WPICTF 2019 Writeup

CTF writeup

この大会は2019/4/13 5:00(JST)~2019/4/15 8:00(JST)に開催されました。
今回もチームで参戦。結果は856点で586チーム中53位でした。
自分で解けた問題をWriteupとして書いておきます。

can you read (Intro 1)

問題にフラグが書いてあった。

WPI{y3s_y0u_cAN_r33d}

Discord (Intro 5)

Discordに入ってピン止めされたメッセージを見る。その中にフラグがあった。

WPI{Welcome_to_our_discord}

WebInspect (Web 25)

HTMLソースのコメントにフラグがあった。

WPI{Inspect0r_Gadget}

strings (Reversing 50)

$ strings strings | grep WPI{
WPI{
warbleglarblesomejunkWPI{What_do_you_mean_I_SEE_AHH_SKI}0x13376969

WPI{What_do_you_mean_I_SEE_AHH_SKI}

zoomercrypt (Crypto 50)

顔文字をUnicodeに置き換える。

U+1F603
U+1F601
U+1F615

U+1F617
U+1F608

U+1F617
U+1F607

U+1F60B
U+1F604
U+1F617
{
U+1F606
U+1F613
U+1F604
U+1F613
U+1F602
U+1F608
_
U+1F60E
U+1F603
U+1F603
U+1F601
U+1F613
U+1F606
U+1F607
}

フラグの部分が"WPI{"になるようにコードを変換して復号する。

unicodes = [0x1F603, 0x1F601, 0x1F615, 0, 0x1F617, 0x1F608, 0, 0x1F617, 
    0x1F607, 0, 0x1F60B, 0x1F604, 0x1F617, 1, 0x1F606, 0x1F613, 0x1F604, 
    0x1F613,0x1F602, 0x1F608, 2, 0x1F60E, 0x1F603, 0x1F603, 0x1F601,
    0x1F613, 0x1F606, 0x1F607, 3]
unicode_base1 = 0x1F5B4
unicode_base2 = 0x1F5CE

msg = ''
for unicode in unicodes:
    if unicode == 0:
        msg += ' '
    elif unicode == 1:
        msg += '{'
    elif unicode == 2:
        msg += '_'
    elif unicode == 3:
        msg += '}'
    elif unicode < 0x1F610:
        code = unicode - unicode_base1
        msg += chr(code)
    else:
        code = unicode - unicode_base2
        msg += chr(code)

print msg

実行結果は以下の通り。

OMG IT IS WPI{REPENT_ZOOMERS}

WPI{REPENT_ZOOMERS}

jocipher (Crypto 100)

Easy Python Decompilerでデコンパイルする。

# Embedded file name: ./jocipher.py
import argparse, re
num = ''
first = ''
second = ''
third = ''

def setup():
    global third
    global second
    global num
    global first
    num += '1'
    num += '2'
    num += '3'
    num += '4'
    num += '5'
    num += '6'
    num += '7'
    num += '8'
    num += '9'
    num += '0'
    first += 'q'
    first += 'w'
    first += 'e'
    first += 'r'
    first += 't'
    first += 'y'
    first += 'u'
    first += 'i'
    first += 'o'
    first += 'p'
    second += 'a'
    second += 's'
    second += 'd'
    second += 'f'
    second += 'g'
    second += 'h'
    second += 'j'
    second += 'k'
    second += 'l'
    third += 'z'
    third += 'x'
    third += 'c'
    third += 'v'
    third += 'b'
    third += 'n'
    third += 'm'


def encode(string, shift):
    result = ''
    for i in range(len(string)):
        char = string.lower()[i]
        if char in num:
            new_char = num[(num.index(char) + shift) % len(num)]
            result += new_char
        elif char in first:
            new_char = first[(first.index(char) + shift) % len(first)]
            if string[i].isupper():
                result += new_char.upper()
            else:
                result += new_char
        elif char in second:
            new_char = second[(second.index(char) + shift) % len(second)]
            if string[i].isupper():
                result += new_char.upper()
            else:
                result += new_char
        elif char in third:
            new_char = third[(third.index(char) + shift) % len(third)]
            if string[i].isupper():
                result += new_char.upper()
            else:
                result += new_char
        else:
            result += char

    print result
    return 0


def decode(string, shift):
    result = ''
    shift = -1 * shift
    for i in range(len(string)):
        char = string.lower()[i]
        if char in num:
            new_char = num[(num.index(char) + shift) % len(num)]
            result += new_char
        elif char in first:
            new_char = first[(first.index(char) + shift) % len(first)]
            if string[i].isupper():
                result += new_char.upper()
            else:
                result += new_char
        elif char in second:
            new_char = second[(second.index(char) + shift) % len(second)]
            if string[i].isupper():
                result += new_char.upper()
            else:
                result += new_char
        elif char in third:
            new_char = third[(third.index(char) + shift) % len(third)]
            if string[i].isupper():
                result += new_char.upper()
            else:
                result += new_char
        else:
            result += char

    print result
    return 0


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('--string', '-s', type=str, required=True, help='the string to encode or decode')
    parser.add_argument('--shift', '-t', type=int, required=True, help='the shift value to use')
    parser.add_argument('--encode', '-e', required=False, action='store_true', help='encode the string')
    parser.add_argument('--decode', '-d', required=False, action='store_true', help='decode the string')
    args = parser.parse_args()
    setup()
    p = re.compile('[a-zA-Z0-9\\-{}]')
    if p.match(args.string) is not None:
        if args.encode:
            ret = encode(args.string, args.shift)
        elif args.decode:
            ret = decode(args.string, args.shift)
        if ret is not 0:
            print 'Sorry, this cipher only uses the [a-zA-Z0-9\\-{}]'
    else:
        print 'Sorry, this cipher only uses the [a-zA-Z0-9\\-{}]'
    return


if __name__ == '__main__':
    main()

デコードする処理もあるので、そのまま使う。num, first, second, thirdでそれぞれシフトするのだが、構成する数が異なり、10, 10, 9, 7になっている。シフト数は最小公倍数の630回までパターンがあるので、全候補を確認する。

num = ''
first = ''
second = ''
third = ''

def setup():
    global third
    global second
    global num
    global first
    num += '1'
    num += '2'
    num += '3'
    num += '4'
    num += '5'
    num += '6'
    num += '7'
    num += '8'
    num += '9'
    num += '0'
    first += 'q'
    first += 'w'
    first += 'e'
    first += 'r'
    first += 't'
    first += 'y'
    first += 'u'
    first += 'i'
    first += 'o'
    first += 'p'
    second += 'a'
    second += 's'
    second += 'd'
    second += 'f'
    second += 'g'
    second += 'h'
    second += 'j'
    second += 'k'
    second += 'l'
    third += 'z'
    third += 'x'
    third += 'c'
    third += 'v'
    third += 'b'
    third += 'n'
    third += 'm'

def decode(string, shift):
    result = ''
    shift = -1 * shift
    for i in range(len(string)):
        char = string.lower()[i]
        if char in num:
            new_char = num[(num.index(char) + shift) % len(num)]
            result += new_char
        elif char in first:
            new_char = first[(first.index(char) + shift) % len(first)]
            if string[i].isupper():
                result += new_char.upper()
            else:
                result += new_char
        elif char in second:
            new_char = second[(second.index(char) + shift) % len(second)]
            if string[i].isupper():
                result += new_char.upper()
            else:
                result += new_char
        elif char in third:
            new_char = third[(third.index(char) + shift) % len(third)]
            if string[i].isupper():
                result += new_char.upper()
            else:
                result += new_char
        else:
            result += char

    return result

enc = 'PIY{zsxh-sqrvufwh-nfgl}'

setup()

for i in range(630):
    flag = decode(enc, i)
    if flag.startswith('WPI{'):
        print flag

