bruce30262/disasm.py Secret

## disasm.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-

code = open("code", "rb").read() # the bytecodes
code = [ord(c) for c in code]

def f0(*arg):
    return "init_0_1024", 1
def f1(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addubsw", op1), 4
def f2(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addwd", op1), 4
def f3(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "^", op1), 4
def f4(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "|", op1), 4
def f5(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "&", op1), 4
def f6(*arg):
    dst, src = arg
    return "mov buf[{}] <- buf[{}] ^ 0xffffffffffffffffffffffffffffffff".format(dst, src), 3
def f7(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addb", op1), 4
def f8(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "subb", op1), 4
def f9(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addw", op1), 4
def f10(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "subw", op1), 4
def f11(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addd", op1), 4
def f12(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "subd", op1), 4
def f13(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addq", op1), 4
def f14(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "subq", op1), 4
def f15(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "muldq", op1), 4
def f16(*arg):
    return "mov buf[{}] <- buf[{}]".format(arg[0], arg[1]), 3
def f17(*arg):
    idx = arg[0]
    return "write_32byte_to_buf[{}]".format(idx), 34
def f18(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} {}".format(dst, op2, "srld", op1), 4
def f19(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} {}".format(dst, op2, "slld", op1), 4
def f20(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "shufb", op1), 4
def f21(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op1, "permd", op2), 4
def f22(*arg):
    dst, op2, op1 = arg
    return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "cmpeqb", op1), 4
def f23(*arg):
    return "nop", 1

fptr = [f0, f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f11, f12, f13, f14, f15, f16, f17, f18, f19, f20, f21, f22, f23]

pc = 0
out = ""

while True:
    now = code[pc]
    if now == 0xff:
        out += "HLT"
        break
    line, off = None, None
    if now == 0 or now == 0x17: # 0 arg
        line, off = fptr[now]()
    elif now == 0x11: # 1 arg, write 32 byte to buf[idx]
        line, off = fptr[now](code[pc+1])
        line += "(data: {!r})".format(''.join(chr(c) for c in code[pc+2:pc+2+32]))
    elif now == 6 or now == 0x10: # 2 arg
        arg0, arg1 = code[pc+1], code[pc+2]
        line, off = fptr[now](arg0, arg1)
    else: # 3 arg
        arg0, arg1, arg2 = code[pc+1], code[pc+2], code[pc+3]
        line, off = fptr[now](arg0, arg1, arg2)
    out += line + '\n'
    pc += off

print(out)

