REVERSE01

小明给出了一个程序包，作为逆向工程师的你，能否对其进行逆向分析，找出小明藏在其中的秘密？

APK内就是一个简单的调用native，然后我们拿出x86的so开始分析
导出函数没有JAVA_xxx_check，说明可能是动态注册，导入jni.h后修复一下JNI_Onload

观察RegisterNative的(const JNINativeMethod *)off_2D50，第三个即为注册地址

第一个函数是

__int64 __fastcall sm4_keyExpand(_DWORD *a1)
{
  unsigned __int32 v1; // r11d
  unsigned __int32 v2; // r14d
  int v3; // r15d
  unsigned int v4; // ecx
  __int64 i; // rdx
  unsigned __int32 v6; // r10d
  unsigned int v7; // ebx
  __int64 v8; // rbp
  __int64 v9; // rsi
  __int64 result; // rax
  int v11; // ebx
  int v12; // ebx
  unsigned __int64 v13; // rt0

  qword_3018 = 'Z0099864';
  *a1 = 1;
  v1 = _byteswap_ulong(dword_3010) ^ 0xA3B1BAC6;
  v2 = _byteswap_ulong(dword_3014) ^ 0x56AA3350;
  v3 = 0x534BA9AE;
  v4 = 0x8B401286;
  for ( i = 0LL; i != 32; ++i )
  {
    v6 = v2;
    v2 = v3;
    v3 = v4;
    v7 = *(_DWORD *)((char *)&unk_CE0 + i * 4) ^ v6 ^ v2 ^ v4 ^ 7;
    v8 = BYTE1(v7);
    v9 = (unsigned __int8)v7;
    result = (unsigned __int8)(byte_D60[HIBYTE(v7)] ^ 7) << 24;
    v11 = result | ((byte_D60[BYTE2(v7)] ^ 7) << 16);
    LODWORD(v8) = v11 | ((byte_D60[v8] ^ 7) << 8);
    LODWORD(v13) = v11;
    HIDWORD(v13) = v8 | byte_D60[v9] ^ 7;
    v12 = v13 >> 19;
    LODWORD(v13) = v8;
    v4 = (v13 >> 9) ^ v12 ^ v1 ^ HIDWORD(v13);
    a1[i + 1] = v4;
    v1 = v6;
  }
  return result;
}

byte_D60是SM4-Box ^ 7的结果，0xA3B1BAC6和0x56AA3350均为SM4特征值。
下面就是SM4加密过程了，16个字节为一组的ECB加密

unsigned __int64 __fastcall SM4_Encrypt(__int64 a1, unsigned __int8 *a2, _BYTE *a3)
{
  __m128i v3; // xmm0
  __int64 i; // r9
  unsigned int v5; // ecx
  unsigned int v6; // ebx
  int v7; // esi
  int v8; // eax
  int v9; // ecx
  int v10; // esi
  unsigned __int64 v11; // rt0
  unsigned int v12; // esi
  int v13; // eax
  int v14; // eax
  int v15; // eax
  int v16; // eax
  _OWORD v18[7]; // [rsp+10h] [rbp-98h] BYREF
  __int128 v19; // [rsp+80h] [rbp-28h]
  unsigned __int64 v20; // [rsp+90h] [rbp-18h]

  v20 = __readfsqword(0x28u);
  v19 = 0LL;
  memset(v18, 0, sizeof(v18));
  v3 = _mm_or_si128(
         _mm_or_si128(
           _mm_cvtepu8_epi32(_mm_insert_epi8(_mm_insert_epi8(_mm_insert_epi8(_mm_cvtsi32_si128(a2[15]), a2[11], 1), a2[7], 2), a2[3], 3)),
           _mm_slli_epi32(
             _mm_cvtepu8_epi32(
               _mm_insert_epi8(
                 _mm_insert_epi8(_mm_insert_epi8(_mm_cvtsi32_si128(a2[14]), a2[10], 1), a2[6], 2),
                 a2[2],
                 3)),
             8u)),
         _mm_or_si128(
           _mm_slli_epi32(
             _mm_cvtepu8_epi32(
               _mm_insert_epi8(
                 _mm_insert_epi8(_mm_insert_epi8(_mm_cvtsi32_si128(a2[13]), a2[9], 1), a2[5], 2),
                 a2[1],
                 3)),
             0x10u),
           _mm_slli_epi32(
             _mm_cvtepu8_epi32(_mm_insert_epi8(_mm_insert_epi8(_mm_insert_epi8(_mm_cvtsi32_si128(a2[12]), a2[8], 1), a2[4], 2), *a2, 3)),
             0x18u)));
  for ( i = 0LL; i != 32; ++i )
  {
    v5 = *(_DWORD *)(a1 + 4 * i) ^ _mm_extract_epi32(v3, 1) ^ _mm_extract_epi32(v3, 2) ^ _mm_cvtsi128_si32(v3);
    v6 = byte_D60[HIBYTE(v5)] ^ 7;
`    v7 = (v6 << 24) | ((byte_D60[BYTE2(v5)] ^ 7) << 16);
    v8 = v7 | ((byte_D60[BYTE1(v5)] ^ 7) << 8);
    v9 = byte_D60[(unsigned __int8)v5] ^ 7;
    LODWORD(v11) = v7;
    HIDWORD(v11) = v8 + v9;
    v10 = v11 >> 22;
    HIDWORD(v11) = v8 + v9;
    LODWORD(v11) = v8;
    v12 = (v11 >> 14) ^ (__PAIR64__(v9, v8) >> 8) ^ (v8 + v9) ^ _mm_extract_epi32(v3, 3) ^ ((v6 >> 6) + 4 * (v8 + v9)) ^ v10;
    *((_DWORD *)v18 + i) = v12;
    v3 = _mm_blend_epi16(_mm_shuffle_epi32(v3, 144), _mm_cvtsi32_si128(v12), 3);
  }
  v13 = HIDWORD(v19);
  *a3 = HIBYTE(v19);
  a3[1] = BYTE2(v13);
  a3[2] = BYTE1(v13);
  a3[3] = v13;
  v14 = DWORD2(v19);
  a3[4] = BYTE11(v19);
  a3[5] = BYTE2(v14);
  a3[6] = BYTE1(v14);
  a3[7] = v14;
  v15 = DWORD1(v19);
  a3[8] = BYTE7(v19);
  a3[9] = BYTE2(v15);
  a3[10] = BYTE1(v15);
  a3[11] = v15;
  v16 = v19;
  a3[12] = BYTE3(v19);
  a3[13] = BYTE2(v16);
  a3[14] = BYTE1(v16);
  a3[15] = v16;
  return __readfsqword(0x28u);
}