実行結果は以下の通りで、意味の通りそうなものがフラグとなる。

WPI{mdzj-deycogrj-bgha}
WPI{vsbh-seymofrh-xfgl}
WPI{zaxg-aeyvodrg-ndfk}
WPI{blnf-leyzosrf-csdj}
WPI{xkcd-keyboard-mash}★
WPI{njms-jeyxolrs-vlag}
WPI{chva-heynokra-zklf}
WPI{mgzl-geycojrl-bjkd}
WPI{vfbk-feymohrk-xhjs}
WPI{zdxj-deyvogrj-ngha}
WPI{bsnh-seyzofrh-cfgl}
WPI{xacg-aeybodrg-mdfk}
WPI{nlmf-leyxosrf-vsdj}
WPI{ckvd-keynoard-zash}
WPI{mjzs-jeycolrs-blag}
WPI{vhba-heymokra-xklf}
WPI{zgxl-geyvojrl-njkd}
WPI{bfnk-feyzohrk-chjs}
WPI{xdcj-deybogrj-mgha}
WPI{nsmh-seyxofrh-vfgl}
WPI{cavg-aeynodrg-zdfk}
WPI{mlzf-leycosrf-bsdj}
WPI{vkbd-keymoard-xash}
WPI{zjxs-jeyvolrs-nlag}
WPI{bhna-heyzokra-cklf}
WPI{xgcl-geybojrl-mjkd}
WPI{nfmk-feyxohrk-vhjs}
WPI{cdvj-deynogrj-zgha}
WPI{mszh-seycofrh-bfgl}
WPI{vabg-aeymodrg-xdfk}
WPI{zlxf-leyvosrf-nsdj}
WPI{bknd-keyzoard-cash}
WPI{xjcs-jeybolrs-mlag}
WPI{nhma-heyxokra-vklf}
WPI{cgvl-geynojrl-zjkd}
WPI{mfzk-feycohrk-bhjs}
WPI{vdbj-deymogrj-xgha}
WPI{zsxh-seyvofrh-nfgl}
WPI{bang-aeyzodrg-cdfk}
WPI{xlcf-leybosrf-msdj}
WPI{nkmd-keyxoard-vash}
WPI{cjvs-jeynolrs-zlag}
WPI{mhza-heycokra-bklf}
WPI{vgbl-geymojrl-xjkd}
WPI{zfxk-feyvohrk-nhjs}
WPI{bdnj-deyzogrj-cgha}
WPI{xsch-seybofrh-mfgl}
WPI{namg-aeyxodrg-vdfk}
WPI{clvf-leynosrf-zsdj}
WPI{mkzd-keycoard-bash}
WPI{vjbs-jeymolrs-xlag}
WPI{zhxa-heyvokra-nklf}
WPI{bgnl-geyzojrl-cjkd}
WPI{xfck-feybohrk-mhjs}
WPI{ndmj-deyxogrj-vgha}
WPI{csvh-seynofrh-zfgl}
WPI{mazg-aeycodrg-bdfk}
WPI{vlbf-leymosrf-xsdj}
WPI{zkxd-keyvoard-nash}
WPI{bjns-jeyzolrs-clag}
WPI{xhca-heybokra-mklf}
WPI{ngml-geyxojrl-vjkd}
WPI{cfvk-feynohrk-zhjs}
WPI{xkcd-keyboard-mash}

PlaidCTF 2019 Writeup

CTF writeup

この大会は2019/4/13 6:00(JST)~2019/4/15 6:00(JST)に開催されました。
今回もチームで参戦。結果は211点で953チーム中173位でした。
メインの問題は一問も解けず、解けたのはWelcome問題だけでした。
一応その自分で解けた問題をWriteupとして書いておきます。

Sanity Check (Misc 1)

問題にフラグが書いてあった。

PCTF{welcome to PlaidCTF}

YauzaCTF 2019 Quals Writeup

CTF writeup

この大会は2019/4/14 0:00(JST)~2019/4/15 0:00(JST)に開催されました。
今回もチームで参戦。結果は2565点で195チーム中25位でした。
自分で解けた問題をWriteupとして書いておきます。

RSA BlackBox (Crypto)

実際に接続して、試してみる。

$ nc 195.19.44.145 2525
Please, choose one of the commands:
get - to get encrypted message
enc - to encrypt message
sig - to get digest of message

get
Encrypted flag (base64):
j/V6tVj7Hfnp9jnbqbXsakbfSn0e4pWscs0x9FwMPkuRbBqbxri/o8TyXMKG8VSmWJtOt1YDjgS2hvKGWWBlgNQ1xJ9abfh3hzuJHt9aTLX8wsPQa7bjCqJeZ1WFgkZlz+/SLgc48lzGhG412WRMEjtvfB5zndHzGIbYQ44viZdYYEOYlp/T3BDikRQIflhvSwKscTUrBI/Q4OQQqxEVj539M+F0u2Jn0bz7Vk09Zq5VSQjy/RvPHKEBv8z9o9R4mh4y45/vzycJLjwGqr0KbK1ueLFmokx4jhjZ3RD4L4+17cNP2hGBxxJiovA1PQqeu6RGmiXrA9y1ZqKm7ZsB3Q==

Please, choose one of the commands:
get - to get encrypted message
enc - to encrypt message
sig - to get digest of message

enc
Please, input your message to encrypt (ascii):
abc
Encrypted message:
nL5wkXhHOlunlqpqhHsOIfmB09Byp/jBoMj+wQLwVvRU+VszN9g9NiFcrCPdJlRyYUDBGKk9VZVQQkbHrSdUcZWTFCp6HuNxqiV7TKixRvS/UnP7iW5vs80oCFOcrjMV9HJUbqTjPe12NWLOp7W136T3j1uFXKeqLSXGXmyPKN1DL63UjUzn6KLItSNakkB+YtDZddzqkt6ccz0J0gMtNt/3tIiKRrdxH/DcSZqXY5CBmWVYdtnDiT7716zPAKzN+wCC9132sEQPIsK1bNZ9NPmoEYNM0+7TUhMSvDzY77zlCTZqv6Sgwy6r9ODVRQC7sVLmlPId2wxHbdFABPTwew==

Please, choose one of the commands:
get - to get encrypted message
enc - to encrypt message
sig - to get digest of message

sig
Please, input your message to sign (base64):
nL5wkXhHOlunlqpqhHsOIfmB09Byp/jBoMj+wQLwVvRU+VszN9g9NiFcrCPdJlRyYUDBGKk9VZVQQkbHrSdUcZWTFCp6HuNxqiV7TKixRvS/UnP7iW5vs80oCFOcrjMV9HJUbqTjPe12NWLOp7W136T3j1uFXKeqLSXGXmyPKN1DL63UjUzn6KLItSNakkB+YtDZddzqkt6ccz0J0gMtNt/3tIiKRrdxH/DcSZqXY5CBmWVYdtnDiT7716zPAKzN+wCC9132sEQPIsK1bNZ9NPmoEYNM0+7TUhMSvDzY77zlCTZqv6Sgwy6r9ODVRQC7sVLmlPId2wxHbdFABPTwew==
Signed message (base64):
YWJj

Please, choose one of the commands:
get - to get encrypted message
enc - to encrypt message
sig - to get digest of message

    :

$ echo YWJj | base64 -d
abc

それぞれのメニューの処理はこんな感じ。

get: 暗号化フラグを取得
enc: 指定メッセージのRSA暗号化
sig: 指定メッセージのRSA復号

encを使って、nを求める。そのあと、getで目的の暗号を得た後、sigでRSA LSB Oracle Attackでフラグを求める。

from Crypto.Util.number import *
from fractions import Fraction
from base64 import b64encode, b64decode
import socket

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

def egcd(a, b):
    x,y, u,v = 0,1, 1,0
    while a != 0:
        q, r = b//a, b%a
        m, n = x-u*q, y-v*q
        b,a, x,y, u,v = a,r, u,v, m,n
    gcd = b
    return gcd, x, y

def lsb_oracle(s, cipher):
    send_data = 'sig'
    data = recvuntil(s, 'of message\n\n')
    print data + send_data
    s.sendall(send_data + '\n')

    send_data = b64encode(long_to_bytes(cipher))
    data = recvuntil(s, '(base64):\n')
    print data + send_data
    s.sendall(send_data + '\n')

    data = recvuntil(s, '\n')
    data += recvuntil(s, '\n')
    print data.strip()
    sig = bytes_to_long(b64decode(data.split('\n')[1]))

    return sig % 2

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('195.19.44.145', 2525))

