## Kepiting Cirebon
### Description
\-
### Solution
Given an APK file, decompile it with jadx. From `com.kepitingcirebon.shell.ProxyComponentFactory` and `com.kepitingcirebon.shell.ProxyApplication` classes, we can see that there's a process for dynamically loading Android components.
By leveraging generative AI, we obtain the following information from the list of functions in `libkepiting.so` used in the shell via `JniBridge`:
* Initialize native environment (a(), ia(), cbde())
* Discover real app components (rcf(), rapn())
* Create and delegate to real application (ra(), craa(), craoc())
So the next step is to hook the class loader or dex loader function, but it turns out there's a Frida detection. However, we can bypass the `anti-Frida` with a universal script bypass.
```javascript
try {
var p_pthread_create = Module.findExportByName("libc.so", "pthread_create");
var pthread_create = new NativeFunction(p_pthread_create, "int", ["pointer", "pointer", "pointer", "pointer"]);
Interceptor.replace(p_pthread_create, new NativeCallback(function(ptr0, ptr1, ptr2, ptr3) {
if (ptr1.isNull() && ptr3.isNull()) {
console.log("Possible thread creation for checking. Disabling it");
return -1;
} else {
return pthread_create(ptr0, ptr1, ptr2, ptr3);
}
}, "int", ["pointer", "pointer", "pointer", "pointer"]));
} catch (error) {
console.log("Error", error)
}
```
The next idea is to trace with `frida-trace` several commonly used functions because if we look at the assets there is a file whose function we don't know yet, namely `linggisjawa`.
```bash
frida-trace -U -f com.anyujin.kepiting_cirebon \
-S bypass.js \
-i 'libc.so!open*' \
-i 'libc.so!read' \
-i 'libc.so!mmap*' \
-j '*!*File*'
```
From the output above, we know that there is a file in the code\_cache, namely `i11111i111.zip`. After unzipping, there are two files: `classes.dex` and `classes2.dex`. We tried decompiling them with `jadx`.
The decompile results show that the dex file's code is still `encrypted`, so the next step is to try dumping the dex file while the application is running. Here, we'll use `frida-dexdump`. Because there's anti-frida, we'll try running frida-dexdump on a `running process`, assuming the anti-frida check is performed at the `start of the application`.
```bash
frida-dexdump -p 5267 -U
```
Next we try grep with keyword `PudingCoklatPakHambali`.
After obtaining the two dex files, we tried decompiling each dex file. We found that `classes02.dex` is the same dex file as the one in the .zip (still encrypted), and `classes04.dex` cannot be decompiled with jadx. The next step is to convert it to jar and then decompile it again.
```bash
d2j-dex2jar classes04.dex
```
And it turns out we can decompile it, so the next step is to understand the code of the program.
By hooking each existing function with the script below and looking at the source code, we can see that `keretaArgoNgawi` actually performs an `xor` operation from index `arg1` to index `arg2` and then `compares` it with the static value.
