Mas0n
mailto:MasonShi@88.com
翻车鱼

第一届长城杯网络安全大赛

诸神黄昏,垂直上分。最后半小时直接跳崖。

两题Re,第一题脑洞题,第二题是KCTF2020的题改了下,版本编译了大半天,结果跟原题用的同个版本……后面解出来了,没来得及交上。

Just_cmp-re

题目主逻辑很简单

__int64 __fastcall main(int a1, char **a2, char **a3)
{
  if ( a1 > 1 )
  {
    if ( !strcmp(a2[1], "flag{********************************}") )
      puts("Correct!");
    else
      puts("Wrong!");
  }
  else
  {
    printf("Usage: %s <FLAG>\n", *a2);
  }
  return 0LL;
}

没线索,翻下函数表,只有这个在做处理

__int64 __fastcall sub_800(__int64 a1, __int64 a2)
{
  int i; // [rsp+18h] [rbp-8h]
  int v4; // [rsp+18h] [rbp-8h]
  int j; // [rsp+1Ch] [rbp-4h]

  for ( i = 0; *(_BYTE *)(i + a1); ++i )
    ;
  v4 = (i >> 3) + 1;
  for ( j = 0; j < v4; ++j )
    *(_QWORD *)(8 * j + a1) -= qword_201060[j];
  return unk_201098(a1, a2);
}

写脚本

# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: test4.py
@Time: 2021-09-19 10:53
@Desc: It's all about getting better.
"""
import struct

x = [0x2A2A2A7B67616C66, 0x2A2A2A2A2A2A2A2A, 0x2A2A2A2A2A2A2A2A, 0x2A2A2A2A2A2A2A2A,
    0x00007D2A2A2A2A2A]
flag = [0x0A07370000000000, 0x380B06060A080A37, 0x3B0F0E38083B0A07, 0x373B0709060B0A3A, 0x0000000F38070F0D, 0x0000000000000000]
for i, v in enumerate(x):
    print(struct.pack("<Q", x[i]+flag[i]).decode(), end="")

Funny_js

quickjs编译的可执行文件,主逻辑在js代码中

dump出bytecode,github上拉quickjs下来,修改一下quickjs.c

https://cdn.shi1011.cn/2021/09/beb4cf08c4784caa713c1752adc33515.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

JS_ReadObjectRecBC_TAG_FUNCTION_BYTECODE位置加入代码

#if DUMP_BYTECODE
	js_dump_function_bytecode(ctx, b);
#endif

重新编译下

sudo make -j8

导出C样例

sudo ./qjsc -e -o hello.c examples/hello.js

修改bytecode

/* File generated automatically by the QuickJS compiler. */

#include "quickjs-libc.h"

const uint32_t qjsc_hello_size = 1168;

