// https://syzkaller.appspot.com/bug?id=3feb4148f314d3eac982f36cf8ec1551a6ca0ed6 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include static void sleep_ms(uint64_t ms) { usleep(ms * 1000); } static uint64_t current_time_ms(void) { struct timespec ts; if (clock_gettime(CLOCK_MONOTONIC, &ts)) exit(1); return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000; } static bool write_file(const char* file, const char* what, ...) { char buf[1024]; va_list args; va_start(args, what); vsnprintf(buf, sizeof(buf), what, args); va_end(args); buf[sizeof(buf) - 1] = 0; int len = strlen(buf); int fd = open(file, O_WRONLY | O_CLOEXEC); if (fd == -1) return false; if (write(fd, buf, len) != len) { int err = errno; close(fd); errno = err; return false; } close(fd); return true; } #define noinline __attribute__((noinline)) #define __no_stack_protector #define __addrspace_guest #define GUEST_CODE \ __attribute__((section("guest"))) __no_stack_protector __addrspace_guest extern char *__start_guest, *__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_SYZOS_ADDR_ZERO 0x0 #define X86_SYZOS_ADDR_GDT 0x1000 #define X86_SYZOS_ADDR_PML4 0x2000 #define X86_SYZOS_ADDR_PDP 0x3000 #define X86_SYZOS_ADDR_PT_POOL 0x5000 #define X86_SYZOS_ADDR_VAR_IDT 0x25000 #define X86_SYZOS_ADDR_VAR_TSS 0x26000 #define X86_SYZOS_ADDR_SMRAM 0x30000 #define X86_SYZOS_ADDR_EXIT 0x40000 #define X86_SYZOS_ADDR_UEXIT (X86_SYZOS_ADDR_EXIT + 256) #define X86_SYZOS_ADDR_DIRTY_PAGES 0x41000 #define X86_SYZOS_ADDR_USER_CODE 0x50000 #define SYZOS_ADDR_EXECUTOR_CODE 0x54000 #define X86_SYZOS_ADDR_SCRATCH_CODE 0x58000 #define X86_SYZOS_ADDR_STACK_BOTTOM 0x60000 #define X86_SYZOS_ADDR_STACK0 0x60f80 #define X86_SYZOS_PER_VCPU_REGIONS_BASE 0x70000 #define X86_SYZOS_L1_VCPU_REGION_SIZE 0x40000 #define X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC 0x0000 #define X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA 0x1000 #define X86_SYZOS_L2_VM_REGION_SIZE 0x8000 #define X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB 0x0000 #define X86_SYZOS_L2_VM_OFFSET_VM_STACK 0x1000 #define X86_SYZOS_L2_VM_OFFSET_VM_CODE 0x2000 #define X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE 0x3000 #define X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP 0x7000 #define X86_SYZOS_ADDR_UNUSED 0x200000 #define X86_SYZOS_ADDR_IOAPIC 0xfec00000 #define X86_SYZOS_ADDR_VMCS_VMCB(cpu, vm) \ (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + \ X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + \ X86_SYZOS_L2_VM_OFFSET_VMCS_VMCB) #define X86_SYZOS_ADDR_VM_CODE(cpu, vm) \ (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + \ X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + \ X86_SYZOS_L2_VM_OFFSET_VM_CODE) #define X86_SYZOS_ADDR_VM_STACK(cpu, vm) \ (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + \ X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + \ X86_SYZOS_L2_VM_OFFSET_VM_STACK) #define X86_SYZOS_ADDR_VM_PGTABLE(cpu, vm) \ (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + \ X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + \ X86_SYZOS_L2_VM_OFFSET_VM_PGTABLE) #define X86_SYZOS_ADDR_MSR_BITMAP(cpu, vm) \ (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + \ X86_SYZOS_L1_VCPU_OFFSET_L2_VMS_AREA + (vm) * X86_SYZOS_L2_VM_REGION_SIZE + \ X86_SYZOS_L2_VM_OFFSET_MSR_BITMAP) #define X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu) \ (X86_SYZOS_PER_VCPU_REGIONS_BASE + (cpu) * X86_SYZOS_L1_VCPU_REGION_SIZE + \ X86_SYZOS_L1_VCPU_OFFSET_VM_ARCH_SPECIFIC) #define X86_SYZOS_SEL_CODE 0x8 #define X86_SYZOS_SEL_DATA 0x10 #define X86_SYZOS_SEL_TSS64 0x18 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 8) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define EPT_MEMTYPE_WB (6ULL << 3) #define EPT_ACCESSED (1ULL << 8) #define EPT_DIRTY (1ULL << 9) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_CR_PAT 0x277 #define X86_MSR_CORE_PERF_GLOBAL_CTRL 0x38f #define X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS 0x48d #define X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS 0x48e #define X86_MSR_IA32_VMX_TRUE_EXIT_CTLS 0x48f #define X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS 0x490 #define X86_MSR_IA32_EFER 0xc0000080 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_FS_BASE 0xc0000100 #define X86_MSR_GS_BASE 0xc0000101 #define X86_MSR_VM_HSAVE_PA 0xc0010117 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define RFLAGS_1_BIT (1ULL << 1) #define CPU_BASED_HLT_EXITING (1U << 7) #define CPU_BASED_RDTSC_EXITING (1U << 12) #define AR_TSS_AVAILABLE 0x0089 #define SVM_ATTR_LDTR_UNUSABLE 0x0000 #define VMX_AR_TSS_BUSY 0x008b #define VMX_AR_TSS_AVAILABLE 0x0089 #define VMX_AR_LDTR_UNUSABLE 0x10000 #define VM_ENTRY_IA32E_MODE (1U << 9) #define SECONDARY_EXEC_ENABLE_EPT (1U << 1) #define SECONDARY_EXEC_ENABLE_RDTSCP (1U << 3) #define VM_EXIT_HOST_ADDR_SPACE_SIZE (1U << 9) #define CPU_BASED_ACTIVATE_SECONDARY_CONTROLS (1U << 31) #define VMX_ACCESS_RIGHTS_P (1 << 7) #define VMX_ACCESS_RIGHTS_S (1 << 4) #define VMX_ACCESS_RIGHTS_TYPE_A (1 << 0) #define VMX_ACCESS_RIGHTS_TYPE_RW (1 << 1) #define VMX_ACCESS_RIGHTS_TYPE_E (1 << 3) #define VMX_ACCESS_RIGHTS_G (1 << 15) #define VMX_ACCESS_RIGHTS_DB (1 << 14) #define VMX_ACCESS_RIGHTS_L (1 << 13) #define VMX_AR_64BIT_DATA_STACK \ (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_RW | \ VMX_ACCESS_RIGHTS_TYPE_A | VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_DB) #define VMX_AR_64BIT_CODE \ (VMX_ACCESS_RIGHTS_P | VMX_ACCESS_RIGHTS_S | VMX_ACCESS_RIGHTS_TYPE_E | \ VMX_ACCESS_RIGHTS_TYPE_RW | VMX_ACCESS_RIGHTS_TYPE_A | \ VMX_ACCESS_RIGHTS_G | VMX_ACCESS_RIGHTS_L) #define VMCS_VIRTUAL_PROCESSOR_ID 0x00000000 #define VMCS_POSTED_INTR_NV 0x00000002 #define VMCS_MSR_BITMAP 0x00002004 #define VMCS_VMREAD_BITMAP 0x00002006 #define VMCS_VMWRITE_BITMAP 0x00002008 #define VMCS_EPT_POINTER 0x0000201a #define VMCS_LINK_POINTER 0x00002800 #define VMCS_PIN_BASED_VM_EXEC_CONTROL 0x00004000 #define VMCS_CPU_BASED_VM_EXEC_CONTROL 0x00004002 #define VMCS_EXCEPTION_BITMAP 0x00004004 #define VMCS_PAGE_FAULT_ERROR_CODE_MASK 0x00004006 #define VMCS_PAGE_FAULT_ERROR_CODE_MATCH 0x00004008 #define VMCS_CR3_TARGET_COUNT 0x0000400a #define VMCS_VM_EXIT_CONTROLS 0x0000400c #define VMCS_VM_EXIT_MSR_STORE_COUNT 0x0000400e #define VMCS_VM_EXIT_MSR_LOAD_COUNT 0x00004010 #define VMCS_VM_ENTRY_CONTROLS 0x00004012 #define VMCS_VM_ENTRY_MSR_LOAD_COUNT 0x00004014 #define VMCS_VM_ENTRY_INTR_INFO_FIELD 0x00004016 #define VMCS_TPR_THRESHOLD 0x0000401c #define VMCS_SECONDARY_VM_EXEC_CONTROL 0x0000401e #define VMCS_VM_INSTRUCTION_ERROR 0x00004400 #define VMCS_VM_EXIT_REASON 0x00004402 #define VMCS_VMX_PREEMPTION_TIMER_VALUE 0x0000482e #define VMCS_CR0_GUEST_HOST_MASK 0x00006000 #define VMCS_CR4_GUEST_HOST_MASK 0x00006002 #define VMCS_CR0_READ_SHADOW 0x00006004 #define VMCS_CR4_READ_SHADOW 0x00006006 #define VMCS_HOST_ES_SELECTOR 0x00000c00 #define VMCS_HOST_CS_SELECTOR 0x00000c02 #define VMCS_HOST_SS_SELECTOR 0x00000c04 #define VMCS_HOST_DS_SELECTOR 0x00000c06 #define VMCS_HOST_FS_SELECTOR 0x00000c08 #define VMCS_HOST_GS_SELECTOR 0x00000c0a #define VMCS_HOST_TR_SELECTOR 0x00000c0c #define VMCS_HOST_IA32_PAT 0x00002c00 #define VMCS_HOST_IA32_EFER 0x00002c02 #define VMCS_HOST_IA32_PERF_GLOBAL_CTRL 0x00002c04 #define VMCS_HOST_IA32_SYSENTER_CS 0x00004c00 #define VMCS_HOST_CR0 0x00006c00 #define VMCS_HOST_CR3 0x00006c02 #define VMCS_HOST_CR4 0x00006c04 #define VMCS_HOST_FS_BASE 0x00006c06 #define VMCS_HOST_GS_BASE 0x00006c08 #define VMCS_HOST_TR_BASE 0x00006c0a #define VMCS_HOST_GDTR_BASE 0x00006c0c #define VMCS_HOST_IDTR_BASE 0x00006c0e #define VMCS_HOST_IA32_SYSENTER_ESP 0x00006c10 #define VMCS_HOST_IA32_SYSENTER_EIP 0x00006c12 #define VMCS_HOST_RSP 0x00006c14 #define VMCS_HOST_RIP 0x00006c16 #define VMCS_GUEST_INTR_STATUS 0x00000810 #define VMCS_GUEST_PML_INDEX 0x00000812 #define VMCS_GUEST_IA32_DEBUGCTL 0x00002802 #define VMCS_GUEST_IA32_PAT 0x00002804 #define VMCS_GUEST_IA32_EFER 0x00002806 #define VMCS_GUEST_IA32_PERF_GLOBAL_CTRL 0x00002808 #define VMCS_GUEST_ES_SELECTOR 0x00000800 #define VMCS_GUEST_CS_SELECTOR 0x00000802 #define VMCS_GUEST_SS_SELECTOR 0x00000804 #define VMCS_GUEST_DS_SELECTOR 0x00000806 #define VMCS_GUEST_FS_SELECTOR 0x00000808 #define VMCS_GUEST_GS_SELECTOR 0x0000080a #define VMCS_GUEST_LDTR_SELECTOR 0x0000080c #define VMCS_GUEST_TR_SELECTOR 0x0000080e #define VMCS_GUEST_ES_LIMIT 0x00004800 #define VMCS_GUEST_CS_LIMIT 0x00004802 #define VMCS_GUEST_SS_LIMIT 0x00004804 #define VMCS_GUEST_DS_LIMIT 0x00004806 #define VMCS_GUEST_FS_LIMIT 0x00004808 #define VMCS_GUEST_GS_LIMIT 0x0000480a #define VMCS_GUEST_LDTR_LIMIT 0x0000480c #define VMCS_GUEST_TR_LIMIT 0x0000480e #define VMCS_GUEST_GDTR_LIMIT 0x00004810 #define VMCS_GUEST_IDTR_LIMIT 0x00004812 #define VMCS_GUEST_ES_ACCESS_RIGHTS 0x00004814 #define VMCS_GUEST_CS_ACCESS_RIGHTS 0x00004816 #define VMCS_GUEST_SS_ACCESS_RIGHTS 0x00004818 #define VMCS_GUEST_DS_ACCESS_RIGHTS 0x0000481a #define VMCS_GUEST_FS_ACCESS_RIGHTS 0x0000481c #define VMCS_GUEST_GS_ACCESS_RIGHTS 0x0000481e #define VMCS_GUEST_LDTR_ACCESS_RIGHTS 0x00004820 #define VMCS_GUEST_TR_ACCESS_RIGHTS 0x00004822 #define VMCS_GUEST_ACTIVITY_STATE 0x00004824 #define VMCS_GUEST_INTERRUPTIBILITY_INFO 0x00004826 #define VMCS_GUEST_SYSENTER_CS 0x0000482a #define VMCS_GUEST_CR0 0x00006800 #define VMCS_GUEST_CR3 0x00006802 #define VMCS_GUEST_CR4 0x00006804 #define VMCS_GUEST_ES_BASE 0x00006806 #define VMCS_GUEST_CS_BASE 0x00006808 #define VMCS_GUEST_SS_BASE 0x0000680a #define VMCS_GUEST_DS_BASE 0x0000680c #define VMCS_GUEST_FS_BASE 0x0000680e #define VMCS_GUEST_GS_BASE 0x00006810 #define VMCS_GUEST_LDTR_BASE 0x00006812 #define VMCS_GUEST_TR_BASE 0x00006814 #define VMCS_GUEST_GDTR_BASE 0x00006816 #define VMCS_GUEST_IDTR_BASE 0x00006818 #define VMCS_GUEST_DR7 0x0000681a #define VMCS_GUEST_RSP 0x0000681c #define VMCS_GUEST_RIP 0x0000681e #define VMCS_GUEST_RFLAGS 0x00006820 #define VMCS_GUEST_PENDING_DBG_EXCEPTIONS 0x00006822 #define VMCS_GUEST_SYSENTER_ESP 0x00006824 #define VMCS_GUEST_SYSENTER_EIP 0x00006826 #define VMCB_CTRL_INTERCEPT_VEC3 0x0c #define VMCB_CTRL_INTERCEPT_VEC3_ALL (0xffffffff) #define VMCB_CTRL_INTERCEPT_VEC4 0x10 #define VMCB_CTRL_INTERCEPT_VEC4_ALL (0x3ff) #define VMCB_CTRL_ASID 0x058 #define VMCB_EXIT_CODE 0x070 #define VMCB_CTRL_NP_ENABLE 0x090 #define VMCB_CTRL_NPT_ENABLE_BIT 0 #define VMCB_CTRL_N_CR3 0x0b0 #define VMCB_GUEST_ES_SEL 0x400 #define VMCB_GUEST_ES_ATTR 0x402 #define VMCB_GUEST_ES_LIM 0x404 #define VMCB_GUEST_ES_BASE 0x408 #define VMCB_GUEST_CS_SEL 0x410 #define VMCB_GUEST_CS_ATTR 0x412 #define VMCB_GUEST_CS_LIM 0x414 #define VMCB_GUEST_CS_BASE 0x418 #define VMCB_GUEST_SS_SEL 0x420 #define VMCB_GUEST_SS_ATTR 0x422 #define VMCB_GUEST_SS_LIM 0x424 #define VMCB_GUEST_SS_BASE 0x428 #define VMCB_GUEST_DS_SEL 0x430 #define VMCB_GUEST_DS_ATTR 0x432 #define VMCB_GUEST_DS_LIM 0x434 #define VMCB_GUEST_DS_BASE 0x438 #define VMCB_GUEST_FS_SEL 0x440 #define VMCB_GUEST_FS_ATTR 0x442 #define VMCB_GUEST_FS_LIM 0x444 #define VMCB_GUEST_FS_BASE 0x448 #define VMCB_GUEST_GS_SEL 0x450 #define VMCB_GUEST_GS_ATTR 0x452 #define VMCB_GUEST_GS_LIM 0x454 #define VMCB_GUEST_GS_BASE 0x458 #define VMCB_GUEST_IDTR_SEL 0x480 #define VMCB_GUEST_IDTR_ATTR 0x482 #define VMCB_GUEST_IDTR_LIM 0x484 #define VMCB_GUEST_IDTR_BASE 0x488 #define VMCB_GUEST_GDTR_SEL 0x460 #define VMCB_GUEST_GDTR_ATTR 0x462 #define VMCB_GUEST_GDTR_LIM 0x464 #define VMCB_GUEST_GDTR_BASE 0x468 #define VMCB_GUEST_LDTR_SEL 0x470 #define VMCB_GUEST_LDTR_ATTR 0x472 #define VMCB_GUEST_LDTR_LIM 0x474 #define VMCB_GUEST_LDTR_BASE 0x478 #define VMCB_GUEST_TR_SEL 0x490 #define VMCB_GUEST_TR_ATTR 0x492 #define VMCB_GUEST_TR_LIM 0x494 #define VMCB_GUEST_TR_BASE 0x498 #define VMCB_GUEST_EFER 0x4d0 #define VMCB_GUEST_CR4 0x548 #define VMCB_GUEST_CR3 0x550 #define VMCB_GUEST_CR0 0x558 #define VMCB_GUEST_DR7 0x560 #define VMCB_GUEST_DR6 0x568 #define VMCB_GUEST_RFLAGS 0x570 #define VMCB_GUEST_RIP 0x578 #define VMCB_GUEST_RSP 0x5d8 #define VMCB_GUEST_PAT 0x668 #define VMCB_GUEST_DEBUGCTL 0x670 #define SVM_ATTR_G (1 << 15) #define SVM_ATTR_DB (1 << 14) #define SVM_ATTR_L (1 << 13) #define SVM_ATTR_P (1 << 7) #define SVM_ATTR_S (1 << 4) #define SVM_ATTR_TYPE_A (1 << 0) #define SVM_ATTR_TYPE_RW (1 << 1) #define SVM_ATTR_TYPE_E (1 << 3) #define SVM_ATTR_64BIT_CODE \ (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_E | SVM_ATTR_TYPE_RW | \ SVM_ATTR_TYPE_A | SVM_ATTR_L | SVM_ATTR_G) #define SVM_ATTR_64BIT_DATA \ (SVM_ATTR_P | SVM_ATTR_S | SVM_ATTR_TYPE_RW | SVM_ATTR_TYPE_A | \ SVM_ATTR_DB | SVM_ATTR_G) #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_PAGES 1024 #define KVM_GUEST_MEM_SIZE (KVM_GUEST_PAGES * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h, l) \ (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) extern char* __start_guest; static inline uintptr_t executor_fn_guest_addr(void* fn) { volatile uintptr_t start = (uintptr_t)&__start_guest; volatile uintptr_t offset = SYZOS_ADDR_EXECUTOR_CODE; return (uintptr_t)fn - start + offset; } typedef enum { SYZOS_API_UEXIT = 0, SYZOS_API_CODE = 10, SYZOS_API_CPUID = 100, SYZOS_API_WRMSR = 101, SYZOS_API_RDMSR = 102, SYZOS_API_WR_CRN = 103, SYZOS_API_WR_DRN = 104, SYZOS_API_IN_DX = 105, SYZOS_API_OUT_DX = 106, SYZOS_API_SET_IRQ_HANDLER = 200, SYZOS_API_ENABLE_NESTED = 300, SYZOS_API_NESTED_CREATE_VM = 301, SYZOS_API_NESTED_LOAD_CODE = 302, SYZOS_API_NESTED_VMLAUNCH = 303, SYZOS_API_NESTED_VMRESUME = 304, SYZOS_API_NESTED_INTEL_VMWRITE_MASK = 340, SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK = 380, SYZOS_API_STOP, } syzos_api_id; struct api_call_header { uint64_t call; uint64_t size; }; struct api_call_uexit { struct api_call_header header; uint64_t exit_code; }; struct api_call_code { struct api_call_header header; uint8_t insns[]; }; struct api_call_nested_load_code { struct api_call_header header; uint64_t vm_id; uint8_t insns[]; }; struct api_call_cpuid { struct api_call_header header; uint32_t eax; uint32_t ecx; }; struct api_call_1 { struct api_call_header header; uint64_t arg; }; struct api_call_2 { struct api_call_header header; uint64_t args[2]; }; struct api_call_3 { struct api_call_header header; uint64_t args[3]; }; struct api_call_5 { struct api_call_header header; uint64_t args[5]; }; struct l2_guest_regs { uint64_t rax, rbx, rcx, rdx, rsi, rdi, rbp; uint64_t r8, r9, r10, r11, r12, r13, r14, r15; }; GUEST_CODE static void guest_uexit(uint64_t exit_code); GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs); GUEST_CODE static void guest_execute_code(uint8_t* insns, uint64_t size); GUEST_CODE static void guest_handle_cpuid(uint32_t eax, uint32_t ecx); GUEST_CODE static void guest_handle_wrmsr(uint64_t reg, uint64_t val); GUEST_CODE static void guest_handle_rdmsr(uint64_t reg); GUEST_CODE static void guest_handle_wr_crn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_wr_drn(struct api_call_2* cmd); GUEST_CODE static void guest_handle_in_dx(struct api_call_2* cmd); GUEST_CODE static void guest_handle_out_dx(struct api_call_3* cmd); GUEST_CODE static void guest_handle_set_irq_handler(struct api_call_2* cmd); GUEST_CODE