Reverse Engineering

Challenge	Link
ebin (464 pts) 🥇	Here
CK0P0 CTYXHET (497 pts)	Here
Napoleon (497 pts)	Here
Secret meringue recipe (n pts)	Here
Cloud Storage (n pts)	Here

Challenge

Link

ebin (464 pts) 🥇

Here

CK0P0 CTYXHET (497 pts)

Here

Napoleon (497 pts)

Here

Secret meringue recipe (n pts)

Here

Cloud Storage (n pts)

Here

ebin (464 pts)

Description

Hello, dear bruh. Do you know that once upon a time there were cute small Ebins walking around the planet? And with the each day passed they evolved, mastered something new... And of course... They were breeding... They were becoming more and more perfect... The Ebins developed their own languages... And even philosophy... The Ebins wrote and listened to music... And of course they danced to it... And they applauded to each other... The Ebins went so far in their brogress that they invented anime... But after... The snakes came up to something terrible...

Solution

Given PE32+ file, open it using IDA.

Look at the Strings tab, it looks like executable compiled with pyinstaller.

Using this script we can extract the pyc files and all of its dependencies.

Now, look at main.pyc which is the main code of the executable. Use pycdc to decompile the pyc to py file.

Although the pyc file has been decompiled, the code still obfuscated. Lets dive to the first obfusction

F and C function

F = type(f)
C = type(f.__code__)
...
xD = F(C(1, 0, 0, 1, 6, 3, b'd\x01\x89\x00d\x02\xa0\x00\x87\x00\x87\x01f\x02d\x03d\x04\x84\x08t\x01t\x02\x88\x01\x83\x01\x83\x01D\x00\x83\x01\xa1\x01S\x00', (None, 0x2D362C9293C223BBL, '', C(1, 0, 0, 2, 10, 19, b'g\x00|\x00]&}\x01t\x00\x88\x01|\x01\x19\x00d\x00\x18\x00\x88\x00d\x01|\x01t\x01\x88\x00\xa0\x02\xa1\x00d\x02\x1b\x00\x83\x01\x16\x00d\x03\x14\x00>\x00@\x00|\x01t\x01\x88\x00\xa0\x02\xa1\x00d\x02\x1b\x00\x83\x01\x16\x00d\x03\x14\x00?\x00A\x00\x83\x01\x91\x02q\x02S\x00', (1, 255, 8, 8), ('chr', 'ceil', 'bit_length'), ('.0', 'i'), '0', '0', 11, b'', ('magic', 'self'), ()), 'str.<locals>.<listcomp>'), ('join', 'range', 'len'), ('self',), '0', '0', 4, b'\x00\x01\x04\x01', (), ('magic', 'self')), globals())
...

Actually the decompiler is not purely decompile the pyc file, there are some wrong code in the decompiled version. To defeat this, we can actually debug the python in "executable". To do that, i use pyinjector. So the idea is using pyinjector to dump the opcode then manually convert it back to python code.

run the executable (ebin.exe)
put code.py in the same directory with the executable (ebin.exe)
open process hacker
- find ebin.exe -> right click -> miscellaneous -> Inject DLL
- Choose PyInjector_x64.dll

code.py

import dis

dis.dis(xD)

For the xD function, it looks like string obfuscation and not related to input validation. So for the xD we can defeat it by running the xD function for all obfuscated strings. I use regex and sublime to get all the argument for xD function.

xD\((.*?)\)

code.py

import dis

print(xD(b'\xe9c\x92\xe9'))
print(xD(b'\xc7'))
print(xD(b'\xdaK\xa6'))
print(xD(b'\xd8K\xb7\xe8\xffJ'))
print(xD(b'\xda[\xb7\xf7\xfe_SI\xca'))
print(xD(b'\xda[\xb7\xf7\xf4_EM\xc3'))
print(xD(b'\xc9T\xa4\xe2\xf7J'))
print(xD(b'\xd0M\x9e\xf2\xecYT_'))
print(xD(b'\xcaC\xad\xf5\xf8'))
print(xD(b'\xd8G\xad'))
print(xD(b'\xd3N\xb7'))
print(xD(b'\xdeR\xae\xff\xceOPZ\xdfQ'))
print(xD(b'\xd8K\xb7\xe8\xffJ'))
print(xD(b'\xda[\xb7\xf7\xfe_SI\xca'))
print(xD(b'\xda[\xb7\xf7\xf4_EM\xc3'))
print(xD(b'\xc9T\xae\xf8\xe1D'))
print(xD(b'\xd0M\x9e\xf2\xecYT_'))
print(xD(b'\xcaC\xad\xf5\xf8'))
print(xD(b'\xd8G\xad'))
print(xD(b'\xd3N\xb7'))
print(xD(b'\xdeR\xae\xff\xceOPZ\xdfQ'))
print(xD(b'\xd9X\xbc\xe4\xf8`'))
print(xD(b'\xcdK\xad\xf8\xffA'))
print(xD(b'\xd1G\xb1\xfe\xf8A\x06 '))
print(xD(b'\xeeK\xb1\xe8\xe8N[~\xcaM\xb7\xf7\xf2Y'))
print(xD(b'\xdaR\xae\xe8\xfbJE'))
print(xD(b'\xdaR\xae\xe8\xfbJE'))

Now, replace all obfuscated strings with deobfuscated string.

# Source Generated with Decompyle++
# File: main.pyc (Python 3.10)

Warning: Stack history is not empty!
Warning: block stack is not empty!
import ctypes
import os
from math import ceil

def f():
    pass

F = type(f)
C = type(f.__code__)

class EbinException(Exception):
    pass

no_clean_pops = []
gondola = [
    166,
    495,
    403]
ebor = b'\xe9\x9a\x00\x00\x00\xe3q\x98\x9e\tt\x89\xe6\xbe\xce\x89R\x1egb\n\na\xaa\x0c\xe1\xe2\x10\xa1\x02\xba2\xc7[\xd9W\xbcqk\x82\xf8\xda\xdb\x01\xed\x1f\xc6\xb3\xd3W\xf8\xab.\x94\xe7,)\x89\xfb\xe8\x9dA\xb7\x926c\xb3\xc5\xd5\x83\xfd#\xef\xc4\x92\x18 p\xee:\xe9\xb9\xc1x\xc3\xce\xb9\xcah}\xf5\xe3\xb8\xee\xe9-\xaf\xe0I#\x1e\x9c\x95 M\xe7h\xa5\xbb\x99*\xc9\xc3\x939\xd6\xa5\x1d\xdeT\xfd\xdcl\xfam\x04\xc4i\x96\xca?\xa0\n}\r\xa38\x98\xe5\xf9 \x8b\xc5\x1b\x15\x08\x88\xb2\x1bE\x91\xc2\x1d\xa5\xbe<\xd0\x8b\x97\x89T$\x10H\x89L$\x08UWH\x81\xecH\x01\x00\x00H\x8b\xecH\x8b\x85`\x01\x00\x00H\x83\xc0#H\x89E\x08\xb8\x01\x00\x00\x00Hk\xc0\x16H\x8b\x8d`\x01\x00\x00\x0f\xbe\x04\x01\xc1\xe0\x08H\x98H\x8b\x8d`\x01\x00\x00H\x8dD\x01\x19\xb9\x01\x00\x00\x00Hk\xc9\x15H\x8b\x95`\x01\x00\x00H\x0f\xbe\x0c\nH\x03\xc1H\x89E(\xc7ED\x00\x00\x00\x00\xeb\x08\x8bED\xff\xc0\x89EDHcEDH\x8bM\x08\x0f\xbe\x04\x01\x85\xc0t\x02\xeb\xe6\xc7Ed\x00\x00\x00\x00\xeb\x08\x8bEd\xff\xc0\x89Ed\x8b\x85h\x01\x00\x009Ed}>HcEdH\x89\x858\x01\x00\x00\x8bEd\x99\xf7}D\x8b\xc2H\x98H\x8bM\x08\x0f\xbe\x04\x01H\x8bM(H\x8b\x958\x01\x00\x00\x0f\xbe\x0c\x113\xc8\x8b\xc1HcMdH\x8bU(\x88\x04\n\xeb\xafH\x8d\xa5H\x01\x00\x00_]\xc3\xcc\xcc\xcc\xcc\xf5\xc5\xbf\xdb\xb0I\xf8\xaa\xb0\xd2 |-\x9e\x8b\x99\xb7\xee\x10\xe5\xcf;\xb0\x8f\xa2B\xf0\xfd\xd9\x10*0\xf6\x10\x99t\xb1\x83&_Wx\xd7\xcdr\'H\x0c\xc3\xf8\x98Z\xfa\xd1E\xbdnJ\xce\xc4\tC\xa8\xafo\xc7\xd2\xe2\xc7\x18\xfb\x8dt\xbae\xfd\n\xb67;$@\xb0%\x8e\x02{\x94\x98"1\xa1\x80\xc9\x1aC|\xd2\x82\xb4:\xe4\xe2L\xf3\xe0\xc3\xf6\xaa\xa2*\xad}\x9f;\x8a\xc1\xd0\xa9\xfcq\x02U\xb5\x97\x18\x9d\xa79\xc0\x17\xb0\xa4\x11^\xec[d\x13\xf86\xe5\xd0\x96{1\xbf\x83\x0b\x80\xcd\xcb\xe0\xbb\x8b=\xa4Y\x9c\xab\xb8\xb5p\xf8\x1d\xc3oo\xf5*\x9c\xbf\xd0"\xe1J\xba\xdehn\xb1\xf5D\xec_90\xbds&y\x00\xdbK\xe3Mw\x7f[:\x9a\x9f\xe6I\x13\x88*\x98\xeb\xdd\x1e\xa2]\xd6\x07q\xff\x9d\xd9\x1c\xf8\xc5\xf9Gs\xc9\x92\x88\x82\xe9]\xe6+d&p\xf4\xf3\xd6\xf3\xf8\x07\x89?>\x9a-\xa4\x13\xb7l\xd0\xa3\x98\xeaQ\x9b\x07\\\xcepo\x94\x07\xceF\x10\xa9\xb2\x89\xdcD:-I\xd4v>l\xffr\xd4\xa6\x98N\x94.D\x84\xcd\xbaI\xbc c8\xe9\xab\x18\xab\x17rg\xc5\x0fc\xcb\x9d\xe8s\xa9\xb3\xddd\x92\xbb%\x94\xdc\x19\xb3\xed\n\x82\x00\xb4J\xc3x\xe5\xb78)\xc7\x9d\x7f\xe0h\x95\x14:\x0c\x1d\xd7\xd4\xf3?V\x0e\'=\xfc\xfa2\x85\x95\xcf\xdc;\xd4\xcb\xc8\xc3\xfb\x1a\tE\x94x\x9aC@\x1d\x92\xe7\xbc\xabd!\xe98?\x04\x15\xba\x00\x14\x1f\x0f\xf9\xbb\xc0\x87\xd3FV\xd1\x8cMC\xbb\xbe\xbd\x9f}\x05\x8b\x9b\x9c=/\xee\xb6\x12\x07iL\xb8\x05\tp\x8d\xae\x97\xfcgb\xeae\xde\xa2>\x8a\x13\xc0\xf7\'\xa4\xce&\xb9\x88\xcf(.\xbbO\xdc\xae\xb27T9Y\r\x02\xec\xec\x91\xc0Z\xea\xe4{\xf9\xc6|\xe1\xd3>C\xef\n;\xd77\x0e\x9bJ?\x96\xc0\xec\xc6\xa7W\x87\x86\xda\xfd\xcf\x8c\xe3\xdc\xb3HU\x1c\x1cO\xa5~/\xad\x8c}\xc14\x96\x0e\x1c.q\xd3\x1d4\xc6\x9c\x94\xe6P\x12$\xc5\x9eL)\x82\x14\xebG72\xb6D\xe9\x1dj\xe1\xf9b\xaf;\xff\xf8\x84\x91\xa5\xbc\xb7\xce\x8erh\x1a\xa6\x03\x9de#\xdb\xa3\x9am\xe4O/\xc1V8\xfeK\xc9:\xf6\x0e#\x90\x90\xbf\x82\xc7\xc4]\x0f\x1f\x92\x03\xf4^\xd0\xa98\x98\xdd\xcb\xea\xa9B\xa7\xcd\xca\xee\xdf\xf9\xff\x9c\x87_H\xcfc \xf6\xaer\xc1l\x0b\x06\xc7\x11nL\xf7'
xD = F(C(1, 0, 0, 1, 6, 3, b'd\x01\x89\x00d\x02\xa0\x00\x87\x00\x87\x01f\x02d\x03d\x04\x84\x08t\x01t\x02\x88\x01\x83\x01\x83\x01D\x00\x83\x01\xa1\x01S\x00', (None, 0x2D362C9293C223BBL, '', C(1, 0, 0, 2, 10, 19, b'g\x00|\x00]&}\x01t\x00\x88\x01|\x01\x19\x00d\x00\x18\x00\x88\x00d\x01|\x01t\x01\x88\x00\xa0\x02\xa1\x00d\x02\x1b\x00\x83\x01\x16\x00d\x03\x14\x00>\x00@\x00|\x01t\x01\x88\x00\xa0\x02\xa1\x00d\x02\x1b\x00\x83\x01\x16\x00d\x03\x14\x00?\x00A\x00\x83\x01\x91\x02q\x02S\x00', (1, 255, 8, 8), ('chr', 'ceil', 'bit_length'), ('.0', 'i'), '0', '0', 11, b'', ('magic', 'self'), ()), 'str.<locals>.<listcomp>'), ('join', 'range', 'len'), ('self',), '0', '0', 4, b'\x00\x01\x04\x01', (), ('magic', 'self')), globals())
aggept = F(C(1, 0, 0, 1, 3, 67, b't\x00|\x00\x83\x01d\x01k\x02o\x13|\x00d\x00d\x02\x85\x02\x19\x00d\x03k\x02o\x13|\x00d\x04\x19\x00d\x05k\x02S\x00', (None, 29, 4, 'SAS{', -1, '}'), ('len',), ('a',), '0', '0', 9, b'\x00\x01', (), ()), globals())
ebonatti = b'\x8b!r\xe8\xde\xecz\xbf\x02\xa3Bw\xae\x94\xe2\xddR.\xb2\xb2\xe9w\x00\x00\x00fnk~\xb7U\x9bh\x8bDHb\xc8t*\x80J\x90\x00\xcaF\xacYO\xfa\xfc\xc5>\xe3\xf6X\xef\xad\xc5|\x04\xd5\x94l\xd0o\x1fr\xdb\xa8+\xcc\x83\xff\xaaV\x12\xaf\xd55\x86\xbfkm\xd8\xce\xf3\xf2xL1\xd3\xfea\xfb\x08\x92\xe6\x8c\xf4\x94\xd8\tb\xfb\x13}\xdf\xf8\xfc\xedQ\\4n\xc1\x86\xfc\x0f\x11\xee\x9e\xca<\x1c\xa2c\x9e3\xdeI\x11!\x99b\xb2=k\x9a\x88B\xe3j\xd5\x00\xeb\x84P"\xd5\x1d\xd8\xc9\x8e\x80u*\x80\x02\x1b\xa4\xa5\x8dp+\x80J\x90\x8f\'\xecv*\x80JW\r&\xc8t*\x80\x8d\xd5,b\xc8t*kB\x1b\r\x067\xb4\xa3\xc5.\x135\x06\xd1\tu\x0b\x0f\x94\xc1\'\x8c\xffo\xa4\xc3\xd5L\xe9\x8d0\xa1\xcdn\x93\x80\xe9\t\xfdo\xa4\xc1\xd5,\xfbK\x96-\x83\x88\x13\xa8e\xe3\xb6b\x18\x02\x1b\xc5\x02\xc9t*\x8f\xf4\x94IQ\x8dP\xa3\x05~\x91HbC1N\x19\xc9rOa\n\xf7\xca\x87aR\x00\xfa\x80\xff\xa7\xe0K\x90H\xe9]@+\x80J\x18\\c#\xe7b\r\xef\xd8Ib\xc8+wC\t\xb6}f\xdd\x8bH\x89\x8f%\xc1\xea\xf3\xd2\xb6\xe1}!`\x14\x86Fx\xe0\xe3<Y\xb47\xf7\xe8\xaa\xd42\x86\xa1`\xdcm\xec\x19\xdf\xef\x179^pe\xc0\xe2Oh\xe1/\xbc\xea\xb7\x9b\xeb.I~2\x10\xc3!5\xc0\x13G%\xba\xe0\xfd\x1e\xe5\xe6\xfe-\xed~p\xe5\x9f\xd5\xdf\xd9e\xaba\xec\xc2\xd2B\xaaQ\x15\x8b\x98\xee<\x07*\xea\xec5F\'\xb4\xa1S\x1c\xc7\t?\xf0K\xbf\x12\xd4Zq\xa3\t\x1e\x92\xd4\xbe\xc9\x0b\x87v\x86@J\x1an\xdaV\x19 w\xe1tZ\x90T4 (Qf\x9f.\xfdH\x0f\xe64\x80Su\xe5sC.C\x84\t-\xe9\x94\xa0\xce\xa0xcZ:\xa9\x96\x04\xfc\xd4\x19{\x16WQ\xc267:J\xcfX\t\xbd\x87\x94\xe1k\x020|S@\xb1x\rE\x9e\x9b\x03\x97\xd5\xf8\x90\xd8;\x9a\xd0\x82)G*t\x89\x98\xee\xb4#\xc3\xfa\x9b\xc7N\xa4\xb5=\xcau\xc7-\xa1\xd7\x19\xfd\xa1uL\x02$\xb3\xdc}\x83Da\xf7\xb1S*\xb3?1\x1f\x95?\xa2\xeaK\xe4{\x0f"j\xdb\xf0\x88\x97\xd1S\xe6A5<\n\xa5C\x984!U\xc5\x82\xc5\xd0:r\xd3\x80ur+\xe1U\xb4\xe2\x1d\xc5UA&\x0f\xc9:[\x8f\xee\x04\x00\x9a>)\x86\xe8\x94\xc91\x96\xdb\x87\xbd\xe8Un\xd2\xe1P\xaf\xd6\xac\x10\xbd\x9e\x98\xb0*z\xa4\xbfB7!@1X\xe7\xd6\xce\xd1\x9e\x05v\xfd\x8dWy\x9b(?^w:-\xa0,Ep\xa80\t\xd5\x08\x98rb\xa7O\xa0\xab/\xff\xfe\x9eu\xb24O\xb3\x06=\xdc\xb1K\xf8}\xa8e\x12.>\xe9_:q4z\x0f\xaee\xac&D\xa1\xed\xf1W\x1d\xe9\xab\x86\xc4u\x90\xe2~\xd3%A\xc4\xdb\x06]\xe6\xcec\xb4\xdex\xa3#\x81\xe8t\x99\xb8A\xa0\xfb:\xa6u2\x1e\xab\x8c\x98f\x04P\x9e)\x9c\x8a\xae\xee\xdd\x0f\xcc6\xe9n\x1eeB^e\xc5O\xc6_\x10o\xf6/I\x98R\xae7S\xf2\xf4w=p\xa0\xe8\x84#RK\xb8V]\xf5U\xc5\x95\x8b\xd5VP\xf9\xe1\xef\xde\xc0{\xee\xd3\x85\x9a\n*\xc7\x8c\x1d\x1a\xf8\xce\xa2\xcc\xe1?\x90\x7fmt\xfe\xf8\x91t\x18\x13\xbd\x1d\x0eJ\x99^\xdb\r\x88\x81\x04\xdesk\xf3\xe8\xfdAL\xeas\x13I\xee\xe3)3V`=\x9c\xfd\x81\x96D\n\x81\xe1LZgv\x1fSgH\xaei\xdbf\xb9p\x0c\xa4\xd0\x83e\x9a\xf8\xa0\x04C\xa4\xdc\xa8\x11\x0c\xe3"3\x8d.ArF\xda3c-|\xf9\xda\x96\xa4\xf0\x9e\xe7G\xa7\xb8>|\xea\x7f5\xb3\xfb\x81t\x945\xf6d8\x88\xd0\x06y\x08\xf0\xc5\xd9\x04(L\xe7\x91XL\x8cK\x8e\x03\xb0\x13\xef\xf0g\xe5\xf9\x1d\xa2.\x8b\xc3n2(\'\x94.\xcf\n\x94R7O\x9f\x19:\xda\x96\x94\x86\\\xa3\xea'
eberse_drift = F(C(1, 0, 0, 3, 6, 67, b't\x00|\x00j\x01\xa0\x02d\x01d\x02\xa1\x02\x83\x01}\x01t\x03t\x04|\x01\x83\x01\x83\x01D\x00]\x0e}\x02|\x01|\x02\x05\x00\x19\x00|\x01|\x02\x19\x00d\x03?\x007\x00\x03\x00<\x00q\x0ft\x05j\x06|\x01d\x04d\x05\x8d\x02|\x00_\x01d\x00S\x00', (None, 8, 'big', 5, 'little', ('byteorder',)), ('bytearray', 'sparde', 'to_bytes', 'range', 'len', 'int', 'from_bytes'), ('a', 'b', 'i'), '0', '0', 17, b'\x00\x01\x12\x01\x10\x01\x1a\x01', (), ()), globals())
dibide = F(C(1, 0, 0, 3, 5, 67, b't\x00|\x00j\x01\xa0\x02d\x01d\x02\xa1\x02\x83\x01}\x01t\x03t\x04|\x01\x83\x01\x83\x01D\x00]\n}\x02|\x01|\x02\x05\x00\x19\x00d\x03\x1c\x00\x03\x00<\x00q\x0ft\x05j\x06|\x01d\x02d\x04\x8d\x02|\x00_\x01d\x00S\x00', (None, 8, 'little', 2, ('byteorder',)), ('bytearray', 'spodro', 'to_bytes', 'range', 'len', 'int', 'from_bytes'), ('a', 'b', 'i'), '0', '0', 24, b'\x00\x01\x12\x01\x10\x01\x12\x01', (), ()), globals())
eggbond = b'\xa3\x98\xe7\xe9%\xd6\xad0`\xc0\x84\xcfp \x06\xe0\x10F\xbbE\xe9^\x00\x00\x00vJ\xc0\xe3\xb4\x7f\x9c\x91\xa1\x12\x91\x99\xbd\x0e\x95\x0e\x7f\xc8h\xd6\x93\r\xe8k\xc1 \x00\xeav\xb0\xc5\xd0$\x9b-\xe8\t\x1c\x89\xde\xd7(\x02\x8d1\xb8\x1en$\xfa.tU\xe5j\xd2H\x01\xdbB\x88?\xbc"\xed\xb6\x9d\xf02]u\x9a\xb1\x8a\xae^\xe8\xa4\xad\x05\n}\x05\\\xc6\xdb\xa8\x96\x9b\xcc\x05\xa9W\xd3\xd9\x10\xe9*\x85F\xf6\x84L\xde\xc6Z\xa0\xea-H\x90\x99\xbdF\x1e\xe2\xb8\x8dl\xd6\x93\r\xe8\xac\x84\x04\x91\x99\xbd\x0eRK;\xc8h\xd6\x93\xca\xad\x0f\xc1 \x91\x99\x05\n\x95\x0e\x7f\x80\x03\x16\x93Ec\xe6I!\x91\x99z\n\x94m.)\xdf\x11\xd6I\xe9k\xc1 z\x916K\xd1\xf1\xbfA-\x92\x10p\xacq\xb2\x05\x1a\xdc\xf9\xf1]\x85\xbf\x80\xe3[\x1b\x0c\xe8kJ$\x10\x9c\x04w\xa2\x90\xf4\x85,\x9e\x18\x98`j\xc1 \x18\x9d7\xe5X\xc9:\xach\xd6\x93\rc.\xa5\xa9\xd4\xddz\x8b\x11\x0e\x7f\xc8&\xd6\x93\rc\xeeE \x91\x994\x8b\xc1\x0f\x7f\xc8\xe3S\x17\r\xe8k>\xe8\x18\x1c9\x0e\x95\x0e\xfcu<\xd7\x93\r\xe8\x15\xcd\xe7\x14\xc1\xbc\x0e\x95\x0f\x7f\xc8h=\x99\xcam3\xc0 \x91\x99\xbd\x0e\x95\x8d\xc2\x90i\xd6\x93\r\xe7\xef\xc2!\x91\x996K\xd1F\xf4E\xe0\xd7\x93\rco@#\xd4\x9d\xbeK\xb1\xcf\x9f\xcb\xe3\x9b\xd7Ec\xfeI!\x91\x996\x02\x1f\r2\xcck\x9b\xb7\xcc\x01v\xca\xe1\x18\x1c\xe9\x0f\x95\x0e\xf4\x8d,\x9e\x18\x80`j\xc1 \x1a\x0c\xe9\x0f\x95\x0e\xf6\xdc\xe9]\x16Y\xe9k\xc1\xa9\xd4\x9d6K\xf1F\xf4E\xe8\xd7\x93\rco@#\xd4\x9d\xbeK\xb1\x852\xec\xe3\x83\x97\x0e9\xe0\x0b\xa3p\x86n\xee\x1eC\x1b\x80\xe3C\x13\x0c\xe8kJ,\x1b\x9a\xf0\n\x96C[A\xe5\x82\x92\r\xe8\xe0\x94\x04\xd5\x12\xf8\n\xd1\r\xbd\x89\xe3\x06\x10\xef\xf7*y\x00\x91\x99\xbdJ\xbe\xcc>C\xb8\xd9%\xc7c\xfe\x95!\x91\x99n\xe4\x1e\xc4t\t\xe1S\xcb\x0c\xe8kJe\xf5\xd16\x83\x15\x0f\x7f\xc8\xe3C\xcb\x0c\xe8kH4\x10\x128V\x94\x0e\x7fA-\xf2\x18H\xac\x94\x01\x13C \xa7\x0e\x95\x0e\x889\xe3\x14\x1aH\xac\xe0\x84DnY\x8e\xdc,\n\x7f\xc8h!b\x86*\xe2\x84Dx.C\xf1jF\xf2m\x00\xd7\x93\r\xb76\x02\xd0\xe7I!\xcb\x00\x01\xe9\xba5\x08e\xbc%-\xdf\xe1\xb9\x08f\xcc\x8a\x9f\xc9\xf4\xdd\x8aJb\xd9\xbb\x97\xe3\xba\xfez\xb7i\xa1\xae3\x0f\xe2\x1a\xf3eb#\xa0\x15\x95\x16\x8aw\x9f<\xbeJ\xadl\xcd\x18\xbcX\x00\xb0<M{DD8\x18\xdd2?X\xdd\xf4\xa9\x94#\xe2N\xa4[\xaf\x97\xb0\x83\n=\xf8\xdf+\xee\xb6)\xfbr\x99\xc1\xb36\x0b\x0b\rS\xab\xf5A\xb0\xb2\x90(\xcc\x81Q\x05z\xf9Z\xfc\xae\xf0P7\xf61\xbc\xd7\x8d\xfbQ\x06,\x85c\xcfK]4#\x87\xf7)t\xc9\x93I\xc5\xe9\xdc\x8fF\xd6dMm\x9f\x99\x99\xd7\xa7|\x7f\xe5A\x10g\x9e\xbb)\xf90{\x17\xc34{c\xe03\xfa\xfd\xb12\x97\\\xa1\xc8\xba\xf5#:\xd0\x91J\xd4\xc56)\r\x00\xa4JpGK\x7f\x85m\xf5\x10\xa5\xf6\xa3\xe4D\xf9\xeda\xf0K\xe1\x1bY\xb9oN\x1c)\xff\xdc?\x8a\xb1p\xfflBJ\xe2cwN\x94~\xf8x\xcf\xe1lm\xbfC\xb0\x9f\xcc\x99Fbpw\xad\x16\n\x1cl\x8c\xd3s\x05\x0e@Ts\xbam\x1cV\x1f"\xba\xeb\xa4\xed\xd0\x88E\xd0\xe7:\xde\xd1\xa8;\xaf\xb6\xf8\x06y\xdd\xcb*\xf7\xfd\x06ih4h\xae+O>5\xaf\x07\xc9\x87\xc7\x91\xa8pt\xf32w\xdb\xd8q\xfb2\xa0ky\x85\xc0Y\xd2\x16uC\x04l\x84\x881\xefz\x02\xa5\xda\x87A\xe5$\xb7\xf6\xb13\x02\xdd|\xe21\x9d\x8d\xe9\x85\xd3\xf7\xc1\x00\xf47\xc2E?\x01\xdb\xee\xfc\xe8\x89\xa1\xaa\xd1\x84\xd8<\x9cBV\xc0\xce\xc4,X\x13p\xc0u\xba\xc2\xf9\xab\x80\xd2'
ergipt = b'x\x81\x19\xd8\x17z\x82\xe8\x95\xfd\xef;\xdd\xb0\xb1\x9e(\xee\x8f\t\xe9=\x01\x00\x00\xdb\xf7\x18\x86\xb3\x91*S\x81\x04\x7f\xa8\x9a\xc7&\x9dN\x8e\x00\xda\xcd\xed\xd2gb\x82\x8a>\xba\x9bJ\xa57\x08,$[\xaa\xd6}\xa7^\x16\xfc`\xbd\xcc-\xce\x0b\xa3\x13d%*\xcf\x8d\x1f\x01z\xeb^\xd6I\xa9\xd6\xaa\xf0\xaf\n@\x00\x80\x92\rk\xa0\xb7\x92\x06\xc6\x1e-N\xde\x11\xf0\x0c/H\xd4\xc5\xcb}R\x01\x8bH\xba\xef\xd0B\x11\xea\xc4\x87J\xc4+g\xe3Ul\xcc\x13\x03\x1b\x0b\xf2!V\x8c?\xb7\x0b\xd7UMjU\xa8\x86b\xac\xf1\x10ubZ\x06B4v\xd0\xfdZ1\xf5\x04;\x07#v\xe6@\xd7O\x0b\x93j\x1eX\x92\x84?\x83D\x99\x18\x89\r6\xd5\xee\x8c\xba\nF\xb1\xb3Q\xfc\x85Q\x1ed\x08h\x86_\x04\xf8\x94\x18\x94?\xee]\x08h\xc8`\xa9\x05\xc6&\xce\x18\t#G\x84COV\xe8\xb6\xc8_\x94\xb3\xd5&uQ`[*\xe1\x9a\xe4\x86\x99f]\x98\xdd2\xaa0/\x15)\xfd\x8aY9&\x93P8\xfa\x96\xa87\x0f\x97\x8fb\xdf\xe5_%\x0b\xb5\xccA\xbe\xc6\x1dM\xcb\xd5\xb1\xd4Ed\xbfa\xa21\xbc2\xdf&\xa7\x1a\x1c1y\x1b\x07\xb2\xd6|\xd6\xc2\xe9\x02\xa5\xa3_\xbd@\x90+\x96\xefe\xe0\xc5a\x80\x9b\x0e\x8b^7!\xce\xe36\xd5\xc7\xc2[\xa0\xcf\x90n\x1c\xa2\xc6~\xa8\x9a\x8f\xadq\x89\xcb{\xa8\x9a\xc7&vG\x05:\xac\x19\x07$\x14\x0b\x8a\xfc\xd5\x9e\xc3)\x1e\x19\x8f\x7f\xa8\x11\x82"\xd5\xc5\x03\x17\xa9\x9a\xc7\xad\x99\xcf\x07:\x8c\x11\x82"b\x8e\x05\xbf\xe0\x11JN\x9cN\x8e\xf4\xac\x1bNc\xd9\xf6\x8a\x7f\xa8\x9a\x8fM]N\xc6\xf4%\xfa\xc6&\x9d\xc5\x8a~#\xd7\xe3%U\xc5O\xf6\xed\xbe\x7f"\x9dN\x8e7\xc3Z\xc6n\x16\xc3\xee~\xa8\x9aL"\x9c\xc5\xc3;\xabRL\xe7\x14\x0b\xca\xb8\xed\xfe\xc7&\x9dNew#\xdf\xa3\xd9]\xc7\xcb\x1b+\xe7\xa3*\x92\xc3;\x7f\xa8\x9aLc\xd9\xc5\xc3[\x9bRL\xe7\x16\x03\xca\xfcI\x85\x14\xc6\x16\x03\xca\xf4\xfd\xbe\xf4\xf7\x16\x84\x07\xf2\x9c\x9b\xc7&\x16\x1b\xca\xfcJ\x85\x86\x9e\xbdN\x8e\x7f\xec\xb1\x05g\x16\x9e\x81\xc9b\x11R\x12\x9cN\x8e\xacB\x11\r-\\\xc5\xc3{\xabSL\xef\xd5\xc5\x1b\x1f\xa9\x9a\xc7%\x99\xc4\x07:\x8c\x11\x82\x02\x16\x03\xcaL`\x11\x06\xad\xd0j\r\x9e\xb7I\'\xad\xd0j\x05*\xec\xa9\x16\xadW\xc7\x03K\xa9\x9a\xc7\xad\xc8j\r\x9d\xb7\xdb\x7f\x06\x9dN\x8e;\x83X\x86\xadMA8\xb5#\x0f\xf3\'\x9dN]\x95#P\xcc\xe7\x16\x03\x8a\xf2\xe4\x93\xc6\xadT\x06\x05\xea\xc8\x9b\xc7&\x9eJ\x04\xf6\xed\xde.\x1fb\xb1q\xf4\xed\x9e\x8f\xad\x10&\x8f\x7f\xa8\x11\x92\x02\x14Z\x0f\xf4\xed\x9e8\xe6\x16\x8e\xc6\xf4%\xf2\xc6&\x9d\xc5\xdb;!\x8eF\xcf\x0b\xb0q\x80\xe0\x17bn\x9cN\x8e \xf5Y\xb30(\xeeoc\xbb\xbbU\x01MO\x83\x93\xba\x81\xe5\x11.\xf6pc\xf7\xcf\xd6\xddI\x89\xf4\xeb\xb6\xb65\xa6\x12s\xeb\xe1+yv\x1c\xcc\xcc\xcb\xfa\xfd\x9c\xf9\xdbl\xdd\x08f\xc4X\x90\xe7\x83\x0e\r\x89\xb7\x88 \xbe\r\xeb\x0f\xaa\x97\x17\xa299>A\xc1\xb8\xa7\xea\xef\x1dj\xc1\xf7\xc2[,\xf3fh\xc0\xca#[\xae\x12[\r\xf7\xab\x8d\xbcV\x1fg\x13\x85\x0c\'\x08|\xb4\xdfj\xd4\xd9\xb5d\xaa\xec\xfd\x16\xf4\xe6Xm\xa8\xd3))\x1f\x8a((d\xd6\x9fW\xd9t\x05R\x7f\xe7\xad\xc8\xae\xd5\xc7\x0fC\x02\xcb\x03|\xdcP\x9b\xcd\x8e\xd1sa\x89\'\x97[\x00\x0fM\xf0\xcfn\xbfG\x1b\x19k\xc9\xa7W\xf6\xfa\x9c\xa6\xf2Y\xe1#wm.\xfb\x12"\xbf\xc4\x831\x80k:\x87\xcb\xbd\x94<l\x19\x084\xc8Js\xc8\xe9\x85>\x1c\xfeZ\x06 \xd2\x8a\x91\x19\x14\xa6>\xbdb\xd9^\xcc\xc6B[\x0f\x00\x84\x99\xa3\xdd1\xdf\x0b\x97\xb8\xfe\xdd\xe2\xac\xe4k\xc7\xd4\xaef`\xb7x\x06\x14\xac"\xe4+\x1e\x14\x10]\xa6\xe5\t\xa2\t'

