// https://syzkaller.appspot.com/bug?id=ea9b71fc359357c82524a0209aa9458e7da1c51e // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include const char kvm_asm16_cpl3[] = "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0" "\x00\x0f\x00\xd8\xb8\x2b\x00\x8e\xd8\x8e\xc0\x8e" "\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba" "\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01" "\xc7\x06\x06\x01\x2b\x00\xcb"; const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0"; const char kvm_asm32_vm86[] = "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm32_paged_vm86[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22" "\xc0\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00" "\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22" "\xc0\xea\xde\xc0\xad\x0b\x50\x00\x48\xc7" "\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f" "\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22" "\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89" "\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3" "\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48" "\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x3f\x48\x21\xd0\x48\xc7\xc2" "\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x40\x00\x00\x48\xb8\x84\x9e" "\x99\xf3\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x40\x00\x00\x48\xc7" "\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83\x04\x00\x00\x0f\x32\x48" "\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c\x40\x00\x00\x0f\x79\xd0" "\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff\x17\x00\x00\x48\x21\xd0" 
"\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x2c\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x28\x00\x00\x48\xc7" "\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x0c\x00\x00\x48\xc7\xc0" "\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00\x00\x00\x48\xc7\xc2\x00" "\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x0c\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc0\xd8\x00\x00\x00\x48" "\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x2c\x00\x00\x48\xc7" "\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x4c\x00\x00\x48\xc7\xc0" "\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c\x00\x00\x48\xc7\xc0\x00" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00\x00\x48\xc7\xc0\x00\x00" "\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x6c\x00\x00\x48\x89\xc0" "\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00\x00\x48\x89\xc0\x0f\x79" "\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48" "\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c" "\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x6c" "\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x6c\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x6c\x00\x00" "\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x00\x00\x00" "\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x00\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x20\x00\x00\x48\xc7" "\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x20\x00\x00\x48\xc7\xc0" "\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20\x00\x00\x48\xc7\xc0\x00" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00\x00\x48\xc7\xc0\x00\x00" 
"\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00\x0f\x32\x48\xc1\xe2\x20" "\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7" "\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e" "\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x40" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x40\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x40\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x60\x00\x00\x48" "\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02\x60\x00\x00\x48\xc7" "\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c\x20\x00\x00\x48\xc7\xc0" "\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20\x00\x00\x48\xc7\xc0\x00" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00\x00\x48\xc7\xc0\x00\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12" "\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x68" "\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x68\x00" "\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x68\x00\x00" "\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x48\x00\x00\x48" "\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x48\x00\x00\x48\xc7" 
"\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x48\x00\x00\x48\xc7\xc0" "\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48\x00\x00\x48\xc7\xc0\xff" "\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00\x00\x48\xc7\xc0\xff\xff" "\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f" "\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff\x1f\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c" "\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x48" "\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x48\x00" "\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x48\x00\x00" "\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1c\x68\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x68\x00\x00\x48\xc7" "\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x68\x00\x00\x48\xc7\xc0" "\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28\x00\x00\x48\xc7\xc0\x00" "\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00\x00\x48\xc7\xc0\x00\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f" "\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0" "\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20" "\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f\x79\xd0\x48\xc7\xc0\x18" 
"\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00\x00\x48\x8b\x08\x48\x31" "\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01\xc2\x48\xc7\xc2\x00\x44" "\x00\x00\x0f\x78\xd0\xf4"; const char kvm_asm64_vm_exit[] = "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48" "\xc7\xc3\x02\x44\x00\x00\x0f\x78\xd9\x48\xc7" "\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3" "\x1e\x68\x00\x00\x0f\x78\xdb\xf4"; const char kvm_asm64_cpl3[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e" "\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24" "\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08" "\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb"; #define ADDR_TEXT 0x0000 #define ADDR_GDT 0x1000 #define ADDR_LDT 0x1800 #define ADDR_PML4 0x2000 #define ADDR_PDP 0x3000 #define ADDR_PD 0x4000 #define ADDR_STACK0 0x0f80 #define ADDR_VAR_HLT 0x2800 #define ADDR_VAR_SYSRET 0x2808 #define ADDR_VAR_SYSEXIT 0x2810 #define ADDR_VAR_IDT 0x3800 #define ADDR_VAR_TSS64 0x3a00 #define ADDR_VAR_TSS64_CPL3 0x3c00 #define ADDR_VAR_TSS16 0x3d00 #define ADDR_VAR_TSS16_2 0x3e00 #define ADDR_VAR_TSS16_CPL3 0x3f00 #define ADDR_VAR_TSS32 0x4800 #define ADDR_VAR_TSS32_2 0x4a00 #define ADDR_VAR_TSS32_CPL3 0x4c00 #define ADDR_VAR_TSS32_VM86 0x4e00 #define ADDR_VAR_VMXON_PTR 0x5f00 #define ADDR_VAR_VMCS_PTR 0x5f08 #define ADDR_VAR_VMEXIT_PTR 0x5f10 #define ADDR_VAR_VMWRITE_FLD 0x5f18 #define ADDR_VAR_VMWRITE_VAL 0x5f20 #define ADDR_VAR_VMXON 0x6000 #define ADDR_VAR_VMCS 0x7000 #define ADDR_VAR_VMEXIT_CODE 0x9000 #define ADDR_VAR_USER_CODE 0x9100 #define ADDR_VAR_USER_CODE2 0x9120 #define SEL_LDT (1 << 3) #define SEL_CS16 (2 << 3) #define SEL_DS16 (3 << 3) #define SEL_CS16_CPL3 ((4 << 3) + 3) #define SEL_DS16_CPL3 ((5 << 3) + 3) #define SEL_CS32 (6 << 3) #define SEL_DS32 (7 << 3) #define SEL_CS32_CPL3 ((8 << 3) + 3) #define SEL_DS32_CPL3 ((9 << 3) + 3) #define SEL_CS64 (10 
<< 3) #define SEL_DS64 (11 << 3) #define SEL_CS64_CPL3 ((12 << 3) + 3) #define SEL_DS64_CPL3 ((13 << 3) + 3) #define SEL_CGATE16 (14 << 3) #define SEL_TGATE16 (15 << 3) #define SEL_CGATE32 (16 << 3) #define SEL_TGATE32 (17 << 3) #define SEL_CGATE64 (18 << 3) #define SEL_CGATE64_HI (19 << 3) #define SEL_TSS16 (20 << 3) #define SEL_TSS16_2 (21 << 3) #define SEL_TSS16_CPL3 ((22 << 3) + 3) #define SEL_TSS32 (23 << 3) #define SEL_TSS32_2 (24 << 3) #define SEL_TSS32_CPL3 ((25 << 3) + 3) #define SEL_TSS32_VM86 (26 << 3) #define SEL_TSS64 (27 << 3) #define SEL_TSS64_HI (28 << 3) #define SEL_TSS64_CPL3 ((29 << 3) + 3) #define SEL_TSS64_CPL3_HI (30 << 3) #define MSR_IA32_FEATURE_CONTROL 0x3a #define MSR_IA32_VMX_BASIC 0x480 #define MSR_IA32_SMBASE 0x9e #define MSR_IA32_SYSENTER_CS 0x174 #define MSR_IA32_SYSENTER_ESP 0x175 #define MSR_IA32_SYSENTER_EIP 0x176 #define MSR_IA32_STAR 0xC0000081 #define MSR_IA32_LSTAR 0xC0000082 #define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define NEXT_INSN $0xbadc0de #define PREFIX_SIZE 0xba1d #define KVM_SMI _IO(KVMIO, 0xb7) #define CR0_PE 1 #define CR0_MP (1 << 1) #define CR0_EM (1 << 2) #define CR0_TS (1 << 3) #define CR0_ET (1 << 4) #define CR0_NE (1 << 5) #define CR0_WP (1 << 16) #define CR0_AM (1 << 18) #define CR0_NW (1 << 29) #define CR0_CD (1 << 30) #define CR0_PG (1 << 31) #define CR4_VME 1 #define CR4_PVI (1 << 1) #define CR4_TSD (1 << 2) #define CR4_DE (1 << 3) #define CR4_PSE (1 << 4) #define CR4_PAE (1 << 5) #define CR4_MCE (1 << 6) #define CR4_PGE (1 << 7) #define CR4_PCE (1 << 8) #define CR4_OSFXSR (1 << 8) #define CR4_OSXMMEXCPT (1 << 10) #define CR4_UMIP (1 << 11) #define CR4_VMXE (1 << 13) #define CR4_SMXE (1 << 14) #define CR4_FSGSBASE (1 << 16) #define CR4_PCIDE (1 << 17) #define CR4_OSXSAVE (1 << 18) #define CR4_SMEP (1 << 20) #define CR4_SMAP (1 << 21) #define CR4_PKE (1 << 22) #define EFER_SCE 1 #define EFER_LME (1 << 8) #define EFER_LMA (1 << 10) #define EFER_NXE (1 << 11) #define EFER_SVME (1 << 12) #define EFER_LMSLE (1 
<< 13) #define EFER_FFXSR (1 << 14) #define EFER_TCE (1 << 15) #define PDE32_PRESENT 1 #define PDE32_RW (1 << 1) #define PDE32_USER (1 << 2) #define PDE32_PS (1 << 7) #define PDE64_PRESENT 1 #define PDE64_RW (1 << 1) #define PDE64_USER (1 << 2) #define PDE64_ACCESSED (1 << 5) #define PDE64_DIRTY (1 << 6) #define PDE64_PS (1 << 7) #define PDE64_G (1 << 8) struct tss16 { uint16_t prev; uint16_t sp0; uint16_t ss0; uint16_t sp1; uint16_t ss1; uint16_t sp2; uint16_t ss2; uint16_t ip; uint16_t flags; uint16_t ax; uint16_t cx; uint16_t dx; uint16_t bx; uint16_t sp; uint16_t bp; uint16_t si; uint16_t di; uint16_t es; uint16_t cs; uint16_t ss; uint16_t ds; uint16_t ldt; } __attribute__((packed)); struct tss32 { uint16_t prev, prevh; uint32_t sp0; uint16_t ss0, ss0h; uint32_t sp1; uint16_t ss1, ss1h; uint32_t sp2; uint16_t ss2, ss2h; uint32_t cr3; uint32_t ip; uint32_t flags; uint32_t ax; uint32_t cx; uint32_t dx; uint32_t bx; uint32_t sp; uint32_t bp; uint32_t si; uint32_t di; uint16_t es, esh; uint16_t cs, csh; uint16_t ss, ssh; uint16_t ds, dsh; uint16_t fs, fsh; uint16_t gs, gsh; uint16_t ldt, ldth; uint16_t trace; uint16_t io_bitmap; } __attribute__((packed)); struct tss64 { uint32_t reserved0; uint64_t rsp[3]; uint64_t reserved1; uint64_t ist[7]; uint64_t reserved2; uint32_t reserved3; uint32_t io_bitmap; } __attribute__((packed)); static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { uint16_t index = seg->selector >> 3; uint64_t limit = seg->g ? 