static void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id); GUEST_CODE static void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id); typedef enum { UEXIT_END = (uint64_t)-1, UEXIT_IRQ = (uint64_t)-2, UEXIT_ASSERT = (uint64_t)-3, } uexit_code; typedef enum { CPU_VENDOR_INTEL, CPU_VENDOR_AMD, } cpu_vendor_id; __attribute__((naked)) GUEST_CODE static void dummy_null_handler() { asm("iretq"); } __attribute__((naked)) GUEST_CODE static void uexit_irq_handler() { asm volatile(R"( movq $-2, %rdi call guest_uexit iretq )"); } __attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu) { uint64_t addr = X86_SYZOS_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE; while (size >= sizeof(struct api_call_header)) { struct api_call_header* cmd = (struct api_call_header*)addr; if (cmd->call >= SYZOS_API_STOP) return; if (cmd->size > size) return; volatile uint64_t call = cmd->call; if (call == SYZOS_API_UEXIT) { struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd; guest_uexit(ucmd->exit_code); } else if (call == SYZOS_API_CODE) { struct api_call_code* ccmd = (struct api_call_code*)cmd; guest_execute_code(ccmd->insns, cmd->size - sizeof(struct api_call_header)); } else if (call == SYZOS_API_CPUID) { struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd; guest_handle_cpuid(ccmd->eax, ccmd->ecx); } else if (call == SYZOS_API_WRMSR) { struct api_call_2* ccmd = (struct api_call_2*)cmd; guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]); } else if (call == SYZOS_API_RDMSR) { struct api_call_1* ccmd = (struct api_call_1*)cmd; guest_handle_rdmsr(ccmd->arg); } else if (call == SYZOS_API_WR_CRN) { guest_handle_wr_crn((struct api_call_2*)cmd); } else if (call == SYZOS_API_WR_DRN) { guest_handle_wr_drn((struct api_call_2*)cmd); } else if (call == SYZOS_API_IN_DX) { guest_handle_in_dx((struct api_call_2*)cmd); } else if (call == SYZOS_API_OUT_DX) { guest_handle_out_dx((struct api_call_3*)cmd); } else if (call == SYZOS_API_SET_IRQ_HANDLER) { guest_handle_set_irq_handler((struct api_call_2*)cmd); } else if (call == SYZOS_API_ENABLE_NESTED) { guest_handle_enable_nested((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_CREATE_VM) { guest_handle_nested_create_vm((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_LOAD_CODE) { guest_handle_nested_load_code((struct api_call_nested_load_code*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMLAUNCH) { guest_handle_nested_vmlaunch((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_VMRESUME) { guest_handle_nested_vmresume((struct api_call_1*)cmd, cpu); } else if (call == SYZOS_API_NESTED_INTEL_VMWRITE_MASK) { guest_handle_nested_intel_vmwrite_mask((struct api_call_5*)cmd, cpu); } else if (call == SYZOS_API_NESTED_AMD_VMCB_WRITE_MASK) { guest_handle_nested_amd_vmcb_write_mask((struct api_call_5*)cmd, cpu); } addr += cmd->size; size -= cmd->size; }; guest_uexit((uint64_t)-1); } GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size) { volatile void (*fn)() = (volatile void (*)())insns; fn(); } __attribute__((used)) GUEST_CODE static noinline void guest_uexit(uint64_t exit_code) { volatile uint64_t* ptr = (volatile uint64_t*)X86_SYZOS_ADDR_UEXIT; *ptr = exit_code; } GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx) { asm volatile("cpuid\n" : : "a"(eax), "c"(ecx) : "rbx", "rdx"); } GUEST_CODE static noinline void wrmsr(uint64_t reg, uint64_t val) { asm volatile("wrmsr" : : "c"(reg), "a"((uint32_t)val), "d"((uint32_t)(val >> 32)) : "memory"); } GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val) { wrmsr(reg, val); } GUEST_CODE static noinline uint64_t rdmsr(uint64_t msr_id) { uint32_t low = 0, high = 0; asm volatile("rdmsr" : "=a"(low), "=d"(high) : "c"(msr_id)); return ((uint64_t)high << 32) | low; } GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg) { (void)rdmsr(reg); } GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%cr0" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%cr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%cr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%cr4" ::"r"(value) : "memory"); return; } if (reg == 8) { asm volatile("movq %0, %%cr8" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_wr_drn(struct api_call_2* cmd) { uint64_t value = cmd->args[1]; volatile uint64_t reg = cmd->args[0]; if (reg == 0) { asm volatile("movq %0, %%dr0" ::"r"(value) : "memory"); return; } if (reg == 1) { asm volatile("movq %0, %%dr1" ::"r"(value) : "memory"); return; } if (reg == 2) { asm volatile("movq %0, %%dr2" ::"r"(value) : "memory"); return; } if (reg == 3) { asm volatile("movq %0, %%dr3" ::"r"(value) : "memory"); return; } if (reg == 4) { asm volatile("movq %0, %%dr4" ::"r"(value) : "memory"); return; } if (reg == 5) { asm volatile("movq %0, %%dr5" ::"r"(value) : "memory"); return; } if (reg == 6) { asm volatile("movq %0, %%dr6" ::"r"(value) : "memory"); return; } if (reg == 7) { asm volatile("movq %0, %%dr7" ::"r"(value) : "memory"); return; } } GUEST_CODE static noinline void guest_handle_in_dx(struct api_call_2* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; if (size == 1) { uint8_t unused; asm volatile("inb %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 2) { uint16_t unused; asm volatile("inw %1, %0" : "=a"(unused) : "d"(port)); return; } if (size == 4) { uint32_t unused; asm volatile("inl %1, %0" : "=a"(unused) : "d"(port)); } return; } GUEST_CODE static noinline void guest_handle_out_dx(struct api_call_3* cmd) { uint16_t port = cmd->args[0]; volatile int size = cmd->args[1]; uint32_t data = (uint32_t)cmd->args[2]; if (size == 1) { asm volatile("outb %b0, %w1" ::"a"(data), "d"(port)); return; } if (size == 2) { asm volatile("outw %w0, %w1" ::"a"(data), "d"(port)); return; } if (size == 4) { asm volatile("outl %k0, %w1" ::"a"(data), "d"(port)); return; } } struct idt_entry_64 { uint16_t offset_low; uint16_t selector; uint8_t ist; uint8_t type_attr; uint16_t offset_mid; uint32_t offset_high; uint32_t reserved; } __attribute__((packed)); GUEST_CODE static void set_idt_gate(uint8_t vector, uint64_t handler) { volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)(X86_SYZOS_ADDR_VAR_IDT); volatile struct idt_entry_64* idt_entry = &idt[vector]; idt_entry->offset_low = (uint16_t)handler; idt_entry->offset_mid = (uint16_t)(handler >> 16); idt_entry->offset_high = (uint32_t)(handler >> 32); idt_entry->selector = X86_SYZOS_SEL_CODE; idt_entry->type_attr = 0x8E; idt_entry->ist = 0; idt_entry->reserved = 0; } GUEST_CODE static noinline void guest_handle_set_irq_handler(struct api_call_2* cmd) { uint8_t vector = (uint8_t)cmd->args[0]; uint64_t type = cmd->args[1]; volatile uint64_t handler_addr = 0; if (type == 1) handler_addr = executor_fn_guest_addr(dummy_null_handler); else if (type == 2) handler_addr = executor_fn_guest_addr(uexit_irq_handler); set_idt_gate(vector, handler_addr); } GUEST_CODE static cpu_vendor_id get_cpu_vendor(void) { uint32_t ebx, eax = 0; asm volatile("cpuid" : "+a"(eax), "=b"(ebx) : : "ecx", "edx"); if (ebx == 0x756e6547) { return CPU_VENDOR_INTEL; } else if (ebx == 0x68747541) { return CPU_VENDOR_AMD; } else { guest_uexit(UEXIT_ASSERT); return CPU_VENDOR_INTEL; } } GUEST_CODE static inline uint64_t read_cr0(void) { uint64_t val; asm volatile("mov %%cr0, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr3(void) { uint64_t val; asm volatile("mov %%cr3, %0" : "=r"(val)); return val; } GUEST_CODE static inline uint64_t read_cr4(void) { uint64_t val; asm volatile("mov %%cr4, %0" : "=r"(val)); return val; } GUEST_CODE static inline void write_cr4(uint64_t val) { asm volatile("mov %0, %%cr4" : : "r"(val)); } GUEST_CODE static noinline void vmwrite(uint64_t field, uint64_t value) { uint8_t error = 0; asm volatile("vmwrite %%rax, %%rbx; setna %0" : "=q"(error) : "a"(value), "b"(field) : "cc", "memory"); if (error) guest_uexit(UEXIT_ASSERT); } GUEST_CODE static noinline uint64_t vmread(uint64_t field) { uint64_t value; asm volatile("vmread %%rbx, %%rax" : "=a"(value) : "b"(field) : "cc"); return value; } GUEST_CODE static inline void nested_vmptrld(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; asm volatile("vmptrld %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) guest_uexit(0xE2BAD2); } GUEST_CODE static noinline void vmcb_write16(uint64_t vmcb, uint16_t offset, uint16_t val) { *((volatile uint16_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write32(uint64_t vmcb, uint16_t offset, uint32_t val) { *((volatile uint32_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline void vmcb_write64(uint64_t vmcb, uint16_t offset, uint64_t val) { *((volatile uint64_t*)(vmcb + offset)) = val; } GUEST_CODE static noinline uint64_t vmcb_read64(volatile uint8_t* vmcb, uint16_t offset) { return *((volatile uint64_t*)(vmcb + offset)); } GUEST_CODE static void guest_memset(void* s, uint8_t c, int size) { volatile uint8_t* p = (volatile uint8_t*)s; for (int i = 0; i < size; i++) p[i] = c; } GUEST_CODE static void guest_memcpy(void* dst, void* src, int size) { volatile uint8_t* d = (volatile uint8_t*)dst; volatile uint8_t* s = (volatile uint8_t*)src; for (int i = 0; i < size; i++) d[i] = s[i]; } GUEST_CODE static noinline void nested_enable_vmx_intel(uint64_t cpu_id) { uint64_t vmxon_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t cr4 = read_cr4(); cr4 |= X86_CR4_VMXE; write_cr4(cr4); uint64_t feature_control = rdmsr(X86_MSR_IA32_FEATURE_CONTROL); if ((feature_control & 1) == 0) { feature_control |= 0b101; asm volatile("wrmsr" : : "d"(0x0), "c"(X86_MSR_IA32_FEATURE_CONTROL), "A"(feature_control)); } *(uint32_t*)vmxon_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); uint8_t error; asm volatile("vmxon %1; setna %0" : "=q"(error) : "m"(vmxon_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD0); return; } } GUEST_CODE static noinline void nested_enable_svm_amd(uint64_t cpu_id) { uint64_t hsave_addr = X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); efer |= X86_EFER_SVME; wrmsr(X86_MSR_IA32_EFER, efer); wrmsr(X86_MSR_VM_HSAVE_PA, hsave_addr); } GUEST_CODE static noinline void guest_handle_enable_nested(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_enable_vmx_intel(cpu_id); } else { nested_enable_svm_amd(cpu_id); } } GUEST_CODE static noinline void setup_l2_page_tables(cpu_vendor_id vendor, uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); uint64_t l2_pdpt_addr = l2_pml4_addr + KVM_PAGE_SIZE; uint64_t l2_pd_addr = l2_pml4_addr + 2 * KVM_PAGE_SIZE; uint64_t l2_pt_addr = l2_pml4_addr + 3 * KVM_PAGE_SIZE; volatile uint64_t* pml4 = (volatile uint64_t*)l2_pml4_addr; volatile uint64_t* pdpt = (volatile uint64_t*)l2_pdpt_addr; volatile uint64_t* pd = (volatile uint64_t*)l2_pd_addr; volatile uint64_t* pt = (volatile uint64_t*)l2_pt_addr; guest_memset((void*)l2_pml4_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pdpt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pd_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)l2_pt_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_MSR_BITMAP(cpu_id, vm_id), 0, KVM_PAGE_SIZE); uint64_t flags = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER; pml4[0] = l2_pdpt_addr | flags; pdpt[0] = l2_pd_addr | flags; pd[0] = l2_pt_addr | flags; uint64_t pt_flags = flags; if (vendor == CPU_VENDOR_INTEL) { pt_flags |= EPT_MEMTYPE_WB | EPT_ACCESSED | EPT_DIRTY; } else { pt_flags |= X86_PDE64_ACCESSED | X86_PDE64_DIRTY; } for (int i = 0; i < 512; i++) pt[i] = (i * KVM_PAGE_SIZE) | pt_flags; } GUEST_CODE static noinline void init_vmcs_control_fields(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PINBASED_CTLS); vmwrite(VMCS_PIN_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = (uint32_t)rdmsr(X86_MSR_IA32_VMX_PROCBASED_CTLS2); vmx_msr |= SECONDARY_EXEC_ENABLE_EPT | SECONDARY_EXEC_ENABLE_RDTSCP; vmwrite(VMCS_SECONDARY_VM_EXEC_CONTROL, vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_PROCBASED_CTLS); vmx_msr |= CPU_BASED_ACTIVATE_SECONDARY_CONTROLS; vmx_msr |= CPU_BASED_HLT_EXITING | CPU_BASED_RDTSC_EXITING; vmwrite(VMCS_CPU_BASED_VM_EXEC_CONTROL, (uint32_t)vmx_msr); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_EXIT_CTLS); vmwrite(VMCS_VM_EXIT_CONTROLS, (uint32_t)vmx_msr | VM_EXIT_HOST_ADDR_SPACE_SIZE); vmx_msr = rdmsr(X86_MSR_IA32_VMX_TRUE_ENTRY_CTLS); vmwrite(VMCS_VM_ENTRY_CONTROLS, (uint32_t)vmx_msr | VM_ENTRY_IA32E_MODE); uint64_t eptp = (X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id) & ~0xFFF) | (6 << 0) | (3 << 3); vmwrite(VMCS_EPT_POINTER, eptp); vmwrite(VMCS_CR0_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR4_GUEST_HOST_MASK, 0); vmwrite(VMCS_CR0_READ_SHADOW, read_cr0()); vmwrite(VMCS_CR4_READ_SHADOW, read_cr4()); vmwrite(VMCS_MSR_BITMAP, 0); vmwrite(VMCS_VMREAD_BITMAP, 0); vmwrite(VMCS_VMWRITE_BITMAP, 0); vmwrite(VMCS_EXCEPTION_BITMAP, (1 << 6)); vmwrite(VMCS_VIRTUAL_PROCESSOR_ID, 0); vmwrite(VMCS_POSTED_INTR_NV, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MASK, 0); vmwrite(VMCS_PAGE_FAULT_ERROR_CODE_MATCH, -1); vmwrite(VMCS_CR3_TARGET_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_STORE_COUNT, 0); vmwrite(VMCS_VM_EXIT_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_MSR_LOAD_COUNT, 0); vmwrite(VMCS_VM_ENTRY_INTR_INFO_FIELD, 0); vmwrite(VMCS_TPR_THRESHOLD, 0); } typedef enum { SYZOS_NESTED_EXIT_REASON_HLT = 1, SYZOS_NESTED_EXIT_REASON_INVD = 2, SYZOS_NESTED_EXIT_REASON_CPUID = 3, SYZOS_NESTED_EXIT_REASON_RDTSC = 4, SYZOS_NESTED_EXIT_REASON_RDTSCP = 5, SYZOS_NESTED_EXIT_REASON_UNKNOWN = 0xFF, } syz_nested_exit_reason; GUEST_CODE static void guest_uexit_l2(uint64_t exit_reason, syz_nested_exit_reason mapped_reason, cpu_vendor_id vendor) { if (mapped_reason != SYZOS_NESTED_EXIT_REASON_UNKNOWN) { guest_uexit(0xe2e20000 | mapped_reason); } else if (vendor == CPU_VENDOR_INTEL) { guest_uexit(0xe2110000 | exit_reason); } else { guest_uexit(0xe2aa0000 | exit_reason); } } #define EXIT_REASON_CPUID 0xa #define EXIT_REASON_HLT 0xc #define EXIT_REASON_INVD 0xd #define EXIT_REASON_RDTSC 0x10 #define EXIT_REASON_RDTSCP 0x33 GUEST_CODE static syz_nested_exit_reason map_intel_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == EXIT_REASON_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == EXIT_REASON_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == EXIT_REASON_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == EXIT_REASON_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == EXIT_REASON_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_intel(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; uint64_t rip = vmread(VMCS_GUEST_RIP); if ((reason == EXIT_REASON_INVD) || (reason == EXIT_REASON_CPUID) || (reason == EXIT_REASON_RDTSC)) { rip += 2; } else if (reason == EXIT_REASON_RDTSCP) { rip += 3; } vmwrite(VMCS_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_intel(uint64_t exit_reason, struct l2_guest_regs* regs) { uint64_t basic_reason = exit_reason & 0xFFFF; syz_nested_exit_reason mapped_reason = map_intel_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_INTEL); advance_l2_rip_intel(basic_reason); } extern char after_vmentry_label; __attribute__((naked)) GUEST_CODE static void nested_vm_exit_handler_intel_asm(void) { asm