## level11.asm
init_0_1024
write_32byte_to_buf[0](data: '123456789\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
write_32byte_to_buf[1](data: 'aaaaaaaabbbbbbbbccccccccdddddddd')
write_32byte_to_buf[3](data: '\x15\x11\x11\x11\x11\x11\x11\x11\x11\x11\x13\x1a\x1b\x1b\x1b\x1a\x15\x11\x11\x11\x11\x11\x11\x11\x11\x11\x13\x1a\x1b\x1b\x1b\x1a')
write_32byte_to_buf[4](data: '\x10\x10\x01\x02\x04\x08\x04\x08\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x01\x02\x04\x08\x04\x08\x10\x10\x10\x10\x10\x10\x10\x10')
write_32byte_to_buf[5](data: '\x00\x10\x13\x04\xbf\xbf\xb9\xb9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x13\x04\xbf\xbf\xb9\xb9\x00\x00\x00\x00\x00\x00\x00\x00')
write_32byte_to_buf[6](data: '////////////////////////////////')
write_32byte_to_buf[10](data: '@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01')
write_32byte_to_buf[11](data: '\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00')
write_32byte_to_buf[12](data: '\x02\x01\x00\x06\x05\x04\n\t\x08\x0e\r\x0c\xff\xff\xff\xff\x02\x01\x00\x06\x05\x04\n\t\x08\x0e\r\x0c\xff\xff\xff\xff')
write_32byte_to_buf[13](data: '\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00\x06\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff')
write_32byte_to_buf[16](data: '\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff')
write_32byte_to_buf[17](data: '\x19\xcd\xe0[\xab\xd9\x83\x1f\x8ch\x05\x9b\x7fR\x0eQ:\xf5O\xa5r\xf3n<\x85\xaeg\xbbg\xe6\tj')
write_32byte_to_buf[18](data: '\xd5^\x1c\xab\xa4\x82?\x92\xf1\x11\xf1Y[\xc2V9\xa5\xdb\xb5\xe9\xcf\xfb\xc0\xb5\x91D7q\x98/\x8aB')
write_32byte_to_buf[19](data: '\x04\x00\x00\x00\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00')
write_32byte_to_buf[20](data: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
write_32byte_to_buf[21](data: '\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00')
write_32byte_to_buf[22](data: '\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00')
write_32byte_to_buf[23](data: '\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00')
write_32byte_to_buf[24](data: '\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00')
write_32byte_to_buf[25](data: '\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00')
write_32byte_to_buf[26](data: '\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00')
write_32byte_to_buf[27](data: '\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00')
mov buf[20] <- buf[20] permd buf[0]
mov buf[21] <- buf[21] permd buf[0]
mov buf[22] <- buf[22] permd buf[0]
mov buf[23] <- buf[23] permd buf[0]
mov buf[24] <- buf[24] permd buf[0]
mov buf[25] <- buf[25] permd buf[0]
mov buf[26] <- buf[26] permd buf[0]
mov buf[27] <- buf[27] permd buf[0]
mov buf[7] <- buf[1] srld 4
mov buf[28] <- buf[20] ^ buf[21]
mov buf[28] <- buf[28] ^ buf[22]
mov buf[28] <- buf[28] ^ buf[23]
mov buf[28] <- buf[28] ^ buf[24]
mov buf[28] <- buf[28] ^ buf[25]
mov buf[28] <- buf[28] ^ buf[26]
mov buf[28] <- buf[28] ^ buf[27]
mov buf[7] <- buf[7] & buf[6]
mov buf[29] <- buf[17] slld 7
mov buf[30] <- buf[17] srld 25
mov buf[15] <- buf[29] | buf[30]
mov buf[8] <- buf[1] cmpeqb buf[6]
mov buf[29] <- buf[17] slld 21
mov buf[30] <- buf[17] srld 11
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[8] <- buf[1] cmpeqb buf[6]
mov buf[29] <- buf[17] slld 26
mov buf[30] <- buf[17] srld 6
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[20] ^ buf[16]
mov buf[30] <- buf[20] & buf[18]
mov buf[29] <- buf[29] ^ buf[30]
mov buf[15] <- buf[29] addd buf[15]
mov buf[20] <- buf[15] addd buf[0]
mov buf[7] <- buf[8] addb buf[7]
mov buf[29] <- buf[20] ^ buf[28]
mov buf[17] <- buf[19] permd buf[29]
mov buf[7] <- buf[5] shufb buf[7]
mov buf[29] <- buf[17] slld 7
mov buf[30] <- buf[17] srld 25
mov buf[15] <- buf[29] | buf[30]
mov buf[29] <- buf[17] slld 21
mov buf[30] <- buf[17] srld 11
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[17] slld 26
mov buf[30] <- buf[17] srld 6
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[2] <- buf[1] addb buf[7]
mov buf[29] <- buf[21] ^ buf[16]
