DASCTF-NOVX联合出题人2022年度积分榜争夺赛

babytea

  • Tea加密
  • C++异常处理

三处除0异常处理

第一处

v0dword_FEF038作异或,v1dword_FEF03C作异或

image-20221129100158330

第二处

这里我为了图方便把idiv ecx patch成了jmp h2

sum与0x1234567异或

image-20221129100226853

第三处

v0的值赋给dword_FEF038v1的值赋给dword_FEF03C

image-20221129100325508

直接将各个异常patch成直接跳转到异常处理里可以很清楚的看到步骤

image-20221129100643481

但需要注意的是sum与0x1234567异或并不是每次都执行的,而是当sum >> 31 = 0时才执行

image-20221129100757585

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#include <stdio.h>
#include <stdint.h>
uint32_t d1 = 0x1234567;
uint32_t d2 = 0x89ABCDEF;
//加密函数
void encrypt (uint32_t* v, uint32_t* k,uint32_t* d) {
    uint32_t v0=v[0], v1=v[1], sum=0, i;           /* set up */
    uint32_t delta=0x9e3779b1;                     /* a key schedule constant */
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
    v0 ^= d[0];
    v1 ^= d[1];
    for (i=0; i < 32; i++) {                       /* basic cycle start */
        sum = delta + sum;
        if(sum >> 31 == 0) sum ^= 0x1234567;
        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
    }
    d[2] = v0;
    d[3] = v1;
    /* end cycle */
    v[0]=v0; v[1]=v1;
}
//解密函数
void decrypt (uint32_t* v, uint32_t* k,uint32_t* d) {
    uint32_t sum = 0, i;

    for ( i = 0; i < 32; ++i )
    {
        sum = 0x9E3779B1 + sum;
        if(sum >> 31 == 0) sum ^= 0x1234567;
    }
    uint32_t v0=v[0], v1=v[1];  /* set up */
    uint32_t delta=0x9E3779B1;                     /* a key schedule constant */
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];   /* cache key */
    for (i=0; i<32; i++) {                         /* basic cycle start */
        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        if(sum >> 31 == 0) sum ^= 0x1234567;
        sum = sum - delta;
    }
//    printf("%x\n",sum);
    v0 ^= d[0];
    v1 ^= d[1];
    v[0]=v0; v[1]=v1;
}
int main()
{
    uint32_t v[]={
            0x5E27B530, 0xBDBEF7F3, 0xE3516A8F, 0x5D836CFE, 0xD83DFA09, 0x8EFC737A, 0x55A853A3, 0x7A564EC5
    };
    uint32_t k[]={
            0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    };
    uint32_t d[] = {
            0x1234567,0x89ABCDEF, 0x5E27B530, 0xBDBEF7F3, 0xE3516A8F, 0x5D836CFE, 0xD83DFA09, 0x8EFC737A, 0x55A853A3, 0x7A564EC5
    };
    for(int i = 0; i < 8; i += 2){
//        encrypt(&v[i],k,&d[i]);
        decrypt(&v[i],k,&d[i]);
//        printf("%x %x\n",v[i],v[i+1]);
    }
    char* flag = (char*)v;
    for (int i = 0; i < 32; i += 4)
    {
        printf("%c", flag[i + 3]);
        printf("%c", flag[i + 2]);
        printf("%c", flag[i + 1]);
        printf("%c", flag[i]);
    }
    return 0;
}

babysmc

  • smc自解密
  • z3
  • capstone

ida打开可以看到有两端smc

image-20221129120627689

image-20221129120636128

第一段smc的范围为0x401850-0x401950

第二段smc的范围为0x4017C0-0x4018C0

第二段smc

因为第二段的范围包括的第一段的开头,而第一段的范围不包括第二段的开头,所以考虑的函数的常见开头先爆破第二段smc的a1

爆破

因为使用输入进行解密,所以使用所有可见字符进行爆破,并使用capstone进行分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
from capstone import *
from struct import *

def Disassembly(opcode):
    for key in range(32,126):
        new_opcode = b""
        for i in range(len(opcode)):
          new_opcode += pack("B",opcode[i] ^ key)
        md = Cs(CS_ARCH_X86, CS_MODE_32)
        print("---------Key: %#x-----------" % key)
        for item in md.disasm(new_opcode, 0):
            dic = item.mnemonic + " " + item.op_str
            print(dic)

def capstone_bomb():
  opcode1 = [ 0x76, 0xA8, 0xCF, 0xA0, 0xCF, 0x37, 0x82, 0xDF, 0x1D, 0x61, 
              0x23, 0x10, 0xE6, 0xAA, 0x66, 0xDF, 0x49, 0x29, 0x49, 0x23, 
              0xAE, 0x66, 0xD3, 0x73, 0xCB, 0x50, 0x18, 0x23, 0x23, 0xA0, 
              0xE7, 0x2F, 0xAE, 0x6E, 0xD3, 0x72, 0xCB, 0x64, 0xDC, 0xDC, 
              0xDC, 0xA0, 0xE7, 0x27, 0xE4, 0x66, 0xCF, 0x23, 0x23, 0x23, 
              0x23, 0xC8, 0x2A, 0xA8, 0x76, 0xCF, 0xA0, 0xE1, 0x22, 0xAA, 
              0x76, 0xCF, 0xA0, 0x5E, 0xCF, 0x29, 0x50, 0x3D, 0xA8, 0x66, 
              0x2F, 0x73, 0xA8, 0x6E, 0x2B, 0x72, 0xA8, 0x76, 0xCF, 0x2C, 
              0x95, 0x67, 0x36, 0xD3, 0xA8, 0x2F, 0xA6, 0xA3, 0x1D, 0x61, 
              0x23, 0xDC, 0xF2, 0xA0, 0xE7, 0x2B, 0xC8, 0xF0, 0xA8, 0x6E, 
              0xDF, 0x10, 0xEE, 0xCB, 0xCD, 0x0C, 0x23, 0x23, 0xA8, 0xC6, 
              0x7E, 0xE0, 0x76, 0xA8, 0xCF, 0x75, 0x9B, 0x27, 0x23, 0x23, 
              0x23, 0x48, 0xEB, 0x2F, 0x99, 0x22, 0x23, 0x23, 0x23, 0x48, 
              0xE1, 0x20, 0xA8, 0x76, 0x2B, 0x2C, 0x95, 0x27, 0x21, 0x48, 
              0xF3, 0x24, 0x9B, 0x22, 0x23, 0x23, 0x23, 0x48, 0xE3, 0x26, 
              0xA8, 0x56, 0x2B, 0x2C, 0x95, 0x27, 0x25, 0x4A, 0xE3, 0x9C, 
              0x23, 0x23, 0x23, 0x20, 0xF3, 0x9B, 0x22, 0x23, 0x23, 0x23, 
              0x48, 0xE3, 0x28, 0xA8, 0x56, 0x2B, 0x2C, 0x95, 0x27, 0x25, 
              0x4A, 0xE3, 0x96, 0x23, 0x23, 0x23, 0x20, 0xF3, 0x9B, 0x22, 
              0x23, 0x23, 0x23, 0xF2, 0xC3, 0xA8, 0x56, 0x2B, 0x2C, 0x95, 
              0x27, 0x25, 0x48, 0xE3, 0x31, 0x20, 0xF3, 0x9B, 0x22, 0x23, 
              0x23, 0x23, 0x48, 0xE3, 0x25, 0xA8, 0x56, 0x2B, 0x2C, 0x95, 
              0x27, 0x25, 0x48, 0xE3, 0x5F, 0x20, 0xF3, 0x9B, 0x22, 0x23, 
              0x23, 0x23, 0xE2, 0xC3, 0x23, 0xA8, 0x56, 0x2B, 0x2C, 0x95, 
              0x27, 0x25, 0x48, 0xE3, 0x0A, 0x20, 0xF3, 0x9B, 0x22, 0x23, 
              0x23, 0x23, 0x48, 0xE3, 0x23, 0xA8]
  opcode2 = [ 0x74, 0xAA, 0xCD, 0xA2, 0xCD, 0x29, 0xE6, 0x64, 0xDD, 0x21, 
              0x21, 0x21, 0x21, 0x99, 0x20, 0x21, 0x21, 0x21, 0x4A, 0xE9, 
              0x21, 0xAA, 0x74, 0x29, 0xE7, 0x25, 0x2B, 0x23, 0xAA, 0x64, 
              0xDD, 0xA2, 0xE1, 0x20, 0xA8, 0x64, 0xDD, 0x98, 0x20, 0x21, 
              0x21, 0x21, 0xE0, 0xC0, 0x21, 0xAA, 0x74, 0x29, 0xE7, 0x25, 
              0x2B, 0x22, 0xAA, 0x64, 0xDD, 0xA2, 0xE1, 0x20, 0xA8, 0x64, 
              0xDD, 0xE6, 0x64, 0xD9, 0x25, 0x21, 0x21, 0x21, 0xCA, 0x28, 
              0xAA, 0x6C, 0xD9, 0xA2, 0xE0, 0x20, 0xA8, 0x6C, 0xD9, 0xA2, 
              0x5C, 0xD9, 0x3F, 0x56, 0x10, 0xA2, 0x5C, 0xDD, 0x2B, 0x53, 
              0x23, 0xCA, 0x08, 0xAA, 0x74, 0xD9, 0x73, 0xC9, 0x7B, 0xDE, 
              0xDE, 0xDE, 0xA2, 0xE5, 0x25, 0x2E, 0x97, 0xE1, 0xA4, 0xE1, 
              0x55, 0x35, 0xAA, 0x6C, 0x29, 0x22, 0x6C, 0xDD, 0xAB, 0x74, 
              0xD9, 0xA9, 0x30, 0xAA, 0x64, 0xDD, 0xA2, 0xE1, 0x20, 0xA8, 
              0x64, 0xDD, 0xCA, 0xE1, 0xAA, 0xC4, 0x7C, 0xE2, 0xED, 0xED, 
              0xED, 0xED, 0xED, 0xED, 0x57, 0x89, 0xEE, 0x81, 0xEE, 0x16, 
              0xA3, 0xFE, 0x3C, 0x40, 0x02, 0x31, 0xC7, 0x8B, 0x47, 0xFE, 
              0x68, 0x08, 0x68, 0x02, 0x8F, 0x47, 0xF2, 0x52, 0xEA, 0x71, 
              0x39, 0x02, 0x02, 0x81, 0xC6, 0x0E, 0x8F, 0x4F, 0xF2, 0x53, 
              0xEA, 0x45, 0xFD, 0xFD, 0xFD, 0x81, 0xC6, 0x06, 0xC5, 0x47, 
              0xEE, 0x02, 0x02, 0x02, 0x02, 0xE9, 0x0B, 0x89, 0x57, 0xEE, 
              0x81, 0xC0, 0x03, 0x8B, 0x57, 0xEE, 0x81, 0x7F, 0xEE, 0x08, 
              0x71, 0x1C, 0x89, 0x47, 0x0E, 0x52, 0x89, 0x4F, 0x0A, 0x53, 
              0x89, 0x57, 0xEE, 0x0D, 0xB4, 0x46, 0x17, 0xF2, 0x89, 0x0E, 
              0x87, 0x82, 0x3C, 0x40, 0x02, 0xFD, 0xD3, 0x81, 0xC6, 0x0A, 
              0xE9, 0xD1, 0x89, 0x4F, 0xFE, 0x31, 0xCF, 0xEA, 0xEC, 0x2D, 
              0x02, 0x02, 0x89, 0xE7, 0x5F, 0xC1]
  Disassembly(opcode1)


