强网杯初赛的这道 re 挺有意思的,做了快 20h 出了。
<!--more-->
tradere
基本vm结构分析
ptrace 父子进程调试,父进程追踪子进程 int 3 指令的位置,替换成相应的操作,因为开始的赋值操作导致数据结构不好看,可以考虑 dump + nop 初始化的方式。
每次 int 3 触发之后,会执行一个结构体中的函数,结构体如下定义。
struct data
{
data* lchild;
data* rchild;
long long(__fastcall* func)(user_regs_struct*);
long long reg2;
};
经过遍历结构体,去重得到一共只会执行以下几个函数。
0000000000401C31 // if eflags is less,return 1 else 0
0000000000401CA6 // if eflags is less or equal,return 1 else 0
0000000000401D22 // if eflags is not zero,return 1 else 0
0000000000401D5B // if eflags is zero,return 1 else 0
0000000000401DCD // if eflags is not sign,return 1 else 0
0000000000401E96 // return 2
0000000000401EA5 // return 3
0000000000401EB4 // return 4
0000000000401F0C // if eflags is greater,return 1 else 0
0000000000000000 // jmp to rchild
分析父进程的操作
unsigned __int64 __fastcall parentrun(unsigned int pid)
{
//some definition
v13 = __readfsqword(0x28u);
v7 = 0;
sp = 0;
ptr = (data *)qword_606AC0;
wait((__WAIT_STATUS)&stat_loc);
while ( (unsigned __int8)stat_loc == 0x7F )
{
ptrace(PTRACE_GETREGS, pid, 0, ®s);
v8 = ptrace(PTRACE_PEEKTEXT, pid, regs.rip, 0);
v10 = (unsigned __int8)ptrace(PTRACE_PEEKDATA, pid, regs.rip - 1, 0);
if ( v10 != 0xCC )
{
ptrace(PTRACE_KILL, pid, 0, 0);
exit(0);
}
v4 = 1;
if ( ptr->func )
{
opcode = ptr->func(®s);
if ( opcode == 1 )
{
ptr = ptr->rchild;
}
else if ( opcode )
{
switch ( opcode )
{
case 2: // get next ptr from my stack
if ( sp <= 0 )
exit(-1);
ptr = (data *)stack[--sp]; // ret
regs.rsp += 8LL;
break;
case 3: // call API and control return address
regs.rip = (unsigned __int64)ptr->rchild;
ptr = ptr->lchild;
regs.rsp -= 8LL; // push RIP,wait to return
ptrace(PTRACE_POKEDATA, pid, regs.rsp, ptr->RIP);
v4 = 0;
break;
case 4: // lchild push to my stack and goto rchild block
if ( sp > 0x30 )
exit(-1);
stack[sp++] = ptr->lchild;
regs.rsp -= 8LL;
ptr = ptr->rchild;
break;
case 5: // not used
if ( sp > 0x30 )
exit(-1);
/* ... */
}
}
else
{
ptr = ptr->lchild;
}
}
else
{
ptr = ptr->rchild; // NULL Function Process
}
if ( v4 ) // attention to new block
regs.rip = ptr->RIP;
ptrace(PTRACE_SETREGS, pid, 0, ®s);
if ( ptrace(PTRACE_CONT, pid, 0, 0) < 0 )
{
perror("Ptrace.");
return __readfsqword(0x28u) ^ v13;
}
wait((__WAIT_STATUS)&stat_loc);
}
return __readfsqword(0x28u) ^ v13;
}
根据还原的伪代码逻辑也可以看出:
- 2 分支是返回最近一次 4 分支存的右子节点。
- 3 分支是调用 rchild 所指的 API 函数,因为 API 会返回,所以这个操作利用 ptrace 往栈中压了一个地址,用于控制调用
api 结束后的落点位置。
- 4 分支是保存左分支,走右分支。
第一步,断 fork,dump 结构体内容,保存为 .h 文件
#pragma once
struct user_regs_struct
{
unsigned long long r15;
unsigned long long r14;
unsigned long long r13;
unsigned long long r12;
unsigned long long rbp;
unsigned long long rbx;
unsigned long long r11;
unsigned long long r10;
unsigned long long r9;
unsigned long long r8;
unsigned long long rax;
unsigned long long rcx;
unsigned long long rdx;
unsigned long long rsi;
unsigned long long rdi;
unsigned long long orig_rax;
unsigned long long rip;
unsigned long long cs;
unsigned long long eflags;
unsigned long long rsp;
unsigned long long ss;
unsigned long long fs_base;
unsigned long long gs_base;
unsigned long long ds;
unsigned long long es;
unsigned long long fs;
unsigned long long gs;
};
struct data
{
data* lchild;
data* rchild;
long long(__fastcall* func)(user_regs_struct*);
long long reg2;
};
unsigned char ida_chars[] =
{
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x60, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE0, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x09, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x75, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFD, 0x0A,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x03, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7E, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x6E, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x79, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x79, 0x0B, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x74, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C, 0x0B, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x77, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x22, 0x1D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x81, 0x0B,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x71, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA0, 0x7B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAB, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x71,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x81, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x22, 0x1D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xBE, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xEB, 0x0B, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x0B, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x7B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0x0B,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7A, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x7F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x7D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x25, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x0C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x81, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x0C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x6B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4F, 0x0C,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x7B, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x6E, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x74, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x72,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7A, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x7C, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x7F,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x84, 0x0C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x0C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x72, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x0C,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x7A, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCF, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x79,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x80, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xDF, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x80,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x1F, 0x0D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x0D, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x80, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x0D,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x58, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x76, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5B, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x6D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x71,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x90, 0x0D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA3, 0x0D, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDB, 0x0D,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x74, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x73, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE0, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xEF, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x1A, 0x0E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x0E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x77, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x60, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3A, 0x0E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x55, 0x0E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5D, 0x0E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x5C, 0x0F, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCD, 0x1D,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x0F, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7A, 0x0F,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x79, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x83, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x80, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB1, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC1, 0x0F, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC9, 0x0F, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x79, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x77, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDB, 0x0F,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x6B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEE, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xF6, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xF9, 0x0F, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x6D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFB, 0x0F, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x7B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFC, 0x0F,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x81, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x72,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x08, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x18, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x32, 0x10, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x6D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x10, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x70, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x10,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x71, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x6C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x81, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x73, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x10, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x6B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, 0x11, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x7C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x84, 0x11,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7C, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x71, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9E, 0x11, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x81,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7C, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB1, 0x11, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x7A,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC4, 0x11, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE0, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x11, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x12,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA0, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0B, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0C, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x80,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x13, 0x12, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x12, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x12,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x74, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5C, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x72,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x9F, 0x12, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x74, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAA, 0x12, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x6D, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB2, 0x12,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x78, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB8, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x73,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x08, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC1, 0x12, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC3, 0x12, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x12,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x80, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x80, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEF, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x6E, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0A, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x74,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x12, 0x13, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x13, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x7C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x13,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x79, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x7C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2A, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x3D, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x7F, 0x13, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8A, 0x13, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x70, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x6E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x13,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x7A, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x90, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x73,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC3, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x6C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xCE, 0x13, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x13, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x76, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0x13,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6A, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x75, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0C, 0x1F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x07, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x7A,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0F, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x74, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x1C, 0x14, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x76, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2F, 