// https://syzkaller.appspot.com/bug?id=1b411bfb1739c497a8f0c7f1aa501202726cd01a
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/kvm.h>
#define ADDR_TEXT 0x0000
#define ADDR_GDT 0x1000
#define ADDR_LDT 0x1800
#define ADDR_PML4 0x2000
#define ADDR_PDP 0x3000
#define ADDR_PD 0x4000
#define ADDR_STACK0 0x0f80
#define ADDR_VAR_HLT 0x2800
#define ADDR_VAR_SYSRET 0x2808
#define ADDR_VAR_SYSEXIT 0x2810
#define ADDR_VAR_IDT 0x3800
#define ADDR_VAR_TSS64 0x3a00
#define ADDR_VAR_TSS64_CPL3 0x3c00
#define ADDR_VAR_TSS16 0x3d00
#define ADDR_VAR_TSS16_2 0x3e00
#define ADDR_VAR_TSS16_CPL3 0x3f00
#define ADDR_VAR_TSS32 0x4800
#define ADDR_VAR_TSS32_2 0x4a00
#define ADDR_VAR_TSS32_CPL3 0x4c00
#define ADDR_VAR_TSS32_VM86 0x4e00
#define ADDR_VAR_VMXON_PTR 0x5f00
#define ADDR_VAR_VMCS_PTR 0x5f08
#define ADDR_VAR_VMEXIT_PTR 0x5f10
#define ADDR_VAR_VMWRITE_FLD 0x5f18
#define ADDR_VAR_VMWRITE_VAL 0x5f20
#define ADDR_VAR_VMXON 0x6000
#define ADDR_VAR_VMCS 0x7000
#define ADDR_VAR_VMEXIT_CODE 0x9000
#define ADDR_VAR_USER_CODE 0x9100
#define ADDR_VAR_USER_CODE2 0x9120
#define SEL_LDT (1 << 3)
#define SEL_CS16 (2 << 3)
#define SEL_DS16 (3 << 3)
#define SEL_CS16_CPL3 ((4 << 3) + 3)
#define SEL_DS16_CPL3 ((5 << 3) + 3)
#define SEL_CS32 (6 << 3)
#define SEL_DS32 (7 << 3)
#define SEL_CS32_CPL3 ((8 << 3) + 3)
#define SEL_DS32_CPL3 ((9 << 3) + 3)
#define SEL_CS64 (10 << 3)
#define SEL_DS64 (11 << 3)
#define SEL_CS64_CPL3 ((12 << 3) + 3)
#define SEL_DS64_CPL3 ((13 << 3) + 3)
#define SEL_CGATE16 (14 << 3)
#define SEL_TGATE16 (15 << 3)
#define SEL_CGATE32 (16 << 3)
#define SEL_TGATE32 (17 << 3)
#define SEL_CGATE64 (18 << 3)
#define SEL_CGATE64_HI (19 << 3)
#define SEL_TSS16 (20 << 3)
#define SEL_TSS16_2 (21 << 3)
#define SEL_TSS16_CPL3 ((22 << 3) + 3)
#define SEL_TSS32 (23 << 3)
#define SEL_TSS32_2 (24 << 3)
#define SEL_TSS32_CPL3 ((25 << 3) + 3)
#define SEL_TSS32_VM86 (26 << 3)
#define SEL_TSS64 (27 << 3)
#define SEL_TSS64_HI (28 << 3)
#define SEL_TSS64_CPL3 ((29 << 3) + 3)
#define SEL_TSS64_CPL3_HI (30 << 3)
#define MSR_IA32_FEATURE_CONTROL 0x3a
#define MSR_IA32_VMX_BASIC 0x480
#define MSR_IA32_SMBASE 0x9e
#define MSR_IA32_SYSENTER_CS 0x174
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176
#define MSR_IA32_STAR 0xC0000081
#define MSR_IA32_LSTAR 0xC0000082
#define MSR_IA32_VMX_PROCBASED_CTLS2 0x48B
#define NEXT_INSN $0xbadc0de
#define PREFIX_SIZE 0xba1d
const char kvm_asm16_cpl3[] =
"\x0f\x20\xc0\x66\x83\xc8\x01\x0f\x22\xc0\xb8\xa0\x00\x0f\x00\xd8\xb8\x2b"
"\x00\x8e\xd8\x8e\xc0\x8e\xe0\x8e\xe8\xbc\x00\x01\xc7\x06\x00\x01\x1d\xba"
"\xc7\x06\x02\x01\x23\x00\xc7\x06\x04\x01\x00\x01\xc7\x06\x06\x01\x2b\x00"
"\xcb";
const char kvm_asm32_paged[] = "\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0";
const char kvm_asm32_vm86[] =
"\x66\xb8\xb8\x00\x0f\x00\xd8\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm32_paged_vm86[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\x66\xb8\xb8\x00\x0f\x00\xd8"
"\xea\x00\x00\x00\x00\xd0\x00";
const char kvm_asm64_enable_long[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00"
"\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8";
const char kvm_asm64_init_vm[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00"
"\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc1\x3a\x00\x00\x00\x0f"
"\x32\x48\x83\xc8\x05\x0f\x30\x0f\x20\xe0\x48\x0d\x00\x20\x00\x00\x0f\x22"
"\xe0\x48\xc7\xc1\x80\x04\x00\x00\x0f\x32\x48\xc7\xc2\x00\x60\x00\x00\x89"
"\x02\x48\xc7\xc2\x00\x70\x00\x00\x89\x02\x48\xc7\xc0\x00\x5f\x00\x00\xf3"
"\x0f\xc7\x30\x48\xc7\xc0\x08\x5f\x00\x00\x66\x0f\xc7\x30\x0f\xc7\x30\x48"
"\xc7\xc1\x81\x04\x00\x00\x0f\x32\x48\x83\xc8\x00\x48\x21\xd0\x48\xc7\xc2"
"\x00\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x82\x04\x00\x00\x0f\x32\x48\x83"
"\xc8\x00\x48\x21\xd0\x48\xc7\xc2\x02\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
"\x1e\x40\x00\x00\x48\xc7\xc0\x81\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x83"
"\x04\x00\x00\x0f\x32\x48\x0d\xff\x6f\x03\x00\x48\x21\xd0\x48\xc7\xc2\x0c"
"\x40\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x84\x04\x00\x00\x0f\x32\x48\x0d\xff"
"\x17\x00\x00\x48\x21\xd0\x48\xc7\xc2\x12\x40\x00\x00\x0f\x79\xd0\x48\xc7"
"\xc2\x04\x2c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
"\x00\x28\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x02"
"\x0c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc0\x58\x00"
"\x00\x00\x48\xc7\xc2\x00\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x0c\x00"
"\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08"
"\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x0c\x00\x00\x0f\x79\xd0\x48\xc7"
"\xc0\xd8\x00\x00\x00\x48\xc7\xc2\x0c\x0c\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
"\x02\x2c\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00"
"\x4c\x00\x00\x48\xc7\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x6c"
"\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x6c\x00"
"\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00"
"\x6c\x00\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x6c\x00"
"\x00\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x6c\x00\x00\x48"
"\x89\xc0\x0f\x79\xd0\x48\xc7\xc2\x06\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00"
"\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00"
"\x0f\x79\xd0\x48\xc7\xc2\x0a\x6c\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f"
"\x79\xd0\x48\xc7\xc2\x0c\x6c\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79"
"\xd0\x48\xc7\xc2\x0e\x6c\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0"
"\x48\xc7\xc2\x14\x6c\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48"
"\xc7\xc2\x16\x6c\x00\x00\x48\x8b\x04\x25\x10\x5f\x00\x00\x0f\x79\xd0\x48"
"\xc7\xc2\x00\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x79\xd0\x48\xc7"
"\xc2\x02\x00\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
"\x00\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02"
"\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x20"
"\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x20\x00"
"\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc1\x77\x02\x00\x00"
"\x0f\x32\x48\xc1\xe2\x20\x48\x09\xd0\x48\xc7\xc2\x00\x2c\x00\x00\x48\x89"
"\xc0\x0f\x79\xd0\x48\xc7\xc2\x04\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00"
"\x0f\x79\xd0\x48\xc7\xc2\x0a\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f"
"\x79\xd0\x48\xc7\xc2\x0e\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79"
"\xd0\x48\xc7\xc2\x10\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0"
"\x48\xc7\xc2\x16\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48"
"\xc7\xc2\x14\x40\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7"
"\xc2\x00\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2"
"\x02\x60\x00\x00\x48\xc7\xc0\xff\xff\xff\xff\x0f\x79\xd0\x48\xc7\xc2\x1c"
"\x20\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x1e\x20"
"\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20\x20\x00"
"\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x22\x20\x00\x00"
"\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x00\x08\x00\x00\x48"
"\xc7\xc0\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x02\x08\x00\x00\x48\xc7"
"\xc0\x50\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x04\x08\x00\x00\x48\xc7\xc0"
"\x58\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x08\x00\x00\x48\xc7\xc0\x58"
"\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x08\x00\x00\x48\xc7\xc0\x58\x00"
"\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x08\x00\x00\x48\xc7\xc0\x58\x00\x00"
"\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x08\x00\x00\x48\xc7\xc0\x00\x00\x00\x00"
"\x0f\x79\xd0\x48\xc7\xc2\x0e\x08\x00\x00\x48\xc7\xc0\xd8\x00\x00\x00\x0f"
"\x79\xd0\x48\xc7\xc2\x12\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79"
"\xd0\x48\xc7\xc2\x14\x68\x00\x00\x48\xc7\xc0\x00\x3a\x00\x00\x0f\x79\xd0"
"\x48\xc7\xc2\x16\x68\x00\x00\x48\xc7\xc0\x00\x10\x00\x00\x0f\x79\xd0\x48"
"\xc7\xc2\x18\x68\x00\x00\x48\xc7\xc0\x00\x38\x00\x00\x0f\x79\xd0\x48\xc7"
"\xc2\x00\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2"
"\x02\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x04"
"\x48\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x48"
"\x00\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x08\x48\x00"
"\x00\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x48\x00\x00"
"\x48\xc7\xc0\xff\xff\x0f\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x48\x00\x00\x48"
"\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x48\x00\x00\x48\xc7"