if __name__ == '__main__':
    # z3_decode()
    capstone_bomb()

image-20221129122414597

解密

1
2
3
4
5
6
7
8
9
10
11
#include <idc.idc>

static main()
{
    auto addr = 0x4017C0;
    auto i = 0;
    for(i=0;addr+i< addr + 256;i++) 
    {
        PatchByte(addr+i, Byte(addr+i) ^ 0x21);
    }
}

image-20221129122622676

第一段smc

步骤如上

爆破

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
from capstone import *
from struct import *

def Disassembly(opcode):
    for key in range(32,126):
        new_opcode = b""
        for i in range(len(opcode)):
          new_opcode += pack("B",opcode[i] ^ key)
        md = Cs(CS_ARCH_X86, CS_MODE_32)
        print("---------Key: %#x-----------" % key)
        for item in md.disasm(new_opcode, 0):
            dic = item.mnemonic + " " + item.op_str
            print(dic)

def capstone_bomb():
  opcode1 = [ 0x76, 0xA8, 0xCF, 0xA0, 0xCF, 0x37, 0x82, 0xDF, 0x1D, 0x61, 
              0x23, 0x10, 0xE6, 0xAA, 0x66, 0xDF, 0x49, 0x29, 0x49, 0x23, 
              0xAE, 0x66, 0xD3, 0x73, 0xCB, 0x50, 0x18, 0x23, 0x23, 0xA0, 
              0xE7, 0x2F, 0xAE, 0x6E, 0xD3, 0x72, 0xCB, 0x64, 0xDC, 0xDC, 
              0xDC, 0xA0, 0xE7, 0x27, 0xE4, 0x66, 0xCF, 0x23, 0x23, 0x23, 
              0x23, 0xC8, 0x2A, 0xA8, 0x76, 0xCF, 0xA0, 0xE1, 0x22, 0xAA, 
              0x76, 0xCF, 0xA0, 0x5E, 0xCF, 0x29, 0x50, 0x3D, 0xA8, 0x66, 
              0x2F, 0x73, 0xA8, 0x6E, 0x2B, 0x72, 0xA8, 0x76, 0xCF, 0x2C, 
              0x95, 0x67, 0x36, 0xD3, 0xA8, 0x2F, 0xA6, 0xA3, 0x1D, 0x61, 
              0x23, 0xDC, 0xF2, 0xA0, 0xE7, 0x2B, 0xC8, 0xF0, 0xA8, 0x6E, 
              0xDF, 0x10, 0xEE, 0xCB, 0xCD, 0x0C, 0x23, 0x23, 0xA8, 0xC6, 
              0x7E, 0xE0, 0x76, 0xA8, 0xCF, 0x75, 0x9B, 0x27, 0x23, 0x23, 
              0x23, 0x48, 0xEB, 0x2F, 0x99, 0x22, 0x23, 0x23, 0x23, 0x48, 
              0xE1, 0x20, 0xA8, 0x76, 0x2B, 0x2C, 0x95, 0x27, 0x21, 0x48, 
              0xF3, 0x24, 0x9B, 0x22, 0x23, 0x23, 0x23, 0x48, 0xE3, 0x26, 
              0xA8, 0x56, 0x2B, 0x2C, 0x95, 0x27, 0x25, 0x4A, 0xE3, 0x9C, 
              0x23, 0x23, 0x23, 0x20, 0xF3, 0x9B, 0x22, 0x23, 0x23, 0x23, 
              0x48, 0xE3, 0x28, 0xA8, 0x56, 0x2B, 0x2C, 0x95, 0x27, 0x25, 
              0x4A, 0xE3, 0x96, 0x23, 0x23, 0x23, 0x20, 0xF3, 0x9B, 0x22, 
              0x23, 0x23, 0x23, 0xF2, 0xC3, 0xA8, 0x56, 0x2B, 0x2C, 0x95, 
              0x27, 0x25, 0x48, 0xE3, 0x31, 0x20, 0xF3, 0x9B, 0x22, 0x23, 
              0x23, 0x23, 0x48, 0xE3, 0x25, 0xA8, 0x56, 0x2B, 0x2C, 0x95, 
              0x27, 0x25, 0x48, 0xE3, 0x5F, 0x20, 0xF3, 0x9B, 0x22, 0x23, 
              0x23, 0x23, 0xE2, 0xC3, 0x23, 0xA8, 0x56, 0x2B, 0x2C, 0x95, 
              0x27, 0x25, 0x48, 0xE3, 0x0A, 0x20, 0xF3, 0x9B, 0x22, 0x23, 
              0x23, 0x23, 0x48, 0xE3, 0x23, 0xA8]
  opcode2 = [ 0x74, 0xAA, 0xCD, 0xA2, 0xCD, 0x29, 0xE6, 0x64, 0xDD, 0x21, 
              0x21, 0x21, 0x21, 0x99, 0x20, 0x21, 0x21, 0x21, 0x4A, 0xE9, 
              0x21, 0xAA, 0x74, 0x29, 0xE7, 0x25, 0x2B, 0x23, 0xAA, 0x64, 
              0xDD, 0xA2, 0xE1, 0x20, 0xA8, 0x64, 0xDD, 0x98, 0x20, 0x21, 
              0x21, 0x21, 0xE0, 0xC0, 0x21, 0xAA, 0x74, 0x29, 0xE7, 0x25, 
              0x2B, 0x22, 0xAA, 0x64, 0xDD, 0xA2, 0xE1, 0x20, 0xA8, 0x64, 
              0xDD, 0xE6, 0x64, 0xD9, 0x25, 0x21, 0x21, 0x21, 0xCA, 0x28, 
              0xAA, 0x6C, 0xD9, 0xA2, 0xE0, 0x20, 0xA8, 0x6C, 0xD9, 0xA2, 
              0x5C, 0xD9, 0x3F, 0x56, 0x10, 0xA2, 0x5C, 0xDD, 0x2B, 0x53, 
              0x23, 0xCA, 0x08, 0xAA, 0x74, 0xD9, 0x73, 0xC9, 0x7B, 0xDE, 
              0xDE, 0xDE, 0xA2, 0xE5, 0x25, 0x2E, 0x97, 0xE1, 0xA4, 0xE1, 
              0x55, 0x35, 0xAA, 0x6C, 0x29, 0x22, 0x6C, 0xDD, 0xAB, 0x74, 
              0xD9, 0xA9, 0x30, 0xAA, 0x64, 0xDD, 0xA2, 0xE1, 0x20, 0xA8, 
              0x64, 0xDD, 0xCA, 0xE1, 0xAA, 0xC4, 0x7C, 0xE2, 0xED, 0xED, 
              0xED, 0xED, 0xED, 0xED, 0x57, 0x89, 0xEE, 0x81, 0xEE, 0x16, 
              0xA3, 0xFE, 0x3C, 0x40, 0x02, 0x31, 0xC7, 0x8B, 0x47, 0xFE, 
              0x68, 0x08, 0x68, 0x02, 0x8F, 0x47, 0xF2, 0x52, 0xEA, 0x71, 
              0x39, 0x02, 0x02, 0x81, 0xC6, 0x0E, 0x8F, 0x4F, 0xF2, 0x53, 
              0xEA, 0x45, 0xFD, 0xFD, 0xFD, 0x81, 0xC6, 0x06, 0xC5, 0x47, 
              0xEE, 0x02, 0x02, 0x02, 0x02, 0xE9, 0x0B, 0x89, 0x57, 0xEE, 
              0x81, 0xC0, 0x03, 0x8B, 0x57, 0xEE, 0x81, 0x7F, 0xEE, 0x08, 
              0x71, 0x1C, 0x89, 0x47, 0x0E, 0x52, 0x89, 0x4F, 0x0A, 0x53, 
              0x89, 0x57, 0xEE, 0x0D, 0xB4, 0x46, 0x17, 0xF2, 0x89, 0x0E, 
              0x87, 0x82, 0x3C, 0x40, 0x02, 0xFD, 0xD3, 0x81, 0xC6, 0x0A, 
              0xE9, 0xD1, 0x89, 0x4F, 0xFE, 0x31, 0xCF, 0xEA, 0xEC, 0x2D, 
              0x02, 0x02, 0x89, 0xE7, 0x5F, 0xC1]
  Disassembly(opcode1)