抄出来的东西，在这留一份

#include <Windows.h>
#include <mmintrin.h>
#include <xmmintrin.h>
#include <emmintrin.h>
#include <pmmintrin.h>
#include <tmmintrin.h>
#include <smmintrin.h>
#include <nmmintrin.h>
#include <wmmintrin.h>
#include <immintrin.h>
#include <intrin.h>
#include "def.h"

unsigned char byte_D60[] =
{
  0xD1, 0x97, 0xEE, 0xF9, 0xCB, 0xE6, 0x3A, 0xB0, 0x11, 0xB1,
  0x13, 0xC5, 0x2F, 0xFC, 0x2B, 0x02, 0x2C, 0x60, 0x9D, 0x71,
  0x2D, 0xB9, 0x03, 0xC4, 0xAD, 0x43, 0x14, 0x21, 0x4E, 0x81,
  0x01, 0x9E, 0x9B, 0x45, 0x57, 0xF3, 0x96, 0xE8, 0x9F, 0x7D,
  0x34, 0x53, 0x0C, 0x44, 0xEA, 0xC8, 0xAB, 0x65, 0xE3, 0xB4,
  0x1B, 0xAE, 0xCE, 0x0F, 0xEF, 0x92, 0x87, 0xD8, 0x93, 0xFD,
  0x72, 0x88, 0x38, 0xA1, 0x40, 0x00, 0xA0, 0xFB, 0xF4, 0x74,
  0x10, 0xBD, 0x84, 0x5E, 0x3B, 0x1E, 0xE1, 0x82, 0x48, 0xAF,
  0x6F, 0x6C, 0x86, 0xB5, 0x76, 0x63, 0xDD, 0x8C, 0xFF, 0xEC,
  0x08, 0x4C, 0x77, 0x51, 0x9A, 0x32, 0x19, 0x23, 0x09, 0x59,
  0x64, 0x5F, 0xD6, 0xA5, 0x22, 0x25, 0x7B, 0x3C, 0x06, 0x26,
  0x7F, 0x80, 0xD3, 0x07, 0x41, 0x50, 0x98, 0xD4, 0x20, 0x55,
  0x4B, 0x31, 0x05, 0xE0, 0xA7, 0xC3, 0xCF, 0x99, 0xED, 0xB8,
  0x8D, 0xD5, 0x47, 0xC0, 0x3F, 0xB2, 0xA4, 0xF0, 0xF5, 0xC9,
  0xFE, 0x66, 0x12, 0xA6, 0xE7, 0xA9, 0x5A, 0xA3, 0x9C, 0x33,
  0x1D, 0x52, 0xAA, 0x94, 0x35, 0x37, 0xF2, 0x8B, 0xB6, 0xE4,
  0x1A, 0xF1, 0xE5, 0x29, 0x85, 0x61, 0xCD, 0x67, 0xC7, 0x2E,
  0x24, 0xAC, 0x0A, 0x54, 0x49, 0x68, 0xD2, 0xDC, 0x30, 0x42,
  0xD9, 0xFA, 0x89, 0x28, 0x04, 0xF8, 0x6D, 0x75, 0x6A, 0x6B,
  0x5C, 0x56, 0x8A, 0x1C, 0xA8, 0x95, 0xBC, 0xDA, 0xBB, 0x78,
  0x16, 0xDE, 0x5B, 0x46, 0x18, 0x17, 0x5D, 0xDF, 0x0D, 0xC6,
  0x36, 0x8F, 0xA2, 0xCA, 0x7C, 0xBA, 0x2A, 0x73, 0xD7, 0x15,
  0xBF, 0xE2, 0xB3, 0xB7, 0x8E, 0x6E, 0x90, 0x4D, 0x0B, 0x91,
  0x70, 0x79, 0x62, 0xBE, 0xF6, 0x0E, 0xC2, 0x69, 0xC1, 0x83,
  0x1F, 0xF7, 0x7A, 0xEB, 0x3D, 0xDB, 0x4A, 0x27, 0x7E, 0xE9,
  0x58, 0x39, 0xD0, 0xCC, 0x3E, 0x4F
};

unsigned __int64 __fastcall enc(_DWORD* a1, unsigned __int8* src, _BYTE* a3)
{
    __m128i v4; // xmm0
    __int64 i; // r9
    unsigned int v6; // ecx
    unsigned int v7; // ebx
    int v8; // esi
    int v9; // eax
    int v10; // ecx
    int v11; // esi
    unsigned __int64 v12; // rt0
    unsigned int v13; // esi
    int v14; // eax
    int v15; // eax
    int v16; // eax
    int v17; // eax
    _DWORD v19[32]; // [rsp+10h] [rbp-98h] BYREF

    memset(v19, 0, sizeof(v19));
    v4 = _mm_or_si128(
        _mm_or_si128(
            _mm_cvtepu8_epi32(
                _mm_insert_epi8(
                    _mm_insert_epi8(_mm_insert_epi8(_mm_cvtsi32_si128(src[15]), src[11], 1), src[7], 2),
                    src[3],
                    3)),
            _mm_slli_epi32(
                _mm_cvtepu8_epi32(
                    _mm_insert_epi8(
                        _mm_insert_epi8(_mm_insert_epi8(_mm_cvtsi32_si128(src[14]), src[10], 1), src[6], 2),
                        src[2],
                        3)),
                8u)),
        _mm_or_si128(
            _mm_slli_epi32(
                _mm_cvtepu8_epi32(
                    _mm_insert_epi8(
                        _mm_insert_epi8(_mm_insert_epi8(_mm_cvtsi32_si128(src[13]), src[9], 1), src[5], 2),
                        src[1],
                        3)),
                0x10u),
            _mm_slli_epi32(
                _mm_cvtepu8_epi32(
                    _mm_insert_epi8(
                        _mm_insert_epi8(_mm_insert_epi8(_mm_cvtsi32_si128(src[12]), src[8], 1), src[4], 2),
                        *src,
                        3)),
                0x18u)));
    for (i = 0LL; i != 32; ++i)
    {
        int a = _mm_extract_epi32(v4, 1);
        v6 = a1[i] ^ a ^ _mm_extract_epi32(v4, 2) ^ _mm_cvtsi128_si32(v4);
        int hv6 = HIBYTE(v6);
        int b2v6 = BYTE2(v6);
        int b1v6 = BYTE1(v6);
        v7 = byte_D60[hv6] ^ 7;
        v8 = (v7 << 24) | ((byte_D60[b2v6] ^ 7) << 16);
        v9 = v8 | ((byte_D60[b1v6] ^ 7) << 8);
        v10 = byte_D60[(unsigned __int8)v6] ^ 7;
        LODWORD(v12) = v8;
        HIDWORD(v12) = v9 + v10;
        v11 = v12 >> 22;
        HIDWORD(v12) = v9 + v10;
        LODWORD(v12) = v9;
        int bbb = (v12 >> 14);
        int ccc = (__PAIR64__(v10, v9) >> 8);
        int eee = ((v7 >> 6) + 4 * (v9 + v10));
        int xj = _mm_extract_epi32(v4, 3);
        v13 = bbb ^ ccc ^ (v9 + v10) ^ eee ^ v11;
        v13 ^= xj;
        v19[i] = v13;
        v4 = _mm_blend_epi16(_mm_shuffle_epi32(v4, 0x90), _mm_cvtsi32_si128(v13), 3);
    }
    v14 = v19[31];
    *a3 = HIBYTE(v19[31]);
    a3[1] = BYTE2(v14);
    a3[2] = BYTE1(v14);
    a3[3] = v14;
    v15 = v19[30];
    a3[4] = HIBYTE(v19[30]);
    a3[5] = BYTE2(v15);
    a3[6] = BYTE1(v15);
    a3[7] = v15;
    v16 = v19[29];
    a3[8] = HIBYTE(v19[29]);
    a3[9] = BYTE2(v16);
    a3[10] = BYTE1(v16);
    a3[11] = v16;
    v17 = v19[28];
    a3[12] = HIBYTE(v19[28]);
    a3[13] = BYTE2(v17);
    a3[14] = BYTE1(v17);
    a3[15] = v17;
    return 0;
}

unsigned int unk_CE0[32] = {
    0x00070E12, 0x1C232A36, 0x383F464A, 0x545B626E, 0x70777E82, 0x8C939AA6, 0xA8AFB6BA, 0xC4CBD2DE,
    0xE0E7EEF2, 0xFC030A16, 0x181F262A, 0x343B424E, 0x50575E62, 0x6C737A86, 0x888F969A, 0xA4ABB2BE,
    0xC0C7CED2, 0xDCE3EAF6, 0xF8FF060A, 0x141B222E, 0x30373E42, 0x4C535A66, 0x686F767A, 0x848B929E,
    0xA0A7AEB2, 0xBCC3CAD6, 0xD8DFE6EA, 0xF4FB020E, 0x10171E22, 0x2C333A46, 0x484F565A, 0x646B727E
};