seg->limit >> 12 : seg->limit; uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 | (uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 | (uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 | (limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 | (uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 | (uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56; dt[index] = sd; lt[index] = sd; } static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg) { fill_segment_descriptor(dt, lt, seg); uint16_t index = seg->selector >> 3; dt[index + 1] = 0; lt[index + 1] = 0; } static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3) { char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)]; memset(buf, 0, sizeof(buf)); struct kvm_msrs* msrs = (struct kvm_msrs*)buf; struct kvm_msr_entry* entries = msrs->entries; msrs->nmsrs = 5; entries[0].index = MSR_IA32_SYSENTER_CS; entries[0].data = sel_cs; entries[1].index = MSR_IA32_SYSENTER_ESP; entries[1].data = ADDR_STACK0; entries[2].index = MSR_IA32_SYSENTER_EIP; entries[2].data = ADDR_VAR_SYSEXIT; entries[3].index = MSR_IA32_STAR; entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48); entries[4].index = MSR_IA32_LSTAR; entries[4].data = ADDR_VAR_SYSRET; ioctl(cpufd, KVM_SET_MSRS, msrs); } static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = i << 3; switch (i % 6) { case 0: gate.type = 6; gate.base = SEL_CS16; break; case 1: gate.type = 7; gate.base = SEL_CS16; break; case 2: gate.type = 3; gate.base = SEL_TGATE16; break; case 3: gate.type = 14; gate.base = SEL_CS32; break; case 4: gate.type = 15; gate.base = SEL_CS32; break; case 5: gate.type = 11; gate.base = SEL_TGATE32; break; } gate.limit = 
guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor(idt, idt, &gate); } } static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem) { sregs->idt.base = guest_mem + ADDR_VAR_IDT; sregs->idt.limit = 0x1ff; uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base); for (int i = 0; i < 32; i++) { struct kvm_segment gate; gate.selector = (i * 2) << 3; gate.type = (i & 1) ? 14 : 15; gate.base = SEL_CS64; gate.limit = guest_mem + ADDR_VAR_USER_CODE2; gate.present = 1; gate.dpl = 0; gate.s = 0; gate.g = 0; gate.db = 0; gate.l = 0; gate.avl = 0; fill_segment_descriptor_dword(idt, idt, &gate); } } struct kvm_text { uintptr_t typ; const void* text; uintptr_t size; }; struct kvm_opt { uint64_t typ; uint64_t val; }; #define KVM_SETUP_PAGING (1 << 0) #define KVM_SETUP_PAE (1 << 1) #define KVM_SETUP_PROTECTED (1 << 2) #define KVM_SETUP_CPL3 (1 << 3) #define KVM_SETUP_VIRT86 (1 << 4) #define KVM_SETUP_SMM (1 << 5) #define KVM_SETUP_VM (1 << 6) static long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7) { const int vmfd = a0; const int cpufd = a1; char* const host_mem = (char*)a2; const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3; const uintptr_t text_count = a4; const uintptr_t flags = a5; const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6; uintptr_t opt_count = a7; const uintptr_t page_size = 4 << 10; const uintptr_t ioapic_page = 10; const uintptr_t guest_mem_size = 24 * page_size; const uintptr_t guest_mem = 0; (void)text_count; int text_type = text_array_ptr[0].typ; const void* text = text_array_ptr[0].text; uintptr_t text_size = text_array_ptr[0].size; for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) { struct kvm_userspace_memory_region memreg; memreg.slot = i; memreg.flags = 0; 
memreg.guest_phys_addr = guest_mem + i * page_size; if (i == ioapic_page) memreg.guest_phys_addr = 0xfec00000; memreg.memory_size = page_size; memreg.userspace_addr = (uintptr_t)host_mem + i * page_size; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); } struct kvm_userspace_memory_region memreg; memreg.slot = 1 + (1 << 16); memreg.flags = 0; memreg.guest_phys_addr = 0x30000; memreg.memory_size = 64 << 10; memreg.userspace_addr = (uintptr_t)host_mem; ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg); struct kvm_sregs sregs; if (ioctl(cpufd, KVM_GET_SREGS, &sregs)) return -1; struct kvm_regs regs; memset(®s, 0, sizeof(regs)); regs.rip = guest_mem + ADDR_TEXT; regs.rsp = ADDR_STACK0; sregs.gdt.base = guest_mem + ADDR_GDT; sregs.gdt.limit = 256 * sizeof(uint64_t) - 1; uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base); struct kvm_segment seg_ldt; seg_ldt.selector = SEL_LDT; seg_ldt.type = 2; seg_ldt.base = guest_mem + ADDR_LDT; seg_ldt.limit = 256 * sizeof(uint64_t) - 1; seg_ldt.present = 1; seg_ldt.dpl = 0; seg_ldt.s = 0; seg_ldt.g = 0; seg_ldt.db = 1; seg_ldt.l = 0; sregs.ldt = seg_ldt; uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base); struct kvm_segment seg_cs16; seg_cs16.selector = SEL_CS16; seg_cs16.type = 11; seg_cs16.base = 0; seg_cs16.limit = 0xfffff; seg_cs16.present = 1; seg_cs16.dpl = 0; seg_cs16.s = 1; seg_cs16.g = 0; seg_cs16.db = 0; seg_cs16.l = 0; struct kvm_segment seg_ds16 = seg_cs16; seg_ds16.selector = SEL_DS16; seg_ds16.type = 3; struct kvm_segment seg_cs16_cpl3 = seg_cs16; seg_cs16_cpl3.selector = SEL_CS16_CPL3; seg_cs16_cpl3.dpl = 3; struct kvm_segment seg_ds16_cpl3 = seg_ds16; seg_ds16_cpl3.selector = SEL_DS16_CPL3; seg_ds16_cpl3.dpl = 3; struct kvm_segment seg_cs32 = seg_cs16; seg_cs32.selector = SEL_CS32; seg_cs32.db = 1; struct kvm_segment seg_ds32 = seg_ds16; seg_ds32.selector = SEL_DS32; seg_ds32.db = 1; struct kvm_segment seg_cs32_cpl3 = seg_cs32; seg_cs32_cpl3.selector = SEL_CS32_CPL3; seg_cs32_cpl3.dpl = 3; struct kvm_segment 
seg_ds32_cpl3 = seg_ds32; seg_ds32_cpl3.selector = SEL_DS32_CPL3; seg_ds32_cpl3.dpl = 3; struct kvm_segment seg_cs64 = seg_cs16; seg_cs64.selector = SEL_CS64; seg_cs64.l = 1; struct kvm_segment seg_ds64 = seg_ds32; seg_ds64.selector = SEL_DS64; struct kvm_segment seg_cs64_cpl3 = seg_cs64; seg_cs64_cpl3.selector = SEL_CS64_CPL3; seg_cs64_cpl3.dpl = 3; struct kvm_segment seg_ds64_cpl3 = seg_ds64; seg_ds64_cpl3.selector = SEL_DS64_CPL3; seg_ds64_cpl3.dpl = 3; struct kvm_segment seg_tss32; seg_tss32.selector = SEL_TSS32; seg_tss32.type = 9; seg_tss32.base = ADDR_VAR_TSS32; seg_tss32.limit = 0x1ff; seg_tss32.present = 1; seg_tss32.dpl = 0; seg_tss32.s = 0; seg_tss32.g = 0; seg_tss32.db = 0; seg_tss32.l = 0; struct kvm_segment seg_tss32_2 = seg_tss32; seg_tss32_2.selector = SEL_TSS32_2; seg_tss32_2.base = ADDR_VAR_TSS32_2; struct kvm_segment seg_tss32_cpl3 = seg_tss32; seg_tss32_cpl3.selector = SEL_TSS32_CPL3; seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3; struct kvm_segment seg_tss32_vm86 = seg_tss32; seg_tss32_vm86.selector = SEL_TSS32_VM86; seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86; struct kvm_segment seg_tss16 = seg_tss32; seg_tss16.selector = SEL_TSS16; seg_tss16.base = ADDR_VAR_TSS16; seg_tss16.limit = 0xff; seg_tss16.type = 1; struct kvm_segment seg_tss16_2 = seg_tss16; seg_tss16_2.selector = SEL_TSS16_2; seg_tss16_2.base = ADDR_VAR_TSS16_2; seg_tss16_2.dpl = 0; struct kvm_segment seg_tss16_cpl3 = seg_tss16; seg_tss16_cpl3.selector = SEL_TSS16_CPL3; seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3; seg_tss16_cpl3.dpl = 3; struct kvm_segment seg_tss64 = seg_tss32; seg_tss64.selector = SEL_TSS64; seg_tss64.base = ADDR_VAR_TSS64; seg_tss64.limit = 0x1ff; struct kvm_segment seg_tss64_cpl3 = seg_tss64; seg_tss64_cpl3.selector = SEL_TSS64_CPL3; seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3; seg_tss64_cpl3.dpl = 3; struct kvm_segment seg_cgate16; seg_cgate16.selector = SEL_CGATE16; seg_cgate16.type = 4; seg_cgate16.base = SEL_CS16 | (2 << 16); seg_cgate16.limit = ADDR_VAR_USER_CODE2; 
seg_cgate16.present = 1; seg_cgate16.dpl = 0; seg_cgate16.s = 0; seg_cgate16.g = 0; seg_cgate16.db = 0; seg_cgate16.l = 0; seg_cgate16.avl = 0; struct kvm_segment seg_tgate16 = seg_cgate16; seg_tgate16.selector = SEL_TGATE16; seg_tgate16.type = 3; seg_cgate16.base = SEL_TSS16_2; seg_tgate16.limit = 0; struct kvm_segment seg_cgate32 = seg_cgate16; seg_cgate32.selector = SEL_CGATE32; seg_cgate32.type = 12; seg_cgate32.base = SEL_CS32 | (2 << 16); struct kvm_segment seg_tgate32 = seg_cgate32; seg_tgate32.selector = SEL_TGATE32; seg_tgate32.type = 11; seg_tgate32.base = SEL_TSS32_2; seg_tgate32.limit = 0; struct kvm_segment seg_cgate64 = seg_cgate16; seg_cgate64.selector = SEL_CGATE64; seg_cgate64.type = 12; seg_cgate64.base = SEL_CS64; int kvmfd = open("/dev/kvm", O_RDWR); char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)]; memset(buf, 0, sizeof(buf)); struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf; cpuid->nent = 128; ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid); ioctl(cpufd, KVM_SET_CPUID2, cpuid); close(kvmfd); const char* text_prefix = 0; int text_prefix_size = 0; char* host_text = host_mem + ADDR_TEXT; if (text_type == 8) { if (flags & KVM_SETUP_SMM) { if (flags & KVM_SETUP_PROTECTED) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; sregs.cr0 |= CR0_PE; } else { sregs.cs.selector = 0; sregs.cs.base = 0; } *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_VIRT86) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_PAGING) { uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = 
kvm_asm32_paged_vm86; text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1; } else { text_prefix = kvm_asm32_vm86; text_prefix_size = sizeof(kvm_asm32_vm86) - 1; } } else { sregs.cs.selector = 0; sregs.cs.base = 0; } } else if (text_type == 16) { if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; text_prefix = kvm_asm16_cpl3; text_prefix_size = sizeof(kvm_asm16_cpl3) - 1; } else { sregs.cr0 |= CR0_PE; sregs.cs = seg_cs16; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16; } } else if (text_type == 32) { sregs.cr0 |= CR0_PE; sregs.efer |= EFER_SCE; setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3); setup_32bit_idt(&sregs, host_mem, guest_mem); if (flags & KVM_SETUP_SMM) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; *(host_mem + ADDR_TEXT) = 0xf4; host_text = host_mem + 0x8000; ioctl(cpufd, KVM_SMI, 0); } else if (flags & KVM_SETUP_PAGING) { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS; sregs.cr3 = pd_addr; sregs.cr4 |= CR4_PSE; text_prefix = kvm_asm32_paged; text_prefix_size = sizeof(kvm_asm32_paged) - 1; } else if (flags & KVM_SETUP_CPL3) { sregs.cs = seg_cs32_cpl3; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3; } else { sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; } } else { sregs.efer |= EFER_LME | EFER_SCE; sregs.cr0 |= CR0_PE; setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3); setup_64bit_idt(&sregs, host_mem, guest_mem); sregs.cs = seg_cs32; sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32; uint64_t pml4_addr = guest_mem + ADDR_PML4; uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4); uint64_t pdpt_addr = guest_mem + ADDR_PDP; uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP); 
uint64_t pd_addr = guest_mem + ADDR_PD; uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD); pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr; pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr; pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS; sregs.cr3 = pml4_addr; sregs.cr4 |= CR4_PAE; if (flags & KVM_SETUP_VM) { sregs.cr0 |= CR0_NE; *((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON; *((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS; memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1); *((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE; text_prefix = kvm_asm64_init_vm; text_prefix_size = sizeof(kvm_asm64_init_vm) - 1; } else if (flags & KVM_SETUP_CPL3) { text_prefix = kvm_asm64_cpl3; text_prefix_size = sizeof(kvm_asm64_cpl3) - 1; } else { text_prefix = kvm_asm64_enable_long; text_prefix_size = sizeof(kvm_asm64_enable_long) - 1; } } struct tss16 tss16; memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16; tss16.es = tss16.ds = tss16.ss = SEL_DS16; tss16.ldt = SEL_LDT; struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base); memcpy(tss16_addr, &tss16, sizeof(tss16)); memset(&tss16, 0, sizeof(tss16)); tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16; tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0; tss16.ip = ADDR_VAR_USER_CODE2; tss16.flags = (1 << 1); tss16.cs = SEL_CS16_CPL3; tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3; tss16.ldt = SEL_LDT; struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base); memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16)); struct tss32 tss32; memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1) | (1 << 17); tss32.ldt = 
SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base); memcpy(tss32_addr, &tss32, sizeof(tss32)); memset(&tss32, 0, sizeof(tss32)); tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32; tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0; tss32.ip = ADDR_VAR_USER_CODE; tss32.flags = (1 << 1); tss32.cr3 = sregs.cr3; tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32; tss32.cs = SEL_CS32; tss32.ldt = SEL_LDT; tss32.cr3 = sregs.cr3; tss32.io_bitmap = offsetof(struct tss32, io_bitmap); struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base); memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32)); struct tss64 tss64; memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base); memcpy(tss64_addr, &tss64, sizeof(tss64)); memset(&tss64, 0, sizeof(tss64)); tss64.rsp[0] = ADDR_STACK0; tss64.rsp[1] = ADDR_STACK0; tss64.rsp[2] = ADDR_STACK0; tss64.io_bitmap = offsetof(struct tss64, io_bitmap); struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base); memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64)); if (text_size > 1000) text_size = 1000; if (text_prefix) { memcpy(host_text, text_prefix, text_prefix_size); void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4); if (patch) *((uint32_t*)patch) = guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6; uint16_t magic = PREFIX_SIZE; patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic)); if (patch) *((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size; } memcpy((void*)(host_text + text_prefix_size), text, text_size); *(host_text + text_prefix_size + text_size) = 0xf4; memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size); *(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4; 
*(host_mem + ADDR_VAR_HLT) = 0xf4; memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3); memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0; *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0; if (opt_count > 2) opt_count = 2; for (uintptr_t i = 0; i < opt_count; i++) { uint64_t typ = opt_array_ptr[i].typ; uint64_t val = opt_array_ptr[i].val; switch (typ % 9) { case 0: sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM | CR0_NW | CR0_CD); break; case 1: sregs.cr4 ^= val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE | CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE | CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP | CR4_SMAP | CR4_PKE); break; case 2: sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE | EFER_FFXSR | EFER_TCE); break; case 3: val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21)); regs.rflags ^= val; tss16_addr->flags ^= val; tss16_cpl3_addr->flags ^= val; tss32_addr->flags ^= val; tss32_cpl3_addr->flags ^= val; break; case 4: seg_cs16.type = val & 0xf; seg_cs32.type = val & 0xf; seg_cs64.type = val & 0xf; break; case 5: seg_cs16_cpl3.type = val & 0xf; seg_cs32_cpl3.type = val & 0xf; seg_cs64_cpl3.type = val & 0xf; break; case 6: seg_ds16.type = val & 0xf; seg_ds32.type = val & 0xf; seg_ds64.type = val & 0xf; break; case 7: seg_ds16_cpl3.type = val & 0xf; seg_ds32_cpl3.type = val & 0xf; seg_ds64_cpl3.type = val & 0xf; break; case 8: *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff); *(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16); break; default: exit(1); } } regs.rflags |= 2; fill_segment_descriptor(gdt, ldt, &seg_ldt); fill_segment_descriptor(gdt, ldt, &seg_cs16); fill_segment_descriptor(gdt, ldt, &seg_ds16); fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3); fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3); 
/* Remainder of the CPU-setup function that starts above this view:
 * write the remaining descriptors into the GDT/LDT, then push the
 * prepared sregs/regs into the vcpu. */
fill_segment_descriptor(gdt, ldt, &seg_cs32);
fill_segment_descriptor(gdt, ldt, &seg_ds32);
fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cs64);
fill_segment_descriptor(gdt, ldt, &seg_ds64);
fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_tss32);
fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
fill_segment_descriptor(gdt, ldt, &seg_tss16);
fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
/* 64-bit TSS and call-gate descriptors occupy two GDT slots, hence the _dword variant. */
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cgate16);
fill_segment_descriptor(gdt, ldt, &seg_tgate16);
fill_segment_descriptor(gdt, ldt, &seg_cgate32);
fill_segment_descriptor(gdt, ldt, &seg_tgate32);
fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
/* Both ioctls return non-zero on failure; -1 is propagated to the caller. */
if (ioctl(cpufd, KVM_SET_SREGS, &sregs)) return -1;
/* NOTE(review): "®s" below is an extraction artifact; the original source reads &regs. */
if (ioctl(cpufd, KVM_SET_REGS, ®s)) return -1;
return 0;
}

/* Resource table: file descriptors produced by the syscalls in main().
