
蓝帽杯2020--js_is_so_NICE


这个题是仿照kctf2020的一道题出的,就是quickjs的版本不一样。
用 IDA 或 strings 搜索字符串可以看到程序内嵌了 QuickJS，版本字符串为 2020-07-05。后续复现时要使用同一版本的 QuickJS 源码：序列化字节码的格式与版本绑定，版本不一致时很可能无法正确加载。
主要逻辑如下:

/* Decompiled entry point of the challenge binary (IDA pseudocode; sub_* / unk_*
 * are decompiler-assigned names). It reads a flag candidate, splices it into an
 * embedded QuickJS bytecode blob and then evaluates that blob. The sub_* -> API
 * mapping hinted at below is inferred from the qjsc-generated hello.c later on
 * this page (the listing here has more calls than hello.c, so it is not 1:1) and
 * is not verified against symbols. */
puts("Please input flag:");
gets(&s);    /* unbounded read into a stack buffer (stack overflow for long input);
                only the first 0x2A bytes matter for the flag check, though */
v7 = strlen(&s);
v3 = 0x2A;
if ( v7 <= 0x2A )    /* copy min(strlen(input), 0x2A): the slot is 42 bytes wide */
  v3 = v7;
memcpy(&unk_6CF4E9, &s, v3);    /* unk_6CF4E9 == unk_6CF4E0 + 9: overwrite the
                                   placeholder inside the bytecode with the input */
rt = sub_40D500();    /* presumably JS_NewRuntime */
sub_487A60(rt);
ctx = (_QWORD *)sub_4746F0(rt);    /* presumably JS_NewContextRaw */
sub_40EA30(rt, 0LL, (__int64)sub_4875C0, 0LL);    /* presumably JS_SetModuleLoaderFunc */
sub_476860(ctx);    /* the following ctx-only calls presumably register intrinsics */
sub_4762F0(ctx);
sub_476390(ctx);
sub_474DE0(ctx);
sub_474E50(ctx);
sub_475BC0(ctx);
sub_475BE0(ctx);
sub_475CC0(ctx);
sub_479330(ctx);
sub_475EC0(ctx);
sub_4764B0(ctx);
sub_4878A0(ctx, a1, a2);    /* presumably js_std_add_helpers(ctx, argc, argv) */
sub_4886E0((__int64)ctx, (char *)&unk_6CF4E0, 662LL, 0);    /* evaluate the 662-byte bytecode blob
                                                               (js_std_eval_binary in hello.c) */
sub_4884F0(ctx);    /* presumably js_std_loop */
sub_40BD80(ctx);    /* presumably JS_FreeContext */
sub_40CEB0(rt);     /* presumably JS_FreeRuntime */
return 0LL;

其中unk_6CF4E0处存储的是js编译后的二进制代码,数组长度是662.
QuickJS 编译（qjsc 生成示例）后会得到一个 hello.c 文件，其逻辑与我们反编译出的 main 基本一致，所以只需要把其中的 qjsc_hello 数组替换成 unk_6CF4E0 处的 662 字节内容即可。

/* File generated automatically by the QuickJS compiler. */    
    
#include "quickjs-libc.h"    
#include <stdio.h>    
#include <stdlib.h>    
#include <string.h>    
    
/* Size of the embedded bytecode blob; must stay equal to sizeof qjsc_s (662). */
const uint32_t qjsc_s_size = 662;

/* Serialized QuickJS bytecode of hello.js, copied from unk_6CF4E0 in the challenge
 * binary. The blob starts with an atom table; each atom is a length byte (twice
 * the string length, judging by the data: 20 before "charCodeAt", 8 before
 * "push", 24 before "fromCharCode") followed by the characters. Byte 8 is 84 and
 * bytes 9..50 are 42 '*' (0x2A): the placeholder string that main() overwrites
 * with the user's input via &qjsc_s[9]. The other atoms are the script's names
 * (a, b, i, c, j, m, n, s), the methods charCodeAt / push / fromCharCode / print
 * and the file name "hello.js". */
uint8_t qjsc_s[662] = {2, 14, 2, 97, 2, 98, 2, 105, 84, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 2, 99, 20, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 2, 106, 8, 112, 117, 115, 104, 2, 109, 2, 110, 2, 115, 24, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 10, 112, 114, 105, 110, 116, 16, 104, 101, 108, 108, 111, 46, 106, 115, 14, 0, 6, 0, 160, 1, 0, 1, 0, 32, 0, 5, 222, 3, 1, 162, 1, 0, 0, 0, 63, 224, 0, 0, 0, 0, 63, 225, 0, 0, 0, 0, 63, 226, 0, 0, 0, 0, 62, 224, 0, 0, 0, 0, 62, 225, 0, 0, 0, 0, 62, 226, 0, 0, 0, 0, 4, 227, 0, 0, 0, 17, 57, 224, 0, 0, 0, 202, 38, 0, 0, 17, 57, 225, 0, 0, 0, 202, 190, 94, 190, 85, 190, 93, 190, 38, 190, 51, 190, 55, 190, 110, 190, 13, 190, 25, 191, 186, 0, 191, 249, 0, 191, 210, 0, 191, 174, 0, 191, 204, 0, 191, 204, 0, 190, 42, 190, 8, 190, 104, 190, 81, 191, 149, 0, 191, 240, 0, 191, 146, 0, 190, 126, 190, 100, 190, 25, 191, 158, 0, 191, 236, 0, 190, 38, 190, 101, 191, 177, 0, 191, 221, 0, 191, 155, 0, 38, 32, 0, 190, 90, 76, 32, 0, 0, 128, 190, 26, 76, 33, 0, 0, 128, 191, 222, 0, 76, 34, 0, 0, 128, 190, 99, 76, 35, 0, 0, 128, 190, 121, 76, 36, 0, 0, 128, 191, 163, 0, 76, 37, 0, 0, 128, 191, 229, 0, 76, 38, 0, 0, 128, 190, 74, 76, 39, 0, 0, 128, 190, 77, 76, 40, 0, 0, 128, 191, 180, 0, 76, 41, 0, 0, 128, 17, 57, 228, 0, 0, 0, 202, 6, 202, 182, 17, 57, 226, 0, 0, 0, 14, 56, 226, 0, 0, 0, 56, 224, 0, 0, 0, 234, 164, 235, 78, 56, 224, 0, 0, 0, 66, 229, 0, 0, 0, 56, 226, 0, 0, 0, 36, 1, 0, 17, 57, 230, 0, 0, 0, 202, 56, 225, 0, 0, 0, 66, 231, 0, 0, 0, 56, 230, 0, 0, 0, 56, 226, 0, 0, 0, 56, 226, 0, 0, 0, 155, 190, 56, 158, 191, 255, 0, 174, 175, 36, 1, 0, 202, 56, 226, 0, 0, 0, 146, 57, 226, 0, 0, 0, 14, 237, 166, 183, 17, 57, 232, 0, 0, 0, 202, 182, 17, 57, 233, 0, 0, 0, 202, 6, 202, 56, 225, 0, 0, 0, 66, 55, 0, 0, 0, 36, 0, 0, 56, 228, 0, 0, 0, 66, 55, 0, 0, 0, 36, 0, 0, 170, 235, 12, 192, 0, 
17, 57, 233, 0, 0, 0, 202, 237, 10, 192, 1, 17, 57, 233, 0, 0, 0, 202, 194, 17, 57, 234, 0, 0, 0, 202, 6, 202, 56, 233, 0, 0, 0, 192, 2, 166, 235, 58, 56, 234, 0, 0, 0, 56, 152, 0, 0, 0, 66, 235, 0, 0, 0, 56, 151, 0, 0, 0, 56, 233, 0, 0, 0, 192, 3, 157, 240, 36, 1, 0, 158, 17, 57, 234, 0, 0, 0, 202, 56, 233, 0, 0, 0, 192, 4, 156, 17, 57, 233, 0, 0, 0, 202, 237, 190, 56, 236, 0, 0, 0, 56, 234, 0, 0, 0, 240, 206, 40, 218, 3, 1, 23, 91, 0, 18, 8, 63, 53, 0, 162, 1, 2, 123, 128, 193, 75, 43, 44, 213, 48, 43, 63, 203, 78, 13, 10, 232, 1, 7, 68, 184, 144, 181, 107, 103, 128, 10, 232, 1, 7, 52, 167, 184, 72, 127, 141, 175, 10, 0, 10, 40, 1, 254, 10, 40, 1, 254};
    
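/*
 * Re-creation of the challenge's entry point: read a flag candidate, splice it
 * over the 42-byte '*' placeholder embedded in qjsc_s, then evaluate the patched
 * bytecode the same way the original binary does.
 *
 * Deliberate differences from the decompiled original:
 *  - fgets() into a bounded buffer instead of gets() (the original listing had a
 *    42-byte buffer, so a 42-character flag would not even fit with its NUL);
 *  - the trailing newline is stripped so it is not copied into the bytecode;
 *  - the copy is capped at FLAG_SLOT_LEN, the same 0x2A cap the original binary
 *    applies, so the write can never run past the placeholder and corrupt the
 *    rest of the blob.
 *
 * Note that the original line `strlen(un) > 0x2a? 0x2a, strlen(un)` was not valid
 * C (comma instead of ':'); it is spelled out as an explicit if below.
 *
 * Returns 0; the outcome of the JS check is whatever the script prints.
 */
int main(int argc, char **argv)
{
  enum {
    FLAG_SLOT_OFF = 9,     /* index of the first '*' in qjsc_s (byte 8 is its length prefix) */
    FLAG_SLOT_LEN = 0x2a   /* 42 '*' bytes follow; identical to the cap in the binary */
  };
  char un[256] = {0};      /* larger than the slot so a full flag plus newline fits */
  size_t unlen;

  printf("Please input flag:");
  fflush(stdout);          /* the prompt may otherwise stay buffered when stdout is a pipe */
  if (fgets(un, sizeof un, stdin) == NULL) {
    un[0] = '\0';          /* EOF / read error: behave like an empty line */
  }
  unlen = strcspn(un, "\r\n");
  un[unlen] = '\0';
  if (unlen > FLAG_SLOT_LEN) {
    unlen = FLAG_SLOT_LEN; /* truncate exactly like the original binary */
  }
  memcpy(&qjsc_s[FLAG_SLOT_OFF], un, unlen);

  JSRuntime *rt = JS_NewRuntime();
  JSContext *ctx = JS_NewContextRaw(rt);
  JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
  JS_AddIntrinsicBaseObjects(ctx);
  JS_AddIntrinsicBigInt(ctx);
  js_std_add_helpers(ctx, argc, argv);
  js_std_eval_binary(ctx, qjsc_s, qjsc_s_size, 0);   /* deserialize + run the patched blob */
  js_std_loop(ctx);
  JS_FreeContext(ctx);
  JS_FreeRuntime(rt);
  return 0;
}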

使用 gcc -ggdb -pthread hello.c libquickjs.a -lm -ldl -o hello 即可编译生成二进制文件，运行逻辑与题目给出的二进制文件相同（libquickjs.a 必须由与题目相同版本 2020-07-05 的源码编译，否则字节码很可能无法加载）。现在只需要把字节码打印出来即可。对 quickjs.c 文件做如下 3 处修改：

###########1    
-//#define DUMP_BYTECODE  (1)    
+#define DUMP_BYTECODE  (1)    
    
    
###########2    
-//#define DUMP_READ_OBJECT    
+#define DUMP_READ_OBJECT    
    
    
##########3    
               bc_read_trace(s, "}\n");    
           }    
           bc_read_trace(s, "}\n");    
+#if DUMP_BYTECODE    
+            js_dump_function_bytecode(ctx, b);    
+#endif    
       }    
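Review bot: The inserted `js_dump_function_bytecode(ctx, b);` relies on `ctx` and `b` being in scope at that point of the enclosing reader function, which starts and ends outside this hunk; in the 2020-07-05 sources that is presumably the function-tag reader, but confirm before applying the same patch to another revision. The dump runs inside js_std_eval_binary, i.e. after main() has already spliced the typed input over the `*` placeholder, so the string constant printed for `a` is whatever was entered rather than the original placeholder — harmless, but worth knowing when reading the output. `js_dump_function_bytecode` is itself presumably only compiled when `DUMP_BYTECODE` is defined, so the first hunk must stay applied together with this one or the build fails to link; a comment above the `#if` such as `/* dump every deserialized function so the embedded script can be reversed (needs DUMP_BYTECODE) */` would make that dependency explicit.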

修改完成后重新编译quickjs和上面的hello.c文件,即可打印出字节码
/images/9462a78f9a0807efb6fde28df0a0e9a7/11884068-1a61ac7965b23653.png

字节码的大致逻辑如下

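# Reconstructed logic of the embedded hello.js (read off the dumped bytecode).
# The atom table in the blob lists charCodeAt, push, fromCharCode and print, so
# the loop works on character codes (charCodeAt), not on one-character strings as
# the earlier sketch's charAt suggested -- the XOR only makes sense on integers.
# `a` is the 42-byte '*' placeholder that the binary overwrites with the input;
# "thisisyourflag" is just a stand-in here.
a = "thisisyourflag"
c = [94, 85, 93, 38, 51, 55, 110, 13, 25, 186, 249, 210, 174, 204, 204, 42, 8, 104, 81, 149, 240, 146, 126, 100,
     25, 158, 236, 38, 101, 177, 221, 155, 90, 26, 222, 99, 121, 163, 229, 74, 77, 180]


def mask(i):
    """Per-position key byte: (i*i + 56) reduced to a single byte."""
    return (i * i + 56) & 255


def encode(flag):
    """Apply the challenge transform: XOR each character code with mask(i)."""
    return [mask(i) ^ ord(ch) for i, ch in enumerate(flag)]


def check(flag):
    """True iff the transformed input equals the constant table c.

    This is the comparison the bytecode performs (b against c); the earlier
    sketch compared against `a`, which would never hold.
    """
    return encode(flag) == c


b = encode(a)
# The script accepts the input exactly when check(a) holds; what it prints on
# success is not recoverable from this sketch (there is a `print` atom in the blob).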

做逆运算即可求得flag:

1
2
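# Inverse of the challenge transform. XOR is its own inverse, so re-applying the
# per-position mask (i*i + 56) & 255 to the constant table recovers the input.
ss = [94, 85, 93, 38, 51, 55, 110, 13, 25, 186, 249, 210, 174, 204, 204, 42, 8, 104, 81, 149, 240, 146, 126, 100,
      25, 158, 236, 38, 101, 177, 221, 155, 90, 26, 222, 99, 121, 163, 229, 74, 77, 180]


def decode(table):
    """Recover the flag string from the XOR-masked byte table."""
    return "".join(chr(v ^ ((i * i + 56) & 255)) for i, v in enumerate(table))


# Python 3 (the original used the Python 2 print statement, a SyntaxError on py3).
print(decode(ss))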

参考链接:
https://bbs.pediy.com/thread-259014.htm