linuxpdf
pdf里运行Linux,010打开发现有一个base64解密函数,一些文件名以及文件对应的base64编码,通过正则匹配 ”文件名”: “文件内容“ 获取文件名和文件内容,直接用脚本导出。随便拿个文件看看信息,发现是zlib格式的压缩文件,用python的zlib库解压就行,查看解压出来有许多二进制文件,有一百多个有点不好看,于是寻找看是不是有elf可执行文件,写个函数遍历一下(脚本是AI写的)。
.png)
import os
import re
import base64
import zlib
def extract_and_decode(filename):
# 以二进制方式读取文件内容
with open(filename, 'rb') as f:
content = f.read()
try:
# 尝试 UTF-8 解码,不可解码时忽略错误字符
text_content = content.decode('utf-8', errors='ignore')
except UnicodeDecodeError:
print("文件解码失败,可能包含非 UTF-8 编码数据。")
return
# 正则匹配 "字符串1":"字符串2"
pattern = r'"(.*?)": "(.*?)"'
matches = re.findall(pattern, text_content)
for filename, encoded_data in matches:
try:
# Base64 解码
decoded_data = base64.b64decode(encoded_data)
# 将解码内容以二进制方式写入对应文件
f = open(rf"outdata/{filename.replace('/', '_').replace('\\', '_')}",'wb')
de = zlib.decompress(decoded_data)
f.write(decoded_data)
print(f"已创建文件: {filename}")
except Exception as e:
print(f"处理 {filename} 时出错: {e}")
def dedata():
input_dir = "outdata" # 你的 zlib 文件所在的文件夹
output_dir = "outdata\\dec" # 解压后的文件存放位置
# 确保输出目录存在
os.makedirs(output_dir, exist_ok=True)
# 遍历 zlib 文件
for filename in os.listdir(input_dir):
input_path = os.path.join(input_dir, filename)
output_path = os.path.join(output_dir, filename + ".bin") # 你可以改成合适的扩展名
try:
# 读取文件内容
with open(input_path, "rb") as f:
compressed_data = f.read()
# 尝试解压
decompressed_data = zlib.decompress(compressed_data)
# 写入解压后的文件
with open(output_path, "wb") as f:
f.write(decompressed_data)
print(f"解压成功: {filename} -> {output_path}")
except zlib.error:
print(f"跳过文件(解压失败): {filename}")
except Exception as e:
print(f"其他错误: {filename} - {e}")
print("所有文件处理完成!")
def iself():
input_dir = "outdata\\dec" # 解压后数据的文件夹
for filename in os.listdir(input_dir):
input_path = os.path.join(input_dir, filename)
try:
with open(input_path, "rb") as f:
fdata = f.read()
if b"ELF" in fdata:
print(input_path)
except:
print("error")
if __name__ == "__main__":
input_file = "linux.pdf"
extract_and_decode(input_file)
dedata()
iself()
"""
......
outdata\dec\kernel-riscv64.bin.bin
outdata\dec\root_files_0000000000000002.bin
outdata\dec\root_files_0000000000000003.bin
outdata\dec\root_files_0000000000000039.bin
outdata\dec\root_files_000000000000003c.bin
outdata\dec\root_files_000000000000003d.bin
outdata\dec\root_files_000000000000003e.bin
outdata\dec\root_files_000000000000003f.bin
outdata\dec\root_files_0000000000000040.bin
outdata\dec\root_files_0000000000000041.bin
outdata\dec\root_files_0000000000000042.bin
outdata\dec\root_files_0000000000000043.bin
outdata\dec\root_files_0000000000000044.bin
outdata\dec\root_files_0000000000000045.bin
outdata\dec\root_files_0000000000000046.bin
outdata\dec\root_files_0000000000000047.bin
outdata\dec\root_files_0000000000000048.bin
outdata\dec\root_files_000000000000004a.bin
outdata\dec\root_files_000000000000004b.bin
outdata\dec\root_files_000000000000004c.bin
outdata\dec\root_files_000000000000004d.bin
outdata\dec\root_files_000000000000004e.bin
outdata\dec\root_files_000000000000004f.bin
outdata\dec\root_files_0000000000000050.bin
outdata\dec\root_files_0000000000000051.bin
outdata\dec\root_files_0000000000000052.bin
outdata\dec\root_files_0000000000000089.bin
outdata\dec\root_files_00000000000000a6.bin
outdata\dec\root_files_00000000000000a7.bin
outdata\dec\root_files_00000000000000a9.bin
error
error
error
outdata\dec\root_files_00000000000000aa.bin
"""
最后发现在root_files_00000000000000a9.bin中有flag的逻辑。
.png)
.png)
MD5的特征值。
逻辑大概就是从前往后比较flag后n位(n从28到1,flag总共28字节)生成的MD5值。
爆破一下就行,注意密文中每组哈希值间有0作为分隔符,所以17字节为一组MD5。
import hashlib
hash = [0x38, 0xF8, 0x8A, 0x3B, 0xC5, 0x70, 0x21, 0x0F, 0x8A, 0x8D, 0x95, 0x58, 0x5B, 0x46, 0xB0, 0x65,
0x00, 0x83, 0x05, 0x5A, 0xE8, 0x0C, 0xDC, 0x8B, 0xD5, 0x93, 0x78, 0xB8, 0x62, 0x8D, 0x73, 0x3F,
0xCB, 0x00, 0xFA, 0x7D, 0xAF, 0xFB, 0xD7, 0xAC, 0xEC, 0x13, 0xB0, 0x69, 0x5D, 0x93, 0x5A, 0x04,
0xBC, 0x0F, 0x00, 0xC2, 0x9C, 0xC0, 0xFD, 0x38, 0x01, 0xC7, 0xFD, 0xD3, 0x15, 0xC7, 0x82, 0x99,
0x9B, 0xD4, 0xCB, 0x00, 0x2B, 0xA2, 0xD0, 0x1A, 0xF1, 0x2D, 0x9B, 0xE3, 0x1A, 0x2B, 0x44, 0x32,
0x3C, 0x1A, 0x4F, 0x47, 0x00, 0xDD, 0xEE, 0xBA, 0xF0, 0x02, 0x52, 0x7A, 0x9E, 0xAD, 0x78, 0xBD,
0x16, 0x68, 0x45, 0x73, 0xCC, 0x00, 0xBF, 0x95, 0xB8, 0x99, 0x34, 0xA1, 0xB5, 0x55, 0xE1, 0x09,
0x0F, 0xEC, 0xDF, 0xD3, 0xDA, 0x9F, 0x00, 0xB6, 0x42, 0x2C, 0x30, 0xB0, 0x29, 0x38, 0x53, 0x5F,
0x8E, 0x64, 0x8D, 0x60, 0xA8, 0x7B, 0x94, 0x00, 0x08, 0xC1, 0xB7, 0x66, 0x43, 0xAF, 0x8D, 0xD5,
0x0C, 0xB0, 0x6D, 0x7F, 0xDD, 0x3C, 0xF8, 0xED, 0x00, 0x42, 0xD6, 0x97, 0x19, 0xF9, 0x70, 0x88,
0xF0, 0x65, 0x40, 0xF4, 0x12, 0xDC, 0x17, 0x06, 0xFB, 0x00, 0xA1, 0xF2, 0x3D, 0xA6, 0x16, 0x15,
0x40, 0x0E, 0x7B, 0xD9, 0xEA, 0x72, 0xD6, 0x35, 0x67, 0xEB, 0x00, 0x4E, 0x24, 0x6F, 0x0A, 0x5D,
0xD3, 0xCE, 0x59, 0x46, 0x5F, 0xF3, 0xD0, 0x2E, 0xC4, 0xF9, 0x84, 0x00, 0xB8, 0xCF, 0x25, 0xF9,
0x63, 0xE8, 0xE9, 0xF4, 0xC3, 0xFD, 0xDA, 0x34, 0xF6, 0xF0, 0x1A, 0x35, 0x00, 0x2D, 0x98, 0xD8,
0x20, 0x83, 0x5C, 0x75, 0xA9, 0xF9, 0x81, 0xAD, 0x4D, 0xB8, 0x26, 0xBF, 0x8E, 0x00, 0x70, 0x2E,
0xAD, 0x08, 0xA3, 0xDD, 0x56, 0xB3, 0x13, 0x4C, 0x7C, 0x38, 0x41, 0xA6, 0x52, 0xAA, 0x00, 0xD2,
0xD5, 0x57, 0xB6, 0x13, 0x66, 0x2B, 0x92, 0xF3, 0x99, 0xD6, 0x12, 0xFB, 0x91, 0x59, 0x1E, 0x00,
0xE4, 0x42, 0x2B, 0x63, 0x20, 0xED, 0x98, 0x9E, 0x7E, 0x3C, 0xB9, 0x7F, 0x36, 0x9C, 0xBA, 0x38,
0x00, 0x71, 0x80, 0x35, 0x86, 0xC6, 0x70, 0x59, 0xDD, 0xA3, 0x25, 0x25, 0xCE, 0x84, 0x4C, 0x50,
0x79, 0x00, 0x83, 0xB3, 0x71, 0x80, 0x1D, 0x0A, 0xDE, 0x07, 0xB5, 0xC4, 0xF5, 0x1E, 0x8C, 0x62,
0x15, 0xE2, 0x00, 0xB0, 0xD1, 0xB4, 0x88, 0x5B, 0xC2, 0xFD, 0xC5, 0xA6, 0x65, 0x26, 0x69, 0x24,
0x48, 0x6C, 0x5F, 0x00, 0x79, 0x2C, 0x9E, 0x7F, 0x05, 0xC4, 0x07, 0xC5, 0x6F, 0x3B, 0xEC, 0x4C,
0xA7, 0xE5, 0xC1, 0x71, 0x00, 0x38, 0x55, 0xE5, 0xA5, 0xBB, 0xC1, 0xCB, 0xE1, 0x8A, 0x6E, 0xAB,
0x5D, 0xD9, 0x7C, 0x06, 0x3C, 0x00, 0x88, 0x6D, 0x45, 0xE0, 0x45, 0x1B, 0xBB, 0xA7, 0xC0, 0x34,
0x1F, 0xE9, 0x0A, 0x95, 0x4F, 0x34, 0x00, 0x3A, 0x43, 0x7C, 0xBE, 0x65, 0x91, 0xEA, 0x34, 0x89,
0x64, 0x25, 0x85, 0x6E, 0xAE, 0x7B, 0x65, 0x00, 0x34, 0x30, 0x49, 0x67, 0xA0, 0x67, 0x30, 0x8A,
0x76, 0x70, 0x1F, 0x05, 0xC0, 0x66, 0x85, 0x51, 0x00, 0xD6, 0xAF, 0x7C, 0x4F, 0xED, 0xCF, 0x2B,
0x67, 0x77, 0xDF, 0x8E, 0x83, 0xC9, 0x32, 0xF8, 0x83, 0x00, 0xDF, 0x88, 0x93, 0x1E, 0x7E, 0xEF,
0xDF, 0xCC, 0x2B, 0xB8, 0x0D, 0x4A, 0x4F, 0x57, 0x10, 0xFB, 0x00, 0xCB, 0x0F, 0xC8, 0x13, 0x75,
0x5A, 0x45, 0xCE, 0x59, 0x84, 0xBF, 0xBA, 0x15, 0x84, 0x7C, 0x1E, 0x00]
datalist = [hash[i*17:17*(i+1):] for i in range(len(hash))] #每十七个作为一组哈希值,末尾的0是分隔符
flag ="}"
for i in datalist[::-1]:
tmp=""
for j in i: # 先把哈希值拼成一个字符串
strtmp = hex(j)[2::]
if len(strtmp) <2:
strtmp = "0"*(2-len(strtmp)) + strtmp #补0
tmp+= strtmp
for char in range(32, 127):# 遍历所有可打印字符
has = hashlib.md5((chr(char) + flag).encode()).hexdigest() #拼接字符到flag中生成md5值
print(has,chr(char)+flag)
if tmp.rstrip("0") == has: #去掉结尾的0(分隔符),判断相等,如果相等拼接到flag中生成下一组hash
flag = chr(char) + flag
print(flag)
TPCTF{mag1c_RISC-V_linux-PDF}
chase
用fceux进行调试,amr search在吃豆的时候寻找改变的值,就可以发现0x84的数据是用于存储当前吃豆的数量,0x85好像是当前的关卡,是从0开始的。
用hexeditor修改值可以发现0x83就是目标的豆子数,直接修改关卡值好像会被检测输出hacker,于是继续修改豆子数来逐个通关,通过第五关后可以拿到第一段flag。
得到第一部分flag
在ppu viewer中看到了第三段flag
第三部分
在PPU viewer页面还可以看到字符表。 查询资料可知,NES 游戏中Tile是游戏中所使用一个图案块。游戏的一个画面就是由多个Tile组成的,每个Tile都有一个索引值便于调用显示。
在PPU viewer页面可以看到每个Tile的索引值(左下角)。
.png)
例如26就是上面F的值。。。,直接在010中搜索FLAG的Tile值(26 2C 21 27 )就可以找到对应FLAG这四个字符的tile值出现的位置,那么这个位置大概率就是flag在页面上出现的位置,提取下来,创建字符映射表映射回去就行。注意数字有两个表。
.png)
table = list(range(32,91)) # 获取!~Z的ASCII码
table1 =[123,125,95] # 添加最后的{}_
table.extend(table1)
# for i in table:
# print(chr(i),end='')
# print()
data = [
0x26, 0x2C, 0x21, 0x27, 0x00, 0x30, 0x34, 0x0E, 0xD2, 0x00, 0x26, 0x2F, 0x32, 0x00, 0x39, 0x2F,
0x35, 0x00, 0x29, 0x33, 0x00, 0x01, 0x12, 0xA4, 0x00, 0x01, 0x18, 0x30, 0x2C, 0x21, 0x39, 0xD1,
