-
-
[原创]第三题 寻踪觅源
-
2020-4-18 11:10 3491
-
第三题 寻踪觅源
lelfei_fix.exe 拖进 IDA 里看一下字符串,可以确定这个题和 quickjs 有关。是 qjsc 编译一个 .js 的输出。
下载了最新的 2020-04-12 版本,自己编译一个 quickjs, 然后用 qjsc 编译 examples/hello.js, qjsc -e -o hello.c examples/hello.js
,可以得到 hello.c。
/* File generated automatically by the QuickJS compiler. */ #include "quickjs-libc.h" const uint32_t qjsc_hello_size = 87; const uint8_t qjsc_hello[87] = { 0x02, 0x04, 0x0e, 0x63, 0x6f, 0x6e, 0x73, 0x6f, 0x6c, 0x65, 0x06, 0x6c, 0x6f, 0x67, 0x16, 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x22, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65, 0x73, 0x2f, 0x68, 0x65, 0x6c, 0x6c, 0x6f, 0x2e, 0x6a, 0x73, 0x0e, 0x00, 0x06, 0x00, 0x9e, 0x01, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x14, 0x01, 0xa0, 0x01, 0x00, 0x00, 0x00, 0x39, 0xdf, 0x00, 0x00, 0x00, 0x43, 0xe0, 0x00, 0x00, 0x00, 0x04, 0xe1, 0x00, 0x00, 0x00, 0x24, 0x01, 0x00, 0xcf, 0x28, 0xc4, 0x03, 0x01, 0x00, }; int main(int argc, char **argv) { JSRuntime *rt; JSContext *ctx; rt = JS_NewRuntime(); ctx = JS_NewContextRaw(rt); JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL); JS_AddIntrinsicBaseObjects(ctx); JS_AddIntrinsicDate(ctx); JS_AddIntrinsicEval(ctx); JS_AddIntrinsicStringNormalize(ctx); JS_AddIntrinsicRegExp(ctx); JS_AddIntrinsicJSON(ctx); JS_AddIntrinsicProxy(ctx); JS_AddIntrinsicMapSet(ctx); JS_AddIntrinsicTypedArrays(ctx); JS_AddIntrinsicPromise(ctx); JS_AddIntrinsicBigInt(ctx); js_std_add_helpers(ctx, argc, argv); js_std_eval_binary(ctx, qjsc_hello, qjsc_hello_size, 0); js_std_loop(ctx); JS_FreeContext(ctx); JS_FreeRuntime(rt); return 0; }
在 hello.c 里面可以看到 .js 编译出的字节码 qjsc_hello。然后在 exe 文件中寻找字节码,根据前缀 qjsc_ 很容以找到 _qjsc_s,可以判断其长度 988,内容如下。并且主程序将输入的 name 和 sn 拷贝到 &_qjsc_s[23] 和 &_qjsc_s[40],然后这道题和原 exe 文件就没有关系了。
unsigned char _qjsc_s[988] = { 0x02, 0x0E, 0x04, 0x75, 0x6E, 0x04, 0x73, 0x6E, 0x02, 0x73, 0x02, 0x69, 0x02, 0x6A, 0x02, 0x6B, 0x02, 0x6C, 0x02, 0x6D, 0x02, 0x6E, 0x20, 0x4B, 0x43, 0x54, 0x46, 0x32, 0x30, 0x32, 0x30, 0x51, 0x31, 0x6C, 0x65, 0x6C, 0x66, 0x65, 0x69, 0x40, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x2A, 0x14, 0x63, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x41, 0x74, 0x18, 0x66, 0x72, 0x6F, 0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x0A, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x0E, 0x00, 0x06, 0x00, 0x9E, 0x01, 0x00, 0x01, 0x00, 0x06, 0x00, 0x0B, 0x81, 0x06, 0x01, 0xA0, 0x01, 0x00, 0x00, 0x00, 0x40, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xDF, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE3, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE4, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE6, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x00, 0x04, 0xE8, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xDF, 0x00, 0x00, 0x00, 0xCB, 0x04, 0xE9, 0x00, 0x00, 0x00, 0x11, 0x3A, 0xE0, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x00, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE2, 0x00, 0x00, 0x00, 0x39, 0xDF, 0x00, 0x00, 0x00, 0xEB, 0xA5, 0xEC, 0x43, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x01, 0x9C, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0x39, 0xB0, 0x00, 0x00, 0x00, 0x39, 0xDF, 0x00, 0x00, 0x00, 0x43, 0xEA, 