const uint8_t qjsc_hello[1168] = {
    0x02, 0x1B, 0x06, 0x72, 0x63, 0x34, 0x04, 0x73, 0x6E, 0x02, 0x69, 0x02, 0x6A, 0x02, 0x6B, 0x02, 
    0x6C, 0x02, 0x6D, 0x02, 0x6E, 0x04, 0x75, 0x6E, 0x06, 0x61, 0x72, 0x72, 0x0C, 0x63, 0x69, 0x70, 
    0x68, 0x65, 0x72, 0x2A, 0x32, 0x30, 0x32, 0x31, 0x71, 0x75, 0x69, 0x63, 0x6B, 0x6A, 0x73, 0x5F, 
    0x68, 0x61, 0x70, 0x70, 0x79, 0x67, 0x61, 0x6D, 0x65, 0x48, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
    0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 
    0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x31, 0x02, 0x73, 
    0x18, 0x66, 0x72, 0x6F, 0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x0A, 0x70, 0x72, 
    0x69, 0x6E, 0x74, 0x12, 0x73, 0x6F, 0x75, 0x72, 0x63, 0x65, 0x2E, 0x6A, 0x73, 0x08, 0x64, 0x61, 
    0x74, 0x61, 0x06, 0x6B, 0x65, 0x79, 0x06, 0x62, 0x6F, 0x78, 0x02, 0x78, 0x08, 0x74, 0x65, 0x6D, 
    0x70, 0x02, 0x79, 0x06, 0x6F, 0x75, 0x74, 0x08, 0x63, 0x6F, 0x64, 0x65, 0x14, 0x63, 0x68, 0x61, 
    0x72, 0x43, 0x6F, 0x64, 0x65, 0x41, 0x74, 0x08, 0x70, 0x75, 0x73, 0x68, 0x0E, 0x00, 0x06, 0x00, 
    0x9E, 0x01, 0x00, 0x01, 0x00, 0x20, 0x00, 0x08, 0xEB, 0x04, 0x01, 0xA0, 0x01, 0x00, 0x00, 0x00, 
    0x40, 0xDF, 0x00, 0x00, 0x00, 0x40, 0x40, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 
    0x00, 0x00, 0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE4, 
    0x00, 0x00, 0x00, 0x00, 0x40, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00, 
    0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE9, 0x00, 0x00, 
    0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0xC2, 0x00, 0x41, 0xDF, 0x00, 0x00, 0x00, 0x00, 
    0x3F, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 
    0x00, 0x00, 0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE5, 
    0x00, 0x00, 0x00, 0x00, 0x3F, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00, 
    0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE9, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 
    0x00, 0x00, 0x04, 0xEA, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0x0E, 0x04, 0xEB, 
    0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00, 0x00, 0xCB, 0xC0, 0x96, 0x00, 0xC0, 0xE0, 0x00, 
    0xC0, 0xF4, 0x00, 0xBF, 0x44, 0xBF, 0x3D, 0xBF, 0x7D, 0xBF, 0x08, 0xC0, 0xEF, 0x00, 0xC0, 0xCB, 
    0x00, 0xC0, 0xFE, 0x00, 0xC0, 0xF1, 0x00, 0xBF, 0x71, 0xC0, 0xD5, 0x00, 0xC0, 0xB0, 0x00, 0xBF, 
    0x40, 0xBF, 0x6A, 0xBF, 0x67, 0xC0, 0xA6, 0x00, 0xC0, 0xB9, 0x00, 0xC0, 0x9F, 0x00, 0xC0, 0x9E, 
    0x00, 0xC0, 0xAC, 0x00, 0xBF, 0x09, 0xC0, 0xD5, 0x00, 0xC0, 0xEF, 0x00, 0xBF, 0x0C, 0xBF, 0x64, 
    0xC0, 0xB9, 0x00, 0xBF, 0x5A, 0xC0, 0xAE, 0x00, 0xBF, 0x6B, 0xC0, 0x83, 0x00, 0x26, 0x20, 0x00, 
    0xC0, 0xDF, 0x00, 0x4D, 0x20, 0x00, 0x00, 0x80, 0xBF, 0x7A, 0x4D, 0x21, 0x00, 0x00, 0x80, 0xC0, 
    0xE5, 0x00, 0x4D, 0x22, 0x00, 0x00, 0x80, 0xC0, 0x9D, 0x00, 0x4D, 0x23, 0x00, 0x00, 0x80, 0x11, 
    0x3A, 0xE8, 0x00, 0x00, 0x00, 0x0E, 0xC1, 0x01, 0x11, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xC1, 
    0x02, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 
    0xB7, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xDF, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 
    0x00, 0x00, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xF2, 0x11, 0x3A, 0xE9, 0x00, 0x00, 0x00, 0x0E, 0x06, 
    0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE9, 
    0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x6E, 0x39, 0xE9, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 
    0x00, 0x48, 0x11, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00, 0xBF, 0x38, 
    0xBF, 0x11, 0xA0, 0xB0, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 
