
[TSCTF 2022] Reverse Challenges Reproduced

2022-05-14 14:31:18  Views: 307  Source: Internet



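If I don't start learning reverse engineering, I really will get kicked out

I'm still too much of a beginner. For T2 and T3 I either found the encryption method but didn't know how to connect the code logic, or couldn't find the corresponding ciphertext. I need to study harder..

happy_mota

During the contest I got this one by simply playing the game to the end; now let's try the reverse-engineering approach.

Unpacking the exe yields two important items: main.py and the scripts folder. The scripts folder contains a large amount of game information, and after some searching the following code turns up: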

# Piece 2: handed over by the merchant L3m0nade
s = b''
f2 = self.parameter['2wsxdr5']
for i in range(len(f2)):
    s += bytes([f2[i] ^ i ^ 0xC8])
self.conversation_control.print_word("商人L3m0nade", "爽快!我这儿捡了个字符串:\"" + s.decode() + '\"你看有没有用.',"npc_2")

# Piece 3: found in the tower by the immortal
self.conversation_control.print_word("仙人", "我发现塔内有一串奇怪的字符串!\n可能是你要找的:","npc_1")
s = b''
f3 = self.parameter['3edcft6']
for i in range(len(f3)):
    s += bytes([f3[i] ^ i ^ 0xB4])
self.parameter['answer3'] = s.decode()
self.conversation_control.print_word("仙人", s.decode(),"npc_1")
self.conversation_control.print_word("仙人", "我看到还有一串再公主手上,快去救她吧!","npc_1")

# Piece 4: held by the princess; note the index counts down from len(f4)
s = b''
f4 = self.parameter['4rfvgy7']
for i in range(len(f4)):
    s += bytes([(f4[i] ^ (len(f4) - i) ^ 0xA9)])
self.parameter['answer4'] = s.decode()
self.conversation_control.print_word("公主", "我从魔王那里拿到一串咒语样式的字符串:" + self.parameter['answer4'],"npc_4")

# The hero joins the three pieces; the last one is still missing
self.conversation_control.print_word("勇者", "太好了,我已经拿到三块Flag了!:\n"+ self.parameter['answer2']+ self.parameter['answer3']+ self.parameter['answer4'],"player")
self.conversation_control.print_word("勇者", "(最后一块在哪里啊!?) 不管了。我们快跑!","player")

Clearly, 2wsxdr5, 3edcft6 and 4rfvgy7 hold the encrypted flag pieces (enflag) we are looking for, and one piece of the flag is still missing.

Back in main.py, we find:

'2wsxdr5': b'\xf8\xb0\x95\xfc\x84\x88',
'3edcft6': b'\xeb\xe7\x85\xe1\xd5\xc3\x87\xd6\x85\xdc\xd3\xda\x9e',
'4rfvgy7': b'\xee\x97\xd4\xcc\xe7\x91\xf7\xd4\x92\xdc\xe3\xc5\xcb\xcf\x8a\xd5',

So a simple XOR decryption yields the three flag pieces:

0y_7HE_R3Ver5e9ame&W1shB3Tt3rLife!}
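
The decryption step as a script (an added example, not code from the original post). The byte strings are the ones quoted from main.py above; the names PIECES, SCHEMES, decode_piece and recover_tail are made up for this example.

```python
# Encrypted flag pieces, copied from the main.py excerpt quoted in the post.
PIECES = {
    '2wsxdr5': b'\xf8\xb0\x95\xfc\x84\x88',
    '3edcft6': b'\xeb\xe7\x85\xe1\xd5\xc3\x87\xd6\x85\xdc\xd3\xda\x9e',
    '4rfvgy7': b'\xee\x97\xd4\xcc\xe7\x91\xf7\xd4\x92\xdc\xe3\xc5\xcb\xcf\x8a\xd5',
}

# (XOR constant, index counts down?) read off the three loops in the game script.
SCHEMES = {
    '2wsxdr5': (0xC8, False),   # f2[i] ^ i ^ 0xC8
    '3edcft6': (0xB4, False),   # f3[i] ^ i ^ 0xB4
    '4rfvgy7': (0xA9, True),    # f4[i] ^ (len(f4) - i) ^ 0xA9
}


def decode_piece(name):
    """Decrypt one piece with the same per-byte XOR the game applies."""
    data = PIECES[name]
    const, counts_down = SCHEMES[name]
    out = bytearray()
    for i, b in enumerate(data):
        pos = len(data) - i if counts_down else i
        out.append(b ^ pos ^ const)
    return out.decode('ascii')


def recover_tail():
    """Join the pieces in the order the game prints them (answer2..answer4)."""
    return ''.join(decode_piece(n) for n in ('2wsxdr5', '3edcft6', '4rfvgy7'))


if __name__ == '__main__':
    for name in PIECES:
        print(name, '->', decode_piece(name))
    print(recover_tail())
```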

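Of course, at this point you can already see that the first three letters should be enj (making up enjoy) or a variant of it; trying a submission confirms that the last piece of the flag is TSCTF{enj

The intended way to get this piece is: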

self.conversation_control.print_word("力量之神", "11-19层的墙有点怪啊?\n","blue_god")

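Then, following this hint about the walls on floors 11-19, the shapes in the map spell TSCTF{Enj (the E should actually be lowercase)

This gives the flag: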

TSCTF{enj0y_7HE_R3Ver5e9ame&W1shB3Tt3rLife!}

PatternLock-Easy

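I made a really stupid mistake during the contest, I'm pretty speechless

This challenge is the easy version that the challenge author kindly released; in the original version the .so file was also obfuscated with OLLVM. I'll try that one once I've learned deobfuscation..

I'm putting the source code of this challenge here to study later

In MainActivity we find: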

if (TsUtil.check(str)) {
    MainActivity.this.f1751o.setViewMode(0);
    Context context = MainActivity.this.n;
    Toast.makeText(context, "Submit TSCTF{" + str + "}", 0).show();
    return;
}

Look at the check function:

package com.crackme.tsctf;

public class Check {
    public static native boolean check(String str);

    public static boolean cmp(String input) {
        byte[] keyBytes = "TSCTF2022!!!!!".getBytes();
        byte[] inputBytes = input.getBytes();
        byte[] cmp = {97, 14, 20, 35, 10, 68, 11, 86, 55, 91, 4, 42, 4, 76, 107, 89, 68, 32, 95, 77, 15, 6, 55, 9, 86, 47, 87, 26, 109, 86, 68, 116, 11, 19, 11, 5, 54, 12, 87, 122};
        for (int i2 = 0; i2 < input.length(); i2++) {
            if ((keyBytes[i2 % keyBytes.length] ^ inputBytes[i2]) != cmp[i2]) {
                return false;
            }
        }
        return true;
    }
}

check is a native method, so we reverse the .so file. Java interacts with native code through JNI, so go straight to the point:

jint JNI_OnLoad(JavaVM *vm, void *reserved)
{
  int v2; // r0
  int i; // [sp+24h] [bp-4Ch]
  int j; // [sp+24h] [bp-4Ch]
  int v8; // [sp+34h] [bp-3Ch] BYREF
  char v9[8]; // [sp+38h] [bp-38h] BYREF
  int v10[3]; // [sp+40h] [bp-30h] BYREF
  char v11[34]; // [sp+4Eh] [bp-22h] BYREF

  ptrace(PTRACE_TRACEME, 0, 0, 0);
  if ( sub_1AF0(vm, &v8, 65542) )
    return -1;
  strcpy(v9, "cig`o");
  strcpy(v11, "(Mhbrd)kigm$_y|f~v):N");
  for ( i = 0; i <= 4; ++i )
    v9[i] ^= i;
  for ( j = 0; j <= 20; ++j )
    v11[j] ^= j;
  v10[0] = (int)v9;
  v10[1] = (int)v11;
  v10[2] = (int)sub_179C;
  if ( !sub_1B24(v8, (int)"com/crackme/tsctf/TsUtil", (int)v10, 1) )
    return -1;
  v2 = sub_159C();
  sub_1670(v2);
  return 65542;
}

int __fastcall sub_179C(int a1, int a2, int a3)
{
  int v3; // r0
  unsigned __int8 v5; // [sp+18h] [bp-38h]
  int v6; // [sp+20h] [bp-30h]
  int i; // [sp+24h] [bp-2Ch]
  int j; // [sp+24h] [bp-2Ch]
  int v11[4]; // [sp+34h] [bp-1Ch] BYREF

  qmemcpy(v11, "\r<6\x12)G^VfIDjDX", 14);
  for ( i = 0; i <= 13; ++i )
    *(_BYTE *)(dword_B020 + i) = aTsctf2022[i] ^ *((_BYTE *)v11 + i);
  v6 = sub_18B8(a1, (int)"com/crackme/tsctf/TsUtil");
  v3 = sub_18E2(a1, v6, (int)"cmp", (int)"(Ljava/lang/String;)Z");
  v5 = sub_192C(a1, v6, v3, a3);
  for ( j = 0; j <= 13; ++j )
    *(_BYTE *)(dword_B020 + j) = aTsctf2022[j];
  return v5;
}

The code logic is now clear. One thing to note: if what you see in IDA is this code instead

qmemcpy(v12, ")G^VfIDjDX", 10);
v11 = 305544205;

remember the dialogue in the screenshot above... This is why I blew this challenge during the contest..
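
An added example (not code from the original post) that undoes the index-XOR string obfuscation in JNI_OnLoad and shows that the split form IDA can display is the same 14-byte constant as the single qmemcpy in sub_179C. It assumes a little-endian target and that v11 sits directly before v12 in memory; the helper names are made up for this example.

```python
import struct


def xor_index(buf: bytes) -> bytes:
    """Undo the `buf[i] ^= i` loops in JNI_OnLoad."""
    return bytes(b ^ i for i, b in enumerate(buf))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Obfuscated strings copied from the JNI_OnLoad listing (v9 and v11 there).
NAME_OBF = b"cig`o"
SIG_OBF = b"(Mhbrd)kigm$_y|f~v):N"


def native_method():
    """Name and JNI signature stored in v10[0] and v10[1]; v10[2] is sub_179C."""
    return xor_index(NAME_OBF).decode(), xor_index(SIG_OBF).decode()


# The constant as one 14-byte qmemcpy (sub_179C listing) ...
BLOB_WHOLE = b"\r<6\x12)G^VfIDjDX"
# ... and as IDA may split it: a 32-bit store plus a 10-byte qmemcpy.
V11_INT = 305544205          # 0x12363C0D
V12_TAIL = b")G^VfIDjDX"


def blob_from_split() -> bytes:
    # Assumption: little-endian store, v11 immediately followed by v12.
    return struct.pack("<I", V11_INT) + V12_TAIL


def runtime_key() -> bytes:
    """Key sub_179C writes at dword_B020 before calling TsUtil.cmp."""
    return xor_bytes(b"TSCTF2022!!!!!", blob_from_split())


if __name__ == "__main__":
    print(native_method())
    print(blob_from_split() == BLOB_WHOLE)
    print(runtime_key())
```

The three values in v10 have the layout of a JNINativeMethod entry (name, signature, function pointer), which is why calling check from Java ends up in sub_179C.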

#include<bits/stdc++.h>
using namespace std;
char aTsctf2022[] = "TSCTF2022!!!!!";
char enkey[] = "\r<6\x12)G^VfIDjDX";
char key[233], flag[233];
char cmp[] = {97, 14, 20, 35, 10, 68, 11, 86, 55, 91, 4, 42, 4, 76, 107, 89, 68, 32, 95, 77, 15, 6, 55, 9, 86, 47, 87, 26, 109, 86, 68, 116, 11, 19, 11, 5, 54, 12, 87, 122};
int main()
{
	// cmp has no terminating NUL, so take its length with sizeof, not strlen
	int len1 = strlen(enkey), len2 = sizeof(cmp);
	// real key = placeholder key XOR the constant from sub_179C
	for (int i = 0; i < len1; ++i) key[i] = aTsctf2022[i] ^ enkey[i];
	// undo the repeating-key XOR from the Java cmp() method
	for (int i = 0; i < len2; ++i) flag[i] = key[i % len1] ^ cmp[i];
	cout << flag;
}

This gives the flag:

TSCTF{8aaee1e2c3aaa5261f08abca3d2c4912dfeabd21}

happy_string

Connecting to the server gives us the following:

>Welcome to TSCTF2022 XD
>L3m0nade loves Interseting Strings,could you show him from the following file?
>Ready to recv(Y|N)?
y // this y is my input
>NOW? Show me Your Answer!

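The environment has already been shut down, so I'll just use this one set of data.

First try decoding this blob of data. Its format looks very much like Base64, and decoding it shows that it is an ELF file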

from pwn import *
import base64

p = remote('10.7.2.136', 45530)
p.recvuntil(b"(Y|N)?")  # receive all of the initial prompt
p.sendline(b'y')

code = p.recvuntil(b">NOW?")  # receive the base64 in between
with open("FromMyBase64", 'wb') as f:
    f.write(base64.b64decode(code[:-6]))  # code includes ">NOW?", so decode only up to the 6th character from the end
p.interactive()

That gives us the file.

Open the file; in the init that runs before main there is funcs_2159

char *sub_CEA()
{
  char *result; // rax
  int i; // [rsp+0h] [rbp-4h]

  for ( i = 0; i <= 15; ++i )
  {
    result = src;
    src[i] ^= a13m0nadeI5Mes5[5 * i];
  }
  return result;
}

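Here we can see that src is decrypted from "frYVQ)VtT5cctvhM" to "W3lc0meT0TSCTF!!" (remember to append the 0v0 string after the al3m0n string)

The ptrace in the main function can be bypassed during dynamic debugging simply by flipping the jz/jnz; changing the register value from 1 to 0 in the general registers view is enough. (Thanks to james for saving my life; my own attempts to patch the program with nop and by swapping jz/jnz never got past it.)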

Source: https://www.cnblogs.com/Here-is-SG/p/16270048.html