"\xc0\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x48\x00\x00\x48\xc7\xc0"
"\xff\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x12\x48\x00\x00\x48\xc7\xc0\xff"
"\x1f\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x14\x48\x00\x00\x48\xc7\xc0\x93\x40"
"\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x16\x48\x00\x00\x48\xc7\xc0\x9b\x20\x00"
"\x00\x0f\x79\xd0\x48\xc7\xc2\x18\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00"
"\x0f\x79\xd0\x48\xc7\xc2\x1a\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f"
"\x79\xd0\x48\xc7\xc2\x1c\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79"
"\xd0\x48\xc7\xc2\x1e\x48\x00\x00\x48\xc7\xc0\x93\x40\x00\x00\x0f\x79\xd0"
"\x48\xc7\xc2\x20\x48\x00\x00\x48\xc7\xc0\x82\x00\x00\x00\x0f\x79\xd0\x48"
"\xc7\xc2\x22\x48\x00\x00\x48\xc7\xc0\x8b\x00\x00\x00\x0f\x79\xd0\x48\xc7"
"\xc2\x1c\x68\x00\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2"
"\x1e\x68\x00\x00\x48\xc7\xc0\x00\x91\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x20"
"\x68\x00\x00\x48\xc7\xc0\x02\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x06\x28"
"\x00\x00\x48\xc7\xc0\x00\x05\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0a\x28\x00"
"\x00\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0c\x28\x00\x00"
"\x48\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x0e\x28\x00\x00\x48"
"\xc7\xc0\x00\x00\x00\x00\x0f\x79\xd0\x48\xc7\xc2\x10\x28\x00\x00\x48\xc7"
"\xc0\x00\x00\x00\x00\x0f\x79\xd0\x0f\x20\xc0\x48\xc7\xc2\x00\x68\x00\x00"
"\x48\x89\xc0\x0f\x79\xd0\x0f\x20\xd8\x48\xc7\xc2\x02\x68\x00\x00\x48\x89"
"\xc0\x0f\x79\xd0\x0f\x20\xe0\x48\xc7\xc2\x04\x68\x00\x00\x48\x89\xc0\x0f"
"\x79\xd0\x48\xc7\xc0\x18\x5f\x00\x00\x48\x8b\x10\x48\xc7\xc0\x20\x5f\x00"
"\x00\x48\x8b\x08\x48\x31\xc0\x0f\x78\xd0\x48\x31\xc8\x0f\x79\xd0\x0f\x01"
"\xc2\x48\xc7\xc2\x00\x44\x00\x00\x0f\x78\xd0\xf4";
const char kvm_asm64_vm_exit[] =
"\x48\xc7\xc3\x00\x44\x00\x00\x0f\x78\xda\x48\xc7\xc3\x02\x44\x00\x00\x0f"
"\x78\xd9\x48\xc7\xc0\x00\x64\x00\x00\x0f\x78\xc0\x48\xc7\xc3\x1e\x68\x00"
"\x00\x0f\x78\xdb\xf4";
const char kvm_asm64_cpl3[] =
"\x0f\x20\xc0\x0d\x00\x00\x00\x80\x0f\x22\xc0\xea\xde\xc0\xad\x0b\x50\x00"
"\x48\xc7\xc0\xd8\x00\x00\x00\x0f\x00\xd8\x48\xc7\xc0\x6b\x00\x00\x00\x8e"
"\xd8\x8e\xc0\x8e\xe0\x8e\xe8\x48\xc7\xc4\x80\x0f\x00\x00\x48\xc7\x04\x24"
"\x1d\xba\x00\x00\x48\xc7\x44\x24\x04\x63\x00\x00\x00\x48\xc7\x44\x24\x08"
"\x80\x0f\x00\x00\x48\xc7\x44\x24\x0c\x6b\x00\x00\x00\xcb";
#define KVM_SMI _IO(KVMIO, 0xb7)
#define CR0_PE 1
#define CR0_MP (1 << 1)
#define CR0_EM (1 << 2)
#define CR0_TS (1 << 3)
#define CR0_ET (1 << 4)
#define CR0_NE (1 << 5)
#define CR0_WP (1 << 16)
#define CR0_AM (1 << 18)
#define CR0_NW (1 << 29)
#define CR0_CD (1 << 30)
#define CR0_PG (1 << 31)
#define CR4_VME 1
#define CR4_PVI (1 << 1)
#define CR4_TSD (1 << 2)
#define CR4_DE (1 << 3)
#define CR4_PSE (1 << 4)
#define CR4_PAE (1 << 5)
#define CR4_MCE (1 << 6)
#define CR4_PGE (1 << 7)
#define CR4_PCE (1 << 8)
#define CR4_OSFXSR (1 << 8)
#define CR4_OSXMMEXCPT (1 << 10)
#define CR4_UMIP (1 << 11)
#define CR4_VMXE (1 << 13)
#define CR4_SMXE (1 << 14)
#define CR4_FSGSBASE (1 << 16)
#define CR4_PCIDE (1 << 17)
#define CR4_OSXSAVE (1 << 18)
#define CR4_SMEP (1 << 20)
#define CR4_SMAP (1 << 21)
#define CR4_PKE (1 << 22)
#define EFER_SCE 1
#define EFER_LME (1 << 8)
#define EFER_LMA (1 << 10)
#define EFER_NXE (1 << 11)
#define EFER_SVME (1 << 12)
#define EFER_LMSLE (1 << 13)
#define EFER_FFXSR (1 << 14)
#define EFER_TCE (1 << 15)
#define PDE32_PRESENT 1
#define PDE32_RW (1 << 1)
#define PDE32_USER (1 << 2)
#define PDE32_PS (1 << 7)
#define PDE64_PRESENT 1
#define PDE64_RW (1 << 1)
#define PDE64_USER (1 << 2)
#define PDE64_ACCESSED (1 << 5)
#define PDE64_DIRTY (1 << 6)
#define PDE64_PS (1 << 7)
#define PDE64_G (1 << 8)
struct tss16 {
uint16_t prev;
uint16_t sp0;
uint16_t ss0;
uint16_t sp1;
uint16_t ss1;
uint16_t sp2;
uint16_t ss2;
uint16_t ip;
uint16_t flags;
uint16_t ax;
uint16_t cx;
uint16_t dx;
uint16_t bx;
uint16_t sp;
uint16_t bp;
uint16_t si;
uint16_t di;
uint16_t es;
uint16_t cs;
uint16_t ss;
uint16_t ds;
uint16_t ldt;
} __attribute__((packed));
struct tss32 {
uint16_t prev, prevh;
uint32_t sp0;
uint16_t ss0, ss0h;
uint32_t sp1;
uint16_t ss1, ss1h;
uint32_t sp2;
uint16_t ss2, ss2h;
uint32_t cr3;
uint32_t ip;
uint32_t flags;
uint32_t ax;
uint32_t cx;
uint32_t dx;
uint32_t bx;
uint32_t sp;
uint32_t bp;
uint32_t si;
uint32_t di;
uint16_t es, esh;
uint16_t cs, csh;
uint16_t ss, ssh;
uint16_t ds, dsh;
uint16_t fs, fsh;
uint16_t gs, gsh;
uint16_t ldt, ldth;
uint16_t trace;
uint16_t io_bitmap;
} __attribute__((packed));
struct tss64 {
uint32_t reserved0;
uint64_t rsp[3];
uint64_t reserved1;
uint64_t ist[7];
uint64_t reserved2;
uint32_t reserved3;
uint32_t io_bitmap;
} __attribute__((packed));
static void fill_segment_descriptor(uint64_t* dt, uint64_t* lt,
struct kvm_segment* seg)
{
uint16_t index = seg->selector >> 3;
uint64_t limit = seg->g ? seg->limit >> 12 : seg->limit;
uint64_t sd = (limit & 0xffff) | (seg->base & 0xffffff) << 16 |
(uint64_t)seg->type << 40 | (uint64_t)seg->s << 44 |
(uint64_t)seg->dpl << 45 | (uint64_t)seg->present << 47 |
(limit & 0xf0000ULL) << 48 | (uint64_t)seg->avl << 52 |
(uint64_t)seg->l << 53 | (uint64_t)seg->db << 54 |
(uint64_t)seg->g << 55 | (seg->base & 0xff000000ULL) << 56;
dt[index] = sd;
lt[index] = sd;
}
static void fill_segment_descriptor_dword(uint64_t* dt, uint64_t* lt,
struct kvm_segment* seg)
{
fill_segment_descriptor(dt, lt, seg);
uint16_t index = seg->selector >> 3;
dt[index + 1] = 0;
lt[index + 1] = 0;
}
static void setup_syscall_msrs(int cpufd, uint16_t sel_cs, uint16_t sel_cs_cpl3)
{
char buf[sizeof(struct kvm_msrs) + 5 * sizeof(struct kvm_msr_entry)];
memset(buf, 0, sizeof(buf));
struct kvm_msrs* msrs = (struct kvm_msrs*)buf;
struct kvm_msr_entry* entries = msrs->entries;
msrs->nmsrs = 5;
entries[0].index = MSR_IA32_SYSENTER_CS;
entries[0].data = sel_cs;
entries[1].index = MSR_IA32_SYSENTER_ESP;
entries[1].data = ADDR_STACK0;
entries[2].index = MSR_IA32_SYSENTER_EIP;
entries[2].data = ADDR_VAR_SYSEXIT;
entries[3].index = MSR_IA32_STAR;
entries[3].data = ((uint64_t)sel_cs << 32) | ((uint64_t)sel_cs_cpl3 << 48);
entries[4].index = MSR_IA32_LSTAR;
entries[4].data = ADDR_VAR_SYSRET;
ioctl(cpufd, KVM_SET_MSRS, msrs);
}
static void setup_32bit_idt(struct kvm_sregs* sregs, char* host_mem,
uintptr_t guest_mem)
{
sregs->idt.base = guest_mem + ADDR_VAR_IDT;
sregs->idt.limit = 0x1ff;
uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
for (int i = 0; i < 32; i++) {
struct kvm_segment gate;
gate.selector = i << 3;
switch (i % 6) {
case 0:
gate.type = 6;
gate.base = SEL_CS16;
break;
case 1:
gate.type = 7;
gate.base = SEL_CS16;
break;
case 2:
gate.type = 3;
gate.base = SEL_TGATE16;
break;
case 3:
gate.type = 14;
gate.base = SEL_CS32;
break;
case 4:
gate.type = 15;
gate.base = SEL_CS32;
break;
case 5:
gate.type = 11;
gate.base = SEL_TGATE32;
break;
}
gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
gate.present = 1;
gate.dpl = 0;
gate.s = 0;
gate.g = 0;
gate.db = 0;
gate.l = 0;
gate.avl = 0;
fill_segment_descriptor(idt, idt, &gate);
}
}
static void setup_64bit_idt(struct kvm_sregs* sregs, char* host_mem,
uintptr_t guest_mem)
{
sregs->idt.base = guest_mem + ADDR_VAR_IDT;
sregs->idt.limit = 0x1ff;
uint64_t* idt = (uint64_t*)(host_mem + sregs->idt.base);
for (int i = 0; i < 32; i++) {
struct kvm_segment gate;
gate.selector = (i * 2) << 3;
gate.type = (i & 1) ? 14 : 15;
gate.base = SEL_CS64;
gate.limit = guest_mem + ADDR_VAR_USER_CODE2;
gate.present = 1;
gate.dpl = 0;
gate.s = 0;
gate.g = 0;
gate.db = 0;
gate.l = 0;
gate.avl = 0;
fill_segment_descriptor_dword(idt, idt, &gate);
}
}
struct kvm_text {
uintptr_t typ;
const void* text;
uintptr_t size;
};
struct kvm_opt {
uint64_t typ;
uint64_t val;
};
#define KVM_SETUP_PAGING (1 << 0)
#define KVM_SETUP_PAE (1 << 1)
#define KVM_SETUP_PROTECTED (1 << 2)
#define KVM_SETUP_CPL3 (1 << 3)
#define KVM_SETUP_VIRT86 (1 << 4)
#define KVM_SETUP_SMM (1 << 5)
#define KVM_SETUP_VM (1 << 6)
static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1,
volatile long a2, volatile long a3,
volatile long a4, volatile long a5,
volatile long a6, volatile long a7)
{
const int vmfd = a0;
const int cpufd = a1;
char* const host_mem = (char*)a2;
const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
const uintptr_t text_count = a4;
const uintptr_t flags = a5;
const struct kvm_opt* const opt_array_ptr = (struct kvm_opt*)a6;
uintptr_t opt_count = a7;
const uintptr_t page_size = 4 << 10;
const uintptr_t ioapic_page = 10;