mov buf[30] <- buf[21] & buf[18]
mov buf[29] <- buf[29] ^ buf[30]
mov buf[15] <- buf[29] addd buf[15]
mov buf[21] <- buf[15] addd buf[0]
mov buf[29] <- buf[21] ^ buf[28]
mov buf[17] <- buf[19] permd buf[29]
mov buf[20] <- buf[20] ^ buf[21]
mov buf[29] <- buf[17] slld 7
mov buf[30] <- buf[17] srld 25
mov buf[15] <- buf[29] | buf[30]
mov buf[29] <- buf[17] slld 21
mov buf[30] <- buf[17] srld 11
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[17] slld 26
mov buf[30] <- buf[17] srld 6
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[7] <- buf[2] addubsw buf[10]
mov buf[29] <- buf[22] ^ buf[16]
mov buf[30] <- buf[22] & buf[18]
mov buf[29] <- buf[29] ^ buf[30]
mov buf[15] <- buf[29] addd buf[15]
mov buf[22] <- buf[15] addd buf[0]
mov buf[29] <- buf[22] ^ buf[28]
mov buf[17] <- buf[19] permd buf[29]
mov buf[20] <- buf[20] ^ buf[22]
mov buf[29] <- buf[17] slld 7
mov buf[30] <- buf[17] srld 25
mov buf[15] <- buf[29] | buf[30]
mov buf[29] <- buf[17] slld 21
mov buf[30] <- buf[17] srld 11
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[17] slld 26
mov buf[30] <- buf[17] srld 6
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[2] <- buf[7] addwd buf[11]
mov buf[29] <- buf[23] ^ buf[16]
mov buf[30] <- buf[23] & buf[18]
mov buf[29] <- buf[29] ^ buf[30]
mov buf[15] <- buf[29] addd buf[15]
mov buf[23] <- buf[15] addd buf[0]
mov buf[29] <- buf[23] ^ buf[28]
mov buf[17] <- buf[19] permd buf[29]
mov buf[20] <- buf[20] ^ buf[23]
mov buf[29] <- buf[17] slld 7
mov buf[30] <- buf[17] srld 25
mov buf[15] <- buf[29] | buf[30]
mov buf[29] <- buf[17] slld 21
mov buf[30] <- buf[17] srld 11
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[17] slld 26
mov buf[30] <- buf[17] srld 6
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[24] ^ buf[16]
mov buf[30] <- buf[24] & buf[18]
mov buf[29] <- buf[29] ^ buf[30]
mov buf[15] <- buf[29] addd buf[15]
mov buf[24] <- buf[15] addd buf[0]
mov buf[29] <- buf[24] ^ buf[28]
mov buf[17] <- buf[19] permd buf[29]
mov buf[20] <- buf[20] ^ buf[24]
mov buf[29] <- buf[17] slld 7
mov buf[30] <- buf[17] srld 25
mov buf[15] <- buf[29] | buf[30]
mov buf[29] <- buf[17] slld 21
mov buf[30] <- buf[17] srld 11
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[17] slld 26
mov buf[30] <- buf[17] srld 6
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[25] ^ buf[16]
mov buf[30] <- buf[25] & buf[18]
mov buf[29] <- buf[29] ^ buf[30]
mov buf[15] <- buf[29] addd buf[15]
mov buf[25] <- buf[15] addd buf[0]
mov buf[29] <- buf[25] ^ buf[28]
mov buf[17] <- buf[19] permd buf[29]
mov buf[20] <- buf[20] ^ buf[25]
mov buf[2] <- buf[2] shufb buf[12]
mov buf[29] <- buf[17] slld 7
mov buf[30] <- buf[17] srld 25
mov buf[15] <- buf[29] | buf[30]
mov buf[29] <- buf[17] slld 21
mov buf[30] <- buf[17] srld 11
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[17] slld 26
mov buf[30] <- buf[17] srld 6
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[26] ^ buf[16]
mov buf[30] <- buf[26] & buf[18]
mov buf[29] <- buf[29] ^ buf[30]
mov buf[15] <- buf[29] addd buf[15]
mov buf[26] <- buf[15] addd buf[0]
mov buf[29] <- buf[26] ^ buf[28]
mov buf[17] <- buf[19] permd buf[29]
mov buf[20] <- buf[20] ^ buf[26]
mov buf[29] <- buf[17] slld 7
mov buf[30] <- buf[17] srld 25
mov buf[15] <- buf[29] | buf[30]
mov buf[29] <- buf[17] slld 21
mov buf[30] <- buf[17] srld 11
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[29] <- buf[17] slld 26
mov buf[30] <- buf[17] srld 6
mov buf[29] <- buf[29] | buf[30]
mov buf[15] <- buf[15] ^ buf[29]
mov buf[2] <- buf[13] permd buf[2]
mov buf[29] <- buf[27] ^ buf[16]
mov buf[30] <- buf[27] & buf[18]
mov buf[29] <- buf[29] ^ buf[30]
mov buf[15] <- buf[29] addd buf[15]
mov buf[27] <- buf[15] addd buf[0]
mov buf[29] <- buf[27] ^ buf[28]
mov buf[17] <- buf[19] permd buf[29]
mov buf[20] <- buf[20] ^ buf[27]
write_32byte_to_buf[19](data: '\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00')
mov buf[20] <- buf[20] & buf[19]
write_32byte_to_buf[31](data: '"\x1e\x1bK-\x17\x05\x0c\x15Y\x0ex#&3.\x10\x07Os\x186X\x0b)\x0f\\:\x0cbv!')
HLT