__int64 __fastcall sub_940(_DWORD* a1)
{
    unsigned __int32 v1; // r11d
    unsigned __int32 v2; // r14d
    int v3; // r15d
    unsigned int v4; // ecx
    __int64 i; // rdx
    unsigned __int32 v6; // r10d
    unsigned int v7; // ebx
    __int64 v8; // rbp
    __int64 v9; // rsi
    __int64 result; // rax
    int v11; // ebx
    int v12; // ebx
    unsigned __int64 v13; // rt0


    *a1 = 1;
    v1 = _byteswap_ulong(842084673) ^ 0xA3B1BAC6;
    v2 = _byteswap_ulong(926233394) ^ 0x56AA3350;
    v3 = 0x534BA9AE;
    v4 = 0x8B401286;
    for (i = 0LL; i != 32; ++i)
    {
        v6 = v2;
        v2 = v3;
        v3 = v4;
        v7 = unk_CE0[i] ^ v6 ^ v2 ^ v4 ^ 7;
        v8 = BYTE1(v7);
        v9 = (unsigned __int8)v7;
        result = (unsigned __int8)(byte_D60[HIBYTE(v7)] ^ 7) << 24;
        v11 = result | ((byte_D60[BYTE2(v7)] ^ 7) << 16);
        LODWORD(v8) = v11 | ((byte_D60[v8] ^ 7) << 8);
        LODWORD(v13) = v11;
        HIDWORD(v13) = v8 | byte_D60[v9] ^ 7;
        v12 = v13 >> 19;
        LODWORD(v13) = v8;
        v4 = (v13 >> 9) ^ v12 ^ v1 ^ HIDWORD(v13);
        a1[i + 1] = v4;
        v1 = v6;
    }
    return result;
}

int main() {
    _DWORD v11[34];
    _BYTE dest[34];
    unsigned char src[50];
    memcpy_s(src, 50, (const char*)"wdflag{12312312312312111111111111113112}", 41);
    sub_940(v11);
    enc(v11, src, dest);
    enc(v11, src+16, dest + 16);
    enc(v11, src + 32, dest + 16 + 16);
    return 0;
}

from regadgets import *
table_a1 = byte2dword(bytes.fromhex("""
01 00 00 00 7f b9 a3 80 d6 ec d4 b9 aa ec 25 74
65 d3 9b 33 13 8b d1 a5 de a4 a7 56 3e c7 07 e9
a9 04 aa d0 28 7f 82 6c 6a 19 97 e9 d8 2a 2f 0c
a5 6d 9d fd 6d da 4d 16 a4 c2 dc 5f b7 87 99 48
78 59 ef fd ca 1a c2 96 59 62 f4 7f 4e c9 ad b9
6d 56 fb 47 43 c9 cf 8c 36 e3 a5 8d 1b d4 49 1b
75 a1 47 66 68 90 de c3 94 87 70 f6 91 b1 4a e9
a4 89 0b 54 20 a3 ab b6 d0 64 77 2a a7 90 c4 ed
"""))
byte_d60 = [  0xD1, 0x97, 0xEE, 0xF9, 0xCB, 0xE6, 0x3A, 0xB0, 0x11, 0xB1,
  0x13, 0xC5, 0x2F, 0xFC, 0x2B, 0x02, 0x2C, 0x60, 0x9D, 0x71,
  0x2D, 0xB9, 0x03, 0xC4, 0xAD, 0x43, 0x14, 0x21, 0x4E, 0x81,
  0x01, 0x9E, 0x9B, 0x45, 0x57, 0xF3, 0x96, 0xE8, 0x9F, 0x7D,
  0x34, 0x53, 0x0C, 0x44, 0xEA, 0xC8, 0xAB, 0x65, 0xE3, 0xB4,
  0x1B, 0xAE, 0xCE, 0x0F, 0xEF, 0x92, 0x87, 0xD8, 0x93, 0xFD,
  0x72, 0x88, 0x38, 0xA1, 0x40, 0x00, 0xA0, 0xFB, 0xF4, 0x74,
  0x10, 0xBD, 0x84, 0x5E, 0x3B, 0x1E, 0xE1, 0x82, 0x48, 0xAF,
  0x6F, 0x6C, 0x86, 0xB5, 0x76, 0x63, 0xDD, 0x8C, 0xFF, 0xEC,
  0x08, 0x4C, 0x77, 0x51, 0x9A, 0x32, 0x19, 0x23, 0x09, 0x59,
  0x64, 0x5F, 0xD6, 0xA5, 0x22, 0x25, 0x7B, 0x3C, 0x06, 0x26,
  0x7F, 0x80, 0xD3, 0x07, 0x41, 0x50, 0x98, 0xD4, 0x20, 0x55,
  0x4B, 0x31, 0x05, 0xE0, 0xA7, 0xC3, 0xCF, 0x99, 0xED, 0xB8,
  0x8D, 0xD5, 0x47, 0xC0, 0x3F, 0xB2, 0xA4, 0xF0, 0xF5, 0xC9,
  0xFE, 0x66, 0x12, 0xA6, 0xE7, 0xA9, 0x5A, 0xA3, 0x9C, 0x33,
  0x1D, 0x52, 0xAA, 0x94, 0x35, 0x37, 0xF2, 0x8B, 0xB6, 0xE4,
  0x1A, 0xF1, 0xE5, 0x29, 0x85, 0x61, 0xCD, 0x67, 0xC7, 0x2E,
  0x24, 0xAC, 0x0A, 0x54, 0x49, 0x68, 0xD2, 0xDC, 0x30, 0x42,
  0xD9, 0xFA, 0x89, 0x28, 0x04, 0xF8, 0x6D, 0x75, 0x6A, 0x6B,
  0x5C, 0x56, 0x8A, 0x1C, 0xA8, 0x95, 0xBC, 0xDA, 0xBB, 0x78,
  0x16, 0xDE, 0x5B, 0x46, 0x18, 0x17, 0x5D, 0xDF, 0x0D, 0xC6,
  0x36, 0x8F, 0xA2, 0xCA, 0x7C, 0xBA, 0x2A, 0x73, 0xD7, 0x15,
  0xBF, 0xE2, 0xB3, 0xB7, 0x8E, 0x6E, 0x90, 0x4D, 0x0B, 0x91,
  0x70, 0x79, 0x62, 0xBE, 0xF6, 0x0E, 0xC2, 0x69, 0xC1, 0x83,
  0x1F, 0xF7, 0x7A, 0xEB, 0x3D, 0xDB, 0x4A, 0x27, 0x7E, 0xE9,
  0x58, 0x39, 0xD0, 0xCC, 0x3E, 0x4F]


def encrypt(x):
    for i in range(32):
        v1 = table_a1[i] ^ x[0] ^ x[1] ^ x[2]
        a = byte_d60[(v1 >> 24) & 0xff] ^ 7
        b = byte_d60[(v1 >> 16) & 0xff] ^ 7
        c = byte_d60[(v1 >> 8) & 0xff] ^ 7
        d = byte_d60[(v1 >> 0) & 0xff] ^ 7
        v = a << 24 | b << 16 | c << 8 | d
        mask = ror32(v, 30) ^ ror32(v, 22) ^ ror32(v, 14) ^ ror32(v, 8) ^ v
        x[0], x[1], x[2], x[3] = mask ^ x[3], x[0], x[1], x[2]
    return x