const uintptr_t guest_mem_size = 24 * page_size;
const uintptr_t guest_mem = 0;
(void)text_count;
int text_type = text_array_ptr[0].typ;
const void* text = text_array_ptr[0].text;
uintptr_t text_size = text_array_ptr[0].size;
for (uintptr_t i = 0; i < guest_mem_size / page_size; i++) {
struct kvm_userspace_memory_region memreg;
memreg.slot = i;
memreg.flags = 0;
memreg.guest_phys_addr = guest_mem + i * page_size;
if (i == ioapic_page)
memreg.guest_phys_addr = 0xfec00000;
memreg.memory_size = page_size;
memreg.userspace_addr = (uintptr_t)host_mem + i * page_size;
ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
}
struct kvm_userspace_memory_region memreg;
memreg.slot = 1 + (1 << 16);
memreg.flags = 0;
memreg.guest_phys_addr = 0x30000;
memreg.memory_size = 64 << 10;
memreg.userspace_addr = (uintptr_t)host_mem;
ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &memreg);
struct kvm_sregs sregs;
if (ioctl(cpufd, KVM_GET_SREGS, &sregs))
return -1;
struct kvm_regs regs;
memset(®s, 0, sizeof(regs));
regs.rip = guest_mem + ADDR_TEXT;
regs.rsp = ADDR_STACK0;
sregs.gdt.base = guest_mem + ADDR_GDT;
sregs.gdt.limit = 256 * sizeof(uint64_t) - 1;
uint64_t* gdt = (uint64_t*)(host_mem + sregs.gdt.base);
struct kvm_segment seg_ldt;
seg_ldt.selector = SEL_LDT;
seg_ldt.type = 2;
seg_ldt.base = guest_mem + ADDR_LDT;
seg_ldt.limit = 256 * sizeof(uint64_t) - 1;
seg_ldt.present = 1;
seg_ldt.dpl = 0;
seg_ldt.s = 0;
seg_ldt.g = 0;
seg_ldt.db = 1;
seg_ldt.l = 0;
sregs.ldt = seg_ldt;
uint64_t* ldt = (uint64_t*)(host_mem + sregs.ldt.base);
struct kvm_segment seg_cs16;
seg_cs16.selector = SEL_CS16;
seg_cs16.type = 11;
seg_cs16.base = 0;
seg_cs16.limit = 0xfffff;
seg_cs16.present = 1;
seg_cs16.dpl = 0;
seg_cs16.s = 1;
seg_cs16.g = 0;
seg_cs16.db = 0;
seg_cs16.l = 0;
struct kvm_segment seg_ds16 = seg_cs16;
seg_ds16.selector = SEL_DS16;
seg_ds16.type = 3;
struct kvm_segment seg_cs16_cpl3 = seg_cs16;
seg_cs16_cpl3.selector = SEL_CS16_CPL3;
seg_cs16_cpl3.dpl = 3;
struct kvm_segment seg_ds16_cpl3 = seg_ds16;
seg_ds16_cpl3.selector = SEL_DS16_CPL3;
seg_ds16_cpl3.dpl = 3;
struct kvm_segment seg_cs32 = seg_cs16;
seg_cs32.selector = SEL_CS32;
seg_cs32.db = 1;
struct kvm_segment seg_ds32 = seg_ds16;
seg_ds32.selector = SEL_DS32;
seg_ds32.db = 1;
struct kvm_segment seg_cs32_cpl3 = seg_cs32;
seg_cs32_cpl3.selector = SEL_CS32_CPL3;
seg_cs32_cpl3.dpl = 3;
struct kvm_segment seg_ds32_cpl3 = seg_ds32;
seg_ds32_cpl3.selector = SEL_DS32_CPL3;
seg_ds32_cpl3.dpl = 3;
struct kvm_segment seg_cs64 = seg_cs16;
seg_cs64.selector = SEL_CS64;
seg_cs64.l = 1;
struct kvm_segment seg_ds64 = seg_ds32;
seg_ds64.selector = SEL_DS64;
struct kvm_segment seg_cs64_cpl3 = seg_cs64;
seg_cs64_cpl3.selector = SEL_CS64_CPL3;
seg_cs64_cpl3.dpl = 3;
struct kvm_segment seg_ds64_cpl3 = seg_ds64;
seg_ds64_cpl3.selector = SEL_DS64_CPL3;
seg_ds64_cpl3.dpl = 3;
struct kvm_segment seg_tss32;
seg_tss32.selector = SEL_TSS32;
seg_tss32.type = 9;
seg_tss32.base = ADDR_VAR_TSS32;
seg_tss32.limit = 0x1ff;
seg_tss32.present = 1;
seg_tss32.dpl = 0;
seg_tss32.s = 0;
seg_tss32.g = 0;
seg_tss32.db = 0;
seg_tss32.l = 0;
struct kvm_segment seg_tss32_2 = seg_tss32;
seg_tss32_2.selector = SEL_TSS32_2;
seg_tss32_2.base = ADDR_VAR_TSS32_2;
struct kvm_segment seg_tss32_cpl3 = seg_tss32;
seg_tss32_cpl3.selector = SEL_TSS32_CPL3;
seg_tss32_cpl3.base = ADDR_VAR_TSS32_CPL3;
struct kvm_segment seg_tss32_vm86 = seg_tss32;
seg_tss32_vm86.selector = SEL_TSS32_VM86;
seg_tss32_vm86.base = ADDR_VAR_TSS32_VM86;
struct kvm_segment seg_tss16 = seg_tss32;
seg_tss16.selector = SEL_TSS16;
seg_tss16.base = ADDR_VAR_TSS16;
seg_tss16.limit = 0xff;
seg_tss16.type = 1;
struct kvm_segment seg_tss16_2 = seg_tss16;
seg_tss16_2.selector = SEL_TSS16_2;
seg_tss16_2.base = ADDR_VAR_TSS16_2;
seg_tss16_2.dpl = 0;
struct kvm_segment seg_tss16_cpl3 = seg_tss16;
seg_tss16_cpl3.selector = SEL_TSS16_CPL3;
seg_tss16_cpl3.base = ADDR_VAR_TSS16_CPL3;
seg_tss16_cpl3.dpl = 3;
struct kvm_segment seg_tss64 = seg_tss32;
seg_tss64.selector = SEL_TSS64;
seg_tss64.base = ADDR_VAR_TSS64;
seg_tss64.limit = 0x1ff;
struct kvm_segment seg_tss64_cpl3 = seg_tss64;
seg_tss64_cpl3.selector = SEL_TSS64_CPL3;
seg_tss64_cpl3.base = ADDR_VAR_TSS64_CPL3;
seg_tss64_cpl3.dpl = 3;
struct kvm_segment seg_cgate16;
seg_cgate16.selector = SEL_CGATE16;
seg_cgate16.type = 4;
seg_cgate16.base = SEL_CS16 | (2 << 16);
seg_cgate16.limit = ADDR_VAR_USER_CODE2;
seg_cgate16.present = 1;
seg_cgate16.dpl = 0;
seg_cgate16.s = 0;
seg_cgate16.g = 0;
seg_cgate16.db = 0;
seg_cgate16.l = 0;
seg_cgate16.avl = 0;
struct kvm_segment seg_tgate16 = seg_cgate16;
seg_tgate16.selector = SEL_TGATE16;
seg_tgate16.type = 3;
seg_cgate16.base = SEL_TSS16_2;
seg_tgate16.limit = 0;
struct kvm_segment seg_cgate32 = seg_cgate16;
seg_cgate32.selector = SEL_CGATE32;
seg_cgate32.type = 12;
seg_cgate32.base = SEL_CS32 | (2 << 16);
struct kvm_segment seg_tgate32 = seg_cgate32;
seg_tgate32.selector = SEL_TGATE32;
seg_tgate32.type = 11;
seg_tgate32.base = SEL_TSS32_2;
seg_tgate32.limit = 0;
struct kvm_segment seg_cgate64 = seg_cgate16;
seg_cgate64.selector = SEL_CGATE64;
seg_cgate64.type = 12;
seg_cgate64.base = SEL_CS64;
int kvmfd = open("/dev/kvm", O_RDWR);
char buf[sizeof(struct kvm_cpuid2) + 128 * sizeof(struct kvm_cpuid_entry2)];
memset(buf, 0, sizeof(buf));
struct kvm_cpuid2* cpuid = (struct kvm_cpuid2*)buf;
cpuid->nent = 128;
ioctl(kvmfd, KVM_GET_SUPPORTED_CPUID, cpuid);
ioctl(cpufd, KVM_SET_CPUID2, cpuid);
close(kvmfd);
const char* text_prefix = 0;
int text_prefix_size = 0;
char* host_text = host_mem + ADDR_TEXT;
if (text_type == 8) {
if (flags & KVM_SETUP_SMM) {
if (flags & KVM_SETUP_PROTECTED) {
sregs.cs = seg_cs16;
sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
sregs.cr0 |= CR0_PE;
} else {
sregs.cs.selector = 0;
sregs.cs.base = 0;
}
*(host_mem + ADDR_TEXT) = 0xf4;
host_text = host_mem + 0x8000;
ioctl(cpufd, KVM_SMI, 0);
} else if (flags & KVM_SETUP_VIRT86) {
sregs.cs = seg_cs32;
sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
sregs.cr0 |= CR0_PE;
sregs.efer |= EFER_SCE;
setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3);
setup_32bit_idt(&sregs, host_mem, guest_mem);
if (flags & KVM_SETUP_PAGING) {
uint64_t pd_addr = guest_mem + ADDR_PD;
uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD);
pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS;
sregs.cr3 = pd_addr;
sregs.cr4 |= CR4_PSE;
text_prefix = kvm_asm32_paged_vm86;
text_prefix_size = sizeof(kvm_asm32_paged_vm86) - 1;
} else {
text_prefix = kvm_asm32_vm86;
text_prefix_size = sizeof(kvm_asm32_vm86) - 1;
}
} else {
sregs.cs.selector = 0;
sregs.cs.base = 0;
}
} else if (text_type == 16) {
if (flags & KVM_SETUP_CPL3) {
sregs.cs = seg_cs16;
sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
text_prefix = kvm_asm16_cpl3;
text_prefix_size = sizeof(kvm_asm16_cpl3) - 1;
} else {
sregs.cr0 |= CR0_PE;
sregs.cs = seg_cs16;
sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds16;
}
} else if (text_type == 32) {
sregs.cr0 |= CR0_PE;
sregs.efer |= EFER_SCE;
setup_syscall_msrs(cpufd, SEL_CS32, SEL_CS32_CPL3);
setup_32bit_idt(&sregs, host_mem, guest_mem);
if (flags & KVM_SETUP_SMM) {
sregs.cs = seg_cs32;
sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
*(host_mem + ADDR_TEXT) = 0xf4;
host_text = host_mem + 0x8000;
ioctl(cpufd, KVM_SMI, 0);
} else if (flags & KVM_SETUP_PAGING) {
sregs.cs = seg_cs32;
sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
uint64_t pd_addr = guest_mem + ADDR_PD;
uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD);
pd[0] = PDE32_PRESENT | PDE32_RW | PDE32_USER | PDE32_PS;
sregs.cr3 = pd_addr;
sregs.cr4 |= CR4_PSE;
text_prefix = kvm_asm32_paged;
text_prefix_size = sizeof(kvm_asm32_paged) - 1;
} else if (flags & KVM_SETUP_CPL3) {
sregs.cs = seg_cs32_cpl3;
sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32_cpl3;
} else {
sregs.cs = seg_cs32;
sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
}
} else {
sregs.efer |= EFER_LME | EFER_SCE;
sregs.cr0 |= CR0_PE;
setup_syscall_msrs(cpufd, SEL_CS64, SEL_CS64_CPL3);
setup_64bit_idt(&sregs, host_mem, guest_mem);
sregs.cs = seg_cs32;
sregs.ds = sregs.es = sregs.fs = sregs.gs = sregs.ss = seg_ds32;
uint64_t pml4_addr = guest_mem + ADDR_PML4;
uint64_t* pml4 = (uint64_t*)(host_mem + ADDR_PML4);
uint64_t pdpt_addr = guest_mem + ADDR_PDP;
uint64_t* pdpt = (uint64_t*)(host_mem + ADDR_PDP);
uint64_t pd_addr = guest_mem + ADDR_PD;
uint64_t* pd = (uint64_t*)(host_mem + ADDR_PD);
pml4[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pdpt_addr;
pdpt[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | pd_addr;