0x2E, 0xD9, 0x3D, 0xD6, 0x20, 0x2D, 0xD3, 0x33, 0x3D, 0x00, 0x01, 0x9A, 0xBD, 0xAD, 0xAD, 0x6D,
0x00, 0x01, 0x03, 0xB9, 0xAD, 0xAD, 0x6E, 0x00, 0x01, 0x03, 0xB9, 0xAD, 0xAD, 0x6E, 0x00, 0x01,
0x03, 0x0D, 0x01, 0x03, 0x00, 0x01, 0x10, 0x00, 0x01, 0x00, 0x0F, 0x0F, 0x0F, 0x0F, 0x0F, 0x1C,
0x2C, 0x3C, 0x0F, 0x12, 0x22, 0x32, 0x0F, 0x14, 0x24, 0x34, 0x0F, 0x11, 0x32, 0x30, 0x0F, 0x1C,
0x2C, 0x3C, 0x0F, 0x09, 0x27, 0x38, 0x0F, 0x11, 0x21, 0x31, 0x0F, 0x11, 0x32, 0x30, 0x0F, 0x11,
0x21, 0x31, 0x0F
] #010提取出来的以flag(26,2c,21,27)开头的字节,这里为第二组数据
dict = {i:j for i,j in zip(range(0x0,0x3E),table)} # 创建索引表1
dict2 = {i:j for i,j in zip(range(0xD0,0xDB),range(48,58))} # 额外的数字表
flag =""
for i in data: # 获取映射值
if(i>=0xD0 and i<=0xD9):
flag+= chr(dict2[i])
if(i>0x3E):
continue
flag+=chr(dict[i])
print(flag)
"""
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ{}_
FLAG PT.2 FOR YOU IS !2 !8PLAY1N9_6@M3S_ ! !# !# !#-!# !0 ! /////<L}/2BR/4DT/1RP/<L}/)GX/1AQ/1RP/1AQ/
"""
解密得到flag的第二部分。
PLAY1N9_6@M3S_
最后的flag: TPCTF{D0_Y0U_L1KE_PLAY1N9_6@M3S_ON_Y0UR_N3S?}
magicfile
文件一般存储一个特征值来确定文件类型。linux通过一个libmagic.so来检测文件类型。文件类型被存储在一个magic文件内(magicfile),里面记录了文件类型(要比较的字节)和要比较的字节地址偏移,以及比较的数据类型。检测原理就是读取文件内容然后根据偏移的地址来获取数据与magic存储的内容进行比较。
本题模拟了libmagic.so的原理,我们输入的flag被作为文件内容进行文件检查。即flag与magic内的内容进行比较,正确则输出congratulations。我们的flag为48字节,如果直接存储在一个类型里那么就可以直接字符串找到flag,所以我们的flag一定是被分块了,而且是单字节。所以我们只需要挨个读取magic文件里比较的内容就行了。本题的magicfile已经被保存在数据段了,所以实现了自定义magic的比较。
首先我们需要了解magic文件是怎么存储信息的。我们在github上可以找到libmagic的源码,查看magic结构体
struct magic {
/* Word 1 */
uint16_t cont_level; /* level of ">" */
uint8_t flag;
uint8_t factor
/* Word 2 */
uint8_t reln; /* relation (0=eq, '>'=gt, etc) */
uint8_t vallen; /* length of string value, if any */
uint8_t type; /* comparison type (FILE_*) */
uint8_t in_type; /* type of indirection */
/* Word 3 */
uint8_t in_op; /* operator for indirection */
uint8_t mask_op; /* operator for mask */
uint8_t cond; /* conditional type */
uint8_t factor_op;
/* Word 4 */
int32_t offset; /* offset to magic number */
/* Word 5 */
int32_t in_offset; /* offset from indirection */
/* Word 6 */
uint32_t lineno; /* line number in magic file */
/* Word 7,8 */
union {
uint64_t _mask; /* for use with numeric and date types */
struct {
uint32_t _count; /* repeat/line count */
uint32_t _flags; /* modifier flags */
} _s; /* for use with string types */
} _u;
/* Words 9-24 */
union VALUETYPE value; /* either number or string */
/* Words 25-40 */
char desc[MAXDESC]; /* description */
/* Words 41-60 */
char mimetype[MAXMIME]; /* MIME type */
/* Words 61-62 */
char apple[8]; /* APPLE CREATOR/TYPE */
/* Words 63-78 */
char ext[64]; /* Popular extensions */
};
value节点中是需要进行比较的内容,看一下value的定义,联合体的大小是最大类型的大小
union VALUETYPE {
uint8_t b;
uint16_t h;
uint32_t l;
uint64_t q;
uint8_t hs[2]; /* 2 bytes of a fixed-endian "short" */
uint8_t hl[4]; /* 4 bytes of a fixed-endian "long" */
uint8_t hq[8]; /* 8 bytes of a fixed-endian "quad" */
char s[MAXstring]; /* the search string or regex pattern */
unsigned char us[MAXstring];
uint64_t guid[2];
float f;
double d;
};
计算一下就可以知道magic结构体大小是376byte。我们可以遍历所有magic结构体,提取所有value位char的内容,flag估计就在里面。。看magic_load的magicfile变量可以看到程序的magic文件存在地址0x21004,后面的magiclen是magic文件大小。
最后的flag要猜一下前面是个Y,最后结果是TPCTF{YoU_AR3_SO_5m@R7_TO_cRACk_Th1$_m@9iC_f1le}
data = open("magicfile_c970e3503feebf8274571f09d27cdd2f", "rb").read()
data = data[0x21004:][376:0x116f9f8]
res =''
for i in range(0,0x116f9f8,376):
value = data[i:i+376:][32:96:].decode().replace(chr(0),'')
res += value
if value == '}':break
print(res)
# TPCTF{YoU_AR3_SO_5m@R7_TO_cRACk_Th1$_m@9iC_f1le}
下面是大佬的脚本参考复现
下面这些是libmagic编译时包含的文件,可以查看特征
$ strings magicfile_c970e3503feebf8274571f09d27cdd2f | grep File:
@(#)$File: magic.c,v 1.115 2021/09/20 17:45:41 christos Exp $
@(#)$File: apprentice.c,v 1.309 2021/09/24 13:59:19 christos Exp $
@(#)$File: encoding.c,v 1.32 2021/04/27 19:37:14 christos Exp $
@(#)$File: compress.c,v 1.129 2020/12/08 21:26:00 christos Exp $
@(#)$File: print.c,v 1.89 2021/06/30 10:08:48 christos Exp $
@(#)$File: fsmagic.c,v 1.81 2019/07/16 13:30:32 christos Exp $
@(#)$File: funcs.c,v 1.122 2021/06/30 10:08:48 christos Exp $
@(#)$File: cdf_time.c,v 1.19 2019/03/12 20:43:05 christos Exp $
@(#)$File: readcdf.c,v 1.74 2019/09/11 15:46:30 christos Exp $
@(#)$File: buffer.c,v 1.8 2020/02/16 15:52:49 christos Exp $
@(#)$File: softmagic.c,v 1.315 2021/09/03 13:17:52 christos Exp $
@(#)$File: ascmagic.c,v 1.109 2021/02/05 23:01:40 christos Exp $
@(#)$File: is_csv.c,v 1.6 2020/08/09 16:43:36 christos Exp $
@(#)$File: is_json.c,v 1.15 2020/06/07 19:05:47 christos Exp $
@(#)$File: is_tar.c,v 1.44 2019/02/20 02:35:27 christos Exp $
@(#)$File: readelf.c,v 1.178 2021/06/30 10:08:48 christos Exp $
@(#)$File: der.c,v 1.21 2020/06/15 00:58:10 christos Exp $
@(#)$File: cdf.c,v 1.120 2021/09/24 13:59:19 christos Exp $
data = open("magicfile_c970e3503feebf8274571f09d27cdd2f", "rb").read()
data = data[0x21004:][376:0x116f9f8]
MAGIC = [ #定义的结构体,理解更加清晰
[2, "cont_level"],
[1, "flag"],
[1, "factor"],
[1, "reln"],
[1, "vallen"],
[1, "type"],
[1, "intype"],
[1, "in_op"],
[1, "mask_op"],
[1, "cond"],
[1, "factor_op"],
[4, "offset"],
[4, "in_offset"],
[4, "lineno"],
[8, "union"],
[64, "value"],
[64, "desc"],
[80, "mimetype"],
[8, "apple"],
[64, "ext"],
[64, "idk_whats_this"],
]
flag = b""
for offset in range(48625):
c = data[376 * offset: 376 * (offset + 1)]
print("===", offset)
cur = 0
for a, b in MAGIC:
d = c[cur:cur+a] if sum(c[cur:cur+a]) else b"(null)"
if b in ["in_op", "mask_op", "type", "vallen"]: d = c[cur:cur+a][0]
if b in ["cont_level", "lineno", "offset"]: d = int.from_bytes(c[cur:cur+a], "little")
if b in ["value", "mimetype"]: d = d.rstrip(b"\\x00")
if d == b"(null)": d = d.decode()
print(str(b).ljust(16, " "), d)
cur += a
if b == "value" and d != "(null)": flag += d
print("\\n\\n")
assert cur == 376
if b"Congratulations" in c: break
print(flag[-48:])
# TPCTF{YoU_AR3_SO_5m@R7_TO_cRACk_Th1$_m@9iC_f1le}
stonegame
解包后用pycdas拿到pocode码,用AI写成python代码
import os
import random
import sys
from time import sleep
# DigitalDisplayGame 类: 游戏逻辑
class DigitalDisplayGame:
def __init__(self, max_stones):
self.max_stones = max_stones
self.stones = [max_stones] * 7 # 初始化7个段,每个段有max_stones个石头
self.current_player = 0 # 0表示玩家,1表示AI
def is_valid_move(self, move):
# 检查玩家的移动是否合法
return all(0 <= m <= self.max_stones for m in move)
def make_move(self, move):
# 执行玩家的移动
for i in range(7):
self.stones[i] -= move[i]
def switch_player(self):
# 切换当前玩家
self.current_player = 1 - self.current_player
# MonteCarloAI 类: 模拟AI的决策
class MonteCarloAI:
def __init__(self, game, iterations=2000):
self.game = game
self.iterations = iterations
def get_best_move(self):
# 这里仅作为一个示例,AI 随机选择一个合法的动作
valid_moves = []
for i in range(7):
if self.game.stones[i] > 0:
move = [0] * 7
move[i] = random.randint(1, self.game.stones[i])
if self.game.is_valid_move(move):
valid_moves.append(move)
return random.choice(valid_moves) if valid_moves else [0] * 7
# GameUI 类: 游戏界面和用户输入
class GameUI:
def __init__(self):
self.max_stones = self.max_stones = random.randint(0,100)
self.reset_game()
def reset_game(self):
self.game = DigitalDisplayGame(self.max_stones)
self.ai = MonteCarloAI(self.game, iterations=2000)
self.current_player = 0
def display_game(self):
os.system('clear' if os.name == 'posix' else 'cls')
print("\nDigital Display Game\n")
print("\nCurrent stone count:")
for i in range(7):
print(f"Segment {i + 1}: {self.game.stones[i]} stones")
print(f"\nCurrent player: {'You' if self.game.current_player == 0 else 'AI'}")
def get_player_move(self):
print("\nEnter the number of stones to remove from each segment (space-separated, e.g.: 0 1 0 2 0 0 0):")
while True:
try:
move = list(map(int, input().split()))
if len(move) != 7:
print("Input must be 7 numbers!")