def spawn(c, args):
Unsupported argument found for LIST_EXTEND
Unsupported opcode: LIST_TO_TUPLE
    buf = ctypes.c_buffer(c)
    no_clean_pops.append(buf)
    addr = ctypes.addressof(buf)
    olt = ctypes.c_ulong()
    eval('ctypes').__dict__['windll']['kernel32']['VirtualProtect'](buf, len(c), 64, ctypes.byref(olt))
    if 'brother' in globals():
        globals()['brother'](addr, gondola[len(no_clean_pops) - 2])
        addr += 20
# WARNING: Decompyle incomplete

brother = spawn(ebor, (ctypes.c_int64, ctypes.c_int))

def Ebin():
    '''Ebin'''
    _fields_ = [
        ('spurdo', ctypes.c_int64),
        ('spodro', ctypes.c_int64),
        ('sparde', ctypes.c_int64)]

Unsupported Node type: 26
Ebin = <NODE:26>(Ebin, 'Ebin', ctypes.Structure)

def show_wisdom():
Unsupported opcode: WITH_EXCEPT_START
    with open('gondola.jpg', 'wb') as f:
        f.write(b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00\xff\xdb\x00C\x00\x05\x03\x04\x04\x04\x03\x05\x04\x04\x04\x05\x05\x05\x06\x07\x0c\x08\x07\x07\x07\x07\x0f\x0b\x0b\t\x0c\x11\x0f\x12\x12\x11\x0f\x11\x11\x13\x16\x1c\x17\x13\x14\x1a\x15\x11\x11\x18!\x18\x1a\x1d\x1d\x1f\x1f\x1f\x13\x17"$"\x1e$\x1c\x1e\x1f\x1e\xff\xdb\x00C\x01\x05\x05\x05\x07\x06\x07\x0e\x08\x08\x0e\x1e\x14\x11\x14\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\x1e\xff\xc2\x00\x11\x08\x01\xc2\x03 \x03\x01"\x00\x02\x11\x01\x03\x11\x01\xff\xc4\x00\x1c\x00\x01\x00\x02\x03\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x07\x04\x06\x08\x03\x02\x01\xff\xc4\x00\x19\x01\x01\x00\x03\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x03\x04\x01\x05\xff\xda\x00\x0c\x03\x01\x00\x02\x10\x03\x10\x00\x00\x01\xb9@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0cc%Xj1\x95\xd1\xa2\xd4>|\xee\xc5\x89\r\xea\xec\xdf\xc7\x87\xe4\'-\x91\x13%\x0b3\xe7\xb5\'V\xe6\xd1\xcc\xdb\xe5\xb9\xed\xd18\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xe7\xce6\xddC]\x99P~\x9a\xb4-\xdag\xeb\x9b\x1a3\xf8\xf9\xf5Wpp\xfd\xd3b\xee\xcfb\xb5\x9d\x9a\xbb\x91\xd2.v\xc3\xb0y\x8e\xf7\xd7\x87e\x12\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05[\xa4gcQ\xa7\x16:o\x1e\xab\x99\x111\x12\x8c\xef\x86\x9f\xf9m\x16\x1f\xaf\x96\xc3\x92\xdd\'\xc3q\xc2\x9cp\xb2\xb11{l\xab\xe3\xee6|\xe5\xe3c\xddGF\r\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00(h\x9d\x8d\x9a\xddgx\xde5\x9f=5F\xf8\xd9\x1b\xe5\x01\xb7~6h\xc5\x8f\x98\xd2\xa3\x1f\xc9\xad\x7f+\x04vH\x9c\x14P\xd3%\x96\xc5I\xc4t\x8e\x9c\x99\x82\xca\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00)]BG\xd2\x8d1^\xf9\xca\xafy\xfa#/7\xa3\xaf?\xbf\xd7\x00\x00\x04M\xd1V\xc3_\x9b\xa7^~\x97\xe6\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1aV\xe1\xce\\\xef\x84\xa9\x8f\xd0\x0et\x00\x00\x00\x00\x11R\xae\xf2\xd1\xdc\xf9\xd7\xa2\xb6y\xe1\xde\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00?\r>\x98\x92\xfa\xa3HQ\xa4\x00\x07\x89\xec\x83\x92\xb2\xac\xa1]\xa0\x00\x04m\xb9Z\xe5\xdf\x96\xf9\x17\xe7\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x0b5Mq\xa3\xcc\xfc}\xe4\xf4\x022\x00\x044\xbf\xdd\xb4\xdbu]\xf9\x8f\xa3\x1f?\xfaDKe\xdf\xfa!0\x00C\xccb\xca\x17\xb4\xc5ub\xec\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x15\x03)\xf7N\x80\xcf\xa8\x00\x06\x17y\x85|\xe8W\x16\xbc\x01(\xc0P\xbd3QBz\xc3\x0f3.\xe0\xe7@\x02r\xe8\xe7\xee\x81\xdb\xe7\x07x\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x005M\xae\x8d\xe3Y\x941\xfa!\xce\x80\x07\x9f\xa4\'Ei\xc9*-\xa0\x00(\x1f\x1bv\x8c\xa7D\xb0\xcf\xa8\x00!:[\x9a\xba3V)!e@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x076\xda\x95\xedWe\x8c\xdb\x00\x01\x1d\x9f\x9be[\x9d\x8cj\xc4\x00\x00({\xe3^\xe2\x9b\xfd\x88\x97\xc7\xe8\x07$\x04M\xefG\xdc\x1aq\xeeb\xda@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00A\x94F|D\xbe]\xa1]\xa0\x0cn\xa3\xfa"\xb8\xb75\xf9\xe1(\x80\x00\x00sL\x96\xdd\xa5\xe7\xd5\xec)\xd0\x06\x05\xc1O\xdc\x1a2nb\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01H]\x9c\xc9\x19Kz\x18\xfd\x00\x00Be[\xf7\xe7\xda\xb3\x0b\xf2\x80\x00\x00\x01\t\xcf\xbd9\xcfP\xb3\xe8d\xdc\x06\x05\xc1O\xdc\x1a2nb\xea\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xb4\xae\xf2\xe1\xa9\xd12\x8b\x94\xa3Hs\xa2#\xbc\x9a\xe8\x1d7r\xd9\xe7\x07@\x00\x00\x00)\x8b\x9e\xb34v>F/H8\xc0\xb8)\xfb\x83FM\xcc]@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x19\xea\x98\xaf%\xbe=q\xef\xc2\xcd9 \xe7X\xbe\xbbe\xd9\xed\xd1\xa3(\x00\x00\x00\x005\xad\x94s,\xb7\x97\xae]\xb8\x98\xb9\xbe\xb1\x94e\xcfO\\7\xe6\xdc\xc5\xb4\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x1f\xcd\xf7\x05]U\xd9\xa36\xc0\x06?Q}![[:\xfc\xf0\x94@\x00\x00\x00\x00\nB.R/>\xaf\xc1N\x8c\x0b\x82\x9f\xb84d\xdc\xc5\xd4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x93\x9cr\xe3%3l\n\xae\x01\x075\xe3m7\xc4\xa1\xa7\x18\x00\x00\x00\x00\x00\x05\x1f\x17\xb7\xe9ti\xf5\x14i\xc0\xb8)\xfb\x83FM\xcc]@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\xbe\xb0h.v+8\xc7\xe8\x07:\x04}\xbbOt\x86\xacY\x02\xca\x80\x00\x00\x00\x00\x00 \xf9\xff\x00\xa3y\xc2\xbbf\x86]\xb8\x17\x05?ph\xc9\xb9\x8b\xa8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00sM\xd1I\xd7l\xb0\xcb\xb4\x07\xef\xe7\xc1\'zS\xf7\x06\xdf8;\xc0\x00\x00\x00\x00\x00\x077\xf4\x879\xc2y\x03&\xfc\x1br\xad\xd9\xf4e\xb8E\xd9\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00+\xda\xc3x\xd4)\xd1\xe83\xea\x01\x81\x9f\x81(\xdb[\xce\x99\xb9\xec\xf3\xc0\x00\x00\x00\x00\x00\x00s\x9fFs\x9c\'\x902ozy\xc7[OJ\x8d8\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00)8|\xfc\x1c\xfa\xbf\x05:\x00`g\xe0J7\x06\xe7\xa6n{<\xf0\x00\x00\x00\x00\x00\x00\x1c\xe7\xd1\x9c\xe7\t\xe4\x0c\x9b\xd1\xd21VU\xd3(\xec\xcdX\xbd@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x0c\xccU\xfa\xb4e|\xf8\xd0\xd1\x9c\x95\xdd\x1bR\xfa\xc2\xcb\x07L\xf0FQ\xf2\x0f\x8a\xae\xfbDK\xca/\xc9m\x9au\xd6\xd87\xc4\xf4\xeb\xd4w\x82\xda@\x00\x00\x00\x00\x00\x00s\x8fGi\x9c\xed\\\x90\xc0\xcf\xaf\xf3\xc3\xcb\xc22\xfcH\xfd\xbb\x19+\xf2\xecv\tm\'\xceP\xbb&9\xbb\xc6u\xf4\xcf\xd73\xc9v=\x0c\xa7\xe5\xa7]\x94\xd46\xde\xbe\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00??j\xc3\x16\xbe\xcd\xcd\xcf\xaf\xc3\xdc\xaa\xf0\xe0\xf0\x8f\x94%b\xac+\x1e\xec\xf4\xd6\xcfh-\xa66H\xef\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xadl\xa2\xba\xd4\xaf\';\xce\xd8]-\xe7\x0b9\xc7:\xd0\xd1!dS\x07\xf2\xbbs\xd8\xde\xd1\x9f\xdf\xcf\xd3\x9d\xc2\xf1\x93J\x1bU\xb5@_\xfa\xf0\x87x\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r/t\x14\x9e5\xea\x8c\xf9\xde7\xa6\x91\xef2\xc9t@\xaal\xac\xc5\x95\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xf1\t<4\xfdV\xda\x14n5\xf6\x84\xf9\xd3\xf7\xa2\x9c\xed;q\x16V\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xff\xc4\x001\x10\x00\x01\x04\x01\x02\x02\n\x01\x04\x02\x03\x00\x00\x00\x00\x00\x03\x01\x02\x04\x05\x06\x00 6`\x07\x10\x11\x12\x13\x14\x1504@!\x1615P"3#\x80\x90\xff\xda\x00\x08\x01\x01\x00\x01\x05\x02\xff\x00\xb7\x93\xac`\xc1\xd4\xfc\xc6\x03#\x9b*\xb7>\x97!\xbb\xef6\xeb#r>\xf3!j\x82\xd6\xfc\xa3\xf5\x0b\xfdG\xbe\xbe\x8d\xa6\xe6H\xc6U\xdfV\xd8/+H8c\x0e\xcb.\x0b]2\xda\xf2^\x88P<\xfd\xb1\x15g\x14\x8ed8\xc2\x91\xaf \x89\xa5\x8b+\xb2"\xcb\xefu\xca\x86\xd2.+\x90Jt\xaeT#\xd0c\xb4\x9ck\xeb\x14h\x809\x13\x82F\xc34$\xea{Z\xf6\x8cl\x1bw\xca\x11T\x98\x8d\xe3\xacY\xcay\xac\xd7\xc3\xa4\xae\x0f\x85\x1e\xe1\xeek4\x9f\xba~\xdb,$\x11\xc6\xef.\xa9\xdeN\xff\x00\\\xe0\xb9\xab\x8dX\xfa\x9dW)t\x8cFzp\x91PR@\xc3\x8d\x95\xa1E\x10\x04%\xd1\xe6\x04/\xf5\x18\xfa\x11\x1aVj\\\x04)\x1bX\xde\xc8\xe0\x18\x13\xad\xedG3\x0c\x9cZ\xfbNR\xcc\x95I\x94u\x18\xc2\x0e\xbc\xea\x10\x93\xa5H\xf1:\xa9)\x0f*#\xf1Y=\xcf\xd3\xd7Mkj\xb2\x04I\xa1\xb7\x82\x89<:c\x9a\xf6\xf5V\xf1g)gB(2\x03I\x08\x96\xba5\x85\xb9\xeb\xb1`\x84\xd2\x89\x02\xb8F\x8b.\xe6h\xb1\x02\xe9\xd8\xddS\x86\\Z\xb5\xcc\x93Q.\xbd\x91/\xef\x08\xc8\xb9D\xc1k\xf5bj\xc6\xfa<\xb0V\x84\x82\xea\x9f)\x02\xcc:$\x8b\x0b\x9eR\xe9+\xe4c\xd4\xd0\x95\x04\xe8\xa2\x1d\xed\xfcj\xf6\x98\xd2\xa4L\x85\x90\xd3\x0c\x1f\xa9j5\xfa\x96\xa3N\xc9jQ\xb6\x97r\xec\xe2\xc4\x17\x80\r\xac(\xe1\\\xc3\x0cp\x87\x94\xbaGN\xd9~\x9f\x1b^\x9f\x1bB\x88\x01.\xbc1\xeb\xc3\x1e\xbc1\xeb\xc3\x1e\x93\xf1\xbe\xd0JH\xf8\x8d\x90\xe7\xd5\xf2\x96G7\xd5\xef~\x83\x08\xfa\xab\x11=\x85\x1f(e\xd6\xee\xab\x83\\\x07\x05\xbfB\xd5\xaa\xe8\x98\x8d\x94y\xb5\\\x9eb4A\xb4\x99\xebw?J\x8eg\xa4_\xa7\xe7\x93\xf3\t\xbeJ\x92\xb0j8\xbfJ\xc0\r0\xb0\xab\x1f;Q\xc9\xaa\xa8\x89{c"\xear~\x13y\xdf\xe1\x87\xd3fzDc4\xe2\xf6p\xb9L\x85}\xc9\xb7\xb2\x1d\x12\xa2\xa1\x9d\xd8\xfe\xc5\xa1\x1c\x8c\xc7\xeb|\xa5\x1eOQ\xe8\xf2\xc6\xf6\x91\x9e\xc4\xbf\x18\x12i\xa6y\xfa\xceL\xcf\'\xa9\xce\xc6\xa3\x19\xbd\xeeF\xb3\x13\xad\xf5kMH\x08\xe4\x02PIOf\x8b\xda\x9b\xe5\xfeb\xf4|Q\xba\x8f\x92\xee\xecC[\x06\n\x10\xc4\xf6&\x10\x86>7\\\xb5u}W\xf5\xed\xb2\xad\xaf{\xd3\xd9\xe8\xe4\xeda\xf9/!\x92\x96\xb9\x0f\xb1.C#\xb3\x05\xaa7\x8f\xb38\xa8k\x07\x16C\x0e\xcd\xf8\xb4\xa1@\xc8\xb9+)\xb3\xf4\xca\xba\xf19\xad\xdeW\xa0\xc7\x8d\xd6\x1e\xda\xcbo\xef\xac\xaa\x03jn7\xd9v\x8c\xb1K\xe3\xc5\xe4\x9c\xf0\xc2\x95o\xec\x19\xe4\x9aj\x98B\xaf\x81\xbb%\xadK:\xc8E{]\xba\xe3\xe3U\x7f\x19\xc9\x162\x19\x12\rK{S|\xd9(\x04\xc1\xea\x9f\n\'\xb1\x9bG,[\xd4TT\xdbj\xc5t\\jO\x9a\xa3\xe4\x8e\x90\xa5\x05\xb5P\xd9\xe1\xc6\xdc\xe5F\xb7\n\x88\xb3\xee=\x9c\x8a\x1bgTU9T\x1bl>\x1e\x15\xc3|\x910\xef\xb2\xbf\xdf7\xbd"E]|Z\xd8\xde\xd1F\xb0/6\xd8|<+\x86\xf9\x1e\xf6j\xd7\xd5V\xb1\xca\x9b\xa4\x97\xc1\x0e\x0fP\xfe\xdfo\xa4(\x0e,`\x11\n-\x96\x1f\x0f\n\xe1\xbeG\xcd\xa6\xc9\x91j& \xc7\xb9XkI\xb0\xa3\xb2,On\xf8o--K\x93\xcbl\xb0\xf8xW\r\xf21\x1d\xdc\x18_\xe7l\xf7X\x1b\xc2\x06\x19\x01!\xd3{\x8b\xf9L\x8a\xb5\x94\x96{,>\x1e\x15\xc3|\x8d\x9fOP\xc0\x88\x14\x086\xaf\xe3X\xa4\x16Z]{\xdd#"\xf9\xad\x96\x1f\x0f\n\xe1\xbeF\xcb$0\xb9G\xa8\x83B\x9c\x12\x13e\xa1Q\x91\xf0\xd8\xbeV\x87\xde\xe9\x17\xf8X\xca\x8a\x0e\xbb\x0f\x87\x85p\xdf"\xdf\xcf\xf4\xda\xa8\xcd,\x93\xb5\xadjH\x8a#\xbbe0R\xc7&\xf7\xf2\x81\x10\xf45\x8fO\x03F\x92\x11k\xd4#jQXj\xfc+\x86\xf9\x17\xa4\x19\xab\xe1\x85\x9e\x18\xb6\x99\xfe\x18\xfa9\x8d\xff\x00\x17\xd0\xba\x8c\xb5\x99\x16\x9e\x00\xbd\xdd\xc6j\x7f\xe2\x16\x15\xc3|\x89dv\xc6\x81\x05\x1f \x9b\xa4\xa7\x9b\x9f_\x0c\x10b\xfd\x0c\xfb\xf9\xde\xbb\x0f\x87\x85p\xdf"g\xb2\\\n(,VE\xdb%\xea0`Ub\xf0>\x8e}\xfc\xef]\x87\xc3\xc2\xb8o\x91.\x94\x93rDDD\xdbl\xaa\xad\xa9\x8f\xe5+~\x8e\x7f\xfc\xe7]\x87\xc3\xc2\xb8o\x90\xdc\xa8\xd6\xa1R]\xd6\xd7*5\xb8\xf4\x02\xdc\xdb}.\x91\xc6\xe7W\x85\xc8\xf1uX|<+\x86\xf9\x0f6\xb2H\xb5\xf0B\xa0\x06\xdb\x17+"a\x11\xd6>?\xf4\xaf\xda\xd7R\xd4|^\xab\x0f\x87\x85p\xdf!\xe5\xa6I9N\xe1E-\xad\xc4a0\x00\xfaV!t\x9a\xfa\xa5\xecgU\x87\xc3\xc2\xb8o\x90\xc8WL\xbf\xdd\x84\t$d?R[\x1a\x0c\x97\xaaz*\xc4\xc2\x1c\xd7c\x9c\x85\x98\x11\xe3\xc7j\xc4\xd6\xc7\xda\xf5\xee\xb3\xa3\x90v\xa7\xd4\xb2\xe2\xce\xa2\x7f\xaf\xa3\x99@hy\x0b>\x92\x81\xa3\x82\xd5l]\xb6\x1f\x0f\x06\x10\xd9\x8f}K.,\xeb\xc5\xf8\xc3\x90\xbaI#<\x88\xbf\xd7\xb6\xc3\xe1\xe1\\7\xf5,\xb8\xb3\xae7xY\'!t\x87\xfc\xa6\xeb\x0f\x87\x85p\xdf\xd4\xb2\xe2\xce\xb6q\x07!g%\xf3\x17\xfb\xac>\x1e\x15\xc3\x7fR\xcb\x8b:\xd5\xec\x15\xe0\xa7B \xc6A\x91?\xbb9D\x01\xc8\xbe\xa8\x02\x17*\xa5`\xdd\x99V\xf7d\xde\\\xce0\xe3/\x98\xd9\xda\x9a|\xb8\xcdR\x18\x93S\nd\xc1R\xfdK5D\xcb:\xca!\x95<\x84m$$f\x961;"Z_\xc3\x00\xf2\xcb&<9\x9c\x1e\xc6\\U=\x88\xf6*v\xa7\xf62eF\x8c\x97\x99`B\x84\xb8\xc8\x0f\xafQ\xc85%\xb3&\xbd\x91c\xb3^\x08v=\xedby\xf1\xb9\xe2\x81{!\xe1\xc5\xed\xa5\x11\x98mZ26?N\x07G\x8d\x1e?\xd6\xbb\xc7 \xd9\xb9\xf8\xcd\xe4}:\x05\xf0\x88E\x9c\x17\x8ah\x9e\xe4sWi\x18\xc25aF\xd7\xa7\x03L\x84\xd1\xba-\x85\xe4\x15na)\x8f\x06e\\\xe7\xc7\xc9)\x8c\xd6\xb9\xafo\xf5*\xa8\x89\x90e?\xe4\xc8^"\xb0"b\xed{\x9a\xc4|\xf1v\xd5\xd0[\xd86\x16\x1b\x11\x8b\x06\x04HA\xfb\xd6\x14Us\x9f#\x0f\xab~\xa6c6\xf1t\xe0\\\t\xe5\x94\xe0(\xa5\x80\x9b\xd5\x11th\xa0*\x0e9\x80\xb8\xad\xec\xf3\xd9\x7fQ\xd2$\xb2\x0e\x14@4\x03\xdaS\x08Za\xcf2Ev!\xfeQ B\x88\x9f\xd2\x90l+.1\xba\xeb\x06\x13\x18\xb9\x8f\xa9\xed\xb1\xac;fFTa\xc2\xfd5\xcdv\xdc_\x8c\x7f\xa8\xcai\x16\xdc\t\x8c\xde\xa2\x16\x8f \x0b\xa6\xc4\xbc\x86\x1f<\xddy\xe4\xd0\xa0\xde\xca-6%\xdc\x91\x16,h\xac\xfe\xa9\xcdk\xf4\xb4\xd5*\xa7\xc6iLK\x1c?\xb0\xa6\xc7\xb2\x017\xd2r-xV\xe9\xaf\x0e\xd7Xu<\xc6Y\xff\x00\xe3\x7f\xff\xc4\x00+\x11\x00\x01\x03\x01\x06\x06\x02\x02\x03\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x03\x11\x10\x12 12P\x04\x13!0AQ@a"B\x14`p\xff\xda\x00\x08\x01\x03\x01\x01?\x01\xfe\xf2\x1aNJ\xe7\xda\xb9S@\xb9)\xb14\x84`\x1e\x13\xe3-\xda\xe2m\xe2\xa5\x92\x86\xe8P\xba\xb6\x99\xe8S\x1dxU9\xa1\xc2\x85=\x97N\xd5\xc3\x8f)\xcdne\x19X\xdc\x97=\xc8M\xf4\xab\x199&\xc8\xcc\xac\x9ct\xae\xd5\x1b\xcbrG\xed5\xa1\xda\xba \xd8B\x7f+\xc2\x10\xf4\\\x9f\xb4\xd6\xdd\x14R\xb8\x93M\xaa\x16\x82:\xab\x8d\xf5e0\xce\xcf\xdbi\x02\xa6\x89\xa2\xe8\xa7a\xc2\xa2\x88\x8a\x1am\x107\xce\x16J\x1f\x86v\xf9\xda\x1a()\x82g\xd0Q\x03E\x1b\xef\x0c\x0f\x15n\xcf\x03?l\x04\xd1=\xd7\x8dlc\xee\x9a\xa0k\x80\x8a\x1d\x99\xa2\xe8\xa6\t\x9f^\x83\x04\x0f\xf1\x82m[,\x02\xae\xc1+\xee\x8c#\xa2i\xa8\xad\xb3\xea\xd9a\x14m\xa4\xd1=\xd7\x8dq@\xee\x94\xb6}[#\x05\xe7S\x04\xef\xfdq\xc6\xeb\xae\xb6}[$7GR\x81\x07+\x1ch*\x89\xaf`Y>\xad\x91\x8d\xba\x15\x05\x93\x9f\x1d\x98\x9dV\xaf\xc9O\x9e\xc7\x08\xab\xad=\x13\x9dx\xd7\xb3\xc3\xe5d\xfa\xb68\x07\xe3l\xce\xa3i\xda\xe1\xceb\xc9\xf5l@T\xa0()l\xce\xab\xbbPj\xb2}[\x14"\xae\xc0z\x9e\xd4z\x85\x9cF{\x17\x0f\x9d\xaf\xd2{q\xea\x16O\xa7b\xe1\xf26\xbfI\xed\xc7\xa8Y6\x9f\x9c\x1a]\x92\xe59\x7f\x1c\xa1\xc3\x8f(\x00\xd0\x8c\xad\x08\xf1\x1e\x93\xa6q\xed\xb4\xd0\xd5\t\xda\xb9\x8cr\xe5\xb7\xd20\xb4\xa3\xc3\xfa\\\x87#\x13\x82\xa7\xc7d gk\x9e\x1b\x9at\xe7\xc2$\x9f\x82\t\x0b\x9c\xf4\xd9\xfd\xa6\xc8\xd2\xaa,1\xb4\xa7\n\x1f\x8b}\xde\xd0\x95\xc1\x19\\~O1\xde\xd75\xff\x00\xe4\x7f\xff\xc4\x00)\x11\x00\x01\x03\x02\x05\x04\x02\x02\x03\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x03\x10\x11\x12 !1P\x1302A\x04@"QB`p\xff\xda\x00\x08\x01\x02\x01\x01?\x01\xfe\xf2\\\x02\xc4\xb1iu\xd4FG!)Mxw\x17#\xac\x13\x19}J\x91\xb6\xa8\x899\xb8M\x906Mv!\xc5LPq\xd8 \xc2J\xe9\x04\xe9#i\xb6$\'\x1e\x9c\xad\x8bQ\xad":\xdb\x8a\xf9\x0ek\x05\xdc\x8c\xf2\xcap\xb1|_\x8e#\xd4\x9dV\x89\xc1\xbe\xd3\xa3\x8c\xff\x00\x14!\x8c\x1b\x80\x89\xba\x8d\xa0\x0e*W[e\x88\xe7\x89\xde\xb8\x92l\x89\xb9\xec\x03b\x81\xbf\x11+\xbdes0\xe5\x88\xfa\xe2\x1cnrF\xdb\x9a=\xb8NF\x9b\x1e\x1eWz\xc8\x05\xd3[\x84Q\xcd\xc4\x11\x16\xc88bnrF\xdbk\x92V\xfb\xc9\x17\x8f\x0b)\xd3$m\xb9\xccE\x8db\xdb\x85\x90\xdd\xd9\x1a,3J=\xd6\x1d\xb8G\x1b\x0c\x917\xdew\x8b\x8a\xc3\xb7\t%\xce\x81\x10E\x00\xb9\xed\xc3\xb7\x08\xe7\\\xab\xd2!\xef\xb3 \xb1_\x8a\x8bn\x0eSa\x91\xa2\xc2\xdd\x99\xb7\xa4;pr\x9dk\x18\xb9\xedMHv\xe0\x8e\x88\x9b\xd61a\xda\x97\xc6\x90\xed\xc1Hl\xdc\x83\xb4\xff\x00\x1aC\xb7\x056\xd5n\xfd\xb7\xf8\xd2-\xf8)\xaa\xdd\xfbo\xf1\xa4^_x\x907]F\xae\xb0Fb\x89%\x08\xdcP\x85\x08\x80\xed\x91p\x8cE`pX\xdc\x84\x8eBe\xd5\x08H\xd3\xf6\x1d\'\xea\xa1\xa4\xa1\x10\xf6\xac\x07\xd1\xb2\xe9\xb5\x18\xbfH\xb0\x85j\x07\x90\x86\xa3\xea\xe0\x0b\xa6\xd4#o\xd9\xc0\xd5\xd3o\xf9\x1f\xff\xc4\x00I\x10\x00\x01\x02\x03\x03\x07\x06\x0b\x05\x07\x02\x07\x00\x00\x00\x00\x01\x02\x03\x00\x04\x11\x12!1\x13 "AQ`q\x0502a\x91\xb2\x10\x14#@BRr\x81\x82\xb1\xd13Pb\xa1\xc1\x15$5s\x92\x93\xa2\xe1\xf04CSc\x80\x90\xf1\xff\xda\x00\x08\x01\x01\x00\x06?\x02\xff\x00\xcb\xc4\x89\xb9\x944U\x800|M+u\xedAI\xa0\x80<a\x0cu\xa1\x11F\xf9A\xc5\xf0@\xfaED\xcb\xbf\xd0\x98\xa2\xa6\x9d\xfe\x81\xf4\x8b\x7f\xb4T\x9e\xa2\x81\xf4\x8f\xe2\x9f\xe0>\x902\x99)\xa4\xd7X\xbc\xc7\xef\\\x9c\xeaW\xae\xc9\xba\x02\x19~\xcb\xa7\xd0]\xc7u\xf2\x93\x0e\xa1\xa4z\xca4\x8c\x97&2f\x97N\x91\xa8H\xfa\xc5\xa5\xcd&Q\x1b\x1a\xba\x91\x96\x99}\xd9\xb7\x0e$\xc0\xc9\xca\xb8\xa5l\xac%&\\\xb4\x98R\x80q\xb0:\xe2\xad\xbe\xe0V\xd8\xbaqU\x8aL$SnfQ\xbd\x07\x06\xb1\x08\xe4\xbePA[\x86\xe49\xaf\xdf\xba\xaaqX$T\xc5\xa5h\xcb7r\x00\xd9\xf5\x8b\x80BD)\xa2\x85\x14\xed\x06\x12\x94\xa6\xca\xbf\x17\xd7\xc1eB\xa2,\xa14\x1c\xc2\x1f\x97]\x87\x91\x81\x10\xa9i\xbb"i\xbf\xf2\x1b\xa8\xac\x9dm:\xac\x9d\xa0iH\x17\xde\xab\xe1\x08\x06\x81X\xf3\nn\xba)1\x89\x85"\xf2\x8avfx\xd3\n(u\x17\xd57B&\x14(\xb1\xa2\xbe;\xa6\xc4\xbd\xaf*\xa7m\x04\xf5B\x01\xc4\x08\xb2\xae\xd8\xaa\x94\xa5E[@I\xf0XQ5\xea\x11\xe9\xf6@Z\r\xc7\xc1m\n\t\xae1\xa4\xe9\xafP\x82\x101\xc70\xa4\xe0c\xf6s\x88*L\xc1\x14\xd2\xe8\xee\x9a\x1aZ\x89BP(\x9a\xe1\xe1\xf2\x8a\xa4\x06\xe5\x9a[\xcbV\x00\x08-)*d\xa6\xe5\'_\x87*\xe4\xf7\x8a$\xf4\x13\xb4m\xc6\to\x95TU\xaa\xa9\xbb\xe7\x17M\xcb\x9a\x7f\xbd\x91C,\xd1\xf8\xc7\xd6\x12\xb9\x991`\x9fB\xf8\xa2\xed\xa0\xec"-$\xd4xd\xbd\xa1\xbal\xcc\xdde\xc4\x80\x9ftQk\xbfd~\xed\xe4X\x18\xb8p\x86\xde\x9a\x983\nA\xe8\x91\xa2aS\x0bC-P\x1c\x00\n<!\xe9\xc995\x86\xd6\xbdf\x13\x94\x9c@\xf5\x80L!9\x15\x0b:\xc2\xaf0B2\xa8V\xdbU\x85MK\xf2\xc3\xe9CH\xa9\xb5y\x8a!m\xa8\'\xd2Z1\x82\x89\xc9\x12\xe9\x1e\x93wG\xf0\xc9\x8e\xd8ZU\xc8\x85KV\xb5\xc2\xd4\xa1d+\x04\xd7\x0f\x05\x10\xa1\x94\x84\xce\x95\xa4&X\x82\xad\xd3\x92\xf6U\xfaCs\xf3sl\xcc\x95\'\xa0iO}`6\xd2\xd9B\x06\x01$R2mQ\xf9\x83\x82A\xb8q\x819\xca,\xb92\x9cl\xd6\x82\x02P\x93,=L\x9f\xd2>\xdd_\xdb1\xf6\xea\xfe\xd9\x82C\xcb=Y3\x06^^T\xb4\xda\x8d\xea\xb5\x8c\x04v\xe7&jjTL0qI\xd7t\x01,\xca\x19B\xaf\xa2SM\xd3\x90\x1dJ\xf9\x88\xc1]\xb1\x82\xbbb\xa9E\xfd~\x0e\x82{#\xa0\x9e\xc8\xe8\'\xb2:\t\xec\x8a\x0c\xfa\x8cQ|!\x19E-\xf6E\x1d\xb5\xbavY]Xb\xe4\x9f\x99\xf3\x16f\xa5\x94S}\xe0\xe1\tq\xb5\x05!B\xa0\x8d{\xa2\x9c\x88\xf2\xce\x9a"\xa2\xe1\nS\x94\xb4\xaf1\xbbQ\xac2\xd2\x14\x03\xac\xa0%H\xad\xf7k\xdd\x05\xba\xbe\x8a\x13h\xc1~\xc1\xc8 YG\x0e\xbf3\x06\xc7\x91\x7f@\xfb\xff\x00\xd6*7=\xdb+\xb2\xe3\xba\t\xba\xb5\xdb\xf9E\xfe\x95\xfeg\\\x14\x9b\xe1-\xadUu\x9d\x15UU$m\xdc\xea\x9c\x04\x16\x93c\xc4\xd9sF\x9a\xfa\xe2\x83\x98R\xf6\x08\x1c\xb6\x1dJ\x93j\xf1[\xc5\xf4\x80\xa1\x8e\xb1\xcd=*\xb2(\xfd\xc1Gn\xe7L\xcc \x02\xa4\xa2\xe0`\xab\xd6<\xcaYN.]\r\xc9L\x84\xae\xa0\x95\xa4\x8d\xba\xa13\x92hW\x8b/\xa4=S\x01h5\x1c\xcbs\xec\x11m\xa3\\!\x89\xaa\xa2\xd2\xd3\xa5g\x00w5\xbeId\x03\xe9\xac\xc0H\xc0s\x05G\x01\x0b\x9a\x99l\x99v\xfa\xf5\xea\xf0-\x87Si\x0b\x14P\x87%\x9e\xcadk\xa0H\xc4m\x8a\x8c9\x87)\xea\xc6H*\xabC\x86\xd0\xd9]\xcc[\xcbq\x01t\xf2i>\x91\x87\'_*S\xae\x1cO2\x99\x19t\xd5\xc5\x9aB%\x94\xaa\xae\xb6\x97\xc7\xc2\xec\xbd\x13\x94\xa6\x82\x88\xad\x0c.]\xdf\xb4h\xd9<\xcc\xdc\xa2\x92\xac\xa2\xa8\xbe\xcf\xfe\xeeb\xc5*\xcb\x1a\x02\xea\x7f\xbb\xf9\x9b\xfaG\x01\x07\x95\xa6\x82\x92\x7f\xe5\x03\xaf\xaf4r\x9c\x93V\x1c\x07\xca\xd8\xf9\xd2*\x9cF#\x98qSD\xa1.\xa4\xa5&\x9a\xeb\xb9jq\x1fj\xbd\x04u\x18/8Iq\xcb\xc9\xe6\x14\xb3\x80\x15\x84N\xba\xcd%\x10o\xa9\xc7\x86{s\x0c\xd031]\x01\xabo0\xc4\xc6!\xb5a\r=Je\x10\x15N;\x95+,\xd2\x82\x96\xd06\xf6s"JQ\xb5\xb8\xb5\x1fF\x1b\x95k\x04\x8b\xce\xd3\xb7=m\x04\x02\xf2oh\xf5\xc2\xa5\x1fM\x87Z\xd1\xa6z}\xa8\x95\xfeJ>[\x92\xf4\xcb\x95\xb2\x84\x93t8\xf1\x1d#q\xe6,\x8b\xdc8B\xa6\xe6*\x1e\x98\xf4N\xa1\xcc\xa6~\xc8\xc8\xbbAZatTa\x9d_T\xd6%]\xb1gB\xcd+\xb2\xed\xc9L\xa1W\x95q`\x81\xd4!\t\xa5\r/\xcf*8\x08\\\xfb\x89\xf2l\xe1\xb2\xbc\xd3\xec\x91}\x9bI\xa0\xa9\xa8\x82\x85b\x83Jg9\xc2%\xbe.\xf1\xdc\x99\x89\x870l\xd1)*\xad9\x86d\x9a\x05jZ\xaf\x03\x18\x0cJ\xb7dk:\xd5\xc7\x9b\x9a\x97x\x8a\x95\\um\xces\x84K|]\xe3\xb9\x0f\xcd\xa56\x94\x81w\x18\\\xc2\xce\x93\xa6\xb9\xeasd~\xd7\x98:K\x1eM4\xfc\xf9\xc6\xa7\x9ah\x12\xd5\xce\x1dt\x84\xack\x19\xaep\x89o\x8b\xbcw rR\x16[e \x15_\xd2\xd7\x01\t\xc0g\xa2JQ$\xdfy\xa7\xe7\xc2\x1b\x97lQ(M\x00\xe7&\xdbm%KSD\x005\xc1F\xb4\x9b\xf3\\\xe1\x12\xdf\x17x\xee:\x97\xb0V&\'\x8dt\x96H\x04\xe1\\\xf3~\x92\xae\x10\xda\x94\xdd\x87\x9d\xd2_\xe9\xf9s\xb4\x86L\xbb\x8a-?S`\xea\xcds\x84K|]\xe3\xb8\xe8\x92h\x9c\xa4\xc1\xbe\x9e\xac\x04\xd2\xfdy\xd5\x87\x1e}\x0b[\x0c\xde\x0e\x02\xba\xb9\xf9\x05P\xd2\xfb\xfd\xe35\xce\x11-\xf1w\x8e\xe3\x95&\xb4a!+\xafTt\\\xec\x80\x8d N\xd1\x9aP\x14-+WT1x%\xdf)\x86\xde}\xaf\xe7\x8f\x91\x84P\xd7G1\xce\x11-\xf1w\x8e\xe3;4\x13iB\xe4\xf10\xb9\xe9\xa5\x05\xa9\xdcn\xc6(\x90\x00\xea\x80\xa5\xd6\xa3fk(\xd0(oH\xda\xbc(\x0f0\x9ai\xa4\x15\xac\xa6\xe08\xc6K\xd3F#\xc1E\xae\xfd\x91\x8a\xbb!\xc5\xa3\x08\x96\xf8\xbb\xc7q\x99\xe4\xc6\xcd\xee\x9bJ\xba\xeaj\x84\xa3`\xceR\xee\xb8k\x89\x99\xe2EV\xab\x14\xa6\x1f\xee\xbeb\xeahKs\x06\xd2I\xeb\xff\x00_\x05\xa5\xb6\x92c\xa2\x9e\xc8r\x91-\xf1w\x8e\xe2\xbc\xfa\x97`%\x07J\x1792\xa2\xe3\x8a8\xab=\x89$T\xdaX\x06\x82\xb4\x84\xcb\xcb\xa0!#f\xbe\xbf1\x92\xf6\x07{1\xce\x11-\xf1w\x8e\xe2\x96\xd2\x12r\xcb\x085\xd9\x8f\xe9\x08I\xceZ\xc6 G\xedg\x15m\xd5\xd4&\xa3\xa3\xe6R^\xc0\xeff9\xc2%\xbe.\xf1\xdcY\xa6\xe6\x1dR\x90\xd2\xc8H\xd8"\x83\x0c\xe6\xda\x03\xa6b^\\\xa5)R\x1b\x01Vv\xf9\x94\x97\xf2\xc7{1\xce\x11-\xf1w\x8e\xe2\x12p\x1176\xd8!\xb5\xa8\x91\\\xe2\xa3\x80\x80\xf2\x9b\x1e,\xc9\x16\xef\xf39w\x12\x82B\\\xd24\xc2\x12\xa4\xe1O\x0b\x9c"[\xe2\xef\x1d\xc4\xf14\xa08\xe4\xc8)\xa5z",\xaa\x96\xb5\xe7,\x8e\x10\xd5T\x0eT\x978y\x9c\xe5\xa4\x83\xe4To\xe1\x1f\x17\x85\xce\x11-\xf1w\x8e\xe2%\r\xa4\xd5\x84\x84\xaa\xbd\xbf\xaez9=.%\xb1\x8dH\xea\x842\xdaBR\x81@\x00\xf39\x89t\x10\x14\xe3e"\xb0\xe3:\xd0\xab\xfc.p\x89o\x8b\xbcw\x12ni@$\xda\xa5\x07f{\xf3$\xd0\xb2\x9b\x86\xdd^k8\xc3B\xc3aGDx\\\xa6\xc8\x97\tP%6\xab~\x17\xee\x1c\xca\x9bZ\x90\xab\x85A\xeb\x80\xe0\xe9/\x1c\xe2\xad\x82&\xe7J\xafR\xacY\xa7\xbf\xcdg}\xa3\xe1W\x08zMNQ\xf5.\xd0N\xd1M\xc3-Y\xae]a5\xd9\xaf\xf4\x86\xc2\xb1\xa6s\x9c!\x95\xa1 )d\x95\x1d\xb7\xf9\xac\xef\xb4s\x13\xec\xab\xbb\xb8r\xcdZ\x19L\xa5\xab=T\x84\xf0\xces\x84K|]\xe3\xe6\xb3\xbe\xd1\xcc\x93[kRJ\xdcMhz\xf7\x0eG\xd9\xfds\xdc\xe1\x12\xdf\x17x\xf9\xac\xef\xb4s9?\xf9\x89\xefn\x1b\x12\xe8I\xb4\xcao\xae\xbdy\xeep\x89o\x8b\xbc|\xd6w\xda9\x92N8\xa0\x94%i$\x9dW\xc0Z&\x99)8i\x88\xabn%~\xc9\xaf\xdf\x85\xc7\x9cCh\x18\xa9F\x82\x05\xb9\xf6M}Ck\xe5\x05Bd\xb8G\xa2\x96\xcdL\x1c\x9b\x13J^\xa1d_\xf9\xc2\xc3n.M\x9a\xd57^:\xab\x06a\xe7\x96\xeb\xc7\x15\x1c\xdcb\x85\xd1\xee\xbe\x17/),\xeb\xc6\x9e\x80\xac%\x99\xb9r\xcd\x85\x1b\x15\xb8\x91\xe6\xb3\xb5>\x91\xcc\xa3\x89\x06:\'\xb6\x0eI\xe7\x9b\x07RU\x17NLW\xda\x84\xb4\xdc\xc2\x1cB0\n\x150\x0c\xc7&\xb6\xa4ll\x9a\xc5&ef\x19]p\x1aP\x149BZ\x87k\x80EB\x92A\xeb\x8cG\xde$\xbe\xfbm\xd0WIP\x19\xe4\xcb3\x0f\x1fK\xd1\x10\x15\xe3-\xcb\xfe\x14"?\x8a\x7f\x80\xfaE\xaeP\x9dq\xef\xc3\xaa.i>\xfb\xe3\xec\x91\xfd9\x95Z\x80\x10\x12\xd2\x1cp\x9d@BrR\x194\x91P\\\x8f\xdf\x1fn]\xbf\xc2kX\x01NL\xa9Z\xcd\xa1\x01H\x91l\x90)\xa7\xa5\xf3\x83\xe2\xec4\xd5q\xb0\x90+\xe6\xc5\xe2\x0b/\xd3\xa6\x8d|a)a\xe6_O\x1aB\x90\xaeN.SZ0\x82\x89\x8eN}*\xeaM`\xa5UmCR\xa2\xe5\x03\xef\xcd\xb2\xb4\xd4G\xd9\xfeq\x8b\x9d\xb1m\x97\x9dmc\x05\x05a\x15js\xc6\x13\xea\xbb\xa5\t\xf1\x8eK\xa2u\xd9U\xf0R\xf3/\xb1\xc4V-x\xe2Q~\x0b\x14\x80\xa4\x90\xa0p#\xee\xaa\x93A\x06O\x924\xd7\x81{\xe9\xf5\x8c\xa4\xd3\x8aqg\x1b\xe2\xa8m \xe7UD\x01\xd7\x16[J\x9cV\xaa\x08.\xcc:dQ\xe8\x82\x9b\xcf\xba-N\xcc92v\r\x11\tjY\x84 \'\x0b\xaf\xf3\xfc\xa3\xf2\xa9\xb7\x89RtI\x81\x91/\xcb\x9f\xc2\xba\xd7\xb6\x10d\xe6<lkOF\x9d\xa6\n\x1d\xe4\x97\xd4\xa1\xea$\x91\x16&e_e{\x14\x98\xa2\\\x15\xeb\xcf\xbc\x085@\x04\xeb\x10\x95KN<\xda\x93\x86\x94~\xcd\x9e\xb2\xe1\xa5\xcb\xd6(??\xbaX\x94E\xc1\xe5^k\xb3W\xe7\x02\xed/H\xe7yE\x84\xc2e\xf9=\xa2\xe2\xcfT%\xceS\x9a.\xd0\xd7&\x9c x\xb4\xabM\xd0R\xa17\xf6\xfd\xccP\xe2\x12\xb4\x9cB\x85D\x0b-\xa6Y\xc1\x82\x9aM?