def decrypt(x):
    for i in range(32):
        v1 = table_a1[31 - i] ^ x[1] ^ x[2] ^ x[3]
        a = byte_d60[(v1 >> 24) & 0xff] ^ 7
        b = byte_d60[(v1 >> 16) & 0xff] ^ 7
        c = byte_d60[(v1 >> 8) & 0xff] ^ 7
        d = byte_d60[(v1 >> 0) & 0xff] ^ 7
        v = a << 24 | b << 16 | c << 8 | d
        mask = ror32(v, 30) ^ ror32(v, 22) ^ ror32(v, 14) ^ ror32(v, 8) ^ v
        x3 = x[0] ^ mask
        x[0], x[1], x[2], x[3] = x[1], x[2], x[3], x3
    return x

enc =[0x4D, 0xA0, 0xFC, 0xEA, 0x2F, 0x84, 0x1D, 0x8F, 0xA1, 0x98, 0xA8, 0xC8, 0xC7, 0x29, 0xD8, 0xD9, 0xA0, 0xE4, 0x72, 0xEC, 0xD7, 0x48, 0x7F, 0x5A, 0xA9, 0x0D, 0x34, 0x35, 0xCB, 0x22, 0xC9, 0x11, 0xA3, 0x6E, 0xC9, 0x27, 0xDA, 0x4D, 0x64, 0x24, 0x34, 0x6B, 0xB4, 0xED, 0x28, 0x21, 0x51, 0xF3]
print(bytes(enc).hex())

enc = byte2dword([0x4D, 0xA0, 0xFC, 0xEA, 0x2F, 0x84, 0x1D, 0x8F, 0xA1, 0x98, 0xA8, 0xC8, 0xC7, 0x29, 0xD8, 0xD9, 0xA0, 0xE4, 0x72, 0xEC, 0xD7, 0x48, 0x7F, 0x5A, 0xA9, 0x0D, 0x34, 0x35, 0xCB, 0x22, 0xC9, 0x11, 0xA3, 0x6E, 0xC9, 0x27, 0xDA, 0x4D, 0x64, 0x24, 0x34, 0x6B, 0xB4, 0xED, 0x28, 0x21, 0x51, 0xF3])
enc = dword2byte(enc)
r = []
for i in range(0, len(enc), 4):
    r.append(b2l(bytes(enc[i:i+4])))
enc = r
result = b''
if __name__ == '__main__':
    for i in range(0, len(enc), 4):
        vv = enc[i:i+4]
        print(vv)
        result += dword2byte(decrypt(vv))[::-1]
print(result)

当时抄出来这个的时候没反应过来是SM4，最后在老学长指点下才明白。
直接把key弄出来，然后enc放CyberChef就秒了...

REVERSE02

过于简单的签到题，四个不一样的加密/编码，直接CyberChef就秒了。

babyre

一个简单的check_debugger，后面把flag分为了两部分，前23是异或0xA，后23是第一个字节异或'-'，也就是前23的最后一个，然后后面字节不断异或前面的字节。

手动解密一下就OK

ez?否

动态加载

xdbg载入后直接搜字符串，定位到后找到一个xxtea

但是魔改了一些🤬，动调抓一下key，后面还有个..base64标准编码，然后动调也能看见结果。

from regadgets import *

def b2024buildctf(z, y, sum, k, p, debug = False):
    e = (sum.value >> 2) & 3
    PE = (p & 3) ^ e
    Ly = y.value << 3
    Ry = y.value >> 7
    Lz = z.value << 8
    Rz = z.value >> 5 

    LzRy = Rz ^ Ly
    LyRz = Ry ^ Lz
    SY = sum.value ^ y.value
    K = k[PE].value
    KZ = K ^ z.value
    result = (LzRy + LyRz) ^ (KZ + SY)
    return result

xxtea_key = b'Yigod' + b'\x00' * 11
enc = decode_b64('DcxHei12cHzBv7QrvkVO693GezASEOK8PF3rZzvfJNYihLczydjCBBYN1LF9JU0hw0gULw==')
ee = xxtea_decrypt(byte2dword(enc), byte2dword(xxtea_key), delta=0x11451411, shift_func=b2024buildctf)
print(dword2byte(ee))
# b'BuildCTF{Life_long_long&&debugging_15_wonderful}0\x00\x00\x00'

ez_asm

看题目猜到了是idct和dct，然后找一下有个memcpy，肯定是把加密数据复制了一份，然后在最下面找到加密后的数据，然后idct就可以了。

from regadgets import *
enc = [0x4E,0x7B,0x4A,0xCE,0x89,0x69,0x80,0x40,0xB5,0xDF,0xDA,0x89,0x92,8,0x2E,0x40,0x3D,0xEF,0xC6,0x82,0xC2,0xD0,0x3E,0xC0,0x43,0x3B,0xA7,0x59,0xA0,0xBD,0x3A,0x40,0xA7,0x5B,0x76,0x88,0x7F,0xD8,0x2E,0x40,0xE4,0x12,0x47,0x1E,0x88,0x5C,0x1F,0xC0,0x3D,0x82,0x1B,0x29,0x5B,0x28,0x40,0x40,0x65,0x8C,0xF,0xB3,0x97,0xC3,0x43,0xC0,0xA0,0x17,0xEE,0x5C,0x18,0x29,0x29,0x40,0xEC,0x13,0x40,0x31,0xB2,0xC6,0x47,0xC0,0x16,0xDB,0xA4,0xA2,0xB1,0x8E,0x38,0x40,0xB6,0xA2,0xCD,0x71,0x6E,0xB3,0x1E,0xC0,0xD2,0xC5,0xA6,0x95,0x42,0x4E,0x46,0xC0,0x8F,0x37,0xF9,0x2D,0x3A,0xB1,0x39,0xC0,0xD7,0x16,0x9E,0x97,0x8A,0x79,0x37,0xC0,0x22,0x89,0x5E,0x46,0xB1,0xE0,0x34,0x40,0xAE,0xF,0xEB,0x8D,0x5A,0x8D,0x31,0x40,0xFD,0xF8,0x4B,0x8B,0xFA,0x24,0x1A,0xC0,4,0x75,0xCA,0xA3,0x1B,0xA1,0x1E,0x40,0x93,1,0xA0,0x8A,0x1B,9,0x48,0xC0,0x33,0xDF,0xC1,0x4F,0x1C,0x28,0x21,0x40,0x2A,0xE5,0xB5,0x12,0xBA,0xDF,0x41,0xC0,0x16,0x32,0x57,6,0xD5,0x86,0x1E,0x40,0x7C,0x65,0xDE,0xAA,0xEB,0xDC,0x39,0x40,5,0xA3,0x92,0x3A,1,0x4D,0x16,0x40,0xE4,0x4A,0x3D,0xB,0x42,0xF9,0x46,0xC0,0xA4,0x50,0x16,0xBE,0xBE,0x66,0x40,0xC0,0xD5,0x42,0xC9,0xE4,0xD4,0xDE,0x12,0xC0,0xEB,0x6F,9,0xC0,0x3F,0x45,0x30,0x40,0x1C,0x95,0x9B,0xA8,0xA5,0x69,0x1F,0xC0,0x3F,0x39,0xA,0x10,5,0xF3,0xF3,0x3F,0x11,0xA6,0x28,0x97,0xC6,0xF,0xB,0x40,0xA,0x66,0x4C,0xC1,0x1A,0x67,0x3E,0x40]
encd = byte2double(enc)
# 525.192, 15.0167, -30.8155, 26.7407, 15.4228, -7.84036, 32.3153, -39.5281, 12.5803, -47.5523, 24.5574, -7.67523, -44.6114, -25.6923, -23.4748, 20.8777, 17.5522, -6.53611, 7.65733, -48.0712, 8.57834, -35.7479, 7.63167, 25.863, 5.5752, -45.9473, -32.8027, -4.71761, 16.2705, -7.85317, 1.24683, 3.3827,30.4028
decrypted_values = idct_transform(encd)
print(bytes(decrypted_values))
# b'BuildCTF{H0vv_w0ndevfUl_arm&&DTC}'