#### calculate n ####
try_rsa_enc = []
for m in [2, 4, 16]:
    send_data = 'enc'
    data = recvuntil(s, 'of message\n\n')
    print data + send_data
    s.sendall(send_data + '\n')

    send_data = chr(m)
    data = recvuntil(s, '(ascii):\n')
    print data + send_data
    s.sendall(send_data + '\n')

    data = recvuntil(s, '\n')
    data += recvuntil(s, '\n')
    print data.strip()
    enc = bytes_to_long(b64decode(data.split('\n')[1]))
    try_rsa_enc.append(enc)

diff1 = (try_rsa_enc[0]) ** 2 - try_rsa_enc[1]
diff2 = (try_rsa_enc[1]) ** 2 - try_rsa_enc[2]

n, _, _ = egcd(diff1, diff2)
e = 65537

#### get encrypted flag ####
send_data = 'get'
data = recvuntil(s, 'of message\n\n')
print data + send_data
s.sendall(send_data + '\n')

data = recvuntil(s, '\n')
data += recvuntil(s, '\n')
print data.strip()
c = bytes_to_long(b64decode(data.split('\n')[1]))

#### LSB oracle attack ####
bounds = [0, Fraction(n)]

i = 0
while True:
    print('Round %d' % (i+1))
    i += 1

    c2 = (c * pow(2, e, n)) % n
    lsb = lsb_oracle(s, c2)
    if lsb == 1:
        bounds[0] = sum(bounds)/2
    else:
        bounds[1] = sum(bounds)/2
    diff = bounds[1] - bounds[0]
    diff = diff.numerator / diff.denominator
    #print diff
    if diff == 0:
        m = bounds[1].numerator / bounds[1].denominator
        break
    c = c2

flag = long_to_bytes(m)
print flag

YauzaCTF{DazzlingCleanlinessOfYauza}

enJoy! (Crypto)

rtfを開き、全データをコピーし、codes.txtとして保存する。バイナリを見ると、先頭と終端の2バイトずつを除き、2バイトで一組になっており、\xF0を除くと、printableな文字列になりそう。さらにBase64文字列と思われるので、デコードする。またBase64文字列になった。何重にもエンコード、暗号化されているようだ。最終的には最初から以下のような流れでフラグが得られた。

Base64デコード→Base64デコード→ASCIIコード(16進数)デコード→rot13→0, 1の図示(縦に並べ、上下反転させる)

なお、図示する際はrot13で復号したメッセージの中の「Tupper's self-referential formula」をキーワードに調べ、https://en.wikipedia.org/wiki/Tupper%27s_self-referential_formulaを参考にして、横106、縦17になっていることを使った。

with open('codes.txt', 'rb') as f:
    data = f.read()

data = data[2:-2].replace('\xF0', '')
print '******** 01 ********'
print data

data = data.decode('base64')
print '******** 02 ********'
print data

data = data.decode('base64')
print '******** 03 ********'
print data

print '******** 04 ********'
data = data.split(' ')

msg = ''
for d in data:
    msg += chr(int(d, 16))
print msg

print '******** 05 ********'
msg = msg.decode('rot13')
print msg

print '******** 06 ********'
msg = msg.split('\n')[5].rstrip()
WIDTH = 106
HEIGHT = 17

msg += '0' * (WIDTH * HEIGHT - len(msg))
rows = []
for i in range(HEIGHT):
    row = ''
    for j in range(WIDTH):
        row += msg[i+HEIGHT*j]
    rows.append(row)

flag = ''
for row in rows[::-1]:
    flag += row.replace('0', ' ').replace('1', '*')
    flag += '\n'