(\x1e/0\xcb\xe3\xf1\x1aR\x029A\x80\x12\xac\x14\x9c"\xb9P8\xc6\x8b\xa9\xed\x8d\x15\x03\xc0\xe6\xa7\xd9Ww\xee\x96\xf2od\xdej\xb6k\x81\x8ax\xdc\xa7i\xfaE\x94\xb4\xc4\xc7\xe2J\xe9\xf3\xa4e\xe6$@lbRk\xf21\xf6/\x7fLh\xb0\xf1:\xae\x8b\rH-\x81\xb5\xc1O\x9c\x19\x8eUq\x13\n\xad\xc8OG\xdf\x16%\xd8m\xa1\xf8SO\xba\xf4\x92\x15\xc4A\'\x93\xa5\xaa\x7f\xed\x88\xb6d\xc2}\x85\x14\x8f\xca2\xdc\x951\x91?\xf4\xd7x\xed\x8bIT\xb3\xf7\xf4R~\xb4\x8f\xf8\x06\xff\x00\xb8>\xb1ErD\xc9#b\x0c\x7f\x07\x9b\xfe\x83\xf4\x85r\x8c\xeb.3q\xc9\xda\xec\xbc\x7f\xe9\xc3\xff\xc4\x00-\x10\x01\x00\x01\x03\x02\x04\x05\x04\x03\x01\x01\x01\x00\x00\x00\x00\x01\x11\x00!1Aa Qq\x810`\x91\xa1\xf0\x10@\xb1\xc1P\xd1\xf1\xe1\x80\x90\xff\xda\x00\x08\x01\x01\x00\x01?!\xff\x00\xd7\x8e\x01\x92\x9b\xbd\xa9\xcd\xe5\xa2=\xda\xb3le\xbfz\xcc\xd2\xb0\x84\xd3M|\xf8iP\xe3z\xf4\xd6\xcb\x17Joh* \xe6\xd8.Rc\xd2\xadvh\xdd\xb7h|X\x85#\xb7?+\xbd,a\x18\xf7\xae^)#\xd3>\xcaP\x07\xbe\xd1\xcf/\xad0YXg\xac\xe6\x91\r\x9c\x91\xfd\xd1p|\xcc\xd6! \x89\x8f\xb5`\x8d\x84\xcd\x01-\xd02~\xe9J\xd7\xb1I\x9e\xdfT\x12\x12J\x999\xc5\x89\xae\xcb\x8dbz\xb1\x9f*\xcdd\xd8\xb9\x14\xe2y\xb2Z\xb2\xee\xa6\x08E\xd8\xa7\x87\x9d\x04\xd6Ql\x89\xbf\xd0\xa0o\x91\xa8\x92\x9e`\xf0\x1c=\xed\xa2\xf7\xa7\xfbQ-\xbd\xd7\xa7\x95-z!-9W\xda;\xd5\xcd+\xbaxr\xa3\xcf\xe8T\x815\x83\xa7\x0bn6\xa0W\xfa\xd4\xa6d\x15\xd5\xc0\x17?D\xad\xac\xf3\xa4}cj\xc9\x8b\x97m\x7f)\xd9\xe4-R\x04_r\x89\xa8\x08\x9d\xaa\xf2\xcdA\x92\xa2a\xe5\x8aJ\xd9\xa9\xf4K\x0b\xcd\xc8\xad\xdaf\xa9\xf4\xa6I\xd5\xbc\xb5\x0b\xb8`\xa7\xe5\xcc[\xbc\x18\x17a\xa8Y;I^\xe1\xbf\xeb\xcao\xfb\x96\xb2D\xb1\xe9\xf52G\x94\xd5\xa1L\xe8\xcbT\xfe.\x80;\xd2\xce~\x93\xb6\x89\xb0\xf4\x90\x8a\xb4\x8e\xb5\xc4\xf5\x95i.\xb1,\xbe\xb4\n\x97\x9b\xfa\xe9d\xf7J\xfdV(*"\xdd\xd1\xb1\xbe\x13\xeb\xf1\x9b\xf9O\xa8\x1b.\x86}i1BL.\xd2k\xadIg\xf6\xecS6\xc2\xf4\xa6oI\x9bq\xbf\xa6\x13S\x03R\xd9\x97w\xf5IQ\x16\x93S\x9c4\xc1Q\x89\xe7V\x96\xb7c\x1b\xb3Oa\xa0\x18\x8eD\xc5\x12<DI\xee\xe7]\xc9\x88~\xab\xe3\x7f\xaa%\xda\x11_\xd4&\xb5\xe3w\x9fF\xca\x89\x13\x06\xf5;\x10\xac\xb30\x07\xaf\x94\xda8\xc2~ZN\x05S\xa2\xfb\x89\xf9\xa1\xd10(v\xa5jV[u~\xaa"rF1\xca\xc5\x8d\xa8\xeaE\xb7\r\xf4W\xc3\x7fU\xf0\xdf\xd5,\x04$\x17*\x1c\x19$\xa3\x96\x91\xbej\xe9\xca_\xab\x8a\xc4>\x18\x985\xb4\x95\x8d\x8cq\xbfO)\x93\x18I\xfa\x85-\xeb2\x151\xf4\xff\x00\x0f_\xe1\xeb\xfc=\x7f\x87\xa0\x08\x00\xe4q\xde:\x96m\xadB\xe9b^tw?\xaf),\x12\xe2\x88y\x1c#69\x8d\xbe\xc6C\xe5\xf1\xb7Q\x8c\x94%\x15\x8e\x0e\x1f(\xc1\xc2\xe6\x92\x0c\xaf\xad]\xa0\xcc\x1a}\x8aH\xcc\x0b\xa51G=\x82\xce\xc7\xca\r\x921Bl\x12\xd1\xbex\xa40\xbf\xb9~\xcb9\xae[\r\x91d\xe5\x10\xedH\x02\x08\xe1<\x9f;\x1c\xcf3\x0fu\x10\xbeU\xa9\x11\xf6j[\x05\x0c{U\xc8\xdfHHhi\xdb\xc9\xcc\xda\x02V\x9finDmvnP\x02\xc0X\xf0\x05\xb1oZ\xa6\x0bb\xc8\xff\x00\xb1N\x19\xec\x1f\n\xc0N\xc4Yp:\xcf\x93\x94D\xdc\x17J\xb8\xba\xd1\x18\x8f\x04\x99\x94\xff\x00\x14\x8f\xe8\x00\x84\xa5\xd515?\x8bW]\xacX\xe5\xde\x8f\x0b\xeax$T\x00\xce\x11\xcdL\x08\x14\xb9\xd4\x9eM\x0b\x88\x92\xa6\xfa\x1bE\xe7\xa9S\x0f\x0c\x13\xe0`]\x96\x8a\xe0\xf6`\xe9ng\xe8F\x97f\xa3@\xf0\x96\xdcMcDI(\x91\xf0\n\x10\xaa\xacR\x01\xa5\xd5\xd0\xfcy2w\xcf\x9bf\xc4\x17\xa4"\x0c\xb3\xff\x00|\x18!VqwJ\x9c\x96\xa2d\x1eB\xd8\xb7\xd5i\x9c%\x17.\xb8\xefX\x0e\xf0\x99\xc3\x19\xf0\x1c4C\x01\x82\xc1c;\xd9\xe4\xc9\x083\x98\xb6g\xd5A\x04\x1e\x04\xa2\xfe\xe5HS\x84\xb0\xb8\xbfG\r\xcef\xec\x93\xe153\x1dKO\x02\xe5\x058PO\xc7\x92\xd8\xd4\xafT\xd5\xb9\xa4\xf7\x8aS\xef9\x96\xf7\xff\x00\xbe\x00\x04\xb2\x91C\xe6\xefBf\x0efb\x80\x08\x088P\x08\x829*\xf4l\x80\xb8\x88\x04@\\\xf7\xf0\x1c\x0c\x05\xbb7\x9f\xd5o\x0ei\x88Ly(C\x19\xc8\x94c\xad\x9a\x00  \xf0"\x04\x87\xe3J4u\x06u\x97\x19\xde\xc9\x8cG$\xf2\xa0 \x89tY:\xf1\xfbo\xe1\xaf\x8c\xe5\xf2H\xe2\x96\x90\x96\xd8&\x94\r\xcag\x7f\x00H\xa5\xb4\xa0\xba1\x82#\xc4\x91g>\xde\n\xee\x00\x02\x84A\x1d\xf2\xd16\x94I\xc4\xcc&G\xe2\xbdiS{\xdb\xc92 #\xc5\xb5\x1eU(g\x06\xfcj\x08\x04\xb3V;\xbaEb\x0fk\xce\xde\x13\xdaKMP\x03\xacGz\xb3[t\x13\xaf\x17\xcc\xdf\xc9\\H\x196\x90\x96#i\x17\xbf\x81\x10$\x87\xec\xf7\xadP\x0b]\xb9\xad|9\xc7:6S\xbb\xaf\x17\xcc\xdf\xc9<Z`\'s\x03\xef@\x11R\x8cg\x8c\x9c\'A\xbd\x12\xee\xa1Cg\x9f\xc4s\x0c\x84^Ob\xf5\x80\xbc\x131\xc3\xf37\xf2O\x04\x90\x00\xb1\xa6]9Pmf8\xc2&\xc6d\x1b\xa3E\x06\xf3\x88\xaf\xe7\xc4\xcd\xbd6QL\xb8\x9b\x0e\xbc?3\x7f$p\x08\x137\xa2\x98\x18$%\x9b\x1e\x9cbcDVf\xe6YQ\xff\x00\x85\xbcP"\xc3W\xaap^\xe2\xd3\xaex~f\xfeH\xe3\x93\x94&\xcc\x8e\xb7\x93\xd2\x89p\x8c\xf5\xf1 )\x80\xa2\xcc\x91\x9c\x9b\x1fw\xb7\x8f\x86HXX\xa378>f\xfeH\xe0~*\x03t\xa6\xd7+\xfc\x87\xf7C\x12\xd8p\x82\x11k\xf2Q\xca\r$\x8ar<\xe3\xc7\x9d\x00\x8e\x02\x18\xe9\xc1\xf37\xf2?\r\x07\x104\xc0.\xd3R\xd94C*\xd8\x15\x08\xa0\x00\xda\x95\x1c7/0\x8c\x85"\x80\x08,x\xe7o\xf0\xa5`4\xd3p\x88\xe4%\xfe\x89\xa0\x0e\x8c\xfd\n\x80\xae7#S\xc8\xfcI@iD\xa5\xab#%\t*\x91K\xc4\n"\xe1\xba\x81r\x82\xcf\x0b\xcc\xfc[\xec[2\xa7\n\xca\xf8\xea>\x92"\xf5J\x00\x82*\x10\x00\x08\xd3\xaf\x91\xb8\x05m\x05\xa3\xa7\xbcU\xbc\xde\xbf;\xf1\xb3`C2L/b\x80M\xde\x11-V\xff\x00c\xf2\xdc\xdc\x1f3\x7f#q\xcc\x00Dj\x1e\x8ag\x05\x89\xb6\xf7\xe2\x8d\xbc\t\xa8\x948\xda\x16\x16y\xbf\xbf\xb2\xf9nn\x0f\x99\xbf\x91\xb8d\x1a\xb6\xc0\xe0\xe5D\xca\x01\x01\xc4S\xa6\xcb\xbf\xc6\x9cN\x13\x0bn\xfa\xfd\x92\x04P\t\'\xab\x83\xe6o\xe4^\x14(\tj\xd8\xd9\xcc\x92\xdb\x89\xd9\x80\x96\xa4q\t\xb2M\x03Y\xfb7\x9ahp%\xa5\xebK\x04\xa1\x1f_\x99\xbf\x91x}\xaa:\xf3#?\xe5\t\xbc2\x8e(i\x96;\x1ax\x85H0`\x8fo\xb36,\x00&\xe2\x86\xb3\xf5~\xbe\xbf3\x7f"\xf0H6\x05x\x99\x1d\xb8\xdc\xca\x85 $\xbb\xb4.+\x02=>\xcd\xc0\x0b`)\x17\xa9\xb36Z|\xb7\xd7\xe6o\xe4^\x04\x06K\xe4\xe5\xc6\x88\x9e\x83\x12\xd7\xf6\xa1.\x11\x83O\xef\xeaD\x15\xd0u\xa7\x8b\x00\x92T\xdb\xf2\xf2\x1c[\x05\xa4\xc2G\xda\xa4\xc2\x0b\x97~,eq\xbdkZ>\xe2{\xfd\xaf\xc6m\xf5\xf7\xff\x00\xc5\x0f\xc9\xbf\xc8c\xd3\xc8h\xd6\xc1\x96\x9c\xa8\x1d@\xc3\x8b\xdb?4\x0cUZ\xc4K\xd8>\xd7\xe36\xe0 `\x1eC\x19ff^\xe15\xec\xff\x00\x8e/\x99\xbf\xdbq\xf1\x9bp1Q.\x0b0N\x91\xe4;\x8d\xe7\xe3\xfc\xcd\xfe\xdb\x8f\x8c\xdb\xc8\xeb\x08\xe0\x13\xc2Z;q\xfc\xcd\xfe\xdb\x8f\x8c\xdb\x83\x18\xc5\xb8\x17\xb4+\xf6VJ|(\xca0\xf4\xfes\tt0\xee\xd3n\x99\xfc\x9b\xe2\xb1O\x8e\xc2H\x1e\xf5\x84:\xf9KBeVn\x94\x1fhZ\x92dT\xe5xR\x15\x00f\xf5*?\x86\x95pRJ\xa8\x9c\xc0T@\x10L\xa32\x8e.\xbfk\x11\x04\x91=\xb86\xd9y\x95\xfe\xfe\x9a\xd4\xa4\x02\xa7\xf6\xc9qX\x00\xc31\xcaR\xaeps\xee\t\x7f\x14\xccD$\x00\xebo\xc5\x10\xf8\xc9)\xdcY(\xd9\xc2D\xca\x87`n\xff\x00\xc8\x8d~L\x03\x1c\xe2\xb61Z\xff\x00kN\xd9\xe4@\xbe\xec\xcdm+G\x882\x060\x8c`\xf4\xac\xe4\xe8\xfd\xa8\x06Az8:\xde&\xb4Mk\xbfJ&\\1\x11\x9e\xd5\n)\x02M\x1a\xd8\xfd\xd1\xca\x05\x82\x97\x9cE]\xc8\xc4\xa5\xd9G\xb5\x06E\xfd\xca\x8f\xb6K\x05r\x171\xad"E0\xc4m{\xd6\x9d%\xfb\x1a\xd0u\x80\xc3Rh\x920S\xf0\xf7"\\*H\xfa4\xb1"n*\xf8\xdf\xea\x87i;\x9fE"t\x8a\xb3+o\x7fF\x88Qsw\xb0\x8a\x00pH\x9c\xb6\x82\x9d\x880\x94\xe8\x8b\x94\xa2D\xfe)\x99\x80\x95t\xa7^\x92\xc8\x90\xf9\xf8\xcd/5\xf2~\xf5\xbf\xe2\x0e-\xd3\xd2\x8a\x91\xd1e\xa5\xa0\x13,\x9f\xbc \xdd\xa62\xf3\x1f\xd9\xcc\xf7\xac\x92MwT\xe6~\xfd*\xc9\x91z\x84\xcd\x16\x8c\x0c\xbe\xa1u>f4\x8fJ\x04\xefL23\xeb\x02F\x9b\x88]\x89n\xf1I\x80-,\xe3ZT\xeeW$\x10\xa1\xac\x91\xef\x81\xe9FMM8.\x17\x8d^\xbf\xc4\xc8\x82I\xb2\xd0\xee\x1f\xc2\x8e\x823\x99~(\tg\x03Z\xf1\xefG\xf5\xd6\xa7\xbf2\xcc\xb6^\xbc\xa8\x958\x86\xb7\xdc\xff\x00\r\x8a\xbb\xa2vkD\xe5[984\x98W2&\xc6k\x98\xe0\x8a\xe8\xfe\xa8]\xc3Az\x96\x93\x1d\x15\xa3\x1e\xe7\xf1\xc66^.}\x13:\x98\xa0\x92c\x9d\x10\x81\xd2`\x03j\x15\xa6 \x18\xf5\x92(\x8c\x92u\xa2\x843\xc3]\x1e\xb6\x8b\x1e\x1dr\xedz\x02!vU\xbc\x82zV\xc8L\xbf\x8b\x1d\x05r\x92\x9d\xb1%rT\xc1\x91\x11\xe8\x05\x14\x10\x1bP\xae\xe6\xa7\xb44\t\xaf%}\x9f\x97\xd3\xden\xa8X\x9d\xad\xf4$X\xe2"\x05YFLt\xff\x00\xe3\x87\xff\xda\x00\x0c\x03\x01\x00\x02\x00\x03\x00\x00\x00\x10\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3.\xb4\xbb\xf2?\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcc\xde\xc3\xcf\xe1\xd2\xe7<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<w\xf65\xc9n>#\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xc5\xf9\xd2\xea\x86\xb7\xfe<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf8\x99\xcb\x8c{\xff\x00\xff\x00\xa7O<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3G\xbf\xff\x00\xff\x00\xff\x00\xff\x00\xfb\x90\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xce\x12\xff\x00\xff\x00\xfeW\xff\x00\xff\x00\xfd\xff\x00<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xbd\xdf\xff\x00\xff\x00S\xd4\xff\x00\xff\x00\xef\xd3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xc8?\xff\x00\xfeu\xf1\xaf\x7f\xfe\xf5<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf/[\xff\x00\xff\x00\x81\xcf,\xf3\xff\x00\xff\x00G\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf0\xff\x00\xff\x00\xfe\xaf<\xf3\xcb\xdf\xff\x00\xf5|\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf\x15\xff\x00\xff\x00\x05\xf3\xcf<\xf3\x9f\xff\x00[\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xd5\xef\xff\x00\x83\xcf<\xf3\xcf\x1c\xff\x00\xf5\xbc\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xc1\xbe\xfe\xe7\xfc\xf3\xcf<\xf3\xdf?[\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf,\x1d\xdf\xe6s\xcf<\xf3\xcf,\xf4\xbd|\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3/\xff\x00\xe3o<\xf3\xcf<\xf3\xc0\xff\x00[\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf\x14\xff\x00\xff\x00\\\xf3\xcf<\xf3\xcf<\xc7\xf5\xbc\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xa9\xdf\xff\x00\x13\xcf<\xf3\xcf<\xf3\xc9\x7f[\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcd\xbf\xfe\xe7\xbc\xf3\xcf<\xf3\xcf<\xaf\xf7<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xff\x00\xe9\xf3\xcf<\xf3\xcf<\xf3\xca\xbf\xb3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xc4\xbf\xfe\x9f<\xf3\xcf<\xf3\xcf<\xab\xfe\xb8\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf8\xea\x91=o\xe9\xaa\xf3\xcf<\xf3\xcf<\xf3\xcbx\xfc\xcbNg|\xf8\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xb3G?\xeds\x1c\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf.+\x9c}\xfd\xf5|\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf\x0c=\xf7<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf1\xdf\xaf\xf7\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf<\xf3\xcf\xff\xc4\x00(\x11\x01\x00\x02\x00\x05\x03\x04\x02\x03\x01\x00\x00\x00\x00\x00\x00\x01\x00\x11\x10!1AP 0Q@aq\xa1\x81\x91`p\xe1\xf0\xff\xda\x00\x08\x01\x03\x01\x01?\x10\xfes\xa7\xa1\xe4?\xef\x88no\xa8\xa0\xd1\xfa\x96\xc4b\xf5TG=8\xbdWB&\xd1\x1c\xa2i(\xbb\xc0\xd0\t\xa3\xb0\x00\x95<VC\x0bi\x80W\xd27e-3\x8c\xc1R\x85\x1a\xfa\x83p\xd3\xbb\x8a\x11!^n\xe3T\xa97\x93\xf7\x052[\xed\xfeL\x85\xb9\xc6\xd0\x14"\xd5\xa1\xc58D\x01\xb0D\x19O\x10\x03\xa1t~x\x97!\x04\x07b\xdb\xca3-\xb8\x87\xb5\xf4(\x16\xc6\x13N\x92\x10\xf0\xe0\xad\x12\xbf\xa1\x91\xb5b+ \xdd\xbfA\xb0\xf0\xf6\xb6\xe8\x01l[\xd84\xc0,\xe8\xb88P\xb6\x88 :/\xd9\x97E\r\xfa\r>\x174\xf1\xd0\xf5\x1a\xbd)VJ|F\x87\xc7\x0bO\xef\x88\x0bb\xbfR\xf4\xf6\xc7K\xe3\x84\xa4\x80\x02\x8ch\xc9\xf9\xeb\xac\\t\xbe8Gjg\r\xb5x\x0b(\x89^\xb1\xa6+/\r/\x8e\x0c.\x08\x90%C\\+\x0e\xca\xab\xda#rJ\x96\xad\xf8\xe0\xce\xc7lP-\x8c\xab\xb3\xa9\x86\x97\xc7\x06\x05\xab\\O\xc8{\x81\xa5\xf1\xc1T\x10\x80c\xa1m\xdaU\x87K\xe3\x82\xa5\xf6\xc5\xca+\x1e\xe6\x19\x1e\x08fq\xfa\x1d\xbf\xb5\x81\xbb{\xf0C3\x1f\xa1\xdb\xfbXk\xfa\xed9pwHn0\x8ek\x95\x83"n\xd0\x07$\x16\xb4\xed\xd3xDk\x942\x17-\xd96*\x81\xba\'\xe2m\xd1F\xa7\xa7"\xf3\xb0\x03#\rY\x15\xa6\xa6\xa8\xfa\x1d\x11\x80o<?\xd4\xd1X&\x8e\x1a\xc9\x01C\xd2\x87\xban\xd3v\x8b~\x9cQ\xb2\x03\x1e\xf4[m\xfe\xa2\xff\xc4\x00)\x11\x01\x00\x02\x01\x03\x04\x01\x04\x01\x05\x00\x00\x00\x00\x00\x00\x01\x00\x111\x10!P 0Aq@Qa\x81\xa1\xd1`p\x91\xb1\xf0\xff\xda\x00\x08\x01\x02\x01\x01?\x10\xfe\xb9\xc83\xd5\x8d,\x95\xbc\x9f\xb8G0Y!\x1bqx<\xc2\x12&#\x99mV\x8a\x96\xba\x01\xdd\x90\xac8\xad\xc0\x85,\x94f\x15\xef\x1e\xbf\xd1\xfe"J\x1f\xf3\xfc\xc1\x0b?\r\xf4c\x8a\x04~\xaf2\xa2\xd0\xff\x00\xdb\xb2\xd6\xe2\x95\r6\x91\xb4\xa5}\xb6\xff\x00P\xb6\xe7\xdb\x1d\xdb\x00\'\x14\x88\x14_e\x97R\xd9k\xd1\xe5\xf1 -\x8ds\xd8\xa8`\x018\x82\xaat\x05\xb5\x1c_K\xb6\xb8u\xa2\xe5\x93\xd1\xbc8"\tLZ<t8\xa7\x0fI^\x84TB\xa0\xd3h\x88\xa9\xe8V\x0f\n\xb4\\{\x9e\x8a\xd6\xcfE\x85:\x15\xf0\xaa+\xf5\xe8\xdd\x9c\x1d)e2\xe8\xd5\xf0\xbb\x8dAZ&\xdd\xd5[\xf7k\x97\xdf\tv\xc5\xbdm\xdf\xd7\xb7\xeb\x97\xdf\x08j\t\x944b\x08\x14Q\xd6\xc4\xa6\xb4\xcb\xef\x84fb\x92\x9d7\xde\xcb\xf2\xb0i\xb8\xca\xda\xbe\xbc\x1a\xd2y\xd4-\xa8%\xd9`\xd3/\xbe\r\x1a\xea\xf6\xf8;C\x0e\x99}\xf0J\x8b\x11[\xaf\xe7{CF_|\x15\xc7\xdf\xa0P\x1d\xac\x9a-\xc7\x04\xb6\x1a\xe1\xf7\xdb\xc9\xa3\xae\n\xb75\xc3\xef\xb7\x93\x802\xa8\x87\x98\xf8\x08\x83b#l\xf0\x11+v5}\xbb\x82\x0f\x11\xdc\xd4\xa3\xcc\x17\x98\x9eHO\xc8A\x1c|wZ\x85\\\xe9\x8f!\xb2\x86\x01\xf0P\xe4\x8bx\x9f]<tQ\x93L\x13\x1d\x0b\xf1U\xf1\x16\xf1\x01\xe2c\xe3\xa5\xc5<O\xb5\x02\xb6\xfe\xd1\x7f\xff\xc4\x00-\x10\x01\x01\x00\x01\x03\x02\x04\x07\x00\x03\x00\x03\x01\x00\x00\x00\x01\x11!\x001AQa\x10 `\x810@q\x91\xa1\xb1\xf0P\xc1\xf1\x80\x90\xd1\xe1\xff\xda\x00\x08\x01\x01\x00\x01?\x10\xff\x00\xcb\xc6cE)\x9c\xc0\xb3\xbe\x9d\xe6]ns-C\xa1\x96\xeb,\xac\x0fga\xb5\xf4\x9a\xeap\x82{\xe3-\x0bI`\xa1\xf8u\x1e\x88P0\xbd\xb4"\xabPxs\xe0D\xc1/Sp\xd9\x10c\xa9\xd119\xc4\x02\xec\x87\x13\xdfM\xfc+&\nV7L9\x8f\xa5\xca#\x01\xb5`T\x1b\xe9\xbb\xa3[\x11\r\xa1or6\x8b\xc2p[uDV\xd0w\x8c\xeam\xea\x83\x80\x05;\xecgma/\x93\x0f<5\xf4\x9aV\x8d"\x96lX`\xe9\xa0SA\r\x1c\x82\xd61\xcb\xbe\xbb\x1b\xd2\x0e\xb8\'\x1d\xf4Dq@\x0b\xd1j}\xb4P\x01\xb4\n!\x14\x92\xf1\xe2\xc8I\xb8\x94\xd0\n\xf0\xa4#k6{\x9aW\xd2\x917\x11\xd3\x8a\x1c\xf5\xb6\x9e\x94\xdaD\xa2\xb0V\x1fCWU\x10\x81\xa4\x05\x9dGpg\x1a\r\xe7\x9f\x03\x95\xdd\xdfP\xb7H\xe24Jv\xd1B%\x07G\x0f\xe4\xf0\x03\x93\x07GY\xfeJ\x14\xaf9\xf2G\xa7\x91\xf7\xed\x1b\xbb\x0c\xde3\x88\xa6\xb1C\x08\x13a\x8b\xb5\xb4\xc2\x17\x17\xd2\x92\x1a\xe8B\x04\x86h\xe3\x18\xdd\xa9l\x12m\n`1\xd2{\xeb\x1e1\x9d2\x0fl\xf82%L\x05\xd7\xe0?^Q\xdc\xc99\xa5*\xef\xfe\xb5\xff\x00Q\xaeo\x12\x13\x86p\\\xfd\xbc\x90T\x87p,\x88\x83\xfdkjY\xd0\x1a\xa2P7m\xbe\x93\xe1\xc8\x83\x13\x0e\xd8K~t\xe8\x91\x8e\x10\t\xac\x82F!_\xfev\xd4\x9b\x9b8-\xe6o\xa0\x82\x11\x05g\xbe\xde\t\x1cB7\x0e\x1d\xb5\xfc\x8f\xfe\xe9\tm\x14\x88\x9b\x8f\x7f\x0c\x9e2B:\xc7M{s\xc7\xd9t \x8c5\xa1\xb7\xfb\xf2Y*f\xc6$t\xa1MC\x8f\r\xa4\x1b\xec\xe1\xe94\xf9\xca.\x88.*\x16o<@\xaeJ\xb9\x0b0\x19t#\x98\xa0R\xec\x11o\xb6\x90\x8d\xb6\xa2\xe1\x1c\x1fm"\xa9^\xab\xe1!\xf2\xa5P\xaeH]\xa9\x9bt\x1c\xf7x\x9dP\xc1\xdc\x1f\xa6\xae\x8f-\x15C\x05\xddz\xae\x8b\x0e\xdc\xd5\xfb\x07\xe3A\tD\xb0\xf4[\x0f\x14\xcct\xb6x\xcb\xa3\xae.\x86t\xd4S\xc7\xfa\xfd=\'\xa1L\x11\xc9\x13Lm\x9a\xc4\xeb\t\xfa\x18\xd9\xfa\xe8\xe2\x99\xf6\x91w\xfbg3\x1a\xea/\xe2\x96Bpc\xd1N\x9a\x90\x1a\xbcC\x0b%\xb6\r;2\tK5P\xbd\xca\x9aA\xb6\x80\x0cB1w\x8ai&%0Y\x97\xb2\xe3\xb6\xfa\x97\x0c\x9f\'8#Lh/\x10\x80\r6\t!5\xbdr\x92\x0e\xbc\xb4\x92b\x81\xb7\xb6\xa4bM\xb4\x16\xc3\xed\xd5\xaa%\xb2\x04\xcc\xe5\r\xa3\xb8q\xa5B1Ad\xe1:\xc9\x9f\x06\xcc$p\x94\xcff4Y\xe9\xcb\x84\x0e\xe3\x19\\w\xbe\x93D\xc8\x84r:\x91\x99\xe88DII\x89\x087f\xa6\x01\x0c\xde\x80a\xaeh2\x84`\\ve\xed\xbe\xb2 (\xd9\xc1\xa4\xfa\x01m\xb9\xban\x1d_\x178\\\xbe\xb7\xaf\x8a\xc5\x8a\x06\x80+\x0c\x02\x80/viR\x9b\x8e\x8d\xa0\x03\xc1\x87\xdbF\xbey-+y\x8d\xbc\xd7\xbfE9\xa2\x01[\x80\xcd\x8c\x9b\xe8-\xd1\x9e\x80j\td\xf4\x9d\x0bb\x1d\x1d-\xdf\xdd\xd7\xfd\xee\x8c\x0c\\\x9a\xbb_\x0f\xe3?\xd6\xbf\xae\xff\x00Z\xfe\xbb\xfdk\xfa\xef\xf5\xa1\xa1{\x04\x0fo:\x12\x90\x89\x1eF\xf43\xa4\x91\x0e\x8d\xac\x1d\x90\x10\xe7\x90zH\x11\x00\x15^4\xc8@\xc4\xd4\x14\x99A\x15\xbd\x8d;\xfcw$t]Y\xd8,\xc9\n[\x17\x8d9\xb0\x92\x85A\xe8\x8f\xa4`\x8f\xb2($\xa6@B#\x9b\xacus\n\x9c\xe2\xf7\xbb\x1f#yNs\xb0\x1a\xfeMQ5Y 3\x0b\x01\xc5\x96-\xf4\x82\xaa\x14\x08r\x01\xbe\x07\x1a\n+\x05\xb2"\xab\x97a14\x10\x03c\xe4P\x08\x04p\x8f: \n/@H\x8a\xa02-\xc1\xd0\xd0aE\x11\xe4\xf4y\x08Pl6\xf6\x10\xea\xb3\xb6f\xb0\xe8\xda\xa8\xa0\x07\xe2\xfb\xfc\x1aYK\xd3\xe1M\xe5\x9dP\x15]\xb5\xc5\x07^\xe0\xd00f\xdd\xf9\xf4q\x8aa[\x00U\xd00\xd0\xe6)\r\x14\xd2\x04\x01\xe6]\x0c\x11\x81\xd06\xf8\x00\x10H\xdd\xa1\xff\x00$\xa0I\xe0F\x08;:\xc5\x1c\x96\xcfx\xf8&\xfa\x1b\x80BC#\x03U<m\xe8\xea\x91\xd4l\xecb;/:un\xbb\x0e\x0f\x7f\x826\xf2\xcamCwU3\xdbL\xe9\xa5\x934\xa3 \xa3\x19t\x89F\x85\x1ae8(\x99+c`\xd1\x10\x1cu:=\x1f\x82\\\xd5\xdc\xa0\x8c\xc8\x9dn\x8b\x08\xf2\xf29\xd4G\x85\xa7\xa3K\xcd\xfcFe\xc71\x814a(l\xac\x08|\x06\xc1\x1b2\xb0+\xac2\xde4\x9a/\x00$\x12S\xaf\x83\xe1b\x904L#\xa5\xbfG\x81\x00\xc9&\xe0\xf3\x9d\x05\xe2\x81\xb2;?\x00\xee&\x05\\h\x1bT\xacU\xbf\xa8\xbe\xde\x8c\x8c\xbf\xd2\xae\x9eAeM\x8c\xa9\xa7&2\x94\x1d\xda\xb88\x0f\xa7\xc1m\x0f\xe1E@\xb6\x00\xd2\xab#\xab\xfa\xe1\x14\x82c\x00o\xdf>6\xe2^\xc2\xa6I\x105M\x04X\x8c\xd0\x11\r#\x111\xc1\xf08\xdb\xc7B\xdb\x8a\x91\xb4\xb2\xa5@\x9c>\x8c[\xedP\x16\xcey1\x8fI\xa0\x00\x80@\xe8|\x03,\x85\x91k\xab\xd8\xd1\x99\x96Ve\x17yP\xdbk\xb4\xf2\xe4k\xe8\xd7\x82D\xb5\xcb\x04\x15\xe5\xd4\xb6\x18\x03+\xafL\xc7\xe0\'\xfd2\xa9\xc4\xd8p\xbdS\xd1h\xb7\xb6\x80VH\x00\x84\xb3C\x08U\x18,\x96\xb5W-\xf3\xf0\x10\x90\x83r\x1d4E\xa6\x8e\x85\xa8\xc8Q\x90\xc4w\x04\x90\x00\x80\x10\x0f)\x96(\x85\x13\xa3\xa4\x89\xf4\x11t\x00\xc9L\xae\x82 \x88\x8e\xc9\xe744\x98\x96\x02Y\x83e\xd7\xd9\xbd%\xc9\x0b,\xb3\xd1C\x10\x02\x8af\xa2\xe0Xv\xd0\x01\x06\x00 \x1f\x00\xd7\xa5CX\xe4;9XiwL\x92$ \xb0Wy\x8f<\x8d\x12\x0cyJ\x88\xdc\xe5\x0e\x9akEJZ\xe8\x8cBq\xd3\xd204\xb8\x07\x9b\rn\x01^3\xa6\x00Bfk\x17s\x8f\x81\x1a\xb2\x1d\x8b\x81}\xf8\xe7[\xb2H\x84-\x01UXR?\x04\xdf\xa8\xf0\x13\x18\x16\x00\x0b\x8d\n\xa0\x90\xe4|\xc0H\x1d\xf93\x87|\xe9_\x12{\x89\xcd\r\xf3\x9cY\x9fD\x9fU\xb6\x94dm\r\x832\x8fMB\xd3=\xd7w\xce\xc8P\x8a\x18\xef\xa7\x01cO\x04g4P\r\xc7\xc2\x17\x96hJJ-[\x19\x8bP"\xd3#\xec\xdfzg\xcd\xf8\xef\xd3\xd1F\x00-@\rI\xc2`\x18*\xdf\xe0\x0bFrUpp\xb2\xa7m\x15lk\xe0~\xb1\xf86\x00\xc7\xc39\xab\x9c4\x88\x81x\xed\xb8\xf9\xbf\x1d\xfaz$\xc7\x82\x05\x01\x04\xcad\x10\xa72h\xaf\x85\x19\x92Vp\xd5\xc7\xd3\xce\xb5\xd8\x92\xdd`\xbd\xae\x88\xb8,\xa5\x87yG\x10\xd9#w\xf8\x94\xc4&\x8e8\x82Z\xd5\x92\xeaV\x02P)\xc8\xa7>_\xc7~\x9e\x893\x19V\xf4\x90\x90\x1e\x82\x92\x83\x87S\xb5#\xfd\xbf\x7f2\x81T\x0e\xae\x83\xd0\xce\x99\xe3\x95\xd4\xb3\x86h\xa5\xb8\x10\x9b\xc5+\x9b\xbf\xc45\xde\xbdb\x80u\xd1\x01\xc8\xa3n\x1f\xa7\xcb\xf8\xef\xd3\xd1\x06M\x01\xc2\xcb\x0b/\xb6\x97\x1f?\xb8K\xe4\x14\xe3\xe9\xe7\r@a\x0b\x9d\xd9\xd2\\\xf5M.\x90\xa4\xd8mE\x83\\\xb7[\x9b\xf1v@\x11\xfa:r8\x18\x08\n\xe2\xa5)q\xbb\xa7\x7f\'\xe3\xbfOD\x18\x04\x8d6hD\xd1PC\x96t\x03\x10.\x15{\xe4\xdc8\xf3\r UX\x06\xb0\xfd\n\x00q\xf3\xb6\x0c]\xcf\x08\x01\x0c\x1f\x1b\x91\xad+(\x0b\xb0\xc1\xfb:\xa6@\x8eDp\xf9?\x1d\xfaz \xc2W\xd6\x08\xa5\x02\xdfu\xdbC\x94cQ\xa5MH\x17\x83\x0b\xe5\x9e\x81\xc1Un\xed\xf5\xd2\x06\x10\xb2Bf^\x0b\xf8>8P\x14\x15\x9a\xe2z5R\x80O\xbf\x93\xf1\xdf\xa7\xa1\xcco\xb1\x98CD\xa5\x08R\xd9\xa2\x8b\xebC\x05P!\xb1\x89\xa2a\x99\n\x0fcEp"\xf2tp\xe8 \x07\x04\xf2N\xa3iMZ%jG\x18\xd0\x00\x00\x80\x18>>\xeb\xa09\xb49\xc0\xbe\xdaZ\xab*Mp\xfd\xbc\x04\xf8\x8aK\x9e\xd8\xd7\xfd\xee\x90\xa4!\xa2\x94\xc7\xa1\xcc\xccr8\x04\x8d\xc0\xb6\r\xbe\xda/\xca\xe6>j\xf3j \xc6\x0fw@/;\xd2l^\xce2}O\xc8\xeeg\x94\xee@\x88\x0b!a\xce\xfe\x0c\x01\x80\xde\xb3m\x00\x08\x10#\x06\xa7ep!\xb3\xd0\xc6\r\xed\x03\x0eG\xb3\xc8iyEu\xaeK\xdb`\x90\x98\x9euE\x12\xe2\x80\x1b\xd1^\x93:/\xf3\xdc\xa6Q\xba\xba\xab\xd3`\xf9!.\xfe?\x8e\xfd=\x0ca\xea2&\x03\x80\x99\xa1\x9aE\xd5\r\r\xacE\x1f\x87\xcd\x98\xc7x\xae\xa1:\xfd\x94\x85U\x92\\a\x11\xdf\xe4\xc4\xbb\xf8\xfe;\xf4\xf41\x98]g\x96\x81l6\xa9\x96g@( p\x1b\x1eeh\xc9\x19\x02\x01\xa1\\s\xc1\x83\x98\n\xb4\xdew\xf9\'\xec\x02P\x0e]Q\xc8\xd1\xd9\xf1\xfcw\xe9\xe8S\x082\x08\xb0\x03\xeb\xa2\xba\x11\x0c\xd8As\x07jy\xaf9\xdeX\x19u\xca\xb1N\xaa\xa3&\x97\x10&S\x17\xe4\xb3\xa0W\x82N\x80T;\xeb&\xff\x00$\xe2x\xfe;\xf4\xf4)\x92k<,\x02\xceV\xa1\xc5Z\xb0\x94\x13\xd7ay\x9em\xf3\x0bK\x92?\x8d\x00\xe4\x9a\x10\xd1wN}\xfeL>>0$\x03\xc8\x82<:\xfe_O\x17\xe3\xbfOB\x98\xb3\x07\xa0$\xb92Cx\xd1\xc7\x9f+{C`c\x82\xc2\x86\xd97\xd0\xe6"\x06\x07\x03\x05s\xef\xf2o\x07\xb7Fa\x81ex4\x04\x16!\xba\xb3\x1c\xf2\xf1\xfcw\xe9\xe8S-\xb40Fb\x8b\xda\xfd\xfc\xc6P\xd4W\xe5\xc7%S\x9d\xb3\x8e~W\x84\xf0Q\x04o\xdd}\xfcQ\xfa\x10+\xb3C\x13\xef$ \x1b\xa21\xe1=\x07\x99p\x9aBS1H\xf5\x17@\xe3\xa2\xc6\xc8\x03\xcd\x0eB\x0f\n\x18\xd2b\x04\x1c\t\'_D\x9co\xf2\xbf\xd7\xe9\xe3*\x00\xab9\xf5i\xe7D\xd4H\x95l\xa5Sx_A\x91\xb8Q\x04\xcb\x134\x8f}![\nn\xea\x9f\x84\xf3\x7fs\xa3@$|\xc8\xbfp\x07\xb7\xca\xff\x00_\xa7\x92z\x8b@\x9c\xfd\x06\x15\x9a\x0e\xe4\xaazT=\xf5\xfc\xfe\x8f7\xe3\xbfO\x963\xfa\xfd<\x95y\xb0(\x98\xbc\xb0Nk\xe80\x04\x11\x04L8\xe9\x01\x80\x01\x808\xf3~;\xf4\xf9c?\xaf\xd3\xc9\xfe\xdfG\xa0\xeat\xd4\x00\xcb\xfa:\xb9\xd3\xbb\xe6\xfcw\xe9\xf2\xc6\x7f_\xa7\x92\xf6\xc1IJ\x9d\x80\xd4R\x98\x94}\x16\xe9T| ]\x153\xfc\xe4p\x1eA\x18T\x03(h\xb3\xe9+d\x9b\x07\'2\xe89\xf0\x8d\xc9\'\xd5\x19\x1bi\xc0\xa1L\xf9@\x85qc\xf4t\x9e\x84\x9c!\x05\x01\xde\xfbh\x89\x94\x87q\x9a\xb8^|\x8e\n\xed\xa2\xef\x15 \x03\xae\x80*K\xb8}\xc2i.\xe2\x8b\x00\xb5\x19aY\xbe\xa8\xde\xd7LkU!C\x00\xf7\xf9]\xdc\xbe%S\x13\xbf\x92\x12\xa0\x897:<xuJ\x98WD7z\xe9\xc2\x19\xcd\xd5\xdc\x1d1\x8c2\x019\xe9;\xe3If@&\xcclB\xf5\xd1\xe0\x9e\xd9\xd2*]\xdf\x1d\x1c\xe8\x02\xc4\x8a\x89H\t\xd9\x04\xd1i \xc4\tDy4y\x03\xb0\x05\xff\x00"\xee\x860[\x82ja\xd8\xd1\xc3\x15\xa0]&\x1e\xd1\x03\xaf\x1a\xe7\xa7Bs\xc1c\x99\xb9\xb6\xde\x18b\x84 \xb4\x82\x10n\xe6Y\xd1-D\x05\xcc\x9e\xe9\xed\xa1\x01\r\x12\xa3\xf6\xd4:x\xa1\x02\x16\xca\xce\x9du\x98w2W\xa1\xb9\xc5\xdbXch\x1e!U)&&\xfa\xcd1\x9c\x95\xc1"\x90\xdd\xce40\xc2\x1a\xcb"\xb0^+5\x91\xdd\x11\xe1\x15e\xbd}\x93LQ\x04\x9a\x8d\xb0\x96W\x7f\x96\x196b8q\xc6u#\x9c\xac4\xa4\x83{\x02\xa4^\xce\xab\x0e\x02\x8a\xc5\xa5<\xb4mx\x18\x8f*\x13[|\x96\xd2\xd9;7\x11\xd6\'\xbd\x89}\x87\xcb\xbc\x8b\x03\xf3\xd9\xd0Q\x892\'s:\xff\x00\x80\xd1\r]M[(\xc3\xb2\x98M\xf4\xd3 T\xd8\x1a\xe5\xdb\x00] \x90\x8a\x00\xddH\xbd\x97Y]L\xaa\x9b\x9ac7[\xb4R\x0e\x06\x82m\x9d\xfb:1v*\x96\xc8\x98O\xf1O\xa2\xcb\xc0\x1b\xab\xc6\xad\x8b\xbd,\x13\x8a\xf7`\xdc\xb8\xd34\xd8\x86\x05l\xac\xb9W\xa6u\x89\x7f\'\x19\xf5\xf3%?bA\xf7t4\xd0\xc8p\'_\xb1\xa4\xc5\x8d(\xbc\xd8\x19\xc9\\A3\xad\xe0`PB,Rn@v\xd0\x00l\x02\x8e\xe9\xe4\xb9W\xe7\xea\xca\xed\x193G\x03\x9d\x18\xb3\x12\t\x93\x0e\x04\xe2[\xa3\x91\x9a\xa8\x03\x15\x10rP\xf1\xce\xa4\xf0KY\x07\x07\xbc\xdct,\xf8J\x85\xb3\xb9\x9f\xa6\x8a\x81\x10\xd7^\x0b\x85\xfa_5uYw"\xba#\xcd\xc8\x85\xebu\xb3C\xa5\x18\x90"o\xff\x00\xe6\x8aC\xa9\xd1A\x00-e9x\xff\x00\x12?\xb2\xe9\xc2\xa0\xc6A\x1e\x8d\r\xf3\xe4\xa7\x91z_2\x04\x06\xa3/\xb1\xaeO\x92\xb8\xe5x\x07+\x1ah\xb2\x062\n\x96\xf2\x18(a4\xb0ZeV\xa2\x8f\xbc\xbf\xe1\x8aUCF\xd8\x829\r\xf4A%\x00\x9a\xa8\xa7&p\x9dx\xd2\xde|Pb\xb1\xad:0\x9a5\xd4GT\xb8p\xa78;\xeb\xb9\x04\x00\xfa\x93G wQ\xfbM \x8b\n\x81\x1fo/\xf1:\xff\x00\xc4\x92\xc6\x04t\xe3\x07a\x12\xcc\xe1\xe0\xc0\x00\x02\x95\xfa\xaez\xcd\x95\x1d;b\x95\xc5\xd93\xbe\x89\x9dT%\xe4 qRT\xeb\xa64\x86\x00A\xfa\xdc\xebjRY\x13\xb1E\xfdh\x99\x86\x98\x08*!\x16\xc0\xc1\xb3\xaa\xc77x\xc1\x1e\xcc\xc6m\x86D\xea\xccU\xae\xc70\xff\x00\x16d\xe5\xa0\x80\xf5\xce\x99\xa6\x15D\xb5v\xd2Gq\xb3\xced\xae\xf3K\xcc\x01J\xd8\x8cBf\xa8\xf2\x1b\x01\xf2\x04\xecg*(v\xac\xf8\x06\x16\xa4\x15\x9a=\xdaw\xad\xd1}\x035\xc9\x9e\xd01\r\x94\xe1\xb9\xff\x00\xa7\x0f\xff\xd9')
        None(None, None, None)
# WARNING: Decompyle incomplete


