
kctf2020-{第三题 寻踪觅源}

Ghidra -> Search -> For Strings

字符串里出现 quickjs, google that：这是一个可以把 JS 编译成字节码并嵌入可执行文件的 JavaScript 引擎。

编译并运行 quickjs（字节码格式随 QuickJS 版本变化，版本不匹配时字节码可能无法加载，这里取 20200119 分支）

$ git clone https://github.com/horhof/quickjs.git -b 20200119 --depth 1
$ cd quickjs
$ make
$ echo "console.log('hello')" > ctf.js
$ ./qjsc -e -o ctf.c ctf.js
$ cc ctf.c libquickjs.lto.a -o ctf
$ ./ctf
hello

check ctf.c

在 ctf.c 里可以看到 qjsc 字样的字节码数组；在 lelfei_fix.exe 中找到对应的 _qjsc_s 数据，复制其字节 -> [0x00458040 - 0x0045841b]

  • Ghidra -> Copy -> Copy Special -> Byte String

  • python3 -c "s='...';print(s.replace(' ', ', 0x'))"|clipcopy

  • vim ctf.c

/* File generated automatically by the QuickJS compiler. */

#include "quickjs-libc.h"
/* Length of the blob copied out of lelfei_fix.exe: addresses
   0x00458040..0x0045841b inclusive, i.e. 0x0045841b - 0x00458040 + 1 = 988.
   Must stay equal to the array length declared for qjsc_ctf. */
const uint32_t qjsc_ctf_size = 988;

const uint8_t qjsc_ctf[988] = {
0x02, 0x0e, 0x04, 0x75, 0x6e, 0x04, 0x73, 0x6e, 0x02, 0x73, 0x02, 0x69, 0x02, 0x6a, 0x02, 0x6b, 0x02, 0x6c, 0x02, 0x6d, 0x02, 0x6e, 0x20, 0x4b, 0x43, 0x54, 0x46, 0x32, 0x30, 0x32, 0x30, 0x51, 0x31, 0x6c, 0x65, 0x6c, 0x66, 0x65, 0x69, 0x40, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x2a, 0x14, 0x63, 0x68, 0x61, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x41, 0x74, 0x18, 0x66, 0x72, 0x6f, 0x6d, 0x43, 0x68, 0x61, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x0e, 0x00, 0x06, 0x00, 0x9e, 0x01, 0x00, 0x01, 0x00, 0x06, 0x00, 0x0b, 0x81, 0x06, 0x01, 0xa0, 0x01, 0x00, 0x00, 0x00, 0x40, 0xdf, 0x00, 0x00, 0x00, 0x00, 0x40, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x40, 0xe1, 0x00, 0x00, 0x00, 0x00, 0x40, 0xe2, 0x00, 0x00, 0x00, 0x00, 0x40, 0xe3, 0x00, 0x00, 0x00, 0x00, 0x40, 0xe4, 0x00, 0x00, 0x00, 0x00, 0x40, 0xe5, 0x00, 0x00, 0x00, 0x00, 0x40, 0xe6, 0x00, 0x00, 0x00, 0x00, 0x40, 0xe7, 0x00, 0x00, 0x00, 0x00, 0x40, 0xe2, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xdf, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xe1, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xe2, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xe3, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xe4, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xe5, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xe6, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xe7, 0x00, 0x00, 0x00, 0x00, 0x3f, 0xe2, 0x00, 0x00, 0x00, 0x00, 0x04, 0xe8, 0x00, 0x00, 0x00, 0x11, 0x3a, 0xdf, 0x00, 0x00, 0x00, 0xcb, 0x04, 0xe9, 0x00, 0x00, 0x00, 0x11, 0x3a, 0xe0, 0x00, 0x00, 0x00, 0xcb, 0xc1, 0x00, 0x11, 0x3a, 0xe6, 0x00, 0x00, 0x00, 0xcb, 0x06, 0xcb, 0xb7, 0x11, 0x3a, 0xe2, 0x00, 0x00, 0x00, 0x0e, 0x39, 0xe2, 0x00, 0x00, 0x00, 0x39, 0xdf, 0x00, 0x00, 0x00, 0xeb, 0xa5, 0xec, 0x43, 0x39, 0xe6, 0x00, 0x00, 0x00, 0xc1, 0x01, 0x9c, 0x11, 0x3a, 0xe6, 0x00, 0x00, 0x00, 0xcb, 0x39, 0xe6, 0x00, 0x00, 0x00, 0x39, 0xb0, 0x00, 0x00, 0x00, 0x39, 0xdf, 0x00, 0x00, 0x00, 0x43, 0xea, 0x00, 0x00, 
0x00, 0x39, 0xe2, 0x00, 0x00, 0x00, 0x24, 0x01, 0x00, 0xf1, 0x9f, 0x11, 0x3a, 0xe6, 0x00, 0x00, 0x00, 0xcb, 0x39, 0xe2, 0x00, 0x00, 0x00, 0x93, 0x3a, 0xe2, 0x00, 0x00, 0x00, 0x0e, 0xee, 0xb1, 0x39, 0x96, 0x00, 0x00, 0x00, 0x39, 0xe6, 0x00, 0x00, 0x00, 0xc1, 0x02, 0x9e, 0xf1, 0x11, 0x3a, 0xe5, 0x00, 0x00, 0x00, 0xcb, 0xc1, 0x03, 0x11, 0x3a, 0xe7, 0x00, 0x00, 0x00, 0xcb, 0xb7, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00, 0xcb, 0xb7, 0x11, 0x3a, 0xe4, 0x00, 0x00, 0x00, 0xcb, 0x06, 0xcb, 0xb7, 0x11, 0x3a, 0xe2, 0x00, 0x00, 0x00, 0x0e, 0x39, 0xe2, 0x00, 0x00, 0x00, 0x39, 0xe0, 0x00, 0x00, 0x00, 0xeb, 0xa5, 0x6a, 0x4c, 0x01, 0x00, 0x00, 0x39, 0xe0, 0x00, 0x00, 0x00, 0x43, 0xea, 0x00, 0x00, 0x00, 0x39, 0xe2, 0x00, 0x00, 0x00, 0x24, 0x01, 0x00, 0x11, 0x3a, 0xe3, 0x00, 0x00, 0x00, 0xcb, 0x06, 0xcb, 0x39, 0xe3, 0x00, 0x00, 0x00, 0xbf, 0x30, 0xa8, 0x11, 0xec, 0x0a, 0x0e, 0x39, 0xe3, 0x00, 0x00, 0x00, 0xbf, 0x39, 0xa6, 0x11, 0xed, 0x17, 0x0e, 0x39, 0xe3, 0x00, 0x00, 0x00, 0xbf, 0x61, 0xa8, 0x6a, 0x0c, 0x01, 0x00, 0x00, 0x39, 0xe3, 0x00, 0x00, 0x00, 0xbf, 0x66, 0xa6, 0x6a, 0xff, 0x00, 0x00, 0x00, 0x39, 0xe4, 0x00, 0x00, 0x00, 0x93, 0x3a, 0xe4, 0x00, 0x00, 0x00, 0xcb, 0x39, 0xe3, 0x00, 0x00, 0x00, 0xbf, 0x30, 0xa0, 0x11, 0x3a, 0xe3, 0x00, 0x00, 0x00, 0xcb, 0x06, 0xcb, 0x39, 0xe3, 0x00, 0x00, 0x00, 0xbf, 0x09, 0xa7, 0xec, 0x10, 0x39, 0xe3, 0x00, 0x00, 0x00, 0xbf, 0x27, 0xa0, 0x11, 0x3a, 0xe3, 0x00, 0x00, 0x00, 0xcb, 0x39, 0xe1, 0x00, 0x00, 0x00, 0xbf, 0x10, 0x9c, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00, 0xcb, 0x39, 0xe1, 0x00, 0x00, 0x00, 0x39, 0xe3, 0x00, 0x00, 0x00, 0x9f, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00, 0xcb, 0x06, 0xcb, 0x39, 0xe4, 0x00, 0x00, 0x00, 0xb9, 0x9e, 0xb7, 0xab, 0x6a, 0x89, 0x00, 0x00, 0x00, 0x39, 0xe1, 0x00, 0x00, 0x00, 0x39, 0xe5, 0x00, 0x00, 0x00, 0xb0, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00, 0xcb, 0x06, 0xcb, 0x39, 0xe1, 0x00, 0x00, 0x00, 0xbb, 0xa3, 0xbf, 0x09, 0xa7, 0x11, 0xed, 0x0d, 0x0e, 0x39, 0xe1, 0x00, 0x00, 0x00, 0xbf, 0x10, 0x9e, 0xbf, 0x09, 0xa7, 0xec, 0x0c, 0xc1, 
0x04, 0x11, 0x3a, 0xe7, 0x00, 0x00, 0x00, 0xcb, 0xee, 0x5b, 0x39, 0xe1, 0x00, 0x00, 0x00, 0xbb, 0xa3, 0xbf, 0x0a, 0x9c, 0x39, 0xe1, 0x00, 0x00, 0x00, 0xbf, 0x10, 0x9e, 0x9f, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00, 0xcb, 0x39, 0xe7, 0x00, 0x00, 0x00, 0xc1, 0x05, 0x9c, 0x11, 0x3a, 0xe7, 0x00, 0x00, 0x00, 0xcb, 0x39, 0xe7, 0x00, 0x00, 0x00, 0x39, 0xb0, 0x00, 0x00, 0x00, 0x39, 0xe1, 0x00, 0x00, 0x00, 0xf1, 0x9f, 0x11, 0x3a, 0xe7, 0x00, 0x00, 0x00, 0xcb, 0xb7, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00, 0xcb, 0xee, 0x01, 0x39, 0xe2, 0x00, 0x00, 0x00, 0x93, 0x3a, 0xe2, 0x00, 0x00, 0x00, 0x0e, 0xef, 0xa9, 0xfe, 0x06, 0xcb, 0x39, 0xe6, 0x00, 0x00, 0x00, 0x39, 0xe7, 0x00, 0x00, 0x00, 0xab, 0xec, 0x0c, 0xc1, 0x06, 0x11, 0x3a, 0xe7, 0x00, 0x00, 0x00, 0xcb, 0xee, 0x0a, 0xc1, 0x07, 0x11, 0x3a, 0xe7, 0x00, 0x00, 0x00, 0xcb, 0xc3, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00, 0xcb, 0x06, 0xcb, 0x39, 0xe7, 0x00, 0x00, 0x00, 0xc1, 0x08, 0xa7, 0xec, 0x3a, 0x39, 0xe1, 0x00, 0x00, 0x00, 0x39, 0x97, 0x00, 0x00, 0x00, 0x43, 0xeb, 0x00, 0x00, 0x00, 0x39, 0x96, 0x00, 0x00, 0x00, 0x39, 0xe7, 0x00, 0x00, 0x00, 0xc1, 0x09, 0x9e, 0xf1, 0x24, 0x01, 0x00, 0x9f, 0x11, 0x3a, 0xe1, 0x00, 0x00, 0x00, 0xcb, 0x39, 0xe7, 0x00, 0x00, 0x00, 0xc1, 0x0a, 0x9d, 0x11, 0x3a, 0xe7, 0x00, 0x00, 0x00, 0xcb, 0xee, 0xbe, 0x39, 0xec, 0x00, 0x00, 0x00, 0x39, 0xe1, 0x00, 0x00, 0x00, 0xf1, 0xcf, 0x28, 0xc2, 0x03, 0x01, 0x2b, 0x00, 0x3c, 0x01, 0x00, 0x3c, 0x06, 0x3f, 0x3f, 0x30, 0x7b, 0x4e, 0xbc, 0x49, 0x6d, 0x30, 0x2b, 0x2b, 0x8a, 0x80, 0x00, 0x34, 0x02, 0x3f, 0x4e, 0x8a, 0x4e, 0x5d, 0x53, 0x5d, 0xcb, 0x85, 0x4e, 0x7b, 0x2c, 0x0f, 0x4f, 0x85, 0x30, 0x2b, 0x3f, 0xcb, 0x4e, 0x0d, 0x0a, 0x00, 0x0a, 0x24, 0x01, 0xac, 0x0a, 0x28, 0x01, 0xfe, 0x0a, 0x00, 0x0a, 0x00, 0x0a, 0x28, 0x01, 0xc8, 0x0a, 0xe8, 0x01, 0x07, 0x44, 0xb8, 0x90, 0xb5, 0x6b, 0x67, 0x80, 0x0a, 0xe8, 0x01, 0x07, 0x34, 0xa7, 0xb8, 0x48, 0x7f, 0x8d, 0xaf, 0x0a, 0x00, 0x0a, 0x28, 0x01, 0xfe, 0x0a, 0x28, 0x01, 0xfe,
};

/*
 * Harness in the shape qjsc generates: build a raw context, register the
 * intrinsics, then hand the embedded bytecode blob to the interpreter.
 *
 * Here the blob (qjsc_ctf) was copied out of the challenge binary rather than
 * produced by our own qjsc run. The QuickJS documentation states that no
 * security check is done on bytecode before it is executed and that bytecode
 * should not be loaded from untrusted sources, so build and run this harness
 * only inside a disposable analysis environment.
 */
int main(int argc, char **argv)
{
    JSRuntime *rt = JS_NewRuntime();
    JSContext *ctx = JS_NewContextRaw(rt);

    JS_SetModuleLoaderFunc(rt, NULL, js_module_loader, NULL);

    /* A raw context starts empty; each intrinsic set is added explicitly. */
    JS_AddIntrinsicBaseObjects(ctx);
    JS_AddIntrinsicDate(ctx);
    JS_AddIntrinsicEval(ctx);
    JS_AddIntrinsicStringNormalize(ctx);
    JS_AddIntrinsicRegExp(ctx);
    JS_AddIntrinsicJSON(ctx);
    JS_AddIntrinsicProxy(ctx);
    JS_AddIntrinsicMapSet(ctx);
    JS_AddIntrinsicTypedArrays(ctx);
    JS_AddIntrinsicPromise(ctx);
    JS_AddIntrinsicBigInt(ctx);

    js_std_add_helpers(ctx, argc, argv);

    /* flags == 0: the blob is loaded and then run, which is why the binary
       prints the script's own output ("Error..." in this write-up). */
    js_std_eval_binary(ctx, qjsc_ctf, qjsc_ctf_size, 0);
    js_std_loop(ctx);

    JS_FreeContext(ctx);
    JS_FreeRuntime(rt);
    return 0;
}

编译 ctf.c

$ cc ctf.c libquickjs.lto.a -o ctf
$ ./ctf
Error...

修改 quickjs.c, 使其在读取字节码时输出 byte_code（反汇编）

diff --git a/quickjs.c b/quickjs.c
index b19a4d9..9a3f483 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -82,7 +82,7 @@
16: dump bytecode in hex
32: dump line number table
*/
-//#define DUMP_BYTECODE (1)
+#define DUMP_BYTECODE (1)
/* dump the occurence of the automatic GC */
//#define DUMP_GC
/* dump objects freed by the garbage collector */
@@ -96,7 +96,7 @@
//#define DUMP_SHAPES /* dump shapes in JS_FreeContext */
//#define DUMP_MODULE_RESOLVE
//#define DUMP_PROMISE
-//#define DUMP_READ_OBJECT
+#define DUMP_READ_OBJECT

/* test the GC by forcing it before each object allocation */
//#define FORCE_GC_AT_MALLOC
@@ -33897,6 +33897,9 @@ static JSValue JS_ReadObjectRec(BCReaderState *s)
bc_read_trace(s, "}\n");
}
bc_read_trace(s, "}\n");
+#if DUMP_BYTECODE
+ js_dump_function_bytecode(ctx, b);
+#endif
}
break;
case BC_TAG_MODULE:
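Review bot: The added guard `#if DUMP_BYTECODE` in JS_ReadObjectRec treats the macro as a plain on/off switch, while the comment in the first hunk documents it as a bit mask (16 for the hex dump, 32 for the line table), so any non-zero value disassembles every function read from a blob; `#if defined(DUMP_BYTECODE) && (DUMP_BYTECODE & 1)` would be the narrower test, assuming bit 1 is the final-bytecode bit (the top of that comment is outside the hunk). The dump only adds output: the harness on this page still calls `js_std_eval_binary(ctx, qjsc_ctf, qjsc_ctf_size, 0)`, so the recovered blob is executed after it is printed, and QuickJS documents that bytecode is not checked before execution, which makes this an analysis-VM-only build. A one-line comment above the `#if`, for example `/* analysis build only: disassemble each function as it is deserialized */`, would keep the local patch from being mistaken for upstream code. The enclosing case body starts above the hunk.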

重新编译运行 ctf.c, 得到输出信息

$ make
$ cc ctf.c libquickjs.lto.a -o ctf
$ ./ctf
0000: 02 0e 14 atom indexes {
0002: 04 75 6e string: 1"un"
0005: 04 73 6e string: 1"sn"
0008: 02 73 string: 1"s"
000a: 02 69 string: 1"i"
000c: 02 6a string: 1"j"
000e: 02 6b string: 1"k"
0010: 02 6c string: 1"l"
0012: 02 6d string: 1"m"
0014: 02 6e string: 1"n"
0016: 20 4b 43 54 46 32 30 32
30 51 31 6c 65 6c 66 65
69 string: 1"KCTF2020Q1lelfei"
0027: 40 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a 2a 2a 2a
2a 2a 2a 2a 2a 2a 2a 2a
2a string: 1"********************************"
0048: 14 63 68 61 72 43 6f 64
65 41 74 string: 1"charCodeAt"
0053: 18 66 72 6f 6d 43 68 61
72 43 6f 64 65 string: 1"fromCharCode"
0060: 0a 70 72 69 6e 74 string: 1"print"
}
0066: 0e function {
0067: 00 06 00 9e 01 00 01 00
06 00 0b 81 06 01 name: "<eval>"
args=0 vars=1 defargs=0 closures=0 cpool=11
stack=6 bclen=769 locals=1
vars {
0075: a0 01 00 00 00 name: "<ret>"
}
bytecode {
007a: 40 df 00 00 00 00 40 e0
00 00 00 00 40 e1 00 00
00 00 40 e2 00 00 00 00
40 e3 00 00 00 00 40 e4
00 00 00 00 40 e5 00 00
00 00 40 e6 00 00 00 00
40 e7 00 00 00 00 40 e2
00 00 00 00 3f df 00 00
00 00 3f e0 00 00 00 00
3f e1 00 00 00 00 3f e2
00 00 00 00 3f e3 00 00
00 00 3f e4 00 00 00 00
3f e5 00 00 00 00 3f e6
00 00 00 00 3f e7 00 00
00 00 3f e2 00 00 00 00
04 e8 00 00 00 11 3a df
00 00 00 cb 04 e9 00 00
00 11 3a e0 00 00 00 cb
c1 00 11 3a e6 00 00 00
cb 06 cb b7 11 3a e2 00
00 00 0e 39 e2 00 00 00
39 df 00 00 00 eb a5 ec
43 39 e6 00 00 00 c1 01
9c 11 3a e6 00 00 00 cb
39 e6 00 00 00 39 b0 00
00 00 39 df 00 00 00 43
ea 00 00 00 39 e2 00 00
00 24 01 00 f1 9f 11 3a
e6 00 00 00 cb 39 e2 00
00 00 93 3a e2 00 00 00
0e ee b1 39 96 00 00 00
39 e6 00 00 00 c1 02 9e
f1 11 3a e5 00 00 00 cb
c1 03 11 3a e7 00 00 00
cb b7 11 3a e1 00 00 00
cb b7 11 3a e4 00 00 00
cb 06 cb b7 11 3a e2 00
00 00 0e 39 e2 00 00 00
39 e0 00 00 00 eb a5 6a
4c 01 00 00 39 e0 00 00
00 43 ea 00 00 00 39 e2
00 00 00 24 01 00 11 3a
e3 00 00 00 cb 06 cb 39
e3 00 00 00 bf 30 a8 11
ec 0a 0e 39 e3 00 00 00
bf 39 a6 11 ed 17 0e 39
e3 00 00 00 bf 61 a8 6a
0c 01 00 00 39 e3 00 00
00 bf 66 a6 6a ff 00 00
00 39 e4 00 00 00 93 3a
e4 00 00 00 cb 39 e3 00
00 00 bf 30 a0 11 3a e3
00 00 00 cb 06 cb 39 e3
00 00 00 bf 09 a7 ec 10
39 e3 00 00 00 bf 27 a0
11 3a e3 00 00 00 cb 39
e1 00 00 00 bf 10 9c 11
3a e1 00 00 00 cb 39 e1
00 00 00 39 e3 00 00 00
9f 11 3a e1 00 00 00 cb
06 cb 39 e4 00 00 00 b9
9e b7 ab 6a 89 00 00 00
39 e1 00 00 00 39 e5 00
00 00 b0 11 3a e1 00 00
00 cb 06 cb 39 e1 00 00
00 bb a3 bf 09 a7 11 ed
0d 0e 39 e1 00 00 00 bf
10 9e bf 09 a7 ec 0c c1
04 11 3a e7 00 00 00 cb
ee 5b 39 e1 00 00 00 bb
a3 bf 0a 9c 39 e1 00 00
00 bf 10 9e 9f 11 3a e1
00 00 00 cb 39 e7 00 00
00 c1 05 9c 11 3a e7 00
00 00 cb 39 e7 00 00 00
39 b0 00 00 00 39 e1 00
00 00 f1 9f 11 3a e7 00
00 00 cb b7 11 3a e1 00
00 00 cb ee 01 39 e2 00
00 00 93 3a e2 00 00 00
0e ef a9 fe 06 cb 39 e6
00 00 00 39 e7 00 00 00
ab ec 0c c1 06 11 3a e7
00 00 00 cb ee 0a c1 07
11 3a e7 00 00 00 cb c3
11 3a e1 00 00 00 cb 06
cb 39 e7 00 00 00 c1 08
a7 ec 3a 39 e1 00 00 00
39 97 00 00 00 43 eb 00
00 00 39 96 00 00 00 39
e7 00 00 00 c1 09 9e f1
24 01 00 9f 11 3a e1 00
00 00 cb 39 e7 00 00 00
c1 0a 9d 11 3a e7 00 00
00 cb ee be 39 ec 00 00
00 39 e1 00 00 00 f1 cf
28 at 1, fixup atom: un
at 7, fixup atom: sn
at 13, fixup atom: s
at 19, fixup atom: i
at 25, fixup atom: j
at 31, fixup atom: k
at 37, fixup atom: l
at 43, fixup atom: m
at 49, fixup atom: n
at 55, fixup atom: i
at 61, fixup atom: un
at 67, fixup atom: sn
at 73, fixup atom: s
at 79, fixup atom: i
at 85, fixup atom: j
at 91, fixup atom: k
at 97, fixup atom: l
at 103, fixup atom: m
at 109, fixup atom: n
at 115, fixup atom: i
at 121, fixup atom: KCTF2020Q1lelfei
at 127, fixup atom: un
at 133, fixup atom: "********************************"
at 139, fixup atom: sn
at 148, fixup atom: m
at 158, fixup atom: i
at 164, fixup atom: i
at 169, fixup atom: un
at 178, fixup atom: m
at 187, fixup atom: m
at 193, fixup atom: m
at 198, fixup atom: BigInt
at 203, fixup atom: un
at 208, fixup atom: charCodeAt
at 213, fixup atom: i
at 224, fixup atom: m
at 230, fixup atom: i
at 236, fixup atom: i
at 244, fixup atom: Number
at 249, fixup atom: m
at 259, fixup atom: l
at 268, fixup atom: n
at 276, fixup atom: s
at 284, fixup atom: k
at 294, fixup atom: i
at 300, fixup atom: i
at 305, fixup atom: sn
at 317, fixup atom: sn
at 322, fixup atom: charCodeAt
at 327, fixup atom: i
at 336, fixup atom: j
at 344, fixup atom: j
at 356, fixup atom: j
at 368, fixup atom: j
at 381, fixup atom: j
at 394, fixup atom: k
at 400, fixup atom: k
at 406, fixup atom: j
at 415, fixup atom: j
at 423, fixup atom: j
at 433, fixup atom: j
at 442, fixup atom: j
at 448, fixup atom: s
at 457, fixup atom: s
at 463, fixup atom: s
at 468, fixup atom: j
at 475, fixup atom: s
at 483, fixup atom: k
at 497, fixup atom: s
at 502, fixup atom: l
at 509, fixup atom: s
at 517, fixup atom: s
at 531, fixup atom: s
at 547, fixup atom: n
at 555, fixup atom: s
at 565, fixup atom: s
at 575, fixup atom: s
at 581, fixup atom: n
at 590, fixup atom: n
at 596, fixup atom: n
at 601, fixup atom: BigInt
at 606, fixup atom: s
at 614, fixup atom: n
at 622, fixup atom: s
at 630, fixup atom: i
at 636, fixup atom: i
at 647, fixup atom: m
at 652, fixup atom: n
at 663, fixup atom: n
at 674, fixup atom: n
at 682, fixup atom: s
at 690, fixup atom: n
at 700, fixup atom: s
at 705, fixup atom: String
at 710, fixup atom: fromCharCode
at 715, fixup atom: Number
at 720, fixup atom: n
at 734, fixup atom: s
at 740, fixup atom: n
at 749, fixup atom: n
at 757, fixup atom: print
at 762, fixup atom: s
}
debug {
037b: c2 03 01 2b 00 3c 01 00
3c 06 3f 3f 30 7b 4e bc
49 6d 30 2b 2b 8a 80 00
34 02 3f 4e 8a 4e 5d 53
5d cb 85 4e 7b 2c 0f 4f
85 30 2b 3f cb 4e 0d filename: s
}
cpool {
03aa: 0a bigint {
03ab: 00 }
03ac: 0a bigint {
03ad: 24 01 len=1
03af: ac }
03b0: 0a bigint {
03b1: 28 01 len=1
03b3: fe }
03b4: 0a bigint {
03b5: 00 }
03b6: 0a bigint {
03b7: 00 }
03b8: 0a bigint {
03b9: 28 01 len=1
03bb: c8 }
03bc: 0a bigint {
03bd: e8 01 07 len=7
03c0: 44 b8 90 b5 6b 67 80 }
03c7: 0a bigint {
03c8: e8 01 07 len=7
03cb: 34 a7 b8 48 7f 8d af }
03d2: 0a bigint {
03d3: 00 }
03d4: 0a bigint {
03d5: 28 01 len=1
03d7: fe }
03d8: 0a bigint {
03d9: 28 01 len=1
03db: fe }
}
}
s:1: function: <eval>
locals:
0: var <ret>
stack_size: 6
opcodes:
check_define_var un,0
check_define_var sn,0
check_define_var s,0
check_define_var i,0
check_define_var j,0
check_define_var k,0
check_define_var l,0
check_define_var m,0
check_define_var n,0
check_define_var i,0
define_var un,0
define_var sn,0
define_var s,0
define_var i,0
define_var j,0
define_var k,0
define_var l,0
define_var m,0
define_var n,0
define_var i,0
push_atom_value KCTF2020Q1lelfei
dup
put_var un
put_loc0 0: "<ret>"
push_atom_value "********************************"
dup
put_var sn
put_loc0 0: "<ret>"
push_const8 0: 0n
dup
put_var m
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
push_0 0
dup
put_var i
drop
163: get_var i
get_var un
get_length
lt
if_false8 243
get_var m
push_const8 1: 43n
mul
dup
put_var m
put_loc0 0: "<ret>"
get_var m
get_var BigInt
get_var un
get_field2 charCodeAt
get_var i
call_method 1
call1 1
add
dup
put_var m
put_loc0 0: "<ret>"
get_var i
post_inc
put_var i
drop
goto8 163
243: get_var Number
get_var m
push_const8 2: 127n
mod
call1 1
dup
put_var l
put_loc0 0: "<ret>"
push_const8 3: 0n
dup
put_var n
put_loc0 0: "<ret>"
push_0 0
dup
put_var s
put_loc0 0: "<ret>"
push_0 0
dup
put_var k
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
push_0 0
dup
put_var i
drop
299: get_var i
get_var sn
get_length
lt
if_false 644
get_var sn
get_field2 charCodeAt
get_var i
call_method 1
dup
put_var j
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
get_var j
push_i8 48
gte
dup
if_false8 363
drop
get_var j
push_i8 57
lte
363: dup
if_true8 388
drop
get_var j
push_i8 97
gte
if_false 644
get_var j
push_i8 102
lte
388: if_false 644
get_var k
post_inc
put_var k
put_loc0 0: "<ret>"
get_var j
push_i8 48
sub
dup
put_var j
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
get_var j
push_i8 9
gt
if_false8 447
get_var j
push_i8 39
sub
dup
put_var j
put_loc0 0: "<ret>"
447: get_var s
push_i8 16
mul
dup
put_var s
put_loc0 0: "<ret>"
get_var s
get_var j
add
dup
put_var s
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
get_var k
push_2 2
mod
push_0 0
eq
if_false 629
get_var s
get_var l
xor
dup
put_var s
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
get_var s
push_4 4
sar
push_i8 9
gt
dup
if_true8 541
drop
get_var s
push_i8 16
mod
push_i8 9
gt
541: if_false8 554
push_const8 4: 0n
dup
put_var n
put_loc0 0: "<ret>"
goto8 644
554: get_var s
push_4 4
sar
push_i8 10
mul
get_var s
push_i8 16
mod
add
dup
put_var s
put_loc0 0: "<ret>"
get_var n
push_const8 5: 100n
mul
dup
put_var n
put_loc0 0: "<ret>"
get_var n
get_var BigInt
get_var s
call1 1
add
dup
put_var n
put_loc0 0: "<ret>"
push_0 0
dup
put_var s
put_loc0 0: "<ret>"
goto8 629
629: get_var i
post_inc
put_var i
drop
goto16 299
644: undefined
put_loc0 0: "<ret>"
get_var m
get_var n
eq
if_false8 670
push_const8 6: 18071254662143010n
dup
put_var n
put_loc0 0: "<ret>"
goto8 679
670: push_const8 7: 24706849372394394n
dup
put_var n
put_loc0 0: "<ret>"
679: push_empty_string
dup
put_var s
put_loc0 0: "<ret>"
undefined
put_loc0 0: "<ret>"
689: get_var n
push_const8 8: 0n
gt
if_false8 756
get_var s
get_var String
get_field2 fromCharCode
get_var Number
get_var n
push_const8 9: 127n
mod
call1 1
call_method 1
add
dup
put_var s
put_loc0 0: "<ret>"
get_var n
push_const8 10: 127n
div
dup
put_var n
put_loc0 0: "<ret>"
goto8 689
756: get_var print
get_var s
call1 1
set_loc0 0: "<ret>"
return

Error...

根据输出的 opcode 列表手工还原出等价的 js

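// Hand-reconstructed source for the <eval> function in the QuickJS dump.
// Variable names are the atom names from the dump; `var` and `==` are kept
// because the bytecode uses define_var and the loose `eq` opcode.
//
// Check performed by the script:
//   m = user name read as a base-43 number over its char codes (BigInt)
//   l = m % 127, used as a one-byte XOR key
//   n = serial decoded two hex chars at a time: byte ^ l must be a BCD byte,
//       and each BCD byte contributes two decimal digits
//   the serial is accepted when n equals m
var un, sn, s, i, j, k, l, m, n;
un = "KCTF2020Q1lelfei";
sn = "********************************";

m = 0n;
for (i = 0; i < un.length; i++) {
  m = m * 43n;
  m = m + BigInt(un.charCodeAt(i));
}
l = Number(m % 127n);

n = 0n;
s = 0; // accumulates the current byte, one nibble per accepted character
k = 0; // number of hex characters consumed so far
for (i = 0; i < sn.length; i++) {
  j = sn.charCodeAt(i);
  // Only '0'-'9' (48-57) and lowercase 'a'-'f' (97-102) are accepted;
  // any other character ends parsing.
  if ((j >= 48 && j <= 57) || (j >= 97 && j <= 102)) {
    k++;
    j = j - 48;
    if (j > 9) {
      j = j - 39; // 'a'..'f' -> 10..15
    }
    s = s * 16;
    s = s + j;
    if (k % 2 == 0) {
      // A full byte has been read: remove the XOR key and require BCD.
      s = s ^ l;
      if ((s >> 4) > 9 || (s % 16) > 9) {
        // The dump pushes the BigInt constant 0n here (cpool entry 4),
        // so n stays a BigInt on this path as well.
        n = 0n;
        break;
      }
      s = (s >> 4) * 10 + (s % 16);
      n = n * 100n;
      n = n + BigInt(s);
      s = 0;
    }
  } else {
    break;
  }
}

// Both result messages are stored as base-127 numbers, least significant
// character first. The mismatch constant decodes to "Error...".
if (m == n) {
  n = 18071254662143010n;
} else {
  n = 24706849372394394n;
}
s = "";
while (n > 0n) {
  s = s + String.fromCharCode(Number(n % 127n));
  n = n / 127n;
}
// The original bytecode calls QuickJS's global print(); console.log stands in
// for it so the reconstruction also runs outside qjs.
console.log(s);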

解出sn：校验要求 n == m，所以把 m 的十进制表示每两位一组按 BCD 编码成一个字节，再与 l 异或，输出为两位十六进制即可

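def hex2dec(s):
    """Pack a two-digit decimal value (0-99) as a BCD byte.

    The tens digit goes into the high nibble and the units digit into the low
    nibble, e.g. 12 -> 0x12. This is the inverse of the checker's
    `(s >> 4) * 10 + (s % 16)` step.
    """
    return (s//10)*16 + (s % 10)


# Serial generator matching the reconstructed check: the serial is the decimal
# representation of m, two digits per byte in BCD, each byte XORed with l.
sn = ""
un = 'KCTF'*4

# m: user name read as a base-43 number over its character codes.
m = 0
for i in un:
    m = m*43 + ord(i)

# l: one-byte XOR key, same derivation as in the checker (m % 127).
l = m % 127

# Peel decimal digit pairs off the low end and prepend them, so the most
# significant pair ends up first in the serial. m is consumed by this loop.
while m > 0:
    s = m % 100
    m = m//100
    sn = "%02x" % (l ^ hex2dec(s)) + sn
print(sn)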