print flag

実行結果は以下の通り。

******** 01 ********
TlRVZ05tVWdOamtnTnpJZ01qQWdObU1nTmpJZ05qZ2dNakFnTnpJZ05qa2dOeklnTmpVZ01qQWdOelVnTnpJZ05tVWdOalVnTnpFZ01qQWdObVVnTm1ZZ05qSWdOamdnTmpjZ01qQWdOVElnTmprZ056SWdOalVnTm1NZ05qY2dOelVnTnpZZ05qRWdOelFnTWpBZ05UTWdOaklnTmpVZ04yRWdOamdnTnprZ05tVWdNMllnTWpBZ05UWWdOamNnTWpjZ05qWWdNakFnTm1VZ056a2dOallnTmpJZ01qQWdOemdnTmpFZ05qSWdObUVnTmpFZ01qQWdObVVnTmpZZ01qQWdORGNnTmpnZ05qTWdOak1nTnpJZ05qVWdNamNnTmpZZ01qQWdOallnTnpJZ056a2dOek1nTW1RZ05qVWdOeklnTnpNZ056SWdOalVnTnpJZ05qRWdOamNnTnpZZ05tVWdOemtnTWpBZ056TWdOaklnTmpVZ04yRWdOamdnTnprZ05tVWdNbVVnTWpBZ01HUWdNR0VnTkRjZ056VWdOeklnTWpBZ056TWdOaklnTmpVZ04yRWdOamdnTnprZ05tVWdNakFnTm1FZ05tVWdOallnTWpBZ056RWdOeklnTnpNZ056WWdOakVnTnpJZ056RWdNakFnTm1ZZ05tTWdNakFnTlRjZ056SWdOek1nTnpNZ01qQWdORGNnTmpnZ05qTWdOak1nTnpJZ05qVWdNakFnTm1VZ05qRWdOekVnTWpBZ05tVWdOak1nTmpNZ056SWdObVVnTmpVZ05qWWdNakFnTm1VZ05qWWdNakFnTm1VZ05qRWdNakFnTnpJZ05tSWdObVVnTjJFZ05qTWdOemtnTnpJZ01qQWdOellnTmpFZ01qQWdORGNnTmpnZ05qTWdOak1nTnpJZ05qVWdNamNnTmpZZ01qQWdNeklnTXpBZ016QWdNekVnTWpBZ05EWWdOVFlnTlRRZ05UUWdORFVnTkdVZ05ETWdOVFVnTWpBZ05qTWdObVVnTmpNZ056SWdOalVnTWpBZ05qSWdOakVnTWpBZ05qVWdOeklnTnprZ056WWdObVVnTm1ZZ056a2dOeklnTWpBZ05qY2dObUVnTmpJZ01tUWdOekVnTnpZZ04yRWdOeklnTmpFZ05qWWdOellnTmpJZ05qRWdObVVnTnprZ01qQWdOekFnTmpJZ04yRWdOak1nTmpnZ05qY2dOeklnTmpVZ01qQWdOelFnTmpVZ05tVWdOak1nTnpVZ056WWdOakVnTnpRZ01qQWdObVVnTnprZ056UWdOaklnTmpVZ056WWdOamNnTnpVZ04yRWdOallnTW1VZ01qQWdORGNnTnpVZ056WWdOallnTWpBZ05qTWdObVVnTmpNZ056SWdOalVnTWpBZ056RWdOellnTmpZZ056QWdOamdnTmpZZ05qWWdOeklnTmpZZ01qQWdOMkVnTnpJZ05qY2dOelVnTmpJZ056RWdOallnTWpBZ05qVWdOeklnTnprZ05tVWdOamNnTnpJZ056RWdNakFnTmpjZ05qSWdNakFnTmpjZ056VWdOeklnTWpBZ05UUWdOalVnTm1VZ056TWdOVElnTmpRZ01qQWdOek1nTmpJZ05qVWdOMkVnTmpnZ056a2dObVVnTW1RZ056UWdOalVnTm1VZ05qTWdOelVnTnpZZ05qRWdOelFnTWpBZ05qTWdOalVnTmpJZ056UWdOalVnTm1VZ04yRWdNakFnTnpFZ056SWdOamtnTnpJZ056a2dOaklnTmpNZ056SWdOekVnTWpBZ05tWWdObU1nTWpBZ05EY2dOamdnTmpNZ05qTWdOeklnTmpVZ01tVWdNR1FnTUdFZ05HVWdOakVnTnpFZ01qQWdOakVnTmpJZ05tRWdNakFnTm1FZ056SWdNakFnTm1FZ05tVWdOakVnTmpjZ01qQWdObU1nTmpJZ05qZ2dNakFnTmpjZ05qSWdNakFnTm1VZ056QWdOalFnTmpnZ05tVWdOellnTmpFZ05qY2dNakFnTm1FZ056WWdOamNnTnpVZ01qQWdOellnTmpjZ01qRWdNakFnTTJFZ01qa2dNR1FnTUdFZ01HUWdNR0VnTkdVZ05qRWdOekVnTWpBZ05qRWdOaklnTm1FZ01qQWdObU1nTmpJZ05qZ2dNakFnTnpVZ05tVWdOamtnTnpJZ01qQWdOamNnTnpVZ056WWdOallnTWpBZ05qRWdOamdnTjJFZ05tWWdOeklnTmpVZ00yRWdNR1FnTUdFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekVnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekVnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016RWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016RWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpFZ016RWdNekFnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekVnTXpFZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpFZ016RWdNekFnTXpFZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpFZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpFZ016RWdNekVnTXpFZ016RWdNekVnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekVnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpFZ016RWdNekVnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekVnTXpFZ016RWdNekFnTXpFZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpFZ016QWdNekFnTXpFZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekVnTXpFZ016RWdNekFnTXpFZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekVnTXpFZ016RWdNekFnTXpFZ016RWdNekVnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016QWdNekFnTXpBZ016RWdNR1FnTUdFZ05EWWdOaklnTW1NZ01qQWdObUVnTnpVZ05tVWdOamNnTWpjZ05qWWdNakFnTm1NZ05qSWdOamdnTmpVZ01qQWdOemtnTm1VZ05qWWdOamNnTWpBZ05qWWdOamNnTnpJZ05qTWdNMlk9
******** 02 ********
NTUgNmUgNjkgNzIgMjAgNmMgNjIgNjggMjAgNzIgNjkgNzIgNjUgMjAgNzUgNzIgNmUgNjUgNzEgMjAgNmUgNmYgNjIgNjggNjcgMjAgNTIgNjkgNzIgNjUgNmMgNjcgNzUgNzYgNjEgNzQgMjAgNTMgNjIgNjUgN2EgNjggNzkgNmUgM2YgMjAgNTYgNjcgMjcgNjYgMjAgNmUgNzkgNjYgNjIgMjAgNzggNjEgNjIgNmEgNjEgMjAgNmUgNjYgMjAgNDcgNjggNjMgNjMgNzIgNjUgMjcgNjYgMjAgNjYgNzIgNzkgNzMgMmQgNjUgNzIgNzMgNzIgNjUgNzIgNjEgNjcgNzYgNmUgNzkgMjAgNzMgNjIgNjUgN2EgNjggNzkgNmUgMmUgMjAgMGQgMGEgNDcgNzUgNzIgMjAgNzMgNjIgNjUgN2EgNjggNzkgNmUgMjAgNmEgNmUgNjYgMjAgNzEgNzIgNzMgNzYgNjEgNzIgNzEgMjAgNmYgNmMgMjAgNTcgNzIgNzMgNzMgMjAgNDcgNjggNjMgNjMgNzIgNjUgMjAgNmUgNjEgNzEgMjAgNmUgNjMgNjMgNzIgNmUgNjUgNjYgMjAgNmUgNjYgMjAgNmUgNjEgMjAgNzIgNmIgNmUgN2EgNjMgNzkgNzIgMjAgNzYgNjEgMjAgNDcgNjggNjMgNjMgNzIgNjUgMjcgNjYgMjAgMzIgMzAgMzAgMzEgMjAgNDYgNTYgNTQgNTQgNDUgNGUgNDMgNTUgMjAgNjMgNmUgNjMgNzIgNjUgMjAgNjIgNjEgMjAgNjUgNzIgNzkgNzYgNmUgNmYgNzkgNzIgMjAgNjcgNmEgNjIgMmQgNzEgNzYgN2EgNzIgNjEgNjYgNzYgNjIgNjEgNmUgNzkgMjAgNzAgNjIgN2EgNjMgNjggNjcgNzIgNjUgMjAgNzQgNjUgNmUgNjMgNzUgNzYgNjEgNzQgMjAgNmUgNzkgNzQgNjIgNjUgNzYgNjcgNzUgN2EgNjYgMmUgMjAgNDcgNzUgNzYgNjYgMjAgNjMgNmUgNjMgNzIgNjUgMjAgNzEgNzYgNjYgNzAgNjggNjYgNjYgNzIgNjYgMjAgN2EgNzIgNjcgNzUgNjIgNzEgNjYgMjAgNjUgNzIgNzkgNmUgNjcgNzIgNzEgMjAgNjcgNjIgMjAgNjcgNzUgNzIgMjAgNTQgNjUgNmUgNzMgNTIgNjQgMjAgNzMgNjIgNjUgN2EgNjggNzkgNmUgMmQgNzQgNjUgNmUgNjMgNzUgNzYgNjEgNzQgMjAgNjMgNjUgNjIgNzQgNjUgNmUgN2EgMjAgNzEgNzIgNjkgNzIgNzkgNjIgNjMgNzIgNzEgMjAgNmYgNmMgMjAgNDcgNjggNjMgNjMgNzIgNjUgMmUgMGQgMGEgNGUgNjEgNzEgMjAgNjEgNjIgNmEgMjAgNmEgNzIgMjAgNmEgNmUgNjEgNjcgMjAgNmMgNjIgNjggMjAgNjcgNjIgMjAgNmUgNzAgNjQgNjggNmUgNzYgNjEgNjcgMjAgNmEgNzYgNjcgNzUgMjAgNzYgNjcgMjEgMjAgM2EgMjkgMGQgMGEgMGQgMGEgNGUgNjEgNzEgMjAgNjEgNjIgNmEgMjAgNmMgNjIgNjggMjAgNzUgNmUgNjkgNzIgMjAgNjcgNzUgNzYgNjYgMjAgNjEgNjggN2EgNmYgNzIgNjUgM2EgMGQgMGEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzEgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzEgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzAgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzEgMzEgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzEgMzEgMzAgMzEgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzAgMzAgMzAgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzAgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzEgMzAgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMzEgMzEgMzAgMzEgMzEgMzEgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzAgMzEgMGQgMGEgNDYgNjIgMmMgMjAgNmEgNzUgNmUgNjcgMjcgNjYgMjAgNmMgNjIgNjggNjUgMjAgNzkgNmUgNjYgNjcgMjAgNjYgNjcgNzIgNjMgM2Y=
******** 03 ********
55 6e 69 72 20 6c 62 68 20 72 69 72 65 20 75 72 6e 65 71 20 6e 6f 62 68 67 20 52 69 72 65 6c 67 75 76 61 74 20 53 62 65 7a 68 79 6e 3f 20 56 67 27 66 20 6e 79 66 62 20 78 61 62 6a 61 20 6e 66 20 47 68 63 63 72 65 27 66 20 66 72 79 73 2d 65 72 73 72 65 72 61 67 76 6e 79 20 73 62 65 7a 68 79 6e 2e 20 0d 0a 47 75 72 20 73 62 65 7a 68 79 6e 20 6a 6e 66 20 71 72 73 76 61 72 71 20 6f 6c 20 57 72 73 73 20 47 68 63 63 72 65 20 6e 61 71 20 6e 63 63 72 6e 65 66 20 6e 66 20 6e 61 20 72 6b 6e 7a 63 79 72 20 76 61 20 47 68 63 63 72 65 27 66 20 32 30 30 31 20 46 56 54 54 45 4e 43 55 20 63 6e 63 72 65 20 62 61 20 65 72 79 76 6e 6f 79 72 20 67 6a 62 2d 71 76 7a 72 61 66 76 62 61 6e 79 20 70 62 7a 63 68 67 72 65 20 74 65 6e 63 75 76 61 74 20 6e 79 74 62 65 76 67 75 7a 66 2e 20 47 75 76 66 20 63 6e 63 72 65 20 71 76 66 70 68 66 66 72 66 20 7a 72 67 75 62 71 66 20 65 72 79 6e 67 72 71 20 67 62 20 67 75 72 20 54 65 6e 73 52 64 20 73 62 65 7a 68 79 6e 2d 74 65 6e 63 75 76 61 74 20 63 65 62 74 65 6e 7a 20 71 72 69 72 79 62 63 72 71 20 6f 6c 20 47 68 63 63 72 65 2e 0d 0a 4e 61 71 20 61 62 6a 20 6a 72 20 6a 6e 61 67 20 6c 62 68 20 67 62 20 6e 70 64 68 6e 76 61 67 20 6a 76 67 75 20 76 67 21 20 3a 29 0d 0a 0d 0a 4e 61 71 20 61 62 6a 20 6c 62 68 20 75 6e 69 72 20 67 75 76 66 20 61 68 7a 6f 72 65 3a 0d 0a 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 30 30 30 30 30 30 30 30 30 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 31 30 31 30 30 31 30 30 30 30 30 30 30 30 30 30 30 31 30 30 31 30 31 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 31 31 31 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 30 31 31 31 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 31 31 31 31 31 31 31 31 31 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 31 30 30 30 31 30 30 30 31 30 30 30 30 30 30 30 30 31 30 30 30 31 31 30 30 31 30 30 30 30 30 30 30 30 31 30 30 31 31 30 31 30 31 30 30 30 30 30 30 30 30 30 31 31 31 30 30 30 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 31 31 31 31 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 31 30 30 30 30 31 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 31 31 31 31 30 31 31 30 30 30 30 30 30 30 30 30 31 30 30 30 30 31 30 30 31 30 30 30 30 30 30 30 30 31 30 30 30 30 31 30 30 31 30 30 30 30 30 30 30 30 30 31 31 31 31 30 31 31 30 30 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 31 30 30 30 30 30 30 30 30 30 31 31 31 30 31 31 31 30 30 30 30 30 30 30 30 30 30 30 30 30 31 0d 0a 46 62 2c 20 6a 75 6e 67 27 66 20 6c 62 68 65 20 79 6e 66 67 20 66 67 72 63 3f
******** 04 ********
Unir lbh rire urneq nobhg Rirelguvat Sbezhyn? Vg'f nyfb xabja nf Ghccre'f frys-ersreragvny sbezhyn. 