0x14, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x7A, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x14,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x79, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x7F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x76, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6E,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x75, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x8B, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7E,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x90, 0x14, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x14, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x71, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x14,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA1, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x75,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xAD, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x79,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xBD, 0x14, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC4, 0x14, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x7B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x14,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x70, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x72,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD5, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xDA, 0x14, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDC, 0x14, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x7F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x76, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF1, 0x14,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFA, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x6C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x05, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x18, 0x15, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1A, 0x15, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x76, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x15,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x38, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x78,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x61, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x76,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x1C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x66, 0x15, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0x15, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA0, 0x71, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x89, 0x15,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x70, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8A, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x78,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x76, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x8B, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x94, 0x15, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9C, 0x15, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA1, 0x15,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x76,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x7E, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB2, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xBA, 0x15, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCC, 0x15, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE1, 0x15,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x73, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE3, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7A,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x70, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x12, 0x16, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x73, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7E,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x33, 0x16, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x6B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3E, 0x16, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA0, 0x79, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x16,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6E, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x7F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5E, 0x16, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x80,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x79, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x22, 0x1D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x72, 0x16, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x7A, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x84, 0x16, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBF, 0x16, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x6B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x17,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x03, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x7B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0A, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE0, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x13, 0x17, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1B, 0x17, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0x17,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x73, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x72, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB9, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x6E,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC4, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x76,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xD1, 0x17, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE1, 0x17, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0x17,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0D, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x7D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x31, 0x18, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x79, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x39, 0x18, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x18,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6B, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x77, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4E, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6F,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5B, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x64, 0x18, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA3, 0x18, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x6C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0x18,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x73, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x6E, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBC, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xCC, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x73, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xCE, 0x18, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE2, 0x18, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x75, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x18,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x75, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF0, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x3C, 0x19, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x53, 0x19, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5E, 0x19, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x73, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x77, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x31, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA2, 0x19,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x7E, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAC, 0x19, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x80, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x31, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB7, 0x19, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xCA, 0x19, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x77, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD2, 0x19, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00
};
第一步可以验证前面两个猜想,一个是找 func 函数,去重,用一个 set 做就行,另一个是当 func return 3 的时候,输出 rchild,观察函数。第一步不给代码了,第二步运行一下:
#include<stdio.h>
#include<set>
#include<map>
#include<stack>
#include<string>
#include<iostream>
#include<queue>
#include"tradre.h"
std::set<unsigned long long> s;
bool visited[200] = { 0 };
void printstruct(data* p, int idx) {
if ((unsigned long long)p->func == 0x0000000000401EA5) {
s.insert((unsigned long long)p->rchild);
}
}
int main() {
data* p = ((data*)ida_chars) + 1;
for (int i = 0; i <= 180; i++) {
printstruct(&p[i], i);
}
for (auto ptr : s) {
printf("%p\n", (void*)ptr);
}
}
运行可以发现,输出地址均为 plt 表中的地址。
0000000000400810
0000000000400820
0000000000400830
0000000000400840
0000000000400860
0000000000400870
00000000004008A0
00000000004008C0
00000000004008D0
0000000000400900
基本块恢复
后续我还做了一张 dot 表,可以直观地感受节点之间的控制关系。
#include<stdio.h>
#include<set>
#include<map>
#include<stack>
#include<string>
#include<iostream>
#include<queue>
#include"tradre.h"
std::set<unsigned long long> s;
bool visited[200] = { 0 };
std::map<__int64, std::string> eflagsConditionMap = {
{ 0x0000000000401C31, "if eflags is less, return 1 else 0 // JL" },
{ 0x0000000000401CA6, "if eflags is less or equal, return 1 else 0 // JLE" },
{ 0x0000000000401D22, "if eflags is not zero, return 1 else 0 // JNE/JNZ" },
{ 0x0000000000401D5B, "if eflags is zero, return 1 else 0 // JE/JZ" },
{ 0x0000000000401DCD, "if eflags is not sign, return 1 else 0 // JNS" },
{ 0x0000000000401F0C, "if eflags is greater, return 1 else 0 // JG" },
{ 0x0000000000401E96, "return 2" },
{ 0x0000000000401EA5, "return 3" },
{ 0x0000000000401EB4, "return 4" },
{0x00,"NULL"},
};
std::map<uint64_t, std::string> plt_map = {
{0x400810, "_puts"},
{0x400820, "___stack_chk_fail"},
{0x400830, "_printf"},
{0x400840, "_memset"},
{0x400850, "_alarm"},
{0x400860, "_read"},
{0x400870, "_srand"},
{0x400880, "_signal"},
{0x400890, "_ptrace"},
{0x4008A0, "_setvbuf"},
{0x4008B0, "_perror"},
{0x4008C0, "_atoi"},
{0x4008D0, "_exit"},
{0x4008E0, "_wait"},
{0x4008F0, "_fork"},
{0x400900, "_rand"}
};
int calc_child(unsigned long long child, unsigned long long base) {
if ((child - base) / sizeof(data) >= 0 && (child - base) / sizeof(data) <= 180) {
return (child - base) / sizeof(data);
}
return -1;
}
void printedge(data* p, int idx) {
char descript[0x1000] = { 0 };
char tmp[0x1000];
int lidx = calc_child((unsigned long long)p->lchild, 0x606AC0);
int ridx = calc_child((unsigned long long)p->rchild, 0x606AC0);
if (lidx != -1) {
printf("%d -> %d;\n", idx, lidx);
}
if (ridx != -1) {
printf("%d -> %d;\n", idx, ridx);
}
}
void printdot(data* p, int idx) {
char descript[0x1000] = { 0 };
char tmp[0x1000];
int lidx = calc_child((unsigned long long)p->lchild, 0x606AC0);
int ridx = calc_child((unsigned long long)p->rchild, 0x606AC0);
sprintf(tmp, "%d [label = \"idx: %d\\n func :%s\\n ", idx, idx, eflagsConditionMap[(unsigned long long)p->func].c_str());
strcat(descript, tmp);
if (lidx != -1) {
sprintf(tmp, "lchild idx: %d\\n ", lidx);
strcat(descript, tmp);
}
else {
sprintf(tmp, "lchild data: %p\\n ", p->lchild);
strcat(descript, tmp);
//s.insert((unsigned long long)p->lchild);
}
if (ridx != -1) {
sprintf(tmp, "rchild idx: %d\\n ", ridx);
strcat(descript, tmp);
}
else {
sprintf(tmp, "rchild data: %s\\n ", plt_map[(unsigned long long)p->rchild].c_str());
strcat(descript, tmp);
//s.insert((unsigned long long)p->rchild);
}
sprintf(tmp, "RIP: %p\"];\n", p->reg2);
s.insert((unsigned long long)p->reg2);
strcat(descript, tmp);
std::cout << descript;
}
int main() {
data* p = ((data*)ida_chars) + 1;
for (int i = 0; i <= 180; i++) {
printdot(&p[i], i);
}
for (int i = 0; i <= 180; i++) {
printedge(&p[i], i);
}
}
用输出的结果转为 dot 图。
digraph ControlFlowTree {
node [shape=box, style=rounded];
// ---------------------- 节点定义 ----------------------
// ---------------------- 边定义 ----------------------
// 边关系
}
最后得到下面的图
是的最开始拿到这张图,我也没招了,总不能真一个个看吧,随后我写了一个分析 vm 指令流的脚本,并用广搜去解析它们之前基本块的关系。
#include<stdio.h>
#include<set>
#include<map>
#include<stack>
#include<string>
#include<iostream>
#include<queue>
#include"tradre.h"
std::set<unsigned long long> s;
bool visited[200] = { 0 };
std::map<__int64, std::string> eflagsConditionMap = {
{ 0x0000000000401C31, "if eflags is less, return 1 else 0 // JL" },
{ 0x0000000000401CA6, "if eflags is less or equal, return 1 else 0 // JLE" },
{ 0x0000000000401D22, "if eflags is not zero, return 1 else 0 // JNE/JNZ" },
{ 0x0000000000401D5B, "if eflags is zero, return 1 else 0 // JE/JZ" },
{ 0x0000000000401DCD, "if eflags is not sign, return 1 else 0 // JNS" },
{ 0x0000000000401F0C, "if eflags is greater, return 1 else 0 // JG" },
{ 0x0000000000401E96, "return 2" },
{ 0x0000000000401EA5, "return 3" },
{ 0x0000000000401EB4, "return 4" },
{0x00,"NULL"},
};
std::map<uint64_t, std::string> plt_map = {
{0x400810, "_puts"},
{0x400820, "___stack_chk_fail"},
{0x400830, "_printf"},
{0x400840, "_memset"},
{0x400850, "_alarm"},
{0x400860, "_read"},
{0x400870, "_srand"},
{0x400880, "_signal"},
{0x400890, "_ptrace"},
{0x4008A0, "_setvbuf"},
{0x4008B0, "_perror"},
{0x4008C0, "_atoi"},
{0x4008D0, "_exit"},
{0x4008E0, "_wait"},
{0x4008F0, "_fork"},
{0x400900, "_rand"}
};
int calc_child(unsigned long long child, unsigned long long base) {
if ((child - base) / sizeof(data) >= 0 && (child - base) / sizeof(data) <= 180) {
return (child - base) / sizeof(data);
}
return -1;
}
void vmrun2() {
std::stack<unsigned long long> stack;
std::queue<unsigned long long> queue;
data* ptr = ((data*)ida_chars) + 1;
data* base = ptr;
queue.push(0);
while (queue.size()) {
int nowidx = queue.front();
ptr = base + nowidx;
queue.pop();
if (!visited[nowidx])
visited[nowidx] = 1;
else
continue;
printf("now index: %d\n", nowidx);
int lidx = calc_child((unsigned long long)ptr->lchild, 0x606AC0);
int ridx = calc_child((unsigned long long)ptr->rchild, 0x606AC0);
int nextidx = 0;
switch ((unsigned long long)ptr->func)
{
case 0x0000000000000000:
//calc next idx
nextidx = ridx;
queue.push(nextidx);
printf("next RIP: %p\n", ptr->reg2);
printf("goto idx %d\n", nextidx);
break;
case 0x0000000000401E96:
// return 2
nextidx = stack.top();
stack.pop();
printf("add rsp, 8;\n");
printf("next RIP: %p\n", ptr->reg2);
