Phil's Impressions Things that come along…

9 Aug 2012

HowTo: BackupExec 2012 Linux Agent and Kernel 3.0 Debian

This fix also works on BackupExec 12.5 and BackupExec 2010 (13)!

You only have to patch a different byte, again from 79 to 78!
For the correct byte to patch, see the comment section.
Thx to Clive for finding the correct jump instruction to patch in 12.5 and 13.

UPDATE (17.06.2013): Jérémie has automated the procedure. You can find his solution in his comment. Please double-check the outcome with known values from the comment-section. 

DISCLAIMER: I AM NOT RESPONSIBLE FOR ANY DAMAGE OR DATA LOSS CAUSED BY THESE MODIFICATIONS. USE THEM AT YOUR OWN RISK.

The Problem
Symantec BackupExec 2012 Linux Agent is seg-faulting right after starting the service.

The following message indicates the problem in syslog:

kernel: [151351.976039] beremote[31977]: segfault at fffffffffffffffc ip 00007ff3ddc5d8f9 sp 00007ff3db91dc60 error 4 in libc-2.11.3.so[7ff3ddbe7000+159000]

The problem is also reported by the agent's own log:

GetIfAddrs(LINUX): failed err = 11

The Source

During startup the BackupExec agent creates a new socket and then issues the following ioctl() call.

[pid 13860] socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 5
[pid 13860] ioctl(5, SIOCGIFCOUNT, 0x7f3c50919d7c) = -1 ENOTTY (Inappropriate ioctl for device)

SIOCGIFCOUNT is not implemented in the Linux kernel. Before a change in the kernel source, the kernel seems to have tolerated such an ioctl() call, logging a syslog message like:

linux: pid 4080 (beremote): ioctl fd=6, cmd=0x8938 ('\M^I',56) is not implemented

Some time ago, in May 2011, a commit to the linux kernel changed the behavior of ioctl().
See:

These changes now return a negative error-code value for the ioctl() call, which causes BackupExec to terminate.

Which means the reason for not working on a 3.0 kernel is ridiculous.

The Solution

tjmcgrew suggested on the Symantec Connect forums to patch the kernel back to its old behavior.

This was not an option for me, as maintaining a self-compiled and patched kernel is a real pain. So I decided to patch the BackupExec Agent instead. It's just amazing what can be achieved by simply flipping 2 bits.

First off, I used the current BackupExec Agent for Linux available at the time of writing.

  • RALUS_RMALS_RAMS-1798.17.tar.gz
  • and also applying: ralus1798SP1.tar.gz

The cause of the faulty ioctl() is located inside:

-rwxr-xr-x 1 root root 284824 Aug  9 13:57 /opt/VRTSralus/bin/libbesocket.so*

Here is the code causing the faulty call:

 22647: be 38 89 00 00 mov $0x8938,%esi
 2264c: 31 c0 xor %eax,%eax
 2264e: e8 dd 00 ff ff callq 12730 <ioctl@plt>
 22653: 85 c0 test %eax,%eax
 22655: 79 1a jns 22671 <_Z10getifaddrsPP7ifaddrs+0xb1>
 22657: e8 74 01 ff ff  callq  127d0 <__errno_location@plt>

$0x8938 corresponds to SIOCGIFCOUNT. Because ioctl() now returns a negative value, the test instruction sets the sign flag and the jump-no-sign (jns) instruction is not taken. Therefore the client terminates with an error message.

Since this test will always fail on a Linux 3.0 kernel, we are going to exploit that fact by changing the jump-no-sign instruction to a jump-sign (js) instruction, causing the client to start normally.

I consider this change safe, because the ioctl() call had no effect before; it just did not fail. I now treat the failure as the wanted behavior and acknowledge it with the jump-sign instruction.

How to fix your BackupExec Linux Agent.

Solution: patch it yourself

I am almost sure I am not allowed to redistribute a patched version of the BackupExec Agent library. So I can only give you instructions on how to proceed.

Use the SHA1 values to verify you have not changed something accidentally.
The library before patching should have the following SHA1 hash:

430c199b5e1397acbe64bf18d75c7b0171b9811c  /opt/VRTSralus/bin/libbesocket.so

After patching:

3da3980e7c45542ec38d4635ca8d11f147abc43a  /opt/VRTSralus/bin/libbesocket.so

The faulty call is located here inside the library:

 22647: be 38 89 00 00 mov $0x8938,%esi
 2264c: 31 c0 xor %eax,%eax
 2264e: e8 dd 00 ff ff callq 12730 <ioctl@plt>
 22653: 85 c0 test %eax,%eax
 22655: 79 1a jns 22671 <_Z10getifaddrsPP7ifaddrs+0xb1>
 22657: e8 74 01 ff ff  callq  127d0 <__errno_location@plt>

Use your hex editor to change the jns instruction directly inside the library, e.g. with hexer, which has a VIM-like interface.

Step one: make a copy of your current library!

cd /opt/VRTSralus/bin/ 
cp libbesocket.so libbesocket.so.BACKUP

Step two: open the library in hexer (apt-get install hexer)

hexer libbesocket.so

Step three: find the jump-no-sign instruction and exchange it for a jump-sign instruction. Use the search function by typing: "/ \xx 79 1a" and hit enter.

You should now be able to see the JNS instruction, represented by "79". Verify that the context of the instruction matches the asm code listing above and/or the following screenshot. In my library there was only one "79 1a" sequence present. So you should be safe.

Now move the cursor to the "79" byte and press "R" inside hexer to enter REPLACE mode.

Now type "78". 78 is the opcode of a jump-sign instruction and causes normal execution if the function call fails! Failing on this call is now the default behavior of the kernel.

Double check you are in replace not insert mode. The "79" should be gone now!

Now save your changes VIM-style, by typing " :wq".

Now you can start your backup exec linux agent with:

/etc/init.d/VRTSralus.init start

Have fun!!
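The manual steps above (locate the single 79 that follows test %eax,%eax after the $0x8938 load, replace it with 78, compare SHA-1 values) can also be written as a script that refuses to change anything unless exactly one site matches. This is an added example, not code from the original post; the function names, the 32-byte search window and the ".patched" output suffix are assumptions, and the sample bytes are constructed from the 64-bit listing above.

```python
import hashlib
import sys

SIOCGIFCOUNT_IMM = bytes.fromhex("38890000")  # $0x8938 as a little-endian imm32
TEST_JNS = bytes.fromhex("85c079")            # test %eax,%eax ; jns rel8 opcode
JS_OPCODE = 0x78                              # js rel8
# SHA-1 before -> after, as given in the post for the library it patches.
KNOWN_SHA1 = {
    "430c199b5e1397acbe64bf18d75c7b0171b9811c":
        "3da3980e7c45542ec38d4635ca8d11f147abc43a",
}


def sha1(data):
    return hashlib.sha1(data).hexdigest()


def find_candidates(data, window=32):
    """File offsets of every 0x79 (jns) that follows `test %eax,%eax`
    within `window` bytes after a $0x8938 immediate (window is an assumption)."""
    hits = []
    pos = data.find(SIOCGIFCOUNT_IMM)
    while pos != -1:
        after_imm = pos + len(SIOCGIFCOUNT_IMM)
        t = data.find(TEST_JNS, after_imm, after_imm + window)
        if t != -1 and t + 2 not in hits:
            hits.append(t + 2)  # offset of the 0x79 byte itself
        pos = data.find(SIOCGIFCOUNT_IMM, pos + 1)
    return hits


def patch_jns_to_js(data, window=32):
    """Return (offset, patched_bytes); refuse unless exactly one site matches."""
    hits = find_candidates(data, window)
    if len(hits) != 1:
        raise ValueError("expected exactly one patch site, found %d: %s"
                         % (len(hits), [hex(h) for h in hits]))
    offset = hits[0]
    patched = bytearray(data)
    patched[offset] = JS_OPCODE
    return offset, bytes(patched)


def check_known_hash(before, after):
    """True/False if `before` is a hash listed in the post, None if unknown."""
    expected = KNOWN_SHA1.get(before)
    return None if expected is None else expected == after


def build_sample():
    """Constructed sample: the 64-bit listing bytes from the post, padded."""
    listing = bytes.fromhex(
        "be38890000"   # mov $0x8938,%esi
        "31c0"         # xor %eax,%eax
        "e8dd00ffff"   # callq ioctl@plt
        "85c0"         # test %eax,%eax
        "791a"         # jns +0x1a
        "e87401ffff"   # callq __errno_location@plt
    )
    return b"\x90" * 0x40 + listing + b"\x90" * 0x40


def main(argv):
    if len(argv) != 2:
        print("usage: %s /path/to/libbesocket.so" % argv[0])
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    offset, patched = patch_jns_to_js(data)
    before, after = sha1(data), sha1(patched)
    # The original file is left untouched; the result goes to a new file.
    with open(argv[1] + ".patched", "wb") as fh:
        fh.write(patched)
    print("patched 79 -> 78 at file offset 0x%x" % offset)
    print("sha1 before: %s" % before)
    print("sha1 after:  %s" % after)
    print("matches hashes from the post: %s" % check_known_hash(before, after))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Compare the reported offset with the addresses confirmed in the comments for your agent version before swapping the patched file in.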

Comments (94) Trackbacks (3)
  1. Many thanks for the great insight here. We gave up on this some while back, when trialing BE2010 we hit the same issues. The library is somewhat different in the 2010 distributions sadly so we can’t use the same “79 1a” trick, but at least it sheds some light on the problem!

  2. Nice job. I had considered looking into doing this option myself as well, but the kernel patch seemed like an easier route to take for now. Unfortunately we too are using 2010, so I can’t use this either, but it’ll help point me in the right direction if I do look in to it.

  3. Although I stress this could be a red herring, in case it’s any help to others working with 2010 using a bit of trial and error, I identified a possible candidate within the 12.5/2010 RALUS to edit for this. Can’t guarantee it’s the correct fix as I’ve not been able to test properly yet, however the beremote process is now starting, and stays running.

    The version I used was that from the 12.5 evaluation:
    BEWS_12.5.2213_LINUX-UNIX-MAC-SAP_AGENTS.tar.gz

    00023630: 31 c0 be 38 89 00 00 e8 7c e0 fe ff 85 c0 79 19 1..8….|…..y.
    00023640: e8 23 e1 fe ff 83 38 16 0f 85 40 03 00 00 c7 84 .#….8…@…..

    Look for “ff 85 c0 79 19 e8”, there should only be one occurrence, and again swap 79 for 78 as per the instructions for the 2012 libbesocket.so

    • Oh, 12.5 is BE 2010?
      Seems we have one here after all. I will try to verify your findings.

      Edit: just found the agent installer on our old backup server. “BEWS_12.5.2213_LINUX-UNIX-MAC-SAP_AGENTS.tar.gz”

    • VERIFIED. exactly the same function call you got there.

      23632: be 38 89 00 00 mov $0x8938,%esi
      23637: e8 7c e0 fe ff callq 116b8
      2363c: 85 c0 test %eax,%eax
      2363e: 79 19 jns 23659 <_Z10getifaddrsPP7ifaddrs+0xb9>
      23640: e8 23 e1 fe ff callq 11768 <__errno_location@plt>

      This is the same fix i used for 2012, but can be used on 12.5!

  4. Just tried with RALUS_RMALS_RAMS-5204.4.tar.gz from 2010 disc.

    Same deal. Offending section looks like this.

    00023c40: 31 c0 be 38 89 00 00 e8 dc de fe ff 85 c0 79 19 1..8……….y.
    00023c50: e8 83 df fe ff 83 38 16 0f 85 40 03 00 00 c7 84 ……8…@…..

  5. VERIFIED! (thx for the filename ;) )

    23c42: be 38 89 00 00 mov $0x8938,%esi
    23c47: e8 dc de fe ff callq 11b28
    23c4c: 85 c0 test %eax,%eax
    23c4e: 79 19 jns 23c69 <_Z10getifaddrsPP7ifaddrs+0xb9>
    23c50: e8 83 df fe ff callq 11bd8 <__errno_location@plt>

    For BE 2010 change the 79 to 78!

    • Hello,

      I have trouble finding the offending section, i’ve installed RALUS_RMALS_RAMS-5204.4.tar.gz on a 3.2.0-32-generic-pae #51-Ubuntu kernel.
      sha1sum libbesocket.so
      a320e4236f75185aa5299fba44291c471f2ac235 libbesocket.so

      I followed your instructions but cannot find the 79 section.
      I do hexer libbesocet.so
      Then / \xx 79 1a
      no match

      Any clues?

      Thanks.

      • You replied to the correct comment. You are not searching for “79 1a” for BE 2010.

        You have to search “79 19” and change the “79” to “78”.

        – Philip

        • Hello,

          Thanks for responding, if I search for: “/ \xx 79 19” I also get the no match message.

          I also searched for / \xx 79 xx but no match.

          • use 'objdump -D libbesocket.so > libbesocket.asm' to disassemble the binary.
            Then search for '$0x8938' in your disassembled asm code.
            You should find a code portion like the one in my HowTo.
            Find the address displayed beside the 79 / jns instruction with hexer in your binary and replace it with 78.

          • OK, thank you very much
            1ff0f: 79 15 jns 1ff26

            changed it to 78 and now the service works.

          • :) Thanks for sharing the instruction to patch.

  6. I have BackupExec 2012 and a brand new (just built yesterday) Ubuntu server, kernel 3.2.0-29. (32 bit). I’ve installed the Symantec remote agent and get the startup failure as above. However, my /opt/VRTSralus/bin/libbesocket.so file is different than above. It shows:
    -rwxr-xr-x 1 10001 beoper 267320 Jan 26 2012 libbesocket.so
    sha1sum shows
    25c5097347b99383f0bee33c3bbd1b9b7654c311 libbesocket.so

    And (of course) searching for xx 79 1a shows no matches.

    Any suggestions, tips and help would be appreciated!

    It’s a different size

    • Ok, checked the SHA1 sum. It is the 32bit version of the most current installer, which is used in the HowTo.

      Following details for the 32bit version of BackupExec 14

      1f4d9: 68 38 89 00 00 push $0x8938
      1f4de: ff b5 5c ff ff ff pushl -0xa4(%ebp)
      1f4e4: e8 17 fb fe ff call f000
      1f4e9: 83 c4 10 add $0x10,%esp
      1f4ec: 85 c0 test %eax,%eax
      1f4ee: 79 15 jns 1f505 <_Z10getifaddrsPP7ifaddrs+0xb1>
      1f4f0: e8 eb f1 fe ff call e6e0 <__errno_location@plt>

      0001f4c0: 00 00 00 83 c4 0c 6a 00 ff b3 88 ff ff ff 50 e8 ……j…….P.
      0001f4d0: 3c fd fe ff 8d 45 84 57 50 68 38 89 00 00 ff b5 < ....E.WPh8.....
      0001f4e0: 5c ff ff ff e8 17 fb fe ff 83 c4 10 85 c0 79 15 \.............y.
      0001f4f0: e8 eb f1 fe ff 83 38 16 0f 85 7e 03 00 00 c7 45 ......8...~....E
      0001f500: 84 20 00 00 00 8b 75 84 83 ec 08 c1 e6 05 56 6a . ....u.......Vj

      Patch the sequence "85 c0 79 15" to "85 c0 78 15". Should only occur once in the library. Use the address at the left to find the correct line.

      So same as above. 79 -> 78.

  7. Thank you so much!!!

  8. Many Many Thanks :)

  9. Many many thanks for the patch! It is working for me. But does anyone have the problem that Backup Exec can only backup servers which are added with IP address? When I try to backup a server added with its domainname I got errors.

    Best regards,
    Juliane

  10. Thanks a lot for this patch. I used it on RALUS_RMALS_RAMS-5204.4 and now it works perfectly.

    • Has somebody already applied this patch on a BE2012 agent for a 64bit kernel?? I’m looking into the libbesocket.so but i can’t find the correct.
      The agent version is RALUS_RMALS_RAMS-1798.17

      Best regards
      Amnesium

      • Yes, the entire HowTo used the exact same version.
        Please verify the SHA1 value of your libbesocket with the one above.

      • I got it for RALUS_RMALS_RAMS-1798.17

        22653: 85 c0 test %eax,%eax
        22655: 79 1a jns 22671
        22657: e8 74 01 ff ff callq 127d0
        2265c: 83 38 16 cmpl $0x16,(%rax)

        so replace 79 --> 78

        00022650: 00 ff ff 85 c0 79 1a e8 74 01 ff ff 83 38 16 90 …..x..t….8..

        • how is that different from my pictures?

          • Yes sorry nothing different, i missed the sha1 part…

            After that patch, has somebody an error on the backup exec server side like “Directory not found” or “Unable to attach to a ressource” when the backup job try to backup the data on the Linux server?

            I’m trying to backup directories of a Ubuntu 12.04 server 64bit. Without success with Backup Exec 2010 and 2012…

          • I used it on Debian 6 amd64 without problems. Sorry i have no ubuntu machines around.

  11. I’m using the BE13 (2010) and I did not find the line described.
    My ralus version is 5204.125.180429
    My SHA1 hash is 1609BC4B5EA3A591979CD1711889DC9CD3369133.

    I am having this problem a long time… Pls help-me.

  12. Hi, we have the same Problem with the Version ralus=4164.118.154003

    How can i find the jns call?

    Thanks,
    Thomas

    • use 'objdump -D libbesocket.so > libbesocket.asm' to disassemble the binary.
      Then search for '$0x8938' in your disassembled asm code.
      You should find a code portion like the one in my HowTo.

      Find the address displayed beside the 79 / jns instruction with hexer in your binary and replace it with 78.

      • thank you.

        Version ralus=4164.118.154003
        23c82: be 38 89 00 00 mov $0x8938,%esi
        23c87: e8 0c df fe ff callq 11b98
        23c8c: 85 c0 test %eax,%eax
        23c8e: 79 19 jns 23ca9
        23c90: e8 b3 df fe ff callq 11c48

  13. Works great for me, looks like this on my VRTSralus-12.5.2213-0.i386 rpm (openSUSE 12.1)

    1fa1a: 68 38 89 00 00 push $0x8938
    1fa1f: ff b5 5c ff ff ff pushl -0xa4(%ebp)
    1fa25: e8 22 e5 fe ff call df4c
    1fa2a: 83 c4 10 add $0x10,%esp
    1fa2d: 85 c0 test %eax,%eax
    1fa2f: 79 15 jns 1fa46

    (replaced 79 15 by 78 15)

    Thank you!

  14. TNX TNX TNX
    Very Much,
    But The Symantec Backup Exec server was unable to detect RALUS :(

  15. I have RALUS_RMALS_RAMS-5204.4.tar.gz

    I’ve installed it on 2 servers. I found the “ff 85 c0 79 19 e8” sequence on the 64-bit server but I didn’t find it on the 32-bit server. Do you know which sequence I have to look for on the 32-bit server?

    Thank you

    ff 85 c0 79 19 e8

  16. 00023c80: 31 c0 be 38 89 00 00 e8 0c df fe ff 85 c0 79 19 1..8……….x.
    -->
    00023c80: 31 c0 be 38 89 00 00 e8 0c df fe ff 85 c0 78 19 1..8……….x.

    Ralus 4164

    Tnx Tnx Tnx

  17. Thanks a million, your solution worked in my case also!
    Using VRTSralus-12.5.2213-0.i386.deb on ubuntu server 12.04 LTS.

  18. Confirmed to fix issue with 32-bit RALUS_RMALS_RAMS-1798.17 on Ubuntu 12.04 LTS 64-bit.

    Thanks for the excellent guide!

    • A bit quick there. I too get the same error Amnesium reported above: “The job failed with the following error: Unable to attach to a resource.”

      The patch allowed beremote to start correctly, I can browse files and add backup jobs, but they fail almost instantly with the message above.

      • Did you add the machine via IP or DNS/Hostname to the BE-Server?

      • Anyway. Why are you installing a 32bit client on an 64 bit os?
        I don’t think that’s a good idea.

        • It seems there is no difference between the Linux packages bundled inside the 32- and 64-bit ISOs – both have the same name RALUS_RMALS_RAMS-1798.17.tar.gz and MD5 sum.

          As for your other question on how I add client machines, I tried both via hostname and IP, same problem unfortunately.

          • I got it to work through these painful steps for 1798.

            Update your BE2012 server to SP2

            Copy all of the files (tar.gz) files for 1798 to the server. This includes the SPs and HFs.

            http://www.symantec.com/connect/articles/backup-exec-2012-and-ralus-versions

            Note that you will also need 1244.SP2 for this to work. It will download from liveupdate when you update to SP2.

            Do all of this under sudo……

            Extract the x64 deb under the Linux64 folder and install it manually using deb -i and install the VRTSRalus deb.

            Run the install script under Linux64

            Extract the patches to separate folders.

            Modify the install patch scripts for all SP1 and HF to include Ubuntu or replace the Debian near the beginning with Ubuntu. See the 1244.SP2 patch script for an example.

            Install the patches in the order shown in the Symantec document above. Don’t worry that the agent is running, the patches will install if you modified the scripts properly.

            Install the 1244.SP2 patch. No script changes necessary here.

            Patch the 79 to a 78 as this article describes.

            Start the service.

            Backup your Ubuntu 12.04 server.

            Note: I am not sure if you really need to put the SP1 or HOTFixes on, but I had already installed them so I know the procedure works.

          • Sorry, there is an error:

            dpkg -i to install.

  19. You are a master! Thanks for your article!!

  20. You are THE BEST!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Very Thanks, you save my ass :)

  21. I as well have RALUS_RMALS_RAMS-5204.4.tar.gz. I have searched in vain using hexer, searching via ‘/\xx ff 85 c0 79’, and always get ‘no match’. I have also tried looking in the libbesocket.so contained in the HF provided ralus2896HF348315-Linux.tar_352201.gz. Any ideas would be sincerely appreciated.

  22. Works for the Following Version beagent 13.0.5204

    23842: be 38 89 00 00 mov $0x8938,%esi
    23847: e8 2c df fe ff callq 11778
    2384c: 85 c0 test %eax,%eax
    2384e: 79 19 jns 23869
    23850: e8 d3 df fe ff callq 11828
    23855: 83 38 16 cmpl $0x16,(%rax)
    23858: 0f 85 40 03 00 00 jne 23b9e

    2385e: c7 84 24 ec 00 00 00 movl $0x20,0xec(%rsp)

    hexedit libbesocket.so
    Search for: 85C07919

    swap 79 for 78 as per the instructions

  23. I patched ralus4164SP1, the string from the ASM dump was:
    23c8e: 79 19 jns 23ca9

    Appears to work fine on kernel 3.1.10-1.9.

    Thanks for this!

  24. Thanks a lot for that !

    It is interesting to see that after more than a year Symantec has not come with a fix.

    This illustrate the “efforts” they put towards open source…

    Cheers

  25. What fun – and indeed it is still valid and working, thanks!

    Pity that they haven’t yet provided an official fix…

  26. Didn’t work here, I’m using RALUS_RMALS_RAMS-1798.17 on Ubuntu 12.04 and I found the string and changed the 79 to 78 and saved it. When I try to start the agent it just says “FAILED”. I’m not a Unix guy though so I don’t know how to look at the syslog to see why it failed.

  27. Nevermind my last comment, I likely goofed the first time, uninstalled/reinstalled and went through the steps and working like a charm now thanks!

  28. Hi,
    I did as outlined above. Seemed to work because RALUS doesn’t crash any more and allows backupexec to connect. Only problem now is that it seems to go into a loop when it tries to do a listing of the root folder and I have to kill the beremote service.
    After killing beremote, backupexec shows multiple instances of the folder inside root and says it can’t connect.

    Please advise.

    Regards

    Carl

  29. ok, this seems correct. Jason Price had the exact same location.

    http://blog.redweb.at/2012/08/howto-backupexec-2012-linux-agent-and-kernel-3-0-debian/#comment-83

    For him it worked. Must be an unrelated issue of the client in combination with gentoo and Kernel 3.6 which is newer than ubuntu/debian versions.

    Unfortunately I cannot replicate your setup. Without some strace/ltrace output it is impossible to see what’s going wrong.

    A basic check via strace would be to look for (f)open calls returning 13 (access denied), which would indicate some sort of permission problem.

    • Ran a strace and did not find any open calls returning 13.
      After initialising and connecting to the BE server it seems to go into a loop with the following 2 lines in the strace:

      rt_sigprocmask(SIG_BLOCK, [CHLD], ~[INT KILL USR1 SEGV TERM STOP RTMIN RT_1], 8) = 0
      nanosleep({5, 0}, 0x7fff65e98070) = 0

      Any ideas?

      I also have an error in the beremote log so not sure if that’s the problem

      FS 1 failed to initialize: 0xE000FE46

      • Did you run strace with the “-f” argument? Seems like this is just the parent process waiting for signals.

        Your error message indicates an error while accessing your filesystem(s). Do you have any atypical filesystems mounted?

        BE is known to have issues with gvfs mounts present.

      • Alternatively try running the agent with debug logging and send me the log file.

        It should reveal more infos what is going on.

        "./beremote --log-file debugme.log"

  30. Thanks, it works perfectly for me!!!

  31. awesome! thx very much! now i can upgrade my servers to wheezy. :)
    shame on symantec for not fixing this issue

  32. Hello,

    I came up with an automated way to patch the file, without having to install hexer.

    Inspiration (for objdump):
    http://www.css.washington.edu/wiki/BackupExec_on_Debian

    pos=`objdump -D libbesocket.so | grep -6 0x8938 | grep '\.*:\?[[:space:]]\+79' | awk '{print $1}' | cut -d: -f1`
    echo "$pos: 78" | xxd -r - libbesocket.so

    Explanations:

    First, search the position in the file : we look around a specific keyword:
    objdump -D libbesocket.so | grep -6 0x8938

    We search '79 xx' in that stuff:
    | grep '\.*:\?[[:space:]]\+79'

    We get the corresponding line:
    | awk '{print $1}' | cut -d: -f1

    We write the new value (78) instead:
    echo "$pos: 78" | xxd -r - libbesocket.so

    • Hi,

      Nice solution. Still i would NOT recommend using an automated approach, without manual verification of the outcome!

      If you are using this method, try to verify the patched bytes location with already confirmed values in this comment section.

      There exist many variations of the library. 0x8938 is SIOCGIFCOUNT, which tries to enumerate the available interfaces. There is no way of telling if the result of this call is evaluated in the next condition (e.g. JNS/JS instruction).

      greetings,
      Phil

    • Added your comment, to the blog-post.
      Thx for the contribution.

  33. Hi, I can’t solve this issue
    I could patch it, but the BE server told me that it is not a compatible version

    now I did a roll back for the source library
    I get the error
    [177108.964415] beremote[4421]: segfault at 24d ip b5c2d3ec sp b4161460 error 4 in libbesocket.so[b5c0e000+40000]

    agent version : 14.0.1798
    BE server 2010 R3

    Thanks for your help

    • Hi,

      Hard to say what is wrong, as i don’t have this version of the library available.
      Maybe you could dump the library with objdump -D and post the section/bytes you are patching?

      best regards,
      Philip

      • Thanks for your reply, I don’t know if this is the section that you need

        libbesocket.so: file format elf32-i386

        417: 00 f0 add %dh,%al

        421: 00 00 add %al,(%eax)
        423: 00 e3 add %ah,%bl
        425: 01 00 add %eax,(%eax)
        427: 00 4f 02 add %cl,0×2(%edi)
        42a: 00 00 add %al,(%eax)
        42c: b3 02 mov $0×2,%bl
        42e: 00 00 add %al,(%eax)
        430: 58 pop %eax
        431: 01 00 add %eax,(%eax)
        433: 00 00 add %al,(%eax)
        435: 00 00 add %al,(%eax)
        437: 00 d8 add %bl,%al
        439: 01 00 add %eax,(%eax)
        43b: 00 2b add %ch,(%ebx)
        43d: 01 00 add %eax,(%eax)
        43f: 00 5c 01 00 add %bl,0×0(%ecx,%eax,1)
        443: 00 95 02 00 00 00 add %dl,0×2(%ebp)
        449: 00 00 add %al,(%eax)
        44b: 00 a1 02 00 00 5f add %ah,0x5f000002(%ecx)
        451: 02 00 add (%eax),%al
        453: 00 6c 01 00 add %ch,0×0(%ecx,%eax,1)
        457: 00 24 02 add %ah,(%edx,%eax,1)
        45a: 00 00 add %al,(%eax)
        45c: 00 00 add %al,(%eax)
        45e: 00 00 add %al,(%eax)
        460: 43 inc %ebx
        461: 02 00 add (%eax),%al
        463: 00 42 02 add %al,0×2(%edx)
        466: 00 00 add %al,(%eax)
        468: c3 ret
        469: 02 00 add (%eax),%al
        46b: 00 00 add %al,(%eax)
        46d: 00 00 add %al,(%eax)
        46f: 00 5e 02 add %bl,0×2(%esi)
        472: 00 00 add %al,(%eax)
        474: 11 00 adc %eax,(%eax)

        47e: 00 00 add %al,(%eax)
        480: f4 hlt
        481: 01 00 add %eax,(%eax)
        483: 00 6f 02 add %ch,0×2(%edi)
        486: 00 00 add %al,(%eax)
        488: 5a pop %edx
        489: 00 00 add %al,(%eax)
        48b: 00 00 add %al,(%eax)
        48d: 00 00 add %al,(%eax)
        48f: 00 a3 01 00 00 00 add %ah,0×1(%ebx)
        495: 00 00 add %al,(%eax)
        497: 00 00 add %al,(%eax)
        499: 00 00 add %al,(%eax)
        49b: 00 12 add %dl,(%edx)
        49d: 02 00 add (%eax),%al
        49f: 00 00 add %al,(%eax)
        4a1: 00 00 add %al,(%eax)
        4a3: 00 9b 00 00 00 ae add %bl,-0×52000000(%ebx)
        4a9: 00 00 add %al,(%eax)
        4ab: 00 08 add %cl,(%eax)
        4ad: 02 00 add (%eax),%al
        4af: 00 6d 02 add %ch,0×2(%ebp)

        4ba: 00 00 add %al,(%eax)
        4bc: 8f 00 popl (%eax)
        4be: 00 00 add %al,(%eax)
        4c0: da 00 fiaddl (%eax)
        4c2: 00 00 add %al,(%eax)
        4c4: 00 00 add %al,(%eax)
        4c6: 00 00 add %al,(%eax)
        4c8: 8f 02 popl (%edx)
        4ca: 00 00 add %al,(%eax)
        4cc: 00 00 add %al,(%eax)
        4ce: 00 00 add %al,(%eax)
        4d0: 6a 01 push $0×1
        4d2: 00 00 add %al,(%eax)
        4d4: ad lods %ds:(%esi),%eax
        4d5: 02 00 add (%eax),%al
        4d7: 00 70 02 add %dh,0×2(%eax)
        4da: 00 00 add %al,(%eax)
        4dc: c6 01 00 movb $0×0,(%ecx)
        4df: 00 14 02 add %dl,(%edx,%eax,1)
        4e2: 00 00 add %al,(%eax)
        4e4: 32 02 xor (%edx),%al
        4e6: 00 00 add %al,(%eax)
        4e8: a8 02 test $0×2,%al
        4ea: 00 00 add %al,(%eax)
        4ec: 00 00 add %al,(%eax)
        4ee: 00 00 add %al,(%eax)
        4f0: 6d insl (%dx),%es:(%edi)
        4f1: 00 00 add %al,(%eax)
        4f3: 00 e2 add %ah,%dl
        4f5: 01 00 add %eax,(%eax)
        4f7: 00 00 add %al,(%eax)
        4f9: 00 00 add %al,(%eax)
        4fb: 00 62 00 add %ah,0×0(%edx)
        4fe: 00 00 add %al,(%eax)
        500: 4d dec %ebp
        501: 02 00 add (%eax),%al
        503: 00 ae 02 00 00 00 add %ch,0×2(%esi)
        509: 00 00 add %al,(%eax)
        50b: 00 00 add %al,(%eax)
        50d: 00 00 add %al,(%eax)
        50f: 00 8c 01 00 00 00 00 add %cl,0×0(%ecx,%eax,1)
        516: 00 00 add %al,(%eax)
        518: 9e sahf
        519: 01 00 add %eax,(%eax)
        51b: 00 00 add %al,(%eax)
        51d: 00 00 add %al,(%eax)
        51f: 00 44 02 00 add %al,0×0(%edx,%eax,1)
        523: 00 9c 02 00 00 00 00 add %bl,0×0(%edx,%eax,1)
        52a: 00 00 add %al,(%eax)
        52c: ba 01 00 00 00 mov $0×1,%edx
        531: 00 00 add %al,(%eax)
        533: 00 00 add %al,(%eax)
        535: 00 00 add %al,(%eax)
        537: 00 c9 add %cl,%cl
        539: 00 00 add %al,(%eax)
        53b: 00 ca add %cl,%dl
        53d: 00 00 add %al,(%eax)
        53f: 00 a6 02 00 00 7c add %ah,0x7c000002(%esi)
        545: 00 00 add %al,(%eax)
        547: 00 56 02 add %dl,0×2(%esi)
        54a: 00 00 add %al,(%eax)
        54c: 00 00 add %al,(%eax)
        54e: 00 00 add %al,(%eax)
        550: 7a 01 jp 553
        552: 00 00 add %al,(%eax)
        554: a2 01 00 00 0b mov %al,0xb000001
        559: 01 00 add %eax,(%eax)
        55b: 00 3e add %bh,(%esi)
        55d: 01 00 add %eax,(%eax)
        55f: 00 92 02 00 00 e9 add %dl,-0x16fffffe(%edx)
        565: 01 00 add %eax,(%eax)
        567: 00 a0 00 00 00 67 add %ah,0×67000000(%eax)
        56d: 01 00 add %eax,(%eax)
        56f: 00 9a 00 00 00 00 add %bl,0×0(%edx)
        575: 00 00 add %al,(%eax)
        577: 00 00 add %al,(%eax)
        579: 00 00 add %al,(%eax)
        57b: 00 78 02 add %bh,0×2(%eax)
        57e: 00 00 add %al,(%eax)
        580: 47 inc %edi
        581: 00 00 add %al,(%eax)
        583: 00 be 00 00 00 48 add %bh,0×48000000(%esi)
        589: 01 00 add %eax,(%eax)
        58b: 00 72 01 add %dh,0×1(%edx)
        58e: 00 00 add %al,(%eax)
        590: 00 00 add %al,(%eax)
        592: 00 00 add %al,(%eax)
        594: 1c 00 sbb $0×0,%al
        596: 00 00 add %al,(%eax)
        598: b4 00 mov $0×0,%ah
        59a: 00 00 add %al,(%eax)
        59c: 00 00 add %al,(%eax)
        59e: 00 00 add %al,(%eax)
        5a0: d1 00 roll (%eax)
        5a2: 00 00 add %al,(%eax)
        5a4: c7 02 00 00 aa 01 movl $0x1aa0000,(%edx)
        5aa: 00 00 add %al,(%eax)
        5ac: d6 (bad)
        5ad: 01 00 add %eax,(%eax)

        5b7: 00 99 02 00 00 08 add %bl,0×8000002(%ecx)
        5bd: 01 00 add %eax,(%eax)
        5bf: 00 c3 add %al,%bl
        5c1: 01 00 add %eax,(%eax)
        5c3: 00 5b 01 add %bl,0×1(%ebx)
        5c6: 00 00 add %al,(%eax)
        5c8: 49 dec %ecx
        5c9: 00 00 add %al,(%eax)
        5cb: 00 c9 add %cl,%cl
        5cd: 01 00 add %eax,(%eax)
        5cf: 00 83 01 00 00 b9 add %al,-0x46ffffff(%ebx)
        5d5: 02 00 add (%eax),%al
        5d7: 00 79 02 add %bh,0×2(%ecx)

        5e2: 00 00 add %al,(%eax)
        5e4: ff 01 incl (%ecx)
        5e6: 00 00 add %al,(%eax)
        5e8: 38 02 cmp %al,(%edx)
        5ea: 00 00 add %al,(%eax)
        5ec: 00 00 add %al,(%eax)
        5ee: 00 00 add %al,(%eax)
        5f0: f5 cmc
        5f1: 01 00 add %eax,(%eax)
        5f3: 00 00 add %al,(%eax)
        5f5: 00 00 add %al,(%eax)
        5f7: 00 86 01 00 00 fd add %al,-0x2ffffff(%esi)
        5fd: 01 00 add %eax,(%eax)
        5ff: 00 c2 add %al,%dl
        601: 02 00 add (%eax),%al
        603: 00 8d 02 00 00 ca add %cl,-0x35fffffe(%ebp)
        609: 01 00 add %eax,(%eax)
        60b: 00 d9 add %bl,%cl
        60d: 00 00 add %al,(%eax)
        60f: 00 d1 add %dl,%cl
        611: 01 00 add %eax,(%eax)
        613: 00 ab 02 00 00 00 add %ch,0×2(%ebx)
        619: 00 00 add %al,(%eax)
        61b: 00 00 add %al,(%eax)
        61d: 00 00 add %al,(%eax)
        61f: 00 05 02 00 00 a6 add %al,0xa6000002
        625: 01 00 add %eax,(%eax)
        627: 00 00 add %al,(%eax)
        629: 00 00 add %al,(%eax)
        62b: 00 13 add %dl,(%ebx)
        62d: 01 00 add %eax,(%eax)
        62f: 00 5b 02 add %bl,0×2(%ebx)
        632: 00 00 add %al,(%eax)
        634: 58 pop %eax
        635: 00 00 add %al,(%eax)
        637: 00 00 add %al,(%eax)
        639: 00 00 add %al,(%eax)
        63b: 00 7e 00 add %bh,0×0(%esi)
        63e: 00 00 add %al,(%eax)
        640: bf 00 00 00 c1 mov $0xc1000000,%edi
        645: 02 00 add (%eax),%al
        647: 00 52 02 add %dl,0×2(%edx)

        652: 00 00 add %al,(%eax)
        654: 2d 02 00 00 fc sub $0xfc000002,%eax
        659: 00 00 add %al,(%eax)
        65b: 00 00 add %al,(%eax)
        65d: 00 00 add %al,(%eax)
        65f: 00 0a add %cl,(%edx)
        661: 01 00 add %eax,(%eax)
        663: 00 cd add %cl,%ch
        665: 01 00 add %eax,(%eax)
        667: 00 35 01 00 00 1d add %dh,0x1d000001
        66d: 00 00 add %al,(%eax)
        66f: 00 00 add %al,(%eax)
        671: 00 00 add %al,(%eax)
        673: 00 7a 02 add %bh,0×2(%edx)
        676: 00 00 add %al,(%eax)
        678: 54 push %esp
        679: 00 00 add %al,(%eax)
        67b: 00 00 add %al,(%eax)
        67d: 00 00 add %al,(%eax)
        67f: 00 e9 add %ch,%cl
        681: 00 00 add %al,(%eax)
        683: 00 9b 02 00 00 ec add %bl,-0x13fffffe(%ebx)
        689: 00 00 add %al,(%eax)
        68b: 00 af 02 00 00 a5 add %ch,-0x5afffffe(%edi)
        691: 00 00 add %al,(%eax)
        693: 00 6e 01 add %ch,0×1(%esi)
        696: 00 00 add %al,(%eax)
        698: 7c 02 jl 69c
        69a: 00 00 add %al,(%eax)
        69c: 14 01 adc $0×1,%al
        69e: 00 00 add %al,(%eax)
        6a0: e5 01 in $0×1,%eax
        6a2: 00 00 add %al,(%eax)
        6a4: 2c 02 sub $0×2,%al
        6a6: 00 00 add %al,(%eax)
        6a8: 3b 02 cmp (%edx),%eax
        6aa: 00 00 add %al,(%eax)
        6ac: f0 01 00 lock add %eax,(%eax)
        6af: 00 00 add %al,(%eax)
        6b1: 00 00 add %al,(%eax)
        6b3: 00 79 01 add %bh,0×1(%ecx)

        6c2: 00 00 add %al,(%eax)
        6c4: b2 02 mov $0×2,%dl
        6c6: 00 00 add %al,(%eax)
        6c8: 4f dec %edi
        6c9: 01 00 add %eax,(%eax)
        6cb: 00 a7 02 00 00 c1 add %ah,-0x3efffffe(%edi)
        6d1: 00 00 add %al,(%eax)
        6d3: 00 54 01 00 add %dl,0×0(%ecx,%eax,1)
        6d7: 00 ea add %ch,%dl

        6ed: 00 00 add %al,(%eax)
        6ef: 00 bb 00 00 00 84 add %bh,-0x7c000000(%ebx)
        6f5: 02 00 add (%eax),%al
        6f7: 00 88 02 00 00 00 add %cl,0×2(%eax)
        6fd: 00 00 add %al,(%eax)
        6ff: 00 00 add %al,(%eax)
        701: 00 00 add %al,(%eax)
        703: 00 a9 02 00 00 a0 add %ch,-0x5ffffffe(%ecx)
        709: 02 00 add (%eax),%al
        70b: 00 c1 add %al,%cl
        70d: 01 00 add %eax,(%eax)
        70f: 00 47 02 add %al,0×2(%edi)
        712: 00 00 add %al,(%eax)
        714: 30 02 xor %al,(%edx)
        716: 00 00 add %al,(%eax)
        718: 9a 02 00 00 e2 00 00 lcall $0×0,$0xe2000002
        71f: 00 09 add %cl,(%ecx)
        721: 01 00 add %eax,(%eax)

        72b: 00 a4 00 00 00 27 02 add %ah,0×2270000(%eax,%eax,1)
        732: 00 00 add %al,(%eax)
        734: 23 02 and (%edx),%eax
        736: 00 00 add %al,(%eax)
        738: 46 inc %esi
        739: 02 00 add (%eax),%al
        73b: 00 67 02 add %ah,0×2(%edi)
        73e: 00 00 add %al,(%eax)
        740: fa cli
        741: 01 00 add %eax,(%eax)
        743: 00 00 add %al,(%eax)
        745: 00 00 add %al,(%eax)
        747: 00 7b 01 add %bh,0×1(%ebx)
        74a: 00 00 add %al,(%eax)
        74c: 1e push %ds
        74d: 00 00 add %al,(%eax)
        74f: 00 00 add %al,(%eax)
        751: 00 00 add %al,(%eax)
        753: 00 15 02 00 00 0e add %dl,0xe000002
        759: 02 00 add (%eax),%al
        75b: 00 ce add %cl,%dh
        75d: 01 00 add %eax,(%eax)
        75f: 00 00 add %al,(%eax)
        761: 00 00 add %al,(%eax)
        763: 00 13 add %dl,(%ebx)
        765: 02 00 add (%eax),%al
        767: 00 1e add %bl,(%esi)
        769: 01 00 add %eax,(%eax)
        76b: 00 a8 01 00 00 24 add %ch,0×24000001(%eax)
        771: 01 00 add %eax,(%eax)
        773: 00 3f add %bh,(%edi)
        775: 00 00 add %al,(%eax)
        777: 00 6c 00 00 add %ch,0×0(%eax,%eax,1)
        77b: 00 2f add %ch,(%edi)
        77d: 02 00 add (%eax),%al
        77f: 00 ed add %ch,%ch
        781: 00 00 add %al,(%eax)
        783: 00 10 add %dl,(%eax)
        785: 01 00 add %eax,(%eax)
        787: 00 60 02 add %ah,0×2(%eax)
        78a: 00 00 add %al,(%eax)
        78c: 8e 02 mov (%edx),%es
        78e: 00 00 add %al,(%eax)
        790: a3 02 00 00 2d mov %eax,0x2d000002
        795: 01 00 add %eax,(%eax)
        797: 00 2e add %ch,(%esi)
        799: 02 00 add (%eax),%al
        79b: 00 40 00 add %al,0×0(%eax)
        79e: 00 00 add %al,(%eax)
        7a0: 20 00 and %al,(%eax)
        7a2: 00 00 add %al,(%eax)
        7a4: 19 00 sbb %eax,(%eax)
        7a6: 00 00 add %al,(%eax)
        7a8: 8b 02 mov (%edx),%eax
        7aa: 00 00 add %al,(%eax)
        7ac: b0 02 mov $0×2,%al
        7ae: 00 00 add %al,(%eax)
        7b0: 68 02 00 00 09 push $0×9000002
        7b5: 02 00 add (%eax),%al
        7b7: 00 85 02 00 00 00 add %al,0×2(%ebp)
        7bd: 00 00 add %al,(%eax)
        7bf: 00 c6 add %al,%dh
        7c1: 02 00 add (%eax),%al
        7c3: 00 82 01 00 00 8c add %al,-0x73ffffff(%edx)
        7c9: 02 00 add (%eax),%al
        7cb: 00 db add %bl,%bl
        7cd: 00 00 add %al,(%eax)
        7cf: 00 b4 02 00 00 89 01 add %dh,0×1890000(%edx,%eax,1)
        7d6: 00 00 add %al,(%eax)
        7d8: 73 01 jae 7db
        7da: 00 00 add %al,(%eax)
        7dc: 82 (bad)
        7dd: 02 00 add (%eax),%al

        7eb: 00 99 01 00 00 00 add %bl,0×1(%ecx)
        7f1: 00 00 add %al,(%eax)
        7f3: 00 f7 add %dh,%bh
        7f5: 01 00 add %eax,(%eax)
        7f7: 00 b5 01 00 00 00 add %dh,0×1(%ebp)
        7fd: 00 00 add %al,(%eax)
        7ff: 00 34 00 add %dh,(%eax,%eax,1)
        802: 00 00 add %al,(%eax)
        804: 86 02 xchg %al,(%edx)
        806: 00 00 add %al,(%eax)
        808: b1 02 mov $0×2,%cl
        80a: 00 00 add %al,(%eax)
        80c: be 02 00 00 00 mov $0×2,%esi
        811: 01 00 add %eax,(%eax)
        813: 00 36 add %dh,(%esi)
        815: 02 00 add (%eax),%al
        817: 00 31 add %dh,(%ecx)
        819: 02 00 add (%eax),%al

        823: 00 a7 01 00 00 57 add %ah,0×57000001(%edi)
        829: 01 00 add %eax,(%eax)
        82b: 00 3b add %bh,(%ebx)
        82d: 01 00 add %eax,(%eax)
        82f: 00 62 02 add %ah,0×2(%edx)
        832: 00 00 add %al,(%eax)
        834: b3 01 mov $0×1,%bl
        836: 00 00 add %al,(%eax)
        838: 00 00 add %al,(%eax)
        83a: 00 00 add %al,(%eax)
        83c: 6a 02 push $0×2
        83e: 00 00 add %al,(%eax)
        840: 00 02 add %al,(%edx)
        842: 00 00 add %al,(%eax)
        844: 0a 02 or (%edx),%al
        846: 00 00 add %al,(%eax)
        848: 00 00 add %al,(%eax)
        84a: 00 00 add %al,(%eax)
        84c: 5e pop %esi
        84d: 01 00 add %eax,(%eax)
        84f: 00 22 add %ah,(%edx)
        851: 02 00 add (%eax),%al
        853: 00 6e 02 add %ch,0×2(%esi)
        856: 00 00 add %al,(%eax)
        858: ac lods %ds:(%esi),%al
        859: 02 00 add (%eax),%al
        85b: 00 c7 add %al,%bh
        85d: 00 00 add %al,(%eax)
        85f: 00 59 01 add %bl,0×1(%ecx)
        862: 00 00 add %al,(%eax)
        864: 18 00 sbb %al,(%eax)
        866: 00 00 add %al,(%eax)
        868: 48 dec %eax
        869: 02 00 add (%eax),%al
        86b: 00 fb add %bh,%bl
        86d: 00 00 add %al,(%eax)
        86f: 00 b8 00 00 00 73 add %bh,0×73000000(%eax)
        875: 00 00 add %al,(%eax)
        877: 00 f8 add %bh,%al
        879: 01 00 add %eax,(%eax)
        87b: 00 00 add %al,(%eax)
        87d: 00 00 add %al,(%eax)
        87f: 00 cc add %cl,%ah
        881: 01 00 add %eax,(%eax)
        883: 00 45 02 add %al,0×2(%ebp)
        886: 00 00 add %al,(%eax)
        888: c9 leave
        889: 02 00 add (%eax),%al
        88b: 00 00 add %al,(%eax)
        88d: 00 00 add %al,(%eax)
        88f: 00 80 01 00 00 75 add %al,0×75000001(%eax)
        895: 02 00 add (%eax),%al
        897: 00 02 add %al,(%edx)
        899: 02 00 add (%eax),%al
        89b: 00 20 add %ah,(%eax)
        89d: 02 00 add (%eax),%al
        89f: 00 c3 add %al,%bl
        8a1: 00 00 add %al,(%eax)
        8a3: 00 05 01 00 00 0b add %al,0xb000001
        8a9: 02 00 add (%eax),%al
        8ab: 00 c8 add %cl,%al
        8ad: 02 00 add (%eax),%al
        8af: 00 54 02 00 add %dl,0×0(%edx,%eax,1)
        8b3: 00 64 02 00 add %ah,0×0(%edx,%eax,1)
        8b7: 00 92 00 00 00 76 add %dl,0×76000000(%edx)
        8bd: 00 00 add %al,(%eax)
        8bf: 00 00 add %al,(%eax)
        8c1: 00 00 add %al,(%eax)
        8c3: 00 ea add %ch,%dl
        8c5: 01 00 add %eax,(%eax)
        8c7: 00 76 01 add %dh,0×1(%esi)

        8d2: 00 00 add %al,(%eax)
        8d4: 50 push %eax
        8d5: 02 00 add (%eax),%al

        8df: 00 52 00 add %dl,0×0(%edx)
        8e2: 00 00 add %al,(%eax)
        8e4: bb 02 00 00 00 mov $0×2,%ebx
        8e9: 00 00 add %al,(%eax)
        8eb: 00 61 02 add %ah,0×2(%ecx)
        8ee: 00 00 add %al,(%eax)
        8f0: de 00 fiadd (%eax)
        8f2: 00 00 add %al,(%eax)
        8f4: 00 00 add %al,(%eax)
        8f6: 00 00 add %al,(%eax)
        8f8: 55 push %ebp
        8f9: 02 00 add (%eax),%al

        9b7: 00 1b add %bl,(%ebx)

        a1d: 00 00 add %al,(%eax)
        a1f: 00 14 00 add %dl,(%eax,%eax,1)

        a4a: 00 00 add %al,(%eax)
        a4c: 37 aaa

        a65: 00 00 add %al,(%eax)
        a67: 00 2f add %ch,(%edi)

        a89: 00 00 add %al,(%eax)
        a8b: 00 2e add %ch,(%esi)

        a9d: 00 00 add %al,(%eax)
        a9f: 00 30 add %dh,(%eax)

        aa9: 00 00 add %al,(%eax)
        aab: 00 46 00 add %al,0×0(%esi)

        ada: 00 00 add %al,(%eax)
        adc: 29 00 sub %eax,(%eax)

        ae6: 00 00 add %al,(%eax)
        ae8: 71 00 jno aea

        b02: 00 00 add %al,(%eax)
        b04: 51 push %ecx
        b05: 00 00 add %al,(%eax)
        b07: 00 2c 00 add %ch,(%eax,%eax,1)

        b2e: 00 00 add %al,(%eax)
        b30: 6b 00 00 imul $0×0,(%eax),%eax

        b57: 00 66 00 add %ah,0×0(%esi)

        b72: 00 00 add %al,(%eax)
        b74: 68 00 00 00 00 push $0×0

        b91: 00 00 add %al,(%eax)
        b93: 00 5b 00 add %bl,0×0(%ebx)
        b96: 00 00 add %al,(%eax)
        b98: 00 00 add %al,(%eax)
        b9a: 00 00 add %al,(%eax)
        b9c: 41 inc %ecx
        b9d: 00 00 add %al,(%eax)
        b9f: 00 a7 00 00 00 00 add %ah,0×0(%edi)
        ba5: 00 00 add %al,(%eax)
        ba7: 00 00 add %al,(%eax)
        ba9: 00 00 add %al,(%eax)
        bab: 00 12 add %dl,(%edx)

        bd5: 00 00 add %al,(%eax)
        bd7: 00 5e 00 add %bl,0×0(%esi)
        bda: 00 00 add %al,(%eax)
        bdc: 00 00 add %al,(%eax)
        bde: 00 00 add %al,(%eax)
        be0: a3 00 00 00 00 mov %eax,0×0

        bf1: 00 00 add %al,(%eax)
        bf3: 00 57 00 add %dl,0×0(%edi)

        bfe: 00 00 add %al,(%eax)
        c00: 87 00 xchg %eax,(%eax)
        c02: 00 00 add %al,(%eax)
        c04: 21 00 and %eax,(%eax)
        c06: 00 00 add %al,(%eax)
        c08: 26 00 00 add %al,%es:(%eax)
        c0b: 00 00 add %al,(%eax)
        c0d: 00 00 add %al,(%eax)
        c0f: 00 a9 00 00 00 00 add %ch,0×0(%ecx)
        c15: 00 00 add %al,(%eax)
        c17: 00 9d 00 00 00 00 add %bl,0×0(%ebp)
        c1d: 00 00 add %al,(%eax)
        c1f: 00 00 add %al,(%eax)
        c21: 00 00 add %al,(%eax)
        c23: 00 8a 00 00 00 00 add %cl,0×0(%edx)
        c29: 00 00 add %al,(%eax)
        c2b: 00 10 add %dl,(%eax)
        c2d: 00 00 add %al,(%eax)
        c2f: 00 88 00 00 00 00 add %cl,0×0(%eax)
        c35: 00 00 add %al,(%eax)
        c37: 00 15 00 00 00 00 add %dl,0×0
        c3d: 00 00 add %al,(%eax)
        c3f: 00 00 add %al,(%eax)
        c41: 00 00 add %al,(%eax)
        c43: 00 6a 00 add %ch,0×0(%edx)
        c46: 00 00 add %al,(%eax)
        c48: b2 00 mov $0×0,%dl

        c52: 00 00 add %al,(%eax)
        c54: 59 pop %ecx
        c55: 00 00 add %al,(%eax)
        c57: 00 00 add %al,(%eax)
        c59: 00 00 add %al,(%eax)
        c5b: 00 33 add %dh,(%ebx)
        c5d: 00 00 add %al,(%eax)
        c5f: 00 13 add %dl,(%ebx)
        c61: 00 00 add %al,(%eax)
        c63: 00 00 add %al,(%eax)
        c65: 00 00 add %al,(%eax)
        c67: 00 8d 00 00 00 00 add %cl,0×0(%ebp)
        c6d: 00 00 add %al,(%eax)
        c6f: 00 0e add %cl,(%esi)

        c79: 00 00 add %al,(%eax)
        c7b: 00 42 00 add %al,0×0(%edx)
        c7e: 00 00 add %al,(%eax)
        c80: 90 nop
        c81: 00 00 add %al,(%eax)
        c83: 00 94 00 00 00 00 00 add %dl,0×0(%eax,%eax,1)
        c8a: 00 00 add %al,(%eax)
        c8c: 6e outsb %ds:(%esi),(%dx)
        c8d: 00 00 add %al,(%eax)
        c8f: 00 00 add %al,(%eax)
        c91: 00 00 add %al,(%eax)
        c93: 00 84 00 00 00 96 00 add %al,0×960000(%eax,%eax,1)
        c9a: 00 00 add %al,(%eax)
        c9c: 00 00 add %al,(%eax)
        c9e: 00 00 add %al,(%eax)
        ca0: 63 00 arpl %ax,(%eax)

        cae: 00 00 add %al,(%eax)
        cb0: 5c pop %esp
        cb1: 00 00 add %al,(%eax)
        cb3: 00 97 00 00 00 00 add %dl,0×0(%edi)
        cb9: 00 00 add %al,(%eax)
        cbb: 00 28 add %ch,(%eax)
        cbd: 00 00 add %al,(%eax)
        cbf: 00 b5 00 00 00 00 add %dh,0×0(%ebp)
        cc5: 00 00 add %al,(%eax)
        cc7: 00 00 add %al,(%eax)
        cc9: 00 00 add %al,(%eax)
        ccb: 00 e5 add %ah,%ch

        ce5: 00 00 add %al,(%eax)
        ce7: 00 55 00 add %dl,0×0(%ebp)
        cea: 00 00 add %al,(%eax)
        cec: 35 00 00 00 00 xor $0×0,%eax
        cf1: 00 00 add %al,(%eax)
        cf3: 00 32 add %dh,(%edx)

        d01: 00 00 add %al,(%eax)
        d03: 00 4d 00 add %cl,0×0(%ebp)

        d0e: 00 00 add %al,(%eax)
        d10: e4 00 in $0×0,%al
        d12: 00 00 add %al,(%eax)
        d14: 00 00 add %al,(%eax)
        d16: 00 00 add %al,(%eax)
        d18: ad lods %ds:(%esi),%eax
        d19: 00 00 add %al,(%eax)
        d1b: 00 ab 00 00 00 af add %ch,-0×51000000(%ebx)
        d21: 00 00 add %al,(%eax)
        d23: 00 00 add %al,(%eax)
        d25: 00 00 add %al,(%eax)
        d27: 00 e3 add %ah,%bl
        d29: 00 00 add %al,(%eax)
        d2b: 00 23 add %ah,(%ebx)
        d2d: 00 00 add %al,(%eax)
        d2f: 00 3c 00 add %bh,(%eax,%eax,1)

        d3a: 00 00 add %al,(%eax)
        d3c: e0 00 loopne d3e

        d4a: 00 00 add %al,(%eax)
        d4c: dc 00 faddl (%eax)
        d4e: 00 00 add %al,(%eax)
        d50: 77 00 ja d52
        d52: 00 00 add %al,(%eax)
        d54: 82 (bad)
        d55: 00 00 add %al,(%eax)
        d57: 00 00 add %al,(%eax)
        d59: 00 00 add %al,(%eax)
        d5b: 00 78 00 add %bh,0×0(%eax)
        d5e: 00 00 add %al,(%eax)
        d60: 16 push %ss
        d61: 01 00 add %eax,(%eax)

        d73: 00 70 00 add %dh,0×0(%eax)
        d76: 00 00 add %al,(%eax)
        d78: 00 00 add %al,(%eax)
        d7a: 00 00 add %al,(%eax)
        d7c: ee out %al,(%dx)
        d7d: 00 00 add %al,(%eax)
        d7f: 00 64 00 00 add %ah,0×0(%eax,%eax,1)

        d97: 00 b9 00 00 00 00 add %bh,0×0(%ecx)

        da5: 00 00 add %al,(%eax)
        da7: 00 0c 01 add %cl,(%ecx,%eax,1)
        daa: 00 00 add %al,(%eax)
        dac: c6 00 00 movb $0×0,(%eax)

        db7: 00 aa 00 00 00 00 add %ch,0×0(%edx)

        dd1: 00 00 add %al,(%eax)
        dd3: 00 7f 00 add %bh,0×0(%edi)

        dde: 00 00 add %al,(%eax)
        de0: f3 00 00 repz add %al,(%eax)
        de3: 00 00 add %al,(%eax)
        de5: 00 00 add %al,(%eax)
        de7: 00 19 add %bl,(%ecx)
        de9: 01 00 add %eax,(%eax)
        deb: 00 ce add %cl,%dh
        ded: 00 00 add %al,(%eax)
        def: 00 f2 add %dh,%dl
        df1: 00 00 add %al,(%eax)
        df3: 00 1a add %bl,(%edx)
        df5: 01 00 add %eax,(%eax)
        df7: 00 00 add %al,(%eax)
        df9: 00 00 add %al,(%eax)
        dfb: 00 7a 00 add %bh,0×0(%edx)
        dfe: 00 00 add %al,(%eax)
        e00: 7d 00 jge e02
        e02: 00 00 add %al,(%eax)
        e04: 56 push %esi
        e05: 00 00 add %al,(%eax)
        e07: 00 06 add %al,(%esi)
        e09: 01 00 add %eax,(%eax)
        e0b: 00 0d 01 00 00 17 add %cl,0×17000001
        e11: 01 00 add %eax,(%eax)
        e13: 00 00 add %al,(%eax)
        e15: 00 00 add %al,(%eax)
        e17: 00 5f 00 add %bl,0×0(%edi)

        e26: 00 00 add %al,(%eax)
        e28: a6 cmpsb %es:(%edi),%ds:(%esi)

        e3d: 00 00 add %al,(%eax)
        e3f: 00 3c 01 add %bh,(%ecx,%eax,1)
        e42: 00 00 add %al,(%eax)
        e44: 22 00 and (%eax),%al

        e4e: 00 00 add %al,(%eax)
        e50: 98 cwtl
        e51: 00 00 add %al,(%eax)
        e53: 00 3d 00 00 00 1a add %bh,0x1a000000

        e61: 00 00 add %al,(%eax)
        e63: 00 1f add %bl,(%edi)
        e65: 01 00 add %eax,(%eax)
        e67: 00 00 add %al,(%eax)
        e69: 00 00 add %al,(%eax)
        e6b: 00 72 00 add %dh,0×0(%edx)
        e6e: 00 00 add %al,(%eax)
        e70: 00 00 add %al,(%eax)
        e72: 00 00 add %al,(%eax)
        e74: fa cli

        e81: 00 00 add %al,(%eax)
        e83: 00 32 add %dh,(%edx)
        e85: 01 00 add %eax,(%eax)
        e87: 00 c2 add %al,%dl
        e89: 00 00 add %al,(%eax)
        e8b: 00 00 add %al,(%eax)
        e8d: 00 00 add %al,(%eax)
        e8f: 00 a1 00 00 00 3a add %ah,0x3a000000(%ecx)
        e95: 00 00 add %al,(%eax)
        e97: 00 60 00 add %ah,0×0(%eax)

        ea2: 00 00 add %al,(%eax)
        ea4: f1 icebp

        eb5: 00 00 add %al,(%eax)
        eb7: 00 f7 add %dh,%bh
        eb9: 00 00 add %al,(%eax)
        ebb: 00 00 add %al,(%eax)
        ebd: 00 00 add %al,(%eax)
        ebf: 00 1f add %bl,(%edi)

        ec9: 00 00 add %al,(%eax)
        ecb: 00 1b add %bl,(%ebx)
        ecd: 01 00 add %eax,(%eax)
        ecf: 00 12 add %dl,(%edx)
        ed1: 01 00 add %eax,(%eax)
        ed3: 00 48 00 add %cl,0×0(%eax)
        ed6: 00 00 add %al,(%eax)
        ed8: 2e 01 00 add %eax,%cs:(%eax)
        edb: 00 00 add %al,(%eax)
        edd: 00 00 add %al,(%eax)
        edf: 00 cf add %cl,%bh
        ee1: 00 00 add %al,(%eax)
        ee3: 00 61 00 add %ah,0×0(%ecx)

        eee: 00 00 add %al,(%eax)
        ef0: a8 00 test $0×0,%al

        efe: 00 00 add %al,(%eax)
        f00: 36 00 00 add %al,%ss:(%eax)
        f03: 00 50 01 add %dl,0×1(%eax)
        f06: 00 00 add %al,(%eax)
        f08: 4c dec %esp
        f09: 01 00 add %eax,(%eax)
        f0b: 00 dd add %bl,%ch
        f0d: 00 00 add %al,(%eax)
        f0f: 00 00 add %al,(%eax)
        f11: 00 00 add %al,(%eax)
        f13: 00 71 01 add %dh,0×1(%ecx)
        f16: 00 00 add %al,(%eax)
        f18: 00 00 add %al,(%eax)
        f1a: 00 00 add %al,(%eax)
        f1c: 84 01 test %al,(%ecx)
        f1e: 00 00 add %al,(%eax)
        f20: 67 00 00 add %al,(%bx,%si)
        f23: 00 00 add %al,(%eax)
        f25: 00 00 add %al,(%eax)
        f27: 00 86 00 00 00 81 add %al,-0x7f000000(%esi)
        f2d: 01 00 add %eax,(%eax)
        f2f: 00 56 01 add %dl,0×1(%esi)
        f32: 00 00 add %al,(%eax)
        f34: 6d insl (%dx),%es:(%edi)
        f35: 01 00 add %eax,(%eax)
        f37: 00 55 01 add %dl,0×1(%ebp)
        f3a: 00 00 add %al,(%eax)
        f3c: 00 00 add %al,(%eax)
        f3e: 00 00 add %al,(%eax)
        f40: 17 pop %ss
        f41: 00 00 add %al,(%eax)
        f43: 00 cb add %cl,%bl
        f45: 00 00 add %al,(%eax)
        f47: 00 65 01 add %ah,0×1(%ebp)

        f56: 00 00 add %al,(%eax)
        f58: 74 00 je f5a
        f5a: 00 00 add %al,(%eax)
        f5c: b3 00 mov $0×0,%bl

        f66: 00 00 add %al,(%eax)
        f68: 41 inc %ecx
        f69: 01 00 add %eax,(%eax)
        f6b: 00 04 01 add %al,(%ecx,%eax,1)
        f6e: 00 00 add %al,(%eax)
        f70: 24 00 and $0×0,%al
        f72: 00 00 add %al,(%eax)
        f74: 38 00 cmp %al,(%eax)
        f76: 00 00 add %al,(%eax)
        f78: 68 01 00 00 00 push $0×1
        f7d: 00 00 add %al,(%eax)
        f7f: 00 93 01 00 00 88 add %dl,-0x77ffffff(%ebx)
        f85: 01 00 add %eax,(%eax)
        f87: 00 00 add %al,(%eax)
        f89: 00 00 add %al,(%eax)
        f8b: 00 4c 00 00 add %cl,0×0(%eax,%eax,1)

        f9b: 00 2c 01 add %ch,(%ecx,%eax,1)
        f9e: 00 00 add %al,(%eax)
        fa0: 00 00 add %al,(%eax)
        fa2: 00 00 add %al,(%eax)
        fa4: 29 01 sub %eax,(%ecx)
        fa6: 00 00 add %al,(%eax)
        fa8: 00 00 add %al,(%eax)
        faa: 00 00 add %al,(%eax)
        fac: a2 00 00 00 00 mov %al,0×0
        fb1: 00 00 add %al,(%eax)
        fb3: 00 4d 01 add %cl,0×1(%ebp)
        fb6: 00 00 add %al,(%eax)
        fb8: e8 00 00 00 42 call 42000fbd
        fbd: 01 00 add %eax,(%eax)
        fbf: 00 c4 add %al,%ah
        fc1: 00 00 add %al,(%eax)
        fc3: 00 00 add %al,(%eax)
        fc5: 00 00 add %al,(%eax)

  34. Hi,
    not any news?

    Perhaps that could help you

    7908: 65 63 74 69 6f arpl %si,%gs:0x6f(%ecx,%ebp,2)
    790d: 6e outsb %ds:(%esi),(%dx)
    790e: 39 53 65 cmp %edx,0x65(%ebx)
    7911: 74 4c je 795f
    7913: 69 6e 67 65 72 45 52 imul $0x52457265,0x67(%esi),%ebp
    791a: 4b dec %ebx
    791b: 4e dec %esi
    791c: 53 push %ebx
    791d: 5f pop %edi
    791e: 31 31 xor %esi,(%ecx)

    I see the 791a byte, but with hexer it is always “match not found”.
    I’ve downgraded the agent to version 13.0.5204.
    Thanks in advance.

  35. Hi!

    With ralus client 12.0.1364.9.SP0 I cannot find any matching string.

    objdump -D /opt/VRTSralus/bin/libbesocket.so | grep -6 0x8938

    1f5a7: 85 c0 test %eax,%eax
    1f5a9: 89 85 5c ff ff ff mov %eax,-0xa4(%ebp)
    1f5af: 0f 88 83 06 00 00 js 1fc38
    1f5b5: 8d 45 84 lea -0x7c(%ebp),%eax
    1f5b8: 57 push %edi
    1f5b9: 50 push %eax
    1f5ba: 68 38 89 00 00 push $0x8938
    1f5bf: ff b5 5c ff ff ff pushl -0xa4(%ebp)
    1f5c5: e8 4e e6 fe ff call dc18
    1f5ca: 83 c4 10 add $0x10,%esp
    1f5cd: 85 c0 test %eax,%eax
    1f5cf: 0f 88 47 06 00 00 js 1fc1c
    1f5d5: 8b 75 84 mov -0x7c(%ebp),%esi

  36. Thx a lot.

    Solution works !

  37. I can confirm that this just worked for me on Ubuntu 12.04 using BE Ralus version:
    14.0.1798.1244
    This is the version you get when you install these packages:
    RALUS_RMALS_RAMS-1798.17.tar.gz + ralus1798.1244SP2.tar.gz

    The sha1 checksum on that library is the same as stated above.
    (Note: when searching do NOT put a space between ‘/’ and ‘\’. The command is: ‘/\xx 78 1a’.)

    Killer fix man, thanks for taking the trouble to post it!

    Can’t believe Symantec hasn’t implemented this on their own in the last year… how hard could it be to have one of their own devs fix this??
    I’d be a much happier customer if they had.

  38. Working fine with Debian 6.0.7 updated to kernel 3.2.0-0.bpo.4-686-pae.

    Using RALUS_RMALS_RAMS-2896.9.tar.gz (13.0.2896.0) – in Backup Exec 2010.

    objdump -D libbesocket.so | grep -6 0x8938
    1fc11: ff b3 14 05 00 00 pushl 0x514(%ebx)
    1fc17: 50 push %eax
    1fc18: e8 fb dc fe ff call d918
    1fc1d: 8d 45 84 lea -0x7c(%ebp),%eax
    1fc20: 57 push %edi
    1fc21: 50 push %eax
    1fc22: 68 38 89 00 00 push $0x8938
    1fc27: ff b5 5c ff ff ff pushl -0xa4(%ebp)
    1fc2d: e8 d6 e3 fe ff call e008
    1fc32: 83 c4 10 add $0x10,%esp
    1fc35: 85 c0 test %eax,%eax
    1fc37: 79 15 jns 1fc4e
    1fc39: e8 aa da fe ff call d6e8

    Thanks a heap.

  39. Thanks a lot man – this really works, amazing Symantec isn’t doing a better job fixing this themselves :)

  40. THX Guys, this works also with RALUS 13-R2-3 on a QNAP with FW 3.8.4!

  41. For those on Backup Exec 2012 SP2 with Hotfix 209149:

    Search for “79 15” (hexer -> “/\xx 79 15”) – for me it was on 1f4ee

    Before:
    1f4d9: 68 38 89 00 00 push $0x8938
    1f4de: ff b5 5c ff ff ff pushl -0xa4(%ebp)
    1f4e4: e8 17 fb fe ff call f000
    1f4e9: 83 c4 10 add $0x10,%esp
    1f4ec: 85 c0 test %eax,%eax
    1f4ee: 79 15 jns 1f505
    1f4f0: e8 eb f1 fe ff call e6e0

    After:
    1f4d9: 68 38 89 00 00 push $0x8938
    1f4de: ff b5 5c ff ff ff pushl -0xa4(%ebp)
    1f4e4: e8 17 fb fe ff call f000
    1f4e9: 83 c4 10 add $0x10,%esp
    1f4ec: 85 c0 test %eax,%eax
    1f4ee: 78 15 js 1f505
    1f4f0: e8 eb f1 fe ff call e6e0

    #cat /var/VRTSralus/ralus.ver
    ralus=1798.209149
    mdm=MDM_v0.0.6209
    vxms=VxMS_4.4_038a
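
A context-anchored way to find the byte that comment 41 locates by searching for “79 15”, as an added example that is not part of the original comments or of Symantec's code: it looks for the SIOCGIFCOUNT immediate (38 89 00 00) and then the test %eax,%eax plus short jns/js pair that follows it in the listings on this page. The function name, the 32-byte window and the sample array are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Branch found after the SIOCGIFCOUNT ioctl() call; values are the opcodes. */
enum jump_state { JUMP_NOT_FOUND = 0, JUMP_JS = 0x78, JUMP_JNS = 0x79 };

#define WINDOW 32   /* assumption: test/jump follow the immediate within 32 bytes */

/* Find imm32 0x8938 (bytes 38 89 00 00), then the first "85 c0" (test %eax,%eax)
 * in the window that is followed by a short jns/js. On success *jump_off is the
 * offset of the 79/78 opcode byte within buf. */
enum jump_state find_ifcount_jump(const unsigned char *buf, size_t len, size_t *jump_off)
{
    static const unsigned char imm[4] = { 0x38, 0x89, 0x00, 0x00 };

    for (size_t i = 0; i + sizeof imm <= len; i++) {
        if (memcmp(buf + i, imm, sizeof imm) != 0)
            continue;
        size_t end = i + sizeof imm + WINDOW;
        if (end > len)
            end = len;
        for (size_t j = i + sizeof imm; j + 3 <= end; j++) {
            if (buf[j] == 0x85 && buf[j + 1] == 0xc0 &&
                (buf[j + 2] == JUMP_JNS || buf[j + 2] == JUMP_JS)) {
                *jump_off = j + 2;
                return (enum jump_state)buf[j + 2];
            }
        }
    }
    return JUMP_NOT_FOUND;
}

/* Bytes 1f4d9..1f4f4 copied from the "Before" listing in comment 41. */
static const unsigned char sample_before[] = {
    0x68, 0x38, 0x89, 0x00, 0x00, 0xff, 0xb5, 0x5c, 0xff, 0xff, 0xff,
    0xe8, 0x17, 0xfb, 0xfe, 0xff, 0x83, 0xc4, 0x10, 0x85, 0xc0, 0x79, 0x15,
    0xe8, 0xeb, 0xf1, 0xfe, 0xff
};

int main(void)
{
    size_t off = 0;
    enum jump_state st = find_ifcount_jump(sample_before, sizeof sample_before, &off);
    printf("opcode %#x at listing address %#zx\n", (unsigned)st, (size_t)0x1f4d9 + off);
    return st == JUMP_NOT_FOUND;
}
```

Run over the whole library file, a result of JUMP_JS means the byte is already patched, and JUMP_NOT_FOUND means the build uses a different instruction sequence (for example the long-form jump shown in comment 35) and should be inspected by hand.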

  42. Goodness, I love the internet and amazing people like you that save my butt on a daily basis!

  43. MAGNIFICENT
    ——————

    Great. Solved my life. I have BE2012. Works great.
    I’ve been looking for this for too much time.

  44. Thanks for your work on this. This was very helpful for us to get Backup Exec RALUS working on a kernel 3.x system. I have, however, a nagging doubt whether your solution is quite reliable, for the following reasons:

    a) The offending kernel commit http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=41c31f318a5209922d051e293c61e4724daad11c did actually not change the return value of the ioctl() call, which was -1 before and after that commit. It only changed the accompanying errno value from EINVAL to ENOTTY.

    b) Manually reverse compiling the code section you propose to patch yields:

    if (ioctl(s, SIOCGIFCOUNT, &ifno) < 0) {

    2263d: 48 8d 94 24 ec 00 00 lea 0xec(%rsp),%rdx
    22644: 00
    22645: 89 c7 mov %eax,%edi
    22647: be 38 89 00 00 mov $0x8938,%esi
    2264c: 31 c0 xor %eax,%eax
    2264e: e8 dd 00 ff ff callq 12730
    22653: 85 c0 test %eax,%eax
    22655: 78 1a jns 22671

    if (errno != EINVAL) {

    22657: e8 74 01 ff ff callq 127d0
    2265c: 83 38 16 cmpl $0x16,(%rax)
    2265f: 90 nop
    22660: 0f 85 25 03 00 00 jne 2298b

    throw(new exception( ));
    }
    ifno = 32;

    22666: c7 84 24 ec 00 00 00 movl $0x20,0xec(%rsp)
    2266d: 20 00 00 00

    }
    ifr = calloc(sizeof(struct ifreq)*ifno, 1);

    22671: 48 63 84 24 ec 00 00 movslq 0xec(%rsp),%rax
    22678: 00
    22679: bf 01 00 00 00 mov $0x1,%edi
    2267e: 48 8d 04 80 lea (%rax,%rax,4),%rax
    22682: 48 8d 1c c5 00 00 00 lea 0x0(,%rax,8),%rbx
    22689: 00
    2268a: 48 89 de mov %rbx,%rsi
    2268d: e8 2e 00 ff ff callq 126c0

    So what this does is:
    - Call ioctl(,SIOCGIFCOUNT,) to determine the number of interfaces, ifno.
    - If that call fails with EINVAL, set ifno to 32. (That should be enough for anybody.)
    - If it fails with anything else, abort execution by throwing an exception. (at address 2298b ff., not shown)
    - Allocate a result structure for a subsequent call to ioctl(,SIOCGIFCONF,) based on the number of interfaces indicated by ifno.

    Your patch inverts the test for failure of the ioctl(,SIOCGIFCOUNT,) call. As that call always fails, ifno is now never set at all, so the size of the allocated structure is determined by the random previous content of variable ifno. This will work most of the time (ie. as long as ifno is at least as big as the real number of interfaces and not too big to allocate that number of ifreq structures), but it still makes me uneasy.

    IMHO a better solution would be to disable the errno test:
    - either by overwriting the jne instruction at address 22660 with 6x 90 (nop)
    - or by overwriting the cmpl instruction at 2265c with 31 c0 90 (xor %eax,%eax & nop)

    What do you think?

    Thanks,
    Tilman
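
Tilman's analysis as a small model, added here as an example (not code from the agent or from the comment): it runs the reconstructed check for the original build, the jns to js patch and the proposed errno-test bypass, and reports whether a buffer sized from ifno would hold the host's interfaces. The enum names, the function and the sample values are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define FALLBACK_IFNO 32   /* slot count the reconstructed code sets on EINVAL */

enum variant { ORIGINAL, JS_PATCH, NO_ERRNO_TEST };
enum outcome { ABORTS, BUFFER_OK, BUFFER_TOO_SMALL, BAD_ALLOC_SIZE };

/*
 * Model of the path around ioctl(s, SIOCGIFCOUNT, &ifno) for one build.
 * rc/err: the ioctl() return value and errno. ifno_after: content of ifno
 * after the call (the kernel's count on success, stale stack content on
 * failure). real: interfaces actually present on the host.
 */
enum outcome ifcount_outcome(enum variant v, int rc, int err, int ifno_after, int real)
{
    int ifno = ifno_after;
    int failed = rc < 0;
    /* JS_PATCH inverts the branch, so the error block runs only on success. */
    int error_block = (v == JS_PATCH) ? !failed : failed;

    if (error_block) {
        if (v != NO_ERRNO_TEST && err != EINVAL)
            return ABORTS;                /* throw(new exception()) */
        ifno = FALLBACK_IFNO;
    }
    if (ifno < 0)
        return BAD_ALLOC_SIZE;            /* movslq sign-extends it into a huge size */
    return ifno >= real ? BUFFER_OK : BUFFER_TOO_SMALL;
}

int main(void)
{
    static const char *name[] = { "aborts", "buffer ok", "buffer too small", "bad alloc size" };
    /* Constructed case: kernel 3.x returns -1/ENOTTY, host has 3 interfaces. */
    printf("original:           %s\n", name[ifcount_outcome(ORIGINAL, -1, ENOTTY, 0, 3)]);
    printf("js patch, stale 0:  %s\n", name[ifcount_outcome(JS_PATCH, -1, ENOTTY, 0, 3)]);
    printf("js patch, stale 64: %s\n", name[ifcount_outcome(JS_PATCH, -1, ENOTTY, 64, 3)]);
    printf("errno test removed: %s\n", name[ifcount_outcome(NO_ERRNO_TEST, -1, ENOTTY, 0, 3)]);
    return 0;
}
```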

  45. All the way up until BE2012 SP3 and its hotfixes libbesocket.so was never patched by Symantec so fortunately your fix helped me getting a working libbesocket.so for Debian wheezy. (Downside: It showed us that Symantec simply didn’t care about fixing this)

    Now (finally!) after installing BE 2012 SP4 libbesocket.so got patched – for the better, since it does seem to work without modification.

