BeginCTF 解题记录
题量大,题目难度适中,我挑选关键题目写写 WP
Misc
Tupper
先把文件内容提取并拼接起来:
1txts = []
2for i in range(0, 673, 4):
3 path = f"{i}.txt"
4 with open(path, 'r') as file:
5 txts.append(file.read())
6txts = ''.join(txts)
7print(txts)
得到一段 Base64:
MTQyNzgxOTM0MzI3MjgwMjYwNDkyOTg1NzQ1NzU1NTc1MzQzMjEwNjIzNDkzNTI1NDM1NjI2NTY3NjY0Njk3MDQwOTI4NzQ2ODgzNTQ2NzkzNzEyMTI0NDQzODIyOTg4MjEzNDIwOTM0NTAzOTg5MDcwOTY5NzYwMDI0NTg4MDc1OTg1MzU3MzUxNzIxMjY2NTc1MDQxMzExNzE2ODQ5MDcxNzMwODY2NTk1MDUxNDM5MjAzMDAwODU4MDg4MDk2NDcyNTY3OTAzODQzNzg1NTM3ODAyODI4OTQyMzk3NTE4OTg2MjAwNDExNDMzODMzMTcwNjQ3MjcxMzY5MDM2MzQ3NzA5MzYzOTg1MTg1NDc5MDA1MTI1NDg0MTk0ODYzNjQ5MTUzOTkyNTM5NDEyNDU5MTEyMDUyNjI0OTM1OTExNTg0OTc3MDgyMTkxMjY0NTM1ODc0NTY2MzczMDI4ODg3MDEzMDMzODIyMTA3NDg2Mjk4MDAwODE4MjE2ODQyODMxODczNjg1NDM2MDE1NTk3Nzg0MzE3MzUwMDY3OTQ3NjE1NDI0MTMwMDY2MjEyMTkyMDczMjI4MDg0NDkyMzIwNTA1Nzg4NTI0MzEzNjE2Nzg3NDUzNTU3NzY5MjExMzIzNTI0MTk5MzE5MDc4MzgyMDUwMDExODQ=
解码得到一串数:
根据题目名称可以知道与塔伯自指公式有关。用 Tupper's self-referential fomula 解一下:
where is crazyman 系列
三道社工题,前两道用谷歌识图可以直接找到地点;第三道的图片:
矿泉水瓶子上有 Boudl Apart' Hotel 字样,根据提示在谷歌地图里找到在 Boudl Al Munsiyah 旁的 Starbucks。flag 在谷歌地图里这一家 Starbucks 的评论区里,按时间顺序查看能找到。
devil's word
一查是温州话,听音频把“魔鬼的语言”转成数字 0-9,最后十六进制转字符得到 flag。
发音 | 数字 |
---|---|
leng | 0 |
lia | 2 |
sa | 3 |
sii | 4 |
ng | 5 |
leu | 6 |
cai | 7 |
bo | 8 |
jau | 9 |
使用某些文本编辑器的 Ctrl+H 一键替换的时候注意,不要把 leng 里的 ng 替换成 5。
real check in
MJSWO2LOPNLUKTCDJ5GWKX3UN5PUEM2HNFXEGVCGL4ZDAMRUL5EDAUDFL5MU6VK7O5UUYMK7GEYWWZK7NE3X2===
一眼 Base32
Web
zupload
Web 做不了一点,查资料只做了个签到题。本题的后端没有保护,直接改 ?action=/flag
访问 flag 所在目录。
Reverse
红白机
读 6502 汇编。这玩应有现成的在线工具:Easy 6502
不过还是自己写了个脚本:
1def op_LDA(arg):
2 global reg_acc, line_ptr
3 reg_acc = int(arg[-3:], 16)
4 line_ptr += 1
5
6
7def op_LDX(arg):
8 global x_index, line_ptr
9 x_index = int(arg[-3:], 16)
10 line_ptr += 1
11
12
13def op_LDY(arg):
14 global y_index, line_ptr
15 y_index = int(arg[-3:], 16)
16 line_ptr += 1
17
18
19def op_STA(arg):
20 global reg_acc, mem, line_ptr, x_index
21 addr = int(arg.split(',')[0][1:], 16) + x_index - 0x200
22 mem[addr] = reg_acc
23 line_ptr += 1
24
25
26def op_INX(arg):
27 global x_index, line_ptr
28 x_index += 1
29 line_ptr += 1
30
31
32def op_CPX(arg):
33 global x_index, line_ptr, reg_cmp
34 param = int(arg[-3:], 16)
35 if param == x_index:
36 reg_cmp = 1
37 else:
38 reg_cmp = 0
39 line_ptr += 1
40
41
42def op_BNE(arg):
43 global reg_cmp, line_ptr, seg_addr, seg_name
44 if reg_cmp:
45 line_ptr += 1
46 else:
47 ind = seg_name.index(arg[0])
48 line_ptr = seg_addr[ind]
49
50
51op_dict = { # 指令
52 "LDA": op_LDA,
53 "LDX": op_LDX,
54 "LDY": op_LDY,
55 "STA": op_STA,
56 "INX": op_INX,
57 "CPX": op_CPX,
58 "BNE": op_BNE,
59}
60
61
62line_ptr = 0 # 指令地址指针
63seg_addr = [] # 段地址
64seg_name = [] # 段名称
65mem = [0] * 0x400 # 初始化内存
66x_index = 0 # X 索引寄存器
67y_index = 0 # Y 索引寄存器
68reg_acc = 0 # 累加器
69reg_cmp = 0 # 比较标志位
70
71with open("6502.txt", 'r') as asm_6502:
72
73 for line in asm_6502: # 读取段标识
74 if line.strip()[0].islower():
75 seg_addr.append(line_ptr)
76 seg_name.append(line[0])
77 line_ptr += 1
78
79 line_ptr = 0 # 从头读取
80 asm_6502.seek(0)
81 lines = asm_6502.readlines()
82
83 while line_ptr < 407: # 运行
84 if lines[line_ptr][0].islower(): # 跳过段标识
85 line_ptr += 1
86 else:
87 opcode = lines[line_ptr][0:3]
88 arg = lines[line_ptr][4:]
89 op_dict[opcode](arg)
90
91 for i in range(len(mem)): # 显示
92 if i % 32 == 0: # 显示器宽度
93 print('')
94 if mem[i] == 0:
95 print('.', end = ' ')
96 else:
97 print('■', end = ' ')
98
99'''output:
100. ■ ■ . ■ . . . . . . . . . . . ■ ■ . . . . . . . . . . . . . .
101. ■ . . ■ . . . . . . . . . . . ■ . . . ■ . . ■ ■ ■ . . ■ . . .
102■ ■ ■ . ■ . ■ ■ ■ . . ■ ■ ■ . . ■ . . ■ . ■ . ■ . . . ■ . ■ . .
