May 5, 2023

D3CTF2023 REVERSE

D3SKY

0x00 Routine Check Shell

无壳32位

image-20230505130311073

0x01 VM

TLS

首先在TLS函数发现修改了一个RC4的密钥,稍微审计可知,同时在main函数可知我们的输入是37位,所以这边初始化的74位其实就是存放了我们的输入37位和密文37位,整理下可知

1
2
3
4
5
6
7
8
9
10
unsigned int sub_3B1050()
{
  unsigned int v0; // eax

  if ( !IsDebuggerPresent() )
    Str[5] = 49;
  v0 = strlen("YunZhiJun");
  RC4_INIT(&Sbox, "YunZhiJun", v0);
  return RC4(&Sbox, st_input, 74u);
}

MAIN

来到主函数并不是很长,不过是道VM题,而这题比较特殊是 与非 VM,也就是说所有的操作都是靠

op[p2] = ~(op[p0] & op[p1]);

这条语句进行运行

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
int __cdecl main(int argc, const char **argv, const char **envp)
{
  int v4; // [esp+0h] [ebp-24h]
  int v5; // [esp+Ch] [ebp-18h]
  unsigned __int16 p2; // [esp+14h] [ebp-10h]
  unsigned __int16 p0; // [esp+18h] [ebp-Ch]
  unsigned __int16 p1; // [esp+1Ch] [ebp-8h]
  unsigned __int16 i; // [esp+20h] [ebp-4h]

  v5 = 0;
  puts("Welcome to D^3CTF~");
  while ( op[0] != 0xFFFF )
  {
    if ( op[2] == 1 )
    {
      op[2] = 0;
      printf("%c", op[3]);
    }
    if ( op[7] == 1 )
    {
      op[7] = 0;
      scanf("%c", &op[8]);
      v4 = v5++;
      if ( v4 == 37 && op[8] != 0x7E )
      {
        puts("Wrong!");
        return 0;
      }
    }
    if ( op[19] )
    {
      puts("Wrong!");
      return 0;
    }
    i = op[0];

    RC4(&Sbox, &op[op[0]], 3u);
    p0 = op[i];
    p1 = op[i + 1];
    p2 = op[i + 2];

    op[0] = i + 3;
    RC4(&Sbox, &op[i], 3u);
    op[p2] = ~(op[p0] & op[p1]);
  }
  puts("Right! Your flag is antd3ctf{your input}");
  return 0;
}

那么稍微审计可知比较重要的几点

那么既然是VM题,先打印出所有的opcode看看效果, 那么这里有两个方法

第一种 利用条件断点

在字节码在加密回去前的地方下个断点,把其语句打印出来

image-20230505152339493

1
2
3
4
5
6
7
8
9
10

op_addr = 0x5B4018
ebp = idc.get_reg_value('ebp')
p0 = ida_bytes.get_word(ebp - 0xC)
p1 = ida_bytes.get_word(ebp - 0x8)
p2 = ida_bytes.get_word(ebp - 0x10)

op_p0 = ida_bytes.get_word(op_addr + p0 * 2)
op_p1 = ida_bytes.get_word(op_addr + p1 * 2)
print('op[%d] = ~(op[%d] & op[%d]) ' % (p2, p0, p1), '(op[%d] = ~(%d & %d))' % (p2, op_p0, op_p1) )

但由于前面还有个input有很多语句,我们只需要关心我们输入后程序进行了什么操作所以在判断输入长度也下个条件断点

image-20230505152609877

1
2
3
4
5
op_addr = 0x5B4018
ebp = idc.get_reg_value('ebp')
v4 = ida_bytes.get_word(ebp - 0x24) 
if (v4 == 36):
	print('----------------------------END INPUT------------------------------')

测试输入 123456781234567812345678123456781234~

随后让程序跑起来直接输入即可跑出opcode,不难发现我们的输入49 50 51 52都被引用到,第一个密文36也被引用到随后程序就跑出wrong,同时也可以知道op[2772]就是存放我们输入的起始位置了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
...
op[11] = ~(op[20] & op[20])  (op[11] = ~(1 & 1))
op[7] = ~(op[11] & op[11])  (op[7] = ~(65534 & 65534))
---------------------END INPUT----------------------
op[7] = ~(op[8] & op[8])  (op[7] = ~(126 & 126))
op[2808] = ~(op[7] & op[7])  (op[2808] = ~(65409 & 65409))
op[11] = ~(op[2772] & op[2772])  (op[11] = ~(49 & 49))
op[11] = ~(op[11] & op[2773])  (op[11] = ~(65486 & 50))
op[12] = ~(op[2773] & op[2773])  (op[12] = ~(50 & 50))
op[12] = ~(op[12] & op[2772])  (op[12] = ~(65485 & 49))
op[17] = ~(op[11] & op[12])  (op[17] = ~(65533 & 65534))
op[11] = ~(op[2774] & op[2774])  (op[11] = ~(51 & 51))
op[11] = ~(op[11] & op[2775])  (op[11] = ~(65484 & 52))
op[12] = ~(op[2775] & op[2775])  (op[12] = ~(52 & 52))
op[12] = ~(op[12] & op[2774])  (op[12] = ~(65483 & 51))
op[18] = ~(op[11] & op[12])  (op[18] = ~(65531 & 65532))
op[11] = ~(op[17] & op[17])  (op[11] = ~(3 & 3))
op[11] = ~(op[11] & op[18])  (op[11] = ~(65532 & 7))
op[12] = ~(op[18] & op[18])  (op[12] = ~(7 & 7))
op[12] = ~(op[12] & op[17])  (op[12] = ~(65528 & 3))
op[18] = ~(op[11] & op[12])  (op[18] = ~(65531 & 65535))
op[11] = ~(op[2809] & op[2809])  (op[11] = ~(36 & 36))
op[11] = ~(op[11] & op[18])  (op[11] = ~(65499 & 4))
op[12] = ~(op[18] & op[18])  (op[12] = ~(4 & 4))
op[12] = ~(op[12] & op[2809])  (op[12] = ~(65531 & 36))
op[19] = ~(op[11] & op[12])  (op[19] = ~(65535 & 65503))

第二种 ctrl cv

还有种方便的方法就是直接复制ida的代码即可,在我们需要输出的地方直接打印即可,其中注意下导入 defs.h 的ida库

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
#include <cstdio>
#include <cstring>
#include "defs.h"
#include <cstdlib>
#define _CRT_SECURE_NO_WARNINGS

