这道题是仿照 kctf2020 的一道题出的，只是 QuickJS 的版本不一样。
参考链接:
https://bbs.pediy.com/thread-259014.htm
打开程序搜索字符串，可以看到它使用了 QuickJS，版本是 2020-07-05。
主要逻辑如下:
/* Decompiler output for the challenge's main(); function header and closing
 * brace are not shown here. The sub_* names are matched below against the
 * reconstructed hello.c by argument shape only, so each mapping is a guess. */
puts("Please input flag:");
gets(&s);                              /* unbounded read into s: no length limit on the input itself */
v7 = strlen(&s);
v3 = 0x2A;
if ( v7 <= 0x2A )
v3 = v7;                               /* v3 = min(strlen(s), 0x2A): at most 0x2A input bytes are used */
memcpy(&unk_6CF4E9, &s, v3);           /* splice the input into the bytecode image at offset 9 (unk_6CF4E0 + 9) */
rt = sub_40D500();                     /* presumably JS_NewRuntime() */
sub_487A60(rt);
ctx = (_QWORD *)sub_4746F0(rt);        /* presumably JS_NewContextRaw(rt) */
sub_40EA30(rt, 0LL, (__int64)sub_4875C0, 0LL);   /* presumably JS_SetModuleLoaderFunc(rt, NULL, loader, NULL) */
sub_476860(ctx);                       /* the following calls look like the JS_AddIntrinsic* setup sequence */
sub_4762F0(ctx);
sub_476390(ctx);
sub_474DE0(ctx);
sub_474E50(ctx);
sub_475BC0(ctx);
sub_475BE0(ctx);
sub_475CC0(ctx);
sub_479330(ctx);
sub_475EC0(ctx);
sub_4764B0(ctx);
sub_4878A0(ctx, a1, a2);               /* presumably js_std_add_helpers(ctx, argc, argv) */
sub_4886E0((__int64)ctx, (char *)&unk_6CF4E0, 662LL, 0);   /* presumably js_std_eval_binary(ctx, bytecode, 662, 0) */
sub_4884F0(ctx);                       /* presumably js_std_loop(ctx) */
sub_40BD80(ctx);                       /* presumably JS_FreeContext(ctx) */
sub_40CEB0(rt);                        /* presumably JS_FreeRuntime(rt) */
return 0LL;
其中 unk_6CF4E0 处存储的是 JS 编译后的字节码，数组长度是 662。
QuickJS 编译以后会生成一个 hello.c 文件，其逻辑与我们反编译出来的基本一致，所以只需要将其中的 qjsc_hello 数组替换成 unk_6CF4E0 的内容即可。
/* File generated automatically by the QuickJS compiler. */
#include "quickjs-libc.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Bytecode image copied from the challenge binary (unk_6CF4E0, 662 bytes),
 * dropped in place of the qjsc_hello array that qjsc generates.
 * The run of 0x2a bytes of value 42 ('*') starting at index 9 appears to be
 * the string slot that main() overwrites with the input (see &qjsc_s[9]).
 */
const uint32_t qjsc_s_size = 662;
uint8_t qjsc_s[662] = {2, 14, 2, 97, 2, 98, 2, 105, 84, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 2, 99, 20, 99, 104, 97, 114, 67, 111, 100, 101, 65, 116, 2, 106, 8, 112, 117, 115, 104, 2, 109, 2, 110, 2, 115, 24, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 10, 112, 114, 105, 110, 116, 16, 104, 101, 108, 108, 111, 46, 106, 115, 14, 0, 6, 0, 160, 1, 0, 1, 0, 32, 0, 5, 222, 3, 1, 162, 1, 0, 0, 0, 63, 224, 0, 0, 0, 0, 63, 225, 0, 0, 0, 0, 63, 226, 0, 0, 0, 0, 62, 224, 0, 0, 0, 0, 62, 225, 0, 0, 0, 0, 62, 226, 0, 0, 0, 0, 4, 227, 0, 0, 0, 17, 57, 224, 0, 0, 0, 202, 38, 0, 0, 17, 57, 225, 0, 0, 0, 202, 190, 94, 190, 85, 190, 93, 190, 38, 190, 51, 190, 55, 190, 110, 190, 13, 190, 25, 191, 186, 0, 191, 249, 0, 191, 210, 0, 191, 174, 0, 191, 204, 0, 191, 204, 0, 190, 42, 190, 8, 190, 104, 190, 81, 191, 149, 0, 191, 240, 0, 191, 146, 0, 190, 126, 190, 100, 190, 25, 191, 158, 0, 191, 236, 0, 190, 38, 190, 101, 191, 177, 0, 191, 221, 0, 191, 155, 0, 38, 32, 0, 190, 90, 76, 32, 0, 0, 128, 190, 26, 76, 33, 0, 0, 128, 191, 222, 0, 76, 34, 0, 0, 128, 190, 99, 76, 35, 0, 0, 128, 190, 121, 76, 36, 0, 0, 128, 191, 163, 0, 76, 37, 0, 0, 128, 191, 229, 0, 76, 38, 0, 0, 128, 190, 74, 76, 39, 0, 0, 128, 190, 77, 76, 40, 0, 0, 128, 191, 180, 0, 76, 41, 0, 0, 128, 17, 57, 228, 0, 0, 0, 202, 6, 202, 182, 17, 57, 226, 0, 0, 0, 14, 56, 226, 0, 0, 0, 56, 224, 0, 0, 0, 234, 164, 235, 78, 56, 224, 0, 0, 0, 66, 229, 0, 0, 0, 56, 226, 0, 0, 0, 36, 1, 0, 17, 57, 230, 0, 0, 0, 202, 56, 225, 0, 0, 0, 66, 231, 0, 0, 0, 56, 230, 0, 0, 0, 56, 226, 0, 0, 0, 56, 226, 0, 0, 0, 155, 190, 56, 158, 191, 255, 0, 174, 175, 36, 1, 0, 202, 56, 226, 0, 0, 0, 146, 57, 226, 0, 0, 0, 14, 237, 166, 183, 17, 57, 232, 0, 0, 0, 202, 182, 17, 57, 233, 0, 0, 0, 202, 6, 202, 56, 225, 0, 0, 0, 66, 55, 0, 0, 0, 36, 0, 0, 56, 228, 0, 0, 0, 66, 55, 0, 0, 0, 36, 0, 0, 170, 235, 12, 192, 0, 
17, 57, 233, 0, 0, 0, 202, 237, 10, 192, 1, 17, 57, 233, 0, 0, 0, 202, 194, 17, 57, 234, 0, 0, 0, 202, 6, 202, 56, 233, 0, 0, 0, 192, 2, 166, 235, 58, 56, 234, 0, 0, 0, 56, 152, 0, 0, 0, 66, 235, 0, 0, 0, 56, 151, 0, 0, 0, 56, 233, 0, 0, 0, 192, 3, 157, 240, 36, 1, 0, 158, 17, 57, 234, 0, 0, 0, 202, 56, 233, 0, 0, 0, 192, 4, 156, 17, 57, 233, 0, 0, 0, 202, 237, 190, 56, 236, 0, 0, 0, 56, 234, 0, 0, 0, 240, 206, 40, 218, 3, 1, 23, 91, 0, 18, 8, 63, 53, 0, 162, 1, 2, 123, 128, 193, 75, 43, 44, 213, 48, 43, 63, 203, 78, 13, 10, 232, 1, 7, 68, 184, 144, 181, 107, 103, 128, 10, 232, 1, 7, 52, 167, 184, 72, 127, 141, 175, 10, 0, 10, 40, 1, 254, 10, 40, 1, 254};
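/*
 * Reconstruction of the challenge's main(): read a flag candidate, splice it
 * into the compiled bytecode image and let QuickJS run the check.
 *
 * The bytecode string that receives the input starts at qjsc_s[9] and is
 * 0x2a bytes long, so at most 0x2a bytes of input are copied; longer input
 * is truncated, matching the original binary.
 *
 * Fixes over the first draft: the length computation used a comma where the
 * conditional operator needs a colon (`? 0x2a, strlen(un)` does not compile),
 * and gets() (no bound, removed from C11) is replaced by a bounded fgets()
 * so the local buffer cannot be overrun by a long line.
 *
 * Returns 0 after the script has run, 1 if the QuickJS runtime or context
 * could not be created.
 */
int main(int argc, char **argv)
{
    enum { FLAG_SLOT_OFF = 9, FLAG_SLOT_LEN = 0x2a };
    /* Room for FLAG_SLOT_LEN bytes plus the newline fgets() keeps and the NUL. */
    char un[FLAG_SLOT_LEN + 2] = {0};
    uint8_t *unpos = &qjsc_s[FLAG_SLOT_OFF];
    size_t unlen = 0;

    printf("Please input flag:");
    fflush(stdout); /* the prompt has no newline; show it before blocking on input */

    /* Bounded stand-in for gets(): reads at most sizeof un - 1 bytes. */
    if (fgets(un, sizeof un, stdin) != NULL) {
        un[strcspn(un, "\n")] = '\0'; /* gets() would have stripped the newline */
        unlen = strlen(un);
        if (unlen > FLAG_SLOT_LEN) {
            unlen = FLAG_SLOT_LEN; /* same truncation as the original binary */
        }
    }
    memcpy(unpos, un, unlen);

    JSRuntime *rt = JS_NewRuntime();
    if (rt == NULL) {
        return 1;
    }
    JSContext *ctx = JS_NewContextRaw(rt);
    if (ctx == NULL) {
        JS_FreeRuntime(rt);
        return 1;
    }
    JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);
    JS_AddIntrinsicBaseObjects(ctx);
    JS_AddIntrinsicBigInt(ctx);
    js_std_add_helpers(ctx, argc, argv);
    js_std_eval_binary(ctx, qjsc_s, qjsc_s_size, 0);
    js_std_loop(ctx);
    JS_FreeContext(ctx);
    JS_FreeRuntime(rt);
    return 0;
}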
使用gcc -ggdb -pthread hello.c libquickjs.a -lm -ldl -o hello
可以编译生成二进制文件，其运行逻辑与题目给出的二进制文件相同。现在只需要把这段字节码打印出来即可。对 quickjs.c 文件进行如下 3 处修改：
###########1
-//#define DUMP_BYTECODE (1)
+#define DUMP_BYTECODE (1)
###########2
-//#define DUMP_READ_OBJECT
+#define DUMP_READ_OBJECT
##########3
bc_read_trace(s, "}\n");
}
bc_read_trace(s, "}\n");
+#if DUMP_BYTECODE
+ js_dump_function_bytecode(ctx, b);
+#endif
}
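Review bot: The third change is shown without a function name or `@@` context line, so the spot in quickjs.c where `js_dump_function_bytecode(ctx, b);` is inserted cannot be located from this listing alone; the enclosing function starts and ends outside the hunk. Naming the function that contains the two `bc_read_trace(s, "}\n");` calls, or quoting the `@@` header, would make the patch reproducible on another checkout. The `#if DUMP_BYTECODE` guard is consistent with the first change, which defines `DUMP_BYTECODE` as 1.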
修改完成后重新编译quickjs和上面的hello.c文件,即可打印出字节码
字节码的大致逻辑如下
# Rough reconstruction of the checked bytecode, not runnable as-is.
a = "thisisyourflag"   # stands for the 0x2a-byte string slot that main() overwrites with the input
b = []                 # per-character results of the transform below
c = [94, 85, 93, 38, 51, 55, 110, 13, 25, 186, 249, 210, 174, 204, 204, 42, 8, 104, 81, 149, 240, 146, 126, 100,25,158,236,38,101,177,221,155,90,26,222,99,121,163,229,74,77,180]   # 42 expected values, one per slot byte
i = 0
while i < len(a):
    j = a.charAt(i)
    b.append(((i*i + 56) & 255) ^ j)   # per-position key (i*i + 56) & 255, XORed with the character code
    i = i + 1
assert( a == b.toString())
# NOTE(review): the solver at the end of the write-up recovers the flag from c,
# i.e. the check is effectively b == c; `a == b.toString()` above looks like a
# slip for c -- confirm against the bytecode dump.
做逆运算即可求得flag:
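ss = [94, 85, 93, 38, 51, 55, 110, 13, 25, 186, 249, 210, 174, 204, 204, 42, 8, 104, 81, 149, 240, 146, 126, 100,25,158,236,38,101,177,221,155,90,26,222,99,121,163,229,74,77,180]


def recover_flag(ss):
    """Invert the check: the program XORs each input byte with the per-position
    key ``(i*i + 56) & 255`` and compares the result with ``ss``, so XORing
    ``ss[i]`` with the same key yields the original byte.

    :param ss: expected byte values, in position order
    :return: the recovered string (empty for an empty list)
    """
    return "".join(chr(v ^ ((i * i + 56) & 255)) for i, v in enumerate(ss))


# print() with a single argument behaves the same on Python 2 and Python 3,
# unlike the bare print statement, which is a syntax error on Python 3.
print(recover_flag(ss))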