    0x00, 0x00, 0x39, 0xE8, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x48, 0xAB, 0xEC, 0x0F, 
    0x39, 0xE5, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0D, 0x39, 0xE6, 
    0x00, 0x00, 0x00, 0x93, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x93, 
    0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE1, 0x00, 0x00, 
    0x00, 0x0E, 0xEE, 0x86, 0x06, 0xCB, 0x39, 0xE5, 0x00, 0x00, 0x00, 0x39, 0xE9, 0x00, 0x00, 0x00, 
    0xEB, 0xAB, 0xEC, 0x15, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xB7, 0xAB, 0xEC, 0x0C, 0xC1, 0x03, 0x11, 
    0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0A, 0xC1, 0x04, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 
    0xCB, 0xC3, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 
    0xC1, 0x05, 0xA7, 0xEC, 0x3A, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00, 0x00, 0x43, 
    0xED, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00, 0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x06, 
    0x9E, 0xF1, 0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xEC, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE6, 0x00, 
    0x00, 0x00, 0xC1, 0x07, 0x9D, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEE, 
    0x00, 0x00, 0x00, 0x39, 0xEC, 0x00, 0x00, 0x00, 0xF1, 0xCF, 0x28, 0xDE, 0x03, 0x01, 0x20, 0x00, 
    0x48, 0x01, 0x00, 0x4A, 0x52, 0x3F, 0x40, 0x00, 0x7C, 0x04, 0x30, 0x30, 0x2B, 0x2B, 0x77, 0x7B, 
    0x5D, 0x5D, 0x6C, 0x3F, 0x0E, 0x40, 0x3F, 0x4A, 0xB7, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0E, 
    0x43, 0x06, 0x00, 0xBE, 0x03, 0x02, 0x08, 0x02, 0x05, 0x00, 0x00, 0xBB, 0x01, 0x0A, 0xE0, 0x03, 
    0x00, 0x01, 0x00, 0xE2, 0x03, 0x00, 0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xC2, 0x03, 0x00, 
    0x01, 0x00, 0xE6, 0x03, 0x00, 0x02, 0x00, 0xE8, 0x03, 0x00, 0x03, 0x00, 0xEA, 0x03, 0x00, 0x04, 
    0x00, 0xEC, 0x03, 0x00, 0x05, 0x00, 0xEE, 0x03, 0x00, 0x06, 0x00, 0xC6, 0x03, 0x00, 0x07, 0x00, 
    0x39, 0x94, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x01, 0xF1, 0xCB, 0xB7, 0xCC, 0xC8, 0xC0, 0x00, 0x01, 
    0xA5, 0xEC, 0x09, 0xC7, 0xC8, 0xC8, 0x4A, 0x95, 0x01, 0xEE, 0xF2, 0xB7, 0xCD, 0xB7, 0xCC, 0xC8, 
    0xC0, 0x00, 0x01, 0xA5, 0xEC, 0x2C, 0xC9, 0xC7, 0xC8, 0x48, 0x9F, 0xD4, 0x43, 0xF8, 0x00, 0x00, 
    0x00, 0xC8, 0xD4, 0xEB, 0x9E, 0x24, 0x01, 0x00, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC7, 0xC8, 
    0x48, 0xCE, 0xC7, 0xC8, 0x72, 0xC7, 0xC9, 0x48, 0x4A, 0xC7, 0xC9, 0xCA, 0x4A, 0x95, 0x01, 0xEE, 
    0xCF, 0xB7, 0xCD, 0xB7, 0xC5, 0x04, 0x26, 0x00, 0x00, 0xC5, 0x05, 0xB7, 0xCC, 0xC8, 0xD3, 0xEB, 
    0xA5, 0xEC, 0x56, 0xD3, 0x43, 0xF8, 0x00, 0x00, 0x00, 0xC8, 0x24, 0x01, 0x00, 0xC5, 0x06, 0xC9, 
    0xB8, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 0xCD, 0xC4, 0x04, 0xC7, 0xC9, 0x48, 0x9F, 0xC0, 0x00, 0x01, 
    0x9E, 0xC5, 0x04, 0xC7, 0xC9, 0x48, 0xCE, 0xC7, 0xC9, 0x72, 0xC7, 0xC4, 0x04, 0x48, 0x4A, 0xC7, 
    0xC4, 0x04, 0xCA, 0x4A, 0xC7, 0xC9, 0x48, 0xC7, 0xC4, 0x04, 0x48, 0x9F, 0xC0, 0x00, 0x01, 0x9E, 
    0xC5, 0x07, 0xC4, 0x05, 0x43, 0xF9, 0x00, 0x00, 0x00, 0xC4, 0x06, 0xC7, 0xC4, 0x07, 0x48, 0xB0, 
    0x24, 0x01, 0x00, 0x0E, 0x95, 0x01, 0xEE, 0xA6, 0xC4, 0x05, 0x28, 0xDE, 0x03, 0x03, 0x19, 0x04, 
    0x35, 0x30, 0x17, 0x18, 0x0D, 0x30, 0x7B, 0x17, 0x26, 0x17, 0x19, 0x0D, 0x12, 0x1C, 0x2C, 0x40, 
    0x2B, 0x3F, 0x17, 0x2B, 0x1D, 0x4A, 0x5D, 0x17, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0xE8, 0x01, 0x07, 
    0x44, 0xB8, 0x90, 0xB5, 0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8, 0x48, 0x7F, 
    0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x28, 0x01, 0xFE, 0x00, 0x00, 0x00, 0x00
};