晴窗细乳戏分茶

一个tea一个xtea，直接解密。

from regadgets import *
key = [1] * 4
enc = [1] * 6
key[0] = 1646625
key[1] = 164438
key[2] = 164439
key[3] = 2631985
enc[0]=-1559465970
enc[1]=-158607645
enc[2]=-1059812880
enc[3]=314506021
enc[4]=-2131835469
enc[5]=731233488
r =  b''
r += tea_decrypt(enc, key=key, delta=-0x61C88647)

key2 = [1] * 4
enc2 = [1] * 4
key2[0] = 358040470
key2[1] = 1131796
key2[2] = 85988116
key2[3] = 120935944
enc2[0] = -2022820316
enc2[1] = -1470027656
enc2[2] = 1057529116
enc2[3] = 1243942236
r += xtea_decrypt(enc2, key=key2, delta=-0x61C88647)
print(r)
# b'BuildCTF{D0_y0u_WanT_T0_D3ink_s0mE_TEA?}'

自是花中第一流

看题目可以猜到是花指令，ida打开手动patch一下 jnx 和 jx两个连起来和后面的一个0xE8就可以了。

可惜secret是init_key里面生成的，init_key也有花，我们直接去

后面还有个encrypt，没花，一眼标准rc4了

from regadgets import *
enc =[0x7E, 0x58, 0x36, 0xF5, 0xC5, 0xF3, 0x39, 0xD4, 0x65, 0xCF, 0x67, 0x85, 0x37, 0x8C, 0x0C, 0xD4, 0x46, 0x88, 0x95, 0x2F, 0xDB, 0xB6, 0xA7, 0x56, 0xDC, 0xFE, 0xA9, 0x99, 0x92, 0x60, 0xA6, 0xC9, 0xE7, 0xCF, 0xBD, 0xB5, 0x62]

ik = [0x77, 0x00, 0x01, 0x5E, 0x46, 0x54, 0x43]
key = bxor_cycle(ik, b'\x31')

print(rc4_crypt(rc4_init(key), enc))
# b'BuildCTF{What_A_Beautifu1_F10ower!!!}'

新?Android路

AndLua
but.lua->RC4重新打包，随便找个工具都能反编译
crc3264.lua -> 疑似变表Base64，但是不会反编译
native->AndLua库，没有修改，所以不用看
上面几个lua都有一个base64编码，网上找AndLua解密就可以。
由于crc3264没法反编译，所以我们把main.lua更换，print一下
我们构造一个特殊的字符串组合，用来套出Base64表。

local str ="\x00\x10\x83\x10\x51\x87\x20\x92\x8b\x30\xd3\x8f\x41\x14\x93\x51\x55\x97\x61\x96\x9b\x71\xd7\x9f\x82\x18\xa3\x92\x59\xa7\xa2\x9a\xab\xb2\xdb\xaf\xc3\x1c\xb3\xd3\x5d\xb7\xe3\x9e\xbb\xf3\xdf\x7d\xf7\xdf\x7d"
local result = L1_2.crc3264.encode(str)
print(result)
-- AbCdEfGhIjKlMnOpQrStUvWxYzaBcDeFgHiJkLmNoPqRsTuVwXyZ0246813579999999

重打包回去后运行可以得到表：
AbCdEfGhIjKlMnOpQrStUvWxYzaBcDeFgHiJkLmNoPqRsTuVwXyZ0246813579+/
用CyberChef解

#recipe=From_Base64('AbCdEfGhIjKlMnOpQrStUvWxYzaBcDeFgHiJkLmNoPqRsTuVwXyZ0246813579%2B/',true,false)RC4(%7B'option':'UTF8','string':'BuiIdCTF'%7D,'Latin1','Latin1')From_Base64('AbCdEfGhIjKlMnOpQrStUvWxYzaBcDeFgHiJkLmNoPqRsTuVwXyZ0246813579%2B/',true,false)&input=TDh4ZUc5MmErbXJscWE4QnA1NGZ4VGdBZTdJSnVlNUhUWngrYk02ZUJ4SnIwdWtSNm9RblJnPT0&oeol=CR

BuildCTF{vve1C0me2_lua_word}

Pyc

import base64

def decode(encoded_message):
    decoded = base64.b64decode(encoded_message)
    message = ""
    for i in decoded:
        x = i - 16
        if x < 0:
            x += 256
        x = x ^ 32
        message += chr(x)
    
    return message

correct = 'cmVZXFRzhHZrYFNpjyFjj1VRVWmPVl9ij4kgZW0='
print(decode(correct))
# BuildCTF{pcy_1s_eaey_for_Y0u}

ez_vm

慢慢调试跟数据变化就行。

from z3 import *
enc = [0x0000054A, 0x00005541, 0x00000665, 0x000066D5, 0x00000768, 0x00000769, 0x00000786, 0x000078EA, 0x00000787, 0x000078ED, 0x000006BF, 0x00006C63, 0x00000553, 0x000055C4, 0x000005F7, 0x00005FD9]
result = ''
for i in range(0, len(enc), 2):
    b = chr((enc[i+1] - ((enc[i] >> 4) | enc[i] << 4)) & 0xff)
    a = chr((enc[i] - ((ord(b) >> 4) | ord(b) << 4)) & 0xff)
    result += a + b

print(result)
# vMp_1s_r0u9h_ORZ

ezMfc

Spy++查句柄，然后伟大的易语言+CE搜

BuildCTF{WindowsApi_is_easy!!!}

ez_xor?

实际上和xor没什么关系，输入一组数据，看变化就行了。

from regadgets import *
from z3 import *
after = b"\x45\x55\x91\x0B\xA8\xAE\x10\xE1\x50\x7E\xDE\x11\xFC\xBE\x83\x21\x1C\x35\xA2\x31\x11\x40\x5E\x18\x69\x8F\x7E\x6F\x61\x45\x3E\x75\x1E\x4C\x25\x37\xD5\xB4\x74\x43\x9E\x93\x44\xB6\xC7\x8B\x84\xAA\xBF\xDA\x1A\x1E\x6A\x4B\x80\x32\x8C\x0D\xE6\x9F\x99\xB3\x1A\x3A"
raw = b'a'*len(after)
table = [after[i] - raw[i] for i in range(len(after))]
enc = b"\x19\x68\xA2\xEF\x7B\xBA\x0E\xC5\x5D\x80\xEF\x09\x0B\xD1\x81\xF1\xF0\x33\xA6\x11\x23\x58\x5C\x2B\x38\x8D\x80\x60\x61\x27\x48\x35"

for i in range(len(enc)):
    print(chr((enc[i] - table[i]) & 0xff), end='')
# 5trE4m_EncrYpt_15_eAsy_t0_cRaCk!

