强网杯S9初赛Reverse writeup

强网杯初赛的这道 re 挺有意思的，做了快 20h 出了。

tradere

基本vm结构分析

ptrace 父子进程调试，父进程追踪子进程 int 3 指令的位置，替换成相应的操作，因为开始的赋值操作导致数据结构不好看，可以考虑 dump + nop 初始化的方式。

每次 int 3 触发之后，会执行一个结构体中的函数，结构体如下定义。

struct data
{
    data* lchild;
    data* rchild;
    long long(__fastcall* func)(user_regs_struct*);
    long long reg2;
};

经过遍历结构体，去重得到一共只会执行以下几个函数。

0000000000401C31  // if eflags is less,return 1 else 0
0000000000401CA6  // if eflags is less or equal,return 1 else 0
0000000000401D22  // if eflags is not zero,return 1 else 0
0000000000401D5B  // if eflags is zero,return 1 else 0
0000000000401DCD  // if eflags is not sign,return 1 else 0
0000000000401E96  // return 2
0000000000401EA5  // return 3
0000000000401EB4  // return 4
0000000000401F0C  // if eflags is greater,return 1 else 0
0000000000000000  // jmp to rchild

分析父进程的操作

unsigned __int64 __fastcall parentrun(unsigned int pid)
{
	//some definition
    v13 = __readfsqword(0x28u);
    v7 = 0;
    sp = 0;
    ptr = (data *)qword_606AC0;
    wait((__WAIT_STATUS)&stat_loc);
    while ( (unsigned __int8)stat_loc == 0x7F )
    {
        ptrace(PTRACE_GETREGS, pid, 0, &regs);
        v8 = ptrace(PTRACE_PEEKTEXT, pid, regs.rip, 0);
        v10 = (unsigned __int8)ptrace(PTRACE_PEEKDATA, pid, regs.rip - 1, 0);
        if ( v10 != 0xCC )
        {
            ptrace(PTRACE_KILL, pid, 0, 0);
            exit(0);
        }
        v4 = 1;
        if ( ptr->func )
        {
            opcode = ptr->func(&regs);
            if ( opcode == 1 )
            {
                ptr = ptr->rchild;
            }
            else if ( opcode )
            {
                switch ( opcode )
                {
                    case 2:                          // get next ptr from my stack
                        if ( sp <= 0 )
                            exit(-1);
                        ptr = (data *)stack[--sp];   // ret
                        regs.rsp += 8LL;
                        break;
                    case 3:						   // call API and control return address
                        regs.rip = (unsigned __int64)ptr->rchild;
                        ptr = ptr->lchild;
                        regs.rsp -= 8LL;             // push RIP,wait to return
                        ptrace(PTRACE_POKEDATA, pid, regs.rsp, ptr->RIP);
                        v4 = 0;
                        break;
                    case 4:                          // lchild push to my stack and goto rchild block
                        if ( sp > 0x30 )
                            exit(-1);
                        stack[sp++] = ptr->lchild;
                        regs.rsp -= 8LL;
                        ptr = ptr->rchild;
                        break;
                    case 5:						   // not used
                        if ( sp > 0x30 )
                            exit(-1);
                        /* ... */
                }
            }
            else
            {
                ptr = ptr->lchild;
            }
        }
        else
        {
            ptr = ptr->rchild;		// NULL Function Process
        }
        if ( v4 ) 				   // attention to new block
            regs.rip = ptr->RIP;
        ptrace(PTRACE_SETREGS, pid, 0, &regs);
        if ( ptrace(PTRACE_CONT, pid, 0, 0) < 0 )
        {
            perror("Ptrace.");
            return __readfsqword(0x28u) ^ v13;
        }
        wait((__WAIT_STATUS)&stat_loc);
    }
    return __readfsqword(0x28u) ^ v13;
}

根据还原的伪代码逻辑也可以看出：

• 2 分支是返回最近一次 4 分支存的右子节点。
• 3 分支是调用 rchild 所指的 API 函数，因为 API 会返回，所以这个操作利用 ptrace 往栈中压了一个地址，用于控制调用 api 结束后的落点位置。
• 4 分支是保存左分支，走右分支。

第一步，断 fork，dump 结构体内容，保存为 .h 文件

#pragma once
struct user_regs_struct
{
    unsigned long long r15;
    unsigned long long r14;
    unsigned long long r13;
    unsigned long long r12;
    unsigned long long rbp;
    unsigned long long rbx;
    unsigned long long r11;
    unsigned long long r10;
    unsigned long long r9;
    unsigned long long r8;
    unsigned long long rax;
    unsigned long long rcx;
    unsigned long long rdx;
    unsigned long long rsi;
    unsigned long long rdi;
    unsigned long long orig_rax;
    unsigned long long rip;
    unsigned long long cs;
    unsigned long long eflags;
    unsigned long long rsp;
    unsigned long long ss;
    unsigned long long fs_base;
    unsigned long long gs_base;
    unsigned long long ds;
    unsigned long long es;
    unsigned long long fs;
    unsigned long long gs;
};

struct data
{
    data* lchild;
    data* rchild;
    long long(__fastcall* func)(user_regs_struct*);
    long long reg2;
};

unsigned char ida_chars[] =
{
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x60, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xE0, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x09, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x75, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xD0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFD, 0x0A,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x03, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7D,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7E, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x6E, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0x79, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x08,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x79, 0x0B, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x74, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C, 0x0B, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC0, 0x77, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA0, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x22, 0x1D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x81, 0x0B,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x71, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA0, 0x7B, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xAB, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x71,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x81, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x22, 0x1D, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xBE, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x08,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xEB, 0x0B, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA0, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x70, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x0B, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xE0, 0x7B, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x20, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0x0B,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7A, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x7F, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x10, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x7D, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x25, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7B,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x34, 0x0C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x81, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x0C, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x80, 0x6B, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4F, 0x0C,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x7B, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xE0, 0x6E, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x74, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x72,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7A, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x7C, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA0, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x7F,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x84, 0x0C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x0C, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x80, 0x72, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x0C,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x7A, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xCF, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x79,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x80, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xDF, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x80,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x1F, 0x0D, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x40, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x10, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x0D, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x80, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x0D,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x58, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x76, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x5B, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x6D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x71,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x90, 0x0D, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA3, 0x0D, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDB, 0x0D,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x74, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x73, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xE0, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6B,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xEF, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA0, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6B,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x1A, 0x0E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x0E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xE0, 0x77, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x60, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3A, 0x0E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6D, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x55, 0x0E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x5D, 0x0E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x6D,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x5C, 0x0F, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC0, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCD, 0x1D,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x0F, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7A, 0x0F,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x79, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x83, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6B,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x80, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB1, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC1, 0x0F, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x80, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC9, 0x0F, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xE0, 0x79, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x80, 0x77, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDB, 0x0F,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x6B, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xEE, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xF6, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xF9, 0x0F, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x40, 0x6D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFB, 0x0F, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x7B, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFC, 0x0F,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x81, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x10, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x72,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x08, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x18, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x32, 0x10, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x6D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x10, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x70, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x80, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x10,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x71, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x6C, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x81, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x73, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x80, 0x10, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x6B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, 0x11, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x7C, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x84, 0x11,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7C, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x71, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x9E, 0x11, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x81,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7C, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB1, 0x11, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x7A,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC4, 0x11, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xE0, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x11, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x12,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA0, 0x6F, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x0B, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0C, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x80,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x13, 0x12, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x12, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x12,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x74, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x54, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7F, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x5C, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x72,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x9F, 0x12, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xE0, 0x74, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x10, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAA, 0x12, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC0, 0x6D, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xD0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB2, 0x12,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xE0, 0x78, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB8, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x73,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x08, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC0, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC1, 0x12, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC3, 0x12, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x6F, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x12,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x80, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x80, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xEF, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x6E, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0A, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x74,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x12, 0x13, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x40, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x13, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x7C, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x13,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x79, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x80, 0x7C, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x2A, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x77, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x3D, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x7F, 0x13, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x20, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8A, 0x13, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC0, 0x70, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x40, 0x6E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x13,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x7A, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x90, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x73,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC3, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA0, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x6C,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xCE, 0x13, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA0, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x13, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x80, 0x76, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x40, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0x13,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6A, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x75, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0C, 0x1F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x07, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x7A,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6D, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0F, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x74, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x1C, 0x14, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xE0, 0x76, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2F, 0x14, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x20, 0x7A, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x14,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x79, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x7F, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x76, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6E,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x75, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x8B, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7E,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x90, 0x14, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA0, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x14, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x80, 0x71, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x20, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x14,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA1, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x75,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6D, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xAD, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x79,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xBD, 0x14, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC4, 0x14, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC0, 0x7B, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x14,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x70, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xCD, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x72,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7D, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xD5, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xDA, 0x14, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDC, 0x14, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x7F, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA0, 0x76, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF1, 0x14,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xFA, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x6C,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x77, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x05, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x18, 0x15, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA0, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1A, 0x15, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC0, 0x76, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA0, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x15,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x08, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x38, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x78,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x77, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x61, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x76,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x1C, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x66, 0x15, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x20, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0x15, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA0, 0x71, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x89, 0x15,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x70, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x08, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x8A, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x78,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x76, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x8B, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x08,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x94, 0x15, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC0, 0x6E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9C, 0x15, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA1, 0x15,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xAD, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x76,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x7E, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB2, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7B,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xBA, 0x15, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x40, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCC, 0x15, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE1, 0x15,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x73, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xE3, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7A,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x70, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x12, 0x16, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x73, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7E,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x33, 0x16, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xE0, 0x6B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3E, 0x16, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xA0, 0x79, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x16,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6E, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x7F, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x5E, 0x16, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x80,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x79, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x22, 0x1D, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x72, 0x16, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x7A, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x84, 0x16, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBF, 0x16, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x40, 0x6B, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x17,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x03, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x7B,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0A, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xE0, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6C,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x13, 0x17, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x20, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x20, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1B, 0x17, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xE0, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0x17,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x73, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x72, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB9, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x6E,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xC4, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x76,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xD1, 0x17, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA0, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE1, 0x17, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x80, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0x17,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7F, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7F, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x0D, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x7D,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x31, 0x18, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x79, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x39, 0x18, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x20, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x18,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6B, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x80, 0x77, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x4E, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6F,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x5B, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6D,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x64, 0x18, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x80, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA3, 0x18, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x6C, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xE0, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0x18,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x73, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x6E, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xBC, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6F, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xCC, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xC0, 0x73, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xCE, 0x18, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE2, 0x18, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x60, 0x75, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x20, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x18,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x75, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xF0, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x77, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x3C, 0x19, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6D,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x53, 0x19, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xE0, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5E, 0x19, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x73, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x40, 0x77, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x31, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA2, 0x19,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7D, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x7E, 0x60, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xAC, 0x19, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6D,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x80, 0x60, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x31, 0x1C, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xB7, 0x19, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6C,
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0xCA, 0x19, 0x40, 0x00, 0x00, 0x00,
    0x00, 0x00, 0xE0, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x77, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD2, 0x19, 0x40, 0x00,
    0x00, 0x00, 0x00, 0x00
};

第一步可以验证前面两个猜想，一个是找 func 函数，去重，用一个 set 做就行，另一个是当 func return 3 的时候，输出 rchild，观察函数。第一步不给代码了，第二步运行一下：

#include<stdio.h>
#include<set>
#include<map>
#include<stack>
#include<string>
#include<iostream>
#include<queue>
#include"tradre.h"
std::set<unsigned long long> s;
bool visited[200] = { 0 };

void printstruct(data* p, int idx) {
	if ((unsigned long long)p->func == 0x0000000000401EA5) {
		s.insert((unsigned long long)p->rchild);
	}
}
int main() {
	data* p = ((data*)ida_chars) + 1;
	for (int i = 0; i <= 180; i++) {
		printstruct(&p[i], i);
	}
	for (auto ptr : s) {
		printf("%p\n", (void*)ptr);
	}
}

运行可以发现，输出地址均为 plt 表中的地址。

0000000000400810
0000000000400820
0000000000400830
0000000000400840
0000000000400860
0000000000400870
00000000004008A0
00000000004008C0
00000000004008D0
0000000000400900