int main(int argc, char **argv)
{
  JSRuntime *rt;
  JSContext *ctx;
  rt = JS_NewRuntime();
  ctx = JS_NewContextRaw(rt);
  JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
  JS_AddIntrinsicBaseObjects(ctx);
  JS_AddIntrinsicDate(ctx);
  JS_AddIntrinsicEval(ctx);
  JS_AddIntrinsicStringNormalize(ctx);
  JS_AddIntrinsicRegExp(ctx);
  JS_AddIntrinsicJSON(ctx);
  JS_AddIntrinsicProxy(ctx);
  JS_AddIntrinsicMapSet(ctx);
  JS_AddIntrinsicTypedArrays(ctx);
  JS_AddIntrinsicPromise(ctx);
  JS_AddIntrinsicBigInt(ctx);
  js_std_add_helpers(ctx, argc, argv);
  js_std_eval_binary(ctx, qjsc_hello, qjsc_hello_size, 0);
  js_std_loop(ctx);
  JS_FreeContext(ctx);
  JS_FreeRuntime(rt);
  return 0;
}

编译运行

sudo gcc -D _GNU_SOURCE -I . -o hello hello.c ./libquickjs.a -lm -ldl -pthread
./hello

反编译失败说明版本不对,正确的版本20200119

unofficial-mirrors/quickjs

能看到解析出来字节码

0000:  02 1b                    27 atom indexes {
0002:  06 72 63 34                string: 1"rc4"
0006:  04 73 6e                   string: 1"sn"
0009:  02 69                      string: 1"i"
000b:  02 6a                      string: 1"j"
000d:  02 6b                      string: 1"k"
000f:  02 6c                      string: 1"l"
0011:  02 6d                      string: 1"m"
0013:  02 6e                      string: 1"n"
0015:  04 75 6e                   string: 1"un"
0018:  06 61 72 72                string: 1"arr"
001c:  0c 63 69 70 68 65 72       string: 1"cipher"
0023:  2a 32 30 32 31 71 75 69
       63 6b 6a 73 5f 68 61 70
       70 79 67 61 6d 65          string: 1"2021quickjs_happygame"
0039:  48 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 2a 2a 2a 2a
       2a 2a 2a 2a 31             string: 1"***********************************1"
005e:  02 73                      string: 1"s"
0060:  18 66 72 6f 6d 43 68 61
       72 43 6f 64 65             string: 1"fromCharCode"
006d:  0a 70 72 69 6e 74          string: 1"print"
0073:  12 73 6f 75 72 63 65 2e
       6a 73                      string: 1"source.js"
007d:  08 64 61 74 61             string: 1"data"
0082:  06 6b 65 79                string: 1"key"
0086:  06 62 6f 78                string: 1"box"
008a:  02 78                      string: 1"x"
008c:  08 74 65 6d 70             string: 1"temp"
0091:  02 79                      string: 1"y"
0093:  06 6f 75 74                string: 1"out"
0097:  08 63 6f 64 65             string: 1"code"
009c:  14 63 68 61 72 43 6f 64
       65 41 74                   string: 1"charCodeAt"
00a7:  08 70 75 73 68             string: 1"push"
                                }
00ac:  0e                       function {
00ad:  00 06 00 9e 01 00 01 00
       20 00 08 eb 04 01          name: "<eval>"
                                  args=0 vars=1 defargs=0 closures=0 cpool=8
                                  stack=32 bclen=619 locals=1
                                  vars {
00bb:  a0 01 00 00 00               name: "<ret>"
                                  }
                                  bytecode {
00c0:  40 df 00 00 00 40 40 e0
       00 00 00 00 40 e1 00 00
       00 00 40 e2 00 00 00 00
       40 e3 00 00 00 00 40 e4
       00 00 00 00 40 e5 00 00
       00 00 40 e6 00 00 00 00
       40 e7 00 00 00 00 40 e8
       00 00 00 00 40 e9 00 00
       00 00 40 e1 00 00 00 00
       c2 00 41 df 00 00 00 00
       3f e0 00 00 00 00 3f e1
       00 00 00 00 3f e2 00 00
       00 00 3f e3 00 00 00 00
       3f e4 00 00 00 00 3f e5
       00 00 00 00 3f e6 00 00
       00 00 3f e7 00 00 00 00
       3f e8 00 00 00 00 3f e9
       00 00 00 00 3f e1 00 00
       00 00 04 ea 00 00 00 11
       3a e7 00 00 00 0e 04 eb
       00 00 00 11 3a e0 00 00
       00 cb c0 96 00 c0 e0 00
       c0 f4 00 bf 44 bf 3d bf
       7d bf 08 c0 ef 00 c0 cb
       00 c0 fe 00 c0 f1 00 bf
       71 c0 d5 00 c0 b0 00 bf
       40 bf 6a bf 67 c0 a6 00
       c0 b9 00 c0 9f 00 c0 9e
       00 c0 ac 00 bf 09 c0 d5
       00 c0 ef 00 bf 0c bf 64
       c0 b9 00 bf 5a c0 ae 00
       bf 6b c0 83 00 26 20 00
       c0 df 00 4d 20 00 00 80
       bf 7a 4d 21 00 00 80 c0
       e5 00 4d 22 00 00 80 c0
       9d 00 4d 23 00 00 80 11
       3a e8 00 00 00 0e c1 01
       11 3a e5 00 00 00 cb c1
       02 11 3a e6 00 00 00 cb
       b7 11 3a e4 00 00 00 cb
       b7 11 3a e3 00 00 00 cb
       39 df 00 00 00 39 e0 00
       00 00 39 e7 00 00 00 f2
       11 3a e9 00 00 00 0e 06
       cb b7 11 3a e1 00 00 00
       0e 39 e1 00 00 00 39 e9
       00 00 00 eb a5 ec 6e 39
       e9 00 00 00 39 e1 00 00
       00 48 11 3a e2 00 00 00
       cb 39 e2 00 00 00 bf 38
       bf 11 a0 b0 11 3a e4 00
       00 00 cb 06 cb 39 e4 00
       00 00 39 e8 00 00 00 39
       e3 00 00 00 48 ab ec 0f
       39 e5 00 00 00 93 3a e5
       00 00 00 cb ee 0d 39 e6
       00 00 00 93 3a e6 00 00
       00 cb 39 e3 00 00 00 93
       3a e3 00 00 00 cb 39 e1
       00 00 00 93 3a e1 00 00
       00 0e ee 86 06 cb 39 e5
       00 00 00 39 e9 00 00 00
       eb ab ec 15 39 e6 00 00
       00 b7 ab ec 0c c1 03 11
       3a e6 00 00 00 cb ee 0a
       c1 04 11 3a e6 00 00 00
       cb c3 11 3a ec 00 00 00
       cb 06 cb 39 e6 00 00 00