if __name__ == '__main__':
    # z3_decode()
    capstone_bomb()

image-20221129122826982

解密

1
2
3
4
5
6
7
8
9
10
11
#include <idc.idc>

static main()
{
    auto addr = 0x401850;
    auto i = 0;
    for(i=0;addr+i< addr + 256;i++) 
    {
        PatchByte(addr+i, Byte(addr+i) ^ 0x23);
    }
}

image-20221129123003350

逆向推理

解完smc后逻辑清晰可见

image-20221129131622159

对input[1]-input[32]进行加密后check

encode

image-20221129131922110

取出30以内的10个质数,然后用质数数组作为索引调用函数数组里的函数对输入进行加密

check1

image-20221129145019265

使用z3求解

exp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
def z3_decode1():
    enc1 = [0x0002A81A, 0x00028D44, 0x00022653, 0x0002E993, 0x000249B5, 0x00024265, 0x0003253D, 0x0002D77B, 0x000282C8, 0x00022892, 0x0002BD54, 0x0002482E, 0x00024C1F, 0x00028127, 0x0001E62E, 0x0001F009]
    head = [BitVec(f"head[{i}]", 8) for i in range(16)]
    
    solver1 = Solver()
    
    solver1.add( enc1[12] == ( 199 * head[9]
                   + 98 * head[7]
                   + 192 * head[8]
                   + 23 * head[12]
                   + 79 * head[14]
                   + 77 * head[10]
                   + 185 * head[13]
                   + 135 * head[15]
                   + 119 * head[4]
                   + 54 * head[0]
                   + 41 * head[1]
                   + 124 * head[6]
                   + 18 * head[2]
                   + 181 * head[11]
                   + 191 * head[5]
                   + 7 * head[3]
      )& 0xffffffff)
    solver1.add( enc1[3] == ( 210 * head[11]
                  + 26 * head[15]
                  + 169 * head[0]
                  + 177 * head[13]
                  + head[6]
                  + 205 * head[8]
                  + 223 * head[10]
                  + 32 * head[5]
                  + 225 * head[3]
                  + 61 * head[14]
                  + 72 * head[1]
                  + 186 * head[9]
                  + 253 * head[12]
                  + 205 * head[2]
                  + 49 * head[4]
                  + 232 * head[7]
      )& 0xffffffff)
    solver1.add( enc1[13] == ( 192 * head[3]
                   + 22 * head[10]
                   + 175 * head[1]
                   + 184 * head[7]
                   + 116 * head[15]
                   + 70 * head[13]
                   + 153 * head[14]
                   + 119 * head[0]
                   + 217 * head[6]
                   + 123 * head[5]
                   + 17 * head[2]
                   + 244 * head[12]
                   + 116 * head[8]
                   + 46 * head[4]
                   + 19 * head[9]
                   + 130 * head[11]
      )& 0xffffffff)
    solver1.add( enc1[7] == ( 41 * head[12]
                  + 71 * head[7]
                  + 185 * head[1]
                  + 69 * head[11]
                  + 142 * head[8]
                  + 221 * head[5]
                  + 24 * head[3]
                  + 208 * head[6]
                  + 41 * head[9]
                  + 159 * head[2]
                  + 231 * head[14]
                  + 235 * head[13]
                  + 225 * head[0]
                  + (head[4] << 6)
                  + 162 * head[10]
                  + 134 * head[15]
      )& 0xffffffff)
    solver1.add( enc1[11] == ( 36 * head[12]
                   + 220 * head[4]
                   + 110 * head[13]
                   + 45 * head[7]
                   + 123 * head[9]
                   + 133 * head[1]
                   + 101 * head[5]
                   + 137 * head[10]
                   + 102 * head[0]
                   + 227 * head[14]
                   + 94 * head[15]
                   + 18 * head[2]
                   + 22 * head[6]
                   + 189 * head[11]
                   + 218 * head[8]
      )& 0xffffffff)
    solver1.add( enc1[15] == ( 86 * head[11]
                   + 31 * head[9]
                   + 229 * head[6]
                   + 27 * head[3]
                   + 6 * head[12]
                   + 13 * head[10]
                   + 158 * head[1]
                   + 89 * head[7]
                   + 35 * head[15]
                   + 126 * head[8]
                   + 165 * head[13]
                   + 220 * head[0]
                   + 138 * head[5]
                   + 100 * head[4]
                   + 84 * head[14]
                   + 175 * head[2]
      )& 0xffffffff)
    solver1.add( enc1[8] == ( 7 * head[1]
                  + 28 * head[8]
                  + 131 * head[10]
                  + 6 * head[6]
                  + 254 * head[0]
                  + 130 * head[13]
                  + 124 * head[3]
                  + 55 * head[12]
                  + 157 * head[14]
                  + 175 * head[5]
                  + 140 * head[4]
                  + 241 * head[9]
                  + 11 * head[11]
                  + 211 * head[2]
                  + 121 * head[7]
                  + 200 * head[15]
      )& 0xffffffff)
    solver1.add( enc1[6] == ( 195 * head[14]
                  + 197 * head[13]
                  + 218 * head[7]
                  + 83 * head[1]
                  + 98 * head[2]
                  + 70 * head[10]
                  + 229 * head[15]
                  + 148 * head[11]
                  + 195 * head[0]
                  + 94 * head[6]
                  + 211 * head[12]
                  + 220 * head[9]
                  + 81 * head[5]
                  + 253 * head[8]
                  + 78 * head[4]
                  + 4 * head[3]
      )& 0xffffffff)
    solver1.add( enc1[14] == ( 3 * head[4]
                   + 136 * head[7]
                   + 156 * head[3]
                   + 189 * head[1]
                   + 244 * head[12]
                   + 157 * head[15]
                   + 83 * head[9]
                   + 6 * head[0]
                   + 113 * head[6]
                   + 63 * head[14]
                   + 35 * head[2]
                   + 22 * head[8]
                   + 26 * head[10]
                   + 62 * head[11]
                   + 98 * head[5]
                   + 110 * head[13]
      )& 0xffffffff)
    solver1.add( enc1[4] == ( 96 * head[4]
                  + 248 * head[8]
                  + 191 * head[9]
                  + 194 * head[2]
                  + 154 * head[1]
                  + 31 * head[6]
                  + 157 * head[7]
                  + 248 * head[13]
                  + 81 * head[15]
                  + 56 * head[10]
                  + 52 * head[0]
                  + 94 * head[12]
                  + 212 * head[5]
                  + 83 * head[3]
                  + 83 * head[14]
                  + 158 * head[11]
      )& 0xffffffff)
    solver1.add( enc1[1] == ( 67 * head[4]
                  + 220 * head[2]
                  + 123 * head[11]
                  + 168 * head[5]
                  + 23 * head[12]
                  + 148 * head[7]
                  + 127 * head[10]
                  + 194 * head[1]
                  + 132 * head[8]
                  + 44 * head[0]
                  + 60 * head[13]
                  + 98 * head[15]
                  + 38 * head[14]
                  + 245 * head[9]
                  + 159 * head[6]
                  + 146 * head[3]
      )& 0xffffffff)
    solver1.add( enc1[5] == ( 132 * head[3]
                  + 10 * head[7]
                  + 95 * head[0]
                  + 83 * head[10]
                  + 99 * head[1]
                  + 77 * head[12]
                  + 195 * head[2]
                  + 47 * head[6]
                  + 38 * head[13]
                  + 178 * head[8]
                  + 74 * head[4]
                  + 86 * head[11]
                  + 208 * head[9]
                  + 240 * head[14]
                  + 120 * head[5]
                  + 43 * head[15]
      )& 0xffffffff)
    solver1.add( enc1[9] == ( 172 * head[1]
                  + 110 * head[2]
                  + 92 * head[7]
                  + 126 * head[15]
                  + 91 * head[0]
                  + 77 * head[6]
                  + 207 * head[5]
                  + 249 * head[11]
                  + 240 * head[12]
                  + 129 * head[10]
                  + 6 * head[13]
                  + 100 * head[3]
                  + head[14]
                  + 76 * head[9]
                  + 127 * head[4]
                  + 4 * head[8]
      )& 0xffffffff)
    solver1.add( enc1[10] == ( 46 * head[15]
                   + 37 * head[0]
                   + 3 * head[3]
                   + 72 * head[6]
                   + 116 * head[7]
                   + 186 * head[1]
                   + 221 * head[14]
                   + 236 * head[4]
                   + 79 * head[2]
                   + 175 * head[10]
                   + 184 * head[9]
                   + 160 * head[11]
                   + 227 * head[12]
                   + 99 * head[8]
                   + 71 * head[13]
                   + 4 * head[5]
      )& 0xffffffff)
    solver1.add( enc1[0] == ( 203 * head[3]
                  + 31 * head[0]
                  + 11 * head[14]
                  + 149 * head[7]
                  + 215 * head[5]
                  + 206 * head[1]
                  + 245 * head[6]
                  + 9 * head[11]
                  + 16 * head[10]
                  + 241 * head[13]
                  + 110 * head[8]
                  + 175 * head[2]
                  + 38 * head[4]
                  + 227 * head[9]
                  + 208 * head[12]
                  + 8 * head[15]
      )& 0xffffffff)
    solver1.add( enc1[2] == ( 132 * head[3]
                  + 119 * head[14]
                  + 26 * head[8]
                  + 24 * head[6]
                  + 121 * head[11]
                  + 235 * head[2]
                  + 228 * head[12]
                  + 34 * head[5]
                  + 37 * head[15]
                  + 24 * head[9]
                  + 145 * head[13]
                  + 199 * head[4]
                  + 173 * head[10]
                  + 58 * head[0]
                  + 246 * head[7]
                  + 199 * head[1]
      )& 0xffffffff)
    assert solver1.check() == sat
    ans1 = solver1.model()
    num = []
    for i in range(16):
        num.append(ans1.eval(head[i]))
    print(num)
if __name__ == '__main__':
    z3_decode1()

