2024鹏程杯 re wp
Rafflesia
DIE看题,32位,无壳,main函数有花,先去花:
.text:004121C0 ; int __cdecl main_0(int argc, const char **argv, const char **envp)
.text:004121C0 _main_0: ; CODE XREF: _main↑j
.text:004121C0 push ebp
.text:004121C1 mov ebp, esp
.text:004121C3 sub esp, 270h
.text:004121C9 push ebx
.text:004121CA push esi
.text:004121CB push edi
.text:004121CC lea edi, [ebp-1B0h]
.text:004121D2 mov ecx, 6Ch ; 'l'
.text:004121D7 mov eax, 0CCCCCCCCh
.text:004121DC rep stosd
.text:004121DE mov eax, ___security_cookie
.text:004121E3 xor eax, ebp
.text:004121E5 mov [ebp-4], eax
.text:004121E8 jz short near ptr loc_4121EC+1
.text:004121EA jnz short near ptr loc_4121EC+1
.text:004121EC
.text:004121EC loc_4121EC: ; CODE XREF: .text:004121E8↑j
.text:004121EC ; .text:004121EA↑j
.text:004121EC mov eax, ebp
.text:004121EC ; ---------------------------------------------------------------------------
.text:004121EE dw 0
.text:004121F0 dd 4800000h, 89C30624h, 0EB9h
.text:004121FC db 0, 0BEh
.text:004121FE dd offset aHJhwpshJhMTbbk ; "H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~z"...
.text:00412202 ; ---------------------------------------------------------------------------
.text:00412202 lea edi, [ebp-44h]
.text:00412205 rep movsd
.text:00412207 movsb
.text:00412208 lea eax, [ebp-0CCh]
.text:0041220E push eax
.text:0041220F lea ecx, [ebp-44h]
.text:00412212 push ecx
.text:00412213 call sub_411352
.text:00412218 add esp, 8
.text:0041221B mov [ebp-160h], eax
.text:00412221 mov eax, [ebp-160h]
.text:00412227 mov [ebp-26Ch], eax
.text:0041222D cmp dword ptr [ebp-26Ch], 80h
.text:00412237 jnb short loc_41223B
.text:00412239 jmp short loc_412240main函数:
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
int v3; // ecx
int v4; // edi
size_t v5; // eax
char Str[52]; // [esp+E8h] [ebp-194h] BYREF
unsigned int v8; // [esp+11Ch] [ebp-160h]
char Buf2[136]; // [esp+128h] [ebp-154h] BYREF
char v10[136]; // [esp+1B0h] [ebp-CCh] BYREF
char Buf1[64]; // [esp+238h] [ebp-44h] BYREF
*(_DWORD *)(v3 + 14) = v4;
qmemcpy(Buf1, "H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~zaB^H+Lwv{SS|-j@\\_[Y", 4 * v3 + 1);
v8 = sub_411352(Buf1, v10);
if ( v8 >= 0x80 )
j____report_rangecheckfailure();
v10[v8] = 0;
sub_4110E6("input flag:");
sub_4113FC("%s42", Str);
j_strlen(Str);
v5 = j_strlen(Str);
sub_4111E0(Str, Buf2, v5);
if ( !j_memcmp(Buf1, Buf2, 0x38u) )
sub_4110E6("win!!!!!!!!!!!!!!!!!!\n");
else
sub_4110E6("nonono\n");
system("pause");
return 0;
}大概逻辑就只有一个变表的base64+异或0x18,表在回调函数里面改了,给回调函数去花后下断点去反调后直接得表,最后base64函数后面异或了一个0x18:
int __stdcall TlsCallback_0_0(int a1, int a2, int a3)
{
int result; // eax
char v4; // [esp+D3h] [ebp-29h]
int v5; // [esp+DCh] [ebp-20h]
int v6; // [esp+E8h] [ebp-14h]
int v7; // [esp+F4h] [ebp-8h]
while ( v7 < v6 )
{
v5 = ((v7 >> 2) + 5 * v7) % v6;
if ( v7 != v5 )
{
v4 = byte_41B000[v7];
byte_41B000[v7] = byte_41B000[v5];
byte_41B000[v5] = v4;
}
++v7;
}
if ( IsDebuggerPresent() )
{
MessageBoxW(0, &Text, &Caption, 0x11u);
exit(1);
}
result = sub_411276();
if ( result )
{
MessageBoxW(0, &Text, &Caption, 0x11u);
exit(1);
}
return result;
}table = “HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0”
exp:
'''
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0
'''
data = 'H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~zaB^H+Lwv{SS|-j@\\_[Y'
a = ''
for i in range(len(data)):
a += "".join(chr(ord(data[i]) ^ 0x18))
print(a)
#a = "PXFrPohkP1CrPcU7DlZZSGd5WcO6qRB/D1dfbyZFP3ToncKKd5rXDGCA"
得到加密数据,知道表知道数据直接用CyberChef解出flag:
flag{8edae458-4tf3-2ph2-9f26-1f8719ec8f8d}chall_py
下载下来是一个py文件,打开是经过base64加密的数据流,试着直接接一下base64发现又出现了base加密的数据,试了几次,发现这个题应该是要解多重base套娃,先解base:
from base64 import *
data = b''
with open ('./chall.py','rb') as file:
data = file.read()
def extract_multiline_string(data):
start = b'"""'
end = b'"""'
start_idx = data.find(start)
end_idx = data.find(end, start_idx + len(start))
if start_idx != -1 and end_idx != -1:
return data[start_idx + len(start):end_idx].strip()
else:
return None
decode_more = True
while decode_more:
code = extract_multiline_string(data)
if code is None:
break
if b'b32decode' in data:
data = b32decode(code)
elif b'b64decode' in data:
data = b64decode(code)
elif b'b85decode' in data:
data = b85decode(code)
elif b'a85decode' in data:
data = a85decode(code)
else:
decode_more = False
with open('./last.txt','wb') as file2:
file2.write(data)接出来是这个python代码:
a=True
d=len
G=list
g=range
s=next
R=bytes
o=input
Y=print
def l(S):
i=0
j=0
while a:
i=(i+1)%256
j=(j+S[i])%256
S[i],S[j]=S[j],S[i]
K=S[(S[i]+S[j])%256]
yield K
def N(key,O):
I=d(key)
S=G(g(256))
j=0
for i in g(256):
j=(j+S[i]+key[i%I])%256
S[i],S[j]=S[j],S[i]
z=l(S)
n=[]
for k in O:
n.append(k^s(z)+2)
return R(n)
def E(s,parts_num):
Q=d(s.decode())
S=Q//parts_num
u=Q%parts_num
W=[]
j=0
for i in g(parts_num):
T=j+S
if u>0:
T+=1
u-=1
W.append(s[j:T])
j=T
return W
if __name__=='__main__':
L=o('input the flag: >>> ').encode()
assert d(L)%2==0,'flag length should be even'
t=b'v3ry_s3cr3t_p@ssw0rd'
O=E(L,2)
U=[]
for i in O:
U.append(N(t,i).hex())
if U==['1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60',2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a']:
Y('Congratulations! You got the flag!')
else:
Y('Wrong flag!')
因为加密逻辑直接给我们了,直接改代码,让他自己把加密的解出来:
# from base64 import *
# data = b''
# with open ('./chall.py','rb') as file:
# data = file.read()
# def extract_multiline_string(data):
# start = b'"""'
# end = b'"""'
# start_idx = data.find(start)
# end_idx = data.find(end, start_idx + len(start))
# if start_idx != -1 and end_idx != -1:
# return data[start_idx + len(start):end_idx].strip()
# else:
# return None
# decode_more = True
# while decode_more:
# code = extract_multiline_string(data)
# if code is None:
# break
# if b'b32decode' in data:
# data = b32decode(code)
# elif b'b64decode' in data:
# data = b64decode(code)
# elif b'b85decode' in data:
# data = b85decode(code)
# elif b'a85decode' in data:
# data = a85decode(code)
# else:
# decode_more = False
# with open('./last.txt','wb') as file2:
# file2.write(data)
a=True
d=len
G=list
g=range
s=next
R=bytes
o=input
Y=print
def l(S):
i=0
j=0
while a:
i=(i+1)%256
j=(j+S[i])%256
S[i],S[j]=S[j],S[i]
K=S[(S[i]+S[j])%256]
yield K
def N(key,O):
I=d(key)
S=G(g(256))
j=0
for i in g(256):
j=(j+S[i]+key[i%I])%256
S[i],S[j]=S[j],S[i]
z=l(S)
n=[]
for k in O:
n.append(k^s(z)+2)
return R(n)
def E(s,parts_num):
Q=d(s.decode())
S=Q//parts_num
u=Q%parts_num
W=[]
j=0
for i in g(parts_num):
T=j+S
if u>0:
T+=1
u-=1
W.append(s[j:T])
j=T
return W
if __name__=='__main__':
L=o('input the flag: >>> ').encode()
assert d(L)%2==0,'flag length should be even'
t=b'v3ry_s3cr3t_p@ssw0rd'
O=E(L,2)
O = [bytes.fromhex('1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60'),bytes.fromhex('2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a')]
U=[]
for i in O:
U.append(N(t,i).hex())
print(U)
if U==['1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60','2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a']:
Y('Congratulations! You got the flag!')
else:
Y('Wrong flag!')