       c1 05 a7 ec 3a 39 ec 00
       00 00 39 97 00 00 00 43
       ed 00 00 00 39 96 00 00
       00 39 e6 00 00 00 c1 06
       9e f1 24 01 00 9f 11 3a
       ec 00 00 00 cb 39 e6 00
       00 00 c1 07 9d 11 3a e6
       00 00 00 cb ee be 39 ee
       00 00 00 39 ec 00 00 00
       f1 cf 28                     at 1, fixup atom: rc4
                                    at 7, fixup atom: sn
                                    at 13, fixup atom: i
                                    at 19, fixup atom: j
                                    at 25, fixup atom: k
                                    at 31, fixup atom: l
                                    at 37, fixup atom: m
                                    at 43, fixup atom: n
                                    at 49, fixup atom: un
                                    at 55, fixup atom: arr
                                    at 61, fixup atom: cipher
                                    at 67, fixup atom: i
                                    at 75, fixup atom: rc4
                                    at 81, fixup atom: sn
                                    at 87, fixup atom: i
                                    at 93, fixup atom: j
                                    at 99, fixup atom: k
                                    at 105, fixup atom: l
                                    at 111, fixup atom: m
                                    at 117, fixup atom: n
                                    at 123, fixup atom: un
                                    at 129, fixup atom: arr
                                    at 135, fixup atom: cipher
                                    at 141, fixup atom: i
                                    at 147, fixup atom: "2021quickjs_happygame"
                                    at 153, fixup atom: un
                                    at 159, fixup atom: "***********************************1"
                                    at 165, fixup atom: sn
                                    at 260, fixup atom: "32"
                                    at 267, fixup atom: "33"
                                    at 275, fixup atom: "34"
                                    at 283, fixup atom: "35"
                                    at 289, fixup atom: arr
                                    at 298, fixup atom: m
                                    at 307, fixup atom: n
                                    at 315, fixup atom: l
                                    at 323, fixup atom: k
                                    at 329, fixup atom: rc4
                                    at 334, fixup atom: sn
                                    at 339, fixup atom: un
                                    at 346, fixup atom: cipher
                                    at 356, fixup atom: i
                                    at 362, fixup atom: i
                                    at 367, fixup atom: cipher
                                    at 376, fixup atom: cipher
                                    at 381, fixup atom: i
                                    at 388, fixup atom: j
                                    at 394, fixup atom: j
                                    at 406, fixup atom: l
                                    at 414, fixup atom: l
                                    at 419, fixup atom: arr
                                    at 424, fixup atom: k
                                    at 433, fixup atom: m
                                    at 439, fixup atom: m
                                    at 447, fixup atom: n
                                    at 453, fixup atom: n
                                    at 459, fixup atom: k
                                    at 465, fixup atom: k
                                    at 471, fixup atom: i
                                    at 477, fixup atom: i
                                    at 487, fixup atom: m
                                    at 492, fixup atom: cipher
                                    at 501, fixup atom: n
                                    at 513, fixup atom: n
                                    at 524, fixup atom: n
                                    at 532, fixup atom: s
                                    at 540, fixup atom: n
                                    at 550, fixup atom: s
                                    at 555, fixup atom: String
                                    at 560, fixup atom: fromCharCode
                                    at 565, fixup atom: Number
                                    at 570, fixup atom: n
                                    at 584, fixup atom: s
                                    at 590, fixup atom: n
                                    at 599, fixup atom: n
                                    at 607, fixup atom: print
                                    at 612, fixup atom: s
                                  }
                                  debug {
032b:  de 03 01 20 00 48 01 00
       4a 52 3f 40 00 7c 04 30
       30 2b 2b 77 7b 5d 5d 6c
       3f 0e 40 3f 4a b7 30 2b
       3f cb 4e 0d                  filename: "source.js"
                                  }
                                  cpool {
034f:  0e                           function {
0350:  43 06 00 be 03 02 08 02
       05 00 00 bb 01 0a              name: rc4
                                      args=2 vars=8 defargs=2 closures=0 cpool=0
                                      stack=5 bclen=187 locals=10
                                      vars {
035e:  e0 03 00 01 00                   name: data
0363:  e2 03 00 01 00                   name: key
0368:  e4 03 00 00 00                   name: box
036d:  c2 03 00 01 00                   name: i
0372:  e6 03 00 02 00                   name: x
0377:  e8 03 00 03 00                   name: temp
037c:  ea 03 00 04 00                   name: y
0381:  ec 03 00 05 00                   name: out
0386:  ee 03 00 06 00                   name: code
038b:  c6 03 00 07 00                   name: k
                                      }
                                      bytecode {
0390:  39 94 00 00 00 c0 00 01
       f1 cb b7 cc c8 c0 00 01
       a5 ec 09 c7 c8 c8 4a 95
       01 ee f2 b7 cd b7 cc c8
       c0 00 01 a5 ec 2c c9 c7
       c8 48 9f d4 43 f8 00 00
       00 c8 d4 eb 9e 24 01 00
       9f c0 00 01 9e cd c7 c8
       48 ce c7 c8 72 c7 c9 48
       4a c7 c9 ca 4a 95 01 ee
       cf b7 cd b7 c5 04 26 00
       00 c5 05 b7 cc c8 d3 eb
       a5 ec 56 d3 43 f8 00 00
       00 c8 24 01 00 c5 06 c9
       b8 9f c0 00 01 9e cd c4
       04 c7 c9 48 9f c0 00 01
       9e c5 04 c7 c9 48 ce c7
       c9 72 c7 c4 04 48 4a c7
       c4 04 ca 4a c7 c9 48 c7
       c4 04 48 9f c0 00 01 9e
       c5 07 c4 05 43 f9 00 00
       00 c4 06 c7 c4 07 48 b0
       24 01 00 0e 95 01 ee a6
       c4 05 28                         at 1, fixup atom: Array
                                        at 45, fixup atom: charCodeAt
                                        at 101, fixup atom: charCodeAt
                                        at 165, fixup atom: push
                                      }
                                      debug {
044b:  de 03 03 19 04 35 30 17
       18 0d 30 7b 17 26 17 19
       0d 12 1c 2c 40 2b 3f 17
       2b 1d 4a 5d 17                   filename: "source.js"
                                      }
                                    }
source.js:3: function: rc4
  args: data key
  locals:
    0: var box
    1: var i
    2: var x
    3: var temp
    4: var y
    5: var out
    6: var code
    7: var k
  stack_size: 5
  opcodes:
        get_var Array
        push_i16 256
        call1 1
        put_loc0 0: box
        push_0 0
        put_loc1 1: i
   12:  get_loc1 1: i
        push_i16 256
        lt
        if_false8 27
        get_loc0 0: box
        get_loc1 1: i
        get_loc1 1: i
        put_array_el
        inc_loc 1: i
        goto8 12
   27:  push_0 0
        put_loc2 2: x
        push_0 0
        put_loc1 1: i
   31:  get_loc1 1: i
        push_i16 256
        lt
        if_false8 81
        get_loc2 2: x
        get_loc0 0: box
        get_loc1 1: i
        get_array_el
        add
        get_arg1 1: key
        get_field2 charCodeAt
        get_loc1 1: i
        get_arg1 1: key
        get_length
        mod
        call_method 1
        add
        push_i16 256
        mod
        put_loc2 2: x
        get_loc0 0: box
        get_loc1 1: i
        get_array_el
        put_loc3 3: temp
        get_loc0 0: box
        get_loc1 1: i
        to_propkey2
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        put_array_el
        get_loc0 0: box
        get_loc2 2: x
        get_loc3 3: temp
        put_array_el
        inc_loc 1: i
        goto8 31
   81:  push_0 0
        put_loc2 2: x
        push_0 0
        put_loc8 4: y
        array_from 0
        put_loc8 5: out
        push_0 0
        put_loc1 1: i
   93:  get_loc1 1: i
        get_arg0 0: data
        get_length
        lt
        if_false8 184
        get_arg0 0: data
        get_field2 charCodeAt
        get_loc1 1: i
        call_method 1
        put_loc8 6: code
        get_loc2 2: x
        push_1 1
        add
        push_i16 256
        mod
        put_loc2 2: x
        get_loc8 4: y
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        add
        push_i16 256
        mod
        put_loc8 4: y
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        put_loc3 3: temp
        get_loc0 0: box
        get_loc2 2: x
        to_propkey2
        get_loc0 0: box
        get_loc8 4: y
        get_array_el
        put_array_el
        get_loc0 0: box
        get_loc8 4: y
        get_loc3 3: temp
        put_array_el
        get_loc0 0: box
        get_loc2 2: x
        get_array_el
        get_loc0 0: box
        get_loc8 4: y
        get_array_el
        add
        push_i16 256
        mod
        put_loc8 7: k
        get_loc8 5: out
        get_field2 push
        get_loc8 6: code
        get_loc0 0: box
        get_loc8 7: k
        get_array_el
        xor
        call_method 1
        drop
        inc_loc 1: i
        goto8 93
  184:  get_loc8 5: out
        return