pd[0] = PDE64_PRESENT | PDE64_RW | PDE64_USER | PDE64_PS;
sregs.cr3 = pml4_addr;
sregs.cr4 |= CR4_PAE;
if (flags & KVM_SETUP_VM) {
sregs.cr0 |= CR0_NE;
*((uint64_t*)(host_mem + ADDR_VAR_VMXON_PTR)) = ADDR_VAR_VMXON;
*((uint64_t*)(host_mem + ADDR_VAR_VMCS_PTR)) = ADDR_VAR_VMCS;
memcpy(host_mem + ADDR_VAR_VMEXIT_CODE, kvm_asm64_vm_exit,
sizeof(kvm_asm64_vm_exit) - 1);
*((uint64_t*)(host_mem + ADDR_VAR_VMEXIT_PTR)) = ADDR_VAR_VMEXIT_CODE;
text_prefix = kvm_asm64_init_vm;
text_prefix_size = sizeof(kvm_asm64_init_vm) - 1;
} else if (flags & KVM_SETUP_CPL3) {
text_prefix = kvm_asm64_cpl3;
text_prefix_size = sizeof(kvm_asm64_cpl3) - 1;
} else {
text_prefix = kvm_asm64_enable_long;
text_prefix_size = sizeof(kvm_asm64_enable_long) - 1;
}
}
struct tss16 tss16;
memset(&tss16, 0, sizeof(tss16));
tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16;
tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0;
tss16.ip = ADDR_VAR_USER_CODE2;
tss16.flags = (1 << 1);
tss16.cs = SEL_CS16;
tss16.es = tss16.ds = tss16.ss = SEL_DS16;
tss16.ldt = SEL_LDT;
struct tss16* tss16_addr = (struct tss16*)(host_mem + seg_tss16_2.base);
memcpy(tss16_addr, &tss16, sizeof(tss16));
memset(&tss16, 0, sizeof(tss16));
tss16.ss0 = tss16.ss1 = tss16.ss2 = SEL_DS16;
tss16.sp0 = tss16.sp1 = tss16.sp2 = ADDR_STACK0;
tss16.ip = ADDR_VAR_USER_CODE2;
tss16.flags = (1 << 1);
tss16.cs = SEL_CS16_CPL3;
tss16.es = tss16.ds = tss16.ss = SEL_DS16_CPL3;
tss16.ldt = SEL_LDT;
struct tss16* tss16_cpl3_addr =
(struct tss16*)(host_mem + seg_tss16_cpl3.base);
memcpy(tss16_cpl3_addr, &tss16, sizeof(tss16));
struct tss32 tss32;
memset(&tss32, 0, sizeof(tss32));
tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32;
tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0;
tss32.ip = ADDR_VAR_USER_CODE;
tss32.flags = (1 << 1) | (1 << 17);
tss32.ldt = SEL_LDT;
tss32.cr3 = sregs.cr3;
tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
struct tss32* tss32_addr = (struct tss32*)(host_mem + seg_tss32_vm86.base);
memcpy(tss32_addr, &tss32, sizeof(tss32));
memset(&tss32, 0, sizeof(tss32));
tss32.ss0 = tss32.ss1 = tss32.ss2 = SEL_DS32;
tss32.sp0 = tss32.sp1 = tss32.sp2 = ADDR_STACK0;
tss32.ip = ADDR_VAR_USER_CODE;
tss32.flags = (1 << 1);
tss32.cr3 = sregs.cr3;
tss32.es = tss32.ds = tss32.ss = tss32.gs = tss32.fs = SEL_DS32;
tss32.cs = SEL_CS32;
tss32.ldt = SEL_LDT;
tss32.cr3 = sregs.cr3;
tss32.io_bitmap = offsetof(struct tss32, io_bitmap);
struct tss32* tss32_cpl3_addr = (struct tss32*)(host_mem + seg_tss32_2.base);
memcpy(tss32_cpl3_addr, &tss32, sizeof(tss32));
struct tss64 tss64;
memset(&tss64, 0, sizeof(tss64));
tss64.rsp[0] = ADDR_STACK0;
tss64.rsp[1] = ADDR_STACK0;
tss64.rsp[2] = ADDR_STACK0;
tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
struct tss64* tss64_addr = (struct tss64*)(host_mem + seg_tss64.base);
memcpy(tss64_addr, &tss64, sizeof(tss64));
memset(&tss64, 0, sizeof(tss64));
tss64.rsp[0] = ADDR_STACK0;
tss64.rsp[1] = ADDR_STACK0;
tss64.rsp[2] = ADDR_STACK0;
tss64.io_bitmap = offsetof(struct tss64, io_bitmap);
struct tss64* tss64_cpl3_addr =
(struct tss64*)(host_mem + seg_tss64_cpl3.base);
memcpy(tss64_cpl3_addr, &tss64, sizeof(tss64));
if (text_size > 1000)
text_size = 1000;
if (text_prefix) {
memcpy(host_text, text_prefix, text_prefix_size);
void* patch = memmem(host_text, text_prefix_size, "\xde\xc0\xad\x0b", 4);
if (patch)
*((uint32_t*)patch) =
guest_mem + ADDR_TEXT + ((char*)patch - host_text) + 6;
uint16_t magic = PREFIX_SIZE;
patch = memmem(host_text, text_prefix_size, &magic, sizeof(magic));
if (patch)
*((uint16_t*)patch) = guest_mem + ADDR_TEXT + text_prefix_size;
}
memcpy((void*)(host_text + text_prefix_size), text, text_size);
*(host_text + text_prefix_size + text_size) = 0xf4;
memcpy(host_mem + ADDR_VAR_USER_CODE, text, text_size);
*(host_mem + ADDR_VAR_USER_CODE + text_size) = 0xf4;
*(host_mem + ADDR_VAR_HLT) = 0xf4;
memcpy(host_mem + ADDR_VAR_SYSRET, "\x0f\x07\xf4", 3);
memcpy(host_mem + ADDR_VAR_SYSEXIT, "\x0f\x35\xf4", 3);
*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = 0;
*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = 0;
if (opt_count > 2)
opt_count = 2;
for (uintptr_t i = 0; i < opt_count; i++) {
uint64_t typ = opt_array_ptr[i].typ;
uint64_t val = opt_array_ptr[i].val;
switch (typ % 9) {
case 0:
sregs.cr0 ^= val & (CR0_MP | CR0_EM | CR0_ET | CR0_NE | CR0_WP | CR0_AM |
CR0_NW | CR0_CD);
break;
case 1:
sregs.cr4 ^=
val & (CR4_VME | CR4_PVI | CR4_TSD | CR4_DE | CR4_MCE | CR4_PGE |
CR4_PCE | CR4_OSFXSR | CR4_OSXMMEXCPT | CR4_UMIP | CR4_VMXE |
CR4_SMXE | CR4_FSGSBASE | CR4_PCIDE | CR4_OSXSAVE | CR4_SMEP |
CR4_SMAP | CR4_PKE);
break;
case 2:
sregs.efer ^= val & (EFER_SCE | EFER_NXE | EFER_SVME | EFER_LMSLE |
EFER_FFXSR | EFER_TCE);
break;
case 3:
val &=
((1 << 8) | (1 << 9) | (1 << 10) | (1 << 12) | (1 << 13) | (1 << 14) |
(1 << 15) | (1 << 18) | (1 << 19) | (1 << 20) | (1 << 21));
regs.rflags ^= val;
tss16_addr->flags ^= val;
tss16_cpl3_addr->flags ^= val;
tss32_addr->flags ^= val;
tss32_cpl3_addr->flags ^= val;
break;
case 4:
seg_cs16.type = val & 0xf;
seg_cs32.type = val & 0xf;
seg_cs64.type = val & 0xf;
break;
case 5:
seg_cs16_cpl3.type = val & 0xf;
seg_cs32_cpl3.type = val & 0xf;
seg_cs64_cpl3.type = val & 0xf;
break;
case 6:
seg_ds16.type = val & 0xf;
seg_ds32.type = val & 0xf;
seg_ds64.type = val & 0xf;
break;
case 7:
seg_ds16_cpl3.type = val & 0xf;
seg_ds32_cpl3.type = val & 0xf;
seg_ds64_cpl3.type = val & 0xf;
break;
case 8:
*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_FLD) = (val & 0xffff);
*(uint64_t*)(host_mem + ADDR_VAR_VMWRITE_VAL) = (val >> 16);
break;
default:
exit(1);
}
}
regs.rflags |= 2;
fill_segment_descriptor(gdt, ldt, &seg_ldt);
fill_segment_descriptor(gdt, ldt, &seg_cs16);
fill_segment_descriptor(gdt, ldt, &seg_ds16);
fill_segment_descriptor(gdt, ldt, &seg_cs16_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_ds16_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cs32);
fill_segment_descriptor(gdt, ldt, &seg_ds32);
fill_segment_descriptor(gdt, ldt, &seg_cs32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_ds32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cs64);
fill_segment_descriptor(gdt, ldt, &seg_ds64);
fill_segment_descriptor(gdt, ldt, &seg_cs64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_ds64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_tss32);
fill_segment_descriptor(gdt, ldt, &seg_tss32_2);
fill_segment_descriptor(gdt, ldt, &seg_tss32_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_tss32_vm86);
fill_segment_descriptor(gdt, ldt, &seg_tss16);
fill_segment_descriptor(gdt, ldt, &seg_tss16_2);
fill_segment_descriptor(gdt, ldt, &seg_tss16_cpl3);
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64);
fill_segment_descriptor_dword(gdt, ldt, &seg_tss64_cpl3);
fill_segment_descriptor(gdt, ldt, &seg_cgate16);
fill_segment_descriptor(gdt, ldt, &seg_tgate16);
fill_segment_descriptor(gdt, ldt, &seg_cgate32);
fill_segment_descriptor(gdt, ldt, &seg_tgate32);
fill_segment_descriptor_dword(gdt, ldt, &seg_cgate64);
if (ioctl(cpufd, KVM_SET_SREGS, &sregs))
return -1;
if (ioctl(cpufd, KVM_SET_REGS, ®s))
return -1;
return 0;
}
uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
int main(void)
{
syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
intptr_t res = 0;
memcpy((void*)0x20000080, "/dev/kvm\000", 9);
res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000080ul, 0ul, 0ul);
if (res != -1)
r[0] = res;
res = syscall(__NR_ioctl, r[0], 0xae01, 0ul);
if (res != -1)
r[1] = res;
res = syscall(__NR_ioctl, r[1], 0xae41, 0ul);
if (res != -1)
r[2] = res;
*(uint64_t*)0x20000000 = 0x40;
*(uint64_t*)0x20000008 = 0x20002440;
memcpy((void*)0x20002440,
"\x64\x0f\xb1\x68\x04\x48\xb8\x19\xcd\xfe\xb8\x00\x00\x00\x00\x0f\x23"
"\xd8\x0f\x21\xf8\x35\x80\x00\x00\xa0\x0f\x23\xf8\xc4\x02\xfd\x33\x83"
"\x02\x00\x00\x00\x12\x3e\x36\x64\x45\x0f\x01\xc3\x3c\xc3\x3c\x43\x0f"
"\x79\x58\x35\xc7\x44\x24\x00\x2d\x01\x00\x00\xc4\xc2\x7d\x1d\x6c\xd1"
"\xce\x44\xd8\xc7\x0f\x08\xc7\x44\x24\x00\x11\x00\x00\x00\xc7\x44\x24"
"\x02\x00\x00\x00\x00\xff\x2c\x24\x66\xba\xf8\x0c\xb8\xba\x7e\x69\x83"
"\xef\x66\xba\xfc\x0c\xaa\x66\xb8\x7f\x00\x8e\xd8",
114);
*(uint64_t*)0x20000010 = 0x72;
syz_kvm_setup_cpu(r[1], r[2], 0x20fe8000, 0x20000000, 1, 0, 0, 0);
syscall(__NR_ioctl, r[2], 0xae80, 0ul);
*(uint16_t*)0x20000280 = 0;
*(uint16_t*)0x20000282 = 0;
*(uint32_t*)0x20000284 = 0xffffff54;
*(uint64_t*)0x20000288 = 0x6000;
*(uint64_t*)0x20000290 = 0;
*(uint16_t*)0x20000298 = 0;
memcpy(
(void*)0x20000300,
"\xbe\x77\xf6\x45\xfa\x0f\xaa\xb4\x17\x33\x28\xe0\x3e\x0e\x9f\x02\x0b\xbc"