queue.push(nextidx);
fprintf(stderr, "2 jmp %d -> %d\n", nowidx, nextidx);
printf("goto idx %d\n", nextidx);
break;
case 0x0000000000401EA5:
// return 3
printf("call %s", plt_map[(unsigned long long)ptr->rchild].c_str());
//printf("call %p\n", ptr->rchild);
printf(" ,ret to %p\n", ptr->reg2);
nextidx = lidx;
queue.push(nextidx);
printf("goto idx %d\n", nextidx);
break;
case 0x0000000000401EB4:
// return 4
stack.push(lidx);
printf("sub rsp 8;\n");
nextidx = ridx;
queue.push(nextidx);
printf("next RIP: %p\n", ptr->reg2);
printf("goto idx %d\n", nextidx);
break;
case 0x0000000000401CA6:
// JLE
// 0 left 1 right
printf("goto %p\nJLE %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401C31:
// JL
// 0 left 1 right
printf("goto %p\nJL %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401D22:
// JNE/JNZ
// 0 left 1 right
printf("goto %p\nJNE %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401D5B:
// JE/JZ
// 0 left 1 right
printf("goto %p\nJE %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401DCD:
// JNS
// 0 left 1 right
printf("goto %p\nJNS %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401F0C:
// JG
// 0 left 1 right
printf("goto %p\nJG %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
default:
printf("Unknown func %p\n", ptr->func);
break;
}
}
}
int main() {
vmrun2();
}
在 case 2 的处理中,我输出了下一步的块,虽然可能会有点错误,但是不影响指令分析。
把这些块解引用之后,可以输出结构体,然后编写 idapy 脚本去取指令分块重构,以 int 3 为间隔,每次扫描该块的 RIP 字段,取出该地址往下的所有指令,直到遇到 int 3 停止,这里根据 func 去处理函数:
- case 2:通过上一个脚本的分析在末尾建立 jmp 指令
- case 3:末尾添加对 rchild 所指向函数的 call,随后再跟上 jmp 指令跳转到 RIP 所指向的位置。
- case 4:仅添加对 rchild 的 jmp。
- 条件跳转:对 rchild 添加对应的条件跳转,并在后面添加对 lchild 块的直接 jmp。
- NULL:仅添加对 rchild 的 jmp。
jumptable = {
170 : 53,
49 : 89,
27 : 120,
48 : 171,
59 : 85,
147 : 29,
114 : 132,
132 : 21,
}
mp = {
0: [0x607160,0x607fe0,0x401eb4,0x4009f7],
1: [0x607540,0x4008d0,0x401ea5,0x400afd],
2: [0x0,0x606f00,0x0,0x400b03],
3: [0x607dc0,0x607e00,0x401eb4,0x400b6e],
4: [0x607920,0x400870,0x401ea5,0x400b79],
5: [0x608000,0x607460,0x401ca6,0x400b7c],
6: [0x6077c0,0x607ea0,0x401d22,0x400b81],
7: [0x6071e0,0x607ba0,0x401eb4,0x400bab],
8: [0x607140,0x608120,0x401d22,0x400bbe],
9: [0x607840,0x400830,0x401ea5,0x400beb],
10: [0x6070a0,0x400870,0x401ea5,0x400bf8],
11: [0x607be0,0x607120,0x401eb4,0x400bfe],
12: [0x607ac0,0x607f60,0x401eb4,0x400c10],
13: [0x607600,0x607d20,0x401d5b,0x400c25],
14: [0x607b80,0x607ba0,0x401eb4,0x400c34],
15: [0x0,0x608100,0x0,0x400c47],
16: [0x606b80,0x400900,0x401ea5,0x400c4f],
17: [0x607b60,0x606ee0,0x401ca6,0x400c74],
18: [0x6072c0,0x607a80,0x401ca6,0x400c7c],
19: [0x607ca0,0x607f40,0x401ca6,0x400c84],
20: [0x0,0x0,0x401e96,0x400c8c],
21: [0x607280,0x606fc0,0x401eb4,0x400c96],
22: [0x0,0x607a20,0x0,0x400ccf],
23: [0x6079c0,0x608060,0x401eb4,0x400cdf],
24: [0x0,0x6080c0,0x0,0x400d1f],
25: [0x607040,0x400810,0x401ea5,0x400d45],
26: [0x608020,0x607e00,0x401eb4,0x400d4d],
27: [0x0,0x0,0x401e96,0x400d58],
28: [0x0,0x607620,0x0,0x400d5b],
29: [0x606d60,0x607120,0x401eb4,0x400d90],
30: [0x0,0x607520,0x0,0x400da3],
31: [0x0,0x0,0x401e96,0x400ddb],
32: [0x607480,0x607340,0x401d5b,0x400de0],
33: [0x606bc0,0x400900,0x401ea5,0x400def],
34: [0x606ca0,0x606b00,0x401ca6,0x400e1a],
35: [0x0,0x6080c0,0x0,0x400e22],
36: [0x6077e0,0x608060,0x401eb4,0x400e3a],
37: [0x606de0,0x400810,0x401ea5,0x400e55],
38: [0x0,0x0,0x401e96,0x400e5d],
39: [0x607100,0x606d40,0x401d5b,0x400f5c],
40: [0x607ec0,0x607860,0x401dcd,0x400f6a],
41: [0x0,0x0,0x401e96,0x400f7a],
42: [0x0,0x607960,0x0,0x400f83],
43: [0x606b20,0x6080e0,0x401ca6,0x400fb1],
44: [0x606c00,0x400810,0x401ea5,0x400fc1],
45: [0x607080,0x607c80,0x401eb4,0x400fc9],
46: [0x6079e0,0x607780,0x401eb4,0x400fdb],
47: [0x0,0x606b60,0x0,0x400fee],
48: [0x0,0x0,0x401e96,0x400ff6],
49: [0x0,0x0,0x401e96,0x400ff9],
50: [0x606d40,0x400820,0x401ea5,0x400ffb],
51: [0x607b40,0x606fc0,0x401eb4,0x400ffc],
52: [0x0,0x608120,0x0,0x401010],
53: [0x607260,0x4008a0,0x401ea5,0x401018],
54: [0x0,0x0,0x401e96,0x401032],
55: [0x0,0x606d00,0x0,0x401034],
56: [0x607060,0x607c80,0x401eb4,0x40104d],
57: [0x6071c0,0x606c40,0x401eb4,0x401060],
58: [0x0,0x608100,0x0,0x401073],
59: [0x0,0x0,0x401e96,0x401080],
60: [0x0,0x606b60,0x0,0x40117f],
61: [0x607c40,0x4008a0,0x401ea5,0x401184],
62: [0x607cc0,0x607120,0x401eb4,0x40119e],
63: [0x608140,0x607c80,0x401eb4,0x4011b1],
64: [0x0,0x607a40,0x0,0x4011c4],
65: [0x0,0x606ce0,0x0,0x4011ff],
66: [0x0,0x607c00,0x0,0x40120a],
67: [0x0,0x606fa0,0x0,0x40120b],
68: [0x0,0x0,0x401e96,0x40120c],
69: [0x6078c0,0x608060,0x401eb4,0x401213],
70: [0x607d00,0x608060,0x401eb4,0x40122e],
71: [0x607400,0x607e00,0x401eb4,0x401249],
72: [0x607420,0x400810,0x401ea5,0x401254],
73: [0x0,0x607f80,0x0,0x40125c],
74: [0x607500,0x607220,0x401eb4,0x40129f],
75: [0x6074e0,0x400810,0x401ea5,0x4012aa],
76: [0x606dc0,0x4008d0,0x401ea5,0x4012b2],
77: [0x0,0x6078e0,0x0,0x4012b8],
78: [0x607340,0x400820,0x401ea5,0x4012c0],
79: [0x0,0x607c00,0x0,0x4012c1],
80: [0x0,0x607b00,0x0,0x4012c3],
81: [0x606f60,0x400810,0x401ea5,0x4012e7],
82: [0x6080a0,0x608060,0x401eb4,0x4012ef],
83: [0x607000,0x606e80,0x401ca6,0x40130a],
84: [0x606f20,0x6074a0,0x401d5b,0x401312],
85: [0x606f40,0x607e80,0x401eb4,0x401319],
86: [0x607c60,0x606fc0,0x401eb4,0x401324],
87: [0x607980,0x607c80,0x401eb4,0x40132a],
88: [0x0,0x6077a0,0x0,0x40133d],
89: [0x0,0x606d00,0x0,0x40137f],
90: [0x607d20,0x400820,0x401ea5,0x40138a],
91: [0x6070c0,0x606e40,0x401ca6,0x40138b],
92: [0x0,0x607a40,0x0,0x401390],
93: [0x607320,0x400810,0x401ea5,0x4013c3],
94: [0x6075a0,0x606c40,0x401eb4,0x4013ce],
95: [0x6078a0,0x606fc0,0x401eb4,0x4013e0],
96: [0x607680,0x606c40,0x401eb4,0x4013f4],
97: [0x606ae0,0x607540,0x401f0c,0x401407],
98: [0x607ae0,0x606dc0,0x401eb4,0x40140f],
99: [0x607440,0x400810,0x401ea5,0x40141c],
100: [0x6076e0,0x400860,0x401ea5,0x40142f],
101: [0x0,0x607a20,0x0,0x401441],
102: [0x607940,0x607f60,0x401eb4,0x401476],
103: [0x606e20,0x6075c0,0x401ca6,0x40148b],
104: [0x0,0x607ea0,0x0,0x401490],
105: [0x0,0x607fa0,0x0,0x401498],
106: [0x607180,0x400820,0x401ea5,0x4014a0],
107: [0x0,0x0,0x401e96,0x4014a1],
108: [0x6075e0,0x606dc0,0x401eb4,0x4014ad],
109: [0x0,0x607900,0x0,0x4014bd],
110: [0x0,0x0,0x401e96,0x4014c4],
111: [0x607bc0,0x606fc0,0x401eb4,0x4014c7],
112: [0x0,0x607020,0x0,0x4014cd],
113: [0x607240,0x607da0,0x401ca6,0x4014d5],
114: [0x0,0x0,0x401e96,0x4014da],
115: [0x0,0x607d60,0x0,0x4014dc],
116: [0x607f20,0x6076a0,0x401eb4,0x4014f1],
117: [0x0,0x606f00,0x0,0x4014fa],
118: [0x606c80,0x607780,0x401eb4,0x401505],
119: [0x0,0x0,0x401e96,0x401518],
120: [0x0,0x607fa0,0x0,0x40151a],
121: [0x6076c0,0x607ba0,0x401eb4,0x401525],
122: [0x607700,0x400840,0x401ea5,0x401538],
123: [0x607880,0x607760,0x401ca6,0x401561],
124: [0x607200,0x607640,0x401c31,0x401566],
125: [0x606c20,0x607120,0x401eb4,0x401576],
126: [0x6071a0,0x400900,0x401ea5,0x401589],
127: [0x6070e0,0x400820,0x401ea5,0x40158a],
128: [0x607820,0x6076a0,0x401eb4,0x40158b],
129: [0x607e40,0x4008c0,0x401ea5,0x401594],
130: [0x606ec0,0x607f00,0x401ca6,0x40159c],
131: [0x0,0x0,0x401e96,0x4015a1],
132: [0x0,0x0,0x401e96,0x4015ad],
133: [0x607660,0x607e60,0x401ca6,0x4015b2],
134: [0x607e20,0x607ba0,0x401eb4,0x4015ba],
135: [0x607d40,0x607f60,0x401eb4,0x4015cc],
136: [0x0,0x0,0x401e96,0x4015e1],
137: [0x6073e0,0x606fc0,0x401eb4,0x4015e3],
138: [0x607aa0,0x6070e0,0x401d5b,0x401612],
139: [0x607360,0x607e80,0x401eb4,0x401633],
140: [0x606be0,0x4008a0,0x401ea5,0x40163e],
141: [0x6079a0,0x606fc0,0x401eb4,0x401658],
142: [0x606ea0,0x607f60,0x401eb4,0x40165e],
143: [0x608040,0x607960,0x401d22,0x401672],
144: [0x607a60,0x606fc0,0x401eb4,0x401684],
145: [0x0,0x607b00,0x0,0x4016bf],
146: [0x606b40,0x400900,0x401ea5,0x401702],
147: [0x0,0x0,0x401e96,0x401703],
148: [0x607b20,0x606fc0,0x401eb4,0x40170a],
149: [0x6072e0,0x606cc0,0x401ca6,0x401713],
150: [0x607c20,0x607220,0x401eb4,0x40171b],
151: [0x0,0x6078e0,0x0,0x401726],
152: [0x607380,0x607220,0x401eb4,0x4017b9],
153: [0x606e60,0x606fc0,0x401eb4,0x4017c4],
154: [0x0,0x607620,0x0,0x4017d1],
155: [0x6072a0,0x606c40,0x401eb4,0x4017e1],
156: [0x607800,0x607180,0x401d5b,0x4017f4],
157: [0x607fc0,0x400810,0x401ea5,0x401802],
158: [0x0,0x607f80,0x0,0x40180d],
159: [0x0,0x607d60,0x0,0x401831],
160: [0x0,0x607900,0x0,0x401839],
161: [0x0,0x607020,0x0,0x401843],
162: [0x606ba0,0x607780,0x401eb4,0x40184e],
163: [0x606fe0,0x606fc0,0x401eb4,0x40185b],
164: [0x0,0x606d20,0x0,0x401864],
165: [0x607580,0x606fc0,0x401eb4,0x4018a3],
166: [0x606c60,0x607de0,0x401ca6,0x4018b7],
167: [0x6073a0,0x606e00,0x401ca6,0x4018bc],
168: [0x0,0x606fa0,0x0,0x4018cc],
169: [0x6073c0,0x400810,0x401ea5,0x4018ce],
170: [0x0,0x0,0x401e96,0x4018e2],
171: [0x607560,0x607220,0x401eb4,0x4018e5],
172: [0x0,0x607520,0x0,0x4018f0],
173: [0x0,0x6077a0,0x0,0x40193c],
174: [0x0,0x606d20,0x0,0x401953],
175: [0x607ee0,0x608060,0x401eb4,0x40195e],
176: [0x607300,0x607740,0x401c31,0x4019a2],
177: [0x607d80,0x607e00,0x401eb4,0x4019ac],
178: [0x606da0,0x608080,0x401c31,0x4019b7],
179: [0x0,0x606ce0,0x0,0x4019ca],
180: [0x607ce0,0x607780,0x401eb4,0x4019d2],
}
func_map = {
0x400810: "_puts",
0x400820: "___stack_chk_fail",
0x400830: "_printf",
0x400840: "_memset",
0x400850: "_alarm",
0x400860: "_read",
0x400870: "_srand",
0x400880: "_signal",
0x400890: "_ptrace",
0x4008A0: "_setvbuf",
0x4008B0: "_perror",
0x4008C0: "_atoi",
0x4008D0: "_exit",
0x4008E0: "_wait",
0x4008F0: "_fork",
0x400900: "_rand",
}
import idc
import ida_bytes
import ida_ua
def print_until_int3(ea, key):
"""
从地址 ea 开始遍历汇编指令,直到遇到 int3 (0xCC)
"""
print("idx_{}:".format(key))
cur_ea = ea
while cur_ea != idc.BADADDR:
# 获取当前指令的字节
byte = ida_bytes.get_bytes(cur_ea, 1)
if not byte:
break
# 判断是否是 int3
if byte[0] == 0xCC:
#print("0x{:x}: int3".format(cur_ea))
break
print("0x{:x}:".format(cur_ea),end = ' ')
# 获取指令文本
disasm = idc.generate_disasm_line(cur_ea, 0)
print("\t{}".format(disasm))
# 移动到下一条指令
cur_ea = idc.next_head(cur_ea)
def calc_idx(addr):
return (addr - 0x606AC0)//0x20
# 遍历字典
for key in sorted(mp.keys()):
info = mp[key]
addr = info[3]
func = info[2]
print_until_int3(addr, key)
if func == 0x0000000000401C31: # JL: if eflags is less, return 1 else 0
lidx = calc_idx(info[0])
ridx = calc_idx(info[1])
print(f"\tjl idx_{ridx}")
print(f"\tjmp idx_{lidx}")
elif func == 0x0000000000401CA6: # JLE: if eflags is less or equal
lidx = calc_idx(info[0])
ridx = calc_idx(info[1])
print(f"\tjle idx_{ridx}")
print(f"\tjmp idx_{lidx}")
elif func == 0x0000000000401D22: # JNE/JNZ: if eflags is not zero
lidx = calc_idx(info[0])
ridx = calc_idx(info[1])
print(f"\tjnz idx_{ridx}")
print(f"\tjmp idx_{lidx}")
elif func == 0x0000000000401D5B: # JE/JZ: if eflags is zero
lidx = calc_idx(info[0])
ridx = calc_idx(info[1])
print(f"\tje idx_{ridx}")
print(f"\tjmp idx_{lidx}")
elif func == 0x0000000000401DCD: # JNS: if eflags is not sign
lidx = calc_idx(info[0])
ridx = calc_idx(info[1])
print(f"\tjns idx_{ridx}")
print(f"\tjmp idx_{lidx}")
elif func == 0x0000000000401F0C: # JG: if eflags is greater
lidx = calc_idx(info[0])
ridx = calc_idx(info[1])
print(f"\tjg idx_{ridx}")
print(f"\tjmp idx_{lidx}")
elif func == 0x0000000000401E96: # return 2
if key in jumptable:
ridx = jumptable[key]
print(f"\tjmp idx_{ridx}")
else:
print(f"\tjmp ??? ; never execute here")
elif func == 0x0000000000401EA5: # return 3
lidx = calc_idx(info[0])
print(f"\tcall\t{func_map[info[1]]}@plt")
print(f"\tjmp\tidx_{lidx}")
elif func == 0x0000000000401EB4: # return 4
ridx = calc_idx(info[1])
print(f"\tjmp\tidx_{ridx}")
elif func == 0x0000000000000000:
ridx = calc_idx(info[1])
print(f"\tjmp\tidx_{ridx}")
else:
print("except\n");
quit()
jumptable 来源于上一个脚本向标准错误流打印的数据(方便重定向)。
运行脚本之后得到原指令流,事实上可以根据广搜结果将明显访问不到的块去掉。
如图右边这一块,但是事实上只有 80 个块你也不可能拉条儿去硬找,基本都是用 search。
idx_0:
0x4009f7: push rbp
0x4009f8: mov rbp, rsp
0x4009fb: push rbx
0x4009fc: sub rsp, 1E8h
0x400a03: mov rax, fs:28h
0x400a0c: mov [rbp+var_18], rax
0x400a10: xor eax, eax
0x400a12: mov [rbp+var_160], 0E2h
0x400a19: mov [rbp+var_160+1], 8Bh
0x400a20: mov [rbp+var_160+2], 55h ; 'U'
0x400a27: mov [rbp+var_160+3], 38h ; '8'
0x400a2e: mov [rbp+var_160+4], 69h ; 'i'
0x400a35: mov [rbp+var_160+5], 0FAh
0x400a3c: mov [rbp+var_160+6], 80h
0x400a43: mov [rbp+var_160+7], 0C2h
0x400a4a: mov [rbp+var_160+8], 64h ; 'd'
0x400a51: mov [rbp+var_160+9], 4Eh ; 'N'
0x400a58: mov [rbp+var_160+0Ah], 7Fh
0x400a5f: mov [rbp+var_160+0Bh], 0E7h
0x400a66: mov [rbp+var_160+0Ch], 13h
0x400a6d: mov [rbp+var_160+0Dh], 6
0x400a74: mov [rbp+var_160+0Eh], 14h
0x400a7b: mov [rbp+var_160+0Fh], 0C5h
0x400a82: mov [rbp+var_160+10h], 0C0h
0x400a89: mov [rbp+var_160+11h], 13h
0x400a90: mov [rbp+var_160+12h], 0D3h
0x400a97: mov [rbp+var_160+13h], 12h
0x400a9e: mov [rbp+var_160+14h], 6Bh ; 'k'
0x400aa5: mov [rbp+var_160+15h], 0BDh
0x400aac: mov [rbp+var_160+16h], 0F2h
0x400ab3: mov [rbp+var_160+17h], 0C7h
0x400aba: mov [rbp+var_160+18h], 88h
0x400ac1: mov [rbp+var_160+19h], 44h ; 'D'
0x400ac8: mov [rbp+var_160+1Ah], 3Eh ; '>'
0x400acf: mov [rbp+var_160+1Bh], 9
0x400ad6: mov [rbp+var_160+1Ch], 0E8h
0x400add: mov [rbp+var_160+1Dh], 0A3h
0x400ae4: mov [rbp+var_160+1Eh], 83h
0x400aeb: mov [rbp+var_160+1Fh], 30h ; '0'
0x400af2: lea rax, [rbp+var_160]
0x400af9: mov rdi, rax
jmp idx_169
idx_1:
0x400afd: mov edi, 0FFFFFFFFh
call _exit@plt
jmp idx_84
idx_2:
0x400b03: mov eax, [rbp+var_1C0]
0x400b09: sub eax, [rbp+var_1C8]
0x400b0f: lea edx, ds:0[rax*4]
0x400b16: mov eax, [rbp+var_1BC]
0x400b1c: add eax, edx
0x400b1e: movsxd rdx, eax
0x400b21: mov rax, [rbp+var_190]
0x400b28: add rax, rdx
0x400b2b: movzx esi, byte ptr [rax]
0x400b2e: mov eax, [rbp+var_1BC]
0x400b34: cdqe
0x400b36: movzx ecx, [rbp+rax+var_184]
0x400b3e: mov eax, [rbp+var_1C0]
0x400b44: lea edx, ds:0[rax*4]
0x400b4b: mov eax, [rbp+var_1BC]
0x400b51: add eax, edx
0x400b53: movsxd rdx, eax
0x400b56: mov rax, [rbp+var_190]
0x400b5d: add rax, rdx
0x400b60: xor esi, ecx
0x400b62: mov edx, esi
0x400b64: mov [rax], dl
0x400b66: add [rbp+var_1BC], 1
jmp idx_34
idx_3:
0x400b6e: mov rax, [rbp+var_1B8]
0x400b75: mov rdi, rax
jmp idx_154
idx_4:
0x400b79: mov edi, eax
call _srand@plt
jmp idx_115
idx_5:
0x400b7c: cmp dword ptr [rbp+var_8], 7
jle idx_77
jmp idx_170
idx_6:
0x400b81: xor eax, ebx
0x400b83: mov [rbp+var_1E2], al
0x400b89: movzx edx, [rbp+var_1E2]
0x400b90: mov rcx, cs:off_606A48; "Congratulations! This is the correct fl"...
