[hackme.inndy.tw] Reversing wp

最近看书看的没有状态,好无聊…边做点简单的re题边看书学习吧

helloworld

  • 输入数字314159265就完事….

simple

  • 对需要比较的那个字符串ascii码减1便是flag

exp:

# -*- coding: utf-8 -*-
# The binary compares the input against a constant in which every flag
# character was shifted up by one code point.  A fixed shift is encoding, not
# protection: whoever can read the constant recovers the secret by undoing it.
a = "UIJT.JT.ZPVS.GMBH"

# Shift every character back down by one to undo the encoding.
b = "".join(chr(ord(ch) - 1) for ch in a)

print(b)

passthis

  • 这题先要去他的url下载一个图片(需要梯子),改名为wall.jpg程序才能跑下去,然后就是一个异或的事了

exp:

# -*- coding: utf-8 -*-
# Bytes copied out of the binary.  They are the flag XORed with the single
# constant 0x87; a one-byte XOR key embedded next to the data offers no
# confidentiality once the program can be disassembled.
a = [0xc1, 0xcb, 0xc6, 0xc0, 0xfc, 0xc9, 0xe8, 0xab, 0xa7, 0xde,
     0xe8, 0xf2, 0xa7, 0xf4, 0xef, 0xe8, 0xf2, 0xeb, 0xe3, 0xa7,
     0xe9, 0xe8, 0xf3, 0xa7, 0xf7, 0xe6, 0xf4, 0xf4, 0xa7, 0xf3,
     0xef, 0xe2, 0xa7, 0xe1, 0xeb, 0xe6, 0xe0, 0xfa]

# XOR is its own inverse, so applying the same key again yields the text.
b = "".join(chr(value ^ 0x87) for value in a)

print(b)
  • 这里补充一个ida copy数据出来的小技巧

  • 可以看到我们需要的数据就出现在Output窗口了

pyyy

  • 下载下来的是一个pyc文件,用在线的反编译效果很差不能运行,这里用uncompyle6反编译的效果不错,可以直接运行,然后程序是需要我们每次输入的字符跟l相等,直接把这部分check的代码给注释掉即可输出flag
# Per-round check from the decompiled script (Python 2: raw_input).
# `i` is the round number, `l` the value the script itself has just computed
# and `z` the list of accepted values.  Because the expected answer is
# computed locally before the prompt, the prompt adds no secrecy.
answer = raw_input('Channenge #%d:' % i)
if l != int(answer):
    print('Wrong~')
    exit()
z.append(l)

exp:

# The decompiled original raises the recursion limit because its recursive
# lambdas nest tens of thousands of frames deep.  A limit this high removes the
# interpreter's guard: runaway recursion can then exhaust the C stack and crash
# the process instead of raising an exception.
import sys

sys.setrecursionlimit(1048576)
data = 'Tt1PJbKTTP+nCqHvVwojv9K8AmPWx1q1UCC7yAxMRIpddAlH+oIHgTET7KHS1SIZshfo2DOu8dUt6wORBvNVBpUSsuHa0S78KG+SCQtB2lr4c1RPbMf0nR9SeSm1ptEY37y310SJMY28u6m4Y44qniGTi39ToHRTyxwsbHVuEjf480eeYAfSVvpWvS8Oy2bjvy0QMVEMSkyJ9p1QlGgyg3mUnNCpSb96VgCaUe4aFu4YbOnOV3HUgYcgXs7IcCELyUeUci7mN8HSvNc93sST6mKl5SDryngxuURkmqLB3azioL6MLWZTg69j6dflQIhr8RvOLNwRURYRKa1g7CKkmhN4RytXn4nyK2UM/SoR+ntja1scBJTUo0I31x1wBJpT4HjDN47FLQWIkRW+2wnB3eEwO5+uSiQpzA8VaH7VGRrlU/BFW4GqbaepzKPLdXQFBkNyBKzqzR/zA2GIrYbLIVScWJ19DqJCOyVLGeVIVXyzN1y327orYL2Ee3lRITnE3FouicRStaznIcw8xmxvukwVMRZIJ/vTu8Zc1WQIYEIFXMHozGuvzZgROZTyFihWNRCBBtoP9DJJALJb0pA1IKIb2zLh+pwGF40Y6y93D6weKejGPO+A0DBXH9vuLcCcCIvr/XPQhO3jLKCBN+h9unuJKW3dyWxyaVPdR2V+BTw10VXolo7yaTH1GbR4TiVSB308mBOMwfchwihEe7RdMXvmXgaGarKkJe0NLUCd8jwhYII+WymjxO/xOz/ppOvNfAyIQksW0sggRPQTlgXSZ7MIVA1h66sGNljJ833MoFzWof3azLabaz1OrAJFqYXBg/myDsy1tV6rULSQ82hVR/TNnSmBGvyEDJTrLSwHyj78NOrW4mUnlLGBnAgWfw6pW2lRK2jkNX9NM6DfLsRK8lwl85UP8CZSuNdcLmLwHTVMZGm/cNkZCtWRBlZqEggxGdIO44D+f4y6ysnAk5/QzEwjIuecxEOb0jyV6dFui8g0c3Oxlhzcli0X8ToJFyeQRv1N9nokYZ07tFlG6m18kCToKz1qiH1U7kljXa6SvdORur5dWYLQ//gwhwppe7JlNda/cEoh92h96wRZDv1dSK/f1vz+mUeUyUlFY0iMjfw5eBXWZppNZi3ZtJcq5kllM2ACVFcxQWI3azM3ArOcqjosoiPjNoDYgKh7w4k2Cd0kLYEHscz/njtJ1KEcwLtqs4nJ+gB2r4V9g03YgvY5E8JJtfJMKdaTedjtvEuif8FNlCK9DMnL1iLpWptJbdfO83Y7Y46XCqjZFBI5o9Qtb78nLhMEM5/YTaNOM/wE/oJl5HI/i1X6kW3PKCsVubRkOkc2xawl6NYdLETjLvmrGhhI'
a = 138429774382724799266162638867586769792748493609302140496533867008095173455879947894779596310639574974753192434052788523153034589364467968354251594963074151184337695885797721664543377136576728391441971163150867881230659356864392306243566560400813331657921013491282868612767612765572674016169587707802180184907L
b = 166973306488837616386657525560867472072892600582336170876582087259745204609621953127155704341986656998388476384268944991674622137321564169015892277394676111821625785660520124854949115848029992901570017003426516060587542151508457828993393269285811192061921777841414081024007246548176106270807755753959299347499L
c = 139406975904616010993781070968929386959137770161716276206009304788138064464003872600873092175794194742278065731836036319691820923110824297438873852431436552084682500678960815829913952504299121961851611486307770895268480972697776808108762998982519628673363727353417882436601914441385329576073198101416778820619L
d = 120247815040203971878156401336064195859617475109255488973983177090503841094270099798091750950310387020985631462241773194856928204176366565203099326711551950860726971729471331094591029476222036323301387584932169743858328653144427714133805588252752063520123349229781762269259290641902996030408389845608487018053L
e = 104267926052681232399022097693567945566792104266393042997592419084595590842792587289837162127972340402399483206179123720857893336658554734721858861632513815134558092263747423069663471743032485002524258053046479965386191422139115548526476836214275044776929064607168983831792995196973781849976905066967868513707L
# The five large constants defined above, in the order the rounds use them.
F = (a, b, c, d, e)
# m is the exponent and g the modulus of the pow(f, m, g) call made for every
# entry of F; g also feeds the final index computation.  The trailing `L`
# marks a Python 2 long literal (a syntax error on Python 3).
m = 8804961678093749244362737710317041066205860704668932527558424153061050650933657852195829452594083176433024286784373401822915616916582813941258471733233011L
g = 67051725181167609293818569777421162357707866659797065037224862389521658445401L
# Collects the expected answer of each round.
z = []
# One round per base in F.  The decompiled script computed the expected answer
# with a Y-combinator lambda, f(x) = 1 if x < 2 else f(x - 1) * x % n, called
# with x = g % 27777.  That is a factorial reduced modulo n at every step; it
# is written here as a plain loop, which yields the same value without deep
# recursion.
for i, f in enumerate(F):
    n = pow(f, m, g)
    this_is = 'Y-Combinator'  # label kept from the decompiled source
    l = 1
    for k in range(2, g % 27777 + 1):
        l = l * k % n
    # The interactive prompt that compared int(raw_input()) with l is left
    # out; the expected value is recorded directly.
    z.append(l)

z.sort()
gg = '(flaSg\'7 \\h#GiQwt~66\x0csxCN]4sT{? Zx YCf6S>|~`\x0c$/}\'\r:4DjJFvm]([sP%FMY"@=YS;CQ7T#zx42#$S_j0\\Lu^N31=r\x0b\t\tjVhhb_KM$|6]\nl!:V\rx8P[0m ;ho_\rR(0/~9HgE8!ec*AsGd[e|2&h!}GLGt\'=$\x0cbKFMnbez-q\\`I~];@$y#bj9K0xmI2#8 sl^gBNL@fUL\x0b\\9Ohf]c>Vj/>rnWXgLP#<+4$BG@,\'n a_7C:-}f(WO8Y\x0c2|(nTP!\'\\>^\'}-7+AwBV!w7KUq4Qpg\tf.}Z7_!m+ypy=`3#\\=?9B4=?^}&\'~ Z@OH8\n0=6\x0b\tv\nl!G\'y4dQW5!~g~I*f"rz1{qQH{G9\x0c\'b\x0cp\x0bdu!2/\\@i4eG"If0A{-)N=6GMC<U5/ds\rG&z>P1\nsq=5>dFZUWtjv\tX~^?9?Irwx\\5A!32N\x0bcVkx!f)sVY Men\x0c\'ujN<"LJ\x0c5R4"\\\\XPVA\'m$~tj)Br}C}&kX2<|\np3XtaHB.P\'(E 4$dm!uDyC%u ["x[VYw=1aDJ (8V/a!J?`_r:n7J88!a25AZ]#,ab?{%e\x0b]wN_}*Q:mh>@]u\t&6:Z*Fmr?U`cOHbAf7s@&5~L ,\tQ18 -Hg q2nz%\x0ccUm=dz&h1(ozoZ)mrA=`HKo\n\'rXm}Z-l3]WgN\\NW<{o=)[V({7<N1.-A8S"=;3sderb\tOZ$K\r0o/5\x0bMc76EGCWJ3IQpr7!QhbgzX8uGe3<w-g\'/j\'\tM4|9l?i&tm_\n57X0B2rOpuB@H@%L_\r)&/q=LZa(%}""#if#Kq74xK?`jGFOn"8&^3Q-\r#]E$=!b^In0:$4VKPXP0UK=IK)Y\rstOT40=?DyHor8j7O\\r/~ncJ5];cCT)c?OS0EM5m#V(-%"Tu:!UsE],0Dp s@HErS]J{%oH54B&(zE.(@5#2k\tJnNlnUEij\\.q/3HBpJNk*X(k5;DlqK\'\'fX\r}EBk_7\x0b:>8~\t+M@WJx.PO({/U}1}#TqjreG\nN{\rX>4EsJr0Pn\\Z\\aL/-U<<{,Q;j\tF=7f\')+wH:p{G=_.s\\t-\x0bI\x0c*y\t1P:Y|/2xE<uo]~$>5k]FW+>fR<QA"(Fj[LL(hzfQo#PJ;:*0kB~3]9uL[o.xue:VQ\t;9-Tu\tq|mzzhV_okP\t,d\rQ`]5Gf\x0c#gXB\x0cAH|)NI|K=KW-&p-<b"3e.rO\x0cuK=\x0c^\r+MuLxCJ`UKaD\x0bBH&n+YVajZ(U7pwWtto3T10VLHwSJ\rK\t}\'F$l1:b2Bd\na=#t0iq}#!{1_)w$}<Dp(borC\'\t?r6;,+k;a(Q3@B?RCWYEDrjZe![x=n_%S]rl{&fLr*mgCD;92/nNsaxKy/;\nr]sPK=`+YP>MmfB\n8O4/"}nE7r*=41f2\t37>K\'s$wpl;qS[`qzu\x0b\t\nuaU|b,C`4& dRN~]7DnuTb2FhNHV!#Z2Hho\x0b[%.{O\t$q0\x0ch_@?w@b8[I^{JL|O8]i8{p)A.w)14qK3JoyF%licZ~ga\rW[L:W\rtIvfWJjZUOvB\rS.Beav3!-@bw|PexJ Pcw1\ry6!63B}]J])6fak/3r]W\tMeXt[uc(1_U lys{a1X\r%)[wwP3rhgNW{*d~_E%Q2htCt5ha@l0^0=\x0bwT\ni4/V;_\nM1rb?w~Q)Dli4u\n`}1+D8"\t`@V~$9l$Uy**VnI 
(@Ga0<RxfmoNgJTtE-aLH\rE5fMy7rk$)V\rL2Fv/AivOa"\nuX|70Xrw^D]%i%JyT\x0cc%cwZ/Wbp=IiY;/@nFEe>3=tM;K*`fReGoc5V/Ri?nXZ-RW)\'\t<\x0cV>@X@-Ei4%sO%},B_pjc`s"@oKCmdgDhjUZT@?mb\'?Q:F\x0bLJkPgjaFAc=rbrjAz$Zz\x0cq0GU!")xFOEF(x!3M\t:l83|}}HgGJJ#eT/I\x0b[|lK_n+;Wi/N^B4LzL.a(gVWq,zO6\'S|tb>RX` ca*CO<w\x0ci =wc1,M~\x0bc`FYEs\r){+Ll8[I9-88m\t\\iK/\\hno-C[vX*3Hx:%:K\rt\x0cW!tj\'SOhqxP|k7cw Hm?I@?P\'HmapG7$0#T(Auz]sjmd#\rFP/}53@-Kvmi(d%dZKLZ2LK\'e_E\x0bQmR 5/(irq4-EUyp<hB?[\tnU:p*xuzASM'
# Build and print the final message (Python 2 print statement).
# Left operand: 16 characters of gg taken at the indices produced by the
# recurrence f(n) = 1 if n < 3 else f(n - 1) + f(n - 2) for n = i + 2
# (1, 2, 3, 5, 8, ...); the joined result is used as a %-format string.
# Right operand: 32 characters of data, each at index
# pow((gcd(z[i % 5], z[(i + 1) % 5]) * 2 + 1) * g, F[i % 5] * (i * 2 + 1), len(data)).
# NOTE: fractions.gcd exists only on older interpreters (removed in
# Python 3.9; math.gcd is the replacement there).
print ('').join((gg[(lambda f: (lambda x: x(x))(lambda y: f(lambda *args: y(y)(*args))))(lambda f: lambda n: 1 if n < 3 else f(n - 1) + f(n - 2))(i + 2)] for i in range(16))) % ('').join((data[pow((__import__('fractions').gcd(z[i % 5], z[(i + 1) % 5]) * 2 + 1) * g, F[i % 5] * (i * 2 + 1), len(data))] for i in range(32)))

accumulator

  • 程序会对sha512(input) + input的字符串调用check函数,gdb调试就会发现check函数是对字符串逐字节相加然后每加一次就会与dict数组的数进行比较,不相等就会退出,所以直接对数组相邻的数做差就能直接得到sha512(flag) + flag的字符串

exp:

a = [0x00c3, 0x00ff, 0x01ed, 0x0248, 0x031f, 0x03a1, 0x03b2, 0x043e, 0x049c, 0x04a0, 0x058d, 0x063b, 0x070d, 0x0736, 0x0821, 0x0910, 0x097e, 0x0a2d, 0x0aa7, 0x0b9c, 0x0c8d, 0x0d4b, 0x0d5a, 0x0e41, 0x0e80, 0x0f6e, 0x0f95, 0x1061, 0x1084, 0x112a, 0x11ab, 0x1210, 0x1262, 0x1347, 0x1387, 0x13d0, 0x13f2, 0x14ab, 0x1586, 0x15a0, 0x160c, 0x1677, 0x1769, 0x17e6, 0x17ee, 0x1836, 0x1843, 0x190a, 0x1945, 0x19d1, 0x19f7, 0x1a60, 0x1b42, 0x1b62, 0x1b8d, 0x1bc2, 0x1c6a, 0x1d2c, 0x1d8b, 0x1df9, 0x1e1a, 0x1f14, 0x1fd2, 0x1ffb, 0x2041, 0x208d, 0x20ce, 0x2115, 0x2190, 0x21c0, 0x21f5, 0x2226, 0x2259, 0x228c, 0x22c5, 0x22f9, 0x232f, 0x2366, 0x2399, 0x23c9, 0x23ff, 0x2465, 0x249e, 0x24d5, 0x250b, 0x2544, 0x2577, 0x25ac, 0x25dc, 0x260d, 0x2640, 0x2676, 0x26d8, 0x270c, 0x273d, 0x27a0, 0x27d3, 0x2806, 0x2836, 0x286e, 0x28a2, 0x28d2, 0x2937, 0x299c, 0x29fe, 0x2a61, 0x2ac2, 0x2b25, 0x2b58, 0x2b8b, 0x2bc2, 0x2c28, 0x2c59, 0x2cbb, 0x2cf3, 0x2d55, 0x2d85, 0x2de9, 0x2e4c, 0x2e7c, 0x2eaf, 0x2f14, 0x2f49, 0x2f81, 0x2fe3, 0x3048, 0x3079, 0x30ad, 0x3113, 0x3178, 0x31ae, 0x31e7, 0x3217, 0x3279, 0x32aa, 0x32dc, 0x330f, 0x3375, 0x33ab, 0x33dc, 0x343e, 0x346e, 0x34d1, 0x3501, 0x3563, 0x3596, 0x35cb, 0x3631, 0x3694, 0x36cd, 0x3700, 0x3763, 0x37c6, 0x3829, 0x3860, 0x3892, 0x38c3, 0x38f3, 0x3923, 0x3957, 0x398c, 0x39c5, 0x39f8, 0x3a2e, 0x3a67, 0x3acc, 0x3b32, 0x3b6a, 0x3b9f, 0x3bd2, 0x3c03, 0x3c64, 0x3c95, 0x3cfa, 0x3d32, 0x3d93, 0x3dca, 0x3e2c, 0x3e60, 0x3e92, 0x3ecb, 0x3f04, 0x3f69, 0x3fa0, 0x4002, 0x403b, 0x409f, 0x40d8, 0x410f, 0x413f, 0x41a1, 0x41da, 0x423b, 0x426d, 0x42a0, 0x4301, 0x4362, 0x43df]
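# `a` holds the running byte sums that check() compares against, so the
# difference between neighbouring entries is one byte of sha512(flag) + flag.
# The sum starts at zero: entries 0-63 give the 64 digest bytes and the delta
# at index 64 is already 'F'.  Starting the loop at index 1 would therefore
# drop the first digest byte, so the first entry is differenced against 0.
b = ""
prev = 0
for cur in a:
    b += chr(cur - prev)
    prev = cur
print(b)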

GCCC

  • 用.net编译的一个程序,直接用ILSpy反编译得到C#代码,可以知道程序会对我们输入的key进行32轮验证,并且右移了32次后为0,所以

  • key取值范围为[2 ^ 31, 2 ^ 32)

  • flag前5位是FLAG{
  • flag最后一位是}
  • flag中间范围是“ABCDEFGHIJKLMNOPQRSTUVWXYZ ”
// GrayCCC
using System;

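// Entry point of the challenge as decompiled with ILSpy (only the stray ']'
// that the listing carried inside the array initializer has been removed).
//
// The key is a uint.  Each loop round derives one character from the low byte
// of the key, the table entry and the running XOR of earlier table entries,
// then shifts the key right by one bit.  The loop ends when the key reaches 0,
// and the later Substring(31, 1) needs at least 32 characters, so a key that
// reaches the success branch must have bit 31 set.
public static void Main()
{
    Console.Write("Input the key: ");
    if (!uint.TryParse(Console.ReadLine().Trim(), out uint result))
    {
        Console.WriteLine("Invalid key");
    }
    else
    {
        string text = "";
        // Every derived character must be a member of this alphabet.
        string text2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{} ";
        int num = 0;
        byte[] array = new byte[32]
        {164,25,4,130,126,158,91,199,173,252,239,143,150,251,126,39,104,104,146,208,249,9,219,208,101,182,62,92,6,27,5,46};
        byte b = 0;
        while (result != 0)
        {
            // byte is an unsigned 8-bit type: (byte)result keeps the low 8 bits.
            char c = (char)(array[num] ^ (byte)result ^ b);
            if (!text2.Contains(new string(c, 1)))
            {
                Console.WriteLine("Invalid key");
                return;
            }
            text += c;
            // b accumulates the XOR of all table entries used so far.
            b = (byte)(b ^ array[num++]);
            result >>= 1;
        }
        // The recovered text must start with "FLAG{" and have '}' at index 31.
        if (text.Substring(0, 5) != "FLAG{" || text.Substring(31, 1) != "}")
        {
            Console.WriteLine("Invalid key");
        }
        else
        {
            Console.WriteLine("Your flag is: " + text);
        }
    }
}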
  • 直接用z3来求解,这里要注意C#中的(byte)转换要用&0x7f来处理(C#的byte是8位无符号数,完全等价的建模应使用&0xff)
from z3 import *

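# Constraint model of the decompiled Main() loop, solved with z3.
array = [164,25,4,130,126,158,91,199,173,252,239,143,150,251,126,39,104,104,146,208,249,9,219,208,101,182,62,92,6,27,5,46]
text2 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{} "  # alphabet accepted by the program

# C# `byte` is an unsigned 8-bit type, so every cast is modelled with a 0xff
# mask.  A 0x7f mask leaves bit 7 of each character unconstrained, which lets
# the solver return a key the real program rejects.
b = 0
# 64 bits wide so the range bounds stay positive under z3's signed comparison
# and the arithmetic `>>` behaves like the logical shift of a C# uint.
x = BitVec('x', 64)
solver = Solver()
# Exactly 32 rounds: bit 31 set, nothing above it.
solver.add(x >= 2**31)
solver.add(x < 2**32)

for num in range(32):
    # Character produced in round `num`, as computed by the program.
    c = (array[num] ^ (x & 0xff) ^ b) & 0xff
    if num < 5:
        solver.add(c == ord('FLAG{'[num]))
    elif num < 31:
        # Assumption of the write-up: the body is upper-case letters or
        # spaces (the program itself would also accept '{' and '}').
        solver.add(Or(And(c >= ord('A'), c <= ord('Z')), c == ord(' ')))
    else:
        solver.add(c == ord('}'))

    b = (b ^ array[num]) & 0xff
    x >>= 1  # rebinds the Python name; the model still reports symbol 'x'

if solver.check() == sat:
    print(solver.model())
else:
    print('no key satisfies the constraints')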
  • 得到key后直接在程序输入得到flag

ccc

  • 首先输入字符串长度为42,verify函数就是对我们输入的字符串每次取3的倍数个进行crc32校验,生成的校验码与hashes数组里的数进行比较,我们直接写个类似的crc32校验函数然后进行爆破

exp:

import string

crc32_tab = [0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9, 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b, 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3, 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a, 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599, 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924, 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190, 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f, 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e, 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01, 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed, 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950, 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3, 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2, 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a, 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5, 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010, 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f, 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17, 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6, 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615, 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8, 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344, 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb, 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a, 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5, 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1, 
0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c, 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef, 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236, 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe, 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31, 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c, 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713, 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b, 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242, 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1, 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c, 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278, 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7, 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66, 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9, 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605, 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8, 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b, 0x2d02ef8d]

def crc32(num, a3):
    """Re-implementation of the binary's table-driven checksum.

    num -- the input bytes packed into one integer, first byte in the lowest
           8 bits; one byte is consumed per round.
    a3  -- number of bytes to consume.

    Returns 0xffffffff minus the final register value.  Only the low 7 bits
    of each byte are fed in (the 0x7f mask is kept as the write-up has it).
    """
    i = 0xffffffff
    remaining = a3
    while remaining:
        remaining -= 1
        low = num & 0x7f
        num >>= 8
        i = (i >> 8) ^ crc32_tab[(i ^ low) & 0xff]
    return 0xffffffff - i


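# Expected checksums from the binary: entry k covers the first 3 * (k + 1)
# input bytes.  Only the first 14 entries (42 bytes) are used.
hashes = [0xd641596f, 0x80a3e990, 0xc98d5c9b, 0x0d05afaf, 0x1372a12d, 0x5d5f117b, 0x4001fbfd, 0xa7d2d56b, 0x7d04fb7e, 0x2e42895e, 0x61c97eb3, 0x84ab43c3, 0x9fc129dd, 0xf4592f4d, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff]


def _find_next_block(prefix, length, target):
    """Return prefix + the first printable triple whose checksum over
    `length` bytes equals `target`, or None when no triple matches."""
    # Pack the known prefix once: first character in the lowest byte, which is
    # what int(s[::-1].encode('hex'), 16) produced in the Python 2 original.
    base = 0
    for pos, ch in enumerate(prefix):
        base |= ord(ch) << (8 * pos)
    shift = 8 * len(prefix)
    for i in string.printable:
        for j in string.printable:
            for l in string.printable:
                num = base | (ord(i) << shift) | (ord(j) << (shift + 8)) | (ord(l) << (shift + 16))
                if crc32(num, length) == target:
                    return prefix + i + j + l
    return None


# Checking the input three bytes at a time against a stored checksum lets each
# block be searched on its own (about 10**6 candidates) instead of the whole
# 42-byte input at once.
flag = ""
count = 3
count_i = 0
while count <= 42:
    found = _find_next_block(flag, count, hashes[count_i])
    if found is None:
        # The original loop would spin forever here; stop with a message.
        raise SystemExit("no printable triple matches hashes[%d]" % count_i)
    flag = found
    count += 3
    count_i += 1
    print(flag)

print(flag)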

bitx

  • 程序将我们输入的字符每字节+9 然后与经过处理的data处数据进行比较,所以我们利用data数据逆向求解我们的输入

exp:

# Bytes the program compares the transformed input against.
data = [0x8f, 0xaa, 0x85, 0xa0, 0x48, 0xac, 0x40, 0x95, 0xb6, 0x16,
        0xbe, 0x40, 0xb4, 0x16, 0x97, 0xb1, 0xbe, 0xbc, 0x16, 0xb1,
        0xbc, 0x16, 0x9d, 0x95, 0xbc, 0x41, 0x16, 0x36, 0x42, 0x95,
        0x95, 0x16, 0x40, 0xb1, 0xbe, 0xb2, 0x16, 0x36, 0x42, 0x3d,
        0x3d, 0x49]


def _undo_transform(value):
    """Swap each pair of neighbouring bits back, then remove the +9 offset."""
    odd_to_even = ((value & 0xaa) >> 1) & 0x7f
    even_to_odd = 2 * (value & 0x55 & 0x7f)
    return chr((odd_to_even | even_to_odd) - 9)


# Both steps are reversible without any secret, so the stored bytes reveal
# the expected input directly.
flag = "".join(_undo_transform(value) for value in data)

print(flag)

2018-rev

  • 运行以后会出现报错
2018.rev: 2018.c:67: main: Assertion `argc == 2018 && argv[0][0] == 1 && envp[0][0] == 1' failed.
  • 于是我们在gdb中通过设置rdi,rsi,rdx寄存器来绕过保护,我们可以在gdb中通过source rev.gdb来执行我们多条gdb命令

  • 修改前

  • 修改后

  • 运行后又发现第二个错误信息
Bad timing, you should open this at 2018/1/1 00:00:00 (UTC) :(
  • 由于程序的运行时间是从/etc/localtime读取的,所以我们可以写个shell脚本不断地重设系统时间来绕过,这里直接用M4x师傅的脚本
#!/usr/bin/env bash
# Keeps resetting the system clock to 2018-01-01 00:00:00 UTC so the
# challenge's time check passes while it runs.
# Side effects: this changes the clock of the whole machine (log timestamps,
# certificate validation, scheduled jobs) and a time-sync service will fight
# it, so it belongs in a throw-away VM.  Stop it with Ctrl-C and re-sync the
# clock afterwards.

while :
do
    sudo date -u -s "2018-01-01 00:00:00"
done

what-the-hell

  • calc_key3函数会对我们输入的两个数进行一系列验证,然后调用what函数(实际上是求斐波那契数列的函数)来得到i,最后生成我们的key,先用z3跑出符合验证的两个数
from z3 import *
import gmpy2
import math


# The two inputs are modelled as 32-bit vectors, so the products below wrap
# modulo 2**32.
x = BitVec('x', 32)
y = BitVec('y', 32)

solver = Solver()

# Checks performed by calc_key3 on the two numbers.
solver.add(
    x * y == 0xDDC34132,
    (x ^ 0x7e) * (y + 16) == 0x732092BE,
    ((x & 0xffff) - (y & 0xffff)) & 0xFFF == 3295,
)

# Enumerate every satisfying x; only prime values are reported.
while solver.check() == sat:
    model = solver.model()
    candidate = model[x]
    if gmpy2.is_prime(candidate.as_long()):
        print(model)
    # Exclude this x so the next check() returns a different value.
    solver.add(x != candidate)

☁ 桌面 python what-the-hell.py
[y = 1234567890, x = 2136772529]
[y = 1234567890, x = 4284256177]
  • 由于what函数使用了递归,所以跑的非常慢,这里我们自己写了个不用递归的求斐波那契数列的函数,然后加上decrypt_flag函数,即可得到flag,注意我们生成的数可能会溢出,而32位所能表示的最大数为0xffffffff,所以对大于这个范围的数要 & 0xffffffff

生成flag的exp:

import math 
import time

junk_data = [0x09, 0x23, 0x8c, 0xb9, 0x2f, 0x19, 0x8d, 0xf8, 0xf3, 0x79, 0x81, 0x87, 0x93, 0x99, 0x35, 0x52, 0x9c, 0xf0, 0x34, 0x99, 0x23, 0xb1, 0x84, 0x1d, 0xf0, 0x8f, 0x7e, 0x45, 0x0f, 0xcb, 0x40, 0xf8, 0x4e, 0xd1, 0x42, 0x29, 0x76, 0x17, 0x43, 0xe1, 0xac, 0x04, 0x37, 0xa0, 0xe4, 0x30, 0x59, 0xa9, 0x68, 0xd9, 0x1c, 0x96, 0xfc, 0x1d, 0x85, 0xea, 0xd2, 0x94, 0x07, 0x90, 0x09, 0xd2, 0xc9, 0x19, 0x86, 0xc9, 0xdc, 0x24, 0x6f, 0x3b, 0x5c, 0x92, 0x4c, 0x9f, 0xd9, 0x50, 0xdd, 0x98, 0x37, 0x1c, 0xb1, 0xda, 0xa5, 0x44, 0xf2, 0x8e, 0x43, 0x66, 0x91, 0xa3, 0xdf, 0xaf, 0x3a, 0x7e, 0x65, 0x91, 0x19, 0x22, 0xfd, 0xfe, 0x14, 0xba, 0x0a, 0xe1, 0xb9, 0x61, 0x73, 0x86, 0xe1, 0x96, 0xc1, 0x67, 0xce, 0x06, 0x25, 0x74, 0xf0, 0x2e, 0xa3, 0xbb, 0xed, 0x68, 0x3e, 0x53, 0x30, 0x43, 0x0e, 0x53, 0xb8, 0x8a, 0x9c, 0x95, 0x41, 0xc3, 0xb0, 0x25, 0x1c, 0xcb, 0x38, 0x86, 0xa6, 0x7a, 0x6f, 0xf2, 0x63, 0x0a, 0x19, 0x7c, 0x07, 0xda, 0x6f, 0xa2, 0x4e, 0xd2, 0x74, 0x4a, 0xf9, 0xaf, 0xc2, 0x9c, 0xfd, 0x89, 0xe6, 0x04, 0x11, 0xf6, 0x6f, 0xf5, 0x98, 0x55, 0x9d, 0x37, 0x12, 0xf2, 0xa6, 0x66, 0xbe, 0x85, 0x87, 0x8e, 0x87, 0x64, 0x5e, 0xa0, 0x61, 0x52, 0xd8, 0xbb, 0x39, 0x3d, 0x7b, 0xd2, 0x47, 0x27, 0x37, 0x30, 0xb5, 0xf8, 0x90, 0xfc, 0x50, 0xf3, 0xc1, 0x5c, 0x6b, 0xa4, 0xbe, 0x8d, 0xa5, 0xea, 0xdd, 0x72, 0xf2, 0x28, 0xe1, 0x74, 0xef, 0x07, 0x10, 0xcf, 0x39, 0x7d, 0x58, 0xe7, 0x46, 0x09, 0x04, 0xe9, 0xe9, 0x37, 0xd7, 0xe1, 0x20, 0xf9, 0xc2, 0x54, 0x28, 0xe7, 0x30, 0xe8, 0x86, 0x58, 0x77, 0x6c, 0x7d, 0x2e, 0x00, 0xce, 0xcc, 0x9c, 0xfb, 0xa3, 0x8d, 0xd1, 0x04, 0x98, 0x9d, 0x4f, 0xe8, 0x1f, 0x60, 0x3a, 0x8a, 0x5b, 0x1a, 0x11, 0x55, 0xf0, 0x6b, 0xcf, 0xd8, 0x6d, 0x75, 0x30, 0x9a, 0xd8, 0xd8, 0x5d, 0x2e, 0x90, 0x7e, 0x43, 0x5c, 0xeb, 0x3f, 0x26, 0x78, 0xaf, 0xb3, 0xb0, 0xc3, 0x1c, 0xe9, 0xab, 0x94, 0xe6, 0xc1, 0x49, 0x25, 0x4b, 0xaa, 0xff, 0x59, 0xe1, 0x11, 0x48, 0x3c, 0xb9, 0x16, 0x67, 0x27, 0xf9, 0xa0, 0x29, 0x68, 0x2e, 0xfb, 0x45, 0x5d, 0x29, 0x12, 0x0a, 0x36, 0x04, 0x54, 0xb3, 0xcf, 0x87, 0x24, 0x37, 0x8e, 
0x7c, 0x5a, 0xef, 0xf8, 0x33, 0xe2, 0xe0, 0x89, 0x83, 0xa8, 0x4d, 0x72, 0x28, 0x80, 0xaa, 0xd4, 0x0e, 0xdd, 0x72, 0xa5, 0x0b, 0xad, 0x85, 0x6f, 0xee, 0x44, 0xad, 0x43, 0x7d, 0x30, 0xc2, 0x15, 0xc9, 0x72, 0x12, 0x53, 0x8a, 0x37, 0x9d, 0xf2, 0x64, 0x1d, 0x21, 0x5e, 0x49, 0x78, 0x54, 0xc0, 0xf0, 0xa9, 0x81, 0xe3, 0x32, 0xd4, 0x99, 0x81, 0x88, 0x64, 0xfe, 0x20, 0x92, 0x89, 0xd0, 0xc9, 0x5a, 0xce, 0xfa, 0xb5, 0xe4, 0x2a, 0x9d, 0x50, 0xab, 0x32, 0x35, 0x8d, 0x31, 0x4c, 0x94, 0x6c, 0xc0, 0xef, 0xf4, 0xe2, 0x40, 0xf7, 0x47, 0x51, 0xdb, 0x1c, 0x6d, 0x3b, 0x6b, 0xea, 0xda, 0x16, 0x9a, 0x27, 0x68, 0xa3, 0x73, 0xbf, 0x9d, 0x40, 0x8f, 0x07, 0xf3, 0xc7, 0x65, 0x57, 0xb7, 0x7e, 0x0c, 0xea, 0xc9, 0x9f, 0x7f, 0x46, 0x82, 0xe6, 0x5c, 0xe6, 0xdf, 0xfe, 0x42, 0x41, 0x12, 0x62, 0x33, 0x74, 0xff, 0xe9, 0x52, 0xd1, 0x0f, 0x75, 0x88, 0x43, 0x17, 0x02, 0x5a, 0x9e, 0x29, 0xad, 0x40, 0x62, 0xdb, 0x1f, 0x2c, 0xe7, 0xa8, 0x6e, 0xac, 0x62, 0xc4, 0xbe, 0xec, 0x98, 0xb3, 0xe9, 0x44, 0xd4, 0x3e, 0xc3, 0x9e, 0x0f, 0xbc, 0xad, 0xc6, 0x28, 0x28, 0x95, 0x93, 0xd1, 0xd5, 0x03, 0xaa, 0x78, 0xe3, 0x0d, 0x20, 0x90, 0x58, 0x82, 0xcc, 0x5f, 0x46, 0xf9, 0x2c, 0x17, 0x55, 0xdb, 0x96, 0x0a, 0x34, 0x69, 0x6b, 0x87, 0x2b, 0xb2, 0x45, 0x9d, 0x7c, 0xea, 0xf3, 0xab, 0x19, 0x6a, 0xe3, 0x73, 0x9d, 0x84, 0x6c, 0x3a, 0x04, 0xb5, 0x07, 0x3d, 0x10, 0x3e, 0x67, 0x5e, 0x53, 0x86, 0xdb, 0xa0, 0x39, 0xab, 0xe0, 0x06, 0x22, 0x27, 0x8c, 0x81, 0xd3, 0xc6, 0x1f, 0x15, 0x35, 0x8d, 0x26, 0x8d, 0x67, 0x03, 0xbd, 0xc3, 0x76, 0xf7, 0x27, 0x29, 0x82, 0xaf, 0x64, 0x9d, 0x15, 0x0f, 0xbe, 0xad, 0xab, 0x39, 0x50, 0xd7, 0xb9, 0x1b, 0x0a, 0x3f, 0x99, 0xcc, 0x6a, 0xf5, 0xff, 0x5b, 0xde, 0x9f, 0xd1, 0x4d, 0xfc, 0xf4, 0x21, 0x83, 0xd0, 0x33, 0xab, 0xa4, 0x3e, 0x3b, 0x3a, 0x67, 0x41, 0xde, 0x93, 0xb1, 0x2a, 0xc4, 0x98, 0xda, 0xea, 0x51, 0xfd, 0xcf, 0xeb, 0xf0, 0xc7, 0x1f, 0xf6, 0x4c, 0xfc, 0x04, 0xef, 0x24, 0x51, 0xbf, 0x0d, 0xb0, 0x50, 0x2c, 0x06, 0xaa, 0x0e, 0x2f, 0x74, 0xb0, 0xd5, 0x27, 0xe7, 0xd3, 0xc4, 0xa7, 0x57, 0x0d, 0x31, 0xce, 0xd2, 
0x5f, 0x6f, 0x99, 0x43, 0xdb, 0x93, 0x59, 0x24, 0xc0, 0xa8, 0x29, 0x3f, 0xda, 0x70, 0xbd, 0x92, 0x8a, 0xc5, 0x76, 0xf9, 0x31, 0x8b, 0x98, 0xd6, 0x0a, 0x7c, 0xa0, 0x8d, 0x9b, 0x96, 0x4a, 0x77, 0x5b, 0xc2, 0xe5, 0x46, 0x72, 0x28, 0x4f, 0x54, 0x44, 0x06, 0xb4, 0xe5, 0xb2, 0x6c, 0xef, 0x4e, 0x1e, 0x7e, 0xae, 0x0a, 0xc0, 0x7d, 0x1e, 0x6e, 0x80, 0x3a, 0xdf, 0x88, 0x07, 0x4b, 0xf8, 0xce, 0x3a, 0x40, 0x60, 0x6f, 0xda, 0x9f, 0xe4, 0xd9, 0x58, 0xa3, 0x19, 0xec, 0x5a, 0xd8, 0x85, 0x52, 0x1e, 0xa8, 0xca, 0x04, 0xdc, 0x5d, 0xd2, 0x77, 0x45, 0x35, 0xb0, 0x5a, 0xd1, 0xcd, 0xdc, 0x30, 0xa6, 0x14, 0xa6, 0xa1, 0xbf, 0x24, 0xe1, 0xde, 0xe6, 0xef, 0xa9, 0x0e, 0x00, 0x64, 0x5d, 0xef, 0x11, 0x4a, 0xf3, 0x38, 0x52, 0x86, 0x81, 0x6f, 0x42, 0xfb, 0x8b, 0x4b, 0x36, 0xfb, 0x79, 0x9d, 0x82, 0xbc, 0x0d, 0x01, 0x14, 0x42, 0x86, 0xd7, 0x65, 0xb4, 0x51, 0xbf, 0xec, 0x64, 0xe4, 0x61, 0x21, 0x63, 0x99, 0xd3, 0xc5, 0xfe, 0x58, 0x0a, 0xf5, 0xa1, 0xd5, 0xb0, 0xd9, 0xb4, 0x8a, 0x02, 0xc7, 0x50, 0xde, 0xde, 0xf2, 0xbe, 0x13, 0xf8, 0x3f, 0x23, 0x51, 0x4c, 0x19, 0x40, 0x74, 0xa6, 0x35, 0xba, 0x4b, 0x71, 0x1b, 0xae, 0xfe, 0x43, 0x8f, 0xa4, 0x25, 0xa5, 0xe5, 0x31, 0xb3, 0x17, 0x00, 0x83, 0x34, 0x4a, 0xba, 0x05, 0xcf, 0xbb, 0xb8, 0x67, 0x25, 0xe0, 0xd3, 0x53, 0xfc, 0xaa, 0xba, 0xb3, 0x6c, 0x8a, 0xec, 0x8f, 0x9c, 0xdb, 0x47, 0x05, 0x8e, 0x5a, 0x3e, 0xd4, 0x7b, 0x5f, 0xc5, 0x42, 0xd1, 0x6c, 0x2c, 0x99, 0xba, 0xfd, 0x9d, 0x6b, 0x52, 0xd2, 0x34, 0x86, 0x6a, 0x5d, 0x5e, 0x50, 0xb3, 0x58, 0xd4, 0x3a, 0xb7, 0x12, 0x46, 0x0e, 0x40, 0x81, 0xa5, 0x21, 0x5d, 0x5e, 0x63, 0xe5, 0x3b, 0x30, 0x3b, 0x6e, 0x13, 0x73, 0x36, 0x20, 0x3c, 0xe3, 0xa9, 0x99, 0x70, 0x49, 0x92, 0xfc, 0xfa, 0x70, 0x24, 0x6f, 0x7b, 0x1d, 0x93, 0x8d, 0x7d, 0xb4, 0xae, 0x2a, 0x7d, 0x53, 0x5c, 0x68, 0xea, 0xfa, 0x94, 0x58, 0x54, 0x28, 0xcf, 0x23, 0xfb, 0x70, 0x80, 0x7f, 0xf0, 0x4f, 0x2a, 0x0b, 0x94, 0xd7, 0x3e, 0x7f, 0x78, 0x45, 0xfc, 0xe3, 0xa9, 0x3e, 0x1e, 0x23, 0xa3, 0x7e, 0x06, 0x00, 0x1d, 0x66, 0x50, 0x9d, 0xd1, 0x1f, 0x65, 0x7e, 0x76, 0x8f, 0x47, 
0x73, 0xf0, 0xaa, 0x3a, 0xc5, 0xb8, 0xb0, 0x65, 0xdd, 0x34, 0x48, 0x80, 0x30, 0x46, 0xe0, 0x0a, 0xdd, 0x1b, 0xc6, 0xd6, 0x88, 0xfb, 0x76, 0x0a, 0xa5, 0xe9, 0xb5, 0xc8, 0xbc, 0x0b, 0x82, 0x1c, 0x33, 0xa3, 0x4d, 0xd3, 0xce, 0x2f, 0x2a, 0x8e, 0xfa, 0xaa, 0xb2, 0x5d, 0x57, 0x89, 0x03, 0x56, 0x5f, 0xf2, 0x05, 0xf7, 0x24, 0xe6, 0xb6, 0x13, 0x84, 0xbc, 0x5d, 0xa5, 0x8f, 0x0d, 0xac, 0xc1, 0xa7, 0xdb, 0x2a, 0xdf, 0xb9, 0xda, 0x91, 0xfb, 0xf1, 0xd7, 0x83, 0x36, 0xcc, 0x3d, 0xbe, 0x14, 0xef, 0x51, 0x57, 0xe1, 0xbf, 0x6a, 0x3f, 0x5f, 0xea, 0xa8, 0x08, 0xb6, 0x83, 0x84, 0xa2, 0x8b, 0x2f, 0x13, 0x2b, 0x59, 0x9d, 0x86, 0x29, 0x22, 0x53, 0x17, 0xee, 0x15, 0x84, 0x3b, 0x1e, 0x2d, 0x10, 0xf0, 0x8b, 0xc3, 0xad, 0x4b, 0x45, 0x50, 0x06, 0x12, 0xaa, 0x94, 0x60, 0x07, 0x09, 0x6b, 0x2a, 0xda, 0xbf, 0x86, 0x90, 0x9a, 0xfb, 0xaf, 0xec, 0xbe, 0x05, 0x4a, 0x1e, 0xfc, 0x6e, 0xfe, 0x81, 0xc0, 0x1b, 0xb2, 0x39, 0x2f, 0x5c, 0x05, 0x40, 0xab, 0x0b, 0x4e, 0xe3, 0x69, 0x15, 0x9a, 0x3f, 0x70, 0x94, 0x10, 0xe7, 0x91, 0xef, 0x1e, 0x69, 0xe3, 0x6d, 0xf6, 0x43, 0xe5, 0xeb, 0xe4, 0x1e, 0xfe, 0xac, 0xaf, 0x64, 0xcd, 0xf0, 0x59, 0x07, 0x0b, 0x5a, 0xc8, 0xed, 0x19, 0x84, 0xd0, 0x4d, 0xf8, 0xcc, 0x85, 0x54, 0x75, 0xfc, 0xe8, 0x6e, 0x3f, 0x5e, 0xf8, 0xb6, 0x39, 0xdc, 0x7f, 0x24, 0x7d, 0x7e, 0x83, 0x3f, 0xf4, 0xb9, 0x8a, 0xe8, 0xc8, 0xdc, 0x7a, 0xfb, 0x2e, 0x63, 0xb2, 0x5c, 0x11, 0xf6, 0x8b, 0xfb, 0x83, 0x20, 0xba, 0x00, 0x9a, 0x04, 0xfb, 0xd5, 0xdd, 0x51, 0x8d, 0x90, 0x59, 0x0c, 0xf9, 0xa5, 0xef, 0x24, 0x98, 0x09, 0x26, 0x97, 0x32, 0x97, 0xbc, 0xaa, 0x3d, 0x82, 0x9e, 0xb0, 0x2d, 0xa8, 0x23, 0x76, 0xce, 0x5c, 0x59, 0x2a, 0x9f, 0x12, 0xaa, 0x60, 0x8d, 0x8f, 0x1f, 0xd1, 0xe1, 0x67, 0xc8, 0x2a, 0x19, 0x67, 0x66, 0x5b, 0x81, 0xae, 0x98, 0xd3, 0x3a, 0x17, 0xf5, 0xaa, 0xd6, 0x43, 0xf7, 0xd9, 0x6a, 0xa4, 0x71, 0x08, 0xfc, 0xfe, 0x5f, 0x01, 0xa4, 0x26, 0x06, 0x94, 0x95, 0xbb, 0xbe, 0x0a, 0xcf, 0x2d, 0x88, 0x1f, 0x7e, 0xbf, 0x21, 0x12, 0x51, 0x1e, 0xbc, 0xb9, 0xa3, 0x56, 0x20, 0x9c, 0x60, 0x82, 0x57, 0x41, 0x82, 0xcc, 
0x91, 0xc8, 0xff, 0xef, 0xcd, 0xcf, 0x61, 0x17, 0xe5, 0xe9, 0x55, 0xa0, 0xfd, 0xd4, 0x12, 0x1b, 0x5c, 0xca, 0x75, 0x73, 0x19, 0x87, 0xd6, 0xd6, 0x08, 0x29, 0xee, 0xa9, 0x96, 0xfe, 0x7f, 0x6a, 0xba, 0x68, 0xe9, 0x88, 0x3f, 0xd7, 0x6b, 0xe1, 0x9c, 0x26, 0x45, 0x39, 0x28, 0x5b, 0xc1, 0xed, 0x40, 0xf3, 0x1c, 0x1e, 0x05, 0xc3, 0x69, 0x29, 0x7a, 0xf1, 0x48, 0xda, 0xb3, 0xb3, 0xf0, 0x86, 0xc9, 0xce, 0xdd, 0x29, 0xda, 0x53, 0xf5, 0x47, 0x1a, 0x11, 0x5e, 0x07, 0x5a, 0x94, 0x7c, 0x72, 0x21, 0x71, 0x63, 0xae, 0xb3, 0xec, 0x17, 0xa8, 0xc4, 0xdb, 0x13, 0x61, 0x58, 0xa4, 0x6c, 0x63, 0x0a, 0xa6, 0xd5, 0xc5, 0xff, 0x0e, 0xc3, 0x3b, 0xcb, 0xa2, 0x56, 0x04, 0x86, 0x32, 0x71, 0xbf, 0xd9, 0xe5, 0xed, 0x01, 0x52, 0xc8, 0xd3, 0x2d, 0x08, 0xf9, 0x6b, 0xf0, 0x53, 0x71, 0x23, 0x07, 0xa7, 0xdd, 0xa1, 0xa1, 0x39, 0xa8, 0x27, 0x7c, 0xad, 0xce, 0xba, 0x46, 0xde, 0xef, 0x5c, 0x8c, 0x98, 0xbe, 0xda, 0xae, 0x63, 0xf6, 0xdf, 0x4c, 0x7f, 0x29, 0x83, 0x65, 0x87, 0x09, 0x2b, 0xfb, 0x10, 0xc1, 0xdb, 0xff, 0x08, 0x2a, 0x9d, 0x87, 0x29, 0x86, 0x34, 0x0e, 0xa3, 0x43, 0x29, 0x46, 0x33, 0xf0, 0x6c, 0x53, 0x20, 0x89, 0x36, 0x49, 0x7e, 0x5b, 0x11, 0x80, 0xa6, 0x48, 0x80, 0xb9, 0xb9, 0x32, 0xb3, 0xc8, 0x16, 0xd2, 0x05, 0x47, 0x53, 0xb5, 0x96, 0x15, 0x82, 0x16, 0x3b, 0x25, 0x47, 0x53, 0x3e, 0x95, 0xea, 0xad, 0x9d, 0x91, 0x94, 0xf9, 0xd4, 0x8b, 0x53, 0x66, 0xae, 0x8c, 0x0e, 0x1f, 0xb0, 0xcf, 0xa4, 0x3e, 0x91, 0x9a, 0xe3, 0xde, 0xb5, 0xb0, 0xda, 0xf2, 0x9d, 0x0c, 0x79, 0xb6, 0x7b, 0x70, 0x0a, 0x50, 0x4f, 0x7a, 0x58, 0x33, 0x89, 0x74, 0x9d, 0xa7, 0xad, 0x71, 0x9c, 0xd0, 0x8f, 0xca, 0xc9, 0x51, 0xc7, 0x81, 0x0c, 0xc6, 0x6a, 0x8a, 0x52, 0xb6, 0x0c, 0xd9, 0x86, 0x92, 0x33, 0xdc, 0x9e, 0xa9, 0xe7, 0xf2, 0xed, 0xa5, 0x4a, 0x80, 0x5f, 0x00, 0xb7, 0xdb, 0x75, 0xa9, 0x81, 0x12, 0x56, 0xc7, 0xe8, 0x72, 0xcb, 0xc9, 0x62, 0x38, 0x03, 0x76, 0xb2, 0x57, 0xcd, 0x1a, 0xf7, 0xff, 0x3c, 0x1d, 0x5f, 0xb4, 0x4c, 0x90, 0x3e, 0x8d, 0x10, 0x7e, 0x33, 0xfd, 0x59, 0xd9, 0xad, 0xf5, 0x33, 0x58, 0x41, 0xff, 0xda, 0x8e, 0x06, 0x37, 0x52, 
0x9e, 0x68, 0xfc, 0xcc, 0x59, 0xaa, 0x27, 0x11, 0x34, 0x02, 0x63, 0x00, 0x03, 0x06, 0x60, 0x90, 0xde, 0x07, 0xd9, 0x15, 0x8a, 0x71, 0x03, 0x6c, 0x6f, 0x4a, 0x56, 0x8f, 0x08, 0x7f, 0x63, 0xe0, 0xa9, 0x23, 0x5b, 0x27, 0xe8, 0xd7, 0xc0, 0x8e, 0xd6, 0xa0, 0x6f, 0xb5, 0x1d, 0x96, 0x39, 0x21, 0x76, 0x3c, 0x74, 0xdc, 0xa2, 0xc9, 0x3a, 0xcc, 0x1b, 0x67, 0x06, 0x1c, 0xf6, 0x48, 0xf4, 0x57, 0x31, 0x48, 0xf2, 0x07, 0xd7, 0xcf, 0xf7, 0x63, 0x50, 0xc0, 0x03, 0x15, 0x2e, 0xa0, 0x26, 0x48, 0xa6, 0x2f, 0x3f, 0xd2, 0x96, 0x0a, 0xee, 0x52, 0x1f, 0xbf, 0x1a, 0x0f, 0xb8, 0xaf, 0x32, 0xbc, 0x78, 0x46, 0x43, 0x36, 0x28, 0x30, 0x4e, 0x7b, 0x57, 0x0d, 0x58, 0xb5, 0xb6, 0x2e, 0x3d, 0x9b, 0x32, 0xca, 0x1c, 0x69, 0x74, 0x42, 0x13, 0xd3, 0x4f, 0x64, 0x2e, 0x1b, 0x65, 0xbb, 0x0a, 0x1f, 0xaa, 0xd9, 0x5e, 0xbd, 0x2f, 0xa0, 0xd3, 0xa8, 0xef, 0x1b, 0xac, 0xf8, 0x42, 0x96, 0x6f, 0xc3, 0x44, 0x6e, 0x2f, 0x97, 0x36, 0x9a, 0x18, 0x1e, 0x0d, 0xb9, 0xa0, 0x29, 0x5d, 0xcb, 0xd4, 0xe2, 0xbe, 0x55, 0x59, 0xa6, 0x26, 0x9e, 0x57, 0xaa, 0x62, 0xeb, 0xc0, 0x6d, 0x76, 0x45, 0x80, 0xc4, 0xdf, 0x91, 0x39, 0x32, 0xe9, 0xc3, 0xfd, 0x94, 0x49, 0xce, 0x8c, 0x98, 0xde, 0x4a, 0x6d, 0x6e, 0x60, 0xe7, 0x8d, 0x89, 0x95, 0x26, 0x8b, 0x79, 0x53, 0xbc, 0xb2, 0xfb, 0xc6, 0x9c, 0x9b, 0x99, 0xe2, 0x99, 0xe2, 0xae, 0xb8, 0x94, 0x62, 0x9b, 0x3f, 0x41, 0x5f, 0xc9, 0x4e, 0x64, 0xdc, 0x93, 0xfa, 0xb8, 0x0b, 0x9e, 0x6e, 0x2f, 0x92, 0xd9, 0xdb, 0xcf, 0xfa, 0x85, 0x9f, 0x0e, 0xb0, 0x54, 0x72, 0x4a, 0x3d, 0xfa, 0x48, 0x10, 0xfe, 0x14, 0x4d, 0x6f, 0xa2, 0x65, 0x80, 0xf1, 0x86, 0xe3, 0x37, 0x28, 0x6b, 0x7d, 0x7f, 0xf0, 0x62, 0xcf, 0x8e, 0x66, 0x3e, 0xe3, 0x65, 0xdd, 0x26, 0xde, 0xa4, 0x0d, 0x6d, 0x26, 0x1c, 0x5d, 0x69, 0x70, 0xbe, 0x99, 0xe2, 0xd1, 0xdb, 0xde, 0xc2, 0x90, 0xf5, 0xb1, 0x69, 0x2e, 0x75, 0x3c, 0xb1, 0xa5, 0x93, 0xf8, 0x01, 0x40, 0xe7, 0x39, 0x42, 0x0c, 0x39, 0xe0, 0xed, 0x97, 0xc3, 0xba, 0x89, 0x77, 0xc3, 0xb6, 0x5e, 0xa8, 0x40, 0xf6, 0x8f, 0x32, 0xb3, 0x23, 0x9e, 0x92, 0xdb, 0x10, 0xb2, 0xd0, 0xfd, 0xb4, 0x32, 0x2e, 0xb3, 
0xc6, 0x24, 0x6f, 0xce, 0x01, 0xce, 0x27, 0xd8, 0x5c, 0x7d, 0xa5, 0x1f, 0xcc, 0x48, 0x53, 0x07, 0x8f, 0x8b, 0x53, 0xad, 0x94, 0xba, 0xe7, 0x62, 0xeb, 0x53, 0xea, 0xec, 0xa0, 0x05, 0x94, 0x0c, 0xd4, 0x72, 0x6d, 0x24, 0x50, 0xc1, 0x85, 0xa3, 0xbb, 0x51, 0x52, 0x13, 0xcf, 0xf3, 0x39, 0x3f, 0x5b, 0x5a, 0x6d, 0xbd, 0xb6, 0x9b, 0xae, 0x4c, 0x60, 0x1a, 0x9c, 0x48, 0x40, 0x6e, 0x0a, 0xc5, 0x96, 0x25, 0xce, 0x0a, 0x26, 0x9a, 0x0e, 0x47, 0xad, 0xc8, 0x43, 0x0c, 0xd7, 0xf8, 0xb7, 0x5b, 0xaa, 0x3b, 0x16, 0xbf, 0x8a, 0xff, 0x7b, 0x0f, 0xf3, 0x5f, 0x0b, 0x4d, 0x62, 0xe1, 0x3c, 0x5e, 0xe0, 0x70, 0xb6, 0x31, 0xf9, 0xbf, 0xc3, 0x77, 0xde, 0xb6, 0x17, 0xf6, 0x0e, 0x53, 0x32, 0x3e, 0x3f, 0x93, 0x73, 0xe7, 0x72, 0xce, 0x8d, 0xc3, 0xfe, 0x89, 0xef, 0xd7, 0xca, 0xea, 0x85, 0xb2, 0xf0, 0xf2, 0xb8, 0x7b, 0x46, 0xb7, 0x71, 0x98, 0x79, 0x8b, 0xac, 0x0b, 0xda, 0x4c, 0x86, 0x7b, 0x42, 0x53, 0x69, 0x05, 0x6b, 0xda, 0x34, 0x4b, 0xb3, 0xb2, 0x49, 0x2d, 0x9d, 0xab, 0xb9, 0xc8, 0x2b, 0x3f, 0xb3, 0x9d, 0x66, 0x71, 0xd0, 0x9f, 0xfc, 0x4e, 0xf0, 0xce, 0x4f, 0xac, 0x4e, 0x08, 0x2a, 0x23, 0xde, 0xa2, 0x1f, 0x2f, 0x21, 0xce, 0x73, 0x42, 0xb6, 0xf2, 0xef, 0x4b, 0x6e, 0x56, 0xf6, 0x35, 0xad, 0x2d, 0x61, 0x7d, 0x44, 0xcb, 0x61, 0x08, 0xaf, 0xd3, 0x94, 0x12, 0x7b, 0x61, 0x48, 0xde, 0x2e, 0xb8, 0x98, 0xf8, 0xc3, 0x66, 0xbc, 0x27, 0x31, 0x77, 0x33, 0x9f, 0xb7, 0x68, 0x39, 0xb8, 0x7c, 0x16, 0x76, 0x68, 0xa9, 0x58, 0x08, 0xe6, 0x07, 0xfb, 0xbd, 0xef, 0x27, 0xcd, 0x47, 0x71, 0xcd, 0xcb, 0x81, 0x48, 0x4b, 0xcc, 0xa5, 0x85, 0xd2, 0xda, 0xc9, 0x8c, 0x5c, 0x68, 0xc3, 0xa6, 0x83, 0x98, 0x6b, 0xee, 0x51, 0x8a, 0x65, 0x32, 0x94, 0x27, 0x11, 0x2c, 0x6d, 0xa3, 0x6a, 0xd3, 0xf6, 0xd5, 0xbb, 0x27, 0xba, 0x54, 0x1c, 0x92, 0xf7, 0xbf, 0x17, 0x7f, 0x7a, 0xa7, 0x01, 0x8b, 0x84, 0x56, 0x46, 0x13, 0xcf, 0x18, 0xd1, 0x60, 0xc8, 0x08, 0xe0, 0x3c, 0x63, 0x2f, 0x4f, 0xfa, 0xe8, 0x5c, 0x3b, 0xad, 0x5c, 0x45, 0x62, 0x3a, 0xd1, 0xbe, 0x75, 0x3d, 0x79, 0x26, 0xf0, 0xa2, 0x82, 0x23, 0xb8, 0x8c, 0xfe, 0xc7, 0x2a, 0x38, 0x03, 0xc1, 0x6d, 
0x87, 0xfd, 0xba, 0x28, 0x55, 0x22, 0xe7, 0x4f, 0xb4, 0x33, 0xb7, 0x7d, 0x88, 0xae, 0x79, 0x4f, 0x87, 0x0f, 0xe3, 0x26, 0xd2, 0xe7, 0x4e, 0xc8, 0x69, 0xab, 0x8a, 0x15, 0x19, 0x95, 0xc3, 0x0d, 0x57, 0xd3, 0x5b, 0x67, 0x24, 0x10, 0x31, 0x35, 0x23, 0xa5, 0xdf, 0x0b, 0xc7, 0xd3, 0x20, 0x11, 0x8b, 0xb3, 0x09, 0xd3, 0x3c, 0x6b, 0x25, 0x80, 0xae, 0xcd, 0x50, 0x32, 0x19, 0xc0, 0x09, 0xa8, 0x52, 0x93, 0x0a, 0x78, 0x8f, 0x01, 0x0a, 0xd2, 0x24, 0x96, 0x52, 0x06, 0x2a, 0xbd, 0xd5, 0x71, 0x42, 0x5d, 0xb5, 0x23, 0x22, 0xba, 0xa5, 0x17, 0xab, 0xa0, 0xe3, 0x2b, 0xb5, 0x34, 0xcc, 0x83, 0x98, 0xac, 0x23, 0x92, 0xe7, 0x7f, 0x3b, 0x6b, 0x8a, 0x29, 0x8f, 0x44, 0x6d, 0x07, 0x67, 0xa7, 0xaa, 0x1b, 0x37, 0xe1, 0x2b, 0xe5, 0x39, 0x7e, 0x42, 0xeb, 0xfa, 0x2c, 0x09, 0x1d, 0x77, 0x95, 0xab, 0x3a, 0x41, 0x4b, 0xd2, 0x73, 0xaf, 0xe2, 0xc8, 0xa3, 0xea, 0xfe, 0xae, 0x69, 0x75, 0x3f, 0x54, 0x93, 0x40, 0x13, 0x7a, 0xc8, 0xea, 0x3b, 0x85, 0xd1, 0x82, 0xdd, 0x6b, 0x93, 0xad, 0xb1, 0x9a, 0xd5, 0x33, 0x8b, 0xd9, 0x3f, 0x40, 0x8e, 0x4e, 0xca, 0xf1, 0x74, 0x58, 0xfc, 0xd7, 0xa7, 0xc7, 0xbf, 0x6d, 0x61, 0x13, 0x9f, 0x64, 0x91, 0x1e, 0xc4, 0x00, 0x36, 0x3b, 0xb5, 0x66, 0xcf, 0xd6, 0xd0, 0x85, 0x1b, 0xdb, 0xb7, 0x94, 0x8f, 0xaf, 0x08, 0x2d, 0x28, 0xbd, 0xf9, 0x8c, 0x60, 0x6c, 0xc9, 0x93, 0x10, 0x0f, 0x0e, 0x73, 0x99, 0xfd, 0xda, 0x7e, 0xe0, 0xa1, 0xc4, 0xe8, 0xe6, 0x19, 0x65, 0x80, 0x98, 0xb3, 0xa7, 0xc1, 0x8e, 0x2c, 0xa4, 0x2b, 0xc5, 0xab, 0x6e, 0xad, 0x3b, 0xf5, 0xa6, 0xc1, 0x6d, 0x1d, 0x1a, 0xbd, 0x3e, 0xb8, 0xe5, 0xaa, 0x9a, 0x7d, 0xd4, 0x56, 0x0e, 0x12, 0x33, 0x8e, 0xbf, 0x18, 0x5b, 0x4b, 0x17, 0x66, 0x76, 0x3e, 0x01, 0xc7, 0x73, 0x07, 0xf8, 0x40, 0xd6, 0x93, 0x97, 0xb5, 0x31, 0x25, 0xd1, 0xaa, 0x00, 0xf9, 0x3c, 0x42, 0x93, 0x77, 0x54, 0x11, 0x54, 0x71, 0x2e, 0x09, 0x77, 0xe1, 0x10, 0x58, 0x53, 0xcf, 0xb3, 0xd2, 0xb2, 0x72, 0x60, 0x89, 0x18, 0xad, 0xfc, 0x09, 0xf5, 0xbc, 0x68, 0x01, 0xc2, 0xf9, 0x35, 0xe3, 0x7e, 0xb7, 0x5c, 0xe5, 0x3b, 0x9d, 0x01, 0x8c, 0xd5, 0x6b, 0x91, 0xea, 0x9f, 0x51, 0x29, 0xd6, 
0xcd, 0x2e, 0x67, 0xe8, 0x19, 0x49, 0x27, 0xee, 0x12, 0xfc, 0x2f, 0x46, 0x0e, 0xf9, 0xca, 0x35, 0x54, 0x67, 0x08, 0xb6, 0xed, 0x06, 0x25, 0xff, 0x28, 0x7e, 0xca, 0x4d, 0xbd, 0x8c, 0x76, 0x7d, 0x23, 0x8d, 0xf4, 0xaf, 0x77, 0x6c, 0x46, 0x21, 0x64, 0xf2, 0x5f, 0x7a, 0x51, 0xa5, 0xcd, 0x87, 0xa8, 0xf4, 0x63, 0x81, 0x17, 0xdb, 0x21, 0x34, 0x8e, 0x3d, 0xb1, 0xdb, 0x96, 0x25, 0xff, 0xce, 0xae, 0x7d, 0xb5, 0xb8, 0x01, 0x90, 0xf4, 0x07, 0xcb, 0xfa, 0x50, 0xdb, 0xa8, 0xe3, 0xc9, 0x3f, 0xb4, 0x98, 0x53, 0xfe, 0x43, 0x8f, 0x2c, 0x9d, 0xb9, 0xf3, 0x92, 0x5d, 0x86, 0x3f, 0x8b, 0x82, 0xd0, 0x97, 0x32, 0xbf, 0x23, 0x86, 0xec, 0x3c, 0xf3, 0x56, 0x29, 0xd5, 0x5c, 0xeb, 0x50, 0x39, 0xb8, 0x88, 0x97, 0x70, 0xe3, 0xe0, 0xda, 0x3e, 0x61, 0x03, 0x1f, 0xc4, 0x26, 0x07, 0x6f, 0x00, 0x18, 0x89, 0x29, 0x0f, 0xf4, 0x08, 0xfd, 0x84, 0xba, 0x52, 0xf6, 0xab, 0x4a, 0xdf, 0x50, 0x6d, 0xb0, 0x5e, 0x5c, 0x6f, 0xd8, 0xb6, 0x0a, 0x9a, 0x42, 0x25, 0x75, 0xb2, 0x5e, 0x7c, 0x6a, 0x21, 0xd4, 0x63, 0xf0, 0xc6, 0xa1, 0x02, 0xec, 0x28, 0x1e, 0xcc, 0x73, 0x71, 0x75, 0xd5, 0x0f, 0x4f, 0xe1, 0xe4, 0x11, 0x24, 0x6b, 0x79, 0x7d, 0x12, 0xc7, 0xb3, 0xed, 0xed, 0x93, 0x98, 0x63, 0xff, 0x34, 0x6e, 0xfc, 0x36, 0x43, 0x83, 0x62, 0x9a, 0x64, 0x0a, 0xf3, 0x94, 0xe1, 0xc5, 0x00, 0xca, 0x01, 0x4b, 0xce, 0x3f, 0x48, 0xb7, 0x57, 0x69, 0x87, 0x9a, 0x82, 0xc8, 0xc4, 0xa8, 0xad, 0x2e, 0x68, 0xbf, 0x1e, 0x85, 0xb1, 0x83, 0x4f, 0x1d, 0x39, 0x8a, 0x36, 0x04, 0xdd, 0xdb, 0x06, 0x2f, 0xfa, 0xf6, 0xf7, 0xec, 0x7c, 0x16, 0x22, 0x17, 0x7b, 0x12, 0x28, 0xaa, 0xd8, 0x78, 0xe2, 0xf3, 0x23, 0x83, 0x1b, 0x6c, 0xcc, 0xd6, 0x3d, 0xa0, 0x99, 0x22, 0x3a, 0x85, 0xa8, 0x84, 0xd1, 0xba, 0x26, 0x1d, 0x70, 0x01, 0x34, 0x94, 0x3d, 0x1f, 0x0c, 0xc5, 0x12, 0xd8, 0xcc, 0x55, 0x74, 0xbe, 0xb3, 0xc3, 0x4b, 0xe5, 0x45, 0x3a, 0x46, 0x17, 0x2e, 0x5f, 0x43, 0xe5, 0x0f, 0x29, 0xa6, 0x39, 0x04, 0x5e, 0xea, 0x07, 0x1f, 0x10, 0xbb, 0x77, 0xb1, 0xd2, 0xb7, 0xbf, 0xda, 0x30, 0x3b, 0x7c, 0x14, 0x9e, 0x22, 0xa6, 0x29, 0xbd, 0xf2, 0xb4, 0xbf, 0xcc, 0x13, 0x79, 0xb2, 
0xe7, 0xa0, 0x3c, 0x81, 0x33, 0xe1, 0xb8, 0x40, 0x95, 0x5b, 0xcd, 0x6e, 0x1e, 0xdb, 0x7e, 0x52, 0x77, 0xd1, 0xbc, 0x80, 0x31, 0x40, 0x86, 0x7a, 0xd7, 0xb6, 0x5b, 0x87, 0xe6, 0xe3, 0xc5, 0xbd, 0x30, 0x6b, 0x2e, 0xfa, 0x19, 0x7d, 0x41, 0xf1, 0x73, 0x90, 0xe6, 0x53, 0x58, 0x1a, 0x88, 0x48, 0x9a, 0x83, 0x83, 0x81, 0x25, 0xee, 0xdc, 0xdd, 0x11, 0xcd, 0x22, 0x66, 0x41, 0x84, 0x27, 0x65, 0xc6, 0x75, 0x8f, 0x78, 0x98, 0x36, 0x31, 0x30, 0x1b, 0xb4, 0xbd, 0x4b, 0xc1, 0x23, 0x73, 0x93, 0x00, 0x91, 0x8a, 0xd1, 0x39, 0x98, 0x27, 0x77, 0xc0, 0xfa, 0x21, 0x15, 0x17, 0xb3, 0xd6, 0x89, 0xdb, 0x7c, 0xe2, 0xea, 0x7a, 0x2b, 0xae, 0xa4, 0x1d, 0x24, 0x17, 0xd3, 0xd5, 0x4f, 0xec, 0x3c, 0x9b, 0x06, 0xa1, 0xfd, 0xd6, 0xcd, 0xad, 0x37, 0x95, 0xfa, 0x23, 0x77, 0x54, 0x64, 0x7c, 0x2f, 0x95, 0x02, 0x26, 0x6a, 0x4a, 0xaa, 0xfc, 0xe4, 0xf9, 0x49, 0xca, 0x27, 0xfd, 0xff, 0x10, 0xe2, 0xe1, 0xb4, 0xd9, 0x50, 0xc2, 0xc4, 0x89, 0xd6, 0x5c, 0x44, 0x68, 0xea, 0xd3, 0xbb, 0x4a, 0xd6, 0x33, 0x3e, 0x42, 0xb3, 0x23, 0x69, 0x05, 0x2a, 0x9b, 0x1d, 0xdc, 0x81, 0x1c, 0xa9, 0x8a, 0x47, 0x2f, 0x84, 0x3d, 0x4e, 0x84, 0x72, 0x50, 0xaf, 0x23, 0xf3, 0x63, 0xce, 0x26, 0xb3, 0xd6, 0xff, 0xb7, 0x9d, 0x16, 0x8d, 0x5c, 0x6d, 0xf7, 0x5c, 0x6e, 0x7b, 0x1d, 0x8e, 0x26, 0xc0, 0xfe, 0x8c, 0x2d, 0x8e, 0x5f, 0xc5, 0xa0, 0x90, 0xce, 0xf5, 0xa4, 0x08, 0x06, 0x0a, 0x9f, 0x34, 0xac, 0xda, 0xa0, 0xc7, 0x71, 0x2e, 0x12, 0x98, 0x00, 0x5c, 0x40, 0xdd, 0x1a, 0xe2, 0xc2, 0x59, 0x56, 0xf3, 0x5e, 0xe8, 0x64, 0x6f, 0x0d, 0xa2, 0xd5, 0x21, 0x50, 0x9c, 0x8b, 0x54, 0x88, 0x01, 0xa6, 0xa0, 0x58, 0x55, 0xf9, 0x57, 0xd2, 0x63, 0x13, 0x43, 0x97, 0xc3, 0x8a, 0xc1, 0xc8, 0xa2, 0xcc, 0xce, 0xc7, 0x8e, 0xbf, 0x1f, 0x58, 0x8f, 0x2a, 0x19, 0xbc, 0x6e, 0x07, 0x91, 0x50, 0x23, 0xeb, 0x25, 0xbc, 0x90, 0xcb, 0x88, 0x8a, 0xa2, 0x06, 0x8c, 0xc6, 0x30, 0xc7, 0xcc, 0x04, 0x93, 0xf6, 0xb4, 0x74, 0x52, 0x76, 0x86, 0x79, 0xc5, 0x60, 0x98, 0xdd, 0x29, 0x46, 0x4a, 0x4b, 0x10, 0x1d, 0x35, 0x81, 0xe7, 0x59, 0xe8, 0xa1, 0x90, 0xdd, 0x75, 0x5c, 0x36, 0xb1, 0x51, 0x22, 
0xe2, 0xf7, 0xf8, 0xe8, 0xdb, 0xd9, 0x4a, 0xad, 0x08, 0xd9, 0x35, 0xf8, 0x00, 0xc4, 0x34, 0x39, 0x03, 0xc8, 0x37, 0xc5, 0x60, 0x3d, 0x25, 0x7e, 0x07, 0xbe, 0x25, 0x27, 0xb7, 0x86, 0x3a, 0x3a, 0x8c, 0xb2, 0xc1, 0xd4, 0x4e, 0xa9, 0x68, 0x15, 0x55, 0xb8, 0xbd, 0xba, 0xff, 0x0f, 0xd3, 0x63, 0x63, 0x9e, 0xed, 0x1e, 0x48, 0xab, 0x18, 0xea, 0x7d, 0xad, 0x38, 0xd2, 0xe9, 0x77, 0x1b, 0x4b, 0xdd, 0xd9, 0x78, 0x3c, 0x27, 0x47, 0xfd, 0x02, 0xad, 0xfe, 0x38, 0x45, 0xb5, 0xa0, 0xcc, 0x2a, 0xbd, 0xad, 0x5b, 0x53, 0xfd, 0xa5, 0x50, 0x42, 0x5d, 0x60, 0xe9, 0x51, 0x2c, 0x4a, 0x8d, 0x58, 0xd2, 0x2b, 0x41, 0x95, 0x69, 0x3c, 0xdd, 0xd1, 0xaa, 0x9f, 0xba, 0x41, 0x72, 0x40, 0x27, 0xc1, 0x7e, 0x38, 0xee, 0x51, 0xc2, 0x06, 0x61, 0x14, 0x3a, 0xc4, 0xbc, 0x4c, 0x58, 0x23, 0x42, 0xc0, 0x6e, 0x70, 0x2e, 0x36, 0x2f, 0x8e, 0xd5, 0x3e, 0x9b, 0x57, 0x7f, 0x7d, 0xd7, 0x1d, 0x6d, 0x56, 0x1b, 0x52, 0xe2, 0x5b, 0xf8, 0x99, 0xce, 0xae, 0xd8, 0x51, 0xfb, 0xa0, 0xb8, 0xa1, 0xe7, 0x03, 0x45, 0x0f, 0xcf, 0xea, 0xe8, 0x8a, 0x15, 0xac, 0x59, 0xc3, 0x91, 0x49, 0x7c, 0x83, 0xb0, 0x13, 0x43, 0x51, 0x49, 0x2c, 0xe4, 0x33, 0x0b, 0x84, 0xe8, 0x5b, 0x9e, 0x82, 0x95, 0x49, 0x1b, 0x76, 0x0b, 0x87, 0x56, 0x36, 0xbb, 0x2e, 0xdc, 0xe0, 0x13, 0xf1, 0xe1, 0x91, 0x11, 0x40, 0x46, 0xa3, 0x8e, 0x6b, 0x0b, 0xc2, 0x19, 0xe0, 0x2b, 0x32, 0x7c, 0x81, 0x22, 0x12, 0xe9, 0xe0, 0x58, 0x05, 0x08, 0x56, 0x46, 0x83, 0xd8, 0xb9, 0x9b, 0x3f, 0xbe, 0xc6, 0x3b, 0x43, 0x6f, 0x57, 0x17, 0x8e, 0xde, 0x21, 0x25, 0x9e, 0x2c, 0xd3, 0x10, 0xc2, 0x9b, 0x47, 0xaf, 0xb4, 0xd3, 0xdd, 0x05, 0xd8, 0x0c, 0xf2, 0x69, 0x9a, 0x33, 0xb1, 0xfd, 0x1e, 0xeb, 0x3f, 0x4c, 0x5b, 0xcd, 0x22, 0x38, 0xb5, 0x80, 0xc0, 0x88, 0xdd, 0x9a, 0xb5, 0xf6, 0xb5, 0x63, 0x13, 0x45, 0x70, 0xf4, 0xd8, 0x39, 0x59, 0x5e, 0xbe, 0x02, 0x0d, 0xb6, 0xc7, 0x43, 0x43, 0x4f, 0x49, 0xf1, 0xa6, 0x3c, 0xdd, 0x5f, 0xc1, 0xf9, 0x35, 0x2d, 0xa1, 0x97, 0xc7, 0x3f, 0xb6, 0xcd, 0x2f, 0x62, 0x45, 0x1f, 0xe0, 0x6d, 0x65, 0x5e, 0xfe, 0x8b, 0xf9, 0xb8, 0xe1, 0xce, 0xf7, 0xcb, 0xde, 0xd2, 0x55, 0x72, 
0xa8, 0x26, 0xf2, 0x11, 0x2f, 0x75, 0xfa, 0x8c, 0x23, 0x60, 0xfd, 0x6f, 0x0e, 0xfd, 0xb3, 0xad, 0x88, 0x47, 0xb7, 0x6c, 0x49, 0xe7, 0x6b, 0x76, 0x4f, 0xfb, 0xf2, 0x5b, 0x94, 0x0f, 0xb4, 0x65, 0x70, 0x84, 0x99, 0xa2, 0x0e, 0x8f, 0xbe, 0x38, 0x09, 0x01, 0x9b, 0x9d, 0x1c, 0xd7, 0xbd, 0xcb, 0x74, 0x5f, 0xfb, 0x11, 0x9b, 0xf4, 0x62, 0x8a, 0xd6, 0xbf, 0xef, 0x94, 0x72, 0x86, 0x27, 0xcd, 0x2e, 0x36, 0x03, 0xfb, 0xdd, 0x32, 0xf4, 0x56, 0xc5, 0xd5, 0x4a, 0x68, 0x48, 0xc5, 0x28, 0x72, 0x61, 0x18, 0x10, 0xf3, 0x00, 0xa8, 0x1c, 0x45, 0xef, 0x6d, 0x07, 0xab, 0xde, 0x80, 0x4a, 0xca, 0xa3, 0xfc, 0x5a, 0x92, 0xe0, 0x78, 0x88, 0xc6, 0x4e, 0x36, 0xee, 0x4e, 0x28, 0x05, 0xb2, 0xf7, 0xf2, 0xac, 0xb8, 0x58, 0xf3, 0x99, 0x9d, 0x23, 0x8d, 0x41, 0x65, 0x9f, 0xeb, 0x76, 0xc0, 0x2e, 0xc6, 0x66, 0x52, 0x0e, 0x06, 0x6a, 0x38, 0x63, 0xda, 0x2f, 0x71, 0x1b, 0xe7, 0x73, 0x96, 0x8b, 0x91, 0x33, 0x4b, 0x7c, 0x46, 0xa0, 0x9d, 0x9d, 0x3c, 0xa0, 0x20, 0x66, 0x03, 0x2b, 0x1c, 0x14, 0xed, 0x53, 0x67, 0x20, 0xf7, 0xfe, 0xb5, 0xa0, 0x3b, 0x59, 0xee, 0x90, 0x02, 0xfb, 0x9a, 0x05, 0x47, 0xdc, 0xc6, 0x98, 0xea, 0xca, 0xd7, 0x09, 0x69, 0x70, 0x59, 0xb4, 0x68, 0x3c, 0xc2, 0xb6, 0x5f, 0x63, 0xea, 0x62, 0x6f, 0x6b, 0xac, 0x22, 0xad, 0xb8, 0x2b, 0x36, 0x3b, 0x2b, 0xb7, 0xb8, 0x75, 0xcb, 0xcd, 0xd5, 0x3b, 0x79, 0xc7, 0x19, 0x4b, 0xf1, 0xa9, 0xb1, 0xd5, 0xc4, 0x59, 0x57, 0xad, 0x5a, 0xa8, 0x28, 0x8e, 0xd7, 0x1e, 0x92, 0x6c, 0x01, 0x85, 0x13, 0x51, 0x62, 0x81, 0x65, 0xea, 0x84, 0x57, 0x6f, 0x97, 0xb6, 0x0a, 0x37, 0xe0, 0x1d, 0x1e, 0x80, 0x04, 0x34, 0xc7, 0x7d, 0xba, 0x74, 0x40, 0xd4, 0x6a, 0x72, 0xc2, 0xa1, 0x96, 0x3a, 0xf8, 0x5a, 0x9d, 0xa0, 0x50, 0xc3, 0x27, 0xf9, 0x96, 0x7f, 0x88, 0x41, 0x13, 0xe7, 0xab, 0xac, 0x7e, 0x77, 0xe2, 0x94, 0x67, 0x41, 0x11, 0x0d, 0xfb, 0xf2, 0x73, 0xda, 0x18, 0x2f, 0x1c, 0xd5, 0x6b, 0xec, 0xde, 0x96, 0x4b, 0x83, 0x1a, 0xd6, 0xf3, 0x10, 0x9a, 0x4b, 0x8e, 0xbb, 0x2e, 0x74, 0x6d, 0x97, 0x0a, 0xce, 0xc8, 0xc4, 0xfa, 0x4a, 0xac, 0xb4, 0x6e, 0xde, 0xac, 0x58, 0xd2, 0xe1, 0x62, 0x38, 0x99, 
0xab, 0x92, 0xae, 0xbd, 0x84, 0x52, 0x7d, 0x38, 0xfe, 0xaa, 0x6e, 0x14, 0x04, 0xa3, 0xb1, 0x72, 0xcb, 0x55, 0x97, 0x91, 0xf8, 0x31, 0x7e, 0xa9, 0x75, 0x13, 0xc0, 0xf9, 0xe2, 0x22, 0x63, 0x8f, 0xd2, 0x68, 0x3a, 0x97, 0xd7, 0x9e, 0x5b, 0xb9, 0xde, 0xb8, 0x94, 0xa8, 0xaa, 0x34, 0x25, 0xf2, 0xc6, 0xc6, 0x81, 0xee, 0xc8, 0x39, 0x40, 0x2b, 0x74, 0xe5, 0x52, 0x2a, 0xb9, 0x21, 0x92, 0xe8, 0x64, 0x4e, 0x24, 0x90, 0xda, 0xd7, 0xdb, 0x67, 0x63, 0xa4, 0x8e, 0x03, 0x95, 0xd7, 0x2c, 0x87, 0x95, 0x50, 0x97, 0x8e, 0x27, 0xcc, 0x3b, 0xc7, 0x6b, 0x8e, 0x96, 0x69, 0x49, 0x07, 0x1c, 0xd1, 0x6a, 0x8e, 0x2a, 0x61, 0x26, 0xa0]
# Seed pair of the additive sequence that what() extends in place.
# NOTE: the name shadows the builtin `list`; it is kept because what() reads it.
list = [1, 1]

def what(a1):
    """Append the next term of the additive sequence to the global `list`.

    The new term is the sum of the last two stored terms; it is appended to
    the module-level `list` and returned. `a1` is accepted but never read.
    """
    nxt = list[-2] + list[-1]
    list.append(nxt)
    return nxt


def calc_key(x, y):
    """Find the index whose sequence term matches `x` and derive the key.

    Calls what() for i = 3, 4, ... and stops at the first i whose term,
    masked to 32 bits, equals `x`. The search gives up after i = 9999998,
    in which case i is left at 9999999. Prints and returns i * y + 1.
    """
    idx = 3
    while idx <= 9999998:
        # Only the low 32 bits of the (unbounded) Python integer are compared.
        if (what(idx) & 0xffffffff) == x:
            break
        idx += 1
    key = idx * y + 1
    print('key: %d' % key)
    return key

def decrypt_flag(a1, a2, a3):
    """Rebuild the flag text from `junk_data` and the three state words.

    Starting from the literal prefix "FLAG", one character is produced per
    iteration until `a2` becomes zero: the table entry at `a1 & 0xfff` is
    XORed with `a2` and reduced to 7 bits. The state is then advanced
    (`a1` multiplied by 77777, `a2` mixed with `a3`, `a3` shifted right).
    """
    pieces = ["FLAG"]
    while a2:
        pieces.append(chr((junk_data[a1 & 0xfff] ^ a2) & 0x7f))
        a1 *= 77777
        a2 = a3 ^ (a2 >> 1)
        a3 >>= 1
    return "".join(pieces)

# Alternative input pair kept from the original listing:
#   x = 2136772529
#   y = 1234567890
x = 4284256177
y = 1234567890
# The derived key is truncated to 32 bits before it is used as the third word.
key = 0xffffffff & calc_key(x, y)
print(decrypt_flag(x, y, key))

unpackme

  • 这题从题目可以知道是加了壳的

  • 这里我们用ESP定律来脱壳,具体操作可以看《菜鸟教你用esp定律手脱UPX壳》。脱完壳后会提示IAT仍然无效,程序也运行不了,这里不管它,拖进ida直接静态分析

  • 程序真正入口

  • 反汇编后定位到关键代码,程序主要对我们的输入String先产生一个hash然后去跟v8比较,然后再产生我们的flag,所以我们的关键是找到我们输入的String是什么,将v8提取出来是32位的hash,找了个网站爆破出来了

  • 所以只要我们输入’how do you turn this on’就可获得flag,但这里EnableWindow函数的第二个参数设置为0了,导致我们check Password 按钮不能点,我们在od运行的时候将这里提前patch为1再运行即可

mov

  • 这道题ida一打开很吓人,全是mov指令,一查才知道这是用了movfuscator混淆机制,但是无意间发现程序只会对输入长度内的字符进行校验:如果输入的刚好是flag的前x位,就会返回Good flag,否则返回bad flag。也就是说校验结果会泄露"前缀是否正确",每一位最多只需要试一遍可打印字符,总尝试次数随flag长度线性增长

  • 那么直接写个脚本爆破即可

exp:

import subprocess
import string


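def baopo():
    """Start a fresh ./mov process with piped stdin and stdout."""
    # The command is a fixed path, so an argv list is enough and no shell is needed.
    return subprocess.Popen(['./mov'], stdin=subprocess.PIPE, stdout=subprocess.PIPE)


# The write-up observes that ./mov only checks as many characters as it is
# given, so a correct prefix is answered with "Good"; the flag is therefore
# recovered one character at a time. Written for Python 2 (str pipes).
flag = "F"

while flag[-1] != '}':
    for i in string.printable:
        p = baopo()
        # communicate() sends the guess, closes stdin, drains stdout and reaps
        # the child, so no process or pipe is left behind per attempt.
        out, _ = p.communicate(flag + i)
        if 'Good' in out:
            flag += i
            break
    else:
        # No candidate extended the prefix: stop instead of looping forever.
        raise SystemExit('no printable character extends %r' % flag)

print(flag)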

a-maze

  • 首先tar -Jxvf maze.txz解压文件,然后程序主要就是会读取map文件的十六进制保存在堆里,然后对我们的输入进行逐位校验,最终当v2 = -1时我们的输入才算正确

  • 这里我们根据最后v2 = -1的条件,以及下面的这个校验得出v2是个整数
// Transition step: the next state is the 32-bit entry read at
// qword_601088 + v2 * 512 (written as v2 << 9) + 4 * (current input byte & 0x7F).
// LODWORD is the decompiler's notation for the low 32 bits of v2.
LODWORD(v2) = *(_DWORD *)(qword_601088 + (v2 << 9) + 4LL * (*a1 & 0x7F))

然后根据以上条件写个递归算法来从后面往前爆破flag

#coding: utf-8
import string

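# Load the transition table: ./map is parsed as consecutive little-endian
# 32-bit words (Python 2: str.encode('hex') yields two hex digits per byte).
with open('./map', 'rb') as f:  # context manager so the handle is always closed
    content = f.read().encode('hex')

# NOTE: `list` shadows the builtin; the name is kept because baopo() reads it.
list = []
for i in range(0, len(content), 8):
    a = content[i:i+2]
    b = content[i+2:i+4]
    c = content[i+4:i+6]
    d = content[i+6:i+8]
    # File order is a, b, c, d; reversing the byte order gives the word's value.
    list.append(int('0x' + d + c + b + a, 16))

# Recovered input, built back to front by baopo().
flag = ""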

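def baopo(v2):
    """Search backwards through the transition table from state `v2`.

    For every printable character i and every table word j whose value equals
    the current state, the predecessor state is (j*4 - 4*i) / 512 when that
    division is exact. The character is prepended to the global `flag`, the
    partial result is printed, and the search recurses into the predecessor.
    Reaching state 0 ends the program with exit(0).

    Unlike a version that overwrites `v2` and `flag` in place, a branch that
    returns without reaching state 0 is undone here, so the remaining
    candidates are still tested against the original state and prefix.
    """
    global flag
    if v2 == 0:
        exit(0)
    for i in range(0x20, 0x7f):
        for j, word in enumerate(list):
            # j indexes 4-byte words, so j * 4 is the byte offset of the entry.
            if word == v2 and (j * 4 - 4 * i) % 512 == 0:
                saved = flag
                flag = chr(i) + flag
                print(flag)
                baopo((j * 4 - 4 * i) // 512)
                # Dead end: drop the character added for this branch.
                flag = saved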



# Start from the accepting state: v2 == -1, i.e. 0xFFFFFFFF as an unsigned 32-bit value.
baopo(0xFFFFFFFF)

esrever-mv

  • 这题用的非预期,简单粗暴的方法做的(如果有会逆向vm的师傅求份wp),无意间发现程序是一比特一比特的读取输入,只有当前一位正确的时候才会读取下一位,而且程序无缓冲读取

  • 于是我们可以根据这个来爆破flag,当前一位输入不正确时缓冲区还剩下./esrever-mv+’\n’的时候shell就会继续执行,而前一位输入正确时程序就是读取掉’.’,然后缓冲区就剩下/esrever-mv+’\n’就会出现没有这个文件,然后加上一个穷举所有可能的脚本再手动爆破….大概花了2个小时爆破,爆破的时候可以猜测出题人的flag语句,中间还挺快的,但是最后就是随机的字符所以花了比较多的时间….

exp:

import string

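# Candidate alphabet for the next flag character (renamed so the builtin
# `list` is no longer shadowed).
charset = string.digits + string.ascii_letters + '{}_ '

# One line per candidate: the guess after 'FLAG{', then './esrever-mv' and a
# newline. The context manager closes the file so every line is flushed.
with open('11', 'w') as f:
    for i in charset:
        f.write('FLAG{' + i + './esrever-mv' + '\n')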

#RkxBR3tGMXI1dF90MW0zX3QwX3IzdjNyNTNfYV9WTV8xc19GdU5fX2paSllKZDN5WTVoRE1sN3F9\n
  • 手动爆破过程(手很累…)

  • 花了半天时间想能读取bash缓冲区的方法都没找到,最后只能手动了,如果有师傅会写脚本的话欢迎指导

termvis

  • 这题一开始挺懵逼的,然后gdb里面调了一下,发现函数类似于用brainf**k的原理来执行checkflag.png

  • 然后调试到 0x40671E 这个地址处会发现程序会将即将打印出来的字符保存在ecx寄存器中

  • 所以我们猜想这里是对读取字符进行下一步操作的地方,于是我们运行到输入时直接回车后多运行几次就会发现flag在ecx寄存器,然后用c 11指令就会一直显示flag的每一位,然后自己手动拼接flag即可

rc87cipher

  • 这题一开始拿到还是比较棘手的,首先ida打开程序是加了壳的,而且upx -d脱不了壳,看了charlie师傅的文章才知道是魔改了upx壳,而且是linux下的upx,这样我们就不能用ESP定律去脱壳,这里参考使用radare2脱linux的upx壳,所以我们第一步先脱upx壳,视频里面的脱壳脚本会报错,这里用charlie师傅写的radare2脚本来找OEP
# For statically linked programs
9dcs
ds
# For dynamically linked programs
# NOTE(review): `15dsc` is spelled differently from `9dcs` above; confirm against the referenced script
15dsc
ds
#unpack upx
# Start rc87 under the radare2 debugger with the arguments: enc 333 123 321
r2 -d rc87 enc 333 123 321
# Run the commands stored in dupx.r2 (presumably the OEP-finding script the write-up refers to)
. dupx.r2
# Seek to 0x400000 and load the elf64 format definitions
s 0x400000;pfo elf64
# Print the program header found 0x40 bytes after the current seek
pf.elf_phdr @ $$+0x40
# Print the program header table from the same offset (presumably 9 elf_phdr entries)
pf 9? (elf_phdr)phdr @ $$+0x40!
# Write 0x6ca048 bytes starting at 0x400000 to the file load1
wt load1 0x6ca048 @ 0x400000
  • 找OEP

  • dump elf,可以看到我们把elf dump出来了,虽然运行不了但是并不影响我们ida分析

  • 程序由于是无符号静态编译的,为了更容易看可以使用Rizzo插件添加符号文件来识别一些库函数,下面是我添加了符号文件然后自己识别了一下函数的ida反编译情况

  • 加密函数

  • sbox_init函数

  • 经过处理后很容易分析程序的加密流程,首先先随机取8字节的IV然后写入到加密文件中,再用IV对sbox进行初始化操作,然后每次读取被加密文件的1字节和密码的1字节进行一系列操作之后写入到加密文件中,根据这个写了个模拟函数加密的py程序
#coding: utf-8


def sbox_init(sbox_seed):
    """Build the 256-entry S-box and shuffle it with the first 8 seed characters.

    Starts from the identity table 0..255. For each of the 8 seed positions,
    36 rounds are run; every round advances two byte-wide indices (one seeded
    by the position, one by the character code) and swaps the two entries
    they select. Raises IndexError if the seed has fewer than 8 characters.
    """
    sbox = [n for n in range(256)]

    for pos in range(8):
        idx_b = ord(sbox_seed[pos])
        idx_a = pos

        for _ in range(36):
            idx_a = (13 * ~idx_a) & 0xff
            idx_b = (17 * ~idx_b) & 0xff
            sbox[idx_a], sbox[idx_b] = sbox[idx_b], sbox[idx_a]

    return sbox


def rc87_enc(date, passwd, sbox):
    """Model the cipher over the whole input and print each output byte.

    For every input position the password character at `i % len(passwd)`
    drives 36 swap rounds on `sbox` (which is modified in place), the whole
    S-box is then folded into a 32-bit value starting from 0xdeadbeef, and
    the output byte is (17 * input byte) XOR that value, reduced to 8 bits.
    Nothing is returned; each byte is printed in hex.
    """
    for pos in range(len(date)):
        data_byte = ord(date[pos])
        idx_b = ord(passwd[pos % len(passwd)])  # password byte
        idx_a = pos % len(passwd)

        for _ in range(36):
            idx_a = (13 * ~idx_a) & 0xff
            idx_b = (17 * ~idx_b) & 0xff
            sbox[idx_a], sbox[idx_b] = sbox[idx_b], sbox[idx_a]

        # Fold all 256 entries into a 32-bit mixing value.
        mix = 0xdeadbeef
        for k in range(256):
            mix = ((0xc8763 * (sbox[k] & 0xff)) ^ (0x5a77 * mix)) & 0xffffffff

        output_byte = ((17 * data_byte) ^ mix) & 0xff
        print('output_byte: %x' % output_byte)
        # return output_byte


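def get_IV_cipher(encrypted_file):
    """Split an encrypted file into its IV and ciphertext.

    The file is read in binary mode; the first 8 bytes are returned as the
    IV and the remainder as the ciphertext. A file shorter than 8 bytes
    yields a short IV and an empty ciphertext.
    """
    # The context manager closes the handle even if read() raises.
    with open(encrypted_file, 'rb') as f:
        tmp = f.read()
    return tmp[:8], tmp[8:]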

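def get_plain(input_file):
    """Return the full contents of `input_file`, read in binary mode."""
    # The context manager closes the handle even if read() raises.
    with open(input_file, 'rb') as f:
        return f.read()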

if __name__ == '__main__':
    # './321' is read as the encrypted file (IV + ciphertext) and './123' as
    # the plaintext input.
    IV, cipher = get_IV_cipher('./321')
    plain = get_plain('./123')
    # Debug aids kept from the original listing (Python 2):
    #   print IV.encode('hex'), cipher.encode('hex')
    #   print plain.encode('hex')
    sbox = sbox_init(IV)
    # '1234' is your password; the printed bytes can be compared with `cipher`.
    rc87_enc(plain, '1234', sbox)
  • 经过检验,程序是正确的,于是根据这个利用暴力DFS算法写个来爆破密码(想了一晚上才理解了这个算法…太菜了),而且在写的时候被python的list是可变变量搞了半天,而密码就是flag

exp:

#coding: utf-8


def sbox_init(sbox_seed):
    """Return the identity S-box 0..255 after shuffling it with an 8-character seed.

    Each of the 8 seed positions contributes 36 swap rounds. In a round, the
    position-derived index is updated as 13 * ~v and the character-derived
    index as 17 * ~v (both kept to 8 bits), and the two selected entries are
    exchanged. Raises IndexError if the seed has fewer than 8 characters.
    """
    table = [value for value in range(256)]

    for seed_pos in range(8):
        char_idx = ord(sbox_seed[seed_pos])
        pos_idx = seed_pos

        rounds_left = 36
        while rounds_left:
            pos_idx = (13 * ~pos_idx) & 0xff
            char_idx = (17 * ~char_idx) & 0xff
            table[pos_idx], table[char_idx] = table[char_idx], table[pos_idx]
            rounds_left -= 1

    return table


def rc87_enc(date, passwd, sbox, i):
    """Model the cipher for the single input position `i`.

    `passwd` is one password character. It drives 36 swap rounds on `sbox`
    (modified in place), the S-box is then folded into a 32-bit value starting
    from 0xdeadbeef, and the output byte is (17 * input byte) XOR that value,
    reduced to 8 bits. Returns the output byte together with the same `sbox`
    object so the caller can carry the state forward.
    """
    data_byte = ord(date[i])
    idx_b = ord(passwd)  # password byte
    idx_a = i

    for _ in range(36):
        idx_a = (13 * ~idx_a) & 0xff
        idx_b = (17 * ~idx_b) & 0xff
        sbox[idx_a], sbox[idx_b] = sbox[idx_b], sbox[idx_a]

    # Fold all 256 entries into a 32-bit mixing value.
    mix = 0xdeadbeef
    for k in range(256):
        mix = ((0xc8763 * (sbox[k] & 0xff)) ^ (0x5a77 * mix)) & 0xffffffff

    output_byte = ((17 * data_byte) ^ mix) & 0xff
    # print 'output_byte: %x' % output_byte
    return output_byte, sbox


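def get_IV_cipher(encrypted_file):
    """Read an encrypted file and return (IV, ciphertext).

    The IV is the first 8 bytes of the file and the ciphertext is everything
    after it. A file shorter than 8 bytes yields a short IV and an empty
    ciphertext.
    """
    # The context manager closes the handle even if read() raises.
    with open(encrypted_file, 'rb') as f:
        tmp = f.read()
    IV, cipher = tmp[:8], tmp[8:]
    return IV, cipher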

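def get_plain(input_file):
    """Return the full contents of `input_file`, read in binary mode."""
    # The context manager closes the handle even if read() raises.
    with open(input_file, 'rb') as f:
        plain = f.read()
    return plain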


def dfs(plain, passwd, sbox, cipher):
    """Depth-first search for the password that maps `plain` to `cipher`.

    `passwd` is the prefix found so far and `sbox` the cipher state after it.
    Every printable character is tried at the next position on a copy of the
    S-box; a candidate is kept only if the modelled output byte equals the
    ciphertext byte at that position. The search stops at 40 characters and
    accepts a candidate only if its 40th character is '}'. Returns the
    concatenation of all accepted passwords, or '' if there is none.
    """
    depth = len(passwd)
    if depth >= 40:
        return passwd if passwd[39] == '}' else ''

    found = []
    for code in range(0x20, 0x7f):
        candidate = chr(code)
        # rc87_enc mutates the S-box it is given, so each try gets its own copy.
        out_byte, next_sbox = rc87_enc(plain, candidate, sbox[:], depth)
        if out_byte != ord(cipher[depth]):
            continue
        found.append(dfs(plain, passwd + candidate, next_sbox, cipher))

    return "".join(found)

if __name__ == '__main__':
    # './rc87.enc' is read as the encrypted file (8-byte IV + ciphertext) and
    # './rc87' as the matching plaintext.
    IV, cipher = get_IV_cipher('./rc87.enc')
    plain = get_plain('./rc87')
    # Debug aids kept from the original listing (Python 2):
    #   print IV.encode('hex'), cipher.encode('hex')
    #   print plain.encode('hex')
    #   print sbox
    sbox = sbox_init(IV)

    # Search from the empty prefix; the result is printed.
    print(dfs(plain, '', sbox, cipher))
  • 这道题的所有文件放在GitHub上了,有需要的可以下来在ida更直观的分析程序流程

参考文章: