hgame 2022 逆向 reverse 部分题目 Writeup

已于 2022-02-24 16:33:08 修改
阅读量2.9k 收藏 4
点赞数 1
分类专栏: ctf 文章标签: ctf hgame hgame2022 逆向 writeup
于 2022-02-18 17:21:49 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/wdearzh/article/details/123007505
版权

文章目录


由于csdn字数限制,有些代码贴不出来。。。

Level - Week1

easyasm

ida分析:

分析汇编得到逻辑如下:

for  si  in range(28):
	 a=si < 4
	 b = si >4
	 c = a+b
	 c ^ 0x17

exp:

r=[0x91,0x61,0x01,0xC1,0x41,0xA0,0x60,0x41,0xD1,0x21,0x14,0xC1,0x41,0xE2,0x50,0xE1,0xE2,0x54,0x20,0xC1,0xE2,0x60,0x14,0x30,0xD1,0x51,0xC0,0x17]
for i in range(28):
	a=r[i] ^ 0x17
	r[i] = (((a&0xf)<<4)|(a>>4))
print(r)
print( bytes(r))
#b'hgame{welc0me_to_4sm_w0rld}\x00'

creakme

魔改的tea算法,对照着tea算法修改一下即可。

exp:

from ctypes import *

def encrypt(v, k):
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    summ = c_uint32(0)
    delta = 0x12345678
    k0, k1, k2, k3 = c_uint32(k[2]), c_uint32(k[3]), c_uint32(k[0]), c_uint32(k[1])
    w = [0,0]
    for i in range(32):
        summ.value += delta
        v0.value += summ.value^ ((v1.value << 4) + k0.value) ^ (v1.value + summ.value) ^ ((v1.value >> 5) + k1.value)
        v1.value += summ.value^ ((v0.value << 4) + k2.value) ^ (v0.value + summ.value) ^ ((v0.value >> 5) + k3.value)
    w[0], w[1] = v0, v1
    print("summ.value",summ.value)
    return w
def decrypt(v, k):
    v0 = c_uint32(v[0])
    v1 = c_uint32(v[1])
    summ = c_uint32(1183502080)
    delta = 0x12345678
    k0, k1, k2, k3 = c_uint32(k[2]), c_uint32(k[3]), c_uint32(k[0]), c_uint32(k[1])
    w = [0,0]
    for i in range(32):
        v1.value -= summ.value^ ((v0.value << 4) + k2.value) ^ (v0.value + summ.value) ^ ((v0.value >> 5) + k3.value)
        v0.value -= summ.value^ ((v1.value << 4) + k0.value) ^ (v1.value + summ.value) ^ ((v1.value >> 5) + k1.value)
        summ.value -= delta
    w[0] = v0.value
    w[1] = v1.value
    return w

def u32(bytes_n):
    #b'11223344' -> 0x11223344 
    n = 0
    n += bytes_n[0]
    n += bytes_n[1]<<8
    n += bytes_n[2]<<16
    n += bytes_n[3]<<24     
    return n

def p32(int_n):
    #0x11223344 -> b'11223344' 
    n = int_n.to_bytes(4,'little') 
    return n

def pack_teadata(data):# 将bytes数据转换为 整型数组
    pack=[]
    for i in range(len(data)//4):
        pack.append(u32(data[i*4:i*4+4]))
    return pack

def upack_teadata(data):#将整型数组转换为bytes
    bytes_data = b''
    for i in range(len(data)):        
        bytes_data+=(p32(data[i]&0xffffffff))
    return bytes_data

key = [ 1145258561, 1212630597, 1280002633, 1347374669 ]
cipher_int=[1222194312, 51123276, 1391163586, 3986482669, 2921328102, 3126465133, 3482485930, 1709241059]
############ 解密
plain_int=[]
for i in range(len(cipher_int)//2):
    tmp = decrypt(cipher_int[i*2:i*2 +2],key)
    plain_int.append(tmp[0])
    plain_int.append(tmp[1])

plain_dec = upack_teadata(plain_int)
print(plain_dec)
#b'hgame{H4ppy_v4c4ti0n!}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

Flag Checker

jadx分析:

public void onClick(View view) {
                byte[] bArr = new byte[0];
                try {
                    bArr = MainActivity.encrypt(((EditText) MainActivity.this.findViewById(R.id.editTextTextPersonName)).getText().toString(), "carol");
                } catch (Exception e) {
                    e.printStackTrace();
                }
                if (Base64.encodeToString(bArr, 0).replace("\n", "").equals("mg6CITV6GEaFDTYnObFmENOAVjKcQmGncF90WhqvCFyhhsyqq1s=")) {
                    Toast.makeText(MainActivity.this, "Congratulations!!!", 1).show();
                } else {
                    Toast.makeText(MainActivity.this, "Fail,try again.", 1).show();
                }
            }

 public static byte[] encrypt(String str, String str2) throws Exception {
        SecretKeySpec secretKeySpec = new SecretKeySpec(str2.getBytes(), 0, str2.length(), "RC4");
        Cipher instance = Cipher.getInstance("RC4");
        instance.init(1, secretKeySpec);
        return instance.doFinal(str.getBytes());
 }

得知为rc4算法。

密钥为:

密文:mg6CITV6GEaFDTYnObFmENOAVjKcQmGncF90WhqvCFyhhsyqq1s=

使用工具解密:hgame{weLC0ME_To-tHE_WORLD_oF-AnDr0|D}

猫头鹰是不是猫

ida分析得知算法过程为


cat=[16, 16, 16, 16, 15, 15, 。。。。。]
owl=[15, 14, 14, 13, 13, 14, 。。。。。]
a=[104, 。。。。。。]
r=[]
for k in range(64):
	v3=0
	for m in range(64):
		v3 += a[m]*cat[64*m + k]
	r.append(v3)

rr=[]
for k in range(64):
	v3=0
	for m in range(64):
		v3 += r[m]*owl[64*m + k]
	rr.append(v3)
print(rr)

分两步 每一步都需要解64元方程:

enc[0] = r[0]*owl[0] + r[1]*owl[64] + r[2]*owl[128] + r[3]*owl[192] +...+ + r[63]*owl[4033]
enc[1] = r[0]*owl[1] + r[1]*owl[65] + r[2]*owl[129] + r[3]*owl[193] +...+ + r[63]*owl[4034]
。。。。。。

可以使用z3来解,分两步:

cat=[16, 16, 16, 16, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 18, 19, 17, 17, 17, 17, 16, 15, 18, 20, 20, 18, 16, 19, 19, 18, 20, 20, 19, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 18, 17, 17, 17, 17, 17, 17, 18, 16, 16, 16, 16, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 15, 15, 16, 15, 14, 13, 11, 11, 13, 13, 15, 17, 18, 12, 12, 14, 12, 16, 17, 14, 14, 18, 17, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 18, 16, 16, 16, 16, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 14, 14, 13, 9, 10, 11, 10, 11, 17, 9, 11, 13, 15, 10, 9, 9, 10, 13, 15, 13, 17, 17, 19, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 18, 16, 16, 16, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 14, 14, 13, 14, 13, 15, 20, 16, 14, 14, 18, 16, 9, 14, 14, 11, 11, 7, 7, 10, 12, 15, 18, 20, 19, 18, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 18, 16, 16, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 17, 15, 13, 13, 13, 16, 14, 17, 18, 16, 14, 17, 14, 17, 12, 10, 14, 14, 10, 11, 7, 8, 12, 17, 21, 20, 21, 21, 17, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 16, 16, 15, 15, 15, 15, 15, 15, 15, 15, 15, 18, 17, 13, 12, 9, 9, 8, 7, 13, 17, 18, 15, 14, 15, 17, 15, 10, 13, 12, 9, 10, 9, 12, 14, 17, 20, 20, 21, 20, 17, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 16, 15, 15, 15, 15, 15, 15, 15, 15, 16, 19, 19, 17, 12, 11, 10, 11, 7, 7, 7, 9, 14, 15, 11, 9, 14, 17, 13, 10, 13, 12, 12, 15, 17, 15, 16, 17, 18, 18, 18, 18, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 16, 15, 15, 15, 15, 15, 15, 15, 15, 16, 19, 16, 16, 11, 7, 15, 13, 11, 9, 7, 7, 8, 8, 8, 9, 10, 13, 17, 15, 15, 13, 16, 19, 17, 14, 15, 15, 16, 14, 16, 17, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 16, 15, 15, 15, 15, 15, 15, 15, 15, 17, 19, 16, 14, 9, 8, 7, 6, 11, 11, 10, 6, 4, 1, 2, 2, 2, 7, 14, 17, 16, 15, 16, 19, 17, 9, 5, 9, 13, 13, 18, 20, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 14, 11, 11, 9, 7, 8, 8, 7, 9, 11, 6, 2, 5, 8, 9, 6, 1, 8, 14, 17, 15, 14, 18, 8, 8, 10, 5, 11, 14, 17, 20, 17, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 17, 15, 15, 15, 15, 15, 15, 15, 15, 15, 14, 16, 12, 13, 8, 10, 9, 8, 9, 11, 9, 6, 6, 0, 3, 8, 5, 6, 4, 12, 17, 18, 17, 15, 7, 8, 7, 15, 14, 16, 18, 18, 18, 17, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 16, 16, 17, 17, 17, 15, 15, 15, 15, 15, 15, 15, 16, 16, 12, 14, 14, 13, 10, 9, 10, 10, 11, 11, 10, 4, 6, 0, 0, 0, 0, 9, 4, 10, 16, 19, 18, 12, 4, 0, 0, 9, 15, 17, 17, 18, 18, 17, 16, 16, 16, 16, 16, 16, 16, 18, 21, 21, 23, 19, 17, 17, 17, 17, 17, 16, 17, 17, 17, 15, 15, 15, 15, 15, 15, 15, 16, 14, 15, 16, 11, 9, 10, 10, 10, 10, 10, 12, 12, 6, 7, 0, 0, 0, 2, 10, 4, 12, 16, 16, 18, 17, 7, 0, 0, 10, 16, 18, 18, 21, 20, 18, 16, 16, 16, 16, 16, 16, 21, 20, 17, 16, 18, 19, 21, 17, 16, 16, 16, 16, 17, 16, 17, 15, 15, 15, 15, 15, 15, 15, 14, 16, 17, 15, 13, 11, 11, 11, 8, 9, 12, 14, 14, 12, 6, 7, 2, 4, 11, 6, 5, 13, 15, 17, 18, 18, 14, 6, 7, 13, 18, 17, 14, 16, 20, 16, 16, 16, 15, 16, 16, 18, 20, 16, 16, 16, 16, 16, 21, 16, 16, 16, 16, 16, 16, 16, 17, 15, 15, 15, 15, 15, 15, 15, 13, 15, 14, 13, 11, 10, 10, 10, 11, 9, 11, 13, 13, 15, 12, 6, 10, 10, 5, 9, 10, 13, 14, 12, 19, 17, 14, 12, 11, 14, 21, 18, 17, 18, 19, 18, 16, 15, 15, 16, 16, 20, 17, 16, 16, 16, 16, 16, 21, 16, 16, 16, 16, 16, 16, 16, 17, 15, 15, 15, 15, 15, 15, 16, 13, 12, 11, 10, 9, 10, 9, 10, 8, 7, 8, 11, 13, 15, 16, 14, 11, 11, 12, 10, 10, 12, 12, 10, 18, 16, 19, 16, 16, 17, 20, 17, 16, 14, 18, 18, 16, 15, 15, 15, 16, 22, 16, 16, 16, 16, 16, 16, 21, 16, 16, 16, 16, 16, 16, 16, 17, 15, 15, 15, 15, 15, 15, 16, 14, 10, 8, 8, 8, 8, 7, 10, 8, 5, 6, 7, 12, 16, 15, 15, 13, 11, 10, 5, 6, 10, 11, 7, 15, 15, 14, 11, 17, 17, 17, 17, 16, 16, 15, 16, 15, 15, 15, 15, 16, 21, 16, 16, 16, 16, 16, 16, 21, 16, 16, 16, 16, 16, 16, 16, 17, 15, 15, 15, 15, 15, 15, 15, 14, 9, 7, 7, 10, 9, 6, 10, 12, 6, 3, 7, 10, 13, 16, 10, 6, 6, 8, 6, 3, 2, 5, 3, 9, 15, 11, 7, 8, 13, 18, 14, 15, 16, 16, 16, 15, 15, 15, 15, 16, 21, 16, 16, 16, 16, 16, 17, 21, 16, 16, 16, 16, 16, 16, 16, 17, 15, 15, 15, 15, 15, 15, 16, 13, 9, 10, 11, 10, 8, 4, 8, 12, 9, 7, 6, 6, 12, 13, 7, 7, 7, 9, 9, 6, 4, 1, 1, 4, 13, 12, 9, 5, 5, 10, 13, 13, 16, 18, 16, 15, 15, 15, 15, 15, 17, 22, 20, 19, 19, 20, 22, 17, 16, 16, 16, 16, 16, 16, 16, 17, 15, 15, 15, 15, 15, 15, 16, 12, 10, 15, 13, 10, 10, 6, 3, 7, 12, 9, 5, 5, 11, 11, 9, 11, 13, 13, 10, 7, 5, 1, 1, 2, 14, 18, 17, 9, 6, 8, 10, 14, 15, 18, 16, 15, 15, 15, 15, 15, 15, 16, 17, 18, 18, 18, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 15, 15, 15, 15, 15, 15, 15, 12, 13, 13, 15, 10, 11, 9, 4, 7, 11, 10, 9, 5, 10, 11, 14, 13, 14, 13, 10, 9, 8, 7, 5, 3, 9, 15, 19, 20, 13, 9, 9, 10, 13, 19, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 15, 15, 15, 15, 15, 15, 15, 17, 17, 11, 14, 10, 10, 7, 6, 3, 6, 10, 12, 6, 7, 14, 13, 14, 12, 16, 14, 12, 8, 6, 5, 4, 6, 9, 17, 20, 20, 11, 6, 9, 12, 21, 16, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 15, 15, 15, 15, 15, 15, 15, 19, 17, 9, 11, 8, 6, 8, 9, 5, 5, 6, 8, 9, 11, 10, 13, 11, 12, 13, 17, 15, 9, 6, 3, 4, 6, 16, 18, 19, 20, 15, 7, 8, 13, 19, 17, 16, 16, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 15, 15, 15, 15, 15, 15, 15, 18, 13, 11, 9, 7, 6, 9, 10, 10, 11, 14, 9, 9, 14, 10, 12, 8, 8, 13, 12, 15, 11, 6, 9, 7, 8, 17, 21, 21, 21, 16, 12, 15, 15, 18, 19, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 15, 15, 15, 15, 15, 15, 15, 14, 14, 14, 9, 6, 7, 10, 14, 12, 9, 11, 11, 13, 12, 8, 6, 7, 8, 12, 10, 9, 11, 14, 12, 8, 6, 10, 11, 11, 17, 19, 14, 14, 16, 18, 18, 18, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 15, 15, 15, 15, 15, 15, 14, 17, 14, 15, 11, 7, 6, 11, 10, 7, 4, 7, 10, 14, 14, 12, 8, 6, 3, 4, 3, 2, 6, 8, 5, 5, 2, 6, 6, 7, 13, 17, 14, 10, 13, 15, 15, 17, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 15, 14, 14, 14, 15, 15, 15, 16, 11, 14, 13, 10, 8, 5, 7, 5, 3, 4, 8, 14, 16, 9, 5, 7, 8, 8, 5, 2, 6, 8, 6, 5, 7, 10, 5, 5, 12, 12, 8, 8, 8, 13, 16, 17, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 15, 14, 14, 14, 14, 14, 15, 10, 8, 12, 11, 16, 7, 5, 3, 4, 2, 2, 5, 9, 13, 10, 3, 4, 10, 13, 10, 5, 6, 9, 6, 5, 12, 8, 5, 6, 12, 9, 6, 6, 5, 10, 15, 16, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 15, 14, 14, 14, 14, 14, 12, 8, 6, 8, 13, 15, 4, 4, 3, 2, 0, 1, 2, 4, 8, 8, 2, 3, 7, 13, 11, 10, 7, 9, 5, 9, 11, 6, 4, 10, 10, 8, 4, 7, 4, 9, 13, 16, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 16, 14, 14, 14, 14, 15, 12, 9, 6, 5, 7, 13, 12, 2, 2, 4, 1, 0, 0, 1, 4, 8, 7, 2, 3, 5, 7, 12, 15, 10, 9, 6, 10, 8, 3, 3, 12, 8, 4, 5, 8, 4, 7, 13, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 16, 16, 14, 14, 14, 14, 13, 10, 6, 5, 6, 7, 15, 8, 1, 2, 4, 2, 2, 1, 1, 4, 5, 5, 5, 8, 5, 5, 12, 16, 11, 12, 11, 10, 7, 5, 5, 11, 5, 5, 5, 9, 8, 11, 11, 15, 15, 14, 15, 16, 21, 16, 15, 15, 15, 15, 15, 15, 15, 20, 15, 15, 15, 15, 15, 16, 14, 14, 14, 15, 11, 8, 5, 6, 6, 9, 15, 4, 2, 5, 4, 1, 5, 3, 1, 5, 4, 4, 7, 8, 6, 7, 11, 16, 13, 15, 12, 9, 7, 8, 11, 8, 7, 7, 5, 9, 12, 12, 10, 18, 15, 14, 15, 21, 15, 15, 15, 15, 15, 15, 15, 15, 15, 21, 15, 15, 15, 15, 15, 16, 14, 14, 14, 13, 8, 7, 5, 5, 8, 14, 11, 5, 11, 9, 2, 4, 7, 3, 2, 4, 2, 3, 6, 8, 7, 8, 11, 12, 16, 16, 13, 11, 8, 9, 12, 10, 7, 12, 4, 9, 16, 10, 8, 18, 15, 14, 18, 18, 15, 15, 15, 15, 15, 15, 15, 15, 15, 21, 16, 15, 15, 15, 15, 16, 14, 14, 14, 9, 7, 5, 4, 7, 15, 15, 8, 12, 13, 3, 2, 5, 7, 2, 4, 6, 2, 2, 5, 9, 11, 11, 12, 13, 14, 17, 16, 12, 11, 12, 13, 10, 9, 15, 3, 7, 16, 13, 8, 17, 16, 15, 22, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 21, 16, 15, 15, 15, 15, 16, 14, 14, 11, 9, 4, 3, 9, 14, 11, 8, 6, 14, 8, 2, 2, 6, 4, 2, 6, 7, 3, 4, 4, 9, 13, 13, 13, 12, 12, 16, 17, 11, 13, 14, 12, 11, 9, 15, 3, 4, 12, 17, 9, 15, 17, 17, 19, 14, 15, 15, 15, 19, 15, 15, 15, 15, 15, 21, 16, 15, 15, 15, 15, 16, 14, 14, 10, 11, 4, 2, 12, 7, 14, 4, 6, 14, 12, 4, 1, 4, 3, 4, 5, 7, 5, 6, 3, 6, 12, 12, 11, 10, 12, 12, 17, 11, 14, 16, 8, 9, 10, 17, 7, 5, 7, 17, 10, 16, 18, 18, 18, 14, 14, 15, 15, 24, 17, 15, 15, 15, 15, 21, 15, 15, 15, 15, 15, 16, 14, 13, 12, 7, 5, 5, 7, 10, 14, 5, 5, 10, 14, 3, 1, 4, 6, 4, 2, 8, 8, 7, 2, 5, 8, 10, 10, 9, 12, 10, 16, 11, 13, 13, 6, 7, 10, 17, 14, 7, 5, 13, 9, 16, 18, 15, 22, 18, 16, 17, 19, 21, 20, 15, 15, 15, 15, 22, 15, 15, 15, 15, 15, 16, 14, 13, 15, 5, 1, 7, 5, 10, 7, 6, 6, 13, 10, 1, 1, 6, 8, 3, 2, 8, 9, 8, 3, 3, 7, 9, 8, 8, 10, 9, 12, 12, 10, 10, 5, 5, 8, 15, 18, 5, 8, 11, 11, 17, 16, 14, 15, 18, 19, 19, 18, 15, 20, 21, 19, 20, 22, 18, 15, 15, 15, 15, 15, 16, 14, 13, 12, 4, 9, 2, 5, 9, 9, 6, 8, 10, 8, 2, 5, 7, 6, 1, 2, 6, 7, 9, 5, 1, 5, 9, 5, 4, 8, 9, 15, 10, 7, 5, 3, 4, 6, 13, 16, 9, 11, 15, 15, 19, 16, 14, 14, 14, 14, 14, 15, 15, 15, 16, 17, 17, 15, 15, 15, 15, 15, 15, 15, 15, 14, 13, 10, 5, 9, 3, 5, 8, 13, 9, 11, 11, 10, 6, 5, 6, 4, 2, 3, 4, 4, 10, 8, 1, 3, 10, 7, 3, 8, 10, 10, 10, 3, 3, 4, 3, 7, 11, 13, 10, 14, 15, 19, 18, 16, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 16, 13, 13, 14, 12, 12, 5, 6, 13, 14, 11, 11, 10, 8, 4, 5, 4, 3, 2, 6, 3, 1, 8, 11, 3, 2, 7, 9, 6, 8, 12, 8, 9, 2, 5, 5, 3, 9, 9, 11, 12, 16, 15, 18, 16, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 13, 13, 16, 17, 11, 7, 10, 15, 13, 11, 8, 7, 9, 6, 4, 6, 3, 2, 7, 7, 1, 4, 11, 6, 1, 3, 8, 8, 8, 10, 8, 3, 2, 4, 7, 6, 10, 5, 10, 16, 21, 20, 17, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 13, 13, 17, 18, 16, 11, 18, 18, 16, 13, 9, 7, 7, 2, 5, 7, 4, 2, 5, 10, 7, 1, 10, 9, 2, 1, 5, 8, 8, 10, 7, 2, 2, 4, 9, 6, 9, 6, 9, 18, 23, 21, 14, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 13, 13, 17, 18, 16, 14, 22, 19, 16, 10, 8, 8, 4, 2, 5, 7, 7, 4, 3, 9, 13, 10, 6, 11, 5, 0, 3, 8, 10, 10, 4, 1, 1, 6, 5, 6, 9, 11, 10, 17, 22, 17, 13, 13, 13, 13, 14, 14, 14, 14, 20, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 13, 13, 18, 19, 17, 14, 19, 12, 12, 10, 10, 6, 4, 4, 7, 8, 8, 5, 2, 8, 11, 11, 9, 12, 9, 3, 3, 8, 10, 6, 3, 1, 3, 5, 2, 8, 11, 10, 13, 14, 18, 15, 13, 13, 13, 13, 13, 14, 14, 14, 20, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 13, 13, 16, 19, 18, 16, 17, 9, 11, 11, 9, 6, 7, 7, 8, 8, 6, 5, 1, 5, 10, 10, 8, 6, 7, 5, 4, 8, 7, 2, 3, 3, 3, 3, 4, 7, 10, 10, 13, 13, 14, 13, 13, 13, 13, 13, 13, 13, 14, 17, 18, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15, 15, 13, 13, 15, 20, 19, 15, 18, 11, 12, 10, 9, 4, 7, 6, 7, 7, 6, 4, 2, 3, 7, 10, 10, 7, 7, 4, 7, 7, 3, 3, 3, 3, 3, 5, 6, 9, 9, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 19, 15, 14, 14, 14, 14, 15, 14, 15, 15, 15, 15, 15, 15, 15, 13, 13, 13, 19, 20, 14, 17, 14, 13, 11, 10, 4, 7, 4, 6, 6, 7, 5, 3, 4, 5, 8, 10, 10, 5, 1, 5, 2, 1, 3, 4, 2, 4, 7, 9, 8, 13, 14, 13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 13, 21, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 13, 13, 13, 14, 15, 13, 17, 17, 13, 13, 10, 3, 6, 5, 7, 6, 5, 4, 4, 3, 5, 5, 7, 10, 9, 5, 4, 3, 4, 3, 1, 3, 8, 13, 9, 8, 15, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 15, 21, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 14, 14, 14, 15, 13, 13, 13, 13, 13, 13, 14, 18, 12, 8, 9, 3, 6, 6, 8, 8, 5, 2, 3, 2, 2, 6, 8, 7, 6, 6, 5, 3, 1, 2, 3, 8, 13, 11, 7, 16, 14, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 17, 18, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 13, 13, 13, 13, 13, 13, 13, 16, 11, 5, 7, 5, 6, 6, 7, 7, 8, 3, 1, 4, 4, 4, 6, 9, 8, 6, 6, 4, 1, 3, 8, 10, 7, 8, 14, 14, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 19, 16, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 18, 13, 13, 12, 13, 13, 13, 13, 13, 12, 8, 7, 9, 6, 3, 4, 6, 8, 7, 2, 2, 7, 7, 7, 7, 7, 6, 5, 3, 0, 4, 6, 3, 6, 14, 14, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 21, 14, 14, 14, 16, 14, 14, 14, 14, 14, 14, 14, 14, 15, 19, 20, 13, 12, 13, 13, 13, 13, 13, 13, 12, 11, 10, 9, 10, 5, 1, 2, 3, 7, 5, 2, 3, 6, 6, 6, 6, 5, 3, 1, 2, 3, 3, 5, 9, 14, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 21, 14, 14, 14, 21, 14, 14, 14, 16, 18, 20, 18, 15, 18, 21, 21, 13, 13, 13, 13, 13, 13, 13, 13, 13, 12, 14, 14, 12, 10, 2, 3, 2, 2, 3, 4, 4, 4, 5, 5, 4, 3, 2, 2, 1, 1, 2, 6, 10, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 21, 14, 14, 16, 20, 16, 22, 23, 22, 23, 23, 24, 23, 20, 24, 22, 13, 12, 13, 12, 13, 13, 13, 13, 13, 13, 14, 14, 14, 11, 9, 8, 5, 4, 2, 4, 5, 7, 8, 9, 8, 8, 5, 3, 2, 2, 6, 4, 11, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 20, 15, 13, 21, 15, 14, 19, 22, 23, 23, 24, 24, 24, 24, 24, 21, 13, 12, 12, 13, 13, 12, 13, 13, 13, 13, 13, 15, 15, 14, 9, 7, 6, 2, 3, 7, 9, 10, 11, 11, 10, 10, 8, 4, 3, 2, 4, 5, 12, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 15, 20, 17, 19, 13, 15, 20, 21, 22, 22, 22, 19, 23, 24, 24, 24, 13, 13, 12, 13, 13, 12, 13, 13, 13, 13, 13, 13, 13, 13, 10, 6, 3, 2, 7, 8, 10, 11, 12, 12, 12, 13, 13, 5, 3, 2, 3, 8, 12, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 17, 20, 14, 13, 14, 18, 19, 20, 20, 21, 20, 20, 21, 22, 20, 13, 13, 12, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 10, 6, 6, 6, 10, 11, 11, 12, 13, 14, 15, 16, 16, 8, 6, 4, 5, 9, 11, 14, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 15, 14, 13, 14, 15, 14, 15, 15, 17, 18, 19, 19, 19, 19, 19, 20, 20, 19, 13, 12, 13, 13, 13, 12, 12, 13, 13, 13, 13, 13, 13, 14, 12, 9, 8, 10, 10, 12, 14, 14, 16, 18, 19, 19, 18, 13, 10, 10, 7, 9, 15, 19, 17, 14, 14, 13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 18, 17, 19, 19, 19, 19, 15, 16, 14, 13, 19, 18, 18, 18, 13, 16, 17, 13, 12, 13, 13, 13, 12, 13, 13, 13, 13, 13, 13, 13, 13, 18, 16, 12, 11, 16, 16, 17, 18, 20, 20, 22, 20, 18, 16, 13, 13, 12, 8, 9, 14, 19, 18, 17, 19, 18, 14, 13, 14, 15, 14, 14, 18, 17, 17, 17, 17, 17, 17, 16, 16, 13, 13, 13, 12, 14, 15, 16, 17, 17, 18, 12, 12, 12, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 21, 18, 13, 11, 17, 19, 20, 21, 20, 18, 19, 18, 14, 14, 13, 13, 13, 9, 7, 12, 18, 18, 16, 16, 19, 20, 17, 16, 16, 18, 17, 15, 14, 13, 12, 13, 14, 13, 12, 10, 10, 9, 12, 16, 16, 18, 19, 18, 18, 19, 12, 12, 12, 12, 13, 12, 12, 13, 13, 13, 13, 13, 13, 17, 21, 20, 16, 13, 14, 14, 16, 16, 16, 16, 14, 15, 13, 13, 13, 13, 13, 12, 7, 10, 14, 20, 13, 14, 16, 20, 20, 17, 16, 12, 14, 11, 14, 15, 10, 11, 13, 10, 8, 9, 9, 8, 14, 19, 19, 18, 18, 18, 18, 19, 12, 12, 12, 13, 12, 13, 13, 13, 13, 13, 13, 13, 15, 22, 22, 20, 15, 13, 13, 10, 9, 9, 10, 11, 11, 9, 10, 13, 12, 11, 10, 10, 9, 10, 9, 19, 17, 8, 8, 15, 21, 16, 11, 10, 10, 12, 10, 9, 8, 11, 8, 8, 6, 9, 13, 9, 9, 12, 16, 18, 17, 16, 18, 20, 13, 13, 13, 13, 13, 13, 13, 13, 13, 14, 15, 20, 22, 22, 22, 22, 16, 12, 8, 8, 6, 6, 8, 7, 7, 6, 7, 10, 8, 9, 8, 11, 9, 8, 6, 12, 16, 10, 6, 11, 15, 14, 10, 12, 11, 11, 11, 9, 7, 9, 8, 11, 10, 8, 7, 8, 9, 18, 20, 20, 19, 19, 17, 19]
owl=[15, 14, 14, 13, 13, 14, 14, 13, 12, 10, 13, 21, 17, 14, 11, 10, 11, 16, 17, 8, 8, 7, 10, 12, 13, 12, 16, 18, 9, 6, 7, 8, 7, 8, 9, 8, 9, 10, 12, 12, 14, 16, 16, 14, 9, 4, 3, 5, 6, 6, 6, 3, 4, 6, 6, 5, 5, 5, 5, 4, 5, 7, 5, 4, 15, 15, 14, 13, 13, 14, 14, 13, 12, 11, 21, 15, 15, 14, 11, 10, 8, 8, 10, 8, 8, 7, 9, 11, 11, 11, 19, 13, 12, 5, 6, 7, 7, 8, 9, 9, 10, 12, 15, 17, 17, 17, 16, 10, 4, 4, 5, 6, 7, 7, 6, 4, 5, 7, 6, 6, 5, 5, 4, 3, 5, 6, 4, 3, 15, 15, 14, 13, 13, 14, 14, 13, 12, 19, 15, 13, 15, 14, 12, 10, 8, 8, 9, 8, 8, 7, 9, 10, 9, 16, 14, 8, 17, 5, 6, 9, 16, 17, 17, 18, 18, 19, 21, 22, 22, 21, 19, 10, 4, 5, 6, 7, 9, 9, 6, 5, 8, 8, 6, 6, 5, 4, 4, 3, 3, 4, 3, 3, 15, 15, 14, 14, 13, 14, 14, 14, 14, 19, 12, 13, 14, 14, 13, 12, 10, 9, 9, 9, 8, 7, 9, 10, 12, 18, 10, 8, 18, 6, 6, 7, 7, 6, 7, 8, 9, 12, 15, 20, 14, 10, 5, 4, 5, 6, 7, 9, 10, 10, 7, 7, 9, 9, 7, 6, 6, 5, 6, 6, 6, 6, 5, 5, 15, 14, 14, 13, 13, 14, 14, 14, 15, 18, 11, 12, 13, 14, 14, 14, 12, 11, 11, 11, 10, 10, 11, 14, 23, 18, 18, 18, 20, 12, 7, 7, 7, 6, 6, 8, 10, 13, 14, 20, 11, 6, 4, 5, 6, 7, 9, 10, 11, 10, 7, 9, 11, 9, 7, 6, 6, 6, 7, 7, 7, 7, 7, 6, 15, 15, 14, 14, 13, 14, 15, 14, 12, 20, 8, 8, 11, 14, 14, 14, 13, 17, 22, 15, 12, 12, 14, 22, 14, 13, 12, 9, 8, 19, 7, 7, 7, 6, 6, 7, 9, 12, 13, 20, 10, 7, 6, 6, 8, 9, 10, 12, 12, 10, 9, 11, 11, 10, 8, 7, 7, 7, 7, 8, 7, 7, 7, 6, 15, 14, 14, 14, 13, 14, 15, 13, 7, 10, 16, 4, 5, 12, 15, 19, 22, 19, 13, 12, 12, 13, 22, 15, 13, 13, 12, 9, 7, 17, 11, 8, 7, 6, 5, 6, 9, 12, 13, 20, 11, 10, 8, 8, 9, 11, 11, 13, 12, 10, 11, 12, 11, 11, 9, 8, 7, 7, 8, 8, 8, 7, 7, 6, 14, 14, 14, 14, 13, 13, 14, 11, 3, 2, 9, 17, 18, 19, 19, 18, 13, 12, 12, 12, 12, 16, 18, 13, 13, 13, 11, 9, 8, 14, 13, 7, 8, 6, 5, 6, 9, 11, 12, 20, 12, 11, 10, 10, 11, 12, 12, 13, 12, 11, 12, 13, 12, 11, 10, 8, 8, 8, 8, 8, 8, 7, 7, 6, 14, 14, 14, 14, 13, 13, 14, 7, 2, 4, 4, 4, 4, 3, 3, 9, 10, 10, 11, 11, 12, 12, 12, 12, 12, 12, 11, 8, 7, 5, 4, 6, 7, 6, 5, 5, 8, 10, 11, 20, 13, 12, 11, 11, 12, 13, 13, 13, 13, 12, 13, 13, 13, 12, 10, 9, 8, 8, 8, 8, 8, 7, 7, 6, 15, 14, 14, 14, 13, 13, 13, 3, 4, 5, 5, 5, 4, 3, 3, 3, 7, 9, 11, 12, 13, 12, 13, 12, 12, 11, 9, 7, 5, 5, 5, 5, 4, 3, 3, 3, 3, 4, 7, 11, 11, 12, 12, 12, 13, 13, 14, 13, 13, 13, 13, 14, 13, 12, 11, 9, 8, 8, 8, 8, 8, 7, 6, 5, 15, 15, 14, 14, 13, 13, 11, 3, 5, 6, 6, 4, 4, 3, 3, 3, 3, 9, 13, 13, 13, 12, 10, 11, 9, 8, 7, 5, 4, 3, 3, 2, 2, 1, 1, 1, 1, 2, 2, 4, 7, 10, 11, 13, 14, 13, 14, 14, 13, 14, 14, 13, 13, 12, 11, 10, 9, 8, 8, 8, 8, 7, 6, 5, 15, 15, 14, 14, 13, 13, 9, 3, 5, 6, 5, 5, 4, 4, 3, 2, 2, 4, 11, 12, 10, 8, 7, 5, 4, 4, 4, 3, 3, 2, 2, 2, 1, 1, 1, 1, 1, 2, 2, 3, 4, 4, 5, 9, 13, 13, 14, 13, 14, 13, 13, 13, 13, 12, 11, 9, 9, 8, 8, 8, 8, 7, 5, 6, 15, 14, 14, 14, 13, 13, 7, 4, 6, 6, 5, 4, 4, 3, 3, 2, 2, 2, 4, 9, 9, 5, 3, 2, 2, 2, 2, 3, 3, 3, 2, 2, 1, 1, 1, 1, 1, 2, 2, 5, 5, 3, 2, 2, 6, 12, 13, 13, 13, 14, 14, 13, 12, 11, 9, 8, 7, 7, 7, 7, 8, 7, 5, 6, 15, 14, 14, 14, 13, 12, 4, 5, 7, 6, 5, 4, 4, 3, 3, 2, 2, 2, 3, 4, 4, 2, 2, 2, 2, 2, 1, 2, 3, 3, 3, 3, 2, 1, 1, 1, 2, 2, 4, 6, 6, 3, 2, 2, 2, 5, 9, 12, 14, 14, 12, 8, 6, 5, 5, 6, 7, 6, 6, 6, 7, 6, 5, 6, 15, 14, 14, 14, 13, 11, 4, 5, 7, 6, 5, 5, 4, 4, 3, 3, 3, 2, 2, 2, 2, 4, 7, 9, 10, 9, 7, 4, 2, 4, 4, 4, 4, 3, 2, 2, 2, 2, 4, 4, 4, 4, 4, 3, 3, 4, 5, 9, 12, 10, 4, 3, 4, 3, 3, 4, 6, 6, 7, 8, 7, 5, 4, 6, 15, 14, 14, 14, 13, 10, 3, 5, 7, 6, 5, 4, 4, 3, 3, 3, 3, 3, 2, 2, 7, 13, 13, 12, 13, 18, 14, 10, 5, 1, 4, 4, 4, 5, 5, 4, 3, 2, 4, 4, 3, 4, 5, 6, 5, 6, 6, 5, 6, 5, 4, 4, 5, 4, 4, 3, 5, 7, 8, 9, 6, 3, 2, 3, 14, 14, 14, 14, 13, 9, 4, 6, 7, 7, 5, 5, 4, 3, 3, 3, 3, 3, 2, 8, 16, 17, 15, 10, 7, 9, 15, 13, 11, 5, 2, 3, 6, 6, 7, 4, 2, 2, 3, 1, 0, 1, 4, 3, 5, 4, 5, 6, 4, 3, 4, 4, 4, 5, 4, 3, 5, 9, 10, 10, 6, 3, 2, 2, 14, 14, 14, 13, 13, 7, 4, 5, 7, 7, 6, 5, 4, 4, 4, 4, 3, 3, 6, 16, 18, 17, 6, 4, 2, 3, 3, 13, 14, 9, 3, 3, 3, 5, 4, 2, 2, 1, 1, 0, 0, 0, 3, 2, 4, 1, 1, 3, 2, 2, 4, 5, 6, 5, 5, 4, 4, 9, 10, 8, 5, 2, 2, 3, 14, 14, 14, 13, 13, 6, 6, 5, 7, 7, 7, 6, 5, 4, 4, 4, 4, 5, 9, 17, 19, 16, 5, 3, 2, 2, 2, 10, 13, 11, 4, 3, 3, 1, 2, 2, 1, 0, 0, 0, 0, 1, 3, 1, 3, 0, 1, 3, 6, 7, 5, 4, 4, 5, 5, 5, 4, 11, 10, 7, 4, 3, 3, 5, 14, 14, 13, 13, 13, 6, 6, 6, 6, 6, 6, 6, 5, 4, 3, 3, 3, 4, 6, 8, 12, 11, 6, 2, 2, 2, 2, 2, 4, 3, 1, 1, 2, 3, 2, 3, 2, 1, 1, 1, 2, 2, 2, 1, 2, 1, 0, 3, 12, 16, 15, 10, 6, 4, 5, 5, 4, 12, 12, 10, 8, 6, 6, 8, 14, 13, 13, 13, 12, 6, 6, 7, 6, 6, 6, 5, 4, 3, 3, 3, 3, 3, 4, 3, 2, 2, 2, 2, 2, 1, 1, 1, 1, 2, 2, 3, 3, 3, 2, 3, 2, 2, 2, 2, 3, 2, 2, 2, 2, 4, 1, 2, 6, 11, 17, 17, 11, 8, 5, 5, 4, 11, 13, 11, 11, 9, 8, 9, 14, 13, 13, 13, 12, 5, 4, 7, 6, 6, 5, 4, 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 2, 2, 3, 3, 2, 3, 3, 3, 3, 2, 1, 1, 2, 3, 3, 2, 3, 3, 3, 4, 4, 4, 4, 11, 16, 14, 8, 5, 4, 10, 11, 11, 12, 11, 9, 8, 13, 13, 13, 13, 10, 2, 3, 5, 6, 6, 4, 3, 2, 2, 2, 1, 1, 1, 2, 1, 1, 1, 1, 2, 1, 1, 1, 2, 2, 3, 2, 3, 3, 3, 3, 2, 1, 1, 1, 1, 1, 3, 3, 2, 3, 2, 3, 4, 5, 5, 4, 2, 14, 17, 14, 5, 4, 9, 10, 10, 11, 11, 9, 9, 12, 12, 12, 12, 10, 4, 3, 3, 5, 5, 3, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 3, 2, 2, 3, 5, 3, 2, 3, 2, 2, 2, 2, 2, 2, 3, 2, 2, 2, 1, 1, 2, 3, 5, 5, 5, 11, 19, 17, 6, 5, 11, 12, 11, 11, 11, 10, 10, 12, 12, 12, 12, 9, 5, 4, 2, 4, 4, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 2, 2, 2, 4, 3, 2, 2, 3, 2, 2, 2, 2, 3, 2, 2, 3, 1, 1, 2, 3, 3, 2, 3, 4, 5, 6, 8, 17, 19, 7, 5, 12, 12, 12, 11, 11, 11, 11, 11, 11, 11, 11, 9, 3, 3, 4, 3, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 2, 2, 2, 1, 0, 1, 2, 3, 4, 3, 3, 3, 4, 5, 5, 7, 12, 6, 5, 11, 11, 11, 11, 11, 11, 11, 12, 12, 13, 12, 9, 2, 2, 3, 3, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3, 2, 2, 2, 1, 1, 1, 1, 2, 2, 2, 3, 3, 2, 2, 1, 2, 2, 1, 1, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 3, 3, 5, 10, 11, 11, 11, 12, 12, 13, 13, 13, 14, 12, 3, 2, 2, 2, 1, 1, 1, 1, 1, 1, 0, 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 1, 1, 1, 1, 2, 2, 2, 2, 2, 4, 5, 8, 10, 11, 12, 8, 5, 3, 2, 2, 3, 2, 2, 3, 4, 4, 3, 2, 2, 2, 4, 11, 12, 12, 12, 13, 14, 14, 14, 14, 14, 13, 3, 2, 2, 1, 1, 1, 1, 2, 2, 2, 2, 1, 1, 0, 1, 1, 1, 2, 2, 2, 2, 1, 1, 1, 1, 1, 2, 2, 1, 3, 10, 13, 14, 14, 15, 15, 17, 16, 14, 12, 11, 8, 3, 2, 2, 2, 3, 3, 3, 2, 2, 2, 3, 10, 12, 12, 13, 13, 14, 14, 15, 15, 14, 13, 4, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 2, 2, 1, 1, 1, 1, 2, 2, 1, 1, 1, 1, 0, 1, 1, 1, 1, 2, 9, 12, 17, 18, 17, 16, 15, 17, 17, 16, 16, 15, 16, 15, 4, 2, 2, 2, 3, 3, 3, 2, 2, 3, 10, 13, 13, 13, 14, 15, 15, 15, 15, 15, 13, 4, 2, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 1, 2, 1, 1, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 2, 8, 12, 18, 19, 17, 15, 17, 18, 18, 18, 18, 17, 15, 4, 2, 2, 2, 2, 3, 2, 2, 2, 3, 10, 14, 14, 14, 14, 16, 15, 15, 15, 14, 11, 2, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 2, 9, 12, 14, 16, 14, 17, 16, 16, 17, 15, 13, 10, 1, 2, 1, 2, 2, 2, 3, 2, 1, 3, 11, 13, 13, 14, 15, 16, 15, 15, 15, 14, 7, 2, 2, 1, 1, 1, 1, 1, 0, 0, 0, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 0, 1, 3, 9, 11, 12, 13, 13, 12, 12, 12, 12, 10, 3, 2, 1, 1, 1, 1, 1, 2, 2, 2, 4, 13, 15, 14, 14, 15, 16, 15, 15, 15, 12, 4, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 2, 2, 6, 9, 11, 10, 11, 11, 10, 9, 4, 1, 2, 1, 1, 1, 1, 1, 2, 1, 2, 4, 12, 14, 15, 15, 16, 17, 16, 15, 16, 16, 3, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 0, 2, 1, 0, 0, 0, 0, 0, 0, 1, 2, 1, 2, 1, 2, 4, 6, 6, 5, 3, 1, 0, 1, 2, 1, 1, 1, 1, 1, 2, 2, 1, 4, 13, 14, 13, 15, 16, 16, 18, 19, 19, 18, 6, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 1, 2, 0, 0, 0, 0, 0, 0, 1, 2, 1, 2, 2, 2, 2, 2, 2, 2, 2, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 5, 14, 15, 15, 15, 15, 19, 19, 19, 19, 19, 12, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 2, 1, 0, 0, 0, 0, 1, 1, 2, 2, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 6, 12, 16, 16, 16, 16, 19, 19, 19, 19, 19, 16, 2, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1, 1, 1, 2, 1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 1, 2, 1, 1, 1, 1, 1, 2, 1, 2, 2, 1, 1, 2, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 8, 17, 15, 16, 18, 18, 19, 20, 20, 20, 20, 16, 3, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 2, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 2, 12, 18, 20, 18, 17, 20, 19, 20, 20, 20, 19, 17, 6, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 2, 12, 20, 20, 20, 20, 18, 19, 19, 20, 19, 19, 18, 10, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 2, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 2, 5, 16, 17, 20, 20, 21, 21, 18, 18, 18, 19, 19, 18, 12, 2, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 9, 18, 19, 18, 21, 20, 21, 13, 14, 15, 15, 17, 18, 15, 4, 1, 1, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 2, 14, 20, 19, 20, 19, 21, 20, 9, 12, 12, 9, 11, 16, 14, 6, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 3, 16, 21, 21, 19, 20, 18, 21, 10, 10, 10, 10, 12, 13, 13, 7, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 10, 17, 20, 21, 20, 19, 20, 19, 11, 12, 14, 14, 16, 17, 13, 8, 2, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 15, 20, 19, 20, 21, 20, 20, 20, 17, 18, 17, 19, 20, 19, 18, 12, 2, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 6, 19, 20, 19, 20, 20, 21, 20, 21, 19, 18, 20, 20, 20, 20, 19, 13, 3, 1, 2, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 15, 20, 21, 20, 19, 21, 21, 22, 20, 19, 19, 20, 20, 20, 19, 18, 14, 3, 2, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 5, 20, 21, 21, 21, 19, 21, 22, 22, 21, 20, 20, 20, 20, 19, 19, 18, 13, 3, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 9, 21, 21, 21, 21, 21, 19, 22, 22, 22, 20, 20, 20, 20, 19, 19, 17, 9, 2, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 14, 22, 22, 22, 22, 21, 20, 22, 22, 22, 19, 20, 20, 20, 20, 18, 13, 4, 1, 1, 1, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 5, 18, 22, 22, 22, 21, 21, 21, 20, 22, 22, 15, 16, 17, 17, 17, 14, 7, 2, 1, 1, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 12, 22, 24, 23, 22, 23, 23, 21, 20, 22, 22, 13, 12, 12, 11, 11, 8, 3, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 2, 21, 25, 25, 25, 25, 25, 25, 21, 20, 20, 21, 13, 12, 12, 10, 7, 3, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 1, 1, 5, 25, 25, 25, 25, 25, 25, 25, 21, 20, 17, 18, 12, 12, 11, 8, 5, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 25, 25, 25, 25, 25, 25, 24, 19, 20, 13, 12, 12, 11, 9, 5, 2, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 19, 25, 25, 25, 25, 25, 25, 23, 25, 25, 24, 15, 11, 9, 6, 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 10, 6, 3, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 7, 3, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 22, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 5, 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 3, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 2, 2, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 2, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 13, 25, 25, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25]
enc=[39654868, 38564788, 37998449, 36705100, 34811134, 29241290, 21154342, 14031189, 9709480, 10192500, 9488434, 8917703, 8436312, 7963105, 7514984, 7654219, 7487295, 8176216, 9031004, 8970914, 9341190, 9144480, 9366669, 9385331, 9139311, 9514114, 9272562, 8593561, 8340901, 6839039, 5285074, 5402594, 5804603, 5414593, 5336346, 5993555, 7350502, 9029370, 10868398, 13859348, 12111786, 11582283, 11430308, 10556747, 10341351, 10607648, 11143139, 11689137, 11730328, 11611945, 14952608, 18555268, 23156514, 27591411, 29403805, 30676639, 32476022, 36955579, 41264880, 44681781, 44601420, 44143855, 43151161, 42898115]

#z3分步求解 
from z3 import *
s=Solver()
r = [ Int(f'a[{i}]') for i in range(64)]
rr=[]
for k in range(64):
	v3=0
	for m in range(64):
		v3 += r[m]*owl[64*m + k]
	s.add(v3==enc[k])
    
print(s.check())
m=s.model()
print(m)

#得到一组解:
enc[33] = 38575
enc[36] = 46137
enc[9] = 42574
enc[35] = 40920
enc[19] = 32015
enc[12] = 38813
enc[27] = 32739
enc[29] = 34208
enc[13] = 33034
enc[34] = 37661
enc[16] = 29057
enc[24] = 33438
enc[28] = 34235
enc[17] = 26765
enc[20] = 34769
enc[11] = 40936
enc[2] = 50090
enc[10] = 43020
enc[1] = 49684
enc[7] = 46797
enc[41] = 53609
enc[30] = 32414
enc[0] = 50409
enc[6] = 47074
enc[15] = 32345
enc[23] = 32113
enc[21] = 34933
enc[31] = 32762
enc[22] = 32060
enc[8] = 45297
enc[43] = 52995
enc[4] = 47646
enc[3] = 49395
enc[37] = 48875
enc[14] = 32512
enc[58] = 58319
enc[5] = 44689
enc[25] = 34385
enc[18] = 27745
enc[32] = 34717
enc[26] = 34094
enc[40] = 51468
enc[63] = 60254
enc[51] = 55296
enc[50] = 54881
enc[44] = 52056
enc[52] = 54632
enc[45] = 51479
enc[38] = 45934
enc[39] = 47834
enc[61] = 58052
enc[62] = 58623
enc[56] = 55535
enc[59] = 58074
enc[47] = 52533
enc[55] = 56164
enc[42] = 50819
enc[60] = 57949
enc[57] = 59558
enc[54] = 54943
enc[53] = 53955
enc[48] = 55281
enc[49] = 55774
enc[46] = 52784

#继续z3求解
s=Solver()
r = [ Int(f'a[{i}]') for i in range(64)]
rr=[]
for k in range(64):
	v3=0
	for m in range(64):
		v3 += r[m]*cat[64*m + k]
	s.add(v3==enc[k])
    
print(s.check())
m=s.model()
print(m)

#得到flag的数组:

a=[ 0 for i in range(64)]
a[33] = 49
a[36] = 48
a[44] = 48
a[62] = 49
a[51] = 48
a[27] = 48
a[40] = 49
a[29] = 48
a[54] = 48
a[50] = 48
a[34] = 49
a[16] = 48
a[39] = 48
a[28] = 48
a[20] = 48
a[49] = 48
a[61] = 49
a[26] = 48
a[11] = 49
a[2] = 97
a[57] = 48
a[41] = 48
a[60] = 49
a[0] = 104
a[6] = 49
a[23] = 48
a[31] = 48
a[59] = 49
a[48] = 49
a[22] = 48
a[55] = 49
a[3] = 109
a[37] = 48
a[56] = 49
a[5] = 123
a[63] = 125
a[58] = 48
a[53] = 48
a[32] = 48
a[9] = 48
a[35] = 48
a[38] = 49
a[45] = 48
a[19] = 49
a[12] = 49
a[13] = 48
a[24] = 49
a[42] = 49
a[10] = 49
a[1] = 103
a[7] = 48
a[46] = 48
a[30] = 48
a[15] = 48
a[21] = 48
a[43] = 49
a[8] = 48
a[4] = 101
a[14] = 48
a[25] = 48
a[18] = 49
a[17] = 48
a[47] = 48
a[52] = 49
print(bytes(a))
#hgame{100011100000110000100000000110001010110000100010011001111}

Level - Week2

xD MAZE

一维迷宫,根据空格的步长,还原即可。

  ############################################################### ####### ############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################### ############################################################### ###############################################################  ###############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################  ############################################################### ####### ###############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################  ####### ###############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################  ####### ####### ####### #######  ############################################################### ############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################### ###############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################  ############################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################### ############################################################### ############################################################### '

exp:

m=[32, ] #csdn字数限制,这里就不写全了
m=bytes(m)
print(bytes(m))
last=0
flag=""
m=m[1:]
for i in range(0,28):
	a=m.find(b' ')
	print(a)
	if a==0:
		flag +='3'
	if a==7:
		flag +='2'
	if a==63:
		flag +='1'
	if a==511:
		flag +='0'
	m=m[a+1:]

print(flag)

#hgame{3120113031203203222231003011}

upx magic 0

没有upx壳。。。算法爆破:

r=[36200, 40265, 10770, 43802, 52188, 47403, 11826, 40793, 56781, 40265, 43274, 3696, 62927, 2640, 23285, 65439, 40793, 48395, 22757, 14371, 48923, 30887, 43802, 18628, 43274, 11298, 40793, 23749, 24277, 30887, 9842, 22165]

def calcc(data):
	data = ord(data)
	data = data<<8
	for j in range(8):
	  if  (data & 0x8000) != 0 :
	    data = (2 * data) ^ 0x1021;
	  else:
	    data *= 2;
	data = data &0xffff
	return data
import string
flag=""
for i in r:
	for t in  string.printable:
		if calcc(t) == i:
			flag+=t
			break
print(flag)
#noW_YOu~koNw-UPx~mAG|C_@Nd~crC16

fake shell

ida分析,需要执行 sudo cat flag.txt

但是在sudo中有校验密码

校验逻辑为:

1、rc4加密,密钥为w0wy0ugot1t(有反调试,需要运行后attach上去)。

2、rc4密钥与内存数据对比。

解密过程为:

1、计算rc4密文:

v7=[1,1,1,1]
v7[0] = 0xE0B25F3D8FFA94B6
v7[1] = 0xE79D6C9866D20FEA
v7[2] = 0x6D6FBEC57140081B
v7[3] = 0xF6F3BDA88D097B7C

r=b''
for i in v7:
    a=hex(i)[2:]
    a=bytes.fromhex(a)[::-1]
    r+=a 
print(r.hex())
#b694fa8f3d5fb2e0ea0fd266986c9de71b084071c5be6f6d7c7b098da8bdf3f6

2、rc4解密:

密钥:w0wy0ugot1t

密文:b694fa8f3d5fb2e0ea0fd266986c9de71b084071c5be6f6d7c7b098da8bdf3f6

得到:hgame{s0meth1ng_run_bef0r_m4in?}

creakme2

更加复杂的魔改TEA。

#encoding=utf-8
import sys
from ctypes import *

def u32(bytes_n):
    n = 0
    n += bytes_n[0]
    n += bytes_n[1]<<8
    n += bytes_n[2]<<16
    n += bytes_n[3]<<24     
    return n

def p32(int_n):
    #0x11223344 -> b'11223344' 
    n = int_n.to_bytes(4,'little') 
    return n

def pack_teadata(data):# 将bytes数据转换为 整型数组
    pack=[]
    for i in range(len(data)//4):
        pack.append(u32(data[i*4:i*4+4]))
    return pack

def upack_teadata(data):#将整型数组转换为bytes
    bytes_data = b''
    for i in range(len(data)):        
        bytes_data+=(p32(data[i]&0xffffffff))
    return bytes_data

def tea_enc(v, k):
    y = c_uint32(v[0])
    z = c_uint32(v[1])
    sum = c_uint32(0)
    delta = 0x9E3779B1
    n = 32
    w = [0,0]

    while(n>0):
        y.value += (k[sum.value & 3] + sum.value) ^ (z.value + ((z.value >> 5) ^ (z.value << 4))) 
        sum.value += delta
        if sum.value & 0x80000000 == 0:
            sum.value ^= 0x1234567
        z.value += (k[(sum.value >> 11) & 3] + sum.value) ^ (y.value + ((y.value >> 5) ^ (16 * y.value)))
        n -= 1
    w[0] = y.value
    w[1] = z.value
    print(hex(sum.value))
    return w

def tea_dec(v, k):
    y = c_uint32(v[0])
    z = c_uint32(v[1])
    sum = c_uint32(0xc78e4d05)
    delta = 0x9E3779B1
    n =32
    w = [0,0]

    while(n>0):
        z.value -= (k[(sum.value >> 11) & 3] + sum.value) ^ (y.value + ((y.value >> 5) ^ (16 * y.value)))
        if sum.value & 0x80000000 == 0:
            sum.value ^= 0x1234567
        sum.value -= delta
        y.value -= (k[sum.value & 3] + sum.value) ^ (z.value + ((z.value >> 5) ^ (z.value << 4)))      
        n -= 1
    w[0] = y.value
    w[1] = z.value
    return w
Buf2=[1,1,1,1,1,1,1,1]
Buf2[0] = 0x457E62CF
Buf2[1] = 0x9537896C
Buf2[2] = 0x1F7E7F72
Buf2[3] = 0xF7A073D8
Buf2[4] = 0x8E996868
Buf2[5] = 0x40AFAF99
Buf2[6] = 0xF990E34
Buf2[7] = 0x196F4086

key  = [1,2,3,4,5,6,7,8,9,0]
flag=b''
for i in range(0,8,2):
    p = tea_dec(Buf2[i:],key)
    a=upack_teadata(p)
    flag+=a
print(flag)
#b'hgame{SEH_s0und5_50_1ntere5ting}'

upx magic 1

upx手动脱壳,脱壳后算法同upx magic 0


v14 = [0 for i in range(37)]
v14[0] = 36200;
v14[1] = 40265;
v14[2] = 10770;
v14[3] = 43802;
v14[4] = 52188;
v14[5] = 47403;
v14[6] = 11826;
v14[7] = 40793;
v14[8] = 56781;
v14[9] = 40265;
v14[10] = 43274;
v14[11] = 3696;
v14[12] = 62927;
v14[13] = 24277;
v14[14] = 15363;
v14[15] = 31879;
v14[16] = 9842;
v14[17] = 43802;
v14[18] = 2640;
v14[19] = 23285;
v14[20] = 65439;
v14[21] = 40793;
v14[22] = 48395;
v14[23] = 22757;
v14[24] = 14371;
v14[25] = 48923;
v14[26] = 30887;
v14[27] = 43802;
v14[28] = 18628;
v14[29] = 43274;
v14[30] = 11298;
v14[31] = 40793;
v14[32] = 23749;
v14[33] = 24277;
v14[34] = 30887;
v14[35] = 9842;
v14[36] = 22165;

def checkval(data):
  v12 = ord(data) << 8
  for j in range(8):
    if (v12 & 0x8000) != 0:
      v12 = (2 * v12)^ 0x1021
    else:
      v12 = 2 * v12
  print(data,hex(v12&0xffff))
  return v12&0xffff

import string

def checkval1(dest):
  for i in string.printable:
    if checkval(i) == dest:
      return i
  return 0

flag=''
for i in range(37):
  flag+=checkval1(v14[i])
print(flag)

#noW_YOu~koNw-rea1_UPx~mAG|C_@Nd~crC16

Level - Week3

Answer’s Windows

换表base64:

import base64
a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'    #标准表
b = [33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96]
b = bytes(b).decode()

c = ";'>B<76\\=82@-8.@=T\"@-7ZU:8*F=X2J<G>@=W^@-8.@9D2T:49U@1aa"
trantab = c.maketrans(b, a)
print(base64.b64decode(c.translate(trantab))) 

#b'hgame{qt_1s_s0_1nteresting_so_1s_b4se64}\x06\x9a'

creakme3

IDA只能看到汇编,Ghidra可以看到伪代码。

exp

a=[48, 48, 48, 48, 48, 49, 50, 50, 50, 50, 50, 51, 51, 51, 51, 51, 51, 51, 51, 51, 53, 56, 56, 57, 57, 57, 57, 66, 95, 95, 95, 95, 97, 100, 100, 100, 100, 100, 101, 101, 102, 102, 102, 102, 102, 102, 102, 103, 103, 104, 104, 104, 104, 104, 105, 105, 105, 106, 106, 107, 107, 108, 109, 110, 110, 110, 111, 111, 111, 112, 114, 114, 114, 115, 115, 115, 115, 115, 115, 115, 116, 116, 116, 117, 117, 119, 119, 123, 125]
b=[20093, 26557, 31304, 33442, 37694, 39960, 23295, 27863, 42698, 48505, 52925, 12874, 12946, 14597, 17041, 23262, 28319, 42282, 48693, 52067, 32571, 14612, 45741, 14554, 20048, 27138, 45327, 30949, 32502, 35235, 36541, 38371, 29658, 21388, 25403, 40604, 46987, 51302, 12974, 30329, 10983, 19818, 22280, 26128, 41560, 47116, 51333, 28938, 31988, 16246, 28715, 41966, 44368, 47815, 16420, 35362, 49237, 11090, 50823, 24320, 50199, 24962, 30171, 15457, 18838, 24001, 11638, 32023, 43291, 39661, 17872, 33895, 43869, 20611, 25122, 36243, 37434, 38686, 46266, 51077, 13656, 34493, 38712, 14096, 38777, 12095, 17629, 30945, 40770]
c=[20093, 26557, 31304, 33442, 37694, 39960, 23295, 27863, 42698, 48505, 52925, 12874, 12946, 14597, 17041, 23262, 28319, 42282, 48693, 52067, 32571, 14612, 45741, 14554, 20048, 27138, 45327, 30949, 32502, 35235, 36541, 38371, 29658, 21388, 25403, 40604, 46987, 51302, 12974, 30329, 10983, 19818, 22280, 26128, 41560, 47116, 51333, 28938, 31988, 16246, 28715, 41966, 44368, 47815, 16420, 35362, 49237, 11090, 50823, 24320, 50199, 24962, 30171, 15457, 18838, 24001, 11638, 32023, 43291, 39661, 17872, 33895, 43869, 20611, 25122, 36243, 37434, 38686, 46266, 51077, 13656, 34493, 38712, 14096, 38777, 12095, 17629, 30945, 40770]

c.sort()
print(c)
f=[]
for i in c:
	idx=b.index(i)
	f.append(a[idx])
print(bytes(f))
#b'fjow33etu938nhi3wrnf90sdf32nklsdf0923hgame{B0go_50rt_is_s0_stup1d}fh32orh98sdfh23ikjsdf32'
#hgame{B0go_50rt_is_s0_stup1d}

hardened

加了壳的apk,先用FRIDA-DEXDump脱壳。

java源码:

    public void sendPwd(View view) {
        Intent intent = new Intent(this, rightpage.class);
        if (bbbbb(aesEncryption(((EditText) findViewById(2131165238)).getText().toString().getBytes())).equals("mXYxnHYp61u/5qksdDel6TgiKqcvUbBkX3xErlR4lO0aEAdU0acJY8PRSVXJxxsRR8Dq9MTJhkWLSbBvCG5gtm==")) {
            startActivity(intent);
        } else {
            Toast.makeText(this, "fail >﹏<", 1).show();
        }
    }

bbbbb和aesEncryption函数实现在libenc.so中,bbbbb为换表base64,aesEncryption为AES CBC加密。

分析 aesEncryption 得到key和iv计算发现不正确,调试时发现key iv 还有 base64表数据不同。

当时怀疑时不同的区域异或了一个数据,但是没有深入分析,爆破了一下key 和iv的数据。

from Crypto.Cipher import AES
import base64

key=[122, 101, 99, 100, 111, 113, 111, 126, 127, 98, 125, 113, 124, 111, 123, 117, 105, 111, 118, 127, 98, 111, 105, 127, 101, 111, 100, 127, 111, 116, 117, 115]
iv=[6, 16, 10, 32, 25, 22, 17, 27, 32, 18, 26, 94, 94, 94, 94, 94]
msg_enc=[114,92,-80,1,-41,-2,-4,2,115,85,18,-114,43,-19,39,-29,19,-54,-71,-66,101,46,-87,-90,-5,1,-102,-20,92,14,-9,36]
for i in range(32):
	msg_enc[i] = msg_enc[i] & 0xff
msg_enc = bytes(msg_enc)

msg_p=b'1234567812345678'
for i in range(0xff):
	tkey=[]
	for x in key:
		tkey.append(x ^ i)
	tkey=bytes(tkey)
	for j in range(0xff):
		tiv=[]
		for y in iv:
			tiv.append(y ^ j)
		tiv=bytes(tiv)

		aes = AES.new(tkey,AES.MODE_CBC,tiv)
		msg = aes.encrypt(msg_p)
		if msg[:16] == msg_enc[:16]:
			print(i,j)
			print(tkey,tiv)
            
key=b'JUST_A_NORMAL_KEY_FOR_YOU_TO_DEC' 
iv=b'you_find_me!!!!!'

a = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'    #标准表
b = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/'   #新表
c = 'mXYxnHYp61u/5qksdDel6TgiKqcvUbBkX3xErlR4lO0aEAdU0acJY8PRSVXJxxsRR8Dq9MTJhkWLSbBvCG5gtm=='
trantab = c.maketrans(b, a)

msg_enc=base64.b64decode(c.translate(trantab))
aes = AES.new(key,AES.MODE_CBC,iv)
msg = aes.decrypt(msg_enc)
print(msg.decode())

#48 127
#b'JUST_A_NORMAL_KEY_FOR_YOU_TO_DEC' b'you_find_me!!!!!'
#hgame{cONGraTUl4T|0N5!N0w_yoU_C4n_eN?Oy~thE~MUsIc}

Level - Week4

( WOW )

程序本身存在解密函数,在数据对比后,又对输入数据的密文进行了解密。只要把flag密文复制 输入密文那即可。

1、在结果比较前下断点,在return时下断点,随便输入。
2、读取32个字节的密文标准数据,patch Buf2的内容。继续执行。
3、在return时,v10中存放flag

server

这个题拿到了一血。

跟踪调试得到加密过程为

import gmpy2
from Crypto.Util.number import bytes_to_long,long_to_bytes

p=92582184765240663364795767694262273105045150785272129481762171937885924776597
q=107310528658039985708896636559112400334262005367649176746429531274300859498993 

n=p*q
e=950501
m=b'hgame{12123333333333333333333333333333333333333}'
m=bytes_to_long(m)
c=pow(m,e,n)
print(hex(c), c)
cc=str(c).encode().ljust(153,b'\0')
cc =b'480856246755930918853646960284513996465042625507755175073557975588365361488153082402793738425677614000307090113926819061232387511326704622862441103917794'
tmp=0x66
dd=[]
for i in range(0,153):
	dd.append(cc[i] ^ tmp)
	tmp=cc[i]
	#print(i,hex(tmp))
#print(hex(tmp), dd)
ee=[]
for i in range(0,153):
	ee.append(dd[i] ^ tmp)
	tmp=dd[i]

得到算法的核心为:

假设明文:0123456
第一步:0^0x66  1^0 2^1 3^2 4^3 5^4 6^5 
第二步:0^0x66^6 1^0^0^0x66  2^1^1^0 3^2^2^1  4^3^3^2  5^4^4^3  6^5^5^4 
一二步可以简化为: 0^0x66^6 1^0x66  2^0 3^1  4^2  5^3  6^4

1、3、5。。。奇数位置可以直接解:

enc[1]=c[1]^0x66
enc[3]=c[3]^c[1]
enc[5]=c[5]^c[3]
...
得到:
c[1]=enc[1]^0x66
c[3]=enc[3]^c[1]
c[5]=enc[5]^c[3]
...

但是偶数位置因为 enc[0]=c[0]0x66c[6] 里面 c[0]和c[6]均未知,但是计算出enc[0]后续enc[2、4、6]都可以计算。尝试使用爆破c[6]的方式爆破出c即可。c为纯数字。

import gmpy2
from Crypto.Util.number import bytes_to_long,long_to_bytes

p=92582184765240663364795767694262273105045150785272129481762171937885924776597
q=107310528658039985708896636559112400334262005367649176746429531274300859498993 
n=p*q
e=950501
ccc=[99, 85, 4, 3, 5, 5, 5, 3, 7, 7, 2, 8, 8, 11, 1, 2, 10, 4, 2, 13, 8, 9, 12, 9, 4, 13, 8, 0, 14, 0, 15, 13, 14, 10, 2, 2, 1, 7, 3, 5, 6, 4, 6, 7, 6, 2, 2, 5, 3, 3, 9, 6, 0, 11, 13, 11, 0, 2, 3, 8, 3, 11, 7, 1, 11, 5, 14, 5, 0, 10, 14, 15, 13, 7, 13, 7, 14, 1, 15, 1, 11, 5, 6, 2, 12, 6, 10, 4, 1, 7, 4, 2, 6, 3, 6, 12, 5, 12, 3, 12, 6, 0, 4, 15, 2, 14, 7, 0, 14, 14, 12, 4, 3, 4, 2, 0, 0, 2, 6, 2, 3, 6, 4, 4, 4, 7, 1, 2, 3, 9, 2, 12, 8, 1, 12, 3, 12, 2, 0, 3, 14, 3, 14, 12, 9, 1, 7, 15, 5, 7, 2, 2, 4, 102, 94]

tmp=0x66
for i in range(1,153,2):
	ccc[i] ^= tmp
	tmp = ccc[i]
	#print(i, chr(tmp))

print(hex(tmp))
for j in range(0x30,0x3a):
	tmp=j
	tmp ^= 0x66
	cct=[i for i in ccc]
	for i in range(0,153,2):
		cct[i] ^= tmp
		tmp = cct[i]
	a=bytes(cct)
	print(a)

c=135005562109829034199059149474896341566307600227148289525068532297727897409776873250963225670468340868270979975367474527115512003915945795967599087720024
#c=34015463119928024098049048464997351467317701237049299424078433287626887508766972240862235771478241878371969874377575537014502102905844785866589186730125
d=gmpy2.invert(e,(p-1)*(q-1))
m=pow(c,d,n)
print(long_to_bytes(m))

#b'hgame{g0_and_g0_http_5erv3r_nb}'

ezvm

vm虚拟机

分析每个指令的功能,一步步跟踪下逻辑:

1、初始化几个寄存器。

2、输入flag以回车结束

3、对flag长度判断是否是0x20。

4、循环处理flag每个字符:

flag[i]  *=2
flag[i] ^= salt[i]

5、同结果比较。

复现算法:

flag=b'hgame{12345678901234567890abcde}'
flag=list(flag)
salt=[94, 70, 97, 67, 14, 83, 73, 31, 81, 94, 54, 55, 41, 65, 99, 59, 100, 59, 21, 24, 91, 62, 34, 80, 70, 94, 53, 78, 67, 35, 96, 59]
for i in range(0x20):
	flag[i]  *=2
	flag[i] ^= salt[i]
print(flag)

#enc=[142, 136, 163, 153, 196, 165, 195, 221, 25, 236, 108, 155, 243, 27, 139, 91, 62, 155, 241, 134, 243, 244, 164, 248, 248, 152, 171, 134, 137, 97, 34, 193]

exp:

salt=[94, 70, 97, 67, 14, 83, 73, 31, 81, 94, 54, 55, 41, 65, 99, 59, 100, 59, 21, 24, 91, 62, 34, 80, 70, 94, 53, 78, 67, 35, 96, 59]
enc=[142, 136, 163, 153, 196, 165, 195, 221, 25, 236, 108, 155, 243, 27, 139, 91, 62, 155, 241, 134, 243, 244, 164, 248, 248, 152, 171, 134, 137, 97, 34, 193]
for i in range(32):
	enc[i] ^= salt[i]
	enc[i] = enc[i]//2
print(bytes(enc))

#b'hgame{Ea$Y-Vm-t0-PrOTeCT_cOde!!}'
丶拾光_w4ngz
关注
  • 1
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
2021-08-15 代码
dasd11sda456的博客
08-15 1732
07-Http-302 package com.bjpowernode.controller; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; public
CDUT新生赛wp misc (杂项
weixin_47234647的博客
10-17 2377
杂项 真的很杂 签到 不多说 直接关注信科青听 回复flag得到答案 所以这里不写答案了`~ 说好的二维码呢? 压缩包加密了,但没完全加密。说好的二维码呢? 下载之后得到压缩包 解压再解压 发现有密码 根据题目描述 应该是伪加密压缩包了 可以有很多方法解决 相关知识( 以下复制自ctfwiki ZIP 文件主要由三部分构成,分别为 压缩源文件数据区 核心目录 目录结束 local file header + file data + data descriptor central direct
HGAME2021部分逆向WP
re1wn
03-04 1083
HGAME2021_RE_WP
indexedDb
tangyuhui
10-11 6629
参考教程:https://wangdoc.com/javascript/bom/indexeddb.html#indexeddb-%E5%AF%B9%E8%B1%A1
【API进阶之路】因为不会创建云服务器,我被实习生摆了一道
华为云官方博客
07-20 3742
被实习生摆了一道?什么情况?
vm虚拟机-简单题目(hgame-week4-easyvm、cg-ctf wxyVM1/2
01-08
然后先写了前面的cg-ctf的两个题目,其实当时做的时候还没太大虚拟机的感觉,后面接触到hgame题目,然后再看的时候就感觉到有些那个意思,但是两个题目是基础题目也就不是太难为人,看成数据处理的考点也做的出来...
hgame:Haskell 游戏引擎
05-30
【Hgame:Haskell游戏引擎】是一个开源项目,旨在利用Haskell这门纯函数式编程语言来构建高效、灵活的游戏开发框架。Haskell以其强大的类型系统、 lazy evaluation(惰性求值)特性以及对并行和并发的良好支持,为...
HGAME cdcollector-开源
04-24
【标题】"HGAME cdcollector-开源"是一个针对游戏收藏管理者的开源项目,它扩展了原有的cdcollector系统,特别设计用于管理和记录大量的电子游戏数据,尤其是HGAME(可能指的是成人向游戏)的数据库。这个系统利用...
0hgame:用0h制作的游戏->阅读README
05-01
0h游戏卡纸我在2014年10月26日凌晨02:00开始了这个项目,并在2014年10月26日凌晨02:00完成了该项目。 没有时间的游戏? 是的! 好好享受! (对于那些谁是它asceptical, ) 规则: 1- No one talk about fight club...
单表替换密码算法破解工具
01-15
网络密码中介绍的基本加密方法,与凯撒密码相似,该软件提供基本的替换功能
如何使PB编译出的NK支持大容量的SD卡?
gooogleman#foxmail.com
01-21 4063
http://support.microsoft.com/kb/933809/zh-cn     我的2440发现不了4G的SD卡,原来是没有更新PB?Microsoft Windows CE 5.0 支持只有安全数字 (SD) 1.1 兼容内存卡小于 2 千兆字节 (GB) 的。解决方案软件更新信息受支持的软件更新以 Windows CE 5.0 Platform B
LeetCode-笔记-525. 连续数组
勿在浮沙築高台
06-03 688
LeetCode-笔记-525. 连续数组 6月份第三天前缀和了 给定一个二进制数组 nums , 找到含有相同数量的 0 和 1 的最长连续子数组,并返回该子数组的长度。 示例 1: 输入: nums = [0,1] 输出: 2 说明: [0, 1] 是具有相同数量0和1的最长连续子数组。 示例 2: 输入: nums = [0,1,0] 输出: 2 说明: [0, 1] (或 [1, 0]) 是具有相同数量0和1的最长连续子数组。 提示: 1 <= nums.length <= 105
DDE在vb.net中的应用
lgs7907
01-08 2180
李国帅(对以前的文件做些补充,顺便编辑一下。)随便罗嗦几句,自己已经好几年没有写什么东西了,而自己已经从事这一行好久了,希望能提供一些东西给大家,好与坏无所谓。 很早的时候做过DDE方面的程序,那是在2005年刚来深圳的时候,公司的一个产品需要在excel中动态显示数据,临时做了这么个东西,那个产品是vb.net做的,因此就现在vc下面测试后移到vb中应用,还真的成功了。但是时间不经意间已经过去
黑鹰的VIP数据库(一)
caiguazheng4921的博客
12-06 16万+
转自:[url]http://bbs.cqqqz.cn/read.php?tid=4897[/url] NA 353b2cd767a9d75d waq99hjz 8c01f9e64dc3f965 waqi520 83aa400af464c76d war1 7d010614f902b76e warangle 28d9277b06468304 warbb 92935ef2...
HTML教程
最新发布
qq_66274152的博客
10-08 14万+
HTML教程
CVPR2019 (一)
mtxxxx的blog
07-04 11万+
1.Expressive Body Capture: 3D Hands, Face, and Body from a Single Image paper code Abstract:To facilitate the analysis of human actions, interactions and emotions, we compute a 3D m...
http请求响应系列01_做了这么多的请求和响应,你知道你都干了些啥吗?请求报文详解
jiang7701037的博客
07-05 1136
一、做了这么多的请求和响应,你知道你都干了些啥吗? 请看请求和响应的深入了解系列01 2、请求报文详解 二、请求报文 1、请求报文的详解 上篇文字讲的“请求报文和响应报文”,本篇主要解释请求报文包括的内容。 请求报文的内容包括三部分,分别是: 请求行,请求头,空行,请求体。除了空行是分隔的作用,其它三部分放的都是信息。 用汉语的语法解释请求头,请求体的关系。 请求体是主体,是请求时传给后端的主体信息。请求头是附属信息。 对比汉语。请求体就是宾语。请求头是修饰词(如:定语,状语...
java sde_Java操作Oracle空间信息介绍(SDE)
weixin_28867883的博客
02-15 475
sde是Spatial Database Engine简写,中文全称:空间数据库引擎。SDE是一种客户/服务器软件,可使空间数据在工业标准的数据库管理系统中存储、管理和快速查询检索。把GIS数据放在RDBMS中,但是一般的RDBMS都没有提供GIS的数据类型(如点、线、多边形、以及这些feature之间的拓扑关系和投影坐标等相关信息),RDBMS只提供了少量的数据类型支持:int,float,do...
传说中的神器--磁力链接
热门推荐
u012762054的博客
01-29 48万+
如今,在网上求资源,再也不像以前一样需要繁琐的去寻找Torrent文件、图种以及五花八门格式各样的种子文件。只需要一小段“magnet:?xt=urn:btih:”开头的字符串即可完成下载操作。 那么,这一小段字符串究竟是什么?为什么有这么神奇的功效呢?下面我们就来一探究竟。 2009年时,很多BT服务器被迫关闭,不仅仅是很多种子文件从此销声匿迹,就连BT Tracker服务器也停止解析工作,这时...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

丶拾光_w4ngz

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值