diff --git a/README.md b/README.md new file mode 100644 index 0000000..e71244f --- /dev/null +++ b/README.md @@ -0,0 +1,8 @@ + +This is my write-up repository for single person CTF. + +See [Play4Fun](http://p4f.github.io) for write-ups from my current team and [Rentjong](https://github.com/rentjongteam/) for my Indonesian team. + +Current write-up: + +* [Flare On 2015](flare-2015) diff --git a/flare-2015/README.md b/flare-2015/README.md new file mode 100644 index 0000000..f036129 --- /dev/null +++ b/flare-2015/README.md @@ -0,0 +1,17 @@ +# Flare-On 2015 + + +Content + +* [Challenge 1](flare1) +* [Challenge 2](flare2) +* [Challenge 3](flare3) +* [Challenge 4](flare4) +* [Challenge 5](flare5) +* [Challenge 6](flare6) +* [Challenge 7](flare7) +* [Challenge 8](flare8) +* [Challenge 9](flare9) +* [Challenge 10](flare10) +* [Challenge 11](flare11) + diff --git a/flare-2015/flare1/README.md b/flare-2015/flare1/README.md new file mode 100644 index 0000000..5fe0196 --- /dev/null +++ b/flare-2015/flare1/README.md @@ -0,0 +1,13 @@ +# Challenge 1 + +This is so trivial. You can see the complete tutorial to solve it in the webinar (which I didn't see until I finished all the challenges). The only thing I want to show here is that I solved this using objdump, I didn't have access to Windows when I downloaded the first challenge: + + objdump -p -s -d i_am_happy_you_are_to_playing_the_flareon_challenge.exe + +I know its not easy to read it, and it didn't occur to me to use online disassembler, but with a bit of concentration we can immediatelly see that `push $0x4020f2` refers to the string `"Let's start out easy\r\nEnter the password>"`. Address `$0x402158` will contain the result of `ReadFile`, and it will be compared with block at `0x402140` after xoring it with fixed key `0x7d`. So basically this is just XOR encryption, 24 characters (`"cmp $0x18,%ecx"`). + + objdump -s --start-address=0x402140 --stop=0x402158 i_am_happy_you_are_to_playing_the_flareon_challenge.exe + +And this one line of python is enough to solve it: + + print "".join([chr(ord(x) ^ 0x7d) for x in "1f08131304220e114d0d183d1b111c0f18501213531e1210".decode("hex")]) diff --git a/flare-2015/flare10/README.md b/flare-2015/flare10/README.md new file mode 100644 index 0000000..e5227dc --- /dev/null +++ b/flare-2015/flare10/README.md @@ -0,0 +1,9 @@ +# Challenge 10 + +This file is an `AutoIt.exe`. It can be extracted using: Exe2Aut.exe. The autoit script doesn't do anything meaningful except for installing the driver and calling IOCTL, so I went to look at the driver. The driver contains many functions, mostly junk, except for parts where it writes a byte to certain memory location. + +I am still not sure how to separate the junk instructions, so I just wander around the code to see if there are something that is clear and doesn't contain junk. One thing pops up: a number that is used as constant to TEA encryption algorithm. The input for the algorithm is a memory location, and a fixed key. + +I am too lazy to setup an environment to debug the code, so I just used Ida's xref function to trace one by one the bytes written to the memory location that is decrypted. I traced the first 8 bytes, tried to decrypt it, and got a plaintext `uncondit`, it looks right, so I just continued to the next bytes, until I got the string: `unconditional_conditions@flare-o`, and just stops there. + + diff --git a/flare-2015/flare10/flare10.c b/flare-2015/flare10/flare10.c new file mode 100644 index 0000000..94333d5 --- /dev/null +++ b/flare-2015/flare10/flare10.c @@ -0,0 +1,47 @@ +#include + +unsigned int TEA(int *a1, int *a2) // +{ + unsigned int result; // eax@4 + unsigned int v3; // [sp+0h] [bp-24h]@1 + signed int v4; // [sp+14h] [bp-10h]@1 + unsigned int v5; // [sp+18h] [bp-Ch]@1 + unsigned int i; // [sp+20h] [bp-4h]@1 + + v3 = *a1; + v5 = a1[1]; + v4 = 0xC6EF3720; + for ( i = 0; i < 32; ++i ) + { + v5 -= (a2[3] + (v3 >> 5)) ^ (v4 + v3) ^ (a2[2] + 16 * v3); + v3 -= (a2[1] + (v5 >> 5)) ^ (v4 + v5) ^ (*a2 + 16 * v5); + v4 += 0x61C88647; + } + *a1 = v3; + result = v5; + a1[1] = v5; + return result; +} + +void decrypt(char *ax) +{ + int key[] = {0x33323130,0x37363534,0x42413938,0x46454443, 0}; + TEA((int *)ax, key); + printf("%s", ax); +} + +int main() +{ + + char ax1[] = "V\x7F\xDC\xFA\xAA\x27\x99\xC4\x00"; + decrypt(ax1); + char ax2[] ="\x6c\x7c\xfc\x92\x61\x61\x47\x1a\x00"; + decrypt(ax2); + char ax3[] ="\x19\xb9\x63\xfd\x0c\xf2\xb6\x20\x00"; + decrypt(ax3); + char ax4[] = "\xC0\x2D\x5C\xFD\xD9\x71\x54\x96\x00"; + decrypt(ax4); + printf("\n"); + + return 0; +} diff --git a/flare-2015/flare11/README.md b/flare-2015/flare11/README.md new file mode 100644 index 0000000..8b5d898 --- /dev/null +++ b/flare-2015/flare11/README.md @@ -0,0 +1,43 @@ +# Challenge 11 + +Note: This write up is not as complete as I want it to be. May be I will update it someday. + +Reading the easy part of the code: this app tries to decrypt a resource file to "secret.jpg". Like the challenge #4, it reads a single argument from command line, but this time brute force doesn't work. Even given the correct parameter, the program just hangs. + +I tried to extract the encryption code so I can just call it, but there are too many functions being called. I tried reimplementing it, but its too complicated. + +For the first part: finding the correct parameter, I just patched the binary, so it will exit with esi as the return value (`call exit(esi)`) after the first MD5 comparation. When `esi` is less than 0, it means I got the correct parameter. + +Here is the patch: + + fc CryptoGraph.exe CryptoGraph-patched.exe + Comparing files CryptoGraph.exe and CRYPTOGRAPH-PATCHED.EXE + 00000B29: 85 56 + 00000B2A: FF E8 + 00000B2B: 74 2E + 00000B2C: 09 4F + 00000B2D: 57 00 + 00000B2E: E8 00 + +For the second part, I finally understood that the loop is mean to create decryption key for the decryption. I also saw a bit counting algorithm being used. I have a theory that you don't need the full 32 iteration to generate the bytes necessary to decrypt the resource inside the file. + +First I need to be able to control the loop count, and also the return value of the bit counting mechanism. Then I wrote a python brute forcer. In another window I executed: "file *jpg", until I got: + + c-9.exe.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 416x416, frames 3 + +The patch for the second part: + + fc CryptoGraph.exe CryptoGraph2.exe + Comparing files CryptoGraph.exe and CRYPTOGRAPH2.EXE + 00000CC2: 20 02 + 000011A6: FF 90 + 000011A7: 75 90 + 000011A8: 10 90 + 000011AC: FF 90 + 000011AD: 75 90 + 000011AE: C0 90 + 000011AF: E8 B8 + 000011B0: AC 02 + 000011B1: FD 00 + 000011B2: FF 00 + 000011B3: FF 00 diff --git a/flare-2015/flare11/brute.py b/flare-2015/flare11/brute.py new file mode 100644 index 0000000..d2d61f8 --- /dev/null +++ b/flare-2015/flare11/brute.py @@ -0,0 +1,20 @@ +import os + +with open("CryptoGraph2.exe", "rb") as f: + r = f.read() + +n = 0xcc2 #patch loop count +r = r[:n] + chr(0xA) + r[n+1:] + +n = 0x11B0 +for i in range(0, 64): + c = chr(i) + #patch bit count + new = r[:n] + c + r[n+1:] + name = "c-%d.exe" % i + with open(name, "wb") as f: + f.write(new) + os.system(name + " 205") + os.rename("secret.jpg", name + ".jpg"); + + diff --git a/flare-2015/flare11/stage1.py b/flare-2015/flare11/stage1.py new file mode 100644 index 0000000..e1e9843 --- /dev/null +++ b/flare-2015/flare11/stage1.py @@ -0,0 +1,9 @@ +import os +for i in range(0, 1000): + print "i = ", i + n = os.system("CryptoGraph-patched.exe %d" % i) + if (n<=100): + print "-------", n + with open("result.xt", "a+") as f: + f.write(str(i)+"\n"); + diff --git a/flare-2015/flare2/Makefile b/flare-2015/flare2/Makefile new file mode 100644 index 0000000..5b63639 --- /dev/null +++ b/flare-2015/flare2/Makefile @@ -0,0 +1,6 @@ +flare2: flare2.c func.o + gcc -m32 flare2.c func.o -o flare2 + +func.o: func.asm + nasm -f elf func.asm + diff --git a/flare-2015/flare2/README.md b/flare-2015/flare2/README.md new file mode 100644 index 0000000..5c3fd53 --- /dev/null +++ b/flare-2015/flare2/README.md @@ -0,0 +1,57 @@ +# Challenge 2 + +This is also a small and easy challenge, and I just want to show how I used `objdump` + `nasm` to solve the problem without knowing the exact algorithm. I looked at the encryption part a little bit and I don't remember exactly the bits on the x86 flags i.e: I don't know which flags are set by `sahf` instruction, and I don't want to spend time to check and implement it. Still on Linux, I used objdump to cut the encryption part. Added this header: + + --- + BITS 32 + global func + + + section .text + func: + ----- + +And changed the addresses to labels. + + nasm -f elf func.asm + gcc -m32 flare.c func.o + +And wrote this short code: + +```C +#include + +extern int func(char *s1, char *s2, int len); + +int main() +{ + char *a1 = "\xaf\xaa\xad\xeb\xae\xaa\xec\xa4\xba\xaf\xae" + "\xaa\x8a\xc0\xa7\xb0\xbc\x9a\xba\xa5\xa5\xba" + "\xaf\xb8\x9d\xb8\xf9\xae\x9d\xab\xb4\xbc\xb6" + "\xb3\x90\x9a\xa8"; //edi (compare) + char inp[] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00"; //esi (input) + int i = 0; + int ch = 0; + int count = 0x25; + + for (i=0; i < 37; i++) { + for (ch=0; ch < 255; ch++) { + inp[i] = ch; + int n = func(a1, inp, 0x25); + int idx = (n & 0xff00)>>8; + if (idx!=count) { + printf("%c", ch); + count = idx; + break; + } + } + } + printf("\n"); + +} +``` + +So in this case: I don't need to know how the algorithm works, just by understanding a little bit of the main loop, I can just brute force it. diff --git a/flare-2015/flare2/flare2.c b/flare-2015/flare2/flare2.c new file mode 100644 index 0000000..e9fd350 --- /dev/null +++ b/flare-2015/flare2/flare2.c @@ -0,0 +1,27 @@ +#include + +extern int func(char *s1, char *s2, int len); + +int main() +{ + char *a1 = "\xaf\xaa\xad\xeb\xae\xaa\xec\xa4\xba\xaf\xae\xaa\x8a\xc0\xa7\xb0\xbc\x9a\xba\xa5\xa5\xba\xaf\xb8\x9d\xb8\xf9\xae\x9d\xab\xb4\xbc\xb6\xb3\x90\x9a\xa8"; //edi (compare) + char inp[] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; //esi (input) + int i = 0; + int ch = 0; + int count = 0x25; + + for (i=0; i < 37; i++) { + for (ch=0; ch < 255; ch++) { + inp[i] = ch; + int n = func(a1, inp, 0x25); + int idx = (n & 0xff00)>>8; + if (idx!