结果:
['666c61677b7468456e5f495f4361355f42455f596f55525f4f6e6c375f45786543557469366e', '5f536f5f5573655f6d335f74305f52306e5f744831375f45783343757469306e7d']CyberChef直接转一下:
flag{thEn_I_Ca5_BE_YoUR_Onl7_ExeCUti6n_So_Use_m3_t0_R0n_tH17_Ex3Cuti0n}joyVBS
下载下来一看,是一个VBS脚本语言的题,因为后面执行很多指令可以通过修改“执行”->"打印",和上面这个题类似,不过代码有电长,写入一个文件里面好看一点:
Dim f, o
Set f = CreateObject("Scripting.FileSystemObject")
Set o = f.CreateTextFile("code.txt", True)
o.Write(chr( 1646-1569 ) & chr( 846170/7358 ) & chr( 569487/5529 ) & chr( 571824/8664 ) & chr( 8409-8298 ) & chr( 2893-2773 ) & chr( 7979-7947 ) & chr( 3597-3563 ) & chr( -515+601 ) & chr( 489456/7416 ) & chr( -4892+4975 ) & chr( 4109-4010 ) & chr( -9287+9401 ) & chr( 1007160/9592 ) & chr( 152656/1363 ) & chr( -2648+2764 ) & chr( 419144/9526 ) & chr( 88416/2763 ) & chr( 8380-8269 ) & chr( 24480/240 ) & chr( -4597+4713 ) & chr( 648-547 ) & chr( -8146+8256 ) & chr( -9478+9510 ) & chr( 2699-2602 ) & chr( -1620+1718 ) & chr( -196+294 ) & chr( -1186+1300 ) & chr( -9642+9743 ) & chr( 614544/5208 ) & chr( -4654+4759 ) & chr( 872612/8996 ) & chr( 6703-6587 ) & chr( -5002+5103 ) & chr( 843300/8433 ) & chr( -3604+3636 ) & chr( -2400+2497 ) & chr( -5531+5646 ) & chr( 304160/9505 ) & chr( 766776/8916 ) & chr( 805-739 ) & chr( -6154+6237 ) & chr( -2525+2569 ) & chr( 198112/6191 ) & chr( 365925/3485 ) & chr( -6317+6432 ) & chr( -3595+3627 ) & chr( 9565-9468 ) & chr( -6705+6815 ) & chr( 974-942 ) & chr( 513585/5085 ) & chr( -294+412 ) & chr( 5815-5714 ) & chr( 509850/4635 ) & chr( -641+757 ) & chr( 3390-3345 ) & chr( -8974+9074 ) & chr( 859104/7536 ) & chr( 968-863 ) & chr( 28792/244 ) & chr( -4591+4692 ) & chr( -9716+9826 ) & chr( -6996+7028 ) & chr( 643216/5743 ) & chr( 4386-4272 ) & chr( 6953-6842 ) & chr( 7389-7286 ) & chr( 2247-2133 ) & chr( 8522-8425 ) & chr( 4185-4076 ) & chr( -964+1073 ) & chr( -4253+4358 ) & chr( -1558+1668 ) & chr( 2281-2178 ) & chr( -4204+4236 ) & chr( 542484/5023 ) & chr( -7327+7424 ) & chr( 2064-1954 ) & chr( 414678/4026 ) & chr( 1098045/9385 ) & chr( 292940/3020 ) & chr( 9468-9365 ) & chr( -3997+4098 ) & chr( 392-360 ) & chr( -4594+4694 ) & chr( 53530/530 ) & chr( -9399+9517 ) & chr( 355318/3518 ) & chr( -2478+2586 ) & chr( 746364/6724 ) & chr( -1641+1753 ) & chr( 2190-2089 ) & chr( -5644+5744 ) & chr( -9344+9376 ) & chr( -3584+3682 ) & chr( 2075-1954 ) & chr( 227936/7123 ) & chr( 390775/5075 ) & chr( 4690-4585 ) & chr( 658845/6655 ) & chr( 978348/8582 ) & chr( -451+562 ) & chr( -5036+5151 ) & chr( -2277+2388 ) & chr( 5990-5888 ) & chr( 897492/7737 ) & chr( 2520-2476 ) & chr( 96160/3005 ) & chr( -3603+3715 ) & chr( 986898/8657 ) & chr( 531195/5059 ) & chr( -4906+5015 ) & chr( -544+641 ) & chr( -419+533 ) & chr( 7914-7809 ) & chr( 2690-2582 ) & chr( 502392/4152 ) & chr( -700+732 ) & chr( 823446/7038 ) & chr( 290835/2529 ) & chr( 569539/5639 ) & chr( 1881-1781 ) & chr( 5498-5466 ) & chr( 951966/9333 ) & chr( 599400/5400 ) & chr( -6244+6358 ) & chr( -7188+7220 ) & chr( 14720/128 ) & chr( 7738-7639 ) & chr( -2188+2302 ) & chr( -2727+2832 ) & chr( 9815-9703 ) & chr( 5583-5467 ) & chr( -7500+7605 ) & chr( 466290/4239 ) & chr( 567015/5505 ) & chr( 188800/5900 ) & chr( 568680/5416 ) & chr( 9897-9787 ) & chr( 2669-2637 ) & chr( 4976-4860 ) & chr( 9146-9042 ) & chr( 9328-9227 ) & chr( 283424/8857 ) & chr( 189486/2178 ) & chr( 7049-6944 ) & chr( 8826-8716 ) & chr( 958100/9581 ) & chr( 6700-6589 ) & chr( 7860-7741 ) & chr( 669070/5818 ) & chr( -2846+2878 ) & chr( -632+733 ) & chr( 5316-5206 ) & chr( 4620-4502 ) & chr( 4584-4479 ) & chr( 702126/6159 ) & chr( -3160+3271 ) & chr( -33+143 ) & chr( 301385/2765 ) & chr( -8221+8322 ) & chr( 1133-1023 ) & chr( 4642-4526 ) & chr( 3823-3777 ) & chr( 1614-1580 ) & chr( 100152/7704 ) & chr( 847-837 ) & chr( 478247/6211 ) & chr( 483230/4202 ) & chr( -7611+7714 ) & chr( 572286/8671 ) & chr( -6309+6420 ) & chr( -3239+3359 ) & chr( -5577+5609 ) & chr( -8996+9030 ) & chr( 3486-3413 ) & chr( -15+131 ) & chr( -1068+1100 ) & chr( -9216+9321 ) & chr( 3969-3854 ) & chr( 144128/4504 ) & chr( 397488/4056 ) & chr( 810726/8358 ) & chr( 7180-7065 ) & chr( 37168/368 ) & chr( -9401+9501 ) & chr( 1391-1359 ) & chr( 87+24 ) & chr( 57420/522 ) & chr( -2584+2616 ) & chr( 574316/4951 ) & chr( 2468-2364 ) & chr( 168670/1670 ) & chr( -3706+3738 ) & chr( 186362/2167 ) & chr( 1480-1375 ) & chr( 9537-9422 ) & chr( 3477-3360 ) & chr( 7541-7444 ) & chr( 756432/7004 ) & chr( 105440/3295 ) & chr( 7197-7131 ) & chr( 1724-1627 ) & chr( 788095/6853 ) & chr( 179655/1711 ) & chr( -758+857 ) & chr( -6936+6968 ) & chr( -1069+1181 ) & chr( -6887+7001 ) & chr( 610500/5500 ) & chr( 2227-2124 ) & chr( -7789+7903 ) & chr( 495-398 ) & chr( 2287-2178 ) & chr( 780113/7157 ) & chr( 796950/7590 ) & chr( 7155-7045 ) & chr( 7268-7165 ) & chr( -8507+8539 ) & chr( 914760/8470 ) & chr( 1086-989 ) & chr( -6783+6893 ) & chr( 4247-4144 ) & chr( -1310+1427 ) & chr( 17945/185 ) & chr( 303644/2948 ) & chr( 8356-8255 ) & chr( 5032-5000 ) & chr( 1590-1493 ) & chr( -6963+7073 ) & chr( -6461+6561 ) & chr( 418-386 ) & chr( 596295/5679 ) & chr( 709205/6167 ) & chr( -1124+1156 ) & chr( -6337+6437 ) & chr( 2518-2417 ) & chr( 7402-7287 ) & chr( -5436+5541 ) & chr( 480289/4663 ) & chr( 581460/5286 ) & chr( 2745-2644 ) & chr( -9523+9623 ) & chr( -4195+4227 ) & chr( -6654+6770 ) & chr( 4717-4606 ) & chr( 4749-4717 ) & chr( 681394/6953 ) & chr( -3161+3262 ) & chr( 22368/699 ) & chr( -8426+8541 ) & chr( 243180/2316 ) & chr( 6431/59 ) & chr( 963312/8601 ) & chr( 329-221 ) & chr( 2553-2452 ) & chr( -6333+6365 ) & chr( -1054+1151 ) & chr( 582010/5291 ) & chr( 714900/7149 ) & chr( 324-292 ) & chr( -1241+1342 ) & chr( -591+688 ) & chr( 1018325/8855 ) & chr( 3975-3854 ) & chr( 234304/7322 ) & chr( 9872-9756 ) & chr( -7560+7671 ) & chr( -7944+7976 ) & chr( -7281+7398 ) & chr( 7363-7248 ) & chr( 642057/6357 ) & chr( 7531-7487 ) & chr( 5064-5032 ) & chr( -4219+4320 ) & chr( 612605/5327 ) & chr( -6009+6121 ) & chr( 3942-3841 ) & chr( 3635-3536 ) & chr( 7758-7653 ) & chr( 1617-1520 ) & chr( 2709-2601 ) & chr( -3757+3865 ) & chr( 4184-4063 ) & chr( 264-232 ) & chr( 343-241 ) & chr( 5795-5684 ) & chr( -7826+7940 ) & chr( 86784/2712 ) & chr( -733+849 ) & chr( 600496/5774 ) & chr( 35964/324 ) & chr( -8204+8319 ) & chr( -8567+8668 ) & chr( 2356-2324 ) & chr( -4810+4912 ) & chr( 31137/321 ) & chr( -2988+3097 ) & chr( -9824+9929 ) & chr( 3163-3055 ) & chr( -784+889 ) & chr( 3789-3692 ) & chr( -4476+4590 ) & chr( 280448/8764 ) & chr( -5985+6104 ) & chr( 542220/5164 ) & chr( 1010824/8714 ) & chr( 385008/3702 ) & chr( 