volatile(R"( push %%rax push %%rbx push %%rcx push %%rdx push %%rsi push %%rdi push %%rbp push %%r8 push %%r9 push %%r10 push %%r11 push %%r12 push %%r13 push %%r14 push %%r15 mov %%rsp, %%rsi mov %[vm_exit_reason], %%rbx vmread %%rbx, %%rdi call nested_vm_exit_handler_intel add %[stack_cleanup_size], %%rsp jmp after_vmentry_label )" : : [stack_cleanup_size] "i"(sizeof(struct l2_guest_regs)), [vm_exit_reason] "i"(VMCS_VM_EXIT_REASON) : "memory", "cc", "rbx", "rdi", "rsi"); } #define VMEXIT_RDTSC 0x6e #define VMEXIT_CPUID 0x72 #define VMEXIT_INVD 0x76 #define VMEXIT_HLT 0x78 #define VMEXIT_RDTSCP 0x87 GUEST_CODE static syz_nested_exit_reason map_amd_exit_reason(uint64_t basic_reason) { volatile uint64_t reason = basic_reason; if (reason == VMEXIT_HLT) return SYZOS_NESTED_EXIT_REASON_HLT; if (reason == VMEXIT_INVD) return SYZOS_NESTED_EXIT_REASON_INVD; if (reason == VMEXIT_CPUID) return SYZOS_NESTED_EXIT_REASON_CPUID; if (reason == VMEXIT_RDTSC) return SYZOS_NESTED_EXIT_REASON_RDTSC; if (reason == VMEXIT_RDTSCP) return SYZOS_NESTED_EXIT_REASON_RDTSCP; return SYZOS_NESTED_EXIT_REASON_UNKNOWN; } GUEST_CODE static void advance_l2_rip_amd(uint64_t basic_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t reason = basic_reason; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t rip = vmcb_read64((volatile uint8_t*)vmcb_addr, VMCB_GUEST_RIP); if ((reason == VMEXIT_INVD) || (reason == VMEXIT_CPUID) || (reason == VMEXIT_RDTSC)) { rip += 2; } else if (reason == VMEXIT_RDTSCP) { rip += 3; } vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, rip); } __attribute__((used)) GUEST_CODE static void nested_vm_exit_handler_amd(uint64_t exit_reason, uint64_t cpu_id, uint64_t vm_id) { volatile uint64_t basic_reason = exit_reason & 0xFFFF; syz_nested_exit_reason mapped_reason = map_amd_exit_reason(basic_reason); guest_uexit_l2(exit_reason, mapped_reason, CPU_VENDOR_AMD); advance_l2_rip_amd(basic_reason, cpu_id, vm_id); } GUEST_CODE static noinline void init_vmcs_host_state(void) { vmwrite(VMCS_HOST_CS_SELECTOR, X86_SYZOS_SEL_CODE); vmwrite(VMCS_HOST_DS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_ES_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_SS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_FS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_GS_SELECTOR, X86_SYZOS_SEL_DATA); vmwrite(VMCS_HOST_TR_SELECTOR, X86_SYZOS_SEL_TSS64); vmwrite(VMCS_HOST_TR_BASE, 0); vmwrite(VMCS_HOST_GDTR_BASE, X86_SYZOS_ADDR_GDT); vmwrite(VMCS_HOST_IDTR_BASE, X86_SYZOS_ADDR_VAR_IDT); vmwrite(VMCS_HOST_FS_BASE, rdmsr(X86_MSR_FS_BASE)); vmwrite(VMCS_HOST_GS_BASE, rdmsr(X86_MSR_GS_BASE)); uint64_t tmpreg = 0; asm volatile("mov %%rsp, %0" : "=r"(tmpreg)); vmwrite(VMCS_HOST_RSP, tmpreg); vmwrite(VMCS_HOST_RIP, (uintptr_t)nested_vm_exit_handler_intel_asm); vmwrite(VMCS_HOST_CR0, read_cr0()); vmwrite(VMCS_HOST_CR3, read_cr3()); vmwrite(VMCS_HOST_CR4, read_cr4()); vmwrite(VMCS_HOST_IA32_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); vmwrite(VMCS_HOST_IA32_EFER, rdmsr(X86_MSR_IA32_EFER)); vmwrite(VMCS_HOST_IA32_PERF_GLOBAL_CTRL, rdmsr(X86_MSR_CORE_PERF_GLOBAL_CTRL)); vmwrite(VMCS_HOST_IA32_SYSENTER_CS, rdmsr(X86_MSR_IA32_SYSENTER_CS)); vmwrite(VMCS_HOST_IA32_SYSENTER_ESP, rdmsr(X86_MSR_IA32_SYSENTER_ESP)); vmwrite(VMCS_HOST_IA32_SYSENTER_EIP, rdmsr(X86_MSR_IA32_SYSENTER_EIP)); } #define COPY_VMCS_FIELD(GUEST_FIELD, HOST_FIELD) \ vmwrite(GUEST_FIELD, vmread(HOST_FIELD)) #define SETUP_L2_SEGMENT(SEG, SELECTOR, BASE, LIMIT, AR) \ vmwrite(VMCS_GUEST_##SEG##_SELECTOR, SELECTOR); \ vmwrite(VMCS_GUEST_##SEG##_BASE, BASE); \ vmwrite(VMCS_GUEST_##SEG##_LIMIT, LIMIT); \ vmwrite(VMCS_GUEST_##SEG##_ACCESS_RIGHTS, AR); GUEST_CODE static noinline void init_vmcs_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); SETUP_L2_SEGMENT(CS, vmread(VMCS_HOST_CS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_CODE); SETUP_L2_SEGMENT(DS, vmread(VMCS_HOST_DS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(ES, vmread(VMCS_HOST_ES_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(SS, vmread(VMCS_HOST_SS_SELECTOR), 0, 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(FS, vmread(VMCS_HOST_FS_SELECTOR), vmread(VMCS_HOST_FS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(GS, vmread(VMCS_HOST_GS_SELECTOR), vmread(VMCS_HOST_GS_BASE), 0xFFFFFFFF, VMX_AR_64BIT_DATA_STACK); SETUP_L2_SEGMENT(TR, vmread(VMCS_HOST_TR_SELECTOR), vmread(VMCS_HOST_TR_BASE), 0x67, VMX_AR_TSS_BUSY); SETUP_L2_SEGMENT(LDTR, 0, 0, 0, VMX_AR_LDTR_UNUSABLE); vmwrite(VMCS_GUEST_CR0, vmread(VMCS_HOST_CR0)); vmwrite(VMCS_GUEST_CR3, vmread(VMCS_HOST_CR3)); vmwrite(VMCS_GUEST_CR4, vmread(VMCS_HOST_CR4)); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmwrite(VMCS_GUEST_RFLAGS, RFLAGS_1_BIT); vmwrite(VMCS_GUEST_DR7, 0x400); COPY_VMCS_FIELD(VMCS_GUEST_IA32_EFER, VMCS_HOST_IA32_EFER); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PAT, VMCS_HOST_IA32_PAT); COPY_VMCS_FIELD(VMCS_GUEST_IA32_PERF_GLOBAL_CTRL, VMCS_HOST_IA32_PERF_GLOBAL_CTRL); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_CS, VMCS_HOST_IA32_SYSENTER_CS); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_ESP, VMCS_HOST_IA32_SYSENTER_ESP); COPY_VMCS_FIELD(VMCS_GUEST_SYSENTER_EIP, VMCS_HOST_IA32_SYSENTER_EIP); vmwrite(VMCS_GUEST_IA32_DEBUGCTL, 0); vmwrite(VMCS_GUEST_GDTR_BASE, vmread(VMCS_HOST_GDTR_BASE)); vmwrite(VMCS_GUEST_GDTR_LIMIT, 0xffff); vmwrite(VMCS_GUEST_IDTR_BASE, vmread(VMCS_HOST_IDTR_BASE)); vmwrite(VMCS_GUEST_IDTR_LIMIT, 0xffff); vmwrite(VMCS_LINK_POINTER, 0xffffffffffffffff); vmwrite(VMCS_GUEST_ACTIVITY_STATE, 0); vmwrite(VMCS_GUEST_INTERRUPTIBILITY_INFO, 0); vmwrite(VMCS_GUEST_PENDING_DBG_EXCEPTIONS, 0); vmwrite(VMCS_VMX_PREEMPTION_TIMER_VALUE, 0); vmwrite(VMCS_GUEST_INTR_STATUS, 0); vmwrite(VMCS_GUEST_PML_INDEX, 0); } GUEST_CODE static noinline void nested_create_vm_intel(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcs_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint8_t error = 0; *(uint32_t*)vmcs_addr = rdmsr(X86_MSR_IA32_VMX_BASIC); asm volatile("vmclear %1; setna %0" : "=q"(error) : "m"(vmcs_addr) : "memory", "cc"); if (error) { guest_uexit(0xE2BAD1); return; } nested_vmptrld(cpu_id, vm_id); setup_l2_page_tables(CPU_VENDOR_INTEL, cpu_id, vm_id); init_vmcs_control_fields(cpu_id, vm_id); init_vmcs_host_state(); init_vmcs_guest_state(cpu_id, vm_id); } #define SETUP_L2_SEGMENT_SVM(VMBC_PTR, SEG_NAME, SELECTOR, BASE, LIMIT, ATTR) \ vmcb_write16(VMBC_PTR, VMCB_GUEST_##SEG_NAME##_SEL, SELECTOR); \ vmcb_write16(VMBC_PTR, VMCB_GUEST_##SEG_NAME##_ATTR, ATTR); \ vmcb_write32(VMBC_PTR, VMCB_GUEST_##SEG_NAME##_LIM, LIMIT); \ vmcb_write64(VMBC_PTR, VMCB_GUEST_##SEG_NAME##_BASE, BASE); GUEST_CODE static noinline void init_vmcb_guest_state(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t npt_pml4_addr = X86_SYZOS_ADDR_VM_PGTABLE(cpu_id, vm_id); SETUP_L2_SEGMENT_SVM(vmcb_addr, CS, X86_SYZOS_SEL_CODE, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_CODE); SETUP_L2_SEGMENT_SVM(vmcb_addr, DS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, ES, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, SS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, FS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, GS, X86_SYZOS_SEL_DATA, 0, 0xFFFFFFFF, SVM_ATTR_64BIT_DATA); SETUP_L2_SEGMENT_SVM(vmcb_addr, TR, X86_SYZOS_SEL_TSS64, X86_SYZOS_ADDR_VAR_TSS, 0x67, VMX_AR_TSS_AVAILABLE); SETUP_L2_SEGMENT_SVM(vmcb_addr, LDTR, 0, 0, 0, SVM_ATTR_LDTR_UNUSABLE); uint64_t efer = rdmsr(X86_MSR_IA32_EFER); vmcb_write64(vmcb_addr, VMCB_GUEST_CR0, read_cr0() | X86_CR0_WP); vmcb_write64(vmcb_addr, VMCB_GUEST_CR3, read_cr3()); vmcb_write64(vmcb_addr, VMCB_GUEST_CR4, read_cr4()); vmcb_write64(vmcb_addr, VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(vmcb_addr, VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); vmcb_write64(vmcb_addr, VMCB_GUEST_RFLAGS, RFLAGS_1_BIT); vmcb_write64(vmcb_addr, VMCB_GUEST_DEBUGCTL, 0); vmcb_write64(vmcb_addr, VMCB_GUEST_DR6, 0x0); vmcb_write64(vmcb_addr, VMCB_GUEST_DR7, 0x0); vmcb_write64(vmcb_addr, VMCB_GUEST_EFER, efer & ~X86_EFER_SCE); vmcb_write64(vmcb_addr, VMCB_GUEST_PAT, rdmsr(X86_MSR_IA32_CR_PAT)); struct { uint16_t limit; uint64_t base; } __attribute__((packed)) gdtr, idtr; asm volatile("sgdt %0" : "=m"(gdtr)); asm volatile("sidt %0" : "=m"(idtr)); vmcb_write64(vmcb_addr, VMCB_GUEST_GDTR_BASE, gdtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_GDTR_LIM, gdtr.limit); vmcb_write64(vmcb_addr, VMCB_GUEST_IDTR_BASE, idtr.base); vmcb_write32(vmcb_addr, VMCB_GUEST_IDTR_LIM, idtr.limit); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC3, VMCB_CTRL_INTERCEPT_VEC3_ALL); vmcb_write32(vmcb_addr, VMCB_CTRL_INTERCEPT_VEC4, VMCB_CTRL_INTERCEPT_VEC4_ALL); vmcb_write64(vmcb_addr, VMCB_CTRL_NP_ENABLE, (1 << VMCB_CTRL_NPT_ENABLE_BIT)); uint64_t npt_pointer = (npt_pml4_addr & ~0xFFF); vmcb_write64(vmcb_addr, VMCB_CTRL_N_CR3, npt_pointer); vmcb_write32(vmcb_addr, VMCB_CTRL_ASID, 1); } GUEST_CODE static noinline void nested_create_vm_amd(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); guest_memset((void*)vmcb_addr, 0, KVM_PAGE_SIZE); guest_memset((void*)X86_SYZOS_ADDR_VM_ARCH_SPECIFIC(cpu_id), 0, KVM_PAGE_SIZE); setup_l2_page_tables(CPU_VENDOR_AMD, cpu_id, vm_id); init_vmcb_guest_state(cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_create_vm(struct api_call_1* cmd, uint64_t cpu_id) { if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_create_vm_intel(cmd, cpu_id); } else { nested_create_vm_amd(cmd, cpu_id); } } GUEST_CODE static noinline void guest_handle_nested_load_code(struct api_call_nested_load_code* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->vm_id; uint64_t l2_code_addr = X86_SYZOS_ADDR_VM_CODE(cpu_id, vm_id); uint64_t l2_stack_addr = X86_SYZOS_ADDR_VM_STACK(cpu_id, vm_id); uint64_t l2_code_size = cmd->header.size - sizeof(struct api_call_header) - sizeof(uint64_t); if (l2_code_size > KVM_PAGE_SIZE) l2_code_size = KVM_PAGE_SIZE; guest_memcpy((void*)l2_code_addr, (void*)cmd->insns, l2_code_size); if (get_cpu_vendor() == CPU_VENDOR_INTEL) { nested_vmptrld(cpu_id, vm_id); vmwrite(VMCS_GUEST_RIP, l2_code_addr); vmwrite(VMCS_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); } else { vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RIP, l2_code_addr); vmcb_write64(X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id), VMCB_GUEST_RSP, l2_stack_addr + KVM_PAGE_SIZE - 8); } } GUEST_CODE static noinline void guest_handle_nested_vmentry_intel(uint64_t vm_id, uint64_t cpu_id, bool is_launch) { uint64_t vmx_error_code = 0; uint8_t fail_flag = 0; nested_vmptrld(cpu_id, vm_id); if (is_launch) { asm volatile(R"( vmlaunch setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory"); } else { asm volatile(R"( vmresume setc %%al setz %%bl or %%bl, %%al)" : "=a"(fail_flag) : : "rbx", "cc", "memory"); } asm volatile(".globl after_vmentry_label\nafter_vmentry_label:"); if (fail_flag) { vmx_error_code = vmread(VMCS_VM_INSTRUCTION_ERROR); guest_uexit(0xE2E10000 | (uint32_t)vmx_error_code); return; } } GUEST_CODE static noinline void guest_run_amd_vm(uint64_t cpu_id, uint64_t vm_id) { uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); volatile uint8_t* vmcb_ptr = (volatile uint8_t*)vmcb_addr; uint8_t fail_flag = 0; asm volatile("mov %1, %%rax\n\t" "vmrun\n\t" "setc %0\n\t" : "=q"(fail_flag) : "m"(vmcb_addr) : "rax", "cc", "memory"); if (fail_flag) { guest_uexit(0xE2E10000 | 0xFFFF); return; } uint64_t exit_reason = vmcb_read64(vmcb_ptr, VMCB_EXIT_CODE); nested_vm_exit_handler_amd(exit_reason, cpu_id, vm_id); } GUEST_CODE static noinline void guest_handle_nested_vmlaunch(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, true); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_vmresume(struct api_call_1* cmd, uint64_t cpu_id) { uint64_t vm_id = cmd->arg; if (get_cpu_vendor() == CPU_VENDOR_INTEL) { guest_handle_nested_vmentry_intel(vm_id, cpu_id, false); } else { guest_run_amd_vm(cpu_id, vm_id); } } GUEST_CODE static noinline void guest_handle_nested_intel_vmwrite_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_INTEL) return; uint64_t vm_id = cmd->args[0]; nested_vmptrld(cpu_id, vm_id); uint64_t field = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmread(field); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmwrite(field, new_value); } GUEST_CODE static noinline void guest_handle_nested_amd_vmcb_write_mask(struct api_call_5* cmd, uint64_t cpu_id) { if (get_cpu_vendor() != CPU_VENDOR_AMD) return; uint64_t vm_id = cmd->args[0]; uint64_t vmcb_addr = X86_SYZOS_ADDR_VMCS_VMCB(cpu_id, vm_id); uint64_t offset = cmd->args[1]; uint64_t set_mask = cmd->args[2]; uint64_t unset_mask = cmd->args[3]; uint64_t flip_mask = cmd->args[4]; uint64_t current_value = vmcb_read64((volatile uint8_t*)vmcb_addr, offset); uint64_t new_value = (current_value & ~unset_mask) | set_mask; new_value ^= flip_mask; vmcb_write64(vmcb_addr, offset, new_value); } const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b" "\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba" "\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00" "\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8" "\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f" "\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22" "\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89" "\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3" "\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48" "\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2" "\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83" "\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83" "\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c" "\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff" "\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02" "\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00" "\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08" "\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7" "\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00" "\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00" "\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00" "\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48" "\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02" "\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00" "\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89" "\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2" "\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c" "\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48" "\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7" "\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0" "\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2" "\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04" "\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48" "\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00" "\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00" "\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7" "\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0" "\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff" "\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20" "\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28" "\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7" "\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00" "\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89" "\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f" "\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00" "\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01" "\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f" "\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00" "\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e" "\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24" "\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08" "\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define