"\x79\x8c\x84\xbe\x65\xbf\x76\x21\x99\xe2\x69\xb6\xd1\x5a\xf3\xd5\x42\xe5"
"\xa5\x31\xa8\x95\x86\x6f\xbf\x13\x91\x0d\x95\xe9\x22\xd6\xaa\x84\xd6\x89"
"\x24\xef\xe5\xe4\x44\xb3\x4d\x9d\xf0\x8a\x86\x8a\xe2\x3c\x67\x75\x46\x79"
"\x8d\x6e\xc2\xc1\x7d\x6e\x3f\x87\xf0\xd7\x57\xc2\x07\x8c\x93\x25\xc6\x41"
"\xfe\xa9\x93\x8b\xa4\xf2\x0e\xbb\x25\x77\xf5\x1b\xa4\x67\xd9\x73\x39\x8c"
"\x7f\xa9\x4b\xe4\xe2\xab\xd4\x27\xb7\xad\x43\x85\xc6\x3e\x63\x00\x90\x75"
"\x9c\x2a\x6c\x76\x8a\x97\x3d\x0b\x1e\x72\x44\xe4\x94\xd5\x92\x5d\x9d\x9f"
"\x40\xaf\xd5\x44\xb8\x4d\x1f\xdb\x8d\xe7\xaf\x27\x9d\x87\x00\x73\x9c\x11"
"\x32\x7a\x76\xf8\xbc\x32\x74\x3c\x95\x9d\x88\x58\xb2\x76\xc2\x11\x22\x2f"
"\x40\x20\x62\x57\xbe\x84\xdd\xd0\x7b\x20\xd8\xb1\xde\x9b\x53\x90\xba\x5e"
"\xaa\x28\x9c\x0b\xfd\xf6\xb5\x63\x6b\x7a\xcf\xac\x51\x59\xe2\xe7\x75\x93"
"\x38\xe0\x6a\xe0\x0e\x4b\x7c\xf1\x62\xe4\x54\x42\xe3\xc8\x39\x58\x58\x84"
"\x7e\x3e\x28\xda\x4e\xd2\x37\x02\x7c\xd8\x49\x99\x1a\xb9\x1e\x6e\x5d\xc6"
"\x1b\x99\x36\xde\x57\x4c\x3b\x26\xa2\xb0\xe3\x03\x38\x6c\x02\xed\x1b\xb6"
"\xa5\xac\xaf\x8a\x92\x71\xe1\x96\xbc\x59\xfb\x3d\x7d\x6a\x88\x38\x3d\x53"
"\x30\x26\x80\xfd\x8e\xbd\x0e\x75\xfa\x67\x33\x3a\x6f\xb9\xda\x03\x33\xd6"
"\xf8\x7b\x3f\x62\x81\x36\xa4\xb9\xec\x1c\x2f\x4c\xf3\xd5\xec\x90\x0e\xc1"
"\x7d\x48\xe3\xf7\x41\x86\x0d\x96\x3e\xc6\xe6\x29\x24\x3d\x06\xb5\x47\x37"
"\x4e\xc3\xf5\xa0\xa8\xe7\x1c\xdd\x67\xe8\xf5\x91\xd6\x87\x11\xba\x4d\xf1"
"\xf2\xfc\x62\xd9\xf5\x4c\x6f\x7b\x88\x44\xc8\xce\x56\x9f\xb7\xf9\x83\xa6"
"\x31\x25\x0e\x77\x37\x47\x80\x41\x3a\xb3\x72\x35\xaf\xde\xfb\x70\x57\x2e"
"\x79\xf3\x5d\x36\x40\x6a\xde\xd6\x1b\xcf\x76\x71\x1a\xac\xf3\x25\xb2\xac"
"\x1f\x78\xb4\xed\xe1\x23\x9e\x36\xd5\xd6\x44\xc7\xa8\x1c\xdf\x6b\x95\xa1"
"\xe3\xaa\x6c\x2f\x70\xd8\x89\x65\x45\x72\xd1\xf8\x8f\x05\xe5\xb2\xc5\xf5"
"\xc3\x7d\x65\x70\x10\x2c\x25\x25\xa9\xb3\xfa\x28\xa8\x8c\x83\xde\xd5\x73"
"\xa8\x96\x23\x99\x00\xbd\x36\x5d\xc0\x32\x3d\x49\x21\xc3\xc9\x6a\x3d\xae"
"\x81\x04\x79\xa1\xac\x83\xb6\x4f\x0f\x9b\x20\x08\xeb\x51\x83\x2b\xce\x90"
"\x10\x5d\xab\x37\x9b\x3d\x99\xf6\x76\x1d\x4c\xf4\x38\xd9\x23\x56\xc5\x63"
"\xc9\x82\x93\x8f\xe8\x30\x26\x25\x8a\xad\x0a\x7d\x9f\x5e\xac\xfa\x35\x9c"
"\x68\xec\x27\x1d\x3e\xcf\x9a\x57\xd3\xee\xc5\x6c\xb0\xbc\xf1\xbb\x0a\xdc"
"\x6c\x29\x7d\x6e\x5b\x10\x16\x40\xd3\xc5\xb5\x0b\xcb\x54\xfa\xeb\xed\x4f"
"\x85\x0e\x73\x7b\x5a\x28\x37\x05\x4b\xcc\xbe\xcf\xd1\xc2\x8e\x70\xa9\x67"
"\xa3\x50\xd2\x18\x67\xea\x95\xb2\xcd\xfe\x55\xfd\x3e\xdc\x6e\x1f\x4d\xb0"
"\x6a\x5e\x6b\x77\xa3\x33\xaf\x48\xe9\x28\x99\xe0\x74\x79\x4f\x3b\x46\x87"
"\xdc\xe6\xd4\x5c\xb3\x34\x33\xe9\x22\xb1\x60\x2e\x76\x71\x64\xdc\x0e\x76"
"\x0d\x14\xb4\xc7\x0f\x30\x4d\xe2\xcb\x56\xca\x5e\xa3\x57\x19\xf4\x92\x48"
"\x0e\x48\xb9\x00\x7e\x40\x73\xa8\xe0\x24\x50\xa9\x3d\x39\x32\x97\x1b\x32"
"\xac\xa2\x83\x77\x3b\xbb\x79\x74\x48\x64\x78\xd3\x80\xd8\x52\x4c\x0e\xee"
"\x27\xba\x19\xd9\xc5\x11\x96\x49\x4b\xc3\xf2\xc4\x1c\x1d\xdc\x72\xb0\xb9"
"\xd9\x7c\xa3\x07\x02\x2b\xaf\x74\x2c\xb6\x9b\x45\xde\x66\x9e\x32\x24\xc1"
"\xea\xf4\xe6\xec\x7b\xb7\x6f\x92\x1a\xd3\xfd\x01\xe1\x13\x8e\xda\x10\xe9"
"\x45\xca\x95\x30\x2c\x17\x29\xad\xf6\x52\x60\x41\x16\x97\x00\xa7\x83\xf7"
"\x67\x63\x2e\x99\xb5\x5e\xac\x5e\x4e\xbc\x25\xb6\x3e\x11\x64\x9a\x31\xe1"
"\xdb\xa3\x34\x45\xa3\x6b\x40\xc7\xcc\x7a\xb6\x45\x0c\xb4\x85\x3c\x69\xa9"
"\xf1\xeb\x00\xd4\x66\xf6\xc9\x8f\x29\x7d\x3e\x48\x82\xfd\x4d\x1a\x9d\xff"
"\x07\x86\xce\xce\x0d\xd1\xb0\x3f\xd8\x4f\x98\x2b\x49\x33\x49\xf3\x2e\x49"
"\xbe\x25\x51\x02\xe7\xbd\x14\x75\xe2\x55\x74\xa9\x92\xda\x69\x07\xa0\xe6"
"\xbc\xe4\x8d\x46\x01\xb5\x1c\xa0\x57\x98\xa0\xe8\xb5\xfa\xa9\xed\x67\x00"
"\x90\x2e\x46\x26\xb8\x66\xb4\x21\x9e\x38\x80\x27\x7b\xca\x07\xf5\x77\xde"
"\xf9\x54\xfd\xd6\x4e\x08\x96\x22\xed\x0e\xec\x55\x87\x59\xa9\xb6\xd3\xe5"
"\x12\xb3\x30\xfa\x30\xe3\x14\x03\x05\x3a\x73\xda\x17\x47\xa7\x87\x4f\x5b"
"\x7a\x9f\xde\x4c\x0f\x9f\x29\xa2\x7e\x79\x5e\x27\x5c\x9f\x6c\x33\xd9\xdb"
"\x7f\x37\x0f\x14\x8a\x79\x08\x11\x42\x8b\x2f\x96\x56\x6b\xd0\xe2\xb1\x48"
"\x99\x7e\x69\xb0\xff\xe1\xa8\x1c\xb0\x4d\x43\xce\x6a\x24\xea\x2a\x94\x14"
"\xb9\x30\xfa\x13\x30\x15\x3c\xb2\x0a\xaa\xe4\x84\xe5\x15\x39\x3b\x9d\xdf"
"\x9d\x02\x98\x06\xc3\x5d\x5e\x95\x64\x62\xb7\xcc\x7f\x1c\x79\x95\x00\x6f"
"\xfe\xae\x1f\x1b\xa1\xda\xf8\xd4\x33\x09\x19\x8b\xf4\x44\xec\x82\xc6\x70"
"\x80\x0d\x5d\xac\xd6\x00\x92\x45\x64\x93\x10\x14\xb1\xe8\x34\xa3\x82\x74"
"\xc6\x56\x07\x84\x57\x2e\x6d\x4b\xf8\xc4\xa5\xa1\xee\x5e\xdb\x2f\x4e\xa5"
"\xfa\x9f\x07\xb1\x1d\x3d\x1d\x88\xb9\x93\xfa\x66\x2b\xc0\x4d\xfb\x9f\xfa"
"\x9e\x53\x4f\x16\x22\xef\xd7\xf8\x23\x34\x6a\xa7\xe0\xa9\x88\xf5\x6b\xe5"
"\x31\xc7\x3f\x34\x43\x9d\xf6\x1f\x97\x37\xcc\xa8\xb9\x3d\x2c\x25\x69\x51"
"\x38\xc7\x0c\x46\x92\x98\xc3\xa1\x14\xc8\x9a\x8c\x34\x09\xd4\xdc\x18\xe7"
"\xbd\x01\x58\x63\x1d\x0b\x93\x68\x23\xa6\xdd\xa8\x14\xed\x50\xf8\x38\x62"
"\x05\x8d\x1e\xcc\x19\xb2\xe1\x19\x5c\x91\x0e\xdb\x5e\x71\x64\xfb\xd4\x03"
"\xde\x0b\xeb\x5d\x7f\xee\xc9\x01\xa5\xa3\x73\xaf\xa1\x16\x2b\xe9\x5f\x0e"
"\x71\xe5\x0d\x47\x9e\x33\x49\x4d\x7c\x98\xc1\xcb\x2a\xc8\x86\xc8\x16\x10"
"\x67\x89\x23\x68\x5f\xa9\xf5\xff\xf2\x58\x4c\x89\x13\x0b\x7d\x2a\xc7\x83"
"\x17\xe5\x31\xbb\x2f\xca\xde\x76\x52\x0c\xf8\xbe\xc4\x50\xe3\x1e\xeb\xfa"
"\x5a\xe2\xf7\x85\x87\xc5\x72\xd3\x6d\x56\xa6\x9c\xf3\xf2\xcc\x9e\x15\xb7"
"\x7c\x11\x87\x7d\x27\xe8\xaf\x01\x96\x90\x2d\x7f\x94\x64\x6f\x02\x94\xb4"
"\x50\x7a\xe4\x46\x13\x97\xef\x21\xb2\x4a\x21\x42\xf7\x40\x46\x0e\x1e\xb1"
"\x93\x5c\xba\xcc\xd1\x4f\x71\xf2\x1d\x6f\xb7\x14\x4d\xe9\x91\x54\xf0\x37"
"\xcf\x31\xe9\xf3\x0d\xa3\xc9\x35\x95\x0c\x7d\x1c\x85\x90\x96\xd4\x4b\x57"
"\xe7\xbd\x37\x14\x73\x04\xb2\xfe\x51\xab\x63\xca\x7c\x40\x31\xc1\xf0\x79"
"\x13\xc8\xa8\x94\xa6\xb0\x57\x38\x86\xd7\xa0\xa6\x2c\xd2\x0a\x0f\x43\x3e"
"\x54\x1a\x43\x80\x84\x65\xeb\x82\xaf\x5b\xb9\xc8\x19\xa7\x4b\xed\x83\xcf"
"\x91\xaa\x18\x04\x42\xc2\x8b\x9f\x4d\x69\xdd\x7e\x72\x8c\x77\x34\xdd\x3b"
"\xd3\xe2\x77\xe6\x7e\x96\xab\x9f\x09\xe0\x83\xc0\xa6\xe4\x2f\xe2\xbc\x5d"
"\xca\xe9\xa2\xde\xdd\xb7\xf7\x63\xe6\x2b\x0d\x8a\xda\xcc\x00\xaf\x73\x4b"
"\xb9\xe9\x78\xc1\x60\x60\x06\x11\xc8\x33\x09\x46\x8a\x2f\x94\x2f\x5d\x2c"
"\x9f\x7c\xaf\xc9\x7d\xae\x2f\x54\x2e\xf3\x3b\xe3\x99\x52\xfa\x70\xee\x3e"
"\x2e\xcb\x31\x05\xc1\xa4\x90\xdb\x73\xfc\xf4\x6a\x36\x45\xde\x10\xe1\xcb"
"\x33\x5e\xa6\x04\xf4\x1d\x10\xb7\x23\x87\x2c\x26\xf2\x0a\x71\xf4\x4b\x13"
"\x01\xff\xfd\x60\x1c\x6a\x60\x9e\x0d\x19\x5b\xbc\xb1\x20\x3c\xd2\x3f\xdb"
"\x3e\x3f\x59\xfa\x8a\xe5\xa4\x84\x88\x1c\x34\x70\x6b\xac\xb6\xa4\x79\xfa"
"\x7c\x9c\xc6\x92\x06\x13\xdd\x69\x03\xbf\x04\x64\x93\xba\xc0\x60\xf0\x46"
"\xef\xc6\xce\x43\xaa\xfe\x9a\x3b\x73\x5c\x1c\xb2\x83\x71\x45\x48\xfd\xc1"
"\x6a\x2c\xe9\xd9\xdc\xcd\x77\xf3\xb8\x03\x71\x32\xec\x1b\x1f\x1d\x96\x59"
"\x32\xa9\xec\x4b\x20\xef\xe1\xf2\x21\x2c\x94\x51\x1b\x61\x79\x9b\x5b\xd2"
"\x9b\xe8\x4e\x47\xd1\xc1\x20\x9a\xf5\x44\xbb\x4c\x48\x20\xb4\x89\x7f\xe0"
"\x0f\xd5\x83\xb8\xae\x53\x94\x35\x4d\x1f\x25\x32\xd0\x80\x1f\x20\x2b\xa3"
"\x1b\xf0\x1a\x89\x6e\xbe\xa5\x30\x21\x67\xcf\x9b\x0e\xd7\x1e\x79\x3d\x95"
"\x72\xfa\xc4\x8d\x75\x72\x4c\xaa\x57\xf9\x9b\xa9\xdb\x21\x13\xf5\xfa\x52"
"\xd1\x93\x56\xed\x1d\x0c\x85\xbd\x60\x80\x59\x52\x11\x3e\x52\x1a\x01\x44"
"\x4d\x6a\x6a\x50\x21\x44\x69\x1a\x9d\x32\x36\x32\x84\x41\x0e\x96\x76\x26"
"\xc7\x20\xcd\xb3\x44\x4a\x56\xb1\xb7\x04\x30\x47\xdb\xf8\xe5\xf1\xb5\x17"
"\x7c\x82\xa6\x51\x71\x0e\xae\xd5\x91\xe1\xd4\xac\x5f\xfa\xf8\x54\x11\xf7"
"\xc3\xc3\xe5\x8f\xef\xb5\xe0\x52\x8f\x74\xb3\xf7\x8a\x0b\x31\xde\x68\xf1"
"\xe3\x14\x15\xa7\xa3\x70\x10\xbe\x81\x8b\x88\x6c\x28\xcc\xa1\xbf\x68\xdb"
"\x06\x89\x29\xba\xd7\x1b\xc6\xb4\xae\x2a\x4c\x9f\x2c\x9b\xf9\x8f\x15\x16"
"\x4e\x6e\xf9\x6e\xf4\x12\x1c\x19\x1e\x5a\x94\xca\x43\x1b\x49\xc4\x75\xf0"
"\x2a\xce\xbc\x42\xd2\xc6\x02\x6e\x4f\x7d\x59\x5e\x56\x77\x94\x7b\xf6\xcc"
"\x0d\x6f\x95\xd7\x83\x8f\x76\xcf\xc0\x44\x92\xce\xba\xed\x43\x74\x98\x47"
"\x06\x46\x5a\xc8\x3a\x1a\xcb\xb5\x54\x50\xf5\xb5\xe1\xe4\xcc\x00\xa8\x8c"
"\x33\x4a\xf4\x4d\x33\x70\x89\xc8\x01\x67\xa8\x13\xf5\x4f\xa9\x03\xec\x85"
"\xd8\xf1\xd2\x2c\x44\x3b\xcd\xfb\x3d\x26\x8a\x3e\x57\xf5\x63\xb9\x73\x2c"
"\xc3\xf5\xd8\xb1\xfd\x98\xa6\xf4\x4e\x3b\x05\x6c\xbe\xb6\x59\x46\xec\x91"
"\x7e\xf0\x93\xc3\xa6\x27\x57\xf2\xb2\x7e\x6b\x48\x73\xae\x71\x83\xb5\xb9"
"\xa6\x52\x8a\x57\x6a\xf6\x94\x49\xdf\x90\xcd\xa4\xbf\xad\x6c\x54\xbe\xd6"
"\x7f\xec\xc6\xfd\xc6\x24\x18\x3a\xec\xb5\x07\x20\x02\xc8\xdc\x9d\x45\x50"
"\x59\x01\xc6\x14\x89\xab\x31\xb7\xd6\xcd\xe6\x94\x3f\x04\x29\x53\xdf\x64"
"\x88\x61\xb6\x86\x63\x29\x11\x17\xf3\xde\xb7\x4d\x3f\x9e\x95\x01\xd9\xd5"
"\x0b\x09\x5b\xaa\xee\xf2\x1a\xca\x82\xe0\x02\x03\xc0\x6c\xe1\x03\xcc\x92"