103. ■ . . ■ . ■ . ■ . . ■ . ■ . ■ ■ . . ■ . . . ■ ■ . . ■ . ■ . .
104. ■ . . ■ . ■ ■ ■ ■ . ■ ■ ■ . . ■ . . ■ ■ ■ . . . ■ . ■ . ■ . .
105. . . . . . . . . . . . . ■ . . ■ . . ■ . ■ . . . ■ . ■ . ■ . .
106. . . . . . . . . . . ■ ■ ■ . . ■ ■ . . ■ . . ■ ■ . . . ■ . . .
107. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
108■ ■ ■ . . . . . ■ ■ ■ . . . . . ■ . . . ■ ■ ■ . ■ . ■ . ■ ■ ■ .
109. . ■ . . . . . . ■ . . . . . . ■ . . . ■ . ■ . ■ . ■ . ■ . . .
110. ■ ■ . . . . . . ■ . . . . . . ■ . . . ■ . ■ . ■ . ■ . ■ ■ ■ .
111■ ■ . . . . . . . ■ . . . . . . ■ . . . ■ . ■ . ■ . ■ . ■ . . .
112■ . . . . . . . . ■ . . . . . . ■ . . . ■ . ■ . ■ . ■ . ■ . . .
113■ ■ ■ . ■ ■ ■ . ■ ■ ■ . ■ ■ ■ . ■ ■ ■ . ■ ■ ■ . . ■ . . ■ ■ ■ .
114. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
115. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
116. . . . . . . . ■ ■ . . . . . . . . . . . . . . . . . . . . . .
117. . . . . . . . . ■ . . . . . . . . . . . . . . . . . . . . . .
118. . . . . . . . . ■ . . . . . . . . . . . . . . . . . . . . . .
119. . . . ■ . ■ . . ■ ■ . . . . . . . . . . . . . . . . . . . . .
120. . . . ■ . ■ . . ■ . . . . . . . . . . . . . . . . . . . . . .
121. . . . ■ . ■ . . ■ . . . . . . . . . . . . . . . . . . . . . .
122■ ■ ■ . ■ ■ ■ . ■ ■ . . . . . . . . . . . . . . . . . . . . . .
123. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
124. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
125. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
126. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
127. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
128. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
129. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
130. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
131. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
132'''
算是手搓个小小解释器吧。
Xor
查出来有 UPX 壳,先脱壳放进 IDA。
在最后比较字符串的地方找到了一个加密过的 flag:
加密过程如下:
……
加密过程过于繁琐,豁免还有几个类似加密逻辑。先尝试动调,试着输入密文,竟发现:
难绷,非预期了()
俄语学习
最开始有 30 道俄语题目,不会用 pwntools,遂手自笔录到最后一步。
最后这里对输入的内容有 sub_43AFAA()
和 sub_43A555()
两次操作。
sub_43AFAA()
中调用 sub_4419E0()
生成一个船新的字符串 byte_4CB1E8
,随后在 sub_441B00()
中做了一次 Xor Swap,RC4 中的第三个步骤加密即是 Xor Swap。
sub_43A555()
中有一个字符串比较的操作,随后在 sub_43CBC0()
中同样调用 sub_441B00()
。
关键就在 byte_4CB1E8[i] = Str[i] + byte_4CAEE8[i] - 112;
这一句,动调之后能看见 byte_4CAEE8
,于是上脚本:
1>>> cip1 = "+i&[@Y:g8[&l$f8S8v$Y&e>{"
2>>> cip2 = [0x35, 0x6D, 0x35, 0x64, 0x35, 0x77, 0x35, 0x64, 0x35, 0x62, 0x35, 0x6E, 0x35, 0x6D, 0x35, 0x64, 0x35, 0x77, 0x35, 0x64, 0x35, 0x62, 0x35, 0x6E, 0x35, 0x6D, 0x35, 0x64, 0x35, 0x77, 0x35, 0x64, 0x35, 0x62, 0x35, 0x6E, 0x8E]
3>>> for i in range(len(cip1)):
4... print(chr(ord(cip1[i]) + 112 - cip2[i]), end = '')
5...
6flag{Russian_is_so_easy}
stick game
最绷不住的一题,本来是一血的,结果题目下了()
附件里的 Javascript 脚本里边有这么一坨:
1function _0x3339(_0xc5a7d3,_0x197349){const _0x4be1b2=_0x271a();return _0x3339=function(_0x5f266e,_0x306e60){_0x5f266e=_0x5f266e-(0x1*-0x159c+-0x5*-0x69b+0x9*-0x10e);let _0x97d2a2=_0x4be1b2[_0x5f266e];if(_0x3339['vsEbbX']===undefined){var _0x4e47ab=function(_0x504f68){const _0x55694b='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let _0x4868cb='',_0x5f5158='';for(let _0x288bde=-0x1275+-0x96f*-0x4+0xeb*-0x15,_0x5400b3,_0x1abc9a,_0x5b8a10=-0x1715*-0x1+-0x2413+0xcfe;_0x1abc9a=_0x504f68['charAt'](_0x5b8a10++);~_0x1abc9a&&(_0x5400b3=_0x288bde%(0xc*-0x27e+0x2*0xc11+-0x2*-0x2e5)?_0x5400b3*(0x1795*0x1+0x3*0x3b+-0x802*0x3)+_0x1abc9a:_0x1abc9a,_0x288bde++%(0x611+-0x70e+0x101))?