check2

image-20221129145148236

与check1类似

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
def z3_decode2():
    enc2 = [0x00027FC8, 0x00029049, 0x0003336C, 0x0002C6A7, 0x00036CB0, 0x0001F2BB, 0x00035262, 0x0002AEDF, 0x0002955E, 0x0002EE10, 0x0002B057, 0x0002FDE8, 0x00029B92, 0x00035842, 0x000294D2, 0x0002B984]
    tail = [BitVec(f"tail[{i}]", 8) for i in range(16)]
    solver2 = Solver()
    solver2.add(enc2[0] == 159 * tail[8]
                 + 109 * tail[12]
                 + 14 * tail[0]
                 + 92 * tail[14]
                 + 211 * tail[4]
                 + 178 * tail[7]
                 + 57 * tail[2]
                 + 175 * tail[5]
                 + 170 * tail[11]
                 + 59 * tail[6]
                 + 200 * tail[9]
                 + 5 * tail[15]
                 + 48 * tail[13]
                 + 28 * tail[3]
                 + 18 * tail[10]
                 + 228 * tail[1]
      )
    solver2.add(enc2[6] == 173 * tail[11]
                 + 34 * tail[5]
                 + 69 * tail[4]
                 + 216 * tail[14]
                 + 225 * tail[9]
                 + 160 * tail[1]
                 + 207 * tail[10]
                 + 175 * tail[7]
                 + 121 * tail[0]
                 + 122 * tail[2]
                 + 179 * tail[12]
                 + 91 * tail[13]
                 + 181 * tail[8]
                 + 93 * tail[3]
                 + 121 * tail[6]
                 + 12 * tail[15]
      )
    solver2.add(enc2[8] == 215 * tail[11]
                 + 164 * tail[5]
                 + 97 * tail[2]
                 + 99 * tail[3]
                 + 188 * tail[4]
                 + (tail[9] << 7)
                 + 214 * tail[6]
                 + 106 * tail[8]
                 + 169 * tail[0]
                 + 28 * tail[14]
                 + 18 * tail[12]
                 + tail[1]
                 + 177 * tail[10]
                 + 114 * tail[7]
                 + 176 * tail[15]
                 + 25 * tail[13]
      )
    solver2.add(enc2[9] == 175 * tail[14]
                 + 42 * tail[4]
                 + 214 * tail[12]
                 + 43 * tail[13]
                 + 147 * tail[6]
                 + 53 * tail[10]
                 + 12 * tail[1]
                 + 213 * tail[7]
                 + 241 * tail[9]
                 + 223 * tail[5]
                 + 65 * tail[3]
                 + 42 * tail[15]
                 + 131 * tail[2]
                 + 81 * tail[0]
                 + 92 * tail[11]
                 + 110 * tail[8]
      )
    solver2.add(enc2[13] == 57 * tail[0]
                  + 109 * tail[7]
                  + 60 * tail[2]
                  + 228 * tail[13]
                  + 166 * tail[4]
                  + 236 * tail[9]
                  + 100 * tail[6]
                  + 179 * tail[11]
                  + 20 * tail[12]
                  + 45 * tail[8]
                  + 204 * tail[3]
                  + 182 * tail[14]
                  + 84 * tail[10]
                  + 170 * tail[15]
                  + 199 * tail[5]
                  + 138 * tail[1]
      )
    solver2.add(enc2[10] == 98 * tail[11]
                  + 122 * tail[9]
                  + 237 * tail[12]
                  + 117 * tail[0]
                  + 34 * tail[3]
                  + 168 * tail[8]
                  + 135 * tail[10]
                  + 119 * tail[6]
                  + 91 * tail[2]
                  + 161 * tail[15]
                  + 152 * tail[7]
                  + 186 * tail[4]
                  + 187 * tail[13]
                  + 72 * tail[14]
                  + 36 * tail[5]
                  + 171 * tail[1]
      )
    solver2.add(enc2[7] == 184 * tail[9]
                 + 112 * tail[0]
                 + 107 * tail[11]
                 + 170 * tail[13]
                 + 55 * tail[8]
                 + 85 * tail[14]
                 + 212 * tail[10]
                 + 173 * tail[15]
                 + 166 * tail[12]
                 + 142 * tail[4]
                 + 202 * tail[5]
                 + 63 * tail[2]
                 + 30 * tail[7]
                 + 175 * tail[3]
                 + 217 * tail[6]
                 + 63 * tail[1]
      )
    solver2.add(enc2[15] == (tail[7] << 6)
                  + 228 * tail[4]
                  + 90 * tail[11]
                  + 85 * tail[3]
                  + 196 * tail[6]
                  + 219 * tail[0]
                  + 93 * tail[14]
                  + 183 * tail[15]
                  + 156 * tail[12]
                  + 197 * tail[8]
                  + 119 * tail[13]
                  + 36 * tail[10]
                  + 205 * tail[2]
                  + 94 * tail[9]
                  + 153 * tail[5]
      )
    solver2.add(enc2[5] == 9 * tail[4]
                 + (tail[5] << 6)
                 + 62 * tail[1]
                 + 58 * tail[7]
                 + 100 * tail[13]
                 + 137 * tail[11]
                 + 6 * tail[0]
                 + 119 * tail[9]
                 + 180 * tail[6]
                 + 228 * tail[8]
                 + 88 * tail[12]
                 + 107 * tail[15]
                 + 56 * tail[14]
                 + 207 * tail[2]
                 + 248 * tail[10]
                 + 150 * tail[3]
      )
    solver2.add(enc2[3] == 38 * tail[7]
                 + 194 * tail[4]
                 + 105 * tail[0]
                 + 150 * tail[6]
                 + 75 * tail[1]
                 + 89 * tail[15]
                 + 99 * tail[14]
                 + 98 * tail[3]
                 + 91 * tail[8]
                 + 178 * tail[12]
                 + 117 * tail[2]
                 + 48 * tail[13]
                 + 239 * tail[10]
                 + 233 * tail[11]
                 + 63 * tail[5]
                 + 250 * tail[9]
      )
    solver2.add(enc2[11] == 30 * tail[8]
                  + 13 * tail[5]
                  + 206 * tail[3]
                  + 234 * tail[15]
                  + 71 * tail[7]
                  + 239 * tail[12]
                  + 141 * tail[10]
                  + 179 * tail[13]
                  + 113 * tail[14]
                  + 181 * tail[9]
                  + 52 * tail[6]
                  + 74 * tail[11]
                  + 168 * tail[4]
                  + 239 * tail[1]
                  + 164 * tail[0]
                  + 179 * tail[2]
      )
    solver2.add(enc2[14] == 211 * tail[1]
                  + 74 * tail[5]
                  + 144 * tail[8]
                  + 234 * tail[0]
                  + 241 * tail[2]
                  + 157 * tail[11]
                  + 25 * tail[15]
                  + 6 * tail[10]
                  + 243 * tail[6]
                  + 107 * tail[9]
                  + 77 * tail[12]
                  + 127 * tail[4]
                  + 67 * tail[7]
                  + 13 * tail[14]
                  + 151 * tail[3]
                  + 127 * tail[13]
      )
    solver2.add(enc2[2] == 209 * tail[9]
                 + 110 * tail[7]
                 + 22 * tail[10]
                 + 102 * tail[11]
                 + 187 * tail[1]
                 + 58 * tail[8]
                 + 236 * tail[6]
                 + 146 * tail[13]
                 + 205 * tail[15]
                 + 63 * tail[2]
                 + 211 * tail[4]
                 + 152 * tail[3]
                 + 82 * tail[14]
                 + 14 * tail[5]
                 + 49 * tail[12]
                 + 251 * tail[0]
      )
    solver2.add(enc2[12] == 230 * tail[0]
                  + 27 * tail[3]
                  + 186 * tail[10]
                  + 58 * tail[7]
                  + 121 * tail[1]
                  + 59 * tail[14]
                  + 90 * tail[12]
                  + 40 * tail[2]
                  + 230 * tail[11]
                  + 25 * tail[6]
                  + 198 * tail[5]
                  + 81 * tail[4]
                  + 71 * tail[13]
                  + 180 * tail[8]
                  + 149 * tail[9]
                  + 73 * tail[15]
      )
    solver2.add(enc2[4] == 188 * tail[5]
                 + 80 * tail[1]
                 + 221 * tail[6]
                 + (tail[12] << 6)
                 + 230 * tail[3]
                 + 123 * tail[8]
                 + 124 * tail[11]
                 + 253 * tail[0]
                 + 202 * tail[10]
                 + 63 * tail[2]
                 + 40 * tail[7]
                 + 109 * tail[9]
                 + 195 * tail[15]
                 + 199 * tail[13]
                 + 82 * tail[4]
                 + 225 * tail[14]
      )
    solver2.add(enc2[1] == 236 * tail[15]
                 + 44 * tail[14]
                 + 214 * tail[13]
                 + 52 * tail[8]
                 + 37 * tail[6]
                 + 101 * tail[9]
                 + 244 * tail[10]
                 + 238 * tail[11]
                 + 109 * tail[0]
                 + 188 * tail[1]
                 + 20 * tail[3]
                 + 87 * tail[7]
                 + 93 * tail[4]
                 + 158 * tail[5]
                 + 105 * tail[12]
                 + 3 * tail[2])
    assert solver2.check() == sat
    ans2 = solver2.model()
    # print(ans)
    num = [0] * 32
    for i in range(16):
      num[i + 16] = ans2.eval(tail[i])
    print(num)
if __name__ == '__main__':
    z3_decode2()