 * All-ones (-1 as uint64_t) marks "not obtained"; r[0] = /dev/kvm fd,
 * r[1] = VM fd, r[2] = VCPU fd. */
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/*
 * Entry point of the syzkaller reproducer.
 *
 * Sequence: map three fixed anonymous regions, open /dev/kvm, create a VM
 * and a VCPU, load guest code into the VM via syz_kvm_setup_cpu(), then
 * issue two further ioctls on the VCPU fd.  Every kernel call is a raw
 * syscall() with hard-coded addresses inside the 0x20000000 mapping;
 * only the fd-producing calls have their result checked (against -1).
 *
 * Returns 0 unconditionally.
 */
int main(void) {
    /* Fixed anonymous mappings (0x32 = MAP_FIXED|MAP_PRIVATE|MAP_ANONYMOUS).
     * Guard pages (prot 0) bracket a 16 MiB RWX (prot 7) scratch region.
     * NOTE(review): the mmap results are not checked; if a fixed mapping
     * fails, the stores below fault instead of failing cleanly. */
    syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
    intptr_t res = 0;
    /* Path string (with terminating NUL) placed in the scratch region. */
    memcpy((void*)0x20000080, "/dev/kvm\000", 9);
    /* openat(AT_FDCWD /* -100 */, "/dev/kvm", 0, 0) -> r[0] */
    res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000080ul, 0ul, 0ul);
    if (res != -1) r[0] = res;
    /* 0xae01 matches the KVM_CREATE_VM request number -> r[1] (VM fd). */
    res = syscall(__NR_ioctl, r[0], 0xae01, 0ul);
    if (res != -1) r[1] = res;
    /* 0xae41 matches the KVM_CREATE_VCPU request number -> r[2] (VCPU fd). */
    res = syscall(__NR_ioctl, r[1], 0xae41, 0ul);
    if (res != -1) r[2] = res;
    /* Text descriptor at 0x20000040 for syz_kvm_setup_cpu():
     * presumably {typ = 0x20, ptr = 0x20000140, len = 0x57}; the setup
     * function's signature starts above this view — confirm the layout. */
    *(uint64_t*)0x20000040 = 0x20;
    *(uint64_t*)0x20000048 = 0x20000140;
    /* 87 bytes of guest machine code copied to 0x20000140. */
    memcpy((void*)0x20000140, "\x36\x0f\x22\x24\x0f\x78\xa4\x8a\x00\x00\x00\x00\xc7\x44\x24\x00\x08"
        "\x00\x00\x00\xc7\x44\x24\x02\x00\xa0\x00\x00\xc7\x44\x24\x06\x00\x00"
        "\x00\x00\x0f\x01\x1c\x24\x3e\xda\x39\xb9\x80\x00\x00\xc0\x0f\x32\x35"
        "\x00\x08\x00\x00\x0f\x30\xb8\x65\xe9\xf5\xc3\x0f\x23\xd8\x0f\x21\xf8"
        "\x35\x40\x00\x00\xc0\x0f\x23\xf8\x0f\x22\x5b\xf3\xad\xf9\xab\xf3\x65"
        "\xd9\xf9", 87);
    *(uint64_t*)0x20000050 = 0x57;
    /* (vmfd, cpufd, usermem, text, ntext=1, flags=0x14, opts=0, nopt=0) —
     * argument meaning inferred from the visible tail of the setup function. */
    syz_kvm_setup_cpu(r[1], r[2], 0x20fd9000, 0x20000040, 1, 0x14, 0, 0);
    /* 0x80-byte header at 0x20000280: two u16 (0, 0), a u32 size = 0x80,
     * then u64 0, u64 0x1000 and a u16 0.  The request number 0x4080aebf
     * below has the _IOW encoding of a 0x80-byte KVM payload and matches
     * KVM_SET_NESTED_STATE — confirm against the kernel headers. */
    *(uint16_t*)0x20000280 = 0;
    *(uint16_t*)0x20000282 = 0;
    *(uint32_t*)0x20000284 = 0x80;
    *(uint64_t*)0x20000288 = 0;
    *(uint64_t*)0x20000290 = 0x1000;
    *(uint16_t*)0x20000298 = 0;
    /* Two 4096-byte pages of fuzzer-generated data follow the header at
     * 0x20000300 and 0x20001300.  Whether the kernel reads past the
     * 0x80-byte size above is not established here — TODO confirm. */
    memcpy(
        (void*)0x20000300,
        "\xbe\x77\xf6\x45\xfa\x0f\xaa\xb4\x17\x33\x28\xe0\x3e\x0e\x9f\x02\x0b\xbc"
        "\x79\x8c\x84\xbe\x65\xbf\x76\x21\x99\xe2\x69\xb6\xd1\x5a\xf3\xd5\x42\xe5"
        "\xa5\x31\xa8\x95\x86\x6f\xbf\x13\x91\x0d\x95\xe9\x22\xd6\xaa\x84\xd6\x89"
        "\x24\xef\xe5\xe4\x44\xb3\x4d\x9d\xf0\x8a\x86\x8a\xe2\x3c\x67\x75\x46\x79"
        "\x8d\x6e\xc2\xc1\x7d\x6e\x3f\x87\xf0\xd7\x57\xc2\x07\x8c\x93\x25\xc6\x41"
        "\xfe\xa9\x93\x8b\xa4\xf2\x0e\xbb\x25\x77\xf5\x1b\xa4\x67\xd9\x73\x39\x8c"
        "\x7f\xa9\x4b\xe4\xe2\xab\xd4\x27\xb7\xad\x43\x85\xc6\x3e\x63\x00\x90\x75"
        "\x9c\x2a\x6c\x76\x8a\x97\x3d\x0b\x1e\x72\x44\xe4\x94\xd5\x92\x5d\x9d\x9f"
        "\x40\xaf\xd5\x44\xb8\x4d\x1f\xdb\x8d\xe7\xaf\x27\x9d\x87\x00\x73\x9c\x11"
        "\x32\x7a\x76\xf8\xbc\x32\x74\x3c\x95\x9d\x88\x58\xb2\x76\xc2\x11\x22\x2f"
        "\x40\x20\x62\x57\xbe\x84\xdd\xd0\x7b\x20\xd8\xb1\xde\x9b\x53\x90\xba\x5e"
        "\xaa\x28\x9c\x0b\xfd\xf6\xb5\x63\x6b\x7a\xcf\xac\x51\x59\xe2\xe7\x75\x93"
        "\x38\xe0\x6a\xe0\x0e\x4b\x7c\xf1\x62\xe4\x54\x42\xe3\xc8\x39\x58\x58\x84"
        "\x7e\x3e\x28\xda\x4e\xd2\x37\x02\x7c\xd8\x49\x99\x1a\xb9\x1e\x6e\x5d\xc6"
        "\x1b\x99\x36\xde\x57\x4c\x3b\x26\xa2\xb0\xe3\x03\x38\x6c\x02\xed\x1b\xb6"
        "\xa5\xac\xaf\x8a\x92\x71\xe1\x96\xbc\x59\xfb\x3d\x7d\x6a\x88\x38\x3d\x53"
        "\x30\x26\x80\xfd\x8e\xbd\x0e\x75\xfa\x67\x33\x3a\x6f\xb9\xda\x03\x33\xd6"
        "\xf8\x7b\x3f\x62\x81\x36\xa4\xb9\xec\x1c\x2f\x4c\xf3\xd5\xec\x90\x0e\xc1"
        "\x7d\x48\xe3\xf7\x41\x86\x0d\x96\x3e\xc6\xe6\x29\x24\x3d\x06\xb5\x47\x37"
        "\x4e\xc3\xf5\xa0\xa8\xe7\x1c\xdd\x67\xe8\xf5\x91\xd6\x87\x11\xba\x4d\xf1"
        "\xf2\xfc\x62\xd9\xf5\x4c\x6f\x7b\x88\x44\xc8\xce\x56\x9f\xb7\xf9\x83\xa6"
        "\x31\x25\x0e\x77\x37\x47\x80\x41\x3a\xb3\x72\x35\xaf\xde\xfb\x70\x57\x2e"
        "\x79\xf3\x5d\x36\x40\x6a\xde\xd6\x1b\xcf\x76\x71\x1a\xac\xf3\x25\xb2\xac"
        "\x1f\x78\xb4\xed\xe1\x23\x9e\x36\xd5\xd6\x44\xc7\xa8\x1c\xdf\x6b\x95\xa1"
        "\xe3\xaa\x6c\x2f\x70\xd8\x89\x65\x45\x72\xd1\xf8\x8f\x05\xe5\xb2\xc5\xf5"
        "\xc3\x7d\x65\x70\x10\x2c\x25\x25\xa9\xb3\xfa\x28\xa8\x8c\x83\xde\xd5\x73"
        "\xa8\x96\x23\x99\x00\xbd\x36\x5d\xc0\x32\x3d\x49\x21\xc3\xc9\x6a\x3d\xae"
        "\x81\x04\x79\xa1\xac\x83\xb6\x4f\x0f\x9b\x20\x08\xeb\x51\x83\x2b\xce\x90"
        "\x10\x5d\xab\x37\x9b\x3d\x99\xf6\x76\x1d\x4c\xf4\x38\xd9\x23\x56\xc5\x63"
        "\xc9\x82\x93\x8f\xe8\x30\x26\x25\x8a\xad\x0a\x7d\x9f\x5e\xac\xfa\x35\x9c"
        "\x68\xec\x27\x1d\x3e\xcf\x9a\x57\xd3\xee\xc5\x6c\xb0\xbc\xf1\xbb\x0a\xdc"
        "\x6c\x29\x7d\x6e\x5b\x10\x16\x40\xd3\xc5\xb5\x0b\xcb\x54\xfa\xeb\xed\x4f"
        "\x85\x0e\x73\x7b\x5a\x28\x37\x05\x4b\xcc\xbe\xcf\xd1\xc2\x8e\x70\xa9\x67"
        "\xa3\x50\xd2\x18\x67\xea\x95\xb2\xcd\xfe\x55\xfd\x3e\xdc\x6e\x1f\x4d\xb0"
        "\x6a\x5e\x6b\x77\xa3\x33\xaf\x48\xe9\x28\x99\xe0\x74\x79\x4f\x3b\x46\x87"
        "\xdc\xe6\xd4\x5c\xb3\x34\x33\xe9\x22\xb1\x60\x2e\x76\x71\x64\xdc\x0e\x76"
        "\x0d\x14\xb4\xc7\x0f\x30\x4d\xe2\xcb\x56\xca\x5e\xa3\x57\x19\xf4\x92\x48"
        "\x0e\x48\xb9\x00\x7e\x40\x73\xa8\xe0\x24\x50\xa9\x3d\x39\x32\x97\x1b\x32"
        "\xac\xa2\x83\x77\x3b\xbb\x79\x74\x48\x64\x78\xd3\x80\xd8\x52\x4c\x0e\xee"
        "\x27\xba\x19\xd9\xc5\x11\x96\x49\x4b\xc3\xf2\xc4\x1c\x1d\xdc\x72\xb0\xb9"
        "\xd9\x7c\xa3\x07\x02\x2b\xaf\x74\x2c\xb6\x9b\x45\xde\x66\x9e\x32\x24\xc1"
        "\xea\xf4\xe6\xec\x7b\xb7\x6f\x92\x1a\xd3\xfd\x01\xe1\x13\x8e\xda\x10\xe9"