## sol.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import struct
import numpy
import string

okstring = string.letters + string.digits + "_"

def p32(x):
    return struct.pack('<I', x & 0xffffffff)

def u32(x):
    return struct.unpack('<I', x.ljust(4, '\x00'))[0]

def p16(x):
    return struct.pack('<H', x & 0xffff)

def u16(x):
    return struct.unpack('<H', x.ljust(2, '\x00'))[0]

def to_n(data):
    now = 0
    for i in xrange(0, 32, 4):
        cur = u32(data[i:i+4:])
        shift = int(i/4)*32
        now = (cur<<shift) | now
    return "{:#x}".format(now)

def to_s(n):
    ret = ""
    for i in xrange(8):
        now = (n>>(32*i))&0xffffffff
        ret += p32(now)
    return ret

final = "\x70\x70\xB2\xAC\x01\xD2\x5E\x61\x0A\xA7\x2A\xA8\x08\x1C\x86\x1A\xE8\x45\xC8\x29\xB2\xF3\xA1\x1E\x00\x00\x00\x00\x00\x00\x00\x00"

### de-permd buf[13]
idx_13 = [0, 1, 2, 4, 5 ,6]
last = ""
now = 0
i = 0
while i < 6:
    cur = final[i*4:i*4+4:]
    if now in idx_13:
        last += cur
        i+=1
    else:
        last += p32(0)
    now+=1

last += p32(0)
print("After de-permd buf13:")
print to_n(last)

### de-shufb buf[12]
buf12 = "\x02\x01\x00\x06\x05\x04\n\t\x08\x0e\r\x0c\xff\xff\xff\xff\x02\x01\x00\x06\x05\x04\n\t\x08\x0e\r\x0c\xff\xff\xff\xff"
check_idx = [0 for _ in xrange(16)]
def de_shufb(data, buf):
    global check_idx
    last_tmp = [0 for _ in xrange(32)]
    for i in xrange(0, 16):
        if buf[i] == '\xff':
            continue
        cur = ord(data[i])
        idx = ord(buf[i])
        check_idx[idx]=1
        last_tmp[idx] = cur
    for i in xrange(16, 32):
        if buf[i] == '\xff':
            continue
        cur = ord(data[i])
        idx = ord(buf[i])
        check_idx[idx]=1
        last_tmp[16+idx] = cur
    return ''.join(chr(c) for c in last_tmp)

last = de_shufb(last, buf12)
assert len(last) == 32
print("After de-shufb buf12:")
print to_n(last)

# de-addwd
last_tmp=""
for i in xrange(0, 32, 4):
    now = u32(last[i:i+4])
    high = (now&0xfff)<<16
    low = (now&0xfff000)>>12
    last_tmp += p32(high|low)
last = last_tmp
print("After de-addwd buf11:")
print to_n(last)
# de-addubsw
# original: low_8bit*0x40 + high_8bit*1
last_tmp = ""
cand = [""]*256
for i in xrange(0, 32, 2):
    now = u16(last[i:i+2])
    ok = False
    for high in xrange(0x100):
        for low in xrange(0x100):
            if (low*0x40 + high)&0xffff == now:
                last_tmp += p16((high<<8)|low)
                ok = True
                break
        if ok:
            break

print("After de-addubsw")
last = last_tmp
assert len(last) == 32
print(to_n(last))

buf5 = "\x00\x10\x13\x04\xbf\xbf\xb9\xb9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x13\x04\xbf\xbf\xb9\xb9\x00\x00\x00\x00\x00\x00\x00\x00"
key = ""

def crack(data):
    global buf5, key
    for x01 in xrange(0xffff+1):
        now = x01
        x0 = x01&0xff
        now = (now>>4)&0x2f2f
        add = ord(buf5[(now&0xff)&15])
        if (x0 + add)&0xff == ord(data[0]):
            x1 = x01>>8
            for x2 in xrange(0x100):
                x21 = (x2<<8)|x1
                now = x21
                now = (now>>4)&0x2f2f
                add = ord(buf5[(now&0xff)&15])
                if (x1 + add)&0xff == ord(data[1]):
                    for x3 in xrange(0x100):
                        x32 = (x3<<8)|x2
                        now = x32
                        now = (now>>4)&0x2f2f
                        add = ord(buf5[(now&0xff)&15])
                        if (x2 + add)&0xff == ord(data[2]):
                            if (ord(buf5[((x3>>4)&0x2f)&15]) + x3)&0xff == ord(data[3]):
                                answer = (x3<<24) | (x2<<16) | (x1<<8) | x0
                                if all(c in okstring for c in p32(answer)):
                                    key += p32(answer)

print("Start crack...")
for i in xrange(0, 32, 4):
    crack(last[i:i+4])

# will print cHCyrAHSXmEKpyqoCByGGuhFyCmy86E_86Ee
# but it's actually cHCyrAHSXmEKpyqoCByGGuhFyCmy86E_ or cHCyrAHSXmEKpyqoCByGGuhFyCmy86Ee
# the latter is the right key
print key
	#!/usr/bin/env python
	# -- coding: utf-8 --

	code = open("code", "rb").read() # the bytecodes
	code = [ord(c) for c in code]