```javascript
Java.perform(function() {
var target_class = Java.use("com.anyujin.kepiting_cirebon.PudingCoklatPakHambali");
target_class.ahmadUlatSagu.overload().implementation = function() {
console.log("[*] Hooking ahmadUlatSagu ");
console.log("[*] return ", this.ahmadUlatSagu());
return this.ahmadUlatSagu();
}
target_class.$init.overload('[I').implementation = function(arg1) {
console.log("[*] Hooking PudingCoklatPakHambali ");
stacktrace();
console.log("[*] Integer array argument:", JSON.stringify(arg1));
var ret = this.$init(arg1);
console.log("[*] After constructor - Field values:");
try {
console.log("[*] input array:", JSON.stringify(this.input.value));
console.log("[*] n value:", this.n.value);
console.log("[*] tree array:", JSON.stringify(this.tree.value));
} catch (e) {
console.log("[*] Error reading fields:", e);
}
return ret;
}
target_class.anggrekMekarPontianak.overload('int', 'int', 'int').implementation = function(arg1, arg2, arg3) {
console.log("[*] Hooking anggrekMekarPontianak ");
console.log("[*] arg1 ", arg1);
console.log("[*] arg2 ", arg2);
console.log("[*] arg3 ", arg3);
var ret = this.anggrekMekarPontianak(arg1, arg2, arg3);
console.log("[*] ret ", ret);
return ret;
}
target_class.keretaArgoNgawi.overload('int', 'int').implementation = function(arg1, arg2) {
// stacktrace();
console.log("[*] Hooking keretaArgoNgawi ");
console.log("[*] arg1 ", arg1);
console.log("[*] arg2 ", arg2);
var ret = this.keretaArgoNgawi(arg1, arg2);
console.log("[*] ret ", ret);
return ret
}
target_class.kipasAnginMasHarditNyitNyit.overload('int', 'int', 'int', 'int', 'int').implementation = function(arg1, arg2, arg3, arg4, arg5) {
console.log("[*] Hooking kipasAnginMasHarditNyitNyit ");
// stacktrace();
console.log("[*] arg1 ", arg1);
console.log("[*] arg2 ", arg2);
console.log("[*] arg3 ", arg3);
console.log("[*] arg4 ", arg4);
console.log("[*] arg5 ", arg5);
var ret = this.kipasAnginMasHarditNyitNyit(arg1, arg2, arg3, arg4, arg5);
console.log("[*] ret ", ret);
return ret;
}
});
function stacktrace() {
Java.perform(function() {
let AndroidLog = Java.use("android.util.Log");
let ExceptionClass = Java.use("java.lang.Exception");
console.warn(AndroidLog.getStackTraceString(ExceptionClass.$new()));
});
}
try {
var p_pthread_create = Module.findExportByName("libc.so", "pthread_create");
var pthread_create = new NativeFunction(p_pthread_create, "int", ["pointer", "pointer", "pointer", "pointer"]);
Interceptor.replace(p_pthread_create, new NativeCallback(function(ptr0, ptr1, ptr2, ptr3) {
if (ptr1.isNull() && ptr3.isNull()) {
console.log("Possible thread creation for checking. Disabling it");
return -1;
} else {
return pthread_create(ptr0, ptr1, ptr2, ptr3);
}
}, "int", ["pointer", "pointer", "pointer", "pointer"]));
} catch (error) {
console.log("Error", error)
}
```
So the next step is to create a solver using `z3`.
```python
from z3 import *
import string
import hashlib
def all_smt(s, initial_terms):
def block_term(s, m, t):
s.add(t != m.eval(t, model_completion=True))
def fix_term(s, m, t):
s.add(t == m.eval(t, model_completion=True))
def all_smt_rec(terms):
if sat == s.check():
m = s.model()
yield m
for i in range(len(terms)):
s.push()
block_term(s, m, terms[i])
for j in range(i):
fix_term(s, m, terms[j])
yield from all_smt_rec(terms[i:])
s.pop()
yield from all_smt_rec(list(initial_terms))
s = Solver()
input_vars = [BitVec(f'input_{i}', 8) for i in range(32)]
list_char = string.printable[:-6]
list_char = list_char.replace("=", "")
for i in input_vars:
s.add(z3.Or(*[ord(j) == i for j in list_char]))
