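The main task is to construct the 0x2A bytes at 408ede.
The first byte must be 0x2D, the second-to-last byte must be 0x36, and the third-to-last byte must be 0x31.
Beyond that, this 0x2A-byte buffer has to satisfy several conditions: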
1\
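Search 408ede for the character 0x2E.
The first position after the 0x2E is saved on the stack; call it position A.
Then search for 0x2D starting from position A.
The first position after the '-' is position B, which is kept in EDX.
The string between position A and position B is copied to 408321.
408321 is passed to sub401c51 as the first argument; the second argument is [408824] == 431A.
I wrote a loop to find a suitable pair of values, namely
The loop yields many solutions; pick one with eax==431a431a, and the corresponding i is the string to use.
For example, I ended up with i == 968768946,
so the string is 39 36 38 37 36 38 39 34 36,
which in 408ede is 2e 39 36 38 37 36 38 39 34 36 2d.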
2\
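Search 408ede for 0x5F and call it position C. The string between position B and position C must satisfy the following:
its length is 6, and the ASCII value of the 4th character equals the sum of the 6 characters taken as numeric values (for those greater than 0xXX, 0x37 is subtracted as well).
There are many possible choices; I picked
35 35 35 41 5D 32
5D - 0x37 = 0x26
0x26 + 5+5+5+0xA+2 = 0x41 (which is exactly 'A')
3\
Search 408ede for 0x5D and call its position D. Everything from the third byte of 408ede up to the 0x5D is copied.
Of the first 16 bytes, the first 8 are copied to 40846d and the last 8 to 40856d.
These 16 characters must be within a~f, A~F, 0~9. Then
each group of 8 is converted into one DWORD.
For example, 0x31 0x41 0x31 0x31 0x31 0x31 0x31 0x42
is converted into the DWORD 1A11111B.
These two DWORDs take part in the computation in sub_4020ac, which produces two DWORDs stored at 40884E and 408852.
Those two results are then compared with e43f955c and f19714bb respectively; if they are equal the jump is not taken, and the check finally succeeds.
So the computation in sub_4020ac is the key.
This process uses a large block of data starting at 409240. My experiments showed that, with the same user name, changing the 16 characters discussed above has no effect on this block. The block is produced in the function sub_401fa9; exactly how it is produced does not matter.
After studying it I found that the algorithm in sub_4020ac is invertible. I dumped that block of data, wrote the inverse algorithm, and worked backwards from the two correct DWORDs e43f955c and f19714bb to the correct initial values:
31 44 45 30 32 41 31 38 44 42 33 37 39 43 34 41 are the 16 correct initial characters.
The forward algorithm is: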
EAX == XX
EDX == YY
begin:
eax ^= constant_a
esi = f(eax)
edx ^= esi
xchg eax,edx
jmp begin   (executed 16 times)
The inverse algorithm is:
.
The code for the reverse computation is also in damnit.cpp, inside DAMN.
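Why a loop of this shape can always be run backwards, whatever f is: each round only XORs one half with a value derived from the other half, so undoing the steps in the opposite order restores the input. The C sketch below is an added example, not the author's damnit.cpp; the round function and table layout follow the notes on sub_4020ac, while the table contents are constructed from a xorshift generator instead of being dumped from 409240, and the names forward, inverse and f are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define ROUNDS 16

/* Constructed stand-ins for the block at 409240: 18 round constants followed
 * by four 256-entry tables. These are NOT the crackme's values. */
static uint32_t P[ROUNDS + 2];
static uint32_t S[4][256];

static uint32_t xorshift32(uint32_t *x)
{
    *x ^= *x << 13;
    *x ^= *x >> 17;
    *x ^= *x << 5;
    return *x;
}

/* Fill the constants and tables; any values work for the round-trip argument. */
static void fill_tables(uint32_t seed)
{
    uint32_t x = seed ? seed : 1u;
    for (int i = 0; i < ROUNDS + 2; ++i) P[i] = xorshift32(&x);
    for (int t = 0; t < 4; ++t)
        for (int i = 0; i < 256; ++i) S[t][i] = xorshift32(&x);
}

/* Round function from the notes, with EAX == AA BB CC DD:
 * ((T1[AA] + T2[BB]) ^ T3[CC]) + T4[DD]  (the shape of a Blowfish round).
 * f itself does not need to be invertible. */
static uint32_t f(uint32_t v)
{
    uint32_t aa = v >> 24, bb = (v >> 16) & 0xff, cc = (v >> 8) & 0xff, dd = v & 0xff;
    return ((S[0][aa] + S[1][bb]) ^ S[2][cc]) + S[3][dd];
}

/* Forward direction as described: constants are used from the last one
 * down to P[2], then EAX ^= P[1] and EDX ^= P[0]. */
static void forward(uint32_t *x, uint32_t *y)
{
    uint32_t eax = *x, edx = *y, t;
    for (int i = ROUNDS + 1; i >= 2; --i) {
        eax ^= P[i];
        edx ^= f(eax);
        t = eax; eax = edx; edx = t;      /* xchg eax, edx */
    }
    eax ^= P[1];
    edx ^= P[0];
    *x = eax; *y = edx;
}

/* Inverse: undo the final XORs, then undo each round in reverse order
 * (swap back, remove f(eax) from edx, remove the constant from eax). */
static void inverse(uint32_t *x, uint32_t *y)
{
    uint32_t eax = *x ^ P[1], edx = *y ^ P[0], t;
    for (int i = 2; i <= ROUNDS + 1; ++i) {
        t = eax; eax = edx; edx = t;
        edx ^= f(eax);
        eax ^= P[i];
    }
    *x = eax; *y = edx;
}

/* 1 if inverse(forward(x, y)) gives back (x, y) for tables built from seed. */
int round_trip_ok(uint32_t seed, uint32_t x, uint32_t y)
{
    uint32_t a = x, b = y;
    fill_tables(seed);
    forward(&a, &b);
    inverse(&a, &b);
    return a == x && b == y;
}

/* 1 if the forward pass actually changes the block. */
int forward_differs(uint32_t seed, uint32_t x, uint32_t y)
{
    uint32_t a = x, b = y;
    fill_tables(seed);
    forward(&a, &b);
    return a != x || b != y;
}

int main(void)
{
    uint32_t a = 0x1DE02A18u, b = 0xDB379C4Au;   /* sample input block */
    fill_tables(0x1234567u);
    forward(&a, &b);
    printf("forward : %08X %08X\n", (unsigned)a, (unsigned)b);
    inverse(&a, &b);
    printf("inverse : %08X %08X\n", (unsigned)a, (unsigned)b);
    return 0;
}
```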
The final correct 0x2A-byte serial is then
0x2d,0x31,0x31,0x44,0x45,0x30,0x32,0x41,0x31,0x38,0x44,0x42,0x33,0x37,0x39,0x43,0x34,0x41,0x31,0x5d,0x2e,0x39,0x36,0x38,0x37,0x36,0x38,0x39,0x34,0x36,0x2d,0x35,0x35,0x35,0x41,0x5d,0x32,0x5f,0x31,0x31,0x36,0x31,0x0
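The last step is to convert this back into the characters that are typed in.
See the code enclosed by the FUCK1 macro, and sub_401981 and sub_4019EC in 分析过程.txt (the analysis notes).
That gives the final result: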
aaaaaa
Ljq4i,UiAq_2N)bkD3qxV]YWGoxpO(eTEn0xMBTPFj
It finally worked.
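The conversion between the typed serial and the buffer at 408ede, written out in both directions as an added example (not the author's damnit.cpp): decode_serial follows the notes on sub_401a23, sub_401981 and sub_4019EC, and encode_serial is its inverse. The function names and the rejection of characters outside the table are assumptions; the table and the 8-character key are the ones quoted in the notes.

```c
#include <stdio.h>
#include <string.h>

/* Table stored at 407012 and the first 8 characters of the string at 40725C. */
static const char TABLE[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890.-_()[],&";
static const char KEY8[] = "S29zdHlh";
#define TABLE_LEN 0x47

/* sub_401981 as described: 1-based index of c in the table (0 if absent). */
static int index1(char c)
{
    const char *p = c ? strchr(TABLE, c) : NULL;
    return p ? (int)(p - TABLE) + 1 : 0;
}

/* What the crackme does: typed serial -> contents of 408ede.
 * Returns 0 on success, -1 on a character outside the table or a short buffer. */
int decode_serial(const char *typed, char *out, size_t outsz)
{
    size_t n = strlen(typed);
    if (n + 1 > outsz) return -1;
    for (size_t i = 0; i < n; ++i) {
        int s = index1(typed[i]);
        int k = index1(KEY8[i % 8]);       /* key repeated over the serial */
        if (s == 0) return -1;
        int v = s - k - 1;                 /* AL = AL - DL - 1 */
        if (v < 0) v += TABLE_LEN;         /* negative result: add 0x47 */
        out[i] = TABLE[v];                 /* sub_4019EC: value used as 0-based index */
    }
    out[n] = '\0';
    return 0;
}

/* Inverse: wanted contents of 408ede -> serial to type. */
int encode_serial(const char *wanted, char *out, size_t outsz)
{
    size_t n = strlen(wanted);
    if (n + 1 > outsz) return -1;
    for (size_t i = 0; i < n; ++i) {
        int d = index1(wanted[i]);
        if (d == 0) return -1;
        int k = (d - 1) + index1(KEY8[i % 8]) + 1;   /* 1-based index to type */
        if (k > TABLE_LEN) k -= TABLE_LEN;
        out[i] = TABLE[k - 1];
    }
    out[n] = '\0';
    return 0;
}

/* 1 if typed decodes to buffer and buffer encodes back to typed. */
int roundtrip_matches(const char *typed, const char *buffer)
{
    char a[128], b[128];
    if (decode_serial(typed, a, sizeof a) != 0) return 0;
    if (encode_serial(buffer, b, sizeof b) != 0) return 0;
    return strcmp(a, buffer) == 0 && strcmp(b, typed) == 0;
}

/* 1 if decode_serial refuses the input. */
int decode_rejects(const char *typed)
{
    char a[128];
    return decode_serial(typed, a, sizeof a) != 0;
}

int main(void)
{
    char buf[128];
    /* Serial and buffer are the values given in the write-up. */
    if (decode_serial("Ljq4i,UiAq_2N)bkD3qxV]YWGoxpO(eTEn0xMBTPFj", buf, sizeof buf) == 0)
        printf("408ede: %s\n", buf);
    if (encode_serial("-11DE02A18DB379C4A1].968768946-555A]2_1161", buf, sizeof buf) == 0)
        printf("serial: %s\n", buf);
    return 0;
}
```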
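Below are my notes from the analysis, in execution order:

namelen >=5 <=0x180
408ade name
408820 namelen
408bde serial
40882c seriallen

sub_4018AF---------------------
arg4 408956 S29zdHlhS29zdHlhS29zdHlhS29zdHlhS29zdHlhS2
arg3 40725C S29zdHlhOiBTaW1wbHkgYnV0IGVhc3kgaW4gQmFzZTY0IDop
arg2 8
arg1 408bde 111111111111111111111111111111111111111111
Gets the length of arg1 and stores it in the global 40883A.
Puts the first 8 characters of arg3 into the first 8 of arg4.
Sure enough, it simply repeats the first 8 characters of arg3 into arg4, with the length of arg1 as the count.
In the end the global 40883A becomes 0.

sub_401a23------------------------------
arg1 408956 S29zdHlhS29zdHlhS29zdHlhS29zdHlhS29zdHlhS2
arg2 408bde 111111111111111111111111111111111111111111
arg3 408fde a buffer, empty on entry
For each pair of characters from arg2 and arg1, sub_401981 is called on each of them; the return values are stored at 408830 and 408831, then loaded into AL and DL, after which AL=AL-DL-1.
EAX is then compared with 0x47; if it is less than or equal, it is stored in the corresponding byte starting at 408fde.
If EAX is greater than 0x47, AL is negative at this point, so 0x47 is added to EAX, which makes it positive and less than 0x47, and then it is stored.
It seems that when AL is positive it can never be greater than 0x47.

sub_401981:----------------------------------------------
arg1: a single character
Uses the string stored at 407012:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890.-_()[],&
Looks arg1 up in this table to get the index of the character in the table; the index starts at 1.
The return value is this index.

sub_4019EC:_____________________________________
arg1: 40882C is seriallen
arg2: 408fde the final result of sub_401a23
arg3: 408ede empty on entry
The value of each byte of 408fde is used as an array index; the byte found at 407012[index] is placed in the corresponding byte starting at 408ede.
----408EDE: the most important string
--------------------------------------------------
After returning from sub_4019EC:
Search 408ede for the character 0x2E (.).
The first position after the 0x2E is saved on the stack, position A.
Then search for 0x2D, i.e. '-', starting from position A.
The first position after the '-' is position B, kept in EDX.
The string between position A and position B is copied to 408321.
Then 0x2D is searched for again starting from 408ede+1; the value here should be position B (no wonder it needs the +1, since the first byte is 2D).
Then 0x5F is searched for from 408ede; the first position after it is called position C.
The string between position B and position C is copied to 408341.

sub401c51___________________________________________ must return 1
arg1: 408321
arg2: [408824] ==> 431A
The string at 408321 must be 968768946   431A431A
___________________________________________________
After returning from sub401c51:
The string starting at 408341:
For the first 6 characters, digits are added up and letters are summed after subtracting 0x37, so for uppercase letters this is exactly the hexadecimal sum.
The string at 408341 must have length 6.
The ASCII value of the 4th character must equal the sum of the 6 characters computed above.

The second-to-last character of 408ede must be '6' and the third-to-last must be '1'.
The byte [408320] must be 0.

sub_402189_______________________ return value must be nonzero
arg1: 408ede
Finds 0x5D in 408ede, position A.
Copies from the third character of 408ede up to this 0x5D to 408361.
Then the length of this string is stored at 408461.
Then for each character of this string:
if BL>=0x30 jump, BL<=0x39 jump
Whatever the input, this piece of code always jumps ahead.
The 8 characters at 408361 are copied to 40846D.
The 8 characters starting at 408361+8 are copied to 40856D.
Then sub_402254 is called once with each of the two strings 40846D and 40856D as its argument; the return values are stored at 408846 and 40884A.
Then it returns 1 and the function completes successfully.

sub_402254___________________________________________
arg1: address of a string of length 8
For each character of the string, e.g. 12345678:
If it is all digits, the return value is the number 12345678.
If it is not a digit, then after subtracting 0x57 from its ASCII value
Experiments show that 1~9, A~F and a~f are all converted to the corresponding digit; letters may be upper or lower case.
For example, for '123154ab' the return value is 123154AB.
__________________________________
After returning from sub_402189, the jnz jumps to 401571 and the final stage of processing begins....

sub_4020ac______________________________________
arg1: 40884e : destination address, receives the final result
arg2: 408846 : the values obtained by sub_402189, two DWORDs
arg1 must end up as e43f955c, arg1+4 must end up as f19714bb
408846 XX
40884A YY
40884E e43f955c
408852 f19714bb
(EAX initially holds XX)
EAX is XORed with the DWORDs starting at [409244+0x40]==[409284], continuing down to [409244+4].
Suppose the result is EAX == AA BB CC DD
[BB*4+409688] + [AA*4+409288]--> esi ---> esi xor [CC*4+409a88] + [DD*4+409e88] ---> esi
EDX = EDX xor esi (EDX initially holds YY)
Then EDX and EAX swap values.
Then it goes back up to the xor; the loop runs 16 times.
On the result, EAX is XORed once more with [409244] and EDX once more with [409240].
Then eax is stored at 408852 and EDX at 40884E.
Remember that 409288 409688 409a88 409e88 form one contiguous range of addresses, each 0x400 apart, 100 DWORDs.
_______________________________________________________________________
sub_401fa9 fills the region [409240,40a288).
The values in this region depend on those two strings.
sub_401fa9 seems to have nothing to do with those two strings... they are fixed values..
Starting at 4072d8, 0x412 DWORDs are moved to 409240.
Starting at 407284, 0x38 BYTEs are moved to 40a288, which is where the previous move ended.
Then 0x25 bytes are moved from 40a288 to 40a2ab.
....damn, anyway there is a pile of processing here...
One last experiment; if it doesn't work, I'm really giving up!!
__________________________________________________________________
Copy all the data starting at 409240 into an array, then work backwards from the final values...
Write a program....
It finally worked!!!!!!!!!!!
The first character of 408ede XOR 0x2c gives 1, so the first character should be 2D.
2A = length 42
aaaaaa
Ljq4i,UiAq_2N)bkD3qxV]YWGoxpO(eTEn0xMBTPFj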
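Some notes on this crackme:
1\ This was a CRACKME from a training course; in the end I worked out a valid registration code pair and won a big bottle of cola.
2\ The analysis was done with the network disconnected.
3\ The three txt files f1, f2 and f3 are what I used to determine whether different inputs produce the same output data block; it turned out that they do.
4\ 分析过程.txt (the analysis notes) is what I recorded as I worked through the analysis in order. 整理报告 (the summary report) was written afterwards, once I had sorted out my thinking.
5\ I feel this CRACKME took me around several clever turns.
The first, simple turn:
Here, XOR EAX,0x1234 is executed 0x10000 times, which is effectively a no-op.
At 4013A2 the jump must be taken, so EAX must equal 0x56003C; from that, the EAX returned by GetDlgTextA must be 0x56003c-0x1000*56 - 0x12=0x2a, which is the password length.
The second turn:
A check inside sub_401c51:
given two initial values, an EAX that satisfies the condition has to be computed.
I wrote a brute-force search in C and got the result.
The third turn:
I found that this algorithm is invertible, and likewise wrote a decryption routine in C.
Below is the code of the calculation program written for this crackme: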
#include <windows.h>
#include <stdio.h>
#include <string.h>

// Brute-force search for the check in sub_401c51 (kept commented out):
//int main()
//{
//	DWORD edx = 0x17, ecx = 0x1b,esi=0;
//	DWORD eax;
//	for (DWORD i = 0; i < 0xffff'ffff; i++)
//	{
//		eax = i;
//		edx = 0x17;
//		ecx = 0x1B;
//
//		while (ecx > 0)
//		{
//			esi = edx;
//			esi <<= ecx;
//			esi *= ecx;
//			esi ^= eax;
//			esi &= 0x7fff'ffff;
//			ecx -= 3;
//			eax = esi;
//		}
//		if (HIWORD(eax) == LOWORD(eax))
//		{
//			printf("%08X", eax);
//			printf(" %d\n", i);
//
//		}
//	}
//
//	return 0;
//}

#define FUCK 1
#if FUCK
int main()
{
	// Required contents of 408ede (0x2A bytes plus terminator)
	BYTE arr[] = { 0x2d,0x31,0x31,0x44,0x45,0x30,0x32,0x41,0x31,0x38,0x44,0x42,0x33,0x37,0x39,0x43,0x34,0x41,0x31,0x5d,0x2e,0x39,0x36,0x38,0x37,0x36,0x38,0x39,0x34,0x36,0x2d,0x35
		,0x35,0x35,0x41,0x5d,0x32,0x5f,0x31,0x31,0x36,0x31,0x0};
	// Table stored at 407012
	const char *szString = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890.-_()[],&";
	int i = 0;
	// Print the 0-based table index of every byte of arr
	while (arr[i] != 0)
	{
		for (int j = 0; j < (int)strlen(szString); ++j)
		{
			if (szString[j] == arr[i])
			{
				printf("%x ", j);
				break;
			}
		}
		++i;
	}
	//3f 34 34 3 4 3d 35 0 34 3b 3 1 36 3a 3c 2 37 0 34 44 3e 3c 39 3b 3a 39 3b 3c 37 39 3f 38 38 38 0 44 35 40 34 34 39 34
	//3f 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 34 44 3e 3c 39 3b 3a 39 3b 3c 37 39 3f 38 38 38 00 44 35 40 34 34 39 34
	//13 36 3d 34 1e 08 26 22 13 36 3d 34 1e 08 26 22 13 36 3d 34 1e 08 26 22 13 36 3d 34 1e 08 26 22 13 36 3d 34 1e 08 26 22 13 36 3d 34 1e 08 26 22
	// If the column sum above + 1 is > 0x47, subtract 0x47 from the sum, otherwise keep it;
	// the result is the index (1-based) in the table of the character to type.
	int arrxxx[] = {0x3f,0x34,0x34,0x03,0x04,0x3d,0x35,0x00,0x34,0x3b,0x03,0x01,0x36,0x3a,0x3c,0x02,0x37,0x00,0x34,0x44,0x3e,0x3c,0x39,0x3b,0x3a,0x39,0x3b,0x3c,0x37,0x39,0x3f,0x38,0x38,0x38,0x0,0x44,0x35,0x40,0x34,0x34,0x39,0x34};
	int arryyy[] = { 0x13,0x36,0x3d,0x34,0x1e,0x08,0x26,0x22,0x13,0x36,0x3d,0x34,0x1e,0x08,0x26,0x22,0x13,0x36,0x3d,0x34,0x1e,0x08,0x26,0x22,0x13,0x36,0x3d,0x34,0x1e,0x08,0x26,0x22,0x13,0x36,0x3d,0x34,0x1e,0x08,0x26,0x22,0x13,0x36 };
	for (int i = 0; i < 0x2a; ++i)
	{
		int k = arrxxx[i] + arryyy[i] + 1;
		if (k <= 0x47)
		{
			printf("%c", szString[k-1]);
		}
		else
		{
			printf("%c", szString[k - 0x47-1]);
		}
	}
	//L jqhL9TPAjqhL9TPAjq xV]YWGoxpO(eTEn0xMBTPFj
	//Ljq4i,UiAq_2N)bkD3qxV]YWGoxpO(eTEn0xMBTPFj
	return 0;
}
#endif

// Extract one byte of a DWORD (BYTE1 is the most significant byte)
#define BYTE1(para) (DWORD)(((para)&0xff00'0000)>>24)
#define BYTE2(para) (DWORD)(((para)&0x00ff'0000)>>16)
#define BYTE3(para) (DWORD)(((para)&0x0000'ff00)>>8)
#define BYTE4(para) (DWORD)(((para)&0x0000'00ff)>>0)

#define DAMN 0
#if DAMN
BYTE arr[] = {
0x3B,0xF0,0x98,0xEF,0x4D,0x37,0xF1,0xC6,0x93,0x1A,0x57,0x75,0x30,0x72,0xF2,0x5B,
0x98,0x4E,0x99,0x64,0x4C,0xF0,0x08,0x84,0x3D,0xC0,0x69,0xAA,0xDF,0xD8,0x1A,0xB8,
0xC8,0xF7,0x31,0x6A,0x8B,0x1C,0x4A,0x56,0xCF,0xB3,0xC0,0x45,0x8A,0x97,0xDC,0xB4,
0x12,0x8E,0x23,0xA1,0xEC,0xEE,0x3D,0x3B,0xE3,0x7F,0xB1,0x79,0xD1,0xE2,0x93,0xEC,
0x24,0x0C,0x33,0xE1,0x2D,0x35,0xEA,0x6E,0x7C,0x2B,0x6B,0x6E,0x41,0xA9,0xBE,0xE6,
0xA5,0xA5,0x4E,0xCE,0xF2,0x90,0xD5,0x2E,0x40,0xF3,0x8C,0xEF,0xB6,0x52,0x1B,0xCD,
0x00,0x52,0x6E,0xE1,0x9C,0x64,0x99,0x40,0xC8,0xB8,0x08,0x6C,0x3A,0xE7,0xF8,0x68,
0xEA,0x08,0x0F,0x84,0x9A,0x20,0xA7,0x43,0x4E,0xDE,0x56,0x89,0x0A,0xCD,0xB0,0xDA,
0xC2,0xF5,0x5B,0x22,0x58,0x1D,0x91,0x8C,0xFB,0x66,0x54,0xA4,0x9F,0xBF,0x71,0x94,
0x9D,0x76,0x14,0x73,0xD3,0x6F,0x53,0xE0,0xB7,0xB3,0xD7,0x64,0x15,0x02,0x63,0xB1,
0x6F,0x72,0xEE,0xF9,0x94,0x99,0x57,0xC0,0x95,0x5D,0x62,0xEC,0x85,0xFA,0xB6,0x5B,
0x63,0x2E,0xE3,0xF2,0x61,0x3B,0xA3,0x93,0xAD,0x7D,0xFD,0x4E,0x36,0x00,0x27,0x2F,
0xF4,0x75,0xFA,0x6F,0x18,0xEF,0x3E,0x82,0x5F,0xA9,0x59,0x2A,0x45,0x28,0x9F,0x8E, 0x72,0xA1,0x00,0x73,0x6F,0xF9,0x9D,0xB3,0x58,0x6E,0x49,0x1F,0x10,0x3B,0x53,0xCC, 0x82,0xCB,0x55,0x76,0x86,0x51,0xAB,0x8A,0x89,0x08,0xA8,0x24,0xD3,0xF7,0x10,0xCF, 0xA9,0x28,0x7D,0x8C,0xF5,0x9F,0x29,0x96,0x9C,0x64,0x3B,0xD1,0x17,0x4E,0xEC,0xF6, 0x79,0x24,0x09,0x5A,0x9B,0x89,0x36,0x5C,0xEB,0x55,0x60,0x8B,0x38,0x1E,0x72,0x7F, 0x7B,0xBB,0x8D,0x6F,0xC7,0xA3,0x60,0x32,0x48,0x54,0xBB,0x22,0x0F,0x4B,0x37,0x92, 0x43,0x52,0xAD,0xA4,0x67,0xD3,0xAE,0x3C,0x3A,0xAF,0xAC,0x2C,0x58,0x73,0x50,0xC2, 0x92,0xA6,0x0A,0xE4,0x6C,0xA7,0xDD,0x7C,0x09,0x2B,0xB3,0xBA,0xF9,0xB8,0x60,0x7F, 0xF3,0x10,0x0B,0x16,0xB1,0x1F,0x62,0x28,0x69,0xB0,0x07,0xB9,0x23,0x6E,0x94,0x97, 0xFE,0xAB,0xC9,0xE6,0x1A,0x34,0x89,0xB1,0x91,0x74,0xFD,0x0C,0x12,0xD2,0x2C,0x49, 0x2C,0xA3,0xE5,0x8C,0x6D,0x6A,0x6F,0xF4,0x1E,0x91,0x79,0xCE,0xE3,0x1A,0x12,0x14, 0x29,0x98,0x20,0xF2,0xF0,0x67,0x75,0xFD,0xA7,0xAA,0xCB,0x11,0x60,0x0F,0x8E,0x81, 0x6E,0x05,0x18,0xB0,0x94,0xC7,0xE3,0xEF,0xBD,0xF6,0x08,0xA2,0xC5,0xAE,0x44,0xFE, 0x17,0x79,0x9B,0xEC,0x88,0x96,0xD0,0x38,0xF2,0x3A,0x6A,0x3C,0x7A,0x82,0x98,0xE1, 0x97,0xBA,0xBC,0x40,0xC8,0xF2,0x27,0x24,0x1F,0xCF,0xA9,0xDE,0xEF,0xEE,0x49,0x8B, 0x23,0x3A,0xC9,0x02,0xB5,0xBD,0x5E,0x99,0x1F,0xCF,0x30,0x0F,0xAB,0x0B,0x01,0xA6, 0x86,0x10,0x5A,0xCC,0x02,0xCD,0xA3,0x21,0x5C,0x53,0x07,0xF3,0xF7,0x86,0x9B,0x1E, 0xC4,0x80,0x63,0x90,0x9A,0x97,0xA3,0xC6,0xAD,0xCE,0xAF,0x11,0x69,0x60,0xA9,0x18, 0xA7,0xF8,0xB5,0xE8,0xC4,0xAB,0xE4,0xD7,0x65,0x96,0x76,0x3A,0xC3,0x30,0x32,0x97, 0x92,0x59,0xD8,0xA9,0x9F,0x82,0x4B,0x24,0x51,0x0E,0x24,0xCD,0x2D,0x64,0x52,0xA3, 0x20,0xD2,0x7D,0xA9,0xF0,0x05,0x60,0xB9,0x69,0x8A,0xFC,0xC2,0x5F,0x47,0x0C,0x11, 0x7E,0x4D,0x5B,0x6A,0xEE,0x7B,0xF1,0xCC,0x84,0x47,0x14,0x84,0x28,0xC2,0xCC,0xD5, 0x96,0x71,0x72,0x92,0x9F,0x60,0x86,0x75,0x2D,0x61,0x89,0x15,0xE5,0xF8,0x70,0xD2, 0x15,0xB6,0x2C,0x09,0xAA,0x07,0xB6,0x9E,0x5A,0x31,0xD5,0x4E,0x80,0x40,0x16,0xBD, 
0x5A,0xEE,0x94,0xBA,0x5B,0xE9,0x91,0x2B,0x10,0x14,0xC6,0x9F,0x6D,0x5D,0x42,0xDC,
0x0B,0xF4,0xE4,0x37,0x20,0x3D,0xE2,0x66,0x97,0x56,0xDE,0x3B,0x19,0xAA,0x97,0x25,
0x4D,0x43,0x0A,0x13,0x9E,0xF2,0x83,0xC2,0x21,0x3E,0x65,0x2F,0x6C,0xF9,0x12,0xC4,
0x95,0xD6,0xDF,0x63,0xD4,0x24,0xF9,0x66,0x48,0xFA,0x31,0xB5,0x59,0x5C,0xFA,0x7A,
//unknown character 0x02, what the hell is this 0x02,0xA3,0x0B,0x94,0xFD,0x53,0x2C,0x25,0xDF,0x36,0xD1,0xDE,0x67,0xF4,0x30,0xAB,
0x02,0xA3,0x0B,0x94,0xFD,0x53,0x2C,0x25,0xDF,0x36,0xD1,0xDE,0x67,0xF4,0x30,0xAB,
0xFE,0xDB,0xFA,0x11,0xE8,0x76,0xC3,0x71,0x74,0xC6,0x4F,0x75,0xFE,0x66,0x3B,0xB8,
0x6E,0x37,0x90,0xF7,0xE2,0xD5,0x62,0x67,0x57,0x8A,0xE5,0x47,0x4B,0xEC,0xEE,0xED,
0xD8,0xED,0x9E,0x40,0x23,0x7E,0xD3,0x56,0x01,0x8A,0x4D,0xBF,0xA6,0xCD,0xDF,0xFA,
0x25,0x24,0xE0,0x44,0x4C,0x95,0x53,0xCA,0xA3,0x33,0x11,0x1B,0xD3,0xED,0x32,0xAB,
0x3F,0x1B,0x17,0xBE,0x5D,0xFE,0x67,0xEF,0x6E,0x0D,0xF8,0x58,0xAD,0x32,0x3F,0x04,
0x3C,0xB2,0x2C,0x25,0xD2,0xB1,0x4F,0x51,0x8C,0x48,0x20,0x19,0xB1,0xE6,0x4A,0xC2,
0xE2,0x7A,0xB6,0x4C,0x10,0xD6,0xBD,0xDA,0x41,0xD3,0xB3,0x1A,0x82,0x85,0x7F,0xD1,
0x52,0xC1,0x63,0xCF,0x36,0x93,0x53,0x09,0x78,0xCE,0xA3,0xEA,0x06,0x7D,0xC1,0x0D,
0x1B,0xAB,0x57,0x1D,0x19,0xA2,0x22,0x91,0x15,0xD6,0xFC,0x72,0xF8,0x2F,0x76,0xF7,
0x5D,0x87,0x38,0xA5,0x6D,0x6E,0x99,0xD8,0x43,0x16,0xAA,0x85,0xDA,0x8E,0x54,0x3B,
0x5F,0x6D,0x09,0x35,0x66,0xC2,0x58,0xF4,0x5F,0x84,0x53,0xAB,0x7C,0x2F,0x55,0x30,
0xA5,0x8E,0xD0,0x33,0x31,0x34,0x19,0xD0,0x64,0x3D,0x23,0x9A,0x24,0x3A,0x48,0x36,
0xB0,0xA0,0xB8,0x2D,0xBF,0x42,0x4E,0xE6,0x3B,0x4E,0x1B,0xC0,0x34,0xBB,0xAB,0xCA,
0x9F,0x91,0xA4,0xCE,0x9A,0xC2,0xC2,0x7E,0x35,0xFA,0xE0,0x22,0xB5,0xAD,0xC0,0x2E,
0x2F,0x41,0x69,0xAC,0x42,0x25,0x2D,0x21,0xE2,0x62,0xEB,0xDA,0x27,0x68,0x5D,0x35,
0xC3,0x3C,0x79,0xE8,0xD5,0x2B,0x87,0x5E,0x99,0x8C,0x69,0xB8,0x29,0x41,0x59,0x7D,
0x2F,0x7D,0x8E,0x24,0x18,0x3E,0x3F,0x6A,0xAB,0xDD,0x92,0xEA,0xCA,0xBF,0xCD,0xBC,
0x76,0x82,0xA1,0x61,0x73,0x5B,0x63,0x00,0xD4,0x4B,0xC4,0xA8,0xDF,0xA3,0x93,0x02,
0xE4,0x95,0x5C,0xE9,0x35,0xA2,0xF6,0xC3,0xC9,0x2C,0x6F,0x0F,0xC0,0xF1,0x7C,0x29, 0x41,0x80,0x70,0x80,0xC5,0x18,0x84,0x81,0x2A,0x24,0x8E,0x34,0xAB,0xC6,0x4D,0xA4, 0x87,0x4A,0xE1,0xD5,0xEA,0x87,0x36,0x0E,0xF8,0xF2,0xA6,0x6B,0x2B,0x02,0x13,0x45, 0xD8,0x42,0xFC,0x7C,0xBA,0x1B,0xAF,0xBC,0x1A,0x9F,0x48,0x6B,0x1C,0x38,0x3D,0x58, 0x1E,0x06,0xBF,0xD9,0x76,0xF7,0x8F,0xC2,0xD2,0x36,0xCC,0x59,0x46,0x96,0xAB,0x6E, 0x10,0x1C,0x5A,0x24,0x3B,0x2E,0x98,0x0A,0x61,0x4B,0xAF,0xC7,0x89,0xD5,0xF9,0x3B, 0x68,0x8E,0xF9,0xEE,0xA2,0x92,0x86,0xE3,0x6C,0xF9,0xED,0xAE,0x04,0x0E,0x5C,0xF0, 0x1D,0x96,0xD1,0x6C,0xE1,0x64,0xDF,0xC3,0xEC,0xF6,0x23,0x05,0x4A,0x70,0xC4,0xD1, 0x6D,0xF6,0xAC,0x18,0x60,0x6A,0xDE,0x0A,0xA3,0x9E,0x83,0x07,0x75,0x08,0xE4,0x9E, 0xA9,0x89,0x61,0x62,0x56,0x96,0x33,0xEB,0x28,0xD1,0x70,0x27,0x23,0x21,0x4D,0xCF, 0x15,0xBA,0x4D,0xDE,0xC9,0x90,0x57,0x2C,0xB5,0x0C,0x47,0x4A,0xCC,0x6F,0xB6,0x54, 0x6D,0x10,0x74,0xEA,0xBE,0x1B,0x93,0xD2,0xDE,0xFB,0x92,0x57,0x2E,0x21,0x2C,0x86, 0x55,0x24,0x8A,0x76,0xBF,0x0F,0x34,0x64,0xC7,0x18,0x55,0x00,0xCF,0x61,0xA0,0xA2, 0x80,0x82,0x9B,0xEB,0x41,0xDE,0xFD,0x99,0x9C,0xF6,0x0E,0x18,0xF6,0x2E,0x97,0x2A, 0x55,0xEC,0x03,0xAD,0x2D,0xB6,0x41,0x67,0x7E,0xEE,0x4F,0xE8,0xBF,0xC0,0xED,0x2F, 0x1A,0x77,0xD0,0x59,0xFB,0x46,0x8F,0x53,0x99,0x7B,0x81,0x65,0x93,0x80,0x05,0x5C, 0x83,0xC9,0xE4,0xEE,0xF6,0xC3,0x9B,0xB5,0x63,0x9B,0xC9,0x49,0x88,0x80,0xE3,0xD8, 0xD8,0x35,0x25,0x2D,0x18,0x13,0x60,0x40,0x54,0xEF,0x61,0xD1,0xD2,0x4F,0xF4,0x0E, 0x18,0x10,0x67,0x54,0x52,0x01,0x72,0x8E,0x27,0x2A,0x8A,0x1F,0xEA,0x86,0xAD,0xA1, 0xC5,0x20,0xC6,0x51,0xFA,0x67,0x7B,0xB7,0x4B,0xAF,0xDD,0xC6,0x20,0x55,0x56,0x9C, 0x51,0x55,0x23,0x00,0xC2,0x82,0xDF,0x9D,0x66,0xD9,0xCD,0x31,0x00,0xDC,0xAF,0x33, 0x19,0xD9,0xB6,0x9B,0x2D,0x1B,0x68,0x33,0xC3,0x61,0x59,0x82,0xE4,0x87,0xA6,0xE8, 0xB0,0xDA,0x39,0xC6,0xBC,0x69,0x17,0x0C,0x17,0x11,0x7F,0x57,0xE8,0x46,0xBA,0xBD, 0x89,0x4B,0x15,0x66,0xDE,0x59,0x37,0xB3,0xE2,0x53,0x47,0x38,0x97,0xC3,0x17,0x52, 
0x9D,0x89,0xE1,0x79,0x75,0xBA,0x76,0x05,0x79,0xFB,0xAC,0x6E,0x40,0x0F,0x4A,0x99, 0x64,0x24,0x03,0xEA,0x29,0x62,0x01,0x87,0x11,0x49,0xEB,0x98,0xB9,0x4F,0x6A,0xE3, 0x74,0x06,0x61,0x30,0xC9,0x04,0x53,0xA8,0xF7,0x6C,0xCD,0x74,0x78,0x66,0x1A,0x73, 0xF9,0x07,0xF9,0x79,0x78,0xC0,0x1B,0x27,0xBD,0x33,0x96,0x40,0x31,0xA9,0xB2,0x40, 0xB0,0x58,0x2B,0x8F,0x49,0x11,0x7B,0xDD,0x17,0xD2,0xF3,0xB6,0x1A,0x7C,0xF1,0x9C, 0x01,0x38,0x23,0x3D,0xB5,0x8B,0x22,0x3E,0xE2,0xD2,0x0A,0xCF,0x55,0xD2,0x52,0x5D, 0x5A,0x01,0xF1,0xF6,0xE3,0xB7,0xB3,0xCB,0x0C,0x26,0x70,0x38,0x18,0x69,0x62,0x46, 0xA6,0xC7,0x58,0x2A,0xC6,0xD2,0xF4,0x84,0xE8,0xB0,0x8F,0xD8,0x40,0x5F,0x4C,0x33, 0x66,0x41,0xA2,0x72,0x5A,0x55,0xC1,0xC3,0x0A,0xDD,0xD2,0xEF,0x94,0x52,0x56,0xD1, 0xF3,0xA4,0x54,0x17,0xE1,0x53,0x58,0x61,0xE7,0xE8,0xFB,0x1E,0xBD,0x20,0x26,0x27, 0x40,0xDC,0x9A,0xDF,0x9F,0xAA,0x51,0x1C,0xE9,0x69,0x7E,0xC1,0xFA,0x2E,0x20,0xB2, 0x27,0xE2,0xB7,0x34,0x0B,0x12,0x2E,0x86,0xF3,0x4E,0x30,0xE1,0x48,0x50,0xF8,0x8E, 0xAE,0x95,0x11,0xF2,0x0C,0xA8,0x43,0x7A,0x0F,0x77,0x55,0x6D,0x9C,0x71,0x85,0xA8, 0xF8,0x26,0x40,0xB8,0x06,0xBD,0x0C,0x35,0x9B,0xD3,0x1D,0x3F,0xE9,0x78,0x4F,0xCA, 0xC4,0x0D,0xAA,0x28,0x62,0x50,0xD8,0x74,0x77,0xB0,0x16,0xC9,0x81,0xAA,0xEB,0xFA, 0xEF,0x27,0x99,0x2D,0x06,0x8F,0xD8,0x7F,0xB5,0x49,0x88,0xD1,0xC4,0x48,0xB3,0xF8, 0xA5,0x93,0x4A,0xAD,0xC4,0x8C,0xC8,0xD9,0x47,0x13,0x72,0x26,0xC6,0xA5,0x39,0x25, 0x57,0x61,0x72,0xD7,0x98,0xB8,0x21,0x89,0x7F,0x21,0x77,0xEE,0xAA,0x85,0x35,0x72, 0x1E,0x37,0x25,0x37,0xA3,0xF6,0x8D,0xDC,0xAB,0xB9,0xDC,0x90,0x71,0x19,0x9B,0xD2, 0x62,0xB6,0x32,0x42,0xCC,0xF8,0x9F,0x6C,0x5B,0x23,0x7E,0x4D,0x7A,0x0A,0xB8,0xAC, 0xFE,0xE3,0x64,0x69,0xC3,0x1A,0xF3,0xB1,0x3B,0xF0,0xF2,0x6B,0xEC,0x0E,0x58,0x39, 0x1B,0x7C,0x86,0x99,0xAA,0x0D,0x53,0x82,0xCA,0x89,0x16,0xCD,0x1A,0x97,0xAD,0xD6, 0x05,0x24,0x7D,0xEC,0xFD,0x2F,0x49,0x94,0x33,0x2F,0x52,0x30,0xFB,0x68,0x57,0xBB, 0x22,0xCD,0x10,0xAF,0x74,0x5E,0x30,0x01,0x44,0xA5,0x6F,0x1B,0x08,0x21,0x13,0x2C, 
0x84,0x2F,0xC9,0x3C,0x10,0x18,0xF4,0xDB,0x84,0xBC,0x02,0x8A,0xA7,0xD6,0xB0,0x5D, 0x9F,0x38,0x19,0xDB,0xD5,0x1E,0x05,0xB9,0x94,0xF1,0xC9,0xFE,0x04,0x1F,0x86,0xEF, 0xD2,0xF9,0x46,0xE0,0x14,0x58,0x0D,0x25,0x1E,0x70,0xC8,0x94,0xCB,0xD6,0x67,0xCF, 0x81,0x1A,0xEF,0x5D,0xB4,0x2F,0x96,0x36,0xEF,0x5D,0x47,0x1E,0x80,0x5F,0x6A,0x13, 0xDF,0x17,0x24,0xED,0x37,0x4C,0x1B,0xA8,0xCA,0xA8,0xE4,0x30,0x58,0x7D,0x7B,0x24, 0x8E,0x16,0x5F,0x09,0x36,0x5E,0x92,0x59,0x92,0x87,0xA6,0xEF,0xF9,0xCA,0x54,0x3D, 0xE4,0xA8,0x48,0xD6,0xCE,0x6C,0x91,0x18,0x3D,0xE2,0x92,0xDE,0x3B,0x2C,0xE2,0xA3, 0x68,0xB6,0x47,0x9E,0xBD,0x53,0x89,0x1E,0xEB,0x23,0xD2,0x61,0x01,0xB9,0x0D,0x1B, 0x9A,0xF0,0xA3,0xCD,0x2B,0x5B,0xF8,0x2A,0x4C,0x20,0x29,0xBD,0xAA,0xFA,0x36,0x5C, 0xCA,0x20,0xBD,0xA5,0x6C,0x7C,0x4A,0x93,0x32,0x2F,0x6D,0x74,0x25,0x3F,0x46,0xB0, 0x13,0x89,0xAD,0xEB,0xEA,0x8E,0xF3,0xD6,0x80,0x00,0x25,0xC2,0xDB,0x49,0x7D,0x77, 0x0F,0xB3,0x97,0x34,0xFE,0x57,0x55,0xC7,0x41,0xB5,0xB9,0xFC,0xDF,0x46,0x7E,0xCE, 0x47,0x5E,0x9A,0x62,0x29,0x4A,0xA4,0x20,0x8F,0x42,0xDE,0xB8,0x29,0x3E,0xE3,0x7B, 0xB4,0x63,0x47,0x06,0x1F,0xC6,0xEF,0x1F,0x7B,0xE0,0x46,0xB6,0xAB,0x36,0x3A,0xC0, 0xD0,0x88,0x9A,0x09,0x4C,0x22,0x72,0x69,0x92,0xDA,0x97,0x33,0x0C,0x74,0x11,0xD7, 0xC3,0xE7,0xEC,0x82,0xC6,0x94,0x15,0x43,0x62,0x45,0xBA,0xE2,0xB3,0x1A,0x02,0x16, 0x48,0xED,0xD0,0x83,0x04,0x55,0x45,0xE0,0x47,0x65,0x34,0x1C,0x06,0xFA,0x0D,0x9A, 0xC9,0x7A,0x89,0x2B,0x29,0x7E,0xEA,0x2E,0x2E,0x9D,0xEC,0x0A,0xC7,0xA6,0x2B,0xFE, 0xB0,0x59,0x48,0x1A,0xD7,0xD4,0xC0,0xE2,0x38,0xE4,0x6E,0xB2,0xA2,0x8E,0x70,0x26, 0x5C,0x8B,0xD8,0x6D,0x30,0xF8,0xA9,0x53,0x5F,0x46,0x54,0x48,0xC2,0xEE,0xB9,0x5D, 0x0C,0x71,0xF4,0x33,0xFF,0x79,0x23,0xF0,0x37,0x19,0xCD,0x12,0xCD,0xDA,0x79,0xDC, 0xEE,0xBE,0x1F,0x91,0x7A,0x1C,0x72,0x81,0x00,0x63,0xD3,0x90,0x8F,0x05,0x39,0x3F, 0xE8,0xC2,0x1C,0xA3,0x73,0x40,0xD6,0xE5,0x95,0x32,0x48,0x02,0x42,0x01,0xCC,0x59, 0xE5,0x0A,0x27,0xE1,0x46,0x9F,0xEA,0xB4,0x86,0x89,0xD6,0xA9,0xE8,0x52,0xB9,0x5F, 
0xF7,0xD0,0x6F,0x36,0xB3,0x85,0xBE,0xF6,0x6A,0xD0,0xD8,0x97,0x3A,0x72,0x9D,0x66, 0xF6,0x58,0x96,0x1B,0x58,0x31,0x8F,0x3F,0x0C,0x64,0x61,0x1E,0x72,0x56,0x7D,0x92, 0x25,0x00,0xD3,0xC9,0x0A,0x42,0x29,0x01,0xE4,0x29,0x94,0xBD,0xB1,0xD6,0x66,0x1F, 0x72,0xC4,0xAF,0xB5,0x5B,0xE7,0xC3,0x48,0x79,0x12,0x9C,0x10,0xAE,0x5A,0x34,0xE8, 0x4C,0xE9,0x64,0x9C,0x99,0xF4,0xDA,0xF3,0xB3,0xAD,0xFD,0xFF,0x5F,0xFC,0xAD,0x59, 0xB5,0x3C,0xB8,0x43,0x97,0x88,0x2A,0xE7,0xCB,0x20,0xEF,0xA3,0x2F,0x1E,0x87,0x3E, 0x41,0x40,0xC9,0x03,0xB1,0x44,0xB9,0x9A,0x3E,0xD6,0xB1,0x9E,0x45,0x4F,0x13,0x05, 0x9F,0x13,0x5E,0x22,0x7D,0xD5,0x51,0x8E,0x02,0x10,0x6F,0xC1,0x40,0x2F,0x0D,0xE8, 0x3B,0x9D,0x7C,0xE1,0x15,0x32,0x82,0x45,0xC9,0x7C,0xFE,0x07,0xBC,0xB7,0x58,0x0C, 0x01,0x6E,0x15,0x03,0x20,0xCF,0x31,0x33,0x45,0x40,0xC4,0x89,0xCA,0xCD,0xDD,0x9D, 0x9C,0x52,0x41,0x33,0x66,0x16,0x9A,0x2A,0x44,0x55,0x2F,0xCC,0x5F,0x51,0xC1,0xB9, 0x7D,0x2C,0x2C,0x02,0xCF,0x2C,0xF4,0x21,0x7B,0xCF,0x27,0xCF,0x39,0xCB,0x33,0xE1, 0x9D,0x9B,0xA1,0xF3,0x9B,0xAD,0xAF,0x2C,0x56,0x9F,0xFE,0x89,0xA6,0xB4,0xED,0x35, 0x59,0x6B,0x76,0xE7,0xB2,0x98,0x16,0x0E,0x62,0xB1,0xD1,0x3E,0x70,0x4A,0x17,0xF3, 0x51,0xBC,0x8D,0x5A,0xDB,0x7E,0x34,0xC5,0xE1,0xF5,0x16,0xF6,0xB2,0x70,0x1D,0xAC, 0x3E,0xFD,0x11,0xB5,0xF6,0xDF,0xB9,0xD6,0x92,0x47,0xED,0xD3,0x4A,0x01,0xEB,0x91, 0x04,0xCA,0xF1,0x4A,0xA9,0x55,0x0F,0xFE,0xEB,0x7D,0xBC,0xE6,0x3E,0x88,0x66,0xDE, 0xC6,0x0F,0x67,0x79,0xFF,0x1C,0x4D,0xF8,0x5B,0x32,0x31,0x80,0xA9,0xBB,0xA4,0xC9, 0x4A,0x5E,0xCA,0xAE,0xDE,0xFA,0xF5,0x85,0x8B,0x10,0xB2,0x07,0x61,0x25,0x8D,0x38, 0x3D,0xE7,0xDE,0x45,0x7D,0x9A,0x9F,0x3D,0xB6,0xA9,0x6C,0x41,0xA3,0x41,0x63,0xC8, 0xC7,0x82,0xE2,0x64,0x30,0x38,0x2F,0x3C,0xF8,0x39,0xFA,0x51,0xC1,0x45,0xDB,0x7E, 0xFE,0x90,0xCB,0xCB,0x62,0x2E,0x45,0x30,0xDF,0x8C,0x89,0x9B,0x35,0xF6,0x50,0x12, 0xD0,0xC2,0xB9,0x36,0x34,0x5F,0x41,0x84,0xE1,0xBC,0xCE,0xB0,0xBB,0x45,0x06,0xA5, 0x4F,0x4C,0x2B,0x54,0xC3,0xBF,0xA1,0xD2,0xFE,0xF1,0x93,0xB7,0x0C,0xB5,0x14,0xD5, 
0xB4,0x52,0x58,0x56,0x66,0x26,0x03,0xF6,0x86,0x66,0xA8,0xAE,0x28,0xCF,0xB7,0x7A, 0xBB,0xB3,0x2B,0xFB,0xAA,0xA4,0x93,0xC7,0xD1,0x67,0x3D,0x4C,0xEF,0x90,0xEE,0xBF, 0x48,0xFD,0xB5,0x47,0xB2,0xC8,0x5C,0x61,0x70,0x6F,0x2F,0x0A,0xAA,0x8C,0x88,0xF6, 0xBF,0x59,0xDC,0xF0,0xD3,0xB7,0xBB,0xB0,0x2C,0x34,0xAB,0x58,0x21,0x35,0x9D,0xCF, 0xDC,0xA4,0x8B,0x7B,0xB8,0x44,0x39,0x1D,0xF9,0x22,0xBA,0xFB,0x14,0x5C,0xF1,0xA4, 0x4D,0x40,0x36,0x78,0x8C,0x2E,0x70,0x79,0xB6,0x1C,0x79,0x29,0x50,0x6B,0xB7,0xA7, 0xFE,0xBD,0xC2,0xFB,0xA3,0xD4,0xA1,0xB6,0xF7,0x4C,0x07,0xE5,0xA2,0xD4,0x4F,0x8E, 0x8D,0x49,0xE3,0x00,0xCA,0x49,0x6C,0x56,0xAD,0x6E,0xE9,0x35,0x42,0x29,0xF4,0xEF, 0x7F,0x14,0x31,0x04,0xDD,0xB3,0x73,0xFC,0xF7,0xA8,0x95,0xD8,0x39,0x7B,0x61,0xB8, 0xFD,0x89,0xD3,0x48,0x32,0x3E,0x3C,0xF9,0xE3,0xC2,0xEB,0xF2,0x99,0x0D,0xA7,0xAD, 0x13,0xCC,0xA3,0x7C,0xD5,0x3A,0x03,0xFA,0x9C,0xAF,0xDA,0xE6,0x46,0x93,0xD9,0x7A, 0x16,0xF9,0x55,0xB1,0x90,0x50,0x8A,0x72,0x2C,0xAE,0x4F,0x60,0x12,0xF3,0x82,0xB5, 0x13,0x64,0xA6,0x0E,0xA0,0x8F,0x59,0x63,0x7A,0x02,0x88,0xD5,0x57,0x9B,0xB2,0x5F, 0xCC,0xDC,0x5D,0x03,0x0F,0x6C,0xCB,0x24,0xA2,0x84,0x7D,0x3D,0xB9,0xE0,0xF3,0xF2, 0x8D,0x90,0x82,0xBB,0xD3,0x2A,0xFD,0x47,0x10,0xA9,0xEA,0xC5,0x59,0x52,0x9C,0xB4, 0xEC,0x50,0x99,0xB4,0xDB,0xFA,0xFC,0xA0,0xF9,0xC1,0xC3,0x7B,0x49,0xD0,0x29,0xE4, 0x1F,0x39,0x50,0x33,0x84,0x8F,0x96,0x3B,0xE7,0xFE,0x41,0x0A,0x4E,0xEA,0x4F,0xF0, 0xCE,0x19,0x34,0x5C,0xBB,0xBF,0x95,0x94,0x26,0x61,0x5E,0x29,0x3D,0x2B,0xC7,0xA8, 0xB2,0x02,0x73,0xC5,0xF5,0x8D,0x04,0x26,0x4C,0x77,0xC7,0xFD,0x8B,0xA9,0x6F,0x02, 0xA2,0x8F,0xC4,0x9F,0xF4,0xA6,0x55,0x88,0xEB,0x55,0x88,0x32,0x24,0xC2,0x82,0x4D, 0xBA,0x68,0x16,0xF7,0xDD,0xD3,0x83,0x8E,0x50,0x5B,0xA4,0xB6,0xFE,0x49,0x0C,0xD3, 0x02,0x4B,0xB3,0x52,0x8F,0xF5,0xCD,0xA7,0xE3,0x41,0x63,0xA5,0xFE,0xF7,0xDF,0x7F, 0xEF,0x9D,0x68,0x20,0x89,0xB3,0xA0,0xF7,0x75,0xA4,0x52,0xE3,0x88,0x81,0x13,0x9F, 0x24,0x1C,0x5A,0xB6,0x63,0x70,0x11,0x1F,0x65,0xBC,0xCD,0x7C,0x48,0x79,0xC7,0x32, 
0x0D,0x6F,0x90,0x20,0x26,0xA2,0xD9,0x49,0x3D,0xDD,0x3D,0xB9,0xCA,0x33,0x74,0x76, 0x21,0xC0,0x34,0xD6,0xD5,0x38,0x9B,0xA2,0x61,0x26,0x99,0x58,0x2A,0xBB,0xB0,0xFD, 0xF5,0x5E,0x92,0x15,0x49,0x08,0x00,0x8B,0x01,0x0E,0xFB,0x2F,0x81,0xD5,0xE7,0xC0, 0xC4,0x54,0x16,0xD1,0xE0,0x00,0x03,0x91,0x14,0x39,0x69,0x48,0x2F,0xA0,0x15,0x76, 0xA2,0xD8,0xE6,0x3F,0x66,0xA8,0xFA,0x15,0x0F,0x41,0x35,0x20,0x66,0xF1,0xE1,0xCD, 0x9D,0x0D,0xE2,0x96,0xBF,0xCD,0x56,0xBD,0x4D,0x33,0x05,0x7D,0x7E,0x09,0x2E,0x46, 0x80,0x4C,0xEE,0x08,0xB9,0xF1,0x11,0x6D,0x98,0xBC,0xC7,0xA4,0x67,0xEB,0xBD,0x22, 0x25,0xA6,0x1F,0x15,0xE6,0xB3,0xF7,0x00,0x2A,0x7A,0x13,0xC6,0x9F,0xAD,0x03,0x0F, 0xF0,0xAB,0xCF,0x3F,0xCF,0x15,0xDB,0x84,0x70,0x04,0xD4,0x94,0xD5,0x96,0x4B,0x69, 0x92,0x30,0xD2,0xA9,0x5D,0x79,0x52,0xE3,0xD8,0x9C,0x2C,0x62,0x49,0xDF,0x9E,0xC1, 0x4E,0x37,0x72,0x4B,0x71,0x2A,0x70,0x9A,0xCF,0x06,0x16,0x12,0x7E,0x6D,0x78,0x78, 0xB5,0x24,0xC2,0xB6,0x0C,0xB0,0x57,0x6A,0xDB,0xD0,0x1B,0x75,0x1F,0xAA,0x41,0xF5, 0xC7,0x2A,0xD0,0xE1,0x98,0x2A,0x5B,0x66,0x63,0x2B,0x52,0x5B,0x61,0x8C,0x8C,0x91, 0x0F,0x87,0x9E,0x86,0x4C,0x38,0x08,0xDC,0x85,0x98,0xDE,0xB5,0xBB,0x37,0x28,0xF0, 0x82,0xCA,0xBE,0xFE,0xD3,0x09,0x98,0x8E,0x8B,0xFE,0x6E,0x20,0x7C,0x31,0x75,0x06, 0x4E,0x75,0x81,0x32,0xA7,0x79,0xA3,0x1C,0x29,0x33,0x0B,0x35,0x58,0x16,0x00,0xD0, 0x9A,0xE5,0x66,0xAF,0x37,0x84,0xE1,0xAB,0x2F,0xF8,0x9E,0x6B,0x32,0xFE,0x62,0x85, 0x8B,0x2E,0x7E,0xB1,0xDD,0xAE,0x17,0x1B,0x3F,0x5F,0x58,0x18,0x50,0x29,0x60,0x27, 0xFF,0x60,0xDA,0xF5,0x11,0x1A,0x56,0x85,0xB2,0x46,0x94,0xD7,0x47,0x02,0x60,0x32, 0x0C,0x39,0xB0,0x54,0x71,0x73,0x66,0x7F,0x57,0x21,0xF9,0xC8,0x80,0x3C,0x1C,0x07, 0x7C,0x22,0x2B,0x5D,0x9E,0x07,0x36,0xD1,0xB4,0xCD,0xF1,0x6D,0x88,0xDE,0x85,0xEA, 0xFC,0x5C,0x48,0xD4,0xF6,0x76,0xC4,0x00,0xA6,0x64,0x74,0xAF,0xE5,0xDE,0xBB,0xB6, 0x3C,0xD9,0x3B,0xA8,0xE7,0xD9,0xFF,0x59,0x87,0x9B,0x72,0xF3,0x92,0x27,0xE2,0x5C, 0xD6,0xF9,0x39,0xD9,0x2C,0xA5,0xD1,0x8C,0xAE,0xEA,0x44,0xAA,0x78,0x65,0xAD,0x5A, 
0x7C,0xF8,0x7C,0xC9,0x61,0xCF,0xE8,0x88,0xE3,0xD7,0xA9,0x3D,0xA9,0xD8,0xFD,0xFE, 0x6C,0x0B,0x89,0x15,0xBE,0xD1,0xC4,0xAF,0xA8,0x16,0x6A,0xC3,0x32,0x63,0xBD,0xFF, 0xA3,0x28,0xDA,0xD1,0x4F,0x5D,0x3D,0x54,0xAA,0x41,0xFF,0xFA,0xAF,0x6E,0x4E,0x05, 0x52,0x01,0x23,0xE4,0xFB,0x89,0xFE,0x51,0xE8,0xCE,0xD8,0xDC,0x51,0x70,0x39,0x5B, 0x4C,0x8A,0xE5,0x61,0xD2,0xA3,0xD5,0xF5,0x33,0xD3,0x87,0x1A,0xED,0x5C,0x35,0xAD, 0xD6,0xCC,0xB5,0x2B,0x0C,0x1C,0x45,0x75,0x71,0xF7,0x08,0x77,0x28,0xEB,0x35,0x37, 0x7A,0x12,0x70,0x92,0x69,0xF7,0xC4,0xCA,0x70,0x4A,0x44,0x63,0x90,0xA3,0xCF,0x94, 0xCB,0x1D,0x69,0xA0,0xC2,0x3D,0xDE,0x01,0x97,0xDE,0x1D,0xB5,0x00,0x93,0x73,0xA1, 0x6C,0x80,0x64,0x2D,0x83,0xBA,0xE7,0x3F,0x83,0x1A,0x04,0x55,0x99,0xA0,0xF1,0xAA, 0x23,0x53,0x23,0xB4,0xC7,0xB3,0x98,0xEE,0xCA,0xE1,0xB0,0xB8,0xAC,0x58,0xC3,0x55, 0x46,0xE1,0xF5,0xE5,0x0C,0x6C,0xAE,0x9A,0x2D,0xBA,0x99,0x47,0xE5,0x28,0x43,0xAA, 0x7E,0x1F,0x72,0x6A,0xE9,0xBD,0x03,0xB6,0x70,0xC4,0x26,0x6C,0x4C,0x79,0x57,0x32, 0x17,0xD0,0x38,0x21,0x02,0x4B,0x2E,0x8D,0x9F,0xE6,0x2B,0xD1,0xED,0x2D,0xEC,0xF0, 0x6F,0x18,0x42,0x05,0x3B,0xA4,0x14,0x94,0x43,0x60,0xF2,0x81,0xA3,0xE8,0x93,0x5B, 0xB3,0xBE,0xEF,0x01,0x1C,0x66,0xA7,0x92,0x0C,0xF5,0xFD,0x59,0x5C,0xC8,0x88,0xE7, 0x76,0xD4,0x66,0xBE,0x70,0x77,0x3A,0xA9,0x8C,0xD5,0xA4,0xE9,0xF5,0xE4,0x56,0x61, 0x2B,0xBA,0x47,0x27,0xFE,0x93,0x65,0xD2,0x66,0xF0,0x6B,0x61,0x54,0x59,0xF4,0xF0, 0xAA,0xA8,0xB2,0x2F,0x89,0xCE,0x3F,0xDD,0xD4,0x50,0xEE,0x5F,0xE2,0xE6,0x4A,0xE9, 0x93,0x91,0x4A,0xA3,0xAA,0x57,0x69,0x4C,0xF9,0x88,0x92,0x68,0x54,0xD6,0x5D,0x6F, 0x77,0xE8,0xCD,0xF0,0xD1,0xB6,0xD0,0xE3,0x24,0x51,0x16,0xE1,0x13,0x2A,0x0E,0x60, 0xB9,0x9A,0x8F,0x96,0x86,0xEA,0x5C,0x02,0xE5,0x4D,0x69,0x26,0x8A,0x08,0xCB,0xC4, 0xDA,0x04,0xD0,0x0E,0x23,0xDA,0x9A,0xD9,0x4E,0x9C,0x47,0x7F,0xE6,0xCB,0x60,0xEB, 0xD3,0x14,0x2E,0xA2,0x8E,0x5B,0xB2,0xAC,0x5B,0xEC,0x47,0x6E,0xFA,0xDC,0xBC,0x8B, 0x68,0x30,0x43,0xEF,0x69,0xA6,0xF3,0x09,0xE6,0xD5,0x70,0x6C,0x5E,0x9B,0x4A,0xBB, 
0xF5,0x1F,0x6D,0x0C,0xF2,0x3B,0x7B,0xAF,0xC9,0x00,0x6D,0xDA,0x50,0x03,0xE9,0x93, 0x19,0xDC,0x73,0x6E,0x6D,0x3F,0xFD,0x31,0xBB,0x53,0x61,0x34,0x50,0x1F,0x52,0x93, 0x94,0x9B,0xAE,0xBE,0xEB,0x05,0x76,0x6E,0x9E,0x0A,0xFD,0xF5,0xE1,0x56,0x8B,0x67, 0x64,0x31,0xC7,0xDF,0xC6,0x4B,0x91,0x53,0x04,0xC9,0x74,0x50,0xF3,0xFD,0x9D,0xE1, 0xB5,0x20,0x10,0x0D,0xC9,0xFA,0xDC,0x5C,0xB9,0x56,0x48,0x6B,0x3A,0x7B,0x0F,0x42, 0x0E,0x53,0x57,0xA1,0xB9,0xF5,0x47,0xF7,0xB6,0x0E,0xF4,0x49,0x34,0x83,0x42,0xAC, 0x69,0xD7,0xAC,0xED,0x66,0xCA,0xA9,0x8C,0xEF,0xB5,0x42,0x68,0x55,0x5A,0x65,0x2B, 0xB9,0x98,0x6D,0x91,0xB6,0x10,0x8B,0x4C,0xC3,0x93,0x5E,0x92,0xF6,0x5C,0x7B,0xD2, 0x9E,0x1C,0xE9,0x8C,0x54,0x8B,0x7B,0xA2,0x5B,0xC4,0x2C,0x1D,0x6B,0xC1,0xDA,0x53, 0x4C,0x13,0xD6,0xC7,0xEB,0x03,0x24,0xC2,0x31,0x10,0x07,0x9D,0xDF,0x30,0xAB,0xBD, 0x2E,0x72,0x7A,0x3F,0x40,0x9A,0x0A,0x9B,0x10,0xCA,0x5E,0x8A,0x89,0x9B,0xA7,0x1A, 0xC5,0x71,0x3F,0x71,0x6B,0x6B,0xE3,0xA8,0x5A,0x11,0x3A,0xB0,0xE0,0x24,0xEE,0x50, 0x18,0x8A,0x00,0xBE,0x26,0x14,0xFC,0xB0,0x65,0x07,0x01,0x20,0x73,0x5D,0x0B,0x92, 0x56,0x6A,0x1F,0x10,0x3C,0x74,0x69,0x16,0x20,0x0D,0xC2,0x95,0xFB,0xD8,0x39,0x65, 0x36,0x9D,0x8F,0x06,0x6C,0x4D,0x72,0x13,0x6F,0x5F,0x70,0x85,0xB9,0x1E,0x6A,0x03, 0x20,0x6F,0x98,0xA2,0x69,0x3F,0xC7,0x4B,0x75,0x0D,0x92,0x05,0x66,0x7C,0x7B,0x0E, 0x3B,0xE7,0x1C,0xE8,0xC9,0x61,0x60,0xD8,0x88,0x26,0xE4,0xDC,0x88,0xDD,0x29,0xDE, 0xBC,0xD6,0xF3,0x16,0xF1,0x91,0x18,0x55,0x49,0x8B,0xD9,0x2E,0x14,0x4F,0x4C,0x04, 0x20,0x00,0xD8,0xA9,0xAF,0x1C,0x09,0xEB,0x42,0x63,0x90,0x6C,0xFE,0x77,0xDC,0x8C, 0x80,0x78,0x83,0xC7,0x00,0xC9,0xF7,0x83,0x10,0x24,0x1F,0x7A,0xCD,0x72,0xC8,0x5A, 0x71,0x77,0xB2,0x67,0x9A,0xA3,0x51,0xDD,0xA3,0x1D,0x21,0x9C,0xAF,0x8B,0xF9,0xCB, 0x34,0x66,0x26,0x1E,0x7E,0x64,0x18,0xFD,0x61,0x98,0xA0,0x4B,0x03,0x20,0xC0,0x1C, 0x93,0x8B,0x97,0x34,0x08,0x05,0xFF,0xA8,0x56,0xB3,0xF9,0x8D,0xA9,0x60,0x94,0x0C, 0xA6,0x7C,0x26,0xB0,0x14,0xFD,0x8E,0x84,0xF0,0x0E,0x72,0x07,0xEF,0x57,0xFB,0x17, 
0xA9,0x87,0x1E,0x13,0xF5,0x8A,0x31,0x1A,0x7A,0x0E,0xE2,0x7A,0x1A,0x80,0xD3,0xF5,
0x70,0x9D,0x2A,0x81,0x25,0x4F,0x54,0xFC,0x9E,0x04,0x5F,0x39,0x02,0x23,0x4C,0x84,
0x5F,0xA2,0xC7,0xA4,0xAD,0x93,0x51,0x71,0x9C,0x86,0x78,0xAA,0xD2,0xB6,0xF7,0xA5,
0xA1,0x86,0xA4,0xFE,0xF4,0x4D,0xB9,0x9F,0x0F,0x52,0x2E,0x8D,0xD5,0x5B,0x41,0x73,
0x62,0xBE,0x73,0xA8,0xF7,0xB1,0x2B,0x10,0x9F,0xC0,0x18,0xBA,0xAF,0x9A,0xC2,0xED,
0xCC,0xD1,0x7C,0x61,0xBF,0x7E,0x86,0xAD,0x52,0x74,0x68,0xA0,0xF9,0x85,0x61,0x9D,
0x3A,0x33,0x8B,0x96,0x40,0x59,0x13,0xBC,0x48,0x3A,0x10,0xD7,0x0D,0x07,0x9F,0x1F,
0x4C,0xCD,0xB9,0xC2,0xDB,0x9E,0xBF,0x0A,0xB8,0x90,0x2E,0xD1,0x39,0x0F,0x78,0x78,
0xD7,0x00,0x20,0x2B,0x77,0x20,0x2C,0xA0,0x7A,0xD7,0xFB,0x7E,0xCC,0xBF,0xD3,0x70,
0xE5,0x4B,0xD1,0x30,0xDC,0xCD,0x83,0x95,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x20,0x73,0x6F,0x6D,0x65,0x20,0x63,0x61,0x66,0x66,0x65,0x69,0x6E,0x65,0x20,0x74,
0x6F,0x20,0x73,0x6F,0x6C,0x76,0x65,0x20,0x69,0x74,0x21,0x59,0x6F,0x75,0x20,0x6E,
0x65,0x65,0x64,0x20,0x73,0x6F,0x6D,0x65,0x20,0x63,0x61,0x66,0x66,0x65,0x69,0x6E,
0x65,0x20,0x74,0x6F,0x20,0x73,0x6F,0x6C,0x76,0x65,0x20,0x69,0x74,0x21,0x59,0x6F
};
//this array starts at 409240

int main()
{
	// Start from the two DWORDs the check expects and run the rounds backwards
	DWORD eax = 0xf19714bb, edx = 0xe43f955c;
	/*DWORD eax = 0xe3a91d54, edx = 0xf9536d3a;*/
	DWORD dword_409240 = *(DWORD*)&arr[0];
	DWORD dword_409244 = *(DWORD*)&arr[4];
	DWORD esi = 0;
	eax ^= dword_409244;
	edx ^= dword_409240;
	DWORD temp = 0;
	for (int i = 0; i < 16; ++i)
	{
		//swap eax and edx
		temp = eax;
		eax = edx;
		edx = temp;
		esi = *(DWORD*)&arr[0x409688 - 0x409240 + BYTE2(eax) * 4] + *(DWORD*)&arr[0x409288 - 0x409240 + BYTE1(eax) * 4];
		esi = (esi ^ (*(DWORD*)&arr[0x409a88 - 0x409240 + BYTE3(eax) * 4])) + *(DWORD*)&arr[0x409e88 - 0x409240 + BYTE4(eax) * 4];
		//got bitten by operator precedence once: + binds tighter than ^
		edx ^= esi;
		eax ^= *(DWORD*)&arr[0x409248 - 0x409240 + i * 4];
	}
	printf("%08X %08X", eax, edx);
	//c648553b d3c9ddbd
	//3b5548c6 bdddc9d3
	//1DE02A18 DB379C4A
	//182ae01d 4a9c37db
	//182ae01d 4a9c37db
	// 0x41 0x42 0x43 0x44 0x45 0X46
	// A B C D E F
	//31 38 32 41 45 30 31 44 34 41 39 43 33 37 44 42
	//31 44 45 30 32 41 31 38 44 42 33 37 39 43 34 41
	return 0;
}
#endif
// eax edx esi
// 1 16cb9d01 25582a19 123d8026
// 2