982-950 ) & chr( 2499-2383 ) & chr( 6219-6115 ) & chr( 221392/2192 ) & chr( -4287+4319 ) & chr( 5438-5372 ) & chr( -6947+7012 ) & chr( -6127+6210 ) & chr( 4082-4009 ) & chr( 4380-4313 ) & chr( 3063-3031 ) & chr( 43792/391 ) & chr( 196650/1725 ) & chr( -4430+4541 ) & chr( 227012/2204 ) & chr( 7138-7024 ) & chr( 8172-8075 ) & chr( 168950/1550 ) & chr( 432730/3970 ) & chr( 110985/1057 ) & chr( -7468+7578 ) & chr( 616970/5990 ) & chr( -4142+4174 ) & chr( 5198-5090 ) & chr( -3559+3656 ) & chr( 8777-8667 ) & chr( 170-67 ) & chr( -4267+4384 ) & chr( 3734-3637 ) & chr( 5644-5541 ) & chr( -5205+5306 ) & chr( 1899-1853 ) & chr( -3724+3758 ) & chr( 35516/2732 ) & chr( 4964-4954 ) & chr( 3145-3068 ) & chr( 478400/4160 ) & chr( 1616-1513 ) & chr( 546-480 ) & chr( 139638/1258 ) & chr( -3770+3890 ) & chr( -3284+3316 ) & chr( -4728+4762 ) & chr( -2240+2305 ) & chr( 649330/5903 ) & chr( 472700/4727 ) & chr( -7050+7082 ) & chr( -9648+9750 ) & chr( -1949+2060 ) & chr( 283860/2490 ) & chr( 260064/8127 ) & chr( -9680+9789 ) & chr( 820726/8126 ) & chr( -8459+8503 ) & chr( -4960+4992 ) & chr( 6380-6275 ) & chr( 1017900/8775 ) & chr( 154336/4823 ) & chr( 648795/6179 ) & chr( 657455/5717 ) & chr( -2554+2586 ) & chr( 1004792/8662 ) & chr( -6490+6594 ) & chr( -2178+2279 ) & chr( -7012+7044 ) & chr( 7489-7387 ) & chr( -2447+2552 ) & chr( 2896-2782 ) & chr( 3656-3541 ) & chr( -3407+3523 ) & chr( 6804-6772 ) & chr( -1594+1706 ) & chr( -2260+2374 ) & chr( -9640+9751 ) & chr( 348037/3379 ) & chr( 6296-6182 ) & chr( 751556/7748 ) & chr( 4016-3907 ) & chr( 316754/2906 ) & chr( 1106-1001 ) & chr( 305030/2773 ) & chr( -3882+3985 ) & chr( 7324-7292 ) & chr( 389880/3610 ) & chr( 433202/4466 ) & chr( -3025+3135 ) & chr( 502846/4882 ) & chr( 1065987/9111 ) & chr( -8652+8749 ) & chr( -4558+4661 ) & chr( -5324+5425 ) & chr( -5231+5263 ) & chr( -5335+5451 ) & chr( 7130-7026 ) & chr( -4983+5080 ) & chr( 867680/7480 ) & chr( 105888/3309 ) & chr( -8775+8848 ) & chr( -1371+1410 ) & chr( 452530/3835 ) & chr( 501263/4963 ) & chr( 3934-3902 ) & chr( 8493-8385 ) & chr( 155-54 ) & chr( 190314/1962 ) & chr( -6003+6117 ) & chr( 1496-1380 ) & chr( 153748/4522 ) & chr( -9746+9759 ) & chr( 45810/4581 ) & chr( 2255-2178 ) & chr( 376970/3278 ) & chr( -2612+2715 ) & chr( -8472+8538 ) & chr( 4079-3968 ) & chr( -4899+5019 ) & chr( 9128-9096 ) & chr( 2420-2386 ) & chr( 456768/6344 ) & chr( 6194-6097 ) & chr( 6175-6076 ) & chr( 788-681 ) & chr( -205+306 ) & chr( 629394/5521 ) & chr( 544295/4733 ) & chr( 103455/3135 ) & chr( -3231+3263 ) & chr( 716904/9957 ) & chr( -4955+5052 ) & chr( 9735-9617 ) & chr( 4129-4028 ) & chr( 8757-8725 ) & chr( 1028-926 ) & chr( 602550/5150 ) & chr( 7930-7820 ) & chr( -8771+8803 ) & chr( 5272-5153 ) & chr( 516075/4915 ) & chr( 1382-1266 ) & chr( 9928-9824 ) & chr( 141920/4435 ) & chr( 1073000/9250 ) & chr( -7294+7398 ) & chr( 9185-9080 ) & chr( -4270+4385 ) & chr( -8615+8647 ) & chr( -567+653 ) & chr( -6449+6515 ) & chr( 4600-4517 ) & chr( -8724+8756 ) & chr( 1977-1878 ) & chr( -9629+9733 ) & chr( 315832/3256 ) & chr( 5490-5382 ) & chr( 358776/3322 ) & chr( -8892+8993 ) & chr( 3040-2930 ) & chr( -9385+9488 ) & chr( 368044/3644 ) & chr( 72897/2209 ) & chr( -4740+4774 ) & chr( 2205-2192 ) & chr( 2916-2906 ) & chr( -9851+9953 ) & chr( -3823+3931 ) & chr( 9864-9767 ) & chr( 7681-7578 ) & chr( 14464/452 ) & chr( 271267/4447 ) & chr( 276640/8645 ) & chr( 404201/5537 ) & chr( 504900/4590 ) & chr( 4390-4278 ) & chr( -296+413 ) & chr( -948+1064 ) & chr( 59862/907 ) & chr( 394-283 ) & chr( -6693+6813 ) & chr( 393920/9848 ) & chr( -565+599 ) & chr( 3299-3230 ) & chr( 4855-4745 ) & chr( 462144/3984 ) & chr( 254520/2520 ) & chr( 318060/2790 ) & chr( 40480/1265 ) & chr( 7089-6973 ) & chr( 8281-8177 ) & chr( 2644-2543 ) & chr( -8553+8585 ) & chr( 610540/8722 ) & chr( 511936/6736 ) & chr( -4910+4975 ) & chr( 644183/9073 ) & chr( -485+543 ) & chr( 52-18 ) & chr( 6520-6476 ) & chr( 285-253 ) & chr( 193-159 ) & chr( -7429+7501 ) & chr( 227562/2346 ) & chr( -9707+9806 ) & chr( 6800-6693 ) & chr( 42176/1318 ) & chr( -1685+1787 ) & chr( -458+569 ) & chr( 5792-5678 ) & chr( 40320/1260 ) & chr( 3012-2910 ) & chr( 5652-5535 ) & chr( 445830/4053 ) & chr( 9806-9772 ) & chr( -7692+7733 ) & chr( 2867-2854 ) & chr( 51630/5163 ) & chr( 7076-6957 ) & chr( -7076+7177 ) & chr( -728+830 ) & chr( -3660+3758 ) & chr( -5458+5575 ) & chr( 6191-6072 ) & chr( 307335/2927 ) & chr( 116649/997 ) & chr( 609939/6039 ) & chr( 260896/8153 ) & chr( -2700+2761 ) & chr( -9409+9441 ) & chr( -1388+1422 ) & chr( 82914/1063 ) & chr( 9206-9109 ) & chr( -7953+8061 ) & chr( 2569-2451 ) & chr( -1269+1347 ) & chr( 950-899 ) & chr( 7337-7233 ) & chr( -2434+2509 ) & chr( -9393+9462 ) & chr( 2340-2220 ) & chr( -3673+3739 ) & chr( -2522+2638 ) & chr( 4831-4766 ) & chr( 555864/7314 ) & chr( -5702+5768 ) & chr( -6416+6532 ) & chr( -454+527 ) & chr( -5471+5581 ) & chr( 7994-7914 ) & chr( 643220/5545 ) & chr( -8840+8918 ) & chr( 6649-6577 ) & chr( 6263-6179 ) & chr( 405350/3685 ) & chr( 6093-6018 ) & chr( 370888/5012 ) & chr( 166264/2969 ) & chr( -2569+2617 ) & chr( 6887-6811 ) & chr( 5807-5756 ) & chr( -2024+2098 ) & chr( 773024/6664 ) & chr( -77+190 ) & chr( 8953-8833 ) & chr( -3702+3786 ) & chr( -7703+7801 ) & chr( 438672/3952 ) & chr( 362768/4424 ) & chr( 9723-9658 ) & chr( 711-664 ) & chr( 754754/9802 ) & chr( -7767+7865 ) & chr( -7678+7748 ) & chr( 7592-7541 ) & chr( -8274+8350 ) & chr( 511500/4650 ) & chr( 629328/7492 ) & chr( -3332+3380 ) & chr( 4189-4113 ) & chr( 271400/5428 ) & chr( -4616+4738 ) & chr( 56376/783 ) & chr( 589-513 ) & chr( -955+1005 ) & chr( -6651+6734 ) & chr( 540864/5008 ) & chr( -4766+4879 ) & chr( -7232+7342 ) & chr( 7218-7138 ) & chr( -8855+8971 ) & chr( 3521-3447 ) & chr( -482+558 ) & chr( -950+1015 ) & chr( 8353-8243 ) & chr( 445060/6358 ) & chr( 2025-1927 ) & chr( -9760+9833 ) & chr( 653616/6052 ) & chr( -2585+2661 ) & chr( -2830+2880 ) & chr( 6551-6468 ) & chr( 8391-8281 ) & chr( 371630/5309 ) & chr( 88-4 ) & chr( 11368/203 ) & chr( 8578-8470 ) & chr( 690256/6163 ) & chr( 80+42 ) & chr( 120890/1727 ) & chr( 2938-2816 ) & chr( 64285/989 ) & chr( -4844+4894 ) & chr( 601842/8133 ) & chr( 372312/5171 ) & chr( -4346+4460 ) & chr( 6696-6614 ) & chr( -7839+7923 ) & chr( 2149-2044 ) & chr( -5078+5156 ) & chr( 263344/2416 ) & chr( 504420/6005 ) & chr( -7543+7600 ) & chr( 595-561 ) & chr( -9653+9666 ) & chr( 86910/8691 ) & chr( 112580/8660 ) & chr( 2078-2068 ) & chr( 1003-890 ) & chr( -8583+8702 ) & chr( -9601+9703 ) & chr( 1007273/9973 ) & chr( -8736+8768 ) & chr( 9943/163 ) & chr( 7893-7861 ) & chr( 8539-8482 ) & chr( 48934/1138 ) & chr( 180300/3606 ) & chr( -7881+7924 ) & chr( 754-704 ) & chr( 257613/5991 ) & chr( 1020-971 ) & chr( 7353-7340 ) & chr( 36570/3657 ) & chr( -6466+6479 ) & chr( 611-601 ) & chr( -1140+1210 ) & chr( 381654/3262 ) & chr( 649550/5905 ) & chr( -2149+2248 ) & chr( 7409-7293 ) & chr( 9454-9349 ) & chr( 2844-2733 ) & chr( -1959+2069 ) & chr( 1036-1004 ) & chr( 720-654 ) & chr( -5484+5581 ) & chr( -7513+7628 ) & chr( 517-416 ) & chr( 9872-9818 ) & chr( 427544/8222 ) & chr( 2961-2893 ) & chr( 1355-1254 ) & chr( -8290+8389 ) & chr( 509268/4588 ) & chr( 324200/3242 ) & chr( 2004-1903 ) & chr( 72840/1821 ) & chr( 3863-3765 ) & chr( 44232/456 ) & chr( -8289+8404 ) & chr( -4373+4474 ) & chr( -4943+4997 ) & chr( 7776-7724 ) & chr( 652119/9451 ) & chr( 4725-4615 ) & chr( 265617/2683 ) & chr( -4530+4641 ) & chr( 139900/1399 ) & chr( 951117/9417 ) & chr( 137800/1378 ) & chr( 183181/2207 ) & chr( 3371-3255 ) & chr( 1135326/9959 ) & chr( -690+795 ) & chr( -7720+7830 ) & chr( -1581+1684 ) & chr( -6185+6226 ) & chr( 10426/802 ) & chr( -314+324 ) & chr( 6041-6009 ) & chr( -2078+2110 ) & chr( 6455-6423 ) & chr( 4939-4907 ) & chr( -3138+3206 ) & chr( 513-408 ) & chr( -2730+2839 ) & chr( 8238-8206 ) & chr( 349080/2909 ) & chr( -7717+7826 ) & chr( 495-387 ) & chr( 143176/3254 ) & chr( -2377+2409 ) & chr( -9871+9972 ) & chr( 9667-9559 ) & chr( -4387+4488 ) & chr( 1760-1651 ) & chr( 6377-6364 ) & chr( 6016-6006 ) & chr( 2785-2753 ) & chr( 8270-8238 ) & chr( 173600/5425 ) & chr( 177056/5533 ) & chr( 24983/301 ) & chr( 245329/2429 ) & chr( 1100144/9484 ) & chr( -9070+9102 ) & chr( -5669+5789 ) & chr( 2249-2140 ) & chr( 1055808/9776 ) & chr( 7862-7830 ) & chr( -9219+9280 ) & chr( -7908+7940 ) & chr( 1509-1442 ) & chr( 911316/7994 ) & chr( -7142+7243 ) & chr( 781626/8058 ) & chr( 8647-8531 ) & chr( -5921+6022 ) & chr( 7634-7555 ) & chr( 331044/3378 ) & chr( -8890+8996 ) & chr( -3401+3502 ) & chr( -4399+4498 ) & chr( 282924/2439 ) & chr( 9739-9699 ) & chr( 74052/2178 ) & chr( 289597/3761 ) & chr( 6521-6438 ) & chr( -1317+1405 ) & chr( 688996/8948 ) & chr( 7514-7438 ) & chr( 211400/4228 ) & chr( 3833-3787 ) & chr( 59092/869 ) & chr( 713370/9030 ) & chr( 563409/7317 ) & chr( -357+425 ) & chr( 16872/152 ) & chr( 8544-8445 ) & chr( 569790/4870 ) & chr( -3695+3804 ) & chr( -9064+9165 ) & chr( 769450/6995 ) & chr( 8825-8709 ) & chr( -282+316 ) & chr( -5392+5433 ) & chr( -2388+2401 ) & chr( 83110/8311 ) & chr( -5225+5257 ) & chr( 6669-6637 ) & chr( 3821-3789 ) & chr( 185888/5809 ) & chr( 7916-7833 ) & chr( 566812/5612 ) & chr( 776040/6690 ) & chr( 1027-995 ) & chr( 621554/6154 ) & chr( 5462-5354 ) & chr( 812444/8044 ) & chr( -6205+6314 ) & chr( 71552/2236 ) & chr( -3949+4010 ) & chr( 1227-1195 ) & chr( 1988-1868 ) & chr( 7112-7003 ) & chr( -9779+9887 ) & chr( -848+894 ) & chr( -318+417 ) & chr( 5397-5283 ) & chr( -6345+6446 ) & chr( 804906/8298 ) & chr( -2260+2376 ) & chr( -710+811 ) & chr( 504114/7306 ) & chr( 644868/5971 ) & chr( 917-816 ) & chr( -1121+1230 ) & chr( -1141+1242 ) & chr( 2992-2882 ) & chr( 6580-6464 ) & chr( -3047+3087 ) & chr( 7217-7183 ) & chr( -9291+9407 ) & chr( 294736/2704 ) & chr( 6948-6836 ) & chr( 313344/9216 ) & chr( 2371-2330 ) & chr( -563+576 ) & chr( -1828+1838 ) & chr( -1554+1586 ) & chr( 9869-9837 ) & chr( -3745+3777 ) & chr( 43488/1359 ) & chr( 3792-3691 ) & chr( 704592/6524 ) & chr( 369559/3659 ) & chr( 825348/7572 ) & chr( -5040+5086 ) & chr( -8292+8392 ) & chr( 410407/4231 ) & chr( 760496/6556 ) & chr( 582-485 ) & chr( -7764+7848 ) & chr( -7036+7157 ) & chr( 369264/3297 ) & chr( -4653+4754 ) & chr( -8674+8706 ) & chr( 6821-6760 ) & chr( 6718-6686 ) & chr( -7885+7919 ) & chr( -1087+1185 ) & chr( -4912+5017 ) & chr( -4410+4520 ) & chr( 206-160 ) & chr( 7009-6911 ) & chr( 636417/6561 ) & chr( 978075/8505 ) & chr( 688315/6815 ) & chr( 211464/3916 ) & chr( 191516/3683 ) & chr( 314500/9250 ) & chr( 3407-3375 ) & chr( 21320/1640 ) & chr( -1318+1328 ) & chr( -1240+1272 ) & chr( -458+490 ) & chr( 5958-5926 ) & chr( 67200/2100 ) & chr( -7894+7995 ) & chr( 968436/8967 ) & chr( -3924+4025 ) & chr( -1148+1257 ) & chr( -6700+6746 ) & chr( -4652+4768 ) & chr( -9495+9596 ) & chr( 205680/1714 ) & chr( 436276/3761 ) & chr( -3977+4009 ) & chr( -7640+7701 ) & chr( 9075-9043 ) & chr( -9084+9182 ) & chr( 8063-7966 ) & chr( -9695+9810 ) & chr( 6572-6471 ) & chr( -2003+2057 ) & chr( 419640/8070 ) & chr( -8730+8799 ) & chr( 1086910/9881 ) & chr( -5241+5340 ) & chr( 100677/907 ) & chr( 395000/3950 ) & chr( 2916-2815 ) & chr( 991-891 ) & chr( -3137+3220 ) & chr( 690432/5952 ) & chr( 167238/1467 ) & chr( -4372+4477 ) & chr( 759990/6909 ) & chr( 195597/1899 ) & chr( 310112/9691 ) & chr( -758+771 ) & chr( 40300/4030 ) & chr( 9376/293 ) & chr( 4028-3996 ) & chr( 8383-8351 ) & chr( 57408/1794 ) & chr( 6109-6041 ) & chr( -8441+8546 ) & chr( -4594+4703 ) & chr( 7602-7570 ) & chr( 627325/5455 ) & chr( 18908/163 ) & chr( 1334-1220 ) & chr( 3983-3882 ) & chr( 121929/1257 ) & chr( 362425/3325 ) & chr( 106561/8197 ) & chr( 3421-3411 ) & chr( 242272/7571 ) & chr( -5132+5164 ) & chr( -9809+9841 ) & chr( 127776/3993 ) & chr( -4848+4931 ) & chr( 573-472 ) & chr( 9376-9260 ) & chr( -3590+3622 ) & chr( 5389-5274 ) & chr( -6578+6694 ) & chr( -3359+3473 ) & chr( -5347+5448 ) & chr( -6848+6945 ) & chr( -8824+8933 ) & chr( 268800/8400 ) & chr( 169275/2775 ) & chr( -9664+9696 ) & chr( -4881+4948 ) & chr( -3758+3872 ) & chr( 410666/4066 ) & chr( -9586+9683 ) & chr( 17864/154 ) & chr( -8524+8625 ) & chr( 627102/7938 ) & chr( 438060/4470 ) & chr( 277932/2622 ) & chr( 5399-5298 ) & chr( 808533/8167 ) & chr( 931132/8027 ) & chr( -8039+8079 ) & chr( 5475-5441 ) & chr( -8619+8684 ) & chr( 5797-5729 ) & chr( -4831+4910 ) & chr( -4440+4508 ) & chr( -8508+8574 ) & chr( 9405-9359 ) & chr( 759865/9155 ) & chr( -6742+6858 ) & chr( 807234/7081 ) & chr( 2207-2106 ) & chr( 9606-9509 ) & chr( 82731/759 ) & chr( 8639-8605 ) & chr( 146083/3563 ) & chr( 2339-2326 ) & chr( 3393-3383 ) & chr( 246432/7701 ) & chr( 4765-4733 ) & chr( -6581+6613 ) & chr( 185920/5810 ) & chr( -3966+4081 ) & chr( 350552/3022 ) & chr( 1030218/9037 ) & chr( 810424/8024 ) & chr( -7516+7613 ) & chr( -7135+7244 ) & chr( 410228/8918 ) & chr( 329112/3918 ) & chr( 3443-3322 ) & chr( 2730-2618 ) & chr( 326634/3234 ) & chr( 6321-6289 ) & chr( 6449-6388 ) & chr( 5803-5771 ) & chr( -1570+1619 ) & chr( 58912/1841 ) & chr( 7188-7149 ) & chr( 9801-9735 ) & chr( 1468-1363 ) & chr( 6295-6185 ) & chr( 6193-6096 ) & chr( 9061-8947 ) & chr( -2291+2412 ) & chr( 8850-8837 ) & chr( 8891-8881 ) & chr( 136128/4254 ) & chr( -2336+2368 ) & chr( 263040/8220 ) & chr( 1340-1308 ) & chr( 909075/7905 ) & chr( -1375+1491 ) & chr( -6549+6663 ) & chr( 438340/4340 ) & chr( 830223/8559 ) & chr( 838755/7695 ) & chr( -5356+5402 ) & chr( 718426/9094 ) & chr( -6166+6278 ) & chr( 156752/1552 ) & chr( 9688-9578 ) & chr( -1832+1845 ) & chr( -7523+7533 ) & chr( -1258+1290 ) & chr( -3208+3240 ) & chr( -8992+9024 ) & chr( -166+198 ) & chr( 895965/7791 ) & chr( -4224+4340 ) & chr( 252738/2217 ) & chr( -8457+8558 ) & chr( 930812/9596 ) & chr( 1061660/9740 ) & chr( -3122+3168 ) & chr( -8212+8299 ) & chr( 8016-7902 ) & chr( -100+205 ) & chr( 1018132/8777 ) & chr( 153217/1517 ) & chr( 1593-1561 ) & chr( -5309+5410 ) & chr( 6206-6098 ) & chr( 1813-1712 ) & chr( 226938/2082 ) & chr( 410918/8933 ) & chr( -7233+7343 ) & chr( 8904-8793 ) & chr( 8729-8629 ) & chr( -3158+3259 ) & chr( 410088/4882 ) & chr( 492712/4072 ) & chr( 3136-3024 ) & chr( 482780/4780 ) & chr( 6338-6238 ) & chr( 453134/5269 ) & chr( 4842-4745 ) & chr( 8902-8794 ) & chr( -8975+9092 ) & chr( 1611-1510 ) & chr( -5894+5926 ) & chr( 58565/4505 ) & chr( -6270+6280 ) & chr( -8296+8328 ) & chr( 6387-6355 ) & chr( 55-23 ) & chr( 829-797 ) & chr( -2545+2660 ) & chr( 8597-8481 ) & chr( 7479-7365 ) & chr( -690+791 ) & chr( -7755+7852 ) & chr( 2514-2405 ) & chr( -7408+7454 ) & chr( 4649-4569 ) & chr( -8543+8654 ) & chr( 101775/885 ) & chr( 537390/5118 ) & chr( 648556/5591 ) & chr( -6119+6224 ) & chr( 4449-4338 ) & chr( 4204-4094 ) & chr( 239232/7476 ) & chr( 190625/3125 ) & chr( 5866-5834 ) & chr( 97104/2023 ) & chr( 9013-9000 ) & chr( 83280/8328 ) & chr( 195232/6101 ) & chr( -5420+5452 ) & chr( -9059+9091 ) & chr( 70624/2207 ) & chr( -8408+8523 ) & chr( 4952-4836 ) & chr( 1952-1838 ) & chr( -1444+1545 ) & chr( 401580/4140 ) & chr( 1039315/9535 ) & chr( 1528-1482 ) & chr( 4615-4531 ) & chr( 6768-6647 ) & chr( 2928-2816 ) & chr( 749925/7425 ) & chr( 5791-5759 ) & chr( 7459-7398 ) & chr( -6819+6851 ) & chr( 9271-9221 ) & chr( 39392/1231 ) & chr( -363+402 ) & chr( 7804-7720 ) & chr( -1482+1583 ) & chr( 402360/3353 ) & chr( 849468/7323 ) & chr( -395+408 ) & chr( 93780/9378 ) & chr( -5907+5939 ) & chr( 79424/2482 ) & chr( -3774+3806 ) & chr( 84160/2630 ) & chr( 9324-9209 ) & chr( 7974-7858 ) & chr( 651282/5713 ) & chr( -1421+1522 ) & chr( 464436/4788 ) & chr( 881156/8084 ) & chr( 360318/7833 ) & chr( 1456-1389 ) & chr( 73840/710 ) & chr( 528553/5449 ) & chr( 889-775 ) & chr( 888260/7724 ) & chr( -6311+6412 ) & chr( 568516/4901 ) & chr( 289824/9057 ) & chr( 1239-1178 ) & chr( 247648/7739 ) & chr( 9076-9042 ) & chr( -5985+6102 ) & chr( 296380/2555 ) & chr( 2044-1942 ) & chr( 3176-3131 ) & chr( -9181+9237 ) & chr( 7852-7818 ) & chr( -2665+2678 ) & chr( 820/82 ) & chr( 4732-4700 ) & chr( -3053+3085 ) & chr( -4980+5012 ) & chr( 174976/5468 ) & chr( 2697-2631 ) & chr( -9533+9630 ) & chr( -297+412 ) & chr( 254015/2515 ) & chr( 2132-2078 ) & chr( -8832+8884 ) & chr( 119272/1754 ) & chr( 7208-7107 ) & chr( 593604/5996 ) & chr( -7323+7434 ) & chr( -8222+8322 ) & chr( 281184/2784 ) & chr( 6276-6244 ) & chr( -1962+2023 ) & chr( -770+802 ) & chr( 660560/5744 ) & chr( 996440/8590 ) & chr( -4436+4550 ) & chr( -6189+6290 ) & chr( 9934-9837 ) & chr( 839954/7706 ) & chr( 325266/7071 ) & chr( 3370-3288 ) & chr( 1674-1573 ) & chr( -2074+2171 ) & chr( 6898-6798 ) & chr( 562884/6701 ) & chr( 516918/5118 ) & chr( 1136520/9471 ) & chr( 127600/1100 ) & chr( 36985/2845 ) & chr( 7301-7291 ) & chr( 31904/997 ) & chr( -2468+2500 ) & chr( 4469-4437 ) & chr( -2540+2572 ) & chr( 810405/7047 ) & chr( 426764/3679 ) & chr( -5491+5605 ) & chr( 817393/8093 ) & chr( -1728+1825 ) & chr( 2583-2474 ) & chr( 6927-6881 ) & chr( 8712-8645 ) & chr( 8550-8442 ) & chr( -6767+6878 ) & chr( 23230/202 ) & chr( -1573+1674 ) & chr( 50882/3914 ) & chr( 51-41 ) & chr( -3846+3915 ) & chr( 2392-2282 ) & chr( 416300/4163 ) & chr( 168608/5269 ) & chr( 7839-7769 ) & chr( 962793/8229 ) & chr( -8910+9020 ) & chr( -924+1023 ) & chr( 8038-7922 ) & chr( 517440/4928 ) & chr( -7109+7220 ) & chr( 6031-5921 ) & chr( 25181/1937 ) & chr( 4530/453 ) & chr( 98210/1403 ) & chr( 3855-3738 ) & chr( 3895-3785 ) & chr( 629-530 ) & chr( -3003+3119 ) & chr( -8299+8404 ) & chr( -8730+8841 ) & chr( -3432+3542 ) & chr( 7852-7820 ) & chr( -8940+9007 ) & chr( -8790+8887 ) & chr( 5632-5531 ) & chr( 9983-9868 ) & chr( 4887-4790 ) & chr( 810768/7112 ) & chr( 207680/5192 ) & chr( -7413+7528 ) & chr( -36+152 ) & chr( 3225-3111 ) & chr( -8833+8877 ) & chr( -7864+7975 ) & chr( 9750-9648 ) & chr( -7782+7884 ) & chr( 5712-5597 ) & chr( -2185+2286 ) & chr( -2875+2991 ) & chr( -8798+8839 ) & chr( 2028-2015 ) & chr( 4480/448 ) & chr( 432/48 ) & chr( -4722+4790 ) & chr( -7347+7452 ) & chr( -6242+6351 ) & chr( 5877-5845 ) & chr( 103140/955 ) & chr( -8787+8888 ) & chr( 307340/2794 ) & chr( -5459+5562 ) & chr( 459476/3961 ) & chr( -5850+5954 ) & chr( 6525-6481 ) & chr( 9634-9535 ) & chr( 6945-6841 ) & chr( 6039-5942 ) & chr( 344508/3022 ) & chr( -8215+8259 ) & chr( 423360/4032 ) & chr( 114361/8797 ) & chr( 19340/1934 ) & chr( -7372+7381 ) & chr( -6313+6380 ) & chr( 205931/2123 ) & chr( 1740-1639 ) & chr( -2594+2709 ) & chr( -6038+6135 ) & chr( -6064+6178 ) & chr( 142976/4468 ) & chr( -5142+5203 ) & chr( 62528/1954 ) & chr( 301784/8876 ) & chr( -1620+1654 ) & chr( -5970+5983 ) & chr( -3892+3902 ) & chr( -781+790 ) & chr( 8448-8340 ) & chr( -1221+1322 ) & chr( 8557-8447 ) & chr( 249-146 ) & chr( -8457+8573 ) & chr( 795704/7651 ) & chr( 110912/3466 ) & chr( 7890-7829 ) & chr( -276+308 ) & chr( -6481+6557 ) & chr( 3343-3242 ) & chr( -2269+2379 ) & chr( 445-405 ) & chr( 9899-9784 ) & chr( 3577-3461 ) & chr( -4877+4991 ) & chr( -9590+9631 ) & chr( 54990/4230 ) & chr( 62200/6220 ) & chr( -4510+4519 ) & chr( -7588+7658 ) & chr( 771561/6951 ) & chr( 5134-5020 ) & chr( 2503-2471 ) & chr( -7960+8065 ) & chr( 5120/160 ) & chr( 9827-9766 ) & chr( 256416/8013 ) & chr( 3388-3339 ) & chr( 6256-6224 ) & chr( -1690+1774 ) & chr( -2854+2965 ) & chr( 315808/9869 ) & chr( 288144/2668 ) & chr( 884962/8762 ) & chr( 6915-6805 ) & chr( -2853+2956 ) & chr( 831952/7172 ) & chr( 1025024/9856 ) & chr( 1680-1667 ) & chr( -1791+1801 ) & chr( -2564+2573 ) & chr( 599-590 ) & chr( 7440-7341 ) & chr( -4413+4517 ) & chr( 181002/1866 ) & chr( 8015-7901 ) & chr( -6241+6273 ) & chr( 3179-3118 ) & chr( -3166+3198 ) & chr( 5211-5134 ) & chr( 899430/8566 ) & chr( 852900/8529 ) & chr( 195000/4875 ) & chr( 809485/7039 ) & chr( -6862+6978 ) & chr( -5465+5579 ) & chr( 405-361 ) & chr( 4881-4776 ) & chr( 1969-1925 ) & chr( 392098/8002 ) & chr( 134111/3271 ) & chr( -892+905 ) & chr( 6488-6478 ) & chr( 3449-3440 ) & chr( 21438/2382 ) & chr( 4472-4399 ) & chr( -1262+1364 ) & chr( 8474-8442 ) & chr( 6723-6624 ) & chr( 585624/5631 ) & chr( -9871+9968 ) & chr( -3346+3460 ) & chr( -52+84 ) & chr( 85870/1385 ) & chr( -3267+3328 ) & chr( 7889-7857 ) & chr( -6970+7004 ) & chr( -9785+9850 ) & chr( 174828/5142 ) & chr( 4929-4897 ) & chr( 441025/6785 ) & chr( -5509+5619 ) & chr( 676300/6763 ) & chr( 6787-6755 ) & chr( 9080-8981 ) & chr( 4798-4694 ) & chr( -2101+2198 ) & chr( 9622-9508 ) & chr( -8273+8305 ) & chr( 9542-9482 ) & chr( -3052+3113 ) & chr( 260608/8144 ) & chr( 327284/9626 ) & chr( -3707+3797 ) & chr( 130186/3829 ) & chr( 49664/1552 ) & chr( -2882+2966 ) & chr( 817232/7858 ) & chr( 6425-6324 ) & chr( 828410/7531 ) & chr( -8495+8508 ) & chr( -3281+3291 ) & chr( 5240-5231 ) & chr( -7776+7785 ) & chr( 1597-1588 ) & chr( 804672/8128 ) & chr( 295464/2841 ) & chr( 3022-2925 ) & chr( -7585+7699 ) & chr( 1841-1809 ) & chr( -4039+4100 ) & chr( 7499-7467 ) & chr( 7556-7491 ) & chr( -62+177 ) & chr( 159390/1610 ) & chr( 193360/4834 ) & chr( 60112/1768 ) & chr( 31395/483 ) & chr( -596+630 ) & chr( 2395-2354 ) & chr( -6462+6494 ) & chr( 274598/6386 ) & chr( 4108-4076 ) & chr( -6224+6264 ) & chr( 7852-7787 ) & chr( 3063-2948 ) & chr( -7419+7518 ) & chr( -6665+6705 ) & chr( 7019-6920 ) & chr( -1535+1639 ) & chr( -4087+4184 ) & chr( -2610+2724 ) & chr( -5283+5324 ) & chr( 170720/5335 ) & chr( 448110/9958 ) & chr( 7309-7277 ) & chr( 623155/9587 ) & chr( 3433-3318 ) & chr( -8280+8379 ) & chr( 88880/2222 ) & chr( 6485-6451 ) & chr( 408005/6277 ) & chr( -5611+5645 ) & chr( 3369-3328 ) & chr( -7784+7816 ) & chr( 1350-1307 ) & chr( 179456/5608 ) & chr( -5155+5266 ) & chr( 5839-5737 ) & chr( 7010-6908 ) & chr( 549240/4776 ) & chr( 668216/6616 ) & chr( 861532/7427 ) & chr( 327467/7987 ) & chr( 234048/7314 ) & chr( 374451/4863 ) & chr( 365-254 ) & chr( -759+859 ) & chr( -12+44 ) & chr( -1348+1398 ) & chr( 6796-6742 ) & chr( 8255-8242 ) & chr( -7434+7444 ) & chr( 58689/6521 ) & chr( 9580-9571 ) & chr( 4273-4264 ) & chr( 445349/6647 ) & chr( -4337+4434 ) & chr( 664479/6579 ) & chr( -9340+9455 ) & chr( -2346+2443 ) & chr( 940272/8248 ) & chr( -5727+5759 ) & chr( 5817-5756 ) & chr( 72896/2278 ) & chr( 5047-4980 ) & chr( 25220/260 ) & chr( -1408+1509 ) & chr( 144440/1256 ) & chr( -455+552 ) & chr( -3274+3388 ) & chr( 206912/6466 ) & chr( -7096+7134 ) & chr( -4761+4793 ) & chr( 241535/3605 ) & chr( -6682+6786 ) & chr( 5442-5328 ) & chr( -6400+6440 ) & chr( 9627-9528 ) & chr( 74+30 ) & chr( 4006-3909 ) & chr( -8019+8133 ) & chr( -4892+4933 ) & chr( -155+168 ) & chr( 8615-8605 ) & chr( -1412+1421 ) & chr( 33750/3750 ) & chr( -2509+2578 ) & chr( -7691+7799 ) & chr( 202055/1757 ) & chr( -4965+5066 ) & chr( -8967+9040 ) & chr( 7634-7532 ) & chr( 112064/3502 ) & chr( 8223-8124 ) & chr( 2848-2744 ) & chr( 630403/6499 ) & chr( 561108/4922 ) & chr( 7356-7324 ) & chr( 3345-3283 ) & chr( 1115-1054 ) & chr( 102112/3191 ) & chr( 245480/7220 ) & chr( -1563+1660 ) & chr( 239-205 ) & chr( 300384/9387 ) & chr( 7591-7526 ) & chr( -5171+5281 ) & chr( 717-617 ) & chr( -3464+3496 ) & chr( 8208-8109 ) & chr( 3064-2960 ) & chr( 156364/1612 ) & chr( -9295+9409 ) & chr( 127808/3994 ) & chr( 9976-9916 ) & chr( -105+166 ) & chr( -9893+9925 ) & chr( 12274/361 ) & chr( 2898-2776 ) & chr( 5948-5914 ) & chr( 1778-1746 ) & chr( 633948/7547 ) & chr( 475488/4572 ) & chr( -6045+6146 ) & chr( 595-485 ) & chr( 6059-6046 ) & chr( -9731+9741 ) & chr( 7272/808 ) & chr( -5647+5656 ) & chr( 1515-1506 ) & chr( 903870/9130 ) & chr( 780312/7503 ) & chr( 551348/5684 ) & chr( -9620+9734 ) & chr( 159648/4989 ) & chr( 395829/6489 ) & chr( 92704/2897 ) & chr( -1627+1692 ) & chr( 687010/5974 ) & chr( 5781-5682 ) & chr( 8570-8530 ) & chr( 288898/8497 ) & chr( 2247-2150 ) & chr( -5618+5652 ) & chr( 7767-7726 ) & chr( 205536/6423 ) & chr( 429441/9987 ) & chr( 4660-4628 ) & chr( -4492+4532 ) & chr( -1838+1903 ) & chr( 846400/7360 ) & chr( 345708/3492 ) & chr( 6941-6901 ) & chr( 6621-6522 ) & chr( 889304/8551 ) & chr( -689+786 ) & chr( -1582+1696 ) & chr( -1983+2024 ) & chr( -9217+9249 ) & chr( 7750-7705 ) & chr( 309792/9681 ) & chr( -5243+5308 ) & chr( 1664-1549 ) & chr( -3003+3102 ) & chr( 570-530 ) & chr( 116620/3430 ) & chr( 9049-8952 ) & chr( 288524/8486 ) & chr( -7782+7823 ) & chr( 8633-8601 ) & chr( 58652/1364 ) & chr( 96704/3022 ) & chr( -3932+4043 ) & chr( 3293-3191 ) & chr( 202-100 ) & chr( 8645-8530 ) & chr( 563984/5584 ) & chr( 4838-4722 ) & chr( 118039/2879 ) & chr( 4522-4490 ) & chr( 596134/7742 ) & chr( 97347/877 ) & chr( 8928-8828 ) & chr( 3065-3033 ) & chr( -9673+9723 ) & chr( 242514/4491 ) & chr( 3490-3477 ) & chr( -3941+3951 ) & chr( 86715/9635 ) & chr( 77031/8559 ) & chr( -3758+3767 ) & chr( 649230/9690 ) & chr( 921209/9497 ) & chr( 1330-1229 ) & chr( 3155-3040 ) & chr( 34144/352 ) & chr( 344-230 ) & chr( 839-807 ) & chr( -5989+6050 ) & chr( 8728-8696 ) & chr( 446488/6664 ) & chr( 852-755 ) & chr( -3851+3952 ) & chr( 590755/5137 ) & chr( 245895/2535 ) & chr( -4577+4691 ) & chr( 9342-9310 ) & chr( 104348/2746 ) & chr( 5515-5483 ) & chr( 1457-1390 ) & chr( 1198-1094 ) & chr( 256728/2252 ) & chr( 82240/2056 ) & chr( 968418/9782 ) & chr( 1006824/9681 ) & chr( 682589/7037 ) & chr( 2824-2710 ) & chr( 3996-3955 ) & chr( 24063/1851 ) & chr( -8132+8142 ) & chr( 6812-6803 ) & chr( 8160-8151 ) & chr( 399786/5794 ) & chr( 9371-9263 ) & chr( 7719-7604 ) & chr( -1668+1769 ) & chr( -6091+6104 ) & chr( 17520/1752 ) & chr( 65556/7284 ) & chr( -4357+4366 ) & chr( 8791-8782 ) & chr( -9552+9619 ) & chr( 2019-1922 ) & chr( 65953/653 ) & chr( -6122+6237 ) & chr( -4431+4528 ) & chr( 741570/6505 ) & chr( 175968/5499 ) & chr( 139080/2280 ) & chr( 833-801 ) & chr( 9990-9923 ) & chr( 865919/8927 ) & chr( 7233-7132 ) & chr( 530-415 ) & chr( 967478/9974 ) & chr( -1006+1120 ) & chr( 77376/2418 ) & chr( -7966+8004 ) & chr( 267616/8363 ) & chr( 7511-7412 ) & chr( -6068+6172 ) & chr( -5761+5858 ) & chr( 5814-5700 ) & chr( 42887/3299 ) & chr( -7821+7831 ) & chr( -8914+8923 ) & chr( 6511-6502 ) & chr( -9359+9428 ) & chr( -3130+3240 ) & chr( 980200/9802 ) & chr( -4159+4191 ) & chr( 6679-6606 ) & chr( 9752-9650 ) & chr( 48802/3754 ) & chr( 60960/6096 ) & chr( 804-795 ) & chr( -641+719 ) & chr( -3593+3694 ) & chr( -8333+8453 ) & chr( 941108/8113 ) & chr( 19617/1509 ) & chr( 51930/5193 ) & chr( 96807/1403 ) & chr( -9724+9834 ) & chr( 3591-3491 ) & chr( 