unsigned short op[2772] = {
	0x0015, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
	0x0000, 0x0000, 0x0000, 0x0000, 0x0001, 0x0A16, 0x0A9C, 0x000A,
	0x0061, 0x00DA, 0x006E, 0x008E, 0x0012, 0x0065, 0x00EA, 0x0086,
	0x000D, 0x0A96, 0x0A45, 0x008D, 0x0043, 0x0023, 0x00F5, 0x00A4,
	0x0080, 0x006D, 0x0064, 0x009F, 0x00CF, 0x0AF8, 0x0A4B, 0x00F0,
	0x0072, 0x00BD, 0x000F, 0x004E, 0x00ED, 0x0092, 0x006F, 0x00AE,
	0x0060, 0x0A4E, 0x0A3E, 0x00D1, 0x009D, 0x0005, 0x0018, 0x00E7,
	0x0013, 0x0031, 0x0009, 0x008C, 0x0017, 0x0A14, 0x0A29, 0x00A0,
	0x00E8, 0x001A, 0x0015, 0x001B, 0x003A, 0x00ED, 0x001F, 0x00C7,
	0x0003, 0x0A2C, 0x0AC6, 0x0078, 0x0091, 0x004E, 0x0009, 0x0062,
	0x00C7, 0x0020, 0x005E, 0x0064, 0x00F2, 0x0003, 0x0052, 0x0049,
	0x0065, 0x00FF, 0x00F1, 0x00E4, 0x002F, 0x0064, 0x0027, 0x00E6,
	0x0AFB, 0x00D4, 0x00B6, 0x000D, 0x0051, 0x003E, 0x0042, 0x0029,
	0x004D, 0x00A3, 0x00DD, 0x0067, 0x0AEC, 0x00DD, 0x0020, 0x00F2,
	0x000D, 0x005F, 0x0011, 0x005D, 0x0097, 0x009E, 0x002C, 0x0020,
	0x0AED, 0x009E, 0x0044, 0x00B2, 0x0002, 0x00EA, 0x0020, 0x0039,
	0x00F8, 0x0000, 0x0011, 0x0079, 0x0ACA, 0x00AE, 0x0075, 0x00AB,
	0x0032, 0x0003, 0x00D2, 0x00FC, 0x0088, 0x0044, 0x005F, 0x00FC,
	0x0ADF, 0x0064, 0x001E, 0x0004, 0x007E, 0x0024, 0x0045, 0x00EF,
	0x002A, 0x0036, 0x00D1, 0x0025, 0x0AE6, 0x00EB, 0x0047, 0x00EC,
	0x0081, 0x0069, 0x00E1, 0x0046, 0x0085, 0x0011, 0x00E3, 0x002B,
	0x0A9E, 0x0099, 0x00D0, 0x0095, 0x0032, 0x00ED, 0x0097, 0x00CB,
	0x006E, 0x00B4, 0x003C, 0x0009, 0x0A1F, 0x00A1, 0x009C, 0x0083,
	0x006D, 0x0070, 0x0009, 0x0078, 0x00FE, 0x00A2, 0x0090, 0x00D5,
	0x0A3F, 0x00F9, 0x00E5, 0x0015, 0x00B9, 0x0063, 0x0023, 0x00B6,
	0x0024, 0x00B4, 0x00DD, 0x00F1, 0x0A56, 0x007C, 0x0070, 0x000F,
	0x0007, 0x005A, 0x005E, 0x0099, 0x0012, 0x0028, 0x00C2, 0x0095,
	0x0AAA, 0x00AF, 0x00B7, 0x00A3, 0x0032, 0x0029, 0x0086, 0x00D9,
	0x008C, 0x008F, 0x00FA, 0x009D, 0x0A5C, 0x0028, 0x00B4, 0x001C,
	0x00C1, 0x0013, 0x002C, 0x0023, 0x0072, 0x0083, 0x00A4, 0x007E,
	0x0A1E, 0x003A, 0x0048, 0x004A, 0x007C, 0x00B1, 0x0011, 0x0009,
	0x00CE, 0x00FB, 0x0045, 0x00BA, 0x0AC8, 0x00F7, 0x001E, 0x00AC,
	0x0055, 0x0048, 0x0082, 0x00B5, 0x005D, 0x00A7, 0x005F, 0x0092,
	0x0A64, 0x004F, 0x009B, 0x0022, 0x0054, 0x000E, 0x00FC, 0x0009,
	0x0008, 0x000A, 0x0043, 0x00D8, 0x0A60, 0x00B4, 0x00BB, 0x006D,
	0x0036, 0x0037, 0x002E, 0x0054, 0x009D, 0x006B, 0x0079, 0x00E2,
	0x0AE4, 0x00A5, 0x0047, 0x0094, 0x0062, 0x00E8, 0x002E, 0x00E0,
	0x00AD, 0x009E, 0x00B2, 0x0020, 0x0A44, 0x0064, 0x0041, 0x0011,
	0x00A1, 0x0060, 0x009E, 0x002F, 0x005B, 0x006F, 0x0000, 0x0039,
	0x0A87, 0x0077, 0x00F6, 0x00E6, 0x0086, 0x006D, 0x003F, 0x00A1,
	0x003F, 0x00C5, 0x002F, 0x0092, 0x0ABF, 0x004B, 0x0025, 0x000B,
	0x0035, 0x006E, 0x006B, 0x00A7, 0x0058, 0x00E6, 0x0055, 0x00EC,
	0x0AAA, 0x000C, 0x00D6, 0x009E, 0x0053, 0x0035, 0x00BA, 0x007B,
	0x0036, 0x0095, 0x00CD, 0x00DC, 0x0A52, 0x0056, 0x00EC, 0x0059,
	0x00B3, 0x005E, 0x00A7, 0x003D, 0x00C8, 0x0090, 0x00D7, 0x00F9,
	0x0A5D, 0x0009, 0x003C, 0x005F, 0x00B1, 0x00A8, 0x00C5, 0x00E3,
	0x00D8, 0x0047, 0x0097, 0x00CD, 0x0AB3, 0x0059, 0x0024, 0x00F3,
	0x007E, 0x0047, 0x0022, 0x0016, 0x00E4, 0x001D, 0x0052, 0x0012,
	0x0A05, 0x0024, 0x00D2, 0x0086, 0x00DA, 0x0096, 0x00E4, 0x004E,
	0x001B, 0x0037, 0x0037, 0x0069, 0x0ABB, 0x0021, 0x0004, 0x00FD,
	0x0088, 0x0025, 0x004C, 0x001C, 0x00F0, 0x0014, 0x00AE, 0x008B,
	0x0A6E, 0x00DE, 0x0097, 0x00FE, 0x00EE, 0x00E3, 0x007D, 0x00C1,
	0x00C2, 0x003C, 0x00A4, 0x0064, 0x0A55, 0x0088, 0x004F, 0x00F0,
	0x0082, 0x00C8, 0x0098, 0x005E, 0x00FB, 0x0058, 0x003C, 0x0005,
	0x0A77, 0x0019, 0x0053, 0x006A, 0x00F9, 0x00A3, 0x0029, 0x0011,
	0x00B5, 0x00BA, 0x00A7, 0x00F8, 0x0AC4, 0x00C4, 0x0052, 0x00B3,
	0x003E, 0x00C2, 0x00A1, 0x00D7, 0x00E0, 0x0014, 0x0018, 0x00F9,
	0x0AAB, 0x0024, 0x00D4, 0x0020, 0x0080, 0x003E, 0x0040, 0x009B,
	0x00D3, 0x00AE, 0x008B, 0x00B1, 0x0A37, 0x0053, 0x00F1, 0x0062,
	0x0038, 0x005D, 0x0020, 0x0000, 0x00C2, 0x00D8, 0x00E3, 0x00E4,
	0x0A73, 0x00D4, 0x00E2, 0x0008, 0x00FD, 0x00E6, 0x00FC, 0x00AD,
	0x004F, 0x0087, 0x00A3, 0x00D4, 0x0A47, 0x0024, 0x00A2, 0x0031,
	0x008C, 0x0004, 0x0061, 0x0081, 0x001B, 0x003F, 0x008C, 0x0010,
	0x0A14, 0x0099, 0x00FF, 0x00A9, 0x00AD, 0x00FC, 0x0008, 0x0034,
	0x003D, 0x00B0, 0x007B, 0x0020, 0x0A63, 0x002D, 0x00C8, 0x00D0,
	0x0029, 0x004E, 0x002E, 0x0078, 0x00E9, 0x00DF, 0x00DA, 0x00F8,
	0x0A4A, 0x0A2B, 0x0A10, 0x00DA, 0x0041, 0x0A95, 0x0012, 0x0A1A,
	0x0A98, 0x00A8, 0x0024, 0x0AE7, 0x0066, 0x004D, 0x0007, 0x00E0,
	0x0AC1, 0x0A66, 0x00E7, 0x0048, 0x0AB3, 0x00E0, 0x0A7F, 0x0A6D,
	0x0088, 0x00E7, 0x0AEA, 0x0065, 0x00C7, 0x00E1, 0x0019, 0x0002,
	0x00B9, 0x0075, 0x00DF, 0x0035, 0x0025, 0x0003, 0x003B, 0x00D4,
	0x00F6, 0x0028, 0x0091, 0x00E8, 0x00C4, 0x0059, 0x0AE6, 0x0AD2,
	0x0064, 0x00A0, 0x002E, 0x0060, 0x00B6, 0x00D4, 0x006C, 0x00EE,
	0x0AD3, 0x00AB, 0x00CF, 0x00BB, 0x0021, 0x0AFC, 0x0A0C, 0x0031,
	0x0000, 0x0A32, 0x0051, 0x0AC3, 0x0A15, 0x00C6, 0x0023, 0x0AB2,
	0x00CE, 0x0032, 0x00A7, 0x001B, 0x0AEC, 0x0A9C, 0x002F, 0x0075,
	0x0ACC, 0x008B, 0x0A4F, 0x0ACD, 0x0005, 0x00AF, 0x0AB1, 0x0055,
	0x0080, 0x00C0, 0x009D, 0x009C, 0x0034, 0x0090, 0x0092, 0x00EC,
	0x0002, 0x0032, 0x0015, 0x00DF, 0x002E, 0x009B, 0x0026, 0x00B9,
	0x0070, 0x0001, 0x0AEB, 0x0AD8, 0x006B, 0x0018, 0x0089, 0x0086,
	0x00E5, 0x0016, 0x00C2, 0x00E0, 0x0A26, 0x008D, 0x0064, 0x000B,
	0x00FC, 0x0A05, 0x0A52, 0x001A, 0x008C, 0x0A26, 0x0017, 0x0A3D,
	0x0A17, 0x003C, 0x0011, 0x0AEC, 0x00D4, 0x0014, 0x00A2, 0x005D,
	0x0AEB, 0x0A93, 0x00CC, 0x00A6, 0x0A1A, 0x0073, 0x0AD2, 0x0AAF,
	0x0077, 0x0012, 0x0A36, 0x0077, 0x0047, 0x00CD, 0x00D5, 0x00AF,
	0x0036, 0x00F2, 0x00CE, 0x00B2, 0x0023, 0x003A, 0x00B3, 0x00F3,
	0x0045, 0x0003, 0x00F4, 0x00A7, 0x00EE, 0x00CF, 0x0A3C, 0x0AA7,
	0x0012, 0x00A9, 0x0061, 0x005F, 0x00A7, 0x0090, 0x0046, 0x00DB,
	0x0A41, 0x0034, 0x00C4, 0x0034, 0x0038, 0x0A52, 0x0A13, 0x0016,
	0x00AD, 0x0AB7, 0x0021, 0x0A0E, 0x0A24, 0x006C, 0x0018, 0x0AE5,
	0x0092, 0x0061, 0x00CF, 0x00AB, 0x0AC0, 0x0AA3, 0x0071, 0x00D9,
	0x0A13, 0x00DB, 0x0A3C, 0x0A8B, 0x0012, 0x0019, 0x0A2A, 0x0002,
	0x00C3, 0x0096, 0x00ED, 0x006E, 0x0024, 0x00FA, 0x00C4, 0x0085,
	0x0075, 0x00FE, 0x0050, 0x0007, 0x00E8, 0x000A, 0x00E6, 0x0041,
	0x0082, 0x0012, 0x0A83, 0x0AD9, 0x007C, 0x005E, 0x004E, 0x0015,
	0x004F, 0x001B, 0x005E, 0x00C3, 0x0AFC, 0x0030, 0x00FB, 0x0076,
	0x0058, 0x0AC3, 0x0A3A, 0x0033, 0x0044, 0x0A1B, 0x009C, 0x0AB9,
	0x0A7C, 0x0008, 0x004B, 0x0A17, 0x0070, 0x0082, 0x00BC, 0x00F3,
	0x0A01, 0x0AEF, 0x00C5, 0x0062, 0x0A9F, 0x002A, 0x0A09, 0x0ACD,
	0x003F, 0x0086, 0x0A8B, 0x00C5, 0x0087, 0x0045, 0x00EA, 0x00DE,
	0x0014, 0x00BD, 0x00FE, 0x00F8, 0x00C6, 0x00BB, 0x00D9, 0x009E,
	0x006A, 0x0083, 0x0013, 0x0063, 0x006A, 0x00AF, 0x0AD0, 0x0AC0,
	0x00C9, 0x00F6, 0x002F, 0x0062, 0x0088, 0x00DF, 0x00E2, 0x0090,
	0x0AC4, 0x0069, 0x0095, 0x0050, 0x0082, 0x0A6A, 0x0AB1, 0x00F1,
	0x003E, 0x0A22, 0x002A, 0x0A1F, 0x0A66, 0x007B, 0x0089, 0x0AB8,
	0x0030, 0x004B, 0x00BB, 0x0031, 0x0AF1, 0x0A8E, 0x00DC, 0x00D4,
	0x0AB2, 0x00F3, 0x0AF0, 0x0A1D, 0x008C, 0x00CA, 0x0A57, 0x0087,
	0x00C3, 0x009C, 0x00FB, 0x007E, 0x0053, 0x00B6, 0x0033, 0x00BA,
	0x00F2, 0x00BB, 0x0009, 0x0054, 0x00A1, 0x0072, 0x0088, 0x00A4,
	0x00D3, 0x0070, 0x0ACC, 0x0AFB, 0x004F, 0x002E, 0x008B, 0x0031,
	0x0040, 0x000E, 0x00B8, 0x009A, 0x0A44, 0x00AC, 0x00FF, 0x00F1,
	0x00F5, 0x0A7B, 0x0A95, 0x0077, 0x0057, 0x0A3D, 0x0092, 0x0A0A,
	0x0A6E, 0x0017, 0x00E4, 0x0ABD, 0x0075, 0x005D, 0x008D, 0x0023,
	0x0A84, 0x0A76, 0x00A1, 0x00F6, 0x0A03, 0x003D, 0x0AB1, 0x0A87,
	0x0055, 0x0037, 0x0A0F, 0x0093, 0x001A, 0x001A, 0x0002, 0x00F1,
	0x0018, 0x0005, 0x009A, 0x008A, 0x0013, 0x001A, 0x0087, 0x001B,
	0x0045, 0x007E, 0x0023, 0x0077, 0x008B, 0x0094, 0x0AF2, 0x0ABE,
	0x00BF, 0x00D5, 0x006C, 0x005B, 0x0019, 0x0075, 0x001C, 0x00EA,
	0x0A7C, 0x0002, 0x0075, 0x00F5, 0x00CB, 0x0A25, 0x0AC6, 0x005C,
	0x00BA, 0x0A80, 0x00C6, 0x0ADA, 0x0A40, 0x0059, 0x0094, 0x0A08,
	0x0053, 0x0098, 0x00FD, 0x0096, 0x0AB8, 0x0ADA, 0x0023, 0x0060,
	0x0A6A, 0x00CB, 0x0AB2, 0x0A25, 0x003B, 0x004F, 0x0A4D, 0x000B,
	0x002A, 0x00D1, 0x00E0, 0x00AF, 0x006D, 0x00B3, 0x00CB, 0x0072,
	0x00BE, 0x0007, 0x00AC, 0x00AE, 0x000B, 0x0039, 0x0026, 0x0005,
	0x000A, 0x00B4, 0x0BD9, 0x0BEC, 0x0061, 0x0024, 0x00E0, 0x007B,
	0x0031, 0x004B, 0x005E, 0x0022, 0x0B8A, 0x00AD, 0x000B, 0x000C,
	0x008D, 0x0A23, 0x0A22, 0x00B0, 0x00F5, 0x0ADD, 0x0044, 0x0ADD,
	0x0ADD, 0x006F, 0x00F3, 0x0A22, 0x009A, 0x00F5, 0x000C, 0x0030,
	0x0ADE, 0x0ADE, 0x0003, 0x00F4, 0x0A21, 0x001B, 0x0A21, 0x0ADF,
	0x00AA, 0x000C, 0x0ADE, 0x0042, 0x00F4, 0x00F2, 0x005C, 0x00EF,
	0x0011, 0x007E, 0x000B, 0x0012, 0x0093, 0x00ED, 0x00EC, 0x0075,
	0x00F2, 0x0011, 0x0039, 0x000B, 0x000C, 0x00C5, 0x0BFE, 0x0BFF,
	0x0017, 0x00F5, 0x0012, 0x00A0, 0x0012, 0x0012, 0x00E4, 0x00F3,
	0x0BFF, 0x00E6, 0x00F5, 0x000C, 0x00FF, 0x0ADD, 0x0ADD, 0x00E7,
	0x00F4, 0x0A20, 0x00EF, 0x0A20, 0x0ADE, 0x007E, 0x000C, 0x0ADD,
	0x0081, 0x00F4, 0x00F2, 0x00E5, 0x0A21, 0x0ADF, 0x00F3, 0x000B,
	0x0AE0, 0x00F3, 0x0A1F, 0x0A1E, 0x004F, 0x00F2, 0x0ADF, 0x00BB,
	0x000B, 0x000C, 0x009A, 0x00EE, 0x00EF, 0x0038, 0x00F5, 0x0012,
	0x000C, 0x0012, 0x0012, 0x00CB, 0x00F3, 0x00EF, 0x00E5, 0x00F5,
	0x000C, 0x0032, 0x0B02, 0x0B02, 0x0089, 0x00F4, 0x00EC, 0x0088,
	0x00EC, 0x0012, 0x0086, 0x000C, 0x0B02, 0x004A, 0x00F4, 0x00F2,
	0x00F2, 0x0A20, 0x0ADE, 0x00C7, 0x000B, 0x0ADF, 0x001C, 0x0A20,
	0x0A21, 0x0088, 0x00F2, 0x0ADE, 0x002A, 0x000B, 0x000C, 0x00C9,
	0x0A1F, 0x0A1E, 0x007F, 0x00F5, 0x0AE1, 0x00BC, 0x0AE1, 0x0AE1,
	0x0075, 0x00F3, 0x0A1E, 0x00E9, 0x00F5, 0x000C, 0x0081, 0x0011,
	0x0011, 0x00E2, 0x00F4, 0x00EC, 0x00CD, 0x00EC, 0x0012, 0x00B3,
	0x000C, 0x0011, 0x00BA, 0x00F4, 0x00F2, 0x00BA, 0x0BFD, 0x0B03,
	0x00FF, 0x000B, 0x0012, 0x0034, 0x00ED, 0x00EC, 0x007A, 0x00F2,
	0x0B03, 0x0042, 0x000B, 0x000C, 0x00E3, 0x0A20, 0x0A21, 0x0097,
	0x00F5, 0x0AE0, 0x00D1, 0x0AE0, 0x0AE0, 0x00D6, 0x00F3, 0x0A21,
	0x00CA, 0x00F5, 0x000C, 0x000C, 0x0AE1, 0x0AE1, 0x00B1, 0x00F4,
	0x0A1C, 0x000D, 0x0A1C, 0x0AE2, 0x0096, 0x000C, 0x0AE1, 0x0020,
	0x00F4, 0x00F2, 0x003C, 0x00EF, 0x0011, 0x003B, 0x000B, 0x0012,
	0x003B, 0x00ED, 0x00EC, 0x003E, 0x00F2, 0x0011, 0x0003, 0x000B,
	0x000C, 0x00F8, 0x0BFB, 0x0BFA, 0x00E5, 0x00F5, 0x0012, 0x00DC,
	0x0012, 0x0012, 0x00C1, 0x00F3, 0x0BFA, 0x0083, 0x00F5, 0x000C,
	0x0021, 0x0AE0, 0x0AE0, 0x00DF, 0x00F4, 0x0A1F, 0x00AE, 0x0A1F,
	0x0AE1, 0x008E, 0x000C, 0x0AE0, 0x008E, 0x00F4, 0x00F2, 0x00D9,
	0x0A1C, 0x0AE2, 0x001E, 0x000B, 0x0AE3, 0x006A, 0x0A1C, 0x0A1D,
	0x000E, 0x000C, 0x0AE2, 0x00B1, 0x00F4, 0x00F2, 0x0055, 0x00EF,
	0x0011, 0x00F4, 0x000B, 0x0012, 0x00A3, 0x00ED, 0x00EC, 0x00A6,
	0x00F2, 0x0011, 0x00BB, 0x000B, 0x000C, 0x00D0, 0x0BFA, 0x0BFB,
	0x0086, 0x00F5, 0x0012, 0x00FF, 0x0012, 0x0012, 0x00F8, 0x00F3,
	0x0BFB, 0x007A, 0x00F5, 0x000C, 0x006B, 0x0AE1, 0x0AE1, 0x0073,
	0x00F4, 0x0A1C, 0x0001, 0x0A1C, 0x0AE2, 0x003C, 0x000C, 0x0AE1,
	0x0058, 0x00F4, 0x00F2, 0x0047, 0x0A1D, 0x0AE3, 0x0027, 0x000B,
	0x0AE4, 0x00CB, 0x0A1B, 0x0A1A, 0x00CE, 0x00F2, 0x0AE3, 0x001D,
	0x000B, 0x000C, 0x004C, 0x00EE, 0x00EF, 0x00F5, 0x00F5, 0x0012,
	0x000A, 0x0012, 0x0012, 0x000C, 0x00F3, 0x00EF, 0x00D2, 0x00F5,
	0x000C, 0x00F2, 0x0B06, 0x0B06, 0x00EB, 0x00F4, 0x00EC, 0x00E9,
	0x00EC, 0x0012, 0x0045, 0x000C, 0x0B06, 0x00A2, 0x00F4, 0x00F2,
	0x0025, 0x0A1C, 0x0AE2, 0x0094, 0x000B, 0x0AE3, 0x000D, 0x0A1C,
	0x0A1D, 0x000E, 0x000C, 0x0AE2, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AE4, 0x0AE4, 0x000E, 0x00F4, 0x0A1B, 0x0009, 0x0AE5, 0x0AE5,
	0x0009, 0x00F3, 0x0A1A, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B07, 0x0B07,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BF9, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A1C, 0x0A1D, 0x0009,
	0x000B, 0x0AE4, 0x000E, 0x0A1B, 0x0A1A, 0x000E, 0x000C, 0x0AE3,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AE5, 0x0AE5, 0x000E, 0x00F4,
	0x0A18, 0x0009, 0x0AE6, 0x0AE6, 0x0009, 0x00F3, 0x0A1B, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B08, 0x0B08, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BF6, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A1B, 0x0A1A, 0x0009, 0x000B, 0x0AE5, 0x000E, 0x0A1A,
	0x0A1B, 0x000E, 0x000C, 0x0AE4, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AE6, 0x0AE6, 0x000E, 0x00F4, 0x0A19, 0x0009, 0x0AE7, 0x0AE7,
	0x0009, 0x00F3, 0x0A18, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B09, 0x0B09,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BF7, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A1A, 0x0A1B, 0x0009,
	0x000B, 0x0AE6, 0x000E, 0x0A19, 0x0A18, 0x000E, 0x000C, 0x0AE5,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AE7, 0x0AE7, 0x000E, 0x00F4,
	0x0A16, 0x0009, 0x0AE8, 0x0AE8, 0x0009, 0x00F3, 0x0A19, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B0A, 0x0B0A, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BF4, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A19, 0x0A18, 0x0009, 0x000B, 0x0AE7, 0x000E, 0x0A18,
	0x0A19, 0x000E, 0x000C, 0x0AE6, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AE8, 0x0AE8, 0x000E, 0x00F4, 0x0A17, 0x0009, 0x0AE9, 0x0AE9,
	0x0009, 0x00F3, 0x0A16, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B0B, 0x0B0B,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BF5, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A18, 0x0A19, 0x0009,
	0x000B, 0x0AE8, 0x000E, 0x0A17, 0x0A16, 0x000E, 0x000C, 0x0AE7,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AE9, 0x0AE9, 0x000E, 0x00F4,
	0x0A14, 0x0009, 0x0AEA, 0x0AEA, 0x0009, 0x00F3, 0x0A17, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B0C, 0x0B0C, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BF2, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A17, 0x0A16, 0x0009, 0x000B, 0x0AE9, 0x000E, 0x0A16,
	0x0A17, 0x000E, 0x000C, 0x0AE8, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AEA, 0x0AEA, 0x000E, 0x00F4, 0x0A15, 0x0009, 0x0AEB, 0x0AEB,
	0x0009, 0x00F3, 0x0A14, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B0D, 0x0B0D,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BF3, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A16, 0x0A17, 0x0009,
	0x000B, 0x0AEA, 0x000E, 0x0A15, 0x0A14, 0x000E, 0x000C, 0x0AE9,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AEB, 0x0AEB, 0x000E, 0x00F4,