基本块恢复

后续我还做了一张 dot 表，可以直观地感受节点之间的控制关系。

#include<stdio.h>
#include<set>
#include<map>
#include<stack>
#include<string>
#include<iostream>
#include<queue>
#include"tradre.h"
std::set<unsigned long long> s;
bool visited[200] = { 0 };
std::map<__int64, std::string> eflagsConditionMap = {
    { 0x0000000000401C31, "if eflags is less, return 1 else 0  // JL" },
    { 0x0000000000401CA6, "if eflags is less or equal, return 1 else 0  // JLE" },
    { 0x0000000000401D22, "if eflags is not zero, return 1 else 0  // JNE/JNZ" },
    { 0x0000000000401D5B, "if eflags is zero, return 1 else 0  // JE/JZ" },
    { 0x0000000000401DCD, "if eflags is not sign, return 1 else 0  // JNS" },
    { 0x0000000000401F0C, "if eflags is greater, return 1 else 0  // JG" },
    { 0x0000000000401E96, "return 2" },
    { 0x0000000000401EA5, "return 3" },
    { 0x0000000000401EB4, "return 4" },
    {0x00,"NULL"},
};
std::map<uint64_t, std::string> plt_map = {
    {0x400810, "_puts"},
    {0x400820, "___stack_chk_fail"},
    {0x400830, "_printf"},
    {0x400840, "_memset"},
    {0x400850, "_alarm"},
    {0x400860, "_read"},
    {0x400870, "_srand"},
    {0x400880, "_signal"},
    {0x400890, "_ptrace"},
    {0x4008A0, "_setvbuf"},
    {0x4008B0, "_perror"},
    {0x4008C0, "_atoi"},
    {0x4008D0, "_exit"},
    {0x4008E0, "_wait"},
    {0x4008F0, "_fork"},
    {0x400900, "_rand"}
};

int calc_child(unsigned long long child, unsigned long long base) {
    if ((child - base) / sizeof(data) >= 0 && (child - base) / sizeof(data) <= 180) {
        return (child - base) / sizeof(data);
    }
    return -1;
}

void printedge(data* p, int idx) {
    char descript[0x1000] = { 0 };
    char tmp[0x1000];
    int lidx = calc_child((unsigned long long)p->lchild, 0x606AC0);
    int ridx = calc_child((unsigned long long)p->rchild, 0x606AC0);

    if (lidx != -1) {
        printf("%d -> %d;\n", idx, lidx);
    }
    if (ridx != -1) {
        printf("%d -> %d;\n", idx, ridx);
    }
}

void printdot(data* p, int idx) {
    char descript[0x1000] = { 0 };
    char tmp[0x1000];
    int lidx = calc_child((unsigned long long)p->lchild, 0x606AC0);
    int ridx = calc_child((unsigned long long)p->rchild, 0x606AC0);
    sprintf(tmp, "%d [label = \"idx: %d\\n func :%s\\n ", idx, idx, eflagsConditionMap[(unsigned long long)p->func].c_str());
    strcat(descript, tmp);
    if (lidx != -1) {
        sprintf(tmp, "lchild idx: %d\\n ", lidx);
        strcat(descript, tmp);
    }
    else {
        sprintf(tmp, "lchild data: %p\\n ", p->lchild);
        strcat(descript, tmp);
        //s.insert((unsigned long long)p->lchild);
    }
    if (ridx != -1) {
        sprintf(tmp, "rchild idx: %d\\n ", ridx);
        strcat(descript, tmp);
    }
    else {
        sprintf(tmp, "rchild data: %s\\n ", plt_map[(unsigned long long)p->rchild].c_str());
        strcat(descript, tmp);
        //s.insert((unsigned long long)p->rchild);
    }
    sprintf(tmp, "RIP: %p\"];\n", p->reg2);
    s.insert((unsigned long long)p->reg2);
    strcat(descript, tmp);
    std::cout << descript;
}

int main() {
    data* p = ((data*)ida_chars) + 1;
    for (int i = 0; i <= 180; i++) {
        printdot(&p[i], i);
    }
    for (int i = 0; i <= 180; i++) {
        printedge(&p[i], i);
    }
}

用输出的结果转为 dot 图。

digraph ControlFlowTree {
    node [shape=box, style=rounded];

    // ---------------------- 节点定义 ----------------------
    
    // ---------------------- 边定义 ----------------------
    // 边关系
}

最后得到下面的图

是的最开始拿到这张图，我也没招了，总不能真一个个看吧，随后我写了一个分析 vm 指令流的脚本，并用广搜去解析它们之前基本块的关系。

#include<stdio.h>
#include<set>
#include<map>
#include<stack>
#include<string>
#include<iostream>
#include<queue>
#include"tradre.h"
std::set<unsigned long long> s;
bool visited[200] = { 0 };
std::map<__int64, std::string> eflagsConditionMap = {
    { 0x0000000000401C31, "if eflags is less, return 1 else 0  // JL" },
    { 0x0000000000401CA6, "if eflags is less or equal, return 1 else 0  // JLE" },
    { 0x0000000000401D22, "if eflags is not zero, return 1 else 0  // JNE/JNZ" },
    { 0x0000000000401D5B, "if eflags is zero, return 1 else 0  // JE/JZ" },
    { 0x0000000000401DCD, "if eflags is not sign, return 1 else 0  // JNS" },
    { 0x0000000000401F0C, "if eflags is greater, return 1 else 0  // JG" },
    { 0x0000000000401E96, "return 2" },
    { 0x0000000000401EA5, "return 3" },
    { 0x0000000000401EB4, "return 4" },
    {0x00,"NULL"},
};
std::map<uint64_t, std::string> plt_map = {
    {0x400810, "_puts"},
    {0x400820, "___stack_chk_fail"},
    {0x400830, "_printf"},
    {0x400840, "_memset"},
    {0x400850, "_alarm"},
    {0x400860, "_read"},
    {0x400870, "_srand"},
    {0x400880, "_signal"},
    {0x400890, "_ptrace"},
    {0x4008A0, "_setvbuf"},
    {0x4008B0, "_perror"},
    {0x4008C0, "_atoi"},
    {0x4008D0, "_exit"},
    {0x4008E0, "_wait"},
    {0x4008F0, "_fork"},
    {0x400900, "_rand"}
};

int calc_child(unsigned long long child, unsigned long long base) {
    if ((child - base) / sizeof(data) >= 0 && (child - base) / sizeof(data) <= 180) {
        return (child - base) / sizeof(data);
    }
    return -1;
}
void vmrun2() {
    std::stack<unsigned long long> stack;
    std::queue<unsigned long long> queue;
    data* ptr = ((data*)ida_chars) + 1;
    data* base = ptr;
    queue.push(0);
    while (queue.size()) {
        int nowidx = queue.front();
        ptr = base + nowidx;
        queue.pop();
        if (!visited[nowidx])
            visited[nowidx] = 1;
        else
            continue;
        printf("now index: %d\n", nowidx);
        int lidx = calc_child((unsigned long long)ptr->lchild, 0x606AC0);
        int ridx = calc_child((unsigned long long)ptr->rchild, 0x606AC0);
        int nextidx = 0;
        switch ((unsigned long long)ptr->func)
        {
            case 0x0000000000000000:
                //calc next idx
                nextidx = ridx;
                queue.push(nextidx);
                printf("next RIP: %p\n", ptr->reg2);
                printf("goto idx %d\n", nextidx);
                break;
            case 0x0000000000401E96:
                // return 2
                nextidx = stack.top();
                stack.pop();
                printf("add rsp, 8;\n");
                printf("next RIP: %p\n", ptr->reg2);
                queue.push(nextidx);
                fprintf(stderr, "2 jmp %d -> %d\n", nowidx, nextidx);
                printf("goto idx %d\n", nextidx);
                break;
            case 0x0000000000401EA5:
                // return 3
                printf("call %s", plt_map[(unsigned long long)ptr->rchild].c_str());
                //printf("call %p\n", ptr->rchild);
                printf(" ,ret to %p\n", ptr->reg2);
                nextidx = lidx;
                queue.push(nextidx);
                printf("goto idx %d\n", nextidx);
                break;
            case 0x0000000000401EB4:
                // return 4
                stack.push(lidx);
                printf("sub rsp 8;\n");
                nextidx = ridx;
                queue.push(nextidx);
                printf("next RIP: %p\n", ptr->reg2);
                printf("goto idx %d\n", nextidx);
                break;
            case 0x0000000000401CA6:
                // JLE
                // 0 left 1 right
                printf("goto %p\nJLE %d else %d\n", ptr->reg2, ridx, lidx);
                queue.push(lidx);
                queue.push(ridx);
                break;
            case 0x0000000000401C31:
                // JL
                // 0 left 1 right
                printf("goto %p\nJL %d else %d\n", ptr->reg2, ridx, lidx);
                queue.push(lidx);
                queue.push(ridx);
                break;
            case 0x0000000000401D22:
                // JNE/JNZ
                // 0 left 1 right
                printf("goto %p\nJNE %d else %d\n", ptr->reg2, ridx, lidx);
                queue.push(lidx);
                queue.push(ridx);
                break;
            case 0x0000000000401D5B:
                // JE/JZ
                // 0 left 1 right
                printf("goto %p\nJE %d else %d\n", ptr->reg2, ridx, lidx);
                queue.push(lidx);
                queue.push(ridx);
                break;
            case 0x0000000000401DCD:
                // JNS
                // 0 left 1 right
                printf("goto %p\nJNS %d else %d\n", ptr->reg2, ridx, lidx);
                queue.push(lidx);
                queue.push(ridx);
                break;
            case 0x0000000000401F0C:
                // JG
                // 0 left 1 right
                printf("goto %p\nJG %d else %d\n", ptr->reg2, ridx, lidx);
                queue.push(lidx);
                queue.push(ridx);
                break;
            default:
                printf("Unknown func %p\n", ptr->func);
                break;
        }

    }
}
int main() {
    vmrun2();
}

在 case 2 的处理中，我输出了下一步的块，虽然可能会有点错误，但是不影响指令分析。

把这些块解引用之后，可以输出结构体，然后编写 idapy 脚本去取指令分块重构，以 int 3 为间隔，每次扫描该块的 RIP 字段，取出该地址往下的所有指令，直到遇到 int 3 停止，这里根据 func 去处理函数：

• case 2：通过上一个脚本的分析在末尾建立 jmp 指令
• case 3：末尾添加对 rchild 所指向函数的 call，随后再跟上 jmp 指令跳转到 RIP 所指向的位置。
• case 4：仅添加对 rchild 的 jmp。
• 条件跳转：对 rchild 添加对应的条件跳转，并在后面添加对 lchild 块的直接 jmp。
• NULL：仅添加对 rchild 的 jmp。