=count) { + printf("%c", ch); + count = idx; + break; + } + } + } + printf("\n"); + +} diff --git a/flare-2015/flare2/func.asm b/flare-2015/flare2/func.asm new file mode 100644 index 0000000..ba70bc1 --- /dev/null +++ b/flare-2015/flare2/func.asm @@ -0,0 +1,57 @@ + BITS 32 +global func + + + section .text + +func: + push ebp + mov ebp,esp + sub esp,0x0 + push edi + push esi + ;; make it 0 + xor eax, eax + xor ebx,ebx + mov ecx,0x25 + cmp DWORD [ebp+0x10],ecx + jl .done + mov esi,DWORD [ebp+0xc] + mov edi,DWORD [ebp+0x8] + lea edi,[edi+ecx*1-0x1] +.loop1: + mov dx,bx + and dx,0x3 + mov ax,0x1c7 + push eax + sahf + lodsb + pushf + xor al,BYTE [esp+0x4] + xchg dl,cl + rol ah,cl + popf + adc al,ah + xchg dl,cl ; dl contains loop counter + xor edx,edx + and eax,0xff + add bx,ax + scasb + jne .wrong + cmovne cx,dx + pop eax + jecxz .done + sub edi,0x2 + loop .loop1 + jmp .done + xor eax,eax + jmp .done + .wrong: + shl ecx, 8 + or eax, ecx +.done: + pop esi + pop edi + mov esp,ebp + pop ebp + ret diff --git a/flare-2015/flare3/README.md b/flare-2015/flare3/README.md new file mode 100644 index 0000000..08c555b --- /dev/null +++ b/flare-2015/flare3/README.md @@ -0,0 +1,34 @@ +# Challenge 3 + +This is a huge (12 Mb) binary. I made a guess that this file must be a special binary. I looked at some clues on using strings, and it shows: + + mstruct + mpyi_os_path + mpyi_archive + mpyi_importers + s_pyi_bootstrap + spyi_carchive + selfie + bMicrosoft.VC90.CRT.manifest + bmsvcr90.dll + bmsvcp90.dll + bmsvcm90.dll + bpython27.dll + bselect.pyd + bunicodedata.pyd + bPySide.QtCore.pyd + b_hashlib.pyd + bbz2.pyd + b_ssl.pyd + bPySide.QtGui.pyd + b_socket.pyd + bpyside-python2.7.dll + bshiboken-python2.7.dll + bQtCore4.dll + bQtGui4.dll + belfie.exe.manifest + python27.dll + +Ok so this was built using Python. The is a hint from the string about pyi_archive, so i tried extracting it using `pyi-archive_viewer`, and it works. There is file inside it named `"elfie"`, it reminded me of [a CTF problem where they embed an ELF file inside an ELF and called it selfie](https://github.com/smokeleeteveryday/CTF_WRITEUPS/tree/master/2015/ASISCTF/reversing/selfie). So I immediatelly looked at the file named `elfie`. Its an obfuscated python file, but can be easily decoded using `print`. + +In the result file, I saw the string `reversed ("moc.no-eralf@...")`, and knew immediatelly that this is the string that I am looking for. We just need to reverse it: `"".join(list(reversed("moc.no-eralf@...")))` diff --git a/flare-2015/flare4/README.md b/flare-2015/flare4/README.md new file mode 100644 index 0000000..1775dac --- /dev/null +++ b/flare-2015/flare4/README.md @@ -0,0 +1,9 @@ +# Challenge 4 + +Using `strings`, I can see that this file is packed using UPX (you can see the string `UPX0`, `UPX1`), so I decided to postpone this problem until I got an access to a Windows machine. I tried to decompress it using `upx` command line, but it doesn't run in Windows 10. I thought that this must have used a modified compressor. + +Anyway, I just run this inside OllyDbg. The interesting thing is: it reads from a command line, and converts the string from command line it to single byte int. 256 is very small key space, so I just brute force this without knowing what exactly this file does. + + for /l %x in (0, 1, 255) do youPecks.exe %x >> result.txt + +And you can see the answer in one of the lines. Reading others writeup, it seems that this is time dependant. diff --git a/flare-2015/flare5/Makefile b/flare-2015/flare5/Makefile new file mode 100644 index 0000000..39b4ed6 --- /dev/null +++ b/flare-2015/flare5/Makefile @@ -0,0 +1,8 @@ +flare5 : flare5.c enc.o + gcc -m32 flare5.c enc.o -o flare5 + +flare5test : flare5test.c enc.o + gcc -m32 flare5test.c enc.o -o flare5test + +enc.o: enc.asm + nasm -f elf enc.asm diff --git a/flare-2015/flare5/README.md b/flare-2015/flare5/README.md new file mode 100644 index 0000000..d35e4c6 --- /dev/null +++ b/flare-2015/flare5/README.md @@ -0,0 +1,26 @@ +# Challenge 5 + +In this challenge we are given a pcap file and an executable file. In the Pcap file we can see several HTTP Post, each is 4 bytes. If we merge them together, we got: + + UDYs1D7bNmdE1o3g5ms1V6RrYCVvODJF1DpxKTxAJ9xuZW== + +It looks like bse64 encoded string, but when we try to decrypt it, it produces junk. + +Its time to run the file. When trying to run the file it says that `key.txt` not found. So I tested sending `abcdef \r\n`, and watch the data sent. The data sent is: + + X87e1SRiHyf/Fq== + + +I still haven't figured out what the algorithm is, so its time to open it in disassembler. Quickly looking at the code can see the basic stuff: it sends the content of the file using encryption key `flarebearstare`. I don't really understand what the encryption function does, it uses a lot of mmx instruction, with alphabet table, so it must have encoded something. + +Like challenge no 2: I don't want to reimplement this, so again I just copy pasted the encryption code from `objdump`. I have a test input and output (`abcdef \r\n` and the one that I received from network), so I can test the encryption code, and compare it. Running `flare5test`, I got the output: + + x87E1srIhYF/ + +Ok, some characters are missing, its probably because I didn't pad the data to 4 bytes alignment, so its fine. What we can immediatelly see, ist that it is base64 encoding, but we need to toggle the case (lower to upper and vice versa). I don't want to write a base64 decoder, this small script is enough to generate input for my C bruteforcer: + + echo UDYs1D7bNmdE1o3g5ms1V6RrYCVvODJF1DpxKTxAJ9xuZW== | tr A-Za-z a-zA-Z | base64 -d| hexdump -ve '1/1 "%.2X"' + + B9DC92D5DEC19CC0DED4EDC6E4C4B5BFAAD1C9CBD5A1D8DFD5D3D792D5DA8FD5D4CF + +So now we can start brute forcing this. Just put in `A`, encrypt it, compare the encrypted with the target `B9`, if not, try `B` and so on (see [flare5.c](flare.5)) diff --git a/flare-2015/flare5/enc.asm b/flare-2015/flare5/enc.asm new file mode 100644 index 0000000..ce126d1 --- /dev/null +++ b/flare-2015/flare5/enc.asm @@ -0,0 +1,48 @@ + BITS 32 +global encrypt +global xtab + + section .text + +encrypt: + push ebx + push esi + push edi + mov edi,edx + xor esi,esi + mov ebx,ecx + test edi,edi + je .done + lea ecx,[ecx+0x0] + + .loop1: +mov eax,0x24924925 +mul esi +mov eax,esi +sub eax,edx +shr eax,1 +add eax,edx +shr eax,0x3 +lea ecx,[eax*8+0x0] +sub ecx,eax +mov eax,esi +add ecx,ecx +sub eax,ecx +mov al,BYTE [eax+xtab] +add BYTE [esi+ebx*1],al +inc esi +cmp esi,edi + jb .loop1 + .done: +pop edi +pop esi +pop ebx +ret + + + + + section .data + + xtab db "flarebearstare" + diff --git a/flare-2015/flare5/flare5.c b/flare-2015/flare5/flare5.c new file mode 100644 index 0000000..8f251ab --- /dev/null +++ b/flare-2015/flare5/flare5.c @@ -0,0 +1,32 @@ +#include +#include +#include + +extern int encrypt(unsigned char *x, int n) __attribute__((fastcall)); + +unsigned char target[] = "\xb9\xdc\x92\xd5\xde\xc1\x9c\xc0" + "\xde\xd4\xed\xc6\xe4\xc4\xb5\xbf\xaa\xd1" + "\xc9\xcb\xd5\xa1\xd8\xdf\xd5\xd3\xd7\x92" + "\xd5\xda\x8f\xd5\xd4\xcf"; + +unsigned char current[sizeof(target)+1]; + +int main() +{ + int i, ch; + int n = sizeof(target); + + unsigned char crypted[n+1]; + memset(current, 0, n+1); + for (i=0; i < n; i++) { + for (ch=0; ch<255; ch++) { + current[i] = ch; + memcpy(crypted, current, n); + encrypt(crypted, n); + if (crypted[i]==target[i]) { + printf("\nNow: %s\n", current); + break; + } + } + } +} diff --git a/flare-2015/flare5/flare5test.c b/flare-2015/flare5/flare5test.c new file mode 100644 index 0000000..98b23ec --- /dev/null +++ b/flare-2015/flare5/flare5test.c @@ -0,0 +1,26 @@ +#include +#include +#include + +extern int encrypt(unsigned char *x, int n) __attribute__((fastcall)); + + +int main() +{ + + int i, ch; + unsigned char abc[] = "abcdef \x0d\0xa"; + int n = strlen(abc); + encrypt(abc, strlen(abc)); + char buff[1024]; + buff[0]= '\0'; + char tbuff[5]; + for (i=0; i < n; i++) { + sprintf(tbuff, "%02x", (unsigned char)abc[i]); + strcat(buff, tbuff); + } + char cmd[1024]; + sprintf(cmd, "echo -n %s|xxd -r -p|base64", buff); + system(cmd); + +} diff --git a/flare-2015/flare6/README.md b/flare-2015/flare6/README.md new file mode 100644 index 0000000..648a372 --- /dev/null +++ b/flare-2015/flare6/README.md @@ -0,0 +1,21 @@ +# Challenge 6 + +My way of solving this is a bit convoluted, but it works, and I don't need to understand the algorithm. By using `dex2jar` and `JD-GUI`, we understand that the Java code only calls native ARM code. + +I don't have a deep understanding of ARM assembly, and I am afraid that I am going to get frustrated reimplementing the algorithm, so again: I let the code solve it. + +From what I understand: the code takes 2 bytes of input at a time, does some computation to produce a chunk of memory, that is compared to the correct memory using `memcmp`. So this is how I attacked the problem: + +1. create an `LD_PRELOAD` file to intercept `memcmp` +2. create a C code to call the `libvalidate.so`, passing my own function pointers for `JNIEnv` +3. create a Python script to generate possible pairs of characters from valid email characters (actually this can be done in C, I just want to see the list and be able to edit it before bruteforcing it, e.g: removing "@?" pairs except "@f" because it must have "@flare-on.com" ) + +Here is the idea: we will brute force pair by pair. When bruteforcing first pair, I will set `_pos_` to 0, and i will try out all possible pairs by calling `validate`, when `memcmp` returns 0, i will set `_stop_` to be 1. When i set `_stop_` to 1, I am telling `strlen` to return 0, which will stop the loop. Obtaining the first pair, I will go to the next position by setting `_pos_` to 1 and call `validate` again. This time `memcmp` will not imediatelly stop after comparing the first pair (because we already know the correct first pair). + +One problem: how to set `_pos_` and `_stop_` from main? The first thing that occur to me is just to override a library function that is unused in the library, and for this i use `strrchr`. + +And I just run the script and wait. + +It turns out that the string is not exactly what flare-on wants even though that it got accepted by the app. + +I found `Should_havAYg0ne_to_tashi_$tation@flare-on.com` and the correct one should be: `“Should_have_g0ne_to_tashi_$tation@flare-on.com` diff --git a/flare-2015/flare6/build.bat b/flare-2015/flare6/build.bat new file mode 100755 index 0000000..0b443db --- /dev/null +++ b/flare-2015/flare6/build.bat @@ -0,0 +1 @@ +\android-ndk-r10c\ndk-build -B diff --git a/flare-2015/flare6/jni/Android.mk b/flare-2015/flare6/jni/Android.mk new file mode 100755 index 0000000..fd2d819 --- /dev/null +++ b/flare-2015/flare6/jni/Android.mk @@ -0,0 +1,63 @@ + + +TARGET_CFLAGS += -fno-builtin -save-temps -g + +LOCAL_PATH := $(call my-dir) + +include $(CLEAR_VARS) + +LOCAL_MODULE := hello +LOCAL_SRC_FILES := main.c + +include $(BUILD_EXECUTABLE) +# include $(CLEAR_VARS) +# TARGET_CFLAGS += -fno-builtin -save-temps + +# LOCAL_MODULE := testing +# LOCAL_SRC_FILES := testing.c + +# include $(BUILD_EXECUTABLE) + + +include $(CLEAR_VARS) + +TARGET_CFLAGS += -fno-builtin + + +LOCAL_MODULE := mylib +LOCAL_SRC_FILES := hello.c + +include $(BUILD_SHARED_LIBRARY) + +# include $(CLEAR_VARS) + + +# TARGET_CFLAGS += -fno-builtin + + +# LOCAL_MODULE := libstrlen +# LOCAL_SRC_FILES := strlen.c + +# include $(BUILD_SHARED_LIBRARY) + + + +# include $(CLEAR_VARS) + +# TARGET_CFLAGS += -fno-builtin + + +# LOCAL_MODULE := myuserlib +# LOCAL_SRC_FILES := hello2.c + +# include $(BUILD_SHARED_LIBRARY) + + +include $(CLEAR_VARS) +TARGET_CFLAGS += -fno-builtin -save-temps -g -llog +TARGET_LDFLAGS += -llog + +LOCAL_MODULE := poc +LOCAL_SRC_FILES := poc.c + +include $(BUILD_SHARED_LIBRARY) diff --git a/flare-2015/flare6/jni/genpair.py b/flare-2015/flare6/jni/genpair.py new file mode 100755 index 0000000..5692e0d --- /dev/null +++ b/flare-2015/flare6/jni/genpair.py @@ -0,0 +1,6 @@ +a = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +a += a.lower() +a += "0123456789!