这里很奇怪,如果我把check1和check2的求解函数放在一起,结果就不一样,要是有师傅知道为什么麻烦和我联系一下

image-20221129150449333

image-20221129150508858

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
def find_02(num):
  byte_422280 = [0x7A, 0x91, 0x9F, 0x23, 0x71, 0xD1, 0x63, 0xDB, 0x59, 0x0A, 0xEC, 0x69, 0xEE, 0x76, 0x5D, 0x64, 0x37, 0x42, 0x8C, 0x0B, 0x3C, 0x5C, 0x80, 0xAD, 0x6A, 0x03, 0x43, 0x93, 0xBC, 0xBF, 0xE3, 0xAF, 0x5A, 0x8A, 0x65, 0x0D, 0x31, 0xDF, 0x3E, 0xA7, 0xE4, 0xDD, 0xB4, 0xB0, 0x56, 0x1C, 0x12, 0xA4, 0x9E, 0xD8, 0x3D, 0x81, 0x60, 0x9A, 0xCB, 0xFA, 0xB1, 0xE0, 0xD3, 0xF4, 0xA2, 0x26, 0x68, 0x90, 0x4B, 0x45, 0x85, 0x20, 0x16, 0xDE, 0xED, 0x4C, 0x6F, 0x34, 0xDC, 0xBE, 0xD2, 0x46, 0x33, 0x14, 0x77, 0xC6, 0xCD, 0xF0, 0xC5, 0xAC, 0x1F, 0xD0, 0x95, 0x97, 0x3F, 0xD7, 0x52, 0xAE, 0xB9, 0xC9, 0x0C, 0xCA, 0x4E, 0xF1, 0xB7, 0x39, 0x7F, 0x27, 0x2B, 0x40, 0x4A, 0x51, 0xA1, 0xCC, 0xCE, 0x6E, 0x70, 0xFF, 0x0E, 0xEF, 0x8E, 0x25, 0xB3, 0x5E, 0x6C, 0xAB, 0x02, 0x49, 0xE9, 0x9B, 0x36, 0x13, 0x9C, 0x04, 0x35, 0xC0, 0xFB, 0x3A, 0x67, 0xB6, 0x9D, 0xC2, 0x73, 0xB5, 0x6D, 0xCF, 0x83, 0x2C, 0x01, 0xC1, 0x10, 0x6B, 0x79, 0x87, 0x5B, 0x57, 0x47, 0xE5, 0x15, 0xF7, 0xA5, 0x74, 0xAA, 0x53, 0x7D, 0x2E, 0xD5, 0xA3, 0x19, 0xF5, 0x2D, 0xFD, 0x61, 0x8D, 0xC8, 0x1B, 0xC3, 0xDA, 0xF6, 0x72, 0x54, 0x5F, 0x1E, 0xE8, 0x17, 0x50, 0xB2, 0xE7, 0x0F, 0x7E, 0x55, 0xBD, 0x86, 0x00, 0x78, 0x94, 0x92, 0x09, 0x2F, 0xD6, 0xD9, 0xF3, 0x29, 0xE6, 0x24, 0x32, 0x66, 0x22, 0x41, 0xC4, 0x7C, 0x05, 0x98, 0x44, 0x4F, 0x99, 0xA9, 0xE1, 0x8F, 0x08, 0x1A, 0x2A, 0x11, 0xEA, 0x3B, 0xE2, 0x38, 0xB8, 0x18, 0xF9, 0xD4, 0xC7, 0x62, 0x7B, 0x75, 0x58, 0x96, 0x28, 0xEB, 0x06, 0x84, 0x89, 0x48, 0x82, 0x88, 0xA6, 0xFE, 0xA0, 0xF2, 0xF8, 0x1D, 0x8B, 0xFC, 0xA8, 0x21, 0x30, 0xBB, 0x07, 0xBA, 0x4D]
  for i in range(len(num)):
    for j in range(len(byte_422280)):
      if(byte_422280[j] == num[i]):
        num[i] = j
        break
  return num
def find_03(num):
  byte_422380 = [0x45, 0x1F, 0x63, 0x81, 0xE6, 0xAD, 0x4F, 0xD3, 0xC0, 0x15, 0x69, 0x8F, 0x0D, 0x31, 0x0C, 0xB0, 0xF1, 0x2E, 0x98, 0xC1, 0xC2, 0x96, 0xB2, 0xEB, 0xBF, 0xDF, 0x17, 0xF4, 0x7F, 0xE5, 0x66, 0x73, 0xD8, 0x56, 0x46, 0x20, 0x9C, 0x77, 0x3D, 0x72, 0xA3, 0x91, 0x49, 0x68, 0x4C, 0x1E, 0xAE, 0x06, 0x7A, 0x94, 0xDD, 0x52, 0x55, 0x2C, 0xB8, 0x42, 0x79, 0xFE, 0x38, 0xEF, 0x8B, 0xF7, 0xAC, 0xDC, 0xFF, 0x78, 0x34, 0x70, 0xA9, 0xCE, 0x3F, 0x0E, 0x11, 0x43, 0x5B, 0xF8, 0xAF, 0xD0, 0xFA, 0x33, 0xBA, 0xCF, 0x4A, 0xC9, 0x88, 0x4E, 0x80, 0x10, 0x85, 0x37, 0x12, 0xAB, 0xE1, 0x61, 0xB7, 0x3E, 0x4D, 0x19, 0x3A, 0x04, 0x8C, 0x92, 0x0B, 0xE7, 0x3C, 0xEA, 0xC7, 0x16, 0x35, 0xB1, 0xA7, 0x8E, 0x40, 0x9F, 0xB6, 0xB5, 0x25, 0xA0, 0x5A, 0x30, 0x7D, 0xA2, 0x1A, 0x64, 0xC5, 0x6D, 0x74, 0x82, 0x08, 0x7E, 0xD2, 0xF6, 0xAA, 0xDA, 0xED, 0x4B, 0x6E, 0xE8, 0xE9, 0xE2, 0xD4, 0x71, 0xB9, 0x09, 0x84, 0x3B, 0xC4, 0x1C, 0x60, 0xFD, 0x22, 0x99, 0x39, 0x97, 0x18, 0x89, 0x7C, 0xA4, 0x27, 0xBD, 0x0F, 0xCC, 0x95, 0xF5, 0xB3, 0x65, 0x6B, 0x8A, 0x58, 0x36, 0xBB, 0x9E, 0x75, 0xD1, 0x03, 0x9D, 0x6A, 0x6C, 0x53, 0x05, 0xB4, 0xE4, 0xEE, 0x67, 0x87, 0x7B, 0x32, 0x2D, 0x24, 0x2A, 0x59, 0xEC, 0x0A, 0xDB, 0x21, 0x07, 0x23, 0x50, 0x02, 0x41, 0xF2, 0x83, 0xD9, 0x26, 0xBC, 0x6F, 0x86, 0xA6, 0x93, 0xF9, 0xC8, 0xD6, 0xA5, 0x1D, 0xE3, 0xE0, 0xFC, 0xCA, 0x1B, 0x5E, 0x8D, 0x2F, 0x5C, 0xBE, 0x47, 0xA8, 0x44, 0x57, 0x54, 0x48, 0xC3, 0x00, 0x62, 0x5D, 0xCB, 0xD7, 0x76, 0xCD, 0x28, 0xD5, 0x14, 0x90, 0x13, 0xDE, 0x5F, 0xF0, 0x01, 0x2B, 0xC6, 0x29, 0x9A, 0x9B, 0x51, 0xF3, 0xFB, 0xA1]
  for i in range(len(num)):
    for j in range(len(byte_422380)):
      if(byte_422380[j] == num[i]):
        num[i] = j
        break
  return num
def find_05(num):
  byte_422580 = [0x00, 0x74, 0x59, 0xC6, 0xAC, 0xD3, 0xC1, 0xA0, 0x88, 0x3F, 0x1C, 0x28, 0x17, 0x22, 0xC5, 0x38, 0xF9, 0x1B, 0x21, 0x49, 0x99, 0xAF, 0xD6, 0x95, 0xA4, 0x9D, 0x5D, 0x5B, 0x73, 0xFE, 0xC9, 0x9A, 0x4C, 0xB4, 0x27, 0x5E, 0x71, 0x25, 0xE2, 0x90, 0xC0, 0x62, 0x5F, 0x48, 0x77, 0xE0, 0xF2, 0x8E, 0x40, 0xC7, 0x79, 0x1A, 0xDC, 0xF3, 0x01, 0xB6, 0xD8, 0xB5, 0x67, 0x1E, 0x85, 0x12, 0x68, 0x87, 0xD0, 0x30, 0xEB, 0x2F, 0x50, 0xCF, 0xEE, 0xDD, 0xFB, 0xE6, 0xA5, 0x69, 0x05, 0x75, 0xB7, 0xEF, 0x70, 0x53, 0xFF, 0xBA, 0x80, 0x41, 0x9B, 0xA1, 0x39, 0xF8, 0x65, 0x1F, 0x7A, 0x51, 0x98, 0xAD, 0x02, 0x13, 0x18, 0xC3, 0x31, 0x89, 0xCD, 0xCA, 0x91, 0xD1, 0x78, 0x57, 0x47, 0xB8, 0x54, 0x9F, 0x96, 0x04, 0x23, 0x2B, 0xE5, 0x46, 0x29, 0x7C, 0x76, 0x82, 0xBC, 0xFC, 0x6E, 0xEC, 0xED, 0x64, 0x4A, 0x26, 0x34, 0x5C, 0x19, 0x55, 0xFD, 0x6D, 0xFA, 0x7E, 0xB2, 0xD4, 0xF1, 0xF6, 0xE4, 0x60, 0xB0, 0x52, 0x9E, 0x8F, 0xBB, 0x08, 0x3B, 0x97, 0xE8, 0x10, 0x6C, 0x44, 0x3A, 0x36, 0x35, 0x03, 0xC4, 0x81, 0x9C, 0xAB, 0xCB, 0x66, 0xAA, 0x37, 0xA2, 0xD2, 0xE1, 0xE9, 0x7B, 0x14, 0x8D, 0xD9, 0xF5, 0x0B, 0xC2, 0x07, 0xA8, 0x0D, 0xA3, 0x0A, 0x84, 0x6B, 0x2C, 0xEA, 0x0C, 0xAE, 0x7D, 0x6F, 0xD7, 0xE7, 0xC8, 0x3C, 0x45, 0xCC, 0x58, 0xB9, 0x3D, 0x33, 0x4E, 0x4B, 0x8C, 0xCE, 0x72, 0x6A, 0x8B, 0x2D, 0x24, 0x11, 0xDF, 0x5A, 0x2E, 0x92, 0xDA, 0x86, 0x94, 0xA7, 0xD5, 0x4F, 0x2A, 0xB3, 0x63, 0x61, 0xE3, 0xDE, 0x43, 0x1D, 0xBF, 0x15, 0x32, 0xBE, 0x16, 0x3E, 0x93, 0x7F, 0x83, 0x56, 0x06, 0xF7, 0x8A, 0x20, 0xBD, 0x0E, 0xA6, 0xDB, 0x0F, 0xB1, 0x42, 0xF0, 0x09, 0x4D, 0xA9, 0xF4]
  for i in range(len(num)):
    for j in range(len(byte_422580)):
      if(byte_422580[j] == num[i]):
        num[i] = j
        break
  return num
def find_07(num):
