XYCTF2025

Misc

XGCTF

flag{1t_I3_t3E_s@Me_ChAl1eNge_aT_a1L_P1e@se_fOrg1ve_Me}

MADer也要当CTFer

附件是.mkv文件，播放器打开注意到有两个音轨，显示时长明显大于真实时长

MKVToolNix打开导出音轨后用Audacity打开后查看频谱图没有发现什么有用的信息

.\mkvextract.exe D:\ctf\XYCTF2025\Misc\MADer也要当CTFer\MADer也要当CTFer\只是刚好情窦初开遇到你.mkv tracks 2:111.ogg -c IS08859-1

用FFmpeg来查看视频的详细信息：

ffprobe "只是刚好情窦初开遇到你.mkv"

ffprobe version 7.0.2-essentials_build-www.gyan.dev Copyright (c) 2007-2024 the FFmpeg developers
  built with gcc 13.2.0 (Rev5, Built by MSYS2 project)
  configuration: --enable-gpl --enable-version3 --enable-static --disable-w32threads --disable-autodetect --enable-fontconfig --enable-iconv --enable-gnutls --enable-libxml2 --enable-gmp --enable-bzlib --enable-lzma --enable-zlib --enable-libsrt --enable-libssh --enable-libzmq --enable-avisynth --enable-sdl2 --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxvid --enable-libaom --enable-libopenjpeg --enable-libvpx --enable-mediafoundation --enable-libass --enable-libfreetype --enable-libfribidi --enable-libharfbuzz --enable-libvidstab --enable-libvmaf --enable-libzimg --enable-amf --enable-cuda-llvm --enable-cuvid --enable-dxva2 --enable-d3d11va --enable-d3d12va --enable-ffnvcodec --enable-libvpl --enable-nvdec --enable-nvenc --enable-vaapi --enable-libgme --enable-libopenmpt --enable-libopencore-amrwb --enable-libmp3lame --enable-libtheora --enable-libvo-amrwbenc --enable-libgsm --enable-libopencore-amrnb --enable-libopus --enable-libspeex --enable-libvorbis --enable-librubberband
  libavutil      59.  8.100 / 59.  8.100
  libavcodec     61.  3.100 / 61.  3.100
  libavformat    61.  1.100 / 61.  1.100
  libavdevice    61.  1.100 / 61.  1.100
  libavfilter    10.  1.100 / 10.  1.100
  libswscale      8.  1.100 /  8.  1.100
  libswresample   5.  1.100 /  5.  1.100
  libpostproc    58.  1.100 / 58.  1.100
Input #0, matroska,webm, from '只是刚好情窦初开遇到你.mkv':
  Metadata:
    encoder         : libebml v1.3.4 + libmatroska v1.4.5
    creation_time   : 2025-03-03T12:00:09.000000Z
  Duration: 05:50:19.50, start: 0.000000, bitrate: 2 kb/s
  Stream #0:0: Video: h264 (High), yuv420p(progressive), 1920x1080 [SAR 1:1 DAR 16:9], 23.81 fps, 23.81 tbr, 1k tbn (default)
      Metadata:
        BPS             : 3406202
        BPS-eng         : 3406202
        DURATION        : 00:00:12.513000000
        DURATION-eng    : 00:00:12.513000000
        NUMBER_OF_FRAMES: 300
        NUMBER_OF_FRAMES-eng: 300
        NUMBER_OF_BYTES : 5327726
        NUMBER_OF_BYTES-eng: 5327726
        _STATISTICS_WRITING_APP: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_APP-eng: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_DATE_UTC: 2025-03-03 12:00:09
        _STATISTICS_WRITING_DATE_UTC-eng: 2025-03-03 12:00:09
        _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
  Stream #0:1: Audio: aac (LC), 48000 Hz, stereo, fltp (default)
      Metadata:
        BPS             : 92763
        BPS-eng         : 92763
        DURATION        : 00:00:12.586000000
        DURATION-eng    : 00:00:12.586000000
        NUMBER_OF_FRAMES: 590
        NUMBER_OF_FRAMES-eng: 590
        NUMBER_OF_BYTES : 145940
        NUMBER_OF_BYTES-eng: 145940
        _STATISTICS_WRITING_APP: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_APP-eng: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_DATE_UTC: 2025-03-03 12:00:09
        _STATISTICS_WRITING_DATE_UTC-eng: 2025-03-03 12:00:09
        _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
  Stream #0:2: Audio: mp3 (mp3float), 48000 Hz, stereo, fltp, 119 kb/s
      Metadata:
        BPS             : 127878
        BPS-eng         : 127878
        DURATION        : 00:00:12.648000000
        DURATION-eng    : 00:00:12.648000000
        NUMBER_OF_FRAMES: 527
        NUMBER_OF_FRAMES-eng: 527
        NUMBER_OF_BYTES : 202176
        NUMBER_OF_BYTES-eng: 202176
        _STATISTICS_WRITING_APP: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_APP-eng: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_DATE_UTC: 2025-03-03 12:00:09
        _STATISTICS_WRITING_DATE_UTC-eng: 2025-03-03 12:00:09
        _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
  Stream #0:3: Subtitle: ass (ssa) (default)
      Metadata:
        BPS             : 207
        BPS-eng         : 207
        DURATION        : 05:50:19.500000000
        DURATION-eng    : 05:50:19.500000000
        NUMBER_OF_FRAMES: 8408
        NUMBER_OF_FRAMES-eng: 8408
        NUMBER_OF_BYTES : 545406
        NUMBER_OF_BYTES-eng: 545406
        _STATISTICS_WRITING_APP: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_APP-eng: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_DATE_UTC: 2025-03-03 12:00:09
        _STATISTICS_WRITING_DATE_UTC-eng: 2025-03-03 12:00:09
        _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
 34405@Warmlight D:\....\MADer也要当CTFer  ffmpeg -i "只是刚好情窦初开遇到你.mkv" -map 0:a:0 audio1.wav
ffmpeg version 7.0.2-essentials_build-www.gyan.dev Copyright (c) 2000-2024 the FFmpeg developers
  built with gcc 13.2.0 (Rev5, Built by MSYS2 project)
  configuration: --enable-gpl --enable-version3 --enable-static --disable-w32threads --disable-autodetect --enable-fontconfig --enable-iconv --enable-gnutls --enable-libxml2 --enable-gmp --enable-bzlib --enable-lzma --enable-zlib --enable-libsrt --enable-libssh --enable-libzmq --enable-avisynth --enable-sdl2 --enable-libwebp --enable-libx264 --enable-libx265 --enable-libxvid --enable-libaom --enable-libopenjpeg --enable-libvpx --enable-mediafoundation --enable-libass --enable-libfreetype --enable-libfribidi --enable-libharfbuzz --enable-libvidstab --enable-libvmaf --enable-libzimg --enable-amf --enable-cuda-llvm --enable-cuvid --enable-dxva2 --enable-d3d11va --enable-d3d12va --enable-ffnvcodec --enable-libvpl --enable-nvdec --enable-nvenc --enable-vaapi --enable-libgme --enable-libopenmpt --enable-libopencore-amrwb --enable-libmp3lame --enable-libtheora --enable-libvo-amrwbenc --enable-libgsm --enable-libopencore-amrnb --enable-libopus --enable-libspeex --enable-libvorbis --enable-librubberband
  libavutil      59.  8.100 / 59.  8.100
  libavcodec     61.  3.100 / 61.  3.100
  libavformat    61.  1.100 / 61.  1.100
  libavdevice    61.  1.100 / 61.  1.100
  libavfilter    10.  1.100 / 10.  1.100
  libswscale      8.  1.100 /  8.  1.100
  libswresample   5.  1.100 /  5.  1.100
  libpostproc    58.  1.100 / 58.  1.100
Input #0, matroska,webm, from '只是刚好情窦初开遇到你.mkv':
  Metadata:
    encoder         : libebml v1.3.4 + libmatroska v1.4.5
    creation_time   : 2025-03-03T12:00:09.000000Z
  Duration: 05:50:19.50, start: 0.000000, bitrate: 2 kb/s
  Stream #0:0: Video: h264 (High), yuv420p(progressive), 1920x1080 [SAR 1:1 DAR 16:9], 23.81 fps, 23.81 tbr, 1k tbn (default)
      Metadata:
        BPS             : 3406202
        BPS-eng         : 3406202
        DURATION        : 00:00:12.513000000
        DURATION-eng    : 00:00:12.513000000
        NUMBER_OF_FRAMES: 300
        NUMBER_OF_FRAMES-eng: 300
        NUMBER_OF_BYTES : 5327726
        NUMBER_OF_BYTES-eng: 5327726
        _STATISTICS_WRITING_APP: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_APP-eng: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_DATE_UTC: 2025-03-03 12:00:09
        _STATISTICS_WRITING_DATE_UTC-eng: 2025-03-03 12:00:09
        _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
  Stream #0:1: Audio: aac (LC), 48000 Hz, stereo, fltp (default)
      Metadata:
        BPS             : 92763
        BPS-eng         : 92763
        DURATION        : 00:00:12.586000000
        DURATION-eng    : 00:00:12.586000000
        NUMBER_OF_FRAMES: 590
        NUMBER_OF_FRAMES-eng: 590
        NUMBER_OF_BYTES : 145940
        NUMBER_OF_BYTES-eng: 145940
        _STATISTICS_WRITING_APP: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_APP-eng: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_DATE_UTC: 2025-03-03 12:00:09
        _STATISTICS_WRITING_DATE_UTC-eng: 2025-03-03 12:00:09
        _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
  Stream #0:2: Audio: mp3 (mp3float), 48000 Hz, stereo, fltp, 119 kb/s
      Metadata:
        BPS             : 127878
        BPS-eng         : 127878
        DURATION        : 00:00:12.648000000
        DURATION-eng    : 00:00:12.648000000
        NUMBER_OF_FRAMES: 527
        NUMBER_OF_FRAMES-eng: 527
        NUMBER_OF_BYTES : 202176
        NUMBER_OF_BYTES-eng: 202176
        _STATISTICS_WRITING_APP: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_APP-eng: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_DATE_UTC: 2025-03-03 12:00:09
        _STATISTICS_WRITING_DATE_UTC-eng: 2025-03-03 12:00:09
        _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
  Stream #0:3: Subtitle: ass (ssa) (default)
      Metadata:
        BPS             : 207
        BPS-eng         : 207
        DURATION        : 05:50:19.500000000
        DURATION-eng    : 05:50:19.500000000
        NUMBER_OF_FRAMES: 8408
        NUMBER_OF_FRAMES-eng: 8408
        NUMBER_OF_BYTES : 545406
        NUMBER_OF_BYTES-eng: 545406
        _STATISTICS_WRITING_APP: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_APP-eng: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_DATE_UTC: 2025-03-03 12:00:09
        _STATISTICS_WRITING_DATE_UTC-eng: 2025-03-03 12:00:09
        _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
Stream mapping:
  Stream #0:1 -> #0:0 (aac (native) -> pcm_s16le (native))
Press [q] to stop, [?] for help
Output #0, wav, to 'audio1.wav':
  Metadata:
    ISFT            : Lavf61.1.100
  Stream #0:0: Audio: pcm_s16le ([1][0][0][0] / 0x0001), 48000 Hz, stereo, s16, 1536 kb/s (default)
      Metadata:
        BPS             : 92763
        BPS-eng         : 92763
        DURATION        : 00:00:12.586000000
        DURATION-eng    : 00:00:12.586000000
        NUMBER_OF_FRAMES: 590
        NUMBER_OF_FRAMES-eng: 590
        NUMBER_OF_BYTES : 145940
        NUMBER_OF_BYTES-eng: 145940
        _STATISTICS_WRITING_APP: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_APP-eng: mkvmerge v9.5.0 ('Quiet Fire') 32bit
        _STATISTICS_WRITING_DATE_UTC: 2025-03-03 12:00:09
        _STATISTICS_WRITING_DATE_UTC-eng: 2025-03-03 12:00:09
        _STATISTICS_TAGS: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        _STATISTICS_TAGS-eng: BPS DURATION NUMBER_OF_FRAMES NUMBER_OF_BYTES
        encoder         : Lavc61.3.100 pcm_s16le
[out#0/wav @ 000002dd2c07c680] video:0KiB audio:2360KiB subtitle:0KiB other streams:0KiB global headers:0KiB muxing overhead: 0.003228%
size=    2360KiB time=00:00:12.58 bitrate=1536.2kbits/s speed= 957x

