-
-
[原创]第三题 寻踪觅源
-
2020-4-18 11:10 3491
-
第三题 寻踪觅源
lelfei_fix.exe 拖进 IDA 里看一下字符串,可以确定这个题和 quickjs 有关。是 qjsc 编译一个 .js 的输出。
下载了最新的 2020-04-12 版本,自己编译一个 quickjs, 然后用 qjsc 编译 examples/hello.js, qjsc -e -o hello.c examples/hello.js,可以得到 hello.c。
/* File generated automatically by the QuickJS compiler. */
#include "quickjs-libc.h"
const uint32_t qjsc_hello_size = 87;
const uint8_t qjsc_hello[87] = {
0x02, 0x04, 0x0e, 0x63, 0x6f, 0x6e, 0x73, 0x6f,
0x6c, 0x65, 0x06, 0x6c, 0x6f, 0x67, 0x16, 0x48,
0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x57, 0x6f, 0x72,
0x6c, 0x64, 0x22, 0x65, 0x78, 0x61, 0x6d, 0x70,
0x6c, 0x65, 0x73, 0x2f, 0x68, 0x65, 0x6c, 0x6c,
0x6f, 0x2e, 0x6a, 0x73, 0x0e, 0x00, 0x06, 0x00,
0x9e, 0x01, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00,
0x14, 0x01, 0xa0, 0x01, 0x00, 0x00, 0x00, 0x39,
0xdf, 0x00, 0x00, 0x00, 0x43, 0xe0, 0x00, 0x00,
0x00, 0x04, 0xe1, 0x00, 0x00, 0x00, 0x24, 0x01,
0x00, 0xcf, 0x28, 0xc4, 0x03, 0x01, 0x00,
};
int main(int argc, char **argv)
{
JSRuntime *rt;
JSContext *ctx;
rt = JS_NewRuntime();
ctx = JS_NewContextRaw(rt);
JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
JS_AddIntrinsicBaseObjects(ctx);
JS_AddIntrinsicDate(ctx);
JS_AddIntrinsicEval(ctx);
JS_AddIntrinsicStringNormalize(ctx);
JS_AddIntrinsicRegExp(ctx);
JS_AddIntrinsicJSON(ctx);
JS_AddIntrinsicProxy(ctx);
JS_AddIntrinsicMapSet(ctx);
JS_AddIntrinsicTypedArrays(ctx);
JS_AddIntrinsicPromise(ctx);
JS_AddIntrinsicBigInt(ctx);
js_std_add_helpers(ctx, argc, argv);
js_std_eval_binary(ctx, qjsc_hello, qjsc_hello_size, 0);
js_std_loop(ctx);
JS_FreeContext(ctx);
JS_FreeRuntime(rt);
return 0;
}
在 hello.c 里面可以看到 .js 编译出的字节码 qjsc_hello。然后在 exe 文件中寻找字节码,根据前缀 qjsc_ 很容以找到 _qjsc_s,可以判断其长度 988,内容如下。并且主程序将输入的 name 和 sn 拷贝到 &_qjsc_s[23] 和 &_qjsc_s[40],然后这道题和原 exe 文件就没有关系了。
unsigned char _qjsc_s[988] = {
0x02, 0x0E, 0x04, 0x75, 0x6E, 0x04, 0x73, 0x6E, 0x02, 0x73, 0x02, 0x69, 0x02, 0x6A, 0x02, 0x6B,
0x02, 0x6C, 0x02, 0x6D, 0x02, 0x6E, 0x20, 0x4B, 0x43, 0x54, 0x46, 0x32, 0x30, 0x32, 0x30, 0x51,
0x31, 0x6C, 0x65, 0x6C, 0x66, 0x65, 0x69, 0x40, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A,
0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x14, 0x63, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64,
0x65, 0x41, 0x74, 0x18, 0x66, 0x72, 0x6F, 0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65,
0x0A, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x0E, 0x00, 0x06, 0x00, 0x9E, 0x01, 0x00, 0x01, 0x00, 0x06,
0x00, 0x0B, 0x81, 0x06, 0x01, 0xA0, 0x01, 0x00, 0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x00,
0x40, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE2, 0x00, 0x00,
0x00, 0x00, 0x40, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE5,
0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE7, 0x00, 0x00, 0x00, 0x00,
0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE0, 0x00, 0x00,
0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE3,
0x00, 0x00, 0x00, 0x00, 0x3F, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x00,
0x3F, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00,
0x00, 0x00, 0x04, 0xE8, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xDF, 0x00, 0x00, 0x00, 0xCB, 0x04, 0xE9,
0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x00, 0x11, 0x3A, 0xE6, 0x00,
0x00, 0x00, 0xCB, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE2, 0x00,
