[原创]第三题 寻踪觅源
2020-4-18 20:10 3895
题目分析
本题用quickjs实现校验逻辑
解题思路
1. 在0x45781B _JS_NewAtomStr处下断,可以获得一些JS变量的信息
2. 结合quickjs源码加调试分析出部分OP码:
0x171 un
0x172 sn
0x173 s
0x174 i
0x175 j
0x176 k
0x177 l
0x178 m
0x179 n
0x17a 5ADACAEBF4B4A8A4
0x17b 31430057b0557020141973402736****
0x123 charCodeAt
0x121 fromCharCode
0x16f print 这个是Console.log
3. 在0x4017D5处下断,ebx指向bytecode,对bytecode进行分析,大概逻辑如下:
0x04 OP_push_atom_value
0x06 OP_undefine
0x0E OP_drop JS_FreeValue(ctx, sp[-1]);
0x11 OP_dup
0x24 op_call_method 2
0x39 OP_get_var
0x3A OP_put_var
0x3F OP_define_var
0x40 OP_check_define_var
0x43 OP_get_field2
0x93 OP_post_inc +1
0x9C OP_mul
0x9E OP_mod
0x9F OP_add
0xA5 OP_CMP(OP_lt, <, js_relational_slow(ctx, sp, opcode));
0xA6 OP_CMP(OP_lte, <=, js_relational_slow(ctx, sp, opcode));
0xA7 OP_CMP(OP_gt, >, js_relational_slow(ctx, sp, opcode));
0xA8 OP_CMP(OP_gte, >=, js_relational_slow(ctx, sp, opcode));
0xA9 OP_CMP(OP_eq, ==, js_eq_slow(ctx, sp, 0));
0xAA OP_CMP(OP_neq, !=, js_eq_slow(ctx, sp, 1));
0xAB OP_CMP(OP_strict_eq, ==, js_strict_eq_slow(ctx, sp, 0));
0xAC OP_CMP(OP_strict_neq
0xB0 OP_xor
0xB7 OP_push_0
0xBF OP_push_i8
0xC1 op_push_?
0xCB OP_put_loc0? set_value(ctx, &var_buf[0], *--sp)
0xEE OP_goto8
0xEB OP_get_length
0xEC goto_if_false
0xF1 OP_call1
// Author's reconstruction of the checker logic recovered from the quickjs bytecode.
// This is pseudocode transcribed from the disassembly, not a runnable script:
// `un.len`, the chained comparison `'0' <= j <= '9'` and the /*error*/ /*success*/
// placeholders are notes, not valid JavaScript.
let un = "5ADACAEBF4B4A8A4"
let m = 0
// Hash of un (presumably the user name): m = m*0x2b + charCode over every character.
for(let i = 0; i < un.len; i++) m = m*0x2b+un.charCodeAt(i)
// l is the xor key derived from the hash.
let l = m%0xfe
let sn = '31430057b0557020141973402736****'
let k = 0
let s = 0
let j = 0
let n = 0
for (i = 0; i < sn.length; i++) {
  j = sn.charCodeAt(i)
  // Accumulate one hex digit into s (pseudocode: chained comparison).
  // NOTE(review): the non-digit branch uses j - 'a' with no +10 offset — confirm against the bytecode.
  if ('0' <= j <= '9') s = s * 0x10 + j - '0'
  else s = s * 0x10 + j - 'a'
  // NOTE(review): as written, k is set once and never cleared and s is never reset,
  // so only the very first character is skipped — verify the real pairing logic in the bytecode.
  if (!k) {
    k += 1
    continue
  }
  s = s ^ l
  // After the xor both nibbles must be decimal digits (0-9); otherwise the serial is rejected.
  // NOTE(review): with only a comment in the if-body, the assignment on the next line
  // parses as the body of this if — read the two lines as separate pseudocode steps.
  if (s>>4 > 9 || s%0x10 > 9) /*error*/
  // n is rebuilt in base 100 from the decoded digit pairs, most significant pair first.
  n = n * 0x64 + (s>>4) * 0xa + s % 0x10
}
// Final check: the rebuilt value must equal the hash of un.
if (m == n) /*success*/ else /*error*/
4. 计算sn
# Solver (Python 2 syntax: the trailing-comma print statement at the end)
# that derives a serial for the user name 'KCTF'*4 by inverting the checker.
un = 'KCTF'*4
m = 0
# Same hash as the checker: m = m*0x2b + ord(c) over every character.
for c in un:
    m = m*0x2b + ord(c)
print('m is ' + hex(m))
# Same xor key as the checker.
l=m%0xfe
print('l is ' + hex(l))
# Split m into base-100 digit pairs (least significant pair first), re-encode
# each pair as two decimal nibbles, xor with l and print the resulting byte as hex.
# NOTE(review): the checker rebuilds n most-significant pair first, so the printed
# bytes may need reversing to form the serial — confirm.
while m > 0:
    a=m%0x64
    m=m//0x64
    print hex(((a//0xa)*0x10 + a%0xa)^l),