HackTM CTF Quals 2020 Writeup

CTF writeup

この大会は2020/2/1 17:00(JST)～2020/2/3 17:00(JST)に開催されました。
今回もチームで参戦。結果は 516点で747チーム中132位でした。
自分で解けた問題をWriteupとして書いておきます。

Romanian Gibberish (misc)

問題はこうなっている。

https://en.wikipedia.org/wiki/Gibberish_(language_game)

HapackTM{Wepelcopomepe_Topo_HAPACKTMCTF_2020!}

"pa", "pe", "po"を外す。

HackTM{Welcome_To_HACKTMCTF_2020!}

Bad keys (crypto)

$ nc 138.68.67.161 60005
Starting key server from snapshot #8055 ...
Enter 'k' to generate the next key
> k
Your RSA keys:
((pub),(priv))
((e,n),(d,n ))
((65537, 137417688467756359797848792921596849649790768073161495314477575372798841766852293300511205481418653561628307984765315188339818877322283218342526622470383894798997710542319525493962602304814897519613411188823956663552829906542264398068578748695548563497144701693503515093113085117299532542465467990654323225983), (16229197380722862273759092683723081866569732286895493747563306733379053592252265897828047216475889628255841796269031837858769826364869800417644323937939960086359433302031065593401066479017927161654460166804930445040262208681486580993781132790515056274461396583334534502636207406119958551030720651252502007073, 137417688467756359797848792921596849649790768073161495314477575372798841766852293300511205481418653561628307984765315188339818877322283218342526622470383894798997710542319525493962602304814897519613411188823956663552829906542264398068578748695548563497144701693503515093113085117299532542465467990654323225983))
Enter 'k' to generate the next key
> k
Your RSA keys:
((pub),(priv))
((e,n),(d,n ))
((65537, 14887703973686489670472465065563898633902979110972415506228258615613225664543477842998048377000542542032179029133500397422244667148732787156029037693958076189341405050840371784217187528266056256197211543797286963428908255286673335510215856673653564142024030658368593520314167678786063673673739842242444328829), (-7375816108787808918787409680238555697456335028368148665207826555843963319988131621592438359290639116792694522131553540807526467455821976382335273584160464202671327941929290415426526848787261144705908855795849835428621110403530484803697924515080494159489498795519005544701091938984012084648432935991618102207, 14887703973686489670472465065563898633902979110972415506228258615613225664543477842998048377000542542032179029133500397422244667148732787156029037693958076189341405050840371784217187528266056256197211543797286963428908255286673335510215856673653564142024030658368593520314167678786063673673739842242444328829))
Enter 'k' to generate the next key
> k
Your RSA keys:
((pub),(priv))
((e,n),(d,n ))
((65537, 85067348166796819134140286846911380997120576879261347799893781779203363678458348245741474525610084074356037840061205888025565555103111583087513156825927006418088480057703183195760258461188350345472158519877466355998574793951858736607817735705990664873676427568078019830876054954931985472530872450143006952101), (-19732270729994434357343189963634997236953583620222637735233307453918390140530140379202006435117940981405320463930458396169562957850946828296937226453266735746753440572757291524173711755730548955628802393863052324436041141602477212519819503171521846464517849064876561966030777272275875601306500501037996633239, 85067348166796819134140286846911380997120576879261347799893781779203363678458348245741474525610084074356037840061205888025565555103111583087513156825927006418088480057703183195760258461188350345472158519877466355998574793951858736607817735705990664873676427568078019830876054954931985472530872450143006952101))
Enter 'k' to generate the next key

それぞれp, qを割り出してみる。

import random
from Crypto.Util.number import *

def factor_modulus(n, d, e):
    t = (e * d - 1)
    s = 0

    while True:
        quotient, remainder = divmod(t, 2)
        if remainder != 0:
            break
        s += 1
        t = quotient

    found = False
    while not found:
        i = 1
        a = random.randint(1, n-1)
        while i <= s and not found:
            c1 = pow(a, pow(2, i-1, n) * t, n)
            c2 = pow(a, pow(2, i, n) * t, n)
            found = c1 != 1 and c1 != (-1 % n) and c2 == 1
            i += 1

    p = GCD(c1 - 1, n)
    q = n // p

    return p, q

e = 65537
n = 137417688467756359797848792921596849649790768073161495314477575372798841766852293300511205481418653561628307984765315188339818877322283218342526622470383894798997710542319525493962602304814897519613411188823956663552829906542264398068578748695548563497144701693503515093113085117299532542465467990654323225983
d = 16229197380722862273759092683723081866569732286895493747563306733379053592252265897828047216475889628255841796269031837858769826364869800417644323937939960086359433302031065593401066479017927161654460166804930445040262208681486580993781132790515056274461396583334534502636207406119958551030720651252502007073

p, q = factor_modulus(n, d, e)
print('p =', p)
print('q =', q)

n = 14887703973686489670472465065563898633902979110972415506228258615613225664543477842998048377000542542032179029133500397422244667148732787156029037693958076189341405050840371784217187528266056256197211543797286963428908255286673335510215856673653564142024030658368593520314167678786063673673739842242444328829
d = -7375816108787808918787409680238555697456335028368148665207826555843963319988131621592438359290639116792694522131553540807526467455821976382335273584160464202671327941929290415426526848787261144705908855795849835428621110403530484803697924515080494159489498795519005544701091938984012084648432935991618102207

p, q = factor_modulus(n, d, e)
print('p =', p)
print('q =', q)

n = 85067348166796819134140286846911380997120576879261347799893781779203363678458348245741474525610084074356037840061205888025565555103111583087513156825927006418088480057703183195760258461188350345472158519877466355998574793951858736607817735705990664873676427568078019830876054954931985472530872450143006952101
d = -19732270729994434357343189963634997236953583620222637735233307453918390140530140379202006435117940981405320463930458396169562957850946828296937226453266735746753440572757291524173711755730548955628802393863052324436041141602477212519819503171521846464517849064876561966030777272275875601306500501037996633239

p, q = factor_modulus(n, d, e)
print('p =', p)
print('q =', q)

実行結果は以下の通り。

p = 12117717634661447128647943483912040772241097914126380240028878917605920543320951000813217299678214801720664141663955381289172887935222185768875580129863163
q = 11340228631395703153203289700584583183108832246939459901831495144294115443808565971462649827019253999757788793971590022606697010599444452781890121322040141
p = 1228589774290646133402194788648441529244684712777228171063273217674759083989656078178171164001861483812271416585347892764476972223742639396962963935224109
q = 12117717634661447128647943483912040772241097914126380240028878917605920543320951000813217299678214801720664141663955381289172887935222185768875580129864081
p = 7020080078732870012275762272027419319526223683777354425367603486401476812779364788848593675380044935338783635392741186184668167977412374828391262838582383
q = 12117717634661447128647943483912040772241097914126380240028878917605920543320951000813217299678214801720664141663955381289172887935222185768875580129864747

以下の数値から次の素数が因数としてnが生成されているようだ。

12117717634661447128647943483912040772241097914126380240028878917605920543320951000813217299678214801720664141663955381289172887935222185768875580129863163

さらに初めの1回目のnについて最大公約数を求めてみる。

$ nc 138.68.67.161 60005
Starting key server from snapshot #8055 ...
Enter 'k' to generate the next key
> k
Your RSA keys:
((pub),(priv))
((e,n),(d,n ))
((65537, 11411176369801108856291485937444160828271725510169664884401250925793437741426548291360502311480456779021690775940864909353759990756428970128937694336285797651385962726325976753344151400931971710251796227290459532029547338266445813361023485990666411190773505392316245156622890857894973388289433053721425505791), (4944256896056766209671682174644313759854798321357062484664508923033255384066226181873946375891466663062086016656496329798577424928201733917959546033128936925305036702866581504884054996140550393707276182730812428551255638580365434903599521667466330808762027001040433457798056660844122262765432385515492255649, 11411176369801108856291485937444160828271725510169664884401250925793437741426548291360502311480456779021690775940864909353759990756428970128937694336285797651385962726325976753344151400931971710251796227290459532029547338266445813361023485990666411190773505392316245156622890857894973388289433053721425505791))
Enter 'k' to generate the next key

$ nc 138.68.67.161 60005
Starting key server from snapshot #8055 ...
Enter 'k' to generate the next key
> k
Your RSA keys:
((pub),(priv))
((e,n),(d,n ))
((65537, 112458056813113429397087919281210953800139390285649148569759734945508789354486012990908137525935988864056845076283221312442664207354570210664525404618272819420257678253809603728032854419284998726621507152320820312557210978267143769531086105589054367061788465645401016011753117823441246552584637858466248181593), (-36681811503332862050773585157612441207036937091052716007381385384288896196512618821530482870621689029814351850034429741918104776853054723185003274097453615565526251267781773280351897631488970742182033823078293138470291513522771589531099564419125142122597356040991694500318746949232321715391266035323026723747, 112458056813113429397087919281210953800139390285649148569759734945508789354486012990908137525935988864056845076283221312442664207354570210664525404618272819420257678253809603728032854419284998726621507152320820312557210978267143769531086105589054367061788465645401016011753117823441246552584637858466248181593))
Enter 'k' to generate the next key

>>> from Crypto.Util.number import *
>>> n1 = 11411176369801108856291485937444160828271725510169664884401250925793437741426548291360502311480456779021690775940864909353759990756428970128937694336285797651385962726325976753344151400931971710251796227290459532029547338266445813361023485990666411190773505392316245156622890857894973388289433053721425505791
>>> n2 = 112458056813113429397087919281210953800139390285649148569759734945508789354486012990908137525935988864056845076283221312442664207354570210664525404618272819420257678253809603728032854419284998726621507152320820312557210978267143769531086105589054367061788465645401016011753117823441246552584637858466248181593
>>> GCD(n1, n2)
12117717634661447128647943483912040772241097914126380240028878917605920543320951000813217299678214801720664141663955381289172887935222185768875580129863163L

やはり必ず以下の数値が因数に含まれている。

12117717634661447128647943483912040772241097914126380240028878917605920543320951000813217299678214801720664141663955381289172887935222185768875580129863163

この素数から前の素数をさかのぼっていけば、暗号化したときのnの素因数の1つがわかるはず。

from Crypto.Util.number import *
import gmpy2

with open('RSA_PUB', 'r') as f:
    (e, n) = eval(f.read())

with open('flag.enc', 'r') as f:
    c = int(f.read())

base_p = 12117717634661447128647943483912040772241097914126380240028878917605920543320951000813217299678214801720664141663955381289172887935222185768875580129863163

start_p = base_p - 100000
tmp_p = gmpy2.next_prime(start_p)
found = False
while True:
    if n % tmp_p == 0:
        found = True
        p = tmp_p
        q = n / p
        break
    tmp_p = gmpy2.next_prime(tmp_p)
    if tmp_p > start_p + 100000:
        start_p -= 100000
        tmp_p = gmpy2.next_prime(start_p)

print 'p =', p
print 'q =', q

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
print flag

実行結果は以下の通り。

p = 12117717634661447128647943483912040772241097914126380240028878917605920543320951000813217299678214801720664141663955381289172887935222185768875580128178823
q = 191335851945837067856377662680848400296318974773300853031596930993909166558084000989878627579396244459141148723017644937657511582545081598962216442940353
HackTM{SanTa_ple@s3_TakE_mE_0ff_yOur_l1st_4f2d20ec18}

HackTM{SanTa_ple@s3_TakE_mE_0ff_yOur_l1st_4f2d20ec18}

RSA is easy #1 (crypto)

フラグを1文字ずつRSA暗号化しているので、ブルートフォースで復号する。

with open('c', 'r') as f:
    lines = f.readlines()

(e, n) = eval(lines[1])
flag_c = eval(lines[4])

flag = ''
for c in flag_c:
    for code in range(32, 127):
        if pow(code, e, n) == c:
            flag += chr(code)
            break

print flag

HackTM{why_ar3_MY_pR1va7es_pu8l1C_??}

RSA is easy #2 (crypto)

1文字ずつRSA暗号化しているが、nがわからない。暗号化した数値の配列は1111個の要素を持っている。こんな長いフラグではないだろうから英語の文章になっているはず。
もしかしたらRSA暗号の問題に見えて、換字式暗号の問題か。。。1文字ずつ暗号化しているので、それをアルファベットに置き換える。31種類あるので、記号も使用されていることを考慮して、スペースから推測する。quipqiupを使って、調整しながら、復号する。

import string

with open('c', 'r') as f:
    lines = f.readlines()

flag_c = eval(lines[4])

dic = {
20208833413145256771572368688664189468143545391164156105460199405734708819434076552216759462791005323959520084836115140504630769338040681414876273881508073569978297202819424741264124574247314460725471331318820764161255759739403546471531796892912689444815674366578876801858606344288032682809803593429599353582: ' ',
12932315605361356260109350737202295649066381035837249252185795202913980480440863417983883037159810577739986004162343142150811156736478717833534910573828843843135123757197342268856313199793884733585941943828474996180460900240457279087457908434717560236156491751130556115885434115169341757101655831937772066303: '.',
39071839511948638988080907036852746654085273366404837973213329692814484554408908523546999438831321352816110395822192272922701572846039352688552458816923896373772472819785936751685465282644216513301671688378689515602296293965301386883552780271126801778759956341143215735911106078099952795281272294184101222894: ',',
47570760099332538630074246588266937941307517820515142582135658748192399272005539496578959306267521195254022986091052760574620123103280649808061816984656151624030812710123783651478012545264847339309664114861788542619162083048255751820685971177031319072241032895991001430158963380558156843892347920250300986171: '\'',
32673744615799712487218586784858666657615496658878295924699304141157435241805321678825497057203170526047413088723755930727839423037832480520297361079311603101279858983310265841651031957166707800564192379099456051456890378670008176632913201998572911894331423107676669652519124282681545581828946130363768378027: '&'
}

chars = string.letters

index = 0
enc = ''
for c in flag_c:
    if c not in dic:
        dic[c] = chars[index]
        index += 1
    enc += dic[c]

print enc

調整ながら実行した結果は以下の通り。

abcd e afg ed hijjckc ed lbc cfmjn o&g, e pcqegcp abfl e rcjecqcp afg f rmejjefdl cdhmnsleid ghbctc. f getsjc sgcupimfdpit dutrcm glmcft afg fppcp li lbc sjfedlcvl glmcft li hmcflc hesbcmlcvl. lbeg aiujp gcctedkjn lbafml fdn wmcxucdhn fdfjngeg iw lbc hesbcmlcvl, fdp aiujp rc udhmfhyfrjc cqcd li lbc tigl mcgiumhcwuj kiqcmdtcdl edlcjjekcdhc fkcdhecg. e wcjl gi gtuk friul tn fhbecqctcdl. ncfmg jflcm, e peghiqcmcp lbeg gftc ghbctc ed gcqcmfj edlmipuhlimn hmnslikmfsbn lcvlg fdp lulimefj sfscmg. bia dehc. ilbcm hmnslikmfsbcmg bfp lbiukbl iw lbc gftc ghbctc. udwimludflcjn, lbc ghbctc afg smcgcdlcp fg f getsjc bitcaimy fggekdtcdl id bia li ugc cjctcdlfmn hmnslfdfjnleh lchbdexucg li lmeqefjjn hmfhy el. gi tuhb wim tn rmejjefdl ghbctc. wmit lbeg butrjedk cvscmecdhc e jcfmdcp bia cfgn el eg li wfjj edli f wfjgc gcdgc iw gchumeln abcd pcqegedk fd cdhmnsleid fjkimelbt. tigl scisjc pid'l mcfjezc bia wecdpegbjn pewwehujl el eg li pcqegc fd cdhmnsleid fjkimelbt lbfl hfd aelbglfdp f smijidkcp fdp pclcmtedcp fllfhy rn f mcgiumhcwuj issidcdl. bcmc eg lbc wjfk. abcd el hitcg li hmnsli im hfmscl dcqcm mijj nium iad

復号結果は以下の通り。

when i was in college in the early j&s, i devised what i believed was a brilliant encryption scheme. a simple pseudorandom number stream was added to the plaintext stream to create ciphertext. this would seemingly thwart any frequency analysis of the ciphertext, and would be uncrackable even to the most resourceful government intelligence agencies. i felt so smug about my achievement. years later, i discovered this same scheme in several introductory cryptography texts and tutorial papers. how nice. other cryptographers had thought of the same scheme. unfortunately, the scheme was presented as a simple homework assignment on how to use elementary cryptanalytic techniques to trivially crack it. so much for my brilliant scheme. from this humbling experience i learned how easy it is to fall into a false sense of security when devising an encryption algorithm. most people don't realize how fiendishly difficult it is to devise an encryption algorithm that can withstand a prolonged and determined attack by a resourceful opponent. here is the flag. when it comes to crypto or carpet never roll your own

"&"は正しいかわからないが、フラグには影響ないので、よしとする。

HackTM{when_it_comes_to_crypto_or_carpet_never_roll_your_own}

2020-01-28

riceteacatpanda Writeup

CTF writeup

この大会は2020/1/21 1:00(JST)～2020/1/25 17:00(JST)に開催されました。
今回もチームで参戦。結果は 3456点で1323チーム中148位でした。
自分で解けた問題をWriteupとして書いておきます。

Strong Password (Misc 1)

問題文にはこう書いてある。

Eat, Drink, Pet, Hug, Repeat!

flags are entered in the format rtcp{flag}

ヒント2つはこうなっている。

Words are separated by underscores ("_")

Come on, repeat it! Just once!