0x00, 0x00, 0x39, 0xDF, 0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x43, 0x39, 0xE6, 0x00, 0x00, 0x00,
0xC1, 0x01, 0x9C, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0x39,
0xB0, 0x00, 0x00, 0x00, 0x39, 0xDF, 0x00, 0x00, 0x00, 0x43, 0xEA, 0x00, 0x00, 0x00, 0x39, 0xE2,
0x00, 0x00, 0x00, 0x24, 0x01, 0x00, 0xF1, 0x9F, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39,
0xE2, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0x0E, 0xEE, 0xB1, 0x39, 0x96, 0x00,
0x00, 0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x02, 0x9E, 0xF1, 0x11, 0x3A, 0xE5, 0x00, 0x00,
0x00, 0xCB, 0xC1, 0x03, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00,
0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0xB7, 0x11, 0x3A,
0xE2, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE2, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00, 0xEB,
0xA5, 0x6A, 0x4C, 0x01, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00, 0x43, 0xEA, 0x00, 0x00, 0x00,
0x39, 0xE2, 0x00, 0x00, 0x00, 0x24, 0x01, 0x00, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x06,
0xCB, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x30, 0xA8, 0x11, 0xEC, 0x0A, 0x0E, 0x39, 0xE3, 0x00,
0x00, 0x00, 0xBF, 0x39, 0xA6, 0x11, 0xED, 0x17, 0x0E, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x61,
0xA8, 0x6A, 0x0C, 0x01, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x66, 0xA6, 0x6A, 0xFF,
0x00, 0x00, 0x00, 0x39, 0xE4, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x39,
0xE3, 0x00, 0x00, 0x00, 0xBF, 0x30, 0xA0, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB,
0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x09, 0xA7, 0xEC, 0x10, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF,
0x27, 0xA0, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xBF, 0x10,
0x9C, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00,
0x00, 0x00, 0x9F, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 0x00,
0x00, 0xB9, 0x9E, 0xB7, 0xAB, 0x6A, 0x89, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39,
0xE5, 0x00, 0x00, 0x00, 0xB0, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE1,
0x00, 0x00, 0x00, 0xBB, 0xA3, 0xBF, 0x09, 0xA7, 0x11, 0xED, 0x0D, 0x0E, 0x39, 0xE1, 0x00, 0x00,
0x00, 0xBF, 0x10, 0x9E, 0xBF, 0x09, 0xA7, 0xEC, 0x0C, 0xC1, 0x04, 0x11, 0x3A, 0xE7, 0x00, 0x00,
0x00, 0xCB, 0xEE, 0x5B, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xBB, 0xA3, 0xBF, 0x0A, 0x9C, 0x39, 0xE1,
0x00, 0x00, 0x00, 0xBF, 0x10, 0x9E, 0x9F, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE7,
0x00, 0x00, 0x00, 0xC1, 0x05, 0x9C, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE7, 0x00,
0x00, 0x00, 0x39, 0xB0, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xF1, 0x9F, 0x11, 0x3A,
0xE7, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x01, 0x39,
0xE2, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0x0E, 0xEF, 0xA9, 0xFE, 0x06, 0xCB,
0x39, 0xE6, 0x00, 0x00, 0x00, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xAB, 0xEC, 0x0C, 0xC1, 0x06, 0x11,
0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0A, 0xC1, 0x07, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00,
0xCB, 0xC3, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE7, 0x00, 0x00, 0x00,
0xC1, 0x08, 0xA7, 0xEC, 0x3A, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00, 0x00, 0x43,