	0x0A12, 0x0009, 0x0AEC, 0x0AEC, 0x0009, 0x00F3, 0x0A15, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B0E, 0x0B0E, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BF0, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A15, 0x0A14, 0x0009, 0x000B, 0x0AEB, 0x000E, 0x0A14,
	0x0A15, 0x000E, 0x000C, 0x0AEA, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AEC, 0x0AEC, 0x000E, 0x00F4, 0x0A13, 0x0009, 0x0AED, 0x0AED,
	0x0009, 0x00F3, 0x0A12, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B0F, 0x0B0F,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BF1, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A14, 0x0A15, 0x0009,
	0x000B, 0x0AEC, 0x000E, 0x0A13, 0x0A12, 0x000E, 0x000C, 0x0AEB,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AED, 0x0AED, 0x000E, 0x00F4,
	0x0A10, 0x0009, 0x0AEE, 0x0AEE, 0x0009, 0x00F3, 0x0A13, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B10, 0x0B10, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BEE, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A13, 0x0A12, 0x0009, 0x000B, 0x0AED, 0x000E, 0x0A12,
	0x0A13, 0x000E, 0x000C, 0x0AEC, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AEE, 0x0AEE, 0x000E, 0x00F4, 0x0A11, 0x0009, 0x0AEF, 0x0AEF,
	0x0009, 0x00F3, 0x0A10, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B11, 0x0B11,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BEF, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A12, 0x0A13, 0x0009,
	0x000B, 0x0AEE, 0x000E, 0x0A11, 0x0A10, 0x000E, 0x000C, 0x0AED,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AEF, 0x0AEF, 0x000E, 0x00F4,
	0x0A0E, 0x0009, 0x0AF0, 0x0AF0, 0x0009, 0x00F3, 0x0A11, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B12, 0x0B12, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BEC, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A11, 0x0A10, 0x0009, 0x000B, 0x0AEF, 0x000E, 0x0A10,
	0x0A11, 0x000E, 0x000C, 0x0AEE, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AF0, 0x0AF0, 0x000E, 0x00F4, 0x0A0F, 0x0009, 0x0AF1, 0x0AF1,
	0x0009, 0x00F3, 0x0A0E, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B13, 0x0B13,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BED, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A10, 0x0A11, 0x0009,
	0x000B, 0x0AF0, 0x000E, 0x0A0F, 0x0A0E, 0x000E, 0x000C, 0x0AEF,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AF1, 0x0AF1, 0x000E, 0x00F4,
	0x0A0C, 0x0009, 0x0AF2, 0x0AF2, 0x0009, 0x00F3, 0x0A0F, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B14, 0x0B14, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BEA, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A0F, 0x0A0E, 0x0009, 0x000B, 0x0AF1, 0x000E, 0x0A0E,
	0x0A0F, 0x000E, 0x000C, 0x0AF0, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AF2, 0x0AF2, 0x000E, 0x00F4, 0x0A0D, 0x0009, 0x0AF3, 0x0AF3,
	0x0009, 0x00F3, 0x0A0C, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B15, 0x0B15,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BEB, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A0E, 0x0A0F, 0x0009,
	0x000B, 0x0AF2, 0x000E, 0x0A0D, 0x0A0C, 0x000E, 0x000C, 0x0AF1,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AF3, 0x0AF3, 0x000E, 0x00F4,
	0x0A0A, 0x0009, 0x0AF4, 0x0AF4, 0x0009, 0x00F3, 0x0A0D, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B16, 0x0B16, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BE8, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A0D, 0x0A0C, 0x0009, 0x000B, 0x0AF3, 0x000E, 0x0A0C,
	0x0A0D, 0x000E, 0x000C, 0x0AF2, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AF4, 0x0AF4, 0x000E, 0x00F4, 0x0A0B, 0x0009, 0x0AF5, 0x0AF5,
	0x0009, 0x00F3, 0x0A0A, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B17, 0x0B17,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BE9, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A0C, 0x0A0D, 0x0009,
	0x000B, 0x0AF4, 0x000E, 0x0A0B, 0x0A0A, 0x000E, 0x000C, 0x0AF3,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AF5, 0x0AF5, 0x000E, 0x00F4,
	0x0A08, 0x0009, 0x0AF6, 0x0AF6, 0x0009, 0x00F3, 0x0A0B, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B18, 0x0B18, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BE6, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A0B, 0x0A0A, 0x0009, 0x000B, 0x0AF5, 0x000E, 0x0A0A,
	0x0A0B, 0x000E, 0x000C, 0x0AF4, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AF6, 0x0AF6, 0x000E, 0x00F4, 0x0A09, 0x0009, 0x0AF7, 0x0AF7,
	0x0009, 0x00F3, 0x0A08, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B19, 0x0B19,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BE7, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A0A, 0x0A0B, 0x0009,
	0x000B, 0x0AF6, 0x000E, 0x0A09, 0x0A08, 0x000E, 0x000C, 0x0AF5,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AF7, 0x0AF7, 0x000E, 0x00F4,
	0x0A06, 0x0009, 0x0AF8, 0x0AF8, 0x0009, 0x00F3, 0x0A09, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B1A, 0x0B1A, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BE4, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A09, 0x0A08, 0x0009, 0x000B, 0x0AF7, 0x000E, 0x0A08,
	0x0A09, 0x000E, 0x000C, 0x0AF6, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AF8, 0x0AF8, 0x000E, 0x00F4, 0x0A2A, 0x0009, 0x0AD4, 0x0AD4,
	0x0009, 0x00F3, 0x0A06, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B1B, 0x0B1B,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BE5, 0x000E, 0x000B, 0x000C, 0x0016, 0x0A08, 0x0A09, 0x0009,
	0x000B, 0x0AF8, 0x000E, 0x0A07, 0x0A06, 0x000E, 0x000C, 0x0AF7,
	0x0009, 0x00F4, 0x00F2, 0x0013, 0x0AD4, 0x0AD4, 0x000E, 0x00F4,
	0x0A2B, 0x0009, 0x0AD5, 0x0AD5, 0x0009, 0x00F3, 0x0A2A, 0x000E,
	0x000B, 0x000C, 0x0017, 0x00EE, 0x00EF, 0x0009, 0x000B, 0x0012,
	0x000E, 0x00ED, 0x00EC, 0x000E, 0x000C, 0x0011, 0x0009, 0x00F4,
	0x00F2, 0x0010, 0x0B1C, 0x0B1C, 0x000E, 0x00F4, 0x00EC, 0x0009,
	0x0012, 0x0012, 0x0009, 0x00F3, 0x0BE2, 0x000E, 0x000B, 0x000C,
	0x0016, 0x0A07, 0x0A06, 0x0009, 0x000B, 0x0AD4, 0x000E, 0x0A2B,
	0x0A2A, 0x000E, 0x000C, 0x0AF8, 0x0009, 0x00F4, 0x00F2, 0x0013,
	0x0AD5, 0x0AD5, 0x000E, 0x00F4, 0x0A28, 0x0009, 0x0AD6, 0x0AD6,
	0x0009, 0x00F3, 0x0A2B, 0x000E, 0x000B, 0x000C, 0x0017, 0x00EE,
	0x00EF, 0x0009, 0x000B, 0x0012, 0x000E, 0x00ED, 0x00EC, 0x000E,
	0x000C, 0x0011, 0x0009, 0x00F4, 0x00F2, 0x0010, 0x0B1D, 0x0B1D,
	0x000E, 0x00F4, 0x00EC, 0x0009, 0x0012, 0x0012, 0x0009, 0x00F3,
	0x0BE3, 0x000E, 0x000B, 0x000C, 0x0016, 0x00F5, 0x00F4, 0x0002,
	0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0049, 0x006E,
	0x0070, 0x0075, 0x0074, 0x003A
};
unsigned short data[74] = {
	0x009E, 0x0028, 0x00F5, 0x0075, 0x0073, 0x0073, 0x0030, 0x007E,
	0x0048, 0x0048, 0x00F2, 0x002F, 0x003D, 0x00EC, 0x0001, 0x0026,
	0x003E, 0x00CD, 0x0082, 0x00AD, 0x00B1, 0x00D1, 0x0036, 0x00D2,
	0x00B4, 0x00E5, 0x00E8, 0x004C, 0x003D, 0x000C, 0x0073, 0x00FD,
	0x0059, 0x00A7, 0x0048, 0x0093, 0x00FD, 0x0006, 0x00E0, 0x0044,
	0x0048, 0x0071, 0x0094, 0x004A, 0x008E, 0x00A4, 0x0036, 0x0091,
	0x0023, 0x00EE, 0x0068, 0x00C1, 0x005D, 0x000B, 0x004D, 0x001A,
	0x0074, 0x0083, 0x0051, 0x0052, 0x00EE, 0x00FE, 0x0011, 0x00A2,
	0x00A1, 0x0064, 0x00BD, 0x0098, 0x004D, 0x00B9, 0x0097, 0x0045,
	0x00E6, 0x00F7
};