KVM_SMI _IO(KVMIO, 0xb7) #define MEM_REGION_FLAG_USER_CODE (1 << 0) #define MEM_REGION_FLAG_DIRTY_LOG (1 << 1) #define MEM_REGION_FLAG_READONLY (1 << 2) #define MEM_REGION_FLAG_EXECUTOR_CODE (1 << 3) #define MEM_REGION_FLAG_GPA0 (1 << 5) #define MEM_REGION_FLAG_NO_HOST_MEM (1 << 6) struct mem_region { uint64_t gpa; int pages; uint32_t flags; }; static const struct mem_region syzos_mem_regions[] = { {X86_SYZOS_ADDR_ZERO, 48, MEM_REGION_FLAG_GPA0}, {X86_SYZOS_ADDR_SMRAM, 10, 0}, {X86_SYZOS_ADDR_EXIT, 1, MEM_REGION_FLAG_NO_HOST_MEM}, {X86_SYZOS_ADDR_DIRTY_PAGES, 2, MEM_REGION_FLAG_DIRTY_LOG}, {X86_SYZOS_ADDR_USER_CODE, KVM_MAX_VCPU, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_USER_CODE}, {SYZOS_ADDR_EXECUTOR_CODE, 4, MEM_REGION_FLAG_READONLY | MEM_REGION_FLAG_EXECUTOR_CODE}, {X86_SYZOS_ADDR_SCRATCH_CODE, 1, 0}, {X86_SYZOS_ADDR_STACK_BOTTOM, 1, 0}, {X86_SYZOS_PER_VCPU_REGIONS_BASE, (KVM_MAX_VCPU * X86_SYZOS_L1_VCPU_REGION_SIZE) / KVM_PAGE_SIZE, 0}, {X86_SYZOS_ADDR_IOAPIC, 1, 0}, }; struct kvm_syz_vm { int vmfd; int next_cpu_id; void* host_mem; size_t total_pages; void* user_text; void* gpa0_mem; }; #define X86_NUM_IDT_ENTRIES 256 static void syzos_setup_idt(struct kvm_syz_vm* vm, struct kvm_sregs* sregs) { sregs->idt.base = X86_SYZOS_ADDR_VAR_IDT; sregs->idt.limit = (X86_NUM_IDT_ENTRIES * sizeof(struct idt_entry_64)) - 1; volatile struct idt_entry_64* idt = (volatile struct idt_entry_64*)((uint64_t)vm->host_mem + sregs->idt.base); uint64_t handler_addr = executor_fn_guest_addr(dummy_null_handler); for (int i = 0; i < X86_NUM_IDT_ENTRIES; i++) { idt[i].offset_low = (uint16_t)(handler_addr & 0xFFFF); idt[i].selector = X86_SYZOS_SEL_CODE; idt[i].ist = 0; idt[i].type_attr = 0x8E; idt[i].offset_mid = (uint16_t)((handler_addr >> 16) & 0xFFFF); idt[i].offset_high = (uint32_t)((handler_addr >> 32) & 0xFFFFFFFF); idt[i].reserved = 0; } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; #define PAGE_MASK GENMASK_ULL(51, 12) typedef struct { uint64_t next_page; uint64_t last_page; } page_alloc_t; static uint64_t pg_alloc(page_alloc_t* alloc) { if (alloc->next_page >= alloc->last_page) exit(1); uint64_t page = alloc->next_page; alloc->next_page += KVM_PAGE_SIZE; return page; } static void map_4k_page(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa) { uint64_t* pml4 = (uint64_t*)(host_mem + X86_SYZOS_ADDR_PML4); uint64_t pml4_idx = (gpa >> 39) & 0x1FF; if (pml4[pml4_idx] == 0) pml4[pml4_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pdpt = (uint64_t*)(host_mem + (pml4[pml4_idx] & PAGE_MASK)); uint64_t pdpt_idx = (gpa >> 30) & 0x1FF; if (pdpt[pdpt_idx] == 0) pdpt[pdpt_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pd = (uint64_t*)(host_mem + (pdpt[pdpt_idx] & PAGE_MASK)); uint64_t pd_idx = (gpa >> 21) & 0x1FF; if (pd[pd_idx] == 0) pd[pd_idx] = X86_PDE64_PRESENT | X86_PDE64_RW | pg_alloc(alloc); uint64_t* pt = (uint64_t*)(host_mem + (pd[pd_idx] & PAGE_MASK)); uint64_t pt_idx = (gpa >> 12) & 0x1FF; pt[pt_idx] = (gpa & PAGE_MASK) | X86_PDE64_PRESENT | X86_PDE64_RW; } static int map_4k_region(uint64_t host_mem, page_alloc_t* alloc, uint64_t gpa_start, int num_pages) { for (int i = 0; i < num_pages; i++) map_4k_page(host_mem, alloc, gpa_start + (i * KVM_PAGE_SIZE)); return num_pages; } static void setup_pg_table(struct kvm_syz_vm* vm) { int total = vm->total_pages; uint64_t host_mem = (uint64_t)vm->gpa0_mem; page_alloc_t alloc = {.next_page = X86_SYZOS_ADDR_PT_POOL, .last_page = X86_SYZOS_ADDR_PT_POOL + 32 * KVM_PAGE_SIZE}; for (uint64_t i = 0; i < (alloc.last_page - alloc.next_page); i += KVM_PAGE_SIZE) memset((void*)(host_mem + alloc.next_page + i), 0, KVM_PAGE_SIZE); for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) total -= map_4k_region(host_mem, &alloc, syzos_mem_regions[i].gpa, syzos_mem_regions[i].pages); map_4k_region(host_mem, &alloc, X86_SYZOS_ADDR_UNUSED, total); } struct gdt_entry { uint16_t limit_low; uint16_t base_low; uint8_t base_mid; uint8_t access; uint8_t limit_high_and_flags; uint8_t base_high; } __attribute__((packed)); static void setup_gdt_64(struct gdt_entry* gdt) { gdt[0] = (struct gdt_entry){0}; gdt[X86_SYZOS_SEL_CODE >> 3] = (struct gdt_entry){.limit_low = 0xFFFF, .base_low = 0, .base_mid = 0, .access = 0x9A, .limit_high_and_flags = 0xAF, .base_high = 0}; gdt[X86_SYZOS_SEL_DATA >> 3] = (struct gdt_entry){ .limit_low = 0xFFFF, .base_low = (uint16_t)(X86_SYZOS_ADDR_VAR_TSS & 0xFFFF), .base_mid = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 16) & 0xFF), .access = 0x92, .limit_high_and_flags = 0xCF, .base_high = (uint8_t)((X86_SYZOS_ADDR_VAR_TSS >> 24) & 0xFF)}; gdt[X86_SYZOS_SEL_TSS64 >> 3] = (struct gdt_entry){.limit_low = 0x67, .base_low = 0, .base_mid = 0, .access = 0x89, .limit_high_and_flags = 0x00, .base_high = 0}; } static void setup_gdt_ldt_pg(struct kvm_syz_vm* vm, int cpufd) { struct kvm_sregs sregs; ioctl(cpufd, KVM_GET_SREGS, &sregs); sregs.gdt.base = X86_SYZOS_ADDR_GDT; sregs.gdt.limit = 5 * sizeof(struct gdt_entry) - 1; struct gdt_entry* gdt = (struct gdt_entry*)((uint64_t)vm->host_mem + sregs.gdt.base); struct kvm_segment seg_cs64; memset(&seg_cs64, 0, sizeof(seg_cs64)); seg_cs64.selector = X86_SYZOS_SEL_CODE; seg_cs64.type = 11; seg_cs64.base = 0; seg_cs64.limit = 0xFFFFFFFFu; seg_cs64.present = 1; seg_cs64.s = 1; seg_cs64.g = 1; seg_cs64.l = 1; sregs.cs = seg_cs64; struct kvm_segment seg_ds64; memset(&seg_ds64, 0, sizeof(struct kvm_segment)); seg_ds64.selector = X86_SYZOS_SEL_DATA; seg_ds64.type = 3; seg_ds64.limit = 0xFFFFFFFFu; seg_ds64.present = 1; seg_ds64.s = 1; seg_ds64.g = 1; seg_ds64.db = 1; sregs.ds = seg_ds64; sregs.es = seg_ds64; sregs.fs = seg_ds64; sregs.gs = seg_ds64; sregs.ss = seg_ds64; struct kvm_segment seg_tr; memset(&seg_tr, 0, sizeof(seg_tr)); seg_tr.selector = X86_SYZOS_SEL_TSS64; seg_tr.type = 11; seg_tr.base = X86_SYZOS_ADDR_VAR_TSS; seg_tr.limit = 0x67; seg_tr.present = 1; seg_tr.s = 0; sregs.tr = seg_tr; volatile uint8_t* l1_tss = (volatile uint8_t*)((uint64_t)vm->host_mem + X86_SYZOS_ADDR_VAR_TSS); memset((void*)l1_tss, 0, 104); *(volatile uint64_t*)(l1_tss + 4) = X86_SYZOS_ADDR_STACK0; setup_gdt_64(gdt); syzos_setup_idt(vm, &sregs); setup_pg_table(vm); sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG; sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR; sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE); sregs.cr3 = X86_ADDR_PML4; ioctl(cpufd, KVM_SET_SREGS, &sregs); } static void setup_cpuid(int cpufd) { int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); } #define RFLAGS_1_BIT (1ULL << 1) #define RFLAGS_IF_BIT (1ULL << 9) static void reset_cpu_regs(int cpufd, int cpu_id, size_t text_size) { struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rflags |= RFLAGS_1_BIT | RFLAGS_IF_BIT; regs.rip = executor_fn_guest_addr(guest_main); regs.rsp = X86_SYZOS_ADDR_STACK0; regs.rdi = text_size; regs.rsi = cpu_id; ioctl(cpufd, KVM_SET_REGS, ®s); } static void install_user_code(struct kvm_syz_vm* vm, int cpufd, int cpu_id, const void* text, size_t text_size) { if ((cpu_id < 0) || (cpu_id >= KVM_MAX_VCPU)) return; if (text_size > KVM_PAGE_SIZE) text_size = KVM_PAGE_SIZE; void* target = (void*)((uint64_t)vm->user_text + (KVM_PAGE_SIZE * cpu_id)); memcpy(target, text, text_size); setup_gdt_ldt_pg(vm, cpufd); setup_cpuid(cpufd); reset_cpu_regs(cpufd, cpu_id, text_size); } struct addr_size { void* addr; size_t size; }; static struct addr_size alloc_guest_mem(struct addr_size* free, size_t size) { struct addr_size ret = {.addr = NULL, .size = 0}; if (free->size < size) return ret; ret.addr = free->addr; ret.size = size; free->addr = (void*)((char*)free->addr + size); free->size -= size; return ret; } static void vm_set_user_memory_region(int vmfd, uint32_t slot, uint32_t flags, uint64_t guest_phys_addr, uint64_t memory_size, uint64_t userspace_addr) { struct kvm_userspace_memory_region memreg; memreg.slot = slot; memreg.flags = flags; memreg.guest_phys_addr = guest_phys_addr; memreg.memory_size = memory_size; memreg.userspace_addr = userspace_addr; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } static void install_syzos_code(void* host_mem, size_t mem_size) { size_t size = (char*)&__stop_guest - (char*)&__start_guest; if (size > mem_size) exit(1); memcpy(host_mem, &__start_guest, size); } static void setup_vm(int vmfd, struct kvm_syz_vm* vm) { struct addr_size allocator = {.addr = vm->host_mem, .size = vm->total_pages * KVM_PAGE_SIZE}; int slot = 0; for (size_t i = 0; i < sizeof(syzos_mem_regions) / sizeof(syzos_mem_regions[0]); i++) { const struct mem_region* r = &syzos_mem_regions[i]; if (r->flags & MEM_REGION_FLAG_NO_HOST_MEM) continue; struct addr_size next = alloc_guest_mem(&allocator, r->pages * KVM_PAGE_SIZE); uint32_t flags = 0; if (r->flags & MEM_REGION_FLAG_DIRTY_LOG) flags |= KVM_MEM_LOG_DIRTY_PAGES; if (r->flags & MEM_REGION_FLAG_READONLY) flags |= KVM_MEM_READONLY; if (r->flags & MEM_REGION_FLAG_USER_CODE) vm->user_text = next.addr; if (r->flags & MEM_REGION_FLAG_GPA0) vm->gpa0_mem = next.addr; if (r->flags & MEM_REGION_FLAG_EXECUTOR_CODE) install_syzos_code(next.addr, next.size); vm_set_user_memory_region(vmfd, slot++, flags, r->gpa, next.size, (uintptr_t)next.addr); } struct addr_size next = alloc_guest_mem(&allocator, allocator.size); vm_set_user_memory_region(vmfd, slot++, 0, X86_SYZOS_ADDR_UNUSED, next.size, (uintptr_t)next.addr); } static long syz_kvm_setup_syzos_vm(volatile long a0, volatile long a1) { const int vmfd = a0; void* host_mem = (void*)a1; struct kvm_syz_vm* ret = (struct kvm_syz_vm*)host_mem; ret->host_mem = (void*)((uint64_t)host_mem + KVM_PAGE_SIZE); ret->total_pages = KVM_GUEST_PAGES - 1; setup_vm(vmfd, ret); ret->vmfd = vmfd; ret->next_cpu_id = 0; return (long)ret; } static long syz_kvm_add_vcpu(volatile long a0, volatile long a1) { struct kvm_syz_vm* vm = (struct kvm_syz_vm*)a0; struct kvm_text* utext = (struct kvm_text*)a1; const void* text = utext->text; size_t text_size = utext->size; if (!vm) { errno = EINVAL; return -1; } if (vm->next_cpu_id == KVM_MAX_VCPU) { errno = ENOMEM; return -1; } int cpu_id = vm->next_cpu_id; int cpufd = ioctl(vm->vmfd, KVM_CREATE_VCPU, cpu_id); if (cpufd == -1) return -1; vm->next_cpu_id++; install_user_code(vm, cpufd, cpu_id, text, text_size); return cpufd; } static void kill_and_wait(int pid, int* status) { kill(-pid, SIGKILL); kill(pid, SIGKILL); for (int i = 0; i < 100; i++) { if (waitpid(-1, status, WNOHANG | __WALL) == pid) return; usleep(1000); } DIR* dir = opendir("/sys/fs/fuse/connections"); if (dir) { for (;;) { struct dirent* ent = readdir(dir); if (!ent) break; if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue; char abort[300]; snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name); int fd = open(abort, O_WRONLY); if (fd == -1) { continue; } if (write(fd, abort, 1) < 0) { } close(fd); } closedir(dir); } else { } while (waitpid(-1, status, __WALL) != pid) { } } static void setup_test() { prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0); setpgrp(); write_file("/proc/self/oom_score_adj", "1000"); } static void execute_one(void); #define WAIT_FLAGS __WALL static void loop(void) { int iter = 0; for (;; iter++) { int pid = fork(); if (pid < 0) exit(1); if (pid == 0) { setup_test(); execute_one(); exit(0); } int status = 0; uint64_t start = current_time_ms(); for (;;) { sleep_ms(10); if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid) break; if (current_time_ms() - start < 5000) continue; kill_and_wait(pid, &status); break; } } } uint64_t r[4] = {0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0xffffffffffffffff}; void execute_one(void) { intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } // openat$kvm arguments: [ // fd: const = 0xffffffffffffff9c (8 bytes) // file: ptr[in, buffer] { // buffer: {2f 64 65 76 2f 6b 76 6d 00} (length 0x9) // } // flags: open_flags = 0x40202 (4 bytes) // mode: const = 0x0 (2 bytes) // ] // returns fd_kvm memcpy((void*)0x200000000440, "/dev/kvm\000", 9); res = syscall(__NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000440ul, /*flags=O_TRUNC|O_NOATIME|O_RDWR*/ 0x40202, /*mode=*/0); if (res != -1) r[0] = res; // ioctl$KVM_CREATE_VM arguments: [ // fd: fd_kvm (resource) // cmd: const = 0xae01 (4 bytes) // type: intptr = 0x0 (8 bytes) // ] // returns fd_kvmvm res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xae01, /*type=*/0ul); if (res != -1) r[1] = res; // ioctl$KVM_CREATE_IRQCHIP arguments: [ // fd: fd_kvmvm (resource) // cmd: const = 0xae60 (4 bytes) // ] syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae60, 0); // syz_kvm_setup_syzos_vm$x86 arguments: [ // fd: fd_kvmvm (resource) // usermem: VMA[0x400000] // ] // returns kvm_syz_vm$x86 res = -1; res = syz_kvm_setup_syzos_vm(/*fd=*/r[1], /*usermem=*/0x200000bfe000); if (res != -1) r[2] = res; // syz_kvm_add_vcpu$x86 arguments: [ // vm: kvm_syz_vm$x86 (resource) // text: ptr[in, kvm_text$x86] { // kvm_text$x86 { // typ: const = 0x0 (8 bytes) // text: nil // size: bytesize = 0x0 (8 bytes) // } // } // ] // returns fd_kvmcpu *(uint64_t*)0x200000000a40 = 0; *(uint64_t*)0x200000000a48 = 0; *(uint64_t*)0x200000000a50 = 0; res = -1; res = syz_kvm_add_vcpu(/*vm=*/r[2], /*text=*/0x200000000a40); if (res != -1) r[3] = res; // ioctl$KVM_SET_MP_STATE arguments: [ // fd: fd_kvmcpu (resource) // cmd: const = 0x4004ae99 (4 bytes) // arg: ptr[in, kvm_mp_state] { // kvm_mp_state = 0x4 (4 bytes) // } // ] *(uint32_t*)0x200000000000 = 4; syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x4004ae99, /*arg=*/0x200000000000ul); // ioctl$KVM_SET_NESTED_STATE arguments: [ // fd: fd_kvmcpu (resource) // cmd: const = 0x4080aebf (4 bytes) // arg: ptr[in, kvm_nested_state_arg] { // kvm_nested_state_arg { // state: kvm_nested_state { // flags: kvm_nested_state_flags = 0x3 (2 bytes) // format: const = 0x0 (2 bytes) // size: bytesize = 0x80 (4 bytes) // hdr: kvm_vmx_nested_state { // vmxon_pa: kvm_guest_addrs = 0x4000 (8 bytes) // vmcs_pa: kvm_guest_addrs = 0x2 (8 bytes) // smm_flags: kvm_nested_smm_flags = 0x0 (2 bytes) // pad = 0x0 (6 bytes) // pad = 0x0 (96 bytes) // } // data: buffer: {} (length 0x0) // } // current_vmcs: buffer: {3c de 08 e8 8a 84 0d 98 8c 44 3a 7e 61 17 18 // c0 15 70 4b 99 7f 91 01 6e b5 77 88 95 61 ae 48 45 a8 d3 63 56 23 e8 // 8e dd 