mikepaul-LuaJIT

mirror of https://github.com/LuaJIT/LuaJIT.git synced 2025-04-19 21:43:27 +00:00

Mirror of the LuaJIT git repository

Go to file

Thibaud Labat c1bbf01932 README		2024-06-28 12:56:46 +02:00
doc	FFI: Clarify scalar boxing behavior.	2024-05-25 15:48:07 +02:00
dynasm	DynASM/x86: Add endbr instruction.	2024-01-22 19:17:45 +01:00
etc	Merge branch 'master' into v2.1	2023-08-21 03:18:35 +02:00
src	fix check_safe_func	2024-06-26 21:19:14 +02:00
.gitattributes	Add .gitattributes to dynamically resolve .relver.	2023-08-22 15:30:27 +02:00
.gitignore	RELEASE LuaJIT-2.0.0-beta1	2009-12-08 19:46:35 +01:00
.relver	Add .gitattributes to dynamically resolve .relver.	2023-08-22 15:30:27 +02:00
COPYRIGHT	Bump copyright date.	2023-08-20 21:25:30 +02:00
Makefile	Fix typo.	2023-08-22 17:06:34 +02:00
README.md	README	2024-06-28 12:56:46 +02:00

LuaJIT 2.1 - exploitation challenge

LuaJIT is a Just-In-Time (JIT) compiler for the Lua programming language.

See our commits to understand what has been modified
Programming in Lua

You need no more than basic language constructs. No fancy language feature. (The authors of this challenge had previously never written a single line of Lua)
Just-in-time compilation (Wikipedia)

Worth reading if you have never heard of Just-in-time compilation before.
Introducing LuaJIT

Explains concepts but it is slightly outdated (eg. jit.compile() does not exist anymore)
LuaJIT web inspector

Compile and inspect LuaJIT bytecode / generated Assembly
Online Assembler and Disassembler

x86_64 assembler/disassembler
You are in a sandbox
- flag is in memory
- seccomp syscall filter prevents you from just running os.execute("/bin/get_flag")
- anyway, we deleted almost every global variable
Heavy workload is required to trigger JIT compilation.

This code will not be JIT-compiled:

f = function()
  for i=0, 10, 1 do
    end
end
f()

But this code will (notice loop boundaries):

f = function()
  for i=0, 100, 1 do
    end
end
f()