0468:  0a                           bigint {
0469:  00                           }
046a:  0a                           bigint {
046b:  00                           }
046c:  0a                           bigint {
046d:  e8 01 07                       len=7
0470:  44 b8 90 b5 6b 67 80         }
0477:  0a                           bigint {
0478:  e8 01 07                       len=7
047b:  34 a7 b8 48 7f 8d af         }
0482:  0a                           bigint {
0483:  00                           }
0484:  0a                           bigint {
0485:  28 01                          len=1
0487:  fe                           }
0488:  0a                           bigint {
0489:  28 01                          len=1
048b:  fe                           }
                                  }
                                }
source.js:1: function: <eval>
  locals:
    0: var <ret>
  stack_size: 32
  opcodes:
        check_define_var rc4,64
        check_define_var sn,0
        check_define_var i,0
        check_define_var j,0
        check_define_var k,0
        check_define_var l,0
        check_define_var m,0
        check_define_var n,0
        check_define_var un,0
        check_define_var arr,0
        check_define_var cipher,0
        check_define_var i,0
        fclosure8 0: [bytecode rc4]
        define_func rc4,0
        define_var sn,0
        define_var i,0
        define_var j,0
        define_var k,0
        define_var l,0
        define_var m,0
        define_var n,0
        define_var un,0
        define_var arr,0
        define_var cipher,0
        define_var i,0
        push_atom_value "2021quickjs_happygame"
        dup
        put_var un
        drop
        push_atom_value "***********************************1"
        dup
        put_var sn
        put_loc0 0: "<ret>"
        push_i16 150
        push_i16 224
        push_i16 244
        push_i8 68
        push_i8 61
        push_i8 125
        push_i8 8
        push_i16 239
        push_i16 203
        push_i16 254
        push_i16 241
        push_i8 113
        push_i16 213
        push_i16 176
        push_i8 64
        push_i8 106
        push_i8 103
        push_i16 166
        push_i16 185
        push_i16 159
        push_i16 158
        push_i16 172
        push_i8 9
        push_i16 213
        push_i16 239
        push_i8 12
        push_i8 100
        push_i16 185
        push_i8 90
        push_i16 174
        push_i8 107
        push_i16 131
        array_from 32
        push_i16 223
        define_field "32"
        push_i8 122
        define_field "33"
        push_i16 229
        define_field "34"
        push_i16 157
        define_field "35"
        dup
        put_var arr
        drop
        push_const8 1: 0n
        dup
        put_var m
        put_loc0 0: "<ret>"
        push_const8 2: 0n
        dup
        put_var n
        put_loc0 0: "<ret>"
        push_0 0
        dup
        put_var l
        put_loc0 0: "<ret>"
        push_0 0
        dup
        put_var k
        put_loc0 0: "<ret>"
        get_var rc4
        get_var sn
        get_var un
        call2 2
        dup
        put_var cipher
        drop
        undefined
        put_loc0 0: "<ret>"
        push_0 0
        dup
        put_var i
        drop
  361:  get_var i
        get_var cipher
        get_length
        lt
        if_false8 484
        get_var cipher
        get_var i
        get_array_el
        dup
        put_var j
        put_loc0 0: "<ret>"
        get_var j
        push_i8 56
        push_i8 17
        sub
        xor
        dup
        put_var l
        put_loc0 0: "<ret>"
        undefined
        put_loc0 0: "<ret>"
        get_var l
        get_var arr
        get_var k
        get_array_el
        eq
        if_false8 446
        get_var m
        post_inc
        put_var m
        put_loc0 0: "<ret>"
        goto8 458
  446:  get_var n
        post_inc
        put_var n
        put_loc0 0: "<ret>"
  458:  get_var k
        post_inc
        put_var k
        put_loc0 0: "<ret>"
        get_var i
        post_inc
        put_var i
        drop
        goto8 361
  484:  undefined
        put_loc0 0: "<ret>"
        get_var m
        get_var cipher
        get_length
        eq
        if_false8 520
        get_var n
        push_0 0
        eq
        if_false8 520
        push_const8 3: 18071254662143010n
        dup
        put_var n
        put_loc0 0: "<ret>"
        goto8 529
  520:  push_const8 4: 24706849372394394n
        dup
        put_var n
        put_loc0 0: "<ret>"
  529:  push_empty_string
        dup
        put_var s
        put_loc0 0: "<ret>"
        undefined
        put_loc0 0: "<ret>"
  539:  get_var n
        push_const8 5: 0n
        gt
        if_false8 606
        get_var s
        get_var String
        get_field2 fromCharCode
        get_var Number
        get_var n
        push_const8 6: 127n
        mod
        call1 1
        call_method 1
        add
        dup
        put_var s
        put_loc0 0: "<ret>"
        get_var n
        push_const8 7: 127n
        div
        dup
        put_var n
        put_loc0 0: "<ret>"
        goto8 539
  606:  get_var print
        get_var s
        call1 1
        set_loc0 0: "<ret>"
        return