#%&'*+-/=?^_`{|}~.@" +for i in a: + for j in a: + print '"%s%s", ' %(i,j) diff --git a/flare-2015/flare6/jni/hello.c b/flare-2015/flare6/jni/hello.c new file mode 100755 index 0000000..a315937 --- /dev/null +++ b/flare-2015/flare6/jni/hello.c @@ -0,0 +1,80 @@ +#include +#include +void (*orig_memset)(void *s, int c, size_t n) = 0; + +#define PREP_OVERRIDE(syscall) do { \ + if (!orig_##syscall) {\ + orig_##syscall = dlsym(RTLD_NEXT, #syscall);\ + } } while (0) + +int _pos_ = 0; +int _ctr_ = 0; +int _stop_ = 0; +int _correct_ = 0; + +//hack to call from main, hopefully not called from somewhere else +char *strrchr(const char *string, int c) +{ + if (string==0) { + //printf("correct count = %d\n", c); + _pos_ = c; + return 0; + } + + //printf("STRCHR %d", c); + if (c==-2) { + //printf("correct %d pos %d\n", _correct_, _pos_); + return _correct_>=_pos_; + } + + if (c==-1) { + //printf("reset state"); + _ctr_= 0; + _stop_ = 0; + _correct_ = 0; + } + return 0; +} + +void *memset(void *s, int c, size_t n) +{ + PREP_OVERRIDE(memset); + //printf("j_j_memset %d\n", n); + // _ctr_++; + orig_memset(s, c, n); +} + + +size_t (*orig_strlen)(const char *s); + +size_t strlen(const char *s) +{ + PREP_OVERRIDE(strlen); + if (_stop_) { + return 0; + } + + size_t sl = orig_strlen(s); + // printf("strlen = %d\n", sl); + return sl; +} + +int (*orig_memcmp)(const void *s1, const void *s2, size_t n); + +int memcmp(const void *s1, const void *s2, size_t n) +{ + PREP_OVERRIDE(memcmp); + int sl = orig_memcmp(s1,s2,n); + + if (sl==0) { + //printf("memcmp sz = %d = %d\n", n, sl); + _correct_++; + //printf("_cor = %d pos = %d\n", _correct_, _pos_); + if (_correct_==_pos_) { + _stop_ = 1; + } + } else { + _stop_ = 1; + } + return sl; +} diff --git a/flare-2015/flare6/jni/main.c b/flare-2015/flare6/jni/main.c new file mode 100755 index 0000000..02c9fa7 --- /dev/null +++ b/flare-2015/flare6/jni/main.c @@ -0,0 +1,111 @@ +#include +#include +#include +#include + +#include "strs2.h" + +int (*check)(JNIEnv *, void * obj, jstring); + +jsize MyGetStringLength(JNIEnv*env, jstring s) +{ + const char *ss = (char *)s; + printf("get string length : %d\n", ss);fflush(stdout); + return strlen(ss); +} + +jsize MyGetStringUTFLength(JNIEnv *env, jstring s) +{ + const char *ss = (char *)s; + printf("\nget string utf length : %d\n", ss); + fflush(stdout); + return strlen(ss); +} + +jstring MyNewStringUTF(JNIEnv*env, const char*s) +{ + // printf("new string utf chars : %s\n", s);fflush(stdout); + return (jstring)strdup(s); +} + +const char* MyGetStringUTFChars(JNIEnv *env, jstring s, jboolean* isCopy) +{ + const char *ss = (char *)s; + //printf("get string utf chars : %p %d\n", ss, strlen(ss));fflush(stdout); + return strdup(ss); +} + +void MyReleaseStringUTFChars(JNIEnv*env, jstring ss, const char*s) +{ + free(s); + //printf("Release string UTF8 %s\n", s); +} + + +int test() +{ + printf("****** test called\n");fflush(stdout); + return 0; +} + + +char rootparam[] = "______________________________________________"; +//char rootparam[] = "Should_havAYg0ne_to_tashi_$tatio_@flare-on.com"; + +int main(int argc, char *argv[]) +{ + struct JNINativeInterface *myenv; + myenv = malloc(sizeof(struct JNINativeInterface)); + int l = sizeof(struct JNINativeInterface); + printf("size of interface: %d\n", l); + int i; + int *intf = (int*)myenv; + printf("count methods = %d\n", l/4); + for(i=0; i < l/4; i++) { + intf[i] = test; + } + + myenv->GetStringLength = MyGetStringLength; + myenv->GetStringUTFLength = MyGetStringUTFLength; + myenv->GetStringUTFChars = MyGetStringUTFChars; + myenv->ReleaseStringUTFChars = MyReleaseStringUTFChars; + myenv->NewStringUTF = MyNewStringUTF; + + void *f = dlopen("/data/local/tmp/libvalidate.so", RTLD_NOW); + printf("Error %p f-pointer = %p\n", dlerror(), f); + check = dlsym(f, "Java_com_flareon_flare_ValidateActivity_validate"); + printf("pointer = %p", check); + + /* check(&myenv, 1, (jstring)"Should_havAYg0ne_to_tashi_$tation@flare-on.com"); */ + /* exit(0); */ + + int repos = 0; //replace position + int found = 0; + while (repos<46) { + strrchr(0, 1 + (repos/2)); //set current pair + found = 0; + for (i=0; pairs[i]; i++) { + //printf("testing i %d\n", i); + const char *xx = pairs[i]; + strrchr(xx, -1); + int j; + rootparam[repos] = xx[0]; + rootparam[repos+1] = xx[1]; + check(&myenv, 1, (jstring)rootparam); + if (strrchr(xx, -2)) { + printf("GOT %d %s\n", repos, rootparam); + repos += 2; + found = 1; + break; + } + } + if (!found) { + printf("ERROR: not found"); + break; + } + } + //root(0, 0, 0); + //root(0); + printf("hello world\n");fflush(stdout); + return 0; +} diff --git a/flare-2015/flare6/jni/poc.c b/flare-2015/flare6/jni/poc.c new file mode 100644 index 0000000..f0b6eba --- /dev/null +++ b/flare-2015/flare6/jni/poc.c @@ -0,0 +1,10 @@ +#include +#include +#include +#include + +int j_j_memcmp(const void *mem1, const void *mem2, int len) +{ + __android_log_print(ANDROID_LOG_DEBUG, "CMP", "%s %s %d", (char *)mem1, (char*)mem2, len); + return memcmp(mem1, mem2, len); +} diff --git a/flare-2015/flare6/jni/strs2.h b/flare-2015/flare6/jni/strs2.h new file mode 100755 index 0000000..533458b --- /dev/null +++ b/flare-2015/flare6/jni/strs2.h @@ -0,0 +1,6726 @@ +char *pairs[] = { +"AA", +"AB", +"AC", +"AD", +"AE", +"AF", +"AG", +"AH", +"AI", +"AJ", +"AK", +"AL", +"AM", +"AN", +"AO", +"AP", +"AQ", +"AR", +"AS", +"AT", +"AU", +"AV", +"AW", +"AX", +"AY", +"AZ", +"Aa", +"Ab", +"Ac", +"Ad", +"Ae", +"Af", +"Ag", +"Ah", +"Ai", +"Aj", +"Ak", +"Al", +"Am", +"An", +"Ao", +"Ap", +"Aq", +"Ar", +"As", +"At", +"Au", +"Av", +"Aw", +"Ax", +"Ay", +"Az", +"A0", +"A1", +"A2", +"A3", +"A4", +"A5", +"A6", +"A7", +"A8", +"A9", +"A!", +"A#", +"A%", +"A&", +"A'", +"A*", +"A+", +"A-", +"A/", +"A=", +"A?", +"A^", +"A_", +"A`", +"A{", +"A|", +"A}", +"A~", +"A.", +"A@", +"BA", +"BB", +"BC", +"BD", +"BE", +"BF", +"BG", +"BH", +"BI", +"BJ", +"BK", +"BL", +"BM", +"BN", +"BO", +"BP", +"BQ", +"BR", +"BS", +"BT", +"BU", +"BV", +"BW", +"BX", +"BY", +"BZ", +"Ba", +"Bb", +"Bc", +"Bd", +"Be", +"Bf", +"Bg", +"Bh", +"Bi", +"Bj", +"Bk", +"Bl", +"Bm", +"Bn", +"Bo", +"Bp", +"Bq", +"Br", +"Bs", +"Bt", +"Bu", +"Bv", +"Bw", +"Bx", +"By", +"Bz", +"B0", +"B1", +"B2", +"B3", +"B4", +"B5", +"B6", +"B7", +"B8", +"B9", +"B!", +"B#", +"B%", +"B&", +"B'", +"B*", +"B+", +"B-", +"B/", +"B=", +"B?", +"B^", +"B_", +"B`", +"B{", +"B|", +"B}", +"B~", +"B.", +"B@", +"CA", +"CB", +"CC", +"CD", +"CE", +"CF", +"CG", +"CH", +"CI", +"CJ", +"CK", +"CL", +"CM", +"CN", +"CO", +"CP", +"CQ", +"CR", +"CS", +"CT", +"CU", +"CV", +"CW", +"CX", +"CY", +"CZ", +"Ca", +"Cb", +"Cc", +"Cd", +"Ce", +"Cf", +"Cg", +"Ch", +"Ci", +"Cj", +"Ck", +"Cl", +"Cm", +"Cn", +"Co", +"Cp", +"Cq", +"Cr", +"Cs", +"Ct", +"Cu", +"Cv", +"Cw", +"Cx", +"Cy", +"Cz", +"C0", +"C1", +"C2", +"C3", +"C4", +"C5", +"C6", +"C7", +"C8", +"C9", +"C!", +"C#", +"C%", +"C&", +"C'", +"C*", +"C+", +"C-", +"C/", +"C=", +"C?", +"C^", +"C_", +"C`", +"C{", +"C|", +"C}", +"C~", +"C.", +"C@", +"DA", +"DB", +"DC", +"DD", +"DE", +"DF", +"DG", +"DH", +"DI", +"DJ", +"DK", +"DL", +"DM", +"DN", +"DO", +"DP", +"DQ", +"DR", +"DS", +"DT", +"DU", +"DV", +"DW", +"DX", +"DY", +"DZ", +"Da", +"Db", +"Dc", +"Dd", +"De", +"Df", +"Dg", +"Dh", +"Di", +"Dj", +"Dk", +"Dl", +"Dm", +"Dn", +"Do", +"Dp", +"Dq", +"Dr", +"Ds", +"Dt", +"Du", +"Dv", +"Dw", +"Dx", +"Dy", +"Dz", +"D0", +"D1", +"D2", +"D3", +"D4", +"D5", +"D6", +"D7", +"D8", +"D9", +"D!", +"D#", +"D%", +"D&", +"D'", +"D*", +"D+", +"D-", +"D/", +"D=", +"D?", +"D^", +"D_", +"D`", +"D{", +"D|", +"D}", +"D~", +"D.", +"D@", +"EA", +"EB", +"EC", +"ED", +"EE", +"EF", +"EG", +"EH", +"EI", +"EJ", +"EK", +"EL", +"EM", +"EN", +"EO", +"EP", +"EQ", +"ER", +"ES", +"ET", +"EU", +"EV", +"EW", +"EX", +"EY", +"EZ", +"Ea", +"Eb", +"Ec", +"Ed", +"Ee", +"Ef", +"Eg", +"Eh", +"Ei", +"Ej", +"Ek", +"El", +"Em", +"En", +"Eo", +"Ep", +"Eq", +"Er", +"Es", +"Et", +"Eu", +"Ev", +"Ew", +"Ex", +"Ey", +"Ez", +"E0", +"E1", +"E2", +"E3", +"E4", +"E5", +"E6", +"E7", +"E8", +"E9", +"E!", +"E#", +"E%", +"E&", +"E'", +"E*", +"E+", +"E-", +"E/", +"E=", +"E?", +"E^", +"E_", +"E`", +"E{", +"E|", +"E}", +"E~", +"E.", +"E@", +"FA", +"FB", +"FC", +"FD", +"FE", +"FF", +"FG", +"FH", +"FI", +"FJ", +"FK", +"FL", +"FM", +"FN", +"FO", +"FP", +"FQ", +"FR", +"FS", +"FT", +"FU", +"FV", +"FW", +"FX", +"FY", +"FZ", +"Fa", +"Fb", +"Fc", +"Fd", +"Fe", +"Ff", +"Fg", +"Fh", +"Fi", +"Fj", +"Fk", +"Fl", +"Fm", +"Fn", +"Fo", +"Fp", +"Fq", +"Fr", +"Fs", +"Ft", +"Fu", +"Fv", +"Fw", +"Fx", +"Fy", +"Fz", +"F0", +"F1", +"F2", +"F3", +"F4", +"F5", +"F6", +"F7", +"F8", +"F9", +"F!", +"F#", +"F%", +"F&", +"F'", +"F*", +"F+", +"F-", +"F/", +"F=", +"F?", +"F^", +"F_", +"F`", +"F{", +"F|", +"F}", +"F~", +"F.", +"F@", +"GA", +"GB", +"GC", +"GD", +"GE", +"GF", +"GG", +"GH", +"GI", +"GJ", +"GK", +"GL", +"GM", +"GN", +"GO", +"GP", +"GQ", +"GR", +"GS", +"GT", +"GU", +"GV", +"GW", +"GX", +"GY", +"GZ", +"Ga", +"Gb", +"Gc", +"Gd", +"Ge", +"Gf", +"Gg", +"Gh", +"Gi", +"Gj", +"Gk", +"Gl", +"Gm", +"Gn", +"Go", +"Gp", +"Gq", +"Gr", +"Gs", +"Gt", +"Gu", +"Gv", +"Gw", +"Gx", +"Gy", +"Gz", +"G0", +"G1", +"G2", +"G3", +"G4", +"G5", +"G6", +"G7", +"G8", +"G9", +"G!", +"G#", +"G%", +"G&", +"G'", +"G*", +"G+", +"G-", +"G/", +"G=", +"G?", +"G^", +"G_", +"G`", +"G{", +"G|", +"G}", +"G~", +"G.", +"G@", +"HA", +"HB", +"HC", +"HD", +"HE", +"HF", +"HG", +"HH", +"HI", +"HJ", +"HK", +"HL", +"HM", +"HN", +"HO", +"HP", +"HQ", +"HR", +"HS", +"HT", +"HU", +"HV", +"HW", +"HX", +"HY", +"HZ", +"Ha", +"Hb", +"Hc", +"Hd", +"He", +"Hf", +"Hg", +"Hh", +"Hi", +"Hj", +"Hk", +"Hl", +"Hm", +"Hn", +"Ho", +"Hp", +"Hq", +"Hr", +"Hs", +"Ht", +"Hu", +"Hv", +"Hw", +"Hx", +"Hy", +"Hz", +"H0", +"H1", +"H2", +"H3", +"H4", +"H5", +"H6", +"H7", +"H8", +"H9", +"H!", +"H#", +"H%", +"H&", +"H'", +"H*", +"H+", +"H-", +"H/", +"H=", +"H?", +"H^", +"H_", +"H`", +"H{", +"H|", +"H}", +"H~", +"H.", +"H@", +"IA", +"IB", +"IC", +"ID", +"IE", +"IF", +"IG", +"IH", +"II", +"IJ", +"IK", +"IL", +"IM", +"IN", +"IO", +"IP", +"IQ", +"IR", +"IS", +"IT", +"IU", +"IV", +"IW", +"IX", +"IY", +"IZ", +"Ia", +"Ib", +"Ic", +"Id", +"Ie", +"If", +"Ig", +"Ih", +"Ii", +"Ij", +"Ik", +"Il", +"Im", +"In", +"Io", +"Ip", +"Iq", +"Ir", +"Is", +"It", +"Iu", +"Iv", +"Iw", +"Ix", +"Iy", +"Iz", +"I0", +"I1", +"I2", +"I3", +"I4", +"I5", +"I6", +"I7", +"I8", +"I9", +"I!", +"I#", +"I%", +"I&", +"I'", +"I*", +"I+", +"I-", +"I/", +"I=", +"I?", +"I^", +"I_", +"I`", +"I{", +"I|", +"I}", +"I~", +"I.", +"I@", +"JA", +"JB", +"JC", +"JD", +"JE", +"JF", +"JG", +"JH", +"JI", +"JJ", +"JK", +"JL", +"JM", +"JN", +"JO", +"JP", +"JQ", +"JR", +"JS", +"JT", +"JU", +"JV", +"JW", +"JX", +"JY", +"JZ", +"Ja", +"Jb", +"Jc", +"Jd", +"Je", +"Jf", +"Jg", +"Jh", +"Ji", +"Jj", +"Jk", +"Jl", +"Jm", +"Jn", +"Jo", +"Jp", +"Jq", +"Jr", +"Js", +"Jt", +"Ju", +"Jv", +"Jw", +"Jx", +"Jy", +"Jz", +"J0", +"J1", +"J2", +"J3", +"J4", +"J5", +"J6", +"J7", +"J8", +"J9", +"J!", +"J#", +"J%", +"J&", +"J'", +"J*", +"J+", +"J-", +"J/", +"J=", +"J?", +"J^", +"J_", +"J`", +"J{", +"J|", +"J}", +"J~", +"J.", +"J@", +"KA", +"KB", +"KC", +"KD", +"KE", +"KF", +"KG", +"KH", +"KI", +"KJ", +"KK", +"KL", +"KM", +"KN", +"KO", +"KP", +"KQ", +"KR", +"KS", +"KT", +"KU", +"KV", +"KW", +"KX", +"KY", +"KZ", +"Ka", +"Kb", +"Kc", +"Kd", +"Ke", +"Kf", +"Kg", +"Kh", +"Ki", +"Kj", +"Kk", +"Kl", +"Km", +"Kn", +"Ko", +"Kp", +"Kq", +"Kr", +"Ks", +"Kt", +"Ku", +"Kv", +"Kw", +"Kx", +"Ky", +"Kz", +"K0", +"K1", +"K2", +"K3", +"K4", +"K5", +"K6", +"K7", +"K8", +"K9", +"K!", +"K#", +"K%", +"K&", +"K'", +"K*", +"K+", +"K-", +"K/", +"K=", +"K?", +"K^", +"K_", +"K`", +"K{", +"K|", +"K}", +"K~", +"K.", +"K@", +"LA", +"LB", +"LC", +"LD", +"LE", +"LF", +"LG", +"LH", +"LI", +"LJ", +"LK", +"LL", +"LM", +"LN", +"LO", +"LP", +"LQ", +"LR", +"LS", +"LT", +"LU", +"LV", +"LW", +"LX", +"LY", +"LZ", +"La", +"Lb", +"Lc", +"Ld", +"Le", +"Lf", +"Lg", +"Lh", +"Li", +"Lj", +"Lk", +"Ll", +"Lm", +"Ln", +"Lo", +"Lp", +"Lq", +"Lr", +"Ls", +"Lt", +"Lu", +"Lv", +"Lw", +"Lx", +"Ly", +"Lz", +"L0", +"L1", +"L2", +"L3", +"L4", +"L5", +"L6", +"L7", +"L8", +"L9", +"L!", +"L#", +"L%", +"L&", +"L'", +"L*", +"L+", +"L-", +"L/", +"L=", +"L?", +"L^", +"L_", +"L`", +"L{", +"L|", +"L}", +"L~", +"L.", +"L@", +"MA", +"MB", +"MC", +"MD", +"ME", +"MF", +"MG", +"MH", +"MI", +"MJ", +"MK", +"ML", +"MM", +"MN", +"MO", +"MP", +"MQ", +"MR", +"MS", +"MT", +"MU", +"MV", +"MW", +"MX", +"MY", +"MZ", +"Ma", +"Mb", +"Mc", +"Md", +"Me", +"Mf", +"Mg", +"Mh", +"Mi", +"Mj", +"Mk", +"Ml", +"Mm", +"Mn", +"Mo", +"Mp", +"Mq", +"Mr", +"Ms", +"Mt", +"Mu", +"Mv", +"Mw", +"Mx", +"My", +"Mz", +"M0", +"M1", +"M2", +"M3", +"M4", +"M5", +"M6", +"M7", +"M8", +"M9", +"M!", +"M#", +"M%", +"M&", +"M'", +"M*", +"M+", +"M-", +"M/", +"M=", +"M?", +"M^", +"M_", +"M`", +"M{", +"M|", +"M}", +"M~", +"M.", +"M@", +"NA", +"NB", +"NC", +"ND", +"NE", +"NF", +"NG", +"NH", +"NI", +"NJ", +"NK", +"NL", +"NM", +"NN", +"NO", +"NP", +"NQ", +"NR", +"NS", +"NT", +"NU", +"NV", +"NW", +"NX", +"NY", +"NZ", +"Na", +"Nb", +"Nc", +"Nd", +"Ne", +"Nf", +"Ng", +"Nh", +"Ni", +"Nj", +"Nk", +"Nl", +"Nm", +"Nn", +"No", +"Np", +"Nq", +"Nr", +"Ns", +"Nt", +"Nu", +"Nv", +"Nw", +"Nx", +"Ny", +"Nz", +"N0", +"N1", +"N2", +"N3", +"N4", +"N5", +"N6", +"N7", +"N8", +"N9", +"N!", +"N#", +"N%", +"N&", +"N'", +"N*", +"N+", +"N-", +"N/", +"N=", +"N?", +"N^", +"N_", +"N`", +"N{", +"N|", +"N}", +"N~", +"N.", +"N@", +"OA", +"OB", +"OC", +"OD", +"OE", +"OF", +"OG", +"OH", +"OI", +"OJ", +"OK", +"OL", +"OM", +"ON", +"OO", +"OP", +"OQ", +"OR", +"OS", +"OT", +"OU", +"OV", +"OW", +"OX", +"OY", +"OZ", +"Oa", +"Ob", +"Oc", +"Od", +"Oe", +"Of", +"Og", +"Oh", +"Oi", +"Oj", +"Ok", +"Ol", +"Om", +"On", +"Oo", +"Op", +"Oq", +"Or", +"Os", +"Ot", +"Ou", +"Ov", +"Ow", +"Ox", +"Oy", +"Oz", +"O0", +"O1", +"O2", +"O3", +"O4", +"O5", +"O6", +"O7", +"O8", +"O9", +"O!", +"O#", +"O%", +"O&", +"O'", +"O*", +"O+", +"O-", +"O/", +"O=", +"O?", +"O^", +"O_", +"O`", +"O{", +"O|", +"O}", +"O~", +"O.", +"O@", +"PA", +"PB", +"PC", +"PD", +"PE", +"PF", +"PG", +"PH", +"PI", +"PJ", +"PK", +"PL", +"PM", +"PN", +"PO", +"PP", +"PQ", +"PR", +"PS", +"PT", +"PU", +"PV", +"PW", +"PX", +"PY", +"PZ", +"Pa", +"Pb", +"Pc", +"Pd", +"Pe", +"Pf", +"Pg", +"Ph", +"Pi", +"Pj", +"Pk", +"Pl", +"Pm", +"Pn", +"Po", +"Pp", +"Pq", +"Pr", +"Ps", +"Pt", +"Pu", +"Pv", +"Pw", +"Px", +"Py", +"Pz", +"P0", +"P1", +"P2", +"P3", +"P4", +"P5", +"P6", +"P7", +"P8", +"P9", +"P!", +"P#", +"P%", +"P&", +"P'", +"P*", +"P+", +"P-", +"P/", +"P=", +"P?", +"P^", +"P_", +"P`", +"P{", +"P|", +"P}", +"P~", +"P.", +"P@", +"QA", +"QB", +"QC", +"QD", +"QE", +"QF", +"QG", +"QH", +"QI", +"QJ", +"QK", +"QL", +"QM", +"QN", +"QO", +"QP", +"QQ", +"QR", +"QS", +"QT", +"QU", +"QV", +"QW", +"QX", +"QY", +"QZ", +"Qa", +"Qb", +"Qc", +"Qd", +"Qe", +"Qf", +"Qg", +"Qh", +"Qi", +"Qj", +"Qk", +"Ql", +"Qm", +"Qn", +"Qo", +"Qp", +"Qq", +"Qr", +"Qs", +"Qt", +"Qu", +"Qv", +"Qw", +"Qx", +"Qy", +"Qz", +"Q0", +"Q1", +"Q2", +"Q3", +"Q4", +"Q5", +"Q6", +"Q7", +"Q8", +"Q9", +"Q!", +"Q#", +"Q%", +"Q&", +"Q'", +"Q*", +"Q+", +"Q-", +"Q/", +"Q=", +"Q?", +"Q^", +"Q_", +"Q`", +"Q{", +"Q|", +"Q}", +"Q~", +"Q.", +"Q@", +"RA", +"RB", +"RC", +"RD", +"RE", +"RF", +"RG", +"RH", +"RI", +"RJ", +"RK", +"RL", +"RM", +"RN", +"RO", +"RP", +"RQ", +"RR", +"RS", +"RT", +"RU", +"RV", +"RW", +"RX", +"RY", +"RZ", +"Ra", +"Rb", +"Rc", +"Rd", +"Re", +"Rf", +"Rg", +"Rh", +"Ri", +"Rj", +"Rk", +"Rl", +"Rm", +"Rn", +"Ro", +"Rp", +"Rq", +"Rr", +"Rs", +"Rt", +"Ru", +"Rv", +"Rw", +"Rx", +"Ry", +"Rz", +"R0", +"R1", +"R2", +"R3", +"R4", +"R5", +"R6", +"R7", +"R8", +"R9", +"R!", +"R#", +"R%", +"R&", +"R'", +"R*", +"R+", +"R-", +"R/", +"R=", +"R?", +"R^", +"R_", +"R`", +"R{", +"R|", +"R}", +"R~", +"R.", +"R@", +"SA", +"SB", +"SC", +"SD", +"SE", +"SF", +"SG", +"SH", +"SI", +"SJ", +"SK", +"SL", +"SM", +"SN", +"SO", +"SP", +"SQ", +"SR", +"SS", +"ST", +"SU", +"SV", +"SW", +"SX", +"SY", +"SZ", +"Sa", +"Sb", +"Sc", +"Sd", +"Se", +"Sf", +"Sg", +"Sh", +"Si", +"Sj", +"Sk", +"Sl", +"Sm", +"Sn", +"So", +"Sp", +"Sq", +"Sr", +"Ss", +"St", +"Su", +"Sv", +"Sw", +"Sx", +"Sy", +"Sz", +"S0", +"S1", +"S2", +"S3", +"S4", +"S5", +"S6", +"S7", +"S8", +"S9", +"S!", +"S#", +"S%", +"S&", +"S'", +"S*", +"S+", +"S-", +"S/", +"S=", +"S?", +"S^", +"S_", +"S`", +"S{", +"S|", +"S}", +"S~", +"S.", +"S@", +"TA", +"TB", +"TC", +"TD", +"TE", +"TF", +"TG", +"TH", +"TI", +"TJ", +"TK", +"TL", +"TM", +"TN", +"TO", +"TP", +"TQ", +"TR", +"TS", +"TT", +"TU", +"TV", +"TW", +"TX", +"TY", +"TZ", +"Ta", +"Tb", +"Tc", +"Td", +"Te", +"Tf", +"Tg", +"Th", +"Ti", +"Tj", +"Tk", +"Tl", +"Tm", +"Tn", +"To", +"Tp", +"Tq", +"Tr", +"Ts", +"Tt", +"Tu", +"Tv", +"Tw", +"Tx", +"Ty", +"Tz", +"T0", +"T1", +"T2", +"T3", +"T4", +"T5", +"T6", +"T7", +"T8", +"T9", +"T!", +"T#", +"T%", +"T&", +"T'", +"T*", +"T+", +"T-", +"T/", +"T=", +"T?", +"T^", +"T_", +"T`", +"T{", +"T|", +"T}", +"T~", +"T.", +"T@", +"UA", +"UB", +"UC", +"UD", +"UE", +"UF", +"UG", +"UH", +"UI", +"UJ", +"UK", +"UL", +"UM", +"UN", +"UO", +"UP", +"UQ", +"UR", +"US", +"UT", +"UU", +"UV", +"UW", +"UX", +"UY", +"UZ", +"Ua", +"Ub", +"Uc", +"Ud", +"Ue", +"Uf", +"Ug", +"Uh", +"Ui", +"Uj", +"Uk", +"Ul", +"Um", +"Un", +"Uo", +"Up", +"Uq", +"Ur", +"Us", +"Ut", +"Uu", +"Uv", +"Uw", +"Ux", +"Uy", +"Uz", +"U0", +"U1", +"U2", +"U3", +"U4", +"U5", +"U6", +"U7", +"U8", +"U9", +"U!", +"U#", +"U%", +"U&", +"U'", +"U*", +"U+", +"U-", +"U/", +"U=", +"U?", +"U^", +"U_", +"U`", +"U{", +"U|", +"U}", +"U~", +"U.", +"U@", +"VA", +"VB", +"VC", +"VD", +"VE", +"VF", +"VG", +"VH", +"VI", +"VJ", +"VK", +"VL", +"VM", +"VN", +"VO", +"VP", +"VQ", +"VR", +"VS", +"VT", +"VU", +"VV", +"VW", +"VX", +"VY", +"VZ", +"Va", +"Vb", +"Vc", +"Vd", +"Ve", +"Vf", +"Vg", +"Vh", +"Vi", +"Vj", +"Vk", +"Vl", +"Vm", +"Vn", +"Vo", +"Vp", +"Vq", +"Vr", +"Vs", +"Vt", +"Vu", +"Vv", +"Vw", +"Vx", +"Vy", +"Vz", +"V0", +"V1", +"V2", +"V3", +"V4", +"V5", +"V6", +"V7", +"V8", +"V9", +"V!", +"V#", +"V%", +"V&", +"V'", +"V*", +"V+", +"V-", +"V/", +"V=", +"V?", +"V^", +"V_", +"V`", +"V{", +"V|", +"V}", +"V~", +"V.", +"V@", +"WA", +"WB", +"WC", +"WD", +"WE", +"WF", +"WG", +"WH", +"WI", +"WJ", +"WK", +"WL", +"WM", +"WN", +"WO", +"WP", +"WQ", +"WR", +"WS", +"WT", +"WU", +"WV", +"WW", +"WX", +"WY", +"WZ", +"Wa", +"Wb", +"Wc", +"Wd", +"We", +"Wf", +"Wg", +"Wh", +"Wi", +"Wj", +"Wk", +"Wl", +"Wm", +"Wn", +"Wo", +"Wp", +"Wq", +"Wr", +"Ws", +"Wt", +"Wu", +"Wv", +"Ww", +"Wx", +"Wy", +"Wz", +"W0", +"W1", +"W2", +"W3", +"W4", +"W5", +"W6", +"W7", +"W8", +"W9", +"W!", +"W#", +"W%", +"W&", +"W'", +"W*", +"W+", +"W-", +"W/", +"W=", +"W?", +"W^", +"W_", +"W`", +"W{", +"W|", +"W}", +"W~", +"W.", +"W@", +"XA", +"XB", +"XC", +"XD", +"XE", +"XF", +"XG", +"XH", +"XI", +"XJ", +"XK", +"XL", +"XM", +"XN", +"XO", +"XP", +"XQ", +"XR", +"XS", +"XT", +"XU", +"XV", +"XW", +"XX", +"XY", +"XZ", +"Xa", +"Xb", +"Xc", +"Xd", +"Xe", +"Xf", +"Xg", +"Xh", +"Xi", +"Xj", +"Xk", +"Xl", +"Xm", +"Xn", +"Xo", +"Xp", +"Xq", +"Xr", +"Xs", +"Xt", +"Xu", +"Xv", +"Xw", +"Xx", +"Xy", +"Xz", +"X0", +"X1", +"X2", +"X3", +"X4", +"X5", +"X6", +"X7", +"X8", +"X9", +"X!", +"X#", +"X%", +"X&", +"X'", +"X*", +"X+", +"X-", +"X/", +"X=", +"X?", +"X^", +"X_", +"X`", +"X{", +"X|", +"X}", +"X~", +"X.", +"X@", +"YA", +"YB", +"YC", +"YD", +"YE", +"YF", +"YG", +"YH", +"YI", +"YJ", +"YK", +"YL", +"YM", +"YN", +"YO", +"YP", +"YQ", +"YR", +"YS", +"YT", +"YU", +"YV", +"YW", +"YX", +"YY", +"YZ", +"Ya", +"Yb", +"Yc", +"Yd", +"Ye", +"Yf", +"Yg", +"Yh", +"Yi", +"Yj", +"Yk", +"Yl", +"Ym", +"Yn", +"Yo", +"Yp", +"Yq", +"Yr", +"Ys", +"Yt", +"Yu", +"Yv", +"Yw", +"Yx", +"Yy", +"Yz", +"Y0", +"Y1", +"Y2", +"Y3", +"Y4", +"Y5", +"Y6", +"Y7", +"Y8", +"Y9", +"Y!", +"Y#", +"Y%", +"Y&", +"Y'", +"Y*", +"Y+", +"Y-", +"Y/", +"Y=", +"Y?", +"Y^", +"Y_", +"Y`", +"Y{", +"Y|", +"Y}", +"Y~", +"Y.", +"Y@", +"ZA", +"ZB", +"ZC", +"ZD", +"ZE", +"ZF", +"ZG", +"ZH", +"ZI", +"ZJ", +"ZK", +"ZL", +"ZM", +"ZN", +"ZO", +"ZP", +"ZQ", +"ZR", +"ZS", +"ZT", +"ZU", +"ZV", +"ZW", +"ZX", +"ZY", +"ZZ", +"Za", +"Zb", +"Zc", +"Zd", +"Ze", +"Zf", +"Zg", +"Zh", +"Zi", +"Zj", +"Zk", +"Zl", +"Zm", +"Zn", +"Zo", +"Zp", +"Zq", +"Zr", +"Zs", +"Zt", +"Zu", +"Zv", +"Zw", +"Zx", +"Zy", +"Zz", +"Z0", +"Z1", +"Z2", +"Z3", +"Z4", +"Z5", +"Z6", +"Z7", +"Z8", +"Z9", +"Z!", +"Z#", +"Z%", +"Z&", +"Z'", +"Z*", +"Z+", +"Z-", +"Z/", +"Z=", +"Z?", +"Z^", +"Z_", +"Z`", +"Z{", +"Z|", +"Z}", +"Z~", +"Z.", +"Z@", +"aA", +"aB", +"aC", +"aD", +"aE", +"aF", +"aG", +"aH", +"aI", +"aJ", +"aK", +"aL", +"aM", +"aN", +"aO", +"aP", +"aQ", +"aR", +"aS", +"aT", +"aU", +"aV", +"aW", +"aX", +"aY", +"aZ", +"aa", +"ab", +"ac", +"ad", +"ae", +"af", +"ag", +"ah", +"ai", +"aj", +"ak", +"al", +"am", +"an", +"ao", +"ap", +"aq", +"ar", +"as", +"at", +"au", +"av", +"aw", +"ax", +"ay", +"az", +"a0", +"a1", +"a2", +"a3", +"a4", +"a5", +"a6", +"a7", +"a8", +"a9", +"a!", +"a#", +"a%", +"a&", +"a'", +"a*", +"a+", +"a-", +"a/", +"a=", +"a?", +"a^", +"a_", +"a`", +"a{", +"a|", +"a}", +"a~", +"a.", +"a@", +"bA", +"bB", +"bC", +"bD", +"bE", +"bF", +"bG", +"bH", +"bI", +"bJ", +"bK", +"bL", +"bM", +"bN", +"bO", +"bP", +"bQ", +"bR", +"bS", +"bT", +"bU", +"bV", +"bW", +"bX", +"bY", +"bZ", +"ba", +"bb", +"bc", +"bd", +"be", +"bf", +"bg", +"bh", +"bi", +"bj", +"bk", +"bl", +"bm", +"bn", +"bo", +"bp", +"bq", +"br", +"bs", +"bt", +"bu", +"bv", +"bw", +"bx", +"by", +"bz", +"b0", +"b1", +"b2", +"b3", +"b4", +"b5", +"b6", +"b7", +"b8", +"b9", +"b!", +"b#", +"b%", +"b&", +"b'", +"b*", +"b+", +"b-", +"b/", +"b=", +"b?", +"b^", +"b_", +"b`", +"b{", +"b|", +"b}", +"b~", +"b.", +"b@", +"cA", +"cB", +"cC", +"cD", +"cE", +"cF", +"cG", +"cH", +"cI", +"cJ", +"cK", +"cL", +"cM", +"cN", +"cO", +"cP", +"cQ", +"cR", +"cS", +"cT", +"cU", +"cV", +"cW", +"cX", +"cY", +"cZ", +"ca", +"cb", +"cc", +"cd", +"ce", +"cf", +"cg", +"ch", +"ci", +"cj", +"ck", +"cl", +"cm", +"cn", +"co", +"cp", +"cq", +"cr", +"cs", +"ct", +"cu", +"cv", +"cw", +"cx", +"cy", +"cz", +"c0", +"c1", +"c2", +"c3", +"c4", +"c5", +"c6", +"c7", +"c8", +"c9", +"c!", +"c#", +"c%", +"c&", +"c'", +"c*", +"c+", +"c-", +"c/", +"c=", +"c?", +"c^", +"c_", +"c`", +"c{", +"c|", +"c}", +"c~", +"c.", +"c@", +"dA", +"dB", +"dC", +"dD", +"dE", +"dF", +"dG", +"dH", +"dI", +"dJ", +"dK", +"dL", +"dM", +"dN", +"dO", +"dP", +"dQ", +"dR", +"dS", +"dT", +"dU", +"dV", +"dW", +"dX", +"dY", +"dZ", +"da", +"db", +"dc", +"dd", +"de", +"df", +"dg", +"dh", +"di", +"dj", +"dk", +"dl", +"dm", +"dn", +"do", +"dp", +"dq", +"dr", +"ds", +"dt", +"du", +"dv", +"dw", +"dx", +"dy", +"dz", +"d0", +"d1", +"d2", +"d3", +"d4", +"d5", +"d6", +"d7", +"d8", +"d9", +"d!", +"d#", +"d%", +"d&", +"d'", +"d*", +"d+", +"d-", +"d/", +"d=", +"d?", +"d^", +"d_", +"d`", +"d{", +"d|", +"d}", +"d~", +"d.", +"d@", +"eA", +"eB", +"eC", +"eD", +"eE", +"eF", +"eG", +"eH", +"eI", +"eJ", +"eK", +"eL", +"eM", +"eN", +"eO", +"eP", +"eQ", +"eR", +"eS", +"eT", +"eU", +"eV", +"eW", +"eX", +"eY", +"eZ", +"ea", +"eb", +"ec", +"ed", +"ee", +"ef", +"eg", +"eh", +"ei", +"ej", +"ek", +"el", +"em", +"en", +"eo", +"ep", +"eq", +"er", +"es", +"et", +"eu", +"ev", +"ew", +"ex", +"ey", +"ez", +"e0", +"e1", +"e2", +"e3", +"e4", +"e5", +"e6", +"e7", +"e8", +"e9", +"e!", +"e#", +"e%", +"e&", +"e'", +"e*", +"e+", +"e-", +"e/", +"e=", +"e?", +"e^", +"e_", +"e`", +"e{", +"e|", +"e}", +"e~", +"e.", +"e@", +"fA", +"fB", +"fC", +"fD", +"fE", +"fF", +"fG", +"fH", +"fI", +"fJ", +"fK", +"fL", +"fM", +"fN", +"fO", +"fP", +"fQ", +"fR", +"fS", +"fT", +"fU", +"fV", +"fW", +"fX", +"fY", +"fZ", +"fa", +"fb", +"fc", +"fd", +"fe", +"ff", +"fg", +"fh", +"fi", +"fj", +"fk", +"fl", +"fm", +"fn", +"fo", +"fp", +"fq", +"fr", +"fs", +"ft", +"fu", +"fv", +"fw", +"fx", +"fy", +"fz", +"f0", +"f1", +"f2", +"f3", +"f4", +"f5", +"f6", +"f7", +"f8", +"f9", +"f!", +"f#", +"f%", +"f&", +"f'", +"f*", +"f+", +"f-", +"f/", +"f=", +"f?", +"f^", +"f_", +"f`", +"f{", +"f|", +"f}", +"f~", +"f.", +"f@", +"gA", +"gB", +"gC", +"gD", +"gE", +"gF", +"gG", +"gH", +"gI", +"gJ", +"gK", +"gL", +"gM", +"gN", +"gO", +"gP", +"gQ", +"gR", +"gS", +"gT", +"gU", +"gV", +"gW", +"gX", +"gY", +"gZ", +"ga", +"gb", +"gc", +"gd", +"ge", +"gf", +"gg", +"gh", +"gi", +"gj", +"gk", +"gl", +"gm", +"gn", +"go", +"gp", +"gq", +"gr", +"gs", +"gt", +"gu", +"gv", +"gw", +"gx", +"gy", +"gz", +"g0", +"g1", +"g2", +"g3", +"g4", +"g5", +"g6", +"g7", +"g8", +"g9", +"g!", +"g#", +"g%", +"g&", +"g'", +"g*", +"g+", +"g-", +"g/", +"g=", +"g?", +"g^", +"g_", +"g`", +"g{", +"g|", +"g}", +"g~", +"g.", +"g@", +"hA", +"hB", +"hC", +"hD", +"hE", +"hF", +"hG", +"hH", +"hI", +"hJ", +"hK", +"hL", +"hM", +"hN", +"hO", +"hP", +"hQ", +"hR", +"hS", +"hT", +"hU", +"hV", +"hW", +"hX", +"hY", +"hZ", +"ha", +"hb", +"hc", +"hd", +"he", +"hf", +"hg", +"hh", +"hi", +"hj", +"hk", +"hl", +"hm", +"hn", +"ho", +"hp", +"hq", +"hr", +"hs", +"ht", +"hu", +"hv", +"hw", +"hx", +"hy", +"hz", +"h0", +"h1", +"h2", +"h3", +"h4", +"h5", +"h6", +"h7", +"h8", +"h9", +"h!", +"h#", +"h%", +"h&", +"h'", +"h*", +"h+", +"h-", +"h/", +"h=", +"h?", +"h^", +"h_", +"h`", +"h{", +"h|", +"h}", +"h~", +"h.", +"h@", +"iA", +"iB", +"iC", +"iD", +"iE", +"iF", +"iG", +"iH", +"iI", +"iJ", +"iK", +"iL", +"iM", +"iN", +"iO", +"iP", +"iQ", +"iR", +"iS", +"iT", +"iU", +"iV", +"iW", +"iX", +"iY", +"iZ", +"ia", +"ib", +"ic", +"id", +"ie", +"if", +"ig", +"ih", +"ii", +"ij", +"ik", +"il", +"im", +"in", +"io", +"ip", +"iq", +"ir", +"is", +"it", +"iu", +"iv", +"iw", +"ix", +"iy", +"iz", +"i0", +"i1", +"i2", +"i3", +"i4", +"i5", +"i6", +"i7", +"i8", +"i9", +"i!", +"i#", +"i%", +"i&", +"i'", +"i*", +"i+", +"i-", +"i/", +"i=", +"i?", +"i^", +"i_", +"i`", +"i{", +"i|", +"i}", +"i~", +"i.", +"i@", +"jA", +"jB", +"jC", +"jD", +"jE", +"jF", +"jG", +"jH", +"jI", +"jJ", +"jK", +"jL", +"jM", +"jN", +"jO", +"jP", +"jQ", +"jR", +"jS", +"jT", +"jU", +"jV", +"jW", +"jX", +"jY", +"jZ", +"ja", +"jb", +"jc", +"jd", +"je", +"jf", +"jg", +"jh", +"ji", +"jj", +"jk", +"jl", +"jm", +"jn", +"jo", +"jp", +"jq", +"jr", +"js", +"jt", +"ju", +"jv", +"jw", +"jx", +"jy", +"jz", +"j0", +"j1", +"j2", +"j3", +"j4", +"j5", +"j6", +"j7", +"j8", +"j9", +"j!", +"j#", +"j%", +"j&", +"j'", +"j*", +"j+", +"j-", +"j/", +"j=", +"j?", +"j^", +"j_", +"j`", +"j{", +"j|", +"j}", +"j~", +"j.", +"j@", +"kA", +"kB", +"kC", +"kD", +"kE", +"kF", +"kG", +"kH", +"kI", +"kJ", +"kK", +"kL", +"kM", +"kN", +"kO", +"kP", +"kQ", +"kR", +"kS", +"kT", +"kU", +"kV", +"kW", +"kX", +"kY", +"kZ", +"ka", +"kb", +"kc", +"kd", +"ke", +"kf", +"kg", +"kh", +"ki", +"kj", +"kk", +"kl", +"km", +"kn", +"ko", +"kp", +"kq", +"kr", +"ks", +"kt", +"ku", +"kv", +"kw", +"kx", +"ky", +"kz", +"k0", +"k1", +"k2", +"k3", +"k4", +"k5", +"k6", +"k7", +"k8", +"k9", +"k!", +"k#", +"k%", +"k&", +"k'", +"k*", +"k+", +"k-", +"k/", +"k=", +"k?", +"k^", +"k_", +"k`", +"k{", +"k|", +"k}", +"k~", +"k.", +"k@", +"lA", +"lB", +"lC", +"lD", +"lE", +"lF", +"lG", +"lH", +"lI", +"lJ", +"lK", +"lL", +"lM", +"lN", +"lO", +"lP", +"lQ", +"lR", +"lS", +"lT", +"lU", +"lV", +"lW", +"lX", +"lY", +"lZ", +"la", +"lb", +"lc", +"ld", +"le", +"lf", +"lg", +"lh", +"li", +"lj", +"lk", +"ll", +"lm", +"ln", +"lo", +"lp", +"lq", +"lr", +"ls", +"lt", +"lu", +"lv", +"lw", +"lx", +"ly", +"lz", +"l0", +"l1", +"l2", +"l3", +"l4", +"l5", +"l6", +"l7", +"l8", +"l9", +"l!", +"l#", +"l%", +"l&", +"l'", +"l*", +"l+", +"l-", +"l/", +"l=", +"l?", +"l^", +"l_", +"l`", +"l{", +"l|", +"l}", +"l~", +"l.", +"l@", +"mA", +"mB", +"mC", +"mD", +"mE", +"mF", +"mG", +"mH", +"mI", +"mJ", +"mK", +"mL", +"mM", +"mN", +"mO", +"mP", +"mQ", +"mR", +"mS", +"mT", +"mU", +"mV", +"mW", +"mX", +"mY", +"mZ", +"ma", +"mb", +"mc", +"md", +"me", +"mf", +"mg", +"mh", +"mi", +"mj", +"mk", +"ml", +"mm", +"mn", +"mo", +"mp", +"mq", +"mr", +"ms", +"mt", +"mu", +"mv", +"mw", +"mx", +"my", +"mz", +"m0", +"m1", +"m2", +"m3", +"m4", +"m5", +"m6", +"m7", +"m8", +"m9", +"m!", +"m#", +"m%", +"m&", +"m'", +"m*", +"m+", +"m-", +"m/", +"m=", +"m?", +"m^", +"m_", +"m`", +"m{", +"m|", +"m}", +"m~", +"m.", +"m@", +"nA", +"nB", +"nC", +"nD", +"nE", +"nF", +"nG", +"nH", +"nI", +"nJ", +"nK", +"nL", +"nM", +"nN", +"nO", +"nP", +"nQ", +"nR", +"nS", +"nT", +"nU", +"nV", +"nW", +"nX", +"nY", +"nZ", +"na", +"nb", +"nc", +"nd", +"ne", +"nf", +"ng", +"nh", +"ni", +"nj", +"nk", +"nl", +"nm", +"nn", +"no", +"np", +"nq", +"nr", +"ns", +"nt", +"nu", +"nv", +"nw", +"nx", +"ny", +"nz", +"n0", +"n1", +"n2", +"n3", +"n4", +"n5", +"n6", +"n7", +"n8", +"n9", +"n!", +"n#", +"n%", +"n&", +"n'", +"n*", +"n+", +"n-", +"n/", +"n=", +"n?", +"n^", +"n_", +"n`", +"n{", +"n|", +"n}", +"n~", +"n.", +"n@", +"oA", +"oB", +"oC", +"oD", +"oE", +"oF", +"oG", +"oH", +"oI", +"oJ", +"oK", +"oL", +"oM", +"oN", +"oO", +"oP", +"oQ", +"oR", +"oS", +"oT", +"oU", +"oV", +"oW", +"oX", +"oY", +"oZ", +"oa", +"ob", +"oc", +"od", +"oe", +"of", +"og", +"oh", +"oi", +"oj", +"ok", +"ol", +"om", +"on", +"oo", +"op", +"oq", +"or", +"os", +"ot", +"ou", +"ov", +"ow", +"ox", +"oy", +"oz", +"o0", +"o1", +"o2", +"o3", +"o4", +"o5", +"o6", +"o7", +"o8", +"o9", +"o!", +"o#", +"o%", +"o&", +"o'", +"o*", +"o+", +"o-", +"o/", +"o=", +"o?", +"o^", +"o_", +"o`", +"o{", +"o|", +"o}", +"o~", +"o.", +"o@", +"pA", +"pB", +"pC", +"pD", +"pE", +"pF", +"pG", +"pH", +"pI", +"pJ", +"pK", +"pL", +"pM", +"pN", +"pO", +"pP", +"pQ", +"pR", +"pS", +"pT", +"pU", +"pV", +"pW", +"pX", +"pY", +"pZ", +"pa", +"pb", +"pc", +"pd", +"pe", +"pf", +"pg", +"ph", +"pi", +"pj", +"pk", +"pl", +"pm", +"pn", +"po", +"pp", +"pq", +"pr", +"ps", +"pt", +"pu", +"pv", +"pw", +"px", +"py", +"pz", +"p0", +"p1", +"p2", +"p3", +"p4", +"p5", +"p6", +"p7", +"p8", +"p9", +"p!", +"p#", +"p%", +"p&", +"p'", +"p*", +"p+", +"p-", +"p/", +"p=", +"p?", +"p^", +"p_", +"p`", +"p{", +"p|", +"p}", +"p~", +"p.", +"p@", +"qA", +"qB", +"qC", +"qD", +"qE", +"qF", +"qG", +"qH", +"qI", +"qJ", +"qK", +"qL", +"qM", +"qN", +"qO", +"qP", +"qQ", +"qR", +"qS", +"qT", +"qU", +"qV", +"qW", +"qX", +"qY", +"qZ", +"qa", +"qb", +"qc", +"qd", +"qe", +"qf", +"qg", +"qh", +"qi", +"qj", +"qk", +"ql", +"qm", +"qn", +"qo", +"qp", +"qq", +"qr", +"qs", +"qt", +"qu", +"qv", +"qw", +"qx", +"qy", +"qz", +"q0", +"q1", +"q2", +"q3", +"q4", +"q5", +"q6", +"q7", +"q8", +"q9", +"q!", +"q#", +"q%", +"q&", +"q'", +"q*", +"q+", +"q-", +"q/", +"q=", +"q?", +"q^", +"q_", +"q`", +"q{", +"q|", +"q}", +"q~", +"q.", +"q@", +"rA", +"rB", +"rC", +"rD", +"rE", +"rF", +"rG", +"rH", +"rI", +"rJ", +"rK", +"rL", +"rM", +"rN", +"rO", +"rP", +"rQ", +"rR", +"rS", +"rT", +"rU", +"rV", +"rW", +"rX", +"rY", +"rZ", +"ra", +"rb", +"rc", +"rd", +"re", +"rf", +"rg", +"rh", +"ri", +"rj", +"rk", +"rl", +"rm", +"rn", +"ro", +"rp", +"rq", +"rr", +"rs", +"rt", +"ru", +"rv", +"rw", +"rx", +"ry", +"rz", +"r0", +"r1", +"r2", +"r3", +"r4", +"r5", +"r6", +"r7", +"r8", +"r9", +"r!", +"r#", +"r%", +"r&", +"r'", +"r*", +"r+", +"r-", +"r/", +"r=", +"r?", +"r^", +"r_", +"r`", +"r{", +"r|", +"r}", +"r~", +"r.", +"r@", +"sA", +"sB", +"sC", +"sD", +"sE", +"sF", +"sG", +"sH", +"sI", +"sJ", +"sK", +"sL", +"sM", +"sN", +"sO", +"sP", +"sQ", +"sR", +"sS", +"sT", +"sU", +"sV", +"sW", +"sX", +"sY", +"sZ", +"sa", +"sb", +"sc", +"sd", +"se", +"sf", +"sg", +"sh", +"si", +"sj", +"sk", +"sl", +"sm", +"sn", +"so", +"sp", +"sq", +"sr", +"ss", +"st", +"su", +"sv", +"sw", +"sx", +"sy", +"sz", +"s0", +"s1", +"s2", +"s3", +"s4", +"s5", +"s6", +"s7", +"s8", +"s9", +"s!", +"s#", +"s%", +"s&", +"s'", +"s*", +"s+", +"s-", +"s/", +"s=", +"s?", +"s^", +"s_", +"s`", +"s{", +"s|", +"s}", +"s~", +"s.", +"s@", +"tA", +"tB", +"tC", +"tD", +"tE", +"tF", +"tG", +"tH", +"tI", +"tJ", +"tK", +"tL", +"tM", +"tN", +"tO", +"tP", +"tQ", +"tR", +"tS", +"tT", +"tU", +"tV", +"tW", +"tX", +"tY", +"tZ", +"ta", +"tb", +"tc", +"td", +"te", +"tf", +"tg", +"th", +"ti", +"tj", +"tk", +"tl", +"tm", +"tn", +"to", +"tp", +"tq", +"tr", +"ts", +"tt", +"tu", +"tv", +"tw", +"tx", +"ty", +"tz", +"t0", +"t1", +"t2", +"t3", +"t4", +"t5", +"t6", +"t7", +"t8", +"t9", +"t!", +"t#", +"t%", +"t&", +"t'", +"t*", +"t+", +"t-", +"t/", +"t=", +"t?", +"t^", +"t_", +"t`", +"t{", +"t|", +"t}", +"t~", +"t.", +"t@", +"uA", +"uB", +"uC", +"uD", +"uE", +"uF", +"uG", +"uH", +"uI", +"uJ", +"uK", +"uL", +"uM", +"uN", +"uO", +"uP", +"uQ", +"uR", +"uS", +"uT", +"uU", +"uV", +"uW", +"uX", +"uY", +"uZ", +"ua", +"ub", +"uc", +"ud", +"ue", +"uf", +"ug", +"uh", +"ui", +"uj", +"uk", +"ul", +"um", +"un", +"uo", +"up", +"uq", +"ur", +"us", +"ut", +"uu", +"uv", +"uw", +"ux", +"uy", +"uz", +"u0", +"u1", +"u2", +"u3", +"u4", +"u5", +"u6", +"u7", +"u8", +"u9", +"u!", +"u#", +"u%", +"u&", +"u'", +"u*", +"u+", +"u-", +"u/", +"u=", +"u?", +"u^", +"u_", +"u`", +"u{", +"u|", +"u}", +"u~", +"u.", +"u@", +"vA", +"vB", +"vC", +"vD", +"vE", +"vF", +"vG", +"vH", +"vI", +"vJ", +"vK", +"vL", +"vM", +"vN", +"vO", +"vP", +"vQ", +"vR", +"vS", +"vT", +"vU", +"vV", +"vW", +"vX", +"vY", +"vZ", +"va", +"vb", +"vc", +"vd", +"ve", +"vf", +"vg", +"vh", +"vi", +"vj", +"vk", +"vl", +"vm", +"vn", +"vo", +"vp", +"vq", +"vr", +"vs", +"vt", +"vu", +"vv", +"vw", +"vx", +"vy", +"vz", +"v0", +"v1", +"v2", +"v3", +"v4", +"v5", +"v6", +"v7", +"v8", +"v9", +"v!", +"v#", +"v%", +"v&", +"v'", +"v*", +"v+", +"v-", +"v/", +"v=", +"v?", +"v^", +"v_", +"v`", +"v{", +"v|", +"v}", +"v~", +"v.", +"v@", +"wA", +"wB", +"wC", +"wD", +"wE", +"wF", +"wG", +"wH", +"wI", +"wJ", +"wK", +"wL", +"wM", +"wN", +"wO", +"wP", +"wQ", +"wR", +"wS", +"wT", +"wU", +"wV", +"wW", +"wX", +"wY", +"wZ", +"wa", +"wb", +"wc", +"wd", +"we", +"wf", +"wg", +"wh", +"wi", +"wj", +"wk", +"wl", +"wm", +"wn", +"wo", +"wp", +"wq", +"wr", +"ws", +"wt", +"wu", +"wv", +"ww", +"wx", +"wy", +"wz", +"w0", +"w1", +"w2", +"w3", +"w4", +"w5", +"w6", +"w7", +"w8", +"w9", +"w!", +"w#", +"w%", +"w&", +"w'", +"w*", +"w+", +"w-", +"w/", +"w=", +"w?", +"w^", +"w_", +"w`", +"w{", +"w|", +"w}", +"w~", +"w.", +"w@", +"xA", +"xB", +"xC", +"xD", +"xE", +"xF", +"xG", +"xH", +"xI", +"xJ", +"xK", +"xL", +"xM", +"xN", +"xO", +"xP", +"xQ", +"xR", +"xS", +"xT", +"xU", +"xV", +"xW", +"xX", +"xY", +"xZ", +"xa", +"xb", +"xc", +"xd", +"xe", +"xf", +"xg", +"xh", +"xi", +"xj", +"xk", +"xl", +"xm", +"xn", +"xo", +"xp", +"xq", +"xr", +"xs", +"xt", +"xu", +"xv", +"xw", +"xx", +"xy", +"xz", +"x0", +"x1", +"x2", +"x3", +"x4", +"x5", +"x6", +"x7", +"x8", +"x9", +"x!", +"x#", +"x%", +"x&", +"x'", +"x*", +"x+", +"x-", +"x/", +"x=", +"x?", +"x^", +"x_", +"x`", +"x{", +"x|", +"x}", +"x~", +"x.", +"x@", +"yA", +"yB", +"yC", +"yD", +"yE", +"yF", +"yG", +"yH", +"yI", +"yJ", +"yK", +"yL", +"yM", +"yN", +"yO", +"yP", +"yQ", +"yR", +"yS", +"yT", +"yU", +"yV", +"yW", +"yX", +"yY", +"yZ", +"ya", +"yb", +"yc", +"yd", +"ye", +"yf", +"yg", +"yh", +"yi", +"yj", +"yk", +"yl", +"ym", +"yn", +"yo", +"yp", +"yq", +"yr", +"ys", +"yt", +"yu", +"yv", +"yw", +"yx", +"yy", +"yz", +"y0", +"y1", +"y2", +"y3", +"y4", +"y5", +"y6", +"y7", +"y8", +"y9", +"y!", +"y#", +"y%", +"y&", +"y'", +"y*", +"y+", +"y-", +"y/", +"y=", +"y?", +"y^", +"y_", +"y`", +"y{", +"y|", +"y}", +"y~", +"y.", +"y@", +"zA", +"zB", +"zC", +"zD", +"zE", +"zF", +"zG", +"zH", +"zI", +"zJ", +"zK", +"zL", +"zM", +"zN", +"zO", +"zP", +"zQ", +"zR", +"zS", +"zT", +"zU", +"zV", +"zW", +"zX", +"zY", +"zZ", +"za", +"zb", +"zc", +"zd", +"ze", +"zf", +"zg", +"zh", +"zi", +"zj", +"zk", +"zl", +"zm", +"zn", +"zo", +"zp", +"zq", +"zr", +"zs", +"zt", +"zu", +"zv", +"zw", +"zx", +"zy", +"zz", +"z0", +"z1", +"z2", +"z3", +"z4", +"z5", +"z6", +"z7", +"z8", +"z9", +"z!", +"z#", +"z%", +"z&", +"z'", +"z*", +"z+", +"z-", +"z/", +"z=", +"z?", +"z^", +"z_", +"z`", +"z{", +"z|", +"z}", +"z~", +"z.", +"z@", +"0A", +"0B", +"0C", +"0D", +"0E", +"0F", +"0G", +"0H", +"0I", +"0J", +"0K", +"0L", +"0M", +"0N", +"0O", +"0P", +"0Q", +"0R", +"0S", +"0T", +"0U", +"0V", +"0W", +"0X", +"0Y", +"0Z", +"0a", +"0b", +"0c", +"0d", +"0e", +"0f", +"0g", +"0h", +"0i", +"0j", +"0k", +"0l", +"0m", +"0n", +"0o", +"0p", +"0q", +"0r", +"0s", +"0t", +"0u", +"0v", +"0w", +"0x", +"0y", +"0z", +"00", +"01", +"02", +"03", +"04", +"05", +"06", +"07", +"08", +"09", +"0!", +"0#", +"0%", +"0&", +"0'", +"0*", +"0+", +"0-", +"0/", +"0=", +"0?", +"0^", +"0_", +"0`", +"0{", +"0|", +"0}", +"0~", +"0.", +"0@", +"1A", +"1B", +"1C", +"1D", +"1E", +"1F", +"1G", +"1H", +"1I", +"1J", +"1K", +"1L", +"1M", +"1N", +"1O", +"1P", +"1Q", +"1R", +"1S", +"1T", +"1U", +"1V", +"1W", +"1X", +"1Y", +"1Z", +"1a", +"1b", +"1c", +"1d", +"1e", +"1f", +"1g", +"1h", +"1i", +"1j", +"1k", +"1l", +"1m", +"1n", +"1o", +"1p", +"1q", +"1r", +"1s", +"1t", +"1u", +"1v", +"1w", +"1x", +"1y", +"1z", +"10", +"11", +"12", +"13", +"14", +"15", +"16", +"17", +"18", +"19", +"1!", +"1#", +"1%", +"1&", +"1'", +"1*", +"1+", +"1-", +"1/", +"1=", +"1?", +"1^", +"1_", +"1`", +"1{", +"1|", +"1}", +"1~", +"1.", +"1@", +"2A", +"2B", +"2C", +"2D", +"2E", +"2F", +"2G", +"2H", +"2I", +"2J", +"2K", +"2L", +"2M", +"2N", +"2O", +"2P", +"2Q", +"2R", +"2S", +"2T", +"2U", +"2V", +"2W", +"2X", +"2Y", +"2Z", +"2a", +"2b", +"2c", +"2d", +"2e", +"2f", +"2g", +"2h", +"2i", +"2j", +"2k", +"2l", +"2m", +"2n", +"2o", +"2p", +"2q", +"2r", +"2s", +"2t", +"2u", +"2v", +"2w", +"2x", +"2y", +"2z", +"20", +"21", +"22", +"23", +"24", +"25", +"26", +"27", +"28", +"29", +"2!", +"2#", +"2%", +"2&", +"2'", +"2*", +"2+", +"2-", +"2/", +"2=", +"2?", +"2^", +"2_", +"2`", +"2{", +"2|", +"2}", +"2~", +"2.", +"2@", +"3A", +"3B", +"3C", +"3D", +"3E", +"3F", +"3G", +"3H", +"3I", +"3J", +"3K", +"3L", +"3M", +"3N", +"3O", +"3P", +"3Q", +"3R", +"3S", +"3T", +"3U", +"3V", +"3W", +"3X", +"3Y", +"3Z", +"3a", +"3b", +"3c", +"3d", +"3e", +"3f", +"3g", +"3h", +"3i", +"3j", +"3k", +"3l", +"3m", +"3n", +"3o", +"3p", +"3q", +"3r", +"3s", +"3t", +"3u", +"3v", +"3w", +"3x", +"3y", +"3z", +"30", +"31", +"32", +"33", +"34", +"35", +"36", +"37", +"38", +"39", +"3!", +"3#", +"3%", +"3&", +"3'", +"3*", +"3+", +"3-", +"3/", +"3=", +"3?", +"3^", +"3_", +"3`", +"3{", +"3|", +"3}", +"3~", +"3.", +"3@", +"4A", +"4B", +"4C", +"4D", +"4E", +"4F", +"4G", +"4H", +"4I", +"4J", +"4K", +"4L", +"4M", +"4N", +"4O", +"4P", +"4Q", +"4R", +"4S", +"4T", +"4U", +"4V", +"4W", +"4X", +"4Y", +"4Z", +"4a", +"4b", +"4c", +"4d", +"4e", +"4f", +"4g", +"4h", +"4i", +"4j", +"4k", +"4l", +"4m", +"4n", +"4o", +"4p", +"4q", +"4r", +"4s", +"4t", +"4u", +"4v", +"4w", +"4x", +"4y", +"4z", +"40", +"41", +"42", +"43", +"44", +"45", +"46", +"47", +"48", +"49", +"4!", +"4#", +"4%", +"4&", +"4'", +"4*", +"4+", +"4-", +"4/", +"4=", +"4?", +"4^", +"4_", +"4`", +"4{", +"4|", +"4}", +"4~", +"4.", +"4@", +"5A", +"5B", +"5C", +"5D", +"5E", +"5F", +"5G", +"5H", +"5I", +"5J", +"5K", +"5L", +"5M", +"5N", +"5O", +"5P", +"5Q", +"5R", +"5S", +"5T", +"5U", +"5V", +"5W", +"5X", +"5Y", +"5Z", +"5a", +"5b", +"5c", +"5d", +"5e", +"5f", +"5g", +"5h", +"5i", +"5j", +"5k", +"5l", +"5m", +"5n", +"5o", +"5p", +"5q", +"5r", +"5s", +"5t", +"5u", +"5v", +"5w", +"5x", +"5y", +"5z", +"50", +"51", +"52", +"53", +"54", +"55", +"56", +"57", +"58", +"59", +"5!", +"5#", +"5%", +"5&", +"5'", +"5*", +"5+", +"5-", +"5/", +"5=", +"5?", +"5^", +"5_", +"5`", +"5{", +"5|", +"5}", +"5~", +"5.", +"5@", +"6A", +"6B", +"6C", +"6D", +"6E", +"6F", +"6G", +"6H", +"6I", +"6J", +"6K", +"6L", +"6M", +"6N", +"6O", +"6P", +"6Q", +"6R", +"6S", +"6T", +"6U", +"6V", +"6W", +"6X", +"6Y", +"6Z", +"6a", +"6b", +"6c", +"6d", +"6e", +"6f", +"6g", +"6h", +"6i", +"6j", +"6k", +"6l", +"6m", +"6n", +"6o", +"6p", +"6q", +"6r", +"6s", +"6t", +"6u", +"6v", +"6w", +"6x", +"6y", +"6z", +"60", +"61", +"62", +"63", +"64", +"65", +"66", +"67", +"68", +"69", +"6!", +"6#", +"6%", +"6&", +"6'", +"6*", +"6+", +"6-", +"6/", +"6=", +"6?", +"6^", +"6_", +"6`", +"6{", +"6|", +"6}", +"6~", +"6.", +"6@", +"7A", +"7B", +"7C", +"7D", +"7E", +"7F", +"7G", +"7H", +"7I", +"7J", +"7K", +"7L", +"7M", +"7N", +"7O", +"7P", +"7Q", +"7R", +"7S", +"7T", +"7U", +"7V", +"7W", +"7X", +"7Y", +"7Z", +"7a", +"7b", +"7c", +"7d", +"7e", +"7f", +"7g", +"7h", +"7i", +"7j", +"7k", +"7l", +"7m", +"7n", +"7o", +"7p", +"7q", +"7r", +"7s", +"7t", +"7u", +"7v", +"7w", +"7x", +"7y", +"7z", +"70", +"71", +"72", +"73", +"74", +"75", +"76", +"77", +"78", +"79", +"7!", +"7#", +"7%", +"7&", +"7'", +"7*", +"7+", +"7-", +"7/", +"7=", +"7?", +"7^", +"7_", +"7`", +"7{", +"7|", +"7}", +"7~", +"7.", +"7@", +"8A", +"8B", +"8C", +"8D", +"8E", +"8F", +"8G", +"8H", +"8I", +"8J", +"8K", +"8L", +"8M", +"8N", +"8O", +"8P", +"8Q", +"8R", +"8S", +"8T", +"8U", +"8V", +"8W", +"8X", +"8Y", +"8Z", +"8a", +"8b", +"8c", +"8d", +"8e", +"8f", +"8g", +"8h", +"8i", +"8j", +"8k", +"8l", +"8m", +"8n", +"8o", +"8p", +"8q", +"8r", +"8s", +"8t", +"8u", +"8v", +"8w", +"8x", +"8y", +"8z", +"80", +"81", +"82", +"83", +"84", +"85", +"86", +"87", +"88", +"89", +"8!", +"8#", +"8%", +"8&", +"8'", +"8*", +"8+", +"8-", +"8/", +"8=", +"8?", +"8^", +"8_", +"8`", +"8{", +"8|", +"8}", +"8~", +"8.", +"8@", +"9A", +"9B", +"9C", +"9D", +"9E", +"9F", +"9G", +"9H", +"9I", +"9J", +"9K", +"9L", +"9M", +"9N", +"9O", +"9P", +"9Q", +"9R", +"9S", +"9T", +"9U", +"9V", +"9W", +"9X", +"9Y", +"9Z", +"9a", +"9b", +"9c", +"9d", +"9e", +"9f", +"9g", +"9h", +"9i", +"9j", +"9k", +"9l", +"9m", +"9n", +"9o", +"9p", +"9q", +"9r", +"9s", +"9t", +"9u", +"9v", +"9w", +"9x", +"9y", +"9z", +"90", +"91", +"92", +"93", +"94", +"95", +"96", +"97", +"98", +"99", +"9!", +"9#", +"9%", +"9&", +"9'", +"9*", +"9+", +"9-", +"9/", +"9=", +"9?", +"9^", +"9_", +"9`", +"9{", +"9|", +"9}", +"9~", +"9.", +"9@", +"!A", +"!B", +"!C", +"!D", +"!E", +"!F", +"!G", +"!H", +"!I", +"!J", +"!K", +"!L", +"!M", +"!N", +"!O", +"!P", +"!Q", +"!R", +"!S", +"!T", +"!U", +"!V", +"!W", +"!X", +"!Y", +"!Z", +"!a", +"!b", +"!c", +"!d", +"!e", +"!f", +"!g", +"!h", +"!i", +"!j", +"!k", +"!l", +"!m", +"!n", +"!o", +"!p", +"!q", +"!r", +"!s", +"!t", +"!u", +"!v", +"!w", +"!x", +"!y", +"!z", +"!0", +"!1", +"!2", +"!3", +"!4", +"!5", +"!6", +"!7", +"!8", +"!9", +"!!", +"!#", +"!%", +"!&", +"!'", +"!*", +"!+", +"!-", +"!/", +"!=", +"!?", +"!^", +"!_", +"!`", +"!{", +"!|", +"!}", +"!~", +"!.", +"!@", +"#A", +"#B", +"#C", +"#D", +"#E", +"#F", +"#G", +"#H", +"#I", +"#J", +"#K", +"#L", +"#M", +"#N", +"#O", +"#P", +"#Q", +"#R", +"#S", +"#T", +"#U", +"#V", +"#W", +"#X", +"#Y", +"#Z", +"#a", +"#b", +"#c", +"#d", +"#e", +"#f", +"#g", +"#h", +"#i", +"#j", +"#k", +"#l", +"#m", +"#n", +"#o", +"#p", +"#q", +"#r", +"#s", +"#t", +"#u", +"#v", +"#w", +"#x", +"#y", +"#z", +"#0", +"#1", +"#2", +"#3", +"#4", +"#5", +"#6", +"#7", +"#8", +"#9", +"#!", +"##", +"#%", +"#&", +"#'", +"#*", +"#+", +"#-", +"#/", +"#=", +"#?", +"#^", +"#_", +"#`", +"#{", +"#|", +"#}", +"#~", +"#.", +"#@", +"%A", +"%B", +"%C", +"%D", +"%E", +"%F", +"%G", +"%H", +"%I", +"%J", +"%K", +"%L", +"%M", +"%N", +"%O", +"%P", +"%Q", +"%R", +"%S", +"%T", +"%U", +"%V", +"%W", +"%X", +"%Y", +"%Z", +"%a", +"%b", +"%c", +"%d", +"%e", +"%f", +"%g", +"%h", +"%i", +"%j", +"%k", +"%l", +"%m", +"%n", +"%o", +"%p", +"%q", +"%r", +"%s", +"%t", +"%u", +"%v", +"%w", +"%x", +"%y", +"%z", +"%0", +"%1", +"%2", +"%3", +"%4", +"%5", +"%6", +"%7", +"%8", +"%9", +"%!", +"%#", +"%%", +"%&", +"%'", +"%*", +"%+", +"%-", +"%/", +"%=", +"%?", +"%^", +"%_", +"%`", +"%{", +"%|", +"%}", +"%~", +"%.", +"%@", +"&A", +"&B", +"&C", +"&D", +"&E", +"&F", +"&G", +"&H", +"&I", +"&J", +"&K", +"&L", +"&M", +"&N", +"&O", +"&P", +"&Q", +"&R", +"&S", +"&T", +"&U", +"&V", +"&W", +"&X", +"&Y", +"&Z", +"&a", +"&b", +"&c", +"&d", +"&e", +"&f", +"&g", +"&h", +"&i", +"&j", +"&k", +"&l", +"&m", +"&n", +"&o", +"&p", +"&q", +"&r", +"&s", +"&t", +"&u", +"&v", +"&w", +"&x", +"&y", +"&z", +"&0", +"&1", +"&2", +"&3", +"&4", +"&5", +"&6", +"&7", +"&8", +"&9", +"&!", +"&#", +"&%", +"&&", +"&'", +"&*", +"&+", +"&-", +"&/", +"&=", +"&?", +"&^", +"&_", +"&`", +"&{", +"&|", +"&}", +"&~", +"&.", +"&@", +"'A", +"'B", +"'C", +"'D", +"'E", +"'F", +"'G", +"'H", +"'I", +"'J", +"'K", +"'L", +"'M", +"'N", +"'O", +"'P", +"'Q", +