0x400b97: mov eax, [rbp+var_1E0]
0x400b9d: cdqe
0x400b9f: add rax, rcx
0x400ba2: movzx eax, byte ptr [rax]
0x400ba5: movsx eax, al
0x400ba8: cmp edx, eax
jnz idx_159
jmp idx_104
idx_7:
0x400bab: mov ebx, eax
0x400bad: mov rax, [rbp+var_28]
0x400bb1: add rax, 1
0x400bb5: movzx eax, byte ptr [rax]
0x400bb8: movzx eax, al
0x400bbb: mov edi, eax
jmp idx_135
idx_8:
0x400bbe: xor eax, ebx
0x400bc0: mov [rbp+var_1E2], al
0x400bc6: movzx edx, [rbp+var_1E2]
0x400bcd: mov rcx, cs:off_606A48; "Congratulations! This is the correct fl"...
0x400bd4: mov eax, [rbp+var_1E0]
0x400bda: add eax, 11h
0x400bdd: cdqe
0x400bdf: add rax, rcx
0x400be2: movzx eax, byte ptr [rax]
0x400be5: movsx eax, al
0x400be8: cmp edx, eax
jnz idx_179
jmp idx_52
idx_9:
0x400beb: lea rdi, aInputYourFlag; "Input your flag: "
0x400bf2: mov eax, 0
call _printf@plt
jmp idx_108
idx_10:
0x400bf8: mov edi, 10000h
call _srand@plt
jmp idx_47
idx_11:
0x400bfe: xor eax, ebx
0x400c00: mov byte ptr [rbp+var_20+6], al
0x400c03: mov rax, [rbp+var_28]
0x400c07: movzx eax, byte ptr [rax]
0x400c0a: movzx eax, al
0x400c0d: mov edi, eax
jmp idx_51
idx_12:
0x400c10: push rbp
0x400c11: mov rbp, rsp
0x400c14: push rbx
0x400c15: sub rsp, 8
0x400c19: mov eax, edi
0x400c1b: mov byte ptr [rbp+var_C], al
0x400c1e: movzx eax, byte ptr [rbp+var_C]
0x400c22: mov edi, eax
jmp idx_165
idx_13:
0x400c25: nop
0x400c26: mov rax, [rbp+var_18]
0x400c2a: xor rax, fs:28h
je idx_147
jmp idx_90
idx_14:
0x400c34: xor ebx, eax
0x400c36: mov rax, [rbp+var_28]
0x400c3a: add rax, 3
0x400c3e: movzx eax, byte ptr [rax]
0x400c41: movzx eax, al
0x400c44: mov edi, eax
jmp idx_135
idx_15:
0x400c47: add [rbp+var_1C0], 1
jmp idx_178
idx_16:
0x400c4f: mov eax, [rbp+var_1E0]
0x400c55: cdqe
0x400c57: movzx edx, [rbp+rax+var_140]
0x400c5f: mov eax, [rbp+var_1E0]
0x400c65: cdqe
0x400c67: movzx eax, [rbp+rax+var_160]
0x400c6f: xor eax, edx
0x400c71: mov ebx, eax
call _rand@plt
jmp idx_6
idx_17:
0x400c74: cmp [rbp+var_1E0], 0Fh
jle idx_33
jmp idx_133
idx_18:
0x400c7c: cmp [rbp+var_1E0], 0Fh
jle idx_126
jmp idx_64
idx_19:
0x400c84: cmp [rbp+var_1BC], 3
jle idx_164
jmp idx_143
idx_20:
0x400c8c: add rsp, 1E8h
0x400c93: pop rbx
0x400c94: pop rbp
jmp ??? ; never execute here
idx_21:
0x400c96: xor ebx, eax
0x400c98: mov edx, ebx
0x400c9a: mov rax, [rbp+var_28]
0x400c9e: add rax, 2
0x400ca2: movzx eax, byte ptr [rax]
0x400ca5: xor edx, eax
0x400ca7: mov rax, [rbp+var_28]
0x400cab: add rax, 3
0x400caf: movzx eax, byte ptr [rax]
0x400cb2: xor eax, edx
0x400cb4: mov byte ptr [rbp+var_20+4], al
0x400cb7: mov rax, [rbp+var_28]
0x400cbb: movzx ebx, byte ptr [rax]
0x400cbe: mov rax, [rbp+var_28]
0x400cc2: add rax, 1
0x400cc6: movzx eax, byte ptr [rax]
0x400cc9: movzx eax, al
0x400ccc: mov edi, eax
jmp idx_40
idx_22:
0x400ccf: push rbp
0x400cd0: mov rbp, rsp
0x400cd3: mov [rbp+var_18], rdi
0x400cd7: mov dword ptr [rbp+var_8+4], 0
jmp idx_123
idx_23:
0x400cdf: lea rax, [rbp+var_140]
0x400ce6: mov [rbp+var_1A8], rax
0x400ced: lea rax, [rbp+var_110]
0x400cf4: mov [rbp+var_1A0], rax
0x400cfb: mov [rbp+var_1D0], 0Ah
0x400d05: mov rcx, [rbp+var_1A0]
0x400d0c: mov rax, [rbp+var_1A8]
0x400d13: mov edx, 0
0x400d18: mov rsi, rcx
0x400d1b: mov rdi, rax
jmp idx_173
idx_24:
0x400d1f: push rbp
0x400d20: mov rbp, rsp
0x400d23: sub rsp, 30h
0x400d27: mov [rbp+var_28], rdi
0x400d2b: mov [rbp+var_2C], esi
0x400d2e: mov rax, fs:28h
0x400d37: mov [rbp+var_8], rax
0x400d3b: xor eax, eax
0x400d3d: mov [rbp+var_10], 0
jmp idx_176
idx_25:
0x400d45: lea rdi, a888888D8888888; " 888 888 d8( 888 888 "...
call _puts@plt
jmp idx_44
idx_26:
0x400d4d: mov rax, [rbp+var_1A8]
0x400d54: mov rdi, rax
jmp idx_154
idx_27:
0x400d58: nop
0x400d59: pop rbp
jmp idx_120
idx_28:
0x400d5b: mov eax, dword ptr [rbp+var_8+4]
0x400d5e: movsxd rdx, eax
0x400d61: mov rax, [rbp+var_18]
0x400d65: add rax, rdx
0x400d68: movzx eax, byte ptr [rax]
0x400d6b: movzx eax, al
0x400d6e: mov edx, dword ptr [rbp+var_8+4]
0x400d71: movsxd rcx, edx
0x400d74: mov rdx, [rbp+var_18]
0x400d78: add rcx, rdx
0x400d7b: movsxd rdx, eax
0x400d7e: lea rax, sbox_enc
0x400d85: movzx eax, byte ptr [rdx+rax]
0x400d89: mov [rcx], al
0x400d8b: add dword ptr [rbp+var_8+4], 1
jmp idx_91
idx_29:
0x400d90: mov ebx, eax
0x400d92: mov rax, [rbp+var_28]
0x400d96: add rax, 1
0x400d9a: movzx eax, byte ptr [rax]
0x400d9d: movzx eax, al
0x400da0: mov edi, eax
jmp idx_51
idx_30:
0x400da3: mov eax, [rbp+var_1BC]
0x400da9: cdqe
0x400dab: movzx eax, [rbp+rax+var_184]
0x400db3: movzx eax, al
0x400db6: movsxd rdx, eax
0x400db9: lea rax, sbox_enc
0x400dc0: movzx edx, byte ptr [rdx+rax]
0x400dc4: mov eax, [rbp+var_1BC]
0x400dca: cdqe
0x400dcc: mov [rbp+rax+var_184], dl
0x400dd3: add [rbp+var_1BC], 1
jmp idx_83
idx_31:
0x400ddb: xor al, byte ptr [rbp+var_8+4]
0x400dde: leave
jmp ??? ; never execute here
idx_32:
0x400de0: nop
0x400de1: mov rax, [rbp+var_18]
0x400de5: xor rax, fs:28h
je idx_68
jmp idx_78
idx_33:
0x400def: mov eax, [rbp+var_1E0]
0x400df5: add eax, 10h
0x400df8: cdqe
0x400dfa: movzx edx, [rbp+rax+var_140]
0x400e02: mov eax, [rbp+var_1E0]
0x400e08: add eax, 10h
0x400e0b: cdqe
0x400e0d: movzx eax, [rbp+rax+var_160]
0x400e15: xor eax, edx
0x400e17: mov ebx, eax
call _rand@plt
jmp idx_8
idx_34:
0x400e1a: cmp [rbp+var_1BC], 3
jle idx_2
jmp idx_15
idx_35:
0x400e22: mov eax, [rbp+var_10]
0x400e25: movsxd rdx, eax
0x400e28: mov rax, [rbp+var_28]
0x400e2c: add rdx, rax
0x400e2f: movzx eax, byte ptr [rbp+var_18+7]
0x400e33: mov [rdx], al
0x400e35: add [rbp+var_10], 1
jmp idx_176
idx_36:
0x400e3a: mov edx, [rbp+var_1CC]
0x400e40: mov rcx, [rbp+var_1A0]
0x400e47: mov rax, [rbp+var_1A8]
0x400e4e: mov rsi, rcx
0x400e51: mov rdi, rax
jmp idx_173
idx_37:
0x400e55: lea rdi, a888888Op888888; " 888 888 .oP\"888 888 "...