continue
if not self.game.is_valid_move(move):
print("Invalid move! Remember you cannot form cycles.")
continue
return move
except ValueError:
print("Please enter valid numbers!")
except EOFError:
print("Input error. Exiting...")
sys.exit(1)
def play_single_game(self,total_round):
faile_round = 0
win_round =0
for i in range(total_round):
print("next round will start")
sleep(2)
self.reset_game()
self.display_game()
while sum(self.game.stones) > 0:
if self.game.current_player == 0: # 玩家回合
move = self.get_player_move()
self.game.make_move(move)
else: # AI回合
move = self.ai.get_best_move()
print(f"\nAI is making its move: {move}")
self.game.make_move(move)
self.game.switch_player()
self.display_game()
print("Game over!")
if self.game.current_player == 1:
print("You win!")
win_round +=1
else:
print("AI wins!")
faile_round +=1
if win_round == 90: return 1
if faile_round == 10:
return 0
# 主程序
if __name__ == "__main__":
total_round = 100
f=open("FLAG","r",encoding='utf-8').read()
try:
game_ui = GameUI()
if game_ui.play_single_game(total_round,):
print("you get")
print(f)
except KeyboardInterrupt:
print("\nGame interrupted.")
大概的逻辑就是初始化一堆石子堆,每堆石子的初始值从100以内的数随机选取,玩家和ai反别按回合从每堆石子中抽取一定数量的石子,
有 7 堆
CYCLES = [[1, 2, 4, 5], [1, 3, 4, 6], [2, 4, 5, 7], [3, 4, 6, 7], [1, 2, 3, 7, 5, 6], [2, 4, 6, 7, 5], [3, 4, 5, 7, 6]]
每次可以取多个,不能形成 cycle
无法操作的玩家输
AI 使用了某种蒙特卡罗算法,在终局不是最优的
一种策略是:
- 第一轮取完 1 2 3
- AI 一般只是随便取一个
- 第二轮取完 4 5 6 7
这样两轮能获胜
因为每局 sleep 2s 所以要耐心等待
from pwn import *
io = remote("1.95.128.179", 3675, level="debug")
io.sendline(b"")
while True:
# io.recvuntil(b"Current stone count:\\n", timeout=10)
a = []
for i in range(1, 8):
io.recvuntil(b"Segment ")
a.append(int(io.recvline().decode().strip().split()[1]))
io.recvuntil(b"Current player: ")
player = io.recvline().decode().strip()
if player.lower() == "you":
io.recvline()
if "Enter the number of stones" in io.recvline().decode():
if any(a[:3]): b = a[:3] + [0, 0, 0, 0]
else: b = [0, 0, 0] + a[3:]
io.sendline(" ".join(map(str, b)).encode())
# TPCTF{M0nt3_C4rl0_S34rch_1s_4w3s0m3_f0r_g4m3s}
...
b'You won this round!\\n'
b'Score after round 100: 100/100\\n'
b'\\n'
b'=== Challenge Complete ===\\n'
b'Final score: 100/100\\n'
b'\\n'
b"Congratulations! You've beaten the AI enough times to earn the flag:\\n"
b'TPCTF{M0nt3_C4rl0_S34rch_1s_4w3s0m3_f0r_g4m3s}\\n'
protable
找到main函数只有一个异或
https://github.com/jart/cosmopolitan
binwalk 提取特征字符串得到 APE 程序
根据 repo 中的 specification 文档
APE MZ Magic
- ASCII: `MZqFpD='`
- Hex: 4d 5a 71 46 70 44 3d 27
查找 magic 在 portable 文件的位置,直接取 0x10000 开始的程序
main 在 sub_407F30
静态链接的 binary
看上去是用 c++ string 处理
校验:
- len(flag) = 73
- flag[0…6] = “TPCTF{”
- flag[72…73] = “}”
- flag[i+6] xor key[i%12] = enc[i] for i = 0…65
enc: 34 2A 42 0E 00 1D 5C 33 5E 44 3E 1A 0B 5C 2C 3A 5F 22 03 28 36 1B 07 31 8D DE 10 A2 EB B2 DA A2 D8 18 0D 17 1C 1F BD D9 1D BF EB A2 D8 16 0D A0 F6 30 BD D8 17 BE DA 0F AB C1 AE EA 8D DE 11 01 A1 C5
key: Cosmopolitan
xor 得到是 flag 的一半
b'wE1com3_70_tH3_W0RlD_of_\\xce\\xb1c\\xcf\\x84\\xc2\\xb5\\xce\\xb1lly_p\\xce\\xb4r\\xcf\\x84\\xce\\xb1bl\\xce\\xb5_\\xce\\xb5x\\xce\\xb5c\\xc2\\xb5\\xcf\\x84\\xce\\xb1bl\\xce\\xb5'
在 linux 中运行,结果是 flag 正确?
原来 flag 不全是 ascii…
TPCTF{wE1com3_70_tH3_W0RlD_of_αcτµαlly_pδrταblε_εxεcµταblε}
大概是 windows 也要逆向一遍?
windows main 在 sub_4070BC(?)
有一个虚拟机 (?)
[已完成] elf → js
[已完成] js → wasm
[已完成] wasm → flag
这是 wasm 文件:
wasm 的字符串里有编译的命令,其中包含了参数的值:
-X 'main.encryptedFlag=5ab82be11ac991707e166bbfcbf05cb5776b0ecb34ce659e6209542fecba7ab6ec82f44c1ab55e4f4fb06b37ef935b08'
-X 'main.maskedKey=960937ed01e77d7662565988a67abbfe0a2c11742abd00d6cf74de094447f7d3'
-X 'main.maskedIV=a7ccfe57d2af1deb1a0088517c0a9240'
-X 'main.mask=5dabc0b2b7296eefeaadd177746adb4acb2439e7990792cc7fdb7124b1a2633d'
根据程序内字符串(Error unmasking key/IV)猜测 maskedKey = Key xor mask, maskedIV = IV xor mask,AES 解密得到 flag
ct = bytes.fromhex("5ab82be11ac991707e166bbfcbf05cb5776b0ecb34ce659e6209542fecba7ab6ec82f44c1ab55e4f4fb06b37ef935b08")
mask_key = bytes.fromhex("960937ed01e77d7662565988a67abbfe0a2c11742abd00d6cf74de094447f7d3")
mask_iv = bytes.fromhex("a7ccfe57d2af1deb1a0088517c0a9240")
mask = bytes.fromhex("5dabc0b2b7296eefeaadd177746adb4acb2439e7990792cc7fdb7124b1a2633d")
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
def xor(x, y): return bytes([i ^ j for i, j in zip(x, y)])
key = xor(mask_key, mask)
iv = xor(mask_iv, mask)
cipher = AES.new(key, AES.MODE_CBC, iv=iv)
pt = unpad(cipher.decrypt(ct), AES.block_size)
print(pt.decode())
# TPCTF{m47r3shk4_h4ppy_r3v3r53_g@_w45m}
这题确实套娃……
obfuscator
这题用的是 d3n0l4nd (https://github.com/denoland/deno)将 javascript 包装成 elf
在可执行文件末尾有 js 文件
js 文件中有大量混淆,而且 deobfuscator 都去除不了……
js 中间有一行 import {unzipSync as u} from "node:zlib";import {Buffer as l} from "node:buffer";
这一行前面的部分:
let HbGI;!function(){const Aevx=Array.prototype.slice.call(arguments);return eval("......")}();
其中省略了一个 2 MB 的字符串,这个字符串 unquote 后去混淆,大致逻辑是
(function Y4QD(HkYv) {
const jS0v = Tr5t(HkYv, bIQv(Y4QD.toString()))
try {
let DfTv = eval(jS0v)
return DfTv.apply(null, Aevx)
} catch (fNVv) {
// if fNVv instanceof SyntaxError
// then console.log('Error: the code has been tampered!')
// else throw fNVv
}
function bIQv(bKnw) {
// returns 8-letter key from hash(bKnw)
}
function Tr5t(vZ7t, Pm0t) {
// returns decodeURI(vZ7t) xor Pm0t
}
})("......")