_0x4868cb+=String['fromCharCode'](-0x1bd9+-0x114a*0x2+-0x386*-0x12&_0x5400b3>>(-(-0xdcf+-0x5*0x51b+0x2758)*_0x288bde&0x22b7+-0x2548+0x3*0xdd)):-0x4*0x765+-0xe07+0x2b9b){_0x1abc9a=_0x55694b['indexOf'](_0x1abc9a);}for(let _0x4deb0f=-0x11cf+-0x1b73*0x1+0x2*0x16a1,_0x529665=_0x4868cb['length'];_0x4deb0f<_0x529665;_0x4deb0f++){_0x5f5158+='%'+('00'+_0x4868cb['charCodeAt'](_0x4deb0f)['toString'](0x14b*-0xa+0x1bd8+-0x76d*0x2))['slice'](-(-0x10d5+0x1*0x265+0xe72));}return decodeURIComponent(_0x5f5158);};const _0x11fa5a=function(_0x4173dc,_0x5da0bd){let _0x48d668=[],_0x20d9fc=0xa31*0x1+0x252d*0x1+-0x2f5e,_0x1ab256,_0x59d767='';_0x4173dc=_0x4e47ab(_0x4173dc);let _0x15c31e;for(_0x15c31e=0x18e3*-0x1+0x12ff+0x5e4;_0x15c31e<-0x26f9+-0xb*-0x1fd+0x121a;_0x15c31e++){_0x48d668[_0x15c31e]=_0x15c31e;}for(_0x15c31e=-0x17bc+0x415+0x13a7;_0x15c31e<-0xa46+-0x1207+-0x1*-0x1d4d;_0x15c31e++){_0x20d9fc=(_0x20d9fc+_0x48d668[_0x15c31e]+_0x5da0bd['charCodeAt'](_0x15c31e%_0x5da0bd['length']))%(0x1c5f+0x267b+-0x41da),_0x1ab256=_0x48d668[_0x15c31e],_0x48d668[_0x15c31e]=_0x48d668[_0x20d9fc],_0x48d668[_0x20d9fc]=_0x1ab256;}_0x15c31e=0x1450+0x139*0x5+-0x1a6d,_0x20d9fc=0x250e+-0x1*0x12fd+-0x1211;for(let _0x786500=-0x4*0x2e8+-0x452*-0x4+-0x5a8;_0x786500<_0x4173dc['length'];_0x786500++){_0x15c31e=(_0x15c31e+(0x127a+-0xd*0x2f1+0x16*0xe6))%(0x1b69+0x10d*-0x25+0x54*0x26),_0x20d9fc=(_0x20d9fc+_0x48d668[_0x15c31e])%(0x144b+0xbf8+0x1f43*-0x1),_0x1ab256=_0x48d668[_0x15c31e],_0x48d668[_0x15c31e]=_0x48d668[_0x20d9fc],_0x48d668[_0x20d9fc]=_0x1ab256,_0x59d767+=String['fromCharCode'](_0x4173dc['charCodeAt'](_0x786500)^_0x48d668[(_0x48d668[_0x15c31e]+_0x48d668[_0x20d9fc])%(0x21b5+0x780+-0x2835)]);}return _0x59d767;};_0x3339['fKEsSz']=_0x11fa5a,_0xc5a7d3=arguments,_0x3339['vsEbbX']=!![];}const _0xdaf7a0=_0x4be1b2[0x1a7c+0x13a3*-0x1+-0x6d9],_0xe679c5=_0x5f266e+_0xdaf7a0,_0x223335=_0xc5a7d3[_0xe679c5];return!_0x223335?(_0x3339['wQPYZX']===undefined&&(_0x3339['wQPYZX']=!![]),_0x97d2a2=_0x3339['fKEsSz'](_0x97d2a2,_0x306e60),_0xc5a7d3[_0xe679c5]=_0x97d2a2):_0x97d2a2=_0x223335,_0x97d2a2;},_0x3339(_0xc5a7d3,_0x197349);}(function(_0x56cb23,_0xed8547){const _0x18ee5d=_0x3339,_0x1e59ec=_0x56cb23();while(!![]){try{const _0x1325e2=-parseInt(_0x18ee5d(0x20d,'*!up'))/(-0x6a3*0x1+0x7b6+0x2*-0x89)*(parseInt(_0x18ee5d(0x2b8,'RTq]'))/(-0x1a9a+-0x19ac+-0x4*-0xd12))+parseInt(_0x18ee5d(0x276,'Ur3M'))/(0x90e+-0x47*0x30+-0x1*-0x445)*(-parseInt(_0x18ee5d(0x299,'Lj5i'))/(-0x22bd+-0x1*-0xdf+-0x10f1*-0x2))+parseInt(_0x18ee5d(0x286,'bK)('))/(-0x1190+0x1*-0x220f+0x33a4)*(-parseInt(_0x18ee5d(0x287,'P0I8'))/(0xae+-0x7e5*0x2+0xf22))+-parseInt(_0x18ee5d(0x292,'*!up'))/(-0x1*-0x545+0x146a+0xcd4*-0x2)+-parseInt(_0x18ee5d(0x291,'B*#j'))/(-0xc83*0x1+0x17*-0x11a+0x25e1)*(-parseInt(_0x18ee5d(0x247,'a8v%'))/(-0x1ed3+0xb69*-0x2+0x1ad7*0x2))+-parseInt(_0x18ee5d(0x2a0,'D93x'))/(0x22bb+-0xa34*0x1+-0x187d)+parseInt(_0x18ee5d(0x23a,'euu1'))/(-0x10db+0xadd+-0x1*-0x609);if(_0x1325e2===_0xed8547)break;else _0x1e59ec['push'](_0x1e59ec['shift']());}catch(_0x386714){_0x1e59ec['push'](_0x1e59ec['shift']());}}}(_0x271a,-0xa4*-0x2aeb+-0x107909+0x3ec97),(function(){const _0x308b56=_0x3339,_0x52eac5={'EhRTr':_0x308b56(0x253,'dm1K')+_0x308b56(0x26e,'dm1K'),'kFogs':_0x308b56(0x220,'XFw5')+_0x308b56(0x22a,'5HLR')+_0x308b56(0x283,'bK)(')+_0x308b56(0x1f9,'t]@A'),'vSevM':function(_0x235a00,_0x2ea75d){return _0x235a00(_0x2ea75d);},'OqHIS':_0x308b56(0x202,'t]@A'),'QSAON':function(_0x2ef78c,_0xca8978){return _0x2ef78c+_0xca8978;},'kZXWE':_0x308b56(0x2bf,'dm1K'),'iOTog':_0x308b56(0x1f8,'B*#j'),'ZAfQh':function(_0x3b572b){return _0x3b572b();},'RUNZw':function(_0x52df0c,_0x5865a2,_0x5794b1){return _0x52df0c(_0x5865a2,_0x5794b1);},'slyqV':_0x308b56(0x22d,'dA#l'),'BzoKk':_0x308b56(0x2a7,'5LZW'),'gmbzr':function(_0x11c452,_0x57d0fc){return _0x11c452/_0x57d0fc;},'MpeHA':function(_0x175f0e,_0x3ae62d){return _0x175f0e-_0x3ae62d;},'ndQmA':_0x308b56(0x28e,'5HLR'),'GNiWK':function(_0x4dea5c,_0x4b1649){return _0x4dea5c/_0x4b1649;},'uYZdk':function(_0x451719,_0x4d2a0d){return _0x451719>_0x4d2a0d;},'SQqRY':_0x308b56(0x210,'fEoa')+_0x308b56(0x246,'tjJU'),'LnBhB':function(_0x5335b2){return _0x5335b2();},'fHBqJ':function(_0x3747e4){return _0x3747e4();},'exgXD':_0x308b56(0x22c,'a75U'),'znGtf':function(_0x4de0c7,_0x27d2c3){return _0x4de0c7/_0x27d2c3;},'OALlD':function(_0x59141c){return _0x59141c();},'mZiDl':function(_0xc634e5,_0x1193bd){return _0xc634e5+_0x1193bd;},'gjfUb':_0x308b56(0x221,']Udf')+_0x308b56(0x298,'*!up'),'YgIGj':function(_0x3ec1bd,_0xcd69c1){return _0x3ec1bd+_0xcd69c1;},'CCHCR':function(_0x416100,_0x33db7a){return _0x416100+_0x33db7a;},'zHsVl':_0x308b56(0x29a,'^Bu%'),'zgyPL':function(_0x4048e5,_0x40930e){return _0x4048e5/_0x40930e;},'vxtVH':function(_0x346552,_0x45d61a){return _0x346552-_0x45d61a;},'Arrgu':function(_0xd88875,_0x11e4b8){return _0xd88875-_0x11e4b8;},'GyAQK':function(_0x41ae1a,_0x1fe7fe){return _0x41ae1a+_0x1fe7fe;},'jUqPs':function(_0x1541d1,_0x51f672){return _0x1541d1<_0x51f672;},'AexTD':function(_0x42e7a1,_0x3b582e){return _0x42e7a1-_0x3b582e;},'bIMaZ':function(_0x5ab1a4,_0x79b265){return _0x5ab1a4/_0x79b265;},'gcQLV':function(_0x3a9735,_0x3209c3){return _0x3a9735-_0x3209c3;},'TDkZi':function(_0x189284,_0x33cdf7){return _0x189284>=_0x33cdf7;},'Wdret':_0x308b56(0x29f,'a75U')+_0x308b56(0x218,'RTq]')+_0x308b56(0x2c6,'6Ko7')+_0x308b56(0x256,'RZQs')+_0x308b56(0x279,'Ye)S')+_0x308b56(0x200,'8Q&f')+'5}','VxtbI':_0x308b56(0x29c,'t]@A'),'GRrEE':_0x308b56(0x26a,'bK)(')+'e','USQaK':function(_0x3d02c8){return _0x3d02c8();},'fiSOb':_0x308b56(0x2ba,'Ur3M')+_0x308b56(0x20c,'a8v%')+_0x308b56(0x2a1,'ENZE')+_0x308b56(0x20e,'itU6')+_0x308b56(0x27a,'MT*D')+_0x308b56(0x263,'MT*D')+_0x308b56(0x209,'ezI0')+_0x308b56(0x1f4,'t]@A'),'iwhST':function(_0x308db1){return _0x308db1();},'idVYK':function(_0x12d784){return _0x12d784();},'RPiDd':function(_0x454974,_0x150af3){return _0x454974+_0x150af3;},'OMpyB':function(_0x36c11d){return _0x36c11d();},'eDXUY':function(_0x3a811d){return _0x3a811d();},'RLhuh':function(_0x2dfc11){return _0x2dfc11();},'anOcA':function(_0x18f562){return _0x18f562();},'SAccn':_0x308b56(0x225,'BW0h')},_0x1f601f=(function(){let _0x4d0af0=!![];return function(_0x51009e,_0x166e32){const _0x371342=_0x4d0af0?function(){const _0x6ab774=_0x3339;if(_0x166e32){const _0x380d67=_0x166e32[_0x6ab774(0x24f,'n1#6')](_0x51009e,arguments);return _0x166e32=null,_0x380d67;}}:function(){};return _0x4d0af0=![],_0x371342;};}());(function(){const _0x44162e=_0x308b56,_0x224f5c={'jzGoq':_0x52eac5[_0x44162e(0x266,'[(5W')],'brIEg':_0x52eac5[_0x44162e(0x20a,'q!6(')],'puohs':function(_0x211ebb,_0x3dbfcb){const _0x4ab761=_0x44162e;return _0x52eac5[_0x4ab761(0x2c3,'8Q&f')](_0x211ebb,_0x3dbfcb);},'CGrSR':_0x52eac5[_0x44162e(0x1ed,'PDC0')],'oBgMA':function(_0x46549a,_0x3b8843){const _0x2ee089=_0x44162e;return _0x52eac5[_0x2ee089(0x234,'ezI0')](_0x46549a,_0x3b8843);},'YQRSZ':_0x52eac5[_0x44162e(0x2c0,'qcm2')],'IYvua':function(_0x2ec52a,_0x4e0998){const _0x59c596=_0x44162e;return _0x52eac5[_0x59c596(0x203,'hv&k')](_0x2ec52a,_0x4e0998);},'WpokC':_0x52eac5[_0x44162e(0x275,'6Ko7')],'cBwSZ':function(_0x956a27){const _0x4cbe06=_0x44162e;return _0x52eac5[_0x4cbe06(0x1fb,'n1#6')](_0x956a27);}};_0x52eac5[_0x44162e(0x24c,'ENZE')](_0x1f601f,this,function(){const _0x177f71=_0x44162e,_0x3bf1f5=new RegExp(_0x224f5c[_0x177f71(0x24b,'909%')]),_0x3d78c3=new RegExp(_0x224f5c[_0x177f71(0x2b0,'909%')],'i'),_0x7ff872=_0x224f5c[_0x177f71(0x267,']Udf')](_0x31b643,_0x224f5c[_0x177f71(0x1fd,'dm1K')]);!_0x3bf1f5[_0x177f71(0x214,'qcm2')](_0x224f5c[_0x177f71(0x2ac,'fEoa')](_0x7ff872,_0x224f5c[_0x177f71(0x2af,'ezI0')]))||!_0x3d78c3[_0x177f71(0x26c,'XFw5')](_0x224f5c[_0x177f71(0x230,'P0I8')](_0x7ff872,_0x224f5c[_0x177f71(0x2ad,'q!6(')]))?_0x224f5c[_0x177f71(0x2c7,'qcm2')](_0x7ff872,'0'):_0x224f5c[_0x177f71(0x222,'FmLR')](_0x31b643);})();}()),realScore=-0x1*0x16e1+-0xacd+0x21ae,window[_0x308b56(0x219,'euPU')]=function(_0xb25880){const _0x1f6358=_0x308b56;if(!lastTimestamp){lastTimestamp=_0xb25880,window[_0x1f6358(0x273,'MT*D')+_0x1f6358(0x206,'PDC0')+'e'](animate);return;}switch(phase){case _0x52eac5[_0x1f6358(0x272,'!i*w')]:return;case _0x52eac5[_0x1f6358(0x1ef,'RZQs')]:{sticks[_0x1f6358(0x239,'t]@A')]()[_0x1f6358(0x2a8,'RZQs')]+=_0x52eac5[_0x1f6358(0x2c4,'n1#6')](_0x52eac5[_0x1f6358(0x264,'8Q&f')](_0xb25880,lastTimestamp),stretchingSpeed);break;}case _0x52eac5[_0x1f6358(0x241,'kBNH')]:{sticks[_0x1f6358(0x21e,'hv&k')]()[_0x1f6358(0x254,'5HLR')]+=_0x52eac5[_0x1f6358(0x26b,'euu1')](_0x52eac5[_0x1f6358(0x255,'HpW7')](_0xb25880,lastTimestamp),turningSpeed);if(_0x52eac5[_0x1f6358(0x223,'dm1K')](sticks[_0x1f6358(0x25a,'5HLR')]()[_0x1f6358(0x2bb,'n1#6')],0x4f*0x31+-0x1f5*0x7+-0x112)){sticks[_0x1f6358(0x211,'BW0h')]()[_0x1f6358(0x24e,'1@19')]=-0x67*0x2e+-0x1*0x2002+-0x22*-0x17f;const [_0x251f65,_0x5cb259]=_0x52eac5[_0x1f6358(0x1fe,'5HLR')](thePlatformTheStickHits);if(_0x251f65){const _0x1a00f7=_0x52eac5[_0x1f6358(0x297,'uvWL')][_0x1f6358(0x26d,'dm1K')]('|');let _0x35cc17=0x1781*0x1+0x6cc*0x1+0x1e4d*-0x1;while(!![]){switch(_0x1a00f7[_0x35cc17++]){case'0':scoreElement[_0x1f6358(0x2a5,'hICu')]=realScore;continue;case'1':realScore+=_0x5cb259?-0x486+0x4*0x665+-0x1c1*0xc:-0xf*0x1d1+-0x3ee+0x1f2e;continue;case'2':score=realScore;continue;case'3':_0x5cb259&&(perfectElement[_0x1f6358(0x23c,'YyQk')][_0x1f6358(0x268,'kBNH')]=-0x2d6*-0x1+0x2*0x78d+0x11ef*-0x1,_0x52eac5[_0x1f6358(0x242,'a8v%')](setTimeout,()=>perfectElement[_0x1f6358(0x290,'^Bu%')][_0x1f6358(0x21c,'B*#j')]=0x79d*0x4+0x223a+-0x40ae,-0x1102+-0x343+-0x182d*-0x1));continue;case'4':_0x52eac5[_0x1f6358(0x2a4,'!i*w')](generateTree);continue;case'5':_0x52eac5[_0x1f6358(0x213,'6Ko7')](generatePlatform);continue;case'6':_0x52eac5[_0x1f6358(0x258,'B*#j')](generateTree);continue;}break;}}phase=_0x52eac5[_0x1f6358(0x2aa,'hv&k')];}break;}case _0x52eac5[_0x1f6358(0x27d,'q!6(')]:{heroX+=_0x52eac5[_0x1f6358(0x233,'ENZE')](_0x52eac5[_0x1f6358(0x229,']Udf')](_0xb25880,lastTimestamp),walkingSpeed);const [_0x3474f0]=_0x52eac5[_0x1f6358(0x23d,'euPU')](thePlatformTheStickHits);if(_0x3474f0){const _0x4fec81=_0x52eac5[_0x1f6358(0x2c2,'BW0h')](_0x52eac5[_0x1f6358(0x250,'dA#l')](_0x3474f0['x'],_0x3474f0['w']),heroDistanceFromEdge);_0x52eac5[_0x1f6358(0x25e,'RZQs')](heroX,_0x4fec81)&&(heroX=_0x4fec81,phase=_0x52eac5[_0x1f6358(0x216,'!i*w')]);}else{const _0x1e010c=_0x52eac5[_0x1f6358(0x2a9,'itU6')](_0x52eac5[_0x1f6358(0x251,'YyQk')](sticks[_0x1f6358(0x265,'Wx%z')]()['x'],sticks[_0x1f6358(0x265,'Wx%z')]()[_0x1f6358(0x274,'Ye)S')]),heroWidth);_0x52eac5[_0x1f6358(0x2b1,'Wx%z')](heroX,_0x1e010c)&&(heroX=_0x1e010c,phase=_0x52eac5[_0x1f6358(0x28f,'tjJU')]);}break;}case _0x52eac5[_0x1f6358(0x1f2,'5HLR')]:{sceneOffset+=_0x52eac5[_0x1f6358(0x207,'*!up')](_0x52eac5[_0x1f6358(0x2bc,'ev%m')](_0xb25880,lastTimestamp),transitioningSpeed);const [_0x24ea65]=_0x52eac5[_0x1f6358(0x288,'XFw5')](thePlatformTheStickHits);_0x52eac5[_0x1f6358(0x2b1,'Wx%z')](sceneOffset,_0x52eac5[_0x1f6358(0x227,'P0I8')](_0x52eac5[_0x1f6358(0x29e,'5HLR')](_0x24ea65['x'],_0x24ea65['w']),paddingX))&&(sticks[_0x1f6358(0x23f,'B*#j')]({'x':_0x52eac5[_0x1f6358(0x232,'^Bu%')](_0x24ea65['x'],_0x24ea65['w']),'length':0x0,'rotation':0x0}),phase=_0x52eac5[_0x1f6358(0x22f,'RZQs')]);break;}case _0x52eac5[_0x1f6358(0x27b,'bK)(')]:{if(_0x52eac5[_0x1f6358(0x24d,'^Bu%')](sticks[_0x1f6358(0x259,'Lj5i')]()[_0x1f6358(0x2b6,'a75U')],0x68c+-0xb87+0x5*0x123))sticks[_0x1f6358(0x215,'euPU')]()[_0x1f6358(0x270,'5LZW')]+=_0x52eac5[_0x1f6358(0x2a2,'bK)(')](_0x52eac5[_0x1f6358(0x1f1,'dA#l')](_0xb25880,lastTimestamp),turningSpeed);heroY+=_0x52eac5[_0x1f6358(0x278,'YyQk')](_0x52eac5[_0x1f6358(0x238,']Udf')](_0xb25880,lastTimestamp),fallingSpeed);const _0x5e701d=_0x52eac5[_0x1f6358(0x2be,'8Q&f')](_0x52eac5[_0x1f6358(0x1fc,'6Ko7')](platformHeight,-0x413+0x327+0x6*0x38),_0x52eac5[_0x1f6358(0x208,'HpW7')](_0x52eac5[_0x1f6358(0x2c5,'t]@A')](window[_0x1f6358(0x25b,'P0I8')+'t'],canvasHeight),-0xaac+-0x1ebf*-0x1+0x1*-0x1411));if(_0x52eac5[_0x1f6358(0x252,'tjJU')](heroY,_0x5e701d)){_0x52eac5[_0x1f6358(0x201,'q!6(')](realScore,-0x1847a0+0x1edb3d+-0xb*-0x141e2)&&_0x52eac5[_0x1f6358(0x2b2,'BW0h')](alert,_0x52eac5[_0x1f6358(0x21b,'itU6')]);restartButton[_0x1f6358(0x20f,'8Q&f')][_0x1f6358(0x29b,'t]@A')]=_0x52eac5[_0x1f6358(0x289,'t]@A')];return;}break;}default:throw _0x52eac5[_0x1f6358(0x2cd,'dm1K')](Error,_0x52eac5[_0x1f6358(0x248,'euu1')]);}_0x52eac5[_0x1f6358(0x296,'Lj5i')](draw),window[_0x1f6358(0x2ae,'ev%m')+_0x1f6358(0x1ff,'t]@A')+'e'](animate),lastTimestamp=_0xb25880;},window[_0x308b56(0x257,'YyQk')]=function(){const _0x556c69=_0x308b56,_0x5272c2=_0x52eac5[_0x556c69(0x249,'C&a&')][_0x556c69(0x25f,'itU6')]('|');let _0x239782=-0x1bf4+-0x1db8*-0x1+0x4*-0x71;while(!![]){switch(_0x5272c2[_0x239782++]){case'0':_0x52eac5[_0x556c69(0x20b,'[(5W')](generatePlatform);continue;case'1':_0x52eac5[_0x556c69(0x280,'itU6')](draw);continue;case'2':_0x52eac5[_0x556c69(0x236,'Wx%z')](generateTree);continue;case'3':phase=_0x52eac5[_0x556c69(0x245,'uvWL')];continue;case'4':lastTimestamp=undefined;continue;case'5':heroX=_0x52eac5[_0x556c69(0x21f,'C&a&')](_0x52eac5[_0x556c69(0x2c8,'[(5W')](platforms[0x17d*0x3+0xcdf*0x3+-0x6*0x72e]['x'],platforms[-0xc0a+0x10d2+-0x12*0x44]['w']),heroDistanceFromEdge);continue;case'6':_0x52eac5[_0x556c69(0x1fa,'6Ko7')](generateTree);continue;case'7':realScore=0xfce+0x1622+-0x8*0x4be;continue;case'8':platforms=[{'x':0x32,'w':0x32}];continue;case'9':_0x52eac5[_0x556c69(0x2a3,'RTq]')](generateTree);continue;case'10':scoreElement[_0x556c69(0x235,'Lj5i')]=realScore;continue;case'11':trees=[];continue;case'12':sticks=[{'x':_0x52eac5[_0x556c69(0x293,'FmLR')](platforms[-0xbaf*0x1+-0x1db0+0x295f]['x'],platforms[-0x1322*-0x1+0x10bc+-0x23de]['w']),'length':0x0,'rotation':0x0}];continue;case'13':_0x52eac5[_0x556c69(0x2cb,'ev%m')](generatePlatform);continue;case'14':_0x52eac5[_0x556c69(0x231,'euu1')](generateTree);continue;case'15':_0x52eac5[_0x556c69(0x284,'Ye)S')](generateTree);continue;case'16':perfectElement[_0x556c69(0x2bd,'ENZE')][_0x556c69(0x22e,'909%')]=0x2b*-0x61+-0x2ef+0x133a;continue;case'17':_0x52eac5[_0x556c69(0x22b,'[(5W')](generateTree);continue;case'18':score=-0x81c+0x13e*-0x13+-0x386*-0x9;continue;case'19':_0x52eac5[_0x556c69(0x296,'Lj5i')](generatePlatform);continue;case'20':_0x52eac5[_0x556c69(0x28a,'fEoa')](generateTree);continue;case'21':_0x52eac5[_0x556c69(0x27c,'[(5W')](generateTree);continue;case'22':_0x52eac5[_0x556c69(0x2b9,'RTq]')](generateTree);continue;case'23':restartButton[_0x556c69(0x224,'RTq]')][_0x556c69(0x28b,'n1#6')]=_0x52eac5[_0x556c69(0x261,'tjJU')];continue;case'24':introductionElement[_0x556c69(0x271,'909%')][_0x556c69(0x269,'HpW7')]=0x7ff+0x3c3*-0x9+0x3*0x89f;continue;case'25':_0x52eac5[_0x556c69(0x23e,'P0I8')](generateTree);continue;case'26':heroY=-0x2647+0x115f*0x1+-0xdf*-0x18;continue;case'27':sceneOffset=-0x20e3+0x19a0*-0x1+0x3a83;continue;case'28':_0x52eac5[_0x556c69(0x217,'D93x')](generatePlatform);continue;}break;}},window[_0x308b56(0x282,'^Bu%')+_0x308b56(0x243,'euu1')+'e'](animate);}()));function _0x31b643(_0x4d3784){const _0x1b5cb7=_0x3339,_0x2e11ff={'baRek':function(_0x3ae89c,_0x298245){return _0x3ae89c===_0x298245;},'LFnKE':_0x1b5cb7(0x2cc,'XFw5'),'jjPcj':_0x1b5cb7(0x29d,'FmLR')+_0x1b5cb7(0x244,'FmLR'),'snWzG':_0x1b5cb7(0x2b7,'euu1'),'pQDkk':function(_0x58316f,_0x919f2c){return _0x58316f!==_0x919f2c;},'wxaJr':function(_0x533d4d,_0x1acb92){return _0x533d4d+_0x1acb92;},'rASdw':function(_0xd361d5,_0xdf57b7){return _0xd361d5/_0xdf57b7;},'Cpfbb':_0x1b5cb7(0x260,'FmLR'),'WMcgl':function(_0x2cc482,_0x589f04){return _0x2cc482===_0x589f04;},'GcLFP':function(_0x5d16a0,_0x3d8692){return _0x5d16a0%_0x3d8692;},'RRSLG':function(_0x4d7575,_0x3056e4){return _0x4d7575+_0x3056e4;},'tUTKT':_0x1b5cb7(0x24a,'B*#j'),'YrVgr':_0x1b5cb7(0x212,'hv&k'),'qMYDX':_0x1b5cb7(0x2b5,'PDC0'),'xRlnj':_0x1b5cb7(0x1f3,'XFw5')+'t','DwdqE':function(_0x4199c1,_0x622c3b){return _0x4199c1(_0x622c3b);},'zjdcx':function(_0x18e744,_0x3b2871){return _0x18e744(_0x3b2871);}};function _0x4b8a74(_0x37d0a6){const _0x4f6e72=_0x1b5cb7;if(_0x2e11ff[_0x4f6e72(0x25c,'PDC0')](typeof _0x37d0a6,_0x2e11ff[_0x4f6e72(0x228,'q!6(')]))return function(_0x156eb6){}[_0x4f6e72(0x277,'HpW7')+'r'](_0x2e11ff[_0x4f6e72(0x262,'q!6(')])[_0x4f6e72(0x204,'ENZE')](_0x2e11ff[_0x4f6e72(0x2ab,'8Q&f')]);else _0x2e11ff[_0x4f6e72(0x2a6,'XFw5')](_0x2e11ff[_0x4f6e72(0x25d,'Wx%z')]('',_0x2e11ff[_0x4f6e72(0x21a,'HpW7')](_0x37d0a6,_0x37d0a6))[_0x2e11ff[_0x4f6e72(0x2b4,'YyQk')]],-0x1139+-0x60e+0x1748)||_0x2e11ff[_0x4f6e72(0x1f0,'a8v%')](_0x2e11ff[_0x4f6e72(0x226,'D93x')](_0x37d0a6,0x55d*0x1+-0x121+0x10a*-0x4),0x2093+0x905*0x2+-0x329d)?function(){return!![];}[_0x4f6e72(0x294,'5HLR')+'r'](_0x2e11ff[_0x4f6e72(0x1f5,'D93x')](_0x2e11ff[_0x4f6e72(0x2c9,'a8v%')],_0x2e11ff[_0x4f6e72(0x28d,'a75U')]))[_0x4f6e72(0x2b3,'Lj5i')](_0x2e11ff[_0x4f6e72(0x28c,'dA#l')]):function(){return![];}[_0x4f6e72(0x240,'6Ko7')+'r'](_0x2e11ff[_0x4f6e72(0x281,'t]@A')](_0x2e11ff[_0x4f6e72(0x205,'dm1K')],_0x2e11ff[_0x4f6e72(0x2ca,'909%')]))[_0x4f6e72(0x237,'XcX^')](_0x2e11ff[_0x4f6e72(0x1f7,'fEoa')]);_0x2e11ff[_0x4f6e72(0x2c1,'q!6(')](_0x4b8a74,++_0x37d0a6);}try{if(_0x4d3784)return _0x4b8a74;else _0x2e11ff[_0x1b5cb7(0x1ee,'kBNH')](_0x4b8a74,-0x442+-0x1*0x18a7+0x1ce9);}catch(_0x57cc25){}}function _0x271a(){const _0x51c506=['WQOKW6pcIJtcN8kasSo4v8ouWPVdNa','FSontKKRqumaWQ9tWOPcW4y','b8kWW6vMFa','b8kwWQ/cRSoJ','WRhdRNWtgq','WOldI8ojW6vq','E37cJJKT','WQ8OW6ldNIO','imonWO0AW4pdJ8kjneNcJW','rNn0WQykfW','W7FcQhVcKKS','W6NcU2xdQCkFFSkosbJcJG','WOpdRfyGlq','WOtcKCkJoSkX','v1jSWRK','rSovWRRdVYy','aCkpW7FdHCob','tSoHWOVdLY8','W5tcVhbYWOG','WPidW6ldMIa','hM4YW7KzsdXpc8kK','omo2W5tdLCkbWRqjpCkEWQi','W5lcUI3cTmop','gMeVW6q','gCkdevC2','sN98WO3dNq','W6pcRLzQWO4','jCkGW5LgqmoXWRxdImoqjG','v8o9W4JcLCkp','xSoKW67cJCoN','WPq8WQRdUdNcI8kxs8o9aa','W63cUcNcICov','ASokdCkSWOa','W63dUSkyWRzaW41MW7VcLmkZ','h8kRW6FcLCkwW5tdMhm','utrRW7hcN1eRWOddLSo6','lSk0WPtcJSkc','W4RdGGGYDX8/WPldNCk2','iCkEbaG','l8k3nwO','B8oqWOJdTY4','W7fce8kR','jv7cOL8','rx3dJgzR','W7/cU07cJ2q','WPeAWQWQWQ3dVmkHW4pdQwW','kfhcUeyNWPWR','s8oiW5/cK8oI','nsWPW6JdMG','WOlcJ8kYlmkSoGu','WOdcHmo1imoOcK3cImouWR5+','jmkXi2W','WPddRh8jmG','d8ksWRbfWOBcQSodyrBcTW','W4ddJ8kNFSkTgNBcKCo/WRi','l8kwa8oWW7y','W6lcOLHfWRe','WPalW6eQW7K','i8kqgrK','W6lcMwtcMfW','BxxcJSkFW5u','W4RcUcJcPCoJ','W7NdJCkJwmkF','WQLVW77dIMvjmmo5jSop','ySotkSkCWPu','W5NcOSk5WPFcJSosna','txRcNXKaW40W','WQTaymo1CftdKG','WOddUgOPja','zv7cISknW4e','wgtcT8kVEG','W4FcO8oRDYy','uwflWPxdGG','W7etW5NcGGS','WQFcN8kJWRBdOsDlsLm','W4v4W6WLWQ4','pL7dNCotWPi','W5pdNSkxxmki','h241W6q','pHNdRmoVimobW48Wa0KHWRr0WP4','fW7cVSoslmoQxhW','W5emWQpcI8kX','bN7cNuCc','y0BcSmkuW6q','WP3cISkGjW','ASo3WQtdTragChldL8ko','e8kyWPRcOmoA','WOFdK8oKW5Hl','z0NcQ8kZFCkEWRP3oKO','kCo9vmoyW5e','uflcPmoQcW','c1pdUG','W6BcTmktWRCnW4TPW6ldG8oOWO3cP8oL','txRcRCkFvW','WRFdOfqsfa','WONcMSkXoG','WQ5krSo5Aa','EvPcWRVdKW','W6RcJ8oBDH4','W6P9WQhdK3xdGSoyzG','oSk+W6hdUmoq','v0hcNYKf','W6e7WPlcPmkg','sNBcLSkgW5W','W7hcJMXcWQ7dTLnqb2q','WROTW7ddQJX6amkZ','Dmo5W6NcV8ou','WPFcPha7emkdEmkuaSkU','W5aDWQNcGSkGWQjfW4NcMW','WRFcVSk1hSkT','WQlcKmk+WQC','WQqJW7FdVW','rwNcKSkDW5lcIcpdOCo3qG','kSkGW79kra','W5TKW5S2WPC','WOBdJuK8gq','etG3W6tdMG','imkXgSoeW5Hz','Bg7cR8kbW5K','W6ZcLbBcJCom','W6CPWR7dRmoKgx7cRe4h','emkWWOJcQSkM','W4b9W4Ki','rSovn8kRWQy','W4tdImkPEmkT','eSkmWQRcRSoYW7qk','vSo5W63cLmo8Br4','W6C4WPbep8oqWO4gChW','twBcTSknwq','j8oCWP8A','W6tcI25iWQ4','W4VdKYilWOBcTG','pb7dQ8oVjmk2WPPvmgue','WQRdPcJcVCk4ySkhtq','WRDeEmo6Fa','uxVdK0jF','W6L+WRpcQmk2fJJdNfXF','WQm6smkxWOC5','ymoxWP7dQqm','WPTumg9GW6JcTJPqWQRcGq','wSoMW6lcHmoHAXlcKSkgW6q','W4aXWPFcHSko','WQ05rmoiWPfKoCk0W4RcQa','WQOQWR7dR8oHgx3cQe4a','W4OcWOX8na','wCo8a8kUWRW','W6pcHIhcTSoI','FmoWWP4AhCkUW4dcJ8oPjCkAW51OWOW','ECoKtmktWP53WPlcSZNcVLK','lqKxW6hdQG','bhCNW5Oe','W7lcV8oBuWJdPMvuW5rf','WObNW4zlDCkkWR9ds1a','WPOmD8krWRG','WQOJWOpdOLtdGSoJBW','WOf6W4yFc8kfWPGfxx8','gtFdHmoiWPlcHJpdICozs8kS','h8oxWQ4gW6q','jxCYW7i/','WQ7dRwSVda','p8kNW6ldPmofk30','s1BcRYKX','W7FcSCkdWPVcLq','WRW3W7BdPsf9ca','rwFcV8k0W5S','W7pcRSotsGG','W5NdJ8kWbSk0btVdSG','h8kSWOFdVCo2WONcU1zqogJdGmo+','iCkohCoNW4a','WQSTW6RdUdXHgSk+d8o7','W7yeoCoXw2NdNx