call _puts@plt
jmp idx_25
idx_38:
0x400e5d: push rbp
0x400e5e: mov rbp, rsp
0x400e61: mov [rbp+var_18], rdi
0x400e65: mov rax, [rbp+var_18]
0x400e69: movzx eax, byte ptr [rax+0Dh]
0x400e6d: mov byte ptr [rbp+var_8+7], al
0x400e70: mov rax, [rbp+var_18]
0x400e74: lea rdx, [rax+0Dh]
0x400e78: mov rax, [rbp+var_18]
0x400e7c: movzx eax, byte ptr [rax+9]
0x400e80: mov [rdx], al
0x400e82: mov rax, [rbp+var_18]
0x400e86: lea rdx, [rax+9]
0x400e8a: mov rax, [rbp+var_18]
0x400e8e: movzx eax, byte ptr [rax+5]
0x400e92: mov [rdx], al
0x400e94: mov rax, [rbp+var_18]
0x400e98: lea rdx, [rax+5]
0x400e9c: mov rax, [rbp+var_18]
0x400ea0: movzx eax, byte ptr [rax+1]
0x400ea4: mov [rdx], al
0x400ea6: mov rax, [rbp+var_18]
0x400eaa: lea rdx, [rax+1]
0x400eae: movzx eax, byte ptr [rbp+var_8+7]
0x400eb2: mov [rdx], al
0x400eb4: mov rax, [rbp+var_18]
0x400eb8: movzx eax, byte ptr [rax+2]
0x400ebc: mov byte ptr [rbp+var_8+7], al
0x400ebf: mov rax, [rbp+var_18]
0x400ec3: lea rdx, [rax+2]
0x400ec7: mov rax, [rbp+var_18]
0x400ecb: movzx eax, byte ptr [rax+0Ah]
0x400ecf: mov [rdx], al
0x400ed1: mov rax, [rbp+var_18]
0x400ed5: lea rdx, [rax+0Ah]
0x400ed9: movzx eax, byte ptr [rbp+var_8+7]
0x400edd: mov [rdx], al
0x400edf: mov rax, [rbp+var_18]
0x400ee3: movzx eax, byte ptr [rax+6]
0x400ee7: mov byte ptr [rbp+var_8+7], al
0x400eea: mov rax, [rbp+var_18]
0x400eee: lea rdx, [rax+6]
0x400ef2: mov rax, [rbp+var_18]
0x400ef6: movzx eax, byte ptr [rax+0Eh]
0x400efa: mov [rdx], al
0x400efc: mov rax, [rbp+var_18]
0x400f00: lea rdx, [rax+0Eh]
0x400f04: movzx eax, byte ptr [rbp+var_8+7]
0x400f08: mov [rdx], al
0x400f0a: mov rax, [rbp+var_18]
0x400f0e: movzx eax, byte ptr [rax+3]
0x400f12: mov byte ptr [rbp+var_8+7], al
0x400f15: mov rax, [rbp+var_18]
0x400f19: lea rdx, [rax+3]
0x400f1d: mov rax, [rbp+var_18]
0x400f21: movzx eax, byte ptr [rax+7]
0x400f25: mov [rdx], al
0x400f27: mov rax, [rbp+var_18]
0x400f2b: lea rdx, [rax+7]
0x400f2f: mov rax, [rbp+var_18]
0x400f33: movzx eax, byte ptr [rax+0Bh]
0x400f37: mov [rdx], al
0x400f39: mov rax, [rbp+var_18]
0x400f3d: lea rdx, [rax+0Bh]
0x400f41: mov rax, [rbp+var_18]
0x400f45: movzx eax, byte ptr [rax+0Fh]
0x400f49: mov [rdx], al
0x400f4b: mov rax, [rbp+var_18]
0x400f4f: lea rdx, [rax+0Fh]
0x400f53: movzx eax, byte ptr [rbp+var_8+7]
0x400f57: mov [rdx], al
0x400f59: nop
0x400f5a: pop rbp
jmp ??? ; never execute here
idx_39:
0x400f5c: mov rax, [rbp+var_18]
0x400f60: xor rax, fs:28h
je idx_20
jmp idx_50
idx_40:
0x400f6a: push rbp
0x400f6b: mov rbp, rsp
0x400f6e: mov eax, edi
0x400f70: mov byte ptr [rbp+var_8+4], al
0x400f73: movzx eax, byte ptr [rbp+var_8+4]
0x400f77: test al, al
jns idx_109
jmp idx_160
idx_41:
0x400f7a: xor eax, ebx
0x400f7c: add rsp, 8
0x400f80: pop rbx
0x400f81: pop rbp
jmp ??? ; never execute here
idx_42:
0x400f83: movzx ecx, [rbp+var_184]
0x400f8a: mov eax, [rbp+var_1C0]
0x400f90: cdq
0x400f91: idiv [rbp+var_1C8]
0x400f97: sub eax, 1
0x400f9a: movsxd rdx, eax
0x400f9d: lea rax, byte_404B30
0x400fa4: movzx eax, byte ptr [rdx+rax]
0x400fa8: xor eax, ecx
0x400faa: mov [rbp+var_184], al
jmp idx_117
idx_43:
0x400fb1: mov eax, [rbp+var_1D8]
0x400fb7: sub eax, 1
0x400fba: cmp [rbp+var_1D4], eax
jle idx_177
jmp idx_3
idx_44:
0x400fc1: lea rdi, aO888oD888bY888; " o888o d888b `Y888\"\"8o `Y8b"...
call _puts@plt
jmp idx_10
idx_45:
0x400fc9: xor eax, ebx
0x400fcb: mov byte ptr [rbp+var_20+4], al
0x400fce: mov rax, [rbp+var_28]
0x400fd2: movzx eax, byte ptr [rax]
0x400fd5: movzx eax, al
0x400fd8: mov edi, eax
jmp idx_142
idx_46:
0x400fdb: mov ebx, eax
0x400fdd: mov rax, [rbp+var_28]
0x400fe1: add rax, 1
0x400fe5: movzx eax, byte ptr [rax]
0x400fe8: movzx eax, al
0x400feb: mov edi, eax
jmp idx_102
idx_47:
0x400fee: mov dword ptr [rbp+var_8], 0
jmp idx_5
idx_48:
0x400ff6: nop
0x400ff7: pop rbp
jmp idx_171
idx_49:
0x400ff9: leave
jmp idx_89
idx_50:
call ___stack_chk_fail@plt
jmp idx_20
idx_51:
0x400ffc: push rbp
0x400ffd: mov rbp, rsp
0x401000: sub rsp, 8
0x401004: mov eax, edi
0x401006: mov byte ptr [rbp+var_8+4], al
0x401009: movzx eax, byte ptr [rbp+var_8+4]
0x40100d: mov edi, eax
jmp idx_40
idx_52:
0x401010: add [rbp+var_1DC], 1
jmp idx_179
idx_53:
0x401018: mov rax, cs:stdin
0x40101f: mov ecx, 0
0x401024: mov edx, 2
0x401029: mov esi, 0
0x40102e: mov rdi, rax
call _setvbuf@plt
jmp idx_61
idx_54:
0x401032: leave
jmp ??? ; never execute here
idx_55:
0x401034: mov edx, eax
0x401036: mov eax, [rbp+var_1E0]
0x40103c: cdqe
0x40103e: mov [rbp+rax+var_180], dl
0x401045: add [rbp+var_1E0], 1
jmp idx_18
idx_56:
0x40104d: xor ebx, eax
0x40104f: mov rax, [rbp+var_28]
0x401053: add rax, 3
0x401057: movzx eax, byte ptr [rax]
0x40105a: movzx eax, al
0x40105d: mov edi, eax
jmp idx_142
idx_57:
0x401060: xor ebx, eax
0x401062: mov rax, [rbp+var_28]
0x401066: add rax, 2
0x40106a: movzx eax, byte ptr [rax]
0x40106d: movzx eax, al
0x401070: mov edi, eax
jmp idx_12
idx_58:
0x401073: mov eax, [rbp+var_1C8]
0x401079: mov [rbp+var_1C0], eax
jmp idx_178
idx_59:
0x401080: push rbp
0x401081: mov rbp, rsp
0x401084: mov [rbp+var_18], rdi
0x401088: mov rax, [rbp+var_18]
0x40108c: movzx eax, byte ptr [rax+1]
0x401090: mov byte ptr [rbp+var_8+7], al
0x401093: mov rax, [rbp+var_18]
0x401097: lea rdx, [rax+1]
0x40109b: mov rax, [rbp+var_18]
0x40109f: movzx eax, byte ptr [rax+5]
0x4010a3: mov [rdx], al
0x4010a5: mov rax, [rbp+var_18]
0x4010a9: lea rdx, [rax+5]
0x4010ad: mov rax, [rbp+var_18]
0x4010b1: movzx eax, byte ptr [rax+9]
0x4010b5: mov [rdx], al
0x4010b7: mov rax, [rbp+var_18]
0x4010bb: lea rdx, [rax+9]
0x4010bf: mov rax, [rbp+var_18]
0x4010c3: movzx eax, byte ptr [rax+0Dh]
0x4010c7: mov [rdx], al
0x4010c9: mov rax, [rbp+var_18]
0x4010cd: lea rdx, [rax+0Dh]
0x4010d1: movzx eax, byte ptr [rbp+var_8+7]
0x4010d5: mov [rdx], al
0x4010d7: mov rax, [rbp+var_18]
0x4010db: movzx eax, byte ptr [rax+2]
0x4010df: mov byte ptr [rbp+var_8+7], al
0x4010e2: mov rax, [rbp+var_18]
0x4010e6: lea rdx, [rax+2]
0x4010ea: mov rax, [rbp+var_18]
0x4010ee: movzx eax, byte ptr [rax+0Ah]
0x4010f2: mov [rdx], al
0x4010f4: mov rax, [rbp+var_18]
0x4010f8: lea rdx, [rax+0Ah]
0x4010fc: movzx eax, byte ptr [rbp+var_8+7]
0x401100: mov [rdx], al
0x401102: mov rax, [rbp+var_18]
0x401106: movzx eax, byte ptr [rax+6]
0x40110a: mov byte ptr [rbp+var_8+7], al
0x40110d: mov rax, [rbp+var_18]
0x401111: lea rdx, [rax+6]
0x401115: mov rax, [rbp+var_18]
0x401119: movzx eax, byte ptr [rax+0Eh]
0x40111d: mov [rdx], al
0x40111f: mov rax, [rbp+var_18]
0x401123: lea rdx, [rax+0Eh]
0x401127: movzx eax, byte ptr [rbp+var_8+7]
0x40112b: mov [rdx], al
0x40112d: mov rax, [rbp+var_18]
0x401131: movzx eax, byte ptr [rax+0Fh]
0x401135: mov byte ptr [rbp+var_8+7], al
0x401138: mov rax, [rbp+var_18]
0x40113c: lea rdx, [rax+0Fh]
0x401140: mov rax, [rbp+var_18]
0x401144: movzx eax, byte ptr [rax+0Bh]
0x401148: mov [rdx], al
0x40114a: mov rax, [rbp+var_18]
0x40114e: lea rdx, [rax+0Bh]
0x401152: mov rax, [rbp+var_18]
0x401156: movzx eax, byte ptr [rax+7]
0x40115a: mov [rdx], al
0x40115c: mov rax, [rbp+var_18]
0x401160: lea rdx, [rax+7]
0x401164: mov rax, [rbp+var_18]
0x401168: movzx eax, byte ptr [rax+3]
0x40116c: mov [rdx], al
0x40116e: mov rax, [rbp+var_18]
0x401172: lea rdx, [rax+3]
0x401176: movzx eax, byte ptr [rbp+var_8+7]
0x40117a: mov [rdx], al
0x40117c: nop
0x40117d: pop rbp
jmp idx_85
idx_60:
0x40117f: add dword ptr [rbp+var_8], 1
jmp idx_5
idx_61:
0x401184: mov rax, cs:stdout
0x40118b: mov ecx, 0
0x401190: mov edx, 2
0x401195: mov esi, 0
0x40119a: mov rdi, rax
call _setvbuf@plt
jmp idx_140
idx_62:
0x40119e: xor ebx, eax
0x4011a0: mov rax, [rbp+var_28]
0x4011a4: add rax, 2
0x4011a8: movzx eax, byte ptr [rax]
0x4011ab: movzx eax, al
0x4011ae: mov edi, eax
jmp idx_51
idx_63:
0x4011b1: xor ebx, eax
0x4011b3: mov rax, [rbp+var_28]
0x4011b7: add rax, 2
0x4011bb: movzx eax, byte ptr [rax]
0x4011be: movzx eax, al
0x4011c1: mov edi, eax
jmp idx_142
idx_64:
0x4011c4: lea rax, [rbp+var_180]
0x4011cb: mov [rbp+var_198], rax
0x4011d2: lea rax, [rbp+var_110]
0x4011d9: mov [rbp+var_190], rax
0x4011e0: mov [rbp+var_1C8], 4
0x4011ea: mov [rbp+var_1C4], 0Ah
0x4011f4: mov [rbp+var_1C0], 0
jmp idx_124
idx_65:
0x4011ff: mov [rbp+var_1E0], 0
jmp idx_17
idx_66:
jmp idx_138
idx_67:
jmp idx_39
idx_68:
0x40120c: add rsp, 28h
0x401210: pop rbx
0x401211: pop rbp
jmp ??? ; never execute here
idx_69:
0x401213: mov edx, [rbp+var_1D4]
0x401219: mov rcx, [rbp+var_1B0]
0x401220: mov rax, [rbp+var_1B8]
0x401227: mov rsi, rcx
0x40122a: mov rdi, rax
jmp idx_173
idx_70:
0x40122e: mov edx, [rbp+var_1D8]
0x401234: mov rcx, [rbp+var_1B0]
0x40123b: mov rax, [rbp+var_1B8]
0x401242: mov rsi, rcx
0x401245: mov rdi, rax
jmp idx_173
idx_71:
0x401249: mov rax, [rbp+var_1A8]
0x401250: mov rdi, rax
jmp idx_154
idx_72:
0x401254: lea rdi, a88888888888Y88; "8' 888 `8 "...
