tradere
基本vm结构分析
ptrace 父子进程调试,父进程追踪子进程 int 3 指令的位置,替换成相应的操作,因为开始的赋值操作导致数据结构不好看,可以考虑 dump + nop 初始化的方式。
每次 int 3 触发之后,会执行一个结构体中的函数,结构体如下定义。
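/*
 * One node of the VM's control-flow tree, exactly as laid out in the traced
 * binary (the dump in ida_chars is a flat array of these 32-byte records).
 * Field order and widths are the on-disk layout and must not be changed.
 *
 * Written as plain C: the IDA output used bare type names (C++ only) and the
 * MSVC-only __fastcall qualifier, which x86-64 compilers accept and ignore.
 */
struct data
{
    /* Successor when the handler returns 0; also the node saved by opcode 4. */
    struct data *lchild;
    /* Successor when the handler returns 1, or unconditionally when func is NULL. */
    struct data *rchild;
    /*
     * Handler run by the parent on each int 3 trap: it receives the child's
     * register set and returns an opcode (0/1 choose a child, 2..4 drive the
     * parent-side stack).  In a dumped copy this value is an address inside
     * the original process — use it only as a tag to match against the
     * handler table, never as a callable pointer.
     */
    long long (*func)(struct user_regs_struct *);
    /* 64-bit operand of the node; the pseudocode reads it as ptr->RIP (the
     * child's rip for this block, also pushed as a return address) — confirm. */
    long long reg2;
};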
经过遍历结构体,去重得到一共只会执行以下几个函数。
0000000000401C31 // if eflags is less,return 1 else 0
0000000000401CA6 // if eflags is less or equal,return 1 else 0
0000000000401D22 // if eflags is not zero,return 1 else 0
0000000000401D5B // if eflags is zero,return 1 else 0
0000000000401DCD // if eflags is not sign,return 1 else 0
0000000000401E96 // return 2
0000000000401EA5 // return 3
0000000000401EB4 // return 4
0000000000401F0C // if eflags is greater,return 1 else 0
0000000000000000 // jmp to rchild
分析父进程的操作
unsigned __int64 __fastcall parentrun(unsigned int pid)
{
//some definition
v13 = __readfsqword(0x28u);
v7 = 0;
sp = 0;
ptr = (data *)qword_606AC0;
wait((__WAIT_STATUS)&stat_loc);
while ( (unsigned __int8)stat_loc == 0x7F )
{
ptrace(PTRACE_GETREGS, pid, 0, &regs);
v8 = ptrace(PTRACE_PEEKTEXT, pid, regs.rip, 0);
v10 = (unsigned __int8)ptrace(PTRACE_PEEKDATA, pid, regs.rip - 1, 0);
if ( v10 != 0xCC )
{
ptrace(PTRACE_KILL, pid, 0, 0);
exit(0);
}
v4 = 1;
if ( ptr->func )
{
opcode = ptr->func(&regs);
if ( opcode == 1 )
{
ptr = ptr->rchild;
}
else if ( opcode )
{
switch ( opcode )
{
case 2: // get next ptr from my stack
if ( sp rchild;
ptr = ptr->lchild;
regs.rsp -= 8LL; // push RIP,wait to return
ptrace(PTRACE_POKEDATA, pid, regs.rsp, ptr->RIP);
v4 = 0;
break;
case 4: // lchild push to my stack and goto rchild block
if ( sp > 0x30 )
exit(-1);
stack[sp++] = ptr->lchild;
regs.rsp -= 8LL;
ptr = ptr->rchild;
break;
case 5: // not used
if ( sp > 0x30 )
exit(-1);
/* ... */
}
}
else
{
ptr = ptr->lchild;
}
}
else
{
ptr = ptr->rchild; // NULL Function Process
}
if ( v4 ) // attention to new block
regs.rip = ptr->RIP;
ptrace(PTRACE_SETREGS, pid, 0, &regs);
if ( ptrace(PTRACE_CONT, pid, 0, 0)
根据还原的伪代码逻辑也可以看出:
第一步,断 fork,dump 结构体内容,保存为 .h 文件
#pragma once
/*
 * Register set of the traced child as delivered by PTRACE_GETREGS, copied
 * field-for-field from the x86-64 layout of Linux's struct user_regs_struct
 * (<sys/user.h>) so the dump can be parsed on a host without that header.
 * Do not include both — the two definitions clash.  The field order is the
 * kernel's layout and must not be edited.
 */
struct user_regs_struct
{
unsigned long long r15;
unsigned long long r14;
unsigned long long r13;
unsigned long long r12;
unsigned long long rbp;
unsigned long long rbx;
unsigned long long r11;
unsigned long long r10;
unsigned long long r9;
unsigned long long r8;
unsigned long long rax;
unsigned long long rcx;
unsigned long long rdx;
unsigned long long rsi;
unsigned long long rdi;
unsigned long long orig_rax;
unsigned long long rip; /* parent checks the byte before it is 0xCC, then rewrites it to the next block */
unsigned long long cs;
unsigned long long eflags; /* the handlers (less / zero / sign / greater ...) decide on this */
unsigned long long rsp; /* lowered by 8 by the parent when the VM pushes a return address */
unsigned long long ss;
unsigned long long fs_base;
unsigned long long gs_base;
unsigned long long ds;
unsigned long long es;
unsigned long long fs;
unsigned long long gs;
};
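/*
 * One node of the VM's control-flow tree, exactly as laid out in the traced
 * binary (the dump in ida_chars is a flat array of these 32-byte records).
 * Field order and widths are the on-disk layout and must not be changed.
 *
 * Written as plain C: the IDA output used bare type names (C++ only) and the
 * MSVC-only __fastcall qualifier, which x86-64 compilers accept and ignore.
 */
struct data
{
    /* Successor when the handler returns 0; also the node saved by opcode 4. */
    struct data *lchild;
    /* Successor when the handler returns 1, or unconditionally when func is NULL. */
    struct data *rchild;
    /*
     * Handler run by the parent on each int 3 trap: it receives the child's
     * register set and returns an opcode (0/1 choose a child, 2..4 drive the
     * parent-side stack).  In a dumped copy this value is an address inside
     * the original process — use it only as a tag to match against the
     * handler table, never as a callable pointer.
     */
    long long (*func)(struct user_regs_struct *);
    /* 64-bit operand of the node; the pseudocode reads it as ptr->RIP (the
     * child's rip for this block, also pushed as a return address) — confirm. */
    long long reg2;
};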
unsigned char ida_chars[] =
{
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x60, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE0, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF7, 0x09, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x75, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFD, 0x0A,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x03, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7E, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x6E, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x79, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x79, 0x0B, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x74, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C, 0x0B, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x77, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x22, 0x1D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x81, 0x0B,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x71, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA0, 0x7B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAB, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x71,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x81, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x22, 0x1D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xBE, 0x0B, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xEB, 0x0B, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x70, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF8, 0x0B, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x7B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0x0B,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7A, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x7F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x7D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x25, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x0C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x81, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x47, 0x0C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x6B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4F, 0x0C,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x7B, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x6E, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x74, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x72,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7A, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x7C, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x7F,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x84, 0x0C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8C, 0x0C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x72, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x0C,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x7A, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCF, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x79,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x80, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xDF, 0x0C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x80,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x1F, 0x0D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x45, 0x0D, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x80, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x0D,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x58, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x76, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5B, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x6D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x71,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x90, 0x0D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA3, 0x0D, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDB, 0x0D,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x74, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x73, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE0, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xEF, 0x0D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x1A, 0x0E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x22, 0x0E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x77, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x60, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3A, 0x0E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x55, 0x0E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5D, 0x0E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x5C, 0x0F, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCD, 0x1D,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6A, 0x0F, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7A, 0x0F,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x79, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x83, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x80, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB1, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC1, 0x0F, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC9, 0x0F, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x79, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x77, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDB, 0x0F,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x6B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEE, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xF6, 0x0F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xF9, 0x0F, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x6D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFB, 0x0F, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x7B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFC, 0x0F,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x81, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x72,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x08, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x18, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x32, 0x10, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x6D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x34, 0x10, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x70, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x4D, 0x10,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x71, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x6C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x81, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x73, 0x10, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x10, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x6B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, 0x11, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x7C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x84, 0x11,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7C, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x71, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x9E, 0x11, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x81,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7C, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB1, 0x11, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x7A,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC4, 0x11, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE0, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x11, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x12,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA0, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x0B, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0C, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x80,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x13, 0x12, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x12, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x74, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49, 0x12,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x74, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x54, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5C, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x72,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x9F, 0x12, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x74, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x10, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xAA, 0x12, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x6D, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB2, 0x12,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x78, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB8, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x73,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x08, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC1, 0x12, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC3, 0x12, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE7, 0x12,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x80, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x80, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xEF, 0x12, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x6E, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0A, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x74,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x12, 0x13, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x19, 0x13, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x7C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x24, 0x13,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x79, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x7C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2A, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x3D, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x7F, 0x13, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8A, 0x13, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x70, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x6E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x13,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x7A, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x90, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x73,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC3, 0x13, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x6C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xCE, 0x13, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x13, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x76, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0x13,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6A, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x75, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0C, 0x1F, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x07, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x7A,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0F, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x74, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x1C, 0x14, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x76, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2F, 0x14, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x7A, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x14,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x79, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x7F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x76, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6E,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x75, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x8B, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7E,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x90, 0x14, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x98, 0x14, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x71, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x14,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA1, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x75,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xAD, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x79,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xBD, 0x14, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC4, 0x14, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x7B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC7, 0x14,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x70, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xCD, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x72,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xD5, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xDA, 0x14, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDC, 0x14, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x7F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x76, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF1, 0x14,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xFA, 0x14, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x6C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x05, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x18, 0x15, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1A, 0x15, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x76, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x25, 0x15,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x38, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x78,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x61, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x76,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0x1C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x66, 0x15, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x76, 0x15, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA0, 0x71, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x89, 0x15,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x70, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x8A, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x78,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x76, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x8B, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x94, 0x15, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x9C, 0x15, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA1, 0x15,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAD, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x76,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x7E, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB2, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xBA, 0x15, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x7F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCC, 0x15, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE1, 0x15,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x73, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE3, 0x15, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x7A,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x70, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x12, 0x16, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x73, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7E,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x33, 0x16, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x6B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA0, 0x08, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3E, 0x16, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xA0, 0x79, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x58, 0x16,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6E, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x7F, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5E, 0x16, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x80,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x79, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x22, 0x1D, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x72, 0x16, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x7A, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x84, 0x16, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x7B, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBF, 0x16, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x6B, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x17,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x96, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x03, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x7B,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0A, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xE0, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x13, 0x17, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x20, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1B, 0x17, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x78, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x26, 0x17,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x73, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x72, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB9, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x6E,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xC4, 0x17, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x76,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xD1, 0x17, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA0, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x40, 0x6C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE1, 0x17, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x78, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x71, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5B, 0x1D, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF4, 0x17,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x7F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x08, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0D, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x7D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x31, 0x18, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x79, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x39, 0x18, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x70, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x18,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6B, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x80, 0x77, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x4E, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6F,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x6F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x5B, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x64, 0x18, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x80, 0x75, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x6F, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA3, 0x18, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x6C, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x7D, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB7, 0x18,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x73, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x6E, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xA6, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xBC, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6F, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xCC, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xC0, 0x73, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x08,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA5, 0x1E, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0xCE, 0x18, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x96, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE2, 0x18, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x60, 0x75, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0x72, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE5, 0x18,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x20, 0x75, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xF0, 0x18, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x77, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x3C, 0x19, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x53, 0x19, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x7E, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x60, 0x80, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5E, 0x19, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x73, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0x40, 0x77, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x31, 0x1C, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA2, 0x19,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x7D, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x7E, 0x60, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB4, 0x1E, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xAC, 0x19, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xA0, 0x6D,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x80, 0x60, 0x00,
0x00, 0x00, 0x00, 0x00, 0x31, 0x1C, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xB7, 0x19, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x6C,
0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xCA, 0x19, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE0, 0x7C, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00,
0x80, 0x77, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB4, 0x1E,
0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD2, 0x19, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00
};
第一步可以验证前面两个猜想,一个是找 func 函数,去重,用一个 set 做就行,另一个是当 func return 3 的时候,输出 rchild,观察函数。第一步不给代码了,第二步运行一下:
#include
#include
#include
#include
#include
#include
#include
#include"tradre.h"
// Deduplicated addresses: printstruct adds the rchild of every node whose
// handler is the "return 3" stub, so the set ends up holding call targets.
std::set s;
// Per-node visited flags, sized above the dumped node array (indices 0..180).
bool visited[200] = { 0 };
// Record the rchild of every node whose handler is the "return 3" stub
// (0x401EA5, the vm's "call through rchild" case); idx is accepted for
// interface compatibility with the other node visitors but is unused here.
void printstruct(data* p, int idx) {
	const unsigned long long handler = (unsigned long long)p->func;
	if (handler != 0x0000000000401EA5ULL) {
		return;
	}
	s.insert((unsigned long long)p->rchild);
}
int main() {
data* p = ((data*)ida_chars) + 1;
for (int i = 0; i
运行可以发现,输出地址均为 plt 表中的地址。
0000000000400810
0000000000400820
0000000000400830
0000000000400840
0000000000400860
0000000000400870
00000000004008A0
00000000004008C0
00000000004008D0
0000000000400900
基本块恢复
后续我还做了一张 dot 图,可以直观地看到节点之间的控制关系。
#include
#include
#include
#include
#include
#include
#include
#include"tradre.h"
// Deduplicated addresses gathered while walking the node array (printdot
// inserts each node's RIP field here).
std::set s;
// Per-node visited flags, sized above the dumped node array (indices 0..180).
bool visited[200] = { 0 };
// vm handler address -> what the parent does after calling the node's func.
// Condition handlers return 1 when the flag test holds (control goes to
// rchild) and 0 otherwise (lchild); 2/3/4 select stack pop, PLT call via
// rchild, and stack push of lchild. The 0 key stands for a NULL func.
// NOTE: std::map::operator[] default-inserts "" for an unknown handler
// address, so an unexpected func prints an empty label instead of failing.
std::map eflagsConditionMap = {
{ 0x0000000000401C31, "if eflags is less, return 1 else 0 // JL" },
{ 0x0000000000401CA6, "if eflags is less or equal, return 1 else 0 // JLE" },
{ 0x0000000000401D22, "if eflags is not zero, return 1 else 0 // JNE/JNZ" },
{ 0x0000000000401D5B, "if eflags is zero, return 1 else 0 // JE/JZ" },
{ 0x0000000000401DCD, "if eflags is not sign, return 1 else 0 // JNS" },
{ 0x0000000000401F0C, "if eflags is greater, return 1 else 0 // JG" },
{ 0x0000000000401E96, "return 2" },
{ 0x0000000000401EA5, "return 3" },
{ 0x0000000000401EB4, "return 4" },
{0x00,"NULL"},
};
// PLT stub address -> imported symbol; the rchild of a "return 3" node is
// looked up here to name the callee.
std::map plt_map = {
{0x400810, "_puts"},
{0x400820, "___stack_chk_fail"},
{0x400830, "_printf"},
{0x400840, "_memset"},
{0x400850, "_alarm"},
{0x400860, "_read"},
{0x400870, "_srand"},
{0x400880, "_signal"},
{0x400890, "_ptrace"},
{0x4008A0, "_setvbuf"},
{0x4008B0, "_perror"},
{0x4008C0, "_atoi"},
{0x4008D0, "_exit"},
{0x4008E0, "_wait"},
{0x4008F0, "_fork"},
{0x400900, "_rand"}
};
int calc_child(unsigned long long child, unsigned long long base) {
if ((child - base) / sizeof(data) >= 0 && (child - base) / sizeof(data) lchild, 0x606AC0);
int ridx = calc_child((unsigned long long)p->rchild, 0x606AC0);
if (lidx != -1) {
printf("%d -> %d;\n", idx, lidx);
}
if (ridx != -1) {
printf("%d -> %d;\n", idx, ridx);
}
}
// Emit one graphviz node statement for node p at index idx: the handler's
// description, each child as a node index (or the raw lchild pointer / the
// rchild's PLT name when the child is not a node), and the block's RIP.
// The RIP is also remembered in the global set s.
// NOTE(review): every sprintf/strcat below writes into fixed 0x1000-byte
// buffers with no length check; this holds only while each piece stays
// short (map strings plus %d/%p fields). snprintf with the remaining size
// would make the concatenation safe regardless of the map contents.
void printdot(data* p, int idx) {
char descript[0x1000] = { 0 };
char tmp[0x1000];
// calc_child yields -1 when the pointer is not inside the node array.
int lidx = calc_child((unsigned long long)p->lchild, 0x606AC0);
int ridx = calc_child((unsigned long long)p->rchild, 0x606AC0);
// operator[] default-inserts "" for an unknown handler address.
sprintf(tmp, "%d [label = \"idx: %d\\n func :%s\\n ", idx, idx, eflagsConditionMap[(unsigned long long)p->func].c_str());
strcat(descript, tmp);
if (lidx != -1) {
sprintf(tmp, "lchild idx: %d\\n ", lidx);
strcat(descript, tmp);
}
else {
// A non-node lchild is printed as a raw pointer.
sprintf(tmp, "lchild data: %p\\n ", p->lchild);
strcat(descript, tmp);
//s.insert((unsigned long long)p->lchild);
}
if (ridx != -1) {
sprintf(tmp, "rchild idx: %d\\n ", ridx);
strcat(descript, tmp);
}
else {
// A non-node rchild is expected to be a PLT stub ("return 3" nodes);
// any other value silently prints as an empty name.
sprintf(tmp, "rchild data: %s\\n ", plt_map[(unsigned long long)p->rchild].c_str());
strcat(descript, tmp);
//s.insert((unsigned long long)p->rchild);
}
// reg2 is an integer field in the recovered struct, so %p is a
// format/argument mismatch (undefined behavior); cast to (void*) or use %llx.
sprintf(tmp, "RIP: %p\"];\n", p->reg2);
s.insert((unsigned long long)p->reg2);
strcat(descript, tmp);
std::cout
用输出的结果转为 dot 图。
digraph ControlFlowTree {
node [shape=box, style=rounded];
// ---------------------- 节点定义 ----------------------
// ---------------------- 边定义 ----------------------
// 边关系
}
最后得到下面的图

是的最开始拿到这张图,我也没招了,总不能真一个个看吧,随后我写了一个分析 vm 指令流的脚本,并用广搜去解析基本块之间的关系。
#include
#include
#include
#include
#include
#include
#include
#include"tradre.h"
// Set of deduplicated addresses collected during the walk.
std::set s;
// Per-node visited flags, sized above the dumped node array (indices 0..180).
bool visited[200] = { 0 };
// vm handler address -> what the parent does after calling the node's func.
// Condition handlers return 1 when the flag test holds (control goes to
// rchild) and 0 otherwise (lchild); 2/3/4 select stack pop, PLT call via
// rchild, and stack push of lchild. The 0 key stands for a NULL func.
// NOTE: std::map::operator[] default-inserts "" for an unknown handler
// address, so an unexpected func yields an empty string instead of failing.
std::map eflagsConditionMap = {
{ 0x0000000000401C31, "if eflags is less, return 1 else 0 // JL" },
{ 0x0000000000401CA6, "if eflags is less or equal, return 1 else 0 // JLE" },
{ 0x0000000000401D22, "if eflags is not zero, return 1 else 0 // JNE/JNZ" },
{ 0x0000000000401D5B, "if eflags is zero, return 1 else 0 // JE/JZ" },
{ 0x0000000000401DCD, "if eflags is not sign, return 1 else 0 // JNS" },
{ 0x0000000000401F0C, "if eflags is greater, return 1 else 0 // JG" },
{ 0x0000000000401E96, "return 2" },
{ 0x0000000000401EA5, "return 3" },
{ 0x0000000000401EB4, "return 4" },
{0x00,"NULL"},
};
// PLT stub address -> imported symbol; the rchild of a "return 3" node is
// looked up here to name the callee.
std::map plt_map = {
{0x400810, "_puts"},
{0x400820, "___stack_chk_fail"},
{0x400830, "_printf"},
{0x400840, "_memset"},
{0x400850, "_alarm"},
{0x400860, "_read"},
{0x400870, "_srand"},
{0x400880, "_signal"},
{0x400890, "_ptrace"},
{0x4008A0, "_setvbuf"},
{0x4008B0, "_perror"},
{0x4008C0, "_atoi"},
{0x4008D0, "_exit"},
{0x4008E0, "_wait"},
{0x4008F0, "_fork"},
{0x400900, "_rand"}
};
int calc_child(unsigned long long child, unsigned long long base) {
if ((child - base) / sizeof(data) >= 0 && (child - base) / sizeof(data) lchild, 0x606AC0);
int ridx = calc_child((unsigned long long)ptr->rchild, 0x606AC0);
int nextidx = 0;
switch ((unsigned long long)ptr->func)
{
case 0x0000000000000000:
//calc next idx
nextidx = ridx;
queue.push(nextidx);
printf("next RIP: %p\n", ptr->reg2);
printf("goto idx %d\n", nextidx);
break;
case 0x0000000000401E96:
// return 2
nextidx = stack.top();
stack.pop();
printf("add rsp, 8;\n");
printf("next RIP: %p\n", ptr->reg2);
queue.push(nextidx);
fprintf(stderr, "2 jmp %d -> %d\n", nowidx, nextidx);
printf("goto idx %d\n", nextidx);
break;
case 0x0000000000401EA5:
// return 3
printf("call %s", plt_map[(unsigned long long)ptr->rchild].c_str());
//printf("call %p\n", ptr->rchild);
printf(" ,ret to %p\n", ptr->reg2);
nextidx = lidx;
queue.push(nextidx);
printf("goto idx %d\n", nextidx);
break;
case 0x0000000000401EB4:
// return 4
stack.push(lidx);
printf("sub rsp 8;\n");
nextidx = ridx;
queue.push(nextidx);
printf("next RIP: %p\n", ptr->reg2);
printf("goto idx %d\n", nextidx);
break;
case 0x0000000000401CA6:
// JLE
// 0 left 1 right
printf("goto %p\nJLE %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401C31:
// JL
// 0 left 1 right
printf("goto %p\nJL %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401D22:
// JNE/JNZ
// 0 left 1 right
printf("goto %p\nJNE %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401D5B:
// JE/JZ
// 0 left 1 right
printf("goto %p\nJE %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401DCD:
// JNS
// 0 left 1 right
printf("goto %p\nJNS %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
case 0x0000000000401F0C:
// JG
// 0 left 1 right
printf("goto %p\nJG %d else %d\n", ptr->reg2, ridx, lidx);
queue.push(lidx);
queue.push(ridx);
break;
default:
printf("Unknown func %p\n", ptr->func);
break;
}
}
}
// Entry point: run the breadth-first walk over the vm node array.
int main() {
	vmrun2();
	return 0;
}
在 case 2 的处理中,我输出了下一步的块,虽然可能会有点错误,但是不影响指令分析。
把这些块解引用之后,可以输出结构体,然后编写 idapy 脚本去取指令分块重构,以 int 3 为间隔,每次扫描该块的 RIP 字段,取出该地址往下的所有指令,直到遇到 int 3 停止,这里根据 func 去处理函数:
# Resolved targets for "return 2" (pop-and-jump) nodes: block idx -> successor idx.
# Taken from the "2 jmp a -> b" lines the BFS program writes to stderr; a
# "return 2" node missing here is treated as never reached.
jumptable = {
170 : 53,
49 : 89,
27 : 120,
48 : 171,
59 : 85,
147 : 29,
114 : 132,
132 : 21,
}
# Dumped node array, one entry per 0x20-byte struct at 0x606AC0 + idx*0x20:
# idx -> [lchild, rchild, func (handler address), reg2 (RIP of the block)].
# Children that are node addresses map back to an idx via calc_idx; the
# rchild of a "return 3" node is a PLT stub address instead (see func_map).
mp = {
0: [0x607160,0x607fe0,0x401eb4,0x4009f7],
1: [0x607540,0x4008d0,0x401ea5,0x400afd],
2: [0x0,0x606f00,0x0,0x400b03],
3: [0x607dc0,0x607e00,0x401eb4,0x400b6e],
4: [0x607920,0x400870,0x401ea5,0x400b79],
5: [0x608000,0x607460,0x401ca6,0x400b7c],
6: [0x6077c0,0x607ea0,0x401d22,0x400b81],
7: [0x6071e0,0x607ba0,0x401eb4,0x400bab],
8: [0x607140,0x608120,0x401d22,0x400bbe],
9: [0x607840,0x400830,0x401ea5,0x400beb],
10: [0x6070a0,0x400870,0x401ea5,0x400bf8],
11: [0x607be0,0x607120,0x401eb4,0x400bfe],
12: [0x607ac0,0x607f60,0x401eb4,0x400c10],
13: [0x607600,0x607d20,0x401d5b,0x400c25],
14: [0x607b80,0x607ba0,0x401eb4,0x400c34],
15: [0x0,0x608100,0x0,0x400c47],
16: [0x606b80,0x400900,0x401ea5,0x400c4f],
17: [0x607b60,0x606ee0,0x401ca6,0x400c74],
18: [0x6072c0,0x607a80,0x401ca6,0x400c7c],
19: [0x607ca0,0x607f40,0x401ca6,0x400c84],
20: [0x0,0x0,0x401e96,0x400c8c],
21: [0x607280,0x606fc0,0x401eb4,0x400c96],
22: [0x0,0x607a20,0x0,0x400ccf],
23: [0x6079c0,0x608060,0x401eb4,0x400cdf],
24: [0x0,0x6080c0,0x0,0x400d1f],
25: [0x607040,0x400810,0x401ea5,0x400d45],
26: [0x608020,0x607e00,0x401eb4,0x400d4d],
27: [0x0,0x0,0x401e96,0x400d58],
28: [0x0,0x607620,0x0,0x400d5b],
29: [0x606d60,0x607120,0x401eb4,0x400d90],
30: [0x0,0x607520,0x0,0x400da3],
31: [0x0,0x0,0x401e96,0x400ddb],
32: [0x607480,0x607340,0x401d5b,0x400de0],
33: [0x606bc0,0x400900,0x401ea5,0x400def],
34: [0x606ca0,0x606b00,0x401ca6,0x400e1a],
35: [0x0,0x6080c0,0x0,0x400e22],
36: [0x6077e0,0x608060,0x401eb4,0x400e3a],
37: [0x606de0,0x400810,0x401ea5,0x400e55],
38: [0x0,0x0,0x401e96,0x400e5d],
39: [0x607100,0x606d40,0x401d5b,0x400f5c],
40: [0x607ec0,0x607860,0x401dcd,0x400f6a],
41: [0x0,0x0,0x401e96,0x400f7a],
42: [0x0,0x607960,0x0,0x400f83],
43: [0x606b20,0x6080e0,0x401ca6,0x400fb1],
44: [0x606c00,0x400810,0x401ea5,0x400fc1],
45: [0x607080,0x607c80,0x401eb4,0x400fc9],
46: [0x6079e0,0x607780,0x401eb4,0x400fdb],
47: [0x0,0x606b60,0x0,0x400fee],
48: [0x0,0x0,0x401e96,0x400ff6],
49: [0x0,0x0,0x401e96,0x400ff9],
50: [0x606d40,0x400820,0x401ea5,0x400ffb],
51: [0x607b40,0x606fc0,0x401eb4,0x400ffc],
52: [0x0,0x608120,0x0,0x401010],
53: [0x607260,0x4008a0,0x401ea5,0x401018],
54: [0x0,0x0,0x401e96,0x401032],
55: [0x0,0x606d00,0x0,0x401034],
56: [0x607060,0x607c80,0x401eb4,0x40104d],
57: [0x6071c0,0x606c40,0x401eb4,0x401060],
58: [0x0,0x608100,0x0,0x401073],
59: [0x0,0x0,0x401e96,0x401080],
60: [0x0,0x606b60,0x0,0x40117f],
61: [0x607c40,0x4008a0,0x401ea5,0x401184],
62: [0x607cc0,0x607120,0x401eb4,0x40119e],
63: [0x608140,0x607c80,0x401eb4,0x4011b1],
64: [0x0,0x607a40,0x0,0x4011c4],
65: [0x0,0x606ce0,0x0,0x4011ff],
66: [0x0,0x607c00,0x0,0x40120a],
67: [0x0,0x606fa0,0x0,0x40120b],
68: [0x0,0x0,0x401e96,0x40120c],
69: [0x6078c0,0x608060,0x401eb4,0x401213],
70: [0x607d00,0x608060,0x401eb4,0x40122e],
71: [0x607400,0x607e00,0x401eb4,0x401249],
72: [0x607420,0x400810,0x401ea5,0x401254],
73: [0x0,0x607f80,0x0,0x40125c],
74: [0x607500,0x607220,0x401eb4,0x40129f],
75: [0x6074e0,0x400810,0x401ea5,0x4012aa],
76: [0x606dc0,0x4008d0,0x401ea5,0x4012b2],
77: [0x0,0x6078e0,0x0,0x4012b8],
78: [0x607340,0x400820,0x401ea5,0x4012c0],
79: [0x0,0x607c00,0x0,0x4012c1],
80: [0x0,0x607b00,0x0,0x4012c3],
81: [0x606f60,0x400810,0x401ea5,0x4012e7],
82: [0x6080a0,0x608060,0x401eb4,0x4012ef],
83: [0x607000,0x606e80,0x401ca6,0x40130a],
84: [0x606f20,0x6074a0,0x401d5b,0x401312],
85: [0x606f40,0x607e80,0x401eb4,0x401319],
86: [0x607c60,0x606fc0,0x401eb4,0x401324],
87: [0x607980,0x607c80,0x401eb4,0x40132a],
88: [0x0,0x6077a0,0x0,0x40133d],
89: [0x0,0x606d00,0x0,0x40137f],
90: [0x607d20,0x400820,0x401ea5,0x40138a],
91: [0x6070c0,0x606e40,0x401ca6,0x40138b],
92: [0x0,0x607a40,0x0,0x401390],
93: [0x607320,0x400810,0x401ea5,0x4013c3],
94: [0x6075a0,0x606c40,0x401eb4,0x4013ce],
95: [0x6078a0,0x606fc0,0x401eb4,0x4013e0],
96: [0x607680,0x606c40,0x401eb4,0x4013f4],
97: [0x606ae0,0x607540,0x401f0c,0x401407],
98: [0x607ae0,0x606dc0,0x401eb4,0x40140f],
99: [0x607440,0x400810,0x401ea5,0x40141c],
100: [0x6076e0,0x400860,0x401ea5,0x40142f],
101: [0x0,0x607a20,0x0,0x401441],
102: [0x607940,0x607f60,0x401eb4,0x401476],
103: [0x606e20,0x6075c0,0x401ca6,0x40148b],
104: [0x0,0x607ea0,0x0,0x401490],
105: [0x0,0x607fa0,0x0,0x401498],
106: [0x607180,0x400820,0x401ea5,0x4014a0],
107: [0x0,0x0,0x401e96,0x4014a1],
108: [0x6075e0,0x606dc0,0x401eb4,0x4014ad],
109: [0x0,0x607900,0x0,0x4014bd],
110: [0x0,0x0,0x401e96,0x4014c4],
111: [0x607bc0,0x606fc0,0x401eb4,0x4014c7],
112: [0x0,0x607020,0x0,0x4014cd],
113: [0x607240,0x607da0,0x401ca6,0x4014d5],
114: [0x0,0x0,0x401e96,0x4014da],
115: [0x0,0x607d60,0x0,0x4014dc],
116: [0x607f20,0x6076a0,0x401eb4,0x4014f1],
117: [0x0,0x606f00,0x0,0x4014fa],
118: [0x606c80,0x607780,0x401eb4,0x401505],
119: [0x0,0x0,0x401e96,0x401518],
120: [0x0,0x607fa0,0x0,0x40151a],
121: [0x6076c0,0x607ba0,0x401eb4,0x401525],
122: [0x607700,0x400840,0x401ea5,0x401538],
123: [0x607880,0x607760,0x401ca6,0x401561],
124: [0x607200,0x607640,0x401c31,0x401566],
125: [0x606c20,0x607120,0x401eb4,0x401576],
126: [0x6071a0,0x400900,0x401ea5,0x401589],
127: [0x6070e0,0x400820,0x401ea5,0x40158a],
128: [0x607820,0x6076a0,0x401eb4,0x40158b],
129: [0x607e40,0x4008c0,0x401ea5,0x401594],
130: [0x606ec0,0x607f00,0x401ca6,0x40159c],
131: [0x0,0x0,0x401e96,0x4015a1],
132: [0x0,0x0,0x401e96,0x4015ad],
133: [0x607660,0x607e60,0x401ca6,0x4015b2],
134: [0x607e20,0x607ba0,0x401eb4,0x4015ba],
135: [0x607d40,0x607f60,0x401eb4,0x4015cc],
136: [0x0,0x0,0x401e96,0x4015e1],
137: [0x6073e0,0x606fc0,0x401eb4,0x4015e3],
138: [0x607aa0,0x6070e0,0x401d5b,0x401612],
139: [0x607360,0x607e80,0x401eb4,0x401633],
140: [0x606be0,0x4008a0,0x401ea5,0x40163e],
141: [0x6079a0,0x606fc0,0x401eb4,0x401658],
142: [0x606ea0,0x607f60,0x401eb4,0x40165e],
143: [0x608040,0x607960,0x401d22,0x401672],
144: [0x607a60,0x606fc0,0x401eb4,0x401684],
145: [0x0,0x607b00,0x0,0x4016bf],
146: [0x606b40,0x400900,0x401ea5,0x401702],
147: [0x0,0x0,0x401e96,0x401703],
148: [0x607b20,0x606fc0,0x401eb4,0x40170a],
149: [0x6072e0,0x606cc0,0x401ca6,0x401713],
150: [0x607c20,0x607220,0x401eb4,0x40171b],
151: [0x0,0x6078e0,0x0,0x401726],
152: [0x607380,0x607220,0x401eb4,0x4017b9],
153: [0x606e60,0x606fc0,0x401eb4,0x4017c4],
154: [0x0,0x607620,0x0,0x4017d1],
155: [0x6072a0,0x606c40,0x401eb4,0x4017e1],
156: [0x607800,0x607180,0x401d5b,0x4017f4],
157: [0x607fc0,0x400810,0x401ea5,0x401802],
158: [0x0,0x607f80,0x0,0x40180d],
159: [0x0,0x607d60,0x0,0x401831],
160: [0x0,0x607900,0x0,0x401839],
161: [0x0,0x607020,0x0,0x401843],
162: [0x606ba0,0x607780,0x401eb4,0x40184e],
163: [0x606fe0,0x606fc0,0x401eb4,0x40185b],
164: [0x0,0x606d20,0x0,0x401864],
165: [0x607580,0x606fc0,0x401eb4,0x4018a3],
166: [0x606c60,0x607de0,0x401ca6,0x4018b7],
167: [0x6073a0,0x606e00,0x401ca6,0x4018bc],
168: [0x0,0x606fa0,0x0,0x4018cc],
169: [0x6073c0,0x400810,0x401ea5,0x4018ce],
170: [0x0,0x0,0x401e96,0x4018e2],
171: [0x607560,0x607220,0x401eb4,0x4018e5],
172: [0x0,0x607520,0x0,0x4018f0],
173: [0x0,0x6077a0,0x0,0x40193c],
174: [0x0,0x606d20,0x0,0x401953],
175: [0x607ee0,0x608060,0x401eb4,0x40195e],
176: [0x607300,0x607740,0x401c31,0x4019a2],
177: [0x607d80,0x607e00,0x401eb4,0x4019ac],
178: [0x606da0,0x608080,0x401c31,0x4019b7],
179: [0x0,0x606ce0,0x0,0x4019ca],
180: [0x607ce0,0x607780,0x401eb4,0x4019d2],
}
# PLT stub address -> imported symbol, used to name the callee of a
# "return 3" node (its rchild holds the stub address).
func_map = {
0x400810: "_puts",
0x400820: "___stack_chk_fail",
0x400830: "_printf",
0x400840: "_memset",
0x400850: "_alarm",
0x400860: "_read",
0x400870: "_srand",
0x400880: "_signal",
0x400890: "_ptrace",
0x4008A0: "_setvbuf",
0x4008B0: "_perror",
0x4008C0: "_atoi",
0x4008D0: "_exit",
0x4008E0: "_wait",
0x4008F0: "_fork",
0x400900: "_rand",
}
import idc
import ida_bytes
import ida_ua
def print_until_int3(ea, key):
    """Print the disassembly of block `key`, starting at address `ea`.

    A label line ``idx_<key>:`` is printed first, then one line per
    instruction (address, then the disassembly text) until an int3 byte
    (0xCC), an unreadable address, or BADADDR ends the block. The int3
    itself is not printed.
    """
    print("idx_{}:".format(key))
    pos = ea
    while pos != idc.BADADDR:
        first = ida_bytes.get_bytes(pos, 1)
        # Unreadable memory or the int3 separator terminates the block.
        if not first or first[0] == 0xCC:
            break
        print("0x{:x}:".format(pos), end=' ')
        text = idc.generate_disasm_line(pos, 0)
        print("\t{}".format(text))
        pos = idc.next_head(pos)
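def calc_idx(addr, base=0x606AC0, stride=0x20):
    """Map a node address to its index in the dumped node array.

    Args:
        addr: address of a node struct in the target binary.
        base: address of node 0 (start of the array); defaults to the
            array location of this binary.
        stride: size in bytes of one node struct.

    Returns:
        ``(addr - base) // stride``. Addresses outside the array are not
        rejected here: they yield a negative or out-of-range index.
    """
    return (addr - base) // stride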
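# Condition handlers of the vm: handler address -> mnemonic. Each handler
# returns 1 when its flag test holds, which sends control to rchild; on 0
# the parent continues with lchild.
cond_jumps = {
    0x0000000000401C31: "jl",   # eflags less
    0x0000000000401CA6: "jle",  # eflags less or equal
    0x0000000000401D22: "jnz",  # eflags not zero
    0x0000000000401D5B: "je",   # eflags zero
    0x0000000000401DCD: "jns",  # eflags not sign
    0x0000000000401F0C: "jg",   # eflags greater
}
# Walk the dumped nodes in index order; for each, print the block's
# instructions and then the control transfer implied by its handler.
for key in sorted(mp.keys()):
    info = mp[key]
    addr = info[3]
    func = info[2]
    print_until_int3(addr, key)
    if func in cond_jumps:
        lidx = calc_idx(info[0])
        ridx = calc_idx(info[1])
        print(f"\t{cond_jumps[func]} idx_{ridx}")
        print(f"\tjmp idx_{lidx}")
    elif func == 0x0000000000401E96:  # return 2: pop a saved index and jump to it
        # The target is not stored in the node; it comes from the BFS trace.
        if key in jumptable:
            ridx = jumptable[key]
            print(f"\tjmp idx_{ridx}")
        else:
            print(f"\tjmp ??? ; never execute here")
    elif func == 0x0000000000401EA5:  # return 3: call the PLT stub in rchild, continue at lchild
        lidx = calc_idx(info[0])
        print(f"\tcall\t{func_map[info[1]]}@plt")
        print(f"\tjmp\tidx_{lidx}")
    elif func == 0x0000000000401EB4:  # return 4: save lchild for a later "return 2", continue at rchild
        ridx = calc_idx(info[1])
        print(f"\tjmp\tidx_{ridx}")
    elif func == 0x0000000000000000:  # no handler: fall through to rchild
        ridx = calc_idx(info[1])
        print(f"\tjmp\tidx_{ridx}")
    else:
        # Unknown handler address: stop rather than emit a wrong transfer.
        print("except\n")
        quit()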
jumptable 来源于上一个脚本向标准错误流打印的数据(方便重定向)。
运行脚本之后得到原指令流,事实上可以根据广搜结果将明显访问不到的块去掉。

如图右边这一块,但是事实上只有 80 个块你也不可能拉条儿去硬找,基本都是用 search。
idx_0:
0x4009f7: push rbp
0x4009f8: mov rbp, rsp
0x4009fb: push rbx
0x4009fc: sub rsp, 1E8h
0x400a03: mov rax, fs:28h
0x400a0c: mov [rbp+var_18], rax
0x400a10: xor eax, eax
0x400a12: mov [rbp+var_160], 0E2h
0x400a19: mov [rbp+var_160+1], 8Bh
0x400a20: mov [rbp+var_160+2], 55h ; 'U'
0x400a27: mov [rbp+var_160+3], 38h ; '8'
0x400a2e: mov [rbp+var_160+4], 69h ; 'i'
0x400a35: mov [rbp+var_160+5], 0FAh
0x400a3c: mov [rbp+var_160+6], 80h
0x400a43: mov [rbp+var_160+7], 0C2h
0x400a4a: mov [rbp+var_160+8], 64h ; 'd'
0x400a51: mov [rbp+var_160+9], 4Eh ; 'N'
0x400a58: mov [rbp+var_160+0Ah], 7Fh
0x400a5f: mov [rbp+var_160+0Bh], 0E7h
0x400a66: mov [rbp+var_160+0Ch], 13h
0x400a6d: mov [rbp+var_160+0Dh], 6
0x400a74: mov [rbp+var_160+0Eh], 14h
0x400a7b: mov [rbp+var_160+0Fh], 0C5h
0x400a82: mov [rbp+var_160+10h], 0C0h
0x400a89: mov [rbp+var_160+11h], 13h
0x400a90: mov [rbp+var_160+12h], 0D3h
0x400a97: mov [rbp+var_160+13h], 12h
0x400a9e: mov [rbp+var_160+14h], 6Bh ; 'k'
0x400aa5: mov [rbp+var_160+15h], 0BDh
0x400aac: mov [rbp+var_160+16h], 0F2h
0x400ab3: mov [rbp+var_160+17h], 0C7h
0x400aba: mov [rbp+var_160+18h], 88h
0x400ac1: mov [rbp+var_160+19h], 44h ; 'D'
0x400ac8: mov [rbp+var_160+1Ah], 3Eh ; '>'
0x400acf: mov [rbp+var_160+1Bh], 9
0x400ad6: mov [rbp+var_160+1Ch], 0E8h
0x400add: mov [rbp+var_160+1Dh], 0A3h
0x400ae4: mov [rbp+var_160+1Eh], 83h
0x400aeb: mov [rbp+var_160+1Fh], 30h ; '0'
0x400af2: lea rax, [rbp+var_160]
0x400af9: mov rdi, rax
jmp idx_169
idx_1:
0x400afd: mov edi, 0FFFFFFFFh
call _exit@plt
jmp idx_84
idx_2:
0x400b03: mov eax, [rbp+var_1C0]
0x400b09: sub eax, [rbp+var_1C8]
0x400b0f: lea edx, ds:0[rax*4]
0x400b16: mov eax, [rbp+var_1BC]
0x400b1c: add eax, edx
0x400b1e: movsxd rdx, eax
0x400b21: mov rax, [rbp+var_190]
0x400b28: add rax, rdx
0x400b2b: movzx esi, byte ptr [rax]
0x400b2e: mov eax, [rbp+var_1BC]
0x400b34: cdqe
0x400b36: movzx ecx, [rbp+rax+var_184]
0x400b3e: mov eax, [rbp+var_1C0]
0x400b44: lea edx, ds:0[rax*4]
0x400b4b: mov eax, [rbp+var_1BC]
0x400b51: add eax, edx
0x400b53: movsxd rdx, eax
0x400b56: mov rax, [rbp+var_190]
0x400b5d: add rax, rdx
0x400b60: xor esi, ecx
0x400b62: mov edx, esi
0x400b64: mov [rax], dl
0x400b66: add [rbp+var_1BC], 1
jmp idx_34
idx_3:
0x400b6e: mov rax, [rbp+var_1B8]
0x400b75: mov rdi, rax
jmp idx_154
idx_4:
0x400b79: mov edi, eax
call _srand@plt
jmp idx_115
idx_5:
0x400b7c: cmp dword ptr [rbp+var_8], 7
jle idx_77
jmp idx_170
idx_6:
0x400b81: xor eax, ebx
0x400b83: mov [rbp+var_1E2], al
0x400b89: movzx edx, [rbp+var_1E2]
0x400b90: mov rcx, cs:off_606A48; "Congratulations! This is the correct fl"...
0x400b97: mov eax, [rbp+var_1E0]
0x400b9d: cdqe
0x400b9f: add rax, rcx
0x400ba2: movzx eax, byte ptr [rax]
0x400ba5: movsx eax, al
0x400ba8: cmp edx, eax
jnz idx_159
jmp idx_104
idx_7:
0x400bab: mov ebx, eax
0x400bad: mov rax, [rbp+var_28]
0x400bb1: add rax, 1
0x400bb5: movzx eax, byte ptr [rax]
0x400bb8: movzx eax, al
0x400bbb: mov edi, eax
jmp idx_135
idx_8:
0x400bbe: xor eax, ebx
0x400bc0: mov [rbp+var_1E2], al
0x400bc6: movzx edx, [rbp+var_1E2]
0x400bcd: mov rcx, cs:off_606A48; "Congratulations! This is the correct fl"...
0x400bd4: mov eax, [rbp+var_1E0]
0x400bda: add eax, 11h
0x400bdd: cdqe
0x400bdf: add rax, rcx
0x400be2: movzx eax, byte ptr [rax]
0x400be5: movsx eax, al
0x400be8: cmp edx, eax
jnz idx_179
jmp idx_52
idx_9:
0x400beb: lea rdi, aInputYourFlag; "Input your flag: "
0x400bf2: mov eax, 0
call _printf@plt
jmp idx_108
idx_10:
0x400bf8: mov edi, 10000h
call _srand@plt
jmp idx_47
idx_11:
0x400bfe: xor eax, ebx
0x400c00: mov byte ptr [rbp+var_20+6], al
0x400c03: mov rax, [rbp+var_28]
0x400c07: movzx eax, byte ptr [rax]
0x400c0a: movzx eax, al
0x400c0d: mov edi, eax
jmp idx_51
idx_12:
0x400c10: push rbp
0x400c11: mov rbp, rsp
0x400c14: push rbx
0x400c15: sub rsp, 8
0x400c19: mov eax, edi
0x400c1b: mov byte ptr [rbp+var_C], al
0x400c1e: movzx eax, byte ptr [rbp+var_C]
0x400c22: mov edi, eax
jmp idx_165
idx_13:
0x400c25: nop
0x400c26: mov rax, [rbp+var_18]
0x400c2a: xor rax, fs:28h
je idx_147
jmp idx_90
idx_14:
0x400c34: xor ebx, eax
0x400c36: mov rax, [rbp+var_28]
0x400c3a: add rax, 3
0x400c3e: movzx eax, byte ptr [rax]
0x400c41: movzx eax, al
0x400c44: mov edi, eax
jmp idx_135
idx_15:
0x400c47: add [rbp+var_1C0], 1
jmp idx_178
idx_16:
0x400c4f: mov eax, [rbp+var_1E0]
0x400c55: cdqe
0x400c57: movzx edx, [rbp+rax+var_140]
0x400c5f: mov eax, [rbp+var_1E0]
0x400c65: cdqe
0x400c67: movzx eax, [rbp+rax+var_160]
0x400c6f: xor eax, edx
0x400c71: mov ebx, eax
call _rand@plt
jmp idx_6
idx_17:
0x400c74: cmp [rbp+var_1E0], 0Fh
jle idx_33
jmp idx_133
idx_18:
0x400c7c: cmp [rbp+var_1E0], 0Fh
jle idx_126
jmp idx_64
idx_19:
0x400c84: cmp [rbp+var_1BC], 3
jle idx_164
jmp idx_143
idx_20:
0x400c8c: add rsp, 1E8h
0x400c93: pop rbx
0x400c94: pop rbp
jmp ??? ; never execute here
idx_21:
0x400c96: xor ebx, eax
0x400c98: mov edx, ebx
0x400c9a: mov rax, [rbp+var_28]
0x400c9e: add rax, 2
0x400ca2: movzx eax, byte ptr [rax]
0x400ca5: xor edx, eax
0x400ca7: mov rax, [rbp+var_28]
0x400cab: add rax, 3
0x400caf: movzx eax, byte ptr [rax]
0x400cb2: xor eax, edx
0x400cb4: mov byte ptr [rbp+var_20+4], al
0x400cb7: mov rax, [rbp+var_28]
0x400cbb: movzx ebx, byte ptr [rax]
0x400cbe: mov rax, [rbp+var_28]
0x400cc2: add rax, 1
0x400cc6: movzx eax, byte ptr [rax]
0x400cc9: movzx eax, al
0x400ccc: mov edi, eax
jmp idx_40
idx_22:
0x400ccf: push rbp
0x400cd0: mov rbp, rsp
0x400cd3: mov [rbp+var_18], rdi
0x400cd7: mov dword ptr [rbp+var_8+4], 0
jmp idx_123
idx_23:
0x400cdf: lea rax, [rbp+var_140]
0x400ce6: mov [rbp+var_1A8], rax
0x400ced: lea rax, [rbp+var_110]
0x400cf4: mov [rbp+var_1A0], rax
0x400cfb: mov [rbp+var_1D0], 0Ah
0x400d05: mov rcx, [rbp+var_1A0]
0x400d0c: mov rax, [rbp+var_1A8]
0x400d13: mov edx, 0
0x400d18: mov rsi, rcx
0x400d1b: mov rdi, rax
jmp idx_173
idx_24:
0x400d1f: push rbp
0x400d20: mov rbp, rsp
0x400d23: sub rsp, 30h
0x400d27: mov [rbp+var_28], rdi
0x400d2b: mov [rbp+var_2C], esi
0x400d2e: mov rax, fs:28h
0x400d37: mov [rbp+var_8], rax
0x400d3b: xor eax, eax
0x400d3d: mov [rbp+var_10], 0
jmp idx_176
idx_25:
0x400d45: lea rdi, a888888D8888888; " 888 888 d8( 888 888 "...
call _puts@plt
jmp idx_44
idx_26:
0x400d4d: mov rax, [rbp+var_1A8]
0x400d54: mov rdi, rax
jmp idx_154
idx_27:
0x400d58: nop
0x400d59: pop rbp
jmp idx_120
idx_28:
0x400d5b: mov eax, dword ptr [rbp+var_8+4]
0x400d5e: movsxd rdx, eax
0x400d61: mov rax, [rbp+var_18]
0x400d65: add rax, rdx
0x400d68: movzx eax, byte ptr [rax]
0x400d6b: movzx eax, al
0x400d6e: mov edx, dword ptr [rbp+var_8+4]
0x400d71: movsxd rcx, edx
0x400d74: mov rdx, [rbp+var_18]
0x400d78: add rcx, rdx
0x400d7b: movsxd rdx, eax
0x400d7e: lea rax, sbox_enc
0x400d85: movzx eax, byte ptr [rdx+rax]
0x400d89: mov [rcx], al
0x400d8b: add dword ptr [rbp+var_8+4], 1
jmp idx_91
idx_29:
0x400d90: mov ebx, eax
0x400d92: mov rax, [rbp+var_28]
0x400d96: add rax, 1
0x400d9a: movzx eax, byte ptr [rax]
0x400d9d: movzx eax, al
0x400da0: mov edi, eax
jmp idx_51
idx_30:
0x400da3: mov eax, [rbp+var_1BC]
0x400da9: cdqe
0x400dab: movzx eax, [rbp+rax+var_184]
0x400db3: movzx eax, al
0x400db6: movsxd rdx, eax
0x400db9: lea rax, sbox_enc
0x400dc0: movzx edx, byte ptr [rdx+rax]
0x400dc4: mov eax, [rbp+var_1BC]
0x400dca: cdqe
0x400dcc: mov [rbp+rax+var_184], dl
0x400dd3: add [rbp+var_1BC], 1
jmp idx_83
idx_31:
0x400ddb: xor al, byte ptr [rbp+var_8+4]
0x400dde: leave
jmp ??? ; never execute here
idx_32:
0x400de0: nop
0x400de1: mov rax, [rbp+var_18]
0x400de5: xor rax, fs:28h
je idx_68
jmp idx_78
idx_33:
0x400def: mov eax, [rbp+var_1E0]
0x400df5: add eax, 10h
0x400df8: cdqe
0x400dfa: movzx edx, [rbp+rax+var_140]
0x400e02: mov eax, [rbp+var_1E0]
0x400e08: add eax, 10h
0x400e0b: cdqe
0x400e0d: movzx eax, [rbp+rax+var_160]
0x400e15: xor eax, edx
0x400e17: mov ebx, eax
call _rand@plt
jmp idx_8
idx_34:
0x400e1a: cmp [rbp+var_1BC], 3
jle idx_2
jmp idx_15
idx_35:
0x400e22: mov eax, [rbp+var_10]
0x400e25: movsxd rdx, eax
0x400e28: mov rax, [rbp+var_28]
0x400e2c: add rdx, rax
0x400e2f: movzx eax, byte ptr [rbp+var_18+7]
0x400e33: mov [rdx], al
0x400e35: add [rbp+var_10], 1
jmp idx_176
idx_36:
0x400e3a: mov edx, [rbp+var_1CC]
0x400e40: mov rcx, [rbp+var_1A0]
0x400e47: mov rax, [rbp+var_1A8]
0x400e4e: mov rsi, rcx
0x400e51: mov rdi, rax
jmp idx_173
idx_37:
0x400e55: lea rdi, a888888Op888888; " 888 888 .oP\"888 888 "...
call _puts@plt
jmp idx_25
idx_38:
0x400e5d: push rbp
0x400e5e: mov rbp, rsp
0x400e61: mov [rbp+var_18], rdi
0x400e65: mov rax, [rbp+var_18]
0x400e69: movzx eax, byte ptr [rax+0Dh]
0x400e6d: mov byte ptr [rbp+var_8+7], al
0x400e70: mov rax, [rbp+var_18]
0x400e74: lea rdx, [rax+0Dh]
0x400e78: mov rax, [rbp+var_18]
0x400e7c: movzx eax, byte ptr [rax+9]
0x400e80: mov [rdx], al
0x400e82: mov rax, [rbp+var_18]
0x400e86: lea rdx, [rax+9]
0x400e8a: mov rax, [rbp+var_18]
0x400e8e: movzx eax, byte ptr [rax+5]
0x400e92: mov [rdx], al
0x400e94: mov rax, [rbp+var_18]
0x400e98: lea rdx, [rax+5]
0x400e9c: mov rax, [rbp+var_18]
0x400ea0: movzx eax, byte ptr [rax+1]
0x400ea4: mov [rdx], al
0x400ea6: mov rax, [rbp+var_18]
0x400eaa: lea rdx, [rax+1]
0x400eae: movzx eax, byte ptr [rbp+var_8+7]
0x400eb2: mov [rdx], al
0x400eb4: mov rax, [rbp+var_18]
0x400eb8: movzx eax, byte ptr [rax+2]
0x400ebc: mov byte ptr [rbp+var_8+7], al
0x400ebf: mov rax, [rbp+var_18]
0x400ec3: lea rdx, [rax+2]
0x400ec7: mov rax, [rbp+var_18]
0x400ecb: movzx eax, byte ptr [rax+0Ah]
0x400ecf: mov [rdx], al
0x400ed1: mov rax, [rbp+var_18]
0x400ed5: lea rdx, [rax+0Ah]
0x400ed9: movzx eax, byte ptr [rbp+var_8+7]
0x400edd: mov [rdx], al
0x400edf: mov rax, [rbp+var_18]
0x400ee3: movzx eax, byte ptr [rax+6]
0x400ee7: mov byte ptr [rbp+var_8+7], al
0x400eea: mov rax, [rbp+var_18]
0x400eee: lea rdx, [rax+6]
0x400ef2: mov rax, [rbp+var_18]
0x400ef6: movzx eax, byte ptr [rax+0Eh]
0x400efa: mov [rdx], al
0x400efc: mov rax, [rbp+var_18]
0x400f00: lea rdx, [rax+0Eh]
0x400f04: movzx eax, byte ptr [rbp+var_8+7]
0x400f08: mov [rdx], al
0x400f0a: mov rax, [rbp+var_18]
0x400f0e: movzx eax, byte ptr [rax+3]
0x400f12: mov byte ptr [rbp+var_8+7], al
0x400f15: mov rax, [rbp+var_18]
0x400f19: lea rdx, [rax+3]
0x400f1d: mov rax, [rbp+var_18]
0x400f21: movzx eax, byte ptr [rax+7]
0x400f25: mov [rdx], al
0x400f27: mov rax, [rbp+var_18]
0x400f2b: lea rdx, [rax+7]
0x400f2f: mov rax, [rbp+var_18]
0x400f33: movzx eax, byte ptr [rax+0Bh]
0x400f37: mov [rdx], al
0x400f39: mov rax, [rbp+var_18]
0x400f3d: lea rdx, [rax+0Bh]
0x400f41: mov rax, [rbp+var_18]
0x400f45: movzx eax, byte ptr [rax+0Fh]
0x400f49: mov [rdx], al
0x400f4b: mov rax, [rbp+var_18]
0x400f4f: lea rdx, [rax+0Fh]
0x400f53: movzx eax, byte ptr [rbp+var_8+7]
0x400f57: mov [rdx], al
0x400f59: nop
0x400f5a: pop rbp
jmp ??? ; never execute here
idx_39:
0x400f5c: mov rax, [rbp+var_18]
0x400f60: xor rax, fs:28h
je idx_20
jmp idx_50
idx_40:
0x400f6a: push rbp
0x400f6b: mov rbp, rsp
0x400f6e: mov eax, edi
0x400f70: mov byte ptr [rbp+var_8+4], al
0x400f73: movzx eax, byte ptr [rbp+var_8+4]
0x400f77: test al, al
jns idx_109
jmp idx_160
idx_41:
0x400f7a: xor eax, ebx
0x400f7c: add rsp, 8
0x400f80: pop rbx
0x400f81: pop rbp
jmp ??? ; never execute here
idx_42:
0x400f83: movzx ecx, [rbp+var_184]
0x400f8a: mov eax, [rbp+var_1C0]
0x400f90: cdq
0x400f91: idiv [rbp+var_1C8]
0x400f97: sub eax, 1
0x400f9a: movsxd rdx, eax
0x400f9d: lea rax, byte_404B30
0x400fa4: movzx eax, byte ptr [rdx+rax]
0x400fa8: xor eax, ecx
0x400faa: mov [rbp+var_184], al
jmp idx_117
idx_43:
0x400fb1: mov eax, [rbp+var_1D8]
0x400fb7: sub eax, 1
0x400fba: cmp [rbp+var_1D4], eax
jle idx_177
jmp idx_3
idx_44:
0x400fc1: lea rdi, aO888oD888bY888; " o888o d888b `Y888\"\"8o `Y8b"...
call _puts@plt
jmp idx_10
idx_45:
0x400fc9: xor eax, ebx
0x400fcb: mov byte ptr [rbp+var_20+4], al
0x400fce: mov rax, [rbp+var_28]
0x400fd2: movzx eax, byte ptr [rax]
0x400fd5: movzx eax, al
0x400fd8: mov edi, eax
jmp idx_142
idx_46:
0x400fdb: mov ebx, eax
0x400fdd: mov rax, [rbp+var_28]
0x400fe1: add rax, 1
0x400fe5: movzx eax, byte ptr [rax]
0x400fe8: movzx eax, al
0x400feb: mov edi, eax
jmp idx_102
idx_47:
0x400fee: mov dword ptr [rbp+var_8], 0
jmp idx_5
idx_48:
0x400ff6: nop
0x400ff7: pop rbp
jmp idx_171
idx_49:
0x400ff9: leave
jmp idx_89
idx_50:
call ___stack_chk_fail@plt
jmp idx_20
idx_51:
0x400ffc: push rbp
0x400ffd: mov rbp, rsp
0x401000: sub rsp, 8
0x401004: mov eax, edi
0x401006: mov byte ptr [rbp+var_8+4], al
0x401009: movzx eax, byte ptr [rbp+var_8+4]
0x40100d: mov edi, eax
jmp idx_40
idx_52:
0x401010: add [rbp+var_1DC], 1
jmp idx_179
idx_53:
0x401018: mov rax, cs:stdin
0x40101f: mov ecx, 0
0x401024: mov edx, 2
0x401029: mov esi, 0
0x40102e: mov rdi, rax
call _setvbuf@plt
jmp idx_61
idx_54:
0x401032: leave
jmp ??? ; never execute here
idx_55:
0x401034: mov edx, eax
0x401036: mov eax, [rbp+var_1E0]
0x40103c: cdqe
0x40103e: mov [rbp+rax+var_180], dl
0x401045: add [rbp+var_1E0], 1
jmp idx_18
idx_56:
0x40104d: xor ebx, eax
0x40104f: mov rax, [rbp+var_28]
0x401053: add rax, 3
0x401057: movzx eax, byte ptr [rax]
0x40105a: movzx eax, al
0x40105d: mov edi, eax
jmp idx_142
idx_57:
0x401060: xor ebx, eax
0x401062: mov rax, [rbp+var_28]
0x401066: add rax, 2
0x40106a: movzx eax, byte ptr [rax]
0x40106d: movzx eax, al
0x401070: mov edi, eax
jmp idx_12
idx_58:
0x401073: mov eax, [rbp+var_1C8]
0x401079: mov [rbp+var_1C0], eax
jmp idx_178
idx_59:
0x401080: push rbp
0x401081: mov rbp, rsp
0x401084: mov [rbp+var_18], rdi
0x401088: mov rax, [rbp+var_18]
0x40108c: movzx eax, byte ptr [rax+1]
0x401090: mov byte ptr [rbp+var_8+7], al
0x401093: mov rax, [rbp+var_18]
0x401097: lea rdx, [rax+1]
0x40109b: mov rax, [rbp+var_18]
0x40109f: movzx eax, byte ptr [rax+5]
0x4010a3: mov [rdx], al
0x4010a5: mov rax, [rbp+var_18]
0x4010a9: lea rdx, [rax+5]
0x4010ad: mov rax, [rbp+var_18]
0x4010b1: movzx eax, byte ptr [rax+9]
0x4010b5: mov [rdx], al
0x4010b7: mov rax, [rbp+var_18]
0x4010bb: lea rdx, [rax+9]
0x4010bf: mov rax, [rbp+var_18]
0x4010c3: movzx eax, byte ptr [rax+0Dh]
0x4010c7: mov [rdx], al
0x4010c9: mov rax, [rbp+var_18]
0x4010cd: lea rdx, [rax+0Dh]
0x4010d1: movzx eax, byte ptr [rbp+var_8+7]
0x4010d5: mov [rdx], al
0x4010d7: mov rax, [rbp+var_18]
0x4010db: movzx eax, byte ptr [rax+2]
0x4010df: mov byte ptr [rbp+var_8+7], al
0x4010e2: mov rax, [rbp+var_18]
0x4010e6: lea rdx, [rax+2]
0x4010ea: mov rax, [rbp+var_18]
0x4010ee: movzx eax, byte ptr [rax+0Ah]
0x4010f2: mov [rdx], al
0x4010f4: mov rax, [rbp+var_18]
0x4010f8: lea rdx, [rax+0Ah]
0x4010fc: movzx eax, byte ptr [rbp+var_8+7]
0x401100: mov [rdx], al
0x401102: mov rax, [rbp+var_18]
0x401106: movzx eax, byte ptr [rax+6]
0x40110a: mov byte ptr [rbp+var_8+7], al
0x40110d: mov rax, [rbp+var_18]
0x401111: lea rdx, [rax+6]
0x401115: mov rax, [rbp+var_18]
0x401119: movzx eax, byte ptr [rax+0Eh]
0x40111d: mov [rdx], al
0x40111f: mov rax, [rbp+var_18]
0x401123: lea rdx, [rax+0Eh]
0x401127: movzx eax, byte ptr [rbp+var_8+7]
0x40112b: mov [rdx], al
0x40112d: mov rax, [rbp+var_18]
0x401131: movzx eax, byte ptr [rax+0Fh]
0x401135: mov byte ptr [rbp+var_8+7], al
0x401138: mov rax, [rbp+var_18]
0x40113c: lea rdx, [rax+0Fh]
0x401140: mov rax, [rbp+var_18]
0x401144: movzx eax, byte ptr [rax+0Bh]
0x401148: mov [rdx], al
0x40114a: mov rax, [rbp+var_18]
0x40114e: lea rdx, [rax+0Bh]
0x401152: mov rax, [rbp+var_18]
0x401156: movzx eax, byte ptr [rax+7]
0x40115a: mov [rdx], al
0x40115c: mov rax, [rbp+var_18]
0x401160: lea rdx, [rax+7]
0x401164: mov rax, [rbp+var_18]
0x401168: movzx eax, byte ptr [rax+3]
0x40116c: mov [rdx], al
0x40116e: mov rax, [rbp+var_18]
0x401172: lea rdx, [rax+3]
0x401176: movzx eax, byte ptr [rbp+var_8+7]
0x40117a: mov [rdx], al
0x40117c: nop
0x40117d: pop rbp
jmp idx_85
idx_60:
0x40117f: add dword ptr [rbp+var_8], 1
jmp idx_5
idx_61:
0x401184: mov rax, cs:stdout
0x40118b: mov ecx, 0
0x401190: mov edx, 2
0x401195: mov esi, 0
0x40119a: mov rdi, rax
call _setvbuf@plt
jmp idx_140
idx_62:
0x40119e: xor ebx, eax
0x4011a0: mov rax, [rbp+var_28]
0x4011a4: add rax, 2
0x4011a8: movzx eax, byte ptr [rax]
0x4011ab: movzx eax, al
0x4011ae: mov edi, eax
jmp idx_51
idx_63:
0x4011b1: xor ebx, eax
0x4011b3: mov rax, [rbp+var_28]
0x4011b7: add rax, 2
0x4011bb: movzx eax, byte ptr [rax]
0x4011be: movzx eax, al
0x4011c1: mov edi, eax
jmp idx_142
idx_64:
0x4011c4: lea rax, [rbp+var_180]
0x4011cb: mov [rbp+var_198], rax
0x4011d2: lea rax, [rbp+var_110]
0x4011d9: mov [rbp+var_190], rax
0x4011e0: mov [rbp+var_1C8], 4
0x4011ea: mov [rbp+var_1C4], 0Ah
0x4011f4: mov [rbp+var_1C0], 0
jmp idx_124
idx_65:
0x4011ff: mov [rbp+var_1E0], 0
jmp idx_17
idx_66:
jmp idx_138
idx_67:
jmp idx_39
idx_68:
0x40120c: add rsp, 28h
0x401210: pop rbx
0x401211: pop rbp
jmp ??? ; never execute here
idx_69:
0x401213: mov edx, [rbp+var_1D4]
0x401219: mov rcx, [rbp+var_1B0]
0x401220: mov rax, [rbp+var_1B8]
0x401227: mov rsi, rcx
0x40122a: mov rdi, rax
jmp idx_173
idx_70:
0x40122e: mov edx, [rbp+var_1D8]
0x401234: mov rcx, [rbp+var_1B0]
0x40123b: mov rax, [rbp+var_1B8]
0x401242: mov rsi, rcx
0x401245: mov rdi, rax
jmp idx_173
idx_71:
0x401249: mov rax, [rbp+var_1A8]
0x401250: mov rdi, rax
jmp idx_154
idx_72:
0x401254: lea rdi, a88888888888Y88; "8' 888 `8 "...
call _puts@plt
jmp idx_75
idx_73:
0x40125c: xor eax, ebx
0x40125e: mov byte ptr [rbp+var_20+7], al
0x401261: movzx edx, byte ptr [rbp+var_20+4]
0x401265: mov rax, [rbp+var_28]
0x401269: mov [rax], dl
0x40126b: mov rax, [rbp+var_28]
0x40126f: lea rdx, [rax+1]
0x401273: movzx eax, byte ptr [rbp+var_20+5]
0x401277: mov [rdx], al
0x401279: mov rax, [rbp+var_28]
0x40127d: lea rdx, [rax+2]
0x401281: movzx eax, byte ptr [rbp+var_20+6]
0x401285: mov [rdx], al
0x401287: mov rax, [rbp+var_28]
0x40128b: lea rdx, [rax+3]
0x40128f: movzx eax, byte ptr [rbp+var_20+7]
0x401293: mov [rdx], al
0x401295: add dword ptr [rbp+var_20], 1
0x401299: add [rbp+var_28], 4
jmp idx_166
idx_74:
0x40129f: mov rax, [rbp+var_1A8]
0x4012a6: mov rdi, rax
jmp idx_59
idx_75:
0x4012aa: lea rdi, a888OoooD8bOooo; " 888 oooo d8b .oooo. .oooo"...
call _puts@plt
jmp idx_81
idx_76:
0x4012b2: mov edi, 1
call _exit@plt
jmp idx_24
idx_77:
0x4012b8: mov dword ptr [rbp+var_8+4], 0
jmp idx_113
idx_78:
call ___stack_chk_fail@plt
jmp idx_68
idx_79:
0x4012c1: nop
jmp idx_138
idx_80:
0x4012c3: push rbp
0x4012c4: mov rbp, rsp
0x4012c7: push rbx
0x4012c8: sub rsp, 28h
0x4012cc: mov [rbp+var_28], rdi
0x4012d0: mov rax, fs:28h
0x4012d9: mov [rbp+var_18], rax
0x4012dd: xor eax, eax
0x4012df: mov dword ptr [rbp+var_20], 0
jmp idx_130
idx_81:
0x4012e7: lea rdi, a8888888pP88bD8; " 888 `888\"\"8P `P )88b d88'"...
call _puts@plt
jmp idx_37
idx_82:
0x4012ef: mov edx, [rbp+var_1D0]
0x4012f5: mov rcx, [rbp+var_1A0]
0x4012fc: mov rax, [rbp+var_1A8]
0x401303: mov rsi, rcx
0x401306: mov rdi, rax
jmp idx_173
idx_83:
0x40130a: cmp [rbp+var_1BC], 3
jle idx_30
jmp idx_42
idx_84:
0x401312: movzx eax, byte ptr [rbp+var_18+7]
0x401316: cmp al, 0Ah
je idx_79
jmp idx_35
idx_85:
0x401319: mov rax, [rbp+var_1A8]
0x401320: mov rdi, rax
jmp idx_158
idx_86:
0x401324: movzx eax, al
0x401327: mov edi, eax
jmp idx_40
idx_87:
0x40132a: mov ebx, eax
0x40132c: mov rax, [rbp+var_28]
0x401330: add rax, 1
0x401334: movzx eax, byte ptr [rax]
0x401337: movzx eax, al
0x40133a: mov edi, eax
jmp idx_142
idx_88:
0x40133d: mov eax, dword ptr [rbp+var_8+4]
0x401340: movsxd rdx, eax
0x401343: mov rax, [rbp+var_18]
0x401347: add rax, rdx
0x40134a: movzx esi, byte ptr [rax]
0x40134d: mov eax, dword ptr [rbp+var_28+4]
0x401350: shl eax, 4
0x401353: mov edx, eax
0x401355: mov eax, dword ptr [rbp+var_8+4]
0x401358: add eax, edx
0x40135a: movsxd rdx, eax
0x40135d: mov rax, [rbp+var_20]
0x401361: add rax, rdx
0x401364: movzx ecx, byte ptr [rax]
0x401367: mov eax, dword ptr [rbp+var_8+4]
0x40136a: movsxd rdx, eax
0x40136d: mov rax, [rbp+var_18]
0x401371: add rax, rdx
0x401374: xor esi, ecx
0x401376: mov edx, esi
0x401378: mov [rax], dl
0x40137a: add dword ptr [rbp+var_8+4], 1
jmp idx_103
idx_89:
0x40137f: mov [rbp+var_1E0], 0
jmp idx_18
idx_90:
call ___stack_chk_fail@plt
jmp idx_147
idx_91:
0x40138b: cmp dword ptr [rbp+var_8+4], 0Fh
jle idx_28
jmp idx_48
idx_92:
0x401390: mov eax, [rbp+var_1C0]
0x401396: movsxd rdx, eax
0x401399: mov rax, [rbp+var_198]
0x4013a0: add rax, rdx
0x4013a3: mov edx, [rbp+var_1C0]
0x4013a9: movsxd rcx, edx
0x4013ac: mov rdx, [rbp+var_190]
0x4013b3: add rdx, rcx
0x4013b6: movzx eax, byte ptr [rax]
0x4013b9: mov [rdx], al
0x4013bb: add [rbp+var_1C0], 1
jmp idx_124
idx_93:
0x4013c3: mov rax, cs:off_606A48; "Congratulations! This is the correct fl"...
0x4013ca: mov rdi, rax
call _puts@plt
jmp idx_67
idx_94:
0x4013ce: xor eax, ebx
0x4013d0: mov byte ptr [rbp+var_20+5], al
0x4013d3: mov rax, [rbp+var_28]
0x4013d7: movzx eax, byte ptr [rax]
0x4013da: movzx eax, al
0x4013dd: mov edi, eax
jmp idx_12
idx_95:
0x4013e0: push rbp
0x4013e1: mov rbp, rsp
0x4013e4: sub rsp, 8
0x4013e8: mov eax, edi
0x4013ea: mov byte ptr [rbp+var_8+4], al
0x4013ed: movzx eax, byte ptr [rbp+var_8+4]
0x4013f1: mov edi, eax
jmp idx_40
idx_96:
0x4013f4: xor ebx, eax
0x4013f6: mov rax, [rbp+var_28]
0x4013fa: add rax, 3
0x4013fe: movzx eax, byte ptr [rax]
0x401401: movzx eax, al
0x401404: mov edi, eax
jmp idx_12
idx_97:
0x401407: mov [rbp+var_C], eax
0x40140a: cmp [rbp+var_C], 0
jg idx_84
jmp idx_1
idx_98:
0x40140f: lea rax, [rbp+var_20]
0x401413: mov esi, 10h
0x401418: mov rdi, rax
jmp idx_24
idx_99:
0x40141c: push rbp
0x40141d: mov rbp, rsp
0x401420: sub rsp, 10h
0x401424: mov dword ptr [rbp+var_8+4], edi
0x401427: lea rdi, aOut; "Out!"
call _puts@plt
jmp idx_76
idx_100:
0x40142f: lea rax, [rbp+var_18+7]
0x401433: mov edx, 1
0x401438: mov rsi, rax
0x40143b: mov edi, 0
call _read@plt
jmp idx_97
idx_101:
0x401441: mov eax, dword ptr [rbp+var_8+4]
0x401444: movsxd rdx, eax
0x401447: mov rax, [rbp+var_18]
0x40144b: add rax, rdx
0x40144e: movzx eax, byte ptr [rax]
0x401451: movzx eax, al
0x401454: mov edx, dword ptr [rbp+var_8+4]
0x401457: movsxd rcx, edx
0x40145a: mov rdx, [rbp+var_18]
0x40145e: add rcx, rdx
0x401461: movsxd rdx, eax
0x401464: lea rax, inv_sbox_enc
0x40146b: movzx eax, byte ptr [rdx+rax]
0x40146f: mov [rcx], al
0x401471: add dword ptr [rbp+var_8+4], 1
jmp idx_123
idx_102:
0x401476: push rbp
0x401477: mov rbp, rsp
0x40147a: push rbx
0x40147b: sub rsp, 8
0x40147f: mov eax, edi
0x401481: mov byte ptr [rbp+var_C], al
0x401484: movzx eax, byte ptr [rbp+var_C]
0x401488: mov edi, eax
jmp idx_165
idx_103:
0x40148b: cmp dword ptr [rbp+var_8+4], 0Fh
jle idx_88
jmp idx_27
idx_104:
0x401490: add [rbp+var_1DC], 1
jmp idx_159
idx_105:
0x401498: add [rbp+var_1CC], 1
jmp idx_167
idx_106:
call ___stack_chk_fail@plt
jmp idx_54
idx_107:
0x4014a1: xor eax, ebx
0x4014a3: xor al, byte ptr [rbp+var_C]
0x4014a6: add rsp, 8
0x4014aa: pop rbx
0x4014ab: pop rbp
jmp ??? ; never execute here
idx_108:
0x4014ad: lea rax, [rbp+var_140]
0x4014b4: mov esi, 21h ; '!'
0x4014b9: mov rdi, rax
jmp idx_24
idx_109:
0x4014bd: movzx eax, byte ptr [rbp+var_8+4]
0x4014c1: add eax, eax
jmp idx_114
idx_110:
0x4014c4: nop
0x4014c5: pop rbp
jmp ??? ; never execute here
idx_111:
0x4014c7: movzx eax, al
0x4014ca: mov edi, eax
jmp idx_40
idx_112:
0x4014cd: add [rbp+var_1D4], 1
jmp idx_43
idx_113:
0x4014d5: cmp dword ptr [rbp+var_8+4], 1Fh
jle idx_151
jmp idx_60
idx_114:
0x4014da: pop rbp
jmp idx_132
idx_115:
0x4014dc: mov [rbp+var_1DC], 0
0x4014e6: mov [rbp+var_1E0], 0
jmp idx_149
idx_116:
0x4014f1: mov ebx, eax
0x4014f3: movzx eax, byte ptr [rbp+var_C]
0x4014f7: mov edi, eax
jmp idx_95
idx_117:
0x4014fa: mov [rbp+var_1BC], 0
jmp idx_34
idx_118:
0x401505: xor ebx, eax
0x401507: mov rax, [rbp+var_28]
0x40150b: add rax, 2
0x40150f: movzx eax, byte ptr [rax]
0x401512: movzx eax, al
0x401515: mov edi, eax
jmp idx_102
idx_119:
0x401518: leave
jmp ??? ; never execute here
idx_120:
0x40151a: mov [rbp+var_1CC], 1
jmp idx_167
idx_121:
0x401525: xor ebx, eax
0x401527: mov rax, [rbp+var_28]
0x40152b: add rax, 2
0x40152f: movzx eax, byte ptr [rax]
0x401532: movzx eax, al
0x401535: mov edi, eax
jmp idx_135
idx_122:
0x401538: push rbp
0x401539: mov rbp, rsp
0x40153c: sub rsp, 20h
0x401540: mov rax, fs:28h
0x401549: mov [rbp+var_8], rax
0x40154d: xor eax, eax
0x40154f: lea rax, [rbp+var_20]
0x401553: mov edx, 14h
0x401558: mov esi, 0
0x40155d: mov rdi, rax
call _memset@plt
jmp idx_98
idx_123:
0x401561: cmp dword ptr [rbp+var_8+4], 0Fh
jle idx_101
jmp idx_110
idx_124:
0x401566: mov eax, [rbp+var_1C8]
0x40156c: shl eax, 2
0x40156f: cmp [rbp+var_1C0], eax
jl idx_92
jmp idx_58
idx_125:
0x401576: xor ebx, eax
0x401578: mov rax, [rbp+var_28]
0x40157c: add rax, 3
0x401580: movzx eax, byte ptr [rax]
0x401583: movzx eax, al
0x401586: mov edi, eax
jmp idx_51
idx_126:
call _rand@plt
jmp idx_55
idx_127:
call ___stack_chk_fail@plt
jmp idx_49
idx_128:
0x40158b: mov ebx, eax
0x40158d: movzx eax, byte ptr [rbp+var_C]
0x401591: mov edi, eax
jmp idx_95
idx_129:
0x401594: lea rax, [rbp+var_20]
0x401598: mov rdi, rax
call _atoi@plt
jmp idx_156
idx_130:
0x40159c: cmp dword ptr [rbp+var_20], 3
jle idx_162
jmp idx_32
idx_131:
0x4015a1: xor eax, ebx
0x4015a3: xor al, byte ptr [rbp+var_C]
0x4015a6: add rsp, 8
0x4015aa: pop rbx
0x4015ab: pop rbp
jmp ??? ; never execute here
idx_132:
0x4015ad: xor al, byte ptr [rbp+var_8+4]
0x4015b0: leave
jmp idx_21
idx_133:
0x4015b2: cmp [rbp+var_1DC], 1Fh
jle idx_157
jmp idx_93
idx_134:
0x4015ba: xor eax, ebx
0x4015bc: mov byte ptr [rbp+var_20+6], al
0x4015bf: mov rax, [rbp+var_28]
0x4015c3: movzx eax, byte ptr [rax]
0x4015c6: movzx eax, al
0x4015c9: mov edi, eax
jmp idx_135
idx_135:
0x4015cc: push rbp
0x4015cd: mov rbp, rsp
0x4015d0: push rbx
0x4015d1: sub rsp, 8
0x4015d5: mov eax, edi
0x4015d7: mov byte ptr [rbp+var_C], al
0x4015da: movzx eax, byte ptr [rbp+var_C]
0x4015de: mov edi, eax
jmp idx_165
idx_136:
0x4015e1: leave
jmp ??? ; never execute here
idx_137:
0x4015e3: mov edx, eax
0x4015e5: mov rax, [rbp+var_28]
0x4015e9: add rax, 1
0x4015ed: movzx eax, byte ptr [rax]
0x4015f0: xor edx, eax
0x4015f2: mov rax, [rbp+var_28]
0x4015f6: add rax, 2
0x4015fa: movzx eax, byte ptr [rax]
0x4015fd: xor edx, eax
0x4015ff: mov ebx, edx
0x401601: mov rax, [rbp+var_28]
0x401605: add rax, 3
0x401609: movzx eax, byte ptr [rax]
0x40160c: movzx eax, al
0x40160f: mov edi, eax
jmp idx_40
idx_138:
0x401612: mov eax, [rbp+var_10]
0x401615: movsxd rdx, eax
0x401618: mov rax, [rbp+var_28]
0x40161c: add rax, rdx
0x40161f: mov byte ptr [rax], 0
0x401622: mov eax, [rbp+var_10]
0x401625: mov rcx, [rbp+var_8]
0x401629: xor rcx, fs:28h
je idx_49
jmp idx_127
idx_139:
0x401633: mov rax, [rbp+var_1B8]
0x40163a: mov rdi, rax
jmp idx_158
idx_140:
0x40163e: mov rax, cs:stderr
0x401645: mov ecx, 0
0x40164a: mov edx, 2
0x40164f: mov esi, 0
0x401654: mov rdi, rax
call _setvbuf@plt
jmp idx_9
idx_141:
0x401658: movzx eax, al
0x40165b: mov edi, eax
jmp idx_40
idx_142:
0x40165e: push rbp
0x40165f: mov rbp, rsp
0x401662: sub rsp, 8
0x401666: mov eax, edi
0x401668: mov byte ptr [rbp+var_8+4], al
0x40166b: movzx eax, byte ptr [rbp+var_8+4]
0x40166f: mov edi, eax
jmp idx_165
idx_143:
0x401672: mov eax, [rbp+var_1C0]
0x401678: cdq
0x401679: idiv [rbp+var_1C8]
0x40167f: mov eax, edx
0x401681: test eax, eax
jnz idx_117
jmp idx_172
idx_144:
0x401684: xor ebx, eax
0x401686: mov edx, ebx
0x401688: mov rax, [rbp+var_28]
0x40168c: add rax, 3
0x401690: movzx eax, byte ptr [rax]
0x401693: xor eax, edx
0x401695: mov byte ptr [rbp+var_20+5], al
0x401698: mov rax, [rbp+var_28]
0x40169c: movzx edx, byte ptr [rax]
0x40169f: mov rax, [rbp+var_28]
0x4016a3: add rax, 1
0x4016a7: movzx eax, byte ptr [rax]
0x4016aa: mov ebx, edx
0x4016ac: xor ebx, eax
0x4016ae: mov rax, [rbp+var_28]
0x4016b2: add rax, 2
0x4016b6: movzx eax, byte ptr [rax]
0x4016b9: movzx eax, al
0x4016bc: mov edi, eax
jmp idx_40
idx_145:
0x4016bf: xor eax, ebx
0x4016c1: mov byte ptr [rbp+var_20+7], al
0x4016c4: movzx edx, byte ptr [rbp+var_20+4]
0x4016c8: mov rax, [rbp+var_28]
0x4016cc: mov [rax], dl
0x4016ce: mov rax, [rbp+var_28]
0x4016d2: lea rdx, [rax+1]
0x4016d6: movzx eax, byte ptr [rbp+var_20+5]
0x4016da: mov [rdx], al
0x4016dc: mov rax, [rbp+var_28]
0x4016e0: lea rdx, [rax+2]
0x4016e4: movzx eax, byte ptr [rbp+var_20+6]
0x4016e8: mov [rdx], al
0x4016ea: mov rax, [rbp+var_28]
0x4016ee: lea rdx, [rax+3]
0x4016f2: movzx eax, byte ptr [rbp+var_20+7]
0x4016f6: mov [rdx], al
0x4016f8: add dword ptr [rbp+var_20], 1
0x4016fc: add [rbp+var_28], 4
jmp idx_130
idx_146:
call _rand@plt
jmp idx_4
idx_147:
0x401703: add rsp, 28h
0x401707: pop rbx
0x401708: pop rbp
jmp idx_29
idx_148:
0x40170a: mov ebx, eax
0x40170c: movzx eax, byte ptr [rbp+var_C]
0x401710: mov edi, eax
jmp idx_40
idx_149:
0x401713: cmp [rbp+var_1E0], 0Fh
jle idx_16
jmp idx_65
idx_150:
0x40171b: mov rax, [rbp+var_1B8]
0x401722: mov rdi, rax
jmp idx_59
idx_151:
0x401726: mov eax, dword ptr [rbp+var_8]
0x401729: shl eax, 5
0x40172c: mov edx, eax
0x40172e: mov eax, dword ptr [rbp+var_8+4]
0x401731: add eax, edx
0x401733: movsxd rdx, eax
0x401736: lea rax, sbox_enc
0x40173d: movzx esi, byte ptr [rdx+rax]
0x401741: mov eax, dword ptr [rbp+var_8+4]
0x401744: movsxd rdx, eax
0x401747: mov rax, [rbp+var_18]
0x40174b: add rax, rdx
0x40174e: movzx ecx, byte ptr [rax]
0x401751: mov eax, dword ptr [rbp+var_8]
0x401754: shl eax, 5
0x401757: mov edx, eax
0x401759: mov eax, dword ptr [rbp+var_8+4]
0x40175c: add eax, edx
0x40175e: xor ecx, esi
0x401760: movsxd rdx, eax
0x401763: lea rax, sbox_enc
0x40176a: mov [rdx+rax], cl
0x40176d: mov eax, dword ptr [rbp+var_8]
0x401770: shl eax, 5
0x401773: mov edx, eax
0x401775: mov eax, dword ptr [rbp+var_8+4]
0x401778: add eax, edx
0x40177a: movsxd rdx, eax
0x40177d: lea rax, inv_sbox_enc
0x401784: movzx esi, byte ptr [rdx+rax]
0x401788: mov eax, dword ptr [rbp+var_8+4]
0x40178b: movsxd rdx, eax
0x40178e: mov rax, [rbp+var_18]
0x401792: add rax, rdx
0x401795: movzx ecx, byte ptr [rax]
0x401798: mov eax, dword ptr [rbp+var_8]
0x40179b: shl eax, 5
0x40179e: mov edx, eax
0x4017a0: mov eax, dword ptr [rbp+var_8+4]
0x4017a3: add eax, edx
0x4017a5: xor ecx, esi
0x4017a7: movsxd rdx, eax
0x4017aa: lea rax, inv_sbox_enc
0x4017b1: mov [rdx+rax], cl
0x4017b4: add dword ptr [rbp+var_8+4], 1
jmp idx_113
idx_152:
0x4017b9: mov rax, [rbp+var_1B8]
0x4017c0: mov rdi, rax
jmp idx_59
idx_153:
0x4017c4: mov rax, [rbp+var_28]
0x4017c8: movzx eax, byte ptr [rax]
0x4017cb: movzx eax, al
0x4017ce: mov edi, eax
jmp idx_40
idx_154:
0x4017d1: push rbp
0x4017d2: mov rbp, rsp
0x4017d5: mov [rbp+var_18], rdi
0x4017d9: mov dword ptr [rbp+var_8+4], 0
jmp idx_91
idx_155:
0x4017e1: mov ebx, eax
0x4017e3: mov rax, [rbp+var_28]
0x4017e7: add rax, 1
0x4017eb: movzx eax, byte ptr [rax]
0x4017ee: movzx eax, al
0x4017f1: mov edi, eax
jmp idx_12
idx_156:
0x4017f4: mov rcx, [rbp+var_8]
0x4017f8: xor rcx, fs:28h
je idx_54
jmp idx_106
idx_157:
0x401802: mov rax, cs:off_606A40; "This is a fake flag!"
0x401809: mov rdi, rax
call _puts@plt
jmp idx_168
idx_158:
0x40180d: push rbp
0x40180e: mov rbp, rsp
0x401811: push rbx
0x401812: sub rsp, 28h
0x401816: mov [rbp+var_28], rdi
0x40181a: mov rax, fs:28h
0x401823: mov [rbp+var_18], rax
0x401827: xor eax, eax
0x401829: mov dword ptr [rbp+var_20], 0
jmp idx_166
idx_159:
0x401831: add [rbp+var_1E0], 1
jmp idx_149
idx_160:
0x401839: movzx eax, byte ptr [rbp+var_8+4]
0x40183d: add eax, eax
0x40183f: xor eax, 1Bh
jmp idx_114
idx_161:
0x401843: mov [rbp+var_1D4], 1
jmp idx_43
idx_162:
0x40184e: mov rax, [rbp+var_28]
0x401852: movzx eax, byte ptr [rax]
0x401855: movzx eax, al
0x401858: mov edi, eax
jmp idx_102
idx_163:
0x40185b: xor ebx, eax
0x40185d: movzx eax, byte ptr [rbp+var_C]
0x401861: mov edi, eax
jmp idx_40
idx_164:
0x401864: mov eax, [rbp+var_1C0]
0x40186a: sub eax, 1
0x40186d: lea edx, ds:0[rax*4]
0x401874: mov eax, [rbp+var_1BC]
0x40187a: add eax, edx
0x40187c: movsxd rdx, eax
0x40187f: mov rax, [rbp+var_190]
0x401886: add rax, rdx
0x401889: movzx edx, byte ptr [rax]
0x40188c: mov eax, [rbp+var_1BC]
0x401892: cdqe
0x401894: mov [rbp+rax+var_184], dl
0x40189b: add [rbp+var_1BC], 1
jmp idx_19
idx_165:
0x4018a3: push rbp
0x4018a4: mov rbp, rsp
0x4018a7: sub rsp, 8
0x4018ab: mov eax, edi
0x4018ad: mov byte ptr [rbp+var_8+4], al
0x4018b0: movzx eax, byte ptr [rbp+var_8+4]
0x4018b4: mov edi, eax
jmp idx_40
idx_166:
0x4018b7: cmp dword ptr [rbp+var_20], 3
jle idx_153
jmp idx_13
idx_167:
0x4018bc: mov eax, [rbp+var_1D0]
0x4018c2: sub eax, 1
0x4018c5: cmp [rbp+var_1CC], eax
jle idx_26
jmp idx_71
idx_168:
0x4018cc: nop
jmp idx_39
idx_169:
0x4018ce: push rbp
0x4018cf: mov rbp, rsp
0x4018d2: sub rsp, 20h
0x4018d6: mov [rbp+var_18], rdi
0x4018da: lea rdi, aOooooooooooooO; "ooooooooooooo "...
call _puts@plt
jmp idx_72
idx_170:
0x4018e2: nop
0x4018e3: leave
jmp idx_53
idx_171:
0x4018e5: mov rax, [rbp+var_1A8]
0x4018ec: mov rdi, rax
jmp idx_59
idx_172:
0x4018f0: movzx eax, [rbp+var_184]
0x4018f7: mov [rbp+var_1E1], al
0x4018fd: movzx eax, [rbp+var_183]
0x401904: mov [rbp+var_184], al
0x40190a: movzx eax, [rbp+var_182]
0x401911: mov [rbp+var_183], al
0x401917: movzx eax, [rbp+var_181]
0x40191e: mov [rbp+var_182], al
0x401924: movzx eax, [rbp+var_1E1]
0x40192b: mov [rbp+var_181], al
0x401931: mov [rbp+var_1BC], 0
jmp idx_83
idx_173:
0x40193c: push rbp
0x40193d: mov rbp, rsp
0x401940: mov [rbp+var_18], rdi
0x401944: mov [rbp+var_20], rsi
0x401948: mov dword ptr [rbp+var_28+4], edx
0x40194b: mov dword ptr [rbp+var_8+4], 0
jmp idx_103
idx_174:
0x401953: mov [rbp+var_1BC], 0
jmp idx_19
idx_175:
0x40195e: lea rax, [rbp+var_140]
0x401965: add rax, 10h
0x401969: mov [rbp+var_1B8], rax
0x401970: lea rax, [rbp+var_110]
0x401977: mov [rbp+var_1B0], rax
0x40197e: mov [rbp+var_1D8], 0Ah
0x401988: mov rcx, [rbp+var_1B0]
0x40198f: mov rax, [rbp+var_1B8]
0x401996: mov edx, 0
0x40199b: mov rsi, rcx
0x40199e: mov rdi, rax
jmp idx_173
idx_176:
0x4019a2: mov eax, [rbp+var_2C]
0x4019a5: sub eax, 1
0x4019a8: cmp [rbp+var_10], eax
jl idx_100
jmp idx_66
idx_177:
0x4019ac: mov rax, [rbp+var_1B8]
0x4019b3: mov rdi, rax
jmp idx_154
idx_178:
0x4019b7: mov eax, [rbp+var_1C4]
0x4019bd: add eax, 1
0x4019c0: shl eax, 2
0x4019c3: cmp [rbp+var_1C0], eax
jl idx_174
jmp idx_23
idx_179:
0x4019ca: add [rbp+var_1E0], 1
jmp idx_17
idx_180:
0x4019d2: xor ebx, eax
0x4019d4: mov rax, [rbp+var_28]
0x4019d8: add rax, 3
0x4019dc: movzx eax, byte ptr [rax]
0x4019df: movzx eax, al
0x4019e2: mov edi, eax
jmp idx_102
动态调试
汇编好的选手可以直接秒了,像我这种汇编不好的选手只能求助 AI 了,通过求助 AI 大致摸清楚了前面的执行流程。
#include
#include
#include
char byte_606020[0x100]={0};
char byte_606120[0x100]={0};
void safe_read(char *buf,size_t len){
int i = 0;
while (i
而比较关键的是对两个 256 字节数组的初始化:按每 32 字节一行,仅仅是把每一行与同一个 32 字节的硬编码数组逐字节异或,仅此而已。

这下看懂了,这两张表就是 AES 的 S-box 和逆 S-box(反汇编里的 sbox_enc / inv_sbox_enc),随后的循环明显是轮密钥加,之后我写了 dump 脚本去 dump 轮密钥,并用程序去进行了验证。

dump 的轮密钥和 AES 的key对应上了,而且 key 可以用随机数种子去验证,分段发给 AI 汇编代码,AI 后面可以分析出又使用了 srand(rand()) 。动调也可以验证,因为发现整个块里面就调用了两次 srand,第二次 srand 前驱调用了一个 rand() 函数。
idx_146:
call _rand@plt
jmp idx_4
idx_4:
0x400b79: mov edi, eax
call _srand@plt
jmp idx_115
如果实在不放心,可以在 0x400b79 地址被引用的代码下硬件断点去观察

也就是这里的 0x606b58。
这样刚好可以在 case 3 call srand 之前断住。

这里的 rchild=0x400870 就是 srand 的地址,本次 continue 过去就会执行 srand,那么这里关心的值当然就是上一个块 rand 的返回值,直接找 regs 结构体的 RAX。
这里找到了它的返回值 1343350356,刚好是可以对应上的(可以自己 srand(0x10000),然后输出第 17 个 rand 值验证)。

后面的异或操作都是问 AI 的,最后比较的 target 就是祝贺找到正确的 flag 那句话。
通过输入 24 个 a,观察 AI 拿的加密数组,基本可以确定异或之前的值就是输入进行 AES 之后的值,这里我直接读 /proc/pid/mem 去 dump 指定区域的内存。注意:读其它进程的 /proc/<pid>/mem 需要对目标有 ptrace 权限(同一 uid 且 Yama ptrace_scope 允许,或具备 CAP_SYS_PTRACE),只读的话用 O_RDONLY 打开即可;open()/read() 的返回值要检查(read 返回 ssize_t,出错时为 -1),而且这种 0x7FFFFFFF... 的栈地址只在关闭 ASLR(例如 gdb 默认设置)的那一次运行里有效,换一次运行就要重新取。
#include
#include
#include
char buffer [0x200000];
int main(){
int fd = open("/proc/13521/mem",O_RDWR);
size_t nbytes;
perror("open");
//0x7FFFFFFFDEB0 RBP - 0x140
lseek(fd,0x7FFFFFFFDEB0 - 0x140,SEEK_CUR);
nbytes = read(fd,buffer,0x40);
perror("read");
close(fd);
for(int i=0;i
通过dump结果比对

发现就是普普通通的 AES ECB/NoPadding。

那么流程就清晰了:
input -> AES ECB/NoPadding -> 异或随机数组 -> 异或开头硬编码数组
提取目标比对的字节,异或硬编码数组和随机数数组之后输出,最后 AES 解密即可。
#include
#include
unsigned char target[] =
{
0x43, 0x6F, 0x6E, 0x67, 0x72, 0x61, 0x74, 0x75, 0x6C, 0x61,
0x74, 0x69, 0x6F, 0x6E, 0x73, 0x21, 0x54, 0x68, 0x69,
0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63,
0x6F, 0x72, 0x72, 0x65, 0x63, 0x74, 0x20, 0x66, 0x6C, 0x61,
0x67, 0x21, 0x00
};
char key2[]="\xe2\x8b\x55\x38\x69\xfa\x80\xc2\x64\x4e\x7f\xe7\x13\x06\x14\xc5\xc0\x13\xd3\x12\x6b\xbd\xf2\xc7\x88\x44\x3e\x09\xe8\xa3\x83\x30";
int main(){
char buffer[32];
srand(0x10000);
for (int i = 0; i
最后的 AES 解密得到 flag。

也分享一下我的 AI 聊天记录
https://chatgpt.com/share/68f4fb20-852c-8002-a3ee-3fa981f88925
在群友的帮助下,我大概知道正确的恢复流程了,应该给 case 4 建立 rchild 的 call,再建立lchild的jmp,而 case 2 直接 ret 就行,但是即使恢复正确的流程 ida 也是无法正确恢复指令流,所以差别不大。
butterfly
这题属于签到的水平,只不过就是静态链接的题目,对于静态链接的题目,lumina 直接秒了,我搭建了一个私人服务器,里面放了一些常用的库代码。
关于 lumina:http://8.153.71.247:8000/lumina/info.html(注意这是一个明文 HTTP 的自建 Lumina 服务;Lumina 会把你所分析二进制的函数元数据与所配置的服务器同步,分析非公开或敏感样本时不要把客户端指向不受信任的服务器。)

恢复符号之后约等于裸奔,然后全选,复制,粘贴,发给 AI,秒了。。。
https://chatgpt.com/share/68f59cfd-b610-8002-9fff-407548840f47
总共就问了两句话,用时 1 分钟。

结语
CTF 真好玩,上周末单休,这周的强网杯直接把周末干碎了,从 11 点到 6 点(第二天凌晨),已经是一个活人微死的状态了,tradere 这题 80 解,我 CN 的逆向水平真好。