コンテストの名前を連結し、_区切りにしたものがフラグ。

rtcp{rice_tea_cat_panda}

Robots. Yeah, I know, pretty obvious. (Web 25)

https://riceteacatpanda.wtf/robots.txtにアクセスする。

User-agent: *
Disallow: 
/robot-nurses
/flag

https://riceteacatpanda.wtf/robot-nursesにアクセスするとフラグが表示された。

rtcp{r0b0t5_4r3_g01ng_t0_t4k3_0v3r_4nd_w3_4r3_s0_scr3w3d}

No Sleep (Web 100)

Cookieのgamerfuelに Jan 27, 2020 04:20:00 と設定されている。Jan 21, 2020 04:20:00 に書き換えるとフラグが表示された。

rtcp{w0w_d1d_u_st4y_up?}

Phishing for Flags (Web 105)

添付されているメールを眺めてみる。GIVE ME BACK MY EYEHOLES.emlのリンクをクリックしたら、フラグが表示された。

rtcp{r34d_b3f0rE_yOU_C1iCk}

Uwu? (Web 125)

https://riceteacatpanda.wtf/uwuにアクセスすると、以下のURLに次々とリダイレクトされる。

https://riceteacatpanda.wtf/omgmeow
https://riceteacatpanda.wtf/pandaaaaaaa
https://riceteacatpanda.wtf/you-better-wash-your-rice
https://riceteacatpanda.wtf/uwustorage

https://riceteacatpanda.wtf/you-better-wash-your-riceにアクセスしたときに、レスポンスにフラグが含まれていた。

rtcp{uwu_,_1_f0und_y0u}

What's in The Box？! (Web 200)

Chromeのブックマークバーにコピペしてスクリプトを見る。

javascript: function spawncat(){ var cat = document.createElement("IMG"); ...(snip)...; cat.setAttribute("src", cat_idle); var x = Math.random() * (window.innerWidth - 64); var y = Math.random() * (document.documentElement.scrollHeight - 64); var dx = 0; var dy = 0; var onGround = true; /*rtcp{*/ var ticks = 0; var jump_t = 20; var move_t = 180; cat.style.cssFloat = "left"; cat.style.position = "absolute"; cat.style.width = "64px"; cat.style.height = "64px"; cat.style.left = 0; cat.style.up = 0; cat.style.zIndex = 100000000; document.body.insertBefore(cat, document.body.firstChild); setInterval(function() { ticks++; if (onGround) { if (dx != 0) { if (ticks >= jump_t) { /*k4wA1*/ onGround = false; dy = 2 + Math.random() * 4; jump_t = ticks + Math.floor(Math.random() * 100) + 10; } } } else { dy -= 0.1; if (ticks >= jump_t) { onGround = true; dy = 0; /*I_kitT3nz*/ jump_t = ticks + Math.floor(Math.random() * 200) + 50; } } /*_4_tH*/ if (ticks >= move_t) { if (dx == 0) { var temp = Math.random(); if (temp > 0.5) { dx = 0.5 + Math.random(); cat.setAttribute("src", cat_right); } else { dx = -0.5 - Math.random(); /*3_w1N*/ cat.setAttribute("src", cat_left); } move_t = ticks + Math.floor(Math.random() * 200) + 25; } else { dx = 0; move_t = ticks + Math.floor(Math.random() * 200) + 25; cat.setAttribute("src", cat_idle); } } if (x + dx >= 0 && x + 64 + dx < window.innerWidth) { x += dx; } else if (x + dx < 0) { dx = 0; x = 0; } else { dx = 0; x = window.innerWidth - 64; } if (y - dy >= 0) { y -= dy; /*!!_4123*/ } else { dy = -dy; y = 0; } cat.style.left = (x + "px"); /*2345}*/ cat.style.top = (y + "px"); }, 20); }var i; for (i = 0; i < 2; i++) { spawncat(); }

途中から整形してみる。

cat.setAttribute("src", cat_idle);
var x = Math.random() * (window.innerWidth - 64);
var y = Math.random() * (document.documentElement.scrollHeight - 64);
var dx = 0;
var dy = 0;
var onGround = true; /*rtcp{*/
var ticks = 0;
var jump_t = 20;
var move_t = 180;
cat.style.cssFloat = "left";
cat.style.position = "absolute";
cat.style.width = "64px";
cat.style.height = "64px";
cat.style.left = 0;
cat.style.up = 0;
cat.style.zIndex = 100000000;
document.body.insertBefore(cat, document.body.firstChild);
setInterval(function() {
    ticks++;
    if (onGround) {
        if (dx != 0) {
            if (ticks >= jump_t) { /*k4wA1*/
                onGround = false;
                dy = 2 + Math.random() * 4;
                jump_t = ticks + Math.floor(Math.random() * 100) + 10;
            }
        }
    } else {
        dy -= 0.1;
        if (ticks >= jump_t) {
            onGround = true;
            dy = 0; /*I_kitT3nz*/
            jump_t = ticks + Math.floor(Math.random() * 200) + 50;
        }
    } /*_4_tH*/
    if (ticks >= move_t) {
        if (dx == 0) {
            var temp = Math.random();
            if (temp > 0.5) {
                dx = 0.5 + Math.random();
                cat.setAttribute("src", cat_right);
            } else {
                dx = -0.5 - Math.random(); /*3_w1N*/
                cat.setAttribute("src", cat_left);
            }
            move_t = ticks + Math.floor(Math.random() * 200) + 25;
        } else {
            dx = 0;
            move_t = ticks + Math.floor(Math.random() * 200) + 25;
            cat.setAttribute("src", cat_idle);
        }
    }
    if (x + dx >= 0 && x + 64 + dx < window.innerWidth) {
        x += dx;
    } else if (x + dx < 0) {
        dx = 0;
        x = 0;
    } else {
        dx = 0;
        x = window.innerWidth - 64;
    }
    if (y - dy >= 0) {
        y -= dy; /*!!_4123*/
    } else {
        dy = -dy;
        y = 0;
    }
    cat.style.left = (x + "px"); /*2345}*/
    cat.style.top = (y + "px");
}, 20); }var i; for (i = 0; i < 2; i++) { spawncat(); }

スクリプトの中のコメントにフラグが含まれている。

rtcp{k4wA1I_kitT3nz_4_tH3_w1N!!_41232345}

BTS-Crazed (Forensics 75)

$ strings Save\ Me.mp3 | grep rtcp
rtcp{j^cks0n_3ats_r1c3}N

rtcp{j^cks0n_3ats_r1c3}

Come Eat Grandma (General Skills 25)

スプレッドシートの変更履歴から「oh, woah, a FLAG」のものを見てみると、フラグが書いてあった。

rtcp{D0n't_E^t_Gr4NDmA_734252}

Sticks and Stones (General Skills 50)

rtcp{xxx}という形式のデータがたくさん含まれている。フラグは"_"を含んでいると推定し、"_"で検索する。

rtcp{w0Rd5_HuRt_,_d0n'T_Bu11y_,_k1Dz}

ghost-in-the-system (General Skills 1500)

Ghidraでデコンパイルする。

int main(void)

{
  char cVar1;
  long lVar2;
  bool bVar3;
  bool bVar4;
  DIR *__dirp;
  dirent *pdVar5;
  long lVar6;
  char *pcVar7;
  basic_ostream *this;
  reference pcVar8;
  long in_FS_OFFSET;
  int numcorr;
  int count;
  int n;
  int leng;
  int aschar;
  iterator __for_begin;
  iterator __for_end;
  DIR *dr;
  dirent *de;
  basic_string<char,std--char_traits<char>,std--allocator<char>> *__for_range;
  char *c;
  string str;
  string otxt;
  char flg [100];
  
  lVar2 = *(long *)(in_FS_OFFSET + 0x28);
  __dirp = opendir(".");
  if (__dirp == (DIR *)0x0) {
    printf("Could not open current directory");
  }
  else {
    while( true ) {
      pdVar5 = readdir(__dirp);
      if (pdVar5 == (dirent *)0x0) break;
      allocator();
                    /* try { // try from 001011d4 to 001011d8 has its CatchHandler @ 00101faf */
      basic_string((char *)&str,(allocator *)pdVar5->d_name);
      ~allocator((allocator<char> *)&__for_end);
      bVar3 = false;
      numcorr = 0;
                    /* try { // try from 0010121c to 00101220 has its CatchHandler @ 00101ff4 */
      lVar6 = rfind((char *)&str,(ulong)"rtcp{");
      if (lVar6 == 0) {
        lVar6 = length();
        if (lVar6 != 100) goto LAB_00101262;
        pcVar7 = (char *)back();
        if (*pcVar7 != '}') goto LAB_00101262;
        bVar4 = true;
      }
      else {
LAB_00101262:
        bVar4 = false;
      }
      if (bVar4) {
        allocator();
                    /* try { // try from 00101296 to 0010129a has its CatchHandler @ 00101fcc */
        basic_string((char *)&otxt,(allocator *)&DAT_001021e8);
        ~allocator((allocator<char> *)&__for_end);
                    /* try { // try from 001012b9 to 00101e09 has its CatchHandler @ 00101fe0 */
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1f0);
        flg[0] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x192);
        flg[1] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x322);
        flg[2] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xe4);
        flg[3] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2f6);
        flg[4] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2f4);
        flg[5] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x276);
        flg[6] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x27a);
        flg[7] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2d6);
        flg[8] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xce);
        flg[9] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x8e);
        flg[10] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x33d);
        flg[11] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1cb);
        flg[12] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xd3);
        flg[13] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x126);
        flg[14] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x22a);
        flg[15] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x125);
        flg[16] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2ad);
        flg[17] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1ab);
        flg[18] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x274);
        flg[19] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x117);
        flg[20] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x3a2);
        flg[21] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1cb);
        flg[22] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x161);
        flg[23] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xfb);
        flg[24] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x28a);
        flg[25] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xa9);
        flg[26] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x216);
        flg[27] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x142);
        flg[28] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2f);
        flg[29] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x21a);
        flg[30] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x325);
        flg[31] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x216);
        flg[32] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x164);
        flg[33] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1e4);
        flg[34] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1b9);
        flg[35] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2df);
        flg[36] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1e9);
        flg[37] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x3d);
        flg[38] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1fe);
        flg[39] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2d3);
        flg[40] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1a1);
        flg[41] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x97);
        flg[42] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xaa);
        flg[43] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x123);
        flg[44] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2d8);
        flg[45] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x184);
        flg[46] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2d7);
        flg[47] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x90);
        flg[48] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x14);
        flg[49] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xd9);
        flg[50] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x5b);
        flg[51] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x346);
        flg[52] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x25c);
        flg[53] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1f7);
        flg[54] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1b6);
        flg[55] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xba);
        flg[56] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1bd);
        flg[57] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x204);
        flg[58] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xf8);
        flg[59] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x135);
        flg[60] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x14c);
        flg[61] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xb3);
        flg[62] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x35b);
        flg[63] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xe9);
        flg[64] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,9);
        flg[65] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1c3);
        flg[66] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x333);
        flg[67] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x3a1);
        flg[68] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xce);
        flg[69] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2f7);
        flg[70] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x4f);
        flg[71] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x374);
        flg[72] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x164);
        flg[73] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xb8);
        flg[74] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2c1);
        flg[75] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1cb);
        flg[76] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x36f);
        flg[77] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x62);
        flg[78] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x123);
        flg[79] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x395);
        flg[80] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x4f);
        flg[81] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x12e);
        flg[82] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1bd);
        flg[83] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x208);
        flg[84] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x142);
        flg[85] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xef);
        flg[86] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x1cb);
        flg[87] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x368);
        flg[88] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2ee);
        flg[89] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xd);
        flg[90] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x28a);
        flg[91] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x3e2);
        flg[92] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x388);
        flg[93] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x39a);
        flg[94] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x3a5);
        flg[95] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xf2);
        flg[96] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xe5);
        flg[97] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0x2f7);
        flg[98] = *pcVar7;
        pcVar7 = (char *)operator[]((basic_string<char,std--char_traits<char>,std--allocator<char>>
                                     *)&otxt,0xe6);
        flg[99] = *pcVar7;
        bVar3 = true;
        bVar4 = operator==<char,std--char_traits<char>,std--allocator<char>>
                          ((basic_string<char,std--char_traits<char>,std--allocator<char>> *)&str,
                           flg);
        if (bVar4 == false) {
          n = 0;
          while (n < 0x65) {
            pcVar7 = (char *)operator[]((
                                         basic_string<char,std--char_traits<char>,std--allocator<char>>
                                         *)&str,(long)n);
            if (*pcVar7 == flg[n]) {
              numcorr = numcorr + 1;
              this = operator<<<std--char_traits<char>>((basic_ostream *)cout,"\x1b[46;1m");
              pcVar7 = (char *)operator[]((
                                           basic_string<char,std--char_traits<char>,std--allocator<char>>
                                           *)&str,(long)n);
              operator<<<std--char_traits<char>>(this,*pcVar7);
            }
            else {
              this = operator<<<std--char_traits<char>>((basic_ostream *)cout,"\x1b[47;1m");
              pcVar7 = (char *)operator[]((
                                           basic_string<char,std--char_traits<char>,std--allocator<char>>
                                           *)&str,(long)n);
              operator<<<std--char_traits<char>>(this,*pcVar7);
            }
            n = n + 1;
          }
        }
        else {
          this = operator<<<std--char_traits<char>>((basic_ostream *)cout,"\x1b[42;1m");
          operator<<<char,std--char_traits<char>,std--allocator<char>>(this,(basic_string *)&str);
          numcorr = 100;
        }
        ~basic_string((basic_string<char,std--char_traits<char>,std--allocator<char>> *)&otxt);
      }
      else {
        __for_begin = (char *)begin();
        __for_end = (char *)end();
        while( true ) {
          bVar4 = operator!=<char*,std--__cxx11--basic_string<char>>
                            ((
                              __normal_iterator<char*,std--__cxx11--basic_string<char,std--char_traits<char>,std--allocator<char>>>
                              *)&__for_begin,
                             (
                              __normal_iterator<char*,std--__cxx11--basic_string<char,std--char_traits<char>,std--allocator<char>>>
                              *)&__for_end);
          if (bVar4 == false) break;
          pcVar8 = operator*((
                              __normal_iterator<char*,std--__cxx11--basic_string<char,std--char_traits<char>,std--allocator<char>>>
                              *)&__for_begin);
          cVar1 = *pcVar8;
                    /* try { // try from 00101ebc to 00101f75 has its CatchHandler @ 00101ff4 */
          this = operator<<<std--char_traits<char>>((basic_ostream *)cout,"\x1b[38;5;");
          this = (basic_ostream *)
                 operator<<((basic_ostream<char,std--char_traits<char>> *)this,(int)cVar1 + -0x4b);
          this = operator<<<std--char_traits<char>>(this,"m");
          operator<<<std--char_traits<char>>(this,*pcVar8);
          operator++((
                      __normal_iterator<char*,std--__cxx11--basic_string<char,std--char_traits<char>,std--allocator<char>>>
                      *)&__for_begin);
        }
      }
      if (bVar3) {
        this = operator<<<std--char_traits<char>>((basic_ostream *)cout,"\x1b[0m ::: ");
        this = (basic_ostream *)
               operator<<((basic_ostream<char,std--char_traits<char>> *)this,numcorr);
        operator<<<std--char_traits<char>>(this,"\n");
      }
      else {
        this = operator<<<std--char_traits<char>>((basic_ostream *)cout,"\x1b[0m");
        operator<<<std--char_traits<char>>(this,"\n");
      }
      ~basic_string((basic_string<char,std--char_traits<char>,std--allocator<char>> *)&str);
    }
    closedir(__dirp);
  }
  if (lVar2 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}