  byte_422780 = [0x0F, 0xA5, 0xBA, 0x03, 0xF9, 0x69, 0x2A, 0xD7, 0xEA, 0xB5, 0xFC, 0xA1, 0x39, 0x20, 0x68, 0x72, 0x25, 0xB2, 0x6C, 0xAD, 0x88, 0x51, 0x73, 0xEB, 0xCF, 0x13, 0xDE, 0x7C, 0x6D, 0x38, 0x05, 0x09, 0xC2, 0x96, 0x1F, 0x7F, 0x37, 0x4A, 0xC9, 0xE7, 0x6A, 0xB0, 0x59, 0xF7, 0xD2, 0xB9, 0x16, 0xC8, 0xEE, 0xA9, 0x18, 0x80, 0xAC, 0xE3, 0x9E, 0x6F, 0x3C, 0x2F, 0x3E, 0x9A, 0xBE, 0x1D, 0xB4, 0x7B, 0x7D, 0x32, 0x6B, 0x74, 0xC5, 0xC0, 0xC7, 0xD1, 0x29, 0x98, 0xDD, 0xB6, 0x0E, 0x4D, 0xBF, 0x79, 0x0D, 0xDA, 0x7A, 0x17, 0x71, 0x43, 0x87, 0xFF, 0xDC, 0xC6, 0x12, 0xE9, 0x67, 0x2D, 0x70, 0x9F, 0x95, 0x30, 0x26, 0x24, 0x2B, 0xA8, 0xA2, 0xD8, 0x3B, 0x31, 0xA0, 0x3D, 0x4B, 0x90, 0x60, 0x34, 0x75, 0xE8, 0x5D, 0xF4, 0x85, 0xF3, 0xFE, 0x35, 0xCB, 0xB8, 0x02, 0x50, 0xB1, 0xF1, 0x1A, 0x1B, 0x21, 0xCD, 0xC4, 0x7E, 0xED, 0x07, 0xD9, 0xD6, 0x44, 0x15, 0x8E, 0x49, 0xB3, 0x97, 0xE6, 0x63, 0xB7, 0xEF, 0x3A, 0x8F, 0xF2, 0x53, 0x10, 0x77, 0x86, 0xF8, 0x8A, 0x28, 0x3F, 0xD4, 0x4C, 0xE5, 0x82, 0x83, 0xEC, 0x62, 0x89, 0xDF, 0xC3, 0x14, 0xCA, 0xA3, 0x5F, 0x64, 0x47, 0xFD, 0x00, 0x84, 0x66, 0xA7, 0x5A, 0x0C, 0x01, 0xD5, 0x5B, 0x0A, 0x4F, 0x27, 0x78, 0x0B, 0x2E, 0x48, 0x36, 0xFA, 0x08, 0x56, 0xE0, 0xA6, 0xC1, 0x5C, 0x8B, 0x41, 0x06, 0xBB, 0x52, 0x93, 0xAF, 0x2C, 0x5E, 0xF6, 0x61, 0xF0, 0xAB, 0x91, 0x45, 0x04, 0xBD, 0xCC, 0xE4, 0x65, 0x9D, 0x92, 0xCE, 0x40, 0xAE, 0x76, 0x9B, 0x9C, 0xAA, 0x54, 0xD0, 0x1C, 0x81, 0x4E, 0x57, 0x55, 0x23, 0x6E, 0x1E, 0x99, 0xDB, 0xFB, 0xA4, 0x22, 0x19, 0x58, 0x11, 0x8D, 0x94, 0xD3, 0xE2, 0x8C, 0xF5, 0x42, 0x46, 0xBC, 0x33, 0xE1]
  for i in range(len(num)):
    for j in range(len(byte_422780)):
      if(byte_422780[j] == num[i]):
        num[i] = j
        break
  return num
def find_11(num):
  byte_422B80 = [0x38, 0xD9, 0xDA, 0xE6, 0xB5, 0xF1, 0x0B, 0x93, 0x0C, 0x58, 0x0D, 0xAE, 0x0A, 0x85, 0x2A, 0x50, 0xC2, 0xBF, 0xD4, 0x28, 0x52, 0xC4, 0x4F, 0xE1, 0x44, 0xE0, 0xA2, 0x70, 0x36, 0x65, 0x4B, 0x41, 0x9D, 0x5F, 0x05, 0x7C, 0xF7, 0xD7, 0x99, 0x8B, 0xCC, 0xCE, 0x16, 0xBE, 0xB6, 0xC5, 0x8F, 0x79, 0xC7, 0x20, 0x7E, 0xF4, 0xF3, 0x2E, 0x4A, 0x89, 0xD6, 0x0F, 0x6E, 0xB0, 0x61, 0xB1, 0x6D, 0x19, 0x73, 0x03, 0x74, 0xA1, 0x40, 0xEC, 0xC0, 0x57, 0x94, 0x7A, 0x66, 0xD5, 0xEA, 0x17, 0x6A, 0x84, 0x37, 0xED, 0xF6, 0x13, 0x31, 0x5B, 0x82, 0x1E, 0xFC, 0x92, 0xE2, 0x42, 0x86, 0xBA, 0xE3, 0x91, 0x7F, 0x67, 0x5C, 0x98, 0x15, 0x22, 0x8D, 0x80, 0x04, 0xE4, 0x25, 0x09, 0xA0, 0xAD, 0x63, 0xE5, 0xB4, 0x9A, 0x3C, 0xA3, 0x3A, 0x69, 0xF8, 0xCD, 0xBC, 0x88, 0x55, 0xB2, 0xBD, 0x6B, 0x77, 0x71, 0xB3, 0xD3, 0x90, 0x75, 0x06, 0x49, 0xC3, 0x32, 0x4D, 0x1D, 0xA8, 0xAA, 0xFB, 0x7B, 0x7D, 0x2B, 0xA6, 0x34, 0x72, 0x47, 0xF0, 0x2F, 0x9C, 0x08, 0x00, 0x14, 0x8C, 0x26, 0x5E, 0x87, 0xD1, 0xCF, 0xC9, 0x18, 0x51, 0x23, 0xCB, 0xF5, 0x1C, 0x9F, 0x97, 0xF9, 0xBB, 0xA7, 0x39, 0x45, 0x02, 0xFD, 0x46, 0x8A, 0x54, 0xA4, 0x8E, 0x9E, 0x68, 0x96, 0x0E, 0x78, 0xB8, 0x3D, 0x11, 0x64, 0xAF, 0x10, 0xDE, 0x6C, 0x60, 0x5A, 0x76, 0x1A, 0xE9, 0xC1, 0x3E, 0xCA, 0x9B, 0x27, 0x30, 0xEF, 0xFF, 0x07, 0xD2, 0xB9, 0x2D, 0xD0, 0xEE, 0x83, 0xAB, 0xF2, 0x4C, 0xA5, 0x21, 0x62, 0x81, 0x33, 0x1B, 0xD8, 0x6F, 0xAC, 0x3B, 0x5D, 0xE8, 0xFA, 0x3F, 0xDB, 0x95, 0xE7, 0x59, 0x12, 0x48, 0x35, 0xC6, 0x2C, 0x4E, 0x01, 0xDD, 0x43, 0x29, 0xDC, 0x24, 0x1F, 0xB7, 0xA9, 0xEB, 0xC8, 0xFE, 0x56, 0xDF, 0x53]
  for i in range(len(num)):
    for j in range(len(byte_422B80)):
      if(byte_422B80[j] == num[i]):
        num[i] = j
        break
  return num
def find_13(num):
  byte_422D80 = [0xB0, 0x28, 0x0B, 0x89, 0x4B, 0xA4, 0xBE, 0x1A, 0x8F, 0x6C, 0xCF, 0xB2, 0xB5, 0xFE, 0xFB, 0x59, 0x2D, 0x29, 0x39, 0x62, 0x97, 0xAA, 0xD7, 0x7D, 0x94, 0x2C, 0xFC, 0x5D, 0xB4, 0x7C, 0x8A, 0x82, 0xD3, 0xA7, 0xBA, 0xDF, 0x21, 0xE6, 0xA2, 0xD0, 0xE8, 0xF0, 0x67, 0x3A, 0xB9, 0x98, 0xF9, 0xAE, 0xD1, 0x56, 0xD8, 0xCA, 0x10, 0xEA, 0x92, 0xA8, 0x75, 0x7E, 0x65, 0xA9, 0xAF, 0x51, 0xC9, 0x8E, 0xD4, 0x77, 0xE4, 0x49, 0x06, 0x61, 0x9E, 0x24, 0xD9, 0x9B, 0x11, 0x05, 0x1D, 0x96, 0x9A, 0xB1, 0xE0, 0x83, 0xE1, 0x1C, 0xCD, 0xF3, 0x38, 0xB3, 0x57, 0x50, 0xF4, 0xAC, 0xEB, 0x14, 0xA5, 0x46, 0xF6, 0x93, 0xAD, 0x7B, 0x30, 0xEF, 0x79, 0x17, 0x47, 0xDA, 0xC0, 0xDD, 0xDE, 0xDC, 0x5A, 0x76, 0x3B, 0x31, 0x0D, 0x0E, 0x86, 0xF1, 0x71, 0xFA, 0x0C, 0x00, 0xA3, 0xBF, 0x64, 0x37, 0x22, 0xD2, 0x69, 0x5C, 0xC6, 0x16, 0x9F, 0x5E, 0x7A, 0x1E, 0x27, 0x60, 0x6E, 0xF8, 0x8C, 0xEE, 0xC2, 0x74, 0x81, 0x8B, 0x33, 0x03, 0xBD, 0x2A, 0x0A, 0x68, 0x6B, 0x3F, 0x4C, 0xC3, 0x15, 0x04, 0x3D, 0x63, 0xF5, 0xAB, 0xCC, 0x3C, 0x53, 0x20, 0x66, 0xC4, 0xC1, 0x23, 0xE7, 0x25, 0x55, 0xC7, 0xED, 0xB7, 0xBC, 0xCB, 0x8D, 0x09, 0xCE, 0x52, 0xBB, 0xE2, 0xC5, 0xB6, 0x26, 0x12, 0x2F, 0x99, 0x58, 0x40, 0x6D, 0xA1, 0x3E, 0x48, 0x85, 0xA6, 0xF2, 0x0F, 0x43, 0x78, 0xB8, 0x01, 0xE5, 0xD5, 0x6F, 0x4E, 0xF7, 0x13, 0x42, 0xEC, 0x45, 0x2B, 0x4F, 0x36, 0xDB, 0x9C, 0xE3, 0x44, 0x34, 0x84, 0x73, 0x2E, 0x7F, 0xFD, 0x91, 0x41, 0xD6, 0x95, 0x18, 0xFF, 0x70, 0xC8, 0x02, 0x5F, 0x08, 0x1B, 0x6A, 0x5B, 0x19, 0xA0, 0x4D, 0x35, 0x54, 0xE9, 0x32, 0x88, 0x72, 0x07, 0x87, 0x90, 0x4A, 0x80, 0x1F, 0x9D]
  for i in range(len(num)):
    for j in range(len(byte_422D80)):
      if(byte_422D80[j] == num[i]):
        num[i] = j
        break
  return num
def find_17(num):
  byte_423180 = [0xE8, 0x22, 0x64, 0x9F, 0xC5, 0xD5, 0x25, 0xC9, 0x5D, 0xDF, 0xA1, 0x74, 0xCB, 0x57, 0xF7, 0xF0, 0xBD, 0x56, 0xFF, 0x33, 0x79, 0xFE, 0x87, 0xB6, 0xB1, 0x54, 0x10, 0x95, 0x8A, 0xEC, 0x7B, 0x48, 0x84, 0x3D, 0x30, 0xEF, 0x86, 0xFA, 0x97, 0x1C, 0xDC, 0xA9, 0x5A, 0xF3, 0x67, 0x18, 0x83, 0x72, 0x06, 0xB9, 0xF5, 0x05, 0x68, 0x59, 0xF2, 0xE4, 0x88, 0x5E, 0x14, 0x17, 0x11, 0x9C, 0xAB, 0xDE, 0xEB, 0x7D, 0x62, 0x9B, 0xD6, 0xF4, 0x01, 0x29, 0xBC, 0xC0, 0x69, 0xA2, 0x2B, 0x0D, 0x1D, 0x98, 0x6A, 0xBE, 0x65, 0x09, 0xF8, 0x96, 0xB4, 0x6E, 0x63, 0xE3, 0x34, 0x2D, 0xCE, 0x0A, 0xCD, 0xAA, 0x21, 0xCC, 0xE7, 0xA5, 0xDB, 0xD8, 0x03, 0xDD, 0xB2, 0x1F, 0x9D, 0x9E, 0x0E, 0x8F, 0x8B, 0xCA, 0x92, 0x0B, 0xA7, 0x5B, 0xD2, 0xCF, 0x47, 0x07, 0x04, 0xAE, 0x3B, 0xA8, 0x7C, 0x73, 0xF9, 0x35, 0xEE, 0x7A, 0xB0, 0xBA, 0x85, 0x46, 0x3E, 0x81, 0xC7, 0x40, 0x37, 0x15, 0x3A, 0x19, 0xE0, 0x1E, 0x28, 0x4A, 0x4F, 0x8C, 0xD4, 0x51, 0x2E, 0x94, 0x89, 0x2A, 0x0F, 0x7E, 0xE1, 0xC8, 0x5F, 0x4E, 0x6D, 0xF6, 0x49, 0xB8, 0x55, 0x60, 0x82, 0x20, 0x36, 0xC1, 0x0C, 0x1B, 0xC4, 0x00, 0xE5, 0xA3, 0x2C, 0xE9, 0xC2, 0xF1, 0x23, 0x3F, 0xC3, 0xB5, 0x8D, 0xD7, 0x42, 0xFC, 0x50, 0x13, 0xBB, 0x61, 0x9A, 0x44, 0xE6, 0x91, 0x2F, 0x70, 0xC6, 0x6F, 0xD1, 0x27, 0x43, 0x08, 0xDA, 0xFD, 0x52, 0x71, 0x77, 0xED, 0xE2, 0xAD, 0x16, 0x8E, 0x12, 0x4C, 0x31, 0x3C, 0x39, 0x78, 0x90, 0xBF, 0x1A, 0x76, 0x75, 0x41, 0x99, 0xD0, 0x80, 0xB7, 0x66, 0x24, 0xD3, 0x7F, 0x4B, 0x45, 0x5C, 0x53, 0x4D, 0x26, 0x32, 0xA0, 0xFB, 0xB3, 0x38, 0x6B, 0xAF, 0xA6, 0xD9, 0x02, 0xA4, 0xEA, 0x6C, 0xAC, 0x58, 0x93]