jumptable = {
    170 : 53,
    49 : 89,
    27 : 120,
    48 : 171,
    59 : 85,
    147 : 29,
    114 : 132,
    132 : 21,
}
mp = {
    0: [0x607160,0x607fe0,0x401eb4,0x4009f7],
    1: [0x607540,0x4008d0,0x401ea5,0x400afd],
    2: [0x0,0x606f00,0x0,0x400b03],
    3: [0x607dc0,0x607e00,0x401eb4,0x400b6e],
    4: [0x607920,0x400870,0x401ea5,0x400b79],
    5: [0x608000,0x607460,0x401ca6,0x400b7c],
    6: [0x6077c0,0x607ea0,0x401d22,0x400b81],
    7: [0x6071e0,0x607ba0,0x401eb4,0x400bab],
    8: [0x607140,0x608120,0x401d22,0x400bbe],
    9: [0x607840,0x400830,0x401ea5,0x400beb],
    10: [0x6070a0,0x400870,0x401ea5,0x400bf8],
    11: [0x607be0,0x607120,0x401eb4,0x400bfe],
    12: [0x607ac0,0x607f60,0x401eb4,0x400c10],
    13: [0x607600,0x607d20,0x401d5b,0x400c25],
    14: [0x607b80,0x607ba0,0x401eb4,0x400c34],
    15: [0x0,0x608100,0x0,0x400c47],
    16: [0x606b80,0x400900,0x401ea5,0x400c4f],
    17: [0x607b60,0x606ee0,0x401ca6,0x400c74],
    18: [0x6072c0,0x607a80,0x401ca6,0x400c7c],
    19: [0x607ca0,0x607f40,0x401ca6,0x400c84],
    20: [0x0,0x0,0x401e96,0x400c8c],
    21: [0x607280,0x606fc0,0x401eb4,0x400c96],
    22: [0x0,0x607a20,0x0,0x400ccf],
    23: [0x6079c0,0x608060,0x401eb4,0x400cdf],
    24: [0x0,0x6080c0,0x0,0x400d1f],
    25: [0x607040,0x400810,0x401ea5,0x400d45],
    26: [0x608020,0x607e00,0x401eb4,0x400d4d],
    27: [0x0,0x0,0x401e96,0x400d58],
    28: [0x0,0x607620,0x0,0x400d5b],
    29: [0x606d60,0x607120,0x401eb4,0x400d90],
    30: [0x0,0x607520,0x0,0x400da3],
    31: [0x0,0x0,0x401e96,0x400ddb],
    32: [0x607480,0x607340,0x401d5b,0x400de0],
    33: [0x606bc0,0x400900,0x401ea5,0x400def],
    34: [0x606ca0,0x606b00,0x401ca6,0x400e1a],
    35: [0x0,0x6080c0,0x0,0x400e22],
    36: [0x6077e0,0x608060,0x401eb4,0x400e3a],
    37: [0x606de0,0x400810,0x401ea5,0x400e55],
    38: [0x0,0x0,0x401e96,0x400e5d],
    39: [0x607100,0x606d40,0x401d5b,0x400f5c],
    40: [0x607ec0,0x607860,0x401dcd,0x400f6a],
    41: [0x0,0x0,0x401e96,0x400f7a],
    42: [0x0,0x607960,0x0,0x400f83],
    43: [0x606b20,0x6080e0,0x401ca6,0x400fb1],
    44: [0x606c00,0x400810,0x401ea5,0x400fc1],
    45: [0x607080,0x607c80,0x401eb4,0x400fc9],
    46: [0x6079e0,0x607780,0x401eb4,0x400fdb],
    47: [0x0,0x606b60,0x0,0x400fee],
    48: [0x0,0x0,0x401e96,0x400ff6],
    49: [0x0,0x0,0x401e96,0x400ff9],
    50: [0x606d40,0x400820,0x401ea5,0x400ffb],
    51: [0x607b40,0x606fc0,0x401eb4,0x400ffc],
    52: [0x0,0x608120,0x0,0x401010],
    53: [0x607260,0x4008a0,0x401ea5,0x401018],
    54: [0x0,0x0,0x401e96,0x401032],
    55: [0x0,0x606d00,0x0,0x401034],
    56: [0x607060,0x607c80,0x401eb4,0x40104d],
    57: [0x6071c0,0x606c40,0x401eb4,0x401060],
    58: [0x0,0x608100,0x0,0x401073],
    59: [0x0,0x0,0x401e96,0x401080],
    60: [0x0,0x606b60,0x0,0x40117f],
    61: [0x607c40,0x4008a0,0x401ea5,0x401184],
    62: [0x607cc0,0x607120,0x401eb4,0x40119e],
    63: [0x608140,0x607c80,0x401eb4,0x4011b1],
    64: [0x0,0x607a40,0x0,0x4011c4],
    65: [0x0,0x606ce0,0x0,0x4011ff],
    66: [0x0,0x607c00,0x0,0x40120a],
    67: [0x0,0x606fa0,0x0,0x40120b],
    68: [0x0,0x0,0x401e96,0x40120c],
    69: [0x6078c0,0x608060,0x401eb4,0x401213],
    70: [0x607d00,0x608060,0x401eb4,0x40122e],
    71: [0x607400,0x607e00,0x401eb4,0x401249],
    72: [0x607420,0x400810,0x401ea5,0x401254],
    73: [0x0,0x607f80,0x0,0x40125c],
    74: [0x607500,0x607220,0x401eb4,0x40129f],
    75: [0x6074e0,0x400810,0x401ea5,0x4012aa],
    76: [0x606dc0,0x4008d0,0x401ea5,0x4012b2],
    77: [0x0,0x6078e0,0x0,0x4012b8],
    78: [0x607340,0x400820,0x401ea5,0x4012c0],
    79: [0x0,0x607c00,0x0,0x4012c1],
    80: [0x0,0x607b00,0x0,0x4012c3],
    81: [0x606f60,0x400810,0x401ea5,0x4012e7],
    82: [0x6080a0,0x608060,0x401eb4,0x4012ef],
    83: [0x607000,0x606e80,0x401ca6,0x40130a],
    84: [0x606f20,0x6074a0,0x401d5b,0x401312],
    85: [0x606f40,0x607e80,0x401eb4,0x401319],
    86: [0x607c60,0x606fc0,0x401eb4,0x401324],
    87: [0x607980,0x607c80,0x401eb4,0x40132a],
    88: [0x0,0x6077a0,0x0,0x40133d],
    89: [0x0,0x606d00,0x0,0x40137f],
    90: [0x607d20,0x400820,0x401ea5,0x40138a],
    91: [0x6070c0,0x606e40,0x401ca6,0x40138b],
    92: [0x0,0x607a40,0x0,0x401390],
    93: [0x607320,0x400810,0x401ea5,0x4013c3],
    94: [0x6075a0,0x606c40,0x401eb4,0x4013ce],
    95: [0x6078a0,0x606fc0,0x401eb4,0x4013e0],
    96: [0x607680,0x606c40,0x401eb4,0x4013f4],
    97: [0x606ae0,0x607540,0x401f0c,0x401407],
    98: [0x607ae0,0x606dc0,0x401eb4,0x40140f],
    99: [0x607440,0x400810,0x401ea5,0x40141c],
    100: [0x6076e0,0x400860,0x401ea5,0x40142f],
    101: [0x0,0x607a20,0x0,0x401441],
    102: [0x607940,0x607f60,0x401eb4,0x401476],
    103: [0x606e20,0x6075c0,0x401ca6,0x40148b],
    104: [0x0,0x607ea0,0x0,0x401490],
    105: [0x0,0x607fa0,0x0,0x401498],
    106: [0x607180,0x400820,0x401ea5,0x4014a0],
    107: [0x0,0x0,0x401e96,0x4014a1],
    108: [0x6075e0,0x606dc0,0x401eb4,0x4014ad],
    109: [0x0,0x607900,0x0,0x4014bd],
    110: [0x0,0x0,0x401e96,0x4014c4],
    111: [0x607bc0,0x606fc0,0x401eb4,0x4014c7],
    112: [0x0,0x607020,0x0,0x4014cd],
    113: [0x607240,0x607da0,0x401ca6,0x4014d5],
    114: [0x0,0x0,0x401e96,0x4014da],
    115: [0x0,0x607d60,0x0,0x4014dc],
    116: [0x607f20,0x6076a0,0x401eb4,0x4014f1],
    117: [0x0,0x606f00,0x0,0x4014fa],
    118: [0x606c80,0x607780,0x401eb4,0x401505],
    119: [0x0,0x0,0x401e96,0x401518],
    120: [0x0,0x607fa0,0x0,0x40151a],
    121: [0x6076c0,0x607ba0,0x401eb4,0x401525],
    122: [0x607700,0x400840,0x401ea5,0x401538],
    123: [0x607880,0x607760,0x401ca6,0x401561],
    124: [0x607200,0x607640,0x401c31,0x401566],
    125: [0x606c20,0x607120,0x401eb4,0x401576],
    126: [0x6071a0,0x400900,0x401ea5,0x401589],
    127: [0x6070e0,0x400820,0x401ea5,0x40158a],
    128: [0x607820,0x6076a0,0x401eb4,0x40158b],
    129: [0x607e40,0x4008c0,0x401ea5,0x401594],
    130: [0x606ec0,0x607f00,0x401ca6,0x40159c],
    131: [0x0,0x0,0x401e96,0x4015a1],
    132: [0x0,0x0,0x401e96,0x4015ad],
    133: [0x607660,0x607e60,0x401ca6,0x4015b2],
    134: [0x607e20,0x607ba0,0x401eb4,0x4015ba],
    135: [0x607d40,0x607f60,0x401eb4,0x4015cc],
    136: [0x0,0x0,0x401e96,0x4015e1],
    137: [0x6073e0,0x606fc0,0x401eb4,0x4015e3],
    138: [0x607aa0,0x6070e0,0x401d5b,0x401612],
    139: [0x607360,0x607e80,0x401eb4,0x401633],
    140: [0x606be0,0x4008a0,0x401ea5,0x40163e],
    141: [0x6079a0,0x606fc0,0x401eb4,0x401658],
    142: [0x606ea0,0x607f60,0x401eb4,0x40165e],
    143: [0x608040,0x607960,0x401d22,0x401672],
    144: [0x607a60,0x606fc0,0x401eb4,0x401684],
    145: [0x0,0x607b00,0x0,0x4016bf],
    146: [0x606b40,0x400900,0x401ea5,0x401702],
    147: [0x0,0x0,0x401e96,0x401703],
    148: [0x607b20,0x606fc0,0x401eb4,0x40170a],
    149: [0x6072e0,0x606cc0,0x401ca6,0x401713],
    150: [0x607c20,0x607220,0x401eb4,0x40171b],
    151: [0x0,0x6078e0,0x0,0x401726],
    152: [0x607380,0x607220,0x401eb4,0x4017b9],
    153: [0x606e60,0x606fc0,0x401eb4,0x4017c4],
    154: [0x0,0x607620,0x0,0x4017d1],
    155: [0x6072a0,0x606c40,0x401eb4,0x4017e1],
    156: [0x607800,0x607180,0x401d5b,0x4017f4],
    157: [0x607fc0,0x400810,0x401ea5,0x401802],
    158: [0x0,0x607f80,0x0,0x40180d],
    159: [0x0,0x607d60,0x0,0x401831],
    160: [0x0,0x607900,0x0,0x401839],
    161: [0x0,0x607020,0x0,0x401843],
    162: [0x606ba0,0x607780,0x401eb4,0x40184e],
    163: [0x606fe0,0x606fc0,0x401eb4,0x40185b],
    164: [0x0,0x606d20,0x0,0x401864],
    165: [0x607580,0x606fc0,0x401eb4,0x4018a3],
    166: [0x606c60,0x607de0,0x401ca6,0x4018b7],
    167: [0x6073a0,0x606e00,0x401ca6,0x4018bc],
    168: [0x0,0x606fa0,0x0,0x4018cc],
    169: [0x6073c0,0x400810,0x401ea5,0x4018ce],
    170: [0x0,0x0,0x401e96,0x4018e2],
    171: [0x607560,0x607220,0x401eb4,0x4018e5],
    172: [0x0,0x607520,0x0,0x4018f0],
    173: [0x0,0x6077a0,0x0,0x40193c],
    174: [0x0,0x606d20,0x0,0x401953],
    175: [0x607ee0,0x608060,0x401eb4,0x40195e],
    176: [0x607300,0x607740,0x401c31,0x4019a2],
    177: [0x607d80,0x607e00,0x401eb4,0x4019ac],
    178: [0x606da0,0x608080,0x401c31,0x4019b7],
    179: [0x0,0x606ce0,0x0,0x4019ca],
    180: [0x607ce0,0x607780,0x401eb4,0x4019d2],
}

func_map = {
    0x400810: "_puts",
    0x400820: "___stack_chk_fail",
    0x400830: "_printf",
    0x400840: "_memset",
    0x400850: "_alarm",
    0x400860: "_read",
    0x400870: "_srand",
    0x400880: "_signal",
    0x400890: "_ptrace",
    0x4008A0: "_setvbuf",
    0x4008B0: "_perror",
    0x4008C0: "_atoi",
    0x4008D0: "_exit",
    0x4008E0: "_wait",
    0x4008F0: "_fork",
    0x400900: "_rand",
}

import idc
import ida_bytes
import ida_ua

def print_until_int3(ea, key):
    """
    从地址 ea 开始遍历汇编指令，直到遇到 int3 (0xCC)
    """
    print("idx_{}:".format(key))
    cur_ea = ea
    while cur_ea != idc.BADADDR:
        # 获取当前指令的字节
        byte = ida_bytes.get_bytes(cur_ea, 1)
        if not byte:
            break

        # 判断是否是 int3
        if byte[0] == 0xCC:
            #print("0x{:x}: int3".format(cur_ea))
            break
        print("0x{:x}:".format(cur_ea),end = ' ')
        # 获取指令文本
        disasm = idc.generate_disasm_line(cur_ea, 0)
        print("\t{}".format(disasm))
        
        # 移动到下一条指令
        cur_ea = idc.next_head(cur_ea)
def calc_idx(addr):
    return (addr - 0x606AC0)//0x20
# 遍历字典
for key in sorted(mp.keys()):
    info = mp[key]
    addr = info[3]
    func = info[2]
    print_until_int3(addr, key)
    if func == 0x0000000000401C31:  # JL: if eflags is less, return 1 else 0
        lidx = calc_idx(info[0])
        ridx = calc_idx(info[1])
        print(f"\tjl idx_{ridx}")
        print(f"\tjmp idx_{lidx}")
    
    elif func == 0x0000000000401CA6:  # JLE: if eflags is less or equal
        lidx = calc_idx(info[0])
        ridx = calc_idx(info[1])
        print(f"\tjle idx_{ridx}")
        print(f"\tjmp idx_{lidx}")
    
    elif func == 0x0000000000401D22:  # JNE/JNZ: if eflags is not zero
        lidx = calc_idx(info[0])
        ridx = calc_idx(info[1])
        print(f"\tjnz idx_{ridx}")
        print(f"\tjmp idx_{lidx}")
    
    elif func == 0x0000000000401D5B:  # JE/JZ: if eflags is zero
        lidx = calc_idx(info[0])
        ridx = calc_idx(info[1])
        print(f"\tje idx_{ridx}")
        print(f"\tjmp idx_{lidx}")
    
    elif func == 0x0000000000401DCD:  # JNS: if eflags is not sign
        lidx = calc_idx(info[0])
        ridx = calc_idx(info[1])
        print(f"\tjns idx_{ridx}")
        print(f"\tjmp idx_{lidx}")
    
    elif func == 0x0000000000401F0C:  # JG: if eflags is greater
        lidx = calc_idx(info[0])
        ridx = calc_idx(info[1])
        print(f"\tjg idx_{ridx}")
        print(f"\tjmp idx_{lidx}")
    elif func == 0x0000000000401E96:  # return 2
        if key in jumptable:
            ridx = jumptable[key]
            print(f"\tjmp idx_{ridx}")
        else:
            print(f"\tjmp ??? ; never execute here")
    elif func == 0x0000000000401EA5:  # return 3
        lidx = calc_idx(info[0])
        
        print(f"\tcall\t{func_map[info[1]]}@plt")
        print(f"\tjmp\tidx_{lidx}")
    elif func == 0x0000000000401EB4:  # return 4
        ridx = calc_idx(info[1])
        print(f"\tjmp\tidx_{ridx}")
    elif func == 0x0000000000000000:
        ridx = calc_idx(info[1])
        print(f"\tjmp\tidx_{ridx}")
    else:
        print("except\n");
        quit()