                             DAT_001021e8                                    XREF[1]:     main:0010128c(*)  
        001021e8 73              ??         73h    s
        001021e9 7d              ??         7Dh    }
        001021ea 79              ??         79h    y
        001021eb 76              ??         76h    v
        001021ec 7a              ??         7Ah    z
        001021ed 65              ??         65h    e
        001021ee 7a              ??         7Ah    z
        001021ef 71              ??         71h    q
        001021f0 72              ??         72h    r
        001021f1 5f              ??         5Fh    _
        001021f2 36              ??         36h    6
        001021f3 78              ??         78h    x
        001021f4 34              ??         34h    4
        001021f5 35              ??         35h    5
        001021f6 6a              ??         6Ah    j
        001021f7 78              ??         78h    x
        001021f8 32              ??         32h    2
        001021f9 79              ??         79h    y
        001021fa 70              ??         70h    p
        001021fb 34              ??         34h    4
        001021fc 64              ??         64h    d
        001021fd 33              ??         33h    3
        001021fe 38              ??         38h    8
        001021ff 71              ??         71h    q
        00102200 71              ??         71h    q
        00102201 31              ??         31h    1
        00102202 6d              ??         6Dh    m
        00102203 76              ??         76h    v
        00102204 6e              ??         6Eh    n
        00102205 73              ??         73h    s
        00102206 6c              ??         6Ch    l
        00102207 30              ??         30h    0
        00102208 75              ??         75h    u
        00102209 37              ??         37h    7
        0010220a 77              ??         77h    w
        0010220b 33              ??         33h    3
        0010220c 32              ??         32h    2
        0010220d 6c              ??         6Ch    l
        0010220e 72              ??         72h    r
        0010220f 31              ??         31h    1
        00102210 32              ??         32h    2
        00102211 67              ??         67h    g
        00102212 69              ??         69h    i
        00102213 7d              ??         7Dh    }
        00102214 74              ??         74h    t
        00102215 33              ??         33h    3
        00102216 69              ??         69h    i
        00102217 35              ??         35h    5
        00102218 6b              ??         6Bh    k
        00102219 77              ??         77h    w
        0010221a 30              ??         30h    0
        0010221b 6f              ??         6Fh    o
        0010221c 65              ??         65h    e
        0010221d 77              ??         77h    w
        0010221e 6b              ??         6Bh    k
        0010221f 71              ??         71h    q
        00102220 62              ??         62h    b
        00102221 5f              ??         5Fh    _
        00102222 76              ??         76h    v
        00102223 76              ??         76h    v
        00102224 36              ??         36h    6
        00102225 37              ??         37h    7
        00102226 32              ??         32h    2
        00102227 36              ??         36h    6
        00102228 7d              ??         7Dh    }
        00102229 7d              ??         7Dh    }
        0010222a 39              ??         39h    9
        0010222b 35              ??         35h    5
        0010222c 63              ??         63h    c
        0010222d 6d              ??         6Dh    m
        0010222e 66              ??         66h    f
        0010222f 79              ??         79h    y
        00102230 5f              ??         5Fh    _
        00102231 6a              ??         6Ah    j
        00102232 66              ??         66h    f
        00102233 67              ??         67h    g
        00102234 79              ??         79h    y
        00102235 78              ??         78h    x
        00102236 32              ??         32h    2
        00102237 35              ??         35h    5
        00102238 6e              ??         6Eh    n
        00102239 31              ??         31h    1
        0010223a 65              ??         65h    e
        0010223b 39              ??         39h    9
        0010223c 63              ??         63h    c
        0010223d 75              ??         75h    u
        0010223e 79              ??         79h    y
        0010223f 76              ??         76h    v
        00102240 73              ??         73h    s
        00102241 6f              ??         6Fh    o
        00102242 72              ??         72h    r
        00102243 5f              ??         5Fh    _
        00102244 30              ??         30h    0
        00102245 6d              ??         6Dh    m
        00102246 69              ??         69h    i
        00102247 6a              ??         6Ah    j
        00102248 63              ??         63h    c
        00102249 6e              ??         6Eh    n
        0010224a 68              ??         68h    h
        0010224b 6f              ??         6Fh    o
        0010224c 61              ??         61h    a
        0010224d 32              ??         32h    2
        0010224e 6b              ??         6Bh    k
        0010224f 70              ??         70h    p
        00102250 76              ??         76h    v
        00102251 64              ??         64h    d
        00102252 74              ??         74h    t
        00102253 6a              ??         6Ah    j
        00102254 64              ??         64h    d
        00102255 39              ??         39h    9
        00102256 6a              ??         6Ah    j
        00102257 73              ??         73h    s
        00102258 32              ??         32h    2
        00102259 6b              ??         6Bh    k
        0010225a 73              ??         73h    s
        0010225b 74              ??         74h    t
        0010225c 62              ??         62h    b
        0010225d 65              ??         65h    e
        0010225e 35              ??         35h    5
        0010225f 7d              ??         7Dh    }
        00102260 73              ??         73h    s
        00102261 36              ??         36h    6
        00102262 7a              ??         7Ah    z
        00102263 67              ??         67h    g
        00102264 79              ??         79h    y
        00102265 69              ??         69h    i
        00102266 6c              ??         6Ch    l
        00102267 36              ??         36h    6
        00102268 71              ??         71h    q
        00102269 78              ??         78h    x
        0010226a 74              ??         74h    t
        0010226b 72              ??         72h    r
        0010226c 7d              ??         7Dh    }
        0010226d 77              ??         77h    w
        0010226e 62              ??         62h    b
        0010226f 6f              ??         6Fh    o
        00102270 6c              ??         6Ch    l
        00102271 7d              ??         7Dh    }
        00102272 64              ??         64h    d
        00102273 7a              ??         7Ah    z
        00102274 6d              ??         6Dh    m
        00102275 67              ??         67h    g
        00102276 33              ??         33h    3
        00102277 74              ??         74h    t
        00102278 30              ??         30h    0
        00102279 32              ??         32h    2
        0010227a 34              ??         34h    4
        0010227b 36              ??         36h    6
        0010227c 36              ??         36h    6
        0010227d 68              ??         68h    h
        0010227e 75              ??         75h    u
        0010227f 31              ??         31h    1
        00102280 67              ??         67h    g
        00102281 6b              ??         6Bh    k
        00102282 70              ??         70h    p
        00102283 6d              ??         6Dh    m
        00102284 32              ??         32h    2
        00102285 78              ??         78h    x
        00102286 76              ??         76h    v
        00102287 38              ??         38h    8
        00102288 75              ??         75h    u
        00102289 7b              ??         7Bh    {
        0010228a 72              ??         72h    r
        0010228b 79              ??         79h    y
        0010228c 6e              ??         6Eh    n
        0010228d 30              ??         30h    0
        0010228e 73              ??         73h    s
        0010228f 31              ??         31h    1
        00102290 31              ??         31h    1
        00102291 75              ??         75h    u
        00102292 7a              ??         7Ah    z
        00102293 75              ??         75h    u
        00102294 5f              ??         5Fh    _
        00102295 34              ??         34h    4
        00102296 32              ??         32h    2
        00102297 36              ??         36h    6
        00102298 70              ??         70h    p
        00102299 38              ??         38h    8
        0010229a 6b              ??         6Bh    k
        0010229b 34              ??         34h    4
        0010229c 6f              ??         6Fh    o
        0010229d 77              ??         77h    w
        0010229e 62              ??         62h    b
        0010229f 32              ??         32h    2
        001022a0 31              ??         31h    1
        001022a1 66              ??         66h    f
        001022a2 33              ??         33h    3
        001022a3 62              ??         62h    b
        001022a4 75              ??         75h    u
        001022a5 6f              ??         6Fh    o
        001022a6 66              ??         66h    f
        001022a7 36              ??         36h    6
        001022a8 6f              ??         6Fh    o
        001022a9 6b              ??         6Bh    k
        001022aa 7b              ??         7Bh    {
        001022ab 63              ??         63h    c
        001022ac 70              ??         70h    p
        001022ad 39              ??         39h    9
        001022ae 73              ??         73h    s
        001022af 32              ??         32h    2
        001022b0 73              ??         73h    s
        001022b1 38              ??         38h    8
        001022b2 38              ??         38h    8
        001022b3 6b              ??         6Bh    k
        001022b4 33              ??         33h    3
        001022b5 79              ??         79h    y
        001022b6 68              ??         68h    h
        001022b7 7a              ??         7Ah    z
        001022b8 64              ??         64h    d
        001022b9 73              ??         73h    s
        001022ba 71              ??         71h    q
        001022bb 31              ??         31h    1
        001022bc 64              ??         64h    d
        001022bd 32              ??         32h    2
        001022be 75              ??         75h    u
        001022bf 37              ??         37h    7
        001022c0 6e              ??         6Eh    n
        001022c1 33              ??         33h    3
        001022c2 7d              ??         7Dh    }
        001022c3 39              ??         39h    9
        001022c4 65              ??         65h    e
        001022c5 78              ??         78h    x
        001022c6 7d              ??         7Dh    }
        001022c7 39              ??         39h    9
        001022c8 73              ??         73h    s
        001022c9 6c              ??         6Ch    l
        001022ca 79              ??         79h    y
        001022cb 30              ??         30h    0
        001022cc 70              ??         70h    p
        001022cd 30              ??         30h    0
        001022ce 7d              ??         7Dh    }
        001022cf 6c              ??         6Ch    l
        001022d0 70              ??         70h    p
        001022d1 35              ??         35h    5
        001022d2 79              ??         79h    y
        001022d3 78              ??         78h    x
        001022d4 64              ??         64h    d
        001022d5 69              ??         69h    i
        001022d6 37              ??         37h    7
        001022d7 6d              ??         6Dh    m
        001022d8 33              ??         33h    3
        001022d9 37              ??         37h    7
        001022da 5f              ??         5Fh    _
        001022db 70              ??         70h    p
        001022dc 38              ??         38h    8
        001022dd 32              ??         32h    2
        001022de 6f              ??         6Fh    o
        001022df 35              ??         35h    5
        001022e0 34              ??         34h    4
        001022e1 69              ??         69h    i
        001022e2 6d              ??         6Dh    m
        001022e3 31              ??         31h    1
        001022e4 7a              ??         7Ah    z
        001022e5 37              ??         37h    7
        001022e6 62              ??         62h    b
        001022e7 77              ??         77h    w
        001022e8 35              ??         35h    5
        001022e9 75              ??         75h    u
        001022ea 32              ??         32h    2
        001022eb 74              ??         74h    t
        001022ec 75              ??         75h    u
        001022ed 39              ??         39h    9
        001022ee 6e              ??         6Eh    n
        001022ef 32              ??         32h    2
        001022f0 6c              ??         6Ch    l
        001022f1 6f              ??         6Fh    o
        001022f2 79              ??         79h    y
        001022f3 62              ??         62h    b
        001022f4 6d              ??         6Dh    m
        001022f5 72              ??         72h    r
        001022f6 35              ??         35h    5
        001022f7 31              ??         31h    1
        001022f8 6a              ??         6Ah    j
        001022f9 69              ??         69h    i
        001022fa 68              ??         68h    h
        001022fb 38              ??         38h    8
        001022fc 6c              ??         6Ch    l
        001022fd 78              ??         78h    x
        001022fe 66              ??         66h    f
        001022ff 37              ??         37h    7
        00102300 7a              ??         7Ah    z
        00102301 36              ??         36h    6
        00102302 6e              ??         6Eh    n
        00102303 36              ??         36h    6
        00102304 32              ??         32h    2
        00102305 67              ??         67h    g
        00102306 6f              ??         6Fh    o
        00102307 68              ??         68h    h
        00102308 33              ??         33h    3
        00102309 5f              ??         5Fh    _
        0010230a 36              ??         36h    6
        0010230b 33              ??         33h    3
        0010230c 63              ??         63h    c
        0010230d 6e              ??         6Eh    n
        0010230e 6e              ??         6Eh    n
        0010230f 62              ??         62h    b
        00102310 66              ??         66h    f
        00102311 63              ??         63h    c
        00102312 7a              ??         7Ah    z
        00102313 68              ??         68h    h
        00102314 6d              ??         6Dh    m
        00102315 73              ??         73h    s
        00102316 79              ??         79h    y
        00102317 34              ??         34h    4
        00102318 70              ??         70h    p
        00102319 65              ??         65h    e
        0010231a 7d              ??         7Dh    }
        0010231b 69              ??         69h    i
        0010231c 6a              ??         6Ah    j
        0010231d 6c              ??         6Ch    l
        0010231e 75              ??         75h    u
        0010231f 71              ??         71h    q
        00102320 39              ??         39h    9
        00102321 78              ??         78h    x
        00102322 62              ??         62h    b
        00102323 6b              ??         6Bh    k
        00102324 6b              ??         6Bh    k
        00102325 34              ??         34h    4
        00102326 64              ??         64h    d
        00102327 7b              ??         7Bh    {
        00102328 63              ??         63h    c
        00102329 31              ??         31h    1
        0010232a 33              ??         33h    3
        0010232b 73              ??         73h    s
        0010232c 35              ??         35h    5
        0010232d 68              ??         68h    h
        0010232e 6a              ??         6Ah    j
        0010232f 6b              ??         6Bh    k
        00102330 6a              ??         6Ah    j
        00102331 6c              ??         6Ch    l
        00102332 64              ??         64h    d
        00102333 65              ??         65h    e
        00102334 77              ??         77h    w
        00102335 77              ??         77h    w
        00102336 39              ??         39h    9
        00102337 7a              ??         7Ah    z
        00102338 7d              ??         7Dh    }
        00102339 37              ??         37h    7
        0010233a 38              ??         38h    8
        0010233b 6f              ??         6Fh    o
        0010233c 79              ??         79h    y
        0010233d 74              ??         74h    t
        0010233e 31              ??         31h    1
        0010233f 70              ??         70h    p
        00102340 6f              ??         6Fh    o
        00102341 67              ??         67h    g
        00102342 35              ??         35h    5
        00102343 71              ??         71h    q
        00102344 75              ??         75h    u
        00102345 64              ??         64h    d
        00102346 7a              ??         7Ah    z
        00102347 7b              ??         7Bh    {
        00102348 36              ??         36h    6
        00102349 66              ??         66h    f
        0010234a 6b              ??         6Bh    k
        0010234b 77              ??         77h    w
        0010234c 5f              ??         5Fh    _
        0010234d 77              ??         77h    w
        0010234e 67              ??         67h    g
        0010234f 6f              ??         6Fh    o
        00102350 6e              ??         6Eh    n
        00102351 39              ??         39h    9
        00102352 39              ??         39h    9
        00102353 79              ??         79h    y
        00102354 63              ??         63h    c
        00102355 7b              ??         7Bh    {
        00102356 37              ??         37h    7
        00102357 76              ??         76h    v
        00102358 34              ??         34h    4
        00102359 73              ??         73h    s
        0010235a 61              ??         61h    a
        0010235b 6b              ??         6Bh    k
        0010235c 6a              ??         6Ah    j
        0010235d 36              ??         36h    6
        0010235e 70              ??         70h    p
        0010235f 64              ??         64h    d
        00102360 64              ??         64h    d
        00102361 6b              ??         6Bh    k
        00102362 35              ??         35h    5
        00102363 69              ??         69h    i
        00102364 31              ??         31h    1
        00102365 63              ??         63h    c
        00102366 5f              ??         5Fh    _
        00102367 31              ??         31h    1
        00102368 67              ??         67h    g
        00102369 37              ??         37h    7
        0010236a 34              ??         34h    4
        0010236b 65              ??         65h    e
        0010236c 5f              ??         5Fh    _
        0010236d 78              ??         78h    x
        0010236e 77              ??         77h    w
        0010236f 69              ??         69h    i
        00102370 76              ??         76h    v
        00102371 6b              ??         6Bh    k
        00102372 37              ??         37h    7
        00102373 6d              ??         6Dh    m
        00102374 6d              ??         6Dh    m
        00102375 62              ??         62h    b
        00102376 6d              ??         6Dh    m
        00102377 31              ??         31h    1
        00102378 36              ??         36h    6
        00102379 69              ??         69h    i
        0010237a 74              ??         74h    t
        0010237b 36              ??         36h    6
        0010237c 7a              ??         7Ah    z
        0010237d 78              ??         78h    x
        0010237e 66              ??         66h    f
        0010237f 63              ??         63h    c
        00102380 31              ??         31h    1
        00102381 79              ??         79h    y
        00102382 36              ??         36h    6
        00102383 73              ??         73h    s
        00102384 64              ??         64h    d
        00102385 7a              ??         7Ah    z
        00102386 7b              ??         7Bh    {
        00102387 30              ??         30h    0
        00102388 7a              ??         7Ah    z
        00102389 72              ??         72h    r
        0010238a 6d              ??         6Dh    m
        0010238b 75              ??         75h    u
        0010238c 76              ??         76h    v
        0010238d 79              ??         79h    y
        0010238e 73              ??         73h    s
        0010238f 62              ??         62h    b
        00102390 6c              ??         6Ch    l
        00102391 7d              ??         7Dh    }
        00102392 70              ??         70h    p
        00102393 6d              ??         6Dh    m
        00102394 77              ??         77h    w
        00102395 38              ??         38h    8
        00102396 7a              ??         7Ah    z
        00102397 36              ??         36h    6
        00102398 6a              ??         6Ah    j
        00102399 62              ??         62h    b
        0010239a 38              ??         38h    8
        0010239b 65              ??         65h    e
        0010239c 6a              ??         6Ah    j
        0010239d 6d              ??         6Dh    m
        0010239e 72              ??         72h    r
        0010239f 71              ??         71h    q
        001023a0 6b              ??         6Bh    k
        001023a1 6e              ??         6Eh    n
        001023a2 78              ??         78h    x
        001023a3 62              ??         62h    b
        001023a4 75              ??         75h    u
        001023a5 35              ??         35h    5
        001023a6 77              ??         77h    w
        001023a7 34              ??         34h    4
        001023a8 73              ??         73h    s
        001023a9 76              ??         76h    v
        001023aa 35              ??         35h    5
        001023ab 34              ??         34h    4
        001023ac 32              ??         32h    2
        001023ad 70              ??         70h    p
        001023ae 6c              ??         6Ch    l
        001023af 6e              ??         6Eh    n
        001023b0 7a              ??         7Ah    z
        001023b1 73              ??         73h    s
        001023b2 38              ??         38h    8
        001023b3 5f              ??         5Fh    _
        001023b4 7d              ??         7Dh    }
        001023b5 7a              ??         7Ah    z
        001023b6 6e              ??         6Eh    n
        001023b7 79              ??         79h    y
        001023b8 71              ??         71h    q
        001023b9 36              ??         36h    6
        001023ba 62              ??         62h    b
        001023bb 36              ??         36h    6
        001023bc 78              ??         78h    x
        001023bd 36              ??         36h    6
        001023be 37              ??         37h    7
        001023bf 61              ??         61h    a
        001023c0 72              ??         72h    r
        001023c1 30              ??         30h    0
        001023c2 6c              ??         6Ch    l
        001023c3 73              ??         73h    s
        001023c4 71              ??         71h    q
        001023c5 30              ??         30h    0
        001023c6 34              ??         34h    4
        001023c7 71              ??         71h    q
        001023c8 75              ??         75h    u
        001023c9 37              ??         37h    7
        001023ca 34              ??         34h    4
        001023cb 32              ??         32h    2
        001023cc 75              ??         75h    u
        001023cd 65              ??         65h    e
        001023ce 6e              ??         6Eh    n
        001023cf 70              ??         70h    p
        001023d0 34              ??         34h    4
        001023d1 75              ??         75h    u
        001023d2 66              ??         66h    f
        001023d3 6f              ??         6Fh    o
        001023d4 78              ??         78h    x
        001023d5 7a              ??         7Ah    z
        001023d6 37              ??         37h    7
        001023d7 69              ??         69h    i
        001023d8 72              ??         72h    r
        001023d9 38              ??         38h    8
        001023da 67              ??         67h    g
        001023db 7a              ??         7Ah    z
        001023dc 6f              ??         6Fh    o
        001023dd 68              ??         68h    h
        001023de 69              ??         69h    i
        001023df 33              ??         33h    3
        001023e0 35              ??         35h    5
        001023e1 32              ??         32h    2
        001023e2 7d              ??         7Dh    }
        001023e3 37              ??         37h    7
        001023e4 7b              ??         7Bh    {
        001023e5 39              ??         39h    9
        001023e6 68              ??         68h    h
        001023e7 6b              ??         6Bh    k
        001023e8 7b              ??         7Bh    {
        001023e9 79              ??         79h    y
        001023ea 75              ??         75h    u
        001023eb 34              ??         34h    4
        001023ec 5f              ??         5Fh    _
        001023ed 7a              ??         7Ah    z
        001023ee 62              ??         62h    b
        001023ef 6a              ??         6Ah    j
        001023f0 37              ??         37h    7
        001023f1 67              ??         67h    g
        001023f2 6d              ??         6Dh    m
        001023f3 76              ??         76h    v
        001023f4 6c              ??         6Ch    l
        001023f5 7b              ??         7Bh    {
        001023f6 63              ??         63h    c
        001023f7 5f              ??         5Fh    _
        001023f8 32              ??         32h    2
        001023f9 34              ??         34h    4
        001023fa 77              ??         77h    w
        001023fb 65              ??         65h    e
        001023fc 68              ??         68h    h
        001023fd 38              ??         38h    8
        001023fe 72              ??         72h    r
        001023ff 77              ??         77h    w
        00102400 78              ??         78h    x
        00102401 70              ??         70h    p
        00102402 5f              ??         5Fh    _
        00102403 32              ??         32h    2
        00102404 34              ??         34h    4
        00102405 64              ??         64h    d
        00102406 68              ??         68h    h
        00102407 70              ??         70h    p
        00102408 7b              ??         7Bh    {
        00102409 67              ??         67h    g
        0010240a 69              ??         69h    i
        0010240b 76              ??         76h    v
        0010240c 39              ??         39h    9
        0010240d 6b              ??         6Bh    k
        0010240e 7d              ??         7Dh    }
        0010240f 67              ??         67h    g
        00102410 7a              ??         7Ah    z
        00102411 38              ??         38h    8
        00102412 34              ??         34h    4
        00102413 30              ??         30h    0
        00102414 75              ??         75h    u
        00102415 65              ??         65h    e
        00102416 7a              ??         7Ah    z
        00102417 71              ??         71h    q
        00102418 6b              ??         6Bh    k
        00102419 39              ??         39h    9
        0010241a 73              ??         73h    s
        0010241b 7d              ??         7Dh    }
        0010241c 71              ??         71h    q
        0010241d 78              ??         78h    x
        0010241e 69              ??         69h    i
        0010241f 7b              ??         7Bh    {
        00102420 32              ??         32h    2
        00102421 75              ??         75h    u
        00102422 32              ??         32h    2
        00102423 6c              ??         6Ch    l
        00102424 62              ??         62h    b
        00102425 62              ??         62h    b
        00102426 74              ??         74h    t
        00102427 34              ??         34h    4
        00102428 69              ??         69h    i
        00102429 7d              ??         7Dh    }
        0010242a 6b              ??         6Bh    k
        0010242b 71              ??         71h    q
        0010242c 38              ??         38h    8
        0010242d 67              ??         67h    g
        0010242e 6f              ??         6Fh    o
        0010242f 6d              ??         6Dh    m
        00102430 72              ??         72h    r
        00102431 71              ??         71h    q
        00102432 65              ??         65h    e
        00102433 77              ??         77h    w
        00102434 76              ??         76h    v
        00102435 72              ??         72h    r
        00102436 6a              ??         6Ah    j
        00102437 36              ??         36h    6
        00102438 35              ??         35h    5
        00102439 64              ??         64h    d
        0010243a 67              ??         67h    g
        0010243b 77              ??         77h    w
        0010243c 61              ??         61h    a
        0010243d 6f              ??         6Fh    o
        0010243e 69              ??         69h    i
        0010243f 74              ??         74h    t
        00102440 63              ??         63h    c
        00102441 39              ??         39h    9
        00102442 39              ??         39h    9
        00102443 79              ??         79h    y
        00102444 68              ??         68h    h
        00102445 34              ??         34h    4
        00102446 6a              ??         6Ah    j
        00102447 65              ??         65h    e
        00102448 73              ??         73h    s
        00102449 74              ??         74h    t
        0010244a 36              ??         36h    6
        0010244b 73              ??         73h    s
        0010244c 63              ??         63h    c
        0010244d 63              ??         63h    c
        0010244e 6e              ??         6Eh    n
        0010244f 7a              ??         7Ah    z
        00102450 32              ??         32h    2
        00102451 77              ??         77h    w
        00102452 6c              ??         6Ch    l
        00102453 67              ??         67h    g
        00102454 6d              ??         6Dh    m
        00102455 61              ??         61h    a
        00102456 70              ??         70h    p
        00102457 36              ??         36h    6
        00102458 66              ??         66h    f
        00102459 39              ??         39h    9
        0010245a 6b              ??         6Bh    k
        0010245b 30              ??         30h    0
        0010245c 34              ??         34h    4
        0010245d 6c              ??         6Ch    l
        0010245e 68              ??         68h    h
        0010245f 61              ??         61h    a
        00102460 6e              ??         6Eh    n
        00102461 63              ??         63h    c
        00102462 33              ??         33h    3
        00102463 77              ??         77h    w
        00102464 6d              ??         6Dh    m
        00102465 67              ??         67h    g
        00102466 70              ??         70h    p
        00102467 6a              ??         6Ah    j
        00102468 36              ??         36h    6
        00102469 78              ??         78h    x
        0010246a 61              ??         61h    a
        0010246b 77              ??         77h    w
        0010246c 6c              ??         6Ch    l
        0010246d 6e              ??         6Eh    n
        0010246e 5f              ??         5Fh    _
        0010246f 6a              ??         6Ah    j
        00102470 63              ??         63h    c
        00102471 65              ??         65h    e
        00102472 36              ??         36h    6
        00102473 63              ??         63h    c
        00102474 36              ??         36h    6
        00102475 76              ??         76h    v
        00102476 66              ??         66h    f
        00102477 74              ??         74h    t
        00102478 74              ??         74h    t
        00102479 75              ??         75h    u
        0010247a 7b              ??         7Bh    {
        0010247b 7a              ??         7Ah    z
        0010247c 77              ??         77h    w
        0010247d 73              ??         73h    s
        0010247e 34              ??         34h    4
        0010247f 6f              ??         6Fh    o
        00102480 64              ??         64h    d
        00102481 6f              ??         6Fh    o
        00102482 6d              ??         6Dh    m
        00102483 37              ??         37h    7
        00102484 7b              ??         7Bh    {
        00102485 68              ??         68h    h
        00102486 35              ??         35h    5
        00102487 68              ??         68h    h
        00102488 65              ??         65h    e
        00102489 77              ??         77h    w
        0010248a 72              ??         72h    r
        0010248b 5f              ??         5Fh    _
        0010248c 7b              ??         7Bh    {
        0010248d 35              ??         35h    5
        0010248e 7d              ??         7Dh    }
        0010248f 36              ??         36h    6
        00102490 66              ??         66h    f
        00102491 74              ??         74h    t
        00102492 79              ??         79h    y
        00102493 34              ??         34h    4
        00102494 61              ??         61h    a
        00102495 31              ??         31h    1
        00102496 34              ??         34h    4
        00102497 61              ??         61h    a
        00102498 72              ??         72h    r
        00102499 36              ??         36h    6
        0010249a 34              ??         34h    4
        0010249b 71              ??         71h    q
        0010249c 31              ??         31h    1
        0010249d 76              ??         76h    v
        0010249e 76              ??         76h    v
        0010249f 67              ??         67h    g
        001024a0 30              ??         30h    0
        001024a1 73              ??         73h    s
        001024a2 32              ??         32h    2
        001024a3 38              ??         38h    8
        001024a4 7a              ??         7Ah    z
        001024a5 73              ??         73h    s
        001024a6 69              ??         69h    i
        001024a7 6b              ??         6Bh    k
        001024a8 7d              ??         7Dh    }
        001024a9 6e              ??         6Eh    n
        001024aa 68              ??         68h    h
        001024ab 70              ??         70h    p
        001024ac 6d              ??         6Dh    m
        001024ad 77              ??         77h    w
        001024ae 7d              ??         7Dh    }
        001024af 6a              ??         6Ah    j
        001024b0 39              ??         39h    9
        001024b1 32              ??         32h    2
        001024b2 73              ??         73h    s
        001024b3 34              ??         34h    4
        001024b4 32              ??         32h    2
        001024b5 6b              ??         6Bh    k
        001024b6 7d              ??         7Dh    }
        001024b7 7a              ??         7Ah    z
        001024b8 7a              ??         7Ah    z
        001024b9 78              ??         78h    x
        001024ba 78              ??         78h    x
        001024bb 30              ??         30h    0
        001024bc 62              ??         62h    b
        001024bd 6e              ??         6Eh    n
        001024be 37              ??         37h    7
        001024bf 63              ??         63h    c
        001024c0 64              ??         64h    d
        001024c1 64              ??         64h    d
        001024c2 6b              ??         6Bh    k
        001024c3 37              ??         37h    7
        001024c4 30              ??         30h    0
        001024c5 69              ??         69h    i
        001024c6 77              ??         77h    w
        001024c7 34              ??         34h    4
        001024c8 7b              ??         7Bh    {
        001024c9 66              ??         66h    f
        001024ca 38              ??         38h    8
        001024cb 77              ??         77h    w
        001024cc 71              ??         71h    q
        001024cd 67              ??         67h    g
        001024ce 75              ??         75h    u
        001024cf 79              ??         79h    y
        001024d0 6a              ??         6Ah    j
        001024d1 36              ??         36h    6
        001024d2 61              ??         61h    a
        001024d3 35              ??         35h    5
        001024d4 38              ??         38h    8
        001024d5 73              ??         73h    s
        001024d6 30              ??         30h    0
        001024d7 75              ??         75h    u
        001024d8 32              ??         32h    2
        001024d9 7d              ??         7Dh    }
        001024da 78              ??         78h    x
        001024db 7a              ??         7Ah    z
        001024dc 77              ??         77h    w
        001024dd 68              ??         68h    h
        001024de 7b              ??         7Bh    {
        001024df 30              ??         30h    0
        001024e0 76              ??         76h    v
        001024e1 64              ??         64h    d
        001024e2 61              ??         61h    a
        001024e3 77              ??         77h    w
        001024e4 64              ??         64h    d
        001024e5 67              ??         67h    g
        001024e6 65              ??         65h    e
        001024e7 38              ??         38h    8
        001024e8 6e              ??         6Eh    n
        001024e9 38              ??         38h    8
        001024ea 38              ??         38h    8
        001024eb 6a              ??         6Ah    j
        001024ec 36              ??         36h    6
        001024ed 6d              ??         6Dh    m
        001024ee 73              ??         73h    s
        001024ef 38              ??         38h    8
        001024f0 75              ??         75h    u
        001024f1 76              ??         76h    v
        001024f2 74              ??         74h    t
        001024f3 5f              ??         5Fh    _
        001024f4 72              ??         72h    r
        001024f5 34              ??         34h    4
        001024f6 68              ??         68h    h
        001024f7 65              ??         65h    e
        001024f8 7a              ??         7Ah    z
        001024f9 76              ??         76h    v
        001024fa 65              ??         65h    e
        001024fb 69              ??         69h    i
        001024fc 33              ??         33h    3
        001024fd 75              ??         75h    u
        001024fe 32              ??         32h    2
        001024ff 6b              ??         6Bh    k
        00102500 31              ??         31h    1
        00102501 37              ??         37h    7
        00102502 39              ??         39h    9
        00102503 74              ??         74h    t
        00102504 6c              ??         6Ch    l
        00102505 65              ??         65h    e
        00102506 70              ??         70h    p
        00102507 75              ??         75h    u
        00102508 6e              ??         6Eh    n
        00102509 7b              ??         7Bh    {
        0010250a 63              ??         63h    c
        0010250b 31              ??         31h    1
        0010250c 6c              ??         6Ch    l
        0010250d 30              ??         30h    0
        0010250e 32              ??         32h    2
        0010250f 5f              ??         5Fh    _
        00102510 65              ??         65h    e
        00102511 39              ??         39h    9
        00102512 32              ??         32h    2
        00102513 69              ??         69h    i
        00102514 6a              ??         6Ah    j
        00102515 6b              ??         6Bh    k
        00102516 39              ??         39h    9
        00102517 78              ??         78h    x
        00102518 78              ??         78h    x
        00102519 30              ??         30h    0
        0010251a 6f              ??         6Fh    o
        0010251b 5f              ??         5Fh    _
        0010251c 61              ??         61h    a
        0010251d 38              ??         38h    8
        0010251e 67              ??         67h    g
        0010251f 77              ??         77h    w
        00102520 6e              ??         6Eh    n
        00102521 6d              ??         6Dh    m
        00102522 70              ??         70h    p
        00102523 31              ??         31h    1
        00102524 6a              ??         6Ah    j
        00102525 72              ??         72h    r
        00102526 39              ??         39h    9
        00102527 67              ??         67h    g
        00102528 74              ??         74h    t
        00102529 6b              ??         6Bh    k
        0010252a 32              ??         32h    2
        0010252b 7b              ??         7Bh    {
        0010252c 63              ??         63h    c
        0010252d 71              ??         71h    q
        0010252e 37              ??         37h    7
        0010252f 71              ??         71h    q
        00102530 6e              ??         6Eh    n
        00102531 6d              ??         6Dh    m
        00102532 72              ??         72h    r
        00102533 70              ??         70h    p
        00102534 68              ??         68h    h
        00102535 76              ??         76h    v
        00102536 79              ??         79h    y
        00102537 65              ??         65h    e
        00102538 63              ??         63h    c
        00102539 70              ??         70h    p
        0010253a 73              ??         73h    s
        0010253b 7d              ??         7Dh    }
        0010253c 36              ??         36h    6
        0010253d 33              ??         33h    3
        0010253e 63              ??         63h    c
        0010253f 71              ??         71h    q
        00102540 76              ??         76h    v
        00102541 78              ??         78h    x
        00102542 63              ??         63h    c
        00102543 79              ??         79h    y
        00102544 7b              ??         7Bh    {
        00102545 69              ??         69h    i
        00102546 35              ??         35h    5
        00102547 7d              ??         7Dh    }
        00102548 64              ??         64h    d
        00102549 32              ??         32h    2
        0010254a 72              ??         72h    r
        0010254b 31              ??         31h    1
        0010254c 72              ??         72h    r
        0010254d 7b              ??         7Bh    {
        0010254e 72              ??         72h    r
        0010254f 67              ??         67h    g
        00102550 31              ??         31h    1
        00102551 6e              ??         6Eh    n
        00102552 7d              ??         7Dh    }
        00102553 6e              ??         6Eh    n
        00102554 75              ??         75h    u
        00102555 66              ??         66h    f
        00102556 6d              ??         6Dh    m
        00102557 37              ??         37h    7
        00102558 73              ??         73h    s
        00102559 75              ??         75h    u
        0010255a 65              ??         65h    e
        0010255b 33              ??         33h    3
        0010255c 37              ??         37h    7
        0010255d 38              ??         38h    8
        0010255e 75              ??         75h    u
        0010255f 77              ??         77h    w
        00102560 64              ??         64h    d
        00102561 71              ??         71h    q
        00102562 65              ??         65h    e
        00102563 39              ??         39h    9
        00102564 65              ??         65h    e
        00102565 7a              ??         7Ah    z
        00102566 73              ??         73h    s
        00102567 63              ??         63h    c
        00102568 78              ??         78h    x
        00102569 6f              ??         6Fh    o
        0010256a 71              ??         71h    q
        0010256b 39              ??         39h    9
        0010256c 30              ??         30h    0
        0010256d 6e              ??         6Eh    n
        0010256e 6d              ??         6Dh    m
        0010256f 65              ??         65h    e
        00102570 37              ??         37h    7
        00102571 36              ??         36h    6
        00102572 7d              ??         7Dh    }
        00102573 6a              ??         6Ah    j
        00102574 78              ??         78h    x
        00102575 34              ??         34h    4
        00102576 7d              ??         7Dh    }
        00102577 7d              ??         7Dh    }
        00102578 62              ??         62h    b
        00102579 38              ??         38h    8
        0010257a 61              ??         61h    a
        0010257b 68              ??         68h    h
        0010257c 65              ??         65h    e
        0010257d 5f              ??         5Fh    _
        0010257e 70              ??         70h    p
        0010257f 61              ??         61h    a
        00102580 62              ??         62h    b
        00102581 79              ??         79h    y
        00102582 32              ??         32h    2
        00102583 71              ??         71h    q
        00102584 78              ??         78h    x
        00102585 71              ??         71h    q
        00102586 77              ??         77h    w
        00102587 6f              ??         6Fh    o
        00102588 70              ??         70h    p
        00102589 36              ??         36h    6
        0010258a 33              ??         33h    3
        0010258b 6b              ??         6Bh    k
        0010258c 63              ??         63h    c
        0010258d 36              ??         36h    6
        0010258e 65              ??         65h    e
        0010258f 75              ??         75h    u
        00102590 6a              ??         6Ah    j
        00102591 73              ??         73h    s
        00102592 37              ??         37h    7
        00102593 7d              ??         7Dh    }
        00102594 66              ??         66h    f
        00102595 39              ??         39h    9
        00102596 30              ??         30h    0
        00102597 70              ??         70h    p
        00102598 6b              ??         6Bh    k
        00102599 6b              ??         6Bh    k
        0010259a 69              ??         69h    i
        0010259b 64              ??         64h    d
        0010259c 64              ??         64h    d
        0010259d 6c              ??         6Ch    l
        0010259e 76              ??         76h    v
        0010259f 66              ??         66h    f
        001025a0 6f              ??         6Fh    o
        001025a1 62              ??         62h    b
        001025a2 62              ??         62h    b
        001025a3 32              ??         32h    2
        001025a4 34              ??         34h    4
        001025a5 77              ??         77h    w
        001025a6 6a              ??         6Ah    j
        001025a7 35              ??         35h    5
        001025a8 32              ??         32h    2
        001025a9 77              ??         77h    w
        001025aa 7a              ??         7Ah    z
        001025ab 75              ??         75h    u
        001025ac 32              ??         32h    2
        001025ad 63              ??         63h    c
        001025ae 6e              ??         6Eh    n
        001025af 68              ??         68h    h
        001025b0 6f              ??         6Fh    o
        001025b1 61              ??         61h    a
        001025b2 5f              ??         5Fh    _
        001025b3 70              ??         70h    p
        001025b4 34              ??         34h    4
        001025b5 6a              ??         6Ah    j
        001025b6 6a              ??         6Ah    j
        001025b7 77              ??         77h    w
        001025b8 34              ??         34h    4
        001025b9 6e              ??         6Eh    n
        001025ba 68              ??         68h    h
        001025bb 39              ??         39h    9
        001025bc 6b              ??         6Bh    k
        001025bd 72              ??         72h    r
        001025be 35              ??         35h    5
        001025bf 67              ??         67h    g
        001025c0 69              ??         69h    i
        001025c1 66              ??         66h    f
        001025c2 30              ??         30h    0
        001025c3 34              ??         34h    4
        001025c4 6f              ??         6Fh    o
        001025c5 6a              ??         6Ah    j
        001025c6 62              ??         62h    b
        001025c7 68              ??         68h    h
        001025c8 31              ??         31h    1
        001025c9 65              ??         65h    e
        001025ca 5f              ??         5Fh    _
        001025cb 65              ??         65h    e
        001025cc 65              ??         65h    e
        001025cd 63              ??         63h    c
        001025ce 31              ??         31h    1
        001025cf 32              ??         32h    2
        001025d0 00              ??         00h