unsigned char s[256];

char* get_name(int id) {
	char* p = (char*)malloc(0x100);

	if (id >= 2772) {
		snprintf(p, 0x100, "data[%d]", id - 2772);
	}
	else {
		snprintf(p, 0x100, "op[%d]", id);
	}
	return p;
}

void __cdecl rc4_key(_BYTE* a1, const char* a2, unsigned int a3)
{
	int v3; // [esp+0h] [ebp-110h]
	char v4; // [esp+7h] [ebp-109h]
	int i; // [esp+8h] [ebp-108h]
	int j; // [esp+8h] [ebp-108h]
	char v7[256]; // [esp+Ch] [ebp-104h] BYREF

	v3 = 0;
	memset(v7, 0, sizeof(v7));
	for (i = 0; i < 256; ++i)
	{
		a1[i] = i;
		v7[i] = a2[i % a3];
	}
	for (j = 0; j < 256; ++j)
	{
		v3 = ((unsigned __int8)v7[j] + v3 + (unsigned __int8)a1[j]) % 256;
		v4 = a1[j];
		a1[j] = a1[v3];
		a1[v3] = v4;
	}
}

unsigned int __cdecl rc4(unsigned __int8* s, _WORD* data, unsigned int len)
{
	unsigned int result; // eax
	int v4; // [esp+4h] [ebp-10h]
	unsigned int i; // [esp+8h] [ebp-Ch]
	int v6; // [esp+Ch] [ebp-8h]
	unsigned __int8 v7; // [esp+13h] [ebp-1h]

	v6 = 0;
	v4 = 0;
	for (i = 0; i < len; ++i)
	{
		v6 = (v6 + 1) % 256;
		v4 = (v4 + s[v6]) % 256;
		v7 = s[v6];
		s[v6] = s[v4];
		s[v4] = v7;
		data[i] ^= s[(s[v4] + s[v6]) % 256];
		result = i + 1;
	}
	return result;
}

int main() {
	rc4_key(s, "YunZh1JunAlkaid", 0xF);
	rc4(s, data, 0x4Au);
	int v4;
	int v5 = 0;

	while ((unsigned __int16)op[0] != 0xFFFF)
	{
		if (op[2] == 1)
		{
			op[2] = 0;
			printf("%c", op[3]);
		}
		if (op[7] == 1)
		{
			op[7] = 0;
			scanf_s("%c", &op[8]);
			v4 = v5++;
			if (v4 == 36 && op[8] != 0x7E)
			{
				puts("Wrong!");
				return 0;
			}

			if (v4 == 36) {

				printf("---------------End Input---------------\n");
				int i;
//				for (i = 0; i < 2772; i++)
//					printf("0x%X, ", op[i]);

			}

		}
		if (op[19])
		{
			int i;
//			for (i = 0; i < 2772; i++)
//				printf("0x%X, ", op[i]);
			puts("Wrong!");
			return 0;
		}
		unsigned __int16 v9 = op[0];
		rc4(s, &op[(unsigned __int16)op[0]], 3);
		unsigned __int16 v7 = op[v9];
		unsigned __int16 v8 = op[v9 + 1];
		unsigned __int16 v6 = op[v9 + 2];
		op[0] = v9 + 3;
		rc4(s, &op[v9], 3);

		op[v6] = ~(op[v7] & op[v8]);

		printf("%s = ~(%s & %s)\n", get_name(v6), get_name(v7), get_name(v8));

	}

	return 0;
}

0x02 Get Flag

那么再经过稍微的调试与审计,不难发现我们的每段比较密文都是这种形式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# op[17] = in[0] ^ in[1]
op[11] = ~(data[0] & data[0])
op[11] = ~(op[11] & data[1])
op[12] = ~(data[1] & data[1])
op[12] = ~(op[12] & data[0])
op[17] = ~(op[11] & op[12])

# op[18] = in[2] ^ in[3]
op[11] = ~(data[2] & data[2])
op[11] = ~(op[11] & data[3])
op[12] = ~(data[3] & data[3])
op[12] = ~(op[12] & data[2])
op[18] = ~(op[11] & op[12])

# op[18] = op[17] ^ op[18]
op[11] = ~(op[17] & op[17])
op[11] = ~(op[11] & op[18])
op[12] = ~(op[18] & op[18])
op[12] = ~(op[12] & op[17])
op[18] = ~(op[11] & op[12])

# check
op[11] = ~(data[37] & data[37]) # data[37]也就是我们的密文第一位
op[11] = ~(op[11] & op[18])
op[12] = ~(op[18] & op[18])
op[12] = ~(op[12] & data[37])
op[19] = ~(op[11] & op[12])