Error...

按照字节码翻译出代码

# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: test5.py
@Time: 2021-09-19 15:58
@Desc: It's all about getting better.
"""


def rc4(data, key):
    box = [0] * 256
    i_ = 0
    while i_ < 256:
        box[i_] = i_
        i_ += 1

    x = 0
    i = 0
    while i < 256:
        x = (x + box[i] + ord(key[i % len(key)])) % 256
        temp = box[i]
        box[i] = box[x]
        box[x] = temp
        i += 1

    x = 0
    y = 0
    out = []
    i = 0
    while i < len(data):
        code = ord(data[i])
        x = (x + 1) % 256
        y = (y + box[x]) % 256
        temp = box[x]
        box[x] = box[y]
        box[y] = temp
        k = (box[x] + box[y]) % 256
        out.append(code ^ box[k])
        i += 1
    return out


arr = [150, 224, 244, 68, 61, 125, 8, 239, 203, 254, 241, 113, 213, 176, 64, 106, 103, 166, 185, 159,
       158, 172, 9, 213, 239, 12, 100, 185, 90, 174, 107, 131, 223, 122, 229, 157]

m = 0
n = 0
l = 0
k = 0
sn = "***********************************"
un = "2021quickjs_happygame"

cipher = rc4(sn, un)

i = 0

while i < len(cipher):
    j = cipher[i]
    l = j ^ 39

    if arr[k] == l:
        m += 1
    n += 1
    k += 1
    i += 1

if m == len(cipher):
    if n == 0:
        n = 18071254662143010
else:
    n = 24706849372394394

s = ""
while n > 0:
    s += chr(n % 127)
    n = int(n / 127)
print(s)

# DECRYPT
rc4Cipher = b""
for i in arr:
    rc4Cipher += chr(i ^ 39).encode()
flag = rc4(rc4Cipher.decode(), un)
print("".join([chr(i) for i in flag]))

参考资料

2020 KCTF 春季赛 | 第三题设计思路及解析

本文链接:https://blog.shi1011.cn/ctf/1608
本文采用 CC BY-NC-SA 3.0 Unported 协议进行许可

Mas0n

文章作者

发表评论

textsms
account_circle
email

翻车鱼

第一届长城杯网络安全大赛
诸神黄昏,垂直上分。最后半小时直接跳崖。 两题Re,第一题脑洞题,第二题是KCTF2020的题改了下,版本编译了大半天,结果跟原题用的同个版本……后面解出来了,没来得及交上。 Just_c…
扫描二维码继续阅读
2021-09-19