视频流 (Stream #0:0)
- 编码：H.264 (High Profile)
- 分辨率：1920x1080 (16:9)
- 帧率：23.81 fps
- 实际时长：00:00:12.513（12.513秒）
- 帧数：300 帧
- 数据量：5,327,726 字节
音频流
- Stream #0:1 (默认音轨)：AAC，48kHz，立体声，时长 00:00:12.586
- Stream #0:2 (第二音轨)：MP3，48kHz，立体声，时长 00:00:12.648
字幕流 (Stream #0:3)
- 格式：ASS (SSA)
- 异常时长：05:50:19.50（5小时50分19秒）
- 帧数：8,408 帧
- 数据量：545,406 字节
全局元数据
- 文件总时长显示为 05:50:19.50，但实际视频/音频时长均约 12 秒。

提取音频：

ffmpeg -i "只是刚好情窦初开遇到你.mkv" -map 0:a:0 audio1.wav

ffmpeg -i "只是刚好情窦初开遇到你.mkv" -map 0:a:1 audio2.wav

提取字幕流：

ffmpeg -i "只是刚好情窦初开遇到你.mkv" -map 0:s:0 subtitle.ass

将数据部分导出

import re

def extract_hex_from_dialogues(input_file, output_file):

    # 打开输入文件并读取内容
    with open(input_file, 'r', encoding='utf-8') as infile:
        lines = infile.readlines()

    # 打开输出文件准备写入提取结果
    with open(output_file, 'w', encoding='utf-8') as outfile:
        for line in lines:
            # 使用正则表达式匹配 Dialogue 行
            match = re.match(r'^Dialogue:.*,,(.+)$', line)
            if match:
                # 提取十六进制字符串部分
                hex_string = match.group(1).strip()
                # 写入输出文件
                outfile.write(hex_string + '\n')

# 示例用法
input_file_path = r'data.txt'  # 输入文件路径
output_file_path = r'extracted_hex.txt'   # 输出文件路径
extract_hex_from_dialogues(input_file_path, output_file_path)

从文段末来看，应该是aep文件

flag{l_re@IIy_w@nn@_2_Ie@rn_AE}

文本中有提示性字符

全局搜索) >> ] /16 false /17 0 >> /1 [ << /0 << /0 (?