notMe

BruteForce sha256

from regadgets import *
from z3 import *
from hashlib import sha256
from itertools import product
from string import printable

sets = "ABCDEFGHIJKLMNOPQRSTUVWXYZ{}-_1234567089abcdefghijklmnopqrstuvwxyz"
def bf_sha256(v):
    it = product(printable, repeat=4)    
    for i in it:
        j = "".join(i)
        if sha256(j.encode()).digest() == v:
            return j
    return '****'

enc = [0x79, 0x69, 0x88, 0x3E, 0xA8, 0x1D, 0xCF, 0x11, 0x3D, 0xDC, 0x62, 0xE9, 0xAE, 0xCB, 0x54, 0x86, 0xCB, 0x8C, 0x96, 0x1E, 0x9A, 0x0D, 0xD6, 0x83, 0xF8, 0x85, 0xE5, 0xBD, 0x68, 0x37, 0xAD, 0xDF, 0xDE, 0x58, 0xDC, 0xE0, 0x52, 0x57, 0x69, 0x7E, 0xF2, 0x5C, 0xA5, 0x7A, 0x0B, 0xFA, 0xC8, 0xED, 0x83, 0x89, 0xDC, 0x20, 0x03, 0xBB, 0xA3, 0xAB, 0x4B, 0x6E, 0x95, 0xD5, 0x6F, 0xC7, 0xBA, 0xC6, 0x58, 0x37, 0x55, 0x78, 0xCE, 0xB4, 0x62, 0xF4, 0x53, 0x1A, 0x0E, 0x29, 0x7C, 0xCA, 0x93, 0x71, 0xC9, 0x44, 0xAA, 0x3B, 0xC7, 0x05, 0x14, 0x06, 0xF4, 0xAE, 0xBE, 0x8A, 0x45, 0x3A, 0x58, 0x21, 0xE7, 0xC5, 0xE7, 0x66, 0xDF, 0x33, 0x36, 0x11, 0xC0, 0x3F, 0xF1, 0x25, 0xD2, 0x15, 0x76, 0xD5, 0x9D, 0x0C, 0x9A, 0x01, 0xA5, 0x72, 0xB7, 0x9A, 0x69, 0xE7, 0xDB, 0x82, 0x16, 0x45, 0xD9, 0x77, 0x46, 0xEC, 0x58, 0xDD, 0xC7, 0xFF, 0x28, 0xE3, 0x5C, 0x7D, 0x36, 0x1F, 0x6C, 0xE9, 0xBE, 0xA2, 0xB0, 0x8E, 0xDF, 0x94, 0x3B, 0x22, 0x6E, 0x90, 0x03, 0x47, 0x2B, 0x11, 0x9B, 0xA8, 0xD6, 0xC7, 0x36, 0x09, 0x5C, 0xFF, 0xF0, 0x4A, 0x7E, 0x49, 0x52, 0x30, 0xEA, 0x66, 0x47, 0xA2, 0xFB, 0x0B, 0x75, 0x61, 0xA5, 0x12, 0x73, 0x96, 0xE8, 0xCB, 0x40, 0x28, 0xA3, 0x65, 0x10, 0x1D, 0x18, 0xFD, 0x28, 0x6A, 0x2E, 0x7A, 0x0B, 0xD1, 0xEE, 0xE9, 0x49, 0xF6, 0xE1, 0x28, 0x9D, 0x24, 0x20, 0x90, 0x8D, 0x37, 0xC7, 0xB6, 0x05, 0x2D, 0xCC, 0xA8, 0x96, 0xEA, 0xCD, 0x25, 0x0E, 0x61, 0x12, 0x2C, 0x95, 0x91, 0x11, 0x58, 0x3B, 0xBE, 0x38, 0x46, 0x5D, 0xCF, 0x51, 0xE9, 0x2D, 0x9A, 0xDA, 0xAA, 0x44, 0x20, 0x49, 0x45, 0x74, 0x37, 0x78, 0x12, 0xB3, 0x5B, 0xB0, 0x52, 0x80, 0x8E, 0xED, 0xBA, 0x3B, 0xB9, 0x23, 0x7B, 0x41, 0xB7, 0xC9, 0xA7, 0x85, 0x14, 0xE6, 0x34, 0x5C, 0x6C, 0x65, 0x90, 0x8B, 0x50, 0xF9, 0x73, 0x09, 0xB8, 0xFB, 0xCA, 0xBD, 0x3D, 0xAD, 0x2C, 0x6E, 0x29, 0x9C, 0x63, 0x08, 0x19, 0x33, 0xDC, 0xB1, 0x79, 0xD6, 0x17, 0x41, 0x02, 0x80, 0x21, 0x6D, 0xB8, 0x66, 0x22, 0x09, 0xB9, 0xE1, 0x00, 0x83, 0x97, 0x9A, 0x60, 0xB3, 0x1F, 0x7C, 0xB8, 0xFA, 0x8D, 0xB1, 0xBE]
result = ''
for i in range(0, len(enc), 32):
    v = enc[i:i+32]
    v = bxor_cycle(v, b'BuildCTF')
    result += bf_sha256(v)
    print(result)
print(result)
'''
cracking 3b1ce152cc5e9b577fa90b85ca8800c089f9ff72fe4e82c5baf08cd10c74f999
Buil
cracking 9c2db58c36143d38b029cc166fb99cabc1fcb54c67f8f7ed091bfcb90b84ee80
BuildCTF
cracking 1a423c14aaf736b2116f67451889c7378b31c357a3464040b6dbd7e621790c67
BuildCTF{y0u
cracking a5b08e0abb706257824a9849b6562293df79f36dc131e3dc2b92b2ee72068d31
BuildCTF{y0u_4r3
cracking 049931b1a3bc7ca51e085f7308aaeae4f2fbb6f85f613ad64132427dffeb8281
BuildCTF{y0u_4r3_4_g
cracking 747c359394092a0f1045830a23e1af4d3714cc7e17d5bc8d025dca09745e4cbb
BuildCTF{y0u_4r3_4_g00d_
cracking 6a1f47166f92baaf0b838844f96774d6cf42aeda616e98eed49fa4496a22466a
BuildCTF{y0u_4r3_4_g00d_w1nd
cracking d7e478345ffd6c001fba388549d98eec0655202910742c54f12ed93ee4cdb9fc
BuildCTF{y0u_4r3_4_g00d_w1nd0w5_
cracking 79cc4a1725f49de1c7618f58382f31d6c925901f6dfbaf8cff48c4400a6ac825
BuildCTF{y0u_4r3_4_g00d_w1nd0w5_cr4c
cracking 4a6c5ab0d53a82510377e94d09fb32644bcc886ce7d4ce26f16a15d49ecee5f8
BuildCTF{y0u_4r3_4_g00d_w1nd0w5_cr4ck3r}
BuildCTF{y0u_4r3_4_g00d_w1nd0w5_cr4ck3r}
'''