        "\x45\xca\x95\x30\x2c\x17\x29\xad\xf6\x52\x60\x41\x16\x97\x00\xa7\x83\xf7"
        "\x67\x63\x2e\x99\xb5\x5e\xac\x5e\x4e\xbc\x25\xb6\x3e\x11\x64\x9a\x31\xe1"
        "\xdb\xa3\x34\x45\xa3\x6b\x40\xc7\xcc\x7a\xb6\x45\x0c\xb4\x85\x3c\x69\xa9"
        "\xf1\xeb\x00\xd4\x66\xf6\xc9\x8f\x29\x7d\x3e\x48\x82\xfd\x4d\x1a\x9d\xff"
        "\x07\x86\xce\xce\x0d\xd1\xb0\x3f\xd8\x4f\x98\x2b\x49\x33\x49\xf3\x2e\x49"
        "\xbe\x25\x51\x02\xe7\xbd\x14\x75\xe2\x55\x74\xa9\x92\xda\x69\x07\xa0\xe6"
        "\xbc\xe4\x8d\x46\x01\xb5\x1c\xa0\x57\x98\xa0\xe8\xb5\xfa\xa9\xed\x67\x00"
        "\x90\x2e\x46\x26\xb8\x66\xb4\x21\x9e\x38\x80\x27\x7b\xca\x07\xf5\x77\xde"
        "\xf9\x54\xfd\xd6\x4e\x08\x96\x22\xed\x0e\xec\x55\x87\x59\xa9\xb6\xd3\xe5"
        "\x12\xb3\x30\xfa\x30\xe3\x14\x03\x05\x3a\x73\xda\x17\x47\xa7\x87\x4f\x5b"
        "\x7a\x9f\xde\x4c\x0f\x9f\x29\xa2\x7e\x79\x5e\x27\x5c\x9f\x6c\x33\xd9\xdb"
        "\x7f\x37\x0f\x14\x8a\x79\x08\x11\x42\x8b\x2f\x96\x56\x6b\xd0\xe2\xb1\x48"
        "\x99\x7e\x69\xb0\xff\xe1\xa8\x1c\xb0\x4d\x43\xce\x6a\x24\xea\x2a\x94\x14"
        "\xb9\x30\xfa\x13\x30\x15\x3c\xb2\x0a\xaa\xe4\x84\xe5\x15\x39\x3b\x9d\xdf"
        "\x9d\x02\x98\x06\xc3\x5d\x5e\x95\x64\x62\xb7\xcc\x7f\x1c\x79\x95\x00\x6f"
        "\xfe\xae\x1f\x1b\xa1\xda\xf8\xd4\x33\x09\x19\x8b\xf4\x44\xec\x82\xc6\x70"
        "\x80\x0d\x5d\xac\xd6\x00\x92\x45\x64\x93\x10\x14\xb1\xe8\x34\xa3\x82\x74"
        "\xc6\x56\x07\x84\x57\x2e\x6d\x4b\xf8\xc4\xa5\xa1\xee\x5e\xdb\x2f\x4e\xa5"
        "\xfa\x9f\x07\xb1\x1d\x3d\x1d\x88\xb9\x93\xfa\x66\x2b\xc0\x4d\xfb\x9f\xfa"
        "\x9e\x53\x4f\x16\x22\xef\xd7\xf8\x23\x34\x6a\xa7\xe0\xa9\x88\xf5\x6b\xe5"
        "\x31\xc7\x3f\x34\x43\x9d\xf6\x1f\x97\x37\xcc\xa8\xb9\x3d\x2c\x25\x69\x51"
        "\x38\xc7\x0c\x46\x92\x98\xc3\xa1\x14\xc8\x9a\x8c\x34\x09\xd4\xdc\x18\xe7"
        "\xbd\x01\x58\x63\x1d\x0b\x93\x68\x23\xa6\xdd\xa8\x14\xed\x50\xf8\x38\x62"
        "\x05\x8d\x1e\xcc\x19\xb2\xe1\x19\x5c\x91\x0e\xdb\x5e\x71\x64\xfb\xd4\x03"
        "\xde\x0b\xeb\x5d\x7f\xee\xc9\x01\xa5\xa3\x73\xaf\xa1\x16\x2b\xe9\x5f\x0e"
        "\x71\xe5\x0d\x47\x9e\x33\x49\x4d\x7c\x98\xc1\xcb\x2a\xc8\x86\xc8\x16\x10"
        "\x67\x89\x23\x68\x5f\xa9\xf5\xff\xf2\x58\x4c\x89\x13\x0b\x7d\x2a\xc7\x83"
        "\x17\xe5\x31\xbb\x2f\xca\xde\x76\x52\x0c\xf8\xbe\xc4\x50\xe3\x1e\xeb\xfa"
        "\x5a\xe2\xf7\x85\x87\xc5\x72\xd3\x6d\x56\xa6\x9c\xf3\xf2\xcc\x9e\x15\xb7"
        "\x7c\x11\x87\x7d\x27\xe8\xaf\x01\x96\x90\x2d\x7f\x94\x64\x6f\x02\x94\xb4"
        "\x50\x7a\xe4\x46\x13\x97\xef\x21\xb2\x4a\x21\x42\xf7\x40\x46\x0e\x1e\xb1"
        "\x93\x5c\xba\xcc\xd1\x4f\x71\xf2\x1d\x6f\xb7\x14\x4d\xe9\x91\x54\xf0\x37"
        "\xcf\x31\xe9\xf3\x0d\xa3\xc9\x35\x95\x0c\x7d\x1c\x85\x90\x96\xd4\x4b\x57"
        "\xe7\xbd\x37\x14\x73\x04\xb2\xfe\x51\xab\x63\xca\x7c\x40\x31\xc1\xf0\x79"
        "\x13\xc8\xa8\x94\xa6\xb0\x57\x38\x86\xd7\xa0\xa6\x2c\xd2\x0a\x0f\x43\x3e"
        "\x54\x1a\x43\x80\x84\x65\xeb\x82\xaf\x5b\xb9\xc8\x19\xa7\x4b\xed\x83\xcf"
        "\x91\xaa\x18\x04\x42\xc2\x8b\x9f\x4d\x69\xdd\x7e\x72\x8c\x77\x34\xdd\x3b"
        "\xd3\xe2\x77\xe6\x7e\x96\xab\x9f\x09\xe0\x83\xc0\xa6\xe4\x2f\xe2\xbc\x5d"
        "\xca\xe9\xa2\xde\xdd\xb7\xf7\x63\xe6\x2b\x0d\x8a\xda\xcc\x00\xaf\x73\x4b"
        "\xb9\xe9\x78\xc1\x60\x60\x06\x11\xc8\x33\x09\x46\x8a\x2f\x94\x2f\x5d\x2c"
        "\x9f\x7c\xaf\xc9\x7d\xae\x2f\x54\x2e\xf3\x3b\xe3\x99\x52\xfa\x70\xee\x3e"
        "\x2e\xcb\x31\x05\xc1\xa4\x90\xdb\x73\xfc\xf4\x6a\x36\x45\xde\x10\xe1\xcb"
        "\x33\x5e\xa6\x04\xf4\x1d\x10\xb7\x23\x87\x2c\x26\xf2\x0a\x71\xf4\x4b\x13"
        "\x01\xff\xfd\x60\x1c\x6a\x60\x9e\x0d\x19\x5b\xbc\xb1\x20\x3c\xd2\x3f\xdb"
        "\x3e\x3f\x59\xfa\x8a\xe5\xa4\x84\x88\x1c\x34\x70\x6b\xac\xb6\xa4\x79\xfa"
        "\x7c\x9c\xc6\x92\x06\x13\xdd\x69\x03\xbf\x04\x64\x93\xba\xc0\x60\xf0\x46"
        "\xef\xc6\xce\x43\xaa\xfe\x9a\x3b\x73\x5c\x1c\xb2\x83\x71\x45\x48\xfd\xc1"
        "\x6a\x2c\xe9\xd9\xdc\xcd\x77\xf3\xb8\x03\x71\x32\xec\x1b\x1f\x1d\x96\x59"
        "\x32\xa9\xec\x4b\x20\xef\xe1\xf2\x21\x2c\x94\x51\x1b\x61\x79\x9b\x5b\xd2"
        "\x9b\xe8\x4e\x47\xd1\xc1\x20\x9a\xf5\x44\xbb\x4c\x48\x20\xb4\x89\x7f\xe0"
        "\x0f\xd5\x83\xb8\xae\x53\x94\x35\x4d\x1f\x25\x32\xd0\x80\x1f\x20\x2b\xa3"
        "\x1b\xf0\x1a\x89\x6e\xbe\xa5\x30\x21\x67\xcf\x9b\x0e\xd7\x1e\x79\x3d\x95"
        "\x72\xfa\xc4\x8d\x75\x72\x4c\xaa\x57\xf9\x9b\xa9\xdb\x21\x13\xf5\xfa\x52"
        "\xd1\x93\x56\xed\x1d\x0c\x85\xbd\x60\x80\x59\x52\x11\x3e\x52\x1a\x01\x44"
        "\x4d\x6a\x6a\x50\x21\x44\x69\x1a\x9d\x32\x36\x32\x84\x41\x0e\x96\x76\x26"
        "\xc7\x20\xcd\xb3\x44\x4a\x56\xb1\xb7\x04\x30\x47\xdb\xf8\xe5\xf1\xb5\x17"
        "\x7c\x82\xa6\x51\x71\x0e\xae\xd5\x91\xe1\xd4\xac\x5f\xfa\xf8\x54\x11\xf7"
        "\xc3\xc3\xe5\x8f\xef\xb5\xe0\x52\x8f\x74\xb3\xf7\x8a\x0b\x31\xde\x68\xf1"
        "\xe3\x14\x15\xa7\xa3\x70\x10\xbe\x81\x8b\x88\x6c\x28\xcc\xa1\xbf\x68\xdb"
        "\x06\x89\x29\xba\xd7\x1b\xc6\xb4\xae\x2a\x4c\x9f\x2c\x9b\xf9\x8f\x15\x16"
        "\x4e\x6e\xf9\x6e\xf4\x12\x1c\x19\x1e\x5a\x94\xca\x43\x1b\x49\xc4\x75\xf0"
        "\x2a\xce\xbc\x42\xd2\xc6\x02\x6e\x4f\x7d\x59\x5e\x56\x77\x94\x7b\xf6\xcc"
        "\x0d\x6f\x95\xd7\x83\x8f\x76\xcf\xc0\x44\x92\xce\xba\xed\x43\x74\x98\x47"
        "\x06\x46\x5a\xc8\x3a\x1a\xcb\xb5\x54\x50\xf5\xb5\xe1\xe4\xcc\x00\xa8\x8c"
        "\x33\x4a\xf4\x4d\x33\x70\x89\xc8\x01\x67\xa8\x13\xf5\x4f\xa9\x03\xec\x85"
        "\xd8\xf1\xd2\x2c\x44\x3b\xcd\xfb\x3d\x26\x8a\x3e\x57\xf5\x63\xb9\x73\x2c"
        "\xc3\xf5\xd8\xb1\xfd\x98\xa6\xf4\x4e\x3b\x05\x6c\xbe\xb6\x59\x46\xec\x91"
        "\x7e\xf0\x93\xc3\xa6\x27\x57\xf2\xb2\x7e\x6b\x48\x73\xae\x71\x83\xb5\xb9"
        "\xa6\x52\x8a\x57\x6a\xf6\x94\x49\xdf\x90\xcd\xa4\xbf\xad\x6c\x54\xbe\xd6"
        "\x7f\xec\xc6\xfd\xc6\x24\x18\x3a\xec\xb5\x07\x20\x02\xc8\xdc\x9d\x45\x50"
        "\x59\x01\xc6\x14\x89\xab\x31\xb7\xd6\xcd\xe6\x94\x3f\x04\x29\x53\xdf\x64"
        "\x88\x61\xb6\x86\x63\x29\x11\x17\xf3\xde\xb7\x4d\x3f\x9e\x95\x01\xd9\xd5"
        "\x0b\x09\x5b\xaa\xee\xf2\x1a\xca\x82\xe0\x02\x03\xc0\x6c\xe1\x03\xcc\x92"
        "\x3e\x6f\x02\xab\x48\x1e\xed\x2d\xa0\xa4\xee\xde\xb8\x27\xe9\xd7\x96\x1f"
        "\x6d\x97\x2f\x34\x7c\x64\x9e\x70\x6d\xc0\x25\x9d\x69\x7a\x6a\x5e\xa1\xba"
        "\x33\xa6\xf2\xc1\x6b\xee\xd9\x2b\x58\xfa\x29\x00\x26\xc7\x28\xe9\x1f\x3d"
        "\xe2\x85\xa7\x4e\x56\xe9\x68\xc5\xd1\x74\x63\x9a\x91\x5b\x5e\x53\xd7\xb1"
        "\xe5\x56\x6b\x1a\x89\xf0\x94\x34\xaf\xb2\xa2\xff\x1f\xd0\x0d\x13\xe7\xce"
        "\x5a\x3d\xcb\x8e\x62\x8f\x39\xa6\xc6\x82\x5a\xcd\x4b\x71\x52\xa7\x77\xd2"
        "\x14\x85\xf6\x36\x0a\xf8\xb1\xc6\x2a\x4a\x29\xf2\xad\x98\xd9\xc3\x93\x53"
        "\x01\x87\xc1\x4b\x4d\xef\xdf\xc8\xac\x12\x43\x3b\xe7\xf5\x6a\x40\xce\x40"
        "\x87\xeb\x1f\x7c\xf9\x49\xe4\xe9\xb3\xc6\x12\xe4\x95\x37\x16\xab\x02\x7a"
        "\x36\xce\x83\x9f\x1d\x28\x15\xc2\x89\xd0\x8e\x0e\x50\x06\x30\xc2\xf5\x43"
        "\x44\xd6\x54\x9b\x96\x45\xa4\xb3\x16\x48\xd2\x5f\x71\xdc\x7a\x43\x65\x1a"