16 70 36 b1 97 da 64 20 27 17 70 b6 a9 4a f0 9a 82 09 96 42 19 // 10 2f 40 c4 b7 61 ba 61 9a 47 2e 29 c2 82 3f fa b2 a0 71 8c d7 cd 32 // 8e 76 cc 4b 3d f1 0f 25 b1 b5 a9 f2 11 9d dc 06 0f 7b 69 13 b6 90 8f // 71 cb fb 34 6a 17 ef 3c c7 ad 28 fb aa 85 63 68 22 08 58 43 91 7d 8a // 57 a5 f4 b2 b7 2c 44 94 8a 51 a4 25 35 5e 7d 93 a2 cb 78 4e f8 d3 ab // c1 b1 5c cd 6f f3 46 93 51 c6 93 e1 c0 6d 14 83 d6 8f a1 ce 4a 13 0f // 99 25 f7 f7 bb 2e 64 8c 7b 4f 18 88 c3 56 19 65 5a 0f 13 bf f6 8b e6 // 78 c4 73 1f bf 74 fe 15 15 c0 2c 6c 73 15 45 a7 41 3b 13 dc 60 87 3b // 72 cd 1d 21 1c 26 be bd c9 00 e7 22 e0 fb a2 eb 6d bc 6e 5e 4c 7c 43 // 26 d9 51 5a bc 61 91 36 cd f1 5c 63 ec d5 ce 8f ef 33 0d 9c 1d b5 f3 // c9 38 1c 63 ac 85 39 ab 50 68 dd 4a 24 ad d9 21 3f 33 aa 5d 6a d4 e2 // 4e 1a 7a c0 e2 3f b0 25 1c db 25 94 5e 7a ae 0b fa 47 30 70 d8 2d c3 // ca 3f 74 df 0c 0b 72 e7 6f b0 e5 10 89 50 28 02 31 f0 ca 7f 67 99 24 // 26 a4 f4 29 6e 3c ae 0a f5 03 ad 07 21 09 9b 11 4d 24 e6 b4 e4 8e 1b // a3 c6 cf 0c cc 29 c9 3e 94 f9 eb 75 37 33 5c cf e3 4c 5b e4 47 a5 43 // 39 fc b2 6d 65 14 f3 c9 17 36 54 38 e1 71 6c cb b7 cf ee 1c bb 51 26 // f0 78 d3 a8 09 d8 77 03 0e aa 4f 8e 5a 24 26 30 04 35 8a f5 9f b6 ad // f1 26 30 a3 0b 7e 56 4a f9 9b 4b 32 bf b0 46 6b 21 ea 5b 4a a7 e6 1f // 04 a1 29 ef 99 f0 8e b2 e8 b9 28 e2 af 2f 16 44 51 8c 46 fe dd ee 25 // 0a e1 44 1a c7 a6 80 db de 8c 12 ff 31 3f 43 43 24 cd 96 61 a2 61 f6 // 26 d7 1f 0c 31 14 1a 5a 73 86 36 fb 8e 43 e3 a5 f1 ba 5a c9 92 2e 7a // 67 3b 73 ff be 7e b1 41 c2 2f e4 d4 5f 94 db 3f f0 5a 44 27 73 79 6b // 8d 95 55 0b 4a d6 08 87 98 3d f5 06 d0 44 a3 01 2f bb 82 ef 40 73 12 // a3 c4 05 88 d6 cd 50 dc 78 7f 93 46 d2 4b 21 8a 32 65 36 8f 8a 78 20 // 1d 18 96 be b1 c7 5d 4b ce 9b 3b 64 22 69 24 fa 6d a4 77 2c 0f 2e 78 // 37 06 c8 f3 45 73 64 c5 20 e2 1e 0b 5d e6 a3 77 b5 53 44 93 2c 5c 31 // ba 15 6f 72 12 f7 4f 0f 5e c5 10 73 3f 19 fe f2 bf ac c5 6a 51 6d 68 // 17 b0 04 8e 4b 21 cc 97 51 f2 a1 ac 90 6e 30 a8 7e 56 99 54 1a 3b 55 // e8 03 8b 18 75 9a 82 1d c1 e8 9b f2 7b 42 27 9a 1a 51 6c 56 e4 38 ce // 80 12 8d d1 b3 0d 51 db c1 30 7b 41 a0 8c 01 4b 86 6f 93 48 00 4c ae // 53 02 12 97 0b 2b 4b a6 6c 06 d5 0a f7 08 b8 8b 93 67 40 c9 2f 17 a2 // 97 5b 49 4c 53 2c 84 e5 ab f3 f0 9f 11 94 c1 dc f4 f4 27 89 07 97 8c // 20 b4 eb a9 fb 42 d0 49 0b 28 68 da 9c ac e8 be 56 0e 7e 92 f0 ff ca // 18 24 d9 c1 55 81 26 6f bb d7 59 4f 5f af ce 43 3c 88 3a 97 f9 08 6b // 51 f1 18 43 9a 74 9e 7d 42 43 11 c0 23 4c e1 40 ac 0a 74 fa c5 a5 01 // 2a c2 3b 0c 4b d6 cc 10 8a f9 25 73 e5 ee c6 c8 c5 58 6a 7d 81 04 6b // 8d 41 b6 91 59 6b b8 f1 58 ec a2 41 5e 1a 2a b1 d7 5f 97 56 81 2a 75 // cc 66 b3 98 6f 7d 4c f2 ee ac 00 1e 38 97 92 f4 b8 48 38 56 4f 73 e9 // 20 1e f1 96 3f ce 9e 3d 36 0a 59 72 d1 cb b8 38 51 c1 1d 4e 27 39 54 // b7 4d 53 bc 61 d0 59 3a d0 b6 13 25 d1 ec 93 47 5f 0f 3f 03 ef 25 94 // b3 87 e7 a6 03 75 cd 2a 0e 1f 08 f6 a6 e7 7a 36 95 78 31 b9 f5 49 c0 // 2e 83 f0 9d 36 a6 78 21 84 da 88 b3 b9 ec 83 87 11 18 82 03 8c e3 84 // 03 d6 e2 1a 94 89 c2 27 30 e7 81 8b 34 9c 3f b7 cd 3d c2 f2 26 b5 6d // 72 84 31 ba 70 a0 92 a7 4d 02 ba f1 7f 00 72 7e d3 01 33 d7 52 74 9b // ef 67 64 ba a5 55 cf 4f fa a1 4e 11 ae ef ff 0c 45 d8 b9 f3 fb d3 08 // d7 9a d2 b2 b6 b9 b4 47 74 69 91 13 5d 04 2f ba 72 d7 95 7d 50 22 57 // 87 dd 99 6b 13 a3 e6 73 b6 49 23 01 4c dd 1e 8e 54 39 2b 37 26 50 7e // f0 f0 c7 86 6a 54 8b 54 ee 4d 2a 3a c7 84 d7 1b bf 43 34 4f 61 a0 4a // 6c 98 5b 12 35 7f 5f 1b ac eb af 80 bc 21 36 9f dd 1a 68 6b d3 37 f8 // 3b 71 ad 08 75 dd ec 74 31 db 5b 97 7c 8e 16 88 33 c7 f3 7c 67 f0 3d // b8 ca 01 03 74 c6 95 d2 93 ef e3 4e f6 03 88 7b 99 f5 d4 8f 1b 70 bc // e1 5b 3e fe b2 fd c5 42 9e 09 f2 5b 3a a4 83 a3 c9 0f 07 b3 bf e4 ce // 4a 7a 2b 21 6e a1 4b 65 27 60 fd e9 a8 a8 70 80 c9 54 0e d1 a2 c3 0a // 9c 28 66 24 e7 ef 2b f6 1c d0 9c 87 15 5c 39 4e 9a dd d5 25 b0 67 51 // 4a 3c 07 18 c0 85 02 bc e1 1c a0 cb cf 43 d8 44 0f e8 9e 09 65 00 73 // e1 0a bb e3 14 a3 e7 f2 bf ff 12 00 50 87 0e 84 b2 14 a5 17 31 07 f0 // bc f1 dc 3e e3 42 a1 9a c0 02 f1 12 a4 50 03 04 99 67 d9 dd e2 91 db // 6b 42 4d 1b 88 3e 99 a8 b6 f5 5f 78 06 c6 04 19 63 fb 16 48 26 ef 2d // 2c f0 98 da 9b 3f 51 ba 8e 6c 92 09 37 4f 7b fb 80 32 79 e7 cb 8d 74 // 6e 29 aa 9a d2 80 3d 2a 04 e0 a8 b0 dc 14 c5 5a bf 1d 78 a4 bb f7 0b // e1 79 bc e8 56 44 e4 b7 eb 0e 13 4e e2 77 8e 06 e8 15 7b 09 fc 95 f9 // ea b5 89 f7 e9 2b a0 01 99 a7 51 52 95 7e 9e bf 8d f1 e9 62 2c af f0 // ca 3d 8b ee 3c 11 71 e8 ba 84 45 3e 0c f2 60 8d 80 73 5c 5e 22 ba 58 // 28 63 d4 25 d9 f4 8b 1d d1 07 0b 36 3c 39 8c 54 a5 ad 90 cf 68 b3 c2 // b3 62 59 94 9d 7d af 71 d2 c9 c6 62 17 09 22 ad 0f d8 ce 64 0e fa 31 // dd 1f 40 ec 14 6b f7 d6 db cc aa 8c 0b fb ae 2f 5f 81 1d 64 70 0e f3 // ab 08 e5 11 fb e5 0b c6 5f 83 ca c0 eb 12 5e 6c 33 73 1f 7c d8 b1 a3 // 5e 4a 39 60 24 79 f5 5b c1 7f 0b fe 22 e9 bb 1d 38 b6 e2 79 70 aa c9 // c2 6a 53 b9 1c c3 8e d5 96 a8 27 e6 1f 2d f1 9c 04 13 79 5c f7 76 ea // 5b 40 0c d6 6a a8 1c 14 e6 79 4b 35 d4 d3 9c a9 ef 74 f1 e8 1e 70 98 // 4d 19 13 52 ed 66 bf 06 a5 27 b7 df b6 26 87 48 36 c5 2f c2 7f d7 9a // 99 df c6 15 e3 f7 db 7c b8 b4 af 97 0c 75 d6 2c ec 2f 61 9c f5 d6 c0 // 17 11 b7 bc 4c 68 5e 35 a6 69 55 28 72 fc b9 61 7c b3 de 1c eb 02 66 // 16 77 80 d9 2c d0 cd a2 d0 85 6f 66 45 f8 45 75 b6 1a fc 1b 04 04 10 // c5 57 d0 b4 1c 09 e6 e5 89 78 8b bc a0 b6 f3 bc 7a cf a5 08 a8 20 f6 // 5c 79 d2 a5 85 3c da 42 2e 77 aa 39 5c 1b 8a 7d 44 99 8e 1e 4b de e8 // ab 25 b1 77 64 4f 30 b6 9f d0 d3 24 b1 83 9f 63 36 a2 e9 14 2b 16 44 // 75 8f 04 ed ab 6b e8 1b 49 ed 57 ed 2d 11 7e e3 a6 0e 17 e6 07 43 89 // 94 9f af 1a ce 12 42 ae 8e 35 8d 89 8d a1 14 6b e1 00 11 a0 47 f3 e1 // d1 a5 42 49 6a 92 21 ce 09 be 11 21 42 20 a5 0e 70 8c 7a 66 49 7f b0 // f3 6b 5d 6c ab bb 58 8e 37 69 6a f8 b5 c4 98 7b 19 d9 92 8b 26 10 4f // af af b8 04 b2 ef de 4b a9 b6 de 58 8d 03 18 d9 db de 6f aa 4d 6a 9b // 61 72 19 d3 ac bc 58 bf d0 72 17 64 87 19 07 d0 5c 40 d9 8c ab 83 16 // 19 e8 91 43 56 95 96 41 72 77 b7 24 48 74 6e fa 45 ab cb 1f 8f 18 7e // c0 66 cc 5a 4c ee 90 44 55 9f ec 52 3b 17 f2 30 d7 7a 6f f8 20 af cf // 55 28 51 ff 1b b8 50 fc da b4 21 f0 10 88 9b 3a 45 09 e5 b8 75 34 e5 // 79 76 c9 03 5e 2d 34 83 c8 81 2f b0 a4 d1 14 89 bf 93 2e 09 ab 5c 49 // 34 8c 25 f0 bd 38 74 3f 33 47 d0 14 74 2d c5 2f 1f e4 85 39 fd bb 2f // 15 24 dd 22 a0 02 fd 83 15 7b c0 2a 51 72 b3 5a fc e5 9a 89 b3 9c f7 // 4d 38 eb 5b 77 a8 10 12 46 56 75 53 09 80 02 a3 03 d8 4a 94 cb db e8 // a7 22 b8 ef 3f 5e 9e 40 4c 41 04 6e ff 7e 7e c1 11 1a bc a7 33 bd 4c // 6c 17 a1 fa 9c 6d cd 0b 52 1f 3f e6 fa 84 f8 72 3c 25 4c 5b 80 76 59 // 1b db 1b da ab 9c d9 78 eb 61 cc 7d 8d 15 be 9d 51 86 93 19 6f 9a ca // 63 1e 23 51 6a 25 8e 8f fb eb 4e 51 3a ff 57 65 06 0f e9 a6 5f 94 02 // 8e c9 f5 0e a1 4a e2 c2 2e 49 83 5b 8a 79 03 67 62 42 2c 3d ff 07 be // 34 f2 99 a9 ba cf 6e 2e 0e a4 b4 7a d1 b0 54 e8 34 75 91 c9 f6 3a a0 // f7 f5 dd 05 36 3d bd 5c ea 88 31 06 82 c5 e0 2e ff c5 d6 87 35 df 77 // 87 63 ee 16 2b 9c 34 f8 8a aa 67 61 4f 29 01 c0 35 2d e8 94 11 83 3f // d9 8b 19 63 e4 65 77 06 71 bb e2 cc 45 0c fc 8d 3f 51 c6 9f 5c fe 21 // aa 1f b5 27 1e 4f 33 d3 7b 8a a4 45 09 4c b5 53 db cd 40 9f 7b 6a d5 // 68 15 b8 18 7f 31 80 c5 3b 17 ca 84 0f 19 ef 80 6f 3c 15 83 0a d8 a1 // 4f 33 22 df b7 4f fe 96 49 65 f9 d4 48 89 15 25 d7 fa 53 92 e1 7f d3 // 7a bc a2 37 cf 6a 8c e2 56 aa a4 2f 38 76 6a ed 5e d2 8e 1f 91 c8 25 // 99 00 a3 70 f5 67 4b 55 2a 6f 14 fc 5f e7 90 34 76 c9 64 b1 09 08 2d // 58 8f 42 e8 90 d2 68 10 07 21 b4 6d b8 1f 99 d6 c8 fe d0 58 ec ab c5 // 66 d6 06 8f a1 9b 33 41 33 0b a4 9a ae 70 a1 0a 74 69 53 13 b0 0b 15 // b3 af ba 6f 3c 94 93 03 0c 7d e4 60 d4 0d fd 84 cb 37 71 29 2c a7 5e // 42 36 e8 47 c0 99 ca c5 ca 80 5f 0c ec e6 65 70 14 9f f1 7e 4f 83 e1 // 1d 10 19 9b cc 95 d6 9b a1 e3 37 fa 02 ab 82 2f 46 06 51 8f ec eb 08 // 1d fc f9 74 d2 17 56 eb 78 69 11 92 03 8b c3 7f d5 84 fb f7 fe d3 8e // d2 de aa 22 d1 91 4a fa 4a 06 72 c9 e8 8c 3f 57 e4 b2 9e 0d fc 5a cd // 1a 4e 27 ad 42 73 aa 53 15 5f 75 06 53 f6 86 90 9b 56 1e f6 58 25 41 // b4 b9 76 8a aa f4 8c ff 69 89 8f b9 83 cd 6a 49 06 d2 5a d1 ff d8 f4 // f4 41 0f 92 c5 53 11 56 1e 7d 15 3a 16 95 32 c8 d2 14 c6 a4 8f 31 cf // fc ff 8a 71 68 90 a7 5f 5e 4e 9a 47 10 fe d4 8b a2 a6 44 e6 c4 51 16 // 23 4f 64 31 ef b4 23 b0 f4 ac 1f 7c 90 ee 71 74 c3 50 5f a2 ac 98 c3 // ea 33 d6 41 5a 9c ed 90 56 5f 42 52 c6 07 5c 6e 98 39 ec c9 d4 d6 85 // 0d 62 ad 4e fe db 3e 61 e6 1b 87 43 04 11 d6 20 1f 02 2b 55 9a aa 3e // 67 ae d0 b8 4f 67 fd 5b ba ef e8 18 5f 77 d3 4b a2 18 08 2b bf c3 fd // 06 5d eb 51 58 e3 f0 fa d7 50 04 88 c2 7f c4 80 0e 4a 6e 2f 6e 4a 18 // f3 31 9b e5 85 48 43 cc fc 91 75 77 3e e7 50 34 51 1a 35 8c 79 87 72 // 78 3a 79 98 17 b5 68 18 51 37 7d 5d 28 90 53 6a 25 0c 78 43 4c b0 5b // 77 ba c5 c0 8c 14 fc ad 69 df 81 1d 5c 1a f0 5b 69 e6 e2 ff 20 d1 ec // 8e 71 73 70 2a 9c 94 54 7d da 5a 75 a7 c7 f2 53 ef e3 d0 a9 15 09 a0 // 8b 6b 29 ba e8 fd 9a 13 f8 5d 58 84 ad ea 38 d1 d7 71 93 d6 c0 87 1b // 8f 52 93 62 1c be d9 14 5b c0 b4 e8 ef f1 64 f9 78 0a bb 74 42 08 d7 // 27 bc 6b 75 9f fd c9 04 1d 78 14 8d a4 22 d7 c5 ac ff 69 e0 a8 5e 7d // 20 70 23 60 c6 77 b7 f8 1d e0 22 94 54 7a 9f 5d 39 f6 fe bd bf 7c 5f // 57 80 73 e7 e4 e9 41 c2 26 40 c3 ff a5 68 a3 79 ac 2b 81 2a 3c 9b 23 // b8 ec 39 11 ef 06 ac 50 69 9d 11 7a 90 14 6a 76 aa c4 1a 53 64 0e b7 // 49 84 de c7 bf 6b f8 f1 45 b8 06 15 33 33 eb 71 3b c7 e5 b2 74 16 0b // ea 2e ab ef ca 2f 3d b0 4d 28 55 cb 0f b0 e6 a1 71 a2 55 bc 8d e0 0b // 87 8f bc ac 20 10 41 81 8d f2 96 0a a4 8e ae c8 8f 86 05 57 d8 0e 86 // 95 9c 80 9f 89 7a 64 24 bb 6a c6 3b b2 e5 a6 43 08 17 31 bb 83 a7 ab // 25 fd 29 9c 9f e8 2e 04 fe 79 2b 09 f7 35 7c b9 9a c2 b5 24 88 74 1f // f2 59 e2 9a a6 0d c7 46 7d c5 c4 eb c7 c1 fa 26 95 8d 72 b1 1d 6e b4 // 7e 67 d3 1e 0e f0 5b 2c 12 7f c9 e2 f4 a9 02 dd d1 0b 8d 8e 58 3b 1f // a1 73 a2 8c b2 69 bc 0e b5 09 40 8b a7 bb 7e 66 c7 57 68 4c 2d 0f 62 // fc 30 99 1f 22 13 d1 3a cf 58 dc 4e 4f 56 f3 f6 e0 11 e7 0d da f3 f1 // ca 0f 7d 8a 53 ef df fa 88 48 bb ae f0 fe 49 0f 13 dd f9 75 91 96 09 // 19 ac bb 55 88 ca cf f4 ce a2 67 2d eb 15 bb 29 89 9b e9 bd 00 fc 38 // e5 7b a8 53 95 4f 62 63 90 b4 64 ce a7 9a 79 3d 04 59 ba d7 c5 14 cc // 39 33 2f 48 50 e8 64 9f d9 1d 66 c1 b3 95 63 d2 43 ca 76 4d 3c f4 b2 // 4b 38 c8 76 9c 16 fd 2c 50 1c 13 93 ef 6f 7d 93 1d 74 fc 93 ca 94 ce // 83 40 2f 44 ac e2 8c 40 49 0c 3d 7e 81 df ed 02 b2 93 fd 6f ae fb f8 // 73 d4 1c 7c 2d e6 2a 89 39 b8 43 91 94 60 fa 21 b5 5b f7 b0 ad bf a9 // 60 1f f7 79 73 2e e8 75 21 ea 67 17 9e 20 0a f9 f1 84 05 94 6a 98 c9 // ea db 5f e1 7b 09 3e 4b 5e 3f fb 74 be ac 43 db ca 6e a6 31 db 8f 63 // 72 78 15 68 a4 55 cc 79 3e 6b 63 c7 9e 5e 1f 8a 3c c1 1a a1 bf cf bd // 7c 0e d2 a3 f1 b4 2a 12 78 35 2c f1 d7 f1 f3 fc a1 aa ea bd 71 d8 61 // 12 76 03 b5 0a 78 6e e5 ee da c2 1d b0 c8 0f 82 20 d3 51 4a 4f bc 68 // c2 25 c6 51 8d 5f 09 43 c9 7f 51 dc 71 2f 9b d3 89 ed 56 bd 02 9b ad // ba 82 42 d9 b0 42 e4 70 04 12 d1 27 9f 29 99 b3 c1 1d 75 4d 73 1f ca // 2b 5a fb 61 cc 71 5c c2 4c c8 0b 9c 9d ca d1 72 d0 e3 f4 ee cd 87 aa // e7 ae 21 5a 9d 96 dd e3 20 0a 15 d7 b9 27 b3 b7 10 62 35 76 4b de 30 // 19 16 c2 28 ad 7a 58 ae b7 a8 5b b7 a4 0d 7a a8 e4 33 32 df fd d1 44 // ae 22 8d 51 5a 9c 71 4b 36 ca 63 cb ca 72 ff f6 60 f4 b4 ff 88 07 4f // 68 9f 21 f1 6e ec 2d 5a 9d 7f 8f a6 10 7f 8a 34 60 fb e8 fe 2b 2e a7 // 5f 15 9f 8a ca de 78 47 23 25 af c7 a6 11 95 47 15 f7 8a 60 f5 80 ed // 90 44 99 c4 50 b5 18 09 fa 54 49 c4 7b 53 e9 0a 56 97 fa 29 ae 2a fb // 0f e7 5d e3 ab f9 ef 0a 72 c3 5b 49 26 db a9 49 a6 bd 48 e8 86 05 08 // 1f ab 4f ed c7 9d bd a1 11 c9 4b d5 97 48 b8 b2 04 ee 9d 26 fe 3d c4 // b0 30 0d fc 58 a0 f8 30 d1 2f 2f e2 a0 2f c3 ac 76 61 3b 31 a5 19 6f // 53 6b 31 14 d0 58 d7 8c fc 13 a2 3e 5f 3c 56 13 cc b8 a5 ed 46 29 fe // 57 17 0a 3c d8 51 3f e1 89 9b 5a 32 d2 e4 31 47 87 42 77 a7 7a a9 52 // 55 c2 51 6e aa 59 a2 fe 8e 68 d9 4f fc 23 d2 d4 e9 56 d0 66 96 9e 1f // a4 ad a9 bb dd 95 9c ac e1 d3 d3 6f 0d 99 2d 05 6a 19 81 98 47 01 d7 // e4 d6 04 f3 97 75 a8 58 f0 8a 88 23 fc 79 83 94 43 8e 85 a8 7d ca 27 // ca 98 a1 cb 06 0e 90 78 98 03 a6 2e 3e b1 dd 18 9e 62 25 b6 29 52 b7 // 55 40 2f f7 d0 ea bb 84 58 5c b8 53 ab fd 11 e6 2b 7c 4b ba f3 05 0f // 08 5e fb ed 43 b7 ef 44 96 29 52 c4 8b c2 da 17 a0 3e 8d 2b 0f c6 78 // b2 53 68 ac 07 69 03 45 bc ee 28 06 87 84 7d 24 b3 e7 e3 3f a1 7c be // de cc a6 4a 01 22 70 1a f2 87 fa a0 c2 19 ec 30 5d a7 f0 6f 37 49 6f // f8 c1 8e 42 a6 a5 33 e4 9f 82 24 17 93 7f f8 db 72 5c 7d c0 24 ef ba // 3f 34 6a 67 d7 03 0b bf 45 13 a7 d9 15 1b b7 08 ab e3 85 d2 1a 09 8f // 34 5b 94 99 a7 9d d3 71 fb dc 4a 29 b6 be 6c d0 ff be 5f 2a 49 ee fc // 2f d5 f3 ea cc 47 0c 32 94 e5} (length 0x1000) shadow_vmcs: buffer: // {92 bb e6 8d 68 83 14 72 73 1a 7d 2c 7a 75 4f d8 b7 96 b7 be 48 98 // 25 76 b6 d9 a9 60 1d 71 81 1f d8 57 b1 1f 89 03 9f d5 6f 1c c7 1b 70 // df 1b 5c 66 08 4c 14 a9 0b 75 2d 8c 4a 37 c6 ce 3d fe a7 ee 28 d4 7e // f6 0f 00 e2 6b c9 92 32 67 36 6b 9c 78 de 73 6d 87 d0 2e d8 26 5f fe // 73 3c f8 02 9a 49 5c cd 2d fa 56 ab 87 fb 1e b9 cf a8 96 83 c4 13 d4 // 0e d8 f7 a4 68 aa ad 6a bf 03 08 68 ec 9b 23 77 75 27 23 09 3a e5 67 // 68 fb db ff 77 45 91 dc 7e 1d db ab fd ca f7 f9 bb 77 30 56 ef 23 9f // 16 22 d3 10 99 3e fb 4e 84 dd 2e d5 36 83 6b 03 f1 b3 29 48 22 2e 8b // ba 28 85 69 b7 5a 6e 1f c0 68 a0 d7 ee bb 2b 6f ff 77 a4 05 24 c4 91 // a0 c3 12 96 ca 1f 43 04 03 af be 50 e1 5a a2 b9 6f c1 d2 d4 24 03 14 // eb 56 dc 75 dc 8d cc eb 7d 82 6f 42 f0 43 91 b9 e3 62 50 31 d5 69 bc // bd c7 5b 1c cc 5a b8 48 05 6c 3b a2 7e 4b fb cf ba e3 98 f9 ad c3 c8 // e2 e5 08 7b 45 44 a2 49 5f cd a9 39 fc 4f 19 d1 e9 63 62 08 79 e2 e7 // ee 7a b8 f4 fd 7d 33 7a 95 10 5b e0 16 6b 8d 15 09 0d 45 6e 36 33 67 // a2 e1 9d 54 8a 94 10 88 bf 1d 1c f7 15 c5 40 1f 95 a2 7d d1 4c d2 52 // 50 15 23 35 31 f5 9e 45 eb 75 02 46 42 70 27 fe 3f bc fd 1e 17 e9 a1 // bd 77 df f8 79 0e cd 2a 1a 95 94 4c be 3a c1 18 1c 0c 15 ac f2 ae fb // 97 00 20 56 c3 b0 8e 91 8b e9 15 a7 0b b9 b6 a9 b1 b7 af 8f 32 93 7c // ca 7d 53 21 54 16 21 81 da 3c 7b d4 11 5a d9 56 0c 18 75 56 6c 62 02 // 08 69 29 b7 d2 dd 3a e6 28 e1 81 7d e9 1c 2f 75 02 15 33 9a c2 87 81 // 56 fb 12 5e 64 56 91 f2 9c 7a 7d 05 86 a0 b6 32 30 33 8a 0a 52 16 7b // 42 d1 89 46 49 c0 9d e6 56 69 de 20 dd 22 a9 b5 14 c6 80 d3 c9 23 8b // bf de b0 3d 06 6f 0a 6a e3 b2 5d 7d ea 41 0a 41 a1 0c b3 2c b5 88 ea // 5f 73 00 eb 2c a4 ee 60 ba 11 cb f4 ab 2d 40 16 b9 d2 b2 83 22 19 73 // e2 1c 47 ad 08 a5 e1 51 12 12 6b d0 d9 95 46 e8 da 93 eb 77 23 d5 4c // 8e a4 1a 06 ec 90 ed a6 09 cc 2a fa e5 09 cc a4 99 80 21 63 d1 b6 91 // 3e 56 dc 1d bb 54 02 77 2b 13 58 fb 05 22 0b 01 e5 be 45 6c ce 42 9d // ab 81 ce 56 db a3 33 4b de 68 e6 dd d8 e8 1d 1a 8f 99 08 79 14 28 fe // 82 7c ad a3 99 36 5d b0 bc 9d 55 1e 7e 24 58 2a 56 fe 24 29 24 4b 57 // 1c 91 ed 8c 39 79 11 e9 25 02 c8 b7 8b 1c 81 41 c2 99 c9 e8 67 f6 32 // 95 c2 9d f1 af b3 62 db d3 85 96 d1 59 a7 62 d2 24 99 5d 59 b3 f1 24 // d6 8b ac e2 7d ac a6 95 52 f8 f4 27 19 6b c0 e1 05 82 8a 8a be e8 ae // 82 db cc b9 16 a5 b4 63 6c ee 9b 91 31 a7 78 1b e6 d0 34 56 ee cf 