其中省略了一个 1 MB 的字符串,这个字符串 URI 解码后异或 key = ipgslcfa (key 可以用明文攻击得到,因为 js 里有大量的函数定义)得到的是
(function() {
function AYnQ() {
return (IqhF()) + (QIKN())
}
function UTeQ() {
return cypN() + AUkK() + EjQI() + EHOF() + sqiD() + glTI()
}
function wVhQ() {
return (sqiD())[wtgN()]()
}
function QQYP() {
return (+!+[] + (++[+[]][+[]])) + (+[] + !+[])
}
HbGI = {};
function sSbQ() {
return EjQI() + ceKC() + wVhQ() + ULQN()
}
function smPQ() {
gJRF = [];
const UnSQ = AUsA();
const ojJQ = MxyB();
const QkMQ = seBO();
const kgDQ = wFNB();
const MhGQ = MdDK();
var gdxQ = (196698 % 0o200026);
{
let IeAQ;
while (gdxQ < (196664 % 0o200011)) {
switch (gdxQ) {
case (0x102D0 - 0o201270):
gdxQ = (262208 % 0o200014);
IeAQ = (0x75bcd15 - 0O726746425);
break;
case (262225 % 0o200017):
gdxQ = (0O264353757 % 8);
{
let kEBN = "";
const MFEN = QofD[IeAQ];
var gBvN = (0o201510 - 0x1032C);
{
let ICyN;
while (gBvN < (0x4009E % 0o200036)) {
switch (gBvN) {
case (0x10C4E - 0o206053):
gBvN = (0o1000247 % 0x10023);
{
kEBN += UnSQ[ojJQ](MFEN[QkMQ](ICyN) ^ (0O264353757 % 8));
}
break;
case (68056 - 0o204674):
gBvN = (0o1000301 % 0x10027);
ICyN = (0x21786 % 3);
break;
case (262319 % 0o200045):
gBvN = (0o201344 - 0x102BF);
ICyN++;
break;
case (0o600243 % 0x1002A):
gBvN = ICyN < MFEN[kgDQ] ? (262319 % 0o200043) : (0o1000246 % 0x10020);
break;
}
}
}
gJRF[MhGQ](kEBN);
}
break;
case (0o1000104 % 65549):
gdxQ = IeAQ < QofD[kgDQ] ? (131113 % 0o200012) : (0o202652 - 66957);
break;
case (0O264353757 % 8):
gdxQ = (0x40058 % 0o200022);
IeAQ++;
break;
}
}
}
}
function cypN() {
return (typeof([] + []))[+!+[] + !+[]]
}
function EzsN() {
return ((+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
]]) * (orfJ())) + (+[
[+[
[+!+[]] + [+[]]
] + []][+[]][+!+[]]
])
}
function YujN() {
return (AILL())[kYoO()](AoYK())
}
function AwmN() {
return EbCG() + MVoI() + EvpH() + EjQI()
}
function AQZN() {
return oPdG() + kMXF() + kwnL() + wNTN()
}
HbGI.t = ([null] == '');
function cScO() {
return ([][gViO()] + [])[cWnK()]
}
function wNTN() {
return (EvpH())[wtgN()]()
}
function YOWN() {
return (AQhE())[wtgN()]()
}
function sKNN() {
return cypN() + oPdG() + YiSE() + wNTN() + oPdG() + kMXF() + kwnL() + wNTN()
}
function ULQN() {
return (AUkK())[wtgN()]()
}
function oHHN() {
return function() {};
}
function QIKN() {
return (UrdN()) + (sCHB())
}
var QcyO = [(263359 % 0o200361), (86096 - 0o247517), (0x2935494a % 7), (0x20451009 % 9)];
function seBO() {
return gtpB() + UbBI() + AUkK() + cypN() + kwnL() + sqiD() + EHOF() + AsjH() + ULQN() + cOZH() + wVpG()
}
function MZrO() {
return (++[+[]][+[]]) + ((QQYP()) * (+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
]]))
}
function obvO() {
return UXxC() + EHOF() + EDDJ() + wNTN()
}
function IWlO() {
return gZtK() + EHOF() + EHOF() + ofGK() + IaxK() + kAyH() + ETfO() + EDDJ()
}
function kYoO() {
return wVpG() + sqiD() + QoXM() + wVpG() + cypN() + MVoI() + EjQI() + EvpH()
}
function ETfO() {
return (IGJJ()) + []
}
function gViO() {
return AQhE() + MVoI() + EjQI() + EHOF()
}
var gpWO = [(0o217620 - 0x11F2B), (0x3015A % 0o200121), (0o400345 % 65597), (0o216716 - 73057), (73446 - 0o217165)];
function IqZO(cmQO, EnTO, YiKO) {
let AkNO = "";
var UfEO = (0o205120 - 0x10A3A);
{
let whHO;
YWkQ: while (UfEO < (0x10E74 - 0o207117)) {
switch (UfEO) {
case (0o400136 % 0x1001D):
UfEO = (0o400124 % 65561);
{
var YGIL = (262237 % 0o200017);
while (YGIL < (131179 % 0o200043)) switch (YGIL) {
case (66616 - 0o202024):
YGIL = (0x20075 % 0o200050);
break YWkQ;
case (0o400075 % 0x1000E):
YGIL = whHO >= cmQO.length ? (0x400B4 % 0o200044) : (0x1073A - 0o203425);
break;
}
AkNO += cmQO[whHO];
}
break;
case (0o600074 % 0x10009):
UfEO = whHO < EnTO + (YiKO === undefined ? cmQO.length : YiKO) ? (196737 % 0o200037) : (0x11158 - 0o210463);
break;
case (0o205240 - 68222):
UfEO = (0x3005D % 0o200024);
whHO++;
break;
case (0o205120 - 68154):
UfEO = (0x107BC - 0o203633);
whHO = EnTO;
break;
}
}
}
return AkNO;
}
function AILL() {
return ((+[] + !+[] + (++[+[]][+[] + []])) * (wlSK())) + (+[] + !+[])
}
function UDCL(wFFL) {
return gJRF[wFFL];
}
function QAwL() {
return (+!+[] + !+[]) + (+[
[+[
[+!+[]] + [+[]]
] + []][+[]][+[]]
])
}
function sCzL() {
return YmdB() + YGQB() + AsjH() + EjQI() + wVpG() + QoXM() + wVpG() + sqiD() + cypN() + AUkK() + EvpH() + AsjH()
}
function MxqL() {
return (YCFF())[kYoO()](MlZC())
}
function oztL() {
return '\\u0055'
}
let oTgM;
function QUjM() {
return gZtK() + EHOF() + EHOF() + ofGK()
}
function kQaM() {
return glTI() + MVoI() + EjQI()
}
function MRdM() {
return (EjQI())[wtgN()]()
}
function gNUL() {
return ('' [koZI()]())[ErmB()]
}
function IOXL() {
return YGQB() + EbCG() + cypN() + ULQN()
}
function cKOL() {
return (QQYP()) + (AILL())
}
function ELRL() {
return EreL() + kMXF() + cqjB() + EDDJ()
}
HbGI[(UXpM()) + (MBBH())] = function(EfFM, ghIM, AczM) {
var ceCM = (262229 % 0o200020);
while (ceCM < (0o206534 - 68918)) switch (ceCM) {
case (0x9D8DE4 - 0O47306735):
ceCM = (0o1000222 % 0x1001B);
{
return QcyO[IWlO()]()[UzzF()][ghIM];
}
break;
case (0o1000131 % 0x10011):
ceCM = EfFM === (+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
]) ? (0x9D8DE4 - 0O47306735) : (0x1076C - 0o203506);
break;
}
EfFM = sqaN()[ETnE()][kQaM()](EfFM, kUlI());
const wZsM = IqhF() + sqaN()[ETnE()][ICGD()](EfFM / (+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
]]) - (MpcJ()), EfFM) - QIKN();
var YawM = (0o203004 - 67054);
while (YawM < (69976 - 0o210463)) switch (YawM) {
case (0x30045 % 0o200014):
YawM = (0x20073 % 0o200047);
{
var sWmM = (0o1000265 % 65572);
while (sWmM < (0o600175 % 0x1001D)) switch (sWmM) {
case (0o204254 - 0x10887):
sWmM = AczM ? (0x1015E - 0o200473) : (0x102F8 - 0o201322);
break;
case (0o600214 % 0x10023):
sWmM = (262306 % 0o200037);
{
AczM();
return QcyO[(QUjM()) + (EXyA())]()[kgLG()](EfFM, ghIM);
}
break;
}
}
break;
case (0x2003E % 0o200024):
YawM = EfFM + (QAwL()) < (+[]) ? (0o201224 - 0x10273) : (0o600221 % 65572);
break;
}
return gpWO[kgLG()](wZsM, ghIM, AczM);
};
function UXpM() {
return ojRG() + IeIG() + oztL() + wNTN()
}
function UrdN() {
return (+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[]]) * (+[
[+[
[+![] + !+[]] + [+[]]
] + []][+[]][+[]]
]) + (++[+[]][+[]] + (++[+[]][+[]]))
}
function wtgN() {
return wVpG() + sqiD() + oztL() + QEHH() + QEHH() + AsjH() + cypN() + kwnL() + AUkK() + EbCG() + AsjH()
}
function QoXM() {
return (EbCG())[wtgN()]()
}
function sqaN() {
var MlRM = (0o600127 % 65555);
while (MlRM < (262347 % 0o200053)) switch (MlRM) {
case (0o205670 - 68506):
MlRM = !oTgM ? (73639709 % 9) : (0x20075 % 0o200053);
break;
case (0O3153050563 - 0x19AC516B):
MlRM = (0x1026C - 0o201115);
{
const onUM = oTgM = Function(cWvA(IukL(), MNaG(), AILL(), UHNH()))();
oncD();
let IiLM = onUM[gNcC() + sCzL()];
var kkOM = (0x30039 % 0o200010);
while (kkOM < (0x400D9 % 0o200055)) switch (kkOM) {
case (0o204160 - 67660):
kkOM = (0o600246 % 0x1002B);
{
oTgM[MZzE()] = onUM[EfNC() + UnaH()];
onUM[smXG()] = oHHN;
}
break;
case (0x30039 % 0o200010):
kkOM = !IiLM ? (0o1000264 % 0x10024) : (0o400171 % 0x1002A);
break;
}
}
break;
}
return oTgM;
}
function MJPJ() {
return cypN() + EreL() + kwnL() + YmdB() + oPdG() + EnbF() + MFMD() + YmdB()
}
function oLSJ() {
return AQhE() + YmdB() + EreL() + EDDJ()
}
HbGI[kkWC()] = (wlSK()) - sCHB();
function IGJJ() {
return (++[+[]][+[]]) + (+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
]]) + (+!+[] + (++[+[]][+[]]))
}
function kIMJ() {
return IaxK() + MVoI() + EjQI() + EHOF()
}
function EDDJ() {
return ([][IusB()]() + [])[cWnK()]
}
function gFGJ(AAxJ) {
return gJRF[AAxJ];
}
function cCAJ() {
return EjQI() + wNTN() + YOWN() + wNTN()
}
function cWnK() {
return (++[+[]][+[]] + (++[+[]][+[]])) + (QIKN())
}
function EXqK() {
return AQhE() + wNTN() + AUkK() + ofGK()
}
let YShK = MZrO() + (sqaN() ? +[] : +[] + !+[] + (++[+[]][+[] + []]));
function AUkK() {
return (![] + [])[+!+[]]
}
function UPbK() {
return ((QIKN()) * (cumH())) + (QQYP())
}
function wReK() {
return (MpcJ()) + (MZrO())