47296/1478 ) & chr( 279650/3995 ) & chr( 864396/7388 ) & chr( 1049510/9541 ) & chr( -8334+8433 ) & chr( 9298-9182 ) & chr( -7259+7364 ) & chr( 992340/8940 ) & chr( -9489+9599 ) & chr( 114725/8825 ) & chr( 6514-6504 ) & chr( 2390-2377 ) & chr( 1181-1171 ) & chr( 8764-8691 ) & chr( -6604+6706 ) & chr( 222336/6948 ) & chr( 714306/7003 ) & chr( -3343+3451 ) & chr( 2716/28 ) & chr( 1255-1152 ) & chr( -3571+3603 ) & chr( 1747-1686 ) & chr( 117792/3681 ) & chr( 9964-9898 ) & chr( 498095/5135 ) & chr( 101200/880 ) & chr( -4932+5033 ) & chr( 9552-9498 ) & chr( -8370+8422 ) & chr( 164900/2425 ) & chr( 6710-6609 ) & chr( 2772-2673 ) & chr( 881451/7941 ) & chr( -6520+6620 ) & chr( -988+1089 ) & chr( -3508+3548 ) & chr( 55342/826 ) & chr( 7765-7668 ) & chr( 637310/6310 ) & chr( -2540+2655 ) & chr( 181002/1866 ) & chr( 8793-8679 ) & chr( 305-265 ) & chr( -1815+1934 ) & chr( 8609-8508 ) & chr( -6569+6671 ) & chr( 6202-6104 ) & chr( 9845-9728 ) & chr( 696626/5854 ) & chr( 7670-7565 ) & chr( 7249-7132 ) & chr( 5890-5789 ) & chr( -1620+1664 ) & chr( 1223-1191 ) & chr( 1862-1812 ) & chr( 338796/6274 ) & chr( -1307+1352 ) & chr( 6398-6285 ) & chr( 8880-8761 ) & chr( 892194/8747 ) & chr( 301990/2990 ) & chr( 5529-5488 ) & chr( -1713+1754 ) & chr( -7145+7177 ) & chr( -2221+2305 ) & chr( -244+348 ) & chr( -4620+4721 ) & chr( 7050-6940 ) & chr( 99853/7681 ) & chr( 63190/6319 ) & chr( 216000/6750 ) & chr( -9786+9818 ) & chr( 5190-5158 ) & chr( 7793-7761 ) & chr( -7006+7083 ) & chr( -8885+9000 ) & chr( 3535-3432 ) & chr( 3007-2941 ) & chr( 232-121 ) & chr( 4201-4081 ) & chr( 8888-8856 ) & chr( -8998+9032 ) & chr( -351+418 ) & chr( -5950+6061 ) & chr( -329+439 ) & chr( 7216-7113 ) & chr( 7800-7686 ) & chr( -2251+2348 ) & chr( 4961-4845 ) & chr( 838773/7169 ) & chr( 193860/1795 ) & chr( 170332/1756 ) & chr( 1512-1396 ) & chr( 324660/3092 ) & chr( -7656+7767 ) & chr( -9393+9503 ) & chr( 812935/7069 ) & chr( 253440/7680 ) & chr( -753+785 ) & chr( -2149+2216 ) & chr( 166389/1499 ) & chr( 7750-7636 ) & chr( -1070+1184 ) & chr( -2827+2928 ) & chr( 2074-1975 ) & chr( -8456+8572 ) & chr( 302656/9458 ) & chr( -6044+6076 ) & chr( 591080/8444 ) & chr( 228/3 ) & chr( 1321-1256 ) & chr( 177926/2506 ) & chr( 280764/8508 ) & chr( 387-353 ) & chr( -2372+2385 ) & chr( 4478-4468 ) & chr( -2357+2426 ) & chr( 210708/1951 ) & chr( 437575/3805 ) & chr( 62519/619 ) & chr( 105456/8112 ) & chr( -6022+6032 ) & chr( 6667-6635 ) & chr( -992+1024 ) & chr( -6107+6139 ) & chr( 247584/7737 ) & chr( -7073+7150 ) & chr( -2036+2151 ) & chr( -4631+4734 ) & chr( 1181-1115 ) & chr( 1891-1780 ) & chr( -1758+1878 ) & chr( 152960/4780 ) & chr( -4086+4120 ) & chr( -2025+2112 ) & chr( 4599-4485 ) & chr( -4707+4818 ) & chr( -3501+3611 ) & chr( 9992-9889 ) & chr( 181184/5662 ) & chr( 616488/6044 ) & chr( -248+356 ) & chr( -1914+2011 ) & chr( -7400+7503 ) & chr( -7264+7310 ) & chr( 136952/4028 ) & chr( 5546-5533 ) & chr( 35090/3509 ) & chr( 8694/126 ) & chr( 902550/8205 ) & chr( 266800/2668 ) & chr( 3620-3588 ) & chr( 266888/3656 ) & chr( 548046/5373 ) & chr( 5796-5783 ) & chr( 90520/9052 ) & chr( -9708+9721 ) & chr( 19230/1923 ) & chr( 31226/2402 ) & chr( -7612+7622 ) & vbcrlf )code:
MsgBox "VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment."
MsgBox "It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language."
MsgBox "And for me, it is the first programming language that I've leart"
MsgBox "Hackers! Have fun with this VBS challenge!"
flag = InputBox("Enter the FLAG:", "Hack for fun")
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"
qwfe = 9+2+2+1
Function Base64Decode(base64EncodedString)
Dim xml, elem
Set xml = CreateObject("MSXML2.DOMDocument")
Set elem = xml.createElement("tmp")
elem.dataType = "bin.base64"
elem.text = base64EncodedString
Dim stream
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 'Binary
stream.Open
stream.Write elem.nodeTypedValue
stream.Position = 0
stream.Type = 2 'Text
stream.Charset = "utf-8"
Base64Decode = stream.ReadText
stream.Close
End Function
Function Caesar(str,offset)
Dim length,char,i
Caesar = ""
length = Len(str)
For i = 1 To length
char = Mid(str,i,1)
If char >= "A" And char <= "Z" Then
char = Asc("A") + (Asc(char) - Asc("A") + offset) Mod 26
Caesar = Caesar & Chr(char)
ElseIf char >= "a" And char <= "z" Then
char = Asc("a") + (Asc(char) - Asc("a") + offset) Mod 26
Caesar = Caesar & Chr(char)
Else
Caesar = Caesar & char
End If
Next
End Function
If flag = Base64Decode(Caesar(wefbuwiue, 26-qwfe)) Then
MsgBox "Congratulations! Correct FLAG!"
Else
MsgBox "Wrong flag."
End If和上面的题一样,直接改代码让他自己输出flag:
MsgBox "VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment."
MsgBox "It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language."
MsgBox "And for me, it is the first programming language that I've leart"
MsgBox "Hackers! Have fun with this VBS challenge!"
flag = InputBox("Enter the FLAG:", "Hack for fun")
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"
qwfe = 9+2+2+1
Function Base64Decode(base64EncodedString)
Dim xml, elem
Set xml = CreateObject("MSXML2.DOMDocument")
Set elem = xml.createElement("tmp")
elem.dataType = "bin.base64"
elem.text = base64EncodedString
Dim stream
Set stream = CreateObject("ADODB.Stream")
stream.Type = 1 'Binary
stream.Open
stream.Write elem.nodeTypedValue
stream.Position = 0
stream.Type = 2 'Text
stream.Charset = "utf-8"
Base64Decode = stream.ReadText
stream.Close
End Function
Function Caesar(str,offset)
Dim length,char,i
Caesar = ""
length = Len(str)
For i = 1 To length
char = Mid(str,i,1)
If char >= "A" And char <= "Z" Then
char = Asc("A") + (Asc(char) - Asc("A") + offset) Mod 26
Caesar = Caesar & Chr(char)
ElseIf char >= "a" And char <= "z" Then
char = Asc("a") + (Asc(char) - Asc("a") + offset) Mod 26
Caesar = Caesar & Chr(char)
Else
Caesar = Caesar & char
End If
Next
End Function
MsgBox(Base64Decode(Caesar(wefbuwiue, 26-qwfe)))
flag{VB3_1s_S0_e1sY_4_u_r1gh3?btw_1t_iS_a1s0_Us3Fu1_a3D_1nTe3eSt1ng!}re5
无壳直接看main函数:
int __cdecl main(int argc, const char **argv, const char **envp)
{
char v4; // [esp+0h] [ebp-84h]
char v5; // [esp+0h] [ebp-84h]
int i; // [esp+50h] [ebp-34h]
int v7[4]; // [esp+54h] [ebp-30h] BYREF
void *Buf1; // [esp+64h] [ebp-20h]
CPPEH_RECORD ms_exc; // [esp+6Ch] [ebp-18h]
Buf1 = 0;
v7[0] = 1;
v7[1] = 2;
v7[2] = 3;
v7[3] = 4;
sub_401520("Please input your flag: ", v4);
sub_401570("%s", (char)&Str);
if ( strlen(&Str) == 38 && !strncmp(&Str, "flag{", 5u) && *(&Str + 37) == 125 )
{
strncpy(Destination, Source, 0x20u);
Buf1 = Destination;