53 // 3e 42 7c 15 17 ad 59 01 bf f4 44 7c c6 ad 04 7b 21 4d 01 ba 95 14 33 // a9 09 60 bd 94 2b d4 8b 08 a5 6a 8f aa 59 67 21 4c 75 f0 8b 36 61 bc // 16 9b a3 66 05 bf 35 8f 85 4b f0 52 ad 84 f1 f5 87 26 c9 31 33 fe a2 // 50 c1 14 a2 23 e7 36 6e e5 c5 eb 23 5d b7 20 b8 62 a1 58 bc d0 94 5e // 97 a6 74 4f f7 3b a2 94 b7 a2 d0 28 c1 65 db d9 ab d6 23 cd e1 d4 27 // 19 8a 0f e6 0f 24 c0 1b c4 e8 08 14 7c 2a 03 e8 b6 2d 10 47 e4 7e 1d // 6f ad 8c 96 ae e7 e1 c8 c5 c7 62 d5 0f 8d 16 3c f4 aa 39 5a 63 93 19 // 30 af 40 6a f5 2b d4 89 85 21 05 f6 7e e0 92 34 b1 e4 69 73 13 a7 b3 // cd 58 0e b3 67 f6 4e 9a 09 dc 32 a5 77 f3 8f 68 2e 53 6b 35 db 04 0d // 19 ae f2 1f d8 f2 9d 7f 73 17 1f 42 cb 9d a7 2a 83 cd 86 b8 22 4a e6 // a4 96 c8 b2 ab ff eb a2 22 b1 6b e0 38 c9 32 19 1b 4a d1 c3 29 e7 85 // 70 bf 57 6c 12 fb 21 2f 0e fb 25 cc 3c 3b e7 55 d7 c8 0b cf 13 54 d6 // ee 6d ba 72 77 16 60 a7 7f ce 17 2e 33 f3 2a 3b a1 bd f6 b4 27 f3 7c // ed 09 2e ea bf a3 68 f1 11 01 54 79 80 b0 cb 82 7e d3 db 3a 1b 22 43 // 1c 37 ef 69 1a 8f 9e 07 cd ef 55 7a 3c d0 e6 66 18 8a 67 80 70 9f 37 // 4b d8 fb fd ee b8 8e 0f af 1c 95 d0 f6 68 11 62 27 b4 47 bb 14 90 b6 // 59 38 dc af 47 e3 58 59 12 20 d8 db c5 d8 7b 12 2d 9b e6 f3 0d 36 3c // 26 26 de 93 cd 48 0a 21 87 5f 47 4b 96 be d3 f1 98 f6 90 88 3f 86 22 // dd 96 c1 74 b4 3c ea 38 22 9d 32 31 42 e0 3a 27 01 6c 5f 44 2b 94 49 // 37 9a c4 55 aa e9 f2 bc 87 bd 37 6f 52 6c 38 6b ea 3f bb 0b c9 5e 31 // be 68 dc 0d e0 76 aa 75 43 22 75 5d be 09 f6 9f 80 ba 6c f4 f7 86 da // 3c f3 81 36 88 ed 2c 48 41 4e 1a 55 cd 1d 04 e3 68 df e7 3c c3 14 ed // 0b d5 55 e9 c6 4b d5 b7 37 54 5b 20 a6 54 c3 e2 ad 4f e9 4e 27 4b 74 // ee 54 bd bb f8 f7 63 1c ff d2 fd 84 47 87 7b 6e aa e6 d9 6c c0 c7 61 // d4 49 3a fa 04 d8 81 08 52 09 7f d6 1e 1e 6a 9c 4a 7a eb 71 14 23 99 // aa a1 a8 ea 7c 9b c0 3c 28 02 8c 98 3c 94 79 90 9d 88 10 df ae 68 97 // e1 36 76 6f 3b 24 de 25 ce 7a 13 62 7b 2f 37 c0 82 30 94 7b c8 9e a8 // 01 6a da dc 10 69 b2 aa 04 a0 72 72 1f bc e0 1c 47 1d 35 20 e9 e3 35 // 17 69 30 ce 4a 9e 57 3a 97 dc 74 1e 78 32 5b 1c 83 92 81 2c 78 d3 62 // 84 c2 d0 30 eb b8 92 45 ed e6 80 e7 94 bb dd c7 f7 25 4c 0d 00 f3 79 // 95 6d 9f 8c 90 df 6e c7 90 da 86 af 76 f8 a8 02 d8 e2 37 1a 5f 5b 2a // 30 84 95 c9 df 54 9e 0c 96 6b f7 47 51 fa 64 7b 26 8e 47 39 d2 e4 07 // 10 c8 2c d8 86 8a 06 f3 7a 2e b6 83 36 2e a1 4d bd bc 4d 3d 12 02 0f // 4d c5 e1 d6 82 9b b1 ad 6e fe cc 44 4e 5e 0a bc c5 49 35 f3 02 53 35 // 7c fb fd ba 20 aa 68 02 d4 73 ad d2 96 14 45 37 e8 30 28 a6 93 cb b1 // 4b 61 25 b6 87 34 ad 01 92 61 35 6d 8d 83 d9 77 ec 33 de 80 16 14 d8 // a2 2f 5c 4f 8f 0b 2b c9 bd c2 b5 32 4f f5 79 d6 14 37 d4 04 8b d9 71 // 1d 96 b7 0a 0e ec 2b 73 1d ac 54 d0 fd af 83 32 0e bc 64 bd ae 72 b1 // 56 91 fc a6 30 9d 8d 67 38 6a 9d f1 32 f9 47 f4 23 48 6d bf 2f 9d cd // 07 4b 0a 70 a0 b9 c7 65 ef 0d c6 0e 06 07 c0 9e 12 fa e4 8a 91 ea e0 // 9a cd 1c 2a 15 d2 f8 96 62 94 6a 4a 85 9d 22 20 33 46 c3 b8 fe ff a0 // 17 51 d0 1d ad 6d 57 20 1f e0 94 d8 c4 e5 dd da 1d af 10 0f 65 64 07 // 9d f3 06 23 0e 4b ee 17 66 d0 30 84 b2 20 c6 90 73 72 7b 03 0c 4a 6e // 44 f1 81 3a f2 89 79 2d 83 78 20 42 0e f4 d6 52 5b 59 44 4e 5b 5e ea // ab 77 22 fd 84 03 6e 3d a5 13 c4 63 c2 72 f8 38 75 35 a0 41 7f 07 c2 // 11 a9 9d 1e 0d b2 29 60 8e 85 f8 cf 11 6f 32 28 af 89 10 6d eb 4e 6a // f2 8b 95 a8 bd e0 3c 0c 04 55 7d 22 44 c9 a6 d3 1c d7 ed 27 a8 20 2e // ac 27 b5 67 6d 86 58 bb 48 ca 76 5b ad 75 20 0a c9 57 62 f3 f7 fd 79 // 53 72 74 0a b1 f9 85 ca 20 5b ca ce bf db 83 a9 bb c3 2e cc 3e 3c 0b // ce f1 99 7b 5c 6b d4 a0 45 ec 04 41 ee 07 b4 c7 d9 ad 45 ae db d9 83 // 22 9f 48 74 41 a5 2a 64 52 07 43 82 ef 27 21 ee c8 82 a6 4c dd 69 29 // da 3d 03 41 50 60 21 e9 a7 b1 a8 69 89 8f 96 a5 c7 b9 ec 6d 32 0a b0 // a3 a6 6f 80 a7 42 42 d3 e2 67 d3 99 90 6f 6b a1 dd cd 79 b4 7a cd ff // 54 6d f0 87 b4 9b a8 33 81 c6 4f b7 b7 2d 19 c2 ba 6a 04 79 0f 13 c3 // 03 2a 93 0c 4d 86 ba 14 ba c9 8a f6 5e be 10 d2 3d a4 26 e2 63 6a b4 // 95 0f 0c 0c af b0 f1 f4 a4 93 b7 a6 82 46 12 d7 94 49 45 6b 93 0c de // da 4b fa 93 89 b3 14 b7 dd 57 df 97 c4 06 14 0f 08 10 e2 49 c1 20 95 // c6 10 8b 0c 98 a8 e5 53 f9 42 f4 c8 f2 8f de af 79 81 ba 62 3a dd 8f // 0c 39 06 ca 53 3d 28 62 29 55 91 d3 ab a2 61 f4 1a 23 4e e5 30 5d e3 // 09 bb 43 14 09 85 dd 79 6a fb 3a 02 e0 4b f3 14 a1 65 fb 46 98 c1 d2 // 15 6d be ce 00 13 5d 1e 04 3b d7 80 64 db 6e 97 cf 13 af b9 a1 88 ae // c0 94 54 05 c8 ec 7f cf f3 39 69 d9 7d 60 e2 f2 b0 6e 3a b8 8f 2c cc // 4d b9 91 5e 42 d3 1e 57 5b 91 57 7d 3d 57 8e d2 16 9b 2c de 0d 8d f8 // bb 27 74 59 bd ac 3c 82 da a7 25 4d af d5 a5 18 e0 4f b7 05 74 a3 1f // 04 da 50 ff 37 9f 15 46 4a e7 00 67 48 0e 6b 07 1c b3 38 9d 45 a0 e9 // cf a9 be f1 a0 40 f6 ed 85 be 79 23 32 5a 23 cc df fe 20 89 11 31 9a // cc eb 99 b4 f8 45 5a 74 d7 f9 8b 2c fd 53 76 1e 78 c6 fe 1e e0 95 aa // 2e d0 e3 38 b7 5c 92 b6 47 9a 98 e2 f4 41 b7 9c 8b b2 ec 73 b3 0f df // 71 64 d0 c4 c8 ec bd 43 9f 62 f9 1b 32 16 5b d0 60 27 f0 c6 4b c2 ac // d2 28 1b 57 cf fd 4e 3f 36 37 81 60 ea 6c 0b 33 90 be 56 af 4e 48 fb // a1 a5 99 82 a6 77 b0 f0 bd 57 1a 84 f1 9f 26 bd 23 d6 70 a8 6c 7d b5 // 0d 42 fa 12 19 ab 7b 42 c4 f2 f4 90 32 af 18 25 a6 26 46 cb e4 7f 2d // 01 28 c3 e7 2f 71 27 25 eb 57 67 03 3f 8d f3 ec c5 a5 dd 2b e2 d9 1d // ac 9c 08 56 bd 1a e2 89 08 2a 88 97 5a 1e f4 92 74 d7 f7 42 a8 66 06 // 7f 4d 9c 76 ba 4e 88 54 f7 91 c9 02 dc c7 94 b2 a8 2d e8 c3 89 e7 4f // dc 67 67 00 b0 a7 e5 61 59 7e c7 3f 93 3d bb 8b a5 b9 90 23 46 c8 58 // b3 ff 78 c3 8b f9 c2 da ea 6a ad b3 7b 5e 58 62 01 98 a8 2c 51 98 e6 // 12 8e 08 78 93 d2 9c e3 4c 0d 98 27 0e 2f 5f 42 72 b9 e2 43 35 75 28 // 4b 9d 0c 14 61 44 2b 95 dd a0 fa e5 9f 1f 08 41 f1 c3 fc 7d c7 60 52 // a3 59 39 5f 2f fb 14 66 e2 48 af a7 24 3f 4d 95 a6 34 d6 2f 28 1c fe // dd 8a a6 28 48 19 71 0d de 35 41 ef dd ae ad ab da 06 8c 36 c8 87 d9 // 67 a2 3a f2 65 18 9a eb 14 7f 7b 18 3f 40 6e 47 a4 f2 dc b2 47 28 e0 // 94 7d 0c f9 35 29 ea 26 63 cc ea 21 50 ad 89 85 60 49 d5 95 a5 07 01 // 26 28 b4 8b 24 0e b3 14 26 f8 c0 a3 31 3f ce 2b 1f de c1 22 c9 1b 52 // c5 df eb a8 df 4e 91 45 92 4b c7 fa b6 18 e3 05 8d 0c 2e af 7f 47 aa // b8 b1 35 05 d8 ed 5b e5 7b 63 d9 38 a7 7d 5c d5 bb 13 62 41 81 2e e8 // 6a ce f0 ed 4f 3d 29 8a d5 f1 34 52 80 a8 41 45 e1 8e 23 26 5d cb 43 // 6e 47 77 f8 11 12 20 4f ed 54 d2 0f 90 6e a5 0f f3 39 02 c1 8c 7d d9 // a5 7e a9 31 15 a3 f9 da 7f c9 17 ea c1 44 6c c6 84 ac 29 3d 90 cc 60 // 06 65 e8 37 10 2a 1a 25 1f c9 56 d4 9b 30 65 1f c5 10 1c 4e 98 4d e2 // b9 79 25 7b 4c e2 15 9e 04 a4 fa 58 41 29 62 12 c4 12 47 53 0a a1 47 // ca 36 18 c7 9e 7f 8e 4f 91 f3 e8 0c 86 46 75 cc 1c ae da 77 00 bc 01 // 4b 14 f8 70 2d 68 47 73 89 a9 9a 47 60 d3 4b e7 ab a0 80 65 94 9f 8e // 68 84 91 60 e9 33 60 11 c2 6e 10 51 7f 5b 4f 6e 68 8f c2 78 77 71 4d // b0 d2 b4 9d 13 d6 7f fa 01 c2 11 5a 49 28 36 93 d9 44 69 fa 42 5b cb // e7 f5 6f da 05 ec 44 82 4f 04 68 e9 83 ee db 0f 61 ff 52 d3 26 c9 57 // b4 13 de 50 9b 42 9a 10 f5 58 be 7d 87 34 84 df a0 3d 9e c4 3d a3 d4 // 2c 95 10 31 55 23 d0 57 ee b4 c0 57 e7 d5 be de 83 46 20 dc fa 01 9f // 05 75 e4 4f d1 a0 d6 b3 80 82 d1 04 2c 11 ff 4a 4c 48 22 ab 71 86 04 // ec fd d8 c5 2c 19 37 ab 2d 3c 0a ae 66 b0 54 e4 4b 95 a8 61 3d d8 c7 // 25 a8 17 d1 d2 c2 71 7e f1 40 91 08 3d 3f fb b1 91 87 5d 29 09 42 af // cb c2 d3 48 0d e3 53 3d 23 77 97 cd 1f 75 b7 01 b0 f2 cc a9 f8 0d 62 // 36 d8 88 cf 2e 28 ea c2 b1 f4 29 db d5 4f 0b 0a 2d f5 0b f5 7e b2 76 // 20 01 81 26 f8 bd 45 80 f2 99 d5 7e 44 b0 80 77 5b 4d ca 99 72 22 28 // d0 70 db 00 56 cd df 0f 70 ab 71 57 fb 0c e4 ac fb 71 40 88 4e 24 b1 // 68 2b 25 23 0d 40 36 70 a4 22 b4 88 cd 97 8b d7 df 59 ba fc 58 f6 f4 // eb a8 7c b3 d0 31 ea 2e 59 27 b2 dd bb 21 5e db 08 20 90 0c d6 d2 1d // 88 b0 c7 4a 0f 86 cd ef c3 ea 91 16 01 c7 18 ed be 3b 48 d3 cd 52 1e // be e2 e6 8c ec a7 9f e6 5d 1c b1 90 d8 d5 66 89 eb a0 6f bf 4d e6 bd // bb db 83 1a 2d 83 59 c7 58 0e fe 72 69 a7 54 d3 f1 21 f9 60 a9 a7 23 // 1d fd c0 b4 74 a2 4b ed 56 f2 f0 ea f3 2c 97 b4 f1 03 d2 cc e6 b4 f0 // a9 32 a7 43 d9 dc bb 52 58 1f 62 8a ea 23 82 03 47 b8 3c a1 5e 4f 95 // 2e a7 7e 84 e0 32 c2 c0 f0 a7 0d eb 9e e1 c5 87 b4 de 34 e4 1d 43 7c // 89 53 c5 e1 60 4a d4 63 11 8d bd 2e fa c2 04 ec f8 e6 61 34 46 68 f7 // 75 3d 1b 24 c5 73 81 a6 b5 7b cd b5 3b 42 99 05 cf fe 7b 8d 0a c3 c6 // 92 bf 42 f1 aa 30 29 a1 de 4b 16 68 ae 6b 78 e4 bf 92 ec 7f a4 0b 0b // 66 75 92 ef 2b be 44 bf 3a b4 86 09 27 47 54 56 26 53 c8 ab c1 6c 4e // 86 20 04 48 b7 f7 2d 56 d0 98 ce a3 9f 7e d9 48 4c e9 ea dd f7 2e c3 // 29 9c 4d 98 08 d1 27 6f de 07 36 56 4c 35 89 d7 80 60 7c b8 cf 11 9b // 96 f6 32 6d 70 28 7f 30 a4 6a 4c a9 4e a8 6e a9 e4 90 c0 2f 10 61 42 // db 5a 0f 2f a9 d6 93 23 dd 89 a8 1a 27 fe 76 ee b9 4f a8 cf 16 24 ac // 51 c0 5c 9e 30 53 50 59 3d 50 9d c3 ad f7 0e 3e e2 f9 ab 8c 07 80 af // 90 84 04 4b 40 2a 18 b9 42 a7 3f 76 04 8d 46 6c dc db 0c af 26 ba db // c7 b8 7c f8 f1 1d 5c 06 5f 17 b8 93 35 9c db 0c f9 4c 04 56 85 8e 53 // 43 be b6 08 e0 cd a1 0e 8b a4 57 a9 d6 86 7f 0a 98 9e c5 4e 8d 80 d6 // e0 ab 96 1d 85 bd ff 43 33 e6 c0 dd b2 25 00 99 e0 73 a5 02 23 a4 cb // 78 a9 be 17 4f 17 b8 a6 7d 60 ea b0 d6 a1 c0 ed 0b fb 03 58 9b fc 81 // ed 5b c2 b1 ff 08 54 58 18 7a 2d 4b 2d cd 75 3f bc c8 83 a3 33 95 08 // a7 2d 6f 36 8b e3 ad 94 6c 5e 1f dd 25 54 7b b2 6d 73 61 77 61 f5 54 // 54 c1 24 23 61 c5 16 81 19 bf 7f 5b 6f 44 a7 2f 5e ea c7 98 a7 e1 fe // 19 80 2c 75 39 78 79 59 7e 1c a5 64 d8 d6 2d 5b c7 3f bc 0c ee f1 3f // 51 1d 24 f1 70 2c b9 70 5a b6 d4 93 cc f1 d0 f7 9f b5 84 f7 64 28 a7 // ba 80 b6 ec de d9 e1 9e 0f 12 a7 f3 a2 8a 80 93 fe 6f 4b 5e 2e 7c 7e // fc 0c 5b 71 ea 4a 27 6f e1 36 a7 d5 89 f2 80 78 7c cb 6b 40 a6 85 cb // 63 2d e8 53 02 15 75 92 95 c3 6f 2c f9 c8 82 ac 95 84 d6 8d 58 91 52 // 5e 7b 08 fd 75 1e 65 9f 51 f1 78 5f 27 27 cf 5e 1d de 9d 52 b6 28 5e // 5d b4 bf c3 08 ec 4e fe cd f4 84 3f be 0c 40 11 3b e4 73 c6 cb 9e c3 // b5 39 ae 02 16 ff cc 74 ce 5b 57 a8 dc b9 50 60 54 7b c4 2e 03 94 e1 // 99 53 5e 71 e2 1e bf 39 46 05 48 3f 72 ec 2e c5 18 8c a3 8f d9 fa a4 // 76 86 bd 33 8d fc 98 70 c8 b6 20 3a 20 1d 12 58 06 45 23 c5 d6 27 31 // 3b 78 dc 94 f6 a1 a4 88 d4 9a 92 96 d6 32 e6 e3 1e 17 71 22 09 fd 67 // bc 66 95 15 fc a6 ca 43 21 02 03 e9 21 08 1a f1 3a 86 2d 14 81 2e 98 // ed 1e 38 0c 45 fe c0 b1 6f 3e 4c c0 4b f3 fe 00 cb 28 a6 c6 5b 44 6b // 45 c6 53 0c 38 05 78 41 e2 52 11 d5 3f 57 ac b2 4d 35 c0 76 5d 1f 34 // c6 26 26 cb 89 ec 09 d6 b6 cc 27 ce 2c 06 41 73 ce 0d 83 b4 53 58 91 // fa c2 cb} (length 0x1000) // } // } // ] *(uint16_t*)0x200000000a80 = 3; *(uint16_t*)0x200000000a82 = 0; *(uint32_t*)0x200000000a84 = 0x80; *(uint64_t*)0x200000000a88 = 0x4000; *(uint64_t*)0x200000000a90 = 2; *(uint16_t*)0x200000000a98 = 0; memcpy( (void*)0x200000000b00, "\x3c\xde\x08\xe8\x8a\x84\x0d\x98\x8c\x44\x3a\x7e\x61\x17\x18\xc0\x15\x70" "\x4b\x99\x7f\x91\x01\x6e\xb5\x77\x88\x95\x61\xae\x48\x45\xa8\xd3\x63\x56" "\x23\xe8\x8e\xdd\x16\x70\x36\xb1\x97\xda\x64\x20\x27\x17\x70\xb6\xa9\x4a" "\xf0\x9a\x82\x09\x96\x42\x19\x10\x2f\x40\xc4\xb7\x61\xba\x61\x9a\x47\x2e" "\x29\xc2\x82\x3f\xfa\xb2\xa0\x71\x8c\xd7\xcd\x32\x8e\x76\xcc\x4b\x3d\xf1" "\x0f\x25\xb1\xb5\xa9\xf2\x11\x9d\xdc\x06\x0f\x7b\x69\x13\xb6\x90\x8f\x71" "\xcb\xfb\x34\x6a\x17\xef\x3c\xc7\xad\x28\xfb\xaa\x85\x63\x68\x22\x08\x58" "\x43\x91\x7d\x8a\x57\xa5\xf4\xb2\xb7\x2c\x44\x94\x8a\x51\xa4\x25\x35\x5e" "\x7d\x93\xa2\xcb\x78\x4e\xf8\xd3\xab\xc1\xb1\x5c\xcd\x6f\xf3\x46\x93\x51" "\xc6\x93\xe1\xc0\x6d\x14\x83\xd6\x8f\xa1\xce\x4a\x13\x0f\x99\x25\xf7\xf7" "\xbb\x2e\x64\x8c\x7b\x4f\x18\x88\xc3\x56\x19\x65\x5a\x0f\x13\xbf\xf6\x8b" "\xe6\x78\xc4\x73\x1f\xbf\x74\xfe\x15\x15\xc0\x2c\x6c\x73\x15\x45\xa7\x41" "\x3b\x13\xdc\x60\x87\x3b\x72\xcd\x1d\x21\x1c\x26\xbe\xbd\xc9\x00\xe7\x22" "\xe0\xfb\xa2\xeb\x6d\xbc\x6e\x5e\x4c\x7c\x43\x26\xd9\x51\x5a\xbc\x61\x91" "\x36\xcd\xf1\x5c\x63\xec\xd5\xce\x8f\xef\x33\x0d\x9c\x1d\xb5\xf3\xc9\x38" "\x1c\x63\xac\x85\x39\xab\x50\x68\xdd\x4a\x24\xad\xd9\x21\x3f\x33\xaa\x5d" "\x6a\xd4\xe2\x4e\x1a\x7a\xc0\xe2\x3f\xb0\x25\x1c\xdb\x25\x94\x5e\x7a\xae" "\x0b\xfa\x47\x30\x70\xd8\x2d\xc3\xca\x3f\x74\xdf\x0c\x0b\x72\xe7\x6f\xb0" "\xe5\x10\x89\x50\x28\x02\x31\xf0\xca\x7f\x67\x99\x24\x26\xa4\xf4\x29\x6e" "\x3c\xae\x0a\xf5\x03\xad\x07\x21\x09\x9b\x11\x4d\x24\xe6\xb4\xe4\x8e\x1b" "\xa3\xc6\xcf\x0c\xcc\x29\xc9\x3e\x94\xf9\xeb\x75\x37\x33\x5c\xcf\xe3\x4c" "\x5b\xe4\x47\xa5\x43\x39\xfc\xb2\x6d\x65\x14\xf3\xc9\x17\x36\x54\x38\xe1" "\x71\x6c\xcb\xb7\xcf\xee\x1c\xbb\x51\x26\xf0\x78\xd3\xa8\x09\xd8\x77\x03" "\x0e\xaa\x4f\x8e\x5a\x24\x26\x30\x04\x35\x8a\xf5\x9f\xb6\xad\xf1\x26\x30" "\xa3\x0b\x7e\x56\x4a\xf9\x9b\x4b\x32\xbf\xb0\x46\x6b\x21\xea\x5b\x4a\xa7" "\xe6\x1f\x04\xa1\x29\xef\x99\xf0\x8e\xb2\xe8\xb9\x28\xe2\xaf\x2f\x16\x44" "\x51\x8c\x46\xfe\xdd\xee\x25\x0a\xe1\x44\x1a\xc7\xa6\x80\xdb\xde\x8c\x12" "\xff\x31\x3f\x43\x43\x24\xcd\x96\x61\xa2\x61\xf6\x26\xd7\x1f\x0c\x31\x14" "\x1a\x5a\x73\x86\x36\xfb\x8e\x43\xe3\xa5\xf1\xba\x5a\xc9\x92\x2e\x7a\x67" "\x3b\x73\xff\xbe\x7e\xb1\x41\xc2\x2f\xe4\xd4\x5f\x94\xdb\x3f\xf0\x5a\x44" "\x27\x73\x79\x6b\x8d\x95\x55\x0b\x4a\xd6\x08\x87\x98\x3d\xf5\x06\xd0\x44" "\xa3\x01\x2f\xbb\x82\xef\x40\x73\x12\xa3\xc4\x05\x88\xd6\xcd\x50\xdc\x78" "\x7f\x93\x46\xd2\x4b\x21\x8a\x32\x65\x36\x8f\x8a\x78\x20\x1d\x18\x96\xbe" "\xb1\xc7\x5d\x4b\xce\x9b\x3b\x64\x22\x69\x24\xfa\x6d\xa4\x77\x2c\x0f\x2e" "\x78\x37\x06\xc8\xf3\x45\x73\x64\xc5\x20\xe2\x1e\x0b\x5d\xe6\xa3\x77\xb5" "\x53\x44\x93\x2c\x5c\x31\xba\x15\x6f\x72\x12\xf7\x4f\x0f\x5e\xc5\x10\x73" "\x3f\x19\xfe\xf2\xbf\xac\xc5\x6a\x51\x6d\x68\x17\xb0\x04\x8e\x4b\x21\xcc" "\x97\x51\xf2\xa1\xac\x90\x6e\x30\xa8\x7e\x56\x99\x54\x1a\x3b\x55\xe8\x03" "\x8b\x18\x75\x9a\x82\x1d\xc1\xe8\x9b\xf2\x7b\x42\x27\x9a\x1a\x51\x6c\x56" "\xe4\x38\xce\x80\x12\x8d\xd1\xb3\x0d\x51\xdb\xc1\x30\x7b\x41\xa0\x8c\x01" "\x4b\x86\x6f\x93\x48\x00\x4c\xae\x53\x02\x12\x97\x0b\x2b\x4b\xa6\x6c\x06" "\xd5\x0a\xf7\x08\xb8\x8b\x93\x67\x40\xc9\x2f\x17\xa2\x97\x5b\x49\x4c\x53" "\x2c\x84\xe5\xab\xf3\xf0\x9f\x11\x94\xc1\xdc\xf4\xf4\x27\x89\x07\x97\x8c" "\x20\xb4\xeb\xa9\xfb\x42\xd0\x49\x0b\x28\x68\xda\x9c\xac\xe8\xbe\x56\x0e" "\x7e\x92\xf0\xff\xca\x18\x24\xd9\xc1\x55\x81\x26\x6f\xbb\xd7\x59\x4f\x5f" "\xaf\xce\x43\x3c\x88\x3a\x97\xf9\x08\x6b\x51\xf1\x18\x43\x9a\x74\x9e\x7d" "\x42\x43\x11\xc0\x23\x4c\xe1\x40\xac\x0a\x74\xfa\xc5\xa5\x01\x2a\xc2\x3b" "\x0c\x4b\xd6\xcc\x10\x8a\xf9\x25\x73\xe5\xee\xc6\xc8\xc5\x58\x6a\x7d\x81" "\x04\x6b\x8d\x41\xb6\x91\x59\x6b\xb8\xf1\x58\xec\xa2\x41\x5e\x1a\x2a\xb1" "\xd7\x5f\x97\x56\x81\x2a\x75\xcc\x66\xb3\x98\x6f\x7d\x4c\xf2\xee\xac\x00" "\x1e\x38\x97\x92\xf4\xb8\x48\x38\x56\x4f\x73\xe9\x20\x1e\xf1\x96\x3f\xce" "\x9e\x3d\x36\x0a\x59\x72\xd1\xcb\xb8\x38\x51\xc1\x1d\x4e\x27\x39\x54\xb7" "\x4d\x53\xbc\x61\xd0\x59\x3a\xd0\xb6\x13\x25\xd1\xec\x93\x47\x5f\x0f\x3f" "\x03\xef\x25\x94\xb3\x87\xe7\xa6\x03\x75\xcd\x2a\x0e\x1f\x08\xf6\xa6\xe7" "\x7a\x36\x95\x78\x31\xb9\xf5\x49\xc0\x2e\x83\xf0\x9d\x36\xa6\x78\x21\x84" "\xda\x88\xb3\xb9\xec\x83\x87\x11\x18\x82\x03\x8c\xe3\x84\x03\xd6\xe2\x1a" "\x94\x89\xc2\x27\x30\xe7\x81\x8b\x34\x9c\x3f\xb7\xcd\x3d\xc2\xf2\x26\xb5" "\x6d\x72\x84\x31\xba\x70\xa0\x92\xa7\x4d\x02\xba\xf1\x7f\x00\x72\x7e\xd3" "\x01\x33\xd7\x52\x74\x9b\xef\x67\x64