0x00, 0x00, 0x00, 0x39, 0xE2, 0x00, 0x00, 0x00, 0x24, 0x01, 0x00, 0xF1, 0x9F, 0x11, 0x3A, 0xE6, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE2, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0x0E, 0xEE, 0xB1, 0x39, 0x96, 0x00, 0x00, 0x00, 0x39, 0xE6, 0x00, 0x00, 0x00, 0xC1, 0x02, 0x9E, 0xF1, 0x11, 0x3A, 0xE5, 0x00, 0x00, 0x00, 0xCB, 0xC1, 0x03, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0xB7, 0x11, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0x0E, 0x39, 0xE2, 0x00, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00, 0xEB, 0xA5, 0x6A, 0x4C, 0x01, 0x00, 0x00, 0x39, 0xE0, 0x00, 0x00, 0x00, 0x43, 0xEA, 0x00, 0x00, 0x00, 0x39, 0xE2, 0x00, 0x00, 0x00, 0x24, 0x01, 0x00, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x30, 0xA8, 0x11, 0xEC, 0x0A, 0x0E, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x39, 0xA6, 0x11, 0xED, 0x17, 0x0E, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x61, 0xA8, 0x6A, 0x0C, 0x01, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x66, 0xA6, 0x6A, 0xFF, 0x00, 0x00, 0x00, 0x39, 0xE4, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE4, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x30, 0xA0, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x09, 0xA7, 0xEC, 0x10, 0x39, 0xE3, 0x00, 0x00, 0x00, 0xBF, 0x27, 0xA0, 0x11, 0x3A, 0xE3, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xBF, 0x10, 0x9C, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE3, 0x00, 0x00, 0x00, 0x9F, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE4, 0x00, 0x00, 0x00, 0xB9, 0x9E, 0xB7, 0xAB, 0x6A, 0x89, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0xE5, 0x00, 0x00, 0x00, 0xB0, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xBB, 0xA3, 0xBF, 0x09, 0xA7, 0x11, 0xED, 0x0D, 0x0E, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xBF, 0x10, 0x9E, 0xBF, 0x09, 0xA7, 0xEC, 0x0C, 0xC1, 0x04, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x5B, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xBB, 0xA3, 0xBF, 0x0A, 0x9C, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xBF, 0x10, 0x9E, 0x9F, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xC1, 0x05, 0x9C, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE7, 0x00, 0x00, 0x00, 0x39, 0xB0, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xF1, 0x9F, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0xB7, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x01, 0x39, 0xE2, 0x00, 0x00, 0x00, 0x93, 0x3A, 0xE2, 0x00, 0x00, 0x00, 0x0E, 0xEF, 0xA9, 0xFE, 0x06, 0xCB, 0x39, 0xE6, 0x00, 0x00, 0x00, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xAB, 0xEC, 0x0C, 0xC1, 0x06, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0x0A, 0xC1, 0x07, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0xC3, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x06, 0xCB, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xC1, 0x08, 0xA7, 0xEC, 0x3A, 0x39, 0xE1, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00, 0x00, 0x43, 0xEB, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00, 0x00, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xC1, 0x09, 0x9E, 0xF1, 0x24, 0x01, 0x00, 0x9F, 0x11, 0x3A, 0xE1, 0x00, 0x00, 0x00, 0xCB, 0x39, 0xE7, 0x00, 0x00, 0x00, 