"\x3e\x6f\x02\xab\x48\x1e\xed\x2d\xa0\xa4\xee\xde\xb8\x27\xe9\xd7\x96\x1f"
"\x6d\x97\x2f\x34\x7c\x64\x9e\x70\x6d\xc0\x25\x9d\x69\x7a\x6a\x5e\xa1\xba"
"\x33\xa6\xf2\xc1\x6b\xee\xd9\x2b\x58\xfa\x29\x00\x26\xc7\x28\xe9\x1f\x3d"
"\xe2\x85\xa7\x4e\x56\xe9\x68\xc5\xd1\x74\x63\x9a\x91\x5b\x5e\x53\xd7\xb1"
"\xe5\x56\x6b\x1a\x89\xf0\x94\x34\xaf\xb2\xa2\xff\x1f\xd0\x0d\x13\xe7\xce"
"\x5a\x3d\xcb\x8e\x62\x8f\x39\xa6\xc6\x82\x5a\xcd\x4b\x71\x52\xa7\x77\xd2"
"\x14\x85\xf6\x36\x0a\xf8\xb1\xc6\x2a\x4a\x29\xf2\xad\x98\xd9\xc3\x93\x53"
"\x01\x87\xc1\x4b\x4d\xef\xdf\xc8\xac\x12\x43\x3b\xe7\xf5\x6a\x40\xce\x40"
"\x87\xeb\x1f\x7c\xf9\x49\xe4\xe9\xb3\xc6\x12\xe4\x95\x37\x16\xab\x02\x7a"
"\x36\xce\x83\x9f\x1d\x28\x15\xc2\x89\xd0\x8e\x0e\x50\x06\x30\xc2\xf5\x43"
"\x44\xd6\x54\x9b\x96\x45\xa4\xb3\x16\x48\xd2\x5f\x71\xdc\x7a\x43\x65\x1a"
"\xa8\x53\x0c\xcd\x0c\xec\x2f\x96\xa4\x38\x5b\x18\x58\x23\x11\x1c\x51\x4b"
"\x5b\xeb\x81\x7a\x98\x82\x4f\x30\x14\x62\x59\x8f\x03\x91\x9e\xc5\x2c\x0f"
"\xdf\x5a\x52\x2f\x3e\x4b\x25\x0d\xed\x30\x89\xe0\x95\x8b\xb2\x0e\x5f\x93"
"\x6c\x8a\xb4\xfc\x00\x31\x6c\xe4\x83\x25\x4f\x6e\x2a\xbc\x02\x48\x35\xac"
"\xdb\xa2\x39\xde\xcc\x60\xfc\xc3\x16\xcb\xb5\xfe\x85\xdb\x2e\x22\xec\xd1"
"\x25\x9c\x60\x7b\x57\x5d\x83\x62\x22\xd7\xa2\x1f\x0f\xcc\xdc\x6d\x4f\x90"
"\xc4\x87\xc6\x6d\xcb\xe9\xd1\x7f\x6a\xf2\xed\xc3\x0b\x57\x18\x9f\x00\x90"
"\x72\xfa\x5b\x46\xe1\xf4\x9a\xa3\x3a\x65\x46\xae\xa6\x02\x02\xc4\xe7\x70"
"\x66\xe2\xf4\x87\xb2\xbd\x36\xf3\x17\x8e\xa8\x88\x48\x8a\xe5\x2f\xad\x83"
"\x08\x68\x17\x2d\x8f\x2b\x33\x35\xdb\x98\xa8\x3c\x45\xe0\x47\xba\x93\xeb"
"\x32\xe0\x8a\x01\x4d\x13\xfb\x8b\x9f\x3b\x54\xc1\x6a\xda\xac\x8a\x95\xc2"
"\x50\x05\x1b\xaa\xa3\x66\x73\x43\xa3\xdf\x51\xab\x7d\xcc\xed\xcf\x44\x10"
"\x48\x2f\xb2\x4a\xb3\x37\x28\x5d\x4c\x0d\x18\x2b\xf0\x00\x50\xc5\xcd\x2f"
"\x8a\x1f\x79\x54\xfe\x0c\xe1\xc2\x32\x5d\xc1\x59\x44\x54\x64\x32\x7f\x0c"
"\x46\x3d\xfd\xae\x8c\x94\x4d\xb6\x03\xce\xab\x50\x44\x09\xbe\x7e\x33\x16"
"\xe6\x79\x96\x0b\x63\xe1\x93\x50\x18\x64\x1f\x0d\x30\xd4\x0f\xb4\xf8\x3f"
"\xaa\x27\x86\xe7\x28\x4b\x0a\xdf\x6f\xe0\xae\x04\xf6\x1c\x36\x2b\xe8\x91"
"\x77\xaa\x7a\x27\xcd\x00\xa1\xc1\x01\xde\xb3\x3f\xba\xe0\x4b\x8b\x20\xfc"
"\xee\xef\x60\x10\x49\x62\x69\x54\xf0\x43\x64\x70\xeb\x4d\x34\x4f\xd5\x3c"
"\x34\xea\xb4\xfc\xa4\x01\xbb\x6a\xa6\x4c\x1d\x18\x91\xca\x88\x30\x0c\xe5"
"\xf8\xb9\xb7\xba\xdb\x64\xa5\xaa\x3c\xe8\xea\x84\x8e\x28\x82\x39\xde\xf4"
"\x60\x2e\x48\x12\xc6\x65\x03\xcc\xc2\xa6\x8b\x73\x4d\x97\xb2\xfe\x71\xe3"
"\x21\xe0\x92\x75\xbb\xc7\x27\xe4\xc0\x2c\xe1\xa9\x67\xf2\xf7\xc5\xf0\x2f"
"\x65\x8c\x5e\x44\x9a\x1c\x71\x8a\x53\x55\x61\xaf\xbd\xdd\x05\xad\x28\x55"
"\x9c\x6e\xa8\xa5\xd1\x92\x98\xee\xcc\xee\x69\x81\x8b\x69\xa8\x33\xb9\x72"
"\x12\x8e\x15\x33\x06\x52\x2a\x37\x33\x39\x6e\x25\xe3\xa2\x17\x54\x43\x71"
"\x5b\x09\x26\xea\x96\x76\x09\xf7\x3e\x25\x29\xfa\x4b\x6c\x34\x6e\x32\x54"
"\x34\x31\xd1\x1f\x57\xf5\x57\xc7\x1f\xf6\xb7\x89\xd9\xa7\x8e\x80\x39\xf7"
"\x8c\x50\x89\x58\x6a\xeb\xa7\xa5\x84\xb3\xd6\xb7\x53\xf8\x63\x3d\x06\x2b"
"\x5c\xca\x36\x39\xeb\x95\x88\x50\x27\xa1\xb7\x8a\x90\xf7\x9d\x33\xe8\x87"
"\x2b\x45\x5a\x21\x61\x8b\x76\xa4\xaf\xd3\xd7\x04\x84\x9b\x06\x7a\xb8\xf9"
"\x68\xbf\x52\x8f\xbd\xbd\xfd\xd3\x4e\x84\x16\x3d\x64\x4e\x21\x1e\x32\xf9"
"\xb5\xb9\x1f\x86\xfb\x81\x58\x90\xf6\xe4\x05\xd7\x32\x4f\xd6\xff\x84\xfe"
"\xa2\x68\xcf\x4d\x61\x3d\x8b\x8c\xc7\x84\xfd\x43\x4f\x31\x7d\xd7\x7c\xca"
"\xf4\x0d\x97\x4c\x43\xd7\x0e\xc1\x53\x06\xc6\x91\xce\x97\x82\x26\x7b\x20"
"\xb3\x5c\x15\x0c\x1c\x10\x4a\xdf\xf5\x43\x70\x68\xf7\xc9\xde\xe0\x58\xc0"
"\x84\x03\x02\x4e\x5e\xd1\xf3\x5b\xf1\xb6\xdb\x21\x3a\xf8\xfd\x02\x93\xb2"
"\x30\xdd\xc7\xa4\x05\xe1\xe3\xe5\x84\x29\x2c\xf6\xd9\xbd\x4c\xa1\xd0\xc3"
"\x25\xec\xf3\x7c\x57\x13\x43\x20\xf7\x9f\xac\x3f\x26\x87\x4b\x1d\x59\x5d"
"\x0a\xac\xb7\xbf\x45\x4b\xc4\xe1\x5f\x75\x5c\x1c\x7e\x2d\x09\x51\xd7\x73"
"\x1d\x8b\xf2\x7c\x80\x02\xf6\x11\xa9\x42\xd6\x33\xc9\xe0\x20\x3e\xe9\xf8"
"\x48\xde\x15\x96\x6e\x6c\x99\x3d\x79\x0b\xbc\x26\x95\x8f\xdc\x3f\xf4\xe6"
"\x2b\x97\x16\x97\x85\x5a\xd0\x98\x0d\x3c\xf6\xcd\x79\xc0\xf2\xf0\xd4\x1e"
"\xab\x6d\x2c\x67\xe8\x32\x95\xaf\xcb\xee\x60\x17\x9e\x09\x97\xdd\xf9\xb1"
"\x50\x02\xb7\xfc\x05\x8a\xfa\x56\x70\x34\xda\xbc\x64\x07\x90\xab\xa2\x41"
"\x9a\x5c\xcb\xce\x25\xab\xcc\xde\x58\x63\x73\xf4\xe3\x1f\x34\x36\xe5\xba"
"\xb2\xe1\x56\xb4\xcd\x6a\xba\xad\xbd\x4e\x99\x1c\xb4\xa1\x5c\xde\xa2\x20"
"\x2b\x13\xbc\xe7\x16\xe1\xdf\x40\xd6\xbc\xc2\x75\xf1\x4c\x15\x2f\xfe\x62"
"\x94\xd2\xb5\xa5\x37\x7a\x9d\xa5\x46\x49\x0a\x0f\xf9\xec\x3f\x27\xa0\xa6"
"\x07\x0f\x1b\x0d\x72\xb7\x5a\x74\xac\x1e\x76\x4c\x46\x70\xb9\x54\x7f\xaa"
"\x72\x85\x00\x23\x3d\xc4\x10\x13\x2d\x80\x0b\xdd\xd4\xe8\x12\x72\xf1\xac"
"\xe1\xfa\x81\x86\xe1\xb6\x8e\x19\xb2\x3e\xe6\x11\xb2\xc9\x11\x9b\x09\x47"
"\x64\xfd\x07\x20\x21\x2c\x14\xf1\x2f\x18\x35\x59\x66\x60\xe0\x8d\xba\xf1"
"\xa2\x8c\x2e\xcb\x39\x10\x94\xe8\xde\xcb\x50\x04\x84\xa4\xf9\xde\x41\x27"
"\x81\xfe\x08\x46\x95\xa2\x43\xd4\x74\x47\x1a\x3d\x6a\xbd\x4a\xc6\x40\xcf"
"\xb7\xda\x40\xe0\x32\x7d\xef\xce\x9a\xa8\x10\x1a\x25\xf7\x14\x5b\x55\xdb"
"\x05\x10\xdd\x09\x0a\xf6\x3f\xd6\x5f\x90\x03\x69\x3b\x21\xb2\xf3\xd4\x77"
"\x5c\x65\x70\x7f\xed\x78\x47\x42\x38\xd6\x45\x35\x92\x93\x3b\x22\x65\xc3"
"\x83\x6d\x0c\x77\x5b\x95\xe9\x73\x9b\x3d\xe3\x85\x60\x72\xa5\xb4\x3c\x9e"
"\x30\x24\xe8\x84\x3b\x25\x22\xe9\x2d\x12\xaa\xb4\xa6\x36\xc6\x8a\xf1\x27"
"\x22\xab\x38\xd8\x81\xf4\xc9\x71\x18\x01\x4d\xb9\x86\xf3\xec\x96\x67\x83"
"\xb9\x3d\x81\xd1\xd7\x0e\x3e\xa6\x11\x48\x2d\xf7\x45\x25\x6c\x3e\xf9\xc6"
"\xc9\x49\xc6\xaf\xc6\x92\x9f\x69\xd9\x42\x7d\xdd\xe8\x1f\x3f\x27\x85\x00"
"\xc5\x86\xb3\xbb\x73\x6c\x2f\xc7\x71\x3a\xd9\x2e\xd1\x36\x40\xf4\x05\x1e"
"\x72\xb3\x85\x68\xe3\xf2\x11\xf7\x52\x61\xee\x65\x17\xde\x0b\x98\x00\x76"
"\x12\x7d\x7d\xc0\x0a\x16\x60\xa1\x12\x32\x32\x5f\x7a\xc0\x97\xf4\x6e\x0e"
"\xf4\x49\x3c\xd7\xde\x87\x5d\x14\x05\x64\x19\x37\x3d\x88\x7a\x82\x16\x72"
"\xd8\x94\xd3\x2c\x81\x04\x64\x70\x5e\x92\xc9\xab\xe3\x29\x67\xfe\xad\x24"
"\x64\xc8\xb2\xf6\x93\xf4\x5d\x07\xa8\x16\x0f\x59\xec\x04\x60\x19\xb0\x16"
"\xee\x8b\x07\x76\x42\x78\xaf\x8c\x6b\x22\xb4\xcc\x07\x9f\x40\x6c\x0b\xa8"
"\x98\x33\x2a\xa8\x91\x1b\x02\x6c\x75\xed\xd0\x2d\x5a\x40\xf8\xed\x9c\x1a"
"\x3d\x39\xc1\x89\x3a\x0a\xff\xe4\xb3\x8c\x77\x30\x54\x29\x56\x2e\x9d\x09"
"\x07\x17\x97\x53\x05\x1c\xbf\x13\xff\x93\x60\x91\x33\x4f\xe2\x4a\x53\x81"
"\x6d\x2a\xa5\xe2\xe2\x69\x93\xda\xc3\xf2\xc5\x73\xb0\x00\x11\x52\xee\x26"
"\xb6\x33\xaf\xd9\x66\xbf\xb7\x04\x05\x42\x27\x16\x0b\xf2\x92\xbb\xcc\x35"
"\xf7\x8a\x64\x9b\xb7\xf4\xfe\x17\x83\xa6\xb1\x0d\xe7\x78\x51\x9c\x8a\x71"
"\xf1\x38\x1c\xc6\x7a\x77\x9e\x51\xce\x30\x97\xe6\x66\xd9\x64\x72\x8d\x55"
"\x70\x8e\x76\x95\x38\x26\xc7\x65\x9c\x36\x47\xd3\xf3\xce\xdf\x9f\x1b\x45"
"\xb2\x7f\x57\x35\xbb\x8d\x78\xd8\x74\xbf\x73\x14\x7b\x73\x8b\x9c\x05\x66"
"\xa0\xd2\xfd\xcb\x17\xf8\x5d\xc7\x12\x46\x2e\x38\x1b\xa1\x46\x6d\x92\xd9"
"\x03\xba\x24\xd0\xcc\x17\xdd\xbe\xb7\xbd\x80\xb5\x52\x5d\x72\x36\xa8\xad"
"\xd5\x4d\x4e\xca\x06\xfe\x4c\xd0\xd3\x72\x44\x03\xc7\xad\x09\xf2\x2e\xb2"
"\xfc\xb4\x18\x1e\xdd\xde\x27\x1b\xe8\x21\x57\x9b\x73\x82\xbb\xfe\x36\xda"
"\xb5\x07\x98\x11\xe6\x28\x42\xda\x65\x16\x5c\x27\xc1\x81\xdf\xed\x27\x9d"
"\x5e\xc1\x2a\x1c\x0c\x13\x54\x17\x60\xc2\xfe\x5c\xce\x95\xc6\x89\x26\x22"
"\x22\x9a\xc2\x4a\x72\x11\xba\x43\xe5\x13\x07\x7f\x34\x34\x2b\x61\x61\x1a"
"\x1a\xb1\x0b\x6c\x51\xf6\xe3\xa0\x6b\xe0\x71\x6d\x7d\x1a\xbc\x82\xf5\x90"
"\x3e\x32\xf1\xe6\xe3\xe8\x57\x89\xc1\xb8\xf1\x40\xbb\xe1\x90\x3b\x96\x77"
"\xec\x96\x55\xe1\x71\xbf\x1f\x4d\x27\xdd\xa0\x03\xc2\x7d\x4e\xf0\xe0\x43"
"\xd0\xde\xf4\x51\xdb\xc0\xf4\x8c\xb6\xcb\x60\x5b\x1e\x2d\x27\xe9\xfc\x9d"
"\xb1\x0c\x0b\x57\x1b\x68\x05\xf3\x16\xb0\x0b\x58\x1d\x0d\x73\x58\xf8\x3e"
"\x14\xd1\xb4\x29\x0e\x61\xfc\x0d\x0b\xd9\x73\x34\xf3\x1a\x54\x73\x50\xc0"
"\x08\x77\xc9\x0b\xcb\x59\x1b\x98\x98\x6c\x19\xd9\xd4\x77\xf7\xdc\x52\x1a"
"\xc4\x3d\x2e\xdf\x92\x01\xea\x61\xc4\x3e\x63\x65\xe7\x95\xbf\xb4\x4b\x0d"
"\x90\xce\xd7\xb9\xd3\x4a\x84\x9d\xec\x49\x5d\x79\xca\xe7\x76\x9c\x72\x1d"
"\x7c\xd1\x7f\x15\x03\xdf\x3d\x11\x3c\x49\xfc\xb1\x84\x49\xff\x18\x0d\x39"
"\xc9\x47\x17\xae\x8f\xcb\xa7\xee\x1d\x8c\xf7\x58\x73\x09\x8a\x7a\x69\x7d"
"\x5f\x5d\x7a\x6e\xee\xf1\x4d\xaf\x14\x67\x10\xee\x40\xc9\x4f\xf8\xea\x9f"
"\xf0\x48\xd1\x08\x68\x87\x76\xfd\x07\x4e\x72\x65\x8d\x6e\xa4\x3f\x42\xea"
"\x03\x88\x3f\x70\xf4\x5c\x7b\x86\xd3\xeb\x0b\xce\xd0\xf3\xa6\x0b\x6d\xa5"
"\x10\x83\x37\x28\xff\xdb\x82\xaf\x9a\x34\xc5\xfc\x86\xe0\x13\x08\x61\xac"
"\x66\xc6\x8b\x78\x43\x00\x00\x00\x00\x00",
4096);
memcpy(
(void*)0x20001300,
"\x20\x4b\x9e\x18\x04\xd6\x36\x30\x11\x50\x77\x52\x98\xe6\x49\x00\x40\xd0"