def xor_range(start, end):
result = BitVecVal(0, 8)
for i in range(start, end + 1):
result = result ^ input_vars[i]
return result
s.add(xor_range(3, 7) == 5)
s.add(xor_range(4, 6) == 115)
expected_values = [65, 105, 61, 62, 110, 8, 85, 89, 95, 110, 45, 67, 0, 108, 45, 95, 49, 45, 67, 25, 59]
pairs = [[0,1], [3,3], [2,3], [3,5], [4,4], [4,6], [3,7]]
value_index = 0
for i in [8, 16, 24]:
for start, end in pairs:
s.add(xor_range(start + i, end + i) == expected_values[value_index])
value_index += 1
s.add(input_vars[0] == 73)
s.add(input_vars[1] == 84)
s.add(input_vars[2] == 83)
s.add(input_vars[3] == 69)
s.add(input_vars[4] == 67)
s.add(input_vars[5] == 123)
s.add(input_vars[31] == 125)
s.add(input_vars[8] == ord('p'))
s.add(input_vars[16] == ord('5'))
for model in all_smt(s, input_vars):
init = []
for j in input_vars:
init.append(model[j].as_long())
nice = bytes(init)
if hashlib.md5(nice).hexdigest() == "1932b746f4b7c349c089bc4aad3a7234":
print(nice)
```
Flag: ITSEC{K3p1Tin9\_45l1\_C1r3Bon\_C1k}
## qengine
### Description
\-
### Solution
We have 2 solutions for this challenge as shown in the table below
#### Understanding behavior through dynamic analysis
Given `emu.py` and ELF files
```python
from qiling import Qiling
global flag
flag = input("Input your flag >> ")
flag = flag.encode()
if len(flag) != 36:
print("Flag's length should be 36 bytes.")
exit(0)
def patch(ql: Qiling):
addr = 0x57b0b3
ql.mem.write(addr, flag)
'''
- Download rootfs from https://github.com/qilingframework/rootfs/tree/master/x8664_linux
- Place v9 challenge in bin folder of the rootfs
'''
ql = Qiling(["rootfs/x8664_linux/bin/v9"], rootfs="rootfs/x8664_linux")
patch(ql)
ql.run()
```
From the code above, we know that the program writes a flag to address `0x57b0b3` and we know that the binary validates the flag that is hardcoded at a specific address.
Next, decompiling it with IDA will reveal some information from the `strings`.
Searching for `quickjs` reveals two repositories: `quickjs-ng` and `bellard`. We initially compiled quickjs-ng and noticed that the structure of the available functions `differed significantly` from the provided ones. So, we compiled it from the bellard repository, first downloading the version corresponding to the one listed in the strings, `2024-01-13`.
*
Do a build for quickjs and create an independent executable for our own script as we did to generate v9.
```bash
./qjsc -e -o chall.c chall.js
gcc -O2 -g -fno-stack-protector chall.c quickjs.c quickjs-libc.c cutils.c libregexp.c libunicode.c libbf.c -I. -DCONFIG_BIGNUM=0 -D_GNU_SOURCE -lm -ldl -lpthread -DCONFIG_VERSION=\"2024-01-13\" -o test_program
```
Next, when we decompile `test_program`, we'll see a code structure similar to the original. So, we create a signature for the `test_program` executable, but when we load it in v9, we find many mismatches.
So the next step is to manually recover the function name based on the `code structure` and `error strings` present in the function.
For example, as in the image above, the function name with a `blue` background is the result of the signature, and the `black` background is the function we renamed ourselves. So, the next step is dynamic analysis. After performing dynamic analysis, we obtained the following information.
* There is a conversion from decimal to binary
* There is a conversion from binary to hex
* There is a conversion from hex to decimal
* There are several operations that change the value for each index
* There is an array construction
Here are some `breakpoints` that I utilize for debugging.