この情報を元にフラグを構成する。

indexes = [496, 402, 802, 228, 758, 756, 630, 634, 726, 206, 142, 829, 459,
    211, 294, 554, 293, 685, 427, 628, 279, 930, 459, 353, 251, 650, 169, 534,
    322, 47, 538, 805, 534, 356, 484, 441, 735, 489, 61, 510, 723, 417, 151,
    170, 291, 728, 388, 727, 144, 20, 217, 91, 838, 604, 503, 438, 186, 445,
    516, 248, 309, 332, 179, 859, 233, 9, 451, 819, 929, 206, 759, 79, 884,
    356, 184, 705, 459, 879, 98, 291, 917, 79, 302, 445, 520, 322, 239, 459,
    872, 750, 13, 650, 994, 904, 922, 933, 242, 229, 759, 230]

values = ['s', '}', 'y', 'v', 'z', 'e', 'z', 'q', 'r', '_', '6', 'x', '4', '5',
    'j', 'x', '2', 'y', 'p', '4', 'd', '3', '8', 'q', 'q', '1', 'm', 'v', 'n',
    's', 'l', '0', 'u', '7', 'w', '3', '2', 'l', 'r', '1', '2', 'g', 'i', '}',
    't', '3', 'i', '5', 'k', 'w', '0', 'o', 'e', 'w', 'k', 'q', 'b', '_', 'v',
    'v', '6', '7', '2', '6', '}', '}', '9', '5', 'c', 'm', 'f', 'y', '_', 'j',
    'f', 'g', 'y', 'x', '2', '5', 'n', '1', 'e', '9', 'c', 'u', 'y', 'v', 's',
    'o', 'r', '_', '0', 'm', 'i', 'j', 'c', 'n', 'h', 'o', 'a', '2', 'k', 'p',
    'v', 'd', 't', 'j', 'd', '9', 'j', 's', '2', 'k', 's', 't', 'b', 'e', '5',
    '}', 's', '6', 'z', 'g', 'y', 'i', 'l', '6', 'q', 'x', 't', 'r', '}', 'w',
    'b', 'o', 'l', '}', 'd', 'z', 'm', 'g', '3', 't', '0', '2', '4', '6', '6',
    'h', 'u', '1', 'g', 'k', 'p', 'm', '2', 'x', 'v', '8', 'u', '{', 'r', 'y',
    'n', '0', 's', '1', '1', 'u', 'z', 'u', '_', '4', '2', '6', 'p', '8', 'k',
    '4', 'o', 'w', 'b', '2', '1', 'f', '3', 'b', 'u', 'o', 'f', '6', 'o', 'k',
    '{', 'c', 'p', '9', 's', '2', 's', '8', '8', 'k', '3', 'y', 'h', 'z', 'd',
    's', 'q', '1', 'd', '2', 'u', '7', 'n', '3', '}', '9', 'e', 'x', '}', '9',
    's', 'l', 'y', '0', 'p', '0', '}', 'l', 'p', '5', 'y', 'x', 'd', 'i', '7',
    'm', '3', '7', '_', 'p', '8', '2', 'o', '5', '4', 'i', 'm', '1', 'z', '7',
    'b', 'w', '5', 'u', '2', 't', 'u', '9', 'n', '2', 'l', 'o', 'y', 'b', 'm',
    'r', '5', '1', 'j', 'i', 'h', '8', 'l', 'x', 'f', '7', 'z', '6', 'n', '6',
    '2', 'g', 'o', 'h', '3', '_', '6', '3', 'c', 'n', 'n', 'b', 'f', 'c', 'z',
    'h', 'm', 's', 'y', '4', 'p', 'e', '}', 'i', 'j', 'l', 'u', 'q', '9', 'x',
    'b', 'k', 'k', '4', 'd', '{', 'c', '1', '3', 's', '5', 'h', 'j', 'k', 'j',
    'l', 'd', 'e', 'w', 'w', '9', 'z', '}', '7', '8', 'o', 'y', 't', '1', 'p',
    'o', 'g', '5', 'q', 'u', 'd', 'z', '{', '6', 'f', 'k', 'w', '_', 'w', 'g',
    'o', 'n', '9', '9', 'y', 'c', '{', '7', 'v', '4', 's', 'a', 'k', 'j', '6',
    'p', 'd', 'd', 'k', '5', 'i', '1', 'c', '_', '1', 'g', '7', '4', 'e', '_',
    'x', 'w', 'i', 'v', 'k', '7', 'm', 'm', 'b', 'm', '1', '6', 'i', 't', '6',
    'z', 'x', 'f', 'c', '1', 'y', '6', 's', 'd', 'z', '{', '0', 'z', 'r', 'm',
    'u', 'v', 'y', 's', 'b', 'l', '}', 'p', 'm', 'w', '8', 'z', '6', 'j', 'b',
    '8', 'e', 'j', 'm', 'r', 'q', 'k', 'n', 'x', 'b', 'u', '5', 'w', '4', 's',
    'v', '5', '4', '2', 'p', 'l', 'n', 'z', 's', '8', '_', '}', 'z', 'n', 'y',
    'q', '6', 'b', '6', 'x', '6', '7', 'a', 'r', '0', 'l', 's', 'q', '0', '4',
    'q', 'u', '7', '4', '2', 'u', 'e', 'n', 'p', '4', 'u', 'f', 'o', 'x', 'z',
    '7', 'i', 'r', '8', 'g', 'z', 'o', 'h', 'i', '3', '5', '2', '}', '7', '{',
    '9', 'h', 'k', '{', 'y', 'u', '4', '_', 'z', 'b', 'j', '7', 'g', 'm', 'v',
    'l', '{', 'c', '_', '2', '4', 'w', 'e', 'h', '8', 'r', 'w', 'x', 'p', '_',
    '2', '4', 'd', 'h', 'p', '{', 'g', 'i', 'v', '9', 'k', '}', 'g', 'z', '8',
    '4', '0', 'u', 'e', 'z', 'q', 'k', '9', 's', '}', 'q', 'x', 'i', '{', '2',
    'u', '2', 'l', 'b', 'b', 't', '4', 'i', '}', 'k', 'q', '8', 'g', 'o', 'm',
    'r', 'q', 'e', 'w', 'v', 'r', 'j', '6', '5', 'd', 'g', 'w', 'a', 'o', 'i',
    't', 'c', '9', '9', 'y', 'h', '4', 'j', 'e', 's', 't', '6', 's', 'c', 'c',
    'n', 'z', '2', 'w', 'l', 'g', 'm', 'a', 'p', '6', 'f', '9', 'k', '0', '4',
    'l', 'h', 'a', 'n', 'c', '3', 'w', 'm', 'g', 'p', 'j', '6', 'x', 'a', 'w',
    'l', 'n', '_', 'j', 'c', 'e', '6', 'c', '6', 'v', 'f', 't', 't', 'u', '{',
    'z', 'w', 's', '4', 'o', 'd', 'o', 'm', '7', '{', 'h', '5', 'h', 'e', 'w',
    'r', '_', '{', '5', '}', '6', 'f', 't', 'y', '4', 'a', '1', '4', 'a', 'r',
    '6', '4', 'q', '1', 'v', 'v', 'g', '0', 's', '2', '8', 'z', 's', 'i', 'k',
    '}', 'n', 'h', 'p', 'm', 'w', '}', 'j', '9', '2', 's', '4', '2', 'k', '}',
    'z', 'z', 'x', 'x', '0', 'b', 'n', '7', 'c', 'd', 'd', 'k', '7', '0', 'i',
    'w', '4', '{', 'f', '8', 'w', 'q', 'g', 'u', 'y', 'j', '6', 'a', '5', '8',
    's', '0', 'u', '2', '}', 'x', 'z', 'w', 'h', '{', '0', 'v', 'd', 'a', 'w',
    'd', 'g', 'e', '8', 'n', '8', '8', 'j', '6', 'm', 's', '8', 'u', 'v', 't',
    '_', 'r', '4', 'h', 'e', 'z', 'v', 'e', 'i', '3', 'u', '2', 'k', '1', '7',
    '9', 't', 'l', 'e', 'p', 'u', 'n', '{', 'c', '1', 'l', '0', '2', '_', 'e',
    '9', '2', 'i', 'j', 'k', '9', 'x', 'x', '0', 'o', '_', 'a', '8', 'g', 'w',
    'n', 'm', 'p', '1', 'j', 'r', '9', 'g', 't', 'k', '2', '{', 'c', 'q', '7',
    'q', 'n', 'm', 'r', 'p', 'h', 'v', 'y', 'e', 'c', 'p', 's', '}', '6', '3',
    'c', 'q', 'v', 'x', 'c', 'y', '{', 'i', '5', '}', 'd', '2', 'r', '1', 'r',
    '{', 'r', 'g', '1', 'n', '}', 'n', 'u', 'f', 'm', '7', 's', 'u', 'e', '3',
    '7', '8', 'u', 'w', 'd', 'q', 'e', '9', 'e', 'z', 's', 'c', 'x', 'o', 'q',
    '9', '0', 'n', 'm', 'e', '7', '6', '}', 'j', 'x', '4', '}', '}', 'b', '8',
    'a', 'h', 'e', '_', 'p', 'a', 'b', 'y', '2', 'q', 'x', 'q', 'w', 'o', 'p',
    '6', '3', 'k', 'c', '6', 'e', 'u', 'j', 's', '7', '}', 'f', '9', '0', 'p',
    'k', 'k', 'i', 'd', 'd', 'l', 'v', 'f', 'o', 'b', 'b', '2', '4', 'w', 'j',
    '5', '2', 'w', 'z', 'u', '2', 'c', 'n', 'h', 'o', 'a', '_', 'p', '4', 'j',
    'j', 'w', '4', 'n', 'h', '9', 'k', 'r', '5', 'g', 'i', 'f', '0', '4', 'o',
    'j', 'b', 'h', '1', 'e', '_', 'e', 'e', 'c', '1', '2']

flag = ''
for index in indexes:
    flag += values[index]

print flag

rtcp{wh37h3r_1n4n1m473_f16ur35_0r_un4u7h0r1z3d_c0d3_7h3r35_4lw4y5_4_6h057_1n_7h3_5y573m_1056_726_00}

HOOOOOOOOOOMEEEEEE RUNNNNNNNNNNNNN!!!!! (Cryptography 50)

Ascii85デコードする。

#!/usr/bin/env python3
import base64

enc = 'Ecbf1HZ_kd8jR5K?[";(7;aJp?[4>J?Slk3<+n\'pF]W^,F>._lB/=r'

flag = base64.a85decode(enc)
print(flag)

rtcp{uH_JAk3_w3REn't_y0u_4t_Th3_uWust0r4g3}

Don't Give The GIANt a COOKie (Cryptography 100)

md5が69acad26c0b7fa29d2df023b4744bf07になるパスワードをrockyou.txtからブルートフォースで探す。

import hashlib

with open('dict/rockyou.txt', 'r') as f:
    lines = f.readlines()

for line in lines:
    word = line.rstrip()
    if hashlib.md5(word).hexdigest() == '69acad26c0b7fa29d2df023b4744bf07':
        break

flag = 'rtcp{%s}' % word
print flag

rtcp{chocolate mmm}

15 (Cryptography 100)

暗号化されている長文が与えられている。換字式暗号と推測して、quipqiupで復号する。

Number fifteen: Burger King Foot Lettuce

The last thing you'd want in your Burger King burger is someone's foot fungus. But as it turns out, that might be what you get. A 4channer uploaded a photo anonymously to the site showcasing his feet in a plastic bin of lettuce, with the statement: "This is the lettuce you eat at Burger King." Admittedly, he had shoes on. But that's even worse.

The post went live at 11:38 PM on July 16, and a mere twenty minutes later, the Burger King in question was alerted to the rogue employee. At least, I hope he's rogue. How did it happen? Well, the BK employee hadn't removed the EXIF data from the uploaded photo, which suggested the culprit was somewhere in Mayfield Heights, Ohio. This was at 11:47. Three minutes later at 11:50, the Burger King branch address was posted with wishes of happy unemployment. Five minutes later, the news station was contacted by another 4channer. And three minutes later, at 11:58, a link was posted: BK's "Tell us about us" online forum. The foot photo, otherwise known as exhibit A, was attached. Cleveland Scene Magazine contacted the BK in question the next day. When questioned, the breakfast shift manager said "Oh, I know who that is. He's getting fired." Mystery solved, by 4chan. Now we can all go back to eating our fast food in peace.

rtcp{c4R3Ful_w1tH_3X1f_d4T4}

rtcp{c4R3Ful_w1tH_3X1f_d4T4}

notice me senpai (Cryptography 100)

Rail Fence Cipherと推定し、rtcpで始まることを考慮して復号を試す。
レール本数が7の場合はこうなる。

.x...........x...........x....
x.x.........x.x.........x.x...
...x.......x...x.......x...x..
....x.....x.....x.....x.....x.
.....x...x.......x...x.......x
......x.x.........x.x.........
.......x...........x..........

.t...........l...........y....
r.c........._.o........._.0...
...p.......n...v.......h...u..
....}.....x.....x.....x.....x.
.....x...x.......x...x.......x
......x.x.........x.x.........
.......x...........x..........

"}"の位置がおかしくなる。レール本数を6にしてみる。

.x.........x.........x........
x.x.......x.x.......x.x.......
...x.....x...x.....x...x.....x
....x...x.....x...x.....x...x.
.....x.x.......x.x.......x.x..
......x.........x.........x...

.t.........l.........y........
r.c......._.o......._.0.......
...p.....n...v.....h...u.....}
....{...1.....3...7.....r...m.
.....i._......._.i......._.o..
......m.........w.........m...

フラグになった。

rtcp{im_1n_lov3_wi7h_y0ur_mom}

That's Some Interesting Tea(rs)....... (Cryptography 175)

以下のように順にデコードする。

base32デコード⇒base58デコード⇒base62デコード⇒base64デコード⇒base85デコード

#!/usr/bin/env python3
import base64
import base58
import base62

enc = 'O53GG4CSJRHEWQT2GJ5HC4CGOM4VKY3SOZGECZ2YNJTXO6LROV3DIR3CK4ZEMWCDHFMTOWSXGRSHU23DLJVTS5BXOQZXMU3ONJSFKRCVO5BEGVSELJSGUNSYLI2XQ32UOI3FKWDYMJQWOMKQOJ4XIU2WN5KTKWT2INUW44SZONGUUN2BMFRTQQJYKM3WGSSUNVXGEU3THFIFUSDHIVWVEQ3LJVUXEMSXK5MXSZ3TG5JXORKTMZRFIVQ='

dec = base64.b32decode(enc)
print(dec)

dec = base58.b58decode(dec.decode())
print(dec)

dec = base62.decode(dec.decode())
dec = dec.to_bytes((dec.bit_length() + 7) // 8, byteorder='big')
print(dec)

dec = base64.b64decode(dec)
print(dec)

dec = base64.a85decode(dec)
print(dec)

実行結果は以下の通り。

b'wvcpRLNKBz2zqpFs9UcrvLAgXjgwyquv4GbW2FXC9Y7ZW4dzkcZk9t7t3vSnjdUDUwBCVDZdj6XZ5xoTr6UXxbag1PrytSVoU5ZzCinrYsMJ7Aac8A8S7cJTmnbSs9PZHgEmRCkMir2WWYygs7SwESfbTV'
b'BGJz4dCH0UuQZ2Q9vLExJUKcrvdIoYRwrspUSms5eRJoVc3WAztlKjjkEXDJuI1uqXQT3OdCcm8LjC12gR3Fd1EfZ2isyNxfe55MiOvz2DYGDb9dh'
b'RWNiZjFIWldwWEY+W0RfMFByVVEyKUssa0ghYllMMWdfdEVAVmRsPDFMRHRUQ2dWOXQwUVQkV0Y+R2FvRisi'
b'Ecbf1HZWpXF>[D_0PrUQ2)K,kH!bYL1g_tE@Vdl<1LDtTCgV9t0QT$WF>GaoF+"'
b'rtcp{th4t5_50m3_54lty_t34_1_bl4m3_4ll_th0s3_t34rs}'

rtcp{th4t5_50m3_54lty_t34_1_bl4m3_4ll_th0s3_t34rs}

That's a Lot of Stuff . . . (Cryptography 275)

hexデコードすると、スペース区切りの数値になる。これを8進数でASCIIコードとして文字にすると、base64文字列のようになるので、デコードする。

enc = '31 34 33 20 31 35 36 20 31 32 32 20 31 35 32 20 31 34 33 20 31 31 30 20 31 36 34 20 31 35 32 20 31 31 35 20 31 30 37 20 36 35 20 36 32 20 31 31 35 20 36 33 20 31 31 32 20 31 37 32 20 31 31 35 20 31 32 34 20 31 30 32 20 31 36 35 20 31 34 33 20 36 31 20 37 31 20 31 35 30 20 31 34 33 20 31 35 32 20 31 31 36 20 31 34 36 20 31 31 36 20 31 30 36 20 37 31 20 31 35 32 20 31 31 35 20 31 30 34 20 31 30 32 20 31 31 35 20 31 33 30 20 36 32 20 31 31 35 20 36 30 20 31 34 34 20 31 31 30 20 31 31 36 20 37 31'

enc = enc.replace(' ', '').decode('hex')
print enc
enc = enc.split(' ')

b64 = ''
for e in enc:
    b64 += chr(int(e, 8))
print b64

flag = b64.decode('base64')
print flag

実行結果は以下の通り。

143 156 122 152 143 110 164 152 115 107 65 62 115 63 112 172 115 124 102 165 143 61 71 150 143 152 116 146 116 106 71 152 115 104 102 115 130 62 115 60 144 110 116 71
cnRjcHtjMG52M3JzMTBuc19hcjNfNF9jMDBMX2M0dHN9
rtcp{c0nv3rs10ns_ar3_4_c00L_c4ts}

rtcp{c0nv3rs10ns_ar3_4_c00L_c4ts}

Pandas Like Salads (Cryptography 350)