Gur sbezhyn jnf qrsvarq ol Wrss Ghccre naq nccrnef nf na rknzcyr va Ghccre'f 2001 FVTTENCU cncre ba eryvnoyr gjb-qvzrafvbany pbzchgre tencuvat nytbevguzf. Guvf cncre qvfphffrf zrgubqf eryngrq gb gur TensRd sbezhyn-tencuvat cebtenz qrirybcrq ol Ghccre.

Naq abj jr jnag lbh gb npdhnvag jvgu vg! :)



Naq abj lbh unir guvf ahzore:

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000000000000001000000000000000100000000000111111000000000000000010000000000000000010000000000000000011000000000111100000000000010000100000000000100001000000000000100100000000000011111100000000000000000000000000000000000000000000001111100000000000100000000000000001000000000000000001111100000000000100000000000000000000000000000000011000100000000000101001000000000001001010000000000010001100000000000000000000000000000111100000000000010000100000000000100001000000000000100100000000000011111100000000000000000000000000000111111100000000010000000100000000100000001000000001000000010000000010000000100000000000000000000000000000000010000000000000000100000000000000001000000001111111110000000000000000100000000000000001000000000000000010000000000000000000000000111111111000000000000100010000000000001000100000000000010001000000000000000010000000000000000000000000000010000000000000111011100000000010000000100000000000000000000000000000000000000000000000000000000000111111111000000000000000100000000000000010000000000000001000000000000000100000000000011111111100000000000000000000000001000000010000000011111111100000000100000001000000000000000000000000001111111000000000100000001000000001000000010000000010000000100000000100000001000000000000000000000000010000000100000000100010001000000001000110010000000010011010100000000011100011000000000000000000000000000000000000000000100000000000000001000000000000000010000000000000000100000001000000000111111110000000000000000100000000011110000000000001000010000000000010000100000000000011110000000000000000000000000000001111011000000000100001001000000001000010010000000001111011000000000100000001000000000111011100000000000001

Fb, jung'f lbhe ynfg fgrc?
******** 05 ********
Have you ever heard about Everything Formula? It's also known as Tupper's self-referential formula. 

The formula was defined by Jeff Tupper and appears as an example in Tupper's 2001 SIGGRAPH paper on reliable two-dimensional computer graphing algorithms. This paper discusses methods related to the GrafEq formula-graphing program developed by Tupper.

And now we want you to acquaint with it! :)



And now you have this number:

0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000011000000000000001000000000000000100000000000111111000000000000000010000000000000000010000000000000000011000000000111100000000000010000100000000000100001000000000000100100000000000011111100000000000000000000000000000000000000000000001111100000000000100000000000000001000000000000000001111100000000000100000000000000000000000000000000011000100000000000101001000000000001001010000000000010001100000000000000000000000000000111100000000000010000100000000000100001000000000000100100000000000011111100000000000000000000000000000111111100000000010000000100000000100000001000000001000000010000000010000000100000000000000000000000000000000010000000000000000100000000000000001000000001111111110000000000000000100000000000000001000000000000000010000000000000000000000000111111111000000000000100010000000000001000100000000000010001000000000000000010000000000000000000000000000010000000000000111011100000000010000000100000000000000000000000000000000000000000000000000000000000111111111000000000000000100000000000000010000000000000001000000000000000100000000000011111111100000000000000000000000001000000010000000011111111100000000100000001000000000000000000000000001111111000000000100000001000000001000000010000000010000000100000000100000001000000000000000000000000010000000100000000100010001000000001000110010000000010011010100000000011100011000000000000000000000000000000000000000000100000000000000001000000000000000010000000000000000100000001000000000111111110000000000000000100000000011110000000000001000010000000000010000100000000000011110000000000000000000000000000001111011000000000100001001000000001000010010000000001111011000000000100000001000000000111011100000000000001

So, what's your last step?
******** 06 ********
                                                                                                          
                                                                                                          
                                                                                                          
       *     *                         **** ******* *****   *   *    * ***  **** *****     ***      ** *  
       *     *                        *        *    *      *    **   *  *  *         *      *      *  * * 
        *   *                         *        *    *      *    * *  *  *  *        *       *      *  * * 
         ***   ** *  *  *  ****  ** * *        *    *      *    *  * *  *  *       *        *  **   **  * 
          *   *  **  *  *     * *  ** *        *    ****  *     *   **  *  *      ***       * *  * *  *  *
          *   *   *  *  *    *  *   * *        *    *      *    *    *  *  *        **      * *  * *  * * 
          *   *   *  *  *   *   *   * *        *    *      *    *    *  *  *         *      * *  * *  * * 
          *   *  **  *  *  *    *  ** *        *    *      *    *    *  *  *         *      * *  * *  * * 
          *    ** *   ** * ****  ** *  ****    *    *       *   *    * ***  **** ****   ****   **   ** *  
                                                                                                          
                                                                                                          
                                                                                                          
                                                                                                          
                                                                                                          
YauzaCTF{NIC3Jo8}

Byte Bandits CTF 2019 Writeup

CTF writeup

この大会は2019/4/13 0:30(JST)~2019/4/14 0:30(JST)に開催されました。
今回もチームで参戦。結果は556点で319チーム中33位でした。
自分で解けた問題をWriteupとして書いておきます。

Greetings (misc)