  for i in range(len(num)):
    for j in range(len(byte_423180)):
      if(byte_423180[j] == num[i]):
        num[i] = j
        break
  return num
def find_19(num):
  byte_423380 = [0x91, 0x67, 0x1A, 0xBE, 0xAB, 0xC2, 0x85, 0xD5, 0xDA, 0xCC, 0xF7, 0x5B, 0x54, 0x61, 0x05, 0xDF, 0x02, 0x70, 0x65, 0x69, 0x9A, 0x7A, 0x09, 0x92, 0x5D, 0x2A, 0xA7, 0x37, 0xFF, 0x19, 0xE6, 0x99, 0xF3, 0x1E, 0xBD, 0x82, 0x48, 0x3C, 0xE8, 0xC8, 0x66, 0x17, 0xB7, 0xA9, 0xC5, 0x4E, 0x33, 0x84, 0x45, 0xD3, 0x8B, 0x49, 0x50, 0x43, 0x8F, 0xCD, 0x73, 0x29, 0x04, 0xDC, 0x01, 0x0C, 0xDD, 0x2E, 0xFB, 0x6E, 0x0F, 0x24, 0x57, 0xE9, 0xC9, 0x7D, 0xB3, 0x40, 0x4B, 0x56, 0x6C, 0x68, 0xE2, 0x22, 0xF6, 0x80, 0xAA, 0x95, 0xD4, 0x97, 0x94, 0x21, 0x53, 0xD1, 0xE3, 0x59, 0xD2, 0xED, 0x41, 0x4D, 0x74, 0xA3, 0xA0, 0x32, 0x0D, 0xFC, 0x46, 0x34, 0xFA, 0xB1, 0x5E, 0xC6, 0x71, 0xC0, 0xE0, 0x3F, 0x13, 0x12, 0xD7, 0xEE, 0xF8, 0x26, 0xE1, 0x25, 0x88, 0x77, 0xB0, 0x8D, 0x6A, 0xEA, 0x0E, 0xD6, 0x3E, 0x03, 0x64, 0xBF, 0x8C, 0x96, 0xD9, 0xA4, 0x42, 0xAD, 0xFD, 0x16, 0x5A, 0xE4, 0x06, 0x9D, 0x07, 0x87, 0x5F, 0xAF, 0xDB, 0xC1, 0x93, 0x1C, 0xF1, 0xDE, 0xA6, 0x3A, 0xF4, 0x2C, 0x1B, 0x39, 0xE7, 0x4A, 0xC7, 0x35, 0xFE, 0x0A, 0x62, 0xF0, 0xCA, 0xEC, 0x27, 0x52, 0x23, 0x7F, 0xA5, 0x79, 0x7C, 0x75, 0x86, 0xEB, 0x60, 0xA8, 0xF5, 0x1F, 0x20, 0xC3, 0x63, 0x5C, 0x72, 0x18, 0xE5, 0x51, 0xAC, 0xB9, 0x90, 0x9F, 0x4C, 0xB2, 0xCB, 0x00, 0x6F, 0x28, 0xA1, 0xB6, 0x9B, 0xD0, 0x7B, 0x36, 0x4F, 0x9C, 0xCF, 0x98, 0x8A, 0x0B, 0x78, 0xB4, 0x7E, 0x2B, 0xEF, 0x58, 0xB5, 0xBA, 0x55, 0xB8, 0x10, 0x2F, 0x44, 0xAE, 0x89, 0x08, 0xC4, 0x3B, 0x9E, 0xF9, 0x6D, 0xF2, 0x15, 0x1D, 0x30, 0x47, 0x8E, 0x31, 0x2D, 0xD8, 0x6B, 0x3D, 0x11, 0x14, 0xA2, 0x83, 0xCE, 0xBB, 0x81, 0xBC, 0x76, 0x38]
  for i in range(len(num)):
    for j in range(len(byte_423380)):
      if(byte_423380[j] == num[i]):
        num[i] = j
        break
  return num
def find_23(num):
  byte_423780 = [0x38, 0x5A, 0xC7, 0x98, 0x15, 0x6A, 0xC9, 0x28, 0x33, 0xEA, 0xF4, 0xD9, 0xDB, 0x77, 0xB8, 0x49, 0x1B, 0x79, 0xF5, 0xFD, 0x3E, 0xA2, 0xDE, 0x17, 0xC4, 0x5E, 0xE5, 0x11, 0xB6, 0x1D, 0x86, 0xF9, 0x90, 0x78, 0x8A, 0x14, 0x12, 0xB1, 0xC2, 0x21, 0xF1, 0x02, 0x58, 0xA1, 0x23, 0x0C, 0xAD, 0xA5, 0x50, 0x48, 0x1E, 0x6D, 0xF8, 0x96, 0x9D, 0x19, 0x00, 0xBD, 0x26, 0xCE, 0xA7, 0x24, 0x2E, 0x39, 0x7B, 0xFA, 0x5F, 0xCC, 0x1A, 0x0B, 0x40, 0x0F, 0x4B, 0x82, 0xE2, 0x97, 0x10, 0x2A, 0xFC, 0x3B, 0xB2, 0x66, 0x27, 0x54, 0x07, 0xE3, 0x08, 0xA3, 0xA6, 0xED, 0x62, 0x13, 0x9C, 0x20, 0x01, 0x92, 0xE8, 0xAE, 0xBE, 0xE1, 0x0A, 0x41, 0x94, 0x80, 0xA9, 0x2F, 0x29, 0x70, 0x35, 0x16, 0xF7, 0x6B, 0xFE, 0x9E, 0x0D, 0xD3, 0x7F, 0x1F, 0xA0, 0x32, 0xD2, 0x52, 0x05, 0x76, 0x89, 0x9B, 0x7A, 0x8F, 0x99, 0xEF, 0xCF, 0x51, 0x0E, 0xEC, 0x59, 0x5C, 0x37, 0xD5, 0x8E, 0x31, 0x34, 0x2D, 0x93, 0x25, 0x1C, 0xC8, 0x5B, 0x47, 0x9F, 0x03, 0x67, 0x7E, 0x42, 0x7D, 0x3A, 0xAA, 0x57, 0xDA, 0x9A, 0xAB, 0x74, 0x72, 0xE4, 0xB7, 0x5D, 0xCD, 0x87, 0x46, 0x2B, 0x43, 0xF3, 0xD0, 0x85, 0x55, 0xBB, 0xD4, 0xC6, 0x61, 0x56, 0x04, 0x65, 0x7C, 0x88, 0xC3, 0x73, 0xBC, 0xEB, 0xDD, 0x4D, 0xE0, 0xE6, 0xC0, 0x63, 0x8D, 0xF2, 0x81, 0xF6, 0xA8, 0x3D, 0x3F, 0xA4, 0xE9, 0x4A, 0xB5, 0xF0, 0xCA, 0x8B, 0x2C, 0xD7, 0xAC, 0xC5, 0xC1, 0xBF, 0x53, 0xD1, 0x6F, 0x06, 0xE7, 0xD6, 0x09, 0x95, 0x44, 0x71, 0xB9, 0x83, 0x4C, 0x22, 0xAF, 0xB4, 0x75, 0x36, 0x30, 0xCB, 0xEE, 0x91, 0x45, 0x8C, 0x4E, 0x6E, 0x6C, 0x4F, 0x84, 0xBA, 0xFF, 0x64, 0xB3, 0x60, 0xFB, 0xB0, 0x18, 0xD8, 0xDF, 0x3C, 0x68, 0xDC, 0x69]
  for i in range(len(num)):
    for j in range(len(byte_423780)):
      if(byte_423780[j] == num[i]):
        num[i] = j
        break
  return num
def find_29(num):
  byte_423D80 = [0xD1, 0x9C, 0x68, 0xC0, 0x13, 0xAC, 0x48, 0x32, 0xA3, 0xBA, 0x4C, 0xE7, 0x6D, 0xC8, 0x1C, 0xAB, 0xE2, 0x7A, 0x42, 0xE1, 0x7B, 0x16, 0x67, 0x03, 0xAE, 0x7E, 0xAA, 0x38, 0x22, 0x02, 0x39, 0x51, 0xC7, 0x79, 0xD7, 0xCB, 0xEF, 0x62, 0x98, 0xDC, 0x53, 0x72, 0x89, 0xA5, 0x4B, 0xC6, 0x86, 0xF6, 0xFC, 0x77, 0x5A, 0xF5, 0x2E, 0x3D, 0xB2, 0xFE, 0x59, 0x27, 0x80, 0x63, 0xDD, 0x1A, 0x12, 0x5E, 0xED, 0xB0, 0xBC, 0xC4, 0x5F, 0x11, 0xC9, 0x09, 0xC5, 0x75, 0x96, 0x0A, 0x2F, 0x00, 0x17, 0x81, 0x14, 0x47, 0xBB, 0x9D, 0x8E, 0x3C, 0xD6, 0xA1, 0xE0, 0xA2, 0x26, 0x5D, 0x08, 0x6E, 0x4E, 0xF1, 0xCF, 0x73, 0x8A, 0x90, 0x0B, 0xB3, 0x3E, 0xB6, 0x1F, 0xC3, 0xB7, 0xDA, 0x8D, 0x05, 0xEE, 0x18, 0x93, 0x3A, 0x6A, 0x8C, 0x43, 0x8F, 0xEB, 0xE9, 0x5B, 0x29, 0x37, 0x1E, 0x46, 0x33, 0x31, 0xFB, 0x35, 0x34, 0x61, 0x04, 0x0E, 0x2B, 0x74, 0xF9, 0x8B, 0x2C, 0x20, 0x0C, 0x7C, 0x28, 0x5C, 0xCA, 0xE6, 0x6B, 0xD8, 0x30, 0xE4, 0x21, 0x44, 0x70, 0x06, 0xA6, 0x60, 0x41, 0x84, 0x10, 0x95, 0x4F, 0x64, 0x83, 0xD2, 0x9A, 0xBE, 0xAF, 0x9F, 0x07, 0xC1, 0xB8, 0x3B, 0x65, 0xCC, 0x57, 0xB5, 0xD9, 0x92, 0xDE, 0x0D, 0xE3, 0xF3, 0xA4, 0xBD, 0x6F, 0xD3, 0x25, 0x88, 0x71, 0xFF, 0xA9, 0x36, 0xB1, 0x78, 0x24, 0x69, 0xAD, 0x19, 0xBF, 0xFD, 0xCD, 0x4A, 0xEA, 0x87, 0x91, 0xA8, 0x66, 0x82, 0x50, 0x0F, 0x99, 0x45, 0xF2, 0xD5, 0x9B, 0x94, 0x7D, 0xCE, 0xDB, 0xB9, 0x52, 0xE5, 0xF4, 0x01, 0x7F, 0xD4, 0x15, 0x2D, 0x3F, 0x1D, 0xA7, 0xC2, 0xFA, 0x40, 0xE8, 0xA0, 0x55, 0x6C, 0xF7, 0x1B, 0x58, 0x85, 0x56, 0x9E, 0xEC, 0x97, 0x23, 0xF0, 0x4D, 0xD0, 0xF8, 0x2A, 0x49, 0xB4, 0x76, 0x54, 0xDF]
  for i in range(len(num)):
    for j in range(len(byte_423D80)):
      if(byte_423D80[j] == num[i]):
        num[i] = j
        break
  return num