```python
0x401EAB (maybe_main+8F)
0x409B80 (js_strict_eq2)
0x40A2D0 (js_compare_bigfloat)
0x40E5A0 (JS_CallInternal)
0x40EB3E (JS_CallInternal+59E)
0x40EB78 (JS_CallInternal+5D8)
0x4154DA (JS_CallInternal+6F3A)
0x422F70 (js_string_to_bigint)
0x42C4C0 (array_related)
0x4306B0 (JS_ConcatString)
0x432270 (js_bigint_toString)
0x4322EF (js_bigint_toString+7F)
0x44CC10 (js_call_c_function)
0x45D9F3 (maybe_js_array_push+163)
0x46A920 (js_add_slow)
0x46AA60 (js_add_slow+140)
0x46D469 (js_parseInt+99)
0x46DDF0 (sub_46DDF0)
0x4A9220 (bf_cmp)
0x4A95E0 (bf_logic_op)
0x4AA5A0 (sub_4AA5A0)
0x4B3310 (sub_4B3310)
0x4B6340 (sub_4B6340)
```
From this information we can do a dump for each process, here we can set a breakpoint on the `js_string_to_bigint` and `js_array_push` functions, so that the following output is obtained.
{% code title="First input" %}
```python
input = b"ITSEC{0123456789abcdefghijklmnopqrs}"
[164, 170, 41, 162, 161, 189, 152, 24, 153, 25, 154, 26, 155, 27, 156, 28, 176, 177, 49, 178, 50, 179, 51, 180, 52, 181, 53, 182, 54, 183, 55, 184, 56, 185, 57, 190]
[255, 170, 146, 231, 234, 43, 84, 134, 92, 192, 248, 131, 205, 222, 82, 128, 97, 188, 6, 255, 48, 162, 170, 252, 167, 186, 0, 249, 54, 164, 172, 246, 173, 176, 10, 245]
[9, 42, 116, 0, 4, 118, 254, 87, 251, 245, 43, 86, 48, 121, 123, 82, 216, 55, 170, 20, 179, 187, 255, 16, 125, 50, 175, 17, 182, 190, 250, 31, 114, 61, 160, 27]
[132, 234, 225, 148, 29, 5, 129, 238, 143, 90, 17, 105, 51, 13, 198, 105, 61, 121, 208, 138, 241, 46, 0, 10, 202, 254, 87, 13, 118, 169, 135, 130, 66, 118, 223, 130]
[207, 202, 62, 202, 8, 207, 65, 139, 65, 162, 182, 73, 177, 195, 37, 207, 42, 144, 151, 91, 146, 241, 0, 157, 38, 212, 211, 31, 214, 181, 68, 209, 234, 24, 31, 215]
[33, 122, 142, 59, 23, 224, 225, 220, 104, 38, 66, 249, 114, 106, 183, 186, 54, 141, 115, 98, 64, 193, 128, 65, 60, 235, 21, 4, 38, 167, 230, 43, 150, 65, 191, 168]
[51, 209, 209, 19, 33, 112, 224, 249, 122, 141, 29, 209, 68, 250, 182, 159, 36, 38, 44, 74, 118, 81, 129, 100, 46, 64, 74, 44, 16, 55, 231, 14, 132, 234, 224, 128]
[113, 36, 205, 101, 14, 177, 35, 65, 170, 193, 152, 35, 160, 47, 217, 235, 73, 60, 202, 142, 247, 210, 129, 230, 87, 150, 96, 36, 93, 120, 43, 89, 168, 105, 159, 208]
```
{% endcode %}
{% code title="Second input" %}
```python
input = b"ITSEC{zyxwvutsrqponmlkjihgfedcba987}"
[164, 170, 41, 162, 161, 189, 189, 60, 188, 59, 187, 58, 186, 57, 185, 56, 184, 55, 183, 54, 182, 53, 181, 52, 180, 51, 179, 50, 178, 49, 177, 48, 156, 156, 27, 190]
[255, 170, 146, 231, 234, 43, 99, 48, 107, 115, 201, 51, 252, 109, 101, 54, 109, 121, 195, 57, 246, 103, 111, 60, 103, 127, 197, 63, 240, 97, 105, 58, 91, 135, 185, 245]
[9, 42, 116, 0, 4, 118, 210, 58, 215, 159, 130, 62, 25, 19, 215, 63, 210, 144, 141, 49, 22, 28, 216, 48, 221, 149, 136, 52, 19, 25, 221, 53, 255, 17, 202, 155]
[132, 234, 225, 148, 29, 5, 187, 181, 53, 5, 236, 181, 14, 210, 60, 50, 178, 141, 100, 61, 134, 90, 180, 186, 58, 10, 227, 186, 1, 221, 51, 61, 137, 204, 128, 66]