0xEB, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00, 0x00, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xC1, 0x09,
0x9E, 0xF1, 0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE7, 0x00,
0x00, 0x00, 0xC1, 0x0A, 0x9D, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEC,
0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xF1, 0xCF, 0x28, 0xC2, 0x03, 0x01, 0x2B, 0x00,
0x3C, 0x01, 0x00, 0x3C, 0x06, 0x3F, 0x3F, 0x30, 0x7B, 0x4E, 0xBC, 0x49, 0x6D, 0x30, 0x2B, 0x2B,
0x8A, 0x80, 0x00, 0x34, 0x02, 0x3F, 0x4E, 0x8A, 0x4E, 0x5D, 0x53, 0x5D, 0xCB, 0x85, 0x4E, 0x7B,
0x2C, 0x0F, 0x4F, 0x85, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0A, 0x00, 0x0A, 0x24, 0x01, 0xAC,
0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xC8, 0x0A, 0xE8, 0x01, 0x07,
0x44, 0xB8, 0x90, 0xB5, 0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8, 0x48, 0x7F,
0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x28, 0x01, 0xFE
};
将 hello.c 文件中的字节码和长度替换为 _qjsc_s,988,并 使用 gcc -D _GNU_SOURCE -I . -o hello hello.c ./libquickjs.a -lm -ldl 编译后运行,结果崩溃了 Segmentation fault (core dumped),这就很尴尬了。折腾了一番发现不同版本的 quickjs 编译出的字节码并不相同,然后从一个一个版本往前试,2020-03-16 版本还是崩溃,2020-01-19 版就好了。
能够正确执行字节码之后,可以修改 quickjs.c 文件,将所有执行的字节码打印出来,结合 quickjs-opcode.h 文件,可以得到字节码和定义。
0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x4, DEF(push_atom_value, 5, 0, 1, atom) 0x11, DEF( dup, 1, 1, 2, none) /* a -> a a */ 0x3a, DEF( put_var, 5, 1, 0, atom) /* must come after get_var */ 0xcb, DEF( put_loc0, 1, 1, 0, none_loc) 0x4, DEF(push_atom_value, 5, 0, 1, atom) 0x11, DEF( dup, 1, 1, 2, none) /* a -> a a */ 0x3a, DEF( put_var, 5, 1, 0, atom) /* must come after get_var */ 0xcb, DEF( put_loc0, 1, 1, 0, none_loc) 0xc1, DEF( push_const8, 2, 0, 1, const8) 0x11, DEF( dup, 1, 1, 2, none) /* a -> a a */ 0x3a, DEF( put_var, 5, 1, 0, atom) /* must come after get_var */ 0xcb, DEF( put_loc0, 1, 1, 0, none_loc) 0x6, DEF( undefined, 1, 0, 1, none) ...
又折腾了 一番发现,里面关键的 opcode 只有 add, sub, mul, div, mod, xor, sar。将这些字节码的参数和结果打印出来,基本就可以确定运算过程了,这个过程依旧很麻烦。
正向过程如下
def big_num_print(n):
br = bin(n)[2:]
p = len(br)
br += (8- (len(br)-1) % 8 - 1) * '0'
print(f"{eval(f'0b{br}'):#x} p{p}")
name = b'5ADACAEBF4B4A8A4'
sn = bytes.fromhex('31430057b0557020141973402736')
nr = 0
print('*********** nr *********')
for c in name:
nr = nr*0x2b + c
big_num_print(nr)
x = nr % 0x7f
print('*********** x ***********')
big_num_print(x)
big_num_print(nr // 0x7f)
sr = 0
print('*********** sr **********')
for c in sn:
t = c ^ x
# t = (t >> 4) * 10 + (t % 0x10)
t = int(hex(t)[2:])
sr = sr * 0x64 + t
big_num_print(sr)
if sr == nr:
print('Success!')
else:
print('Error...')
逆过程如下
def big_num_print(n):
br = bin(n)[2:]
p = len(br)
br += (8- (len(br)-1) % 8 - 1) * '0'
print(f"{eval(f'0b{br}'):#x} p{p}")
# name = b'D9D951D13E6AE085'
# sn = bytes.fromhex('2c0e193a0e0aab59493d2b784d38')
name = b'KCTF' * 4
sn = b''
nr = 0
print('*********** nr *********')
for c in name:
nr = nr*0x2b + c
big_num_print(nr)
x = nr % 0x7f
print('*********** x ***********')
big_num_print(x)
big_num_print(nr // 0x7f)
sr = nr
print('*********** sn **********')
while sr > 0:
t = sr % 0x64
sr = sr // 0x64
# t = ((t // 10) << 4) + (t % 10)
t = int( str(t), 16)
c = t ^ x
sn = bytes([c,]) + sn
print(sn.hex())
sn 为 40017535dad01714402635730122。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2020-4-18 11:14
被iweizime编辑
,原因:
赞赏
|
|
|---|---|
|
|
他的文章