0xC1, 0x0A, 0x9D, 0x11, 0x3A, 0xE7, 0x00, 0x00, 0x00, 0xCB, 0xEE, 0xBE, 0x39, 0xEC, 0x00, 0x00, 0x00, 0x39, 0xE1, 0x00, 0x00, 0x00, 0xF1, 0xCF, 0x28, 0xC2, 0x03, 0x01, 0x2B, 0x00, 0x3C, 0x01, 0x00, 0x3C, 0x06, 0x3F, 0x3F, 0x30, 0x7B, 0x4E, 0xBC, 0x49, 0x6D, 0x30, 0x2B, 0x2B, 0x8A, 0x80, 0x00, 0x34, 0x02, 0x3F, 0x4E, 0x8A, 0x4E, 0x5D, 0x53, 0x5D, 0xCB, 0x85, 0x4E, 0x7B, 0x2C, 0x0F, 0x4F, 0x85, 0x30, 0x2B, 0x3F, 0xCB, 0x4E, 0x0D, 0x0A, 0x00, 0x0A, 0x24, 0x01, 0xAC, 0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xC8, 0x0A, 0xE8, 0x01, 0x07, 0x44, 0xB8, 0x90, 0xB5, 0x6B, 0x67, 0x80, 0x0A, 0xE8, 0x01, 0x07, 0x34, 0xA7, 0xB8, 0x48, 0x7F, 0x8D, 0xAF, 0x0A, 0x00, 0x0A, 0x28, 0x01, 0xFE, 0x0A, 0x28, 0x01, 0xFE };
将 hello.c 文件中的字节码和长度替换为 _qjsc_s,988,并 使用 gcc -D _GNU_SOURCE -I . -o hello hello.c ./libquickjs.a -lm -ldl
编译后运行,结果崩溃了 Segmentation fault (core dumped)
,这就很尴尬了。折腾了一番发现不同版本的 quickjs 编译出的字节码并不相同,然后从一个一个版本往前试,2020-03-16 版本还是崩溃,2020-01-19 版就好了。
能够正确执行字节码之后,可以修改 quickjs.c 文件,将所有执行的字节码打印出来,结合 quickjs-opcode.h 文件,可以得到字节码和定义。
0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x40, DEF(check_define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x3f, DEF( define_var, 6, 0, 0, atom_u8) 0x4, DEF(push_atom_value, 5, 0, 1, atom) 0x11, DEF( dup, 1, 1, 2, none) /* a -> a a */ 0x3a, DEF( put_var, 5, 1, 0, atom) /* must come after get_var */ 0xcb, DEF( put_loc0, 1, 1, 0, none_loc) 0x4, DEF(push_atom_value, 5, 0, 1, atom) 0x11, DEF( dup, 1, 1, 2, none) /* a -> a a */ 0x3a, DEF( put_var, 5, 1, 0, atom) /* must come after get_var */ 0xcb, DEF( put_loc0, 1, 1, 0, none_loc) 0xc1, DEF( push_const8, 2, 0, 1, const8) 0x11, DEF( dup, 1, 1, 2, none) /* a -> a a */ 0x3a, DEF( put_var, 5, 1, 0, atom) /* must come after get_var */ 0xcb, DEF( put_loc0, 1, 1, 0, none_loc) 0x6, DEF( undefined, 1, 0, 1, none) ...
又折腾了 一番发现,里面关键的 opcode 只有 add, sub, mul, div, mod, xor, sar。将这些字节码的参数和结果打印出来,基本就可以确定运算过程了,这个过程依旧很麻烦。
正向过程如下
def big_num_print(n): br = bin(n)[2:] p = len(br) br += (8- (len(br)-1) % 8 - 1) * '0' print(f"{eval(f'0b{br}'):#x} p{p}") name = b'5ADACAEBF4B4A8A4' sn = bytes.fromhex('31430057b0557020141973402736') nr = 0 print('*********** nr *********') for c in name: nr = nr*0x2b + c big_num_print(nr) x = nr % 0x7f print('*********** x ***********') big_num_print(x) big_num_print(nr // 0x7f) sr = 0 print('*********** sr **********') for c in sn: t = c ^ x # t = (t >> 4) * 10 + (t % 0x10) t = int(hex(t)[2:]) sr = sr * 0x64 + t big_num_print(sr) if sr == nr: print('Success!') else: print('Error...')
逆过程如下
def big_num_print(n): br = bin(n)[2:] p = len(br) br += (8- (len(br)-1) % 8 - 1) * '0' print(f"{eval(f'0b{br}'):#x} p{p}") # name = b'D9D951D13E6AE085' # sn = bytes.fromhex('2c0e193a0e0aab59493d2b784d38') name = b'KCTF' * 4 sn = b'' nr = 0 print('*********** nr *********') for c in name: nr = nr*0x2b + c big_num_print(nr) x = nr % 0x7f print('*********** x ***********') big_num_print(x) big_num_print(nr // 0x7f) sr = nr print('*********** sn **********') while sr > 0: t = sr % 0x64 sr = sr // 0x64 # t = ((t // 10) << 4) + (t % 10) t = int( str(t), 16) c = t ^ x sn = bytes([c,]) + sn print(sn.hex())
sn 为 40017535dad01714402635730122
。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课