
@clowncs
Created December 30, 2024 15:31

masking tape

# Brute-force solver for the "masking tape" check.
#
# The checked transform rotates each input byte left by 3 bits and splits the
# result into two halves with the complementary masks 0x33 and 0xCC; which
# half goes into which table depends on the low bit of the rotated byte.
# s1 and s5 are the two expected tables, one entry per input character.
s1 = b'\x08#\x03\x03\x13\x03\x13\x03\x01#1\x13\x11\xc8\x03\xc8\x03\x13\x01\xc8\x13\x13\x03\x13\x13\x11\x13#'

s5 = b'\x02@\x80\x08\x08\x08\xc8\xc8\x80\x88\x08\x80\x882\x082\x80\x80\x802\x08\x80\x08\x08H\x88\x80\xc8'

# The byte rotation is a bijection and bit 0 of the first half reveals which
# mask produced it, so each position can match at most one candidate.
for want_first, want_second in zip(s1, s5):
    # Only printable ASCII is tried for each position.
    for code in range(32, 127):
        # Bits above bit 7 are left in place here; the masks below drop them,
        # so this behaves like an 8-bit rotate-left by 3.
        mixed = (code >> 5) | (code * 8)
        if mixed & 1:
            first_half, second_half = mixed & 0x33, mixed & 0xCC
        else:
            first_half, second_half = mixed & 0xCC, mixed & 0x33

        if (first_half, second_half) == (want_first, want_second):
            print(chr(code), end='')

hidden

# Decryptor for the "hidden" check: a 4-word state produces two 32-bit
# keystream words per block, and the state is then stirred with rotations
# chosen by the low bit of the *ciphertext* word. Because the feedback uses
# ciphertext only, the stream can be replayed without knowing the plaintext.
from pwn import p32, rol, ror, u32

# Expected ciphertext, consumed as little-endian 32-bit words.
ok = b"\xdc\x86\x1a\x9a\xdd\x93\x9b5\xd3t\xda\xee\xe8Z<\xc5\x1cd3G\xd2;(\xf3\xccZH\x8bt\x0cK\x878\xd6\x80@Q\xe6J'\xa1sR\x0f\x93\x06T=e\x13\xfb\xc8e\xaf\xd2g\xb3\t\xef}#\xa6v\xe5\x13\x10\x13\xff4\x8d\xae\xd0\x9c,M\xf3\xa1\xbcF/\x98\x87\xb6W\x1a\xa2\x17\xf1\xf0\xe5\xb0\xba\x9bm\xb5\xa7\xacj^\xac\xe8\xf6\x90\xd8\xb0\xa2\x99\x91"

# Initial state. Read as little-endian ASCII the four words spell
# "Alpa", "caHa", "ckRo", "und8".
first = 0x61706C41
sec = 0x61486163
thir = 0x6F526B63
final = 0x38646E75

WORD_MASK = 0xffffffff

for offset in range(0, len(ok), 4):
    cipher_word = u32(ok[offset:offset + 4])

    # Keystream words, reduced to 32 bits because Python ints do not wrap.
    yo = (rol(first, 5, 32) + ror(sec, 3, 32)) & WORD_MASK
    yi = (ror(thir, 3, 32) - rol(final, 5, 32)) & WORD_MASK

    print(p32(cipher_word ^ yo ^ yi).decode(), end="")

    # State update: odd and even ciphertext words use different rotations.
    if cipher_word & 1:
        first ^= rol(yi, 11, 32)
        sec ^= rol(yi, 13, 32)
        thir ^= ror(yo, 15, 32)
        final ^= ror(yo, 13, 32)
    else:
        first ^= ror(yi, 13, 32)
        sec ^= ror(yi, 15, 32)
        thir ^= rol(yo, 13, 32)
        final ^= rol(yo, 11, 32)

Vcipher

# Decryptor for the "Vcipher" check: every expected word is rotated right in
# 3-bit steps and then XORed with a counter-style key that grows by a fixed
# increment per word.
from pwn import p32, ror

correct = [0x345A7191, 0xDCC4950A, 0x8AD73F4E, 0x6006DEEE, 0xB474F6A4, 0x9620574D, 0x7FBA5668, 0x45CB397E]

init = 0xE8D2BFCD

# 38766742 % 32 == 22, so each word gets 23 rotations of 3 bits
# (a net rotate-right by 69 % 32 == 5).
eff = 38766742 % 32

for expected in correct:
    v2 = expected
    for _ in range(eff + 1):
        v2 = ror(v2, 3, 32)
    print(p32(v2 ^ init).decode(), end='')
    # Advance the key word, wrapping at 32 bits.
    init = (init + 0x17CA85FE) & 0xffffffff