会飞的雷克萨斯

已知 flag格式： flag{xx省xx市xx县xxx路xxxxxx内} 一个x代表一个字

flag{四川省内江市资中县春岚北路中铁城市中心内}

曼波曼波曼波

可以看到两张一样的图片，但是数据大小明显不同，猜测为双图盲水印

python .\bwmforpy3.py decode .\easy.png '.\EASY (2).png' 2.png

XYCTF{easy_yin_xie_dfbfuj877}

Reverse

WARMUP

vbs逆向

1
2

Execute(chr( 667205/8665 ) & chr( -7671+7786 ) & chr( 8541-8438 ) & chr( 422928/6408 ) & chr( -1948+2059 ) & chr( -3066+3186 ) & chr( 756-724 ) & chr( 4080/120 ) & chr( -3615+3683 ) & chr( -1619+1720 ) & chr( -2679+2776 ) & chr( 659718/5787 ) & chr( 302752/9461 ) & chr( -6627+6694 ) & chr( -4261+4345 ) & chr( 81690/1167 ) & chr( 636180/9220 ) & chr( 538658/6569 ) & chr( -1542+1588 ) & chr( -1644+1676 ) & chr( 122184/1697 ) & chr( 966411/9963 ) & chr( 2186-2068 ) & chr( -5283+5384 ) & chr( 305056/9533 ) & chr( 66402/651 ) & chr( 1141452/9756 ) & chr( 882090/8019 ) & chr( -4243+4275 ) & chr( 2669-2564 ) & chr( 83+27 ) & chr( 254880/7965 ) & chr( -1291+1379 ) & chr( -4699+4788 ) & chr( 4730-4663 ) & chr( -1179+1263 ) & chr( 5274-5204 ) & chr( 210144/6567 ) & chr( -6803+6853 ) & chr( 6655-6607 ) & chr( 4067-4017 ) & chr( 121900/2300 ) & chr( -6158+6191 ) & chr( 11934/351 ) & chr( 64883/4991 ) & chr( 65420/6542 ) & chr( 3781-3679 ) & chr( 1612-1504 ) & chr( 892788/9204 ) & chr( 927618/9006 ) & chr( -6692+6724 ) & chr( 410591/6731 ) & chr( 6675-6643 ) & chr( 697880/9560 ) & chr( 4250-4140 ) & chr( 5464-5352 ) & chr( -1082+1199 ) & chr( 3343-3227 ) & chr( 1211-1145 ) & chr( 482406/4346 ) & chr( -5549+5669 ) & chr( -5150+5190 ) & chr( 4400-4366 ) & chr( -3277+3346 ) & chr( -6649+6759 ) & chr( -5669+5785 ) & chr( -6734+6835 ) & chr( 9757-9643 ) & chr( 109-77 ) & chr( 5620-5504 ) & chr( -2887+2991 ) & chr( -3081+3182 ) & chr( -5109+5141 ) & chr( 699860/9998 ) & chr( -3603+3679 ) & chr( 1631-1566 ) & chr( 445-374 ) & chr( 294118/5071 ) & chr( -1115+1149 ) & chr( 222376/5054 ) & chr( 8137-8105 ) & chr( -1653+1687 ) & chr( 357104/4058 ) & chr( 1650-1561 ) & chr( -9501+9568 ) & chr( 1047-963 ) & chr( 2540-2470 ) & chr( 1692-1658 ) & chr( 9947-9906 ) & chr( 9186-9173 ) & chr( -2846+2856 ) & chr( 425187/3573 ) & chr( -3066+3167 ) & chr( 2850-2748 ) & chr( -2992+3090 ) & chr( 958230/8190 ) & chr( 869295/7305 ) & chr( 3380-3275 ) & chr( -7338+7455 ) & chr( 408848/4048 ) & chr( 9211-9179 ) & chr( -2437+2498 ) & chr( 1672-1640 ) & chr( 2378-2344 ) & chr( 544749/9557 ) & chr( 351120/7315 ) & chr( 773800/7738 ) & chr( 2033-1931 ) & chr( -8059+8111 ) & chr( -4731+4783 ) & chr( -9204+9252 ) & chr( -4261+4316 ) & chr( 850521/8421 ) & chr( -7011+7112 ) & chr( 292272/6089 ) & chr( -8609+8666 ) & chr( -2921+2972 ) & chr( 6772-6672 ) & chr( 487611/9561 ) & chr( -6754+6802 ) & chr( 464835/8155 ) & chr( -939+987 ) & chr( 421173/7389 ) & chr( -8145+8201 ) & chr( 9368-9268 ) & chr( -7682+7738 ) & chr( -8646+8699 ) & chr( 484612/4996 ) & chr( 286832/5516 ) & chr( -9710+9760 ) & chr( 884156/9022 ) & chr( 7080-6979 ) & chr( 265477/5009 ) & chr( 6+49 ) & chr( 5395-5298 ) & chr( 6645-6595 ) & chr( -9706+9763 ) & chr( -6697+6752 ) & chr( 927-870 ) & chr( 4048-3946 ) & chr( 34398/702 ) & chr( 825675/8175 ) & chr( -438+491 ) & chr( 87808/1792 ) & chr( -2601+2653 ) & chr( 420228/7782 ) & chr( -5266+5317 ) & chr( 53059/547 ) & chr( 477054/9354 ) & chr( 9238-9189 ) & chr( 799112/7912 ) & chr( 3340-3284 ) & chr( 8544-8444 ) & chr( 1220-1171 ) & chr( -7192+7245 ) & chr( 73629/729 ) & chr( 6523-6473 ) & chr( 2761-2659 ) & chr( 358124/3692 ) & chr( -6167+6266 ) & chr( -3842+3894 ) & chr( 7840-7739 ) & chr( -3980+4036 ) & chr( 987-935 ) & chr( 6868/68 ) & chr( -559+656 ) & chr( 6513-6465 ) & chr( 843300/8433 ) & chr( -8159+8261 ) & chr( -753+807 ) & chr( 278700/5574 ) & chr( 5600/112 ) & chr( -549+646 ) & chr( -7697+7750 ) & chr( 390292/7364 ) & chr( 988020/9980 ) & chr( -3250+3302 ) & chr( 6295-6195 ) & chr( 4342-4242 ) & chr( -9602+9704 ) & chr( 1312-1214 ) & chr( 1065-1012 ) & chr( 1122/22 ) & chr( 191012/3604 ) & chr( 330775/3275 ) & chr( 226848/2224 ) & chr( 4973-4922 ) & chr( 369357/3657 ) & chr( -7229+7282 ) & chr( 588/12 ) & chr( 57570/570 ) & chr( 4554-4498 ) & chr( 483924/4938 ) & chr( 485600/9712 ) & chr( 5051-4998 ) & chr( 8467-8417 ) & chr( -6799+6855 ) & chr( 668360/6820 ) & chr( 428008/7643 ) & chr( -309+359 ) & chr( -7495+7549 ) & chr( 198200/1982 ) & chr( -4298+4351 ) & chr( 2979-2928 ) & chr( -391+443 ) & chr( -5951+6006 ) & chr( -2271+2372 ) & chr( 1431-1382 ) & chr( -2812+2866 ) & chr( 4906-4853 ) & chr( -5308+5365 ) & chr( -8587+8636 ) & chr( -1003+1053 ) & chr( 468741/4641 ) & chr( 8449-8392 ) & chr( 14877/261 ) & chr( -5097+5146 ) & chr( 6695-6646 ) & chr( -2866+2922 ) & chr( 483786/9486 ) & chr( -4142+4193 ) & chr( 2347-2296 ) & chr( -1784+1833 ) & chr( 116229/2193 ) & chr( -1099+1148 ) & chr( 8230-8180 ) & chr( -4351+4406 ) & chr( 1975-1924 ) & chr( 779229/7871 ) & chr( 102960/1040 ) & chr( 67830/1330 ) & chr( -4771+4873 ) & chr( -32+129 ) & chr( 155456/2776 ) & chr( 9798-9700 ) & chr( 4944-4894 ) & chr( -2496+2594 ) & chr( 5495-5444 ) & chr( 8113-8015 ) & chr( -8444+8496 ) & chr( 3896-3847 ) & chr( 6306-6255 ) & chr( 1284-1185 ) & chr( 1003986/9843 ) & chr( -1321+1371 ) & chr( 2676-2578 ) & chr( -5421+5521 ) & chr( 564186/5757 ) & chr( 6608-6559 ) & chr( 7038-6937 ) & chr( 209720/3745 ) & chr( -616+715 ) & chr( 9766-9709 ) & chr( 2111-2012 ) & chr( 528993/9981 ) & chr( 1901-1851 ) & chr( 281344/5024 ) & chr( 5695-5641 ) & chr( 4815-4762 ) & chr( 399556/3956 ) & chr( 572730/5615 ) & chr( -5718+5817 ) & chr( 21+27 ) & chr( 4532-4475 ) & chr( -8446+8499 ) & chr( 5786-5689 ) & chr( 4177-4121 ) & chr( -8411+8511 ) & chr( -9499+9599 ) & chr( 479528/8563 ) & chr( 6850-6793 ) & chr( -3725+3823 ) & chr( -8692+8743 ) & chr( 284298/2901 ) & chr( 214302/4202 ) & chr( 576675/5825 ) & chr( -4565+4667 ) & chr( -7223+7321 ) & chr( 383278/3911 ) & chr( -2540+2590 ) & chr( 35+13 ) & chr( -5549+5597 ) & chr( 969122/9889 ) & chr( 964712/9844 ) & chr( -6231+6328 ) & chr( -1560+1660 ) & chr( -7416+7514 ) & chr( 609144/5972 ) & chr( 471432/9066 ) & chr( -4500+4597 ) & chr( 8620-8566 ) & chr( 7113-7014 ) & chr( -2488+2588 ) & chr( -3599+3651 ) & chr( 211956/6234 ) & chr( 1697-1665 ) & chr( -5122+5161 ) & chr( -3189+3221 ) & chr( -5840+114 ) & chr( -37790+6278 ) & chr( -8.231351E+07/3957 ) & chr( -14110+7864 ) & chr( -30457-1205 ) & chr( 9930-9863 ) & chr( 107-55 ) & chr( 517-7291 ) & chr( -31263+6916 ) & chr( -29685+9083 ) & chr( -2.138515E+07/3442 ) & chr( -26304-1370 ) & chr( -1.510879E+08/6060 ) & chr( -903-3261 ) & chr( -22484-8007 ) & chr( -34437+5126 ) & chr( -10635+3856 ) & chr( -1.97004E+08/9374 ) & chr( -1.079768E+08/6550 ) & chr( -2.533546E+07/3739 ) & chr( -25645+6931 ) & chr( -1.720817E+08/7056 ) & chr( -12498+5774 ) & chr( -2.164872E+08/7546 ) & chr( -8955-8316 ) & chr( -3584+3597 ) & chr( -1280+1290 ) & chr( 795633/7041 ) & chr( 291669/2451 ) & chr( 9044-8942 ) & chr( 264014/2614 ) & chr( -7841+7873 ) & chr( 10919/179 ) & chr( 22272/696 ) & chr( -8135+8169 ) & chr( -5733+5847 ) & chr( 371547/3753 ) & chr( 473980/9115 ) & chr( 391-284 ) & chr( -1824+1925 ) & chr( -1707+1828 ) & chr( 2151-2117 ) & chr( 2535/195 ) & chr( 7236-7226 ) & chr( 58097/4469 ) & chr( 2710/271 ) & chr( 118677/3043 ) & chr( -7992+8024 ) & chr( -5.682766E+07/8145 ) & chr( -3.747722E+07/1805 ) & chr( -20535-2876 ) & chr( -5076000/750 ) & chr( -28220-733 ) & chr( -33583+7603 ) & chr( 7730-7648 ) & chr( 7057-6990 ) & chr( 338728/6514 ) & chr( -4.203267E+07/6205 ) & chr( -20128-4219 ) & chr( -29090+8488 ) & chr( -7954+1177 ) & chr( -25730+8808 ) & chr( -23859-3357 ) & chr( -2130+2143 ) & chr( 6827-6817 ) & chr( 4334-4264 ) & chr( 4851-4734 ) & chr( 5121-5011 ) & chr( 7034-6935 ) & chr( 4197-4081 ) & chr( -1823+1928 ) & chr( 1032744/9304 ) & chr( 1547-1437 ) & chr( -7393+7425 ) & chr( 608932/7426 ) & chr( 864513/7389 ) & chr( 1748-1638 ) & chr( 501676/6118 ) & chr( 510473/7619 ) & chr( -6752+6792 ) & chr( -5142+5257 ) & chr( -9558+9635 ) & chr( 7906-7805 ) & chr( 5308-5193 ) & chr( 163300/1420 ) & chr( 10961/113 ) & chr( 740364/7188 ) & chr( -5327+5428 ) & chr( 5703-5659 ) & chr( -7307+7339 ) & chr( 445970/3878 ) & chr( 608-492 ) & chr( -4799+4913 ) & chr( -3687+3762 ) & chr( 9993-9892 ) & chr( 1032493/8533 ) & chr( 103607/2527 ) & chr( 123266/9482 ) & chr( 61520/6152 ) & chr( 251424/7857 ) & chr( 104032/3251 ) & chr( -7228+7260 ) & chr( 239648/7489 ) & chr( -1858+1926 ) & chr( 865515/8243 ) & chr( 818481/7509 ) & chr( 244384/7637 ) & chr( -4252+4359 ) & chr( 10+66 ) & chr( -3202+3303 ) & chr( 466070/4237 ) & chr( 3973-3929 ) & chr( -7658+7690 ) & chr( 563430/5366 ) & chr( 168872/3838 ) & chr( 306144/9567 ) & chr( 158046/1491 ) & chr( 311740/7085 ) & chr( -6862+6894 ) & chr( 621760/5360 ) & chr( -8151+8252 ) & chr( 9608-9499 ) & chr( 309680/2765 ) & chr( 244288/5552 ) & chr( 6191-6159 ) & chr( 705936/6303 ) & chr( 4828-4717 ) & chr( 1097330/9542 ) & chr( 431596/9809 ) & chr( -8819+8851 ) & chr( 546675/4925 ) & chr( 805545/6885 ) & chr( -5087+5203 ) & chr( 1223-1151 ) & chr( 9566-9465 ) & chr( 2413-2293 ) & chr( 4760-4747 ) & chr( -4859+4869 ) & chr( 3357-3325 ) & chr( 667-635 ) & chr( -2223+2255 ) & chr( 4357-4325 ) & chr( 366928/5396 ) & chr( 203175/1935 ) & chr( -7837+7946 ) & chr( 47936/1498 ) & chr( 3589-3474 ) & chr( 254920/6373 ) & chr( 3498-3448 ) & chr( 54113/1021 ) & chr( 9319-9266 ) & chr( 380767/9287 ) & chr( 298804/6791 ) & chr( -5151+5183 ) & chr( 3487-3380 ) & chr( 246760/6169 ) & chr( 7465-7415 ) & chr( -8879+8932 ) & chr( -281+334 ) & chr( 314470/7670 ) & chr( -1151+1164 ) & chr( 4880-4870 ) & chr( 3582-3550 ) & chr( 147008/4594 ) & chr( 169248/5289 ) & chr( -8224+8256 ) & chr( 4654/358 ) & chr( -2894+2904 ) & chr( 3479-3447 ) & chr( 2036-2004 ) & chr( 7024-6992 ) & chr( -8686+8718 ) & chr( -664+703 ) & chr( 53952/1686 ) & chr( -10371+3595 ) & chr( -21805-3310 ) & chr( -1.930486E+08/8525 ) & chr( -6242-530 ) & chr( -2.479211E+08/9214 ) & chr( -28712+8110 ) & chr( 4047-9789 ) & chr( 278397/4419 ) & chr( -6794+6804 ) & chr( 310624/9707 ) & chr( 120896/3778 ) & chr( 6925-6893 ) & chr( 8256-8224 ) & chr( -4736+4843 ) & chr( 1256-1180 ) & chr( 4250-4149 ) & chr( -9132+9242 ) & chr( 173344/5417 ) & chr( -9030+9091 ) & chr( 72-40 ) & chr( 344204/4529 ) & chr( 351985/3485 ) & chr( 6120-6010 ) & chr( 1113-1073 ) & chr( 2781-2666 ) & chr( 6375-6259 ) & chr( 780330/6845 ) & chr( 106050/1414 ) & chr( 1239-1138 ) & chr( -986+1107 ) & chr( 324351/7911 ) & chr( -7872+7885 ) & chr( -1326+1336 ) & chr( 17728/554 ) & chr( 61600/1925 ) & chr( -4930+4962 ) & chr( 113856/3558 ) & chr( -7210+7280 ) & chr( 3126-3015 ) & chr( 9894-9780 ) & chr( 2040-2008 ) & chr( 957810/9122 ) & chr( -1680+1712 ) & chr( -7068+7129 ) & chr( -9765+9797 ) & chr( 4121-4073 ) & chr( -9924+9956 ) & chr( -4370+4454 ) & chr( 437340/3940 ) & chr( 5315-5283 ) & chr( 304500/6090 ) & chr( -6807+6860 ) & chr( 19186/362 ) & chr( -6044+6057 ) & chr( 9876-9866 ) & chr( -2071+2103 ) & chr( 8923-8891 ) & chr( 4890-4858 ) & chr( 7473-7441 ) & chr( 5632-5600 ) & chr( 8294-8262 ) & chr( -271+303 ) & chr( 6410-6378 ) & chr( 5536-5421 ) & chr( 44720/1118 ) & chr( 6272-6167 ) & chr( 26568/648 ) & chr( 233440/7295 ) & chr( -8944+9005 ) & chr( 204192/6381 ) & chr( 5731-5626 ) & chr( 9617-9604 ) & chr( 7388-7378 ) & chr( 960/30 ) & chr( 99008/3094 ) & chr( 8422-8390 ) & chr( 19136/598 ) & chr( -6328+6360 ) & chr( 199712/6241 ) & chr( -2315+2347 ) & chr( -6898+6930 ) & chr( 9875-9768 ) & chr( -4621+4661 ) & chr( -7725+7830 ) & chr( -3507+3548 ) & chr( 4844-4812 ) & chr( 570716/9356 ) & chr( -3814+3846 ) & chr( -1467+1532 ) & chr( 138115/1201 ) & chr( -7634+7733 ) & chr( -7021+7061 ) & chr( 942-865 ) & chr( 924630/8806 ) & chr( 8706-8606 ) & chr( -6756+6796 ) & chr( -5325+5440 ) & chr( 2765-2649 ) & chr( -7079+7193 ) & chr( 2100/28 ) & chr( 8156-8055 ) & chr( -7792+7913 ) & chr( 5324/121 ) & chr( 6423-6391 ) & chr( 5454-5414 ) & chr( -4828+4933 ) & chr( 13504/422 ) & chr( 244552/3176 ) & chr( -3016+3127 ) & chr( -4103+4203 ) & chr( 2567-2535 ) & chr( 435-328 ) & chr( 787-711 ) & chr( 1474-1373 ) & chr( 803550/7305 ) & chr( -5410+5451 ) & chr( -6556+6588 ) & chr( -2204+2247 ) & chr( 223424/6982 ) & chr( -8753+8802 ) & chr( 135872/3088 ) & chr( -7757+7789 ) & chr( 272-223 ) & chr( 340177/8297 ) & chr( 1487-1446 ) & chr( -9083+9115 ) & chr( 7132-7093 ) & chr( 4540-4508 ) & chr( -13541+6804 ) & chr( -7.75285E+07/2501 ) & chr( -32055+4060 ) & chr( -1318-5661 ) & chr( -5.265648E+07/3209 ) & chr( -31857+4377 ) & chr( 585065/9001 ) & chr( -2558+2641 ) & chr( -8549+8616 ) & chr( 6403-6330 ) & chr( 6271-6198 ) & chr( -2.477346E+07/3988 ) & chr( -17020-9885 ) & chr( -2542488/104 ) & chr( -1327+1340 ) & chr( -887+897 ) & chr( -7751+7783 ) & chr( 2629-2597 ) & chr( -6489+6521 ) & chr( 2254-2222 ) & chr( 154518/1981 ) & chr( -764+865 ) & chr( 629040/5242 ) & chr( 1098636/9471 ) & chr( 78793/6061 ) & chr( -7110+7120 ) & chr( -7378+7410 ) & chr( -1777+1809 ) & chr( 2538-2506 ) & chr( 119392/3731 ) & chr( -4327+4340 ) & chr( 10580/1058 ) & chr( -7677+7709 ) & chr( 8254-8222 ) & chr( 3782-3750 ) & chr( 214240/6695 ) & chr( 7006-6967 ) & chr( 8305-8273 ) & chr( 4841-4766 ) & chr( 937-854 ) & chr( 616460/9484 ) & chr( -16-6721 ) & chr( -28078-2921 ) & chr( -24670-3325 ) & chr( -9340+3372 ) & chr( -25211-6560 ) & chr( -22908+5154 ) & chr( 6567-6554 ) & chr( -635+645 ) & chr( -5907+5939 ) & chr( 4841-4809 ) & chr( 20576/643 ) & chr( -2196+2228 ) & chr( 3270-3164 ) & chr( 212384/6637 ) & chr( 509533/8353 ) & chr( 94368/2949 ) & chr( -1648+1696 ) & chr( 23335/1795 ) & chr( -86+96 ) & chr( 209408/6544 ) & chr( 5186-5154 ) & chr( 91072/2846 ) & chr( 8978-8946 ) & chr( 45850/655 ) & chr( 256632/2312 ) & chr( -8647+8761 ) & chr( 5661-5629 ) & chr( 191940/1828 ) & chr( 2132-2100 ) & chr( -9855+9916 ) & chr( 3562-3530 ) & chr( 24864/518 ) & chr( 275424/8607 ) & chr( 3176-3092 ) & chr( 3798-3687 ) & chr( -6055+6087 ) & chr( -6024+6074 ) & chr( -6425+6478 ) & chr( -9745+9798 ) & chr( 23387/1799 ) & chr( -3891+3901 ) & chr( -4637+4669 ) & chr( -3183+3215 ) & chr( 9860-9828 ) & chr( 1677-1645 ) & chr( 3698-3666 ) & chr( -7915+7947 ) & chr( 200128/6254 ) & chr( -3984+4016 ) & chr( 5982-5876 ) & chr( -5627+5659 ) & chr( 6122-6061 ) & chr( -5851+5883 ) & chr( 204520/5113 ) & chr( -566+672 ) & chr( 260512/8141 ) & chr( 7314-7271 ) & chr( -1563+1595 ) & chr( 5079-4964 ) & chr( 11680/292 ) & chr( 8464-8359 ) & chr( 6991-6950 ) & chr( -3136+3168 ) & chr( 4262-4219 ) & chr( 4518-4486 ) & chr( 9317-9210 ) & chr( 7615-7575 ) & chr( 55650/530 ) & chr( 1185-1144 ) & chr( 7853-7812 ) & chr( -3099+3131 ) & chr( 288288/3744 ) & chr( -8871+8982 ) & chr( -8502+8602 ) & chr( 2470-2438 ) & chr( 364100/7282 ) & chr( -8754+8807 ) & chr( 476874/8831 ) & chr( 768-755 ) & chr( 8485-8475 ) & chr( -6548+6580 ) & chr( 68960/2155 ) & chr( 31904/997 ) & chr( 113792/3556 ) & chr( -8387+8419 ) & chr( 116448/3639 ) & chr( 279552/8736 ) & chr( -2637+2669 ) & chr( -5483+5599 ) & chr( 4853-4752 ) & chr( -7090+7199 ) & chr( 544320/4860 ) & chr( 305600/9550 ) & chr( 510570/8370 ) & chr( 72640/2270 ) & chr( 3200-3085 ) & chr( -6820+6860 ) & chr( 396375/3775 ) & chr( -7447+7488 ) & chr( -9189+9202 ) & chr( -4261+4271 ) & chr( 1688-1656 ) & chr( 9083-9051 ) & chr( 9012-8980 ) & chr( -3650+3682 ) & chr( 291424/9107 ) & chr( 842-810 ) & chr( -7058+7090 ) & chr( -7119+7151 ) & chr( -4515+4630 ) & chr( 9315-9275 ) & chr( 2216-2111 ) & chr( -1847+1888 ) & chr( 100192/3131 ) & chr( 8671-8610 ) & chr( -1498+1530 ) & chr( 5376-5261 ) & chr( 965-925 ) & chr( 597628/5638 ) & chr( -6697+6738 ) & chr( 9809-9796 ) & chr( 740-730 ) & chr( 4866-4834 ) & chr( 8064-8032 ) & chr( 8204-8172 ) & chr( 6706-6674 ) & chr( -3302+3334 ) & chr( -9585+9617 ) & chr( 8259-8227 ) & chr( 9319-9287 ) & chr( 6042-5927 ) & chr( -4563+4603 ) & chr( 843124/7954 ) & chr( -468+509 ) & chr( 91-59 ) & chr( 55+6 ) & chr( -470+502 ) & chr( 8800-8684 ) & chr( -732+833 ) & chr( 1859-1750 ) & chr( -9065+9177 ) & chr( -3551+3564 ) & chr( -5998+6008 ) & chr( 309248/9664 ) & chr( 78080/2440 ) & chr( 1337-1305 ) & chr( 1031-999 ) & chr( -2405+2483 ) & chr( 900011/8911 ) & chr( 9591-9471 ) & chr( 3993-3877 ) & chr( 37024/2848 ) & chr( 2372-2362 ) & chr( -1999+2031 ) & chr( 402-370 ) & chr( 2339-2307 ) & chr( 215232/6726 ) & chr( 56706/4362 ) & chr( 88610/8861 ) & chr( 6347-6315 ) & chr( -1057+1089 ) & chr( -8215+8247 ) & chr( -5359+5391 ) & chr( 360048/9232 ) & chr( 150208/4694 ) & chr( 549760/6872 ) & chr( 709710/8655 ) & chr( -9253+9324 ) & chr( -1875+1940 ) & chr( 3060-9834 ) & chr( -1.219054E+08/5007 ) & chr( -16837-3765 ) & chr( -13859+7384 ) & chr( -40413+8132 ) & chr( -7.735399E+07/3455 ) & chr( -3620+3633 ) & chr( 7370/737 ) & chr( 9207-9175 ) & chr( 21216/663 ) & chr( -8881+8913 ) & chr( 59712/1866 ) & chr( 1881-1776 ) & chr( 5987-5955 ) & chr( 213378/3498 ) & chr( 185536/5798 ) & chr( -1106+1154 ) & chr( -6274+6306 ) & chr( 244-186 ) & chr( -7680+7712 ) & chr( 417216/3936 ) & chr( 1383-1351 ) & chr( 346419/5679 ) & chr( -7913+7945 ) & chr( 3201-3153 ) & chr( 268160/8380 ) & chr( -5532+5590 ) & chr( -6959+6991 ) & chr( 3356-3245 ) & chr( -7222+7339 ) & chr( 9549-9433 ) & chr( -426+498 ) & chr( 510555/5055 ) & chr( 699720/5831 ) & chr( -5601+5633 ) & chr( 260653/4273 ) & chr( 26752/836 ) & chr( 4148-4114 ) & chr( -6483+6517 ) & chr( 120601/9277 ) & chr( 92430/9243 ) & chr( 3296/103 ) & chr( 3355-3323 ) & chr( 6661-6629 ) & chr( -309+341 ) & chr( -4300+4370 ) & chr( 132090/1190 ) & chr( 296742/2603 ) & chr( -568+600 ) & chr( 576016/5143 ) & chr( 4279-4168 ) & chr( -3514+3629 ) & chr( -7862+7894 ) & chr( 201544/3304 ) & chr( 6720/210 ) & chr( -1246+1295 ) & chr( 6539-6507 ) & chr( 7479-7395 ) & chr( 685536/6176 ) & chr( -7312+7344 ) & chr( -2052+2128 ) & chr( -8510+8611 ) & chr( 311630/2833 ) & chr( 8715-8675 ) & chr( -6734+6849 ) & chr( -5728+5805 ) & chr( 9955-9854 ) & chr( 269445/2343 ) & chr( -4059+4174 ) & chr( 47142/486 ) & chr( 921-818 ) & chr( 663-562 ) & chr( 164328/4008 ) & chr( 23634/1818 ) & chr( 82110/8211 ) & chr( 5730-5698 ) & chr( 245312/7666 ) & chr( 1656-1624 ) & chr( 269536/8423 ) & chr( 168864/5277 ) & chr( -2835+2867 ) & chr( -9348+9380 ) & chr( 216128/6754 ) & chr( -6873+6978 ) & chr( 8769-8737 ) & chr( -7159+7220 ) & chr( -2374+2406 ) & chr( 145560/3639 ) & chr( 84945/809 ) & chr( 4967-4935 ) & chr( 3533-3490 ) & chr( -8222+8254 ) & chr( -5971+6020 ) & chr( 203811/4971 ) & chr( 64768/2024 ) & chr( -8894+8971 ) & chr( -7605+7716 ) & chr( 7530-7430 ) & chr( 8961-8929 ) & chr( 204800/4096 ) & chr( 34291/647 ) & chr( 5124-5070 ) & chr( 117455/9035 ) & chr( 70910/7091 ) & chr( 191072/5971 ) & chr( -8276+8308 ) & chr( 194464/6077 ) & chr( 1606-1574 ) & chr( 200032/6251 ) & chr( -183+215 ) & chr( 7729-7697 ) & chr( -6288+6320 ) & chr( 563-457 ) & chr( 48544/1517 ) & chr( 504-443 ) & chr( -227+259 ) & chr( 358600/8965 ) & chr( 5705-5599 ) & chr( -4736+4768 ) & chr( 321554/7478 ) & chr( -8525+8557 ) & chr( 402615/3501 ) & chr( 1320/33 ) & chr( 233100/2220 ) & chr( 7463-7422 ) & chr( 8959-8918 ) & chr( 9538-9506 ) & chr( -3809+3886 ) & chr( 17094/154 ) & chr( 3305-3205 ) & chr( 5389-5357 ) & chr( 101450/2029 ) & chr( -2702+2755 ) & chr( 422-368 ) & chr( 3681-3668 ) & chr( 1374-1364 ) & chr( 244192/7631 ) & chr( 2106-2074 ) & chr( 301504/9422 ) & chr( 6788-6756 ) & chr( 275072/8596 ) & chr( -2612+2644 ) & chr( 1544-1512 ) & chr( 263424/8232 ) & chr( 5985-5869 ) & chr( 409555/4055 ) & chr( 7844-7735 ) & chr( 668752/5971 ) & chr( 1110-1078 ) & chr( -880+941 ) & chr( 9828-9796 ) & chr( 610650/5310 ) & chr( -2213+2253 ) & chr( 5697-5592 ) & chr( 340505/8305 ) & chr( 1757-1744 ) & chr( 88340/8834 ) & chr( 2986-2954 ) & chr( -7747+7779 ) & chr( 5952-5920 ) & chr( 6697-6665 ) & chr( 180160/5630 ) & chr( 1671-1639 ) & chr( -8613+8645 ) & chr( 95904/2997 ) & chr( 8994-8879 ) & chr( 7256-7216 ) & chr( -5776+5881 ) & chr( 1529-1488 ) & chr( 179680/5615 ) & chr( -684+745 ) & chr( 119840/3745 ) & chr( 828000/7200 ) & chr( -1371+1411 ) & chr( 2474-2368 ) & chr( 144033/3513 ) & chr( 1617-1604 ) & chr( 9503-9493 ) & chr( -1100+1132 ) & chr( 211680/6615 ) & chr( 7607-7575 ) & chr( 5777-5745 ) & chr( 319712/9991 ) & chr( -9605+9637 ) & chr( 140672/4396 ) & chr( 3740-3708 ) & chr( 92575/805 ) & chr( 9363-9323 ) & chr( 292136/2756 ) & chr( -9536+9577 ) & chr( -9310+9342 ) & chr( 7634-7573 ) & chr( -9716+9748 ) & chr( -7090+7206 ) & chr( 376-275 ) & chr( -6333+6442 ) & chr( 3986-3874 ) & chr( 3115-3102 ) & chr( -2171+2181 ) & chr( 100544/3142 ) & chr( 74-42 ) & chr( -1400+1432 ) & chr( 81504/2547 ) & chr( 5073-5041 ) & chr( 4596-4564 ) & chr( 9048-9016 ) & chr( -2733+2765 ) & chr( -4650+4663 ) & chr( -151+161 ) & chr( 10592/331 ) & chr( 3163-3131 ) & chr( 4722-4690 ) & chr( 30624/957 ) & chr( 2545-2513 ) & chr( 251232/7851 ) & chr( -2926+2958 ) & chr( 239584/7487 ) & chr( 389-350 ) & chr( -2+34 ) & chr( -5.053404E+07/7460 ) & chr( -26034+1687 ) & chr( -19313-1289 ) & chr( -30-6697 ) & chr( -17366-1346 ) & chr( -15077-1903 ) & chr( -6552-432 ) & chr( -13927-3764 ) & chr( -37232+7921 ) & chr( 1107-7886 ) & chr( -15477-5539 ) & chr( -1.750707E+07/1062 ) & chr( -3.826407E+07/5647 ) & chr( 364959/5793 ) & chr( 2034-2024 ) & chr( -7296+7328 ) & chr( -3111+3143 ) & chr( -3156+3188 ) & chr( 7990-7958 ) & chr( 166496/5203 ) & chr( -4151+4183 ) & chr( 4071-4039 ) & chr( 9102-9070 ) & chr( -6166+6234 ) & chr( 283185/2697 ) & chr( 3833-3724 ) & chr( 119776/3743 ) & chr( 658224/5877 ) & chr( 7881-7773 ) & chr( 390328/4024 ) & chr( 8122-8017 ) & chr( 934010/8491 ) & chr( 579751/8653 ) & chr( -8024+8128 ) & chr( 57036/588 ) & chr( 2457-2343 ) & chr( 9781-9737 ) & chr( -5599+5631 ) & chr( -7710+7809 ) & chr( -4501+4606 ) & chr( 625072/5581 ) & chr( 783432/7533 ) & chr( 877488/8688 ) & chr( 6473-6359 ) & chr( 5963-5897 ) & chr( 150282/1242 ) & chr( -9775+9891 ) & chr( -7486+7587 ) & chr( 565-552 ) & chr( 5581-5571 ) & chr( 771-739 ) & chr( 69824/2182 ) & chr( 4603-4571 ) & chr( -5709+5741 ) & chr( 8242-8210 ) & chr( 94112/2941 ) & chr( 100352/3136 ) & chr( -8344+8376 ) & chr( -1824+1936 ) & chr( 6678-6570 ) & chr( 638454/6582 ) & chr( 6614-6509 ) & chr( 1012990/9209 ) & chr( 8744-8677 ) & chr( 561912/5403 ) & chr( 444163/4579 ) & chr( 