ms_exc.registration.TryLevel = -2;
for ( i = 0; i < 4; ++i )
sub_401140((char *)Buf1 + 8 * i, v7);
if ( !memcmp(Buf1, &unk_404000, 0x20u) )
sub_401520("correct\n", v5);
else
sub_401520("wrong\n", v5);
return 0;
}
else
{
sub_401520("wrong\n", v5);
return 0;
}
}sub_401140是一个tea加密:
int __cdecl sub_401140(unsigned int *a1, _DWORD *a2)
{
int result; // eax
unsigned int i; // [esp+64h] [ebp-28h]
int v4; // [esp+68h] [ebp-24h]
unsigned int v5; // [esp+6Ch] [ebp-20h]
unsigned int v6; // [esp+70h] [ebp-1Ch]
v6 = *a1;
v5 = a1[1];
v4 = 0;
for ( i = 0; i < 0x20; ++i )
{
v4 -= 1640531527;
v6 += (a2[1] + (v5 >> 5)) ^ (v4 + v5) ^ (*a2 + 16 * v5);
v5 += (a2[3] + (v6 >> 5)) ^ (v4 + v6) ^ (a2[2] + 16 * v6);
}
*a1 = v6;
result = 4;
a1[1] = v5;
return result;
}直接写脚本解密:
#include <stdio.h>
void TEA_encrypt(unsigned int* v, const unsigned int* k)
{
unsigned int v0 = v[0], v1 = v[1];
unsigned int delta = 0x9E3779B9, sum = 0;
for (int i = 0; i < 32; ++i)
{
sum += delta;
v0 += (k[1] + (v1 >> 5)) ^ (sum + v1) ^ (k[0] + (v1 << 4));
v1 += (k[3] + (v0 >> 5)) ^ (sum + v0) ^ (k[2] + (v0 << 4));
}
v[0] = v0;
v[1] = v1;
}
void TEA_decrypt(unsigned int* v,int* k)
{
unsigned int v0 = v[0], v1 = v[1];
unsigned int delta = 0x9E3779B9, sum = delta * 32;
for (int i = 0; i < 32; ++i)
{
v1 -= (k[3] + (v0 >> 5)) ^ (sum + v0) ^ (k[2] + (v0 << 4));
v0 -= (k[1] + (v1 >> 5)) ^ (sum + v1) ^ (k[0] + (v1 << 4));
sum -= delta;
}
v[0] = v0;
v[1] = v1;
}
int main() {
unsigned int unk_404000[8] = {
0xEA2063F8, 0x8F66F252, 0x902A72EF, 0x411FDA74, 0x19590D4D, 0xCAE74317, 0x63870F3F, 0xD753AE61
};
int key[4] = { 1, 2, 3, 4 };
//printf("Original values:\n");
//for (int i = 0; i < 8; i += 2)
//{
// printf("0x%X 0x%X\n", unk_404000[i], unk_404000[i + 1]);
//}
//for (int i = 0; i < 8; i += 2)
//{
// TEA_encrypt(&unk_404000[i], key);
//}
//printf("\nEncrypted values:\n");
//for (int i = 0; i < 8; i += 2)
//{
// printf("0x%X 0x%X\n", unk_404000[i], unk_404000[i + 1]);
//}
for (int i = 0; i < 8; i += 2)
{
TEA_decrypt(&unk_404000[i], key);
}
printf("\nDecrypted values:\n");
for (int i = 0; i < 8; i += 2)
{
printf("0x%X 0x%X\n", unk_404000[i], unk_404000[i + 1]);
}
return 0;
}发现算脚本写的是可逆的,但是无法解出,那应该是有hook修改了一些值,回头去看函数,发现在调试时经过了这个函数:
int __stdcall sub_401020(int a1)
{
int *v2; // [esp+50h] [ebp-4h]
if ( **(_DWORD **)a1 == -1073741819 )
{
v2 = (int *)(*(_DWORD *)(*(_DWORD *)(a1 + 4) + 196) + 96);
*v2 = rand();
*(_DWORD *)(*(_DWORD *)(a1 + 4) + 184) += 2;
return -1;
}
else if ( **(_DWORD **)a1 == -1073741676 )
{
srand(0);
sub_401000();
*(_DWORD *)(*(_DWORD *)(*(_DWORD *)(a1 + 4) + 196) + 84) = 2;
*(_DWORD *)(*(_DWORD *)(a1 + 4) + 184) += 2;
return -1;
}
else
{
return 0;
}
}分析后发现这个函数用rand修改了每一次的delta导致无法直接解密,因为seed已知,rand可逆,直接rand解出所有的delta:
delta[] = {0x26, 0x1e27, 0x52f6, 0x985, 0x2297, 0x2e15, 0x20ad, 0x7e1d, 0x28d2, 0x7794, 0x16dd, 0x6dc4, 0x476, 0x119, 0x5039, 0x3e31, 0x22f1, 0x66ad, 0xbb5, 0x3958, 0x51f0, 0x7c93, 0x5497, 0x6532, 0x4819, 0x52b, 0x70d1, 0x8c0, 0x25fd, 0x7e16, 0x98e, 0x24e, 0x348, 0x489b, 0x420b, 0x52f5, 0x5c3b, 0x3149, 0x30a8, 0x363, 0x735d, 0x1ade, 0x6e3f, 0x45df, 0x7b6d, 0x5068, 0x2fb4, 0x7987, 0x1d9a, 0x42aa, 0x1dcd, 0x72dc, 0x2ff7, 0x34c1, 0x5f44, 0x2d81, 0x3029, 0x1c08, 0x91b, 0x4b40, 0x5662, 0x3738, 0x6930, 0x44e, 0x5494, 0x20d4, 0x5f11, 0x6cd0, 0x15de, 0x60c4, 0x3711, 0x339d, 0x124b, 0x413f, 0x3b9c, 0x3e46, 0xabb, 0x6aef, 0x70c7, 0x4654, 0x4121, 0xc50, 0x2e2b, 0x5bd0, 0xef, 0x105a, 0xaf4, 0x7109, 0xbcf, 0x285f, 0x5035, 0x5391, 0x3e94, 0x2d36, 0x657f, 0x3689, 0x270, 0x1b99, 0x6bb1, 0x321e, 0x5e67, 0x2fcc, 0x7a11, 0x5c54, 0x3d03, 0x647f, 0x319c, 0x5f03, 0x3a4a, 0x58f6, 0x1a9b, 0x2f1e, 0xded, 0x6267, 0x77, 0x493b, 0x65c2, 0x4ca4, 0x3fce, 0x1750, 0x4474, 0xdf9, 0x3ac6, 0x63bb, 0x387a, 0x7258, 0x67a2, 0x7d86}sum[] = { 0x6f0f9, 0x7d7e9, 0x76142, 0x873fc };修改之前的脚本解出flag,注意:key也不知道什么时候变了,但是调试秒了,exp:
#include <stdio.h>
void TEA_encrypt(unsigned int* v, const unsigned int* k)
{
unsigned int v0 = v[0], v1 = v[1];
unsigned int delta = 0x9E3779B9, sum = 0;
for (int i = 0; i < 32; ++i)
{
sum += delta;
v0 += (k[1] + (v1 >> 5)) ^ (sum + v1) ^ (k[0] + (v1 << 4));
v1 += (k[3] + (v0 >> 5)) ^ (sum + v0) ^ (k[2] + (v0 << 4));
}
v[0] = v0;
v[1] = v1;
}
unsigned int delta[] = { 0x26, 0x1e27, 0x52f6, 0x985, 0x2297, 0x2e15, 0x20ad, 0x7e1d, 0x28d2, 0x7794, 0x16dd, 0x6dc4, 0x476, 0x119, 0x5039, 0x3e31, 0x22f1, 0x66ad, 0xbb5, 0x3958, 0x51f0, 0x7c93, 0x5497, 0x6532, 0x4819, 0x52b, 0x70d1, 0x8c0, 0x25fd, 0x7e16, 0x98e, 0x24e, 0x348, 0x489b, 0x420b, 0x52f5, 0x5c3b, 0x3149, 0x30a8, 0x363, 0x735d, 0x1ade, 0x6e3f, 0x45df, 0x7b6d, 0x5068, 0x2fb4, 0x7987, 0x1d9a, 0x42aa, 0x1dcd, 0x72dc, 0x2ff7, 0x34c1, 0x5f44, 0x2d81, 0x3029, 0x1c08, 0x91b, 0x4b40, 0x5662, 0x3738, 0x6930, 0x44e, 0x5494, 0x20d4, 0x5f11, 0x6cd0, 0x15de, 0x60c4, 0x3711, 0x339d, 0x124b, 0x413f, 0x3b9c, 0x3e46, 0xabb, 0x6aef, 0x70c7, 0x4654, 0x4121, 0xc50, 0x2e2b, 0x5bd0, 0xef, 0x105a, 0xaf4, 0x7109, 0xbcf, 0x285f, 0x5035, 0x5391, 0x3e94, 0x2d36, 0x657f, 0x3689, 0x270, 0x1b99, 0x6bb1, 0x321e, 0x5e67, 0x2fcc, 0x7a11, 0x5c54, 0x3d03, 0x647f, 0x319c, 0x5f03, 0x3a4a, 0x58f6, 0x1a9b, 0x2f1e, 0xded, 0x6267, 0x77, 0x493b, 0x65c2, 0x4ca4, 0x3fce, 0x1750, 0x4474, 0xdf9, 0x3ac6, 0x63bb, 0x387a, 0x7258, 0x67a2, 0x7d86 };
unsigned int sum[] = { 0x6f0f9, 0x7d7e9, 0x76142, 0x873fc };
void TEA_decrypt(unsigned int* v,int count,int* k)
{
unsigned int v0 = v[0], v1 = v[1];
for (int i = 31; i >= 0; i--)
{
v1 -= (k[3] + (v0 >> 5)) ^ (sum[count] + v0) ^ (k[2] + (v0 << 4));
v0 -= (k[1] + (v1 >> 5)) ^ (sum[count] + v1) ^ (k[0] + (v1 << 4));
sum[count] -= delta[count * 32 + i];
}
v[0] = v0;
v[1] = v1;
}
int main() {
int key[4] = { 2, 2, 3, 3 };
//printf("Original values:\n");
//for (int i = 0; i < 8; i += 2)
//{
// printf("0x%X 0x%X\n", unk_404000[i], unk_404000[i + 1]);
//}
//for (int i = 0; i < 8; i += 2)
//{
// TEA_encrypt(&unk_404000[i], key);
//}
//printf("\nEncrypted values:\n");
//for (int i = 0; i < 8; i += 2)
//{
// printf("0x%X 0x%X\n", unk_404000[i], unk_404000[i + 1]);
//}
unsigned int unk_404000[8] = {
0xEA2063F8, 0x8F66F252, 0x902A72EF, 0x411FDA74, 0x19590D4D, 0xCAE74317, 0x63870F3F, 0xD753AE61
};
unsigned int count = 3;
for (int i = 6; i >= 0; i -= 2)
{
TEA_decrypt(&unk_404000[i],count ,key);
count--;
}
for (int i = 0; i < 8; i += 2)
{
printf("0x%X 0x%X\n", unk_404000[i], unk_404000[i + 1]);
}
return 0;
}0x35353564 0x35376563
0x39326365 0x65386333
0x32333264 0x64333864
0x30626666 0x32386666CyberChef转字符:
这里手动调一下顺序,因为0x35353564(555d) -> 0x64,0x35,0x35,0x35 (d555)
flag:
d555ce75ec293c8ed232d83dffb0ff82
转载
分享
0 条评论
可输入 255 字
发布投稿