}
function QMVJ() {
return (+!+[]) + ((wReK()) * (QAwL()))
}
function sOYJ() {
return ((wReK()) * (++[+[]][+[]] + (++[+[]][+[]]))) + (++[+[]][+[]] + (++[+[]][+[]]) - +!+[])
}
function siMK() {
return EjQI() + sqiD() + YqgH()
}
function UjPK() {
return ((+[] + !+[] + (++[+[]][+[] + []])) * (QsiJ())) + (+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
])
}
QcyO[IWlO()]()[(kYwE()) + (wdEI())] = function() {
YShK = (YShK + (0O57060516 - 0xbc614d)) % (AwuD());
return HbGI.nGFGP5zE[YShK] > (QIKN());
};
function ofGK() {
return (YujN())[wtgN()]()
}
function QgJK() {
return this[(oLSJ()) + (EXqK())];
}
function kcAK() {
return (MhOG())[wtgN()]()
}
function MdDK() {
return QEHH() + MFMD() + EbCG() + UbBI()
}
function gZtK() {
return (UbBI())[wtgN()]()
}
function IaxK() {
return (typeof ![])[+[]]
}
function IukL() {
return YqgH() + YqgH() + gpeF() + EnbF() + ISiI() + QYuI() + MRdM() + YeHI() + ciNI() + YaEC() + ofGK() + wVpG() + MFMD() + AsjH() + cypN() + AQhE() + QYuI() + cScO() + IiTC() + MhOG() + EbCG() + QEHH() + gNUL() + EjQI() + wVpG() + UXxC() + MVoI() + cypN() + QoXM() + QoXM() + YOWN() + oPdG() + oPdG() + YGQB() + UbBI() + kskF() + gNUL()
}
QcyO[(QUjM()) + (EXyA())]()[sKNN()] = (IqhF()) - MZrO();
function kwnL() {
return '\\u0043'
}
function EreL() {
return (EHOF())[wtgN()]()
}
function gthL() {
return AQhE() + MVoI() + AEIF() + kwnL()
}
function AoYK() {
return (+[]) + ((+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
]]) * (oDEH()))
}
function cqbL() {
return ojRG() + MhOG() + YqgH() + ULQN()
}
function wlSK() {
return (+!+[]) + ((++[+[]][+[]] + (++[+[]][+[]])) * (UrdN()))
}
function YmVK(AMWH) {
return gJRF[AMWH];
}
wBCF();
function cOZH() {
const wJQH = sqaN()[gBDD()];
return wJQH ? (wJQH + [])[wpdH % QsiJ()] : IqZO(wJQH + [], AILL());
}
function YKTH() {
return AQhE() + AUkK() + YmdB() + ULQN()
}
function sGKH() {
return kcAK() + QQgG() + EnbF() + ULQN()
}
function UHNH() {
return (QQYP()) + (sOYJ())
}
function oDEH() {
return ((QQYP()) * (MpcJ())) + (+[])
}
function QEHH() {
return '\\u0070'
}
function QYuI() {
return (wlSK()) + []
}
let sayI;
function MVoI() {
return (typeof([] + []))[+!+[] + !+[] + !+[]]
}
function oXrI() {
return UXxC() + ETfO() + ojRG() + YmdB()
}
function ISiI() {
return (((+!+[]) / (++[+[]][+[]] + (++[+[]][+[]]))) + [])[+!+[]]
}
function kUlI() {
return (++[+[]][+[]]) + ((+!+[] + (++[+[]][+[]])) * (sCHB()))
}
function EPcI() {
return EreL() + AUkK() + wVpG() + AsjH()
}
function gRfI() {
return kcAK() + YGQB() + EnbF() + EDDJ()
}
function glTI() {
return (cKOL())[kYoO()](AoYK())
}
let ImWI = {
[kUlI()]: AoYK() < AYvG(),
[UjPK()]: kwvB() > UHNH(),
[YCFF()]: oHPD() < ghQC(),
[wxrJ()]: AgKI() < AILL(),
[AoYK()]: ErmB() < wReK(),
[QMVJ()]: AoYK() > ovqF()
};
function ciNI() {
return (wVpG())[wtgN()]()
}
function EjQI() {
return ([][
[]
] + [])[+[] + !+[]]
}
function YeHI() {
return (MxqL())[wtgN()]()
}
function AgKI() {
return (++[+[]][+[]] + (++[+[]][+[]]) - +!+[]) + ((+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[]]) * (cWnK()))
}
function UbBI() {
return (kUlI())[kYoO()](oHPD())
}
function wdEI() {
return oPdG() + EnbF() + MFMD() + YmdB()
}
function wxrJ() {
return ((QQYP()) * (QsiJ())) + (+!+[] + !+[])
}
HbGI.u = (function(YyuJ) {
var sulJ = (66976 - 0o202574);
while (sulJ < (131187 % 0o200047)) switch (sulJ) {
case (0x30075 % 0o200033):
sulJ = !sayI ? (67236 - 0o203202) : (0x11158 - 0o210463);
break;
case (65876 - 0o200462):
sulJ = (0x20079 % 0o200052);
{
(function(UvoJ) {
sayI = UvoJ;
})(ImWI)
}
break;
}
return sayI[YyuJ] ^ (gpWO.nGFGP5zE[YShK] < (QIKN()));
});
function orfJ() {
return (+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
]]) + ((MpcJ()) * (gdFG()))
}
function QsiJ() {
return ((++[+[]][+[]] + (++[+[]][+[]])) * (gxsH())) + (+[
[+[
[+!+[]] + [+[]]
] + []][+[]][+!+[]]
])
}
function koZI() {
return AQhE() + sqiD() + EjQI() + wVpG() + gtpB() + sqiD() + cyxD() + sqiD() + cypN()
}
function MpcJ() {
return (QAwL()) + (QQYP())
}
function oPdG() {
return (cyxD())[wtgN()]()
}
function QQgG() {
return (+[] + !+[]) + []
}
function kMXF() {
return (sCHB()) + []
}
function MNaG() {
return (+!+[] + !+[]) + (IWtE())
}
let gJRF;
function IKUF(cGLF) {
return gJRF[cGLF];
}
function EHOF() {
return ([][
[]
] + [])[++[++[
[]
][+[]]][+[]]]
}
function EbCG() {
return (![] + [])[+!+[] + !+[] + !+[]]
}
function gdFG() {
return (+[
[+[
[+!+[]] + [+[]]
] + []][+[]][+!+[]]
]) + ((QQYP()) * (MZrO()))
}
function AYvG() {
return ((MpcJ()) * (sCHB())) + (+[
[+[
[+!+[]] + [+[]]
] + []][+[]][+!+[]]
])
}
function cazG() {
return EjQI() + wNTN() + YOWN() + wNTN() + UXxC() + ETfO() + ojRG() + YmdB()
}
function wVpG() {
return (typeof([] + []))[+!+[]]
}
HbGI[gthL()] = YmVK;
function YWsG() {
return MFMD() + EjQI() + ceKC() + EjQI() + sqiD() + YqgH() + EjQI()
}
function sSjG(UTmG) {
return gJRF[UTmG];
}
function UnaH() {
return EjQI() + EbCG() + sqiD() + cyxD() + AsjH()
}
function wpdH() {
return sqaN()[EPcI()][siMK()]();
}
function QkUG() {
return (cypN())[wtgN()]()
}
function smXG() {
return ULQN() + IaxK() + sqiD() + cypN() + wVpG() + QoXM() + MVoI() + EvpH() + EjQI() + AUkK() + cyxD() + QkUG() + AsjH() + EjQI() + EHOF() + AsjH() + cypN() + AsjH() + cypN()
}
function MhOG() {
return (QcGE())[kYoO()](cSkE())
}
HbGI[AcHC()] = wZAC;
function ojRG() {
return (IWtE())[kYoO()](AoYK())
}
function IeIG() {
return (YGQB())[wtgN()]()
}
function kgLG() {
return ojRG() + IeIG() + oztL() + wNTN() + ciNI() + MVoI() + MRdM() + wNTN()
}
function kAyH() {
return (IaxK())[wtgN()]()
}
function MBBH() {
return ciNI() + MVoI() + MRdM() + wNTN()
}
function gxsH() {
return (+[
[+[
[+![] + !+[]] + [+[]]
] + []][+[]][+[]]
]) + (+[] + !+[] + (++[+[]][+[] + []])) + (+!+[] + !+[])
}
function IyvH() {
return (+(((+!+[]) + []) + ((!![] + [])[+!+[] + !+[] + !+[]]) + (+!+[]) + (+[]) + (+[]) + (+[])) + [])[+!+[] + !+[] + !+[] + !+[] + !+[] + !+[] + !+[]]
}
HbGI[YKTH()] = AogB;
function cumH() {
return (++[+[]][+[]] + (++[+[]][+[]])) * (+[
[+[
[+![] + !+[]] + [+[]]
] + []][+[]][+[]]
]) + (+[] + !+[] + (++[+[]][+[] + []]))
}
function EvpH() {
return (typeof([] + []))[+!+[] + !+[] + !+[] + !+[] + !+[]]
}
function YqgH() {
return (wxrJ())[kYoO()](QcGE())
}
function AsjH() {
return ([][
[]
] + [])[+!+[] + !+[] + !+[]]
}
function cSkE() {
return (+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[]]) + (wxrJ())
}
function ETnE() {
return AEIF() + AUkK() + wVpG() + UbBI()
}
function YOeE() {
HbGI[AkVE()] = sqaN()[gBDD()];
sqaN()[EfNC() + UnaH()] = HbGI[YWsG()];
}
HbGI[UrlD()] = UDCL;
function AQhE() {
return ([][
[]
] + [])[+!+[] + !+[] + !+[] + !+[]]
}
function ULYD(wNbE, QISD) {
let sKVD = - ++[+[]][+[]];
var seJE = (0o201224 - 66163);
{
let UfME;
while (seJE < (0o205036 - 68089)) {
switch (seJE) {
case (131145 % 0o200024):
seJE = (0o204160 - 67660);
UfME = +[
[+[
[+!+[]] + [+[]]
] + []][+[]][+!+[]]
];
break;
case (67856 - 0o204363):
seJE = (0o202070 - 0x10414);
UfME++;
break;
case (0x10BF4 - 0o205722):
seJE = (0o400057 % 65545);
{
var obDE = (0o201510 - 0x10333);
while (obDE < (0x4007E % 0o200026)) switch (obDE) {
case (0x9D8DE4 - 0O47306735):
obDE = (0x10A64 - 0o205076);
return UfME;
case (68056 - 0o204703):
obDE = wNbE[UfME] === QISD[+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
]] ? (0O144657447 ^ 0x1935F20) : (0o400114 % 0x10013);
break;
}
}
break;
case (0x105A0 - 0o202574):
seJE = UfME < wNbE.length ? (0x40092 % 0o200034) : (67386 - 0o203425);
break;
}
}
}
return sKVD;
}
function QcGE() {
return (+[] + !+[]) + ((++[+[]][+[]] + (++[+[]][+[]])) * (cmYE()))
}
function kYwE() {
return cypN() + EreL() + kwnL() + YmdB()
}
function MZzE() {
return YqgH() + AsjH() + IaxK() + ceKC() + MVoI() + wVpG() + YmdB() + YGQB() + AsjH() + EjQI() + wVpG() + QoXM() + wVpG() + sqiD() + cypN() + AUkK() + EvpH() + AsjH()
}
function gVqE() {
sqaN()[gBDD()] = HbGI[AkVE()];
}
function IWtE() {
return (QQYP()) + ((cumH()) * (sCHB()))
}
HbGI[cqbL()] = kEJD;
function IqhF() {