Pigpen cipherとして文字を起こす。

YSAY{HJKAHR_QQGDIA_UNR_KW_YRQ_PM_NNFB}

Vigenere暗号と推定する。https://www.dcode.fr/vigenere-cipherで、キーにCUTENESSを指定して復号する。

WYHU{UFSIFX_XMTZQI_STY_GJ_UZY_NS_UJSX}

Ceaser暗号として、復号する。大文字では通らなかったので、小文字にする。

rtcp{pandas_should_not_be_put_in_pens}

2020-01-25

Insomni'hack teaser 2020 Writeup

CTF writeup

この大会は2020/1/18 18:00(JST)～2020/1/19 18:00(JST)に開催されました。
今回もチームで参戦。結果は72点で647チーム中239位でした。
自分で解けた問題をWriteupとして書いておきます。

LowDeep (web)

OSコマンドインジェクションをしてみる。

$ curl http://lowdeep.insomnihack.ch/ -d 'ipaddr=8.8.8.8;ls'
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Insomni'hack 2020 Teaser</title>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css">
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"></script>
  <style>
  body {
 background-image: url("_res_/img/skull-slim.png");
 background-color: #cccccc;
}
  </style>
</head>

<body>
<div class="container p-3 my-3 bg-dark text-white">
  <h2>LowDeep Plateform </h2>
  <p>That's our new plateform to perform ping the easy way.</p>

  <form action="#" method="post">
    <div class="form-group">
      <label for="ip">Enter the IP address to ping:</label>
      <input type="text" class="form-control" id="ip" name="ipaddr">
    </div>
    <input type="submit" name="submit" value="Submit" class="btn btn-primary" />
    <div>
    	</br>PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.</br>64 bytes from 8.8.8.8: icmp_seq=1 ttl=59 time=1.33 ms</br></br>--- 8.8.8.8 ping statistics ---</br>1 packets transmitted, 1 received, 0% packet loss, time 0ms</br>rtt min/avg/max/mdev = 1.338/1.338/1.338/0.000 ms</br>_res_</br>index.php</br>print-flag</br>robots.txt    </div>
  </form>
</div>
</body>
</html>

ファイル群の中にprint-flagがあることがわかるので、ダウンロードして実行してみる。

$ ./print-flag 
INS{Wh1le_ld_k1nd_0f_forg0t_ab0ut_th3_x_fl4g}

INS{Wh1le_ld_k1nd_0f_forg0t_ab0ut_th3_x_fl4g}

2020-01-16

WhiteHat Grand Prix 06 – Quals Writeup

CTF writeup

この大会は2020/1/4 11:00(JST)～2020/1/5 11:00(JST)に開催されました。
今回もチームで参戦。結果は500点で150チーム中50位でした。
自分で解けた問題をWriteupとして書いておきます。

Blockchain (Misc)

3つのjsonファイルと2つの公開鍵、パスワード付きzipファイルが添付されている。2者間で公開鍵で暗号化してメッセージを送っていて、それがjsonに書かれている。試してみたところ、2つの公開鍵のnは1でない素数を共通に持っているので、素因数分解できる。それを元にメッセージを復号する。

from Crypto.PublicKey import RSA
from Crypto.Util.number import *
import json

id_list = ['34a7370734caff5d129ad355f78f3ccf', '8a95963d7bedd2b81ad09cd1838c7a4d']

ns = []
es = []
for i in range(2):
    filename = 'Blockchain/%s.pem' % id_list[i]
    with open(filename, 'r') as f:
        pub_data = f.read()
    pubkey = RSA.importKey(pub_data)
    ns.append(pubkey.n)
    es.append(pubkey.e)

p = GCD(ns[0], ns[1])

ds = []
for i in range(2):
    q = ns[i] / p
    phi = (p - 1) * (q - 1)
    d = inverse(es[i], phi)
    ds.append(d)

for i in range(1, 4):
    filename = 'Blockchain/block%d.json' % i
    with open(filename) as f:
        block = json.load(f)

    for j in range(2):
        c = int(block['data_block'][j][id_list[j]]['messger'])
        m = pow(c, ds[j], ns[j])
        msg = long_to_bytes(m)
        print msg

メッセージの復号結果は以下の通り。

Do you understand the blockchain?
Password using open flag.zip
flag in flag.txt
Password = Password1+Password2
Password1:'irVOwoJR7d'
Password2:'D@V!4P##Ij'

flag.zipをパスワード'irVOwoJR7dD@V!4P##Ij'で解凍する。flag.txtにはbase64文字列が書かれているので、デコードしてファイルに保存する。

with open('Blockchain/flag/flag.txt', 'r') as f:
    data = f.read()

with open('flag.png', 'wb') as f:
    f.write(data.decode('base64'))

f:id:satou-y:20200116220611p:plain
QRコードの画像ファイルだったので、読み取る。

Whitehat{the_ flag_blockchain_ iot}

$ echo -n "the_ flag_blockchain_ iot" | sha1sum
af398a30871f3f533986bf4e58cc8899e00c1139  -

WhiteHat{af398a30871f3f533986bf4e58cc8899e00c1139}

Crypto 01 (Crypto)

$ nc 15.164.159.194 8006
Your cipher key: 32322f34342f67672f4444 36362f2d2d2f1b1b2f7474 34342f3e3e2f12122f6464 30302f23232f6b6b2f4646 34342f40402f1a1a2f6f6f 30302f3d3d2f6b6b2f5151 58582f74742f43432f7c7c2f3535 30302f20202f6d6d2f5757 78782f31312f4f4f 35352f37372f61612f4f4f 6b6b2f33332f4b4b 39392f36362f79792f4f4f 35352f3e3e2f17172f7474 70702f33332fb6b6 36362fc0c02f75752f5555 33332f2c2c2febeb2f7575 ffff2f67672f41412f7e7e2f3838 31312f7c7c2fe2e22f7676 a8a82f6c6c2f54542f28282f3636 adad2f62622f59592f2c2c2f3535 37372fd0d02f7a7a2f4f4f 37372f3f3f2fe7e72f7676 37372f3d3d2fe2e22f7272 eaea2f77772f48482f3c3c2f3939 31312f3f3f2ff3f32f7676 32322fc8c82f62622f4343 34342f2b2b2fe4e42f7676 a2a22f6d6d2f47472f60602f3737 a1a12f62622f4b4b2f3d3d2f3838 30302f3f3f2ff5f52f6c6c 35352fc9c92f6d6d2f5252 34342f3c3c2ff9f92f6e6e 37372f24242ff2f22f6d6d 33332f29292fe4e42f6363 71712f38382fa5a5 bdbd2f64642f50502f2e2e2f3232 6c6c2f39392faeae f8f82f79792f47472f5f5f2f3939 34342fcbcb2f63632f5757 38382fc0c02f65652f5151 bebe2f6e6e2f59592f60602f3939 b0b02f6e6e2f42422f7e7e2f3939 38382fcfcf2f6f6f2f5353 38382fd1d12f72722f4b4b 32322f2e2e2fe9e92f7979 fefe2f6c6c2f41412f2a2a2f3030 38382f3d3d2fc3c32f7575 9d9d2f73732f56562f24242f3939 39392fe8e82f70702f5959 33332ffefe2f61612f4c4c 38382f3c3c2fdddd2f7979 63632f33332f9090 35352f3c3c2fd7d72f6464 72722f32322f9898 36362ff0f02f64642f4141 30302fe3e32f75752f4141 39392ffefe2f6b6b2f4a4a 33332fffff2f77772f4c4c 31312febeb2f6f6f2f4747 62622f33332f9d9d 32322ffdfd2f63632f4c4c 37372fe6e62f67672f4242 39392f3f3f2fd4d42f7474 65652f37372f8181
WELCOME TO CHAOS TOOL: 
Description: This is a tool which helps you hide the content of the message
Notes:
- Message cannot contain whitespace characters
- Message can use all characters including punctuation marks and number
- Decrypt the above key to get the flag, len(key) = 64
- All punctuation marks use in plain key: ~`!@#$%^&*()_-+=<,>.?|
- Key is not a meaningful sentence
- Find the rule in this tool
**FEATURES**
<1> Encrypt message 
<2> Get the flag 
Your choice: 1
Enter your message: 1234
66662f32322f4242 75752f32322f4646 71712f32322f4646 61612f32322f4242
**FEATURES**
<1> Encrypt message 
<2> Get the flag 
Your choice: 2
Please enter the key to get flag: abcd
WRONG KEY

メッセージには英数字＋記号(~`!@#$%^&*()_-+=<,>.?|)が使われる。

$ nc 15.164.159.194 8006
Your cipher key: a0a02f66662f59592f25252f3030 33332f28282ff3f32f7171 38382fe5e52f6f6f2f4242 63632f30302f9797 dcdc2f73732f4e4e2f2d2d2f3333 9c9c2f6f6f2f58582f5f5f2f3838 35352ff1f12f63632f5757 32322f40402fd2d22f6c6c 36362fecec2f69692f4f4f 31312f3e3e2fcccc2f7676 33332fecec2f7a7a2f5757 35352f7e7e2fcaca2f6666 36362f3e3e2fc4c42f6f6f 6b6b2f36362f9c9c 31312feeee2f72722f4242 76762f36362f9898 d2d22f7a7a2f43432f40402f3434 30302feeee2f75752f4f4f 35352feaea2f62622f4848 36362f3d3d2fcbcb2f7474 34342f2c2c2fcaca2f6f6f 32322f3d3d2fc4c42f6f6f 9e9e2f72722f59592f2a2a2f3535 39392ffdfd2f6e6e2f4a4a 38382ff9f92f76762f5252 e8e82f67672f59592f5f5f2f3030 31312ff2f22f6d6d2f5959 74742f32322f8080 35352f28282fd9d92f6565 e4e42f6f6f2f42422f5e5e2f3131 32322ffafa2f63632f4e4e 98982f66662f48482f3f3f2f3636 38382ff7f72f73732f4444 95952f61612f4d4d2f2c2c2f3131 32322f28282fa5a52f7a7a ffff2f75752f51512f2b2b2f3636 31312f96962f70702f5151 33332f2d2d2fbaba2f6c6c 32322f3c3c2fa9a92f6f6f e6e62f64642f55552f2c2c2f3535 34342f92922f70702f5252 34342f3e3e2fafaf2f7979 31312f9f9f2f72722f4343 31312f88882f77772f5454 f7f72f61612f53532f23232f3737 34342f7c7c2fbaba2f7575 30302f25252fb6b62f6464 35352f80802f6c6c2f4f4f 35352f9b9b2f79792f4646 e5e52f6b6b2f52522f7e7e2f3636 32322f21212fb5b52f7272 36362f23232fa7a72f7373 ffff2f69692f54542f2c2c2f3434 32322f86862f73732f5757 6a6a2f30302fe4e4 abab2f6d6d2f5a5a2f3c3c2f3535 30302f29292fb7b72f7575 39392f85852f61612f4c4c 32322f97972f67672f4848 62622f35352feded 76762f33332feded f3f32f64642f4d4d2f2b2b2f3232 36362f95952f6d6d2f4a4a e1e12f6c6c2f42422f2c2c2f3232
WELCOME TO CHAOS TOOL: 
Description: This is a tool which helps you hide the content of the message
Notes:
- Message cannot contain whitespace characters
- Message can use all characters including punctuation marks and number
- Decrypt the above key to get the flag, len(key) = 64
- All punctuation marks use in plain key: ~`!@#$%^&*()_-+=<,>.?|
- Key is not a meaningful sentence
- Find the rule in this tool
**FEATURES**
<1> Encrypt message 
<2> Get the flag 
Your choice: 1
Enter your message: 1
69692f37372fafaf
**FEATURES**
<1> Encrypt message 
<2> Get the flag 
Your choice: 1
Enter your message: 1
65652f32322fafaf
**FEATURES**
<1> Encrypt message 
<2> Get the flag 
Your choice: 1
Enter your message: 1
73732f34342fafaf
**FEATURES**
<1> Encrypt message 
<2> Get the flag 
Your choice: 1
Enter your message: 1
68682f31312fafaf
**FEATURES**
<1> Encrypt message 
<2> Get the flag 
Your choice: 1
Enter your message: 12
6d6d2f38382fafaf 70702f30302fadad

同じ文字でも暗号は異なる。hexデコードしてみる。

■平文: 1
>>> '69692f37372fafaf'.decode('hex')
'ii/77/\xaf\xaf'
>>> '65652f32322fafaf'.decode('hex')
'ee/22/\xaf\xaf'

どこかでこういう暗号を見たことがある。ISITDTU CTF 2019 Quals の Chaos 1000と類似の問題だが、特徴が少々複雑。特徴を見出すために何回か試してみる。

■aからzまで順に試す。
00/&&/ll/rr 30302f26262f6c6c2f7272
33/((/oo/bb 33332f28282f6f6f2f6262
11/((/nn/aa 31312f28282f6e6e2f6161
22/>>/ii/vv 32322f3e3e2f69692f7676
99/>>/hh/vv 39392f3e3e2f68682f7676
22/**/kk/kk 32322f2a2a2f6b6b2f6b6b
55/``/jj/ww 35352f60602f6a6a2f7777
77/==/ee/pp 37372f3d3d2f65652f7070
88/&&/dd/vv 38382f26262f64642f7676
99/&&/gg/yy 39392f26262f67672f7979
00/((/ff/xx 30302f28282f66662f7878
11/--/aa/rr 31312f2d2d2f61612f7272
00/--/``/ii 30302f2d2d2f60602f6969
99/%%/cc/mm 39392f25252f63632f6d6d
77/%%/bb/kk 37372f25252f62622f6b6b
33/--/}}/tt 33332f2d2d2f7d7d2f7474
00/,,/||/hh 30302f2c2c2f7c7c2f6868
44/!!//kk 34342f21212f7f7f2f6b6b
88/$$/~~/kk 38382f24242f7e7e2f6b6b
22/^^/yy/zz 32322f5e5e2f79792f7a7a
44/<</xx/ii 34342f3c3c2f78782f6969
11/^^/{{/cc 31312f5e5e2f7b7b2f6363
66/||/zz/tt 36362f7c7c2f7a7a2f7474
33/$$/uu/oo 33332f24242f75752f6f6f
66/##/tt/oo 36362f23232f74742f6f6f
44/../ww/jj 34342f2e2e2f77772f6a6a

この暗号の特徴は以下のようになっていることがわかった。

"/"区切りで3つの場合は数字で、平文は"/"区切りの3番目の文字が決まり、XORの値が固定になっている。
"/"区切りで4つの場合で、4つ目が英小文字の場合は英小文字で、平文は"/"区切りの3番目の文字が決まり、XORの値が固定になっている。
"/"区切りで4つの場合で、4つ目が英大文字の場合は英大文字で、平文は"/"区切りの2番目の文字が決まり、XORの値が固定になっている。
"/"区切りで5つの場合は記号で、平文は"/"区切りの1番目の文字が決まり、XORの値が固定になっている。

各バイトのXORの値を求めれば、復号できる。

import socket
import string

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

def get_elems(k):
    elems = []
    for i in range(0, len(k), 3):
        elems.append(k[i:i+2])
    return elems