IRCのfreenodeで#BBCTFチャネルに入ると、フラグがあった。

05:08 *topic : ByteBandits CTF 2019 | https://ctf.euristica.in | euristica@iiti.ac.in | Please visit https://ctf.euristica.in/rules | flag{Welc0me_t0_Byt3B4ndits_CTF_Y0u_did_y0ur_p4rt}

flag{Welc0me_t0_Byt3B4ndits_CTF_Y0u_did_y0ur_p4rt}

RivestShamirAdleman (crypto)

RSA暗号で、nが大きく、eが小さいため、e乗根で復号する。

from Crypto.Util.number import *
import gmpy

e = 3
c = 56274920108122478990888092521371739605513959053322262229138771723654033167756128122086229722406180593128664696512912311575327724724695863345048713415525599333

m = gmpy.root(c, e)[0]
flag = long_to_bytes(m)
print flag

flag{nO_paDDing00_rsa}

oldschool (crypto)

古典暗号をいろいろ試すと、Affine暗号だったようだ。https://www.dcode.fr/affine-cipherで復号。

A=3,B=23	THEFLAGISDIFFRENTFROMTHAFFINECIPHR

数字は抜けているので埋め、小文字・大文字を暗号と合わせる。

Csj mexp vz gvmM3wjkCMwnHCs3XmMvkjDvQs3w
The flag is difF3renTFroMTh3AfFineCiPh3r

flag{difF3renTFroMTh3AfFineCiPh3r}

TJCTF 2019 Writeup

CTF writeup

この大会は2019/4/6 8:00(JST)~2019/4/10 8:00(JST)に開催されました。
今回は久々に個人で参戦。結果は330点で608チーム中98位でした。
解けた問題をWriteupとして書いておきます。

Blurry (Web 5)

HTMLソースにフラグが書いてある。

tjctf{cl0se_1nspecti0n}

Double Duty (Crypto 5)

シーザー暗号。https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号する。

tjctf{sekret_code}

Touch Base (Crypto 5)

Base64デコードする。

$ echo dGpjdGZ7ajJzdF9zMG0zX2I0c2U2NH0= | base64 -d
tjctf{j2st_s0m3_b4se64}

tjctf{j2st_s0m3_b4se64}

Corsair (Forensics 5)

Stegsolveで開き、Blue plane 4を見る。
f:id:satou-y:20190416211811p:plain

tjctf{c0l0r_pl4n3s_ar3_c00l}

Python in One Line (Reversing 10)

jとmが同じコードになっているので、調整してデコードする。

table = {'a':'...-', 'b':'--..', 'c':'/', 'd':'-.--', 'e':'.-.', 'f':'...', 'g':'.-..', 'h':'--', 'i':'---', 'j':'-', 'k':'-..-', 'l':'-..', 'm':'..', 'n':'.--', 'o':'-.-.', 'p':'--.-', 'q':'-.-', 'r':'.-', 's':'-...', 't':'..', 'u':'....', 'v':'--.', 'w':'.---', 'y':'..-.', 'x':'..-', 'z':'.--.', '{':'-.', '}':'.'}

codes = '.. - / .. ... -. - / -- --- .-. ... / -.-. --- -.. .'.split(' ')

flag = ''
for code in codes:
    for k, v in table.items():
        if v == code:
            flag += k
            break

flag = flag.replace('m', 't')
print flag

tjctf{jchiefcoil}

Sportsmanship (Cryptography 10)

Playfair暗号。https://www.dcode.fr/playfair-cipherで復号する。

PRACTICALPLAYFAIRX

tjctf{PRACTICALPLAYFAIRX}

Guess My Hashword (Cryptography 10)

条件から総当たりで目的のmd5になるものを探す。

import hashlib
import string
import itertools

target = '31f40dc5308fa2a311d2e2ba8955df6c'

found = False
for a in string.uppercase:
    for b in string.lowercase:
        for c in string.lowercase:
            for d in string.digits:
                chars = a + b + c + d + '_'
                for s in list(itertools.permutations(chars)):
                    word = ''.join(s)
                    flag = 'tjctf{%s}' % word
                    if hashlib.md5(flag).hexdigest() == target:
                        print flag
                        found = True
                        break
                if found:
                    break
            if found:
                break
        if found:
            break
    if found:
        break

tjctf{w0w_E}

Easy as RSA (Cryptography 20)

nをfactordbで素因数分解する。

379557705825593928168388035830440307401877224401739990998883 =
564819669946735512444543556507 * 671998030559713968361666935769

あとはそのまま復号する。

from Crypto.Util.number import *

n = 379557705825593928168388035830440307401877224401739990998883
e = 65537
c = 29031324384546867512310480993891916222287719490566042302485

p = 564819669946735512444543556507
q = 671998030559713968361666935769

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, n)

flag = long_to_bytes(m)
print flag

tjctf{RSA_2_3asy}

Galaxy (Forensics 20)

Stegsolveで開き、Data ExtractでRGBのLSBにチェックをつけると、フラグが文字として現れた。

tjctf{last_but_n0t_l3ast}

Mind Blown (Forensics 30)

EXIFを見てみる。

$ exiftool 694003b3deecf2382b3aa510e5f3e5f5153bb9c062e4f20878c0d343bc297767_meme.jpg 
ExifTool Version Number         : 10.10
File Name                       : 694003b3deecf2382b3aa510e5f3e5f5153bb9c062e4f20878c0d343bc297767_meme.jpg
Directory                       : .
File Size                       : 87 kB
File Modification Date/Time     : 2019:04:06 18:39:14+09:00
File Access Date/Time           : 2019:04:06 18:45:37+09:00
File Inode Change Date/Time     : 2019:04:06 18:39:14+09:00
File Permissions                : rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
X Resolution                    : 1
Y Resolution                    : 1
Resolution Unit                 : None
Y Cb Cr Positioning             : Centered
Compression                     : JPEG (old-style)
Thumbnail Offset                : 202
Thumbnail Length                : 62058
Comment                         : Compressed by jpeg-recompress
Image Width                     : 524
Image Height                    : 332
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 524x332
Megapixels                      : 0.174
Thumbnail Image                 : (Binary data 62058 bytes, use -b option to extract)
$ exiftool -b 694003b3deecf2382b3aa510e5f3e5f5153bb9c062e4f20878c0d343bc297767_meme.jpg > extract.jpg

先頭のごみを削除すると、jpgになる。またEXIFを見てみる。

$ exiftool extract.jpg
ExifTool Version Number         : 10.10
File Name                       : extract.jpg
Directory                       : .
File Size                       : 61 kB
File Modification Date/Time     : 2019:04:06 18:47:38+09:00
File Access Date/Time           : 2019:04:06 18:48:17+09:00
File Inode Change Date/Time     : 2019:04:06 18:47:38+09:00
File Permissions                : rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Exif Byte Order                 : Big-endian (Motorola, MM)
X Resolution                    : 1
Y Resolution                    : 1
Resolution Unit                 : None
Y Cb Cr Positioning             : Centered
Compression                     : JPEG (old-style)
Thumbnail Offset                : 202
Thumbnail Length                : 25641
Comment                         : Compressed by jpeg-recompress
Image Width                     : 534
Image Height                    : 380
Encoding Process                : Progressive DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 534x380
Megapixels                      : 0.203
Thumbnail Image                 : (Binary data 25641 bytes, use -b option to extract)
$ exiftool -b extract.jpg > flag.jpg

先頭のごみを削除する。flag.jpgにフラグが書いてある。

tjctf{kn0w_y0ur_m3tad4ta}

Checker (Reversing 30)