        "\xa8\x53\x0c\xcd\x0c\xec\x2f\x96\xa4\x38\x5b\x18\x58\x23\x11\x1c\x51\x4b"
        "\x5b\xeb\x81\x7a\x98\x82\x4f\x30\x14\x62\x59\x8f\x03\x91\x9e\xc5\x2c\x0f"
        "\xdf\x5a\x52\x2f\x3e\x4b\x25\x0d\xed\x30\x89\xe0\x95\x8b\xb2\x0e\x5f\x93"
        "\x6c\x8a\xb4\xfc\x00\x31\x6c\xe4\x83\x25\x4f\x6e\x2a\xbc\x02\x48\x35\xac"
        "\xdb\xa2\x39\xde\xcc\x60\xfc\xc3\x16\xcb\xb5\xfe\x85\xdb\x2e\x22\xec\xd1"
        "\x25\x9c\x60\x7b\x57\x5d\x83\x62\x22\xd7\xa2\x1f\x0f\xcc\xdc\x6d\x4f\x90"
        "\xc4\x87\xc6\x6d\xcb\xe9\xd1\x7f\x6a\xf2\xed\xc3\x0b\x57\x18\x9f\x00\x90"
        "\x72\xfa\x5b\x46\xe1\xf4\x9a\xa3\x3a\x65\x46\xae\xa6\x02\x02\xc4\xe7\x70"
        "\x66\xe2\xf4\x87\xb2\xbd\x36\xf3\x17\x8e\xa8\x88\x48\x8a\xe5\x2f\xad\x83"
        "\x08\x68\x17\x2d\x8f\x2b\x33\x35\xdb\x98\xa8\x3c\x45\xe0\x47\xba\x93\xeb"
        "\x32\xe0\x8a\x01\x4d\x13\xfb\x8b\x9f\x3b\x54\xc1\x6a\xda\xac\x8a\x95\xc2"
        "\x50\x05\x1b\xaa\xa3\x66\x73\x43\xa3\xdf\x51\xab\x7d\xcc\xed\xcf\x44\x10"
        "\x48\x2f\xb2\x4a\xb3\x37\x28\x5d\x4c\x0d\x18\x2b\xf0\x00\x50\xc5\xcd\x2f"
        "\x8a\x1f\x79\x54\xfe\x0c\xe1\xc2\x32\x5d\xc1\x59\x44\x54\x64\x32\x7f\x0c"
        "\x46\x3d\xfd\xae\x8c\x94\x4d\xb6\x03\xce\xab\x50\x44\x09\xbe\x7e\x33\x16"
        "\xe6\x79\x96\x0b\x63\xe1\x93\x50\x18\x64\x1f\x0d\x30\xd4\x0f\xb4\xf8\x3f"
        "\xaa\x27\x86\xe7\x28\x4b\x0a\xdf\x6f\xe0\xae\x04\xf6\x1c\x36\x2b\xe8\x91"
        "\x77\xaa\x7a\x27\xcd\x00\xa1\xc1\x01\xde\xb3\x3f\xba\xe0\x4b\x8b\x20\xfc"
        "\xee\xef\x60\x10\x49\x62\x69\x54\xf0\x43\x64\x70\xeb\x4d\x34\x4f\xd5\x3c"
        "\x34\xea\xb4\xfc\xa4\x01\xbb\x6a\xa6\x4c\x1d\x18\x91\xca\x88\x30\x0c\xe5"
        "\xf8\xb9\xb7\xba\xdb\x64\xa5\xaa\x3c\xe8\xea\x84\x8e\x28\x82\x39\xde\xf4"
        "\x60\x2e\x48\x12\xc6\x65\x03\xcc\xc2\xa6\x8b\x73\x4d\x97\xb2\xfe\x71\xe3"
        "\x21\xe0\x92\x75\xbb\xc7\x27\xe4\xc0\x2c\xe1\xa9\x67\xf2\xf7\xc5\xf0\x2f"
        "\x65\x8c\x5e\x44\x9a\x1c\x71\x8a\x53\x55\x61\xaf\xbd\xdd\x05\xad\x28\x55"
        "\x9c\x6e\xa8\xa5\xd1\x92\x98\xee\xcc\xee\x69\x81\x8b\x69\xa8\x33\xb9\x72"
        "\x12\x8e\x15\x33\x06\x52\x2a\x37\x33\x39\x6e\x25\xe3\xa2\x17\x54\x43\x71"
        "\x5b\x09\x26\xea\x96\x76\x09\xf7\x3e\x25\x29\xfa\x4b\x6c\x34\x6e\x32\x54"
        "\x34\x31\xd1\x1f\x57\xf5\x57\xc7\x1f\xf6\xb7\x89\xd9\xa7\x8e\x80\x39\xf7"
        "\x8c\x50\x89\x58\x6a\xeb\xa7\xa5\x84\xb3\xd6\xb7\x53\xf8\x63\x3d\x06\x2b"
        "\x5c\xca\x36\x39\xeb\x95\x88\x50\x27\xa1\xb7\x8a\x90\xf7\x9d\x33\xe8\x87"
        "\x2b\x45\x5a\x21\x61\x8b\x76\xa4\xaf\xd3\xd7\x04\x84\x9b\x06\x7a\xb8\xf9"
        "\x68\xbf\x52\x8f\xbd\xbd\xfd\xd3\x4e\x84\x16\x3d\x64\x4e\x21\x1e\x32\xf9"
        "\xb5\xb9\x1f\x86\xfb\x81\x58\x90\xf6\xe4\x05\xd7\x32\x4f\xd6\xff\x84\xfe"
        "\xa2\x68\xcf\x4d\x61\x3d\x8b\x8c\xc7\x84\xfd\x43\x4f\x31\x7d\xd7\x7c\xca"
        "\xf4\x0d\x97\x4c\x43\xd7\x0e\xc1\x53\x06\xc6\x91\xce\x97\x82\x26\x7b\x20"
        "\xb3\x5c\x15\x0c\x1c\x10\x4a\xdf\xf5\x43\x70\x68\xf7\xc9\xde\xe0\x58\xc0"
        "\x84\x03\x02\x4e\x5e\xd1\xf3\x5b\xf1\xb6\xdb\x21\x3a\xf8\xfd\x02\x93\xb2"
        "\x30\xdd\xc7\xa4\x05\xe1\xe3\xe5\x84\x29\x2c\xf6\xd9\xbd\x4c\xa1\xd0\xc3"
        "\x25\xec\xf3\x7c\x57\x13\x43\x20\xf7\x9f\xac\x3f\x26\x87\x4b\x1d\x59\x5d"
        "\x0a\xac\xb7\xbf\x45\x4b\xc4\xe1\x5f\x75\x5c\x1c\x7e\x2d\x09\x51\xd7\x73"
        "\x1d\x8b\xf2\x7c\x80\x02\xf6\x11\xa9\x42\xd6\x33\xc9\xe0\x20\x3e\xe9\xf8"
        "\x48\xde\x15\x96\x6e\x6c\x99\x3d\x79\x0b\xbc\x26\x95\x8f\xdc\x3f\xf4\xe6"
        "\x2b\x97\x16\x97\x85\x5a\xd0\x98\x0d\x3c\xf6\xcd\x79\xc0\xf2\xf0\xd4\x1e"
        "\xab\x6d\x2c\x67\xe8\x32\x95\xaf\xcb\xee\x60\x17\x9e\x09\x97\xdd\xf9\xb1"
        "\x50\x02\xb7\xfc\x05\x8a\xfa\x56\x70\x34\xda\xbc\x64\x07\x90\xab\xa2\x41"
        "\x9a\x5c\xcb\xce\x25\xab\xcc\xde\x58\x63\x73\xf4\xe3\x1f\x34\x36\xe5\xba"
        "\xb2\xe1\x56\xb4\xcd\x6a\xba\xad\xbd\x4e\x99\x1c\xb4\xa1\x5c\xde\xa2\x20"
        "\x2b\x13\xbc\xe7\x16\xe1\xdf\x40\xd6\xbc\xc2\x75\xf1\x4c\x15\x2f\xfe\x62"
        "\x94\xd2\xb5\xa5\x37\x7a\x9d\xa5\x46\x49\x0a\x0f\xf9\xec\x3f\x27\xa0\xa6"
        "\x07\x0f\x1b\x0d\x72\xb7\x5a\x74\xac\x1e\x76\x4c\x46\x70\xb9\x54\x7f\xaa"
        "\x72\x85\x00\x23\x3d\xc4\x10\x13\x2d\x80\x0b\xdd\xd4\xe8\x12\x72\xf1\xac"
        "\xe1\xfa\x81\x86\xe1\xb6\x8e\x19\xb2\x3e\xe6\x11\xb2\xc9\x11\x9b\x09\x47"
        "\x64\xfd\x07\x20\x21\x2c\x14\xf1\x2f\x18\x35\x59\x66\x60\xe0\x8d\xba\xf1"
        "\xa2\x8c\x2e\xcb\x39\x10\x94\xe8\xde\xcb\x50\x04\x84\xa4\xf9\xde\x41\x27"
        "\x81\xfe\x08\x46\x95\xa2\x43\xd4\x74\x47\x1a\x3d\x6a\xbd\x4a\xc6\x40\xcf"
        "\xb7\xda\x40\xe0\x32\x7d\xef\xce\x9a\xa8\x10\x1a\x25\xf7\x14\x5b\x55\xdb"
        "\x05\x10\xdd\x09\x0a\xf6\x3f\xd6\x5f\x90\x03\x69\x3b\x21\xb2\xf3\xd4\x77"
        "\x5c\x65\x70\x7f\xed\x78\x47\x42\x38\xd6\x45\x35\x92\x93\x3b\x22\x65\xc3"
        "\x83\x6d\x0c\x77\x5b\x95\xe9\x73\x9b\x3d\xe3\x85\x60\x72\xa5\xb4\x3c\x9e"
        "\x30\x24\xe8\x84\x3b\x25\x22\xe9\x2d\x12\xaa\xb4\xa6\x36\xc6\x8a\xf1\x27"
        "\x22\xab\x38\xd8\x81\xf4\xc9\x71\x18\x01\x4d\xb9\x86\xf3\xec\x96\x67\x83"
        "\xb9\x3d\x81\xd1\xd7\x0e\x3e\xa6\x11\x48\x2d\xf7\x45\x25\x6c\x3e\xf9\xc6"
        "\xc9\x49\xc6\xaf\xc6\x92\x9f\x69\xd9\x42\x7d\xdd\xe8\x1f\x3f\x27\x85\x00"
        "\xc5\x86\xb3\xbb\x73\x6c\x2f\xc7\x71\x3a\xd9\x2e\xd1\x36\x40\xf4\x05\x1e"
        "\x72\xb3\x85\x68\xe3\xf2\x11\xf7\x52\x61\xee\x65\x17\xde\x0b\x98\x00\x76"
        "\x12\x7d\x7d\xc0\x0a\x16\x60\xa1\x12\x32\x32\x5f\x7a\xc0\x97\xf4\x6e\x0e"
        "\xf4\x49\x3c\xd7\xde\x87\x5d\x14\x05\x64\x19\x37\x3d\x88\x7a\x82\x16\x72"
        "\xd8\x94\xd3\x2c\x81\x04\x64\x70\x5e\x92\xc9\xab\xe3\x29\x67\xfe\xad\x24"
        "\x64\xc8\xb2\xf6\x93\xf4\x5d\x07\xa8\x16\x0f\x59\xec\x04\x60\x19\xb0\x16"
        "\xee\x8b\x07\x76\x42\x78\xaf\x8c\x6b\x22\xb4\xcc\x07\x9f\x40\x6c\x0b\xa8"
        "\x98\x33\x2a\xa8\x91\x1b\x02\x6c\x75\xed\xd0\x2d\x5a\x40\xf8\xed\x9c\x1a"
        "\x3d\x39\xc1\x89\x3a\x0a\xff\xe4\xb3\x8c\x77\x30\x54\x29\x56\x2e\x9d\x09"
        "\x07\x17\x97\x53\x05\x1c\xbf\x13\xff\x93\x60\x91\x33\x4f\xe2\x4a\x53\x81"
        "\x6d\x2a\xa5\xe2\xe2\x69\x93\xda\xc3\xf2\xc5\x73\xb0\x00\x11\x52\xee\x26"
        "\xb6\x33\xaf\xd9\x66\xbf\xb7\x04\x05\x42\x27\x16\x0b\xf2\x92\xbb\xcc\x35"
        "\xf7\x8a\x64\x9b\xb7\xf4\xfe\x17\x83\xa6\xb1\x0d\xe7\x78\x51\x9c\x8a\x71"
        "\xf1\x38\x1c\xc6\x7a\x77\x9e\x51\xce\x30\x97\xe6\x66\xd9\x64\x72\x8d\x55"
        "\x70\x8e\x76\x95\x38\x26\xc7\x65\x9c\x36\x47\xd3\xf3\xce\xdf\x9f\x1b\x45"
        "\xb2\x7f\x57\x35\xbb\x8d\x78\xd8\x74\xbf\x73\x14\x7b\x73\x8b\x9c\x05\x66"
        "\xa0\xd2\xfd\xcb\x17\xf8\x5d\xc7\x12\x46\x2e\x38\x1b\xa1\x46\x6d\x92\xd9"
        "\x03\xba\x24\xd0\xcc\x17\xdd\xbe\xb7\xbd\x80\xb5\x52\x5d\x72\x36\xa8\xad"
        "\xd5\x4d\x4e\xca\x06\xfe\x4c\xd0\xd3\x72\x44\x03\xc7\xad\x09\xf2\x2e\xb2"
        "\xfc\xb4\x18\x1e\xdd\xde\x27\x1b\xe8\x21\x57\x9b\x73\x82\xbb\xfe\x36\xda"
        "\xb5\x07\x98\x11\xe6\x28\x42\xda\x65\x16\x5c\x27\xc1\x81\xdf\xed\x27\x9d"
