// https://syzkaller.appspot.com/bug?id=72188d3cf50b2fb0f9eb5e128a3a5ddd40c5f521 // autogenerated by syzkaller (https://github.com/google/syzkaller) #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #define noinline __attribute__((noinline)) #define __no_stack_protector #define GUEST_CODE __attribute__((section("guest"))) __no_stack_protector extern char *__start_guest, *__stop_guest; #define X86_ADDR_TEXT 0x0000 #define X86_ADDR_PD_IOAPIC 0x0000 #define X86_ADDR_GDT 0x1000 #define X86_ADDR_LDT 0x1800 #define X86_ADDR_PML4 0x2000 #define X86_ADDR_PDP 0x3000 #define X86_ADDR_PD 0x4000 #define X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_ADDR_SMRAM 0x30000 #define X86_ADDR_EXIT 0x40000 #define X86_ADDR_UEXIT (X86_ADDR_EXIT + 256) #define X86_ADDR_DIRTY_PAGES 0x41000 #define X86_ADDR_USER_CODE 0x50000 #define X86_ADDR_EXECUTOR_CODE 0x54000 #define X86_ADDR_SCRATCH_CODE 0x58000 #define X86_ADDR_UNUSED 0x200000 #define X86_ADDR_IOAPIC 0xfec00000 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define 
X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 8) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) 
+ 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define X86_MSR_IA32_SMBASE 0x9e #define X86_MSR_IA32_SYSENTER_CS 0x174 #define X86_MSR_IA32_SYSENTER_ESP 0x175 #define X86_MSR_IA32_SYSENTER_EIP 0x176 #define X86_MSR_IA32_STAR 0xC0000081 #define X86_MSR_IA32_LSTAR 0xC0000082 #define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B #define X86_NEXT_INSN $0xbadc0de #define X86_PREFIX_SIZE 0xba1d #define KVM_MAX_VCPU 4 #define KVM_PAGE_SIZE (1 << 12) #define KVM_GUEST_MEM_SIZE (1024 * KVM_PAGE_SIZE) #define SZ_4K 0x00001000 #define SZ_64K 0x00010000 #define GENMASK_ULL(h, l) \ (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h)))) #define ARM64_ADDR_GICD_BASE 0x08000000 #define ARM64_ADDR_GITS_BASE 0x08080000 #define ARM64_ADDR_GICR_BASE 0x080a0000 #define ARM64_ADDR_ITS_TABLES 0xc0000000 #define ARM64_ADDR_EXIT 0xdddd0000 #define ARM64_ADDR_UEXIT (ARM64_ADDR_EXIT + 256) #define ARM64_ADDR_DIRTY_PAGES 0xdddd1000 #define ARM64_ADDR_USER_CODE 0xeeee0000 #define ARM64_ADDR_EXECUTOR_CODE 0xeeee8000 #define ARM64_ADDR_SCRATCH_CODE 0xeeef0000 #define ARM64_ADDR_EL1_STACK_BOTTOM 0xffff1000 #define ITS_MAX_DEVICES 16 #define ARM64_ADDR_ITS_DEVICE_TABLE (ARM64_ADDR_ITS_TABLES) #define ARM64_ADDR_ITS_COLL_TABLE (ARM64_ADDR_ITS_DEVICE_TABLE + SZ_64K) #define ARM64_ADDR_ITS_CMDQ_BASE (ARM64_ADDR_ITS_COLL_TABLE + SZ_64K) #define 
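ARM64_ADDR_ITS_ITT_TABLES (ARM64_ADDR_ITS_CMDQ_BASE + SZ_64K)
#define ARM64_ADDR_ITS_PROP_TABLE (ARM64_ADDR_ITS_ITT_TABLES + SZ_64K * ITS_MAX_DEVICES)
#define ARM64_ADDR_ITS_PEND_TABLES (ARM64_ADDR_ITS_PROP_TABLE + SZ_64K)

/* ---- syzos guest API ----------------------------------------------------
 * guest_main() consumes a stream of variable-length commands that the host
 * places at X86_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE.  Every function marked
 * GUEST_CODE is placed in the "guest" section (delimited by __start_guest /
 * __stop_guest above), presumably copied into guest memory as one unit, so
 * nothing in here may reference host data: no lookup tables, no libc, no
 * globals -- only immediates and the fixed guest addresses defined above. */

/* Command ids.  The ids are sparse: an id in a gap below SYZOS_API_STOP is
 * skipped by guest_main(), an id >= SYZOS_API_STOP terminates the stream. */
typedef enum {
	SYZOS_API_UEXIT = 0,
	SYZOS_API_CODE = 10,
	SYZOS_API_CPUID = 20,
	SYZOS_API_WRMSR = 30,
	SYZOS_API_RDMSR = 50,
	SYZOS_API_WR_CRN = 70,
	SYZOS_API_STOP,
} syzos_api_id;

/* Common prefix of every command.  `size` is the total length in bytes of the
 * command including this header; it is what the parser advances by. */
struct api_call_header {
	uint64_t call;
	uint64_t size;
};

struct api_call_uexit {
	struct api_call_header header;
	uint64_t exit_code;
};

/* Raw machine code; its length is header.size - sizeof(header). */
struct api_call_code {
	struct api_call_header header;
	uint8_t insns[];
};

struct api_call_cpuid {
	struct api_call_header header;
	uint32_t eax;
	uint32_t ecx;
};

struct api_call_1 {
	struct api_call_header header;
	uint64_t arg;
};

struct api_call_2 {
	struct api_call_header header;
	uint64_t args[2];
};

static void guest_uexit(uint64_t exit_code);
static void guest_execute_code(uint8_t* insns, uint64_t size);
static void guest_handle_cpuid(uint32_t eax, uint32_t ecx);
static void guest_handle_wrmsr(uint64_t reg, uint64_t val);
static void guest_handle_rdmsr(uint64_t reg);
static void guest_handle_wr_crn(struct api_call_2* cmd);

/* Exit codes reported through guest_uexit().  They sit at the top of the
 * 64-bit range; a SYZOS_API_UEXIT command may still carry any value. */
typedef enum {
	UEXIT_END = (uint64_t)-1,
	UEXIT_IRQ = (uint64_t)-2,
	UEXIT_ASSERT = (uint64_t)-3,
} uexit_code;

/* Guest entry point.  `size` is the number of command bytes the host placed
 * for this `cpu`.  Parsing stops at the first command whose id is out of
 * range or whose length is inconsistent; otherwise the stream ends with an
 * UEXIT_END exit.
 *
 * Input validation (the stream is fuzzer-generated, so treat it as hostile):
 *  - cmd->size < sizeof(header) was previously accepted.  A size of 0 never
 *    advanced `addr`, so the loop re-executed the same command forever and
 *    the vcpu never came back to the host; sizes 1..15 made the next
 *    iteration parse this command's own payload as a header.  Now rejected.
 *  - cmd->size smaller than the struct a given id reads: the typed reads
 *    (exit_code, eax/ecx, args[]) used to run past the bytes `size` vouched
 *    for.  Each id now checks its own minimum.
 *  - cmd->size > size (truncated command): rejected, as before.
 * Dispatch stays a switch on sparse ids as in the original; do not replace it
 * with a lookup table -- the table would live in host .rodata, outside the
 * guest section. */
__attribute__((used)) GUEST_CODE static void guest_main(uint64_t size, uint64_t cpu)
{
	uint64_t addr = X86_ADDR_USER_CODE + cpu * KVM_PAGE_SIZE;

	while (size >= sizeof(struct api_call_header)) {
		struct api_call_header* cmd = (struct api_call_header*)addr;
		if (cmd->call >= SYZOS_API_STOP)
			return;
		if (cmd->size < sizeof(struct api_call_header) || cmd->size > size)
			return;
		switch (cmd->call) {
		case SYZOS_API_UEXIT: {
			struct api_call_uexit* ucmd = (struct api_call_uexit*)cmd;
			if (cmd->size < sizeof(*ucmd))
				return;
			guest_uexit(ucmd->exit_code);
			break;
		}
		case SYZOS_API_CODE: {
			struct api_call_code* ccmd = (struct api_call_code*)cmd;
			uint64_t len = cmd->size - sizeof(struct api_call_header);
			/* An empty payload has nothing to run; jumping to it would
			 * execute the following command's header bytes as code. */
			if (len)
				guest_execute_code(ccmd->insns, len);
			break;
		}
		case SYZOS_API_CPUID: {
			struct api_call_cpuid* ccmd = (struct api_call_cpuid*)cmd;
			if (cmd->size < sizeof(*ccmd))
				return;
			guest_handle_cpuid(ccmd->eax, ccmd->ecx);
			break;
		}
		case SYZOS_API_WRMSR: {
			struct api_call_2* ccmd = (struct api_call_2*)cmd;
			if (cmd->size < sizeof(*ccmd))
				return;
			guest_handle_wrmsr(ccmd->args[0], ccmd->args[1]);
			break;
		}
		case SYZOS_API_RDMSR: {
			struct api_call_1* ccmd = (struct api_call_1*)cmd;
			if (cmd->size < sizeof(*ccmd))
				return;
			guest_handle_rdmsr(ccmd->arg);
			break;
		}
		case SYZOS_API_WR_CRN: {
			if (cmd->size < sizeof(struct api_call_2))
				return;
			guest_handle_wr_crn((struct api_call_2*)cmd);
			break;
		}
		default:
			/* Unassigned id below SYZOS_API_STOP: skip the command. */
			break;
		}
		addr += cmd->size;
		size -= cmd->size;
	}
	guest_uexit((uint64_t)UEXIT_END);
}

/* Jump into fuzzer-supplied machine code.  Nothing about the bytes is
 * validated -- running arbitrary code inside the guest is the purpose.
 * `size` is the payload length computed by guest_main(); it is not used, the
 * code decides for itself when (or whether) it returns. */
GUEST_CODE static noinline void guest_execute_code(uint8_t* insns, uint64_t size)
{
	void (*volatile fn)(void) = (void (*)(void))insns;
	(void)size;
	fn();
}

/* Guest -> host exit: store the code at X86_ADDR_UEXIT (inside the
 * X86_ADDR_EXIT page).  The host side presumably has that page arranged so
 * the write traps; that code is not in this chunk.  volatile keeps the
 * store from being dropped as dead. */
GUEST_CODE static noinline void guest_uexit(uint64_t exit_code)
{
	volatile uint64_t* uexit = (volatile uint64_t*)X86_ADDR_UEXIT;
	*uexit = exit_code;
}

/* Execute CPUID for leaf eax / sub-leaf ecx; the results are discarded, the
 * VM exit is what is exercised.  Fix: the original passed eax/ecx as
 * input-only operands although CPUID overwrites both, which let the compiler
 * keep using those registers afterwards with stale contents; they are now
 * read-write operands. */
GUEST_CODE static noinline void guest_handle_cpuid(uint32_t eax, uint32_t ecx)
{
	asm volatile("cpuid" : "+a"(eax), "+c"(ecx) : : "rbx", "rdx");
}

/* WRMSR reg <- val (edx:eax split).  A rejected MSR or value raises #GP in
 * the guest. */
GUEST_CODE static noinline void guest_handle_wrmsr(uint64_t reg, uint64_t val)
{
	uint32_t lo = (uint32_t)val;
	uint32_t hi = (uint32_t)(val >> 32);
	asm volatile("wrmsr" : : "c"(reg), "a"(lo), "d"(hi) : "memory");
}

/* RDMSR reg; the value is discarded, only the MSR access itself matters. */
GUEST_CODE static noinline void guest_handle_rdmsr(uint64_t reg)
{
	uint32_t lo = 0, hi = 0;
	asm volatile("rdmsr" : "=a"(lo), "=d"(hi) : "c"(reg));
	(void)lo;
	(void)hi;
}

/* Write args[1] into control register args[0] (CR0, CR2, CR3, CR4 or CR8);
 * any other register number is a no-op.  `reg` is volatile as in the
 * original -- presumably to keep the compare chain from being folded into a
 * jump table that would live outside the guest section; kept for that
 * reason. */
GUEST_CODE static noinline void guest_handle_wr_crn(struct api_call_2* cmd)
{
	uint64_t value = cmd->args[1];
	volatile uint64_t reg = cmd->args[0];

	if (reg == 0) {
		asm volatile("movq %0, %%cr0" ::"r"(value) : "memory");
	} else if (reg == 2) {
		asm volatile("movq %0, %%cr2" ::"r"(value) : "memory");
	} else if (reg == 3) {
		asm volatile("movq %0, %%cr3" ::"r"(value) : "memory");
	} else if (reg == 4) {
		asm volatile("movq %0, %%cr4" ::"r"(value) : "memory");
	} else if (reg == 8) {
		asm volatile("movq %0, %%cr8" ::"r"(value) : "memory");
	}
}

/* Identical re-definitions of macros already defined at the top of the file
 * (autogenerated duplication).  Legal in C because every body matches; the
 * run continues on the following line. */
#define X86_ADDR_TEXT 0x0000
#define X86_ADDR_PD_IOAPIC 0x0000
#define X86_ADDR_GDT 0x1000
#define X86_ADDR_LDT 0x1800
#define X86_ADDR_PML4 0x2000
#define X86_ADDR_PDP 0x3000
#define X86_ADDR_PD 0x4000
#define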
X86_ADDR_STACK0 0x0f80 #define X86_ADDR_VAR_HLT 0x2800 #define X86_ADDR_VAR_SYSRET 0x2808 #define X86_ADDR_VAR_SYSEXIT 0x2810 #define X86_ADDR_VAR_IDT 0x3800 #define X86_ADDR_VAR_TSS64 0x3a00 #define X86_ADDR_VAR_TSS64_CPL3 0x3c00 #define X86_ADDR_VAR_TSS16 0x3d00 #define X86_ADDR_VAR_TSS16_2 0x3e00 #define X86_ADDR_VAR_TSS16_CPL3 0x3f00 #define X86_ADDR_VAR_TSS32 0x4800 #define X86_ADDR_VAR_TSS32_2 0x4a00 #define X86_ADDR_VAR_TSS32_CPL3 0x4c00 #define X86_ADDR_VAR_TSS32_VM86 0x4e00 #define X86_ADDR_VAR_VMXON_PTR 0x5f00 #define X86_ADDR_VAR_VMCS_PTR 0x5f08 #define X86_ADDR_VAR_VMEXIT_PTR 0x5f10 #define X86_ADDR_VAR_VMWRITE_FLD 0x5f18 #define X86_ADDR_VAR_VMWRITE_VAL 0x5f20 #define X86_ADDR_VAR_VMXON 0x6000 #define X86_ADDR_VAR_VMCS 0x7000 #define X86_ADDR_VAR_VMEXIT_CODE 0x9000 #define X86_ADDR_VAR_USER_CODE 0x9100 #define X86_ADDR_VAR_USER_CODE2 0x9120 #define X86_ADDR_SMRAM 0x30000 #define X86_ADDR_EXIT 0x40000 #define X86_ADDR_UEXIT (X86_ADDR_EXIT + 256) #define X86_ADDR_DIRTY_PAGES 0x41000 #define X86_ADDR_USER_CODE 0x50000 #define X86_ADDR_EXECUTOR_CODE 0x54000 #define X86_ADDR_SCRATCH_CODE 0x58000 #define X86_ADDR_UNUSED 0x200000 #define X86_ADDR_IOAPIC 0xfec00000 #define X86_CR0_PE 1ULL #define X86_CR0_MP (1ULL << 1) #define X86_CR0_EM (1ULL << 2) #define X86_CR0_TS (1ULL << 3) #define X86_CR0_ET (1ULL << 4) #define X86_CR0_NE (1ULL << 5) #define X86_CR0_WP (1ULL << 16) #define X86_CR0_AM (1ULL << 18) #define X86_CR0_NW (1ULL << 29) #define X86_CR0_CD (1ULL << 30) #define X86_CR0_PG (1ULL << 31) #define X86_CR4_VME 1ULL #define X86_CR4_PVI (1ULL << 1) #define X86_CR4_TSD (1ULL << 2) #define X86_CR4_DE (1ULL << 3) #define X86_CR4_PSE (1ULL << 4) #define X86_CR4_PAE (1ULL << 5) #define X86_CR4_MCE (1ULL << 6) #define X86_CR4_PGE (1ULL << 7) #define X86_CR4_PCE (1ULL << 8) #define X86_CR4_OSFXSR (1ULL << 8) #define X86_CR4_OSXMMEXCPT (1ULL << 10) #define X86_CR4_UMIP (1ULL << 11) #define X86_CR4_VMXE (1ULL << 13) #define X86_CR4_SMXE (1ULL << 14) #define 
X86_CR4_FSGSBASE (1ULL << 16) #define X86_CR4_PCIDE (1ULL << 17) #define X86_CR4_OSXSAVE (1ULL << 18) #define X86_CR4_SMEP (1ULL << 20) #define X86_CR4_SMAP (1ULL << 21) #define X86_CR4_PKE (1ULL << 22) #define X86_EFER_SCE 1ULL #define X86_EFER_LME (1ULL << 8) #define X86_EFER_LMA (1ULL << 10) #define X86_EFER_NXE (1ULL << 11) #define X86_EFER_SVME (1ULL << 12) #define X86_EFER_LMSLE (1ULL << 13) #define X86_EFER_FFXSR (1ULL << 14) #define X86_EFER_TCE (1ULL << 15) #define X86_PDE32_PRESENT 1UL #define X86_PDE32_RW (1UL << 1) #define X86_PDE32_USER (1UL << 2) #define X86_PDE32_PS (1UL << 7) #define X86_PDE64_PRESENT 1 #define X86_PDE64_RW (1ULL << 1) #define X86_PDE64_USER (1ULL << 2) #define X86_PDE64_ACCESSED (1ULL << 5) #define X86_PDE64_DIRTY (1ULL << 6) #define X86_PDE64_PS (1ULL << 7) #define X86_PDE64_G (1ULL << 8) #define X86_SEL_LDT (1 << 3) #define X86_SEL_CS16 (2 << 3) #define X86_SEL_DS16 (3 << 3) #define X86_SEL_CS16_CPL3 ((4 << 3) + 3) #define X86_SEL_DS16_CPL3 ((5 << 3) + 3) #define X86_SEL_CS32 (6 << 3) #define X86_SEL_DS32 (7 << 3) #define X86_SEL_CS32_CPL3 ((8 << 3) + 3) #define X86_SEL_DS32_CPL3 ((9 << 3) + 3) #define X86_SEL_CS64 (10 << 3) #define X86_SEL_DS64 (11 << 3) #define X86_SEL_CS64_CPL3 ((12 << 3) + 3) #define X86_SEL_DS64_CPL3 ((13 << 3) + 3) #define X86_SEL_CGATE16 (14 << 3) #define X86_SEL_TGATE16 (15 << 3) #define X86_SEL_CGATE32 (16 << 3) #define X86_SEL_TGATE32 (17 << 3) #define X86_SEL_CGATE64 (18 << 3) #define X86_SEL_CGATE64_HI (19 << 3) #define X86_SEL_TSS16 (20 << 3) #define X86_SEL_TSS16_2 (21 << 3) #define X86_SEL_TSS16_CPL3 ((22 << 3) + 3) #define X86_SEL_TSS32 (23 << 3) #define X86_SEL_TSS32_2 (24 << 3) #define X86_SEL_TSS32_CPL3 ((25 << 3) + 3) #define X86_SEL_TSS32_VM86 (26 << 3) #define X86_SEL_TSS64 (27 << 3) #define X86_SEL_TSS64_HI (28 << 3) #define X86_SEL_TSS64_CPL3 ((29 << 3) + 3) #define X86_SEL_TSS64_CPL3_HI (30 << 3) #define X86_MSR_IA32_FEATURE_CONTROL 0x3a #define X86_MSR_IA32_VMX_BASIC 0x480 #define 
X86_MSR_IA32_SMBASE 0x9e
#define X86_MSR_IA32_SYSENTER_CS 0x174
#define X86_MSR_IA32_SYSENTER_ESP 0x175
#define X86_MSR_IA32_SYSENTER_EIP 0x176
#define X86_MSR_IA32_STAR 0xC0000081
#define X86_MSR_IA32_LSTAR 0xC0000082
#define X86_MSR_IA32_VMX_PROCBASED_CTLS2 0x48B
/* Placeholder immediates that appear inside the machine-code blobs below
 * (0xbadc0de as a far-jump target, 0xba1d as a return IP).  How and where the
 * host patches them is not visible in this chunk. */
#define X86_NEXT_INSN $0xbadc0de
#define X86_PREFIX_SIZE 0xba1d
#define KVM_MAX_VCPU 4
#define KVM_PAGE_SIZE (1 << 12)
#define KVM_GUEST_MEM_SIZE (1024 * KVM_PAGE_SIZE)
#define SZ_4K 0x00001000
#define SZ_64K 0x00010000
#define GENMASK_ULL(h, l) (((~0ULL) - (1ULL << (l)) + 1ULL) & (~0ULL >> (63 - (h))))
#define ARM64_ADDR_GICD_BASE 0x08000000
#define ARM64_ADDR_GITS_BASE 0x08080000
#define ARM64_ADDR_GICR_BASE 0x080a0000
#define ARM64_ADDR_ITS_TABLES 0xc0000000
#define ARM64_ADDR_EXIT 0xdddd0000
#define ARM64_ADDR_UEXIT (ARM64_ADDR_EXIT + 256)
#define ARM64_ADDR_DIRTY_PAGES 0xdddd1000
#define ARM64_ADDR_USER_CODE 0xeeee0000
#define ARM64_ADDR_EXECUTOR_CODE 0xeeee8000
#define ARM64_ADDR_SCRATCH_CODE 0xeeef0000
#define ARM64_ADDR_EL1_STACK_BOTTOM 0xffff1000
#define ITS_MAX_DEVICES 16
#define ARM64_ADDR_ITS_DEVICE_TABLE (ARM64_ADDR_ITS_TABLES)
#define ARM64_ADDR_ITS_COLL_TABLE (ARM64_ADDR_ITS_DEVICE_TABLE + SZ_64K)
#define ARM64_ADDR_ITS_CMDQ_BASE (ARM64_ADDR_ITS_COLL_TABLE + SZ_64K)
#define ARM64_ADDR_ITS_ITT_TABLES (ARM64_ADDR_ITS_CMDQ_BASE + SZ_64K)
#define ARM64_ADDR_ITS_PROP_TABLE (ARM64_ADDR_ITS_ITT_TABLES + SZ_64K * ITS_MAX_DEVICES)
#define ARM64_ADDR_ITS_PEND_TABLES (ARM64_ADDR_ITS_PROP_TABLE + SZ_64K)

/* Pre-assembled guest code fragments.  They are host-side .rodata; the setup
 * code (syz_kvm_setup_cpu via struct kvm_text, below) presumably copies the
 * chosen one into guest memory before KVM_RUN. */

/* Ring-3 drop, 16-bit encoding:
 *   0f 20 c0 / 66 83 c8 01 / 0f 22 c0   mov eax,cr0; or eax,1 (CR0.PE); mov cr0,eax
 *   b8 a0 00 / 0f 00 d8                 mov ax,0xa0 (X86_SEL_TSS16); ltr ax
 *   b8 2b 00 / 8e d8 8e c0 8e e0 8e e8  mov ax,0x2b (X86_SEL_DS16_CPL3); mov ds/es/fs/gs,ax
 *   bc 00 01                            mov sp,0x100
 *   c7 06 <disp16> <imm16>  x4          [0x100]=0xba1d (X86_PREFIX_SIZE)
 *                                       [0x102]=0x23 (X86_SEL_CS16_CPL3)
 *                                       [0x104]=0x100  [0x106]=0x2b (X86_SEL_DS16_CPL3)
 *   cb                                  retf: pops IP:CS, then SP:SS because the
 *                                       target CPL is 3 -- an inter-privilege return
 *                                       into the user code segment. */
const char kvm_asm16_cpl3[] =
    "\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b"
    "\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba"
    "\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00"
    "\xcb";
/* mov eax,cr0; or eax,0x80000000 (CR0.PG); mov cr0,eax -- turns paging on;
 * CR3 must already point at valid page tables. */
const char kvm_asm32_paged[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
/* mov ax,0xb8 (X86_SEL_TSS32); ltr ax; ljmp 0xd0:0 -- 0xd0 is
 * X86_SEL_TSS32_VM86, so the far jump is a hardware task switch into that TSS
 * (its contents, including EFLAGS.VM, are built by the setup code, not here). */
const char kvm_asm32_vm86[] =
    "\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
/* kvm_asm32_paged followed by kvm_asm32_vm86; bytes continue on the next line. */
const char kvm_asm32_paged_vm86[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8" "\xea\x00\x00\x00\x00\xd0\x00"; const char kvm_asm64_enable_long[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8"; const char kvm_asm64_init_vm[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00" "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f" "\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22" "\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89" "\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3" "\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48" "\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2" "\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83" "\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83" "\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c" "\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff" "\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02" "\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00" "\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08" "\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7" "\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00" "\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c" 
"\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00" "\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00" "\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48" "\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2" "\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02" "\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00" "\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89" "\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2" "\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c" 
"\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20" "\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00" "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00" "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48" "\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7" "\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0" "\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58" "\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00" "\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00" "\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f" "\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79" "\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0" "\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48" "\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7" "\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2" "\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04" "\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48" "\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00" "\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00" "\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48" "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7" "\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0" "\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff" "\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40" "\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00" 
/* Tail of kvm_asm64_init_vm (the initializer starts on the lines above).
 * Every `48 c7 c2 <field> / 48 c7 c0 <value> / 0f 79 d0` triple is
 * `mov rdx,field; mov rax,value; vmwrite rdx,rax`; field numbers are the
 * Intel SDM VMCS encodings.  In order, the bytes below:
 *  - finish the GUEST_CS_AR_BYTES (0x4816) write begun above;
 *  - AR bytes for SS/DS/FS/GS (0x4818..0x481e) = 0x4093, LDTR (0x4820) = 0x82,
 *    TR (0x4822) = 0x8b;
 *  - GUEST_RSP (0x681c) = 0, GUEST_RIP (0x681e) = 0x9100
 *    (X86_ADDR_VAR_USER_CODE), GUEST_RFLAGS (0x6820) = 2;
 *  - GUEST_IA32_EFER (0x2806) = 0x500 (LME|LMA), GUEST_PDPTR0..3
 *    (0x280a..0x2810) = 0;
 *  - GUEST_CR0/CR3/CR4 (0x6800/0x6802/0x6804) copied from the live CR0/CR3/CR4
 *    (`0f 20 c0` mov rax,cr0; `0f 20 d8` cr3; `0f 20 e0` cr4);
 *  - the fuzzer-controlled write: rdx = *(uint64_t*)0x5f18
 *    (X86_ADDR_VAR_VMWRITE_FLD), rcx = *(uint64_t*)0x5f20
 *    (X86_ADDR_VAR_VMWRITE_VAL), rax = vmread(rdx) ^ rcx, vmwrite(rdx, rax).
 *    An arbitrary VMCS field is XORed with an arbitrary value -- this is the
 *    knob that shapes the nested-VMX state and the first place to look when
 *    triaging a crash from this reproducer;
 *  - `0f 01 c2` vmlaunch; if it falls through (launch failed) rax =
 *    vmread(0x4400) (VM_INSTRUCTION_ERROR) and `f4` hlt. */
    "\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00"
    "\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f"
    "\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79"
    "\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0"
    "\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48"
    "\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7"
    "\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
    "\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20"
    "\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28"
    "\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00"
    "\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00"
    "\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48"
    "\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7"
    "\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00"
    "\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89"
    "\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f"
    "\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00"
    "\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01"
    "\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4";
/* VM-exit stub for the L2 guest launched by kvm_asm64_init_vm.  init_vm
 * writes HOST_RIP (0x6c16) from *(X86_ADDR_VAR_VMEXIT_PTR); the host is
 * presumably the one that points that at this code (not visible here).
 * Reads four fields into registers and halts so the host can inspect them:
 *   rdx = vmread(0x4400) VM_INSTRUCTION_ERROR, rcx = vmread(0x4402) EXIT_REASON,
 *   rax = vmread(0x6400) EXIT_QUALIFICATION,   rbx = vmread(0x681e) GUEST_RIP, hlt.
 * (`0f 78 da` is vmread rdx,rbx with the field in rbx, and so on.) */
const char kvm_asm64_vm_exit[] =
    "\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f"
    "\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00"
    "\x00\x0f\x78\xdb\xf4";
/* 64-bit ring-3 drop.  Starts in 32-bit mode (`ea` ljmp is invalid in 64-bit
 * mode): mov eax,cr0; or eax,0x80000000 (CR0.PG); mov cr0,eax; ljmp
 * 0x50:0xbadc0de (X86_SEL_CS64 : X86_NEXT_INSN placeholder) -- from here on
 * 64-bit code: mov rax,0xd8 (X86_SEL_TSS64); ltr ax; mov rax,0x6b
 * (X86_SEL_DS64_CPL3); mov ds/es/fs/gs,ax; mov rsp,0xf80 (X86_ADDR_STACK0);
 * four overlapping `mov qword [rsp+N],imm32` stores (N = 0,4,8,12) that leave
 * 32-bit slots EIP=0xba1d (X86_PREFIX_SIZE), CS=0x63 (X86_SEL_CS64_CPL3),
 * ESP=0xf80, SS=0x6b; `cb` retf with 32-bit operand size pops them as an
 * inter-privilege far return into CPL3. */
const char kvm_asm64_cpl3[] =
    "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00"
    "\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e"
    "\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24"
    "\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08"
    "\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb";
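#define KVM_SMI _IO(KVMIO, 0xb7)

/* Hardware task-state segment layouts (Intel SDM vol. 3, "Task Management").
 * All three are packed so the field offsets match what the CPU reads on a
 * task switch or when it fetches a ring-0 stack pointer. */
struct tss16 {
	uint16_t prev;
	uint16_t sp0;
	uint16_t ss0;
	uint16_t sp1;
	uint16_t ss1;
	uint16_t sp2;
	uint16_t ss2;
	uint16_t ip;
	uint16_t flags;
	uint16_t ax;
	uint16_t cx;
	uint16_t dx;
	uint16_t bx;
	uint16_t sp;
	uint16_t bp;
	uint16_t si;
	uint16_t di;
	uint16_t es;
	uint16_t cs;
	uint16_t ss;
	uint16_t ds;
	uint16_t ldt;
} __attribute__((packed));

struct tss32 {
	uint16_t prev, prevh;
	uint32_t sp0;
	uint16_t ss0, ss0h;
	uint32_t sp1;
	uint16_t ss1, ss1h;
	uint32_t sp2;
	uint16_t ss2, ss2h;
	uint32_t cr3;
	uint32_t ip;
	uint32_t flags;
	uint32_t ax;
	uint32_t cx;
	uint32_t dx;
	uint32_t bx;
	uint32_t sp;
	uint32_t bp;
	uint32_t si;
	uint32_t di;
	uint16_t es, esh;
	uint16_t cs, csh;
	uint16_t ss, ssh;
	uint16_t ds, dsh;
	uint16_t fs, fsh;
	uint16_t gs, gsh;
	uint16_t ldt, ldth;
	uint16_t trace;
	uint16_t io_bitmap;
} __attribute__((packed));

struct tss64 {
	uint32_t reserved0;
	uint64_t rsp[3]; /* RSP0..RSP2: stack used when entering CPL0..2 */
	uint64_t reserved1;
	uint64_t ist[7];
	uint64_t reserved2;
	uint32_t reserved3;
	uint32_t io_bitmap; /* offset of the I/O permission bitmap from the TSS base */
} __attribute__((packed));

/* Pack seg into an 8-byte GDT/LDT descriptor and store it at index
 * seg->selector >> 3 in both tables (dt = GDT, lt = LDT).  Table lengths are
 * not checked; every caller in this file uses selectors inside the 256-entry
 * tables set up below.
 *
 * Layout (SDM vol. 3, "Segment Descriptors"): limit[15:0] at bits 0-15,
 * base[23:0] at 16-39, type/S/DPL/P at 40-47, limit[19:16] at 48-51,
 * AVL/L/D-B/G at 52-55, base[31:24] at 56-63.  When G is set the kvm_segment
 * limit is in bytes and is converted back to 4 KiB pages first.
 *
 * Fix: the two high fields were shifted by 48 and 56, which moved limit bits
 * 16-19 and base bits 24-31 past bit 63, so the in-memory descriptors
 * silently lost them (a g=1 4 GiB segment came out as 256 MiB, a g=0 1 MiB
 * segment as 64 KiB, any base >= 16 MiB lost its top byte).  KVM_SET_SREGS
 * loads the segment caches from the kvm_segment itself, so the bug only
 * showed once the guest reloaded a selector from memory (ltr, mov ds, retf,
 * ljmp in the blobs above).  Both shifts are now 32.
 *
 * The IDT builders below reuse this packer for gate descriptors by passing
 * the target selector in seg->base and the handler offset in seg->limit;
 * that is exact only while the offset fits in 16 bits (offset[31:16] belongs
 * in bits 48-63 of a gate), which holds for X86_ADDR_VAR_USER_CODE2. */
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	uint16_t index = seg->selector >> 3;
	uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
	uint64_t sd = (limit & 0xffff) |
		      (seg->base & 0xffffff) << 16 |
		      (uint64_t)seg->type << 40 |
		      (uint64_t)seg->s << 44 |
		      (uint64_t)seg->dpl << 45 |
		      (uint64_t)seg->present << 47 |
		      (limit & 0xf0000ULL) << 32 |
		      (uint64_t)seg->avl << 52 |
		      (uint64_t)seg->l << 53 |
		      (uint64_t)seg->db << 54 |
		      (uint64_t)seg->g << 55 |
		      (seg->base & 0xff000000ULL) << 32;
	dt[index] = sd;
	lt[index] = sd;
}

/* 16-byte (64-bit mode) system descriptor: the low qword is an ordinary
 * descriptor, the high qword carries base[63:32] in its low dword and must
 * otherwise be zero.  The high qword used to be a constant 0, which is the
 * same result for every base below 4 GiB in this file; for a gate "base" is
 * the selector, so the high qword is again 0 (the gate offsets used here all
 * fit in 32 bits). */
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt, struct kvm_segment* seg)
{
	fill_segment_descriptor(dt, lt, seg);
	uint16_t index = seg->selector >> 3;
	uint64_t hi = seg->base >> 32;
	dt[index + 1] = hi;
	lt[index + 1] = hi;
}

/* Program the SYSENTER/SYSCALL entry points of the vcpu: SYSENTER lands at
 * X86_ADDR_VAR_SYSEXIT with CS = sel_cs on the ring-0 stack X86_ADDR_STACK0;
 * SYSCALL lands at X86_ADDR_VAR_SYSRET, STAR holding the ring-0 CS/SS base in
 * bits 47:32 and the SYSRET (ring-3) base in bits 63:48.  The KVM_SET_MSRS
 * result is not checked, consistent with the rest of this file; a rejected
 * MSR leaves the previous value in place. */
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
	char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
	memset(buf, 0, sizeof(buf));
	struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
	struct kvm_msr_entry* entries = msrs->entries;
	msrs->nmsrs = 5;
	entries[0].index = X86_MSR_IA32_SYSENTER_CS;
	entries[0].data = sel_cs;
	entries[1].index = X86_MSR_IA32_SYSENTER_ESP;
	entries[1].data = X86_ADDR_STACK0;
	entries[2].index = X86_MSR_IA32_SYSENTER_EIP;
	entries[2].data = X86_ADDR_VAR_SYSEXIT;
	entries[3].index = X86_MSR_IA32_STAR;
	entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
	entries[4].index = X86_MSR_IA32_LSTAR;
	entries[4].data = X86_ADDR_VAR_SYSRET;
	ioctl(cpufd, KVM_SET_MSRS, msrs);
}

/* Build a 32-entry legacy IDT at X86_ADDR_VAR_IDT, every vector pointing at
 * X86_ADDR_VAR_USER_CODE2.  The descriptor type cycles through six shapes:
 * 6/7 = 16-bit interrupt/trap gate via CS16, 14/15 = 32-bit interrupt/trap
 * gate via CS32, and 3/11 with the TGATE16/TGATE32 selectors.  Note that per
 * the SDM type encoding 3 and 11 are the *busy TSS* types, not task gates
 * (type 5); delivering an exception through such an entry is expected to
 * fault.  Kept as is -- a fuzzer reproducer may rely on exactly that. */
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = i << 3;
		switch (i % 6) {
		case 0:
			gate.type = 6;
			gate.base = X86_SEL_CS16;
			break;
		case 1:
			gate.type = 7;
			gate.base = X86_SEL_CS16;
			break;
		case 2:
			gate.type = 3;
			gate.base = X86_SEL_TGATE16;
			break;
		case 3:
			gate.type = 14;
			gate.base = X86_SEL_CS32;
			break;
		case 4:
			gate.type = 15;
			gate.base = X86_SEL_CS32;
			break;
		case 5:
			gate.type = 11;
			gate.base = X86_SEL_TGATE32;
			break;
		}
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor(idt, idt, &gate);
	}
}

/* Build a 32-entry 64-bit IDT at X86_ADDR_VAR_IDT: 16-byte gates (hence the
 * (i * 2) << 3 selector spacing), alternating trap (15, even vectors) and
 * interrupt (14, odd vectors) gates through CS64 to X86_ADDR_VAR_USER_CODE2.
 * 32 gates x 16 bytes = 512 bytes, exactly the 0x1ff limit. */
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem, uintptr_t guest_mem)
{
	sregs->idt.base = guest_mem + X86_ADDR_VAR_IDT;
	sregs->idt.limit = 0x1ff;
	uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
	for (int i = 0; i < 32; i++) {
		struct kvm_segment gate;
		gate.selector = (i * 2) << 3;
		gate.type = (i & 1) ? 14 : 15;
		gate.base = X86_SEL_CS64;
		gate.limit = guest_mem + X86_ADDR_VAR_USER_CODE2;
		gate.present = 1;
		gate.dpl = 0;
		gate.s = 0;
		gate.g = 0;
		gate.db = 0;
		gate.l = 0;
		gate.avl = 0;
		fill_segment_descriptor_dword(idt, idt, &gate);
	}
}

/* One guest code blob to load: typ selects the setup flavour, text/size the
 * bytes (see syz_kvm_setup_cpu below). */
struct kvm_text {
	uintptr_t typ;
	const void* text;
	uintptr_t size;
};

/* Key/value option passed to syz_kvm_setup_cpu. */
struct kvm_opt {
	uint64_t typ;
	uint64_t val;
};

#define PAGE_MASK GENMASK_ULL(51, 12)

/* 4-level page tables for the long-mode guest: identity-map the first 2 MiB
 * with one large page, and map one 2 MiB page at guest virtual 0xfec00000
 * (X86_ADDR_IOAPIC; pdp[3] covers 3-4 GiB and entry 502 of that PD is
 * 3 GiB + 502 * 2 MiB).  No entry carries X86_PDE64_USER, so these mappings
 * are supervisor-only.
 *
 * Two things a reader should know:
 *  - pd_ioapic lives at X86_ADDR_PD_IOAPIC == X86_ADDR_TEXT == 0, so entry
 *    502 is written at guest physical 0xfb0 -- in the same page as the guest
 *    text and just above the initial stack top (X86_ADDR_STACK0 = 0xf80; the
 *    stack grows down).  Text longer than 0xfb0 bytes would overwrite it.
 *  - the entry carries no physical-address bits, so 0xfec00000 currently maps
 *    guest physical 0, the same frame as pd[0], rather than the IOAPIC.  If
 *    the IOAPIC was the intended target the entry needs
 *    `| (X86_ADDR_IOAPIC & PAGE_MASK)`; left unchanged here because the
 *    reproducer's behaviour may depend on the mapping as it is. */
static void setup_pg_table(void* host_mem)
{
	uint64_t* pml4 = (uint64_t*)((uint64_t)host_mem + X86_ADDR_PML4);
	uint64_t* pdp = (uint64_t*)((uint64_t)host_mem + X86_ADDR_PDP);
	uint64_t* pd = (uint64_t*)((uint64_t)host_mem + X86_ADDR_PD);
	uint64_t* pd_ioapic = (uint64_t*)((uint64_t)host_mem + X86_ADDR_PD_IOAPIC);
	pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | (X86_ADDR_PDP & PAGE_MASK);
	pdp[0] = X86_PDE64_PRESENT | X86_PDE64_RW | (X86_ADDR_PD & PAGE_MASK);
	pdp[3] = X86_PDE64_PRESENT | X86_PDE64_RW | (X86_ADDR_PD_IOAPIC & PAGE_MASK);
	pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_PS;
	pd_ioapic[502] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_PS;
}

/* Put the vcpu straight into 64-bit long mode with paging for the syzos guest
 * (guest_main): GDT at X86_ADDR_GDT, LDT at X86_ADDR_LDT, a flat 64-bit code
 * and data segment, a 64-bit TSS whose RSP0..2 all point at X86_ADDR_STACK0,
 * and the page tables from setup_pg_table().  Only CS/DS/ES are replaced in
 * sregs; SS/FS/GS keep whatever KVM_GET_SREGS returned.
 *
 * Fix: a failed KVM_GET_SREGS used to leave `sregs` uninitialised and the
 * code went on to `|=` into it; it now returns early, matching the check in
 * syz_kvm_setup_cpu below.  The KVM_SET_SREGS result is still not checked,
 * consistent with the file.
 *
 * Notes for the reader:
 *  - X86_CR4_OSFXSR is defined above as bit 8, which in the SDM is CR4.PCE
 *    (user-mode RDPMC); OSFXSR is bit 9.  Whatever the intent, this call sets
 *    bit 8 -- confirm before relying on FXSAVE/SSE state in the guest.
 *  - tss64.io_bitmap points right after the fixed part of the TSS; what the
 *    CPU reads as the permission bitmap is whatever follows in that page up
 *    to the 0x1ff limit.  Not relied upon by this code as far as is visible. */
static void setup_gdt_ldt_pg(int cpufd, void* host_mem)
{
	struct kvm_sregs sregs;
	if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
		return;
	sregs.gdt.base = X86_ADDR_GDT;
	sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
	uint64_t* gdt = (uint64_t*)((uint64_t)host_mem + sregs.gdt.base);

	struct kvm_segment seg_ldt;
	memset(&seg_ldt, 0, sizeof(seg_ldt));
	seg_ldt.selector = X86_SEL_LDT;
	seg_ldt.type = 2;
	seg_ldt.base = X86_ADDR_LDT;
	seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
	seg_ldt.present = 1;
	seg_ldt.dpl = 0;
	seg_ldt.s = 0;
	seg_ldt.g = 0;
	seg_ldt.db = 1;
	seg_ldt.l = 0;
	sregs.ldt = seg_ldt;
	uint64_t* ldt = (uint64_t*)((uint64_t)host_mem + sregs.ldt.base);

	struct kvm_segment seg_cs64;
	memset(&seg_cs64, 0, sizeof(seg_cs64));
	seg_cs64.selector = X86_SEL_CS64;
	seg_cs64.type = 11;
	seg_cs64.base = 0;
	seg_cs64.limit = 0xFFFFFFFFu;
	seg_cs64.present = 1;
	seg_cs64.s = 1;
	seg_cs64.g = 1;
	seg_cs64.l = 1;
	sregs.cs = seg_cs64;

	struct kvm_segment seg_ds64;
	memset(&seg_ds64, 0, sizeof(struct kvm_segment));
	seg_ds64.selector = X86_SEL_DS64;
	seg_ds64.type = 3;
	seg_ds64.limit = 0xFFFFFFFFu;
	seg_ds64.present = 1;
	seg_ds64.s = 1;
	seg_ds64.g = 1;
	sregs.ds = seg_ds64;
	sregs.es = seg_ds64;

	struct kvm_segment seg_tss64;
	memset(&seg_tss64, 0, sizeof(seg_tss64));
	seg_tss64.selector = X86_SEL_TSS64;
	seg_tss64.base = X86_ADDR_VAR_TSS64;
	seg_tss64.limit = 0x1ff;
	seg_tss64.type = 9;
	seg_tss64.present = 1;

	struct tss64 tss64;
	memset(&tss64, 0, sizeof(tss64));
	tss64.rsp[0] = X86_ADDR_STACK0;
	tss64.rsp[1] = X86_ADDR_STACK0;
	tss64.rsp[2] = X86_ADDR_STACK0;
	tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
	struct tss64* tss64_addr = (struct tss64*)((uint64_t)host_mem + seg_tss64.base);
	memcpy(tss64_addr, &tss64, sizeof(tss64));

	fill_segment_descriptor(gdt, ldt, &seg_ldt);
	fill_segment_descriptor(gdt, ldt, &seg_cs64);
	fill_segment_descriptor(gdt, ldt, &seg_ds64);
	fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);

	setup_pg_table(host_mem);
	sregs.cr0 = X86_CR0_PE | X86_CR0_NE | X86_CR0_PG;
	sregs.cr4 |= X86_CR4_PAE | X86_CR4_OSFXSR;
	sregs.efer |= (X86_EFER_LME | X86_EFER_LMA | X86_EFER_NXE);
	sregs.cr3 = X86_ADDR_PML4;
	ioctl(cpufd, KVM_SET_SREGS, &sregs);
}

/* Copy the host-supported CPUID leaves into the vcpu.  The function continues
 * on the next line (nent = 128, KVM_GET_SUPPORTED_CPUID, KVM_SET_CPUID2,
 * close).  Fix: a failed open() used to go unnoticed -- kvmfd = -1 was fed to
 * ioctl() and close(), and an all-zero 128-entry table was installed; it now
 * returns early and leaves the vcpu's CPUID untouched. */
static void setup_cpuid(int cpufd)
{
	int kvmfd = open("/dev/kvm", O_RDWR);
	if (kvmfd < 0)
		return;
	char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
	memset(buf, 0, sizeof(buf));
	struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;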
cpuid->nent = 128;
/* Tail of setup_cpuid(): mirror the host's supported CPUID leaves into the
 * vCPU. Neither ioctl result is checked, and kvmfd (opened at the start of
 * setup_cpuid, before this span) is used without validating the open(). */
ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
ioctl(cpufd, KVM_SET_CPUID2, cpuid);
close(kvmfd);
}

/* Bits of the `flags` argument to syz_kvm_setup_cpu(). KVM_SETUP_PAE is
 * declared here but is never tested in the function below. */
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)

/*
 * syz_kvm_setup_cpu - syzkaller pseudo-syscall: prepare one KVM vCPU to run
 * fuzzer-supplied x86 guest code in a chosen CPU mode.
 *
 * This is crash-reproducer code, not a hypervisor. It deliberately hands KVM
 * unusual state (an SMI injected before the first KVM_RUN, VMX bring-up,
 * call/task gates, opt-driven CR0/CR4/EFER bit flips) and checks almost no
 * return values. Treat it as hostile: run it only inside a disposable VM on
 * a kernel you are willing to crash, never on a shared host.
 *
 * Arguments (passed as `volatile long` per the syzkaller executor ABI):
 *   a0  vmfd        KVM VM fd
 *   a1  cpufd       KVM vCPU fd
 *   a2  host_mem    host backing for guest memory; 24 pages are registered
 *                   from it and all X86_ADDR_* scratch areas are written
 *                   relative to it
 *   a3  text array  pointer to struct kvm_text; only element [0] is used
 *   a4  text count  ignored ((void)text_count)
 *   a5  flags       KVM_SETUP_* bits above
 *   a6  opt array   pointer to struct kvm_opt entries
 *   a7  opt count   clamped to 2 below
 *
 * Returns 0 on success, -1 if KVM_GET_SREGS, KVM_SET_SREGS or KVM_SET_REGS
 * fails. Every other ioctl result (memslots, CPUID, KVM_SMI) is ignored.
 * The exit(1) in the opt switch is unreachable (typ % 9 is always 0..8).
 */
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
{
    const int vmfd = a0;
    const int cpufd = a1;
    char* const host_mem = (char*)a2;
    const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
    const uintptr_t text_count = a4;
    const uintptr_t flags = a5;
    const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
    uintptr_t opt_count = a7;
    const uintptr_t page_size = 4 << 10;
    const uintptr_t ioapic_page = 10;
    const uintptr_t guest_mem_size = 24 * page_size; /* 96 KiB */
    const uintptr_t guest_mem = 0; /* guest-physical base; X86_ADDR_* are offsets from it */
    (void)text_count;
    /* Only text[0] is honoured; the text pointer is not validated here (the
     * caller in main() below passes text=NULL with size=0). */
    int text_type = text_array_ptr[0].typ;
    const void* text = text_array_ptr[0].text;
    uintptr_t text_size = text_array_ptr[0].size;

    /* One memslot per page, identity-mapped at GPA 0 from host_mem, except
     * page 10, which is placed at 0xfec00000 (the IOAPIC address) instead;
     * this leaves GPA 0xa000-0xafff unbacked. Results are not checked. */
    for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
        struct kvm_userspace_memory_region memreg;
        memreg.slot = i;
        memreg.flags = 0;
        memreg.guest_phys_addr = guest_mem + i * page_size;
        if (i == ioapic_page)
            memreg.guest_phys_addr = 0xfec00000;
        memreg.memory_size = page_size;
        memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
        ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
    }
    /* A second, 64 KiB mapping of host_mem[0..0x10000) at GPA 0x30000
     * (X86_ADDR_SMRAM). The high 16 bits of `slot` are presumably the KVM
     * address-space id (1 == SMM) -- confirm against the
     * KVM_SET_USER_MEMORY_REGION documentation. Because the same host bytes
     * back GPA 0 and GPA 0x30000, anything written at X86_ADDR_TEXT below is
     * also reachable through the SMRAM alias. */
    struct kvm_userspace_memory_region memreg;
    memreg.slot = 1 + (1 << 16);
    memreg.flags = 0;
    memreg.guest_phys_addr = 0x30000;
    memreg.memory_size = 64 << 10;
    memreg.userspace_addr = (uintptr_t)host_mem;
    ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);

    /* Start from whatever KVM reports and patch it; this is one of only
     * three ioctls whose failure is propagated. */
    struct kvm_sregs sregs;
    if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
        return -1;
    struct kvm_regs regs;
    /* NOTE(review): "®s" is an extraction artifact of "&regs" (the HTML
     * entity "&reg;" was decoded by whatever produced this page); the same
     * artifact appears at the KVM_SET_REGS call at the end. Restore "&regs"
     * before compiling. */
    memset(®s, 0, sizeof(regs));
    regs.rip = guest_mem + X86_ADDR_TEXT;
    regs.rsp = X86_ADDR_STACK0;

    /* GDT and LDT live inside guest memory; `gdt`/`ldt` are the host-side
     * views that fill_segment_descriptor*() (defined elsewhere in this file)
     * presumably encode the kvm_segment structs into. */
    sregs.gdt.base = guest_mem + X86_ADDR_GDT;
    sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
    uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);
    struct kvm_segment seg_ldt;
    memset(&seg_ldt, 0, sizeof(seg_ldt));
    seg_ldt.selector = X86_SEL_LDT;
    seg_ldt.type = 2;
    seg_ldt.base = guest_mem + X86_ADDR_LDT;
    seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
    seg_ldt.present = 1;
    seg_ldt.dpl = 0;
    seg_ldt.s = 0;
    seg_ldt.g = 0;
    seg_ldt.db = 1;
    seg_ldt.l = 0;
    sregs.ldt = seg_ldt;
    uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);

    /* Code/data segments. seg_cs16 is the template; every other CS/DS is a
     * struct copy with only selector/type/dpl/db/l changed. All of them are
     * flat (base 0, limit 0xfffff, g=0), so they do not isolate anything. */
    struct kvm_segment seg_cs16;
    memset(&seg_cs16, 0, sizeof(seg_cs16));
    seg_cs16.selector = X86_SEL_CS16;
    seg_cs16.type = 11;
    seg_cs16.base = 0;
    seg_cs16.limit = 0xfffff;
    seg_cs16.present = 1;
    seg_cs16.dpl = 0;
    seg_cs16.s = 1;
    seg_cs16.g = 0;
    seg_cs16.db = 0;
    seg_cs16.l = 0;
    struct kvm_segment seg_ds16 = seg_cs16;
    seg_ds16.selector = X86_SEL_DS16;
    seg_ds16.type = 3;
    struct kvm_segment seg_cs16_cpl3 = seg_cs16;
    seg_cs16_cpl3.selector = X86_SEL_CS16_CPL3;
    seg_cs16_cpl3.dpl = 3;
    struct kvm_segment seg_ds16_cpl3 = seg_ds16;
    seg_ds16_cpl3.selector = X86_SEL_DS16_CPL3;
    seg_ds16_cpl3.dpl = 3;
    struct kvm_segment seg_cs32 = seg_cs16;
    seg_cs32.selector = X86_SEL_CS32;
    seg_cs32.db = 1;
    struct kvm_segment seg_ds32 = seg_ds16;
    seg_ds32.selector = X86_SEL_DS32;
    seg_ds32.db = 1;
    struct kvm_segment seg_cs32_cpl3 = seg_cs32;
    seg_cs32_cpl3.selector = X86_SEL_CS32_CPL3;
    seg_cs32_cpl3.dpl = 3;
    struct kvm_segment seg_ds32_cpl3 = seg_ds32;
    seg_ds32_cpl3.selector = X86_SEL_DS32_CPL3;
    seg_ds32_cpl3.dpl = 3;
    struct kvm_segment seg_cs64 = seg_cs16;
    seg_cs64.selector = X86_SEL_CS64;
    seg_cs64.l = 1;
    struct kvm_segment seg_ds64 = seg_ds32;
    seg_ds64.selector = X86_SEL_DS64;
    struct kvm_segment seg_cs64_cpl3 = seg_cs64;
    seg_cs64_cpl3.selector = X86_SEL_CS64_CPL3;
    seg_cs64_cpl3.dpl = 3;
    struct kvm_segment seg_ds64_cpl3 = seg_ds64;
    seg_ds64_cpl3.selector = X86_SEL_DS64_CPL3;
    seg_ds64_cpl3.dpl = 3;

    /* TSS descriptors. seg_tss32 is the template (type 9, limit 0x1ff); the
     * 16-bit variants switch to type 1 / limit 0xff. Each points at its own
     * X86_ADDR_VAR_TSS* scratch area, filled in further down. */
    struct kvm_segment seg_tss32;
    memset(&seg_tss32, 0, sizeof(seg_tss32));
    seg_tss32.selector = X86_SEL_TSS32;
    seg_tss32.type = 9;
    seg_tss32.base = X86_ADDR_VAR_TSS32;
    seg_tss32.limit = 0x1ff;
    seg_tss32.present = 1;
    seg_tss32.dpl = 0;
    seg_tss32.s = 0;
    seg_tss32.g = 0;
    seg_tss32.db = 0;
    seg_tss32.l = 0;
    struct kvm_segment seg_tss32_2 = seg_tss32;
    seg_tss32_2.selector = X86_SEL_TSS32_2;
    seg_tss32_2.base = X86_ADDR_VAR_TSS32_2;
    struct kvm_segment seg_tss32_cpl3 = seg_tss32;
    seg_tss32_cpl3.selector = X86_SEL_TSS32_CPL3;
    seg_tss32_cpl3.base = X86_ADDR_VAR_TSS32_CPL3;
    struct kvm_segment seg_tss32_vm86 = seg_tss32;
    seg_tss32_vm86.selector = X86_SEL_TSS32_VM86;
    seg_tss32_vm86.base = X86_ADDR_VAR_TSS32_VM86;
    struct kvm_segment seg_tss16 = seg_tss32;
    seg_tss16.selector = X86_SEL_TSS16;
    seg_tss16.base = X86_ADDR_VAR_TSS16;
    seg_tss16.limit = 0xff;
    seg_tss16.type = 1;
    struct kvm_segment seg_tss16_2 = seg_tss16;
    seg_tss16_2.selector = X86_SEL_TSS16_2;
    seg_tss16_2.base = X86_ADDR_VAR_TSS16_2;
    seg_tss16_2.dpl = 0;
    struct kvm_segment seg_tss16_cpl3 = seg_tss16;
    seg_tss16_cpl3.selector = X86_SEL_TSS16_CPL3;
    seg_tss16_cpl3.base = X86_ADDR_VAR_TSS16_CPL3;
    seg_tss16_cpl3.dpl = 3;
    struct kvm_segment seg_tss64 = seg_tss32;
    seg_tss64.selector = X86_SEL_TSS64;
    seg_tss64.base = X86_ADDR_VAR_TSS64;
    seg_tss64.limit = 0x1ff;
    struct kvm_segment seg_tss64_cpl3 = seg_tss64;
    seg_tss64_cpl3.selector = X86_SEL_TSS64_CPL3;
    seg_tss64_cpl3.base = X86_ADDR_VAR_TSS64_CPL3;
    seg_tss64_cpl3.dpl = 3;

    /* Call and task gates. kvm_segment is reused as a gate container: `base`
     * carries the target selector (plus a 2-dword param count for call
     * gates) and `limit` the target offset. */
    struct kvm_segment seg_cgate16;
    memset(&seg_cgate16, 0, sizeof(seg_cgate16));
    seg_cgate16.selector = X86_SEL_CGATE16;
    seg_cgate16.type = 4;
    seg_cgate16.base = X86_SEL_CS16 | (2 << 16);
    seg_cgate16.limit = X86_ADDR_VAR_USER_CODE2;
    seg_cgate16.present = 1;
    seg_cgate16.dpl = 0;
    seg_cgate16.s = 0;
    seg_cgate16.g = 0;
    seg_cgate16.db = 0;
    seg_cgate16.l = 0;
    seg_cgate16.avl = 0;
    struct kvm_segment seg_tgate16 = seg_cgate16;
    seg_tgate16.selector = X86_SEL_TGATE16;
    seg_tgate16.type = 3;
    /* NOTE(review): this assigns seg_cgate16.base, not seg_tgate16.base,
     * even though it sits between two seg_tgate16 assignments. Net effect as
     * written: the 16-bit task gate keeps the call gate's target
     * (X86_SEL_CS16 | 2<<16), the 16-bit call gate's target becomes the
     * TSS16_2 selector, and seg_cgate32/seg_cgate64 below copy the already
     * rewritten seg_cgate16 (they then overwrite .base themselves). This is
     * most likely a copy-paste slip for `seg_tgate16.base`, but it is left
     * untouched here because a reproducer has to replay exactly what the
     * fuzzer executed. */
    seg_cgate16.base = X86_SEL_TSS16_2;
    seg_tgate16.limit = 0;
    struct kvm_segment seg_cgate32 = seg_cgate16;
    seg_cgate32.selector = X86_SEL_CGATE32;
    seg_cgate32.type = 12;
    seg_cgate32.base = X86_SEL_CS32 | (2 << 16);
    struct kvm_segment seg_tgate32 = seg_cgate32;
    seg_tgate32.selector = X86_SEL_TGATE32;
    seg_tgate32.type = 11;
    seg_tgate32.base = X86_SEL_TSS32_2;
    seg_tgate32.limit = 0;
    struct kvm_segment seg_cgate64 = seg_cgate16;
    seg_cgate64.selector = X86_SEL_CGATE64;
    seg_cgate64.type = 12;
    seg_cgate64.base = X86_SEL_CS64;

    /* Inline copy of setup_cpuid(): the host-supported leaves are handed to
     * the vCPU as-is. open() is not checked; if it fails, KVM_GET_SUPPORTED_CPUID
     * fails too and the zero-filled buffer with nent=128 is still passed to
     * KVM_SET_CPUID2. */
    int kvmfd = open("/dev/kvm", O_RDWR);
    char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
    memset(buf, 0, sizeof(buf));
    struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
    cpuid->nent = 128;
    ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
    ioctl(cpufd, KVM_SET_CPUID2, cpuid);
    close(kvmfd);

    /* Mode selection. text_type is the guest bitness (8 = real mode,
     * 16, 32, anything else = 64-bit). text_prefix, when set, is a
     * kvm_asm* byte string (declared elsewhere in this file) that is placed
     * in front of the fuzzer text; host_text is where the prefix+text is
     * written in host memory. */
    const char* text_prefix = 0;
    int text_prefix_size = 0;
    char* host_text = host_mem + X86_ADDR_TEXT;
    if (text_type == 8) {
        if (flags & KVM_SETUP_SMM) {
            if (flags & KVM_SETUP_PROTECTED) {
                sregs.cs = seg_cs16;
                sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
                sregs.cr0 |= X86_CR0_PE;
            } else {
                sregs.cs.selector = 0;
                sregs.cs.base = 0;
            }
            /* Park a HLT at the normal entry point and put the code at
             * host_mem+0x8000 instead; KVM_SMI is injected before the
             * registers are even set. Presumably 0x8000 is the SMM entry
             * offset reached via the 0x30000 SMRAM alias registered above. */
            *(host_mem + X86_ADDR_TEXT) = 0xf4;
            host_text = host_mem + 0x8000;
            ioctl(cpufd, KVM_SMI, 0);
        } else if (flags & KVM_SETUP_VIRT86) {
            sregs.cs = seg_cs32;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
            sregs.cr0 |= X86_CR0_PE;
            sregs.efer |= X86_EFER_SCE;
            setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3);
            setup_32bit_idt(&sregs, host_mem, guest_mem);
            if (flags & KVM_SETUP_PAGING) {
                /* Single 4 MiB PSE page at 0, user-writable. */
                uint64_t pd_addr = guest_mem + X86_ADDR_PD;
                uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
                pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
                sregs.cr3 = pd_addr;
                sregs.cr4 |= X86_CR4_PSE;
                text_prefix = kvm_asm32_paged_vm86;
                text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1;
            } else {
                text_prefix = kvm_asm32_vm86;
                text_prefix_size = sizeof(kvm_asm32_vm86) - 1;
            }
        } else {
            sregs.cs.selector = 0;
            sregs.cs.base = 0;
        }
    } else if (text_type == 16) {
        if (flags & KVM_SETUP_CPL3) {
            sregs.cs = seg_cs16;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
            text_prefix = kvm_asm16_cpl3;
            text_prefix_size = sizeof(kvm_asm16_cpl3) - 1;
        } else {
            sregs.cr0 |= X86_CR0_PE;
            sregs.cs = seg_cs16;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
        }
    } else if (text_type == 32) {
        sregs.cr0 |= X86_CR0_PE;
        sregs.efer |= X86_EFER_SCE;
        setup_syscall_msrs(cpufd, X86_SEL_CS32, X86_SEL_CS32_CPL3);
        setup_32bit_idt(&sregs, host_mem, guest_mem);
        if (flags & KVM_SETUP_SMM) {
            sregs.cs = seg_cs32;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
            *(host_mem + X86_ADDR_TEXT) = 0xf4;
            host_text = host_mem + 0x8000;
            ioctl(cpufd, KVM_SMI, 0);
        } else if (flags & KVM_SETUP_PAGING) {
            sregs.cs = seg_cs32;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
            uint64_t pd_addr = guest_mem + X86_ADDR_PD;
            uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
            pd[0] = X86_PDE32_PRESENT | X86_PDE32_RW | X86_PDE32_USER | X86_PDE32_PS;
            sregs.cr3 = pd_addr;
            sregs.cr4 |= X86_CR4_PSE;
            text_prefix = kvm_asm32_paged;
            text_prefix_size = sizeof(kvm_asm32_paged) - 1;
        } else if (flags & KVM_SETUP_CPL3) {
            sregs.cs = seg_cs32_cpl3;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3;
        } else {
            sregs.cs = seg_cs32;
            sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
        }
    } else {
        /* 64-bit. The vCPU is started in 32-bit protected mode with EFER.LME
         * set and a PML4 prepared; the chosen prefix presumably completes
         * the switch into long mode. Note that KVM_SETUP_SMM is NOT
         * consulted in this branch: the call in main() below passes
         * flags = VM|SMM|CPL3 with typ 0x40, so it takes the VM path and
         * the SMM bit is silently ignored. */
        sregs.efer |= X86_EFER_LME | X86_EFER_SCE;
        sregs.cr0 |= X86_CR0_PE;
        setup_syscall_msrs(cpufd, X86_SEL_CS64, X86_SEL_CS64_CPL3);
        setup_64bit_idt(&sregs, host_mem, guest_mem);
        sregs.cs = seg_cs32;
        sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
        /* PML4[0] -> PDPT[0] -> PD[0] = one 2 MiB page at 0, user-writable. */
        uint64_t pml4_addr = guest_mem + X86_ADDR_PML4;
        uint64_t* pml4 = (uint64_t*)(host_mem + X86_ADDR_PML4);
        uint64_t pdpt_addr = guest_mem + X86_ADDR_PDP;
        uint64_t* pdpt = (uint64_t*)(host_mem + X86_ADDR_PDP);
        uint64_t pd_addr = guest_mem + X86_ADDR_PD;
        uint64_t* pd = (uint64_t*)(host_mem + X86_ADDR_PD);
        pml4[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pdpt_addr;
        pdpt[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | pd_addr;
        pd[0] = X86_PDE64_PRESENT | X86_PDE64_RW | X86_PDE64_USER | X86_PDE64_PS;
        sregs.cr3 = pml4_addr;
        sregs.cr4 |= X86_CR4_PAE;
        if (flags & KVM_SETUP_VM) {
            /* Nested-VMX bring-up: the VMXON/VMCS region addresses and the
             * guest-side VM-exit handler are staged in guest memory for the
             * kvm_asm64_init_vm prefix to consume. */
            sregs.cr0 |= X86_CR0_NE;
            *((uint64_t*)(host_mem + X86_ADDR_VAR_VMXON_PTR)) = X86_ADDR_VAR_VMXON;
            *((uint64_t*)(host_mem + X86_ADDR_VAR_VMCS_PTR)) = X86_ADDR_VAR_VMCS;
            memcpy(host_mem + X86_ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit, sizeof(kvm_asm64_vm_exit) - 1);
            *((uint64_t*)(host_mem + X86_ADDR_VAR_VMEXIT_PTR)) = X86_ADDR_VAR_VMEXIT_CODE;
            text_prefix = kvm_asm64_init_vm;
            text_prefix_size = sizeof(kvm_asm64_init_vm) - 1;
        } else if (flags & KVM_SETUP_CPL3) {
            text_prefix = kvm_asm64_cpl3;
            text_prefix_size = sizeof(kvm_asm64_cpl3) - 1;
        } else {
            text_prefix = kvm_asm64_enable_long;
            text_prefix_size = sizeof(kvm_asm64_enable_long) - 1;
        }
    }

    /* TSS contents. The host pointers kept here (tss16_addr, ...) are reused
     * by opt case 3 below to flip EFLAGS bits inside the stored TSSs. Note
     * the naming: tss16_addr lands in seg_tss16_2's area with CPL0
     * selectors, tss16_cpl3_addr in seg_tss16_cpl3's area with CPL3
     * selectors. flags bit 1 is the reserved always-set EFLAGS bit. */
    struct tss16 tss16;
    memset(&tss16, 0, sizeof(tss16));
    tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
    tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
    tss16.ip = X86_ADDR_VAR_USER_CODE2;
    tss16.flags = (1 << 1);
    tss16.cs = X86_SEL_CS16;
    tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16;
    tss16.ldt = X86_SEL_LDT;
    struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base);
    memcpy(tss16_addr, &tss16, sizeof(tss16));
    memset(&tss16, 0, sizeof(tss16));
    tss16.ss0 = tss16.ss1 = tss16.ss2 = X86_SEL_DS16;
    tss16.sp0 = tss16.sp1 = tss16.sp2 = X86_ADDR_STACK0;
    tss16.ip = X86_ADDR_VAR_USER_CODE2;
    tss16.flags = (1 << 1);
    tss16.cs = X86_SEL_CS16_CPL3;
    tss16.es = tss16.ds = tss16.ss = X86_SEL_DS16_CPL3;
    tss16.ldt = X86_SEL_LDT;
    struct tss16* tss16_cpl3_addr = (struct tss16*)(host_mem + seg_tss16_cpl3.base);
    memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16));
    /* 32-bit TSS for the vm86 task: EFLAGS bit 17 (VM) set, no segment
     * selectors, stored at seg_tss32_vm86's area. */
    struct tss32 tss32;
    memset(&tss32, 0, sizeof(tss32));
    tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
    tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
    tss32.ip = X86_ADDR_VAR_USER_CODE;
    tss32.flags = (1 << 1) | (1 << 17);
    tss32.ldt = X86_SEL_LDT;
    tss32.cr3 = sregs.cr3;
    tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
    struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base);
    memcpy(tss32_addr, &tss32, sizeof(tss32));
    /* Despite its name, tss32_cpl3_addr is seg_tss32_2's area and holds
     * CPL0 selectors (X86_SEL_CS32/DS32). cr3 is assigned twice; harmless. */
    memset(&tss32, 0, sizeof(tss32));
    tss32.ss0 = tss32.ss1 = tss32.ss2 = X86_SEL_DS32;
    tss32.sp0 = tss32.sp1 = tss32.sp2 = X86_ADDR_STACK0;
    tss32.ip = X86_ADDR_VAR_USER_CODE;
    tss32.flags = (1 << 1);
    tss32.cr3 = sregs.cr3;
    tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = X86_SEL_DS32;
    tss32.cs = X86_SEL_CS32;
    tss32.ldt = X86_SEL_LDT;
    tss32.cr3 = sregs.cr3;
    tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
    struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base);
    memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32));
    /* 64-bit TSSs: only the three ring stacks and the I/O bitmap offset
     * (pointing at the end of the struct) are populated. */
    struct tss64 tss64;
    memset(&tss64, 0, sizeof(tss64));
    tss64.rsp[0] = X86_ADDR_STACK0;
    tss64.rsp[1] = X86_ADDR_STACK0;
    tss64.rsp[2] = X86_ADDR_STACK0;
    tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
    struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base);
    memcpy(tss64_addr, &tss64, sizeof(tss64));
    memset(&tss64, 0, sizeof(tss64));
    tss64.rsp[0] = X86_ADDR_STACK0;
    tss64.rsp[1] = X86_ADDR_STACK0;
    tss64.rsp[2] = X86_ADDR_STACK0;
    tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
    struct tss64* tss64_cpl3_addr = (struct tss64*)(host_mem + seg_tss64_cpl3.base);
    memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64));

    /* Guest text: [prefix][text][HLT] at host_text, plus a second copy of
     * text+HLT at X86_ADDR_VAR_USER_CODE. text_size is capped at 1000 bytes
     * but `text` itself is not validated. */
    if (text_size > 1000)
        text_size = 1000;
    if (text_prefix) {
        memcpy(host_text, text_prefix, text_prefix_size);
        /* Two patch points inside the prefix: a 4-byte marker is replaced
         * with (its own guest address + 6), and a 2-byte X86_PREFIX_SIZE
         * marker with the guest address of the first byte after the prefix,
         * i.e. where the fuzzer text starts. */
        void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4);
        if (patch)
            *((uint32_t*)patch) = guest_mem + X86_ADDR_TEXT + ((char*)patch - host_text) + 6;
        uint16_t magic = X86_PREFIX_SIZE;
        patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic));
        if (patch)
            *((uint16_t*)patch) = guest_mem + X86_ADDR_TEXT + text_prefix_size;
    }
    memcpy((void*)(host_text + text_prefix_size), text, text_size);
    *(host_text + text_prefix_size + text_size) = 0xf4;
    memcpy(host_mem + X86_ADDR_VAR_USER_CODE, text, text_size);
    *(host_mem + X86_ADDR_VAR_USER_CODE + text_size) = 0xf4;
    /* Fixed stubs: HLT; SYSRET+HLT; SYSEXIT+HLT; and the VMWRITE field/value
     * pair (defaulted to 0, overridable by opt case 8). */
    *(host_mem + X86_ADDR_VAR_HLT) = 0xf4;
    memcpy(host_mem + X86_ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3);
    memcpy(host_mem + X86_ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3);
    *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = 0;
    *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = 0;

    /* Fuzzer-chosen perturbations, at most two. Cases 0-2 XOR masked bits
     * into CR0/CR4/EFER (i.e. they can clear bits set above as well as set
     * new ones); case 3 XORs EFLAGS bits into regs and all four stored
     * TSSs; cases 4-7 overwrite segment type nibbles; case 8 sets the
     * VMWRITE field/value. NOTE(review): as defined at the top of this
     * file, X86_CR4_OSFXSR and X86_CR4_PCE both expand to (1ULL << 8), so
     * CR4 bit 9 is never part of the case 1 mask. */
    if (opt_count > 2)
        opt_count = 2;
    for (uintptr_t i = 0; i < opt_count; i++) {
        uint64_t typ = opt_array_ptr[i].typ;
        uint64_t val = opt_array_ptr[i].val;
        switch (typ % 9) {
        case 0:
            sregs.cr0 ^= val & (X86_CR0_MP | X86_CR0_EM | X86_CR0_ET | X86_CR0_NE | X86_CR0_WP | X86_CR0_AM | X86_CR0_NW | X86_CR0_CD);
            break;
        case 1:
            sregs.cr4 ^= val & (X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE | X86_CR4_MCE | X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR | X86_CR4_OSXMMEXCPT | X86_CR4_UMIP | X86_CR4_VMXE | X86_CR4_SMXE | X86_CR4_FSGSBASE | X86_CR4_PCIDE | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_SMAP | X86_CR4_PKE);
            break;
        case 2:
            sregs.efer ^= val & (X86_EFER_SCE | X86_EFER_NXE | X86_EFER_SVME | X86_EFER_LMSLE | X86_EFER_FFXSR | X86_EFER_TCE);
            break;
        case 3:
            val &= ((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) | (1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21));
            regs.rflags ^= val;
            tss16_addr->flags ^= val;
            tss16_cpl3_addr->flags ^= val;
            tss32_addr->flags ^= val;
            tss32_cpl3_addr->flags ^= val;
            break;
        case 4:
            seg_cs16.type = val & 0xf;
            seg_cs32.type = val & 0xf;
            seg_cs64.type = val & 0xf;
            break;
        case 5:
            seg_cs16_cpl3.type = val & 0xf;
            seg_cs32_cpl3.type = val & 0xf;
            seg_cs64_cpl3.type = val & 0xf;
            break;
        case 6:
            seg_ds16.type = val & 0xf;
            seg_ds32.type = val & 0xf;
            seg_ds64.type = val & 0xf;
            break;
        case 7:
            seg_ds16_cpl3.type = val & 0xf;
            seg_ds32_cpl3.type = val & 0xf;
            seg_ds64_cpl3.type = val & 0xf;
            break;
        case 8:
            *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_FLD) = (val & 0xffff);
            *(uint64_t*)(host_mem + X86_ADDR_VAR_VMWRITE_VAL) = (val >> 16);
            break;
        default:
            exit(1); /* unreachable: typ % 9 is 0..8 */
        }
    }
    regs.rflags |= 2; /* reserved EFLAGS bit 1 */

    /* Only now are the descriptors encoded into the GDT/LDT, so the opt
     * edits to .type above are what actually lands in the tables. TSS64
     * and the 64-bit call gate need the 16-byte (dword) encoding. */
    fill_segment_descriptor(gdt, ldt, &seg_ldt);
    fill_segment_descriptor(gdt, ldt, &seg_cs16);
    fill_segment_descriptor(gdt, ldt, &seg_ds16);
    fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_cs32);
    fill_segment_descriptor(gdt, ldt, &seg_ds32);
    fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_cs64);
    fill_segment_descriptor(gdt, ldt, &seg_ds64);
    fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_tss32);
    fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
    fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
    fill_segment_descriptor(gdt, ldt, &seg_tss16);
    fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
    fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
    fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
    fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
    fill_segment_descriptor(gdt, ldt, &seg_cgate16);
    fill_segment_descriptor(gdt, ldt, &seg_tgate16);
    fill_segment_descriptor(gdt, ldt, &seg_cgate32);
    fill_segment_descriptor(gdt, ldt, &seg_tgate32);
    fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);

    /* Commit. Any KVM_SMI already queued above is delivered on the first
     * KVM_RUN issued by the caller, not here. (See the "®s" note above.) */
    if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
        return -1;
    if (ioctl(cpufd, KVM_SET_REGS, ®s))
        return -1;
    return 0;
}

/* Resource fds produced by main(): r[0] = /dev/kvm, r[1] = VM, r[2] = vCPU.
 * Pre-set to -1 so a failed step leaves an invalid fd behind rather than 0. */
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};

/* main() starts here and continues beyond this span. The three fixed-address
 * mmap()s set up the syzkaller data area; the middle one is 16 MiB mapped
 * RWX (prot = 7) at 0x200000000000, which is also where host_mem for the
 * guest is later taken from. */
int main(void)
{
    syscall(__NR_mmap, /*addr=*/0x1ffffffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x200000000000ul, /*len=*/0x1000000ul, /*prot=PROT_WRITE|PROT_READ|PROT_EXEC*/ 7ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x200001000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE*/ 0x32ul, /*fd=*/(intptr_t)-1, /*offset=*/0ul);
    const char* reason;
(void)reason; intptr_t res = 0; if (write(1, "executing program\n", sizeof("executing program\n") - 1)) { } // openat$kvm arguments: [ // fd: const = 0xffffffffffffff9c (8 bytes) // file: ptr[in, buffer] { // buffer: {2f 64 65 76 2f 6b 76 6d 00} (length 0x9) // } // flags: open_flags = 0x80b00 (4 bytes) // mode: const = 0x0 (2 bytes) // ] // returns fd_kvm memcpy((void*)0x200000000000, "/dev/kvm\000", 9); res = syscall( __NR_openat, /*fd=*/0xffffffffffffff9cul, /*file=*/0x200000000000ul, /*flags=O_TRUNC|O_NONBLOCK|O_NOCTTY|O_CLOEXEC*/ 0x80b00, /*mode=*/0); if (res != -1) r[0] = res; // ioctl$KVM_CREATE_VM arguments: [ // fd: fd_kvm (resource) // cmd: const = 0xae01 (4 bytes) // type: intptr = 0x0 (8 bytes) // ] // returns fd_kvmvm res = syscall(__NR_ioctl, /*fd=*/r[0], /*cmd=*/0xae01, /*type=*/0ul); if (res != -1) r[1] = res; // ioctl$KVM_CREATE_IRQCHIP arguments: [ // fd: fd_kvmvm (resource) // cmd: const = 0xae60 (4 bytes) // ] syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae60, 0); // ioctl$KVM_CREATE_VCPU arguments: [ // fd: fd_kvmvm (resource) // cmd: const = 0xae41 (4 bytes) // id: intptr = 0x0 (8 bytes) // ] // returns fd_kvmcpu res = syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0xae41, /*id=*/0ul); if (res != -1) r[2] = res; // syz_kvm_setup_cpu$x86 arguments: [ // fd: fd_kvmvm (resource) // cpufd: fd_kvmcpu (resource) // usermem: VMA[0x18000] // text: ptr[in, array[kvm_text_x86]] { // array[kvm_text_x86] { // union kvm_text_x86 { // text64: kvm_text_x86_64 { // typ: const = 0x40 (8 bytes) // text: nil // size: len = 0x0 (8 bytes) // } // } // } // } // ntext: len = 0x1 (8 bytes) // flags: kvm_setup_flags = 0x68 (8 bytes) // opts: nil // nopt: len = 0x0 (8 bytes) // ] *(uint64_t*)0x200000000080 = 0x40; *(uint64_t*)0x200000000088 = 0; *(uint64_t*)0x200000000090 = 0; syz_kvm_setup_cpu(/*fd=*/r[1], /*cpufd=*/r[2], /*usermem=*/0x200000fe6000, /*text=*/0x200000000080, /*ntext=*/1, /*flags=KVM_SETUP_VM|KVM_SETUP_SMM|KVM_SETUP_CPL3*/ 0x68, /*opts=*/0, /*nopt=*/0); // 
ioctl$KVM_SET_IRQCHIP arguments: [ // fd: fd_kvmvm (resource) // cmd: const = 0x8208ae63 (4 bytes) // arg: ptr[in, kvm_irqchip] { // kvm_irqchip { // chipid: kvm_chip_id = 0x2 (4 bytes) // pad: const = 0x0 (4 bytes) // chip: union kvm_irq_chip { // ioapic: kvm_ioapic_state { // base: kvm_guest_addrs = 0xeeee0000 (8 bytes) // ioregs: int32 = 0xb (4 bytes) // id: int32 = 0xfefffffb (4 bytes) // irr: int32 = 0xfffffffc (4 bytes) // pad: const = 0x0 (4 bytes) // redir: array[kvm_ioapic_redir] { // kvm_ioapic_redir { // vector: int8 = 0xc (1 bytes) // f0: int8 = 0xfc (1 bytes) // f1: int8 = 0x8 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0xb4 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x83 (1 bytes) // f0: int8 = 0x9 (1 bytes) // f1: int8 = 0x7 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x4b (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0xf9 (1 bytes) // f0: int8 = 0xe (1 bytes) // f1: int8 = 0x7 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0xda (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x0 (1 bytes) // f0: int8 = 0x5 (1 bytes) // f1: int8 = 0x0 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x8 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x8 (1 bytes) // f0: int8 = 0xd (1 bytes) // f1: int8 = 0x8 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x0 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x2 (1 bytes) // f0: int8 = 0x5 (1 bytes) // f1: int8 = 0x6 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0xff (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x6 (1 bytes) // f0: int8 = 0xe (1 bytes) // f1: int8 = 0x47 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x6 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x5 (1 bytes) // f0: int8 = 0x90 (1 bytes) // f1: int8 = 0x4 (1 bytes) // reserv: buffer: {00 00 00 00} 
(length 0x4) // destid: int8 = 0xe9 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0xe (1 bytes) // f0: int8 = 0x6 (1 bytes) // f1: int8 = 0xa7 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x1 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x9 (1 bytes) // f0: int8 = 0xcc (1 bytes) // f1: int8 = 0x16 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x5 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x1 (1 bytes) // f0: int8 = 0x9 (1 bytes) // f1: int8 = 0x15 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x8 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x0 (1 bytes) // f0: int8 = 0x3 (1 bytes) // f1: int8 = 0x9b (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x7 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x1 (1 bytes) // f0: int8 = 0xca (1 bytes) // f1: int8 = 0x80 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x4 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x3 (1 bytes) // f0: int8 = 0xf1 (1 bytes) // f1: int8 = 0x6 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0xb2 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x8 (1 bytes) // f0: int8 = 0x4 (1 bytes) // f1: int8 = 0x0 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0xfd (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x6 (1 bytes) // f0: int8 = 0x0 (1 bytes) // f1: int8 = 0x4 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x9 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x7 (1 bytes) // f0: int8 = 0x2 (1 bytes) // f1: int8 = 0x8 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x3 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0xee (1 bytes) // f0: int8 = 0x3 (1 bytes) // f1: int8 = 0x4 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0xff (1 bytes) // } // 
kvm_ioapic_redir { // vector: int8 = 0xf (1 bytes) // f0: int8 = 0x41 (1 bytes) // f1: int8 = 0x6 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x1 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x9 (1 bytes) // f0: int8 = 0x8 (1 bytes) // f1: int8 = 0x54 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x39 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x1 (1 bytes) // f0: int8 = 0x3 (1 bytes) // f1: int8 = 0x4 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x6 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0xd (1 bytes) // f0: int8 = 0x40 (1 bytes) // f1: int8 = 0x7 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x4 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x5 (1 bytes) // f0: int8 = 0xfd (1 bytes) // f1: int8 = 0x7 (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x2 (1 bytes) // } // kvm_ioapic_redir { // vector: int8 = 0x5 (1 bytes) // f0: int8 = 0x6 (1 bytes) // f1: int8 = 0xfa (1 bytes) // reserv: buffer: {00 00 00 00} (length 0x4) // destid: int8 = 0x48 (1 bytes) // } // } // } // } // } // } // ] *(uint32_t*)0x200000000580 = 2; *(uint32_t*)0x200000000584 = 0; *(uint64_t*)0x200000000588 = 0xeeee0000; *(uint32_t*)0x200000000590 = 0xb; *(uint32_t*)0x200000000594 = 0xfefffffb; *(uint32_t*)0x200000000598 = 0xfffffffc; *(uint32_t*)0x20000000059c = 0; *(uint8_t*)0x2000000005a0 = 0xc; *(uint8_t*)0x2000000005a1 = 0xfc; *(uint8_t*)0x2000000005a2 = 8; memset((void*)0x2000000005a3, 0, 4); *(uint8_t*)0x2000000005a7 = 0xb4; *(uint8_t*)0x2000000005a8 = 0x83; *(uint8_t*)0x2000000005a9 = 9; *(uint8_t*)0x2000000005aa = 7; memset((void*)0x2000000005ab, 0, 4); *(uint8_t*)0x2000000005af = 0x4b; *(uint8_t*)0x2000000005b0 = 0xf9; *(uint8_t*)0x2000000005b1 = 0xe; *(uint8_t*)0x2000000005b2 = 7; memset((void*)0x2000000005b3, 0, 4); *(uint8_t*)0x2000000005b7 = 0xda; *(uint8_t*)0x2000000005b8 = 0; 
*(uint8_t*)0x2000000005b9 = 5; *(uint8_t*)0x2000000005ba = 0; memset((void*)0x2000000005bb, 0, 4); *(uint8_t*)0x2000000005bf = 8; *(uint8_t*)0x2000000005c0 = 8; *(uint8_t*)0x2000000005c1 = 0xd; *(uint8_t*)0x2000000005c2 = 8; memset((void*)0x2000000005c3, 0, 4); *(uint8_t*)0x2000000005c7 = 0; *(uint8_t*)0x2000000005c8 = 2; *(uint8_t*)0x2000000005c9 = 5; *(uint8_t*)0x2000000005ca = 6; memset((void*)0x2000000005cb, 0, 4); *(uint8_t*)0x2000000005cf = -1; *(uint8_t*)0x2000000005d0 = 6; *(uint8_t*)0x2000000005d1 = 0xe; *(uint8_t*)0x2000000005d2 = 0x47; memset((void*)0x2000000005d3, 0, 4); *(uint8_t*)0x2000000005d7 = 6; *(uint8_t*)0x2000000005d8 = 5; *(uint8_t*)0x2000000005d9 = 0x90; *(uint8_t*)0x2000000005da = 4; memset((void*)0x2000000005db, 0, 4); *(uint8_t*)0x2000000005df = 0xe9; *(uint8_t*)0x2000000005e0 = 0xe; *(uint8_t*)0x2000000005e1 = 6; *(uint8_t*)0x2000000005e2 = 0xa7; memset((void*)0x2000000005e3, 0, 4); *(uint8_t*)0x2000000005e7 = 1; *(uint8_t*)0x2000000005e8 = 9; *(uint8_t*)0x2000000005e9 = 0xcc; *(uint8_t*)0x2000000005ea = 0x16; memset((void*)0x2000000005eb, 0, 4); *(uint8_t*)0x2000000005ef = 5; *(uint8_t*)0x2000000005f0 = 1; *(uint8_t*)0x2000000005f1 = 9; *(uint8_t*)0x2000000005f2 = 0x15; memset((void*)0x2000000005f3, 0, 4); *(uint8_t*)0x2000000005f7 = 8; *(uint8_t*)0x2000000005f8 = 0; *(uint8_t*)0x2000000005f9 = 3; *(uint8_t*)0x2000000005fa = 0x9b; memset((void*)0x2000000005fb, 0, 4); *(uint8_t*)0x2000000005ff = 7; *(uint8_t*)0x200000000600 = 1; *(uint8_t*)0x200000000601 = 0xca; *(uint8_t*)0x200000000602 = 0x80; memset((void*)0x200000000603, 0, 4); *(uint8_t*)0x200000000607 = 4; *(uint8_t*)0x200000000608 = 3; *(uint8_t*)0x200000000609 = 0xf1; *(uint8_t*)0x20000000060a = 6; memset((void*)0x20000000060b, 0, 4); *(uint8_t*)0x20000000060f = 0xb2; *(uint8_t*)0x200000000610 = 8; *(uint8_t*)0x200000000611 = 4; *(uint8_t*)0x200000000612 = 0; memset((void*)0x200000000613, 0, 4); *(uint8_t*)0x200000000617 = 0xfd; *(uint8_t*)0x200000000618 = 6; 
*(uint8_t*)0x200000000619 = 0; *(uint8_t*)0x20000000061a = 4; memset((void*)0x20000000061b, 0, 4); *(uint8_t*)0x20000000061f = 9; *(uint8_t*)0x200000000620 = 7; *(uint8_t*)0x200000000621 = 2; *(uint8_t*)0x200000000622 = 8; memset((void*)0x200000000623, 0, 4); *(uint8_t*)0x200000000627 = 3; *(uint8_t*)0x200000000628 = 0xee; *(uint8_t*)0x200000000629 = 3; *(uint8_t*)0x20000000062a = 4; memset((void*)0x20000000062b, 0, 4); *(uint8_t*)0x20000000062f = -1; *(uint8_t*)0x200000000630 = 0xf; *(uint8_t*)0x200000000631 = 0x41; *(uint8_t*)0x200000000632 = 6; memset((void*)0x200000000633, 0, 4); *(uint8_t*)0x200000000637 = 1; *(uint8_t*)0x200000000638 = 9; *(uint8_t*)0x200000000639 = 8; *(uint8_t*)0x20000000063a = 0x54; memset((void*)0x20000000063b, 0, 4); *(uint8_t*)0x20000000063f = 0x39; *(uint8_t*)0x200000000640 = 1; *(uint8_t*)0x200000000641 = 3; *(uint8_t*)0x200000000642 = 4; memset((void*)0x200000000643, 0, 4); *(uint8_t*)0x200000000647 = 6; *(uint8_t*)0x200000000648 = 0xd; *(uint8_t*)0x200000000649 = 0x40; *(uint8_t*)0x20000000064a = 7; memset((void*)0x20000000064b, 0, 4); *(uint8_t*)0x20000000064f = 4; *(uint8_t*)0x200000000650 = 5; *(uint8_t*)0x200000000651 = 0xfd; *(uint8_t*)0x200000000652 = 7; memset((void*)0x200000000653, 0, 4); *(uint8_t*)0x200000000657 = 2; *(uint8_t*)0x200000000658 = 5; *(uint8_t*)0x200000000659 = 6; *(uint8_t*)0x20000000065a = 0xfa; memset((void*)0x20000000065b, 0, 4); *(uint8_t*)0x20000000065f = 0x48; syscall(__NR_ioctl, /*fd=*/r[1], /*cmd=*/0x8208ae63, /*arg=*/0x200000000580ul); // ioctl$KVM_SET_MP_STATE arguments: [ // fd: fd_kvmcpu (resource) // cmd: const = 0x4004ae99 (4 bytes) // arg: ptr[in, kvm_mp_state] { // kvm_mp_state = 0x2 (4 bytes) // } // ] *(uint32_t*)0x200000000100 = 2; syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4004ae99, /*arg=*/0x200000000100ul); // ioctl$KVM_SET_NESTED_STATE arguments: [ // fd: fd_kvmcpu (resource) // cmd: const = 0x4080aebf (4 bytes) // arg: ptr[in, kvm_nested_state_arg] { // kvm_nested_state_arg { // 
state: kvm_nested_state { // flags: kvm_nested_state_flags = 0x1 (2 bytes) // format: const = 0x0 (2 bytes) // size: bytesize = 0x80 (4 bytes) // hdr: kvm_vmx_nested_state { // vmxon_pa: kvm_guest_addrs = 0x5000 (8 bytes) // vmcs_pa: kvm_guest_addrs = 0xdddd1000 (8 bytes) // smm_flags: kvm_nested_smm_flags = 0x0 (2 bytes) // pad = 0x0 (6 bytes) // pad = 0x0 (96 bytes) // } // data: buffer: {} (length 0x0) // } // current_vmcs: buffer: {0c eb 4f c1 11 99 ac e5 8c 4e 6c b9 7b ed e6 // df 88 4f 9a 11 9a ca fc 33 4d 9a 44 91 83 89 a5 ce fb b7 64 b9 94 d9 // 17 ac 44 fa cd 42 92 bf fe e2 4f 0b 7f a0 4a f5 64 17 0c 8d a9 38 14 // d5 60 6c c5 1b ff 60 ce 9c 75 6c 3a de 47 00 35 50 b4 da 42 dc 10 6a // 2e 45 d9 3e 4b 56 47 7d 06 d8 35 ab f7 59 1f 40 ba ad 68 7d 26 3b 98 // e2 77 55 a2 da 27 f5 84 79 f9 02 b4 e1 c8 7f c4 0c de bb d4 3b b8 a7 // 93 24 3a ba be 9f e2 25 33 87 bf 12 f5 97 2a c8 a0 35 af fc 9a 40 b4 // bd 1f e9 9f 38 35 30 2f 42 fb 35 2b dc 51 f3 52 3d d7 86 64 06 cb 86 // 8a 04 c7 ed cc a6 16 72 ff 99 67 2e d0 b1 02 76 9a 91 6c 53 21 c3 fe // ff 9d 75 c5 92 ad 98 03 68 27 11 43 59 7f 48 8e dc bc b4 3e 3f df 72 // ef 77 82 d9 e5 7a 9f 13 d4 bc 88 24 fe 86 9a a0 ab 25 09 2e 00 0d 14 // 40 9f 57 7c d1 64 12 9e 21 0e a2 aa 0f db 55 35 cf f5 32 a7 c5 e0 76 // 85 8e bc d4 58 3a 73 92 6d 9d de 0d 8f 48 ea eb 60 e3 ae 5a 7d f0 48 // 80 da 75 9f b0 1c 9b 03 bc e1 27 03 c4 95 2b 98 a9 d9 ab 23 03 5c 73 // 92 4d a5 3b 60 39 e0 e3 bf 40 6f b1 26 f5 bd c6 bf 56 d1 02 51 0e 1a // 17 f7 2d 49 cc dd c3 5d 01 4f 4b 07 26 41 df ed 79 04 f3 83 db d6 e9 // 74 d3 22 f2 80 f8 b9 93 ef aa be a6 c6 70 6b 9a f5 9a f5 2a 76 51 47 // 96 0b 4f 49 94 2d af 5b 15 aa 30 94 fa 5f bf 6c d5 3f f6 1f 53 fb dd // 92 ab c6 eb 75 c5 41 de 9b 30 c3 eb 6f ee 95 ef ab 78 ca 9d e1 59 76 // 25 62 8a 61 e6 3c aa f6 f3 11 87 c5 5a 96 f4 fa 1f 26 ff c3 f7 6c f3 // 4f 06 cd 7b c3 ed b2 87 d6 de d7 6f 20 81 c2 09 15 21 d8 b3 d1 48 c2 // 94 c6 1d 4e 93 5b 0d ec e0 52 fa 72 cb d6 19 53 8c 2f b8 91 bb 9d 94 // 
4c 87 f2 08 38 69 f3 5c cd ce b0 aa f3 f3 1b 7c a7 14 13 fc cd ab d3 // 1f 7d e7 ef 80 38 ab 1b 60 51 62 26 3f b2 ae 8f ba 31 51 bd 86 8a 6c // c5 48 6b 04 d2 1a 3a 0b af 29 96 03 5c 51 65 ec 6b 87 bf 9b b2 6f 7a // 7e 41 2a 32 cd 23 ab 2d e4 99 aa 4d 0e 48 15 8b 2f 16 88 f0 36 c0 95 // 5e d5 2d 17 29 03 6a 6c 15 f5 f5 a7 26 b3 2c 2d 5d 5d f9 6a d8 09 c6 // f6 b1 69 12 c9 bb cb 39 ee 05 ca 2f 87 8b 9e bd 80 0e 24 83 b8 65 a6 // 7b 26 c7 b5 4a 54 63 52 7f dd 1c b0 94 c2 dd 88 ea 74 34 97 a2 8b f0 // 93 89 91 c7 68 a2 53 68 a9 cf c0 2c 31 f0 3f 57 ed ef 71 49 cc 89 0e // eb ab 15 f6 b8 de 0c d3 56 9d 34 6f 2d f6 ce 12 1a e7 32 ab d1 59 e4 // 80 27 f7 57 5e 70 37 c3 5e 3c 0d 49 9d f9 4e f5 47 71 66 f6 03 e7 96 // fb 88 fa 91 42 ab 1a 8f 16 b3 a5 fc c3 d4 c0 ba d8 04 cf 81 a7 bb b5 // 79 5c fc 42 9c dd ec 3b 27 89 f6 03 f3 c5 64 e9 c0 fd 99 c9 77 64 44 // fb 8a a6 ca e3 31 d5 7b 30 7d f7 e2 6a 74 ba 2a 6f cc 44 3a 4d 4d 99 // f1 f6 d3 3c 88 b4 72 25 25 3f 50 23 55 4d df e9 c0 ee b2 7e 09 a2 eb // 4c 61 f7 f6 bf ed 68 75 76 4b c9 e8 c5 51 02 5e ae 87 2b 03 a2 3f b0 // cd 6d cf d0 37 12 9a b7 62 4f e7 6c 08 01 7b 9b 8e 58 ce 37 08 e4 08 // 6d 5f d2 5f 9f bc bb d6 1e ab 41 e8 02 b6 97 6d fd 45 a7 a4 04 41 b1 // fc b4 1b af e8 49 82 bb 78 08 65 14 5d 31 2b c0 87 75 46 ce 7e ea 5d // e1 e3 fd 3d fe a2 e1 78 23 26 10 82 c3 4b ae 15 7a 61 cb 5f 45 b0 87 // 84 2f 62 a9 3a ab 20 ce 47 48 e8 6c a1 b9 cc 35 a7 cd d8 5a f3 d2 56 // d6 a6 57 10 c6 d9 79 0a 58 a1 ca f0 04 9b e0 eb 3e c1 04 a2 26 ed 68 // c3 f8 66 d2 b9 88 b3 5f 91 33 05 9e 3e db 9e 15 52 19 92 c6 8f 83 5a // 51 af 80 59 86 35 07 a1 d9 55 7f 87 a5 4e c9 11 60 42 ec 78 65 cb eb // d7 8b 89 65 06 c5 6a 50 79 18 27 ee 4a a7 3a 43 c0 6a 75 cc c1 e5 3d // bf dd 51 fc 7b f3 75 64 d6 b9 7a 88 a5 32 ba f7 c1 24 2c 70 61 17 54 // fe 91 c9 93 fe d8 10 98 e6 e9 14 fc 37 54 4a bf 6a e9 f4 e5 bf 2c cd // 0f 13 79 98 2e 08 07 66 7d 11 d8 f4 67 e6 f0 1e 5f 6f 0e 60 77 61 c2 // ec b3 ba ae cb 5e 1c 93 40 27 7e 62 8a 0f 91 7a 52 69 
35 6b 94 9e 84 // 0e 2e 76 ed 27 db 32 cc 54 c8 ff 03 71 cf 5f e1 af b3 6a 47 00 11 6d // 15 d4 b4 0a 7a 13 ba d5 8e db 72 55 f2 54 99 f2 fb 63 84 07 2e f1 45 // 52 89 d1 f8 01 13 5d d0 17 21 20 db 2d a4 64 35 cc 5a a6 7d 2b 55 15 // d5 68 09 7e c8 b1 21 f1 33 98 6b 36 47 70 89 a4 93 e1 d7 21 05 2e e3 // af 84 5a 87 2e dc 5a 2f 97 80 c1 a7 a1 89 15 68 f5 a6 ca 84 73 8d 29 // af 41 73 27 94 29 d5 90 8e d2 65 30 dd ba bc e5 2f 39 52 1a 7e e1 70 // 99 dd 23 f6 13 23 21 08 95 90 f9 de 07 18 20 f8 4c bb 68 1f 47 b9 7f // 33 18 df 51 82 25 e9 81 d2 ca ce 31 9b 1e da ad 90 1f 22 4a 08 7a 4a // 4b 70 3b e6 ca cc bd 62 1e a1 bb b4 89 04 cf 46 00 78 cb fa fb 54 9e // 54 b8 b1 14 68 68 91 cf b2 b1 b0 47 02 07 c7 e1 21 e7 b6 c3 12 06 3f // fc 17 c8 05 ff 47 88 3d 39 63 70 96 e9 42 a1 e4 dc a8 de ba cf 1d 2e // 69 f6 cd e8 d7 7a 75 cb fc 7c 05 64 b6 da 1d a8 90 b9 dd d5 32 84 c4 // cc 10 9c 20 7f d3 d1 a1 ee bd 31 57 d8 6f a1 d3 bd 77 5d 36 fe 99 05 // 0c d9 c1 41 00 92 7e b1 06 c0 c2 69 c3 33 76 1e bf 90 40 2d bf 92 d2 // 73 9d a2 b6 9f 4e 2a 05 e3 9b 03 36 95 6b 16 61 53 4a 01 57 be 6a c0 // 15 36 af 67 98 d8 9c ac e7 43 25 a5 53 7b 2a 5a dd 7d 36 49 c3 e1 8b // b3 ee 64 d0 76 66 ff ab 04 82 6c 12 a5 f3 48 ac fd 97 b4 39 32 05 bf // d5 a9 a3 36 5c ed 18 16 b7 61 ea 1e 8f 69 e5 73 e9 c5 2a 58 05 7f dc // c3 48 ca ef e1 ef 84 cc 35 dd bf 78 09 13 95 e1 2a 9f 5a 4a 24 1c 7a // 32 6e 64 aa 85 75 f1 bc 9a 5e 17 41 7f 49 a8 d5 aa 9a ae 50 e9 af 17 // 85 e0 1e d6 f4 e4 31 3e 0e da b3 50 a0 86 ae d2 9c d5 aa 1d db 5e 00 // de 7a c8 d3 bc 2b 16 7b 32 d9 92 50 46 27 ac 20 14 8c 1f 66 eb 61 70 // 3f 43 07 f3 b2 06 24 56 d3 a8 20 f2 e0 57 9c 53 1f a5 d7 a9 f1 9c 00 // a3 cf 3c 9a f8 6c de 1d b8 b4 6c e7 3c 8e 92 ed 6d 18 6e d8 c9 48 f0 // 6b 3f 3d bb 96 d4 7d 5e 24 e8 82 1b 6b eb 7f 65 9c 7b aa de 01 40 a8 // 31 1f f1 ed c0 67 37 23 2b af e6 30 cc 8a ee 5c c0 ff ba 50 d6 27 b1 // 47 19 a1 93 3b 4e 2f a1 bb a3 9a 8d 4e 7a 25 33 24 13 33 bf 19 a7 7f // c7 79 88 4f 17 2f 44 37 12 68 4f df 
65 58 91 f0 1e 52 bd fd 09 e1 b9 // 69 68 61 62 2f 0c b1 5e 58 f8 7d 1a a4 ff ab 12 09 49 27 df b1 d6 47 // 9b 91 ba 73 bc 34 8d 3f 34 65 d1 ef f1 b1 77 4b 49 38 17 48 f9 8f 3b // 79 85 83 65 a3 57 e3 ed 5c b8 98 ef 69 59 7c b5 7a bc 9c 3c d9 0f ee // bf ed 6a 98 87 1e d2 a5 6a 2f 8b 1b fd 3e c3 83 e0 77 82 7d b5 bd d9 // 92 da 14 6a 91 29 59 94 c0 39 64 d1 c9 af f8 cc 25 70 ef fa bc 81 e1 // f4 b4 77 d1 e4 52 20 4c d0 7a 3f 8b 72 96 b2 08 e7 be 2c 3f 71 de 25 // cd 5f 96 43 78 1e b1 9b 3d 2b c7 d7 3a e9 72 94 0c 10 3d bb 57 58 40 // 6a 3f 6d 56 e9 b3 b0 c1 85 90 47 44 02 d6 80 ff a8 7b f9 a1 b2 41 44 // 82 78 f5 64 14 e8 fa 88 5a 68 03 48 6a 9c c2 33 1b 3b a3 18 c8 08 34 // 8f a4 43 e0 02 e5 7e 04 5f 36 81 bc 45 98 7a 30 1c d2 a4 b7 ab cf 7c // b1 e3 df e8 7f 91 d5 1e 52 1b 8b c1 54 a3 e6 04 60 07 65 b0 1e 52 f7 // f1 ea ed bc 95 48 66 e8 e5 72 31 52 32 1e e4 3b af 10 a1 7c d2 2c 95 // d8 4e cb 41 9f 85 b8 0f ed 17 9c 4d c9 a9 98 51 e5 94 71 4b d2 26 25 // 89 1d 88 d7 41 8b 23 3c af 07 e7 26 b2 e2 10 b3 f4 e1 d3 60 1e d8 fe // 90 fe 34 60 23 a6 7c 7a 7a 1d 48 e1 85 f1 22 9c e8 de 92 5b d2 93 5d // e1 33 1c 6a 59 a3 61 90 da d3 e7 67 ba 3c 65 9a 93 6c 1e c3 b1 6a 7d // 4f 04 12 1e be 19 3f e3 ae 8d f8 c3 bb 06 60 73 c6 f2 5f a0 6d bd 8b // 67 c5 7d c0 a7 1b 9e 5c 06 a4 05 16 b3 6d 33 1e fb 0b 3d 3d 0f df e0 // eb 4d c8 4c 4a 8d 15 77 ef bf ca 91 6b 01 f5 6e fa 66 33 f4 ba e0 f4 // 04 bb 4f 85 6b a2 6b a6 44 e0 50 49 d3 64 a6 10 1c e5 1b d7 d2 be 1c // 10 34 fc 87 a8 c1 54 65 b9 a9 df c9 26 ce 41 c8 6f 9c b1 55 81 85 9b // 7c 56 04 24 dc 08 27 1d bc e8 68 b7 ca 15 3f 82 d5 64 84 e9 98 1f 6e // 7b 6c fe ee 8d 2a e4 d3 b2 bf e3 24 bf f7 dc e2 0e 42 3a 79 0c 56 d9 // 3c fa e5 e1 93 c3 73 72 fa 64 3e d5 29 70 78 d9 a0 fe db 7b 09 1b 56 // 30 fb 46 b8 ca 3e ed c4 ff 11 c2 3a e5 20 e3 a1 ec 8e ca bf 17 6c 03 // fc 74 af 37 6f 6e 20 8f a5 79 5c 99 03 0c 11 18 97 30 41 4e 70 64 8c // f1 14 c4 ce 37 78 26 29 9b ef 5a 84 fe 18 eb 43 b9 2a 8c da fc d7 1b // 15 6c ad ab b7 ba 
84 be ae 56 ce 1f 0d 4f a1 ac 03 e5 cf 4f 3e f5 c4 // 95 0a 63 78 fa f6 87 88 fe 35 8b e4 d9 6a 49 42 8e c9 76 23 56 2f d6 // 3d 5c 96 5a f9 43 7d 14 04 73 5b 9e b6 82 2a 10 e2 79 0f 6b 07 4a 07 // 10 cd 6e 8c f9 6c 74 88 6a fe db 09 d9 8b 90 8c 89 7a 19 58 d6 85 ff // 7d 37 c8 dc 95 3e 9c d2 2a c8 19 1e e2 00 38 3b 24 a3 38 5c 9c a6 93 // 39 b0 a8 12 92 f8 1b be ef f4 2d d7 0b e7 ba 62 f1 be b1 62 54 90 ee // 96 71 15 37 5a 78 40 c1 f7 34 54 ac d9 be 17 35 aa 1e b0 b6 bf 6e d5 // 6e 8c d3 60 cd 53 72 24 68 41 6f d1 46 22 2b 35 02 66 be dc 84 64 81 // a4 c6 df af 15 13 2d 46 0a b8 14 bb b9 a2 e3 5a 80 68 51 d7 ec 41 df // 32 fa 5b bf 68 b7 bd 92 b7 97 03 c2 8a 6b 1f 9f de 6a 87 8e be c9 53 // 1d 74 cf 27 f5 55 97 ae 90 f4 f7 fe d4 2c 79 a8 36 55 d6 bd 44 47 e3 // b2 72 28 37 cb 17 c1 86 19 d7 66 b7 84 58 b0 44 ea e9 ef b8 62 35 56 // 44 09 9f 19 30 fa 28 f5 45 97 6d 2a 83 44 70 f3 8c ee fd ac bc bc 45 // 89 ae eb 68 5b 5e 53 64 e2 69 68 7d a3 b2 6f f2 9d d1 4c 1e 1f e2 87 // 7c 95 2b 5c a6 5f 45 ee fb 98 b5 46 7a 3c 1c 71 fc e2 1e ef 77 88 ab // f2 93 00 e1 a7 2e af 46 87 28 8f a3 ab 47 94 59 3c 84 12 f7 41 f3 ce // 3d 08 04 8f 31 cb 35 d6 a9 49 c6 b5 fc cb be d7 b8 a3 4a 98 50 64 16 // 46 b0 f3 27 fc 2c 03 0d b8 f7 35 83 af 3b 4c c6 da 43 50 b9 28 dc 16 // 2c c9 72 a7 f5 ec ee 34 a0 dd 7a 67 ba 16 c0 1b 5c 04 4e 25 b7 60 37 // 06 dd 6f 58 3f 40 14 2e ee 57 57 28 bc aa 27 12 41 3d 0e 61 6d ec ad // f0 dd 82 c9 f7 60 3a 9a 56 35 f9 e8 7e 5d 71 78 f5 a9 2a 47 e9 c4 70 // fe eb 8c 21 17 a0 2f 23 31 05 d8 1e 8d 6b 94 6c 62 70 89 36 41 33 c6 // 03 d8 64 da e8 0a 01 4d d8 10 26 5f 89 ca 19 4a 2f 3f ac 21 88 9c 98 // af a5 b7 c0 62 94 e1 81 0e b5 54 f6 fc b4 28 dc 7c 62 46 18 7f ef c0 // fc d1 e6 b7 bf 04 af d9 2d 7f b9 20 2a fc 5c 1d 3c 61 35 a1 22 b1 f7 // 7a 74 f6 84 a5 30 d9 cc 09 94 c7 34 c1 d4 4a 73 48 ba d1 e2 00 94 44 // 48 e9 19 70 7b d6 94 8d 62 8f a8 c9 1c b4 9d a2 ad 26 de 79 11 a1 4f // 83 53 31 95 15 d7 67 85 67 41 51 f7 d1 37 7b 99 7f 3f 28 5a 21 e1 6e // 
d8 74 59 ff 4d cc 9f f6 8b 3a 27 54 31 b2 e6 c8 ac 55 d8 71 e5 67 75 // 51 0c 0f 7c 1c 24 fe 80 8b bf 09 ba 53 d3 b0 c5 42 92 da f2 35 a2 fd // 37 82 75 69 4e f9 b4 ff 66 38 4e 88 f8 f1 42 eb f7 e2 28 50 24 bf 70 // 90 7b 64 b7 67 4a f3 fd bb f6 5b d0 25 d3 35 29 20 5c e0 db c8 e9 6a // 84 5a 51 f8 4b b9 8a 8a d7 15 ce 86 b0 50 21 6a 09 e1 f9 c5 ab c4 4a // 39 4c 4a 4d d3 e7 c5 47 f3 fc f8 67 cc 2f c3 fb 5b aa 75 35 d5 1f 86 // 05 1d 0d 68 0c b4 95 8b e1 2e 91 f8 f9 45 52 d9 68 93 54 ad 6b 5f 5a // a4 bc 15 49 d3 e6 a2 96 d6 2f af 83 9c e4 19 04 ab 36 86 c3 bf 5b 52 // d6 5f e3 19 61 bb 3e 82 74 48 70 2c 44 32 b7 cd 4f b2 a6 ee 79 48 23 // fe 4d 67 2f a2 c7 d9 0e 18 73 47 72 aa 14 d2 93 69 19 6b aa ff 6e 72 // 20 bf c1 7d 7c 1a f2 de 20 61 bd 3d bb de 20 07 6e 56 39 bc ae d6 76 // 06 09 63 55 82 14 fd 0e 3d 5a e5 66 02 db 9e 7c bf 03 4b d7 56 17 0b // 6e 40 69 71 42 aa 59 0a dc ad 47 12 25 53 b5 1e 60 e1 ff 2a 98 87 4b // 99 8d 20 e1 9e 7a 36 92 65 45 67 b0 a6 e9 c0 8a 38 bd cb 8d da 2d bd // fd a7 35 39 12 5d 79 41 57 35 fa 47 7a 29 ad 5e 27 ce 09 37 46 78 30 // 76 3e 03 97 48 53 46 c0 e7 6c 84 29 50 1c 89 e3 e9 80 e0 9f 08 0a 8d // 45 11 94 cd da 91 3d aa 9d dc 19 93 11 fe cd e8 f9 4c a2 c5 a0 06 60 // 0e ee 43 c9 96 19 b4 58 9f d3 0d 33 54 9b eb 8a 64 c3 76 de 2e d9 b7 // 90 1f f6 d3 99 43 9b 7d a6 e9 23 d5 a2 60 f3 8e 47 c1 95 54 8d 3b 72 // bb 4b db 4b c0 1e 19 74 f4 9b cf a5 25 c2 d6 b5 e7 f1 61 2b f4 ed 4e // ae ce 1d ae 0b ab 8a a4 f2 48 0a 1b a7 37 bd a7 3b 51 59 4a 5d d7 32 // 48 ec f7 18 ba 39 fc e3 0a 59 b9 8a 53 cb ae 4c 2c 0d 23 c6 17 bc 75 // a6 58 97 54 25 39 e0 ac fd b8 b0 07 bf 2e 5b e8 96 db 56 2f 26 34 60 // b2 a0 51 5e 44 de 7d 96 5d 7d 4f 94 00 65 34 25 a4 60 ac d2 a3 01 3e // bb b5 f2 13 db be ae db 56 6d 3d ce 8e db b7 93 b7 fb 16 f4 63 aa d4 // 7e 41 27 5d 70 df 56 09 ff 2a 3c f2 1f 4e 94 33 13 42 6e 0f f5 79 6c // b4 ac dd b8 6a b2 56 dc b6 53 9d 06 5d 74 9a a9 2d d2 b2 57 ca 6f b5 // 7d 11 00 9b 98 58 52 ec 9e a2 29 98 60 06 a4 df 20 93 
c9 97 ff 64 67 // 7d 9f d3 d0 85 8f 12 bb 91 48 80 43 51 48 45 56 c4 07 3e ae 97 e6 34 // 0c 82 11 96 80 f0 f8 cd a3 e4 17 50 42 cb 0e 6a dc e9 d0 13 61 44 ca // 09 c3 63 f8 5e 82 b2 0d 3f 27 bb 45 87 92 7b 1f de 64 50 41 42 fc 2b // 6d 2b 27 fb 6d b9 46 94 f0 5f 0e 21 03 ba d8 26 72 e8 e9 46 16 9a 4d // 71 07 06 35 1a 28 1e 29 a2 ad 55 ca 10 47 06 ee d5 3e 06 c3 41 e6 3d // 6b 93 a2 8f 38 b7 c4 18 e5 f7 87 c4 96 ff f3 c5 5c ed ec 24 29 f5 7b // 6d 29 e4 16 32 c1 78 0b 5a 95 8d 3e 01 f8 97 94 b1 9b 7c d0 de e5 83 // 16 11 2e 30 3d 4b f6 98 b7 ff b3 9c 54 47 27 85 e1 bb 74 86 2e 60 06 // e6 6e 27 c7 47 01 6c ab 40 ae 9b 78 11 33 16 09 d2 83 0b 91 bb fc 06 // 7d 78 4d ad 42 bc d8 13 68 26 57 f7 88 96 57 6b 1d 32 d4 51 1a af b8 // 56 e7 71 5a 27 8e a9 b4 12 cc b4 04 1a 6f 7c 0b 61 a6 1d fd 90 36 54 // 51 b7 b9 33 eb c9 3a b0 e4 f9 93 c5 c1 be 0d 00 29 65 a9 cf 2e 46 bc // 91 10 c7 cf 86 1f 23 ae 00 4f f0 7b 8f d7 64 b8 f0 ef 1c 2f 54 fc 3a // 43 de 17 c6 d6 db 2b 8f 80 b8 09 12 01 24 3d 16 d4 48 b1 4e 32 14 7f // 82 42 6b 33 ee df 2f c5 d3 cc a4 0f ec b9 f6 8e ec df d9 44 00 3d 26 // c8 55 b2 92 36 b5 00 15 82 12 a9 1c f0 09 01 9e 9f b5 6e 5a a5 5b a2 // 20 a4 8c e2 a0 80 dc 2f 82 a0 66 fc c2 6f 81 a1 40 e8 cf 61 40 36 02 // 82 c6 fe 86 ad 39 84 c3 36 52} (length 0x1000) shadow_vmcs: buffer: // {1d 0b 05 98 1d 90 4b 13 4f a7 ed e8 a8 69 6d 85 8a 7b 8d b0 c6 b4 // 43 bd 46 06 75 d1 2d 8e 31 b9 66 ed e5 87 48 f1 02 5c 8a ce 9d 34 1f // 9e 9c f5 70 6a 38 b9 c0 70 c1 f3 75 93 2e 7a cf 07 c6 57 ee b7 8c ad // 5d f7 bc ec 3e b9 b5 b6 85 37 7b 09 2a 52 b4 6a 98 4d 8b 57 3b 36 a8 // ca 61 11 51 e8 78 2c 07 eb e8 d7 8f 4d 32 0a 61 e5 6f b6 43 d6 25 6f // 1f 3d 64 cb d9 e7 a3 91 1f 45 95 eb 7f 81 36 c6 d8 5c 3e 99 3f 00 35 // 5e 99 44 00 d8 2e 71 f9 83 30 15 63 b9 32 65 1c 0f 45 69 e7 44 83 41 // 71 5b a1 73 0b 0a 50 d8 4a 3c 8c 60 7f 08 fd 41 d7 82 79 c8 7f 35 3e // b2 6d a1 03 3a d0 b7 a9 1a a2 71 d8 cd 00 c2 8f 6a cc 08 77 6a 58 ca // 5e 71 6e eb 00 92 86 a6 0c a7 fb d8 8d 
7a 07 54 30 a9 90 51 fc 8b 13 // 34 20 a5 66 27 49 40 b9 70 e6 57 f0 0b 5c c5 ff 95 01 ab c7 cb 33 e5 // 9a 9f 6a 82 6e 80 5d be c8 4e 91 02 cc 17 e9 13 78 94 48 fa 7e 48 33 // 00 06 d6 d7 e0 04 ae b5 0e eb 62 42 94 f8 73 65 d4 c6 61 02 b4 c4 4c // 3b 8f fa 4c b8 d4 67 bb b7 f5 cf 4e e0 d8 9b 90 91 de 1a 5c 09 2f 97 // 00 a2 f0 7e d8 55 b9 7b 39 2a 2e 6d 95 64 b3 43 13 e1 81 29 cb 20 a1 // 02 70 7a 2e c2 df cd 09 48 2c 4b 4b ff 49 e8 08 28 1a 1b 2c e0 73 3f // 81 26 c4 22 9f a3 e7 8a 2b a2 79 31 e6 c7 2a 2a c9 04 85 76 05 ab 8c // 93 20 e9 10 3d 60 f4 30 63 90 b5 4c d0 aa df 4a 2b fb fc 3b db 12 92 // ae 1a ea 4a 0d ec 56 6d 5b 42 c8 bc 88 2d 77 3e 39 5e 32 fa c8 42 13 // cd 33 99 fa 8d 5d 08 41 65 99 78 79 4c 39 29 97 c5 10 6c 92 03 24 5a // 37 26 9a f1 59 fe 9b 05 9d 8f bf d0 8f 93 31 b2 46 98 9f 87 ef 82 36 // bb 87 b1 a9 55 0c f6 eb 53 1c 52 6c 0c 21 98 ac 80 51 88 4e 78 fe bd // 2c fd 24 6b 48 f0 9f 61 03 0c 81 03 16 69 49 5d 15 fd 48 65 1c e1 d6 // b5 5c 60 8c 83 9b 1a 35 12 b9 d0 df a1 64 73 21 3e 7f 85 59 c9 5b 89 // 69 16 ba af cb 90 fe 0b 5e 84 01 75 03 73 7c cf 5c 59 20 ef 5c 33 86 // 2e 58 54 43 ea 39 95 36 4b a2 47 1d 32 d2 c7 e9 bd 49 66 9a 83 68 ef // 05 86 8e 3d 3e 70 7c 7a 3c a7 81 bf 49 ac fe 11 74 df 6f 48 ef 58 22 // 98 2f 65 58 84 d6 dc 12 00 42 07 2e 0f 9d eb 49 ba 12 2c a6 6e 0b 4b // 6a 91 a5 44 14 fa 3f ad 51 84 63 1f 9b 33 3d 3f 36 75 6d 7f 09 b3 17 // 8a 0d 67 ba 87 52 48 41 f9 2d a1 9c 36 69 b4 b2 f1 61 4a 0e b7 45 3d // fe 77 84 a3 f9 b3 7e ff 65 52 8e 89 8f 22 d7 5f 01 b3 2a ea 5d 80 cb // 04 ee 42 77 f7 a9 70 9e e9 6b 77 8d 62 9f f8 10 24 23 6a ef 22 a5 1b // 28 20 d7 f8 44 36 ce bf 05 ed 2d 76 b3 1f c7 11 80 73 b3 4c 1f 41 e4 // 0e 71 1c 3b 55 3a 60 d5 ad 7d 7c 3a 1f 8b 5b d8 26 c3 3b 49 8d 7c 2d // 68 8a c8 21 da cb 8c b7 41 c8 d7 eb 61 50 ce ff 0e 37 83 47 8d 2a 60 // 4f 12 05 e7 3e 89 23 29 a9 00 d6 e2 0c 3f 11 0b 00 d5 02 85 41 a3 35 // b6 1f c1 a7 9b b0 81 8d 88 38 93 21 36 84 a3 60 a8 cc 1a de 1f 63 b1 // 09 e9 cf 96 e2 12 6d 
7b 02 cd 71 31 6c 2c ca c3 58 4b b7 80 07 52 a6 // 26 51 e8 10 c2 36 25 ca f2 49 b2 d5 e8 54 e3 1e fe fe 44 85 da c4 5d // cb e9 aa a3 74 02 f6 cc 7b 4b 2c e5 95 72 e6 94 61 26 00 1a b9 71 7d // df a5 8c 1e c7 ae 8d 93 b7 9c d5 2d be 0f cb 26 fa 43 de 46 f8 a3 cc // 6e cb 65 29 c3 22 f9 c2 3d 39 d9 2f e0 b3 40 17 17 00 72 88 49 76 ce // 8b 01 dc 98 1b 91 33 02 c8 11 48 9b 81 a1 57 11 74 88 22 45 36 d5 09 // a1 22 72 75 24 5f 71 23 1a f6 bf e1 21 62 83 5e 20 86 36 d0 74 f0 81 // d8 8e 61 ca bb 40 c9 3f 08 61 3a b1 5b 8e 60 09 b9 7a 83 ac cb fa 49 // b3 93 74 bf 08 a7 45 bf 4e ed be f5 d2 b4 20 43 8b f3 16 a5 e2 d6 02 // 4a 71 91 9c 24 d3 cc fb 46 98 77 68 f1 67 36 1f 4d 2a b9 1f 1f a2 98 // 19 f0 d0 bc c9 30 f0 58 18 c8 c6 c3 b5 55 e2 f9 70 94 c0 87 23 2b e3 // 40 48 30 d2 15 d6 b0 92 df 62 81 c7 cc f1 bd b9 40 22 70 33 0c 00 39 // e0 3f 27 6b c3 68 e9 53 08 21 88 2a 50 dc e6 d1 b5 19 0b 76 06 f3 4d // 84 e3 75 a5 4f 4b 13 0e 5f 52 6b 9d cd c9 8f 42 90 39 49 5f 40 ec 1e // 1f 44 5f 50 ec 6a a7 60 6c c3 cb 3b d7 4c 5f 95 51 04 13 c5 fd d8 5e // e5 b1 6c d7 f9 51 1f 3e 1d c3 95 59 64 39 b4 5a c0 34 4a 4d 2d 14 11 // 28 d5 97 d8 31 85 28 32 52 78 e3 a5 70 9c d6 4e 9a 49 b8 d5 ba 10 79 // 83 64 4c 45 2f 6f 80 53 e7 ec 32 fc 56 89 83 62 f2 87 59 6d c1 be a6 // b2 63 96 e6 90 9a ff 73 f9 ac 6f eb 19 a8 d8 7f 12 6e 1d 23 74 c4 cb // 7f 6e 31 2a 8a 17 19 7f ee 59 06 e5 ad b3 2e 02 ac 30 4c d8 3c 23 96 // 97 67 a9 f9 e9 38 4a 3f c0 d7 a2 63 ba 82 9c 87 44 cc 42 79 d8 d4 30 // 94 34 f7 ef 65 36 ba 1d 83 19 87 0d 18 91 61 88 de 24 90 c6 8f a4 ef // 83 da b1 64 0b 65 e7 07 a7 c4 c6 fe 35 c6 cf 21 5d d0 a9 5f 7b 67 bc // 2e ee fd 74 cd 29 ef fe f4 35 7b 85 db 1b ee fd eb 4d c8 10 cc a1 78 // 39 c2 76 20 d7 50 ae b2 8a a0 ef ec b9 f4 a2 2f a0 b0 f3 23 66 f0 b4 // b7 5b 4b e8 11 e5 94 0e d2 84 e8 50 ea 2c e9 ca ed c9 25 b1 41 7a e3 // f3 4d 13 74 7b 4b e3 2f ed e1 36 2e 2c 33 16 81 40 00 a5 d0 17 1d 98 // a1 bd aa 6a f5 9d ca e8 00 8b 8a 9d 6a 83 6b 70 17 1f 5e c4 fe be ec // bc 
4f 83 27 77 d7 53 a7 03 3b 86 81 f2 0f 4c af a1 35 5c a6 69 fa be // 2c c3 d0 a6 54 01 a6 a4 7a 35 2f 0f 81 ba 35 e7 00 78 5a 7c e0 21 a5 // b2 b7 95 42 51 3f a4 13 b7 87 73 3d a9 d5 91 17 e5 b1 fe a5 ae 4e e5 // 6b a2 2f 1a f1 77 a3 7d b3 39 b4 0a 9a c7 c2 80 db 05 35 df 32 e9 4b // 50 fb ad d3 62 05 0d 77 6d 5c a4 0f fc 68 2c b3 9c f3 ca f0 76 55 5a // 73 c3 56 40 53 53 8d 77 8f f0 20 c3 52 9a 65 5a 06 98 05 2a 35 36 40 // c4 15 1e 62 8b 54 8f c0 48 e9 5a 44 e1 65 78 ef 1f c9 54 7b 23 c1 b1 // 94 10 b4 e2 15 9a 17 52 87 26 8d 80 9a 0f 21 95 0b 12 39 ef a2 b3 de // 57 f7 9d d9 6c a9 c0 91 85 d2 e5 73 ec 69 e1 e4 7b 7e b8 7b 7a 10 a1 // cb 0a 55 29 cf 5a a7 14 33 2b 75 19 9d 03 a0 d5 44 20 dc 65 bb 19 04 // 31 34 8b 05 9f 20 ed 36 67 0d 72 3e ec 04 68 8f 23 20 3f 20 cb 0e 86 // 51 c7 53 e3 f3 76 91 7e ea ee 66 e0 15 67 6b 71 d2 5e 11 58 5a 1c 4c // b6 ba 68 8c f0 63 7c 73 9f 11 53 ab 00 8e a0 03 07 d6 be 89 68 9b 1c // 05 ea 52 aa b7 3f 33 08 6e 67 6c a1 bf f9 ca 79 bb fd e5 3b 0c 1c ce // f7 ab ff d9 5d 05 b5 88 4f d1 ab 28 f0 17 36 26 d7 00 c7 c8 11 12 cb // f0 40 12 ec 36 89 f3 c5 84 1e 2c 0e c6 0a 74 b5 33 19 d6 7d 4c 51 36 // 56 c5 f8 94 d1 da 1e 62 b5 af cc c2 9a 2d 8d ca 63 6f 01 ca 5f dd fe // 19 d3 66 fb 95 b2 64 e4 8e d1 08 96 84 90 b0 1f aa 24 8f 46 a9 c3 d2 // 90 8d 00 c0 0d 21 25 7e db 78 cd 22 e8 08 01 9f ba e4 98 53 f8 cb 36 // 7e 9c de e4 94 01 fe 61 b1 2f 43 19 85 70 48 f4 0c 25 cc 65 64 0f 2e // 3a f4 87 e4 22 4b 62 89 63 70 44 93 48 87 e4 9f 82 22 d4 67 c9 40 1c // f8 f0 b7 77 bd 93 a6 dc d6 cc f1 9d 49 12 4a cc 63 af 4e 80 b6 10 a6 // f4 9c 0c 3b ff 77 d9 14 b6 26 c6 de b0 fb 70 ed d3 56 ae 75 3e 80 47 // 86 23 16 42 72 0d 54 57 95 cc c3 b6 5a e3 43 a5 67 2d a0 35 07 a5 94 // 76 bb 51 46 98 51 52 cd 8e f4 db b3 77 82 21 a1 b8 55 7c 53 34 17 86 // c0 39 80 33 ad 3e 7f 89 39 60 b7 75 e4 b1 9b af 23 0c a7 59 94 16 83 // 45 cd 1d d4 e7 13 d0 69 15 ac 66 ba 4e 4f d7 1a 6f 14 4e 52 71 32 21 // 39 e6 2b 29 21 2a 88 26 cc f3 ce 45 5c 88 1b 7c 22 c7 87 
66 65 46 b2 // ca b8 da 97 bd 32 8f ee 68 4c e5 22 0d b4 ae a6 dd 17 65 72 56 7c 3b // 8c ad 98 16 e2 33 80 57 7b f0 32 df 39 9b 9b 33 c4 5c fc 86 9a 28 c8 // 83 8e fc 2b b3 ba ab b7 6d 38 04 ae 72 1c ea a5 cb 66 27 db 8d 98 47 // 10 48 9d f1 2c a1 a5 99 73 f9 34 9f 35 60 79 5a dd f3 ff 4f fd 46 21 // 49 7c 51 fb 8f 8d a5 7a d3 0c 9d 02 02 0d 76 64 28 12 29 76 3d d1 1d // f0 ac b2 70 31 51 f0 b2 4e de 22 fe af 78 4a 66 d2 3e 36 34 74 37 1b // 5c 94 83 ec 4d a6 c8 7a bc 07 f2 0d c7 3f ff 6e 07 c3 53 2c f9 0f 80 // 23 56 89 d3 10 10 47 d3 57 25 ed 99 ce 36 87 47 49 3b d0 09 90 58 54 // e6 6d 95 73 aa f3 af f5 b8 a9 b6 ad a6 58 76 6a 89 9c 25 f8 ff 26 85 // 9b 3d 62 9f c9 5a 2c c5 fb 36 79 ef 93 17 83 38 d7 7e 04 e9 26 e3 84 // 3f 59 e5 2e 7a 6d 07 83 07 04 09 40 a7 5f 78 cb c5 10 44 74 e4 e6 b9 // c9 24 31 5e e4 56 5b 69 62 62 72 6e 27 da 07 ba 6e d4 ad 1e 6c 77 d4 // 61 36 ed 8d d3 a4 59 01 f1 04 60 ae 7f 3a 1d 1a fb a6 4e e6 b5 9d af // 4d 09 0b 81 1f 44 01 45 ab 2a dc ad 20 fa e6 f0 4b 1e 46 f4 91 54 06 // 9f 69 ee c5 8e eb 85 55 e5 c8 e2 e2 3a 9c 40 45 3e 43 47 13 d3 e3 cb // 7f f7 04 14 9a 3d 59 12 9e 4e 33 df 56 73 a6 64 34 8c 18 29 e0 00 e1 // ab ae 37 c9 0a 1a b6 60 d4 92 9b 77 25 36 33 4e f4 18 4a eb 13 94 bb // 71 d1 0b d4 4b a2 d7 ee 35 2e 15 29 4a 67 3f 34 95 26 66 5f 75 1a f4 // 35 42 b3 ee 47 22 6b 01 3c 01 34 86 53 29 0f b5 b5 5d 7f c4 b6 9e 10 // b7 b0 93 69 a8 bf ef 2d b5 c7 26 3e bf 07 ce 77 e6 66 25 45 83 b7 a7 // bd 76 57 5f 44 38 5f c7 54 9b f5 82 a5 88 14 fe 0d b6 4c 4b 7a ed 5d // 0f b7 2e 82 74 71 75 f9 36 19 3a 9a 7b 4a 8b 59 41 bb af 47 f6 b3 c8 // 72 20 d4 34 23 3c 0c ae d4 1d 1a c9 11 5d 62 97 42 73 db 95 7d 9c b4 // 7f 85 0f b0 e6 b5 96 89 f4 e8 13 88 ed 1b 13 2d a8 a6 d8 8b d6 1b 9f // 29 82 c7 65 a8 4a 98 76 31 c4 08 3a ef e3 ba 1e 50 cb 4a 16 07 58 5b // 59 39 b3 16 93 fd 9c 0f cf 59 e0 11 1a 6d 49 ce 1a 5e 47 d4 e4 c5 76 // e1 0b 0d 4c dc 4b 2e 28 95 05 55 1b dc fb 76 d7 02 3b 30 b0 a1 04 b9 // c3 41 1a 71 77 10 a5 b0 1b e3 20 3f 7a 
16 c0 99 81 5c f1 14 8a e8 d3 // 65 3d de 13 5c 5b 2d c3 3f a8 c4 2f 79 a8 d3 f5 a3 81 cd bf 20 43 28 // be f0 6e 3d 15 10 bc ae 70 5a af dd 26 c2 c7 0c f8 e8 13 28 d4 77 13 // 67 a2 ff 5f 01 8b ff 7a a8 9d a5 60 b0 44 ea 25 3f 8a ab ae ba b2 a0 // e0 0d e8 01 57 2c 04 f8 5c b0 b3 81 e7 18 b7 15 f8 d2 96 ca bc 25 d0 // aa aa 0a 9e fd 88 10 2c 9d 02 1d 97 eb 5a 5c 14 c6 36 f5 50 1d 7e 6e // 82 e3 78 38 4d 63 13 4a 1a 9e a0 15 2d 51 cc f7 1b 4e d9 b6 0b ee 0b // bb 6b 86 47 7f de ad 73 1e f7 cb f7 0a ec 67 8a 8b 35 45 6b 2c 2c 67 // 26 51 3e 32 ae ed e7 39 0d 89 59 75 cc 72 00 05 51 d2 52 18 18 16 de // e8 e1 22 17 7b 1b ea eb bf 2e 3c 9f 4d ca 39 51 99 0e 5d 64 99 e1 13 // 8f 5e c3 ad 53 43 3e c7 cb e3 92 7b 2c fe b5 a3 3e 47 27 e9 4f 33 e7 // 54 97 b9 03 d6 b4 71 cd f0 3e 32 64 65 d5 e0 89 b2 92 09 19 71 c0 55 // 8e 91 0c 4b fe 02 99 be ee c7 20 cb 1a a0 a0 f2 59 36 12 af 13 5d d9 // f9 4d a7 4b 09 34 39 19 36 19 11 c1 ba 31 6c 53 14 06 0c 0a a1 2b 0b // 7e 5b 4e ff f6 84 2d 92 a8 a5 ba cc 20 93 26 6c 3a 72 c5 47 47 f8 73 // 06 65 bf 8b 93 d2 7e a6 42 5b f3 21 ee 49 a4 61 0e 8f 44 3c 57 32 1f // 35 a6 21 1d 42 47 c3 48 3d 59 e9 c3 e9 43 75 6e b8 f1 53 e5 d3 f5 71 // dd 31 1d 36 93 fc 77 37 8b 20 9d 10 03 0e 59 61 52 5a 7f a2 09 36 a2 // 48 02 19 70 c9 df 55 3f 26 e5 02 5f 61 c4 0e c9 e4 c1 b6 32 fa 2b 8d // 16 f6 c5 13 98 63 7b 83 9f c8 62 bf ea cf 6d a5 32 80 c7 5d a9 f6 c7 // 47 ad fa 9e 85 59 03 46 d3 dc 29 2e 88 c5 43 c7 12 4f 2f 19 82 5c 6c // a2 d5 5c a6 9b 07 25 f0 68 c0 eb 0d 85 bd 4b 69 13 6d fe 2e 58 6f 20 // 0f ea 86 b2 a2 60 61 2e 2f ac 84 c4 53 24 fc bd 73 44 1b fb dc 85 d5 // 16 03 5d 17 a6 7c 15 4d 03 8e 58 a7 ee 5b dd a2 90 a3 85 5e c9 80 ef // 06 1d 52 64 08 04 ce 79 27 73 da 53 08 ec 34 ae bf e2 b6 b9 0a 67 14 // 95 d8 4f 98 61 0a fe d6 38 9b 3d 7a a0 f1 51 3b 33 36 30 61 9a 38 4a // 75 cd 86 69 c3 59 47 be 86 e4 d4 41 dd b2 83 6a f8 63 dc 93 45 e0 d6 // 4b 2c 53 da 97 56 e6 dc f5 53 86 83 74 6a eb 71 ff 97 da e4 64 20 c9 // f0 37 ea 45 16 fc 79 
2d eb a7 33 e3 ab ce 02 0f 94 44 50 20 bb 58 e0 // fe 9f f5 60 4b b4 f4 14 24 6a b0 58 c0 53 e5 7e 1d b1 d4 47 a8 b2 5e // 5b ee 1e df eb d4 a0 b4 00 41 d1 f7 ca 3b ee bb 2a 57 db 40 98 de dd // cb ad 5b 4d 19 69 84 88 90 94 7a 77 44 2f 08 d7 89 47 f8 e4 de 99 55 // fa 9a 1f 3a 3b 24 f9 a7 9d 0a a9 bc 00 5f b2 43 63 9d fb 0d b8 02 ae // 72 92 22 74 ca 1f cb da 19 41 28 d1 b1 92 4c ac a2 77 67 eb 06 f5 72 // 1a 2d ec 96 74 9a d9 b0 2c 7a 76 3a f0 22 32 03 34 e9 0e 2e 8c d0 cf // 18 ac cd e7 a0 1c a7 6e 86 d7 3d ff b9 0b be 70 4a 88 af 2c a6 6b 1d // 9d 59 9d dd d6 8c 0c bb 67 97 4b f7 5b 12 26 f4 80 d5 4b a6 10 05 4d // 4d 04 48 45 fd 21 eb 70 62 f4 88 0b 3e 09 eb a1 2e 8a 77 7c d9 33 5c // 4a 4c 0c da c8 a0 56 94 97 6c 43 8f b6 f7 65 75 52 33 a7 f7 17 47 f4 // 7a 8a b0 1d ee a5 67 e3 5c 6e b8 92 bd 09 cc 14 fd 9a 39 da b1 f2 1c // b2 69 11 80 39 f6 49 5e ee 2a 29 50 0f 8a c8 7d b3 64 fe 9a cb c0 88 // 86 b8 ef 67 da 6b b2 a9 cc c7 b9 a5 09 b0 83 52 ee eb 0e 52 7d dd 67 // 84 4d e2 30 f9 3c 99 03 16 00 e1 0f d8 6c 9e 9f 89 d5 37 c7 8e 97 9e // c2 88 21 76 db 76 67 70 e8 21 61 26 0e 1c 43 70 1c 6a b9 f2 0b 9d 2e // 93 9c 76 53 26 3f 13 e0 5e 48 62 cc b4 2c 7c 50 4d de e8 b0 d2 f4 e7 // 82 93 03 8d 90 4b 3c 54 5e c7 89 11 bf 3a da e2 6f a5 bd d4 d9 17 bc // 03 1a cc 5a 77 89 24 6c 02 37 cf 2d a1 ba 42 12 75 5f ac f8 47 34 93 // 2b 67 2e f6 9e 9f 59 9a 6b 5b e0 1b 16 e5 8f d5 1c 0e 2b 08 ab df 5a // 28 40 9f 7a ba 95 f0 bb 17 6a fc ac a7 23 36 ac d5 40 b2 d2 11 58 6d // 42 bb 94 30 8c 5e d0 0d e0 54 0d 48 b8 d5 07 8c ca dd c2 b4 f1 3b 67 // b7 6a 30 f9 1a f5 35 c4 7f bc 14 b8 d9 5a 38 76 70 3e ba ce ce 92 9d // 51 9d 64 49 9a 16 78 1f a7 53 e1 1b ac 5f a5 38 b1 ea 8d 59 2c 09 02 // d2 74 29 7f 8e 4f c4 62 9b 85 58 4f e7 77 bd 45 59 52 a4 5c c8 96 a1 // ea 45 64 16 85 5f 0c 99 7c 55 dd d7 2c 85 42 f4 2e 72 31 ed 07 c2 4d // 1b 6a 3c 30 de fa 64 01 d8 c9 a4 89 e5 9f d1 b1 f4 7a 3f d2 a6 33 ef // 78 eb 0a ab c0 09 dc b9 07 0d bb 38 d0 67 1e ad 07 2f 08 de ec 5d c9 // 39 
a5 5c c5 b4 a6 f1 14 2a 10 1b 9a 30 38 b2 89 65 d2 35 b8 79 5e 3f // 7b 4c 75 93 30 9f 5f 67 ef 8b e8 36 30 89 0f 42 5d 69 ac 37 7b 5e fc // 63 4f 13} (length 0x1000) // } // } // ] *(uint16_t*)0x2000000007c0 = 1; *(uint16_t*)0x2000000007c2 = 0; *(uint32_t*)0x2000000007c4 = 0x80; *(uint64_t*)0x2000000007c8 = 0x5000; *(uint64_t*)0x2000000007d0 = 0xdddd1000; *(uint16_t*)0x2000000007d8 = 0; memcpy( (void*)0x200000000840, "\x0c\xeb\x4f\xc1\x11\x99\xac\xe5\x8c\x4e\x6c\xb9\x7b\xed\xe6\xdf\x88\x4f" "\x9a\x11\x9a\xca\xfc\x33\x4d\x9a\x44\x91\x83\x89\xa5\xce\xfb\xb7\x64\xb9" "\x94\xd9\x17\xac\x44\xfa\xcd\x42\x92\xbf\xfe\xe2\x4f\x0b\x7f\xa0\x4a\xf5" "\x64\x17\x0c\x8d\xa9\x38\x14\xd5\x60\x6c\xc5\x1b\xff\x60\xce\x9c\x75\x6c" "\x3a\xde\x47\x00\x35\x50\xb4\xda\x42\xdc\x10\x6a\x2e\x45\xd9\x3e\x4b\x56" "\x47\x7d\x06\xd8\x35\xab\xf7\x59\x1f\x40\xba\xad\x68\x7d\x26\x3b\x98\xe2" "\x77\x55\xa2\xda\x27\xf5\x84\x79\xf9\x02\xb4\xe1\xc8\x7f\xc4\x0c\xde\xbb" "\xd4\x3b\xb8\xa7\x93\x24\x3a\xba\xbe\x9f\xe2\x25\x33\x87\xbf\x12\xf5\x97" "\x2a\xc8\xa0\x35\xaf\xfc\x9a\x40\xb4\xbd\x1f\xe9\x9f\x38\x35\x30\x2f\x42" "\xfb\x35\x2b\xdc\x51\xf3\x52\x3d\xd7\x86\x64\x06\xcb\x86\x8a\x04\xc7\xed" "\xcc\xa6\x16\x72\xff\x99\x67\x2e\xd0\xb1\x02\x76\x9a\x91\x6c\x53\x21\xc3" "\xfe\xff\x9d\x75\xc5\x92\xad\x98\x03\x68\x27\x11\x43\x59\x7f\x48\x8e\xdc" "\xbc\xb4\x3e\x3f\xdf\x72\xef\x77\x82\xd9\xe5\x7a\x9f\x13\xd4\xbc\x88\x24" "\xfe\x86\x9a\xa0\xab\x25\x09\x2e\x00\x0d\x14\x40\x9f\x57\x7c\xd1\x64\x12" "\x9e\x21\x0e\xa2\xaa\x0f\xdb\x55\x35\xcf\xf5\x32\xa7\xc5\xe0\x76\x85\x8e" "\xbc\xd4\x58\x3a\x73\x92\x6d\x9d\xde\x0d\x8f\x48\xea\xeb\x60\xe3\xae\x5a" "\x7d\xf0\x48\x80\xda\x75\x9f\xb0\x1c\x9b\x03\xbc\xe1\x27\x03\xc4\x95\x2b" "\x98\xa9\xd9\xab\x23\x03\x5c\x73\x92\x4d\xa5\x3b\x60\x39\xe0\xe3\xbf\x40" "\x6f\xb1\x26\xf5\xbd\xc6\xbf\x56\xd1\x02\x51\x0e\x1a\x17\xf7\x2d\x49\xcc" "\xdd\xc3\x5d\x01\x4f\x4b\x07\x26\x41\xdf\xed\x79\x04\xf3\x83\xdb\xd6\xe9" "\x74\xd3\x22\xf2\x80\xf8\xb9\x93\xef\xaa\xbe\xa6\xc6\x70\x6b\x9a\xf5\x9a" 
"\xf5\x2a\x76\x51\x47\x96\x0b\x4f\x49\x94\x2d\xaf\x5b\x15\xaa\x30\x94\xfa" "\x5f\xbf\x6c\xd5\x3f\xf6\x1f\x53\xfb\xdd\x92\xab\xc6\xeb\x75\xc5\x41\xde" "\x9b\x30\xc3\xeb\x6f\xee\x95\xef\xab\x78\xca\x9d\xe1\x59\x76\x25\x62\x8a" "\x61\xe6\x3c\xaa\xf6\xf3\x11\x87\xc5\x5a\x96\xf4\xfa\x1f\x26\xff\xc3\xf7" "\x6c\xf3\x4f\x06\xcd\x7b\xc3\xed\xb2\x87\xd6\xde\xd7\x6f\x20\x81\xc2\x09" "\x15\x21\xd8\xb3\xd1\x48\xc2\x94\xc6\x1d\x4e\x93\x5b\x0d\xec\xe0\x52\xfa" "\x72\xcb\xd6\x19\x53\x8c\x2f\xb8\x91\xbb\x9d\x94\x4c\x87\xf2\x08\x38\x69" "\xf3\x5c\xcd\xce\xb0\xaa\xf3\xf3\x1b\x7c\xa7\x14\x13\xfc\xcd\xab\xd3\x1f" "\x7d\xe7\xef\x80\x38\xab\x1b\x60\x51\x62\x26\x3f\xb2\xae\x8f\xba\x31\x51" "\xbd\x86\x8a\x6c\xc5\x48\x6b\x04\xd2\x1a\x3a\x0b\xaf\x29\x96\x03\x5c\x51" "\x65\xec\x6b\x87\xbf\x9b\xb2\x6f\x7a\x7e\x41\x2a\x32\xcd\x23\xab\x2d\xe4" "\x99\xaa\x4d\x0e\x48\x15\x8b\x2f\x16\x88\xf0\x36\xc0\x95\x5e\xd5\x2d\x17" "\x29\x03\x6a\x6c\x15\xf5\xf5\xa7\x26\xb3\x2c\x2d\x5d\x5d\xf9\x6a\xd8\x09" "\xc6\xf6\xb1\x69\x12\xc9\xbb\xcb\x39\xee\x05\xca\x2f\x87\x8b\x9e\xbd\x80" "\x0e\x24\x83\xb8\x65\xa6\x7b\x26\xc7\xb5\x4a\x54\x63\x52\x7f\xdd\x1c\xb0" "\x94\xc2\xdd\x88\xea\x74\x34\x97\xa2\x8b\xf0\x93\x89\x91\xc7\x68\xa2\x53" "\x68\xa9\xcf\xc0\x2c\x31\xf0\x3f\x57\xed\xef\x71\x49\xcc\x89\x0e\xeb\xab" "\x15\xf6\xb8\xde\x0c\xd3\x56\x9d\x34\x6f\x2d\xf6\xce\x12\x1a\xe7\x32\xab" "\xd1\x59\xe4\x80\x27\xf7\x57\x5e\x70\x37\xc3\x5e\x3c\x0d\x49\x9d\xf9\x4e" "\xf5\x47\x71\x66\xf6\x03\xe7\x96\xfb\x88\xfa\x91\x42\xab\x1a\x8f\x16\xb3" "\xa5\xfc\xc3\xd4\xc0\xba\xd8\x04\xcf\x81\xa7\xbb\xb5\x79\x5c\xfc\x42\x9c" "\xdd\xec\x3b\x27\x89\xf6\x03\xf3\xc5\x64\xe9\xc0\xfd\x99\xc9\x77\x64\x44" "\xfb\x8a\xa6\xca\xe3\x31\xd5\x7b\x30\x7d\xf7\xe2\x6a\x74\xba\x2a\x6f\xcc" "\x44\x3a\x4d\x4d\x99\xf1\xf6\xd3\x3c\x88\xb4\x72\x25\x25\x3f\x50\x23\x55" "\x4d\xdf\xe9\xc0\xee\xb2\x7e\x09\xa2\xeb\x4c\x61\xf7\xf6\xbf\xed\x68\x75" "\x76\x4b\xc9\xe8\xc5\x51\x02\x5e\xae\x87\x2b\x03\xa2\x3f\xb0\xcd\x6d\xcf" 
"\xd0\x37\x12\x9a\xb7\x62\x4f\xe7\x6c\x08\x01\x7b\x9b\x8e\x58\xce\x37\x08" "\xe4\x08\x6d\x5f\xd2\x5f\x9f\xbc\xbb\xd6\x1e\xab\x41\xe8\x02\xb6\x97\x6d" "\xfd\x45\xa7\xa4\x04\x41\xb1\xfc\xb4\x1b\xaf\xe8\x49\x82\xbb\x78\x08\x65" "\x14\x5d\x31\x2b\xc0\x87\x75\x46\xce\x7e\xea\x5d\xe1\xe3\xfd\x3d\xfe\xa2" "\xe1\x78\x23\x26\x10\x82\xc3\x4b\xae\x15\x7a\x61\xcb\x5f\x45\xb0\x87\x84" "\x2f\x62\xa9\x3a\xab\x20\xce\x47\x48\xe8\x6c\xa1\xb9\xcc\x35\xa7\xcd\xd8" "\x5a\xf3\xd2\x56\xd6\xa6\x57\x10\xc6\xd9\x79\x0a\x58\xa1\xca\xf0\x04\x9b" "\xe0\xeb\x3e\xc1\x04\xa2\x26\xed\x68\xc3\xf8\x66\xd2\xb9\x88\xb3\x5f\x91" "\x33\x05\x9e\x3e\xdb\x9e\x15\x52\x19\x92\xc6\x8f\x83\x5a\x51\xaf\x80\x59" "\x86\x35\x07\xa1\xd9\x55\x7f\x87\xa5\x4e\xc9\x11\x60\x42\xec\x78\x65\xcb" "\xeb\xd7\x8b\x89\x65\x06\xc5\x6a\x50\x79\x18\x27\xee\x4a\xa7\x3a\x43\xc0" "\x6a\x75\xcc\xc1\xe5\x3d\xbf\xdd\x51\xfc\x7b\xf3\x75\x64\xd6\xb9\x7a\x88" "\xa5\x32\xba\xf7\xc1\x24\x2c\x70\x61\x17\x54\xfe\x91\xc9\x93\xfe\xd8\x10" "\x98\xe6\xe9\x14\xfc\x37\x54\x4a\xbf\x6a\xe9\xf4\xe5\xbf\x2c\xcd\x0f\x13" "\x79\x98\x2e\x08\x07\x66\x7d\x11\xd8\xf4\x67\xe6\xf0\x1e\x5f\x6f\x0e\x60" "\x77\x61\xc2\xec\xb3\xba\xae\xcb\x5e\x1c\x93\x40\x27\x7e\x62\x8a\x0f\x91" "\x7a\x52\x69\x35\x6b\x94\x9e\x84\x0e\x2e\x76\xed\x27\xdb\x32\xcc\x54\xc8" "\xff\x03\x71\xcf\x5f\xe1\xaf\xb3\x6a\x47\x00\x11\x6d\x15\xd4\xb4\x0a\x7a" "\x13\xba\xd5\x8e\xdb\x72\x55\xf2\x54\x99\xf2\xfb\x63\x84\x07\x2e\xf1\x45" "\x52\x89\xd1\xf8\x01\x13\x5d\xd0\x17\x21\x20\xdb\x2d\xa4\x64\x35\xcc\x5a" "\xa6\x7d\x2b\x55\x15\xd5\x68\x09\x7e\xc8\xb1\x21\xf1\x33\x98\x6b\x36\x47" "\x70\x89\xa4\x93\xe1\xd7\x21\x05\x2e\xe3\xaf\x84\x5a\x87\x2e\xdc\x5a\x2f" "\x97\x80\xc1\xa7\xa1\x89\x15\x68\xf5\xa6\xca\x84\x73\x8d\x29\xaf\x41\x73" "\x27\x94\x29\xd5\x90\x8e\xd2\x65\x30\xdd\xba\xbc\xe5\x2f\x39\x52\x1a\x7e" "\xe1\x70\x99\xdd\x23\xf6\x13\x23\x21\x08\x95\x90\xf9\xde\x07\x18\x20\xf8" "\x4c\xbb\x68\x1f\x47\xb9\x7f\x33\x18\xdf\x51\x82\x25\xe9\x81\xd2\xca\xce" 
"\x31\x9b\x1e\xda\xad\x90\x1f\x22\x4a\x08\x7a\x4a\x4b\x70\x3b\xe6\xca\xcc" "\xbd\x62\x1e\xa1\xbb\xb4\x89\x04\xcf\x46\x00\x78\xcb\xfa\xfb\x54\x9e\x54" "\xb8\xb1\x14\x68\x68\x91\xcf\xb2\xb1\xb0\x47\x02\x07\xc7\xe1\x21\xe7\xb6" "\xc3\x12\x06\x3f\xfc\x17\xc8\x05\xff\x47\x88\x3d\x39\x63\x70\x96\xe9\x42" "\xa1\xe4\xdc\xa8\xde\xba\xcf\x1d\x2e\x69\xf6\xcd\xe8\xd7\x7a\x75\xcb\xfc" "\x7c\x05\x64\xb6\xda\x1d\xa8\x90\xb9\xdd\xd5\x32\x84\xc4\xcc\x10\x9c\x20" "\x7f\xd3\xd1\xa1\xee\xbd\x31\x57\xd8\x6f\xa1\xd3\xbd\x77\x5d\x36\xfe\x99" "\x05\x0c\xd9\xc1\x41\x00\x92\x7e\xb1\x06\xc0\xc2\x69\xc3\x33\x76\x1e\xbf" "\x90\x40\x2d\xbf\x92\xd2\x73\x9d\xa2\xb6\x9f\x4e\x2a\x05\xe3\x9b\x03\x36" "\x95\x6b\x16\x61\x53\x4a\x01\x57\xbe\x6a\xc0\x15\x36\xaf\x67\x98\xd8\x9c" "\xac\xe7\x43\x25\xa5\x53\x7b\x2a\x5a\xdd\x7d\x36\x49\xc3\xe1\x8b\xb3\xee" "\x64\xd0\x76\x66\xff\xab\x04\x82\x6c\x12\xa5\xf3\x48\xac\xfd\x97\xb4\x39" "\x32\x05\xbf\xd5\xa9\xa3\x36\x5c\xed\x18\x16\xb7\x61\xea\x1e\x8f\x69\xe5" "\x73\xe9\xc5\x2a\x58\x05\x7f\xdc\xc3\x48\xca\xef\xe1\xef\x84\xcc\x35\xdd" "\xbf\x78\x09\x13\x95\xe1\x2a\x9f\x5a\x4a\x24\x1c\x7a\x32\x6e\x64\xaa\x85" "\x75\xf1\xbc\x9a\x5e\x17\x41\x7f\x49\xa8\xd5\xaa\x9a\xae\x50\xe9\xaf\x17" "\x85\xe0\x1e\xd6\xf4\xe4\x31\x3e\x0e\xda\xb3\x50\xa0\x86\xae\xd2\x9c\xd5" "\xaa\x1d\xdb\x5e\x00\xde\x7a\xc8\xd3\xbc\x2b\x16\x7b\x32\xd9\x92\x50\x46" "\x27\xac\x20\x14\x8c\x1f\x66\xeb\x61\x70\x3f\x43\x07\xf3\xb2\x06\x24\x56" "\xd3\xa8\x20\xf2\xe0\x57\x9c\x53\x1f\xa5\xd7\xa9\xf1\x9c\x00\xa3\xcf\x3c" "\x9a\xf8\x6c\xde\x1d\xb8\xb4\x6c\xe7\x3c\x8e\x92\xed\x6d\x18\x6e\xd8\xc9" "\x48\xf0\x6b\x3f\x3d\xbb\x96\xd4\x7d\x5e\x24\xe8\x82\x1b\x6b\xeb\x7f\x65" "\x9c\x7b\xaa\xde\x01\x40\xa8\x31\x1f\xf1\xed\xc0\x67\x37\x23\x2b\xaf\xe6" "\x30\xcc\x8a\xee\x5c\xc0\xff\xba\x50\xd6\x27\xb1\x47\x19\xa1\x93\x3b\x4e" "\x2f\xa1\xbb\xa3\x9a\x8d\x4e\x7a\x25\x33\x24\x13\x33\xbf\x19\xa7\x7f\xc7" "\x79\x88\x4f\x17\x2f\x44\x37\x12\x68\x4f\xdf\x65\x58\x91\xf0\x1e\x52\xbd" 
"\xfd\x09\xe1\xb9\x69\x68\x61\x62\x2f\x0c\xb1\x5e\x58\xf8\x7d\x1a\xa4\xff" "\xab\x12\x09\x49\x27\xdf\xb1\xd6\x47\x9b\x91\xba\x73\xbc\x34\x8d\x3f\x34" "\x65\xd1\xef\xf1\xb1\x77\x4b\x49\x38\x17\x48\xf9\x8f\x3b\x79\x85\x83\x65" "\xa3\x57\xe3\xed\x5c\xb8\x98\xef\x69\x59\x7c\xb5\x7a\xbc\x9c\x3c\xd9\x0f" "\xee\xbf\xed\x6a\x98\x87\x1e\xd2\xa5\x6a\x2f\x8b\x1b\xfd\x3e\xc3\x83\xe0" "\x77\x82\x7d\xb5\xbd\xd9\x92\xda\x14\x6a\x91\x29\x59\x94\xc0\x39\x64\xd1" "\xc9\xaf\xf8\xcc\x25\x70\xef\xfa\xbc\x81\xe1\xf4\xb4\x77\xd1\xe4\x52\x20" "\x4c\xd0\x7a\x3f\x8b\x72\x96\xb2\x08\xe7\xbe\x2c\x3f\x71\xde\x25\xcd\x5f" "\x96\x43\x78\x1e\xb1\x9b\x3d\x2b\xc7\xd7\x3a\xe9\x72\x94\x0c\x10\x3d\xbb" "\x57\x58\x40\x6a\x3f\x6d\x56\xe9\xb3\xb0\xc1\x85\x90\x47\x44\x02\xd6\x80" "\xff\xa8\x7b\xf9\xa1\xb2\x41\x44\x82\x78\xf5\x64\x14\xe8\xfa\x88\x5a\x68" "\x03\x48\x6a\x9c\xc2\x33\x1b\x3b\xa3\x18\xc8\x08\x34\x8f\xa4\x43\xe0\x02" "\xe5\x7e\x04\x5f\x36\x81\xbc\x45\x98\x7a\x30\x1c\xd2\xa4\xb7\xab\xcf\x7c" "\xb1\xe3\xdf\xe8\x7f\x91\xd5\x1e\x52\x1b\x8b\xc1\x54\xa3\xe6\x04\x60\x07" "\x65\xb0\x1e\x52\xf7\xf1\xea\xed\xbc\x95\x48\x66\xe8\xe5\x72\x31\x52\x32" "\x1e\xe4\x3b\xaf\x10\xa1\x7c\xd2\x2c\x95\xd8\x4e\xcb\x41\x9f\x85\xb8\x0f" "\xed\x17\x9c\x4d\xc9\xa9\x98\x51\xe5\x94\x71\x4b\xd2\x26\x25\x89\x1d\x88" "\xd7\x41\x8b\x23\x3c\xaf\x07\xe7\x26\xb2\xe2\x10\xb3\xf4\xe1\xd3\x60\x1e" "\xd8\xfe\x90\xfe\x34\x60\x23\xa6\x7c\x7a\x7a\x1d\x48\xe1\x85\xf1\x22\x9c" "\xe8\xde\x92\x5b\xd2\x93\x5d\xe1\x33\x1c\x6a\x59\xa3\x61\x90\xda\xd3\xe7" "\x67\xba\x3c\x65\x9a\x93\x6c\x1e\xc3\xb1\x6a\x7d\x4f\x04\x12\x1e\xbe\x19" "\x3f\xe3\xae\x8d\xf8\xc3\xbb\x06\x60\x73\xc6\xf2\x5f\xa0\x6d\xbd\x8b\x67" "\xc5\x7d\xc0\xa7\x1b\x9e\x5c\x06\xa4\x05\x16\xb3\x6d\x33\x1e\xfb\x0b\x3d" "\x3d\x0f\xdf\xe0\xeb\x4d\xc8\x4c\x4a\x8d\x15\x77\xef\xbf\xca\x91\x6b\x01" "\xf5\x6e\xfa\x66\x33\xf4\xba\xe0\xf4\x04\xbb\x4f\x85\x6b\xa2\x6b\xa6\x44" "\xe0\x50\x49\xd3\x64\xa6\x10\x1c\xe5\x1b\xd7\xd2\xbe\x1c\x10\x34\xfc\x87" 
"\xa8\xc1\x54\x65\xb9\xa9\xdf\xc9\x26\xce\x41\xc8\x6f\x9c\xb1\x55\x81\x85" "\x9b\x7c\x56\x04\x24\xdc\x08\x27\x1d\xbc\xe8\x68\xb7\xca\x15\x3f\x82\xd5" "\x64\x84\xe9\x98\x1f\x6e\x7b\x6c\xfe\xee\x8d\x2a\xe4\xd3\xb2\xbf\xe3\x24" "\xbf\xf7\xdc\xe2\x0e\x42\x3a\x79\x0c\x56\xd9\x3c\xfa\xe5\xe1\x93\xc3\x73" "\x72\xfa\x64\x3e\xd5\x29\x70\x78\xd9\xa0\xfe\xdb\x7b\x09\x1b\x56\x30\xfb" "\x46\xb8\xca\x3e\xed\xc4\xff\x11\xc2\x3a\xe5\x20\xe3\xa1\xec\x8e\xca\xbf" "\x17\x6c\x03\xfc\x74\xaf\x37\x6f\x6e\x20\x8f\xa5\x79\x5c\x99\x03\x0c\x11" "\x18\x97\x30\x41\x4e\x70\x64\x8c\xf1\x14\xc4\xce\x37\x78\x26\x29\x9b\xef" "\x5a\x84\xfe\x18\xeb\x43\xb9\x2a\x8c\xda\xfc\xd7\x1b\x15\x6c\xad\xab\xb7" "\xba\x84\xbe\xae\x56\xce\x1f\x0d\x4f\xa1\xac\x03\xe5\xcf\x4f\x3e\xf5\xc4" "\x95\x0a\x63\x78\xfa\xf6\x87\x88\xfe\x35\x8b\xe4\xd9\x6a\x49\x42\x8e\xc9" "\x76\x23\x56\x2f\xd6\x3d\x5c\x96\x5a\xf9\x43\x7d\x14\x04\x73\x5b\x9e\xb6" "\x82\x2a\x10\xe2\x79\x0f\x6b\x07\x4a\x07\x10\xcd\x6e\x8c\xf9\x6c\x74\x88" "\x6a\xfe\xdb\x09\xd9\x8b\x90\x8c\x89\x7a\x19\x58\xd6\x85\xff\x7d\x37\xc8" "\xdc\x95\x3e\x9c\xd2\x2a\xc8\x19\x1e\xe2\x00\x38\x3b\x24\xa3\x38\x5c\x9c" "\xa6\x93\x39\xb0\xa8\x12\x92\xf8\x1b\xbe\xef\xf4\x2d\xd7\x0b\xe7\xba\x62" "\xf1\xbe\xb1\x62\x54\x90\xee\x96\x71\x15\x37\x5a\x78\x40\xc1\xf7\x34\x54" "\xac\xd9\xbe\x17\x35\xaa\x1e\xb0\xb6\xbf\x6e\xd5\x6e\x8c\xd3\x60\xcd\x53" "\x72\x24\x68\x41\x6f\xd1\x46\x22\x2b\x35\x02\x66\xbe\xdc\x84\x64\x81\xa4" "\xc6\xdf\xaf\x15\x13\x2d\x46\x0a\xb8\x14\xbb\xb9\xa2\xe3\x5a\x80\x68\x51" "\xd7\xec\x41\xdf\x32\xfa\x5b\xbf\x68\xb7\xbd\x92\xb7\x97\x03\xc2\x8a\x6b" "\x1f\x9f\xde\x6a\x87\x8e\xbe\xc9\x53\x1d\x74\xcf\x27\xf5\x55\x97\xae\x90" "\xf4\xf7\xfe\xd4\x2c\x79\xa8\x36\x55\xd6\xbd\x44\x47\xe3\xb2\x72\x28\x37" "\xcb\x17\xc1\x86\x19\xd7\x66\xb7\x84\x58\xb0\x44\xea\xe9\xef\xb8\x62\x35" "\x56\x44\x09\x9f\x19\x30\xfa\x28\xf5\x45\x97\x6d\x2a\x83\x44\x70\xf3\x8c" "\xee\xfd\xac\xbc\xbc\x45\x89\xae\xeb\x68\x5b\x5e\x53\x64\xe2\x69\x68\x7d" 
"\xa3\xb2\x6f\xf2\x9d\xd1\x4c\x1e\x1f\xe2\x87\x7c\x95\x2b\x5c\xa6\x5f\x45" "\xee\xfb\x98\xb5\x46\x7a\x3c\x1c\x71\xfc\xe2\x1e\xef\x77\x88\xab\xf2\x93" "\x00\xe1\xa7\x2e\xaf\x46\x87\x28\x8f\xa3\xab\x47\x94\x59\x3c\x84\x12\xf7" "\x41\xf3\xce\x3d\x08\x04\x8f\x31\xcb\x35\xd6\xa9\x49\xc6\xb5\xfc\xcb\xbe" "\xd7\xb8\xa3\x4a\x98\x50\x64\x16\x46\xb0\xf3\x27\xfc\x2c\x03\x0d\xb8\xf7" "\x35\x83\xaf\x3b\x4c\xc6\xda\x43\x50\xb9\x28\xdc\x16\x2c\xc9\x72\xa7\xf5" "\xec\xee\x34\xa0\xdd\x7a\x67\xba\x16\xc0\x1b\x5c\x04\x4e\x25\xb7\x60\x37" "\x06\xdd\x6f\x58\x3f\x40\x14\x2e\xee\x57\x57\x28\xbc\xaa\x27\x12\x41\x3d" "\x0e\x61\x6d\xec\xad\xf0\xdd\x82\xc9\xf7\x60\x3a\x9a\x56\x35\xf9\xe8\x7e" "\x5d\x71\x78\xf5\xa9\x2a\x47\xe9\xc4\x70\xfe\xeb\x8c\x21\x17\xa0\x2f\x23" "\x31\x05\xd8\x1e\x8d\x6b\x94\x6c\x62\x70\x89\x36\x41\x33\xc6\x03\xd8\x64" "\xda\xe8\x0a\x01\x4d\xd8\x10\x26\x5f\x89\xca\x19\x4a\x2f\x3f\xac\x21\x88" "\x9c\x98\xaf\xa5\xb7\xc0\x62\x94\xe1\x81\x0e\xb5\x54\xf6\xfc\xb4\x28\xdc" "\x7c\x62\x46\x18\x7f\xef\xc0\xfc\xd1\xe6\xb7\xbf\x04\xaf\xd9\x2d\x7f\xb9" "\x20\x2a\xfc\x5c\x1d\x3c\x61\x35\xa1\x22\xb1\xf7\x7a\x74\xf6\x84\xa5\x30" "\xd9\xcc\x09\x94\xc7\x34\xc1\xd4\x4a\x73\x48\xba\xd1\xe2\x00\x94\x44\x48" "\xe9\x19\x70\x7b\xd6\x94\x8d\x62\x8f\xa8\xc9\x1c\xb4\x9d\xa2\xad\x26\xde" "\x79\x11\xa1\x4f\x83\x53\x31\x95\x15\xd7\x67\x85\x67\x41\x51\xf7\xd1\x37" "\x7b\x99\x7f\x3f\x28\x5a\x21\xe1\x6e\xd8\x74\x59\xff\x4d\xcc\x9f\xf6\x8b" "\x3a\x27\x54\x31\xb2\xe6\xc8\xac\x55\xd8\x71\xe5\x67\x75\x51\x0c\x0f\x7c" "\x1c\x24\xfe\x80\x8b\xbf\x09\xba\x53\xd3\xb0\xc5\x42\x92\xda\xf2\x35\xa2" "\xfd\x37\x82\x75\x69\x4e\xf9\xb4\xff\x66\x38\x4e\x88\xf8\xf1\x42\xeb\xf7" "\xe2\x28\x50\x24\xbf\x70\x90\x7b\x64\xb7\x67\x4a\xf3\xfd\xbb\xf6\x5b\xd0" "\x25\xd3\x35\x29\x20\x5c\xe0\xdb\xc8\xe9\x6a\x84\x5a\x51\xf8\x4b\xb9\x8a" "\x8a\xd7\x15\xce\x86\xb0\x50\x21\x6a\x09\xe1\xf9\xc5\xab\xc4\x4a\x39\x4c" "\x4a\x4d\xd3\xe7\xc5\x47\xf3\xfc\xf8\x67\xcc\x2f\xc3\xfb\x5b\xaa\x75\x35" 
"\xd5\x1f\x86\x05\x1d\x0d\x68\x0c\xb4\x95\x8b\xe1\x2e\x91\xf8\xf9\x45\x52" "\xd9\x68\x93\x54\xad\x6b\x5f\x5a\xa4\xbc\x15\x49\xd3\xe6\xa2\x96\xd6\x2f" "\xaf\x83\x9c\xe4\x19\x04\xab\x36\x86\xc3\xbf\x5b\x52\xd6\x5f\xe3\x19\x61" "\xbb\x3e\x82\x74\x48\x70\x2c\x44\x32\xb7\xcd\x4f\xb2\xa6\xee\x79\x48\x23" "\xfe\x4d\x67\x2f\xa2\xc7\xd9\x0e\x18\x73\x47\x72\xaa\x14\xd2\x93\x69\x19" "\x6b\xaa\xff\x6e\x72\x20\xbf\xc1\x7d\x7c\x1a\xf2\xde\x20\x61\xbd\x3d\xbb" "\xde\x20\x07\x6e\x56\x39\xbc\xae\xd6\x76\x06\x09\x63\x55\x82\x14\xfd\x0e" "\x3d\x5a\xe5\x66\x02\xdb\x9e\x7c\xbf\x03\x4b\xd7\x56\x17\x0b\x6e\x40\x69" "\x71\x42\xaa\x59\x0a\xdc\xad\x47\x12\x25\x53\xb5\x1e\x60\xe1\xff\x2a\x98" "\x87\x4b\x99\x8d\x20\xe1\x9e\x7a\x36\x92\x65\x45\x67\xb0\xa6\xe9\xc0\x8a" "\x38\xbd\xcb\x8d\xda\x2d\xbd\xfd\xa7\x35\x39\x12\x5d\x79\x41\x57\x35\xfa" "\x47\x7a\x29\xad\x5e\x27\xce\x09\x37\x46\x78\x30\x76\x3e\x03\x97\x48\x53" "\x46\xc0\xe7\x6c\x84\x29\x50\x1c\x89\xe3\xe9\x80\xe0\x9f\x08\x0a\x8d\x45" "\x11\x94\xcd\xda\x91\x3d\xaa\x9d\xdc\x19\x93\x11\xfe\xcd\xe8\xf9\x4c\xa2" "\xc5\xa0\x06\x60\x0e\xee\x43\xc9\x96\x19\xb4\x58\x9f\xd3\x0d\x33\x54\x9b" "\xeb\x8a\x64\xc3\x76\xde\x2e\xd9\xb7\x90\x1f\xf6\xd3\x99\x43\x9b\x7d\xa6" "\xe9\x23\xd5\xa2\x60\xf3\x8e\x47\xc1\x95\x54\x8d\x3b\x72\xbb\x4b\xdb\x4b" "\xc0\x1e\x19\x74\xf4\x9b\xcf\xa5\x25\xc2\xd6\xb5\xe7\xf1\x61\x2b\xf4\xed" "\x4e\xae\xce\x1d\xae\x0b\xab\x8a\xa4\xf2\x48\x0a\x1b\xa7\x37\xbd\xa7\x3b" "\x51\x59\x4a\x5d\xd7\x32\x48\xec\xf7\x18\xba\x39\xfc\xe3\x0a\x59\xb9\x8a" "\x53\xcb\xae\x4c\x2c\x0d\x23\xc6\x17\xbc\x75\xa6\x58\x97\x54\x25\x39\xe0" "\xac\xfd\xb8\xb0\x07\xbf\x2e\x5b\xe8\x96\xdb\x56\x2f\x26\x34\x60\xb2\xa0" "\x51\x5e\x44\xde\x7d\x96\x5d\x7d\x4f\x94\x00\x65\x34\x25\xa4\x60\xac\xd2" "\xa3\x01\x3e\xbb\xb5\xf2\x13\xdb\xbe\xae\xdb\x56\x6d\x3d\xce\x8e\xdb\xb7" "\x93\xb7\xfb\x16\xf4\x63\xaa\xd4\x7e\x41\x27\x5d\x70\xdf\x56\x09\xff\x2a" "\x3c\xf2\x1f\x4e\x94\x33\x13\x42\x6e\x0f\xf5\x79\x6c\xb4\xac\xdd\xb8\x6a" 
"\xb2\x56\xdc\xb6\x53\x9d\x06\x5d\x74\x9a\xa9\x2d\xd2\xb2\x57\xca\x6f\xb5" "\x7d\x11\x00\x9b\x98\x58\x52\xec\x9e\xa2\x29\x98\x60\x06\xa4\xdf\x20\x93" "\xc9\x97\xff\x64\x67\x7d\x9f\xd3\xd0\x85\x8f\x12\xbb\x91\x48\x80\x43\x51" "\x48\x45\x56\xc4\x07\x3e\xae\x97\xe6\x34\x0c\x82\x11\x96\x80\xf0\xf8\xcd" "\xa3\xe4\x17\x50\x42\xcb\x0e\x6a\xdc\xe9\xd0\x13\x61\x44\xca\x09\xc3\x63" "\xf8\x5e\x82\xb2\x0d\x3f\x27\xbb\x45\x87\x92\x7b\x1f\xde\x64\x50\x41\x42" "\xfc\x2b\x6d\x2b\x27\xfb\x6d\xb9\x46\x94\xf0\x5f\x0e\x21\x03\xba\xd8\x26" "\x72\xe8\xe9\x46\x16\x9a\x4d\x71\x07\x06\x35\x1a\x28\x1e\x29\xa2\xad\x55" "\xca\x10\x47\x06\xee\xd5\x3e\x06\xc3\x41\xe6\x3d\x6b\x93\xa2\x8f\x38\xb7" "\xc4\x18\xe5\xf7\x87\xc4\x96\xff\xf3\xc5\x5c\xed\xec\x24\x29\xf5\x7b\x6d" "\x29\xe4\x16\x32\xc1\x78\x0b\x5a\x95\x8d\x3e\x01\xf8\x97\x94\xb1\x9b\x7c" "\xd0\xde\xe5\x83\x16\x11\x2e\x30\x3d\x4b\xf6\x98\xb7\xff\xb3\x9c\x54\x47" "\x27\x85\xe1\xbb\x74\x86\x2e\x60\x06\xe6\x6e\x27\xc7\x47\x01\x6c\xab\x40" "\xae\x9b\x78\x11\x33\x16\x09\xd2\x83\x0b\x91\xbb\xfc\x06\x7d\x78\x4d\xad" "\x42\xbc\xd8\x13\x68\x26\x57\xf7\x88\x96\x57\x6b\x1d\x32\xd4\x51\x1a\xaf" "\xb8\x56\xe7\x71\x5a\x27\x8e\xa9\xb4\x12\xcc\xb4\x04\x1a\x6f\x7c\x0b\x61" "\xa6\x1d\xfd\x90\x36\x54\x51\xb7\xb9\x33\xeb\xc9\x3a\xb0\xe4\xf9\x93\xc5" "\xc1\xbe\x0d\x00\x29\x65\xa9\xcf\x2e\x46\xbc\x91\x10\xc7\xcf\x86\x1f\x23" "\xae\x00\x4f\xf0\x7b\x8f\xd7\x64\xb8\xf0\xef\x1c\x2f\x54\xfc\x3a\x43\xde" "\x17\xc6\xd6\xdb\x2b\x8f\x80\xb8\x09\x12\x01\x24\x3d\x16\xd4\x48\xb1\x4e" "\x32\x14\x7f\x82\x42\x6b\x33\xee\xdf\x2f\xc5\xd3\xcc\xa4\x0f\xec\xb9\xf6" "\x8e\xec\xdf\xd9\x44\x00\x3d\x26\xc8\x55\xb2\x92\x36\xb5\x00\x15\x82\x12" "\xa9\x1c\xf0\x09\x01\x9e\x9f\xb5\x6e\x5a\xa5\x5b\xa2\x20\xa4\x8c\xe2\xa0" "\x80\xdc\x2f\x82\xa0\x66\xfc\xc2\x6f\x81\xa1\x40\xe8\xcf\x61\x40\x36\x02" "\x82\xc6\xfe\x86\xad\x39\x84\xc3\x36\x52", 4096); memcpy( (void*)0x200000001840, "\x1d\x0b\x05\x98\x1d\x90\x4b\x13\x4f\xa7\xed\xe8\xa8\x69\x6d\x85\x8a\x7b" 
"\x8d\xb0\xc6\xb4\x43\xbd\x46\x06\x75\xd1\x2d\x8e\x31\xb9\x66\xed\xe5\x87" "\x48\xf1\x02\x5c\x8a\xce\x9d\x34\x1f\x9e\x9c\xf5\x70\x6a\x38\xb9\xc0\x70" "\xc1\xf3\x75\x93\x2e\x7a\xcf\x07\xc6\x57\xee\xb7\x8c\xad\x5d\xf7\xbc\xec" "\x3e\xb9\xb5\xb6\x85\x37\x7b\x09\x2a\x52\xb4\x6a\x98\x4d\x8b\x57\x3b\x36" "\xa8\xca\x61\x11\x51\xe8\x78\x2c\x07\xeb\xe8\xd7\x8f\x4d\x32\x0a\x61\xe5" "\x6f\xb6\x43\xd6\x25\x6f\x1f\x3d\x64\xcb\xd9\xe7\xa3\x91\x1f\x45\x95\xeb" "\x7f\x81\x36\xc6\xd8\x5c\x3e\x99\x3f\x00\x35\x5e\x99\x44\x00\xd8\x2e\x71" "\xf9\x83\x30\x15\x63\xb9\x32\x65\x1c\x0f\x45\x69\xe7\x44\x83\x41\x71\x5b" "\xa1\x73\x0b\x0a\x50\xd8\x4a\x3c\x8c\x60\x7f\x08\xfd\x41\xd7\x82\x79\xc8" "\x7f\x35\x3e\xb2\x6d\xa1\x03\x3a\xd0\xb7\xa9\x1a\xa2\x71\xd8\xcd\x00\xc2" "\x8f\x6a\xcc\x08\x77\x6a\x58\xca\x5e\x71\x6e\xeb\x00\x92\x86\xa6\x0c\xa7" "\xfb\xd8\x8d\x7a\x07\x54\x30\xa9\x90\x51\xfc\x8b\x13\x34\x20\xa5\x66\x27" "\x49\x40\xb9\x70\xe6\x57\xf0\x0b\x5c\xc5\xff\x95\x01\xab\xc7\xcb\x33\xe5" "\x9a\x9f\x6a\x82\x6e\x80\x5d\xbe\xc8\x4e\x91\x02\xcc\x17\xe9\x13\x78\x94" "\x48\xfa\x7e\x48\x33\x00\x06\xd6\xd7\xe0\x04\xae\xb5\x0e\xeb\x62\x42\x94" "\xf8\x73\x65\xd4\xc6\x61\x02\xb4\xc4\x4c\x3b\x8f\xfa\x4c\xb8\xd4\x67\xbb" "\xb7\xf5\xcf\x4e\xe0\xd8\x9b\x90\x91\xde\x1a\x5c\x09\x2f\x97\x00\xa2\xf0" "\x7e\xd8\x55\xb9\x7b\x39\x2a\x2e\x6d\x95\x64\xb3\x43\x13\xe1\x81\x29\xcb" "\x20\xa1\x02\x70\x7a\x2e\xc2\xdf\xcd\x09\x48\x2c\x4b\x4b\xff\x49\xe8\x08" "\x28\x1a\x1b\x2c\xe0\x73\x3f\x81\x26\xc4\x22\x9f\xa3\xe7\x8a\x2b\xa2\x79" "\x31\xe6\xc7\x2a\x2a\xc9\x04\x85\x76\x05\xab\x8c\x93\x20\xe9\x10\x3d\x60" "\xf4\x30\x63\x90\xb5\x4c\xd0\xaa\xdf\x4a\x2b\xfb\xfc\x3b\xdb\x12\x92\xae" "\x1a\xea\x4a\x0d\xec\x56\x6d\x5b\x42\xc8\xbc\x88\x2d\x77\x3e\x39\x5e\x32" "\xfa\xc8\x42\x13\xcd\x33\x99\xfa\x8d\x5d\x08\x41\x65\x99\x78\x79\x4c\x39" "\x29\x97\xc5\x10\x6c\x92\x03\x24\x5a\x37\x26\x9a\xf1\x59\xfe\x9b\x05\x9d" "\x8f\xbf\xd0\x8f\x93\x31\xb2\x46\x98\x9f\x87\xef\x82\x36\xbb\x87\xb1\xa9" 
"\x55\x0c\xf6\xeb\x53\x1c\x52\x6c\x0c\x21\x98\xac\x80\x51\x88\x4e\x78\xfe" "\xbd\x2c\xfd\x24\x6b\x48\xf0\x9f\x61\x03\x0c\x81\x03\x16\x69\x49\x5d\x15" "\xfd\x48\x65\x1c\xe1\xd6\xb5\x5c\x60\x8c\x83\x9b\x1a\x35\x12\xb9\xd0\xdf" "\xa1\x64\x73\x21\x3e\x7f\x85\x59\xc9\x5b\x89\x69\x16\xba\xaf\xcb\x90\xfe" "\x0b\x5e\x84\x01\x75\x03\x73\x7c\xcf\x5c\x59\x20\xef\x5c\x33\x86\x2e\x58" "\x54\x43\xea\x39\x95\x36\x4b\xa2\x47\x1d\x32\xd2\xc7\xe9\xbd\x49\x66\x9a" "\x83\x68\xef\x05\x86\x8e\x3d\x3e\x70\x7c\x7a\x3c\xa7\x81\xbf\x49\xac\xfe" "\x11\x74\xdf\x6f\x48\xef\x58\x22\x98\x2f\x65\x58\x84\xd6\xdc\x12\x00\x42" "\x07\x2e\x0f\x9d\xeb\x49\xba\x12\x2c\xa6\x6e\x0b\x4b\x6a\x91\xa5\x44\x14" "\xfa\x3f\xad\x51\x84\x63\x1f\x9b\x33\x3d\x3f\x36\x75\x6d\x7f\x09\xb3\x17" "\x8a\x0d\x67\xba\x87\x52\x48\x41\xf9\x2d\xa1\x9c\x36\x69\xb4\xb2\xf1\x61" "\x4a\x0e\xb7\x45\x3d\xfe\x77\x84\xa3\xf9\xb3\x7e\xff\x65\x52\x8e\x89\x8f" "\x22\xd7\x5f\x01\xb3\x2a\xea\x5d\x80\xcb\x04\xee\x42\x77\xf7\xa9\x70\x9e" "\xe9\x6b\x77\x8d\x62\x9f\xf8\x10\x24\x23\x6a\xef\x22\xa5\x1b\x28\x20\xd7" "\xf8\x44\x36\xce\xbf\x05\xed\x2d\x76\xb3\x1f\xc7\x11\x80\x73\xb3\x4c\x1f" "\x41\xe4\x0e\x71\x1c\x3b\x55\x3a\x60\xd5\xad\x7d\x7c\x3a\x1f\x8b\x5b\xd8" "\x26\xc3\x3b\x49\x8d\x7c\x2d\x68\x8a\xc8\x21\xda\xcb\x8c\xb7\x41\xc8\xd7" "\xeb\x61\x50\xce\xff\x0e\x37\x83\x47\x8d\x2a\x60\x4f\x12\x05\xe7\x3e\x89" "\x23\x29\xa9\x00\xd6\xe2\x0c\x3f\x11\x0b\x00\xd5\x02\x85\x41\xa3\x35\xb6" "\x1f\xc1\xa7\x9b\xb0\x81\x8d\x88\x38\x93\x21\x36\x84\xa3\x60\xa8\xcc\x1a" "\xde\x1f\x63\xb1\x09\xe9\xcf\x96\xe2\x12\x6d\x7b\x02\xcd\x71\x31\x6c\x2c" "\xca\xc3\x58\x4b\xb7\x80\x07\x52\xa6\x26\x51\xe8\x10\xc2\x36\x25\xca\xf2" "\x49\xb2\xd5\xe8\x54\xe3\x1e\xfe\xfe\x44\x85\xda\xc4\x5d\xcb\xe9\xaa\xa3" "\x74\x02\xf6\xcc\x7b\x4b\x2c\xe5\x95\x72\xe6\x94\x61\x26\x00\x1a\xb9\x71" "\x7d\xdf\xa5\x8c\x1e\xc7\xae\x8d\x93\xb7\x9c\xd5\x2d\xbe\x0f\xcb\x26\xfa" "\x43\xde\x46\xf8\xa3\xcc\x6e\xcb\x65\x29\xc3\x22\xf9\xc2\x3d\x39\xd9\x2f" 
"\xe0\xb3\x40\x17\x17\x00\x72\x88\x49\x76\xce\x8b\x01\xdc\x98\x1b\x91\x33" "\x02\xc8\x11\x48\x9b\x81\xa1\x57\x11\x74\x88\x22\x45\x36\xd5\x09\xa1\x22" "\x72\x75\x24\x5f\x71\x23\x1a\xf6\xbf\xe1\x21\x62\x83\x5e\x20\x86\x36\xd0" "\x74\xf0\x81\xd8\x8e\x61\xca\xbb\x40\xc9\x3f\x08\x61\x3a\xb1\x5b\x8e\x60" "\x09\xb9\x7a\x83\xac\xcb\xfa\x49\xb3\x93\x74\xbf\x08\xa7\x45\xbf\x4e\xed" "\xbe\xf5\xd2\xb4\x20\x43\x8b\xf3\x16\xa5\xe2\xd6\x02\x4a\x71\x91\x9c\x24" "\xd3\xcc\xfb\x46\x98\x77\x68\xf1\x67\x36\x1f\x4d\x2a\xb9\x1f\x1f\xa2\x98" "\x19\xf0\xd0\xbc\xc9\x30\xf0\x58\x18\xc8\xc6\xc3\xb5\x55\xe2\xf9\x70\x94" "\xc0\x87\x23\x2b\xe3\x40\x48\x30\xd2\x15\xd6\xb0\x92\xdf\x62\x81\xc7\xcc" "\xf1\xbd\xb9\x40\x22\x70\x33\x0c\x00\x39\xe0\x3f\x27\x6b\xc3\x68\xe9\x53" "\x08\x21\x88\x2a\x50\xdc\xe6\xd1\xb5\x19\x0b\x76\x06\xf3\x4d\x84\xe3\x75" "\xa5\x4f\x4b\x13\x0e\x5f\x52\x6b\x9d\xcd\xc9\x8f\x42\x90\x39\x49\x5f\x40" "\xec\x1e\x1f\x44\x5f\x50\xec\x6a\xa7\x60\x6c\xc3\xcb\x3b\xd7\x4c\x5f\x95" "\x51\x04\x13\xc5\xfd\xd8\x5e\xe5\xb1\x6c\xd7\xf9\x51\x1f\x3e\x1d\xc3\x95" "\x59\x64\x39\xb4\x5a\xc0\x34\x4a\x4d\x2d\x14\x11\x28\xd5\x97\xd8\x31\x85" "\x28\x32\x52\x78\xe3\xa5\x70\x9c\xd6\x4e\x9a\x49\xb8\xd5\xba\x10\x79\x83" "\x64\x4c\x45\x2f\x6f\x80\x53\xe7\xec\x32\xfc\x56\x89\x83\x62\xf2\x87\x59" "\x6d\xc1\xbe\xa6\xb2\x63\x96\xe6\x90\x9a\xff\x73\xf9\xac\x6f\xeb\x19\xa8" "\xd8\x7f\x12\x6e\x1d\x23\x74\xc4\xcb\x7f\x6e\x31\x2a\x8a\x17\x19\x7f\xee" "\x59\x06\xe5\xad\xb3\x2e\x02\xac\x30\x4c\xd8\x3c\x23\x96\x97\x67\xa9\xf9" "\xe9\x38\x4a\x3f\xc0\xd7\xa2\x63\xba\x82\x9c\x87\x44\xcc\x42\x79\xd8\xd4" "\x30\x94\x34\xf7\xef\x65\x36\xba\x1d\x83\x19\x87\x0d\x18\x91\x61\x88\xde" "\x24\x90\xc6\x8f\xa4\xef\x83\xda\xb1\x64\x0b\x65\xe7\x07\xa7\xc4\xc6\xfe" "\x35\xc6\xcf\x21\x5d\xd0\xa9\x5f\x7b\x67\xbc\x2e\xee\xfd\x74\xcd\x29\xef" "\xfe\xf4\x35\x7b\x85\xdb\x1b\xee\xfd\xeb\x4d\xc8\x10\xcc\xa1\x78\x39\xc2" "\x76\x20\xd7\x50\xae\xb2\x8a\xa0\xef\xec\xb9\xf4\xa2\x2f\xa0\xb0\xf3\x23" 
"\x66\xf0\xb4\xb7\x5b\x4b\xe8\x11\xe5\x94\x0e\xd2\x84\xe8\x50\xea\x2c\xe9" "\xca\xed\xc9\x25\xb1\x41\x7a\xe3\xf3\x4d\x13\x74\x7b\x4b\xe3\x2f\xed\xe1" "\x36\x2e\x2c\x33\x16\x81\x40\x00\xa5\xd0\x17\x1d\x98\xa1\xbd\xaa\x6a\xf5" "\x9d\xca\xe8\x00\x8b\x8a\x9d\x6a\x83\x6b\x70\x17\x1f\x5e\xc4\xfe\xbe\xec" "\xbc\x4f\x83\x27\x77\xd7\x53\xa7\x03\x3b\x86\x81\xf2\x0f\x4c\xaf\xa1\x35" "\x5c\xa6\x69\xfa\xbe\x2c\xc3\xd0\xa6\x54\x01\xa6\xa4\x7a\x35\x2f\x0f\x81" "\xba\x35\xe7\x00\x78\x5a\x7c\xe0\x21\xa5\xb2\xb7\x95\x42\x51\x3f\xa4\x13" "\xb7\x87\x73\x3d\xa9\xd5\x91\x17\xe5\xb1\xfe\xa5\xae\x4e\xe5\x6b\xa2\x2f" "\x1a\xf1\x77\xa3\x7d\xb3\x39\xb4\x0a\x9a\xc7\xc2\x80\xdb\x05\x35\xdf\x32" "\xe9\x4b\x50\xfb\xad\xd3\x62\x05\x0d\x77\x6d\x5c\xa4\x0f\xfc\x68\x2c\xb3" "\x9c\xf3\xca\xf0\x76\x55\x5a\x73\xc3\x56\x40\x53\x53\x8d\x77\x8f\xf0\x20" "\xc3\x52\x9a\x65\x5a\x06\x98\x05\x2a\x35\x36\x40\xc4\x15\x1e\x62\x8b\x54" "\x8f\xc0\x48\xe9\x5a\x44\xe1\x65\x78\xef\x1f\xc9\x54\x7b\x23\xc1\xb1\x94" "\x10\xb4\xe2\x15\x9a\x17\x52\x87\x26\x8d\x80\x9a\x0f\x21\x95\x0b\x12\x39" "\xef\xa2\xb3\xde\x57\xf7\x9d\xd9\x6c\xa9\xc0\x91\x85\xd2\xe5\x73\xec\x69" "\xe1\xe4\x7b\x7e\xb8\x7b\x7a\x10\xa1\xcb\x0a\x55\x29\xcf\x5a\xa7\x14\x33" "\x2b\x75\x19\x9d\x03\xa0\xd5\x44\x20\xdc\x65\xbb\x19\x04\x31\x34\x8b\x05" "\x9f\x20\xed\x36\x67\x0d\x72\x3e\xec\x04\x68\x8f\x23\x20\x3f\x20\xcb\x0e" "\x86\x51\xc7\x53\xe3\xf3\x76\x91\x7e\xea\xee\x66\xe0\x15\x67\x6b\x71\xd2" "\x5e\x11\x58\x5a\x1c\x4c\xb6\xba\x68\x8c\xf0\x63\x7c\x73\x9f\x11\x53\xab" "\x00\x8e\xa0\x03\x07\xd6\xbe\x89\x68\x9b\x1c\x05\xea\x52\xaa\xb7\x3f\x33" "\x08\x6e\x67\x6c\xa1\xbf\xf9\xca\x79\xbb\xfd\xe5\x3b\x0c\x1c\xce\xf7\xab" "\xff\xd9\x5d\x05\xb5\x88\x4f\xd1\xab\x28\xf0\x17\x36\x26\xd7\x00\xc7\xc8" "\x11\x12\xcb\xf0\x40\x12\xec\x36\x89\xf3\xc5\x84\x1e\x2c\x0e\xc6\x0a\x74" "\xb5\x33\x19\xd6\x7d\x4c\x51\x36\x56\xc5\xf8\x94\xd1\xda\x1e\x62\xb5\xaf" "\xcc\xc2\x9a\x2d\x8d\xca\x63\x6f\x01\xca\x5f\xdd\xfe\x19\xd3\x66\xfb\x95" 
"\xb2\x64\xe4\x8e\xd1\x08\x96\x84\x90\xb0\x1f\xaa\x24\x8f\x46\xa9\xc3\xd2" "\x90\x8d\x00\xc0\x0d\x21\x25\x7e\xdb\x78\xcd\x22\xe8\x08\x01\x9f\xba\xe4" "\x98\x53\xf8\xcb\x36\x7e\x9c\xde\xe4\x94\x01\xfe\x61\xb1\x2f\x43\x19\x85" "\x70\x48\xf4\x0c\x25\xcc\x65\x64\x0f\x2e\x3a\xf4\x87\xe4\x22\x4b\x62\x89" "\x63\x70\x44\x93\x48\x87\xe4\x9f\x82\x22\xd4\x67\xc9\x40\x1c\xf8\xf0\xb7" "\x77\xbd\x93\xa6\xdc\xd6\xcc\xf1\x9d\x49\x12\x4a\xcc\x63\xaf\x4e\x80\xb6" "\x10\xa6\xf4\x9c\x0c\x3b\xff\x77\xd9\x14\xb6\x26\xc6\xde\xb0\xfb\x70\xed" "\xd3\x56\xae\x75\x3e\x80\x47\x86\x23\x16\x42\x72\x0d\x54\x57\x95\xcc\xc3" "\xb6\x5a\xe3\x43\xa5\x67\x2d\xa0\x35\x07\xa5\x94\x76\xbb\x51\x46\x98\x51" "\x52\xcd\x8e\xf4\xdb\xb3\x77\x82\x21\xa1\xb8\x55\x7c\x53\x34\x17\x86\xc0" "\x39\x80\x33\xad\x3e\x7f\x89\x39\x60\xb7\x75\xe4\xb1\x9b\xaf\x23\x0c\xa7" "\x59\x94\x16\x83\x45\xcd\x1d\xd4\xe7\x13\xd0\x69\x15\xac\x66\xba\x4e\x4f" "\xd7\x1a\x6f\x14\x4e\x52\x71\x32\x21\x39\xe6\x2b\x29\x21\x2a\x88\x26\xcc" "\xf3\xce\x45\x5c\x88\x1b\x7c\x22\xc7\x87\x66\x65\x46\xb2\xca\xb8\xda\x97" "\xbd\x32\x8f\xee\x68\x4c\xe5\x22\x0d\xb4\xae\xa6\xdd\x17\x65\x72\x56\x7c" "\x3b\x8c\xad\x98\x16\xe2\x33\x80\x57\x7b\xf0\x32\xdf\x39\x9b\x9b\x33\xc4" "\x5c\xfc\x86\x9a\x28\xc8\x83\x8e\xfc\x2b\xb3\xba\xab\xb7\x6d\x38\x04\xae" "\x72\x1c\xea\xa5\xcb\x66\x27\xdb\x8d\x98\x47\x10\x48\x9d\xf1\x2c\xa1\xa5" "\x99\x73\xf9\x34\x9f\x35\x60\x79\x5a\xdd\xf3\xff\x4f\xfd\x46\x21\x49\x7c" "\x51\xfb\x8f\x8d\xa5\x7a\xd3\x0c\x9d\x02\x02\x0d\x76\x64\x28\x12\x29\x76" "\x3d\xd1\x1d\xf0\xac\xb2\x70\x31\x51\xf0\xb2\x4e\xde\x22\xfe\xaf\x78\x4a" "\x66\xd2\x3e\x36\x34\x74\x37\x1b\x5c\x94\x83\xec\x4d\xa6\xc8\x7a\xbc\x07" "\xf2\x0d\xc7\x3f\xff\x6e\x07\xc3\x53\x2c\xf9\x0f\x80\x23\x56\x89\xd3\x10" "\x10\x47\xd3\x57\x25\xed\x99\xce\x36\x87\x47\x49\x3b\xd0\x09\x90\x58\x54" "\xe6\x6d\x95\x73\xaa\xf3\xaf\xf5\xb8\xa9\xb6\xad\xa6\x58\x76\x6a\x89\x9c" "\x25\xf8\xff\x26\x85\x9b\x3d\x62\x9f\xc9\x5a\x2c\xc5\xfb\x36\x79\xef\x93" 
"\x17\x83\x38\xd7\x7e\x04\xe9\x26\xe3\x84\x3f\x59\xe5\x2e\x7a\x6d\x07\x83" "\x07\x04\x09\x40\xa7\x5f\x78\xcb\xc5\x10\x44\x74\xe4\xe6\xb9\xc9\x24\x31" "\x5e\xe4\x56\x5b\x69\x62\x62\x72\x6e\x27\xda\x07\xba\x6e\xd4\xad\x1e\x6c" "\x77\xd4\x61\x36\xed\x8d\xd3\xa4\x59\x01\xf1\x04\x60\xae\x7f\x3a\x1d\x1a" "\xfb\xa6\x4e\xe6\xb5\x9d\xaf\x4d\x09\x0b\x81\x1f\x44\x01\x45\xab\x2a\xdc" "\xad\x20\xfa\xe6\xf0\x4b\x1e\x46\xf4\x91\x54\x06\x9f\x69\xee\xc5\x8e\xeb" "\x85\x55\xe5\xc8\xe2\xe2\x3a\x9c\x40\x45\x3e\x43\x47\x13\xd3\xe3\xcb\x7f" "\xf7\x04\x14\x9a\x3d\x59\x12\x9e\x4e\x33\xdf\x56\x73\xa6\x64\x34\x8c\x18" "\x29\xe0\x00\xe1\xab\xae\x37\xc9\x0a\x1a\xb6\x60\xd4\x92\x9b\x77\x25\x36" "\x33\x4e\xf4\x18\x4a\xeb\x13\x94\xbb\x71\xd1\x0b\xd4\x4b\xa2\xd7\xee\x35" "\x2e\x15\x29\x4a\x67\x3f\x34\x95\x26\x66\x5f\x75\x1a\xf4\x35\x42\xb3\xee" "\x47\x22\x6b\x01\x3c\x01\x34\x86\x53\x29\x0f\xb5\xb5\x5d\x7f\xc4\xb6\x9e" "\x10\xb7\xb0\x93\x69\xa8\xbf\xef\x2d\xb5\xc7\x26\x3e\xbf\x07\xce\x77\xe6" "\x66\x25\x45\x83\xb7\xa7\xbd\x76\x57\x5f\x44\x38\x5f\xc7\x54\x9b\xf5\x82" "\xa5\x88\x14\xfe\x0d\xb6\x4c\x4b\x7a\xed\x5d\x0f\xb7\x2e\x82\x74\x71\x75" "\xf9\x36\x19\x3a\x9a\x7b\x4a\x8b\x59\x41\xbb\xaf\x47\xf6\xb3\xc8\x72\x20" "\xd4\x34\x23\x3c\x0c\xae\xd4\x1d\x1a\xc9\x11\x5d\x62\x97\x42\x73\xdb\x95" "\x7d\x9c\xb4\x7f\x85\x0f\xb0\xe6\xb5\x96\x89\xf4\xe8\x13\x88\xed\x1b\x13" "\x2d\xa8\xa6\xd8\x8b\xd6\x1b\x9f\x29\x82\xc7\x65\xa8\x4a\x98\x76\x31\xc4" "\x08\x3a\xef\xe3\xba\x1e\x50\xcb\x4a\x16\x07\x58\x5b\x59\x39\xb3\x16\x93" "\xfd\x9c\x0f\xcf\x59\xe0\x11\x1a\x6d\x49\xce\x1a\x5e\x47\xd4\xe4\xc5\x76" "\xe1\x0b\x0d\x4c\xdc\x4b\x2e\x28\x95\x05\x55\x1b\xdc\xfb\x76\xd7\x02\x3b" "\x30\xb0\xa1\x04\xb9\xc3\x41\x1a\x71\x77\x10\xa5\xb0\x1b\xe3\x20\x3f\x7a" "\x16\xc0\x99\x81\x5c\xf1\x14\x8a\xe8\xd3\x65\x3d\xde\x13\x5c\x5b\x2d\xc3" "\x3f\xa8\xc4\x2f\x79\xa8\xd3\xf5\xa3\x81\xcd\xbf\x20\x43\x28\xbe\xf0\x6e" "\x3d\x15\x10\xbc\xae\x70\x5a\xaf\xdd\x26\xc2\xc7\x0c\xf8\xe8\x13\x28\xd4" 
"\x77\x13\x67\xa2\xff\x5f\x01\x8b\xff\x7a\xa8\x9d\xa5\x60\xb0\x44\xea\x25" "\x3f\x8a\xab\xae\xba\xb2\xa0\xe0\x0d\xe8\x01\x57\x2c\x04\xf8\x5c\xb0\xb3" "\x81\xe7\x18\xb7\x15\xf8\xd2\x96\xca\xbc\x25\xd0\xaa\xaa\x0a\x9e\xfd\x88" "\x10\x2c\x9d\x02\x1d\x97\xeb\x5a\x5c\x14\xc6\x36\xf5\x50\x1d\x7e\x6e\x82" "\xe3\x78\x38\x4d\x63\x13\x4a\x1a\x9e\xa0\x15\x2d\x51\xcc\xf7\x1b\x4e\xd9" "\xb6\x0b\xee\x0b\xbb\x6b\x86\x47\x7f\xde\xad\x73\x1e\xf7\xcb\xf7\x0a\xec" "\x67\x8a\x8b\x35\x45\x6b\x2c\x2c\x67\x26\x51\x3e\x32\xae\xed\xe7\x39\x0d" "\x89\x59\x75\xcc\x72\x00\x05\x51\xd2\x52\x18\x18\x16\xde\xe8\xe1\x22\x17" "\x7b\x1b\xea\xeb\xbf\x2e\x3c\x9f\x4d\xca\x39\x51\x99\x0e\x5d\x64\x99\xe1" "\x13\x8f\x5e\xc3\xad\x53\x43\x3e\xc7\xcb\xe3\x92\x7b\x2c\xfe\xb5\xa3\x3e" "\x47\x27\xe9\x4f\x33\xe7\x54\x97\xb9\x03\xd6\xb4\x71\xcd\xf0\x3e\x32\x64" "\x65\xd5\xe0\x89\xb2\x92\x09\x19\x71\xc0\x55\x8e\x91\x0c\x4b\xfe\x02\x99" "\xbe\xee\xc7\x20\xcb\x1a\xa0\xa0\xf2\x59\x36\x12\xaf\x13\x5d\xd9\xf9\x4d" "\xa7\x4b\x09\x34\x39\x19\x36\x19\x11\xc1\xba\x31\x6c\x53\x14\x06\x0c\x0a" "\xa1\x2b\x0b\x7e\x5b\x4e\xff\xf6\x84\x2d\x92\xa8\xa5\xba\xcc\x20\x93\x26" "\x6c\x3a\x72\xc5\x47\x47\xf8\x73\x06\x65\xbf\x8b\x93\xd2\x7e\xa6\x42\x5b" "\xf3\x21\xee\x49\xa4\x61\x0e\x8f\x44\x3c\x57\x32\x1f\x35\xa6\x21\x1d\x42" "\x47\xc3\x48\x3d\x59\xe9\xc3\xe9\x43\x75\x6e\xb8\xf1\x53\xe5\xd3\xf5\x71" "\xdd\x31\x1d\x36\x93\xfc\x77\x37\x8b\x20\x9d\x10\x03\x0e\x59\x61\x52\x5a" "\x7f\xa2\x09\x36\xa2\x48\x02\x19\x70\xc9\xdf\x55\x3f\x26\xe5\x02\x5f\x61" "\xc4\x0e\xc9\xe4\xc1\xb6\x32\xfa\x2b\x8d\x16\xf6\xc5\x13\x98\x63\x7b\x83" "\x9f\xc8\x62\xbf\xea\xcf\x6d\xa5\x32\x80\xc7\x5d\xa9\xf6\xc7\x47\xad\xfa" "\x9e\x85\x59\x03\x46\xd3\xdc\x29\x2e\x88\xc5\x43\xc7\x12\x4f\x2f\x19\x82" "\x5c\x6c\xa2\xd5\x5c\xa6\x9b\x07\x25\xf0\x68\xc0\xeb\x0d\x85\xbd\x4b\x69" "\x13\x6d\xfe\x2e\x58\x6f\x20\x0f\xea\x86\xb2\xa2\x60\x61\x2e\x2f\xac\x84" "\xc4\x53\x24\xfc\xbd\x73\x44\x1b\xfb\xdc\x85\xd5\x16\x03\x5d\x17\xa6\x7c" 
"\x15\x4d\x03\x8e\x58\xa7\xee\x5b\xdd\xa2\x90\xa3\x85\x5e\xc9\x80\xef\x06" "\x1d\x52\x64\x08\x04\xce\x79\x27\x73\xda\x53\x08\xec\x34\xae\xbf\xe2\xb6" "\xb9\x0a\x67\x14\x95\xd8\x4f\x98\x61\x0a\xfe\xd6\x38\x9b\x3d\x7a\xa0\xf1" "\x51\x3b\x33\x36\x30\x61\x9a\x38\x4a\x75\xcd\x86\x69\xc3\x59\x47\xbe\x86" "\xe4\xd4\x41\xdd\xb2\x83\x6a\xf8\x63\xdc\x93\x45\xe0\xd6\x4b\x2c\x53\xda" "\x97\x56\xe6\xdc\xf5\x53\x86\x83\x74\x6a\xeb\x71\xff\x97\xda\xe4\x64\x20" "\xc9\xf0\x37\xea\x45\x16\xfc\x79\x2d\xeb\xa7\x33\xe3\xab\xce\x02\x0f\x94" "\x44\x50\x20\xbb\x58\xe0\xfe\x9f\xf5\x60\x4b\xb4\xf4\x14\x24\x6a\xb0\x58" "\xc0\x53\xe5\x7e\x1d\xb1\xd4\x47\xa8\xb2\x5e\x5b\xee\x1e\xdf\xeb\xd4\xa0" "\xb4\x00\x41\xd1\xf7\xca\x3b\xee\xbb\x2a\x57\xdb\x40\x98\xde\xdd\xcb\xad" "\x5b\x4d\x19\x69\x84\x88\x90\x94\x7a\x77\x44\x2f\x08\xd7\x89\x47\xf8\xe4" "\xde\x99\x55\xfa\x9a\x1f\x3a\x3b\x24\xf9\xa7\x9d\x0a\xa9\xbc\x00\x5f\xb2" "\x43\x63\x9d\xfb\x0d\xb8\x02\xae\x72\x92\x22\x74\xca\x1f\xcb\xda\x19\x41" "\x28\xd1\xb1\x92\x4c\xac\xa2\x77\x67\xeb\x06\xf5\x72\x1a\x2d\xec\x96\x74" "\x9a\xd9\xb0\x2c\x7a\x76\x3a\xf0\x22\x32\x03\x34\xe9\x0e\x2e\x8c\xd0\xcf" "\x18\xac\xcd\xe7\xa0\x1c\xa7\x6e\x86\xd7\x3d\xff\xb9\x0b\xbe\x70\x4a\x88" "\xaf\x2c\xa6\x6b\x1d\x9d\x59\x9d\xdd\xd6\x8c\x0c\xbb\x67\x97\x4b\xf7\x5b" "\x12\x26\xf4\x80\xd5\x4b\xa6\x10\x05\x4d\x4d\x04\x48\x45\xfd\x21\xeb\x70" "\x62\xf4\x88\x0b\x3e\x09\xeb\xa1\x2e\x8a\x77\x7c\xd9\x33\x5c\x4a\x4c\x0c" "\xda\xc8\xa0\x56\x94\x97\x6c\x43\x8f\xb6\xf7\x65\x75\x52\x33\xa7\xf7\x17" "\x47\xf4\x7a\x8a\xb0\x1d\xee\xa5\x67\xe3\x5c\x6e\xb8\x92\xbd\x09\xcc\x14" "\xfd\x9a\x39\xda\xb1\xf2\x1c\xb2\x69\x11\x80\x39\xf6\x49\x5e\xee\x2a\x29" "\x50\x0f\x8a\xc8\x7d\xb3\x64\xfe\x9a\xcb\xc0\x88\x86\xb8\xef\x67\xda\x6b" "\xb2\xa9\xcc\xc7\xb9\xa5\x09\xb0\x83\x52\xee\xeb\x0e\x52\x7d\xdd\x67\x84" "\x4d\xe2\x30\xf9\x3c\x99\x03\x16\x00\xe1\x0f\xd8\x6c\x9e\x9f\x89\xd5\x37" "\xc7\x8e\x97\x9e\xc2\x88\x21\x76\xdb\x76\x67\x70\xe8\x21\x61\x26\x0e\x1c" 
"\x43\x70\x1c\x6a\xb9\xf2\x0b\x9d\x2e\x93\x9c\x76\x53\x26\x3f\x13\xe0\x5e" "\x48\x62\xcc\xb4\x2c\x7c\x50\x4d\xde\xe8\xb0\xd2\xf4\xe7\x82\x93\x03\x8d" "\x90\x4b\x3c\x54\x5e\xc7\x89\x11\xbf\x3a\xda\xe2\x6f\xa5\xbd\xd4\xd9\x17" "\xbc\x03\x1a\xcc\x5a\x77\x89\x24\x6c\x02\x37\xcf\x2d\xa1\xba\x42\x12\x75" "\x5f\xac\xf8\x47\x34\x93\x2b\x67\x2e\xf6\x9e\x9f\x59\x9a\x6b\x5b\xe0\x1b" "\x16\xe5\x8f\xd5\x1c\x0e\x2b\x08\xab\xdf\x5a\x28\x40\x9f\x7a\xba\x95\xf0" "\xbb\x17\x6a\xfc\xac\xa7\x23\x36\xac\xd5\x40\xb2\xd2\x11\x58\x6d\x42\xbb" "\x94\x30\x8c\x5e\xd0\x0d\xe0\x54\x0d\x48\xb8\xd5\x07\x8c\xca\xdd\xc2\xb4" "\xf1\x3b\x67\xb7\x6a\x30\xf9\x1a\xf5\x35\xc4\x7f\xbc\x14\xb8\xd9\x5a\x38" "\x76\x70\x3e\xba\xce\xce\x92\x9d\x51\x9d\x64\x49\x9a\x16\x78\x1f\xa7\x53" "\xe1\x1b\xac\x5f\xa5\x38\xb1\xea\x8d\x59\x2c\x09\x02\xd2\x74\x29\x7f\x8e" "\x4f\xc4\x62\x9b\x85\x58\x4f\xe7\x77\xbd\x45\x59\x52\xa4\x5c\xc8\x96\xa1" "\xea\x45\x64\x16\x85\x5f\x0c\x99\x7c\x55\xdd\xd7\x2c\x85\x42\xf4\x2e\x72" "\x31\xed\x07\xc2\x4d\x1b\x6a\x3c\x30\xde\xfa\x64\x01\xd8\xc9\xa4\x89\xe5" "\x9f\xd1\xb1\xf4\x7a\x3f\xd2\xa6\x33\xef\x78\xeb\x0a\xab\xc0\x09\xdc\xb9" "\x07\x0d\xbb\x38\xd0\x67\x1e\xad\x07\x2f\x08\xde\xec\x5d\xc9\x39\xa5\x5c" "\xc5\xb4\xa6\xf1\x14\x2a\x10\x1b\x9a\x30\x38\xb2\x89\x65\xd2\x35\xb8\x79" "\x5e\x3f\x7b\x4c\x75\x93\x30\x9f\x5f\x67\xef\x8b\xe8\x36\x30\x89\x0f\x42" "\x5d\x69\xac\x37\x7b\x5e\xfc\x63\x4f\x13", 4096); syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0x4080aebf, /*arg=*/0x2000000007c0ul); // ioctl$KVM_RUN arguments: [ // fd: fd_kvmcpu (resource) // cmd: const = 0xae80 (4 bytes) // arg: const = 0x0 (8 bytes) // ] syscall(__NR_ioctl, /*fd=*/r[2], /*cmd=*/0xae80, /*arg=*/0ul); return 0; }