"'R", +"'S", +"'T", +"'U", +"'V", +"'W", +"'X", +"'Y", +"'Z", +"'a", +"'b", +"'c", +"'d", +"'e", +"'f", +"'g", +"'h", +"'i", +"'j", +"'k", +"'l", +"'m", +"'n", +"'o", +"'p", +"'q", +"'r", +"'s", +"'t", +"'u", +"'v", +"'w", +"'x", +"'y", +"'z", +"'0", +"'1", +"'2", +"'3", +"'4", +"'5", +"'6", +"'7", +"'8", +"'9", +"'!", +"'#", +"'%", +"'&", +"''", +"'*", +"'+", +"'-", +"'/", +"'=", +"'?", +"'^", +"'_", +"'`", +"'{", +"'|", +"'}", +"'~", +"'.", +"'@", +"*A", +"*B", +"*C", +"*D", +"*E", +"*F", +"*G", +"*H", +"*I", +"*J", +"*K", +"*L", +"*M", +"*N", +"*O", +"*P", +"*Q", +"*R", +"*S", +"*T", +"*U", +"*V", +"*W", +"*X", +"*Y", +"*Z", +"*a", +"*b", +"*c", +"*d", +"*e", +"*f", +"*g", +"*h", +"*i", +"*j", +"*k", +"*l", +"*m", +"*n", +"*o", +"*p", +"*q", +"*r", +"*s", +"*t", +"*u", +"*v", +"*w", +"*x", +"*y", +"*z", +"*0", +"*1", +"*2", +"*3", +"*4", +"*5", +"*6", +"*7", +"*8", +"*9", +"*!", +"*#", +"*%", +"*&", +"*'", +"**", +"*+", +"*-", +"*/", +"*=", +"*?", +"*^", +"*_", +"*`", +"*{", +"*|", +"*}", +"*~", +"*.", +"*@", +"+A", +"+B", +"+C", +"+D", +"+E", +"+F", +"+G", +"+H", +"+I", +"+J", +"+K", +"+L", +"+M", +"+N", +"+O", +"+P", +"+Q", +"+R", +"+S", +"+T", +"+U", +"+V", +"+W", +"+X", +"+Y", +"+Z", +"+a", +"+b", +"+c", +"+d", +"+e", +"+f", +"+g", +"+h", +"+i", +"+j", +"+k", +"+l", +"+m", +"+n", +"+o", +"+p", +"+q", +"+r", +"+s", +"+t", +"+u", +"+v", +"+w", +"+x", +"+y", +"+z", +"+0", +"+1", +"+2", +"+3", +"+4", +"+5", +"+6", +"+7", +"+8", +"+9", +"+!", +"+#", +"+%", +"+&", +"+'", +"+*", +"++", +"+-", +"+/", +"+=", +"+?", +"+^", +"+_", +"+`", +"+{", +"+|", +"+}", +"+~", +"+.", +"+@", +"-A", +"-B", +"-C", +"-D", +"-E", +"-F", +"-G", +"-H", +"-I", +"-J", +"-K", +"-L", +"-M", +"-N", +"-O", +"-P", +"-Q", +"-R", +"-S", +"-T", +"-U", +"-V", +"-W", +"-X", +"-Y", +"-Z", +"-a", +"-b", +"-c", +"-d", +"-e", +"-f", +"-g", +"-h", +"-i", +"-j", +"-k", +"-l", +"-m", +"-n", +"-o", +"-p", +"-q", +"-r", +"-s", +"-t", +"-u", +"-v", +"-w", +"-x", +"-y", +"-z", +"-0", +"-1", +"-2", +"-3", +"-4", +"-5", +"-6", +"-7", +"-8", +"-9", +"-!", +"-#", +"-%", +"-&", +"-'", +"-*", +"-+", +"--", +"-/", +"-=", +"-?", +"-^", +"-_", +"-`", +"-{", +"-|", +"-}", +"-~", +"-.", +"-@", +"/A", +"/B", +"/C", +"/D", +"/E", +"/F", +"/G", +"/H", +"/I", +"/J", +"/K", +"/L", +"/M", +"/N", +"/O", +"/P", +"/Q", +"/R", +"/S", +"/T", +"/U", +"/V", +"/W", +"/X", +"/Y", +"/Z", +"/a", +"/b", +"/c", +"/d", +"/e", +"/f", +"/g", +"/h", +"/i", +"/j", +"/k", +"/l", +"/m", +"/n", +"/o", +"/p", +"/q", +"/r", +"/s", +"/t", +"/u", +"/v", +"/w", +"/x", +"/y", +"/z", +"/0", +"/1", +"/2", +"/3", +"/4", +"/5", +"/6", +"/7", +"/8", +"/9", +"/!", +"/#", +"/%", +"/&", +"/'", +"/*", +"/+", +"/-", +"//", +"/=", +"/?", +"/^", +"/_", +"/`", +"/{", +"/|", +"/}", +"/~", +"/.", +"/@", +"=A", +"=B", +"=C", +"=D", +"=E", +"=F", +"=G", +"=H", +"=I", +"=J", +"=K", +"=L", +"=M", +"=N", +"=O", +"=P", +"=Q", +"=R", +"=S", +"=T", +"=U", +"=V", +"=W", +"=X", +"=Y", +"=Z", +"=a", +"=b", +"=c", +"=d", +"=e", +"=f", +"=g", +"=h", +"=i", +"=j", +"=k", +"=l", +"=m", +"=n", +"=o", +"=p", +"=q", +"=r", +"=s", +"=t", +"=u", +"=v", +"=w", +"=x", +"=y", +"=z", +"=0", +"=1", +"=2", +"=3", +"=4", +"=5", +"=6", +"=7", +"=8", +"=9", +"=!", +"=#", +"=%", +"=&", +"='", +"=*", +"=+", +"=-", +"=/", +"==", +"=?", +"=^", +"=_", +"=`", +"={", +"=|", +"=}", +"=~", +"=.", +"=@", +"?A", +"?B", +"?C", +"?D", +"?E", +"?F", +"?G", +"?H", +"?I", +"?J", +"?K", +"?L", +"?M", +"?N", +"?O", +"?P", +"?Q", +"?R", +"?S", +"?T", +"?U", +"?V", +"?W", +"?X", +"?Y", +"?Z", +"?a", +"?b", +"?c", +"?d", +"?e", +"?f", +"?g", +"?h", +"?i", +"?j", +"?k", +"?l", +"?m", +"?n", +"?o", +"?p", +"?q", +"?r", +"?s", +"?t", +"?u", +"?v", +"?w", +"?x", +"?y", +"?z", +"?0", +"?1", +"?2", +"?3", +"?4", +"?5", +"?6", +"?7", +"?8", +"?9", +"?!", +"?#", +"?%", +"?&", +"?'", +"?*", +"?+", +"?-", +"?/", +"?=", +"??", +"?^", +"?_", +"?`", +"?{", +"?|", +"?}", +"?~", +"?.", +"?@", +"^A", +"^B", +"^C", +"^D", +"^E", +"^F", +"^G", +"^H", +"^I", +"^J", +"^K", +"^L", +"^M", +"^N", +"^O", +"^P", +"^Q", +"^R", +"^S", +"^T", +"^U", +"^V", +"^W", +"^X", +"^Y", +"^Z", +"^a", +"^b", +"^c", +"^d", +"^e", +"^f", +"^g", +"^h", +"^i", +"^j", +"^k", +"^l", +"^m", +"^n", +"^o", +"^p", +"^q", +"^r", +"^s", +"^t", +"^u", +"^v", +"^w", +"^x", +"^y", +"^z", +"^0", +"^1", +"^2", +"^3", +"^4", +"^5", +"^6", +"^7", +"^8", +"^9", +"^!", +"^#", +"^%", +"^&", +"^'", +"^*", +"^+", +"^-", +"^/", +"^=", +"^?", +"^^", +"^_", +"^`", +"^{", +"^|", +"^}", +"^~", +"^.", +"^@", +"_A", +"_B", +"_C", +"_D", +"_E", +"_F", +"_G", +"_H", +"_I", +"_J", +"_K", +"_L", +"_M", +"_N", +"_O", +"_P", +"_Q", +"_R", +"_S", +"_T", +"_U", +"_V", +"_W", +"_X", +"_Y", +"_Z", +"_a", +"_b", +"_c", +"_d", +"_e", +"_f", +"_g", +"_h", +"_i", +"_j", +"_k", +"_l", +"_m", +"_n", +"_o", +"_p", +"_q", +"_r", +"_s", +"_t", +"_u", +"_v", +"_w", +"_x", +"_y", +"_z", +"_0", +"_1", +"_2", +"_3", +"_4", +"_5", +"_6", +"_7", +"_8", +"_9", +"_!", +"_#", +"_%", +"_&", +"_'", +"_*", +"_+", +"_-", +"_/", +"_=", +"_?", +"_^", +"__", +"_`", +"_{", +"_|", +"_}", +"_~", +"_.", +"_@", +"`A", +"`B", +"`C", +"`D", +"`E", +"`F", +"`G", +"`H", +"`I", +"`J", +"`K", +"`L", +"`M", +"`N", +"`O", +"`P", +"`Q", +"`R", +"`S", +"`T", +"`U", +"`V", +"`W", +"`X", +"`Y", +"`Z", +"`a", +"`b", +"`c", +"`d", +"`e", +"`f", +"`g", +"`h", +"`i", +"`j", +"`k", +"`l", +"`m", +"`n", +"`o", +"`p", +"`q", +"`r", +"`s", +"`t", +"`u", +"`v", +"`w", +"`x", +"`y", +"`z", +"`0", +"`1", +"`2", +"`3", +"`4", +"`5", +"`6", +"`7", +"`8", +"`9", +"`!", +"`#", +"`%", +"`&", +"`'", +"`*", +"`+", +"`-", +"`/", +"`=", +"`?", +"`^", +"`_", +"``", +"`{", +"`|", +"`}", +"`~", +"`.", +"`@", +"{A", +"{B", +"{C", +"{D", +"{E", +"{F", +"{G", +"{H", +"{I", +"{J", +"{K", +"{L", +"{M", +"{N", +"{O", +"{P", +"{Q", +"{R", +"{S", +"{T", +"{U", +"{V", +"{W", +"{X", +"{Y", +"{Z", +"{a", +"{b", +"{c", +"{d", +"{e", +"{f", +"{g", +"{h", +"{i", +"{j", +"{k", +"{l", +"{m", +"{n", +"{o", +"{p", +"{q", +"{r", +"{s", +"{t", +"{u", +"{v", +"{w", +"{x", +"{y", +"{z", +"{0", +"{1", +"{2", +"{3", +"{4", +"{5", +"{6", +"{7", +"{8", +"{9", +"{!", +"{#", +"{%", +"{&", +"{'", +"{*", +"{+", +"{-", +"{/", +"{=", +"{?", +"{^", +"{_", +"{`", +"{{", +"{|", +"{}", +"{~", +"{.", +"{@", +"|A", +"|B", +"|C", +"|D", +"|E", +"|F", +"|G", +"|H", +"|I", +"|J", +"|K", +"|L", +"|M", +"|N", +"|O", +"|P", +"|Q", +"|R", +"|S", +"|T", +"|U", +"|V", +"|W", +"|X", +"|Y", +"|Z", +"|a", +"|b", +"|c", +"|d", +"|e", +"|f", +"|g", +"|h", +"|i", +"|j", +"|k", +"|l", +"|m", +"|n", +"|o", +"|p", +"|q", +"|r", +"|s", +"|t", +"|u", +"|v", +"|w", +"|x", +"|y", +"|z", +"|0", +"|1", +"|2", +"|3", +"|4", +"|5", +"|6", +"|7", +"|8", +"|9", +"|!", +"|#", +"|%", +"|&", +"|'", +"|*", +"|+", +"|-", +"|/", +"|=", +"|?", +"|^", +"|_", +"|`", +"|{", +"||", +"|}", +"|~", +"|.", +"|@", +"}A", +"}B", +"}C", +"}D", +"}E", +"}F", +"}G", +"}H", +"}I", +"}J", +"}K", +"}L", +"}M", +"}N", +"}O", +"}P", +"}Q", +"}R", +"}S", +"}T", +"}U", +"}V", +"}W", +"}X", +"}Y", +"}Z", +"}a", +"}b", +"}c", +"}d", +"}e", +"}f", +"}g", +"}h", +"}i", +"}j", +"}k", +"}l", +"}m", +"}n", +"}o", +"}p", +"}q", +"}r", +"}s", +"}t", +"}u", +"}v", +"}w", +"}x", +"}y", +"}z", +"}0", +"}1", +"}2", +"}3", +"}4", +"}5", +"}6", +"}7", +"}8", +"}9", +"}!", +"}#", +"}%", +"}&", +"}'", +"}*", +"}+", +"}-", +"}/", +"}=", +"}?", +"}^", +"}_", +"}`", +"}{", +"}|", +"}}", +"}~", +"}.", +"}@", +"~A", +"~B", +"~C", +"~D", +"~E", +"~F", +"~G", +"~H", +"~I", +"~J", +"~K", +"~L", +"~M", +"~N", +"~O", +"~P", +"~Q", +"~R", +"~S", +"~T", +"~U", +"~V", +"~W", +"~X", +"~Y", +"~Z", +"~a", +"~b", +"~c", +"~d", +"~e", +"~f", +"~g", +"~h", +"~i", +"~j", +"~k", +"~l", +"~m", +"~n", +"~o", +"~p", +"~q", +"~r", +"~s", +"~t", +"~u", +"~v", +"~w", +"~x", +"~y", +"~z", +"~0", +"~1", +"~2", +"~3", +"~4", +"~5", +"~6", +"~7", +"~8", +"~9", +"~!", +"~#", +"~%", +"~&", +"~'", +"~*", +"~+", +"~-", +"~/", +"~=", +"~?", +"~^", +"~_", +"~`", +"~{", +"~|", +"~}", +"~~", +"~.", +"~@", +".A", +".B", +".C", +".D", +".E", +".F", +".G", +".H", +".I", +".J", +".K", +".L", +".M", +".N", +".O", +".P", +".Q", +".R", +".S", +".T", +".U", +".V", +".W", +".X", +".Y", +".Z", +".a", +".b", +".c", +".d", +".e", +".f", +".g", +".h", +".i", +".j", +".k", +".l", +".m", +".n", +".o", +".p", +".q", +".r", +".s", +".t", +".u", +".v", +".w", +".x", +".y", +".z", +".0", +".1", +".2", +".3", +".4", +".5", +".6", +".7", +".8", +".9", +".!", +".#", +".%", +".&", +".'", +".*", +".+", +".-", +"./", +".=", +".?", +".^", +"._", +".`", +".{", +".|", +".}", +".~", +"..", +".@", +"@A", +"@B", +"@C", +"@D", +"@E", +"@F", +"@G", +"@H", +"@I", +"@J", +"@K", +"@L", +"@M", +"@N", +"@O", +"@P", +"@Q", +"@R", +"@S", +"@T", +"@U", +"@V", +"@W", +"@X", +"@Y", +"@Z", +"@a", +"@b", +"@c", +"@d", +"@e", +"@f", +"@g", +"@h", +"@i", +"@j", +"@k", +"@l", +"@m", +"@n", +"@o", +"@p", +"@q", +"@r", +"@s", +"@t", +"@u", +"@v", +"@w", +"@x", +"@y", +"@z", +"@0", +"@1", +"@2", +"@3", +"@4", +"@5", +"@6", +"@7", +"@8", +"@9", +"@!", +"@#", +"@%", +"@&", +"@'", +"@*", +"@+", +"@-", +"@/", +"@=", +"@?", +"@^", +"@_", +"@`", +"@{", +"@|", +"@}", +"@~", +"@.", +"@@", + 0}; diff --git a/flare-2015/flare6/run.bat b/flare-2015/flare6/run.bat new file mode 100755 index 0000000..f5909f9 --- /dev/null +++ b/flare-2015/flare6/run.bat @@ -0,0 +1,5 @@ +adb push libs\armeabi\hello /data/local/tmp +adb push libvalidate.so /data/local/tmp +adb shell "chmod 755 /data/local/tmp/hello" +adb push libs\armeabi\libmylib.so /data/local/tmp +adb shell "LD_PRELOAD=/data/local/tmp/libmylib.so /data/local/tmp/hello" diff --git a/flare-2015/flare7/README.md b/flare-2015/flare7/README.md new file mode 100644 index 0000000..d695a41 --- /dev/null +++ b/flare-2015/flare7/README.md @@ -0,0 +1,42 @@ +# Challenge 7 + +This is a heavily obfuscated .NET package. I tried opening it to find a string that I can use as a starting point, while clicking away, I found an array. Pasting it to Python: + + +![](yousometa.png) + +```python + a = [80, 108, 101, 97, 115, 101, 32, 101, 110, 116, 101, 114, 32, 116, 104, 101, 32, 99, 111, 114, 114, 101, 99, 116, 32, 112, 97, 115, 115, 119, 111, 114, 100, 58, 32] + print "".join([chr(x) for x in a]) + 'Please enter the correct password: ' +``` + +Ok, this is a good point to start. Looking a bit further, I saw a comparison. + + +![](comparison.png) + +Well, if we can debug this, the problem is solved. Not knowing much about .NET, I tried to read as much as possible, and I found something called `sos.dll` and `sosex.dll`. + +Now its time to use WinDBG. My logic is simple: try to break the result of `System.Concole.ReadLine` + + + sxe ld:clrjit + g + .load C:\gitwork\sosex\sosex.dll + !mbm System.Console.ReadLine + g + gu + step over few times until before the comparison call + !strings + +![](solution.png) + +Wait, whats that last string? it looks like a password + + metaprogrammingisherd_DD9BE1704C690FB422F1509A46ABC988 + +Yup it is + + +![](answer.png) diff --git a/flare-2015/flare7/answer.png