        "\x5e\xc1\x2a\x1c\x0c\x13\x54\x17\x60\xc2\xfe\x5c\xce\x95\xc6\x89\x26\x22"
        "\x22\x9a\xc2\x4a\x72\x11\xba\x43\xe5\x13\x07\x7f\x34\x34\x2b\x61\x61\x1a"
        "\x1a\xb1\x0b\x6c\x51\xf6\xe3\xa0\x6b\xe0\x71\x6d\x7d\x1a\xbc\x82\xf5\x90"
        "\x3e\x32\xf1\xe6\xe3\xe8\x57\x89\xc1\xb8\xf1\x40\xbb\xe1\x90\x3b\x96\x77"
        "\xec\x96\x55\xe1\x71\xbf\x1f\x4d\x27\xdd\xa0\x03\xc2\x7d\x4e\xf0\xe0\x43"
        "\xd0\xde\xf4\x51\xdb\xc0\xf4\x8c\xb6\xcb\x60\x5b\x1e\x2d\x27\xe9\xfc\x9d"
        "\xb1\x0c\x0b\x57\x1b\x68\x05\xf3\x16\xb0\x0b\x58\x1d\x0d\x73\x58\xf8\x3e"
        "\x14\xd1\xb4\x29\x0e\x61\xfc\x0d\x0b\xd9\x73\x34\xf3\x1a\x54\x73\x50\xc0"
        "\x08\x77\xc9\x0b\xcb\x59\x1b\x98\x98\x6c\x19\xd9\xd4\x77\xf7\xdc\x52\x1a"
        "\xc4\x3d\x2e\xdf\x92\x01\xea\x61\xc4\x3e\x63\x65\xe7\x95\xbf\xb4\x4b\x0d"
        "\x90\xce\xd7\xb9\xd3\x4a\x84\x9d\xec\x49\x5d\x79\xca\xe7\x76\x9c\x72\x1d"
        "\x7c\xd1\x7f\x15\x03\xdf\x3d\x11\x3c\x49\xfc\xb1\x84\x49\xff\x18\x0d\x39"
        "\xc9\x47\x17\xae\x8f\xcb\xa7\xee\x1d\x8c\xf7\x58\x73\x09\x8a\x7a\x69\x7d"
        "\x5f\x5d\x7a\x6e\xee\xf1\x4d\xaf\x14\x67\x10\xee\x40\xc9\x4f\xf8\xea\x9f"
        "\xf0\x48\xd1\x08\x68\x87\x76\xfd\x07\x4e\x72\x65\x8d\x6e\xa4\x3f\x42\xea"
        "\x03\x88\x3f\x70\xf4\x5c\x7b\x86\xd3\xeb\x0b\xce\xd0\xf3\xa6\x0b\x6d\xa5"
        "\x10\x83\x37\x28\xff\xdb\x82\xaf\x9a\x34\xc5\xfc\x86\xe0\x13\x08\x61\xac"
        "\x66\xc6\x8b\x78\x43\x00\x00\x00\x00\x00",
        4096);
    memcpy(
        (void*)0x20001300,
        "\x20\x4b\x9e\x18\x04\xd6\x36\x30\x11\x50\x77\x52\x98\xe6\x49\x00\x40\xd0"
        "\xec\xb7\x23\x71\xcf\xe0\xcc\xc2\x58\xd2\xb4\x45\x04\x58\xb9\x09\xff\x01"
        "\x00\x00\x00\x00\x00\x00\x37\xed\x25\xdf\x0c\xe2\xb0\x46\xcc\xc4\x7e\x35"
        "\x01\xed\x7a\x53\xe6\x9d\x95\xdf\xb7\x61\xf3\xfb\x81\x65\x99\x83\x87\x6f"
        "\x91\x5b\x21\xb4\xb9\x12\x70\xb4\x60\x78\x75\xb7\x51\x13\x65\x14\xbb\x42"
        "\xb1\xde\x57\x5e\x5a\xe0\x5e\x98\xfd\x37\xdd\xe4\x9a\xcb\x6a\x8e\x7f\x7c"
        "\x59\x2c\xeb\x87\x93\xd0\x0c\x84\x51\x5e\x9b\x09\x1f\xca\x80\x56\xf6\x9e"
        "\xf4\x7c\x1c\x91\x73\x5a\xf0\x4b\x30\x77\xa9\x4a\x24\x14\x74\x89\xc6\xbb"
        "\xc3\xd6\x3a\x76\xba\x4e\xb1\xe6\xad\xf0\x14\x10\x6f\x4b\x01\x17\xfc\x6a"
        "\x2b\x2c\x84\xca\x9e\x6c\x40\xfa\xde\x37\x3f\xd4\x9f\x65\x7e\x5e\x82\x83"
        "\x99\x86\x8d\x39\xd2\xa9\xd8\xcb\x3f\x45\x08\xe1\x56\xd3\x1d\xed\x82\x6a"
        "\x64\xd8\x4b\x19\xce\xb0\xc1\x3d\x95\x66\xf1\x48\x66\x02\x8f\x00\x40\x84"
        "\x28\xbc\x6b\x9a\x27\x76\x1f\xb1\x3e\x70\x56\x1f\xa8\xbb\x45\xbf\x25\x47"
        "\xba\xee\xbd\x7c\x99\xe0\x1c\x1e\xbd\xac\x09\xba\x75\xe3\xf6\x7b\x2b\xc6"
        "\x89\x8c\xa2\xc8\xe6\xc2\xb0\x9e\xfe\xf1\xe6\x88\xc7\x4f\xe8\xe2\x14\xb6"
        "\x57\xd3\x32\x57\x25\x53\x1f\x9c\xe7\x1d\x59\x53\x2a\xdc\x69\xf4\x0e\x0b"
        "\x82\x1f\xbd\x14\x55\x81\x33\xf9\xfc\xd9\xd5\xac\xe9\x15\x07\x03\xb5\x87"
        "\x9f\x74\x02\x85\x83\xdc\xcd\x49\x84\xa9\xfe\xdf\x23\xf1\xf6\xb8\xc5\x01"
        "\xf9\xa9\x97\x62\x07\x94\x04\xf1\x09\xe6\xd6\x9b\x02\x5e\xdb\xf2\xd3\x16"
        "\x9e\x44\xf1\x86\xeb\x60\xe7\xab\xf9\x53\x9c\xb8\x01\x36\x70\x43\x54\x20"
        "\xf5\x4b\x7e\x48\x56\x44\xf5\xaf\xc2\xd0\x58\x1d\x84\x04\xc2\x3b\xcf\x2c"
        "\x0b\xcd\x6d\x3a\x6f\xbc\x65\x87\x21\xe7\x45\x46\xea\x52\xd5\x7f\x25\x9e"
        "\x84\x1e\x87\xf0\x1a\xce\x9d\x7f\xb1\x0b\xb4\x35\x6a\xbf\xfa\x30\x6d\x91"
        "\x96\x39\x14\xbc\x14\x4e\x48\x6f\x78\xc0\x48\xaa\xfe\x20\xea\xe2\x7f\xf5"
        "\x32\x50\xde\x7b\xed\x8c\x41\x67\x78\x0c\x53\xfa\xcf\xd7\x41\xb9\x3f\x53"
        "\xd6\x7a\x60\xeb\xa1\x52\x77\x01\x89\x6b\xcd\x29\xa6\xcc\x20\xb9\x39\x05"
        "\x82\x42\x1e\xb0\xe5\xdc\xe7\xa6\x6a\x94\x88\x19\x04\xdd\x91\xc4\x7c\x59"
        "\xe8\xb7\x21\x9a\xda\xe8\x6b\xa7\x8b\x23\x03\x06\x82\x93\x68\xa5\x6d\xc9"
        "\x08\x24\x5f\xc7\x28\x86\xc3\xb1\x8f\xac\xea\x65\x9b\x27\x46\x6d\x3c\x6a"
        "\x85\xb5\x41\xf2\x0a\x01\x26\x60\x31\x9f\x8f\x4b\xa0\xfa\xf0\xd8\x3d\x28"
        "\xac\x63\xae\x41\x73\x23\xa0\xf7\x5b\x88\x23\x5d\x1a\x60\xa2\x9c\x41\xf6"
        "\x62\xb3\x4a\xc4\x0a\xc1\x9c\x94\xf2\x27\x56\x78\x60\xa9\x98\xf5\xe4\xd8"
        "\xf6\x5b\x93\x0c\x1a\x12\x09\xba\x04\xcc\x24\x06\x59\x99\x14\xe8\xed\x7c"
        "\x98\xd8\x09\x5a\x56\xfd\x29\x92\x0c\x47\xc6\x22\x1b\xf7\xe6\xa0\x76\xdf"
        "\xc9\x09\x47\xaf\x94\x68\xd8\x84\x47\x31\xac\x39\x23\x89\x6f\x25\xa8\x40"
        "\x24\x21\xe2\x4e\x1d\x32\x8e\x5b\x9d\xae\xb9\x70\x48\xb8\x7e\x3d\x37\x48"
        "\x74\x07\x19\x31\xad\x79\x1c\x1f\x03\x32\x4b\xa0\x1d\x46\x33\x64\xa5\xbb"
        "\x1d\xba\x7e\x3b\x80\x7a\xec\x9c\x33\x37\x03\x39\x7a\x45\x91\x8c\x73\xb4"
        "\x43\xdd\x46\xf7\xb2\x89\x73\x66\x62\xad\x83\x33\x02\xfa\x89\x56\x7e\x44"
        "\xc3\xde\x8e\x2f\x87\xbb\x5f\x87\x58\xab\xf6\xf8\x88\xad\x26\xbb\x5e\xd4"
        "\x8a\x4b\xd8\x28\xd8\xfc\xf5\xc0\x1c\xf7\x58\x80\x09\xc1\xa6\xc3\x5e\x94"
        "\x14\x29\x50\xb3\xba\xc8\xfa\x0a\xf1\x5c\x2f\x30\x50\x4c\xef\x3e\x54\x4b"
        "\x13\x2e\x40\x96\xa8\x36\xaa\x49\x33\x6c\xbe\x87\x8d\x2e\x33\x07\x5d\x07"
        "\x12\xad\xc3\xe7\x5b\x9f\x9b\xc7\xec\x42\x0f\x12\x30\x84\xeb\x29\x61\x19"
        "\x17\x15\x35\xc4\xfa\x49\xd4\x60\xd4\x44\x4e\xb3\x09\xf4\x24\xec\x13\xbe"
        "\x89\xff\x66\x41\xca\xa0\x89\xda\x26\x2f\xf8\x9c\x0d\x4b\x1a\x86\xfa\xc9"
        "\x13\x61\xa7\xa1\x24\xa0\xe4\xb2\x7d\xe2\x53\x18\x6e\x10\x67\x1d\x25\x32"
        "\xd6\x00\xf6\xb4\x08\x9d\xc6\x90\xf6\x00\x36\x30\x92\xad\x93\xfb\x62\xfb"
        "\xab\x9e\x1a\x96\xca\xef\xe3\x1e\x4c\x11\x74\x20\xfd\x1d\xf6\x4e\x4e\x0c"
        "\xf4\x96\x7c\xb0\x26\xa0\x03\xbe\x44\x42\x78\x55\x3c\x2e\x58\xe1\x9e\xc5"
        "\xa6\xdb\x39\x21\xfa\xb8\xfa\x07\x48\x96\x5e\x52\x36\x59\xe5\x4a\x3e\x01"
        "\x19\x04\x92\xf9\xb0\x18\x11\xd0\x6b\x13\xd8\xc8\x33\x45\x4a\xb5\xa9\x3a"
        "\xf8\xa9\xad\x27\xa1\x55\xd6\x82\xd8\xc7\x8f\x07\x4d\xa1\x7d\x6c\xcb\x7d"
        "\xed\x5b\x5f\x3c\x30\xe3\xaf\xb3\xc0\xe4\xaa\xb6\xce\x79\xe0\x0d\x42\xdf"
        "\x9a\x74\xf4\x86\xae\xe7\x4c\x0b\xc0\x21\xc2\x09\x00\x00\x00\xf5\xe7\x96"
        "\x78\xc4\x5b\xac\x33\x1d\x6e\xc2\x4e\xcb\x40\x42\x96\xdc\x9e\x90\xb2\xc1"
        "\x91\xfc\x14\xc5\x35\x05\xe9\x25\x87\xf4\x3a\x5e\xed\xc5\x6a\x64\x08\x04"
        "\x8d\x9d\xbb\x8b\xee\x88\x40\xa6\x56\x95\x2c\xb3\x61\xf0\xd7\x6b\xaa\x20"
        "\x93\x9e\x6e\x8a\xb9\x17\xe1\x2b\x76\xdd\x81\x2b\x95\xe6\x8c\x90\x70\x8d"
        "\x7c\xd8\x1a\xa1\x80\x02\xee\xa1\x16\xf4\x19\x0e\x49\xd1\xf6\x28\xa5\x09"
        "\xc8\xfb\x65\xf3\x93\xef\x5b\xcf\x7d\x1b\x9e\xa2\x89\xe0\x53\x2e\xe5\xf4"
        "\x6e\x65\x70\x9e\x84\xaa\xa7\xa6\x33\x4c\x58\xea\xab\x5c\x3c\xce\xd8\x8f"
        "\xa3\xe9\xe3\x65\xac\xe1\x19\xa3\xc4\x0d\xfe\x33\x6a\xbb\xe6\xd3\xa0\x9d"
        "\xfd\x89\x5c\xdc\x3d\xaa\xe2\x6a\xe9\xd3\xf6\x8a\x3a\x21\x84\xac\x5f\x69"
        "\x72\xef\x03\x4f\x1f\x9f\x0d\x41\x00\xa5\x5b\x86\x38\xdb\x09\x86\xf3\x62"