def main():
    secret = input("What's the Ebin's most important secret?\n")
    if not aggept(secret):
        raise EbinException()
    gus = None.c_buffer(secret[4:-1].encode())
    segred = Ebin.from_address(ctypes.addressof(gus))
    ebonatto = spawn(ebonatti, (ctypes.c_int64,))
    eggbonde = spawn(eggbond, (ctypes.c_int64, ctypes.c_int64))
    ergipto = spawn(ergipt, (ctypes.c_int64, ctypes.c_int64))
    ebonatto(ctypes.addressof(segred))
    dibide(segred)
    eberse_drift(segred)
    brawl_stars = ctypes.c_buffer(segred.sparde.to_bytes(8, 'little') * 2)
    succ = ctypes.c_uint64 * 13()
    eggbonde(ctypes.addressof(brawl_stars), ctypes.addressof(succ))
    ergipto(ctypes.addressof(succ), ctypes.addressof(segred))
    brawl_stars = ctypes.c_buffer(segred.spurdo.to_bytes(8, 'little') * 2)
    eggbonde(ctypes.addressof(brawl_stars), ctypes.addressof(succ))
    ergipto(ctypes.addressof(succ), ctypes.addressof(segred) + 8)
    if int(gus.value.hex(), 16) == 0x3AF9670E06B9C43175FB8D6E90E1E6225CFF6AC8D52EFFAAL:
        print('Ooh I see, wise old man...')
        show_wisdom()
        return None
    raise None()

