N1CTF 2025 WP

clev1L Lv3

easy_re

push到手机里面运行

启动./android_server64

转发端口adb forward tcp:23946 tcp:23946

设置参数后就能进行动调

浅浅调试一下,可以发现一些关键的异或

^i

rc4的异或

暂时不知道啥的两个异或

上ida_dbg

from ida_hexrays import *
from ida_dbg import *
from idaapi import *
from idautils import *
from idc import *
from ida_kernwin import *
# Shared state for the custom debugger hook class that follows.
# Only the commented-out probes inside the hook append to these lists.
key, idx = [], []
class dbg_hooks_t(ida_dbg.DBG_Hooks):
    """Debugger hook that logs the operands of selected EOR instructions.

    Subclasses ida_dbg.DBG_Hooks. Whenever the debuggee suspends, the
    disassembly text at here() is compared with a few literal EOR
    encodings; on a match both source registers and their XOR are printed
    and the process is resumed.
    """

    def __init__(self):
        ida_dbg.DBG_Hooks.__init__(self)

    def dbg_suspend_process(self):
        global key, idx

        # Matching is done on the rendered disassembly text, so every
        # instruction with the same rendering is logged, wherever it lives.
        if GetDisasm(here()) in ("EOR W10, W11, W10", "EOR W10, W10, W11"):
            lhs, rhs = cpu.W10, cpu.W11
            print("%s^%s=%s" % (hex(lhs), hex(rhs), hex(lhs ^ rhs)))
            continue_process()

        if GetDisasm(here()) == "EOR W8, W11, W8":
            lhs, rhs = cpu.W8, cpu.W11
            print("%s^%s=%s" % (hex(lhs), hex(rhs), hex(lhs ^ rhs)))
            continue_process()

        # Alternative probes, disabled in this listing:
        #
        # Collect W10 at the W10/W11 EORs (used later to dump the keystream).
        # if GetDisasm(here()) in ("EOR W10, W11, W10", "EOR W10, W10, W11"):
        #     key.append(cpu.W10)
        #     print(",".join(map(hex, key)))
        #     continue_process()
        #
        # Collect the X9 operand of an ADD.
        # if GetDisasm(here()) == "ADD X8, X8, X9":
        #     idx.append(cpu.X9)
        #     print(",".join(map(hex, idx)))
        #     continue_process()
        #
        # Force X0 to 0 at a compare. The write-up reports this was tried
        # against the anti-debug check and was not sufficient.
        # if GetDisasm(here()) == "CMP X0, #0":
        #     cpu.X0 = 0
        #     continue_process()


# Install / uninstall toggle: the first run installs the hook, the next run
# removes it. This relies on the name `tmp_dbg_hooks` surviving between runs
# in the interpreter namespace.
if 'tmp_dbg_hooks' in dir():
    tmp_dbg_hooks.unhook()
    del tmp_dbg_hooks
    print('[+] tmp dbg unhook success')
else:
    tmp_dbg_hooks = dbg_hooks_t()
    tmp_dbg_hooks.hook()
    print('[+] tmp dbg hook success')

为了方便将输入调整为了4个1

得到log

0x31^0x0=0x31
0x27^0x31=0x16
0x0^0x16=0x16
0x31^0x1=0x30
0xbe^0x30=0x8e
0x16^0x0=0x16
0x16^0x8e=0x98
0x31^0x2=0x33
0xb2^0x33=0x81
0x16^0x0=0x16
0x98^0x16=0x8e
0x8e^0x81=0xf
0x31^0x3=0x32
0x67^0x32=0x55
0x16^0x0=0x16
0x98^0x16=0x8e
0xf^0x8e=0x81
0x81^0x55=0xd4

根据上面的log可以复现出算法:enc[i] = input[i] ^ i ^ keystream[i] ^ (enc[0] ^ enc[1] ^ … ^ enc[i-1]),其中keystream为rc4密钥流

解密算法则如下

关键就是密钥流了,可以继续用ida_dbg获取

from ida_hexrays import *
from ida_dbg import *
from idaapi import *
from idautils import *
from idc import *
from ida_kernwin import *
# Shared state for the custom debugger hook class that follows.
# `key` accumulates the W10 values recorded by the hook; `idx` is only used
# by a probe that is commented out.
key, idx = [], []
class dbg_hooks_t(ida_dbg.DBG_Hooks):
    """Debugger hook that records W10 at the W10/W11 EOR instructions.

    Subclasses ida_dbg.DBG_Hooks. On every suspend whose disassembly text
    at here() matches one of the two EOR encodings, W10 is appended to the
    global ``key`` list, the whole list is printed as comma-separated hex,
    and the process is resumed.
    """

    def __init__(self):
        ida_dbg.DBG_Hooks.__init__(self)

    def dbg_suspend_process(self):
        global key, idx

        watched = ("EOR W10, W11, W10", "EOR W10, W10, W11")
        # NOTE(review): every matching EOR contributes a W10 value, so the
        # printed list is presumably a superset of the keystream bytes;
        # confirm against the operand log before using it.
        if GetDisasm(here()) in watched:
            key.append(cpu.W10)
            print(",".join(hex(value) for value in key))
            continue_process()

        # Disabled in this listing: the operand-logging probes (print
        # W10^W11 and W8^W11), the X9 collector at "ADD X8, X8, X9", and the
        # "CMP X0, #0" probe that forces X0 to 0.


# Install / uninstall toggle: the first run installs the hook, the next run
# removes it. This relies on the name `tmp_dbg_hooks` surviving between runs
# in the interpreter namespace.
if 'tmp_dbg_hooks' in dir():
    tmp_dbg_hooks.unhook()
    del tmp_dbg_hooks
    print('[+] tmp dbg unhook success')
else:
    tmp_dbg_hooks = dbg_hooks_t()
    tmp_dbg_hooks.hook()
    print('[+] tmp dbg hook success')

但是会发现解不出来,说明有反调试

constructor函数中找到反调

这里我非常糖的直接改x0寄存器,还坚信对的,浪费半天时间

实际上后面用到了fgets读到的TracerPid这一行字符串作为rc4密钥,所以只改比较结果(x0)没用:被调试时读到的内容不同,密钥流也就不同

所以我们修改一下fgets拿到的值就行了

我们可以在文件夹中找到一份status,参照这个修改fgets

然后用ida_dbg拿到密钥流就行(trace不懂为啥不行)

解密拿到flag

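def _decrypt(cipher, stream):
    """Invert enc[i] = p[i] ^ i ^ stream[i] ^ (enc[0] ^ ... ^ enc[i-1]).

    Args:
        cipher: ciphertext byte values.
        stream: keystream byte values, at least as long as ``cipher``.

    Returns:
        A new list with the recovered plaintext byte values.

    Raises:
        ValueError: if ``stream`` is shorter than ``cipher``.
    """
    if len(stream) < len(cipher):
        raise ValueError("keystream is shorter than the ciphertext")

    plain = []
    prefix = 0  # running XOR of all ciphertext bytes before position i
    for i, (c, k) in enumerate(zip(cipher, stream)):
        plain.append(c ^ k ^ i ^ prefix)
        prefix ^= c
    return plain


# Keystream bytes recorded with the debugger hook. Per the write-up they are
# only usable once the status text returned by fgets has been patched,
# because that text keys the RC4 instance.
keystream = [
    0x36, 0x71, 0xf4, 0x67, 0xfa, 0x9a, 0xf9, 0x0a,
    0x5e, 0xa0, 0xb6, 0xb0, 0x11, 0xab, 0x7a, 0x2d,
    0xd0, 0xd3, 0x0a, 0xca, 0xe8, 0x91, 0x9a, 0xc2,
    0x64, 0x8e, 0x12, 0x08, 0xba, 0x46, 0x4a, 0x6e,
]

# Ciphertext bytes; replaced in place by the plaintext below.
test = [
    0x50, 0x4C, 0x8B, 0x94, 0x86, 0x6D, 0x72, 0xFB, 0x54, 0xF3,
    0x17, 0x0F, 0xEE, 0xE4, 0xC5, 0x1E, 0xB8, 0x1A, 0xC7, 0xDF,
    0x2D, 0x3D, 0x4E, 0x51, 0xE7, 0xAD, 0x97, 0x55, 0xF3, 0xF5,
    0x41, 0x79,
]

# One forward pass with a running prefix XOR replaces the original
# back-to-front loop that re-XORed every earlier byte for each position.
test[:] = _decrypt(test, keystream)
print("".join(map(chr, test)))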

5mc

断在图中位置,f9后直接f7进去看,按u取消定义,按c成代码,按p设置函数,看逻辑复现出算法即可

from devil import *

# Sample input (32 bytes) that is run through the re-implemented cipher.
test = list(map(ord, "flagflagflagflagflagflagflagflag"))

# 256-entry byte substitution table.
table = [
    0xB0, 0xF0, 0x21, 0xCF, 0xF2, 0x04, 0x3A, 0x68, 0x84, 0x7B,
    0x39, 0x86, 0x36, 0x87, 0x9B, 0xF7, 0x3D, 0x18, 0x1E, 0x61,
    0x1B, 0x2E, 0x6C, 0xDF, 0x2C, 0xAE, 0x65, 0x9D, 0xEB, 0x2F,
    0xDA, 0xF4, 0xDE, 0xCA, 0x56, 0x92, 0x75, 0x3B, 0x62, 0x45,
    0x06, 0x3C, 0x52, 0x33, 0x6E, 0x25, 0xCE, 0xA3, 0xD2, 0x44,
    0xA1, 0x4A, 0x58, 0xB1, 0xA0, 0x2A, 0x47, 0x0A, 0x02, 0xAF,
    0x50, 0xC3, 0xDC, 0xEA, 0xE5, 0x0D, 0x67, 0x91, 0xE1, 0x51,
    0xE3, 0xC1, 0xAA, 0x95, 0x5C, 0x79, 0x72, 0x1C, 0x3F, 0xB8,
    0xE8, 0x1F, 0xFF, 0x7A, 0x73, 0x26, 0x54, 0x9E, 0xED, 0xA9,
    0x41, 0x20, 0xEF, 0xA6, 0x48, 0x97, 0x4F, 0xD4, 0xBB, 0x23,
    0x66, 0xD9, 0xE4, 0x0B, 0x30, 0x15, 0xD7, 0x6B, 0x19, 0xCD,
    0xC4, 0x08, 0xB4, 0xC8, 0x14, 0xFD, 0x7F, 0x28, 0x0E, 0x05,
    0x0F, 0x4B, 0x6F, 0xF5, 0x90, 0x76, 0xBF, 0x60, 0xE7, 0x24,
    0x78, 0x6D, 0x71, 0xA8, 0x43, 0xB5, 0x0C, 0x31, 0xF9, 0xA2,
    0x9C, 0x99, 0xF6, 0x2D, 0xDB, 0xB7, 0xC9, 0x85, 0x81, 0x03,
    0x64, 0x1D, 0x07, 0x34, 0x5A, 0xBD, 0x37, 0x4C, 0xA7, 0x5F,
    0x46, 0xE9, 0x35, 0x93, 0x8D, 0xA5, 0xFB, 0x42, 0x01, 0xC2,
    0x17, 0x12, 0x1A, 0x77, 0xC6, 0x53, 0x83, 0x4D, 0xB2, 0x10,
    0x2B, 0xF8, 0x88, 0x6A, 0x3E, 0xD0, 0x7C, 0x63, 0x40, 0x27,
    0xBE, 0xD5, 0x38, 0xD1, 0x74, 0xB6, 0x57, 0x94, 0xAB, 0x8A,
    0xB9, 0xBC, 0x7D, 0xB3, 0x96, 0x7E, 0xFC, 0xAD, 0x22, 0x4E,
    0xFA, 0xE0, 0xCB, 0x8B, 0xEE, 0x32, 0xA4, 0x16, 0xFE, 0x5B,
    0x13, 0xDD, 0xC0, 0x9A, 0x5E, 0x8E, 0x29, 0xF3, 0x8F, 0x49,
    0xE6, 0x9F, 0xF1, 0xC5, 0x70, 0x55, 0x8C, 0x11, 0xCC, 0x5D,
    0xEC, 0x00, 0xAC, 0x89, 0xD3, 0x82, 0x69, 0xD6, 0xBA, 0xD8,
    0x59, 0x98, 0x09, 0x80, 0xE2, 0xC7,
]

# Index permutation over the 32 byte positions.
ip = [
    0x13, 0x1F, 0x10, 0x1D, 0x01, 0x0D, 0x07, 0x15, 0x08, 0x06,
    0x16, 0x00, 0x0F, 0x0C, 0x02, 0x05, 0x0E, 0x03, 0x12, 0x04,
    0x18, 0x14, 0x1A, 0x1C, 0x1E, 0x19, 0x09, 0x1B, 0x11, 0x0B,
    0x17, 0x0A,
]

# Per-position constant that is XORed into each byte.
key = [
    0x7D, 0xB7, 0x24, 0x7E, 0xC3, 0x6B, 0xBD, 0xD8, 0x7F, 0x13,
    0x6E, 0x0F, 0x43, 0xCD, 0x6B, 0xCF, 0x18, 0x4F, 0x26, 0x18,
    0x12, 0x2A, 0x7E, 0x9B, 0x27, 0x4C, 0x33, 0x67, 0x40, 0xC9,
    0x9E, 0xC4,
]

# Per-position constant that is added to each byte (mod 256).
key2 = [
    0x91, 0xDB, 0x9F, 0x5F, 0x26, 0x27, 0xD6, 0xA8, 0xBF, 0x41,
    0x16, 0x79, 0xDE, 0x73, 0x16, 0xF8, 0x1E, 0xBA, 0x6A, 0xBE,
    0xC6, 0x12, 0xB2, 0x39, 0x9E, 0xF3, 0x12, 0x4E, 0x02, 0x1C,
    0xE2, 0x43,
]

# Not referenced by the code in this listing.
# NOTE(review): presumably a comparison buffer taken from the binary; confirm.
target = [
    0x46, 0x0D, 0x93, 0x07, 0x71, 0x3E, 0x0B, 0x09, 0x6E, 0xDA,
    0xEB, 0xF9, 0xE9, 0xBC, 0xBB, 0x32, 0x06, 0x52, 0xD3, 0x82,
    0x1A, 0x9D, 0xC2, 0x4C, 0xBE, 0xE3, 0x8C, 0xC2, 0xB4, 0xEF,
    0x6C, 0x3F,
]

# Scratch buffer for the two-step permutation.
v3 = [0 for _ in range(32)]

def _ror8(value, count):
    """Rotate an 8-bit value right by ``count`` bits."""
    return ((value >> count) | (value << (8 - count))) & 0xff


def _encrypt_round(first_rot, second_rot):
    """Apply one cipher round to the global ``test`` buffer in place.

    Order of operations: byte substitution through ``table``, the two-step
    permutation through ``ip`` (using the global ``v3`` as scratch), then
    per byte: XOR key / add key2 / rotate right by ``first_rot``, followed
    by add key2 / XOR key / rotate right by ``second_rot``.
    """
    for pos, byte in enumerate(test):
        test[pos] = table[byte]

    for pos, dst in enumerate(ip):
        v3[dst] = test[pos]
    for pos, dst in enumerate(ip):
        test[dst] = v3[pos]

    for pos in range(len(test)):
        mixed = ((test[pos] ^ key[pos]) + key2[pos]) & 0xff
        mixed = _ror8(mixed, first_rot)
        mixed = ((mixed + key2[pos]) ^ key[pos]) & 0xff
        test[pos] = _ror8(mixed, second_rot)


# Four rounds on the sample input; only the rotation amounts differ.
# printhex comes from the `devil` import and is not shown on this page.
_encrypt_round(5, 1)
_encrypt_round(2, 4)
printhex(test)
_encrypt_round(5, 3)
_encrypt_round(6, 7)
printhex(test)
# Decryption: undo the four rounds in reverse order.
test = [
    0x5B, 0x2D, 0xE9, 0x66, 0xED, 0x39, 0x90, 0x23, 0xAF, 0xDA,
    0xEB, 0x2E, 0xD1, 0x0D, 0xBB, 0xBD, 0x57, 0x52, 0x02, 0xB0,
    0xBA, 0x9D, 0x52, 0xFA, 0x67, 0xEE, 0xA3, 0x85, 0xA9, 0x84,
    0xE2, 0x6F,
]


def _rotr(value, count):
    """Rotate an 8-bit value right by ``count`` bits."""
    return ((value >> count) | (value << (8 - count))) & 0xff


def _decrypt_round(first_rot, second_rot):
    """Undo one cipher round on the global ``test`` buffer in place.

    Per byte: rotate right by ``first_rot``, XOR key, subtract key2,
    rotate right by ``second_rot``, subtract key2, XOR key. Then the
    permutation through ``ip`` is reversed (global ``v3`` as scratch) and
    each byte is mapped back through ``table`` with a linear search.
    """
    for pos in range(len(test)):
        byte = _rotr(test[pos], first_rot)
        byte = ((byte ^ key[pos]) - key2[pos]) & 0xff
        byte = _rotr(byte, second_rot)
        byte = ((byte - key2[pos]) & 0xff) ^ key[pos]
        test[pos] = byte & 0xff

    for pos in range(len(test)):
        v3[pos] = test[ip[pos]]
    for pos in range(len(test)):
        test[pos] = v3[ip[pos]]

    for pos in range(len(test)):
        test[pos] = table.index(test[pos])


# The right-rotations here are the complements (8 - n) of the forward ones,
# taken from the last round back to the first.
_decrypt_round(1, 2)
_decrypt_round(5, 3)
_decrypt_round(4, 6)
_decrypt_round(7, 3)
# puts comes from the `devil` import and is not shown on this page.
puts(test)

df5

一个人写的代码?大部分重复,解法差不多,主要是递归思路

从最后一字节开始,依次假设最后一步是revfun0~revfun3:例如假设进行revfun0,看解密后的最后一个字节&3是不是等于0,成立就递归处理前一个字节,不成立舍弃

# Sample input (32 bytes) used to exercise the forward transforms.
test = list(map(ord, "flagflagflagflagflagflagflagflag"))

# Index permutation over the 32 byte positions.
ip = [
    0x13, 0x1F, 0x10, 0x1D, 0x01, 0x0D, 0x07, 0x15, 0x08, 0x06,
    0x16, 0x00, 0x0F, 0x0C, 0x02, 0x05, 0x0E, 0x03, 0x12, 0x04,
    0x18, 0x14, 0x1A, 0x1C, 0x1E, 0x19, 0x09, 0x1B, 0x11, 0x0B,
    0x17, 0x0A,
]

# Per-position constant that is XORed into each byte.
key = [
    0x7D, 0xB7, 0x24, 0x7E, 0xC3, 0x6B, 0xBD, 0xD8, 0x7F, 0x13,
    0x6E, 0x0F, 0x43, 0xCD, 0x6B, 0xCF, 0x18, 0x4F, 0x26, 0x18,
    0x12, 0x2A, 0x7E, 0x9B, 0x27, 0x4C, 0x33, 0x67, 0x40, 0xC9,
    0x9E, 0xC4,
]

# Per-position constant that is added to each byte (mod 256).
key2 = [
    0x91, 0xDB, 0x9F, 0x5F, 0x26, 0x27, 0xD6, 0xA8, 0xBF, 0x41,
    0x16, 0x79, 0xDE, 0x73, 0x16, 0xF8, 0x1E, 0xBA, 0x6A, 0xBE,
    0xC6, 0x12, 0xB2, 0x39, 0x9E, 0xF3, 0x12, 0x4E, 0x02, 0x1C,
    0xE2, 0x43,
]

# Not referenced by the code in this listing.
# NOTE(review): presumably a comparison buffer taken from the binary; confirm.
target = [
    0x46, 0x0D, 0x93, 0x07, 0x71, 0x3E, 0x0B, 0x09, 0x6E, 0xDA,
    0xEB, 0xF9, 0xE9, 0xBC, 0xBB, 0x32, 0x06, 0x52, 0xD3, 0x82,
    0x1A, 0x9D, 0xC2, 0x4C, 0xBE, 0xE3, 0x8C, 0xC2, 0xB4, 0xEF,
    0x6C, 0x3F,
]

# 256-entry byte substitution table.
table = [
    0xB0, 0xF0, 0x21, 0xCF, 0xF2, 0x04, 0x3A, 0x68, 0x84, 0x7B,
    0x39, 0x86, 0x36, 0x87, 0x9B, 0xF7, 0x3D, 0x18, 0x1E, 0x61,
    0x1B, 0x2E, 0x6C, 0xDF, 0x2C, 0xAE, 0x65, 0x9D, 0xEB, 0x2F,
    0xDA, 0xF4, 0xDE, 0xCA, 0x56, 0x92, 0x75, 0x3B, 0x62, 0x45,
    0x06, 0x3C, 0x52, 0x33, 0x6E, 0x25, 0xCE, 0xA3, 0xD2, 0x44,
    0xA1, 0x4A, 0x58, 0xB1, 0xA0, 0x2A, 0x47, 0x0A, 0x02, 0xAF,
    0x50, 0xC3, 0xDC, 0xEA, 0xE5, 0x0D, 0x67, 0x91, 0xE1, 0x51,
    0xE3, 0xC1, 0xAA, 0x95, 0x5C, 0x79, 0x72, 0x1C, 0x3F, 0xB8,
    0xE8, 0x1F, 0xFF, 0x7A, 0x73, 0x26, 0x54, 0x9E, 0xED, 0xA9,
    0x41, 0x20, 0xEF, 0xA6, 0x48, 0x97, 0x4F, 0xD4, 0xBB, 0x23,
    0x66, 0xD9, 0xE4, 0x0B, 0x30, 0x15, 0xD7, 0x6B, 0x19, 0xCD,
    0xC4, 0x08, 0xB4, 0xC8, 0x14, 0xFD, 0x7F, 0x28, 0x0E, 0x05,
    0x0F, 0x4B, 0x6F, 0xF5, 0x90, 0x76, 0xBF, 0x60, 0xE7, 0x24,
    0x78, 0x6D, 0x71, 0xA8, 0x43, 0xB5, 0x0C, 0x31, 0xF9, 0xA2,
    0x9C, 0x99, 0xF6, 0x2D, 0xDB, 0xB7, 0xC9, 0x85, 0x81, 0x03,
    0x64, 0x1D, 0x07, 0x34, 0x5A, 0xBD, 0x37, 0x4C, 0xA7, 0x5F,
    0x46, 0xE9, 0x35, 0x93, 0x8D, 0xA5, 0xFB, 0x42, 0x01, 0xC2,
    0x17, 0x12, 0x1A, 0x77, 0xC6, 0x53, 0x83, 0x4D, 0xB2, 0x10,
    0x2B, 0xF8, 0x88, 0x6A, 0x3E, 0xD0, 0x7C, 0x63, 0x40, 0x27,
    0xBE, 0xD5, 0x38, 0xD1, 0x74, 0xB6, 0x57, 0x94, 0xAB, 0x8A,
    0xB9, 0xBC, 0x7D, 0xB3, 0x96, 0x7E, 0xFC, 0xAD, 0x22, 0x4E,
    0xFA, 0xE0, 0xCB, 0x8B, 0xEE, 0x32, 0xA4, 0x16, 0xFE, 0x5B,
    0x13, 0xDD, 0xC0, 0x9A, 0x5E, 0x8E, 0x29, 0xF3, 0x8F, 0x49,
    0xE6, 0x9F, 0xF1, 0xC5, 0x70, 0x55, 0x8C, 0x11, 0xCC, 0x5D,
    0xEC, 0x00, 0xAC, 0x89, 0xD3, 0x82, 0x69, 0xD6, 0xBA, 0xD8,
    0x59, 0x98, 0x09, 0x80, 0xE2, 0xC7,
]

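def ror(byte, n):
    """Rotate the low 8 bits of ``byte`` right by ``n`` positions.

    Args:
        byte: integer whose low 8 bits are rotated; higher bits are ignored.
        n: rotation count; any integer, reduced modulo 8.

    Returns:
        The rotated value in the range 0..255.
    """
    # Normalise the inputs first: a count above 8 would otherwise make
    # ``8 - n`` negative (ValueError on the shift), and bits above bit 7
    # would leak into the result through the right shift.
    byte &= 0xFF
    n %= 8
    return ((byte >> n) | (byte << (8 - n))) & 0xFF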
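def rol(byte, n):
    """Rotate the low 8 bits of ``byte`` left by ``n`` positions.

    Args:
        byte: integer whose low 8 bits are rotated; higher bits are ignored.
        n: rotation count; any integer, reduced modulo 8.

    Returns:
        The rotated value in the range 0..255.
    """
    # Normalise the inputs first: a count above 8 would otherwise make
    # ``8 - n`` negative (ValueError on the shift), and bits above bit 7
    # would leak into the result through the right shift.
    byte &= 0xFF
    n %= 8
    return ((byte << n) | (byte >> (8 - n))) & 0xFF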
# Transform pair 1: XOR with key, then add key2.
def fun2():
    """XOR each byte of the global ``test`` with ``key``, then add ``key2`` mod 256."""
    for pos, byte in enumerate(test):
        test[pos] = (((byte ^ key[pos]) & 0xff) + key2[pos]) & 0xff
def revfun2():
    """Inverse of fun2: subtract ``key2`` mod 256, then XOR with ``key``, in place."""
    for pos, byte in enumerate(test):
        test[pos] = (((byte - key2[pos]) & 0xff) ^ key[pos]) & 0xff

# Transform pair 2: rotate every byte by three bits.
def fun3():
    """Rotate each byte of the global ``test`` right by 3 bits, in place."""
    test[:] = [ror(byte, 3) for byte in test]
def revfun3():
    """Inverse of fun3: rotate each byte of the global ``test`` left by 3 bits."""
    test[:] = [rol(byte, 3) for byte in test]
# Transform pair 3: byte substitution through `table`.
def fun0():
    """Replace each byte of the global ``test`` with ``table[byte]``, in place."""
    for pos, byte in enumerate(test):
        test[pos] = table[byte]
def revfun0():
    """Inverse of fun0: replace each byte with its first index in ``table``."""
    for pos, byte in enumerate(test):
        # list.index is a linear search and raises ValueError if absent.
        test[pos] = table.index(byte)


# Transform pair 4: position permutation through `ip`.
def fun1():
    """Permute the global ``test`` in place by scattering through ``ip`` twice."""
    scratch = [0] * 32
    for src, dst in enumerate(ip):
        scratch[dst] = test[src]
    for src, dst in enumerate(ip):
        test[dst] = scratch[src]
def revfun1():
    """Inverse of fun1: gather through ``ip`` twice, writing back into ``test``."""
    scratch = [0] * 32
    for pos, src in enumerate(ip):
        scratch[pos] = test[src]
    for pos, src in enumerate(ip):
        test[pos] = scratch[src]

# Dispatch tables indexed by the low two bits of a byte.
fun = [fun0, fun1, fun2, fun3]
revfun = [revfun0, revfun1, revfun2, revfun3]

# Forward pass on the sample input: at step i the transform is chosen by the
# low two bits of the current byte i, and it rewrites the whole buffer.
# (The matching inverse would be revfun[selector]().)
for position in range(len(test)):
    selector = test[position] & 3
    fun[selector]()

def crack(level):
    """Search backwards for inputs that transform into the global ``test``.

    Walks from byte ``level`` down to byte 0. At each step every inverse
    transform is tried; a branch is kept only when, after undoing, the low
    two bits of ``test[level]`` equal the index of the transform that was
    undone. When ``level`` reaches -1 the buffer is printed as text.

    Args:
        level: index of the byte whose selecting transform is being guessed.
    """
    global test
    if level == -1:
        print("".join(map(chr, test)))
        return

    # The buffer is restored after every attempt, so a single snapshot
    # taken on entry is enough.
    snapshot = list(test)
    for choice, undo in enumerate(revfun):
        undo()
        if test[level] & 3 == choice:
            crack(level - 1)
        test = list(snapshot)
# Ciphertext to invert; the search starts from the last of its 32 bytes.
test = [
    0x65, 0x3E, 0x43, 0xB8, 0xBA, 0xDB, 0xF6, 0x88, 0x25, 0x1B,
    0x28, 0xC7, 0xC0, 0x54, 0xA6, 0x4A, 0x90, 0x37, 0xBC, 0x29,
    0x41, 0xAA, 0x28, 0xDB, 0x9A, 0x59, 0x63, 0x9E, 0x4B, 0xCF,
    0x2E, 0x41,
]
crack(len(test) - 1)
  • Title: N1CTF 2025 WP
  • Author: clev1L
  • Created at : 2025-02-10 23:39:13
  • Updated at : 2025-02-23 12:29:57
  • Link: https://github.com/clev1l/2025/02/10/N1CTF-2025-WP/
  • License: This work is licensed under CC BY-NC-SA 4.0.