
这个题是仿照kctf2020的一道题出的,就是quickjs的版本不一样。
参考链接:
https://bbs.pediy.com/thread-259014.htm

打开二进制搜索字符串可以看到使用了QuickJS, 版本是2020-07-05
主要逻辑如下:

// IDA pseudo-C of the challenge's main(); the sub_* calls are QuickJS entry  
// points in a stripped binary, matched to their real names by the  
// qjsc-generated hello.c below.  
puts("Please input flag:");  
// gets() has no length bound: the read into s is unchecked, even though only  
// the first 0x2A bytes are used afterwards.  
gets(&s);  
v7 = strlen(&s);  
// v3 = min(strlen(s), 0x2A); 0x2A presumably is the size of the flag slot  
// inside the bytecode image.  
v3 = 0x2A;  
if ( v7 <= 0x2A )  
  v3 = v7;  
// Patch the input into the bytecode image at unk_6CF4E0 + 9, i.e. presumably  
// into the script's constant data rather than into a separate buffer.  
memcpy(&unk_6CF4E9, &s, v3);  
// Runtime/context creation, module loader, intrinsics and std helpers  
// (JS_NewRuntime ... js_std_add_helpers in hello.c).  
rt = sub_40D500();  
sub_487A60(rt);  
ctx = (_QWORD *)sub_4746F0(rt);  
sub_40EA30(rt, 0LL, (__int64)sub_4875C0, 0LL);  
sub_476860(ctx);  
sub_4762F0(ctx);  
sub_476390(ctx);  
sub_474DE0(ctx);  
sub_474E50(ctx);  
sub_475BC0(ctx);  
sub_475BE0(ctx);  
sub_475CC0(ctx);  
sub_479330(ctx);  
sub_475EC0(ctx);  
sub_4764B0(ctx);  
sub_4878A0(ctx, a1, a2);  
// Evaluate the 662-byte bytecode image at unk_6CF4E0; the js_std_eval_binary  
// call in hello.c has the same argument shape (ctx, image, 662, 0).  
sub_4886E0((__int64)ctx, (char *)&unk_6CF4E0, 662LL, 0);  
// Loop, then context/runtime teardown (js_std_loop / JS_FreeContext /  
// JS_FreeRuntime in hello.c).  
sub_4884F0(ctx);  
sub_40BD80(ctx);  
sub_40CEB0(rt);  
return 0LL;  

其中unk_6CF4E0处存储的是js编译后的二进制代码,数组长度是662.
用QuickJS编译以后会生成一个hello.c文件, 其与我们反编译的逻辑基本一致, 所以只需要将qjsc_hello数组替换成unk_6CF4E0的内容即可。

/* File generated automatically by the QuickJS compiler. */  
  
#include "quickjs-libc.h"  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
  
/* Size of the bytecode image, passed to js_std_eval_binary() in main(). */  
const uint32_t qjsc_s_size = 662;  
  
/* QuickJS bytecode image copied out of the challenge binary at unk_6CF4E0.  
 * The run of 42 (ASCII '*') starting at index 9 appears to be the 0x2a-byte  
 * placeholder that main() overwrites with the user input, so the array must  
 * stay writable (not const). The preceding 84 presumably is the QuickJS atom  
 * length prefix (42 << 1) — confirm against the reader in quickjs.c. */  
uint8_t qjsc_s[662] = {2, 14, 2, 97, 2, 98, 2, 105, 84, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 2, 99, 20, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 2, 106, 8, 112, 117, 115, 104, 2, 109, 2, 110, 2, 115, 24, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 10, 112, 114, 105, 110, 116, 16, 104, 101, 108, 108, 111, 46, 106, 115, 14, 0, 6, 0, 160, 1, 0, 1, 0, 32, 0, 5, 222, 3, 1, 162, 1, 0, 0, 0, 63, 224, 0, 0, 0, 0, 63, 225, 0, 0, 0, 0, 63, 226, 0, 0, 0, 0, 62, 224, 0, 0, 0, 0, 62, 225, 0, 0, 0, 0, 62, 226, 0, 0, 0, 0, 4, 227, 0, 0, 0, 17, 57, 224, 0, 0, 0, 202, 38, 0, 0, 17, 57, 225, 0, 0, 0, 202, 190, 94, 190, 85, 190, 93, 190, 38, 190, 51, 190, 55, 190, 110, 190, 13, 190, 25, 191, 186, 0, 191, 249, 0, 191, 210, 0, 191, 174, 0, 191, 204, 0, 191, 204, 0, 190, 42, 190, 8, 190, 104, 190, 81, 191, 149, 0, 191, 240, 0, 191, 146, 0, 190, 126, 190, 100, 190, 25, 191, 158, 0, 191, 236, 0, 190, 38, 190, 101, 191, 177, 0, 191, 221, 0, 191, 155, 0, 38, 32, 0, 190, 90, 76, 32, 0, 0, 128, 190, 26, 76, 33, 0, 0, 128, 191, 222, 0, 76, 34, 0, 0, 128, 190, 99, 76, 35, 0, 0, 128, 190, 121, 76, 36, 0, 0, 128, 191, 163, 0, 76, 37, 0, 0, 128, 191, 229, 0, 76, 38, 0, 0, 128, 190, 74, 76, 39, 0, 0, 128, 190, 77, 76, 40, 0, 0, 128, 191, 180, 0, 76, 41, 0, 0, 128, 17, 57, 228, 0, 0, 0, 202, 6, 202, 182, 17, 57, 226, 0, 0, 0, 14, 56, 226, 0, 0, 0, 56, 224, 0, 0, 0, 234, 164, 235, 78, 56, 224, 0, 0, 0, 66, 229, 0, 0, 0, 56, 226, 0, 0, 0, 36, 1, 0, 17, 57, 230, 0, 0, 0, 202, 56, 225, 0, 0, 0, 66, 231, 0, 0, 0, 56, 230, 0, 0, 0, 56, 226, 0, 0, 0, 56, 226, 0, 0, 0, 155, 190, 56, 158, 191, 255, 0, 174, 175, 36, 1, 0, 202, 56, 226, 0, 0, 0, 146, 57, 226, 0, 0, 0, 14, 237, 166, 183, 17, 57, 232, 0, 0, 0, 202, 182, 17, 57, 233, 0, 0, 0, 202, 6, 202, 56, 225, 0, 0, 0, 66, 55, 0, 0, 0, 36, 0, 0, 56, 228, 0, 0, 0, 66, 55, 0, 0, 0, 36, 0, 0, 170, 235, 12, 192, 0, 
17, 57, 233, 0, 0, 0, 202, 237, 10, 192, 1, 17, 57, 233, 0, 0, 0, 202, 194, 17, 57, 234, 0, 0, 0, 202, 6, 202, 56, 233, 0, 0, 0, 192, 2, 166, 235, 58, 56, 234, 0, 0, 0, 56, 152, 0, 0, 0, 66, 235, 0, 0, 0, 56, 151, 0, 0, 0, 56, 233, 0, 0, 0, 192, 3, 157, 240, 36, 1, 0, 158, 17, 57, 234, 0, 0, 0, 202, 56, 233, 0, 0, 0, 192, 4, 156, 17, 57, 233, 0, 0, 0, 202, 237, 190, 56, 236, 0, 0, 0, 56, 234, 0, 0, 0, 240, 206, 40, 218, 3, 1, 23, 91, 0, 18, 8, 63, 53, 0, 162, 1, 2, 123, 128, 193, 75, 43, 44, 213, 48, 43, 63, 203, 78, 13, 10, 232, 1, 7, 68, 184, 144, 181, 107, 103, 128, 10, 232, 1, 7, 52, 167, 184, 72, 127, 141, 175, 10, 0, 10, 40, 1, 254, 10, 40, 1, 254};  
  
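int main(int argc, char **argv)  
{  
  /* Offset and length of the flag placeholder inside qjsc_s: the challenge  
   * binary copies at most 0x2a input bytes to unk_6CF4E0 + 9 (see the  
   * decompiled main() above). */  
  enum { FLAG_SLOT_OFF = 9, FLAG_SLOT_LEN = 0x2a };  
  /* Read buffer. The listing as posted used gets() into a 0x2a-byte array,  
   * which has no bound and also leaves no room for the terminator; the  
   * original also had a syntax error in the length clamp (`? 0x2a, strlen`).  
   * fgets() bounded by sizeof un keeps the same observable behaviour for  
   * inputs that fit while removing the stack overflow. */  
  char un[256] = {0};  
  uint8_t *unpos = &qjsc_s[FLAG_SLOT_OFF];  
  size_t unlen;  
  JSRuntime *rt;  
  JSContext *ctx;  
  
  printf("Please input flag:");  
  fflush(stdout);                  /* prompt has no newline; make it visible */  
  if (fgets(un, sizeof un, stdin) == NULL) {  
    un[0] = '\0';                  /* EOF/error: behave as an empty flag */  
  }  
  un[strcspn(un, "\r\n")] = '\0';  /* gets() dropped the newline; fgets() keeps it */  
  /* Same clamp as the original binary: min(strlen(input), 0x2a). */  
  unlen = strlen(un);  
  if (unlen > FLAG_SLOT_LEN) {  
    unlen = FLAG_SLOT_LEN;  
  }  
  memcpy(unpos, un, unlen);  
  
  rt = JS_NewRuntime();  
  ctx = JS_NewContextRaw(rt);  
  JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);  
  JS_AddIntrinsicBaseObjects(ctx);  
  JS_AddIntrinsicBigInt(ctx);  
  js_std_add_helpers(ctx, argc, argv);  
  /* Run the patched bytecode image; the script presumably checks the bytes  
   * now sitting in the placeholder slot. */  
  js_std_eval_binary(ctx, qjsc_s, qjsc_s_size, 0);  
  js_std_loop(ctx);  
  JS_FreeContext(ctx);  
  JS_FreeRuntime(rt);  
  return 0;  
}  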

使用gcc -ggdb -pthread hello.c libquickjs.a -lm -ldl -o hello可以编译生成二进制文件,运行逻辑与题目给出的二进制文件相同。现在只需要将二进制文件的字节码打印即可。对quickjs.c文件进行如下3处修改:

###########1  
-//#define DUMP_BYTECODE  (1)  
+#define DUMP_BYTECODE  (1)  
  
  
###########2  
-//#define DUMP_READ_OBJECT  
+#define DUMP_READ_OBJECT  
  
  
##########3  
               bc_read_trace(s, "}\n");  
           }  
           bc_read_trace(s, "}\n");  
+#if DUMP_BYTECODE  
+            js_dump_function_bytecode(ctx, b);  
+#endif  
       }  
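Review bot: The third modification does not say where in quickjs.c it goes: there is no `@@` header or function name, and the only context is two generic `bc_read_trace(s, "}\n")` calls, so a reader cannot apply it reliably. Presumably this is the tail of the function that reads a function tag in the bytecode reader; a one-line locator such as `/* quickjs.c: end of the function-tag reader, after the closing bc_read_trace(s, "}\n") */` above the `#if` would fix that. `#if DUMP_BYTECODE` only evaluates to true because of modification 1; on an unmodified tree the added call is compiled out, which matches the intent. The enclosing function starts and ends outside the hunk.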

修改完成后重新编译quickjs和上面的hello.c文件,即可打印出字节码

字节码的大致逻辑如下

# Rough reconstruction of the dumped bytecode (Python/JS mix, as written).  
# a presumably stands for the placeholder string that main() overwrote with  
# the input; c is the expected-byte table (42 entries); b collects the  
# transformed input.  
a = "thisisyourflag"  
b = []  
c = [94, 85, 93, 38, 51, 55, 110, 13, 25, 186, 249, 210, 174, 204, 204, 42, 8, 104, 81, 149, 240, 146, 126, 100,25,158,236,38,101,177,221,155,90,26,222,99,121,163,229,74,77,180]  
i = 0  
while i < len(a):  
	j = a.charAt(i)  
	# Per-position key (i*i + 56) & 255, XOR-ed with the character code.  
	# XOR is self-inverse, so the solver below applies the same key to c.  
	b.append(((i*i + 56) & 255) ^ j)  
	i = i + 1  
# NOTE(review): the check presumably compares b against c (the constant table)  
# rather than against a — the inverse computation below works from c.  
assert( a == b.toString())  

做逆运算即可求得flag:

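# Inverse of the check above: each byte of the table was produced as  
# ((i*i + 56) & 255) ^ ord(char), and XOR is self-inverse, so applying the  
# same per-index key to the table recovers the input character.  
# print() with a single argument runs unchanged under Python 2 and 3, unlike  
# the bare print statement.  
ss = [94, 85, 93, 38, 51, 55, 110, 13, 25, 186, 249, 210, 174, 204, 204, 42, 8, 104, 81, 149, 240, 146, 126, 100,25,158,236,38,101,177,221,155,90,26,222,99,121,163,229,74,77,180]  
flag = "".join(chr(ss[i] ^ ((i*i + 56)&255)) for i in range(len(ss)))  
print(flag)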