"\xec\xb7\x23\x71\xcf\xe0\xcc\xc2\x58\xd2\xb4\x45\x04\x58\xb9\x09\xae\x78"
"\x5f\x60\xb9\x32\x86\x39\x37\xed\x25\xdf\x0c\xe2\xb0\x46\xcc\xc4\x7e\x35"
"\x01\xed\x7a\x53\xe6\x9d\x95\xdf\xb7\x61\xf3\xfb\x81\x65\x99\x83\x87\x6f"
"\x91\x5b\x21\xb4\xb9\x12\x70\xb4\x60\x78\x75\xb7\x51\x13\x65\x14\xbb\x42"
"\xb1\xde\x57\x5e\x5a\xe0\x5e\x98\xfd\x37\xdd\xe4\x9a\xcb\x6a\x8e\x7f\x7c"
"\x59\x2c\xeb\x87\x93\xd0\x0c\x84\x51\x5e\x9b\x09\x1f\xca\x80\x56\xf6\x9e"
"\xf4\x7c\x1c\x91\x73\x5a\xf0\x4b\x30\x77\xa9\x4a\x24\x14\x74\x89\xc6\xbb"
"\xc3\xd6\x3a\x76\xba\x4e\xb1\xe6\xad\xf0\x14\x10\x6f\x4b\x01\x17\xfc\x6a"
"\x2b\x2c\x84\xca\x9e\x6c\x40\xfa\xde\x37\x3f\xd4\x9f\x65\x7e\x5e\x82\x83"
"\x99\x86\x8d\x39\xd2\xa9\xd8\xcb\x3f\x45\x08\xe1\x56\xd3\x1d\xed\x82\x6a"
"\x64\xd8\x4b\x19\xce\xb0\xc1\x3d\x95\x66\xf1\x48\x66\x02\x8f\x00\x40\x84"
"\x28\xbc\x6b\x9a\x27\x76\x1f\xb1\x3e\x70\x56\x1f\xa8\xbb\x45\xbf\x25\x47"
"\xba\xee\xbd\x7c\x99\xe0\x1c\x1e\xbd\xac\x09\xba\x75\xe3\xf6\x7b\x2b\xc6"
"\x89\x8c\xa2\xc8\xe6\xc2\xb0\x9e\xfe\xf1\xe6\x88\xc7\x4f\xe8\xe2\x14\xb6"
"\x57\xd3\x32\x57\x25\x53\x1f\x9c\xe7\x1d\x59\x53\x2a\xdc\x69\xf4\x0e\x0b"
"\x82\x1f\xbd\x14\x55\x81\x33\xf9\xfc\xd9\xd5\xac\xe9\x15\x07\x03\xb5\x87"
"\x9f\x74\x02\x85\x83\xdc\xcd\x49\x84\xa9\xfe\xdf\x23\xf1\xf6\xb8\xc5\x01"
"\xf9\xa9\x97\x62\x07\x94\x04\xf1\x09\xe6\xd6\x9b\x02\x5e\xdb\xf2\xd3\x16"
"\x9e\x44\xf1\x86\xeb\x60\xe7\xab\xf9\x53\x9c\xb8\x01\x36\x70\x43\x54\x20"
"\xf5\x4b\x7e\x48\x56\x44\xf5\xaf\xc2\xd0\x58\x1d\x84\x04\xc2\x3b\xcf\x2c"
"\x0b\xcd\x6d\x3a\x6f\xbc\x65\x87\x21\xe7\x45\x46\xea\x52\xd5\x7f\x25\x9e"
"\x84\x1e\x87\xf0\x1a\xce\x9d\x7f\xb1\x0b\xb4\x35\x6a\xbf\xfa\x30\x6d\x91"
"\x96\x39\x14\xbc\x14\x4e\x48\x6f\x78\xc0\x48\xaa\xfe\x20\xea\xe2\x7f\xf5"
"\x32\x50\xde\x7b\xed\x8c\x41\x67\x78\x0c\x53\xfa\xcf\xd7\x41\xb9\x3f\x53"
"\xd6\x7a\x60\xeb\xa1\x52\x77\x01\x89\x6b\xcd\x29\xa6\xcc\x20\xb9\x39\x05"
"\x82\x42\x1e\xb0\xe5\xdc\xe7\xa6\x6a\x94\x88\x19\x04\xdd\x91\xc4\x7c\x59"
"\xe8\xb7\x21\x9a\xda\xe8\x6b\xa7\x8b\x23\x03\x06\x82\x93\x68\xa5\x6d\xc9"
"\x08\x24\x5f\xc7\x28\x86\xc3\xb1\x8f\xac\xea\x65\x9b\x27\x46\x6d\x3c\x6a"
"\x85\xb5\x41\xf2\x0a\x01\x26\x60\x31\x9f\x8f\x4b\xa0\xfa\xf0\xd8\x3d\x28"
"\xac\x63\xae\x41\x73\x23\xa0\xf7\x5b\x88\x23\x5d\x1a\x60\xa2\x9c\x41\xf6"
"\x62\xb3\x4a\xc4\x0a\xc1\x9c\x94\xf2\x27\x56\x78\x60\xa9\x98\xf5\xe4\xd8"
"\xf6\x5b\x93\x0c\x1a\x12\x09\xba\x04\xcc\x24\x06\x59\x99\x14\xe8\xed\x7c"
"\x98\xd8\x09\x5a\x56\xfd\x29\x92\x0c\x47\xc6\x22\x1b\xf7\xe6\xa0\x76\xdf"
"\xc9\x09\x47\xaf\x94\x68\xd8\x84\x47\x31\xac\x39\x23\x89\x6f\x25\xa8\x40"
"\x24\x21\xe2\x4e\x1d\x32\x8e\x5b\x9d\xae\xb9\x70\x48\xb8\x7e\x3d\x37\x48"
"\x74\x07\x19\x31\xad\x79\x1c\x1f\x03\x32\x4b\xa0\x1d\x46\x33\x64\xa5\xbb"
"\x1d\xba\x7e\x3b\x80\x7a\xec\x9c\x33\x37\x03\x39\x7a\x45\x91\x8c\x73\xb4"
"\x43\xdd\x46\xf7\xb2\x89\x73\x66\x62\xad\x83\x33\x02\xfa\x89\x56\x7e\x44"
"\xc3\xde\x8e\x2f\x87\xbb\x5f\x87\x58\xab\xf6\xf8\x88\xad\x26\xbb\x5e\xd4"
"\x8a\x4b\xd8\x28\xd8\xfc\xf5\xc0\x1c\xf7\x58\x80\x09\xc1\xa6\xc3\x5e\x94"
"\x14\x29\x50\xb3\xba\xc8\xfa\x0a\xf1\x5c\x2f\x30\x50\x4c\xef\x3e\x54\x4b"
"\x13\x2e\x40\x96\xa8\x36\xaa\x49\x33\x6c\xbe\x87\x8d\x2e\x33\x07\x5d\x07"
"\x12\xad\xc3\xe7\x5b\x9f\x9b\xc7\xec\x42\x0f\x12\x30\x84\xeb\x29\x61\x19"
"\x17\x15\x35\xc4\xfa\x49\xd4\x60\xd4\x44\x4e\xb3\x09\xf4\x24\xec\x13\xbe"
"\x89\xff\x66\x41\xca\xa0\x89\xda\x26\x2f\xf8\x9c\x0d\x4b\x1a\x86\xfa\xc9"
"\x13\x61\xa7\xa1\x24\xa0\xe4\xb2\x7d\xe2\x53\x18\x6e\x10\x67\x1d\x25\x32"
"\xd6\x00\xf6\xb4\x08\x9d\xc6\x90\xf6\x00\x36\x30\x92\xad\x93\xfb\x62\xfb"
"\xab\x9e\x1a\x96\xca\xef\xe3\x1e\x4c\x11\x74\x20\xfd\x1d\xf6\x4e\x4e\x0c"
"\xf4\x96\x7c\xb0\x26\xa0\x03\xbe\x44\x42\x78\x55\x3c\x2e\x58\xe1\x9e\xc5"
"\xa6\xdb\x39\x21\xfa\xb8\xfa\x07\x48\x96\x5e\x52\x36\x59\xe5\x4a\x3e\x01"
"\x19\x04\x92\xf9\xb0\x18\x11\xd0\x6b\x13\xd8\xc8\x33\x45\x4a\xb5\xa9\x3a"
"\xf8\xa9\xad\x27\xa1\x55\xd6\x82\xd8\xc7\x8f\x07\x4d\xa1\x7d\x6c\xcb\x7d"
"\xed\x5b\x5f\x3c\x30\xe3\xaf\xb3\xc0\xe4\xaa\xb6\xce\x79\x7e\x81\x42\xdf"
"\x9a\x74\xf4\x86\xae\xe7\x4c\x0b\xc0\x21\xc2\x27\xd8\x02\xc5\xf5\xe7\x96"
"\x78\xc4\x5b\xac\x33\x1d\x6e\xc2\x4e\xcb\x40\x42\x96\xdc\x9e\x90\xb2\xc1"
"\x91\xfc\x14\xc5\x35\x05\xe9\x25\x87\xf4\x3a\x5e\xed\xc5\x6a\x64\x08\x04"
"\x8d\x9d\xbb\x8b\xee\x88\x40\xa6\x56\x95\x2c\xb3\x61\xf0\xd7\x6b\xaa\x20"
"\x93\x9e\x6e\x8a\xb9\x17\xe1\x2b\x76\xdd\x81\x2b\x95\xe6\x8c\x90\x70\x8d"
"\x7c\xd8\x1a\xa1\x80\x02\xee\xa1\x16\xf4\x19\x0e\x49\xd1\xf6\x28\xa5\x09"
"\xc8\xfb\x65\xf3\x93\xef\x5b\xcf\x7d\x1b\x9e\xa2\x89\xe0\x53\x2e\xe5\xf4"
"\x6e\x65\x70\x9e\x84\xaa\xa7\xa6\x33\x4c\x58\xea\xab\x5c\x3c\xce\xd8\x8f"
"\xa3\xe9\xe3\x65\xac\xe1\x19\xa3\xc4\x0d\xfe\x33\x6a\xbb\xe6\xd3\xa0\x9d"
"\xfd\x89\x5c\xdc\x3d\xaa\xe2\x6a\xe9\xd3\xf6\x8a\x3a\x21\x84\xac\x5f\x69"
"\x72\xef\x03\x4f\x1f\x9f\x0d\x41\x00\xa5\x5b\x86\x38\xdb\x09\x86\xf3\x62"
"\xa2\x3b\x59\x99\x03\x90\x9a\x5a\x61\x93\xfc\x2c\x6e\x54\xad\xc9\x65\xff"
"\x5d\x48\xbc\x1e\xd1\xb6\xff\x0a\xb2\x26\xb9\x59\x8f\x70\xa1\x3c\xa0\xa0"
"\xb2\xd2\xcc\x05\xf1\x74\x49\xbd\x4c\xbd\x22\x4f\xa7\x58\x10\x95\x50\x11"
"\xd5\xa4\x01\x34\x8c\x0b\x75\x54\x6c\x1f\xd8\x68\x24\xce\xd7\xb0\xc7\x9c"
"\xb4\xd1\x3a\x37\x22\xae\xf6\xf7\xa0\xcb\x49\xf7\x6a\x37\x2f\xf1\x33\x73"
"\x6f\x04\xb6\x7b\xf6\xa7\x4d\x51\x64\xa2\x27\xf4\x86\x5d\xfd\x15\x18\x1e"
"\x0a\x9e\x5d\xc5\x33\x17\xff\xb0\x4a\x7a\xb1\xfb\xa8\x7d\x3b\x34\xbd\x1c"
"\xee\x7c\x6a\xef\x4b\x3e\xbe\xf1\x83\xc9\xfc\xd4\xda\xf0\x91\xef\x1f\x5f"
"\x27\x09\xa7\xeb\x4a\x64\x82\x42\xc4\x08\xe7\xd5\xb1\x0b\x76\x6e\x0f\x64"
"\x8c\x65\x4d\x99\xd0\x72\x21\x89\xc4\x95\x64\x74\x89\x2e\x37\x9a\x84\xb1"
"\xf0\x9f\x13\xba\x58\x94\x23\xe4\x3b\x4b\x0d\xd2\x67\xb1\xd0\xc9\x76\xfb"
"\x64\x90\x3e\xa2\xd2\x2e\x26\x12\xd9\xdb\xad\x91\x53\x6a\x98\x6f\x44\x98"
"\x6d\x74\x57\x8f\x2c\xf3\x78\xdc\x65\x05\xcc\x26\x26\x15\x48\xa0\x80\xe1"
"\x1d\x74\xfe\xd2\xcd\xaa\x90\x47\x9f\x06\x56\xfd\x92\x7f\x89\xa0\x62\x4f"
"\x4c\xe9\x43\x98\x1f\xfb\xec\x2c\xeb\x27\xc7\xfb\x6e\x6e\xe7\xdf\x7c\x2d"
"\x26\xd7\x15\x1f\x1d\xad\xb1\x72\xa0\x01\x77\x87\xc5\xd3\x2d\x64\x08\xb6"
"\x66\x2c\x8f\x53\x48\xf3\x4e\x63\x64\x92\x06\x14\x21\x64\xf7\xaa\x07\x6b"
"\x2c\x83\xbf\xff\xe4\x41\x26\xee\x92\x3f\x0b\x9b\xc9\x17\xe5\x23\x08\x37"
"\x35\x53\xcf\x19\xe6\x79\x8a\xc8\x3a\xce\x35\x0b\xe4\x7f\x44\x5e\xf0\xd2"
"\x68\xc2\xa4\xfc\x67\x99\x8a\x59\x07\xdb\x42\xde\xcc\x63\xfc\xfc\x30\xdf"
"\x0a\x45\x43\xda\x17\x8e\x44\x2a\xec\x97\x06\x0e\xdc\x20\x9e\x34\x84\x9f"
"\x6b\xee\xa0\xe3\x66\xec\xcc\x80\xb8\x7c\x1c\x16\xf8\x9e\x56\x08\xb9\x6c"
"\x17\x6c\xcf\xaf\x60\x14\xa6\x19\xb8\x3d\x72\xc5\xa8\x97\x49\xcf\x76\x3f"
"\xd7\x6c\x6a\xe8\x2b\x6a\x13\x22\x67\x48\x38\xab\x9e\x5f\x9a\x0d\xb7\xaa"
"\x8b\x7d\x27\xdb\x30\x8e\xdb\x66\x4f\xc0\x19\x77\x56\xf6\x70\x9d\xf3\x6d"
"\x9f\x6e\xd6\x78\x94\x4e\x18\x45\x5a\x8d\x49\x43\x4f\x9a\x6f\x22\x3c\xbf"
"\x52\xb6\xa1\xba\x26\x6a\x55\x33\x1f\xfe\x7e\x83\xfb\x41\x30\xc2\xf5\x52"
"\x86\x26\xc4\xe4\x51\xd8\xba\xc1\xda\x04\x6d\xd5\x92\x49\xfe\x41\xb6\xc8"
"\xa3\x6e\x82\x34\x69\x18\xe0\x17\x7c\x87\x6f\x44\x10\x1f\xf9\xf7\x72\x1d"
"\x8f\xbe\x1e\xca\x04\xe1\x3b\xa8\xdb\x3f\x5b\xd0\x1c\x36\x61\xdf\x0d\x6c"
"\x8a\x24\xd4\x5a\x24\x6e\x0a\xc8\x0a\xed\x41\x78\x90\x1a\x71\xa9\x39\xda"
"\x46\x22\x59\x2b\x3a\x8d\x87\xb3\xae\x35\x37\x05\x30\x03\x9d\x7d\x41\x34"
"\x55\xe9\xd6\x16\x56\xb5\x8a\x1e\x63\xaa\x9b\xf1\xa8\x7d\x8b\xcc\x66\x05"
"\xc3\x16\x78\x36\xf8\x2b\xa0\x1f\x54\x93\x4e\x2d\x31\xd7\x46\x3e\x18\x48"
"\xee\x8a\x2c\xca\x55\xa0\x29\xd5\xed\x37\x23\x6d\xda\x9f\x27\x89\x81\xcd"
"\xb3\x30\xea\xbc\x6b\xfc\x33\xa7\xfe\xe5\x67\x8c\x38\xb8\xe0\xa9\x25\x8f"
"\xa8\xce\x5c\xb8\xab\xc3\x32\x0d\x44\xdd\x16\x09\x8d\xf1\xbb\xf9\xd3\xe3"
"\x14\x2e\xc1\x83\x8b\xa8\x17\x85\xe3\x7d\xc9\x7f\xda\x27\x97\xe3\xcf\x6b"
"\x7d\x6c\x36\x77\x37\xb4\xdf\x96\xa2\x42\x14\x9b\xbb\xa7\xaf\x54\xda\x91"
"\xb4\x04\xfb\xf0\x1f\x4e\xcf\xb7\xeb\xd9\x7c\x67\xde\x24\x15\xb3\xbc\xa3"
"\xb5\xf2\x1d\xea\xe9\x88\x73\x3d\xcb\x54\x7a\x17\xaa\x38\xc0\xb9\x8a\xba"
"\x60\xfb\xb1\xd5\x7f\x9e\x8f\x00\x5a\xe6\x23\x3e\x5d\xa6\x8d\xa3\x2c\x7a"
"\x27\x78\x94\x4a\x2e\xac\xba\x03\xe3\x31\x2f\xe9\x68\xfa\x3b\xe0\xe2\xce"
"\xb4\xd8\x52\x68\x03\xe7\xa8\xf2\x46\x18\xb1\x00\x38\x60\xe4\x24\xda\x51"
"\x8c\x96\x02\xcb\x09\x2c\x9c\x6b\x93\x0b\x72\x52\x3b\xbf\x61\x5a\xd8\x33"
"\x0e\x33\x7e\x64\xff\x82\xeb\x78\xd9\xa2\x38\x4e\x86\xaf\xec\xe8\xaa\x9d"
"\x9c\xb1\xb7\xab\x27\x26\x52\x61\xa3\xcf\x54\x2e\x16\x55\x79\x2e\xd6\x6b"
"\x28\xd2\x7b\xf4\xf0\x2d\x13\xe9\x34\x13\xbf\xc5\xfa\xe7\xdb\xec\x15\xaa"
"\xc8\x53\x31\xae\x3d\x40\x32\x67\x99\x88\xff\xd1\xc1\x75\x04\x47\xf7\x63"
"\xeb\xc9\xba\x8f\x8b\xa4\x52\x1b\x74\x56\x3a\xf6\xee\x8a\x99\x6a\xf3\x70"