10089-9975 ) & chr( 280960/8780 ) & chr( 320128/5248 ) & chr( -3399+3431 ) & chr( -1771+1836 ) & chr( 5417-5302 ) & chr( -1824+1923 ) & chr( 212600/5315 ) & chr( -4973+5050 ) & chr( 60060/572 ) & chr( 639000/6390 ) & chr( 355520/8888 ) & chr( 866410/7534 ) & chr( 5901-5824 ) & chr( 9869-9768 ) & chr( -4100+4215 ) & chr( 9973-9858 ) & chr( 601594/6202 ) & chr( 857887/8329 ) & chr( -7663+7764 ) & chr( -205+249 ) & chr( -5719+5751 ) & chr( 8618-8506 ) & chr( 822732/7412 ) & chr( 9707-9592 ) & chr( 106832/2428 ) & chr( 1917-1885 ) & chr( 7491-7442 ) & chr( 263507/6427 ) & chr( -3050+3091 ) & chr( 6688/209 ) & chr( 3579-3540 ) & chr( 62400/1950 ) & chr( -5.533603E+07/8508 ) & chr( -1.094461E+07/378 ) & chr( -19198-7803 ) & chr( -1503-5013 ) & chr( -22047-8352 ) & chr( -9364+9447 ) & chr( -3664+3731 ) & chr( 7198-7125 ) & chr( 6274-6201 ) & chr( -16376+9628 ) & chr( -3.882402E+07/1232 ) & chr( -35990+7452 ) & chr( 59020/4540 ) & chr( 32900/3290 ) & chr( 51776/1618 ) & chr( -7782+7814 ) & chr( 9795-9763 ) & chr( 254592/7956 ) & chr( 83520/2610 ) & chr( 7721-7689 ) & chr( -7133+7165 ) & chr( 1340-1308 ) & chr( 330066/3334 ) & chr( -9106+9211 ) & chr( 6064-5952 ) & chr( 6286-6182 ) & chr( -9220+9321 ) & chr( -2056+2170 ) & chr( 279444/4234 ) & chr( 5693-5572 ) & chr( 7627-7511 ) & chr( 9114-9013 ) & chr( 128864/4027 ) & chr( 465247/7627 ) & chr( -1215+1247 ) & chr( 9956-9841 ) & chr( -6215+6255 ) & chr( 26080/652 ) & chr( -5167+5282 ) & chr( 296520/7413 ) & chr( -5640+5745 ) & chr( -8069+8110 ) & chr( -740+772 ) & chr( 92235/2145 ) & chr( 6267-6235 ) & chr( -3504+3619 ) & chr( 11240/281 ) & chr( 753448/7108 ) & chr( -5324+5365 ) & chr( -5911+5952 ) & chr( -2746+2778 ) & chr( -2953+3030 ) & chr( 1074702/9682 ) & chr( -3942+4042 ) & chr( 8672-8640 ) & chr( 3343-3293 ) & chr( -9590+9643 ) & chr( -1920+1974 ) & chr( 190568/4648 ) & chr( -8907+8939 ) & chr( 4693-4605 ) & chr( 4103-3992 ) & chr( 1024974/8991 ) & chr( 117216/3663 ) & chr( -7725+7837 ) & chr( 1025460/9495 ) & chr( 6361-6264 ) & chr( 925995/8819 ) & chr( 166210/1511 ) & chr( 8106-8039 ) & chr( 256672/2468 ) & chr( 8511-8414 ) & chr( -1592+1706 ) & chr( 4349-4336 ) & chr( 20-10 ) & chr( 131648/4114 ) & chr( 3440-3408 ) & chr( 3286-3254 ) & chr( 86528/2704 ) & chr( -209+241 ) & chr( 176256/5508 ) & chr( -4786+4818 ) & chr( 24576/768 ) & chr( 973581/8771 ) & chr( -5686+5803 ) & chr( 1068012/9207 ) & chr( 419760/5830 ) & chr( 438138/4338 ) & chr( 6119-5999 ) & chr( 56320/1760 ) & chr( -5861+5922 ) & chr( -9201+9233 ) & chr( 6816-6705 ) & chr( 8085-7968 ) & chr( -365+481 ) & chr( 604944/8402 ) & chr( 246238/2438 ) & chr( -8362+8482 ) & chr( 171296/5353 ) & chr( -4409+4447 ) & chr( 6653-6621 ) & chr( 336856/4108 ) & chr( -7684+7789 ) & chr( 2731-2628 ) & chr( 6687-6583 ) & chr( 93496/806 ) & chr( 1485-1445 ) & chr( 5893-5859 ) & chr( 410832/8559 ) & chr( -4662+4696 ) & chr( 44352/1386 ) & chr( -9673+9711 ) & chr( 86144/2692 ) & chr( 507744/7052 ) & chr( 9182-9081 ) & chr( 7532-7412 ) & chr( 8068-8028 ) & chr( 921096/9304 ) & chr( 7511-7406 ) & chr( 542752/4846 ) & chr( 7625-7521 ) & chr( 811939/8039 ) & chr( -5529+5643 ) & chr( 366498/5553 ) & chr( 366993/3033 ) & chr( 116/1 ) & chr( -4380+4481 ) & chr( 234889/5729 ) & chr( 374-330 ) & chr( 7121-7089 ) & chr( -964+1014 ) & chr( -9185+9226 ) & chr( 53105/4085 ) & chr( 1368-1358 ) & chr( 3776-3744 ) & chr( 81760/2555 ) & chr( 2908-2876 ) & chr( 672/21 ) & chr( 591084/7578 ) & chr( -9777+9878 ) & chr( 4310-4190 ) & chr( -329+445 ) & chr( 8841-8828 ) & chr( 80190/8019 ) & chr( 9449-9417 ) & chr( 5188-5156 ) & chr( 6912/216 ) & chr( 46496/1453 ) & chr( 8868-8855 ) & chr( -6823+6833 ) & chr( -5834+5866 ) & chr( 7348-7316 ) & chr( 214720/6710 ) & chr( -3281+3313 ) & chr( -6230+6312 ) & chr( -281+398 ) & chr( -5980+6090 ) & chr( 2673-2591 ) & chr( 233897/3491 ) & chr( -8111+8143 ) & chr( -3952+4013 ) & chr( 7846-7814 ) & chr( 5859-5748 ) & chr( 661752/5656 ) & chr( 742632/6402 ) & chr( 2362-2290 ) & chr( 286234/2834 ) & chr( 814-694 ) & chr( 40105/3085 ) & chr( 4489-4479 ) & chr( -838+907 ) & chr( -8563+8673 ) & chr( -2698+2798 ) & chr( -2969+3001 ) & chr( 7600-7530 ) & chr( 896805/7665 ) & chr( -8073+8183 ) & chr( 1727-1628 ) & chr( -6557+6673 ) & chr( 3501-3396 ) & chr( 87357/787 ) & chr( 4403-4293 ) & chr( 3724-3711 ) & chr( 4260-4250 ) & chr( -6051+6064 ) & chr( -71+81 ) & chr( 466-427 ) & chr( 6300-6268 ) & chr( -15360+8376 ) & chr( -1.435792E+08/8237 ) & chr( -21866-10 ) & chr( -4.86175E+07/8145 ) & chr( -1.932544E+08/5987 ) & chr( 3287-3159 ) & chr( -19485+2053 ) & chr( -10516-6235 ) & chr( 78936/6072 ) & chr( -9394+9404 ) & chr( 551807/7559 ) & chr( 973692/9546 ) & chr( 310720/9710 ) & chr( 507832/6682 ) & chr( 4001-3934 ) & chr( -4647+4744 ) & chr( -6770+6885 ) & chr( 491163/4863 ) & chr( 10032-9992 ) & chr( -1066+1148 ) & chr( 174330/1490 ) & chr( 986700/8970 ) & chr( 78064/952 ) & chr( -5671+5738 ) & chr( -6282+6322 ) & chr( 4287-4185 ) & chr( 3549-3441 ) & chr( 790162/8146 ) & chr( 8188-8085 ) & chr( -800+844 ) & chr( 522-490 ) & chr( -5550+5663 ) & chr( 284291/2389 ) & chr( -9338+9440 ) & chr( -6438+6539 ) & chr( 8277-8236 ) & chr( -8711+8752 ) & chr( -5591+5623 ) & chr( 148291/2431 ) & chr( -3434+3466 ) & chr( 425372/5597 ) & chr( -5132+5199 ) & chr( -322+419 ) & chr( 185380/1612 ) & chr( 5352-5251 ) & chr( 365160/9129 ) & chr( 9277-9158 ) & chr( -489+590 ) & chr( 913002/8951 ) & chr( -8433+8531 ) & chr( 8830-8713 ) & chr( 1089-970 ) & chr( 192990/1838 ) & chr( -9564+9681 ) & chr( -5453+5554 ) & chr( 40221/981 ) & chr( -7928+7960 ) & chr( 756672/9008 ) & chr( 785824/7556 ) & chr( 1607-1506 ) & chr( -5161+5271 ) & chr( -8087+8100 ) & chr( 90010/9001 ) & chr( 34688/1084 ) & chr( 20224/632 ) & chr( 8731-8699 ) & chr( 178496/5578 ) & chr( -837+914 ) & chr( -4694+4809 ) & chr( -7603+7706 ) & chr( 619212/9382 ) & chr( 1092906/9846 ) & chr( 7594-7474 ) & chr( 69632/2176 ) & chr( 133042/3913 ) & chr( 9457-9390 ) & chr( 2319-2208 ) & chr( 475200/4320 ) & chr( -8977+9080 ) & chr( -8597+8711 ) & chr( 1592-1495 ) & chr( 754812/6507 ) & chr( -6078+6195 ) & chr( -9522+9630 ) & chr( 1824-1727 ) & chr( -6145+6261 ) & chr( 312690/2978 ) & chr( -1513+1624 ) & chr( 902220/8202 ) & chr( 1378-1263 ) & chr( -8522+8555 ) & chr( -6796+6828 ) & chr( -57+124 ) & chr( -4239+4350 ) & chr( 964212/8458 ) & chr( 573534/5031 ) & chr( 565903/5603 ) & chr( -8417+8516 ) & chr( 1116732/9627 ) & chr( -8648+8680 ) & chr( -6586+6656 ) & chr( -1832+1908 ) & chr( -5339+5404 ) & chr( 559267/7877 ) & chr( 138765/4205 ) & chr( 2868-2834 ) & chr( 556-543 ) & chr( 53810/5381 ) & chr( 212589/3081 ) & chr( -4647+4755 ) & chr( 712885/6199 ) & chr( -1506+1607 ) & chr( 91234/7018 ) & chr( 1299-1289 ) & chr( -4904+4936 ) & chr( 9659-9627 ) & chr( 117024/3657 ) & chr( 38720/1210 ) & chr( 440748/5724 ) & chr( 19320/168 ) & chr( -9444+9547 ) & chr( -3384+3450 ) & chr( 9050-8939 ) & chr( -6493+6613 ) & chr( -5110+5142 ) & chr( -2061+2095 ) & chr( 1450-1363 ) & chr( 111+3 ) & chr( 9913-9802 ) & chr( 152680/1388 ) & chr( -1082+1185 ) & chr( 4066-4034 ) & chr( 6896-6794 ) & chr( 838-730 ) & chr( -2902+2999 ) & chr( 5974/58 ) & chr( -8244+8290 ) & chr( -9640+9674 ) & chr( 36491/2807 ) & chr( -2075+2085 ) & chr( -301+370 ) & chr( -2824+2934 ) & chr( -2915+3015 ) & chr( 1811-1779 ) & chr( -7946+8019 ) & chr( -5275+5377 ) & chr( -7424+7437 ) & chr( 34620/3462 ) &  vbcrlf  )