Javaコードの処理は以下のようになっている。

1.flagの先頭からASCIIコードをpush
2.popしていき、2進数にして連結する。
3.0と1を逆にする。
4.9ビットシフトする。

これを逆算していき、途中いろいろ試しながら、2進数を分離し、フラグに戻す。

def dec_wow(b, s):
    r = ''
    for x in range(len(b)):
        r += b[(x-s)%len(b)]
    return r

def dec_woah(b):
    r = ''
    for x in range(len(b)):
        if b[x] == '0':
            r += '1'
        else:
            r += '0'
    return r

encoded = '1100001110000111000011000010100001110000111000010100001110000010000110010001011001110000101010001011000001000'

b = dec_wow(encoded, 9)
b = dec_woah(b)
print b

## manual decode ##
codes = '1111101 110011 1100011 110001 1110011 1101011 1100011 110001 1110101 1110001 1111011 1100110 1110100 1100011 1101010 1110100'
###################
codes = codes.split(' ')

flag = ''
for code in codes:
    flag += chr(int(code, 2))

flag = flag[::-1]
print flag

tjctf{qu1cks1c3}

Cable Selachimorpha (Forensics 40)

tcp.stream eq 14でHTTP Streamを見る。認証でPOSTパケットが見える。

POST /verify.php HTTP/1.1
Host: 192.168.56.101
Connection: keep-alive
Content-Length: 42
Cache-Control: max-age=0
Origin: http://192.168.56.101
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.56.101/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

usr=omkar&pwd=tjctf%7Bb0mk4r_br0k3_b10n%7D

tjctf{b0mk4r_br0k3_b10n}

Comprehensive (Reversing 50)

以下のような処理の流れ。

★f
k[0] ^ m[0+0]
k[1] ^ m[1+0]
    :
k[7] ^ m[7+0]

k[0] ^ m[0+8]
k[1] ^ m[1+8]
    :
k[7] ^ m[7+8]

k[0] ^ m[0+16]
k[1] ^ m[1+16]
    :
k[7] ^ m[7+16]


★g(fを1つの配列に!)
k[0] ^ m[0+0]
k[1] ^ m[1+0]
    :
k[7] ^ m[7+0]
k[0] ^ m[0+8]
k[1] ^ m[1+8]
    :
k[7] ^ m[7+8]
k[0] ^ m[0+16]
k[1] ^ m[1+16]
    :
k[7] ^ m[7+16]

★h(7個飛ばしで、3個ずつの組み合わせにする)
[g[0], g[8], g[16]], [g[1], g[9], g[17],...

★i
h[0][0] ^ k[0] = g[0] ^ k[0] = m[0] ^ k[0] ^ k[0]
h[0][1] ^ k[1] = g[8] ^ k[1] = m[8] ^ k[0] ^ k[1]
h[0][2] ^ k[2] = g[16] ^ k[2] = m[16] ^ k[0] ^ k[2]
h[1][0] ^ k[0] = g[1] ^ k[0] = m[1] ^ k[1] ^ k[0]
h[1][1] ^ k[1] = g[9] ^ k[1] = m[9] ^ k[1] ^ k[1]
h[1][2] ^ k[2] = g[17] ^ k[2] = m[17] ^ k[1] ^ k[2]
h[2][0] ^ k[0] = g[2] ^ k[0] = m[2] ^ k[2] ^ k[0]
h[2][1] ^ k[1] = g[10] ^ k[1] = m[10] ^ k[2] ^ k[1]
h[2][2] ^ k[2] = g[18] ^ k[2] = m[18] ^ k[2] ^ k[2]
    :
h[7][0] ^ k[0] = g[7] ^ k[0] = m[7] ^ k[7] ^ k[0]
h[7][1] ^ k[1] = g[15] ^ k[0] = m[15] ^ k[7] ^ k[1]
h[7][2] ^ k[2] = g[23] ^ k[0] = m[23] ^ k[7] ^ k[2]

★print
k[0]プラス

このことから以下が言える。

k[1] = (o[3] - k[0]) ^ m[1] ^ k[0]
k[2] = (o[6] - k[0]) ^ m[2] ^ k[0]
k[3] = (o[9] - k[0]) ^ m[3] ^ k[0]
k[4] = (o[12] - k[0]) ^ m[4] ^ k[0]
k[5] = (o[15] - k[0]) ^ m[5] ^ k[0]
k[7] = (o[23] - k[0]) ^ m[23] ^ k[2]

以上のことを踏まえスクリプトにすると、以下のようになりフラグが得られる。

enc = '225, 228, 219, 223, 220, 231, 205, 217, 224, 231, 228, 210, 208, 227, 220, 234, 236, 222, 232, 235, 227, 217, 223, 234, 2613'
sum_code = int(enc.split(', ')[-1])
enc = map(int, enc.split(', ')[:-1])

def decrypt(enc, key):
    m = [0] * len(enc)
    for i in range(len(enc)):
        idx = (i % 3) * 8 + i // 3
        m[idx] = (enc[i] - key[0]) ^ key[i//3] ^ key[i%3]
    s = ''
    for code in m:
        s += chr(code)
    return s

def get_sum(s):
    sum = 0
    for c in s:
        sum += ord(c)
    return sum

flag_head = 'tjctf{'
flag_tail = '}'

ks = [-1] * 8
ks[0] = enc[0] - ord(flag_head[0])

for i in range(1, 6):
    ks[i] = (enc[i*3] - ks[0]) ^ ord(flag_head[i]) ^ ks[0]

ks[7] = (enc[-1] - ks[0]) ^ ord(flag_tail) ^ ks[2]
print chr(ks[7])

for k_6 in range(32, 127):
    ks[6] = k_6
    flag = decrypt(enc, ks)
    if get_sum(flag) == sum_code:
        print flag
        break

tjctf{oooowakarimashita}

Is this the real life (Cryptography 90)

処理をデバッグしながら確認すると、以下のようなことがわかる。

block = 1
n = 1.00000000000000
phi = phiの先頭4バイト+(phiの末尾4バイトの逆)
nlistはphiのリスト(8個)

flagの各文字について
・nm = flagの文字のASCIIコード(2進数) いつも同じ
・cipher[i] = nm[i] * nlist[i]
 例) nm[0] = '01101110', nlist[0] = 42798447
・cipher[i] *= nm[i]
・cipher[i] = cipher[i] % modulus

平文1文字が暗号文1文字に対応するので、1文字ずつブルートフォースでフラグを求める。

nlist = [42798447, 60070844, 64372735, 50740679, 96064802, 42258424, 44356317, 77336984]
ct = [292296909762800, 215653060477940, 208434519524352, 292296909762800, 265338299876870, 338411113077906, 217961079953287, 344375715089844, 205288667438400, 16912457697000, 11315622010000, 341537164927645, 314135413320574, 169124576970000, 32145056144756, 344375715089844, 15964193777715, 292296909762800, 344375715089844, 388451782884159, 16912457697000, 26533829987687, 344375715089844, 150925396356060, 281783803794437, 87154851154764, 398222847250224]

def decrypt(c):
    for code in range(32, 127):
        nm = str(int(bin(code).replace('0b', '')))
        cipher = 0
        for b in range(len(nm)):
            cipher += int(nm[b]) * nlist[b]
        cipher = cipher * int(nm)
        if cipher == c:
            return chr(code)
    return chr(0)

flag = ''
for i in range(len(ct)):
    flag += decrypt(ct[i])

print flag

tjctf{i_T40ugh7_1t_w43_RsA}

SwampCTF 2019 Writeup

CTF writeup

この大会は2019/4/6 7:00(JST)~2019/4/8 7:00(JST)に開催されました。
今回もチームで参戦。結果は850点で772チーム中72位でした。
自分で解けた問題をWriteupとして書いておきます。

Welcome! (Misc)

問題にフラグが書いてある。

flag{w3lc0m3_t0_th3_SwAmP}

We Three Keys (Crypto)

スクリプトの処理概要は以下の通り。

・key選択(1/2/3)
・処理選択

■1: Encrypt a message
・メッセージ入力(hex)
 iv  = key
 key = key
 AES-CBC暗号

■2: Decrypt a message
・メッセージ入力(hex)
 iv  = key
 key = key
 AES-CBC復号

■3: Choose a new key
・key変更(1/2/3)

key1~3を求めればよさそう。

平文1ブロック目:\x00*16
平文2ブロック目:\x10*16(パディング)