	def f0(*arg):
	return "init_0_1024", 1
	def f1(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addubsw", op1), 4
	def f2(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addwd", op1), 4
	def f3(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "^", op1), 4
	def f4(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "\|", op1), 4
	def f5(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "&", op1), 4
	def f6(*arg):
	dst, src = arg
	return "mov buf[{}] <- buf[{}] ^ 0xffffffffffffffffffffffffffffffff".format(dst, src), 3
	def f7(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addb", op1), 4
	def f8(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "subb", op1), 4
	def f9(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addw", op1), 4
	def f10(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "subw", op1), 4
	def f11(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addd", op1), 4
	def f12(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "subd", op1), 4
	def f13(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "addq", op1), 4
	def f14(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "subq", op1), 4
	def f15(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "muldq", op1), 4
	def f16(*arg):
	return "mov buf[{}] <- buf[{}]".format(arg[0], arg[1]), 3
	def f17(*arg):
	idx = arg[0]
	return "write_32byte_to_buf[{}]".format(idx), 34
	def f18(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} {}".format(dst, op2, "srld", op1), 4
	def f19(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} {}".format(dst, op2, "slld", op1), 4
	def f20(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "shufb", op1), 4
	def f21(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op1, "permd", op2), 4
	def f22(*arg):
	dst, op2, op1 = arg
	return "mov buf[{}] <- buf[{}] {} buf[{}]".format(dst, op2, "cmpeqb", op1), 4
	def f23(*arg):
	return "nop", 1

	fptr = [f0, f1, f2, f3, f4, f5, f6, f7, f8, f9, f10, f11, f12, f13, f14, f15, f16, f17, f18, f19, f20, f21, f22, f23]

	pc = 0
	out = ""

	while True:
	now = code[pc]
	if now == 0xff:
	out += "HLT"
	break
	line, off = None, None
	if now == 0 or now == 0x17: # 0 arg
	line, off = fptr[now]()
	elif now == 0x11: # 1 arg, write 32 byte to buf[idx]
	line, off = fptr[now](code[pc+1])
	line += "(data: {!r})".format(''.join(chr(c) for c in code[pc+2:pc+2+32]))
	elif now == 6 or now == 0x10: # 2 arg
	arg0, arg1 = code[pc+1], code[pc+2]
	line, off = fptr[now](arg0, arg1)
	else: # 3 arg
	arg0, arg1, arg2 = code[pc+1], code[pc+2], code[pc+3]
	line, off = fptr[now](arg0, arg1, arg2)
	out += line + '\n'
	pc += off