        "\xa2\x3b\x59\x99\x03\x90\x9a\x5a\x61\x93\xfc\x2c\x6e\x54\xad\xc9\x65\xff"
        "\x5d\x48\xbc\x1e\xd1\xb6\xff\x0a\xb2\x26\xb9\x59\x8f\x70\xa1\x3c\xa0\xa0"
        "\xb2\xd2\xcc\x05\xf1\x74\x49\xbd\x4c\xbd\x22\x4f\xa7\x58\x10\x95\x50\x11"
        "\xd5\xa4\x01\x34\x8c\x0b\x75\x54\x6c\x1f\xd8\x68\x24\xce\xd7\xb0\xc7\x9c"
        "\xb4\xd1\x3a\x37\x22\xae\xf6\xf7\xa0\xcb\x49\xf7\x6a\x37\x2f\xf1\x33\x73"
        "\x6f\x04\xb6\x7b\xf6\xa7\x4d\x51\x64\xa2\x27\xf4\x86\x5d\xfd\x15\x18\x1e"
        "\x0a\x9e\x5d\xc5\x33\x17\xff\xb0\x4a\x7a\xb1\xfb\xa8\x7d\x3b\x34\xbd\x1c"
        "\xee\x7c\x6a\xef\x4b\x3e\xbe\xf1\x83\xc9\xfc\xd4\xda\xf0\x91\xef\x1f\x5f"
        "\x27\x09\xa7\xeb\x4a\x64\x82\x42\xc4\x08\xe7\xd5\xb1\x0b\x76\x6e\x0f\x64"
        "\x8c\x21\x89\xc4\x95\x64\x74\x89\x2e\x37\x9a\x84\xb1\xf0\x9f\x13\xba\x58"
        "\x94\x23\xe4\x3b\x4b\x0d\xd2\x67\xb1\xd0\xc9\x76\xfb\x64\x90\x3e\xa2\xd2"
        "\x2e\x26\x12\xd9\xdb\xad\x91\x53\x6a\x98\x6f\x44\x98\x6d\x74\x57\x8f\x2c"
        "\xf3\x78\xdc\x65\x05\xcc\x26\x26\x15\x48\xa0\x80\xe1\x1d\x74\xfe\xd2\xcd"
        "\xaa\x90\x47\x9f\x06\x56\xfd\x92\x7f\x89\xa0\x62\x4f\x4c\xe9\x43\x98\x1f"
        "\xfb\xec\x2c\xeb\x27\xc7\xfb\x6e\x6e\xe7\xdf\x7c\x2d\x26\xd7\x15\x1f\x1d"
        "\xad\xb1\x72\xa0\x01\x77\x87\xc5\xd3\x2d\x64\x08\xb6\x66\x2c\x8f\x53\x48"
        "\xf3\x4e\x63\x64\x92\x06\x14\x21\x64\xf7\xaa\x07\x6b\x2c\x83\xbf\xff\xe4"
        "\x41\x26\xee\x92\x3f\x0b\x9b\xc9\x17\xe5\x23\x08\x37\x35\x53\xcf\x19\xe6"
        "\x79\x8a\xc8\x3a\xce\x35\x0b\xe4\x7f\x44\x5e\xf0\xd2\x68\xc2\xa4\xfc\x67"
        "\x99\x8a\x59\x07\xdb\x42\xde\xcc\x63\xfc\xfc\x30\xdf\x0a\x45\x43\xda\x17"
        "\x8e\x44\x2a\xec\x97\x06\x0e\xdc\x20\x9e\x34\x84\x9f\x6b\xee\xa0\xe3\x66"
        "\xec\xcc\x80\xb8\x7c\x1c\x16\xf8\x9e\x56\x08\xb9\x6c\x17\x6c\xcf\xaf\x60"
        "\x14\xa6\x19\xb8\x3d\x72\xc5\xa8\x97\x49\xcf\x76\x3f\xd7\x6c\x6a\xe8\x2b"
        "\x6a\x13\x22\x67\x48\x38\xab\x9e\x5f\x9a\x0d\xb7\xaa\x8b\x7d\x27\xdb\x30"
        "\x8e\xdb\x66\x4f\xc0\x19\x77\x56\xf6\x70\x9d\xf3\x6d\x9f\x6e\xd6\x78\x94"
        "\x4e\x18\x45\x5a\x8d\x49\x43\x4f\x9a\x6f\x22\x3c\xbf\x52\xb6\xa1\xba\x26"
        "\x6a\x55\x33\x1f\xfe\x7e\x83\xfb\x41\x30\xc2\xf5\x52\x86\x26\xc4\xe4\x51"
        "\xd8\xba\xc1\xda\x04\x6d\xd5\x92\x49\xfe\x41\xb6\xc8\xa3\x6e\x82\x34\x69"
        "\x18\xe0\x17\x7c\x87\x6f\x44\x10\x1f\xf9\xf7\x72\x1d\x8f\xbe\x1e\xca\x04"
        "\xe1\x3b\xa8\xdb\x3f\x5b\xd0\x1c\x36\x61\xdf\x0d\x6c\x8a\x24\xd4\x5a\x24"
        "\x6e\x0a\xc8\x0a\xed\x41\x78\x90\x1a\x71\xa9\x39\xda\x46\x22\x59\x2b\x3a"
        "\x8d\x87\xb3\xae\x35\x37\x05\x30\x03\x9d\x7d\x41\x34\x55\xe9\xd6\x16\x56"
        "\xb5\x8a\x1e\x63\xaa\x9b\xf1\xa8\x7d\x8b\xcc\x66\x05\xc3\x16\x78\x36\xf8"
        "\x2b\xa0\x1f\x54\x93\x4e\x2d\x31\xd7\x46\x3e\x18\x48\xee\x8a\x2c\xca\x55"
        "\xa0\x29\xd5\xed\x37\x23\x6d\xda\x9f\x27\x89\x81\xcd\xb3\x30\xea\xbc\x6b"
        "\xfc\x33\xa7\xfe\xe5\x67\x8c\x38\xb8\xe0\xa9\x25\x8f\xa8\xce\x5c\xb8\xab"
        "\xc3\x32\x0d\x44\xdd\x16\x09\x8d\xf1\xbb\xf9\xd3\xe3\x14\x2e\xc1\x83\x8b"
        "\xa8\x17\x85\xe3\x7d\xc9\x7f\xda\x27\x97\xe3\xcf\x6b\x7d\x6c\x36\x77\x37"
        "\xb4\xdf\x96\xa2\x42\x14\x9b\xbb\xa7\xaf\x54\xda\x91\xb4\x04\xfb\xf0\x1f"
        "\x4e\xcf\xb7\xeb\xd9\x7c\x67\xde\x24\x15\xb3\xbc\xa3\xb5\xf2\x1d\xea\xe9"
        "\x88\x73\x3d\xcb\x54\x7a\x17\xaa\x38\xc0\xb9\x8a\xba\x60\xfb\xb1\xd5\x7f"
        "\x9e\x8f\x00\x5a\xe6\x23\x3e\x5d\xa6\x8d\xa3\x2c\x7a\x27\x78\x94\x4a\x2e"
        "\xac\xba\x03\xe3\x31\x2f\xe9\x68\xfa\x3b\xe0\xe2\xce\xb4\xd8\x52\x68\x03"
        "\xe7\xa8\xf2\x46\x18\xb1\x00\x38\x60\xe4\x24\xda\x51\x8c\x96\x02\xcb\x09"
        "\x2c\x9c\x6b\x93\x0b\x72\x52\x3b\xbf\x61\x5a\xd8\x33\x0e\x33\x7e\x64\xff"
        "\x82\xeb\x78\xd9\xa2\x38\x4e\x86\xaf\xec\xe8\xaa\x9d\x9c\xb1\xb7\xab\x27"
        "\x26\x52\x61\xa3\xcf\x54\x2e\x16\x55\x79\x2e\xd6\x6b\x28\xd2\x7b\xf4\xf0"
        "\x2d\x13\xe9\x34\x13\xbf\xc5\xfa\xe7\xdb\xec\x15\xaa\xc8\x53\x31\xae\x3d"
        "\x40\x32\x67\x99\x88\xff\xd1\xc1\x75\x04\x47\xf7\x63\xeb\xc9\xba\x8f\x8b"
        "\xa4\x52\x1b\x74\x56\x3a\xf6\xee\x8a\x99\x6a\xf3\x70\x7d\xd0\x31\x18\xc3"
        "\xf0\xd1\x8d\x61\x2a\x51\x05\x51\x93\x10\xf7\xb8\xc5\xeb\x4b\x7e\x3a\x0d"
        "\x67\x53\x74\xda\x18\x31\x4d\x14\x4b\x5d\x5d\x0b\xa2\x73\x5d\xab\x4e\xfd"
        "\xf6\x8f\x78\x28\x5c\xe4\xd3\x50\x32\x42\x7e\x23\xfe\x7c\x59\xc5\x84\x48"
        "\x79\x55\x04\x17\xdc\x93\xd2\x22\x1f\xe0\xff\x82\xc7\xe2\x1e\xbb\xa1\x9c"
        "\x01\xfe\xfc\x6f\x6e\xeb\x70\x78\xe7\x55\x7f\x07\x7c\xa0\x89\x24\x6e\x6f"
        "\x39\x01\xe1\x27\xca\x46\x85\xc1\x91\x84\x7a\xe7\x20\xce\x30\xd4\x19\x39"
        "\x23\x9b\x28\x35\xd9\xcf\xd1\x26\xfa\xab\xc8\x8e\xb8\x0d\x40\x9d\x8e\xc1"
        "\xcd\xf6\x07\x0c\x55\x10\x9b\xdb\xbb\x66\x8f\xd5\x6c\x6e\xbd\x35\x03\x98"
        "\x6c\xdf\x5a\xde\x19\x90\x3a\x85\x51\x6f\x0e\xd8\x78\x72\xf3\x97\xe6\x24"
        "\x4b\x0f\x58\xc7\x0b\x8d\xd0\xcb\xc4\x08\xdd\x7a\x87\xc4\x2d\x67\x2d\x31"
        "\xfd\xe7\xfb\xc3\x1b\x3a\xcf\xf4\xbe\x74\x4b\x93\x3e\xc0\x64\x5f\x76\xb5"
        "\x24\x81\xba\x6f\x50\xa2\x5a\x98\xf8\x9d\x99\x89\xe3\x47\xb6\x82\xa4\x59"
        "\xeb\x38\x00\x4d\x0d\xe0\xa7\x31\x4f\x83\x19\xb1\xe0\xce\x51\x52\xa4\x92"
        "\x8d\x7f\x59\x76\x93\x47\xa7\xf4\x8a\xf5\x95\xd0\x28\xb5\x01\x2c\xf5\xb7"
        "\xfc\x08\x1c\xbe\xc3\xc5\xad\x30\x80\x19\x47\xb5\xd3\xf8\x7a\x24\x2b\x05"
        "\x69\x1e\xf3\xf4\x6f\x0b\xa3\x5f\xa6\xee\x28\xa9\x66\xad\x42\xe3\x4e\xf6"
        "\x19\x2c\xb6\xe5\xde\x41\x41\x1d\xf4\x63\x8c\x82\x56\x88\xab\xc1\xc8\xf1"
        "\xfa\x7b\x2e\xce\xd5\xae\x40\xa5\xd3\x5d\x7c\xfd\x98\x1f\x4d\xd4\x6a\x91"
        "\xe8\xf1\x23\x18\x7d\x8e\x99\xa9\x47\x02\x0c\xdc\x4c\xfc\xb6\x6e\xe0\x04"
        "\x23\x2e\xd5\xba\xdf\xa6\x94\xfd\x94\x3e\xd5\x9f\x01\x43\x39\x89\xe5\x66"
        "\x3a\x77\xfd\x2b\xbc\xdb\xfa\xad\x5a\xb4\x82\x15\x0f\x22\xff\xa6\xb1\xae"
        "\x9e\x99\x13\x4b\x32\x0c\x04\x44\x4c\x3d\x5d\x71\xe3\x7c\x6d\x4f\xaf\x82"
        "\xb1\x29\x7d\x75\xa5\x20\xe6\xe6\xc5\xa0\xd7\xab\x86\xde\xa5\x24\x5a\x97"
        "\xb1\x6a\x76\x90\xf5\x0e\x9a\xbd\x45\x2d\xa3\x3c\x58\x97\x4c\xb6\x3e\x47"
        "\x11\xfe\xce\x83\xcf\x12\x51\xc6\xee\xcc\x7c\x9a\x88\x7b\x0a\x88\x1f\x14"
        "\x8b\x6c\x8f\xa3\x74\x9e\xf0\x96\x61\x48\x89\x09\xa2\xf7\x4e\x41\xa4\x96"
        "\x8f\x5f\x1d\x1e\xbd\x9a\x51\x1f\x57\x32\xed\x60\xa1\x80\x32\xd6\x8d\xcf"
        "\x34\xa5\x91\x4b\x1c\x24\x27\x5e\x6c\x3d\x33\x1a\x8c\x45\x4e\x4c\x61\x5d"
        "\xc5\xf6\xce\x4d\xe1\xb4\x4f\xc7\x55\xda\x73\xee\xf5\x17\xbc\xa0\x8f\xa4"
        "\x64\x44\x3e\xab\xf4\x04\x69\x61\x62\x5e\xe8\x2c\x40\x6e\x08\x35\x9b\x49"
        "\x78\x5a\x1c\xbe\x98\x22\xca\xda\x33\x75\xda\x9a\xdf\x55\xbd\x50\xe1\x56"
        "\xa3\x14\xf1\x01\x07\xa3\xfb\x88\x0a\x94\x4f\xa3\xa0\xcd\xb4\xbe\x22\x34"
        "\xc1\x9a\xb2\x6f\x80\x75\xc6\x38\x9a\x0a\x60\x62\xe8\x20\x50\xb4\x93\xa3"
        "\x0e\x61\x7f\x72\x8b\x8d\x0c\xed\x0b\x69\xda\x60\xc6\xfd\xad\xd9\x5e\xe1"