上記の形式で暗号化する。この結果をC1+C2とする。以下の形式の暗号文を復号する。

暗号文1ブロック目:\x00*16
暗号文2ブロック目:C1

この結果をP1+P2とすると、CBCモードの特性によりP2はIVになり、KEYでもある。これをkey1~3に対して繰り返し行い、連結するとフラグになる。

import socket
from base64 import b64encode
from Crypto.Util.number import *

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('chal1.swampctf.com', 1441))

flag = ''
for k in range(1, 4):
    if k == 1:
        data = recvuntil(s, '<= ')
        print data + str(k)
    else:
        data = recvuntil(s, '<= ')
        print data + '3'
        s.sendall('3\n')
        data = recvuntil(s, '<= ')
        print data + str(k)
    s.sendall(str(k) + '\n')

    data = recvuntil(s, '<= ')
    print data + '1'
    s.sendall('1\n')
    send_data = '0' * 32
    data = recvuntil(s, '<= ')
    print data + send_data
    s.sendall(send_data + '\n')
    data = recvuntil(s, '\n').strip()
    print data
    enc = '0' * 32 + data[:32]

    data = recvuntil(s, '<= ')
    print data + '2'
    s.sendall('2\n')
    send_data = enc
    data = recvuntil(s, '<= ')
    print data + send_data
    s.sendall(send_data + '\n')
    data = recvuntil(s, '\n').strip()
    print data
    key = data[32:].decode('hex')
    flag += key

print flag

flag{w0w_wh4t_l4zy_k3yz_much_w34k_crypt0_f41ls!}

Leap of Faith (Forensics)

jpgが添付されている。EXIFを見てみる。

$ exiftool leap_of_faith.jpeg 
ExifTool Version Number         : 10.10
File Name                       : leap_of_faith.jpeg
Directory                       : .
File Size                       : 41 kB
File Modification Date/Time     : 2019:04:06 07:38:44+09:00
File Access Date/Time           : 2019:04:06 07:39:26+09:00
File Inode Change Date/Time     : 2019:04:06 07:38:44+09:00
File Permissions                : rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Little-endian (Intel, II)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Modify Date                     : 2019:04:04 09:22:27
Exif Version                    : 0210
Date/Time Original              : 2019:04:04 09:22:27
Flashpix Version                : 0100
Color Space                     : Uncalibrated
Thumbnail Offset                : 226
Thumbnail Length                : 25217
Image Width                     : 720
Image Height                    : 480
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 720x480
Megapixels                      : 0.346
Thumbnail Image                 : (Binary data 25217 bytes, use -b option to extract)

$ exiftool -b leap_of_faith.jpeg > extract

extractの先頭のごみを削るとjpgになるので、またEXIFを見てみる。

$ exiftool extract_fix.jpg
ExifTool Version Number         : 10.10
File Name                       : extract_fix.jpg
Directory                       : .
File Size                       : 25 kB
File Modification Date/Time     : 2019:04:06 08:12:20+09:00
File Access Date/Time           : 2019:04:06 08:14:04+09:00
File Inode Change Date/Time     : 2019:04:06 08:12:20+09:00
File Permissions                : rwxrwxrwx
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Little-endian (Intel, II)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Modify Date                     : 2019:04:04 09:23:36
Exif Version                    : 0210
Date/Time Original              : 2019:04:04 09:23:36
Flashpix Version                : 0100
Color Space                     : Uncalibrated
Thumbnail Offset                : 226
Thumbnail Length                : 5199
Image Width                     : 334
Image Height                    : 302
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 334x302
Megapixels                      : 0.101
Thumbnail Image                 : (Binary data 5199 bytes, use -b option to extract)

$ exiftool -b leap_of_faith.jpeg > extract2

extract2の先頭のごみを削ると、またまたjpgになり、フラグが書いてある。
f:id:satou-y:20190415215045j:plain

flag{FR33_Y0UR_M1ND}

CBM CTF 2019 Writeup

CTF writeup

この大会は2019/4/7 3:30(JST)~2019/4/8 3:30(JST)に開催されました。
今回もチームで参戦。結果は1435点で228チーム中5位でした。
自分で解けた問題をWriteupとして書いておきます。

Welcome (Misc 5)

Discordの#miscチャネルにフラグが書いてある。

cbmctf{welc0me_7o_CbMcTF_2019}

image Mystry (Misc 85)

PNGファイルの方はPIET用のファイルのようだ。https://www.bertnase.de/npiet/npiet-execute.phpで実行すると、以下の文字列が得られる。

pI37_i5_fUn

steghideのパスワードとして使ってみる。

$ steghide extract -sf flag.jpg
Enter passphrase: ★pI37_i5_fUnを指定
wrote extracted data to "secret.txt".
$ cat secret.txt
cbmctf{p!e7_iS_4rt_0f_CoMput3r5}

cbmctf{p!e7_iS_4rt_0f_CoMput3r5}

Are You Fast (Scripting 40)

B mod Aを答える必要があるが、timeを先の時間に偽る必要がある。

import requests
import re

base_url = 'http://cbmctf2019.cf:3003/'

s = requests.Session()
r = s.get(base_url)
body = r.text
print body

pattern1 = 'A=(.+) and B=(.+)<br> Enter'
m = re.search(pattern1, body)
A = int(m.group(1))
B = int(m.group(2))
ans = B % A

pattern2 = 'name="time" value=(.+)></form>'
m = re.search(pattern2, body)
tm = int(m.group(1)) + 3600

post_url = base_url + 'check'
payload = {'answere': str(ans), 'time': str(tm)}
print payload
r = s.post(post_url, data=payload)
body = r.text
print body

実行結果は以下の通り。

$ python solve.py
<h1>A=45926 and B=53871<br> Enter B mod A <br></h1><form action="/check" method="post"><input type="text" id="answere" name="answere"><div class="button"><button type="submit">check</button></div><input type="hidden" id="time" name="time" value=1554624770375></form>
{'answere': '7945', 'time': '1554624773975'}
congrats!! here is the flag cbmctf{c0Nn3ct_pR0gr4m!7Ic@lLy}

cbmctf{c0Nn3ct_pR0gr4m!7Ic@lLy}

Easy_cipher (Crypto 50)

Rail Fence Cipherと推定。https://www.geocachingtoolbox.com/index.php?lang=en&page=railFenceCipherで復号する。
Base64文字列になっていそうなので、cbmctfをbase64した文字列を参考にレール数を変えてみる。
レール数3で以下のようになる。

Y2JtY3Rme1JAMWxfRmVOYzdfQzFwaGU0XzFzX2MwMGx9

$ echo Y2JtY3Rme1JAMWxfRmVOYzdfQzFwaGU0XzFzX2MwMGx9 | base64 -d
cbmctf{R@1l_FeNc7_C1phe4_1s_c00l}

cbmctf{R@1l_FeNc7_C1phe4_1s_c00l}

Any chess lover!! (Crypto 65)

文字セットと、以下の暗号文とチェス盤の画像が添付されている。

ms1r3uj@fv&!4grw((^m

f:id:satou-y:20190414214938p:plain
暗号文の長さは配置しているチェスの駒の数と同じ。文字列のテーブルも決まっているので、シフトの数を見てみる。

m  s  1  r  3  u  j
c  b  m  c  t  f  { 
10 17 15 15 10 15 15

左上から右に順番に駒ごとにシフト数が決まっていそう。チェスのことを調べていて、各駒の頭文字が関係していそうだと気づいた。文字列のテーブルは以下の通りで、シフトする数にも合致していそう。

          1111111111222222222233333333334444444444555555
01234567890123456789012345678901234567890123456789012345
abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+-={}[]<>

K(キング): 10
R(ルーク): 17
P(ポーン): 15
K(ナイト): 10
B(ビショップ): 1
Q(クイーン): 16

以上のことを念頭に復号する。

table = 'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+-={}[]<>'
enc = 'ms1r3uj@fv&!4grw((^m'
key = [10, 17, 15, 15, 10, 15, 15, 1, 15, 10, 16, 15, 1, 16, 15, 15, 15, 15, 10, 17]

flag = ''
for i in range(len(enc)):
    idx = table.index(enc[i]) - key[i]
    flag += table[idx]

print flag

cbmctf{!_l0v3_ch335}