被隔壁朋友拉过来写的

Cr4ckVWe （这真的是新生赛吗？）

下载双击打开发现缺一堆dll，打开Everything搜一下，发现很多都在Mingw的目录下，于是干脆直接把程序放Mingw目录下了。
IDA打开简单分析一下

__int64 sub_401A93()
{
  const char *v0; // rax
  __int64 v1; // rax
  __int64 v2; // rax
  __int64 v3; // rax
  __int64 v4; // rax
  unsigned __int8 vm_code_with_data[768]; // [rsp+20h] [rbp-60h] BYREF
  DWORD v7[100]; // [rsp+320h] [rbp+2A0h] BYREF
  stl_struct1 v8; // [rsp+4B0h] [rbp+430h] BYREF
  unsigned __int8 proc1[32]; // [rsp+4C0h] [rbp+440h] BYREF
  char input_1[48]; // [rsp+4E0h] [rbp+460h] BYREF
  _BYTE input[40]; // [rsp+510h] [rbp+490h] BYREF
  __int64 v12; // [rsp+538h] [rbp+4B8h]
  int m; // [rsp+540h] [rbp+4C0h]
  int k; // [rsp+544h] [rbp+4C4h]
  int j; // [rsp+548h] [rbp+4C8h]
  int i; // [rsp+54Ch] [rbp+4CCh]

  std::string::basic_string(input);
  std::operator<<<std::char_traits<char>>(&std::cout, "key:");
  std::operator>><char>(&std::cin, input);
  if ( std::string::length(input) == 10 )
  {
    v0 = (const char *)std::string::c_str(input);
    sub_403FE0(input_1, v0);
    memset(proc1, 0, sizeof(proc1));
    for ( i = 0; i <= 31; ++i )
    {
      if ( input_1[i] <= '/' || input_1[i] > '9' )
      {
        if ( input_1[i] > '`' && input_1[i] <= 'f' )// 不在0~9
          proc1[i] = input_1[i] - 87;           // 在a~f
      }
      else
      {
        proc1[i] = input_1[i] - '0';
      }
    }
    if ( proc1[0] == proc1[10] )                // 第一个是0
    {
      v12 = 0x3000LL;
      new_empty_memory(&v8, 0x3000uLL);
      memcpy(v7, &UNK1, sizeof(v7));
      for ( j = 0; j <= 99; ++j )
        get_bits(&v8, 32 * j, 0x20uLL, v7[j]);  // to binary
      memcpy(vm_code_with_data, &vm_code, 0x2F1uLL);
      for ( k = 0; k <= 9; ++k )
      {
        *(_DWORD *)&vm_code_with_data[75 * k + 26] = 0x20 * (10 * proc1[k] + proc1[(k + 1) % 10]);
        *(_DWORD *)&vm_code_with_data[75 * k + 63] = 0x20 * (proc1[k] + 0x108);
        *(_DWORD *)&vm_code_with_data[75 * k + 67] = 0x20 * (proc1[k] + 0x108);// 0x2100 + 0x2100 * proc[k]
      }
      vm_run(&v8, vm_code_with_data);
      for ( m = 0; m <= 9 && check(&v8, 32 * (m + 0x108), 0x20uLL); ++m )
        ;
      if ( m <= 9 || check(&v8, 0x2080LL, 0x20uLL) > 0x105A )// 104
      {
        v1 = std::operator<<<std::char_traits<char>>(&std::cout, "wrong");
        std::ostream::operator<<(v1, &std::endl<char,std::char_traits<char>>);
      }
      else
      {
        v2 = std::operator<<<std::char_traits<char>>(&std::cout, "Congratulate, your flag is 'YLCTF{hashlib.md5(\"");
        v3 = std::operator<<<char>(v2, input);
        v4 = std::operator<<<std::char_traits<char>>(v3, "\").hexdigest()}'");
        std::ostream::operator<<(v4, &std::endl<char,std::char_traits<char>>);
      }
      sub_4020A2(&v8);
    }
    else
    {
      std::operator<<<std::char_traits<char>>(&std::cout, "wrong\n");
    }
  }
  else
  {
    std::operator<<<std::char_traits<char>>(&std::cout, "wrong\n");
  }
  return std::string::~string(input);
}

大概意思就是你的输入是在0~9和a~f之间，第一个字符必须是0（proc[10]）是输入的第11个字符，但是程序限制输入10个，所以最后一个肯定是x00截断的东西，接下来就是把你的输入填入到vm_code_with_data里面，当然还把全局变量UNK转二进制然后保存起来为v8。然后是vm_run，vm运行完毕后vm_code_with_data不会变，说明vm执行的时候逻辑固定，或是说只和输入的东西相关。

vm_run（如上图）里面是几个方法，他们都有参数，其中add是一个全加器的模拟，他们处理的都是二进制。
x64dbg打表

xor(cnt=1, dest=102, arg1=102, arg2=102)
INT3 breakpoint at cr4ckvwe.0000000000402393!
Breakpoint disabled!
add(cnt=1, dest=102, arg1=102, arg2=1)
INT3 breakpoint at cr4ckvwe.000000000040249F!
Breakpoint disabled!
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=108, arg1=108, arg2=103)
xor(cnt=1, dest=102, arg1=102, arg2=102)
add(cnt=1, dest=102, arg1=102, arg2=C)
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=109, arg1=109, arg2=103)
xor(cnt=1, dest=102, arg1=102, arg2=102)
add(cnt=1, dest=102, arg1=102, arg2=17)
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=10A, arg1=10A, arg2=103)
xor(cnt=1, dest=102, arg1=102, arg2=102)
add(cnt=1, dest=102, arg1=102, arg2=22)
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=10B, arg1=10B, arg2=103)
xor(cnt=1, dest=102, arg1=102, arg2=102)
add(cnt=1, dest=102, arg1=102, arg2=2D)
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=10C, arg1=10C, arg2=103)
xor(cnt=1, dest=102, arg1=102, arg2=102)
add(cnt=1, dest=102, arg1=102, arg2=38)
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=10D, arg1=10D, arg2=103)
xor(cnt=1, dest=102, arg1=102, arg2=102)
add(cnt=1, dest=102, arg1=102, arg2=43)
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=10E, arg1=10E, arg2=103)
xor(cnt=1, dest=102, arg1=102, arg2=102)
add(cnt=1, dest=102, arg1=102, arg2=4E)
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=10F, arg1=10F, arg2=103)
xor(cnt=1, dest=102, arg1=102, arg2=102)
add(cnt=1, dest=102, arg1=102, arg2=59)
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=110, arg1=110, arg2=103)
xor(cnt=1, dest=102, arg1=102, arg2=102)
add(cnt=1, dest=102, arg1=102, arg2=5A)
round_with_get(cnt=1, dest=103, arg1=102, arg2=0)
add(cnt=1, dest=104, arg1=104, arg2=103)
add(cnt=1, dest=111, arg1=111, arg2=103)
result = 314
result = 614
result = 204
result = B07
result = 161
result = 252
result = 176
result = E54
result = D7F
result = 78E

check的话，是把二进制转换回来成数字。有两波check，第一波check是对于每个数字对应的存储位置的check，只有9次，所以说如果两个数字重复，那么就必然会有一个空缺，就不能过check。
第二波check是对于这几个check求和后的约束。
可以注意到，v104是累加量，值得注意的是，round_with_get里面大有乾坤，实际上它偷偷把我的数据（32位）整体左移了6。
在程序的最后，它也判断了第104个的值是否大于0x105A，我们直接大胆认为他们是相等！

而且我们从trace结果看出，每次拿的数据都是01 12 23 34..这样的，也就是v[i+0]*10+v[i+1]。那么我们大胆推测，如果数字在A~F之间，它也是这个原理，但是索引就会大于100，因为当a在右边的时候且左边很小的时候，显然是在100范围内，但是下一次a必然在左边，因为这个是循环取的，一旦a在左边，索引值至少就会是150，一旦所以大于100，里面的东西都是0，因为你可以注意到那个UNK是一个DWORD数组，有104个元素，前100个元素是有值的，后4个是0，而且在分配内存的时候，后面填入的都是0，无论你循环移动多少次都是0，那么就显然不可能，所以A~F在输入中是不可能出现的。