call _puts@plt
jmp idx_75
idx_73:
0x40125c: xor eax, ebx
0x40125e: mov byte ptr [rbp+var_20+7], al
0x401261: movzx edx, byte ptr [rbp+var_20+4]
0x401265: mov rax, [rbp+var_28]
0x401269: mov [rax], dl
0x40126b: mov rax, [rbp+var_28]
0x40126f: lea rdx, [rax+1]
0x401273: movzx eax, byte ptr [rbp+var_20+5]
0x401277: mov [rdx], al
0x401279: mov rax, [rbp+var_28]
0x40127d: lea rdx, [rax+2]
0x401281: movzx eax, byte ptr [rbp+var_20+6]
0x401285: mov [rdx], al
0x401287: mov rax, [rbp+var_28]
0x40128b: lea rdx, [rax+3]
0x40128f: movzx eax, byte ptr [rbp+var_20+7]
0x401293: mov [rdx], al
0x401295: add dword ptr [rbp+var_20], 1
0x401299: add [rbp+var_28], 4
jmp idx_166
idx_74:
0x40129f: mov rax, [rbp+var_1A8]
0x4012a6: mov rdi, rax
jmp idx_59
idx_75:
0x4012aa: lea rdi, a888OoooD8bOooo; " 888 oooo d8b .oooo. .oooo"...
call _puts@plt
jmp idx_81
idx_76:
0x4012b2: mov edi, 1
call _exit@plt
jmp idx_24
idx_77:
0x4012b8: mov dword ptr [rbp+var_8+4], 0
jmp idx_113
idx_78:
call ___stack_chk_fail@plt
jmp idx_68
idx_79:
0x4012c1: nop
jmp idx_138
idx_80:
0x4012c3: push rbp
0x4012c4: mov rbp, rsp
0x4012c7: push rbx
0x4012c8: sub rsp, 28h
0x4012cc: mov [rbp+var_28], rdi
0x4012d0: mov rax, fs:28h
0x4012d9: mov [rbp+var_18], rax
0x4012dd: xor eax, eax
0x4012df: mov dword ptr [rbp+var_20], 0
jmp idx_130
idx_81:
0x4012e7: lea rdi, a8888888pP88bD8; " 888 `888\"\"8P `P )88b d88'"...
call _puts@plt
jmp idx_37
idx_82:
0x4012ef: mov edx, [rbp+var_1D0]
0x4012f5: mov rcx, [rbp+var_1A0]
0x4012fc: mov rax, [rbp+var_1A8]
0x401303: mov rsi, rcx
0x401306: mov rdi, rax
jmp idx_173
idx_83:
0x40130a: cmp [rbp+var_1BC], 3
jle idx_30
jmp idx_42
idx_84:
0x401312: movzx eax, byte ptr [rbp+var_18+7]
0x401316: cmp al, 0Ah
je idx_79
jmp idx_35
idx_85:
0x401319: mov rax, [rbp+var_1A8]
0x401320: mov rdi, rax
jmp idx_158
idx_86:
0x401324: movzx eax, al
0x401327: mov edi, eax
jmp idx_40
idx_87:
0x40132a: mov ebx, eax
0x40132c: mov rax, [rbp+var_28]
0x401330: add rax, 1
0x401334: movzx eax, byte ptr [rax]
0x401337: movzx eax, al
0x40133a: mov edi, eax
jmp idx_142
idx_88:
0x40133d: mov eax, dword ptr [rbp+var_8+4]
0x401340: movsxd rdx, eax
0x401343: mov rax, [rbp+var_18]
0x401347: add rax, rdx
0x40134a: movzx esi, byte ptr [rax]
0x40134d: mov eax, dword ptr [rbp+var_28+4]
0x401350: shl eax, 4
0x401353: mov edx, eax
0x401355: mov eax, dword ptr [rbp+var_8+4]
0x401358: add eax, edx
0x40135a: movsxd rdx, eax
0x40135d: mov rax, [rbp+var_20]
0x401361: add rax, rdx
0x401364: movzx ecx, byte ptr [rax]
0x401367: mov eax, dword ptr [rbp+var_8+4]
0x40136a: movsxd rdx, eax
0x40136d: mov rax, [rbp+var_18]
0x401371: add rax, rdx
0x401374: xor esi, ecx
0x401376: mov edx, esi
0x401378: mov [rax], dl
0x40137a: add dword ptr [rbp+var_8+4], 1
jmp idx_103
idx_89:
0x40137f: mov [rbp+var_1E0], 0
jmp idx_18
idx_90:
call ___stack_chk_fail@plt
jmp idx_147
idx_91:
0x40138b: cmp dword ptr [rbp+var_8+4], 0Fh
jle idx_28
jmp idx_48
idx_92:
0x401390: mov eax, [rbp+var_1C0]
0x401396: movsxd rdx, eax
0x401399: mov rax, [rbp+var_198]
0x4013a0: add rax, rdx
0x4013a3: mov edx, [rbp+var_1C0]
0x4013a9: movsxd rcx, edx
0x4013ac: mov rdx, [rbp+var_190]
0x4013b3: add rdx, rcx
0x4013b6: movzx eax, byte ptr [rax]
0x4013b9: mov [rdx], al
0x4013bb: add [rbp+var_1C0], 1
jmp idx_124
idx_93:
0x4013c3: mov rax, cs:off_606A48; "Congratulations! This is the correct fl"...
0x4013ca: mov rdi, rax
call _puts@plt
jmp idx_67
idx_94:
0x4013ce: xor eax, ebx
0x4013d0: mov byte ptr [rbp+var_20+5], al
0x4013d3: mov rax, [rbp+var_28]
0x4013d7: movzx eax, byte ptr [rax]
0x4013da: movzx eax, al
0x4013dd: mov edi, eax
jmp idx_12
idx_95:
0x4013e0: push rbp
0x4013e1: mov rbp, rsp
0x4013e4: sub rsp, 8
0x4013e8: mov eax, edi
0x4013ea: mov byte ptr [rbp+var_8+4], al
0x4013ed: movzx eax, byte ptr [rbp+var_8+4]
0x4013f1: mov edi, eax
jmp idx_40
idx_96:
0x4013f4: xor ebx, eax
0x4013f6: mov rax, [rbp+var_28]
0x4013fa: add rax, 3
0x4013fe: movzx eax, byte ptr [rax]
0x401401: movzx eax, al
0x401404: mov edi, eax
jmp idx_12
idx_97:
0x401407: mov [rbp+var_C], eax
0x40140a: cmp [rbp+var_C], 0
jg idx_84
jmp idx_1
idx_98:
0x40140f: lea rax, [rbp+var_20]
0x401413: mov esi, 10h
0x401418: mov rdi, rax
jmp idx_24
idx_99:
0x40141c: push rbp
0x40141d: mov rbp, rsp
0x401420: sub rsp, 10h
0x401424: mov dword ptr [rbp+var_8+4], edi
0x401427: lea rdi, aOut; "Out!"
call _puts@plt
jmp idx_76
idx_100:
0x40142f: lea rax, [rbp+var_18+7]
0x401433: mov edx, 1
0x401438: mov rsi, rax
0x40143b: mov edi, 0
call _read@plt
jmp idx_97
idx_101:
0x401441: mov eax, dword ptr [rbp+var_8+4]
0x401444: movsxd rdx, eax
0x401447: mov rax, [rbp+var_18]
0x40144b: add rax, rdx
0x40144e: movzx eax, byte ptr [rax]
0x401451: movzx eax, al
0x401454: mov edx, dword ptr [rbp+var_8+4]
0x401457: movsxd rcx, edx
0x40145a: mov rdx, [rbp+var_18]
0x40145e: add rcx, rdx
0x401461: movsxd rdx, eax
0x401464: lea rax, inv_sbox_enc
0x40146b: movzx eax, byte ptr [rdx+rax]
0x40146f: mov [rcx], al
0x401471: add dword ptr [rbp+var_8+4], 1
jmp idx_123
idx_102:
0x401476: push rbp
0x401477: mov rbp, rsp
0x40147a: push rbx
0x40147b: sub rsp, 8
0x40147f: mov eax, edi
0x401481: mov byte ptr [rbp+var_C], al
0x401484: movzx eax, byte ptr [rbp+var_C]
0x401488: mov edi, eax
jmp idx_165
idx_103:
0x40148b: cmp dword ptr [rbp+var_8+4], 0Fh
jle idx_88
jmp idx_27
idx_104:
0x401490: add [rbp+var_1DC], 1
jmp idx_159
idx_105:
0x401498: add [rbp+var_1CC], 1
jmp idx_167
idx_106:
call ___stack_chk_fail@plt
jmp idx_54
idx_107:
0x4014a1: xor eax, ebx
0x4014a3: xor al, byte ptr [rbp+var_C]
0x4014a6: add rsp, 8
0x4014aa: pop rbx
0x4014ab: pop rbp
jmp ??? ; never execute here
idx_108:
0x4014ad: lea rax, [rbp+var_140]
0x4014b4: mov esi, 21h ; '!'