jumptable 来源于上一个脚本向标准错误流打印的数据（方便重定向）。

运行脚本之后得到原指令流，事实上可以根据广搜结果将明显访问不到的块去掉。

如图右边这一块，但是事实上只有 80 个块你也不可能拉条儿去硬找，基本都是用 search。

idx_0:
0x4009f7: 	push    rbp
0x4009f8: 	mov     rbp, rsp
0x4009fb: 	push    rbx
0x4009fc: 	sub     rsp, 1E8h
0x400a03: 	mov     rax, fs:28h
0x400a0c: 	mov     [rbp+var_18], rax
0x400a10: 	xor     eax, eax
0x400a12: 	mov     [rbp+var_160], 0E2h
0x400a19: 	mov     [rbp+var_160+1], 8Bh
0x400a20: 	mov     [rbp+var_160+2], 55h ; 'U'
0x400a27: 	mov     [rbp+var_160+3], 38h ; '8'
0x400a2e: 	mov     [rbp+var_160+4], 69h ; 'i'
0x400a35: 	mov     [rbp+var_160+5], 0FAh
0x400a3c: 	mov     [rbp+var_160+6], 80h
0x400a43: 	mov     [rbp+var_160+7], 0C2h
0x400a4a: 	mov     [rbp+var_160+8], 64h ; 'd'
0x400a51: 	mov     [rbp+var_160+9], 4Eh ; 'N'
0x400a58: 	mov     [rbp+var_160+0Ah], 7Fh
0x400a5f: 	mov     [rbp+var_160+0Bh], 0E7h
0x400a66: 	mov     [rbp+var_160+0Ch], 13h
0x400a6d: 	mov     [rbp+var_160+0Dh], 6
0x400a74: 	mov     [rbp+var_160+0Eh], 14h
0x400a7b: 	mov     [rbp+var_160+0Fh], 0C5h
0x400a82: 	mov     [rbp+var_160+10h], 0C0h
0x400a89: 	mov     [rbp+var_160+11h], 13h
0x400a90: 	mov     [rbp+var_160+12h], 0D3h
0x400a97: 	mov     [rbp+var_160+13h], 12h
0x400a9e: 	mov     [rbp+var_160+14h], 6Bh ; 'k'
0x400aa5: 	mov     [rbp+var_160+15h], 0BDh
0x400aac: 	mov     [rbp+var_160+16h], 0F2h
0x400ab3: 	mov     [rbp+var_160+17h], 0C7h
0x400aba: 	mov     [rbp+var_160+18h], 88h
0x400ac1: 	mov     [rbp+var_160+19h], 44h ; 'D'
0x400ac8: 	mov     [rbp+var_160+1Ah], 3Eh ; '>'
0x400acf: 	mov     [rbp+var_160+1Bh], 9
0x400ad6: 	mov     [rbp+var_160+1Ch], 0E8h
0x400add: 	mov     [rbp+var_160+1Dh], 0A3h
0x400ae4: 	mov     [rbp+var_160+1Eh], 83h
0x400aeb: 	mov     [rbp+var_160+1Fh], 30h ; '0'
0x400af2: 	lea     rax, [rbp+var_160]
0x400af9: 	mov     rdi, rax
	jmp	idx_169
idx_1:
0x400afd: 	mov     edi, 0FFFFFFFFh
	call	_exit@plt
	jmp	idx_84
idx_2:
0x400b03: 	mov     eax, [rbp+var_1C0]
0x400b09: 	sub     eax, [rbp+var_1C8]
0x400b0f: 	lea     edx, ds:0[rax*4]
0x400b16: 	mov     eax, [rbp+var_1BC]
0x400b1c: 	add     eax, edx
0x400b1e: 	movsxd  rdx, eax
0x400b21: 	mov     rax, [rbp+var_190]
0x400b28: 	add     rax, rdx
0x400b2b: 	movzx   esi, byte ptr [rax]
0x400b2e: 	mov     eax, [rbp+var_1BC]
0x400b34: 	cdqe
0x400b36: 	movzx   ecx, [rbp+rax+var_184]
0x400b3e: 	mov     eax, [rbp+var_1C0]
0x400b44: 	lea     edx, ds:0[rax*4]
0x400b4b: 	mov     eax, [rbp+var_1BC]
0x400b51: 	add     eax, edx
0x400b53: 	movsxd  rdx, eax
0x400b56: 	mov     rax, [rbp+var_190]
0x400b5d: 	add     rax, rdx
0x400b60: 	xor     esi, ecx
0x400b62: 	mov     edx, esi
0x400b64: 	mov     [rax], dl
0x400b66: 	add     [rbp+var_1BC], 1
	jmp	idx_34
idx_3:
0x400b6e: 	mov     rax, [rbp+var_1B8]
0x400b75: 	mov     rdi, rax
	jmp	idx_154
idx_4:
0x400b79: 	mov     edi, eax
	call	_srand@plt
	jmp	idx_115
idx_5:
0x400b7c: 	cmp     dword ptr [rbp+var_8], 7
	jle idx_77
	jmp idx_170
idx_6:
0x400b81: 	xor     eax, ebx
0x400b83: 	mov     [rbp+var_1E2], al
0x400b89: 	movzx   edx, [rbp+var_1E2]
0x400b90: 	mov     rcx, cs:off_606A48; "Congratulations! This is the correct fl"...
0x400b97: 	mov     eax, [rbp+var_1E0]
0x400b9d: 	cdqe
0x400b9f: 	add     rax, rcx
0x400ba2: 	movzx   eax, byte ptr [rax]
0x400ba5: 	movsx   eax, al
0x400ba8: 	cmp     edx, eax
	jnz idx_159
	jmp idx_104
idx_7:
0x400bab: 	mov     ebx, eax
0x400bad: 	mov     rax, [rbp+var_28]
0x400bb1: 	add     rax, 1
0x400bb5: 	movzx   eax, byte ptr [rax]
0x400bb8: 	movzx   eax, al
0x400bbb: 	mov     edi, eax
	jmp	idx_135
idx_8:
0x400bbe: 	xor     eax, ebx
0x400bc0: 	mov     [rbp+var_1E2], al
0x400bc6: 	movzx   edx, [rbp+var_1E2]
0x400bcd: 	mov     rcx, cs:off_606A48; "Congratulations! This is the correct fl"...
0x400bd4: 	mov     eax, [rbp+var_1E0]
0x400bda: 	add     eax, 11h
0x400bdd: 	cdqe
0x400bdf: 	add     rax, rcx
0x400be2: 	movzx   eax, byte ptr [rax]
0x400be5: 	movsx   eax, al
0x400be8: 	cmp     edx, eax
	jnz idx_179
	jmp idx_52
idx_9:
0x400beb: 	lea     rdi, aInputYourFlag; "Input your flag: "
0x400bf2: 	mov     eax, 0
	call	_printf@plt
	jmp	idx_108
idx_10:
0x400bf8: 	mov     edi, 10000h
	call	_srand@plt
	jmp	idx_47
idx_11:
0x400bfe: 	xor     eax, ebx
0x400c00: 	mov     byte ptr [rbp+var_20+6], al
0x400c03: 	mov     rax, [rbp+var_28]
0x400c07: 	movzx   eax, byte ptr [rax]
0x400c0a: 	movzx   eax, al
0x400c0d: 	mov     edi, eax
	jmp	idx_51
idx_12:
0x400c10: 	push    rbp
0x400c11: 	mov     rbp, rsp
0x400c14: 	push    rbx
0x400c15: 	sub     rsp, 8
0x400c19: 	mov     eax, edi
0x400c1b: 	mov     byte ptr [rbp+var_C], al
0x400c1e: 	movzx   eax, byte ptr [rbp+var_C]
0x400c22: 	mov     edi, eax
	jmp	idx_165
idx_13:
0x400c25: 	nop
0x400c26: 	mov     rax, [rbp+var_18]
0x400c2a: 	xor     rax, fs:28h
	je idx_147
	jmp idx_90
idx_14:
0x400c34: 	xor     ebx, eax
0x400c36: 	mov     rax, [rbp+var_28]
0x400c3a: 	add     rax, 3
0x400c3e: 	movzx   eax, byte ptr [rax]
0x400c41: 	movzx   eax, al
0x400c44: 	mov     edi, eax
	jmp	idx_135
idx_15:
0x400c47: 	add     [rbp+var_1C0], 1
	jmp	idx_178
idx_16:
0x400c4f: 	mov     eax, [rbp+var_1E0]
0x400c55: 	cdqe
0x400c57: 	movzx   edx, [rbp+rax+var_140]
0x400c5f: 	mov     eax, [rbp+var_1E0]
0x400c65: 	cdqe
0x400c67: 	movzx   eax, [rbp+rax+var_160]
0x400c6f: 	xor     eax, edx
0x400c71: 	mov     ebx, eax
	call	_rand@plt
	jmp	idx_6
idx_17:
0x400c74: 	cmp     [rbp+var_1E0], 0Fh
	jle idx_33
	jmp idx_133
idx_18:
0x400c7c: 	cmp     [rbp+var_1E0], 0Fh
	jle idx_126
	jmp idx_64
idx_19:
0x400c84: 	cmp     [rbp+var_1BC], 3
	jle idx_164
	jmp idx_143
idx_20:
0x400c8c: 	add     rsp, 1E8h
0x400c93: 	pop     rbx
0x400c94: 	pop     rbp
	jmp ??? ; never execute here
idx_21:
0x400c96: 	xor     ebx, eax
0x400c98: 	mov     edx, ebx
0x400c9a: 	mov     rax, [rbp+var_28]
0x400c9e: 	add     rax, 2
0x400ca2: 	movzx   eax, byte ptr [rax]
0x400ca5: 	xor     edx, eax
0x400ca7: 	mov     rax, [rbp+var_28]
0x400cab: 	add     rax, 3
0x400caf: 	movzx   eax, byte ptr [rax]
0x400cb2: 	xor     eax, edx
0x400cb4: 	mov     byte ptr [rbp+var_20+4], al
0x400cb7: 	mov     rax, [rbp+var_28]
0x400cbb: 	movzx   ebx, byte ptr [rax]
0x400cbe: 	mov     rax, [rbp+var_28]
0x400cc2: 	add     rax, 1
0x400cc6: 	movzx   eax, byte ptr [rax]
0x400cc9: 	movzx   eax, al
0x400ccc: 	mov     edi, eax
	jmp	idx_40
idx_22:
0x400ccf: 	push    rbp
0x400cd0: 	mov     rbp, rsp
0x400cd3: 	mov     [rbp+var_18], rdi
0x400cd7: 	mov     dword ptr [rbp+var_8+4], 0
	jmp	idx_123
idx_23:
0x400cdf: 	lea     rax, [rbp+var_140]
0x400ce6: 	mov     [rbp+var_1A8], rax
0x400ced: 	lea     rax, [rbp+var_110]
0x400cf4: 	mov     [rbp+var_1A0], rax
0x400cfb: 	mov     [rbp+var_1D0], 0Ah
0x400d05: 	mov     rcx, [rbp+var_1A0]
0x400d0c: 	mov     rax, [rbp+var_1A8]
0x400d13: 	mov     edx, 0
0x400d18: 	mov     rsi, rcx
0x400d1b: 	mov     rdi, rax
	jmp	idx_173
idx_24:
0x400d1f: 	push    rbp
0x400d20: 	mov     rbp, rsp
0x400d23: 	sub     rsp, 30h
0x400d27: 	mov     [rbp+var_28], rdi
0x400d2b: 	mov     [rbp+var_2C], esi
0x400d2e: 	mov     rax, fs:28h
0x400d37: 	mov     [rbp+var_8], rax
0x400d3b: 	xor     eax, eax
0x400d3d: 	mov     [rbp+var_10], 0
	jmp	idx_176
idx_25:
0x400d45: 	lea     rdi, a888888D8888888; "     888       888     d8(  888  888   "...
	call	_puts@plt
	jmp	idx_44
idx_26:
0x400d4d: 	mov     rax, [rbp+var_1A8]
0x400d54: 	mov     rdi, rax
	jmp	idx_154
idx_27:
0x400d58: 	nop
0x400d59: 	pop     rbp
	jmp idx_120
idx_28:
0x400d5b: 	mov     eax, dword ptr [rbp+var_8+4]
0x400d5e: 	movsxd  rdx, eax
0x400d61: 	mov     rax, [rbp+var_18]
0x400d65: 	add     rax, rdx
0x400d68: 	movzx   eax, byte ptr [rax]
0x400d6b: 	movzx   eax, al
0x400d6e: 	mov     edx, dword ptr [rbp+var_8+4]
0x400d71: 	movsxd  rcx, edx
0x400d74: 	mov     rdx, [rbp+var_18]
0x400d78: 	add     rcx, rdx
0x400d7b: 	movsxd  rdx, eax
0x400d7e: 	lea     rax, sbox_enc
0x400d85: 	movzx   eax, byte ptr [rdx+rax]
0x400d89: 	mov     [rcx], al
0x400d8b: 	add     dword ptr [rbp+var_8+4], 1
	jmp	idx_91
idx_29:
0x400d90: 	mov     ebx, eax
0x400d92: 	mov     rax, [rbp+var_28]
0x400d96: 	add     rax, 1
0x400d9a: 	movzx   eax, byte ptr [rax]
0x400d9d: 	movzx   eax, al
0x400da0: 	mov     edi, eax
	jmp	idx_51
idx_30:
0x400da3: 	mov     eax, [rbp+var_1BC]
0x400da9: 	cdqe
0x400dab: 	movzx   eax, [rbp+rax+var_184]
0x400db3: 	movzx   eax, al
0x400db6: 	movsxd  rdx, eax
0x400db9: 	lea     rax, sbox_enc
0x400dc0: 	movzx   edx, byte ptr [rdx+rax]
0x400dc4: 	mov     eax, [rbp+var_1BC]
0x400dca: 	cdqe
0x400dcc: 	mov     [rbp+rax+var_184], dl
0x400dd3: 	add     [rbp+var_1BC], 1
	jmp	idx_83
idx_31:
0x400ddb: 	xor     al, byte ptr [rbp+var_8+4]
0x400dde: 	leave
	jmp ??? ; never execute here
idx_32:
0x400de0: 	nop
0x400de1: 	mov     rax, [rbp+var_18]
0x400de5: 	xor     rax, fs:28h
	je idx_68
	jmp idx_78
idx_33:
0x400def: 	mov     eax, [rbp+var_1E0]
0x400df5: 	add     eax, 10h
0x400df8: 	cdqe
0x400dfa: 	movzx   edx, [rbp+rax+var_140]
0x400e02: 	mov     eax, [rbp+var_1E0]
0x400e08: 	add     eax, 10h
0x400e0b: 	cdqe
0x400e0d: 	movzx   eax, [rbp+rax+var_160]
0x400e15: 	xor     eax, edx
0x400e17: 	mov     ebx, eax
	call	_rand@plt
	jmp	idx_8
idx_34:
0x400e1a: 	cmp     [rbp+var_1BC], 3
	jle idx_2
	jmp idx_15
idx_35:
0x400e22: 	mov     eax, [rbp+var_10]
0x400e25: 	movsxd  rdx, eax
0x400e28: 	mov     rax, [rbp+var_28]
0x400e2c: 	add     rdx, rax
0x400e2f: 	movzx   eax, byte ptr [rbp+var_18+7]
0x400e33: 	mov     [rdx], al
0x400e35: 	add     [rbp+var_10], 1
	jmp	idx_176
idx_36:
0x400e3a: 	mov     edx, [rbp+var_1CC]
0x400e40: 	mov     rcx, [rbp+var_1A0]
0x400e47: 	mov     rax, [rbp+var_1A8]
0x400e4e: 	mov     rsi, rcx
0x400e51: 	mov     rdi, rax
	jmp	idx_173
idx_37:
0x400e55: 	lea     rdi, a888888Op888888; "     888       888      .oP\"888  888  "...
	call	_puts@plt
	jmp	idx_25
idx_38:
0x400e5d: 	push    rbp
0x400e5e: 	mov     rbp, rsp
0x400e61: 	mov     [rbp+var_18], rdi
0x400e65: 	mov     rax, [rbp+var_18]
