2024鹏程杯 re wp
1341025112991831 发表于 四川 CTF 302浏览 · 2024-11-09 12:02

Rafflesia

用DIE查看,32位程序,无壳;main函数里有花指令,先去花:

.text:004121C0 ; int __cdecl main_0(int argc, const char **argv, const char **envp)
.text:004121C0 _main_0:                                ; CODE XREF: _main↑j
.text:004121C0                 push    ebp
.text:004121C1                 mov     ebp, esp
.text:004121C3                 sub     esp, 270h
.text:004121C9                 push    ebx
.text:004121CA                 push    esi
.text:004121CB                 push    edi
.text:004121CC                 lea     edi, [ebp-1B0h]
.text:004121D2                 mov     ecx, 6Ch ; 'l'
.text:004121D7                 mov     eax, 0CCCCCCCCh
.text:004121DC                 rep stosd               ; fills 6Ch dwords starting at [ebp-1B0h] with 0CCCCCCCCh
.text:004121DE                 mov     eax, ___security_cookie
.text:004121E3                 xor     eax, ebp
.text:004121E5                 mov     [ebp-4], eax    ; stack cookie (___security_cookie xor ebp) saved at [ebp-4]
.text:004121E8                 jz      short near ptr loc_4121EC+1 ; jz and jnz share one target, so one of the two is always taken:
.text:004121EA                 jnz     short near ptr loc_4121EC+1 ; effectively an unconditional jump to 4121ED, one byte INTO the next instruction
.text:004121EC
.text:004121EC loc_4121EC:                             ; CODE XREF: .text:004121E8↑j
.text:004121EC                                         ; .text:004121EA↑j
.text:004121EC                 mov     eax, ebp        ; decoy: never entered at its first byte, only at 4121ED
.text:004121EC ; ---------------------------------------------------------------------------
.text:004121EE                 dw 0                    ; from here on the disassembler has lost sync and shows real code as data
.text:004121F0                 dd 4800000h, 89C30624h, 0EB9h ; NOTE(review): read from 4121ED the bytes look like E8 00 00 00 00 (call $+5), 80 04 24 06 (add byte ptr [esp], 6), C3 (ret), 89 (filler) - assumes 4121ED holds E8; confirm in a hex view
.text:004121FC                 db 0, 0BEh              ; NOTE(review): B9 0E 00 00 00 would be mov ecx, 0Eh, and 0BEh plus the offset below mov esi, offset string - confirm
.text:004121FE                 dd offset aHJhwpshJhMTbbk ; "H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~z"...
.text:00412202 ; ---------------------------------------------------------------------------
.text:00412202                 lea     edi, [ebp-44h]
.text:00412205                 rep movsd               ; copies ecx dwords from [esi] to the buffer at [ebp-44h]
.text:00412207                 movsb                   ; plus one more byte
.text:00412208                 lea     eax, [ebp-0CCh]
.text:0041220E                 push    eax             ; 2nd argument: buffer at [ebp-0CCh]
.text:0041220F                 lea     ecx, [ebp-44h]
.text:00412212                 push    ecx             ; 1st argument: the buffer just filled at [ebp-44h]
.text:00412213                 call    sub_411352
.text:00412218                 add     esp, 8
.text:0041221B                 mov     [ebp-160h], eax
.text:00412221                 mov     eax, [ebp-160h]
.text:00412227                 mov     [ebp-26Ch], eax
.text:0041222D                 cmp     dword ptr [ebp-26Ch], 80h ; return value is range-checked against 80h
.text:00412237                 jnb     short loc_41223B
.text:00412239                 jmp     short loc_412240

main函数:

// Hex-Rays pseudocode for main_0 after the junk bytes were patched.
// Visible flow: copy the expected string into Buf1, read the user's input into
// Str, transform it into Buf2 with sub_4111E0, then compare 0x38 bytes of Buf2
// against Buf1.
int __cdecl main_0(int argc, const char **argv, const char **envp)
{
  int v3; // ecx
  int v4; // edi
  size_t v5; // eax
  char Str[52]; // [esp+E8h] [ebp-194h] BYREF
  unsigned int v8; // [esp+11Ch] [ebp-160h]
  char Buf2[136]; // [esp+128h] [ebp-154h] BYREF
  char v10[136]; // [esp+1B0h] [ebp-CCh] BYREF
  char Buf1[64]; // [esp+238h] [ebp-44h] BYREF

  // v3 (ecx) and v4 (edi) are never assigned in this listing, so this store is
  // most likely residue of the junk bytes rather than program logic.
  // NOTE(review): 89 B9 0E 00 00 00 decodes as mov [ecx+0Eh], edi, i.e. the
  // 0x89 filler byte may not have been patched out - confirm in the binary.
  *(_DWORD *)(v3 + 14) = v4;
  // Copies 4*v3+1 bytes of the 56-character literal into Buf1[64].
  // NOTE(review): presumably v3 is 14 (57 bytes = string + NUL) - confirm.
  qmemcpy(Buf1, "H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~zaB^H+Lwv{SS|-j@\\_[Y", 4 * v3 + 1);
  // The return value is used as an index into v10[136]; the 0x80 bound below
  // keeps the terminator write inside the buffer.
  v8 = sub_411352(Buf1, v10);
  if ( v8 >= 0x80 )
    j____report_rangecheckfailure();
  v10[v8] = 0;
  sub_4110E6("input flag:"); // presumably a printf-style wrapper - confirm
  // NOTE(review): sub_4113FC looks like a scanf-style wrapper. The "%s" here
  // carries no field width, so input longer than 51 characters would write
  // past Str[52] - confirm the callee and the real format string.
  sub_4113FC("%s42", Str);
  j_strlen(Str); // result discarded
  v5 = j_strlen(Str);
  // Transforms v5 bytes of Str into Buf2[136]; the surrounding text identifies
  // this as base64 with a replaced alphabet followed by XOR 0x18.
  sub_4111E0(Str, Buf2, v5);
  // 0x38 = 56 bytes, the length of the literal copied into Buf1.
  if ( !j_memcmp(Buf1, Buf2, 0x38u) )
    sub_4110E6("win!!!!!!!!!!!!!!!!!!\n");
  else
    sub_4110E6("nonono\n");
  system("pause");
  return 0;
}

整体逻辑只有一个换表的base64再异或0x18:表是在TLS回调函数里改的,给回调函数去花、下断点并去掉反调试之后可以直接得到表;base64函数的结果最后又异或了0x18:

// TLS callback: the loader invokes TLS callbacks before the program's entry
// point, so this code has already run when main_0 starts.
// It first permutes the table at byte_41B000 in place, then performs two
// checks that each end the process with a message box and exit(1).
// Returns the result of sub_411276() (zero on the path that reaches return).
int __stdcall TlsCallback_0_0(int a1, int a2, int a3)
{
  int result; // eax
  char v4; // [esp+D3h] [ebp-29h]
  int v5; // [esp+DCh] [ebp-20h]
  int v6; // [esp+E8h] [ebp-14h]
  int v7; // [esp+F4h] [ebp-8h]

  // NOTE(review): v6 (bound) and v7 (index) are read without any visible
  // initialisation; presumably their setup was lost with the junk bytes -
  // confirm against the disassembly.
  while ( v7 < v6 )
  {
    // Partner index for position v7; depends only on v7 and v6, so the
    // resulting permutation is the same on every run.
    v5 = ((v7 >> 2) + 5 * v7) % v6;
    if ( v7 != v5 )
    {
      // Swap table entries v7 and v5.
      v4 = byte_41B000[v7];
      byte_41B000[v7] = byte_41B000[v5];
      byte_41B000[v5] = v4;
    }
    ++v7;
  }
  // The table has already been permuted when the debugger checks run.
  if ( IsDebuggerPresent() )
  {
    MessageBoxW(0, &Text, &Caption, 0x11u);
    exit(1);
  }
  // presumably a second anti-debugging check; a non-zero result is handled
  // exactly like IsDebuggerPresent() above - confirm what sub_411276 tests
  result = sub_411276();
  if ( result )
  {
    MessageBoxW(0, &Text, &Caption, 0x11u);
    exit(1);
  }
  return result;
}
table = HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0

exp:

'''
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

HElRNYGmBOMWnbDvUCgcpu1QdPqJIS+iTry39KXse4jLh/x26Ff5Z7Vokt8wzAa0
'''
# First line above: the standard base64 alphabet; second line: the replaced
# alphabet recovered from the binary.
# This step only undoes the final single-byte XOR (0x18). The output is still
# base64 text written in the replaced alphabet and has to be decoded with it.
data = 'H@^jHwpsH)[jH{M/\\tBBK_|-O{W.iJZ7\\)|~zaB^H+Lwv{SS|-j@\\_[Y'
a = ''.join([chr(ord(ch) ^ 0x18) for ch in data])
print(a)
# Expected output:
# a = "PXFrPohkP1CrPcU7DlZZSGd5WcO6qRB/D1dfbyZFP3ToncKKd5rXDGCA"

得到加密数据,知道表知道数据直接用CyberChef解出flag:

flag{8edae458-4tf3-2ph2-9f26-1f8719ec8f8d}

chall_py

下载下来是一个py文件,打开是经过base64编码的数据,试着直接解一下base64,发现解出来的还是base编码的数据,试了几次,发现这个题应该是要解多重base套娃,先解base:

from base64 import *

# Load the obfuscated challenge file as raw bytes. Every layer is handled as
# data to be decoded; nothing from it is imported or executed.
with open('./chall.py', 'rb') as file:
    data = file.read()

def extract_multiline_string(data):
    """Return the payload between the first pair of triple double-quote markers.

    data is the raw bytes of one layer. The payload is returned with surrounding
    whitespace stripped; None is returned when an opening or a closing marker
    is missing.
    """
    marker = b'"""'
    open_at = data.find(marker)
    # Search for the closing marker only after the opening one.
    close_at = data.find(marker, open_at + len(marker))

    if open_at == -1 or close_at == -1:
        return None
    return data[open_at + len(marker):close_at].strip()

# Peel the nested layers one at a time. Each layer is a script that names the
# decoder it needs and carries its payload in a triple-quoted string; the
# payload is decoded here and never executed.
# The tuple order is the order in which the decoder names are tested.
decoders = (
    (b'b32decode', b32decode),
    (b'b64decode', b64decode),
    (b'b85decode', b85decode),
    (b'a85decode', a85decode),
)

decode_more = True
while decode_more:
    code = extract_multiline_string(data)

    if code is None:
        break
    for marker, decode in decoders:
        if marker in data:
            data = decode(code)
            break
    else:
        # No known decoder name in this layer: stop and keep it as the result.
        decode_more = False


# Save the innermost layer for manual inspection.
with open('./last.txt', 'wb') as file2:
    file2.write(data)

解出来是这段python代码:

# Obfuscation layer: builtins are rebound to single-letter names, so the code
# below never spells out len/list/range/next/bytes/input/print.
a=True  # loop condition of `while a:` in l()
d=len
G=list
g=range
s=next
R=bytes
o=input
Y=print
def l(S):
 # Endless keystream generator over the 256-entry state list S, which is
 # permuted in place. The index updates, the swap and the output lookup are
 # those of the RC4 output loop (PRGA).
 i=0
 j=0
 while a:
  i=(i+1)%256
  j=(j+S[i])%256
  S[i],S[j]=S[j],S[i]
  K=S[(S[i]+S[j])%256]
  yield K
def N(key,O):
 # Transforms the byte sequence O under `key` and returns the result as bytes.
 I=d(key)
 S=G(g(256))
 j=0
 # Key scheduling: same index update and swap as the RC4 KSA.
 for i in g(256):
  j=(j+S[i]+key[i%I])%256
  S[i],S[j]=S[j],S[i]
 z=l(S)
 n=[]
 for k in O:
  # `+` binds tighter than `^`, so this is k ^ (keystream byte + 2).
  # XOR with the same mask is its own inverse: N(key, N(key, x)) == x,
  # which is why the checker's expected output can be run back through N.
  # A keystream byte of 254 or 255 pushes the mask above 255, and R(n)
  # (bytes) would then raise ValueError.
  n.append(k^s(z)+2)
 return R(n)
def E(s,parts_num):
 # Splits the bytes s into parts_num consecutive slices and returns them as a
 # list. The length is taken from s.decode() (characters) while the slices are
 # cut from the bytes s; the two agree only when every character is one byte.
 Q=d(s.decode())
 S=Q//parts_num
 u=Q%parts_num
 W=[]
 j=0
 for i in g(parts_num):
  T=j+S
  # The first Q % parts_num slices each take one extra element.
  if u>0:
   T+=1
   u-=1
  W.append(s[j:T])
  j=T
 return W
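if __name__=='__main__':
 # Flag checker: the input is split in two halves, each half is passed through
 # N() with the hard-coded key, and the hex of both results is compared with
 # two embedded constants.
 L=o('input the flag: >>> ').encode()
 assert d(L)%2==0,'flag length should be even'
 # The key is stored in clear text next to the expected output, so the check
 # can be inverted by anyone holding the script.
 t=b'v3ry_s3cr3t_p@ssw0rd'
 O=E(L,2)
 U=[]
 for i in O:
  U.append(N(t,i).hex())
 # The opening quote of the second constant was missing in the listing, which
 # made the line a syntax error; it is restored here.
 if U==['1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60','2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a']:
  Y('Congratulations! You got the flag!')
 else:
  Y('Wrong flag!')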

因为加密逻辑直接给出了,而且是与密钥流逐字节异或(加密和解密是同一个运算),直接改代码,把密文喂回去,让它自己把密文解出来:

# from base64 import *

# data = b''
# with open ('./chall.py','rb') as file:
#     data = file.read()

# def extract_multiline_string(data):
#     start = b'"""'
#     end = b'"""'
#     start_idx = data.find(start)
#     end_idx = data.find(end, start_idx + len(start))

#     if start_idx != -1 and end_idx != -1:
#         return data[start_idx + len(start):end_idx].strip()
#     else:
#         return None

# decode_more = True
# while decode_more:
#     code = extract_multiline_string(data)

#     if code is None:
#         break
#     if b'b32decode' in data:
#         data = b32decode(code)
#     elif b'b64decode' in data:
#         data = b64decode(code)
#     elif b'b85decode' in data:
#         data = b85decode(code)    
#     elif b'a85decode' in data:
#         data = a85decode(code)
#     else:
#         decode_more = False


# with open('./last.txt','wb') as file2:
#     file2.write(data)

# Single-letter aliases for builtins, left over from the obfuscated original;
# kept because the functions below still refer to them.
a, d, G, g = True, len, list, range
s, R, o, Y = next, bytes, input, print
def l(S):
    """Yield keystream bytes forever, permuting the 256-entry state S in place.

    The index updates, the swap and the output lookup are those of the RC4
    output loop (PRGA).
    """
    x = 0
    y = 0
    while True:
        x = (x + 1) % 256
        y = (y + S[x]) % 256
        S[x], S[y] = S[y], S[x]
        yield S[(S[x] + S[y]) % 256]
def N(key,O):
    """Transform the byte sequence O under key and return the result as bytes.

    The state is scheduled from key as in the RC4 KSA; each input byte is then
    XORed with (keystream byte + 2). Because XOR with the same mask undoes
    itself, applying N twice with the same key returns the original input.
    """
    key_len = len(key)
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + key[i % key_len]) % 256
        state[i], state[j] = state[j], state[i]
    keystream = l(state)
    # `+` binds tighter than `^`, hence the explicit parentheses.
    return bytes([b ^ (next(keystream) + 2) for b in O])
def E(s,parts_num):
    """Split the byte string ``s`` into ``parts_num`` consecutive slices.

    The total length is the character count of the decoded text, but the
    slices are taken from the raw bytes; the two agree only when each
    character is a single byte. When the length is not a multiple of
    ``parts_num``, the first slices each get one extra element.
    """
    size, spare = divmod(len(s.decode()), parts_num)
    out = []
    lo = 0
    for n in range(parts_num):
        # Slices with index below `spare` absorb the remainder.
        hi = lo + size + (1 if n < spare else 0)
        out.append(s[lo:hi])
        lo = hi
    return out
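if __name__=='__main__':
    # Decryption harness. N XORs every byte with a keystream that depends
    # only on the key, so feeding it the two expected ciphertexts under the
    # same key yields the two halves of the flag. No user input is needed:
    # the ciphertexts are the only data processed.
    t=b'v3ry_s3cr3t_p@ssw0rd'
    O=[bytes.fromhex('1796972c348bc4fe7a1930b833ff10a80ab281627731ab705dacacfef2e2804d74ab6bc19f60'),bytes.fromhex('2ea999141a8cc9e47975269340c177c726a8aa732953a66a6af183bcd9cec8464a')]
    U=[]
    for i in O:
        U.append(N(t,i).hex())
    # Printed as hex strings; decode them from hex to read the flag text.
    print(U)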

结果:

['666c61677b7468456e5f495f4361355f42455f596f55525f4f6e6c375f45786543557469366e', '5f536f5f5573655f6d335f74305f52306e5f744831375f45783343757469306e7d']

CyberChef直接转一下:

flag{thEn_I_Ca5_BE_YoUR_Onl7_ExeCUti6n_So_Use_m3_t0_R0n_tH17_Ex3Cuti0n}

joyVBS

下载下来一看,是一道 VBS 脚本的题。后面执行的很多指令可以通过把“执行”改成“打印”来查看,和上面这道题类似,这样被混淆的内容只会被写出来而不会被运行;不过代码有点长,写入一个文件里面好看一点:

Dim f, o
Set f = CreateObject("Scripting.FileSystemObject")
Set o = f.CreateTextFile("code.txt", True)
o.Write(chr( 1646-1569 ) & chr( 846170/7358 ) & chr( 569487/5529 ) & chr( 571824/8664 ) & chr( 8409-8298 ) & chr( 2893-2773 ) & chr( 7979-7947 ) & chr( 3597-3563 ) & chr( -515+601 ) & chr( 489456/7416 ) & chr( -4892+4975 ) & chr( 4109-4010 ) & chr( -9287+9401 ) & chr( 1007160/9592 ) & chr( 152656/1363 ) & chr( -2648+2764 ) & chr( 419144/9526 ) & chr( 88416/2763 ) & chr( 8380-8269 ) & chr( 24480/240 ) & chr( -4597+4713 ) & chr( 648-547 ) & chr( -8146+8256 ) & chr( -9478+9510 ) & chr( 2699-2602 ) & chr( -1620+1718 ) & chr( -196+294 ) & chr( -1186+1300 ) & chr( -9642+9743 ) & chr( 614544/5208 ) & chr( -4654+4759 ) & chr( 872612/8996 ) & chr( 6703-6587 ) & chr( -5002+5103 ) & chr( 843300/8433 ) & chr( -3604+3636 ) & chr( -2400+2497 ) & chr( -5531+5646 ) & chr( 304160/9505 ) & chr( 766776/8916 ) & chr( 805-739 ) & chr( -6154+6237 ) & chr( -2525+2569 ) & chr( 198112/6191 ) & chr( 365925/3485 ) & chr( -6317+6432 ) & chr( -3595+3627 ) & chr( 9565-9468 ) & chr( -6705+6815 ) & chr( 974-942 ) & chr( 513585/5085 ) & chr( -294+412 ) & chr( 5815-5714 ) & chr( 509850/4635 ) & chr( -641+757 ) & chr( 3390-3345 ) & chr( -8974+9074 ) & chr( 859104/7536 ) & chr( 968-863 ) & chr( 28792/244 ) & chr( -4591+4692 ) & chr( -9716+9826 ) & chr( -6996+7028 ) & chr( 643216/5743 ) & chr( 4386-4272 ) & chr( 6953-6842 ) & chr( 7389-7286 ) & chr( 2247-2133 ) & chr( 8522-8425 ) & chr( 4185-4076 ) & chr( -964+1073 ) & chr( -4253+4358 ) & chr( -1558+1668 ) & chr( 2281-2178 ) & chr( -4204+4236 ) & chr( 542484/5023 ) & chr( -7327+7424 ) & chr( 2064-1954 ) & chr( 414678/4026 ) & chr( 1098045/9385 ) & chr( 292940/3020 ) & chr( 9468-9365 ) & chr( -3997+4098 ) & chr( 392-360 ) & chr( -4594+4694 ) & chr( 53530/530 ) & chr( -9399+9517 ) & chr( 355318/3518 ) & chr( -2478+2586 ) & chr( 746364/6724 ) & chr( -1641+1753 ) & chr( 2190-2089 ) & chr( -5644+5744 ) & chr( -9344+9376 ) & chr( -3584+3682 ) & chr( 2075-1954 ) & chr( 227936/7123 ) & chr( 390775/5075 ) & chr( 4690-4585 ) & chr( 658845/6655 ) & chr( 
978348/8582 ) & chr( -451+562 ) & chr( -5036+5151 ) & chr( -2277+2388 ) & chr( 5990-5888 ) & chr( 897492/7737 ) & chr( 2520-2476 ) & chr( 96160/3005 ) & chr( -3603+3715 ) & chr( 986898/8657 ) & chr( 531195/5059 ) & chr( -4906+5015 ) & chr( -544+641 ) & chr( -419+533 ) & chr( 7914-7809 ) & chr( 2690-2582 ) & chr( 502392/4152 ) & chr( -700+732 ) & chr( 823446/7038 ) & chr( 290835/2529 ) & chr( 569539/5639 ) & chr( 1881-1781 ) & chr( 5498-5466 ) & chr( 951966/9333 ) & chr( 599400/5400 ) & chr( -6244+6358 ) & chr( -7188+7220 ) & chr( 14720/128 ) & chr( 7738-7639 ) & chr( -2188+2302 ) & chr( -2727+2832 ) & chr( 9815-9703 ) & chr( 5583-5467 ) & chr( -7500+7605 ) & chr( 466290/4239 ) & chr( 567015/5505 ) & chr( 188800/5900 ) & chr( 568680/5416 ) & chr( 9897-9787 ) & chr( 2669-2637 ) & chr( 4976-4860 ) & chr( 9146-9042 ) & chr( 9328-9227 ) & chr( 283424/8857 ) & chr( 189486/2178 ) & chr( 7049-6944 ) & chr( 8826-8716 ) & chr( 958100/9581 ) & chr( 6700-6589 ) & chr( 7860-7741 ) & chr( 669070/5818 ) & chr( -2846+2878 ) & chr( -632+733 ) & chr( 5316-5206 ) & chr( 4620-4502 ) & chr( 4584-4479 ) & chr( 702126/6159 ) & chr( -3160+3271 ) & chr( -33+143 ) & chr( 301385/2765 ) & chr( -8221+8322 ) & chr( 1133-1023 ) & chr( 4642-4526 ) & chr( 3823-3777 ) & chr( 1614-1580 ) & chr( 100152/7704 ) & chr( 847-837 ) & chr( 478247/6211 ) & chr( 483230/4202 ) & chr( -7611+7714 ) & chr( 572286/8671 ) & chr( -6309+6420 ) & chr( -3239+3359 ) & chr( -5577+5609 ) & chr( -8996+9030 ) & chr( 3486-3413 ) & chr( -15+131 ) & chr( -1068+1100 ) & chr( -9216+9321 ) & chr( 3969-3854 ) & chr( 144128/4504 ) & chr( 397488/4056 ) & chr( 810726/8358 ) & chr( 7180-7065 ) & chr( 37168/368 ) & chr( -9401+9501 ) & chr( 1391-1359 ) & chr( 87+24 ) & chr( 57420/522 ) & chr( -2584+2616 ) & chr( 574316/4951 ) & chr( 2468-2364 ) & chr( 168670/1670 ) & chr( -3706+3738 ) & chr( 186362/2167 ) & chr( 1480-1375 ) & chr( 9537-9422 ) & chr( 3477-3360 ) & chr( 7541-7444 ) & chr( 756432/7004 ) & chr( 105440/3295 ) & chr( 
7197-7131 ) & chr( 1724-1627 ) & chr( 788095/6853 ) & chr( 179655/1711 ) & chr( -758+857 ) & chr( -6936+6968 ) & chr( -1069+1181 ) & chr( -6887+7001 ) & chr( 610500/5500 ) & chr( 2227-2124 ) & chr( -7789+7903 ) & chr( 495-398 ) & chr( 2287-2178 ) & chr( 780113/7157 ) & chr( 796950/7590 ) & chr( 7155-7045 ) & chr( 7268-7165 ) & chr( -8507+8539 ) & chr( 914760/8470 ) & chr( 1086-989 ) & chr( -6783+6893 ) & chr( 4247-4144 ) & chr( -1310+1427 ) & chr( 17945/185 ) & chr( 303644/2948 ) & chr( 8356-8255 ) & chr( 5032-5000 ) & chr( 1590-1493 ) & chr( -6963+7073 ) & chr( -6461+6561 ) & chr( 418-386 ) & chr( 596295/5679 ) & chr( 709205/6167 ) & chr( -1124+1156 ) & chr( -6337+6437 ) & chr( 2518-2417 ) & chr( 7402-7287 ) & chr( -5436+5541 ) & chr( 480289/4663 ) & chr( 581460/5286 ) & chr( 2745-2644 ) & chr( -9523+9623 ) & chr( -4195+4227 ) & chr( -6654+6770 ) & chr( 4717-4606 ) & chr( 4749-4717 ) & chr( 681394/6953 ) & chr( -3161+3262 ) & chr( 22368/699 ) & chr( -8426+8541 ) & chr( 243180/2316 ) & chr( 6431/59 ) & chr( 963312/8601 ) & chr( 329-221 ) & chr( 2553-2452 ) & chr( -6333+6365 ) & chr( -1054+1151 ) & chr( 582010/5291 ) & chr( 714900/7149 ) & chr( 324-292 ) & chr( -1241+1342 ) & chr( -591+688 ) & chr( 1018325/8855 ) & chr( 3975-3854 ) & chr( 234304/7322 ) & chr( 9872-9756 ) & chr( -7560+7671 ) & chr( -7944+7976 ) & chr( -7281+7398 ) & chr( 7363-7248 ) & chr( 642057/6357 ) & chr( 7531-7487 ) & chr( 5064-5032 ) & chr( -4219+4320 ) & chr( 612605/5327 ) & chr( -6009+6121 ) & chr( 3942-3841 ) & chr( 3635-3536 ) & chr( 7758-7653 ) & chr( 1617-1520 ) & chr( 2709-2601 ) & chr( -3757+3865 ) & chr( 4184-4063 ) & chr( 264-232 ) & chr( 343-241 ) & chr( 5795-5684 ) & chr( -7826+7940 ) & chr( 86784/2712 ) & chr( -733+849 ) & chr( 600496/5774 ) & chr( 35964/324 ) & chr( -8204+8319 ) & chr( -8567+8668 ) & chr( 2356-2324 ) & chr( -4810+4912 ) & chr( 31137/321 ) & chr( -2988+3097 ) & chr( -9824+9929 ) & chr( 3163-3055 ) & chr( -784+889 ) & chr( 3789-3692 ) & chr( -4476+4590 ) & chr( 
280448/8764 ) & chr( -5985+6104 ) & chr( 542220/5164 ) & chr( 1010824/8714 ) & chr( 385008/3702 ) & chr( 982-950 ) & chr( 2499-2383 ) & chr( 6219-6115 ) & chr( 221392/2192 ) & chr( -4287+4319 ) & chr( 5438-5372 ) & chr( -6947+7012 ) & chr( -6127+6210 ) & chr( 4082-4009 ) & chr( 4380-4313 ) & chr( 3063-3031 ) & chr( 43792/391 ) & chr( 196650/1725 ) & chr( -4430+4541 ) & chr( 227012/2204 ) & chr( 7138-7024 ) & chr( 8172-8075 ) & chr( 168950/1550 ) & chr( 432730/3970 ) & chr( 110985/1057 ) & chr( -7468+7578 ) & chr( 616970/5990 ) & chr( -4142+4174 ) & chr( 5198-5090 ) & chr( -3559+3656 ) & chr( 8777-8667 ) & chr( 170-67 ) & chr( -4267+4384 ) & chr( 3734-3637 ) & chr( 5644-5541 ) & chr( -5205+5306 ) & chr( 1899-1853 ) & chr( -3724+3758 ) & chr( 35516/2732 ) & chr( 4964-4954 ) & chr( 3145-3068 ) & chr( 478400/4160 ) & chr( 1616-1513 ) & chr( 546-480 ) & chr( 139638/1258 ) & chr( -3770+3890 ) & chr( -3284+3316 ) & chr( -4728+4762 ) & chr( -2240+2305 ) & chr( 649330/5903 ) & chr( 472700/4727 ) & chr( -7050+7082 ) & chr( -9648+9750 ) & chr( -1949+2060 ) & chr( 283860/2490 ) & chr( 260064/8127 ) & chr( -9680+9789 ) & chr( 820726/8126 ) & chr( -8459+8503 ) & chr( -4960+4992 ) & chr( 6380-6275 ) & chr( 1017900/8775 ) & chr( 154336/4823 ) & chr( 648795/6179 ) & chr( 657455/5717 ) & chr( -2554+2586 ) & chr( 1004792/8662 ) & chr( -6490+6594 ) & chr( -2178+2279 ) & chr( -7012+7044 ) & chr( 7489-7387 ) & chr( -2447+2552 ) & chr( 2896-2782 ) & chr( 3656-3541 ) & chr( -3407+3523 ) & chr( 6804-6772 ) & chr( -1594+1706 ) & chr( -2260+2374 ) & chr( -9640+9751 ) & chr( 348037/3379 ) & chr( 6296-6182 ) & chr( 751556/7748 ) & chr( 4016-3907 ) & chr( 316754/2906 ) & chr( 1106-1001 ) & chr( 305030/2773 ) & chr( -3882+3985 ) & chr( 7324-7292 ) & chr( 389880/3610 ) & chr( 433202/4466 ) & chr( -3025+3135 ) & chr( 502846/4882 ) & chr( 1065987/9111 ) & chr( -8652+8749 ) & chr( -4558+4661 ) & chr( -5324+5425 ) & chr( -5231+5263 ) & chr( -5335+5451 ) & chr( 7130-7026 ) & chr( -4983+5080 ) & chr( 
867680/7480 ) & chr( 105888/3309 ) & chr( -8775+8848 ) & chr( -1371+1410 ) & chr( 452530/3835 ) & chr( 501263/4963 ) & chr( 3934-3902 ) & chr( 8493-8385 ) & chr( 155-54 ) & chr( 190314/1962 ) & chr( -6003+6117 ) & chr( 1496-1380 ) & chr( 153748/4522 ) & chr( -9746+9759 ) & chr( 45810/4581 ) & chr( 2255-2178 ) & chr( 376970/3278 ) & chr( -2612+2715 ) & chr( -8472+8538 ) & chr( 4079-3968 ) & chr( -4899+5019 ) & chr( 9128-9096 ) & chr( 2420-2386 ) & chr( 456768/6344 ) & chr( 6194-6097 ) & chr( 6175-6076 ) & chr( 788-681 ) & chr( -205+306 ) & chr( 629394/5521 ) & chr( 544295/4733 ) & chr( 103455/3135 ) & chr( -3231+3263 ) & chr( 716904/9957 ) & chr( -4955+5052 ) & chr( 9735-9617 ) & chr( 4129-4028 ) & chr( 8757-8725 ) & chr( 1028-926 ) & chr( 602550/5150 ) & chr( 7930-7820 ) & chr( -8771+8803 ) & chr( 5272-5153 ) & chr( 516075/4915 ) & chr( 1382-1266 ) & chr( 9928-9824 ) & chr( 141920/4435 ) & chr( 1073000/9250 ) & chr( -7294+7398 ) & chr( 9185-9080 ) & chr( -4270+4385 ) & chr( -8615+8647 ) & chr( -567+653 ) & chr( -6449+6515 ) & chr( 4600-4517 ) & chr( -8724+8756 ) & chr( 1977-1878 ) & chr( -9629+9733 ) & chr( 315832/3256 ) & chr( 5490-5382 ) & chr( 358776/3322 ) & chr( -8892+8993 ) & chr( 3040-2930 ) & chr( -9385+9488 ) & chr( 368044/3644 ) & chr( 72897/2209 ) & chr( -4740+4774 ) & chr( 2205-2192 ) & chr( 2916-2906 ) & chr( -9851+9953 ) & chr( -3823+3931 ) & chr( 9864-9767 ) & chr( 7681-7578 ) & chr( 14464/452 ) & chr( 271267/4447 ) & chr( 276640/8645 ) & chr( 404201/5537 ) & chr( 504900/4590 ) & chr( 4390-4278 ) & chr( -296+413 ) & chr( -948+1064 ) & chr( 59862/907 ) & chr( 394-283 ) & chr( -6693+6813 ) & chr( 393920/9848 ) & chr( -565+599 ) & chr( 3299-3230 ) & chr( 4855-4745 ) & chr( 462144/3984 ) & chr( 254520/2520 ) & chr( 318060/2790 ) & chr( 40480/1265 ) & chr( 7089-6973 ) & chr( 8281-8177 ) & chr( 2644-2543 ) & chr( -8553+8585 ) & chr( 610540/8722 ) & chr( 511936/6736 ) & chr( -4910+4975 ) & chr( 644183/9073 ) & chr( -485+543 ) & chr( 52-18 ) & chr( 6520-6476 
) & chr( 285-253 ) & chr( 193-159 ) & chr( -7429+7501 ) & chr( 227562/2346 ) & chr( -9707+9806 ) & chr( 6800-6693 ) & chr( 42176/1318 ) & chr( -1685+1787 ) & chr( -458+569 ) & chr( 5792-5678 ) & chr( 40320/1260 ) & chr( 3012-2910 ) & chr( 5652-5535 ) & chr( 445830/4053 ) & chr( 9806-9772 ) & chr( -7692+7733 ) & chr( 2867-2854 ) & chr( 51630/5163 ) & chr( 7076-6957 ) & chr( -7076+7177 ) & chr( -728+830 ) & chr( -3660+3758 ) & chr( -5458+5575 ) & chr( 6191-6072 ) & chr( 307335/2927 ) & chr( 116649/997 ) & chr( 609939/6039 ) & chr( 260896/8153 ) & chr( -2700+2761 ) & chr( -9409+9441 ) & chr( -1388+1422 ) & chr( 82914/1063 ) & chr( 9206-9109 ) & chr( -7953+8061 ) & chr( 2569-2451 ) & chr( -1269+1347 ) & chr( 950-899 ) & chr( 7337-7233 ) & chr( -2434+2509 ) & chr( -9393+9462 ) & chr( 2340-2220 ) & chr( -3673+3739 ) & chr( -2522+2638 ) & chr( 4831-4766 ) & chr( 555864/7314 ) & chr( -5702+5768 ) & chr( -6416+6532 ) & chr( -454+527 ) & chr( -5471+5581 ) & chr( 7994-7914 ) & chr( 643220/5545 ) & chr( -8840+8918 ) & chr( 6649-6577 ) & chr( 6263-6179 ) & chr( 405350/3685 ) & chr( 6093-6018 ) & chr( 370888/5012 ) & chr( 166264/2969 ) & chr( -2569+2617 ) & chr( 6887-6811 ) & chr( 5807-5756 ) & chr( -2024+2098 ) & chr( 773024/6664 ) & chr( -77+190 ) & chr( 8953-8833 ) & chr( -3702+3786 ) & chr( -7703+7801 ) & chr( 438672/3952 ) & chr( 362768/4424 ) & chr( 9723-9658 ) & chr( 711-664 ) & chr( 754754/9802 ) & chr( -7767+7865 ) & chr( -7678+7748 ) & chr( 7592-7541 ) & chr( -8274+8350 ) & chr( 511500/4650 ) & chr( 629328/7492 ) & chr( -3332+3380 ) & chr( 4189-4113 ) & chr( 271400/5428 ) & chr( -4616+4738 ) & chr( 56376/783 ) & chr( 589-513 ) & chr( -955+1005 ) & chr( -6651+6734 ) & chr( 540864/5008 ) & chr( -4766+4879 ) & chr( -7232+7342 ) & chr( 7218-7138 ) & chr( -8855+8971 ) & chr( 3521-3447 ) & chr( -482+558 ) & chr( -950+1015 ) & chr( 8353-8243 ) & chr( 445060/6358 ) & chr( 2025-1927 ) & chr( -9760+9833 ) & chr( 653616/6052 ) & chr( -2585+2661 ) & chr( -2830+2880 ) & chr( 
6551-6468 ) & chr( 8391-8281 ) & chr( 371630/5309 ) & chr( 88-4 ) & chr( 11368/203 ) & chr( 8578-8470 ) & chr( 690256/6163 ) & chr( 80+42 ) & chr( 120890/1727 ) & chr( 2938-2816 ) & chr( 64285/989 ) & chr( -4844+4894 ) & chr( 601842/8133 ) & chr( 372312/5171 ) & chr( -4346+4460 ) & chr( 6696-6614 ) & chr( -7839+7923 ) & chr( 2149-2044 ) & chr( -5078+5156 ) & chr( 263344/2416 ) & chr( 504420/6005 ) & chr( -7543+7600 ) & chr( 595-561 ) & chr( -9653+9666 ) & chr( 86910/8691 ) & chr( 112580/8660 ) & chr( 2078-2068 ) & chr( 1003-890 ) & chr( -8583+8702 ) & chr( -9601+9703 ) & chr( 1007273/9973 ) & chr( -8736+8768 ) & chr( 9943/163 ) & chr( 7893-7861 ) & chr( 8539-8482 ) & chr( 48934/1138 ) & chr( 180300/3606 ) & chr( -7881+7924 ) & chr( 754-704 ) & chr( 257613/5991 ) & chr( 1020-971 ) & chr( 7353-7340 ) & chr( 36570/3657 ) & chr( -6466+6479 ) & chr( 611-601 ) & chr( -1140+1210 ) & chr( 381654/3262 ) & chr( 649550/5905 ) & chr( -2149+2248 ) & chr( 7409-7293 ) & chr( 9454-9349 ) & chr( 2844-2733 ) & chr( -1959+2069 ) & chr( 1036-1004 ) & chr( 720-654 ) & chr( -5484+5581 ) & chr( -7513+7628 ) & chr( 517-416 ) & chr( 9872-9818 ) & chr( 427544/8222 ) & chr( 2961-2893 ) & chr( 1355-1254 ) & chr( -8290+8389 ) & chr( 509268/4588 ) & chr( 324200/3242 ) & chr( 2004-1903 ) & chr( 72840/1821 ) & chr( 3863-3765 ) & chr( 44232/456 ) & chr( -8289+8404 ) & chr( -4373+4474 ) & chr( -4943+4997 ) & chr( 7776-7724 ) & chr( 652119/9451 ) & chr( 4725-4615 ) & chr( 265617/2683 ) & chr( -4530+4641 ) & chr( 139900/1399 ) & chr( 951117/9417 ) & chr( 137800/1378 ) & chr( 183181/2207 ) & chr( 3371-3255 ) & chr( 1135326/9959 ) & chr( -690+795 ) & chr( -7720+7830 ) & chr( -1581+1684 ) & chr( -6185+6226 ) & chr( 10426/802 ) & chr( -314+324 ) & chr( 6041-6009 ) & chr( -2078+2110 ) & chr( 6455-6423 ) & chr( 4939-4907 ) & chr( -3138+3206 ) & chr( 513-408 ) & chr( -2730+2839 ) & chr( 8238-8206 ) & chr( 349080/2909 ) & chr( -7717+7826 ) & chr( 495-387 ) & chr( 143176/3254 ) & chr( -2377+2409 ) & chr( 
-9871+9972 ) & chr( 9667-9559 ) & chr( -4387+4488 ) & chr( 1760-1651 ) & chr( 6377-6364 ) & chr( 6016-6006 ) & chr( 2785-2753 ) & chr( 8270-8238 ) & chr( 173600/5425 ) & chr( 177056/5533 ) & chr( 24983/301 ) & chr( 245329/2429 ) & chr( 1100144/9484 ) & chr( -9070+9102 ) & chr( -5669+5789 ) & chr( 2249-2140 ) & chr( 1055808/9776 ) & chr( 7862-7830 ) & chr( -9219+9280 ) & chr( -7908+7940 ) & chr( 1509-1442 ) & chr( 911316/7994 ) & chr( -7142+7243 ) & chr( 781626/8058 ) & chr( 8647-8531 ) & chr( -5921+6022 ) & chr( 7634-7555 ) & chr( 331044/3378 ) & chr( -8890+8996 ) & chr( -3401+3502 ) & chr( -4399+4498 ) & chr( 282924/2439 ) & chr( 9739-9699 ) & chr( 74052/2178 ) & chr( 289597/3761 ) & chr( 6521-6438 ) & chr( -1317+1405 ) & chr( 688996/8948 ) & chr( 7514-7438 ) & chr( 211400/4228 ) & chr( 3833-3787 ) & chr( 59092/869 ) & chr( 713370/9030 ) & chr( 563409/7317 ) & chr( -357+425 ) & chr( 16872/152 ) & chr( 8544-8445 ) & chr( 569790/4870 ) & chr( -3695+3804 ) & chr( -9064+9165 ) & chr( 769450/6995 ) & chr( 8825-8709 ) & chr( -282+316 ) & chr( -5392+5433 ) & chr( -2388+2401 ) & chr( 83110/8311 ) & chr( -5225+5257 ) & chr( 6669-6637 ) & chr( 3821-3789 ) & chr( 185888/5809 ) & chr( 7916-7833 ) & chr( 566812/5612 ) & chr( 776040/6690 ) & chr( 1027-995 ) & chr( 621554/6154 ) & chr( 5462-5354 ) & chr( 812444/8044 ) & chr( -6205+6314 ) & chr( 71552/2236 ) & chr( -3949+4010 ) & chr( 1227-1195 ) & chr( 1988-1868 ) & chr( 7112-7003 ) & chr( -9779+9887 ) & chr( -848+894 ) & chr( -318+417 ) & chr( 5397-5283 ) & chr( -6345+6446 ) & chr( 804906/8298 ) & chr( -2260+2376 ) & chr( -710+811 ) & chr( 504114/7306 ) & chr( 644868/5971 ) & chr( 917-816 ) & chr( -1121+1230 ) & chr( -1141+1242 ) & chr( 2992-2882 ) & chr( 6580-6464 ) & chr( -3047+3087 ) & chr( 7217-7183 ) & chr( -9291+9407 ) & chr( 294736/2704 ) & chr( 6948-6836 ) & chr( 313344/9216 ) & chr( 2371-2330 ) & chr( -563+576 ) & chr( -1828+1838 ) & chr( -1554+1586 ) & chr( 9869-9837 ) & chr( -3745+3777 ) & chr( 43488/1359 ) & chr( 
3792-3691 ) & chr( 704592/6524 ) & chr( 369559/3659 ) & chr( 825348/7572 ) & chr( -5040+5086 ) & chr( -8292+8392 ) & chr( 410407/4231 ) & chr( 760496/6556 ) & chr( 582-485 ) & chr( -7764+7848 ) & chr( -7036+7157 ) & chr( 369264/3297 ) & chr( -4653+4754 ) & chr( -8674+8706 ) & chr( 6821-6760 ) & chr( 6718-6686 ) & chr( -7885+7919 ) & chr( -1087+1185 ) & chr( -4912+5017 ) & chr( -4410+4520 ) & chr( 206-160 ) & chr( 7009-6911 ) & chr( 636417/6561 ) & chr( 978075/8505 ) & chr( 688315/6815 ) & chr( 211464/3916 ) & chr( 191516/3683 ) & chr( 314500/9250 ) & chr( 3407-3375 ) & chr( 21320/1640 ) & chr( -1318+1328 ) & chr( -1240+1272 ) & chr( -458+490 ) & chr( 5958-5926 ) & chr( 67200/2100 ) & chr( -7894+7995 ) & chr( 968436/8967 ) & chr( -3924+4025 ) & chr( -1148+1257 ) & chr( -6700+6746 ) & chr( -4652+4768 ) & chr( -9495+9596 ) & chr( 205680/1714 ) & chr( 436276/3761 ) & chr( -3977+4009 ) & chr( -7640+7701 ) & chr( 9075-9043 ) & chr( -9084+9182 ) & chr( 8063-7966 ) & chr( -9695+9810 ) & chr( 6572-6471 ) & chr( -2003+2057 ) & chr( 419640/8070 ) & chr( -8730+8799 ) & chr( 1086910/9881 ) & chr( -5241+5340 ) & chr( 100677/907 ) & chr( 395000/3950 ) & chr( 2916-2815 ) & chr( 991-891 ) & chr( -3137+3220 ) & chr( 690432/5952 ) & chr( 167238/1467 ) & chr( -4372+4477 ) & chr( 759990/6909 ) & chr( 195597/1899 ) & chr( 310112/9691 ) & chr( -758+771 ) & chr( 40300/4030 ) & chr( 9376/293 ) & chr( 4028-3996 ) & chr( 8383-8351 ) & chr( 57408/1794 ) & chr( 6109-6041 ) & chr( -8441+8546 ) & chr( -4594+4703 ) & chr( 7602-7570 ) & chr( 627325/5455 ) & chr( 18908/163 ) & chr( 1334-1220 ) & chr( 3983-3882 ) & chr( 121929/1257 ) & chr( 362425/3325 ) & chr( 106561/8197 ) & chr( 3421-3411 ) & chr( 242272/7571 ) & chr( -5132+5164 ) & chr( -9809+9841 ) & chr( 127776/3993 ) & chr( -4848+4931 ) & chr( 573-472 ) & chr( 9376-9260 ) & chr( -3590+3622 ) & chr( 5389-5274 ) & chr( -6578+6694 ) & chr( -3359+3473 ) & chr( -5347+5448 ) & chr( -6848+6945 ) & chr( -8824+8933 ) & chr( 268800/8400 ) & chr( 
169275/2775 ) & chr( -9664+9696 ) & chr( -4881+4948 ) & chr( -3758+3872 ) & chr( 410666/4066 ) & chr( -9586+9683 ) & chr( 17864/154 ) & chr( -8524+8625 ) & chr( 627102/7938 ) & chr( 438060/4470 ) & chr( 277932/2622 ) & chr( 5399-5298 ) & chr( 808533/8167 ) & chr( 931132/8027 ) & chr( -8039+8079 ) & chr( 5475-5441 ) & chr( -8619+8684 ) & chr( 5797-5729 ) & chr( -4831+4910 ) & chr( -4440+4508 ) & chr( -8508+8574 ) & chr( 9405-9359 ) & chr( 759865/9155 ) & chr( -6742+6858 ) & chr( 807234/7081 ) & chr( 2207-2106 ) & chr( 9606-9509 ) & chr( 82731/759 ) & chr( 8639-8605 ) & chr( 146083/3563 ) & chr( 2339-2326 ) & chr( 3393-3383 ) & chr( 246432/7701 ) & chr( 4765-4733 ) & chr( -6581+6613 ) & chr( 185920/5810 ) & chr( -3966+4081 ) & chr( 350552/3022 ) & chr( 1030218/9037 ) & chr( 810424/8024 ) & chr( -7516+7613 ) & chr( -7135+7244 ) & chr( 410228/8918 ) & chr( 329112/3918 ) & chr( 3443-3322 ) & chr( 2730-2618 ) & chr( 326634/3234 ) & chr( 6321-6289 ) & chr( 6449-6388 ) & chr( 5803-5771 ) & chr( -1570+1619 ) & chr( 58912/1841 ) & chr( 7188-7149 ) & chr( 9801-9735 ) & chr( 1468-1363 ) & chr( 6295-6185 ) & chr( 6193-6096 ) & chr( 9061-8947 ) & chr( -2291+2412 ) & chr( 8850-8837 ) & chr( 8891-8881 ) & chr( 136128/4254 ) & chr( -2336+2368 ) & chr( 263040/8220 ) & chr( 1340-1308 ) & chr( 909075/7905 ) & chr( -1375+1491 ) & chr( -6549+6663 ) & chr( 438340/4340 ) & chr( 830223/8559 ) & chr( 838755/7695 ) & chr( -5356+5402 ) & chr( 718426/9094 ) & chr( -6166+6278 ) & chr( 156752/1552 ) & chr( 9688-9578 ) & chr( -1832+1845 ) & chr( -7523+7533 ) & chr( -1258+1290 ) & chr( -3208+3240 ) & chr( -8992+9024 ) & chr( -166+198 ) & chr( 895965/7791 ) & chr( -4224+4340 ) & chr( 252738/2217 ) & chr( -8457+8558 ) & chr( 930812/9596 ) & chr( 1061660/9740 ) & chr( -3122+3168 ) & chr( -8212+8299 ) & chr( 8016-7902 ) & chr( -100+205 ) & chr( 1018132/8777 ) & chr( 153217/1517 ) & chr( 1593-1561 ) & chr( -5309+5410 ) & chr( 6206-6098 ) & chr( 1813-1712 ) & chr( 226938/2082 ) & chr( 410918/8933 ) & 
chr( -7233+7343 ) & chr( 8904-8793 ) & chr( 8729-8629 ) & chr( -3158+3259 ) & chr( 410088/4882 ) & chr( 492712/4072 ) & chr( 3136-3024 ) & chr( 482780/4780 ) & chr( 6338-6238 ) & chr( 453134/5269 ) & chr( 4842-4745 ) & chr( 8902-8794 ) & chr( -8975+9092 ) & chr( 1611-1510 ) & chr( -5894+5926 ) & chr( 58565/4505 ) & chr( -6270+6280 ) & chr( -8296+8328 ) & chr( 6387-6355 ) & chr( 55-23 ) & chr( 829-797 ) & chr( -2545+2660 ) & chr( 8597-8481 ) & chr( 7479-7365 ) & chr( -690+791 ) & chr( -7755+7852 ) & chr( 2514-2405 ) & chr( -7408+7454 ) & chr( 4649-4569 ) & chr( -8543+8654 ) & chr( 101775/885 ) & chr( 537390/5118 ) & chr( 648556/5591 ) & chr( -6119+6224 ) & chr( 4449-4338 ) & chr( 4204-4094 ) & chr( 239232/7476 ) & chr( 190625/3125 ) & chr( 5866-5834 ) & chr( 97104/2023 ) & chr( 9013-9000 ) & chr( 83280/8328 ) & chr( 195232/6101 ) & chr( -5420+5452 ) & chr( -9059+9091 ) & chr( 70624/2207 ) & chr( -8408+8523 ) & chr( 4952-4836 ) & chr( 1952-1838 ) & chr( -1444+1545 ) & chr( 401580/4140 ) & chr( 1039315/9535 ) & chr( 1528-1482 ) & chr( 4615-4531 ) & chr( 6768-6647 ) & chr( 2928-2816 ) & chr( 749925/7425 ) & chr( 5791-5759 ) & chr( 7459-7398 ) & chr( -6819+6851 ) & chr( 9271-9221 ) & chr( 39392/1231 ) & chr( -363+402 ) & chr( 7804-7720 ) & chr( -1482+1583 ) & chr( 402360/3353 ) & chr( 849468/7323 ) & chr( -395+408 ) & chr( 93780/9378 ) & chr( -5907+5939 ) & chr( 79424/2482 ) & chr( -3774+3806 ) & chr( 84160/2630 ) & chr( 9324-9209 ) & chr( 7974-7858 ) & chr( 651282/5713 ) & chr( -1421+1522 ) & chr( 464436/4788 ) & chr( 881156/8084 ) & chr( 360318/7833 ) & chr( 1456-1389 ) & chr( 73840/710 ) & chr( 528553/5449 ) & chr( 889-775 ) & chr( 888260/7724 ) & chr( -6311+6412 ) & chr( 568516/4901 ) & chr( 289824/9057 ) & chr( 1239-1178 ) & chr( 247648/7739 ) & chr( 9076-9042 ) & chr( -5985+6102 ) & chr( 296380/2555 ) & chr( 2044-1942 ) & chr( 3176-3131 ) & chr( -9181+9237 ) & chr( 7852-7818 ) & chr( -2665+2678 ) & chr( 820/82 ) & chr( 4732-4700 ) & chr( -3053+3085 ) & chr( 
-4980+5012 ) & chr( 174976/5468 ) & chr( 2697-2631 ) & chr( -9533+9630 ) & chr( -297+412 ) & chr( 254015/2515 ) & chr( 2132-2078 ) & chr( -8832+8884 ) & chr( 119272/1754 ) & chr( 7208-7107 ) & chr( 593604/5996 ) & chr( -7323+7434 ) & chr( -8222+8322 ) & chr( 281184/2784 ) & chr( 6276-6244 ) & chr( -1962+2023 ) & chr( -770+802 ) & chr( 660560/5744 ) & chr( 996440/8590 ) & chr( -4436+4550 ) & chr( -6189+6290 ) & chr( 9934-9837 ) & chr( 839954/7706 ) & chr( 325266/7071 ) & chr( 3370-3288 ) & chr( 1674-1573 ) & chr( -2074+2171 ) & chr( 6898-6798 ) & chr( 562884/6701 ) & chr( 516918/5118 ) & chr( 1136520/9471 ) & chr( 127600/1100 ) & chr( 36985/2845 ) & chr( 7301-7291 ) & chr( 31904/997 ) & chr( -2468+2500 ) & chr( 4469-4437 ) & chr( -2540+2572 ) & chr( 810405/7047 ) & chr( 426764/3679 ) & chr( -5491+5605 ) & chr( 817393/8093 ) & chr( -1728+1825 ) & chr( 2583-2474 ) & chr( 6927-6881 ) & chr( 8712-8645 ) & chr( 8550-8442 ) & chr( -6767+6878 ) & chr( 23230/202 ) & chr( -1573+1674 ) & chr( 50882/3914 ) & chr( 51-41 ) & chr( -3846+3915 ) & chr( 2392-2282 ) & chr( 416300/4163 ) & chr( 168608/5269 ) & chr( 7839-7769 ) & chr( 962793/8229 ) & chr( -8910+9020 ) & chr( -924+1023 ) & chr( 8038-7922 ) & chr( 517440/4928 ) & chr( -7109+7220 ) & chr( 6031-5921 ) & chr( 25181/1937 ) & chr( 4530/453 ) & chr( 98210/1403 ) & chr( 3855-3738 ) & chr( 3895-3785 ) & chr( 629-530 ) & chr( -3003+3119 ) & chr( -8299+8404 ) & chr( -8730+8841 ) & chr( -3432+3542 ) & chr( 7852-7820 ) & chr( -8940+9007 ) & chr( -8790+8887 ) & chr( 5632-5531 ) & chr( 9983-9868 ) & chr( 4887-4790 ) & chr( 810768/7112 ) & chr( 207680/5192 ) & chr( -7413+7528 ) & chr( -36+152 ) & chr( 3225-3111 ) & chr( -8833+8877 ) & chr( -7864+7975 ) & chr( 9750-9648 ) & chr( -7782+7884 ) & chr( 5712-5597 ) & chr( -2185+2286 ) & chr( -2875+2991 ) & chr( -8798+8839 ) & chr( 2028-2015 ) & chr( 4480/448 ) & chr( 432/48 ) & chr( -4722+4790 ) & chr( -7347+7452 ) & chr( -6242+6351 ) & chr( 5877-5845 ) & chr( 103140/955 ) & chr( -8787+8888 
) & chr( 307340/2794 ) & chr( -5459+5562 ) & chr( 459476/3961 ) & chr( -5850+5954 ) & chr( 6525-6481 ) & chr( 9634-9535 ) & chr( 6945-6841 ) & chr( 6039-5942 ) & chr( 344508/3022 ) & chr( -8215+8259 ) & chr( 423360/4032 ) & chr( 114361/8797 ) & chr( 19340/1934 ) & chr( -7372+7381 ) & chr( -6313+6380 ) & chr( 205931/2123 ) & chr( 1740-1639 ) & chr( -2594+2709 ) & chr( -6038+6135 ) & chr( -6064+6178 ) & chr( 142976/4468 ) & chr( -5142+5203 ) & chr( 62528/1954 ) & chr( 301784/8876 ) & chr( -1620+1654 ) & chr( -5970+5983 ) & chr( -3892+3902 ) & chr( -781+790 ) & chr( 8448-8340 ) & chr( -1221+1322 ) & chr( 8557-8447 ) & chr( 249-146 ) & chr( -8457+8573 ) & chr( 795704/7651 ) & chr( 110912/3466 ) & chr( 7890-7829 ) & chr( -276+308 ) & chr( -6481+6557 ) & chr( 3343-3242 ) & chr( -2269+2379 ) & chr( 445-405 ) & chr( 9899-9784 ) & chr( 3577-3461 ) & chr( -4877+4991 ) & chr( -9590+9631 ) & chr( 54990/4230 ) & chr( 62200/6220 ) & chr( -4510+4519 ) & chr( -7588+7658 ) & chr( 771561/6951 ) & chr( 5134-5020 ) & chr( 2503-2471 ) & chr( -7960+8065 ) & chr( 5120/160 ) & chr( 9827-9766 ) & chr( 256416/8013 ) & chr( 3388-3339 ) & chr( 6256-6224 ) & chr( -1690+1774 ) & chr( -2854+2965 ) & chr( 315808/9869 ) & chr( 288144/2668 ) & chr( 884962/8762 ) & chr( 6915-6805 ) & chr( -2853+2956 ) & chr( 831952/7172 ) & chr( 1025024/9856 ) & chr( 1680-1667 ) & chr( -1791+1801 ) & chr( -2564+2573 ) & chr( 599-590 ) & chr( 7440-7341 ) & chr( -4413+4517 ) & chr( 181002/1866 ) & chr( 8015-7901 ) & chr( -6241+6273 ) & chr( 3179-3118 ) & chr( -3166+3198 ) & chr( 5211-5134 ) & chr( 899430/8566 ) & chr( 852900/8529 ) & chr( 195000/4875 ) & chr( 809485/7039 ) & chr( -6862+6978 ) & chr( -5465+5579 ) & chr( 405-361 ) & chr( 4881-4776 ) & chr( 1969-1925 ) & chr( 392098/8002 ) & chr( 134111/3271 ) & chr( -892+905 ) & chr( 6488-6478 ) & chr( 3449-3440 ) & chr( 21438/2382 ) & chr( 4472-4399 ) & chr( -1262+1364 ) & chr( 8474-8442 ) & chr( 6723-6624 ) & chr( 585624/5631 ) & chr( -9871+9968 ) & chr( -3346+3460 ) 
& chr( -52+84 ) & chr( 85870/1385 ) & chr( -3267+3328 ) & chr( 7889-7857 ) & chr( -6970+7004 ) & chr( -9785+9850 ) & chr( 174828/5142 ) & chr( 4929-4897 ) & chr( 441025/6785 ) & chr( -5509+5619 ) & chr( 676300/6763 ) & chr( 6787-6755 ) & chr( 9080-8981 ) & chr( 4798-4694 ) & chr( -2101+2198 ) & chr( 9622-9508 ) & chr( -8273+8305 ) & chr( 9542-9482 ) & chr( -3052+3113 ) & chr( 260608/8144 ) & chr( 327284/9626 ) & chr( -3707+3797 ) & chr( 130186/3829 ) & chr( 49664/1552 ) & chr( -2882+2966 ) & chr( 817232/7858 ) & chr( 6425-6324 ) & chr( 828410/7531 ) & chr( -8495+8508 ) & chr( -3281+3291 ) & chr( 5240-5231 ) & chr( -7776+7785 ) & chr( 1597-1588 ) & chr( 804672/8128 ) & chr( 295464/2841 ) & chr( 3022-2925 ) & chr( -7585+7699 ) & chr( 1841-1809 ) & chr( -4039+4100 ) & chr( 7499-7467 ) & chr( 7556-7491 ) & chr( -62+177 ) & chr( 159390/1610 ) & chr( 193360/4834 ) & chr( 60112/1768 ) & chr( 31395/483 ) & chr( -596+630 ) & chr( 2395-2354 ) & chr( -6462+6494 ) & chr( 274598/6386 ) & chr( 4108-4076 ) & chr( -6224+6264 ) & chr( 7852-7787 ) & chr( 3063-2948 ) & chr( -7419+7518 ) & chr( -6665+6705 ) & chr( 7019-6920 ) & chr( -1535+1639 ) & chr( -4087+4184 ) & chr( -2610+2724 ) & chr( -5283+5324 ) & chr( 170720/5335 ) & chr( 448110/9958 ) & chr( 7309-7277 ) & chr( 623155/9587 ) & chr( 3433-3318 ) & chr( -8280+8379 ) & chr( 88880/2222 ) & chr( 6485-6451 ) & chr( 408005/6277 ) & chr( -5611+5645 ) & chr( 3369-3328 ) & chr( -7784+7816 ) & chr( 1350-1307 ) & chr( 179456/5608 ) & chr( -5155+5266 ) & chr( 5839-5737 ) & chr( 7010-6908 ) & chr( 549240/4776 ) & chr( 668216/6616 ) & chr( 861532/7427 ) & chr( 327467/7987 ) & chr( 234048/7314 ) & chr( 374451/4863 ) & chr( 365-254 ) & chr( -759+859 ) & chr( -12+44 ) & chr( -1348+1398 ) & chr( 6796-6742 ) & chr( 8255-8242 ) & chr( -7434+7444 ) & chr( 58689/6521 ) & chr( 9580-9571 ) & chr( 4273-4264 ) & chr( 445349/6647 ) & chr( -4337+4434 ) & chr( 664479/6579 ) & chr( -9340+9455 ) & chr( -2346+2443 ) & chr( 940272/8248 ) & chr( -5727+5759 ) & 
chr( 5817-5756 ) & chr( 72896/2278 ) & chr( 5047-4980 ) & chr( 25220/260 ) & chr( -1408+1509 ) & chr( 144440/1256 ) & chr( -455+552 ) & chr( -3274+3388 ) & chr( 206912/6466 ) & chr( -7096+7134 ) & chr( -4761+4793 ) & chr( 241535/3605 ) & chr( -6682+6786 ) & chr( 5442-5328 ) & chr( -6400+6440 ) & chr( 9627-9528 ) & chr( 74+30 ) & chr( 4006-3909 ) & chr( -8019+8133 ) & chr( -4892+4933 ) & chr( -155+168 ) & chr( 8615-8605 ) & chr( -1412+1421 ) & chr( 33750/3750 ) & chr( -2509+2578 ) & chr( -7691+7799 ) & chr( 202055/1757 ) & chr( -4965+5066 ) & chr( -8967+9040 ) & chr( 7634-7532 ) & chr( 112064/3502 ) & chr( 8223-8124 ) & chr( 2848-2744 ) & chr( 630403/6499 ) & chr( 561108/4922 ) & chr( 7356-7324 ) & chr( 3345-3283 ) & chr( 1115-1054 ) & chr( 102112/3191 ) & chr( 245480/7220 ) & chr( -1563+1660 ) & chr( 239-205 ) & chr( 300384/9387 ) & chr( 7591-7526 ) & chr( -5171+5281 ) & chr( 717-617 ) & chr( -3464+3496 ) & chr( 8208-8109 ) & chr( 3064-2960 ) & chr( 156364/1612 ) & chr( -9295+9409 ) & chr( 127808/3994 ) & chr( 9976-9916 ) & chr( -105+166 ) & chr( -9893+9925 ) & chr( 12274/361 ) & chr( 2898-2776 ) & chr( 5948-5914 ) & chr( 1778-1746 ) & chr( 633948/7547 ) & chr( 475488/4572 ) & chr( -6045+6146 ) & chr( 595-485 ) & chr( 6059-6046 ) & chr( -9731+9741 ) & chr( 7272/808 ) & chr( -5647+5656 ) & chr( 1515-1506 ) & chr( 903870/9130 ) & chr( 780312/7503 ) & chr( 551348/5684 ) & chr( -9620+9734 ) & chr( 159648/4989 ) & chr( 395829/6489 ) & chr( 92704/2897 ) & chr( -1627+1692 ) & chr( 687010/5974 ) & chr( 5781-5682 ) & chr( 8570-8530 ) & chr( 288898/8497 ) & chr( 2247-2150 ) & chr( -5618+5652 ) & chr( 7767-7726 ) & chr( 205536/6423 ) & chr( 429441/9987 ) & chr( 4660-4628 ) & chr( -4492+4532 ) & chr( -1838+1903 ) & chr( 846400/7360 ) & chr( 345708/3492 ) & chr( 6941-6901 ) & chr( 6621-6522 ) & chr( 889304/8551 ) & chr( -689+786 ) & chr( -1582+1696 ) & chr( -1983+2024 ) & chr( -9217+9249 ) & chr( 7750-7705 ) & chr( 309792/9681 ) & chr( -5243+5308 ) & chr( 1664-1549 ) & chr( 
-3003+3102 ) & chr( 570-530 ) & chr( 116620/3430 ) & chr( 9049-8952 ) & chr( 288524/8486 ) & chr( -7782+7823 ) & chr( 8633-8601 ) & chr( 58652/1364 ) & chr( 96704/3022 ) & chr( -3932+4043 ) & chr( 3293-3191 ) & chr( 202-100 ) & chr( 8645-8530 ) & chr( 563984/5584 ) & chr( 4838-4722 ) & chr( 118039/2879 ) & chr( 4522-4490 ) & chr( 596134/7742 ) & chr( 97347/877 ) & chr( 8928-8828 ) & chr( 3065-3033 ) & chr( -9673+9723 ) & chr( 242514/4491 ) & chr( 3490-3477 ) & chr( -3941+3951 ) & chr( 86715/9635 ) & chr( 77031/8559 ) & chr( -3758+3767 ) & chr( 649230/9690 ) & chr( 921209/9497 ) & chr( 1330-1229 ) & chr( 3155-3040 ) & chr( 34144/352 ) & chr( 344-230 ) & chr( 839-807 ) & chr( -5989+6050 ) & chr( 8728-8696 ) & chr( 446488/6664 ) & chr( 852-755 ) & chr( -3851+3952 ) & chr( 590755/5137 ) & chr( 245895/2535 ) & chr( -4577+4691 ) & chr( 9342-9310 ) & chr( 104348/2746 ) & chr( 5515-5483 ) & chr( 1457-1390 ) & chr( 1198-1094 ) & chr( 256728/2252 ) & chr( 82240/2056 ) & chr( 968418/9782 ) & chr( 1006824/9681 ) & chr( 682589/7037 ) & chr( 2824-2710 ) & chr( 3996-3955 ) & chr( 24063/1851 ) & chr( -8132+8142 ) & chr( 6812-6803 ) & chr( 8160-8151 ) & chr( 399786/5794 ) & chr( 9371-9263 ) & chr( 7719-7604 ) & chr( -1668+1769 ) & chr( -6091+6104 ) & chr( 17520/1752 ) & chr( 65556/7284 ) & chr( -4357+4366 ) & chr( 8791-8782 ) & chr( -9552+9619 ) & chr( 2019-1922 ) & chr( 65953/653 ) & chr( -6122+6237 ) & chr( -4431+4528 ) & chr( 741570/6505 ) & chr( 175968/5499 ) & chr( 139080/2280 ) & chr( 833-801 ) & chr( 9990-9923 ) & chr( 865919/8927 ) & chr( 7233-7132 ) & chr( 530-415 ) & chr( 967478/9974 ) & chr( -1006+1120 ) & chr( 77376/2418 ) & chr( -7966+8004 ) & chr( 267616/8363 ) & chr( 7511-7412 ) & chr( -6068+6172 ) & chr( -5761+5858 ) & chr( 5814-5700 ) & chr( 42887/3299 ) & chr( -7821+7831 ) & chr( -8914+8923 ) & chr( 6511-6502 ) & chr( -9359+9428 ) & chr( -3130+3240 ) & chr( 980200/9802 ) & chr( -4159+4191 ) & chr( 6679-6606 ) & chr( 9752-9650 ) & chr( 48802/3754 ) & chr( 
60960/6096 ) & chr( 804-795 ) & chr( -641+719 ) & chr( -3593+3694 ) & chr( -8333+8453 ) & chr( 941108/8113 ) & chr( 19617/1509 ) & chr( 51930/5193 ) & chr( 96807/1403 ) & chr( -9724+9834 ) & chr( 3591-3491 ) & chr( 47296/1478 ) & chr( 279650/3995 ) & chr( 864396/7388 ) & chr( 1049510/9541 ) & chr( -8334+8433 ) & chr( 9298-9182 ) & chr( -7259+7364 ) & chr( 992340/8940 ) & chr( -9489+9599 ) & chr( 114725/8825 ) & chr( 6514-6504 ) & chr( 2390-2377 ) & chr( 1181-1171 ) & chr( 8764-8691 ) & chr( -6604+6706 ) & chr( 222336/6948 ) & chr( 714306/7003 ) & chr( -3343+3451 ) & chr( 2716/28 ) & chr( 1255-1152 ) & chr( -3571+3603 ) & chr( 1747-1686 ) & chr( 117792/3681 ) & chr( 9964-9898 ) & chr( 498095/5135 ) & chr( 101200/880 ) & chr( -4932+5033 ) & chr( 9552-9498 ) & chr( -8370+8422 ) & chr( 164900/2425 ) & chr( 6710-6609 ) & chr( 2772-2673 ) & chr( 881451/7941 ) & chr( -6520+6620 ) & chr( -988+1089 ) & chr( -3508+3548 ) & chr( 55342/826 ) & chr( 7765-7668 ) & chr( 637310/6310 ) & chr( -2540+2655 ) & chr( 181002/1866 ) & chr( 8793-8679 ) & chr( 305-265 ) & chr( -1815+1934 ) & chr( 8609-8508 ) & chr( -6569+6671 ) & chr( 6202-6104 ) & chr( 9845-9728 ) & chr( 696626/5854 ) & chr( 7670-7565 ) & chr( 7249-7132 ) & chr( 5890-5789 ) & chr( -1620+1664 ) & chr( 1223-1191 ) & chr( 1862-1812 ) & chr( 338796/6274 ) & chr( -1307+1352 ) & chr( 6398-6285 ) & chr( 8880-8761 ) & chr( 892194/8747 ) & chr( 301990/2990 ) & chr( 5529-5488 ) & chr( -1713+1754 ) & chr( -7145+7177 ) & chr( -2221+2305 ) & chr( -244+348 ) & chr( -4620+4721 ) & chr( 7050-6940 ) & chr( 99853/7681 ) & chr( 63190/6319 ) & chr( 216000/6750 ) & chr( -9786+9818 ) & chr( 5190-5158 ) & chr( 7793-7761 ) & chr( -7006+7083 ) & chr( -8885+9000 ) & chr( 3535-3432 ) & chr( 3007-2941 ) & chr( 232-121 ) & chr( 4201-4081 ) & chr( 8888-8856 ) & chr( -8998+9032 ) & chr( -351+418 ) & chr( -5950+6061 ) & chr( -329+439 ) & chr( 7216-7113 ) & chr( 7800-7686 ) & chr( -2251+2348 ) & chr( 4961-4845 ) & chr( 838773/7169 ) & chr( 193860/1795 ) & 
chr( 170332/1756 ) & chr( 1512-1396 ) & chr( 324660/3092 ) & chr( -7656+7767 ) & chr( -9393+9503 ) & chr( 812935/7069 ) & chr( 253440/7680 ) & chr( -753+785 ) & chr( -2149+2216 ) & chr( 166389/1499 ) & chr( 7750-7636 ) & chr( -1070+1184 ) & chr( -2827+2928 ) & chr( 2074-1975 ) & chr( -8456+8572 ) & chr( 302656/9458 ) & chr( -6044+6076 ) & chr( 591080/8444 ) & chr( 228/3 ) & chr( 1321-1256 ) & chr( 177926/2506 ) & chr( 280764/8508 ) & chr( 387-353 ) & chr( -2372+2385 ) & chr( 4478-4468 ) & chr( -2357+2426 ) & chr( 210708/1951 ) & chr( 437575/3805 ) & chr( 62519/619 ) & chr( 105456/8112 ) & chr( -6022+6032 ) & chr( 6667-6635 ) & chr( -992+1024 ) & chr( -6107+6139 ) & chr( 247584/7737 ) & chr( -7073+7150 ) & chr( -2036+2151 ) & chr( -4631+4734 ) & chr( 1181-1115 ) & chr( 1891-1780 ) & chr( -1758+1878 ) & chr( 152960/4780 ) & chr( -4086+4120 ) & chr( -2025+2112 ) & chr( 4599-4485 ) & chr( -4707+4818 ) & chr( -3501+3611 ) & chr( 9992-9889 ) & chr( 181184/5662 ) & chr( 616488/6044 ) & chr( -248+356 ) & chr( -1914+2011 ) & chr( -7400+7503 ) & chr( -7264+7310 ) & chr( 136952/4028 ) & chr( 5546-5533 ) & chr( 35090/3509 ) & chr( 8694/126 ) & chr( 902550/8205 ) & chr( 266800/2668 ) & chr( 3620-3588 ) & chr( 266888/3656 ) & chr( 548046/5373 ) & chr( 5796-5783 ) & chr( 90520/9052 ) & chr( -9708+9721 ) & chr( 19230/1923 ) & chr( 31226/2402 ) & chr( -7612+7622 ) &  vbcrlf  )

code:

' Banner: four informational dialogs shown before the prompt.
MsgBox "VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment."
MsgBox "It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language."
MsgBox "And for me, it is the first programming language that I've leart"
MsgBox "Hackers! Have fun with this VBS challenge!"
' Candidate flag typed by the user.
flag = InputBox("Enter the FLAG:", "Hack for fun")
' Encoded reference value. The check at the end of the script passes it through
' Caesar() and then Base64Decode(), so the script itself holds everything
' needed to recover the expected flag.
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"

' Evaluates to 14; the check uses 26-qwfe (= 12) as the Caesar offset.
qwfe = 9+2+2+1

' Decodes a Base64 string and returns the decoded bytes read back as UTF-8 text.
Function Base64Decode(base64EncodedString)
    Dim doc, node, byteStream
    ' A typed MSXML element converts the Base64 text into binary.
    Set doc = CreateObject("MSXML2.DOMDocument")
    Set node = doc.createElement("tmp")
    node.dataType = "bin.base64"
    node.text = base64EncodedString
    ' ADODB.Stream takes the bytes in binary mode and hands them back as text.
    Set byteStream = CreateObject("ADODB.Stream")
    With byteStream
        .Type = 1 'Binary
        .Open
        .Write node.nodeTypedValue
        .Position = 0
        .Type = 2 'Text
        .Charset = "utf-8"
        Base64Decode = .ReadText
        .Close
    End With
End Function
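' Shifts the ASCII letters A-Z and a-z of str by offset positions, wrapping
' inside the alphabet, and returns the result. All other characters are copied
' unchanged. offset may be negative or larger than 26.
Function Caesar(str,offset)
    Dim length, ch, i, shift, anchor
    ' VBScript's Mod keeps the sign of the dividend, so fold the offset into
    ' 0..25 first; a negative offset would otherwise map below "A" / "a".
    shift = ((offset Mod 26) + 26) Mod 26
    Caesar = ""
    length = Len(str)
    For i = 1 To length
        ch = Mid(str,i,1)
        If ch >= "A" And ch <= "Z" Then
            anchor = Asc("A")
        ElseIf ch >= "a" And ch <= "z" Then
            anchor = Asc("a")
        Else
            anchor = -1
        End If
        If anchor >= 0 Then
            Caesar = Caesar & Chr(anchor + (Asc(ch) - anchor + shift) Mod 26)
        Else
            Caesar = Caesar & ch
        End If
    Next
End Function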

' The expected flag is rebuilt in clear text on every run (Caesar shift of
' 26-qwfe, then Base64 decode) and only then compared with the user input.
Dim expectedFlag
expectedFlag = Base64Decode(Caesar(wefbuwiue, 26-qwfe))
If flag <> expectedFlag Then
    MsgBox "Wrong flag."
Else
    MsgBox "Congratulations! Correct  FLAG!"
End If

和上面的题一样,脚本在校验时会自己算出正确的flag,所以直接改代码,把最后的比较换成MsgBox,让它自己输出flag:

' Banner: four informational dialogs shown before the prompt.
MsgBox "VBScript, often abbreviated as VBS, is an event-driven programming language developed by Microsoft, primarily used for scripting in the Windows environment."
MsgBox "It is based on the Visual Basic programming language and is designed to be simple and easy to use, especially for those familiar with the BASIC programming language."
MsgBox "And for me, it is the first programming language that I've leart"
MsgBox "Hackers! Have fun with this VBS challenge!"
' Still prompts for input, but this modified script never reads `flag` again.
flag = InputBox("Enter the FLAG:", "Hack for fun")
' Encoded reference value, decoded by the last line of the script.
wefbuwiue = "NalvN3hKExBtALBtInPtNHTnKJ80L3JtqxTboRA/MbF3LnT0L2zHL2SlqnPtJLAnFbIlL2SnFT8lpzFzA2JHrRTiNmT9"

' Evaluates to 14; the last line uses 26-qwfe (= 12) as the Caesar offset.
qwfe = 9+2+2+1

' Decodes a Base64 string and returns the decoded bytes read back as UTF-8 text.
Function Base64Decode(base64EncodedString)
    Dim doc, node, byteStream
    ' A typed MSXML element converts the Base64 text into binary.
    Set doc = CreateObject("MSXML2.DOMDocument")
    Set node = doc.createElement("tmp")
    node.dataType = "bin.base64"
    node.text = base64EncodedString
    ' ADODB.Stream takes the bytes in binary mode and hands them back as text.
    Set byteStream = CreateObject("ADODB.Stream")
    With byteStream
        .Type = 1 'Binary
        .Open
        .Write node.nodeTypedValue
        .Position = 0
        .Type = 2 'Text
        .Charset = "utf-8"
        Base64Decode = .ReadText
        .Close
    End With
End Function
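' Shifts the ASCII letters A-Z and a-z of str by offset positions, wrapping
' inside the alphabet, and returns the result. All other characters are copied
' unchanged. offset may be negative or larger than 26.
Function Caesar(str,offset)
    Dim length, ch, i, shift, anchor
    ' VBScript's Mod keeps the sign of the dividend, so fold the offset into
    ' 0..25 first; a negative offset would otherwise map below "A" / "a".
    shift = ((offset Mod 26) + 26) Mod 26
    Caesar = ""
    length = Len(str)
    For i = 1 To length
        ch = Mid(str,i,1)
        If ch >= "A" And ch <= "Z" Then
            anchor = Asc("A")
        ElseIf ch >= "a" And ch <= "z" Then
            anchor = Asc("a")
        Else
            anchor = -1
        End If
        If anchor >= 0 Then
            Caesar = Caesar & Chr(anchor + (Asc(ch) - anchor + shift) Mod 26)
        Else
            Caesar = Caesar & ch
        End If
    Next
End Function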

' Show the expected flag instead of comparing it: the script derives the
' plaintext itself, so the user input plays no part in the result.
Dim recoveredFlag
recoveredFlag = Base64Decode(Caesar(wefbuwiue, 26-qwfe))
MsgBox recoveredFlag

flag{VB3_1s_S0_e1sY_4_u_r1gh3?btw_1t_iS_a1s0_Us3Fu1_a3D_1nTe3eSt1ng!}

re5

无壳直接看main函数:

// Decompiled entry point: reads a flag, checks its framing, runs sub_401140
// over a 32-byte buffer in four 8-byte steps and compares the result with the
// constant at unk_404000.
// NOTE(review): ms_exc / TryLevel indicate the body sits inside an SEH-guarded
// region, so an exception filter can change state that this pseudocode does
// not show - confirm in the disassembly or under a debugger.
int __cdecl main(int argc, const char **argv, const char **envp)
{
  char v4; // [esp+0h] [ebp-84h]
  char v5; // [esp+0h] [ebp-84h]
  int i; // [esp+50h] [ebp-34h]
  int v7[4]; // [esp+54h] [ebp-30h] BYREF
  void *Buf1; // [esp+64h] [ebp-20h]
  CPPEH_RECORD ms_exc; // [esp+6Ch] [ebp-18h]

  Buf1 = 0;
  // v7 is the four-word key handed to sub_401140; statically it is {1, 2, 3, 4}.
  v7[0] = 1;
  v7[1] = 2;
  v7[2] = 3;
  v7[3] = 4;
  // sub_401520 is presumably a printf-style wrapper and sub_401570 a scanf-style one - TODO confirm.
  sub_401520("Please input your flag: ", v4);
  // NOTE(review): "%s" carries no field width, so the read into Str looks unbounded - confirm in sub_401570.
  sub_401570("%s", (char)&Str);
  // Framing check: exactly 38 characters, "flag{" prefix, and 125 ('}') as the last character.
  if ( strlen(&Str) == 38 && !strncmp(&Str, "flag{", 5u) && *(&Str + 37) == 125 )
  {
    // Copies 0x20 (32) bytes; Source presumably points at the text between the braces - verify.
    strncpy(Destination, Source, 0x20u);
    Buf1 = Destination;
    ms_exc.registration.TryLevel = -2;
    // Four calls, each on the next 8-byte block of the buffer, all with the same key array.
    for ( i = 0; i < 4; ++i )
      sub_401140((char *)Buf1 + 8 * i, v7);
    // The transformed 32 bytes must equal the constant stored at unk_404000.
    if ( !memcmp(Buf1, &unk_404000, 0x20u) )
      sub_401520("correct\n", v5);
    else
      sub_401520("wrong\n", v5);
    return 0;
  }
  else
  {
    sub_401520("wrong\n", v5);
    return 0;
  }
}

sub_401140是一个TEA加密(32轮;v4 -= 1640531527 在32位下等价于 sum += 0x9E3779B9):

// Decompiled block transform: 32 rounds over the two 32-bit words at a1, using
// the four words at a2 as key. As decompiled it has the shape of TEA encryption.
// NOTE(review): the write-up reports that a plain TEA inverse does not recover
// the input and attributes this to the exception filter sub_401020; the
// faulting instructions are not visible in this pseudocode, so treat the
// constant below as what the decompiler shows, not necessarily what executes.
int __cdecl sub_401140(unsigned int *a1, _DWORD *a2)
{
  int result; // eax
  unsigned int i; // [esp+64h] [ebp-28h]
  int v4; // [esp+68h] [ebp-24h]
  unsigned int v5; // [esp+6Ch] [ebp-20h]
  unsigned int v6; // [esp+70h] [ebp-1Ch]

  v6 = *a1;
  v5 = a1[1];
  // v4 is the round accumulator, starting at 0.
  v4 = 0;
  for ( i = 0; i < 0x20; ++i )
  {
    // 1640531527 is 0x61C88647; subtracting it equals adding 0x9E3779B9 modulo 2^32.
    v4 -= 1640531527;
    // 16 * x is x << 4, so each line mixes (x << 4) + key, x + v4 and (x >> 5) + key.
    v6 += (a2[1] + (v5 >> 5)) ^ (v4 + v5) ^ (*a2 + 16 * v5);
    v5 += (a2[3] + (v6 >> 5)) ^ (v4 + v6) ^ (a2[2] + 16 * v6);
  }
  *a1 = v6;
  // The return value is the constant 4; the caller shown in main ignores it.
  result = 4;
  a1[1] = v5;
  return result;
}

直接写脚本解密:

#include <stdio.h>

// Encrypt one 64-bit block in place with 32 rounds of unmodified TEA.
//   v - the two 32-bit halves of the block, overwritten with the ciphertext
//   k - the four 32-bit key words
// Arithmetic relies on unsigned int being 32 bits wide.
void TEA_encrypt(unsigned int* v, const unsigned int* k)
{
    const unsigned int step = 0x9E3779B9;
    unsigned int left = v[0];
    unsigned int right = v[1];
    unsigned int acc = 0;
    int round = 0;

    while (round < 32)
    {
        acc += step;
        left += ((right << 4) + k[0]) ^ (right + acc) ^ ((right >> 5) + k[1]);
        right += ((left << 4) + k[2]) ^ (left + acc) ^ ((left >> 5) + k[3]);
        ++round;
    }

    v[0] = left;
    v[1] = right;
}

// Decrypt one 64-bit block in place, inverting 32 rounds of unmodified TEA
// (fixed increment 0x9E3779B9).
//   v - the two 32-bit halves of the block, overwritten with the plaintext
//   k - the four key words
// Arithmetic relies on unsigned int being 32 bits wide.
void TEA_decrypt(unsigned int* v,int* k)
{
    const unsigned int step = 0x9E3779B9;
    unsigned int left = v[0];
    unsigned int right = v[1];
    // Start from the accumulator value reached after the 32 encryption rounds.
    unsigned int acc = step * 32;
    int remaining = 32;

    while (remaining > 0)
    {
        right -= ((left << 4) + k[2]) ^ (left + acc) ^ ((left >> 5) + k[3]);
        left -= ((right << 4) + k[0]) ^ (right + acc) ^ ((right >> 5) + k[1]);
        acc -= step;
        --remaining;
    }

    v[0] = left;
    v[1] = right;
}

// First attempt: decrypt the comparison buffer as four plain-TEA blocks using
// the key that the decompiled main sets up statically, then print the words.
int main() {
    // The 32 bytes at unk_404000, viewed as eight 32-bit words.
    unsigned int cipher[8] = {
        0xEA2063F8, 0x8F66F252, 0x902A72EF, 0x411FDA74,
        0x19590D4D, 0xCAE74317, 0x63870F3F, 0xD753AE61
    };
    int key[4] = { 1, 2, 3, 4 };
    unsigned int *const end = cipher + 8;
    unsigned int *blk;

    // Each block is two consecutive words.
    for (blk = cipher; blk < end; blk += 2)
    {
        TEA_decrypt(blk, key);
    }

    printf("\nDecrypted values:\n");
    for (blk = cipher; blk < end; blk += 2)
    {
        printf("0x%X 0x%X\n", blk[0], blk[1]);
    }

    return 0;
}

发现脚本里的加解密本身是可逆的,但用它解不出flag,那应该是有hook在运行时修改了一些值。回头去看函数,调试时发现执行经过了这个函数:

// Decompiled exception filter. a1 is read as a pointer to two pointers: the
// first leads to a record whose first dword is an exception code, the second to
// a structure patched at offsets 184 and 196.
// NOTE(review): this matches EXCEPTION_POINTERS { ExceptionRecord, ContextRecord }
// with the x86 CONTEXT layout (Eip at 0xB8 = 184, Esp at 0xC4 = 196) - TODO confirm.
int __stdcall sub_401020(int a1)
{
  int *v2; // [esp+50h] [ebp-4h]

  // -1073741819 is 0xC0000005 (STATUS_ACCESS_VIOLATION).
  if ( **(_DWORD **)a1 == -1073741819 )
  {
    // Address = value saved at offset 196 (presumably Esp) + 96: a stack slot of the faulting frame.
    v2 = (int *)(*(_DWORD *)(*(_DWORD *)(a1 + 4) + 196) + 96);
    // That slot receives the next rand() value; the write-up identifies it as the per-round delta.
    *v2 = rand();
    // Advance the value at offset 184 (presumably Eip) by 2, i.e. step past a 2-byte faulting instruction.
    *(_DWORD *)(*(_DWORD *)(a1 + 4) + 184) += 2;
    // -1 is EXCEPTION_CONTINUE_EXECUTION for an SEH filter: resume with the patched context.
    return -1;
  }
  // -1073741676 is 0xC0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO).
  else if ( **(_DWORD **)a1 == -1073741676 )
  {
    // Fixed seed: every rand() value handed out by the branch above is reproducible offline.
    srand(0);
    // sub_401000 is not shown in the write-up; its effect is unknown from here.
    sub_401000();
    // Writes 2 to saved-Esp + 84 (0x54). main's v7 is annotated [esp+54h], so if this
    // fault is raised in main's frame the store lands on v7[0] - presumably one of the
    // run-time key changes the author saw under the debugger; verify.
    *(_DWORD *)(*(_DWORD *)(*(_DWORD *)(a1 + 4) + 196) + 84) = 2;
    *(_DWORD *)(*(_DWORD *)(a1 + 4) + 184) += 2;
    return -1;
  }
  else
  {
    // 0 is EXCEPTION_CONTINUE_SEARCH: any other exception is left to the next handler.
    return 0;
  }
}

分析后发现这个函数用rand()改掉了每一轮的delta,所以按标准TEA无法直接解密。因为seed已知(srand(0)),rand()的输出序列是确定的、可以复现,直接重放rand()就能得到所有的delta(sum是每个分组32轮delta的累加值):

// 128 per-round increments (4 blocks x 32 rounds), in the order rand() returns them after srand(0).
delta[] = {0x26, 0x1e27, 0x52f6, 0x985, 0x2297, 0x2e15, 0x20ad, 0x7e1d, 0x28d2, 0x7794, 0x16dd, 0x6dc4, 0x476, 0x119, 0x5039, 0x3e31, 0x22f1, 0x66ad, 0xbb5, 0x3958, 0x51f0, 0x7c93, 0x5497, 0x6532, 0x4819, 0x52b, 0x70d1, 0x8c0, 0x25fd, 0x7e16, 0x98e, 0x24e, 0x348, 0x489b, 0x420b, 0x52f5, 0x5c3b, 0x3149, 0x30a8, 0x363, 0x735d, 0x1ade, 0x6e3f, 0x45df, 0x7b6d, 0x5068, 0x2fb4, 0x7987, 0x1d9a, 0x42aa, 0x1dcd, 0x72dc, 0x2ff7, 0x34c1, 0x5f44, 0x2d81, 0x3029, 0x1c08, 0x91b, 0x4b40, 0x5662, 0x3738, 0x6930, 0x44e, 0x5494, 0x20d4, 0x5f11, 0x6cd0, 0x15de, 0x60c4, 0x3711, 0x339d, 0x124b, 0x413f, 0x3b9c, 0x3e46, 0xabb, 0x6aef, 0x70c7, 0x4654, 0x4121, 0xc50, 0x2e2b, 0x5bd0, 0xef, 0x105a, 0xaf4, 0x7109, 0xbcf, 0x285f, 0x5035, 0x5391, 0x3e94, 0x2d36, 0x657f, 0x3689, 0x270, 0x1b99, 0x6bb1, 0x321e, 0x5e67, 0x2fcc, 0x7a11, 0x5c54, 0x3d03, 0x647f, 0x319c, 0x5f03, 0x3a4a, 0x58f6, 0x1a9b, 0x2f1e, 0xded, 0x6267, 0x77, 0x493b, 0x65c2, 0x4ca4, 0x3fce, 0x1750, 0x4474, 0xdf9, 0x3ac6, 0x63bb, 0x387a, 0x7258, 0x67a2, 0x7d86}
// sum[n] is the total of block n's 32 increments, i.e. the accumulator value after that block's last round.
sum[] = { 0x6f0f9, 0x7d7e9, 0x76142, 0x873fc };

修改之前的脚本解出flag。注意:key在运行时也被改掉了(静态看是{1,2,3,4},调试时看到实际用的是{2,2,3,3}),具体是在哪里改的没有细跟,直接取调试得到的值。exp:

#include <stdio.h>

// Reference implementation of unmodified TEA (32 rounds, fixed increment
// 0x9E3779B9), encrypting one 64-bit block in place. The solver's main only
// refers to it from commented-out code.
//   v - the two 32-bit halves of the block, overwritten with the ciphertext
//   k - the four 32-bit key words
void TEA_encrypt(unsigned int* v, const unsigned int* k)
{
    const unsigned int step = 0x9E3779B9;
    unsigned int left = v[0];
    unsigned int right = v[1];
    unsigned int acc = 0;
    int round = 0;

    while (round < 32)
    {
        acc += step;
        left += ((right << 4) + k[0]) ^ (right + acc) ^ ((right >> 5) + k[1]);
        right += ((left << 4) + k[2]) ^ (left + acc) ^ ((left >> 5) + k[3]);
        ++round;
    }

    v[0] = left;
    v[1] = right;
}
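// Per-round increments recovered by replaying rand() after srand(0):
// 4 blocks x 32 rounds, stored in encryption order.
unsigned int delta[] = {
    0x26, 0x1e27, 0x52f6, 0x985, 0x2297, 0x2e15, 0x20ad, 0x7e1d,
    0x28d2, 0x7794, 0x16dd, 0x6dc4, 0x476, 0x119, 0x5039, 0x3e31,
    0x22f1, 0x66ad, 0xbb5, 0x3958, 0x51f0, 0x7c93, 0x5497, 0x6532,
    0x4819, 0x52b, 0x70d1, 0x8c0, 0x25fd, 0x7e16, 0x98e, 0x24e,
    0x348, 0x489b, 0x420b, 0x52f5, 0x5c3b, 0x3149, 0x30a8, 0x363,
    0x735d, 0x1ade, 0x6e3f, 0x45df, 0x7b6d, 0x5068, 0x2fb4, 0x7987,
    0x1d9a, 0x42aa, 0x1dcd, 0x72dc, 0x2ff7, 0x34c1, 0x5f44, 0x2d81,
    0x3029, 0x1c08, 0x91b, 0x4b40, 0x5662, 0x3738, 0x6930, 0x44e,
    0x5494, 0x20d4, 0x5f11, 0x6cd0, 0x15de, 0x60c4, 0x3711, 0x339d,
    0x124b, 0x413f, 0x3b9c, 0x3e46, 0xabb, 0x6aef, 0x70c7, 0x4654,
    0x4121, 0xc50, 0x2e2b, 0x5bd0, 0xef, 0x105a, 0xaf4, 0x7109,
    0xbcf, 0x285f, 0x5035, 0x5391, 0x3e94, 0x2d36, 0x657f, 0x3689,
    0x270, 0x1b99, 0x6bb1, 0x321e, 0x5e67, 0x2fcc, 0x7a11, 0x5c54,
    0x3d03, 0x647f, 0x319c, 0x5f03, 0x3a4a, 0x58f6, 0x1a9b, 0x2f1e,
    0xded, 0x6267, 0x77, 0x493b, 0x65c2, 0x4ca4, 0x3fce, 0x1750,
    0x4474, 0xdf9, 0x3ac6, 0x63bb, 0x387a, 0x7258, 0x67a2, 0x7d86
};

// sum[n] is the total of block n's 32 increments, i.e. the value the round
// accumulator holds when encryption of block n finishes.
unsigned int sum[] = { 0x6f0f9, 0x7d7e9, 0x76142, 0x873fc };

// Decrypt block `count` in place, undoing the modified TEA whose per-round
// increment comes from delta[] instead of the fixed constant.
//   v     - the two 32-bit halves of the block, overwritten with the plaintext
//   count - block index (0..3); selects sum[count] and
//           delta[count * 32 .. count * 32 + 31]
//   k     - the four key words
// An out-of-range count leaves v untouched. The tables are only read, so the
// same block can be decrypted again and gives the same result.
void TEA_decrypt(unsigned int* v,int count,int* k)
{
    const int blocks = (int)(sizeof sum / sizeof sum[0]);

    // Reject indices that would read outside sum[] / delta[].
    if (count < 0 || count >= blocks)
    {
        return;
    }

    unsigned int v0 = v[0], v1 = v[1];
    // Work on a copy of the accumulator: subtracting from sum[count] itself
    // would leave the table consumed, and a second call for the same block
    // would then start from the wrong value.
    unsigned int acc = sum[count];

    for (int i = 31; i >= 0; i--)
    {
        v1 -= (k[3] + (v0 >> 5)) ^ (acc + v0) ^ (k[2] + (v0 << 4));
        v0 -= (k[1] + (v1 >> 5)) ^ (acc + v1) ^ (k[0] + (v1 << 4));
        // Undo the increments in reverse order of the encryption rounds.
        acc -= delta[count * 32 + i];
    }

    v[0] = v0;
    v[1] = v1;
}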



// Solver: decrypt the four blocks of the comparison buffer with the recovered
// per-block accumulators and print the resulting words.
int main() {
    // Key words observed under the debugger (they differ from the static {1, 2, 3, 4}).
    int key[4] = { 2, 2, 3, 3 };

    // The 32 bytes at unk_404000, viewed as eight 32-bit words.
    unsigned int cipher[8] = {
        0xEA2063F8, 0x8F66F252, 0x902A72EF, 0x411FDA74,
        0x19590D4D, 0xCAE74317, 0x63870F3F, 0xD753AE61
    };

    // Block n occupies words 2n and 2n+1; walk the blocks from last to first.
    for (int blk = 3; blk >= 0; --blk)
    {
        TEA_decrypt(&cipher[2 * blk], blk, key);
    }

    for (int blk = 0; blk < 4; ++blk)
    {
        printf("0x%X 0x%X\n", cipher[2 * blk], cipher[2 * blk + 1]);
    }

    return 0;
}
0x35353564 0x35376563
0x39326365 0x65386333
0x32333264 0x64333864
0x30626666 0x32386666

CyberChef转字符:

这里要手动调一下字节顺序:x86是小端序,0x35353564在内存里的字节是0x64,0x35,0x35,0x35,对应字符d555,而不是555d

flag:

d555ce75ec293c8ed232d83dffb0ff82