0x4014b9: mov rdi, rax
jmp idx_24
idx_109:
0x4014bd: movzx eax, byte ptr [rbp+var_8+4]
0x4014c1: add eax, eax
jmp idx_114
idx_110:
0x4014c4: nop
0x4014c5: pop rbp
jmp ??? ; never execute here
idx_111:
0x4014c7: movzx eax, al
0x4014ca: mov edi, eax
jmp idx_40
idx_112:
0x4014cd: add [rbp+var_1D4], 1
jmp idx_43
idx_113:
0x4014d5: cmp dword ptr [rbp+var_8+4], 1Fh
jle idx_151
jmp idx_60
idx_114:
0x4014da: pop rbp
jmp idx_132
idx_115:
0x4014dc: mov [rbp+var_1DC], 0
0x4014e6: mov [rbp+var_1E0], 0
jmp idx_149
idx_116:
0x4014f1: mov ebx, eax
0x4014f3: movzx eax, byte ptr [rbp+var_C]
0x4014f7: mov edi, eax
jmp idx_95
idx_117:
0x4014fa: mov [rbp+var_1BC], 0
jmp idx_34
idx_118:
0x401505: xor ebx, eax
0x401507: mov rax, [rbp+var_28]
0x40150b: add rax, 2
0x40150f: movzx eax, byte ptr [rax]
0x401512: movzx eax, al
0x401515: mov edi, eax
jmp idx_102
idx_119:
0x401518: leave
jmp ??? ; never execute here
idx_120:
0x40151a: mov [rbp+var_1CC], 1
jmp idx_167
idx_121:
0x401525: xor ebx, eax
0x401527: mov rax, [rbp+var_28]
0x40152b: add rax, 2
0x40152f: movzx eax, byte ptr [rax]
0x401532: movzx eax, al
0x401535: mov edi, eax
jmp idx_135
idx_122:
0x401538: push rbp
0x401539: mov rbp, rsp
0x40153c: sub rsp, 20h
0x401540: mov rax, fs:28h
0x401549: mov [rbp+var_8], rax
0x40154d: xor eax, eax
0x40154f: lea rax, [rbp+var_20]
0x401553: mov edx, 14h
0x401558: mov esi, 0
0x40155d: mov rdi, rax
call _memset@plt
jmp idx_98
idx_123:
0x401561: cmp dword ptr [rbp+var_8+4], 0Fh
jle idx_101
jmp idx_110
idx_124:
0x401566: mov eax, [rbp+var_1C8]
0x40156c: shl eax, 2
0x40156f: cmp [rbp+var_1C0], eax
jl idx_92
jmp idx_58
idx_125:
0x401576: xor ebx, eax
0x401578: mov rax, [rbp+var_28]
0x40157c: add rax, 3
0x401580: movzx eax, byte ptr [rax]
0x401583: movzx eax, al
0x401586: mov edi, eax
jmp idx_51
idx_126:
call _rand@plt
jmp idx_55
idx_127:
call ___stack_chk_fail@plt
jmp idx_49
idx_128:
0x40158b: mov ebx, eax
0x40158d: movzx eax, byte ptr [rbp+var_C]
0x401591: mov edi, eax
jmp idx_95
idx_129:
0x401594: lea rax, [rbp+var_20]
0x401598: mov rdi, rax
call _atoi@plt
jmp idx_156
idx_130:
0x40159c: cmp dword ptr [rbp+var_20], 3
jle idx_162
jmp idx_32
idx_131:
0x4015a1: xor eax, ebx
0x4015a3: xor al, byte ptr [rbp+var_C]
0x4015a6: add rsp, 8
0x4015aa: pop rbx
0x4015ab: pop rbp
jmp ??? ; never execute here
idx_132:
0x4015ad: xor al, byte ptr [rbp+var_8+4]
0x4015b0: leave
jmp idx_21
idx_133:
0x4015b2: cmp [rbp+var_1DC], 1Fh
jle idx_157
jmp idx_93
idx_134:
0x4015ba: xor eax, ebx
0x4015bc: mov byte ptr [rbp+var_20+6], al
0x4015bf: mov rax, [rbp+var_28]
0x4015c3: movzx eax, byte ptr [rax]
0x4015c6: movzx eax, al
0x4015c9: mov edi, eax
jmp idx_135
idx_135:
0x4015cc: push rbp
0x4015cd: mov rbp, rsp
0x4015d0: push rbx
0x4015d1: sub rsp, 8
0x4015d5: mov eax, edi
0x4015d7: mov byte ptr [rbp+var_C], al
0x4015da: movzx eax, byte ptr [rbp+var_C]
0x4015de: mov edi, eax
jmp idx_165
idx_136:
0x4015e1: leave
jmp ??? ; never execute here
idx_137:
0x4015e3: mov edx, eax
0x4015e5: mov rax, [rbp+var_28]
0x4015e9: add rax, 1
0x4015ed: movzx eax, byte ptr [rax]
0x4015f0: xor edx, eax
0x4015f2: mov rax, [rbp+var_28]
0x4015f6: add rax, 2
0x4015fa: movzx eax, byte ptr [rax]
0x4015fd: xor edx, eax
0x4015ff: mov ebx, edx
0x401601: mov rax, [rbp+var_28]
0x401605: add rax, 3
0x401609: movzx eax, byte ptr [rax]
0x40160c: movzx eax, al
0x40160f: mov edi, eax
jmp idx_40
idx_138:
0x401612: mov eax, [rbp+var_10]
0x401615: movsxd rdx, eax
0x401618: mov rax, [rbp+var_28]
0x40161c: add rax, rdx
0x40161f: mov byte ptr [rax], 0
0x401622: mov eax, [rbp+var_10]
0x401625: mov rcx, [rbp+var_8]
0x401629: xor rcx, fs:28h
je idx_49
jmp idx_127
idx_139:
0x401633: mov rax, [rbp+var_1B8]
0x40163a: mov rdi, rax
jmp idx_158
idx_140:
0x40163e: mov rax, cs:stderr
0x401645: mov ecx, 0
0x40164a: mov edx, 2
0x40164f: mov esi, 0
0x401654: mov rdi, rax
call _setvbuf@plt
jmp idx_9
idx_141:
0x401658: movzx eax, al
0x40165b: mov edi, eax
jmp idx_40
idx_142:
0x40165e: push rbp
0x40165f: mov rbp, rsp
0x401662: sub rsp, 8
0x401666: mov eax, edi
0x401668: mov byte ptr [rbp+var_8+4], al
0x40166b: movzx eax, byte ptr [rbp+var_8+4]
0x40166f: mov edi, eax
jmp idx_165
idx_143:
0x401672: mov eax, [rbp+var_1C0]
0x401678: cdq
0x401679: idiv [rbp+var_1C8]
0x40167f: mov eax, edx
0x401681: test eax, eax
jnz idx_117
jmp idx_172
idx_144:
0x401684: xor ebx, eax
0x401686: mov edx, ebx
0x401688: mov rax, [rbp+var_28]
0x40168c: add rax, 3
0x401690: movzx eax, byte ptr [rax]
0x401693: xor eax, edx
0x401695: mov byte ptr [rbp+var_20+5], al
0x401698: mov rax, [rbp+var_28]
0x40169c: movzx edx, byte ptr [rax]
0x40169f: mov rax, [rbp+var_28]
0x4016a3: add rax, 1
0x4016a7: movzx eax, byte ptr [rax]
0x4016aa: mov ebx, edx
0x4016ac: xor ebx, eax
0x4016ae: mov rax, [rbp+var_28]
0x4016b2: add rax, 2
0x4016b6: movzx eax, byte ptr [rax]
0x4016b9: movzx eax, al
0x4016bc: mov edi, eax
jmp idx_40
idx_145:
0x4016bf: xor eax, ebx
0x4016c1: mov byte ptr [rbp+var_20+7], al
0x4016c4: movzx edx, byte ptr [rbp+var_20+4]
0x4016c8: mov rax, [rbp+var_28]
0x4016cc: mov [rax], dl
0x4016ce: mov rax, [rbp+var_28]
0x4016d2: lea rdx, [rax+1]
0x4016d6: movzx eax, byte ptr [rbp+var_20+5]
0x4016da: mov [rdx], al
0x4016dc: mov rax, [rbp+var_28]
0x4016e0: lea rdx, [rax+2]
0x4016e4: movzx eax, byte ptr [rbp+var_20+6]
0x4016e8: mov [rdx], al
0x4016ea: mov rax, [rbp+var_28]
0x4016ee: lea rdx, [rax+3]
0x4016f2: movzx eax, byte ptr [rbp+var_20+7]
0x4016f6: mov [rdx], al
0x4016f8: add dword ptr [rbp+var_20], 1
0x4016fc: add [rbp+var_28], 4
jmp idx_130
idx_146:
call _rand@plt
jmp idx_4
idx_147:
0x401703: add rsp, 28h
0x401707: pop rbx
0x401708: pop rbp
jmp idx_29
idx_148:
0x40170a: mov ebx, eax
0x40170c: movzx eax, byte ptr [rbp+var_C]
0x401710: mov edi, eax
jmp idx_40
idx_149:
0x401713: cmp [rbp+var_1E0], 0Fh
jle idx_16
jmp idx_65
idx_150:
0x40171b: mov rax, [rbp+var_1B8]
0x401722: mov rdi, rax
jmp idx_59
idx_151:
0x401726: mov eax, dword ptr [rbp+var_8]
0x401729: shl eax, 5
0x40172c: mov edx, eax
0x40172e: mov eax, dword ptr [rbp+var_8+4]
0x401731: add eax, edx
0x401733: movsxd rdx, eax
0x401736: lea rax, sbox_enc
0x40173d: movzx esi, byte ptr [rdx+rax]
0x401741: mov eax, dword ptr [rbp+var_8+4]
0x401744: movsxd rdx, eax
0x401747: mov rax, [rbp+var_18]
0x40174b: add rax, rdx
0x40174e: movzx ecx, byte ptr [rax]
0x401751: mov eax, dword ptr [rbp+var_8]
0x401754: shl eax, 5
0x401757: mov edx, eax
0x401759: mov eax, dword ptr [rbp+var_8+4]
0x40175c: add eax, edx
0x40175e: xor ecx, esi
0x401760: movsxd rdx, eax
0x401763: lea rax, sbox_enc
0x40176a: mov [rdx+rax], cl
0x40176d: mov eax, dword ptr [rbp+var_8]
0x401770: shl eax, 5
0x401773: mov edx, eax
0x401775: mov eax, dword ptr [rbp+var_8+4]
0x401778: add eax, edx
0x40177a: movsxd rdx, eax
0x40177d: lea rax, inv_sbox_enc
0x401784: movzx esi, byte ptr [rdx+rax]
0x401788: mov eax, dword ptr [rbp+var_8+4]
0x40178b: movsxd rdx, eax
0x40178e: mov rax, [rbp+var_18]
0x401792: add rax, rdx
0x401795: movzx ecx, byte ptr [rax]
0x401798: mov eax, dword ptr [rbp+var_8]
0x40179b: shl eax, 5
0x40179e: mov edx, eax
0x4017a0: mov eax, dword ptr [rbp+var_8+4]
0x4017a3: add eax, edx
0x4017a5: xor ecx, esi
0x4017a7: movsxd rdx, eax
0x4017aa: lea rax, inv_sbox_enc
0x4017b1: mov [rdx+rax], cl
0x4017b4: add dword ptr [rbp+var_8+4], 1
jmp idx_113
idx_152:
0x4017b9: mov rax, [rbp+var_1B8]
0x4017c0: mov rdi, rax
jmp idx_59
idx_153:
0x4017c4: mov rax, [rbp+var_28]
0x4017c8: movzx eax, byte ptr [rax]
0x4017cb: movzx eax, al
0x4017ce: mov edi, eax
jmp idx_40
idx_154:
0x4017d1: push rbp
0x4017d2: mov rbp, rsp
0x4017d5: mov [rbp+var_18], rdi
0x4017d9: mov dword ptr [rbp+var_8+4], 0
jmp idx_91
idx_155:
0x4017e1: mov ebx, eax
0x4017e3: mov rax, [rbp+var_28]
0x4017e7: add rax, 1
0x4017eb: movzx eax, byte ptr [rax]
0x4017ee: movzx eax, al
0x4017f1: mov edi, eax
jmp idx_12
idx_156:
0x4017f4: mov rcx, [rbp+var_8]
0x4017f8: xor rcx, fs:28h
je idx_54
jmp idx_106
idx_157:
0x401802: mov rax, cs:off_606A40; "This is a fake flag!"