return (+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[]]) + ((QQYP()) * (QQYP()))
}
function kskF() {
return ([][gViO()] + [])[wReK()]
}
function EnbF() {
return (+[
[+[
[+[]] + [+[]]
] + []][+[]][+!+[]]
]) + []
}
function gpeF() {
return ('' [koZI()]())[AYnQ()]
}
function AkVE() {
return gtpB() + UbBI()
}
function cmYE() {
return ((+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[]]) * (sCHB())) + (+[
[+[
[+!+[]] + [+[]]
] + []][+[]][+!+[]]
])
}
function whPE() {
return YGQB() + YeHI() + UXxC() + wNTN()
}
HbGI[IOXL()] = gFGJ;
function YiSE() {
return (ceKC())[wtgN()]()
}
function YCFF() {
return ((+([+[
[!+[] + !+[]] + [+[]]
]] + [])[+[]]) * (wReK())) + (+[
[+[
[+!+[]] + [+[]]
] + []][+[]][+!+[]]
])
}
function AEIF() {
return (glTI())[wtgN()]()
}
function UzzF() {
return EreL() + kMXF() + cqjB() + EDDJ() + kcAK() + YGQB() + EnbF() + EDDJ()
}
function wBCF() {
QcyO[IWlO()]()[(cCAJ()) + (oXrI())] = [];
var QwtF = (0o200764 - 0x101EA);
{
let sywF;
while (QwtF < (68536 - 0o205637)) {
switch (QwtF) {
case (0o1000151 % 0x10017):
QwtF = (0x10226 - 0o201033);
sywF++;
break;
case (0o202114 - 66625):
QwtF = sywF < EzsN() ? (0o202520 - 0x1053F) : (67286 - 0o203275);
break;
case (0x102A8 - 0o201227):
QwtF = (0o400057 % 65553);
{
const MtnF = sqaN()[ETnE()][kQaM()](HbGI[(whPE()) + (obvO())], QcyO[(QUjM()) + (EXyA())]()[(YurD()) + (AQZN())]) || (QAwL());
QcyO[IWlO()]()[cazG()][MdDK()](sqaN()[ETnE()][AwmN()](MtnF) * sqaN()[ETnE()][cKWB()](sqaN()[ETnE()][UTeQ()]() * (EzsN()) + (++[+[]][+[]] + (++[+[]][+[]]) - +!+[])) + (QIKN()));
}
break;
case (196681 % 0o200025):
QwtF = (0x103DE - 0o201723);
sywF = +[
[+[
[+[]] + [+[]]
] + []][+[]][+[]]
];
break;
}
}
}
}
function ovqF() {
return ((wReK()) * (UrdN())) + (+[])
}
function QUrC(sWuC, MRlC) {
let oToC = "";
var IOfC = (0o201774 - 0x103EB);
{
let kQiC;
while (IOfC < (0o201750 - 0x103CF)) {
switch (IOfC) {
case (0o400073 % 65559):
IOfC = kQiC >= +[
[+[
[+[]] + [+[]]
] + []][+[]][+[]]
] ? (0x100F0 - 0o200330) : (0x20049 % 0o200030);
break;
case (0x3006B % 0o200036):
IOfC = (66576 - 0o202003);
kQiC = sWuC - (++[+[]][+[]]);
break;
case (0o1000054 % 0x10007):
IOfC = (0o200606 - 0x10179);
kQiC--;
break;
case (0x40070 % 0o200026):
IOfC = (0o600100 % 65552);
{
oToC += MRlC;
}
break;
}
}
}
return oToC;
}
HbGI[sGKH()] = sSjG;
function ELZB() {
return AQhE() + YmdB() + EreL() + EDDJ() + AQhE() + wNTN() + AUkK() + ofGK()
}
function gNcC() {
return YqgH() + AsjH() + IaxK() + ceKC() + MVoI() + wVpG()
}
function ghQC() {
return (+!+[] + (++[+[]][+[]])) + (UPbK())
}
function IiTC() {
return ([][gViO()] + [])[sCHB()]
}
function ceKC() {
return (UjPK())[kYoO()](gdFG())
}
function EfNC() {
return gtpB() + sqiD()
}
function YaEC() {
return ('' [koZI()]())[+[]]
}
HbGI[sSbQ()] = IKUF;
function AcHC() {
return IaxK() + EHOF() + gZtK() + kwnL()
}
function UXxC() {
return (QEHH())[wtgN()]()
}
function wZAC(wtoD) {
return gJRF[wtoD];
}
function YurD() {
return cypN() + oPdG() + YiSE() + wNTN()
}
function sqiD() {
return (typeof [])[+[]]
}
function UrlD() {
return IaxK() + ETfO() + IyvH() + ULQN()
}
function oncD() {
QcyO[ELZB()] = HbGI;
QcyO[IWlO()] = QgJK[kIMJ()](QcyO);
gpWO = QcyO[(QUjM()) + (EXyA())]();
gpWO[(ELRL()) + (gRfI())] = [];
}
let QofD = [ ...... ];
function kkWC() {
return YGQB() + YeHI() + UXxC() + wNTN() + UXxC() + EHOF() + EDDJ() + wNTN()
}
function MlZC() {
return (QQYP()) + ((IGJJ()) * (gxsH()))
}
function MFMD() {
return ([][
[]
] + [])[+[]]
}
function oHPD() {
return (MpcJ()) + (ErmB())
}
function ICGD() {
return glTI() + AUkK() + MhOG()
}
function kEJD(EzAD) {
return gJRF[EzAD];
}
function gBDD() {
return gtpB() + sqiD() + EjQI() + EbCG() + sqiD() + cyxD() + AsjH()
}
YOeE();
function AwuD() {
return (cumH()) + ((MpcJ()) * (cmYE()))
}
function cyxD() {
return (![] + [])[+!+[] + !+[]]
}
function EXyA() {
return IaxK() + kAyH() + ETfO() + EDDJ()
}
function gZBA() {
return QoXM() + wVpG() + cypN() + MVoI() + EjQI() + EvpH()
}
function AUsA() {
return sqaN()[gZBA()];
}
function cWvA(wRmA, YSpA, sOgA, UPjA) {
const UjXA = IqZO(wRmA, wRmA.length - (++[+[]][+[]] + (++[+[]][+[]]) - +!+[]));
let wlaB = QUrC(YSpA - (+!+[]), UjXA);
let QgRA = UPjA;
var siUA = (0x10E9C - 0o207172);
{
let MdLA;
while (siUA < (131165 % 0o200035)) {
switch (siUA) {
case (0o1000124 % 65549):
siUA = (0o201604 - 66427);
{
const ofOA = wRmA[MdLA];
wlaB = IqZO(wlaB, +[
[+[
[+!+[]] + [+[]]
] + []][+[]][+!+[]]
], QgRA - (+[] + !+[])) + ofOA + IqZO(wlaB, QgRA);
QgRA = (QgRA * sOgA) % YSpA;
}
break;
case (0o203314 - 0x106AF):
siUA = MdLA < YSpA - (+[
[+[
[+![] + !+[]] + [+[]]
] + []][+[]][+[]]
]) ? (196685 % 0o200017) : (0o202032 - 66551);
break;
case (0o207234 - 69242):
siUA = (0x10122 - 0o200405);
MdLA = +[
[+[
[!+[] + !+[]] + [+[]]
] + []][+[]][+!+[]]
];
break;
case (0o600077 % 0x10012):
siUA = (0o202652 - 0x1058D);
MdLA++;
break;
}
}
}
const IaFA = ULYD(wlaB, UjXA);
var kcIA = (0x105DC - 0o202715);
while (kcIA < (0x103A2 - 0o201603)) switch (kcIA) {
case (0o1000102 % 0x1000C):
kcIA = (0o1000247 % 65570);
{
wlaB = IqZO(wlaB, +[
[+[
[!+[] + !+[]] + [+[]]
] + []][+[]][+!+[]]
], IaFA);
}
break;
case (66886 - 0o202467):
kcIA = IaFA >= +[
[+[
[+[]] + [+[]]
] + []][+[]][+[]]
] ? (0o1000066 % 65545) : (262311 % 0o200042);
break;
}
return wlaB;
}
function kwvB() {
return ((QAwL()) * (QIKN())) + (+!+[] + (++[+[]][+[]]))
}
smPQ();
function MxyB() {
return AQhE() + cypN() + sqiD() + glTI() + kwnL() + UbBI() + AUkK() + cOZH() + cypN() + kwnL() + sqiD() + EHOF() + AsjH()
}
function gtpB() {
return ([][gViO()] + [])[+!+[] + !+[] + !+[]]
}
function IusB() {
return AsjH() + EjQI() + wVpG() + cypN() + MVoI() + AsjH() + EbCG()
}
function cqjB() {
return (MZrO()) + []
}
function ErmB() {
return (+[
[+[
[+![] + !+[]] + [+[]]
] + []][+[]][+[]]
]) + ((MpcJ()) * (cumH()))
}
function YmdB() {
return (AsjH())[wtgN()]()
}
function AogB(AITB) {
return gJRF[AITB];
}
gVqE();
function cKWB() {
return AQhE() + cyxD() + sqiD() + sqiD() + cypN()
}
function wFNB() {
return cyxD() + AsjH() + EjQI() + EvpH() + cOZH() + wVpG() + UbBI()
}
function YGQB() {
return (oHPD())[kYoO()](IWtE())
}
function sCHB() {
return (cumH()) + (cumH())
}
HbGI.Q4lG = function() {
return 24
};
HbGI.Q6SG = function() {
return 16
};
HbGI.sEVG = function() {
return 21
};
HbGI.M1NG = function() {
return 7
};
HbGI.ozQG = function() {
return 29
};
HbGI.IWIG = function() {
return 30
};
HbGI.ERDG = function() {
return 28
};
HbGI.gpGG = function() {
return 37
};
HbGI.IOAE = function() {
return 35
};
HbGI.kmDE = function() {
return 27
};
HbGI.EJvE = function() {
return 38
};
HbGI.ghyE = function() {
return 39
};
HbGI.cctE = function() {
return 22
};
HbGI.wzlE = function() {
return 33
};
HbGI.Y6nE = function() {
return 36
};
HbGI.Y8UE = function() {
return 34
};
HbGI.orIE = function() {
return 8
};
HbGI.otfF = function() {
return 14
};
HbGI.Q0hF = function() {
return 31
};
HbGI.koaF = function() {
return 32
};
HbGI.ENzF = function() {
return 10
};
HbGI.glCF = function() {
return 11
};
HbGI.AIuF = function() {
return 17
};
HbGI.cgxF = function() {
return 13
};
HbGI.wDpF = function() {
return 25
};
HbGI.YasF = function() {
return 26
};
HbGI.wvhD = function() {
return 9
};
HbGI.sqcD = function() {
return 15
};
HbGI.UXeD = function() {
return 18
};
HbGI.cEpv = function() {
return 20
};
HbGI.Yykv = function() {
return 12
}
})
其中省略了一个字符串数组 QofD 的内容(这里的字符串 由于未知原因 因为 xor 加密 有大量的 0x7F 字符)
检查混淆,它将 QofD 的每个字符串都异或了 7
解异或后得到一串 base64,解码然后解压 gzip 得到一个 wasm 文件
后面的部分:
const UDKB=HbGI.faEA(2);(()=>{const ozBB=()=>{const QAEB=new Error(HbGI.b5yA(3));return QAEB[HbGI.zxwA(4)]=HbGI.vsrA(5),QAEB;};if(!globalThis[HbGI.X10A(6)]){let saGy=HbGI.nkOA(7);globalThis[HbGI.X10A(6)]={[HbGI.fiMC(8)]:{[HbGI.bdHC(9)]:-(0O57060516-0xbc614d),[HbGI.faEA(10)]:-(0O57060516-0xbc614d),[HbGI.b5yA(11)]:-(0O57060516-0xbc614d),[HbGI.zxwA(12)]:-(0O57060516-0xbc614d),[HbGI.vsrA(13)]:-(0O57060516-0xbc614d),[HbGI.X10A(14)]:-(0O57060516-0xbc614d),[HbGI.nkOA(15)]:-(0O57060516-0xbc614d)},[HbGI.fiMC(16)](UbJy,oXzy){saGy+=cGTv[HbGI.bdHC(17)](oXzy);const QYCy=saGy[HbGI.faEA(18)](`${HbGI.b5yA(19)}`);return QYCy!=-(0O57060516-0xbc614d)&&(console[HbGI.zxwA(20)](saGy[HbGI.vsrA(21)](HbGI.u(17)?0:-9,QYCy)),saGy=saGy[HbGI.vsrA(21)](QYCy+(0O57060516-0xbc614d))),oXzy[HbGI.X10A(22)];},[HbGI.nkOA(23)](kUty,MVwy,gRny,ISqy,Imez,kohz){if(gRny!==(0x75bcd15-0O726746425)||ISqy!==MVwy[HbGI.X10A(22)]||Imez!==null){kohz(ozBB());return;}const EjYy=this[HbGI.fiMC(16)](kUty,MVwy);kohz(null,EjYy);},[HbGI.fiMC(24)](glbz,AgSy,ciVy){ciVy(ozBB());},[HbGI.bdHC(25)](wdMy,YePy,YyCz,AAFz){AAFz(ozBB());},[HbGI.faEA(26)](Uvwz,wxzz){wxzz(ozBB());},[HbGI.b5yA(27)](Qsqz,sutz,Mpkz){Mpkz(ozBB());},[HbGI.zxwA(28)](ornz,oLaA,QMdA,kIUz){kIUz(ozBB());},[HbGI.vsrA(29)](MJXz,gFOz){gFOz(ozBB());},[HbGI.X10A(30)](IGRz,cCIz){cCIz(null);},[HbGI.nkOA(31)](EDLz,gdNw,IeQw){IeQw(ozBB());},[HbGI.fiMC(32)](caHw,EbKw,YWAw,AYDw){AYDw(ozBB());},[HbGI.bdHC(33)](UTuw,wVxw,wplx){wplx(ozBB());},[HbGI.faEA(34)](Yqox,smfx){smfx(ozBB());},[HbGI.b5yA(35)](Unix,ojZw,Qkcx){Qkcx(ozBB());},[HbGI.zxwA(36)](kgTw,MhWw,MBJx,oDMx){oDMx(ozBB());},[HbGI.vsrA(37)](IyDx,kAGx,Evxx,gxAx,Asrx,cuux){cuux(ozBB());},[HbGI.X10A(38)](cOhy,EPky){EPky(ozBB());},[HbGI.nkOA(39)](YKby,AMey){AMey(ozBB());},[HbGI.fiMC(40)](UHVx,wJYx,QEPx){QEPx(ozBB());},[HbGI.bdHC(41)](sGSx,UfUu){UfUu(ozBB());},[HbGI.faEA(42)](whXu,QcOu){QcOu(ozBB());},[HbGI.b5yA(43)](seRu,MZHu,obLu){obLu(ozBB());},[HbGI.zxwA(44)](IWBu,kYEu,kssv){kssv(ozBB());},[HbGI.vsrA(45)](Mtvv,gpmv){gpmv(ozBB());},[HbGI.X10A(46)](Iqpv,cmgv,Enjv,Yiav){Yiav(ozBB());}};}if(globalThis[HbGI.nkOA(47)]||(globalThis[HbGI.nkOA(47)]={[HbGI.fiMC(48)](){return -(0O57060516-0xbc614d);},[HbGI.bdHC(49)](){return -(0O57060516-0xbc614d);},[HbGI.faEA(50)](){return -(0O57060516-0xbc614d);},[HbGI.b5yA(51)](){return -(0O57060516-0xbc614d);},[HbGI.zxwA(52)](){throw ozBB();},[HbGI.vsrA(53)]:-(0O57060516-0xbc614d),[HbGI.X10A(54)]:-(0O57060516-0xbc614d),[HbGI.nkOA(55)](){throw ozBB();},[HbGI.fiMC(56)](){throw ozBB();},[HbGI.bdHC(57)](){throw ozBB();}}),globalThis[HbGI.faEA(58)]||(globalThis[HbGI.faEA(58)]={[HbGI.b5yA(59)](...Akdv){return Akdv[HbGI.zxwA(60)](HbGI.vsrA(61));}}),!globalThis[HbGI.X10A(62)])throw new Error(HbGI.nkOA(63));if(!globalThis[HbGI.fiMC(64)])throw new Error(HbGI.bdHC(65));if(!globalThis[HbGI.faEA(66)])throw new Error(HbGI.b5yA(67));if(!globalThis[HbGI.zxwA(68)])throw new Error(HbGI.vsrA(69));const AEQv=new TextEncoder(HbGI.X10A(70)),cGTv=new TextDecoder(HbGI.X10A(70));globalThis[HbGI.nkOA(71)]=class{constructor(){this[HbGI.fiMC(72)]=[HbGI.bdHC(73)],this[HbGI.faEA(74)]={},this[HbGI.b5yA(75)]=YCNv=>{YCNv!==(0x75bcd15-0O726746425)&&console[HbGI.zxwA(76)](HbGI.vsrA(77),YCNv);},this[HbGI.X10A(78)]=new Promise(syEv=>{this[HbGI.nkOA(79)]=syEv;}),this[HbGI.fiMC(80)]=null,this[HbGI.bdHC(81)]=new Map(),this[HbGI.faEA(82)]=(0O57060516-0xbc614d);const UzHv=(EHWv,gJZv)=>{this[HbGI.b5yA(83)][HbGI.zxwA(84)](EHWv+(0x75bcd15-0O726746425),gJZv,!(0x75bcd15-0O726746425)),this[HbGI.b5yA(83)][HbGI.zxwA(84)](EHWv+(0x5E30A78-0O570605164),Math[HbGI.vsrA(85)](gJZv/4294967296),!(0x75bcd15-0O726746425));},ovyv=Iibt=>{const kket=this[HbGI.b5yA(83)][HbGI.X10A(86)](Iibt+(0x75bcd15-0O726746425),!(0x75bcd15-0O726746425)),EfVs=this[HbGI.b5yA(83)][HbGI.nkOA(87)](Iibt+(0x5E30A78-0O570605164),!(0x75bcd15-0O726746425));return kket+EfVs*4294967296;},QwBv=ghYs=>{const AcPs=this[HbGI.b5yA(83)][HbGI.fiMC(88)](ghYs,!(0x75bcd15-0O726746425));if(AcPs===(0x75bcd15-0O726746425))return;if(!isNaN(AcPs))return AcPs;const ceSs=this[HbGI.b5yA(83)][HbGI.X10A(86)](ghYs,!(0x75bcd15-0O726746425));return this[HbGI.bdHC(89)][ceSs];},QQow=(wZIs,YaMs)=>{if(typeof YaMs==HbGI.faEA(90)&&YaMs!==(0x75bcd15-0O726746425)){if(isNaN(YaMs)){this[HbGI.b5yA(83)][HbGI.zxwA(84)](wZIs+(0x5E30A78-0O570605164),HbGI.u(20)?2146959360:2146959366,!(0x75bcd15-0O726746425)),this[HbGI.b5yA(83)][HbGI.zxwA(84)](wZIs,HbGI.u(26)?0:-11,!(0x75bcd15-0O726746425));return;}this[HbGI.b5yA(83)][HbGI.b5yA(91)](wZIs,YaMs,!(0x75bcd15-0O726746425));return;}if(YaMs===void (0x75bcd15-0O726746425)){this[HbGI.b5yA(83)][HbGI.b5yA(91)](wZIs,HbGI.u(32)?-10:0,!(0x75bcd15-0O726746425));return;}let Yuzt=this[HbGI.zxwA(92)][HbGI.vsrA(93)](YaMs);Yuzt===void (0x75bcd15-0O726746425)&&(Yuzt=this[HbGI.X10A(94)][HbGI.nkOA(95)](),Yuzt===void (0x75bcd15-0O726746425)&&(Yuzt=this[HbGI.bdHC(89)][HbGI.X10A(22)]),this[HbGI.bdHC(89)][Yuzt]=YaMs,this[HbGI.fiMC(96)][Yuzt]=(0x75bcd15-0O726746425),this[HbGI.zxwA(92)][HbGI.bdHC(97)](YaMs,Yuzt)),this[HbGI.fiMC(96)][Yuzt]++;let AwCt=(0x75bcd15-0O726746425);switch(typeof YaMs){case HbGI.faEA(98):YaMs!==null&&(AwCt=(0O57060516-0xbc614d));break;case HbGI.b5yA(99):AwCt=(15658734^0O73567354);break;case HbGI.zxwA(100):AwCt=(0O334664274-0x37368B9);break;case HbGI.vsrA(101):AwCt=(0x5E30A78-0O570605164);break;}this[HbGI.b5yA(83)][HbGI.zxwA(84)](wZIs+(0x5E30A78-0O570605164),2146959360|AwCt,!(0x75bcd15-0O726746425)),this[HbGI.b5yA(83)][HbGI.zxwA(84)](wZIs,Yuzt,!(0x75bcd15-0O726746425));},sSrw=Urtt=>{const wtwt=ovyv(Urtt+(0x75bcd15-0O726746425)),Qont=ovyv(Urtt+(0O347010110&0x463A71D));return new Uint8Array(this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.b5yA(83)][HbGI.fiMC(104)],wtwt,Qont);},MNiw=sqqt=>{const Mlht=ovyv(sqqt+(0x75bcd15-0O726746425)),onkt=ovyv(sqqt+(0O347010110&0x463A71D)),oHXt=new Array(onkt);for(let QIau=(0x75bcd15-0O726746425);QIau<onkt;QIau++)oHXt[QIau]=QwBv(Mlht+QIau*(0O347010110&0x463A71D));return oHXt;},oPlw=kERt=>{const MFUt=ovyv(kERt+(0x75bcd15-0O726746425)),gBLt=ovyv(kERt+(0O347010110&0x463A71D));return cGTv[HbGI.bdHC(17)](new DataView(this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.b5yA(83)][HbGI.fiMC(104)],MFUt,gBLt));},IKcw=(ICOt,cyFt)=>((this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.bdHC(105)](),this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.faEA(106)](ICOt,cyFt))),kMfw=Date[HbGI.b5yA(107)]()-performance[HbGI.b5yA(107)]();this[HbGI.zxwA(108)]={[HbGI.vsrA(109)]:{[HbGI.X10A(110)]:(EzIt,ETvu)=>EzIt+ETvu,[HbGI.nkOA(111)]:IKcw},[HbGI.fiMC(112)]:{[HbGI.bdHC(113)]:gVyu=>{gVyu>>>=(0x75bcd15-0O726746425);const AQpu=this[HbGI.b5yA(83)][HbGI.nkOA(87)](gVyu+(0O347010110&0x463A71D),!(0x75bcd15-0O726746425));this[HbGI.faEA(114)]=!(0x75bcd15-0O726746425),delete this[HbGI.X10A(102)],delete this[HbGI.bdHC(89)],delete this[HbGI.fiMC(96)],delete this[HbGI.zxwA(92)],delete this[HbGI.X10A(94)],this[HbGI.b5yA(75)](AQpu);},[HbGI.b5yA(115)]:cSsu=>{cSsu>>>=(0x75bcd15-0O726746425);const wNju=ovyv(cSsu+(0O347010110&0x463A71D)),YOmu=ovyv(cSsu+16),sKdu=this[HbGI.b5yA(83)][HbGI.nkOA(87)](cSsu+24,!(0x75bcd15-0O726746425));fs[HbGI.fiMC(16)](wNju,new Uint8Array(this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.b5yA(83)][HbGI.fiMC(104)],YOmu,sKdu));},[HbGI.zxwA(116)]:ULgu=>{this[HbGI.b5yA(83)]=new DataView(this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.b5yA(83)][HbGI.fiMC(104)]);},[HbGI.vsrA(117)]:wlir=>{wlir>>>=(0x75bcd15-0O726746425),UzHv(wlir+(0O347010110&0x463A71D),(kMfw+performance[HbGI.b5yA(107)]())*1e6);},[HbGI.X10A(118)]:Ymlr=>{Ymlr>>>=(0x75bcd15-0O726746425);const sicr=(new Date())[HbGI.nkOA(119)]();UzHv(Ymlr+(0O347010110&0x463A71D),sicr/1e3),this[HbGI.b5yA(83)][HbGI.fiMC(120)](Ymlr+16,sicr%1e3*1e6,!(0x75bcd15-0O726746425));},[HbGI.bdHC(121)]:Ujfr=>{Ujfr>>>=(0x75bcd15-0O726746425);const ofWq=this[HbGI.faEA(82)];this[HbGI.faEA(82)]++,this[HbGI.bdHC(81)][HbGI.bdHC(97)](ofWq,setTimeout(()=>{for(this[HbGI.faEA(122)]();this[HbGI.bdHC(81)][HbGI.b5yA(123)](ofWq);)console[HbGI.zxwA(76)](HbGI.zxwA(124)),this[HbGI.faEA(122)]();},ovyv(Ujfr+(0O347010110&0x463A71D)))),this[HbGI.b5yA(83)][HbGI.fiMC(120)](Ujfr+16,ofWq,!(0x75bcd15-0O726746425));},[HbGI.vsrA(125)]:QgZq=>{QgZq>>>=(0x75bcd15-0O726746425);const kcQq=this[HbGI.b5yA(83)][HbGI.nkOA(87)](QgZq+(0O347010110&0x463A71D),!(0x75bcd15-0O726746425));clearTimeout(this[HbGI.bdHC(81)][HbGI.vsrA(93)](kcQq)),this[HbGI.bdHC(81)][HbGI.X10A(126)](kcQq);},[HbGI.nkOA(127)]:MdTq=>{MdTq>>>=(0x75bcd15-0O726746425),crypto[HbGI.fiMC(128)](sSrw(MdTq+(0O347010110&0x463A71D)));},[HbGI.bdHC(129)]:MxGr=>{MxGr>>>=(0x75bcd15-0O726746425);const ozJr=this[HbGI.b5yA(83)][HbGI.X10A(86)](MxGr+(0O347010110&0x463A71D),!