随后直接Z3即可,当然看了云之君师傅博客直接逆也可以

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from z3 import *

enc = [0x0024, 0x000B, 0x006D, 0x000F, 0x0003, 0x0032, 0x0042, 0x001D, 0x002B, 0x0043, 0x0078, 0x0043, 0x0073, 0x0030, 0x002B, 0x004E, 0x0063, 0x0048, 0x0077, 0x002E, 0x0032, 0x0039, 0x001A, 0x0012, 0x0071, 0x007A, 0x0042, 0x0017, 0x0045, 0x0072, 0x0056, 0x000C, 0x005C, 0x004A, 0x0062, 0x0053, 0x0033]
sol = Solver()
input = [BitVec('input%d' % i, 8) for i in range(37)]

sol.add(input[36] == ord('~'))

for i in range(37):
    sol.add((input[i] ^ input[(i + 1) % 37] ^ input[(i + 2) % 37] ^ input[(i + 3) % 37]) == enc[i])

assert sat == sol.check()
ans = sol.model()
for i in range(37):
    print(chr(ans[input[i]].as_long()), end = "")
# A_Sin91e_InS7rUcti0N_ViRTua1_M4chin3~

D3RC4

0x00 Routine Check Shell

无壳64位

image-20230505153709916

0x01 主子进程

首先点入main函数是会得到一个fake flag,不过也已经经过RC4异或了一次我们的输入,随后出题人在_fini_array还有起个函数,也就是本题的关键了

那么先普及点前置知识

fork函数的返回值

pipe管道

1
2
3
#include <unistd.h>
int pipe (int fd[2]);
                         //返回:成功返回0,出错返回-1

那么简单来说就是写的时候关读端fd[0],起写端fd[1],另一端反之

Father

该函数为程序退出后要执行的函数,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
unsigned __int64 father()
{
  int v1; // eax
  __WAIT_STATUS stat_loc; // [rsp+4h] [rbp-2Ch] BYREF
  int i; // [rsp+Ch] [rbp-24h]
  int j; // [rsp+10h] [rbp-20h]
  int k; // [rsp+14h] [rbp-1Ch]
  __pid_t p; // [rsp+18h] [rbp-18h]
  int v7; // [rsp+1Ch] [rbp-14h]
  int ffd[2]; // [rsp+20h] [rbp-10h] BYREF
  unsigned __int64 v9; // [rsp+28h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  if ( pipe(ffd) == -1 )
    exit(1);
  p = fork();
  if ( p < 0 )
    exit(1);


  if ( p )                                      // 父进程
  {
    close(ffd[0]);
    v7 = 2;
    HIDWORD(stat_loc.__iptr) = 3;
    while ( SHIDWORD(stat_loc.__iptr) < len )   // 主进程写数据
    {
      if ( SHIDWORD(stat_loc.__iptr) % v7 )     // 奇数
        write(ffd[1], &stat_loc.__iptr + 4, 4uLL);
      else                                      // 偶数,执行十六次
        ++p1;
      ++HIDWORD(stat_loc.__iptr);
    }


    close(ffd[1]);                              // 关闭写端开始读子进程的数据放入密钥
    close(fd0[1]);
    while ( read(fd0[0], &stat_loc.__iptr + 4, 4uLL) )
    {
      v1 = p2++;
      aWe1c0m3T0D3ctf[v1] = BYTE4(stat_loc.__iptr);// 修改了Key
    }


    close(fd0[0]);                              // 关闭读端,再起一个子进程
    wait(&stat_loc);

    if ( LODWORD(stat_loc.__uptr) )
    {
      puts(s);
      exit(1);
    }


    p = fork();
    if ( p < 0 )
      exit(1);


    if ( !p )                                   // 子进程
    {
      init_key(Sbox, aWe1c0m3T0D3ctf, p2);
      for ( i = 0; i < p1; ++i )
        RC4(Sbox, len, xor_key);
      for ( j = 0; j < len; j += 2 )
      {
        in1[j] = (in1[j] + in1[j + 1]) ^ xor_key[j];
        in1[j + 1] = xor_key[j + 1] ^ (in1[j] - in1[j + 1]);
      }
      for ( k = 0; k < len; ++k )
      {
        if ( in1[k] != enc[k] )
          exit(1);
      }
      exit(0);
    }


    wait(&stat_loc);                            // 父进程调用wait等待子进程退出
    if ( LODWORD(stat_loc.__uptr) )             // 根据子进程返回值输出,就是最后的check了
      puts(s);
    else
      puts(aGqk9lLwyvj);
    exit(0);
  }
  child(ffd);
  return v9 - __readfsqword(0x28u);
}

总结下该函数所执行的操作

Child

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
unsigned __int64 __fastcall child(int *ffd)
{
  int v2; // eax
  int buf; // [rsp+18h] [rbp-28h] BYREF
  __WAIT_STATUS stat_loc; // [rsp+1Ch] [rbp-24h] BYREF
  int i; // [rsp+24h] [rbp-1Ch]
  int j; // [rsp+28h] [rbp-18h]
  __pid_t v7; // [rsp+2Ch] [rbp-14h]
  int lfd[2]; // [rsp+30h] [rbp-10h] BYREF
  unsigned __int64 v9; // [rsp+38h] [rbp-8h]

  v9 = __readfsqword(0x28u);
  close(ffd[1]);
  if ( !read(*ffd, &buf, 4uLL) )                // 读不到数据就退
    exit(1);
  if ( pipe(lfd) == -1 )
    exit(1);


  v7 = fork();
  if ( v7 < 0 )
    exit(1);


  if ( v7 )                                     // 子父进程
  {
    close(lfd[0]);
    close(fd0[0]);


    write(fd0[1], &buf, 4uLL);                  // 写入的就是从ffd管道读到的值,也就是Buf[0],随后写入key
    close(fd0[1]);


    while ( read(*ffd, &stat_loc.__iptr + 4, 4uLL) )// 向上读入 其父进程 传入的值
    {
      if ( SHIDWORD(stat_loc.__iptr) % buf )    // 余第一项,注意每次都不一样,随后向下递归写入取值
        write(lfd[1], &stat_loc.__iptr + 4, 4uLL);
      else
        ++p1;
    }
    close(lfd[1]);
    wait(&stat_loc);

    v2 = p2++;                                  // 注意fork后的子进程和父进程不共有这些值,所以随便改也没事
    aWe1c0m3T0D3ctf[v2] = Sbox[buf];
    init_key(Sbox, aWe1c0m3T0D3ctf, p2);
    for ( i = 0; i < 256 - p1; ++i )
    {
      RC4(Sbox, len, xor_key);
      for ( j = 0; j < len; j += 2 )
      {
        in1[j] = (in1[j] + in1[j + 1]) ^ xor_key[j];
        in1[j + 1] = xor_key[j + 1] ^ (in1[j] - in1[j + 1]);
      }
    }
    exit(0);
  }
  child(lfd);
  return v9 - __readfsqword(0x28u);
}

再总结下Child函数

那么稍微屡屡就知道我们的key到底做了什么修改

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
def get_key(arr):
  if len(arr) <= 0:
    return
  global key
  key.append(arr[0])

  new_arr = []
  for i in range(1, len(arr)):
    if arr[i] % arr[0] != 0:
      new_arr.append(arr[i])

  get_key(new_arr)

arr = []
global key
key = bytearray(b'We1c0m3_t0_d^3ctf')
for i in range(3, 36):
  if i % 2 != 0:    
    arr.append(i)
get_key(arr)
print(key)

# b'We1c0m3_t0_d^3ctf\x03\x05\x07\x0b\r\x11\x13\x17\x1d\x1f'

那么得到key了之后这题也就没有什么难点了

调试!

还有个神奇的方法,我一直没意识到,赛后问了P1umH0师傅,其实直接attach上就能拿到key了

image-20230505164409194

按理来说在这下断点是应该断的住的,毕竟我们的输入与key的修改没有任何关系,而我每次跑到这就自动退了,而且key也没成功修改,属于是玄学问题

1
2
3
4
5
if ( LODWORD(stat_loc.__uptr) )
{
  puts(s);
  exit(1);
}

0x02 Get Flag

那么这题也可以用Z3直接做了,跟着程序写完所有加密直接就可以出

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
from z3 import *

def init_key(Sbox, key, p2):
    v4 = 0
    for i in range(256):
        v4 = (Sbox[i] + v4 + key[i % p2]) % 256
        Sbox[i], Sbox[v4] = Sbox[v4], Sbox[i]


def RC4(Sbox, l):
    v7 = -1
    v5 = 0
    v6 = 0
    xor_key = [0] * 104
    while (l):
        v5 = (v5 + 1) % 256
        v6 = (v6 + Sbox[v5]) % 256
        Sbox[v6], Sbox[v5] = Sbox[v5], Sbox[v6]
        v7 += 1
        xor_key[v7] = Sbox[(Sbox[v5] + Sbox[v6]) % 256]
        l -= 1
    return xor_key