[207, 202, 62, 202, 8, 207, 102, 253, 38, 210, 181, 123, 146, 243, 34, 185, 98, 158, 121, 183, 94, 63, 238, 117, 174, 90, 61, 243, 26, 123, 170, 49, 196, 127, 111, 247]
[33, 122, 142, 59, 23, 224, 213, 17, 60, 238, 64, 82, 64, 194, 179, 119, 90, 132, 234, 248, 234, 104, 25, 221, 240, 34, 140, 158, 140, 14, 127, 187, 175, 21, 119, 152]
[51, 209, 209, 19, 33, 112, 212, 52, 46, 69, 31, 122, 118, 82, 178, 82, 72, 47, 181, 208, 220, 248, 24, 248, 226, 137, 211, 182, 186, 158, 126, 158, 189, 190, 40, 176]
[113, 36, 205, 101, 14, 177, 126, 22, 87, 153, 159, 222, 247, 215, 212, 188, 253, 38, 96, 33, 8, 40, 43, 67, 2, 204, 202, 139, 162, 130, 129, 233, 227, 148, 199, 128]
```
{% endcode %}
While there may be something missing from each process, we can at least see a pattern from the known process. From the final value, it is known that the values for the first 6 indexes are the same, namely `113, 36, 205, 101, 14, 177` , but if we look at the next index, the values are different. If we look at the value at the last index, it can be seen that the values are different even though our input has the same final value, which is `}` .
From here we can see that each input is actually not processed completely independently but there is still a relationship between index-i and index-i+1 or at least we can see in the first array that the 0th index has 1 bit of value from the last input index. From this we can conclude that we can do `bruteforce per byte`. So the idea is to take the final value of the entire process, then check it with the correct value. The question is, where is the correct value? So we checked the bytecode that we had dumped and found an `interesting sequence`
From there, we realized that the correct final value was hardcoded. So, we tried dumping it and validating it with `qjsc`.
```python
buf = open("bytecode.bin", "rb").read()
arr = []
for i in range(len(buf)):
if buf[i] == 0xc0:
arr.append(buf[i+1])
elif buf[i] == 0xbf:
arr.append(buf[i+1])
print(arr[arr.index(0x71):arr.index(0x71)+36])
```
Create file `test.js` as following
{% code title="test.js" %}
```javascript
a = [113, 36, 205, 101, 14, 177, 115, 90, 8, 40, 238, 250, 161, 94, 246, 93, 151, 230, 52, 39, 242, 203, 143, 9, 247, 149, 216, 20, 125, 35, 136, 236, 179, 222, 44, 52]
```
{% endcode %}
and compile it with qjsc
```bash
./qjsc -e -o test.c test.js
```
And we can see the results are the same as those in bytecode.bin or the question bytecode. The final step, because I forgot this was a Linux problem, i used `idapython` to automate the solution, which of course took longer than using `gdb scripting`. Here's our solver
```python
import ida_dbg
import string
def delete_all_bp():
bp_count = ida_dbg.get_bpt_qty()
if bp_count == 0:
print("No breakpoints to delete")
return
deleted = 0
while deleted != bp_count:
bpt = ida_dbg.bpt_t()
if ida_dbg.getn_bpt(0, bpt):
if ida_dbg.del_bpt(bpt.ea):
deleted += 1
else:
print(f"Failed to delete breakpoint at {hex(bpt.ea)}")
print(f"[+] Deleted {deleted} breakpoint(s)")
def overwrite_flag(flag):
start = 0x057B0B3