0x400e69: 	movzx   eax, byte ptr [rax+0Dh]
0x400e6d: 	mov     byte ptr [rbp+var_8+7], al
0x400e70: 	mov     rax, [rbp+var_18]
0x400e74: 	lea     rdx, [rax+0Dh]
0x400e78: 	mov     rax, [rbp+var_18]
0x400e7c: 	movzx   eax, byte ptr [rax+9]
0x400e80: 	mov     [rdx], al
0x400e82: 	mov     rax, [rbp+var_18]
0x400e86: 	lea     rdx, [rax+9]
0x400e8a: 	mov     rax, [rbp+var_18]
0x400e8e: 	movzx   eax, byte ptr [rax+5]
0x400e92: 	mov     [rdx], al
0x400e94: 	mov     rax, [rbp+var_18]
0x400e98: 	lea     rdx, [rax+5]
0x400e9c: 	mov     rax, [rbp+var_18]
0x400ea0: 	movzx   eax, byte ptr [rax+1]
0x400ea4: 	mov     [rdx], al
0x400ea6: 	mov     rax, [rbp+var_18]
0x400eaa: 	lea     rdx, [rax+1]
0x400eae: 	movzx   eax, byte ptr [rbp+var_8+7]
0x400eb2: 	mov     [rdx], al
0x400eb4: 	mov     rax, [rbp+var_18]
0x400eb8: 	movzx   eax, byte ptr [rax+2]
0x400ebc: 	mov     byte ptr [rbp+var_8+7], al
0x400ebf: 	mov     rax, [rbp+var_18]
0x400ec3: 	lea     rdx, [rax+2]
0x400ec7: 	mov     rax, [rbp+var_18]
0x400ecb: 	movzx   eax, byte ptr [rax+0Ah]
0x400ecf: 	mov     [rdx], al
0x400ed1: 	mov     rax, [rbp+var_18]
0x400ed5: 	lea     rdx, [rax+0Ah]
0x400ed9: 	movzx   eax, byte ptr [rbp+var_8+7]
0x400edd: 	mov     [rdx], al
0x400edf: 	mov     rax, [rbp+var_18]
0x400ee3: 	movzx   eax, byte ptr [rax+6]
0x400ee7: 	mov     byte ptr [rbp+var_8+7], al
0x400eea: 	mov     rax, [rbp+var_18]
0x400eee: 	lea     rdx, [rax+6]
0x400ef2: 	mov     rax, [rbp+var_18]
0x400ef6: 	movzx   eax, byte ptr [rax+0Eh]
0x400efa: 	mov     [rdx], al
0x400efc: 	mov     rax, [rbp+var_18]
0x400f00: 	lea     rdx, [rax+0Eh]
0x400f04: 	movzx   eax, byte ptr [rbp+var_8+7]
0x400f08: 	mov     [rdx], al
0x400f0a: 	mov     rax, [rbp+var_18]
0x400f0e: 	movzx   eax, byte ptr [rax+3]
0x400f12: 	mov     byte ptr [rbp+var_8+7], al
0x400f15: 	mov     rax, [rbp+var_18]
0x400f19: 	lea     rdx, [rax+3]
0x400f1d: 	mov     rax, [rbp+var_18]
0x400f21: 	movzx   eax, byte ptr [rax+7]
0x400f25: 	mov     [rdx], al
0x400f27: 	mov     rax, [rbp+var_18]
0x400f2b: 	lea     rdx, [rax+7]
0x400f2f: 	mov     rax, [rbp+var_18]
0x400f33: 	movzx   eax, byte ptr [rax+0Bh]
0x400f37: 	mov     [rdx], al
0x400f39: 	mov     rax, [rbp+var_18]
0x400f3d: 	lea     rdx, [rax+0Bh]
0x400f41: 	mov     rax, [rbp+var_18]
0x400f45: 	movzx   eax, byte ptr [rax+0Fh]
0x400f49: 	mov     [rdx], al
0x400f4b: 	mov     rax, [rbp+var_18]
0x400f4f: 	lea     rdx, [rax+0Fh]
0x400f53: 	movzx   eax, byte ptr [rbp+var_8+7]
0x400f57: 	mov     [rdx], al
0x400f59: 	nop
0x400f5a: 	pop     rbp
	jmp ??? ; never execute here
idx_39:
0x400f5c: 	mov     rax, [rbp+var_18]
0x400f60: 	xor     rax, fs:28h
	je idx_20
	jmp idx_50
idx_40:
0x400f6a: 	push    rbp
0x400f6b: 	mov     rbp, rsp
0x400f6e: 	mov     eax, edi
0x400f70: 	mov     byte ptr [rbp+var_8+4], al
0x400f73: 	movzx   eax, byte ptr [rbp+var_8+4]
0x400f77: 	test    al, al
	jns idx_109
	jmp idx_160
idx_41:
0x400f7a: 	xor     eax, ebx
0x400f7c: 	add     rsp, 8
0x400f80: 	pop     rbx
0x400f81: 	pop     rbp
	jmp ??? ; never execute here
idx_42:
0x400f83: 	movzx   ecx, [rbp+var_184]
0x400f8a: 	mov     eax, [rbp+var_1C0]
0x400f90: 	cdq
0x400f91: 	idiv    [rbp+var_1C8]
0x400f97: 	sub     eax, 1
0x400f9a: 	movsxd  rdx, eax
0x400f9d: 	lea     rax, byte_404B30
0x400fa4: 	movzx   eax, byte ptr [rdx+rax]
0x400fa8: 	xor     eax, ecx
0x400faa: 	mov     [rbp+var_184], al
	jmp	idx_117
idx_43:
0x400fb1: 	mov     eax, [rbp+var_1D8]
0x400fb7: 	sub     eax, 1
0x400fba: 	cmp     [rbp+var_1D4], eax
	jle idx_177
	jmp idx_3
idx_44:
0x400fc1: 	lea     rdi, aO888oD888bY888; "    o888o     d888b    `Y888\"\"8o `Y8b"...
	call	_puts@plt
	jmp	idx_10
idx_45:
0x400fc9: 	xor     eax, ebx
0x400fcb: 	mov     byte ptr [rbp+var_20+4], al
0x400fce: 	mov     rax, [rbp+var_28]
0x400fd2: 	movzx   eax, byte ptr [rax]
0x400fd5: 	movzx   eax, al
0x400fd8: 	mov     edi, eax
	jmp	idx_142
idx_46:
0x400fdb: 	mov     ebx, eax
0x400fdd: 	mov     rax, [rbp+var_28]
0x400fe1: 	add     rax, 1
0x400fe5: 	movzx   eax, byte ptr [rax]
0x400fe8: 	movzx   eax, al
0x400feb: 	mov     edi, eax
	jmp	idx_102
idx_47:
0x400fee: 	mov     dword ptr [rbp+var_8], 0
	jmp	idx_5
idx_48:
0x400ff6: 	nop
0x400ff7: 	pop     rbp
	jmp idx_171
idx_49:
0x400ff9: 	leave
	jmp idx_89
idx_50:
	call	___stack_chk_fail@plt
	jmp	idx_20
idx_51:
0x400ffc: 	push    rbp
0x400ffd: 	mov     rbp, rsp
0x401000: 	sub     rsp, 8
0x401004: 	mov     eax, edi
0x401006: 	mov     byte ptr [rbp+var_8+4], al
0x401009: 	movzx   eax, byte ptr [rbp+var_8+4]
0x40100d: 	mov     edi, eax
	jmp	idx_40
idx_52:
0x401010: 	add     [rbp+var_1DC], 1
	jmp	idx_179
idx_53:
0x401018: 	mov     rax, cs:stdin
0x40101f: 	mov     ecx, 0
0x401024: 	mov     edx, 2
0x401029: 	mov     esi, 0
0x40102e: 	mov     rdi, rax
	call	_setvbuf@plt
	jmp	idx_61
idx_54:
0x401032: 	leave
	jmp ??? ; never execute here
idx_55:
0x401034: 	mov     edx, eax
0x401036: 	mov     eax, [rbp+var_1E0]
0x40103c: 	cdqe
0x40103e: 	mov     [rbp+rax+var_180], dl
0x401045: 	add     [rbp+var_1E0], 1
	jmp	idx_18
idx_56:
0x40104d: 	xor     ebx, eax
0x40104f: 	mov     rax, [rbp+var_28]
0x401053: 	add     rax, 3
0x401057: 	movzx   eax, byte ptr [rax]
0x40105a: 	movzx   eax, al
0x40105d: 	mov     edi, eax
	jmp	idx_142
idx_57:
0x401060: 	xor     ebx, eax
0x401062: 	mov     rax, [rbp+var_28]
0x401066: 	add     rax, 2
0x40106a: 	movzx   eax, byte ptr [rax]
0x40106d: 	movzx   eax, al
0x401070: 	mov     edi, eax
	jmp	idx_12
idx_58:
0x401073: 	mov     eax, [rbp+var_1C8]
0x401079: 	mov     [rbp+var_1C0], eax
	jmp	idx_178
idx_59:
0x401080: 	push    rbp
0x401081: 	mov     rbp, rsp
0x401084: 	mov     [rbp+var_18], rdi
0x401088: 	mov     rax, [rbp+var_18]
0x40108c: 	movzx   eax, byte ptr [rax+1]
0x401090: 	mov     byte ptr [rbp+var_8+7], al
0x401093: 	mov     rax, [rbp+var_18]
0x401097: 	lea     rdx, [rax+1]
0x40109b: 	mov     rax, [rbp+var_18]
0x40109f: 	movzx   eax, byte ptr [rax+5]
0x4010a3: 	mov     [rdx], al
0x4010a5: 	mov     rax, [rbp+var_18]
0x4010a9: 	lea     rdx, [rax+5]
0x4010ad: 	mov     rax, [rbp+var_18]
0x4010b1: 	movzx   eax, byte ptr [rax+9]
0x4010b5: 	mov     [rdx], al
0x4010b7: 	mov     rax, [rbp+var_18]
0x4010bb: 	lea     rdx, [rax+9]
0x4010bf: 	mov     rax, [rbp+var_18]
0x4010c3: 	movzx   eax, byte ptr [rax+0Dh]
0x4010c7: 	mov     [rdx], al
0x4010c9: 	mov     rax, [rbp+var_18]
0x4010cd: 	lea     rdx, [rax+0Dh]
0x4010d1: 	movzx   eax, byte ptr [rbp+var_8+7]
0x4010d5: 	mov     [rdx], al
0x4010d7: 	mov     rax, [rbp+var_18]
0x4010db: 	movzx   eax, byte ptr [rax+2]
0x4010df: 	mov     byte ptr [rbp+var_8+7], al
0x4010e2: 	mov     rax, [rbp+var_18]
0x4010e6: 	lea     rdx, [rax+2]
0x4010ea: 	mov     rax, [rbp+var_18]
0x4010ee: 	movzx   eax, byte ptr [rax+0Ah]
0x4010f2: 	mov     [rdx], al
0x4010f4: 	mov     rax, [rbp+var_18]
0x4010f8: 	lea     rdx, [rax+0Ah]
0x4010fc: 	movzx   eax, byte ptr [rbp+var_8+7]
0x401100: 	mov     [rdx], al
0x401102: 	mov     rax, [rbp+var_18]
0x401106: 	movzx   eax, byte ptr [rax+6]
0x40110a: 	mov     byte ptr [rbp+var_8+7], al
0x40110d: 	mov     rax, [rbp+var_18]
0x401111: 	lea     rdx, [rax+6]
0x401115: 	mov     rax, [rbp+var_18]
0x401119: 	movzx   eax, byte ptr [rax+0Eh]
0x40111d: 	mov     [rdx], al
0x40111f: 	mov     rax, [rbp+var_18]
0x401123: 	lea     rdx, [rax+0Eh]
0x401127: 	movzx   eax, byte ptr [rbp+var_8+7]
0x40112b: 	mov     [rdx], al
0x40112d: 	mov     rax, [rbp+var_18]
0x401131: 	movzx   eax, byte ptr [rax+0Fh]
0x401135: 	mov     byte ptr [rbp+var_8+7], al
0x401138: 	mov     rax, [rbp+var_18]
0x40113c: 	lea     rdx, [rax+0Fh]
0x401140: 	mov     rax, [rbp+var_18]
0x401144: 	movzx   eax, byte ptr [rax+0Bh]
0x401148: 	mov     [rdx], al
0x40114a: 	mov     rax, [rbp+var_18]
0x40114e: 	lea     rdx, [rax+0Bh]
0x401152: 	mov     rax, [rbp+var_18]
0x401156: 	movzx   eax, byte ptr [rax+7]
0x40115a: 	mov     [rdx], al
0x40115c: 	mov     rax, [rbp+var_18]
0x401160: 	lea     rdx, [rax+7]
0x401164: 	mov     rax, [rbp+var_18]
0x401168: 	movzx   eax, byte ptr [rax+3]
0x40116c: 	mov     [rdx], al
0x40116e: 	mov     rax, [rbp+var_18]
0x401172: 	lea     rdx, [rax+3]
0x401176: 	movzx   eax, byte ptr [rbp+var_8+7]
0x40117a: 	mov     [rdx], al
0x40117c: 	nop
0x40117d: 	pop     rbp
	jmp idx_85
idx_60:
0x40117f: 	add     dword ptr [rbp+var_8], 1
	jmp	idx_5
idx_61:
0x401184: 	mov     rax, cs:stdout
0x40118b: 	mov     ecx, 0
0x401190: 	mov     edx, 2
0x401195: 	mov     esi, 0
0x40119a: 	mov     rdi, rax
	call	_setvbuf@plt
	jmp	idx_140
idx_62:
0x40119e: 	xor     ebx, eax
0x4011a0: 	mov     rax, [rbp+var_28]
0x4011a4: 	add     rax, 2
0x4011a8: 	movzx   eax, byte ptr [rax]
0x4011ab: 	movzx   eax, al
0x4011ae: 	mov     edi, eax
	jmp	idx_51
idx_63:
0x4011b1: 	xor     ebx, eax
0x4011b3: 	mov     rax, [rbp+var_28]
0x4011b7: 	add     rax, 2
0x4011bb: 	movzx   eax, byte ptr [rax]
0x4011be: 	movzx   eax, al
0x4011c1: 	mov     edi, eax
	jmp	idx_142
idx_64:
0x4011c4: 	lea     rax, [rbp+var_180]
0x4011cb: 	mov     [rbp+var_198], rax
0x4011d2: 	lea     rax, [rbp+var_110]
0x4011d9: 	mov     [rbp+var_190], rax
0x4011e0: 	mov     [rbp+var_1C8], 4
0x4011ea: 	mov     [rbp+var_1C4], 0Ah
0x4011f4: 	mov     [rbp+var_1C0], 0
	jmp	idx_124
idx_65:
0x4011ff: 	mov     [rbp+var_1E0], 0
	jmp	idx_17
idx_66:
	jmp	idx_138
idx_67:
	jmp	idx_39
idx_68:
0x40120c: 	add     rsp, 28h
0x401210: 	pop     rbx
0x401211: 	pop     rbp
	jmp ??? ; never execute here
idx_69:
0x401213: 	mov     edx, [rbp+var_1D4]
0x401219: 	mov     rcx, [rbp+var_1B0]
0x401220: 	mov     rax, [rbp+var_1B8]
0x401227: 	mov     rsi, rcx
0x40122a: 	mov     rdi, rax
	jmp	idx_173
idx_70:
0x40122e: 	mov     edx, [rbp+var_1D8]
0x401234: 	mov     rcx, [rbp+var_1B0]
0x40123b: 	mov     rax, [rbp+var_1B8]
0x401242: 	mov     rsi, rcx
0x401245: 	mov     rdi, rax
	jmp	idx_173
idx_71:
0x401249: 	mov     rax, [rbp+var_1A8]
0x401250: 	mov     rdi, rax
	jmp	idx_154
idx_72:
0x401254: 	lea     rdi, a88888888888Y88; "8'   888   `8                         "...
	call	_puts@plt
	jmp	idx_75
idx_73:
0x40125c: 	xor     eax, ebx
0x40125e: 	mov     byte ptr [rbp+var_20+7], al
0x401261: 	movzx   edx, byte ptr [rbp+var_20+4]
0x401265: 	mov     rax, [rbp+var_28]
0x401269: 	mov     [rax], dl
0x40126b: 	mov     rax, [rbp+var_28]
0x40126f: 	lea     rdx, [rax+1]
0x401273: 	movzx   eax, byte ptr [rbp+var_20+5]
0x401277: 	mov     [rdx], al
0x401279: 	mov     rax, [rbp+var_28]
0x40127d: 	lea     rdx, [rax+2]
0x401281: 	movzx   eax, byte ptr [rbp+var_20+6]
0x401285: 	mov     [rdx], al
0x401287: 	mov     rax, [rbp+var_28]
0x40128b: 	lea     rdx, [rax+3]
0x40128f: 	movzx   eax, byte ptr [rbp+var_20+7]
0x401293: 	mov     [rdx], al
0x401295: 	add     dword ptr [rbp+var_20], 1
0x401299: 	add     [rbp+var_28], 4
	jmp	idx_166
idx_74:
0x40129f: 	mov     rax, [rbp+var_1A8]
0x4012a6: 	mov     rdi, rax
	jmp	idx_59
idx_75:
0x4012aa: 	lea     rdi, a888OoooD8bOooo; "     888      oooo d8b  .oooo.    .oooo"...
	call	_puts@plt
	jmp	idx_81
idx_76:
0x4012b2: 	mov     edi, 1
	call	_exit@plt
	jmp	idx_24
idx_77:
0x4012b8: 	mov     dword ptr [rbp+var_8+4], 0
	jmp	idx_113
idx_78:
	call	___stack_chk_fail@plt
	jmp	idx_68
idx_79:
0x4012c1: 	nop
	jmp	idx_138
idx_80:
0x4012c3: 	push    rbp
0x4012c4: 	mov     rbp, rsp
0x4012c7: 	push    rbx
0x4012c8: 	sub     rsp, 28h
0x4012cc: 	mov     [rbp+var_28], rdi
0x4012d0: 	mov     rax, fs:28h
0x4012d9: 	mov     [rbp+var_18], rax
0x4012dd: 	xor     eax, eax
0x4012df: 	mov     dword ptr [rbp+var_20], 0
	jmp	idx_130
idx_81:
0x4012e7: 	lea     rdi, a8888888pP88bD8; "     888      `888\"\"8P `P  )88b  d88'"...
	call	_puts@plt
	jmp	idx_37
idx_82:
0x4012ef: 	mov     edx, [rbp+var_1D0]
0x4012f5: 	mov     rcx, [rbp+var_1A0]
0x4012fc: 	mov     rax, [rbp+var_1A8]
0x401303: 	mov     rsi, rcx
0x401306: 	mov     rdi, rax
	jmp	idx_173
idx_83:
0x40130a: 	cmp     [rbp+var_1BC], 3
	jle idx_30
	jmp idx_42
idx_84:
0x401312: 	movzx   eax, byte ptr [rbp+var_18+7]
0x401316: 	cmp     al, 0Ah
	je idx_79
	jmp idx_35
idx_85:
0x401319: 	mov     rax, [rbp+var_1A8]
0x401320: 	mov     rdi, rax
	jmp	idx_158
idx_86:
0x401324: 	movzx   eax, al
0x401327: 	mov     edi, eax
	jmp	idx_40
idx_87:
0x40132a: 	mov     ebx, eax
0x40132c: 	mov     rax, [rbp+var_28]
0x401330: 	add     rax, 1
0x401334: 	movzx   eax, byte ptr [rax]
0x401337: 	movzx   eax, al
0x40133a: 	mov     edi, eax
	jmp	idx_142
idx_88:
0x40133d: 	mov     eax, dword ptr [rbp+var_8+4]
0x401340: 	movsxd  rdx, eax
0x401343: 	mov     rax, [rbp+var_18]
0x401347: 	add     rax, rdx
0x40134a: 	movzx   esi, byte ptr [rax]
0x40134d: 	mov     eax, dword ptr [rbp+var_28+4]
0x401350: 	shl     eax, 4
0x401353: 	mov     edx, eax
0x401355: 	mov     eax, dword ptr [rbp+var_8+4]
0x401358: 	add     eax, edx
0x40135a: 	movsxd  rdx, eax
0x40135d: 	mov     rax, [rbp+var_20]
0x401361: 	add     rax, rdx
0x401364: 	movzx   ecx, byte ptr [rax]
0x401367: 	mov     eax, dword ptr [rbp+var_8+4]
0x40136a: 	movsxd  rdx, eax
0x40136d: 	mov     rax, [rbp+var_18]
0x401371: 	add     rax, rdx
0x401374: 	xor     esi, ecx
0x401376: 	mov     edx, esi
0x401378: 	mov     [rax], dl
0x40137a: 	add     dword ptr [rbp+var_8+4], 1
	jmp	idx_103
idx_89:
0x40137f: 	mov     [rbp+var_1E0], 0
	jmp	idx_18
idx_90:
	call	___stack_chk_fail@plt
	jmp	idx_147
idx_91:
0x40138b: 	cmp     dword ptr [rbp+var_8+4], 0Fh
	jle idx_28
	jmp idx_48
idx_92:
0x401390: 	mov     eax, [rbp+var_1C0]
0x401396: 	movsxd  rdx, eax
0x401399: 	mov     rax, [rbp+var_198]
0x4013a0: 	add     rax, rdx
0x4013a3: 	mov     edx, [rbp+var_1C0]
0x4013a9: 	movsxd  rcx, edx
0x4013ac: 	mov     rdx, [rbp+var_190]
0x4013b3: 	add     rdx, rcx
0x4013b6: 	movzx   eax, byte ptr [rax]
0x4013b9: 	mov     [rdx], al
0x4013bb: 	add     [rbp+var_1C0], 1
	jmp	idx_124
idx_93:
0x4013c3: 	mov     rax, cs:off_606A48; "Congratulations! This is the correct fl"...
0x4013ca: 	mov     rdi, rax
	call	_puts@plt
	jmp	idx_67
idx_94:
0x4013ce: 	xor     eax, ebx
0x4013d0: 	mov     byte ptr [rbp+var_20+5], al
0x4013d3: 	mov     rax, [rbp+var_28]
0x4013d7: 	movzx   eax, byte ptr [rax]
0x4013da: 	movzx   eax, al
0x4013dd: 	mov     edi, eax
	jmp	idx_12
idx_95:
0x4013e0: 	push    rbp
0x4013e1: 	mov     rbp, rsp
0x4013e4: 	sub     rsp, 8
0x4013e8: 	mov     eax, edi
0x4013ea: 	mov     byte ptr [rbp+var_8+4], al
0x4013ed: 	movzx   eax, byte ptr [rbp+var_8+4]
0x4013f1: 	mov     edi, eax
	jmp	idx_40
idx_96:
0x4013f4: 	xor     ebx, eax
0x4013f6: 	mov     rax, [rbp+var_28]
0x4013fa: 	add     rax, 3
0x4013fe: 	movzx   eax, byte ptr [rax]
0x401401: 	movzx   eax, al
0x401404: 	mov     edi, eax
	jmp	idx_12
idx_97:
0x401407: 	mov     [rbp+var_C], eax
0x40140a: 	cmp     [rbp+var_C], 0
	jg idx_84
	jmp idx_1
idx_98:
0x40140f: 	lea     rax, [rbp+var_20]
0x401413: 	mov     esi, 10h
0x401418: 	mov     rdi, rax
	jmp	idx_24
idx_99:
0x40141c: 	push    rbp
0x40141d: 	mov     rbp, rsp
0x401420: 	sub     rsp, 10h
0x401424: 	mov     dword ptr [rbp+var_8+4], edi
0x401427: 	lea     rdi, aOut; "Out!"
	call	_puts@plt
	jmp	idx_76
idx_100:
0x40142f: 	lea     rax, [rbp+var_18+7]
0x401433: 	mov     edx, 1
0x401438: 	mov     rsi, rax
0x40143b: 	mov     edi, 0
	call	_read@plt
	jmp	idx_97
idx_101:
0x401441: 	mov     eax, dword ptr [rbp+var_8+4]
0x401444: 	movsxd  rdx, eax
0x401447: 	mov     rax, [rbp+var_18]
0x40144b: 	add     rax, rdx
0x40144e: 	movzx   eax, byte ptr [rax]
0x401451: 	movzx   eax, al
0x401454: 	mov     edx, dword ptr [rbp+var_8+4]
0x401457: 	movsxd  rcx, edx
0x40145a: 	mov     rdx, [rbp+var_18]
0x40145e: 	add     rcx, rdx
0x401461: 	movsxd  rdx, eax
0x401464: 	lea     rax, inv_sbox_enc
0x40146b: 	movzx   eax, byte ptr [rdx+rax]
0x40146f: 	mov     [rcx], al
0x401471: 	add     dword ptr [rbp+var_8+4], 1
	jmp	idx_123
idx_102:
0x401476: 	push    rbp
0x401477: 	mov     rbp, rsp
0x40147a: 	push    rbx
0x40147b: 	sub     rsp, 8
0x40147f: 	mov     eax, edi
0x401481: 	mov     byte ptr [rbp+var_C], al
0x401484: 	movzx   eax, byte ptr [rbp+var_C]
0x401488: 	mov     edi, eax
	jmp	idx_165
idx_103:
0x40148b: 	cmp     dword ptr [rbp+var_8+4], 0Fh
	jle idx_88
	jmp idx_27
idx_104:
0x401490: 	add     [rbp+var_1DC], 1
	jmp	idx_159
idx_105:
0x401498: 	add     [rbp+var_1CC], 1
	jmp	idx_167
idx_106:
	call	___stack_chk_fail@plt
	jmp	idx_54
idx_107:
0x4014a1: 	xor     eax, ebx
0x4014a3: 	xor     al, byte ptr [rbp+var_C]
0x4014a6: 	add     rsp, 8
0x4014aa: 	pop     rbx
0x4014ab: 	pop     rbp
	jmp ??? ; never execute here
idx_108:
0x4014ad: 	lea     rax, [rbp+var_140]
0x4014b4: 	mov     esi, 21h ; '!'
0x4014b9: 	mov     rdi, rax
	jmp	idx_24
idx_109:
0x4014bd: 	movzx   eax, byte ptr [rbp+var_8+4]
0x4014c1: 	add     eax, eax
	jmp	idx_114
idx_110:
0x4014c4: 	nop
0x4014c5: 	pop     rbp
	jmp ??? ; never execute here
idx_111:
0x4014c7: 	movzx   eax, al
0x4014ca: 	mov     edi, eax
	jmp	idx_40
idx_112:
0x4014cd: 	add     [rbp+var_1D4], 1
	jmp	idx_43
idx_113:
0x4014d5: 	cmp     dword ptr [rbp+var_8+4], 1Fh
	jle idx_151
	jmp idx_60
idx_114:
0x4014da: 	pop     rbp
	jmp idx_132
idx_115:
0x4014dc: 	mov     [rbp+var_1DC], 0
0x4014e6: 	mov     [rbp+var_1E0], 0
	jmp	idx_149
idx_116:
0x4014f1: 	mov     ebx, eax
0x4014f3: 	movzx   eax, byte ptr [rbp+var_C]
0x4014f7: 	mov     edi, eax
	jmp	idx_95
idx_117:
0x4014fa: 	mov     [rbp+var_1BC], 0
	jmp	idx_34
idx_118:
0x401505: 	xor     ebx, eax
0x401507: 	mov     rax, [rbp+var_28]
0x40150b: 	add     rax, 2
0x40150f: 	movzx   eax, byte ptr [rax]
0x401512: 	movzx   eax, al
0x401515: 	mov     edi, eax
	jmp	idx_102
idx_119:
0x401518: 	leave
	jmp ??? ; never execute here
idx_120:
0x40151a: 	mov     [rbp+var_1CC], 1
	jmp	idx_167
idx_121:
0x401525: 	xor     ebx, eax
0x401527: 	mov     rax, [rbp+var_28]
0x40152b: 	add     rax, 2
0x40152f: 	movzx   eax, byte ptr [rax]
0x401532: 	movzx   eax, al
0x401535: 	mov     edi, eax
	jmp	idx_135
idx_122:
0x401538: 	push    rbp
0x401539: 	mov     rbp, rsp
0x40153c: 	sub     rsp, 20h
0x401540: 	mov     rax, fs:28h
0x401549: 	mov     [rbp+var_8], rax
0x40154d: 	xor     eax, eax
0x40154f: 	lea     rax, [rbp+var_20]
0x401553: 	mov     edx, 14h
0x401558: 	mov     esi, 0
0x40155d: 	mov     rdi, rax
	call	_memset@plt
	jmp	idx_98
idx_123:
0x401561: 	cmp     dword ptr [rbp+var_8+4], 0Fh
	jle idx_101
	jmp idx_110
idx_124:
0x401566: 	mov     eax, [rbp+var_1C8]
0x40156c: 	shl     eax, 2
0x40156f: 	cmp     [rbp+var_1C0], eax
	jl idx_92
	jmp idx_58
idx_125:
0x401576: 	xor     ebx, eax
0x401578: 	mov     rax, [rbp+var_28]
0x40157c: 	add     rax, 3
0x401580: 	movzx   eax, byte ptr [rax]
0x401583: 	movzx   eax, al
0x401586: 	mov     edi, eax
	jmp	idx_51
idx_126:
	call	_rand@plt
	jmp	idx_55
idx_127:
	call	___stack_chk_fail@plt
	jmp	idx_49
idx_128:
0x40158b: 	mov     ebx, eax
0x40158d: 	movzx   eax, byte ptr [rbp+var_C]
0x401591: 	mov     edi, eax
	jmp	idx_95
idx_129:
0x401594: 	lea     rax, [rbp+var_20]
0x401598: 	mov     rdi, rax
	call	_atoi@plt
	jmp	idx_156
idx_130:
0x40159c: 	cmp     dword ptr [rbp+var_20], 3
	jle idx_162
	jmp idx_32
idx_131:
0x4015a1: 	xor     eax, ebx
0x4015a3: 	xor     al, byte ptr [rbp+var_C]
0x4015a6: 	add     rsp, 8
0x4015aa: 	pop     rbx
0x4015ab: 	pop     rbp
	jmp ??? ; never execute here
idx_132:
0x4015ad: 	xor     al, byte ptr [rbp+var_8+4]
0x4015b0: 	leave
	jmp idx_21
idx_133:
0x4015b2: 	cmp     [rbp+var_1DC], 1Fh
	jle idx_157
	jmp idx_93
idx_134:
0x4015ba: 	xor     eax, ebx
0x4015bc: 	mov     byte ptr [rbp+var_20+6], al
0x4015bf: 	mov     rax, [rbp+var_28]
0x4015c3: 	movzx   eax, byte ptr [rax]
0x4015c6: 	movzx   eax, al
0x4015c9: 	mov     edi, eax
	jmp	idx_135
idx_135:
0x4015cc: 	push    rbp
0x4015cd: 	mov     rbp, rsp
0x4015d0: 	push    rbx
0x4015d1: 	sub     rsp, 8
0x4015d5: 	mov     eax, edi
0x4015d7: 	mov     byte ptr [rbp+var_C], al
0x4015da: 	movzx   eax, byte ptr [rbp+var_C]
0x4015de: 	mov     edi, eax
	jmp	idx_165