def Encrypt(input):
    global Sbox
    Sbox = [0] * 256
    for i in range(256):
        Sbox[i] = i
    enc = [0xF7, 0x5F, 0xE7, 0xB0, 0x9A, 0xB4, 0xE0, 0xE7, 0x9E, 0x05, 
  0xFE, 0xD8, 0x35, 0x5C, 0x72, 0xE0, 0x86, 0xDE, 0x73, 0x9F, 
  0x9A, 0xF6, 0x0D, 0xDC, 0xC8, 0x4F, 0xC2, 0xA4, 0x7A, 0xB5, 
  0xE3, 0xCD, 0x60, 0x9D, 0x04, 0x1F]


    sol = Solver()
    # main decryption
    p1 = 17
    p2 = 17 
    l = len(input)
    key = b'We1c0m3_t0_d^3ctf'
    init_key(Sbox, key, p2)
#    print(Sbox)
    xor_key = RC4(Sbox, l)
#    print(xor_key)
    in1 = [0] * 36
    for i in range(l):
        in1[i] = input[i] ^ xor_key[i]
    

    key = b'We1c0m3_t0_d^3ctf\x03\x05\x07\x0b\r\x11\x13\x17\x1d\x1f'
    # father-child decryption
    init_key(Sbox, key, len(key))
    for i in range(p1):
        xor_key = RC4(Sbox, l)
    print(xor_key)
    for j in range(0, l, 2):
        in1[j] = (in1[j] + in1[j + 1]) ^ xor_key[j]
        in1[j + 1] = xor_key[j + 1] ^ (in1[j] - in1[j + 1])
    for i in range(l):
        sol.add(in1[i] == enc[i])
    
    assert sat == sol.check()
    ans = sol.model()
    for i in range(l):
        print(chr(ans[input[i]].as_long()), end = "")


input = [BitVec('input%d' % i, 8) for i in range(36)]
Encrypt(input)
# getting_primes_with_pipes_is_awesome

D3RECOVER

0x00 Routine Check Shell

无壳64位

image-20230506002044352

0x01 Find Check

那么本题为抽象的pyd逆向,第一个文件是没有符号的,第二个文件是有符号的,出题人也就是想让我们用Bindiff来合并一下,于是可以直接恢复第一个文件的符号方便逆向

于是直接搜索check向上引用不难发现 _pyx_pf_14d3recover_ver2_2check 就是我们的加密函数

那么通过调试与化简可得以下逻辑

1
2
3
4
5
6
7
8
9
10
for ( i = 0LL; i <= 31; ++i )
  _Pyx_PyByteArray_Append(v9, input ^ 0x23u)
for ( j = 0LL; j <= 29; ++j )
{
	input_t1 = input[index]
	input_t1 = input[index + 2]
	PyNumber_Add(input_t1, input_t2)
	Pyx_PyInt_AndObjC(index, num_0xFF, 0xFFLL, 0LL, 0LL)
	_Pyx_PyInt_XorObjC(input_t2, num_0x54, 0x54LL, 0LL, 0LL)
}

0x02 Get Flag

那么调试拿到enc直接用Z3就出了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
from z3 import *

enc = [0xd3,0xc7,0xce,0xca,0x3f,0x84,0xdb,0xb3,0xb6,0xb9,0x80,0xea,0xd0,0xcd,0x72,0xfc,0xd8,0x30,0x95,0xdb,0xe2,0xd8,0x92,0x08,0xc1,0xc6,0xc5,0xf4,0x07,0xec,0x02,0x5e]
enc1 = [0x76,0x7c,0x72,0x78,0x7e,0x64,0x72,0x78,0x76,0x7c,0x72,0x78,0x7e,0x64,0x72,0x78,0x76,0x7c,0x72,0x78,0x7e,0x64,0x72,0x78,0x76,0x7c,0x72,0x78,0x7e,0x64,0x14,0x1b]
input = [BitVec("input%d" % i, 8) for i in range(32)]
sol = Solver()
in1 = [0] * 32
for i in range(32):
  in1[i] = input[i] ^ 0x23

for i in range(30):
  in1[i] = ((in1[i] + in1[i + 2]) & 0xFF) ^ 0x54

for i in range(32):
  sol.add(enc[i] == in1[i])

while sat == sol.check():
  ans = sol.model()
  for i in range(32):
    print(chr(ans[input[i]].as_long()), end = "")
  sol.add(Or([input[i] != ans[input[i]] for i in range(32)]) )
# flag{y0U_RE_Ma5t3r_0f_R3vocery!}

D3SYSCALL

0x00 Routine Check Shell

无壳64位

image-20230509215337325

0x01 VM

这题VM也比较特别,是利用内核模块动态修改了系统调用实现的VM,这题由syscall所进行的VM进行过程

64位下的syscall是通过不同的rax的值进行不同的系统调用

简单来说这题就是注册了几个自己的操作,不同操作由不同的eax代表,随后syscall到相应操作进行VM操作

那么出题人师傅在官解里解释的很详细了

https://github.com/4nsw3r123/d3syscall

image-20230509220149303

有了这个概念,那么现在从逆向的角度去看待这题

_init_array

首先我们可以在这个区域看到运行于主函数之前的函数

随后直接调试可以看到在tmp目录起了个my_module,随后去 kallsyms(符号表,它包含了内核中所有的符号信息) 获取sys_call_table(系统调用表) ,随后将sys_call_module传入my_module

image-20230509220405492

main

那么在看my_module前先看下main函数

image-20230509221904418

sub_55B9EFF733F5

进到该函数可以发现清一色的syscall

image-20230509222117872

那么至此我们了解了主程序在 init 起了个 my_module 注册了自己的系统调用,随后程序syscall到自己注册的系统调用进行加密,那么事情就很简单了,只要我们搞懂每次的调用所对应的操作就能解出本题

my_module

该文件直接动调取出,IDA打开看到 init_module 函数,主要就是解析这几个函数,也就是syscall所对应的操作

1
2
3
4
5
6
*(sys_table + 2680) = mov;                    // v4[0x14F]
v4[0x150] = ALU;
v4[0x151] = push;
v4[0x152] = pop;
v4[0x153] = reset;
v4[0x154] = check;

拿 mov 举例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
__int64 __fastcall mov(_QWORD *a1)
{
  __int64 rdi0; // rax
  unsigned __int64 rdx0; // r12
  unsigned __int64 rsi0; // rbx

  _fentry__(a1);
  rdi0 = a1[14];                                // 我是通过传参顺序命名好所传入的变量
  rdx0 = a1[12];
  rsi0 = a1[13];
  if ( rdi0 )
  {
    if ( rdi0 == 1 )
    {
      if ( rsi0 > 3 )
        _ubsan_handle_out_of_bounds(&off_1800, a1[13]);// 像这种 out 就是越界了而程序正常执行是不会发生的
      tmp_reg[rsi0] = rdx0;                     // 我们只需要关注实际操作,如这条
    }
  }
  else
  {
    if ( rdx0 > 3 )
      _ubsan_handle_out_of_bounds(&off_1840, a1[12]);
    if ( rsi0 > 3 )
      _ubsan_handle_out_of_bounds(&off_1820, rsi0);
    tmp_reg[rsi0] = tmp_reg[rdx0];
  }
  if ( rsi0 > 3 )
    _ubsan_handle_out_of_bounds(&off_17E0, rsi0);
  return tmp_reg[rsi0];
}

写出对应的代码

1
2
3
4
5
def mov(rdx, rsi, rdi):
    if rdi == 1:
        print('tmp_reg[%x] = %x' %(rsi, rdx))
    else:
        print('tmp_reg[%x] = tmp_reg[%x]' %(rsi, rdx))

那么到这一步,我们只需要逐个翻译每个 rax 所对应的操作,再从主程序取得所有参数就能将程序所有的操作打印出来

那么出题人还提供了个很方便的思路就是 strace 可以打印出所有的syscall,这样可以快速拿到所有参数

image-20230509223159507

0x02 Get Flag

那么翻译出整个流程直接通过Z3或者逆向直接解密即可

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
def mov(rdx, rsi, rdi):
    if rdi == 1:
        print('tmp_reg[%x] = %x' %(rsi, rdx))
    else:
        print('tmp_reg[%x] = tmp_reg[%x]' %(rsi, rdx))


def alu(rdx, rsi, rdi):
    if rdi == 3:
        print('tmp_reg[%x] = tmp_reg[%x] ^ tmp_reg[%x]' % (rsi, rdx, rsi))
    elif rdi == 4:
        print('tmp_reg[%x] = tmp_reg[%x] << tmp_reg[%x]' % (rsi, rsi, rdx))
    elif rdi == 5:
        print('tmp_reg[%x] = tmp_reg[%x] >> tmp_reg[%x]' % (rsi, rsi, rdx))
    elif rdi == 1:
        print('tmp_reg[%x] = tmp_reg[%x] - tmp_reg[%x]' % (rsi, rsi, rdx))
    elif rdi == 2:
        print('tmp_reg[%x] = tmp_reg[%x] * tmp_reg[%x]' % (rsi, rdx, rsi))
    else:
        print('tmp_reg[%x] = tmp_reg[%x] + tmp_reg[%x]' % (rsi, rdx, rsi))


def push(rsi, rdi):
    if rdi == 1:
        print('mem[tmp_reg[5] + 1] = %x' % (rsi))
    else:
        print('mem[tmp_reg[5] + 1] = tmp_reg[%x]' % (rsi))