直接Z3-Solver梭哈了。

from regadgets import *
from z3 import *
enc = [0x05, 0x00, 0x00, 0x94, 0x0C, 0x00, 0x00, 0x50, 0x25, 0x00, 0x00, 0x68, 0x17, 0x00, 0x00, 0x4C, 0x16, 0x00, 0x00, 0xF0, 0x03, 0x00, 0x00, 0x10, 0x2F, 0x00, 0x00, 0x0C, 0x1E, 0x00, 0x00, 0xD4, 0x3B, 0x00, 0x00, 0xA0, 0x09, 0x00, 0x00, 0xCC, 0x2F, 0x00, 0x00, 0xBC, 0x14, 0x00, 0x00, 0x10, 0x18, 0x00, 0x00, 0x50, 0x20, 0x00, 0x00, 0xCC, 0x09, 0x00, 0x00, 0x0C, 0x38, 0x00, 0x00, 0x30, 0x27, 0x00, 0x00, 0xB0, 0x23, 0x00, 0x00, 0xF4, 0x1E, 0x00, 0x00, 0xF0, 0x1D, 0x00, 0x00, 0xC8, 0x3D, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x80, 0x07, 0x00, 0x00, 0x60, 0x08, 0x00, 0x00, 0x10, 0x0D, 0x00, 0x00, 0xC0, 0x12, 0x00, 0x00, 0x8C, 0x16, 0x00, 0x00, 0xBC, 0x1A, 0x00, 0x00, 0x78, 0x3E, 0x00, 0x00, 0x64, 0x0A, 0x00, 0x00, 0x44, 0x1B, 0x00, 0x00, 0x18, 0x29, 0x00, 0x00, 0x4C, 0x1A, 0x00, 0x00, 0xF0, 0x03, 0x00, 0x00, 0xD0, 0x2C, 0x00, 0x00, 0x1C, 0x01, 0x00, 0x00, 0x5C, 0x2D, 0x00, 0x00, 0xC8, 0x40, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0xEC, 0x24, 0x00, 0x00, 0xE4, 0x1A, 0x00, 0x00, 0xFC, 0x31, 0x00, 0x00, 0x04, 0x06, 0x00, 0x00, 0xBC, 0x0B, 0x00, 0x00, 0xC0, 0x39, 0x00, 0x00, 0x98, 0x05, 0x00, 0x00, 0x84, 0x05, 0x00, 0x00, 0x18, 0x07, 0x00, 0x00, 0x30, 0x30, 0x00, 0x00, 0xFC, 0x1C, 0x00, 0x00, 0x0C, 0x38, 0x00, 0x00, 0xA4, 0x0C, 0x00, 0x00, 0xA4, 0x3D, 0x00, 0x00, 0x8C, 0x24, 0x00, 0x00, 0xBC, 0x06, 0x00, 0x00, 0x40, 0x1F, 0x00, 0x00, 0x98, 0x09, 0x00, 0x00, 0x48, 0x23, 0x00, 0x00, 0x14, 0x25, 0x00, 0x00, 0x68, 0x0A, 0x00, 0x00, 0xE8, 0x07, 0x00, 0x00, 0x08, 0x01, 0x00, 0x00, 0x8C, 0x23, 0x00, 0x00, 0xC8, 0x36, 0x00, 0x00, 0xD0, 0x36, 0x00, 0x00, 0xBC, 0x37, 0x00, 0x00, 0xA8, 0x01, 0x00, 0x00, 0x70, 0x05, 0x00, 0x00, 0xD8, 0x36, 0x00, 0x00, 0xE4, 0x12, 0x00, 0x00, 0x3C, 0x31, 0x00, 0x00, 0xB8, 0x11, 0x00, 0x00, 0xF8, 0x36, 0x00, 0x00, 0xBC, 0x0F, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x54, 0x22, 0x00, 0x00, 0x74, 0x13, 0x00, 0x00, 0x4C, 0x25, 0x00, 0x00, 0x84, 0x39, 0x00, 0x00, 0x50, 0x1F, 0x00, 0x00, 0x64, 0x05, 0x00, 0x00, 0x98, 0x11, 0x00, 0x00, 0xF4, 0x12, 0x00, 0x00, 0x2C, 0x27, 0x00, 0x00, 0x50, 0x10, 0x00, 0x00, 0xAC, 0x30, 0x00, 0x00, 0x70, 0x0B, 0x00, 0x00, 0x10, 0x2A, 0x00, 0x00, 0xC8, 0x2A, 0x00, 0x00, 0x9C, 0x35, 0x00, 0x00, 0xFC, 0x1E, 0x00, 0x00, 0x38, 0x1C, 0x00, 0x00, 0xF0, 0x08, 0x00, 0x00, 0x60, 0x2C, 0x00, 0x00, 0x84, 0x38, 0x00, 0x00, 0xA4, 0x1E, 0x00, 0x00, 0x20, 0x09, 0x00, 0x00, 0x18, 0x3D, 0x00, 0x00, 0x74, 0x39, 0x00, 0x00, 0xB8, 0x26, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]
enc = byte2dword(enc)
enc = [rol32(i, 6) for i in enc]
print(enc)

s = Solver()
x = [Int(f'x{i}') for i in range(10)]
for i in range(10):
    s.add(x[i] >= 0, x[i] <= 9)
s.add(Distinct(x))

s.add(x[0] == 0)
arr = Array('array', IntSort(), IntSort())
for i in range(len(enc)):
    s.add(arr[i] == enc[i])

result = 0
for i in range(10):
    result += arr[x[i] * 10 + x[(i+1) % 10]]

s.add(result == 0x105A)

# Wait For 1 min.
print(s.check())

m = s.model()
for i in x:
    print(str(m[i].as_long()),end='')
    # 0592146738

最后套上MD5就能交题了
YLCTF{e9135fddeb475aeaec044e037ba25933}

ezvvvvm

随便调试一下，就是一个*一个+，由于在0xffffffff+1范围内，且没有溢出，所以不需要使用乘法逆元，直接除就行。

from regadgets import *
bc = [0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xE7, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xCB, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xD6, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFA, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xD4, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xF8, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xCA, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xE6, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xD9, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xF5, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x56, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x7A, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xC4, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xE8, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x53, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x7F, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x1A, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x9E, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xB2, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xD8, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xBF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x93, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xC1, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xED, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x92, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xBE, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x7C, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xA0, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x8C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xEC, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x6F, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x19, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x1A, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xB7, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x9B, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x4B, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x67, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1E, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1F, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xC5, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x1F, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x1F, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xE9, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x12, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x67, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x4B, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x7B, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x9D, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xB1, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xE5, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xC9, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xB4, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x98, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x27, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x27, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x27, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x22, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xB3, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x9F, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x29, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x25, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x62, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x4E, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2B, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2F, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2F, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x2F, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x32, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x33, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x34, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x35, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x37, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xF9, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x39, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xD5, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x6B, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x57, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x3B, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3B, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x7B, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xA5, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x89, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x59, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x75, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3F, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x66, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x3F, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x3F, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x42, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x43, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x45, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x47, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x49, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x4A, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x0E, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2C, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x2F, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x41, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x31, 0x00, 0x00, 0x00]
enc = [64960,72500,69192,65780,5035,4806,76930,22692,56608,17272,95,4104,2704,46102,62424,1350,42483,57591,46550,2090,14080,4161,36680,69148,1802,13936,12064,10744,35805,12360,16146,58716,4216,15225,19575,36639,55677,35112,3520,3842,37206,3959,17394]
print(len(enc))
for i in range(0, len(bc), 13*4):
    a1 = bc[i+12]
    a2 = bc[i+13*3+1]
    e = enc[i//(13*4)]
    c = chr(((e // a2) - a1) & 0xff)
    if c == '}':
        break
    print(c, end='')
# YLCTF{ad05232e-ab2c-44fe-a060-172df203fc7b}