(0x75bcd15-0O726746425));if(this[HbGI.fiMC(96)][ozJr]--,this[HbGI.fiMC(96)][ozJr]===(0x75bcd15-0O726746425)){const IuAr=this[HbGI.bdHC(89)][ozJr];this[HbGI.bdHC(89)][ozJr]=null,this[HbGI.zxwA(92)][HbGI.X10A(126)](IuAr),this[HbGI.X10A(94)][HbGI.faEA(130)](ozJr);}},[HbGI.b5yA(131)]:kwDr=>{kwDr>>>=(0x75bcd15-0O726746425),QQow(kwDr+24,oPlw(kwDr+(0O347010110&0x463A71D)));},[HbGI.zxwA(132)]:Erur=>{Erur>>>=(0x75bcd15-0O726746425);const gtxr=Reflect[HbGI.vsrA(93)](QwBv(Erur+(0O347010110&0x463A71D)),oPlw(Erur+16));Erur=this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.vsrA(133)]()>>>(0x75bcd15-0O726746425),QQow(Erur+32,gtxr);},[HbGI.X10A(134)]:Aoor=>{Aoor>>>=(0x75bcd15-0O726746425),Reflect[HbGI.bdHC(97)](QwBv(Aoor+(0O347010110&0x463A71D)),oPlw(Aoor+16),QwBv(Aoor+32));},[HbGI.nkOA(135)]:cqrr=>{cqrr>>>=(0x75bcd15-0O726746425),Reflect[HbGI.fiMC(136)](QwBv(cqrr+(0O347010110&0x463A71D)),oPlw(cqrr+16));},[HbGI.bdHC(137)]:cKes=>{cKes>>>=(0x75bcd15-0O726746425),QQow(cKes+24,Reflect[HbGI.vsrA(93)](QwBv(cKes+(0O347010110&0x463A71D)),ovyv(cKes+16)));},[HbGI.faEA(138)]:ELhs=>{ELhs>>>=(0x75bcd15-0O726746425),Reflect[HbGI.bdHC(97)](QwBv(ELhs+(0O347010110&0x463A71D)),ovyv(ELhs+16),QwBv(ELhs+24));},[HbGI.b5yA(139)]:YGYr=>{YGYr>>>=(0x75bcd15-0O726746425);try{const AIbs=QwBv(YGYr+(0O347010110&0x463A71D)),UDSr=Reflect[HbGI.vsrA(93)](AIbs,oPlw(YGYr+16)),wFVr=MNiw(YGYr+32),QAMr=Reflect[HbGI.zxwA(140)](UDSr,AIbs,wFVr);YGYr=this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.vsrA(133)]()>>>(0x75bcd15-0O726746425),QQow(YGYr+56,QAMr),this[HbGI.b5yA(83)][HbGI.vsrA(141)](YGYr+64,HbGI.u(36)?5:1);}catch(sCPr){YGYr=this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.vsrA(133)]()>>>(0x75bcd15-0O726746425),QQow(YGYr+56,sCPr),this[HbGI.b5yA(83)][HbGI.vsrA(141)](YGYr+64,HbGI.u(17)?0:1);}},[HbGI.X10A(142)]:sWCs=>{sWCs>>>=(0x75bcd15-0O726746425);try{const UXFs=QwBv(sWCs+(0O347010110&0x463A71D)),oTws=MNiw(sWCs+16),QUzs=Reflect[HbGI.zxwA(140)](UXFs,void (0x75bcd15-0O726746425),oTws);sWCs=this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.vsrA(133)]()>>>(0x75bcd15-0O726746425),QQow(sWCs+40,QUzs),this[HbGI.b5yA(83)][HbGI.vsrA(141)](sWCs+48,HbGI.u(40)?2:1);}catch(kQqs){sWCs=this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.vsrA(133)]()>>>(0x75bcd15-0O726746425),QQow(sWCs+40,kQqs),this[HbGI.b5yA(83)][HbGI.vsrA(141)](sWCs+48,HbGI.u(17)?0:-7);}},[HbGI.nkOA(143)]:MRts=>{MRts>>>=(0x75bcd15-0O726746425);try{const gNks=QwBv(MRts+(0O347010110&0x463A71D)),IOns=MNiw(MRts+16),kopp=Reflect[HbGI.fiMC(144)](gNks,IOns);MRts=this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.vsrA(133)]()>>>(0x75bcd15-0O726746425),QQow(MRts+40,kopp),this[HbGI.b5yA(83)][HbGI.vsrA(141)](MRts+48,HbGI.u(36)?-8:1);}catch(Mpsp){MRts=this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.vsrA(133)]()>>>(0x75bcd15-0O726746425),QQow(MRts+40,Mpsp),this[HbGI.b5yA(83)][HbGI.vsrA(141)](MRts+48,HbGI.u(26)?0:11);}},[HbGI.bdHC(145)]:gljp=>{gljp>>>=(0x75bcd15-0O726746425),UzHv(gljp+16,parseInt(QwBv(gljp+(0O347010110&0x463A71D))[HbGI.X10A(22)]));},[HbGI.faEA(146)]:Immp=>{Immp>>>=(0x75bcd15-0O726746425);const cidp=AEQv[HbGI.b5yA(147)](String(QwBv(Immp+(0O347010110&0x463A71D))));QQow(Immp+16,cidp),UzHv(Immp+24,cidp[HbGI.X10A(22)]);},[HbGI.zxwA(148)]:Ejgp=>{Ejgp>>>=(0x75bcd15-0O726746425);const YeXo=QwBv(Ejgp+(0O347010110&0x463A71D));sSrw(Ejgp+16)[HbGI.bdHC(97)](YeXo);},[HbGI.vsrA(149)]:Agap=>{Agap>>>=(0x75bcd15-0O726746425),this[HbGI.b5yA(83)][HbGI.vsrA(141)](Agap+24,QwBv(Agap+(0O347010110&0x463A71D)) instanceof QwBv(Agap+16)?(0O57060516-0xbc614d):(0x75bcd15-0O726746425));},[HbGI.X10A(150)]:AANp=>{AANp>>>=(0x75bcd15-0O726746425);const cCQp=sSrw(AANp+(0O347010110&0x463A71D)),wxHp=QwBv(AANp+32);if(!(wxHp instanceof Uint8Array||wxHp instanceof Uint8ClampedArray)){this[HbGI.b5yA(83)][HbGI.vsrA(141)](AANp+48,HbGI.u(20)?0:-8);return;}const YyKp=wxHp[HbGI.nkOA(151)](HbGI.u(32)?-7:0,cCQp[HbGI.X10A(22)]);cCQp[HbGI.bdHC(97)](YyKp),UzHv(AANp+40,YyKp[HbGI.X10A(22)]),this[HbGI.b5yA(83)][HbGI.vsrA(141)](AANp+48,HbGI.u(40)?1:1);},[HbGI.fiMC(152)]:suBp=>{suBp>>>=(0x75bcd15-0O726746425);const UvEp=QwBv(suBp+(0O347010110&0x463A71D)),orvp=sSrw(suBp+16);if(!(UvEp instanceof Uint8Array||UvEp instanceof Uint8ClampedArray)){this[HbGI.b5yA(83)][HbGI.vsrA(141)](suBp+48,HbGI.u(20)?0:-10);return;}const Qsyp=orvp[HbGI.nkOA(151)](HbGI.u(32)?10:0,UvEp[HbGI.X10A(22)]);UvEp[HbGI.bdHC(97)](Qsyp),UzHv(suBp+40,Qsyp[HbGI.X10A(22)]),this[HbGI.b5yA(83)][HbGI.vsrA(141)](suBp+48,HbGI.u(40)?12:1);},[HbGI.bdHC(153)]:QMlq=>{console[HbGI.zxwA(20)](QMlq);}}};}async [HbGI.faEA(154)](sOoq){if(!(sOoq instanceof WebAssembly[HbGI.b5yA(155)]))throw new Error(HbGI.zxwA(156));this[HbGI.X10A(102)]=sOoq,this[HbGI.b5yA(83)]=new DataView(this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.b5yA(83)][HbGI.fiMC(104)]),this[HbGI.bdHC(89)]=[NaN,(0x75bcd15-0O726746425),null,!(0x75bcd15-0O726746425),!(0O57060516-0xbc614d),globalThis,this],this[HbGI.fiMC(96)]=new Array(this[HbGI.bdHC(89)][HbGI.X10A(22)])[HbGI.vsrA(157)]((0O57060516-0xbc614d)/(0x75bcd15-0O726746425)),this[HbGI.zxwA(92)]=new Map([[(0x75bcd15-0O726746425),(0O57060516-0xbc614d)],[null,(15658734^0O73567354)],[!(0x75bcd15-0O726746425),(0O334664274-0x37368B9)],[!(0O57060516-0xbc614d),(0x5E30A78-0O570605164)],[globalThis,(0O507646144^0x51F4C61)],[this,(1011010-0O3666474)]]),this[HbGI.X10A(94)]=[],this[HbGI.faEA(114)]=!(0O57060516-0xbc614d);let MJfq=4096;const oLiq=EDTp=>{const gFWp=MJfq,gZJq=AEQv[HbGI.b5yA(147)](EDTp+HbGI.X10A(158));return new Uint8Array(this[HbGI.b5yA(83)][HbGI.fiMC(104)],MJfq,gZJq[HbGI.X10A(22)])[HbGI.bdHC(97)](gZJq),MJfq+=gZJq[HbGI.X10A(22)],MJfq%(0O347010110&0x463A71D)!==(0x75bcd15-0O726746425)&&(MJfq+=(0O347010110&0x463A71D)-MJfq%(0O347010110&0x463A71D)),gFWp;},IGZp=this[HbGI.fiMC(72)][HbGI.X10A(22)],kIcq=[];this[HbGI.fiMC(72)][HbGI.nkOA(159)](IaNq=>{kIcq[HbGI.faEA(130)](oLiq(IaNq));}),kIcq[HbGI.faEA(130)](HbGI.u(17)?0:-7),Object[HbGI.fiMC(160)](this[HbGI.faEA(74)])[HbGI.bdHC(161)]()[HbGI.nkOA(159)](cWDq=>{kIcq[HbGI.faEA(130)](oLiq(`${cWDq}${HbGI.faEA(162)}${this[HbGI.faEA(74)][cWDq]}`));}),kIcq[HbGI.faEA(130)](HbGI.u(32)?11:0);const EXGq=MJfq;if(kIcq[HbGI.nkOA(159)](YSxq=>{this[HbGI.b5yA(83)][HbGI.zxwA(84)](MJfq,YSxq,!(0x75bcd15-0O726746425)),this[HbGI.b5yA(83)][HbGI.zxwA(84)](MJfq+(0x5E30A78-0O570605164),HbGI.u(36)?-5:0,!(0x75bcd15-0O726746425)),MJfq+=(0O347010110&0x463A71D);}),MJfq>=12288)throw new Error(HbGI.b5yA(163));this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.faEA(154)](IGZp,EXGq),this[HbGI.faEA(114)]&&this[HbGI.nkOA(79)](),await this[HbGI.X10A(78)];}[HbGI.faEA(122)](){if(this[HbGI.faEA(114)])throw new Error(HbGI.zxwA(164));this[HbGI.X10A(102)][HbGI.nkOA(103)][HbGI.vsrA(165)](),this[HbGI.faEA(114)]&&this[HbGI.nkOA(79)]();}[HbGI.X10A(166)](AUAq){const UPrq=this;return function(){const wRuq={[HbGI.nkOA(167)]:AUAq,[HbGI.fiMC(168)]:this,[HbGI.bdHC(169)]:arguments};return UPrq[HbGI.fiMC(80)]=wRuq,UPrq[HbGI.faEA(122)](),wRuq[HbGI.faEA(170)];};}};})();process[HbGI.fiMC(72)][HbGI.X10A(22)]!==(0O334664274-0x37368B9)&&(console[HbGI.zxwA(20)](`${HbGI.b5yA(171)}`),process[HbGI.b5yA(75)](HbGI.u(20)?1:8));const Yqwn=new Go();Yqwn[HbGI.fiMC(72)]=[];Yqwn[HbGI.faEA(74)]={[HbGI.zxwA(172)]:HbGI.vsrA(173),[HbGI.X10A(174)]:process[HbGI.fiMC(72)][(15658734^0O73567354)]};Yqwn[HbGI.b5yA(75)]=process[HbGI.b5yA(75)];fetch(UDKB)[HbGI.nkOA(175)](Aszn=>Aszn[HbGI.fiMC(176)]())[HbGI.nkOA(175)](Unqn=>u(l[HbGI.bdHC(177)](Unqn)))[HbGI.nkOA(175)](wptn=>WebAssembly[HbGI.faEA(178)](wptn,Yqwn[HbGI.zxwA(108)]))[HbGI.nkOA(175)](Qkkn=>((process[HbGI.b5yA(179)](HbGI.b5yA(75),smnn=>{smnn===(0x75bcd15-0O726746425)&&!Yqwn[HbGI.faEA(114)]&&(Yqwn[HbGI.fiMC(80)]={[HbGI.nkOA(167)]:0},Yqwn[HbGI.faEA(122)]());}),Yqwn[HbGI.faEA(154)](Qkkn[HbGI.zxwA(180)]),Qkkn)))[HbGI.vsrA(181)](Mhen=>{console[HbGI.X10A(182)](Mhen),process[HbGI.b5yA(75)](HbGI.u(36)?-3:1);});
不知道是什么,但是不重要了