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('15.164.159.194', 8006))

data = recvuntil(s, 'choice: ')
key = data.split('\n')[0].split(': ')[1].split(' ')
print data + '1'
s.sendall('1\n')

chars = 'a' * 64
data = recvuntil(s, ': ')
print data + chars
s.sendall(chars + '\n')

data = recvuntil(s, '\n').rstrip()
print data

try_key = data.split(' ')
xor_key = []
for tk in try_key:
    c = ord(get_elems(tk.decode('hex'))[2][0])
    xor_key.append(c ^ ord('a'))

print '[+] XOR Key:', xor_key

pt = ''
for i in range(len(key)):
    elems = get_elems(key[i].decode('hex'))
    if len(elems) == 3:
        code = ord(elems[2][0]) ^ xor_key[i]
    elif len(elems) == 4:
        if elems[3][0] in string.lowercase:
            code = ord(elems[2][0]) ^ xor_key[i]
        else:
            code = ord(elems[1][0]) ^ xor_key[i]
    else:
        code = ord(elems[0][0]) ^ xor_key[i]
    pt += chr(code)

data = recvuntil(s, 'choice: ')
print data + '2'
s.sendall('2\n')

data = recvuntil(s, ': ')
print data + pt
s.sendall(pt+ '\n')

data = s.recv(8192)
print data

実行結果は以下の通り。

Your cipher key: 39392f5e5e2f88882f7373 c2c22f65652f44442f2c2c2f3636 84842f72722f51512f2a2a2f3030 30302fb4b42f79792f5050 37372f25252f8a8a2f7878 30302faeae2f63632f5252 6a6a2f31312fdcdc 31312f2d2d2f8f8f2f6b6b 67672f33332fd9d9 32322f29292f8e8e2f6d6d 32322fa9a92f75752f5959 c3c32f65652f4f4f2f2d2d2f3939 92922f78782f5a5a2f3f3f2f3333 68682f31312fdede d3d32f6d6d2f4f4f2f24242f3939 cece2f73732f50502f24242f3232 69692f36362fc7c7 30302f2d2d2f99992f7373 34342f28282f93932f7474 35352f7e7e2f9c9c2f6969 72722f35352fc7c7 34342f2e2e2f96962f7878 33332f5e5e2f8c8c2f6b6b 30302f23232f95952f6a6a 63632f38382fcdcd 35352fb0b02f74742f4b4b dada2f6d6d2f44442f29292f3535 d8d82f7a7a2f57572f29292f3333 37372fb3b32f79792f5050 40402f69692f48482f60602f3131 20202f6e6e2f4d4d2f3c3c2f3838 34342f2c2c2f7a7a2f6262 79792f31312f3333 30302f5c5c2f66662f5353 39392f21212f77772f6f6f 34342f7c7c2f6d6d2f6969 7a7a2f37372f3636 21212f70702f43432f5e5e2f3232 33332f3f3f2f6e6e2f6868 35352f66662f58582f21212f3636 6b6b2f65652f48482f7e7e2f3737 2d2d2f67672f58582f7e7e2f3737 36362f25252f7d7d2f7777 33332f44442f68682f4d4d 79792f31312f3f3f 3a3a2f6d6d2f57572f3f3f2f3030 33332f50502f75752f5151 32322f29292f71712f7979 30302f29292f77772f6565 35352f66662f48482f7c7c2f3535 39392f56562f66662f4242 37372f79792f4b4b2f26262f3535 34342f24242f6f6f2f6161 37372f41412f70702f4545 38382f6f6f2f57572f7c7c2f3939 33332f7c7c2f60602f7676 30302f5e5e2f73732f4e4e 33332f53532f61612f4747 38382f4c4c2f65652f4f4f 38382f44442f61612f5a5a 33332f4f4f2f6f6f2f4343 0b0b2f66662f48482f3e3e2f3232 35352f7c7c2f45452f6969 7a7a2f37372f1b1b
WELCOME TO CHAOS TOOL:
Description: This is a tool which helps you hide the content of the message
Notes:
- Message cannot contain whitespace characters
- Message can use all characters including punctuation marks and number
- Decrypt the above key to get the flag, len(key) = 64
- All punctuation marks use in plain key: ~`!@#$%^&*()_-+=<,>.?|
- Key is not a meaningful sentence
- Find the rule in this tool
**FEATURES**
<1> Encrypt message
<2> Get the flag
Your choice: 1
Enter your message: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
36362f2c2c2f83832f6262 37372f5f5f2f82822f6464 39392f24242f85852f7575 34342f2c2c2f84842f7979 34342f2c2c2f87872f6868 34342f2a2a2f86862f6d6d 30302f5e5e2f89892f6262 34342f2d2d2f88882f6666 32322f2d2d2f8b8b2f6767 30302f60602f8a8a2f7575 33332f23232f8d8d2f7a7a 38382f3e3e2f8c8c2f6b6b 30302f2d2d2f8f8f2f7777 31312f40402f8e8e2f6d6d 35352f3d3d2f91912f7a7a 37372f7c7c2f90902f7777 39392f7c7c2f93932f6f6f 39392f40402f92922f7272 39392f40402f95952f6868 37372f28282f94942f7070 37372f7e7e2f97972f7676 39392f2b2b2f96962f7a7a 32322f3c3c2f99992f6969 31312f7e7e2f98982f7171 33332f2b2b2f9b9b2f7a7a 36362f5e5e2f9a9a2f6f6f 34342f25252f9d9d2f6464 38382f3e3e2f9c9c2f7979 33332f26262f9f9f2f6e6e 34342f7e7e2f61612f6262 38382f3d3d2f60602f6d6d 36362f2d2d2f63632f7979 33332f21212f62622f6b6b 39392f26262f65652f6464 37372f23232f64642f7070 33332f2d2d2f67672f7777 38382f3c3c2f66662f6c6c 32322f21212f69692f6767 30302f3c3c2f68682f7272 32322f23232f6b6b2f6565 36362f3f3f2f6a6a2f7474 34342f2c2c2f6d6d2f6a6a 31312f2a2a2f6c6c2f6e6e 34342f3c3c2f6f6f2f6b6b 32322f2d2d2f6e6e2f6464 33332f24242f71712f7a7a 33332f21212f70702f6d6d 35352f2a2a2f73732f6a6a 38382f29292f72722f6a6a 38382f25252f75752f6464 37372f3d3d2f74742f6f6f 32322f60602f77772f7272 32322f5e5e2f76762f6363 39392f2b2b2f79792f6969 38382f2a2a2f78782f6e6e 36362f21212f7b7b2f7070 36362f5e5e2f7a7a2f6e6e 31312f5f5f2f7d7d2f6868 32322f7e7e2f7c7c2f7a7a 38382f2c2c2f7f7f2f7777 32322f3c3c2f7e7e2f6a6a 32322f29292f41412f6a6a 33332f2a2a2f40402f7878 37372f2a2a2f43432f7272
[+] XOR Key: [226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34]
**FEATURES**
<1> Encrypt message
<2> Get the flag
Your choice: 2
Please enter the key to get flag: j!`QlI4f3eE.|1#?5jgi1atl7K&%M@!x0Xrk1)g?`!pJ0*Acd!C!xY!zEOQZP+d9
Good job! Here is your flag: Hav3_y0u_had_4_h3adach3_4ga1n??_Forgive_me!^^

>>> import hashlib
>>> hashlib.sha1('Hav3_y0u_had_4_h3adach3_4ga1n??_Forgive_me!^^').hexdigest()
'960caf240a19b8531b4f50807ec0a67c765b8f18'

WhiteHat{960caf240a19b8531b4f50807ec0a67c765b8f18}

Misc 03 (Misc)

PNGの後ろによくわからないデータが付いている。ヘッダ部分を1バイトの鍵でXORのブルートフォースをしてみると、PNGのヘッダになるものがあった。その鍵で復号して画像にする。

def decrypt(s, key):
    dec = ''
    for i in range(len(s)):
        dec += chr(ord(s[i]) ^ key)
    return dec

with open('pied_piper_2', 'rb') as f:
    enc = f.read()

PNG_HEAD = '\x89PNG'

for key in range(256):
    dec = decrypt(enc[:4], key)
    if dec == PNG_HEAD:
        print key
        break

dec = ''
for e in enc:
    code = ord(e) ^ key
    dec += chr(code)

with open('flag.png', 'wb') as f:
    f.write(dec)

f:id:satou-y:20200116221433p:plain
Pigpen cipherの暗号画像になったので、復号する。

ITSNOTMAGI
CITSTALENT
ANDSWEATHE
RESYOURFLA
GPETERGREG
ORY

フラグは"PETERGREGORY"。

$ echo -n PETERGREGORY | sha1sum
135d4281008b8ccddef42be4a7762e68b8a8f579  -

WhiteHat{135d4281008b8ccddef42be4a7762e68b8a8f579}

2020-01-11

BambooFox CTF Writeup

CTF writeup

この大会は2019/12/31 19:00(JST)～2020/1/1 19:00(JST)に開催されました。
今回もチームで参戦。結果は872点で554チーム中41位でした。
自分で解けた問題をWriteupとして書いておきます。

we1c0me (General)

リンク先の動画にフラグが書かれている。
f:id:satou-y:20200111153552p:plain

BAMBOOFOX{we1c0me_t0_B4mbooF0x_CTF}

How2decompyle (Reverse)

ファイルの種類を確認すると、Pythonのバイトコードであるとわかるので、デコンパイルする。

$ file decompyle 
decompyle: python 2.7 byte-compiled
$ mv decompyle decompyle.pyc
$ uncompyle6 decompyle.pyc 
# uncompyle6 version 3.6.0
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.6.8 (default, Oct  9 2019, 14:04:01) 
# [GCC 5.4.0 20160609]
# Embedded file name: decompyle.py
# Compiled at: 2019-09-22 21:18:03
import string
restrictions = [
 'uudcjkllpuqngqwbujnbhobowpx_kdkp_',
 'f_negcqevyxmauuhthijbwhpjbvalnhnm',
 'dsafqqwxaqtstghrfbxzp_x_xo_kzqxck',
 'mdmqs_tfxbwisprcjutkrsogarmijtcls',
 'kvpsbdddqcyuzrgdomvnmlaymnlbegnur',
 'oykgmfa_cmroybxsgwktlzfitgagwxawu',
 'ewxbxogihhmknjcpbymdxqljvsspnvzfv',
 'izjwevjzooutelioqrbggatwkqfcuzwin',
 'xtbifb_vzsilvyjmyqsxdkrrqwyyiu_vb',
 'watartiplxa_ktzn_ouwzndcrfutffyzd',
 'rqzhdgfhdnbpmomakleqfpmxetpwpobgj',
 'qggdzxprwisr_vkkipgftuvhsizlc_pbz',
 'jerzhlnsegcaqzathfpuufwunakdtceqw',
 'lbvlyyrugffgrwo_v_zrqvqszchqrrljq',
 'aiwuuhzbszvfpidwwkl_wynlujbsbhfox',
 'vmhrizxtiegxdxsqcdoiyxkffloudwtxg',
 'tffjnabob_jbf_qiszdsemczghnjysmah',
 'zrqkppvynlkelnevngwlkhgaputhoagtt',
 'nl_oojyafwoqccbedijmigpedkdzglq_f',
 'cksy_skctjlyxktuzchvstunyvcvabomc',
 'ppcxleeguvhvhengmvac_bykhzqohjuei',
 '_clmaicjrrzhwd_fescyaejtbyefxyihy',
 'hhopvwsmjtpjiffzatyhjrev_dwnsidyo',
 'sjevtrmkkk_zjalxrxfovjsbcxjx_pskp',
 'gnynwuuqypddbsylparpcczqimimqmvdl',
 'bxitcmhnmanwuhvjxnqeoiimlegrmkjra']
capital = [
 0, 4, 9, 19, 23, 26]
flag = raw_input('Please tell me something : ').lower()
flag = flag.lower()
if len(flag) != len(restrictions[0]):
    print 'No......You are wrong orzzzzz'
    exit(0)
for f in range(len(flag)):
    for r in restrictions:
        if flag[f] not in string.lowercase + '_' or flag[f] == r[f]:
            print 'No......You are wrong orzzzzzzzzzzzz'
            exit(0)

cap_flag = ''
for f in range(len(flag)):
    if f in capital:
        cap_flag += flag[f].upper()
    else:
        cap_flag += flag[f]

print 'Yeah, you got it !\nBambooFox{' + cap_flag + '}\n'
# okay decompiling decompyle.pyc

以下の条件を満たすものを探す。

・flagはrestrictions[0]と同じ長さ
・以下のいずれか
　・flagは英小文字や_でない。
　・restrictionsの各バイト目で使われていない。

import string

def check_no_char(s):
    chars = string.lowercase + '_'
    for c in chars:
        if c not in s:
            return c
    return ''

restrictions = [
    'uudcjkllpuqngqwbujnbhobowpx_kdkp_',
    'f_negcqevyxmauuhthijbwhpjbvalnhnm',
    'dsafqqwxaqtstghrfbxzp_x_xo_kzqxck',
    'mdmqs_tfxbwisprcjutkrsogarmijtcls',
    'kvpsbdddqcyuzrgdomvnmlaymnlbegnur',
    'oykgmfa_cmroybxsgwktlzfitgagwxawu',
    'ewxbxogihhmknjcpbymdxqljvsspnvzfv',
    'izjwevjzooutelioqrbggatwkqfcuzwin',
    'xtbifb_vzsilvyjmyqsxdkrrqwyyiu_vb',
    'watartiplxa_ktzn_ouwzndcrfutffyzd',
    'rqzhdgfhdnbpmomakleqfpmxetpwpobgj',
    'qggdzxprwisr_vkkipgftuvhsizlc_pbz',
    'jerzhlnsegcaqzathfpuufwunakdtceqw',
    'lbvlyyrugffgrwo_v_zrqvqszchqrrljq',
    'aiwuuhzbszvfpidwwkl_wynlujbsbhfox',
    'vmhrizxtiegxdxsqcdoiyxkffloudwtxg',
    'tffjnabob_jbf_qiszdsemczghnjysmah',
    'zrqkppvynlkelnevngwlkhgaputhoagtt',
    'nl_oojyafwoqccbedijmigpedkdzglq_f',
    'cksy_skctjlyxktuzchvstunyvcvabomc',
    'ppcxleeguvhvhengmvac_bykhzqohjuei',
    '_clmaicjrrzhwd_fescyaejtbyefxyihy',
    'hhopvwsmjtpjiffzatyhjrev_dwnsidyo',
    'sjevtrmkkk_zjalxrxfovjsbcxjx_pskp',
    'gnynwuuqypddbsylparpcczqimimqmvdl',
    'bxitcmhnmanwuhvjxnqeoiimlegrmkjra']
capital = [0, 4, 9, 19, 23, 26]

flag = ''
for i in range(len(restrictions[0])):
    s = ''
    for j in range(len(restrictions)):
        s += restrictions[j][i]
    flag += check_no_char(s)

cap_flag = ''
for f in range(len(flag)):
    if f in capital:
        cap_flag += flag[f].upper()
    else:
        cap_flag += flag[f]

print 'Yeah, you got it !\nBambooFox{' + cap_flag + '}\n'

BambooFox{You_Know_Decompyle_And_Do_Reverse}

I can't see you! (Misc)

rarファイルにはパスワードがかかっている。johnでクラックする。

$ rar2john what.rar > hash.txt
$ john --wordlist=dict/rockyou.txt hash.txt --rules
Loaded 1 password hash (RAR5 [PBKDF2-SHA256 128/128 SSE4.1 4x])
Warning: OpenMP is disabled; a non-OpenMP build may be faster
Press 'q' or Ctrl-C to abort, almost any other key for status
blind            (what.rar)
1g 0:00:03:02 DONE (2019-12-31 21:06) 0.005474g/s 105.6p/s 105.6c/s 105.6C/s bre123..benten
Use the "--show" option to display all of the cracked passwords reliably
Session completed

パスワードblindで解凍すると、点字の画像が展開される。

f:id:satou-y:20200111154303p:plain

点字を文字にデコードする。

BAMBOOFOX
{ YA_YOU_
KNOW_WHAT_
BLIND_
MEANS }

BAMBOOFOX{YA_YOU_KNOW_WHAT_BLIND_MEANS}

Find the Cat (Misc)

$ binwalk cat.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 739 x 554, 8-bit/color RGBA, non-interlaced
101           0x65            Zlib compressed data, best compression
371382        0x5AAB6         PNG image, 739 x 554, 8-bit/color RGBA, non-interlaced
371483        0x5AB1B         Zlib compressed data, best compression

後ろにPNGがもう一つ付いている。

$ foremost cat.png
Processing: cat.png
|*|

似たような画像がもう一つ入っていた。差分を白黒で画像にしてみる。

from PIL import Image

img1 = Image.open('00000000.png').convert('RGB')
img2 = Image.open('00000725.png').convert('RGB')
w, h = img1.size

output_img = Image.new('RGB', (w, h), (255, 255, 255))

for y in range(0, h):
    for x in range(0, w):
        r1, g1, b1 = img1.getpixel((x, y))
        r2, g2, b2 = img2.getpixel((x, y))

        if r1 == r2 and g1 == g2 and b1 == b2:
            output_img.putpixel((x, y), (255, 255, 255))
        else:
            output_img.putpixel((x, y), (0, 0, 0))

output_img.save('diff.png')

f:id:satou-y:20200111154552p:plain
QRコードになったので、読み取る。

https://imgur.com/download/Xrv86y2

このURLにアクセスすると、Xrv86y2 - Imgur.jpgがダウンロードできた。バイナリエディタで見るとPrintableな文字ばかり含まれているので、BAMBOOFOXで検索してみると、フラグが見つかった。
f:id:satou-y:20200111154629p:plain

BAMBOOFOX{Y0u_f1nd_th3_h1dd3n_c4t!!!}

oracle (Crypto)

$ nc 34.82.101.212 20001
1) Info
2) Decrypt
3) Exit
> 1
c = 3707379833111040015783163740193874788414803250531435971653144043446898319590407294871874573636048964074059158735677108453718201912319567996556576283315815748346821418011805401072680103982963210417620997185812458739089731859722602065043829112903847812848345496034190632584920309575488320362226972676630275524
n = 96194794049596317702519938191271814417816716400282810425930600761352066370293757401367088699070463576925336421861089418264302022319363405255438953242163929922974851426935044638903429374717691402537243254925572965917089355609141962782853759805533770299159601171220779548891129054688964114370404823325735253993
1) Info
2) Decrypt
3) Exit
> 2
c = 123
m = 1
1) Info
2) Decrypt
3) Exit
> 3