        "\xc0\xe6\x56\xb6\x3e\xcc\x72\xa4\x91\xe0\x7b\xce\x4c\x3d\xf3\x76\x1e\x51"
        "\xbb\x32\x7a\x86\xd5\x5a\x37\x5e\x4f\x58\x59\xa8\xb1\x79\xa4\x7f\x4b\x5b"
        "\x8b\x85\xfe\xd0\xdb\x91\x6e\x31\x88\x5d\x0a\xd1\x85\xd6\xc7\xe7\x94\x49"
        "\xe2\x82\xa5\xd1\x0a\x7c\xf8\x6d\x03\x05\xa2\x67\x3c\xd9\xaa\x83\x4d\x13"
        "\x0f\xcb\x10\x98\xc0\xf6\x97\x71\xae\x23\xe2\xb4\x9c\xdd\x3d\x39\xbe\x17"
        "\xfc\xc3\x09\xa2\x82\x48\x6b\xf0\xe0\x82\x9a\x08\x05\xa0\x36\xb0\xb1\xe3"
        "\x57\xf0\x3a\x86\x18\x57\x31\x2d\xab\x30\x33\xf0\x09\x57\xff\x6f\x03\xa3"
        "\x52\x40\x72\x4b\xc6\xad\xf4\x29\x09\x0f\x55\x5a\xca\x56\x3f\xfb\x5e\x4b"
        "\x67\xc7\x54\x86\x14\x9f\x24\x95\x97\x1b\xf6\x53\x61\x7f\x29\xe5\x0d\x59"
        "\xda\x32\x28\x8a\xfe\xab\xc7\x68\x78\x7d\x2e\x83\x0c\x70\xd5\xf0\xdb\xd8"
        "\xdb\x5e\x99\x23\xb8\x89\x3f\x32\xc4\xcd\xc0\xd8\x13\x0c\xae\xfa\xde\x59"
        "\xd7\xf5\xe2\x70\xf8\xb5\x48\x7b\x69\x81\x5d\xd8\xce\xc6\xd3\xdf\xa3\xca"
        "\x30\x89\x87\xf2\x97\x0a\xb3\xe8\x71\x4c\xdb\xae\x27\xdc\x22\xfa\x43\x48"
        "\x05\xc9\x28\x4b\x90\x48\x40\xa9\x2b\xc7\x64\x90\xc1\x5c\x6a\x04\xdf\x13"
        "\x79\x40\xd4\x8f\x7a\xc6\x28\x5f\x85\x86\x11\x37\x6f\x44\x7e\xba\xf1\x1c"
        "\xe4\x01\x40\x66\xd5\x7e\x5f\xa5\x79\xb5\x88\xe0\xd7\x95\xfb\x03\x22\xd1"
        "\xb8\x60\x6f\xaf\x95\x07\x09\x2b\xe3\xe3\x20\x18\x4a\x53\x24\xdf\x47\x79"
        "\x2e\x8b\x01\x5e\xe2\x7a\xce\x73\xb0\xbc\x05\xf3\xef\xf2\xc2\xa9\xee\x45"
        "\x75\x2d\xf3\x2a\x85\xb1\xad\x56\x79\xae\xdb\xe4\x0a\xc5\x95\x11\x93\x89"
        "\x29\xe2\x10\xa4\x09\xe5\x38\xc1\x39\xd1\xfb\x93\x89\x1d\x2b\x99\x08\xf9"
        "\x15\xb9\xc5\x56\x78\x8b\xb8\x92\x6b\x6a\x96\x92\x30\x38\xa1\x19\xeb\x68"
        "\xbc\xb5\x28\xa4\x2e\x97\xf8\xfb\xd4\x9e\x7d\x5b\xb3\xe5\x19\x87\xcc\xa5"
        "\x90\xea\x8a\x18\xe0\x49\xf6\x4d\x8c\x99\x4d\x63\xa7\x07\xc4\x41\xe6\x35"
        "\x09\xf9\x09\xad\xf5\xf7\xc2\x6d\x36\x71\x4b\xd5\x63\x07\x51\x30\x03\xf8"
        "\xf8\x5f\x20\xc8\xfe\xa4\x24\x86\x27\xd2\xf1\x98\x91\xba\xef\x9b\x13\x4a"
        "\x8e\xcb\x6e\x3d\xa6\x23\x2c\x5b\x81\x8d\x74\x69\x64\x50\x38\x31\x2b\x6b"
        "\x95\x2f\x78\x2f\x28\xcc\xd1\x99\x36\x7a\x51\xf7\x50\x92\x7e\x5f\x11\xef"
        "\x04\xcb\x29\x9d\xc7\xba\x0c\x24\x50\x01\x34\xd3\xa9\xa0\xa4\xf6\x29\x03"
        "\xae\x93\x0f\x5b\xa4\x9c\x39\x85\x5f\xfc\x4a\xba\x6c\xc9\xd4\x00\x07\x5f"
        "\x09\x48\x75\xdb\x9e\xbc\xbc\xbb\x35\x30\x94\x21\xd0\x8a\x92\x8b\x02\x16"
        "\xdc\xbb\xf7\x18\x76\x1b\x01\xb4\xd4\x1c\xf5\x5b\x0b\x2b\xf4\xc8\x96\x03"
        "\xa6\x1e\x5a\xc2\xf5\xbf\x52\x36\xd4\xbe\xe9\x06\x17\xe1\xb2\xfd\xc3\xa4"
        "\x54\x0d\xb2\xc8\x95\x61\xc1\xcb\x9b\x1e\x28\x43\x60\x13\x54\x6e\x65\x4e"
        "\x36\xfa\x32\x80\x97\xce\x8a\x4b\xaf\x5a\x2f\xd7\x8f\x9b\xca\x61\x7b\xd4"
        "\xde\x06\x2d\xbb\xc3\x8c\x73\x56\x23\x2b\x38\x58\x23\xb6\xc6\x04\xa4\x01"
        "\xf4\x3f\x58\x64\x11\x1e\xff\x29\x04\x5c\x12\xb6\xc6\x22\x18\x2e\x09\x7c"
        "\xaa\x5a\x99\x45\x13\x33\x75\xb4\x6d\xc0\xe2\x68\xe8\x60\xdd\x58\xb6\x24"
        "\x03\xc4\x13\x93\xf0\x2c\x7f\x1d\x23\xa1\xd0\xda\xad\x5d\x2e\xb7\xa0\x85"
        "\x38\x7e\xa6\xb8\x1c\xeb\x61\x91\xd5\xff\xa7\xf5\x88\x48\x99\x6c\xaa\xd4"
        "\x79\x6e\xe8\xd9\xe1\xba\xd0\x72\x45\x5a\x37\xd8\xb6\x48\x88\xcb\x40\x07"
        "\xf3\x44\x78\x3a\xfc\xa2\x2d\xb0\x7a\x2c\xcb\x85\x31\xc6\xa9\xec\x9b\xff"
        "\xdf\x1f\x94\x9e\x3f\xce\x89\xf6\x23\x11\x95\x95\xc5\xb9\xbf\xa5\x18\x93"
        "\xff\x36\x84\x9b\xe6\x1f\xf0\x29\x39\x36\x0a\x5d\x5b\x0e\x05\xd2\x2a\xa3"
        "\xa1\xf1\x6c\x27\x10\x3e\xde\xb0\x0c\x0f\x76\x3b\xd4\x25\x18\x05\xec\x8d"
        "\x89\x46\x92\xcd\x16\x36\xb4\xb1\xc9\x6a\xb6\x13\x89\x6c\x17\xb2\xfb\x8a"
        "\x41\x4a\x91\x46\x3d\x54\xf1\x45\xe1\xd4\x93\x78\xe7\x26\xe5\x92\x1d\x8c"
        "\xd3\x4a\xeb\x17\x6a\x36\x70\x1c\x9b\x75\x31\x18\x06\xef\xcf\x40\x2d\x43"
        "\x45\x03\x4d\x7f\xd5\x16\x58\x57\xbd\x2c\xd0\x7b\x32\xa1\x83\x34\xa3\xcf"
        "\x35\x8d\xad\xbc\x81\x44\xb8\x06\x12\x08\x05\xa0\x77\x14\xd8\xd0\x02\x9f"
        "\xe0\xdb\x79\x58\xbb\xb6\x9b\x9a\x21\x6e\x59\x45\xfd\xf0\xb8\x92\x66\x5c"
        "\x0b\xad\x2c\xd8\x22\x79\x7d\x5c\x72\x23\x09\x4c\xd5\x40\x42\xc7\x81\xfb"
        "\xa9\xd7\xf0\x5a\x16\x9f\x39\x02\x25\x38\x5d\x5c\x05\x58\x96\xdc\x8a\x62"
        "\x0a\x63\x7a\x7c\x73\xee\x77\xfb\xf2\x15\x2f\xb6\x2a\xf9\xbc\xbe\x01\x38"
        "\x9d\xd8\x46\x72\x4f\xa2\x4c\xa6\x08\x8d\x2b\xdd\xf9\xbc\xae\x4d\x9e\x11"
        "\xf8\x62\x66\xe4\xd8\x7f\x6b\x11\xf3\x72\x1c\x30\xc3\xf4\x8d\xdf\xec\xb7"
        "\x62\x38\x02\xc7\xe3\xf5\x95\xb0\x88\x47\x37\x47\xd2\x5b\x70\xbb\xdf\x89"
        "\x20\x92\x4c\x6b\xb9\xe2\x02\xe6\xd5\x4e\x34\x0a\x46\x9e\x8e\xcf\x66\xb4"
        "\x9d\xda\x00\x36\xa7\xd0\x71\x49\x27\x42\x59\x3c\x2e\x02\xbd\x7b\xd7\x03"
        "\x77\x4f\x2a\xc8\xc4\x5d\xbf\xa1\xf8\xce\x4c\x20\x5a\x05\x06\x43\x62\xbf"
        "\x28\x19\xe8\x0b\xd4\x06\x36\x7a\x86\xec\xe3\xf5\xd5\x4b\x43\x02\x9b\x3f"
        "\x7f\xcc\x23\x78\xc5\xe3\x3e\x8d\xe6\x6f\xa5\xf3\xc4\x97\x43\x10\xc3\xac"
        "\x4d\x2a\xb1\x23\x4b\x1f\xea\x14\xd7\x15\x12\xc5\x78\xdf\xab\x15\x4a\x74"
        "\xdc\x66\xc8\xa5\xff\x98\x3a\x41\xe0\x2c\x57\xc5\x8c\xd9\xc3\xa7\x7d\x22"
        "\xf1\x5f\x8a\x6a\xbe\x41\xde\x51\xce\x4a\x92\x15\x1e\xe2\x5c\x6f\x2c\x4f"
        "\xeb\x04\x53\xb4\xf8\x6f\xb4\xc7\xe1\x90\x63\xb8\x71\xff\x64\x58\xb2\xad"
        "\x51\xb9\x92\xdf\x6b\x16\xde\x3a\x5a\x2f\x59\x35\xc8\x5d\x5a\x87\x09\xd8"
        "\x29\x43\xc6\x45\xf6\x19\x9e\x76\xb3\x8d\x71\x8b\x86\x94\x56\x38\xd9\x2d"
        "\xaa\x15\xae\xb9\xbe\xaa\x53\x02\x8a\x42\x5c\x6e\xe9\x0d\xbd\x58\xb5\x7f"
        "\x4a\x74\x8e\xc0\x03\x7f\xca\x72\x58\x12\xaa\xac\x8e\x20\x1d\x51\x21\xc0"
        "\x6c\x9d\x3b\xfc\xbe\x79\x9b\x9f\xa2\x84\x40\xfc\xee\xc7\x8a\x5d\x39\xa1"
        "\x12\x62\x6b\xd0\xf9\xe5\x30\xcb\x55\x73\x08\x3e\x6b\x3b\x0c\xe5\xef\x60"
        "\xe8\x5e\xa6\x43\x33\x1d\x45\x66\x3f\x30\x9d\x75\xd3\x6c\x88\xed\x56\xab"
        "\xba\xc7\x46\x72\xda\xa7\x2c\x2f\x18\x0a\xb5\xd1\x17\xd2\xab\x17\xdb\x9e"
        "\x36\xa8\x07\xbc\xaa\x62\xa0\x7a\xa5\x48\x6d\x39\xd6\x3f\x64\xd2\x3f\x03"
        "\xe5\x8f\x6f\xa3\x46\xb3\x90\x05\xcd\xe0\x51\x21\xec\xc2\x14\x6a\xe9\x82"
        "\xd0\x25\x32\xa2\xde\xb9\x0d\x8b\x9c\xfd\x32\xff\x03\xa5\x29\x49\x33\x29"
        "\x2f\xb3\xd5\x87\x60\xbc\x81\xa7\x2d\xf0\xe6\x02\xb9\xb4\xb7\xe4\x07\xbc"
        "\x54\x29\x24\xe9\x76\x3f\xe0\xd4\xbd\x53\x46\xcc\xb9\xe1\x0b\x1e\xa7\xda"
        "\xde\x31\xd4\xbb\xc9\x00\x00\x00\x00\x00",
        4096);
    /* Hand the 0x20000280 buffer to the VCPU (request 0x4080aebf, see above);
     * the return value is ignored, so a rejected state is not reported. */
    syscall(__NR_ioctl, r[2], 0x4080aebf, 0x20000280ul);
    /* 0xae80 matches the KVM_RUN request number: enter the guest once.
     * The exit reason is not inspected. */
    syscall(__NR_ioctl, r[2], 0xae80, 0ul);
    return 0;
}