	print(out)
	init_0_1024
	write_32byte_to_buf[0](data: '123456789\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
	write_32byte_to_buf[1](data: 'aaaaaaaabbbbbbbbccccccccdddddddd')
	write_32byte_to_buf[3](data: '\x15\x11\x11\x11\x11\x11\x11\x11\x11\x11\x13\x1a\x1b\x1b\x1b\x1a\x15\x11\x11\x11\x11\x11\x11\x11\x11\x11\x13\x1a\x1b\x1b\x1b\x1a')
	write_32byte_to_buf[4](data: '\x10\x10\x01\x02\x04\x08\x04\x08\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x01\x02\x04\x08\x04\x08\x10\x10\x10\x10\x10\x10\x10\x10')
	write_32byte_to_buf[5](data: '\x00\x10\x13\x04\xbf\xbf\xb9\xb9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x13\x04\xbf\xbf\xb9\xb9\x00\x00\x00\x00\x00\x00\x00\x00')
	write_32byte_to_buf[6](data: '////////////////////////////////')
	write_32byte_to_buf[10](data: '@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01@\x01')
	write_32byte_to_buf[11](data: '\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00\x00\x10\x01\x00')
	write_32byte_to_buf[12](data: '\x02\x01\x00\x06\x05\x04\n\t\x08\x0e\r\x0c\xff\xff\xff\xff\x02\x01\x00\x06\x05\x04\n\t\x08\x0e\r\x0c\xff\xff\xff\xff')
	write_32byte_to_buf[13](data: '\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x04\x00\x00\x00\x05\x00\x00\x00\x06\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff')
	write_32byte_to_buf[16](data: '\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff')
	write_32byte_to_buf[17](data: '\x19\xcd\xe0[\xab\xd9\x83\x1f\x8ch\x05\x9b\x7fR\x0eQ:\xf5O\xa5r\xf3n<\x85\xaeg\xbbg\xe6\tj')
	write_32byte_to_buf[18](data: '\xd5^\x1c\xab\xa4\x82?\x92\xf1\x11\xf1Y[\xc2V9\xa5\xdb\xb5\xe9\xcf\xfb\xc0\xb5\x91D7q\x98/\x8aB')
	write_32byte_to_buf[19](data: '\x04\x00\x00\x00\x05\x00\x00\x00\x06\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00')
	write_32byte_to_buf[20](data: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00')
	write_32byte_to_buf[21](data: '\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00')
	write_32byte_to_buf[22](data: '\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00')
	write_32byte_to_buf[23](data: '\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00\x03\x00\x00\x00')
	write_32byte_to_buf[24](data: '\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00\x04\x00\x00\x00')
	write_32byte_to_buf[25](data: '\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00\x05\x00\x00\x00')
	write_32byte_to_buf[26](data: '\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00\x06\x00\x00\x00')
	write_32byte_to_buf[27](data: '\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00\x07\x00\x00\x00')
	mov buf[20] <- buf[20] permd buf[0]
	mov buf[21] <- buf[21] permd buf[0]
	mov buf[22] <- buf[22] permd buf[0]
	mov buf[23] <- buf[23] permd buf[0]
	mov buf[24] <- buf[24] permd buf[0]
	mov buf[25] <- buf[25] permd buf[0]
	mov buf[26] <- buf[26] permd buf[0]
	mov buf[27] <- buf[27] permd buf[0]
	mov buf[7] <- buf[1] srld 4
	mov buf[28] <- buf[20] ^ buf[21]
	mov buf[28] <- buf[28] ^ buf[22]
	mov buf[28] <- buf[28] ^ buf[23]
	mov buf[28] <- buf[28] ^ buf[24]
	mov buf[28] <- buf[28] ^ buf[25]
	mov buf[28] <- buf[28] ^ buf[26]
	mov buf[28] <- buf[28] ^ buf[27]
	mov buf[7] <- buf[7] & buf[6]
	mov buf[29] <- buf[17] slld 7
	mov buf[30] <- buf[17] srld 25
	mov buf[15] <- buf[29] \| buf[30]
	mov buf[8] <- buf[1] cmpeqb buf[6]
	mov buf[29] <- buf[17] slld 21
	mov buf[30] <- buf[17] srld 11
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[8] <- buf[1] cmpeqb buf[6]
	mov buf[29] <- buf[17] slld 26
	mov buf[30] <- buf[17] srld 6
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[20] ^ buf[16]
	mov buf[30] <- buf[20] & buf[18]
	mov buf[29] <- buf[29] ^ buf[30]
	mov buf[15] <- buf[29] addd buf[15]
	mov buf[20] <- buf[15] addd buf[0]
	mov buf[7] <- buf[8] addb buf[7]
	mov buf[29] <- buf[20] ^ buf[28]
	mov buf[17] <- buf[19] permd buf[29]
	mov buf[7] <- buf[5] shufb buf[7]
	mov buf[29] <- buf[17] slld 7
	mov buf[30] <- buf[17] srld 25
	mov buf[15] <- buf[29] \| buf[30]
	mov buf[29] <- buf[17] slld 21
	mov buf[30] <- buf[17] srld 11
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[17] slld 26
	mov buf[30] <- buf[17] srld 6
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[2] <- buf[1] addb buf[7]