for i in range(36):
val = get_bytes(start+i, 1)
new_val = flag[i]
patch_byte(start+i, new_val)
target_flag = [113, 36, 205, 101, 14, 177, 115, 90, 8, 40, 238, 250, 161, 94, 246, 93, 151, 230, 52, 39, 242, 203, 143, 9, 247, 149, 216, 20, 125, 35, 136, 236, 179, 222, 44, 52]
list_addr = [
0x401EAB,
0x422F70, # string to bigint
]
# init_flag = list(b"ITSEC{0123456789abcdefghijklmnopqrs}")
# index_target = 6
init_flag = list(b"ITSEC{t123456789abcdefghijklmnopqrs}")
index_target = 7
list_char = list(("_" + string.printable[:-6]).encode())
while index_target != len(init_flag) - 1:
for bf in list_char:
delete_all_bp()
for addr in list_addr:
ida_dbg.add_bpt(addr, 1, ida_idd.BPT_DEFAULT)
ida_dbg.start_process("", "", "")
idaapi.wait_for_next_event(idaapi.WFNE_SUSP, -1)
init_flag[index_target] = bf
overwrite_flag(init_flag)
# print(bytes(init_flag))
for _ in range(6):
idaapi.continue_process()
idaapi.wait_for_next_event(idaapi.WFNE_SUSP, -1)
ida_dbg.add_bpt(0x45D9F3, 1, ida_idd.BPT_DEFAULT)
# now in set properties
idaapi.continue_process()
idaapi.wait_for_next_event(idaapi.WFNE_SUSP, -1)
for i in range(36*2):
idaapi.continue_process()
idaapi.wait_for_next_event(idaapi.WFNE_SUSP, -1)
for i in range(index_target):
idaapi.continue_process()
idaapi.wait_for_next_event(idaapi.WFNE_SUSP, -1)
idaapi.get_reg_val('RAX', rv)
rax = rv.ival
print(bytes(init_flag), rax)
if rax == target_flag[index_target]:
init_flag[index_target] = bf
index_target += 1
print(bytes(init_flag))
ida_dbg.exit_process()
idaapi.wait_for_next_event(idaapi.WFNE_SUSP, -1)
break
else:
ida_dbg.exit_process()
idaapi.wait_for_next_event(idaapi.WFNE_SUSP, -1)
```
Flag: ITSEC{th!s\_1s\_4n\_0pt1m!z33d\_v8r5i0n}
#### Dumping the opcode by modifying QuickJS code
Open `quickjs.c` and we can see that there is function named `js_dump_function_bytecode` as following
{% code title="quickjs.c" %}
```cpp
static __maybe_unused void js_dump_function_bytecode(JSContext *ctx, JSFunctionBytecode *b)
{
int i;
char atom_buf[ATOM_GET_STR_BUF_SIZE];
const char *str;
if (b->has_debug && b->debug.filename != JS_ATOM_NULL) {
str = JS_AtomGetStr(ctx, atom_buf, sizeof(atom_buf), b->debug.filename);
printf("%s:%d: ", str, b->debug.line_num);
}
str = JS_AtomGetStr(ctx, atom_buf, sizeof(atom_buf), b->func_name);
printf("function: %s%s\n", &"*"[b->func_kind != JS_FUNC_GENERATOR], str);
if (b->js_mode) {
printf(" mode:");
if (b->js_mode & JS_MODE_STRICT)
printf(" strict");
#ifdef CONFIG_BIGNUM
```
{% endcode %}
If we find reference to that function, we will see following code in function `js_create_function`
```c
#if defined(DUMP_BYTECODE) && (DUMP_BYTECODE & 1)
if (!(fd->js_mode & JS_MODE_STRIP)) {
js_dump_function_bytecode(ctx, b);
}
#endif
```
By looking at `js_dump_function_bytecode` and its reference we know that this function used for dumping the opcode of quickjs, this function is called by default if we run a javascript through `qjs` and enable the `DUMP_BYTECODE` option during compilation. So let's try to modify the Makefile and create `qjs-debug` binary.