if __name__ == '__main__':
    
    try:
        main()
    finally:
        pass
    print('bail :---D')
    os.system('calc.exe')
    os.system('pause')
    return None
    return None

Now, continue with the actual obfuscated function that used to processed our input.

import dis

dis.dis(aggept)
dis.dis(eberse_drift)
dis.dis(dibide)

aggept function

105           0 LOAD_GLOBAL              0 (len)
              2 LOAD_FAST                0 (a)
              4 CALL_FUNCTION            1
              6 LOAD_CONST               1 (29)
              8 COMPARE_OP               2 (==)
             10 JUMP_IF_FALSE_OR_POP    19 (to 38)
             12 LOAD_FAST                0 (a)
             14 LOAD_CONST               0 (None)
             16 LOAD_CONST               2 (4)
             18 BUILD_SLICE              2
             20 BINARY_SUBSCR
             22 LOAD_CONST               3 ('SAS{')
             24 COMPARE_OP               2 (==)
             26 JUMP_IF_FALSE_OR_POP    19 (to 38)
             28 LOAD_FAST                0 (a)
             30 LOAD_CONST               4 (-1)
             32 BINARY_SUBSCR
             34 LOAD_CONST               5 ('}')
             36 COMPARE_OP               2 (==)
        >>   38 RETURN_VALUE

eberse_drift function

19           0 LOAD_GLOBAL              0 (bytearray)
              2 LOAD_FAST                0 (a)
              4 LOAD_ATTR                1 (sparde)
              6 LOAD_METHOD              2 (to_bytes)
              8 LOAD_CONST               1 (8)
             10 LOAD_CONST               2 ('big')
             12 CALL_METHOD              2
             14 CALL_FUNCTION            1
             16 STORE_FAST               1 (b)

 20          18 LOAD_GLOBAL              3 (range)
             20 LOAD_GLOBAL              4 (len)
             22 LOAD_FAST                1 (b)
             24 CALL_FUNCTION            1
             26 CALL_FUNCTION            1
             28 GET_ITER
        >>   30 FOR_ITER                14 (to 60)
             32 STORE_FAST               2 (i)

 21          34 LOAD_FAST                1 (b)
             36 LOAD_FAST                2 (i)
             38 DUP_TOP_TWO
             40 BINARY_SUBSCR
             42 LOAD_FAST                1 (b)
             44 LOAD_FAST                2 (i)
             46 BINARY_SUBSCR
             48 LOAD_CONST               3 (5)
             50 BINARY_RSHIFT
             52 INPLACE_ADD
             54 ROT_THREE
             56 STORE_SUBSCR
             58 JUMP_ABSOLUTE           15 (to 30)
        >>   60 LOAD_GLOBAL              5 (int)
             62 LOAD_ATTR                6 (from_bytes)
             64 LOAD_FAST                1 (b)
             66 LOAD_CONST               4 ('little')
             68 LOAD_CONST               5 (('byteorder',))
             70 CALL_FUNCTION_KW         2
             72 LOAD_FAST                0 (a)
             74 STORE_ATTR               1 (sparde)
             76 LOAD_CONST               0 (None)
             78 RETURN_VALUE

dibide function

 26           0 LOAD_GLOBAL              0 (bytearray)
              2 LOAD_FAST                0 (a)
              4 LOAD_ATTR                1 (spodro)
              6 LOAD_METHOD              2 (to_bytes)
              8 LOAD_CONST               1 (8)
             10 LOAD_CONST               2 ('little')
             12 CALL_METHOD              2
             14 CALL_FUNCTION            1
             16 STORE_FAST               1 (b)

 27          18 LOAD_GLOBAL              3 (range)
             20 LOAD_GLOBAL              4 (len)
             22 LOAD_FAST                1 (b)
             24 CALL_FUNCTION            1
             26 CALL_FUNCTION            1
             28 GET_ITER
        >>   30 FOR_ITER                10 (to 52)
             32 STORE_FAST               2 (i)

 28          34 LOAD_FAST                1 (b)
             36 LOAD_FAST                2 (i)
             38 DUP_TOP_TWO
             40 BINARY_SUBSCR
             42 LOAD_CONST               3 (2)
             44 INPLACE_FLOOR_DIVIDE
             46 ROT_THREE
             48 STORE_SUBSCR
             50 JUMP_ABSOLUTE           15 (to 30)
        >>   52 LOAD_GLOBAL              5 (int)
             54 LOAD_ATTR                6 (from_bytes)
             56 LOAD_FAST                1 (b)
             58 LOAD_CONST               2 ('little')
             60 LOAD_CONST               4 (('byteorder',))
             62 CALL_FUNCTION_KW         2
             64 LOAD_FAST                0 (a)
             66 STORE_ATTR               1 (spodro)
             68 LOAD_CONST               0 (None)
             70 RETURN_VALUE

Convert the opcode manually to python code, validate the code by utilizing dis function.

