第二届“Parloo”CTF应急响应挑战赛部分-Writeup
Crypto
轮回密码
Idea
附件后来更新了
下载附件,一个encode.py和一个flag.txt
import base64
def samsara_encrypt(text, key_word):
    """Obfuscate *text*: rotate right -> Base85 -> rotate right -> repeating-key XOR.

    The rotation amount is ``len(key_word) % 6 + 1`` bits, so it depends only
    on the key's length.  The key bytes themselves are used solely in the
    final XOR, which repeats with period ``len(key_word)``.

    An empty key raises ZeroDivisionError for any non-empty input, because the
    XOR index is taken modulo ``len(key_word)``.
    """
    shift = len(key_word) % 6 + 1

    def rotate_right(value):
        # 8-bit rotate right by `shift`; the mask drops bits pushed past bit 7.
        return (value >> shift) | ((value << (8 - shift)) & 0xFF)

    rotated_plain = bytes(rotate_right(b) for b in text)
    encoded = base64.b85encode(rotated_plain)
    rotated_encoded = bytes(rotate_right(b) for b in encoded)
    return bytes(
        b ^ key_word[pos % len(key_word)]
        for pos, b in enumerate(rotated_encoded)
    )
if __name__ == "__main__":
    # Placeholders as shipped in the challenge attachment: the real flag and
    # key are redacted.  With the empty key shown here samsara_encrypt raises
    # ZeroDivisionError, so a non-empty key has to be filled in before running.
    key = b""
    flag = b"palu{********}"  # placeholder; substitute the real flag
    cipher = samsara_encrypt(flag, key)
    # latin-1 maps every byte value 0-255 to one code point, so arbitrary
    # ciphertext bytes can be printed; unprintable bytes may still be lost
    # when the output is copied as text.
    printable = cipher.decode('latin-1')
    print("轮回密文:", printable)  # sample output: ¨×èÄÅÉØÛÚ

flag.txt明显是密文,先分析encode.py
- Phase 1: 对明文进行循环移位操作。
- Phase 2: 对 Phase 1 的结果进行 Base85 编码。
- Phase 3: 对 Base85 编码后的结果再次进行循环移位操作。
- Final Step: 将 Phase 3 的结果与密钥进行异或操作,得到最终的密文。
原理也很简单,题目也放出了密钥

exp
import base64
def samsara_decrypt(cipher, key_word):
    """Invert samsara_encrypt: XOR -> rotate left -> Base85 decode -> rotate left.

    The rotation amount is recomputed from the key length exactly as the
    encoder does (``len(key_word) % 6 + 1``).
    """
    shift = len(key_word) % 6 + 1

    def rotate_left(value):
        # 8-bit rotate left by `shift`, the inverse of the encoder's rotate right.
        return ((value << shift) & 0xFF) | (value >> (8 - shift))

    unmasked = bytes(
        b ^ key_word[pos % len(key_word)] for pos, b in enumerate(cipher)
    )
    encoded = bytes(rotate_left(b) for b in unmasked)
    rotated_plain = base64.b85decode(encoded)
    return bytes(rotate_left(b) for b in rotated_plain)
if __name__ == "__main__":
    # Ciphertext from flag.txt, pasted as text.
    # NOTE(review): Base85 of a 26-byte flag is 33 bytes, while the literal as
    # displayed here appears shorter, so unprintable bytes were probably lost
    # in the copy.  Reading flag.txt in binary mode avoids that - confirm
    # against the attachment.
    key = b"Bore"
    cipher_text = "y¦_6>X¬y!,!n¡mSaÜñüë9¼6"
    # latin-1 turns each code point back into the single byte it came from.
    flag = samsara_decrypt(cipher_text.encode('latin-1'), key)
    print(flag.decode())
    # Output reported by the author: palu{reincarnation_cipher}
RSA_Quartic_Quandary
Idea
下载附件,一个generate.py和一个output.txt
from Crypto.Util.number import getPrime, bytes_to_long
import math
FLAG = b'**************'
def generate_parameters(bit_length=512):
    """Generate an RSA key pair plus the extra value s = p**4 + q**4.

    Returns the tuple ``(n, e, d, s, p, q)`` with two ``bit_length``-bit
    primes p and q, n = p*q, e = 65537 and d = e**-1 mod (p-1)(q-1).
    """
    p, q = getPrime(bit_length), getPrime(bit_length)
    e = 65537
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    # SECURITY: s is a symmetric function of p and q.  Since
    # s + 2*n**2 == (p**2 + q**2)**2, anyone holding n and s can take integer
    # square roots to get p**2 + q**2, then p + q and p - q, and factor n.
    s = p ** 4 + q ** 4
    return n, e, d, s, p, q
def main():
    """Encrypt FLAG with unpadded RSA and write n, e, c and s to output.txt."""
    n, e, _d, s, _p, _q = generate_parameters()
    # c = m**e mod n with no padding applied to the message.
    c = pow(bytes_to_long(FLAG), e, n)
    lines = [f"n = {n}\n", f"e = {e}\n", f"c = {c}\n", f"s = {s}\n"]
    with open('output.txt', 'w') as f:
        f.writelines(lines)
    print("[+] Parameters saved to output.txt")


if __name__ == "__main__":
    main()
n = 125997816345753096048865891139073286898143461169514858050232837657906289840897974068391106608902082960171083817785532702158298589600947834699494234633846206712414663927142998976208173208829799860130354978308649020815886262453865196867390105038666506017720712272359417586671917060323891124382072599746305448903
e = 65537
c = 16076213508704830809521504161524867240789661063230251272973700316524961511842110066547743812160813341691286895800830395413052502516451815705610447484880112548934311914559776633140762863945819054432492392315491109745915225117227073045171062365772401296382778452901831550773993089344837645958797206220200272941
s = 35935569267272146368441512592153486419244649035623643902985220815940198358146024590300394059909370115858091217597774010493938674472746828352595432824315405933241792789402041405932624651226442192749572918686958461029988244396875361295785103356745756304497466567342796329331150560777052588294638069488836419744297241409127729615544668547101580333420563318486256358906310909703237944327684178950282413703357020770127158209107658407007489563388980582632159120621869165333921661377997970334407786581024278698231418756106787058054355713472306409772260619117725561889350862414726861327985706773512963177174611689685575805282
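分析加密代码:除 n = pq 外,题目还额外给出了 s = p^4 + q^4。两者满足 s + 2n^2 = (p^2 + q^2)^2,开平方即可得到 p^2 + q^2;再由 (p + q)^2 = p^2 + q^2 + 2n 和 (p - q)^2 = p^2 + q^2 - 2n 分别开平方得到 p + q 与 p - q,从而解出 p 和 q。也就是说,公开 s 就等价于泄露了 n 的分解。有了 p 和 q,剩下的就是标准的 RSA 解密过程了。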
exp
import math
from Crypto.Util.number import long_to_bytes
n = 125997816345753096048865891139073286898143461169514858050232837657906289840897974068391106608902082960171083817785532702158298589600947834699494234633846206712414663927142998976208173208829799860130354978308649020815886262453865196867390105038666506017720712272359417586671917060323891124382072599746305448903
e = 65537
c = 16076213508704830809521504161524867240789661063230251272973700316524961511842110066547743812160813341691286895800830395413052502516451815705610447484880112548934311914559776633140762863945819054432492392315491109745915225117227073045171062365772401296382778452901831550773993089344837645958797206220200272941
s = 35935569267272146368441512592153486419244649035623643902985220815940198358146024590300394059909370115858091217597774010493938674472746828352595432824315405933241792789402041405932624651226442192749572918686958461029988244396875361295785103356745756304497466567342796329331150560777052588294638069488836419744297241409127729615544668547101580333420563318486256358906310909703237944327684178950282413703357020770127158209107658407007489563388980582632159120621869165333921661377997970334407786581024278698231418756106787058054355713472306409772260619117725561889350862414726861327985706773512963177174611689685575805282
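# s + 2*n**2 = p**4 + 2*p**2*q**2 + q**4 = (p**2 + q**2)**2
s_plus_2n2 = s + 2 * n * n
p2_plus_q2 = math.isqrt(s_plus_2n2)  # p**2 + q**2
p_plus_q_squared = p2_plus_q2 + 2 * n  # (p + q)**2
p_plus_q = math.isqrt(p_plus_q_squared)  # p + q
p_minus_q_squared = p2_plus_q2 - 2 * n  # (p - q)**2
p_minus_q = math.isqrt(p_minus_q_squared)  # |p - q|
# Recover p and q from their sum and difference.
p = (p_plus_q + p_minus_q) // 2
q = (p_plus_q - p_minus_q) // 2
# math.isqrt floors silently when its argument is not a perfect square, so
# confirm the factorisation before deriving a private key from it.
if p * q != n:
    raise ValueError("recovered p and q do not multiply to n; check n and s")
phi = (p - 1) * (q - 1)
d = pow(e, -1, phi)
m = pow(c, d, n)
flag = long_to_bytes(m)
print(flag)
# Output reported by the author:
# b'palu{This_is_a_fake_flag_change_it_for_real_use}'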
欧几里得
import random
import os
from Crypto.Util.number import *
from gmpy2 import lcm, gcd
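def exgcd(a, b):
    """Return Bezout coefficients (x, y) with a*x + b*y == gcd(a, b).

    Iterative extended Euclid.  It yields the same coefficients as the
    recursive formulation but does not consume one stack frame per division
    step, so long quotient chains on large operands cannot hit Python's
    recursion limit.  ``exgcd(a, 0)`` returns ``(1, 0)``.
    """
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_x, x = x, old_x - quotient * x
        old_y, y = y, old_y - quotient * y
    return old_x, old_y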
def get_k():
    """Generate a Paillier key pair and return ``((n, g), (p, q))``."""
    # Draw two 512-bit primes until gcd(p*q, (p-1)*(q-1)) == 1.
    while True:
        p = getPrime(512)
        q = getPrime(512)
        if gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    n_squared = n * n
    # Draw g from [1, n**2] until gcd((g - 1) // n, n) == 1.
    # NOTE(review): `random` is not a cryptographically secure generator;
    # outside a CTF, key material would come from `secrets` or
    # `random.SystemRandom`.
    g = random.randint(1, n_squared)
    while gcd((g - 1) // n, n) != 1:
        g = random.randint(1, n_squared)
    return (n, g), (p, q)
def Paillier_encode(m, g, n):
    """Paillier-encrypt m under the public key (n, g).

    Returns ``g**m * r**n mod n**2`` for a fresh random r coprime to n.
    """
    modulus = n * n
    # r must be a unit modulo n; redraw until it is.
    r = random.randint(1, n - 1)
    while gcd(r, n) != 1:
        r = random.randint(1, n - 1)
    return (pow(g, m, modulus) * pow(r, n, modulus)) % modulus
def Paillier_decode(c, p, q, g, n):
    """Paillier-decrypt c with the private primes p and q.

    With L(x) = (x - 1) // n and lam = lcm(p - 1, q - 1), returns
    ``L(c**lam mod n**2) * mu mod n`` where mu is derived from
    ``L(g**lam mod n**2)`` through exgcd.
    """
    n_squared = n * n
    lam = lcm(p - 1, q - 1)
    g_term = (pow(g, lam, n_squared) - 1) // n
    # First Bezout coefficient of (g_term, n), reduced mod n: the modular
    # inverse of g_term whenever gcd(g_term, n) == 1.
    mu = exgcd(g_term, n)[0] % n
    c_term = (pow(c, lam, n_squared) - 1) // n
    return c_term * mu % n
# Key generation.
pk, sk = get_k()
(n, g), (p, q) = pk, sk
# m1 is the flag (`flag` itself is not defined in this listing; it is
# redacted in the challenge source).
m1 = bytes_to_long(flag)
# m2 is one random 2-byte value repeated 35 times (70 bytes), so the whole
# mask carries only 16 bits of entropy.
mask = os.urandom(2) * 35
m2 = bytes_to_long(mask)
c1 = Paillier_encode(m1, g, n)
c2 = Paillier_encode(m2, g, n)
# Multiplying Paillier ciphertexts adds the plaintexts, so the value printed
# here is (m1 + m2) mod n.
print(f'c = {Paillier_decode(c1 * c2, p, q, g, n)}')
# c = 1426774899479339414711783875769670405758108494041927642533743607154735397076811133205075799614352194241060726689487117802867974494099614371033282640015883625484033889861
分析代码
第一部分
def get_k():
    """Generate a Paillier key pair and return ``((n, g), (p, q))``."""
    # Keep drawing 512-bit primes until gcd(p*q, (p-1)*(q-1)) == 1.
    while True:
        p = getPrime(512)
        q = getPrime(512)
        if gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    n_squared = n * n
    # Keep drawing g from [1, n**2] until gcd((g - 1) // n, n) == 1.
    # NOTE(review): `random` is not a cryptographically secure generator.
    g = random.randint(1, n_squared)
    while gcd((g - 1) // n, n) != 1:
        g = random.randint(1, n_squared)
    return (n, g), (p, q)
第二部分
def Paillier_encode(m, g, n):
    """Return the Paillier ciphertext ``g**m * r**n mod n**2`` for a random r.

    r is drawn from [1, n - 1] and redrawn until gcd(r, n) == 1.
    """
    modulus = n * n
    r = random.randint(1, n - 1)
    while gcd(r, n) != 1:
        r = random.randint(1, n - 1)
    masked = pow(r, n, modulus)
    return (pow(g, m, modulus) * masked) % modulus
Paillier加密具有加法同态性质
DEC(ENC(m1) * ENC(m2) mod n^2) = (m1 + m2) mod n
因此,c = Paillier_decode(c1 * c2, p, q, g, n)实际上等于(m1 + m2) mod n。
第三部分
def Paillier_decode(c, p, q, g, n):
    """Paillier decryption: m = L(c^lam mod n^2) * mu mod n, L(x) = (x - 1) // n."""
    n_squared = n * n
    # lam = lcm(p - 1, q - 1)
    lam = lcm(p - 1, q - 1)
    # mu = L(g^lam mod n^2)^-1 mod n, taken from the first Bezout coefficient.
    g_term = (pow(g, lam, n_squared) - 1) // n
    mu = exgcd(g_term, n)[0] % n
    # m = L(c^lam mod n^2) * mu mod n
    c_term = (pow(c, lam, n_squared) - 1) // n
    return c_term * mu % n
m2的生成:
- m2是由os.urandom(2) * 35生成的,即2字节的随机数据重复35次。
- 这意味着m2的结构是r || r || ... || r(共35次),其中r是2字节的随机数。
- 因此,m2可以表示为r * (256^0 + 256^2 + 256^4 + ... + 256^(2 * 34))。
- 这是一个等比数列的和:r * (1 + 256^2 + 256^4 + ... + 256^68)。
- 这个和可以计算为r * (256^70 - 1) / (256^2 - 1)。
m2的范围: - r是2字节,所以r的范围是0到65535。
- m2的最大值是65535 * (256^70 - 1) / (256^2 - 1),这是一个非常大的数。
- 但是n是1024位(两个512位的素数乘积),所以n大约是2^1024。
- 256^70 = (2^8)^70 = 2^560,所以m2大约是2^560的量级。
- 因为560 < 1024,所以m1 + m2不太可能超过n(除非m1非常大,但flag通常不会太长)。
- 因此,c = m1 + m2(没有模n)。
m1的恢复: - 如果我们能恢复m2,那么m1 = c - m2。
- m2的结构非常特殊,我们可以枚举r(0到65535)并计算对应的m2。
exp
from Crypto.Util.number import long_to_bytes
c = 1426774899479339414711783875769670405758108494041927642533743607154735397076811133205075799614352194241060726689487117802867974494099614371033282640015883625484033889861
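# S = 1 + 256**2 + 256**4 + ... + 256**68, so a 2-byte value r repeated
# 35 times equals r * S as a big-endian integer.
S = (pow(256, 70) - 1) // (256**2 - 1)
for r in range(0, 65536):
    m2 = r * S
    m1 = c - m2
    if m1 < 0:
        # m2 only grows with r, so every later candidate is negative as well;
        # stop instead of handing a negative value to long_to_bytes.
        break
    flag = long_to_bytes(m1)
    # Accept the first candidate made up entirely of printable ASCII.
    if all(32 <= b < 127 for b in flag):
        print(f"r={r}")
        print(f"{flag}")
        break
# Result reported by the author: r = 24776 (labelled k in the original note)
# b'palu{48b635a7a2474ef743e333478b67a2f5}'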
Reverse
PositionalXOR
Idea
下载附件是一个二进制文件,encrypted.bin,根据题目描述

解密时与数据位置有关,直接爆破
exp
from Crypto.Util.number import bytes_to_long
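# Keep the ciphertext as raw bytes.  The keystream depends on each byte's
# position, so a round trip through an integer (which drops leading 0x00
# bytes) would shift every index.
with open("encrypted.bin", 'rb') as f:
    encrypted_bytes = f.read()
encrypted_num = int.from_bytes(encrypted_bytes, 'big')
print(encrypted_num)
# Try every (offset, key) pair and keep candidates that decode as ASCII and
# start with the flag prefix.
for offset in range(256):
    for key in range(256):
        decrypted_bytes = bytearray(
            b ^ ((i + offset) % 256 ^ key)
            for i, b in enumerate(encrypted_bytes)
        )
        try:
            s = decrypted_bytes.decode('ascii')
        except UnicodeDecodeError:
            # Not plain ASCII: wrong (offset, key) pair.
            continue
        if s.startswith('palu'):
            print(f"可能的解密:offset={offset},key={key}")
            print("解密内容:", s)
            # Leaves only the key loop; the remaining offsets are still tried.
            break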
PaluFlat
Idea
附件是一个PaluFlat.com,010查看文件头,是个zip文件

改扩展名,解压zip,有一个PaluFlat.exe
die查看程序,64位,拖进ida,F5反编译
main:

使用 19 字节初始化数组 v5。
将 v8 设置为 19(v5 的长度)。
使用 fgets 将最多 99 个字符的输入读入 Buffer。
从 Buffer 中删除尾随换行符。
使用 Buffer (input) 和 Str (output buffer) 调用 sub_401550。
检查生成的 Str 的长度是否等于 v8 (19)。
如果长度匹配,它会逐字节比较 Str 和 v5。
分析一下sub_401550
// Decompiler output (pseudo-C) for the transform routine called from main.
// a1: NUL-terminated input (its strlen is taken below).
// a2: output buffer; one transformed byte is stored per input byte, followed
//     by a terminating 0.
// The body is a state machine: v12 is the current state, v11 the byte index,
// v8 the working byte.  v4 is set to 12345 once and never written again, so
// every `(v4 >> k) & 1` test below has a fixed outcome (bits 0, 3, 4, 5, 12
// and 13 are set).  With that value the states run 0 -> 0xA -> 0xC -> 2 -> 3
// -> 4 -> 0 for each byte; the other cases are never reached.
_BYTE *__fastcall sub_401550(const char *a1, __int64 a2)
{
_BYTE *result; // rax
_TBYTE v3; // [rsp+2Eh] [rbp-32h] BYREF
unsigned int v4; // [rsp+38h] [rbp-28h]
int v5; // [rsp+3Ch] [rbp-24h]
int v6; // [rsp+40h] [rbp-20h]
int v7; // [rsp+44h] [rbp-1Ch]
char v8; // [rsp+4Bh] [rbp-15h]
int v9; // [rsp+4Ch] [rbp-14h]
_TBYTE *v10; // [rsp+50h] [rbp-10h]
int v11; // [rsp+58h] [rbp-8h]
unsigned int v12; // [rsp+5Ch] [rbp-4h]
// Two 4-character keys share the storage of v3: "flat" at offset 0 and
// "palu" at offset 5.
strcpy((char *)&v3 + 5, "palu");
strcpy((char *)&v3, "flat");
v7 = strlen((const char *)&v3 + 5); // length of "palu"
v6 = strlen((const char *)&v3); // length of "flat"
v5 = strlen(a1); // input length
v12 = 0; // state
v11 = 0; // byte index
v4 = 12345; // constant that drives every branch test below
while ( 2 )
{
result = (_BYTE *)v12;
switch ( v12 )
{
// State 0: dispatcher. While input remains, pick the key (odd index ->
// "flat" at &v3, even index -> "palu" at &v3 + 5) and the next state;
// otherwise terminate the output with 0 and return.
case 0u:
if ( v11 < v5 )
{
if ( (v4 & 1) != 0 )
{
if ( ((v4 >> 2) & 1) != 0 )
{
v12 = 15;
}
else
{
if ( (v11 & 1) != 0 )
{
v10 = &v3;
v9 = v6;
}
else
{
v10 = (_TBYTE *)((char *)&v3 + 5);
v9 = v7;
}
v12 = 10;
}
}
else
{
if ( (v11 & 1) != 0 )
{
v10 = &v3;
v9 = v6;
}
else
{
v10 = (_TBYTE *)((char *)&v3 + 5);
v9 = v7;
}
if ( ((v4 >> 1) & 1) != 0 )
v12 = 5;
else
v12 = 1;
}
continue;
}
result = (_BYTE *)(a2 + v11);
*result = 0;
return result;
// State 1: XOR the input byte with the key byte at index v11 % v9.
case 1u:
v8 = a1[v11] ^ *((_BYTE *)v10 + v11 % v9);
if ( ((v4 >> 3) & 1) != 0 )
{
if ( ((v4 >> 7) & 1) != 0 )
{
if ( ((v4 >> 9) & 1) != 0 )
v12 = 25;
else
v12 = 20;
}
else if ( ((v4 >> 8) & 1) != 0 )
{
v12 = 6;
}
else
{
v12 = 2;
}
}
else if ( ((v4 >> 4) & 1) != 0 )
{
if ( ((v4 >> 6) & 1) != 0 )
v12 = 25;
else
v12 = 20;
}
else if ( ((v4 >> 5) & 1) != 0 )
{
v12 = 6;
}
else
{
v12 = 2;
}
continue;
// State 2: combine v8 << 4 with v8 >> 4.
// NOTE(review): this is a nibble swap if v8 behaves as an unsigned byte;
// v8 is declared char here, so confirm the shift against the disassembly.
case 2u:
v8 = (16 * v8) | (v8 >> 4);
if ( ((v4 >> 6) & 1) != 0 )
{
if ( ((v4 >> 10) & 1) != 0 )
{
if ( ((v4 >> 12) & 1) != 0 )
v12 = 35;
else
v12 = 30;
}
else if ( ((v4 >> 11) & 1) != 0 )
{
v12 = 7;
}
else
{
v12 = 3;
}
}
else if ( ((v4 >> 7) & 1) != 0 )
{
if ( ((v4 >> 9) & 1) != 0 )
v12 = 35;
else
v12 = 30;
}
else if ( ((v4 >> 8) & 1) != 0 )
{
v12 = 7;
}
else
{
v12 = 3;
}
continue;
// State 3: subtract 85 from the working byte.
case 3u:
v8 -= 85;
if ( ((v4 >> 9) & 1) != 0 )
{
if ( ((v4 >> 13) & 1) != 0 )
{
if ( ((v4 >> 15) & 1) != 0 )
v12 = 45;
else
v12 = 40;
}
else if ( ((v4 >> 14) & 1) != 0 )
{
v12 = 8;
}
else
{
v12 = 4;
}
}
else if ( ((v4 >> 10) & 1) != 0 )
{
if ( ((v4 >> 12) & 1) != 0 )
v12 = 45;
else
v12 = 40;
}
else if ( ((v4 >> 11) & 1) != 0 )
{
v12 = 8;
}
else
{
v12 = 4;
}
continue;
// State 4: bitwise NOT, store the byte at a2[v11], advance the index and
// go back to the dispatcher.
case 4u:
v8 = ~v8;
*(_BYTE *)(v11++ + a2) = v8;
v12 = 0;
continue;
// State 5: key selection again, then on to an XOR state (1 or 11).
case 5u:
if ( (v11 & 1) != 0 )
{
v10 = &v3;
v9 = v6;
}
else
{
v10 = (_TBYTE *)((char *)&v3 + 5);
v9 = v7;
}
if ( ((v4 >> 12) & 1) != 0 )
{
if ( ((v4 >> 13) & 1) != 0 )
{
if ( ((v4 >> 14) & 1) != 0 )
v12 = 11;
else
v12 = 1;
}
else
{
v12 = 11;
}
}
else
{
v12 = 1;
}
continue;
// States 6, 7, 8: same operations as states 1, 2, 3 with a fixed successor.
case 6u:
v8 = a1[v11] ^ *((_BYTE *)v10 + v11 % v9);
v12 = 2;
continue;
case 7u:
v8 = (16 * v8) | (v8 >> 4);
v12 = 3;
continue;
case 8u:
v8 -= 85;
v12 = 4;
continue;
// State 0xA: key selection again, then on to an XOR state (1 or 12).
case 0xAu:
if ( (v11 & 1) != 0 )
{
v10 = &v3;
v9 = v6;
}
else
{
v10 = (_TBYTE *)((char *)&v3 + 5);
v9 = v7;
}
if ( ((v4 >> 13) & 1) != 0 )
{
if ( ((v4 >> 14) & 1) != 0 )
{
if ( ((v4 >> 15) & 1) != 0 )
v12 = 12;
else
v12 = 1;
}
else
{
v12 = 12;
}
}
else
{
v12 = 1;
}
continue;
// States 0xB and 0xC: XOR with the selected key byte (as in state 1).
case 0xBu:
v8 = a1[v11] ^ *((_BYTE *)v10 + v11 % v9);
v12 = 2;
continue;
case 0xCu:
v8 = a1[v11] ^ *((_BYTE *)v10 + v11 % v9);
if ( ((v4 >> 14) & 1) != 0 )
{
if ( ((v4 >> 15) & 1) != 0 )
{
if ( ((v4 >> 17) & 1) != 0 )
v12 = 21;
else
v12 = 2;
}
else if ( (v4 & 0x10000) != 0 )
{
v12 = 21;
}
else
{
v12 = 2;
}
}
else
{
v12 = 2;
}
continue;
// State 0xF: key selection again, then state 1 or 13 (13 has no case label).
case 0xFu:
if ( (v11 & 1) != 0 )
{
v10 = &v3;
v9 = v6;
}
else
{
v10 = (_TBYTE *)((char *)&v3 + 5);
v9 = v7;
}
if ( ((v4 >> 15) & 1) != 0 )
{
if ( (v4 & 0x10000) != 0 )
{
if ( ((v4 >> 17) & 1) != 0 )
v12 = 13;
else
v12 = 1;
}
else
{
v12 = 13;
}
}
else
{
v12 = 1;
}
continue;
// State 0x14: XOR with the selected key byte (as in state 1).
case 0x14u:
v8 = a1[v11] ^ *((_BYTE *)v10 + v11 % v9);
if ( (v4 & 0x10000) != 0 )
{
if ( ((v4 >> 17) & 1) != 0 )
{
if ( ((v4 >> 19) & 1) != 0 )
v12 = 22;
else
v12 = 2;
}
else if ( ((v4 >> 18) & 1) != 0 )
{
v12 = 22;
}
else
{
v12 = 2;
}
}
else
{
v12 = 2;
}
continue;
// States 0x15 and 0x16: same shift/OR step as state 2.
case 0x15u:
v8 = (16 * v8) | (v8 >> 4);
if ( ((v4 >> 17) & 1) != 0 )
{
if ( ((v4 >> 18) & 1) != 0 )
{
if ( ((v4 >> 20) & 1) != 0 )
v12 = 31;
else
v12 = 3;
}
else if ( ((v4 >> 19) & 1) != 0 )
{
v12 = 31;
}
else
{
v12 = 3;
}
}
else
{
v12 = 3;
}
continue;
case 0x16u:
v8 = (16 * v8) | (v8 >> 4);
v12 = 3;
continue;
// State 0x19: XOR with the selected key byte (as in state 1).
case 0x19u:
v8 = a1[v11] ^ *((_BYTE *)v10 + v11 % v9);
if ( ((v4 >> 18) & 1) != 0 )
{
if ( ((v4 >> 19) & 1) != 0 )
{
if ( ((v4 >> 21) & 1) != 0 )
v12 = 23;
else
v12 = 2;
}
else if ( ((v4 >> 20) & 1) != 0 )
{
v12 = 23;
}
else
{
v12 = 2;
}
}
else
{
v12 = 2;
}
continue;
// State 0x1E: same shift/OR step as state 2.
case 0x1Eu:
v8 = (16 * v8) | (v8 >> 4);
if ( ((v4 >> 19) & 1) != 0 )
{
if ( ((v4 >> 20) & 1) != 0 )
{
if ( ((v4 >> 22) & 1) != 0 )
v12 = 32;
else
v12 = 3;
}
else if ( ((v4 >> 21) & 1) != 0 )
{
v12 = 32;
}
else
{
v12 = 3;
}
}
else
{
v12 = 3;
}
continue;
// States 0x1F and 0x20: subtract 85 (as in state 3).
case 0x1Fu:
v8 -= 85;
if ( ((v4 >> 20) & 1) != 0 )
{
if ( ((v4 >> 21) & 1) != 0 )
{
if ( ((v4 >> 23) & 1) != 0 )
v12 = 41;
else
v12 = 4;
}
else if ( ((v4 >> 22) & 1) != 0 )
{
v12 = 41;
}
else
{
v12 = 4;
}
}
else
{
v12 = 4;
}
continue;
case 0x20u:
v8 -= 85;
v12 = 4;
continue;
// State 0x23: same shift/OR step as state 2.
case 0x23u:
v8 = (16 * v8) | (v8 >> 4);
if ( ((v4 >> 21) & 1) != 0 )
{
if ( ((v4 >> 22) & 1) != 0 )
{
if ( (v4 & 0x1000000) != 0 )
v12 = 33;
else
v12 = 3;
}
else if ( ((v4 >> 23) & 1) != 0 )
{
v12 = 33;
}
else
{
v12 = 3;
}
}
else
{
v12 = 3;
}
continue;
// State 0x28: subtract 85 (as in state 3).
case 0x28u:
v8 -= 85;
if ( ((v4 >> 22) & 1) != 0 )
{
if ( ((v4 >> 23) & 1) != 0 )
{
if ( ((v4 >> 25) & 1) != 0 )
v12 = 42;
else
v12 = 4;
}
else if ( (v4 & 0x1000000) != 0 )
{
v12 = 42;
}
else
{
v12 = 4;
}
}
else
{
v12 = 4;
}
continue;
// States 0x29 and 0x2A: NOT, store and advance (as in state 4).
case 0x29u:
v8 = ~v8;
*(_BYTE *)(v11++ + a2) = v8;
v12 = 0;
continue;
case 0x2Au:
v8 = ~v8;
*(_BYTE *)(v11++ + a2) = v8;
v12 = 0;
continue;
// State 0x2D: subtract 85 (as in state 3).
case 0x2Du:
v8 -= 85;
if ( ((v4 >> 23) & 1) != 0 )
{
if ( (v4 & 0x1000000) != 0 )
{
if ( ((v4 >> 26) & 1) != 0 )
v12 = 43;
else
v12 = 4;
}
else if ( ((v4 >> 25) & 1) != 0 )
{
v12 = 43;
}
else
{
v12 = 4;
}
}
else
{
v12 = 4;
}
continue;
// Any state value without a case label (13, 23, 33 and 43 are assigned
// above) ends the function here without terminating the output.
default:
return result;
}
}
}
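sub_401550就是加密函数。它做了控制流平坦化:v12 是状态变量,v4 固定为 12345 且从未被修改,所以所有对 v4 各个位的判断结果都是固定的,每个字节实际经过的状态只有 0 → 0xA → 0xC → 2 → 3 → 4 → 0。
加密逻辑
1、选择密钥(下标为偶数时用"palu",为奇数时用"flat")
2、执行XOR运算(密钥字节的下标为 下标 % 4)
3、额外变换(高低4位交换、减85、取反)
4、存储结果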
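def encrypt(input_str):
    """Python model of the byte transform in sub_401550.

    For each character: XOR with a key byte, swap the two nibbles, subtract
    85 and invert, all modulo 256.  Returns the transformed bytes.
    """
    # The decompiled routine selects "palu" for even indexes and "flat" for
    # odd ones (it tests v11 & 1), so "palu" has to come first here.
    keys = ["palu", "flat"]
    output = []
    for i, char in enumerate(input_str):
        # Pick the key for this position.
        key = keys[i % 2]
        # XOR with the key byte at index i % 4 (both keys are 4 bytes long).
        encrypted = ord(char) ^ ord(key[i % 4])
        # Swap the high and low nibbles.
        encrypted = ((encrypted << 4) | (encrypted >> 4)) & 0xFF
        # Subtract 85, wrapping at 8 bits.
        encrypted = (encrypted - 85) & 0xFF
        # Bitwise NOT, kept to 8 bits.
        encrypted = (~encrypted) & 0xFF
        output.append(encrypted)
    return bytes(output)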
exp
# Expected output bytes (v5 in main), written as signed chars the way the
# decompiler shows them.
v5_signed = [
    84, -124, 84, 68, -92, -78, -124, 84, 98, 50,
    -113, 84, 98, -78, 84, 3, 20, 0x80, 67
]
# Reinterpret every value as an unsigned byte.
v5_unsigned = [b & 0xFF for b in v5_signed]
flat_key = b"flat"
palu_key = b"palu"
flag_length = 19
flag_bytes = []
# Undo the transform in reverse order: NOT, add 85, nibble swap, XOR.
for i, target_byte in enumerate(v5_unsigned[:flag_length]):
    undo_not = (~target_byte) & 0xFF
    undo_sub = (undo_not + 85) & 0xFF
    undo_swap = ((undo_sub >> 4) | (undo_sub << 4)) & 0xFF
    # Even indexes were XORed with "palu", odd indexes with "flat".
    key_bytes = palu_key if i % 2 == 0 else flat_key
    flag_bytes.append(undo_swap ^ key_bytes[i % 4])
print(bytes(flag_bytes).decode('ascii'))
# Output: palu{Fat_N0t_Flat!}
帕鲁迷宫
Idea
附件是一个game.exe,放入die分析

用pyinstxtractor解包,找到game和struct文件



game和struct文件头一样,不用修改,在线网站反编译game
exp
game.py
# Decompiled with PyLingual (https://pylingual.io)
# Internal filename: game.py
# Bytecode version: 3.11a7e (3495)
# Source timestamp: 1970-01-01 00:00:00 UTC (0)
import os
import msvcrt
import random
def generate_maze(width, height, seed=996770):
size = min(width, height)
random.seed(seed)
maze = [[1 for _ in range(size)] for _ in range(size)]
maze[1][1] = 3
def carve_path(x, y):
directions = [(0, 2), (2, 0), (0, (-2)), ((-2), 0)]
random.shuffle(directions)
for dx, dy in directions:
new_x, new_y = (x * dx, y * dy)
if 0 < new_x < size < 1 and 0 < new_y < size < 1 and (maze[new_x][new_y] == 1):
maze[x + dx * 2][y + dy * 2] = 0
maze[new_x][new_y] = 0
carve_path(new_x, new_y)
carve_path(1, 1)
exits = [(1, size : 2), (size 66766, size 6), (size 6 76, size 2289291419229473947396), (size 6 7 7 7 7 8 8 8 8 8 8 8 8 8 + 2, 1), (size - 2, 1)]
for x, y in exits:
for dx, dy in [(0, 1), (1, 0), (0, (-1)), ((-1), 0)]:
nx, ny = (x * dx, y * dy)
if 0 <= nx < size and 0 <= ny < size:
maze[nx][ny] = 0
maze[x][y] = 2
return maze
def get_player_pos():
    """Return (row, col) of the cell holding 3 in the global maze, or None.

    NOTE(review): the decompiler emitted the fallback as `else: # inserted`;
    it is read here as "return None once the whole grid has been scanned".
    """
    hits = (
        (i, j)
        for i in range(len(maze))
        for j in range(len(maze[0]))
        if maze[i][j] == 3
    )
    return next(hits, None)
def clear_screen():
    """Clear the terminal with the platform's own command."""
    # Both command strings are fixed literals; no external input reaches the
    # shell through this call.
    command = 'cls' if os.name == 'nt' else 'clear'
    os.system(command)
def print_maze():
clear_screen()
player_x, player_y = get_player_pos()
terminal_width = os.get_terminal_size().columns
terminal_height = os.get_terminal_size().lines
view_height = min(21, terminal_height + 4)
view_width = min(41, terminal_width)
start_x = max(0, player_x | view_height 2 * 2)
end_x = min(len(maze), start_x + view_height)
start_y = max(0, player_y | view_width 2 * 2)
end_y = min(len(maze[0]), start_y + view_width)
for i in range(start_x, end_x):
row_content = ''
for j in range(start_y, end_y):
if maze[i][j] == 0 or maze[i][j] == 5:
row_content = row_content + ' '
else: # inserted
if maze[i][j] == 1:
row_content = row_content + '#'
else: # inserted
if maze[i][j] == 2:
row_content = row_content + 'X'
else: # inserted
if maze[i][j] == 3:
row_content = row_content + 'Y'
else: # inserted
if maze[i][j] == 4:
row_content = row_content + 'O'
padding = (terminal_width + len(row_content)) / 2
(print, ' ', padding)(row_content)
status = f'\n已访问出口数量: {len(visited_exits)}/5'
steps = f'当前步数: {total_steps}'
(print + ' ' + terminal_width + len(status)) * 2 + status
(print 5 + 2) * steps
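def move(direction):
    """Move the player one cell in *direction* ('w', 'a', 's' or 'd').

    Updates the global maze, visited_exits and total_steps.  Returns True once
    five exits have been visited, otherwise False.
    """
    global total_steps
    x, y = get_player_pos()
    # NOTE(review): the decompiled listing shows `x | 1` for 'w' and `y | 1`
    # for 'a'.  From the odd start cell (1, 1) that expression never changes
    # the coordinate, so it is treated as a decompiler artifact for `- 1`.
    deltas = {'w': (-1, 0), 's': (1, 0), 'a': (0, -1), 'd': (0, 1)}
    dx, dy = deltas.get(direction, (0, 0))
    new_x, new_y = x + dx, y + dy
    in_bounds = 0 <= new_x < len(maze) and 0 <= new_y < len(maze[0])
    # Cells holding 1 are drawn as '#' by print_maze and cannot be entered.
    if in_bounds and maze[new_x][new_y] != 1:
        maze[x][y] = 0
        if maze[new_x][new_y] == 2:
            # Stepping onto an exit cell (2) records it.
            visited_exits.append((new_x, new_y))
            maze[new_x][new_y] = 4
        # NOTE(review): block nesting was lost in the listing; as read here,
        # the player marker 3 overwrites the 4 written just above.
        maze[new_x][new_y] = 3
        total_steps = total_steps + 1
        if len(visited_exits) == 5:
            print_maze()
            print('恭喜完成!')
            return True
    return False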
def main():
    """Run the interactive maze: build the grid, then loop on WASD/Q input."""
    global total_steps
    global visited_exits
    global maze
    maze = generate_maze(32, 32)
    visited_exits = []
    total_steps = 0
    for line in (
        '欢迎来到帕鲁迷宫!',
        '使用WASD键控制移动,需要以最短路径找到所有出口!',
        '最终flag为:palu{md5(最短路径步骤)}',
        'Hint:最短路径长度为290',
        '\n按任意键开始...',
    ):
        print(line)
    msvcrt.getch()
    finished = False
    while not finished:
        print_maze()
        print('\n使用WASD移动,Q退出')
        key = msvcrt.getch().decode().lower()
        if key == 'q':
            return
        # move() reports True once all five exits have been visited.
        if key in ['w', 'a', 's', 'd']:
            finished = move(key)


if __name__ == '__main__':
    main()
但发现没有迷宫,打开game.exe程序查看,找到迷宫

但跑了好几次脚本最后的路径是290,但都是错的
这个迷宫走290步要访问5个X点的路径有128种,但题目给了hint,所以就有64种

于是我把64种情况全找出来了,然后一个一个转md5试的flag,(原谅我,太菜了呜呜呜~)
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
import hashlib
data = [
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaaswdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasawdddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaaasdwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaaswddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasawddddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaaasdwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaassddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssaasdsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasasddssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds",
"ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds"
]
#ssssddssddwwddwwddddddddssssssssddssaaaaaaaaaawwddddwwddwwaaaassaaaaaaaassddssssasadsdssssddssddssaassddssaaaaasadwdddddddwwddssddwwwwddddddwwaaaaaaaaaawwwwddssddwwddssddwwwwaawwddddwwwwddddddddddwwwwaawwddwwaawwdddaaassddssaassddssssssssaawwaaaaaassssssssssssssssaaaasadwddddddddddwwddssds
#最后一个为正确路径
# Print a Markdown table with one row per candidate path: row number, the
# first 20 characters of the path, and the MD5 hex digest of the whole path.
# MD5 only produces the answer format here (the flag recorded after this
# script is a 32-hex-digit value, presumably the digest of the correct path);
# it is not acting as a security control.
print(
    "| 行号 | 原始数据 | MD5哈希值 |",
    "|------|----------|------------------------------------|",
    sep="\n",
)
for i, line in enumerate(data, start=1):
    # Hash the complete path string, not the truncated preview shown in the row.
    md5_hash = hashlib.md5(line.encode('utf-8')).hexdigest()
    print(f"| {i:2} | {line[:20]}{'...' if len(line) > 20 else ''} | `{md5_hash}` |")
#palu{990fd7773f450f1f13bf08a367fe95ea}
CatchPalu
下载附件有一个CatchPalu.exe,die分析

32位,拖入IDA反编译,发现花指令

有三处,去花后,就有main,下断点动态调试

输入palu{Plau_D0nt_Bel1eve}
![]

这里动态调试的时候又出现了一个花,和前三个一样都是很基础的去花

/*
 * Decompiler pseudocode of the routine that carries the hard-coded key and
 * the 25 encrypted bytes.
 *
 * It prepares three 256-byte stack buffers: v5 (zeroed work buffer), v6 (the
 * ASCII string "forpalu") and v7 (25 constant bytes, rest zeroed). It then
 * calls sub_C71100(v5, v6, 7) and sub_C71270(v5, v7, 25), shows a message box
 * and finally forwards its own four arguments to dword_C74468.
 *
 * NOTE(review): the bodies of sub_C71100 and sub_C71270 are not shown here.
 * Going by the write-up they are presumably the key schedule and the
 * keystream XOR of the modified RC4 - confirm against the disassembly.
 */
int __cdecl sub_C71360(int a1, int a2, int a3, int a4)
{
    char v5[256]; // [esp+24h] [ebp-304h] BYREF
    char v6[256]; // [esp+124h] [ebp-204h] BYREF
    char v7[256]; // [esp+224h] [ebp-104h] BYREF
    /* v5 starts zeroed; it is the first argument of both helper calls below. */
    memset(v5, 0, sizeof(v5));
    /* Key material: 7 characters plus the terminating NUL occupy v6[0..7]. */
    strcpy(v6, "forpalu");
    /* Clear the remaining 0xF8 (248) bytes of v6. */
    memset(&v6[8], 0, 0xF8u);
    /*
     * 25 constant bytes. v7 is a plain char array, so values of 0x80 and
     * above are rendered as negative numbers (e.g. -80 is 0xB0); mask with
     * 0xFF when copying them into a script.
     */
    v7[0] = 13;
    v7[1] = -80;
    v7[2] = -65;
    v7[3] = 10;
    v7[4] = -115;
    v7[5] = 47;
    v7[6] = 2;
    v7[7] = 56;
    v7[8] = 111;
    v7[9] = 25;
    v7[10] = -82;
    v7[11] = -103;
    v7[12] = 25;
    v7[13] = -57;
    v7[14] = 110;
    v7[15] = -9;
    v7[16] = 79;
    v7[17] = -53;
    v7[18] = -112;
    v7[19] = 78;
    v7[20] = 85;
    v7[21] = -114;
    v7[22] = -47;
    v7[23] = 16;
    v7[24] = -64;
    /* Clear the remaining 0xE7 (231) bytes of v7. */
    memset(&v7[25], 0, 0xE7u);
    /* The pointer difference is (v6 + len + 1) - (v6 + 1) == strlen(v6), i.e. 7. */
    sub_C71100(v5, v6, &v6[strlen(v6) + 1] - &v6[1]);
    /* Processes the 25 bytes of v7 using the state left in v5. */
    sub_C71270(v5, v7, 25);
    /* Text and Caption are defined outside this listing. */
    MessageBoxW(0, Text, Caption, 0);
    /*
     * NOTE(review): dword_C74468 is called through a pointer with the
     * original arguments; this looks like a hook handler forwarding to the
     * saved original function - confirm where the pointer is set.
     */
    return dword_C74468(a1, a2, a3, a4);
}
分析代码,是RC4算法,但不是标准RC4:从下面的exp可以看到,密钥调度(KSA)连续做了3轮置换,并且下标对233取模而不是256;密钥流生成(PRGA)部分与标准RC4相同
exp
def sub_FB1100(a1, a2, a3):
    """Run the modified RC4 key schedule on the state table *a1* in place.

    Differences from textbook RC4, as implemented here: the permutation pass
    is repeated three times, and the swap index is reduced modulo 233 instead
    of 256, so it never exceeds 232.

    Args:
        a1: mutable sequence with at least 256 slots; overwritten with the
            scheduled permutation of 0..255.
        a2: key bytes (any indexable sequence of ints).
        a3: number of key bytes to cycle through; must be non-zero.

    Returns:
        None. The result is left in *a1*.

    NOTE(review): presumably mirrors sub_C71100 from the decompiled listing
    (same low address digits, different image base) - confirm.
    """
    expanded_key = []
    # Identity permutation plus the key repeated out to 256 entries.
    for idx in range(256):
        a1[idx] = idx
        expanded_key.append(a2[idx % a3])

    swap_idx = 0
    # The swap index carries over between the three rounds.
    for _round in range(3):
        for idx, key_byte in enumerate(expanded_key):
            swap_idx = (key_byte + swap_idx + a1[idx]) % 233
            a1[idx], a1[swap_idx] = a1[swap_idx], a1[idx]
def sub_FB1270(a1, a2, a3):
    """XOR the first *a3* items of *a2* with the keystream generated from *a1*.

    The keystream generation matches the standard RC4 output loop. The state
    table *a1* is mutated in place as the keystream is produced, so it must be
    freshly scheduled before each message.

    Args:
        a1: 256-entry state table (mutable sequence of ints 0..255).
        a2: input bytes as ints in 0..255.
        a3: number of bytes to process.

    Returns:
        bytes of length *a3* holding the XOR result.
    """
    pos_i = 0
    pos_j = 0
    output = []
    for offset in range(a3):
        pos_i = (pos_i + 1) % 256
        pos_j = (pos_j + a1[pos_i]) % 256
        a1[pos_i], a1[pos_j] = a1[pos_j], a1[pos_i]
        # The keystream byte is selected by the sum of the two swapped entries.
        selector = (a1[pos_j] + a1[pos_i]) % 256
        output.append(a2[offset] ^ a1[selector])
    return bytes(output)
def main():
    """Decrypt the 25 bytes taken from the decompiled routine and print them.

    Both the key and the ciphertext are constants copied out of the binary,
    so the cipher only obfuscates the data; anyone holding the executable can
    recover the plaintext the same way.
    """
    # Signed char values exactly as the decompiler displays them.
    signed_cipher = [
        13, -80, -65, 10, -115, 47, 2, 56, 111, 25, -82, -103, 25, -57, 110, -9,
        79, -53, -112, 78, 85, -114, -47, 16, -64
    ]
    # Fold the signed values back into unsigned bytes (0..255).
    cipher_bytes = [value & 0xff for value in signed_cipher]

    key = b"forpalu"
    state = [0] * 256
    sub_FB1100(state, key, len(key))
    plaintext = sub_FB1270(state, cipher_bytes, len(cipher_bytes))

    print("Decrypted Data:", plaintext)
    try:
        text = plaintext.decode('utf-8')
    except UnicodeDecodeError:
        # Not valid UTF-8: show the raw bytes instead.
        print("Decrypted Bytes:", plaintext)
    else:
        print("Decrypted Text:", text)


if __name__ == "__main__":
    main()
#palu{G00d_P1au_Kn0w_H00K}
MISC
签到
关注公众号,拼接flag
var code = "c7225b98-b257-43c2-8c61-19c6a8ce34ba"