{% code title="Makefile" %}
```diff
123c123
< CFLAGS_DEBUG=$(CFLAGS) -O0
---
> CFLAGS_DEBUG=$(CFLAGS) -O0 -DDUMP_BYTECODE
```
{% endcode %}
Then run command below
```bash
make qjs-debug
```
After compilation successful, create a javascript file such as coba.js with following contents
{% code title="coba.js" %}
```javascript
console.log(123);
```
{% endcode %}
When we run that javascript file with qjs-debug we will see the following output
Okay now we can confirm that we able to dump the `opcode` of `quickjs`, now the question is how to dump the opcodes of the given challenge? during the competition we also try to just create our own `quickjs` wrapper and compile the code and run the executable but the result is failed, we got `segmentation fault` by running it.
When we take a look on the error, we can see following error
```c
AddressSanitizer:DEADLYSIGNAL
=================================================================
==48335==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x608297edc50b bp 0x7ffd09a76c60 sp 0x7ffd09a76c20 T0)
==48335==The signal is caused by a READ memory access.
==48335==Hint: address points to the zero page.
#0 0x608297edc50b in free_bytecode_atoms /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:29369
#1 0x608297ef63fe in free_function_bytecode /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:33366
#2 0x608297e34eda in free_gc_object /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:5468
#3 0x608297e3501d in free_zero_refcount /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:5490
#4 0x608297e3533c in __JS_FreeValueRT /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:5534
#5 0x608297e354fe in __JS_FreeValue /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:5575
#6 0x608297e19150 in JS_FreeValue /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.h:651
#7 0x608297f09f61 in JS_ReadFunctionTag /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:36081
#8 0x608297f0ca89 in JS_ReadObjectRec /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:36472
#9 0x608297f09d34 in JS_ReadFunctionTag /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:36071
#10 0x608297f0ca89 in JS_ReadObjectRec /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:36472
#11 0x608297f0db53 in JS_ReadObject /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:36612
#12 0x608297fa981a in js_std_eval_binary /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs-libc.c:3976
#13 0x608297e1755b in main /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/chall.c:38
#14 0x7ca23002a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#15 0x7ca23002a28a in __libc_start_main_impl ../csu/libc-start.c:360
#16 0x608297e17344 in _start (/home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/test_program_debug+0x30344) (BuildId: d6897c7f0366acf053aab4b972668b2cbe9cb75f)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/kosong/ctf/final_itsec/re/qengine/quickjs_2/quickjs-2024-01-13/quickjs.c:29369 in free_bytecode_atoms
==48335==ABORTING
```
We can see that the error is on `free_bytecode_atoms`, so something about atoms!
If we look closer to the `js_dump_function_bytecode` we will see some information, not only `bytecode`. There is `atom`, `vardefs`, `closure`, `cpool`, and etc. We can simplify those terminology as following
* atom
* something like dictionary, used by quickjs as part of optimization technique
* vardefs
* variable declaration of current function/scope
* closure
* variable from outside function
* cpool
* constant pool, store values used in function
* bytecode
* byte that represent the logic of code/opcode
So the previous issue caused by atom, most likely because the atom is mismatch, something like we want to free atom in index 0x1337 but there is no key 0x1337 in it, so what should we free?
Until this step we know the urgency of atom and bytecode, but for vardefs, closure, and cpool actually we can fake it. How we can fake it? we know that js\_dump\_function\_bytecode is called when we run qjs binary and we know also that the dumped opcode are derived from the given javascript file which is in previous step is coba.js. So if we provide a valid coba.js with fake vardefs, closure, and cpool then it will still produce valid opcode but with "generic" information about variables.
Now we need to dump the `bytecode` and `atom` first, let's back to the original binary. Through diffing the binary with our compiled quickjs, we will found the right address to dump the bytecode