Function aggept

def aggept(a):
	if len(a) == 29:
		if a[:4] == 'SAS{':
			if a[-1] == '}':
				return True
	return False

Function eberse_drift

def eberse_drift(a):
	b = bytearray(a.sparde.to_bytes(8, 'big'))	
	for i in range(len(b)):
		b[i] += (b[i] >> 5)
	a.sparde = int.from_bytes(b, byteorder='little')

Function dibide

def dibide(a):
	b = bytearray(a.spodro.to_bytes(8, 'little'))
	for i in range(len(b)):
		b[i] //= 2
	a.spodro = int.from_bytes(b, byteorder='little')

Spawn function

There are 4 functions constructed with function spawn which are brother, ebonatto, eggbonde, and ergipto. Lets take a look on spawn function

def spawn(c, args):
Unsupported argument found for LIST_EXTEND
Unsupported opcode: LIST_TO_TUPLE
    buf = ctypes.c_buffer(c)
    no_clean_pops.append(buf)
    addr = ctypes.addressof(buf)
    olt = ctypes.c_ulong()
    eval('ctypes').__dict__['windll']['kernel32']['VirtualProtect'](buf, len(c), 64, ctypes.byref(olt))
    if 'brother' in globals():
        globals()['brother'](addr, gondola[len(no_clean_pops) - 2])
        addr += 20

There is one crucial variable accessed through globals function which is brother. Because if brother defined, it will call brother after calling virtualprotect. From the documentation we know that VirtualProtect will change the protection on region of memory and the memory address will be in first argument of the function call. The first argument is buf which is the return ctypes.c_buffer from first spawn argument. So basically the buf is the address of first argument in spawn. Now, look at the initialization of brother variable we can see that the first argument of spawn function is ebor. Because the process only change the protection we can assume that the ebor value should be assembly bytecode. Lets dump the value and open it using IDA.

Function brother

def write_to_file(fn, data):
	out = open("exe/" + fn, "wb")
	out.write(data)
	out.close()

ebor = b'\xe9\x9a\x00\x00\x00\xe3q\x98\x9e\tt\x89\xe6\xbe\xce\x89R\x1egb\n\na\xaa\x0c\xe1\xe2\x10\xa1\x02\xba2\xc7[\xd9W\xbcqk\x82\xf8\xda\xdb\x01\xed\x1f\xc6\xb3\xd3W\xf8\xab.\x94\xe7,)\x89\xfb\xe8\x9dA\xb7\x926c\xb3\xc5\xd5\x83\xfd#\xef\xc4\x92\x18 p\xee:\xe9\xb9\xc1x\xc3\xce\xb9\xcah}\xf5\xe3\xb8\xee\xe9-\xaf\xe0I#\x1e\x9c\x95 M\xe7h\xa5\xbb\x99*\xc9\xc3\x939\xd6\xa5\x1d\xdeT\xfd\xdcl\xfam\x04\xc4i\x96\xca?\xa0\n}\r\xa38\x98\xe5\xf9 \x8b\xc5\x1b\x15\x08\x88\xb2\x1bE\x91\xc2\x1d\xa5\xbe<\xd0\x8b\x97\x89T$\x10H\x89L$\x08UWH\x81\xecH\x01\x00\x00H\x8b\xecH\x8b\x85`\x01\x00\x00H\x83\xc0#H\x89E\x08\xb8\x01\x00\x00\x00Hk\xc0\x16H\x8b\x8d`\x01\x00\x00\x0f\xbe\x04\x01\xc1\xe0\x08H\x98H\x8b\x8d`\x01\x00\x00H\x8dD\x01\x19\xb9\x01\x00\x00\x00Hk\xc9\x15H\x8b\x95`\x01\x00\x00H\x0f\xbe\x0c\nH\x03\xc1H\x89E(\xc7ED\x00\x00\x00\x00\xeb\x08\x8bED\xff\xc0\x89EDHcEDH\x8bM\x08\x0f\xbe\x04\x01\x85\xc0t\x02\xeb\xe6\xc7Ed\x00\x00\x00\x00\xeb\x08\x8bEd\xff\xc0\x89Ed\x8b\x85h\x01\x00\x009Ed}>HcEdH\x89\x858\x01\x00\x00\x8bEd\x99\xf7}D\x8b\xc2H\x98H\x8bM\x08\x0f\xbe\x04\x01H\x8bM(H\x8b\x958\x01\x00\x00\x0f\xbe\x0c\x113\xc8\x8b\xc1HcMdH\x8bU(\x88\x04\n\xeb\xafH\x8d\xa5H\x01\x00\x00_]\xc3\xcc\xcc\xcc\xcc\xf5\xc5\xbf\xdb\xb0I\xf8\xaa\xb0\xd2 |-\x9e\x8b\x99\xb7\xee\x10\xe5\xcf;\xb0\x8f\xa2B\xf0\xfd\xd9\x10*0\xf6\x10\x99t\xb1\x83&_Wx\xd7\xcdr\'H\x0c\xc3\xf8\x98Z\xfa\xd1E\xbdnJ\xce\xc4\tC\xa8\xafo\xc7\xd2\xe2\xc7\x18\xfb\x8dt\xbae\xfd\n\xb67;$@\xb0%\x8e\x02{\x94\x98"1\xa1\x80\xc9\x1aC|\xd2\x82\xb4:\xe4\xe2L\xf3\xe0\xc3\xf6\xaa\xa2*\xad}\x9f;\x8a\xc1\xd0\xa9\xfcq\x02U\xb5\x97\x18\x9d\xa79\xc0\x17\xb0\xa4\x11^\xec[d\x13\xf86\xe5\xd0\x96{1\xbf\x83\x0b\x80\xcd\xcb\xe0\xbb\x8b=\xa4Y\x9c\xab\xb8\xb5p\xf8\x1d\xc3oo\xf5*\x9c\xbf\xd0"\xe1J\xba\xdehn\xb1\xf5D\xec_90\xbds&y\x00\xdbK\xe3Mw\x7f[:\x9a\x9f\xe6I\x13\x88*\x98\xeb\xdd\x1e\xa2]\xd6\x07q\xff\x9d\xd9\x1c\xf8\xc5\xf9Gs\xc9\x92\x88\x82\xe9]\xe6+d&p\xf4\xf3\xd6\xf3\xf8\x07\x89?>\x9a-\xa4\x13\xb7l\xd0\xa3\x98\xeaQ\x9b\x07\\\xcepo\x94\x07\xceF\x10\xa9\xb2\x89\xdcD:-I\xd4v>l\xffr\xd4\xa6\x98N\x94.D\x84\xcd\xbaI\xbc c8\xe9\xab\x18\xab\x17rg\xc5\x0fc\xcb\x9d\xe8s\xa9\xb3\xddd\x92\xbb%\x94\xdc\x19\xb3\xed\n\x82\x00\xb4J\xc3x\xe5\xb78)\xc7\x9d\x7f\xe0h\x95\x14:\x0c\x1d\xd7\xd4\xf3?V\x0e\'=\xfc\xfa2\x85\x95\xcf\xdc;\xd4\xcb\xc8\xc3\xfb\x1a\tE\x94x\x9aC@\x1d\x92\xe7\xbc\xabd!\xe98?\x04\x15\xba\x00\x14\x1f\x0f\xf9\xbb\xc0\x87\xd3FV\xd1\x8cMC\xbb\xbe\xbd\x9f}\x05\x8b\x9b\x9c=/\xee\xb6\x12\x07iL\xb8\x05\tp\x8d\xae\x97\xfcgb\xeae\xde\xa2>\x8a\x13\xc0\xf7\'\xa4\xce&\xb9\x88\xcf(.\xbbO\xdc\xae\xb27T9Y\r\x02\xec\xec\x91\xc0Z\xea\xe4{\xf9\xc6|\xe1\xd3>C\xef\n;\xd77\x0e\x9bJ?\x96\xc0\xec\xc6\xa7W\x87\x86\xda\xfd\xcf\x8c\xe3\xdc\xb3HU\x1c\x1cO\xa5~/\xad\x8c}\xc14\x96\x0e\x1c.q\xd3\x1d4\xc6\x9c\x94\xe6P\x12$\xc5\x9eL)\x82\x14\xebG72\xb6D\xe9\x1dj\xe1\xf9b\xaf;\xff\xf8\x84\x91\xa5\xbc\xb7\xce\x8erh\x1a\xa6\x03\x9de#\xdb\xa3\x9am\xe4O/\xc1V8\xfeK\xc9:\xf6\x0e#\x90\x90\xbf\x82\xc7\xc4]\x0f\x1f\x92\x03\xf4^\xd0\xa98\x98\xdd\xcb\xea\xa9B\xa7\xcd\xca\xee\xdf\xf9\xff\x9c\x87_H\xcfc \xf6\xaer\xc1l\x0b\x06\xc7\x11nL\xf7'
write_to_file("brother.exe", ebor)

Load as x64 file, then go to address 0x0. Go to the address of jmp instruction to view the actual code.

Press p or create function to make a function of those code.

__int64 __fastcall sub_9F(__int64 a1, unsigned int a2)
{
  __int64 result; // rax
  __int64 vars8; // [rsp+8h] [rbp+8h]
  __int64 vars28; // [rsp+28h] [rbp+28h]
  int i; // [rsp+44h] [rbp+44h]
  int j; // [rsp+64h] [rbp+64h]
  __int64 vars138; // [rsp+138h] [rbp+138h]

  vars8 = a1 + 35;
  vars28 = *(char *)(a1 + 21) + a1 + (*(char *)(a1 + 22) << 8) + 25;
  for ( i = 0; *(_BYTE *)(vars8 + i); ++i )
    ;
  for ( j = 0; ; ++j )
  {
    result = a2;
    if ( j >= (int)a2 )
      break;
    vars138 = j;
    *(_BYTE *)(vars28 + j) ^= *(_BYTE *)(vars8 + j % i);
  }
  return result;
}

Lets modified some variable to make it easier to understand. Convert the __int64 to char * also for several array variable.

__int64 __fastcall sub_9F(char *a1, unsigned int a2)
{
  __int64 result; // rax
  char *key; // [rsp+8h] [rbp+8h]
  char *ciphertext; // [rsp+28h] [rbp+28h]
  int i; // [rsp+44h] [rbp+44h]
  int j; // [rsp+64h] [rbp+64h]
  __int64 vars138; // [rsp+138h] [rbp+138h]

  key = a1 + 35;
  ciphertext = &a1[256 * a1[22] + 25 + a1[21]];
  for ( i = 0; key[i]; ++i )
    ;
  for ( j = 0; ; ++j )
  {
    result = a2;
    if ( j >= (int)a2 )
      break;
    vars138 = j;
    ciphertext[j] ^= key[j % i];
  }
  return result;
}

So basically it just do xor for two data, look at brother function call we can understand that it xor first and second argument.

globals()['brother'](addr, gondola[len(no_clean_pops) - 2])

Next, convert brother algorithm to python code

def brother(ciphertext, key):
	ciphertext = list(ciphertext)
	for i in range(len(ciphertext)):
		ciphertext[i] ^= key[i%len(key)]
	return ciphertext

We already have brother function, so lets get another function bytecode. The problem is during the competition i can't find the correct key for each function, so i choose to directly dump the bytecode from memory using python. To dump all the bytecode we need to do it sequentially like the original code.

def get_asm(func_name, size):
	tmp = ctypes.cast(func_name, ctypes.c_void_p)
	s = (ctypes.c_char * size).from_address(tmp.value)
	return s.raw

ebonatto = spawn(ebonatti, (ctypes.c_int64,))
print(get_asm(ebonatto, len(ebonatti)))

eggbonde = spawn(eggbond, (ctypes.c_int64, ctypes.c_int64))
print(get_asm(eggbonde, len(eggbond)))

ergipto = spawn(ergipt, (ctypes.c_int64, ctypes.c_int64))
print(get_asm(ergipto, len(ergipt)))

Write to file again for all the bytecode then open each of it using IDA.

def write_to_file(fn, data):
	out = open("exe/" + fn, "wb")
	out.write(data)
	out.close()

ebonatto = b'\xe9w\x00\x00\x00fnk~\xb7U\x9bh\x8bDHb\xc8t*\x80J\x90\x00\xcaF\xacYO\xfa\xfc\xc5>\xe3\xf6X\xef\xad\xc5|\x04\xd5\x94l\xd0o\x1fr\xdb\xa8+\xcc\x83\xff\xaaV\x12\xaf\xd55\x86\xbfkm\xd8\xce\xf3\xf2xL1\xd3\xfea\xfb\x08\x92\xe6\x8c\xf4\x94\xd8\tb\xfb\x13}\xdf\xf8\xfc\xedQ\\4n\xc1\x86\xfc\x0f\x11\xee\x9e\xca<\x1c\xa2c\x9e3\xdeI\x11!\x99b\xb2=k\x9a\x88B\xe3j\xd5H\x89L$\x08UWH\x81\xecH\x01\x00\x00H\x8b\xec\xc7E\x04\x01\x00\x00\x00\xc7E$\x02\x00\x00\x00\xc7ED\x00\x00\x00\x00\xc7Ed\x00\x00\x00\x00\xeb\x08\x8bEd\xff\xc0\x89Ed\x83}d\x19}_\x8bE\x04\x89ED\x8bE$\x89E\x04\x8bED\x8bM$\x03\xc8\x8b\xc1\x89E$\x8bEd\x99\x83\xe2\x07\x03\xc2\x83\xe0\x07+\xc2H\x98H\x8b\x8d`\x01\x00\x00\x0f\xbe\x04\x013E$\x89\x854\x01\x00\x00\x8bEd\x99\x83\xe2\x07\x03\xc2\x83\xe0\x07+\xc2H\x98H\x8b\x8d`\x01\x00\x00\x8b\x954\x01\x00\x00\x88\x14\x01\xeb\x93H\x8d\xa5H\x01\x00\x00_]\xc3\t\xb6}f\xdd\x8bH\x89\x8f%\xc1\xea\xf3\xd2\xb6\xe1}!`\x14\x86Fx\xe0\xe3<Y\xb47\xf7\xe8\xaa\xd42\x86\xa1`\xdcm\xec\x19\xdf\xef\x179^pe\xc0\xe2Oh\xe1/\xbc\xea\xb7\x9b\xeb.I~2\x10\xc3!5\xc0\x13G%\xba\xe0\xfd\x1e\xe5\xe6\xfe-\xed~p\xe5\x9f\xd5\xdf\xd9e\xaba\xec\xc2\xd2B\xaaQ\x15\x8b\x98\xee<\x07*\xea\xec5F\'\xb4\xa1S\x1c\xc7\t?\xf0K\xbf\x12\xd4Zq\xa3\t\x1e\x92\xd4\xbe\xc9\x0b\x87v\x86@J\x1an\xdaV\x19 w\xe1tZ\x90T4 (Qf\x9f.\xfdH\x0f\xe64\x80Su\xe5sC.C\x84\t-\xe9\x94\xa0\xce\xa0xcZ:\xa9\x96\x04\xfc\xd4\x19{\x16WQ\xc267:J\xcfX\t\xbd\x87\x94\xe1k\x020|S@\xb1x\rE\x9e\x9b\x03\x97\xd5\xf8\x90\xd8;\x9a\xd0\x82)G*t\x89\x98\xee\xb4#\xc3\xfa\x9b\xc7N\xa4\xb5=\xcau\xc7-\xa1\xd7\x19\xfd\xa1uL\x02$\xb3\xdc}\x83Da\xf7\xb1S*\xb3?1\x1f\x95?\xa2\xeaK\xe4{\x0f"j\xdb\xf0\x88\x97\xd1S\xe6A5<\n\xa5C\x984!U\xc5\x82\xc5\xd0:r\xd3\x80ur+\xe1U\xb4\xe2\x1d\xc5UA&\x0f\xc9:[\x8f\xee\x04\x00\x9a>)\x86\xe8\x94\xc91\x96\xdb\x87\xbd\xe8Un\xd2\xe1P\xaf\xd6\xac\x10\xbd\x9e\x98\xb0*z\xa4\xbfB7!@1X\xe7\xd6\xce\xd1\x9e\x05v\xfd\x8dWy\x9b(?^w:-\xa0,Ep\xa80\t\xd5\x08\x98rb\xa7O\xa0\xab/\xff\xfe\x9eu\xb24O\xb3\x06=\xdc\xb1K\xf8}\xa8e\x12.>\xe9_:q4z\x0f\xaee\xac&D\xa1\xed\xf1W\x1d\xe9\xab\x86\xc4u\x90\xe2~\xd3%A\xc4\xdb\x06]\xe6\xcec\xb4\xdex\xa3#\x81\xe8t\x99\xb8A\xa0\xfb:\xa6u2\x1e\xab\x8c\x98f\x04P\x9e)\x9c\x8a\xae\xee\xdd\x0f\xcc6\xe9n\x1eeB^e\xc5O\xc6_\x10o\xf6/I\x98R\xae7S\xf2\xf4w=p\xa0\xe8\x84#RK\xb8V]\xf5U\xc5\x95\x8b\xd5VP\xf9\xe1\xef\xde\xc0{\xee\xd3\x85\x9a\n*\xc7\x8c\x1d\x1a\xf8\xce\xa2\xcc\xe1?\x90\x7fmt\xfe\xf8\x91t\x18\x13\xbd\x1d\x0eJ\x99^\xdb\r\x88\x81\x04\xdesk\xf3\xe8\xfdAL\xeas\x13I\xee\xe3)3V`=\x9c\xfd\x81\x96D\n\x81\xe1LZgv\x1fSgH\xaei\xdbf\xb9p\x0c\xa4\xd0\x83e\x9a\xf8\xa0\x04C\xa4\xdc\xa8\x11\x0c\xe3"3\x8d.ArF\xda3c-|\xf9\xda\x96\xa4\xf0\x9e\xe7G\xa7\xb8>|\xea\x7f5\xb3\xfb\x81t\x945\xf6d8\x88\xd0\x06y\x08\xf0\xc5\xd9\x04(L\xe7\x91XL\x8cK\x8e\x03\xb0\x13\xef\xf0g\xe5\xf9\x1d\xa2.\x8b\xc3n2(\'\x94.\xcf\n\x94R7O\x9f\x19:\xda\x96\x94\x86\\\xa3\xea\x00\x00\x00\x00\x00\x00\x00\x00\xe9l\x86\xb7\x00\x08\x00\x80\xf0\xdb\xd0\xbb'
eggbonde = b'\xe9^\x00\x00\x00vJ\xc0\xe3\xb4\x7f\x9c\x91\xa1\x12\x91\x99\xbd\x0e\x95\x0e\x7f\xc8h\xd6\x93\r\xe8k\xc1 \x00\xeav\xb0\xc5\xd0$\x9b-\xe8\t\x1c\x89\xde\xd7(\x02\x8d1\xb8\x1en$\xfa.tU\xe5j\xd2H\x01\xdbB\x88?\xbc"\xed\xb6\x9d\xf02]u\x9a\xb1\x8a\xae^\xe8\xa4\xad\x05\n}\x05\\\xc6\xdb\xa8\x96\x9b\xcc\x05\xa9W\xd3H\x89T$\x10H\x89L$\x08UWH\x81\xech\x01\x00\x00H\x8b\xec\xc7E\x04\x00\x00\x00\x00\xc7E$\x00\x00\x00\x00\xc7ED\x00\x00\x00\x00\xc7Ed\x00\x00\x00\x00\xb8\x04\x00\x00\x00Hk\xc0\x00H\x8b\x8d\x88\x01\x00\x00\xc7\x04\x01cQ\xe1\xb7\xc7ED\x01\x00\x00\x00\xeb\x08\x8bED\xff\xc0\x89ED\x83}D\x1as%\x8bED\xff\xc8\x8b\xc0H\x8b\x8d\x88\x01\x00\x00\x8b\x04\x81\x05\xb9y7\x9e\x8bMDH\x8b\x95\x88\x01\x00\x00\x89\x04\x8a\xeb\xcd\xc7Ed\x00\x00\x00\x00\x8bEd\x89ED\xc7\x85\x84\x00\x00\x00N\x00\x00\x00\x8b\x85\x84\x00\x00\x00\x89\x85T\x01\x00\x00\x8b\x85\x84\x00\x00\x00\xff\xc8\x89\x85\x84\x00\x00\x00\x83\xbdT\x01\x00\x00\x00~\x0c\xc7\x85X\x01\x00\x00\x01\x00\x00\x00\xeb\n\xc7\x85X\x01\x00\x00\x00\x00\x00\x00\x83\xbdX\x01\x00\x00\x00\x0f\x84\x03\x01\x00\x00\x8bEDH\x8b\x8d\x88\x01\x00\x00\x8b\x04\x81\x03E\x04\x03E$\xc1\xe0\x03\x8bMDH\x8b\x95\x88\x01\x00\x00\x8b\x0c\x8a\x03M\x04\x03M$\xc1\xe9\x1d\x0b\xc1\x89\x85T\x01\x00\x00\x8bEDH\x8b\x8d\x88\x01\x00\x00\x8b\x95T\x01\x00\x00\x89\x14\x81\x8b\x85T\x01\x00\x00\x89E\x04\x8bEdH\x8b\x8d\x80\x01\x00\x00\x8b\x04\x81\x03E\x04\x03E$\x8bM$\x8bU\x04\x03\xd1\x8b\xca\x83\xe1\x1f\xd3\xe0\x8bMdH\x8b\x95\x80\x01\x00\x00\x8b\x0c\x8a\x03M\x04\x03M$\x89\x8dT\x01\x00\x00\x8bU$D\x8bE\x04D\x03\xc2A\x8b\xd0\x83\xe2\x1fA\xb8 \x00\x00\x00D+\xc2A\x8b\xd0\x0f\xb6\xca\x8b\x95T\x01\x00\x00\xd3\xea\x8b\xca\x0b\xc1\x89\x85X\x01\x00\x00\x8bEdH\x8b\x8d\x80\x01\x00\x00\x8b\x95X\x01\x00\x00\x89\x14\x81\x8b\x85X\x01\x00\x00\x89E$\x8bED\xff\xc03\xd2\xb9\x1a\x00\x00\x00\xf7\xf1\x8b\xc2\x89ED\x8bEd\xff\xc03\xd2\xb9\x04\x00\x00\x00\xf7\xf1\x8b\xc2\x89Ed\xe9\xb7\xfe\xff\xffH\x8d\xa5h\x01\x00\x00_]\xc3\xd0\xe7I!\xcb\x00\x01\xe9\xba5\x08e\xbc%-\xdf\xe1\xb9\x08f\xcc\x8a\x9f\xc9\xf4\xdd\x8aJb\xd9\xbb\x97\xe3\xba\xfez\xb7i\xa1\xae3\x0f\xe2\x1a\xf3eb#\xa0\x15\x95\x16\x8aw\x9f<\xbeJ\xadl\xcd\x18\xbcX\x00\xb0<M{DD8\x18\xdd2?X\xdd\xf4\xa9\x94#\xe2N\xa4[\xaf\x97\xb0\x83\n=\xf8\xdf+\xee\xb6)\xfbr\x99\xc1\xb36\x0b\x0b\rS\xab\xf5A\xb0\xb2\x90(\xcc\x81Q\x05z\xf9Z\xfc\xae\xf0P7\xf61\xbc\xd7\x8d\xfbQ\x06,\x85c\xcfK]4#\x87\xf7)t\xc9\x93I\xc5\xe9\xdc\x8fF\xd6dMm\x9f\x99\x99\xd7\xa7|\x7f\xe5A\x10g\x9e\xbb)\xf90{\x17\xc34{c\xe03\xfa\xfd\xb12\x97\\\xa1\xc8\xba\xf5#:\xd0\x91J\xd4\xc56)\r\x00\xa4JpGK\x7f\x85m\xf5\x10\xa5\xf6\xa3\xe4D\xf9\xeda\xf0K\xe1\x1bY\xb9oN\x1c)\xff\xdc?\x8a\xb1p\xfflBJ\xe2cwN\x94~\xf8x\xcf\xe1lm\xbfC\xb0\x9f\xcc\x99Fbpw\xad\x16\n\x1cl\x8c\xd3s\x05\x0e@Ts\xbam\x1cV\x1f"\xba\xeb\xa4\xed\xd0\x88E\xd0\xe7:\xde\xd1\xa8;\xaf\xb6\xf8\x06y\xdd\xcb*\xf7\xfd\x06ih4h\xae+O>5\xaf\x07\xc9\x87\xc7\x91\xa8pt\xf32w\xdb\xd8q\xfb2\xa0ky\x85\xc0Y\xd2\x16uC\x04l\x84\x881\xefz\x02\xa5\xda\x87A\xe5$\xb7\xf6\xb13\x02\xdd|\xe21\x9d\x8d\xe9\x85\xd3\xf7\xc1\x00\xf47\xc2E?\x01\xdb\xee\xfc\xe8\x89\xa1\xaa\xd1\x84\xd8<\x9cBV\xc0\xce\xc4,X\x13p\xc0u\xba\xc2\xf9\xab\x80\xd2\x00\x00\x00\x00\x00\x00\x00\x00\xa8l\xc7\xb7\x00\t\x00\x90p\xf2\xe1\xb9'
ergipto = b'\xe9=\x01\x00\x00\xdb\xf7\x18\x86\xb3\x91*S\x81\x04\x7f\xa8\x9a\xc7&\x9dN\x8e\x00\xda\xcd\xed\xd2gb\x82\x8a>\xba\x9bJ\xa57\x08,$[\xaa\xd6}\xa7^\x16\xfc`\xbd\xcc-\xce\x0b\xa3\x13d%*\xcf\x8d\x1f\x01z\xeb^\xd6I\xa9\xd6\xaa\xf0\xaf\n@\x00\x80\x92\rk\xa0\xb7\x92\x06\xc6\x1e-N\xde\x11\xf0\x0c/H\xd4\xc5\xcb}R\x01\x8bH\xba\xef\xd0B\x11\xea\xc4\x87J\xc4+g\xe3Ul\xcc\x13\x03\x1b\x0b\xf2!V\x8c?\xb7\x0b\xd7UMjU\xa8\x86b\xac\xf1\x10ubZ\x06B4v\xd0\xfdZ1\xf5\x04;\x07#v\xe6@\xd7O\x0b\x93j\x1eX\x92\x84?\x83D\x99\x18\x89\r6\xd5\xee\x8c\xba\nF\xb1\xb3Q\xfc\x85Q\x1ed\x08h\x86_\x04\xf8\x94\x18\x94?\xee]\x08h\xc8`\xa9\x05\xc6&\xce\x18\t#G\x84COV\xe8\xb6\xc8_\x94\xb3\xd5&uQ`[*\xe1\x9a\xe4\x86\x99f]\x98\xdd2\xaa0/\x15)\xfd\x8aY9&\x93P8\xfa\x96\xa87\x0f\x97\x8fb\xdf\xe5_%\x0b\xb5\xccA\xbe\xc6\x1dM\xcb\xd5\xb1\xd4Ed\xbfa\xa21\xbc2\xdf&\xa7\x1a\x1c1y\x1b\x07\xb2\xd6|\xd6\xc2\xe9\x02\xa5\xa3_\xbd@\x90+\x96\xefe\xe0\xc5a\x80\x9b\x0e\x8b^H\x89T$\x10H\x89L$\x08UWH\x81\xecH\x01\x00\x00H\x8b\xec\xc7E\x04\x00\x00\x00\x00\xeb\t\x8bE\x04\x83\xc0\x02\x89E\x04\x83}\x04\x04\x0f\x83W\x01\x00\x00\x8bE\x04H\x8b\x8dh\x01\x00\x00\x8b\x04\x81\x89E$\x8bE\x04\xff\xc0\x8b\xc0H\x8b\x8dh\x01\x00\x00\x8b\x04\x81\x89ED\xb8\x04\x00\x00\x00Hk\xc0\x00H\x8b\x8d`\x01\x00\x00\x8b\x04\x01\x8bM$\x03\xc8\x8b\xc1\x89E$\xb8\x04\x00\x00\x00Hk\xc0\x01H\x8b\x8d`\x01\x00\x00\x8b\x04\x01\x8bMD\x03\xc8\x8b\xc1\x89ED\xc7Ed\x00\x00\x00\x00\xeb\x08\x8bEd\xff\xc0\x89Ed\x83}d\x0c\x0f\x8d\xb5\x00\x00\x00\x8bED\x8bM$3\xc8\x8b\xc1\x8bMD\x83\xe1\x1f\xd3\xe0\x8bMD\x8bU$3\xd1\x8b\xca\x89\x8d4\x01\x00\x00\x8bUD\x83\xe2\x1fA\xb8 \x00\x00\x00D+\xc2A\x8b\xd0\x0f\xb6\xca\x8b\x954\x01\x00\x00\xd3\xea\x8b\xca\x0b\xc1\x8bM\x04\x03\xc9\x8b\xc9H\x8b\x95`\x01\x00\x00\x03\x04\x8a\x89E$\x8bE$\x8bMD3\xc8\x8b\xc1\x8bM$\x83\xe1\x1f\xd3\xe0\x8bM$\x8bUD3\xd1\x8b\xca\x89\x8d4\x01\x00\x00\x8bU$\x83\xe2\x1fA\xb8 \x00\x00\x00D+\xc2A\x8b\xd0\x0f\xb6\xca\x8b\x954\x01\x00\x00\xd3\xea\x8b\xca\x0b\xc1\x8bM\x04\x8dL\t\x01\x8b\xc9H\x8b\x95`\x01\x00\x00\x03\x04\x8a\x89ED\xe99\xff\xff\xff\x8bE\x04H\x8b\x8dh\x01\x00\x00\x8bU$\x89\x14\x81\x8bE\x04\xff\xc0\x8b\xc0H\x8b\x8dh\x01\x00\x00\x8bUD\x89\x14\x81\xe9\x96\xfe\xff\xffH\x8d\xa5H\x01\x00\x00_]\xc3\xb30(\xeeoc\xbb\xbbU\x01MO\x83\x93\xba\x81\xe5\x11.\xf6pc\xf7\xcf\xd6\xddI\x89\xf4\xeb\xb6\xb65\xa6\x12s\xeb\xe1+yv\x1c\xcc\xcc\xcb\xfa\xfd\x9c\xf9\xdbl\xdd\x08f\xc4X\x90\xe7\x83\x0e\r\x89\xb7\x88 \xbe\r\xeb\x0f\xaa\x97\x17\xa299>A\xc1\xb8\xa7\xea\xef\x1dj\xc1\xf7\xc2[,\xf3fh\xc0\xca#[\xae\x12[\r\xf7\xab\x8d\xbcV\x1fg\x13\x85\x0c\'\x08|\xb4\xdfj\xd4\xd9\xb5d\xaa\xec\xfd\x16\xf4\xe6Xm\xa8\xd3))\x1f\x8a((d\xd6\x9fW\xd9t\x05R\x7f\xe7\xad\xc8\xae\xd5\xc7\x0fC\x02\xcb\x03|\xdcP\x9b\xcd\x8e\xd1sa\x89\'\x97[\x00\x0fM\xf0\xcfn\xbfG\x1b\x19k\xc9\xa7W\xf6\xfa\x9c\xa6\xf2Y\xe1#wm.\xfb\x12"\xbf\xc4\x831\x80k:\x87\xcb\xbd\x94<l\x19\x084\xc8Js\xc8\xe9\x85>\x1c\xfeZ\x06 \xd2\x8a\x91\x19\x14\xa6>\xbdb\xd9^\xcc\xc6B[\x0f\x00\x84\x99\xa3\xdd1\xdf\x0b\x97\xb8\xfe\xdd\xe2\xac\xe4k\xc7\xd4\xaef`\xb7x\x06\x14\xac"\xe4+\x1e\x14\x10]\xa6\xe5\t\xa2\t\x00\x00\x00\x00\x00\x00\x00\x00\xa4o\xdb\xb6\x00\r\x00\x80\x90A\xce\xbb'