b/flare-2015/flare7/answer.png new file mode 100644 index 0000000..2296d81 Binary files /dev/null and b/flare-2015/flare7/answer.png differ diff --git a/flare-2015/flare7/comparison.png b/flare-2015/flare7/comparison.png new file mode 100644 index 0000000..a51e1bc Binary files /dev/null and b/flare-2015/flare7/comparison.png differ diff --git a/flare-2015/flare7/solution.png b/flare-2015/flare7/solution.png new file mode 100644 index 0000000..43c7d85 Binary files /dev/null and b/flare-2015/flare7/solution.png differ diff --git a/flare-2015/flare7/yousometa.png b/flare-2015/flare7/yousometa.png new file mode 100644 index 0000000..d13d233 Binary files /dev/null and b/flare-2015/flare7/yousometa.png differ diff --git a/flare-2015/flare8/README.md b/flare-2015/flare8/README.md new file mode 100644 index 0000000..202e8a7 --- /dev/null +++ b/flare-2015/flare8/README.md @@ -0,0 +1,20 @@ +# Challenge 8 + +This is a steganography challenge. I never liked these kinds of challenges. + +The first part is easy: extracting the base64 text to get the image. I used `stegsolve` and saw that there is something strange in the top part of the image for the bit 0 of R, G and B component. I tried clicking many combinations in `stegsolve` but It didn't produce something meaningful. + +I tried looking for `"fireeye steganography"` on Google and saw some articles about embedding executable inside an image. So I tried to do things manually: + +1. I extracted several bits from R, and G, and B (the 0th bit of each component) +2. I made a guess that the content should be another EXE file, so it should start with MZ (or 01001101 01011010 in binary) +3. I tried to make an arrangement such that the bits from R, G and B forms the MZ + +The result is [steg.py](steg.py) a very slow python script (it was a very quick and dirty solution). + +Looking at the result, the first thing to try is: + + strings res.exe + Im_in_ur_p1cs@flare-on.com + +Great, no need to reverse anything diff --git a/flare-2015/flare8/input.png b/flare-2015/flare8/input.png new file mode 100644 index 0000000..ba3c0d2 Binary files /dev/null and b/flare-2015/flare8/input.png differ diff --git a/flare-2015/flare8/steg.py b/flare-2015/flare8/steg.py new file mode 100644 index 0000000..fc23097 --- /dev/null +++ b/flare-2015/flare8/steg.py @@ -0,0 +1,43 @@ +import scipy.misc +import sys + + +a = scipy.misc.imread("input.png") + +bitpos = 0 +stegmin = 2**bitpos - 1 +mask = 1<< bitpos + +res = '' +tmp = '' +endian = 0 + +perm = [0,1,2] + +for i in range(0, a.shape[0]): + for j in range(0, a.shape[1]): + for k in range(0, 3): + km = perm[k] + rgb = a[i][j][km] + #print >>sys.stderr, "got rgb ", rgb, rgb & mask + onebit = (rgb & mask)>0 + if rgb>stegmin: + if endian==1: + tmp = ("1" if onebit else "0") + tmp + else: + tmp += ("1" if onebit else "0") + else: + #print >>sys.stderr, "ignore" + if endian==1: + tmp = "0" + tmp + else: + tmp += "0" + if len(tmp)>=8: + c = tmp[:8] + c = "".join(list(reversed(c))) + #print c, chr(int(c,2)) + tmp = tmp[8:] + res += chr(int(c, 2)) + +with open("res.exe", "wb") as f: + f.write(res) diff --git a/flare-2015/flare9/README.md b/flare-2015/flare9/README.md new file mode 100644 index 0000000..b30056a --- /dev/null +++ b/flare-2015/flare9/README.md @@ -0,0 +1,31 @@ +# Challenge 9 + +This is a complicated binary that is very hard to debug manually, so I didn't try to debug it. It is also very difficul to understand using a disassembler (so I didn't really try that one either), and it is impossible to decompile. Well, actually I am just very lazy :) + +What I did: i use the itrace.dll from intel PIN to see the decision taken by the program. I looked at the last few instructions, and go back to find the branch that decides whether I pass or not. + +The interesting thing is: this program compares eax with 41 decimal (which is about the right length for @flare-on.com emails) at 00401C27. My theory is that eax will contain the number of correct characters (in correct position). I modified the trace.cpp to print EAX value at that point. First test is: + + ****************************@flare-on.com + +Which should generate 13 (the @flare-on.com should be correct), asterisk is not a valid email character. One problem: this is slow, it takes about 5.5 seconds on my laptop. + +In retrospect, I should have just patched with exitcode (like what you can see in my solution to the last challenge). + +I can brute for it the dumb way, but it will take many hours. So I did it in two steps, first, I will test which characters are used in the email address. So I tested: + + aaaaaaaaaaaaaaaaaaaaaaaaaaaa@flare-on.com + +and see how many character are correct + + bbbbbbbbbbbbbbbbbbbbbbbbbbbb@flare-on.com + +and see how many character are correct. + +and so on. If `eax` value is 13, then the character is not used. I waited about 6 seconds times 72 character (set of valid email addreses) which is around 8 minutes for this first stage. You can see [my script](stage1.py) for this. + +I found that the characters used are: + + chars = "_afhilmnorstuv13I" + +Only 17 characters, at most I will need 17*28 characters = 476 tries. With 6 seconds per try, it will take less than an hour. I could have optimized it but decided that I just run it, and within about 20 minutes, I got the answer. The code is in [stage2.py](stage2.py). diff --git a/flare-2015/flare9/itrace_flare.cpp b/flare-2015/flare9/itrace_flare.cpp new file mode 100644 index 0000000..b2cdf6d --- /dev/null +++ b/flare-2015/flare9/itrace_flare.cpp @@ -0,0 +1,111 @@ +/*BEGIN_LEGAL +Intel Open Source License + +Copyright (c) 2002-2015 Intel Corporation. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are +met: + +Redistributions of source code must retain the above copyright notice, +this list of conditions and the following disclaimer. Redistributions +in binary form must reproduce the above copyright notice, this list of +conditions and the following disclaimer in the documentation and/or +other materials provided with the distribution. Neither the name of +the Intel Corporation nor the names of its contributors may be used to +endorse or promote products derived from this software without +specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INTEL OR +ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +END_LEGAL */ +#include +#include "pin.H" + +FILE * trace; + +// This function is called before every instruction is executed +// and prints the IP +VOID printip(VOID *ip, CONTEXT *ctx) { + UINT32 x = (UINT32)ip; + if (x>0x70000000) + return; + if (x==0x0401C27) { + fprintf(trace,"%d", PIN_GetContextReg(ctx, REG_EAX)); + } +#if 0 + fprintf(trace, "B %p: eax=%08x ebx=%08x ecx=%08x edx=%08x edi=%08x esi=%08x esp=%08x ebp=%08x\n", ip, + PIN_GetContextReg(ctx, REG_EAX), + PIN_GetContextReg(ctx, REG_EBX), + PIN_GetContextReg(ctx, REG_ECX), + PIN_GetContextReg(ctx, REG_EDX), + PIN_GetContextReg(ctx, REG_EDI), + PIN_GetContextReg(ctx, REG_ESI), + PIN_GetContextReg(ctx, REG_ESP), + PIN_GetContextReg(ctx, REG_EBP) + ); +#endif +} + + +VOID printip_after(VOID *ip, CONTEXT *ctx) { + fprintf(trace, "A %p: eax=%08x\n", ip, PIN_GetContextReg(ctx, REG_EAX)); +} + +// Pin calls this function every time a new instruction is encountered +VOID Instruction(INS ins, VOID *v) +{ + // Insert a call to printip before every instruction, and pass it the IP + INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)printip, IARG_INST_PTR, IARG_CONTEXT, IARG_END); + // INS_InsertCall(ins, IPOINT_AFTER, (AFUNPTR)printip_after, IARG_INST_PTR, IARG_CONTEXT, IARG_END); +} + +// This function is called when the application exits +VOID Fini(INT32 code, VOID *v) +{ + //fprintf(trace, "#eof\n"); + fclose(trace); +} + +/* ===================================================================== */ +/* Print Help Message */ +/* ===================================================================== */ + +INT32 Usage() +{ + PIN_ERROR("This Pintool prints the IPs of every instruction executed\n" + + KNOB_BASE::StringKnobSummary() + "\n"); + return -1; +} + +/* ===================================================================== */ +/* Main */ +/* ===================================================================== */ + +int main(int argc, char * argv[]) +{ + trace = fopen("itrace.out", "w"); + + // Initialize pin + if (PIN_Init(argc, argv)) return Usage(); + + // Register Instruction to be called to instrument instructions + INS_AddInstrumentFunction(Instruction, 0); + + // Register Fini to be called when the application exits + PIN_AddFiniFunction(Fini, 0); + + // Start the program, never returns + PIN_StartProgram(); + + return 0; +} diff --git a/flare-2015/flare9/stage1.py b/flare-2015/flare9/stage1.py new file mode 100644 index 0000000..43f826a --- /dev/null +++ b/flare-2015/flare9/stage1.py @@ -0,0 +1,44 @@ +import time +current_milli_time = lambda: int(round(time.time() * 1000)) + + +#a = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +a = "IJKLMNOPQRSTUVWXYZ" +a += "abcdefghijklmnopqrstuvwxyz" +#a += a.lower() +a += "0123456789!#%&'+-/=?^_`{|}~." +print a +print len(a) +import os + +flare = '****************************@flare-on.com' + +total = 0 + +def writeres(i): + with open("res.txt", "a+") as f: + f.write(i) + +for i in a: + print "testing ", i + inx = flare.replace('*', i) + with open("inp.txt", "w") as f: + f.write(inx) + cmd = "c:\\pin-2.14-71313-msvc12-windows\\pin_bat.bat -t itrace.dll -- \\gitwork\\flare9\\you_are_very_good_at_this.exe < inp.txt" + t1 = current_milli_time() + os.system(cmd) + t2 = current_milli_time() + t = (t2-t1)/1000.0 + total += t + print t, "second" + print "total ", total, " second" + with open("itrace.out", "r") as f: + x = f.read() + x = int(x.strip()) + x -= 13 + + if x>0: + print "IN USE: ", i, x + writeres(i) + else: + print "NO: ", i diff --git a/flare-2015/flare9/stage2.py b/flare-2015/flare9/stage2.py new file mode 100644 index 0000000..86da84f --- /dev/null +++ b/flare-2015/flare9/stage2.py @@ -0,0 +1,45 @@ +import time +current_milli_time = lambda: int(round(time.time() * 1000)) + +import os + +chars = "_afhilmnorstuv13I" + +flare = '****************************@flare-on.com' + +total = 0 + +def check(inx): + global total + with open("inp.txt", "w") as f: + f.write(inx) + cmd = "c:\\pin-2.14-71313-msvc12-windows\\pin_bat.bat -t itrace.dll -- \\gitwork\\flare9\\you_are_very_good_at_this.exe < inp.txt" + t1 = current_milli_time() + os.system(cmd) + t2 = current_milli_time() + t = (t2-t1)/1000.0 + total += t + print t, "second" + print "total ", total, " second" + with open("itrace.out", "r") as f: + x = f.read() + x = int(x.strip()) + return x + + +idx = 0 +last_correct = 13 +while '*' in flare: + lflare = list(flare) + for i in chars: + lflare[idx] = i + test = "".join(lflare) + print "testing ", test + a = check(test) + print "Result ", a + if a>last_correct: + print "Good ", test + last_correct = a + flare = test + break + idx += 1