\xba\xa5\x55\xcf\x4f\xfa\xa1\x4e\x11" "\xae\xef\xff\x0c\x45\xd8\xb9\xf3\xfb\xd3\x08\xd7\x9a\xd2\xb2\xb6\xb9\xb4" "\x47\x74\x69\x91\x13\x5d\x04\x2f\xba\x72\xd7\x95\x7d\x50\x22\x57\x87\xdd" "\x99\x6b\x13\xa3\xe6\x73\xb6\x49\x23\x01\x4c\xdd\x1e\x8e\x54\x39\x2b\x37" "\x26\x50\x7e\xf0\xf0\xc7\x86\x6a\x54\x8b\x54\xee\x4d\x2a\x3a\xc7\x84\xd7" "\x1b\xbf\x43\x34\x4f\x61\xa0\x4a\x6c\x98\x5b\x12\x35\x7f\x5f\x1b\xac\xeb" "\xaf\x80\xbc\x21\x36\x9f\xdd\x1a\x68\x6b\xd3\x37\xf8\x3b\x71\xad\x08\x75" "\xdd\xec\x74\x31\xdb\x5b\x97\x7c\x8e\x16\x88\x33\xc7\xf3\x7c\x67\xf0\x3d" "\xb8\xca\x01\x03\x74\xc6\x95\xd2\x93\xef\xe3\x4e\xf6\x03\x88\x7b\x99\xf5" "\xd4\x8f\x1b\x70\xbc\xe1\x5b\x3e\xfe\xb2\xfd\xc5\x42\x9e\x09\xf2\x5b\x3a" "\xa4\x83\xa3\xc9\x0f\x07\xb3\xbf\xe4\xce\x4a\x7a\x2b\x21\x6e\xa1\x4b\x65" "\x27\x60\xfd\xe9\xa8\xa8\x70\x80\xc9\x54\x0e\xd1\xa2\xc3\x0a\x9c\x28\x66" "\x24\xe7\xef\x2b\xf6\x1c\xd0\x9c\x87\x15\x5c\x39\x4e\x9a\xdd\xd5\x25\xb0" "\x67\x51\x4a\x3c\x07\x18\xc0\x85\x02\xbc\xe1\x1c\xa0\xcb\xcf\x43\xd8\x44" "\x0f\xe8\x9e\x09\x65\x00\x73\xe1\x0a\xbb\xe3\x14\xa3\xe7\xf2\xbf\xff\x12" "\x00\x50\x87\x0e\x84\xb2\x14\xa5\x17\x31\x07\xf0\xbc\xf1\xdc\x3e\xe3\x42" "\xa1\x9a\xc0\x02\xf1\x12\xa4\x50\x03\x04\x99\x67\xd9\xdd\xe2\x91\xdb\x6b" "\x42\x4d\x1b\x88\x3e\x99\xa8\xb6\xf5\x5f\x78\x06\xc6\x04\x19\x63\xfb\x16" "\x48\x26\xef\x2d\x2c\xf0\x98\xda\x9b\x3f\x51\xba\x8e\x6c\x92\x09\x37\x4f" "\x7b\xfb\x80\x32\x79\xe7\xcb\x8d\x74\x6e\x29\xaa\x9a\xd2\x80\x3d\x2a\x04" "\xe0\xa8\xb0\xdc\x14\xc5\x5a\xbf\x1d\x78\xa4\xbb\xf7\x0b\xe1\x79\xbc\xe8" "\x56\x44\xe4\xb7\xeb\x0e\x13\x4e\xe2\x77\x8e\x06\xe8\x15\x7b\x09\xfc\x95" "\xf9\xea\xb5\x89\xf7\xe9\x2b\xa0\x01\x99\xa7\x51\x52\x95\x7e\x9e\xbf\x8d" "\xf1\xe9\x62\x2c\xaf\xf0\xca\x3d\x8b\xee\x3c\x11\x71\xe8\xba\x84\x45\x3e" "\x0c\xf2\x60\x8d\x80\x73\x5c\x5e\x22\xba\x58\x28\x63\xd4\x25\xd9\xf4\x8b" "\x1d\xd1\x07\x0b\x36\x3c\x39\x8c\x54\xa5\xad\x90\xcf\x68\xb3\xc2\xb3\x62" "\x59\x94\x9d\x7d\xaf\x71\xd2\xc9\xc6\x62\x17\x09\x22\xad\x0f\xd8\xce\x64" "\x0e\xfa\x31\xdd\x1f\x40\xec\x14\x6b\xf7\xd6\xdb\xcc\xaa\x8c\x0b\xfb\xae" "\x2f\x5f\x81\x1d\x64\x70\x0e\xf3\xab\x08\xe5\x11\xfb\xe5\x0b\xc6\x5f\x83" "\xca\xc0\xeb\x12\x5e\x6c\x33\x73\x1f\x7c\xd8\xb1\xa3\x5e\x4a\x39\x60\x24" "\x79\xf5\x5b\xc1\x7f\x0b\xfe\x22\xe9\xbb\x1d\x38\xb6\xe2\x79\x70\xaa\xc9" "\xc2\x6a\x53\xb9\x1c\xc3\x8e\xd5\x96\xa8\x27\xe6\x1f\x2d\xf1\x9c\x04\x13" "\x79\x5c\xf7\x76\xea\x5b\x40\x0c\xd6\x6a\xa8\x1c\x14\xe6\x79\x4b\x35\xd4" "\xd3\x9c\xa9\xef\x74\xf1\xe8\x1e\x70\x98\x4d\x19\x13\x52\xed\x66\xbf\x06" "\xa5\x27\xb7\xdf\xb6\x26\x87\x48\x36\xc5\x2f\xc2\x7f\xd7\x9a\x99\xdf\xc6" "\x15\xe3\xf7\xdb\x7c\xb8\xb4\xaf\x97\x0c\x75\xd6\x2c\xec\x2f\x61\x9c\xf5" "\xd6\xc0\x17\x11\xb7\xbc\x4c\x68\x5e\x35\xa6\x69\x55\x28\x72\xfc\xb9\x61" "\x7c\xb3\xde\x1c\xeb\x02\x66\x16\x77\x80\xd9\x2c\xd0\xcd\xa2\xd0\x85\x6f" "\x66\x45\xf8\x45\x75\xb6\x1a\xfc\x1b\x04\x04\x10\xc5\x57\xd0\xb4\x1c\x09" "\xe6\xe5\x89\x78\x8b\xbc\xa0\xb6\xf3\xbc\x7a\xcf\xa5\x08\xa8\x20\xf6\x5c" "\x79\xd2\xa5\x85\x3c\xda\x42\x2e\x77\xaa\x39\x5c\x1b\x8a\x7d\x44\x99\x8e" "\x1e\x4b\xde\xe8\xab\x25\xb1\x77\x64\x4f\x30\xb6\x9f\xd0\xd3\x24\xb1\x83" "\x9f\x63\x36\xa2\xe9\x14\x2b\x16\x44\x75\x8f\x04\xed\xab\x6b\xe8\x1b\x49" "\xed\x57\xed\x2d\x11\x7e\xe3\xa6\x0e\x17\xe6\x07\x43\x89\x94\x9f\xaf\x1a" "\xce\x12\x42\xae\x8e\x35\x8d\x89\x8d\xa1\x14\x6b\xe1\x00\x11\xa0\x47\xf3" "\xe1\xd1\xa5\x42\x49\x6a\x92\x21\xce\x09\xbe\x11\x21\x42\x20\xa5\x0e\x70" "\x8c\x7a\x66\x49\x7f\xb0\xf3\x6b\x5d\x6c\xab\xbb\x58\x8e\x37\x69\x6a\xf8" "\xb5\xc4\x98\x7b\x19\xd9\x92\x8b\x26\x10\x4f\xaf\xaf\xb8\x04\xb2\xef\xde" "\x4b\xa9\xb6\xde\x58\x8d\x03\x18\xd9\xdb\xde\x6f\xaa\x4d\x6a\x9b\x61\x72" "\x19\xd3\xac\xbc\x58\xbf\xd0\x72\x17\x64\x87\x19\x07\xd0\x5c\x40\xd9\x8c" "\xab\x83\x16\x19\xe8\x91\x43\x56\x95\x96\x41\x72\x77\xb7\x24\x48\x74\x6e" "\xfa\x45\xab\xcb\x1f\x8f\x18\x7e\xc0\x66\xcc\x5a\x4c\xee\x90\x44\x55\x9f" "\xec\x52\x3b\x17\xf2\x30\xd7\x7a\x6f\xf8\x20\xaf\xcf\x55\x28\x51\xff\x1b" "\xb8\x50\xfc\xda\xb4\x21\xf0\x10\x88\x9b\x3a\x45\x09\xe5\xb8\x75\x34\xe5" "\x79\x76\xc9\x03\x5e\x2d\x34\x83\xc8\x81\x2f\xb0\xa4\xd1\x14\x89\xbf\x93" "\x2e\x09\xab\x5c\x49\x34\x8c\x25\xf0\xbd\x38\x74\x3f\x33\x47\xd0\x14\x74" "\x2d\xc5\x2f\x1f\xe4\x85\x39\xfd\xbb\x2f\x15\x24\xdd\x22\xa0\x02\xfd\x83" "\x15\x7b\xc0\x2a\x51\x72\xb3\x5a\xfc\xe5\x9a\x89\xb3\x9c\xf7\x4d\x38\xeb" "\x5b\x77\xa8\x10\x12\x46\x56\x75\x53\x09\x80\x02\xa3\x03\xd8\x4a\x94\xcb" "\xdb\xe8\xa7\x22\xb8\xef\x3f\x5e\x9e\x40\x4c\x41\x04\x6e\xff\x7e\x7e\xc1" "\x11\x1a\xbc\xa7\x33\xbd\x4c\x6c\x17\xa1\xfa\x9c\x6d\xcd\x0b\x52\x1f\x3f" "\xe6\xfa\x84\xf8\x72\x3c\x25\x4c\x5b\x80\x76\x59\x1b\xdb\x1b\xda\xab\x9c" "\xd9\x78\xeb\x61\xcc\x7d\x8d\x15\xbe\x9d\x51\x86\x93\x19\x6f\x9a\xca\x63" "\x1e\x23\x51\x6a\x25\x8e\x8f\xfb\xeb\x4e\x51\x3a\xff\x57\x65\x06\x0f\xe9" "\xa6\x5f\x94\x02\x8e\xc9\xf5\x0e\xa1\x4a\xe2\xc2\x2e\x49\x83\x5b\x8a\x79" "\x03\x67\x62\x42\x2c\x3d\xff\x07\xbe\x34\xf2\x99\xa9\xba\xcf\x6e\x2e\x0e" "\xa4\xb4\x7a\xd1\xb0\x54\xe8\x34\x75\x91\xc9\xf6\x3a\xa0\xf7\xf5\xdd\x05" "\x36\x3d\xbd\x5c\xea\x88\x31\x06\x82\xc5\xe0\x2e\xff\xc5\xd6\x87\x35\xdf" "\x77\x87\x63\xee\x16\x2b\x9c\x34\xf8\x8a\xaa\x67\x61\x4f\x29\x01\xc0\x35" "\x2d\xe8\x94\x11\x83\x3f\xd9\x8b\x19\x63\xe4\x65\x77\x06\x71\xbb\xe2\xcc" "\x45\x0c\xfc\x8d\x3f\x51\xc6\x9f\x5c\xfe\x21\xaa\x1f\xb5\x27\x1e\x4f\x33" "\xd3\x7b\x8a\xa4\x45\x09\x4c\xb5\x53\xdb\xcd\x40\x9f\x7b\x6a\xd5\x68\x15" "\xb8\x18\x7f\x31\x80\xc5\x3b\x17\xca\x84\x0f\x19\xef\x80\x6f\x3c\x15\x83" "\x0a\xd8\xa1\x4f\x33\x22\xdf\xb7\x4f\xfe\x96\x49\x65\xf9\xd4\x48\x89\x15" "\x25\xd7\xfa\x53\x92\xe1\x7f\xd3\x7a\xbc\xa2\x37\xcf\x6a\x8c\xe2\x56\xaa" "\xa4\x2f\x38\x76\x6a\xed\x5e\xd2\x8e\x1f\x91\xc8\x25\x99\x00\xa3\x70\xf5" "\x67\x4b\x55\x2a\x6f\x14\xfc\x5f\xe7\x90\x34\x76\xc9\x64\xb1\x09\x08\x2d" "\x58\x8f\x42\xe8\x90\xd2\x68\x10\x07\x21\xb4\x6d\xb8\x1f\x99\xd6\xc8\xfe" "\xd0\x58\xec\xab\xc5\x66\xd6\x06\x8f\xa1\x9b\x33\x41\x33\x0b\xa4\x9a\xae" "\x70\xa1\x0a\x74\x69\x53\x13\xb0\x0b\x15\xb3\xaf\xba\x6f\x3c\x94\x93\x03" "\x0c\x7d\xe4\x60\xd4\x0d\xfd\x84\xcb\x37\x71\x29\x2c\xa7\x5e\x42\x36\xe8" "\x47\xc0\x99\xca\xc5\xca\x80\x5f\x0c\xec\xe6\x65\x70\x14\x9f\xf1\x7e\x4f" "\x83\xe1\x1d\x10\x19\x9b\xcc\x95\xd6\x9b\xa1\xe3\x37\xfa\x02\xab\x82\x2f" "\x46\x06\x51\x8f\xec\xeb\x08\x1d\xfc\xf9\x74\xd2\x17\x56\xeb\x78\x69\x11" "\x92\x03\x8b\xc3\x7f\xd5\x84\xfb\xf7\xfe\xd3\x8e\xd2\xde\xaa\x22\xd1\x91" "\x4a\xfa\x4a\x06\x72\xc9\xe8\x8c\x3f\x57\xe4\xb2\x9e\x0d\xfc\x5a\xcd\x1a" "\x4e\x27\xad\x42\x73\xaa\x53\x15\x5f\x75\x06\x53\xf6\x86\x90\x9b\x56\x1e" "\xf6\x58\x25\x41\xb4\xb9\x76\x8a\xaa\xf4\x8c\xff\x69\x89\x8f\xb9\x83\xcd" "\x6a\x49\x06\xd2\x5a\xd1\xff\xd8\xf4\xf4\x41\x0f\x92\xc5\x53\x11\x56\x1e" "\x7d\x15\x3a\x16\x95\x32\xc8\xd2\x14\xc6\xa4\x8f\x31\xcf\xfc\xff\x8a\x71" "\x68\x90\xa7\x5f\x5e\x4e\x9a\x47\x10\xfe\xd4\x8b\xa2\xa6\x44\xe6\xc4\x51" "\x16\x23\x4f\x64\x31\xef\xb4\x23\xb0\xf4\xac\x1f\x7c\x90\xee\x71\x74\xc3" "\x50\x5f\xa2\xac\x98\xc3\xea\x33\xd6\x41\x5a\x9c\xed\x90\x56\x5f\x42\x52" "\xc6\x07\x5c\x6e\x98\x39\xec\xc9\xd4\xd6\x85\x0d\x62\xad\x4e\xfe\xdb\x3e" "\x61\xe6\x1b\x87\x43\x04\x11\xd6\x20\x1f\x02\x2b\x55\x9a\xaa\x3e\x67\xae" "\xd0\xb8\x4f\x67\xfd\x5b\xba\xef\xe8\x18\x5f\x77\xd3\x4b\xa2\x18\x08\x2b" "\xbf\xc3\xfd\x06\x5d\xeb\x51\x58\xe3\xf0\xfa\xd7\x50\x04\x88\xc2\x7f\xc4" "\x80\x0e\x4a\x6e\x2f\x6e\x4a\x18\xf3\x31\x9b\xe5\x85\x48\x43\xcc\xfc\x91" "\x75\x77\x3e\xe7\x50\x34\x51\x1a\x35\x8c\x79\x87\x72\x78\x3a\x79\x98\x17" "\xb5\x68\x18\x51\x37\x7d\x5d\x28\x90\x53\x6a\x25\x0c\x78\x43\x4c\xb0\x5b" "\x77\xba\xc5\xc0\x8c\x14\xfc\xad\x69\xdf\x81\x1d\x5c\x1a\xf0\x5b\x69\xe6" "\xe2\xff\x20\xd1\xec\x8e\x71\x73\x70\x2a\x9c\x94\x54\x7d\xda\x5a\x75\xa7" "\xc7\xf2\x53\xef\xe3\xd0\xa9\x15\x09\xa0\x8b\x6b\x29\xba\xe8\xfd\x9a\x13" "\xf8\x5d\x58\x84\xad\xea\x38\xd1\xd7\x71\x93\xd6\xc0\x87\x1b\x8f\x52\x93" "\x62\x1c\xbe\xd9\x14\x5b\xc0\xb4\xe8\xef\xf1\x64\xf9\x78\x0a\xbb\x74\x42" "\x08\xd7\x27\xbc\x6b\x75\x9f\xfd\xc9\x04\x1d\x78\x14\x8d\xa4\x22\xd7\xc5" "\xac\xff\x69\xe0\xa8\x5e\x7d\x20\x70\x23\x60\xc6\x77\xb7\xf8\x1d\xe0\x22" "\x94\x54\x7a\x9f\x5d\x39\xf6\xfe\xbd\xbf\x7c\x5f\x57\x80\x73\xe7\xe4\xe9" "\x41\xc2\x26\x40\xc3\xff\xa5\x68\xa3\x79\xac\x2b\x81\x2a\x3c\x9b\x23\xb8" "\xec\x39\x11\xef\x06\xac\x50\x69\x9d\x11\x7a\x90\x14\x6a\x76\xaa\xc4\x1a" "\x53\x64\x0e\xb7\x49\x84\xde\xc7\xbf\x6b\xf8\xf1\x45\xb8\x06\x15\x33\x33" "\xeb\x71\x3b\xc7\xe5\xb2\x74\x16\x0b\xea\x2e\xab\xef\xca\x2f\x3d\xb0\x4d" "\x28\x55\xcb\x0f\xb0\xe6\xa1\x71\xa2\x55\xbc\x8d\xe0\x0b\x87\x8f\xbc\xac" "\x20\x10\x41\x81\x8d\xf2\x96\x0a\xa4\x8e\xae\xc8\x8f\x86\x05\x57\xd8\x0e" "\x86\x95\x9c\x80\x9f\x89\x7a\x64\x24\xbb\x6a\xc6\x3b\xb2\xe5\xa6\x43\x08" "\x17\x31\xbb\x83\xa7\xab\x25\xfd\x29\x9c\x9f\xe8\x2e\x04\xfe\x79\x2b\x09" "\xf7\x35\x7c\xb9\x9a\xc2\xb5\x24\x88\x74\x1f\xf2\x59\xe2\x9a\xa6\x0d\xc7" "\x46\x7d\xc5\xc4\xeb\xc7\xc1\xfa\x26\x95\x8d\x72\xb1\x1d\x6e\xb4\x7e\x67" "\xd3\x1e\x0e\xf0\x5b\x2c\x12\x7f\xc9\xe2\xf4\xa9\x02\xdd\xd1\x0b\x8d\x8e" "\x58\x3b\x1f\xa1\x73\xa2\x8c\xb2\x69\xbc\x0e\xb5\x09\x40\x8b\xa7\xbb\x7e" "\x66\xc7\x57\x68\x4c\x2d\x0f\x62\xfc\x30\x99\x1f\x22\x13\xd1\x3a\xcf\x58" "\xdc\x4e\x4f\x56\xf3\xf6\xe0\x11\xe7\x0d\xda\xf3\xf1\xca\x0f\x7d\x8a\x53" "\xef\xdf\xfa\x88\x48\xbb\xae\xf0\xfe\x49\x0f\x13\xdd\xf9\x75\x91\x96\x09" "\x19\xac\xbb\x55\x88\xca\xcf\xf4\xce\xa2\x67\x2d\xeb\x15\xbb\x29\x89\x9b" "\xe9\xbd\x00\xfc\x38\xe5\x7b\xa8\x53\x95\x4f\x62\x63\x90\xb4\x64\xce\xa7" "\x9a\x79\x3d\x04\x59\xba\xd7\xc5\x14\xcc\x39\x33\x2f\x48\x50\xe8\x64\x9f" "\xd9\x1d\x66\xc1\xb3\x95\x63\xd2\x43\xca\x76\x4d\x3c\xf4\xb2\x4b\x38\xc8" "\x76\x9c\x16\xfd\x2c\x50\x1c\x13\x93\xef\x6f\x7d\x93\x1d\x74\xfc\x93\xca" "\x94\xce\x83\x40\x2f\x44\xac\xe2\x8c\x40\x49\x0c\x3d\x7e\x81\xdf\xed\x02" "\xb2\x93\xfd\x6f\xae\xfb\xf8\x73\xd4\x1c\x7c\x2d\xe6\x2a\x89\x39\xb8\x43" "\x91\x94\x60\xfa\x21\xb5\x5b\xf7\xb0\xad\xbf\xa9\x60\x1f\xf7\x79\x73\x2e" "\xe8\x75\x21\xea\x67\x17\x9e\x20\x0a\xf9\xf1\x84\x05\x94\x6a\x98\xc9\xea" "\xdb\x5f\xe1\x7b\x09\x3e\x4b\x5e\x3f\xfb\x74\xbe\xac\x43\xdb\xca\x6e\xa6" "\x31\xdb\x8f\x63\x72\x78\x15\x68\xa4\x55\xcc\x79\x3e\x6b\x63\xc7\x9e\x5e" "\x1f\x8a\x3c\xc1\x1a\xa1\xbf\xcf\xbd\x7c\x0e\xd2\xa3\xf1\xb4\x2a\x12\x78" "\x35\x2c\xf1\xd7\xf1\xf3\xfc\xa1\xaa\xea\xbd\x71\xd8\x61\x12\x76\x03\xb5" "\x0a\x78\x6e\xe5\xee\xda\xc2\x1d\xb0\xc8\x0f\x82\x20\xd3\x51\x4a\x4f\xbc" "\x68\xc2\x25\xc6\x51\x8d\x5f\x09\x43\xc9\x7f\x51\xdc\x71\x2f\x9b\xd3\x89" "\xed\x56\xbd\x02\x9b\xad\xba\x82\x42\xd9\xb0\x42\xe4\x70\x04\x12\xd1\x27" "\x9f\x29\x99\xb3\xc1\x1d\x75\x4d\x73\x1f\xca\x2b\x5a\xfb\x61\xcc\x71\x5c" "\xc2\x4c\xc8\x0b\x9c\x9d\xca\xd1\x72\xd0\xe3\xf4\xee\xcd\x87\xaa\xe7\xae" "\x21\x5a\x9d\x96\xdd\xe3\x20\x0a\x15\xd7\xb9\x27\xb3\xb7\x10\x62\x35\x76" "\x4b\xde\x30\x19\x16\xc2\x28\xad\x7a\x58\xae\xb7\xa8\x5b\xb7\xa4\x0d\x7a" "\xa8\xe4\x33\x32\xdf\xfd\xd1\x44\xae\x22\x8d\x51\x5a\x9c\x71\x4b\x36\xca" "\x63\xcb\xca\x72\xff\xf6\x60\xf4\xb4\xff\x88\x07\x4f\x68\x9f\x21\xf1\x6e" "\xec\x2d\x5a\x9d\x7f\x8f\xa6\x10\x7f\x8a\x34\x60\xfb\xe8\xfe\x2b\x2e\xa7" "\x5f\x15\x9f\x8a\xca\xde\x78\x47\x23\x25\xaf\xc7\xa6\x11\x95\x47\x15\xf7" "\x8a\x60\xf5\x80\xed\x90\x44\x99\xc4\x50\xb5\x18\x09\xfa\x54\x49\xc4\x7b" "\x53\xe9\x0a\x56\x97\xfa\x29\xae\x2a\xfb\x0f\xe7\x5d\xe3\xab\xf9\xef\x0a" "\x72\xc3\x5b\x49\x26\xdb\xa9\x49\xa6\xbd\x48\xe8\x86\x05\x08\x1f\xab\x4f" "\xed\xc7\x9d\xbd\xa1\x11\xc9\x4b\xd5\x97\x48\xb8\xb2\x04\xee\x9d\x26\xfe" "\x3d\xc4\xb0\x30\x0d\xfc\x58\xa0\xf8\x30\xd1\x2f\x2f\xe2\xa0\x2f\xc3\xac" "\x76\x61\x3b\x31\xa5\x19\x6f\x53\x6b\x31\x14\xd0\x58\xd7\x8c\xfc\x13\xa2" "\x3e\x5f\x3c\x56\x13\xcc\xb8\xa5\xed\x46\x29\xfe\x57\x17\x0a\x3c\xd8\x51" "\x3f\xe1\x89\x9b\x5a\x32\xd2\xe4\x31\x47\x87\x42\x77\xa7\x7a\xa9\x52\x55" "\xc2\x51\x6e\xaa\x59\xa2\xfe\x8e\x68\xd9\x4f\xfc\x23\xd2\xd4\xe9\x56\xd0" "\x66\x96\x9e\x1f\xa4\xad\xa9\xbb\xdd\x95\x9c\xac\xe1\xd3\xd3\x6f\x0d\x99" "\x2d\x05\x6a\x19\x81\x98\x47\x01\xd7\xe4\xd6\x04\xf3\x97\x75\xa8\x58\xf0" "\x8a\x88\x23\xfc\x79\x83\x94\x43\x8e\x85\xa8\x7d\xca\x27\xca\x98\xa1\xcb" "\x06\x0e\x90\x78\x98\x03\xa6\x2e\x3e\xb1\xdd\x18\x9e\x62\x25\xb6\x29\x52" "\xb7\x55\x40\x2f\xf7\xd0\xea\xbb\x84\x58\x5c\xb8\x53\xab\xfd\x11\xe6\x2b" "\x7c\x4b\xba\xf3\x05\x0f\x08\x5e\xfb\xed\x43\xb7\xef\x44\x96\x29\x52\xc4" "\x8b\xc2\xda\x17\xa0\x3e\x8d\x2b\x0f\xc6\x78\xb2\x53\x68\xac\x07\x69\x03" "\x45\xbc\xee\x28\x06\x87\x84\x7d\x24\xb3\xe7\xe3\x3f\xa1\x7c\xbe\xde\xcc" "\xa6\x4a\x01\x22\x70\x1a\xf2\x87\xfa\xa0\xc2\x19\xec\x30\x5d\xa7\xf0\x6f" "\x37\x49\x6f\xf8\xc1\x8e\x42\xa6\xa5\x33\xe4\x9f\x82\x24\x17\x93\x7f\xf8" "\xdb\x72\x5c\x7d\xc0\x24\xef\xba\x3f\x34\x6a\x67\xd7\x03\x0b\xbf\x45\x13" "\xa7\xd9\x15\x1b\xb7\x08\xab\xe3\x85\xd2\x1a\x09\x8f\x34\x5b\x94\x99\xa7" "\x9d\xd3\x71\xfb\xdc\x4a\x29\xb6\xbe\x6c\xd0\xff\xbe\x5f\x2a\x49\xee\xfc" "\x2f\xd5\xf3\xea\xcc\x47\x0c\x32\x94\xe5", 4096); memcpy( (void*)0x200000001b00, "\x92\xbb\xe6\x8d\x68\x83\x14\x72\x73\x1a\x7d\x2c\x7a\x75\x4f\xd8\xb7\x96" "\xb7\xbe\x48\x98\x25\x76\xb6\xd9\xa9\x60\x1d\x71\x81\x1f\xd8\x57\xb1\x1f" "\x89\x03\x9f\xd5\x6f\x1c\xc7\x1b\x70\xdf\x1b\x5c\x66\x08\x4c\x14\xa9\x0b" "\x75\x2d\x8c\x4a\x37\xc6\xce\x3d\xfe\xa7\xee\x28\xd4\x7e\xf6\x0f\x00\xe2" "\x6b\xc9\x92\x32\x67\x36\x6b\x9c\x78\xde\x73\x6d\x87\xd0\x2e\xd8\x26\x5f" "\xfe\x73\x3c\xf8\x02\x9a\x49\x5c\xcd\x2d\xfa\x56\xab\x87\xfb\x1e\xb9\xcf" "\xa8\x96\x83\xc4\x13\xd4\x0e\xd8\xf7\xa4\x68\xaa\xad\x6a\xbf\x03\x08\x68" "\xec\x9b\x23\x77\x75\x27\x23\x09\x3a\xe5\x67\x68\xfb\xdb\xff\x77\x45\x91" "\xdc\x7e\x1d\xdb\xab\xfd\xca\xf7\xf9\xbb\x77\x30\x56\xef\x23\x9f\x16\x22" "\xd3\x10\x99\x3e\xfb\x4e\x84\xdd\x2e\xd5\x36\x83\x6b\x03\xf1\xb3\x29\x48" "\x22\x2e\x8b\xba\x28\x85\x69\xb7\x5a\x6e\x1f\xc0\x68\xa0\xd7\xee\xbb\x2b" "\x6f\xff\x77\xa4\x05\x24\xc4\x91\xa0\xc3\x12\x96\xca\x1f\x43\x04\x03\xaf" "\xbe\x50\xe1\x5a\xa2\xb9\x6f\xc1\xd2\xd4\x24\x03\x14\xeb\x56\xdc\x75\xdc" "\x8d\xcc\xeb\x7d\x82\x6f\x42\xf0\x43\x91\xb9\xe3\x62\x50\x31\xd5\x69\xbc" "\xbd\xc7\x5b\x1c\xcc\x5a\xb8\x48\x05\x6c\x3b\xa2\x7e\x4b\xfb\xcf\xba\xe3" "\x98\xf9\xad\xc3\xc8\xe2\xe5\x08\x7b\x45\x44\xa2\x49\x5f\xcd\xa9\x39\xfc" "\x4f\x19\xd1\xe9\x63\x62\x08\x79\xe2\xe7\xee\x7a\xb8\xf4\xfd\x7d\x33\x7a" "\x95\x10\x5b\xe0\x16\x6b\x8d\x15\x09\x0d\x45\x6e\x36\x33\x67\xa2\xe1\x9d" "\x54\x8a\x94\x10\x88\xbf\x1d\x1c\xf7\x15\xc5\x40\x1f\x95\xa2\x7d\xd1\x4c" "\xd2\x52\x50\x15\x23\x35\x31\xf5\x9e\x45\xeb\x75\x02\x46\x42\x70\x27\xfe" "\x3f\xbc\xfd\x1e\x17\xe9\xa1\xbd\x77\xdf\xf8\x79\x0e\xcd\x2a\x1a\x95\x94" "\x4c\xbe\x3a\xc1\x18\x1c\x0c\x15\xac\xf2\xae\xfb\x97\x00\x20\x56\xc3\xb0" "\x8e\x91\x8b\xe9\x15\xa7\x0b\xb9\xb6\xa9\xb1\xb7\xaf\x8f\x32\x93\x7c\xca" "\x7d\x53\x21\x54\x16\x21\x81\xda\x3c\x7b\xd4\x11\x5a\xd9\x56\x0c\x18\x75" "\x56\x6c\x62\x02\x08\x69\x29\xb7\xd2\xdd\x3a\xe6\x28\xe1\x81\x7d\xe9\x1c" "\x2f\x75\x02\x15\x33\x9a\xc2\x87\x81\x56\xfb\x12\x5e\x64\x56\x91\xf2\x9c" "\x7a\x7d\x05\x86\xa0\xb6\x32\x30\x33\x8a\x0a\x52\x16\x7b\x42\xd1\x89\x46" "\x49\xc0\x9d\xe6\x56\x69\xde\x20\xdd\x22\xa9\xb5\x14\xc6\x80\xd3\xc9\x23" "\x8b\xbf\xde\xb0\x3d\x06\x6f\x0a\x6a\xe3\xb2\x5d\x7d\xea\x41\x0a\x41\xa1" "\x0c\xb3\x2c\xb5\x88\xea\x5f\x73\x00\xeb\x2c\xa4\xee\x60\xba\x11\xcb\xf4" "\xab\x2d\x40\x16\xb9\xd2\xb2\x83\x22\x19\x73\xe2\x1c\x47\xad\x08\xa5\xe1" "\x51\x12\x12\x6b\xd0\xd9\x95\x46\xe8\xda\x93\xeb\x77\x23\xd5\x4c\x8e\xa4" "\x1a\x06\xec\x90\xed\xa6\x09\xcc\x2a\xfa\xe5\x09\xcc\xa4\x99\x80\x21\x63" "\xd1\xb6\x91\x3e\x56\xdc\x1d\xbb\x54\x02\x77\x2b\x13\x58\xfb\x05\x22\x0b" "\x01\xe5\xbe\x45\x6c\xce\x42\x9d\xab\x81\xce\x56\xdb\xa3\x33\x4b\xde\x68" "\xe6\xdd\xd8\xe8\x1d\x1a\x8f\x99\x08\x79\x14\x28\xfe\x82\x7c\xad\xa3\x99" "\x36\x5d\xb0\xbc\x9d\x55\x1e\x7e\x24\x58\x2a\x56\xfe\x24\x29\x24\x4b\x57" "\x1c\x91\xed\x8c\x39\x79\x11\xe9\x25\x02\xc8\xb7\x8b\x1c\x81\x41\xc2\x99" "\xc9\xe8\x67\xf6\x32\x95\xc2\x9d\xf1\xaf\xb3\x62\xdb\xd3\x85\x96\xd1\x59" "\xa7\x62\xd2\x24\x99\x5d\x59\xb3\xf1\x24\xd6\x8b\xac\xe2\x7d\xac\xa6\x95" "\x52\xf8\xf4\x27\x19\x6b\xc0\xe1\x05\x82\x8a\x8a\xbe\xe8\xae\x82\xdb\xcc" "\xb9\x16\xa5\xb4\x63\x6c\xee\x9b\x91\x31\xa7\x78\x1b\xe6\xd0\x34\x56\xee" "\xcf\x53\x3e\x42\x7c\x15\x17\xad\x59\x01\xbf\xf4\x44\x7c\xc6\xad\x04\x7b" "\x21\x4d\x01\xba\x95\x14\x33\xa9\x09\x60\xbd\x94\x2b\xd4\x8b\x08\xa5\x6a" "\x8f\xaa\x59\x67\x21\x4c\x75\xf0\x8b\x36\x61\xbc\x16\x9b\xa3\x66\x05\xbf" "\x35\x8f\x85\x4b\xf0\x52\xad\x84\xf1\xf5\x87\x26\xc9\x31\x33\xfe\xa2\x50" "\xc1\x14\xa2\x23\xe7\x36\x6e\xe5\xc5\xeb\x23\x5d\xb7\x20\xb8\x62\xa1\x58" "\xbc\xd0\x94\x5e\x97\xa6\x74\x4f\xf7\x3b\xa2\x94\xb7\xa2\xd0\x28\xc1\x65" "\xdb\xd9\xab\xd6\x23\xcd\xe1\xd4\x27\x19\x8a\x0f\xe6\x0f\x24\xc0\x1b\xc4" "\xe8\x08\x14\x7c\x2a\x03\xe8\xb6\x2d\x10\x47\xe4\x7e\x1d\x6f\xad\x8c\x96" "\xae\xe7\xe1\xc8\xc5\xc7\x62\xd5\x0f\x8d\x16\x3c\xf4\xaa\x39\x5a\x63\x93" "\x19\x30\xaf\x40\x6a\xf5\x2b\xd4\x89\x85\x21\x05\xf6\x7e\xe0\x92\x34\xb1" "\xe4\x69\x73\x13\xa7\xb3\xcd\x58\x0e\xb3\x67\xf6\x4e\x9a\x09\xdc\x32\xa5" "\x77\xf3\x8f\x68\x2e\x53\x6b\x35\xdb\x04\x0d\x19\xae\xf2\x1f\xd8\xf2\x9d" "\x7f\x73\x17\x1f\x42\xcb\x9d\xa7\x2a\x83\xcd\x86\xb8\x22\x4a\xe6\xa4\x96" "\xc8\xb2\xab\xff\xeb\xa2\x22\xb1\x6b\xe0\x38\xc9\x32\x19\x1b\x4a\xd1\xc3" "\x29\xe7\x85\x70\xbf\x57\x6c\x12\xfb\x21\x2f\x0e\xfb\x25\xcc\x3c\x3b\xe7" "\x55\xd7\xc8\x0b\xcf\x13\x54\xd6\xee\x6d\xba\x72\x77\x16\x60\xa7\x7f\xce" "\x17\x2e\x33\xf3\x2a\x3b\xa1\xbd\xf6\xb4\x27\xf3\x7c\xed\x09\x2e\xea\xbf" "\xa3\x68\xf1\x11\x01\x54\x79\x80\xb0\xcb\x82\x7e\xd3\xdb\x3a\x1b\x22\x43" "\x1c\x37\xef\x69\x1a\x8f\x9e\x07\xcd\xef\x55\x7a\x3c\xd0\xe6\x66\x18\x8a" "\x67\x80\x70\x9f\x37\x4b\xd8\xfb\xfd\xee\xb8\x8e\x0f\xaf\x1c\x95\xd0\xf6" "\x68\x11\x62\x27\xb4\x47\xbb\x14\x90\xb6\x59\x38\xdc\xaf\x47\xe3\x58\x59" "\x12\x20\xd8\xdb\xc5\xd8\x7b\x12\x2d\x9b\xe6\xf3\x0d\x36\x3c\x26\x26\xde" "\x93\xcd\x48\x0a\x21\x87\x5f\x47\x4b\x96\xbe\xd3\xf1\x98\xf6\x90\x88\x3f" "\x86\x22\xdd\x96\xc1\x74\xb4\x3c\xea\x38\x22\x9d\x32\x31\x42\xe0\x3a\x27" "\x01\x6c\x5f\x44\x2b\x94\x49\x37\x9a\xc4\x55\xaa\xe9\xf2\xbc\x87\xbd\x37" "\x6f\x52\x6c\x38\x6b\xea\x3f\xbb\x0b\xc9\x5e\x31\xbe\x68\xdc\x0d\xe0\x76" "\xaa\x75\x43\x22\x75\x5d\xbe\x09\xf6\x9f\x80\xba\x6c\xf4\xf7\x86\xda\x3c" "\xf3\x81\x36\x88\xed\x2c\x48\x41\x4e\x1a\x55\xcd\x1d\x04\xe3\x68\xdf\xe7" "\x3c\xc3\x14\xed\x0b\xd5\x55\xe9\xc6\x4b\xd5\xb7\x37\x54\x5b\x20\xa6\x54" "\xc3\xe2\xad\x4f\xe9\x4e\x27\x4b\x74\xee\x54\xbd\xbb\xf8\xf7\x63\x1c\xff" "\xd2\xfd\x84\x47\x87\x7b\x6e\xaa\xe6\xd9\x6c\xc0\xc7\x61\xd4\x49\x3a\xfa" "\x04\xd8\x81\x08\x52\x09\x7f\xd6\x1e\x1e\x6a\x9c\x4a\x7a\xeb\x71\x14\x23" "\x99\xaa\xa1\xa8\xea\x7c\x9b\xc0\x3c\x28\x02\x8c\x98\x3c\x94\x79\x90\x9d" "\x88\x10\xdf\xae\x68\x97\xe1\x36\x76\x6f\x3b\x24\xde\x25\xce\x7a\x13\x62" "\x7b\x2f\x37\xc0\x82\x30\x94\x7b\xc8\x9e\xa8\x01\x6a\xda\xdc\x10\x69\xb2" "\xaa\x04\xa0\x72\x72\x1f\xbc\xe0\x1c\x47\x1d\x35\x20\xe9\xe3\x35\x17\x69" "\x30\xce\x4a\x9e\x57\x3a\x97\xdc\x74\x1e\x78\x32\x5b\x1c\x83\x92\x81\x2c" "\x78\xd3\x62\x84\xc2\xd0\x30\xeb\xb8\x92\x45\xed\xe6\x80\xe7\x94\xbb\xdd" "\xc7\xf7\x25\x4c\x0d\x00\xf3\x79\x95\x6d\x9f\x8c\x90\xdf\x6e\xc7\x90\xda" "\x86\xaf\x76\xf8\xa8\x02\xd8\xe2\x37\x1a\x5f\x5b\x2a\x30\x84\x95\xc9\xdf" "\x54\x9e\x0c\x96\x6b\xf7\x47\x51\xfa\x64\x7b\x26\x8e\x47\x39\xd2\xe4\x07" "\x10\xc8\x2c\xd8\x86\x8a\x06\xf3\x7a\x2e\xb6\x83\x36\x2e\xa1\x4d\xbd\xbc" "\x4d\x3d\x12\x02\x0f\x4d\xc5\xe1\xd6\x82\x9b\xb1\xad\x6e\xfe\xcc\x44\x4e" "\x5e\x0a\xbc\xc5\x49\x35\xf3\x02\x53\x35\x7c\xfb\xfd\xba\x20\xaa\x68\x02" "\xd4\x73\xad\xd2\x96\x14\x45\x37\xe8\x30\x28\xa6\x93\xcb\xb1\x4b\x61\x25" "\xb6\x87\x34\xad\x01\x92\x61\x35\x6d\x8d\x83\xd9\x77\xec\x33\xde\x80\x16" "\x14\xd8\xa2\x2f\x5c\x4f\x8f\x0b\x2b\xc9\xbd\xc2\xb5\x32\x4f\xf5\x79\xd6" "\x14\x37\xd4\x04\x8b\xd9\x71\x1d\x96\xb7\x0a\x0e\xec\x2b\x73\x1d\xac\x54" "\xd0\xfd\xaf\x83\x32\x0e\xbc\x64\xbd\xae\x72\xb1\x56\x91\xfc\xa6\x30\x9d" "\x8d\x67\x38\x6a\x9d\xf1\x32\xf9\x47\xf4\x23\x48\x6d\xbf\x2f\x9d\xcd\x07" "\x4b\x0a\x70\xa0\xb9\xc7\x65\xef\x0d\xc6\x0e\x06\x07\xc0\x9e\x12\xfa\xe4" "\x8a\x91\xea\xe0\x9a\xcd\x1c\x2a\x15\xd2\xf8\x96\x62\x94\x6a\x4a\x85\x9d" "\x22\x20\x33\x46\xc3\xb8\xfe\xff\xa0\x17\x51\xd0\x1d\xad\x6d\x57\x20\x1f" "\xe0\x94\xd8\xc4\xe5\xdd\xda\x1d\xaf\x10\x0f\x65\x64\x07\x9d\xf3\x06\x23" "\x0e\x4b\xee\x17\x66\xd0\x30\x84\xb2\x20\xc6\x90\x73\x72\x7b\x03\x0c\x4a" "\x6e\x44\xf1\x81\x3a\xf2\x89\x79\x2d\x83\x78\x20\x42\x0e\xf4\xd6\x52\x5b" "\x59\x44\x4e\x5b\x5e\xea\xab\x77\x22\xfd\x84\x03\x6e\x3d\xa5\x13\xc4\x63" "\xc2\x72\xf8\x38\x75\x35\xa0\x41\x7f\x07\xc2\x11\xa9\x9d\x1e\x0d\xb2\x29" "\x60\x8e\x85\xf8\xcf\x11\x6f\x32\x28\xaf\x89\x10\x6d\xeb\x4e\x6a\xf2\x8b" "\x95\xa8\xbd\xe0\x3c\x0c\x04\x55\x7d\x22\x44\xc9\xa6\xd3\x1c\xd7\xed\x27" "\xa8\x20\x2e\xac\x27\xb5\x67\x6d\x86\x58\xbb\x48\xca\x76\x5b\xad\x75\x20" "\x0a\xc9\x57\x62\xf3\xf7\xfd\x79\x53\x72\x74\x0a\xb1\xf9\x85\xca\x20\x5b" "\xca\xce\xbf\xdb\x83\xa9\xbb\xc3\x2e\xcc\x3e\x3c\x0b\xce\xf1\x99\x7b\x5c" "\x6b\xd4\xa0\x45\xec\x04\x41\xee\x07\xb4\xc7\xd9\xad\x45\xae\xdb\xd9\x83" "\x22\x9f\x48\x74\x41\xa5\x2a\x64\x52\x07\x43\x82\xef\x27\x21\xee\xc8\x82" "\xa6\x4c\xdd\x69\x29\xda\x3d\x03\x41\x50\x60\x21\xe9\xa7\xb1\xa8\x69\x89" "\x8f\x96\xa5\xc7\xb9\xec\x6d\x32\x0a\xb0\xa3\xa6\x6f\x80\xa7\x42\x42\xd3" "\xe2\x67\xd3\x99\x90\x6f\x6b\xa1\xdd\xcd\x79\xb4\x7a\xcd\xff\x54\x6d\xf0" "\x87\xb4\x9b\xa8\x33\x81\xc6\x4f\xb7\xb7\x2d\x19\xc2\xba\x6a\x04\x79\x0f" "\x13\xc3\x03\x2a\x93\x0c\x4d\x86\xba\x14\xba\xc9\x8a\xf6\x5e\xbe\x10\xd2" "\x3d\xa4\x26\xe2\x63\x6a\xb4\x95\x0f\x0c\x0c\xaf\xb0\xf1\xf4\xa4\x93\xb7" "\xa6\x82\x46\x12\xd7\x94\x49\x45\x6b\x93\x0c\xde\xda\x4b\xfa\x93\x89\xb3" "\x14\xb7\xdd\x57\xdf\x97\xc4\x06\x14\x0f\x08\x10\xe2\x49\xc1\x20\x95\xc6" "\x10\x8b\x0c\x98\xa8\xe5\x53\xf9\x42\xf4\xc8\xf2\x8f\xde\xaf\x79\x81\xba" "\x62\x3a\xdd\x8f\x0c\x39\x06\xca\x53\x3d\x28\x62\x29\x55\x91\xd3\xab\xa2" "\x61\xf4\x1a\x23\x4e\xe5\x30\x5d\xe3\x09\xbb\x43\x14\x09\x85\xdd\x79\x6a" "\xfb\x3a\x02\xe0\x4b\xf3\x14\xa1\x65\xfb\x46\x98\xc1\xd2\x15\x6d\xbe\xce" "\x00\x13\x5d\x1e\x04\x3b\xd7\x80\x64\xdb\x6e\x97\xcf\x13\xaf\xb9\xa1\x88" "\xae\xc0\x94\x54\x05\xc8\xec\x7f\xcf\xf3\x39\x69\xd9\x7d\x60\xe2\xf2\xb0" "\x6e\x3a\xb8\x8f\x2c\xcc\x4d\xb9\x91\x5e\x42\xd3\x1e\x57\x5b\x91\x57\x7d" "\x3d\x57\x8e\xd2\x16\x9b\x2c\xde\x0d\x8d\xf8\xbb\x27\x74\x59\xbd\xac\x3c" "\x82\xda\xa7\x25\x4d\xaf\xd5\xa5\x18\xe0\x4f\xb7\x05\x74\xa3\x1f\x04\xda" "\x50\xff\x37\x9f\x15\x46\x4a\xe7\x00\x67\x48\x0e\x6b\x07\x1c\xb3\x38\x9d" "\x45\xa0\xe9\xcf\xa9\xbe\xf1\xa0\x40\xf6\xed\x85\xbe\x79\x23\x32\x5a\x23" "\xcc\xdf\xfe\x20\x89\x11\x31\x9a\xcc\xeb\x99\xb4\xf8\x45\x5a\x74\xd7\xf9" "\x8b\x2c\xfd\x53\x76\x1e\x78\xc6\xfe\x1e\xe0\x95\xaa\x2e\xd0\xe3\x38\xb7" "\x5c\x92\xb6\x47\x9a\x98\xe2\xf4\x41\xb7\x9c\x8b\xb2\xec\x73\xb3\x0f\xdf" "\x71\x64\xd0\xc4\xc8\xec\xbd\x43\x9f\x62\xf9\x1b\x32\x16\x5b\xd0\x60\x27" "\xf0\xc6\x4b\xc2\xac\xd2\x28\x1b\x57\xcf\xfd\x4e\x3f\x36\x37\x81\x60\xea" "\x6c\x0b\x33\x90\xbe\x56\xaf\x4e\x48\xfb\xa1\xa5\x99\x82\xa6\x77\xb0\xf0" "\xbd\x57\x1a\x84\xf1\x9f\x26\xbd\x23\xd6\x70\xa8\x6c\x7d\xb5\x0d\x42\xfa" "\x12\x19\xab\x7b\x42\xc4\xf2\xf4\x90\x32\xaf\x18\x25\xa6\x26\x46\xcb\xe4" "\x7f\x2d\x01\x28\xc3\xe7\x2f\x71\x27\x25\xeb\x57\x67\x03\x3f\x8d\xf3\xec" "\xc5\xa5\xdd\x2b\xe2\xd9\x1d\xac\x9c\x08\x56\xbd\x1a\xe2\x89\x08\x2a\x88" "\x97\x5a\x1e\xf4\x92\x74\xd7\xf7\x42\xa8\x66\x06\x7f\x4d\x9c\x76\xba\x4e" "\x88\x54\xf7\x91\xc9\x02\xdc\xc7\x94\xb2\xa8\x2d\xe8\xc3\x89\xe7\x4f\xdc" "\x67\x67\x00\xb0\xa7\xe5\x61\x59\x7e\xc7\x3f\x93\x3d\xbb\x8b\xa5\xb9\x90" "\x23\x46\xc8\x58\xb3\xff\x78\xc3\x8b\xf9\xc2\xda\xea\x6a\xad\xb3\x7b\x5e" "\x58\x62\x01\x98\xa8\x2c\x51\x98\xe6\x12\x8e\x08\x78\x93\xd2\x9c\xe3\x4c" "\x0d\x98\x27\x0e\x2f\x5f\x42\x72\xb9\xe2\x43\x35\x75\x28\x4b\x9d\x0c\x14" "\x61\x44\x2b\x95\xdd\xa0\xfa\xe5\x9f\x1f\x08\x41\xf1\xc3\xfc\x7d\xc7\x60" "\x52\xa3\x59\x39\x5f\x2f\xfb\x14\x66\xe2\x48\xaf\xa7\x24\x3f\x4d\x95\xa6" "\x34\xd6\x2f\x28\x1c\xfe\xdd\x8a\xa6\x28\x48\x19\x71\x0d\xde\x35\x41\xef" "\xdd\xae\xad\xab\xda\x06\x8c\x36\xc8\x87\xd9\x67\xa2\x3a\xf2\x65\x18\x9a" "\xeb\x14\x7f\x7b\x18\x3f\x40\x6e\x47\xa4\xf2\xdc\xb2\x47\x28\xe0\x94\x7d" "\x0c\xf9\x35\x29\xea\x26\x63\xcc\xea\x21\x50\xad\x89\x85\x60\x49\xd5\x95" "\xa5\x07\x01\x26\x28\xb4\x8b\x24\x0e\xb3\x14\x26\xf8\xc0\xa3\x31\x3f\xce" "\x2b\x1f\xde\xc1\x22\xc9\x1b\x52\xc5\xdf\xeb\xa8\xdf\x4e\x91\x45\x92\x4b" "\xc7\xfa\xb6\x18\xe3\x05\x8d\x0c\x2e\xaf\x7f\x47\xaa\xb8\xb1\x35\x05\xd8" "\xed\x5b\xe5\x7b\x63\xd9\x38\xa7\x7d\x5c\xd5\xbb\x13\x62\x41\x81\x2e\xe8" "\x6a\xce\xf0\xed\x4f\x3d\x29\x8a\xd5\xf1\x34\x52\x80\xa8\x41\x45\xe1\x8e" "\x23\x26\x5d\xcb\x43\x6e\x47\x77\xf8\x11\x12\x20\x4f\xed\x54\xd2\x0f\x90" "\x6e\xa5\x0f\xf3\x39\x02\xc1\x8c\x7d\xd9\xa5\x7e\xa9\x31\x15\xa3\xf9\xda" "\x7f\xc9\x17\xea\xc1\x44\x6c\xc6\x84\xac\x29\x3d\x90\xcc\x60\x06\x65\xe8" "\x37\x10\x2a\x1a\x25\x1f\xc9\x56\xd4\x9b\x30\x65\x1f\xc5\x10\x1c\x4e\x98" "\x4d\xe2\xb9\x79\x25\x7b\x4c\xe2\x15\x9e\x04\xa4\xfa\x58\x41\x29\x62\x12" "\xc4\x12\x47\x53\x0a\xa1\x47\xca\x36\x18\xc7\x9e\x7f\x8e\x4f\x91\xf3\xe8" "\x0c\x86\x46\x75\xcc\x1c\xae\xda\x77\x00\xbc\x01\x4b\x14\xf8\x70\x2d\x68" "\x47\x73\x89\xa9\x9a\x47\x60\xd3\x4b\xe7\xab\xa0\x80\x65\x94\x9f\x8e\x68" "\x84\x91\x60\xe9\x33\x60\x11\xc2\x6e\x10\x51\x7f\x5b\x4f\x6e\x68\x8f\xc2" "\x78\x77\x71\x4d\xb0\xd2\xb4\x9d\x13\xd6\x7f\xfa\x01\xc2\x11\x5a\x49\x28" "\x36\x93\xd9\x44\x69\xfa\x42\x5b\xcb\xe7\xf5\x6f\xda\x05\xec\x44\x82\x4f" "\x04\x68\xe9\x83\xee\xdb\x0f\x61\xff\x52\xd3\x26\xc9\x57\xb4\x13\xde\x50" "\x9b\x42\x9a\x10\xf5\x58\xbe\x7d\x87\x34\x84\xdf\xa0\x3d\x9e\xc4\x3d\xa3" "\xd4\x2c\x95\x10\x31\x55\x23\xd0\x57\xee\xb4\xc0\x57\xe7\xd5\xbe\xde\x83" "\x46\x20\xdc\xfa\x01\x9f\x05\x75\xe4\x4f\xd1\xa0\xd6\xb3\x80\x82\xd1\x04" "\x2c\x11\xff\x4a\x4c\x48\x22\xab\x71\x86\x04\xec\xfd\xd8\xc5\x2c\x19\x37" "\xab\x2d\x3c\x0a\xae\x66\xb0\x54\xe4\x4b\x95\xa8\x61\x3d\xd8\xc7\x25\xa8" "\x17\xd1\xd2\xc2\x71\x7e\xf1\x40\x91\x08\x3d\x3f\xfb\xb1\x91\x87\x5d\x29" "\x09\x42\xaf\xcb\xc2\xd3\x48\x0d\xe3\x53\x3d\x23\x77\x97\xcd\x1f\x75\xb7" "\x01\xb0\xf2\xcc\xa9\xf8\x0d\x62\x36\xd8\x88\xcf\x2e\x28\xea\xc2\xb1\xf4" "\x29\xdb\xd5\x4f\x0b\x0a\x2d\xf5\x0b\xf5\x7e\xb2\x76\x20\x01\x81\x26\xf8" "\xbd\x45\x80\xf2\x99\xd5\x7e\x44\xb0\x80\x77\x5b\x4d\xca\x99\x72\x22\x28" "\xd0\x70\xdb\x00\x56\xcd\xdf\x0f\x70\xab\x71\x57\xfb\x0c\xe4\xac\xfb\x71" "\x40\x88\x4e\x24\xb1\x68\x2b\x25\x23\x0d\x40\x36\x70\xa4\x22\xb4\x88\xcd" "\x97\x8b\xd7\xdf\x59\xba\xfc\x58\xf6\xf4\xeb\xa8\x7c\xb3\xd0\x31\xea\x2e" "\x59\x27\xb2\xdd\xbb\x21\x5e\xdb\x08\x20\x90\x0c\xd6\xd2\x1d\x88\xb0\xc7" "\x4a\x0f\x86\xcd\xef\xc3\xea\x91\x16\x01\xc7\x18\xed\xbe\x3b\x48\xd3\xcd" "\x52\x1e\xbe\xe2\xe6\x8c\xec\xa7\x9f\xe6\x5d\x1c\xb1\x90\xd8\xd5\x66\x89" "\xeb\xa0\x6f\xbf\x4d\xe6\xbd\xbb\xdb\x83\x1a\x2d\x83\x59\xc7\x58\x0e\xfe" "\x72\x69\xa7\x54\xd3\xf1\x21\xf9\x60\xa9\xa7\x23\x1d\xfd\xc0\xb4\x74\xa2" "\x4b\xed\x56\xf2\xf0\xea\xf3\x2c\x97\xb4\xf1\x03\xd2\xcc\xe6\xb4\xf0\xa9" "\x32\xa7\x43\xd9\xdc\xbb\x52\x58\x1f\x62\x8a\xea\x23\x82\x03\x47\xb8\x3c" "\xa1\x5e\x4f\x95\x2e\xa7\x7e\x84\xe0\x32\xc2\xc0\xf0\xa7\x0d\xeb\x9e\xe1" "\xc5\x87\xb4\xde\x34\xe4\x1d\x43\x7c\x89\x53\xc5\xe1\x60\x4a\xd4\x63\x11" "\x8d\xbd\x2e\xfa\xc2\x04\xec\xf8\xe6\x61\x34\x46\x68\xf7\x75\x3d\x1b\x24" "\xc5\x73\x81\xa6\xb5\x7b\xcd\xb5\x3b\x42\x99\x05\xcf\xfe\x7b\x8d\x0a\xc3" "\xc6\x92\xbf\x42\xf1\xaa\x30\x29\xa1\xde\x4b\x16\x68\xae\x6b\x78\xe4\xbf" "\x92\xec\x7f\xa4\x0b\x0b\x66\x75\x92\xef\x2b\xbe\x44\xbf\x3a\xb4\x86\x09" "\x27\x47\x54\x56\x26\x53\xc8\xab\xc1\x6c\x4e\x86\x20\x04\x48\xb7\xf7\x2d" "\x56\xd0\x98\xce\xa3\x9f\x7e\xd9\x48\x4c\xe9\xea\xdd\xf7\x2e\xc3\x29\x9c" "\x4d\x98\x08\xd1\x27\x6f\xde\x07\x36\x56\x4c\x35\x89\xd7\x80\x60\x7c\xb8" "\xcf\x11\x9b\x96\xf6\x32\x6d\x70\x28\x7f\x30\xa4\x6a\x4c\xa9\x4e\xa8\x6e" "\xa9\xe4\x90\xc0\x2f\x10\x61\x42\xdb\x5a\x0f\x2f\xa9\xd6\x93\x23\xdd\x89" "\xa8\x1a\x27\xfe\x76\xee\xb9\x4f\xa8\xcf\x16\x24\xac\x51\xc0\x5c\x9e\x30" "\x53\x50\x59\x3d\x50\x9d\xc3\xad\xf7\x0e\x3e\xe2\xf9\xab\x8c\x07\x80\xaf" "\x90\x84\x04\x4b\x40\x2a\x18\xb9\x42\xa7\x3f\x76\x04\x8d\x46\x6c\xdc\xdb" "\x0c\xaf\x26\xba\xdb\xc7\xb8\x7c\xf8\xf1\x1d\x5c\x06\x5f\x17\xb8\x93\x35" "\x9c\xdb\x0c\xf9\x4c\x04\x56\x85\x8e\x53\x43\xbe\xb6\x08\xe0\xcd\xa1\x0e" "\x8b\xa4\x57\xa9\xd6\x86\x7f\x0a\x98\x9e\xc5\x4e\x8d\x80\xd6\xe0\xab\x96" "\x1d\x85\xbd\xff\x43\x33\xe6\xc0\xdd\xb2\x25\x00\x99\xe0\x73\xa5\x02\x23" "\xa4\xcb\x78\xa9\xbe\x17\x4f\x17\xb8\xa6\x7d\x60\xea\xb0\xd6\xa1\xc0\xed" "\x0b\xfb\x03\x58\x9b\xfc\x81\xed\x5b\xc2\xb1\xff\x08\x54\x58\x18\x7a\x2d" "\x4b\x2d\xcd\x75\x3f\xbc\xc8\x83\xa3\x33\x95\x08\xa7\x2d\x6f\x36\x8b\xe3" "\xad\x94\x6c\x5e\x1f\xdd\x25\x54\x7b\xb2\x6d\x73\x61\x77\x61\xf5\x54\x54" "\xc1\x24\x23\x61\xc5\x16\x81\x19\xbf\x7f\x5b\x6f\x44\xa7\x2f\x5e\xea\xc7" "\x98\xa7\xe1\xfe\x19\x80\x2c\x75\x39\x78\x79\x59\x7e\x1c\xa5\x64\xd8\xd6" "\x2d\x5b\xc7\x3f\xbc\x0c\xee\xf1\x3f\x51\x1d\x24\xf1\x70\x2c\xb9\x70\x5a" "\xb6\xd4\x93\xcc\xf1\xd0\xf7\x9f\xb5\x84\xf7\x64\x28\xa7\xba\x80\xb6\xec" "\xde\xd9\xe1\x9e\x0f\x12\xa7\xf3\xa2\x8a\x80\x93\xfe\x6f\x4b\x5e\x2e\x7c" "\x7e\xfc\x0c\x5b\x71\xea\x4a\x27\x6f\xe1\x36\xa7\xd5\x89\xf2\x80\x78\x7c" "\xcb\x6b\x40\xa6\x85\xcb\x63\x2d\xe8\x53\x02\x15\x75\x92\x95\xc3\x6f\x2c" "\xf9\xc8\x82\xac\x95\x84\xd6\x8d\x58\x91\x52\x5e\x7b\x08\xfd\x75\x1e\x65" "\x9f\x51\xf1\x78\x5f\x27\x27\xcf\x5e\x1d\xde\x9d\x52\xb6\x28\x5e\x5d\xb4" "\xbf\xc3\x08\xec\x4e\xfe\xcd\xf4\x84\x3f\xbe\x0c\x40\x11\x3b\xe4\x73\xc6" "\xcb\x9e\xc3\xb5\x39\xae\x02\x16\xff\xcc\x74\xce\x5b\x57\xa8\xdc\xb9\x50" "\x60\x54\x7b\xc4\x2e\x03\x94\xe1\x99\x53\x5e\x71\xe2\x1e\xbf\x39\x46\x05" "\x48\x3f\x72\xec\x2e\xc5\x18\x8c\xa3\x8f\xd9\xfa\xa4\x76\x86\xbd\x33\x8d" "\xfc\x98\x70\xc8\xb6\x20\x3a\x20\x1d\x12\x58\x06\x45\x23\xc5\xd6\x27\x31" "\x3b\x78\xdc\x94\xf6\xa1\xa4\x88\xd4\x9a\x92\x96\xd6\x32\xe6\xe3\x1e\x17" "\x71\x22\x09\xfd\x67\xbc\x66\x95\x15\xfc\xa6\xca\x43\x21\x02\x03\xe9\x21" "\x08\x1a\xf1\x3a\x86\x2d\x14\x81\x2e\x98\xed\x1e\x38\x0c\x45\xfe\xc0\xb1" "\x6f\x3e\x4c\xc0\x4b\xf3\xfe\x00\xcb\x28\xa6\xc6\x5b\x44\x6b\x45\xc6\x53" "\x0c\x38\x05\x78\x41\xe2\x52\x11\xd5\x3f\x57\xac\xb2\x4d\x35\xc0\x76\x5d" "\x1f\x34\xc6\x26\x26\xcb\x89\xec\x09\xd6\xb6\xcc\x27\xce\x2c\x06\x41\x73" "\xce\x0d\x83\xb4\x53\x58\x91\xfa\xc2\xcb", 4096); syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x4080aebf, /*arg=*/0x200000000a80ul); // ioctl$KVM_GET_MP_STATE arguments: [ // fd: fd_kvmcpu (resource) // cmd: const = 0x8004ae98 (4 bytes) // arg: nil // ] syscall(__NR_ioctl, /*fd=*/r[3], /*cmd=*/0x8004ae98, /*arg=*/0ul); } int main(void) { syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul); const char* reason; (void)reason; loop(); return 0; }