write_to_file("ebonatto.exe", ebonatto)
write_to_file("eggbonde.exe", eggbonde)
write_to_file("ergipto.exe", ergipto)

ebonatto function

__int64 __fastcall sub_7C(__int64 a1)
{
  __int64 result; // rax
  int vars4; // [rsp+4h] [rbp+4h]
  int vars24; // [rsp+24h] [rbp+24h]
  int vars44; // [rsp+44h] [rbp+44h]
  int vars44a; // [rsp+44h] [rbp+44h]
  int i; // [rsp+64h] [rbp+64h]

  vars4 = 1;
  vars24 = 2;
  vars44 = 0;
  for ( i = 0; i < 25; ++i )
  {
    vars44a = vars4;
    vars4 = vars24;
    vars24 += vars44a;
    *(_BYTE *)(a1 + i % 8) ^= vars24;
    result = (unsigned int)(i + 1);
  }
  return result;
}

Convert it to python code

def ebonatto(a1): # correct
	a1 = list(long_to_bytes(a1)[::-1])
	vars4 = 1
	vars24 = 2
	vars44 = 0
	for i in range(25):
		vars44a = vars4
		vars4 = vars24
		vars24 += vars44a
		vars24 &= 0xff
		a1[i%8] ^= vars24
	a1 = bytes_to_long(bytes(a1)[::-1])
	return a1 & (2**64 - 1)

eggbonde function

__int64 __fastcall sub_63(__int64 a1, _DWORD *a2)
{
  __int64 result; // rax
  unsigned int vars4; // [rsp+4h] [rbp+4h]
  int vars24; // [rsp+24h] [rbp+24h]
  unsigned int i; // [rsp+44h] [rbp+44h]
  unsigned int vars44a; // [rsp+44h] [rbp+44h]
  int vars64a; // [rsp+64h] [rbp+64h]
  unsigned int vars64; // [rsp+64h] [rbp+64h]
  int vars84; // [rsp+84h] [rbp+84h]
  int vars154; // [rsp+154h] [rbp+154h]
  unsigned int vars154a; // [rsp+154h] [rbp+154h]
  int vars158; // [rsp+158h] [rbp+158h]

  vars4 = 0;
  vars24 = 0;
  vars64a = 0;
  *a2 = -1209970333;
  for ( i = 1; i < 0x1A; ++i )
    a2[i] = a2[i - 1] - 1640531527;
  vars64 = 0;
  vars44a = 0;
  vars84 = 78;
  while ( 1 )
  {
    vars154 = vars84;
    result = (unsigned int)--vars84;
    if ( vars154 <= 0 )
      break;
    vars154a = ((vars24 + vars4 + a2[vars44a]) >> 29) | (8 * (vars24 + vars4 + a2[vars44a]));
    a2[vars44a] = vars154a;
    vars4 = vars154a;
    vars158 = __ROL4__(vars24 + vars154a + *(_DWORD *)(a1 + 4i64 * vars64), (vars24 + vars154a) & 0x1F);
    *(_DWORD *)(a1 + 4i64 * vars64) = vars158;
    vars24 = vars158;
    vars44a = (vars44a + 1) % 0x1A;
    vars64 = (vars64 + 1) % 4;
  }
  return result;
}

Convert it to python code

def eggbonde(a1, a2):
	vars4 = 0
	vars24 = 0
	vars64a = 0
	a2[0] = 0xB7E15163
	for i in range(1, 0x1a):
		a2[i] = (a2[i-1] - 0x61C88647) & (2**32 - 1)
	vars64 = 0
	vars44a = 0
	vars84 = 78
	while True:
		vars84 -= 1
		if vars84 <= 0:
			break
		vars154a = ((vars24 + vars4 + a2[vars44a]) >> 29) | (8 * (vars24 + vars4 + a2[vars44a]))
		a2[vars44a] = vars154a & (2**64 - 1)
		vars4 = vars154a
		vars158 = rol(a1[vars64], (vars24 + vars154a) & 0x1F, 32)
		a1[vars64] = vars158 & 0xff
		vars24 = vars158
		vars44a = (vars44a + 1) % 0x1A
		vars64 = (vars64 + 1) % 4

ergipto function

__int64 __fastcall sub_142(_DWORD *a1, __int64 a2)
{
  __int64 result; // rax
  unsigned int i; // [rsp+4h] [rbp+4h]
  int vars24; // [rsp+24h] [rbp+24h]
  int vars44; // [rsp+44h] [rbp+44h]
  int j; // [rsp+64h] [rbp+64h]
  int vars134; // [rsp+134h] [rbp+134h]

  for ( i = 0; i < 4; i += 2 )
  {
    vars24 = *a1 + *(_DWORD *)(a2 + 4i64 * i);
    vars44 = a1[1] + *(_DWORD *)(a2 + 4i64 * (i + 1));
    for ( j = 0; j < 12; ++j )
    {
      vars24 = a1[2 * i] + __ROL4__(vars44 ^ vars24, vars44 & 0x1F);
      vars134 = vars24 ^ vars44;
      vars44 = a1[2 * i + 1] + __ROL4__(vars24 ^ vars44, vars24 & 0x1F);
    }
    *(_DWORD *)(a2 + 4i64 * i) = vars24;
    *(_DWORD *)(a2 + 4i64 * (i + 1)) = vars44;
    result = i + 2;
  }
  return result;
}

Convert it to python code

def ergipto(a1, a2):
	a2 = list(long_to_bytes(a2))
	for i in range(0, 4, 2):
		vars24 = a1[0] + bytes_to_long(bytes(a2[i*2:i*2+2]))
		vars44 = a1[1] + bytes_to_long(bytes(a2[(i+1)*2:(i+1)*2+2]))
		for j in range(12):
			vars24 = a1[2*i] + rol(vars44 ^ vars24, vars44 & 0x1F, 32)
			vars134 = vars24 ^ vars44
			vars44 = a1[2*i + 1] + rol(vars24 ^ vars44, vars24 & 0x1F, 32)
		a2[i*2] = vars24&0xff
		a2[i*2+1] = (vars24 & 0xffff) >> 8
		a2[(i+1)*2] = vars44&0xff
		a2[(i+1)*2 + 1] = (vars44 & 0xffff) >> 8
	a2 = bytes_to_long(bytes(a2))
	return a2

Put it all to one file

from Crypto.Util.number import *

rol = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
 
ror = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))

def ebonatto(a1):
	a1 = list(long_to_bytes(a1)[::-1])
	vars4 = 1
	vars24 = 2
	vars44 = 0
	for i in range(25):
		vars44a = vars4
		vars4 = vars24
		vars24 += vars44a
		vars24 &= 0xff
		a1[i%8] ^= vars24
	a1 = bytes_to_long(bytes(a1)[::-1])
	return a1 & (2**64 - 1)

def dibide(a):
	b = bytearray(a.spodro.to_bytes(8, 'little'))
	for i in range(len(b)):
		b[i] //= 2
	a.spodro = int.from_bytes(b, byteorder='little')

def eberse_drift(a):
	b = bytearray(a.sparde.to_bytes(8, 'big'))	
	for i in range(len(b)):
		b[i] += (b[i] >> 5)
	a.sparde = int.from_bytes(b, byteorder='little')

def eggbonde(a1, a2):
	vars4 = 0
	vars24 = 0
	vars64a = 0
	a2[0] = 0xB7E15163
	for i in range(1, 0x1a):
		a2[i] = (a2[i-1] - 0x61C88647) & (2**32 - 1)
	vars64 = 0
	vars44a = 0
	vars84 = 78
	while True:
		vars84 -= 1
		if vars84 <= 0:
			break
		vars154a = ((vars24 + vars4 + a2[vars44a]) >> 29) | (8 * (vars24 + vars4 + a2[vars44a]))
		a2[vars44a] = vars154a & (2**64 - 1)
		vars4 = vars154a
		vars158 = rol(a1[vars64], (vars24 + vars154a) & 0x1F, 32)
		a1[vars64] = vars158 & 0xff
		vars24 = vars158
		vars44a = (vars44a + 1) % 0x1A
		vars64 = (vars64 + 1) % 4


def ergipto(a1, a2):
	a2 = list(long_to_bytes(a2))
	for i in range(0, 4, 2):
		vars24 = a1[0] + bytes_to_long(bytes(a2[i*2:i*2+2]))
		vars44 = a1[1] + bytes_to_long(bytes(a2[(i+1)*2:(i+1)*2+2]))
		for j in range(12):
			vars24 = a1[2*i] + rol(vars44 ^ vars24, vars44 & 0x1F, 32)
			vars134 = vars24 ^ vars44
			vars44 = a1[2*i + 1] + rol(vars24 ^ vars44, vars24 & 0x1F, 32)
		a2[i*2] = vars24&0xff
		a2[i*2+1] = (vars24 & 0xffff) >> 8
		a2[(i+1)*2] = vars44&0xff
		a2[(i+1)*2 + 1] = (vars44 & 0xffff) >> 8
	a2 = bytes_to_long(bytes(a2))
	return a2

class Ebin():
	def __init__(self, val):
		self.spurdo = bytes_to_long(val[:8][::-1])
		self.spodro = bytes_to_long(val[8:16][::-1])
		self.sparde = bytes_to_long(val[16:24][::-1])

	def get_hex(self):
		result = long_to_bytes(self.spurdo)[::-1] + long_to_bytes(self.spodro)[::-1] + long_to_bytes(self.sparde)[::-1]
		return result.hex()

inp = b"SAS{0123456789abcdefghijklmn}"
segred = Ebin(inp[4:-1])

segred.spurdo = ebonatto(segred.spurdo)
dibide(segred)
eberse_drift(segred)

succ = [0 for i in range(0x1a)]

brawl_stars = list(segred.sparde.to_bytes(8, 'little') * 2)
eggbonde(brawl_stars, succ)
segred.spurdo = ergipto(succ, segred.spurdo)

brawl_stars = list(segred.spurdo.to_bytes(8, 'little') * 2)
eggbonde(brawl_stars, succ)
segred.spodro = ergipto(succ, segred.spodro)

print(segred.get_hex() == '0x3AF9670E06B9C43175FB8D6E90E1E6225CFF6AC8D52EFFAA')

I alsi create function that communicate through pyinjector to debug each function

code.py

ebonatto = spawn(ebonatti, (ctypes.c_int64,))
eggbonde = spawn(eggbond, (ctypes.c_int64, ctypes.c_int64))
ergipto = spawn(ergipt, (ctypes.c_int64, ctypes.c_int64))

secret = "SAS{0123456789abcdefghijklmn}"
gus = ctypes.c_buffer(secret[4:-1].encode())
segred = Ebin.from_address(ctypes.addressof(gus))
print("init",gus.value.hex())

ebonatto(ctypes.addressof(segred))
print("0",gus.value.hex())

dibide(segred)
print("1",gus.value.hex())

eberse_drift(segred)
print("2",gus.value.hex())

brawl_stars = ctypes.c_buffer(segred.sparde.to_bytes(8, 'little') * 2)
succ = (ctypes.c_uint64 * 13)()
print("3 brawl", brawl_stars.value.hex())

eggbonde(ctypes.addressof(brawl_stars), ctypes.addressof(succ))
print("3",gus.value.hex())
print("succ", list(succ))
print("3 brawl", brawl_stars.value.hex())

ergipto(ctypes.addressof(succ), ctypes.addressof(segred))
print("4",gus.value.hex())

brawl_stars = ctypes.c_buffer(segred.spurdo.to_bytes(8, 'little') * 2)
eggbonde(ctypes.addressof(brawl_stars), ctypes.addressof(succ))
print("5",gus.value)
print("5 brawl", brawl_stars.value.hex())

ergipto(ctypes.addressof(succ), ctypes.addressof(segred) + 8)
print("6",gus.value.hex())

During the competition, after recover all the code my team notice that the algorithm is RC5. After that we directly try to use rc5 to decrypt but it failed, so there is something "modified" from the RC5 algorithm. It takes long time for me to notice the different and the different is the loop, look at the code below

for ( i = 0; i < 4; i += 2 )
  {
    A = *S + *(_DWORD *)(data + 4i64 * i);
    B = S[1] + *(_DWORD *)(data + 4i64 * (i + 1));
    for ( j = 0; j < 12; ++j )
    {
      A = S[2 * i] + __ROL4__(B ^ A, B & 0x1F);
      vars134 = A ^ B;
      B = S[2 * i + 1] + __ROL4__(A ^ B, A & 0x1F);
    }
    *(_DWORD *)(data + 4i64 * i) = A;
    *(_DWORD *)(data + 4i64 * (i + 1)) = B;
    result = i + 2;
  }

Line 7 and 9 in original RC5 use S[2*j] instead of S[2*i]. So the code above use value from the block loop instead the round loop.

Modifying the original rc5 then we can decrypt the ciphertext from the challenge. To get all parts of the flag we need to reverse the flow.

brawl_stars = list(segred.sparde.to_bytes(8, 'little') * 2)
eggbonde(brawl_stars, succ)
segred.spurdo = ergipto(succ, segred.spurdo)

brawl_stars = list(segred.spurdo.to_bytes(8, 'little') * 2)
eggbonde(brawl_stars, succ)
segred.spodro = ergipto(succ, segred.spodro)

Total input is 24 bytes
First encryption
- Sparde is last 8 bytes (16-24), so the first encryption use the last 8 bytes as the key and it will encrypt the 0-16 bytes
Second encryption
- Spurdo is first 8 bytes (0-8), so the second encryption use the first 8 bytes as the key and it will encrypt the 8-24 bytes.