	mov buf[29] <- buf[21] ^ buf[16]
	mov buf[30] <- buf[21] & buf[18]
	mov buf[29] <- buf[29] ^ buf[30]
	mov buf[15] <- buf[29] addd buf[15]
	mov buf[21] <- buf[15] addd buf[0]
	mov buf[29] <- buf[21] ^ buf[28]
	mov buf[17] <- buf[19] permd buf[29]
	mov buf[20] <- buf[20] ^ buf[21]
	mov buf[29] <- buf[17] slld 7
	mov buf[30] <- buf[17] srld 25
	mov buf[15] <- buf[29] \| buf[30]
	mov buf[29] <- buf[17] slld 21
	mov buf[30] <- buf[17] srld 11
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[17] slld 26
	mov buf[30] <- buf[17] srld 6
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[7] <- buf[2] addubsw buf[10]
	mov buf[29] <- buf[22] ^ buf[16]
	mov buf[30] <- buf[22] & buf[18]
	mov buf[29] <- buf[29] ^ buf[30]
	mov buf[15] <- buf[29] addd buf[15]
	mov buf[22] <- buf[15] addd buf[0]
	mov buf[29] <- buf[22] ^ buf[28]
	mov buf[17] <- buf[19] permd buf[29]
	mov buf[20] <- buf[20] ^ buf[22]
	mov buf[29] <- buf[17] slld 7
	mov buf[30] <- buf[17] srld 25
	mov buf[15] <- buf[29] \| buf[30]
	mov buf[29] <- buf[17] slld 21
	mov buf[30] <- buf[17] srld 11
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[17] slld 26
	mov buf[30] <- buf[17] srld 6
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[2] <- buf[7] addwd buf[11]
	mov buf[29] <- buf[23] ^ buf[16]
	mov buf[30] <- buf[23] & buf[18]
	mov buf[29] <- buf[29] ^ buf[30]
	mov buf[15] <- buf[29] addd buf[15]
	mov buf[23] <- buf[15] addd buf[0]
	mov buf[29] <- buf[23] ^ buf[28]
	mov buf[17] <- buf[19] permd buf[29]
	mov buf[20] <- buf[20] ^ buf[23]
	mov buf[29] <- buf[17] slld 7
	mov buf[30] <- buf[17] srld 25
	mov buf[15] <- buf[29] \| buf[30]
	mov buf[29] <- buf[17] slld 21
	mov buf[30] <- buf[17] srld 11
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[17] slld 26
	mov buf[30] <- buf[17] srld 6
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[24] ^ buf[16]
	mov buf[30] <- buf[24] & buf[18]
	mov buf[29] <- buf[29] ^ buf[30]
	mov buf[15] <- buf[29] addd buf[15]
	mov buf[24] <- buf[15] addd buf[0]
	mov buf[29] <- buf[24] ^ buf[28]
	mov buf[17] <- buf[19] permd buf[29]
	mov buf[20] <- buf[20] ^ buf[24]
	mov buf[29] <- buf[17] slld 7
	mov buf[30] <- buf[17] srld 25
	mov buf[15] <- buf[29] \| buf[30]
	mov buf[29] <- buf[17] slld 21
	mov buf[30] <- buf[17] srld 11
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[17] slld 26
	mov buf[30] <- buf[17] srld 6
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[25] ^ buf[16]
	mov buf[30] <- buf[25] & buf[18]
	mov buf[29] <- buf[29] ^ buf[30]
	mov buf[15] <- buf[29] addd buf[15]
	mov buf[25] <- buf[15] addd buf[0]
	mov buf[29] <- buf[25] ^ buf[28]
	mov buf[17] <- buf[19] permd buf[29]
	mov buf[20] <- buf[20] ^ buf[25]
	mov buf[2] <- buf[2] shufb buf[12]
	mov buf[29] <- buf[17] slld 7
	mov buf[30] <- buf[17] srld 25
	mov buf[15] <- buf[29] \| buf[30]
	mov buf[29] <- buf[17] slld 21
	mov buf[30] <- buf[17] srld 11
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[17] slld 26
	mov buf[30] <- buf[17] srld 6
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[26] ^ buf[16]
	mov buf[30] <- buf[26] & buf[18]
	mov buf[29] <- buf[29] ^ buf[30]
	mov buf[15] <- buf[29] addd buf[15]
	mov buf[26] <- buf[15] addd buf[0]
	mov buf[29] <- buf[26] ^ buf[28]
	mov buf[17] <- buf[19] permd buf[29]
	mov buf[20] <- buf[20] ^ buf[26]
	mov buf[29] <- buf[17] slld 7
	mov buf[30] <- buf[17] srld 25
	mov buf[15] <- buf[29] \| buf[30]
	mov buf[29] <- buf[17] slld 21
	mov buf[30] <- buf[17] srld 11
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[29] <- buf[17] slld 26
	mov buf[30] <- buf[17] srld 6
	mov buf[29] <- buf[29] \| buf[30]
	mov buf[15] <- buf[15] ^ buf[29]
	mov buf[2] <- buf[13] permd buf[2]
	mov buf[29] <- buf[27] ^ buf[16]
	mov buf[30] <- buf[27] & buf[18]
	mov buf[29] <- buf[29] ^ buf[30]
	mov buf[15] <- buf[29] addd buf[15]
	mov buf[27] <- buf[15] addd buf[0]
	mov buf[29] <- buf[27] ^ buf[28]
	mov buf[17] <- buf[19] permd buf[29]
	mov buf[20] <- buf[20] ^ buf[27]
	write_32byte_to_buf[19](data: '\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00')
	mov buf[20] <- buf[20] & buf[19]
	write_32byte_to_buf[31](data: '"\x1e\x1bK-\x17\x05\x0c\x15Y\x0ex#&3.\x10\x07Os\x186X\x0b)\x0f\\:\x0cbv!')
	HLT
	#!/usr/bin/env python
	# -- coding: utf-8 --