idx_136:
0x4015e1: 	leave
	jmp ??? ; never execute here
idx_137:
0x4015e3: 	mov     edx, eax
0x4015e5: 	mov     rax, [rbp+var_28]
0x4015e9: 	add     rax, 1
0x4015ed: 	movzx   eax, byte ptr [rax]
0x4015f0: 	xor     edx, eax
0x4015f2: 	mov     rax, [rbp+var_28]
0x4015f6: 	add     rax, 2
0x4015fa: 	movzx   eax, byte ptr [rax]
0x4015fd: 	xor     edx, eax
0x4015ff: 	mov     ebx, edx
0x401601: 	mov     rax, [rbp+var_28]
0x401605: 	add     rax, 3
0x401609: 	movzx   eax, byte ptr [rax]
0x40160c: 	movzx   eax, al
0x40160f: 	mov     edi, eax
	jmp	idx_40
idx_138:
0x401612: 	mov     eax, [rbp+var_10]
0x401615: 	movsxd  rdx, eax
0x401618: 	mov     rax, [rbp+var_28]
0x40161c: 	add     rax, rdx
0x40161f: 	mov     byte ptr [rax], 0
0x401622: 	mov     eax, [rbp+var_10]
0x401625: 	mov     rcx, [rbp+var_8]
0x401629: 	xor     rcx, fs:28h
	je idx_49
	jmp idx_127
idx_139:
0x401633: 	mov     rax, [rbp+var_1B8]
0x40163a: 	mov     rdi, rax
	jmp	idx_158
idx_140:
0x40163e: 	mov     rax, cs:stderr
0x401645: 	mov     ecx, 0
0x40164a: 	mov     edx, 2
0x40164f: 	mov     esi, 0
0x401654: 	mov     rdi, rax
	call	_setvbuf@plt
	jmp	idx_9
idx_141:
0x401658: 	movzx   eax, al
0x40165b: 	mov     edi, eax
	jmp	idx_40
idx_142:
0x40165e: 	push    rbp
0x40165f: 	mov     rbp, rsp
0x401662: 	sub     rsp, 8
0x401666: 	mov     eax, edi
0x401668: 	mov     byte ptr [rbp+var_8+4], al
0x40166b: 	movzx   eax, byte ptr [rbp+var_8+4]
0x40166f: 	mov     edi, eax
	jmp	idx_165
idx_143:
0x401672: 	mov     eax, [rbp+var_1C0]
0x401678: 	cdq
0x401679: 	idiv    [rbp+var_1C8]
0x40167f: 	mov     eax, edx
0x401681: 	test    eax, eax
	jnz idx_117
	jmp idx_172
idx_144:
0x401684: 	xor     ebx, eax
0x401686: 	mov     edx, ebx
0x401688: 	mov     rax, [rbp+var_28]
0x40168c: 	add     rax, 3
0x401690: 	movzx   eax, byte ptr [rax]
0x401693: 	xor     eax, edx
0x401695: 	mov     byte ptr [rbp+var_20+5], al
0x401698: 	mov     rax, [rbp+var_28]
0x40169c: 	movzx   edx, byte ptr [rax]
0x40169f: 	mov     rax, [rbp+var_28]
0x4016a3: 	add     rax, 1
0x4016a7: 	movzx   eax, byte ptr [rax]
0x4016aa: 	mov     ebx, edx
0x4016ac: 	xor     ebx, eax
0x4016ae: 	mov     rax, [rbp+var_28]
0x4016b2: 	add     rax, 2
0x4016b6: 	movzx   eax, byte ptr [rax]
0x4016b9: 	movzx   eax, al
0x4016bc: 	mov     edi, eax
	jmp	idx_40
idx_145:
0x4016bf: 	xor     eax, ebx
0x4016c1: 	mov     byte ptr [rbp+var_20+7], al
0x4016c4: 	movzx   edx, byte ptr [rbp+var_20+4]
0x4016c8: 	mov     rax, [rbp+var_28]
0x4016cc: 	mov     [rax], dl
0x4016ce: 	mov     rax, [rbp+var_28]
0x4016d2: 	lea     rdx, [rax+1]
0x4016d6: 	movzx   eax, byte ptr [rbp+var_20+5]
0x4016da: 	mov     [rdx], al
0x4016dc: 	mov     rax, [rbp+var_28]
0x4016e0: 	lea     rdx, [rax+2]
0x4016e4: 	movzx   eax, byte ptr [rbp+var_20+6]
0x4016e8: 	mov     [rdx], al
0x4016ea: 	mov     rax, [rbp+var_28]
0x4016ee: 	lea     rdx, [rax+3]
0x4016f2: 	movzx   eax, byte ptr [rbp+var_20+7]
0x4016f6: 	mov     [rdx], al
0x4016f8: 	add     dword ptr [rbp+var_20], 1
0x4016fc: 	add     [rbp+var_28], 4
	jmp	idx_130
idx_146:
	call	_rand@plt
	jmp	idx_4
idx_147:
0x401703: 	add     rsp, 28h
0x401707: 	pop     rbx
0x401708: 	pop     rbp
	jmp idx_29
idx_148:
0x40170a: 	mov     ebx, eax
0x40170c: 	movzx   eax, byte ptr [rbp+var_C]
0x401710: 	mov     edi, eax
	jmp	idx_40
idx_149:
0x401713: 	cmp     [rbp+var_1E0], 0Fh
	jle idx_16
	jmp idx_65
idx_150:
0x40171b: 	mov     rax, [rbp+var_1B8]
0x401722: 	mov     rdi, rax
	jmp	idx_59
idx_151:
0x401726: 	mov     eax, dword ptr [rbp+var_8]
0x401729: 	shl     eax, 5
0x40172c: 	mov     edx, eax
0x40172e: 	mov     eax, dword ptr [rbp+var_8+4]
0x401731: 	add     eax, edx
0x401733: 	movsxd  rdx, eax
0x401736: 	lea     rax, sbox_enc
0x40173d: 	movzx   esi, byte ptr [rdx+rax]
0x401741: 	mov     eax, dword ptr [rbp+var_8+4]
0x401744: 	movsxd  rdx, eax
0x401747: 	mov     rax, [rbp+var_18]
0x40174b: 	add     rax, rdx
0x40174e: 	movzx   ecx, byte ptr [rax]
0x401751: 	mov     eax, dword ptr [rbp+var_8]
0x401754: 	shl     eax, 5
0x401757: 	mov     edx, eax
0x401759: 	mov     eax, dword ptr [rbp+var_8+4]
0x40175c: 	add     eax, edx
0x40175e: 	xor     ecx, esi
0x401760: 	movsxd  rdx, eax
0x401763: 	lea     rax, sbox_enc
0x40176a: 	mov     [rdx+rax], cl
0x40176d: 	mov     eax, dword ptr [rbp+var_8]
0x401770: 	shl     eax, 5
0x401773: 	mov     edx, eax
0x401775: 	mov     eax, dword ptr [rbp+var_8+4]
0x401778: 	add     eax, edx
0x40177a: 	movsxd  rdx, eax
0x40177d: 	lea     rax, inv_sbox_enc
0x401784: 	movzx   esi, byte ptr [rdx+rax]
0x401788: 	mov     eax, dword ptr [rbp+var_8+4]
0x40178b: 	movsxd  rdx, eax
0x40178e: 	mov     rax, [rbp+var_18]
0x401792: 	add     rax, rdx
0x401795: 	movzx   ecx, byte ptr [rax]
0x401798: 	mov     eax, dword ptr [rbp+var_8]
0x40179b: 	shl     eax, 5
0x40179e: 	mov     edx, eax
0x4017a0: 	mov     eax, dword ptr [rbp+var_8+4]
0x4017a3: 	add     eax, edx
0x4017a5: 	xor     ecx, esi
0x4017a7: 	movsxd  rdx, eax
0x4017aa: 	lea     rax, inv_sbox_enc
0x4017b1: 	mov     [rdx+rax], cl
0x4017b4: 	add     dword ptr [rbp+var_8+4], 1
	jmp	idx_113
idx_152:
0x4017b9: 	mov     rax, [rbp+var_1B8]
0x4017c0: 	mov     rdi, rax
	jmp	idx_59
idx_153:
0x4017c4: 	mov     rax, [rbp+var_28]
0x4017c8: 	movzx   eax, byte ptr [rax]
0x4017cb: 	movzx   eax, al
0x4017ce: 	mov     edi, eax
	jmp	idx_40
idx_154:
0x4017d1: 	push    rbp
0x4017d2: 	mov     rbp, rsp
0x4017d5: 	mov     [rbp+var_18], rdi
0x4017d9: 	mov     dword ptr [rbp+var_8+4], 0
	jmp	idx_91
idx_155:
0x4017e1: 	mov     ebx, eax
0x4017e3: 	mov     rax, [rbp+var_28]
0x4017e7: 	add     rax, 1
0x4017eb: 	movzx   eax, byte ptr [rax]
0x4017ee: 	movzx   eax, al
0x4017f1: 	mov     edi, eax
	jmp	idx_12
idx_156:
0x4017f4: 	mov     rcx, [rbp+var_8]
0x4017f8: 	xor     rcx, fs:28h
	je idx_54
	jmp idx_106
idx_157:
0x401802: 	mov     rax, cs:off_606A40; "This is a fake flag!"
0x401809: 	mov     rdi, rax
	call	_puts@plt
	jmp	idx_168
idx_158:
0x40180d: 	push    rbp
0x40180e: 	mov     rbp, rsp
0x401811: 	push    rbx
0x401812: 	sub     rsp, 28h
0x401816: 	mov     [rbp+var_28], rdi
0x40181a: 	mov     rax, fs:28h
0x401823: 	mov     [rbp+var_18], rax
0x401827: 	xor     eax, eax
0x401829: 	mov     dword ptr [rbp+var_20], 0
	jmp	idx_166
idx_159:
0x401831: 	add     [rbp+var_1E0], 1
	jmp	idx_149
idx_160:
0x401839: 	movzx   eax, byte ptr [rbp+var_8+4]
0x40183d: 	add     eax, eax
0x40183f: 	xor     eax, 1Bh
	jmp	idx_114
idx_161:
0x401843: 	mov     [rbp+var_1D4], 1
	jmp	idx_43
idx_162:
0x40184e: 	mov     rax, [rbp+var_28]
0x401852: 	movzx   eax, byte ptr [rax]
0x401855: 	movzx   eax, al
0x401858: 	mov     edi, eax
	jmp	idx_102
idx_163:
0x40185b: 	xor     ebx, eax
0x40185d: 	movzx   eax, byte ptr [rbp+var_C]
0x401861: 	mov     edi, eax
	jmp	idx_40
idx_164:
0x401864: 	mov     eax, [rbp+var_1C0]
0x40186a: 	sub     eax, 1
0x40186d: 	lea     edx, ds:0[rax*4]
0x401874: 	mov     eax, [rbp+var_1BC]
0x40187a: 	add     eax, edx
0x40187c: 	movsxd  rdx, eax
0x40187f: 	mov     rax, [rbp+var_190]
0x401886: 	add     rax, rdx
0x401889: 	movzx   edx, byte ptr [rax]
0x40188c: 	mov     eax, [rbp+var_1BC]
0x401892: 	cdqe
0x401894: 	mov     [rbp+rax+var_184], dl
0x40189b: 	add     [rbp+var_1BC], 1
	jmp	idx_19
idx_165:
0x4018a3: 	push    rbp
0x4018a4: 	mov     rbp, rsp
0x4018a7: 	sub     rsp, 8
0x4018ab: 	mov     eax, edi
0x4018ad: 	mov     byte ptr [rbp+var_8+4], al
0x4018b0: 	movzx   eax, byte ptr [rbp+var_8+4]
0x4018b4: 	mov     edi, eax
	jmp	idx_40
idx_166:
0x4018b7: 	cmp     dword ptr [rbp+var_20], 3
	jle idx_153
	jmp idx_13
idx_167:
0x4018bc: 	mov     eax, [rbp+var_1D0]
0x4018c2: 	sub     eax, 1
0x4018c5: 	cmp     [rbp+var_1CC], eax
	jle idx_26
	jmp idx_71
idx_168:
0x4018cc: 	nop
	jmp	idx_39
idx_169:
0x4018ce: 	push    rbp
0x4018cf: 	mov     rbp, rsp
0x4018d2: 	sub     rsp, 20h
0x4018d6: 	mov     [rbp+var_18], rdi
0x4018da: 	lea     rdi, aOooooooooooooO; "ooooooooooooo                          "...
	call	_puts@plt
	jmp	idx_72
idx_170:
0x4018e2: 	nop
0x4018e3: 	leave
	jmp idx_53
idx_171:
0x4018e5: 	mov     rax, [rbp+var_1A8]
0x4018ec: 	mov     rdi, rax
	jmp	idx_59
idx_172:
0x4018f0: 	movzx   eax, [rbp+var_184]
0x4018f7: 	mov     [rbp+var_1E1], al
0x4018fd: 	movzx   eax, [rbp+var_183]
0x401904: 	mov     [rbp+var_184], al
0x40190a: 	movzx   eax, [rbp+var_182]
0x401911: 	mov     [rbp+var_183], al
0x401917: 	movzx   eax, [rbp+var_181]
0x40191e: 	mov     [rbp+var_182], al
0x401924: 	movzx   eax, [rbp+var_1E1]
0x40192b: 	mov     [rbp+var_181], al
0x401931: 	mov     [rbp+var_1BC], 0
	jmp	idx_83
idx_173:
0x40193c: 	push    rbp
0x40193d: 	mov     rbp, rsp
0x401940: 	mov     [rbp+var_18], rdi
0x401944: 	mov     [rbp+var_20], rsi
0x401948: 	mov     dword ptr [rbp+var_28+4], edx
0x40194b: 	mov     dword ptr [rbp+var_8+4], 0
	jmp	idx_103
idx_174:
0x401953: 	mov     [rbp+var_1BC], 0
	jmp	idx_19
idx_175:
0x40195e: 	lea     rax, [rbp+var_140]
0x401965: 	add     rax, 10h
0x401969: 	mov     [rbp+var_1B8], rax
0x401970: 	lea     rax, [rbp+var_110]
0x401977: 	mov     [rbp+var_1B0], rax
0x40197e: 	mov     [rbp+var_1D8], 0Ah
0x401988: 	mov     rcx, [rbp+var_1B0]
0x40198f: 	mov     rax, [rbp+var_1B8]
0x401996: 	mov     edx, 0
0x40199b: 	mov     rsi, rcx
0x40199e: 	mov     rdi, rax
	jmp	idx_173
idx_176:
0x4019a2: 	mov     eax, [rbp+var_2C]
0x4019a5: 	sub     eax, 1
0x4019a8: 	cmp     [rbp+var_10], eax
	jl idx_100
	jmp idx_66
idx_177:
0x4019ac: 	mov     rax, [rbp+var_1B8]
0x4019b3: 	mov     rdi, rax
	jmp	idx_154
idx_178:
0x4019b7: 	mov     eax, [rbp+var_1C4]
0x4019bd: 	add     eax, 1
0x4019c0: 	shl     eax, 2
0x4019c3: 	cmp     [rbp+var_1C0], eax
	jl idx_174
	jmp idx_23
idx_179:
0x4019ca: 	add     [rbp+var_1E0], 1
	jmp	idx_17
idx_180:
0x4019d2: 	xor     ebx, eax
0x4019d4: 	mov     rax, [rbp+var_28]
0x4019d8: 	add     rax, 3
0x4019dc: 	movzx   eax, byte ptr [rax]
0x4019df: 	movzx   eax, al
0x4019e2: 	mov     edi, eax
	jmp	idx_102