We know that the second encryption use the first 8 bytes of data and it not encrypted and the end. So basically we know the key of the second encryption, after that we can get the first encryption key which is the last 8 bytes. Last, we can reverse the operation to get the rest flag.

class RC5:

    def __init__(self, key, w=32, R=12, strip_extra_nulls=False):
        self.w = w  # block size (32, 64 or 128 bits)
        self.R = R  # number of rounds (0 to 255)
        self.key = key  # key (0 to 2040 bits)
        self.strip_extra_nulls = strip_extra_nulls
        self.T = 2 * (R + 1)
        self.w4 = w // 4
        self.w8 = w // 8
        self.mod = 2 ** self.w
        self.mask = self.mod - 1
        self.b = len(key)

        self.__keyAlign()
        self.__keyExtend()
        self.__shuffle()

    def __lshift(self, val, n):
        n %= self.w
        return ((val << n) & self.mask) | ((val & self.mask) >> (self.w - n))

    def __rshift(self, val, n):
        n %= self.w
        return ((val & self.mask) >> n) | (val << (self.w - n) & self.mask)

    def __const(self):  # constants generation
        if self.w == 16:
            return 0xB7E1, 0x9E37  # return P, Q values
        elif self.w == 32:
            return 0xB7E15163, 0x9E3779B9
        elif self.w == 64:
            return 0xB7E151628AED2A6B, 0x9E3779B97F4A7C15

    def __keyAlign(self):
        if self.b == 0:  # key is empty
            self.c = 1
        elif self.b % self.w8:
            self.key += b'\x00' * (self.w8 - self.b % self.w8)  # fill key with \x00 bytes
            self.b = len(self.key)
            self.c = self.b // self.w8
        else:
            self.c = self.b // self.w8
        L = [0] * self.c
        for i in range(self.b - 1, -1, -1):
            L[i // self.w8] = (L[i // self.w8] << 8) + self.key[i]
        self.L = L

    def __keyExtend(self):
        P, Q = self.__const()
        self.S = [(P + i * Q) % self.mod for i in range(self.T)]

    def __shuffle(self):
        i, j, A, B = 0, 0, 0, 0
        for k in range(3 * max(self.c, self.T)):
            A = self.S[i] = self.__lshift((self.S[i] + A + B), 3)
            B = self.L[j] = self.__lshift((self.L[j] + A + B), A + B)
            i = (i + 1) % self.T
            j = (j + 1) % self.c

    def encryptBlock(self, data):
        A = int.from_bytes(data[:self.w8], byteorder='little')
        B = int.from_bytes(data[self.w8:], byteorder='little')
        A = (A + self.S[0]) % self.mod
        B = (B + self.S[1]) % self.mod
        for i in range(1, self.R + 1):
            A = (self.__lshift((A ^ B), B) + self.S[2 * i]) % self.mod
            B = (self.__lshift((A ^ B), A) + self.S[2 * i + 1]) % self.mod
        return (A.to_bytes(self.w8, byteorder='little')
                + B.to_bytes(self.w8, byteorder='little'))

    def decryptBlock(self, data, key_index):
        A = int.from_bytes(data[:self.w8], byteorder='little')
        B = int.from_bytes(data[self.w8:], byteorder='little')
        for i in range(self.R, 0, -1):
            B = self.__rshift(B - self.S[2 * key_index + 1], A) ^ A
            A = self.__rshift(A - self.S[2 * key_index], B) ^ B
        B = (B - self.S[1]) % self.mod
        A = (A - self.S[0]) % self.mod
        return (A.to_bytes(self.w8, byteorder='little')
                + B.to_bytes(self.w8, byteorder='little'))

    def encryptFile(self, inpFileName, outFileName):
        with open(inpFileName, 'rb') as inp, open(outFileName, 'wb') as out:
            run = True
            while run:
                text = inp.read(self.w4)
                if not text:
                    break
                if len(text) != self.w4:
                    text = text.ljust(self.w4, b'\x00')
                    run = False
                text = self.encryptBlock(text)
                out.write(text)

    def decryptFile(self, inpFileName, outFileName):
        with open(inpFileName, 'rb') as inp, open(outFileName, 'wb') as out:
            while True:
                text = inp.read(self.w4)
                if not text:
                    break
                text = self.decryptBlock(text)
                if self.strip_extra_nulls:
                    text = text.rstrip(b'\x00')
                out.write(text)

    def encryptBytes(self, data):
        res, run = b'', True
        while run:
            temp = data[:self.w4]
            if len(temp) != self.w4:
                data = data.ljust(self.w4, b'\x00')
                run = False
            res += self.encryptBlock(temp)
            data = data[self.w4:]
            if not data:
                break
        return res

    def decryptBytes(self, data, key_index):
        res, run = b'', True
        while run:
            temp = data[:self.w4]
            if len(temp) != self.w4:
                run = False
            res += self.decryptBlock(temp, key_index)
            data = data[self.w4:]
            if not data:
                break
        return res.rstrip(b'\x00')

def ebonatto(a1):
    a1 = list(a1)[::-1]
    vars4 = 1
    vars24 = 2
    vars44 = 0
    for i in range(25):
        vars44a = vars4
        vars4 = vars24
        vars24 += vars44a
        vars24 &= 0xff
        a1[i%8] ^= vars24
    a1 = bytes(a1)[::-1]
    return a1

from Crypto.Util.number import *

known_pt = b"TESTING1"
known_ct = ebonatto(known_pt)
key_ebo = []

for i in range(len(known_pt)):
    key_ebo.append(known_ct[i] ^ known_pt[i])

ct_flag = 0x3AF9670E06B9C43175FB8D6E90E1E6225CFF6AC8D52EFFAA
ct_flag = long_to_bytes(ct_flag)

first_key = ct_flag[:8]
cipher = RC5(first_key*2)
block_ct = [ct_flag[8:16], ct_flag[16:24]]

for key_index in range(0, 4, 2):
    block_ct[key_index // 2] = cipher.decryptBytes(block_ct[key_index // 2], key_index)

block_ct_2 = [first_key, block_ct[0]]
pt_block = []
cipher = RC5(block_ct[-1] * 2)

for key_index in range(0, 4, 2):
    pt_block.append(cipher.decryptBytes(block_ct_2[key_index // 2], key_index))

fix1 = b""
for i in range(8):
    fix1 += bytes([pt_block[0][::-1][i] ^ key_ebo[i]])

fix2 = b""
fix2_1 = b""
for i in range(8):
    fix2 += bytes([(pt_block[1][i] * 2) & 0xff])
    fix2_1 += bytes([(pt_block[1][i] * 2) + 1 & 0xff])

fix3 = b""
for i in range(8):
    tmp = (block_ct[-1][i] >> 5)
    fix3 += bytes([(block_ct[-1][i]-tmp) & 0xff])

flag1 = fix1[::-1] + fix2 + fix3[::-1]
flag2 = fix1[::-1] + fix2_1 + fix3[::-1]

print(flag1)
print(flag2)

# SAS{h3_1S_do1n6_l3g_3x3rC1s3}

Did little guess for the middle 8 bytes and got the flag

Flag : SAS{h3_1S_do1n6_l3g_3x3rC1s3}

CK0P0 CTYXHET (497 pts)

Description

The integrity of a world is at stake. A notorious hacker 3vil_Uranus has taken the FNEICS (Federal Nuclear Energy Interactive Control System). Try to understand this complicated interface faster than the 3vil_Uranus can do. Hurry up, you have very little time!

Solution

Given access to URL, we can see that the URL do validation for the input on wasm. The validation can be seen in index.js, so the next step is try to decompile the wasm file using ghidra.

Look at exports section to get all the check function.

Check1

Check1 is straight forward, so just copy the value for each index.

undefined4 export::check1(char *param1)

{
  undefined4 local_4;
  
  if (((((*param1 == -0x49) && (param1[1] == '$')) && (param1[2] == '`')) &&
      ((param1[3] == '\x05' && (param1[4] == '5')))) &&
     ((param1[5] == '1' && ((param1[6] == 'i' && (param1[7] == 'r')))))) {
    local_4 = 1;
  }
  else {
    local_4 = 0;
  }
  return local_4;
}

Below is the solution for check1

param1 = [0 for _ in range(8)]
param1[0] = chr(- 0x49 & 0xff)
param1[1] = '$'
param1[2] = '`'
param1[3] = '\x05'
param1[4] = '5'
param1[5] = '1'
param1[6] = 'i'
param1[7] = 'r'

inp1 = list(map(ord, param1))
print(inp1)

Check2

Check2 just use xor operation with static value as validation

undefined4 export::check2(int param1)

{
  byte local_1d;
  int local_1c;
  byte local_18 [8];
  byte local_10 [16];
  
  local_10[0] = 5;
  local_10[1] = 0xaa;
  local_10[2] = 0x32;
  local_10[3] = 0xad;
  local_10[4] = 0xb4;
  local_10[5] = 0x15;
  local_10[6] = 0x20;
  local_10[7] = 0x8f;
  local_18[0] = 0x28;
  local_18[1] = 0x19;
  local_18[2] = 0xf3;
  local_18[3] = 0x59;
  local_18[4] = 0x7d;
  local_18[5] = 0x42;
  local_18[6] = 0x16;
  local_18[7] = 0xcb;
  local_1c = 0;
  while( true ) {
    if (7 < local_1c) {
      return 1;
    }
    if ((local_10[local_1c] ^ *(param1 + local_1c)) != local_18[local_1c]) break;
    local_1c = local_1c + 1;
  }
  return 0;
}

Below is the solution

local_10 = [0 for i in range(8)]
local_18 = [0 for i in range(8)]
local_10[0] = 5
local_10[1] = 0xaa
local_10[2] = 0x32
local_10[3] = 0xad
local_10[4] = 0xb4
local_10[5] = 0x15
local_10[6] = 0x20
local_10[7] = 0x8f
local_18[0] = 0x28
local_18[1] = 0x19
local_18[2] = 0xf3
local_18[3] = 0x59
local_18[4] = 0x7d
local_18[5] = 0x42
local_18[6] = 0x16
local_18[7] = 0xcb

inp2 = []
for i in range(8):
	inp2.append(local_10[i] ^ local_18[i])
print(inp2)

Check3

For function check3, it just generate static value using unnamed_function_6 with argument 0x2e. The easy way is by leaking the value through debugger.

uint export::check3(int param1)

{
  int local_18;
  int local_14;
  int local_c;
  int local_8;
  uint local_4;
  
  local_8 = param1;
  local_c = unnamed_function_6(0x2e);
  for (local_18 = 0; local_18 < 4; local_18 = local_18 + 1) {
    *(&local_14 + local_18) = *(local_8 + local_18);
  }
  local_4 = local_14 == local_c;
  return local_4;
}

To call the function directly from console we can use below code (i got it from my friend, vidner).

Boolean(Module.ccall("check3", "number", ["array"], [FromHexString("01020304")]));

Set breakpoint at 0x8f70 then run the code above.

Look at stack and the target value is 1836311903 (0x6d73e55f). Put it on python script

from Crypto.Util.number import *

tmp = 1836311903
inp3 = long_to_bytes(tmp)[::-1]
inp3 = list(inp3)
print(inp3)

Check4

For the check4, we can reverse the operation to get the valid input.

uint export::check4(int param1)

{
  int local_1c;
  int local_18;
  int local_14;
  int local_10;
  int local_c;
  int local_8;
  uint local_4;
  
  local_c = 0xb;
  local_10 = 0x69b43d76;
  local_14 = 0xc945c42;
  local_8 = param1;
  for (local_1c = 0; local_1c < 4; local_1c = local_1c + 1) {
    *(&local_18 + local_1c) = *(local_8 + local_1c);
  }
  local_4 = local_c * local_18 - local_10 == local_14;
  return local_4;
}

Below is the solution for check4

local_c = 0xb
local_10 = 0x69b43d76
local_14 = 0xc945c42
inp4 = (local_14 + local_10) // local_c
inp4 = list(long_to_bytes(inp4))[::-1]
print(inp4)

Check5

Check5 also has reversible operation

undefined4 export::check5(int param1)

{
  int local_70;
  int local_6c;
  ushort local_68 [4];
  int local_60 [4];
  int local_50 [4];
  int local_40 [4];
  int local_30 [4];
  int local_20 [6];
  int local_8;
  
  local_8 = param1;
  local_20[0] = 0x11;
  local_20[1] = 0x12;
  local_20[2] = 0x1a;
  local_20[3] = 2;
  local_30[0] = 0x10cd6;
  local_30[1] = 0xd360;
  local_30[2] = 0x17c87;
  local_30[3] = 0x3b9e;
  local_40[0] = 9;
  local_40[1] = 0x20;
  local_40[2] = 0x1d;
  local_40[3] = 8;
  local_50[0] = 0x4f0a;
  local_50[1] = 0xcff8;
  local_50[2] = 0x151a7;
  local_50[3] = 0x1676d;
  local_60[0] = 0x2f8e9e;
  local_60[1] = 0x1c7f4b8;
  local_60[2] = 0x232e190;
  local_60[3] = 0x6cc2d;
  for (local_6c = 0; local_6c < 8; local_6c = local_6c + 1) {
    *(local_68 + local_6c) = *(param1 + local_6c);
  }
  local_70 = 0;
  while( true ) {
    if (3 < local_70) {
      return 1;
    }
    if ((local_20[local_70] * local_68[local_70] + local_30[local_70]) * local_40[local_70] +
        local_50[local_70] != local_60[local_70]) break;
    local_70 = local_70 + 1;
  }
  return 0;
}

Below is the solution

local_20[0] = 0x11
local_20[1] = 0x12
local_20[2] = 0x1a
local_20[3] = 2
local_30[0] = 0x10cd6
local_30[1] = 0xd360
local_30[2] = 0x17c87
local_30[3] = 0x3b9e
local_40[0] = 9
local_40[1] = 0x20
local_40[2] = 0x1d
local_40[3] = 8
local_50[0] = 0x4f0a
local_50[1] = 0xcff8
local_50[2] = 0x151a7
local_50[3] = 0x1676d
local_60[0] = 0x2f8e9e
local_60[1] = 0x1c7f4b8
local_60[2] = 0x232e190
local_60[3] = 0x6cc2d

inp4 = []
for local_70 in range(4):
	tmp = (((local_60[local_70] - local_50[local_70]) // local_40[local_70]) - local_30[local_70]) // local_20[local_70]
	inp4 += list(long_to_bytes(tmp))[::-1]
print(inp4)

Check6

In last check (check6) there are so many input validation

But we can see there are pattern on the validation so we can extract constraint and solve it using z3. During the competition i can't got valid solution for the constraint and when checking it on ghidra i found something weird.

Take a look on the offset, on disassembler it shows 0x4 but on decompiler it shows 1. Besides that there are also different in size used for each index, sometime it use 4 bytes, sometimes 2 bytes, and sometimes also 1 byte. To overcome this issue we can decompile the wasm to c using wasm2c then parse the decompiled code to get valid index and valid size. So the last step is writing the solution which has been explained previously in python, below is my solution

import re
from z3 import *
from Crypto.Util.number import *

def find_constraint(data, value):
	pattern = f"local_c = {value}"
	found_end = -1
	
	for i in range(len(data)):
		if pattern in data[i]:
			found_end = i
			break
	assert found_end != -1
	
	pattern2 = "local_c == " 
	pattern3 = "local_c != "
	found_start = -1
	local_c_count = 0
	for i in range(i, -1, -1):
		if "local_c" in data[i]:
			local_c_count += 1

		if pattern2 in data[i] or pattern3 in data[i]:
			found_start = i
			break
	assert found_start != -1

	constraint_start = -1
	constraint_end = -1
	for i in range(found_start + 1, found_end - 1):
		if "if" in data[i]:
			constraint_start = i

		if "{" in data[i]:
			constraint_end = i + 1
			break
	if " == " in f[found_start]:
		local_c = f[found_start].split(" == ")[-1].split(")")[0]
	else:
		local_c = f[found_start].split(" != ")[-1].split(")")[0]
	
	actual_index, actual_bytes = find_index(local_c)

	return local_c, actual_index, actual_bytes, ''.join(data[constraint_start:constraint_end])

def find_index(local_c):
	int_local_c = int(local_c, 16)

	pattern = f"case {int_local_c}"
	
	label = -1
	for i in range(len(f2)):
		if pattern in f2[i]:
			label = f2[i].split(" goto ")[-1][:-1]
			break
	
	pattern2 = f"{label}:;"
	index_label = -1
	for i in range(len(f2)):
		if pattern2 in f2[i]:
			index_label = i
			break

	pattern3 = "i32_load16_u"
	pattern4 = "i32_load8_u"
	pattern5 = "i32_load"
	
	actual_index = []
	actual_bytes = []
	
	for i in range(index_label, index_label + 1000):
		if pattern3 in f2[i]:
			if " + " in f2[i]:
				actual_index.append(f2[i].split(" + ")[-1].split("u)")[0])
			else:
				actual_index.append("0")
			actual_bytes.append(2)
		elif pattern4 in f2[i]:
			if " + " in f2[i]:
				actual_index.append(f2[i].split(" + ")[-1].split("u)")[0])
			else:
				actual_index.append("0")
			actual_bytes.append(1)
		elif pattern5 in f2[i]:
			if " + " in f2[i]:
				actual_index.append(f2[i].split(" + ")[-1].split("u)")[0])
			else:
				actual_index.append("0")
			actual_bytes.append(4)
		elif "goto" in f2[i]:
			break
	
	odd_index = []
	odd_bytes = []

	for i in range(0, len(actual_index), 2):
		odd_index.append(actual_index[i + 1])
		odd_bytes.append(actual_bytes[i + 1])
	return odd_index, odd_bytes

def one_replace(data, target, value):
	length = len(target)
	index = data.index(target)
	return data[:index] + value + data[index+length:]

def create_constraint(tmp, actual_index, actual_bytes):
	arr = re.findall("\*\((.*?)\)", tmp)
	counter = 0
	for i in arr:
		tmp_split = i.split(" ")
		index = tmp_split[-1]
		if actual_bytes[counter] == 2:
			new_str = f"to_word({tmp_split[0]}, {actual_index[counter]})"
		elif actual_bytes[counter] == 4:
			new_str = f"to_dword({tmp_split[0]}, {actual_index[counter]})"
		elif actual_bytes[counter] == 1:
			new_str = f"to_byte({tmp_split[0]}, {actual_index[counter]})"
		else:
			print("whatt")
		counter += 1
		tmp = one_replace(tmp, f"*({i})", new_str)
	return tmp.replace(" ", "")[2:-1]

def to_word(param1, off):
    return Extract((off+2)*8-1,(off)*8,param1)

def to_byte(param1, off):
    return Extract((off+1)*8-1,(off)*8,param1)

def to_dword(param1, off):
    return Extract((off+4)*8-1,(off)*8,param1)

f = open("check.c", "r").read().split("\n")
f2 = open("decompiled.c", "r").read().split("\n")
local_c = '100'
list_constraints = []
length = 53

for i in range(length):
	local_c, actual_index, actual_bytes, tmp = find_constraint(f, local_c)
	list_constraints.append(create_constraint(tmp, actual_index, actual_bytes))

list_constraints = list_constraints[::-1]

param1 = BitVec("Flag", 256)
s = Solver()

fmt = "s.add({} == False)"

for i in range(length):
	tmp_constraint = list_constraints[i].replace("*0x10000>>0x10", "")
	tmp_constraint = tmp_constraint.replace("*0x1000000>>0x18", "")
	exec(fmt.format(tmp_constraint))

print(s.check())

model = s.model()
inp6 = long_to_bytes(model[param1].as_long())[::-1]
print(list(inp6))

During the competition i can't get valid solution although all the constraints are correctly parsed and after after the competition i found that the issue is on the definition of variable param1 and conversion function (to_word, to_byte, to_dword). So by modifying the function and param1 i can get the valid solution.

Combine all solution and convert the value to hex then call it through console.

import re
from z3 import *
from Crypto.Util.number import *

param1 = [0 for _ in range(8)]
param1[0] = chr(- 0x49 & 0xff)
param1[1] = '$'
param1[2] = '`'
param1[3] = '\x05'
param1[4] = '5'
param1[5] = '1'
param1[6] = 'i'
param1[7] = 'r'

inp1 = list(map(ord, param1))
print(bytes(inp1).hex())

local_10 = [0 for i in range(8)]
local_18 = [0 for i in range(8)]
local_10[0] = 5
local_10[1] = 0xaa
local_10[2] = 0x32
local_10[3] = 0xad
local_10[4] = 0xb4
local_10[5] = 0x15
local_10[6] = 0x20
local_10[7] = 0x8f
local_18[0] = 0x28
local_18[1] = 0x19
local_18[2] = 0xf3
local_18[3] = 0x59
local_18[4] = 0x7d
local_18[5] = 0x42
local_18[6] = 0x16
local_18[7] = 0xcb

inp2 = []
for i in range(8):
	inp2.append(local_10[i] ^ local_18[i])
print(bytes(inp2).hex())

tmp = 1836311903
inp3 = long_to_bytes(tmp)[::-1]
inp3 = list(inp3)
print(bytes(inp3).hex())


local_c = 0xb
local_10 = 0x69b43d76
local_14 = 0xc945c42
inp4 = (local_14 + local_10) // local_c
inp4 = list(long_to_bytes(inp4))[::-1]
print(bytes(inp4).hex())

local_20 = [0 for _ in range(4)]
local_30 = [0 for _ in range(4)]
local_40 = [0 for _ in range(4)]
local_50 = [0 for _ in range(4)]
local_60 = [0 for _ in range(4)]

local_20[0] = 0x11
local_20[1] = 0x12
local_20[2] = 0x1a
local_20[3] = 2
local_30[0] = 0x10cd6
local_30[1] = 0xd360
local_30[2] = 0x17c87
local_30[3] = 0x3b9e
local_40[0] = 9
local_40[1] = 0x20
local_40[2] = 0x1d
local_40[3] = 8
local_50[0] = 0x4f0a
local_50[1] = 0xcff8
local_50[2] = 0x151a7
local_50[3] = 0x1676d
local_60[0] = 0x2f8e9e
local_60[1] = 0x1c7f4b8
local_60[2] = 0x232e190
local_60[3] = 0x6cc2d

inp5 = []
for local_70 in range(4):
	tmp = (((local_60[local_70] - local_50[local_70]) // local_40[local_70]) - local_30[local_70]) // local_20[local_70]
	inp5 += list(long_to_bytes(tmp))[::-1]
print(bytes(inp5).hex())


def find_constraint(data, value):
	pattern = f"local_c = {value}"
	found_end = -1
	
	for i in range(len(data)):
		if pattern in data[i]:
			found_end = i
			break
	assert found_end != -1
	
	pattern2 = "local_c == " 
	pattern3 = "local_c != "
	found_start = -1
	local_c_count = 0
	for i in range(i, -1, -1):
		if "local_c" in data[i]:
			local_c_count += 1

		if pattern2 in data[i] or pattern3 in data[i]:
			found_start = i
			break
	assert found_start != -1

	constraint_start = -1
	constraint_end = -1
	for i in range(found_start + 1, found_end - 1):
		if "if" in data[i]:
			constraint_start = i

		if "{" in data[i]:
			constraint_end = i + 1
			break
	if " == " in f[found_start]:
		local_c = f[found_start].split(" == ")[-1].split(")")[0]
	else:
		local_c = f[found_start].split(" != ")[-1].split(")")[0]
	
	actual_index, actual_bytes = find_index(local_c)

	return local_c, actual_index, actual_bytes, ''.join(data[constraint_start:constraint_end])

def find_index(local_c):
	int_local_c = int(local_c, 16)

	pattern = f"case {int_local_c}"
	
	label = -1
	for i in range(len(f2)):
		if pattern in f2[i]:
			label = f2[i].split(" goto ")[-1][:-1]
			break
	
	pattern2 = f"{label}:;"
	index_label = -1
	for i in range(len(f2)):
		if pattern2 in f2[i]:
			index_label = i
			break

	pattern3 = "i32_load16_u"
	pattern4 = "i32_load8_u"
	pattern5 = "i32_load"
	
	actual_index = []
	actual_bytes = []
	
	for i in range(index_label, index_label + 1000):
		if pattern3 in f2[i]:
			if " + " in f2[i]:
				actual_index.append(f2[i].split(" + ")[-1].split("u)")[0])
			else:
				actual_index.append("0")
			actual_bytes.append(2)
		elif pattern4 in f2[i]:
			if " + " in f2[i]:
				actual_index.append(f2[i].split(" + ")[-1].split("u)")[0])
			else:
				actual_index.append("0")
			actual_bytes.append(1)
		elif pattern5 in f2[i]:
			if " + " in f2[i]:
				actual_index.append(f2[i].split(" + ")[-1].split("u)")[0])
			else:
				actual_index.append("0")
			actual_bytes.append(4)
		elif "goto" in f2[i]:
			break
	
	odd_index = []
	odd_bytes = []

	for i in range(0, len(actual_index), 2):
		odd_index.append(actual_index[i + 1])
		odd_bytes.append(actual_bytes[i + 1])
	return odd_index, odd_bytes

def one_replace(data, target, value):
	length = len(target)
	index = data.index(target)
	return data[:index] + value + data[index+length:]

def create_constraint(tmp, actual_index, actual_bytes):
	arr = re.findall("\*\((.*?)\)", tmp)
	counter = 0
	for i in arr:
		tmp_split = i.split(" ")
		index = tmp_split[-1]
		if actual_bytes[counter] == 2:
			new_str = f"to_word({tmp_split[0]}, {actual_index[counter]})"
		elif actual_bytes[counter] == 4:
			new_str = f"to_dword({tmp_split[0]}, {actual_index[counter]})"
		elif actual_bytes[counter] == 1:
			new_str = f"to_byte({tmp_split[0]}, {actual_index[counter]})"
		else:
			print("whatt")
		counter += 1
		tmp = one_replace(tmp, f"*({i})", new_str)
	return tmp.replace(" ", "")[2:-1]

def to_word(param1, off):
    return Extract((off+2)*8-1,(off)*8,param1)

def to_byte(param1, off):
    return Extract((off+1)*8-1,(off)*8,param1)

def to_dword(param1, off):
    return Extract((off+4)*8-1,(off)*8,param1)

f = open("check.c", "r").read().split("\n")
f2 = open("decompiled.c", "r").read().split("\n")
local_c = '100'
list_constraints = []
length = 53

for i in range(length):
	local_c, actual_index, actual_bytes, tmp = find_constraint(f, local_c)
	list_constraints.append(create_constraint(tmp, actual_index, actual_bytes))

list_constraints = list_constraints[::-1]

param1 = BitVec("Flag", 256)
s = Solver()

fmt = "s.add({} == False)"

for i in range(length):
	tmp_constraint = list_constraints[i].replace("*0x10000>>0x10", "")
	tmp_constraint = tmp_constraint.replace("*0x1000000>>0x18", "")
	exec(fmt.format(tmp_constraint))

s.check()

model = s.model()
inp6 = long_to_bytes(model[param1].as_long())[::-1]

print(inp6.hex())

check1Data = FromHexString("b724600535316972")
check2Data = FromHexString("2db3c1f4c9573644")
check3Data = FromHexString("5fe5736d")
check4Data = FromHexString("28c8c00a")
check5Data = FromHexString("3e3f8bbe07b07d38")
check6Data = FromHexString("d10dcb769a39c91eb33740e9db857ec5f1c3ccc78ee9862867a2cc0decda24d0")

const strangeMiem = new Uint8Array(check1Data.length + check2Data.length + check3Data.length + check4Data.length + check5Data.length + check6Data.length);
strangeMiem.set(check1Data, 0);
strangeMiem.set(check2Data, check1Data.length);
strangeMiem.set(check3Data, check1Data.length + check2Data.length);
strangeMiem.set(check4Data, check1Data.length + check2Data.length + check3Data.length);
strangeMiem.set(check5Data, check1Data.length + check2Data.length + check3Data.length + check4Data.length);
strangeMiem.set(check6Data, check1Data.length + check2Data.length + check3Data.length + check4Data.length + check5Data.length);
alert(PerformHack(strangeMiem));

Flag: SAS{0k_u_54v3d_7h3_p14n37_n0w_u_5h0u1d_61v3_m34n1n6_70_l1f3}

Napoleon (497 pts)

Description

Some crazy guy imagined himself to be Napoleon and attacked our network. Now all the computers in our office crash as soon as we power them on. That freaky guy demanded $10K as ransom to make our computers work again. Our IT specialists have looked at the broken computers and found a suspicious driver in it, however, we are too afraid to look at it more closely - the guy told us that he will wipe all the data in our company if we try to remove the infection without his help. The freak also offered us to remove the infection from one of the machines for free. We managed to capture the process of him interacting with the driver, however, we weren't able to make sense out of these recordings. It seems like there is nothing we can do...

Solution

TBU

PreviousSAS CTF Quals NextSwampCTF

Last updated 3 months ago