def pop(rsi):
    print('tmp_reg[5] = tmp_reg[5] - 1')
    print('tmp_reg[%x] = mem[tmp_reg[5]]' % (rsi))


def reset():
    print('init_reg[0] = 0')
    print('init_reg[1] = 0')
    print('init_reg[2] = 0')
    print('init_reg[3] = 0')


def check():
    print('check mem == enc')


def syscall(op):
    if op[0] == 0x14F:
        mov(op[3], op[2], op[1])
    elif op[0] == 0x150:
        alu(op[3], op[2], op[1])
    elif op[0] == 0x151:
        push(op[2], op[1])
    elif op[0] == 0x152:
        pop(op[2])
    elif op[0] == 0x153:
        reset()
    elif op[0] == 0x154:
        check()



opcode = [[0x14f, 0x1, 0, 0x3837363534333231],
[0x14f, 0x1, 0x1, 0x3837363534333231],
[0x151, 0, 0x1, 0x3837363534333231],
[0x14f, 0, 0x2, 0],
[0x14f, 0x1, 0x1, 0x3],
[0x150, 0x4, 0x2, 0x1],
[0x14f, 0x1, 0x1, 0x51e7647e],
[0x150, 0, 0x2, 0x1],
[0x14f, 0, 0x3, 0],
[0x14f, 0x1, 0x1, 0x3],
[0x150, 0x2, 0x3, 0x1],
[0x14f, 0x1, 0x1, 0xe0b4140a],
[0x150, 0, 0x3, 0x1],
[0x150, 0x3, 0x2, 0x3],
[0x14f, 0, 0x3, 0],
[0x14f, 0x1, 0x1, 0xe6978f27],
[0x150, 0, 0x3, 0x1],
[0x150, 0x3, 0x2, 0x3],
[0x152, 0x1, 0x2, 0x3],
[0x150, 0, 0x1, 0x2],
[0x151, 0, 0x1, 0x2],
[0x151, 0, 0, 0x2],
[0x14f, 0, 0x2, 0x1],
[0x14f, 0x1, 0, 0x6],
[0x150, 0x4, 0x2, 0],
[0x14f, 0x1, 0, 0x53a35337],
[0x150, 0, 0x2, 0],
[0x14f, 0, 0x3, 0x1],
[0x14f, 0x1, 0, 0x5],
[0x150, 0x2, 0x3, 0],
[0x14f, 0x1, 0, 0x9840294d],
[0x150, 0, 0x3, 0],
[0x150, 0x3, 0x2, 0x3],
[0x14f, 0, 0x3, 0x1],
[0x14f, 0x1, 0, 0x5eae4751],
[0x150, 0x1, 0x3, 0],
[0x150, 0x3, 0x2, 0x3],
[0x152, 0, 0x2, 0x3],
[0x150, 0, 0, 0x2],
[0x151, 0, 0, 0x2],
[0x153, 0, 0, 0x2],
[0x14f, 0x1, 0, 0x3837363534333231],
[0x14f, 0x1, 0x1, 0x3837363534333231],
[0x151, 0, 0x1, 0x3837363534333231],
[0x14f, 0, 0x2, 0],
[0x14f, 0x1, 0x1, 0x3],
[0x150, 0x4, 0x2, 0x1],
[0x14f, 0x1, 0x1, 0x51e7647e],
[0x150, 0, 0x2, 0x1],
[0x14f, 0, 0x3, 0],
[0x14f, 0x1, 0x1, 0x3],
[0x150, 0x2, 0x3, 0x1],
[0x14f, 0x1, 0x1, 0xe0b4140a],
[0x150, 0, 0x3, 0x1],
[0x150, 0x3, 0x2, 0x3],
[0x14f, 0, 0x3, 0],
[0x14f, 0x1, 0x1, 0xe6978f27],
[0x150, 0, 0x3, 0x1],
[0x150, 0x3, 0x2, 0x3],
[0x152, 0x1, 0x2, 0x3],
[0x150, 0, 0x1, 0x2],
[0x151, 0, 0x1, 0x2],
[0x151, 0, 0, 0x2],
[0x14f, 0, 0x2, 0x1],
[0x14f, 0x1, 0, 0x6],
[0x150, 0x4, 0x2, 0],
[0x14f, 0x1, 0, 0x53a35337],
[0x150, 0, 0x2, 0],
[0x14f, 0, 0x3, 0x1],
[0x14f, 0x1, 0, 0x5],
[0x150, 0x2, 0x3, 0],
[0x14f, 0x1, 0, 0x9840294d],
[0x150, 0, 0x3, 0],
[0x150, 0x3, 0x2, 0x3],
[0x14f, 0, 0x3, 0x1],
[0x14f, 0x1, 0, 0x5eae4751],
[0x150, 0x1, 0x3, 0],
[0x150, 0x3, 0x2, 0x3],
[0x152, 0, 0x2, 0x3],
[0x150, 0, 0, 0x2],
[0x151, 0, 0, 0x2],
[0x153, 0, 0, 0x2],
[0x14f, 0x1, 0, 0x34333231],
[0x14f, 0x1, 0x1, 0],
[0x151, 0, 0x1, 0],
[0x14f, 0, 0x2, 0],
[0x14f, 0x1, 0x1, 0x3],
[0x150, 0x4, 0x2, 0x1],
[0x14f, 0x1, 0x1, 0x51e7647e],
[0x150, 0, 0x2, 0x1],
[0x14f, 0, 0x3, 0],
[0x14f, 0x1, 0x1, 0x3],
[0x150, 0x2, 0x3, 0x1],
[0x14f, 0x1, 0x1, 0xe0b4140a],
[0x150, 0, 0x3, 0x1],
[0x150, 0x3, 0x2, 0x3],
[0x14f, 0, 0x3, 0],
[0x14f, 0x1, 0x1, 0xe6978f27],
[0x150, 0, 0x3, 0x1],
[0x150, 0x3, 0x2, 0x3],
[0x152, 0x1, 0x2, 0x3],
[0x150, 0, 0x1, 0x2],
[0x151, 0, 0x1, 0x2],
[0x151, 0, 0, 0x2],
[0x14f, 0, 0x2, 0x1],
[0x14f, 0x1, 0, 0x6],
[0x150, 0x4, 0x2, 0],
[0x14f, 0x1, 0, 0x53a35337],
[0x150, 0, 0x2, 0],
[0x14f, 0, 0x3, 0x1],
[0x14f, 0x1, 0, 0x5],
[0x150, 0x2, 0x3, 0],
[0x14f, 0x1, 0, 0x9840294d],
[0x150, 0, 0x3, 0],
[0x150, 0x3, 0x2, 0x3],
[0x14f, 0, 0x3, 0x1],
[0x14f, 0x1, 0, 0x5eae4751],
[0x150, 0x1, 0x3, 0],
[0x150, 0x3, 0x2, 0x3],
[0x152, 0, 0x2, 0x3],
[0x150, 0, 0, 0x2],
[0x151, 0, 0, 0x2],
[0x153, 0, 0, 0x2],
[0x154, 0, 0, 0x2]]

for op in opcode:
    syscall(op)

def encrypt(p1, p2, cnt):
    enc = [0xB0800699CB89CC89, 0x4764FD523FA00B19, 0x396A7E6DF099D700, 0xB115D56BCDEAF50A, 0x2521513C985791F4, 0xB03C06AF93AD0BE]
    p2 += ((p1 << 3) + 0x51e7647e) ^ (p1 * 3 + 0xe0b4140a) ^ (p1 + 0xe6978f27)
    p1 += ((p2 << 6) + 0x53a35337) ^ (5 * p2 + 0x9840294d) ^ (p2 - 0x5eae4751)
    sol.add(p1 == enc[cnt + 1])
    sol.add(p2 == enc[cnt])


from z3 import *

input = [BitVec('input%d' % i, 64) for i in range(6)]
sol = Solver()
for i in range(0, 6, 2):
    encrypt(input[i], input[i + 1], i)
assert sat == sol.check()
ans = sol.model()
for i in range(6):
    print(int.to_bytes(ans[input[i]].as_long(), 8, 'little').decode(),end='')
# d3ctf{cef9b994-2547-4844-ac0d-a097b75806a0}

D3Tetris

To be continue…

Reference

官方题解搜Q群:532023069

http://lu1u.bxsteam.tk/2023/05/02/d3ctf-re/#d3Hell

https://mp.weixin.qq.com/s?__biz=Mzg4MjcxMTAwMQ==&mid=2247486967&idx=1&sn=ad55ddd11c6bfa17843270625f5f92fc&chksm=cf53cd41f8244457c2db68626c91f2e4564d756b903222f3a913e89f211d475418864c5041bc&mpshare=1&scene=23&srcid=0501bEUrW8ydbpm175TL5FFn&sharer_sharetime=1682949687637&sharer_shareid=6eea79ff6da57fc6752ab0bc570bf392#rd

让我看看我被读了 ... 次呢🎉

DASCTF X SU
🍬
HFCTF2022
🍪

About this Post

This post is written by P.Z, licensed under CC BY-NC 4.0.