0x401809: mov rdi, rax
call _puts@plt
jmp idx_168
idx_158:
0x40180d: push rbp
0x40180e: mov rbp, rsp
0x401811: push rbx
0x401812: sub rsp, 28h
0x401816: mov [rbp+var_28], rdi
0x40181a: mov rax, fs:28h
0x401823: mov [rbp+var_18], rax
0x401827: xor eax, eax
0x401829: mov dword ptr [rbp+var_20], 0
jmp idx_166
idx_159:
0x401831: add [rbp+var_1E0], 1
jmp idx_149
idx_160:
0x401839: movzx eax, byte ptr [rbp+var_8+4]
0x40183d: add eax, eax
0x40183f: xor eax, 1Bh
jmp idx_114
idx_161:
0x401843: mov [rbp+var_1D4], 1
jmp idx_43
idx_162:
0x40184e: mov rax, [rbp+var_28]
0x401852: movzx eax, byte ptr [rax]
0x401855: movzx eax, al
0x401858: mov edi, eax
jmp idx_102
idx_163:
0x40185b: xor ebx, eax
0x40185d: movzx eax, byte ptr [rbp+var_C]
0x401861: mov edi, eax
jmp idx_40
idx_164:
0x401864: mov eax, [rbp+var_1C0]
0x40186a: sub eax, 1
0x40186d: lea edx, ds:0[rax*4]
0x401874: mov eax, [rbp+var_1BC]
0x40187a: add eax, edx
0x40187c: movsxd rdx, eax
0x40187f: mov rax, [rbp+var_190]
0x401886: add rax, rdx
0x401889: movzx edx, byte ptr [rax]
0x40188c: mov eax, [rbp+var_1BC]
0x401892: cdqe
0x401894: mov [rbp+rax+var_184], dl
0x40189b: add [rbp+var_1BC], 1
jmp idx_19
idx_165:
0x4018a3: push rbp
0x4018a4: mov rbp, rsp
0x4018a7: sub rsp, 8
0x4018ab: mov eax, edi
0x4018ad: mov byte ptr [rbp+var_8+4], al
0x4018b0: movzx eax, byte ptr [rbp+var_8+4]
0x4018b4: mov edi, eax
jmp idx_40
idx_166:
0x4018b7: cmp dword ptr [rbp+var_20], 3
jle idx_153
jmp idx_13
idx_167:
0x4018bc: mov eax, [rbp+var_1D0]
0x4018c2: sub eax, 1
0x4018c5: cmp [rbp+var_1CC], eax
jle idx_26
jmp idx_71
idx_168:
0x4018cc: nop
jmp idx_39
idx_169:
0x4018ce: push rbp
0x4018cf: mov rbp, rsp
0x4018d2: sub rsp, 20h
0x4018d6: mov [rbp+var_18], rdi
0x4018da: lea rdi, aOooooooooooooO; "ooooooooooooo "...
call _puts@plt
jmp idx_72
idx_170:
0x4018e2: nop
0x4018e3: leave
jmp idx_53
idx_171:
0x4018e5: mov rax, [rbp+var_1A8]
0x4018ec: mov rdi, rax
jmp idx_59
idx_172:
0x4018f0: movzx eax, [rbp+var_184]
0x4018f7: mov [rbp+var_1E1], al
0x4018fd: movzx eax, [rbp+var_183]
0x401904: mov [rbp+var_184], al
0x40190a: movzx eax, [rbp+var_182]
0x401911: mov [rbp+var_183], al
0x401917: movzx eax, [rbp+var_181]
0x40191e: mov [rbp+var_182], al
0x401924: movzx eax, [rbp+var_1E1]
0x40192b: mov [rbp+var_181], al
0x401931: mov [rbp+var_1BC], 0
jmp idx_83
idx_173:
0x40193c: push rbp
0x40193d: mov rbp, rsp
0x401940: mov [rbp+var_18], rdi
0x401944: mov [rbp+var_20], rsi
0x401948: mov dword ptr [rbp+var_28+4], edx
0x40194b: mov dword ptr [rbp+var_8+4], 0
jmp idx_103
idx_174:
0x401953: mov [rbp+var_1BC], 0
jmp idx_19
idx_175:
0x40195e: lea rax, [rbp+var_140]
0x401965: add rax, 10h
0x401969: mov [rbp+var_1B8], rax
0x401970: lea rax, [rbp+var_110]
0x401977: mov [rbp+var_1B0], rax
0x40197e: mov [rbp+var_1D8], 0Ah
0x401988: mov rcx, [rbp+var_1B0]
0x40198f: mov rax, [rbp+var_1B8]
0x401996: mov edx, 0
0x40199b: mov rsi, rcx
0x40199e: mov rdi, rax
jmp idx_173
idx_176:
0x4019a2: mov eax, [rbp+var_2C]
0x4019a5: sub eax, 1
0x4019a8: cmp [rbp+var_10], eax
jl idx_100
jmp idx_66
idx_177:
0x4019ac: mov rax, [rbp+var_1B8]
0x4019b3: mov rdi, rax
jmp idx_154
idx_178:
0x4019b7: mov eax, [rbp+var_1C4]
0x4019bd: add eax, 1
0x4019c0: shl eax, 2
0x4019c3: cmp [rbp+var_1C0], eax
jl idx_174
jmp idx_23
idx_179:
0x4019ca: add [rbp+var_1E0], 1
jmp idx_17
idx_180:
0x4019d2: xor ebx, eax
0x4019d4: mov rax, [rbp+var_28]
0x4019d8: add rax, 3
0x4019dc: movzx eax, byte ptr [rax]
0x4019df: movzx eax, al
0x4019e2: mov edi, eax
jmp idx_102
动态调试
汇编好的选手可以直接秒了,像我这种汇编不好的选手只能求助 AI 了,通过求助 AI 大致摸清楚了前面的执行流程。
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>
char byte_606020[0x100]={0};
char byte_606120[0x100]={0};
void safe_read(char *buf,size_t len){
int i = 0;
while (i < len - 1) {
char c;
size_t ret = read(0, &c, 1); // 从stdin读取1字节
if(ret<=0){
exit(-1);
}
buf[i++] = c;
if (c == 10)
break;
}
buf[i] = 0;
}
int main(){
char key[32] = "";//...
char input[40];
puts("");
puts("");
puts("");
puts("");
puts("");
puts("");//puts banner
srand(0x10000);
for(int i = 0;i<7;i++){
for(int j=0;j<32;j++){
byte_606020[i*32+j] ^= key[j];
byte_606120[i*32+j] ^= key[j];
}
}
setvbuf(stdin,0,0,0);
setvbuf(stdout,0,0,0);
setvbuf(stderr,0,0,0);
printf("Input your flag: ");
safe_read(input,0x20);
unsigned char buf1[0x10]; // var_180
unsigned char buf2[0x10]; // var_110
unsigned char temp[4]; // var_184
// 1. 生成随机数
for (int i = 0; i < 16; i++)
buf1[i] = rand() & 0xFF;
// 2. 拷贝
memcpy(buf2, buf1, 16);
// 3. 初始化参数
int lenA = 4;
int lenB = 0xA;
int idx = lenA; // 4
// 4. 主循环
while (idx < ((lenB + 1) << 2)) { // idx < 44
// 取上一个块的 4 字节
for (int i = 0; i < 4; i++)
temp[i] = buf2[(idx - 1) * 4 + i];
// 如果 idx 不是 4 的倍数,则 XOR 混合
if (idx % lenA != 0) {
for (int i = 0; i < 4; i++) {
buf2[idx * 4 + i] = buf2[(idx - lenA) * 4 + i] ^ temp[i];
}
}
idx++;
}
}
而比较关键的是对于两个 256 字节的数组进行的初始化,仅仅简单对一个 32 字节硬编码数组做了一个异或运算。
这下看懂了,这就是 AES 的 SBOX 数组,随后的循环明显是轮密钥加,之后我写了 dump 脚本去 dump 轮密钥,并用程序去进行了验证。
dump 的轮密钥和 AES 的key对应上了,而且 key 可以用随机数种子去验证,分段发给 AI 汇编代码,AI 后面可以分析出又使用了 srand(rand()) 。动调也可以验证,因为发现整个块里面就调用了两次 srand,第二次 srand 前驱调用了一个 rand() 函数。
idx_146:
call _rand@plt
jmp idx_4
idx_4:
0x400b79: mov edi, eax
call _srand@plt
jmp idx_115
如果实在不放心,可以在 0x400b79 地址被引用的代码下硬件断点去观察
也就是这里的 0x606b58。
这样刚好可以在 case 3 call srand 之前断住。
这里的 rchild=0x400870 就是 srand 的地址,本次continue过去就会执行srand,那么这里关心的值当然就是上一个块 rand 的返回值,直接找 regs 结构体的 RAX 。
这里找到了它的返回值 1343350356,刚好是可以对应上的(可以自己 srand(0x10000),然后输出第 17 个 rand 值验证)。
后面的异或操作都是问 AI 的,最后比较的 target 就是祝贺找到正确的 flag 那句话。
通过输入 24 个 a,观察 AI 拿的加密数组,基本可以确定异或之前的值就是输入进行 AES 之后的值,这里我直接用 /proc/pid/mem 去 dump 指定区域的内存。
#include<stdio.h>
#include<fcntl.h>
#include<unistd.h>
char buffer [0x200000];
int main(){
int fd = open("/proc/13521/mem",O_RDWR);
size_t nbytes;
perror("open");
//0x7FFFFFFFDEB0 RBP - 0x140
lseek(fd,0x7FFFFFFFDEB0 - 0x140,SEEK_CUR);
nbytes = read(fd,buffer,0x40);
perror("read");
close(fd);
for(int i=0;i<0x100;i++){
printf("%02x ",(unsigned char)buffer[i]);
}
}
通过dump结果比对
发现就是普普通通的 AES ECB/Nopadding。
那么流程就清晰了:
input -> AES ECB/NoPadding -> 异或随机数组 -> 异或开头硬编码数组
提取目标比对的字节,异或硬编码数组和随机数数组之后输出,最后 AES 解密即可。
#include<stdio.h>
#include<stdlib.h>
unsigned char target[] =
{
0x43, 0x6F, 0x6E, 0x67, 0x72, 0x61, 0x74, 0x75, 0x6C, 0x61,
0x74, 0x69, 0x6F, 0x6E, 0x73, 0x21, 0x54, 0x68, 0x69,
0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63,
0x6F, 0x72, 0x72, 0x65, 0x63, 0x74, 0x20, 0x66, 0x6C, 0x61,
0x67, 0x21, 0x00
};
char key2[]="\xe2\x8b\x55\x38\x69\xfa\x80\xc2\x64\x4e\x7f\xe7\x13\x06\x14\xc5\xc0\x13\xd3\x12\x6b\xbd\xf2\xc7\x88\x44\x3e\x09\xe8\xa3\x83\x30";
int main(){
char buffer[32];
srand(0x10000);
for (int i = 0; i < 16; i++){
buffer[i] = rand() & 0xFF;
//printf("%02x ",(unsigned char)buffer[i]);
}putchar(10) ;
int seed = rand();
printf("seed:%d\n",seed);
srand(seed);
for(int i=0;i<32;i++){
buffer[i] = rand() & 0xFF;
//printf("%02x ",(unsigned char)buffer[i]);
}
for(int i=0;i<32;i++){
target[i] ^=buffer[i];
target[i] ^=key2[i];
printf("%02x ",target[i]);
}
}
//59 a0 fd e5 aa 7e fa 8c aa 64 be 24 36 e1 a0 44 8d c6 56 3f 95 15 42 60 89 ca 49 58 ea 26 05 1b
最后的 AES 解密得到 flag。
也分享一下我的 AI 聊天记录
https://chatgpt.com/share/68f4fb20-852c-8002-a3ee-3fa981f88925
在群友的帮助下,我大概知道正确的恢复流程了,应该给 case 4 建立 rchild 的 call,再建立lchild的jmp,而 case 2 直接 ret 就行,但是即使恢复正确的流程 ida 也是无法正确恢复指令流,所以差别不大。
butterfly
这题属于签到的水平,只不过就是静态链接的题目,对于静态链接的题目,lumina 直接秒了,我搭建了一个私人服务器,里面放了一些常用的库代码。
关于 lumina:http://8.153.71.247:8000/lumina/info.html
恢复符号之后约等于裸奔,然后全选,复制,粘贴,发给 AI,秒了。。。
https://chatgpt.com/share/68f59cfd-b610-8002-9fff-407548840f47
总共就问了两句话,用时 1 分钟。
结语
CTF 真好玩,上周末单休,这周的强网杯直接把周末干碎了,从 11 点到 6 点(第二天凌晨),已经是一个活人微死的状态了,tradre 这题 80 解,我 CN 的逆向水平真好。
[复制链接]
发表于 2025-10-21 15:01
发表于 2025-10-21 16:04
分享到朋友圈