将开头的Execute换成wscript.echo可以得到源码，但是无法进行复制

将源码输出为文本cscript //nologo .\chal.vbs > output.txt

RC4加密，key为rc4key

MsgBox "Dear CTFER. Have fun in XYCTF 2025!"
flag = InputBox("Enter the FLAG:", "XYCTF")
wefbuwiue = "90df4407ee093d309098d85a42be57a2979f1e51463a31e8d15e2fac4e84ea0df622a55c4ddfb535ef3e51e8b2528b826d5347e165912e99118333151273cc3fa8b2b3b413cf2bdb1e8c9c52865efc095a8dd89b3b3cfbb200bbadbf4a6cd4" ' 棰勮鐨凴C4鍔犲瘑缁撴灉锛堝崄鍏繘鍒舵牸寮忥級
qwfe = "rc4key"

' 淇鍚庣殑RC4鍔犲瘑鍑芥暟
Function RunRC(sMessage, strKey)
    Dim kLen, i, j, temp, pos, outHex
    Dim s(255), k(255)
    
    ' 鍒濆鍖栧瘑閽?
    kLen = Len(strKey)
    For i = 0 To 255
        s(i) = i
        k(i) = Asc(Mid(strKey, (i Mod kLen) + 1, 1)) ' 瀵嗛挜浣跨敤ASCII缂栫爜
    Next
    
    ' KSA瀵嗛挜璋冨害
    j = 0
    For i = 0 To 255
        j = (j + s(i) + k(i)) Mod 256
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
    Next
    
    ' PRGA鍔犲瘑娴佺▼
    i = 0 : j = 0 : outHex = ""
    For pos = 1 To Len(sMessage)
        i = (i + 1) Mod 256
        j = (j + s(i)) Mod 256
        temp = s(i)
        s(i) = s(j)
        s(j) = temp
        
        ' 鍔犲瘑骞惰浆涓哄崄鍏繘鍒?
        Dim plainChar, cipherByte
        plainChar = Asc(Mid(sMessage, pos, 1)) ' 鏄庢枃鎸堿SCII澶勭悊
        cipherByte = s((s(i) + s(j)) Mod 256) Xor plainChar
        outHex = outHex & Right("0" & Hex(cipherByte), 2)
    Next
    
    RunRC = outHex
End Function

' 涓婚獙璇侀€昏緫
If LCase(RunRC(flag, qwfe)) = LCase(wefbuwiue) Then
    MsgBox "Congratulations! Correct FLAG!"
Else
    MsgBox "Wrong flag."
End If

XYCTF{MD5(We1c0me_t0_XYCTF_2025_reverse_ch@lleng3_by_th3_w@y_p3cd0wn‘s_chall_is_r3@lly_gr3@t_&_fuN!)}

Dragon

先将bc文件进行编译

clang .\Dragon.bc -o Dragon

crc算法

#include <iostream>
#include <cstring>
#include <cstdio>
#include <cstdint>

uint64_t enc(const char* a1, uint64_t a2) {
    uint64_t v5 = 0xFFFFFFFFFFFFFFFF;  // 使用 uint64_t 来表示 -1
    for (int i = 0; i < 2; ++i) {
        v5 ^= ((uint64_t)(unsigned char)a1[i]) << 56;  // 确保 a1 是一个指针
        for (int j = 0; j < 8; ++j) {
            if (v5 & 0x8000000000000000)  // 检查最高位是否为 1
                v5 = (v5 << 1) ^ 0x42F0E1EBA9EA3693;
            else
                v5 <<= 1;
        }
    }
    return ~v5;
}

int main() {
    uint64_t ciphertext[] = {
        0xDC63E34E419F7B47, 0x031EF8D4E7B2BFC6, 0x12D62FBC625FD89E, 0x83E8B6E1CC5755E8, 0xFC7BB1EB2AB665CC, 0x9382CA1B2A62D96B, 0xB1FFF8A07673C387, 0x0DA81627388E05E1, 0x9EF1E61AE8D0AAB7, 0x92783FD2E7F26145, 0x63C97CA1F56FE60B, 0x9BD3A8B043B73AAB
    };
    int len = 24;  
    
    char str[100];
    
    for (int i = 0; i < len; i += 2) {
        bool found = false;
        for (int c1 = 32; c1 < 127 && !found; c1++) {
            for (int c2 = 32; c2 < 127 && !found; c2++) {
                str[i] = c1;
                str[i+1] = c2;
                uint64_t result = enc(str + i, 2);  // 传递指针
                if (result == ciphertext[i/2]) {
                    printf("%c%c", c1, c2);  // 使用 %c 格式符输出字符
                    found = true;
                }
            }
        }
        if (!found) {
            printf("??");  // 如果没有找到匹配的字符
        }
    }
    return 0;
}

flag{LLVM_1s_Fun_Ri9h7?}

Lake

运行程序，程序打印字符串，之后需要用户输入，之后进行验证

动调可以发现几个while循环都是为了输出字符串

找到用户输入和验证的地方

第一层加密，定义了多种运算

后面第二层是位运算

def encrypt1(input_flag, box):
    # 创建局部副本
    flag = input_flag.copy()
    
    # 定义局部操作函数
    def func1(a1, a2): flag[a1] = (flag[a1] + a2) % 256
    def func2(a1, a2): flag[a1] = (flag[a1] - a2) % 256
    def func3(a1, a2): flag[a1] = (flag[a1] * a2) % 256
    def func4(a1, a2): flag[a1] = flag[a1] // a2
    def func5(a1, a2): flag[a1] %= a2
    def func6(a1, a2): flag[a1] &= flag[a2]
    def func7(a1, a2): flag[a1] |= a2
    def func8(a1, a2): flag[a1] ^= a2