	import struct
	import numpy
	import string

	okstring = string.letters + string.digits + "_"

	def p32(x):
	return struct.pack('<I', x & 0xffffffff)

	def u32(x):
	return struct.unpack('<I', x.ljust(4, '\x00'))[0]

	def p16(x):
	return struct.pack('<H', x & 0xffff)

	def u16(x):
	return struct.unpack('<H', x.ljust(2, '\x00'))[0]

	def to_n(data):
	now = 0
	for i in xrange(0, 32, 4):
	cur = u32(data[i:i+4:])
	shift = int(i/4)*32
	now = (cur<<shift) \| now
	return "{:#x}".format(now)

	def to_s(n):
	ret = ""
	for i in xrange(8):
	now = (n>>(32*i))&0xffffffff
	ret += p32(now)
	return ret

	final = "\x70\x70\xB2\xAC\x01\xD2\x5E\x61\x0A\xA7\x2A\xA8\x08\x1C\x86\x1A\xE8\x45\xC8\x29\xB2\xF3\xA1\x1E\x00\x00\x00\x00\x00\x00\x00\x00"

	### de-permd buf[13]
	idx_13 = [0, 1, 2, 4, 5 ,6]
	last = ""
	now = 0
	i = 0
	while i < 6:
	cur = final[i4:i4+4:]
	if now in idx_13:
	last += cur
	i+=1
	else:
	last += p32(0)
	now+=1

	last += p32(0)
	print("After de-permd buf13:")
	print to_n(last)

	### de-shufb buf[12]
	buf12 = "\x02\x01\x00\x06\x05\x04\n\t\x08\x0e\r\x0c\xff\xff\xff\xff\x02\x01\x00\x06\x05\x04\n\t\x08\x0e\r\x0c\xff\xff\xff\xff"
	check_idx = [0 for _ in xrange(16)]
	def de_shufb(data, buf):
	global check_idx
	last_tmp = [0 for _ in xrange(32)]
	for i in xrange(0, 16):
	if buf[i] == '\xff':
	continue
	cur = ord(data[i])
	idx = ord(buf[i])
	check_idx[idx]=1
	last_tmp[idx] = cur
	for i in xrange(16, 32):
	if buf[i] == '\xff':
	continue
	cur = ord(data[i])
	idx = ord(buf[i])
	check_idx[idx]=1
	last_tmp[16+idx] = cur
	return ''.join(chr(c) for c in last_tmp)

	last = de_shufb(last, buf12)
	assert len(last) == 32
	print("After de-shufb buf12:")
	print to_n(last)

	# de-addwd
	last_tmp=""
	for i in xrange(0, 32, 4):
	now = u32(last[i:i+4])
	high = (now&0xfff)<<16
	low = (now&0xfff000)>>12
	last_tmp += p32(high\|low)
	last = last_tmp
	print("After de-addwd buf11:")
	print to_n(last)
	# de-addubsw
	# original: low_8bit0x40 + high_8bit1
	last_tmp = ""
	cand = [""]*256
	for i in xrange(0, 32, 2):
	now = u16(last[i:i+2])
	ok = False
	for high in xrange(0x100):
	for low in xrange(0x100):
	if (low*0x40 + high)&0xffff == now:
	last_tmp += p16((high<<8)\|low)
	ok = True
	break
	if ok:
	break

	print("After de-addubsw")
	last = last_tmp
	assert len(last) == 32
	print(to_n(last))

	buf5 = "\x00\x10\x13\x04\xbf\xbf\xb9\xb9\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x13\x04\xbf\xbf\xb9\xb9\x00\x00\x00\x00\x00\x00\x00\x00"
	key = ""

	def crack(data):
	global buf5, key
	for x01 in xrange(0xffff+1):
	now = x01
	x0 = x01&0xff
	now = (now>>4)&0x2f2f
	add = ord(buf5[(now&0xff)&15])
	if (x0 + add)&0xff == ord(data[0]):
	x1 = x01>>8
	for x2 in xrange(0x100):
	x21 = (x2<<8)\|x1
	now = x21
	now = (now>>4)&0x2f2f
	add = ord(buf5[(now&0xff)&15])
	if (x1 + add)&0xff == ord(data[1]):
	for x3 in xrange(0x100):
	x32 = (x3<<8)\|x2
	now = x32
	now = (now>>4)&0x2f2f
	add = ord(buf5[(now&0xff)&15])
	if (x2 + add)&0xff == ord(data[2]):
	if (ord(buf5[((x3>>4)&0x2f)&15]) + x3)&0xff == ord(data[3]):
	answer = (x3<<24) \| (x2<<16) \| (x1<<8) \| x0
	if all(c in okstring for c in p32(answer)):
	key += p32(answer)

	print("Start crack...")
	for i in xrange(0, 32, 4):
	crack(last[i:i+4])

	# will print cHCyrAHSXmEKpyqoCByGGuhFyCmy86E_86Ee
	# but it's actually cHCyrAHSXmEKpyqoCByGGuhFyCmy86E_ or cHCyrAHSXmEKpyqoCByGGuhFyCmy86Ee
	# the latter is the right key
	print key