"\x7d\xd0\x31\x18\xc3\xf0\xd1\x8d\x61\x2a\x51\x05\x51\x93\x10\xf7\xb8\xc5"
"\xeb\x4b\x7e\x3a\x0d\x67\x53\x74\xda\x18\x31\x4d\x14\x4b\x5d\x5d\x0b\xa2"
"\x73\x5d\xab\x4e\xfd\xf6\x8f\x70\x28\x5c\xe4\xd3\x50\x32\x42\x7e\x23\xfe"
"\x7c\x59\xc5\x84\x48\x79\x55\x04\x17\xdc\x93\xd2\x22\x1f\xe0\xff\x82\xc7"
"\xe2\x1e\xbb\xa1\x9c\x01\xfe\xfc\x6f\x6e\xeb\x70\x78\xe7\x55\x7f\x07\x7c"
"\xa0\x89\x24\x6e\x6f\x39\x01\xe1\x27\xca\x46\x85\xc1\x91\x84\x7a\xe7\x20"
"\xce\x30\xd4\x19\x39\x23\x9b\x28\x35\xd9\xcf\xd1\x26\xfa\xab\xc8\x8e\xb8"
"\x0d\x40\x9d\x8e\xc1\xcd\xf6\x07\x0c\x55\x10\x9b\xdb\xbb\x66\x8f\xd5\x6c"
"\x6e\xbd\x35\x03\x98\x6c\xdf\x5a\xde\x19\x90\x3a\x85\x51\x6f\x0e\xd8\x78"
"\x72\xf3\x97\xe6\x24\x4b\x0f\x58\xc7\x0b\x8d\xd0\xcb\xc4\x08\xdd\x7a\x87"
"\xc4\x2d\x67\x2d\x31\xfd\xe7\xfb\xc3\x1b\x3a\xcf\xf4\xbe\x74\x4b\x93\x3e"
"\xc0\x64\x5f\x76\xb5\x24\x81\xba\x6f\x50\xa2\x5a\x98\xf8\x9d\x99\x89\xe3"
"\x47\xb6\x82\xa4\x59\xeb\x38\x00\x4d\x0d\xe0\xa7\x31\x4f\x83\x19\xb1\xe0"
"\xce\x51\x52\xa4\x92\x8d\x7f\x59\x76\x93\x47\xa7\xf4\x8a\xf5\x95\xd0\x28"
"\xb5\x01\x2c\xf5\xb7\xfc\x08\x1c\xbe\xc3\xc5\xad\x30\x80\x19\x47\xb5\xd3"
"\xf8\x7a\x24\x2b\x05\x69\x1e\xf3\xf4\x6f\x0b\xa3\x5f\xa6\xee\x28\xa9\x66"
"\xad\x42\xe3\x4e\xf6\x19\x2c\xb6\xe5\xde\x41\x41\x1d\xf4\x63\x8c\x82\x56"
"\x88\xab\xc1\xc8\xf1\xfa\x7b\x2e\xce\xd5\xae\x40\xa5\xd3\x5d\x7c\xfd\x98"
"\x1f\x4d\xd4\x6a\x91\xe8\xf1\x23\x18\x7d\x8e\x99\xa9\x47\x02\x0c\xdc\x4c"
"\xfc\xb6\x6e\xe0\x04\x23\x2e\xd5\xba\xdf\xa6\x94\xfd\x94\x3e\xd5\x9f\x01"
"\x43\x39\x89\xe5\x66\x3a\x77\xfd\x2b\xbc\xdb\xfa\xad\x5a\xb4\x82\x15\x0f"
"\x22\xff\xa6\xb1\xae\x9e\x99\x13\x4b\x32\x0c\x04\x44\x4c\x3d\x5d\x71\xe3"
"\x7c\x6d\x4f\xaf\x82\xb1\x29\x7d\x75\xa5\x20\xe6\xe6\xc5\xa0\xd7\xab\x86"
"\xde\xa5\x24\x5a\x97\xb1\x6a\x76\x90\xf5\x0e\x9a\xbd\x45\x2d\xa3\x3c\x58"
"\x97\x4c\xb6\x3e\x47\x11\xfe\xce\x83\xcf\x12\x51\xc6\xee\xcc\x7c\x9a\x88"
"\x7b\x0a\x88\x1f\x14\x8b\x6c\x8f\xa3\x74\x9e\xf0\x96\x61\x48\x89\x09\xa2"
"\xf7\x4e\x41\xa4\x96\x8f\x5f\x1d\x1e\xbd\x9a\x51\x1f\x57\x32\xea\x60\xa1"
"\x80\x32\xd6\x8d\xcf\x34\xa5\x91\x4b\x1c\x24\x27\x5e\x6c\x3d\x33\x1a\x8c"
"\x45\x4e\x4c\x61\x5d\xc5\xf6\xce\x4d\xe1\xb4\x4f\xc7\x55\xda\x73\xee\xf5"
"\x17\xbc\xa0\x8f\xa4\x64\x44\x3e\xab\xf4\x04\x69\x61\x62\x5e\xe8\x2c\x40"
"\x6e\x08\x35\x9b\x49\x78\x5a\x1c\xbe\x98\x22\xca\xda\x33\x75\xda\x9a\xdf"
"\x55\xbd\x50\xe1\x56\xa3\x14\xf1\x01\x07\xa3\xfb\x88\x0a\x94\x4f\xa3\xa0"
"\xcd\xb4\xbe\x22\x34\xc1\x9a\xb2\x6f\x80\x75\xc6\x38\x9a\x0a\x60\x62\xe8"
"\x20\x50\xb4\x93\xa3\x0e\x61\x7f\x72\x8b\x8d\x0c\xed\x0b\x69\xda\x60\xc6"
"\xfd\xad\xd9\x5e\xe1\xc0\xe6\x56\xb6\x3e\xcc\x72\xa4\x91\xe0\x7b\xce\x4c"
"\x3d\xf3\x76\x1e\x51\xbb\x32\x7a\x86\xd5\x5a\x37\x5e\x4f\x58\x59\xa8\xb1"
"\x79\xa4\x7f\x4b\x5b\x8b\x85\xfe\xd0\xdb\x91\x6e\x31\x88\x5d\x0a\xd1\x85"
"\xd6\xc7\xe7\x94\x49\xe2\x82\xa5\xd1\x0a\x7c\xf8\x6d\x03\x05\xa2\x67\x3c"
"\xd9\xaa\x83\x4d\x13\x0f\xcb\x10\x98\xc0\xf6\x97\x71\xae\x23\xe2\xb4\x9c"
"\xdd\x3d\x39\xbe\x17\xfc\xc3\x09\xa2\x82\x48\x6b\xf0\xe0\x82\x9a\x08\x05"
"\xa0\x36\xb0\xb1\xe3\x57\xf0\x3a\x86\x18\x57\x31\x2d\xab\x30\x33\xf0\x09"
"\x57\xff\x6f\x03\xa3\x52\x40\x72\x4b\xc6\xad\xf4\x29\x09\x0f\x55\x5a\xca"
"\x56\x3f\xfb\x5e\x4b\x67\xc7\x54\x86\x14\x9f\x24\x95\x97\x1b\xf6\x53\x61"
"\x7f\x29\xe5\x0d\x59\xda\x32\x28\x8a\xfe\xab\xc7\x68\x78\x7d\x2e\x83\x0c"
"\x70\xd5\xf0\xdb\xd8\xdb\x5e\x99\x23\xb8\x89\x3f\x32\xc4\xcd\xc0\xd8\x13"
"\x0c\xae\xfa\xde\x59\xd7\xf5\xe2\x70\xf8\xb5\x48\x7b\x69\x81\x5d\xd8\xce"
"\xc6\xd3\xdf\xa3\xca\x30\x89\x87\xf2\x97\x0a\xb3\xe8\x71\x4c\xdb\xae\x27"
"\xdc\x22\xfa\x43\x48\x05\xc9\x28\x4b\x90\x48\x40\xa9\x2b\xc7\x64\x90\xc1"
"\x5c\x6a\x04\xdf\x13\x79\x40\xd4\x8f\x7a\xc6\x28\x5f\x85\x86\x11\x37\x6f"
"\x44\x7e\xba\xf1\x1c\xe4\x01\x40\x66\xd5\x7e\x5f\xa5\x79\xb5\x88\xe0\xd7"
"\x95\xfb\x03\x22\xd1\xb8\x60\x6f\xaf\x95\x07\x09\x2b\xe3\xe3\x20\x18\x4a"
"\x53\x24\xdf\x47\x79\x2e\x8b\x01\x5e\xe2\x7a\xce\x73\xb0\xbc\x05\xf3\xef"
"\xf2\xc2\xa9\xee\x45\x75\x2d\xf3\x2a\x85\xb1\xad\x56\x79\xae\xdb\xe4\x0a"
"\xc5\x95\x11\x93\x89\x29\xe2\x10\xa4\x09\xe5\x38\xc1\x39\xd1\xfb\x93\x89"
"\x1d\x2b\x99\x08\xf9\x15\xb9\xc5\x56\x78\x8b\xb8\x92\x6b\x6a\x96\x92\x30"
"\x38\xa1\x19\xeb\x68\xbc\xb5\x28\xa4\x2e\x97\xf8\xfb\xd4\x9e\x7d\x5b\xb3"
"\xe5\x19\x87\xcc\xa5\x90\xea\x8a\x18\xe0\x49\xf6\x4d\x8c\x99\x4d\x63\xa7"
"\x07\xc4\x41\xe6\x35\x09\xf9\x09\xad\xf5\xf7\xc2\x6d\x36\x71\x4b\xd5\x63"
"\x07\x51\x30\x03\xf8\xf8\x5f\x20\xc8\xfe\xa4\x24\x86\x27\xd2\xf1\x98\x91"
"\xba\xef\x9b\x13\x4a\x8e\xcb\x6e\x3d\xa6\x23\x2c\x5b\x81\x8d\x74\x69\x64"
"\x50\x38\x31\x2b\x6b\x95\x2f\x78\x2f\x28\xcc\xd1\x99\x36\x7a\x51\xf7\x50"
"\x92\x7e\x5f\x11\xef\x04\xcb\x29\x9d\xc7\xba\x0c\x24\x50\x01\x34\xd3\xa9"
"\xa0\xa4\xf6\x29\x03\xae\x93\x0f\x5b\xa4\x9c\x39\x85\x5f\xfc\x4a\xba\x6c"
"\xc9\xd4\x00\x07\x5f\x09\x48\x75\xdb\x9e\xbc\xbc\xbb\x35\x30\x94\x21\xd0"
"\x8a\x92\x8b\x02\x16\xdc\xbb\xf7\x18\x76\x1b\x01\xb4\xd4\x1c\xf5\x5b\x0b"
"\x2b\xf4\xc8\x96\x03\xa6\x1e\x5a\xc2\xf5\xbf\x52\x36\xd4\xbe\xe9\x06\x17"
"\xe1\xb2\xfd\xc3\xa4\x54\x0d\xb2\xc8\x95\x61\xc1\xcb\x9b\x1e\x28\x43\x60"
"\x13\x54\x6e\x65\x4e\x36\xfa\x32\x80\x97\xce\x8a\x4b\xaf\x5a\x2f\xd7\x8f"
"\x9b\xca\x61\x7b\xd4\xde\x06\x2d\xbb\xc3\x8c\x73\x56\x23\x2b\x38\x58\x23"
"\xb6\xc6\x04\xa4\x01\xf4\x3f\x58\x64\x11\x1e\xff\x29\x04\x5c\x12\xb6\xc6"
"\x22\x18\x2e\x09\x7c\xaa\x5a\x99\x45\x13\x33\x75\xb4\x6d\xc0\xe2\x68\xe8"
"\x60\xdd\x58\xb6\x24\x03\xc4\x13\x93\xf0\x2c\x7f\x1d\x23\xa1\xd0\xda\xad"
"\x5d\x2e\xb7\xa0\x85\x38\x7e\xa6\xb8\x1c\xeb\x61\x91\xd5\xff\xa7\xf5\x88"
"\x48\x99\x6c\xaa\xd4\x79\x6e\xe8\xd9\xe1\xba\xd0\x72\x45\x5a\x37\xd8\xb6"
"\x48\x88\xcb\x40\x07\xf3\x44\x78\x3a\xfc\xa2\x2d\xb0\x7a\x2c\xcb\x85\x31"
"\xc6\xa9\xd6\x9b\xff\xdf\x1f\x94\x9e\x3f\xce\x89\xf2\x23\x11\x95\x95\xc5"
"\xb9\xbf\xa5\x18\x93\xff\x36\x84\x9b\xe6\x1f\xf0\x29\x39\x36\x0a\x5d\x5b"
"\x0e\x05\xd2\x2a\xa3\xa1\xf1\x6c\x27\x10\x3e\xde\xb0\x0c\x0f\x76\x3b\xd4"
"\x25\x18\x05\xec\x8d\x89\x46\x92\xcd\x16\x36\xb4\xb1\xc9\x6a\xb6\x13\x89"
"\x6c\x17\xb2\xfb\x8a\x41\x4a\x91\x46\x3d\x54\xf1\x45\xe1\xd4\x93\x78\xe7"
"\x26\xe5\x92\x1d\x8c\xd3\x4a\xeb\x17\x6a\x36\x70\x1c\x9b\x75\x31\x18\x06"
"\xef\xcf\x40\x2d\x43\x45\x03\x4d\x7f\xd5\x16\x58\x57\xbd\x2c\xd0\x7b\x32"
"\xa1\x83\x34\xa3\xcf\x35\x8d\xad\xbc\x81\x44\xb8\x06\x12\x08\x05\xa0\x77"
"\x14\xd8\xd0\x02\x9f\xe0\xdb\x79\x58\xbb\xb6\x9b\x9a\x21\x6e\x59\x45\xfd"
"\xf0\xb8\x92\x66\x5c\x0b\xad\x2c\xd8\x22\x79\x7d\x5c\x72\x23\x09\x4c\xd5"
"\x40\x42\xc7\x81\xfb\xa9\xd7\xf0\x5a\x16\x9f\x39\x02\x25\x38\x5d\x5c\x05"
"\x58\x96\xdc\x8a\x62\x0a\x63\x7a\x7c\x73\xee\x77\xfb\xf2\x15\x2f\xb6\x2a"
"\xf9\xbc\xbe\x01\x38\x9d\xd8\x46\x72\x4f\xa2\x4c\xa6\x08\x8d\x2b\xdd\xf9"
"\xbc\xae\x4d\x9e\x11\xf8\x62\x66\xe4\xd8\x7f\x6b\x11\xf3\x72\x1c\x30\xc3"
"\xf4\x8d\xdf\xec\xb7\x62\x38\x02\xc7\xe3\xf5\x95\xb0\x88\x47\x37\x47\xd2"
"\x5b\x70\xbb\xdf\x89\x20\x92\x4c\x6b\xb9\xe2\x02\xe6\xd5\x4e\x34\x0a\x46"
"\x9e\x8e\xcf\x66\xb4\x9d\xda\x00\x36\xa7\xd0\x71\x49\x27\x42\x59\x3c\x2e"
"\x02\xbd\x7b\xd7\x03\x77\x4f\x2a\xc8\xc4\x5d\xbf\xa1\xf8\xce\x4c\x20\x5a"
"\x05\x06\x43\x62\xbf\x28\x19\xe8\x0b\xd4\x06\x36\x7a\x86\xec\xe3\xf5\xd5"
"\x4b\x43\x02\x9b\x3f\x7f\xcc\x23\x78\xc5\xe3\x3e\x8d\xe6\x6f\xa5\xf3\xc4"
"\x97\x43\x10\xc3\xac\x4d\x2a\xb1\x23\x4b\x1f\xea\x14\xd7\x15\x12\xc5\x78"
"\xdf\xab\x15\x4a\x74\xdc\x66\xc8\xa5\xff\x98\x3a\x41\xe0\x2c\x57\xc5\x8c"
"\xd9\xc3\xa7\x7d\x22\xf1\x5f\x8a\x6a\xbe\x41\xde\x51\xce\x4a\x92\x15\x1e"
"\xe2\x5c\x6f\x2c\x4f\xeb\x04\x53\xb4\xf8\x6f\xb4\xc7\xe1\x90\x63\xb8\x71"
"\xff\x64\x58\xb2\xad\x51\xb9\x92\xdf\x6b\x16\xde\x3a\x5a\x2f\x59\x35\xc8"
"\x5d\x5a\x87\x09\xd8\x29\x43\xc6\x45\xf6\x19\x9e\x76\xb3\x8d\x71\x8b\x86"
"\x94\x56\x38\xd9\x2d\xaa\x15\xae\xb9\xbe\xaa\x53\x02\x8a\x42\x5c\x6e\xe9"
"\x0d\xbd\x58\xb5\x7f\x4a\x74\x8e\xc0\x03\x7f\xca\x72\x58\x12\xaa\xac\x8e"
"\x20\x1d\x51\x21\xc0\x6c\x9d\x3b\xfc\xbe\x79\x9b\x9f\xa2\x84\x40\xfc\xee"
"\xc7\x8a\x5d\x39\xa1\x12\x62\x6b\xd0\xf9\xe5\x30\xcb\x55\x73\x08\x3e\x6b"
"\x3b\x0c\xe5\xef\x60\xe8\x5e\xa6\x43\x33\x1d\x45\x66\x3f\x30\x9d\x75\xd3"
"\x6c\x88\xed\x56\xab\xba\xc7\x46\x72\xda\xa7\x2c\x2f\x18\x0a\xb5\xd1\x17"
"\xd2\xab\x17\xdb\x9e\x36\xa8\x07\xbc\xaa\x62\xa0\x7a\xa5\x48\x6d\x39\xd6"
"\x3f\x64\xd2\x3f\x03\xe5\x8f\x6f\xa3\x46\xb3\x90\x05\xcd\xe0\x51\x21\xec"
"\xc2\x14\x6a\xe9\x82\xd0\x25\x32\xa2\xde\xb9\x0d\x8b\x9c\xfd\x32\xff\x03"
"\xa5\x29\x49\x33\x29\x2f\xb3\xd5\x87\x60\xbc\x81\xa7\x2d\xf0\xe6\x02\xb9"
"\xb4\xb7\xe4\x07\xbc\x54\x29\x24\xe9\x76\x3f\xe0\xd4\xbd\x53\x46\xcc\xb9"
"\xe1\x0b\x1e\xa7\xda\xde\x31\xd4\xbb\xc9",
4096);
syscall(__NR_ioctl, r[2], 0x4080aebf, 0x20000280ul);
syscall(__NR_ioctl, r[2], 0xae80, 0ul);
return 0;
}