    # 执行操作序列
    i = 0
    while i < 123:
        op = box[i]
        a1 = box[i+1]
        a2 = box[i+2]
        i += 3
        
        if op == 1: func1(a1, a2)
        elif op == 2: func2(a1, a2)
        elif op == 3: func3(a1, a2)
        elif op == 4: func4(a1, a2)
        elif op == 5: func5(a1, a2)
        elif op == 6: func6(a1, a2)
        elif op == 7: func7(a1, a2)
        elif op == 8: func8(a1, a2)
    
    return flag

def decrypt1(encrypted_flag, box):
    flag = encrypted_flag.copy()
    
    # Define inverse operations
    def inv_func1(a1, a2): flag[a1] = (flag[a1] - a2) % 256  
    def inv_func2(a1, a2): flag[a1] = (flag[a1] + a2) % 256  
    def inv_func3(a1, a2): 
        try:
            inv_a2 = pow(a2, -1, 256)
            flag[a1] = (flag[a1] * inv_a2) % 256
        except ValueError:
            pass
    def inv_func4(a1, a2): 
        flag[a1] = flag[a1] * a2 + (a2 - 1)  
    def inv_func5(a1, a2): 
        pass
    def inv_func6(a1, a2): 
        pass
    def inv_func7(a1, a2): flag[a1] &= ~a2  
    def inv_func8(a1, a2): flag[a1] ^= a2   

    i = 120  
    while i >= 0:
        op = box[i]
        a1 = box[i+1]
        a2 = box[i+2]
        
        if op == 1: inv_func1(a1, a2)
        elif op == 2: inv_func2(a1, a2)
        elif op == 3: inv_func3(a1, a2)
        elif op == 4: inv_func4(a1, a2)
        elif op == 5: inv_func5(a1, a2)
        elif op == 6: inv_func6(a1, a2)
        elif op == 7: inv_func7(a1, a2)
        elif op == 8: inv_func8(a1, a2)
        
        i -= 3
    
    return flag

def encrypt2(flag):
    # 执行sub_1000019B0
    v7 = flag.copy()
    for v3 in range(10):
        pos = 4 * v3
        if pos + 2 <= 39:
            flag[pos] = (8 * v7[pos+1] | (v7[pos+2] >> 5)) % 256
        if pos + 3 <= 39:
            flag[pos+1] = (8 * v7[pos+2] | (v7[pos+3] >> 5)) % 256
        if pos <= 39:
            flag[pos+2] = ((v7[pos] >> 5) | (8 * v7[pos+3])) % 256
        if pos + 1 <= 39:
            flag[pos+3] = (8 * v7[pos] | (v7[pos+1] >> 5)) % 256
    
    return flag

def decrypt2(encrypted_flag):
    decrypted = encrypted_flag.copy()
    for v3 in range(10):
        pos = 4 * v3
        # 提取加密后的4字节块
        a_new = decrypted[pos]
        b_new = decrypted[pos + 1]
        c_new = decrypted[pos + 2]
        d_new = decrypted[pos + 3]
        
        # 逆向计算原始值
        a = ((c_new & 0x07) << 5) | ((d_new & 0xF8) >> 3)
        b = ((d_new & 0x07) << 5) | ((a_new & 0xF8) >> 3)
        c = ((a_new & 0x07) << 5) | ((b_new & 0xF8) >> 3)
        d = ((b_new & 0x07) << 5) | ((c_new & 0xF8) >> 3)
        
        # 确保值在0-255范围内并写回数组
        decrypted[pos] = a & 0xFF
        decrypted[pos + 1] = b & 0xFF
        decrypted[pos + 2] = c & 0xFF
        decrypted[pos + 3] = d & 0xFF
    
    return decrypted

box = [
    0x0002, 0x0002, 0x000C, 0x0001, 0x001A, 0x0055, 0x0001, 0x0023, 0x000C, 0x0002, 0x000E, 0x0009, 0x0001, 0x001B, 0x0006, 0x0008, 0x0006, 0x0005, 0x0008, 0x0001, 0x0005, 0x0002, 0x001B, 0x000E, 0x0002, 0x0019, 0x0003, 0x0002, 0x001A, 0x0004, 0x0008, 0x0004, 0x0008, 0x0001, 0x0003, 0x000C, 0x0002, 0x000C, 0x000A, 0x0001, 0x0025, 0x0002, 0x0001, 0x0020, 0x0002, 0x0001, 0x0009, 0x000C, 0x0008, 0x001A, 0x0005, 0x0002, 0x0004, 0x000D, 0x0008, 0x0008, 0x000F, 0x0002, 0x000A, 0x000E, 0x0001, 0x0010, 0x0007, 0x0001, 0x000C, 0x0007, 0x0008, 0x0022, 0x0008, 0x0008, 0x0015, 0x000A, 0x0001, 0x0027, 0x007E, 0x0002, 0x0007, 0x0002, 0x0008, 0x000F, 0x0003, 0x0008, 0x000A, 0x000A, 0x0001, 0x0022, 0x000B, 0x0002, 0x0012, 0x0008, 0x0002, 0x0019, 0x0009, 0x0008, 0x000E, 0x0006, 0x0008, 0x0000, 0x0005, 0x0001, 0x000A, 0x0008, 0x0008, 0x001B, 0x0007, 0x0008, 0x000D, 0x0006, 0x0008, 0x000D, 0x0004, 0x0008, 0x0017, 0x000C, 0x0008, 0x0022, 0x000E, 0x0002, 0x0012, 0x0034, 0x0001, 0x0026, 0x0077, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000
]
enc=[
    0x4A, 0xAB, 0x9B, 0x1B, 0x61, 0xB1, 0xF3, 0x32, 0xD1, 0x8B, 0x73, 0xEB, 0xE9, 0x73, 0x6B, 0x22, 0x81, 0x83, 0x23, 0x31, 0xCB, 0x1B, 0x22, 0xFB, 0x25, 0xC2, 0x81, 0x81, 0x73, 0x22, 0xFA, 0x03, 0x9C, 0x4B, 0x5B, 0x49, 0x97, 0x87, 0xDB, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
]

dec2=decrypt2(enc)
dec1=decrypt1(dec2, box)

flag = "".join([chr(byte) for byte in dec1])        
print(flag)

flag{L3@rn1ng_1n_0ld_sch00l_@nd_g3t_j0y}

moon

.pyd 文件是 Python 的扩展模块（本质是 Windows 平台的动态链接库，即 DLL），通常用 C/C++ 编写并通过 Python 的 C API 导出函数。它可以直接通过 import 导入。

pyd文件逆向，main.py中调用check_flag()函数，pyd文件类似dll动态链接库

import moon 

print("I tried my best, to live an ordinary life.")
print("But I hope you can look up and see the moonlight through reverse engineering on the streets full of sixpence.")

user_input = input("Enter your flag: ").strip()

result, error = moon.check_flag(user_input)

if error:
    print("Error.")
elif result:
    print("I think you have found the right way.")
else:
    print("You seem to be lost.")

在ida中可以看到python版本是3.11

可以根据保留的字符串，大概猜测出验证逻辑，flag逐位亦或伪随机数，得到字符串，去进行比较

不知道种子，可以根据flag头（flag{）进行爆破

爆破脚本

import random
from tqdm import tqdm

def xor_crypt(seed, data):
    random.seed(seed)
    key_array = []
    for i in range(len(data)):
        key_array.append(random.randint(0, 255))

    data = bytearray(data)
    for i in range(len(data)):
        data[i] ^= key_array[i]  
    return bytes(data)  


data_hex = '426b87abd0ceaa3c58761bbb0172606dd8ab064491a2a76af9a93e1ae56fa84206a2f7'
original_data = bytes.fromhex(data_hex)

for i in tqdm(range(10000000)):
    flag = xor_crypt(i, original_data)
    if b'flag{' in flag:
        print(flag)
        exit()

print('Flag not found.')

import moon 

help(moon)  # help() 可以查看帮助文档
# print(dir(moon)) 可以查看导出的函数/类

print("I tried my best, to live an ordinary life.")
print("But I hope you can look up and see the moonlight through reverse engineering on the streets full of sixpence.")

user_input = input("Enter your flag: ").strip()

result, error = moon.check_flag(user_input)

if error:
    print("Error.")
elif result:
    print("I think you have found the right way.")
else:
    print("You seem to be lost.")

help输出内容：

Help on module moon:

NAME
    moon

FUNCTIONS
    check_flag(input_str)
        返回验证结果的元组：(是否通过, 错误类型)
    xor_crypt(seed_value, data_bytes)
DATA
    SEED = 1131796
    TARGET_HEX = '426b87abd0ceaa3c58761bbb0172606dd8ab064491a2a76af9a93e1a...
    __test__ = {}

FILE
    c:\users\warmlight\desktop\codes\moon.pyd

可以看到check过程是调用xor_crypt()，亦或的是伪随机数（种子为1131796），密文可以从pyd文件中获取

这样只要调用xor_crypt()，即可得到flag

import moon

seed=1131796
data='426b87abd0ceaa3c58761bbb0172606dd8ab064491a2a76af9a93e1ae56fa84206a2f7'
data=bytes.fromhex(data)
flag=moon.xor_crypt(seed, data)
print(flag)

# b'flag{but_y0u_l00k3d_up_@t_th3_mOOn}'

flag{but_y0u_l00k3d_up_@t_th3_mOOn}