if __name__ == "__main__":
    # z3_decode1()
    # z3_decode2()
    num = [0x23, 90, 45, 1, 51, 43, 42, 186, 51, 72, 179, 186, 51, 113, 43, 114, 72, 186, 42, 51, 45, 71, 51, 42, 186, 25, 186, 42, 114, 11, 124, 209, 51, 0x21]
    num[1:33] = find_29(num[1:33])
    num[1:33] = find_23(num[1:33])
    num[1:33] = find_19(num[1:33])
    num[1:33] = find_17(num[1:33])
    num[1:33] = find_13(num[1:33])
    num[1:33] = find_11(num[1:33])
    num[1:33] = find_07(num[1:33])
    num[1:33] = find_05(num[1:33])
    num[1:33] = find_03(num[1:33])
    num[1:33] = find_02(num[1:33])

    print("".join(chr(num[i]) for i in range(len(num))))

babyimg

  • bmp图片二进制格式

对bmp图片进行处理

image-20221129163141595

获取bmp图片的像素信息(GetPixels函数)

image-20221129163243210

对像素信息进行加密(encode函数)

对像素信息进行异或加密

image-20221129163446465

将图片的像素的长宽位置替换并水平对称

image-20221129163739204

将像素信息写入新的图片

image-20221129163842735

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
from PIL import Image

filename = 'flag.enc.bmp'

im = Image.open(filename)
width,height= im.size[0],im.size[1]
# print("width:"+str(width))
# print("height:"+str(height))
pixels = []
for h in range(height):
    for w in range(width):
        pixels.append(list(im.getpixel((h,w))))
# print(pixels)
for size in range(width * height - 1, -1, -1):
    if size == 0:
        pixels[size][0] ^= 0xFE
        pixels[size][1] ^= 0xDC
        pixels[size][2] ^= 0xBA
    else:
        pixels[size][0] ^= pixels[size - 1][0]
        pixels[size][1] ^= pixels[size - 1][1]
        pixels[size][2] ^= pixels[size - 1][2]
for size in range(width * height):
    pixels[size][0], pixels[size][1], pixels[size][2] = pixels[size][2], pixels[size][0], pixels[size][1]
for h in range(height):
    for w in range(width):
        im.putpixel((w,h),tuple(pixels[(width - w - 1) + h * width]))
im.save('flag.bmp')

flag

BadSecret

没看懂,等一手达不溜批

Reference