动态调试

汇编好的选手可以直接秒了，像我这种汇编不好的选手只能求助 AI 了，通过求助 AI 大致摸清楚了前面的执行流程。

#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>
char byte_606020[0x100]={0}; 
char byte_606120[0x100]={0};

void safe_read(char *buf,size_t len){
    int i = 0;
    while (i < len - 1) {
        char c;
        size_t ret = read(0, &c, 1);      // 从stdin读取1字节
        if(ret<=0){
            exit(-1);
        }
        buf[i++] = c;
        if (c == 10)
            break;
    }
    buf[i] = 0;  
}

int main(){
    char key[32] = "";//...
    char input[40];
    puts("");
    puts("");
    puts("");
    puts("");
    puts("");
    puts("");//puts banner
    srand(0x10000);
    for(int i = 0;i<7;i++){
        for(int j=0;j<32;j++){
            byte_606020[i*32+j] ^= key[j];
            byte_606120[i*32+j] ^= key[j];
        }
    } 
    setvbuf(stdin,0,0,0);
    setvbuf(stdout,0,0,0);
    setvbuf(stderr,0,0,0);
    printf("Input your flag: ");
    safe_read(input,0x20);


    unsigned char buf1[0x10];   // var_180
    unsigned char buf2[0x10];   // var_110
    unsigned char temp[4];      // var_184

    // 1. 生成随机数
    for (int i = 0; i < 16; i++)
        buf1[i] = rand() & 0xFF;

    // 2. 拷贝
    memcpy(buf2, buf1, 16);

    // 3. 初始化参数
    int lenA = 4;
    int lenB = 0xA;
    int idx = lenA;  // 4

    // 4. 主循环
    while (idx < ((lenB + 1) << 2)) {   // idx < 44
        // 取上一个块的 4 字节
        for (int i = 0; i < 4; i++)
            temp[i] = buf2[(idx - 1) * 4 + i];

        // 如果 idx 不是 4 的倍数，则 XOR 混合
        if (idx % lenA != 0) {
            for (int i = 0; i < 4; i++) {
                buf2[idx * 4 + i] = buf2[(idx - lenA) * 4 + i] ^ temp[i];
            }
        }
        idx++;
    }
}

而比较关键的是对于两个 256 字节的数组进行的初始化，仅仅简单对一个 32 字节硬编码数组做了一个异或运算。

这下看懂了，这就是 AES 的 SBOX 数组，随后的循环明显是轮密钥加，之后我写了 dump 脚本去 dump 轮密钥，并用程序去进行了验证。

dump 的轮密钥和 AES 的key对应上了，而且 key 可以用随机数种子去验证，分段发给 AI 汇编代码，AI 后面可以分析出又使用了 srand(rand()) 。动调也可以验证，因为发现整个块里面就调用了两次 srand，第二次 srand 前驱调用了一个 rand() 函数。

idx_146:
	call	_rand@plt
	jmp	idx_4
idx_4:
0x400b79: 	mov     edi, eax
	call	_srand@plt
	jmp	idx_115

如果实在不放心，可以在 0x400b79 地址被引用的代码下硬件断点去观察

也就是这里的 0x606b58。

这样刚好可以在 case 3 call srand 之前断住。

这里的 rchild=0x400870 就是 srand 的地址，本次continue过去就会执行srand，那么这里关心的值当然就是上一个块 rand 的返回值，直接找 regs 结构体的 RAX 。

这里找到了它的返回值 1343350356，刚好是可以对应上的（可以自己 srand(0x10000)，然后输出第 17 个 rand 值验证）。

后面的异或操作都是问 AI 的，最后比较的 target 就是祝贺找到正确的 flag 那句话。

通过输入 24 个 a，观察 AI 拿的加密数组，基本可以确定异或之前的值就是输入进行 AES 之后的值，这里我直接用 /proc/pid/mem 去 dump 指定区域的内存。

#include<stdio.h>
#include<fcntl.h>
#include<unistd.h>
char buffer [0x200000];
int main(){
    int fd = open("/proc/13521/mem",O_RDWR);
    size_t nbytes;
    perror("open");
    //0x7FFFFFFFDEB0 RBP - 0x140
    lseek(fd,0x7FFFFFFFDEB0 - 0x140,SEEK_CUR);
    nbytes = read(fd,buffer,0x40);
    perror("read");
    close(fd);
    for(int i=0;i<0x100;i++){
        printf("%02x ",(unsigned char)buffer[i]);
    }
}

通过dump结果比对

发现就是普普通通的 AES ECB/Nopadding。

那么流程就清晰了：

input -> AES ECB/NoPadding -> 异或随机数组 -> 异或开头硬编码数组

提取目标比对的字节，异或硬编码数组和随机数数组之后输出，最后 AES 解密即可。

#include<stdio.h>
#include<stdlib.h>

unsigned char target[] =
{
	0x43, 0x6F, 0x6E, 0x67, 0x72, 0x61, 0x74, 0x75, 0x6C, 0x61, 
	0x74, 0x69, 0x6F, 0x6E, 0x73, 0x21, 0x54, 0x68, 0x69, 
	0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 
	0x6F, 0x72, 0x72, 0x65, 0x63, 0x74, 0x20, 0x66, 0x6C, 0x61, 
	0x67, 0x21, 0x00
};
char key2[]="\xe2\x8b\x55\x38\x69\xfa\x80\xc2\x64\x4e\x7f\xe7\x13\x06\x14\xc5\xc0\x13\xd3\x12\x6b\xbd\xf2\xc7\x88\x44\x3e\x09\xe8\xa3\x83\x30"; 

int main(){
	char buffer[32]; 
	srand(0x10000);
	for (int i = 0; i < 16; i++){
		buffer[i] = rand() & 0xFF;
		//printf("%02x ",(unsigned char)buffer[i]);
	}putchar(10) ;
	int seed = rand(); 
	printf("seed:%d\n",seed); 
	srand(seed);
	for(int i=0;i<32;i++){
		buffer[i] = rand() & 0xFF;
		//printf("%02x ",(unsigned char)buffer[i]);
	} 
	
	for(int i=0;i<32;i++){
		target[i] ^=buffer[i];
		target[i] ^=key2[i];
		printf("%02x ",target[i]);
	}
}
//59 a0 fd e5 aa 7e fa 8c aa 64 be 24 36 e1 a0 44 8d c6 56 3f 95 15 42 60 89 ca 49 58 ea 26 05 1b

最后的 AES 解密得到 flag。

结语

CTF 真好玩，上周末单休，这周的强网杯直接把周末干碎了，从 11 点到 6 点（第二天凌晨），已经是一个活人微死的状态了，这题 80 解，我 CN 的逆向水平真好。