7cMa','WPVcOSkCWRldMa','Cg/cRmojba','rmo0W5y','W7ZdHCo1WRtdKtPyF1i','W6BcU8ogsGtdU3y','f2y1W6aArWm','ewmPW7mD','o8k8hCopW4KrW4/cHGlcQG','WO87W4xdMGm','W4ZcPSkYWPxcICohkKn1W6y','WPhdGHVdPJ4YmmobWO42WP4cEW','vZ48WP3cNmkpDthcT2y','W7CeWPz9eW','WOu3W5O3W5y','BNNdQfTl','g0ZcL8oSlCo5W4mbmW','i8oOWQGfW40','WQVdVY7cUCk4AmkasJRcMq','WP/dSx0/bSoF','oY8sW4RdHa','lCkOn0a8','lSkUWRRcMmkG','WPtdVf0dbG','W5hcJINcHCoL','EqCvoSonWPNcMd/dPtS','W7KrW4RcNH8','WQzcsmotFG','W5LfW6ayWO4','o8kSeGPx','WQ3cKmkHWR8','W6eiWRZcHCk2','kCkIW5LgqmoX','W5ZcRmkHWP3cK8ovpb0','AuFcQSk0zSkvWO4','W5DgWQT2WQRdVmkXW5tcNtLz','WQ8rW5OUW54','WP4EmczKWPNcRf1hW5K','kCkHW6xdTCoDi2T7','FrOqgCoG','whT1WO3dGq','hSkdWQxcOCk1','W7tcK2niWRq','W659omkiWPW','W4lcIslcN8oJ','amkpeJrB','k8ktWOJcLmkQ','pmkJW7pdRSoB','mMO+W4qY','vSkPW7NcTvnanYBdVmoz','W7vsd8k3WQO','uCoTdmk7WRa','WQhdK8o+W4LO','WP1cv8oXAW','BIy8gSoX','imonWP4hW4JdPW','W6hcQgDxWPC'];_0x271a=function(){return _0x51c506;};return _0x271a();}
显然是被混淆了。试了几个反混淆工具,最终选择了这个 JS Deobfuscator
然后 flag 就被明文显示了
这是初代 flag,后来第二遍上的题目用的解决方法和这个一模一样。最开始这道题难度是 hard,重新上来就成了 easy。
real check in xor
略(真没啥好写的)
Crypto
fake_n
已知的 fake_n
由 17 个质数相乘得到,未知的 really_n
由其中的 15 个质数相乘得到。really_n
共有 $C_{17}^{15}$ 种可能。不妨爆破:
1import gmpy2
2from Crypto.Util.number import *
3
4c = 6451324417011540096371899193595274967584961629958072589442231753539333785715373417620914700292158431998640787575661170945478654203892533418902
5primelst = [2215221821, 2290486867, 2333428577, 2361589081, 2446301969, 2507934301, 2590663067, 3107210929, 3278987191, 3389689241, 3417707929, 3429664037, 3716624207, 3859354699, 3965529989, 4098704749, 4267348123]
6
7for i in range(1, 17):
8 for j in range(i):
9 tmplst = [2215221821, 2290486867, 2333428577, 2361589081, 2446301969, 2507934301, 2590663067, 3107210929, 3278987191, 3389689241, 3417707929, 3429664037, 3716624207, 3859354699, 3965529989, 4098704749, 4267348123]
10 n = 1
11 phi = 1
12 del tmplst[i]
13 del tmplst[j]
14 n = 1
15 phi = 1
16 for k in tmplst:
17 n *= k
18 phi *= k - 1
19 e = 65537
20 d = gmpy2.invert(e, phi)
21 m = pow(c, d, n)
22 print(long_to_bytes(m), end = '\n\n')
我玩青水的
后来知道,下面这个方法叫低指数加密攻击:
1from Crypto.Util.number import *
2import gmpy2
3
4p = 7709388356791362098686964537734555579863438117190798798028727762878684782880904322549856912344789781854618283939002621383390230228555920884200579836394161
5c = 5573755468949553624452023926839820294500672937008992680281196534187840615851844091682946567434189657243627735469507175898662317628420037437385814152733456
6e = 2
7
8jud = 1
9k = 1
10while jud:
11 y = c + k * p
12 m, exact = gmpy2.iroot(y, 2)
13 if exact:
14 print(long_to_bytes(m))
15 print(k)
16 jud = 0
17 k += 1
OEIS2
改编自强网杯“OEIS”,那一个可以查表。
题目要计算 $(2^{28} + 5)!$ 各位和的 SHA256,NR289 师傅建议我使用 Sagemath 硬算:
1import hashlib
2upper = str(gamma(2**28 + 6))
3res = 0
4for i in upper:
5 res += int(i)
6print(hashlib.sha256(str(res).encode()).hexdigest())
吃顿饭的工夫就出了。
hard_ecc
浅看了一点 ECC,这道题已知的量有:圆锥曲线 ec、公钥 Q、基点 T,要求的是私钥。
1A = [0, 3, 0, 973467756888603754244984534697613606855346504624, 864199516181393560796053875706729531134503137794]
2p = 992366950031561379255380016673152446250935173367
3t = [295622334572794306408950267006569138184895225554, 739097242015870070426694048559637981600496920065, 1]
4q = [282367703408904350779510132139045982196580800466, 411950462764902930006129702137150443195710071159, 1]
5flag_bytes = b''
6
7ec = EllipticCurve(GF(p), [A[0], A[1], A[2], A[3], A[4]])
8
9T = ec((t[0], t[1], t[2]))
10Q = ec((q[0], q[1], q[2]))
11
12secret = discrete_log(Q, T, operation= '+')
13
14flag_bytes = int(secret).to_bytes((secret.bit_length() + 7) // 8, 'little')
15flag = flag_bytes.decode('utf-8')
16
17print(flag)
Forensics
学取证咯 系列
做出来的前面五道分别使用 cmdscan
iehistory
mimikatz
filescan
可以直接出
逆向工程(reverse)入门指南
Linux 里使用 pdftotxt,然后可以找到 flag。
beginner_Forensics!!!!
用 010 打开,看到是一个 Batch Encryption 混淆,我使用 https://blog.csdn.net/Hunter98234/article/details/108672926 中提供的脚本还原。