復号した結果を3で割った数がわかる。2で割った数がわかる場合は通常のRSA LSB Decryption Oracle Attackで解けるが、そのままでは解けないので、RSA LSB Decryption Oracle Attackの原理を考え、スクリプトをカスタマイズする。

fを復号関数とする。
a = 3^e mod n
-> f(a^i * c) = (3^i * m mod n) mod 3

i = 1の場合、f(a * c) = (3*m mod n) mod 3

以下の条件を満たす
・3m < 3n
・3m / n = 0 or 1 or 2

★n % 3 == 1

☆f(ac) = 2
　3*m mod n ⇒ n < 3*m < 2*n
　⇒ n/3 < m < n*2/3

☆f(ac) = 1
　3*m mod n ⇒ 2*n < 3*m < 3*n
　⇒ n*2/3 < m < n

☆f(ac) = 0
　3*m mod n ⇒ 0 < 3*m < n
　⇒ 0 < m < n/3

★n % 3 == 2

☆f(ac) = 2
　3*m mod n ⇒ 2*n < 3*m < 3*n
　⇒ n*2/3 < m < n

☆f(ac) = 1
　3*m mod n ⇒ n < 3*m < 2*n
　⇒ n/3 < m < n*2/3

☆f(ac) = 0
　3*m mod n ⇒ 0 < 3*m < n
　⇒ 0 < m < n/3

from fractions import Fraction
from Crypto.Util.number import *
import socket

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

def remainder_oracle(enc):
    data = recvuntil(s, '>')
    print data + '2'
    s.sendall('2\n')
    data = recvuntil(s, '= ')
    print data + str(enc)
    s.sendall(str(enc) + '\n')
    data = recvuntil(s, '\n').rstrip()
    print data
    m = int(data.split(' = ')[1])
    return m

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('34.82.101.212', 20001))

data = recvuntil(s, '>')
print data + '1'
s.sendall('1\n')
data = recvuntil(s, '\n').rstrip()
print data
c = int(data.split(' = ')[1])
data = recvuntil(s, '\n').rstrip()
print data
n = int(data.split(' = ')[1])
e = 65537

bounds = [0, Fraction(n)]

i = 0
m = 0
while True:
    print 'Round %d' % (i + 1)
    i += 1

    c2 = (c * pow(3, e, n)) % n
    remainder = remainder_oracle(c2)

    diff = bounds[1] -  bounds[0]
    if remainder == 2:
        if n % 3 == 1:
            bounds[0] = bounds[0] + diff/3
            bounds[1] = bounds[1] - diff/3
        elif n % 3 == 2:
            bounds[0] = bounds[1] - diff/3
    elif remainder == 1:
        if n % 3 == 1:
            bounds[0] = bounds[1] - diff/3
        elif n % 3 == 2:
            bounds[0] = bounds[0] + diff/3
            bounds[1] = bounds[1] - diff/3
    else:
        bounds[1] = bounds[0] + diff/3
    diff = bounds[1] - bounds[0]
    diff = diff.numerator / diff.denominator
    if diff == 0:
        m = bounds[1].numerator / bounds[1].denominator
        break
    c = c2

flag = long_to_bytes(m)
print flag

BAMBOOFOX{SimPlE0RACl3}

2020-01-05

hxp 36C3 CTF Writeup

CTF writeup

この大会は2019/12/28 5:00(JST)～2019/12/30 5:00(JST)に開催されました。
今回もチームで参戦。結果は105点で321チーム中122位でした。
自分で解けた問題をWriteupとして書いておきます。

1337 skills (ZAJ)

Google PlayのサイトのWILD Skillsというアプリへのリンクが提示されている。GooglePlayからapkとしてファイルを入手する。Bytecode Viewerで入手したapkファイルを開き、コードを見てみる。

public class MainActivity extends Activity {

                :

   public void activateApp(View var1) {
      int var2;
      try {
         var2 = Integer.parseInt(this.editTextActivation.getText().toString());
      } catch (NumberFormatException var5) {
         var2 = -1;
      }

      Calendar var6 = Calendar.getInstance();
      if (var2 == (int)(Math.pow((double)(var6.get(3) * var6.get(1)), 2.0D) % 999983.0D)) {
         this.findViewById(2131296458).setVisibility(4);
         ((InputMethodManager)this.getSystemService("input_method")).hideSoftInputFromWindow(this.editTextActivation.getWindowToken(), 0);
         Editor var7 = this.prefsmain.edit();
         var7.putBoolean("Activated", true);
         long var3 = (new Date()).getTime();
         var7.putLong("Installed", var3);
         var7.putLong("ActivationDate", var3);
         var7.commit();
      } else {
         Toast.makeText(this, "Ungültiger Aktivierungscode", 1).show();
         this.editTextActivation.requestFocus();
         ((InputMethodManager)this.getSystemService("input_method")).showSoftInput(this.editTextActivation, 1);
      }

   }

                :

   public void courseActivation(View var1) {
      String var4 = ((EditText)this.findViewById(2131296341)).getText().toString();
      int var2 = activateCourse;
      Editor var3;
      StringBuilder var5;
      if (var2 != 3) {
         switch(var2) {
         case 0:
            if (var4.equals("sgk258")) {
               course = activateCourse;
               activateCourse = -1;
               this.setCourse();
               ((InputMethodManager)this.getSystemService("input_method")).hideSoftInputFromWindow(this.editTextActivation.getWindowToken(), 0);
               Editor var6 = this.prefsmain.edit();
               StringBuilder var7 = new StringBuilder();
               var7.append("Activated");
               var7.append(course);
               var6.putBoolean(var7.toString(), true);
               var6.apply();
            } else {
               Toast.makeText(this, "Ungﾃｼltiger Aktivierungscode", 1).show();
            }
            break;
         case 1:
            if (var4.equals("wmt275")) {
               course = activateCourse;
               activateCourse = -1;
               this.setCourse();
               ((InputMethodManager)this.getSystemService("input_method")).hideSoftInputFromWindow(this.editTextActivation.getWindowToken(), 0);
               var3 = this.prefsmain.edit();
               var5 = new StringBuilder();
               var5.append("Activated");
               var5.append(course);
               var3.putBoolean(var5.toString(), true);
               var3.apply();
            } else {
               Toast.makeText(this, "Ungﾃｼltiger Aktivierungscode", 1).show();
            }
         }
      } else if (var4.equals("udh736")) {
         course = activateCourse;
         activateCourse = -1;
         this.setCourse();
         ((InputMethodManager)this.getSystemService("input_method")).hideSoftInputFromWindow(this.editTextActivation.getWindowToken(), 0);
         var3 = this.prefsmain.edit();
         var5 = new StringBuilder();
         var5.append("Activated");
         var5.append(course);
         var3.putBoolean(var5.toString(), true);
         var3.apply();
      } else {
         Toast.makeText(this, "Ungﾃｼltiger Aktivierungscode", 1).show();
      }

   }

                :
}

activateAppメソッドの以下の部分の条件を確認する。

if (var2 == (int)(Math.pow((double)(var6.get(3) * var6.get(1)), 2.0D) % 999983.0D)) {

$ cat ActivateCode.java
import java.util.Calendar;

class ActivateCode {
    public static void main(String args[]){
        int var2;
        Calendar var6 = Calendar.getInstance();
        var2 = (int)(Math.pow((double)(var6.get(3) * var6.get(1)), 2.0D) % 999983.0D);
        System.out.println(var2);
    }
}
$ javac ActivateCode.java
$ java ActivateCode
667518

あとはcourseActivationに書いてあるコードを指定する。

$ nc 88.198.154.132 7002
Activation code: 
667518
activated!
Sales activation code: 
sgk258
activated!
Leadership activation code: 
wmt275
activated
Service Roadmap (SRM) activation code: 
udh736
activated!
Congratulations please give me your name: 
hogehoge　←適当
   ______________________________
 / \                             \.
|   |                            |.
 \_ |                            |.
    | Certificate of Attendance  |.
    |                            |.
    |  This is to certify that   |.
    |                            |.
    |          hogehoge          |.
    |                            |.
    |        has attended        |.
    |                            |.
    | **The baby rev challenge** |.
    |                            |.
    |                            |.
    |                       hxp  |.
    |                            |.
    | -------------------------- |.
    |                            |.
    |hxp{thx_f0r_4773nd1n6_70d4y}|.
    |                            |.
    |   _________________________|___
    |  /                            /.
    \_/____________________________/.

hxp{thx_f0r_4773nd1n6_70d4y}

2020-01-04

#kksctf open 2019 Writeup

CTF writeup

この大会は2019/12/28 16:00(JST)～2019/12/29 16:00(JST)に開催されました。
今回もチームで参戦。結果は1746点で393チーム中41位でした。
自分で解けた問題をWriteupとして書いておきます。

Xmas Tree (Misc)

クリスマスツリーのASCIIアートのあるページのHTMLソースを見る。

		<pre id="background">
                               <span style="color: red;">$</span>
                              <span style="color: red;">:$$</span>
                         <span style="color: red;">seeee$$$Neeee</span>
                           <span style="color: red;">R$$$F$$$$F</span>
                             <span style="color: red;">$$$$$$</span>
                            <span style="color: red;">@$$P*$$B</span>
                           <span style="color: red;">z$</span>#"  $#<span style="color: red;">$b</span>
                           " d   'N "
                            @"     ?r
                          xF .       "N
                       .$> P54.R       `$
                     $*   '*"$$$  uoP***~
                      #Noo "?$N"   #oL
                         f       o$#<span style="color: violet;">$$}</span>e.
                        $  @b    hoR$$r ^"$$b
                     .M   ?B$E   *.B$$       .R
                   .*     *\ *.4*R         ..*
                oo#     ooL    d#R.     P##~
                $c    .""P#$  @   P     k
                  R$r <span style="color: yellow;">w_y</span>L$$  P  "r     'N
                    ^$ "$$$` $.....JL     "N.
                  .$\           * P5"LR      $..
               ..* 4*R     xr    'PFN$$   .k    "*****.
            od#"   d#*.  "*$$P~   "?$*" '<span style="color: tomato;">kks{</span>"       u"
         e""      f   M   @F"$  ec       x$"$.     :"
         M        >  "d       $$$$?$           .$$F`
          "P..  .$.....$L $$.4$$. "   @#3$$   $E.
             '**..  *   R..$$ `R$*k.  f<span style="color: skyblue;">m@d</span>$>     *..
               J"       *k$$$~  "*$**o$o$$P        '*oo.
              P           #        "$$$#*o          >  '####*oooo
           .e"            :e$$e.  F3  ^"$P  :$$s :e@$ee        s"
         $P` <span style="color: orange;">n3</span>>    $P$$k "$"?$3 @"#N      CxN$$> .$$$       .P
      M$~   J\##   44N>$$  .d$.$d   @&      `$$$  F  .8..$$$*
  .***     :   JM   *d$$*.$$.P  M  .P5     M          **.
  "oo      J  .dP    ud$$od#   $oooooo$  oo$oo           ###ou
     "####$beeee$.'$eeP#~        ""      $<span style="color: greenyellow;">34r_</span>    e$$$o       #heeee
        :"    " z$r ^            o$N     '"  "   4$z>$$             """#$$$
       .~      F$4$B       r    F @#$.       ..   $8$$P M7                $
     .*  $     8 $$B     .J$..  hP$$$F     .'PB$       J~##             .d~
   .P  *<span style="color: blue;">n3</span>$*    "*"       $$$    #**~      hdM$$>     <   JM.......*****
 .P     $#*k       .o#>  P" "k   ..         '$$P      d  .JP'h
"""hr ^        xe""  >          ""c           ee    @beeeee$.)
      """t$$$$F"      M        $`   R          > "$r     "     "c
                              <span style="color: brown;">oooooooooo</span>
                              <span style="color: brown;">z        z</span>
                              <span style="color: brown;">z.,ze.$$$z</span>
                </pre>

spanタグの中にフラグが入っている。

<span style="color: violet;">$$}</span>
<span style="color: yellow;">w_y</span>
<span style="color: tomato;">kks{</span>
<span style="color: skyblue;">m@d</span>
<span style="color: orange;">n3</span>
<span style="color: greenyellow;">34r_</span>
<span style="color: blue;">n3</span>

虹の色で順に並べる。

kks{n3w_y34r_m@dn3$$}

ru!e5p@g3 (Misc)

ルールが記載されている箇所にフラグのサンプルが書いてある。

kks{w3lcom3_to_0ur_ru!e5p@g3}

Stego Warmup (Misc)

jpgが添付されている。EXIF情報を見てみる。

$ exiftool stego50.jpg 
ExifTool Version Number         : 10.10
File Name                       : stego50.jpg
Directory                       : .
File Size                       : 218 kB
File Modification Date/Time     : 2019:12:28 20:09:10+09:00
File Access Date/Time           : 2019:12:28 20:13:33+09:00
File Inode Change Date/Time     : 2019:12:28 20:09:10+09:00
File Permissions                : rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : inches
X Resolution                    : 72
Y Resolution                    : 72
XMP Toolkit                     : Image::ExifTool 11.11
Author                          : kks{just_s1ml3_st3g0}
Comment                         : Created with GIMP
Image Width                     : 622
Image Height                    : 860
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 622x860
Megapixels                      : 0.535

Authorにフラグが設定されていた。

kks{just_s1ml3_st3g0}

kacker Bob and kacker Alice (Cryptography)

nとc1～c3が与えられている。おそらくRSA暗号で、nはそれほど大きくないので、nを素因数分解する。

n = 13037609104445998727 * 16003250919732396127

eはとりあえず65537で決め打ち。あとはc1から順に復号し、結合する。

from Crypto.Util.number import *

n = 208644129891836890527171768061301730329

c1 = 173743301171240370198046699578309731314
c2 = 18997024455485040483743919351219518166
c3 = 49337945995780286416188917529635194536

p = 13037609104445998727
q = 16003250919732396127
phi = (p - 1) * (q - 1)

e = 65537
d = inverse(e, phi)

m1 = pow(c1, d, n)
m2 = pow(c2, d, n)
m3 = pow(c3, d, n)
flag = long_to_bytes(m1) + long_to_bytes(m2) + long_to_bytes(m3)
print flag

kks{sm4ll_rs4_c4n_br3k_all_ur_creptographix}

Message from base (Cryptography)

たぶん問題名からも何進数かが使われている。"l"まで使われているので、最低22進数と推定して、デコードしてみる。

from Crypto.Util.number import *

enc = '2bi4j2fcjli84edk07kbjj3cggg3k5ih0hcgg710260lak1ibead1gf15hflb5f41'

val = int(enc, 22)
flag = long_to_bytes(val)
print flag

kks{do_y0u_know_h0w_3nc0d1ng_w0rk$?}

Every day i'm shuffling (Cryptography)

乱数を使って、ファイル名とファイル内のメッセージをシャッフルしている。seedはファイル名の長さの範囲のため、ブルートフォースで求められる。さらに同じ長さのデータでシャッフル後にどの位置が来るかが分かれば、元に戻せる。

#!/usr/bin/env python3
from random import *

def Shuffle(p, data):
    buf = list(data)
    for i in range(len(data)):
        buf[i] = data[p[i]]
    return ''.join(buf)

file_name = 'message_from_above'

for seed_val in range(1, len(file_name) + 1):
    file_name = 'message_from_above'
    seed(seed_val)
    file_name = list(file_name)
    shuffle(file_name)
    if ''.join(file_name) == 'fsegovs_meaoerbma_':
        break

with open('fsegovs_meaoerbma_.txt', 'r') as f:
    enc = f.read()

p = list(range(len(enc)))
shuffle(p)

place = []
for i in range(len(enc)):
    try_pt = '0' * i + '1' + '0' * (len(enc) - i - 1)
    data = Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,Shuffle(p,try_pt))))))))))))))))))))))))))))))))))))))))
    place.append(data.index('1'))

msg = ''
for i in range(len(enc)):
    msg += enc[place[i]]

print(msg)

実行結果は以下の通り。

Once upon a midnight dreary, while I pondered, weak and weary,
Over many a quaint and curious volume of forgotten lore—
    While I nodded, nearly napping, suddenly there came a tapping,
As of some one gently rapping, rapping at my chamber door.
“’Tis some visitor,” I muttered, “tapping at my chamber door—
            Only this and nothing more.”

    Ah, distinctly I remember it was in the bleak December;
And each separate dying ember wrought its ghost upon the floor.
    Eagerly I wished the morrow;—vainly I had sought to borrow
    From my books surcease of sorrow—sorrow for the lost Lenore—
For the rare and radiant maiden whom the angels name Lenore—
            Nameless here for evermore.

    And the silken, sad, uncertain rustling of each purple curtain
Thrilled me—filled me with fantastic terrors never felt before;
    So that now, to still the beating of my heart, I stood repeating
    “’Tis some visitor entreating entrance at my chamber door—
Some late visitor entreating entrance at my chamber door;—
            This it is and nothing more.”

    Presently my soul grew stronger; hesitating then no longer,
“Sir,” said I, “or Madam, truly your forgiveness I implore;
    But the fact is I was napping, and so gently you came rapping,
    And so faintly you came tapping, tapping at my chamber door,
That I scarce was sure I heard you”—here I opened wide the door;—
            Darkness there and nothing more.

    Deep into that darkness peering, long I stood there wondering, fearing,
Doubting, dreaming dreams no mortal ever dared to dream before;
    But the silence was unbroken, and the stillness gave no token,
    And the only word there spoken was the whispered word, “Lenore?”
This I whispered, and an echo murmured back the word, “Lenore!”—
            Merely this and nothing more.

    Back into the chamber turning, all my soul within me burning,
Soon again I heard a tapping somewhat louder than before.
    “Surely,” said I, “surely that is something at my window lattice;
      Let me see, then, what thereat is, and this mystery explore—
Let my heart be still a moment and this mystery explore;—
            ’Tis the wind and nothing more!”

    Open here I flung the shutter, when, with many a flirt and flutter,
In there stepped a stately Raven of the saintly days of yore;
    Not the least obeisance made he; not a minute stopped or stayed he;
    But, with mien of lord or lady, perched above my chamber door—
Perched upon a bust of Pallas just above my chamber door—
            Perched, and sat, and nothing more.

Then this ebony bird beguiling my sad fancy into smiling,
By the grave and stern decorum of the countenance it wore,
“Though thy crest be shorn and shaven, thou,” I said, “art sure no craven,
Ghastly grim and ancient Raven wandering from the Nightly shore—
Tell me what thy lordly name is on the Night’s Plutonian shore!”
            Quoth the Raven “kks{5huffl3_5huffl3_5huffl3}”

kks{5huffl3_5huffl3_5huffl3}